From ltd at cisco.com Sun Nov 1 01:44:09 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Sun, 1 Nov 2009 17:44:09 +1100
Subject: [c-nsp] network rebuild questions
In-Reply-To:
References: <1543E50F-FE03-4549-BDC7-D9B17898D8D8@arbor.net> <82AD5692-DA8D-4F2B-8DCD-935671CB5571@arbor.net>
Message-ID: <255D5C42-E897-4CB9-9073-30B0372C049D@cisco.com>

On 01/11/2009, at 5:20 AM, Bill Desjardins wrote:

> well, sup1 6500's doing everything all in one have been rock solid the
> last 5+yrs now and are still pushing ~460k PPS in+out at this very
> moment without a hiccup and doing everything I want them to. it's 99%
> voip traffic as well with very happy customers. I don't see the point
> that all of a sudden I am going to be in despair and grief with modestly
> better hardware and a much improved network architecture. IMHO.

bear in mind that a Sup1 is only ever doing "flow switching" aka MLS (multi layer switching), which is akin to: 1st packet in a flow goes to software, software sets up a hardware shortcut entry in the MLS cache, then subsequent packets in that flow are forwarded in hardware.

that works relatively well provided:
a. the flow setup rate does not exceed the capabilities of software
b. the # of concurrent flows does not exhaust the size of the flow table

while often that will be the case under normal conditions, if your traffic is growing at any significant rate per month/quarter/year, or if you are exposed to a DoS attack or rogue application, you may well find that Sup1 does not work so well any more, which would likely result in network outage(s) and/or broken SLAs on that VoIP traffic.

if you have means of protecting against those things, all well and good. but note that subsequent Supervisors on C6K augment the MLS switching path with CEF/FIB in hardware, i.e. no "per flow state" forwarding but instead set up the entire forwarding table in hardware - so as to avoid those issues.

cheers,

lincoln.
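As an added illustration of the two failure modes Lincoln lists (this is editor-added example code, not from his message and not Cisco code), the small Python model below runs a constructed VoIP load and a constructed burst of never-before-seen flows through a flow-cache forwarder and through a prefix-table forwarder. The table size, the per-tick software punt budget, the LRU replacement policy, the 198.18/15 source addresses and the packet ordering within a tick are all assumptions chosen to make the effect visible; none of them are Sup1 figures. With these parameters the VoIP flows are carried entirely in hardware while they are alone, are dropped wholesale during the burst (software budget spent on new flows, and the VoIP shortcuts evicted from the full table), and recover once the burst stops; the prefix-table forwarder never notices the burst.

```python
# Added illustration for the MLS-vs-CEF point above; not Cisco code and not
# part of the original message. Table size, per-tick software budget, LRU
# replacement and both traffic mixes are constructed assumptions.
import ipaddress
from collections import OrderedDict


class FlowCache:
    """Flow-switched ("MLS") forwarder: the first packet of each 5-tuple is
    punted to software, which installs a hardware shortcut. Software can only
    handle `sw_punts_per_tick` punts per tick; a full table evicts the least
    recently used entry (LRU is an assumption, not the Sup1's real policy)."""

    def __init__(self, capacity, sw_punts_per_tick):
        self.capacity = capacity
        self.sw_budget = sw_punts_per_tick
        self.table = OrderedDict()

    def forward(self, packets):
        """Forward one tick of packets; returns (hw_hits, punted, dropped)."""
        hw = punted = dropped = 0
        for flow in packets:
            if flow in self.table:            # shortcut exists: hardware path
                self.table.move_to_end(flow)
                hw += 1
            elif punted < self.sw_budget:     # new flow, software has capacity
                if len(self.table) >= self.capacity:
                    self.table.popitem(last=False)   # table full: evict LRU
                self.table[flow] = True
                punted += 1
            else:                             # software overrun: packet lost
                dropped += 1
        return hw, punted, dropped


class PrefixFib:
    """CEF-style forwarder: every packet is a destination lookup against the
    prefixes programmed in hardware; no per-flow state, nothing to exhaust."""

    def __init__(self, prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]

    def forward(self, packets):
        hw = 0
        for flow in packets:
            dst = ipaddress.ip_address(flow[1])
            if any(dst in p for p in self.prefixes):
                hw += 1
        return hw, 0, len(packets) - hw       # unroutable packets are dropped


def voip_tick(calls, pkts_per_call=20):
    """Constructed steady VoIP load: the same `calls` flows every tick."""
    return [("10.1.0.%d" % (i % 250), "10.2.0.%d" % (i % 250), 17, 10000 + i, 20000 + i)
            for i in range(calls) for _ in range(pkts_per_call)]


def flood_tick(n):
    """Constructed burst: `n` packets, each from a source address not seen
    before, so each one is a brand-new flow (198.18/15 is the RFC 2544
    benchmarking range, used so that no real network is referenced)."""
    return [("198.18.%d.%d" % (k >> 8, k & 255), "10.2.0.1", 6, 40000 + k % 20000, 80)
            for k in range(n)]


def compare(capacity=4096, sw_budget=5000, calls=200, flood=10000):
    """Three ticks through the flow cache and one through the FIB.
    Tick 1: VoIP only.  Tick 2: the burst arrives ahead of the VoIP packets
    (worst-case ordering, an assumption).  Tick 3: the burst has stopped.
    Returns the per-tick (hw_hits, punted, dropped) tuples."""
    mls = FlowCache(capacity, sw_budget)
    cef = PrefixFib(["10.2.0.0/16"])
    voip, burst = voip_tick(calls), flood_tick(flood)
    return {
        "mls_normal": mls.forward(voip),
        "mls_flood": mls.forward(burst + voip),
        "mls_after": mls.forward(voip),
        "cef_flood": cef.forward(burst + voip),
    }


if __name__ == "__main__":
    for name, (hw, punted, dropped) in compare().items():
        print("%-11s hardware=%6d punted=%5d dropped=%5d" % (name, hw, punted, dropped))
```

The numbers to watch are the "mls_flood" tick: every VoIP packet is dropped even though the VoIP load itself has not changed, which is the outage/SLA scenario Lincoln describes, and the "cef_flood" tick, where a forwarder holding the whole table in hardware forwards everything because it has no per-flow state to set up or exhaust.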
From mtinka at globaltransit.net Sun Nov 1 13:18:43 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Mon, 2 Nov 2009 02:18:43 +0800 Subject: [c-nsp] Latest iteration of core upgrade - questions In-Reply-To: References: Message-ID: <200911020218.52936.mtinka@globaltransit.net> On Sunday 01 November 2009 03:02:21 am Rick Ernst wrote: > > --- It was an "in", but now it's "at". I can still > > argue it being > > appropriate as a border/"upstream" device and also as > aggregation/"customer". You probably want to try separating both functions where possible, otherwise your routing policies on a multi- function box may get too complex (I've been in bad situations where border routers had to double as route reflectors - not very pretty). > > --- One 720x per upstream, split into dual cores. Sounds good. > > We > > had also considered > > landing upstreams directly on the 7600s, but this allow > for a core device failure without losing upstream > capacity. Again, wherever possible, try separating those functions. > --- I've looked at other vendors, but a big reason for > sticking with Cisco is we have the in-house knowledge. > Changing vendors while re-architecting a production > network seems to be a bad idea. Fair enough - it's always best to go with what you're comfortable handling. > --- What is the benefit in having 4 devices instead of 2? > It seems like you'd just be passing the same traffic > through double the number of devices. Like I'd said, you'd only grow to 4x (2x for edge + core aggregation, and 2x for border + core aggregation) if it became necessary. You'd normally find this in PoP's where you've got a lot of upstream service concentration, typically your flagship PoP when you started operations. Depending on how many border routers you have (as well as what other devices may be sitting at this layer), there may be a need for a number of Ethernet ports. 
Furthermore, assuming border + edge switch aggregation were collapsed into a single device, failure of either would affect Internet traffic for customers connecting to the same PoP. However, assume traffic to the Internet is coming in from another PoP, which connects to your core routers - here, a failure of a combined border + edge core switch affects both the local and remote PoP's. If you had 2x core switches dedicated for your border + core aggregation, remote PoP's would still have Internet access assuming the main PoP was their exit to the rest of the world.

Again, these are all dynamics respective to an individual business. As I'd mentioned, it's typically considered only where necessary.

> -- I had actually considered another pair of 7600s at the
> aggregation layer, but we currently have ~300 ports in
> use and the cable management is a nightmare. The 4948s
> let us to a "top-of-rack" design and run back to the
> core. We could have done the same thing with a pair of
> 7600s and dumb layer-2 switches, but using the 4948s
> allows incremental upgrades/migration.

Understand - this is where I think the Nexus 7000 series may excel.

Cheers,

Mark.

From cisco-nsp at ml.karotte.org Sun Nov 1 15:16:09 2009
From: cisco-nsp at ml.karotte.org (Sebastian Wiesinger)
Date: Sun, 1 Nov 2009 21:16:09 +0100
Subject: [c-nsp] is L2TPv3 right for me?
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F1043B4D24DB@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F1043B4D24DB@MLBMXUS2.cs.myharris.net>
Message-ID: <20091101201609.GA6221@danton.fire-world.de>

* Church, Charles [2009-10-31 18:59]:
> Hey all,
>
> destinations are sent across, etc)...
> The link provided will be gigabit, but with encryption overhead, probably need at
> most 900 mbit throughput, mostly using full-size frames as
> traffic will be mostly migration data. I've got a couple
> 7206s available with NPE-G1. I'm thinking that will work.
> Any thoughts?

I don't have numbers at the moment but IIRC NPE-G1 can't handle anything near 900MBit/s of L2TPv3 traffic.

Regards,

Sebastian

--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From jmkeller at houseofzen.org Sun Nov 1 16:24:10 2009
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Sun, 01 Nov 2009 16:24:10 -0500
Subject: [c-nsp] ASA SSL TLS Tunnel Window Sizes
Message-ID: <4AEDFC7A.9020202@houseofzen.org>

All,

We had been having some SSL VPN (TLS transport) performance issues on ASA units dedicated to just VPN access. The issue is we're maxing out at 5Mbps on a tunneled connection, but our legacy SSL VPN solution is close to wire speed with the tunnel overhead taken into consideration for the same traffic.

I noticed from captures that the ASAs are starting with an initial tcp window of 8192 and never exceed that, but will reduce it after packet loss and then come back up to 8192 after the congestion avoidance period. The legacy SSL appliance starts at 5840 but after the slow start period ramps up and stabilizes at 44448. From external test connections with about 12ms RTT the 8192 value should get us 5.4Mbps in theory, and that matches real tests at just under 5Mbps for the tunneled traffic.

I couldn't find anything for adjusting max/initial or otherwise window size for the WebVPN/SVC process themselves, just for passed traffic inspection to drop/clear/allow window size related packets during inspection.

Thanks in advance for any pointers.
-James From oogali at gmail.com Mon Nov 2 00:54:23 2009 From: oogali at gmail.com (Omachonu Ogali) Date: Mon, 2 Nov 2009 00:54:23 -0500 Subject: [c-nsp] [j-nsp] Network Liberation Movement??? In-Reply-To: <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com> References: <4AEAF6B8.2090606@att.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3BE0@LMC-MAIL2.exempla.org> <5210A1C9084123478E12AA5924D1F253FBBCE9@w3usmia2.lat.gblxint.com> <8c308e8b0910301415t3b5c2d01n440e57bcf044992@mail.gmail.com> <443de7ad0910311035p2506ae77qbafd235bb4a59397@mail.gmail.com> <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com> Message-ID: How much is "buzz" worth? About the same as YouTube views. (In South Park speak, "theoretical dollars"). If you can't convert *positive* buzz into revenue, your marketing efforts will serve as nothing more than "brand awareness" campaigns. By this point in the conversation, it should be obvious the buzz is turning negative: a) overtones of disinterest due to dubious marketing, b) people biting the bait on what seems to be a month long viral campaign that *still* has 15 more days to go before phase 2, c) conversation shift from the mystery product, to debating whether the marketing works -- and we still don't know what's being marketed other than common sense ("You hate vendor lock-in, I hate vendor lock-in, let's be friends") For as to who... As far as the campaign, any large, established networking vendor, would need to undertake a dramatic shift in culture to promote a dual-vendor strategy for customers to undertake while not angering their shareholders, and I can't see that happening. (Cisco: haha, no; Foundry/Brocade: too busy looking for a buyer of *existing assets* to risk a large change in direction; Extreme: what?) Next up are smaller networking vendors, who would benefit from a dual-vendor strategy, because they're probably not in the door of large enterprise/service provider networks to begin with. 
For them, I'd imagine vendor lock-in is the holy grail, and an open strategy only works enough to get them in the door, but shoots them in the foot because it makes them more vulnerable to smaller, agile networking startups and migration utilities from larger vendors (for the telecom heads amongst you, think about CLEC in-fighting). This leaves a network management software vendor. They would certain profit from an open standard, which allows them access to manage formerly "proprietary" networks, and manage different vendors' equipment. The hurdle is to get manufacturers to adopt this standard... how do you do this cheaply, other than work the end-user up into a frenzy? So, what network management startup do we know, that's based out of Texas? For some more fun: $ curl http://networkliberationmovement.net/wp-content/themes/nlm-micro/style.css /* Theme Name: Network Liberation Movement Description: Microsite Version: 1.0 Author: Michael Gilbert for RAPP Author URI: http://www.rapp.com/ */ oo On Sat, Oct 31, 2009 at 1:13 PM, christian koch wrote: > On Sat, Oct 31, 2009 at 10:35 AM, Chris Grundemann wrote: > >> On Fri, Oct 30, 2009 at 15:15, christian koch wrote: >> > looks as if its working based on the activity in this thread... >> >> I think someone has to actually buy something, because of the chatter, >> for it to be working... >> > > what if there is nothing to buy? its clearly not a direct marketing > initiative, they're trying to create some interest as to what this > "movement" is going to be about > > my point is that it is successful because they are getting a response, > people are talking about it, the initial poster alone exposed the site, > which caused feedback... and is creating a buzz, that is the point...IMO > > > -christian > From ck at sandcastl.es Mon Nov 2 01:34:01 2009 From: ck at sandcastl.es (christian koch) Date: Sun, 1 Nov 2009 22:34:01 -0800 Subject: [c-nsp] [j-nsp] Network Liberation Movement??? 
In-Reply-To: References: <4AEAF6B8.2090606@att.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3BE0@LMC-MAIL2.exempla.org> <5210A1C9084123478E12AA5924D1F253FBBCE9@w3usmia2.lat.gblxint.com> <8c308e8b0910301415t3b5c2d01n440e57bcf044992@mail.gmail.com> <443de7ad0910311035p2506ae77qbafd235bb4a59397@mail.gmail.com> <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com> Message-ID: <8c308e8b0911012234k43a7a1e1nd3370378bc039824@mail.gmail.com> On Sun, Nov 1, 2009 at 9:54 PM, Omachonu Ogali wrote: > How much is "buzz" worth? About the same as YouTube views. (In South Park > speak, "theoretical dollars"). > > If you can't convert *positive* buzz into revenue, your marketing efforts > will serve as nothing more than "brand awareness" campaigns. > > By this point in the conversation, it should be obvious the buzz is turning > negative: > a) overtones of disinterest due to dubious marketing, > b) people biting the bait on what seems to be a month long viral campaign > that *still* has 15 more days to go before phase 2, > c) conversation shift from the mystery product, to debating whether the > marketing works -- and we still don't know what's being marketed other than > common sense ("You hate vendor lock-in, I hate vendor lock-in, let's be > friends") > well said, and agreed -ck From eng_mssk at hotmail.com Mon Nov 2 02:39:24 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Mon, 2 Nov 2009 09:39:24 +0200 Subject: [c-nsp] Network KPI Message-ID: hey all we work in a WiMAX operator , and i was wondering what are the best parameters to include in our KPI? _________________________________________________________________ Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you. 
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092010 From masood at nexlinx.net.pk Mon Nov 2 03:49:14 2009 From: masood at nexlinx.net.pk (masood at nexlinx.net.pk) Date: Mon, 2 Nov 2009 13:49:14 +0500 (PKT) Subject: [c-nsp] Network KPI In-Reply-To: References: Message-ID: <22278.196.46.241.57.1257151754.squirrel@nexmail1.nexlinx.net.pk> Key Performance Indicators (KPIs) can tell you how the network is performing according to certain parameters, but the chosen metrics may not be relevant to certain service classes. And if these are the ones that deliver the most revenue, operators could find themselves in trouble. Key Quality Indicators (KQIs) are typically a combination of several KPIs that can tell operators more about the end-user experience and usage patterns. To determine what the KPIs and KPQs should be on a wimax or any tcp/ip network, it must be borne in mind what customers are most interested in: fast access, good service quality and mobility. Consequently, KPIs can be focused on network procedures--such as attach, authentication, authorisation and creation/activation--which determine access (fast access to services is defined by the success of and speed of access to HTTP servers, to MMS centers, and to other dedicated services that could be offered via the operator's portal). Regards, Masood Blog: http://weblogs.com.pk/jahil/ > > hey all > > we work in a WiMAX operator , and i was wondering what are the best > parameters to include in our KPI? > > > > _________________________________________________________________ > Windows Live: Friends get your Flickr, Yelp, and Digg updates when they > e-mail you. 
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From eng_mssk at hotmail.com Mon Nov 2 05:27:32 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 2 Nov 2009 12:27:32 +0200
Subject: [c-nsp] ME Route issue
Message-ID:

hi all

i have 2 switches
ME-C3750-24TE with IOS c3750me-i5-mz.122-35.SE5.bin
i defined an interface VLAN (management)
int vlan 1
ip add 10.0.0.2 255.255.255.224

and defined a default route
ip route 0.0.0.0 0.0.0.0 10.0.0.1

when i issue the command show ip route 0.0.0.0
router#sh ip route 0.0.0.0
Default gateway is not set

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty

i have another device cisco ME-C6524GT-8S with IOS s6523-advipservicesk9-mz.122-18.ZU2.bin

it's configured the same way
but when issuing the show ip route or show ip route 0.0.0.0

router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

     10.0.0.0/27 is subnetted, 1 subnets
C       10.0.0.96 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 10.0.0.3

is that normal ??

Thanks in advance
From masood at nexlinx.net.pk Mon Nov 2 05:49:17 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Mon, 2 Nov 2009 15:49:17 +0500 (PKT)
Subject: [c-nsp] ME Route issue
In-Reply-To:
References:
Message-ID: <52035.196.46.241.57.1257158957.squirrel@nexmail1.nexlinx.net.pk>

check the show running-configuration. verify whether ip routing is enabled. The command, if enabled, appears towards the top of the output.

hostname SW
!
!
ip subnet-zero
ip routing

if not then enable routing on the switch by using the ip routing command.

SW(config)#ip routing

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

>
> hi all
>
> i have 2 switches
> ME-C3750-24TE with IOS c3750me-i5-mz.122-35.SE5.bin
> i defined an interface VLAN (management)
> int vlan 1
> ip add 10.0.0.2 255.255.255.224
>
> and defined a default route
> ip route 0.0.0.0 0.0.0.0 10.0.0.1
>
> when i issue the command show ip route 0.0.0.0
> router#sh ip route 0.0.0.0
> Default gateway is not set
>
> Host Gateway Last Use Total Uses Interface
> ICMP redirect cache is empty
>
> i have another device cisco ME-C6524GT-8S with IOS
> s6523-advipservicesk9-mz.122-18.ZU2.bin
>
> its configured the same way
> but when issuing the show ip route or show ip route 0.0.0.0
>
> router#sh ip route
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
> i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
> level-2
> ia - IS-IS inter area, * - candidate default, U - per-user static
> route
> o - ODR, P - periodic downloaded static route
>
> Gateway of last resort is 10.0.0.1 to network 0.0.0.0
>
> 10.0.0.0/27 is subnetted, 1 subnets
> C 10.0.0.96 is directly connected, Vlan1
> S* 0.0.0.0/0 [1/0] via 10.0.0.3
>
> is that normal ??
>
>
> Thanks in advance
>

From bluffmaster4hearts at gmail.com Mon Nov 2 06:35:03 2009
From: bluffmaster4hearts at gmail.com (bharath kondi)
Date: Mon, 2 Nov 2009 19:35:03 +0800
Subject: [c-nsp] Can Ping Websites but cannot browse.
Message-ID: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>

Dear All,

I have a strange situation, I can browse the websites but cannot browse them. Please share your finding with me.

Thanks and Regards,
Bharath

From p.mayers at imperial.ac.uk Mon Nov 2 07:34:56 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 02 Nov 2009 12:34:56 +0000
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
Message-ID: <4AEED1F0.5050007@imperial.ac.uk>

bharath kondi wrote:
> Dear All,
>
> I have a strange situation, I can browse the websites but cannot browse
> them.

Check for MTU issues

From yanf787 at yahoo.com Mon Nov 2 07:58:39 2009
From: yanf787 at yahoo.com (Yan Filyurin)
Date: Mon, 2 Nov 2009 04:58:39 -0800 (PST)
Subject: [c-nsp] is L2TPv3 right for me?
In-Reply-To: <20091101201609.GA6221@danton.fire-world.de> References: <290EF89F13F04F4E924BB235A46D18F1043B4D24DB@MLBMXUS2.cs.myharris.net> <20091101201609.GA6221@danton.fire-world.de> Message-ID: <994248.36438.qm@web58702.mail.re1.yahoo.com> I would agree with that and I was testing it some time ago and tests involved ISRs, 7206-G1 and 10720 and 10720 was the only device that could do this and even Cisco was surprised. L2TPv3 is not supported in hardware of most devices and in case of 10720 it just had enough processing power. With larger frames, the throughput would increase as, there would less packets to encapsulate, but I never saw with 1400 byte frames anything that went beyond 100 Mbps. EoMPLS might be a better choice (still not sure about G1) and they might just bring L2TPv3 to ASR one day, if they unless they already did. ________________________________ From: Sebastian Wiesinger To: cisco-nsp at puck.nether.net Sent: Sun, November 1, 2009 3:16:09 PM Subject: Re: [c-nsp] is L2TPv3 right for me? * Church, Charles [2009-10-31 18:59]: > Hey all, > > destinations are sent across, etc)... The link provided will > be gigabit, but with encryption overhead, probably need at > most 900 mbit throughput, mostly using full-size frames as > traffic will be mostly migration data. I've got a couple > 7206s available with NPE-G1. I'm thinking that will work. > Any thoughts? I don't have numbers at the moment but IRRC NPE-G1 can't handle anything near 900MBit/s of L2TPv3 traffic.. Regards, Sebastian -- New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. 
-- Terry Pratchett, The Fifth Elephant _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From Bret.Jaquish at Navistar.com Mon Nov 2 09:01:19 2009 From: Bret.Jaquish at Navistar.com (Jaquish, Bret) Date: Mon, 2 Nov 2009 08:01:19 -0600 Subject: [c-nsp] ubr npe-g2 vs 7200 npe-g2 In-Reply-To: <20091030220727.GL163@greenie.muc.de> References: <089163D0929CFA4EA9611E1BC86D97530238B4727B@BRKSVW125.ad.navistar.com> <20091030220727.GL163@greenie.muc.de> Message-ID: <089163D0929CFA4EA9611E1BC86D97530238DC3621@BRKSVW125.ad.navistar.com> Again this is only concerning the NPE-G1 according to them.. (I can only go by what Cisco is saying, since I don't know myself) "The Cisco 7200 VXR routers and Cisco uBR7200 series routers use different models of the NPE-G1 processor" According to them.... 1. The Processors are different. 2. They have different labels (duh). 3. They use different boot helper images (maybe because of the different processor?). I wish I had a spare to test it out with. If anyone has both, it would be interesting to see the differences. Bret -----Original Message----- From: Gert Doering [mailto:gert at greenie.muc.de] Sent: Friday, October 30, 2009 5:07 PM To: Jaquish, Bret Cc: Joe Pruett; Arie Vayner (avayner); cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ubr npe-g2 vs 7200 npe-g2 Hi, On Fri, Oct 30, 2009 at 02:40:15PM -0500, Jaquish, Bret wrote: > The NPE-G1 cards have a more detailed explanation: > > "The Cisco 7200 VXR routers and Cisco uBR7200 series routers use different models of the NPE-G1 processor. For the Cisco 7200 VXR routers , order the NPE-G1 or NPE-G1= product. For the Cisco uBR7200 series router, order the UBR7200-NPE-G1 or UBR7200-NPE-G1= product. 
> The two models of NPE-G1 have different labels and use different boot helper images, and they cannot be interchanged between the Cisco 7200 VXR routers and Cisco uBR7200 series routers."

I'm not sure if I find "have different labels" a compelling reason for not being interchangeable (or having different PPS specs).

Boot helper is one of the most misunderstood parts of the 7200 series anyway... (*and* it can be changed).

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From eng_mssk at hotmail.com Mon Nov 2 09:35:40 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 2 Nov 2009 16:35:40 +0200
Subject: [c-nsp] WiMAX CPE Traffic
Message-ID:

our WiMAX CPEs are not SNMP enabled
is there anyway that we can graph or know the traffic of each customer??

Thanks in advance

From rubensk at gmail.com Mon Nov 2 09:47:47 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Mon, 2 Nov 2009 12:47:47 -0200
Subject: [c-nsp] WiMAX CPE Traffic
In-Reply-To:
References:
Message-ID: <6bb5f5b10911020647w4cee12d9t7547563c91719d83@mail.gmail.com>

If you are talking about BreezeMAX 802.16d CPEs, the BreezeMAX 802.16d BST have specific OIDs for graphing the per-CPE or per-service flow traffic.

If your customers have one VLAN each, you can graph on the Cisco device using the VLAN or Interface VLAN counters. If all customers share a single VLAN, you will probably have to look at another way to measure their traffic (like RADIUS Stop and interim records).

Rubens

2009/11/2 Mohammad Khalil :
>
> our WiMAX CPEs are not SNMP enabled
> is there anyway that we can graph or know the traffic of each customer??
>
> Thanks in advance

From philxor at gmail.com Mon Nov 2 09:54:03 2009
From: philxor at gmail.com (Phil Bedard)
Date: Mon, 2 Nov 2009 09:54:03 -0500
Subject: [c-nsp] WiMAX CPE Traffic
In-Reply-To:
References:
Message-ID:

Netflow?

Phil

On Nov 2, 2009, at 9:35 AM, Mohammad Khalil wrote:
>
> our WiMAX CPEs are not SNMP enabled
> is there anyway that we can graph or know the traffic of each
> customer??
>
> Thanks in advance
>
From zeusdadog at gmail.com Mon Nov 2 09:55:33 2009
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 2 Nov 2009 09:55:33 -0500
Subject: [c-nsp] Cisco vs. Juniper
Message-ID: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com>

All,

For various reasons, I have never really gotten into researching Juniper products. It seems time for me to start looking into it but it seems daunting because their products are as vast as Cisco. Knowing Cisco products and those little caveats, I am sure Juniper has the same things with various products that you won't find until you either start using it or read mailing lists for 3 years.

Anyway, the reason for posting to Cisco-NSP list is, not so much about asking about Juniper products but those who have looked at both and decided to go with Cisco, what made you go with Cisco? We are not at the level to use 7600/NX/CSR yet and more interested in ASA/ISR equivalent for customer side use.

I know this is kind of a general question but it would be helpful.

Thanks!

Jay Nakamura

From alex at digriz.org.uk Mon Nov 2 09:26:24 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Mon, 2 Nov 2009 14:26:24 +0000
Subject: [c-nsp] Can Ping Websites but cannot browse.
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk>
Message-ID:

Phil Mayers wrote:
>
> bharath kondi wrote:
>>
>> I have a strange situation, I can browse the websites but cannot browse
>> them.
>
> Check for MTU issues
>
It is pretty impressive to screw up non-SSLed traffic with an MTU issue, I would be more inclined to think it's something else.
Real Men(tm) use tcptraceroute:
----
alex at chipmunk:~$ tcptraceroute www.google.com 80
Selected device bond0, address 195.195.131.226, port 47429 for outgoing packets
Tracing the path to www.google.com (209.85.227.106) on TCP port 80 (www), 30 hops max
 1  no-reverse-defined.ja.net (195.195.131.225)  0.324 ms  0.243 ms  0.241 ms
 2  so-1-3-2.read-sbr1.ja.net (146.97.34.157)  0.762 ms  0.752 ms  0.750 ms
 3  so-6-0-0.lond-sbr3.ja.net (146.97.33.166)  2.020 ms  2.047 ms  2.191 ms
 4  te1-1.lond-ban3.ja.net (146.97.35.98)  2.345 ms  2.236 ms  2.142 ms
 5  google.lond-ban3.ja.net (193.62.157.30)  2.206 ms  2.228 ms  2.218 ms
 6  209.85.252.76  8.794 ms  2.399 ms  2.358 ms
 7  72.14.232.134  8.328 ms  8.423 ms  8.225 ms
 8  216.239.49.45  8.280 ms  8.370 ms  8.287 ms
 9  209.85.243.93  13.284 ms  8.821 ms  17.787 ms
10  * * *
11  * * *
12  wy-in-f106.1e100.net (209.85.227.106) [open]  9.765 ms  9.779 ms  9.753 ms
----
....they also give a descriptive breakdown of the problem they are having, what their setup is, any logs and also what they have tried already.

However this is a reply to Phil not the OP... :)

Cheers

--
Alexander Clouter
.sigmonster says: Am I SHOPLIFTING?

From Ian.Mackinnon at atosorigin.com Mon Nov 2 10:14:47 2009
From: Ian.Mackinnon at atosorigin.com (Mackinnon, Ian)
Date: Mon, 2 Nov 2009 15:14:47 +0000
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com>
Message-ID: <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com>

Hi Jay,

In the past I have compared M7i with ASR1k.

The major comparison seemed to be that for about the same sort of money Cisco gave you a box with 4 Gig interfaces present whilst J gave you one, and adding more was very expensive.

Throughputs would have been about the same, and one thing that bit us on the Juniper side was you can't hope to use Netflow in a real environment without an expensive services PIC.
Ian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
Sent: 02 November 2009 14:56
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco vs. Juniper

All,

For various reasons, I have never really gotten into researching Juniper products. It seems time for me to start looking into it but it seems daunting because their products are as vast as Cisco. Knowing Cisco products and those little caveats, I am sure Juniper has the same things with various products that you won't find until you either start using it or read mailing lists for 3 years.

Anyway, the reason for posting to Cisco-NSP list is, not so much about asking about Juniper products but those who have looked at both and decided to go with Cisco, what made you go with Cisco? We are not at the level to use 7600/NX/CSR yet and more interested in ASA/ISR equivalent for customer side use.

I know this is kind of general question but it would be helpful.

Thanks!

Jay Nakamura

From p.mayers at imperial.ac.uk Mon Nov 2 10:37:43 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 02 Nov 2009 15:37:43 +0000
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To:
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk>
Message-ID: <4AEEFCC7.10505@imperial.ac.uk>

Alexander Clouter wrote:
> Phil Mayers wrote:
>> bharath kondi wrote:
>>> I have a strange situation, I can browse the websites but cannot browse
>>> them.
>> Check for MTU issues
>>
> It is a pretty impressive to screw up non-SSLed traffic with an MTU
> issue, I would be more inclined to think it's something else.

That directly contradicts my experience. I have observed widespread failures with ordinary HTTP traffic when MTU problems occur. It depends very much on the website you're hitting and their architecture, as well as the nature of the MTU problem.

From sthaug at nethelp.no Mon Nov 2 10:52:54 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 02 Nov 2009 16:52:54 +0100 (CET)
Subject: [c-nsp] Cisco vs.
Juniper In-Reply-To: <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> Message-ID: <20091102.165254.74705593.sthaug@nethelp.no> > In the past I have compared M7i with ASR1k The M7i is getting a bit long in the tooth, so a better comparison might be ASR1k vs MX80. One important difference if you need a box *now* is of course that MX80 has been announced but I haven't seen it in the price lists yet. > The major comparison seemed to be that for about the same sort of money > Cisco gave you a box with 4 Gig interfaces present whilst J gave you > one, and adding more was very expensive. Agreed, full capacity GigE ports on the M7i are expensive. However, the (overbooked) 4 port IQ2 works very well. > Throughputs would have been about the same, and one thing that bit us on > the Juniper side was you can't hope to use Netflow in a real environment > without an expensive services PIC. Here I'd have to disagree. Sampled netflow works very well without a services PIC. If you don't do sampling the situation is different. Steinar Haug, Nethelp consulting, sthaug at nethelp.no From sthaug at nethelp.no Mon Nov 2 11:12:44 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Mon, 02 Nov 2009 17:12:44 +0100 (CET) Subject: [c-nsp] Cisco vs. Juniper In-Reply-To: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> Message-ID: <20091102.171244.41672267.sthaug@nethelp.no> > Anyway, the reason for posting to Cisco-NSP list is, not so much about > asking about Juniper products but those who have looked at both and > decided to go with Cisco, what made you go with Cisco? We are not at > the level to use 7600/NX/CSR yet and more interested in ASA/ISR > equivalent for customer side use. 
For the CPE side we've stuck to 800/1800/2800/3800 for the simple reason that the relevant employees had lots of Cisco experience, and the Juniper J series didn't have enough interesting features/higher capacity/lower cost that we had a reason to start using it. We have a couple in the lab... Steinar Haug, Nethelp consulting, sthaug at nethelp.no From oliver.gorwits at oucs.ox.ac.uk Mon Nov 2 11:25:58 2009 From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits) Date: Mon, 02 Nov 2009 16:25:58 +0000 Subject: [c-nsp] Can Ping Websites but cannot browse. In-Reply-To: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> Message-ID: <4AEF0816.9000403@oucs.ox.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 bharath kondi wrote: > I have a strange situation, I can browse the websites but cannot browse > them. Could there be a near-dead media converter in your path? I have seen this happen once or twice. If it feels like you could fry an egg on it, swap it out. regards, oliver. - -- Oliver Gorwits, Network and Telecommunications Group, Oxford University Computing Services -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrvCBYACgkQ2NPq7pwWBt60lwCePLmcixy+asBhbPsqaXlngbXK +O4AoJr9LDUYM1Cx52Me3v1y0y77derD =EKzP -----END PGP SIGNATURE----- From gsgranados at comcast.net Mon Nov 2 11:29:43 2009 From: gsgranados at comcast.net (Scott Granados) Date: Mon, 2 Nov 2009 08:29:43 -0800 Subject: [c-nsp] Can Ping Websites but cannot browse. References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <4AEEFCC7.10505@imperial.ac.uk> Message-ID: <001501ca5bd9$b5de3530$2508120a@am.thmulti.com> I second that. I've seen this as an MTU problem more times than not. 
From prospanogi at gmail.com Mon Nov 2 11:51:26 2009
From: prospanogi at gmail.com (Giuseppe Spano)
Date: Mon, 2 Nov 2009 17:51:26 +0100
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <001501ca5bd9$b5de3530$2508120a@am.thmulti.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <4AEEFCC7.10505@imperial.ac.uk> <001501ca5bd9$b5de3530$2508120a@am.thmulti.com>
Message-ID: <7bcb682b0911020851p2d55d40cs346b4cfddaf90f28@mail.gmail.com>

Bharath,

try to ping the site you cannot browse with increasing ICMP payloads and see if/when you stop receiving echo replies. This could give a final idea about the nature of the problem.

Regards,
Giuseppe

On Mon, Nov 2, 2009 at 5:29 PM, Scott Granados wrote:
> I second that. I've seen this as an MTU problem more times than not.

From Jonathan.Brashear at hq.speakeasy.net Mon Nov 2 11:52:41 2009
From: Jonathan.Brashear at hq.speakeasy.net (Jonathan Brashear)
Date: Mon, 2 Nov 2009 08:52:41 -0800
Subject: [c-nsp] ASA VPN best practices request
Message-ID: <725755F5E728EE4086DAAF1A54DACF4F1A2F24E2E9@sea5exbe1.speakeasy.hq>

One of my current projects at work is to overhaul the configs on the customer firewalls, specifically the ASA 5500 series. I'm trying to adapt & standardize current config templates, especially the implementation side & even more specifically how we handle NAT & VPN setups.

If anyone has suggestions on best practices of how to implement standard builds on VPNs (both client & clientless) running in a NATed environment (common pitfalls to avoid, etc.) or good sites dealing with this beyond the Cisco KB/forums, I'd appreciate it.

Network Engineer, JNCIS-M
> 214-981-1954 (office)
> 214-642-4075 (cell)
> jbrashear at hq.speakeasy.net
http://www.speakeasy.net

From Ian.Mackinnon at atosorigin.com Mon Nov 2 12:14:30 2009
From: Ian.Mackinnon at atosorigin.com (Mackinnon, Ian)
Date: Mon, 2 Nov 2009 17:14:30 +0000
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102.165254.74705593.sthaug@nethelp.no>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no>
Message-ID: <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>

Not wanting to disagree with the mighty Steinar :-)

If you have any significant amount of traffic you need to be sampling at over 1/1000 or you will kill the link to the main CPU. Juniper and our 3rd party support company explicitly said "don't do it".

We had a couple of incidents where our traffic went to a full 1G and our 1/100 sampling totally killed the box.

Up until then, I thought if an M7i did anything, it did it at full line rate, always.

Ian

-----Original Message-----
From: sthaug at nethelp.no [mailto:sthaug at nethelp.no]
Sent: 02 November 2009 15:53
To: Mackinnon, Ian
Cc: zeusdadog at gmail.com; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco vs. Juniper

> In the past I have compared M7i with ASR1k

The M7i is getting a bit long in the tooth, so a better comparison might be ASR1k vs MX80. One important difference if you need a box *now* is of course that MX80 has been announced but I haven't seen it in the price lists yet.

> The major comparison seemed to be that for about the same sort of money
> Cisco gave you a box with 4 Gig interfaces present whilst J gave you
> one, and adding more was very expensive.

Agreed, full capacity GigE ports on the M7i are expensive. However, the (overbooked) 4 port IQ2 works very well.

> Throughputs would have been about the same, and one thing that bit us on
> the Juniper side was you can't hope to use Netflow in a real environment
> without an expensive services PIC.

Here I'd have to disagree. Sampled netflow works very well without a services PIC. If you don't do sampling the situation is different.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From cluestore at gmail.com Mon Nov 2 12:25:13 2009
From: cluestore at gmail.com (Clue Store)
Date: Mon, 2 Nov 2009 11:25:13 -0600
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <4AEED1F0.5050007@imperial.ac.uk>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk>
Message-ID: <580af3b90911020925r2d7d3dcfg9473e985794ec330@mail.gmail.com>

mturoute is your friend.....

http://www.elifulkerson.com/projects/mturoute.php

On Mon, Nov 2, 2009 at 6:34 AM, Phil Mayers wrote:
> bharath kondi wrote:
>> Dear All,
>>
>> I have a strange situation, I can browse the websites but cannot browse
>> them.
>
> Check for MTU issues

From ras at e-gerbil.net Mon Nov 2 12:29:24 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 2 Nov 2009 11:29:24 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102.165254.74705593.sthaug@nethelp.no>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no>
Message-ID: <20091102172924.GT51443@gerbil.cluepon.net>

On Mon, Nov 02, 2009 at 04:52:54PM +0100, sthaug at nethelp.no wrote:
> > In the past I have compared M7i with ASR1k
>
> The M7i is getting a bit long in the tooth, so a better comparison
> might be ASR1k vs MX80. One important difference if you need a box
> *now* is of course that MX80 has been announced but I haven't seen it
> in the price lists yet.
They're actually coming out with (or may already be shipping, I don't follow these boxes that closely) a replacement CFEB for M7i/M10i which uses the I-Chip (the same fwding hw as M120 and the current generation of MX). This should give it a slightly longer shelf life, as it will add a bunch of modern features and some additional fib capacity that didn't exist in the old hardware.

Still though, this is a very old box (it came out in 2003, as a lower production cost refresh on the M5/M10 which came out in 2000). The CFEB won't fix the very limited capacity, so it wouldn't be a fair comparison against a modern box. MX80 would indeed be a much closer comparison, though the feature set is still pretty different.

> Here I'd have to disagree. Sampled netflow works very well without a
> services PIC. If you don't do sampling the situation is different.

IIRC the default limit for sampled netflow (at least on M7i generation platforms, I can't speak to MX80 or the like) was 7000pps per FPC. So if for example you sampled every 1:1024 packets this would be good for 7.1Mpps of analyzed traffic per FPC (i.e. more than the box will ever be able to forward).

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From cluestore at gmail.com Mon Nov 2 12:41:18 2009
From: cluestore at gmail.com (Clue Store)
Date: Mon, 2 Nov 2009 11:41:18 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>
Message-ID: <580af3b90911020941r46ae845bk579771a631ef1bd6@mail.gmail.com>

Juniper supports sFlow which can run at higher speeds (full line rate described in their docs), which is what we use.

As far as the Cisco vs Juniper argument, we make use of both vendors on our network. For CPE, it's almost hard to beat Cisco with feature set and price. Also, as Steinar mentioned, Junos has a little learning curve for someone that's never used it before and is branded in the Cisco cool-aid. We also use Cisco 7600/6500 in our core. For edge/internet peering, we use Juniper M series. IMHO, up until a few years ago, before the ASR line came out, Cisco didn't have a router in that price range that could forward in hardware, so the M series for that role was a no brainer.

Clue

On Mon, Nov 2, 2009 at 11:14 AM, Mackinnon, Ian <Ian.Mackinnon at atosorigin.com> wrote:
> Not wanting to disagree with the mighty Steinar :-)
> If you have any significant amount of traffic you need to be sampling at
> over 1/1000 or you will kill the link to main cpu. Juniper and our 3rd
> party support company explicitly said "don't do it"
>
> We had a couple of incidents where our traffic went to a full 1G and our
> 1/100 sampling totally killed the box.
>
> Up until then, I thought if a M7i did anything, it did it at full line
> rate, always.
>
> Ian

From ras at e-gerbil.net Mon Nov 2 12:43:06 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 2 Nov 2009 11:43:06 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>
References: <20091102.165254.74705593.sthaug@nethelp.no> <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>
Message-ID: <20091102174306.GU51443@gerbil.cluepon.net>

On Mon, Nov 02, 2009 at 05:14:30PM +0000, Mackinnon, Ian wrote:
> Not wanting to disagree with the mighty Steinar :-)
> If you have any significant amount of traffic you need to be sampling at
> over 1/1000 or you will kill the link to main cpu. Juniper and our 3rd
> party support company explicitly said "don't do it"
>
> We had a couple of incidents where our traffic went to a full 1G and our
> 1/100 sampling totally killed the box.

It is only a 100Mbps link between the routing engine and CFEB, but I don't think you'd be filling the port even with 1/100 sampling. You'd certainly overload the software sampling capacity, and I suppose you might bump a hard coded rate limit they never expected anyone to bump (which sounds like the case, if it broke regular forwarding). Don't do 1/100 sampling and you'll be fine. :)

> Up until then, I thought if a M7i did anything, it did it at full line
> rate, always.

Actually it doesn't do line rate forwarding either. The "FPC1" component (the 4 main PIC slots) does a peak of 3.2Gbps full duplex, before taking into account jcell overhead (this is a limitation of access to the packet buffer memory). Under artificial conditions (65 byte packets, which consume 2 64-byte jcells) you can force performance down to just under 2.5Gbps.

Remember the FPC1 was originally designed for OC48s back in 1998 when Cisco had nothing that could compete with it. It's a testament to the quality of the design that you can still use it for a couple GE's under non-extreme traffic conditions today (I don't see anyone still trying to use their 7500s to do the same :P), but obviously it's not going to compete with modern hardware.

At any rate, this is the wrong list so I'll stop responding with Juniper information unless you wanna move it over to j-nsp. :)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From moua0100 at umn.edu Mon Nov 2 12:51:54 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Mon, 02 Nov 2009 11:51:54 -0600
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <20091102172924.GT51443@gerbil.cluepon.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net>
Message-ID: <4AEF1C3A.3070601@umn.edu>

C-NSP Wizards:

Our Cisco account team seems to be touting the ASA appliance (in a cluster configuration) as the preferred solution for remote access client VPN (IPSec & SSL); as such my question then is: Is it possible to make an ASA be "vrf-aware"?
I will use vrf-aware IOS terminology to describe my goals:

* terminate remote access VPN client traffic on "outside" interface ("front-door vrf")
* re-direct decrypted traffic to "inside" interface ("inside vrf") towards enterprise apps

I tried to use the "group-policy" vlan mapping feature and only achieved some success in redirecting traffic out different egress vlans/interfaces. Here are my findings on why the vlan-mapping feature on the Cisco ASA will not work in our environment (I stand by this unless Cisco have other means that I do not know of that will achieve "vrf-aware" connectivity from the ASA):

* vlan map can re-direct traffic out egress vlan (only at layer 2)
* layer 3 routes still needed from the ASA for outbound traffic to egress vlan
  + asa only allowed one default route in routed, single mode
* if this is to work for "vrf-aware" client vpn connection, I'm thinking a default route per egress vlan will be needed; I was not able to do this
* vlan mapping does work, but only for simple routing environments; not really geared for multiple VRFs that get connected to a MPLS backbone and border with BGP & OSPF inter-related workings

So I proceeded to consider a design that assumes that the ASA will only do remote access termination and leaves the "vrf-awareness" ("vrf-enabled") capabilities to the underlying network; this is what I came up with:

vpn_host_1 <==> IP_Cloud <==> ASA_VPN-Pool-A <==> PBR_BlackBox <==> VRF_A
vpn_host_2 <==> IP_Cloud <==> ASA_VPN-Pool-B <==> PBR_BlackBox <==> VRF_B

* ASA strictly doing remote access ipsec/ssl client vpn termination; btw, this really simplifies the ASA config significantly
* ASA has ingress for client vpn termination & egress for decrypted traffic
* decrypted traffic handled by "black box" (in this case catalyst-3750 running router code) that does "policy based routing" based on source IP of client vpn ip pools

pros:
* ASA relegated to doing only client vpn termination
* simplified config per components
* PBR moved to another box to facilitate "vrf-aware" client vpn
  + simple routing on the ASA
* one default route
* no dynamic routing required

cons:
* more equipment needed in addition to ASA
* downstream failure may not trigger a VPN cluster member to be down (as it should in my opinion); what is needed is something like BFD (bi-directional forward detect) or some form of more intelligent route tracking (this may yet be possible; I've got to think more about this)
* overall design complexity increase because "vrf-enabled" moved off ASA

At minimum, I think this design will work for our needs; this design assumes additional complex components that I'd like to avoid if possible (PBR on a "black box" device).

Let me know what folks think; I'd really appreciate any ideas or feedback.

** Note: if the ASA was truly VRF-aware like its IOS brethren then all of this extra complexity may be minimized.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

From ras at e-gerbil.net Mon Nov 2 13:09:22 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 2 Nov 2009 12:09:22 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <580af3b90911020941r46ae845bk579771a631ef1bd6@mail.gmail.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com> <580af3b90911020941r46ae845bk579771a631ef1bd6@mail.gmail.com>
Message-ID: <20091102180922.GV51443@gerbil.cluepon.net>

On Mon, Nov 02, 2009 at 11:41:18AM -0600, Clue Store wrote:
> Juniper supports sFlow which can run at higher speeds (full line rate
> described in their docs) which is what we use.

Only the EX-series supports sFlow, not the real Juniper boxes. And no, you can't run anything close to 1:1 sampling on it; the limitations are roughly the same as with NetFlow, since you're still talking about hardware sampling but software processing (and traversing the internal communications link to the RE with the sampled packets).

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From berghauz at gmail.com Mon Nov 2 13:42:00 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Mon, 2 Nov 2009 21:42:00 +0300
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
Message-ID: <13d85870911021042p68c606b5w128a02ffd76ef486@mail.gmail.com>

Hello.

Do you have an MPLS network? Maybe you need to look at the MPLS MTU. In any case, it's an MTU problem.

WBR
Aleksey Polyakoff
ICQ:9001016
Ogden Nash - "The trouble with a kitten is that when it grows up, it's always a cat."

2009/11/2 bharath kondi
> Dear All,
>
> I have a strange situation, I can browse the websites but cannot browse
> them.
>
> Please share your finding with me.
>
> Thanks and Regards,
>
> Bharath

From pl+list at pmacct.net Mon Nov 2 14:18:03 2009
From: pl+list at pmacct.net (Paolo Lucente)
Date: Mon, 2 Nov 2009 19:18:03 +0000
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102172924.GT51443@gerbil.cluepon.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net>
Message-ID: <20091102191803.GA22485@london.pmacct.net>

On Mon, Nov 02, 2009 at 11:29:24AM -0600, Richard A Steenbergen wrote:
> > Here I'd have to disagree. Sampled netflow works very well without a
> > services PIC. If you don't do sampling the situation is different.
>
> IIRC the default limit for sampled netflow (at least on M7i generation
> platforms, I can't speak to MX80 or the like) was 7000pps per FPC. So if
> for example you sampled every 1:1024 packets this would be good for
> 7.1Mpps of analyzed traffic for FPC (i.e. more than the box will ever be
> able to forward).

Capacity apart, another good subject for the thread is that without a services DPC, you are realistically trapped to NetFlow v5, which these days might or might not be a problem. IPv6, 32-bit ASNs, L2 information come to mind ... At least, this is so far.

Cheers,
Paolo

From ploopster at gmail.com Mon Nov 2 14:20:24 2009
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Mon, 02 Nov 2009 14:20:24 -0500
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
Message-ID: <4AEF30F8.6070205@gmail.com>

bharath kondi wrote:
> Dear All,
>
> I have a strange situation, I can browse the websites but cannot browse
> them.
>
> Please share your finding with me.

That's often caused by MTU problems. Are you on an ADSL line?

Peace... Sridhar

From ploopster at gmail.com Mon Nov 2 14:22:30 2009
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Mon, 02 Nov 2009 14:22:30 -0500
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <4AEEFCC7.10505@imperial.ac.uk>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <4AEEFCC7.10505@imperial.ac.uk>
Message-ID: <4AEF3176.9010908@gmail.com>

Phil Mayers wrote:
> Alexander Clouter wrote:
>> It is pretty impressive to screw up non-SSLed traffic with an MTU
>> issue, I would be more inclined to think it's something else.
>
> That directly contradicts my experience. I have observed widespread
> failures with ordinary HTTP traffic when MTU problems occur.
>
> It depends very much on the website you're hitting and their
> architecture, as well as the nature of the MTU problem.

One reason why it causes so many problems is that people sometimes ignore (or drop in the firewall) PMTUD messages.

Peace... Sridhar

From dwcarder at wisc.edu Mon Nov 2 14:45:50 2009
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Mon, 02 Nov 2009 13:45:50 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102191803.GA22485@london.pmacct.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <20091102191803.GA22485@london.pmacct.net>
Message-ID: <3C8E65F0-E9B8-4691-B4BB-3E246C8A3A58@wisc.edu>

On Nov 2, 2009, at 1:18 PM, Paolo Lucente wrote:
>
> Capacity apart, another good subject for the thread is that without a
> services DPC, you are realistically trapped to NetFlow v5, which these
> days might or might not be a problem. IPv6, 32-bit ASNs, L2
> information
> come to the mind ...

AFAIK, junos does not have a netflow v9 template that can export both v4 and v6 simultaneously. However, I thought I saw somewhere that 9.6 has a hack to get 32-bit ASN's in netflow v5.

Dale

From rwest at zyedge.com Mon Nov 2 14:48:47 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 2 Nov 2009 14:48:47 -0500
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <4AEF1C3A.3070601@umn.edu>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local>

Ge,

> I tried to use the "group-policy" vlan mapping feature on only achieved
> some success to redirect traffic out different
> egress vlans/interface.

Will you be using split-tunneling? If you set each of your internal dot1q interfaces to the same security level and do not enable same-security permit-intrainterface, I don't think you'll need the VLAN mapping.

> Here are my findings why the vlan-mapping feature on the Cisco ASA will
> not work in our environment (I stand by this unless Cisco have other
> means that I do know of that will achieve "vrf-aware" connectivity from
> the ASA):
> * vlan map can re-direct traffic out egress vlan (only at layer 2)
> * layer 3 routes still needed from the ASA for outbound traffic to
> egress vlan
> + asa only allowed one default route in routed, single mode

In multiple context, VPNs do not work. This is on the list of things to be added, but there has been no indication of when.

> * if this is to work for "vrf-aware" client vpn connection, I'm
> thinking a default route per egress vlan will be needed; I was not able
> to do this

I used a 3560 for this role and just ran VRF-lite for each customer / enterprise app environment.

> * vlan mapping does work, but only for simple routing environments; not
> really geared for multiple VRFs that get connected to a MPLS backbone
> and border with BGP & OSPF inter-related workings
>
> So I proceeded to consider a design that assume that the ASA will only
> do remote access termination and leave the "vrf-awarness"
> ("vrf-enabled") capabilities to the underlying network; this is what I
> came up with:
>
> vpn_host_1 <==> IP_Cloud <==> ASA_VPN-Pool-A <==> PBR_BlackBox <==> VRF_A
> vpn_host_2 <==> IP_Cloud <==> ASA_VPN-Pool-B <==> PBR_BlackBox <==> VRF_B
>
> * ASA strictly doing remote access ipsec/ssl client vpn termination;
> btw, this really simplifies the ASA config significantly

That's currently the only role I have enabled for that pair. Customer traffic is terminated based on group-policy mapping, with environment specific AAA servers referenced. For the SSL-VPN traffic, I had to create a number system matching kludge where each customer had a 7 digit number that corresponds to their environment, which they select during logon.

> * ASA has ingress for client vpn termination & egress for decrypted
> traffic
> * decrypted traffic handled by "black box" (in this case catalyst-3750
> running router code) that does "policy based routing" based on source IP
> of client vpn ip pools

You should be able to get 24 VRFs on that box IIRC.
> pros: > * ASA relegated to doing only client vpn termination > * simplified config per components > * PBR moved to another box to facilitate "vrf-aware" client vpn > + simple routing on the ASA > * one default route > * no dynamic routing required > > cons: > * more equipment needed in addition to ASA > * downstream failure may not trigger a VPN cluster member to be down > (as > it should in my opinion); what is needed is something like BFD > (bi-directional forward detect) or some form of more intelligent route > tracking (this may yet be possible; I've got to think more about this) > * overall design complexity increase because "vrf-enabled" moved off > ASA > > At minimum, I think this design will work for our needs; this design > assumes additional complex components that I like to avoid if possible > (PBR on a "black box" device"). > > Let me know what folks think; I'd really appreciate any ideas or > feedback. > > ** Note > If the ASA was truly VRF-aware like its IOS brethren then all of > this > extra complexity may be minimized. > > Regards, > Ge Moua | Email: moua0100 at umn.edu > > Network Design Engineer > University of Minnesota | Networking & Telecommunications Services > Thanks, -ryan From rwest at zyedge.com Mon Nov 2 15:04:10 2009 From: rwest at zyedge.com (Ryan West) Date: Mon, 2 Nov 2009 15:04:10 -0500 Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> Ge, Just wanted to add one more thing. 
> * decrypted traffic handled by "black box" (in this case catalyst- > 3750 I've had very poor performance using the 3750 for PBR functions, have you tried to push any load through it? -ryan From cnsp at shreddedmail.com Mon Nov 2 16:04:29 2009 From: cnsp at shreddedmail.com (Rick Ernst) Date: Mon, 2 Nov 2009 13:04:29 -0800 Subject: [c-nsp] eBGP multihop, link failure, and multi-path IGP (OSPF) Message-ID: We have some eBGP neighbors that have their peering session reset in the case of link failure (root-cause analysis and problem resolution as a separate subject). The peers are connected via loopback interfaces and multi-path OSPF. bgp fast-external-failover is supposed to be used for directly connected eBGP peers, but it seems like a link failure on a pair of redundant (layer-3) links is also causing the peer to go down:

Nov 1 11:33:12 10.56.205.1 %OSPF-5-ADJCHG: Process 1, Nbr a.b.c.d on FastEthernet8/0/0 from EXSTART to DOWN, Neighbor Down: Interface down or detached
Nov 1 11:33:12 10.56.205.1 %BGP-5-ADJCHANGE: neighbor w.x.y.z Down Interface flap

The destination to the peer is still in the FIB, and the peer comes back up almost immediately (in this case, about 15 seconds). I'm considering disabling fast-external-failover, but want to better understand the event. The eBGP peer is not "directly connected" on the interface. It is reachable via a loopback peering IP with multi-path OSPF. Is this expected behavior (any link with a route to the destination going down will cause the session to go down)? Any gotchas with disabling fast-failover? 
Thanks, From peter at rathlev.dk Mon Nov 2 17:10:16 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 02 Nov 2009 23:10:16 +0100 Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> Message-ID: <1257199816.18763.5.camel@abehat.net.rm.dk> On Mon, 2009-11-02 at 15:04 -0500, Ryan West wrote: > > * decrypted traffic handled by "black box" (in this case catalyst- > > 3750 > > I've had very poor performance using the 3750 for PBR functions, have > you tried to push any load through it? We're using a couple of 3560s for PBR with no problems forwarding 100 Mbps+. There's no CPU load from the forwarding itself. We haven't tried actually pushing it yet but are planning to try sometime soon. The 3560 needs the "routing" SDM template for this to work; I guess the 3750 also needs this. -- Peter From dcp at dcptech.com Mon Nov 2 16:34:57 2009 From: dcp at dcptech.com (David Prall) Date: Mon, 2 Nov 2009 16:34:57 -0500 Subject: [c-nsp] eBGP multihop, link failure, and multi-path IGP (OSPF) In-Reply-To: References: Message-ID: <007401ca5c04$655786e0$300694a0$@com> Turn on PIC-Core:

cef table output-chain build favor convergence-speed
! please be wary of platform specific caveats
ip routing protocol purge interface
! purges interface routes and not routes that followed the interface, this will leave the BGP routes untouched.
This is the only thing I could find discussing it: http://www.cisco.com/en/US/docs/routers/10000/10008/configuration/guides/broadband/dffsrv.html#wp1191135 It is available on other platforms as well. David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Rick Ernst > Sent: Monday, November 02, 2009 4:04 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] eBGP multihop, link failure, and multi-path IGP (OSPF) > > We have some eBGP neighbors that have their peering session reset in > the > case of link failure (root-cause analysis and problem resolution as a > separate subject). The peers are connected via loopback interfaces and > multi-path OSPF. > > bgp fast-external-failover is supposed to be used for directly > connected > eBGP peers, but it seems like a link failure on a pair of redundant > (layer-3) links is also causing the peer to go down: > Nov 1 11:33:12 10.56.205.1 %OSPF-5-ADJCHG: Process 1, Nbr a.b.c.d on > FastEthernet8/0/0 from EXSTART to DOWN, Neighbor Down: Interface down > or > detached > Nov 1 11:33:12 10.56.205.1 %BGP-5-ADJCHANGE: neighbor w.x.y.z Down > Interface flap > > The destination to the peer is still in the FIB, and the peer comes > back up > almost immediately (in this case, about 15 seconds). > > I'm considering disabling fast-external-failover, but want to better > understand the event. The eBGP peer is not "directly connected" on the > interface. It is reachable via a loopback peering IP with multi-path > OSPF. > Is this expected behavior (any link with a route to the destination > going > down will cause the session to go down)? > > > Any gotchas with disabling fast-failover? 
> > Thanks, > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rwest at zyedge.com Mon Nov 2 17:21:46 2009 From: rwest at zyedge.com (Ryan West) Date: Mon, 2 Nov 2009 17:21:46 -0500 Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN In-Reply-To: <1257199816.18763.5.camel@abehat.net.rm.dk> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> <1257199816.18763.5.camel@abehat.net.rm.dk> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4697@zy-ex1.zyedge.local> > We're using a couple of 3560s for PBR with no problems forwarding 100 > Mbps+. There's no CPU load from the forwarding itself. We haven't tried > actually pushing it yet but are planning to try sometime soon. > > The 3560 needs the "routing" SDM template for this to work; I guess the > 3750 also needs this. What IOS version? I definitely had the proper SDM template applied, it won't work otherwise. 
-ryan From sethm at rollernet.us Mon Nov 2 17:54:08 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 02 Nov 2009 14:54:08 -0800 Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN In-Reply-To: <1257199816.18763.5.camel@abehat.net.rm.dk> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> <1257199816.18763.5.camel@abehat.net.rm.dk> Message-ID: <4AEF6310.1000703@rollernet.us> Peter Rathlev wrote: > On Mon, 2009-11-02 at 15:04 -0500, Ryan West wrote: >>> * decrypted traffic handled by "black box" (in this case catalyst- >>> 3750 >> I've had very poor performance using the 3750 for PBR functions, have >> you tried to push any load through it? > > We're using a couple of 3560s for PBR with no problems forwarding 100 > Mbps+. There's no CPU load from the forwarding itself. We haven't tried > actually pushing it yet but are planning to try sometime soon. > > The 3560 needs the "routing" SDM template for this to work; I guess the > 3750 also needs this. > As far as I've heard, the 3560 and 3750 are basically the same thing with the major difference being the stacking ports on the 3750. The NME etherswitch modules also identify as a 3750. ~Seth From peter at rathlev.dk Mon Nov 2 18:01:05 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 03 Nov 2009 00:01:05 +0100 Subject: [c-nsp] 3560/3750 policy routing Message-ID: <1257202865.18763.17.camel@abehat.net.rm.dk> On Mon, 2009-11-02 at 17:21 -0500, Ryan West wrote: > > We're using a couple of 3560s for PBR with no problems forwarding > > 100 Mbps+. There's no CPU load from the forwarding itself. 
We > > haven't tried actually pushing it yet but are planning to try > > sometime soon. > > > > The 3560 needs the "routing" SDM template for this to work; I guess > > the 3750 also needs this. > > What IOS version? I definitely had the proper SDM template applied, it > won't work otherwise. It has been running IOS 12.2(50)SE1 IP Services "all its life" (some months). When we started using it I was a little nervous if it would cope (and posted on this list about it too) but it performs splendidly for us. -- Peter From cphillips at wbsconnect.com Mon Nov 2 18:00:09 2009 From: cphillips at wbsconnect.com (Chris Phillips) Date: Mon, 02 Nov 2009 15:00:09 -0800 Subject: [c-nsp] Can Ping Websites but cannot browse. In-Reply-To: <001501ca5bd9$b5de3530$2508120a@am.thmulti.com> References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <4AEEFCC7.10505@imperial.ac.uk> <001501ca5bd9$b5de3530$2508120a@am.thmulti.com> Message-ID: <4AEF6479.3080202@wbsconnect.com> Thirded. I've seen this a lot as well. Scott Granados wrote: > I second that. I've seen this as an MTU problem more times than not. > > ----- Original Message ----- From: "Phil Mayers" > To: "Alexander Clouter" > Cc: > Sent: Monday, November 02, 2009 7:37 AM > Subject: Re: [c-nsp] Can Ping Websites but cannot browse. > > >> Alexander Clouter wrote: >>> Phil Mayers wrote: >>>> bharath kondi wrote: >>>>> I have a strange situation, I can browse the websites but cannot >>>>> browse >>>>> them. >>>> Check for MTU issues >>>> >>> It is a pretty impressive to screw up non-SSLed traffic with an MTU >>> issue, I would be more inclined to think it's something else. >> >> That directly contradicts my experience. I have observed widespread >> failures with ordinary HTTP traffic when MTU problems occur. >> >> It depends very much on the website you're hitting and their >> architecture, as well as the nature of the MTU problem. 
>> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Chris Phillips Director of Network Engineering & Peering Coordinator WBS Connect cphillips at wbsconnect.com (866) WBS-CONX (720) 259-8361 - direct (303) 968-4383 - mobile www.wbsconnect.com From tvarriale at comcast.net Mon Nov 2 18:55:16 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Mon, 2 Nov 2009 17:55:16 -0600 Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com><61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com><20091102.165254.74705593.sthaug@nethelp.no><20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu><6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local><6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local><1257199816.18763.5.camel@abehat.net.rm.dk> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4697@zy-ex1.zyedge.local> Message-ID: <86AD3DCD484C49E6968AABF15138BF16@flamdt01> Was the traffic being applied in the CEF path? tv ----- Original Message ----- From: "Ryan West" To: "Peter Rathlev" Cc: "cisco-nsp" Sent: Monday, November 02, 2009 4:21 PM Subject: Re: [c-nsp] how to make ASA vrf-aware / remote-access client VPN >> We're using a couple of 3560s for PBR with no problems forwarding 100 >> Mbps+. There's no CPU load from the forwarding itself. We haven't tried >> actually pushing it yet but are planning to try sometime soon. >> >> The 3560 needs the "routing" SDM template for this to work; I guess the >> 3750 also needs this. > > What IOS version? 
I definitely had the proper SDM template applied, it > won't work otherwise. > > -ryan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From pl+list at pmacct.net Mon Nov 2 19:00:49 2009 From: pl+list at pmacct.net (Paolo Lucente) Date: Tue, 3 Nov 2009 00:00:49 +0000 Subject: [c-nsp] Cisco vs. Juniper In-Reply-To: <3C8E65F0-E9B8-4691-B4BB-3E246C8A3A58@wisc.edu> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <20091102191803.GA22485@london.pmacct.net> <3C8E65F0-E9B8-4691-B4BB-3E246C8A3A58@wisc.edu> Message-ID: <20091103000049.GA28661@london.pmacct.net> On Mon, Nov 02, 2009 at 01:45:50PM -0600, Dale W. Carder wrote: > AFAIK, junos does not have a netflow v9 template that can > export both v4 and v6 simultaneously. Wouldn't expect IPv4/v6 to be multiplexed on a single template; each should have its own. ie., on a Cisco:

# sho run | inc flow-export
ip flow-export source Loopback286
ip flow-export version 9
ip flow-export destination x.x.x.x yyyy
ipv6 flow-export source Loopback286
ipv6 flow-export destination x.x.x.x yyyy

# sho ip flow export template
...
Total number of Templates added = 2
Total active Templates = 2
Flow Templates active = 2
Flow Templates added = 2
...

> However, I thought I saw somewhere that 9.6 has a hack to > get 32-bit ASN's in netflow v5. The hack to introduce sampling information in NetFlow v5, we can say a-posteriori it was quite successful. Remains to see who has interest in pushing the next one ... 
Cheers, Paolo From dale.shaw+cisco-nsp at gmail.com Mon Nov 2 19:18:01 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Tue, 3 Nov 2009 11:18:01 +1100 Subject: [c-nsp] Can Ping Websites but cannot browse. In-Reply-To: References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> Message-ID: <3329cbb40911021618x54eeb2fapeb19646bb9299eb2@mail.gmail.com> Hi, On Tue, Nov 3, 2009 at 1:26 AM, Alexander Clouter wrote: > It is a pretty impressive [read: hard/unusual -- Ed.] to screw up non-SSLed traffic with an MTU > issue, In "Opposite Land"? or in a land where IPSec and PPPoX don't exist? :-) cheers, Dale From tomas at soitron.com Mon Nov 2 19:16:39 2009 From: tomas at soitron.com (Daniska, Tomas) Date: Tue, 3 Nov 2009 01:16:39 +0100 Subject: [c-nsp] 3560/3750 policy routing In-Reply-To: <1257202865.18763.17.camel@abehat.net.rm.dk> References: <1257202865.18763.17.camel@abehat.net.rm.dk> Message-ID: <6B43981C32F8464CB24CEE209DA32BD3027CD4F3@kenya.tronet.as> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Peter Rathlev > Sent: Tuesday, November 03, 2009 12:01 AM > To: Ryan West > Cc: cisco-nsp > Subject: Re: [c-nsp] 3560/3750 policy routing > > > It has been running IOS 12.2(50)SE1 IP Services "all its life" (some > months). > > When we started using it I was a little nervous if it would cope (and > posted on this list about it too) but it performs splendidly for us. > I second this, 12.2(50)SE3, doing some PBR-based VoIP splitting to different SBCs, all done in HW. Note that PBR on these platforms is very limited in supported route-map match options, e.g. per cco: ******************** When configuring match criteria in a route map, follow these guidelines: -Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping. 
-Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization. ******************** Did your matching ACLs meet the no-deny requirement? -- deejay From moua0100 at umn.edu Mon Nov 2 22:06:30 2009 From: moua0100 at umn.edu (Ge Moua) Date: Mon, 02 Nov 2009 21:06:30 -0600 Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> Message-ID: <4AEF9E36.1020007@umn.edu> I did some throughput testing with iperf while connected as an ipsec client and seemed to get over 120 Mbps easily; I too was interested in how far I can push the pbr on the 3750. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Ryan West wrote: > Ge, > > Just wanted to add one more thing. > > >> * decrypted traffic handled by "black box" (in this case catalyst- >> 3750 >> > > I've had very poor performance using the 3750 for PBR functions, have you tried to push any load through it? 
> > -ryan > > From moua0100 at umn.edu Mon Nov 2 22:10:23 2009 From: moua0100 at umn.edu (Ge Moua) Date: Mon, 02 Nov 2009 21:10:23 -0600 Subject: [c-nsp] 3560/3750 policy routing In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD3027CD4F3@kenya.tronet.as> References: <1257202865.18763.17.camel@abehat.net.rm.dk> <6B43981C32F8464CB24CEE209DA32BD3027CD4F3@kenya.tronet.as> Message-ID: <4AEF9F1F.4030600@umn.edu> >> Note that PBR on these platforms is very limited in supported route-map match options, e.g. per cco: I concur; I can't seem to do anything beyond some basic match & set; the IOS complained when I tried some SET commands with VRF parameters. I suppose this is really a switch platform and not a true router platform. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Daniska, Tomas wrote: >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Peter Rathlev >> Sent: Tuesday, November 03, 2009 12:01 AM >> To: Ryan West >> Cc: cisco-nsp >> Subject: Re: [c-nsp] 3560/3750 policy routing >> >> >> It has been running IOS 12.2(50)SE1 IP Services "all its life" (some >> months). >> >> When we started using it I was a little nervous if it would cope (and >> posted on this list about it too) but it performs splendidly for us. >> >> > > I second this, 12.2(50)SE3, doing some PBR-based VoIP splitting to > different SBCs, all done in HW. > > > Note that PBR on these platforms is very limited in supported route-map > match options, e.g. per cco: > > ******************** > When configuring match criteria in a route map, follow these guidelines: > > -Do not match ACLs that permit packets destined for a local address. PBR > would forward these packets, which could cause ping or Telnet failure or > route protocol flapping. > > -Do not match ACLs with deny ACEs. 
Packets that match a deny ACE are > sent to the CPU, which could cause high CPU utilization. > ******************** > > Did your matching ACLs meet the no-deny requirement? > > > -- > > deejay > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rubensk at gmail.com Mon Nov 2 22:17:05 2009 From: rubensk at gmail.com (Rubens Kuhl) Date: Tue, 3 Nov 2009 01:17:05 -0200 Subject: [c-nsp] Cisco vs. Juniper In-Reply-To: <20091102.171244.41672267.sthaug@nethelp.no> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <20091102.171244.41672267.sthaug@nethelp.no> Message-ID: <6bb5f5b10911021917m34d3e406n596fc99d8a17edc5@mail.gmail.com> > For the CPE side we've stuck to 800/1800/2800/3800 for the simple > reason that the relevant employees had lots of Cisco experience, and > the Juniper J series didn't have enough interesting features/higher > capacity/lower cost that we had a reason to start using it. We have a > couple in the lab... Price-wise isn't SRX series a competitor for the ISR series ? 
Rubens From sethm at rollernet.us Mon Nov 2 22:25:06 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 02 Nov 2009 19:25:06 -0800 Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN In-Reply-To: <4AEF9E36.1020007@umn.edu> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> <4AEF9E36.1020007@umn.edu> Message-ID: <4AEFA292.5060204@rollernet.us> Ge Moua wrote: > I did some throughput testing with iperf while connected as an ipsec > clinets and seemed to get over + > 120 Mbs easily; I too was interested > in how far I can push the pbr on the 3750. > You should be able to push it to the platform's hardware limit as long as nothing goes to CPU. ~Seth From adrian at creative.net.au Mon Nov 2 22:35:34 2009 From: adrian at creative.net.au (Adrian Chadd) Date: Tue, 3 Nov 2009 11:35:34 +0800 Subject: [c-nsp] 3560/3750 policy routing In-Reply-To: <4AEF9F1F.4030600@umn.edu> References: <1257202865.18763.17.camel@abehat.net.rm.dk> <6B43981C32F8464CB24CEE209DA32BD3027CD4F3@kenya.tronet.as> <4AEF9F1F.4030600@umn.edu> Message-ID: <20091103033534.GD16011@skywalker.creative.net.au> Please read the Cisco 3750 IOS configuration guide. It specifically states that PBR and VRF on the same interface is not permitted. There is also apparently a PBR and fast-PBR mode which if i recall does something akin to either software or hardware switching. I'm not sure of the details. It is all in the IOS configuration guide though! 2c, Adrian On Mon, Nov 02, 2009, Ge Moua wrote: > >> Note that PBR on these platforms is very limited in supported > route-map match options, e.g. 
per cco: > > I concur; I can't seem to do anything beyond some basic match & set; the > IOS complained when I tried som SET commands with VRF parameters. I > suppose this is really a switch platform and not a true router platform. > > > Regards, > Ge Moua | Email: moua0100 at umn.edu > > Network Design Engineer > University of Minnesota | Networking & Telecommunications Services > > > > Daniska, Tomas wrote: > >>-----Original Message----- > >>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > >>bounces at puck.nether.net] On Behalf Of Peter Rathlev > >>Sent: Tuesday, November 03, 2009 12:01 AM > >>To: Ryan West > >>Cc: cisco-nsp > >>Subject: Re: [c-nsp] 3560/3750 policy routing > >> > >> > >>It has been running IOS 12.2(50)SE1 IP Services "all its life" (some > >>months). > >> > >>When we started using it I was a little nervous if it would cope (and > >>posted on this list about it too) but it performs splendidly for us. > >> > >> > > > >I second this, 12.2(50)SE3, doing some PBR-based VoIP spliting to > >different SBCs, all done in HW. > > > > > >Note that PBR on these platforms is very limited in supported route-map > >match options, e.g. per cco: > > > >******************** > >When configuring match criteria in a route map, follow these guidelines: > > > >-Do not match ACLs that permit packets destined for a local address. PBR > >would forward these packets, which could cause ping or Telnet failure or > >route protocol flapping. > > > >-Do not match ACLs with deny ACEs. Packets that match a deny ACE are > >sent to the CPU, which could cause high CPU utilization. > >******************** > > > >Did your matching ACLs meet the no-deny requirement? > > > > > >-- > > > >deejay > > > > > > > >__________ Informacia od ESET NOD32 Antivirus, verzia databazy 4565 > >(20091102) __________ > > > >Tuto spravu preveril ESET NOD32 Antivirus. 
> > > >http://www.eset.sk > > > >_______________________________________________ > >cisco-nsp mailing list cisco-nsp at puck.nether.net > >https://puck.nether.net/mailman/listinfo/cisco-nsp > >archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA - From yvanog at hotmail.com Mon Nov 2 23:06:30 2009 From: yvanog at hotmail.com (Rob Montgomery) Date: Mon, 2 Nov 2009 23:06:30 -0500 Subject: [c-nsp] Cisco VPN Share License Setup Message-ID: Is anyone using the Shared/participant license model for their VPN (AnyConnect)? Rob From johns.stanly at gmail.com Tue Nov 3 01:25:32 2009 From: johns.stanly at gmail.com (Stanly Johns) Date: Tue, 3 Nov 2009 09:25:32 +0300 Subject: [c-nsp] BPDU Guard issue Message-ID: Hi, Is it possible for a BPDU guard enabled switch port to get disabled without connecting any other device than the IP Phone and a PC ? I had to do a shut and no shut to bring it up ! The logs are as follows. Your inputs are highly appreciated.

Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/21 with BPDU Guard enabled. Disabling port.
Nov 2 04:19:15.286: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/21, putting Fa0/21 in err-disable state
Nov 2 04:19:16.334: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to down
Nov 2 04:19:17.332: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to down
Nov 2 04:43:59.058: %SYS-5-CONFIG_I: Configured from console by XXX on vty0 (X.X.X.X.)
Nov 2 05:09:57.162: %LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down
Nov 2 05:10:03.193: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to down
Nov 2 05:10:03.327: %ILPOWER-7-DETECT: Interface Fa0/21: Power Device detected: Cisco PD
Nov 2 05:10:07.446: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to up
Nov 2 05:10:08.453: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up

3560#sh runn int f0/21
Building configuration...

Current configuration : 187 bytes
!
interface FastEthernet0/21
 switchport access vlan dynamic
 switchport mode access
 switchport voice vlan 440
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable

3560#sh cdp nei f0/21 det
-------------------------
Device ID: SEP0012802908E5
Entry address(es):
  IP address: X.X.X.X
Platform: Cisco IP Phone 7960,  Capabilities: Host Phone
Interface: FastEthernet0/21,  Port ID (outgoing port): Port 1
Holdtime : 166 sec

Version :
P00308000900

advertisement version: 2
Duplex: full
Power drawn: 6.300 Watts
Management address(es):

From sj_hznm at yahoo.com.cn Tue Nov 3 01:36:18 2009
From: sj_hznm at yahoo.com.cn (Joe Shen)
Date: Tue, 3 Nov 2009 14:36:18 +0800 (CST)
Subject: [c-nsp] Network KPI
In-Reply-To: <22278.196.46.241.57.1257151754.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <892863.85528.qm@web15607.mail.cnb.yahoo.com>

Is there any introduction or book on network KPI or KQI?

joe

--- On Mon, 2 Nov 2009, masood at nexlinx.net.pk wrote:

> From: masood at nexlinx.net.pk
> Subject: Re: [c-nsp] Network KPI
> To: "Mohammad Khalil"
> Cc: cisco-nsp at puck.nether.net
> Date: Mon, 2 Nov 2009, 4:49 PM
> Key Performance Indicators (KPIs) can tell you how the network is
> performing according to certain parameters, but the chosen metrics may not
> be relevant to certain service classes. And if these are the ones that
> deliver the most revenue, operators could find themselves in trouble.
>
> Key Quality Indicators (KQIs) are typically a combination of several KPIs
> that can tell operators more about the end-user experience and usage
> patterns.
>
> To determine what the KPIs and KQIs should be on a wimax or any tcp/ip
> network, it must be borne in mind what customers are most interested in:
> fast access, good service quality and mobility. Consequently, KPIs can be
> focused on network procedures--such as attach, authentication,
> authorisation and creation/activation--which determine access (fast access
> to services is defined by the success of and speed of access to HTTP
> servers, to MMS centers, and to other dedicated services that could be
> offered via the operator's portal).
>
> Regards,
> Masood
> Blog: http://weblogs.com.pk/jahil/
>
>
> > hey all
> >
> > we work at a WiMAX operator, and I was wondering what are the best
> > parameters to include in our KPI?
> >
> >
From peter at rathlev.dk Tue Nov 3 02:16:11 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 03 Nov 2009 08:16:11 +0100
Subject: [c-nsp] BPDU Guard issue
In-Reply-To:
References:
Message-ID: <1257232571.21889.9.camel@abehat.net.rm.dk>

On Tue, 2009-11-03 at 09:25 +0300, Stanly Johns wrote:
> Is it possible for a BPDU guard enabled switch port to get disabled
> without connecting any other device than the IP Phone and a PC ?

If the PC sends BPDUs, yes. :-)

> I had to do a shut and no shut to bring it up !

You can use "err-disable recovery" to automate the shut/no shut function, but IMHO that would be wrong in this case. You should find out from where those BPDUs come. (One way would be to temporarily turn off BPDU guard and "debug spanning-tree bpdu receive".)

> The logs are as follows. your inputs are highly appreciated.
>
> Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
> Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on
> port FastEthernet0/21 with BPDU Guard enabled. Disabling port.

Typically when we see this it's some creative user having connected both the "=> Switch" and "=> PC" ports to the wall, with the phone forwarding BPDUs between the switch ports. You wouldn't happen to see some of the same messages from another switch at the same time?

(The fact that you can shut/unshut without the link going down again could also point towards the other end maybe being err-disabled too.)

--
Peter

From metaliza at nithia.cz Tue Nov 3 02:57:16 2009
From: metaliza at nithia.cz (Metalíza)
Date: Tue, 03 Nov 2009 08:57:16 +0100
Subject: [c-nsp] 3560/3750 policy routing
In-Reply-To: <1257202865.18763.17.camel@abehat.net.rm.dk>
References: <1257202865.18763.17.camel@abehat.net.rm.dk>
Message-ID: <4AEFE25C.3040508@nithia.cz>

Peter Rathlev wrote:
> On Mon, 2009-11-02 at 17:21 -0500, Ryan West wrote:
>
>>> We're using a couple of 3560s for PBR with no problems forwarding
>>> 100 Mbps+. There's no CPU load from the forwarding itself. We
>>> haven't tried actually pushing it yet but are planning to try
>>> sometime soon.
>>>
>>> The 3560 needs the "routing" SDM template for this to work; I guess
>>> the 3750 also needs this.
>>>
>> What IOS version? I definitely had the proper SDM template applied, it
>> won't work otherwise.
>>
>
> It has been running IOS 12.2(50)SE1 IP Services "all its life" (some
> months).
>

Hi guys,

I have a similar problem:

We have been using PBR for forwarding through an IP-in-IP tunnel:

interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 tunnel source 147.32.98.1
 tunnel destination 147.32.127.190
 tunnel mode ipip

ip access-list extended private-2-hill
 permit ip 10.13.0.0 0.0.255.255 147.32.112.0 0.0.15.255
 permit ip 10.13.0.0 0.0.255.255 147.32.30.0 0.0.1.255
 permit ip 10.13.0.0 0.0.255.255 147.32.99.0 0.0.0.255
!
route-map private-2-hill permit 10
 match ip address private-2-hill
 set interface Tunnel0
!
interface Vlan201
 ip address 10.13.0.1 255.255.0.0
 ip policy route-map private-2-hill
!
local policy route-map private-2-hill

This had all been functional on a 3560 with 12.2(44)SE. At first there had been "set ip next-hop", but that hadn't worked, so I've switched to "set interface".

After replacement of IOS with 12.2(52)SE the "set interface" command was refused after applying the route map to an SVI. But local PBR still worked. So I've changed to "set ip next-hop" (which has been accepted by IOS) but with no effect on forwarding (but the local PBR had still worked - because of the SW-based traffic?).

After some debugging I've realized that PBR is broken in 12.2(52)SE for the 3560.

Or am I wrong and have missed something?
--
-----------------------------------------------------------
Metaliza @ NitHiA
icq #: 63193671
skype: metaliza001

From alex at digriz.org.uk Tue Nov 3 03:39:54 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Tue, 3 Nov 2009 08:39:54 +0000
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <3329cbb40911021618x54eeb2fapeb19646bb9299eb2@mail.gmail.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <3329cbb40911021618x54eeb2fapeb19646bb9299eb2@mail.gmail.com>
Message-ID: <20091103083954.GF4838@chipmunk>

Hi,

* Dale Shaw [2009-11-03 11:18:01+1100]:
>
> On Tue, Nov 3, 2009 at 1:26 AM, Alexander Clouter wrote:
> > It is a pretty impressive [read: hard/unusual -- Ed.] to screw up non-SSLed traffic with an MTU
> > issue,
>
> In "Opposite Land"? or in a land where IPSec and PPPoX don't exist? :-)
>
Well at $ORK[-1] I was an ISP packet pusher and there all those 'factory default'ing 1492 MTU routers that blocked all ICMP traffic used to drive us mad. There, regular HTTP traffic was always fine[1] as the request always fitted with no problem within a single MTU...it was only when you slapped on some SSL action (or tried to SMTP something about) that the MTU issue would appear.

So 'opposite' land being CPE rather than core networking land...hence my "you have to be a special person to have done this".

Even the greatest ICMP offenders of the Internet (financial institutions) just gave up dealing with this crap and cranked all their servers to shunt their MTU to 1000ish and tinker with the MSS on the inbound TCP SYN packet.

So...this is why I focused on the "cannot browse websites", I personally am just stunned by the helpfulness[2] of the group to such a vague question. If any of the helldeskers here said that (which they often do, *sigh*) I have to re-remind them with the public flaying... :-/

Cheers

[1] back in the day when you did not have honkingly large cookies, wtf?
[2] come on guys, I felt you were all much more on the ball the way you handled http://marc.info/?l=cisco-nsp&m=125441497832189&w=2 :)

--
Alexander Clouter
.sigmonster says: A vivid and creative mind characterizes you.

From rubensk at gmail.com Tue Nov 3 05:44:47 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Tue, 3 Nov 2009 08:44:47 -0200
Subject: [c-nsp] BPDU Guard issue
In-Reply-To:
References:
Message-ID: <6bb5f5b10911030244u1314d9c5vc59d5b89994f020e@mail.gmail.com>

On Tue, Nov 3, 2009 at 4:25 AM, Stanly Johns wrote:
> Hi,
> Is it possible for a BPDU guard enabled switch port to get disabled without
> connecting any other device than the IP Phone and a PC ? I had to do a shut
> and no shut to bring it up !
> The logs are as follows. your inputs are highly appreciated.

Some Broadcom fault-tolerance drivers use BPDUs in active-active configurations... an l-user might turn it on by mistake

Rubens

From mtinka at globaltransit.net Tue Nov 3 07:56:53 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 3 Nov 2009 20:56:53 +0800
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102172924.GT51443@gerbil.cluepon.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net>
Message-ID: <200911032057.22402.mtinka@globaltransit.net>

On Tuesday 03 November 2009 01:29:24 am Richard A Steenbergen wrote:

> They're actually coming out with (or may already be shipping, I don't
> follow these boxes that closely) a replacement CFEB for M7i/M10i which
> uses the I-Chip (the same fwding hw as M120 and the current generation
> of MX). This should give it a slightly longer shelf life, as it will
> add a bunch of modern features and some additional fib capacity that
> didn't exist in the old hardware. Still though, this is a very old box
> (it came out in 2003, as a lower production cost refresh on the M5/M10
> which came out in 2000).
> The CFEB won't fix the very limited capacity, so it wouldn't be a fair
> comparison against a modern box. MX80 would indeed be a much closer
> comparison, though the feature set is still pretty different.

I should give it to Cisco, though - the ASR1000 series is a really neat platform because it eats up both Ethernet and SONET/SDH links alike.

Even if the data plane in the ASR1000 is centralized in nature (much like the M7i/M10i), and with a 20Gbps ESP now, I'd be more inclined to go for an ASR1000 series box to talk Gig-E on one end, and 10-Gig-E, STM-16/OC-48 or STM-64/OC-192 on the other.

Juniper don't really have an answer here. Yes, the MX80 is probably as close as they may come, but it cannot support SONET/SDH in a box that can potentially be Ethernet-dense for core or edge applications too, while still being physically small and relatively inexpensive.

The M40e will talk SONET/SDH, but it won't support 10Gbps links. And it's way bigger than the ASR1000 series boxes.

Don't even get me started on the M120, or the MX240 with an MX-FPC :-).

Cheers,

Mark.

From ml at kenweb.org Tue Nov 3 08:27:23 2009
From: ml at kenweb.org (ML)
Date: Tue, 03 Nov 2009 08:27:23 -0500
Subject: [c-nsp] 3560/3750 policy routing
In-Reply-To: <4AEFE25C.3040508@nithia.cz>
References: <1257202865.18763.17.camel@abehat.net.rm.dk> <4AEFE25C.3040508@nithia.cz>
Message-ID: <4AF02FBB.70108@kenweb.org>

Metalíza wrote:
> Peter Rathlev wrote:
>> On Mon, 2009-11-02 at 17:21 -0500, Ryan West wrote:
>>>> We're using a couple of 3560s for PBR with no problems forwarding
>>>> 100 Mbps+. There's no CPU load from the forwarding itself. We
>>>> haven't tried actually pushing it yet but are planning to try
>>>> sometime soon.
>>>>
>>>> The 3560 needs the "routing" SDM template for this to work; I guess
>>>> the 3750 also needs this.
>>>>
>>> What IOS version? I definitely had the proper SDM template applied, it
>>> won't work otherwise.
>>>
>>
>> It has been running IOS 12.2(50)SE1 IP Services "all its life" (some
>> months).
>>
>
> Hi guys,
>
> I have a similar problem:
>
> We have been using PBR for forwarding through an IP-in-IP tunnel:
>
> interface Tunnel0
> ip address 192.168.1.2 255.255.255.252
> tunnel source 147.32.98.1
> tunnel destination 147.32.127.190
> tunnel mode ipip
>
> ip access-list extended private-2-hill
> permit ip 10.13.0.0 0.0.255.255 147.32.112.0 0.0.15.255
> permit ip 10.13.0.0 0.0.255.255 147.32.30.0 0.0.1.255
> permit ip 10.13.0.0 0.0.255.255 147.32.99.0 0.0.0.255
> !
> route-map private-2-hill permit 10
> match ip address private-2-hill
> set interface Tunnel0
> !
> interface Vlan201
> ip address 10.13.0.1 255.255.0.0
> ip policy route-map private-2-hill
> !
> local policy route-map private-2-hill
>
> This had all been functional on a 3560 with 12.2(44)SE. At first there had
> been "set ip next-hop", but that hadn't worked, so I've switched to "set
> interface".
>
> After replacement of IOS with 12.2(52)SE the "set interface" command was
> refused after applying the route map to an SVI. But local PBR still
> worked. So I've changed to "set ip next-hop" (which has been accepted by
> IOS) but with no effect on forwarding (but the local PBR had still
> worked - because of the SW-based traffic?).
>
> After some debugging I've realized that PBR is broken in
> 12.2(52)SE for the 3560.
>
> Or am I wrong and have missed something?
>

I had the same problem on an ME3400. I could not use the remote end of a GRE tunnel for PBR.
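The two guidelines Tomas quoted from Cisco earlier in this thread (no deny ACEs in a PBR-matched ACL, and no ACL that matches packets destined for one of the switch's own addresses) can be checked mechanically before a route-map goes onto an SVI. The following is an added example, not code from any poster: a small Python linter run over an IOS-style config assembled from Metalíza's posted snippet plus a constructed badly-formed route-map (the bad-pbr name, the 10.14.0.0/16 addresses and the 192.168.1.1 next-hop are made up for the example).

```python
"""Lint IOS PBR config against the 3560/3750 guidelines quoted in this thread:
a matched ACL must have no deny ACEs and must not match local destinations."""
import ipaddress
from collections import defaultdict

# Constructed sample (added example, not from the list): Metalíza's posted config
# plus a made-up bad route-map on a second SVI (deny ACE + 'any' destination).
SAMPLE_CONFIG = """
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
ip access-list extended private-2-hill
 permit ip 10.13.0.0 0.0.255.255 147.32.112.0 0.0.15.255
 permit ip 10.13.0.0 0.0.255.255 147.32.30.0 0.0.1.255
ip access-list extended bad-pbr
 10 deny tcp 10.14.0.0 0.0.255.255 any eq 22
 20 permit ip 10.14.0.0 0.0.255.255 any
route-map private-2-hill permit 10
 match ip address private-2-hill
 set interface Tunnel0
route-map bad-pbr permit 10
 match ip address bad-pbr
 set ip next-hop 192.168.1.1
interface Vlan201
 ip address 10.13.0.1 255.255.0.0
 ip policy route-map private-2-hill
interface Vlan202
 ip address 10.14.0.1 255.255.0.0
 ip policy route-map bad-pbr
"""
_PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens to skip


def _addr_spec(tokens):
    """Consume any | host A | A WILDCARD (+ optional port op); return (addr, wc, rest)."""
    if tokens[0] == "any":
        addr, wc, rest = 0, 0xFFFFFFFF, tokens[1:]
    elif tokens[0] == "host":
        addr, wc, rest = int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    else:
        addr, wc = (int(ipaddress.IPv4Address(x)) for x in tokens[:2])
        rest = tokens[2:]
    if rest and rest[0] in _PORT_OPS:
        rest = rest[_PORT_OPS[rest[0]]:]
    return addr, wc, rest


def parse_config(text):
    """Return (acls, route_maps, local_ips, policies) from IOS-style text."""
    acls = defaultdict(list)        # name -> [(action, src, swc, dst, dwc)]
    route_maps = defaultdict(list)  # name -> [{"match": [...], "set": [...]}]
    local_ips = defaultdict(set)    # interface -> {int(ip), ...}
    policies = {}                   # interface -> applied route-map name
    section = (None, None)          # (kind, ref) of the block being parsed
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t or line == "!":
            continue
        if line.startswith("ip access-list extended "):
            section = ("acl", t[-1])
        elif line.startswith("route-map "):
            route_maps[t[1]].append({"match": [], "set": []})
            section = ("rmap", route_maps[t[1]][-1])
        elif line.startswith("interface "):
            section = ("intf", t[1])
        elif section[0] == "acl":
            if t[0].isdigit():          # optional ACE sequence number
                t = t[1:]
            if t[0] in ("permit", "deny"):
                src, swc, rest = _addr_spec(t[2:])
                dst, dwc, _ = _addr_spec(rest)
                acls[section[1]].append((t[0], src, swc, dst, dwc))
        elif section[0] == "rmap":
            if line.startswith("match ip address "):
                section[1]["match"].extend(t[3:])
            elif line.startswith("set "):
                section[1]["set"].append(line[4:])
        elif section[0] == "intf":
            if line.startswith("ip address "):
                local_ips[section[1]].add(int(ipaddress.IPv4Address(t[2])))
            elif line.startswith("ip policy route-map "):
                policies[section[1]] = t[-1]
    return acls, route_maps, local_ips, policies


def lint_pbr(text):
    """[(route_map, acl, message)] for ACEs breaking a guideline, applied maps only."""
    acls, route_maps, local_ips, policies = parse_config(text)
    all_local = sorted({ip for ips in local_ips.values() for ip in ips})
    findings = []
    for rm_name in sorted(set(policies.values())):
        for entry in route_maps.get(rm_name, []):
            for acl_name in entry["match"]:
                for action, _src, _swc, dst, dwc in acls.get(acl_name, []):
                    if action == "deny":
                        findings.append((rm_name, acl_name, "deny ACE: matching packets are punted to the CPU"))
                        continue
                    mask = ~dwc & 0xFFFFFFFF   # wildcard bits -> bits that must match
                    for ip in all_local:
                        if (ip & mask) == (dst & mask):
                            findings.append((rm_name, acl_name, "permit ACE matches local "
                                             f"address {ipaddress.IPv4Address(ip)}: PBR would forward it"))
    return findings
```

Running lint_pbr(SAMPLE_CONFIG) reports nothing for private-2-hill but four findings for bad-pbr: the deny ACE, and the permit-to-any ACE once per local address (Tunnel0, Vlan201 and Vlan202).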
From ianh at ianh.net.au Tue Nov 3 07:51:37 2009
From: ianh at ianh.net.au (Ian Henderson)
Date: Tue, 3 Nov 2009 20:51:37 +0800 (WST)
Subject: [c-nsp] BPDU Guard issue
In-Reply-To:
References:
Message-ID:

On Tue, 3 Nov 2009, Stanly Johns wrote:

> Is it possible for a BPDU guard enabled switch port to get disabled
> without connecting any other device than the IP Phone and a PC ? I had
> to do a shut and no shut to bring it up !

I've run into this - Virtualbox uses Windows bridging to handle networking which runs spanning-tree. Google shows the answer as:

"You can prevent the Bridge from forwarding packets by editing the registry. In your favorite registry editor, navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BridgeMP

Create a new DWORD value and name it DisableForwarding. Double click the new entry and set its value to 1. You'll need to reboot to apply the change.

You can disable the Spanning Tree Algorithm in a similar manner, by creating a DWORD value in the same key called DisableSTA and setting its value to 1."

http://articles.techrepublic.com.com/5100-22_11-5569815.html via http://forums.virtualbox.org/viewtopic.php?f=6&t=6264&start=0.

Rgds,

- I.

From cjinfantino at gmail.com Tue Nov 3 12:12:09 2009
From: cjinfantino at gmail.com (CJ)
Date: Tue, 3 Nov 2009 12:12:09 -0500
Subject: [c-nsp] Issue with secondary ip address
Message-ID: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>

Hello all,

I have a vlan that has a primary and secondary ip address. My DHCP server is in the secondary ip address. The DHCP server is a windows 2003 server with the scope enabled and correct. If I plug a computer into a switch with the vlan configured I cannot get an address. If I create a DHCP server in the primary ip address range with the same scope and options and disable the scope on the other DHCP server it works. I cannot figure out what is going on.

From ck at sandcastl.es Tue Nov 3 12:41:38 2009
From: ck at sandcastl.es (christian koch)
Date: Tue, 3 Nov 2009 09:41:38 -0800
Subject: [c-nsp] Issue with secondary ip address
In-Reply-To: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
References: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
Message-ID: <8c308e8b0911030941vc21f849mdfddbf77a30e5bb@mail.gmail.com>

do you have helper address set?

On Tue, Nov 3, 2009 at 9:12 AM, CJ wrote:
> Hello all,
>
> I have a vlan that has a primary and secondary ip address. My DHCP
> server is in the secondary ip address. The DHCP server is a windows 2003
> server with the scope enabled and correct. If I plug a computer into a
> switch with the vlan configured I cannot get an address. If I create a DHCP
> server in the primary ip address range with the same scope and options and
> disable the scope on the other DHCP server it works. I cannot figure out
> what is going on.
>

From gsgranados at comcast.net Tue Nov 3 13:34:04 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 3 Nov 2009 10:34:04 -0800
Subject: [c-nsp] Linux VPN client suggestion?
Message-ID: <002701ca5cb4$45098180$2508120a@am.thmulti.com>

Hi all,
I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest. Does anyone have any good pointers for a good client that I can point him to?

Any pointers would be appreciated.

Thank you
Scott

From BBlackford at nwresd.k12.or.us Tue Nov 3 13:46:52 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Tue, 3 Nov 2009 10:46:52 -0800
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <6069A203FD01884885C037F81DD75080173BBABF99@wsc-mail-01.intra.nwresd.k12.or.us>

VPNC

http://www.unix-ag.uni-kl.de/~massar/vpnc/

-b

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, November 03, 2009 10:34 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Linux VPN client suggestion?

Hi all,
I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest. Does anyone have any good pointers for a good client that I can point him to?

Any pointers would be appreciated.

Thank you
Scott

From rwest at zyedge.com Tue Nov 3 13:47:04 2009
From: rwest at zyedge.com (Ryan West)
Date: Tue, 3 Nov 2009 13:47:04 -0500
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A178AC@zy-ex1.zyedge.local>

Scott,

There is support in the standard client for linux in the 4.x line, but none in the 5.x. Might also consider AnyConnect Essentials for ~$250 that allows for the SSL client in pretty much all flavors, including 64-bit support.

http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=4.8.02.0030&mdfid=281940729&sftType=VPN+Client+Software&optPlat=Linux&nodecount=2&edesignator=null&modelName=Cisco+VPN+Client+v4.x&treeMdfId=268438162&treeName=Security&modifmdfid=&imname=&hybrid=&imst=&lr=Y

-ryan

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Tuesday, November 03, 2009 1:34 PM
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> to provide remote users access to network resources. I have one user who
> is interested in a client for Linux (specifically CentOS) and not sure
> what to suggest. Does anyone have any good pointers for a good client
> that I can point him to?

From jeff at ocjtech.us Tue Nov 3 13:50:47 2009
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Tue, 3 Nov 2009 12:50:47 -0600
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <935ead450911031050j137b319fp67fc7d7c59ced0a9@mail.gmail.com>

On Tue, Nov 3, 2009 at 12:34 PM, Scott Granados wrote:
>
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
> provide remote users access to network resources. I have one user who is
> interested in a client for Linux (specifically CentOS) and not sure what to
> suggest. Does anyone have any good pointers for a good client that I can
> point him to?

vpnc - if your user enables the EPEL repositories he'll be able to install it without any trouble:

https://fedoraproject.org/wiki/EPEL

--
Jeff Ollie

From elparis at cisco.com Tue Nov 3 13:53:32 2009
From: elparis at cisco.com (Eloy Paris)
Date: Tue, 3 Nov 2009 13:53:32 -0500
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <20091103185332.GJ23256@turbo.cisco.com>

Hi Scott,

On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:

> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> to provide remote users access to network resources. I have one user who
> is interested in a client for Linux (specifically CentOS) and not sure
> what to suggest. Does anyone have any good pointers for a good client
> that I can point him to?
>
> Any pointers would be appreciated.

The Cisco VPN Client does support *some* versions of Linux. However, it does not work with the latest versions of the Linux kernel so if your user's kernel is recent (and unfortunately, "recent" doesn't really have to be very recent) then the official Cisco VPN Client is not an option.

However, there is an open source VPN client that works with Cisco VPN headends. I personally use it and it works great:

http://www.unix-ag.uni-kl.de/~massar/vpnc/

It's included in pretty much all Linux distributions. A quick Google search for "centos vpnc" turned this up as the first hit:

http://wiki.centos.org/HowTos/vpnc

Hope this helps.

Cheers,

--
Eloy Paris
Cisco PSIRT
Ph: +1 919 392-9118

From cjinfantino at gmail.com Tue Nov 3 13:56:32 2009
From: cjinfantino at gmail.com (CJ)
Date: Tue, 3 Nov 2009 13:56:32 -0500
Subject: [c-nsp] Fwd: Issue with secondary ip address
In-Reply-To: <94e868ee0911031055g62257055m6bddf2c0452701b6@mail.gmail.com>
References: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com> <8c308e8b0911030941vc21f849mdfddbf77a30e5bb@mail.gmail.com> <4AF0727B.3060004@emich.edu> <94e868ee0911031055g62257055m6bddf2c0452701b6@mail.gmail.com>
Message-ID: <94e868ee0911031056l3a70a69cy782b4ba85a997b20@mail.gmail.com>

---------- Forwarded message ----------
From: CJ
Date: Tue, Nov 3, 2009 at 1:55 PM
Subject: Re: [c-nsp] Issue with secondary ip address
To: jf

I tried the ip dhcp smart-relay command but it didn't work. I did try it with the ip helper-address and w/o; both setups did not work.

Every other vlan int is pulling DHCP...they also have primary and secondary addresses assigned to them. It is just the server vlan that is not pulling DHCP.

On Tue, Nov 3, 2009 at 1:12 PM, jf wrote:
> You might try the "ip dhcp smart-relay" relay feature to have the ip
> helper try with the secondary address in the giaddr field.
>
> christian koch wrote:
> > do you have helper address set?
> >
> > On Tue, Nov 3, 2009 at 9:12 AM, CJ wrote:
> >
> >
> >> Hello all,
> >>
> >> I have a vlan that has a primary and secondary ip address. My DHCP
> >> server is in the secondary ip address. The DHCP server is a windows 2003
> >> server with the scope enabled and correct. If I plug a computer into a
> >> switch with the vlan configured I cannot get an address. If I create a DHCP
> >> server in the primary ip address range with the same scope and options and
> >> disable the scope on the other DHCP server it works. I cannot figure out
> >> what is going on.
> >>
> >>
> >
> >

From gsgranados at comcast.net Tue Nov 3 14:01:03 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 3 Nov 2009 11:01:03 -0800
Subject: [c-nsp] Linux VPN client suggestion?
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com>
Message-ID: <008001ca5cb8$02ad7360$2508120a@am.thmulti.com>

Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second. (I actually think we have a license for this feature set already)

Thanks as always for the great suggestions.

----- Original Message -----
From: "Eloy Paris"
To: "Scott Granados"
Cc:
Sent: Tuesday, November 03, 2009 10:53 AM
Subject: Re: [c-nsp] Linux VPN client suggestion?

> Hi Scott,
>
> On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
>
>> Hi all,
>> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
>> to provide remote users access to network resources. I have one user who
>> is interested in a client for Linux (specifically CentOS) and not sure
>> what to suggest. Does anyone have any good pointers for a good client
>> that I can point him to?
>>
>> Any pointers would be appreciated.
>
> The Cisco VPN Client does support *some* versions of Linux. However, it
> does not work with the latest versions of the Linux kernel so if your
> user's kernel is recent (and unfortunately, "recent" doesn't really have
> to be very recent) then the official Cisco VPN Client is not an option.
>
> However, there is an open source VPN client that works with Cisco VPN
> headends. I personally use it and it works great:
>
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> It's included in pretty much all Linux distributions. A quick Google
> search for "centos vpnc" turned this up as the first hit:
>
> http://wiki.centos.org/HowTos/vpnc
>
> Hope this helps.
>
> Cheers,
>
> --
>
> Eloy Paris
> Cisco PSIRT
> Ph: +1 919 392-9118

From moua0100 at umn.edu Tue Nov 3 14:11:27 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 03 Nov 2009 13:11:27 -0600
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <4AF0805F.5000100@umn.edu>

yum install vpnc

you may need the "epel" repo for this.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommun ications Services

Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN
> client to provide remote users access to network resources. I have
> one user who is interested in a client for Linux (specifically CentOS)
> and not sure what to suggest. Does anyone have any good pointers for
> a good client that I can point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott
>
>

From RGoldberg at compudyne.net Tue Nov 3 13:42:18 2009
From: RGoldberg at compudyne.net (Ryan Goldberg)
Date: Tue, 3 Nov 2009 12:42:18 -0600
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID:

I use vpnc all the time to connect to ASAs.
http://www.unix-ag.uni-kl.de/~massar/vpnc/

Ryan

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Tuesday, November 03, 2009 12:34 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Linux VPN client suggestion?
>
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> to provide remote users access to network resources. I have one user who
> is interested in a client for Linux (specifically CentOS) and not sure
> what to suggest. Does anyone have any good pointers for a good client
> that I can point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott
>
>

From justin at justinshore.com Tue Nov 3 14:20:05 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 03 Nov 2009 13:20:05 -0600
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <4AEF1C3A.3070601@umn.edu>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu>
Message-ID: <4AF08265.5050405@justinshore.com>

Ge Moua wrote:
> C-NSP Wizards:
> Our Cisco account team seems to be touting the ASA appliance (in a
> cluster configuration) as the preferred solution for remote access
> client vpn (IPSec & SSL); as such my question then is:
>
> Is it possible to make an ASA be "vrf-aware"?

My suggestion may not be what you want to hear but I'll give it to you anyway. Forget the ASA cluster and implement it on VRF-aware hardware. You'll never see the end of problems with a cluster such as this and it will be a nightmare for troubleshooting. It will cost you more up front but it's worth doing it right.

We use 7600s with FWSMs and IPSec SPAs to provide firewall services and VPN termination services to our Data Center. The FWSMs of course do not do VPN, only firewall services. The IPSec SPAs have their own quirks (see some of my earlier c-nsp posts) but they work fine once you know how to avoid those problems. This solution doesn't do SSL VPN though. The 7600s don't support the WebVPN module which is what you need for SSL VPN. However the 6500 does and also supports the FWSMs and IPSec SPAs. On a lower-end scale you can provide the same VPN services on ASRs, 7200s and even ISRs without having to fight the ASA nightmare.

I would avoid the ASA solution at all costs. Duct tape is great until the sticky gives up in the middle of the night. Baling wire rusts too. Stick with the right solution and you'll be fine.

My $.02 (pre-2008 dollars)

Justin

From daniel.dib at reaper.nu Tue Nov 3 14:21:51 2009
From: daniel.dib at reaper.nu (Daniel Dib)
Date: Tue, 3 Nov 2009 20:21:51 +0100
Subject: [c-nsp] Issue with secondary ip address
In-Reply-To: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
References: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
Message-ID: <00a101ca5cba$e5c69670$2101a8c0@reap>

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of CJ
Sent: 3 November 2009 18:12
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Issue with secondary ip address

Hello all,

I have a vlan that has a primary and secondary ip address. My DHCP server is in the secondary ip address. The DHCP server is a windows 2003 server with the scope enabled and correct. If I plug a computer into a switch with the vlan configured I cannot get an address.
If I create a DHCP server in the primary ip address range with the same scope and options and disable the scope on the other DHCP server it works. I cannot figure out what is going on.

Hi,

You should try to use ip dhcp smart-relay. If you don't get a reply from the primary scope it will ask for the secondary address.

See http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rddhcp.html#wp1046084

HTH
Daniel

From szmetal at gmail.com Tue Nov 3 14:37:10 2009
From: szmetal at gmail.com (Shawn Zandi)
Date: Tue, 3 Nov 2009 23:37:10 +0400
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <20091103185332.GJ23256@turbo.cisco.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com>
Message-ID: 

http://www.shrew.net/software

Regards,
Shawn Zandi

On Tue, Nov 3, 2009 at 10:53 PM, Eloy Paris wrote:
> Hi Scott,
>
> On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
>
>> Hi all,
>> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest. Does anyone have any good pointers for a good client that I can point him to?
>>
>> Any pointers would be appreciated.
>
> The Cisco VPN Client does support *some* versions of Linux. However, it does not work with the latest versions of the Linux kernel so if your user's kernel is recent (and unfortunately, "recent" doesn't really have to be very recent) then the official Cisco VPN Client is not an option.
>
> However, there is an open source VPN client that works with Cisco VPN headends.
> I personally use and it works great:
>
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> It's included in pretty much all Linux distributions. A quick Google search for "centos vpnc" turned this up as the first hit:
>
> http://wiki.centos.org/HowTos/vpnc
>
> Hope this helps.
>
> Cheers,
>
> --
>
> Eloy Paris
> Cisco PSIRT
> Ph: +1 919 392-9118

From nicotine at warningg.com Tue Nov 3 13:57:30 2009
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 3 Nov 2009 12:57:30 -0600
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <20091103185730.GA4121@radiological.warningg.com>

On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest. Does anyone have any good pointers for a good client that I can point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott

I believe the Anyconnect client is supported on Linux installs. Anyconnect is supported on 8.x software versions, and Anyconnect Essentials (Client-based tunnels only, no clientless SSL, supported in 8.2) licenses are available for a low cost.

If your supported user count is low, and you do not currently utilize any Anyconnect SSL slots, the base license allows a maximum of two active Anyconnect clients without additional license purchase.

--
Brandon Ewing (nicotine at warningg.com)
From szmetal at gmail.com Tue Nov 3 14:54:54 2009
From: szmetal at gmail.com (Shawn Zandi)
Date: Tue, 3 Nov 2009 23:54:54 +0400
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <008001ca5cb8$02ad7360$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com>
Message-ID: 

Yes, ASA has a built-in license for 2 concurrent SSL connections, SSL-VPN is the better choice

On Tue, Nov 3, 2009 at 11:01 PM, Scott Granados wrote:
> Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second. (I actually think we have a license for this feature set already)
>
> Thanks as always for the great suggestions.
>
> ----- Original Message -----
> From: "Eloy Paris"
> To: "Scott Granados"
> Cc:
> Sent: Tuesday, November 03, 2009 10:53 AM
> Subject: Re: [c-nsp] Linux VPN client suggestion?
>
>> Hi Scott,
>>
>> On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
>>
>>> Hi all,
>>> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest. Does anyone have any good pointers for a good client that I can point him to?
>>>
>>> Any pointers would be appreciated.
>>
>> The Cisco VPN Client does support *some* versions of Linux. However, it does not work with the latest versions of the Linux kernel so if your user's kernel is recent (and unfortunately, "recent" doesn't really have to be very recent) then the official Cisco VPN Client is not an option.
>>
>> However, there is an open source VPN client that works with Cisco VPN headends.
>> I personally use and it works great:
>>
>> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>>
>> It's included in pretty much all Linux distributions. A quick Google search for "centos vpnc" turned this up as the first hit:
>>
>> http://wiki.centos.org/HowTos/vpnc
>>
>> Hope this helps.
>>
>> Cheers,
>>
>> --
>>
>> Eloy Paris
>> Cisco PSIRT
>> Ph: +1 919 392-9118

From berghauz at gmail.com Tue Nov 3 15:54:57 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Tue, 3 Nov 2009 23:54:57 +0300
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <20091103185730.GA4121@radiological.warningg.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185730.GA4121@radiological.warningg.com>
Message-ID: <13d85870911031254j4fa4e4adi714f4c568865b5b7@mail.gmail.com>

> I believe the Anyconnect client is supported on Linux installs. Anyconnect

Yep. Cisco VPN supports Linux.

WBR Aleksey Polyakoff
ICQ:9001016
Mike Ditka - "If God had wanted man to play soccer, he wouldn't have given us arms."

From brandon at burn.net Tue Nov 3 16:01:06 2009
From: brandon at burn.net (Brandon Applegate)
Date: Tue, 3 Nov 2009 16:01:06 -0500 (EST)
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <20091103185730.GA4121@radiological.warningg.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185730.GA4121@radiological.warningg.com>
Message-ID: 

On Tue, 3 Nov 2009, Brandon Ewing wrote:
> I believe the Anyconnect client is supported on Linux installs. Anyconnect is supported on 8.x software versions, and Anyconnect Essentials (Client-based tunnels only, no clientless SSL, supported in 8.2) licenses are available for a low cost.
>
> If your supported user count is low, and you do not currently utilize any Anyconnect SSL slots, the base license allows a maximum of two active Anyconnect clients without additional license purchase.
>
> --
> Brandon Ewing (nicotine at warningg.com)

I'm still on old PIXes here, but looking to the future (and I'm a linux guy) I found Openconnect.

http://www.infradead.org/openconnect.html

From what I've read the Cisco Anyconnect client for Linux suffers problems again, not kernel level but SSL / library / 32/64 bit issues. Openconnect reads like it's a lot cleaner than all the workarounds to get Anyconnect working.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."

From nsp at sky-haven.net Tue Nov 3 16:13:34 2009
From: nsp at sky-haven.net (nsp at sky-haven.net)
Date: Tue, 03 Nov 2009 21:13:34 +0000
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <4AF09CFE.8000906@sky-haven.net>

Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest. Does anyone have any good pointers for a good client that I can point him to?
>
> Any pointers would be appreciated.

Have had good luck with VPNC on Linux. You can try the ShrewSoft Linux client (http://www.shrew.net/) as well if you're of a mind, but vpnc tends to win on simplicity.

If yourself (or your user) is a bit of a sick puppy[1], you can actually get things working with Linux IPsec-tools (e.g. Racoon and XFRM). But I advise against it unless the Linux station in question is obligated to maintain existing IPsec sessions. In this case, neither vpnc nor ShrewSoft (or probably anything else IPsec-based) will work since both IPsec-tools and vpnc will insist on binding a listener on 500/udp.
Best,
Lance Dryden

[1] For non-Americans, this means something like "a fan of tinkering with Linux, perhaps to the point of obsession."

From bitkraft at gmail.com Tue Nov 3 20:10:33 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Tue, 3 Nov 2009 17:10:33 -0800
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <200911032057.22402.mtinka@globaltransit.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <200911032057.22402.mtinka@globaltransit.net>
Message-ID: <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>

Mark, what's your thoughts on the MX240? I'm curious now since you state not to get you started. :-)

/bs

On Tue, Nov 3, 2009 at 4:56 AM, Mark Tinka wrote:
> On Tuesday 03 November 2009 01:29:24 am Richard A Steenbergen wrote:
>
>> They're actually coming out with (or may already be shipping, I don't follow these boxes that closely) a replacement CFEB for M7i/M10i which uses the I-Chip (the same fwding hw as M120 and the current generation of MX). This should give it a slightly longer shelf life, as it will add a bunch of modern features and some additional fib capacity that didn't exist in the old hardware. Still though, this is a very old box (it came out in 2003, as a lower production cost refresh on the M5/M10 which came out in 2000). The CFEB won't fix the very limited capacity, so it wouldn't be a fair comparison against a modern box. MX80 would indeed be a much closer comparison, though the feature set is still pretty different.
>
> I should give it to Cisco, though - the ASR1000 series is a really neat platform because it eats up both Ethernet and SONET/SDH links alike.
>
> Even if the data plane in the ASR1000 is centralized in nature (much like the M7i/M10i), and with a 20Gbps ESP now, I'd be more inclined to go for an ASR1000 series box to talk Gig-E on one end, and 10-Gig-E, STM-16/OC-48 or STM-64/OC-192 on the other.
>
> Juniper don't really have an answer here. Yes, the MX80 is probably as close as they may come, but it cannot support SONET/SDH in a box that can potentially be Ethernet-dense for core or edge applications too, while still being physically small and relatively inexpensive. The M40e will talk SONET/SDH, but it won't support 10Gbps links. And it's way bigger than the ASR1000 series boxes.
>
> Don't even get me started on the M120, or the MX240 with an MX-FPC :-).
>
> Cheers,
>
> Mark.

From sthaug at nethelp.no Wed Nov 4 03:18:30 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 04 Nov 2009 09:18:30 +0100 (CET)
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>
References: <20091102172924.GT51443@gerbil.cluepon.net> <200911032057.22402.mtinka@globaltransit.net> <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>
Message-ID: <20091104.091830.74736038.sthaug@nethelp.no>

> Mark, what's your thoughts on the MX240? I'm curious now since you state not to get you started. :-)

Not answering for Mark here. In any case, MX240 is a sweet little box, but the price difference to the MX480 (and MX960) is so small that it is only interesting if you are *really* pressed for rack space and/or power. We have a couple of them for precisely that reason.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From mtinka at globaltransit.net Wed Nov 4 05:37:16 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 4 Nov 2009 18:37:16 +0800
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <200911032057.22402.mtinka@globaltransit.net> <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>
Message-ID: <200911041837.17064.mtinka@globaltransit.net>

On Wednesday 04 November 2009 09:10:33 am Brian Spade wrote:
> Mark, what's your thoughts on the MX240? I'm curious now since you state not to get you started. :-)

Really... :-)?

Well, the MX240 is probably the smallest of the bunch (not considering the MX80, as it probably won't be modular enough to provide SONET/SDH support).

The MX-FPC swallows two whole DPC slots. In an MX240, that's just a waste of time. You're better off getting an M120 or M40e (M40e if you don't need STM-64/OC-192). This makes the MX480 or MX960 more appealing when used with the MX-FPC. But then, that's not in the same space as the ASR1000 series anymore.

Again, Cisco are slightly better in the segment, at present. Juniper might do well to refresh the M7i/M10i. And I've said this to them, time and time again.

As much as I adore Juniper, and with due respect to the ingenious design of the M7i/M10i platform, the ASR1000 levels (and perhaps, exceeds) the playing field in this platform space.

Cheers,

Mark.
From ltd at cisco.com Wed Nov 4 06:11:13 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Wed, 4 Nov 2009 22:11:13 +1100
Subject: [c-nsp] BPDU Guard issue
In-Reply-To: 
References: 
Message-ID: <3B4B9B51-7864-44AA-AE56-A99C8BF5BAEC@cisco.com>

On 03/11/2009, at 5:25 PM, Stanly Johns wrote:
> Is it possible for a BPDU guard enabled switch port to get disabled without connecting any other device than the IP Phone and a PC ? I had to do a shut and no shut to bring it up !
> The logs are as follows. your inputs are highly appreciated.

you had a loop on a portfast port, BPDU guard prevented that from causing it to melt your network down. you should be thankful.

i've seen loops caused by all sorts of things. some virtualization software does it. some vendors' iLO ports can be bridged with a non-iLO port, and some teaming/"failsafe" NIC drivers can do it.

my suggestion is to find out the root cause and fix that.

cheers,

lincoln.

From tav at ucomline.net Wed Nov 4 06:53:13 2009
From: tav at ucomline.net (Teslenko Andrey)
Date: Wed, 04 Nov 2009 13:53:13 +0200
Subject: [c-nsp] Problem with policies on interfaces C3750E IOS12.2(50) SE2
Message-ID: <4AF16B29.1080303@ucomline.net>

Hello all,

I recently updated the IOS version on my C3750 to version IOS12.2(50) SE2. Now I have the following problem: all policies on my interfaces don't shape traffic. "mls qos" is enabled and the policy-map looks like this:

policy-map Customer-200Mbps-critical-In
 class class-default
  police 209712000 1000000 exceed-action drop

On the interface I override all ingress packets and set "cos" for packets to "1":

mls qos cos 1
mls qos cos override

This is necessary because traffic must be in a certain queue.

So I began to experiment, and I get the following result: when I remove the option "mls qos cos override" the policy is working, but when I put this option back it doesn't work.

Has anyone had the same problem?
I can't disable "mls qos cos override" because I want the "qos" scheme to remain working. But I can't disable the policy either.

--
Andrey Teslenko
Leading ip engineer
JSC "Farlep-Invest", Ukraine, Odessa
Backbone network department
Network operation sector
mob: 8063 617-01-68
tel: 8048 716-55-72

From andrea.montefusco at gmail.com Wed Nov 4 08:23:33 2009
From: andrea.montefusco at gmail.com (Andrea Montefusco)
Date: Wed, 04 Nov 2009 14:23:33 +0100
Subject: [c-nsp] Cat 3550 policy routing at layer 4
Message-ID: <4AF18055.5030703@gmail.com>

Does anyone know if the Catalyst 3550 has some restriction on policy routing ACLs at layer 4?

In my lab the PBR works well if the route map acl is at layer 3 only

access-list 200 permit ip

if I use an acl with a layer four ACE, like

access-list 200 permit tcp eq 25

it doesn't work anymore.

The manual generically states that it is possible to select the traffic via layer 4 parameters.

IOS 12.2.44 SE6

Thanks in advance

*am*

------------------- cut here ----------------
...
interface Vlan20
 ip address 192.168.1.1 255.255.255.0
 ip route-cache policy
 ip policy route-map SPECIAL-ROUTES
...
access-list 200 permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list 200 permit tcp 192.168.1.0 255.255.255.0 any eq pop3
!
route-map SPECIAL-ROUTES permit 5
 match ip address 200
 set ip next-hop 1.1.1.2
...
------------------- cut here ----------------

---------------------------------------------------------
Andrea Montefusco iw0hdv http://www.montefusco.com
---------------------------------------------------------

From dwinkworth at att.net Wed Nov 4 08:49:52 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Wed, 4 Nov 2009 05:49:52 -0800 (PST)
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <200911041837.17064.mtinka@globaltransit.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <200911032057.22402.mtinka@globaltransit.net> <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com> <200911041837.17064.mtinka@globaltransit.net>
Message-ID: <2929.78173.qm@web180016.mail.gq1.yahoo.com>

#######
The MX-FPC swallows two whole DPC slots. In an MX240, that's just a waste of time. You're better off getting an M120 or M40e (M40e if you don't need STM-64/OC-192). This makes the MX480 or MX960 more appealing when used with the MX-FPC. But then, that's not in the same space as the ASR1000 series anymore.
#########

Really? The price difference between a 240 and 480 has always made me wonder why someone wouldn't just buy the 480. The difference is small.

We'll have to wait and see what the answer is going to be to the ASR. I suspect it will be the SRX, because of the integrated services and flow-based QoS.

________________________________
From: Mark Tinka
To: Brian Spade
Cc: sthaug at nethelp.no; cisco-nsp at puck.nether.net
Sent: Wed, November 4, 2009 4:37:16 AM
Subject: Re: [c-nsp] Cisco vs. Juniper

On Wednesday 04 November 2009 09:10:33 am Brian Spade wrote:
> Mark, what's your thoughts on the MX240? I'm curious now since you state not to get you started. :-)

Really... :-)?

Well, the MX240 is probably the smallest of the bunch (not considering the MX80, as it probably won't be modular enough to provide SONET/SDH support).

Again, Cisco are slightly better in the segment, at present. Juniper might do well to refresh the M7i/M10i. And I've said this to them, time and time again.

As much as I adore Juniper, and with due respect to the ingenious design of the M7i/M10i platform, the ASR1000 levels (and perhaps, exceeds) the playing field in this platform space.

Cheers,

Mark.
From SHughes at GREnergy.com Wed Nov 4 07:45:21 2009
From: SHughes at GREnergy.com (Hughes, Scott GRE-MG)
Date: Wed, 4 Nov 2009 06:45:21 -0600
Subject: [c-nsp] Issue with secondary ip address
In-Reply-To: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
References: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
Message-ID: 

You need to set up a "superscope" on the windows box that includes both the primary and secondary subnets. Even if you don't hand out any addresses in the primary subnet, it needs to exist and be bound to the same superscope as your secondary subnet.

Sent from my iPhone.

On Nov 3, 2009, at 11:19 AM, "CJ" wrote:
> Hello all,
>
> I have a vlan that has a primary and secondary ip address. My DHCP server is in the secondary ip address. The DHCP server is a windows 2003 server with the scope enabled and correct. If I plug a computer into a switch with the vlan configured I cannot get an address. If I create a DHCP server in the primary ip address range with the same scope and options and disable the scope on the other DHCP server it works. I cannot figure out what is going on.

From mike-cisconsplist at tiedyenetworks.com Wed Nov 4 11:53:38 2009
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Wed, 04 Nov 2009 08:53:38 -0800
Subject: [c-nsp] rate limits on 2970?
Message-ID: <4AF1B192.7010209@tiedyenetworks.com>

Hi,

I have a pair of 2970's and I want to know if/how it's possible to establish input and output rate limits on it? If there's a cisco guide sorry for bothering you all but a very quick google doesn't give me any answer. The switches are running 12.2(25)SEC code if it makes a difference.

Thank you.

From berghauz at gmail.com Wed Nov 4 12:19:14 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Wed, 4 Nov 2009 20:19:14 +0300
Subject: [c-nsp] rate limits on 2970?
In-Reply-To: <4AF1B192.7010209@tiedyenetworks.com>
References: <4AF1B192.7010209@tiedyenetworks.com>
Message-ID: <13d85870911040919u63a426e6t26e960ce5d1c6e31@mail.gmail.com>

Hello.

As far as I know, there is no ratelimiting on 2950/60/70. You can use the mechanisms of QoS, but the ratelimiting does not work as well as described by cisco (token bucket mechanism and etc.).

Although you can use it in config-if mode, it affects only ingress traffic.

2009/11/4 Mike
> Hi,
>
> I have a pair of 2970's and I want to know if/how it's possible to establish input and output rate limits on it? If there's a cisco guide sorry for bothering you all but a very quick google doesn't give me any answer. The switches are running 12.2(25)SEC code if it makes a difference.
>
> Thank you.

WBR Aleksey Polyakoff
ICQ:9001016
Mike Ditka - "If God had wanted man to play soccer, he wouldn't have given us arms."

From ras at e-gerbil.net Wed Nov 4 12:29:04 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 4 Nov 2009 11:29:04 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <2929.78173.qm@web180016.mail.gq1.yahoo.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <200911032057.22402.mtinka@globaltransit.net> <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com> <200911041837.17064.mtinka@globaltransit.net> <2929.78173.qm@web180016.mail.gq1.yahoo.com>
Message-ID: <20091104172904.GY51443@gerbil.cluepon.net>

On Wed, Nov 04, 2009 at 05:49:52AM -0800, Derick Winkworth wrote:
> Really? The price difference between a 240 and 480 has always made me wonder why someone wouldn't just buy the 480. The difference is small.

Funny, I say the same thing about the 960 vs 480. We bought exactly one 480 for a place where we couldn't get anything in the 200-240v range for power, because 90-120v is supported only on 240/480. For the money I'd have much rather gotten a 960 and just not powered up the second half.

Actually if you look at it from a components perspective it actually costs you more to buy the smaller chassis. For example a fully redundant MX960 comes with 3 SCBs (fabric modules), a fully redundant MX480 comes with 2. And the price difference between the two is a fraction of the cost of buying a spare SCB.

Hopefully MX80 fixes these chassis cost issues with its new more integrated design. I think there is probably a product line opening for an MX120 or MX160 as well. But again, wrong mailing list. :)

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From gsgranados at comcast.net Wed Nov 4 12:42:31 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 4 Nov 2009 09:42:31 -0800
Subject: [c-nsp] Restricting VPN connections to company hardware?
Message-ID: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com>

Hi,

I've been googling but not finding much although I think I'm probably formulating my search incorrectly so I'm hoping for some pointers here.
I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions. We've been finding that folks are configuring IPhones and other non approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only? Is there a good way say for me to allow company provided laptops but not allow clients from home machines where users duplicate their profile or non-certified end devices like pocket PC devices? I understand how to filter based on client type but this doesn't prevent someone from copying their profile file from one machine to another. Any pointers would be appreciated.

Thanks
Scott

From mawhi at vestas.com Wed Nov 4 15:26:32 2009
From: mawhi at vestas.com (Matthew White)
Date: Wed, 4 Nov 2009 12:26:32 -0800
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com>
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com>
Message-ID: 

Hi Scott,

Certificate based authentication can meet these needs. This document is just a starting point -- the client certificate installation procedure is onerous. If you have a MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

-mtw

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Wednesday, November 04, 2009 9:43 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Restricting VPN connections to company hardware?
>
> Hi,
> I've been googling but not finding much although I think I'm probably formulating my search incorrectly so I'm hoping for some pointers here.
> I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions. We've been finding that folks are configuring IPhones and other non approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only? Is there a good way say for me to allow company provided laptops but not allow clients from home machines where users duplicate their profile or non-certified end devices like pocket PC devices? I understand how to filter based on client type but this doesn't prevent someone from copying their profile file from one machine to another. Any pointers would be appreciated.
>
> Thanks
> Scott

From berghauz at gmail.com Wed Nov 4 15:53:40 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Wed, 4 Nov 2009 23:53:40 +0300
Subject: [c-nsp] rate limits on 2970?
In-Reply-To: <20091104204336.M47326@fast-serv.com>
References: <4AF1B192.7010209@tiedyenetworks.com> <13d85870911040919u63a426e6t26e960ce5d1c6e31@mail.gmail.com> <20091104204336.M47326@fast-serv.com>
Message-ID: <13d85870911041253t5de66b03i1c607322c55f2b75@mail.gmail.com>

But it does not work if you need more than a 2-10 Mbps policer.

WBR Aleksey Polyakoff
ICQ:9001016
Charles de Gaulle - "The better I get to know men, the more I find myself loving dogs."

2009/11/4 Randy McAnally
> 2950 can rate limit in 1Mbps increments if you have the EI software using policers. Not sure about 2970.
>
> --
> Randy

From rsm at fast-serv.com Wed Nov 4 15:44:43 2009
From: rsm at fast-serv.com (Randy McAnally)
Date: Wed, 4 Nov 2009 15:44:43 -0500
Subject: [c-nsp] rate limits on 2970?
In-Reply-To: <13d85870911040919u63a426e6t26e960ce5d1c6e31@mail.gmail.com>
References: <4AF1B192.7010209@tiedyenetworks.com> <13d85870911040919u63a426e6t26e960ce5d1c6e31@mail.gmail.com>
Message-ID: <20091104204336.M47326@fast-serv.com>

2950 can rate limit in 1Mbps increments if you have the EI software using policers. Not sure about 2970.

--
Randy

---------- Original Message -----------
From: Alexey Polyakov
To: Mike
Cc: cisco-nsp at puck.nether.net
Sent: Wed, 4 Nov 2009 20:19:14 +0300
Subject: Re: [c-nsp] rate limits on 2970?

> Hello.
> As far as I know, there is no ratelimiting on 2950/60/70. You can use the mechanisms of QoS, but the ratelimiting does not work as well as described by cisco (token bucket mechanism and etc.).
>
> Although you can use it in config-if mode, it affects only ingress traffic.
>
> 2009/11/4 Mike
>> Hi,
>>
>> I have a pair of 2970's and I want to know if/how it's possible to establish input and output rate limits on it? If there's a cisco guide sorry for bothering you all but a very quick google doesn't give me any answer. The switches are running 12.2(25)SEC code if it makes a difference.
>>
>> Thank you.
>
> WBR Aleksey Polyakoff
> ICQ:9001016
> Mike Ditka - "If God had wanted man to play soccer, he wouldn't have given us arms."
------- End of Original Message -------

From jared.a.gillis at gmail.com Wed Nov 4 19:30:29 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Wed, 04 Nov 2009 16:30:29 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
Message-ID: <4AF21CA5.4050804@gmail.com>

Hi all,

I've been having quite a few adventures with IS-IS over the last few weeks and have finally hit a wall, so I'm hoping someone here can give me a hand.
Basically, I need to build a network with IS-IS multiarea as described here:

http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html

I built up a small lab with 2600s running 12.3 and got it all working exactly as described in the docs and as I needed. I then tried to move that config to production, which is on 7606/Sup720 running 12.2 SRC, and the multiarea features did not function. That is, automatic redistribution of L1 routes into the L2 instance did not occur, nor did advertising of an L2 (default) route into the L1 domain occur.

After doing some research, I found this 2007 c-nsp post:

http://puck.nether.net/pipermail/cisco-nsp/2007-May/040686.html

Paragraph 10: "TAC says that Integrated Multi-area IS-IS is not supported."

So, to test this out, I put 12.2 SR onto a 7204VXR in the lab (7606 in the lab is not possible for me at the moment), and inserted into my old 2600 lab, and saw the same behavior as on the 7606, which seems to support the old c-nsp post. The Cisco Feature Navigator (which is definitely not gospel) says that every version of 12.2 SR should support IS-IS multiarea.

Does anyone have any conclusive information on this, have you ever been able to get IS-IS multiarea functioning on a 7606/Sup720? If there's some way we can make this functionality work on that platform, I am dying to find it.

Secondarily, if we can't have true IS-IS multiarea, we may be able to simulate it by manually redistributing from the L1 instances to the L2 instances, and setting default-information originate on the L1 instances. I attempted this in the lab, and while the commands are accepted and appear to be good, neither redist nor default origination is actually happening. Does anyone have any suggestions on this front? Redist and default origination should "just work". I'm happy to provide config snippets if needed.

Any advice or help is highly appreciated.

Thanks!
-Jared

From mtinka at globaltransit.net Wed Nov 4 23:52:59 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 5 Nov 2009 12:52:59 +0800
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <2929.78173.qm@web180016.mail.gq1.yahoo.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <200911041837.17064.mtinka@globaltransit.net> <2929.78173.qm@web180016.mail.gq1.yahoo.com>
Message-ID: <200911051253.03729.mtinka@globaltransit.net>

On Wednesday 04 November 2009 09:49:52 pm Derick Winkworth wrote:

> Really? The price difference between a 240 and 480 has
> always made me wonder why someone wouldn't just buy the
> 480. The difference is small.

That is true - the difference in price "of the chassis" would even have your Juniper account team baffled enough as to why you'd insist on an MX240 and not an MX480, that they'll probably just give you the chassis upgrade for free to shut you up and move the meeting along :-).

But that's not the point - when we consider space requirements, cost of the MX-FPC, DPC (and now, MPC) cards for the MX-series, where an ASR1000 would suffice better, Cisco have a better lead.

> We'll have to wait and see what the answer is going to
> be to the ASR. I suspect it will be the SRX, because
> of the integrated services and flow-based QoS.

Yep, let's wait and see.

Cheers,

Mark.

From emagutu at gmail.com Thu Nov 5 01:12:56 2009
From: emagutu at gmail.com (Eric Magutu)
Date: Thu, 5 Nov 2009 09:12:56 +0300
Subject: [c-nsp] Relationship between RAM and routes
Message-ID:

Hi,

What is the relationship between RAM and routes? I want to implement 1000 static routes in a cisco 7206vxr (NPE -G1) and needed to find out what effect it would have on my router. Should I do any upgrades?
it has 229376K/32768K bytes of memory, 509K of NVRAM

--
Regards,
Eric Magutu

From adrian at creative.net.au Thu Nov 5 01:22:01 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Thu, 5 Nov 2009 14:22:01 +0800
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
Message-ID: <20091105062201.GA25405@skywalker.creative.net.au>

G'day,

I've been asked by a customer to solve an L2 ethernet problem and I'm investigating simply tunneling the required VLANs over L2TPv3/xconnect.

Does anyone have any rough throughput (PPS in particular) info they'd like to share? And any other deployment info - actually, in particular I'd like to know about fragmentation related issues.

I'm looking at the Cisco 28xx series (potentially the Cisco 2811) but I'm concerned about hitting throughput ceilings.

Thanks,

Adrian

From gururug at gmail.com Thu Nov 5 01:37:22 2009
From: gururug at gmail.com (Imran K)
Date: Thu, 5 Nov 2009 17:37:22 +1100
Subject: [c-nsp] rate limits on 2970? - police +1
Message-ID: <25d943640911042237i1a6205edw8a183af1e0fec324@mail.gmail.com>

+1 for police, simplest way to do what you want
http://slaptijack.com/networking/inbound-rate-limiting-on-cisco-catalyst-switches/

From peter.hicks at poggs.co.uk Thu Nov 5 02:08:00 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Thu, 05 Nov 2009 08:08:00 +0100
Subject: [c-nsp] Cat6500 "Waiting for supervisor to come online in other slot" when booting
Message-ID: <4AF279D0.8090103@poggs.co.uk>

All,

I have a pair of 6504Es with Sup32s here, running 12.2(33)SXH6. When they boot, the bootloader loads and I am presented with:

==cut===
System Bootstrap, Version 12.2(18r)SX9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2008 by cisco Systems, Inc.
Cat6k-Sup32 platform with 524288 Kbytes of main memory

Autoboot executing command: "boot "
Initializing ATA monitor library...
string is bootdisk:s3223-boot-mz.122-33.SXH6.bin
Initializing ATA monitor library...
Self extracting the image...
[OK]
Self decompressing the image : ################################################################################################################################################ [OK]
...
Cisco IOS Software, s3223_sp Software (s3223_sp-BOOT-M), Version 12.2(33)SXH6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 15-Oct-09 11:59 by prod_rel_team
Image text-base: 0x40231348, data-base: 0x41B62000

MAC based EOBC installed
Waiting (slot 1) for supervisor to come online in other slot. iteration = 0
Next Retry will be done after 6 seconds
==cut===

I only have a single Sup32 in the chassis, and this message continues forever. Breaking out and booting the image manually appears to work.

What causes this, and how can I get around it? I am sure I'm not doing something correctly.

Regards,

Peter

From berghauz at gmail.com Thu Nov 5 02:51:37 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Thu, 5 Nov 2009 10:51:37 +0300
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <20091105062201.GA25405@skywalker.creative.net.au>
References: <20091105062201.GA25405@skywalker.creative.net.au>
Message-ID: <13d85870911042351j32793084p2941c39a02375385@mail.gmail.com>

L2TPv3 is a very useful feature, but it causes very high CPU load on the receiver side. On an 1841, a 10Mbit/s xconnect channel causes near 40% CPU load; a 2Mbit/s channel loads the CPU near 10%. Max. throughput on an 1841 without shaping is 28Mbit/s (FULL CPU load).

WBR Aleksey Polyakoff ICQ:9001016
Ted Turner - "Sports is like a war without the killing."

2009/11/5 Adrian Chadd

> G'day,
>
> I've been asked by a customer to solve an L2 ethernet problem
> and I'm investigating simply tunneling the required VLANs over
> L2TPv3/xconnect.
>
> Does anyone have any rough throughput (PPS in particular) info
> they'd like to share ? And any other deployment info - actually,
> in particular I'd like to know about fragmentation related issues.
>
> I'm looking at the Cisco 28xx series (potentially the Cisco 2811)
> but I'm concerned about hitting throughput ceilings.
>
> Thanks,
>
> Adrian
>

From berghauz at gmail.com Thu Nov 5 03:28:05 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Thu, 5 Nov 2009 11:28:05 +0300
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To:
References: <20091105062201.GA25405@skywalker.creative.net.au> <13d85870911042351j32793084p2941c39a02375385@mail.gmail.com>
Message-ID: <13d85870911050028p7b04707ckb946374b4112a267@mail.gmail.com>

Because the 1841 has only Fa interfaces, I think baby giants are not supported at all. With the 2811 the situation is the same, because of the Fa.

WBR Aleksey Polyakoff ICQ:9001016
Stephen Leacock - "I detest life-insurance agents: they always argue that I shall some day die, which is not so."

2009/11/5 Rens

> You need to raise your MTU and the CPU load will go down.
>
> PS: I'm not sure which IOS version supports baby giant frames on 1841, not
> all do.
>

From rens at autempspourmoi.be Thu Nov 5 03:12:32 2009
From: rens at autempspourmoi.be (Rens)
Date: Thu, 5 Nov 2009 09:12:32 +0100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <20091105062201.GA25405@skywalker.creative.net.au>
References: <20091105062201.GA25405@skywalker.creative.net.au>
Message-ID:

I have already done up to 400 Mbps with 2811 or 2821 (don't remember)
You just have to make sure your MTU is high enough depending on the frame sizes you want to tunnel.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adrian Chadd
Sent: Thursday 5 November 2009 7:22
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
G'day,

I've been asked by a customer to solve an L2 ethernet problem and I'm investigating simply tunneling the required VLANs over L2TPv3/xconnect.

Does anyone have any rough throughput (PPS in particular) info they'd like to share? And any other deployment info - actually, in particular I'd like to know about fragmentation related issues.

I'm looking at the Cisco 28xx series (potentially the Cisco 2811) but I'm concerned about hitting throughput ceilings.

Thanks,

Adrian

From rens at autempspourmoi.be Thu Nov 5 03:08:41 2009
From: rens at autempspourmoi.be (Rens)
Date: Thu, 5 Nov 2009 09:08:41 +0100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <13d85870911042351j32793084p2941c39a02375385@mail.gmail.com>
References: <20091105062201.GA25405@skywalker.creative.net.au> <13d85870911042351j32793084p2941c39a02375385@mail.gmail.com>
Message-ID:

You need to raise your MTU and the CPU load will go down.

PS: I'm not sure which IOS version supports baby giant frames on 1841, not all do.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexey Polyakov
Sent: Thursday 5 November 2009 8:52
To: Adrian Chadd
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Experiences with l2tpv3/xconnect?

L2TPv3 is a very useful feature, but it causes very high CPU load on the receiver side. On an 1841, a 10Mbit/s xconnect channel causes near 40% CPU load; a 2Mbit/s channel loads the CPU near 10%. Max. throughput on an 1841 without shaping is 28Mbit/s (FULL CPU load).

WBR Aleksey Polyakoff ICQ:9001016
Ted Turner - "Sports is like a war without the killing."
2009/11/5 Adrian Chadd

> G'day,
>
> I've been asked by a customer to solve an L2 ethernet problem
> and I'm investigating simply tunneling the required VLANs over
> L2TPv3/xconnect.
>
> Does anyone have any rough throughput (PPS in particular) info
> they'd like to share ? And any other deployment info - actually,
> in particular I'd like to know about fragmentation related issues.
>
> I'm looking at the Cisco 28xx series (potentially the Cisco 2811)
> but I'm concerned about hitting throughput ceilings.
>
> Thanks,
>
> Adrian
>

From oboehmer at cisco.com Thu Nov 5 04:54:34 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 5 Nov 2009 10:54:34 +0100
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <4AF21CA5.4050804@gmail.com>
References: <4AF21CA5.4050804@gmail.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com>

Jared,

> I've been having quite a few adventures with IS-IS over the last few weeks
> and have finally hit a wall, so I'm hoping someone here can give me a hand.
> Basically, I need to build a network with IS-IS multiarea as described here:
> http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html

I reckon you need to build this for IP? ISIS multiarea is only supported for CLNS routing, as stated in the above link under "Restrictions".

> Secondarily, if we can't have true IS-IS multiarea, we may be able to
> simulate it by manually redistributing from the L1 instances to the L2
> instances, and setting default-information originate on the L1 instances.
> I attempted this in the lab, and while the commands are accepted and appear to
> be good, neither redist nor default origination is actually happening.
> Does anyone have any suggestions on this front? Redist and default
> origination should "just work".

not sure what you mean here as an alternative. You can use "default-information originate" to originate a 0.0.0.0/0 in the node's LSPs (instead of using the attached-bit from the L1L2 node, possibly along with "never-set-attached-bit" and "ignore-attached-bit" knobs to control ATT bit behaviour), but the L1 -> L2 advertisement requires a "proper" ISIS design (i.e. no multi-area config when using it for IP).

oli

From lukasz at bromirski.net Thu Nov 5 05:24:02 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 05 Nov 2009 11:24:02 +0100
Subject: [c-nsp] Relationship between RAM and routes
In-Reply-To:
References:
Message-ID: <4AF2A7C2.7030501@bromirski.net>

On 2009-11-05 07:12, Eric Magutu wrote:
> Hi,
> What is the relationship between RAM and routes? I want to implement 1000
> static routes in a cisco 7206vxr (NPE -G1) and needed to find out what
> effect it would have on my router. Should I do any upgrades? it has
> 229376K/32768K bytes of memory 509K of NVRAM

Negligible. For a lot of static routes you may consider doing 'service compress-config', but for 1k you should be safe.

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From kgraham at industrial-marshmallow.com Thu Nov 5 05:02:09 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Thu, 5 Nov 2009 02:02:09 -0800 (PST)
Subject: [c-nsp] "common" causes for 6500/7600 FIBDISABLE?
Message-ID: <973676.50849.qm@web505.biz.mail.mud.yahoo.com>

Having been recently hit by CSCsl62851 and/or CSCsu95171, which I suspect should be cross-referenced (yes, I was behind where we should have been in SRC), are there any "common" causes for a FIBDISABLE (in which PFC/DFC is effectively unloaded)? On an RSP720, this very neatly left both EGP/IGP mostly functional while killing any practical forwarding-plane activity. I had thought this had come up a year or so here in the context of SXF, but again my search-fu is weak.

Whatever the cause, it would seem that the responsible behavior in this condition would be to trigger a crash. CSCsm53392 certainly suggests as much (applying to DFC's), though TAC asserts that there are too many cases where "this would end up in a reboot cycle requiring manual intervention" to be proper (my own inclination being that this degenerate case is still desirable) to allow an admin to "correct" the configuration that caused it.

I've been trying to think of cases where a fibdisable would occur outside of a bug-condition and the only thing that comes to mind is a FIB overflow (which as discussed extensively here, is at least purportedly handled gracefully now). Are there cases I'm not thinking of that make non-bug conditions for this so much more common that destruction of the forwarding plane is desirable over a crash?

Though I'm somewhat inclined for a bit of EEM to try to ensure a reload, the lack of an existing knob is vexing...

From adrian at creative.net.au Thu Nov 5 05:44:30 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Thu, 5 Nov 2009 18:44:30 +0800
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To:
References: <20091105062201.GA25405@skywalker.creative.net.au>
Message-ID: <20091105104430.GB25405@skywalker.creative.net.au>

On Thu, Nov 05, 2009, Rens wrote:
> I have already done up to 400 Mbps with 2811 or 2821 (don't remember)
> You just have to make sure your MTU is high enough depending on the frame
> sizes you want to tunnel.

What PPS was this with though? I'm worried about VoIP/PABX traffic causing much more increased CPU.

I don't have the option to up the MTU; the supplied underlying circuit is an L2 ethernet metro ethernet style service.

Adrian

From kgraham at industrial-marshmallow.com Thu Nov 5 04:48:38 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Thu, 5 Nov 2009 01:48:38 -0800 (PST)
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <4AF09CFE.8000906@sky-haven.net>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <4AF09CFE.8000906@sky-haven.net>
Message-ID: <752959.32354.qm@web505.biz.mail.mud.yahoo.com>

> Have had good luck with VPNC on Linux. You can try the ShrewSoft Linux
> client (http://www.shrew.net/) as well if you're of a mind, but vpnc
> tends to win on simplicity.

Out of curiosity, how much actual functionality of the Unity/AnyConnect/etc VPN software are any of you using? L2TP+IPSec is a pretty straightforward config (even w/ VRF-lite) and is doable w/ just an ADVSECURITY license. Most Linux distros, Windows (going back to at least XP), OS X, Windows Mobile (to at least 5) and the iPhone all support it out of the box.. RFC3948 support is also very common, allowing easy NAT traversal.

From ronan at iol.ie Thu Nov 5 07:17:34 2009
From: ronan at iol.ie (Ronan Mullally)
Date: Thu, 5 Nov 2009 12:17:34 +0000 (GMT)
Subject: [c-nsp] IPsec Stateful Failure question
Message-ID:

Before I jump in both feet first and try configuring it, the Stateful Failure for IPsec guide (12.4) says:

"A stateful failover crypto map applied to an interface in a VRF instance is not supported.
However, VRF-aware IPSEC features are supported when a stateful failover crypto map is applied to an interface in the global VRF".

If I read this right, then configuring things like this:

interface Port-channel1.106
 description Customer X VPN - Front Door VRF
 mtu 1600
 encapsulation dot1Q 106
 ip vrf forwarding f-CustomerX
 ip address 1.2.3.4 255.255.255.248
 ip mtu 1500
 standby 106 ip 1.2.3.5
 standby 106 follow vpn-vip
 standby 106 name f-customerx-vip
 crypto map CustomerX redundancy f-customerx-vip
end

Means I'm not going to be able to do stateful failover, correct?

-Ronan

From drew.weaver at thenap.com Thu Nov 5 08:26:18 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 5 Nov 2009 08:26:18 -0500
Subject: [c-nsp] 10GE on the cheap between a 12000 and a 6500...
Message-ID:

Is there any mythical line card that I'm missing for the 12000 that offers 10GE for a reasonable price?

The idea of using half of a SIP 601 for one 10GE port seems a little outlandish to me, so maybe I am missing something.

Any advice is appreciated.

-Drew

From sthaug at nethelp.no Thu Nov 5 09:07:53 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 05 Nov 2009 15:07:53 +0100 (CET)
Subject: [c-nsp] 10GE on the cheap between a 12000 and a 6500...
In-Reply-To:
References:
Message-ID: <20091105.150753.74726103.sthaug@nethelp.no>

> Is there any mythical line card that I'm missing for the 12000 that offers 10GE for a reasonable price?
>
> The idea of using half of a SIP 601 for one 10GE port seems a little outlandish to me, so maybe I am missing something.

There is no "reasonable price" 10G for 12000, just as there isn't for the Juniper M320...

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From david.freedman at uk.clara.net Thu Nov 5 10:25:15 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 05 Nov 2009 15:25:15 +0000
Subject: [c-nsp] 10GE on the cheap between a 12000 and a 6500...
In-Reply-To:
References:
Message-ID:

According to global price list

( SPA-1X10GE-L-V2 + 12000-SIP-601= (E5) ) < 1X10GE-LR-SC (E4)

Quite why one would want to spend less money on an E4 with half the density is beyond me.

Dave.

Drew Weaver wrote:
> Is there any mythical line card that I'm missing for the 12000 that offers 10GE for a reasonable price?
>
> The idea of using half of a SIP 601 for one 10GE port seems a little outlandish to me, so maybe I am missing something.
>
> Any advice is appreciated.
>
> -Drew
>

From linux.yahoo at gmail.com Thu Nov 5 12:02:27 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Thu, 5 Nov 2009 18:02:27 +0100
Subject: [c-nsp] ACS 3 --> 5
Message-ID: <7100ed370911050902o86cf4fdo4c663fa7b6ffe2bd@mail.gmail.com>

Hi,

Has anyone already been able to easily import ACS configuration from version 3 to 5? Any problems?

It seems we need to first import the configuration into ACS 4 to export it to 5, but I am not sure.

Thanks for your input

Manu

From neil-johnson at uiowa.edu Thu Nov 5 12:25:20 2009
From: neil-johnson at uiowa.edu (Johnson, Neil M)
Date: Thu, 5 Nov 2009 11:25:20 -0600
Subject: [c-nsp] NAT/PAT appliance recommendations
Message-ID:

I'm looking for recommendations for a device to NAT/PAT so that we can move our wireless network to private IP address space.

We have approximately 1500 wireless clients on one wireless network and about 500 clients on the other (our campus is separated by a river).

One wireless network has six wireless controllers, each with four 1 Gb/s connections; the other has five wireless controllers. Those interfaces are nowhere near saturated, but we will be adding another 900 AP's to the network and moving to 802.11N.

All traffic from the wireless clients will be NAT'ed.

Thanks.
-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-johnson at uiowa.edu

From moua0100 at umn.edu Thu Nov 5 12:43:03 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 05 Nov 2009 11:43:03 -0600
Subject: [c-nsp] NAT/PAT appliance recommendations
In-Reply-To:
References:
Message-ID: <4AF30EA7.70308@umn.edu>

coincidentally, we just did this for our wifi clients too; using an asa5550 to do the nat; works pretty decent; the asa evolved from the pix which was in its early days a nat appliance:

right now the box is doing ~39,000 nat translations and the cpu is just running luke-warm.

Border-FW-01/UofM-NAT# sh conn count
38295 in use, 117008 most used
Border-FW-01/UofM-NAT#
Border-FW-01/UofM-NAT# sh xlate count
38957 in use, 51352 most used
CPU utilization for 5 seconds = 18.9%; 1 minute: 19.4%; 5 minutes: 19.4%
Border-FW-01/UofM-NAT#
Border-FW-01/UofM-NAT# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.1(3)
Compiled on Tue 05-May-09 22:45 by builders
Border-FW-01 up 84 days 22 hours
failover cluster up 103 days 19 hours
Hardware: ASA5550
Licensed features for this user context:
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
GTP/GPRS : Disabled
Botnet Traffic Filter : Disabled
Configuration last modified by moua0100 at 15:44:50.126 CDT Wed Sep 23 2009

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Johnson, Neil M wrote:
> I'm looking for recommendations for a device to NAT/PAT so that we can move our wireless network to private IP address space.
>
> We have approximately 1500 wireless clients on one wireless network and about 500 clients on the other (our campus is separated by a river).
>
> One wireless network has six wireless controllers each four 1 Gb/s connections, the other has five wireless controllers.
> Those interfaces are nowhere near saturated, but we will be adding another 900 AP's to the network and moving to 802.11N.
>
> All traffic from the wireless clients will be NAT'ed.
>
> Thanks.
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: neil-johnson at uiowa.edu
>

From asturluismi at gmail.com Thu Nov 5 12:56:47 2009
From: asturluismi at gmail.com (luismi)
Date: Thu, 05 Nov 2009 18:56:47 +0100
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <008001ca5cb8$02ad7360$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com>
Message-ID: <1257443807.13192.0.camel@hal9000>

Ubuntu karmic 9.10 here, using the graphic gnome vpn assistant (which uses vpnc in the background) and zero problems against a vpn3030

On Tue, 03-11-2009 at 11:01 -0800, Scott Granados wrote:
> Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second.
> (I actually think we have a license for this feature set already)
>
> Thanks as always for the great suggestions.
>
>
>
> ----- Original Message -----
> From: "Eloy Paris"
> To: "Scott Granados"
> Cc:
> Sent: Tuesday, November 03, 2009 10:53 AM
> Subject: Re: [c-nsp] Linux VPN client suggestion?
>
>
> > Hi Scott,
> >
> > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> >
> >> Hi all,
> >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> >> to provide remote users access to network resources. I have one user who
> >> is interested in a client for Linux (specifically CentOS) and not sure
> >> what to suggest.
> >> Does anyone have any good pointers for a good client
> >> that I can point him to?
> >>
> >> Any pointers would be appreciated.
> >
> > The Cisco VPN Client does support *some* versions of Linux. However, it
> > does not work with the latest versions of the Linux kernel so if your
> > user's kernel is recent (and unfortunately, "recent" doesn't really have
> > to be very recent) then the official Cisco VPN Client is not an option.
> >
> > However, there is an open source VPN client that works with Cisco VPN
> > headends. I personally use it and it works great:
> >
> > http://www.unix-ag.uni-kl.de/~massar/vpnc/
> >
> > It's included in pretty much all Linux distributions. A quick Google
> > search for "centos vpnc" turned this up as the first hit:
> >
> > http://wiki.centos.org/HowTos/vpnc
> >
> > Hope this helps.
> >
> > Cheers,
> >
> > --
> >
> > Eloy Paris
> > Cisco PSIRT
> > Ph: +1 919 392-9118
>

From berghauz at gmail.com Thu Nov 5 13:06:41 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Thu, 5 Nov 2009 21:06:41 +0300
Subject: [c-nsp] NAT/PAT appliance recommendations
In-Reply-To:
References:
Message-ID: <13d85870911051006h54e9ab8j8fc54ed6ddd9875c@mail.gmail.com>

Hi.

3854 can handle a lot of nat translations. But... can't handle a lot of Mbps..

Here are some mrtg graphs.

NAT translations: http://i039.radikal.ru/0911/9f/845c6ec3d143.png
CPU load: http://s58.radikal.ru/i162/0911/c7/7052632a4b6c.png

WBR Aleksey Polyakoff ICQ:9001016
Marie von Ebner-Eschenbach - "Even a stopped clock is right twice a day."

2009/11/5 Johnson, Neil M

>
> I'm looking for recommendations for a device to NAT/PAT so that we can move
> our wireless network to private IP address space.
>
> We have approximately 1500 wireless clients on one wireless network and
> about 500 clients on the other (our campus is separated by a river).
>
> One wireless network has six wireless controllers each four 1 Gb/s
> connections, the other has five wireless controllers. Those interfaces are
> nowhere near saturated, but we will be adding another 900 AP's to the
> network and moving to 802.11N.
>
> All traffic from the wireless clients will be NAT'ed.
>
> Thanks.
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: neil-johnson at uiowa.edu
>

From paul at paulstewart.org Thu Nov 5 13:15:30 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 5 Nov 2009 13:15:30 -0500
Subject: [c-nsp] NAT/PAT appliance recommendations
In-Reply-To: <13d85870911051006h54e9ab8j8fc54ed6ddd9875c@mail.gmail.com>
References: <13d85870911051006h54e9ab8j8fc54ed6ddd9875c@mail.gmail.com>
Message-ID: <003701ca5e43$f5e0a340$e1a1e9c0$@org>

Is that graph (NAT) the number of "active" NAT translations? Just curious as that is a LOT of translations being measured on that platform..;)

Cheers,

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexey Polyakov
Sent: November-05-09 1:07 PM
To: Johnson, Neil M
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT/PAT appliance recommendations

Hi.

3854 can handle a lot of nat translations. But... can't handle a lot of Mbps..

Here are some mrtg graphs.
NAT translations: http://i039.radikal.ru/0911/9f/845c6ec3d143.png
CPU load: http://s58.radikal.ru/i162/0911/c7/7052632a4b6c.png

WBR Aleksey Polyakoff ICQ:9001016
Marie von Ebner-Eschenbach - "Even a stopped clock is right twice a day."

2009/11/5 Johnson, Neil M

>
> I'm looking for recommendations for a device to NAT/PAT so that we can move
> our wireless network to private IP address space.
>
> We have approximately 1500 wireless clients on one wireless network and
> about 500 clients on the other (our campus is separated by a river).
>
> One wireless network has six wireless controllers each four 1 Gb/s
> connections, the other has five wireless controllers. Those interfaces are
> nowhere near saturated, but we will be adding another 900 AP's to the
> network and moving to 802.11N.
>
> All traffic from the wireless clients will be NAT'ed.
>
> Thanks.
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: neil-johnson at uiowa.edu
>

From drew.weaver at thenap.com Thu Nov 5 13:41:16 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 5 Nov 2009 13:41:16 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
Message-ID:

Hi,

I noticed I'm seeing some Input errors on a gigabit ethernet interface:

70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored

the number of input errors seems to increment along with the overrun counter which I assume means that the actual errors are overrun errors.
Does anyone have any tips on finding out what is causing it to overrun?

My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:

2367831951 packets input, 247924231216 bytes, 0 no buffer

70 out of 2367831951 is a fairly small number but I wanted to check and see if you all had any thoughts.

thanks,
-Drew

From Michael.Balasko at cityofhenderson.com Thu Nov 5 13:47:08 2009
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Thu, 5 Nov 2009 10:47:08 -0800
Subject: [c-nsp] OT: ASA rant was : RE: NAT/PAT appliance recommendations
In-Reply-To: <4AF30EA7.70308@umn.edu>
References: <4AF30EA7.70308@umn.edu>
Message-ID: <9AF22D15085E7D409ED5710CBC779E930A3182@COHNTCS09.ci.henderson.nv.us>

I second the ASA's to do this. Although I'd disagree with the ASA's having evolved from the pix's. All Cisco has appeared to do is install more bugs and try to out-do IOS and Windows ME for the buggiest OS's ever. That being said I am warming up to 7.2 train.

One of my new favorite bugs- Editing an Object Group causes the ASA to crash. This seems to be something that should have been vetted.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy71401

That being said things are infinitely more complicated than they were back in the oh-how-I-miss-my-Pix-520 days.

Mike

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua

coincidentally, we just did this for our wifi clients too; using an asa5550 to do the nat; works pretty decent; the asa evolved from the pix which was in its early days a nat appliance:

Johnson, Neil M wrote:
> I'm looking for recommendations for a device to NAT/PAT so that we can move our wireless network to private IP address space.
>
> We have approximately 1500 wireless clients on one wireless network and about 500 clients on the other (our campus is separated by a river).

From cjk at klement.org Thu Nov 5 13:48:29 2009
From: cjk at klement.org (Charles Klement)
Date: Thu, 5 Nov 2009 10:48:29 -0800
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <1257443807.13192.0.camel@hal9000>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000>
Message-ID: <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>

One important thing to remember is that VPNC can ignore pretty much any policy sent down from the concentrator. This includes split tunnelling as well as client versioning.

This is one of the reasons that I've been pushing the company I work for towards anyconnect.

On Thu, Nov 5, 2009 at 9:56 AM, luismi wrote:
> Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses vpnc in the background) and zero problems against a vpn3030
>
> On Tue, 03-11-2009 at 11:01 -0800, Scott Granados wrote:
> > Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second.
> > (I actually think we have a license for this feature set already)
> >
> > Thanks as always for the great suggestions.
> >
> > ----- Original Message -----
> > From: "Eloy Paris"
> > To: "Scott Granados"
> > Cc:
> > Sent: Tuesday, November 03, 2009 10:53 AM
> > Subject: Re: [c-nsp] Linux VPN client suggestion?
> >
> > > Hi Scott,
> > >
> > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> > >
> > >> Hi all,
> > >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest.
> > >> Does anyone have any good pointers for a good client that I can point him to?
> > >>
> > >> Any pointers would be appreciated.
> > >
> > > The Cisco VPN Client does support *some* versions of Linux. However, it does not work with the latest versions of the Linux kernel, so if your user's kernel is recent (and unfortunately, "recent" doesn't really have to be very recent) then the official Cisco VPN Client is not an option.
> > >
> > > However, there is an open source VPN client that works with Cisco VPN headends. I personally use it and it works great:
> > >
> > > http://www.unix-ag.uni-kl.de/~massar/vpnc/
> > >
> > > It's included in pretty much all Linux distributions. A quick Google search for "centos vpnc" turned this up as the first hit:
> > >
> > > http://wiki.centos.org/HowTos/vpnc
> > >
> > > Hope this helps.
> > >
> > > Cheers,
> > >
> > > --
> > >
> > > Eloy Paris
> > > Cisco PSIRT
> > > Ph: +1 919 392-9118

From berghauz at gmail.com Thu Nov 5 13:52:32 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Thu, 5 Nov 2009 21:52:32 +0300
Subject: [c-nsp] NAT/PAT appliance recommendations
In-Reply-To: <003701ca5e43$f5e0a340$e1a1e9c0$@org>
References: <13d85870911051006h54e9ab8j8fc54ed6ddd9875c@mail.gmail.com> <003701ca5e43$f5e0a340$e1a1e9c0$@org>
Message-ID: <13d85870911051052x59cd7ac4v286aaa22b2b3a1e8@mail.gmail.com>

I'm surprised no less than you, but it is so. But I must clarify: the translation timeout is 1200 sec for both tcp and udp.
For comparison, a 7513 is almost dead at 7-10K translations, with less than 4 time timeouts.

cis3845-MB_okt#sh ip nat stat
Total active translations: 167741 (0 static, 167741 dynamic; 167747 extended)

cis3845-MB_okt#sh ver
Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 05:34 by alnguyen

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

cis3845-MB_okt uptime is 8 weeks, 6 days, 13 hours, 40 minutes
System returned to ROM by power-on
System image file is "flash:c3845-ipbase-mz.124-3g.bin"

Cisco 3845 (revision 1.0) with 225280K/36864K bytes of memory.
Processor board ID FCZ1111711G
2 Gigabit Ethernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62720K bytes of ATA System CompactFlash (Read/Write)

WBR Aleksey Polyakoff ICQ:9001016
Mike Ditka - "If God had wanted man to play soccer, he wouldn't have given us arms."

2009/11/5 Paul Stewart
> Is that graph (NAT) the number of "active" NAT translations? Just curious as that is a LOT of translations being measured on that platform..;)
>
> Cheers,
>
> Paul
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexey Polyakov
> Sent: November-05-09 1:07 PM
> To: Johnson, Neil M
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] NAT/PAT appliance recommendations
>
> Hi.
>
> 3854 can handle a lot of nat translations. But... can't handle a lot of Mbps..
> There are some mrtg graphs.
> NAT translations:
> http://i039.radikal.ru/0911/9f/845c6ec3d143.png
> CPU load:
> http://s58.radikal.ru/i162/0911/c7/7052632a4b6c.png
>
> WBR Aleksey Polyakoff ICQ:9001016
> Marie von Ebner-Eschenbach <http://www.brainyquote.com/quotes/authors/m/marie_von_ebnereschenbac.html> - "Even a stopped clock is right twice a day."
>
> 2009/11/5 Johnson, Neil M
> > I'm looking for recommendations for a device to NAT/PAT so that we can move our wireless network to private IP address space.
> >
> > We have approximately 1500 wireless clients on one wireless network and about 500 clients on the other (our campus is separated by a river).
> >
> > One wireless network has six wireless controllers, each with four 1 Gb/s connections; the other has five wireless controllers. Those interfaces are nowhere near saturated, but we will be adding another 900 APs to the network and moving to 802.11N.
> >
> > All traffic from the wireless clients will be NAT'ed.
> >
> > Thanks.
> > -Neil
> >
> > --
> > Neil Johnson
> > Network Engineer
> > Information Technology Services
> > The University of Iowa
> > Work: 319 384-0938
> > Mobile: 319 540-2081
> > Fax: 319 355-2618
> > E-mail: neil-johnson at uiowa.edu

From synack at live.com Thu Nov 5 13:53:43 2009
From: synack at live.com (Darin Herteen)
Date: Thu, 5 Nov 2009 12:53:43 -0600
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID:

Drew,

Overruns are usually caused by the receiving hardware buffer being "flooded", for lack of a better term, because the input rate exceeded the receiver's ability to handle the traffic.
Darin

> From: drew.weaver at thenap.com
> To: cisco-nsp at puck.nether.net
> Date: Thu, 5 Nov 2009 13:41:16 -0500
> Subject: [c-nsp] Gigabit Interface Input Errors
>
> Hi,
>
> I noticed I'm seeing some Input errors on a gigabit ethernet interface:
>
> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>
> The number of input errors seems to increment along with the overrun counter, which I assume means that the actual errors are overrun errors.
>
> Does anyone have any tips on finding out what is causing it to overrun?
>
> My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:
>
> 2367831951 packets input, 247924231216 bytes, 0 no buffer
>
> 70 out of 2367831951 is a fairly small number, but I wanted to check and see if you all had any thoughts.
>
> thanks,
> -Drew

From drew.weaver at thenap.com Thu Nov 5 13:58:06 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 5 Nov 2009 13:58:06 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID:

Thanks for responding,

As far as you're aware, is there a way to check the hardware buffer to see if this is the case, and is this buffer usually per line card, or per slot (both/either?)
-Drew

From: Darin Herteen [mailto:synack at live.com]
Sent: Thursday, November 05, 2009 1:54 PM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Drew,

Overruns are usually caused by the receiving hardware buffer being "flooded", for lack of a better term, because the input rate exceeded the receiver's ability to handle the traffic.

Darin

> From: drew.weaver at thenap.com
> To: cisco-nsp at puck.nether.net
> Date: Thu, 5 Nov 2009 13:41:16 -0500
> Subject: [c-nsp] Gigabit Interface Input Errors
>
> Hi,
>
> I noticed I'm seeing some Input errors on a gigabit ethernet interface:
>
> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>
> The number of input errors seems to increment along with the overrun counter, which I assume means that the actual errors are overrun errors.
>
> Does anyone have any tips on finding out what is causing it to overrun?
>
> My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:
>
> 2367831951 packets input, 247924231216 bytes, 0 no buffer
>
> 70 out of 2367831951 is a fairly small number, but I wanted to check and see if you all had any thoughts.
>
> thanks,
> -Drew
From adrian.minta at gmail.com Thu Nov 5 13:58:41 2009
From: adrian.minta at gmail.com (Adrian Minta)
Date: Thu, 05 Nov 2009 20:58:41 +0200
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID: <4AF32061.7000604@gmail.com>

Drew Weaver wrote:
> Hi,
>
> I noticed I'm seeing some Input errors on a gigabit ethernet interface:
>
> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>
> The number of input errors seems to increment along with the overrun counter, which I assume means that the actual errors are overrun errors.
>
> Does anyone have any tips on finding out what is causing it to overrun?
>
> My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:
>
> 2367831951 packets input, 247924231216 bytes, 0 no buffer
>
> 70 out of 2367831951 is a fairly small number, but I wanted to check and see if you all had any thoughts.
>
> thanks,
> -Drew

ASA firewall ?

--
Best regards,
Adrian Minta

From tbaranski at mail.com Thu Nov 5 14:00:02 2009
From: tbaranski at mail.com (Terry Baranski)
Date: Thu, 5 Nov 2009 14:00:02 -0500
Subject: [c-nsp] IPsec Stateful Failure question
In-Reply-To:
References:
Message-ID: <000101ca5e4a$2e9c3360$8bd49a20$@com>

Strange -- we've done stateful IPSec on a VRF interface before. I wasn't aware of this supposed restriction.

-Terry

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ronan Mullally
Sent: Thursday, November 05, 2009 7:18 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPsec Stateful Failure question

Before I jump in both feet first and try configuring it, the Stateful Failover for IPsec guide (12.4) says:

"A stateful failover crypto map applied to an interface in a VRF instance is not supported. However, VRF-aware IPSEC features are supported when a stateful failover crypto map is applied to an interface in the global VRF".
If I read this right, then configuring things like this:

interface Port-channel1.106
 description Customer X VPN - Front Door VRF
 mtu 1600
 encapsulation dot1Q 106
 ip vrf forwarding f-CustomerX
 ip address 1.2.3.4 255.255.255.248
 ip mtu 1500
 standby 106 ip 1.2.3.5
 standby 106 follow vpn-vip
 standby 106 name f-customerx-vip
 crypto map CustomerX redundancy f-customerx-vip
end

means I'm not going to be able to do stateful failover, correct?

From drew.weaver at thenap.com Thu Nov 5 14:11:53 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 5 Nov 2009 14:11:53 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <4AF32061.7000604@gmail.com>
References: <4AF32061.7000604@gmail.com>
Message-ID:

Nah, in this particular instance it is one interface in a 3GE-GBIC-SC in a GSR.

thanks,
-Drew

-----Original Message-----
From: Adrian Minta [mailto:adrian.minta at gmail.com]
Sent: Thursday, November 05, 2009 1:59 PM
To: Drew Weaver
Cc: 'cisco-nsp at puck.nether.net'
Subject: Re: [c-nsp] Gigabit Interface Input Errors

Drew Weaver wrote:
> Hi,
>
> I noticed I'm seeing some Input errors on a gigabit ethernet interface:
>
> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>
> The number of input errors seems to increment along with the overrun counter, which I assume means that the actual errors are overrun errors.
>
> Does anyone have any tips on finding out what is causing it to overrun?
>
> My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:
>
> 2367831951 packets input, 247924231216 bytes, 0 no buffer
>
> 70 out of 2367831951 is a fairly small number, but I wanted to check and see if you all had any thoughts.
>
> thanks,
> -Drew

ASA firewall ?
--
Best regards,
Adrian Minta

From synack at live.com Thu Nov 5 14:19:27 2009
From: synack at live.com (Darin Herteen)
Date: Thu, 5 Nov 2009 13:19:27 -0600
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID:

Unfortunately I don't know of any way to check the hardware buffer(s), and my "guess" is per line card.

I would also run a "show process cpu" while the overruns are incrementing (if you can) to see if the utilization is above 90%. I've heard of this causing overruns in the past. I haven't experienced it myself though.

From: drew.weaver at thenap.com
To: synack at live.com; cisco-nsp at puck.nether.net
Date: Thu, 5 Nov 2009 13:58:06 -0500
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Thanks for responding,

As far as you're aware, is there a way to check the hardware buffer to see if this is the case, and is this buffer usually per line card, or per slot (both/either?)

-Drew

From: Darin Herteen [mailto:synack at live.com]
Sent: Thursday, November 05, 2009 1:54 PM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Drew,

Overruns are usually caused by the receiving hardware buffer being "flooded", for lack of a better term, because the input rate exceeded the receiver's ability to handle the traffic.

Darin

> From: drew.weaver at thenap.com
> To: cisco-nsp at puck.nether.net
> Date: Thu, 5 Nov 2009 13:41:16 -0500
> Subject: [c-nsp] Gigabit Interface Input Errors
>
> Hi,
>
> I noticed I'm seeing some Input errors on a gigabit ethernet interface:
>
> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>
> The number of input errors seems to increment along with the overrun counter, which I assume means that the actual errors are overrun errors.
>
> Does anyone have any tips on finding out what is causing it to overrun?
>
> My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:
>
> 2367831951 packets input, 247924231216 bytes, 0 no buffer
>
> 70 out of 2367831951 is a fairly small number, but I wanted to check and see if you all had any thoughts.
>
> thanks,
> -Drew

From drew.weaver at thenap.com Thu Nov 5 14:39:14 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 5 Nov 2009 14:39:14 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID:

The only time the CPU utilization is above 10% on this system is when BGP Scanner runs, and it was my understanding that BGP Scanner shouldn't cause any issues with traffic.

-Drew

From: Darin Herteen [mailto:synack at live.com]
Sent: Thursday, November 05, 2009 2:19 PM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Unfortunately I don't know of any way to check the hardware buffer(s), and my "guess" is per line card.

I would also run a "show process cpu" while the overruns are incrementing (if you can) to see if the utilization is above 90%. I've heard of this causing overruns in the past. I haven't experienced it myself though.
From: drew.weaver at thenap.com
To: synack at live.com; cisco-nsp at puck.nether.net
Date: Thu, 5 Nov 2009 13:58:06 -0500
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Thanks for responding,

As far as you're aware, is there a way to check the hardware buffer to see if this is the case, and is this buffer usually per line card, or per slot (both/either?)

-Drew

From: Darin Herteen [mailto:synack at live.com]
Sent: Thursday, November 05, 2009 1:54 PM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Drew,

Overruns are usually caused by the receiving hardware buffer being "flooded", for lack of a better term, because the input rate exceeded the receiver's ability to handle the traffic.

Darin

> From: drew.weaver at thenap.com
> To: cisco-nsp at puck.nether.net
> Date: Thu, 5 Nov 2009 13:41:16 -0500
> Subject: [c-nsp] Gigabit Interface Input Errors
>
> Hi,
>
> I noticed I'm seeing some Input errors on a gigabit ethernet interface:
>
> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>
> The number of input errors seems to increment along with the overrun counter, which I assume means that the actual errors are overrun errors.
>
> Does anyone have any tips on finding out what is causing it to overrun?
>
> My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:
>
> 2367831951 packets input, 247924231216 bytes, 0 no buffer
>
> 70 out of 2367831951 is a fairly small number, but I wanted to check and see if you all had any thoughts.
>
> thanks,
> -Drew
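An added example, not code from anyone in this thread, that does the bookkeeping the replies above describe by hand: it parses the receive-side counter lines from `show interface`, splits "input errors" into the sub-counters IOS folds into it (CRC, frame, overrun, ignored, and whatever is left unexplained), and computes an overrun rate between two snapshots, which is what you would watch while the counter increments. The first sample is Drew's GSR output, the second is the 4500 counter line quoted later in this thread, and the third snapshot is constructed.

```python
"""Classify and trend IOS 'show interface' receive-side error counters.

Added example, not code from any poster in this thread. DREW_T0 and
RYAN_4500 are counter lines copied from the thread; DREW_T1 is a
constructed second snapshot of Drew's interface taken 300 s later.
"""
import re
from typing import Dict, Optional

DREW_T0 = """\
     2367831951 packets input, 247924231216 bytes, 0 no buffer
     70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
"""
# Constructed: same interface, 300 s later, five more overruns.
DREW_T1 = """\
     2367900000 packets input, 247930000000 bytes, 0 no buffer
     75 input errors, 0 CRC, 0 frame, 75 overrun, 0 ignored
"""
RYAN_4500 = """\
     770898484 packets input, 957181248327 bytes, 0 no buffer
     282191 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""

_RE_INPUT = re.compile(
    r"(?P<packets>\d+) packets input, (?P<bytes>\d+) bytes, "
    r"(?P<no_buffer>\d+) no buffer"
)
_RE_ERRORS = re.compile(
    r"(?P<input_errors>\d+) input errors, (?P<crc>\d+) CRC, "
    r"(?P<frame>\d+) frame, (?P<overrun>\d+) overrun, (?P<ignored>\d+) ignored"
)


def parse_input_counters(text: str) -> Dict[str, int]:
    """Extract the receive-side counters from a 'show interface' blob."""
    counters: Dict[str, int] = {}
    for rx in (_RE_INPUT, _RE_ERRORS):
        m = rx.search(text)
        if m is None:
            raise ValueError("expected counter line not found in output")
        counters.update({k: int(v) for k, v in m.groupdict().items()})
    return counters


def classify_input_errors(c: Dict[str, int]) -> Dict[str, int]:
    """Split 'input errors' into the sub-counters IOS rolls into it.

    CRC, frame, overrun and ignored are all components of 'input errors'.
    Anything left over is not explained by a listed sub-counter, which is
    the "errors but zero CRC/overrun" pattern seen on the 4500 line.
    """
    attributed = c["crc"] + c["frame"] + c["overrun"] + c["ignored"]
    return {
        "crc": c["crc"],
        "frame": c["frame"],
        "overrun": c["overrun"],
        "ignored": c["ignored"],
        "unattributed": max(0, c["input_errors"] - attributed),
    }


def dominant_cause(c: Dict[str, int]) -> str:
    """Name of the largest error bucket, or 'none' when there are no errors."""
    if c["input_errors"] == 0:
        return "none"
    buckets = classify_input_errors(c)
    return max(buckets, key=buckets.__getitem__)


def errors_per_million(c: Dict[str, int]) -> float:
    """Input errors per million input packets (0.0 on an idle interface)."""
    if c["packets"] == 0:
        return 0.0
    return c["input_errors"] * 1_000_000 / c["packets"]


def overrun_rate(before: Dict[str, int], after: Dict[str, int],
                 interval_s: float) -> Optional[float]:
    """Overruns per second between two snapshots.

    Returns None when the counter went backwards (cleared or wrapped) or
    the interval is not positive, so a caller never trends a bogus delta.
    """
    delta = after["overrun"] - before["overrun"]
    if delta < 0 or interval_s <= 0:
        return None
    return delta / interval_s


if __name__ == "__main__":
    for label, blob in (("GSR", DREW_T0), ("4500", RYAN_4500)):
        c = parse_input_counters(blob)
        print(f"{label}: dominant={dominant_cause(c)} "
              f"{errors_per_million(c):.3f} errors/Mpkt {classify_input_errors(c)}")
    t0, t1 = parse_input_counters(DREW_T0), parse_input_counters(DREW_T1)
    print(f"GSR overrun rate over 300 s: {overrun_rate(t0, t1, 300):.4f}/s")
```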
From kenny.sallee at gmail.com Thu Nov 5 14:40:57 2009
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Thu, 5 Nov 2009 11:40:57 -0800
Subject: [c-nsp] MPLS Multi-AS options...
Message-ID: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>

So I'm reading this document from Cisco:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_ias_optab.html
and
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_connect_asbr.html
as well as RFC 4364 section 10 "Multi-AS Backbones".

I'm wondering if anyone is actually doing any flavor of Multi-AS backbone in the real world? Option A doesn't seem scalable at all. Option B seems scalable, but the level of trust and lack of QoS may be a concern. Option AB - I'm trying to fully understand w/o a ton of lab time. As I read the first Cisco link above, with Option AB you must configure a sub-interface PER VPN/Client in its own VRF on each SP's ASBR. So if you have 100 different customers, on that interconnect between SP1 and SP2 you must configure 100 sub-interfaces, VRFs with unique (agreed-upon) RDs. Then you configure a single MP-BGP session to carry the VPNv4 addresses for all VRFs. So really you are only saving X number of BGP sessions with Option AB compared to say just Option A, correct?

Anyone out there with practical experience doing this in a production environment?

Thanks,
Kenny

Is there any other technology for 'extending VRF' to an Application Service Provider type network?

From dale.shaw+cisco-nsp at gmail.com Thu Nov 5 14:41:45 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Fri, 6 Nov 2009 06:41:45 +1100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <20091105104430.GB25405@skywalker.creative.net.au>
References: <20091105062201.GA25405@skywalker.creative.net.au> <20091105104430.GB25405@skywalker.creative.net.au>
Message-ID: <3329cbb40911051141h494e3b92l467d68204afbdee9@mail.gmail.com>

Hi Adrian,

On Thu, Nov 5, 2009 at 9:44 PM, Adrian Chadd wrote:
> I don't have the option to up the MTU; the supplied underlying circuit is an L2 ethernet metro ethernet style service.

Do you know for sure that the carrier MTU doesn't have the headroom you need?

cheers,
Dale

From nils.kolstein at sscplus.nl Thu Nov 5 15:32:10 2009
From: nils.kolstein at sscplus.nl (Nils Kolstein)
Date: Thu, 5 Nov 2009 21:32:10 +0100
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References: <4AF32061.7000604@gmail.com>
Message-ID: <000401ca5e57$0ef1be10$2cd53a30$@kolstein@sscplus.nl>

What's the utilization on the other 2 interfaces? I am not familiar with this specific platform, but it might also be caused by slot/backplane limitations causing packets to be dropped if the total BW exceeds a certain (non line-rate) value. I have seen this behaviour on some platforms.

Regards,
Nils Kolstein

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
> Sent: Thursday 5 November 2009 20:12
> To: 'Adrian Minta'
> Cc: 'cisco-nsp at puck.nether.net'
> Subject: Re: [c-nsp] Gigabit Interface Input Errors
>
> Nah, in this particular instance it is one interface in a 3GE-GBIC-SC in a GSR.
>
> thanks,
> -Drew
>
> -----Original Message-----
> From: Adrian Minta [mailto:adrian.minta at gmail.com]
> Sent: Thursday, November 05, 2009 1:59 PM
> To: Drew Weaver
> Cc: 'cisco-nsp at puck.nether.net'
> Subject: Re: [c-nsp] Gigabit Interface Input Errors
>
> Drew Weaver wrote:
> > Hi,
> >
> > I noticed I'm seeing some Input errors on a gigabit ethernet interface:
> >
> > 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
> >
> > The number of input errors seems to increment along with the overrun counter, which I assume means that the actual errors are overrun errors.
> >
> > Does anyone have any tips on finding out what is causing it to overrun?
> >
> > My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:
> >
> > 2367831951 packets input, 247924231216 bytes, 0 no buffer
> >
> > 70 out of 2367831951 is a fairly small number, but I wanted to check and see if you all had any thoughts.
> >
> > thanks,
> > -Drew
>
> ASA firewall ?
>
> --
> Best regards,
> Adrian Minta

From jmayer at loplof.de Thu Nov 5 15:00:59 2009
From: jmayer at loplof.de (Joerg Mayer)
Date: Thu, 5 Nov 2009 21:00:59 +0100
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
Message-ID: <20091105200059.GR28388@thot.informatik.uni-kl.de>

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
> One important thing to remember is that VPNC can ignore pretty much any policy sent down from the concentrator. This includes split tunnelling as well as client versioning.
>
> This is one of the reasons that I've been pushing the company I work for towards anyconnect.

Oh, and for anyconnect there isn't such a workaround?

ciao
Joerg

--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.

From jmayer at loplof.de Thu Nov 5 15:01:56 2009
From: jmayer at loplof.de (Joerg Mayer)
Date: Thu, 5 Nov 2009 21:01:56 +0100
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
Message-ID: <20091105200156.GS28388@thot.informatik.uni-kl.de>

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
> One important thing to remember is that VPNC can ignore pretty much any policy sent down from the concentrator. This includes split tunnelling as well as client versioning.

And since a recent patch even the Firewall requirements :-)

Ciao
Joerg

--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
From gert at greenie.muc.de Thu Nov 5 15:38:53 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 5 Nov 2009 21:38:53 +0100
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID: <20091105203853.GY163@greenie.muc.de>

Hi,

On Thu, Nov 05, 2009 at 01:41:16PM -0500, Drew Weaver wrote:
> Does anyone have any tips on finding out what is causing it to overrun?

"Hardware too slow error" - packets arrive in short bursts at line rate, and your router cannot handle that.

For example, an NPE-G1 will handle packets at, say, 300 mbit/sec if they come in evenly spaced - packetpacketpacket - but if 1000 packets arrive back-to-back and then a longer pause, it will overrun the buffers.

There's not much you can do, except "get a hardware forwarding box" or "just accept it, and only worry if the errors increase more frequently".

We do some of both :-)

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From elparis at cisco.com Thu Nov 5 15:59:13 2009
From: elparis at cisco.com (Eloy Paris)
Date: Thu, 5 Nov 2009 15:59:13 -0500
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
Message-ID: <20091105205913.GB5362@turbo.cisco.com>

Hi Charles,

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
> One important thing to remember is that VPNC can ignore pretty much any policy sent down from the concentrator.
> This includes split tunnelling as well as client versioning.
>
> This is one of the reasons that I've been pushing the company I work for towards anyconnect.

I would think that OpenConnect (OpenConnect is to AnyConnect what vpnc is to the Cisco VPN Client) suffers from the same lack of enforcement issues. And even if the authors tried to enforce policies it should be easy to modify OpenConnect so it doesn't enforce anything.

Don't get me wrong -- it's a good thing to move to AnyConnect since no new features are being added to the old Cisco VPN Client; I just don't think that policy enforcement is a good reason to justify a migration.

Cheers,

Eloy Paris.-
Cisco PSIRT

> On Thu, Nov 5, 2009 at 9:56 AM, luismi wrote:
> > Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses vpnc in the background) and zero problems against a vpn3030
> >
> > On Tue, 03-11-2009 at 11:01 -0800, Scott Granados wrote:
> > > Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second.
> > > (I actually think we have a license for this feature set already)
> > >
> > > Thanks as always for the great suggestions.
> > >
> > > ----- Original Message -----
> > > From: "Eloy Paris"
> > > To: "Scott Granados"
> > > Cc:
> > > Sent: Tuesday, November 03, 2009 10:53 AM
> > > Subject: Re: [c-nsp] Linux VPN client suggestion?
> > >
> > > > Hi Scott,
> > > >
> > > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> > > >
> > > >> Hi all,
> > > >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest. Does anyone have any good pointers for a good client that I can point him to?
> > > >>
> > > >> Any pointers would be appreciated.
> > > >
> > > > The Cisco VPN Client does support *some* versions of Linux.
> > > > However, it does not work with the latest versions of the Linux kernel, so if your user's kernel is recent (and unfortunately, "recent" doesn't really have to be very recent) then the official Cisco VPN Client is not an option.
> > > >
> > > > However, there is an open source VPN client that works with Cisco VPN headends. I personally use it and it works great:
> > > >
> > > > http://www.unix-ag.uni-kl.de/~massar/vpnc/
> > > >
> > > > It's included in pretty much all Linux distributions. A quick Google search for "centos vpnc" turned this up as the first hit:
> > > >
> > > > http://wiki.centos.org/HowTos/vpnc
> > > >
> > > > Hope this helps.
> > > >
> > > > Cheers,
> > > >
> > > > --
> > > >
> > > > Eloy Paris
> > > > Cisco PSIRT
> > > > Ph: +1 919 392-9118

From rwest at zyedge.com Thu Nov 5 16:10:33 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 5 Nov 2009 16:10:33 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <20091105203853.GY163@greenie.muc.de>
References: <20091105203853.GY163@greenie.muc.de>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A62@zy-ex1.zyedge.local>

Hi,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Thursday, November 05, 2009 3:39 PM
.
> > There's not much you can do, except "get a hardware forwarding box"
> or "just accept it, and only worry if the errors increase more
> frequently".

Hopefully I'm not completely hijacking here, but I have seen similar
issues on the 4500 w/WS-X4548-GB-RJ45 line cards. The fabric has 6gbps
per slot, so the oversubscription is 8:1. The best telltale sign that
I'm hitting oversubscription is input errors with no CRC or overruns,
like below:

30 second input rate 6394000 bits/sec, 719 packets/sec
30 second output rate 722000 bits/sec, 481 packets/sec
770898484 packets input, 957181248327 bytes, 0 no buffer
Received 594832 broadcasts (560167 multicast)
0 runts, 0 giants, 0 throttles
282191 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
455543646 packets output, 153140605424 bytes, 0 underruns

Is there a more systematic approach to detecting this? I've gone through
some docs and most useful information is geared toward the 6500, such as
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801751d7.shtml#ASIC.
Currently I have to use a combination of interface statistics and
historical Cacti graphs to narrow down over-utilized port ranges.

Thanks,

-ryan

From cjk at klement.org Thu Nov 5 16:20:06 2009
From: cjk at klement.org (Charles Klement)
Date: Thu, 5 Nov 2009 13:20:06 -0800
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <20091105205913.GB5362@turbo.cisco.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com> <20091105205913.GB5362@turbo.cisco.com>
Message-ID: <8852ac1c0911051320q12c909f2p7afa720906c5e7a1@mail.gmail.com>

Oh well, I guess policy enforcement will just have to be via the HR
department rather than a technical solution.
:)

On Thu, Nov 5, 2009 at 12:59 PM, Eloy Paris wrote:
> Hi Charles,
>
> On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
>
> > One important thing to remember is that VPNC can ignore pretty much
> > any policy sent down from the concentrator. This includes split
> > tunnelling as well as client versioning.
> >
> > This is one of the reasons that I've been pushing the company I work
> > for towards anyconnect.
>
> I would think that OpenConnect (OpenConnect is to AnyConnect what vpnc
> is to the Cisco VPN Client) suffers from the same lack of enforcement
> issues. And even if the authors tried to enforce policies it should be
> easy to modify OpenConnect so it doesn't enforce anything.
>
> Don't get me wrong -- it's a good thing to move to AnyConnect since no
> new features are being added to the old Cisco VPN Client; I just don't
> think that policy enforcement is a good reason to justify a migration.
>
> Cheers,
>
> Eloy Paris.-
> Cisco PSIRT
>
> > On Thu, Nov 5, 2009 at 9:56 AM, luismi wrote:
> >
> > > Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses
> > > vpnc in the background) and zero problems against a vpn3030
> > >
> > > On Tue, 03-11-2009 at 11:01 -0800, Scott Granados wrote:
> > > > Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in
> > > > second.
> > > > (I actually think we have a license for this feature set already)
> > > >
> > > > Thanks as always for the great suggestions.
> > > >
> > > > ----- Original Message -----
> > > > From: "Eloy Paris"
> > > > To: "Scott Granados"
> > > > Cc:
> > > > Sent: Tuesday, November 03, 2009 10:53 AM
> > > > Subject: Re: [c-nsp] Linux VPN client suggestion?
> > > >
> > > > > Hi Scott,
> > > > >
> > > > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> > > > >
> > > > >> Hi all,
> > > > >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> > > > >> to provide remote users access to network resources. I have one user who
> > > > >> is interested in a client for Linux (specifically CentOS) and not sure
> > > > >> what to suggest. Does anyone have any good pointers for a good client
> > > > >> that I can point him to?
> > > > >>
> > > > >> Any pointers would be appreciated.
> > > > >
> > > > > The Cisco VPN Client does support *some* versions of Linux. However, it
> > > > > does not work with the latest versions of the Linux kernel so if your
> > > > > user's kernel is recent (and unfortunately, "recent" doesn't really have
> > > > > to be very recent) then the official Cisco VPN Client is not an option.
> > > > >
> > > > > However, there is an open source VPN client that works with Cisco VPN
> > > > > headends. I personally use it and it works great:
> > > > >
> > > > > http://www.unix-ag.uni-kl.de/~massar/vpnc/
> > > > >
> > > > > It's included in pretty much all Linux distributions. A quick Google
> > > > > search for "centos vpnc" turned this up as the first hit:
> > > > >
> > > > > http://wiki.centos.org/HowTos/vpnc
> > > > >
> > > > > Hope this helps.
> > > > >
> > > > > Cheers,
> > > > >
> > > > > --
> > > > >
> > > > > Eloy Paris
> > > > > Cisco PSIRT
> > > > > Ph: +1 919 392-9118
> > > >
> > >
> >
>

From NMaio at guesswho.com Thu Nov 5 16:24:54 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Thu, 5 Nov 2009 16:24:54 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A62@zy-ex1.zyedge.local>
References: <20091105203853.GY163@greenie.muc.de> <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A62@zy-ex1.zyedge.local>
Message-ID: <2AA600764E54964491083B1E0EC81A302F86FEA1BE@EXCLUS.nationala-1advertising.com>

Ryan,

I have similar problems with 4500s so I keep a close eye on the detailed
counters. In particular I watch the transmit drops and also the receive
buffer stats. Pause frames also indicate a problem in our environment
and I would expect in some other environments. It's a long output but I
have always found it very helpful since the reason for the input/output
errors is not always evident in a show interface output.
show int counters detail

Port     Tx-Drops-Queue-1  Tx-Drops-Queue-2  Tx-Drops-Queue-3  Tx-Drops-Queue-4
Gi5/34   0                 0                 0                 0
Gi5/35   0                 0                 0                 0
Gi5/36   0                 0                 0                 0
Gi5/37   0                 0                 0                 0
Gi5/38   0                 0                 0                 0
Gi5/39   0                 0                 0                 0
Gi5/40   0                 0                 0                 0
Gi5/41   0                 0                 0                 0
Gi5/42   0                 0                 0                 0
Gi5/43   0                 0                 0                 0
Gi5/44   0                 0                 0                 0
Gi5/45   0                 0                 0                 0
Gi5/46   0                 0                 0                 0
Gi5/47   0                 0                 0                 0
Gi5/48   0                 0                 0                 0
Gi7/1    21257797383       0                 0                 0

show int counters detail
..
...

Port     Rx-No-Pkt-Buff  RxPauseFrames  TxPauseFrames  PauseFramesDrop
Gi4/26   0               0              0              0
Gi4/27   0               0              0              0
Gi4/28   0               0              0              0
Gi4/29   0               0              0              0
Gi4/30   0               0              0              0
Gi4/31   0               0              0              0
Gi4/32   0               107830         0              0
Gi4/33   0               0              346468         0
Gi4/34   0               0              0              0
Gi4/35   0               0              0              0
Gi4/36   0               0              0              0
Gi4/37   0               0              9056           0
Gi4/38   0               0              0              0
Gi4/39   0               0              0              0
Gi4/40   0               0              240746         0
Gi4/41   1548            0              0              0
Gi4/42   0               0              1390048        0

Nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan West
Sent: Thursday, November 05, 2009 4:11 PM
To: Gert Doering; Drew Weaver
Cc: 'cisco-nsp at puck.nether.net'
Subject: Re: [c-nsp] Gigabit Interface Input Errors

Hi,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Thursday, November 05, 2009 3:39 PM
.
> > There's not much you can do, except "get a hardware forwarding box"
> or "just accept it, and only worry if the errors increase more
> frequently".

Hopefully I'm not completely hijacking here, but I have seen similar
issues on the 4500 w/WS-X4548-GB-RJ45 line cards. The fabric has 6gbps
per slot, so the oversubscription is 8:1.
The best telltale sign that I'm hitting oversubscription is input errors
with no CRC or overruns, like below:

30 second input rate 6394000 bits/sec, 719 packets/sec
30 second output rate 722000 bits/sec, 481 packets/sec
770898484 packets input, 957181248327 bytes, 0 no buffer
Received 594832 broadcasts (560167 multicast)
0 runts, 0 giants, 0 throttles
282191 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
455543646 packets output, 153140605424 bytes, 0 underruns

Is there a more systematic approach to detecting this? I've gone through
some docs and most useful information is geared toward the 6500, such as
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801751d7.shtml#ASIC.
Currently I have to use a combination of interface statistics and
historical Cacti graphs to narrow down over-utilized port ranges.

Thanks,

-ryan

From jeff at ocjtech.us Thu Nov 5 16:52:38 2009
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Thu, 5 Nov 2009 15:52:38 -0600
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <8852ac1c0911051320q12c909f2p7afa720906c5e7a1@mail.gmail.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com> <20091105205913.GB5362@turbo.cisco.com> <8852ac1c0911051320q12c909f2p7afa720906c5e7a1@mail.gmail.com>
Message-ID: <935ead450911051352m4c09ff74t1ef004d79cd28c35@mail.gmail.com>

On Thu, Nov 5, 2009 at 3:20 PM, Charles Klement wrote:
> Oh well, I guess policy enforcement will just have to be via the HR
> department rather than a technical solution. :)

Which is where it belongs anyway.
--
Jeff Ollie

From rwest at zyedge.com Thu Nov 5 16:56:47 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 5 Nov 2009 16:56:47 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <2AA600764E54964491083B1E0EC81A302F86FEA1BE@EXCLUS.nationala-1advertising.com>
References: <20091105203853.GY163@greenie.muc.de> <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A62@zy-ex1.zyedge.local> <2AA600764E54964491083B1E0EC81A302F86FEA1BE@EXCLUS.nationala-1advertising.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A71@zy-ex1.zyedge.local>

Nick,

Thanks, this is what I was looking for.

>
> show int counters detail
>
> Port     Tx-Drops-Queue-1  Tx-Drops-Queue-2  Tx-Drops-Queue-3  Tx-Drops-Queue-4
> Gi7/1    21257797383       0                 0                 0
>
> show int counters detail
> ..
> ...
> Port     Rx-No-Pkt-Buff  RxPauseFrames  TxPauseFrames  PauseFramesDrop
> Gi4/32   0               107830         0              0
> Gi4/37   0               0              9056           0
> Gi4/38   0               0              0              0
> Gi4/39   0               0              0              0
> Gi4/40   0               0              240746         0
> Gi4/41   1548            0              0              0
> Gi4/42   0               0              1390048        0
>
> Nick

-ryan

From gsgranados at comcast.net Thu Nov 5 17:04:07 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 5 Nov 2009 14:04:07 -0800
Subject: [c-nsp] Linux VPN client suggestion?
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com> <20091105205913.GB5362@turbo.cisco.com> <8852ac1c0911051320q12c909f2p7afa720906c5e7a1@mail.gmail.com> <935ead450911051352m4c09ff74t1ef004d79cd28c35@mail.gmail.com>
Message-ID: <04d201ca5e63$eabeb360$2508120a@am.thmulti.com>

I second that. Besides, we're talking about a flavor of Unix here, not a
Microsoft rough approximation of an operating system. Policies are for
the weak Windows users who don't know better and who think a registry is
something you have for weddings. Besides, your group policies can be
undone with a resourceful end user and a live boot Linux CD with the
correct tool set. If you don't trust your employees you might consider
keeping them out of the building because we all know that physical
access trumps most other types. ;)

----- Original Message -----
From: "Jeffrey Ollie"
To:
Sent: Thursday, November 05, 2009 1:52 PM
Subject: Re: [c-nsp] Linux VPN client suggestion?

> On Thu, Nov 5, 2009 at 3:20 PM, Charles Klement wrote:
>> Oh well, I guess policy enforcement will just have to be via the HR
>> department rather than a technical solution. :)
>
> Which is where it belongs anyway.
>
> --
> Jeff Ollie

From asturluismi at gmail.com Thu Nov 5 19:02:36 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 06 Nov 2009 01:02:36 +0100
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <4A156E1D.2080404@templin.org>
References: <4A156E1D.2080404@templin.org>
Message-ID: <1257465756.5066.5.camel@hal9000>

Area code - critical value - description - remote port [port-cX]

Area code: [ip|sys|rf] are responsible for the end device

critical value:
00 total service disruption for the customers
01 partial service disruption for the customers - some customers are working, others not, or the service is degraded
02 no impact on the customers (ex, pcs or internal desktops)

description: as you prefer

remote port: Gi0/1/12 or G1/12 RFEC1 (RFEC = remote port-channel)

example: A - 00 - Trunk to stack01 - G1/0/24 RFEC1

it works ok for us

On Thu, 21-05-2009 at 10:07 -0500, Pete Templin wrote:
> List,
>
> What do you put into your interface descriptions? Do you document
> circuit ID, far-end equipment/port, near-end equipment/port, and/or
> anything else?
>
> Pete

From jared.a.gillis at gmail.com Thu Nov 5 20:00:35 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Thu, 05 Nov 2009 17:00:35 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com>
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com>
Message-ID: <4AF37533.6010700@gmail.com>

Oliver Boehmer (oboehmer) wrote:
> Jared,
>
>> I've been having quite a few adventures with IS-IS over the last few weeks
>> and have finally hit a wall, so I'm hoping someone here can give me a hand.
>> Basically, I need to build a network with IS-IS multiarea as described here:
>> http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html
>
> I reckon you need to build this for IP? ISIS multiarea is only supported
> for CLNS routing, as stated in the above link under "Restrictions".

I do need this for IP routing, not CLNS. If the feature is only supported
for ISO CLNS and not IP routing, why does it work on my lab of 2600s
running 12.3 latest, with the exact same config, also in an IP-only
environment?

Really, my only need is to prevent my L1 routers from learning the
entire area's routes, but my network design requires me to directly
connect my L2 router to an L1 (i.e. no room for a L2/L1 between them).
I just need the L1 routers to get a default towards its directly
attached L2, and the L2 backbone to learn the L1's routes. This is
essentially a TS-NSSA in OSPF. If there's some other way I can get this
behavior with IS-IS, I'm all ears.
>> Secondarily, if we can't have true IS-IS multiarea, we may be able to
>> simulate it by manually redistributing from the L1 instances to the L2
>> instances, and setting default-information originate on the L1 instances. I
>> attempted this in the lab, and while the commands are accepted and appear to
>> be good, neither redist nor default origination is actually happening.
>> Does anyone have any suggestions on this front? Redist and default
>> origination should "just work".
>
> not sure what you mean here as an alternative. You can use
> "default-information originate" to originate a 0.0.0.0/0 in the node's
> LSPs (instead of using the attached-bit from the L1L2 node, possibly
> along with "never-set-attached-bit" and "ignore-attached-bit" knobs to
> control ATT bit behaviour), but the L1 -> L2 advertisement requires a
> "proper" ISIS design (i.e. no multi-area config when using it for IP).

I have default-information originate on my upstream router, towards the
L1 it is connected to. The L1 has no default route in its table, and is
not apparently receiving the ATT bit, as it's not sending traffic
towards the upstream. In any case, if I can't get L1->L2 advertisement,
the point is moot.

>
> oli

From adrian at creative.net.au Thu Nov 5 20:46:11 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Fri, 6 Nov 2009 09:46:11 +0800
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <3329cbb40911051141h494e3b92l467d68204afbdee9@mail.gmail.com>
References: <20091105062201.GA25405@skywalker.creative.net.au> <20091105104430.GB25405@skywalker.creative.net.au> <3329cbb40911051141h494e3b92l467d68204afbdee9@mail.gmail.com>
Message-ID: <20091106014611.GC25405@skywalker.creative.net.au>

On Fri, Nov 06, 2009, Dale Shaw wrote:
> > I don't have the option to up the MTU; the supplied underlying circuit
> > is an L2 ethernet metro ethernet style service.
>
> Do you know for sure that the carrier MTU doesn't have the headroom you need?
I'm going to make that assumption in case it is either true now, or
becomes true later.

Adrian

From jmkeller at houseofzen.org Thu Nov 5 20:56:59 2009
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Thu, 05 Nov 2009 20:56:59 -0500
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com>
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com>
Message-ID: <4AF3826B.4080403@houseofzen.org>

My understanding is the Cisco VPN (IPSEC) client doesn't have the host
integration features that are available in the AnyConnect client (yet).
One of the reasons we are doing SSL VPN on ASA is to be able to do the
host profiling and do the IT Approved / Other dynamic access policies.
You can do a combination of checks that match up to your 'approved'
devices. In our case, non-IT standard systems have to run Secure Desktop
sessions and only get WebVPN. IT standard systems get AnyConnect with
full IP tunneling.

Again as folks have said - you are trusting the end client software to
do the right thing. So don't expect this to keep out 'the smart kids'.
You can cycle through checks and do MD5s, but if someone is motivated
and wants to reverse the checks they can spoof it. At that point you
just need to back up policy with HR walking someone from the building,
and have some way to audit to catch the smart kids who really should
know better but think the Corp IT folks are fools. :)

-James

Scott Granados wrote:
> Hi,
> I've been googling but not finding much although I think I'm
> probably formulating my search incorrectly so I'm hoping for some
> pointers here.
> I use ASA 5520 hardware to provide VPN services to end users with
> Cisco VPN clients and some L2L sessions. We've been finding that
> folks are configuring IPhones and other non approved devices to attach
> to the network. What's the best method to certify that end users are
> connecting with approved devices only?
> Is there a good way say for me
> to allow company provided laptops but not allow clients from home
> machines where users duplicate their profile or non-certified end
> devices like pocket PC devices? I understand how to filter based on
> client type but this doesn't prevent someone from copying their
> profile file from one machine to another. Any pointers would be
> appreciated.
>
> Thanks
> Scott

From jmkeller at houseofzen.org Thu Nov 5 21:00:39 2009
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Thu, 05 Nov 2009 21:00:39 -0500
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To:
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com>
Message-ID: <4AF38347.3060508@houseofzen.org>

I haven't read up on the cert authentication much, but what stops the
user from moving the cert file to another un-approved device (per the
original question) - all you are doing is two-factor at that point -
user but not host based checking, correct?

-James

Matthew White wrote:
> Hi Scott,
>
> Certificate based authentication can meet these needs.
>
> This document is just a starting point -- the client certificate
> installation procedure is onerous. If you have a MS environment it's
> easier to push out certs with group policy objects than making your
> end users download and install certificates.
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
>
> -mtw
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
>> Sent: Wednesday, November 04, 2009 9:43 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Restricting VPN connections to company hardware?
>>
>> Hi,
>> I've been googling but not finding much although I think I'm probably
>> formulating my search incorrectly so I'm hoping for some pointers here.
>> I use ASA 5520 hardware to provide VPN services to end users with Cisco
>> VPN clients and some L2L sessions. We've been finding that folks are
>> configuring IPhones and other non approved devices to attach to the network.
>> What's the best method to certify that end users are connecting with
>> approved devices only? Is there a good way say for me to allow company
>> provided laptops but not allow clients from home machines where users
>> duplicate their profile or non-certified end devices like pocket PC devices?
>> I understand how to filter based on client type but this doesn't prevent
>> someone from copying their profile file from one machine to another. Any
>> pointers would be appreciated.
>>
>> Thanks
>> Scott
>>
>

From adrian at creative.net.au Thu Nov 5 21:26:32 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Fri, 6 Nov 2009 10:26:32 +0800
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To:
References: <20091105062201.GA25405@skywalker.creative.net.au>
Message-ID: <20091106022632.GE25405@skywalker.creative.net.au>

On Thu, Nov 05, 2009, Rens wrote:
> I have already done up to 400 Mbps with 2811 or 2821 (don't remember)
> You just have to make sure your MTU is high enough depending on the frame
> sizes you want to tunnel.
Just out of morbid curiosity - so will the router terminating L2TPv3
actually fragment and reassemble L2TPv3 frames as needed, or is it
hoping another upstream router will fragment as needed?

Adrian

From tvarriale at comcast.net Thu Nov 5 21:56:57 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 5 Nov 2009 20:56:57 -0600
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
References: <20091105062201.GA25405@skywalker.creative.net.au>
Message-ID: <59D8212EA5374DEE946B9EF480C6B269@flamdt01>

Surely you mean 40mbps or a different platform?

tv

----- Original Message -----
From: "Rens"
To: "'Adrian Chadd'" ;
Sent: Thursday, November 05, 2009 2:12 AM
Subject: Re: [c-nsp] Experiences with l2tpv3/xconnect?

> I have already done up to 400 Mbps with 2811 or 2821 (don't remember)
> You just have to make sure your MTU is high enough depending on the frame
> sizes you want to tunnel.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adrian Chadd
> Sent: Thursday 5 November 2009 7:22
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Experiences with l2tpv3/xconnect?
>
> G'day,
>
> I've been asked by a customer to solve an L2 ethernet problem
> and I'm investigating simply tunneling the required VLANs over
> L2TPv3/xconnect.
>
> Does anyone have any rough throughput (PPS in particular) info
> they'd like to share ? And any other deployment info - actually,
> in particular I'd like to know about fragmentation related issues.
>
> I'm looking at the Cisco 28xx series (potentially the Cisco 2811)
> but I'm concerned about hitting throughput ceilings.
>
> Thanks,
>
>
> Adrian
>

From mark at edgewire.sg Thu Nov 5 22:10:14 2009
From: mark at edgewire.sg (mark [at] edgewire)
Date: Fri, 6 Nov 2009 11:10:14 +0800
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To: <4AF38347.3060508@houseofzen.org>
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org>
Message-ID:

Why is it not possible to check it against the MAC address of the
connecting device? Log incoming connections and their MAC address and
match it against a list of hardware that has been assigned to the users.

On 06-Nov-2009, at 10:00 AM, James Michael Keller wrote:

> I haven't read up on the cert authentication much, but what stops the
> user from moving the cert file to another un-approved device (per
> the original question) - all you are doing is two-factor at that
> point - user but not host based checking, correct?
>
> -James
>
> Matthew White wrote:
>> Hi Scott,
>>
>> Certificate based authentication can meet these needs.
>>
>> This document is just a starting point -- the client certificate
>> installation procedure is onerous. If you have a MS environment
>> it's easier to push out certs with group policy objects than making
>> your end users download and install certificates.
>>
>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
>>
>> -mtw
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
>>> Sent: Wednesday, November 04, 2009 9:43 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Restricting VPN connections to company hardware?
>>>
>>> Hi,
>>> I've been googling but not finding much although I think I'm
>>> probably formulating my search incorrectly so I'm hoping for some
>>> pointers here.
>>> I use ASA 5520 hardware to provide VPN services to end users
>>> with Cisco VPN clients and some L2L sessions. We've been finding
>>> that folks are configuring IPhones and other non approved devices
>>> to attach to the network. What's the best method to certify that
>>> end users are connecting with approved devices only? Is there a
>>> good way say for me to allow company provided laptops but not
>>> allow clients from home machines where users duplicate their
>>> profile or non-certified end devices like pocket PC devices? I
>>> understand how to filter based on client type but this doesn't
>>> prevent someone from copying their profile file from one machine
>>> to another. Any pointers would be appreciated.
>>>
>>> Thanks
>>> Scott
>>>
>>
>

From randy_94108 at yahoo.com Thu Nov 5 23:18:13 2009
From: randy_94108 at yahoo.com (Randy)
Date: Thu, 5 Nov 2009 20:18:13 -0800 (PST)
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To: <4AF38347.3060508@houseofzen.org>
Message-ID: <862039.25519.qm@web80508.mail.mud.yahoo.com>

..with user certs, nothing stops the user from importing it to another
un-approved machine..one reason at my last job we moved to machine
certs/appliance based ssl vpn solution.

--- On Thu, 11/5/09, James Michael Keller wrote:

From: James Michael Keller
Subject: Re: [c-nsp] Restricting VPN connections to company hardware?
To: "Matthew White"
Cc: "cisco-nsp at puck.nether.net"
Date: Thursday, November 5, 2009, 6:00 PM

I haven't read up on the cert authentication much, but what stops the
user from moving the cert file to another un-approved device (per the
original question) - all you are doing is two-factor at that point -
user but not host based checking, correct?

-James

Matthew White wrote:
> Hi Scott,
>
> Certificate based authentication can meet these needs.
>
> This document is just a starting point -- the client certificate
> installation procedure is onerous.
> If you have a MS environment it's easier to push out certs with group
> policy objects than making your end users download and install
> certificates.
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
>
> -mtw
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
>> Sent: Wednesday, November 04, 2009 9:43 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Restricting VPN connections to company hardware?
>>
>> Hi,
>> I've been googling but not finding much although I think I'm probably
>> formulating my search incorrectly so I'm hoping for some pointers here.
>> I use ASA 5520 hardware to provide VPN services to end users with Cisco
>> VPN clients and some L2L sessions. We've been finding that folks are
>> configuring IPhones and other non approved devices to attach to the
>> network. What's the best method to certify that end users are connecting
>> with approved devices only? Is there a good way say for me to allow
>> company provided laptops but not allow clients from home machines where
>> users duplicate their profile or non-certified end devices like pocket PC
>> devices? I understand how to filter based on client type but this doesn't
>> prevent someone from copying their profile file from one machine to
>> another. Any pointers would be appreciated.
>>
>> Thanks
>> Scott
>>
>

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cnsp at shreddedmail.com Fri Nov 6 02:11:56 2009 From: cnsp at shreddedmail.com (Rick Ernst) Date: Thu, 5 Nov 2009 23:11:56 -0800 Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600 Message-ID: I'm trying to wrap my brain around Cisco's document on the 6500/7600 technology: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html Terminology on the bus architecture and switch fabric are becoming less confusing to me the more I read it, but I'm still not comfortable with my level of understanding. What I think the document says is: - The 32Gbs shared bus is the path between the supervisor and individual line cards. Line cards do not move data between each other; traffic must pass through the Sup. - The raw capacity of the 32Gbs bus is just that; 32Gbs across the entire bus, combined across all cards - The switch fabric is single or dual channel 20Gbs, dual channel just allowing higher port/speed-density on the line cards - The 20Gbs fabric is used to transfer traffic directly between DFC-enabled line cards, bypassing the Sup. - The 20Gbs fabric is not shared, each DFC line card can talk to any other DFC line card at 20Gbs up to a potential aggregate of 720Gbs - CEF and dCEF simply refer to whether the line card has a DFC - CEF256 using 8Gbs of the fabric, CEF720 uses 20Gbs - "Classic" line cards use only the 32Gbs bus. - Usage of 8Gbs or 20Gbs on the fabric is dependent on the line card and the Sup. - Sup720 allows 20Gbs, others are only 8Gbs - Mixed 8/20Gbs line cards can be used. 20Gbs is not lost if 8Gbs is present. - The full "720Gbs" capacity is all dual-fabric line cards with DFCs I'm most confused on the 8Gbs limit and how it relates to the Supervisor and line cards. 
Other discussions I've had indicate that some combination of line cards can bring the whole system down to the lowest common denominator.

Am I on track? Where does oversubscription on line cards come in? Is there something else I haven't covered?

Sorry for the laundry list. I'd rather make sure I'm clear in my head before the design, than find a gotcha after it is too late.

Thanks!

From peter at rathlev.dk Fri Nov 6 02:12:37 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 06 Nov 2009 08:12:37 +0100
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To:
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org>
Message-ID: <1257491562.26343.0.camel@abehat.dyn.net.rm.dk>

On Fri, 2009-11-06 at 11:10 +0800, mark [at] edgewire wrote:
> Why is it not possible to check it against the MAC address of the
> connecting device? Log incoming connections and their MAC address and
> match it against a list of hardware that has been assigned to the users.

Please state how you expect this not to be spoofed. :-)

--
Peter

From troy at i2bnetworks.com Fri Nov 6 01:41:29 2009
From: troy at i2bnetworks.com (troy at i2bnetworks.com)
Date: Thu, 5 Nov 2009 22:41:29 -0800 (PST)
Subject: [c-nsp] Cisco 15454 question
Message-ID: <66b073204c0c70da99e95bfd47bc238e.squirrel@www.demo.csst.net>

Hi all,

I am hoping to gain some insight from some of the people who have done this type of thing before. I am setting up a 24 strand fiber connection between two facilities. I will be doing GigE on 4 strands and placing the Cisco 15454 with OC48 cards on 4 strands of fibers. What I need to do is be able to cross-connect circuits at the DS1, DS3 and OCn level between the two facilities. Below are the cards that I have spec'd for this. Can anyone tell me if I am missing anything? Assume that there are protect cards for each and I know I do not have any OC3/OC12 cards for the OCn cross-connects (we would add these later). I also know that I need the correct backplane cards for DS1 and DS3 handoff.

15454-OC48IR1310  1310nm OC48 cards
15454-DS3XM-6     6 port DS3 transmux cards
15454-DS1N-14     14 port DS1 cards
15454-TCC+        Timing and control cards
15454-XC-TV       Cross connect cards
15454-FTA3

Any input on what I am missing or if there are better cards to use would be great.

Thanks,
-Troy

From mark at edgewire.sg Fri Nov 6 02:19:18 2009
From: mark at edgewire.sg (mark [at] edgewire)
Date: Fri, 6 Nov 2009 15:19:18 +0800
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To: <1257491562.26343.0.camel@abehat.dyn.net.rm.dk>
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org> <1257491562.26343.0.camel@abehat.dyn.net.rm.dk>
Message-ID: <3445C578-6FC6-44C3-BE7A-25D56F42504D@edgewire.sg>

There's no way of stopping a determined user that wants to bypass whatever filters or red tape you have in place really, but if you're able to restrict most of the users, would you say no to it? There's not a single solution to deploy where people can't find a way to use another device, at least not that I know of. Maybe you could shed some light on it instead of just pointing out that the MAC address can be spoofed, and would you expect your average run-of-the-mill user to know how to spoof MAC addresses?

On 06-Nov-2009, at 3:12 PM, Peter Rathlev wrote:

> On Fri, 2009-11-06 at 11:10 +0800, mark [at] edgewire wrote:
>> Why is it not possible to check it against the MAC address of the
>> connecting device? Log incoming connections and their MAC address and
>> match it against a list of hardware that has been assigned to the
>> users.
>
> Please state how you expect this not to be spoofed. :-)
>
> --
> Peter

From peter at rathlev.dk Fri Nov 6 02:45:36 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 06 Nov 2009 08:45:36 +0100
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To: <3445C578-6FC6-44C3-BE7A-25D56F42504D@edgewire.sg>
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org> <1257491562.26343.0.camel@abehat.dyn.net.rm.dk> <3445C578-6FC6-44C3-BE7A-25D56F42504D@edgewire.sg>
Message-ID: <1257493536.26343.8.camel@abehat.dyn.net.rm.dk>

On Fri, 2009-11-06 at 15:19 +0800, mark [at] edgewire wrote:
> There's no way of stopping a determined user that wants to bypass
> whatever filters or red tape you have in place really but if you're
> able to restrict most of the users, would you say no to it? There's
> not a single solution to deploy where people can't find a way to use
> another device, at least not that I know of. Maybe you could shed some
> light on it instead of just pointing out that the MAC address can be
> spoofed and would you expect your average run of the mill user know
> how to spoof MAC addresses?

We're talking a VPN client here. The "MAC address" that your system will look at to determine if the client is valid is just some bytes in an IP packet. If OpenConnect/vpnc/whatever wants to, it can spoof it. You don't need intelligent users.

That's the "problem" with this NAC concept: The system only works if you trust your software client. And you have no reason to trust it. IMHO security should not be based on things like these.

OTOH I personally think that the situation is fine; NAC/whatever prevents Jane and John Doe from accidentally causing unintended damage through neglect. But it also allows the geeks to connect even though they might not have the same concept of what a valid computing device is. If my company's "policies" on computers were enforced (and some are actually trying to do just that) I would be forced to use systems that wouldn't let me do things the way I like. Enforced policy => I find another place to work.

--
Peter

From oboehmer at cisco.com Fri Nov 6 02:50:53 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 6 Nov 2009 08:50:53 +0100
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <4AF37533.6010700@gmail.com>
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> <4AF37533.6010700@gmail.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>

Jared,

>>> I've been having quite a few adventures with IS-IS over the last few weeks
>>> and have finally hit a wall, so I'm hoping someone here can give me a hand.
>>> Basically, I need to build a network with IS-IS multiarea as described here:
>>> http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html
>>
>> I reckon you need to build this for IP? ISIS multiarea is only supported
>> for CLNS routing, as stated in the above link under "Restrictions".
>
> I do need this for IP routing, not CLNS. If the feature is only supported
> for ISO CLNS and not IP routing, why does it work on my lab of 2600s running
> 12.3 latest, with the exact same config, also in an IP-only environment?

Well, don't really know. It's not tested, but it might work in some environment/releases.. never looked at it really..

> Really, my only need is to prevent my L1 routers from learning the entire
> area's routes, but my network design requires me to directly connect my L2
> router to an L1 (i.e. no room for a L2/L1 between them). I just need the L1
> routers to get a default towards its directly attached L2, and the L2
> backbone to learn the L1's routes. This is essentially a TS-NSSA in OSPF. If
> there's some other way I can get this behavior with IS-IS, I'm all ears.

Hmm, if you stick all L1s into the same area (i.e. "standard" design), you can't prevent them from seeing the L1 LSPs from the other L1s in the area. However you could investigate filtering the routes from being entered into the RIB, similar to the "distribute-list in" command in OSPF, which doesn't exist in IS-IS. But you could try

router isis
 distance 255 ip
 distance 115 0.0.0.0 255.255.255.255 10
!
access-list 10 permit 0.0.0.0

to have only the default-route in the RIB. Not sure if this helps, not sure which problem you are trying to solve :)

oli

From swmike at swm.pp.se Fri Nov 6 03:09:58 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 6 Nov 2009 09:09:58 +0100 (CET)
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> <4AF37533.6010700@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
Message-ID:

On Fri, 6 Nov 2009, Oliver Boehmer (oboehmer) wrote:

> to have only the default-route in the RIB. Not sure if this helps, not
> sure which problem you are trying to solve :)

This is probably the biggest problem, the few people doing L1-L2 separation are those into academia/theoretics (passing a test/exam), when you go into the real world it's no longer in major use.

I've never bothered to learn about ISIS L1, never needed to, see no use for it in real life. L2-only is the way to go.

I'd also recommend against it from a sw standpoint. Sure, the sw supports it, but it hasn't been exposed to real life as much as L2 only because of above reasons.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From rens at autempspourmoi.be Fri Nov 6 03:36:34 2009
From: rens at autempspourmoi.be (Rens)
Date: Fri, 6 Nov 2009 09:36:34 +0100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <59D8212EA5374DEE946B9EF480C6B269@flamdt01>
References: <20091105062201.GA25405@skywalker.creative.net.au> <59D8212EA5374DEE946B9EF480C6B269@flamdt01>
Message-ID: <042F605B0D814E6B851E53B5F8A031B4@EU.corp.clearwire.com>

Indeed, I looked at the wrong lab tests. Max I got out of a 2811 was around 90Mbps (1024 bytes)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Friday 6 November 2009 3:57
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Experiences with l2tpv3/xconnect?

Surely you mean 40mbps or a different platform?

tv

----- Original Message -----
From: "Rens"
To: "'Adrian Chadd'" ;
Sent: Thursday, November 05, 2009 2:12 AM
Subject: Re: [c-nsp] Experiences with l2tpv3/xconnect?

> I have already done up to 400 Mbps with 2811 or 2821 (don't remember)
> You just have to make sure your MTU is high enough depending on the frame
> sizes you want to tunnel.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adrian Chadd
> Sent: Thursday 5 November 2009 7:22
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Experiences with l2tpv3/xconnect?
>
> G'day,
>
> I've been asked by a customer to solve an L2 ethernet problem
> and I'm investigating simply tunneling the required VLANs over
> L2TPv3/xconnect.
>
> Does anyone have any rough throughput (PPS in particular) info
> they'd like to share ? And any other deployment info - actually,
> in particular I'd like to know about fragmentation related issues.
>
> I'm looking at the Cisco 28xx series (potentially the Cisco 2811)
> but I'm concerned about hitting throughput ceilings.
>
> Thanks,
>
> Adrian

From gert at greenie.muc.de Fri Nov 6 04:04:54 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 10:04:54 +0100
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To:
References:
Message-ID: <20091106090454.GB163@greenie.muc.de>

Hi,

On Thu, Nov 05, 2009 at 11:11:56PM -0800, Rick Ernst wrote:
> What I think the document says is:
[..]

As far as I understand the architecture, all of this is correct :-)

> - Mixed 8/20Gbs line cards can be used. 20Gbs is not lost if 8Gbs is
> present.
>
> I'm most confused on the 8Gbs limit and how it relates to the Supervisor and
> line cards.

65xx cards (like the WS-X6516) have an 8Gbps fabric connection, 67xx cards (WS-X6724-SFP) have 20Gbps fabric connection.

Sup2+SFM has 8Gbps fabric. Sup720 has 20Gbps fabric that can also run at 8Gbps - and *as far as I understand* - this is independent among line cards, so you can have one WS-X6516 running at 8Gbps and one WS-X6724-SFP running at 20Gbps.

> Other discussions I've had indicate that some combination of
> line cards can bring the whole system down to the lowest common
> denominator.

There's two sides to "lowest common denominator" - bus/fabric (so if you have a Sup2 without fabric module, only shared bus for you...) - and PFC revision.
There's Sup720/3A, /3B and /3C, and all of these can come with "-XL". So - if you have a Sup720/3C-XL with 1 million TCAM entries and 96k MAC table entries, and add a line card that has a DFC-3A on it, the whole system will fall down to "3A, no XL" level -> no MPLS, 256k TCAM entries, 32k MAC table entries.

This is only relevant if you have DFCs in the system.

> Am I on track? Where does oversubscription on line cards come
> in? Is there something else I haven't covered?

Oversubscription is the next independent gotcha - for example, the 6724 card has 24 gbit ports, but only 20 gbps fabric connection (which is not that bad, given that in practice, nobody runs all 24 ports at 100% line rate all the time).

The 6708 10G card has 8x10 gbit externally, but only 40 gbps fabric connection - but it has a DFC and can do local switching without going to the fabric, so depending on your traffic pattern, it's more or less oversubscribed...

The 6704 10G card has 40 gbps fabric connection, but a somewhat slow internal ASIC, so it won't do more than 35 Gbit/s (or so) in total...

So you also need to take into account the specifics of the line card you're planning to use.

> Sorry for the laundry list. I'd rather make sure I'm clear in my head
> before the design, then find a gotcha after it is too late.

The architecture *is* a bit confusing :-)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Nov 6 04:53:55 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 10:53:55 +0100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <20091106022632.GE25405@skywalker.creative.net.au>
References: <20091105062201.GA25405@skywalker.creative.net.au> <20091106022632.GE25405@skywalker.creative.net.au>
Message-ID: <20091106095355.GC163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 10:26:32AM +0800, Adrian Chadd wrote:
> Just out of morbid curiosity - so will the router terminating L2TPv3 actually
> fragment and reassemble L2TPv3 frames as needed, or is it hoping another
> upstream router will fragment as needed?

Well, as always this depends on "who is hitting the MTU wall" - if the encapsulating router already knows "can't send this packet", it will fragment itself, otherwise, a router on the path needs to do so.

Reassembly is always done on the receiving L2TPv3 router, and is expensive.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From oboehmer at cisco.com Fri Nov 6 04:54:39 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 6 Nov 2009 10:54:39 +0100
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To:
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> <4AF37533.6010700@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F9EF91D@XMB-AMS-103.cisco.com>

Mikael,

>> to have only the default-route in the RIB. Not sure if this helps, not
>> sure which problem you are trying to solve :)
>
> This is probably the biggest problem, the few people doing L1-L2
> separation are those into academia/theoretics (passing a test/exam), when
> you go into the real world it's no longer in major use.
>
> I've never bothered to learn about ISIS L1, never needed to, see no use
> for it in real life. L2-only is the way to go.

Well, there are L1L2 networks in production, and when you think about scaling Layer 3 into the (MetroE) access layer, you start to deal with >10000 routers in an ISIS domain, something which can't be handled in a single area.

> I'd also recommend against it from a sw standpoint. Sure, the sw supports
> it, but it hasn't been exposed to real life as much as L2 only because of
> above reasons.

See above, L1L2 is deployed, I personally know of two carriers' networks. So there is definitely exposure...

oli

From hl at r-kom.de Fri Nov 6 04:22:41 2009
From: hl at r-kom.de (Holger)
Date: Fri, 6 Nov 2009 10:22:41 +0100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <20091106022632.GE25405@skywalker.creative.net.au>
References: <20091105062201.GA25405@skywalker.creative.net.au> <20091106022632.GE25405@skywalker.creative.net.au>
Message-ID: <20091106092241.GB28569@magnix>

On 06.11.09 10:26, Adrian Chadd wrote:
> On Thu, Nov 05, 2009, Rens wrote:

Hi,

>> I have already done up to 400 Mbps with 2811 or 2821 (don't remember)
>> You just have to make sure your MTU is high enough depending on the frame
>> sizes you want to tunnel.

I get the 2801 to tunnel about 40mbit, depending on packet size of course. I think 400mbit is more than possible.

> Just out of morbid curiosity - so will the router terminating L2TPv3 actually
> fragment and reassemble L2TPv3 frames as needed, or is it hoping another
> upstream router will fragment as needed?

Yes, both l2tp routers will fragment and reassemble as needed, but you might get problems if any transit router is fragmenting again. You should lower your mtu at the external interface to prevent that. Furthermore you will notice a big performance hit with packets causing fragmentation.

> Adrian

Holger

From gert at greenie.muc.de Fri Nov 6 04:56:27 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 10:56:27 +0100
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To:
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org>
Message-ID: <20091106095627.GD163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 11:10:14AM +0800, mark [at] edgewire wrote:
> Why is it not possible to check it against the MAC address of the
> connecting device? Log incoming connections and their MAC address and
> match it against a list of hardware that has been assigned to the users.

What's a MAC address?

Seriously: if someone is trying to play tricks with your security policy, why are you assuming that he is not going to enter whatever MAC address you want to see into his client?

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From euang+cisco-nsp at lists.eusahues.co.uk Fri Nov 6 04:33:21 2009
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Fri, 6 Nov 2009 09:33:21 +0000
Subject: [c-nsp] 10GE on the cheap between a 12000 and a 6500...
In-Reply-To:
References:
Message-ID: <20091106093320.GA27676@hyperion.eusahues.co.uk>

On Thu, Nov 05, 2009 at 03:25:15PM +0000, David Freedman wrote:
> According to global price list
>
> ( SPA-1X10GE-L-V2 + 12000-SIP-601= (E5) ) < 1X10GE-LR-SC (E4)
>
> Quite why one would want to spend less money on an E4 with half the
> density is beyond me.
The 1X10GE-LR-SC went EoS about a year ago, but even when both were available, getting the IOS change tested and approved to support the E5 (as well as type approving the new card itself) would have been far more expensive (on a number of levels) for us than buying the slightly more expensive E4.

"I would like to use the new card, not the old one that we know works" wouldn't have got me very far.

"The E4 is crap, and the E5 might not be" might have been a better argument to have though.

*shrug*

--
Euan Galloway

From adrian at creative.net.au Fri Nov 6 05:51:10 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Fri, 6 Nov 2009 18:51:10 +0800
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <20091106095355.GC163@greenie.muc.de>
References: <20091105062201.GA25405@skywalker.creative.net.au> <20091106022632.GE25405@skywalker.creative.net.au> <20091106095355.GC163@greenie.muc.de>
Message-ID: <20091106105110.GA21938@skywalker.creative.net.au>

On Fri, Nov 06, 2009, Gert Doering wrote:
> Hi,
>
> On Fri, Nov 06, 2009 at 10:26:32AM +0800, Adrian Chadd wrote:
>> Just out of morbid curiosity - so will the router terminating L2TPv3 actually
>> fragment and reassemble L2TPv3 frames as needed, or is it hoping another
>> upstream router will fragment as needed?
>
> Well, as always this depends on "who is hitting the MTU wall" - if the
> encapsulating router already knows "can't send this packet", it will
> fragment itself, otherwise, a router on the path needs to do so.
>
> Reassembly is always done on the receiving L2TPv3 router, and is expensive.

Absolutely. I just think I'm going to have to bite that.

I'll do up some basic testing and report back numbers once it is deployed.

Thanks,

Adrian

From cnsp at shreddedmail.com Fri Nov 6 07:15:39 2009
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Fri, 6 Nov 2009 04:15:39 -0800
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To:
References:
Message-ID:

Thanks (and Gert, too),

So,

- The 32Gbs bus is shared and the PFC on the sup does the forwarding
- The switch fabric is on the Sup; DFC cards use the fabric, others use the PFC
- The fabric is limited to 8 or 20Gbs depending on Sup; CEF256 cards use 8Gbs, CEF720 uses 20gbs if the Sup supports it
- Lowest-common-denominator applies to DFC cards; you get the DFC features, capabilities and TCAM of the least capable card/Sup, but you can mix-and-match
- If I happen to install a 256K DFC in a 1M TCAM system, can the DFC be forced off; 1M TCAM via the 32Gbs bus?
- The 32Gbs bus and 20Gbs fabric are total capacity; could you push 1Gbs/31Gbs on the 32Gbs bus?
- Design considerations need to include Sup level, PFC, DFC, 32Gbs shared, 8gbs/20Gbs fabric

From a practical viewpoint, I'm currently pushing a little less than ~800Mbs in+out at about 120Kpps. It's getting to be too much for my current software forwarding, especially during D/DoS. A Sup720-3BXL gives me 1M routes in TCAM, and 15Gbs/30Mpps forwarding in the PFC. Control-plane and data-plane separation, with data-plane in hardware. I could use any combination of line cards and still be significantly ahead of my current utilization. As the bits get bigger and faster, I can offload forwarding onto DFC-enabled cards, but I'd need to start with DFCs that also have the large TCAM, otherwise I'm still using the 32Gbs bus and the PFC.

For D/DoS purposes, policing is handled in hardware at the port ASIC. If a 1Gbs-connected network were to go nuts and was throttled to 1Mbs, neither the bus nor fabric would see the .99Gbs?
Rick

On Thu, Nov 5, 2009 at 11:42 PM, Asbjorn Hojmark wrote:

> On Thu, 5 Nov 2009 23:11:56 -0800, you wrote:
>
>> - The raw capacity of the 32Gbs bus is just that; 32Gbs across the
>> entire bus, combined across all cards
>
> Well, actually it's 16 Gbps shared bus. (The "32G" is marketing, and
> even more so here, because it's not full duplex; it's a bus).
>
>> - The switch fabric is single or dual channel 20Gbs, dual channel
>> just allowing higher port/speed-density on the line cards
>
> Each slot gets two fabric connections, but some cards use only one of
> those. The channels can be 8 or 20G.
>
>> - The 20Gbs fabric is used to transfer traffic directly between
>> DFC-enabled line cards, bypassing the Sup.
>
> Not really. With a DFC, the lookup is done on the line card (instead
> of on the PFC on the Sup), but the forwarding is still done via the
> fabric (which is also on the Sup).
>
>> - The full "720Gbs" capacity is all dual-fabric line cards with DFCs
>
> 9 slots * 2 channels/slot * 20G/channel * 2 for marketing = 720.
>
> The bandwidth is not (directly) dependent on the presence of DFCs,
> only the forwarding capacity. (And other resources, such as NetFlow
> table space).
>
> -A

From nick at inex.ie Fri Nov 6 07:30:19 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 06 Nov 2009 13:30:19 +0100
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To:
References:
Message-ID: <4AF416DB.4090005@inex.ie>

On 06/11/2009 08:11, Rick Ernst wrote:
> - The 20Gbs fabric is used to transfer traffic directly between
> DFC-enabled line cards, bypassing the Sup.

Not quite. All fabric enabled cards can transfer traffic directly to each other, as it's a crossbar fabric. The difference between DFC and non-DFC enabled cards is that on a DFC enabled card, the destination path lookup is done locally on the card, whereas on a non DFC card, the internal path lookup is done by the sup720, and the line cards use the 32Gb bus as an out-of-band data channel for doing internal lookups. The destination path lookup just tells the card which physical destination fabric path to use when sending the packet from one 20G fabric channel to another.

As each packet triggers a destination lookup, on a busy box pushing many mpps, the 32Gb bus can get saturated by lookup requests, and if this happens you need to use DFCs to move the lookup functionality away from the sup720 and into the line card. So using a DFC will not affect switching speed unless you are pushing a very large number of pps.

> Other discussions I've had indicate that some combination of
> line cards can bring the whole system down to the lowest common
> denominator.

That used to be the case in certain configurations a long time ago, but not any more.

> Am I on track? Where does oversubscription on line cards come
> in? Is there something else I haven't covered?

Oversubscription on line cards just means that there is more edge switching capacity than the line card can actually handle. So on a 6148-ge-tx card, the card has 48 gig ports, but in fact it can only handle 8G of traffic (and even then, with a strong tailwind). On a fabric card, you have either 1x or 2x 20G channels from the line card into the fabric. This means that if you have more edge bandwidth being used than fabric capacity available, you can run into oversubscription problems. In practice, this tends not to be a problem on the 6724 / 6748 cards (whether TX or SFP), because on an imix system, you'll statistically only rarely run into full port saturation problems with every card on the box pushing line rate or near line rate.
Oversubscription on fabric enabled cards tends to be more of a problem with 10GE line cards for a variety of reasons - there's lots of talk about this in the list archives, to which I refer you.

Nick

From drew.weaver at thenap.com Fri Nov 6 07:55:01 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 6 Nov 2009 07:55:01 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <000401ca5e57$0ef1be10$2cd53a30$@kolstein@sscplus.nl>
References: <4AF32061.7000604@gmail.com> <000401ca5e57$0ef1be10$2cd53a30$@kolstein@sscplus.nl>
Message-ID:

The card in total when I last added everything all up is doing about 1.9Gbps and 1.4Mpps

-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nils Kolstein
Sent: Thursday, November 05, 2009 3:32 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Gigabit Interface Input Errors

What's the utilization on the other 2 interfaces? I am not familiar with this specific platform, but it might also be caused by slot/backplane limitations causing packets to be dropped if the total BW exceeds a certain (non line-rate) value. I have seen this behaviour on some platforms.

Regards,
Nils Kolstein

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
> Sent: Thursday 5 November 2009 20:12
> To: 'Adrian Minta'
> Cc: 'cisco-nsp at puck.nether.net'
> Subject: Re: [c-nsp] Gigabit Interface Input Errors
>
> Nah this particular instance it is one interface in a 3GE-GBIC-SC in a
> GSR.
>
> thanks,
> -Drew
>
> -----Original Message-----
> From: Adrian Minta [mailto:adrian.minta at gmail.com]
> Sent: Thursday, November 05, 2009 1:59 PM
> To: Drew Weaver
> Cc: 'cisco-nsp at puck.nether.net'
> Subject: Re: [c-nsp] Gigabit Interface Input Errors
>
> Drew Weaver wrote:
>> Hi,
>>
>> I noticed I'm seeing some Input errors on a gigabit ethernet interface:
>>
>> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>>
>> the number of input errors seems to increment along with the overrun
>> counter which I assume means that the actual errors are overrun errors.
>>
>> Does anyone have any tips on finding out what is causing it to overrun?
>>
>> My first inclination is to assume it is not a huge problem because of
>> the amount of packets that are flowing through this interface:
>>
>> 2367831951 packets input, 247924231216 bytes, 0 no buffer
>>
>> 70 out of 2367831951 is a fairly small number but I wanted to check and see if
>> you all had any thoughts.
>>
>> thanks,
>> -Drew
>
> ASA firewall ?
>
> --
> Best regards,
> Adrian Minta

From ak at gaaga.org Fri Nov 6 07:59:04 2009
From: ak at gaaga.org (Andrey Kozlov)
Date: Fri, 6 Nov 2009 14:59:04 +0200
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To: <4AF38347.3060508@houseofzen.org>
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org>
Message-ID:

Hi, James!

It is possible to make the private key non-exportable. So, once installed, the certificate can't be exported in future.

Cheers.
On Fri, Nov 6, 2009 at 4:00 AM, James Michael Keller < jmkeller at houseofzen.org> wrote: > I haven't read up the cert authentication much, but what stops the user > from moving the cert file to another un-approved device (per the original > question) - all you are doing is Two-factor at that point - user but not > host based checking correct? > > -James > > > Matthew White wrote: > >> Hi Scott, >> >> Certificate based authentication can meet these needs. >> >> This document is just a starting point -- the client certificate >> installation procedure is onerous. If you have a MS environment it's easier >> to push out certs with group policy objects than making your end users >> download and install certificates. >> >> >> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml >> >> >> -mtw >> >> >> >> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net [mailto: >>> cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados >>> Sent: Wednesday, November 04, 2009 9:43 AM >>> To: cisco-nsp at puck.nether.net >>> Subject: [c-nsp] Restricting VPN connections to company hardware? >>> >>> Hi, >>> I've been googling but not finding much although I think I'm probably >>> formulating my search incorrectly so I'm hoping for some pointers here. >>> I use ASA 5520 hardware to provide VPN services to end users with >>> Cisco VPN clients and some L2L sessions. We've been finding that folks are >>> configuring IPhones and other non approved devices to attach to the network. >>> What's the best method to certify that end users are connecting with >>> approved devices only? Is there a good way say for me to allow company >>> provided laptops but not allow clients from home machines where users >>> duplicate their profile or non-certified end devices like pocket PC devices? 
>>> I understand how to filter based on client type but this doesn't prevent someone from copying their profile file from one machine to another. Any pointers would be appreciated.
>>>
>>> Thanks
>>> Scott
>>>
>

From gururug at gmail.com Fri Nov 6 08:25:58 2009
From: gururug at gmail.com (Imran K)
Date: Sat, 7 Nov 2009 00:25:58 +1100
Subject: [c-nsp] Restricting VPN connections to company hardware?
Message-ID: <25d943640911060525m223935dma371f3b6d6b4bd4@mail.gmail.com>

You may be able to find some extensions for NAC/NAP that will check the device itself for something that says it's bona-fide company issue before issue of IP. Alternatively you could run single IP per user / crypto with MAC filtering (I'd bypass this by routing / NATting my home devices through my company laptop).

From geoff at pendery.net Fri Nov 6 08:55:18 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Fri, 6 Nov 2009 07:55:18 -0600
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To: References: Message-ID:

Well you're off to an excellent start. Others have added some good clarifications and details, but so far I don't see this one answered:

"Other discussions I've had indicate that some combination of line cards can bring the whole system down to the lowest common denominator."
My guess is that this is referring to the Fabric/Bus mode for the chassis. It's described on the link you sent, if you search for "Cisco Catalyst 6500 Architecture: Bus Switching Modes".

As Nick Hilliard explained, the bus is used, even with all fabric cards, for communication between the Sup and the line cards. The Sup first determines which of the three modes to use for communication.

If you have a Sup with no fabric (like Sup 1A, or Sup 2 w/o SFM, or Sup 32) the switch will run in "Flow-Through" mode, meaning that each time a packet is received, the entire packet is sent on the shared bus, so it's seen by the Sup and all line cards. This will only get you up to 15 Mpps, and a theoretical max of 32 Gbps (likely lower in practice).

If you have a fabric Sup and fabric line cards, but at least one Classic line card, the switch will drop into "Truncated" mode. This is likely what someone was referring to when they told you "lowest common denominator". The classic cards will still send the whole packet, like in flow-through mode, but the fabric cards will send only the headers, and send the data portion to the Sup via fabric. This is still limited to 15 Mpps, but because the data flows via fabric, you can squeeze some extra bandwidth out.

Lastly, if you have no Classic cards present in the chassis, it can go into Compact mode, where only compressed headers are sent via the bus, all data flows via fabric. This gets you up to 30 Mpps and your theoretical 720 Gbps of total forwarding capacity.

Here's some sample output from a chassis with all fabric (and in this case, dCEF) cards:

hostname#show fabric
show fabric active:
 Active fabric card in slot 5
 No backup fabric card in the system
show fabric mode:
 Global switching mode is Compact
 dCEF mode is not enforced for system to operate
 Fabric module is not required for system to operate
 Modules are allowed to operate in bus mode
 Truncated mode is allowed, due to presence of DFC module
 Module Slot     Switching Mode
     1                dCEF
     2                dCEF
     5                dCEF
     9                dCEF

-Geoff

On Fri, Nov 6, 2009 at 1:11 AM, Rick Ernst wrote:
>
> I'm trying to wrap my brain around Cisco's document on the 6500/7600 technology:
>
> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html
>
> Terminology on the bus architecture and switch fabric are becoming less confusing to me the more I read it, but I'm still not comfortable with my level of understanding.
> What I think the document says is:
>
> - The 32Gbs shared bus is the path between the supervisor and individual line cards. Line cards do not move data between each other; traffic must pass through the Sup.
> - The raw capacity of the 32Gbs bus is just that; 32Gbs across the entire bus, combined across all cards
> - The switch fabric is single or dual channel 20Gbs, dual channel just allowing higher port/speed-density on the line cards
> - The 20Gbs fabric is used to transfer traffic directly between DFC-enabled line cards, bypassing the Sup.
> - The 20Gbs fabric is not shared, each DFC line card can talk to any other DFC line card at 20Gbs up to a potential aggregate of 720Gbs
> - CEF and dCEF simply refer to whether the line card has a DFC
> - CEF256 using 8Gbs of the fabric, CEF720 uses 20Gbs
> - "Classic" line cards use only the 32Gbs bus.
> - Usage of 8Gbs or 20Gbs on the fabric is dependent on the line card and the Sup.
> - Sup720 allows 20Gbs, others are only 8Gbs
> - Mixed 8/20Gbs line cards can be used. 20Gbs is not lost if 8Gbs is present.
> - The full "720Gbs" capacity is all dual-fabric line cards with DFCs
>
> I'm most confused on the 8Gbs limit and how it relates to the Supervisor and line cards. Other discussions I've had indicate that some combination of line cards can bring the whole system down to the lowest common denominator. Am I on track?
> Where does oversubscription on line cards come in? Is there something else I haven't covered?
>
> Sorry for the laundry list. I'd rather make sure I'm clear in my head before the design, then find a gotcha after it is too late.
>
> Thanks!

From jasongurtz at npumail.com Fri Nov 6 09:34:22 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Fri, 6 Nov 2009 09:34:22 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
Message-ID:

We're looking to build a SAN, probably iSCSI and everyone keeps quoting the 3750G for top of the rack. From looking at specs/marketing material, it seems like two Nexus 5010 at top of rack would be a better choice in this application. Generally, comments seem pretty good as long as advanced features aren't needed.

Is Nexus that much more expensive that no one is quoting it? or is it more for FCoE? Or is the 3750G just "good enough?" Or no one has the experience to quote?

~JasonG

From jeff-kell at utc.edu Fri Nov 6 09:54:33 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 06 Nov 2009 09:54:33 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References: Message-ID: <4AF438A9.7030800@utc.edu>

Jason Gurtz wrote:
> We're looking to build a SAN, probably iSCSI and everyone keeps quoting the 3750G for top of the rack.

We have one iSCSI array on a 4948 (another alternative).

Jeff

From gert at greenie.muc.de Fri Nov 6 10:13:17 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 16:13:17 +0100
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To: References: Message-ID: <20091106151317.GG163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 04:15:39AM -0800, Rick Ernst wrote:
> - The 32Gbs bus is shared and the PFC on the sup does the forwarding

Yes.
> - The switch fabric is on the Sup; DFC cards use the fabric, others use the PFC

Not exactly. Fabric-enabled cards will always use the fabric to transport the packets directly to the destination line card. If the card has no DFC, it will use the bus(!) to do the destination lookup via the Sup PFC.

(I'm a bit unclear on how fabric-only cards transport packets to bus-only cards, tho).

> - If I happen to install a 256K DFC in a 1M TCAM system, can the DFC be forced off; 1M TCAM via the 32Gbs bus?

As far as I know, no. If you have no DFC, you need a CFC on the card.

> - The 32Gbs bus and 20Gbs fabric are total capacity; could you push 1Gbs/31Gbs on the 32Gbs bus?

Hmmm?

> - Design considerations need to include Sup level, PFC, DFC, 32Gbs shared, 8gbs/20Gbs fabric

Yes. If you have enough traffic that it matters...

> From a practical viewpoint, I'm currently pushing a little less than ~800Mbs in+out at about 120Kpps. It's getting to be too much for my current software forwarding, especially during D/DoS. A Sup720-3BXL gives me 1M routes in TCAM, and 15Gbs/30Mpps forwarding in the PFC. Control-plane and data-plane separation, with data-plane in hardware. I could use any combination of line cards and still be significantly ahead of my current utilization. As the bits get bigger and faster, I can offload forwarding onto DFC-enabled cards, but I'd need to start with DFCs that also have the large TCAM, otherwise I'm still using the 32Gbs bus and the PFC.

Yes.

> For D/DoS purposes, policing is handled in hardware at the port ASIC. If a 1Gbs-connected network were to go nuts and was throttled to 1Mbs, neither the bus nor fabric would see the .99Gbs?

I think this depends on card type. A bus-only card has no other way to decide what to do with the packet than "put it on the bus". On a fabric/CFC card, you'll see the headers on the bus, but not the packets. A DFC card will drop the packet right away.
(I might be mistaken here)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From mksmith at adhost.com Fri Nov 6 11:37:33 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Fri, 6 Nov 2009 08:37:33 -0800
Subject: [c-nsp] Cisco 15454 question
In-Reply-To: <66b073204c0c70da99e95bfd47bc238e.squirrel@www.demo.csst.net>
References: <66b073204c0c70da99e95bfd47bc238e.squirrel@www.demo.csst.net>
Message-ID: <17838240D9A5544AAA5FF95F8D52031607028860@ad-exh01.adhost.lan>

> Hi all,
>
> I am hoping to gain some insight from some of the people who have done this type of thing before. I am setting up a 24 strand fiber connection between two facilities. I will be doing GigE on 4 strands and placing the Cisco 15454 with OC48 cards on 4 strands of fibers.
>
> What I need to do is be able to cross connect circuits at the DS1, DS3 and OCn level between the two facilities. Below are the cards that I have spec'd for this. Can anyone tell me if I am missing anything? Assume that there are protect cards for each and I know I do not have any OC3/OC12 cards for the OCn cross connects (We would add these later). I also know that I need the correct backplane cards for DS1 and DS3 handoff.
>
> 15454-OC48IR1310   1310nm OC48 cards
> 15454-DS3XM-6      6 port DS3 transmux cards
> 15454-DS1N-14      14 port DS1 cards
> 15454-TCC+         Timing and control cards
> 15454-XC-TV        Cross connect cards
> 15454-FTA3
>
> Any input on what I am missing or if there are better cards to use would be great.
>

You will need GigE cards. It appears you're going for old (read, EOS/EOL) equipment, so you will most likely be looking at the E1000-2 cards.
Also, you won't be running the GigE specifically across fibers. Instead, you will carry the GigE circuits within your backbone OC-48's as an OC-24 (actually concatenated OC-12's). So, you will need to think about the number of OC-48 cards you need to do this. Regards, Mike From maddison at lightbound.net Fri Nov 6 11:51:58 2009 From: maddison at lightbound.net (Matt Addison) Date: Fri, 6 Nov 2009 11:51:58 -0500 Subject: [c-nsp] Cisco 15454 question In-Reply-To: <17838240D9A5544AAA5FF95F8D52031607028860@ad-exh01.adhost.lan> References: <66b073204c0c70da99e95bfd47bc238e.squirrel@www.demo.csst.net> <17838240D9A5544AAA5FF95F8D52031607028860@ad-exh01.adhost.lan> Message-ID: What's the dB loss of the fiber (@1310 and 1550) between the 2 buildings? The DS1 cards are a waste of a VT matrix port, just get additional XM6 capacity if necessary and use an external mux like an Adtran MX2800. You'll also need the EIA cards that go on the back of the shelf (either a 15454-EIA-1BNCA24= or a 15454-EIA-1BNCB24=)- by default the 15454 has no actual physical connectors. If you want to transport DS3s, I'd recommend also getting a 15454-DS3-12= card since those ports are _much_ cheaper than XM6 ports. Do you actually need to do transmux DS3s? XM6 is only really _needed_ when you want to do cross connects at a DS1 level, if you just need to transport DS1s between the 2 buildings without needing to switch them to different timeslots, you could get by with MX2800s hanging off the DS3-12 cards (you'd just build a DS3 between the DS3-12s on either end, also if you don't need to do cross connects at the DS1 level you could get away with XC cards instead of XCVTs- however if you need to take circuits in from carriers on OC3/channelized DS3 you'd still need XCVT and XM6 cards). ~Matt > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Michael K. 
Smith - Adhost > Sent: Friday, November 06, 2009 11:38 AM > To: troy at i2bnetworks.com; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Cisco 15454 question > > > Hi all, > > > > I am hoping to gain some insight from some of the people who have > done > > this type of thing before. I am setting up a 24 strand fiber > connection > > between two facilities. I will be doing GigE on 4 strands and placing > > the > > Cisco 15454 with OC48 cards on 4 strands of fibers. > > > > What I need to do is be able to cross connects circuits at the DS1, > DS3 > > and OCn level between the two facilities. Below are the cards that I > > have > > spec'd for this. Can anyone tell me if I am missing anything? Assume > > that > > there are protect cards for each and I know I do not have any > OC3/OC12 > > cards for the OCn cross connects(We would add these later). I also > know > > that I need the correct backplane cards for DS1 and DS3 handoff. > > > > 15454-OC48IR1310 1310nm OC48 cards > > > > 15454-DS3XM-6 6 port DS3 transmux cards > > > > 15454-DS1N-14 14 port DS1 cards > > > > 15454-TCC+ Timing and control cards > > > > 15454-XC-TV Cross connect cards > > > > 15454-FTA3 > > > > Any input on what I am missing or if there are better cards to use > > would > > be great. > > > You will need GigE cards. It appears you're going for old (read, > EOS/EOL) equipment, so you will most likely be looking at the E1000-2 > cards. Also, you won't be running the GigE specifically across fibers. > Instead, you will carry the GigE circuits within your backbone OC-48's > as an OC-24 (actually concatenated OC-12's). So, you will need to > think > about the number of OC-48 cards you need to do this. 
>
> Regards,
>
> Mike

From Karen.Young35 at t-mobile.com Fri Nov 6 12:36:37 2009
From: Karen.Young35 at t-mobile.com (Young, Karen)
Date: Fri, 6 Nov 2009 09:36:37 -0800
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References: Message-ID:

Not sure that you want to go with Nexus at this point. It's got some really nice features, however we keep running into code bugs. Not just stuff that's obscure and shows up in certain situations but real show-stoppers like being unable to form port-channels with HP blade servers. Also, the CLI isn't really complete yet and there are a number of missing commands that make management and troubleshooting more difficult than it really should be.

To be honest, I feel like we're being used as guinea pigs for beta testing. It's been one d@mn thing after another. Personally, I don't think it's really ready for full scale production yet.

ky

-----Original Message-----
From: Jason Gurtz [mailto:jasongurtz at npumail.com]
Sent: Friday, November 06, 2009 6:34 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3750G vs. Nexus for a SAN

We're looking to build a SAN, probably iSCSI and everyone keeps quoting the 3750G for top of the rack. From looking at specs/marketing material, it seems like two Nexus 5010 at top of rack would be a better choice in this application. Generally, comments seem pretty good as long as advanced features aren't needed.

Is Nexus that much more expensive that no one is quoting it? or is it more for FCoE? Or is the 3750G just "good enough?" Or no one has the experience to quote?

~JasonG

From jmplank at gmail.com Fri Nov 6 13:05:35 2009
From: jmplank at gmail.com (Jason Plank)
Date: Fri, 6 Nov 2009 13:05:35 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References: Message-ID:

Hello,

I would love if you could elaborate on some of the problems that you are having. Why can you not form port-channels with HP blade servers? I would also like you to explain what management and troubleshooting issues you have had. You've made some pretty hefty accusations here and Nexus is in several large production environments at this point. Not to say that the platform aren't perfect, but I'd really like to understand some of the technical issues and shortcomings you have experienced.

Jason

On Fri, Nov 6, 2009 at 12:36 PM, Young, Karen wrote:
> Not sure that you want to go with Nexus at this point. It's got some really nice features, however we keep running into code bugs. Not just stuff that's obscure and shows up in certain situations but real show-stoppers like being unable to form port-channels with HP blade servers. Also, the CLI isn't really complete yet and there are a number of missing commands that make management and troubleshooting more difficult than it really should be.
>
> To be honest, I feel like we're being used as guinea pigs for beta testing. It's been one d@mn thing after another. Personally, I don't think it's really ready for full scale production yet.
>
> ky
>
> -----Original Message-----
> From: Jason Gurtz [mailto:jasongurtz at npumail.com]
> Sent: Friday, November 06, 2009 6:34 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 3750G vs. Nexus for a SAN
>
> We're looking to build a SAN, probably iSCSI and everyone keeps quoting the 3750G for top of the rack. From looking at specs/marketing material, it seems like two Nexus 5010 at top of rack would be a better choice in this application. Generally, comments seem pretty good as long as advanced features aren't needed.
>
> Is Nexus that much more expensive that no one is quoting it? or is it more for FCoE? Or is the 3750G just "good enough?" Or no one has the experience to quote?
>
> ~JasonG
>

--
-- Jason Plank (CCIE #16560)

From nick at inex.ie Fri Nov 6 14:06:53 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 06 Nov 2009 19:06:53 +0000
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References: Message-ID: <4AF473CD.7000405@inex.ie>

On 06/11/2009 14:34, Jason Gurtz wrote:
> Is Nexus that much more expensive that no one is quoting it? or is it more for FCoE? Or is the 3750G just "good enough?" Or no one has the experience to quote?

N5010 is a 10G switch; the 3750G is a 1G switch, so it's probably not surprising that it's more expensive.

Incidentally, if you're planning to use the N5K as a fancy 1G switch, note that the system will change the switching mode from cut-through to store-n-forward for GE ports; cut-through is only supported for 10G transceivers. This may matter for iSCSI.

Nick

From jasongurtz at npumail.com Fri Nov 6 14:26:15 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Fri, 6 Nov 2009 14:26:15 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References: Message-ID:

> Not sure that you want to go with Nexus at this point. Its got some really nice features, however we keep running into code bugs. Not just stuff that's obscure and shows up in certain situations but real show-stoppers like being unable to form port-channels with HP blade servers.

Interesting assessment and sorry to hear about the microsoftish experience. We're not intending to use blades (ESX Server 4 on a number of HP DL380G6 is likely) and would like to do cross-box etherchannels for redundancy.

Jeff mentioned the 4948 of which the 10G version looks great since we're wanting to mirror the SAN off-site over fiber.
There's still a chance that fiber channel will happen though it looks like that doesn't really make sense in this day and age. Here, vendors are pushing the MDS9124 box. Thanks for the responses so far. ~JasonG From jasongurtz at npumail.com Fri Nov 6 14:26:19 2009 From: jasongurtz at npumail.com (Jason Gurtz) Date: Fri, 6 Nov 2009 14:26:19 -0500 Subject: [c-nsp] 3750G vs. Nexus for a SAN In-Reply-To: <4AF473CD.7000405@inex.ie> References: <4AF473CD.7000405@inex.ie> Message-ID: > Incidentally, if you're planning to use the N5K as a fancy 1G switch, > note > that the system will change the switching mode from cut-through to > store-n-forward for GE ports; cut-through is only supported for 10G > transceivers. This may matter for iSCSI. Thanks for that, I had been wondering about the 1G situation. ~JasonG From CFlint at mt.gov Fri Nov 6 14:34:58 2009 From: CFlint at mt.gov (Flint, Chris) Date: Fri, 6 Nov 2009 12:34:58 -0700 Subject: [c-nsp] 3750G vs. Nexus for a SAN Message-ID: <169F1B4CBA47CC4F93BF2BD0A504C0552F01E7BD68@doaisd05222.state.mt.ads> Hi Jason, I'd second the recommendation for a 4948 instead of a 3750E. The 3750E has issues pushing large flows of traffic that the 4948 doesn't have. From what I've seen on the list, the 3750E is built to be a fast desktop aggregation switch, and the 4948 is built for server aggregation. Also, the Nexus 5010's only offer 8 ports of 1G or 10G, and the rest are 10G only. Chris =============================== Message: 4 Date: Fri, 06 Nov 2009 09:54:33 -0500 From: Jeff Kell To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN Message-ID: <4AF438A9.7030800 at utc.edu> Content-Type: text/plain; charset=ISO-8859-1 Jason Gurtz wrote: > We're looking to build a SAN, probably iSCSI and everyone keeps quoting > the 3750G for top of the rack. We have one iSCSI array on a 4948 (another alternative). 
Jeff

===========================
Message: 3
Date: Fri, 6 Nov 2009 09:34:22 -0500
From: "Jason Gurtz"
To:
Subject: [c-nsp] 3750G vs. Nexus for a SAN
Message-ID:
Content-Type: text/plain; charset="us-ascii"

We're looking to build a SAN, probably iSCSI and everyone keeps quoting the 3750G for top of the rack. From looking at specs/marketing material, it seems like two Nexus 5010 at top of rack would be a better choice in this application. Generally, comments seem pretty good as long as advanced features aren't needed.

Is Nexus that much more expensive that no one is quoting it? or is it more for FCoE? Or is the 3750G just "good enough?" Or no one has the experience to quote?

~JasonG

From jared.a.gillis at gmail.com Fri Nov 6 14:37:23 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Fri, 06 Nov 2009 11:37:23 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> <4AF37533.6010700@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
Message-ID: <4AF47AF3.7040200@gmail.com>

Oliver Boehmer (oboehmer) wrote:
> Jared,
>
> Well, don't really know. It's not tested, but it might work in some environment/releases.. never looked at it really..

Here's a quick lab diagram/config snippet for anyone who's interested:

A----B
|\  /|
| \/ |
|/  \|
C    D

All routers are 2620XM running 12.3 ipservices latest.
A and B are multiarea L1/L2 routers:

Router A:

int Fast0/0
 desc To C
 ip address 192.168.0.1 255.255.255.252
 ip router isis C
int Fast0/0
 desc To D
 ip address 192.168.0.5 255.255.255.252
 ip router isis D
int Ser0/0
 desc To B
 ip address 192.168.255.1 255.255.255.252
 ip router isis
router isis
 net 00.000c.30ca.5c00.00
 is-type level-2-only
router isis C
 net 00.000c.30ca.5c00.00
 is-type level-1
router isis D
 net 00.000c.30ca.5c00.00
 is-type level-1

B is similar, with different IP/NET addresses.

Router C:

int loopback 1
 ip address 10.0.0.1 255.255.255.255
int Fast0/0
 desc To A
 ip address 192.168.0.2 255.255.255.252
 ip router isis
int Fast0/0
 desc To B
 ip address 192.168.1.2 255.255.255.252
 ip router isis
router isis
 net 00.000a.f49d.9640.00
 passive-interface loopback 1
 is-type level-1

Router D is similar.

In this configuration, routers A and B learn all routes in the network, and exchange them via their L2 link. Routers C and D are only aware of their directly connected routes, plus a default towards A/B. C does not have D's routes, and vice-versa, however they are able to ping each other's loops, by following default to A/B which do have the route towards the loop.

I have also taken down the mesh-style connection between A/D and B/C, so the network looks like:

C---A---B---D

And the design works exactly the same.

When I replace A with a 7204VXR running 12.2 SR ipservices, the whole thing breaks. C has no default towards A, and B does not learn any routes that C advertises to A.

The design constraint I have is that in my production network, the C/D routers will be 3750s, which do not have the TCAM space to learn every route in the network I am building, and they will always be a stub (or more exactly an OSPF TS-NSSA), so that's the behavior I am looking for. I could move to OSPF, but this network will utilize MPLS, and I want to use the MPLS TE extensions of IS-IS.
I am aware that OSPF has similar extensions, but IS-IS works better for us, and the network is already built on IS-IS, and an IGP migration is something I'd like to avoid if possible.

> Hmm, if you stick all L1s into the same area (i.e. "standard" design), you can't prevent them from seeing the L1 LSPs from the other L1s in the area. However you could investigate filtering the routes from being entered into the RIB, similar to "distribute-list in" command in OSPF, which doesn't exist in IS-IS. But you could try
>
> router isis
>  distance 255 ip
>  distance 115 0.0.0.0 255.255.255.255 10
> !
> access-list 10 permit 0.0.0.0
>
> to have only the default-route in the RIB. Not sure if this helps, not sure which problem you are trying to solve :)

That is interesting, I shall have to play with it. As I noted above, I'm trying to emulate an OSPF TS-NSSA in IS-IS, because my stub area routers don't have the TCAM to handle every route in the domain. I just have trouble believing that in 2009 a widely-used routing protocol like IS-IS doesn't have some way of handling this case.

> oli

From jmplank at gmail.com Fri Nov 6 14:40:25 2009
From: jmplank at gmail.com (Jason Plank)
Date: Fri, 6 Nov 2009 14:40:25 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References: <4AF473CD.7000405@inex.ie> Message-ID:

Also, there are caveats with the N5K's. Only certain ports can be used for 1G connectivity. For instance, on the 5020 only the first 16 ports can be used.

On Fri, Nov 6, 2009 at 2:26 PM, Jason Gurtz wrote:
>
>
>> Incidentally, if you're planning to use the N5K as a fancy 1G switch, note that the system will change the switching mode from cut-through to store-n-forward for GE ports; cut-through is only supported for 10G transceivers. This may matter for iSCSI.
>
> Thanks for that, I had been wondering about the 1G situation.
>
> ~JasonG
>

--
-- Jason Plank (CCIE #16560)

From vikas.hazrati at googlemail.com Fri Nov 6 15:03:12 2009
From: vikas.hazrati at googlemail.com (vikas hazrati)
Date: Fri, 6 Nov 2009 22:03:12 +0200
Subject: [c-nsp] DHCP_PD / IPv6
Message-ID: <67f318c20911061203t450a89f7tec04cdfbe8b74d4b@mail.gmail.com>

Hello all

I have been testing DHCP-PD functionality for ADSL / PPPoE users. Using basic cisco-site examples I was able to assign an IPv6 prefix to the CPE.

The problem I am facing is the following: When the PPPoE session is torn down, the corresponding Virtual-Access interface (and ipv6 routes) are deleted from the NAS as expected, but in the CPE the DHCP-client remains up. So when the PPPoE session is re-established no new routes are installed in the NAS routing table for the DHCP delegated prefixes, so no traffic can be forwarded to the customer subnet.

The question is how can I make sure that in a DHCP-PD environment, the DHCP client of the CPE is reinitialized when the PPPoE session used for internet connectivity is re-established.

The config used on the CPE side is really simple:

interface Dialer 123
 encapsulation ppp
 dialer pool 123
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd DHCP_PD
 ppp pap sent-username **** password 0 ****

Any help is welcomed

From jeff-kell at utc.edu Fri Nov 6 15:05:13 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 06 Nov 2009 15:05:13 -0500
Subject: [c-nsp] IOS retraction?
Message-ID: <4AF48179.8030903@utc.edu>

In chasing my notes and upgrade schedules to respond to the last vulnerabilities announcement (September?), I had a list of then-running platforms and IOS, along with the recommended/forthcoming release numbers containing the fix.
I've been collecting images and working my way down the list of priorities since then.

Included on my list were some 3550s (we route a number of 3550-12Gs) running various 12.2SE versions.

The original security announcement listed the "recommended" fix as 12.2(50)SE3, or 12.2(52)SE; Available on 13-OCT-2009.

At the time (or shortly afterward) I did indeed grab a c3550-ipservicesk9-tar.122-50.SE3.tar (it's in my boot library).

This weekend was the first opportunity to hit the 3550s, so I double-checked TAC to see if the 12.2(52) was there (being somewhat brave).

Today, the most recent listing for all 3550s is c3550-ipservicesk9-tar.122-44.SE6.tar.

Say what??

If you track all the 3550 models down, this version only shows up for the 3550-24-DC switch (?).

Is this some Marketing flip (on the EOL train) for the other 3550s, or was the 122-50/122-52 series actually "recalled" from these platforms?

Anyone else get ahead of the curve and running 12.2(50) or (52) on a 3550 successfully? Gotten a recall notice yet? :-)

Very confused,

Jeff

From cnsp at shreddedmail.com Fri Nov 6 15:06:36 2009
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Fri, 6 Nov 2009 12:06:36 -0800
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To:
References:
Message-ID:

Thanks everybody for all the feedback and information. Between that and the white paper I'm starting to feel comfortable with my decision-making process. At worst, I can start asking more intelligent questions (and be able to vet the answers) of Cisco.

One piece that I'm still unclear on is on CEF256/fabric cards and connectivity to the rest of the system. The white paper says:

"- CEF256: The line card in this mode supports a connection into the 32-Gbps shared bus and the switch fabric-these line cards will use the switch fabric for data switching when the Supervisor Engine 720 is present-if a Supervisor Engine 32 is present it will revert back to using the 32-Gbps shared bus."
The way that is written, a CEF256 card in a Sup720 equipped chassis will use the 8Gbs fabric to move data around. In a sparsely populated (eg 2 CEF256 cards) system there is more capacity on the shared 32Gbs bus than on the fabric.

Am I misreading/misunderstanding? Does forcing the card into flow-through mode address this?

Rick

On Fri, Nov 6, 2009 at 5:55 AM, Geoffrey Pendery wrote:
>
> If you have a Sup with no fabric (like Sup 1A, or Sup 2 w/o SFM, or
> Sup 32) the switch will run in "Flow-Through" mode, meaning that each
> time a packet is received, the entire packet is sent on the shared
> bus, so it's seen by the Sup and all line cards. This will only get
> you up to 15 Mpps, and a theoretical max of 32 Gbps (likely lower in
> practice).
>
> If you have a fabric Sup and fabric line cards, but at least one
> Classic line card, the switch will drop into "Truncated" mode. This
> is likely what someone was referring to when they told you "lowest
> common denominator". The classic cards will still send the whole
> packet, like in flow-through mode, but the fabric cards will send only
> the headers, and send the data portion to the Sup via fabric. This is
> still limited to 15 Mpps, but because the data flows via fabric, you
> can squeeze some extra bandwidth out.
>
> Lastly, if you have no Classic cards present in the chassis, it can go
> into Compact mode, where only compressed headers are sent via the bus,
> all data flows via fabric. This gets you up to 30 Mpps and your
> theoretical 720 Gbps of total forwarding capacity.
>
>
>

From justin at justinshore.com Fri Nov 6 15:08:00 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 06 Nov 2009 14:08:00 -0600
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <4AF47AF3.7040200@gmail.com>
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> <4AF37533.6010700@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com> <4AF47AF3.7040200@gmail.com>
Message-ID: <4AF48220.4000900@justinshore.com>

Jared Gillis wrote:
> In this configuration, routers A and B learn all routes in the network, and exchange them via their L2 link.
> Routers C and D are only aware of their directly connected routes, plus a default towards A/B. C does not have Ds routes, and vice-versa, however they are able to ping each other's loops, by following default to A/B which do have the route towards the loop.
> I have also taken down the mesh-style connection between A/D and B/C, so the network looks like:
> C---A---B---D
> And the design works exactly the same.
> When I replace A with a 7204VXR running 12.2 SR ipservices, the whole thing breaks. C has no default towards A, and B does not learn any routes that C advertises to A.

This is why we were forced to deploy a flat L2-only topology on our network. We could not get multiarea IS-IS for IP to work on our 7600s running 12.2SR. Since it works on the hardware in your example with the 7200s and simply doesn't work because of the code, I personally call that a bug that needs to be squashed. I would open a TAC case and approach it from that angle. The only reason it doesn't work is because it hasn't been coded in 12.2SR.

> The design constraint I have is that in my production network, the C/D routers will be 3750s, which do not have the TCAM space to learn every route in the network I am building, and they will always be a stub (or more exactly an OSPF TS-NSSA), so that's the behavior I am looking for.
> I could move to OSPF, but this network will utilize MPLS, and I want to use the MPLS TE extensions of IS-IS. I am aware that OSPF has similar extensions, but IS-IS works better for us, and the network is already built on IS-IS, and an IGP migration is something I'd like to avoid if possible.

I was going to throw up a red flag about trying to run IS-IS on a 3750 because the last time I looked fixed-config non-ME Cat switches didn't support IS-IS. However I checked the FN just to be sure since it's been a long while since I looked and sure enough they added IS-IS to the 3750s with 12.2(50)SE.

You did mention MPLS though so I'll go ahead and bite at that one. Are you planning on running MPLS on your 3750? Your wording doesn't specify one way or another.

Justin

From doug at warner.fm Fri Nov 6 14:24:07 2009
From: doug at warner.fm (Doug Warner)
Date: Fri, 06 Nov 2009 14:24:07 -0500
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers
Message-ID: <4AF477D7.6040508@warner.fm>

We're running into an issue where a pair of gigabit ports in an etherchannel are accumulating out-discards. From my reading here on cisco-nsp, it doesn't sound like many people have a solution for this on the same platform.

We're currently pushing ~500Mbps/50Kpps through this pair of ports in etherchannel; should we be seeing these types of problems, and if so, what type of hardware would people recommend upgrading to?

-Doug

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:

From nick at inex.ie Fri Nov 6 15:21:08 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 06 Nov 2009 20:21:08 +0000
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To:
References: <4AF473CD.7000405@inex.ie>
Message-ID: <4AF48534.3020302@inex.ie>

On 06/11/2009 19:40, Jason Plank wrote:
> Also, there are caveats with the N5K's. Only certain ports can be used
> for 1G connectivity.
> For instance, on the 5020 only the first 16 ports
> can be used.

and on a 5010, only the first 8 ports.

Nick

From sethm at rollernet.us Fri Nov 6 16:26:40 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 06 Nov 2009 13:26:40 -0800
Subject: [c-nsp] 4948 IPv6 Throughput
Message-ID: <4AF49490.9060301@rollernet.us>

The only thing I can find on the 4948 for IPv6 performance is that it's "in software". Does anyone know what that means?

~Seth

From gert at greenie.muc.de Fri Nov 6 16:35:21 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 22:35:21 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <4AF473CD.7000405@inex.ie>
References: <4AF473CD.7000405@inex.ie>
Message-ID: <20091106213521.GL163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 07:06:53PM +0000, Nick Hilliard wrote:
> Incidentally, if you're planning to use the N5K as a fancy 1G switch, note
> that the system will change the switching mode from cut-through to
> store-n-forward for GE ports; cut-through is only supported for 10G
> transceivers. This may matter for iSCSI.

Out of curiosity: how does it cut-through if it has to multiplex multiple ports, as in: packets coming in on port A and B and leaving on C? As soon as two packets overlap (time-wise) on A and B, you can't do cut-through...

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL:

From gert at greenie.muc.de Fri Nov 6 16:37:51 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 22:37:51 +0100
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To:
References:
Message-ID: <20091106213751.GN163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 12:06:36PM -0800, Rick Ernst wrote:
> The way that is written, a CEF256 card in a Sup720 equipped chassis will use
> the 8Gbs fabric to move data around. In a sparsely populated (eg 2 CEF256
> cards) system there is more capacity on the shared 32Gbs bus than on the
> fabric.

Correct.

> Does forcing the card into flow-through mode address this?

No idea (we only have a few CEF256 cards, and they are in Sup2-no-SFM or in Sup32 switches).

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL:

From gert at greenie.muc.de Fri Nov 6 16:45:59 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 22:45:59 +0100
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers
In-Reply-To: <4AF477D7.6040508@warner.fm>
References: <4AF477D7.6040508@warner.fm>
Message-ID: <20091106214559.GP163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 02:24:07PM -0500, Doug Warner wrote:
> We're running into an issue where a pair of gigabit ports in an etherchannel
> are accumulating out-discards. From my reading here on cisco-nsp, it doesn't
> sound like many people have a solution for this on the same platform.
>
> We're currently pushing ~500Mbps/50Kpps through this pair of ports in
> etherchannel; should we be seeing these types of problems, and if so, what
> type of hardware would people recommend upgrading to?

We have been told that Force10 gear handles this situation much more gracefully - more flexible & larger buffers, and (which seems to be the key thing) flow control towards the ingress ports. The smaller cisco switches have no flow control and not enough buffers to handle somewhat bursty ingress ports.

What we did was to upgrade the 2G ether channel to a 4G ether channel, which was cheaper than to get a Force10 switch ($$$ :( ) - the 4G channel terminates on a 6500, which has larger buffers and more brains.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL:

From nick at inex.ie Fri Nov 6 16:56:49 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 06 Nov 2009 21:56:49 +0000
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <20091106213521.GL163@greenie.muc.de>
References: <4AF473CD.7000405@inex.ie> <20091106213521.GL163@greenie.muc.de>
Message-ID: <4AF49BA1.3060508@inex.ie>

On 06/11/2009 21:35, Gert Doering wrote:
> Out of curiosity: how does it cut-through if it has to multiplex multiple
> ports, as in: packets coming in on port A and B and leaving on C? As
> soon as two packets overlap (time-wise) on A and B, you can't do
> cut-through...

The switch has per-port buffers; from what I remember, quite a bit smaller than on other products, as the unit is cut-through. You also need these buffers when you're operating 1G ports in store-n-forward mode. I don't know whether the packets are buffered on input or on output.
Nick

From sethm at rollernet.us Fri Nov 6 17:40:00 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 06 Nov 2009 14:40:00 -0800
Subject: [c-nsp] 4948 IPv6 Throughput
In-Reply-To: <4AF495AA.1040708@linuxgoeroe.dhs.org>
References: <4AF49490.9060301@rollernet.us> <4AF495AA.1040708@linuxgoeroe.dhs.org>
Message-ID: <4AF4A5C0.3010305@rollernet.us>

Marco van den Bovenkamp wrote:
> Seth Mattinen wrote:
>
>> The only thing I can find on the 4948 for IPv6 performance is that it's
>> "in software". Does anyone know what that means?
>
> Yes, it means 'It can't really do it, but we pretend it can'
>

I figured as much.

~Seth

From philxor at gmail.com Fri Nov 6 17:47:00 2009
From: philxor at gmail.com (Phil Bedard)
Date: Fri, 6 Nov 2009 17:47:00 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <20091106213521.GL163@greenie.muc.de>
References: <4AF473CD.7000405@inex.ie> <20091106213521.GL163@greenie.muc.de>
Message-ID:

It doesn't, it buffers until there isn't contention, acting like a store and forward switch.

Phil

On Nov 6, 2009, at 4:35 PM, Gert Doering wrote:
> Hi,
>
> On Fri, Nov 06, 2009 at 07:06:53PM +0000, Nick Hilliard wrote:
>> Incidentally, if you're planning to use the N5K as a fancy 1G
>> switch, note
>> that the system will change the switching mode from cut-through to
>> store-n-forward for GE ports; cut-through is only supported for 10G
>> transceivers. This may matter for iSCSI.
>
> Out of curiosity: how does it cut-through if it has to multiplex
> multiple
> ports, as in: packets coming in on port A and B and leaving on C? As
> soon as two packets overlap (time-wise) on A and B, you can't do
> cut-through...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From maillist at thelan.no Fri Nov 6 21:06:43 2009
From: maillist at thelan.no (Harald Firing Karlsen)
Date: Sat, 07 Nov 2009 03:06:43 +0100
Subject: [c-nsp] 4948 IPv6 Throughput
In-Reply-To: <4AF4A5C0.3010305@rollernet.us>
References: <4AF49490.9060301@rollernet.us> <4AF495AA.1040708@linuxgoeroe.dhs.org> <4AF4A5C0.3010305@rollernet.us>
Message-ID: <4AF4D633.5000009@thelan.no>

Seth Mattinen wrote:
> Marco van den Bovenkamp wrote:
>
>> Yes, it means 'It can't really do it, but we pretend it can'
>>
>
>
> I figured as much.

Well, what exactly do you want to know? It means the switch punts all IPv6-packets destined for another prefix to the CPU rendering it quite useless for forwarding IPv6 packets, but it will probably work fine with IPv6 for management (telnet, snmp, etc).

If you want performance numbers my bet is you won't be able to push more than about 75-100Mbps under ideal conditions (all 1500B or 9KB packets), but it all depends on the traffic. It is impossible to predict the performance of a switch doing forwarding in software.

--
Harald Firing Karlsen

From ler762 at gmail.com Fri Nov 6 21:32:33 2009
From: ler762 at gmail.com (Lee)
Date: Fri, 6 Nov 2009 21:32:33 -0500
Subject: [c-nsp] IOS retraction?
In-Reply-To: <4AF48179.8030903@utc.edu>
References: <4AF48179.8030903@utc.edu>
Message-ID:

Yes, running 12.2(50)SE3 on a pair of 3550s with no problems. & no recall notice :)

I suspect it's just their screwed up site not showing all the software if you go in looking by device type.
I had the same problem of not seeing the recommended software for 3550s & I think if you go looking by IOS version you can find it that way. At least that's my recollection.. I just tried visiting Cisco's software download page to double-check & got

Page Unavailable
The Webpage you requested is unavailable. Please revisit at a later time. We apologize for the temporary inconvenience.

Regards,
Lee

On Fri, Nov 6, 2009 at 3:05 PM, Jeff Kell wrote:
> In chasing my notes and upgrade schedules to respond to the last
> vulnerabilities announcement (September?), had a list of then-running
> platforms and IOS, along with the recommended/forthcoming release
> numbers containing the fix. I've been collecting images and working my
> way down the list of priorities since then.
>
> Included on my list were some 3550s (we route a number of 3550-12Gs)
> running various 12.2SE versions.
>
> The original security announcement listed the "recommended" fix as
> 12.2(50)SE3, or 12.2(52)SE; Available on 13-OCT-2009.
>
> At the time (or shortly afterward) I did indeed grab a
> c3550-ipservicesk9-tar.122-50.SE3.tar (it's in my boot library).
>
> This weekend was the first opportunity to hit the 3550s, so I
> double-checked TAC to see if the 12.2(52) was there (being somewhat brave).
>
> Today, the most recent listing for all 3550s is
> c3550-ipservicesk9-tar.122-44.SE6.tar.
>
> Say what??
>
> If you track all the 3550 models down, this version only shows up for
> the 3550-24-DC switch (?).
>
> Is this some Marketing flip (on the EOL train) for the other 3550s, or
> was the 122-50/122-52 series actually "recalled" from these platforms?
>
> Anyone else get ahead of the curve and running 12.2(50) or (52) on a
> 3550 successfully? Gotten a recall notice yet?
> :-)
>
> Very confused,
>
> Jeff
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From rsm at fast-serv.com Fri Nov 6 23:28:53 2009
From: rsm at fast-serv.com (Randy McAnally)
Date: Fri, 6 Nov 2009 23:28:53 -0500
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers
In-Reply-To: <4AF477D7.6040508@warner.fm>
References: <4AF477D7.6040508@warner.fm>
Message-ID: <20091107042844.M11863@fast-serv.com>

Are you running QOS?

--
Randy

---------- Original Message -----------
From: Doug Warner
To: cisco-nsp at puck.nether.net
Sent: Fri, 06 Nov 2009 14:24:07 -0500
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers

> We're running into an issue where a pair of gigabit ports in an etherchannel
> are accumulating out-discards. From my reading here on cisco-nsp,
> it doesn't sound like many people have a solution for this on the
> same platform.
>
> We're currently pushing ~500Mbps/50Kpps through this pair of ports in
> etherchannel; should we be seeing these types of problems, and if so,
> what type of hardware would people recommend upgrading to?
>
> -Doug
------- End of Original Message -------

From illcritikz at gmail.com Sat Nov 7 03:13:12 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Sat, 7 Nov 2009 19:13:12 +1100
Subject: [c-nsp] DHCP_PD / IPv6
In-Reply-To: <67f318c20911061203t450a89f7tec04cdfbe8b74d4b@mail.gmail.com>
References: <67f318c20911061203t450a89f7tec04cdfbe8b74d4b@mail.gmail.com>
Message-ID: <4422cf660911070013t5e623342yaa49af7c923e879c@mail.gmail.com>

The "fix" is to clear ipv6 dhcp client Dialer123

I use event manager to do this automagically for me like so:

event manager applet monitor_ipv6_dhcp
 event syslog pattern "DIALER-6-BIND"
 action 1.0 cli command "clear ipv6 dhcp client Dialer1"

This reacts to an event in the log of "DIALER-6-BIND" which for me is my Dialer re-establishing its PPP session, do a clear int d123 and check your logs to verify this for you.

You can view the results of event manager by:

router#sh event manager history events
No.  Time of Event             Event Type          Name
1    Sat Nov 7 11:12:56 2009   syslog              applet: monitor_ipv6_dhcp

and of course a sh ipv6 dhcp interface d123 will show you your new lease as well.

Cheers,

Ben

On Sat, Nov 7, 2009 at 7:03 AM, vikas hazrati wrote:
> Hello all
>
> I have been trying to test DHCP-PD functionality for ADSL / PPPoE users.
> Using basic cisco-site examples I was
> able to assign an IPv6 prefix to the CPE. The problem I am facing is the
> following:
>
> When the PPPoE session is torn down, the corresponding Virtual-Access
> interface (and ipv6 routes) are deleted from
> the NAS as expected, but in the CPE the DHCP-client remains up. So when the
> PPPoE session is re-established no
> new routes are installed in the NAS routing table for the DHCP delegated
> prefixes, so no traffic can be forwarded to the
> customer subnet.
>
> The question is how can I make sure that in a DHCP-PD environment, the DHCP
> client of the CPE is reinitialized
> when the PPPoE session used for internet connectivity is re-established
>
> The config used on the CPE side is really simple
>
> interface Dialer 123
> encapsulation ppp
> dialer pool 123
> ipv6 address autoconfig default
> ipv6 enable
> ipv6 dhcp client pd DHCP_PD
> ppp pap sent-username **** password 0 ****
>
>
> Any help is welcomed
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From sethm at rollernet.us Sat Nov 7 03:54:07 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sat, 07 Nov 2009 00:54:07 -0800
Subject: [c-nsp] 4948 IPv6 Throughput
In-Reply-To: <4AF4D633.5000009@thelan.no>
References: <4AF49490.9060301@rollernet.us> <4AF495AA.1040708@linuxgoeroe.dhs.org> <4AF4A5C0.3010305@rollernet.us> <4AF4D633.5000009@thelan.no>
Message-ID: <4AF535AF.101@rollernet.us>

Harald Firing Karlsen wrote:
> Seth Mattinen wrote:
>> Marco van den Bovenkamp wrote:
>>
>>> Yes, it means 'It can't really do it, but we pretend it can'
>>>
>>
>>
>> I figured as much.
> Well, what exactly do you want to know? It means the switch punts all
> IPv6-packets destined for another prefix to the CPU rendering it quite
> useless for forwarding IPv6 packets, but it will probably work fine with
> IPv6 for management (telnet, snmp, etc).
>
> If you want performance numbers my bet is you won't be able to push more
> than about 75-100Mbps under ideal conditions (all 1500B or 9KB packets),
> but it all depends on the traffic. It is impossible to predict the
> performance of a switch doing forwarding in software.
>

General forwarding, access lists, etc. Anything you would do with IPv4 right now but in a dual-stack network where things prefer IPv6 first.
I'm using 3750's and their TCAM space for v6 stuffs is somewhat tiny.

~Seth

From gary at velocity-servers.net Sat Nov 7 04:56:28 2009
From: gary at velocity-servers.net (Gary Stanley)
Date: Sat, 07 Nov 2009 04:56:28 -0500
Subject: [c-nsp] dmzlink-bw and ebgp-multihop 2
Message-ID: <200911071030.nA7AUXpQ049587@puck.nether.net>

I have a very unusual network setup, ISP-A requires me to have ebgp-multihop of 2 because we're not physically connected (we seem to be 2 hops away)

Anyways, is there some kind of design implementation to use to make dmzlink-bw work? neighbor disable-connected-check only works if you're 1 hop from a ebgp session, dmzlink-bw works fine on ISP-B's session (3356).

Currently I'm using "bgp bestpath as-path multipath-relax" but the traffic ratios are costing me money, and we do not have the memory to take full tables, or partials (only 32k max) or the money to afford to buy a huge switch just for memory

Anyone have some suggestions?

Thanks!
-G

From rubensk at gmail.com Sat Nov 7 07:14:21 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Sat, 7 Nov 2009 10:14:21 -0200
Subject: [c-nsp] dmzlink-bw and ebgp-multihop 2
In-Reply-To: <200911071030.nA7AUXpQ049587@puck.nether.net>
References: <200911071030.nA7AUXpQ049587@puck.nether.net>
Message-ID: <6bb5f5b10911070414i5eee380ewaa704282d1fa1b85@mail.gmail.com>

May be tunneling the BGP session with GRE, L2TPv3, MPLS x-connect or VPLS so it will now appear as a single-hop ?

Rubens

On Sat, Nov 7, 2009 at 7:56 AM, Gary Stanley wrote:
> I have a very unusual network setup, ISP-A requires me to have ebgp-multihop
> of 2 because we're not physically connected (we seem to be 2 hops away)
>
> Anyways, is there some kind of design implementation to use to make
> dmzlink-bw work? neighbor disable-connected-check only works if you're 1 hop
> from a ebgp session, dmzlink-bw works fine on ISP-B's session (3356).
>
> Currently I'm using "bgp bestpath as-path multipath-relax" but the traffic
> ratios are costing me money, and we do not have the memory to take full
> tables, or partials (only 32k max) or the money to afford to buy a huge
> switch just for memory
>
> Anyone have some suggestions?
>
> Thanks!
> -G
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From mtinka at globaltransit.net Sat Nov 7 02:34:29 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 7 Nov 2009 15:34:29 +0800
Subject: [c-nsp] MPLS Multi-AS options...
In-Reply-To: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>
References: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>
Message-ID: <200911071534.30804.mtinka@globaltransit.net>

On Friday 06 November 2009 03:40:57 am Kenny Sallee wrote:
> I'm wondering if anyone is actually doing any flavor of
> Multi-AS backbone this in the real world? Option A
> doesn't seem scalable at all. Option B seems scalable,
> but the level of trust and lack of QoS may be a concern.
> Option AB - I'm trying to fully understand w/o a ton of
> lab time. As I read the first Cisco link above, with
> Option AB - you must configure a sub-interface PER
> VPN/Client in its own VRF on each SP's ASBR. So if you
> have 100 different customers, on that interconnect
> between SP1 and SP2 you must configure 100
> sub-interfaces, VRF's with unique (agreed upon) RD's.
> Then you configure a single MP-BGP session to carry the
> VPNv4 addresses for all VRF's. So really you are only
> saving X number of BGP sessions with Option AB compared
> to say just Option A correct?

Yes, the difference between Option AB (a.k.a Option D) and Option A or Option B is that with Option AB, only a single eBGP session between the ASBR's is required.
Furthermore, while forwarding can be based on MPLS, IP forwarding is also supported, which preserves QoS values that can be used for processing across the ASBR<=>ASBR link.

My suggestion; for any NNI option you choose, it should go a long way in making your life easy, i.e., you don't have to create a sub-interface for each customer VPN, you don't have to create an eBGP session for each customer VPN.

While Option AB is in an IETF draft state, I only know of Cisco being the only vendor implementing it (there could be others, though - I haven't researched beyond the vendors we use in production). However, some of the other vendors are able to implement the methods Option AB uses to operate, but in such a manner that it may not necessarily be compatible to Cisco's, or if it is, implementing it may not be as scalable, requiring that a number of boxes in the end-to-end VPN connection be touched for co-ordination.

Personally, I think Option AB is rather complicated in its design, but based on Cisco's implementation, a lot of that complexity is hidden from the operators, with the routers doing all that automatically. It is an interesting option, but the need to configure a sub-interface for each VPN leaves a strange taste in my mouth.

One of the other vendors we're working with is able to implement Option B + IP processing, which is cool because we maintain a single interface for all VPN's, and a single eBGP session for all VPN's, without losing the ability to do QoS. Still checking with Cisco whether they can do this.

Things get a lot more interesting when you try to inter-op NNI relationships. If Cisco can't do Option B + IP processing, it may make sense for us to have both a Cisco and non-Cisco NNI router at each NNI site in order to have smooth NNI relationships depending on what platforms our partners can support.
Of course, we can only support two platforms, so work becomes trickier if our NNI partner brings along an unsupported device - but, it won't be the end of the world :-).

Things get a lot more interesting if you want to NNI for l2vpn/VPLS services.

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL:

From mtinka at globaltransit.net Sat Nov 7 02:34:23 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 7 Nov 2009 15:34:23 +0800
Subject: [c-nsp] Relationship between RAM and routes
In-Reply-To:
References:
Message-ID: <200911071534.24790.mtinka@globaltransit.net>

On Thursday 05 November 2009 02:12:56 pm Eric Magutu wrote:
> Hi,
> What is the relationship between RAM and routes?

Well, the more routing entries you have, the more memory you need to hold them. This is truer for dynamic routing protocols than the opposite, as routing entries learned dynamically carry additional attributes along with them and all sorts of goodies that need to make friends with RAM + CPU :-).

That said...

> I want
> to implement 1000 static routes in a cisco 7206vxr (NPE
> -G1) and needed to find out what effect it would have on
> my router. Should I do any upgrades? it has
> 229376K/32768K bytes of memory 509K of NVRAM

1,000 static routing entries should not be a problem for the platform to handle. I'd be more worried about your energy levels and the amount of NVRAM at your disposal (although there are other options you can consider to manage a larger active configuration).

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL:

From peter.hicks at poggs.co.uk Sat Nov 7 11:58:32 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Sat, 07 Nov 2009 16:58:32 +0000
Subject: [c-nsp] Cat6500 "Waiting for supervisor to come online in other slot" when booting
In-Reply-To: <4AF279D0.8090103@poggs.co.uk>
References: <4AF279D0.8090103@poggs.co.uk>
Message-ID: <4AF5A738.1060800@poggs.co.uk>

All,

Peter Hicks wrote:
> I have a pair of 6504Es with Sup32s here, running 12.2(33)SXH6. When
> they boot, the bootloader loads and I am presented with:
>
> ==cut===
...
> Cisco IOS Software, s3223_sp Software (s3223_sp-BOOT-M), Version
> 12.2(33)SXH6, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2009 by Cisco Systems, Inc.
> Compiled Thu 15-Oct-09 11:59 by prod_rel_team
> Image text-base: 0x40231348, data-base: 0x41B62000
>
> MAC based EOBC installed
>
> Waiting (slot 1) for supervisor to come online in other slot. iteration
> = 0
> Next Retry will be done after 6 seconds
>
> ==cut===

For the archives - because somebody else is likely to have this problem, the problem was that I had a modular software image and the boot variables weren't set properly.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80313e09.html explains how to install modular images.

Regards,

Peter

From doug at warner.fm Sat Nov 7 12:39:51 2009
From: doug at warner.fm (Doug Warner)
Date: Sat, 07 Nov 2009 12:39:51 -0500
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers
In-Reply-To: <20091107042844.M11863@fast-serv.com>
References: <4AF477D7.6040508@warner.fm> <20091107042844.M11863@fast-serv.com>
Message-ID: <4AF5B0E7.5010004@warner.fm>

No, QOS is disabled. I'm still seeing a lot of discarded packets in queue 3, weight 2 though.

-Doug

On 11/06/2009 11:28 PM, Randy McAnally wrote:
> Are you running QOS?
>
> --
> Randy
>
> ---------- Original Message -----------
> From: Doug Warner
> To: cisco-nsp at puck.nether.net
> Sent: Fri, 06 Nov 2009 14:24:07 -0500
> Subject: [c-nsp] Upgrade for C2960-48TC with more buffers
>
>> We're running into an issue where a pair of gigabit ports in an etherchannel
>> are accumulating out-discards. From my reading here on cisco-nsp,
>> it doesn't sound like many people have a solution for this on the
>> same platform.
>>
>> We're currently pushing ~500Mbps/50Kpps through this pair of ports in
>> etherchannel; should we be seeing these types of problems, and if so,
>> what type of hardware would people recommend upgrading to?
>>
>> -Doug
> ------- End of Original Message -------
>

From kloch at kl.net Sat Nov 7 16:13:45 2009
From: kloch at kl.net (Kevin Loch)
Date: Sat, 07 Nov 2009 16:13:45 -0500
Subject: [c-nsp] unknown ethertype 0x200e
Message-ID: <4AF5E309.4000202@kl.net>

Does anyone know what this might be, from a routed interface on SRD3:

15:00:18.774808 00:02:fc:c1:0d:b2 > 00:00:00:00:02:02, ethertype Unknown (0x200e), length 78:
        0x0000:  0001 0203 0405 0607 0809 0a0b 0c0d 0e0f  ................
        0x0010:  1011 1213 1415 1617 1819 1a1b 1c1d 1e1f  ................
        0x0020:  2021 2223 2425 2627 2829 2a2b 2c2d 2e2f  .!"#$%&'()*+,-./
        0x0030:  3031 3233 3435 3637 3839 3a3b 3c3d 3e3f  0123456789:;<=>?

I'd like to know what knob to use to turn it off. Google didn't turn up anything helpful.
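The frame Kevin pasted, decoded by an added example that is not part of the thread: a small Python parser for the tcpdump summary line and hex dump that checks the fields a reviewer would look at before opening a TAC case (ethertype against a short table of expected types, the destination OUI, and whether the payload is a test pattern). The KNOWN_ETHERTYPES table and the finding codes are this example's own choices, and tcpdump's -x dump is assumed to start after the 14-byte Ethernet header.

```python
"""Decode a tcpdump frame summary plus hex dump and flag what looks odd."""
import re
from dataclasses import dataclass, field

# The capture as pasted in the mail: tcpdump's summary line followed by the
# -x style dump of the bytes after the 14-byte Ethernet header.
CAPTURE = """\
15:00:18.774808 00:02:fc:c1:0d:b2 > 00:00:00:00:02:02, ethertype Unknown (0x200e), length 78:
        0x0000:  0001 0203 0405 0607 0809 0a0b 0c0d 0e0f  ................
        0x0010:  1011 1213 1415 1617 1819 1a1b 1c1d 1e1f  ................
        0x0020:  2021 2223 2425 2627 2829 2a2b 2c2d 2e2f  .!"#$%&'()*+,-./
        0x0030:  3031 3233 3435 3637 3839 3a3b 3c3d 3e3f  0123456789:;<=>?
"""

ETH_HDR_LEN = 14

# Ethertypes one expects on an IP/MPLS routed interface (IEEE/IANA-registered
# values); the set is this example's choice, not a complete registry.
KNOWN_ETHERTYPES = {
    0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
    0x8847: "MPLS unicast", 0x8848: "MPLS multicast",
    0x8100: "802.1Q", 0x88CC: "LLDP", 0x8809: "Slow protocols (LACP/OAM)",
}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
SUMMARY_RE = re.compile(
    rf"^\S+\s+(?P<src>{MAC}) > (?P<dst>{MAC}), ethertype .*?\(0x(?P<etype>[0-9a-f]{{4}})\), "
    r"length (?P<length>\d+):"
)
HEX_TOKEN_RE = re.compile(r"(?:[0-9a-f]{2}){1,2}")


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int
    length: int            # wire length from the summary line
    payload: bytes         # bytes after the Ethernet header, as far as dumped
    findings: list = field(default_factory=list)


def parse_capture(text: str) -> Frame:
    """Parse the summary line and collect payload bytes from the hex lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = SUMMARY_RE.match(lines[0].strip())
    if not m:
        raise ValueError("unrecognised tcpdump summary line")
    length = int(m["length"])
    want = length - ETH_HDR_LEN
    payload = bytearray()
    for line in lines[1:]:
        tokens = line.split()
        # hex lines start with an offset such as "0x0010:"
        if not (tokens and tokens[0].startswith("0x") and tokens[0].endswith(":")):
            continue
        for tok in tokens[1:]:
            # stop at the ASCII column, or once the stated length is reached
            if len(payload) >= want or not HEX_TOKEN_RE.fullmatch(tok):
                break
            payload += bytes.fromhex(tok)
    return Frame(m["src"], m["dst"], int(m["etype"], 16), length, bytes(payload))


def is_counter_pattern(data: bytes) -> bool:
    """True when every byte is the previous byte plus one (a test pattern)."""
    return len(data) >= 16 and all(
        data[i] == (data[0] + i) & 0xFF for i in range(len(data)))


def analyze(text: str) -> Frame:
    """Decode the capture and attach finding codes for the anomalies seen."""
    f = parse_capture(text)
    if f.ethertype < 0x0600:
        f.findings.append("length-field-not-ethertype")   # 802.3 length, not a type
    elif f.ethertype not in KNOWN_ETHERTYPES:
        f.findings.append("unknown-ethertype")
    first_octet = int(f.dst.split(":")[0], 16)
    if not first_octet & 0x01 and f.dst.startswith("00:00:00:"):
        f.findings.append("zero-oui-destination")        # unicast with all-zero OUI
    if len(f.payload) < f.length - ETH_HDR_LEN:
        f.findings.append("truncated-dump")
    if is_counter_pattern(f.payload):
        f.findings.append("counter-pattern-payload")
    return f


if __name__ == "__main__":
    frame = analyze(CAPTURE)
    print(f"{frame.src} -> {frame.dst} type 0x{frame.ethertype:04x} "
          f"len {frame.length}, payload {len(frame.payload)} bytes")
    for code in frame.findings:
        print(" finding:", code)
```

Run against the pasted frame it reports all three findings: the ethertype is not one a routed interface should carry, the destination is a unicast address with an all-zero OUI, and the 64 payload bytes are the sequence 0x00..0x3f, which is what a test-pattern generator emits rather than what any protocol header looks like. That is the same conclusion Nick reaches later in the thread, but with the evidence itemised for the TAC case.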
- Kevin

From eng_mssk at hotmail.com Sat Nov 7 17:04:34 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 8 Nov 2009 00:04:34 +0200
Subject: [c-nsp] SNMP Trap Software

hey all
i am using Cacti to graph my devices (SNMP port 161)
i want a free software that enables me to send traps to (SNMP port 162)

Best Regards,

From CJones at enterprisedata.com.au Sat Nov 7 17:18:09 2009
From: CJones at enterprisedata.com.au (Chris Jones)
Date: Sun, 8 Nov 2009 09:18:09 +1100
Subject: [c-nsp] SNMP Trap Software
Message-ID: <9ACFA99B-ADDB-47C4-A6D3-A2466FE41CA6@enterprisedata.com.au>

snmptrapd (part of the net-snmp package, which is included with most Linux/Unix distributions these days), can handle that for you. Take a look at http://net-snmp.sourceforge.net/

Regards,

Chris Jones

On 08/11/2009, at 9:04 AM, Mohammad Khalil wrote:

>
> hey all
> i am using Cacti to graph my devices (SNMP port 161)
> i want a free software that enables me to send traps to (SNMP port 162)
>
> Best Regards,
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From swmike at swm.pp.se Sun Nov 8 03:29:23 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sun, 8 Nov 2009 09:29:23 +0100 (CET)
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <200911081520.34864.mtinka@globaltransit.net>
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com> <200911081520.34864.mtinka@globaltransit.net>

On Sun, 8 Nov 2009, Mark Tinka wrote:

> I will say one thing, though. Dividing the IS-IS domain into
> L1 and L2 levels accordingly is meant to help you scale.

That might make sense if you have all routes in there, but when just carrying loopbacks it kind of stops making sense (at least to me).
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From mtinka at globaltransit.net Sun Nov 8 02:13:33 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 8 Nov 2009 15:13:33 +0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <4AF48220.4000900@justinshore.com>
References: <4AF21CA5.4050804@gmail.com> <4AF47AF3.7040200@gmail.com> <4AF48220.4000900@justinshore.com>
Message-ID: <200911081513.34421.mtinka@globaltransit.net>

On Saturday 07 November 2009 04:08:00 am Justin Shore wrote:

> I was going to throw up a red flag about trying to run
> IS-IS on a 3750 because the last time I looked
> fixed-config non-ME Cat switches didn't support IS-IS.
> However I checked the FN just to be sure since it's been
> a long while since I looked and sure enough they added
> IS-IS to the 3750s with 12.2(50)SE.

We have IS-IS running on 3560G's and 3750's for L1-only, IOS 12.2(52)SE.

All our Ethernet switches run pure Layer 2 switching, so we're only using IS-IS to provide access to the device's Loopback address, for management.

It works.

Cheers,

Mark.

From mtinka at globaltransit.net Sun Nov 8 02:20:33 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 8 Nov 2009 15:20:33 +0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
Message-ID: <200911081520.34864.mtinka@globaltransit.net>

On Friday 06 November 2009 04:09:58 pm Mikael Abrahamsson wrote:

> This is probably the biggest problem, the few people
> doing L1-L2 separation are those into academia/theoretics
> (passing a test/exam), when you go into the real world
> it's no longer in major use.
>
> I've never bothered to learn about ISIS L1, never needed
> to, see no use for it in real life.
> L2-only is the way to
> go.
>
> I'd also recommend against it from a sw standpoint. Sure,
> the sw supports it, but it hasn't been exposed to real
> life as much as L2 only because of above reasons.

Well, we switched from OSPF to IS-IS in 2008, and we're running:

* L1-only for all routers/switches in a PoP.
* L1/L2 on all core routers.
* L2-only for all PoP-to-PoP core links.

The above has been stable, runs very well - helps us manage a multi-Gbps transport network :-).

I will say one thing, though. Dividing the IS-IS domain into L1 and L2 levels accordingly is meant to help you scale. However, in this case, we trade scaling for optimality (even with an L1 and L2 network) by performing Route Leaking on all core routers. So if you think about it, it sort of moots the point, and perhaps makes an L2-only network an obvious choice.

However, we still went ahead to deploy a multi-level IS-IS backbone, because there could be some day where we only need L1 routes in a specific PoP (which, to be honest, I can't see now - but as with anything else in network operations, better to be prepared).

Cheers,

Mark.

From mtinka at globaltransit.net Sun Nov 8 06:17:24 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 8 Nov 2009 19:17:24 +0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net>
Message-ID: <200911081917.29547.mtinka@globaltransit.net>

On Sunday 08 November 2009 04:29:23 pm Mikael Abrahamsson wrote:

> That might make sense if you have all routes in there,
> but when just carrying loopbacks it kind of stops making
> sense (at least to me).

Well, a route is a route. The difference between philosophies is just the volume.
I get your point, but who's to say I won't have 10,000 routers in production?

Mark.

From ras at e-gerbil.net Sun Nov 8 06:33:55 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sun, 8 Nov 2009 05:33:55 -0600
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <200911081917.29547.mtinka@globaltransit.net>
References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net>
Message-ID: <20091108113355.GD51443@gerbil.cluepon.net>

On Sun, Nov 08, 2009 at 07:17:24PM +0800, Mark Tinka wrote:
> On Sunday 08 November 2009 04:29:23 pm Mikael Abrahamsson
> wrote:
>
> > That might make sense if you have all routes in there,
> > but when just carrying loopbacks it kind of stops making
> > sense (at least to me).
>
> Well, a route is a route. The difference between
> philosophies is just the volume.
>
> I get your point, but who's to say I won't have 10,000
> routers in production?

IMHO the rule of thumb for multiple areas in either ISIS or OSPF is "if you have to ask whether you should use them or not, the answer is you shouldn't". Their sensible use is so vastly exaggerated in books and lab tests that it isn't even funny.

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From adwhite at inchix.net Sun Nov 8 06:49:58 2009
From: adwhite at inchix.net (Andrew White)
Date: Sun, 8 Nov 2009 22:49:58 +1100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
Message-ID: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>

Any reason why you wouldn't go for fcoe on nexus 5k? :)

On Sat, Nov 7, 2009 at 6:26 AM, Jason Gurtz wrote:
>> Not sure that you want to go with Nexus at this point.
>> Its got some
>> really nice features, however we keep running into code bugs . Not just
>> stuff that's obscure and shows up in certain situations but real show-
>> stoppers like being unable to form port-channels with HP blade servers.
>
> Interesting assessment and sorry to hear about the microsoftish
> experience. We're not intending to use blades (ESX Server 4 on a number
> of HP DL380G6 is likely) and would like to do cross-box etherchannels for
> redundancy.
>
> Jeff mentioned the 4948 of which the 10G version looks great since we're
> wanting to mirror the san off-site over fiber.
>
> There's still a chance that fiber channel will happen though it looks like
> that doesn't really make sense in this day and age. Here, vendors are
> pushing the MDS9124 box.
>
> Thanks for the responses so far.
>
> ~JasonG
>

From swmike at swm.pp.se Sun Nov 8 07:10:05 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sun, 8 Nov 2009 13:10:05 +0100 (CET)
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <200911081917.29547.mtinka@globaltransit.net>
References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net>

On Sun, 8 Nov 2009, Mark Tinka wrote:

> Well, a route is a route. The difference between
> philosophies is just the volume.
>
> I get your point, but who's to say I won't have 10,000
> routers in production?

In order to detect loopbacks going away and using this to invalidate/remove next-hops quickly, you can't aggregate anyway.

Sorry, I have yet to hear someone describe an ISP network (designed as per ISP essentials, carry loopbacks in IGP and everything else in BGP), where IGP aggregation makes sense.
If you have 10k routers in your IGP, well, you most likely did something wrong earlier in the process.

Also, with modern processors and techniques such as partial tree recalculation in modern router OSes, I'm sure even 10k routers would be manageable in a single area.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From amr.ccie at gmail.com Sun Nov 8 08:49:04 2009
From: amr.ccie at gmail.com (Jason Alex)
Date: Sun, 8 Nov 2009 15:49:04 +0200
Subject: [c-nsp] Upgrade to XR-IOS 3.8.1

Dear All,
            Kindly i want to upgrade one of my routers to Cisco IOS XR 3.8.1 (Cisco 12410)
my current IOS is 3.6.1

any advice how can i make this upgrade gracefully without any downtime ? and what are the steps to migrate to version 3.8.1

Thanks & Regards
Jason

From brian at bluecoat93.org Sun Nov 8 10:33:35 2009
From: brian at bluecoat93.org (Brian Landers)
Date: Sun, 8 Nov 2009 10:33:35 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
Message-ID: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>

I realize this is cisco-nsp, but does anyone have any opinions on the Force 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long been frustrated with Cisco's lack of a cost-effective "48 ports of gigE with a 10ge uplink" switch. I don't really *need* a $12,000 layer 3 switch (or two) at the top of every rack in my data center!

On Sun, Nov 8, 2009 at 6:49 AM, Andrew White wrote:
> Any reason why you wouldn't go for fcoe on nexus 5k? :)
>
>
>
> On Sat, Nov 7, 2009 at 6:26 AM, Jason Gurtz
> wrote:
> >> Not sure that you want to go with Nexus at this point. Its got some
> >> really nice features, however we keep running into code bugs . Not just
> >> stuff that's obscure and shows up in certain situations but real show-
> >> stoppers like being unable to form port-channels with HP blade servers.
> >
> > Interesting assessment and sorry to hear about the microsoftish
> > experience. We're not intending to use blades (ESX Server 4 on a number
> > of HP DL380G6 is likely) and would like to do cross-box etherchannels for
> > redundancy.
> >
> > Jeff mentioned the 4948 of which the 10G version looks great since we're
> > wanting to mirror the san off-site over fiber.
> >
> > There's still a chance that fiber channel will happen though it looks
> like
> > that doesn't really make sense in this day and age. Here, vendors are
> > pushing the MDS9124 box.
> >
> > Thanks for the responses so far.
> >
> > ~JasonG
>

--
Brian C Landers
http://www.packetslave.com/
CCIE #23115

From william.mccall at gmail.com Sun Nov 8 13:30:41 2009
From: william.mccall at gmail.com (William McCall)
Date: Sun, 8 Nov 2009 12:30:41 -0600
Subject: [c-nsp] Upgrade to XR-IOS 3.8.1

There will be downtime if you go directly with these versions. Check with your SE or TAC. IIRC, they should have a list of versions to go through to do a nice graceful (albeit, with some minor disruptions) upgrade.

--
William McCall, CCIE #25044

On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote:
> Dear All,
>             Kindly i want to upgrade one of my routers to Cisco IOS XR
> 3.8.1 (Cisco 12410)
> my current IOS is 3.6.1
>
> any advice how can i make this upgrade gracefully without any downtime ?
> and what are the steps to migrate to version 3.8.1
>
>
> Thanks & Regards
> Jason
>

From edigheorghiu at gmail.com Sun Nov 8 16:01:40 2009
From: edigheorghiu at gmail.com (Eduard Gheorghiu)
Date: Sun, 8 Nov 2009 23:01:40 +0200
Subject: [c-nsp] Upgrade to XR-IOS 3.8.1

William, can you give an example of two XR versions that you can migrate between without reloading the whole box? I would like to try it in the lab in order to see how it is done.

Thanks,
Eduard

On Nov 8, 2009 8:41 PM, "William McCall" wrote:

There will be downtime if you go directly with these versions. Check with your SE or TAC. IIRC, they should have a list of versions to go through to do a nice graceful (albeit, with some minor disruptions) upgrade.

--
William McCall, CCIE #25044

On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote:
> Dear All,
> Ki...

From nick at inex.ie Sun Nov 8 16:16:59 2009
From: nick at inex.ie (Nick Hilliard)
Date: Sun, 08 Nov 2009 21:16:59 +0000
Subject: [c-nsp] unknown ethertype 0x200e
In-Reply-To: <4AF5E309.4000202@kl.net>
References: <4AF5E309.4000202@kl.net>
Message-ID: <4AF7354B.10600@inex.ie>

On 07/11/2009 21:13, Kevin Loch wrote:
> Does anyone know what this might be, from a routed interface
> on SRD3:
>
> 15:00:18.774808 00:02:fc:c1:0d:b2 > 00:00:00:00:02:02, ethertype Unknown
> (0x200e), length 78:
> 0x0000: 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f ................
> 0x0010: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
> 0x0020: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./
> 0x0030: 3031 3233 3435 3637 3839 3a3b 3c3d 3e3f 0123456789:;<=>?
>
> I'd like to know what knob to use to turn it off. Google didn't turn up
> anything helpful.

Looks like junk traffic to me.
Might be worth opening up a TAC case: the payload looks peculiar and as you note, the ethertype is unknown. The destination mac address also looks odd.

Nick

From dudepron at gmail.com Sun Nov 8 19:22:58 2009
From: dudepron at gmail.com (Aaron)
Date: Sun, 8 Nov 2009 19:22:58 -0500
Subject: [c-nsp] Upgrade to XR-IOS 3.8.1
Message-ID: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com>

There isn't a version that you can do that.

Aaron

On Sun, Nov 8, 2009 at 16:01, Eduard Gheorghiu wrote:
> William, can you give an example of two XR versions that you can migrate
> between without reloading the whole box? I would like to try it in the lab
> in order to see how it is done.
> Thanks,
> Eduard
>
> On Nov 8, 2009 8:41 PM, "William McCall" wrote:
>
> There will be downtime if you go directly with these versions. Check
> with your SE or TAC. IIRC, they should have a list of versions to go
> through to do a nice graceful (albeit, with some minor disruptions)
> upgrade.
>
>
> --
> William McCall, CCIE #25044
>
> On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote:
> > Dear All,
> > Ki...
>

From william.mccall at gmail.com Sun Nov 8 19:55:39 2009
From: william.mccall at gmail.com (William McCall)
Date: Sun, 8 Nov 2009 18:55:39 -0600
Subject: [c-nsp] Upgrade to XR-IOS 3.8.1
In-Reply-To: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com>
References: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com>

*shrug* I recalled incorrectly. I was under the impression that some of the minor releases were capable of in-service upgrade. However, it looks like it just applies to SMUs. And even then, the SMUs might take out the box.

On Sun, Nov 8, 2009 at 6:22 PM, Aaron wrote:
> There isn't a version that you can do that.
>
> Aaron
>
> On Sun, Nov 8, 2009 at 16:01, Eduard Gheorghiu
> wrote:
>>
>> William, can you give an example of two XR versions that you can migrate
>> between without reloading the whole box? I would like to try it in the lab
>> in order to see how it is done.
>> Thanks,
>> Eduard
>>
>> On Nov 8, 2009 8:41 PM, "William McCall" wrote:
>>
>> There will be downtime if you go directly with these versions. Check
>> with your SE or TAC. IIRC, they should have a list of versions to go
>> through to do a nice graceful (albeit, with some minor disruptions)
>> upgrade.
>>
>>
>> --
>> William McCall, CCIE #25044
>>
>> On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote:
>
>> Dear All,
>             Ki...
>
>

--
William McCall, CCIE #25044

From dudepron at gmail.com Sun Nov 8 22:29:50 2009
From: dudepron at gmail.com (Aaron)
Date: Sun, 8 Nov 2009 22:29:50 -0500
Subject: [c-nsp] Upgrade to XR-IOS 3.8.1
References: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com>
Message-ID: <480dad640911081929h1cd625ccueedf1c058f7b38ae@mail.gmail.com>

Yeah. ISSU isn't where it should be. Some SMU's require a reload depending on what components are touched.

On Sun, Nov 8, 2009 at 19:55, William McCall wrote:
> *shrug* I recalled incorrectly. I was under the impression that some
> of the minor releases were capable of in-service upgrade. However, it
> looks like it just applies to SMUs. And even then, the SMUs might take
> out the box.
>
> On Sun, Nov 8, 2009 at 6:22 PM, Aaron wrote:
> > There isn't a version that you can do that.
> >
> > Aaron
> >
> > On Sun, Nov 8, 2009 at 16:01, Eduard Gheorghiu
> > wrote:
> >>
> >> William, can you give an example of two XR versions that you can migrate
> >> between without reloading the whole box?
> >> I would like to try it in the
> lab
> >> in order to see how it is done.
> >> Thanks,
> >> Eduard
> >>
> >> On Nov 8, 2009 8:41 PM, "William McCall"
> wrote:
> >>
> >> There will be downtime if you go directly with these versions. Check
> >> with your SE or TAC. IIRC, they should have a list of versions to go
> >> through to do a nice graceful (albeit, with some minor disruptions)
> >> upgrade.
> >>
> >>
> >> --
> >> William McCall, CCIE #25044
> >>
> >> On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote:
> >
> >> Dear All,
> Ki...
> >
> >
> >
> >
> > --
> > William McCall, CCIE #25044
>

From andy.saykao at staff.netspace.net.au Mon Nov 9 00:26:29 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 9 Nov 2009 16:26:29 +1100
Subject: [c-nsp] Troubleshooting Output Drops on 7301
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAEEF@vic-cr-ex1.staff.netspace.net.au>

Hi All,

We're seeing some output drops occur on one of our interstate links. Just wondering how I can track what's causing it and/or whether it's normal behaviour for the output queue to fill up every now and then because of an increase in bursty traffic at the time.

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 11624

(Counters were cleared 17 minutes ago.)

I've read Cisco's "Troubleshooting Input Queue Drops and Output Queue Drops" but it doesn't seem to have any information relating to my situation. Also searched for help on the list but nothing much to go on.

Cisco IOS Software, 7301 Software (C7301-JS-M), Version 12.2(31)SB13, RELEASE SOFTWARE (fc1)
Cisco 7301 (NPE) processor (revision A) with 229376K/32768K bytes of memory.
interface GigabitEthernet0/2
 description Link from XXX to YYY
 mtu 9000
 bandwidth 150000
 ip address 203.17.96.X 255.255.255.252
 load-interval 30
 media-type gbic
 speed auto
 duplex auto
 negotiation auto
 mpls ip

router>sh int gig 0/2
GigabitEthernet0/2 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 000b.60a5.ac19 (bia 000b.60a5.ac19)
  Description: Link from XXX to YYY
  Internet address is 203.17.96.X/30
  MTU 9000 bytes, BW 150000 Kbit, DLY 10 usec,
     reliability 255/255, txload 221/255, rxload 153/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1000Mbps, 1000BaseLX, Auto-negotiation, media type is LX
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:17:33
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 11624
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 90511000 bits/sec, 17280 packets/sec
  30 second output rate 130521000 bits/sec, 21551 packets/sec
     18784789 packets input, 3852868380 bytes, 0 no buffer
     Received 1244 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 66127 multicast, 0 pause input
     22942732 packets output, 4128502155 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

router#sh proc memory
Processor Pool Total:  174234996 Used:   64120552 Free:  110114444
      I/O Pool Total:   33554432 Used:    3729248 Free:   29825184

router#sh processes cpu sorted
CPU utilization for five seconds: 20%/18%; one minute: 19%; five minutes: 19%

Any help would be appreciated.

Thanks.
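Reading the counters above by hand is error-prone, so here is an added example that is not part of Andy's post: a Python parser for the relevant lines of the 'show interface' output that derives the drop ratio, the drop rate since the counters were cleared, and utilization against both the configured bandwidth and the physical link. The sample is trimmed to the lines the parser uses; the assessment rules in assess() are this example's own rule of thumb, not a Cisco procedure.

```python
"""Derive drop and utilisation figures from IOS 'show interface' output."""
import re
from dataclasses import dataclass

# The lines of Andy's 'show interface' output that the parser uses
# (trimmed from the full output in the mail).
SHOW_INT = """\
GigabitEthernet0/2 is up, line protocol is up
  MTU 9000 bytes, BW 150000 Kbit, DLY 10 usec,
     reliability 255/255, txload 221/255, rxload 153/255
  Full Duplex, 1000Mbps, 1000BaseLX, Auto-negotiation, media type is LX
  Last clearing of "show interface" counters 00:17:33
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 11624
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second output rate 130521000 bits/sec, 21551 packets/sec
     22942732 packets output, 4128502155 bytes, 0 underruns
"""


def _num(pattern: str, text: str) -> int:
    """Return the first capture group of `pattern` as an int, or raise."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return int(m.group(1))


@dataclass
class IfStats:
    output_drops: int
    packets_output: int
    seconds_since_clear: int   # from the hh:mm:ss "Last clearing" field
    bw_kbit: int               # configured 'bandwidth'; txload is measured against it
    link_mbps: int             # physical link speed
    txload: int                # x/255
    output_bps: int            # load-interval average
    out_queue_max: int         # software output queue depth (size/max)

    def drop_ratio_pct(self) -> float:
        return 100.0 * self.output_drops / self.packets_output

    def drops_per_second(self) -> float:
        return self.output_drops / self.seconds_since_clear

    def txload_pct(self) -> float:
        return 100.0 * self.txload / 255

    def stated_bw_util_pct(self) -> float:
        return 100.0 * self.output_bps / (self.bw_kbit * 1000)

    def physical_util_pct(self) -> float:
        return 100.0 * self.output_bps / (self.link_mbps * 1_000_000)


def parse_show_interface(text: str) -> IfStats:
    """Pull the counters needed for a drop assessment out of IOS output."""
    clr = re.search(r'counters (\d+):(\d+):(\d+)', text)
    if not clr:
        raise ValueError("counter clearing time is not in hh:mm:ss form")
    h, m, s = (int(x) for x in clr.groups())
    return IfStats(
        output_drops=_num(r"Total output drops: (\d+)", text),
        packets_output=_num(r"(\d+) packets output", text),
        seconds_since_clear=h * 3600 + m * 60 + s,
        bw_kbit=_num(r"BW (\d+) Kbit", text),
        link_mbps=_num(r"(\d+)Mbps", text),
        txload=_num(r"txload (\d+)/255", text),
        output_bps=_num(r"output rate (\d+) bits/sec", text),
        out_queue_max=_num(r"Output queue: \d+/(\d+)", text),
    )


def assess(st: IfStats) -> list:
    """Rules of thumb (this example's own) for reading the numbers."""
    if st.output_drops == 0:
        return ["no output drops since counters were cleared"]
    notes = [f"{st.drop_ratio_pct():.3f}% of output packets dropped, "
             f"{st.drops_per_second():.1f} drops/s since clearing"]
    if st.physical_util_pct() < 50:
        # Average output is far below line rate, so sustained congestion is
        # not the explanation: the FIFO overflowed on bursts shorter than the
        # load interval, which the averaged rate cannot show.
        notes.append(f"average output is {st.physical_util_pct():.1f}% of the "
                     f"{st.link_mbps} Mb/s link yet the {st.out_queue_max}-packet "
                     "FIFO overflowed: bursts shorter than the load interval")
    if st.bw_kbit * 1000 < st.link_mbps * 1_000_000:
        notes.append(f"txload {st.txload_pct():.1f}% is relative to the configured "
                     f"bandwidth {st.bw_kbit} Kbit, not the physical link")
    return notes


if __name__ == "__main__":
    for note in assess(parse_show_interface(SHOW_INT)):
        print("-", note)
```

For the numbers in the mail this gives about 0.05% of output packets dropped at roughly 11 drops per second, while the 30-second average output is only 13% of the gigabit link; the txload of 221/255 looks alarming only because it is computed against the configured bandwidth of 150000 Kbit. Sampling the same counters a few times a minute and plotting drops per interval is what lets you correlate the bursts with a time of day or a traffic source.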
Andy

From ras at e-gerbil.net Mon Nov 9 02:23:46 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 9 Nov 2009 01:23:46 -0600
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <200911091432.32320.mtinka@globaltransit.net>
References: <4AF21CA5.4050804@gmail.com> <200911081917.29547.mtinka@globaltransit.net> <20091108113355.GD51443@gerbil.cluepon.net> <200911091432.32320.mtinka@globaltransit.net>
Message-ID: <20091109072346.GK51443@gerbil.cluepon.net>

On Mon, Nov 09, 2009 at 02:32:11PM +0800, Mark Tinka wrote:
> On Sunday 08 November 2009 07:33:55 pm Richard A Steenbergen
> wrote:
>
> > IMHO the rule of thumb for multiple areas in either ISIS
> > or OSPF is "if you have to ask whether you should use
> > them or not, the answer is you shouldn't". Their sensible
> > use is so vastly exaggerated in books and lab tests that
> > it isn't even funny.
>
> Speaking on my/our own behalf, there wouldn't be a doubt in
> our minds whether we needed the hierarchy or not.
>
> In our case, coming from OSPF where Areas were in vast use
> (different for each PoP, and we had quite a few), it made
> sense, at the time, to maintain a similar hierarchy in IS-
> IS, especially since what we wanted the most out of the
> migration was its "stretchy" property.
>
> However, like I mentioned in an earlier post, it quickly
> dawned on us that since Route Leaking essentially adds all
> L1 routes from other PoP's into the L1 database in other
> PoP's, and you turn off the ATT bit to gain optimality, the
> point of running both L1 and L2 for scaling reasons quickly
> becomes moot.

I'm not questioning your decision, I'm just stating it for the archives and for everyone else who has to make this same decision at some point in the future: If you have to ask, just don't do it. I see way too many people trying to deploy areas with 10 router networks because they read somewhere that it was what they were supposed to do to scale, or because people saw it on an exam somewhere.

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From mtinka at globaltransit.net Mon Nov 9 01:32:11 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 9 Nov 2009 14:32:11 +0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <20091108113355.GD51443@gerbil.cluepon.net>
References: <4AF21CA5.4050804@gmail.com> <200911081917.29547.mtinka@globaltransit.net> <20091108113355.GD51443@gerbil.cluepon.net>
Message-ID: <200911091432.32320.mtinka@globaltransit.net>

On Sunday 08 November 2009 07:33:55 pm Richard A Steenbergen wrote:

> IMHO the rule of thumb for multiple areas in either ISIS
> or OSPF is "if you have to ask whether you should use
> them or not, the answer is you shouldn't". Their sensible
> use is so vastly exaggerated in books and lab tests that
> it isn't even funny.

Speaking on my/our own behalf, there wouldn't be a doubt in our minds whether we needed the hierarchy or not.

In our case, coming from OSPF where Areas were in vast use (different for each PoP, and we had quite a few), it made sense, at the time, to maintain a similar hierarchy in IS-IS, especially since what we wanted the most out of the migration was its "stretchy" property.
However, like I mentioned in an earlier post, it quickly dawned on us that since Route Leaking essentially adds all L1 routes from other PoP's into the L1 database in other PoP's, and you turn off the ATT bit to gain optimality, the point of running both L1 and L2 for scaling reasons quickly becomes moot.

However, having already gone down that path, in actual practice - operationally - it makes very little difference (to us) and doesn't add any undue complexity or burden.

Only our core routers are L1/L2 capable, and those are beasts that forward only on MPLS labels. Everything else, i.e., all devices within each PoP (edge, peering, upstream, route reflectors, RTBH routers, aggregation switches, e.t.c.), speaks L1-only.

Cheers,

Mark.

From skoal at skoal.name Mon Nov 9 01:55:43 2009
From: skoal at skoal.name (Gergely Antal)
Date: Mon, 09 Nov 2009 07:55:43 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
Message-ID: <4AF7BCEF.20506@skoal.name>

Did you look at the c2350 also?
http://www.cisco.com/en/US/products/ps10116/index.html

Brian Landers wrote:
> I realize this is cisco-nsp, but does anyone have any opinions on the Force
> 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long been
> frustrated with Cisco's lack of a cost-effective "48 ports of gigE with a
> 10ge uplink" switch. I don't really *need* a $12,000 layer 3 switch (or
> two) at the top of every rack in my data center!
>
>
> On Sun, Nov 8, 2009 at 6:49 AM, Andrew White wrote:
>
>> Any reason why you wouldn't go for fcoe on nexus 5k?
>> :)
>>
>>
>>
>> On Sat, Nov 7, 2009 at 6:26 AM, Jason Gurtz
>> wrote:
>>>> Not sure that you want to go with Nexus at this point. Its got some
>>>> really nice features, however we keep running into code bugs . Not just
>>>> stuff that's obscure and shows up in certain situations but real show-
>>>> stoppers like being unable to form port-channels with HP blade servers.
>>> Interesting assessment and sorry to hear about the microsoftish
>>> experience. We're not intending to use blades (ESX Server 4 on a number
>>> of HP DL380G6 is likely) and would like to do cross-box etherchannels for
>>> redundancy.
>>>
>>> Jeff mentioned the 4948 of which the 10G version looks great since we're
>>> wanting to mirror the san off-site over fiber.
>>>
>>> There's still a chance that fiber channel will happen though it looks
>> like
>>> that doesn't really make sense in this day and age. Here, vendors are
>>> pushing the MDS9124 box.
>>>
>>> Thanks for the responses so far.
>>>
>>> ~JasonG
>>>
>>
>
>
From mtinka at globaltransit.net Mon Nov 9 03:22:45 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 9 Nov 2009 16:22:45 +0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To:
References: <4AF21CA5.4050804@gmail.com> <200911081917.29547.mtinka@globaltransit.net>
Message-ID: <200911091622.50838.mtinka@globaltransit.net>

On Sunday 08 November 2009 08:10:05 pm Mikael Abrahamsson wrote:

> In order to detect loopbacks going away and using this to invalidate/remove next-hops quickly, you can't aggregate anyway.

My point exactly - the use of Route Leaking without the ATT bit nullifies the need for a multi-level IS-IS network for the sole purpose of scaling.

> Sorry, I have yet to hear someone describe an ISP network (designed as per ISP essentials, carry loopbacks in IGP and everything else in BGP), where IGP aggregation makes sense. If you have 10k routers in your IGP, well, you most likely did something wrong earlier in the process.

Completely agree with you, and I reiterate my statement in the paragraph above.

While this may apply specifically to MPLS-enabled environments, you might like to know (in case you don't already) that 'draft-swallow-mpls-aggregate-fec-01.txt' proposes an extension to LDP that would allow it to form an end-to-end LSP without the need to hold each and every routing entry for all routers in all routers, i.e., it permits the end-to-end LSP setup while also allowing IGP route summarization. Check out:

http://tools.ietf.org/id/draft-swallow-mpls-aggregate-fec-01.txt

But as mentioned, it only applies to MPLS environments. It sounds interesting but I'm not sure whether we'd be keen on a feature like this.

Given that we carry only infrastructure and Loopback addresses in IS-IS (and the fact that our routers are fairly CPU-able), we're not concerned about sacrificing scaling for optimality as it pertains to IGP route summarization, or lack thereof.

> Also, with modern processors and techniques such as partial tree recalculation in modern router OSes, I'm sure even 10k routers would be manageable in a single area.

Again, completely agree - and while I wouldn't want to start a "war of the protocols", I think IS-IS is better at this than OSPFv2, not only because of features such as iSPF, LSP Lifetime, PRC and SPF Delay, but also because unlike OSPFv2, IS-IS cleanly separates IP Reachability information from topology information, as distinct TLVs are used to encode both bits of information.

Because OSPFv2 carries IP Reachability information in Type 1 and Type 2 LSAs, it means changes in IP Reachability information only will initiate a potentially unnecessary update of the topology information as well, e.g., when all that has changed is the metric for a route, and not a failure of a link. In this case, PRC in OSPFv2 is relegated to Type 3, 4, 5 and 7 LSAs, and this starts to get into OSPF hierarchy (which is the issue under discussion at this point in this thread).

OSPFv3 has been fixed re: this limitation, as IP Reachability information and topology information has been encoded into separate data structures, much like IS-IS.

But coming back to why I think the L1 and L2 separation might come in handy, is if we decide to isolate a part of our network for one reason or another. Why, one might ask? For better or worse, we have a number of scenarios where deploying networks that should have nothing to do with the rest of our backbone are being considered (these are mostly business reasons, not technical - just to be clear, hehe).
In such a case, while the separation of L1 and L2 databases is not the driving factor for this, it becomes an unintentional enabling by-product of this structure.

Again, this probably isn't reason enough to do things this way (as mentioned to Richard in my previous post, our goal for migration was because IS-IS is "stretchy" and not because OSPF is eating up too much router CPU), but in our case, the operational difference between running the network in either mode is trivial.

Cheers,

Mark.

From eng_mssk at hotmail.com Mon Nov 9 04:22:46 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 9 Nov 2009 11:22:46 +0200
Subject: [c-nsp] overruns
Message-ID:

Hey all,

I have a Cisco 7606 connected to a WiMAX ASN GW via port channel. Now I have the following issue:

router#sh int po10 | inc overrun
     0 input errors, 0 CRC, 0 frame, 8032 overrun, 0 ignored
router#sh int po10 | inc ove
router#sh int po20 | inc overrun
     0 input errors, 0 CRC, 0 frame, 4305576 overrun, 0 ignored

router#sh run int po10
Building configuration...

Current configuration : 216 bytes
!
interface Port-channel10
 description CORE_VLAN to ASN Gateway
 switchport
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode access
 flowcontrol receive on
 flowcontrol send on
end

router#sh run int po20
Building configuration...

Current configuration : 215 bytes
!
interface Port-channel20
 description RAS-VLAN to ASN Gateway
 switchport
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport mode access
 flowcontrol receive on
 flowcontrol send on
end

router#sh int port-channel 10 etherchannel
Age of the Port-channel   = 284d:17h:52m:00s
Logical slot/port   = 14/1          Number of ports = 5
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     21     Gi3/3    On                 2
  1     42     Gi3/11   On                 2
  2     84     Gi3/19   On                 2
  3     08     Gi3/27   On                 1
  4     10     Gi3/35   On                 1

Time since last port bundled:    154d:01h:08m:46s    Gi3/35
Time since last port Un-bundled: 154d:01h:08m:50s    Gi3/35

router#sh int port-channel 20 etherchannel
Age of the Port-channel   = 284d:17h:52m:09s
Logical slot/port   = 14/2          Number of ports = 5
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     21     Gi3/4    On                 2
  1     42     Gi3/12   On                 2
  2     84     Gi3/20   On                 2
  3     08     Gi3/28   On                 1
  4     10     Gi3/36   On                 1

Time since last port bundled:    154d:00h:55m:38s    Gi3/36
Time since last port Un-bundled: 154d:00h:55m:41s    Gi3/36

Example of the interfaces:

CR1.KJ-Building#sh run int g3/36
Building configuration...

Current configuration : 284 bytes
!
interface GigabitEthernet3/36
 description RAS_VLAN (porrtchannel 20)
 switchport
 switchport access vlan 20
 switchport mode access
 no logging event link-status
 load-interval 30
 speed 1000
 duplex full
 flowcontrol receive on
 flowcontrol send on
 channel-group 20 mode on
end

CR1.KJ-Building#sh run int g3/35
Building configuration...

Current configuration : 300 bytes
!
interface GigabitEthernet3/35
 description CORE_VLAN to ASN Gateway (porrtchannel 10)
 switchport
 switchport access vlan 10
 switchport mode access
 no logging event link-status
 load-interval 30
 speed 1000
 duplex full
 flowcontrol receive on
 flowcontrol send on
 channel-group 10 mode on
end

And on the other router:

router#sh int po10 | inc overrun
     0 input errors, 0 CRC, 0 frame, 1643 overrun, 0 ignored
router#sh int po20 | inc overrun
     0 input errors, 0 CRC, 0 frame, 591813 overrun, 0 ignored

Can anyone help?

From gert at greenie.muc.de Mon Nov 9 04:24:00 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 9 Nov 2009 10:24:00 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <4AF7BCEF.20506@skoal.name>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name>
Message-ID: <20091109092400.GT163@greenie.muc.de>

Hi,

On Mon, Nov 09, 2009 at 07:55:43AM +0100, Gergely Antal wrote:
> Did you look at the c2350 also?
> http://www.cisco.com/en/US/products/ps10116/index.html

The data sheet sounds very nice indeed.

What I can't see from there is:

- does it support flow-control?
- how big and how flexible are its buffers? (as compared to 2950/2960/3750)
- is there a redundant power supply option?

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From skoal at skoal.name Mon Nov 9 04:30:07 2009
From: skoal at skoal.name (Gergely Antal)
Date: Mon, 09 Nov 2009 10:30:07 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <20091109092400.GT163@greenie.muc.de>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <20091109092400.GT163@greenie.muc.de>
Message-ID: <4AF7E11F.1030409@skoal.name>

Gert Doering wrote:
> Hi,
>
> On Mon, Nov 09, 2009 at 07:55:43AM +0100, Gergely Antal wrote:
>> Did you look at the c2350 also?
>> http://www.cisco.com/en/US/products/ps10116/index.html
>
> The data sheet sounds very nice indeed.
>
> What I can't see from there is:
>
> - does it support flow-control?

sh int t0/1 flowcontrol
Port       Send FlowControl  Receive FlowControl  RxPause TxPause
           admin    oper     admin    oper
---------  -------- -------- -------- --------    ------- -------
Te0/1      Unsupp.  Unsupp.  off      off         0       0

> - how big and how flexible are its buffers?

How can I check this from cmd?

> (as compared to 2950/2960/3750)
> - is there a redundant power supply option?

It has redundant power supplies.

From gert at greenie.muc.de Mon Nov 9 04:42:52 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 9 Nov 2009 10:42:52 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <4AF7E11F.1030409@skoal.name>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <20091109092400.GT163@greenie.muc.de> <4AF7E11F.1030409@skoal.name>
Message-ID: <20091109094252.GU163@greenie.muc.de>

Hi,

On Mon, Nov 09, 2009 at 10:30:07AM +0100, Gergely Antal wrote:
> > On Mon, Nov 09, 2009 at 07:55:43AM +0100, Gergely Antal wrote:
> >> Did you look at the c2350 also?
> >> http://www.cisco.com/en/US/products/ps10116/index.html
> >
> > The data sheet sounds very nice indeed.
> >
> > What I can't see from there is:
> >
> > - does it support flow-control?
> sh int t0/1 flowcontrol
> Port       Send FlowControl  Receive FlowControl  RxPause TxPause
>            admin    oper     admin    oper
> ---------  -------- -------- -------- --------    ------- -------
> Te0/1      Unsupp.  Unsupp.  off      off         0       0

Hmmm. What about the Gig ports?

> > - how big and how flexible are its buffers?
> How can I check this from cmd?

I think you can't. At least on the other switches, I have not yet found a way to ask the device about its buffer details.

> > (as compared to 2950/2960/3750)
> > - is there a redundant power supply option?
> It has redundant power supplies.

It has? Cool. (That's not clearly visible from the data sheet).

gert

From skoal at skoal.name Mon Nov 9 04:51:49 2009
From: skoal at skoal.name (Gergely Antal)
Date: Mon, 09 Nov 2009 10:51:49 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <20091109094252.GU163@greenie.muc.de>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <20091109092400.GT163@greenie.muc.de> <4AF7E11F.1030409@skoal.name> <20091109094252.GU163@greenie.muc.de>
Message-ID: <4AF7E635.9010104@skoal.name>

Gert Doering wrote:
> Hi,
>
> On Mon, Nov 09, 2009 at 10:30:07AM +0100, Gergely Antal wrote:
>>> On Mon, Nov 09, 2009 at 07:55:43AM +0100, Gergely Antal wrote:
>>>> Did you look at the c2350 also?
>>>> http://www.cisco.com/en/US/products/ps10116/index.html
>>> The data sheet sounds very nice indeed.
>>>
>>> What I can't see from there is:
>>>
>>> - does it support flow-control?
>> sh int t0/1 flowcontrol
>> Port       Send FlowControl  Receive FlowControl  RxPause TxPause
>>            admin    oper     admin    oper
>> ---------  -------- -------- -------- --------    ------- -------
>> Te0/1      Unsupp.  Unsupp.  off      off         0       0
>
> Hmmm. What about the Gig ports?

The same.

>>> - how big and how flexible are its buffers?
>> How can I check this from cmd?
>
> I think you can't. At least on the other switches, I have not yet found a way to ask the device about its buffer details.
>
>>> (as compared to 2950/2960/3750)
>>> - is there a redundant power supply option?
>> It has redundant power supplies.
>
> It has? Cool. (That's not clearly visible from the data sheet).

Sorry, I was misleading you. It has modular power and fan trays, but it's not redundant.
From mvanton at gmail.com Mon Nov 9 05:56:18 2009
From: mvanton at gmail.com (vince anton)
Date: Mon, 9 Nov 2009 11:56:18 +0100
Subject: [c-nsp] 7600 for ip transit uplink
Message-ID: <87e0d3ae0911090256q505fd15do217eb55976d6b8d3@mail.gmail.com>

Hi All,

I'm looking at using a 7600 to terminate a 10GE uplink for IP transit to my upstream. No BGP full table yet, just a default route.

I will be using a 6704 to connect the 7600 to my core, of course also using 10GE links.

The question I have is regarding which interface to use to connect to the upstream. Although using another of the ports on the 6704 would work for this, I'm not entirely convinced about it vs using say a SIP-600 which is possibly more appropriate? Is the 6704 port something I should not consider at all for the upstream link?

I'd like to hear from people as to what they are doing in their networks to evaluate pros and cons.

I'm aware that 6704 is a LAN card, as opposed to using a SIP-600 which is intended for WAN which offers deeper buffers, shaping etc... but the price difference is enormous!

thanks

anton

From gert at greenie.muc.de Mon Nov 9 06:44:55 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 9 Nov 2009 12:44:55 +0100
Subject: [c-nsp] 7600 for ip transit uplink
In-Reply-To: <87e0d3ae0911090256q505fd15do217eb55976d6b8d3@mail.gmail.com>
References: <87e0d3ae0911090256q505fd15do217eb55976d6b8d3@mail.gmail.com>
Message-ID: <20091109114455.GW163@greenie.muc.de>

Hi,

On Mon, Nov 09, 2009 at 11:56:18AM +0100, vince anton wrote:
> I'm looking at using a 7600 to terminate a 10GE uplink for IP transit to my upstream. No BGP full table yet, just a default route.
>
> I will be using a 6704 to connect the 7600 to my core, of course also using 10GE links.

We're using 6704 and 6708 to terminate uplinks, and they do the job nicely.

BUT: we have plenty of bandwidth available, so we have no need for QoS or deep buffers or anything more fancy offered by the SIP or ES cards.

> I'm aware that 6704 is a LAN card, as opposed to using a SIP-600 which is intended for WAN which offers deeper buffers, shaping etc... but the price difference is enormous!

Yes. Our design choice was "for the total amount of money we have, just get more bandwidth".

gert

From florent.paratte at gmail.com Mon Nov 9 06:54:53 2009
From: florent.paratte at gmail.com (Florent PARATTE (G))
Date: Mon, 9 Nov 2009 12:54:53 +0100
Subject: [c-nsp] 7200 Queuing
Message-ID:

Hello,

I would like to have precisions on default queuing on 7200 Routers.

Here is my test topology:

PC -----100Mbps------ Switch ------100Mbps------- Router ------10Mbps------ Switch ------100Mbps----- LAN

There is no QoS configured on equipments. There is a softphone on the PC and a flooding tool. There is an Asterisk server on the LAN which is displaying information about calls. Packets from PC are not marked. Packets from Asterisk are marked (SIP: CS3, RTP: EF).

Here is my test sequence:

I flood at 30Mbps from the PC to an IP on the LAN. I call, from the PC, a phone on the LAN.

Here is my problem:

I have packet loss on the LAN side router interface, but there is no RTP packet loss!

In the "show interface e2/0" command output, the queuing strategy is FIFO.

In the "show queue interface e2/0" command output, it is written this command is not used with FIFO strategy.

I made a lot of tests; the priority depends on neither the Layer 4 header (UDP or TCP, ports) nor the CoS field. So I imagine it may have a WFQ algorithm as queuing, but.

So my question is: Is there some default queuing management on Cisco 7200 Router interfaces that is not displayed?

Thank you in advance,

Florent Paratte

From rwest at zyedge.com Mon Nov 9 08:57:55 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 9 Nov 2009 08:57:55 -0500
Subject: [c-nsp] 7200 Queuing
In-Reply-To:
References:
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17B56@zy-ex1.zyedge.local>

Hi,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Florent PARATTE (G)
> Sent: Monday, November 09, 2009 6:55 AM
>
> In the "show interface e2/0" command output, the queuing strategy is FIFO.
>
> In the "show queue interface e2/0" command output, it is written this command is not used with FIFO strategy.
>
> I made a lot of tests; the priority depends on neither the Layer 4 header (UDP or TCP, ports) nor the CoS field. So I imagine it may have a WFQ algorithm as queuing, but.
>

FIFO is the default for your Ethernet interfaces. You should look into LLQ to prioritize your voice traffic and allocate some bandwidth for signaling on the 7200. Once you get your MQC policy setup, you can enable fair-queue or WRED for your remaining traffic.

If you know that you haven't enabled QoS on your switches yet, the tags should carry to your router. If you have enabled QoS, you'll need to trust the markings from your voice equipment and routers. You can verify this quickly by matching what you're expecting to see on the inbound interface of your router.

HTH,

-ryan

From brian at bluecoat93.org Mon Nov 9 09:05:34 2009
From: brian at bluecoat93.org (Brian Landers)
Date: Mon, 9 Nov 2009 09:05:34 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <4AF7BCEF.20506@skoal.name>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name>
Message-ID: <689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com>

On Mon, Nov 9, 2009 at 1:55 AM, Gergely Antal wrote:

> Did you look at the c2350 also?
> http://www.cisco.com/en/US/products/ps10116/index.html

Very interesting, indeed. Would be nice to see a POE version as well (to compete with the Force10 S50V), but as it seems to be positioned specifically as a data center switch, that doesn't seem likely.

Doesn't appear to be in the pricing tool yet, though?

--
Brian C Landers
http://www.packetslave.com/
CCIE #23115

From lists at hojmark.org Mon Nov 9 09:30:50 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Mon, 09 Nov 2009 15:30:50 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com>
Message-ID: <1r9gf5drp3n1c2odkcn4f473thtpg38ujl@hojmark.net>

On Mon, 9 Nov 2009 09:05:34 -0500, you wrote:

> [Cat 2350G] Doesn't appear to be in the pricing tool yet, though?

Every order goes on NPH and needs to go through the BU for approval. Pricing is 'known, but not public'.

-A

From florent.paratte at gmail.com Mon Nov 9 09:46:57 2009
From: florent.paratte at gmail.com (Florent PARATTE (G))
Date: Mon, 9 Nov 2009 15:46:57 +0100
Subject: [c-nsp] 7200 Queuing
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17B56@zy-ex1.zyedge.local>
References: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17B56@zy-ex1.zyedge.local>
Message-ID:

Thank you for your answer.

Sorry, I forgot to say what I tried to do: I know how to configure QoS settings, but before applying it I would like to have congestion, so RTP packet loss, to see "before/after" results.

But my problem is here. I'm not able to have RTP packet loss, even with the topology described just before.

Normally, with this test topology, I should have RTP packet loss, is it right?

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: Monday, 9 November 2009 14:58
To: Florent PARATTE (G); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 7200 Queuing

Hi,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Florent PARATTE (G)
> Sent: Monday, November 09, 2009 6:55 AM
>
> In the "show interface e2/0" command output, the queuing strategy is FIFO.
>
> In the "show queue interface e2/0" command output, it is written this command is not used with FIFO strategy.
>
> I made a lot of tests; the priority depends on neither the Layer 4 header (UDP or TCP, ports) nor the CoS field. So I imagine it may have a WFQ algorithm as queuing, but.
>

FIFO is the default for your Ethernet interfaces. You should look into LLQ to prioritize your voice traffic and allocate some bandwidth for signaling on the 7200. Once you get your MQC policy setup, you can enable fair-queue or WRED for your remaining traffic.

If you know that you haven't enabled QoS on your switches yet, the tags should carry to your router. If you have enabled QoS, you'll need to trust the markings from your voice equipment and routers. You can verify this quickly by matching what you're expecting to see on the inbound interface of your router.

HTH,

-ryan

From petelists at templin.org Mon Nov 9 10:45:28 2009
From: petelists at templin.org (Pete Templin)
Date: Mon, 09 Nov 2009 07:45:28 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <20091109072346.GK51443@gerbil.cluepon.net>
References: <4AF21CA5.4050804@gmail.com> <200911081917.29547.mtinka@globaltransit.net> <20091108113355.GD51443@gerbil.cluepon.net> <200911091432.32320.mtinka@globaltransit.net> <20091109072346.GK51443@gerbil.cluepon.net>
Message-ID: <4AF83918.9010505@templin.org>

Richard A Steenbergen wrote:
> I'm not questioning your decision, I'm just stating it for the archives and for everyone else who has to make this same decision at some point in the future: If you have to ask, just don't do it. I see way too many people trying to deploy areas with 10 router networks because they read somewhere that it was what they were supposed to do to scale, or because people saw it on an exam somewhere.

+1. I've recently finished a complete overhaul of a 14-router 5-POP network that had 6 areas (one for each POP), and had area 0 split into two independent areas 0. Access routers in any POP had no idea that access routers existed in other POPs, etc.

pt

From jasongurtz at npumail.com Mon Nov 9 12:02:10 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Mon, 9 Nov 2009 12:02:10 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
Message-ID:

> Any reason why you wouldn't go for fcoe on nexus 5k? :)

It does look like that is what the box is really for. To answer the question, it all depends on what SAN goes in. A lot of the newer stuff with better value is iSCSI only and eschews FC in any form.

Maybe a better question to ask is how does the nexus 5k fare against a 49xx switch doing iSCSI?
~JasonG

From jasongurtz at npumail.com Mon Nov 9 11:59:56 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Mon, 9 Nov 2009 11:59:56 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
Message-ID:

> I realize this is cisco-nsp, but does anyone have any opinions on the Force 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long been frustrated with Cisco's lack of a cost-effective "48 ports of gigE with a 10ge uplink" switch. I don't really *need* a $12,000 layer 3 switch (or two) at the top of every rack in my data center!

Another thing we found when considering 1G w/ 10G uplinks and value is Fujitsu XG0448.

~JasonG

From psirt at cisco.com Mon Nov 9 12:30:03 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Mon, 9 Nov 2009 12:30:03 -0500
Subject: [c-nsp] Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability
Message-ID: <200911091210.tls@psirt.cisco.com>

Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability

Advisory ID: cisco-sa-20091109-tls

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Revision 1.0

For Public Release 2009 November 9 1600 UTC (GMT)

Summary
=======

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.

Affected Products
=================

Cisco is currently evaluating products for possible exposure to these TLS issues. Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this advisory when a final determination about product exposure is made. Products that are not listed in either of these two sections are still being evaluated.

Vulnerable Products
-------------------

This section will be updated when more information is available.

Products Confirmed Not Vulnerable
---------------------------------

The following products are confirmed not vulnerable:

  * Cisco AnyConnect VPN Client

This section will be updated when more information is available.

Details
=======

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet.

An industry-wide vulnerability exists in the TLS protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

The following Cisco Bug IDs are being used to track potential exposure to the SSL and TLS issues. The bugs listed below do not confirm that a product is vulnerable, but rather that the product is under investigation by the appropriate product teams.
Registered Cisco customers can view these bugs via Cisco's Bug Toolkit:
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl

Product | Bug ID
------------------------------------------------------------------------------ | ----------
Cisco Adaptive Security Device Manager (ASDM) | CSCtd01491
Cisco AON Software | CSCtd01646
Cisco AON Healthcare for HIPAA and ePrescription | CSCtd01652
Cisco Application and Content Networking System (ACNS) Software | CSCtd01529
Cisco Application Networking Manager | CSCtd01480
Cisco ASA 5500 Series Adaptive Security Appliances | CSCtd00697
Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module | CSCtd01539
Cisco AVS 3100 Series Application Velocity System | CSCtd01566
Cisco Catalyst 6500 Series SSL Services Module | CSCtd06389
Firewall Services Module FWSM | CSCtd04061
Cisco CSS 11000 Series Content Services Switches | CSCtd01636
Cisco Unified SIP Phones | CSCtd01446
Cisco Data Center Network Manager | CSCtd02635
Cisco Data Mobility Manager | CSCtd02642
Cisco Digital Media Encoders | CSCtd01703
Cisco Digital Media Manager | CSCtd01692
Cisco Digital Media Players | CSCtd01718
Cisco Emergency Responder | CSCtd02650
Cisco IOS Software | CSCtd00658
Cisco IOS XE Software | CSCtd00658
Cisco IOS XR Software | CSCtd02658
Cisco IP Communicator | CSCtd02662
CATOS | CSCtd00662
Cisco IronPort Appliances | CSCtd02069
Cisco Unified MeetingPlace | CSCtd02709
Cisco NAC Appliance (Clean Access) | CSCtd01453
Cisco NAC Guest Server | CSCtd01462
Cisco NAC Profiler | CSCtd02716
Cisco Network Analysis Module Software (NAM) | CSCtd02729
Cisco Network Registrar | CSCtd02748
Cisco ONS 15500 Series | CSCtd02769
Cisco Physical Access Gateways | CSCtd02777
Cisco Physical Access Manager | CSCtd03912
Cisco Physical Security ISM | CSCtd03920
Cisco QoS Device Manager | CSCtd03923
Cisco Secure Access Control Server (ACS) | CSCtd00725
Cisco Secure Desktop | CSCtd03928
Cisco Secure Services Client | CSCtd03935
Cisco Security Agent CSA | CSCtd02689
Cisco Security Monitoring, Analysis and Response System (MARS) | CSCtd02654
Cisco Unified IP Phones | CSCtd04121
Cisco Service Control Subscriber Manager | CSCtd04171
Cisco TelePresence Manager | CSCtd01771
Telepresence for Consumer | CSCtd01752
Cisco TelePresence Recording Server | CSCtd01742
Cisco Network Asset Collector | CSCtd04198
Cisco Unified Communications Manager (CallManager) | CSCtd01282
Cisco Unified Business Attendant Console | CSCtd05731
Cisco Unified Contact Center Enterprise | CSCtd05790
Cisco Unified Contact Center Express | CSCtd05790
Cisco Unified Contact Center Management Portal | CSCtd05755
Cisco Unified Contact Center Products | CSCtd05790
Cisco Unified Department Attendant Console | CSCtd05733
Cisco Unified E-Mail Interaction Manager | CSCtd05756
Cisco Unified Enterprise Attendant Console | CSCtd05735
Cisco Unified Mobile Communicator | CSCtd05762
Cisco Unified Mobility | CSCtd05786
Cisco Unified Mobility Advantage | CSCtd05783
Cisco Unified Operations Manager | CSCtd05784
Cisco Unified Personal Communicator | CSCtd05759
Cisco Unified Presence | CSCtd05791
Cisco Unified Provisioning Manager | CSCtd05777
Cisco Unified Quick Connect | CSCtd05738
Cisco Unified Service Monitor | CSCtd05780
|----------------------------+-------------------------------| | Cisco Unified Service | CStCd05778 | | Statistics Manager | | |----------------------------+-------------------------------| | Cisco Unified SIP Proxy | CSCtd05765 | | | | |----------------------------+-------------------------------| | Cisco Unity | CSCtd02855 | | | | |----------------------------+-------------------------------| | Cisco NX-OS Software | CSCtd00699 and CSCtd00703 | | | | |----------------------------+-------------------------------| | Cisco Video Portal | CSCtd04097 | | | | |----------------------------+-------------------------------| | Cisco Video Surveillance | CSCtd02831 | | Media Server Software | | |----------------------------+-------------------------------| | Cisco Video Surveillance | CSCtd02780 | | Operations Manager | | | Software | | |----------------------------+-------------------------------| | Cisco Wide Area File | CSCtd04106 | | Services Software (WAFS) | | |----------------------------+-------------------------------| | Cisco Wireless Control | CSCtd01625 | | System | | |----------------------------+-------------------------------| | Cisco Wireless LAN | CSCtd01611 | | Controller (WLAN) | | |----------------------------+-------------------------------| | Cisco Wireless Location | CSCtd04115 | | Appliance | | |----------------------------+-------------------------------| | CiscoWorks Common Services | CSCtd01597 | | Software | | |----------------------------+-------------------------------| | CiscoWorks Wireless LAN | CSCtd04111 | | Solution Engine (WLSE) | | +------------------------------------------------------------+ This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-3555. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). 
The CVSS scoring in this Security Advisory is done in accordance with
CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* TLS Renegotiation Vulnerability (all Cisco Bugs above)

CVSS Base Score - 4.3
    Access Vector          - Network
    Access Complexity      - Medium
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - Partial
    Availability Impact    - None

CVSS Temporal Score - 4.1
    Exploitability         - Functional
    Remediation Level      - Unavailable
    Report Confidence      - Confirmed

Impact
======

This section will be updated when more information is available.

Software Versions and Fixes
===========================

This section will be updated to include fixed software versions for
affected Cisco products as they become available.

Workarounds
===========

Workarounds are being investigated. This section will be updated when
more information becomes available.

Obtaining Fixed Software
========================

Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they
have purchased.
By installing, downloading, accessing or otherwise using such software
upgrades, customers agree to be bound by the terms of Cisco's software
license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for
software upgrades.

Customers with Service Contracts
--------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
-------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.

Customers without Service Contracts
-----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC).
TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.

Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

This vulnerability was initially discovered by Marsh Ray and Steve
Dispensa from PhoneFactor, Inc.

Cisco is not aware of any malicious exploitation of this vulnerability.
Proof-of-concept exploit code has been published for this
vulnerability.

Status of this Notice: INTERIM
==============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2009-November-9 | Initial public release    |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Nov 09, 2009                               Document ID: 111046

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkr4TCsACgkQ86n/Gc8U/uDNWgCfYptXVZhz0qn2DvRh2zUtZ5EF
OS4AoJediPm3/t9XqYIdrjR5PNP25iY/
=SkAu
-----END PGP SIGNATURE-----

From sethm at rollernet.us Mon Nov 9 12:37:48 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 09 Nov 2009 09:37:48 -0800
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
	<689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
Message-ID: <4AF8536C.4090300@rollernet.us>

Brian Landers wrote:
> I realize this is cisco-nsp, but does anyone have any opinions on the Force
> 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long been
> frustrated with Cisco's lack of a cost-effective "48 ports of gigE with a
> 10ge uplink" switch. I don't really *need* a $12,000 layer 3 switch (or
> two) at the top of every rack in my data center!
>

An HP ProCurve 6600-48G-4XG is a bit less and has 4x 10 gig and 48x
10/100/1000 ports. And they actually tell you the packet buffer size in
their spec sheets. Never used this model personally though, but I have
some other HP switches and I've been happy with them. The price
difference and functional equivalence (for my needs) mean that I'd
seriously consider HP if they had complete IPv6 support.

Cisco-nsp seems to be the most active list of the *-nsp and having this
list as a resource is valuable.

~Seth

From jared.a.gillis at gmail.com Mon Nov 9 12:51:40 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Mon, 09 Nov 2009 09:51:40 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To:
References: <4AF21CA5.4050804@gmail.com>
	<200911081520.34864.mtinka@globaltransit.net>
	<200911081917.29547.mtinka@globaltransit.net>
Message-ID: <4AF856AC.5070805@gmail.com>

Mikael Abrahamsson wrote:
> In order to detect loopbacks going away and using this to
> invalidate/remove next-hops quickly, you can't aggregate anyway.
>
> Sorry, I have yet to hear someone describe an ISP network (designed as
> per ISP essentials, carry loopbacks in IGP and everything else in BGP),
> where IGP aggregation makes sense. If you have 10k routers in your IGP,
> well, you most likely did something wrong earlier in the process.
>
> Also, with modern processors and techniques such as partial tree
> recalculation in modern router OSes, I'm sure even 10k routers would be
> manageable in a single area.

While I agree with these statements, our issue is not tree
recalculation/convergence. Our issue and driving need for IS-IS
multiarea is the fact that we have 3750ME's which can only hold ~2k
routes in the TCAM in our IS-IS domain, and we'll very rapidly exhaust
the TCAM unless we can do route summarization (i.e. upstream L2's send
default/ATT only).

-Jared

From Michael.Balasko at cityofhenderson.com Mon Nov 9 12:56:07 2009
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Mon, 9 Nov 2009 09:56:07 -0800
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
	<689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
Message-ID: <9AF22D15085E7D409ED5710CBC779E930A3194@COHNTCS09.ci.henderson.nv.us>

I too can vouch for the 5K's not being ready for prime time. Here is a
short list of the "advanced" features we are trying to use:

- Disable the HTTP/HTTPS server onboard
- NTP Authentication
- ACL's for SNMP access
- VTY ACL's
- VTP passthrough - VTP packets WILL NOT pass through this switch.
  Please save the "VTP is bad" argument for someone else.

As far as the Cisco litmus test of "it forwards packets so it's working
as designed" it operates fine, but until the above-mentioned issues are
fixed, we can't in good conscience roll them into production to find the
real bugs. We have piles of TAC cases open for this and we have screamed
loud enough to be in direct contact with the 5K business unit product
manager. The official answer is hurry up and wait. In order to fix these
Cisco bugs we bought a pair of Brocade Turboiron 24's which are now our
only non-Cisco piece of kit out of over 400 devices.
All that being said, we bought the 5K's to do 10G distribution for our
core so your mileage may vary depending on needs. If it were done again
right this second, I'd look at Arista Networks. We demo'd their gear way
back and were impressed with the support folks and the willingness to
respond to issues by cutting code instead of providing a workaround of
"none" or "don't use that feature". They couldn't do RPVST+ at the time
and that's why we looked elsewhere. They say they do it today and based
on some of the folks I know work there I'm inclined to believe them.

Mike

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Landers
Sent: Sunday, November 08, 2009 7:34 AM
To: Andrew White
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN

I realize this is cisco-nsp, but does anyone have any opinions on the
Force 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long
been frustrated with Cisco's lack of a cost-effective "48 ports of gigE
with a 10ge uplink" switch. I don't really *need* a $12,000 layer 3
switch (or two) at the top of every rack in my data center!

On Sun, Nov 8, 2009 at 6:49 AM, Andrew White wrote:

> Any reason why you wouldn't go for fcoe on nexus 5k? :)
>
> On Sat, Nov 7, 2009 at 6:26 AM, Jason Gurtz wrote:
>
>> Not sure that you want to go with Nexus at this point. It's got some
>> really nice features, however we keep running into code bugs. Not just
>> stuff that's obscure and shows up in certain situations but real show-
>> stoppers like being unable to form port-channels with HP blade servers.

From peter at rathlev.dk Mon Nov 9 13:09:26 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 09 Nov 2009 19:09:26 +0100
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
Message-ID: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk>

Pardon my ignorance, but we've recently inherited a bunch of
WS-CBS3012-IBM-I bladecenter switches, and I can't really grasp the
management interface concept.

All our other bladecenter switches are CIGESM with a regular interface
Vlan marked as "management-interface", and even though I don't like this
at least it works.

These CBS-switches have no "management-interface" commands; the IP
address assigned from the bladecenter management module ("AMM") sticks
to a "Fa0" interface, not what I intend to use for management (Vlan2).
We have no problem configuring "inband" management as such, but every
time someone edits and saves the AMM configuration the default-gateway
is overwritten. I know of "protected mode" but the paperwork involved in
getting permission to enable this means I'm looking at alternatives.

We can't configure the AMM interface with the real default gateway since
this address is outside the Fa0-assigned net. Is there some way of
bridging the Fa0 interface with a specific VLAN? Or another way of
making this work?

What exactly is "Fa0" and where would I insert a cable into this port?
It doesn't seem to exist physically on the front of the module.

(I tried reading the "Getting Started" guide and the chapter regarding
management in the "Configuration Guide" but either I'm blind or they're
targeted at server people.)

Thank you.

-- 
Peter

From peter at rathlev.dk Mon Nov 9 13:17:33 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 09 Nov 2009 19:17:33 +0100
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
In-Reply-To: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk>
References: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk>
Message-ID: <1257790653.9387.13.camel@abehat.dyn.net.rm.dk>

On Mon, 2009-11-09 at 19:09 +0100, Peter Rathlev wrote:
> What exactly is "Fa0" and where would I insert a cable into this port?
> It doesn't seem to exist physically on the front of the module.

Hmm... it seems that the bladecenter management interface actually
carries this traffic, i.e. the switch management is the same VLAN as I
place the Bladecenter AMM in. Is there any way around this? I don't like
placing server stuff (like the AMM) together with my switches. :-)

-- 
Peter

From jimmi at netpoint.com.br Mon Nov 9 13:07:57 2009
From: jimmi at netpoint.com.br (jimmi)
Date: Mon, 9 Nov 2009 15:07:57 -0300
Subject: [c-nsp] MPLS Multi-AS options...
In-Reply-To: <200911071534.30804.mtinka@globaltransit.net>
References: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>
	<200911071534.30804.mtinka@globaltransit.net>
Message-ID: <20091109180657.M51920@netpoint.com.br>

Folks.

I read these papers a long time ago, so I do not remember any more
exactly what these option labels (A, B, AB, ...) mean.

What I can tell you guys is that I operate a network which has an
Inter-AS peering where we exchange IPv4 & VPNv4 prefixes and traffic
while maintaining QoS services compatibility at both sides (ASs), and
have for a long time; customers whose VPNs have sites serviced by both
ASs have their QoS requirements honored on both ASs' backbones and
last-mile connections.

I already had real "Inter-AS + QoS compatibility" experience with Cisco
being the only platform, and where Cisco interoperates with (two)
different vendors, and that worked just fine.

This deployment, where you just have to establish a single eBGP peering
at the VPNv4 address-family to exchange VPNv4 prefixes and traffic (of
course you may exchange IPv4 also, and may establish redundant
peerings), brings lots of benefits. It does not impact your ASBR
resources, reduces the number of connections between ASBRs, routing gets
simplified, it allows oversubscription between ASBRs, and it does not
require you to act at the borders (ASBRs) each time a "site" is added or
removed from a customer VPN (regardless of where this site is
connected).

[]s.
Jimmi.
---------- Original Message -----------
From: Mark Tinka
To: cisco-nsp at puck.nether.net
Sent: Sat, 7 Nov 2009 15:34:29 +0800
Subject: Re: [c-nsp] MPLS Multi-AS options...

> On Friday 06 November 2009 03:40:57 am Kenny Sallee wrote:
>
> > I'm wondering if anyone is actually doing any flavor of
> > Multi-AS backbone in the real world? Option A
> > doesn't seem scalable at all. Option B seems scalable,
> > but the level of trust and lack of QoS may be a concern.
> > Option AB - I'm trying to fully understand w/o a ton of
> > lab time. As I read the first Cisco link above, with
> > Option AB - you must configure a sub-interface PER
> > VPN/Client in its own VRF on each SP's ASBR. So if you
> > have 100 different customers, on that interconnect
> > between SP1 and SP2 you must configure 100
> > sub-interfaces, VRF's with unique (agreed-upon) RD's.
> > Then you configure a single MP-BGP session to carry the
> > VPNv4 addresses for all VRF's. So really you are only
> > saving X number of BGP sessions with Option AB compared
> > to say just Option A, correct?
>
> Yes, the difference between Option AB (a.k.a. Option D) and
> Option A or Option B is that with Option AB, only a single
> eBGP session between the ASBR's is required. Furthermore,
> while forwarding can be based on MPLS, IP forwarding is also
> supported, which preserves QoS values that can be used for
> processing across the ASBR<=>ASBR link.
>
> My suggestion; for any NNI option you choose, it should go a
> long way in making your life easy, i.e., you don't have to
> create a sub-interface for each customer VPN, you don't have
> to create an eBGP session for each customer VPN.
>
> While Option AB is in an IETF draft state, I only know of
> Cisco being the only vendor implementing it (there could be
> others, though - I haven't researched beyond the vendors we
> use in production).
> However, some of the other vendors are
> able to implement the methods Option AB uses to operate, but
> in such a manner that it may not necessarily be compatible
> with Cisco's, or if it is, implementing it may not be as
> scalable, requiring that a number of boxes in the end-to-end
> VPN connection be touched for co-ordination.
>
> Personally, I think Option AB is rather complicated in its
> design, but based on Cisco's implementation, a lot of that
> complexity is hidden from the operators, with the routers
> doing all that automatically. It is an interesting option,
> but the need to configure a sub-interface for each VPN
> leaves a strange taste in my mouth.
>
> One of the other vendors we're working with is able to
> implement Option B + IP processing, which is cool because we
> maintain a single interface for all VPN's, and a single eBGP
> session for all VPN's, without losing the ability to do QoS.
> Still checking with Cisco whether they can do this.
>
> Things get a lot more interesting when you try to inter-op
> NNI relationships. If Cisco can't do Option B + IP
> processing, it may make sense for us to have both a Cisco
> and non-Cisco NNI router at each NNI site in order to have
> smooth NNI relationships depending on what platforms our
> partners can support. Of course, we can only support two
> platforms, so work becomes trickier if our NNI partner
> brings along an unsupported device - but, it won't be the
> end of the world :-).
>
> Things get a lot more interesting if you want to NNI for
> l2vpn/VPLS services.
>
> Cheers,
>
> Mark.
------- End of Original Message -------

From tin.nguyen at sasktel.net Mon Nov 9 15:27:25 2009
From: tin.nguyen at sasktel.net (Tin Nguyen)
Date: Mon, 09 Nov 2009 14:27:25 -0600
Subject: [c-nsp] Experience with CRS-1 FP-40?
Message-ID: <6c566cc2ee93.4af826cd@sasktel.net>

Hello all,

I am looking to learn of any good or bad deployment experience with the
new Cisco CRS-1 FP-40 module.
Besides the limitations outlined in Cisco's datasheet (less pps and QoS
queues than MSC-40), are there any other gotchas that you have found in
testing or deployment?

Thank you for sharing your experiences in this matter,

Tin

From kilobit at gmail.com Mon Nov 9 15:46:55 2009
From: kilobit at gmail.com (bas)
Date: Mon, 9 Nov 2009 21:46:55 +0100
Subject: [c-nsp] Upgrade to XR-IOS 3.8.1
In-Reply-To: <480dad640911081929h1cd625ccueedf1c058f7b38ae@mail.gmail.com>
References: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com>
	<480dad640911081929h1cd625ccueedf1c058f7b38ae@mail.gmail.com>
Message-ID:

On Mon, Nov 9, 2009 at 4:29 AM, Aaron wrote:
> Yeah. ISSU isn't where it should be. Some SMU's require a reload depending on
> what components are touched.

Out of the last 20 SMU's for 3.6.2 only 11 were non-traffic-impacting.
(for us)

http://marc.info/?l=cisco-nsp&m=125508819921150&w=2

From kenny.sallee at gmail.com Mon Nov 9 16:57:19 2009
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Mon, 9 Nov 2009 13:57:19 -0800
Subject: [c-nsp] MPLS Multi-AS options...
In-Reply-To: <20091109180657.M51920@netpoint.com.br>
References: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>
	<200911071534.30804.mtinka@globaltransit.net>
	<20091109180657.M51920@netpoint.com.br>
Message-ID: <4a80ecce0911091357l3879e60bk5153056c3c0c1096@mail.gmail.com>

Hi Jimmi - thanks for sharing - some comments / questions inline below

On Mon, Nov 9, 2009 at 10:07 AM, jimmi wrote:

>
> Folks.
>
> I read these papers a long time ago, so I do not remember any more
> exactly what these option labels (A, B, AB, ...) mean.
>

Quick recap for you:

Option A = back to back VRF's via sub-interfaces and BGP peering PER VRF
(lots of resources)

Option B = exchange of VPN-IPv4 addresses and agreement on RT's and
label switched path from ingress PE to egress PE routers

Option AB (aka option D as I've learned): VRF's and sub-interface per
client and a single eBGP session to carry VPN-IPv4 addresses

>
> What I can tell you guys is that I operate a network which has an
> Inter-AS peering where we exchange IPv4 & VPNv4 prefixes and traffic
> while maintaining QoS services compatibility at both sides (ASs) for a
> long time, and customers whose VPNs have sites serviced by both ASs
> have their QoS requirements honored at both ASs' backbones and last
> mile connections.
>

Sounds like you are doing option B?

>
> I already had real "Inter-AS + QoS compatibility" experience with Cisco
> being the only platform, and where Cisco interoperates with (two)
> different vendors, and that worked just fine.
>

On your ASBR - do you have to create VRF's for every customer that
crosses the ASBR? Do you mind sharing the relevant parts of your
configuration (sanitized of course) if possible?

>
> This deployment where you just had to establish a single eBGP peering at
> VPNv4 address-family to exchange VPNv4 prefixes and traffic (of course
> you may exchange IPv4 also, and may establish redundant peerings) brings
> lots of benefits. It does not impact your ASBR resources, reduces the
> number of connections between ASBRs & routing gets simplified, allows
> oversubscription between ASBRs, does not require you to act at the
> borders (ASBRs) each time a "site" is added or removed from a customer
> VPN (regardless of where this site is connected).
>

That's interesting actually - sounds pretty straight forward. So far it
seems like some overseas operators are actually doing this or
contemplating doing it. Anyone in the continental US researching and/or
implemented (ing) either of the options?
Kenny

From egirard at focustsi.com Mon Nov 9 17:29:42 2009
From: egirard at focustsi.com (Eric Girard)
Date: Mon, 9 Nov 2009 17:29:42 -0500
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
In-Reply-To: <1257790653.9387.13.camel@abehat.dyn.net.rm.dk>
References: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk>
	<1257790653.9387.13.camel@abehat.dyn.net.rm.dk>
Message-ID:

Peter,

I'm not familiar with the IBM, but when I deploy the 3x20 for the HP
chassis, I just disable the Fa0 port to cut it off from the HP Onboard
Administrator, and then proceed to configure it as a 'regular' switch
with a management VLAN that comes in on the regular uplinks to the rest
of the network.

Hope that helps.

Eric

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Monday, November 09, 2009 1:18 PM
To: cisco-nsp
Subject: Re: [c-nsp] Catalyst Blade Switch 3012 inband management?

On Mon, 2009-11-09 at 19:09 +0100, Peter Rathlev wrote:
> What exactly is "Fa0" and where would I insert a cable into this port?
> It doesn't seem to exist physically on the front of the module.

Hmm... it seems that the bladecenter management interface actually
carries this traffic, i.e. the switch management is the same VLAN as I
place the Bladecenter AMM in. Is there any way around this? I don't like
placing server stuff (like the AMM) together with my switches.
:-)

--
Peter

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From andy.saykao at staff.netspace.net.au Mon Nov 9 17:53:42 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 10 Nov 2009 09:53:42 +1100
Subject: [c-nsp] Troubelshooting Output Drops on 7301
References: <56F211C5E3F24F47B103EA1B253822BE044AAEEF@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAEF5@vic-cr-ex1.staff.netspace.net.au>

Hi All,

Is it bad to change the hold-queue from its default of 40 on the Cisco 7301? I came across this article which isn't specific to the 7301, but in the article they recommended changing the hold-queue on a 1G interface to "hold-queue 1024 out".

http://fasterdata.es.net/cisco.html

Once I set the interface with a "hold-queue 1024 out", it seems the output drops have decreased significantly. Prior to doing this I was seeing a lot of output drops and doing a show int would always see the output drop counter increasing. They seem to have stopped with increasing the hold-queue.

Are there any advantages or disadvantages to tampering with the hold queue in terms of it having any performance or load implications???

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.
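An added illustration of the trade-off Andy is asking about (this is not code from the list post, from Cisco, or from the fasterdata article): a plain FIFO with a tail-drop limit standing in for "hold-queue N out", drained at a constant rate, fed a constructed burst. The burst pattern, tick units and link rate are all assumptions chosen so the average load stays well below the link rate; only the burst depth decides what gets dropped.

```python
# Added illustration for the hold-queue question above; not code from the
# list post or from Cisco. An interface output queue is modelled as a FIFO
# with a tail-drop limit ("hold-queue N out") and a constant drain rate.
# The burst pattern and tick units are constructed, not measured on a 7301.
from collections import deque


def simulate_output_queue(arrivals, service_per_tick, hold_queue):
    """Run a tail-drop FIFO over a constructed arrival pattern.

    arrivals         -- packets offered to the interface in each tick
    service_per_tick -- packets the link drains per tick (link rate)
    hold_queue       -- maximum queue depth, the IOS 'hold-queue N out' value
    Returns the counters an operator would compare between two settings.
    """
    queue = deque()          # tick in which each queued packet arrived
    drops = delivered = 0
    max_depth = max_delay = 0
    for tick, count in enumerate(arrivals):
        # Tail drop: packets offered beyond the limit are what the
        # 'output drops' counter in 'show interface' counts.
        for _ in range(count):
            if len(queue) >= hold_queue:
                drops += 1
            else:
                queue.append(tick)
        max_depth = max(max_depth, len(queue))
        # Drain at link rate; queueing delay is how long a packet waited.
        for _ in range(min(service_per_tick, len(queue))):
            enqueued_at = queue.popleft()
            delivered += 1
            max_delay = max(max_delay, tick - enqueued_at)
    return {
        "drops": drops,
        "delivered": delivered,
        "max_depth": max_depth,
        "max_delay_ticks": max_delay,
        "backlog": len(queue),
    }


def bursty_pattern(burst_size=100, burst_ticks=10, idle_ticks=90):
    """Constructed offered load: a short burst followed by idle time.

    Average load over the cycle is burst_size*burst_ticks/(burst_ticks+idle_ticks)
    packets per tick (10 here), half the link rate used below, so every
    drop comes from burst depth rather than sustained oversubscription.
    """
    return [burst_size] * burst_ticks + [0] * idle_ticks


def compare_hold_queues(depths=(40, 1024), service_per_tick=20):
    """Offer the same burst to each hold-queue depth and collect the counters."""
    pattern = bursty_pattern()
    return {d: simulate_output_queue(pattern, service_per_tick, d) for d in depths}


if __name__ == "__main__":
    for depth, stats in compare_hold_queues().items():
        print(f"hold-queue {depth:>5} out: {stats}")
```

With the default depth the burst is mostly tail-dropped and nothing waits more than a tick; with 1024 every packet is delivered but the tail of the burst sits in the queue for 40 ticks. That is the whole trade: a deeper hold queue converts drops into latency and memory use, which is fine for bulk TCP and less fine for anything latency-sensitive sharing the interface. A real 7301 interface also has a hardware transmit ring and any configured queueing policy in front of this FIFO, which the model leaves out.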
From jcdarby at usgs.gov Mon Nov 9 19:22:58 2009
From: jcdarby at usgs.gov (Justin C Darby)
Date: Mon, 9 Nov 2009 19:22:58 -0500
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
In-Reply-To:
References: , <1257790166.9387.9.camel@abehat.dyn.net.rm.dk> <1257790653.9387.13.camel@abehat.dyn.net.rm.dk>
Message-ID:

Enable protected mode on the AMM, then 'platform chassis-management protected-mode' on your switch. The switch will require a reload and sever the fastethernet management ports automatically. We do this all the time here. :)

Note that this seriously breaks any existing configuration in some circumstances (which I won't get to here). I strongly suggest you use the provided stacking cables at least between two switches in one Bladecenter chassis if your switch does stacking (I use 3110x's, mostly, so it's required to get 10GbE uplink redundancy).

Justin

-----cisco-nsp-bounces at puck.nether.net wrote: -----

To: Peter Rathlev , cisco-nsp
From: Eric Girard
Sent by: cisco-nsp-bounces at puck.nether.net
Date: 11/10/2009 07:33AM
Subject: Re: [c-nsp] Catalyst Blade Switch 3012 inband management?

Peter,

I'm not familiar with the IBM, but when I deploy the 3x20 for the HP chassis, I just disable the Fa0 port to cut it off from the HP Onboard Administrator, and then proceed to configure it as a 'regular' switch with a management VLAN that comes in on the regular uplinks to the rest of the network. Hope that helps.

Eric

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Monday, November 09, 2009 1:18 PM
To: cisco-nsp
Subject: Re: [c-nsp] Catalyst Blade Switch 3012 inband management?

On Mon, 2009-11-09 at 19:09 +0100, Peter Rathlev wrote:
> What exactly is "Fa0" and where would I insert a cable into this port?
> It doesn't seem to exist physically on the front of the module.

Hmm...
it seems that the bladecenter management interface actually carries this traffic, i.e. the switch management is the same VLAN as I place the Bladecenter AMM in. Is there any way around this? I don't like placing server stuff (like the AMM) together with my switches. :-)

--
Peter

From judah.scott.iam at gmail.com Mon Nov 9 21:30:54 2009
From: judah.scott.iam at gmail.com (Judah Scott)
Date: Mon, 9 Nov 2009 18:30:54 -0800
Subject: [c-nsp] CRS-1 MSC, MSC-B, FP40
Message-ID: <3172b9cb0911091830g76239312wb64bac8bf9dc7a5a@mail.gmail.com>

What is the difference between the three CRS L3+ forwarding engines? The datasheets look like straight copy-paste besides the weight and power-ratings. The only downside to FP40 that I have found so far relates to the inability to use SIP-800 (and as a result, older SPAs). Can anyone point me to more complete comparisons?

Thanks in advance.

-J Scott

From mrz at velvet.org Mon Nov 9 23:10:25 2009
From: mrz at velvet.org (matthew zeier)
Date: Mon, 9 Nov 2009 20:10:25 -0800
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
In-Reply-To:
References: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk> <1257790653.9387.13.camel@abehat.dyn.net.rm.dk>
Message-ID: <852C4695-13C6-447A-AAF8-3AC7E27B58EA@velvet.org>

On Nov 9, 2009, at 2:29 PM, Eric Girard wrote:

> Peter,
> I'm not familiar with the IBM, but when I deploy the 3x20 for the
> HP chassis, I just disable the Fa0 port to cut it off from the HP
> Onboard Administrator, and then proceed to configure it as a
> 'regular' switch with a management VLAN that comes in on the regular
> uplinks to the rest of the network. Hope that helps.

What do you gain from this? I did that with the first switch but don't anymore. fa0 sits on NMS along with the OA. Means I don't need to carry the NMS Vlan on the 3x20.

(though I do wish HP/Cisco would integrate the serial console like HP's done with their own switches)

From mauritz at three6five.com Tue Nov 10 01:37:18 2009
From: mauritz at three6five.com (Mauritz Lewies)
Date: Tue, 10 Nov 2009 09:37:18 +0300
Subject: [c-nsp] overruns
In-Reply-To:
References:
Message-ID: <1257835038.5732.15.camel@mauritzlewies>

Hi

Is flow-control enabled on the other end? Seems like you are connecting to a device that doesn't support flow-control.

regards

On Mon, 2009-11-09 at 11:22 +0200, Mohammad Khalil wrote:
> hey all
>
> i have Cisco 7606 connected to WiMAX ASN GW via port channel
> now i have the following issue
> router#sh int po10 | inc overrun
>      0 input errors, 0 CRC, 0 frame, 8032 overrun, 0 ignored
> router#sh int po10 | inc ove
> router#sh int po20 | inc overrun
>      0 input errors, 0 CRC, 0 frame, 4305576 overrun, 0 ignored
>
> router#sh run int po10
> Building configuration...
>
> Current configuration : 216 bytes
> !
> interface Port-channel10
>  description CORE_VLAN to ASN Gateway
>  switchport
>  switchport access vlan 10
>  switchport trunk encapsulation dot1q
>  switchport mode access
>  flowcontrol receive on
>  flowcontrol send on
> end
>
> router#sh run int po20
> Building configuration...
>
> Current configuration : 215 bytes
> !
> interface Port-channel20
>  description RAS-VLAN to ASN Gateway
>  switchport
>  switchport access vlan 20
>  switchport trunk encapsulation dot1q
>  switchport mode access
>  flowcontrol receive on
>  flowcontrol send on
> end
>
> router#sh int port-channel 10 etherchannel
> Age of the Port-channel   = 284d:17h:52m:00s
> Logical slot/port   = 14/1          Number of ports = 5
> GC                  = 0x00000000      HotStandBy port = null
> Port state          = Port-channel Ag-Inuse
> Protocol            =   -
>
> Ports in the Port-channel:
>
> Index   Load   Port     EC state        No of bits
> ------+------+------+------------------+-----------
>   0     21     Gi3/3    On                 2
>   1     42     Gi3/11   On                 2
>   2     84     Gi3/19   On                 2
>   3     08     Gi3/27   On                 1
>   4     10     Gi3/35   On                 1
>
> Time since last port bundled:    154d:01h:08m:46s    Gi3/35
> Time since last port Un-bundled: 154d:01h:08m:50s    Gi3/35
>
>
> router#sh int port-channel 20 etherchannel
> Age of the Port-channel   = 284d:17h:52m:09s
> Logical slot/port   = 14/2          Number of ports = 5
> GC                  = 0x00000000      HotStandBy port = null
> Port state          = Port-channel Ag-Inuse
> Protocol            =   -
>
> Ports in the Port-channel:
>
> Index   Load   Port     EC state        No of bits
> ------+------+------+------------------+-----------
>   0     21     Gi3/4    On                 2
>   1     42     Gi3/12   On                 2
>   2     84     Gi3/20   On                 2
>   3     08     Gi3/28   On                 1
>   4     10     Gi3/36   On                 1
>
> Time since last port bundled:    154d:00h:55m:38s    Gi3/36
> Time since last port Un-bundled: 154d:00h:55m:41s    Gi3/36
>
> example of the interfaces:
>
>
> CR1.KJ-Building#sh run int g3/36
> Building configuration...
>
> Current configuration : 284 bytes
> !
> interface GigabitEthernet3/36
>  description RAS_VLAN (porrtchannel 20)
>  switchport
>  switchport access vlan 20
>  switchport mode access
>  no logging event link-status
>  load-interval 30
>  speed 1000
>  duplex full
>  flowcontrol receive on
>  flowcontrol send on
>  channel-group 20 mode on
> end
>
> CR1.KJ-Building#sh run int g3/35
> Building configuration...
>
> Current configuration : 300 bytes
> !
> interface GigabitEthernet3/35
>  description CORE_VLAN to ASN Gateway (porrtchannel 10)
>  switchport
>  switchport access vlan 10
>  switchport mode access
>  no logging event link-status
>  load-interval 30
>  speed 1000
>  duplex full
>  flowcontrol receive on
>  flowcontrol send on
>  channel-group 10 mode on
> end
>
> and on the other router
>
> router#sh int po10 | inc overrun
>      0 input errors, 0 CRC, 0 frame, 1643 overrun, 0 ignored
> router#sh int po20 | inc overrun
>      0 input errors, 0 CRC, 0 frame, 591813 overrun, 0 ignored
>
>
> anyone can help ??
>
>
> _________________________________________________________________
> Windows Live Hotmail: Your friends can get your Facebook updates, right from Hotmail®.
> http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_4:092009

From sethm at rollernet.us Tue Nov 10 02:11:57 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 09 Nov 2009 23:11:57 -0800
Subject: [c-nsp] Using "autocommand" securely?
Message-ID: <4AF9123D.6050400@rollernet.us>

I have an old PM25 that obviously doesn't support telnet that I use for serial console access, so I thought of using the following quick and dirty way of giving it some external transport security via SSH to a cisco and autocommanding to telnet:

username bettysue noescape nohangup user-maxlinks 1 password x
username bettysue autocommand telnet 1.2.3.4 5678

Is there anything bad or insecure about doing this i.e. any way to get to the IOS prompt or to abuse the router itself?
~Seth

From ras at e-gerbil.net Tue Nov 10 02:36:00 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Tue, 10 Nov 2009 01:36:00 -0600
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <4AF856AC.5070805@gmail.com>
References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net> <4AF856AC.5070805@gmail.com>
Message-ID: <20091110073600.GE51443@gerbil.cluepon.net>

On Mon, Nov 09, 2009 at 09:51:40AM -0800, Jared Gillis wrote:
> While I agree with these statements, our issue is not tree
> recalculation/convergence. Our issue and driving need for IS-IS
> multiarea is the fact that we have 3750ME's which can only hold ~2k
> routes in the TCAM in our IS-IS domain, and we'll very rapidly exhaust
> the TCAM unless we can do route summarization (i.e. upstream L2's send
> default/ATT only).

So why can't you put the routes into iBGP, use your IGP only for the loopbacks, and learn a default route from your upstream devices?

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F  CC1C 53AF 4C41 5ECA F8B1 2CBC)

From perc69 at gmail.com Tue Nov 10 02:46:28 2009
From: perc69 at gmail.com (Per Carlson)
Date: Tue, 10 Nov 2009 08:46:28 +0100
Subject: [c-nsp] CRS-1 MSC, MSC-B, FP40
In-Reply-To: <3172b9cb0911091830g76239312wb64bac8bf9dc7a5a@mail.gmail.com>
References: <3172b9cb0911091830g76239312wb64bac8bf9dc7a5a@mail.gmail.com>
Message-ID: <746ca6da0911092346v345b0e67p4a4c2408a10a3655@mail.gmail.com>

Hi.

> What is the difference between the three CRS L3+ forwarding engines? The
> datasheets look like straight copy-paste besides the weight and
> power-ratings.

That's true for MSC and MSC-B. They are virtually the same, but the B-version draws less power (and requires a newer XR-version).

> The only downside to FP40 that I have found so far relates
> to the inability to use SIP-800 (and as a results, older SPAs).
The FP40 is a completely different breed, and as you have found out, supports different PLIMs than MSC/MSC-B. These linecards were originally designed for the ASR14k (a CRS1-light device), but it was pulled from the market before getting released (more or less). The downsides of FP40, compared to MSC/MSC-B, are fewer hardware queues and not being able to do 40G at minimal packet sizes.

You can use older SPA's in any of the "Flexible Interface Modules" (http://www.cisco.com/en/US/prod/collateral/routers/ps5763/data_sheet_c78-553671.html and http://www.cisco.com/en/US/prod/collateral/routers/ps5763/data_sheet_c78-549654.html).

--
Pelle

From mvanton at gmail.com Tue Nov 10 04:34:14 2009
From: mvanton at gmail.com (vince anton)
Date: Tue, 10 Nov 2009 10:34:14 +0100
Subject: [c-nsp] 7600 for ip transit uplink
In-Reply-To: <1ebb7fa90911090555r1ae975a1p80686ddc8de3cb22@mail.gmail.com>
References: <87e0d3ae0911090256q505fd15do217eb55976d6b8d3@mail.gmail.com> <1ebb7fa90911090555r1ae975a1p80686ddc8de3cb22@mail.gmail.com>
Message-ID: <87e0d3ae0911100134xdc842c3h8d9713f428d27ec@mail.gmail.com>

thanks for your replies

anthony, yes you are correct, it's surely 10GE (6704 or SPA being the question), and not SDH/OC192

I currently have 6704 links to my internal core working just fine, but those are LAN links as intended by design of the card :)

the choice and suitability of the interface to the upstream carrier is the question here, as the cost of a 10G interface on the already existing 6704 card is low (basically the cost of the XENPAK), compared to the cost of a SIP/ES20 which is $$$

then again if there are serious issues with using the LAN port for an upstream, it _may_ perhaps justify the price if we gain on stability, etc..

would be interesting to know the _technical_ reasons why cisco frowns at this.
thanks

anton

From peter at rathlev.dk Tue Nov 10 07:22:20 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 10 Nov 2009 13:22:20 +0100
Subject: [c-nsp] uRPF bug on C6k SXI1?
Message-ID: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk>

Hi,

I've discovered what seems to be a bug on C6k at least in SXI1. I haven't been able to find anything about it in the bug toolkit. It might be related to CSCsk65860 though.

If I configure a SVI in a VRF and add "ip verify source reachable-via any" and afterwards enable "ip verify source reachable-via any allow-default" the switch seems to drop a lot of traffic, something like every 12th packet.

If I remove the "ip verify"-command and then add the version with "allow-default" directly, I have no problems. Without uRPF there's no problem either. Only when first entering the command without "allow-default" and then adding "allow-default" does the problem appear.

Has anybody seen anything like this? Would anybody know how to debug this?

When the problem appears, the "show ip interface VlanX" isn't showing any uRPF drops:

R1#sh ip int vlan 901
Vlan901 is up, line protocol is up
[...]
  IP verify source reachable-via ANY, allow default
   0 verification drops
   0 suppressed verification drops
  IP multicast multilayer switching is disabled
R2#

Sending traffic out of this interface gives the errors:

R2#ping vrf RM03313 10.100.28.1 so 10.100.141.2 re 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.100.28.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.141.2
!!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!
!!.!!!!!!!!!!!.!!!!!!!!!!!.!!!
Success rate is 92 percent (92/100), round-trip min/avg/max = 1/1/4 ms
R2#

When removing/re-adding the uRPF command the forwarding works fine:

R2#ping vrf RM03313 10.100.28.1 so 10.100.141.2 re 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.100.28.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.141.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms
R2#

We're glad we found a fix, but maybe others have been pulling out hair over this one. :-)

--
Peter

From peter at rathlev.dk Tue Nov 10 07:25:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 10 Nov 2009 13:25:16 +0100
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
In-Reply-To:
References: , <1257790166.9387.9.camel@abehat.dyn.net.rm.dk> <1257790653.9387.13.camel@abehat.dyn.net.rm.dk>
Message-ID: <1257855916.22754.13.camel@abehat.dyn.net.rm.dk>

On Mon, 2009-11-09 at 17:29 -0500, Eric Girard wrote:
> I'm not familiar with the IBM, but when I deploy the 3x20 for the HP
> chassis, I just disable the Fa0 port to cut it off from the HP
> Onboard Administrator, and then proceed to configure it as a 'regular'
> switch with a management VLAN that comes in on the regular uplinks to
> the rest of the network. Hope that helps.

I'm apparently not allowed to shut the interface, at least not with the switch not in protected mode.

On Mon, 2009-11-09 at 19:22 -0500, Justin C Darby wrote:
> Enable protected mode on the AMM, then 'platform chassis-management
> protected-mode' on your switch. The switch will require a reload and sever
> the fastethernet management ports automatically.

As I wrote in the original post, the paperwork to get permission to do this isn't trivial, but of course it is the only correct answer.

Thanks for the replies everyone. :-)

--
Peter

From p.mayers at imperial.ac.uk Tue Nov 10 08:23:08 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 10 Nov 2009 13:23:08 +0000
Subject: [c-nsp] uRPF bug on C6k SXI1?
In-Reply-To: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk>
References: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk>
Message-ID: <4AF9693C.4000301@imperial.ac.uk>

Peter Rathlev wrote:
> Hi,
>
> I've discovered what seems to be a bug on C6k at least in SXI1. I
> haven't been able to find anything about it in the bug toolkit. It might
> be related to CSCsk65860 though.
>
> If I configure a SVI in a VRF and add "ip verify source reachable-via
> any" and afterwards enable "ip verify source reachable-via any
> allow-default" the switch seems to drop a lot of traffic, something like
> every 12th packet.

Do you have CoPP or MLS rate limiters? Is the traffic being CPU punted (use a SPAN session to find out) and this rate-limiting what's causing the drops?

If so, it could be a hardware/tcam programming error; we've seen a few of these in obscure cases on SXI, and I've not found a reliable way to clear them. Does a "shut" / "no shut" of the SVI fix the problem? Or the various "clear" commands (e.g. "clear cef" etc.)

>
> If I remove the "ip verify"-command and then add the version with
> "allow-default" directly, I have no problems. Without uRPF there's no
> problem either. Only when first entering the command without
> "allow-default" and then adding "allow-default" does the problem appear.

We haven't seen that, but have seen other issues where (apparently) CEF entries are programmed incorrectly resulting in traffic being CPU punted and having to pass through CoPP, and thus being very lossy. See e.g.
http://www.gossamer-threads.com/lists/cisco/nsp/112984

From nadengine at googlemail.com Tue Nov 10 08:58:32 2009
From: nadengine at googlemail.com (shadow floating)
Date: Tue, 10 Nov 2009 15:58:32 +0200
Subject: [c-nsp] Network design change
In-Reply-To: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com>
References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com>
Message-ID: <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com>

Hi All,

My company has two sites in 2 different locations that are connected via a high speed link at the core layer (I've attached a diagram in question.jpg for ease of explanation). In each site I've 1 DMZ; the network team wants to connect the DMZ switches in both sites for better performance and "security" - the link under investigation is shown in red in the picture - via a high speed link without passing at all through the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs and also this will help if any of the 2 firewalls had a failure, to access both DMZs from any firewall.

Is that better from a security point of view?

appreciating your great help and advice

thanks a lot

Regards,
Nad

From zivl at gilat.net Tue Nov 10 09:13:06 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 10 Nov 2009 16:13:06 +0200
Subject: [c-nsp] Network design change
In-Reply-To: <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com>
References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com>
Message-ID:

Hi Nad,
This list accepts only text only messages, so the picture isn't attached to the message we've got.
I suggest you to upload your diagram to some free image hosting site such as http://imageshack.us/ and post the link here

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of shadow floating
Sent: Tuesday, November 10, 2009 3:59 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Network design change

Hi All,

My company has two sites in 2 different locations that are connected via a high speed link at the core layer (I've attached a diagram in question.jpg for ease of explanation). In each site I've 1 DMZ; the network team wants to connect the DMZ switches in both sites for better performance and "security" - the link under investigation is shown in red in the picture - via a high speed link without passing at all through the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs and also this will help if any of the 2 firewalls had a failure, to access both DMZs from any firewall.

Is that better from a security point of view?

appreciating your great help and advice

thanks a lot

Regards,
Nad

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
From sony.scaria at gmail.com Tue Nov 10 09:25:31 2009
From: sony.scaria at gmail.com (sony.scaria at gmail.com)
Date: Tue, 10 Nov 2009 14:25:31 +0000
Subject: [c-nsp] BGP Community-MED [7:137451]
Message-ID: <903160314-1257863127-cardhu_decombobulator_blackberry.rim.net-718747546-@bda135.bisx.produk.on.blackberry>

Metric will be carried into an AS, but will not pass it to a 3rd AS. When the same update is carried to the 3rd AS, the MED value is set to 0.

Ps: an optional non transitive attribute must be deleted by a router that has not implemented the attribute.

Sony.

------Original Message------
From: R.B. Kumar
Sender: nobody at groupstudy.com
To: cisco at groupstudy.com
ReplyTo: R.B. Kumar
Subject: BGP Community-MED [7:137451]
Sent: Nov 10, 2009 16:56

Hi Friends,

A basic CCNA level query. Hope you experts do not bother to help me on this

I know that BGP MED is having OPTIONAL NON-TRANSITIVE attribute. But I also know that MED is capable of moving to immediate next neighbour AS.

MED is a hint to external neighbors about the preferred path into an autonomous system (AS) that has multiple entry points

But since it is passing to next AS, how is it categorized as NON-TRANSITIVE? Since it is seen in neighbour AS, I thought it should be TRANSITIVE. But to my surprise it is OPTIONAL NON-TRANSITIVE

Please help me where i have understood wrongly

regards & Thanks in advance
RBK

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=137451&t=137451
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html

Sent on my BlackBerry®
from Vodafone

From mtinka at globaltransit.net Tue Nov 10 09:31:40 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 10 Nov 2009 22:31:40 +0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <20091109072346.GK51443@gerbil.cluepon.net>
References: <4AF21CA5.4050804@gmail.com> <200911091432.32320.mtinka@globaltransit.net> <20091109072346.GK51443@gerbil.cluepon.net>
Message-ID: <200911102232.01323.mtinka@globaltransit.net>

On Monday 09 November 2009 03:23:46 pm Richard A Steenbergen wrote:

> I'm not questioning your decision, I'm just stating it
> for the archives and for everyone else who has to make
> this same decision at some point in the future: If you
> have to ask, just don't do it. I see way too many people
> trying to deploy areas with 10 router networks because
> they read somewhere that it was what they were supposed
> to do to scale, or because people saw it on an exam
> somewhere.

This makes sense, and I appreciate where you're coming from.

However, wearing my "instructor" hat when we give workshops in various places around the world, we tend to teach folk how to build large scale networks, based on our own experiences doing the same. In some cases, we say build scaling into your operations even when it may seem "unnecessary", because the general assumption is that your network is going to grow. Sure, it could take 5, 10, 15 years, depending on whom you ask, but if there's a chance it does grow, you don't want to re-work your entire design to add scaling into the mix; especially since adding scalability in from the start doesn't add any incremental cost in terms of $$ or complexity.

And I'm not just talking about OSPF or IS-IS specifically (since router CPU's are much faster these days, assuming operators can afford such platforms), but networking in general, especially for some features or protocols where thinking about scalability from day one isn't such a bad idea, even if it might make little sense today.
I'm sure many of us, in our careers as network operators, have wished that we had done something differently in the past not to suffer the pain of today - even if it seemed infeasible, at the time, that we'd get to where we are today.

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL:

From mtinka at globaltransit.net Tue Nov 10 09:40:39 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 10 Nov 2009 22:40:39 +0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <4AF83918.9010505@templin.org>
References: <4AF21CA5.4050804@gmail.com> <20091109072346.GK51443@gerbil.cluepon.net> <4AF83918.9010505@templin.org>
Message-ID: <200911102241.01282.mtinka@globaltransit.net>

On Monday 09 November 2009 11:45:28 pm Pete Templin wrote:

> +1. I've recently finished a complete overhaul of a
> 14-router 5-POP network that had 6 areas (one for each
> POP), and had area 0 split into two independent areas 0.
> Access routers in any POP had no idea that access routers
> existed in other POPs, etc.

I may be missing it in your message above, but if you're able to share, did you collapse the entire backbone into a single Area, or did you maintain the splits?

Cheers,

Mark.

From egirard at focustsi.com Tue Nov 10 09:48:27 2009
From: egirard at focustsi.com (Eric Girard)
Date: Tue, 10 Nov 2009 09:48:27 -0500
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
In-Reply-To: <852C4695-13C6-447A-AAF8-3AC7E27B58EA@velvet.org>
References: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk> <1257790653.9387.13.camel@abehat.dyn.net.rm.dk> <852C4695-13C6-447A-AAF8-3AC7E27B58EA@velvet.org>
Message-ID:

I don't think there is a big gain, but typically the OA tends to just get cabled back into the chassis switch anyways so the management VLAN is already there, and I have seen the internal switch inside the OA go bad before. I've also seen it be a political issue between the server team and the network team, so it's just easier to keep it separate.

The console issue is interesting, because the MDS 9124 has the internal console, but the switches do not.

Eric

-----Original Message-----
From: matthew zeier [mailto:mrz at velvet.org]
Sent: Monday, November 09, 2009 11:10 PM
To: Eric Girard
Cc: Peter Rathlev; cisco-nsp
Subject: Re: [c-nsp] Catalyst Blade Switch 3012 inband management?

On Nov 9, 2009, at 2:29 PM, Eric Girard wrote:

> Peter,
> I'm not familiar with the IBM, but when I deploy the 3x20 for the
> HP chassis, I just disable the Fa0 port to cut it off from the HP
> Onboard Administrator, and then proceed to configure it as a
> 'regular' switch with a management VLAN that comes in on the regular
> uplinks to the rest of the network. Hope that helps.

What do you gain from this? I did that with the first switch but don't anymore. fa0 sits on NMS along with the OA. Means I don't need to carry the NMS Vlan on the 3x20.

(though I do wish HP/Cisco would integrate the serial console like HP's done with their own switches)

From mtinka at globaltransit.net Tue Nov 10 09:47:40 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 10 Nov 2009 22:47:40 +0800
Subject: [c-nsp] 3750G vs.
Nexus for a SAN
In-Reply-To: <9AF22D15085E7D409ED5710CBC779E930A3194@COHNTCS09.ci.henderson.nv.us>
References: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <9AF22D15085E7D409ED5710CBC779E930A3194@COHNTCS09.ci.henderson.nv.us>
Message-ID: <200911102247.42128.mtinka@globaltransit.net>

On Tuesday 10 November 2009 01:56:07 am Michael Balasko wrote:

> All that being said we bought the 5K's to do 10G
> distribution for our core so your mileage may vary
> depending on needs.

To digress a little, we considered using the Nexus 5000 as a 10Gbps core aggregation switch, because it's way cheaper than the WS-X6704/8 line cards. But given that we'd be looking at adding more bandwidth in terms of N x 10Gbps, it made more sense to consider boxes that will scale to native 40Gbps and 100Gbps Ethernet interfaces.

But, if a network is sure they'll never need any more 10Gbps port density or large bandwidth to serve several downstream/upstream routers, the Nexus 5000 is definitely good value for 10Gbps Ethernet aggregation, current software issues aside, of course.

Cheers,

Mark.
URL:


From nadengine at googlemail.com Tue Nov 10 10:46:49 2009
From: nadengine at googlemail.com (shadow floating)
Date: Tue, 10 Nov 2009 17:46:49 +0200
Subject: [c-nsp] Network design change
In-Reply-To:
References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com>
Message-ID: <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com>

thanks a lot Ziv

I'll try to put it in a txt format:

    Site A                                                         Site B
    internet                                                       internet
       |                                                              |
    Firewall A                                                     Firewall B
       |                  link under investigation                    |
       |--------(DMZ Switch) ----------------------------- (DMZ Switch)---|
       |                                                              |
       |                       High speed link                        |
    Core Switch A ------------------------------------------------ Core Switch B

Hi All,

My company has two sites in 2 different locations that are connected via high speed link at the core layer. In each site I've 1 DMZ; the network team wants to connect the DMZ switches in both sites for better performance and "security" - the link under investigation is shown in red in the picture - via high speed link without passing at all by the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs and also this will help if any of the 2 firewalls had failure to access both DMZs from any firewall.

Is that better from security point of view?

appreciating your great help and advice
thanks a lot

Regards,
Nad

2009/11/10 Ziv Leyes :
> Hi Nad,
> This list accepts only text only messages, so the picture isn't attached to the message we've got.
> I suggest you to upload your diagram to some free image hosting site such as http://imageshack.us/ and post the link here
>
> ************************************************************************************
> This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
> ************************************************************************************
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


From nadengine at googlemail.com Tue Nov 10 10:54:14 2009
From: nadengine at googlemail.com (shadow floating)
Date: Tue, 10 Nov 2009 17:54:14 +0200
Subject: [c-nsp] Network design change
In-Reply-To: <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com>
References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com>
Message-ID: <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com>

thanks a lot Ziv

the link for the diagram is here: http://img18.imageshack.us/img18/77/questionhk.jpg

Hi All,

My company has two sites in 2 different locations (please see the diagram from the picture in the link) that are connected via high speed link at the core layer. In each site I've 1 DMZ; the network team wants to connect the DMZ switches in both sites for better performance and "security" - the link under investigation is shown in red in the picture - via high speed link without passing at all by the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs and also this will help if any of the 2 firewalls had failure to access both DMZs from any firewall.

Is that better from security point of view?

appreciating your great help and advice
thanks a lot

Regards,
Nad


From zivl at gilat.net Tue Nov 10 11:09:23 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 10 Nov 2009 18:09:23 +0200
Subject: [c-nsp] Network design change
In-Reply-To: <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com>
References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com> <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com>
Message-ID:

I don't see any problem with that solution, it seems to be quite good for what you're trying to achieve, and I don't think there are major security issues, assuming that the DMZ is a well protected from internet zone and properly isolated from the internal network.

What kind of point to point link are you planning to implement?


From frosya84 at mail.ru Tue Nov 10 11:08:00 2009
From: frosya84 at mail.ru (Ruzhanskaya Olga)
Date: Tue, 10 Nov 2009 19:08:00 +0300
Subject: [c-nsp] Different CPU load on two 7206VXR-NPEG2
Message-ID:

Hello List!

We have 2 7206VXR-NPEG2 routers in different towns (T1 and T2), with the same configuration template, same IOS - 12.2(31)SB11. Each of them has one interface for client's services termination; one for transport connection to core routers (P router).

The challenge is: traffic load on T1 is twice as much as on T2, but the CPU load is almost the same.
Details:

1) There are the same number/load of Internet services with uRPF enabled on both routers
2) The same number of acls
3) In "sh proc cpu sorted" the main cycles are used for packet forwarding

--------------------------------------------------------------------------
Here are some outputs from T2 (less traffic, same CPU load), uplink, 5 minutes after cleared counters:

T2#sh int gi0/2 | i 30
  30 second input rate 459618000 bits/sec, 74812 packets/sec
  30 second output rate 276334000 bits/sec, 59440 packets/sec

T2#sh int gi0/2 | i queue
  Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/1000/0 (size/max total/drops)

T2#sh int gi0/2 | i queue
  Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 0

Here are some outputs from T1 (more traffic, same CPU load), uplink, 5 minutes after cleared counters:

T1# sh int gi0/2 | i 30
  30 second input rate 780209000 bits/sec, 111772 packets/sec
  30 second output rate 356832000 bits/sec, 105820 packets/sec

T1# sh int gi0/2 | i queue
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)

T1# sh int gi0/2 | i error
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 0 collisions, 0 interface resets
--------------------------------------------------------------------------

Any suggestions are appreciated.

Best regards,
Olga


From eng_mssk at hotmail.com Tue Nov 10 11:23:10 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 10 Nov 2009 18:23:10 +0200
Subject: [c-nsp] streaming
Message-ID:

hey all

i have a wimax connection and i tested everything is ok from browsing to download speed except for streaming
what are possible causes for streaming to be so slow while other applications are fairly fast

thanks in advance

_________________________________________________________________
Windows Live: Keep your friends up to date with what you do online.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010


From cchurc05 at harris.com Tue Nov 10 11:28:57 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 10 Nov 2009 11:28:57 -0500
Subject: [c-nsp] Different CPU load on two 7206VXR-NPEG2
In-Reply-To:
References:
Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B5634FE@MLBMXUS2.cs.myharris.net>

The T2 router has vastly different queue sizes. It would appear that it has some type of QOS applied to it, where the other one doesn't. That would explain the additional CPU usage.

Chuck


From n00dles at nix-jutsu.net Tue Nov 10 11:42:50 2009
From: n00dles at nix-jutsu.net (n00dles at nix-jutsu.net)
Date: Tue, 10 Nov 2009 16:42:50 +0000
Subject: [c-nsp] Cisco 800 stops forwarding layer 3 via switchport
Message-ID: <20091110164250.GA1003@atsuko>

Hello all,

We have a strange issue between PIX 501's running and our 800 series routers; we are using various 800s with a spread of IOS versions. The problem manifests itself as a drop of connectivity between the two devices, that being we lose layer 3 forwarding out of the switch-port module on the 800.

We are of the opinion we have ethernet connectivity between devices as the mac-address table is being populated after being cleared, and link state shows up/up, but we cannot ping, nor can the device ARP for the PIX. Static ARP entries also do not fix the issue; the only way we have found so far to fix the problem is to reboot the 800.

Has anyone experienced this kind of problem before?

Regards
--
    _      Chris Nicholls                ASCII ribbon campaign
   ( )     Timico Network Operations   - against HTML, vCards and
    X      chris at timico.net         - proprietary attachments in e-mail
   / \


From cisco-nsp at slepicka.net Tue Nov 10 11:44:34 2009
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Tue, 10 Nov 2009 10:44:34 -0600
Subject: [c-nsp] Network design change
In-Reply-To: <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com>
References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com> <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com>
Message-ID: <4AF99872.3000806@slepicka.net>

>> this will help if any of the 2 firewalls had failure to access both DMZs from any firewall.

Just keep in mind that traffic through the firewalls usually* needs to be symmetric. Be sure to account for that in your design.

* https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html


From rubensk at gmail.com Tue Nov 10 12:13:50 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Tue, 10 Nov 2009 15:13:50 -0200
Subject: [c-nsp] Default behaviour of MPLS enabled interfaces on 6500 SXI
Message-ID: <6bb5f5b10911100913m7785f7d0hb9671c707c419c66@mail.gmail.com>

Hi,

Just curious: what happens on a label-enabled interface when a packet comes with a label that hasn't been negotiated thru LDP? Is it a default permit, a default deny, anything that can be changed or tuned?
Rubens


From avayner at cisco.com Tue Nov 10 12:29:14 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 10 Nov 2009 18:29:14 +0100
Subject: [c-nsp] streaming
In-Reply-To:
References:
Message-ID:

Muhammad,

What do you mean streaming is slow? What kind of streaming?

Arie


From berghauz at gmail.com Tue Nov 10 12:31:17 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Tue, 10 Nov 2009 20:31:17 +0300
Subject: [c-nsp] Voice Vlan on metro 3400
Message-ID: <13d85870911100931s44cee41dib6377aad487da6aa@mail.gmail.com>

Hello everybody.

Can anybody clarify, is the feature "Voice VLAN" supported on the ME3400 switch? It's a very useful feature on 2950/2960 with cisco phones, but on 3400 I can't find it.

WBR
Aleksey Polyakoff
ICQ:9001016
Marie von Ebner-Eschenbach - "Even a stopped clock is right twice a day."


From cisco-nsp at slepicka.net Tue Nov 10 12:54:08 2009
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Tue, 10 Nov 2009 11:54:08 -0600
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <4AF49BA1.3060508@inex.ie>
References: <4AF473CD.7000405@inex.ie> <20091106213521.GL163@greenie.muc.de> <4AF49BA1.3060508@inex.ie>
Message-ID: <4AF9A8C0.9060800@slepicka.net>

You can read about the architecture here: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-462176.html

I'll give you my understanding of it -- I appreciate any corrections if I miss the mark on something.

>> I don't know whether the packets are buffered on input or on output.

Both. Each port has a set of 416 virtual output queues (on the 5020 -- don't know if this is true for the 5010 or if there are half as many). A VOQ is, essentially, a queue for each egress port. In other words, on ingress, a packet is put into one of 416 queues (52 egress ports * 8 queues -- one for each 802.1p CoS). Congestion on one egress port doesn't impact traffic destined for other ports.

Internally, the packets are moved around at greater than 10Gb speed (+20%), so there is egress buffering as well. This allows multiple packets to be queued up and sent out at 10Gb rate without interruption and is also used for flow control buffering.

>> per-port buffers...quite a bit smaller than on other products

480KB per port shared between per-CoS ingress and egress buffers. Most are assigned to ingress, but I don't know the ratio. There is also buffering on the fabric itself, though I'm not entirely sure what its impact is in this scenario (I think it's primarily just used as an optimization to increase throughput).

James

Nick Hilliard wrote:
> On 06/11/2009 21:35, Gert Doering wrote:
>> Out of curiosity: how does it cut-through if it has to multiplex
>> multiple
>> ports, as in: packets coming in on port A and B and leaving on C? As
>> soon as two packets overlap (time-wise) on A and B, you can't do
>> cut-through...
>
> The switch has per-port buffers; from what i remember, quite a bit
> smaller than on other products, as the unit is cut-through. You also
> need these buffers when you're operating 1G ports in store-n-forward
> mode. I don't know whether the packets are buffered on input or on
> output.
>
> Nick


From judah.scott.iam at gmail.com Tue Nov 10 13:17:58 2009
From: judah.scott.iam at gmail.com (Judah Scott)
Date: Tue, 10 Nov 2009 10:17:58 -0800
Subject: [c-nsp] CRS-1 MSC, MSC-B, FP40
In-Reply-To: <746ca6da0911092346v345b0e67p4a4c2408a10a3655@mail.gmail.com>
References: <3172b9cb0911091830g76239312wb64bac8bf9dc7a5a@mail.gmail.com> <746ca6da0911092346v345b0e67p4a4c2408a10a3655@mail.gmail.com>
Message-ID: <3172b9cb0911101017p15da784pb6081f9db79c0b96@mail.gmail.com>

Thanks for the responses!

-J Scott

On Mon, Nov 9, 2009 at 11:46 PM, Per Carlson wrote:
> Hi.
>
>> What is the difference between the three CRS L3+ forwarding engines? The
>> datasheets look like straight copy-paste besides the weight and
>> power-ratings.
>
> That's true for MSC and MSC-B. They are virtually the same, but the
> B-version draws less power (and requires a newer XR-version).
>
>> The only downside to FP40 that I have found so far relates
>> to the inability to use SIP-800 (and as a result, older SPAs).
>
> The FP40 is a completely different breed, and as you have found out,
> supports different PLIMs than MSC/MSC-B. These linecards were
> originally designed for the ASR14k (a CRS1-light device), but it was
> pulled from the market before getting released (more or less). The
> downsides of FP40, compared to MSC/MSC-B, are fewer hardware queues and
> not being able to do 40G at minimal packet sizes.
>
> You can use older SPAs in any of the "Flexible Interface Modules"
> (http://www.cisco.com/en/US/prod/collateral/routers/ps5763/data_sheet_c78-553671.html
> and
> http://www.cisco.com/en/US/prod/collateral/routers/ps5763/data_sheet_c78-549654.html).
>
> --
> Pelle


From mark.meijerink at sara.nl Tue Nov 10 13:14:26 2009
From: mark.meijerink at sara.nl (Mark Meijerink)
Date: Tue, 10 Nov 2009 19:14:26 +0100
Subject: [c-nsp] RSA and rancid
Message-ID: <4AF9AD82.2040904@sara.nl>

Hi there,

I am looking for a way to combine RSA tokens to authenticate to devices and use rancid to make backups of my device configuration. The RSA tokens use radius as authentication method. The problem is that rancid is an automated process and the rancid process is not able to watch an RSA token and fill in the authentication key. This sounds a bit strange but I don't know any other way to describe the problem.

Is anyone of you using RSA tokens and rancid? If so, please explain how you make this work.

Thanks in advance for your comments.

Regards,
Mark


From jared.a.gillis at gmail.com Tue Nov 10 14:21:09 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Tue, 10 Nov 2009 11:21:09 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <20091110073600.GE51443@gerbil.cluepon.net>
References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net> <4AF856AC.5070805@gmail.com> <20091110073600.GE51443@gerbil.cluepon.net>
Message-ID: <4AF9BD25.80405@gmail.com>

Richard A Steenbergen wrote:
> On Mon, Nov 09, 2009 at 09:51:40AM -0800, Jared Gillis wrote:
>> While I agree with these statements, our issue is not tree
>> recalculation/convergence.
>> Our issue and driving need for IS-IS
>> multiarea is the fact that we have 3750ME's which can only hold ~2k
>> routes in the TCAM in our IS-IS domain, and we'll very rapidly exhaust
>> the TCAM unless we can do route summarization (i.e. upstream L2's send
>> default/ATT only).
>
> So why can't you put the routes into iBGP, use your IGP only for the
> loopbacks, and learn a default route from your upstream devices?

That's exactly what we are doing, but still expect to exhaust the TCAM before too long, especially if we add support for IPv6 (which is a long-term goal).

-Jared


From swmike at swm.pp.se Tue Nov 10 14:26:00 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 10 Nov 2009 20:26:00 +0100 (CET)
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <4AF9BD25.80405@gmail.com>
References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net> <4AF856AC.5070805@gmail.com> <20091110073600.GE51443@gerbil.cluepon.net> <4AF9BD25.80405@gmail.com>
Message-ID:

On Tue, 10 Nov 2009, Jared Gillis wrote:

> That's exactly what we are doing, but still expect to exhaust the TCAM
> before too long, especially if we add support for IPv6 (which is a
> long-term goal).

Do you realistically see IPv6 support working in the 3750MEs? Looking at the scalability numbers I've been kind of sceptical...

--
Mikael Abrahamsson    email: swmike at swm.pp.se


From leonardo.souza at nec.com.br Tue Nov 10 14:31:32 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Tue, 10 Nov 2009 17:31:32 -0200
Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br>

Hi list,

I would like to know whether SUP720-3BXL supports IPv4 fragmented packets in hardware or not.

If it can be supported in hardware, in which cases would the PFC3 punt the IPv4 fragmented packets to MSFC?

Unfortunately I could not find/receive a good reference about it so far.

Thanks.


From rubensk at gmail.com Tue Nov 10 14:40:44 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Tue, 10 Nov 2009 17:40:44 -0200
Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br>
Message-ID: <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com>

Leonardo,

Do you mean the ability to fragment packets when traversing to smaller MTU links, or matching fragmented packets in ACLs (fragment ACL clause)? In my experience it doesn't support the former, and the latter is PFC-supported but not available on every IOS release.

Rubens


From leonardo.souza at nec.com.br Tue Nov 10 14:50:02 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Tue, 10 Nov 2009 17:50:02 -0200
Subject: [c-nsp] RES: IPv4 fragmented packets on SUP720-3BXL
In-Reply-To: <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br>

Hi,

Actually I meant the ability to forward fragmented packets in hardware. The router is not fragmenting the packets at all.


From gert at greenie.muc.de Tue Nov 10 14:59:01 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 10 Nov 2009 20:59:01 +0100
Subject: [c-nsp] RES: IPv4 fragmented packets on SUP720-3BXL
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br>
Message-ID: <20091110195901.GI163@greenie.muc.de>

Hi,

On Tue, Nov 10, 2009 at 05:50:02PM -0200, Leonardo Gama Souza wrote:
> Actually I meant the ability to forward fragmented packets in hardware.
> The router is not fragmenting the packets at all.

There is nothing special about *forwarding* fragmented packets - unless you have an ACL or anything else that wants to look at Layer 4 info.

gert

--
USENET is *not* the non-clickable part of WWW!                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                              gert at greenie.muc.de
fax: +49-89-35655025                         gert at net.informatik.tu-muenchen.de


From philxor at gmail.com Tue Nov 10 15:09:42 2009
From: philxor at gmail.com (Phil Bedard)
Date: Tue, 10 Nov 2009 15:09:42 -0500
Subject: [c-nsp] Default behaviour of MPLS enabled interfaces on 6500 SXI
In-Reply-To: <6bb5f5b10911100913m7785f7d0hb9671c707c419c66@mail.gmail.com>
References: <6bb5f5b10911100913m7785f7d0hb9671c707c419c66@mail.gmail.com>
Message-ID:

By default it will drop the traffic. If you know the incoming label you can create a static binding, but you can't create a static binding for the default route... Not sure of any other mechanisms.

In JunOS you can create an "MPLS default route" which takes unknown labeled packets and lets you manipulate them as you see fit. But this isn't JunOS. :)

Phil

On Nov 10, 2009, at 12:13 PM, Rubens Kuhl wrote:

> Hi,
>
> Just curious: what happens on a label-enabled interface when a packet
> comes with a label that hasn't been negotiated thru LDP ? Is it a
> default permit, a default deny, anything that can be changed or tuned
> ?
> > > Rubens > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From leonardo.souza at nec.com.br Tue Nov 10 15:20:13 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Tue, 10 Nov 2009 18:20:13 -0200 Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL In-Reply-To: <20091110195901.GI163@greenie.muc.de> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> Hi, >There is nothing special about *forwarding* fragmented packets - unless >you have an ACL or anything else that wants to look at Layer 4 info. That would be Netflow or some QoS policy attached to the interface, for instance? I guess the router should reassembly the fragmented packets before applying any policing on the traffic arriving on the interface... Am I right? From leonardo.souza at nec.com.br Tue Nov 10 16:00:22 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Tue, 10 Nov 2009 19:00:22 -0200 Subject: [c-nsp] RES: Default behaviour of MPLS enabled interfaces on 6500 SXI In-Reply-To: References: <6bb5f5b10911100913m7785f7d0hb9671c707c419c66@mail.gmail.com> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E3C@spsrvmail03.nec.br> Maybe: mpls static crossconnect in_label out_interface out_label -----Mensagem original----- De: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] Em nome de Phil Bedard Enviada em: ter?a-feira, 10 de novembro de 2009 18:10 Para: Rubens Kuhl Cc: Cisco-nsp Assunto: Re: [c-nsp] Default behaviour of MPLS enabled interfaces on 6500 SXI By default it will drop the traffic. 
If you know the incoming label you can create a static binding, but you can't create a static binding for the default route... Not sure of any other mechanisms. In JunOS you can create an "MPLS default route" which takes unknown labeled packets and lets you manipulate them as you see fit. But this isn't JunOS. :)

Phil

On Nov 10, 2009, at 12:13 PM, Rubens Kuhl wrote:

> Hi,
>
> Just curious: what happens on a label-enabled interface when a packet
> comes with a label that hasn't been negotiated thru LDP ? Is it a
> default permit, a default deny, anything that can be changed or tuned
> ?
>
>
> Rubens
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From sthaug at nethelp.no Tue Nov 10 16:03:57 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 10 Nov 2009 22:03:57 +0100 (CET)
Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br>
Message-ID: <20091110.220357.74737002.sthaug@nethelp.no>

> >There is nothing special about *forwarding* fragmented packets - unless
> >you have an ACL or anything else that wants to look at Layer 4 info.
>
> That would be Netflow or some QoS policy attached to the interface, for
> instance?

Normal ACL or possibly a QoS policy based on an ACL.

> I guess the router should reassemble the fragmented packets before
> applying any policing on the traffic arriving on the interface...
> Am I right?

No.
Each fragment is matched against the ACL on its own.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From ras at e-gerbil.net Tue Nov 10 16:13:40 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Tue, 10 Nov 2009 15:13:40 -0600
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <200911102232.01323.mtinka@globaltransit.net>
References: <4AF21CA5.4050804@gmail.com> <200911091432.32320.mtinka@globaltransit.net> <20091109072346.GK51443@gerbil.cluepon.net> <200911102232.01323.mtinka@globaltransit.net>
Message-ID: <20091110211340.GH51443@gerbil.cluepon.net>

On Tue, Nov 10, 2009 at 10:31:40PM +0800, Mark Tinka wrote:
>
> However, wearing my "instructor" hat when we give workshops
> in various places around the world, we tend to teach folk
> how to build large scale networks, based on our own
> experiences doing the same.
>
> In some cases, we say build scaling into your operations
> even when it may seem "unnecessary", because the general
> assumption is that your network is going to grow. Sure, it
> could take 5, 10, 15 years, depending on whom you ask, but
> if there's a chance it does grow, you don't want to re-work
> your entire design to add scaling into the mix; especially
> since adding scalability in from the start doesn't add any
> incremental cost in terms of $$ or complexity.

I have nothing against advocating that you design your network to scale from the very beginning, and (without trying to channel Vijay Gill here) IMHO if you don't design your network to scale then in all likelihood it WON'T scale. But there is also a point where you start making more trouble for yourself than you save, and may actually inhibit your growth by adding unnecessary additional complexity. Smart network engineering is about knowing the network you are trying to build, and figuring out where that magic line is so you don't cross it.
I think your argument applies perfectly to situations like "but I only have a few hundred /30s between my 10 3560s, why can't I just redistribute connected/static into my IGP and call it a day". Yes you COULD, but if you grow your network by even a very small amount you'll start to bump the CAM limits on your stackable switches, and thus you should probably engineer your network to scale past that limit from the very beginning. Taking the time to design a system with only loopbacks into IGP + iBGP loopback peering and redistribution of other routes into BGP may be more time consuming than just slapping a redist into your IGP, but it will save you more time in the end. On the other hand, what level of scale do you need before IGP areas actually start to pay off, and make it worth the added complexity and other issues you will impose (inter-area TE problems, etc)? You'd need to take your 10 routers to what? 100? 1000? 10000? At what point does your newly expanded network look absolutely nothing like your original network, to the point that nothing you decided about your 10 router network has any bearing on your new network? If you're really designing some massive dial network with the potential for 10000 pops, or the next IBM Global Services network, you may have a legitimate reason for needing the IGP areas. But if you're building a more concentrated network there just may never be a situation where there is any benefit no matter how big you grow (i.e. I don't think Level 3 has any need for them :P). There is no right answer for everyone, your network may look very different from mine, etc. We can both make arguments for simplistic theories like "you should always design to scale" vs "keep it simple stupid" until we're blue in the face, but at the end of the day this is an engineering question to which there is no one correct answer. Did I mention I got a lot of D's in class from arguing with the teacher? 
:) -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From c-nsp at djvh.nl Tue Nov 10 16:18:19 2009 From: c-nsp at djvh.nl (Dirk-Jan van Helmond) Date: Tue, 10 Nov 2009 22:18:19 +0100 Subject: [c-nsp] RSA and rancid In-Reply-To: <4AF9AD82.2040904@sara.nl> References: <4AF9AD82.2040904@sara.nl> Message-ID: <61FA706B-E242-45F6-A3CE-E380D1F2EDA8@djvh.nl> Hi Mark, Don't use RSA authentication for automated processes? If the authentication isn't being sent plaintext, there is no added security in using one time passwords for automated processes. Regards, Dirk-Jan On Nov 10, 2009, at 7:14 PM, Mark Meijerink wrote: > Hi there, > > I am looking for a way to combine RSA tokens to authenticate to devices and use rancid to make backups of my device > configuration. > > The RSA tokens use radius as authentication method. The problem is that rancid is an automated process and the rancid > process is not able to watch on a RSA token and fill in the authentication key. This sounds a bit strange but I don't > know any other way to describe the problem. > > Is anyone of you using RSA tokens and rancid? If so, please explain how you make this work. Thanks in advance for your > comments. > > Regards, > Mark > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Tue Nov 10 16:26:10 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 10 Nov 2009 22:26:10 +0100 Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass? Message-ID: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> On Tue, 2009-11-10 at 10:44 -0600, James Slepicka wrote: > Just keep in mind that traffic through the firewalls usually* needs to > be symmetric. Be sure to account for that in your design. 
> > * > https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html I've read about this, but I fail to see what the point is. If the firewall doesn't do stateful inspection, then why use a firewall? Why not just a router/switch with L4 ACLs? What am I missing? -- Peter From gert at greenie.muc.de Tue Nov 10 16:37:14 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 10 Nov 2009 22:37:14 +0100 Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> Message-ID: <20091110213714.GK163@greenie.muc.de> Hi, On Tue, Nov 10, 2009 at 06:20:13PM -0200, Leonardo Gama Souza wrote: > >There is nothing special about *forwarding* fragmented packets - unless > >you have an ACL or anything else that wants to look at Layer 4 info. > > That would be Netflow or some QoS policy attached to the interface, for > instance? > I guess the router should reassembly the fragmented packets before > applying any policing on the traffic arriving on the interface... > Am I right? No. Routers will never reassemble transit traffic. (Some firewall devices do, so maybe the IOS firewalling feature set will do funny things with fragments, but normal IOS will never ever reassemble packets not destined to itself) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
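The point Steinar and Gert make above, that a transit router never reassembles and checks each fragment against a stateless ACL on its own, is easy to get wrong when writing a Layer 4 ACL. The following Python model is an added example, not code from the list or from any Cisco product: it fragments a constructed TCP segment and evaluates each fragment independently. The handling of non-initial fragments follows what Cisco documents for IOS ACLs and is an assumption of this model, not something verified on a SUP720: an entry with Layer 4 fields permits a non-initial fragment whose Layer 3 fields match and is skipped if it is a deny, while an entry carrying the `fragments` keyword matches non-initial fragments only. Addresses, the toy 8-byte transport header and the 48-byte MTU are constructed for the example.

```python
"""Per-fragment stateless ACL evaluation on a transit router (added example).

Nothing here reassembles. Only the first fragment carries the transport header,
so an "eq 23"-style entry can only see the port there. The rules for non-initial
fragments are the documented IOS ones, assumed for this model (see lead-in)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    src: str
    dst: str
    proto: int             # 6 = TCP
    offset: int            # fragment offset in 8-byte units; 0 = first fragment
    more: bool             # MF flag
    data: bytes
    dport: Optional[int]   # known only when the L4 header is in this fragment


def fragment_tcp(src: str, dst: str, dport: int, payload: bytes, mtu: int) -> List[Fragment]:
    """Split one TCP segment into IPv4 fragments as a router facing a small-MTU link
    would. Constructed simplification: a 20-byte IP header and a toy 8-byte transport
    header that only carries the destination port (a deliberately tiny first fragment
    that pushes the port into the second fragment is the classic evasion; not modelled)."""
    data = dport.to_bytes(2, "big") + b"\x00" * 6 + payload
    chunk = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8 bytes
    if chunk <= 0:
        raise ValueError("MTU leaves no room for fragment data")
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        first = off == 0
        frags.append(Fragment(src, dst, 6, off // 8, off + chunk < len(data), piece,
                              dport if first else None))
    return frags


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: Optional[int] = None  # None = "ip"
    dst: Optional[str] = None    # None = "any"
    dport: Optional[int] = None  # None = no Layer 4 condition
    fragments: bool = False      # IOS "fragments" keyword: non-initial fragments only


def _l3_match(ace: Ace, frag: Fragment) -> bool:
    return (ace.proto is None or ace.proto == frag.proto) and \
           (ace.dst is None or ace.dst == frag.dst)


def evaluate(acl: List[Ace], frag: Fragment) -> str:
    """Return the action for one fragment; no state is kept between fragments."""
    noninitial = frag.offset != 0
    for ace in acl:
        if not _l3_match(ace, frag):
            continue
        if ace.fragments:
            if noninitial:
                return ace.action
            continue
        if ace.dport is None:               # L3-only entry: applies to every fragment
            return ace.action
        if not noninitial:                  # first fragment: the port is visible
            if frag.dport == ace.dport:
                return ace.action
            continue
        if ace.action == "permit":          # non-initial: no port to compare
            return "permit"
        # a deny entry with L4 fields is skipped for non-initial fragments
    return "deny"                           # implicit deny at the end of the ACL


def demo():
    """A telnet segment to 198.51.100.5 that must cross a 48-byte-MTU link."""
    frags = fragment_tcp("192.0.2.10", "198.51.100.5", 23, b"A" * 40, mtu=48)
    naive = [Ace("deny", proto=6, dst="198.51.100.5", dport=23), Ace("permit")]
    hardened = [Ace("deny", dst="198.51.100.5", fragments=True)] + naive
    return ([evaluate(naive, f) for f in frags],
            [evaluate(hardened, f) for f in frags])


if __name__ == "__main__":
    print(demo())   # (['deny', 'permit'], ['deny', 'deny'])
```

With the naive ACL the first fragment of the telnet segment is dropped but its tail fragment is permitted, because the deny entry needs a port it cannot see and the router will not wait for the rest of the datagram. Adding a deny with the `fragments` keyword ahead of it closes that gap without touching the first-fragment decision.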
From moua0100 at umn.edu Tue Nov 10 16:42:10 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 10 Nov 2009 15:42:10 -0600
Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass?
In-Reply-To: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk>
References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk>
Message-ID: <4AF9DE32.2050902@umn.edu>

I've always been leery of this feature; I've considered using it in the past to troubleshoot badly written apps that muck up TCP 3-way handshakes/4-way teardowns; I can see this as a quick & dirty mechanism to bypass the stateful inspection engine without taking the firewall logically out of the data path; I'd be careful with using this feature without serious consideration of consequences; I also don't like the fact that it changes the default "stateful inspection" behavior.

I'd also be interested to hear what other folks think about this..

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Peter Rathlev wrote:
> On Tue, 2009-11-10 at 10:44 -0600, James Slepicka wrote:
>
>> Just keep in mind that traffic through the firewalls usually* needs to
>> be symmetric. Be sure to account for that in your design.
>>
>> *
>> https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
>>
>
> I've read about this, but I fail to see what the point is. If the
> firewall doesn't do stateful inspection, then why use a firewall? Why
> not just a router/switch with L4 ACLs?
>
> What am I missing?
>
>

From peter at rathlev.dk Tue Nov 10 16:54:52 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 10 Nov 2009 22:54:52 +0100
Subject: [c-nsp] uRPF bug on C6k SXI1?
In-Reply-To: <4AF9693C.4000301@imperial.ac.uk> References: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk> <4AF9693C.4000301@imperial.ac.uk> Message-ID: <1257890092.1166.34.camel@abehat.dyn.net.rm.dk> Hi Phil, Thanks for the input. On Tue, 2009-11-10 at 13:23 +0000, Phil Mayers wrote: > Do you have CoPP or MLS rate limiters? Is the traffic being CPU punted > (use a SPAN session to find out) and this rate-limiting what's causing > the drops? No CoPP or rate-limiters configured, only defaults. Is there any way to see counters for the rate-limiters? The "show > If so, it could be a hardware/tcam programming error; we've seen a few > of these in obscure cases on SXI, and I've not found a reliable way to > clear them. Does a "shut" / "no shut" of the SVI fix the problem? Or > the various "clear" commands (e.g. "clear cef" etc.) Well, I tried shutting/unshutting the SVI, and now I can't seem to recreate the problem. :-( > > If I remove the "ip verify"-command and then add the version with > > "allow-default" directly, I have no problems. Without uRPF there's > > no problem either. Only when first entering the command without > > "allow-default" and then adding "allow-default" does the problem > > appear. > > We haven't seen that, but have seen other issues where (apparently) > CEF entries are programmed incorrectly resulting in traffic being CPU > punted and having to pass through CoPP, and thus being very lossy. I would really like to have looked more into this, but with the problem gone, I'm stuck: If it would happen again, is there any way to check what the rate-limiters/CoPP drops via some counters? -- Regards, Peter From rwest at zyedge.com Tue Nov 10 16:54:28 2009 From: rwest at zyedge.com (Ryan West) Date: Tue, 10 Nov 2009 16:54:28 -0500 Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass? 
In-Reply-To: <4AF9DE32.2050902@umn.edu> References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> <4AF9DE32.2050902@umn.edu> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17CDA@zy-ex1.zyedge.local> Hi, > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Ge Moua > Sent: Tuesday, November 10, 2009 4:42 PM > To: Peter Rathlev > Cc: cisco-nsp > Subject: Re: [c-nsp] What's the value of ASA/FWSM TCP state bypass? > > I've always been leery of this feature; I've consider using it in the > past to troubleshoot badly written apps that mucks up tcp 3-way > handshakes/4-way teardowns; I can see this as a quick & dirty mechanism > to bypass the stateful inspection engine without taking the firewall > logically out of the data path; I'd be careful with using this feature > without serious consideration of consequences; I also don't like the > fact that it changes the default "stateful inspection" behavior. > > I'd also be interested to hear what other folks think about this.. > I've used it when there is only a layer 2 switch at a branch office and a CE managed MPLS router is on the same segment. If the ASA is the default route in this scenario and traffic is sent to the MPLS router, the handshakes don't complete and the traffic is dropped. There are other ways around this, of course, but it's an option to allow the ASA to route on its inside interface before it examines the flow. Netscreens have no issue with this and Checkpoints just need to know about the internal network and they will route as well. 
-ryan

From eng_mssk at hotmail.com Tue Nov 10 17:06:43 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 11 Nov 2009 00:06:43 +0200
Subject: [c-nsp] streaming
In-Reply-To: References: Message-ID:

Any site with streaming or buffering, like YouTube and stuff like that, is slow, meaning the buffering is so slow.

> Subject: RE: [c-nsp] streaming
> Date: Tue, 10 Nov 2009 18:29:14 +0100
> From: avayner at cisco.com
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> Muhammad,
>
> What do you mean streaming is slow?
> What kind of streaming?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Tuesday, November 10, 2009 18:23
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] streaming
>
>
> Hey all,
>
> I have a WiMAX connection and I tested everything is OK, from browsing to
> download speed, except for streaming.
> What are possible causes for streaming to be so slow while other
> applications are fairly fast?
>
> Thanks in advance
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
From dwinkworth at att.net Tue Nov 10 16:57:49 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Tue, 10 Nov 2009 13:57:49 -0800 (PST)
Subject: [c-nsp] backup lsp/second path-option priority...
In-Reply-To: <4AF9A8C0.9060800@slepicka.net>
References: <4AF473CD.7000405@inex.ie> <20091106213521.GL163@greenie.muc.de> <4AF49BA1.3060508@inex.ie> <4AF9A8C0.9060800@slepicka.net>
Message-ID: <344830.44368.qm@web180016.mail.gq1.yahoo.com>

I am trying to configure something like this:

A primary LSP with 5g bandwidth... and lower priority..
A secondary LSP with 500m bandwidth and higher priority..

Essentially, if all links are up, then the primary paths will be used and we will have maximum bandwidth utilization... If we lose a link, then the secondary LSPs will kick in for those failed primaries, and if necessary, the secondary LSP will preempt other primary LSPs. Any thoughts on how to accomplish this in IOS?

Thanks...

From rdobbins at arbor.net Tue Nov 10 18:31:44 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Tue, 10 Nov 2009 23:31:44 +0000
Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass?
In-Reply-To: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk>
References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk>
Message-ID:

On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote:

> I've read about this, but I fail to see what the point is.
The point is that there shouldn't be firewalls in front of servers in the first place, given that every packet which comes in is unsolicited and therefore the stateful inspection is both completely obviated and forms a DDoS chokepoint; and yet folks have been so conditioned by security snake-oil marketing to put firewalls in front of their servers that they do it anyways, complain to their vendors when said firewalls fall over with relatively small amounts of traffic due to state-table exhaustion, and thus need a way to disable the stateful inspection they paid so much to achieve so that they can still claim that they've a firewall in front of their servers, even though said firewalls are iatrogenic in nature. ;> Folks should do as you say, hardening their servers/apps/services, enforcing policy via stateless ACLs in hardware, and deploying reaction tools such as S/RTBH. Firewalls in front of servers is generally a Bad Idea, period. ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From gsgranados at comcast.net Tue Nov 10 18:44:26 2009 From: gsgranados at comcast.net (Scott Granados) Date: Tue, 10 Nov 2009 15:44:26 -0800 Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass? References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> Message-ID: <01b201ca625f$c63ad500$2408120a@am.thmulti.com> And don't forget stop running Microsoft products! Secure and Microsoft can't be used in the same text let alone sentence unless it's in the negative. This is a big part of the firewall conditioning. People are so used to hopelessly insecure operating environments that this makes sense as a solution when in reality all one need do is run a real OS properly hardened. ----- Original Message ----- From: "Dobbins, Roland" To: "Cisco-nsp" Sent: Tuesday, November 10, 2009 3:31 PM Subject: Re: [c-nsp] What's the value of ASA/FWSM TCP state bypass? 
> > On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote: > >> I've read about this, but I fail to see what the point is. > > The point is that there shouldn't be firewalls in front of servers in the > first place, given that every packet which comes in is unsolicited and > therefore the stateful inspection is both completely obviated and forms a > DDoS chokepoint; and yet folks have been so conditioned by security > snake-oil marketing to put firewalls in front of their servers that they > do it anyways, complain to their vendors when said firewalls fall over > with relatively small amounts of traffic due to state-table exhaustion, > and thus need a way to disable the stateful inspection they paid so much > to achieve so that they can still claim that they've a firewall in front > of their servers, even though said firewalls are iatrogenic in nature. > > ;> > > Folks should do as you say, hardening their servers/apps/services, > enforcing policy via stateless ACLs in hardware, and deploying reaction > tools such as S/RTBH. Firewalls in front of servers is generally a Bad > Idea, period. > > ----------------------------------------------------------------------- > Roland Dobbins // > > Injustice is relatively easy to bear; what stings is justice. > > -- H.L. Mencken > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From ashnet2009 at gmail.com Tue Nov 10 18:47:29 2009 From: ashnet2009 at gmail.com (Ash Net) Date: Tue, 10 Nov 2009 18:47:29 -0500 Subject: [c-nsp] OT : AristaNetworks Switches Message-ID: <896a291f0911101547r20c131d6sb5fd3503380aa6ef@mail.gmail.com> Hi Folks, A bit offtopic but wondering if anybody has had the chance of evaluating/Deploying AristaNetwork Switching products. 
they are currently offering low latency 10Gig switching products and appear to be competing in the same space as Nexus platform. Any feedback would be greatly appreciated, Thanks in advance From john at vanoppen.com Tue Nov 10 19:27:24 2009 From: john at vanoppen.com (John van Oppen) Date: Tue, 10 Nov 2009 16:27:24 -0800 Subject: [c-nsp] OT : AristaNetworks Switches References: <896a291f0911101547r20c131d6sb5fd3503380aa6ef@mail.gmail.com> Message-ID: We have a few of them in production, since this is non-cisco shoot me an email off-list and I can chat about them. John van Oppen Spectrum Networks LLC Direct: 206.973.8302 Main: 206.973.8300 Website: http://spectrumnetworks.us -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ash Net Sent: Tuesday, November 10, 2009 3:47 PM To: Cisco-nsp Subject: [c-nsp] OT : AristaNetworks Switches Hi Folks, A bit offtopic but wondering if anybody has had the chance of evaluating/Deploying AristaNetwork Switching products. they are currently offering low latency 10Gig switching products and appear to be competing in the same space as Nexus platform. Any feedback would be greatly appreciated, Thanks in advance _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From adwhite at inchix.net Wed Nov 11 02:16:54 2009 From: adwhite at inchix.net (Andrew White) Date: Wed, 11 Nov 2009 18:16:54 +1100 Subject: [c-nsp] 3750G vs. Nexus for a SAN In-Reply-To: References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> Message-ID: <9e2e3bc20911102316s66f49b3as14ea4a9cc603ff95@mail.gmail.com> On Tue, Nov 10, 2009 at 4:02 AM, Jason Gurtz wrote: >> Any reason why you wouldn't go for fcoe on nexus 5k? :) > > It does look like that is what the box is really for. 
?To answer the > question, it all depends on what SAN goes in. ?A lot of the newer stuff > with better value is iSCSI only and eschews FC in any form. > Well i'm not to sure on the better value point - I doubt it will be long before netapp and the likes pop a fcoe cna into their kit. Current prices of gen-2 cna's are not really any more expensive than a dual port 10ge card so why wouldn't you go fcoe? No ip, no tcp windows, no need to chew cpu on hosts no managing authentication > Maybe I better question to ask is how does the nexus 5k fare against 49xx > switch doing iSCSI? I don't think it would make much difference really, 5k will have less latency not that it really matters for iscsi :) > > ~JasonG > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mtinka at globaltransit.net Wed Nov 11 01:46:17 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 11 Nov 2009 14:46:17 +0800 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <20091110211340.GH51443@gerbil.cluepon.net> References: <4AF21CA5.4050804@gmail.com> <200911102232.01323.mtinka@globaltransit.net> <20091110211340.GH51443@gerbil.cluepon.net> Message-ID: <200911111446.39608.mtinka@globaltransit.net> On Wednesday 11 November 2009 05:13:40 am Richard A Steenbergen wrote: > :-). > I have nothing against advocating that you design your > network to scale from the very beginning, and (without > trying to channel Vijay Gill here) IMHO if oyu don't > design your netwrok to scale then in all likelihood it > WON'T scale. Agree. > But there is also a point where you start > making more trouble for yourself than you save, and may > actually inhibit your growth by adding unnecessary > additional complexity. 
Also agree, e.g., it is possible to build too much redundancy that just ends up being complex, it is possible to have too many upstream service providers that your eBGP routing policy becomes too complicated and fails to work as expected, etc. We say, "Scale, but KISS".

> Smart network engineering is about
> knowing the network you are trying to build, and figuring
> out where that magic line is so you don't cross it.

Also agree. Again, we don't say "Scale for scaling's sake", on the assumption that it is possible for those learning to misunderstand the message and think scaling = complexity, and that complexity may be justified by the need to scale.

Unfortunately, without getting into the full details about the workshops we give, I can understand why you may think we may be advocating for "blind scaling", for lack of a better term. But on the contrary, our messages are very specific to areas where scaling is important, without adding undue complexity, and keeping things as simple as they should be.

So yes, in principle, agree here also.

> I think your argument applies perfectly to situations
> like "but I only have a few hundred /30s between my 10
> 3560s, why can't I just redistribute connected/static
> into my IGP and call it a day".

:-), not at all, actually. We NEVER advocate for any customer prefixes (including /30 point-to-points) to be anywhere near the IGP. We also NEVER advocate for any kind of redistribution (although we realize a lot of folks tend to trade-off when it comes to this, mostly due to mind-set, laziness, etc.).

I once gave a workshop where the entire class agreed that redistribution isn't necessarily a good thing when done blindly and with laziness as an unconscious motive. We all agreed that if it was possible, avoid it, unless you really know what you're doing, e.g., l3vpn's for PE-CE routing, redistribution controlled with route-maps, etc.
Then what happens, one of the attendees goes back and actually continues to redistribute all Connected and Static entries without prejudice because when he joined the trade, it was ingrained in him either by books, mentors, vendor marketing, etc. - as instructors, we can also only go so far :-\.

> Yes you COULD, but if you
> grow your network by even a very small amount you'll
> start to bump the CAM limits on your stackable switches,
> and thus you should probably engineer your network to
> scale past that limit from the very beginning.

Agree - of course, there are dynamics that cannot be captured during workshops, e.g., will you use regular routers at the edge or TCAM-limited so-called Layer 3 switches instead; to run with your example, Richard.

Like you say, there is no magic solution. Our message, while specific, is also generalized in many areas; scale as long as you keep simplicity in mind, but adapt to your individual environments and make your own decisions because no two networks have the same "pocket-depth", nor do they have the same topology.

So yes, in principle, agree here also.

> Taking the
> time to design a system with only loopbacks into IGP +
> iBGP loopback peering and redistribution of other routes
> into BGP may be more time consuming than just slapping a
> redist into your IGP, but it will save you more time in
> the end.

But this is exactly what our workshops advocate. Nowhere do we say you should do anything else :-).

IGP only for infrastructure + Loopbacks. iBGP for all customer prefixes. Is our message.

But you do get some folk who've heard this for the first time at the workshop and fail to comprehend why an IGP is not used for "all internal" routing entries. So they'll gladly do the workshop with you, as well as the labs, but go back home and continue to bloat their IGP. Again, as instructors, we can only go so far.

So yes, agree here also (is it getting old, hehe?).
> On the other hand, what level of scale do you need before
> IGP areas actually start to pay off, and make it worth
> the added complexity and other issues you will impose
> (inter-area TE problems, etc)? You'd need to take your 10
> routers to what? 100? 1000? 10000? At what point does
> your newly expanded network look absolutely nothing like
> your original network, to the point that nothing you
> decided about your 10 router network has any bearing on
> your new network? If you're really designing some massive
> dial network with the potential for 10000 pops, or the
> next IBM Global Services network, you may have a
> legitimate reason for needing the IGP areas. But if
> you're building a more concentrated network there just
> may never be a situation where there is any benefit no
> matter how big you grow (i.e. I don't think Level 3 has
> any need for them :P).

Again, I agree - that's why I mentioned, in my previous post to you, that our message on "Scale as early as possible (in correspondence with your individual environment and with simplicity at heart)", transcends just IGP routing; there's a lot more to it that will influence the choices the operators that attend our workshops will make.

We look at the issues holistically, not individually, and hope that the attendees make the most reasonable design decision based on the "most neutral" information provided, e.g.:

- Solve the iBGP mesh problem with route reflectors or confederations. Route reflectors are simpler than confederations, but there have been corner cases where confederations have been desirable. Because those corner cases are few and far between, and we think simplicity in this case trumps "corner case", we recommend the use of route reflectors.

- We get attendees asking what model of XR 12000 series or CRS-1 is better for their core just because the Cisco product positioning says so, or which model in the T-series range is better just because Juniper product positioning says so.
Our advice is neutral, "Don't drink the marketing Kool-Aid. Many networks have 7200-VXR's or M7i's as core, because that's all they've ever needed in their plans - and they work".

- Static routing in a 5-router network will work well, but just because it is small, doesn't mean you should wait until you explode to 100 routers before you consider moving to dynamic routing, especially if router and network resources are not an issue. Here, we're recommending to scale early because we assume the network might either grow, or become too complex to manage as the number of routing entries increases, or both.

- RFD (Route Flap Dampening) has a specific problem to solve. But given that router control planes are getting faster, global connectivity is getting more stable with more sub-sea and terrestrial connectivity coming online, etc., many networks realize that the troubles RFD causes may not be worth the perceived benefits. So, if you have to deploy it, think about what it means to your business/network - if it were I (the instructor), I wouldn't for A, B, C, D reasons.

Our goal is not to simply say, "Take our word for it, it's the rule". Our goal is to foster open and unrestricted thinking, with some basic guidelines, of course.

So yes, in principle, agree here also.

> There is no right answer for
> everyone, your network may look very different from mine,
> etc.

Agree, based on my arguments above. We try to provide fundamental principles with basic guidelines, not rules. The idea is knowledge transfer, not technology transfer.

To analogize, "It is wrong to kill someone, but just because we haven't explicitly mentioned that stabbing them without causing them death is equally as wrong, doesn't mean we're sanctioning it - learn to think beyond the marketing/snazzy slides/RFC's/vendor-centric fora/news media/standards bodies meetings, etc.".

> We can both make arguments for simplistic theories
> like "you should always design to scale" vs "keep it
> simple stupid"...
I know this is just an example you're giving, but to nit-pick, there's no reason why you can't scale and maintain simplicity at the same time - and I'm sure you agree also that you can scale while maintaining simplicity, depending on the situation at hand. But my actual comment on this one is, some ideologies complement each other; they are not always necessarily presented (to be considered) in contrast. But in general, ...

> until we're blue in the face, but at the
> end of the day this is an engineering question to which
> there is no one correct answer.

... I take your point, and I agree, again, per my arguments above.

>

I guess the issue here was that you may not be familiar with the kinds of workshops we run, so it may not be unreasonable to assume we're teaching "scalability" for its own "sake". In fact, to illustrate the kind of confusion we put our attendees through, on the one hand we say, "Aggregate your eBGP announcements as much as possible, and where you can, aggregate your iBGP announcements just as much". On the other, we say, "Route summarization in a link state IGP helps scale the network, but it may break optimal routing, so in this case we trade off scalability for optimality". Attendees get very confused about why we "selectively" scale, and the devil is in the details, as I'm sure you can appreciate. However, those that manage to understand the tactics we use to open up their minds then ask, "But doesn't the use of Route Leaking in IS-IS moot the need for multiple levels on the basis of building a multi-level IS-IS network just for scaling? So then what is the point of having multiple levels in IS-IS in the first place?" When we hear questions like these, we know we have reached success :-). There's tons of other cases, but this is the general idea.
We encourage workshops given by other operators, because there's nothing like it when compared to reading vendor certification material, reading RFC specs, reading vendor product marketing data sheets, or attending classes given by individuals that have learned how IP networks work but have never run a network.

> Did I mention I got a lot of D's in class from arguing
> with the teacher?

+1 :-).

Cheers,

Mark.

From arne.svennevik at met.no Wed Nov 11 03:59:37 2009
From: arne.svennevik at met.no (arne.svennevik at met.no)
Date: Wed, 11 Nov 2009 08:59:37 +0000 (UTC)
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <1943528331.2437241257929684801.JavaMail.root@imap1a>
Message-ID: <394222653.2437631257929977020.JavaMail.root@imap1a>

----- "Nick Hilliard" wrote:
> Incidentally, if you're planning to use the N5K as a fancy 1G switch,
> note that the system will change the switching mode from cut-through to
> store-n-forward for GE ports; cut-through is only supported for 10G
> transceivers. This may matter for iSCSI.

Looking at the specs, an alternative would be a central 5010 and two 2148 FEX as top-of-rack 1G. Using up to 40 of the 1G ports and 4 x 10G for uplink to the N5K would make it line-rate, right? Has anyone got any experience with this setup?

Arne

From alex at digriz.org.uk Wed Nov 11 05:12:49 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Wed, 11 Nov 2009 10:12:49 +0000
Subject: [c-nsp] RSA and rancid
References: <4AF9AD82.2040904@sara.nl> <61FA706B-E242-45F6-A3CE-E380D1F2EDA8@djvh.nl>
Message-ID: <1afqs6-3dp.ln1@chipmunk.wormnet.eu>

Dirk-Jan van Helmond wrote:
>
> Don't use RSA authentication for automated processes?
> Use local accounts, or if your devices support it SSH public keys are a handy option.
To be honest, you would be crazy to rely just on RSA authentication, as if your RADIUS server is dead you will not be able to log into *any* of your switching infrastructure...oh, your RADIUS server might be dead because of a network issue :)

Also why VoIP is great, no support calls to deal with when there are problems :)

So in short, you *have* to have a local backup account...even if it is only accessible via a serial console server.

> If the authentication isn't being sent plaintext, there is no added
> security in using one time passwords for automated processes.
>

I have to take grumblings against that. OTPs go a good way to stop bruteforce attacks[1] and also go a long way to *prove* that the person logging in has not had their credentials p0wned.

Cheers

[1] well, if you are using naff pincode jobs (RSA or HOTP for example), then maybe it is pointless, but RFC 2289 is rather good

--
Alexander Clouter
.sigmonster says: Girls are better looking in snowstorms.
		-- Archie Goodwin

From jimmi at netpoint.com.br Wed Nov 11 06:52:40 2009
From: jimmi at netpoint.com.br (jimmi)
Date: Wed, 11 Nov 2009 08:52:40 -0300
Subject: [c-nsp] MPLS Multi-AS options...
In-Reply-To: <4a80ecce0911091357l3879e60bk5153056c3c0c1096@mail.gmail.com>
References: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com> <200911071534.30804.mtinka@globaltransit.net> <20091109180657.M51920@netpoint.com.br> <4a80ecce0911091357l3879e60bk5153056c3c0c1096@mail.gmail.com>
Message-ID: <20091111115124.M44452@netpoint.com.br>

Kenny, Mark, and whoever else is interested in this matter.

It will be a pleasure to discuss and share information regarding it, but if you don't mind I'd rather do it in private, without copying the whole list. Just let me know who else is interested.

---------- Original Message -----------
From: Kenny Sallee
To: jimmi
Cc: mtinka at globaltransit.net, cisco-nsp at puck.nether.net
Sent: Mon, 9 Nov 2009 13:57:19 -0800
Subject: Re: [c-nsp] MPLS Multi-AS options...
> Hi Jimmi - thanks for sharing - some comments / questions inline below
>
> On Mon, Nov 9, 2009 at 10:07 AM, jimmi wrote:
>
> > Folks.
> >
> > I read these papers a long time ago, so I do not remember anymore exactly
> > what these option labels (A, B, AB, ...) mean.
>
> Quick recap for you:
> Option A = back to back VRFs via sub-interfaces and BGP peering PER VRF
> (lots of resources)
> Option B = exchange of VPN-IPv4 addresses and agreement on RTs and label
> switched path from ingress PE to egress PE routers
> Option AB (aka option D as I've learned): VRFs and sub-interface per client
> and a single eBGP session to carry VPN-IPv4 addresses
>
> > What I can tell you guys is that I operate a network which has an Inter-AS
> > peering where we exchange IPv4 & VPNv4 prefixes and traffic while
> > maintaining QoS services compatibility at both sides (ASs) for a long time,
> > and customers whose VPNs have sites serviced by both ASs have their QoS
> > requirements honored at both ASs' backbones and last mile connections.
>
> Sounds like you are doing option B?
>
> > I already had real "Inter-AS + QoS compatibility" experience with Cisco
> > being the only platform, and where Cisco interoperates with (two) different
> > vendors, and that worked just fine.
>
> On your ASBR - do you have to create VRFs for every customer that crosses
> the ASBR? Do you mind sharing the relevant parts of your configuration
> (sanitized of course) if possible?
>
> > This deployment where you just had to establish a single eBGP peering at
> > VPNv4 address-family to exchange VPNv4 prefixes and traffic (of course you
> > may exchange IPv4 also, and may establish redundant peerings) brings lots of
> > benefits.
> > It does not impact your ASBR resources, reduces the number of
> > connections between ASBRs & routing gets simplified, allows
> > oversubscription between ASBRs, and does not require you to act at the
> > borders (ASBRs) each time a "site" is added or removed from a customer VPN
> > (regardless of where this site is connected).
>
> That's interesting actually - sounds pretty straightforward. So
> far it seems like some overseas operators are actually doing this or
> contemplating doing it. Anyone in the continental US researching
> and/or implementing either of the options?
>
> Kenny
------- End of Original Message -------

From lists at quux.de Wed Nov 11 09:03:08 2009
From: lists at quux.de (Jens Link)
Date: Wed, 11 Nov 2009 15:03:08 +0100
Subject: [c-nsp] RSA and rancid
In-Reply-To: <4AF9AD82.2040904@sara.nl> (Mark Meijerink's message of "Tue, 10 Nov 2009 19:14:26 +0100")
References: <4AF9AD82.2040904@sara.nl>
Message-ID: <87k4xxjh0j.fsf@laphroiag.quux.de>

Mark Meijerink writes:

> Is anyone of you using RSA tokens and rancid? If so, please explain how
> you make this work. Thanks in advance for your comments.

A friend of mine told me that a combination of a web cam, fuzzyOCR and some Perl code is working fine for token based auto logins.

I haven't worked with RSA tokens for a long while, but I think there was an option to not use a token for logging in.

HTH

Jens

--
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264         |
| http://www.quux.de  | http://blog.quux.de      | jabber: jenslink at guug.de |
-------------------------------------------------------------------------

From p.mayers at imperial.ac.uk Wed Nov 11 11:31:36 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 11 Nov 2009 16:31:36 +0000
Subject: [c-nsp] uRPF bug on C6k SXI1?
In-Reply-To: <1257890092.1166.34.camel@abehat.dyn.net.rm.dk>
References: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk> <4AF9693C.4000301@imperial.ac.uk> <1257890092.1166.34.camel@abehat.dyn.net.rm.dk>
Message-ID: <4AFAE6E8.8080401@imperial.ac.uk>

Peter Rathlev wrote:
> Hi Phil,
>
> Thanks for the input.
>
> On Tue, 2009-11-10 at 13:23 +0000, Phil Mayers wrote:
>> Do you have CoPP or MLS rate limiters? Is the traffic being CPU punted
>> (use a SPAN session to find out) and this rate-limiting what's causing
>> the drops?
>
> No CoPP or rate-limiters configured, only defaults. Is there any way to
> see counters for the rate-limiters? The "show
>
>> If so, it could be a hardware/tcam programming error; we've seen a few
>> of these in obscure cases on SXI, and I've not found a reliable way to
>> clear them. Does a "shut" / "no shut" of the SVI fix the problem? Or
>> the various "clear" commands (e.g. "clear cef" etc.)
>
> Well, I tried shutting/unshutting the SVI, and now I can't seem to
> recreate the problem. :-(

Yep, that sounds familiar. We've seen the problem with dodgy CEF prefixes "suddenly" go away when SVIs are shut/no shut. Someone suggested the next-hop MTU getting set wrong in the hardware and causing CPU punts, and that this can happen when SVIs come up/down very occasionally :o(

>
>>> If I remove the "ip verify"-command and then add the version with
>>> "allow-default" directly, I have no problems. Without uRPF there's
>>> no problem either. Only when first entering the command without
>>> "allow-default" and then adding "allow-default" does the problem
>>> appear.
>> We haven't seen that, but have seen other issues where (apparently)
>> CEF entries are programmed incorrectly resulting in traffic being CPU
>> punted and having to pass through CoPP, and thus being very lossy.
>
> I would really like to have looked more into this, but with the problem
> gone, I'm stuck: If it would happen again, is there any way to check
> what the rate-limiters/CoPP drops via some counters?

Well, CoPP drops can be seen with:

sh policy-map control-plane

...but if you haven't got it set up, you'll see nothing.

sh mls rate-limit

...shows the current config for MLS rate limiters, but again if you've not got it set up then the defaults are some pretty conservative multicast punts and nothing else IIRC.

Hmm.

From vuillaumes at gmail.com Wed Nov 11 12:17:21 2009
From: vuillaumes at gmail.com (samuel vuillaume)
Date: Wed, 11 Nov 2009 12:17:21 -0500
Subject: [c-nsp] VPLS and SSTP or STP
Message-ID:

Hi guys,

Just a quick question. Here's my context:

---------------------------------------------------
CPE1----------*QinQ + L2PT port* (7600)------VPLS-----------(7600) *Trunk port* ------NNI---------CPE2

CPE1 and CPE2 run PVST+ and both 7600s don't run any STP.

On the QinQ + L2PT port (7600), I ran a debug netdr and:
- I can see PVST+ traffic coming from CPE1
- I can't see PVST+ traffic coming from CPE2 (from the (7600) Trunk port chassis)

On the (7600) Trunk port, I ran the same debug, debug netdr, and:
- I can see L2PT traffic coming from the (QinQ + L2PT port (7600)), originated from CPE1

My question is: on a *basic Trunk port* (as above, facing CPE2), how should VPLS handle those SSTP BPDUs (01:00:0C...CD)? Apparently they're dropped, and only untagged STP BPDUs (01:80......) are allowed.

IMPORTANT: the NNI VLAN is already double tagged.

Any thoughts would be appreciated....

tks
Sam

From ben at cuckoo.org Wed Nov 11 12:33:14 2009
From: ben at cuckoo.org (Ben White)
Date: Wed, 11 Nov 2009 17:33:14 +0000
Subject: [c-nsp] Different CPU load on two 7206VXR-NPEG2
In-Reply-To:
References:
Message-ID:

Packet fragmentation and re-assembly on one path to one of the sites could explain it. Maybe 'show ip traffic' could glean some useful information.
--
Ben

From thomas at habets.pp.se Wed Nov 11 06:00:45 2009
From: thomas at habets.pp.se (Thomas Habets)
Date: Wed, 11 Nov 2009 12:00:45 +0100 (CET)
Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
In-Reply-To: <20091110213714.GK163@greenie.muc.de>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> <20091110213714.GK163@greenie.muc.de>
Message-ID:

On Tue, 10 Nov 2009, Gert Doering wrote:
> No. Routers will never reassemble transit traffic.

Never is a strong word. It seems "ip virtual-reassembly" does it. It looks like it at least reassembles them in memory and delays them before forwarding them (as fragments), from the debug and counters. On a virtual 7200:

Router#show ip virtual-reassembly fa1/0
FastEthernet1/0:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF

   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:23
   Total reassembly timeout count:3

Not that you'd want to do it, but still.

---------
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas at habets.pp.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;.
./_" };
} me_t;

From lukasz at bromirski.net Wed Nov 11 18:29:04 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 12 Nov 2009 00:29:04 +0100
Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
In-Reply-To:
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> <20091110213714.GK163@greenie.muc.de>
Message-ID: <4AFB48C0.5050003@bromirski.net>

On 2009-11-11 12:00, Thomas Habets wrote:
> On Tue, 10 Nov 2009, Gert Doering wrote:
>> No. Routers will never reassemble transit traffic.
>
> Never is a strong word. It seems "ip virtual-reassembly" does it. It looks
> like it at least reassembles them in memory and delays them before
> forwarding them (as fragments), from the debug and counters. On a virtual
> 7200:

Sure. But that functionality is not found on core routers, but on border routers running CBAC/ZBFW or IPS functionalities, that need a whole packet to do their work on it. As Gert noted, a fragmented IP packet is forwarded in hardware (or "normally") as long as it contains valid header information.

--
"Everything will be okay in the end.   | Łukasz Bromirski
 If it's not okay, it's not the end.   | http://lukasz.bromirski.net

From chpreddi at gmail.com Wed Nov 11 20:18:07 2009
From: chpreddi at gmail.com (Pratap Reddy)
Date: Thu, 12 Nov 2009 12:18:07 +1100
Subject: [c-nsp] Cisco 12000 Series Packet over SONET/SDH (POS) Line Cards (2-Port OC-192c POS )
Message-ID: <910ab33c0911111718w7a6c0224la49b86871a82a4ca@mail.gmail.com>

Hi,

I am planning to use the Cisco 12000 series Two port OC-192 line card.

I would like to have some feedback on this line card.

This line card supports Synchronous Digital Hierarchy (SDH).
Has anyone configured it as Gig enabling WAN?
I used SPA-1x10GE-WL-V2 on 12000-SIP-600 as 10Gig enabling WAN. So I am trying to check if 2-Port OC-192c POS can also be configured for 10Gig enabling WAN.

Cheers.
Pratap.

From gwendel at gmail.com Wed Nov 11 21:07:50 2009
From: gwendel at gmail.com (Greg Wendel)
Date: Wed, 11 Nov 2009 21:07:50 -0500
Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass?
In-Reply-To:
References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk>
Message-ID: <8dfae3430911111807t79f5f95u69e1e71a86f32396@mail.gmail.com>

Roland,

iatrogenic. induced inadvertently ...
http://www.merriam-webster.com/dictionary/IATROGENIC

It is not often I have to look up a word on this board. Well played sir.

On Tue, Nov 10, 2009 at 6:31 PM, Dobbins, Roland wrote:
>
> On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote:
>
> > I've read about this, but I fail to see what the point is.
>
> The point is that there shouldn't be firewalls in front of servers in the
> first place, given that every packet which comes in is unsolicited and
> therefore the stateful inspection is both completely obviated and forms a
> DDoS chokepoint; and yet folks have been so conditioned by security
> snake-oil marketing to put firewalls in front of their servers that they do
> it anyways, complain to their vendors when said firewalls fall over with
> relatively small amounts of traffic due to state-table exhaustion, and thus
> need a way to disable the stateful inspection they paid so much to achieve
> so that they can still claim that they've a firewall in front of their
> servers, even though said firewalls are iatrogenic in nature.
>
> ;>
>
> Folks should do as you say, hardening their servers/apps/services,
> enforcing policy via stateless ACLs in hardware, and deploying reaction
> tools such as S/RTBH. Firewalls in front of servers is generally a Bad
> Idea, period.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Gregory Wendel
Springfield VA, 22153

From mksmith at adhost.com Wed Nov 11 21:11:26 2009
From: mksmith at adhost.com (Michael K. Smith)
Date: Wed, 11 Nov 2009 18:11:26 -0800
Subject: [c-nsp] RSA and rancid
In-Reply-To: <87k4xxjh0j.fsf@laphroiag.quux.de>
Message-ID:

On 11/11/09 6:03 AM, "Jens Link" wrote:

> Mark Meijerink writes:
>
>> Is anyone of you using RSA tokens and rancid? If so, please explain how
>> you make this work. Thanks in advance for your comments.
>
> A friend of mine told me that a combination of a web cam, fuzzyOCR and
> some Perl code is working fine for token based auto logins.
>
> I haven't worked with RSA tokens for a long while, but I think there was
> an option to not use a token for logging in.
>

If you are running an ACS/TACACS+ server on the back end you should be able to specify local-database authentication for your Rancid user and RSA token for everything else.
Regards,

Mike

From rubensk at gmail.com Wed Nov 11 21:13:21 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Thu, 12 Nov 2009 00:13:21 -0200
Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br>
Message-ID: <6bb5f5b10911111813m30da24dbkcc582766c798a2bd@mail.gmail.com>

>> There is nothing special about *forwarding* fragmented packets - unless
>> you have an ACL or anything else that wants to look at Layer 4 info.
>
> That would be Netflow or some QoS policy attached to the interface, for
> instance?
> I guess the router should reassemble the fragmented packets before
> applying any policing on the traffic arriving on the interface...
> Am I right?

It assumes that any fragment matches clauses with L4 info, because it lacks stateful context from the first fragment to eval it.

Rubens

From swmike at swm.pp.se Thu Nov 12 01:31:16 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 12 Nov 2009 07:31:16 +0100 (CET)
Subject: [c-nsp] Cisco 12000 Series Packet over SONET/SDH (POS) Line Cards (2-Port OC-192c POS )
In-Reply-To: <910ab33c0911111718w7a6c0224la49b86871a82a4ca@mail.gmail.com>
References: <910ab33c0911111718w7a6c0224la49b86871a82a4ca@mail.gmail.com>
Message-ID:

On Thu, 12 Nov 2009, Pratap Reddy wrote:

> Hi,
>
> I am planning to use the Cisco 12000 series Two port OC-192 line card.
>
> I would like to have some feedback on this line card.
>
> This line card supports Synchronous Digital Hierarchy (SDH).
> Has anyone configured it as Gig enabling WAN?
> I used SPA-1x10GE-WL-V2 on 12000-SIP-600 as 10Gig enabling WAN.
> So I am trying to check if 2-Port OC-192c POS can also be configured
> for 10Gig enabling WAN.

No, it's Packet over Sonet using HDLC or PPP; it doesn't do ethernet at all. Also, it requires a 12800 upgrade/fabric to work (if it's the old Engine6 card you're referring to).

PS. I interpreted "10Gig enabling WAN" as 10GBASE-LW (WANPHY); if it's something else then all bets are off.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From n00dles at nix-jutsu.net Thu Nov 12 04:12:46 2009
From: n00dles at nix-jutsu.net (n00dles at nix-jutsu.net)
Date: Thu, 12 Nov 2009 09:12:46 +0000
Subject: [c-nsp] Cisco 800 stops forwarding layer 3 via switchport
In-Reply-To: <00dc01ca6229$164da950$42e8fbf0$@net>
References: <20091110164250.GA1003@atsuko> <00dc01ca6229$164da950$42e8fbf0$@net>
Message-ID: <20091112091246.GA52721@atsuko>

On Tuesday, 10 November 2009 at K:13:13 -0600, Jesse Alexander wrote:
> I have seen this issue happen with a customer 800 series, and I think there
> were just too many IPs for it to handle. If I remember correctly, they
> were using an 871. In my case, we think it couldn't handle a /22 (I think
> it was a /22, it was a couple of years ago).

Each site, of which there are a large number (a chain of hotels), has a /27; we are currently seeing the issue on 10-15 sites randomly. I'm doubtful that the kit is unable to handle the load.

> The customer would be fine for a period of time (a few hours or less), then
> would not be able to reach the world until they rebooted it. Because we
> didn't manage the 800, we had no visibility to it, so I cannot tell you
> the specific reason. Because the issue went away after the customer
> upgraded their hardware, we can only assume that the 800 was insufficient
> for their needs.

Our customer won't consider swapping kit out; your experience sounds more advanced than ours, we are only seeing the issue sporadically.
>
> -Jesse
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> n00dles at nix-jutsu.net
> Sent: Tuesday, November 10, 2009 10:43 AM
> To: cisco-nsp at puck.nether.net
> Cc: networks at timico.net
> Subject: Re: [c-nsp] Cisco 800 stops forwarding layer 3 via switchport
>
> Hello all,
>
> We have a strange issue between PIX 501's running 6.3(5) and our 800 series
> routers; we are using various 800s (857/877) with a spread of IOS versions.
> The problem manifests itself as a drop of connectivity between the two
> devices, that being we lose layer 3 forwarding out of the switch-port
> module on the 800.
>
> We are of the opinion we have ethernet connectivity between devices as
> the mac-address table is being populated after being cleared, and
> linkstate shows up/up but we cannot ping, nor can the device ARP for
> the PIX.
>
> Static ARP entries also do not fix the issue; the only way we have found
> so far to fix the problem is to reboot the 800.
>
> Has anyone experienced this kind of problem before?
>
> Regards
>
> --
>  _
> Chris Nicholls                ASCII ribbon campaign     ( )
> Timico Network Operations     - against HTML, vCards and  X
> chris at timico.net             - proprietary attachments in e-mail / \
---end quoted text---

--
 _
Chris Nicholls                ASCII ribbon campaign     ( )
Timico Network Operations     - against HTML, vCards and  X
chris at timico.net             - proprietary attachments in e-mail / \

From n00dles at nix-jutsu.net Thu Nov 12 04:37:34 2009
From: n00dles at nix-jutsu.net (n00dles at nix-jutsu.net)
Date: Thu, 12 Nov 2009 09:37:34 +0000
Subject: [c-nsp] Cisco 800 stops forwarding layer 3 via switchport
In-Reply-To: <73636ae00911111004m5ed306d3p3f7aea90aea6ee25@mail.gmail.com>
References: <20091110164250.GA1003@atsuko> <73636ae00911111004m5ed306d3p3f7aea90aea6ee25@mail.gmail.com>
Message-ID: <20091112093734.GB52721@atsuko>

On Wednesday, 11 November 2009 at K:04:55 +0000, Paul Cosgrove wrote:
> Not personally, but I have heard of similar issues which affect old
> versions of the PIX software. Does disabling/enabling or
> disconnecting/reconnecting the interface also resolve the issue?

Sadly not that I'm aware of; the customer "manages" the PIXs involved, which are really only doing NAT from the looks of the config they have provided.

> On Tue, Nov 10, 2009 at 4:42 PM, <n00dles at nix-jutsu.net> wrote:
>
> Hello all,
> We have a strange issue between PIX 501's running 6.3 and our 800 series
> routers; we are using various 800s (857/877) with a spread of IOS versions. The
> problem manifests itself as a drop of connectivity between the two
> devices, that being we lose layer 3 forwarding out of the switch-port
> module on the 800.
> We are of the opinion we have ethernet connectivity between devices as
> the mac-address table is being populated after being cleared, and
> linkstate shows up/up but we cannot ping, nor can the device ARP for
> the PIX.
> Static ARP entries also do not fix the issue; the only way we have found
> so far to fix the problem is to reboot the 800.
> Has anyone experienced this kind of problem before?
> Regards
> --
>  _
> Chris Nicholls                ASCII ribbon campaign     ( )
> Timico Network Operations     - against HTML, vCards and  X
> chris at timico.net             - proprietary attachments in e-mail / \
---end quoted text---

--
 _
Chris Nicholls                ASCII ribbon campaign     ( )
Timico Network Operations     - against HTML, vCards and  X
chris at timico.net             - proprietary attachments in e-mail / \

From niklas.rehnberg at gmail.com Thu Nov 12 07:27:07 2009
From: niklas.rehnberg at gmail.com (niklas rehnberg)
Date: Thu, 12 Nov 2009 13:27:07 +0100
Subject: [c-nsp] (multi chass)i mc lag feature 7600
Message-ID:

Hi,
Has anyone any information about when the 7600 will support mc-lag?

//Niklas

From achatz at forthnet.gr Thu Nov 12 07:57:26 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 12 Nov 2009 14:57:26 +0200
Subject: [c-nsp] (multi chass)i mc lag feature 7600
In-Reply-To:
References:
Message-ID: <4AFC0636.9060602@forthnet.gr>

ES cards under SRE are supposed to support it.

--
Tassos

niklas rehnberg wrote on 12/11/2009 14:27:
> Hi,
> Has anyone any information about when the 7600 will support mc-lag?
>
> //Niklas
>

From madunix at gmail.com Thu Nov 12 08:10:02 2009
From: madunix at gmail.com (madunix)
Date: Thu, 12 Nov 2009 15:10:02 +0200
Subject: [c-nsp] Fiber
Message-ID: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>

I need to know your opinion about fiber to desk, i.e. pros and cons.

Thanks in advance.

From swmike at swm.pp.se Thu Nov 12 08:24:33 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 12 Nov 2009 14:24:33 +0100 (CET)
Subject: [c-nsp] Fiber
In-Reply-To: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
Message-ID:

On Thu, 12 Nov 2009, madunix wrote:

> I need to know your opinion about fiber to desk, i.e. pros and cons.

Fiber is much more sensitive to dust, bending and other kinds of things that might happen day-to-day with people who don't really know or care about data communication. It's also more expensive generally (everything involved, NICs, switches and cables, is more expensive).

Why would you want to do it? I don't really see any pros whatsoever to doing it.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From iam at st-andrews.ac.uk Thu Nov 12 08:29:28 2009
From: iam at st-andrews.ac.uk (Ian McDonald)
Date: Thu, 12 Nov 2009 13:29:28 +0000
Subject: [c-nsp] Fiber
In-Reply-To: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
Message-ID: <4AFC0DB8.4020708@st-andrews.ac.uk>

madunix wrote:
> I need to know your opinion about fiber to desk, i.e. pros and cons.
>
> Thanks in advance.
>

Well, it does rather depend on your requirements. My opinion is that it's good:

- where you're not allowed copper, like oil refineries
- where copper cable won't work due to massive interference
- where you must have runs to desktops that are over 90m (tho I've some long runs on cat6 that work at 100M, just keep them below 200m, and use quality cable)

Downsides are obviously:

- cost of adapters for PCs
- cost of fibre switches
- single-technology (you don't get 10/100/1000 fibre standards, so you have to do all one-standard)
- it's more sensitive to being bashed, stood on, etc

Back in the day, when they thought copper was dead, Brand-Rex developed a shotgun copper+blown-fibre tube called BloTwist (http://www.ezziengineering.com/pdf/cables/BloliteBro.pdf). Of all the places our local Brand-Rex guy knows they fitted it, not one has used the fibre capability to date.

What actually is your requirement?

--
ian

Ian McDonald, ITS, University of St Andrews
The University of St Andrews is a charity registered in Scotland: SC013532

From shaw38 at gmail.com Thu Nov 12 09:49:36 2009
From: shaw38 at gmail.com (Steve Shaw)
Date: Thu, 12 Nov 2009 09:49:36 -0500
Subject: [c-nsp] WDM Splitter
Message-ID: <1d3cfae10911120649v22a91a9fm1e4f25542ee81da8@mail.gmail.com>

Guys,

Has anyone used one of these WDM splitter cables from Cisco (WDM-1300-1550-S)?

https://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6575/product_data_sheet0900aecd8029d01b_ps708_Products_Data_Sheet.html

If I'm reading the data sheet correctly, since it splits off the 1300 and 1550 wavelengths you *should* be able to get 2x10-GE out of a single pair with an LR and an ER optic at either end.
Thanks, Steve From nick at inex.ie Thu Nov 12 10:13:04 2009 From: nick at inex.ie (Nick Hilliard) Date: Thu, 12 Nov 2009 15:13:04 +0000 Subject: [c-nsp] Fiber In-Reply-To: References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com> Message-ID: <4AFC2600.3070707@inex.ie> On 12/11/2009 13:24, Mikael Abrahamsson wrote: > Why would you want to do it? I don't really see any pros what so ever to > do it. it's useful if you want 10G to the desk. Otherwise, it's too fragile and sensitive for the average office environment. Nick From mhuff at ox.com Thu Nov 12 09:01:35 2009 From: mhuff at ox.com (Matthew Huff) Date: Thu, 12 Nov 2009 09:01:35 -0500 Subject: [c-nsp] Fiber In-Reply-To: <4AFC0DB8.4020708@st-andrews.ac.uk> References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com> <4AFC0DB8.4020708@st-andrews.ac.uk> Message-ID: <483E6B0272B0284BA86D7596C40D29F9D77551D4AD@PUR-EXCH07.ox.com> > where you're not allowed copper, like oil refineries > where copper cable won't work due to massive interference > where you must have runs to desktops that are over 90m (tho I've some > long runs on cat6 that work at 100M, just keep them below 200m, and use quality cable) Now that 10G over copper Cat6a (802.3an 10GBASE-T) has been finalized there aren't any good reason to go with fiber except for physical requirements like Ian stated. Also Desktop fiber aggregation is much more expensive in terms of line cards, diversity of switch choices, lack of desktop NICs. Usually I hear FTTD being done to "future proof" the wiring. Most of the times the fiber never ends up being used. Cat6a is backwards compatible with 5e, so if you are doing a new wiring plant, that's enough "future proof" for the next reasonable term. ---- Matthew Huff?????? | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com? | Phone: 914-460-4039 aim: matthewbhuff? | Fax:?? 
914-460-4139 From damin at nacs.net Thu Nov 12 09:48:27 2009 From: damin at nacs.net (Gregory Boehnlein) Date: Thu, 12 Nov 2009 09:48:27 -0500 Subject: [c-nsp] L2TP Configuration Debugging Message-ID: <02f101ca63a7$3487be40$9d973ac0$@net> Hello, I am attempting to help a customer debug an interconnect issue on his L2TP configuration. Unfortunately, this particular customer is not very Cisco savvy, and I am not very L2TP on Cisco savvy, so I would like to recruit someone for an hour (paid) to assist in debugging this tunnel configuration. Specifically, we are attempting to get DSL PPPoE sessions to establish the tunnel to a remote router for authentication / transport. Please let me know if you are interested in assisting, and what your hourly rate is. Thanks! From travis.marlow at everestgt.com Thu Nov 12 10:22:34 2009 From: travis.marlow at everestgt.com (Travis Marlow) Date: Thu, 12 Nov 2009 09:22:34 -0600 Subject: [c-nsp] SP QoS Service Class Message-ID: <6C6B0D3E366A42FABDC5B13B3AF9955C@corp.surewest.com> I'm trying to plan for a QoS implementation for an Internet Access provider. I just finished reading RFC 4594 and it recommends VoIP signalling traffic be marked CS5. Every other reference I have seen always has it at AF31 or CS3. Is anyone else using the RFC recommendation? Would any SP be willing to share a general configuration for service classes they have defined. Sorry for the duplicate, I sent from the wrong email address before. 
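As an added illustration of the marking question above (example code written for this archive page, not configuration or code from any poster in the thread or from Cisco), the Python below shows how the DSCP names being compared (CS3, AF31, CS5, EF) map to code-point bits, IP precedence and the ToS byte, and applies a toy ingress trust boundary: only packets from known call-control or media gateways keep their DSCP, untrusted packets to well-known signalling ports get the signalling marking, and everything else, including packets that arrive pre-marked EF, is reset to best effort. The two marking tables (one following the RFC 4594 CS5 recommendation, one following the CS3 convention), the trusted-source rule and the port list are assumptions made for the example.

```python
"""DSCP marking helpers plus a toy ingress trust-boundary remark.

Added example for this thread; not code from any poster or from Cisco.
The marking tables, trusted-source rule and port list are assumptions.
"""
from dataclasses import dataclass

EF = 46  # Expedited Forwarding, RFC 3246 (binary 101110)


def cs(n: int) -> int:
    """Class Selector CSn: the three precedence bits, low bits zero."""
    if not 0 <= n <= 7:
        raise ValueError(f"class selector out of range: {n}")
    return n << 3


def af(cls: int, drop: int) -> int:
    """Assured Forwarding AFxy (RFC 2597): class x in 1..4, drop precedence y in 1..3."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError(f"invalid AF class/drop: {cls}{drop}")
    return (cls << 3) | (drop << 1)


def dscp_value(name: str) -> int:
    """Map a PHB name such as 'CS3', 'AF31', 'EF' or 'BE' to its 6-bit code point."""
    n = name.upper()
    if n == "EF":
        return EF
    if n in ("BE", "DEFAULT", "CS0"):
        return 0
    if n.startswith("CS") and n[2:].isdigit():
        return cs(int(n[2:]))
    if n.startswith("AF") and len(n) == 4 and n[2:].isdigit():
        return af(int(n[2]), int(n[3]))
    raise ValueError(f"unknown DSCP name {name!r}")


def dscp_name(value: int) -> str:
    """Inverse of dscp_value; unnamed code points come back as 'DSCPnn'."""
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP out of range: {value}")
    if value == EF:
        return "EF"
    cls, low = value >> 3, value & 0x7
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low >> 1}"
    return f"DSCP{value}"


def ip_precedence(dscp: int) -> int:
    """The three high bits of the DSCP (what an ACL remark like 'TOS 3' refers to)."""
    return dscp >> 3


def tos_byte(dscp: int) -> int:
    """The DSCP occupies the top six bits of the IPv4 ToS / IPv6 Traffic Class byte."""
    return dscp << 2


# Two marking schemes from the discussion (assumed example tables):
# RFC 4594 recommends CS5 for call signalling; CS3 is the common deployed choice.
RFC4594_MARKING = {"voice": "EF", "signaling": "CS5", "default": "BE"}
COMMON_MARKING = {"voice": "EF", "signaling": "CS3", "default": "BE"}

# Well-known signalling ports for the toy classifier (assumption):
# SIP 5060/5061, SCCP 2000, MGCP 2427/2727.
SIGNALING_PORTS = frozenset({5060, 5061, 2000, 2427, 2727})


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int
    dscp: int    # marking as received on the ingress interface


def ingress_remark(pkt: Packet, trusted_source: bool, marking=COMMON_MARKING) -> int:
    """Return the DSCP to write at the trust boundary.

    Trusted sources (your own call agents and media gateways) keep their marking.
    Anything else is classified by port: signalling ports get the signalling class,
    and every other packet, including one already marked EF by the sender, is reset
    to best effort so a host cannot claim the priority queue by marking its own traffic.
    """
    if trusted_source:
        return pkt.dscp
    if pkt.sport in SIGNALING_PORTS or pkt.dport in SIGNALING_PORTS:
        return dscp_value(marking["signaling"])
    return dscp_value(marking["default"])


def demo() -> dict:
    """Classify a few constructed packets under both marking tables."""
    sip_from_phone = Packet("udp", 49152, 5060, dscp=0)
    ef_from_laptop = Packet("udp", 40000, 40001, dscp=EF)    # self-marked EF, untrusted
    rtp_from_gateway = Packet("udp", 16384, 20000, dscp=EF)  # from a trusted media gateway
    return {
        "sip_common": dscp_name(ingress_remark(sip_from_phone, False)),
        "sip_rfc4594": dscp_name(ingress_remark(sip_from_phone, False, RFC4594_MARKING)),
        "laptop_ef": dscp_name(ingress_remark(ef_from_laptop, False)),
        "gateway_ef": dscp_name(ingress_remark(rtp_from_gateway, True)),
    }


if __name__ == "__main__":
    for name in ("CS3", "AF31", "CS5", "EF"):
        v = dscp_value(name)
        print(f"{name:>4} = DSCP {v:2d} (0b{v:06b}), precedence {ip_precedence(v)}, ToS 0x{tos_byte(v):02x}")
    print(demo())
```

The point of the remarking step is the trust boundary: any later class that matches on DSCP alone (for example a priority class for packets already carrying EF) is only as trustworthy as the marking enforced where customer traffic enters, so a design that picks CS5 or CS3 for signalling still needs the edge to reset markings it did not assign.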
From madunix at gmail.com Thu Nov 12 11:12:47 2009
From: madunix at gmail.com (madunix)
Date: Thu, 12 Nov 2009 18:12:47 +0200
Subject: [c-nsp] Fiber
Message-ID: <4d3f56c90911120812r7b195462q94b6c4c4727b1d74@mail.gmail.com>

I am just trying to take advantage of using light technologies in the LAN for our new building, due to the long distance between the offices (over 90m). I know fiber is fast but expensive and copper gigabit is still far cheaper, and fiber to the desktop isn't required for the majority of applications.

Thanks

On Thu, Nov 12, 2009 at 4:01 PM, Matthew Huff wrote:
> Now that 10G over copper Cat6a (802.3an 10GBASE-T) has been finalized there aren't any good reasons to go with fiber except for physical requirements like Ian stated.

From koug at intracom.gr Thu Nov 12 10:38:28 2009
From: koug at intracom.gr (John Kougoulos)
Date: Thu, 12 Nov 2009 17:38:28 +0200 (GTB Standard Time)
Subject: [c-nsp] Fiber

> It's useful if you want 10G to the desk. Otherwise, it's too fragile and
> sensitive for the average office environment.

Maybe plastic optical fibers are not so fragile/sensitive, but I haven't seen them in production.

John

From Charlie.Greenaway at btinet.bt.com Thu Nov 12 11:16:23 2009
From: Charlie.Greenaway at btinet.bt.com (Charlie Greenaway)
Date: Thu, 12 Nov 2009 16:16:23 -0000
Subject: [c-nsp] L2TP Configuration Debugging
Message-ID: <7EA99F102607DF43BDF25CC6847500870450E566@lhmail.btinet.local>

Gregory,

Please drop me a line with the configuration of the router acting as PPPoE client and the router acting as the LNS. Also, please detail what is in the RADIUS profile (if a AAA server is being used). No promises, but I'll check it over and offer up some suggestions if I have any.

Best regards,
Charlie G

Charlie Greenaway - CCIE#11226 (Security/R&S)
Solutions Architect | BT iNet | Tel: +44 (0)1993 885897
Email: charlie.greenaway at btinet.bt.com | Web: www.btinet.bt.com

From akg1330 at gmail.com Thu Nov 12 10:20:16 2009
From: akg1330 at gmail.com (Andrew Gallo)
Date: Thu, 12 Nov 2009 10:20:16 -0500
Subject: [c-nsp] Fiber
Message-ID: <4AFC27B0.9000408@gmail.com>

madunix wrote:
> I need to know your opinion about fiber to the desk, i.e. pros and cons.
>
> Thanks in advance.

We have an extensive fiber to the desk network. The pros are that it allowed us to centralize equipment much farther away from the clients than the 100m distance limitation of twisted pair. This allowed for better port utilization, better environmentals (power and cooling in one place rather than lots of closets).

The current plant we're on has supported us from 10BaseFL, 100BaseFX, ATM155, and will continue to support us through 1000BaseX (though we might run into some distance limitations on some of our stations). So, the plant has lasted much longer than a copper plant would have.

Cons:

The electronics are more expensive: fiber switchports will cost more and you'll need media converters or fiber NICs; the fiber patch cords are more expensive.

Connectors: There has been one copper connector for twisted pair ethernet, while we have several for fiber.

No speed negotiation: we do have some devices that are 10Base-T only or 100Base-T only, so that presents a challenge (different client equipment to allow for rate adaptation).

New problems that are arising:

No realistic PoE option: we have a growing demand for network powered devices (APs and phones). There are power injecting media converters, but they are more expensive.

What specifically is leading you to FTTD?

From akg1330 at gmail.com Thu Nov 12 10:28:01 2009
From: akg1330 at gmail.com (Andrew Gallo)
Date: Thu, 12 Nov 2009 10:28:01 -0500
Subject: [c-nsp] WDM Splitter
Message-ID: <4AFC2981.30000@gmail.com>

Steve Shaw wrote:
> Has anyone used one of these WDM splitter cables from Cisco
> (WDM-1300-1550-S)?
>
> If I'm reading the data sheet correctly, since it splits off the 1300 and
> 1550 wavelengths you *should* be able to get 2x10-GE out of a single
> pair with an LR and ER optic at either end.

It sounds like your application is something along the lines of what is depicted in "Figure 12. WDM Splitter Cable for Non-CWDM Applications". I haven't used that specific part to do a 1310/1550 10G network, but we have a similar part from Fiberdyne (a Dual Window Mux) to do a SONET (at 1310) overlay on a DWDM signal. We also have a 1000BaseLX overlay onto DWDM systems and have even done a video signal at 1310 using these parts.

As long as you could run either optic over this cable without the combiner/splitter, you should be fine. It will introduce a bit of loss, so make sure you account for that.

From mtinka at globaltransit.net Thu Nov 12 11:51:38 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 13 Nov 2009 00:51:38 +0800
Subject: [c-nsp] Fiber
Message-ID: <200911130051.46421.mtinka@globaltransit.net>

On Thursday 12 November 2009 09:10:02 pm madunix wrote:

> I need to know your opinion about fiber to the desk, i.e. pros
> and cons.

I tend to agree with Matthew and the others that have commented on this.

The issue of distance and bandwidth notwithstanding, we've experienced situations where delivering fibre to somebody's home or desk is considered more for marketing mileage than any technical reasons. However, that also tends to set you up for a potential PR disaster since customers tend to "eat that **** up", and misunderstand it at the same time.

Unless you're trying to solve a distance problem, and/or your customer requires anything more than 1Gbps (well, Cat-6a, as others have mentioned, has been standardized - but diffusion may take a while) then consider copper. Otherwise, the additional potential cost in maintaining it does not really justify passing over copper solutions, IMHO.

Moreover, fibre deployments to the home or desk require CPE, which, in very many cases, speak copper on the other end. So what's really the point? Needless to say, laptops, routers, switches, set-top boxes, wi-fi AP's, PC's, Mac's, game consoles, TV's, etc., all ship with RJ-45 dual- or tri-rate copper ports as standard these days. So no need for CPE, no need for additional customer training, etc.

Again, distance and bandwidth notwithstanding, this, in my mind, tends to question the long-term sustainability of FTTH, either through PON (Passive Optical Networks) or Active Ethernet. Since FTTH is looked at as a potential replacement for regular ADSL (i.e., consumer broadband), how many users can eat up a 1Gbps connection, assuming their ISP let them? This is not considering bandwidth used by IPTV and such, as customers buy channels for IPTV services, not bandwidth to drive the channels (that's the service provider's problem).

Cheers,

Mark.
From mawhi at vestas.com Thu Nov 12 11:50:15 2009
From: mawhi at vestas.com (Matthew White)
Date: Thu, 12 Nov 2009 08:50:15 -0800
Subject: [c-nsp] Fiber

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Kougoulos
> Sent: Thursday, November 12, 2009 7:38 AM
> To: Nick Hilliard
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Fiber
>
> > It's useful if you want 10G to the desk. Otherwise, it's
> > too fragile and sensitive for the average office environment.

Don't forget the wiring closet side. Much more care needs to be taken with designing a structured cabling layout for fiber than for copper. With the added cost for patch cords, etc... I don't see any advantages over copper.

-mtw

From gtb at slac.stanford.edu Thu Nov 12 12:03:23 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Thu, 12 Nov 2009 09:03:23 -0800
Subject: [c-nsp] Fiber
Message-ID: <6F51B50ECF32084788B9B3A8469A71B52916559D39@EXCHCLUSTER1-02.win.slac.stanford.edu>

> I need to know your opinion about fiber to the desk, i.e. pros and cons.

If one needs fiber for distance, electrical isolation, limited space/cooling for access switches, etc., one may want to look at various FTTx technologies (xPON and friends) which can provide fiber to "near" the desk with a relatively low cost drop to copper (the ONT) at the desk. Note that FTTx is (mostly) a residential subscriber type of solution (more bandwidth *to* the desk than from it), and that may not meet the needs of servers or "power users" (that are really more like servers). As with all else, your particular situation will vary.

A presentation by Sandia at the Internet2/ESCC Joint Techs meeting in Indiana in June of 2009 discussed their particular FTTx plans (and may provide some thoughts):

http://www.internet2.edu/presentations/jt2009jul/20090720-brenkosh.pdf

Gary

From mtinka at globaltransit.net Thu Nov 12 12:04:00 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 13 Nov 2009 01:04:00 +0800
Subject: [c-nsp] Fiber
Message-ID: <200911130104.05791.mtinka@globaltransit.net>

On Friday 13 November 2009 12:12:47 am madunix wrote:

> I am just trying to take advantage of using light
> technologies in the LAN for our new building, due to the long
> distance between the offices (over 90m). I know fiber is
> fast but expensive and copper gigabit is still far cheaper, and
> fiber to the desktop isn't required for the majority of
> applications.

If the cost of deploying a fibre-based LAN (in terms of fibre spools, optics, CPE/converters, NIC's, maintenance, etc.) outweighs the cost of doing FTTB (Basement) and feeding trunk fibre pairs up to strategically-positioned copper-based Ethernet switches where you're not having to worry about cable distance to users, then you have your answer. Else, you'd need to make the hard choices :-).

And don't just look at capex. Consider opex too (both financial and otherwise).

Cheers,

Mark.
URL: From sethm at rollernet.us Thu Nov 12 13:41:59 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 12 Nov 2009 10:41:59 -0800 Subject: [c-nsp] Client-to-client wireless on 877W Message-ID: <4AFC56F7.6070307@rollernet.us> Does anyone know offhand how to enable local wireless bridge (client to client communication) on the radio on a Cisco 877W? I swear I thought I saw it in the docs somewhere a year ago when I set this thing up, but for the life of me I can't find it now or I'm not searching for whatever Cisco likes to call this function. ~Seth From jason at pins.net Thu Nov 12 15:39:25 2009 From: jason at pins.net (Jason Berenson) Date: Thu, 12 Nov 2009 15:39:25 -0500 Subject: [c-nsp] SP QoS Service Class In-Reply-To: <6C6B0D3E366A42FABDC5B13B3AF9955C@corp.surewest.com> References: <6C6B0D3E366A42FABDC5B13B3AF9955C@corp.surewest.com> Message-ID: <4AFC727D.4060706@pins.net> Travis, This map has worked pretty well for us. The idea behind splitting out RTP from signaling is if signaling doesn't get through, the call will drop. I welcome constructive criticism. :) class-map match-any Core_Voice_Signaling match access-group name Core_Voice_Signaling class-map match-any Core_Voice_RTP match access-group name Core_Voice_RTP ! policy-map voice class Core_Voice_Signaling bandwidth percent 5 class Core_Voice_RTP priority percent 70 class class-default fair-queue random-detect dscp-based ! 
ip access-list extended Core_Voice_RTP remark DSCP 24 = TOS 3 permit udp any any dscp cs3 remark DSCP ef permit udp any any dscp ef ip access-list extended Core_Voice_Signaling remark MGCP Signaling permit udp any any eq 2727 permit udp any eq 2727 any permit udp any any eq 2427 permit udp any eq 2427 any remark Samsung Signaling permit udp any any eq 6000 permit udp any eq 6000 any permit tcp any any eq 6100 permit tcp any eq 6100 any remark Cisco Skinny Signaling permit udp any any eq 2000 permit udp any eq 2000 any permit tcp any any eq 2000 permit tcp any eq 2000 any remark Allworx Signaling permit udp any any eq 2088 permit udp any eq 2088 any permit tcp any any eq 8081 permit tcp any eq 8081 any remark ADIX Signaling permit tcp any any eq 50000 permit tcp any eq 50000 any remark SIP Signalling permit udp any any eq 5060 permit udp any eq 5060 any permit udp any any eq 5061 permit udp any eq 5061 any permit tcp any any eq 5060 permit tcp any eq 5060 any permit tcp any any eq 5061 permit tcp any eq 5061 any ! -Jason Travis Marlow wrote: > I'm trying to plan for a QoS implementation for an Internet Access provider. > I just finished reading RFC 4594 and it recommends VoIP signalling traffic > be marked CS5. Every other reference I have seen always has it at AF31 or > CS3. Is anyone else using the RFC recommendation? Would any SP be willing to > share a general configuration for service classes they have defined. > > Sorry for the duplicate, I sent from the wrong email address before. 
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From tdurack at gmail.com Thu Nov 12 21:32:46 2009 From: tdurack at gmail.com (Tim Durack) Date: Thu, 12 Nov 2009 21:32:46 -0500 Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean Message-ID: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com> Anyone know how glean traffic behaves on a Sup720 with CoPP configured? We have gradually locked down our CoPP config, to the point that our final class is a default deny for any unclassified traffic. Unfortunately this has the unwanted side-effect of dropping glean traffic, with the knock-on effect of some arp resolution problems. In our tests, it appears that configuring an explicit class-default works around this, but I can't find any documentation. So far TAC hasn't come up with anything either. On the Nexus, docs specifically state that glean traffic is directed to the default class. -- Tim:> From rintrum at gmail.com Thu Nov 12 22:30:32 2009 From: rintrum at gmail.com (Rin) Date: Fri, 13 Nov 2009 10:30:32 +0700 Subject: [c-nsp] MAC address use on 7600 Message-ID: <002101ca6411$aa38ef00$feaacd00$@com> Hi group, Can someone explain why router 7600 uses the same MAC address for all VLAN interfaces and ES20 ports? Catalyst 3560 has different MAC address for each VLAN interface. Thanks, Rin From jim at tgasolutions.com Thu Nov 12 23:16:30 2009 From: jim at tgasolutions.com (Jim McBurnett) Date: Thu, 12 Nov 2009 23:16:30 -0500 Subject: [c-nsp] 3750G vs. 
Nexus for a SAN In-Reply-To: <1r9gf5drp3n1c2odkcn4f473thtpg38ujl@hojmark.net> References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com> <1r9gf5drp3n1c2odkcn4f473thtpg38ujl@hojmark.net> Message-ID: It is on the price list. $5300.. I have on in production and one on order for a customer.. Nice switch... Jim -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Asbjorn Hojmark - Lists Sent: Monday, November 09, 2009 9:31 AM To: Brian Landers Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN On Mon, 9 Nov 2009 09:05:34 -0500, you wrote: > [Cat 2350G] Doesn't appear to be in the pricing tool yet, though? Every order goes on NPH and needs to go through the BU for approval. Pricing is 'known, but not public'. -A _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ketimun at gmail.com Fri Nov 13 01:56:42 2009 From: ketimun at gmail.com (selamat pagi) Date: Fri, 13 Nov 2009 07:56:42 +0100 Subject: [c-nsp] router boots into ROMMON Message-ID: My 7600 boots ignores the boot statement and goes into ROMMON. >From ROMMON I can boot with following command: rommon 2 >* boot bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin* rommon 1 > set PS1=rommon ! 
> LOG_PREFIX_VERSION=1 CONFIG_FILE= SWITCH_NUMBER=0 SLOTCACHE=cards; CRASHINFO=crashinfo_FAILED CV= BOOT=bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1; ** config: boot-start-marker boot system flash sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin boot-end-marker 7600#*sh boot* BOOT variable = sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1; CONFIG_FILE variable = BOOTLDR variable = Configuration register is 0x2102 Any ideas what could be wrong ? Cheers, ketimun From wim.holemans at UA.AC.BE Fri Nov 13 02:15:04 2009 From: wim.holemans at UA.AC.BE (Holemans Wim) Date: Fri, 13 Nov 2009 08:15:04 +0100 Subject: [c-nsp] 3750G vs. Nexus for a SAN In-Reply-To: References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com><689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com><4AF7BCEF.20506@skoal.name><689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com><1r9gf5drp3n1c2odkcn4f473thtpg38ujl@hojmark.net> Message-ID: What version of IOS does it run ? Base version or lite version ? Wim Holemans Network Services University of Antwerp -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jim McBurnett Sent: vrijdag 13 november 2009 5:17 To: Asbjorn Hojmark - Lists; Brian Landers Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN It is on the price list. $5300.. I have on in production and one on order for a customer.. Nice switch... Jim -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Asbjorn Hojmark - Lists Sent: Monday, November 09, 2009 9:31 AM To: Brian Landers Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN On Mon, 9 Nov 2009 09:05:34 -0500, you wrote: > [Cat 2350G] Doesn't appear to be in the pricing tool yet, though? Every order goes on NPH and needs to go through the BU for approval. 
Pricing is 'known, but not public'. -A _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cphillips at wbsconnect.com Fri Nov 13 02:28:49 2009 From: cphillips at wbsconnect.com (Chris Phillips) Date: Thu, 12 Nov 2009 23:28:49 -0800 Subject: [c-nsp] router boots into ROMMON In-Reply-To: References: Message-ID: <4AFD0AB1.7090302@wbsconnect.com> Config register looks fine. Most obvious thing would be that the bin file doesn't exist. What does "dir sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin" return? Does the file exist? selamat pagi wrote: > My 7600 boots ignores the boot statement and goes into ROMMON. >>From ROMMON I can boot with following command: > > rommon 2 >* boot bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin* > > > rommon 1 > set > PS1=rommon ! > > LOG_PREFIX_VERSION=1 > CONFIG_FILE= > SWITCH_NUMBER=0 > SLOTCACHE=cards; > CRASHINFO=crashinfo_FAILED > CV= > BOOT=bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1; > > ** > config: > boot-start-marker > boot system flash sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin > boot-end-marker > > 7600#*sh boot* > BOOT variable = sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1; > CONFIG_FILE variable = > BOOTLDR variable = > Configuration register is 0x2102 > > Any ideas what could be wrong ? 
> > Cheers, ketimun > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From ketimun at gmail.com Fri Nov 13 03:31:30 2009 From: ketimun at gmail.com (selamat pagi) Date: Fri, 13 Nov 2009 09:31:30 +0100 Subject: [c-nsp] Fwd: router boots into ROMMON In-Reply-To: References: <4AFD0A9D.5080901@skoal.name> Message-ID: Fantastic, that's the solution confreg on SP was 0, re-configuring conf-reg solved the issue :-) Many, mans thanks !!!!! 7600#remote command switch show boot BOOT variable = bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1; CONFIG_FILE variable = BOOTLDR variable does not exist Configuration register is 0x0 (will be 0x2102 at next reload) > From peter at rathlev.dk Fri Nov 13 03:32:34 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 13 Nov 2009 09:32:34 +0100 Subject: [c-nsp] router boots into ROMMON In-Reply-To: References: Message-ID: <1258101154.10157.1.camel@abehat.dyn.net.rm.dk> On Fri, 2009-11-13 at 07:56 +0100, selamat pagi wrote: > My 7600 boots ignores the boot statement and goes into ROMMON. > >From ROMMON I can boot with following command: > > rommon 2 >* boot bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin* > > rommon 1 > set > PS1=rommon ! > > LOG_PREFIX_VERSION=1 > CONFIG_FILE= > SWITCH_NUMBER=0 > SLOTCACHE=cards; > CRASHINFO=crashinfo_FAILED > CV= > BOOT=bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1; > > ** > config: > boot-start-marker > boot system flash sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin > boot-end-marker > > 7600#*sh boot* > BOOT variable = sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1; > CONFIG_FILE variable = > BOOTLDR variable = > Configuration register is 0x2102 > > Any ideas what could be wrong ? Try "remote command switch show boot" to see if the sup also has correct boot information. 
Resetting the boot variable and issuing "copy running-config startup-config" should correct any differences between the two. -- Peter From llc at dansketelecom.com Fri Nov 13 03:07:50 2009 From: llc at dansketelecom.com (Lars Lystrup Christensen) Date: Fri, 13 Nov 2009 09:07:50 +0100 Subject: [c-nsp] router boots into ROMMON In-Reply-To: <4AFD0AB1.7090302@wbsconnect.com> References: <4AFD0AB1.7090302@wbsconnect.com> Message-ID: <44417CD2F19FEA4F885088340A71D332025A6D12@mail.office.dansketelecom.com> Well... I've seen the same problem in the past. The problem is that the ROMMON is not in sync with the config file. Try set the config register using the ROMMON as the ROMMON might have a setting denying it to use the config register in config file. ______________________________________ Med venlig hilsen / Kind regards Lars Lystrup Christensen Implementerings-/NOC-tekniker, CCIE(tm) #20292 Danske Telecom A/S Park All? 350A 2605 Br?ndby -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Phillips Sent: 13. november 2009 08:29 To: selamat pagi Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] router boots into ROMMON Config register looks fine. Most obvious thing would be that the bin file doesn't exist. What does "dir sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin" return? Does the file exist? selamat pagi wrote: > My 7600 boots ignores the boot statement and goes into ROMMON. >>From ROMMON I can boot with following command: > > rommon 2 >* boot bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin* > > > rommon 1 > set > PS1=rommon ! 
> > LOG_PREFIX_VERSION=1 > CONFIG_FILE= > SWITCH_NUMBER=0 > SLOTCACHE=cards; > CRASHINFO=crashinfo_FAILED > CV= > BOOT=bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1; > > ** > config: > boot-start-marker > boot system flash sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin > boot-end-marker > > 7600#*sh boot* > BOOT variable = sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1; > CONFIG_FILE variable = > BOOTLDR variable = > Configuration register is 0x2102 > > Any ideas what could be wrong ? > > Cheers, ketimun > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From savage at savage.za.org Fri Nov 13 04:15:59 2009 From: savage at savage.za.org (Chris Knipe) Date: Fri, 13 Nov 2009 11:15:59 +0200 Subject: [c-nsp] 4006 weirdness Message-ID: <20091113111559.15115i73mjfjphhs@webmail1.konsoleh.co.za> Hi, I have a legacy 4006 Chasis with a SUP3, recently started giving issues. I know it's EOL, and more than likely needs to be replaced, but any assistance if possible, would be appreciated. I'm getting CRC32 errors for NVRAM, always at byte 0x54000000 i.e. Switch#sh ver Cisco Internetwork Operating System Software IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW, RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2002 by cisco Systems, Inc. 
Compiled Thu 24-Jan-02 17:34 by ccai
Image text-base: 0x00000000, data-base: 0x00AA2B8C

CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
ROM:
Switch uptime is 19 hours, 7 minutes
System returned to ROM by reload
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
System restarted at 09:26:23 SAST Fri Nov 13 2009
Running default software

cisco WS-C4006 (MPC8245) processor (revision 7) with 262144K bytes of memory.
Processor board ID FOX0520S0M4
Last reset from Reload
96 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
467K bytes of non-volatile configuration memory.

Configuration register is 0x0
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000

What's worrying me even more at this stage:

Switch#sh bootvar
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
BOOT variable does not exist
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
CONFIG_FILE variable does not exist
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
BOOTLDR variable does not exist
Configuration register is 0x0
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000

FYI:

Switch#sh module
Mod Ports Card Type                              Model             Serial No.
----+-----+--------------------------------------+-----------------+-----------
 1     2  1000BaseX (GBIC) Supervisor Module     WS-X4014          JAB063505JN
 2    48  10/100BaseTX (RJ45)                    WS-X4148-RJ       JAB04100A1Q
 3    48  10/100BaseTX (RJ45)                    WS-X4148-RJ       JAB0412056T

M   MAC addresses                    Hw  Fw                Sw              Stat
--+--------------------------------+---+-----------------+---------------+-----
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
 1  0006.28c0.ff00 to 0006.28c1.02ff 2.1                  12.1(8a)EW,     Ok
 2  0001.42f6.9210 to 0001.42f6.923f 2.3                                  Ok
 3  0001.42f6.81c0 to 0001.42f6.81ef 2.3                                  Ok

Is the SUP pretty much dead? Everything is still running fine from the face of it, but I'm really concerned about these errors....
Regards,
Chris

From ivan at ig.sk Fri Nov 13 04:50:05 2009
From: ivan at ig.sk (Ivan Gasparik)
Date: Fri, 13 Nov 2009 10:50:05 +0100
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <20091105203853.GY163@greenie.muc.de>
References: <20091105203853.GY163@greenie.muc.de>
Message-ID: <200911131050.05124.ivan@ig.sk>

Hi folks,

Does anybody know what causes the router to drop packets as overruns, and what as input queue drops? There are two show interface examples from an NPE-G1, both with input hold-queue set to 4096. The first one only shows 153 overrun packets; in the second interface output you can see overruns together with input queue drops:

GigabitEthernet0/1 is up, line protocol is up
...
  Input queue: 0/4096/0/58537 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/4096 (size/max)
  1 minute input rate 43040000 bits/sec, 6944 packets/sec
  1 minute output rate 23483000 bits/sec, 7180 packets/sec
     2609205324 packets input, 3131277093 bytes, 6 no buffer
     Received 2871721 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 2 throttles
     153 input errors, 0 CRC, 0 frame, 153 overrun, 0 ignored
     0 watchdog, 2871721 multicast, 0 pause input

GigabitEthernet0/3 is up, line protocol is up
...
  Input queue: 0/4096/4258004/961350 (size/max/drops/flushes); Total output drops: 44638280
  Queueing strategy: Class-based queueing
  Output queue: 6/4096/0 (size/max total/drops)
  1 minute input rate 15685000 bits/sec, 5120 packets/sec
  1 minute output rate 28836000 bits/sec, 5171 packets/sec
     2503236491 packets input, 208082741 bytes, 589462 no buffer
     Received 1329388071 broadcasts (13 IP multicasts)
     0 runts, 12 giants, 960 throttles
     128042 input errors, 12 CRC, 0 frame, 128018 overrun, 0 ignored
     0 watchdog, 1424143105 multicast, 0 pause input

Thanks
Ivan

On Thursday 05 November 2009 21:38:53 Gert Doering wrote:
> Hi,
>
> On Thu, Nov 05, 2009 at 01:41:16PM -0500, Drew Weaver wrote:
> > Does anyone have any tips on finding out what is causing it to
> > overrun?
>
> "Hardware too slow error" - packets arrive in short bursts at line rate,
> and your router cannot handle that.
>
> For example, an NPE-G1 will handle packets at, say, 300 mbit/sec if they
> come in evenly spaced - packetpacketpacket - but if
> 1000 packets arrive back-to-back and then a longer pause, it will
> overrun the buffers.
>
> There's not much you can do, except "get a hardware forwarding box"
> or "just accept it, and only worry if the errors increase more
> frequently".
>
> We do some of both :-)
>
> gert
>

From p.mayers at imperial.ac.uk Fri Nov 13 05:18:17 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 13 Nov 2009 10:18:17 +0000
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean
In-Reply-To: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com>
References: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com>
Message-ID: <4AFD3269.6040004@imperial.ac.uk>

Tim Durack wrote:
> Anyone know how glean traffic behaves on a Sup720 with CoPP configured?

Glean traffic is matched against CoPP. This is "by design" according to the (fairly clued up sounding) TAC engineer I spoke to.

As you've discovered, this is irritating.
>
> We have gradually locked down our CoPP config, to the point that our
> final class is a default deny for any unclassified traffic.
> Unfortunately this has the unwanted side-effect of dropping glean
> traffic, with the knock-on effect of some arp resolution problems.
>
> In our tests, it appears that configuring an explicit class-default
> works around this, but I can't find any documentation. So far TAC
> hasn't come up with anything either.

Really? Hmm. So you have a config where glean traffic is *not* being matched by CoPP? Can you share the exact config?

I will unicast you the SR# of my case; perhaps the TAC engineers can collude to produce a response clarifying.

From andreas.mueller at zdv.uni-tuebingen.de Fri Nov 13 05:50:46 2009
From: andreas.mueller at zdv.uni-tuebingen.de (Andreas Mueller)
Date: Fri, 13 Nov 2009 11:50:46 +0100
Subject: [c-nsp] Device for mapping IPv6 to IPv4-addresses
Message-ID: <4AFD3A06.1070604@zdv.uni-tuebingen.de>

Hello,

I need to realize an IPv6-island inside an IPv4 network. To connect my IPv6-island to the IPv4-world I need a network-device with the following features:

- the IPv6-addresses need to be mapped (dynamically) to IPv4-addresses for internet-connectivity.
- the IPv6-Island will contain about a hundred computers.
- some servers in the IPv6-island have to be reached from the outside-world by a static-IPv4-address.
- the network is based on gigabit ethernet.

what possibilities do I have to realize this scenario ?

thanks for help && happy weekend,

Andreas Mueller

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6155 bytes
Desc: S/MIME Cryptographic Signature
URL:

From sigurbjornl at vodafone.is Fri Nov 13 04:59:00 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Fri, 13 Nov 2009 09:59:00 +0000
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <200911131050.05124.ivan@ig.sk>
Message-ID:

Do a show controller Gi0/1 | i rx_resource

Chances are the input error count is the same as the rx_resource_error count.

This is a microburst issue, and sadly, I know of no way to get around it; the only solution is buying a router that is able to handle wirespeed Gig.

BR,
Sibbi

> From: Ivan Gasparik
> Date: Fri, 13 Nov 2009 10:50:05 +0100
> To:
> Subject: Re: [c-nsp] Gigabit Interface Input Errors
>
> Hi folks,
>
> Does anybody know what causes the router to drop packets as
> overrun and what as an input queue drops. There are two show interface
> examples of NPE-G1, both with input hold-queue set to 4096. The first
> one only shows 153 overrun packets, in the second interface output
> you can see overruns together with input queue drops:
>
> GigabitEthernet0/1 is up, line protocol is up
> ...
> Input queue: 0/4096/0/58537 (size/max/drops/flushes); Total output drops: 0
> Queueing strategy: fifo
> Output queue: 0/4096 (size/max)
> 1 minute input rate 43040000 bits/sec, 6944 packets/sec
> 1 minute output rate 23483000 bits/sec, 7180 packets/sec
> 2609205324 packets input, 3131277093 bytes, 6 no buffer
> Received 2871721 broadcasts (0 IP multicasts)
> 0 runts, 0 giants, 2 throttles
> 153 input errors, 0 CRC, 0 frame, 153 overrun, 0 ignored
> 0 watchdog, 2871721 multicast, 0 pause input
>
> GigabitEthernet0/3 is up, line protocol is up
> ...
> Input queue: 0/4096/4258004/961350 (size/max/drops/flushes); Total output
> drops: 44638280
> Queueing strategy: Class-based queueing
> Output queue: 6/4096/0 (size/max total/drops)
> 1 minute input rate 15685000 bits/sec, 5120 packets/sec
> 1 minute output rate 28836000 bits/sec, 5171 packets/sec
> 2503236491 packets input, 208082741 bytes, 589462 no buffer
> Received 1329388071 broadcasts (13 IP multicasts)
> 0 runts, 12 giants, 960 throttles
> 128042 input errors, 12 CRC, 0 frame, 128018 overrun, 0 ignored
> 0 watchdog, 1424143105 multicast, 0 pause input
>
> Thanks
> Ivan
>
>
> On Thursday 05 November 2009 21:38:53 Gert Doering wrote:
>> Hi,
>>
>> On Thu, Nov 05, 2009 at 01:41:16PM -0500, Drew Weaver wrote:
>>> Does anyone have any tips on finding out what is causing it to
>>> overrun?
>>
>> "Hardware too slow error" - packets arrive in short bursts at line rate,
>> and your router cannot handle that.
>>
>> For example, an NPE-G1 will handle packets at, say, 300 mbit/sec if they
>> come in evenly spaced - packetpacketpacket - but if
>> 1000 packets arrive back-to-back and then a longer pause, it will
>> overrun the buffers.
>>
>> There's not much you can do, except "get a hardware forwarding box"
>> or "just accept it, and only worry if the errors increase more
>> frequently".
>>
>> We do some of both :-)
>>
>> gert
>>

From swmike at swm.pp.se Fri Nov 13 07:07:26 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 13 Nov 2009 13:07:26 +0100 (CET)
Subject: [c-nsp] router boots into ROMMON
In-Reply-To: <44417CD2F19FEA4F885088340A71D332025A6D12@mail.office.dansketelecom.com>
References: <4AFD0AB1.7090302@wbsconnect.com> <44417CD2F19FEA4F885088340A71D332025A6D12@mail.office.dansketelecom.com>
Message-ID:

On Fri, 13 Nov 2009, Lars Lystrup Christensen wrote:

> Well... I've seen the same problem in the past. The problem is that the
> ROMMON is not in sync with the config file. Try set the config register
> using the ROMMON as the ROMMON might have a setting denying it to use
> the config register in config file.

When I had this problem 3-4 years ago, it was enough to set the config-register again from normal config and save the config, for all parts of the router to be in sync again. This was in SXE days...

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From Kiran.Oddiraju at cbre.com Fri Nov 13 08:01:58 2009
From: Kiran.Oddiraju at cbre.com (Oddiraju, Kiran @ London SMC)
Date: Fri, 13 Nov 2009 13:01:58 -0000
Subject: [c-nsp] Cisco VPN server
Message-ID:

Hello guys,

Can someone please forward me a sample VPN server configuration for a Cisco 1800 router. Basically I want my c1800 router as a VPN server with DHCP, and my clients to be able to access machines on my network and use Cisco softphones. I have been trying with some guides on the Cisco website but the VPN client keeps trying to connect and throws me an error 412 'Remote peer no longer responding'.

Many thanks,
Kiran

CB Richard Ellis Limited, Registered Office: St Martin's Court, 10 Paternoster Row, London, EC4M 7HP, registered in England and Wales No. 3536032.
Regulated by the RICS and an appointed representative of CB Richard Ellis Indirect Investment Services Limited which is authorised and regulated by the Financial Services Authority.

This communication is from CB Richard Ellis Limited or one of its associated/subsidiary companies. This communication contains information which is confidential and may be privileged. If you are not the intended recipient, please contact the sender immediately. Any use of its contents is strictly prohibited and you must not copy, send or disclose it, or rely on its contents in any way whatsoever.

Reasonable care has been taken to ensure that this communication (and any attachments or hyperlinks contained within it) is free from computer viruses. No responsibility is accepted by CB Richard Ellis Limited or its associated/subsidiary companies and the recipient should carry out any appropriate virus checks.

From tdurack at gmail.com Fri Nov 13 08:15:22 2009
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 13 Nov 2009 08:15:22 -0500
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean
In-Reply-To: <4AFD3269.6040004@imperial.ac.uk>
References: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com> <4AFD3269.6040004@imperial.ac.uk>
Message-ID: <9e246b4d0911130515r7037c9crbc5ac7603da2715d@mail.gmail.com>

On Fri, Nov 13, 2009 at 5:18 AM, Phil Mayers wrote:
> Tim Durack wrote:
>>
>> Anyone know how glean traffic behaves on a Sup720 with CoPP configured?
>
> Glean traffic is matched against CoPP. This is "by design" according to the
> (fairly clued up sounding) TAC engineer I spoke to.
>
> As you've discovered, this is irritating.

Indeed. It makes no sense for glean traffic to be lumped in with everything else destined to the control-plane. The only thing that needs to happen with glean traffic is an arp request.

It looks like with the Nexus Cisco have improved/corrected this.
http://tinyurl.com/yc2c737 states:

Different types of packets can reach the control plane:

Receive packets
Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are used by a router.

Exception packets
Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, then the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.

Redirected packets
Packets that are redirected to the supervisor module. Features like Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.

Glean packets
If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.

...

Configuring a Control Plane Policy Map

You must configure a policy map for CoPP, which includes policing parameters. If you do not configure a policer for a class, then the default policer conform action is drop. Glean packets are policed using the default-class. The Cisco NX-OS software supports 1-rate 2-color and 2-rate 3-color policing.

>>
>> We have gradually locked down our CoPP config, to the point that our
>> final class is a default deny for any unclassified traffic.
>> Unfortunately this has the unwanted side-effect of dropping glean
>> traffic, with the knock-on effect of some arp resolution problems.
>>
>> In our tests, it appears that configuring an explicit class-default
>> works around this, but I can't find any documentation.
>> So far TAC
>> hasn't come up with anything either.
>
> Really? Hmm. So you have a config where glean traffic is *not* being matched
> by CoPP? Can you share the exact config?

I think I was wrong. Still have the same problem.

> I will unicast you the SR# of my case; perhaps the TAC engineers can collude
> to produce a response clarifying.
>

Thanks, will take a look.

In my book, this behaviour undermines the value of copp. I can't tightly restrict traffic to the control-plane, as glean traffic could be anything.

-- 
Tim:>
Sent from Brooklyn, NY, United States

From llc at dansketelecom.com Fri Nov 13 09:26:16 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Fri, 13 Nov 2009 15:26:16 +0100
Subject: [c-nsp] Device for mapping IPv6 to IPv4-addresses
In-Reply-To: <4AFD3A06.1070604@zdv.uni-tuebingen.de>
References: <4AFD3A06.1070604@zdv.uni-tuebingen.de>
Message-ID: <44417CD2F19FEA4F885088340A71D332025A6D96@mail.office.dansketelecom.com>

Hi Andreas

I would suggest an ugly NAT-PT device, capable of doing both v4 and v6. However, there are no guarantees of the server part working correctly, as you might have the same issues as with IPv4 NAT.

You should be able to do the NAT on any Cisco router capable of doing IPv6 and NAT. Don't use L3 switches, as they might not support this satisfactorily.

Take a further look at http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Implementerings-/NOC-tekniker, CCIE(tm) #20292
Danske Telecom A/S
Park Allé 350A
2605 Brøndby

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andreas Mueller
Sent: 13. november 2009 11:51
To: cisco-nsp
Subject: [c-nsp] Device for mapping IPv6 to IPv4-addresses

Hello,

I need to realize an IPv6-island inside an IPv4 network.
To connect my IPv6-island to the IPv4-world I need a network-device with the following features:

- the IPv6-addresses need to be mapped (dynamically) to IPv4-addresses for internet-connectivity.
- the IPv6-Island will contain about a hundred computers.
- some servers in the IPv6-island have to be reached from the outside-world by a static-IPv4-address.
- the network is based on gigabit ethernet.

what possibilities do I have to realize this scenario ?

thanks for help && happy weekend,

Andreas Mueller

From jlewis at lewis.org Fri Nov 13 09:31:23 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 13 Nov 2009 09:31:23 -0500 (EST)
Subject: [c-nsp] 3550 IOS
Message-ID:

I was looking at updating software on a 3550 recently and noticed the very latest 12.2SE code claims to only run on the 3550-24-DC. Is this because the 3550-24-DC was for some reason excluded from the EOS/EOL announcement for the rest of the 3550 family (for which End of Software Maintenance was May 2007)?

IIRC, 122-44.SE6 is the last IOS for the generic 3550 family, while there are versions up to 122-52.SE that claim to be for the 3550-24-DC only. These later versions do seem to work on 3550's other than the 3550-24-DC, but I suppose they're just not officially supported (or officially unsupported)?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From sony.scaria at gmail.com Fri Nov 13 09:54:01 2009
From: sony.scaria at gmail.com (sony.scaria at gmail.com)
Date: Fri, 13 Nov 2009 14:54:01 +0000
Subject: [c-nsp] router boots into ROMMON
Message-ID: <1291397392-1258124034-cardhu_decombobulator_blackberry.rim.net-1192748925-@bda135.bisx.produk.on.blackberry>

I had a similar situation days before, where I was upgrading the IOS and I was using a flash which I took from a similar spare device.
I copied the IOS, set conf-reg, set boot path, but the router did not boot from the new code. Finally I formatted the flash, copied the IOS again, set boot statements to the new path and reloaded. And that worked.

Sony.

------Original Message------
From: Mikael Abrahamsson
Sender: cisco-nsp-bounces at puck.nether.net
To: cisco-nsp
Subject: Re: [c-nsp] router boots into ROMMON
Sent: Nov 13, 2009 17:37

On Fri, 13 Nov 2009, Lars Lystrup Christensen wrote:

> Well... I've seen the same problem in the past. The problem is that the
> ROMMON is not in sync with the config file. Try set the config register
> using the ROMMON as the ROMMON might have a setting denying it to use
> the config register in config file.

When I had this problem 3-4 years ago, it was enough to set the config-register again from normal config and save the config, for all parts of the router to be in sync again. This was in SXE days...

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

Sent on my BlackBerry® from Vodafone

From drew.weaver at thenap.com Fri Nov 13 10:46:49 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 13 Nov 2009 10:46:49 -0500
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
Message-ID:

Hi list, happy Friday.

The BGP scanner issue has been beaten (literally) to death here, but I had a few general performance related questions regarding the 6500..
I notice that if I ping a somewhat busy interface on a 6500 about once a minute or so I get:

Reply from x.x.x.x: bytes=32 time<1ms TTL=253
Reply from x.x.x.x: bytes=32 time<1ms TTL=253
Reply from x.x.x.x: bytes=32 time=1ms TTL=253
Reply from x.x.x.x: bytes=32 time<1ms TTL=253
Reply from x.x.x.x: bytes=32 time=1ms TTL=253
Reply from x.x.x.x: bytes=32 time=172ms TTL=253
Reply from x.x.x.x: bytes=32 time=386ms TTL=253
Reply from x.x.x.x: bytes=32 time=366ms TTL=253
Reply from x.x.x.x: bytes=32 time=410ms TTL=253
Reply from x.x.x.x: bytes=32 time=353ms TTL=253
Reply from x.x.x.x: bytes=32 time=7ms TTL=253
Reply from x.x.x.x: bytes=32 time=66ms TTL=253
Reply from x.x.x.x: bytes=32 time=120ms TTL=253
Request timed out.
Reply from x.x.x.x: bytes=32 time=1ms TTL=253
Reply from x.x.x.x: bytes=32 time<1ms TTL=253

and it does seem to correspond to the BGP scanner running the CPU utilization up to 80%. Is that the 'norm' for this type of high CPU utilization?

Second, I noticed we're having a high number of TTL failures:

TTL failures : 24541591

So I implemented a HW rate-limiter as such:

mls rate-limit all ttl-failure 500 10

Two questions about this:

A) is there any way to find out how many packets are being 'rate-limited' due to this command?
and
B) do I need to enable mls qos or anything else to 'globally enable' the HW rate-limiter?
3rd, I'm noticing some queuing issues:

  Input queue: 0/75/13413/13085 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
  Input queue: 0/75/15112/15021 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
  Input queue: 0/2000/4294895378/0 (size/max/drops/flushes); Total output drops: 4294941485
  Output queue: 0/40 (size/max)
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
  Input queue: 0/2000/4294945720/0 (size/max/drops/flushes); Total output drops: 1
  Output queue: 0/40 (size/max)
  Input queue: 0/2000/4294804008/0 (size/max/drops/flushes); Total output drops: 3
  Input queue: 0/75/549064/527178 (size/max/drops/flushes); Total output drops: 2784
  Output queue: 0/40 (size/max)
  Input queue: 0/75/372439/361186 (size/max/drops/flushes); Total output drops: 90049

I am using the Gig-E interfaces on the Sup720-3BXL as well as WS-X6724-SFPs.

Is there a disadvantage to using the interfaces on the SUP720-3BXL vs the 6724? Should one modify settings to improve the queuing? I was under the impression that the X6724 was not over-subscribed but from the looks of those queues it seems to be slightly inadequate.

any advice on any of these issues is greatly appreciated.

Thanks,
-Drew

From nick at inex.ie Fri Nov 13 11:20:02 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 13 Nov 2009 16:20:02 +0000
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
In-Reply-To:
References:
Message-ID: <4AFD8732.6020707@inex.ie>

On 13/11/2009 15:46, Drew Weaver wrote:
> and it does seem to correspond to the BGP scanner running the CPU
> utilization up to 80%, is that the 'norm' for this type of high cpu
> utilization?

in my experience yes.

> I was under the impression that the X6724 was not over-subscribed but
> from the looks of those queues it seems to be slightly inadequate.

24 GE ports, single 20G fabric connection. Go figure.
The output drops may not be caused by over-subscription, btw. It may be just that the port is receiving too much traffic. If your 5 minute graphs look well under 950 megs, take a look at 30 second graphs and see what they are saying. Microbursts can cause all sorts of interesting effects which you simply won't see on a 5 minute average.

Nick

From p.mayers at imperial.ac.uk Fri Nov 13 11:26:05 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 13 Nov 2009 16:26:05 +0000
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
In-Reply-To:
References:
Message-ID: <4AFD889D.1090204@imperial.ac.uk>

> I noticed we're having a high number of TTL failures:
>
> TTL failures : 24541591
>
> So I implemented a HW rate-limiter as such:
>
> mls rate-limit all ttl-failure 500 10
>
> Two questions about this,
>
> A) is there any way to find out how many packets are being 'rate-limited' due to this command?
> and

I am not aware of any, but would like to know too!

> B) do I need to enable mls qos or anything else to 'globally enable' the HW rate-limiter?

No. It's separate from QoS, you don't need QoS enabled for the MLS rate limiters.

From shimshah at cisco.com Fri Nov 13 11:58:53 2009
From: shimshah at cisco.com (Shimol Shah)
Date: Fri, 13 Nov 2009 11:58:53 -0500
Subject: [c-nsp] MAC address use on 7600
In-Reply-To: <002101ca6411$aa38ef00$feaacd00$@com>
References: <002101ca6411$aa38ef00$feaacd00$@com>
Message-ID: <4AFD904D.7070009@cisco.com>

Hi Rin,

I tested on 7600 and 6500 in my lab. Here are the findings:

1. By default, all of the interfaces are layer 3 interfaces, since they're configured as "no ip address". All of the MAC addresses are the same for layer 3 interfaces, as per design.

2. I changed the interface to switchport, then I found the interface mac-address is changed to a unique layer 2 mac address, which comes from the module range (sh mod). Both 7600 and 6500 behave the same.
By default,

7604#sh int g2/1
GigabitEthernet2/1 is administratively down, line protocol is down (disabled)
  Hardware is c7600 1Gb 802.3, address is 0013.5f1e.fe40 (bia 0013.5f1e.fe40)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 1w0d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected

7604#sh run int g2/1
Building configuration...

Current configuration : 61 bytes
!
interface GigabitEthernet2/1
 no ip address
 shutdown
end

After configuring it to be a switchport,

7604#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
7604(config)#int g2/1
7604(config-if)#switchport
7604(config-if)#end
7604#sh int g2/
*Apr 10 21:07:30.500: %SYS-5-CONFIG_I: Configured from console by console1
GigabitEthernet2/1 is administratively down, line protocol is down (disabled)
  Hardware is c7600 1Gb 802.3, address is 001c.584c.5bf4 (bia 001c.584c.5bf4)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 1w0d
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 0007.0e62.12e8 to 0007.0e62.12eb    5.2   12.2(33r)SRB 12.2(33)SRC  Ok
  2 001c.584c.5bf4 to 001c.584c.5bf7    5.2   12.2(33r)SRB 12.2(33)SRC  Ok
  3 0013.60a4.9a88 to 0013.60a4.9b07    2.0   12.2(33)SRC  12.2(33)SRC  Ok

The 7600 I am testing is running 12.2(33)SRC/SRB2.

3. Furthermore, I found that the layer 3 interfaces sharing the same mac while layer 2 interfaces use a unique mac is by design. And all platforms have the same behavior.

http://www.cisco.com/warp/customer/473/catmac_41263.html#topic1

For the lower end switches, the interfaces are layer 2 interfaces by default so you don't see the problem.

However, for ES-20 be aware of the below bug:

CSCso79720 All ES20 ports use same MAC address when configured as switchport.
Found in: 12.2(33)SRC, 12.2(33)SRB02
Integrated in: 12.2(33)SRD, 12.2(33)SRC02, 12.2(33)SRB04

HTH
Shimol

Rin said the following on 11/12/2009 10:30 PM:
> Hi group,
>
> Can someone explain why router 7600 uses the same MAC address for all VLAN
> interfaces and ES20 ports? Catalyst 3560 has different MAC address for each
> VLAN interface.
>
> Thanks,
>
> Rin
>

From peter at rathlev.dk Fri Nov 13 12:27:27 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 13 Nov 2009 18:27:27 +0100
Subject: [c-nsp] 3550 IOS
In-Reply-To:
References:
Message-ID: <1258133247.19798.4.camel@abehat.dyn.net.rm.dk>

On Fri, 2009-11-13 at 09:31 -0500, Jon Lewis wrote:
> IIRC, 122-44.SE6 is the last IOS for the generic 3550 family, while
> there are versions up to 122-52.SE that claim to be for the 3550-24-DC
> only. These later versions do seem to work on 3550's other than the
> 3550-24-DC, but I suppose they're just not officially supported (or
> officially unsupported)?

Of course only Cisco can answer that, but the newer images seem to run fine on WS-C3550-12G and WS-C3550-24-EMI models at least. We're running 12.2(50)SE1 and SE3 on several.

I would suspect that they have simply stopped testing the releases on the EoL'ed platforms, so some weird combination of firmware/hardware issues might bite our behinds some day.

The 3550 was a very good platform IMHO. Far better than the 3560.

-- 
Peter

From jasongurtz at npumail.com Fri Nov 13 12:31:48 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Fri, 13 Nov 2009 12:31:48 -0500
Subject: [c-nsp] Info on the C2350
Message-ID:

Just got off the horn with a Cisco SE and he related that this switch is basically a 3560E with toned down features introduced for the "competitive market."
Is that 4MB shared per 16 ports for the buffers then?

The guy was pushing nexus 5k hard (and FCoE) but I think that's outside of the budget as is, unfortunately, the 49xx. I've been burning the brain on all the iSCSI vs. FC[oE] vs. NFS and have come to the conclusion that in a VMWare environment the only thing FC has over hardware accelerated iSCSI is lower latency. Since we're not a super or scientific computing facility I'm not sure that even that matters.

Thanks for all the responses on the previous thread; I learned a lot.

~JasonG

From jeff-kell at utc.edu Fri Nov 13 12:49:16 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 13 Nov 2009 12:49:16 -0500
Subject: [c-nsp] 3550 IOS
In-Reply-To: <1258133247.19798.4.camel@abehat.dyn.net.rm.dk>
References: <1258133247.19798.4.camel@abehat.dyn.net.rm.dk>
Message-ID: <4AFD9C1C.3090608@utc.edu>

Peter Rathlev wrote:
> On Fri, 2009-11-13 at 09:31 -0500, Jon Lewis wrote:
>
>> IIRC, 122-44.SE6 is the last IOS for the generic 3550 family, while
>> there are versions up to 122-52.SE that claim to be for the 3550-24-DC
>> only.
> Of course only Cisco can answer that, but the newer images seem to run
> fine on WS-C3550-12G and WS-C3550-24-EMI models at least. We're running
> 12.2(50)SE1 and SE3 on several.

TAC tells me 12.2(44)SE6 is the latest supported release. I had tried 12.2(50) on a 3550-12, but backed off "just in case".

I could *almost* swear I pulled down the 12.2(50) from the regular software download links after the September vulnerability announcements as it was (and still is) the "recommended fixed release" for the 12.2SE train, but as others have noted, that is not the case today if you follow the 3550 model links (other than the 24-DC).
Jeff

From rdobbins at arbor.net Fri Nov 13 14:36:24 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Fri, 13 Nov 2009 19:36:24 +0000
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
In-Reply-To: <4AFD889D.1090204@imperial.ac.uk>
References: <4AFD889D.1090204@imperial.ac.uk>
Message-ID: <4D393834-9022-4207-86BB-59731CF7BF68@arbor.net>

On Nov 13, 2009, at 11:26 PM, Phil Mayers wrote:

> No. It's separate from QoS, you don't need QoS enabled for the MLS rate
> limiters.

Correct. Also note that HWRL policies have precedence over CoPP.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From ler762 at gmail.com Fri Nov 13 16:53:43 2009
From: ler762 at gmail.com (Lee)
Date: Fri, 13 Nov 2009 16:53:43 -0500
Subject: [c-nsp] sup720 etherchannel port preferences?

Is there any performance difference for a two port etherchannel created on
a single WS-X6748 card vs. one port on two different WS-X6748 cards?

We've got a backup server that's maxing out its 1Gb link and want to give
it some more bandwidth, so I was wondering if it made any difference on
which ports or which cards (all the cards being 6748s) you configured an
etherchannel.

Thanks,
Lee

From John.Herbert at ins.com Sat Nov 14 10:25:23 2009
From: John.Herbert at ins.com (John.Herbert at ins.com)
Date: Sat, 14 Nov 2009 09:25:23 -0600
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean
In-Reply-To: <4AFD3269.6040004@imperial.ac.uk>
References: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com>, <4AFD3269.6040004@imperial.ac.uk>

Ok, so apologies if I'm repeating things you know very well already...
Hardware CoPP for CEF Glean is disabled by default, so assuming you have
enabled hardware CoPP, if you chose to enable glean rate-limiting (with the
"mls rate-limit unicast cef glean " command) then presumably you put values
in that command to determine the limits. If you're dropping cef glean
traffic under normal usage, then (ignoring potential IOS bugs) that suggests
that your limits are too low perhaps?

To be clear (and I think from what you've said, you already know this), the
CEF Glean RL includes traffic that's punted to the CPU because it needs an
ARP to be performed to complete the next hop adjacency, but should not
affect the ARP request itself. However, if you are dropping the glean
packets that would have generated the ARP request in the first place then I
can see how that could spiral out of control quickly by generating more
glean packets because of the lack of ARP entry.

If in doubt (and again, you may have done this before starting on the CoPP
work), it may be worth either getting some netflow data to identify if you
have excessive cef glean traffic, and/or set up a monitor session on the
control plane to see if there's something odd going on.

j.

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers [p.mayers at imperial.ac.uk]
Sent: Friday, November 13, 2009 5:18
To: Tim Durack
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean

Tim Durack wrote:
> Anyone know how glean traffic behaves on a Sup720 with CoPP configured?

Glean traffic is matched against CoPP. This is "by design" according to the
(fairly clued up sounding) TAC engineer I spoke to. As you've discovered,
this is irritating.

>
> We have gradually locked down our CoPP config, to the point that our
> final class is a default deny for any unclassified traffic.
> Unfortunately this has the unwanted side-effect of dropping glean
> traffic, with the knock-on effect of some arp resolution problems.
>
> In our tests, it appears that configuring an explicit class-default
> works around this, but I can't find any documentation. So far TAC
> hasn't come up with anything either.

Really? Hmm. So you have a config where glean traffic is *not* being
matched by CoPP? Can you share the exact config?

I will unicast you the SR# of my case; perhaps the TAC engineers can
collude to produce a response clarifying.

From mtinka at globaltransit.net Sat Nov 14 13:35:59 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 15 Nov 2009 02:35:59 +0800
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
Message-ID: <200911150235.59896.mtinka@globaltransit.net>

So after chasing this thing since SRC, and having gone through all the
various rebuilds until now, I'm not proud to say that the evil BFD +
watchdog nmi timeout bug persists.

It wasn't but just a day ago that an NPE-G1 we upgraded to SRC5, and on
which we enabled BFD in the hopes that that bug had finally been found and
fixed (TAC confirmed it is fixed in SRC5 - like it was in SRC1 to SRC4 - as
well as other IOS branches sharing this platform-independent code),
experienced an uncommanded reboot citing a watchdog timeout. Just like
before.

Oh well, no BFD on those, then. And something tells me even by SRC10
(should the code base last that long), Cisco will not have found a solution
for it.

What quality networking, we have these days...

Mark.
From gert at greenie.muc.de Sat Nov 14 16:27:17 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 14 Nov 2009 22:27:17 +0100
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
In-Reply-To: <200911150235.59896.mtinka@globaltransit.net>
References: <200911150235.59896.mtinka@globaltransit.net>
Message-ID: <20091114212717.GM163@greenie.muc.de>

Hi,

On Sun, Nov 15, 2009 at 02:35:59AM +0800, Mark Tinka wrote:
> What quality networking, we have these days...

Hey, at least you *have* BFD. Unlike us folks with SXH and SXI that want
to use BFD on SVI interfaces...

gert

--
USENET is *not* the non-clickable part of WWW!
                                                       //www.muc.de/~gert/
Gert Doering - Munich, Germany                         gert at greenie.muc.de
fax: +49-89-35655025                    gert at net.informatik.tu-muenchen.de

From dr at cluenet.de Sat Nov 14 16:31:27 2009
From: dr at cluenet.de (Daniel Roesen)
Date: Sat, 14 Nov 2009 22:31:27 +0100
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
In-Reply-To: <200911150235.59896.mtinka@globaltransit.net>
References: <200911150235.59896.mtinka@globaltransit.net>
Message-ID: <20091114213127.GA18999@srv03.cluenet.de>

On Sun, Nov 15, 2009 at 02:35:59AM +0800, Mark Tinka wrote:
> What quality networking, we have these days...

I think it's called "Carrier grade" these days...

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From p.mayers at imperial.ac.uk Sat Nov 14 17:24:09 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sat, 14 Nov 2009 22:24:09 +0000
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean

I'm a bit confused about what you're trying to say here. The mls glean
rate limiter is completely different to copp.
The op's problem, and one I have observed too, is that copp is applied to
all cpu traffic, including the original packet which was punted to glean.

IMHO, and tac have advised me of the same, enabling the mls glean limiter
is second only to enabling the receive limiter in terms of risk. It's not
useful in the general case, because it's not source- or svi-specific.

In short - copp is a good, source specific tool to control received
packets, but the issue under discussion is that, on 6500, it applies to
packets that trigger glean too, which is usually unhelpful. It's definitely
unhelpful if you want to put a 0.0.0.0/0 destination in your copp acls.

-original message-
Subject: RE: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean
From: "John.Herbert at ins.com"
Date: 14/11/2009 15:25
From John.Herbert at ins.com Sat Nov 14 17:42:53 2009
From: John.Herbert at ins.com (John.Herbert at ins.com)
Date: Sat, 14 Nov 2009 16:42:53 -0600
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean

Ah I see - I misunderstood the issue being described. Appreciate the
clarification, and I stand corrected.

j.

________________________________________
From: Phil Mayers [p.mayers at imperial.ac.uk]
Sent: Saturday, November 14, 2009 17:24
To: Herbert, John
Cc: tdurack at gmail.com; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean

I'm a bit confused about what you're trying to say here. The mls glean
rate limiter is completely different to copp.

From mail4hh at pobox.com Sat Nov 14 19:58:08 2009
From: mail4hh at pobox.com (Hector Herrera)
Date: Sat, 14 Nov 2009 16:58:08 -0800
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu

During a high network usage event, the cpu load increased to 90%
sustained, while a 'show processes cpu' did not reveal any culprits.
I suspected IP Input may be consuming a high amount of cpu, but it was
only at 2.7%

The 3550 is working as a L3 router with two static entries for the
default gw (for load balancing on our uplink).

Traffic levels at the time of the high cpu usage were ~120Mbps.

I also examined broadcast packet counts and traffic destined for the
router itself. They also did not reveal anything out of the ordinary.

Do you have any suggestions on what I should be looking at to
determine the source of the high cpu usage?
Thank you,
Hector

From maillist at thelan.no Sat Nov 14 21:59:12 2009
From: maillist at thelan.no (Harald Firing Karlsen)
Date: Sun, 15 Nov 2009 03:59:12 +0100
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
Message-ID: <4AFF6E80.6030607@thelan.no>

Hector Herrera wrote:
> During a high network usage event, the cpu load increased to 90%
> sustained, while a 'show processes cpu' did not reveal any culprits.
> I suspected IP Input may be consuming a high amount of cpu, but it was
> only at 2.7%
>
> Do you have any suggestions on what I should be looking at to
> determine the source of the high cpu usage?

What did the topmost line in the "show processes cpu" say? At the five
second average you got two values; one is for interrupts and the other is
for process cpu usage. My guess is you were seeing a lot of interrupts,
which means traffic was punted to the CPU. Take a look at some of the other
threads on c-nsp to find out what kind of traffic was being punted ("show
cef not-cef-switched" is a good start).

Hope this was helpful

--
Harald Firing Karlsen

From mail4hh at pobox.com Sun Nov 15 01:43:03 2009
From: mail4hh at pobox.com (Hector Herrera)
Date: Sat, 14 Nov 2009 22:43:03 -0800
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To: <4AFF6E80.6030607@thelan.no>
References: <4AFF6E80.6030607@thelan.no>

Thank you for your responses. I collected the commands to run the next
time the cpu utilization spikes.

I did manage to capture the output of 'show cef not-cef-switched' and it
shows a very large number under the "unsupported" column. All the other
columns are zero.
Reading on the list archives I found a few commands to diagnose the
"unsupported" column and according to the output, it appears that it's
caused by TTL-expired being sent to the cpu for processing.

Does this mean that the hardware can't handle the TTL expired load or that
TTL-expired messages are strictly a software process on this hardware
(3550-12t)?

If I have such a large number of TTL-expired messages, does that mean I
have a routing loop somewhere? If so, I have three uplink interfaces, how
do I find out which interface is causing the punts?

Here is the output from the commands I ran:

van-hc16-423-router#show ip cef switching stat
       Reason                          Drop       Punt  Punt2Host
RP LES No route                           0          0         37
RP LES Packet destined for us             0     273716          0
RP LES No adjacency                    8587          0          0
RP LES TTL expired                        0          0    1676276
RP LES Unclassified reason                1          0          0
RP LES Neighbor resolution req       210055          3          0
RP LES Total                         218643     273719    1676313

All    Total                         218643     273719    1676313

van-hc16-423-router#show ip cef switching stat feature
IPv4 CEF input features:
   Feature                Drop    Consume       Punt  Punt2Host Gave route
   Total                     0          0          0          0          0
IPv4 CEF output features:
   Feature                Drop    Consume       Punt  Punt2Host    New i/f
   Total                     0          0          0          0          0
IPv4 CEF post-encap features:
   Feature                Drop    Consume       Punt  Punt2Host    New i/f
   Total                     0          0          0          0          0
IPv4 CEF for us features:
   Feature                Drop    Consume       Punt  Punt2Host    New i/f
   Total                     0          0          0          0          0
IPv4 CEF punt features:
   Feature                Drop    Consume       Punt  Punt2Host    New i/f
   Total                     0          0          0          0          0
IPv4 CEF local features:
   Feature                Drop    Consume       Punt  Punt2Host Gave route
   Total                     0          0          0          0          0

van-hc16-423-router#sh ip arp summ
16 IP ARP entries, with 0 of them incomplete

van-hc16-423-router#sh sdm prefer
 The current template is the routing extended-match template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 16 routed interfaces and 1K VLANs.
  number of unicast mac addresses:   6K
  number of igmp groups:             6K
  number of qos aces:                1K
  number of security aces:           1K
  number of unicast routes:          12K
  number of multicast routes:        6K

van-hc16-423-router#sh ip route summary
IP routing table name is Default-IP-Routing-Table(0)
IP routing table maximum-paths is 32
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       0           1           64          152
static          0           0           0           0
bgp 4280        0           0           0           0
  External: 0 Internal: 0 Local: 0
internal        1                                   1172
Total           1           1           64          1324

van-hc16-423-router#sh ip route vrf PublicRouter sum
van-hc16-423-router#sh ip route vrf PublicRouter summary
IP routing table name is PublicRouter(1)
IP routing table maximum-paths is 32
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       0           4           256         608
static          1           0           128         152
bgp 4280        1274        1134        154112      367036
  External: 2408 Internal: 0 Local: 0
internal        66                                  77352
Total           1341        1138        154496      445148
van-hc16-423-router#

On Sat, Nov 14, 2009 at 6:59 PM, Harald Firing Karlsen wrote:
> What did the topmost line in the "show processes cpu" say? At the five
> second average you got two values; one is for interrupts and the other is
> for process cpu usage. My guess is you were seeing a lot of interrupts,
> which means traffic was punted to the CPU. Take a look at some of the other
> threads on c-nsp to find out what kind of traffic was being punted ("show
> cef not-cef-switched" is a good start).
>
> Hope this was helpful
>
> --
> Harald Firing Karlsen

--
Hector Herrera
President
Pier Programming Services Ltd.

From swmike at swm.pp.se Sun Nov 15 03:30:39 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sun, 15 Nov 2009 09:30:39 +0100 (CET)
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
References: <4AFF6E80.6030607@thelan.no>

On Sat, 14 Nov 2009, Hector Herrera wrote:

> If I have such a large number of TTL-expired messages, does that mean I
> have a routing loop somewhere? If so, I have three uplink interfaces,
> how do I find out which interface is causing the punts?

Try "show int switching" (hidden command, you can't tab-complete).

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From mail4hh at pobox.com Sun Nov 15 04:43:45 2009
From: mail4hh at pobox.com (Hector Herrera)
Date: Sun, 15 Nov 2009 01:43:45 -0800
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
References: <4AFF6E80.6030607@thelan.no>

Great, so now I know:

from 'show ip cef switching stat' I learned that there is a large number
of packets with an expired TTL (TTL-expired is handled by the IP process,
ie. software routing)

from 'show interface switching' (hidden command) I learned the interface
that has a high number of packets In and packets Out in the row "IP
Process"

Since the number of packets in the two commands above are very close to
each other, I think I have identified the network interface with the large
number of TTL-expired packets. It is a BGP interface, so my best guess is
that a BGP neighbour is advertising routes that they don't actually carry
in their routing tables and for some reason they are sending the packets
back to me, and the question now is to locate the culprit route
advertisement and contact the neighbor. Right?
Still, for the next time I see high cpu usage, the commands to use are:

'show process cpu' and look at the first few lines to determine if it's
interrupts or processes consuming the cpu time. If it's processes, look at
the list of processes for any that are using large percentages.

To diagnose high cpu consumption by interrupts, CPU Profiling
(http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af0.shtml)
is a possible tool.

Thank you all for your help!

Hector

From swmike at swm.pp.se Sun Nov 15 05:12:47 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sun, 15 Nov 2009 11:12:47 +0100 (CET)
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
References: <4AFF6E80.6030607@thelan.no>

On Sun, 15 Nov 2009, Hector Herrera wrote:

> Since the number of packets in the two commands above are very close to
> each other, I think I have identified the network interface with the
> large number of TTL-expired packets. It is a BGP interface, so my best
> guess is that a BGP neighbour is advertising routes that they don't
> actually carry in their routing tables and for some reason they are
> sending the packets back to me, and the question now is to locate the
> culprit route advertisement and contact the neighbor. Right?

Yes, or they didn't null-route their aggregate prefix and have a default
route to you (or you didn't null-route your prefix and you have a default
route to them).

Best way is probably to port-mirror the port and look for the ICMP
messages generated. You might also have luck with "debug icmp" on the 3550
and see whereto the ICMP messages are sent. There might also be a debug
command to actually tell you what unreachables are being sent.

Make sure you have "no logging console", and remember it's always a risk
to debug things...
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From asturluismi at gmail.com Sun Nov 15 08:58:04 2009
From: asturluismi at gmail.com (luismi)
Date: Sun, 15 Nov 2009 14:58:04 +0100
Subject: [c-nsp] IRIS Project
Message-ID: <1258293484.12313.0.camel@hal9000>

Is there anyone in this mailing list involved with the IRIS project?

From asturluismi at gmail.com Sun Nov 15 09:12:24 2009
From: asturluismi at gmail.com (luismi)
Date: Sun, 15 Nov 2009 15:12:24 +0100
Subject: [c-nsp] BDF over port-channels?
Message-ID: <1258294344.12313.1.camel@hal9000>

Is it supported in any IOS?
Does anyone know if it is going to be supported in the future?

From eng_mssk at hotmail.com Sun Nov 15 10:00:52 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 15 Nov 2009 17:00:52 +0200
Subject: [c-nsp] Kron

hey all

i have configured kron to backup my configuration files and all is
working fine
now i want to take ping values and store it in a file on the TFTP server
but the command for example ping y.y.y.y| redirect tftp://x.x.x.x/PING
is incorrect
so how is the way to do that ??

Thanks in advance

From avayner at cisco.com Sun Nov 15 10:15:56 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 15 Nov 2009 16:15:56 +0100
Subject: [c-nsp] Kron

Mohammad,

Wouldn't IP SLA be a better way to do it?
You can also create an EEM script that would be triggered by IP SLA
threshold values, so you will get a custom alert.
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Sunday, November 15, 2009 17:01
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Kron

From avayner at cisco.com Sun Nov 15 10:16:22 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 15 Nov 2009 16:16:22 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258294344.12313.1.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000>

Which platforms?

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Sunday, November 15, 2009 16:12
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BDF over port-channels?

Is it supported in any IOS?
Does anyone know if it is going to be supported in the future?
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From eng_mssk at hotmail.com Sun Nov 15 10:37:42 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Sun, 15 Nov 2009 17:37:42 +0200 Subject: [c-nsp] Kron In-Reply-To: References: Message-ID: hi Arie the problem is that the IOS installed on my switches does not support event manager feature thats why i am looking for kron > Subject: RE: [c-nsp] Kron > Date: Sun, 15 Nov 2009 16:15:56 +0100 > From: avayner at cisco.com > To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net > > Mohammad, > > Wouldn't IP SLA be a better way to do it? > You can also create an EEM script that would be triggered by IP SLA > threshold values, so you will get a custom alert. > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Sunday, November 15, 2009 17:01 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Kron > > > hey all > > i have configured kron to backup my configuration files and all is > working fine > now i want to take ping values and store it in a file on the TFTP server > but the command for example ping y.y.y.y| redirect tftp://x.x.x.x/PING > is incorrect > so how is the way to do that ?? > > Thanks in advance > > > _________________________________________________________________ > Windows Live Hotmail: Your friends can get your Facebook updates, right > from Hotmail(r). 
> http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action > /social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_4 > :092009 > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _________________________________________________________________ Windows Live: Keep your friends up to date with what you do online. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010 From rwest at zyedge.com Sun Nov 15 10:54:49 2009 From: rwest at zyedge.com (Ryan West) Date: Sun, 15 Nov 2009 10:54:49 -0500 Subject: [c-nsp] Kron In-Reply-To: References: Message-ID: You could graph your rtr/ip sla stats using mrtg or cacti. Sent from handheld. On Nov 15, 2009, at 10:39 AM, "Mohammad Khalil" wrote: > > hi Arie > > the problem is that the IOS installed on my switches does not > support event manager feature thats why i am looking for kron > >> Subject: RE: [c-nsp] Kron >> Date: Sun, 15 Nov 2009 16:15:56 +0100 >> From: avayner at cisco.com >> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net >> >> Mohammad, >> >> Wouldn't IP SLA be a better way to do it? >> You can also create an EEM script that would be triggered by IP SLA >> threshold values, so you will get a custom alert. 
From streiner at cluebyfour.org  Sun Nov 15 10:41:32 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Sun, 15 Nov 2009 10:41:32 -0500 (EST)
Subject: [c-nsp] Kron

On Sun, 15 Nov 2009, Mohammad Khalil wrote:

> I have configured kron to back up my configuration files and all is working fine.
> Now I want to take ping values and store them in a file on the TFTP server,
> but a command such as ping y.y.y.y | redirect tftp://x.x.x.x/PING is incorrect.
> So what is the way to do that?

The file "PING" on your TFTP server needs to exist and it needs to have the correct permissions to allow writing.

The other question is related to the use of recording the ping results. If you're keeping them as documentation of a specific link or router being reachable, that's one thing, but if you plan to record them for some kind of performance measurement, those numbers might be of limited value at best.

I'm also not sure that the syntax you have above will work.

jms

From eng_mssk at hotmail.com  Sun Nov 15 13:08:36 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 15 Nov 2009 20:08:36 +0200
Subject: [c-nsp] Kron

Yes Ryan, that's what I am trying to do. I want to measure latency between 2 sites, but my metro Ethernet switches do not support IP SLA or event manager; that's why I am trying to find an alternative by exporting ping results on a scheduled basis and using a script for graphing them.

> From: rwest at zyedge.com
> To: eng_mssk at hotmail.com
> CC: avayner at cisco.com; cisco-nsp at puck.nether.net
> Date: Sun, 15 Nov 2009 10:54:49 -0500
> Subject: Re: [c-nsp] Kron
>
> You could graph your rtr/ip sla stats using mrtg or cacti.
>
> Sent from handheld.
From rwest at zyedge.com  Sun Nov 15 13:20:16 2009
From: rwest at zyedge.com (Ryan West)
Date: Sun, 15 Nov 2009 13:20:16 -0500
Subject: [c-nsp] Kron

Are you sure it doesn't support RTR?

Sent from handheld.

On Nov 15, 2009, at 1:08 PM, "Mohammad Khalil" wrote:

> Yes Ryan, that's what I am trying to do. I want to measure latency
> between 2 sites, but my metro Ethernet switches do not support IP SLA
> or event manager; that's why I am trying to find an alternative by
> exporting ping results on a scheduled basis and using a script for
> graphing them.
From ras at e-gerbil.net  Sun Nov 15 13:59:10 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sun, 15 Nov 2009 12:59:10 -0600
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
In-Reply-To: <20091114212717.GM163@greenie.muc.de>
References: <200911150235.59896.mtinka@globaltransit.net> <20091114212717.GM163@greenie.muc.de>
Message-ID: <20091115185910.GL51443@gerbil.cluepon.net>

On Sat, Nov 14, 2009 at 10:27:17PM +0100, Gert Doering wrote:
> Hi,
>
> On Sun, Nov 15, 2009 at 02:35:59AM +0800, Mark Tinka wrote:
>> What quality networking, we have these days...
>
> Hey, at least you *have* BFD. Unlike us folks with SXH and SXI that
> want to use BFD on SVI interfaces...

They pulled BFD from SVI's on SR code too. Not that it's any more broken than BFD on physical interfaces really. :)

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From gert at greenie.muc.de  Sun Nov 15 14:19:36 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 15 Nov 2009 20:19:36 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258294344.12313.1.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000>
Message-ID: <20091115191936.GP163@greenie.muc.de>

Hi,

On Sun, Nov 15, 2009 at 03:12:24PM +0100, luismi wrote:
> Is it supported in any IOS?
> Does anyone know if it is going to be supported in the future?

On 7600s, it should work, if you are using "routed mode" port channels (or subinterfaces).
On vlan interfaces, it is not there (yet?).

On GSRs, I have no idea.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From mtinka at globaltransit.net  Sun Nov 15 17:17:50 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 16 Nov 2009 06:17:50 +0800
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
In-Reply-To: <20091115185910.GL51443@gerbil.cluepon.net>
References: <200911150235.59896.mtinka@globaltransit.net> <20091114212717.GM163@greenie.muc.de> <20091115185910.GL51443@gerbil.cluepon.net>
Message-ID: <200911160618.10525.mtinka@globaltransit.net>

On Monday 16 November 2009 02:59:10 am Richard A Steenbergen wrote:

> They pulled BFD from SVI's on SR code too. Not that it's
> any more broken than BFD on physical interfaces really.
> :)

I have it configured on physical interfaces on a 7604/RSP720-3CXL running 12.2(33)SRC5.

Cheers,

Mark.

From asturluismi at gmail.com  Sun Nov 15 22:43:46 2009
From: asturluismi at gmail.com (luismi)
Date: Mon, 16 Nov 2009 04:43:46 +0100
Subject: [c-nsp] BDF over port-channels?
References: <1258294344.12313.1.camel@hal9000>
Message-ID: <1258343026.13091.0.camel@hal9000>

7200 npe-g2 and 7600 rsp720-pfc3

On Sun, 15-11-2009 at 16:16 +0100, Arie Vayner (avayner) wrote:
> Which platforms?
> Arie

From andy.saykao at staff.netspace.net.au  Sun Nov 15 23:31:07 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 16 Nov 2009 15:31:07 +1100
Subject: [c-nsp] Can not establish MP-BGP sessions
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au>

Hi All,

We migrated a link between two pops onto a Switched Ethernet circuit and since then we can't pass MPLS VPN traffic between those two pops from PE1 to PE2, because PE1 and PE2 can not establish a MP-BGP session.
-------------------------
BGP log on PE1:
-------------------------
Nov 16 14:26:48.693 AEDT: %BGP-5-ADJCHANGE: neighbor 172.16.99.4 Down BGP Notification sent
Nov 16 14:26:48.693 AEDT: %BGP-3-NOTIFICATION: sent to neighbor 172.16.99.4 4/0 (hold time expired) 0 bytes

-------------------------
Topology:
-------------------------
POP1 [PE1 (lo99:172.16.99.13) --- Switched Ethernet --> P1 ] --> POP2 [P2 --> PE2 (lo99:172.16.99.4)]

-------------------------
P1:
-------------------------
interface GigabitEthernet4/0/1
 description Connection to P2
 bandwidth 150000
 ip address 203.17.96.x 255.255.255.252
 load-interval 30
 negotiation auto
 mpls ip

-------------------------
P2:
-------------------------
interface GigabitEthernet0/2
 description Connection to P1
 bandwidth 150000
 ip address 203.17.96.x 255.255.255.252
 load-interval 30
 media-type gbic
 speed auto
 duplex auto
 negotiation auto
 mpls ip

Interesting thing to note is that if I remove "mpls ip" from P1's interface, the MP-BGP sessions are formed between PE1 and PE2 and stay up. When I put "mpls ip" back on the interface, the MP-BGP session times out with the error message in the BGP log above.

The only thing that has changed is the introduction of the new Switched Ethernet circuit. I was thinking that it might have something to do with jumbo frames, but our upstream providers tell me that they have configured jumbo frames on either end of the link, plus I can ping from P1 to P2 with byte sizes larger than 8000 bytes.

Has anyone got any ideas as to why the MP-BGP sessions all of a sudden can no longer stay up, and what further debug/troubleshooting I can do?

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system.
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From ecralar at hotmail.com  Mon Nov 16 01:52:29 2009
From: ecralar at hotmail.com (Alex)
Date: Mon, 16 Nov 2009 06:52:29 -0000
Subject: [c-nsp] Can not establish MP-BGP sessions
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au>

Hi Andy,

Couple of questions:

1/ Can you ping between PE1 and PE2 _loopbacks_ across the circuit when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?

2/ Can you establish a BGP session between _interface_ addresses when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?

Rgds

Alex

--------------------------------------------------
From: "Andy Saykao"
Date: 16 November 2009 04:31
Subject: [c-nsp] Can not establish MP-BGP sessions

> Hi All,
>
> We migrated a link between two pops onto a Switched Ethernet circuit and
> since then we can't pass MPLS VPN traffic between those two pops from
> PE1 to PE2, because PE1 and PE2 can not establish a MP-BGP session.
>
> -------------------------
> BGP log on PE1:
> -------------------------
> Nov 16 14:26:48.693 AEDT: %BGP-5-ADJCHANGE: neighbor 172.16.99.4 Down
> BGP Notification sent
> Nov 16 14:26:48.693 AEDT: %BGP-3-NOTIFICATION: sent to neighbor
> 172.16.99.4 4/0 (hold time expired) 0 bytes
>
> -------------------------
> Topology:
> -------------------------
> POP1 [PE1 (lo99:172.16.99.13) --- Switched Ethernet --> P1 ] --> POP2
> [P2 --> PE2 (lo99:172.16.99.4)]
>
> -------------------------
> P1:
> -------------------------
> interface GigabitEthernet4/0/1
>  description Connection to P2
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  negotiation auto
>  mpls ip
>
> -------------------------
> P2:
> -------------------------
> interface GigabitEthernet0/2
>  description Connection to P1
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  media-type gbic
>  speed auto
>  duplex auto
>  negotiation auto
>  mpls ip
>
> Interesting thing to note is that if I remove "mpls ip" from P1's
> interface, the MP-BGP sessions are formed between PE1 and PE2 and stay
> up. When I put "mpls ip" back on the interface, the MP-BGP session times
> out with the error message in the BGP log above.
>
> The only thing that has changed is the introduction of the new Switched
> Ethernet circuit. I was thinking that it might have something to do with
> jumbo frames, but our upstream providers tell me that they have
> configured jumbo frames on either end of the link, plus I can ping
> from P1 to P2 with byte sizes larger than 8000 bytes.
>
> Has anyone got any ideas as to why the MP-BGP sessions all of a sudden
> can no longer stay up, and what further debug/troubleshooting I can do?
>
> Thanks.
>
> Andy
From mschedrin at gmail.com  Mon Nov 16 05:18:07 2009
From: mschedrin at gmail.com (Mikhail Schedrin)
Date: Mon, 16 Nov 2009 13:18:07 +0300
Subject: [c-nsp] SCE 8000 troubles
Message-ID: <73ec141e0911160218l25441436sa30055fa8d98d7f@mail.gmail.com>

Hi all.

My SCE8000 logs a lot of error messages:

2009-11-01 00:56:15 | WARN | CPU #000 | System had started hardware congestion bypassed
2009-11-01 01:22:17 | WARN | CPU #000 | System had stopped hardware congestion bypassed
2009-11-01 01:22:23 | WARN | CPU #000 | System had started hardware congestion bypassed
2009-10-01 08:26:37 | WARN | CPU #000 | The SE status changed to Warning
2009-10-01 12:26:37 | WARN | CPU #000 | SE Control Module: A problem occurred. Please report to Cisco's customer support
2009-09-29 03:06:25 | ERROR | CPU #000 | Application configuration file executed with 1363 errors.
2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error occurred. Please report to Cisco's customer support
2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error occurred. Please report to Cisco's customer support

After these messages the SCE can stop shaping, reboot, stop syncing subscribers, etc. I could not find any explanation in the documentation about such errors.
Did anyone meet such problems?

--
SkyNet Telecom
http://sknt.ru
+7 812 600-75-35 ext. 554
+7 911 934-79-83

From jp at softnet.si  Mon Nov 16 05:56:17 2009
From: jp at softnet.si (Primoz Jeroncic)
Date: Mon, 16 Nov 2009 11:56:17 +0100 (CET)
Subject: [c-nsp] c3560 IPv6 and ACL

Hi

We are slowly moving toward IPv6 implementation in production, so I came to ACLs. I would want to have some protection for our servers, so I went to configure an IPv6 ACL, which is based on our IPv4 ACL. Problem is, it looks like I can't make host-based ACL entries on c3560. If I try to add a line for the SMTP server I get the following:

interface FastEthernet0/1
 no switchport
 ipv6 address xxxx:xxxx:0:3::1/64
 ipv6 enable
 ipv6 traffic-filter fw-ipv6 out

test(config)#ipv6 access-list fw-ipv6
test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
% Host address xxxx:xxxx:0:3::2 can not be supported
% ACE can not be added
% Failed to add access list

If I try to do the same thing on c12008, it works without problems.

Any idea how to solve this problem?

PS: This c3560 is running Adv. IP services 12.2.40.SE IOS, in case this matters. And the preferred SDM template is "desktop IPv4 and IPv6 routing".

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.   tel: +386 1 562 31 40    |
Borovec 2        fax: +386 1 562 18 55    |       1 + 1 = 3
1236 Trzin       primoz(at)softnet.si     | for larger values of 1
Slovenija        http://flea.softnet.si/  |
-------------------------------------------------------------------

From copse at xy.org  Mon Nov 16 06:31:28 2009
From: copse at xy.org (Roger Wiklund)
Date: Mon, 16 Nov 2009 12:31:28 +0100
Subject: [c-nsp] c7200, only one IP configured, seeing 2 as connected

Hi

I have a strange problem. I have a Serial interface with one /30 IP configured as a link network between PE and CE.
interface Serial1/0
 description MPLS Circuit
 bandwidth 34368
 ip address 206.115.103.122 255.255.255.252
 ip nbar protocol-discovery
 encapsulation ppp
 framing g751
 dsu bandwidth 34010
 serial restart-delay 0
 no cdp enable
 max-reserved-bandwidth 90
 service-policy output shape-etm

router#sh conf | i 206.115.103.121
 neighbor 206.115.103.121 remote-as X

But I'm seeing 2 IPs. I'm actually seeing the PE's IP address as being directly connected, and as I have redist connected it's being advertised to the PE.

router#show ip route connected
C    206.115.103.120/30 is directly connected, Serial1/0
C    206.115.103.121/32 is directly connected, Serial1/0

router#show ip bgp nei 206.115.103.121 advertised-routes
*> 206.115.103.120/30   0.0.0.0   0   32768 ?
*> 206.115.103.121/32   0.0.0.0   0   32768 ?

Have you ever seen this before?

Cisco 7204VXR (NPE400) processor (revision B) with 229376K/32768K bytes of memory.
(C7200-IS-M), Version 12.4(25b)

Regards
Roger

From sthaug at nethelp.no  Mon Nov 16 06:31:56 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 16 Nov 2009 12:31:56 +0100 (CET)
Subject: [c-nsp] c3560 IPv6 and ACL
Message-ID: <20091116.123156.74736630.sthaug@nethelp.no>

> We are slowly moving toward IPv6 implementation in production, so I
> came to ACLs. I would want to have some protection for our servers,
> so I went to configure an IPv6 ACL, which is based on our IPv4 ACL.
> Problem is, it looks like I can't make host-based ACL entries
> on c3560. If I try to add a line for the SMTP server I get the following:

I seem to remember the 3560 has 144-bit TCAM entries, which cannot easily support a 128-bit IPv6 address + 16-bit source port + 16-bit destination port.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From olof.kasselstrand at gmail.com  Mon Nov 16 06:43:19 2009
From: olof.kasselstrand at gmail.com (Olof Kasselstrand)
Date: Mon, 16 Nov 2009 12:43:19 +0100
Subject: [c-nsp] c3560 IPv6 and ACL

Hi,

What happens if you drop the "host" keyword and add /128 to the host address?

// Olof

On Mon, Nov 16, 2009 at 11:56 AM, Primoz Jeroncic wrote:
> Hi
>
> We are slowly moving toward IPv6 implementation in production, so I came to
> ACLs. I would want to have some protection for our servers,
> so I went to configure an IPv6 ACL, which is based on our IPv4 ACL.
> Problem is, it looks like I can't make host-based ACL entries
> on c3560. If I try to add a line for the SMTP server I get the following:
>
> interface FastEthernet0/1
>  no switchport
>  ipv6 address xxxx:xxxx:0:3::1/64
>  ipv6 enable
>  ipv6 traffic-filter fw-ipv6 out
>
> test(config)#ipv6 access-list fw-ipv6
> test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
> % Host address xxxx:xxxx:0:3::2 can not be supported
> % ACE can not be added
> % Failed to add access list
>
> If I try to do the same thing on c12008, it works without problems.
>
> Any idea how to solve this problem?
>
> PS: This c3560 is running Adv. IP services 12.2.40.SE IOS, in case
> this matters. And the preferred SDM template is "desktop IPv4 and IPv6 routing".
>
> Have fun,
> Primoz Jeroncic
> Support - IP Connectivity & Routing
> -------------------------------------------------------------------
> Softnet d.o.o.   tel: +386 1 562 31 40    |
> Borovec 2        fax: +386 1 562 18 55    |       1 + 1 = 3
> 1236 Trzin       primoz(at)softnet.si     | for larger values of 1
> Slovenija        http://flea.softnet.si/  |
> -------------------------------------------------------------------

From tim at pelican.org  Mon Nov 16 06:47:19 2009
From: tim at pelican.org (Tim Franklin)
Date: Mon, 16 Nov 2009 11:47:19 +0000 (GMT)
Subject: [c-nsp] c7200, only one IP configured, seeing 2 as connected
Message-ID: <22434271.01258372039851.JavaMail.root@jennyfur.pelican.org>

> router#show ip route connected
>
> C    206.115.103.120/30 is directly connected, Serial1/0
> C    206.115.103.121/32 is directly connected, Serial1/0
> router#show ip bgp nei 206.115.103.121 advertised-routes

This is completely normal for a point-to-point circuit: you get a connected route for the network configured on your end, and you also get the host address of your peer, as determined during the PPP negotiation. (There's no reason that opposite ends of a PPP link have to be in the same subnet; the peer could have a completely unrelated address).

If you want to remove it, just configure 'no peer neighbor-route' on the interface. You'll need to bounce the interface for this to take effect.

Regards,
Tim.

From dale.shaw+cisco-nsp at gmail.com  Mon Nov 16 06:53:14 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Mon, 16 Nov 2009 22:53:14 +1100
Subject: [c-nsp] c7200, only one IP configured, seeing 2 as connected
Message-ID: <3329cbb40911160353j7a2d29b9h57ec017aa9318698@mail.gmail.com>

Hi Roger,

On Mon, Nov 16, 2009 at 10:31 PM, Roger Wiklund wrote:
>
> I have a strange problem. I have a Serial interface with one /30 IP
> configured as a link network between PE and CE.
> [....]
>
> Have you ever seen this before?

Yeah.

Check out: http://blog.ioshints.info/2008/02/remove-unwanted-ppp-peer-route.html

cheers,
Dale

From amsoares at netcabo.pt  Mon Nov 16 07:15:24 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 16 Nov 2009 12:15:24 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
Message-ID: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, I have 4 of these messages. Slot 6 is a SIP-601 containing 2 x SPA-10G.

What could be the problem? The "show controllers fia" does not show any problem. The "execute-on slot 6 show controllers fia" shows this:

Switch cards present:   0x1F
Switch cards monitored: 0x1F
                    0        1        2        3        4
             -------- -------- -------- -------- --------
los                 0        0        0        0        0
state             Off      Off      Off      Off      Off
crc16           53989        0        0        0        0
xor error           0        0        0        0
cell drops       1020     1020     1020     1020

IOS=c12kprp-p-mz.120-32.SY6.bin

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From leonardo.souza at nec.com.br  Mon Nov 16 07:41:09 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Mon, 16 Nov 2009 10:41:09 -0200
Subject: [c-nsp] RES: FABRIC-3-ERR_HANDLE
In-Reply-To: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br>

Hi,

What is the output from 'show controllers errors fabric'? First of all I would try to reseat the LC6 and see if the CRC errors stop.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: Monday, 16 November 2009 10:15
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FABRIC-3-ERR_HANDLE

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, I have 4 of these messages. Slot 6 is a SIP-601 containing 2 x SPA-10G.
What could be the problem? The "show controllers fia" does not show any problem. The "execute-on slot 6 show controllers fia" shows this:

Switch cards present:   0x1F
Switch cards monitored: 0x1F
                    0        1        2        3        4
             -------- -------- -------- -------- --------
los                 0        0        0        0        0
state             Off      Off      Off      Off      Off
crc16           53989        0        0        0        0
xor error           0        0        0        0
cell drops       1020     1020     1020     1020

IOS=c12kprp-p-mz.120-32.SY6.bin

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From amsoares at netcabo.pt  Mon Nov 16 07:48:47 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 16 Nov 2009 12:48:47 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br>
Message-ID: <1175087E65814145B873862D6AB00596@int.convex.pt>

No problems with that output:

12k2>show control errors fabric
          SCA192  SCA192  SCA192  SCA192  XBAR192  XBAR192  CSCFPGA  CSCFPGA  CLKFPGA
          LC_ENA  BP_FRC  LC_TYP  DE_GNT  DAT_LOS  SEL_IDL  LP_BAK   LC_PRE   CLKSTS
SLOT0     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT1     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT2     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT3     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT4     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT5     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT6     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT7     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT8     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT9     OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT10    OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT11    OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT12    OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT13    OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT14    OK      OK      OK      OK      OK       OK       OK       OK       OK
SLOT15    OK      OK      OK      OK      OK       OK       OK       OK       OK
Fabric error handling : enabled
12k2>

But I get the same type of pattern when doing the "execute-on slot x show controllers fia" for other SIP601 slots.
And the pattern is: Switch cards present: 0x1F Switch cards monitored: 0x1F 0 1 2 3 4 -------- -------- -------- -------- -------- los 0 0 0 0 0 state Off Off Off Off Off crc16 XXXXX 0 0 0 0 xor error0 0 0 0 cell dropsYYYY YYYY YYYY YYYY XXXX and YYYY have non-zero values. Here the column '0' must be csc0. So the problem must be with csc0. I don't understand why in the line 'cell drops' i only have 4 values. I was expecting 5 as with the other lines. Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt -----Original Message----- From: Leonardo Gama Souza [mailto:leonardo.souza at nec.com.br] Sent: segunda-feira, 16 de Novembro de 2009 12:41 To: Antonio Soares; cisco-nsp at puck.nether.net Subject: RES: [c-nsp] FABRIC-3-ERR_HANDLE Hi, What is the output from 'show controllers errors fabric'? First of all I would try to reseat the LC6 and see if the CRC errors stop. -----Mensagem original----- De: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] Em nome de Antonio Soares Enviada em: segunda-feira, 16 de novembro de 2009 10:15 Para: cisco-nsp at puck.nether.net Assunto: [c-nsp] FABRIC-3-ERR_HANDLE Hello group, I have a 12k reporting this: %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6 In one week, i have 4 of these messages. Slot 6 is a SIP-601 containing 2 x SPA-10G. What could be the problem ? The "show controllers fia" do not show any problem. The "execute-on slot 6 show controllers fia" show this: Switch cards present: 0x1F Switch cards monitored: 0x1F 0 1 2 3 4 -------- -------- -------- -------- -------- los 0 0 0 0 0 state Off Off Off Off Off crc16 53989 0 0 0 0 xor error0 0 0 0 cell drops1020 1020 1020 1020 IOS=c12kprp-p-mz.120-32.SY6.bin Thanks. 
Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From leonardo.souza at nec.com.br Mon Nov 16 07:48:36 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Mon, 16 Nov 2009 10:48:36 -0200 Subject: [c-nsp] RES: SCE 8000 troubles In-Reply-To: <73ec141e0911160218l25441436sa30055fa8d98d7f@mail.gmail.com> References: <73ec141e0911160218l25441436sa30055fa8d98d7f@mail.gmail.com> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23FA@spsrvmail03.nec.br> Which were the subscribers and unidirectional flows usage at the moment of the problem? I've never seen such errors. -----Mensagem original----- De: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] Em nome de Mikhail Schedrin Enviada em: segunda-feira, 16 de novembro de 2009 08:18 Para: cisco-nsp at puck.nether.net Assunto: [c-nsp] SCE 8000 troubles Hi all. My SCE8000 logs a lot of error messages: > 2009-11-01 00:56:15 | WARN | CPU #000 | System had started hardware > congestion bypassed 2009-11-01 01:22:17 | WARN | CPU #000 | System had stopped hardware > congestion bypassed 2009-11-01 01:22:23 | WARN | CPU #000 | System had started hardware > congestion bypassed 2009-10-01 08:26:37 | WARN | CPU #000 | The SE status changed to Warning 2009-10-01 12:26:37 | WARN | CPU #000 | SE Control Module: A problem > occurred. Please report to Cisco's customer support 2009-09-29 03:06:25 | ERROR | CPU #000 | Application configuration file > executed with 1363 errors. 2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error > occurred. Please report to Cisco's customer support 2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error > occurred. 
Please report to Cisco's customer support

After these messages SCE can stop shaping, reboot, stop syncing subscribers etc.
I could not find any explanation in documentation about such errors.
Did anyone meet such problems?

--
Regards,
Mikhail Schedrin
SkyNet Telecom http://sknt.ru
Saint Petersburg
tel. +7 812 600-75-35 ext. 554
mob. +7 911 934-79-83

From leonardo.souza at nec.com.br Mon Nov 16 08:06:15 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Mon, 16 Nov 2009 11:06:15 -0200
Subject: [c-nsp] RES: FABRIC-3-ERR_HANDLE
In-Reply-To: <1175087E65814145B873862D6AB00596@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br> <1175087E65814145B873862D6AB00596@int.convex.pt>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br>

Hi,

Sounds weird. You're right. It seems a problem with csc0.

I guess it's only 4 because there's only one CSC active at any time.

-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt]
Sent: Monday, 16 November 2009 10:49
To: Leonardo Gama Souza; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] FABRIC-3-ERR_HANDLE

No problems with that output:

12k2>show control errors fabric
        SCA192  SCA192  SCA192  SCA192  XBAR192 XBAR192 CSCFPGA CSCFPGA CLKFPGA
        LC_ENA  BP_FRC  LC_TYP  DE_GNT  DAT_LOS SEL_IDL LP_BAK  LC_PRE  CLKSTS
SLOT0   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT1   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT2   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT3   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT4   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT5   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT6   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT7   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT8   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT9   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT10  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT11  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT12  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT13  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT14  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT15  OK      OK      OK      OK      OK      OK      OK      OK      OK
Fabric error handling : enabled
12k2>

But I get the same type of pattern when doing the "execute-on slot x show controllers fia" for other SIP601 slots.

And the pattern is:

Switch cards present: 0x1F
Switch cards monitored: 0x1F
                   0        1        2        3        4
            -------- -------- -------- -------- --------
los                0        0        0        0        0
state            Off      Off      Off      Off      Off
crc16          XXXXX        0        0        0        0
xor error          0        0        0        0
cell drops      YYYY     YYYY     YYYY     YYYY

XXXX and YYYY have non-zero values.

Here the column '0' must be csc0. So the problem must be with csc0.

I don't understand why in the line 'cell drops' I only have 4 values. I was expecting 5 as with the other lines.

Regards,
Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Leonardo Gama Souza [mailto:leonardo.souza at nec.com.br]
Sent: Monday, 16 November 2009 12:41
To: Antonio Soares; cisco-nsp at puck.nether.net
Subject: RES: [c-nsp] FABRIC-3-ERR_HANDLE

Hi,

What is the output from 'show controllers errors fabric'?

First of all I would try to reseat the LC6 and see if the CRC errors stop.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: Monday, 16 November 2009 10:15
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FABRIC-3-ERR_HANDLE

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, I have 4 of these messages. Slot 6 is a SIP-601 containing 2 x SPA-10G.

What could be the problem? The "show controllers fia" does not show any problem. The "execute-on slot 6 show controllers fia" shows this:

Switch cards present: 0x1F
Switch cards monitored: 0x1F
                   0        1        2        3        4
            -------- -------- -------- -------- --------
los                0        0        0        0        0
state            Off      Off      Off      Off      Off
crc16          53989        0        0        0        0
xor error          0        0        0        0
cell drops      1020     1020     1020     1020

IOS=c12kprp-p-mz.120-32.SY6.bin

Thanks.

Regards,
Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From r.tahina at moov.mg Mon Nov 16 08:10:10 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Mon, 16 Nov 2009 16:10:10 +0300
Subject: [c-nsp] routing with 2 upstreams issue
Message-ID: <7.0.1.0.2.20091116160625.0624b640@moov.mg>

Hi All,

I'm connected to 2 upstreams, is there any performance issue if upload from 192.168.1.0/24 is via upstream 1 but download for this class is from upstream 2?
BR

From thegameiam at yahoo.com Mon Nov 16 07:17:21 2009
From: thegameiam at yahoo.com (David Barak)
Date: Mon, 16 Nov 2009 04:17:21 -0800 (PST)
Subject: [c-nsp] c7200, only one IP configured, seeing 2 as connected
In-Reply-To:
Message-ID: <656731.77506.qm@web31808.mail.mud.yahoo.com>

Hi Roger,

PPP by default will inject the /32 address of the "far" end into the connected route table. You can modify this with either a route-map on your redistribute connected statement, or more simply add "no peer neighbor-route" under your interface configuration which will modify the PPP behavior.

-David Barak

Roger Wiklund wrote:
> Hi
> I have a strange problem. I have a Serial interface with one /30 IP
> configured as a link network between PE and CE.
>
> interface Serial1/0
>  description MPLS Circuit
>  bandwidth 34368
>  ip address 206.115.103.122 255.255.255.252
>  ip nbar protocol-discovery
>  encapsulation ppp
>  framing g751
>  dsu bandwidth 34010
>  serial restart-delay 0
>  no cdp enable
>  max-reserved-bandwidth 90
>  service-policy output shape-etm
>
> router#sh conf | i 206.115.103.121
>  neighbor 206.115.103.121 remote-as X
>
> But I'm seeing 2 IPs, I'm actually seeing the PE's IP addressing, as being
> directly connected, and as I have redist connect it's being advertised to
> the PE.
>
> router#show ip route connected
> C    206.115.103.120/30 is directly connected, Serial1/0
> C    206.115.103.121/32 is directly connected, Serial1/0
>
> router#show ip bgp nei 206.115.103.121 advertised-routes
> *> 206.115.103.120/30    0.0.0.0          0         32768 ?
> *> 206.115.103.121/32    0.0.0.0          0         32768 ?
>
> Have you ever seen this before?
>
> Cisco 7204VXR (NPE400) processor (revision B) with 229376K/32768K bytes of
> memory.
> (C7200-IS-M), Version 12.4(25b)
>
> Regards
> Roger

From jp at softnet.si Mon Nov 16 08:22:25 2009
From: jp at softnet.si (Primoz Jeroncic)
Date: Mon, 16 Nov 2009 14:22:25 +0100 (CET)
Subject: [c-nsp] c3560 IPv6 and ACL
In-Reply-To:
References:
Message-ID:

On Mon, 16 Nov 2009, Olof Kasselstrand wrote:

> Hi,
>
> What happens if you drop the "host" keyword and add /128 to the host address?

Hi Olof

Same thing. It doesn't matter if I add this as "host xxxxx" or as xxxx/128.

Primoz

>
> // Olof
>
> On Mon, Nov 16, 2009 at 11:56 AM, Primoz Jeroncic wrote:
>> Hi
>>
>> We are slowly moving toward IPv6 implementation in production, so I came to
>> ACLs. I would want to have some protection for our servers,
>> so I went to configure IPv6 ACL, which is based on our IPv4 ACL.
>> Problem is, that it looks like I can't make host based ACL entries
>> on c3560. If I try to add line for SMTP server I get following:
>>
>> interface FastEthernet0/1
>>  no switchport
>>  ipv6 address xxxx:xxxx:0:3::1/64
>>  ipv6 enable
>>  ipv6 traffic-filter fw-ipv6 out
>>
>> test(config)#ipv6 access-list fw-ipv6
>> test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
>> % Host address xxxx:xxxx:0:3::2 can not be supported
>> % ACE can not be added
>> % Failed to add access list
>>
>> If I try to do same thing on c12008, it works without problems.
>>
>> Any idea how to solve this problem?
>>
>> PS: This c3560 is running Adv. IP services 12.2.40.SE IOS, in case if
>> this matters. And preferred SDM template is "desktop IPv4 and IPv6 routing".
>>
>> Have fun,
>> Primoz Jeroncic
>> Support - IP Connectivity & Routing
>> -------------------------------------------------------------------
>> Softnet d.o.o.  tel:  +386 1 562 31 40   |
>> Borovec 2       fax:  +386 1 562 18 55   |      1 + 1 = 3
>> 1236 Trzin      primoz(at)softnet.si     | for larger values of 1
>> Slovenija       http://flea.softnet.si/
>> -------------------------------------------------------------------
>

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.  tel:  +386 1 562 31 40   |
Borovec 2       fax:  +386 1 562 18 55   |      1 + 1 = 3
1236 Trzin      primoz(at)softnet.si     | for larger values of 1
Slovenija       http://flea.softnet.si/
-------------------------------------------------------------------

From amsoares at netcabo.pt Mon Nov 16 08:28:57 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 16 Nov 2009 13:28:57 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br> <1175087E65814145B873862D6AB00596@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br>
Message-ID: <58024F3C430E43B3AC381AEA154305D1@int.convex.pt>

But if '0' is csc0 and '1' is csc1, it means the problem could be with the csc in slot16. This is exactly the csc in standby:

12k2#execute-on slot 8 sh controlle fia
========= Standby RP (Slot 8) =========
Fabric configuration: 10Gbps bandwidth, redundant fabric
Master Scheduler: Slot 17 Backup Scheduler: Slot 16
Fab epoch no 0 Halt count 0

What kind of problems can a csc in standby mode have?
I don't mind replacing the csc but this doesn't make any sense to me.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Leonardo Gama Souza [mailto:leonardo.souza at nec.com.br]
Sent: Monday, 16 November 2009 13:06
To: Antonio Soares; cisco-nsp at puck.nether.net
Subject: RES: [c-nsp] FABRIC-3-ERR_HANDLE

Hi,

Sounds weird. You're right. It seems a problem with csc0.

I guess it's only 4 because there's only one CSC active at any time.

-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt]
Sent: Monday, 16 November 2009 10:49
To: Leonardo Gama Souza; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] FABRIC-3-ERR_HANDLE

No problems with that output:

12k2>show control errors fabric
        SCA192  SCA192  SCA192  SCA192  XBAR192 XBAR192 CSCFPGA CSCFPGA CLKFPGA
        LC_ENA  BP_FRC  LC_TYP  DE_GNT  DAT_LOS SEL_IDL LP_BAK  LC_PRE  CLKSTS
SLOT0   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT1   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT2   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT3   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT4   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT5   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT6   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT7   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT8   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT9   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT10  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT11  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT12  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT13  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT14  OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT15  OK      OK      OK      OK      OK      OK      OK      OK      OK
Fabric error handling : enabled
12k2>

But I get the same type of pattern when doing the "execute-on slot x show controllers fia" for other SIP601 slots.

And the pattern is:

Switch cards present: 0x1F
Switch cards monitored: 0x1F
                   0        1        2        3        4
            -------- -------- -------- -------- --------
los                0        0        0        0        0
state            Off      Off      Off      Off      Off
crc16          XXXXX        0        0        0        0
xor error          0        0        0        0
cell drops      YYYY     YYYY     YYYY     YYYY

XXXX and YYYY have non-zero values.

Here the column '0' must be csc0. So the problem must be with csc0.

I don't understand why in the line 'cell drops' I only have 4 values. I was expecting 5 as with the other lines.

Regards,
Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Leonardo Gama Souza [mailto:leonardo.souza at nec.com.br]
Sent: Monday, 16 November 2009 12:41
To: Antonio Soares; cisco-nsp at puck.nether.net
Subject: RES: [c-nsp] FABRIC-3-ERR_HANDLE

Hi,

What is the output from 'show controllers errors fabric'?

First of all I would try to reseat the LC6 and see if the CRC errors stop.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: Monday, 16 November 2009 10:15
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FABRIC-3-ERR_HANDLE

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, I have 4 of these messages. Slot 6 is a SIP-601 containing 2 x SPA-10G.

What could be the problem? The "show controllers fia" does not show any problem. The "execute-on slot 6 show controllers fia" shows this:

Switch cards present: 0x1F
Switch cards monitored: 0x1F
                   0        1        2        3        4
            -------- -------- -------- -------- --------
los                0        0        0        0        0
state            Off      Off      Off      Off      Off
crc16          53989        0        0        0        0
xor error          0        0        0        0
cell drops      1020     1020     1020     1020

IOS=c12kprp-p-mz.120-32.SY6.bin

Thanks.

Regards,
Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From drew.weaver at thenap.com Mon Nov 16 08:45:54 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 16 Nov 2009 08:45:54 -0500
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
In-Reply-To: <4D393834-9022-4207-86BB-59731CF7BF68@arbor.net>
References: <4AFD889D.1090204@imperial.ac.uk> <4D393834-9022-4207-86BB-59731CF7BF68@arbor.net>
Message-ID:

So is anyone aware of a newer version of the 6724 that has better buffers or are we supposed to just use SIP-600s and the 10x1GE-V2 in the 6500s?

thanks,
-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dobbins, Roland
Sent: Friday, November 13, 2009 2:36 PM
To: Cisco-nsp
Subject: Re: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)

On Nov 13, 2009, at 11:26 PM, Phil Mayers wrote:

> No. It's separate from QoS, you don't need QoS enabled for the MLS rate limiters.

Correct. Also note that HWRL policies have precedence over CoPP.

-----------------------------------------------------------------------
Roland Dobbins // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From andy.saykao at staff.netspace.net.au Mon Nov 16 08:51:51 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 17 Nov 2009 00:51:51 +1100
Subject: [c-nsp] Can not establish MP-BGP sessions
References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au>

Hi Alex,

1/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - I can not ping from PE2 > PE1 BUT I can ping from PE1 > PE2. That's my real problem why MP-BGP won't come up because I don't seem to have two way comms between PE routers' BGP update-source lo99 address.

POP1 [PE1 (lo99:172.16.99.13) --> P1 ] --switched ethernet--> POP2 [P2 --> PE2 (lo99:172.16.99.4)]

Eg: Ping PE1 > PE2 (OK!)
PE1#ping 172.16.99.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

Eg: Ping PE2 > PE1 (NOT OK!)
PE2#ping 172.16.99.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Ping PE2 > P1 (OK!)
Ping P2 > P1 (OK!)

*** Seems like I can't get any traffic/labels beyond P1 to get to PE1. ***

Forwarding table entry for PE1(lo99) looks ok on P1.

P1#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
8668   Pop Label   172.16.99.13/32   158269119     Gi0/0.152  203.17.102.113

2/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - BGP does not come up.
PE1#sh ip bgp vpnv4 all summary
BGP router identifier 203.17.101.20, local AS number 4854
BGP table version is 11983, main routing table version 11983
15 network entries using 2115 bytes of memory
15 path entries using 1020 bytes of memory
6/3 BGP path/bestpath attribute entries using 840 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP community entries using 24 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4119 total bytes of memory
BGP activity 1539/1500 prefixes, 6326/6263 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.99.4     4  4854  147048  148587        0    0    0 06:48:13 Active
172.16.99.5     4  4854  147196  148642        0    0    0 06:48:08 Active
172.16.99.7     4  4854  147468  148593        0    0    0 06:48:16 Active
172.16.99.9     4  4854  146473  148502        0    0    0 06:48:01 Active
172.16.99.14    4  4854  147066  149123    11983    0    0 10:43:13 7
172.16.99.16    4  4854  146464  148574        0    0    0 06:47:52 Active
172.16.99.19    4  4854  149509  151673    11983    0    0 10:43:59 5
172.16.99.20    4  4854  149448  151672    11983    0    0 10:43:58 2

If I disable "mpls ip" on either Gi4/0/1 and Gi0/2, BGP does come up but of course I have no mpls vpn traffic because those links are no longer mpls enabled.

Note that all Active BGP peers are PE devices which sit on the POP2 side. So all BGP peers on POP1 can establish BGP sessions with each other but not to BGP peers at POP2. Likewise PE's at POP2 can establish BGP sessions with each other and not with PE's located at POP1.

The forwarding table from PE2 > P2 > P1 looks ok - so not sure why you can't ping PE2 > PE1.

PE2#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
617    3034        172.16.99.13/32   0             Gi0/0.11   203.10.110.211

P2#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
3034   8668        172.16.99.13/32   1582342       Gi4/0/1    203.17.96.97

P1#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
8668   Pop Label   172.16.99.13/32   158253163     Gi0/0.152  203.17.102.113

The fact that PE's at POP2 can not communicate with PE's at POP1 is why I think BGP isn't coming up between PE1 and PE2. I don't know why mpls traffic/labels are not being swapped and forwarded beyond P1 to reach PE1. MPLS config, ldp, mpls forwarding table and bindings all look ok to me - any ideas??? Like I said we haven't changed any config except moving from our existing circuit to a new protected switched ethernet circuit.

Thanks.

Andy

-----Original Message-----
From: Alex [mailto:ecralar at hotmail.com]
Sent: Monday, 16 November 2009 5:52 PM
To: Andy Saykao; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Can not establish MP-BGP sessions

Hi Andy,

Couple of questions:

1/ Can you ping between PE1 and PE2 _loopbacks_ across the circuit when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?

2/ Can you establish BGP session between _interface_ addresses when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?

Rgds
Alex

--------------------------------------------------
From: "Andy Saykao"
Date: 16 November 2009 04:31
To:
Subject: [c-nsp] Can not establish MP-BGP sessions

> Hi All,
>
> We migrated a link between two pops onto a Switched Ethernet circuit
> and since then we can't pass MPLS VPN traffic between those two pops
> from PE1 to PE2 because PE1 and PE2 can not establish a MP-BGP session.
>
> -------------------------
> BGP log on PE1:
> -------------------------
> Nov 16 14:26:48.693 AEDT: %BGP-5-ADJCHANGE: neighbor 172.16.99.4 Down BGP Notification sent
> Nov 16 14:26:48.693 AEDT: %BGP-3-NOTIFICATION: sent to neighbor 172.16.99.4 4/0 (hold time expired) 0 bytes
>
> -------------------------
> Topology:
> -------------------------
> POP1 [PE1 (lo99:172.16.99.13) --- Switched Ethernet --> P1 ] --> POP2 [P2 --> PE2 (lo99:172.16.99.4)]
>
> -------------------------
> P1:
> -------------------------
> interface GigabitEthernet4/0/1
>  description Connection to P2
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  negotiation auto
>  mpls ip
>
> -------------------------
> P2:
> -------------------------
> interface GigabitEthernet0/2
>  description Connection to P1
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  media-type gbic
>  speed auto
>  duplex auto
>  negotiation auto
>  mpls ip
>
> Interesting thing to note is that if I remove "mpls ip" from P1's
> interface, the MP-BGP sessions are formed between PE1 and PE2 and stay
> up. When I put "mpls ip" back on the interface, the MP-BGP session
> times out with the error message in the BGP log above.
>
> The only thing that has changed is the introduction of the new
> Switched Ethernet circuit. I was thinking that it might have something
> to do with jumbo frames but our UpStream Providers tells me that they
> have configured jumbo frames on either end of the link plus I can ping
> end to end from P1 to P2 with byte sizes larger than 8000 bytes.
>
> Has anyone got any ideas as to why the MP-BGP sessions all of a sudden
> can no longer stay up and what further debug/troubleshooting I can do?
>
> Thanks.
>
> Andy
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are addressed.
> Please notify the sender immediately by email if you have received
> this email by mistake and delete this email from your system. Please
> note that any views or opinions presented in this email are solely
> those of the author and do not necessarily represent those of the organisation.
> Finally, the recipient should check this email and any attachments for
> the presence of viruses. The organisation accepts no liability for any
> damage caused by any virus transmitted by this email.
>

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

From mschedrin at gmail.com Mon Nov 16 08:59:43 2009
From: mschedrin at gmail.com (Mikhail Schedrin)
Date: Mon, 16 Nov 2009 16:59:43 +0300
Subject: [c-nsp] SCE 8000 troubles
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23FA@spsrvmail03.nec.br>
References: <73ec141e0911160218l25441436sa30055fa8d98d7f@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23FA@spsrvmail03.nec.br>
Message-ID: <73ec141e0911160559y4c06d41dp8d8219a0f4812e2b@mail.gmail.com>

More than 50K of subscribers and more than 8 Gbit/s.
Do you use SM server?

2009/11/16 Leonardo Gama Souza

> Which were the subscribers and unidirectional flows usage at the moment of
> the problem?
> I've never seen such errors.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikhail Schedrin
> Sent: Monday, 16 November 2009 08:18
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SCE 8000 troubles
>
> Hi all.
> My SCE8000 logs a lot of error messages: > > > 2009-11-01 00:56:15 | WARN | CPU #000 | System had started hardware > > congestion bypassed > > 2009-11-01 01:22:17 | WARN | CPU #000 | System had stopped hardware > > congestion bypassed > > 2009-11-01 01:22:23 | WARN | CPU #000 | System had started hardware > > congestion bypassed > > > > 2009-10-01 08:26:37 | WARN | CPU #000 | The SE status changed to Warning > > 2009-10-01 12:26:37 | WARN | CPU #000 | SE Control Module: A problem > > occurred. Please report to Cisco's customer support > > > 2009-09-29 03:06:25 | ERROR | CPU #000 | Application configuration file > > executed with 1363 errors. > > 2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error > > occurred. Please report to Cisco's customer support > > 2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error > > occurred. Please report to Cisco's customer support > > After these messages SCE can stop shaping, reboot, stop syncing > subscribers > etc. > I could not find any explanation in documentation about such errors. > Did anyone meet such problems? > > -- > ? ?????????, > ?????? ?????? > ????????? ?????? ??2 > SkyNet Telecom http://sknt.ru > ?????-????????? > ???. +7 812 600-75-35 ext. 554 > ???. +7 911 934-79-83 > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ? ?????????, ?????? ?????? ????????? ?????? ??2 SkyNet Telecom http://sknt.ru ?????-????????? ???. +7 812 600-75-35 ext. 554 ???. 
+7 911 934-79-83 From tim at selfnet.de Mon Nov 16 08:58:19 2009 From: tim at selfnet.de (Tim) Date: Mon, 16 Nov 2009 14:58:19 +0100 Subject: [c-nsp] c3560 IPv6 and ACL In-Reply-To: References: Message-ID: <20091116135819.GA32363@samstag.members.selfnet.de> Primoz, On Mon, Nov 16, 2009 at 11:56:17AM +0100, Primoz Jeroncic wrote: > test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25 > % Host address xxxx:xxxx:0:3::2 can not be supported > % ACE can not be added > % Failed to add access list > > If I try to do same thing on c12008, it works without problems. > > Any idea how to solve this problem? """ IPv6 ACL Limitations ... The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions: - IPv6 source and destination addresses?ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended universal identifier (EUI)-64 format. The switch supports only these host addresses with no loss of information: - aggregatable global unicast addresses - link local addresses """ http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swv6acl.html#wp4334642 Cheers, Tim -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature URL: From dudepron at gmail.com Mon Nov 16 11:09:50 2009 From: dudepron at gmail.com (Aaron) Date: Mon, 16 Nov 2009 11:09:50 -0500 Subject: [c-nsp] Can not establish MP-BGP sessions In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au> <56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au> Message-ID: <480dad640911160809u681057f5hb714468412ad0067@mail.gmail.com> What is the HW on both ends? Possible one has a bug that is causing headaches. 
On Mon, Nov 16, 2009 at 08:51, Andy Saykao <andy.saykao at staff.netspace.net.au> wrote:

> Hi Alex,
>
> 1/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - I can not ping from
> PE2 > PE1 BUT I can ping from PE1 > PE2. That's my real problem why
> MP-BGP won't come up because I don't seem to have two way comms between PE
> routers' BGP update-source lo99 address.
>
> POP1 [PE1 (lo99:172.16.99.13) --> P1 ] --switched ethernet--> POP2 [P2
> --> PE2 (lo99:172.16.99.4)]
>
> Eg: Ping PE1 > PE2 (OK!)
> PE1#ping 172.16.99.4
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.99.4, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
>
> Eg: Ping PE2 > PE1 (NOT OK!)
> PE2#ping 172.16.99.13
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.99.13, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> Ping PE2 > P1 (OK!)
> Ping P2 > P1 (OK!)
>
> *** Seems like I can't get any traffic/labels beyond P1 to get to PE1. ***
>
> Forwarding table entry for PE1(lo99) looks ok on P1.
>
> P1#sh mpls forwarding-table 172.16.99.13 32
> Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
> Label  Label or VC or Tunnel Id      Switched     interface
> 8668   Pop Label   172.16.99.13/32   158269119    Gi0/0.152  203.17.102.113
>
> 2/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - BGP does not come up.
>
> PE1#sh ip bgp vpnv4 all summary
> BGP router identifier 203.17.101.20, local AS number 4854
> BGP table version is 11983, main routing table version 11983
> 15 network entries using 2115 bytes of memory
> 15 path entries using 1020 bytes of memory
> 6/3 BGP path/bestpath attribute entries using 840 bytes of memory
> 2 BGP rrinfo entries using 48 bytes of memory
> 1 BGP AS-PATH entries using 24 bytes of memory
> 1 BGP community entries using 24 bytes of memory
> 2 BGP extended community entries using 48 bytes of memory
> 0 BGP route-map cache entries using 0 bytes of memory
> 0 BGP filter-list cache entries using 0 bytes of memory
> BGP using 4119 total bytes of memory
> BGP activity 1539/1500 prefixes, 6326/6263 paths, scan interval 15 secs
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 172.16.99.4     4  4854  147048  148587        0    0    0 06:48:13 Active
> 172.16.99.5     4  4854  147196  148642        0    0    0 06:48:08 Active
> 172.16.99.7     4  4854  147468  148593        0    0    0 06:48:16 Active
> 172.16.99.9     4  4854  146473  148502        0    0    0 06:48:01 Active
> 172.16.99.14    4  4854  147066  149123    11983    0    0 10:43:13 7
> 172.16.99.16    4  4854  146464  148574        0    0    0 06:47:52 Active
> 172.16.99.19    4  4854  149509  151673    11983    0    0 10:43:59 5
> 172.16.99.20    4  4854  149448  151672    11983    0    0 10:43:58 2
>
> If I disable "mpls ip" on either Gi4/0/1 and Gi0/2, BGP does come up but
> of course I have no mpls vpn traffic because those links are no longer
> mpls enabled.
>
> Note that all Active BGP peers are PE devices which sit on the POP2
> side. So all BGP peers on POP1 can establish BGP sessions with each
> other but not to BGP peers at POP2. Likewise PE's at POP2 can establish
> BGP sessions with each other and not with PE's located at POP1.
>
> The forwarding table from PE2 > P2 > P1 looks ok - so not sure why you
> can't ping PE2 > PE1.
>
> PE2#sh mpls forwarding-table 172.16.99.13 32
> Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
> Label  Label or VC or Tunnel Id      Switched     interface
> 617    3034        172.16.99.13/32   0            Gi0/0.11   203.10.110.211
>
> P2#sh mpls forwarding-table 172.16.99.13 32
> Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
> Label  Label or VC or Tunnel Id      Switched     interface
> 3034   8668        172.16.99.13/32   1582342      Gi4/0/1    203.17.96.97
>
> P1#sh mpls forwarding-table 172.16.99.13 32
> Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
> Label  Label or VC or Tunnel Id      Switched     interface
> 8668   Pop Label   172.16.99.13/32   158253163    Gi0/0.152  203.17.102.113
>
> The fact that PE's at POP2 can not communicate with PE's at POP1 is why
> I think BGP isn't coming up between PE1 and PE2. I don't know why mpls
> traffic/labels are not being swapped and forwarded beyond P1 to reach
> PE1. MPLS config, ldp, mpls forwarding table and bindings all look ok to
> me - any ideas??? Like I said we haven't changed any config except
> moving from our existing circuit to a new protected switched ethernet
> circuit.
>
> Thanks.
>
> Andy
>
>
> -----Original Message-----
> From: Alex [mailto:ecralar at hotmail.com]
> Sent: Monday, 16 November 2009 5:52 PM
> To: Andy Saykao; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Can not establish MP-BGP sessions
>
> Hi Andy,
> Couple of questions:
> 1/ Can you ping between PE1 and PE2 _loopbacks_ across the circuit when
> "mpls ip" is ON on both Gi4/0/1 and Gi0/2?
> 2/ Can you establish BGP session between _interface_ addresses when
> "mpls ip" is ON on both Gi4/0/1 and Gi0/2?
> Rgds
> Alex
>
> --------------------------------------------------
> From: "Andy Saykao"
> Date: 16 November 2009 04:31
> To:
> Subject: [c-nsp] Can not establish MP-BGP sessions
>
> > Hi All,
> >
> > We migrated a link between two pops onto a Switched Ethernet circuit
> > and since then we can't pass MPLS VPN traffic between those two pops
> > from PE1 to PE2 because PE1 and PE2 can not establish a MP-BGP session.
> >
> > -------------------------
> > BGP log on PE1:
> > -------------------------
> > Nov 16 14:26:48.693 AEDT: %BGP-5-ADJCHANGE: neighbor 172.16.99.4 Down BGP Notification sent
> > Nov 16 14:26:48.693 AEDT: %BGP-3-NOTIFICATION: sent to neighbor 172.16.99.4 4/0 (hold time expired) 0 bytes
> >
> > -------------------------
> > Topology:
> > -------------------------
> > POP1 [PE1 (lo99:172.16.99.13) --- Switched Ethernet --> P1 ] --> POP2
> > [P2 --> PE2 (lo99:172.16.99.4)]
> >
> > -------------------------
> > P1:
> > -------------------------
> > interface GigabitEthernet4/0/1
> >  description Connection to P2
> >  bandwidth 150000
> >  ip address 203.17.96.x 255.255.255.252
> >  load-interval 30
> >  negotiation auto
> >  mpls ip
> >
> > -------------------------
> > P2:
> > -------------------------
> > interface GigabitEthernet0/2
> >  description Connection to P1
> >  bandwidth 150000
> >  ip address 203.17.96.x 255.255.255.252
> >  load-interval 30
> >  media-type gbic
> >  speed auto
> >  duplex auto
> >  negotiation auto
> >  mpls ip
> >
> > Interesting thing to note is that if I remove "mpls ip" from P1's
> > interface, the MP-BGP sessions are formed between PE1 and PE2 and stay
> > up. When I put "mpls ip" back on the interface, the MP-BGP session
> > times out with the error message in the BGP log above.
> >
> > The only thing that has changed is the introduction of the new
> > Switched Ethernet circuit. I was thinking that it might have something
> > to do with jumbo frames but our upstream providers tell me that they
> > have configured jumbo frames on either end of the link plus I can ping
> > end to end from P1 to P2 with byte sizes larger than 8000 bytes.
> >
> > Has anyone got any ideas as to why the MP-BGP sessions all of a sudden
> > can no longer stay up and what further debug/troubleshooting I can do?
> >
> > Thanks.
> >
> > Andy
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

From dudepron at gmail.com Mon Nov 16 11:11:39 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 16 Nov 2009 11:11:39 -0500
Subject: [c-nsp] routing with 2 upstreams issue
In-Reply-To: <7.0.1.0.2.20091116160625.0624b640@moov.mg>
References: <7.0.1.0.2.20091116160625.0624b640@moov.mg>
Message-ID: <480dad640911160811s59c568dat532b4e6a67cdc049@mail.gmail.com>

Only if the BW or quality of the 2 networks is an issue. Asymmetrical routing happens a lot in the internet.

On Mon, Nov 16, 2009 at 08:10, RAZAFINDRATSIFA Rivo Tahina wrote:

> Hi All,
>
> I'm connected to 2 upstreams, is there any performance issue if upload from
> 192.168.1.0/24 is via upstream 1 but download for this class is from
> upstream 2 ?
>
> BR

From dudepron at gmail.com Mon Nov 16 11:19:12 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 16 Nov 2009 11:19:12 -0500
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <58024F3C430E43B3AC381AEA154305D1@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br> <1175087E65814145B873862D6AB00596@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br> <58024F3C430E43B3AC381AEA154305D1@int.convex.pt>
Message-ID: <480dad640911160819h5023a937h610607ae7a02052f@mail.gmail.com>

It is normal to have a CSC in standby mode. If something goes wrong with the other CSC, it takes over.
Step 1 - Gather data before making any changes

term length 0 - so you don't have to hit enter
show log
show tech
show monitor event-trace fab
show monitor event-trace agent-ctrl
show monitor event-trace board_mgr
show monitor event-trace lci
execute-on all show controllers fia (x5 times or so)
show controllers errors fabric counters (x5 times or so)
show controllers errors (x5 times or so)
show controllers xbar (x5 times or so)
show controllers sca (x5 times or so)
show controllers clock
show controllers fab-clk

Step 2 - Determine if the issue is with a single or multiple slots, including the RP slots

Step 3 - Check location of the primary clock scheduler and if both CSC are active (from show controllers clock) and the number of SFC. If only 1 CSC, troubleshoot missing CSC first. Ensure that you will have 4 active fabric cards before OIRing a card since line cards may go out of service due to lack of fabric BW.

Step 4 - *CRC and LOS errors in control path from CSC to SFC cards*

From *show controllers xbar*, on 120XX chassis look at Interrupt status field, on 124XX and 128XX, look at Control LOS status and Control CRC error fields. If 0 then go to step 5.
Check to see which card is primary from *show controllers clock* and if both are present.
If incrementing and the error is on all fabric cards, then OIR primary CSC
If incrementing and the error is only on 1 fabric card, then OIR fabric
If *show controllers xbar* does not show more errors, then the issue was seating, otherwise RMA card

Step 5 - *CSC Clocking and Synchronization problems*

From *show controllers clock* and *show controllers errors* (CLKSTS field)
Check to see which card is primary from *show controllers clock*.
If all the cards are using primary clock (default is CSC_0), then go to step 6
Cards not using same clock must be in IOS RUN, RP ACTV or RP STBY, if not, go to step 6
If multiple cards not using primary, OIR primary CSC, if still, RMA primary CSC
If single card not using primary, OIR suspect card, if still, RMA suspect card

Step 6 - *ToFab FIA Halt*

If a syslog message or from *execute-on all show controllers fia* we observe errors
If the RP has failed over and we have line cards also halted, then suspect the chassis or backplane.
If only a line card is halted, the router tries to recover several times, if it cannot recover, the RP resets the line card and runs additional tests. If the line card fails, then RMA the line card

Step 7 - *CRC and LOS errors between fabric cards and line cards/RPs*

Errors are observed from *show controller error* (not useful on 120XX) and *show controller errors fabric counters*. The DAT_LOS (124XX and 128XX) and DAT_CRC (128XX only) identify the cards.
On a 120XX, the cause of errors from LC/RP to fabric can only be determined by removing 1 card at a time to see if the errors stop. Since the possibility is high that an in-use line card is the problem, start with the backbone facing cards first one at a time, then customer facing one at a time, then cards not in use one at a time.
If multiple cards show DAT_CRC and DAT_LOS errors, then the cause is most likely a fabric card determined from the bitmap. Reseat suspect card to see if errors continue. If so, RMA card.
Show controller errors fabric counters shows errors from the fabric. The bitmask will determine which one is suspect. Reset suspect card to see if errors continue. If so, RMA card.

From streiner at cluebyfour.org Mon Nov 16 11:46:15 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 16 Nov 2009 11:46:15 -0500 (EST)
Subject: [c-nsp] routing with 2 upstreams issue
In-Reply-To: <480dad640911160811s59c568dat532b4e6a67cdc049@mail.gmail.com>
References: <7.0.1.0.2.20091116160625.0624b640@moov.mg> <480dad640911160811s59c568dat532b4e6a67cdc049@mail.gmail.com>
Message-ID:

On Mon, 16 Nov 2009, Aaron wrote:

> Only if the BW or quality of the 2 networks is an issue. Asymmetrical
> routing happens a lot in the internet.

Asymmetric routing is pretty much an unavoidable fact of life once your packets leave your borders, but it is not 'bad'. It can make troubleshooting connectivity issues more involved, but those issues often need to be researched in both directions anyway.

jms

From Jeff.Wojciechowski at midlandpaper.com Mon Nov 16 11:45:51 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Mon, 16 Nov 2009 10:45:51 -0600
Subject: [c-nsp] 2801 WIC errors
Message-ID: <6B8401A83219DF499C34DEAEE9A5999220CFFDB026@XBOX.midlandpaper.com>

Hi All,

I have a 2801 running 12.4(22)T3 with WIC1-DSU-T1-V2 giving me some WIC related error logging messages:

wait_ft1_wic_mailbox failed

and

%SERVICE_MODULE-4-WICNOTREADY: Unit Serial0/2/0 not ready for next command,
-Traceback= 0x60D0DAE4 0x60458EEC 0x60458F9C 0x6045A20C 0x6045A5F4 0x6045AE8C 0x6044FDD8 0x60456620 0x60454774 0x604556EC 0x60D5E75C 0x60D3B9F8 0x60D3BB48 0x60D5E75C 0x60D84644 0x61B0D864

Best I can tell is that both log entries occur when I do a 'show service-module' which interestingly enough has incomplete information:

Module type is T1/fractional
    Hardware revision is 1.0, Software revision is 20090901,
    Image checksum is 0x44F2D8, Protocol revision is 0.1
Receiver has no alarms.
Framing is ESF, Line Code is B8ZS, Current clock source is line,
Fraction has 24 timeslots (64 Kbits/sec each), Net bandwidth is 1536 Kbits/sec.
Last module self-test (done at startup): results unretrievable
Last clearing of alarm counters 5d02h
    loss of signal        :    0,
    loss of frame         :    0,
    AIS alarm             :    0,
    Remote alarm          :    0,
    Module access errors  :    0,
Total Data (last 96 15 minute intervals):
Failed to read total data
Failed to read current interval data

I've got a ticket open with TAC and service isn't interrupted but am curious if the experts on the list think this is a bad WIC or something else?

Thanks in advance,

Jeff

From amsoares at netcabo.pt Mon Nov 16 12:01:05 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 16 Nov 2009 17:01:05 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <480dad640911160819h5023a937h610607ae7a02052f@mail.gmail.com>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br> <1175087E65814145B873862D6AB00596@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br> <58024F3C430E43B3AC381AEA154305D1@int.convex.pt> <480dad640911160819h5023a937h610607ae7a02052f@mail.gmail.com>
Message-ID:

Thank you very much for this detailed troubleshooting procedure.

There was a command that gave me something:

sh control errors fab count

SLOT 6 :
CellDrop (lane0..3)  765  765  765  765
        CRC   CRC   CRC   CRC   CRC   LOS   LOS   LOS   LOS   LOS
Counter XBAR0 XBAR1 XBAR2 XBAR3 XBAR4 XBAR0 XBAR1 XBAR2 XBAR3 XBAR4
Lane0   33601     0     0     0     0     0     0     0     0     0
Lane1   15058     0     0     0     0     0     0     0     0     0
Lane2    4509     0     0     0     0     0     0     0     0     0
Lane3    1619     0     0     0     0     0     0     0     0     0

So this once again points to something wrong with CSC0. I will replace it to see if the problem goes away.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

________________________________
From: Aaron [mailto:dudepron at gmail.com]
Sent: Monday, 16 November 2009 16:19
To: Antonio Soares
Cc: Leonardo Gama Souza; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FABRIC-3-ERR_HANDLE

It is normal to have a CSC in standby mode. If something goes wrong with the other CSC, it takes over.
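The reasoning applied in this thread to `show controllers errors fabric counters` (take several snapshots, find which crossbar column carries the CRC/LOS counts for a slot, and decide between a fabric card and a line card before pulling anything) is easy to get wrong by eye on a box with many slots. The following Python is an added example written for this page; it is not code from the thread, from Aaron's procedure or from Cisco. The two snapshots are constructed from the slot 6 numbers Antonio posted plus a clean slot, and the mapping of XBAR0/XBAR1 to the two CSCs and XBAR2-4 to the SFCs is an assumption to confirm against `show controllers clock` on the actual chassis.

```python
"""Point at the suspect card from GSR 'show controllers errors fabric counters'.

Added example for this thread, not Cisco or list-member code. The counter
layout follows the output posted for slot 6; the XBAR-to-card mapping is an
assumption to be confirmed against 'show controllers clock'.
"""
import re

# Assumed mapping: the two clock scheduler cards drive XBAR0/XBAR1, the three
# switch fabric cards XBAR2..XBAR4 (so XBAR0 errors point at CSC0, as in the thread).
XBAR_TO_CARD = {0: "CSC0", 1: "CSC1", 2: "SFC0", 3: "SFC1", 4: "SFC2"}

# Constructed snapshot in the posted layout: slot 6 carries the posted CRC counts
# in the XBAR0 column, slot 2 is a clean slot added for contrast.
SNAPSHOT_1 = """\
SLOT 6 :
CellDrop (lane0..3)  765  765  765  765
        CRC   CRC   CRC   CRC   CRC   LOS   LOS   LOS   LOS   LOS
Counter XBAR0 XBAR1 XBAR2 XBAR3 XBAR4 XBAR0 XBAR1 XBAR2 XBAR3 XBAR4
Lane0   33601     0     0     0     0     0     0     0     0     0
Lane1   15058     0     0     0     0     0     0     0     0     0
Lane2    4509     0     0     0     0     0     0     0     0     0
Lane3    1619     0     0     0     0     0     0     0     0     0
SLOT 2 :
CellDrop (lane0..3)    0    0    0    0
        CRC   CRC   CRC   CRC   CRC   LOS   LOS   LOS   LOS   LOS
Counter XBAR0 XBAR1 XBAR2 XBAR3 XBAR4 XBAR0 XBAR1 XBAR2 XBAR3 XBAR4
Lane0       0     0     0     0     0     0     0     0     0     0
Lane1       0     0     0     0     0     0     0     0     0     0
Lane2       0     0     0     0     0     0     0     0     0     0
Lane3       0     0     0     0     0     0     0     0     0     0
"""
# Constructed second snapshot taken a little later: slot 6 lane 0 grew by 99.
SNAPSHOT_2 = SNAPSHOT_1.replace("Lane0   33601", "Lane0   33700")

SLOT_RE = re.compile(r"^SLOT\s+(\d+)")
LANE_RE = re.compile(r"^Lane(\d+)\s+((?:\d+\s*){10})$")


def parse_fabric_counters(text):
    """Return {slot: {lane: {'crc': [xbar0..4], 'los': [xbar0..4]}}}."""
    counters, slot = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            counters[slot] = {}
            continue
        m = LANE_RE.match(line)
        if m and slot is not None:
            vals = [int(v) for v in m.group(2).split()]
            counters[slot][int(m.group(1))] = {"crc": vals[:5], "los": vals[5:]}
    return counters


def errors_by_slot_xbar(counters):
    """Sum CRC+LOS over the four lanes; keep only the non-zero (slot, xbar) cells."""
    errs = {}
    for slot, lanes in counters.items():
        for lane in lanes.values():
            for xbar in range(5):
                n = lane["crc"][xbar] + lane["los"][xbar]
                if n:
                    errs[(slot, xbar)] = errs.get((slot, xbar), 0) + n
    return errs


def deltas(prev, curr):
    """Growth per (slot, xbar) between two snapshots; a static count is history."""
    p, c = errors_by_slot_xbar(prev), errors_by_slot_xbar(curr)
    return {k: v - p.get(k, 0) for k, v in c.items() if v - p.get(k, 0) > 0}


def diagnose(curr, prev=None):
    """One bad crossbar column across lanes/slots points at that fabric card;
    one bad slot across several crossbars points at that line card."""
    errs = errors_by_slot_xbar(curr)
    if not errs:
        return "clean"
    if prev is not None and not deltas(prev, curr):
        return "stale: counters not incrementing, clear and re-check before any OIR"
    slots = sorted({s for s, _ in errs})
    xbars = sorted({x for _, x in errs})
    if len(xbars) == 1:
        return "suspect fabric card %s (XBAR%d), errors seen from slot(s) %s" % (
            XBAR_TO_CARD[xbars[0]], xbars[0], slots)
    if len(slots) == 1:
        return "suspect line card in slot %d, errors span XBAR %s" % (slots[0], xbars)
    return "inconclusive: errors on several slots and several crossbars"


if __name__ == "__main__":
    first = parse_fabric_counters(SNAPSHOT_1)
    second = parse_fabric_counters(SNAPSHOT_2)
    print(deltas(first, second))
    print(diagnose(second, prev=first))
```

Feed it the text of two captures a few seconds apart (step 1 of the procedure asks for about five) rather than a single one: a counter that is large but no longer moving is a record of an old event, and reseating or replacing a card on its strength alone is the wrong call.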
From pc.chiodi at gmail.com Mon Nov 16 12:06:50 2009
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Mon, 16 Nov 2009 09:06:50 -0800 (PST)
Subject: [c-nsp] routing with 2 upstreams issue
In-Reply-To: <7.0.1.0.2.20091116160625.0624b640@moov.mg>
References: <7.0.1.0.2.20091116160625.0624b640@moov.mg>
Message-ID: <8d284266-1b46-4ac6-a50b-1966e21b454d@s15g2000yqs.googlegroups.com>

Hi,

On Nov 16, 2:10 pm, RAZAFINDRATSIFA Rivo Tahina wrote:
> Hi All,
>
> I'm connected to 2 upstreams, is there any performance issue if
> upload from 192.168.1.0/24 is via upstream 1 but download for this
> class is from upstream 2 ?

I would be worried more about security issues than performance issues. If you have stateful firewalls or other stateful tools they may lose track about flows entering and exiting your network.

For example, you can find an overview about this topic here:
http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=5

bye

--
http://piercarlochiodi.tel

From sethm at rollernet.us Mon Nov 16 12:18:44 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 16 Nov 2009 09:18:44 -0800
Subject: [c-nsp] c3560 IPv6 and ACL
In-Reply-To:
References:
Message-ID: <4B018974.5080007@rollernet.us>

Primoz Jeroncic wrote:
> On Mon, 16 Nov 2009, Olof Kasselstrand wrote:
>
>> Hi,
>>
>> What happens if you drop the "host" keyword and add /128 to the host
>> address?
>
> Hi Olof
>
> Same thing. It doesn't matter if I add this as "host xxxxx" or as xxxx/128.
>

Not supported. Never will be. Here's why:

http://mailman.nanog.org/pipermail/nanog/2009-October/014101.html

Use EUI-64 or "fake" EUI-64 addressing on this platform.

~Seth

From jonas at bjorklund.cn Mon Nov 16 13:20:09 2009
From: jonas at bjorklund.cn (Jonas)
Date: Mon, 16 Nov 2009 19:20:09 +0100 (CET)
Subject: [c-nsp] SUP2 boot problem
Message-ID:

Hello,

I'm trying to upgrade an old SUP2.
I can boot 12.1.27 from bootflash: without problem.
When I do reload from IOS with 12.2.18 and boot from disk0: it will give the error below and stay in rommon. disk0: is a 64MB flash disk.

System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 262144 Kbytes of main memory

Autoboot executing command: "boot disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Command error complete on disk0:
open: read error...requested 0x4 bytes, got 0xffffffff
trouble reading device magic number
loadprog: error - on file open
boot: cannot load "disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Exit at the end of BOOT string
rommon 1 >

When I do "reset" from rommon the SUP2 boots OK from the flash disk with 12.2.18. But not with reload inside IOS again. Any idea what can cause this?

/Jonas

From jared at puck.nether.net Mon Nov 16 13:31:29 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 16 Nov 2009 13:31:29 -0500
Subject: [c-nsp] SUP2 boot problem
In-Reply-To:
References:
Message-ID: <3EC97F92-E5BF-4B68-B50E-4CBA8F88186B@puck.nether.net>

Is that the latest rommon for sup2?

You may also want to make sure your MSFC2 has the latest rommon as well, (assuming you have a MSFC2 in your sup2, which it would appear is the case). c6msfc2-rm2.srec.122-17r.S5 is that image.

You also want to check the monlib on the ata disk.

- Jared

On Nov 16, 2009, at 1:20 PM, Jonas wrote:

From drew.weaver at thenap.com Mon Nov 16 13:36:10 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 16 Nov 2009 13:36:10 -0500
Subject: [c-nsp] Engine 5 link bonding support.
Message-ID:

Hi,

I have a 12810 /w 12.0(32)SY10 and I am unable to add gigabit ethernet interfaces from my SPA-10X1GE-V2 to a port channel.

I guess I just assumed incorrectly that since it was a newer image it should work.

Which image should I use that has all of the same features as 12.0(32)SY10 but will allow link bonding with E5 interfaces?

On the feature navigator it says that 12.0(32)SY10 supports link bonding.

thanks,
-Drew

From cchurc05 at harris.com Mon Nov 16 13:44:25 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 16 Nov 2009 13:44:25 -0500
Subject: [c-nsp] SUP2 boot problem
In-Reply-To:
References:
Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B5E2CD1@MLBMXUS2.cs.myharris.net>

I think you'll get that kind of behavior if the flash card was formatted under CatOS. Get it booted into native IOS 12.2, then format the card under IOS, and re-copy the image to it.
If it's formatted correctly, you should see some monlib info listed mentioning version it was formatted under, etc.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jonas
Sent: Monday, November 16, 2009 1:20 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SUP2 boot problem

From cchurc05 at harris.com Mon Nov 16 13:48:00 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 16 Nov 2009 13:48:00 -0500
Subject: [c-nsp] SUP2 boot problem
References:
Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B5E2CDA@MLBMXUS2.cs.myharris.net>

Forgot to mention, 'sh flash all' will show you the monlib stuff.

Chuck

-----Original Message-----
From: Church, Charles
Sent: Monday, November 16, 2009 1:44 PM
To: 'Jonas'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] SUP2 boot problem

From gtb at slac.stanford.edu Mon Nov 16 13:57:49 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Mon, 16 Nov 2009 10:57:49 -0800
Subject: [c-nsp] SUP2 boot problem
In-Reply-To:
References:
Message-ID: <6F51B50ECF32084788B9B3A8469A71B52916559D5E@EXCHCLUSTER1-02.win.slac.stanford.edu>

> Autoboot executing command: "boot
> disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
> Command error complete on disk0:
> open: read error...requested 0x4 bytes, got 0xffffffff
> trouble reading device magic number
> loadprog: error - on file open
> boot: cannot load "disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
> Exit at the end of BOOT string

You should check to be sure that the monlib is correct, but my recollection is that the "trouble reading device magic number" error is often the result of a particular PCMCIA flash disk having "different" timings than Cisco supports in the bootstrap program. I also recall that even some Cisco branded cards were field notice recalled for the same problem. The "challenge" is that not all SUP2's will exhibit the same problem with the same cards, and even those that fail booting will almost always work when you boot to IOS (which, presumably, uses different timings for accessing the flash disks.)

So, you might try swapping in another PCMCIA card to see if that works for you. You may need to try a few different vendors. The ones that I have found that tend to work are 64MB SANDISK and 48MB VIKING cards, but I am sure there are other variants; those are just the ones that worked for me (and that is where I stopped experimenting).
Gary From eninja at gmail.com Mon Nov 16 14:07:18 2009 From: eninja at gmail.com (e ninja) Date: Mon, 16 Nov 2009 11:07:18 -0800 Subject: [c-nsp] FABRIC-3-ERR_HANDLE In-Reply-To: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> Message-ID: Antonio, You should *never* troubleshoot fabric errors with *any* exec-on commands. They run over the fabric that may or may not be compromised. 1. Are any other LCs apart from slot 6 reporting CRC errors? 2. grab two "sh contr fia" from the RP and an attach to all the LCs and send over. Eninja On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares wrote: > Hello group, > > I have a 12k reporting this: > > %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6 > > In one week, i have 4 of these messages. > > Slot 6 is a SIP-601 containing 2 x SPA-10G. > > What could be the problem ? > > The "show controllers fia" do not show any problem. > > The "execute-on slot 6 show controllers fia" show this: > > Switch cards present: 0x1F > Switch cards monitored: 0x1F > 0 1 2 3 4 > -------- -------- -------- -------- -------- > los 0 0 0 0 0 > state Off Off Off Off Off > crc16 53989 0 0 0 0 > xor error0 0 0 0 > cell drops1020 1020 1020 1020 > > > IOS=c12kprp-p-mz.120-32.SY6.bin > > > Thanks. > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From swmike at swm.pp.se Mon Nov 16 14:19:44 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Mon, 16 Nov 2009 20:19:44 +0100 (CET) Subject: [c-nsp] Engine 5 link bonding support. In-Reply-To: References: Message-ID: On Mon, 16 Nov 2009, Drew Weaver wrote: > On the feature navigator it says that 12.0(32)SY10 supports link > bonding. It does on all non-E5 linecards, just not E5. 
For E5, you have to go to 33S.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From petelists at templin.org  Mon Nov 16 13:55:16 2009
From: petelists at templin.org (Pete Templin)
Date: Mon, 16 Nov 2009 12:55:16 -0600
Subject: [c-nsp] SUP2 boot problem
Message-ID: <4B01A014.5050802@templin.org>

Jonas wrote:
> Hello,
>
> I'm trying to upgrade an old SUP2.
> I can boot 12.1.27 from bootflash: without problem.
> When I do reload from IOS with 12.2.18 and boot from disk0: it will give
> the error below and stay in rommon. disk0: is a 64MB flash disk.

Is your 12.1.27 image a hybrid image or native image? You probably need to boot into some sort of native image, then format disk0: and TFTP your IOS image onto the disk0:. It needs to be formatted from within IOS (and presumably native IOS) to be readable at boot time, AFAIK.

Pete (who just did some native conversions last week)

From oboehmer at cisco.com  Mon Nov 16 14:50:53 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 16 Nov 2009 20:50:53 +0100
Subject: [c-nsp] Engine 5 link bonding support.
Message-ID: <6E4D2678AC543844917CA081C9D6B33FAE03E7@XMB-AMS-103.cisco.com>

> I have a 12810 /w 12.0(32)SY10 and I am unable to add gigabit ethernet
> interfaces from my SPA-10X1GE-V2 to a port channel.
>
> I guess I just assumed incorrectly that since it was a newer image it should
> work.
>
> Which image should I use that has all of the same features as 12.0(32)SY10
> but will allow link bonding with E5 interfaces?

you need 12.0(33)S or later, which introduced link bundling on Engine 5 interfaces. Please check the feature documentation at http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lnkbndl.html for reference and restrictions/caveats..
oli

From clane1875 at gmail.com  Mon Nov 16 16:14:33 2009
From: clane1875 at gmail.com (Chris Lane)
Date: Mon, 16 Nov 2009 16:14:33 -0500
Subject: [c-nsp] 3750 High cpu
Message-ID: <2e1cd850911161314m73648331n2dec465ae3bbe36a@mail.gmail.com>

Not sure what Adjust regions is. After a google search nothing turns up. here is my cpu output:

sh proc cpu sorted | e 0.00
CPU utilization for five seconds: 72%/49%; one minute: 69%; five minutes: 69%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  56  1458890966   8848611     164876  7.50%  4.92%  4.59%   0 Adjust Regions

Following another thread suggested looking at mac address table:

sh mac-address-table count | i Space
Total Mac Address Space Available: 4968

--

sh platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                         Masks/Values    Masks/values
 Unicast mac addresses:                     784/6272        81/582
 IPv4 IGMP groups + multicast routes:       144/1152         6/26
 IPv4 unicast directly-connected routes:    784/6272        81/582
 IPv4 unicast indirectly-connected routes:  272/2176       146/1072
 IPv4 policy based routing aces:              0/0            0/0
 IPv4 qos aces:                             528/528         18/18
 IPv4 security aces:                       1024/1024        57/57

Note: Allocation of TCAM entries per feature uses a complex algorithm. The above information is meant to provide an abstract view of the current TCAM utilization

Any help would be appreciated

Chris //CL

From mulitskiy at acedsl.com  Mon Nov 16 16:43:59 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Mon, 16 Nov 2009 16:43:59 -0500
Subject: [c-nsp] c6500: traffic routed to Null0 is seen in SPAN as CPU traffic
Message-ID: <200911161644.00031.mulitskiy@acedsl.com>

Hello,

I have the following hardware/software: 6509, SUP32, 12.2(33)SXH4.

Here's the story. I was doing CPU traffic profiling for CoPP.
I've created CoPP with class-default basically measuring traffic, but not limiting it:

policy-map CPP-IN
 class class-default
  police 256000 conform-action transmit exceed-action transmit

To my surprise I saw about 20M of traffic in CoPP class-default, most in hardware counters:

CORE1#sh policy-map control-plane input class class-default
 Control Plane Interface
  Service-policy input: CPP-IN
  Hardware Counters:
    class-map: class-default (match-any)
      Match: any
      police :
        256000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        106459028196 bytes
        5 minute offered rate 17580264 bps
        aggregate-forwarded 106459028196 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 16774272 bps exceed 0 bps
  Software Counters:
    Class-map: class-default (match-any)
      3242699 packets, 201814640 bytes
      5 minute offered rate 10000 bps, drop rate 0 bps
      Match: any
        3242700 packets, 201814640 bytes
        5 minute rate 10000 bps
      police:
          cir 256000 bps, bc 8000 bytes
        conformed 3243173 packets, 201843118 bytes; actions:
          transmit
        exceeded 19 packets, 1140 bytes; actions:
          transmit
        conformed 9000 bps, exceed 0 bps

Then I've enabled local SPAN session with RP CPU as a source. Here's the config:

interface Null0
 no ip unreachables
!
monitor session 1 type local
 source cpu rp tx
 destination interface Fa3/7 ingress learning
!
ip route 10.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0

Again to my surprise when I'm running tcpdump on the machine attached to Fa3/7 I see traffic to those null-routed subnets. I always thought that null-routed traffic on a hardware platform shouldn't hit CPU.

There's no CPU problem on this box. The box is forwarding about 200M of traffic with CPU normally staying at 5%. So I wonder if this is just cosmetic as I think I would definitely see more CPU usage on SUP32 if it really handled about 20M of traffic in software.

Has anybody seen it?
Any ideas?

Thanks,
Michael

From andy.saykao at staff.netspace.net.au  Mon Nov 16 17:48:04 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 17 Nov 2009 09:48:04 +1100
Subject: [c-nsp] Can not establish MP-BGP sessions
References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au> <56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au> <480dad640911160809u681057f5hb714468412ad0067@mail.gmail.com>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF22@vic-cr-ex1.staff.netspace.net.au>

P1=7301 and the other end P2=7606. The PE's are 7301 running 12.2(31)SB13

Odd thing is that it was all working prior to switching across this our new switched ethernet circuit.

________________________________

From: Aaron [mailto:dudepron at gmail.com]
Sent: Tuesday, 17 November 2009 3:10 AM
To: Andy Saykao
Cc: Alex; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Can not establish MP-BGP sessions

What is the HW on both ends? Possible one has a bug that is causing headaches.

On Mon, Nov 16, 2009 at 08:51, Andy Saykao wrote:

Hi Alex,

1/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - I can not ping from PE2 > PE1 BUT I can ping from PE1 > PE2. That's my real problem why MP-BGP won't come up bc I don't seem to have two way comms bt PE routers' BGP update-source lo99 address.

POP1 [PE1 (lo99:172.16.99.13) --> P1 ] --switched ethernet--> POP2 [P2 --> PE2 (lo99:172.16.99.4)]

Eg: Ping PE1 > PE2 (OK!)

PE1#ping 172.16.99.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

Eg: Ping PE2 > PE1 (NOT OK!)

PE2#ping 172.16.99.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Ping PE2 > P1 (OK!)
Ping P2 > P1 (OK!)
*** Seems like I can't get any traffic/labels beyond P1 to get to PE1.***

Forwarding table entry for PE1(lo99) looks ok on P1.

P1#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
8668   Pop Label   172.16.99.13/32   158269119     Gi0/0.152  203.17.102.113

2/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - BGP does not come up.

PE1#sh ip bgp vpnv4 all summary
BGP router identifier 203.17.101.20, local AS number 4854
BGP table version is 11983, main routing table version 11983
15 network entries using 2115 bytes of memory
15 path entries using 1020 bytes of memory
6/3 BGP path/bestpath attribute entries using 840 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP community entries using 24 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4119 total bytes of memory
BGP activity 1539/1500 prefixes, 6326/6263 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.99.4     4  4854  147048  148587        0    0    0 06:48:13 Active
172.16.99.5     4  4854  147196  148642        0    0    0 06:48:08 Active
172.16.99.7     4  4854  147468  148593        0    0    0 06:48:16 Active
172.16.99.9     4  4854  146473  148502        0    0    0 06:48:01 Active
172.16.99.14    4  4854  147066  149123    11983    0    0 10:43:13        7
172.16.99.16    4  4854  146464  148574        0    0    0 06:47:52 Active
172.16.99.19    4  4854  149509  151673    11983    0    0 10:43:59        5
172.16.99.20    4  4854  149448  151672    11983    0    0 10:43:58        2

If I disable "mpls ip" on either Gi4/0/1 and Gi0/2, BGP does come up but of course I have no mpls vpn traffic because those links are no longer mpls enabled.

Note that all Active BGP peers are PE devices which sit on the POP2 side. So all BGP peers on POP1 can establish BGP sessions with each other but not to BGP peers at POP2.
Likewise PE's at POP2 can establish BGP sessions with each other and not with PE's located at POP1.

The forwarding table from PE2 > P2 > P1 looks ok - so not sure why you can't ping PE2 > PE1.

PE2#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
617    3034        172.16.99.13/32   0             Gi0/0.11   203.10.110.211

P2#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
3034   8668        172.16.99.13/32   1582342       Gi4/0/1    203.17.96.97

P1#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
8668   Pop Label   172.16.99.13/32   158253163     Gi0/0.152  203.17.102.113

The fact that PE's at POP2 can not communicate with PE's at POP1 is why I think BGP isn't coming up between PE1 and PE2. I don't know why mpls traffic/labels are not being swapped and forwarded beyond P1 to reach PE1. MPLS config, ldp, mpls forwarding table and bindings all look ok to me - any ideas???

Like I said we haven't changed any config except moving from our existing circuit to a new protected switched ethernet circuit.

Thanks.

Andy

-----Original Message-----
From: Alex [mailto:ecralar at hotmail.com]
Sent: Monday, 16 November 2009 5:52 PM
To: Andy Saykao; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Can not establish MP-BGP sessions

Hi Andy,

Couple of questions:

1/ Can you ping between PE1 and PE2 _loopbacks_ across the circuit when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?

2/ Can you establish BGP session between _interface_ addresses when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?
Rgds
Alex

--------------------------------------------------
From: "Andy Saykao"
Date: 16 November 2009 04:31
Subject: [c-nsp] Can not establish MP-BGP sessions

> Hi All,
>
> We migrated a link between two pops onto a Switched Ethernet circuit
> and since then we can't pass MPLS VPN traffic between those two pops
> from PE1 to PE2 because PE1 and PE2 can not establish a MP-BGP session.
>
> -------------------------
> BGP log on PE1:
> -------------------------
> Nov 16 14:26:48.693 AEDT: %BGP-5-ADJCHANGE: neighbor 172.16.99.4 Down BGP Notification sent
> Nov 16 14:26:48.693 AEDT: %BGP-3-NOTIFICATION: sent to neighbor 172.16.99.4 4/0 (hold time expired) 0 bytes
>
> -------------------------
> Topology:
> -------------------------
> POP1 [PE1 (lo99:172.16.99.13) --- Switched Ethernet --> P1 ] --> POP2
> [P2 --> PE2 (lo99:172.16.99.4)]
>
> -------------------------
> P1:
> -------------------------
> interface GigabitEthernet4/0/1
>  description Connection to P2
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  negotiation auto
>  mpls ip
>
> -------------------------
> P2:
> -------------------------
> interface GigabitEthernet0/2
>  description Connection to P1
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  media-type gbic
>  speed auto
>  duplex auto
>  negotiation auto
>  mpls ip
>
> Interesting thing to note is that if I remove "mpls ip" from P1's
> interface, the MP-BGP sessions are formed between PE1 and PE2 and stay
> up. When I put "mpls ip" back on the interface, the MP-BGP session
> times out with the error message in the BGP log above.
>
> The only thing that has changed is the introduction of the new
> Switched Ethernet circuit. I was thinking that it might have something
> to do with jumbo frames but our UpStream Providers tells me that they
> have configured jumbo frames on either end of the link plus I can ping
> end from P1 to P2 with byte sizes larger than 8000 bytes.
>
> Has anyone got any ideas as to why the MP-BGP sessions all of a sudden
> can no longer stay up and what further debug/troubleshooting I can do?
>
> Thanks.
>
> Andy
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are addressed.
> Please notify the sender immediately by email if you have received
> this email by mistake and delete this email from your system. Please
> note that any views or opinions presented in this email are solely
> those of the author and do not necessarily represent those of the organisation.
> Finally, the recipient should check this email and any attachments for
> the presence of viruses. The organisation accepts no liability for any
> damage caused by any virus transmitted by this email.
From jared at puck.nether.net  Mon Nov 16 18:11:09 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 16 Nov 2009 18:11:09 -0500
Subject: [c-nsp] how not to write a release note
Message-ID: <20091116231109.GA74400@puck.nether.net>

Seems cisco is getting lazy.. SXI3 is out and this has to be one of the worst release notes ever:

CSCta14457 - A Cisco device may report alignment errors
"%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.

Does not say anything about what may trigger it, eg: mtu, packet fragmentation, etc..

- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From ras at e-gerbil.net  Mon Nov 16 18:34:02 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 16 Nov 2009 17:34:02 -0600
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116231109.GA74400@puck.nether.net>
References: <20091116231109.GA74400@puck.nether.net>
Message-ID: <20091116233402.GY51443@gerbil.cluepon.net>

On Mon, Nov 16, 2009 at 06:11:09PM -0500, Jared Mauch wrote:
>
> Seems cisco is getting lazy.. SXI3 is out and this has to be
> one of the worst release notes ever:
>
> CSCta14457 - A Cisco device may report alignment errors
> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.
>
> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..

Still not as funny as this one:

CSCso05336

Symptoms: A Cisco 1811 router reloads when trying to connect to irc.freenode.net during the first 36 hours following a reload.

Conditions: The symptom is observed only in the first 36 hours following a reload.

Workaround: Do not connect to irc.freenode.net the first 36 hours following a reload.
We really need a wall of shame website where people can submit the true gems. :)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From reuben-cisco-nsp at reub.net  Mon Nov 16 18:27:27 2009
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Tue, 17 Nov 2009 10:27:27 +1100
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116231109.GA74400@puck.nether.net>
References: <20091116231109.GA74400@puck.nether.net>
Message-ID: <4B01DFDF.2070504@reub.net>

Well there's always this one, for a laugh:

CSCso05336

Symptoms: A Cisco 1811 router reloads when trying to connect to irc.freenode.net during the first 36 hours following a reload.

Conditions: The symptom is observed only in the first 36 hours following a reload.

Workaround: Do not connect to irc.freenode.net the first 36 hours following a reload.

I thought that was a joke, but it's not..

Reuben

On 17/11/2009 10:11 AM, Jared Mauch wrote:
> Seems cisco is getting lazy.. SXI3 is out and this has to be
> one of the worst release notes ever:
>
> CSCta14457 - A Cisco device may report alignment errors
> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.
>
> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..
>
> - Jared

From Michael.Balasko at cityofhenderson.com  Mon Nov 16 19:49:08 2009
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Mon, 16 Nov 2009 16:49:08 -0800
Subject: [c-nsp] OT: RE: how not to write a release note
In-Reply-To: <20091116233402.GY51443@gerbil.cluepon.net>
References: <20091116231109.GA74400@puck.nether.net> <20091116233402.GY51443@gerbil.cluepon.net>
Message-ID: <9AF22D15085E7D409ED5710CBC779E930A31BA@COHNTCS09.ci.henderson.nv.us>

Create a node on everything2.com like this one....
http://www.everything2.com/title/support.microsoft.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richard A Steenbergen
Sent: Monday, November 16, 2009 3:34 PM
To: Jared Mauch
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] how not to write a release note

On Mon, Nov 16, 2009 at 06:11:09PM -0500, Jared Mauch wrote:
>
> Seems cisco is getting lazy.. SXI3 is out and this has to be
> one of the worst release notes ever:
>
> CSCta14457 - A Cisco device may report alignment errors
> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.
>
> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..

Still not as funny as this one:

CSCso05336

Symptoms: A Cisco 1811 router reloads when trying to connect to irc.freenode.net during the first 36 hours following a reload.

Conditions: The symptom is observed only in the first 36 hours following a reload.

Workaround: Do not connect to irc.freenode.net the first 36 hours following a reload.

We really need a wall of shame website where people can submit the true gems.
:)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From newton at atdot.dotat.org  Mon Nov 16 20:52:39 2009
From: newton at atdot.dotat.org (Mark Newton)
Date: Tue, 17 Nov 2009 12:22:39 +1030
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116233402.GY51443@gerbil.cluepon.net>
References: <20091116231109.GA74400@puck.nether.net> <20091116233402.GY51443@gerbil.cluepon.net>
Message-ID: <261B798C-EE02-4E02-878A-847AD3D2612B@atdot.dotat.org>

On 17/11/2009, at 10:04 AM, Richard A Steenbergen wrote:

> On Mon, Nov 16, 2009 at 06:11:09PM -0500, Jared Mauch wrote:
>> CSCta14457 - A Cisco device may report alignment errors
>> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.
>>
>> Does not say anything about what may trigger it, eg: mtu,
>> packet fragmentation, etc..
>
> Still not as funny as this one:
>
> CSCso05336

My favourite is this, from the (disastrous) 7401ASR platform:

CSCdy18641

Symptoms
A router may reload unexpectedly when a Layer 2 Tunneling Protocol (L2TP) connection is established.

Conditions
This symptom is observed on a Cisco 7401ASR router that is used as a Layer 2 Tunneling Protocol (L2TP) network server (LNS).

Workaround
There is no workaround.

This one was particularly notable because when Cisco originally started pimping the 7401 they said that one of the specific roles it had been designed for was "Broadband aggregation" with "Intelligent L2TP tunneling support."

http://www.cisco.com/en/US/products/hw/routers/ps354/products_quick_reference_guide09186a0080091fd1.html

I don't think they were ever actually useful for any role at all.
The only way I ever managed to get them to work reliably was to turn off PXF, which totally killed their performance.

Worst platform ever.

  - mark

--------------------------------------------------------------------
I tried an internal modem,                newton at atdot.dotat.org
but it hurt when I walked.                        Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From andy.saykao at staff.netspace.net.au  Tue Nov 17 00:21:15 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 17 Nov 2009 16:21:15 +1100
Subject: [c-nsp] Can not establish MP-BGP sessions
References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au> <56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au> <480dad640911160809u681057f5hb714468412ad0067@mail.gmail.com>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF34@vic-cr-ex1.staff.netspace.net.au>

This has been resolved. Thanks for everyone's help.

Turns out it was something within our Provider's network which does the backhaul for us that had some mac-access group configured on their switch and was blocking the PE's loopbacks from communicating with each other.
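The diagnostic step that pointed at the loopback-to-loopback path in this thread was the "sh ip bgp vpnv4 all summary" table, where every peer on the far PoP sat in Active. The following is an added example, not code from the thread or from Cisco: a small Python parser for that summary table that pulls out the neighbors whose State/PfxRcd column is a word (Active, Idle, Connect, ...) instead of a prefix count, so a script can flag non-Established MP-BGP sessions before anyone reads the table by eye. The sample input is the neighbor table Andy posted earlier in the thread, reproduced here as a constant; the function and field names are my own.

```python
import re

# Sample input: the neighbor rows from the 'sh ip bgp vpnv4 all summary'
# output quoted earlier in this thread (header line included on purpose,
# so the parser has to skip it like it would on a real capture).
SAMPLE_SUMMARY = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.99.4     4  4854  147048  148587        0    0    0 06:48:13 Active
172.16.99.5     4  4854  147196  148642        0    0    0 06:48:08 Active
172.16.99.7     4  4854  147468  148593        0    0    0 06:48:16 Active
172.16.99.9     4  4854  146473  148502        0    0    0 06:48:01 Active
172.16.99.14    4  4854  147066  149123    11983    0    0 10:43:13        7
172.16.99.16    4  4854  146464  148574        0    0    0 06:47:52 Active
172.16.99.19    4  4854  149509  151673    11983    0    0 10:43:59        5
172.16.99.20    4  4854  149448  151672    11983    0    0 10:43:58        2
"""

# One neighbor row: IPv4 peer, BGP version, AS, counters, Up/Down, then the
# State/PfxRcd column, which is either a number (Established, N prefixes
# received) or a state word such as "Active" or "Idle (Admin)".
ROW = re.compile(
    r"^(?P<neighbor>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+"
    r"(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_summary(text):
    """Return one dict per neighbor row; header and memory lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        established = d["state"].isdigit()
        peers.append({
            "neighbor": d["neighbor"],
            "asn": int(d["asn"]),
            "tblver": int(d["tblver"]),
            "updown": d["updown"],
            "established": established,
            "prefixes": int(d["state"]) if established else None,
            "state": "Established" if established else d["state"],
        })
    return peers


def down_peers(text):
    """(neighbor, state, up/down time) for every session that is not Established."""
    return [(p["neighbor"], p["state"], p["updown"])
            for p in parse_summary(text) if not p["established"]]


if __name__ == "__main__":
    for neighbor, state, since in down_peers(SAMPLE_SUMMARY):
        print(f"{neighbor:<16} {state:<12} down since {since}")
```

Feeding the script the summary from each PE in turn makes the pattern Andy described (every POP1 PE down only towards POP2 PEs, and vice versa) visible at a glance; grouping `down_peers` output by the peer's PoP is a one-line addition once you have a mapping of loopback to site.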
From andy.saykao at staff.netspace.net.au  Tue Nov 17 02:03:34 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 17 Nov 2009 18:03:34 +1100
Subject: [c-nsp] debug mpls packet
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au>

Hi All,

Does anyone know what the middle number represents in a "debug mpls packet" ( eg: {7963 6 254} )? I can't find this information anywhere.

router#debug mpls packet gigabitEthernet 0/2
Packet debugging is on on idb GigabitEthernet0/2
router#
Nov 17 16:26:07.670 AEDT: MPLS turbo: Gi0/2: rx: Len 97 Stack {7963 6 254} - ipv4 data
Nov 17 16:26:08.442 AEDT: MPLS turbo: Gi0/2: rx: Len 78 Stack {7963 6 254} - ipv4 data
Nov 17 16:26:11.882 AEDT: MPLS turbo: Gi0/2: rx: Len 82 Stack {18 0 254} {2750 0 255} - ipv4 data
Nov 17 16:26:11.882 AEDT: MPLS turbo: Gi0/1: tx: Len 82 Stack {8878 0 253} {2750 0 255} - ipv4 data

{7963 6 254}

7693 = Label
6 = ???
254 = I presume is the TTL

What does the 6 represent?? In the other label, it's a ZERO instead {18 0 254} .

Thanks.

Andy
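The three numbers in each {...} group are the three fields of one label stack entry that IOS chooses to print. As an added worked example (my code, not from the thread or from IOS), the Python below packs and unpacks label stack entries exactly as RFC 3032 section 2.1 lays them out in 32 bits: a 20-bit label, the 3-bit EXP field, the 1-bit bottom-of-stack (S) flag and an 8-bit TTL. It then renders a decoded stack in the same "{label exp ttl}" form as the debug output, which makes clear that the S bit is simply not shown there. The packet bytes used as input are constructed here from the label values in Andy's debug lines; the function names are my own.

```python
import struct

LABEL_BITS, EXP_BITS, TTL_BITS = 20, 3, 8


def encode_entry(label, exp, bottom_of_stack, ttl):
    """Pack one label stack entry (RFC 3032 2.1): label | EXP | S | TTL."""
    if not 0 <= label < (1 << LABEL_BITS):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < (1 << EXP_BITS):
        raise ValueError("EXP must fit in 3 bits")
    if not 0 <= ttl < (1 << TTL_BITS):
        raise ValueError("TTL must fit in 8 bits")
    word = (label << 12) | (exp << 9) | (int(bottom_of_stack) << 8) | ttl
    return struct.pack("!I", word)  # network byte order, 4 bytes


def decode_entry(raw):
    """Unpack the first 4 bytes of raw into the four RFC 3032 fields."""
    (word,) = struct.unpack("!I", raw[:4])
    return {
        "label": word >> 12,
        "exp": (word >> 9) & 0x7,
        "bos": bool((word >> 8) & 0x1),
        "ttl": word & 0xFF,
    }


def encode_stack(entries):
    """entries: [(label, exp, ttl), ...], top of stack first.
    S is set only on the last entry, as the RFC requires."""
    if not entries:
        raise ValueError("empty label stack")
    last = len(entries) - 1
    return b"".join(encode_entry(label, exp, i == last, ttl)
                    for i, (label, exp, ttl) in enumerate(entries))


def decode_stack(raw):
    """Walk entries until one carries S=1; return (entries, payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(raw):
            raise ValueError("label stack runs past end of packet")
        entry = decode_entry(raw[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, raw[offset:]


def ios_debug_stack(entries):
    """Render like 'debug mpls packet': '{label exp ttl}' per entry, no S."""
    return " ".join(f"{{{e['label']} {e['exp']} {e['ttl']}}}" for e in entries)


def exp_and_s_combined(entry):
    """What the middle number would read if EXP and S were printed as one
    4-bit value; for any bottom-of-stack entry that number would be odd."""
    return (entry["exp"] << 1) | int(entry["bos"])


# Constructed sample: the two-label stack from the third debug line, followed
# by the first four bytes of an IPv4 header as the payload.
SAMPLE_PACKET = encode_stack([(18, 0, 254), (2750, 0, 255)]) + bytes.fromhex("45000052")

if __name__ == "__main__":
    stack, payload = decode_stack(SAMPLE_PACKET)
    print("Stack", ios_debug_stack(stack), "- ipv4 data" if payload[0] >> 4 == 4 else "")
    for e in stack:
        print(e)
```

Running it prints "Stack {18 0 254} {2750 0 255} - ipv4 data", the same text as the debug line. The `exp_and_s_combined` helper is there for the reading discussed below: a one-entry stack such as {7963 6 254}, followed directly by IPv4 data, must carry S=1 in its only entry, so a combined EXP+S field would print an odd number for it.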
From oboehmer at cisco.com  Tue Nov 17 02:25:15 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 17 Nov 2009 08:25:15 +0100
Subject: [c-nsp] debug mpls packet
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com>

> Does anyone know what the middle number represents in a "debug mpls
> packet" ( eg: {7963 6 254} )?
> I can't find this information anywhere.
>
> 7693 = Label
> 6 = ???
> 254 = I presume is the TTL
>
> What does the 6 represent??

it's the EXP value. you're right about the last being the TTL.

oli

From bandwidth.user at gmail.com  Tue Nov 17 02:43:32 2009
From: bandwidth.user at gmail.com (roy)
Date: Tue, 17 Nov 2009 15:43:32 +0800
Subject: [c-nsp] debug mpls packet
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com>
Message-ID: <4B025424.2030104@gmail.com>

Oliver Boehmer (oboehmer) wrote:
>> Does anyone know what the middle number represents in a "debug mpls
>> packet" ( eg: {7963 6 254} )?
>> I can't find this information anywhere.
>>
>> 7693 = Label
>> 6 = ???
>> 254 = I presume is the TTL
>>
>> What does the 6 represent??
>
> it's the EXP value. you're right about the last being the TTL.
>
> oli

Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
Roy

From oboehmer at cisco.com  Tue Nov 17 02:49:39 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 17 Nov 2009 08:49:39 +0100
Subject: [c-nsp] debug mpls packet
In-Reply-To: <4B025424.2030104@gmail.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com>

> >> Does anyone know what the middle number represents in a "debug mpls
> >> packet" ( eg: {7963 6 254} )?
> >> I can't find this information anywhere.
> >>
> >> 7693 = Label
> >> 6 = ???
> >> 254 = I presume is the TTL
> >>
> >> What does the 6 represent??
> >
> > it's the EXP value. you're right about the last being the TTL.
> >
> > oli
>
> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?

Hmm, why do you think so?
Looking at the code, it only prints the 3 exp. bits.

oli

From bandwidth.user at gmail.com  Tue Nov 17 03:05:32 2009
From: bandwidth.user at gmail.com (roy)
Date: Tue, 17 Nov 2009 16:05:32 +0800
Subject: [c-nsp] debug mpls packet
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com>
Message-ID: <4B02594C.8010004@gmail.com>

Oliver Boehmer (oboehmer) wrote:
>>>> Does anyone know what the middle number represents in a "debug mpls
>>>> packet" ( eg: {7963 6 254} )?
>>>> I can't find this information anywhere.
>>>>
>>>> 7693 = Label
>>>> 6 = ???
>>>> 254 = I presume is the TTL
>>>>
>>>> What does the 6 represent??
>>> it's the EXP value. you're right about the last being the TTL.
>>>
>>> oli
>> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
>
> Hmm, why do you think so? Looking at the code, it only prints the 3 exp.
> bits.

Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into one value.

Roy

From avayner at cisco.com  Tue Nov 17 03:11:28 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 17 Nov 2009 09:11:28 +0100
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116231109.GA74400@puck.nether.net>
References: <20091116231109.GA74400@puck.nether.net>

Jared,

I took a quick look and this has to do with QOS. I have sent an internal query for more info. Will advise.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
Sent: Tuesday, November 17, 2009 01:11
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] how not to write a release note

Seems cisco is getting lazy.. SXI3 is out and this has to be one of the worst release notes ever:

CSCta14457 - A Cisco device may report alignment errors
"%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.

Does not say anything about what may trigger it, eg: mtu, packet fragmentation, etc..

- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
From bandwidth.user at gmail.com  Tue Nov 17 03:19:21 2009
From: bandwidth.user at gmail.com (roy)
Date: Tue, 17 Nov 2009 16:19:21 +0800
Subject: [c-nsp] debug mpls packet
In-Reply-To: <4B02594C.8010004@gmail.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com> <4B02594C.8010004@gmail.com>
Message-ID: <4B025C89.8090705@gmail.com>

roy wrote:
> Oliver Boehmer (oboehmer) wrote:
>>>>> Does anyone know what the middle number represents in a "debug mpls
>>>>> packet" ( eg: {7963 6 254} )?
>>>>> I can't find this information anywhere.
>>>>>
>>>>> 7693 = Label
>>>>> 6 = ???
>>>>> 254 = I presume is the TTL
>>>>>
>>>>> What does the 6 represent??
>>>> it's the EXP value. you're right about the last being the TTL.
>>>>
>>>> oli
>>> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
>>
>> Hmm, why do you think so? Looking at the code, it only prints the 3 exp.
>> bits.
>
> Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into
> one value.

Referring to EXP/CoS + S, that is.

Roy

From p.mayers at imperial.ac.uk  Tue Nov 17 03:47:01 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 17 Nov 2009 08:47:01 +0000
Subject: [c-nsp] SXI3 / rogue DHCP feature?
Message-ID: <4B026305.3000203@imperial.ac.uk>

Hmm:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb87454

"""
Symptom:
This bug deals with a feature requested by customer. Customer wants to send DHCPDISCOVER probes on untrusted ports to detect the Rogue DHCP Servers.
"""

Yet the release notes list "no new features".
Shame; it's an interesting-sounding idea!

From asturluismi at gmail.com  Tue Nov 17 04:31:00 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 17 Nov 2009 10:31:00 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091115191936.GP163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de>
Message-ID: <1258450260.31116.0.camel@hal9000>

Did you try it?

El dom, 15-11-2009 a las 20:19 +0100, Gert Doering escribió:
> Hi,
>
> On Sun, Nov 15, 2009 at 03:12:24PM +0100, luismi wrote:
> > Is it supported in any IOS?
> > Does anyone if it is going to be supported in the future?
>
> On 7600s, it should work, if you are using "routed mode" port channels
> (or subinterfaces). On vlan interfaces, it is not there (yet?).
>
> On GSRs, I have no idea.
>
> gert

From gert at greenie.muc.de  Tue Nov 17 04:54:52 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 10:54:52 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258450260.31116.0.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000>
Message-ID: <20091117095452.GB163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 10:31:00AM +0100, luismi wrote:
> Did you try it?

No. Our most relevant port-channels all are "switchport" type interfaces, and there is no BFD on SVI :-(

But given the 6500/7600 architecture, I would be fairly confident that it works. On the other hand, well, BFD on SVI *did* work in the past...

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From asturluismi at gmail.com Tue Nov 17 04:58:31 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 17 Nov 2009 10:58:31 +0100 Subject: [c-nsp] how not to write a release note In-Reply-To: <20091116233402.GY51443@gerbil.cluepon.net> References: <20091116231109.GA74400@puck.nether.net> <20091116233402.GY51443@gerbil.cluepon.net> Message-ID: <1258451911.31116.1.camel@hal9000> I can't believe it, I need to check it. > Still not as funny as this one: > > CSCso05336 > > Symptoms: A Cisco 1811 router reloads when trying to connect to > irc.freenode.net during the first 36 hours following a reload. > > Conditions: The symptom is observed only in the first 36 hours > following a reload. > > Workaround: Do not connect to irc.freenode.net the first 36 hours > following a reload. > > We really need a wall of shame website where people can submit the true > gems. :) > From asturluismi at gmail.com Tue Nov 17 05:01:48 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 17 Nov 2009 11:01:48 +0100 Subject: [c-nsp] BDF over port-channels? In-Reply-To: <20091117095452.GB163@greenie.muc.de> References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> Message-ID: <1258452108.31116.2.camel@hal9000> I see a message like "BDF not supported over port-channels" in my routers. Also "sh bfd ..." doesn't show anything. El mar, 17-11-2009 a las 10:54 +0100, Gert Doering escribi?: > Hi, > > On Tue, Nov 17, 2009 at 10:31:00AM +0100, luismi wrote: > > Did you try it' > > No. Our most relevant port-channels all are "switchport" type interfaces, > and there is no BFD on SVI :-( > > But given the 6500/7600 architecture, I would be fairly confident that it > works. On the other hand, well, BFD on SVI *did* work in the past... 
>
> gert

From gert at greenie.muc.de  Tue Nov 17 05:09:20 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 11:09:20 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258452108.31116.2.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000>
	<20091115191936.GP163@greenie.muc.de>
	<1258450260.31116.0.camel@hal9000>
	<20091117095452.GB163@greenie.muc.de>
	<1258452108.31116.2.camel@hal9000>
Message-ID: <20091117100920.GE163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
> I see a message like "BDF not supported over port-channels" in my
> routers.

Which IOS version is that? On what platform?

You could be a bit more proactive in your questions... this makes it
much easier to give meaningful responses, really... :-)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From jonas at bjorklund.cn  Tue Nov 17 06:57:42 2009
From: jonas at bjorklund.cn (Jonas Björklund)
Date: Tue, 17 Nov 2009 12:57:42 +0100 (CET)
Subject: [c-nsp] SUP2 boot problem
In-Reply-To: <3EC97F92-E5BF-4B68-B50E-4CBA8F88186B@puck.nether.net>
References: <3EC97F92-E5BF-4B68-B50E-4CBA8F88186B@puck.nether.net>
Message-ID:

On Mon, 16 Nov 2009, Jared Mauch wrote:

> Is that the latest rommon for sup2?
>
> You may also want to make sure your MFSC2 has the latest rommon as well,
> (assuming you have a MFSC2 in your sup2, which it would appear is the case).
>
> c6msfc2-rm2.srec.122-17r.S5 is that image.

I upgraded rommon and it didn't help.

I formatted a new flashcard from the SUP2 like the other card, but this
time it worked much better.

Thanks!
/Jonas

From oboehmer at cisco.com  Tue Nov 17 07:19:11 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 17 Nov 2009 13:19:11 +0100
Subject: [c-nsp] debug mpls packet
In-Reply-To: <4B02594C.8010004@gmail.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au>
	<6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com>
	<4B025424.2030104@gmail.com>
	<6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com>
	<4B02594C.8010004@gmail.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com>

> >>>> Does anyone know what the middle number represents in a "debug mpls
> >>>> packet" ( eg: {7963 6 254} )?
> >>>> I can't find this information anywhere.
> >>>>
> >>>> 7693 = Label
> >>>> 6 = ???
> >>>> 254 = I presume is the TTL
> >>>>
> >>>> What does the 6 represent??
> >>> it's the EXP value. you're right about the last being the TTL.
> >>>
> >>> oli
> >> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
> >
> > Hmm, why do you think so? Looking at the code, it only prints the 3 exp.
> > bits.
>
> Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into
> one value.

still not sure what you refer to, and why you think the debug discussed
shows the 4-bit Exp+S value rather than the 3-bit Exp only?

	oli

From asturluismi at gmail.com  Tue Nov 17 07:20:58 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 17 Nov 2009 13:20:58 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091117100920.GE163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000>
	<20091115191936.GP163@greenie.muc.de>
	<1258450260.31116.0.camel@hal9000>
	<20091117095452.GB163@greenie.muc.de>
	<1258452108.31116.2.camel@hal9000>
	<20091117100920.GE163@greenie.muc.de>
Message-ID: <1258460458.31116.3.camel@hal9000>

I wrote it in a previous email but here it is again :D

7200 npe-g2 and 7600 rsp720-pfc3

I am using 12.2SRC but it is not supported there and I would like to know
if it is supported in another train.

On Tue, 17-11-2009 at 11:09 +0100, Gert Doering wrote:
> Hi,
>
> On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
> > I see a message like "BDF not supported over port-channels" in my
> > routers.
>
> Which IOS version is that? On what platform?
>
> You could be a bit more proactive in your questions... this makes it
> much easier to give meaningful responses, really... :-)
>
> gert

From amsoares at netcabo.pt  Tue Nov 17 07:36:48 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Tue, 17 Nov 2009 12:36:48 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To:
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
Message-ID: <4BF89FC5C247499FA7D25C31066665F6@int.convex.pt>

Almost all LCs are reporting errors in the column "CRC XBAR0". So I
think that replacing the CSC0 will be the best thing to do at the moment.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

_____

From: e ninja [mailto:eninja at gmail.com]
Sent: Monday, 16 November 2009 19:07
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net; eninja at gmail.com
Subject: Re: [c-nsp] FABRIC-3-ERR_HANDLE

Antonio,

You should never troubleshoot fabric errors with any exec-on commands.
They run over the fabric that may or may not be compromised.

1. Are any other LCs apart from slot 6 reporting CRC errors?
2. grab two "sh contr fia" from the RP and an attach to all the LCs and
send over.
Eninja

On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares wrote:

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, I have 4 of these messages.

Slot 6 is a SIP-601 containing 2 x SPA-10G.

What could be the problem ?

The "show controllers fia" does not show any problem.

The "execute-on slot 6 show controllers fia" shows this:

Switch cards present:   0x1F
Switch cards monitored: 0x1F
                    0        1        2        3        4
             -------- -------- -------- -------- --------
los                 0        0        0        0        0
state             Off      Off      Off      Off      Off
crc16           53989        0        0        0        0
xor error           0        0        0        0
cell drops       1020     1020     1020     1020

IOS=c12kprp-p-mz.120-32.SY6.bin

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From gert at greenie.muc.de  Tue Nov 17 09:12:04 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 15:12:04 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258460458.31116.3.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000>
	<20091115191936.GP163@greenie.muc.de>
	<1258450260.31116.0.camel@hal9000>
	<20091117095452.GB163@greenie.muc.de>
	<1258452108.31116.2.camel@hal9000>
	<20091117100920.GE163@greenie.muc.de>
	<1258460458.31116.3.camel@hal9000>
Message-ID: <20091117141204.GG163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
> I wrote it in a previous email but here it is again :D
>
> 7200 npe-g2 and 7600 rsp720-pfc3

These are very very *VERY* different platforms...

> I am using 12.2SRC but it is not supported there and I would like to know
> if it is supported in another train.

... so it might very well be supported on one of them, and not on the
other...

Just for the record - my assumption was wrong.
I just tried to configure
BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
the bfd commands on the port-channel interfaces. Physical interfaces
only.

(Which makes some sort of sense, *iff* the BFD-handling is done in the
line card - where it belongs, to be independent of whatever load the
main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
enough to run BFD locally. So whatever...)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From eninja at gmail.com  Tue Nov 17 09:13:14 2009
From: eninja at gmail.com (Eninja)
Date: Tue, 17 Nov 2009 15:13:14 +0100
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <4BF89FC5C247499FA7D25C31066665F6@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
	<4BF89FC5C247499FA7D25C31066665F6@int.convex.pt>
Message-ID:

Cool. ITMT, you may want to shut down CSC0 with a 'hw-module...' to
minimize further impact to the fabric and clear fabric errors on all
LCs. A fresh 'sh contr fia' (repeated a few times) thereafter should
reveal 0 CRCs.

Eninja

On Nov 17, 2009, at 1:36 PM, "Antonio Soares" wrote:

> Almost all LCs are reporting errors in the column "CRC XBAR0". So I
> think that replacing the CSC0 will be the best thing to do at the moment.
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
>
> From: e ninja [mailto:eninja at gmail.com]
> Sent: Monday, 16 November 2009 19:07
> To: Antonio Soares
> Cc: cisco-nsp at puck.nether.net; eninja at gmail.com
> Subject: Re: [c-nsp] FABRIC-3-ERR_HANDLE
>
> Antonio,
>
> You should never troubleshoot fabric errors with any exec-on
> commands.
> They run over the fabric that may or may not be compromised.
> 1. Are any other LCs apart from slot 6 reporting CRC errors?
> 2. grab two "sh contr fia" from the RP and an attach to all the LCs and
> send over.
> Eninja
>
>
> On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares
> wrote:
> Hello group,
>
> I have a 12k reporting this:
>
> %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from
> slot 6
>
> In one week, I have 4 of these messages.
>
> Slot 6 is a SIP-601 containing 2 x SPA-10G.
>
> What could be the problem ?
>
> The "show controllers fia" does not show any problem.
>
> The "execute-on slot 6 show controllers fia" shows this:
>
> Switch cards present:   0x1F
> Switch cards monitored: 0x1F
>                     0        1        2        3        4
>              -------- -------- -------- -------- --------
> los                 0        0        0        0        0
> state             Off      Off      Off      Off      Off
> crc16           53989        0        0        0        0
> xor error           0        0        0        0
> cell drops       1020     1020     1020     1020
>
>
> IOS=c12kprp-p-mz.120-32.SY6.bin
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>

From jfitz at princeton.edu  Tue Nov 17 09:51:01 2009
From: jfitz at princeton.edu (Jeff Fitzwater)
Date: Tue, 17 Nov 2009 09:51:01 -0500
Subject: [c-nsp] SXI(3) code status?
Message-ID: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>

I have been running the SXI(3) on a test router with 100M MM 6324, which
it did not recognize in previous versions, and so far no complaints but
then again it's not in a real world yet.

Does anyone else have GOOD or BAD news on SXI(3)?
Jeff Fitzwater
OIT Network Systems
Princeton University

From jeff-kell at utc.edu  Tue Nov 17 10:09:21 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 17 Nov 2009 10:09:21 -0500
Subject: [c-nsp] Flowcontrol conflict 4506 SupIV / 6509 Sup720
Message-ID: <4B02BCA1.3060402@utc.edu>

This may end up a TAC case after I gather more information this morning,
but thought I'd run this by the list in case it rang any bells (or you had
similar configurations)...

We had a maintenance window last night to push out some IOS upgrades to
our distribution layer, complete with a scheduled reload to try to
minimize downtime. Everything went well with one notable exception, a
two-port etherchannel trunk between a 4506 and 6509 (that was working
just fine beforehand).

From the 6509 side (which was the side noting the issue):

Nov 16 21:58:08.727 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/22, changed state to up
Nov 16 21:58:08.727 EST: %LINK-3-UPDOWN: Interface Port-channel8, changed state to up
Nov 16 21:58:08.731 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel8, changed state to up
Nov 16 21:58:08.743 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/43, changed state to up
Nov 16 21:58:08.983 EST: %LINK-3-UPDOWN: Interface Vlan224, changed state to down
Nov 16 21:58:08.987 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan224, changed state to down
Nov 16 21:58:09.147 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/22, changed state to down
Nov 16 21:58:09.175 EST: %LINK-3-UPDOWN: Interface GigabitEthernet1/22, changed state to down
Nov 16 21:58:08.650 EST: %EC-SP-5-CANNOT_BUNDLE2: Gi1/22 is not compatible with Gi2/43 and will be suspended (flow control send of Gi1/22 is desired, Gi2/43 is off)
Nov 16 21:58:08.658 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet1/22, changed state to down
Nov 16 21:58:08.698 EST: %EC-SP-5-COMPATIBLE: Gi1/22 is compatible with port-channel members

I've never configured flowcontrol anywhere... and this is the first issue
I've seen. The 6509 was untouched, the 4506 was changed/reloaded. The
channel did not come up until I did a flowcontrol send off (which now does
not appear anywhere in the config, making it even more confusing).

4506 side is the two SupIV supervisor ports. Was running 12.2(50)SG1 and
working, rebooted into 12.2(53)SG1.

6509 blade 1 is a 6724-SFP, blade 2 is a 6748-SFP. The 6509 has 13
port-channels configured across these two blades and there have been no
issues with any other port-channel. The 6509 has another port-channel to
another 4506 configured practically the same (different switchport allowed
vlans) and had no issues.

Anyone see this before? Any words of wisdom regarding avoiding potential
flowcontrol issues?

Jeff

From rubensk at gmail.com  Tue Nov 17 10:22:51 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Tue, 17 Nov 2009 13:22:51 -0200
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
Message-ID: <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>

SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.

Rubens

On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>
>
> Does anyone else have GOOD or BAD news on SXI(3)?
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>

From jared at puck.nether.net  Tue Nov 17 10:31:18 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 17 Nov 2009 10:31:18 -0500
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
	<6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>
Message-ID:

SXI3 has a number of bug fixes for our network, including one that would
cause the next-hop to be populated as 'drop' in hardware.

I strongly recommend using it over prior versions of SXI.

Due to the removal of hardware support we replaced the older 63xx/62xx
series cards.

- Jared

On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:

> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>
>
> Rubens
>
>
>
> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>>
>>
>> Does anyone else have GOOD or BAD news on SXI(3)?
>>
>>
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>>

From cnsp at shreddedmail.com  Tue Nov 17 11:33:33 2009
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Tue, 17 Nov 2009 08:33:33 -0800
Subject: [c-nsp] No SVI throughput/bandwidth counters on Catalyst 4948
Message-ID:

I started deploying Catalyst 4948 switches as TOR devices about 3 months
ago. The policing and packet-handling have been behaving quite nicely.
Physical ports are mapped to SVIs and the SVIs have policers attached. The
primary reason for SVIs is to allow a paired 4948 to act as an HSRP partner
across a dot1q trunk for the individual interfaces.

Up until last night, everything seemed to be working fine. We moved our
Checkpoint firewall from behind the core down to behind aggregation (new
mantra; no customers attach at the core - everybody is a customer. We had
some ad-hoc stuff attached to the core that I'm slowly pruning).

From spot-checking, all of the SVIs and physical interfaces report
bits/sec and packets/sec properly, other than the new interfaces I lit up
for the firewall. Only the physical port interfaces show activity on
bits/packets/sec. I am, however, seeing L3 Switched counters.

The only differences I can think of are: a) the firewall isn't policed, and
b) Checkpoint does weird stuff with unicast-IP-on-multicast-MAC for its
load-balancing and failover. I added a policer to the firewall interface,
and added the magic static arp (that Checkpoint uses) to an existing
interface, and the behavior didn't change.
Checkpoint interface is weird, others are OK.

Any suggestions on what to look for?

Thanks,

-----
--> Working:

interface GigabitEthernet1/1
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end

#show int g1/1
GigabitEthernet1/1 is up, line protocol is up (connected)
  5 minute input rate 215000 bits/sec, 53 packets/sec
  5 minute output rate 258000 bits/sec, 47 packets/sec

interface Vlan101
 description Normal customer
 ip address x.y.34.226 255.255.255.248
 no ip redirects
 no ip proxy-arp
 standby 101 ip x.y.34.225
 standby 101 timers 5 15
 standby 101 priority 110
 standby 101 preempt
 service-policy input BW_12M
 service-policy output BW_12M
end

#show int vlan 101
Vlan101 is up, line protocol is up
  5 minute input rate 210000 bits/sec, 55 packets/sec
  5 minute output rate 236000 bits/sec, 46 packets/sec
  L3 in Switched: ucast: 487633 pkt, 188595448 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 439823 pkt, 245564925 bytes - mcast: 0 pkt, 0 bytes

--> Weird:

interface GigabitEthernet1/46
 description Checkpoint Firewall "A"
 switchport access vlan 146
 switchport mode access
 spanning-tree portfast
end

#show int g1/46
GigabitEthernet1/46 is up, line protocol is up (connected)
  5 minute input rate 25263000 bits/sec, 3476 packets/sec
  5 minute output rate 15737000 bits/sec, 5351 packets/sec

interface Vlan146
 description Checkpoint Firewall "A"
 ip address x.y.1.82 255.255.255.248
 no ip redirects
 no ip proxy-arp
 standby 146 ip x.y.1.81
 standby 146 timers 5 15
 standby 146 priority 110
 standby 146 preempt
end

#show int vlan 146
Vlan146 is up, line protocol is up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L3 in Switched: ucast: 94104774 pkt, 91006951231 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 44127262 pkt, 16712790232 bytes - mcast: 0 pkt, 0 bytes

From lukasz at bromirski.net  Tue Nov 17 11:50:33 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 17 Nov 2009 17:50:33 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091117141204.GG163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000>
	<20091115191936.GP163@greenie.muc.de>
	<1258450260.31116.0.camel@hal9000>
	<20091117095452.GB163@greenie.muc.de>
	<1258452108.31116.2.camel@hal9000>
	<20091117100920.GE163@greenie.muc.de>
	<1258460458.31116.3.camel@hal9000>
	<20091117141204.GG163@greenie.muc.de>
Message-ID: <4B02D459.1060309@bromirski.net>

On 2009-11-17 15:12, Gert Doering wrote:

> (Which makes some sort of sense, *iff* the BFD-handling is done in the
> line card - where it belongs, to be independent of whatever load the
> main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
> enough to run BFD locally. So whatever...)

You're right. The current 6500 LCs don't have the capability to run BFD
in fully distributed mode. All BFD-bound functionality is the job of the
active Supervisor.

--
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From gert at greenie.muc.de  Tue Nov 17 11:57:44 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 17:57:44 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <4B02D459.1060309@bromirski.net>
References: <1258294344.12313.1.camel@hal9000>
	<20091115191936.GP163@greenie.muc.de>
	<1258450260.31116.0.camel@hal9000>
	<20091117095452.GB163@greenie.muc.de>
	<1258452108.31116.2.camel@hal9000>
	<20091117100920.GE163@greenie.muc.de>
	<1258460458.31116.3.camel@hal9000>
	<20091117141204.GG163@greenie.muc.de>
	<4B02D459.1060309@bromirski.net>
Message-ID: <20091117165744.GL163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 05:50:33PM +0100, Łukasz Bromirski wrote:
> On 2009-11-17 15:12, Gert Doering wrote:
>
> >(Which makes some sort of sense, *iff* the BFD-handling is done in the
> >line card - where it belongs, to be independent of whatever load the
> >main CPU is having.
> >OTOH, I don't think normal 6500 LAN cards are smart
> >enough to run BFD locally. So whatever...)
>
> You're right. The current 6500 LCs don't have the capability to run BFD
> in fully distributed mode. All BFD-bound functionality is the job of the
> active Supervisor.

Out of curiosity: since the boot messages suggest that 67xx cards with
CFC or DFC run "some sort of local IOS" - would those be smart enough?
What about SIP and ES cards?

So many things still to learn about this platform :-)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From cphillips at wbsconnect.com  Tue Nov 17 12:05:02 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Tue, 17 Nov 2009 09:05:02 -0800
Subject: [c-nsp] SXI(3) code status?
In-Reply-To:
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
	<6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>
Message-ID: <4B02D7BE.1020000@wbsconnect.com>

Jared,

After quickly glancing at the release notes, I was unable to find anything
about the removal of hardware support for the 63xx series cards. Do you
have a URL or can you be more specific?

Thanks in advance!

Jared Mauch wrote:
> SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware.
>
> I strongly recommend using it over prior versions of SXI.
>
> Due to the removal of hardware support we replaced the older 63xx/62xx series cards.
>
> - Jared
>
> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
>
>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>>
>>
>> Rubens
>>
>>
>>
>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
>>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>>>
>>>
>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>
>>>
>>> Jeff Fitzwater
>>> OIT Network Systems
>>> Princeton University
>>>

From asturluismi at gmail.com  Tue Nov 17 12:11:04 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 17 Nov 2009 18:11:04 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091117141204.GG163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000>
	<20091115191936.GP163@greenie.muc.de>
	<1258450260.31116.0.camel@hal9000>
	<20091117095452.GB163@greenie.muc.de>
	<1258452108.31116.2.camel@hal9000>
	<20091117100920.GE163@greenie.muc.de>
	<1258460458.31116.3.camel@hal9000>
	<20091117141204.GG163@greenie.muc.de>
Message-ID: <1258477864.31116.4.camel@hal9000>

I was just curious, because I would like to deploy BFD, but I saw those
messages on my routers because of the port-channel configurations, and I
would like to know if it was supported in another train or something
similar.
On Tue, 17-11-2009 at 15:12 +0100, Gert Doering wrote:
> Hi,
>
> On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
> > I wrote it in a previous email but here it is again :D
> >
> > 7200 npe-g2 and 7600 rsp720-pfc3
>
> These are very very *VERY* different platforms...
>
> > I am using 12.2SRC but it is not supported there and I would like to know
> > if it is supported in another train.
>
> ... so it might very well be supported on one of them, and not on the
> other...
>
> Just for the record - my assumption was wrong. I just tried to configure
> BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
> the bfd commands on the port-channel interfaces. Physical interfaces
> only.
>
> (Which makes some sort of sense, *iff* the BFD-handling is done in the
> line card - where it belongs, to be independent of whatever load the
> main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
> enough to run BFD locally. So whatever...)
>
> gert

From jared at puck.nether.net  Tue Nov 17 12:12:32 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 17 Nov 2009 12:12:32 -0500
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <4B02D7BE.1020000@wbsconnect.com>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
	<6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>
	<4B02D7BE.1020000@wbsconnect.com>
Message-ID: <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net>

Release 12.2(33)SXH and later releases do not support the following hardware:

These Ethernet Switching Modules:

- WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ
- WS-X6248A-TEL 48-port 10/100TX RJ-21
- WS-X6248-RJ-45 48-port 10/100TX RJ-45
- WS-X6248-TEL 48-port 10/100TX RJ-21
- WS-X6324-100FX-SM 24-port 100FX Ethernet
- WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ
- WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45
- WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ

Now, the caveat is that they did not actually remove the hardware support
for some of these until SXI1, so while the release notes say one thing,
the actual support varies.

You will see something like this in 'show power':

4    WS-X6248A-TEL         112.98    2.69    -    -    on    off (not supported)
8    WS-X6248-RJ-45        112.98    2.69    -    -    on    off (not supported)

It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I
can't recall if that was the case for SXI2/2a/or 1.

- Jared

On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote:

> Jared,
>
> After quickly glancing at the release notes, I was unable to find anything about the removal of hardware support for the 63xx series cards. Do you have a URL or can you be more specific?
>
> Thanks in advance!
>
> Jared Mauch wrote:
>> SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware.
>> I strongly recommend using it over prior versions of SXI.
>> Due to the removal of hardware support we replaced the older 63xx/62xx series cards.
>> - Jared
>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>>>
>>>
>>> Rubens
>>>
>>>
>>>
>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
>>>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>>>>
>>>>
>>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>>
>>>>
>>>> Jeff Fitzwater
>>>> OIT Network Systems
>>>> Princeton University
>>>>

From justin at justinshore.com  Tue Nov 17 12:21:38 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 17 Nov 2009 11:21:38 -0600
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258460458.31116.3.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000>
	<20091115191936.GP163@greenie.muc.de>
	<1258450260.31116.0.camel@hal9000>
	<20091117095452.GB163@greenie.muc.de>
	<1258452108.31116.2.camel@hal9000>
	<20091117100920.GE163@greenie.muc.de>
	<1258460458.31116.3.camel@hal9000>
Message-ID: <4B02DBA2.1050801@justinshore.com>

luismi wrote:
> I wrote it in a previous email but here it is again :D
>
> 7200 npe-g2 and 7600 rsp720-pfc3
>
> I am using 12.2SRC but it is not supported there and I would like to know
> if it is supported in another train.

12.2SR is all you can run on the RSP720.
SX and SR will both run on the Sup720 but certain LCs are not supported in SR and vice versa.

I only run and recommend 12.4T on 7200s so I can't speak to the 12.2 features for that platform.

Justin

From edigheorghiu at gmail.com Tue Nov 17 12:25:12 2009
From: edigheorghiu at gmail.com (Eduard Gheorghiu)
Date: Tue, 17 Nov 2009 19:25:12 +0200
Subject: [c-nsp] IOS XR version you use
Message-ID:

Hi everyone!

I am looking for a good choice of XR to upgrade to from 3.5. In terms of features there are no mandatory ones that could drive us to do 3.8 instead of 3.6.
Does anyone of you use 3.8 in a production environment? Please share any thoughts on this.

BR
Eduard

From achatz at forthnet.gr Tue Nov 17 12:35:26 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 17 Nov 2009 19:35:26 +0200
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258460458.31116.3.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000>
Message-ID: <4B02DEDE.8060003@forthnet.gr>

According to Cisco:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bfd.html#wp1054055

============================================================
For the following Cisco IOS Releases, BFD on PortChannel is not a supported configuration: 12.2SXF, 12.2SRC, and 12.2SRB.
============================================================

Also there is CSCek67622:

============================================================
BFD should not be configurable on etherchannel intf

Symptoms: The bfd interval command is accepted on EtherChannel and EtherChannel member interfaces.

Conditions: This symptom is observed on a Cisco router while BFD is not supported on EtherChannels.

Workaround: Do not enter the bfd interval command on EtherChannel and EtherChannel member interfaces.
============================================================

It's still not clear whether it's supported on SRD (and ES cards) or will be supported in the future...

--
Tassos

luismi wrote on 17/11/2009 14:20:
> I wrote it in a previous email but here is again :D
>
> 7200 npe-g2 and 7600 rsp720-pfc3
>
> I am using 12.2SRC but it is not supported there and I would like to know
> if it is supported in another train.
>
> On Tue, 17-11-2009 at 11:09 +0100, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
>>> I see a message like "BDF not supported over port-channels" in my
>>> routers.
>> Which IOS version is that? On what platform?
>>
>> You could be a bit more proactive in your questions... this makes it
>> much easier to give meaningful responses, really... :-)
>>
>> gert
>
> --
> Tassos

From NMaio at guesswho.com Tue Nov 17 13:24:04 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Tue, 17 Nov 2009 13:24:04 -0500
Subject: [c-nsp] 7600 ES card and module
Message-ID: <2AA600764E54964491083B1E0EC81A302F8723C3E5@EXCLUS.nationala-1advertising.com>

Just a quick question or two. Does anybody have good/bad experience with a 7600-ES20-10G3CXL in a 7606 with 720-3bxl? I am looking to terminate a 1310nm or 1550nm 10Ge from another provider. No dense or coarse wave.

Also I am trying to figure out if the XFP-10GLR-OC192SR module will work with this. Am I reading this correctly that this module is supported for both POS and regular 10G Ethernet?

Thanks,
Nick

From drew.weaver at thenap.com Tue Nov 17 13:49:12 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 17 Nov 2009 13:49:12 -0500
Subject: [c-nsp] Portchannel, ttl 1 packets filling input queue.
Message-ID:

Hey all,

I had been suffering from some input/output queue drops on the Catalyst side of a connection between a [Cat6500 (Sup 720-3BXL) WS-6724-SFP] and a GSR 12810 w/ SIP-601 & SPA10x1GE-V2.

Since this link was tremendously busy I thought perhaps it was simply a matter of micro bursts exceeding the maximum bandwidth of the interface, and instead of upgrading to 10GE for a microburst, I decided to create a port-channel.

So I created the port channel using two ports on the 6724-SFP and two ports on the SPA10x1GE-V2. Since the GSR doesn't support anything but etherchannel (for what reason I can't tell you) I used etherchannel.

I noticed as soon as this port-channel interface came up that the input queue was immediately getting drops/flushes so I did some:

sh buffers input-interface port-channel 1 dump

several times; in there I saw this:

source: x.x.x.x, destination: y.y.y.y, id: 0x0000, ttl: 1,
TOS: 0 prot: 17, source port 32136, destination port 9810

where x.x.x.x is a host on my network and y.y.y.y is a host on the Internet.

Pretty much every time I ran it I saw several packets like this (all with TTL 1). This continued until I broke the port-channel and put everything back to how it was.

I ran that same command:

sh buffers input-interface g4/19 1 dump

on the physical interface connecting the two (without the port channel) and I didn't get the same results.

Does anyone know of any bugs or anything with port-channel, or any caveats that might explain what I am running into?

thanks,
-Drew

From dudepron at gmail.com Tue Nov 17 14:02:00 2009
From: dudepron at gmail.com (Aaron)
Date: Tue, 17 Nov 2009 14:02:00 -0500
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To:
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
Message-ID: <480dad640911171102g15d06b51u2b3132b34d34ef76@mail.gmail.com>

So, what is the difference in output from doing exec-on vs attach? You are still connecting via the same method.
On Mon, Nov 16, 2009 at 14:07, e ninja wrote:
> Antonio,
>
> You should *never* troubleshoot fabric errors with *any* exec-on commands.
> They run over the fabric that may or may not be compromised.
>
> 1. Are any other LCs apart from slot 6 reporting CRC errors?
> 2. grab two "sh contr fia" from the RP and an attach to all the LCs and
> send over.
>
> Eninja
>
> On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares wrote:
>> Hello group,
>>
>> I have a 12k reporting this:
>>
>> %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6
>>
>> In one week, i have 4 of these messages.
>>
>> Slot 6 is a SIP-601 containing 2 x SPA-10G.
>>
>> What could be the problem ?
>>
>> The "show controllers fia" do not show any problem.
>>
>> The "execute-on slot 6 show controllers fia" show this:
>>
>> Switch cards present:   0x1F
>> Switch cards monitored: 0x1F
>>                  0        1        2        3        4
>>           -------- -------- -------- -------- --------
>> los              0        0        0        0        0
>> state          Off      Off      Off      Off      Off
>> crc16        53989        0        0        0        0
>> xor error        0        0        0        0
>> cell drops    1020     1020     1020     1020
>>
>> IOS=c12kprp-p-mz.120-32.SY6.bin
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S)
>> amsoares at netcabo.pt
>

From jfitz at princeton.edu Tue Nov 17 14:34:52 2009
From: jfitz at princeton.edu (Jeff Fitzwater)
Date: Tue, 17 Nov 2009 14:34:52 -0500
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net>
Message-ID: <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu>

The 6324 100 MM is supported but did not come online in SXI 1, 2, 2A. It did however work in SXI, which we are running now.

The other flavors are not supported.

Jeff

On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote:

> Release 12.2(33)SXH and later releases do not support the following hardware:
>
> These Ethernet Switching Modules:
>
> - WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ
> - WS-X6248A-TEL 48-port 10/100TX RJ-21
> - WS-X6248-RJ-45 48-port 10/100TX RJ-45
> - WS-X6248-TEL 48-port 10/100TX RJ-21
> - WS-X6324-100FX-SM 24-port 100FX Ethernet
> - WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ
> - WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45
> - WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ
>
> Now, the caveat is that they did not actually remove the hardware support for some of these until SXI1, so while the release notes say one thing, the actual support varies.
>
> You will see something like this in 'show power':
>  4 WS-X6248A-TEL    112.98  2.69  -  -  on  off (not supported)
>  8 WS-X6248-RJ-45   112.98  2.69  -  -  on  off (not supported)
>
> It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I can't recall if that was the case for SXI2/2a/or 1.
>
> - Jared
>
> On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote:
>
>> Jared,
>>
>> After quickly glancing at the release notes, I was unable to find anything about the removal of hardware support for the 63xx series cards. Do you have a URL or can you be more specific?
>>
>> Thanks in advance!
>>
>> Jared Mauch wrote:
>>> SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware.
>>> I strongly recommend using it over prior versions of SXI.
>>> Due to the removal of hardware support we replaced the older 63xx/62xx series cards.
>>> - Jared
>>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
>>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
>>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>>>>
>>>> Rubens
>>>>
>>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
>>>>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>>>>>
>>>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>>>
>>>>> Jeff Fitzwater
>>>>> OIT Network Systems
>>>>> Princeton University
>>>>>
>

From mduksa at gmail.com Tue Nov 17 14:43:42 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 17 Nov 2009 11:43:42 -0800
Subject: [c-nsp] Cisco 7600 Broadband Licensing
Message-ID:

Hi,

Does anyone know if licensing is needed on Cisco 7600 (and if so do you know the product number) for
broadband activation on ES+ cards (not interested in SIP)? Let's say that we want to enable subscriber management (PPPoE or IPoE) on ES+ cards, what licenses do we need? I know that a bunch of BB licenses exist for ASR1K but could not find anything on 7600.

Thanks,
Marlon

From kgraham at industrial-marshmallow.com Tue Nov 17 14:45:20 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 17 Nov 2009 11:45:20 -0800 (PST)
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116231109.GA74400@puck.nether.net>
References: <20091116231109.GA74400@puck.nether.net>
Message-ID: <577377.68121.qm@web502.biz.mail.mud.yahoo.com>

> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..

Though that one is higher profile, still not as bad as:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/release/notes/ol_6897.html#wp274407

...listed as a "Limitation and Restriction" (as opposed to "Open Caveat") with no bug citation.

At least there's some good bug release-note authors out there, as evidenced by CSCse14048:

Cisco X2-10GB-LR transceiver modules with a version identification number lower than V03 might show intermittent frame check sequence (FCS) errors or be ejected from the switch during periods of operational shock greater than 50g. There is no workaround.

(still waiting to be able to recommend that as a possible problem to a c-nsp poster...)

From avayner at cisco.com Tue Nov 17 15:53:32 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 17 Nov 2009 21:53:32 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258477864.31116.4.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de> <1258477864.31116.4.camel@hal9000>
Message-ID:

Just out of curiosity, what is the port-channel on the 7200/7600 used for?
Is it a point to point routed port, or with L2 VLANs switched on top of it?

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Tuesday, November 17, 2009 19:11
To: Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BDF over port-channels?

I was just curious, because I would like to deploy BFD but I saw those messages on my routers because of the port-channel configurations and I would like to know if it was supported in another train or something similar.

On Tue, 17-11-2009 at 15:12 +0100, Gert Doering wrote:
> Hi,
>
> On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
>> I wrote it in a previous email but here is again :D
>>
>> 7200 npe-g2 and 7600 rsp720-pfc3
>
> These are very very *VERY* different platforms...
>
>> I am using 12.2SRC but it is not supported there and I would like to know
>> if it is supported in another train.
>
> ... so it might very well be supported on one of them, and not on the
> other...
>
> Just for the record - my assumption was wrong. I just tried to configure
> BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
> the bfd commands on the port-channel interfaces. Physical interfaces
> only.
>
> (Which makes some sort of sense, *iff* the BFD-handling is done in the
> line card - where it belongs, to be independent of whatever load the
> main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
> enough to run BFD locally.
> So whatever...)
>
> gert

From aptgetd at gmail.com Tue Nov 17 15:46:42 2009
From: aptgetd at gmail.com (sky vader)
Date: Tue, 17 Nov 2009 12:46:42 -0800
Subject: [c-nsp] snmpwalk for switch port status
Message-ID: <4B030BB2.8090801@gmail.com>

Hi,

Can anyone point me in the right direction for a perl script that will snmpwalk the MIB for switch port status, whether "up" or "down", including the total number of ports available? I have approximately 400 switches that I would like to query via script and pipe the results to a file for every device.

I'm currently querying it manually (see below) which is not scaling :-)

$ snmpwalk -c interfaces.ifTable.ifEntry.ifOperStatus | grep down

Any pointers will be greatly appreciated.

regards
sky

From avayner at cisco.com Tue Nov 17 15:57:54 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 17 Nov 2009 21:57:54 +0100
Subject: [c-nsp] how not to write a release note
In-Reply-To:
References: <20091116231109.GA74400@puck.nether.net>
Message-ID:

Well, as feedback for the issue raised, the bug you flagged is not causing anything other than a traceback message...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arie Vayner (avayner)
Sent: Tuesday, November 17, 2009 10:11
To: Jared Mauch; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] how not to write a release note

Jared,

I took a quick look and this has to do with QOS.
I have sent an internal query for more info. Will advise.
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
Sent: Tuesday, November 17, 2009 01:11
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] how not to write a release note

Seems cisco is getting lazy.. SXI3 is out and this has to be one of the worst release notes ever:

CSCta14457 - A Cisco device may report alignment errors
"%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.

Does not say anything about what may trigger it, eg: mtu, packet fragmentation, etc..

- Jared

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From gert at greenie.muc.de Tue Nov 17 17:07:41 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 23:07:41 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To:
References: <1258477864.31116.4.camel@hal9000>
Message-ID: <20091117220741.GO163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 09:53:32PM +0100, Arie Vayner (avayner) wrote:
> Just out of curiosity, what is the port-channel on the 7200/7600 used for?
> Is it a point to point routed port, or with L2 VLANs switched on top of it?

Just for the records: on the 6500 with SXF or SXH3a, it wasn't possible to turn on BFD on a routed point-to-point port-channel. Switched + SVI is known to be unsupported and unconfigurable since SXH...

gert

--
USENET is *not* the non-clickable part of WWW!
                                                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                      gert at greenie.muc.de
fax: +49-89-35655025                 gert at net.informatik.tu-muenchen.de

From moua0100 at umn.edu Tue Nov 17 16:16:50 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 17 Nov 2009 15:16:50 -0600
Subject: [c-nsp] BDF over port-channels?
In-Reply-To:
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de> <1258477864.31116.4.camel@hal9000>
Message-ID: <4B0312C2.1090503@umn.edu>

we've got some p2p routed ports over here

!
interface Port-channel1
 description [removed]
 mtu 4470
 ip address 192.168.11.105 255.255.255.252
 no negotiation auto
 snmp trap link-status
 hold-queue 150 in
!

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Arie Vayner (avayner) wrote:
> Just out of curiosity, what is the port-channel on the 7200/7600 used for?
> Is it a point to point routed port, or with L2 VLANs switched on top of it?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Tuesday, November 17, 2009 19:11
> To: Gert Doering
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BDF over port-channels?
>
> I was just curious, because I would like to deploy BFD but I saw those
> messages on my routers because of the port-channel configurations and I
> would like to know if it was supported in another train or something
> similar.
>
> On Tue, 17-11-2009 at 15:12 +0100, Gert Doering wrote:
>
>> Hi,
>>
>> On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
>>
>>> I wrote it in a previous email but here is again :D
>>>
>>> 7200 npe-g2 and 7600 rsp720-pfc3
>>>
>> These are very very *VERY* different platforms...
>>
>>> I am using 12.2SRC but it is not supported there and I would like to know
>>> if it is supported in another train.
>>>
>> ... so it might very well be supported on one of them, and not on the
>> other...
>>
>> Just for the record - my assumption was wrong. I just tried to configure
>> BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
>> the bfd commands on the port-channel interfaces. Physical interfaces
>> only.
>>
>> (Which makes some sort of sense, *iff* the BFD-handling is done in the
>> line card - where it belongs, to be independent of whatever load the
>> main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
>> enough to run BFD locally. So whatever...)
>>
>> gert
>>
>

From abidin.kahraman at gmail.com Tue Nov 17 17:16:15 2009
From: abidin.kahraman at gmail.com (Abidin Kahraman)
Date: Tue, 17 Nov 2009 22:16:15 +0000
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <4B02DEDE.8060003@forthnet.gr>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <4B02DEDE.8060003@forthnet.gr>
Message-ID: <2A7FD41E-5764-40C0-A659-DE93EC34A5F0@gmail.com>

BFD over port-channel is supported on SRD1.

HTH
Abidin

On 17 Nov 2009, at 17:35, Tassos Chatzithomaoglou wrote:

> According to Cisco:
>
> http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bfd.html#wp1054055
>
> ============================================================
> For the following Cisco IOS Releases, BFD on PortChannel is not a supported configuration: 12.2SXF, 12.2SRC, and 12.2SRB.
> ============================================================
>
> Also there is CSCek67622:
> ============================================================
> BFD should not be configurable on etherchannel intf
> Symptoms: The bfd interval command is accepted on
> EtherChannel and EtherChannel member interfaces.
>
> Conditions: This symptom is observed on a Cisco router while BFD is not
> supported on EtherChannels.
>
> Workaround: Do not enter the bfd interval command on
> EtherChannel and EtherChannel member interfaces.
> ============================================================
>
> It's still not clear whether it's supported on SRD (and ES cards) or will be supported in the future...
>
>
> --
> Tassos
>
> luismi wrote on 17/11/2009 14:20:
>> I wrote it in a previous email but here is again :D
>> 7200 npe-g2 and 7600 rsp720-pfc3
>> I am using 12.2SRC but it is not supported there and I would like to know
>> if it is supported in another train.
>> On Tue, 17-11-2009 at 11:09 +0100, Gert Doering wrote:
>>> Hi,
>>>
>>> On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
>>>> I see a message like "BDF not supported over port-channels" in my
>>>> routers.
>>> Which IOS version is that? On what platform?
>>>
>>> You could be a bit more proactive in your questions... this makes it
>>> much easier to give meaningful responses, really... :-)
>>>
>>> gert
>
> --
> Tassos

From lukasz at bromirski.net Tue Nov 17 18:35:09 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 18 Nov 2009 00:35:09 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091117165744.GL163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de> <4B02D459.1060309@bromirski.net> <20091117165744.GL163@greenie.muc.de>
Message-ID: <4B03332D.3050208@bromirski.net>

On 2009-11-17 17:57, Gert Doering wrote:
> Out of curiosity: since the boot messages suggest that 67xx cards with
> CFC or DFC run "some sort of local IOS" - would those be smart enough?

No, the 'some sort of IOS' is there to perform only monitoring/supervising work, not to add some intelligence. Mainly mirroring the SP work, so programming the DFCs, or bridging the requests to PFC on active Sup.

> What about SIP and ES cards?

SIP-200/400 and ES40 may get distributed BFD support in future. AFAIK no current plans for rebuilds of SRC/SRD apart from scalability enhancements in centralized mode, and AFAIK SRE also won't contain any news here, but I may be wrong of course.
SRE is still to be delivered.

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end. | http://lukasz.bromirski.net

From dwbielawa at liberty.edu Tue Nov 17 19:32:38 2009
From: dwbielawa at liberty.edu (Bielawa, Daniel W. (NS))
Date: Tue, 17 Nov 2009 19:32:38 -0500
Subject: [c-nsp] snmpwalk for switch port status
In-Reply-To: <4B030BB2.8090801@gmail.com>
References: <4B030BB2.8090801@gmail.com>
Message-ID: <00C0F7C1912DA04585B1ECA7A0CD3CC003F7501F6E@LUEMS04VS.University.liberty.edu>

We use switchmap (http://switchmap.sourceforge.net/); it outputs name, description, admin status, oper status, vlan, and mac addresses. It outputs to plain text, as well as HTML.

Thank You

Daniel Bielawa
Network Engineer
Liberty University Network Services

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of sky vader
Sent: Tuesday, November 17, 2009 3:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] snmpwalk for switch port status

Hi,

Can anyone point me in the right direction for a perl script that will snmpwalk the MIB for switch port status, whether "up" or "down", including the total number of ports available? I have approximately 400 switches that I would like to query via script and pipe the results to a file for every device.

I'm currently querying it manually (see below) which is not scaling :-)

$ snmpwalk -c interfaces.ifTable.ifEntry.ifOperStatus | grep down

Any pointers will be greatly appreciated.
regards
sky

From eninja at gmail.com Tue Nov 17 19:48:34 2009
From: eninja at gmail.com (Eninja)
Date: Wed, 18 Nov 2009 01:48:34 +0100
Subject: [c-nsp] how not to write a release note
In-Reply-To:
References: <20091116231109.GA74400@puck.nether.net>
Message-ID: <9C4C5F69-52F1-4306-B3C9-55256889026D@gmail.com>

That is not true. Alignment corrections are a very CPU intensive activity that may easily overwhelm a device if it occurs frequently. Thus, per thread, users need to know (via properly written release notes) the causes of software defects so they can take steps to work around or rectify them.

Eninja

On Nov 17, 2009, at 9:57 PM, "Arie Vayner (avayner)" wrote:

> Well, as feedback for the issue raised, the bug you flagged is not
> causing anything other than a traceback message...
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arie Vayner
> (avayner)
> Sent: Tuesday, November 17, 2009 10:11
> To: Jared Mauch; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] how not to write a release note
>
> Jared,
>
> I took a quick look and this has to do with QOS.
> I have sent an internal query for more info. Will advise.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
> Sent: Tuesday, November 17, 2009 01:11
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] how not to write a release note
>
>
> Seems cisco is getting lazy.. SXI3 is out and this has to be
> one of the worst release notes ever:
>
> CSCta14457 - A Cisco device may report alignment errors
> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be
> reported.
>
> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..
>
> - Jared
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only
> mine.
>

From frnkblk at iname.com Tue Nov 17 21:51:08 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 17 Nov 2009 20:51:08 -0600
Subject: [c-nsp] snmpwalk for switch port status
In-Reply-To: <4B030BB2.8090801@gmail.com>
References: <4B030BB2.8090801@gmail.com>
Message-ID:

Do the relevant scripts with NAGIOS meet your needs? See, for example, check_snmp_int.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of sky vader
Sent: Tuesday, November 17, 2009 2:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] snmpwalk for switch port status

Hi,

Can anyone point me in the right direction for a perl script that will snmpwalk the MIB for switch port status, whether "up" or "down", including the total number of ports available? I have approximately 400 switches that I would like to query via script and pipe the results to a file for every device.
I'm currently querying it manually (see below) which is not scaling :-)

$ snmpwalk -c interfaces.ifTable.ifEntry.ifOperStatus | grep down

Any pointers will be greatly appreciated.

regards
sky

From bandwidth.user at gmail.com Tue Nov 17 22:38:48 2009
From: bandwidth.user at gmail.com (roy)
Date: Wed, 18 Nov 2009 11:38:48 +0800
Subject: [c-nsp] debug mpls packet
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com> <4B02594C.8010004@gmail.com> <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com>
Message-ID: <4B036C48.40300@gmail.com>

Oliver Boehmer (oboehmer) wrote:
>
>>>>>> Does anyone know what the middle number represents in a "debug mpls
>>>>>> packet" ( eg: {7963 6 254} )?
>>>>>> I can't find this information anywhere.
>>>>>>
>>>>>> 7693 = Label
>>>>>> 6 = ???
>>>>>> 254 = I presume is the TTL
>>>>>>
>>>>>> What does the 6 represent??
>>>>> it's the EXP value. you're right about the last being the TTL.
>>>>>
>>>>> oli
>>>> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
>>> Hmm, why do you think so? Looking at the code, it only prints the 3 exp.
>>> bits.
>> Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into
>> one value.
>
> still not sure what you refer to, and why you think the debug discussed
> shows the 4-bit Exp+S value rather than the 3-bit Exp only?

If I may, MPLS Fundamentals refers to the stack on Fig 2-1 as Label/EXP/BoS/TTL. It then breaks this on Example 3-8 with {label EXP TTL}.
All things held constant; label at 20, TTL at 8, then EXP must be 3+1. Roy From deadheadblues at gmail.com Tue Nov 17 23:09:32 2009 From: deadheadblues at gmail.com (Hobbs) Date: Tue, 17 Nov 2009 21:09:32 -0700 Subject: [c-nsp] debug mpls packet In-Reply-To: <4B036C48.40300@gmail.com> References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com> <4B02594C.8010004@gmail.com> <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com> <4B036C48.40300@gmail.com> Message-ID: <6de7e5460911172009w6dde3fcap1c770eff67415dd@mail.gmail.com> On Tue, Nov 17, 2009 at 8:38 PM, roy wrote: > Oliver Boehmer (oboehmer) wrote: > >> >> >>> Does anyone know what the middle number represents in a "debug >>>>>>> >>>>>> mpls >> >>> packet" ( eg: {7963 6 254} )? >>>>>>> I can't find this information anywhere. >>>>>>> >>>>>>> 7693 = Label >>>>>>> 6 = ??? >>>>>>> 254 = I presume is the TTL >>>>>>> >>>>>>> What does the 6 represent?? >>>>>>> >>>>>> it's the EXP value. you're right about the last being the TTL. >>>>>> >>>>>> oli >>>>>> >>>>> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined? >>>>> >>>> Hmm, why do you think so? Looking at the code, it only prints the 3 >>>> >>> exp. >> >>> bits. >>>> >>> Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into >>> one value. >>> >> >> still not sure what you refer to, and why you think the debug discussed >> shows the 4-bit Exp+S value rather than the 3-bit Exp only? >> > > If I may, MPLS Fundamentals refers to the stack on Fig 2-1 as > Label/EXP/BoS/TTL. It then breaks this on Example 3-8 with {label EXP TTL}. > All things held constant; label at 20, TTL at 8, then EXP must be 3+1. 
> > Roy > > Reading too much into it. It's just not showing the stack bit. The output is for information. You don't need to know the stack bit, it's the only label. And if there were more than one, then it would show all labels. From Skeeve at eintellego.net Tue Nov 17 23:05:03 2009 From: Skeeve at eintellego.net (Skeeve Stevens) Date: Wed, 18 Nov 2009 15:05:03 +1100 Subject: [c-nsp] BGP Community Problem (I think) Message-ID: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> Hey all, I am confused as to why a BGP feed I take and take with a community and redistribute are some 50k routes different. Details follow: Platform is: SYD-A-BDR-A#sh ver Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Wed 18-Jul-07 13:29 by prod_rel_team ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1) BOOTLDR: Cisco IOS Software, 7200 Software (C7200-BOOT-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2) SYD-A-BDR-A uptime is 1 year, 43 weeks, 4 days, 20 hours, 26 minutes System returned to ROM by Reload Command at 08:32:21 UTC Mon Jan 8 2001 System restarted at 16:49:17 AEST Thu Jan 17 2008 System image file is "disk2:c7200-advipservicesk9-mz.124-15.T1.bin" - Inbound full route feed 114.x.x.65 4 4xxx 26710538 2546241 130268709 0 0 9w1d 302167 114.x.x.66 4 4xxx 25400126 1834326 130268709 1 0 2w5d 302163 - Tagged with community route-map PRI-IN permit 10 match as-path 50 set weight 80 set community 17xxx:2000 additive ! route-map PRI-IN permit 12 match as-path 52 set weight 90 set community 17xxx:2002 additive ! 
route-map PRI-IN permit 20 match as-path 2 set weight 80 set community 17xxx:2001 additive - Relevant config ip as-path access-list 2 permit .* ip as-path access-list 50 permit ^4xxx$ ip as-path access-list 52 permit ^4xxx_7xx_1xxx ! ip community-list 200 permit 17xxx:2000 ip community-list 201 permit 17xxx:2001 ip community-list 202 permit 17xxx:2002 - Now, this all seems to work. SYD-A-BDR-A#show ip bgp neighbors 114.x.x.66 received-routes | i Total Total number of prefixes 302163 SYD-A-BDR-A#show ip bgp community-list 201 | redirect tftp://x.x.x.x/dump/20091118.txt [root at dump]# more 20091118.txt | grep 193.66 | wc -l 301542 [root at dump]# more 20091118.txt | grep 193.65 | wc -l 301543 Now... there is a small difference which can be attributed to a variety of things... nothing I'm worried about since it is so close (500 routes). Next: route-map BNEA-OUT permit 10 match ip address prefix-list US-SEND-BNE-BLOCKS ! (Just local routes) ! route-map BNEA-OUT permit 20 match community 201 ! route-map BNEA-OUT permit 30 description Community 17xxx:250 mapped to CL 125 ! (Redistributing peering routes) match community 125 ! So.. we're tagging 301k routes inbound and examining the community list seems to be showing that is working fine, and then we are, using Community List 201 - sending that 301k + Local + Peering (7900 routes) to another PoP. But... SYD-A-BDR-A#show ip bgp neighbors 203.x.x.6 advertised-routes | i Total Total number of prefixes 250915 So this is missing about 51k routes + Peering routes of about 8k... but the peering routes seem to be there, so that makes it about 60k transit routes that are missing that are not being sent 'in router' onto the next neighbour. I hope I've included most significant information... if this doesn't make sense, let me know and I will explain in more detail? 
...Skeeve -- Skeeve Stevens, CEO/Technical Director eintellego Pty Ltd - The Networking Specialists skeeve at eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve www.linkedin.com/in/skeeve ; facebook.com/eintellego -- NOC, NOC, who's there? Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced. 
From deadheadblues at gmail.com Tue Nov 17 23:52:15 2009 From: deadheadblues at gmail.com (Hobbs) Date: Tue, 17 Nov 2009 21:52:15 -0700 Subject: [c-nsp] BGP Community Problem (I think) In-Reply-To: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> References: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> Message-ID: <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> On Tue, Nov 17, 2009 at 9:05 PM, Skeeve Stevens wrote: > Hey all, > > I am confused as to why a BGP feed I take and take with a community and > redistribute are some 50k routes different. > > Details follow: > > Platform is: > > SYD-A-BDR-A#sh ver > Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version > 12.4(15)T1, RELEASE SOFTWARE (fc2) > Technical Support: http://www.cisco.com/techsupport > Copyright (c) 1986-2007 by Cisco Systems, Inc. > Compiled Wed 18-Jul-07 13:29 by prod_rel_team > > ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1) > BOOTLDR: Cisco IOS Software, 7200 Software (C7200-BOOT-M), Version > 12.4(15)T1, RELEASE SOFTWARE (fc2) > > SYD-A-BDR-A uptime is 1 year, 43 weeks, 4 days, 20 hours, 26 minutes > System returned to ROM by Reload Command at 08:32:21 UTC Mon Jan 8 2001 > System restarted at 16:49:17 AEST Thu Jan 17 2008 > System image file is "disk2:c7200-advipservicesk9-mz.124-15.T1.bin" > > > > - Inbound full route feed > > > 114.x.x.65 4 4xxx 26710538 2546241 130268709 0 0 9w1d 302167 > 114.x.x.66 4 4xxx 25400126 1834326 130268709 1 0 2w5d 302163 > > - Tagged with community > > route-map PRI-IN permit 10 > match as-path 50 > set weight 80 > set community 17xxx:2000 additive > ! > route-map PRI-IN permit 12 > match as-path 52 > set weight 90 > set community 17xxx:2002 additive > ! 
> route-map PRI-IN permit 20 > match as-path 2 > set weight 80 > set community 17xxx:2001 additive > > > - Relevant config > > ip as-path access-list 2 permit .* > ip as-path access-list 50 permit ^4xxx$ > ip as-path access-list 52 permit ^4xxx_7xx_1xxx > ! > ip community-list 200 permit 17xxx:2000 > ip community-list 201 permit 17xxx:2001 > ip community-list 202 permit 17xxx:2002 > > > - Now, this all seems to work. > > SYD-A-BDR-A#show ip bgp neighbors 114.x.x.66 received-routes | i Total > Total number of prefixes 302163 > > SYD-A-BDR-A#show ip bgp community-list 201 | redirect > tftp://x.x.x.x/dump/20091118.txt > > [root at dump]# more 20091118.txt | grep 193.66 | wc -l > 301542 > [root at dump]# more 20091118.txt | grep 193.65 | wc -l > 301543 > > Now... there is a small difference which can be attributed to a variety of > things... nothing I'm worried about since it is so close (500 routes). > > Next: > > route-map BNEA-OUT permit 10 > match ip address prefix-list US-SEND-BNE-BLOCKS ! (Just local routes) > ! > route-map BNEA-OUT permit 20 > match community 201 > ! > route-map BNEA-OUT permit 30 > description Community 17xxx:250 mapped to CL 125 ! (Redistributing > peering routes) > match community 125 > ! > > > So.. we're tagging 301k routes inbound and examining the community list > seems to be showing that is working fine, and then we are, using Community > List 201 - sending that 301k + Local + Peering (7900 routes) to another PoP. > > But... > > SYD-A-BDR-A#show ip bgp neighbors 203.x.x.6 advertised-routes | i Total > Total number of prefixes 250915 > > So this is missing about 51k routes + Peering routes of about 8k... but the > peering routes seem to be there, so that makes it about 60k transit routes > that are missing that are not being sent 'in router' onto the next > neighbour. > > I hope I've included most significant information... if this doesn't make > sense, let me know and I will explain in more detail? 
> > > ...Skeeve > > > > -- > Skeeve Stevens, CEO/Technical Director > eintellego Pty Ltd - The Networking Specialists > skeeve at eintellego.net / www.eintellego.net > Phone: 1300 753 383, Fax: (+612) 8572 9954 > Cell +61 (0)414 753 383 / skype://skeeve > www.linkedin.com/in/skeeve ; facebook.com/eintellego > -- > NOC, NOC, who's there? > Not sure off-hand, but you can do show ip bgp neighbor and far down in the output you will see a section showing stats about why prefixes were dropped (route-map, dist-list, etc). What does it say? 
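The route-map mechanics behind the numbers in this thread, as an added example (not code from the original posts, and not Cisco's implementation): a small Python model of how IOS walks the PRI-IN and BNEA-OUT policies Skeeve posted, with a tally of which outbound clause each route hits, the same kind of count Hobbs suggests reading off "show ip bgp neighbor". Everything specific is assumed: the masked values 17xxx/4xxx/7xx/1xxx are filled in as 17000/4000/7000/1000, the US-SEND-BNE-BLOCKS prefix-list is reduced to an exact-match set, and the sample routes are constructed. Two properties of IOS route-maps are modelled and worth checking against the real counters: a route-map is first-match, so a route that matches PRI-IN sequence 10 or 12 is tagged 17xxx:2000 or 17xxx:2002 and never reaches sequence 20, so it never carries 17xxx:2001 and falls through BNEA-OUT to the implicit deny; and the RFC 1997 well-known communities (no-export, no-advertise) suppress advertisement before any outbound route-map is consulted.

```python
"""Added example, not code from the original posts and not Cisco's
implementation: a model of IOS route-map evaluation for PRI-IN / BNEA-OUT.

Assumptions (all constructed): masked values 17xxx/4xxx/7xx/1xxx are filled
in as 17000/4000/7000/1000, the prefix-list is an exact-match set, and the
sample routes are invented for the run.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 1997 well-known communities; BGP honours these before any outbound route-map
NO_EXPORT = "no-export"
NO_ADVERTISE = "no-advertise"


@dataclass
class Route:
    prefix: str
    as_path: str                         # space separated, e.g. "4000 7000 1000"
    communities: set = field(default_factory=set)
    weight: int = 0


def as_path_match(regex: str, as_path: str) -> bool:
    """ip as-path access-list regex; IOS '_' matches start, end or a space."""
    return re.search(regex.replace("_", r"(?:^|$|\s)"), as_path) is not None


# ip as-path access-list N permit <regex>
AS_PATH_ACL = {2: ".*", 50: "^4000$", 52: "^4000_7000_1000"}
# ip community-list N permit <community>
COMMUNITY_LIST = {200: "17000:2000", 201: "17000:2001",
                  202: "17000:2002", 125: "17000:250"}

# route-map clauses as (sequence, match conditions, set statements); all permit
PRI_IN = [
    (10, {"as-path": 50}, {"weight": 80, "community": "17000:2000"}),
    (12, {"as-path": 52}, {"weight": 90, "community": "17000:2002"}),
    (20, {"as-path": 2},  {"weight": 80, "community": "17000:2001"}),
]
BNEA_OUT = [
    (10, {"prefix-list": {"203.0.113.0/24"}}, {}),   # local blocks (made up)
    (20, {"community": 201}, {}),
    (30, {"community": 125}, {}),
]


def clause_matches(match: dict, route: Route) -> bool:
    """All match statements in a clause must hold (IOS ANDs separate match lines)."""
    if "as-path" in match and not as_path_match(AS_PATH_ACL[match["as-path"]], route.as_path):
        return False
    if "community" in match and COMMUNITY_LIST[match["community"]] not in route.communities:
        return False
    if "prefix-list" in match and route.prefix not in match["prefix-list"]:
        return False
    return True


def apply_route_map(route_map, route: Route) -> Optional[int]:
    """First matching clause wins and runs its set statements; no match is the
    implicit deny, returned as None."""
    for seq, match, sets in route_map:
        if clause_matches(match, route):
            if "weight" in sets:
                route.weight = sets["weight"]
            if "community" in sets:          # 'set community ... additive'
                route.communities.add(sets["community"])
            return seq
    return None


def advertise_to(route: Route, peer_is_ebgp: bool) -> Optional[int]:
    """Outbound decision for one peer: well-known communities, then BNEA-OUT."""
    if NO_ADVERTISE in route.communities:
        return None
    if peer_is_ebgp and NO_EXPORT in route.communities:
        return None
    return apply_route_map(BNEA_OUT, route)


def run(routes, peer_is_ebgp: bool = True) -> dict:
    """Tag every route with PRI-IN, then count which BNEA-OUT clause passes it;
    'denied' counts routes no clause matched (the implicit deny)."""
    tally = {"denied": 0}
    for r in routes:
        apply_route_map(PRI_IN, r)
        hit = advertise_to(r, peer_is_ebgp)
        key = "denied" if hit is None else "seq %d" % hit
        tally[key] = tally.get(key, 0) + 1
    return tally


# Constructed sample feed: the upstream's own prefix, a 4000 7000 1000 path,
# a generic path, and a generic path carrying no-export
SAMPLE = [
    Route("198.51.100.0/24", "4000"),
    Route("192.0.2.0/24", "4000 7000 1000"),
    Route("203.0.113.128/25", "4000 65001 65002"),
    Route("192.0.2.128/25", "4000 65003", {NO_EXPORT}),
]

if __name__ == "__main__":
    print(run([Route(r.prefix, r.as_path, set(r.communities)) for r in SAMPLE]))
```

Run stand-alone it prints {'denied': 3, 'seq 20': 1}: the routes that matched PRI-IN sequence 10 and 12 left the route-map before sequence 20, so they carry 17000:2000 or 17000:2002 but not 17000:2001 and no BNEA-OUT clause admits them, and the no-export route is dropped before BNEA-OUT is reached when the next PoP is an eBGP peer (run with peer_is_ebgp=False to see it pass on iBGP). Whether either effect accounts for the 50k gap is something only the per-neighbor counters on the router can tell; the model only shows what the posted policy does.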
From metaliza at nithia.cz Wed Nov 18 00:25:03 2009 From: metaliza at nithia.cz (Metalíza) Date: Wed, 18 Nov 2009 06:25:03 +0100 Subject: [c-nsp] 3560/3750 policy routing In-Reply-To: <4AF02FBB.70108@kenweb.org> References: <1257202865.18763.17.camel@abehat.net.rm.dk> <4AEFE25C.3040508@nithia.cz> <4AF02FBB.70108@kenweb.org> Message-ID: <4B03852F.1010605@nithia.cz> ML wrote: > Metalíza wrote: >> Peter Rathlev wrote: >>> On Mon, 2009-11-02 at 17:21 -0500, Ryan West wrote: >>>>> We're using a couple of 3560s for PBR with no problems forwarding >>>>> 100 Mbps+. There's no CPU load from the forwarding itself. We >>>>> haven't tried actually pushing it yet but are planning to try >>>>> sometime soon. >>>>> >>>>> The 3560 needs the "routing" SDM template for this to work; I guess >>>>> the 3750 also needs this. >>>>> >>>> What IOS version? I definitely had the proper SDM template applied, it >>>> won't work otherwise. >>>> >>> >>> It has been running IOS 12.2(50)SE1 IP Services "all its life" (some >>> months). >>> >> >> Hi guys, >> >> I have a similar problem: >> >> We have been using PBR for forwarding through an IP-in-IP tunnel: >> >> interface Tunnel0 >> ip address 192.168.1.2 255.255.255.252 >> tunnel source 147.32.98.1 >> tunnel destination 147.32.127.190 >> tunnel mode ipip >> >> ip access-list extended private-2-hill >> permit ip 10.13.0.0 0.0.255.255 147.32.112.0 0.0.15.255 >> permit ip 10.13.0.0 0.0.255.255 147.32.30.0 0.0.1.255 >> permit ip 10.13.0.0 0.0.255.255 147.32.99.0 0.0.0.255 >> ! >> route-map private-2-hill permit 10 >> match ip address private-2-hill >> set interface Tunnel0 >> ! >> interface Vlan201 >> ip address 10.13.0.1 255.255.0.0 >> ip policy route-map private-2-hill >> ! >> local policy route-map private-2-hill >> This had been all functional on 3560 with 12.2(44)SE. At first there >> had been set ip next-hop, but that hadn't worked, so I've switched to >> set interface. 
>> >> After replacement of IOS to 12.2(52)SE the "set interface" command >> was refused after application of the route map to an SVI. But local PBR >> still worked. So I've changed to set ip next-hop (which has been >> accepted by IOS) but with no effect in forwarding (but the local PBR >> still worked - because of the SW-based traffic?). >> >> After some debugging I've realized that there is broken PBR in the >> 12.2(52)SE for the 3560. >> >> Or am I wrong and have missed something? >> > > I had the same problem on an ME3400. I could not use the remote end > of a GRE tunnel for PBR. Finally I have solved it! It's simple :-) set ip next-hop 192.168.1.1 192.168.1.2 More generally: set ip next-hop -- ----------------------------------------------------------- Metaliza @ NitHiA icq #: 63193671 skype: metaliza001 From bandwidth.user at gmail.com Wed Nov 18 00:25:42 2009 From: bandwidth.user at gmail.com (roy) Date: Wed, 18 Nov 2009 13:25:42 +0800 Subject: [c-nsp] debug mpls packet In-Reply-To: <6de7e5460911172009w6dde3fcap1c770eff67415dd@mail.gmail.com> References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com> <4B02594C.8010004@gmail.com> <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com> <4B036C48.40300@gmail.com> <6de7e5460911172009w6dde3fcap1c770eff67415dd@mail.gmail.com> Message-ID: <4B038556.1070908@gmail.com> Hobbs wrote: > > > On Tue, Nov 17, 2009 at 8:38 PM, roy > wrote: > > Oliver Boehmer (oboehmer) wrote: > > > > Does anyone know what the middle number > represents in a "debug > > mpls > > packet" ( eg: {7963 6 254} )? > I can't find this information anywhere. > > 7693 = Label > 6 = ??? > 254 = I presume is the TTL > > What does the 6 represent?? > > it's the EXP value. you're right about the last > being the TTL. 
> > oli > > Could it be the 3-bit EXP and 1-bit Bottom of Stack > Flag combined? > > Hmm, why do you think so? Looking at the code, it only > prints the 3 > > exp. > > bits. > > Cisco must have combined RFC3032 [2.1. Encoding the Label > Stack] into > one value. > > > still not sure what you refer to, and why you think the debug > discussed > shows the 4-bit Exp+S value rather than the 3-bit Exp only? > > > If I may, MPLS Fundamentals refers to the stack on Fig 2-1 as > Label/EXP/BoS/TTL. It then breaks this on Example 3-8 with {label > EXP TTL}. All things held constant; label at 20, TTL at 8, then EXP > must be 3+1. > > Roy > > Reading too much into it. It's just not showing the stack bit. The > output is for information. You don't need to know the stack bit, it's the > only label. And if there were more than one, then it would show all labels. Right on, too much reading. I didn't take the text as it is. Oli was spot on. Cheers! Roy From Skeeve at eintellego.net Wed Nov 18 01:40:53 2009 From: Skeeve at eintellego.net (Skeeve Stevens) Date: Wed, 18 Nov 2009 17:40:53 +1100 Subject: [c-nsp] BGP Community Problem (I think) In-Reply-To: <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> References: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> Message-ID: <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad> But, the router isn't even sending them to the next router... between tagging them and re-sending them, they just aren't there.... so I would assume the neighbour they are being sent to is nothing to do with it? 
...Skeeve -- Skeeve Stevens, CEO/Technical Director eintellego Pty Ltd - The Networking Specialists skeeve at eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve www.linkedin.com/in/skeeve ; facebook.com/eintellego -- NOC, NOC, who's there? > > Not sure off-hand, but you can do show ip bgp neighbor and far down in > the > output you will see a section showing stats about why prefixes were > dropped > (route-map, dist-list, etc). What does it say? From illcritikz at gmail.com Wed Nov 18 02:05:05 2009 From: illcritikz at gmail.com (Ben Steele) Date: Wed, 18 Nov 2009 18:05:05 +1100 Subject: [c-nsp] BGP Community Problem (I think) In-Reply-To: <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad> References: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad> Message-ID: <4422cf660911172305u22fffd33lfa3b5044dc1e7e08@mail.gmail.com> As Hobbs mentioned, do a "sh ip bgp neighbor " and look for the prefix activity part, which will tell you about prefixes that didn't get sent to that peer for various reasons. Have you looked at the communities attached to the prefixes you have learnt from your other peer that you aren't advertising? Do they have either no-advertise/no-export/local-as etc. on them? Is the peer you're receiving the feed from iBGP or eBGP? And is the peer you're sending them to iBGP or eBGP? On Wed, Nov 18, 2009 at 5:40 PM, Skeeve Stevens wrote: > But, the router isn't even sending them to the next router... between > tagging them and re-sending them, they just aren't there.... 
so I would > assume the neighbour they are being sent to is nothing to do with it? > > ...Skeeve > > -- > Skeeve Stevens, CEO/Technical Director > eintellego Pty Ltd - The Networking Specialists > skeeve at eintellego.net / www.eintellego.net > Phone: 1300 753 383, Fax: (+612) 8572 9954 > Cell +61 (0)414 753 383 / skype://skeeve > www.linkedin.com/in/skeeve ; facebook.com/eintellego > -- > NOC, NOC, who's there? > > > > > > Not sure off-hand, but you can do show ip bgp neighbor and far down in > > the > > output you will see a section showing stats about why prefixes were > > dropped > > (route-map, dist-list, etc). What does it say? > From uvh at siemens.com Wed Nov 18 02:24:58 2009 From: uvh at siemens.com (Hansen, Ulrich Vestergaard B. (E R WP EN 342)) Date: Wed, 18 Nov 2009 08:24:58 +0100 Subject: [c-nsp] IP Traffic Types/Applications Supported by Cisco NAT? Message-ID: <5FD7A7EC774B114092B1603D69E42C9B02E9920C@BDKB1EEA.ww007.siemens.net> Hey All, Is there any workaround to get SNMP over 1-to-1 NAT on Cisco? I found an old overview from CCIE Routing TCP/IP, Volume II 2002, does anyone know where I could find an updated revision? 
Traffic Types/Applications Supported:
Any TCP/UDP traffic that does not carry source and/or destination IP addresses in the application data stream
HTTP
TFTP
Telnet
archie
finger
NTP
NFS
rlogin, rsh, rcp

Traffic Types/Applications Supported with IP Addresses in Their Data Stream:
ICMP
FTP (including PORT and PASV)
NetBIOS over TCP/IP (datagram, name, and session services)
Progressive Networks' RealAudio
White Pines' CuSeeMe
Xing Technologies' StreamWorks
DNS A and PTR queries and responses
H.323/NetMeeting [12.0(1)/12.0(1)T and later]
VDOLive [11.3(4)/11.3(4)T and later]
Vxtreme [11.3(4)/11.3(4)T and later]
IP Multicast [12.0(1)T] (source address translation only)

Traffic Types/Applications Not Supported:
Routing table updates
DNS zone transfers
BOOTP
talk, ntalk
SNMP
NetShow

Med venlig hilsen / Best Regards Ulrich Vestergaard B. Hansen Network Engineer / Siemens From gert at greenie.muc.de Wed Nov 18 02:30:01 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 18 Nov 2009 08:30:01 +0100 Subject: [c-nsp] BDF over port-channels? In-Reply-To: <4B0312C2.1090503@umn.edu> References: <1258477864.31116.4.camel@hal9000> <4B0312C2.1090503@umn.edu> Message-ID: <20091118073001.GQ163@greenie.muc.de> Hi, On Tue, Nov 17, 2009 at 03:16:50PM -0600, Ge Moua wrote: > we've got some p2p routed ports over here > > ! > interface Port-channel1 > description [removed] > mtu 4470 > ip address 192.168.11.105 255.255.255.252 > no negotiation auto > snmp trap link-status > hold-queue 150 in > ! ... and where's the BFD? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de 
From dv at dv.ru Wed Nov 18 02:13:17 2009 From: dv at dv.ru (Dmitry Valdov) Date: Wed, 18 Nov 2009 10:13:17 +0300 (MSK) Subject: [c-nsp] 7600 ES card and module In-Reply-To: <2AA600764E54964491083B1E0EC81A302F8723C3E5@EXCLUS.nationala-1advertising.com> References: <2AA600764E54964491083B1E0EC81A302F8723C3E5@EXCLUS.nationala-1advertising.com> Message-ID: <20091118100222.K47791@xkis.kis.ru> Hello, On Tue, 17 Nov 2009, NMaio at guesswho.com wrote: > Does anybody have good/bad experience with a 7600-ES20-10G3CXL in a 7606 with 720-3bxl? We have 2 routers in this configuration. The only difference is that the chassis are 7609. We're running MPLS/VPLS with ES20 cards without any problem for more than a year. Why do you need such smart and expensive cards to connect to other provider? What functionality do you need? > Also I am trying to figure out if the XFP-10GLR-OC192SR module will work with this. Am I reading this correctly that this module is supported for both POS and regular 10G Ethernet? Seems like that. I've never used it in POS mode but in Eth mode it works good with ES20 cards. -- Dmitry Valdov CCIE #15379 (R&S and SP) From eninja at gmail.com Wed Nov 18 02:40:11 2009 From: eninja at gmail.com (Eninja) Date: Wed, 18 Nov 2009 08:40:11 +0100 Subject: [c-nsp] FABRIC-3-ERR_HANDLE In-Reply-To: <480dad640911171102g15d06b51u2b3132b34d34ef76@mail.gmail.com> References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <480dad640911171102g15d06b51u2b3132b34d34ef76@mail.gmail.com> Message-ID: 'Exec-on' commands are sent via IPC over the switch fabric and 'attach' sessions go over the mbus. Eninja On Nov 17, 2009, at 8:02 PM, Aaron wrote: > So, what is the difference in output from doing exec-on vs attach? > You are still connecting via the same method. 
> > On Mon, Nov 16, 2009 at 14:07, e ninja wrote: > Antonio, > > You should *never* troubleshoot fabric errors with *any* exec-on > commands. > They run over the fabric that may or may not be compromised. > > 1. Are any other LCs apart from slot 6 reporting CRC errors? > 2. grab two "sh contr fia" from the RP and an attach to all the > LCs and > send over. > > Eninja > > > On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares > wrote: > > > Hello group, > > > > I have a 12k reporting this: > > > > %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error > from slot 6 > > > > In one week, I have 4 of these messages. > > > > Slot 6 is a SIP-601 containing 2 x SPA-10G. > > > > What could be the problem ? > > > > The "show controllers fia" does not show any problem. > > > > The "execute-on slot 6 show controllers fia" shows this:
> >
> > Switch cards present:   0x1F
> > Switch cards monitored: 0x1F
> >             0        1        2        3        4
> >             -------- -------- -------- -------- --------
> > los         0        0        0        0        0
> > state       Off      Off      Off      Off      Off
> > crc16       53989    0        0        0        0
> > xor error   0        0        0        0
> > cell drops  1020     1020     1020     1020
> >
> > IOS=c12kprp-p-mz.120-32.SY6.bin > > > > > > Thanks. > > > > Regards, > > > > Antonio Soares, CCIE #18473 (R&S) > > amsoares at netcabo.pt > From thehink at gmail.com Wed Nov 18 04:38:36 2009 From: thehink at gmail.com (andrew) Date: Wed, 18 Nov 2009 01:38:36 -0800 Subject: [c-nsp] SXI(3) code status? 
In-Reply-To: <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> Message-ID: <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> Here is some BAD on SXI3 ... with redundant supervisor, SSH breaks upon supervisor switchover. -andrew On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater wrote: > The 6324 100 MM is supported but did not come online in SXI 1, 2 , 2A. It did however work in SXI, which we are running now. > > The other flavors are not supported. > > Jeff > > On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote: > >> Release 12.2(33)SXH and later releases do not support the following hardware: >> >> These Ethernet Switching Modules: >> >> WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ >> >> WS-X6248A-TEL 48-port 10/100TX RJ-21 >> >> WS-X6248-RJ-45 48-port 10/100TX RJ-45 >> >> WS-X6248-TEL 48-port 10/100TX RJ-21 >> >> WS-X6324-100FX-SM 24-port 100FX Ethernet >> >> WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ >> >> WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45 >> >> WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ >> >> Now, the caveat is that they did not actually remove the hardware support for some of these until SXI1, so while the release notes say one thing, the actual support varies. >> >> You will see something like this in 'show power': >> 4 WS-X6248A-TEL 112.98 2.69 - - on off (not supported) >> 8 WS-X6248-RJ-45 112.98 2.69 - - on off (not supported) >> >> It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I can't recall if that was the case for SXI2/2a/or 1. >> >> 
- Jared >> >> On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote: >> >>> Jared, >>> >>> After quickly glancing at the release notes, I was unable to find anything about the removal of hardware support for the 63xx series cards. Do you have a URL or can you be more specific? >>> >>> Thanks in advance! >>> >>> Jared Mauch wrote: >>>> SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware. >>>> I strongly recommend using it over prior versions of SXI. >>>> Due to the removal of hardware support we replaced the older 63xx/62xx series cards. >>>> - Jared >>>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote: >>>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(), >>>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC. >>>>> >>>>> >>>>> Rubens >>>>> >>>>> >>>>> >>>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote: >>>>>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet. >>>>>> >>>>>> >>>>>> Does anyone else have GOOD or BAD news on SXI(3)? 
>>>>>> >>>>>> >>>>>> Jeff Fitzwater >>>>>> OIT Network Systems >>>>>> Princeton University > -- -andrew From cphillips at wbsconnect.com Wed Nov 18 05:00:08 2009 From: cphillips at wbsconnect.com (Chris Phillips) Date: Wed, 18 Nov 2009 02:00:08 -0800 Subject: [c-nsp] SXI(3) code status? In-Reply-To: <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> Message-ID: <4B03C5A8.30506@wbsconnect.com> Define breaks. 
Breaks as in your ssh connection drops and you have to login again, or breaks as in your ssh connection drops and the ssh service doesn't restart?

andrew wrote:
> Here is some BAD on SXI3 ...
>
> with redundant supervisor, SSH breaks upon supervisor switchover.
>
> -andrew
>
> On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater wrote:
>> The 6324 100 MM is supported but did not come online in SXI 1, 2 , 2A. It did however work in SXI, which we are running now.
>>
>> The other flavors are not supported.
>>
>> Jeff
>>
>> On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote:
>>
>>> Release 12.2(33)SXH and later releases do not support the following hardware:
>>>
>>> These Ethernet Switching Modules:
>>>
>>> WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ
>>> WS-X6248A-TEL 48-port 10/100TX RJ-21
>>> WS-X6248-RJ-45 48-port 10/100TX RJ-45
>>> WS-X6248-TEL 48-port 10/100TX RJ-21
>>> WS-X6324-100FX-SM 24-port 100FX Ethernet
>>> WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ
>>> WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45
>>> WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ
>>>
>>> Now, the caveat is that they did not actually remove the hardware support for some of these until SXI1, so while the release notes say one thing, the actual support varies.
>>>
>>> You will see something like this in 'show power':
>>> 4    WS-X6248A-TEL       112.98  2.69     -     -     on    off (not supported)
>>> 8    WS-X6248-RJ-45      112.98  2.69     -     -     on    off (not supported)
>>>
>>> It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I can't recall if that was the case for SXI2/2a/or 1.
>>>
>>> - Jared
>>>
>>> On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote:
>>>
>>>> Jared,
>>>>
>>>> After quickly glancing at the release notes, I was unable to find anything about the removal of hardware support for the 63xx series cards. Do you have a URL or can you be more specific?
>>>>
>>>> Thanks in advance!
>>>>
>>>> Jared Mauch wrote:
>>>>> SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware.
>>>>> I strongly recommend using it over prior versions of SXI.
>>>>> Due to the removal of hardware support we replaced the older 63xx/62xx series cards.
>>>>> - Jared
>>>>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
>>>>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
>>>>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>>>>>>
>>>>>> Rubens
>>>>>>
>>>>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
>>>>>>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>>>>>>>
>>>>>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>>>>>
>>>>>>> Jeff Fitzwater
>>>>>>> OIT Network Systems
>>>>>>> Princeton University
--
Chris Phillips
Director of Network Engineering & Peering Coordinator
WBS Connect
cphillips at wbsconnect.com
(866) WBS-CONX
(720) 259-8361 - direct
(303) 968-4383 - mobile
www.wbsconnect.com

From asturluismi at gmail.com Wed Nov 18 05:04:58 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 18 Nov 2009 11:04:58 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To:
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de> <1258477864.31116.4.camel@hal9000>
Message-ID: <1258538698.12346.1.camel@hal9000>

We used it here against a 3750 with cross-stack etherchannel configuration, and it is working very well so far.

On Tue, 17-11-2009 at 21:53 +0100, Arie Vayner (avayner) wrote:
> Just out of curiosity, what is the port-channel on the 7200/7600 used for?
> Is it a point to point routed port, or with L2 VLANs switched on top of it?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Tuesday, November 17, 2009 19:11
> To: Gert Doering
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BDF over port-channels?
>
> I was just curious, because I would like to deploy BFD but I saw those
> messages on my routers because of the port-channel configurations and I
> would like to know if it was supported in another train or something
> similar.
>
> On Tue, 17-11-2009 at 15:12 +0100, Gert Doering wrote:
> > Hi,
> >
> > On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
> > > I wrote it in a previous email but here it is again :D
> > >
> > > 7200 npe-g2 and 7600 rsp720-pfc3
> >
> > These are very very *VERY* different platforms...
> >
> > > I am using 12.2SRC but it is not supported there and I would like to know
> > > if it is supported in another train.
> >
> > ... so it might very well be supported on one of them, and not on the
> > other...
> >
> > Just for the record - my assumption was wrong. I just tried to configure
> > BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
> > the bfd commands on the port-channel interfaces. Physical interfaces
> > only.
> >
> > (Which makes some sort of sense, *iff* the BFD-handling is done in the
> > line card - where it belongs, to be independent of whatever load the
> > main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
> > enough to run BFD locally. So whatever...)
> >
> > gert

From mtinka at globaltransit.net Wed Nov 18 05:15:20 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 18 Nov 2009 18:15:20 +0800
Subject: [c-nsp] SXI(3) code status?
In-Reply-To:
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>
Message-ID: <200911181815.22693.mtinka@globaltransit.net>

On Tuesday 17 November 2009 11:31:18 pm Jared Mauch wrote:

> I strongly recommend using it over prior versions of SXI.

As part of our recent round of upgrades, we moved from SXH3 to SXI2a. It did fix a non-severe AAA bug we hit when we first moved to SXH3.
If we'd waited 4 extra days, we'd have rolled over to SXI3 instead, but for our applications (pure Layer 2 Ethernet switching with the boxes running as an IS-IS DIS), SXI2a should be super-stable for us for another 10 years, even (okay, maybe not, hehe).

Newer line cards notwithstanding, if it weren't for the AAA bug, we'd probably have stayed on SXH3 also (which served us well for some 1.3 years). We simply aren't using any of the other features to run any potentially crippling kinky stuff on the box.

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL:

From asturluismi at gmail.com Wed Nov 18 05:24:03 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 18 Nov 2009 11:24:03 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <2A7FD41E-5764-40C0-A659-DE93EC34A5F0@gmail.com>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <4B02DEDE.8060003@forthnet.gr> <2A7FD41E-5764-40C0-A659-DE93EC34A5F0@gmail.com>
Message-ID: <1258539843.12346.2.camel@hal9000>

That is what I was looking for. Do you use it in 7600 and/or 7200?

On Tue, 17-11-2009 at 22:16 +0000, Abidin Kahraman wrote:
> BFD over port-channel is supported on SRD1.
>
> HTH
> Abidin
>
> On 17 Nov 2009, at 17:35, Tassos Chatzithomaoglou wrote:
>
> > According to Cisco:
> >
> > http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bfd.html#wp1054055
> >
> > ============================================================
> > For the following Cisco IOS Releases, BFD on PortChannel is not a supported configuration: 12.2SXF, 12.2SRC, and 12.2SRB.
> > ============================================================
> >
> > Also there is CSCek67622:
> > ============================================================
> > BFD should not be configurable on etherchannel intf
> > Symptoms: The bfd interval command is accepted on
> > EtherChannel and EtherChannel member interfaces.
> >
> > Conditions: This symptom is observed on a Cisco router while BFD is not
> > supported on EtherChannels.
> >
> > Workaround: Do not enter the bfd interval command on
> > EtherChannel and EtherChannel member interfaces.
> > ============================================================
> >
> > It's still not clear whether it's supported on SRD (and ES cards) or will be supported in the future...
> >
> > --
> > Tassos
> >
> > luismi wrote on 17/11/2009 14:20:
> >> I wrote it in a previous email but here it is again :D
> >> 7200 npe-g2 and 7600 rsp720-pfc3
> >> I am using 12.2SRC but it is not supported there and I would like to know
> >> if it is supported in another train.
> >> On Tue, 17-11-2009 at 11:09 +0100, Gert Doering wrote:
> >>> Hi,
> >>>
> >>> On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
> >>>> I see a message like "BDF not supported over port-channels" in my
> >>>> routers.
> >>> Which IOS version is that? On what platform?
> >>>
> >>> You could be a bit more proactive in your questions... this makes it
> >>> much easier to give meaningful responses, really...
> >>> :-)
> >>>
> >>> gert
> >
> > --
> > Tassos

From thehink at gmail.com Wed Nov 18 05:29:06 2009
From: thehink at gmail.com (andrew)
Date: Wed, 18 Nov 2009 02:29:06 -0800
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <4B03C5A8.30506@wbsconnect.com>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com>
Message-ID: <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com>

Breaks as in after forcing a sup switchover while on console subsequent SSH connections are refused, as it seems the private key is missing/unreadable. This is logged:

Nov 18 10:16:08.211: SSH2 0: RSA_sign: private key not found
Nov 18 10:16:08.211: SSH2 0: signature creation failed, status -1

Clearing RSA keys and re-generating did not help. Clear RSA keys, *reboot box*, and re-generate did fix.

On Wed, Nov 18, 2009 at 2:00 AM, Chris Phillips wrote:
> Define breaks. Breaks as in your ssh connection drops and you have to login
> again, or breaks as in your ssh connection drops and the ssh service doesn't
> restart?
>
> andrew wrote:
>>
>> Here is some BAD on SXI3 ...
>>
>> with redundant supervisor, SSH breaks upon supervisor switchover.
>>
>> -andrew
>>
>> On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater
>> wrote:
>>>
>>> The 6324 100 MM is supported but did not come online in SXI 1, 2 , 2A. It
>>> did however work in SXI, which we are running now.
>>>
>>> The other flavors are not supported.
>>>
>>> Jeff
>>>
>>> On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote:
>>>
>>>> Release 12.2(33)SXH and later releases do not support the following
>>>> hardware:
>>>>
>>>> These Ethernet Switching Modules:
>>>>
>>>> WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ
>>>> WS-X6248A-TEL 48-port 10/100TX RJ-21
>>>> WS-X6248-RJ-45 48-port 10/100TX RJ-45
>>>> WS-X6248-TEL 48-port 10/100TX RJ-21
>>>> WS-X6324-100FX-SM 24-port 100FX Ethernet
>>>> WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ
>>>> WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45
>>>> WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ
>>>>
>>>> Now, the caveat is that they did not actually remove the hardware
>>>> support for some of these until SXI1, so while the release notes say one
>>>> thing, the actual support varies.
>>>>
>>>> You will see something like this in 'show power':
>>>> 4    WS-X6248A-TEL       112.98  2.69     -     -     on    off (not supported)
>>>> 8    WS-X6248-RJ-45      112.98  2.69     -     -     on    off (not supported)
>>>>
>>>> It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I
>>>> can't recall if that was the case for SXI2/2a/or 1.
>>>>
>>>> - Jared
>>>>
>>>> On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote:
>>>>
>>>>> Jared,
>>>>>
>>>>> After quickly glancing at the release notes, I was unable to find
>>>>> anything about the removal of hardware support for the 63xx series cards.
>>>>> Do you have a URL or can you be more specific?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> Jared Mauch wrote:
>>>>>>
>>>>>> SXI3 has a number of bug fixes for our network, including one that
>>>>>> would cause the next-hop to be populated as 'drop' in hardware.
>>>>>> I strongly recommend using it over prior versions of SXI.
>>>>>> Due to the removal of hardware support we replaced the older 63xx/62xx
>>>>>> series cards.
>>>>>> - Jared
>>>>>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
>>>>>>>
>>>>>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
>>>>>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>>>>>>>
>>>>>>> Rubens
>>>>>>>
>>>>>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> I have been running the SXI(3) on a test router with 100M MM 6324,
>>>>>>>> which it did not recognize in previous versions, and so far no complaints
>>>>>>>> but then again it's not in a real world yet.
>>>>>>>>
>>>>>>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>>>>>>
>>>>>>>> Jeff Fitzwater
>>>>>>>> OIT Network Systems
>>>>>>>> Princeton University
>
> --
> Chris Phillips
> Director of Network Engineering & Peering Coordinator
> WBS Connect
> cphillips at wbsconnect.com
> (866) WBS-CONX
> (720) 259-8361 - direct
> (303) 968-4383 - mobile
> www.wbsconnect.com

--
-andrew

From Reinhold.Fischer at gmx.net Wed Nov 18 05:30:14 2009
From: Reinhold.Fischer at gmx.net (Reinhold Fischer)
Date: Wed, 18 Nov 2009 11:30:14 +0100
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
Message-ID: <20091118103014.GA1529@fart>

We upgraded tonight one of our boxes to SXI3. The WS-X6324-100FX-MM works with this version of code!

hth,
Reinhold

On Tue, Nov 17, 2009 at 09:51:01AM -0500, Jeff Fitzwater wrote:
> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>
> Does anyone else have GOOD or BAD news on SXI(3)?
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

From tomas at soitron.com Wed Nov 18 05:40:39 2009
From: tomas at soitron.com (Daniska, Tomas)
Date: Wed, 18 Nov 2009 11:40:39 +0100
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <200911181815.22693.mtinka@globaltransit.net>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <200911181815.22693.mtinka@globaltransit.net>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD302855601@kenya.tronet.as>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
> Sent: Wednesday, November 18, 2009 11:15 AM
> To: cisco-nsp at puck.nether.net
> Cc: Jared Mauch
> Subject: Re: [c-nsp] SXI(3) code status?
>
> On Tuesday 17 November 2009 11:31:18 pm Jared Mauch wrote:
>
> > I strongly recommend using it over prior versions of SXI.
>
> As part of our recent round of upgrades, we moved from SXH3
> to SXI2a. It did fix a non-severe AAA bug we hit when we
> first moved to SXH3.

Which one was that? We've been hit by a bug when using TAC+ out of a VRF. Initial user authentication is OK, but the subsequent enable auth outgoing packets do not have the proper VRF set and go out the GRT instead. Funny enough, the return packet returns via the VRF and the box eats it.

We've filed CSCtc86306 for this hoping to have this fixed by SXI3, but after exchanging lots of e-mails with India TAC the status was that they do understand the issue and suddenly they've just stated it works as expected. The SXI3 goal is missed now, and ages to come until the next maintenance build...

Aug 28 17:00:37.285: AAA/MEMORY: create_user (0xF7E8CF8) user='xxxxxxxx' ruser='NULL' ds0=0 port='tty2' rem_addr='x.x.x.x' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0) <=== they somehow forgot to fill this in for enable auth

--
deejay

__________ Information from ESET NOD32 Antivirus, database version 4616 (20091117) __________

This message was checked by ESET NOD32 Antivirus.
http://www.eset.sk

From perc69 at gmail.com Wed Nov 18 06:11:37 2009
From: perc69 at gmail.com (Per Carlson)
Date: Wed, 18 Nov 2009 12:11:37 +0100
Subject: [c-nsp] IOS XR version you use
In-Reply-To:
References:
Message-ID: <746ca6da0911180311o4e4e729cqdbde8800cf29ab7a@mail.gmail.com>

Hi.

> I look for a good choice of XR to upgrade to from 3.5. In terms of features
> there are no mandatory ones that could drive us to do 3.8 instead of 3.6
> Does anyone of you use 3.8 in a production environment? Please share any
> thoughts on this.

We are using 3.5.4 (CRS and XR12k) and do plan a move to 3.6.3 on both platforms. XR 3.8 didn't give us any needed features either, and the lower exposure in "the wild" made the choice of 3.6 rather easy.

--
Pelle

From jan.gregor at chronix.org Wed Nov 18 05:28:14 2009
From: jan.gregor at chronix.org (Jan Gregor)
Date: Wed, 18 Nov 2009 11:28:14 +0100
Subject: [c-nsp] ASA IPSec weirdness
Message-ID: <4B03CC3E.1080607@chronix.org>

Hello all,

recently I got an issue with an L2L IPSec tunnel on one of our ASA firewalls. The problem is that when the remote site initiates the connection, the ASA negotiates the association as though it is a VPN Client (ipsec-ra is also configured on the same firewall).

Not working association (asa is responder):

Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
spi: 0xCD25D187 (3441807751)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2709, crypto-map: VPNClientMap

Working association (asa is initiator):

Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
spi: 0xF9214935 (4179708213)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2710, crypto-map: outside_map

ASA configuration looks like this:

crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto dynamic-map VPNClientMap 1 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap

I have tried everything that I could think of - xauth disabling (which I think is default on asa), upgrading router asa software, ... Nothing worked and disabling the vpn clients is not an option for me :/ .

Anyone stumbled across something similar in the past and was able to fix it?

Thanks for any pointers.

Best regards,

Jan Gregor

From eng_mssk at hotmail.com Wed Nov 18 06:24:27 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 18 Nov 2009 13:24:27 +0200
Subject: [c-nsp] Flow Control
Message-ID:

Dear all

I have 5 Gigabit Ethernet interfaces connected via port channel to a WiMAX ASN gateway. The device is a Cisco CISCO7606-S with IOS c7600s72033-advipservicesk9-mz.122-33.SRB2.bin.

When I issue the command sh run int po20:

interface Port-channel20
 switchport
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport mode access
 flowcontrol receive on
 flowcontrol send on
end

sh int po20 | inc flow
input flow-control is off, output flow-control is off

Does that mean that the other device doesn't support flow control? Or do I need something else to enable flow control? Because I suffer from overruns on the port channel. Is that the problem?

Thanks in advance
From howie at thingy.com Wed Nov 18 05:46:52 2009
From: howie at thingy.com (Howard Jones)
Date: Wed, 18 Nov 2009 10:46:52 +0000
Subject: [c-nsp] 32-bit ASN for 7200 G2?
Message-ID: <4B03D09C.6060800@thingy.com>

I'm researching IOS versions for upgrading our transit routers to support 32-bit ASNs, and it seems that I need to use basically the absolute latest 12.4T release (12.4.24T) to get that support. I can't get it in 12.2S or 12.4 mainline at all.

Is that really the case?

What does everyone else use on their G2/7201s? This is just for BGP internet peering connections and OSPF. Nothing at all fancy, I just don't like the bleeding edge :-)

Thanks,

Howie

From rwest at zyedge.com Wed Nov 18 07:04:02 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 18 Nov 2009 07:04:02 -0500
Subject: [c-nsp] ASA IPSec weirdness
In-Reply-To: <4B03CC3E.1080607@chronix.org>
References: <4B03CC3E.1080607@chronix.org>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E586338C@zy-ex1.zyedge.local>

Jan,

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jan Gregor
Sent: Wednesday, November 18, 2009 5:28 AM

Hello all,

recently I got an issue with an L2L IPSec tunnel on one of our ASA firewalls. The problem is that when the remote site initiates the connection, the ASA negotiates the association as though it is a VPN Client (ipsec-ra is also configured on the same firewall).

Not working association (asa is responder):

Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
spi: 0xCD25D187 (3441807751)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2709, crypto-map: VPNClientMap

Working association (asa is initiator):

Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
spi: 0xF9214935 (4179708213)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2710, crypto-map: outside_map

ASA configuration looks like this:

crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto dynamic-map VPNClientMap 1 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap

----------------

Are you sure they are landing on your tunnel with the right address? The fact that it's hitting your dyn map makes me think they are coming from another address. Do you have control of the remote end, do you know what type of device it is? Can you enable some isakmp debugs to capture more traffic. As the responder, you'll be able to gather the most useful debug, you should be able to figure out what's going on with a debug cry isa 255.

-ryan

From lukasz at bromirski.net Wed Nov 18 07:11:03 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 18 Nov 2009 13:11:03 +0100
Subject: [c-nsp] 32-bit ASN for 7200 G2?
In-Reply-To: <4B03D09C.6060800@thingy.com>
References: <4B03D09C.6060800@thingy.com>
Message-ID: <4B03E457.6070802@bromirski.net>

On 2009-11-18 11:46, Howard Jones wrote:
> I'm researching IOS versions for upgrading our transit routers to
> support 32-bit ASNs, and it seems that I need to use basically the
> absolute latest 12.4T release (12.4.24T) to get that support. I can't
> get it in 12.2S or 12.4 mainline at all.

Yeah, the 12.4(24)T, rebuilds of it and the new 15.0M line. It will also appear in the 12.2SRE.

If you're afraid of following the edge, 4-byte ASN support is also present in the 12.0(33)S rebuilds.

--
"Everything will be okay in the end.
 | Łukasz Bromirski
If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From bacon at walleyesoftware.com Wed Nov 18 07:29:47 2009
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Wed, 18 Nov 2009 06:29:47 -0600
Subject: [c-nsp] BGP primer recco
Message-ID: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net>

Hi folks -

Need to learn BGP. Cisco-focused ok. Looking for the right book to buy. Willing to buy 2-3 to get the right one.

I know the very fundamentals of BGP, and conversant in most other IOS topics (route-maps and route redist, weights, IGPs). I can set up a basic neighbor and get IBGP vs EBGP, but need to understand community strings and weighting in BGP-world - used to an EIGRP/OSPF world primarily.

Goal is to know how to effectively multi-home our enterprise (3 offices, 4 ISPs, we have an assigned ASN and /24), including redirecting inet traffic between the sites over our private WAN links. Not looking to run a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest to multi-home. My needs are limited; also, it isn't just for the public internet, I also need to present multi-home over BGP to trading partners from our multiple sites over multiple links. I intend to keep the two routing domains separate tho.)

So essentially I need "BGP for non-dummies that is also a good reference book".

(Yes, I also have the mandatory on-call friend-who-does-this-for-a-living to pester, but he does it for a living for someone else, and I want him to remain a friend. :) )

Thanks,
-bacon

From pl+list at pmacct.net Wed Nov 18 07:00:56 2009
From: pl+list at pmacct.net (Paolo Lucente)
Date: Wed, 18 Nov 2009 12:00:56 +0000
Subject: [c-nsp] 32-bit ASN for 7200 G2?
In-Reply-To: <4B03D09C.6060800@thingy.com>
References: <4B03D09C.6060800@thingy.com>
Message-ID: <20091118120056.GA21017@moussaka.pmacct.net>

Hi,

You can wait a couple of weeks and get the feature on 12.2SRE. 32-bit ASN should be around on 12.0S images as well.
Cheers,
Paolo

On Wed, Nov 18, 2009 at 10:46:52AM +0000, Howard Jones wrote:
> I'm researching IOS versions for upgrading our transit routers to
> support 32-bit ASNs, and it seems that I need to use basically the
> absolute latest 12.4T release (12.4.24T) to get that support. I can't
> get it in 12.2S or 12.4 mainline at all.
>
> Is that really the case?
>
> What does everyone else use on their G2/7201s? This is just for BGP
> internet peering connections and OSPF. Nothing at all fancy, I just
> don't like the bleeding edge :-)
>
> Thanks,
>
> Howie

From abalashov at evaristesys.com Wed Nov 18 07:38:48 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Wed, 18 Nov 2009 07:38:48 -0500
Subject: [c-nsp] BGP primer recco
In-Reply-To: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net>
Message-ID: <4B03EAD8.8040506@evaristesys.com>

I enjoyed the O'Reilly BGP book - has always served me well.

Jeff Bacon wrote:
> Hi folks -
>
> Need to learn BGP. Cisco-focused ok. Looking for the right book to buy.
> Willing to buy 2-3 to get the right one.
>
> I know the very fundamentals of BGP, and conversant in most other IOS
> topics (route-maps and route redist, weights, IGPs). I can set up a
> basic neighbor and get IBGP vs EBGP, but need to understand community
> strings and weighting in BGP-world - used to an EIGRP/OSPF world
> primarily.
>
> Goal is to know how to effectively multi-home our enterprise (3 offices,
> 4 ISPs, we have an assigned ASN and /24), including redirecting inet
> traffic between the sites over our private WAN links. Not looking to run
> a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest
> to multi-home. My needs are limited; also, it isn't just for the public
> internet, I also need to present multi-home over BGP to trading partners
> from our multiple sites over multiple links.
> I intend to keep the two
> routing domains separate tho.)
>
> So essentially I need "BGP for non-dummies that is also a good reference
> book".
>
> (Yes, I also have the mandatory on-call
> friend-who-does-this-for-a-living to pester, but he does it for a living
> for someone else, and I want him to remain a friend. :) )
>
> Thanks,
> -bacon

--
Alex Balashov - Principal
Evariste Systems
Web     : http://www.evaristesys.com/
Tel     : (+1) (678) 954-0670
Direct  : (+1) (678) 954-0671

From rmikisa at gmail.com Wed Nov 18 07:40:06 2009
From: rmikisa at gmail.com (Mikisa Richard)
Date: Wed, 18 Nov 2009 15:40:06 +0300
Subject: [c-nsp] VPN traffic
In-Reply-To:
References:
Message-ID: <000601ca684c$46aff3e0$d40fdba0$@com>

Dear all,

In trying to troubleshoot VPN traffic on a Cisco ASA 5520, is it possible to debug the actual traffic in the tunnel? Scenario: Site to site tunnel comes up but either side cannot reach the remote nodes beyond the firewalls.

Regards,
Richard

From teklish76 at yahoo.com Wed Nov 18 08:03:12 2009
From: teklish76 at yahoo.com (teklay gebremichael)
Date: Wed, 18 Nov 2009 05:03:12 -0800 (PST)
Subject: [c-nsp] vlan across a routed link
Message-ID: <995578.89071.qm@web43135.mail.sp1.yahoo.com>

I work in a university which has three campuses. On each campus, there is one Cisco 6509 switch as a core switch. All other switches (L2) are VTP clients except the core switches. The campuses are connected with a routed link. So, one campus has the 10.128.0.0/16 subnet and the others have subnets of 10.129.0.0/16 and 10.130.0.0/16. RIP v2 is used on the inter-campus links to advertise individual VLANs.

Here is my problem. I'm asked to create a VLAN with a subnet id of 192.168.1.0/24.
But computers in this VLAN are located in the 10.128.0.0/16 campus and the 10.130.0.0/16 campus. The link between 10.128.0.0/16 and 10.130.0.0/16 is not a trunk; it is routed with an IP address. So can anybody suggest to me how to implement such a scenario, which allows one VLAN (in this case 192.168.1.0/24) to be visible from the two campuses, i.e. to propagate that specific VLAN across a routed link, not a trunk link?

Thanks

From rwest at zyedge.com Wed Nov 18 08:24:26 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 18 Nov 2009 08:24:26 -0500
Subject: [c-nsp] VPN traffic
In-Reply-To: <000601ca684c$46aff3e0$d40fdba0$@com>
References: <000601ca684c$46aff3e0$d40fdba0$@com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E5863390@zy-ex1.zyedge.local>

Hi,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Mikisa Richard
> Sent: Wednesday, November 18, 2009 7:40 AM
>
> Dear all,
>
> In trying to troubleshoot VPN traffic on a Cisco ASA 5520, is it
> possible to
> debug the actual traffic in the tunnel. Scenario: Site to site tunnel
> comes
> up but either side cannot reach the remote nodes beyond the firewalls.
>

Can you describe your scenario in a little more detail? Is the firewall inline with all traffic? If it's not, you're probably hitting a routing issue. With just informational-level buffer logging, you should be able to see why the traffic might be failing. If you want to process the traffic through your ACLs and watch for hits there, you can disable sysopt permit-vpn.

-ryan

From B.Anszperger at aster.pl Wed Nov 18 07:51:30 2009
From: B.Anszperger at aster.pl (Bartlomiej Anszperger)
Date: Wed, 18 Nov 2009 13:51:30 +0100
Subject: [c-nsp] 32-bit ASN for 7200 G2?
In-Reply-To: <4B03E457.6070802@bromirski.net>
References: <4B03D09C.6060800@thingy.com> <4B03E457.6070802@bromirski.net>
Message-ID: <4B03EDD2.5090308@aster.pl>

Łukasz Bromirski writes:
> If you're afraid of following the edge, 4-byte ASN support is also
> present in the 12.0(33)S rebuilds.

And from 12.0(32)SY8 onwards; please refer to
http://www.cisco.com/en/US/docs/ios/12_0/12_0sy/release/notes/120SYrn.html#wp2884958

Best regards
--
Bartek

From olof.kasselstrand at gmail.com Wed Nov 18 08:32:21 2009
From: olof.kasselstrand at gmail.com (Olof Kasselstrand)
Date: Wed, 18 Nov 2009 14:32:21 +0100
Subject: [c-nsp] BGP Community Problem (I think)
In-Reply-To: <4422cf660911172305u22fffd33lfa3b5044dc1e7e08@mail.gmail.com>
References: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad> <4422cf660911172305u22fffd33lfa3b5044dc1e7e08@mail.gmail.com>

Hi,

Are you using soft-reconfigure on the routers? That will cause this kind of behavior.

// Olof

On Wed, Nov 18, 2009 at 8:05 AM, Ben Steele wrote:
> As Hobbs mentioned, do a "sh ip bgp neighbor " and look for
> the prefix activity part, which will tell you about prefixes that didn't get
> sent to that peer for various reasons.
>
> Have you looked at the communities attached to the prefixes you have learnt
> from your other peer that you aren't advertising? Do they have either
> no-advertise/no-export/local-as etc. on them? Is the peer you're receiving the
> feed from iBGP or eBGP? And is the peer you're sending them to iBGP or eBGP?
>
>
> On Wed, Nov 18, 2009 at 5:40 PM, Skeeve Stevens wrote:
>
>> But, the router isn't even sending them to the next router... between
>> tagging them and re-sending them, they just aren't there.... so I would
>> assume the neighbour they are being sent to is nothing to do with it?
>>
>> ...Skeeve
>>
>> --
>> Skeeve Stevens, CEO/Technical Director
>> eintellego Pty Ltd - The Networking Specialists
>> skeeve at eintellego.net / www.eintellego.net
>> Phone: 1300 753 383, Fax: (+612) 8572 9954
>> Cell +61 (0)414 753 383 / skype://skeeve
>> www.linkedin.com/in/skeeve ; facebook.com/eintellego
>> --
>> NOC, NOC, who's there?
>>
>>
>> >
>> > Not sure off-hand, but you can do show ip bgp neighbor and far down in
>> > the
>> > output you will see a section showing stats about why prefixes were
>> > dropped
>> > (route-map, dist-list, etc). What does it say?
>>
>

From braaen at zcorum.com Wed Nov 18 09:02:49 2009
From: braaen at zcorum.com (Brian Raaen)
Date: Wed, 18 Nov 2009 09:02:49 -0500
Subject: [c-nsp] snmpwalk for switch port status
In-Reply-To: <4B030BB2.8090801@gmail.com>
References: <4B030BB2.8090801@gmail.com>
Message-ID: <200911180902.49735.braaen@zcorum.com>

Try this; written for Debian Linux, so it may or may not need modification to run on your system.

#!/bin/bash
# Polls one switch over SNMPv2c and prints, per interface, the
# ifDescr / ifAdminStatus / ifOperStatus / ifAlias columns, tab separated.
community=
host=
group=
list=
output=

if [ "$#" == "0" ]
then
    echo "$0: No Arguments.... please put at least a host" >&2
    echo "Usage: $0 [-c community_string] [-g nagios_contact_group] [-l list_of_snmp_indexes_file] [-o file_to_output_to] hostname" >&2
    exit 1
fi

while getopts :c:g:l:o:h opt
do
    case $opt in
        c) community="$OPTARG" ;;
        g) group="$OPTARG" ;;    # accepted because the usage text offers it; not used below
        l) list="$OPTARG" ;;
        o) output="$OPTARG" ;;
        h) echo "Usage: $0 [-c community_string] [-g nagios_contact_group] [-l list_of_snmp_indexes_file] [-o file_to_output_to] hostname" >&2
           exit 0 ;;
        '?') echo "$0: invalid option -$OPTARG" >&2
             echo "Usage: $0 [-c community_string] [-g nagios_contact_group] [-l list_of_snmp_indexes_file] [-o file_to_output_to] hostname" >&2
             exit 1 ;;
    esac
done
shift $((OPTIND - 1))
host="$1"

if [ -z "$host" ]
then
    echo "$0: no hostname given" >&2
    exit 1
fi

# default to the well-known read-only community when none was given
if [ -z "$community" ]
then
    community="public"
fi

# Take the ifIndex list from a file, or build it by walking ifName
# (.1.3.6.1.2.1.31.1.1.1.1) and dropping Null0, T1, Loopback, LI, Vi and Vt
# interfaces; the sed keeps only the trailing ifIndex of each OID.
if [ -n "$list" ]
then
    list=`cat "$list"`
else
    list=`snmpwalk -v 2c -c "$community" -Oe "$host" 1.3.6.1.2.1.31.1.1.1.1 | egrep -v "( STRING: Nu0| STRING: T1 | STRING: Lo| STRING: LI| = STRING: Vi| = STRING: Vt)" | sed 's/.*\.\([0-9]*\) = STRING:.*/\1/'`
fi

for i in $list
do
    index=$i
    # ifDescr (.2.2.1.2), ifAlias (.31.1.1.1.18), ifAdminStatus (.2.2.1.7), ifOperStatus (.2.2.1.8)
    type=`snmpget -v 2c -c "$community" -Oev "$host" 1.3.6.1.2.1.2.2.1.2.$index | sed 's/^STRING: //'`
    description=`snmpget -v 2c -c "$community" -Oev "$host" 1.3.6.1.2.1.31.1.1.1.18.$index | sed 's/^STRING: //'`
    # status values come back as e.g. "INTEGER: up(1)"; keep just the word
    status=`snmpget -v 2c -c "$community" -Ov "$host" .1.3.6.1.2.1.2.2.1.7.$index | sed 's/^INTEGER: \(.*\)(.)/\1/'`
    protocol=`snmpget -v 2c -c "$community" -Ov "$host" .1.3.6.1.2.1.2.2.1.8.$index | sed 's/^INTEGER: \(.*\)(.)/\1/'`
    if [ -n "$output" ]
    then
        echo -e "$type\t$status\t$protocol\t$description" >>"$output"
    else
        echo -e "$type\t$status\t$protocol\t$description"
    fi
done

--
----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com

On Tuesday 17 November 2009, sky vader wrote:
> Hi,
>
> Can anyone point me in the right direction for a perl script that will
> snmpwalk the MIB for switch port status, whether "up" or "down", including
> the total number of ports available?
>
> I have approximately 400 switches that I would like to query via script
> and pipe the results to a file for every device.
>
> I'm currently querying it manually (see below), which is not scaling :-)
>
> $ snmpwalk -c
> interfaces.ifTable.ifEntry.ifOperStatus | grep down
>
>
> Any pointers will be greatly appreciated.
>
>
> regards
> sky
>

From p.mayers at imperial.ac.uk Wed Nov 18 09:25:38 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 18 Nov 2009 14:25:38 +0000
Subject: [c-nsp] vlan across a routed link
In-Reply-To: <995578.89071.qm@web43135.mail.sp1.yahoo.com>
References: <995578.89071.qm@web43135.mail.sp1.yahoo.com>
Message-ID: <4B0403E2.8030204@imperial.ac.uk>

teklay gebremichael wrote:
> I work in a university which has three campuses. On each campus,
> there is one Cisco 6509 switch as a core switch. All other switches
> (L2) are in VTP client mode except the core switches. The campuses are
> connected with a routed link. So, one campus has the 10.128.0.0/16
> subnet and the others have subnets of 10.129.0.0/16 and
> 10.130.0.0/16. RIP v2 is used on the inter-campus links to advertise
> individual VLANs.
>
> Here is my problem.
>
> I'm asked to create a VLAN with a subnet ID of 192.168.1.0/24. But
> computers in this VLAN are located in the 10.128.0.0/16 campus and
> the 10.130.0.0/16 campus. The link between 10.128.0.0/16 and
> 10.130.0.0/16 is not a trunk; it is routed with an IP address. So can
> anybody suggest to me how to implement such a scenario, which allows one
> VLAN (in this case 192.168.1.0/24) to be visible from the two campuses,
> i.e. to propagate that specific VLAN across a routed link, not a trunk
> link? Thanks

You will need to convert the link from routed to switchport.
That is, transform this:

interface Gi1/1
 ip address a.b.c.d

...to:

interface Gi1/1
 switchport
 switchport mode trunk
 switchport trunk native vlan 4000
 switchport trunk allowed vlan yourvlan,4000

int Vlan4000
 ip address a.b.c.d

From eric.hoelzle at gmail.com Wed Nov 18 09:25:57 2009
From: eric.hoelzle at gmail.com (Eric Hoelzle)
Date: Wed, 18 Nov 2009 09:25:57 -0500
Subject: [c-nsp] snmpwalk for switch port status
In-Reply-To: <200911180902.49735.braaen@zcorum.com>
References: <4B030BB2.8090801@gmail.com> <200911180902.49735.braaen@zcorum.com>
Message-ID: <3c92c0cf0911180625yb84326ch45ac409a2e6c0776@mail.gmail.com>

Here's a version in perl that runs on windows or *nix. Net::SNMP required. I have an older version using net::snmp::info that reads more cleanly, but had trouble getting that module to work under ActiveState perl at my current job.

-- Eric

--------[ begin paste ]-----
use Net::SNMP;

# expect exactly two arguments: the switch to poll and the age threshold in days
$ARGC = $#ARGV + 1;
if ($ARGC != 2) {
    die "\nUsage: deadports.pl hostname num_days\n\n";
}
$pulldays = $ARGV[1];
$hostname = $ARGV[0];
$community = 'CHANGEME';    # read-only community string; replace before running
print "Unused Port report on $hostname for $pulldays days.";

## set up SNMP session
my ($session, $error) = Net::SNMP->session(
    -version => 'snmpv2c',
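As an added example (not code from Brian's or Eric's posts), here is the same per-port report done in Python from the text output of a numeric `snmpwalk -On` of the four IF-MIB columns Brian's script polls (ifName, ifAlias, ifAdminStatus, ifOperStatus), so it runs offline on a constructed sample; it joins the columns on ifIndex, tolerates an index that is missing from one table, and lists the ports that are admin-up but have no link, which is the set an "unused port" report is after.

```python
import re
from collections import defaultdict
# Numeric IF-MIB columns, the same four the bash script above polls.
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1"    # ifName
IF_ALIAS = "1.3.6.1.2.1.31.1.1.1.18"  # ifAlias (port description)
IF_ADMIN = "1.3.6.1.2.1.2.2.1.7"      # ifAdminStatus
IF_OPER = "1.3.6.1.2.1.2.2.1.8"       # ifOperStatus
# One line of numeric (snmpwalk -On) output: .<column>.<ifIndex> = TYPE: value
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+?)\.(?P<idx>\d+) = (?P<type>\w+): ?(?P<val>.*)$")
# Constructed sample walk (not from a real device); Gi1/0/4 has no status rows.
SAMPLE_WALK = """
.1.3.6.1.2.1.31.1.1.1.1.10101 = STRING: Gi1/0/1
.1.3.6.1.2.1.31.1.1.1.1.10102 = STRING: Gi1/0/2
.1.3.6.1.2.1.31.1.1.1.1.10103 = STRING: Gi1/0/3
.1.3.6.1.2.1.31.1.1.1.1.10104 = STRING: Gi1/0/4
.1.3.6.1.2.1.31.1.1.1.18.10101 = STRING: uplink to core
.1.3.6.1.2.1.31.1.1.1.18.10102 = STRING:
.1.3.6.1.2.1.2.2.1.7.10101 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.7.10102 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.7.10103 = INTEGER: down(2)
.1.3.6.1.2.1.2.2.1.8.10101 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.10102 = INTEGER: down(2)
.1.3.6.1.2.1.2.2.1.8.10103 = INTEGER: down(2)
"""

def parse_walk(text):
    """Return {column_oid: {ifIndex: value}}; enums like 'up(1)' become 'up'."""
    tables = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                                   # skip blank or unexpected lines
            val = m.group("val").strip().strip('"')
            if m.group("type") == "INTEGER":
                val = re.sub(r"\(\d+\)$", "", val)
            tables[m.group("oid")][int(m.group("idx"))] = val
    return tables

def port_report(text):
    """Join the four columns on ifIndex; a cell missing from a table reads 'unknown'."""
    t = parse_walk(text)
    return [{"index": i, "name": t[IF_NAME][i], "alias": t[IF_ALIAS].get(i, ""),
             "admin": t[IF_ADMIN].get(i, "unknown"), "oper": t[IF_OPER].get(i, "unknown")}
            for i in sorted(t[IF_NAME])]

def summarize(rows):
    # port count, link-down count, and ports that are enabled but carry no link
    return {"total": len(rows),
            "down": sum(r["oper"] == "down" for r in rows),
            "enabled_unused": [r["name"] for r in rows
                               if r["admin"] == "up" and r["oper"] == "down"]}
```

Feed it the saved walk output of each of the 400 switches and the per-device summaries give the "total ports" figure the original question asked for alongside the down ports; a `-Oe` (numeric enum) walk would need "1"/"2" in place of "up"/"down" in the comparisons.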