From ltd at cisco.com Sun Nov 1 01:44:09 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Sun, 1 Nov 2009 17:44:09 +1100
Subject: [c-nsp] network rebuild questions
References: <1543E50F-FE03-4549-BDC7-D9B17898D8D8@arbor.net> <82AD5692-DA8D-4F2B-8DCD-935671CB5571@arbor.net>
Message-ID: <255D5C42-E897-4CB9-9073-30B0372C049D@cisco.com>

On 01/11/2009, at 5:20 AM, Bill Desjardins wrote:

> well, sup1 6500's doing everything all in one have been rock solid the
> last 5+yrs now and are still pushing ~460k PPS in+out at this very
> moment without a hiccup and doing everything I want them to. its 99%
> voip traffic as well with very happy customers. I don't see the point
> that all of sudden I am going to be in despair and grief with modestly
> better hardware and a much improved network architecture. IMHO.

bear in mind that a Sup1 is only ever doing "flow switching" aka MLS (multi layer switching), which is akin to: 1st packet in a flow goes to software, software sets up a hardware shortcut entry in the MLS cache, then subsequent packets in that flow are forwarded in hardware.

that works relatively well provided:
 a. the flow setup rate does not exceed the capabilities of software
 b. the # of concurrent flows does not exhaust the size of the flow table

while often that will be the case under normal conditions, if your traffic is growing at any significant rate per month/quarter/year or if you are exposed to a DoS attack or rogue application, you may well find that Sup1 does not work so well any more and would likely result in network outage(s) and/or broken SLAs on that VoIP traffic.

if you have means of protecting against those things, all well and good.

but note that subsequent Supervisors on C6K augment the MLS switching path with CEF/FIB in hardware, i.e. no "per flow state" forwarding but instead setup the entire forwarding table in hardware - so as to avoid those issues.

cheers,

lincoln.
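An added illustration (not part of Lincoln's message or any Cisco code): a toy simulation of the two limits he names, the software flow-setup rate and the flow-table size, showing why a steady set of long-lived VoIP flows stays in hardware while a burst of many short flows, the DoS or rogue-application case, ends up mostly in software. All sizes and rates below are constructed, not Sup1 figures.

```python
from collections import OrderedDict


class MlsFlowCache:
    """Toy model of MLS 'flow switching': the first packet of a flow is punted
    to software, which installs a hardware shortcut; later packets of that flow
    are forwarded in hardware. Two constructed limits apply: how many shortcuts
    software can install per tick, and how many flows the cache can hold."""

    def __init__(self, table_size, setup_rate):
        self.table_size = table_size      # max concurrent flows in the cache
        self.setup_rate = setup_rate      # flow setups software can do per tick
        self.table = OrderedDict()        # flow key -> packets seen (LRU order)
        self.hw_forwarded = 0
        self.sw_forwarded = 0             # packets that had to go to software
        self.setups_refused = 0           # setups software was too busy to do
        self.setups_this_tick = 0

    def tick(self):
        """A new time interval: the software setup budget is renewed."""
        self.setups_this_tick = 0

    def packet(self, flow):
        """Forward one packet of `flow` and report which path handled it."""
        if flow in self.table:
            self.table.move_to_end(flow)    # keep active flows young in LRU order
            self.table[flow] += 1
            self.hw_forwarded += 1
            return "hw"
        self.sw_forwarded += 1              # no shortcut yet: software punt
        if self.setups_this_tick >= self.setup_rate:
            self.setups_refused += 1        # limit (a): setup rate exhausted
            return "sw-no-setup"
        self.setups_this_tick += 1
        if len(self.table) >= self.table_size:
            self.table.popitem(last=False)  # limit (b): evict the oldest flow
        self.table[flow] = 1
        return "sw-setup"

    def software_ratio(self):
        """Share of all packets that software had to handle."""
        total = self.hw_forwarded + self.sw_forwarded
        return self.sw_forwarded / total if total else 0.0


def run_scenario(n_flows, packets_per_flow, ticks, table_size, setup_rate, churn):
    """churn=False: the same n_flows persist across all ticks (steady VoIP load).
    churn=True: every tick brings n_flows brand-new flows (flood or rogue app).
    Packets are interleaved round-robin across flows, as on a real link."""
    cache = MlsFlowCache(table_size, setup_rate)
    next_id = 0
    flows = []
    for t in range(ticks):
        cache.tick()
        if churn or t == 0:
            flows = list(range(next_id, next_id + n_flows))
            next_id += n_flows
        for _ in range(packets_per_flow):
            for flow in flows:
                cache.packet(flow)
    return cache


if __name__ == "__main__":
    steady = run_scenario(100, 50, 10, table_size=1000, setup_rate=200, churn=False)
    flood = run_scenario(5000, 2, 10, table_size=1000, setup_rate=200, churn=True)
    for name, c in (("steady VoIP", steady), ("short-flow flood", flood)):
        print("%-17s hw=%d sw=%d refused=%d software share=%.1f%%"
              % (name, c.hw_forwarded, c.sw_forwarded, c.setups_refused,
                 100 * c.software_ratio()))
```

With the constructed limits, the steady load punts 100 packets out of 50,000 while the flood punts 98 per cent of its packets, which is the outage mode described above.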
From mtinka at globaltransit.net Sun Nov 1 13:18:43 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 2 Nov 2009 02:18:43 +0800
Subject: [c-nsp] Latest iteration of core upgrade - questions
Message-ID: <200911020218.52936.mtinka@globaltransit.net>

On Sunday 01 November 2009 03:02:21 am Rick Ernst wrote:

> > --- It was an "in", but now it's "at". I can still
> > argue it being
> > appropriate as a border/"upstream" device and also as
> aggregation/"customer".

You probably want to try separating both functions where possible, otherwise your routing policies on a multi-function box may get too complex (I've been in bad situations where border routers had to double as route reflectors - not very pretty).

> > --- One 720x per upstream, split into dual cores.

Sounds good.

> > We
> > had also considered
> > landing upstreams directly on the 7600s, but this allows
> for a core device failure without losing upstream
> capacity.

Again, wherever possible, try separating those functions.

> --- I've looked at other vendors, but a big reason for
> sticking with Cisco is we have the in-house knowledge.
> Changing vendors while re-architecting a production
> network seems to be a bad idea.

Fair enough - it's always best to go with what you're comfortable handling.

> --- What is the benefit in having 4 devices instead of 2?
> It seems like you'd just be passing the same traffic
> through double the number of devices.

Like I'd said, you'd only grow to 4x (2x for edge + core aggregation, and 2x for border + core aggregation) if it became necessary. You'd normally find this in PoP's where you've got a lot of upstream service concentration, typically your flagship PoP when you started operations. Depending on how many border routers you have (as well as what other devices may be sitting at this layer), there may be a need for a number of Ethernet ports.
Furthermore, assuming border + edge switch aggregation were collapsed into a single device, failure of either would affect Internet traffic for customers connecting to the same PoP. However, assume traffic to the Internet is coming in from another PoP, which connects to your core routers - here, a failure of a combined border + edge core switch affects both the local and remote PoP's. If you had 2x core switches dedicated for your border + core aggregation, remote PoP's would still have Internet access assuming the main PoP was their exit to the rest of the world.

Again, these are all dynamics respective to an individual business. As I'd mentioned, it's typically considered only where necessary.

> -- I had actually considered another pair of 7600s at the
> aggregation layer, but we currently have ~300 ports in
> use and the cable management is a nightmare. The 4948s
> let us do a "top-of-rack" design and run back to the
> core. We could have done the same thing with a pair of
> 7600s and dumb layer-2 switches, but using the 4948s
> allows incremental upgrades/migration.

Understand - this is where I think the Nexus 7000 series may excel.

Cheers,

Mark.

From cisco-nsp at ml.karotte.org Sun Nov 1 15:16:09 2009
From: cisco-nsp at ml.karotte.org (Sebastian Wiesinger)
Date: Sun, 1 Nov 2009 21:16:09 +0100
Subject: [c-nsp] is L2TPv3 right for me?
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F1043B4D24DB@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F1043B4D24DB@MLBMXUS2.cs.myharris.net>
Message-ID: <20091101201609.GA6221@danton.fire-world.de>

* Church, Charles [2009-10-31 18:59]:
> Hey all,
>
> destinations are sent across, etc)...
> The link provided will
> be gigabit, but with encryption overhead, probably need at
> most 900 mbit throughput, mostly using full-size frames as
> traffic will be mostly migration data. I've got a couple
> 7206s available with NPE-G1. I'm thinking that will work.
> Any thoughts?

I don't have numbers at the moment but IIRC NPE-G1 can't handle anything near 900MBit/s of L2TPv3 traffic..

Regards,

Sebastian

--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From jmkeller at houseofzen.org Sun Nov 1 16:24:10 2009
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Sun, 01 Nov 2009 16:24:10 -0500
Subject: [c-nsp] ASA SSL TLS Tunnel Window Sizes
Message-ID: <4AEDFC7A.9020202@houseofzen.org>

All,

We had been having some SSL VPN (TLS transport) performance issues on ASA units dedicated to just VPN access. The issue is we're maxing out at 5Mbps on a tunneled connection, but our legacy SSL VPN solution is close to wire speed with the tunnel overhead taken into consideration for the same traffic.

I noticed from captures that the ASAs are starting with an initial tcp window of 8192 and never exceed that, but will reduce that after packet loss and then come back up to 8192 after the congestion avoidance period. The legacy SSL appliance starts at 5840 but after the slow start period ramps up and stabilizes at 44448. From external test connections with about 12ms RTT the 8192 value should get us 5.4Mbps in theory, and matches real tests at just under 5Mbps for the tunneled traffic.

I couldn't find anything for adjusting max/initial or otherwise window size for the WebVPN/SVC process themselves, just for passed traffic inspection to drop/clear/allow window size related packets during inspection.

Thanks in advance for any pointers.
-James

From oogali at gmail.com Mon Nov 2 00:54:23 2009
From: oogali at gmail.com (Omachonu Ogali)
Date: Mon, 2 Nov 2009 00:54:23 -0500
Subject: [c-nsp] [j-nsp] Network Liberation Movement???
In-Reply-To: <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com>
References: <4AEAF6B8.2090606@att.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3BE0@LMC-MAIL2.exempla.org> <5210A1C9084123478E12AA5924D1F253FBBCE9@w3usmia2.lat.gblxint.com> <8c308e8b0910301415t3b5c2d01n440e57bcf044992@mail.gmail.com> <443de7ad0910311035p2506ae77qbafd235bb4a59397@mail.gmail.com> <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com>

How much is "buzz" worth? About the same as YouTube views. (In South Park speak, "theoretical dollars").

If you can't convert *positive* buzz into revenue, your marketing efforts will serve as nothing more than "brand awareness" campaigns.

By this point in the conversation, it should be obvious the buzz is turning negative:
a) overtones of disinterest due to dubious marketing,
b) people biting the bait on what seems to be a month long viral campaign that *still* has 15 more days to go before phase 2,
c) conversation shift from the mystery product, to debating whether the marketing works -- and we still don't know what's being marketed other than common sense ("You hate vendor lock-in, I hate vendor lock-in, let's be friends")

As for who...

As far as the campaign, any large, established networking vendor would need to undertake a dramatic shift in culture to promote a dual-vendor strategy for customers to undertake while not angering their shareholders, and I can't see that happening. (Cisco: haha, no; Foundry/Brocade: too busy looking for a buyer of *existing assets* to risk a large change in direction; Extreme: what?)

Next up are smaller networking vendors, who would benefit from a dual-vendor strategy, because they're probably not in the door of large enterprise/service provider networks to begin with.
For them, I'd imagine vendor lock-in is the holy grail, and an open strategy only works enough to get them in the door, but shoots them in the foot because it makes them more vulnerable to smaller, agile networking startups and migration utilities from larger vendors (for the telecom heads amongst you, think about CLEC in-fighting).

This leaves a network management software vendor. They would certainly profit from an open standard, which allows them access to manage formerly "proprietary" networks, and manage different vendors' equipment. The hurdle is to get manufacturers to adopt this standard... how do you do this cheaply, other than work the end-user up into a frenzy?

So, what network management startup do we know, that's based out of Texas?

For some more fun:

$ curl http://networkliberationmovement.net/wp-content/themes/nlm-micro/style.css
/*
Theme Name: Network Liberation Movement
Description: Microsite
Version: 1.0
Author: Michael Gilbert for RAPP
Author URI: http://www.rapp.com/
*/

oo

On Sat, Oct 31, 2009 at 1:13 PM, christian koch wrote:
> On Sat, Oct 31, 2009 at 10:35 AM, Chris Grundemann wrote:
>
>> On Fri, Oct 30, 2009 at 15:15, christian koch wrote:
>> > looks as if its working based on the activity in this thread...
>>
>> I think someone has to actually buy something, because of the chatter,
>> for it to be working...
>>
>
> what if there is nothing to buy? its clearly not a direct marketing
> initiative, they're trying to create some interest as to what this
> "movement" is going to be about
>
> my point is that it is successful because they are getting a response,
> people are talking about it, the initial poster alone exposed the site,
> which caused feedback... and is creating a buzz, that is the point...IMO
>
>
> -christian
>

From ck at sandcastl.es Mon Nov 2 01:34:01 2009
From: ck at sandcastl.es (christian koch)
Date: Sun, 1 Nov 2009 22:34:01 -0800
Subject: [c-nsp] [j-nsp] Network Liberation Movement???
References: <4AEAF6B8.2090606@att.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3BE0@LMC-MAIL2.exempla.org> <5210A1C9084123478E12AA5924D1F253FBBCE9@w3usmia2.lat.gblxint.com> <8c308e8b0910301415t3b5c2d01n440e57bcf044992@mail.gmail.com> <443de7ad0910311035p2506ae77qbafd235bb4a59397@mail.gmail.com> <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com>
Message-ID: <8c308e8b0911012234k43a7a1e1nd3370378bc039824@mail.gmail.com>

On Sun, Nov 1, 2009 at 9:54 PM, Omachonu Ogali wrote:

> How much is "buzz" worth? About the same as YouTube views. (In South Park
> speak, "theoretical dollars").
>
> If you can't convert *positive* buzz into revenue, your marketing efforts
> will serve as nothing more than "brand awareness" campaigns.
>
> By this point in the conversation, it should be obvious the buzz is turning
> negative:
> a) overtones of disinterest due to dubious marketing,
> b) people biting the bait on what seems to be a month long viral campaign
> that *still* has 15 more days to go before phase 2,
> c) conversation shift from the mystery product, to debating whether the
> marketing works -- and we still don't know what's being marketed other than
> common sense ("You hate vendor lock-in, I hate vendor lock-in, let's be
> friends")
>

well said, and agreed

-ck

From eng_mssk at hotmail.com Mon Nov 2 02:39:24 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 2 Nov 2009 09:39:24 +0200
Subject: [c-nsp] Network KPI

hey all

we work in a WiMAX operator, and i was wondering what are the best parameters to include in our KPI?
From masood at nexlinx.net.pk Mon Nov 2 03:49:14 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Mon, 2 Nov 2009 13:49:14 +0500 (PKT)
Subject: [c-nsp] Network KPI
Message-ID: <22278.196.46.241.57.1257151754.squirrel@nexmail1.nexlinx.net.pk>

Key Performance Indicators (KPIs) can tell you how the network is performing according to certain parameters, but the chosen metrics may not be relevant to certain service classes. And if these are the ones that deliver the most revenue, operators could find themselves in trouble.

Key Quality Indicators (KQIs) are typically a combination of several KPIs that can tell operators more about the end-user experience and usage patterns.

To determine what the KPIs and KQIs should be on a WiMAX or any TCP/IP network, it must be borne in mind what customers are most interested in: fast access, good service quality and mobility. Consequently, KPIs can be focused on network procedures--such as attach, authentication, authorisation and creation/activation--which determine access (fast access to services is defined by the success of and speed of access to HTTP servers, to MMS centers, and to other dedicated services that could be offered via the operator's portal).

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

>
> hey all
>
> we work in a WiMAX operator , and i was wondering what are the best
> parameters to include in our KPI?
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From eng_mssk at hotmail.com Mon Nov 2 05:27:32 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 2 Nov 2009 12:27:32 +0200
Subject: [c-nsp] ME Route issue

hi all

i have 2 switches
ME-C3750-24TE with IOS c3750me-i5-mz.122-35.SE5.bin
i defined an interface VLAN (management)

int vlan 1
 ip add 10.0.0.2 255.255.255.224

and defined a default route

ip route 0.0.0.0 0.0.0.0 10.0.0.1

when i issue the command show ip route 0.0.0.0

router#sh ip route 0.0.0.0
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

i have another device cisco ME-C6524GT-8S with IOS s6523-advipservicesk9-mz.122-18.ZU2.bin

its configured the same way
but when issuing the show ip route or show ip route 0.0.0.0

router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

     10.0.0.0/27 is subnetted, 1 subnets
C       10.0.0.96 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 10.0.0.3

is that normal ??

Thanks in advance
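Added example (not from the thread or any Cisco code): a small audit that reads a Catalyst running-config and flags the state behind the "Default gateway is not set" output above, namely a static route configured while ip routing is disabled, plus the two related mismatches (no ip default-gateway on an L2-only switch, and ip default-gateway left in place after routing is enabled). The sample configs are constructed to mirror the ME-3750 case.

```python
import re

# Remediation text per finding code; the commands named are standard IOS ones.
REMEDIATION = {
    "STATIC_ROUTES_WITHOUT_IP_ROUTING":
        "ip route statements are not used while ip routing is disabled; "
        "enable it with 'ip routing' in global configuration mode",
    "NO_DEFAULT_GATEWAY":
        "with ip routing disabled the switch reaches off-subnet hosts only via "
        "'ip default-gateway <addr>', which is not configured",
    "DEFAULT_GATEWAY_IGNORED":
        "'ip default-gateway' is ignored once ip routing is enabled; "
        "use 'ip route 0.0.0.0 0.0.0.0 <next-hop>' instead",
}


def svi_addresses(lines):
    """Return {svi_name: ip-address-line} for every SVI carrying an IP address."""
    result, current = {}, None
    for ln in lines:
        if re.match(r"interface\s+Vlan\d+", ln, re.IGNORECASE):
            current = ln.split(None, 1)[1]
        elif ln and not ln[0].isspace():      # any other top-level line ends the stanza
            current = None
        elif current and ln.strip().startswith("ip address "):
            result[current] = ln.strip()
    return result


def audit_routing(config_text):
    """Audit a Catalyst running-config and return a list of finding codes.
    An empty list means the routing-related statements are consistent."""
    lines = config_text.splitlines()
    top = [ln.strip() for ln in lines if ln and not ln[0].isspace()]
    # 'ip routing' shows near the top of the config when enabled; absence
    # (or an explicit 'no ip routing') means the switch is L2-only.
    routing_enabled = "ip routing" in top and "no ip routing" not in top
    static_routes = [ln for ln in top if ln.startswith("ip route ")]
    default_gw = [ln for ln in top if ln.startswith("ip default-gateway ")]
    svis = svi_addresses(lines)

    findings = []
    if not routing_enabled:
        if static_routes:
            findings.append("STATIC_ROUTES_WITHOUT_IP_ROUTING")
        if svis and not default_gw:
            findings.append("NO_DEFAULT_GATEWAY")
    elif default_gw:
        findings.append("DEFAULT_GATEWAY_IGNORED")
    return findings


# Constructed sample mirroring the ME-3750 symptom: a management SVI and a
# static default route, but no 'ip routing' line anywhere in the config.
L2_SWITCH_CONFIG = """\
hostname ME-3750
!
ip subnet-zero
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.224
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
end
"""

# The same config with routing enabled (constructed).
ROUTED_SWITCH_CONFIG = L2_SWITCH_CONFIG.replace("ip subnet-zero\n",
                                                "ip subnet-zero\nip routing\n")

if __name__ == "__main__":
    for name, cfg in (("L2-only", L2_SWITCH_CONFIG), ("routed", ROUTED_SWITCH_CONFIG)):
        codes = audit_routing(cfg)
        print(name, "->", codes or "consistent")
        for code in codes:
            print("  ", REMEDIATION[code])
```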
From masood at nexlinx.net.pk Mon Nov 2 05:49:17 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Mon, 2 Nov 2009 15:49:17 +0500 (PKT)
Subject: [c-nsp] ME Route issue
Message-ID: <52035.196.46.241.57.1257158957.squirrel@nexmail1.nexlinx.net.pk>

check the show running-configuration. verify whether ip routing is enabled. The command, if enabled, appears towards the top of the output.

hostname SW
!
!
ip subnet-zero
ip routing

if not then enable routing on the switch by using the ip routing command.

SW(config)#ip routing

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

>
> hi all
>
> i have 2 switches
> ME-C3750-24TE with IOS c3750me-i5-mz.122-35.SE5.bin
> i defined an interface VLAN (management)
> int vlan 1
> ip add 10.0.0.2 255.255.255.224
>
> and defined a default route
> ip route 0.0.0.0 0.0.0.0 10.0.0.1
>
> when i issue the command show ip route 0.0.0.0
> router#sh ip route 0.0.0.0
> Default gateway is not set
>
> Host Gateway Last Use Total Uses Interface
> ICMP redirect cache is empty
>
> i have another device cisco ME-C6524GT-8S with IOS
> s6523-advipservicesk9-mz.122-18.ZU2.bin
>
> its configured the same way
> but when issuing the show ip route or show ip route 0.0.0.0
>
> router#sh ip route
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
> i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
> level-2
> ia - IS-IS inter area, * - candidate default, U - per-user static
> route
> o - ODR, P - periodic downloaded static route
>
> Gateway of last resort is 10.0.0.1 to network 0.0.0.0
>
> 10.0.0.0/27 is subnetted, 1 subnets
> C 10.0.0.96 is directly
> connected, Vlan1
> S* 0.0.0.0/0 [1/0] via 10.0.0.3
>
> is that normal ??
>
>
> Thanks in advance
>

From bluffmaster4hearts at gmail.com Mon Nov 2 06:35:03 2009
From: bluffmaster4hearts at gmail.com (bharath kondi)
Date: Mon, 2 Nov 2009 19:35:03 +0800
Subject: [c-nsp] Can Ping Websites but cannot browse.
Message-ID: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>

Dear All,

I have a strange situation, I can browse the websites but cannot browse them.

Please share your finding with me.

Thanks and Regards,
Bharath

From p.mayers at imperial.ac.uk Mon Nov 2 07:34:56 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 02 Nov 2009 12:34:56 +0000
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
Message-ID: <4AEED1F0.5050007@imperial.ac.uk>

bharath kondi wrote:
> Dear All,
>
> I have a strange situation, I can browse the websites but cannot browse
> them.

Check for MTU issues

From yanf787 at yahoo.com Mon Nov 2 07:58:39 2009
From: yanf787 at yahoo.com (Yan Filyurin)
Date: Mon, 2 Nov 2009 04:58:39 -0800 (PST)
Subject: [c-nsp] is L2TPv3 right for me?
In-Reply-To: <20091101201609.GA6221@danton.fire-world.de>
References: <290EF89F13F04F4E924BB235A46D18F1043B4D24DB@MLBMXUS2.cs.myharris.net> <20091101201609.GA6221@danton.fire-world.de>
Message-ID: <994248.36438.qm@web58702.mail.re1.yahoo.com>

I would agree with that and I was testing it some time ago and tests involved ISRs, 7206-G1 and 10720 and 10720 was the only device that could do this and even Cisco was surprised. L2TPv3 is not supported in hardware of most devices and in case of 10720 it just had enough processing power. With larger frames, the throughput would increase as there would be less packets to encapsulate, but I never saw with 1400 byte frames anything that went beyond 100 Mbps. EoMPLS might be a better choice (still not sure about G1) and they might just bring L2TPv3 to ASR one day, unless they already did.

________________________________
From: Sebastian Wiesinger
To: cisco-nsp at puck.nether.net
Sent: Sun, November 1, 2009 3:16:09 PM
Subject: Re: [c-nsp] is L2TPv3 right for me?

* Church, Charles [2009-10-31 18:59]:
> Hey all,
>
> destinations are sent across, etc)... The link provided will
> be gigabit, but with encryption overhead, probably need at
> most 900 mbit throughput, mostly using full-size frames as
> traffic will be mostly migration data. I've got a couple
> 7206s available with NPE-G1. I'm thinking that will work.
> Any thoughts?

I don't have numbers at the moment but IIRC NPE-G1 can't handle anything near 900MBit/s of L2TPv3 traffic..

Regards,

Sebastian

--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From Bret.Jaquish at Navistar.com Mon Nov 2 09:01:19 2009
From: Bret.Jaquish at Navistar.com (Jaquish, Bret)
Date: Mon, 2 Nov 2009 08:01:19 -0600
Subject: [c-nsp] ubr npe-g2 vs 7200 npe-g2
In-Reply-To: <20091030220727.GL163@greenie.muc.de>
References: <089163D0929CFA4EA9611E1BC86D97530238B4727B@BRKSVW125.ad.navistar.com> <20091030220727.GL163@greenie.muc.de>
Message-ID: <089163D0929CFA4EA9611E1BC86D97530238DC3621@BRKSVW125.ad.navistar.com>

Again this is only concerning the NPE-G1 according to them.. (I can only go by what Cisco is saying, since I don't know myself)

"The Cisco 7200 VXR routers and Cisco uBR7200 series routers use different models of the NPE-G1 processor"

According to them....
1. The Processors are different.
2. They have different labels (duh).
3. They use different boot helper images (maybe because of the different processor?).

I wish I had a spare to test it out with. If anyone has both, it would be interesting to see the differences.

Bret

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: Friday, October 30, 2009 5:07 PM
To: Jaquish, Bret
Cc: Joe Pruett; Arie Vayner (avayner); cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ubr npe-g2 vs 7200 npe-g2

Hi,

On Fri, Oct 30, 2009 at 02:40:15PM -0500, Jaquish, Bret wrote:
> The NPE-G1 cards have a more detailed explanation:
>
> "The Cisco 7200 VXR routers and Cisco uBR7200 series routers use different models of the NPE-G1 processor. For the Cisco 7200 VXR routers, order the NPE-G1 or NPE-G1= product. For the Cisco uBR7200 series router, order the UBR7200-NPE-G1 or UBR7200-NPE-G1= product.
> The two models of NPE-G1 have different labels and use different boot helper images, and they cannot be interchanged between the Cisco 7200 VXR routers and Cisco uBR7200 series routers."

I'm not sure if I find "have different labels" a compelling reason for not being interchangeable (or having different PPS specs).

Boot helper is one of the most misunderstood parts of the 7200 series anyway... (*and* it can be changed).

gert

--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From eng_mssk at hotmail.com Mon Nov 2 09:35:40 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 2 Nov 2009 16:35:40 +0200
Subject: [c-nsp] WiMAX CPE Traffic

our WiMAX CPEs are not SNMP enabled
is there anyway that we can graph or know the traffic of each customer??

Thanks in advance
From rubensk at gmail.com Mon Nov 2 09:47:47 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Mon, 2 Nov 2009 12:47:47 -0200
Subject: [c-nsp] WiMAX CPE Traffic
Message-ID: <6bb5f5b10911020647w4cee12d9t7547563c91719d83@mail.gmail.com>

If you are talking about BreezeMAX 802.16d CPEs, the BreezeMAX 802.16d BST have specific OIDs for graphing the per-CPE or per-service flow traffic.

If your customers have one VLAN each, you can graph on the Cisco device using the VLAN or Interface VLAN counters. If all customers share a single VLAN, you will probably have to look at another way to measure their traffic (like RADIUS Stop and interim records).

Rubens

2009/11/2 Mohammad Khalil :
>
> our WiMAX CPEs are not SNMP enabled
> is there anyway that we can graph or know the traffic of each customer??
>
> Thanks in advance

From philxor at gmail.com Mon Nov 2 09:54:03 2009
From: philxor at gmail.com (Phil Bedard)
Date: Mon, 2 Nov 2009 09:54:03 -0500
Subject: [c-nsp] WiMAX CPE Traffic

Netflow?

Phil

On Nov 2, 2009, at 9:35 AM, Mohammad Khalil wrote:
>
> our WiMAX CPEs are not SNMP enabled
> is there anyway that we can graph or know the traffic of each
> customer??
>
> Thanks in advance
>
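Added example (not from the thread or any vendor code): per-customer byte counts built from RADIUS Interim-Update and Stop accounting records, the approach Rubens suggests for customers sharing one VLAN. The detail-file records are constructed; the code allows for the octet counters being cumulative per session, for duplicated records, and for Acct-*-Gigawords carrying the 32-bit counter wraps.

```python
import re
from collections import defaultdict

GIGAWORD = 2 ** 32   # Acct-*-Gigawords counts 4 GiB wraps of the 32-bit octet counters

# Constructed sample in the one-attribute-per-line style of a RADIUS accounting
# detail file. Session s1 of cust-a sends two interim updates (the second one
# duplicated, as a retransmit would be) and then a Stop; cust-b's single
# session has wrapped its output counter once.
SAMPLE_DETAIL = """\
Mon Nov  2 10:00:00 2009
\tUser-Name = "cust-a"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "s1"
\tAcct-Input-Octets = 1000
\tAcct-Output-Octets = 5000

Mon Nov  2 10:05:00 2009
\tUser-Name = "cust-a"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "s1"
\tAcct-Input-Octets = 2000
\tAcct-Output-Octets = 9000

Mon Nov  2 10:05:01 2009
\tUser-Name = "cust-a"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "s1"
\tAcct-Input-Octets = 2000
\tAcct-Output-Octets = 9000

Mon Nov  2 10:10:00 2009
\tUser-Name = "cust-a"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "s1"
\tAcct-Input-Octets = 2500
\tAcct-Output-Octets = 12000

Mon Nov  2 10:10:00 2009
\tUser-Name = "cust-b"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "s7"
\tAcct-Input-Octets = 300
\tAcct-Output-Octets = 100
\tAcct-Output-Gigawords = 1
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_detail(text):
    """Yield one dict of attributes per accounting record in detail-file format."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines()[1:]:        # line 0 is the timestamp
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
        if attrs:
            yield attrs


def octets(rec, direction):
    """Combine the 32-bit octet counter with its Gigawords wrap counter."""
    low = int(rec.get("Acct-%s-Octets" % direction, 0))
    high = int(rec.get("Acct-%s-Gigawords" % direction, 0))
    return high * GIGAWORD + low


def per_customer_totals(text):
    """Return {user: (input_octets, output_octets)} summed over sessions.
    Counters in Interim-Update and Stop records are cumulative for the
    session, so each session contributes the largest value seen, which also
    makes duplicated or reordered records harmless; only then are the
    per-session figures added up per customer."""
    per_session = defaultdict(lambda: [0, 0])
    for rec in parse_detail(text):
        if rec.get("Acct-Status-Type") not in ("Interim-Update", "Stop"):
            continue                                # Start carries no usage
        key = (rec.get("User-Name"), rec.get("Acct-Session-Id"))
        cur = per_session[key]
        cur[0] = max(cur[0], octets(rec, "Input"))
        cur[1] = max(cur[1], octets(rec, "Output"))
    totals = defaultdict(lambda: [0, 0])
    for (user, _), (inp, out) in per_session.items():
        totals[user][0] += inp
        totals[user][1] += out
    return {user: tuple(v) for user, v in totals.items()}


if __name__ == "__main__":
    for user, (inp, out) in sorted(per_customer_totals(SAMPLE_DETAIL).items()):
        print("%-8s in=%d out=%d" % (user, inp, out))
```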
From zeusdadog at gmail.com Mon Nov 2 09:55:33 2009
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 2 Nov 2009 09:55:33 -0500
Subject: [c-nsp] Cisco vs. Juniper
Message-ID: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com>

All,

For various reasons, I have never really gotten into researching Juniper products. It seems time for me to start looking into it but it seems daunting because their products are as vast as Cisco. Knowing Cisco products and those little caveats, I am sure Juniper has the same things with various products that you won't find until you either start using it or read mailing lists for 3 years.

Anyway, the reason for posting to Cisco-NSP list is, not so much about asking about Juniper products but those who have looked at both and decided to go with Cisco, what made you go with Cisco? We are not at the level to use 7600/NX/CSR yet and more interested in ASA/ISR equivalent for customer side use.

I know this is kind of a general question but it would be helpful.

Thanks!

Jay Nakamura

From alex at digriz.org.uk Mon Nov 2 09:26:24 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Mon, 2 Nov 2009 14:26:24 +0000
Subject: [c-nsp] Can Ping Websites but cannot browse.
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk>

Phil Mayers wrote:
>
> bharath kondi wrote:
>>
>> I have a strange situation, I can browse the websites but cannot browse
>> them.
>
> Check for MTU issues
>
It is pretty impressive to screw up non-SSLed traffic with an MTU issue, I would be more inclined to think it's something else.
Real Men(tm) use tcptraceroute:
----
alex at chipmunk:~$ tcptraceroute www.google.com 80
Selected device bond0, address 195.195.131.226, port 47429 for outgoing packets
Tracing the path to www.google.com (209.85.227.106) on TCP port 80 (www), 30 hops max
 1  no-reverse-defined.ja.net (195.195.131.225)  0.324 ms  0.243 ms  0.241 ms
 2  so-1-3-2.read-sbr1.ja.net (146.97.34.157)  0.762 ms  0.752 ms  0.750 ms
 3  so-6-0-0.lond-sbr3.ja.net (146.97.33.166)  2.020 ms  2.047 ms  2.191 ms
 4  te1-1.lond-ban3.ja.net (146.97.35.98)  2.345 ms  2.236 ms  2.142 ms
 5  google.lond-ban3.ja.net (193.62.157.30)  2.206 ms  2.228 ms  2.218 ms
 6  209.85.252.76  8.794 ms  2.399 ms  2.358 ms
 7  72.14.232.134  8.328 ms  8.423 ms  8.225 ms
 8  216.239.49.45  8.280 ms  8.370 ms  8.287 ms
 9  209.85.243.93  13.284 ms  8.821 ms  17.787 ms
10  * * *
11  * * *
12  wy-in-f106.1e100.net (209.85.227.106) [open]  9.765 ms  9.779 ms  9.753 ms
----
....they also give a descriptive breakdown of the problem they are having, what their setup is, any logs and also what they have tried already.

However this is reply to Phil not the OP... :)

Cheers

--
Alexander Clouter
.sigmonster says: Am I SHOPLIFTING?

From Ian.Mackinnon at atosorigin.com Mon Nov 2 10:14:47 2009
From: Ian.Mackinnon at atosorigin.com (Mackinnon, Ian)
Date: Mon, 2 Nov 2009 15:14:47 +0000
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com>
Message-ID: <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com>

Hi Jay,

In the past I have compared M7i with ASR1k

The major comparison seemed to be that for about the same sort of money Cisco gave you a box with 4 Gig interfaces present whilst J gave you one, and adding more was very expensive.

Throughputs would have been about the same, and one thing that bit us on the Juniper side was you can't hope to use Netflow in a real environment without an expensive services PIC.
Ian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
Sent: 02 November 2009 14:56
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco vs. Juniper

All,

For various reasons, I have never really gotten into researching Juniper products. It seems time for me to start looking into it but it seems daunting because their products are as vast as Cisco. Knowing Cisco products and those little caveats, I am sure Juniper has the same things with various products that you won't find until you either start using it or read mailing lists for 3 years.

Anyway, the reason for posting to Cisco-NSP list is, not so much about asking about Juniper products but those who have looked at both and decided to go with Cisco, what made you go with Cisco? We are not at the level to use 7600/NX/CSR yet and more interested in ASA/ISR equivalent for customer side use.

I know this is kind of a general question but it would be helpful.

Thanks!

Jay Nakamura
Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. Atos Origin therefore can accept no liability for any errors or their content. Although Atos Origin endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with Atos Origin by email.
_______________________________________________________

From p.mayers at imperial.ac.uk Mon Nov 2 10:37:43 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 02 Nov 2009 15:37:43 +0000
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To:
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk>
Message-ID: <4AEEFCC7.10505@imperial.ac.uk>

Alexander Clouter wrote:
> Phil Mayers wrote:
>> bharath kondi wrote:
>>> I have a strange situation, I can browse the websites but cannot browse
>>> them.
>> Check for MTU issues
>>
> It is pretty impressive to screw up non-SSLed traffic with an MTU
> issue, I would be more inclined to think it's something else.

That directly contradicts my experience. I have observed widespread failures with ordinary HTTP traffic when MTU problems occur.

It depends very much on the website you're hitting and their architecture, as well as the nature of the MTU problem.

From sthaug at nethelp.no Mon Nov 2 10:52:54 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 02 Nov 2009 16:52:54 +0100 (CET)
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com>
Message-ID: <20091102.165254.74705593.sthaug@nethelp.no>

> In the past I have compared M7i with ASR1k

The M7i is getting a bit long in the tooth, so a better comparison might be ASR1k vs MX80. One important difference if you need a box *now* is of course that MX80 has been announced but I haven't seen it in the price lists yet.

> The major comparison seemed to be that for about the same sort of money
> Cisco gave you a box with 4 Gig interfaces present whilst J gave you
> one, and adding more was very expensive.

Agreed, full capacity GigE ports on the M7i are expensive. However, the (overbooked) 4 port IQ2 works very well.

> Throughputs would have been about the same, and one thing that bit us on
> the Juniper side was you can't hope to use Netflow in a real environment
> without an expensive services PIC.

Here I'd have to disagree. Sampled netflow works very well without a services PIC. If you don't do sampling the situation is different.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From sthaug at nethelp.no Mon Nov 2 11:12:44 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 02 Nov 2009 17:12:44 +0100 (CET)
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com>
Message-ID: <20091102.171244.41672267.sthaug@nethelp.no>

> Anyway, the reason for posting to Cisco-NSP list is, not so much about
> asking about Juniper products but those who have looked at both and
> decided to go with Cisco, what made you go with Cisco? We are not at
> the level to use 7600/NX/CSR yet and more interested in ASA/ISR
> equivalent for customer side use.
For the CPE side we've stuck to 800/1800/2800/3800 for the simple reason that the relevant employees had lots of Cisco experience, and the Juniper J series didn't have enough interesting features/higher capacity/lower cost that we had a reason to start using it. We have a couple in the lab...

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From oliver.gorwits at oucs.ox.ac.uk Mon Nov 2 11:25:58 2009
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Mon, 02 Nov 2009 16:25:58 +0000
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
Message-ID: <4AEF0816.9000403@oucs.ox.ac.uk>

bharath kondi wrote:
> I have a strange situation, I can browse the websites but cannot browse
> them.

Could there be a near-dead media converter in your path? I have seen this happen once or twice. If it feels like you could fry an egg on it, swap it out.

regards,
oliver.

-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services

From gsgranados at comcast.net Mon Nov 2 11:29:43 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 2 Nov 2009 08:29:43 -0800
Subject: [c-nsp] Can Ping Websites but cannot browse.
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <4AEEFCC7.10505@imperial.ac.uk>
Message-ID: <001501ca5bd9$b5de3530$2508120a@am.thmulti.com>

I second that. I've seen this as an MTU problem more times than not.
----- Original Message -----
From: "Phil Mayers"
To: "Alexander Clouter"
Cc:
Sent: Monday, November 02, 2009 7:37 AM
Subject: Re: [c-nsp] Can Ping Websites but cannot browse.

> Alexander Clouter wrote:
>> Phil Mayers wrote:
>>> bharath kondi wrote:
>>>> I have a strange situation, I can browse the websites but cannot browse
>>>> them.
>>> Check for MTU issues
>>>
>> It is pretty impressive to screw up non-SSLed traffic with an MTU
>> issue, I would be more inclined to think it's something else.
>
> That directly contradicts my experience. I have observed widespread
> failures with ordinary HTTP traffic when MTU problems occur.
>
> It depends very much on the website you're hitting and their architecture,
> as well as the nature of the MTU problem.

From prospanogi at gmail.com Mon Nov 2 11:51:26 2009
From: prospanogi at gmail.com (Giuseppe Spano)
Date: Mon, 2 Nov 2009 17:51:26 +0100
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <001501ca5bd9$b5de3530$2508120a@am.thmulti.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <4AEEFCC7.10505@imperial.ac.uk> <001501ca5bd9$b5de3530$2508120a@am.thmulti.com>
Message-ID: <7bcb682b0911020851p2d55d40cs346b4cfddaf90f28@mail.gmail.com>

Bharath,

try to ping the site you cannot browse with increasing ICMP payloads and see if/when you stop receiving echo replies. This could give a final idea about the nature of the problem.

Regards,
Giuseppe

On Mon, Nov 2, 2009 at 5:29 PM, Scott Granados wrote:
> I second that. I've seen this as an MTU problem more times than not.
>
> ----- Original Message -----
> From: "Phil Mayers"
> To: "Alexander Clouter"
> Cc:
> Sent: Monday, November 02, 2009 7:37 AM
> Subject: Re: [c-nsp] Can Ping Websites but cannot browse.
>
>> Alexander Clouter wrote:
>>> Phil Mayers wrote:
>>>> bharath kondi wrote:
>>>>> I have a strange situation, I can browse the websites but cannot browse
>>>>> them.
>>>> Check for MTU issues
>>>>
>>> It is pretty impressive to screw up non-SSLed traffic with an MTU
>>> issue, I would be more inclined to think it's something else.
>>
>> That directly contradicts my experience. I have observed widespread
>> failures with ordinary HTTP traffic when MTU problems occur.
>>
>> It depends very much on the website you're hitting and their architecture,
>> as well as the nature of the MTU problem.
>

From Jonathan.Brashear at hq.speakeasy.net Mon Nov 2 11:52:41 2009
From: Jonathan.Brashear at hq.speakeasy.net (Jonathan Brashear)
Date: Mon, 2 Nov 2009 08:52:41 -0800
Subject: [c-nsp] ASA VPN best practices request
Message-ID: <725755F5E728EE4086DAAF1A54DACF4F1A2F24E2E9@sea5exbe1.speakeasy.hq>

One of my current projects at work is to overhaul the configs on the customer firewalls, specifically the ASA 5500 series. I'm trying to adapt & standardize current config templates, especially the implementation side & even more specifically how we handle NAT & VPN setups.
If anyone has suggestions on best practices of how to implement standard builds on VPNs (both client & clientless) running in a NATed environment (common pitfalls to avoid, etc.) or good sites dealing with this beyond the Cisco KB/forums, I'd appreciate it.

Network Engineer, JNCIS-M
> 214-981-1954 (office)
> 214-642-4075 (cell)
> jbrashear at hq.speakeasy.net
http://www.speakeasy.net

From Ian.Mackinnon at atosorigin.com Mon Nov 2 12:14:30 2009
From: Ian.Mackinnon at atosorigin.com (Mackinnon, Ian)
Date: Mon, 2 Nov 2009 17:14:30 +0000
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102.165254.74705593.sthaug@nethelp.no>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no>
Message-ID: <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>

Not wanting to disagree with the mighty Steinar :-)

If you have any significant amount of traffic you need to be sampling at over 1/1000 or you will kill the link to the main CPU. Juniper and our 3rd party support company explicitly said "don't do it".

We had a couple of incidents where our traffic went to a full 1G and our 1/100 sampling totally killed the box.

Up until then, I thought if an M7i did anything, it did it at full line rate, always.

Ian

-----Original Message-----
From: sthaug at nethelp.no [mailto:sthaug at nethelp.no]
Sent: 02 November 2009 15:53
To: Mackinnon, Ian
Cc: zeusdadog at gmail.com; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco vs. Juniper

> In the past I have compared M7i with ASR1k

The M7i is getting a bit long in the tooth, so a better comparison might be ASR1k vs MX80. One important difference if you need a box *now* is of course that MX80 has been announced but I haven't seen it in the price lists yet.
> The major comparison seemed to be that for about the same sort of money
> Cisco gave you a box with 4 Gig interfaces present whilst J gave you
> one, and adding more was very expensive.

Agreed, full capacity GigE ports on the M7i are expensive. However, the (overbooked) 4 port IQ2 works very well.

> Throughputs would have been about the same, and one thing that bit us on
> the Juniper side was you can't hope to use Netflow in a real environment
> without an expensive services PIC.

Here I'd have to disagree. Sampled netflow works very well without a services PIC. If you don't do sampling the situation is different.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
From cluestore at gmail.com Mon Nov 2 12:25:13 2009
From: cluestore at gmail.com (Clue Store)
Date: Mon, 2 Nov 2009 11:25:13 -0600
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <4AEED1F0.5050007@imperial.ac.uk>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk>
Message-ID: <580af3b90911020925r2d7d3dcfg9473e985794ec330@mail.gmail.com>

mturoute is your friend.....

http://www.elifulkerson.com/projects/mturoute.php

On Mon, Nov 2, 2009 at 6:34 AM, Phil Mayers wrote:
> bharath kondi wrote:
>
>> Dear All,
>>
>> I have a strange situation, I can browse the websites but cannot browse
>> them.
>>
>
> Check for MTU issues
>

From ras at e-gerbil.net Mon Nov 2 12:29:24 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 2 Nov 2009 11:29:24 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102.165254.74705593.sthaug@nethelp.no>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no>
Message-ID: <20091102172924.GT51443@gerbil.cluepon.net>

On Mon, Nov 02, 2009 at 04:52:54PM +0100, sthaug at nethelp.no wrote:
> > In the past I have compared M7i with ASR1k
>
> The M7i is getting a bit long in the tooth, so a better comparison
> might be ASR1k vs MX80. One important difference if you need a box
> *now* is of course that MX80 has been announced but I haven't seen it
> in the price lists yet.
They're actually coming out with (or may already be shipping, I don't follow these boxes that closely) a replacement CFEB for M7i/M10i which uses the I-Chip (the same fwding hw as M120 and the current generation of MX). This should give it a slightly longer shelf life, as it will add a bunch of modern features and some additional fib capacity that didn't exist in the old hardware.

Still though, this is a very old box (it came out in 2003, as a lower production cost refresh on the M5/M10 which came out in 2000). The CFEB won't fix the very limited capacity, so it wouldn't be a fair comparison against a modern box. MX80 would indeed be a much closer comparison, though the feature set is still pretty different.

> Here I'd have to disagree. Sampled netflow works very well without a
> services PIC. If you don't do sampling the situation is different.

IIRC the default limit for sampled netflow (at least on M7i generation platforms, I can't speak to MX80 or the like) was 7000pps per FPC. So if for example you sampled every 1:1024 packets this would be good for 7.1Mpps of analyzed traffic per FPC (i.e. more than the box will ever be able to forward).

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F  CC1C 53AF 4C41 5ECA F8B1 2CBC)

From cluestore at gmail.com Mon Nov 2 12:41:18 2009
From: cluestore at gmail.com (Clue Store)
Date: Mon, 2 Nov 2009 11:41:18 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>
Message-ID: <580af3b90911020941r46ae845bk579771a631ef1bd6@mail.gmail.com>

Juniper supports sFlow which can run at higher speeds (full line rate described in their docs) which is what we use.

As far as the Cisco vs Juniper argument, we make use of both vendors on our network. For CPE, it's almost hard to beat Cisco with feature set and price. Also, as Steinar mentioned, Junos has a little learning curve for someone that's never used it before and is branded in the Cisco Kool-Aid. We also use Cisco 7600/6500 in our core. For edge/internet peering, we use Juniper M series. IMHO, up until a few years ago, before the ASR line came out, Cisco didn't have a router in that price range that could forward in hardware, so the M series for that role was a no brainer.

Clue

On Mon, Nov 2, 2009 at 11:14 AM, Mackinnon, Ian <Ian.Mackinnon at atosorigin.com> wrote:
> Not wanting to disagree with the mighty Steinar :-)
> If you have any significant amount of traffic you need to be sampling at
> over 1/1000 or you will kill the link to main cpu. Juniper and our 3rd
> party support company explicitly said "don't do it"
>
> We had a couple of incidents where our traffic went to a full 1G and our
> 1/100 sampling totally killed the box.
>
> Up until then, I thought if a M7i did anything, it did it at full line
> rate, always.
>
> Ian
>
>
> -----Original Message-----
> From: sthaug at nethelp.no [mailto:sthaug at nethelp.no]
> Sent: 02 November 2009 15:53
> To: Mackinnon, Ian
> Cc: zeusdadog at gmail.com; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco vs. Juniper
>
> > In the past I have compared M7i with ASR1k
>
> The M7i is getting a bit long in the tooth, so a better comparison
> might be ASR1k vs MX80. One important difference if you need a box
> *now* is of course that MX80 has been announced but I haven't seen it
> in the price lists yet.
>
> > The major comparison seemed to be that for about the same sort of money
> > Cisco gave you a box with 4 Gig interfaces present whilst J gave you
> > one, and adding more was very expensive.
>
> Agreed, full capacity GigE ports on the M7i are expensive. However,
> the (overbooked) 4 port IQ2 works very well.
>
> > Throughputs would have been about the same, and one thing that bit us on
> > the Juniper side was you can't hope to use Netflow in a real environment
> > without an expensive services PIC.
>
> Here I'd have to disagree. Sampled netflow works very well without a
> services PIC. If you don't do sampling the situation is different.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
From ras at e-gerbil.net Mon Nov 2 12:43:06 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 2 Nov 2009 11:43:06 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>
References: <20091102.165254.74705593.sthaug@nethelp.no> <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com>
Message-ID: <20091102174306.GU51443@gerbil.cluepon.net>

On Mon, Nov 02, 2009 at 05:14:30PM +0000, Mackinnon, Ian wrote:
> Not wanting to disagree with the mighty Steinar :-)
> If you have any significant amount of traffic you need to be sampling at
> over 1/1000 or you will kill the link to main cpu. Juniper and our 3rd
> party support company explicitly said "don't do it"
>
> We had a couple of incidents where our traffic went to a full 1G and our
> 1/100 sampling totally killed the box.

It is only a 100Mbps link between the routing engine and CFEB, but I don't think you'd be filling the port even with 1/100 sampling. You'd certainly overload the software sampling capacity, and I suppose you might bump a hard coded rate limit they never expected anyone to bump (which sounds like the case, if it broke regular forwarding). Don't do 1/100 sampling and you'll be fine. :)

> Up until then, I thought if a M7i did anything, it did it at full line
> rate, always.

Actually it doesn't do line rate forwarding either.
The "FPC1" component (the 4 main PIC slots) does a peak of 3.2Gbps full duplex, before taking into account jcell overhead (this is a limitation of access to the packet buffer memory). Under artificial conditions (65 byte packets, which consume 2 64-byte jcells) you can force performance down to just under 2.5Gbps. Remember the FPC1 was originally designed for OC48s back in 1998 when Cisco had nothing that could compete with it. It's a testament to the quality of the design that you can still use it for a couple GE's under non-extreme traffic conditions today (I don't see anyone still trying to use their 7500s to do the same :P), but obviously it's not going to compete with modern hardware.

At any rate, this is the wrong list so I'll stop responding with Juniper information unless you wanna move it over to j-nsp. :)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F  CC1C 53AF 4C41 5ECA F8B1 2CBC)

From moua0100 at umn.edu Mon Nov 2 12:51:54 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Mon, 02 Nov 2009 11:51:54 -0600
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <20091102172924.GT51443@gerbil.cluepon.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net>
Message-ID: <4AEF1C3A.3070601@umn.edu>

C-NSP Wizards:

Our Cisco account team seems to be touting the ASA appliance (in a cluster configuration) as the preferred solution for remote access client vpn (IPSec & SSL); as such my question then is: Is it possible to make an ASA be "vrf-aware"?
I will use vrf-aware IOS terminology to describe my goals:
* terminate remote access vpn client traffic on "outside" interface ("front-door vrf")
* re-direct decrypted traffic to "inside" interface ("inside vrf") towards enterprise apps

I tried to use the "group-policy" vlan mapping feature and only achieved some success to redirect traffic out different egress vlans/interface. Here are my findings why the vlan-mapping feature on the Cisco ASA will not work in our environment (I stand by this unless Cisco have other means that I do know of that will achieve "vrf-aware" connectivity from the ASA):
* vlan map can re-direct traffic out egress vlan (only at layer 2)
* layer 3 routes still needed from the ASA for outbound traffic to egress vlan
  + asa only allowed one default route in routed, single mode
* if this is to work for "vrf-aware" client vpn connection, I'm thinking a default route per egress vlan will be needed; I was not able to do this
* vlan mapping does work, but only for simple routing environments; not really geared for multiple VRFs that get connected to a MPLS backbone and border with BGP & OSPF inter-related workings

So I proceeded to consider a design that assumes that the ASA will only do remote access termination and leave the "vrf-awareness" ("vrf-enabled") capabilities to the underlying network; this is what I came up with:

vpn_host_1 <==> IP_Cloud <==> ASA_VPN-Pool-A <==> PBR_BlackBox <==> VRF_A
vpn_host_2 <==> IP_Cloud <==> ASA_VPN-Pool-B <==> PBR_BlackBox <==> VRF_B

* ASA strictly doing remote access ipsec/ssl client vpn termination; btw, this really simplifies the ASA config significantly
* ASA has ingress for client vpn termination & egress for decrypted traffic
* decrypted traffic handled by "black box" (in this case catalyst-3750 running router code) that does "policy based routing" based on source IP of client vpn ip pools

pros:
* ASA relegated to doing only client vpn termination
* simplified config per components
* PBR moved to another box to facilitate "vrf-aware" client vpn
  + simple routing on the ASA
* one default route
* no dynamic routing required

cons:
* more equipment needed in addition to ASA
* downstream failure may not trigger a VPN cluster member to be down (as it should in my opinion); what is needed is something like BFD (bi-directional forward detect) or some form of more intelligent route tracking (this may yet be possible; I've got to think more about this)
* overall design complexity increase because "vrf-enabled" moved off ASA

At minimum, I think this design will work for our needs; this design assumes additional complex components that I like to avoid if possible (PBR on a "black box" device). Let me know what folks think; I'd really appreciate any ideas or feedback.

** Note: if the ASA was truly VRF-aware like its IOS brethren then all of this extra complexity may be minimized.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

From ras at e-gerbil.net Mon Nov 2 13:09:22 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 2 Nov 2009 12:09:22 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <580af3b90911020941r46ae845bk579771a631ef1bd6@mail.gmail.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <61D4116B957C2843AACB49664C8AB223036C92EB@UKCWRX004.uk.int.atosorigin.com> <580af3b90911020941r46ae845bk579771a631ef1bd6@mail.gmail.com>
Message-ID: <20091102180922.GV51443@gerbil.cluepon.net>

On Mon, Nov 02, 2009 at 11:41:18AM -0600, Clue Store wrote:
> Juniper supports sFlow which can run at higher speeds (full line rate
> described in their docs) which is what we use.

Only the EX-series supports sFlow, not the real Juniper boxes.
And no you can't run anything close to 1:1 sampling on it, the limitations are roughly the same as with NetFlow since you're still talking about hardware sampling but software processing (and traversing the internal communications link to the RE with the sampled packets).

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F  CC1C 53AF 4C41 5ECA F8B1 2CBC)

From berghauz at gmail.com Mon Nov 2 13:42:00 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Mon, 2 Nov 2009 21:42:00 +0300
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
Message-ID: <13d85870911021042p68c606b5w128a02ffd76ef486@mail.gmail.com>

Hello.

Do you run an MPLS network? Maybe you need to look at the MPLS MTU? In any case, it's an MTU problem.

WBR
Aleksey Polyakoff
ICQ:9001016
Ogden Nash - "The trouble with a kitten is that when it grows up, it's always a cat."

2009/11/2 bharath kondi
> Dear All,
>
> I have a strange situation, I can browse the websites but cannot browse
> them.
>
> Please share your finding with me.
>
> Thanks and Regards,
>
> Bharath

From pl+list at pmacct.net Mon Nov 2 14:18:03 2009
From: pl+list at pmacct.net (Paolo Lucente)
Date: Mon, 2 Nov 2009 19:18:03 +0000
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102172924.GT51443@gerbil.cluepon.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net>
Message-ID: <20091102191803.GA22485@london.pmacct.net>

On Mon, Nov 02, 2009 at 11:29:24AM -0600, Richard A Steenbergen wrote:
> > Here I'd have to disagree. Sampled netflow works very well without a
> > services PIC. If you don't do sampling the situation is different.
>
> IIRC the default limit for sampled netflow (at least on M7i generation
> platforms, I can't speak to MX80 or the like) was 7000pps per FPC. So if
> for example you sampled every 1:1024 packets this would be good for
> 7.1Mpps of analyzed traffic per FPC (i.e. more than the box will ever be
> able to forward).

Capacity apart, another good subject for the thread is that without a services DPC, you are realistically trapped to NetFlow v5, which these days might or might not be a problem. IPv6, 32-bit ASNs, L2 information come to mind ... At least, this is so far.

Cheers,
Paolo

From ploopster at gmail.com Mon Nov 2 14:20:24 2009
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Mon, 02 Nov 2009 14:20:24 -0500
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com>
Message-ID: <4AEF30F8.6070205@gmail.com>

bharath kondi wrote:
> Dear All,
>
> I have a strange situation, I can browse the websites but cannot browse
> them.
>
> Please share your finding with me.

That's often caused by MTU problems. Are you on an ADSL line?

Peace... Sridhar

From ploopster at gmail.com Mon Nov 2 14:22:30 2009
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Mon, 02 Nov 2009 14:22:30 -0500
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <4AEEFCC7.10505@imperial.ac.uk>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <4AEEFCC7.10505@imperial.ac.uk>
Message-ID: <4AEF3176.9010908@gmail.com>

Phil Mayers wrote:
> Alexander Clouter wrote:
>> Phil Mayers wrote:
>>> bharath kondi wrote:
>>>> I have a strange situation, I can browse the websites but cannot browse
>>>> them.
>>> Check for MTU issues
>>>
>> It is pretty impressive to screw up non-SSLed traffic with an MTU
>> issue, I would be more inclined to think it's something else.
>
> That directly contradicts my experience. I have observed widespread
> failures with ordinary HTTP traffic when MTU problems occur.
>
> It depends very much on the website you're hitting and their
> architecture, as well as the nature of the MTU problem.

One reason why it causes so many problems is that people sometimes ignore (or drop in the firewall) PMTUD messages.

Peace... Sridhar

From dwcarder at wisc.edu Mon Nov 2 14:45:50 2009
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Mon, 02 Nov 2009 13:45:50 -0600
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102191803.GA22485@london.pmacct.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <20091102191803.GA22485@london.pmacct.net>
Message-ID: <3C8E65F0-E9B8-4691-B4BB-3E246C8A3A58@wisc.edu>

On Nov 2, 2009, at 1:18 PM, Paolo Lucente wrote:
>
> Capacity apart, another good subject for the thread is that without a
> services DPC, you are realistically trapped to NetFlow v5, which these
> days might or might not be a problem. IPv6, 32-bit ASNs, L2 information
> come to the mind ...

AFAIK, junos does not have a netflow v9 template that can export both v4 and v6 simultaneously.
However, I thought I saw somewhere that 9.6 has a hack to get 32-bit ASN's in netflow v5.

Dale

From rwest at zyedge.com Mon Nov 2 14:48:47 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 2 Nov 2009 14:48:47 -0500
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <4AEF1C3A.3070601@umn.edu>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local>

Ge,

> I tried to use the "group-policy" vlan mapping feature and only achieved
> some success to redirect traffic out different
> egress vlans/interface.

Will you be using split-tunneling? If you set each of your internal dot1q interfaces to the same security level and do not enable same-security permit-intrainterface, I don't think you'll need the VLAN mapping.

> Here are my findings why the vlan-mapping feature on the Cisco ASA will
> not work in our environment (I stand by this unless Cisco have other
> means that I do not know of that will achieve "vrf-aware" connectivity from
> the ASA):
> * vlan map can re-direct traffic out egress vlan (only at layer 2)
> * layer 3 routes still needed from the ASA for outbound traffic to
> egress vlan
> + asa only allowed one default route in routed, single mode

In multiple context, VPNs do not work. This is on the list of things to be added, but there has been no indication of when.

> * if this is to work for "vrf-aware" client vpn connection, I'm
> thinking a default route per egress vlan will be needed; I was not able
> to do this

I used a 3560 for this role and just ran VRF-lite for each customer / enterprise app environment.
> * vlan mapping does work, but only for simple routing environments; not
> really geared for multiple VRFs that get connected to a MPLS backbone
> and border with BGP & OSPF inter-related workings
>
> So I proceeded to consider a design that assumes that the ASA will only
> do remote access termination and leave the "vrf-awareness"
> ("vrf-enabled") capabilities to the underlying network; this is what I
> came up with:
>
> vpn_host_1 <==> IP_Cloud <==> ASA_VPN-Pool-A <==> PBR_BlackBox <==> VRF_A
> vpn_host_2 <==> IP_Cloud <==> ASA_VPN-Pool-B <==> PBR_BlackBox <==> VRF_B
>
> * ASA strictly doing remote access ipsec/ssl client vpn termination;
> btw, this really simplifies the ASA config significantly

That's currently the only role I have enabled for that pair. Customer traffic is terminated based on group-policy mapping, with environment specific AAA servers referenced. For the SSL-VPN traffic, I had to create a number system matching kludge where each customer had a 7 digit number that corresponds to their environment, which they select during logon.

> * ASA has ingress for client vpn termination & egress for decrypted
> traffic
> * decrypted traffic handled by "black box" (in this case catalyst-3750
> running router code) that does "policy based routing" based on source
> IP of client vpn ip pools

You should be able to get 24 VRFs on that box IIRC.
> pros:
> * ASA relegated to doing only client vpn termination
> * simplified config per components
> * PBR moved to another box to facilitate "vrf-aware" client vpn
> + simple routing on the ASA
> * one default route
> * no dynamic routing required
>
> cons:
> * more equipment needed in addition to ASA
> * downstream failure may not trigger a VPN cluster member to be down (as
> it should in my opinion); what is needed is something like BFD
> (bi-directional forward detect) or some form of more intelligent route
> tracking (this may yet be possible; I've got to think more about this)
> * overall design complexity increase because "vrf-enabled" moved off
> ASA
>
> At minimum, I think this design will work for our needs; this design
> assumes additional complex components that I like to avoid if possible
> (PBR on a "black box" device).
>
> Let me know what folks think; I'd really appreciate any ideas or
> feedback.
>
> ** Note
> If the ASA was truly VRF-aware like its IOS brethren then all of this
> extra complexity may be minimized.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>

Thanks,
-ryan

From rwest at zyedge.com Mon Nov 2 15:04:10 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 2 Nov 2009 15:04:10 -0500
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local>

Ge,

Just wanted to add one more thing.
> * decrypted traffic handled by "black box" (in this case catalyst-3750

I've had very poor performance using the 3750 for PBR functions, have you tried to push any load through it?

-ryan

From cnsp at shreddedmail.com Mon Nov 2 16:04:29 2009
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Mon, 2 Nov 2009 13:04:29 -0800
Subject: [c-nsp] eBGP multihop, link failure, and multi-path IGP (OSPF)
Message-ID:

We have some eBGP neighbors that have their peering session reset in the case of link failure (root-cause analysis and problem resolution as a separate subject). The peers are connected via loopback interfaces and multi-path OSPF.

bgp fast-external-failover is supposed to be used for directly connected eBGP peers, but it seems like a link failure on a pair of redundant (layer-3) links is also causing the peer to go down:

Nov 1 11:33:12 10.56.205.1 %OSPF-5-ADJCHG: Process 1, Nbr a.b.c.d on FastEthernet8/0/0 from EXSTART to DOWN, Neighbor Down: Interface down or detached
Nov 1 11:33:12 10.56.205.1 %BGP-5-ADJCHANGE: neighbor w.x.y.z Down Interface flap

The destination to the peer is still in the FIB, and the peer comes back up almost immediately (in this case, about 15 seconds).

I'm considering disabling fast-external-failover, but want to better understand the event. The eBGP peer is not "directly connected" on the interface. It is reachable via a loopback peering IP with multi-path OSPF. Is this expected behavior (any link with a route to the destination going down will cause the session to go down)?

Any gotchas with disabling fast-failover?
Thanks,

From peter at rathlev.dk Mon Nov 2 17:10:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 02 Nov 2009 23:10:16 +0100
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local>
Message-ID: <1257199816.18763.5.camel@abehat.net.rm.dk>

On Mon, 2009-11-02 at 15:04 -0500, Ryan West wrote:
> > * decrypted traffic handled by "black box" (in this case catalyst-
> > 3750
>
> I've had very poor performance using the 3750 for PBR functions, have
> you tried to push any load through it?

We're using a couple of 3560s for PBR with no problems forwarding 100 Mbps+. There's no CPU load from the forwarding itself. We haven't tried actually pushing it yet but are planning to try sometime soon.

The 3560 needs the "routing" SDM template for this to work; I guess the 3750 also needs this.

--
Peter

From dcp at dcptech.com Mon Nov 2 16:34:57 2009
From: dcp at dcptech.com (David Prall)
Date: Mon, 2 Nov 2009 16:34:57 -0500
Subject: [c-nsp] eBGP multihop, link failure, and multi-path IGP (OSPF)
In-Reply-To:
References:
Message-ID: <007401ca5c04$655786e0$300694a0$@com>

Turn on PIC-Core:

cef table output-chain build favor convergence-speed
! please be wary of platform specific caveats
ip routing protocol purge interface
! purges interface routes and not routes that followed the interface, this will leave the BGP routes untouched.
This is the only thing I could find discussing it:
http://www.cisco.com/en/US/docs/routers/10000/10008/configuration/guides/broadband/dffsrv.html#wp1191135

It is available on other platforms as well.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Ernst
> Sent: Monday, November 02, 2009 4:04 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] eBGP multihop, link failure, and multi-path IGP (OSPF)
>
> We have some eBGP neighbors that have their peering session reset in the
> case of link failure (root-cause analysis and problem resolution as a
> separate subject). The peers are connected via loopback interfaces and
> multi-path OSPF.
>
> bgp fast-external-failover is supposed to be used for directly connected
> eBGP peers, but it seems like a link failure on a pair of redundant
> (layer-3) links is also causing the peer to go down:
> Nov 1 11:33:12 10.56.205.1 %OSPF-5-ADJCHG: Process 1, Nbr a.b.c.d on
> FastEthernet8/0/0 from EXSTART to DOWN, Neighbor Down: Interface down or
> detached
> Nov 1 11:33:12 10.56.205.1 %BGP-5-ADJCHANGE: neighbor w.x.y.z Down
> Interface flap
>
> The destination to the peer is still in the FIB, and the peer comes back up
> almost immediately (in this case, about 15 seconds).
>
> I'm considering disabling fast-external-failover, but want to better
> understand the event. The eBGP peer is not "directly connected" on the
> interface. It is reachable via a loopback peering IP with multi-path OSPF.
> Is this expected behavior (any link with a route to the destination going
> down will cause the session to go down)?
>
>
> Any gotchas with disabling fast-failover?
>
> Thanks,
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rwest at zyedge.com Mon Nov 2 17:21:46 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 2 Nov 2009 17:21:46 -0500
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <1257199816.18763.5.camel@abehat.net.rm.dk>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> <1257199816.18763.5.camel@abehat.net.rm.dk>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4697@zy-ex1.zyedge.local>

> We're using a couple of 3560s for PBR with no problems forwarding 100
> Mbps+. There's no CPU load from the forwarding itself. We haven't tried
> actually pushing it yet but are planning to try sometime soon.
>
> The 3560 needs the "routing" SDM template for this to work; I guess the
> 3750 also needs this.

What IOS version? I definitely had the proper SDM template applied, it won't work otherwise.
-ryan

From sethm at rollernet.us Mon Nov 2 17:54:08 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 02 Nov 2009 14:54:08 -0800
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <1257199816.18763.5.camel@abehat.net.rm.dk>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> <1257199816.18763.5.camel@abehat.net.rm.dk>
Message-ID: <4AEF6310.1000703@rollernet.us>

Peter Rathlev wrote:
> On Mon, 2009-11-02 at 15:04 -0500, Ryan West wrote:
>>> * decrypted traffic handled by "black box" (in this case catalyst-
>>> 3750
>> I've had very poor performance using the 3750 for PBR functions, have
>> you tried to push any load through it?
>
> We're using a couple of 3560s for PBR with no problems forwarding 100
> Mbps+. There's no CPU load from the forwarding itself. We haven't tried
> actually pushing it yet but are planning to try sometime soon.
>
> The 3560 needs the "routing" SDM template for this to work; I guess the
> 3750 also needs this.
>

As far as I've heard, the 3560 and 3750 are basically the same thing with the major difference being the stacking ports on the 3750. The NME etherswitch modules also identify as a 3750.

~Seth

From peter at rathlev.dk Mon Nov 2 18:01:05 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 03 Nov 2009 00:01:05 +0100
Subject: [c-nsp] 3560/3750 policy routing
Message-ID: <1257202865.18763.17.camel@abehat.net.rm.dk>

On Mon, 2009-11-02 at 17:21 -0500, Ryan West wrote:
> > We're using a couple of 3560s for PBR with no problems forwarding
> > 100 Mbps+. There's no CPU load from the forwarding itself.
> > We
> > haven't tried actually pushing it yet but are planning to try
> > sometime soon.
> >
> > The 3560 needs the "routing" SDM template for this to work; I guess
> > the 3750 also needs this.
>
> What IOS version? I definitely had the proper SDM template applied, it
> won't work otherwise.

It has been running IOS 12.2(50)SE1 IP Services "all its life" (some months).

When we started using it I was a little nervous if it would cope (and posted on this list about it too) but it performs splendidly for us.

--
Peter

From cphillips at wbsconnect.com Mon Nov 2 18:00:09 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Mon, 02 Nov 2009 15:00:09 -0800
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <001501ca5bd9$b5de3530$2508120a@am.thmulti.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <4AEEFCC7.10505@imperial.ac.uk> <001501ca5bd9$b5de3530$2508120a@am.thmulti.com>
Message-ID: <4AEF6479.3080202@wbsconnect.com>

Thirded. I've seen this a lot as well.

Scott Granados wrote:
> I second that. I've seen this as an MTU problem more times than not.
>
> ----- Original Message -----
> From: "Phil Mayers"
> To: "Alexander Clouter"
> Cc:
> Sent: Monday, November 02, 2009 7:37 AM
> Subject: Re: [c-nsp] Can Ping Websites but cannot browse.
>
>
>> Alexander Clouter wrote:
>>> Phil Mayers wrote:
>>>> bharath kondi wrote:
>>>>> I have a strange situation, I can browse the websites but cannot
>>>>> browse
>>>>> them.
>>>> Check for MTU issues
>>>>
>>> It is pretty impressive to screw up non-SSLed traffic with an MTU
>>> issue, I would be more inclined to think it's something else.
>>
>> That directly contradicts my experience. I have observed widespread
>> failures with ordinary HTTP traffic when MTU problems occur.
>>
>> It depends very much on the website you're hitting and their
>> architecture, as well as the nature of the MTU problem.
--
Chris Phillips
Director of Network Engineering & Peering Coordinator
WBS Connect
cphillips at wbsconnect.com
(866) WBS-CONX
(720) 259-8361 - direct
(303) 968-4383 - mobile
www.wbsconnect.com

From tvarriale at comcast.net Mon Nov 2 18:55:16 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 2 Nov 2009 17:55:16 -0600
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> <1257199816.18763.5.camel@abehat.net.rm.dk> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4697@zy-ex1.zyedge.local>
Message-ID: <86AD3DCD484C49E6968AABF15138BF16@flamdt01>

Was the traffic being applied in the CEF path?

tv

----- Original Message -----
From: "Ryan West"
To: "Peter Rathlev"
Cc: "cisco-nsp"
Sent: Monday, November 02, 2009 4:21 PM
Subject: Re: [c-nsp] how to make ASA vrf-aware / remote-access client VPN

>> We're using a couple of 3560s for PBR with no problems forwarding 100
>> Mbps+. There's no CPU load from the forwarding itself. We haven't tried
>> actually pushing it yet but are planning to try sometime soon.
>>
>> The 3560 needs the "routing" SDM template for this to work; I guess the
>> 3750 also needs this.
>
> What IOS version?
I definitely had the proper SDM template applied, it
> won't work otherwise.
>
> -ryan

From pl+list at pmacct.net Mon Nov 2 19:00:49 2009
From: pl+list at pmacct.net (Paolo Lucente)
Date: Tue, 3 Nov 2009 00:00:49 +0000
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <3C8E65F0-E9B8-4691-B4BB-3E246C8A3A58@wisc.edu>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <20091102191803.GA22485@london.pmacct.net> <3C8E65F0-E9B8-4691-B4BB-3E246C8A3A58@wisc.edu>
Message-ID: <20091103000049.GA28661@london.pmacct.net>

On Mon, Nov 02, 2009 at 01:45:50PM -0600, Dale W. Carder wrote:
> AFAIK, junos does not have a netflow v9 template that can
> export both v4 and v6 simultaneously.

Wouldn't expect IPv4/v6 to be multiplexed on a single template; each should have its own. ie., on a Cisco:

# sho run | inc flow-export
ip flow-export source Loopback286
ip flow-export version 9
ip flow-export destination x.x.x.x yyyy
ipv6 flow-export source Loopback286
ipv6 flow-export destination x.x.x.x yyyy

# sho ip flow export template
...
Total number of Templates added = 2
Total active Templates = 2
Flow Templates active = 2
Flow Templates added = 2
...

> However, I thought I saw somewhere that 9.6 has a hack to
> get 32-bit ASN's in netflow v5.

The hack to introduce sampling information in NetFlow v5, we can say a posteriori that it was quite successful. Remains to see who has interest in pushing the next one ...
Cheers,
Paolo

From dale.shaw+cisco-nsp at gmail.com Mon Nov 2 19:18:01 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 3 Nov 2009 11:18:01 +1100
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To:
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk>
Message-ID: <3329cbb40911021618x54eeb2fapeb19646bb9299eb2@mail.gmail.com>

Hi,

On Tue, Nov 3, 2009 at 1:26 AM, Alexander Clouter wrote:
> It is a pretty impressive [read: hard/unusual -- Ed.] to screw up non-SSLed traffic with an MTU
> issue,

In "Opposite Land"? or in a land where IPSec and PPPoX don't exist? :-)

cheers,
Dale

From tomas at soitron.com Mon Nov 2 19:16:39 2009
From: tomas at soitron.com (Daniska, Tomas)
Date: Tue, 3 Nov 2009 01:16:39 +0100
Subject: [c-nsp] 3560/3750 policy routing
In-Reply-To: <1257202865.18763.17.camel@abehat.net.rm.dk>
References: <1257202865.18763.17.camel@abehat.net.rm.dk>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD3027CD4F3@kenya.tronet.as>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Tuesday, November 03, 2009 12:01 AM
> To: Ryan West
> Cc: cisco-nsp
> Subject: Re: [c-nsp] 3560/3750 policy routing
>
>
> It has been running IOS 12.2(50)SE1 IP Services "all its life" (some
> months).
>
> When we started using it I was a little nervous if it would cope (and
> posted on this list about it too) but it performs splendidly for us.
>

I second this, 12.2(50)SE3, doing some PBR-based VoIP splitting to different SBCs, all done in HW.

Note that PBR on these platforms is very limited in supported route-map match options, e.g. per cco:

********************
When configuring match criteria in a route map, follow these guidelines:

-Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.
-Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization.
********************

Did your matching ACLs meet the no-deny requirement?

--
deejay

__________ Information from ESET NOD32 Antivirus, database version 4565 (20091102) __________

This message was checked by ESET NOD32 Antivirus.

http://www.eset.sk

From moua0100 at umn.edu Mon Nov 2 22:06:30 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Mon, 02 Nov 2009 21:06:30 -0600
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local>
Message-ID: <4AEF9E36.1020007@umn.edu>

I did some throughput testing with iperf while connected as an ipsec client and seemed to get over 120 Mbps easily; I too was interested in how far I can push the pbr on the 3750.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Ryan West wrote:
> Ge,
>
> Just wanted to add one more thing.
>
>
>> * decrypted traffic handled by "black box" (in this case catalyst-
>> 3750
>>
>
> I've had very poor performance using the 3750 for PBR functions, have you tried to push any load through it?
>
> -ryan
>
>

From moua0100 at umn.edu Mon Nov 2 22:10:23 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Mon, 02 Nov 2009 21:10:23 -0600
Subject: [c-nsp] 3560/3750 policy routing
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD3027CD4F3@kenya.tronet.as>
References: <1257202865.18763.17.camel@abehat.net.rm.dk> <6B43981C32F8464CB24CEE209DA32BD3027CD4F3@kenya.tronet.as>
Message-ID: <4AEF9F1F.4030600@umn.edu>

>> Note that PBR on these platforms is very limited in supported route-map match options, e.g. per cco:

I concur; I can't seem to do anything beyond some basic match & set; the IOS complained when I tried some SET commands with VRF parameters. I suppose this is really a switch platform and not a true router platform.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Daniska, Tomas wrote:
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
>> Sent: Tuesday, November 03, 2009 12:01 AM
>> To: Ryan West
>> Cc: cisco-nsp
>> Subject: Re: [c-nsp] 3560/3750 policy routing
>>
>>
>> It has been running IOS 12.2(50)SE1 IP Services "all its life" (some
>> months).
>>
>> When we started using it I was a little nervous if it would cope (and
>> posted on this list about it too) but it performs splendidly for us.
>>
>>
>
> I second this, 12.2(50)SE3, doing some PBR-based VoIP splitting to
> different SBCs, all done in HW.
>
>
> Note that PBR on these platforms is very limited in supported route-map
> match options, e.g. per cco:
>
> ********************
> When configuring match criteria in a route map, follow these guidelines:
>
> -Do not match ACLs that permit packets destined for a local address. PBR
> would forward these packets, which could cause ping or Telnet failure or
> route protocol flapping.
>
> -Do not match ACLs with deny ACEs.
> Packets that match a deny ACE are
> sent to the CPU, which could cause high CPU utilization.
> ********************
>
> Did your matching ACLs meet the no-deny requirement?
>
>
> --
>
> deejay
>

From rubensk at gmail.com Mon Nov 2 22:17:05 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Tue, 3 Nov 2009 01:17:05 -0200
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102.171244.41672267.sthaug@nethelp.no>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <20091102.171244.41672267.sthaug@nethelp.no>
Message-ID: <6bb5f5b10911021917m34d3e406n596fc99d8a17edc5@mail.gmail.com>

> For the CPE side we've stuck to 800/1800/2800/3800 for the simple
> reason that the relevant employees had lots of Cisco experience, and
> the Juniper J series didn't have enough interesting features/higher
> capacity/lower cost that we had a reason to start using it. We have a
> couple in the lab...

Price-wise isn't SRX series a competitor for the ISR series ?
Rubens

From sethm at rollernet.us Mon Nov 2 22:25:06 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 02 Nov 2009 19:25:06 -0800
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <4AEF9E36.1020007@umn.edu>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4651@zy-ex1.zyedge.local> <6E21B2BDEF6E714EA0B5BA8D5D0E140124DFAF4663@zy-ex1.zyedge.local> <4AEF9E36.1020007@umn.edu>
Message-ID: <4AEFA292.5060204@rollernet.us>

Ge Moua wrote:
> I did some throughput testing with iperf while connected as an ipsec
> client and seemed to get over 120 Mbps easily; I too was interested
> in how far I can push the pbr on the 3750.
>

You should be able to push it to the platform's hardware limit as long as nothing goes to CPU.

~Seth

From adrian at creative.net.au Mon Nov 2 22:35:34 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Tue, 3 Nov 2009 11:35:34 +0800
Subject: [c-nsp] 3560/3750 policy routing
In-Reply-To: <4AEF9F1F.4030600@umn.edu>
References: <1257202865.18763.17.camel@abehat.net.rm.dk> <6B43981C32F8464CB24CEE209DA32BD3027CD4F3@kenya.tronet.as> <4AEF9F1F.4030600@umn.edu>
Message-ID: <20091103033534.GD16011@skywalker.creative.net.au>

Please read the Cisco 3750 IOS configuration guide. It specifically states that PBR and VRF on the same interface is not permitted.

There is also apparently a PBR and fast-PBR mode which if i recall does something akin to either software or hardware switching. I'm not sure of the details. It is all in the IOS configuration guide though!

2c,

Adrian

On Mon, Nov 02, 2009, Ge Moua wrote:
> >> Note that PBR on these platforms is very limited in supported
> route-map match options, e.g.
> per cco:
>
> I concur; I can't seem to do anything beyond some basic match & set; the
> IOS complained when I tried some SET commands with VRF parameters. I
> suppose this is really a switch platform and not a true router platform.
>
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
>
>
> Daniska, Tomas wrote:
> >>-----Original Message-----
> >>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> >>Sent: Tuesday, November 03, 2009 12:01 AM
> >>To: Ryan West
> >>Cc: cisco-nsp
> >>Subject: Re: [c-nsp] 3560/3750 policy routing
> >>
> >>
> >>It has been running IOS 12.2(50)SE1 IP Services "all its life" (some
> >>months).
> >>
> >>When we started using it I was a little nervous if it would cope (and
> >>posted on this list about it too) but it performs splendidly for us.
> >>
> >>
> >
> >I second this, 12.2(50)SE3, doing some PBR-based VoIP splitting to
> >different SBCs, all done in HW.
> >
> >
> >Note that PBR on these platforms is very limited in supported route-map
> >match options, e.g. per cco:
> >
> >********************
> >When configuring match criteria in a route map, follow these guidelines:
> >
> >-Do not match ACLs that permit packets destined for a local address. PBR
> >would forward these packets, which could cause ping or Telnet failure or
> >route protocol flapping.
> >
> >-Do not match ACLs with deny ACEs. Packets that match a deny ACE are
> >sent to the CPU, which could cause high CPU utilization.
> >********************
> >
> >Did your matching ACLs meet the no-deny requirement?
> >
> >
> >--
> >
> >deejay
> >
--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -

From yvanog at hotmail.com Mon Nov 2 23:06:30 2009
From: yvanog at hotmail.com (Rob Montgomery)
Date: Mon, 2 Nov 2009 23:06:30 -0500
Subject: [c-nsp] Cisco VPN Share License Setup
Message-ID:

Is anyone using the Shared/participant license model for their VPN (AnyConnect)?

Rob

From johns.stanly at gmail.com Tue Nov 3 01:25:32 2009
From: johns.stanly at gmail.com (Stanly Johns)
Date: Tue, 3 Nov 2009 09:25:32 +0300
Subject: [c-nsp] BPDU Guard issue
Message-ID:

Hi,

Is it possible for a BPDU guard enabled switch port to get disabled without connecting any other device than the IP Phone and a PC ? I had to do a shut and no shut to bring it up ! The logs are as follows. your inputs are highly appreciated.

Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/21 with BPDU Guard enabled. Disabling port.
Nov 2 04:19:15.286: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/21, putting Fa0/21 in err-disable state
Nov 2 04:19:16.334: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to down
Nov 2 04:19:17.332: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to down
Nov 2 04:43:59.058: %SYS-5-CONFIG_I: Configured from console by XXX on vty0 (X.X.X.X.)
Nov 2 05:09:57.162: %LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down
Nov 2 05:10:03.193: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to down
Nov 2 05:10:03.327: %ILPOWER-7-DETECT: Interface Fa0/21: Power Device detected: Cisco PD
Nov 2 05:10:07.446: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to up
Nov 2 05:10:08.453: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up

3560#sh runn int f0/21
Building configuration...

Current configuration : 187 bytes
!
interface FastEthernet0/21
 switchport access vlan dynamic
 switchport mode access
 switchport voice vlan 440
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable

3560#sh cdp nei f0/21 det
-------------------------
Device ID: SEP0012802908E5
Entry address(es):
  IP address: X.X.X.X
Platform: Cisco IP Phone 7960,  Capabilities: Host Phone
Interface: FastEthernet0/21,  Port ID (outgoing port): Port 1
Holdtime : 166 sec

Version :
P00308000900

advertisement version: 2
Duplex: full
Power drawn: 6.300 Watts
Management address(es):

From sj_hznm at yahoo.com.cn Tue Nov 3 01:36:18 2009
From: sj_hznm at yahoo.com.cn (Joe Shen)
Date: Tue, 3 Nov 2009 14:36:18 +0800 (CST)
Subject: [c-nsp] Network KPI
In-Reply-To: <22278.196.46.241.57.1257151754.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <892863.85528.qm@web15607.mail.cnb.yahoo.com>

Is there any introduction or book on network KPI or KQI?

joe

--- On Mon, 2 Nov 2009, masood at nexlinx.net.pk wrote:

> From: masood at nexlinx.net.pk
> Subject: Re: [c-nsp] Network KPI
> To: "Mohammad Khalil"
> Cc: cisco-nsp at puck.nether.net
> Date: Monday, 2 November 2009, 4:49 PM
> Key Performance Indicators (KPIs) can tell you how the network is
> performing according to certain parameters, but the chosen metrics may not
> be relevant to certain service classes. And if these are the ones that
> deliver the most revenue, operators could find themselves in trouble.
>
> Key Quality Indicators (KQIs) are typically a combination of several KPIs
> that can tell operators more about the end-user experience and usage
> patterns.
>
> To determine what the KPIs and KQIs should be on a wimax or any tcp/ip
> network, it must be borne in mind what customers are most interested in:
> fast access, good service quality and mobility. Consequently, KPIs can be
> focused on network procedures--such as attach, authentication,
> authorisation and creation/activation--which determine access (fast access
> to services is defined by the success of and speed of access to HTTP
> servers, to MMS centers, and to other dedicated services that could be
> offered via the operator's portal).
>
> Regards,
> Masood
> Blog: http://weblogs.com.pk/jahil/
>
> > hey all
> >
> > we work in a WiMAX operator , and i was wondering what are the best
> > parameters to include in our KPI?
> >
From peter at rathlev.dk Tue Nov 3 02:16:11 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 03 Nov 2009 08:16:11 +0100
Subject: [c-nsp] BPDU Guard issue
In-Reply-To:
References:
Message-ID: <1257232571.21889.9.camel@abehat.net.rm.dk>

On Tue, 2009-11-03 at 09:25 +0300, Stanly Johns wrote:
> Is it possible for a BPDU guard enabled switch port to get disabled
> without connecting any other device than the IP Phone and a PC ?

If the PC sends BPDUs, yes. :-)

> I had to do a shut and no shut to bring it up !

You can use "err-disable recovery" to automate the shut/no shut function, but IMHO that would be wrong in this case. You should find out from where those BPDUs come. (One way would be to temporarily turn off BPDU guard and "debug spanning-tree bpdu receive".)

> The logs are as follows. your inputs are highly appreciated.
>
> Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
> Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on
> port FastEthernet0/21 with BPDU Guard enabled. Disabling port.

Typically when we see this it's some creative user having connected both the "=> Switch" and "=> PC" ports to the wall, with the phone forwarding BPDUs between the switch ports. You wouldn't happen to see some of the same messages from another switch at the same time? (The fact that you can shut/unshut without the link going down again could also point towards the other end maybe being err-disabled too.)

--
Peter

From metaliza at nithia.cz Tue Nov 3 02:57:16 2009
From: metaliza at nithia.cz (Metalíza)
Date: Tue, 03 Nov 2009 08:57:16 +0100
Subject: [c-nsp] 3560/3750 policy routing
In-Reply-To: <1257202865.18763.17.camel@abehat.net.rm.dk>
References: <1257202865.18763.17.camel@abehat.net.rm.dk>
Message-ID: <4AEFE25C.3040508@nithia.cz>

Peter Rathlev wrote:
> On Mon, 2009-11-02 at 17:21 -0500, Ryan West wrote:
>
>>> We're using a couple of 3560s for PBR with no problems forwarding
>>> 100 Mbps+.
>>> There's no CPU load from the forwarding itself. We
>>> haven't tried actually pushing it yet but are planning to try
>>> sometime soon.
>>>
>>> The 3560 needs the "routing" SDM template for this to work; I guess
>>> the 3750 also needs this.
>>>
>> What IOS version? I definitely had the proper SDM template applied, it
>> won't work otherwise.
>>
>
> It has been running IOS 12.2(50)SE1 IP Services "all its life" (some
> months).
>

Hi guys,

I have a similar problem:

We have been using PBR for forwarding through an IP-in-IP tunnel:

interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 tunnel source 147.32.98.1
 tunnel destination 147.32.127.190
 tunnel mode ipip

ip access-list extended private-2-hill
 permit ip 10.13.0.0 0.0.255.255 147.32.112.0 0.0.15.255
 permit ip 10.13.0.0 0.0.255.255 147.32.30.0 0.0.1.255
 permit ip 10.13.0.0 0.0.255.255 147.32.99.0 0.0.0.255
!
route-map private-2-hill permit 10
 match ip address private-2-hill
 set interface Tunnel0
!
interface Vlan201
 ip address 10.13.0.1 255.255.0.0
 ip policy route-map private-2-hill
!
local policy route-map private-2-hill

This had been all functional on 3560 with 12.2(44)SE. At first there had been set ip next-hop, but that hadn't worked, so I've switched to set interface.

After replacement of IOS to 12.2(52)SE the "set interface" command was refused after application of the route map to an SVI. But local PBR still worked. So I've changed to set ip next-hop (which has been accepted by IOS) but with no effect in forwarding (but the local PBR has still worked - because of the SW-based traffic?).

After some debugging I've realized that there is broken PBR in the 12.2(52)SE for the 3560.

Or am I wrong and have missed something?
--
-----------------------------------------------------------
Metaliza @ NitHiA
icq #: 63193671
skype: metaliza001

From alex at digriz.org.uk Tue Nov 3 03:39:54 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Tue, 3 Nov 2009 08:39:54 +0000
Subject: [c-nsp] Can Ping Websites but cannot browse.
In-Reply-To: <3329cbb40911021618x54eeb2fapeb19646bb9299eb2@mail.gmail.com>
References: <82957ce50911020335v50a2f32ene3048cd7cce841f6@mail.gmail.com> <4AEED1F0.5050007@imperial.ac.uk> <3329cbb40911021618x54eeb2fapeb19646bb9299eb2@mail.gmail.com>
Message-ID: <20091103083954.GF4838@chipmunk>

Hi,

* Dale Shaw [2009-11-03 11:18:01+1100]:
>
> On Tue, Nov 3, 2009 at 1:26 AM, Alexander Clouter wrote:
> > It is a pretty impressive [read: hard/unusual -- Ed.] to screw up non-SSLed traffic with an MTU
> > issue,
>
> In "Opposite Land"? or in a land where IPSec and PPPoX don't exist? :-)
>
Well at $ORK[-1] I was an ISP packet pusher and there all those 'factory default'ing 1492 MTU routers that blocked all ICMP traffic used to drive us mad. There regular HTTP traffic was always fine[1] as the request always fitted with no problem within a single MTU...it was only when you slapped on some SSL action (or tried to SMTP something about) that the MTU issue would appear.

So 'opposite' land being CPE rather than core networking land...hence my "you have to be a special person to have done this".

Even the greatest ICMP offenders of the Internet (financial institutions) just gave up dealing with this crap and cranked all their servers to shunt their MTU to 1000ish and tinker with the MSS on the inbound TCP SYN packet.

So...this is why I focused on the "cannot browse websites", I personally am just stunned at the helpfulness[2] of the group to such a vague question. If any of the helldeskers here said that (which they often do, *sigh*) I have to re-remind them with the public flaying... :-/

Cheers

[1] back in the day when you did not have honkingly large cookies, wtf?
[2] come on guys, I felt you were all much more on the ball the way you handled http://marc.info/?l=cisco-nsp&m=125441497832189&w=2 :)

--
Alexander Clouter
.sigmonster says: A vivid and creative mind characterizes you.

From rubensk at gmail.com Tue Nov 3 05:44:47 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Tue, 3 Nov 2009 08:44:47 -0200
Subject: [c-nsp] BPDU Guard issue
In-Reply-To:
References:
Message-ID: <6bb5f5b10911030244u1314d9c5vc59d5b89994f020e@mail.gmail.com>

On Tue, Nov 3, 2009 at 4:25 AM, Stanly Johns wrote:
> Hi,
> Is it possible for a BPDU guard enabled switch port to get disabled without
> connecting any other device than the IP Phone and a PC ? I had to do a shut
> and no shut to bring it up !
> The logs are as follows. your inputs are highly appreciated.

Some Broadcom fault-tolerance drivers use BPDUs in active-active configurations... an l-user might turn it on by mistake

Rubens

From mtinka at globaltransit.net Tue Nov 3 07:56:53 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 3 Nov 2009 20:56:53 +0800
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <20091102172924.GT51443@gerbil.cluepon.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net>
Message-ID: <200911032057.22402.mtinka@globaltransit.net>

On Tuesday 03 November 2009 01:29:24 am Richard A Steenbergen wrote:

> They're actually coming out with (or may already be shipping, I don't
> follow these boxes that closely) a replacement CFEB for M7i/M10i which
> uses the I-Chip (the same fwding hw as M120 and the current generation
> of MX). This should give it a slightly longer shelf life, as it will
> add a bunch of modern features and some additional fib capacity that
> didn't exist in the old hardware. Still though, this is a very old box
> (it came out in 2003, as a lower production cost refresh on the M5/M10
> which came out in 2000).
> The CFEB won't fix the very limited capacity, so it wouldn't be a fair
> comparison against a modern box. MX80 would indeed be a much closer
> comparison, though the feature set is still pretty different.

I should give it to Cisco, though - the ASR1000 series is a really neat platform because it eats up both Ethernet and SONET/SDH links alike. Even if the data plane in the ASR1000 is centralized in nature (much like the M7i/M10i), and with a 20Gbps ESP now, I'd be more inclined to go for an ASR1000 series box to talk Gig-E on one end, and 10-Gig-E, STM-16/OC-48 or STM-64/OC-192 on the other.

Juniper don't really have an answer here. Yes, the MX80 is probably as close as they may come, but it cannot support SONET/SDH in a box that can potentially be Ethernet-dense for core or edge applications too, while still being physically small and relatively inexpensive. The M40e will talk SONET/SDH, but it won't support 10Gbps links. And it's way bigger than the ASR1000 series boxes.

Don't even get me started on the M120, or the MX240 with an MX-FPC :-).

Cheers,

Mark.

From ml at kenweb.org Tue Nov 3 08:27:23 2009
From: ml at kenweb.org (ML)
Date: Tue, 03 Nov 2009 08:27:23 -0500
Subject: [c-nsp] 3560/3750 policy routing
In-Reply-To: <4AEFE25C.3040508@nithia.cz>
References: <1257202865.18763.17.camel@abehat.net.rm.dk> <4AEFE25C.3040508@nithia.cz>
Message-ID: <4AF02FBB.70108@kenweb.org>

Metalíza wrote:
> Peter Rathlev wrote:
>> On Mon, 2009-11-02 at 17:21 -0500, Ryan West wrote:
>>>> We're using a couple of 3560s for PBR with no problems forwarding
>>>> 100 Mbps+. There's no CPU load from the forwarding itself. We
>>>> haven't tried actually pushing it yet but are planning to try
>>>> sometime soon.
>>>>
>>>> The 3560 needs the "routing" SDM template for this to work; I guess
>>>> the 3750 also needs this.
>>>>
>>> What IOS version? I definitely had the proper SDM template applied, it
>>> won't work otherwise.
>>>
>>
>> It has been running IOS 12.2(50)SE1 IP Services "all its life" (some
>> months).
>>
>
> Hi guys,
>
> I have a similar problem:
>
> We have been using PBR for forwarding through an IP-in-IP tunnel:
>
> interface Tunnel0
>  ip address 192.168.1.2 255.255.255.252
>  tunnel source 147.32.98.1
>  tunnel destination 147.32.127.190
>  tunnel mode ipip
>
> ip access-list extended private-2-hill
>  permit ip 10.13.0.0 0.0.255.255 147.32.112.0 0.0.15.255
>  permit ip 10.13.0.0 0.0.255.255 147.32.30.0 0.0.1.255
>  permit ip 10.13.0.0 0.0.255.255 147.32.99.0 0.0.0.255
> !
> route-map private-2-hill permit 10
>  match ip address private-2-hill
>  set interface Tunnel0
> !
> interface Vlan201
>  ip address 10.13.0.1 255.255.0.0
>  ip policy route-map private-2-hill
> !
> local policy route-map private-2-hill
>
> This had been all functional on 3560 with 12.2(44)SE. At first there had
> been set ip next-hop, but that hadn't worked, so I've switched to set
> interface.
>
> After replacement of IOS to 12.2(52)SE the "set interface" command was
> refused after application of the route map to an SVI. But local PBR still
> worked. So I've changed to set ip next-hop (which has been accepted by
> IOS) but with no effect in forwarding (but the local PBR has still
> worked - because of the SW-based traffic?).
>
> After some debugging I've realized that there is broken PBR in the
> 12.2(52)SE for the 3560.
>
> Or am I wrong and have missed something?
>

I had the same problem on an ME3400. I could not use the remote end of a GRE tunnel for PBR.
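An added example, not code from the thread: a small lint that checks an IOS-style PBR configuration against the two route-map guidelines Tomas quoted from cco earlier in this thread (no deny ACEs in the matched ACL, and no permit covering one of the switch's own addresses). The config text is constructed for the example; it reuses the private-2-hill policy Metalíza posted and adds two ACEs that deliberately break the guidelines.

```python
"""Lint PBR route-map ACLs against the cco guidelines for the 3560/3750:
 - an ACL matched by an applied route-map must not contain deny ACEs
   (matching packets are punted to the CPU);
 - it must not permit traffic destined for a local address
   (PBR would forward those packets instead of delivering them locally).
Added example; the config below is constructed, based on the thread."""
import ipaddress

SAMPLE_CONFIG = """\
interface Vlan201
 ip address 10.13.0.1 255.255.0.0
 ip policy route-map private-2-hill
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
!
ip access-list extended private-2-hill
 permit ip 10.13.0.0 0.0.255.255 147.32.112.0 0.0.15.255
 permit ip 10.13.0.0 0.0.255.255 147.32.30.0 0.0.1.255
 permit ip 10.13.0.0 0.0.255.255 147.32.99.0 0.0.0.255
 deny ip 10.13.0.0 0.0.255.255 10.13.5.0 0.0.0.255
 permit ip any 10.13.0.1 0.0.0.0
!
route-map private-2-hill permit 10
 match ip address private-2-hill
 set interface Tunnel0
"""


def _parse_target(tokens, i):
    """Consume one ACL address spec (any | host A | A wildcard) starting at
    tokens[i]; return (IPv4Network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wild & (wild + 1):  # a classic wildcard is a run of low-order 1 bits
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]}")
    prefix = 32 - wild.bit_length()  # 0.0.0.0 -> /32, 0.0.255.255 -> /16
    return ipaddress.IPv4Network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_config(text):
    """Pick out the statements the lint needs from IOS-style text: interface
    addresses, applied PBR route-maps, extended ACL entries and the ACLs each
    route-map matches.  Everything else is ignored."""
    local_addrs, policies, acls, route_maps = set(), {}, {}, {}
    section = None  # ("interface"|"acl"|"rmap", name) of the enclosing block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        tokens = line.split()
        if tokens[0].isdigit():  # numbered ACE, e.g. "10 permit ip ..."
            tokens = tokens[1:]
        kind = section[0] if section else None
        if tokens[0] == "interface":
            section = ("interface", tokens[1])
        elif line.startswith("ip access-list extended "):
            section = ("acl", tokens[3])
            acls.setdefault(tokens[3], [])
        elif tokens[0] == "route-map":
            section = ("rmap", tokens[1])
            route_maps.setdefault(tokens[1], [])
        elif kind == "interface" and line.startswith("ip address "):
            local_addrs.add(ipaddress.IPv4Address(tokens[2]))
        elif kind == "interface" and line.startswith("ip policy route-map "):
            policies[section[1]] = tokens[3]
        elif kind == "acl" and tokens[0] in ("permit", "deny"):
            src, nxt = _parse_target(tokens, 2)  # tokens[1] is the protocol
            dst, _ = _parse_target(tokens, nxt)
            acls[section[1]].append((tokens[0], src, dst, line))
        elif kind == "rmap" and line.startswith("match ip address "):
            route_maps[section[1]].extend(tokens[3:])
    return local_addrs, policies, acls, route_maps


def lint_pbr(text):
    """Check every ACL referenced by a route-map that is applied with
    'ip policy route-map'.  Returns [(interface, acl, ace_line, reason)]."""
    local_addrs, policies, acls, route_maps = parse_config(text)
    findings = []
    for intf, rmap in policies.items():
        for acl_name in route_maps.get(rmap, []):
            for action, _src, dst, ace in acls.get(acl_name, []):
                if action == "deny":
                    findings.append((intf, acl_name, ace,
                                     "deny ACE: matching packets are punted to the CPU"))
                    continue
                hit = sorted(a for a in local_addrs if a in dst)
                if hit:
                    findings.append((intf, acl_name, ace,
                                     "permits traffic destined for local address "
                                     + ", ".join(map(str, hit))))
    return findings


if __name__ == "__main__":
    for intf, acl, ace, reason in lint_pbr(SAMPLE_CONFIG):
        print(f"{intf}: {acl}: '{ace}': {reason}")
```

Run against the sample it reports the constructed deny ACE and the permit that covers Vlan201's own address; the three original private-2-hill entries pass.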
From ianh at ianh.net.au Tue Nov 3 07:51:37 2009
From: ianh at ianh.net.au (Ian Henderson)
Date: Tue, 3 Nov 2009 20:51:37 +0800 (WST)
Subject: [c-nsp] BPDU Guard issue
In-Reply-To:
References:
Message-ID:

On Tue, 3 Nov 2009, Stanly Johns wrote:

> Is it possible for a BPDU guard enabled switch port to get disabled
> without connecting any other device than the IP Phone and a PC ? I had
> to do a shut and no shut to bring it up !

I've run into this - Virtualbox uses Windows bridging to handle networking which runs spanning-tree. Google shows the answer as:

"You can prevent the Bridge from forwarding packets by editing the registry. In your favorite registry editor, navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BridgeMP

Create a new DWORD value and name it DisableForwarding. Double click the new entry and set its value to 1. You'll need to reboot to apply the change.

You can disable the Spanning Tree Algorithm in a similar manner, by creating a DWORD value in the same key called DisableSTA and setting its value to 1."

http://articles.techrepublic.com.com/5100-22_11-5569815.html via http://forums.virtualbox.org/viewtopic.php?f=6&t=6264&start=0.

Rgds,

- I.

From cjinfantino at gmail.com Tue Nov 3 12:12:09 2009
From: cjinfantino at gmail.com (CJ)
Date: Tue, 3 Nov 2009 12:12:09 -0500
Subject: [c-nsp] Issue with secondary ip address
Message-ID: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>

Hello all,

I have a vlan that has a primary and secondary ip address. My DHCP server is in the secondary ip address. The DHCP server is a windows 2003 server with the scope enabled and correct. If I plug a computer into a switch with the vlan configured I cannot get an address. If I create a DHCP server in the primary ip address range with the same scope and options and disable the scope on the other DHCP server it works. I cannot figure out what is going on.
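An added example, not code from the thread: a small model of the relay behaviour behind CJ's question (the only DHCP scope sits in the SVI's secondary subnet) and of what the "ip dhcp smart-relay" knob suggested later in the thread changes. Two assumptions are built in and labelled in the code: the server answers only when giaddr falls inside a configured scope, and the relay keeps the primary address in giaddr until three DISCOVERs go unanswered, then moves to the next (secondary) address, which is how Cisco documents the feature; all addresses are constructed.

```python
"""Model of DHCP relay giaddr selection on an SVI with secondary addresses.
Added example; addresses are constructed and the relay rules are assumptions
(see comments), not a transcript of IOS behaviour."""
from dataclasses import dataclass
import ipaddress

# Assumed per Cisco's smart-relay description: after this many unanswered
# DHCPDISCOVERs the relay stops using the primary address as giaddr.
SMART_RELAY_THRESHOLD = 3


@dataclass
class DhcpServer:
    """Scope selection the way a Windows DHCP server does it: giaddr picks the
    scope, and a DISCOVER whose giaddr matches no scope is silently dropped
    (assumption for the model)."""
    scopes: list  # IPv4Network objects that have a lease pool

    def offer(self, giaddr):
        for scope in self.scopes:
            if giaddr in scope:
                return f"DHCPOFFER from scope {scope}"
        return None


@dataclass
class SviRelay:
    """The SVI carrying 'ip helper-address', with one primary and any number
    of secondary addresses."""
    primary: ipaddress.IPv4Interface
    secondaries: list  # IPv4Interface objects
    smart_relay: bool = False
    unanswered: int = 0  # consecutive DISCOVERs relayed with no OFFER back

    def relay_discover(self, server):
        """Forward one DHCPDISCOVER; returns (giaddr used, reply or None)."""
        candidates = [self.primary] + self.secondaries
        idx = 0  # without smart-relay the primary address is always giaddr
        if self.smart_relay:
            idx = min(self.unanswered // SMART_RELAY_THRESHOLD, len(candidates) - 1)
        giaddr = candidates[idx].ip
        reply = server.offer(giaddr)
        self.unanswered = 0 if reply else self.unanswered + 1
        return giaddr, reply


def run_client(relay, server, attempts=8):
    """A client retransmits DISCOVER up to `attempts` times.  Returns the
    1-based attempt on which an OFFER arrived (None if never) and the list
    of giaddr values the relay used, in order."""
    trace = []
    for n in range(1, attempts + 1):
        giaddr, reply = relay.relay_discover(server)
        trace.append(str(giaddr))
        if reply:
            return n, trace
    return None, trace


def simulate(smart_relay, scope_in_secondary=True):
    """CJ's layout with constructed addresses: SVI primary 10.10.1.1/24,
    secondary 10.10.2.1/24, and a single scope in the secondary subnet.
    scope_in_secondary=False models his workaround of building the scope in
    the primary range instead."""
    relay = SviRelay(ipaddress.ip_interface("10.10.1.1/24"),
                     [ipaddress.ip_interface("10.10.2.1/24")],
                     smart_relay=smart_relay)
    scope = "10.10.2.0/24" if scope_in_secondary else "10.10.1.0/24"
    return run_client(relay, DhcpServer([ipaddress.ip_network(scope)]))


if __name__ == "__main__":
    for smart in (False, True):
        n, trace = simulate(smart)
        print(f"smart-relay={smart}: offer on attempt {n}, giaddr trace {trace}")
```

In the model the primary-only relay never gets an OFFER, while with smart-relay the fourth DISCOVER goes out with the secondary address in giaddr and is answered; CJ reports further down that smart-relay did not help in his case, so the model explains the symptom rather than guaranteeing the fix.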
From ck at sandcastl.es Tue Nov 3 12:41:38 2009
From: ck at sandcastl.es (christian koch)
Date: Tue, 3 Nov 2009 09:41:38 -0800
Subject: [c-nsp] Issue with secondary ip address
In-Reply-To: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
References: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
Message-ID: <8c308e8b0911030941vc21f849mdfddbf77a30e5bb@mail.gmail.com>

do you have helper address set?

On Tue, Nov 3, 2009 at 9:12 AM, CJ wrote:

> Hello all,
>
> I have a vlan that has a primary and secondary ip address. My DHCP
> server is in the secondary ip address. The DHCP server is a windows 2003
> server with the scope enabled and correct. If I plug a computer into a
> switch with the vlan configured I cannot get an address. If I create a DHCP
> server in the primary ip address range with the same scope and options and
> disable the scope on the other DHCP server it works. I cannot figure out
> what is going on.

From gsgranados at comcast.net Tue Nov 3 13:34:04 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 3 Nov 2009 10:34:04 -0800
Subject: [c-nsp] Linux VPN client suggestion?
Message-ID: <002701ca5cb4$45098180$2508120a@am.thmulti.com>

Hi all,

I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest. Does anyone have any good pointers for a good client that I can point him to?

Any pointers would be appreciated.

Thank you
Scott

From BBlackford at nwresd.k12.or.us Tue Nov 3 13:46:52 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Tue, 3 Nov 2009 10:46:52 -0800
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <6069A203FD01884885C037F81DD75080173BBABF99@wsc-mail-01.intra.nwresd.k12.or.us>

VPNC

http://www.unix-ag.uni-kl.de/~massar/vpnc/

-b

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, November 03, 2009 10:34 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Linux VPN client suggestion?

Hi all,

I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and not sure what to suggest. Does anyone have any good pointers for a good client that I can point him to?

Any pointers would be appreciated.

Thank you
Scott

From rwest at zyedge.com Tue Nov 3 13:47:04 2009
From: rwest at zyedge.com (Ryan West)
Date: Tue, 3 Nov 2009 13:47:04 -0500
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A178AC@zy-ex1.zyedge.local>

Scott,

There is support in the standard client for linux in the 4.x line, but none in the 5.x. Might also consider AnyConnect Essentials for ~$250 that allows for the SSL client in pretty much all flavors, including 64-bit support.
http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=4.8.02.0030&mdfid=281940729&sftType=VPN+Client+Software&optPlat=Linux&nodecount=2&edesignator=null&modelName=Cisco+VPN+Client+v4.x&treeMdfId=268438162&treeName=Security&modifmdfid=&imname=&hybrid=&imst=&lr=Y

-ryan

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Tuesday, November 03, 2009 1:34 PM
>
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
> provide remote users access to network resources. I have one user who is
> interested in a client for Linux (specifically CentOS) and not sure what to
> suggest. Does anyone have any good pointers for a good client that I can
> point him to?

From jeff at ocjtech.us Tue Nov 3 13:50:47 2009
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Tue, 3 Nov 2009 12:50:47 -0600
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <935ead450911031050j137b319fp67fc7d7c59ced0a9@mail.gmail.com>

On Tue, Nov 3, 2009 at 12:34 PM, Scott Granados wrote:
>
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
> provide remote users access to network resources. I have one user who is
> interested in a client for Linux (specifically CentOS) and not sure what to
> suggest. Does anyone have any good pointers for a good client that I can
> point him to?

vpnc - if your user enables the EPEL repositories he'll be able to install it without any trouble:

https://fedoraproject.org/wiki/EPEL

--
Jeff Ollie

From elparis at cisco.com Tue Nov 3 13:53:32 2009
From: elparis at cisco.com (Eloy Paris)
Date: Tue, 3 Nov 2009 13:53:32 -0500
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <20091103185332.GJ23256@turbo.cisco.com>

Hi Scott,

On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:

> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> to provide remote users access to network resources. I have one user who
> is interested in a client for Linux (specifically CentOS) and not sure
> what to suggest. Does anyone have any good pointers for a good client
> that I can point him to?
>
> Any pointers would be appreciated.

The Cisco VPN Client does support *some* versions of Linux. However, it does not work with the latest versions of the Linux kernel so if your user's kernel is recent (and unfortunately, "recent" doesn't really have to be very recent) then the official Cisco VPN Client is not an option.

However, there is an open source VPN client that works with Cisco VPN headends. I personally use it and it works great:

http://www.unix-ag.uni-kl.de/~massar/vpnc/

It's included in pretty much all Linux distributions. A quick Google search for "centos vpnc" turned this up as the first hit:

http://wiki.centos.org/HowTos/vpnc

Hope this helps.
Cheers,

--
Eloy Paris
Cisco PSIRT
Ph: +1 919 392-9118

From cjinfantino at gmail.com Tue Nov 3 13:56:32 2009
From: cjinfantino at gmail.com (CJ)
Date: Tue, 3 Nov 2009 13:56:32 -0500
Subject: [c-nsp] Fwd: Issue with secondary ip address
In-Reply-To: <94e868ee0911031055g62257055m6bddf2c0452701b6@mail.gmail.com>
References: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com> <8c308e8b0911030941vc21f849mdfddbf77a30e5bb@mail.gmail.com> <4AF0727B.3060004@emich.edu> <94e868ee0911031055g62257055m6bddf2c0452701b6@mail.gmail.com>
Message-ID: <94e868ee0911031056l3a70a69cy782b4ba85a997b20@mail.gmail.com>

---------- Forwarded message ----------
From: CJ
Date: Tue, Nov 3, 2009 at 1:55 PM
Subject: Re: [c-nsp] Issue with secondary ip address
To: jf

I tried the ip dhcp smart-relay command but it didn't work. I did try it with the ip helper-address and w/o; both setups did not work. Every other vlan int is pulling DHCP...they also have primary and secondary addresses assigned to them. It is just the server vlan that is not pulling DHCP.

On Tue, Nov 3, 2009 at 1:12 PM, jf wrote:

> You might try the "ip dhcp smart-relay" relay feature to have the ip
> helper try with the secondary address in the giaddr field.
>
> christian koch wrote:
> > do you have helper address set?
> >
> > On Tue, Nov 3, 2009 at 9:12 AM, CJ wrote:
> >
> >> Hello all,
> >>
> >> I have a vlan that has a primary and secondary ip address. My DHCP
> >> server is in the secondary ip address. The DHCP server is a windows 2003
> >> server with the scope enabled and correct. If I plug a computer into a
> >> switch with the vlan configured I cannot get an address. If I create a DHCP
> >> server in the primary ip address range with the same scope and options and
> >> disable the scope on the other DHCP server it works. I cannot figure out
> >> what is going on.
From gsgranados at comcast.net Tue Nov 3 14:01:03 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 3 Nov 2009 11:01:03 -0800
Subject: [c-nsp] Linux VPN client suggestion?
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com>
Message-ID: <008001ca5cb8$02ad7360$2508120a@am.thmulti.com>

Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second. (I actually think we have a license for this feature set already)

Thanks as always for the great suggestions.

----- Original Message -----
From: "Eloy Paris"
To: "Scott Granados"
Cc:
Sent: Tuesday, November 03, 2009 10:53 AM
Subject: Re: [c-nsp] Linux VPN client suggestion?

> Hi Scott,
>
> On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
>
>> Hi all,
>> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
>> to provide remote users access to network resources. I have one user who
>> is interested in a client for Linux (specifically CentOS) and not sure
>> what to suggest. Does anyone have any good pointers for a good client
>> that I can point him to?
>>
>> Any pointers would be appreciated.
>
> The Cisco VPN Client does support *some* versions of Linux. However, it
> does not work with the latest versions of the Linux kernel so if your
> user's kernel is recent (and unfortunately, "recent" doesn't really have
> to be very recent) then the official Cisco VPN Client is not an option.
>
> However, there is an open source VPN client that works with Cisco VPN
> headends. I personally use it and it works great:
>
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> It's included in pretty much all Linux distributions. A quick Google
> search for "centos vpnc" turned this up as the first hit:
>
> http://wiki.centos.org/HowTos/vpnc
>
> Hope this helps.
>
> Cheers,
>
> --
>
> Eloy Paris
> Cisco PSIRT
> Ph: +1 919 392-9118

From moua0100 at umn.edu Tue Nov 3 14:11:27 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 03 Nov 2009 13:11:27 -0600
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <4AF0805F.5000100@umn.edu>

yum install vpnc

you may need the "epel" repo for this.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN
> client to provide remote users access to network resources. I have
> one user who is interested in a client for Linux (specifically CentOS)
> and not sure what to suggest. Does anyone have any good pointers for
> a good client that I can point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott

From RGoldberg at compudyne.net Tue Nov 3 13:42:18 2009
From: RGoldberg at compudyne.net (Ryan Goldberg)
Date: Tue, 3 Nov 2009 12:42:18 -0600
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID:

I use vpnc all the time to connect to ASAs.
http://www.unix-ag.uni-kl.de/~massar/vpnc/

Ryan

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Tuesday, November 03, 2009 12:34 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Linux VPN client suggestion?
>
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
> provide remote users access to network resources. I have one user who is
> interested in a client for Linux (specifically CentOS) and not sure what to
> suggest. Does anyone have any good pointers for a good client that I can
> point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott

From justin at justinshore.com Tue Nov 3 14:20:05 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 03 Nov 2009 13:20:05 -0600
Subject: [c-nsp] how to make ASA vrf-aware / remote-access client VPN
In-Reply-To: <4AEF1C3A.3070601@umn.edu>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <61D4116B957C2843AACB49664C8AB223036C920D@UKCWRX004.uk.int.atosorigin.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <4AEF1C3A.3070601@umn.edu>
Message-ID: <4AF08265.5050405@justinshore.com>

Ge Moua wrote:
> C-NSP Wizards:
> Our Cisco account team seems to be touting the ASA appliance (in a
> cluster configuration) as the preferred solution for remote access
> client vpn (IPSec & SSL); as such my question then is:
>
> Is it possible to make an ASA be "vrf-aware"?

My suggestion may not be what you want to hear but I'll give it to you anyway. Forget the ASA cluster and implement it on VRF-aware hardware.
You'll never see the end of problems with a cluster such as this and it will be a nightmare for troubleshooting. It will cost you more up front but it's worth doing it right.

We use 7600s with FWSMs and IPSec SPAs to provide firewall services and VPN termination services to our Data Center. The FWSMs of course do not do VPN, only firewall services. The IPSec SPAs have their own quirks (see some of my earlier c-nsp posts) but they work fine once you know how to avoid those problems. This solution doesn't do SSL VPN though. The 7600s don't support the WebVPN module which is what you need for SSL VPN. However the 6500 does and also supports the FWSMs and IPSec SPAs.

On a lower-end scale you can provide the same VPN services on ASRs, 7200s and even ISRs without having to fight the ASA nightmare.

I would avoid the ASA solution at all costs. Duct tape is great until the sticky gives up in the middle of the night. Baling wire rusts too. Stick with the right solution and you'll be fine.

My $.02 (pre-2008 dollars)

Justin

From daniel.dib at reaper.nu Tue Nov 3 14:21:51 2009
From: daniel.dib at reaper.nu (Daniel Dib)
Date: Tue, 3 Nov 2009 20:21:51 +0100
Subject: [c-nsp] Issue with secondary ip address
In-Reply-To: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
References: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
Message-ID: <00a101ca5cba$e5c69670$2101a8c0@reap>

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of CJ
Sent: 3 November 2009 18:12
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Issue with secondary ip address

Hello all,

I have a vlan that has a primary and secondary ip address. My DHCP server is in the secondary ip address. The DHCP server is a windows 2003 server with the scope enabled and correct. If I plug a computer into a switch with the vlan configured I cannot get an address.
If I create a DHCP server in the primary ip address range with the same scope and options and disable the scope on the other DHCP server it works. I cannot figure out what is going on.

Hi,

You should try to use ip dhcp smart-relay. If you don't get a reply from the primary scope it will ask for the secondary address.

See http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rddhcp.html#wp1046084

HTH
Daniel

From szmetal at gmail.com Tue Nov 3 14:37:10 2009
From: szmetal at gmail.com (Shawn Zandi)
Date: Tue, 3 Nov 2009 23:37:10 +0400
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <20091103185332.GJ23256@turbo.cisco.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com>
Message-ID:

http://www.shrew.net/software

Regards,
Shawn Zandi

On Tue, Nov 3, 2009 at 10:53 PM, Eloy Paris wrote:
> Hi Scott,
>
> On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
>
> > Hi all,
> > I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> > to provide remote users access to network resources. I have one user who
> > is interested in a client for Linux (specifically CentOS) and not sure
> > what to suggest. Does anyone have any good pointers for a good client
> > that I can point him to?
> >
> > Any pointers would be appreciated.
>
> The Cisco VPN Client does support *some* versions of Linux. However, it
> does not work with the latest versions of the Linux kernel so if your
> user's kernel is recent (and unfortunately, "recent" doesn't really have
> to be very recent) then the official Cisco VPN Client is not an option.
>
> However, there is an open source VPN client that works with Cisco VPN
> headends.
> I personally use and it works great:
>
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> It's included in pretty much all Linux distributions. A quick Google
> search for "centos vpnc" turned this up as the first hit:
>
> http://wiki.centos.org/HowTos/vpnc
>
> Hope this helps.
>
> Cheers,
>
> --
>
> Eloy Paris
> Cisco PSIRT
> Ph: +1 919 392-9118
>

From nicotine at warningg.com Tue Nov 3 13:57:30 2009
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 3 Nov 2009 12:57:30 -0600
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <20091103185730.GA4121@radiological.warningg.com>

On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
> provide remote users access to network resources. I have one user who is
> interested in a client for Linux (specifically CentOS) and not sure what to
> suggest. Does anyone have any good pointers for a good client that I can
> point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott
>

I believe the Anyconnect client is supported on Linux installs. Anyconnect is supported on 8.x software versions, and Anyconnect Essentials (Client-based tunnels only, no clientless SSL, supported in 8.2) licenses are available for a low cost.

If your supported user count is low, and you do not currently utilize any Anyconnect SSL slots, the base license allows a maximum of two active Anyconnect clients without additional license purchase.

--
Brandon Ewing (nicotine at warningg.com)
From szmetal at gmail.com Tue Nov 3 14:54:54 2009
From: szmetal at gmail.com (Shawn Zandi)
Date: Tue, 3 Nov 2009 23:54:54 +0400
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <008001ca5cb8$02ad7360$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com>
Message-ID:

Yes, the ASA has a built-in license for 2 concurrent SSL connections; SSL-VPN is the better choice.

On Tue, Nov 3, 2009 at 11:01 PM, Scott Granados wrote:
> Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in
> second. (I actually think we have a license for this feature set already)
>
> Thanks as always for the great suggestions.
>
>
> ----- Original Message -----
> From: "Eloy Paris"
> To: "Scott Granados"
> Cc:
> Sent: Tuesday, November 03, 2009 10:53 AM
> Subject: Re: [c-nsp] Linux VPN client suggestion?
>
>
> Hi Scott,
>>
>> On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
>>
>> Hi all,
>>> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
>>> to provide remote users access to network resources. I have one user who
>>> is interested in a client for Linux (specifically CentOS) and not sure
>>> what to suggest. Does anyone have any good pointers for a good client
>>> that I can point him to?
>>>
>>> Any pointers would be appreciated.
>>>
>>
>> The Cisco VPN Client does support *some* versions of Linux. However, it
>> does not work with the latest versions of the Linux kernel so if your
>> user's kernel is recent (and unfortunately, "recent" doesn't really have
>> to be very recent) then the official Cisco VPN Client is not an option.
>>
>> However, there is an open source VPN client that works with Cisco VPN
>> headends.
>> I personally use and it works great:
>>
>> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>>
>> It's included in pretty much all Linux distributions. A quick Google
>> search for "centos vpnc" turned this up as the first hit:
>>
>> http://wiki.centos.org/HowTos/vpnc
>>
>> Hope this helps.
>>
>> Cheers,
>>
>> --
>>
>> Eloy Paris
>> Cisco PSIRT
>> Ph: +1 919 392-9118
>
>

From berghauz at gmail.com Tue Nov 3 15:54:57 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Tue, 3 Nov 2009 23:54:57 +0300
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <20091103185730.GA4121@radiological.warningg.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185730.GA4121@radiological.warningg.com>
Message-ID: <13d85870911031254j4fa4e4adi714f4c568865b5b7@mail.gmail.com>

>
> I believe the Anyconnect client is supported on Linux installs. Anyconnect
>

Yep. Cisco VPN supports Linux.

WBR
Aleksey Polyakoff
ICQ:9001016
Mike Ditka - "If God had wanted man to play soccer, he wouldn't have given us arms."

From brandon at burn.net Tue Nov 3 16:01:06 2009
From: brandon at burn.net (Brandon Applegate)
Date: Tue, 3 Nov 2009 16:01:06 -0500 (EST)
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <20091103185730.GA4121@radiological.warningg.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185730.GA4121@radiological.warningg.com>
Message-ID:

On Tue, 3 Nov 2009, Brandon Ewing wrote:
> I believe the Anyconnect client is supported on Linux installs. Anyconnect
> is supported on 8.x software versions, and Anyconnect Essentials
> (Client-based tunnels only, no clientless SSL, supported in 8.2) licenses
> are available for a low cost.
>
> If your supported user count is low, and you do not currently utilize any
> Anyconnect SSL slots, the base license allows a maximum of two active
> Anyconnect clients without additional license purchase.
>
> --
> Brandon Ewing (nicotine at warningg.com)
>

I'm still on old PIXes here, but looking to the future (and I'm a linux guy) I found Openconnect.

http://www.infradead.org/openconnect.html

From what I've read the Cisco Anyconnect client for Linux suffers problems again, not kernel level but SSL / library / 32/64 bit issues. Openconnect reads like it's a lot cleaner than all the workarounds to get Anyconnect working.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."

From nsp at sky-haven.net Tue Nov 3 16:13:34 2009
From: nsp at sky-haven.net (nsp at sky-haven.net)
Date: Tue, 03 Nov 2009 21:13:34 +0000
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com>
Message-ID: <4AF09CFE.8000906@sky-haven.net>

Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> to provide remote users access to network resources. I have one user
> who is interested in a client for Linux (specifically CentOS) and not
> sure what to suggest. Does anyone have any good pointers for a good
> client that I can point him to?
>
> Any pointers would be appreciated.

Have had good luck with VPNC on Linux. You can try the ShrewSoft Linux client (http://www.shrew.net/) as well if you're of a mind, but vpnc tends to win on simplicity.

If you (or your user) are a bit of a sick puppy[1], you can actually get things working with Linux IPsec-tools (e.g. Racoon and XFRM). But I advise against it unless the Linux station in question is obligated to maintain existing IPsec sessions. In this case, neither vpnc nor ShrewSoft (or probably anything else IPsec-based) will work since both IPsec-tools and vpnc will insist on binding a listener on 500/udp.
Best,
Lance Dryden

[1] For non-Americans, this means something like "a fan of tinkering with Linux, perhaps to the point of obsession."

From bitkraft at gmail.com Tue Nov 3 20:10:33 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Tue, 3 Nov 2009 17:10:33 -0800
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <200911032057.22402.mtinka@globaltransit.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <20091102.165254.74705593.sthaug@nethelp.no> <20091102172924.GT51443@gerbil.cluepon.net> <200911032057.22402.mtinka@globaltransit.net>
Message-ID: <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>

Mark, what's your thoughts on the MX240? I'm curious now since you state not to get you started. :-)

/bs

On Tue, Nov 3, 2009 at 4:56 AM, Mark Tinka wrote:
> On Tuesday 03 November 2009 01:29:24 am Richard A
> Steenbergen wrote:
>
> > They're actually coming out with (or may already be
> > shipping, I don't follow these boxes that closely) a
> > replacement CFEB for M7i/M10i which uses the I-Chip (the
> > same fwding hw as M120 and the current generation of MX).
> > This should give it a slightly longer shelf life, as it
> > will add a bunch of modern features and some additional
> > fib capacity that didn't exist in the old hardware. Still
> > though, this is a very old box (it came out in 2003, as a
> > lower production cost refresh on the M5/M10 which came
> > out in 2000). The CFEB won't fix the very limited
> > capacity, so it wouldn't be a fair comparison against a
> > modern box. MX80 would indeed be a much closer
> > comparison, though the feature set is still pretty
> > different.
>
> I should give it to Cisco, though - the ASR1000 series is a
> really neat platform because it eats up both Ethernet and
> SONET/SDH links alike.
>
> Even if the data plane in the ASR1000 is centralized in
> nature (much like the M7i/M10i), and with a 20Gbps ESP now,
> I'd be more inclined to go for an ASR1000 series box to talk
> Gig-E on one end, and 10-Gig-E, STM-16/OC-48 or
> STM-64/OC-192 on the other.
>
> Juniper don't really have an answer here. Yes, the MX80 is
> probably as close they may come, but it cannot support
> SONET/SDH in a box that can potentially be Ethernet-dense
> for core or edge applications too, while still be physically
> small and relatively inexpensive. The M40e will talk
> SONET/SDH, but it won't support 10Gbps links. And it's way
> bigger than the ASR1000 series boxes.
>
> Don't even get me started on the M120, or the MX240 with an
> MX-FPC :-).
>
> Cheers,
>
> Mark.
>

From sthaug at nethelp.no Wed Nov 4 03:18:30 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 04 Nov 2009 09:18:30 +0100 (CET)
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>
References: <20091102172924.GT51443@gerbil.cluepon.net> <200911032057.22402.mtinka@globaltransit.net> <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>
Message-ID: <20091104.091830.74736038.sthaug@nethelp.no>

> Mark, what's your thoughts on the MX240? I'm curious now since you state
> not to get you started. :-)

Not answering for Mark here. In any case, MX240 is a sweet little box, but the price difference to the MX480 (and MX960) is so small that it is only interesting if you are *really* pressed for rack space and/or power. We have a couple of them for precisely that reason.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From mtinka at globaltransit.net Wed Nov 4 05:37:16 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 4 Nov 2009 18:37:16 +0800
Subject: [c-nsp] Cisco vs. Juniper
In-Reply-To: <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <200911032057.22402.mtinka@globaltransit.net> <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com>
Message-ID: <200911041837.17064.mtinka@globaltransit.net>

On Wednesday 04 November 2009 09:10:33 am Brian Spade wrote:

> Mark, what's your thoughts on the MX240? I'm curious now
> since you state not to get you started. :-)

Really... :-)?

Well, the MX240 is probably the smallest of the bunch (not considering the MX80, as it probably won't be modular enough to provide SONET/SDH support).

The MX-FPC swallows two whole DPC slots. In an MX240, that's just a waste of time. You're better off getting an M120 or M40e (M40e if you don't need STM-64/OC-192).

This makes the MX480 or MX960 more appealing when used with the MX-FPC. But then, that's not in the same space as the ASR1000 series anymore.

Again, Cisco are slightly better in the segment, at present. Juniper might do well to refresh the M7i/M10i. And I've said this to them, time and time again.

As much as I adore Juniper, and with due respect to the ingenious design of the M7i/M10i platform, the ASR1000 levels (and perhaps, exceeds) the playing field in this platform space.

Cheers,

Mark.
From ltd at cisco.com Wed Nov 4 06:11:13 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Wed, 4 Nov 2009 22:11:13 +1100
Subject: [c-nsp] BPDU Guard issue
In-Reply-To:
References:
Message-ID: <3B4B9B51-7864-44AA-AE56-A99C8BF5BAEC@cisco.com>

On 03/11/2009, at 5:25 PM, Stanly Johns wrote:
> Is it possible for a BPDU guard enabled switch port to get disabled
> without connecting any other device than the IP Phone and a PC ? I had to do
> a shut and no shut to bring it up !
> The logs are as follows. your inputs are highly appreciated.

you had a loop on a portfast port, BPDU guard prevented that from causing it to melt your network down. you should be thankful.

i've seen loops caused by all sorts of things. some virtualization software does it. some vendors' iLO ports can be bridged with a non-iLO port, and some teaming/"failsafe" NIC drivers can do it.

my suggestion is to find out the root cause and fix that.

cheers,

lincoln.

From tav at ucomline.net Wed Nov 4 06:53:13 2009
From: tav at ucomline.net (Teslenko Andrey)
Date: Wed, 04 Nov 2009 13:53:13 +0200
Subject: [c-nsp] Problem with policies on interfaces C3750E IOS12.2(50) SE2
Message-ID: <4AF16B29.1080303@ucomline.net>

Hello all,

I recently updated the IOS version on my C3750 to version IOS12.2(50) SE2. Now I have the following problem: all policies on my interfaces don't shape traffic.

"mls qos" is enabled and the policy-map looks like this:

policy-map Customer-200Mbps-critical-In
 class class-default
  police 209712000 1000000 exceed-action drop

On the interface I override all ingress packets and set "cos" for packets to "1":

mls qos cos 1
mls qos cos override

This is necessary because the traffic must be in a certain queue.

So I began to experiment, and I get the following result: when I remove the option "mls qos cos override" the policy works, but when I put this option back it doesn't work.

Has anyone had the same problem?
I can't disable "mls qos cos override" because I want the "qos" scheme to keep working, but I can't disable the policy either.

--
Andrey Teslenko
Leading ip engineer
JSC "Farlep-Invest", Ukraine, Odessa
Backbone network department
Network operation sector
mob: 8063 617-01-68
tel: 8048 716-55-72

From andrea.montefusco at gmail.com Wed Nov 4 08:23:33 2009
From: andrea.montefusco at gmail.com (Andrea Montefusco)
Date: Wed, 04 Nov 2009 14:23:33 +0100
Subject: [c-nsp] Cat 3550 policy routing at layer 4
Message-ID: <4AF18055.5030703@gmail.com>

Does anyone know if the Catalyst 3550 has some restriction on policy routing ACLs at layer 4?

In my lab the PBR works well if the route map acl is at layer 3 only

access-list 200 permit ip

if I use an acl with a layer four ACE, like

access-list 200 permit tcp eq 25

it doesn't work anymore. The manual generically states that it is possible to select the traffic via layer 4 parameters.

IOS 12.2.44 SE6

Thanks in advance

*am*

------------------- cut here ----------------
...
interface Vlan20
 ip address 192.168.1.1 255.255.255.0
 ip route-cache policy
 ip policy route-map SPECIAL-ROUTES
...
access-list 200 permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list 200 permit tcp 192.168.1.0 255.255.255.0 any eq pop3
!
route-map SPECIAL-ROUTES permit 5
 match ip address 200
 set ip next-hop 1.1.1.2
...
------------------- cut here ----------------

---------------------------------------------------------
Andrea Montefusco iw0hdv http://www.montefusco.com
---------------------------------------------------------

From dwinkworth at att.net Wed Nov 4 08:49:52 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Wed, 4 Nov 2009 05:49:52 -0800 (PST)
Subject: [c-nsp] Cisco vs.
Juniper
In-Reply-To: <200911041837.17064.mtinka@globaltransit.net>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <200911032057.22402.mtinka@globaltransit.net> <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com> <200911041837.17064.mtinka@globaltransit.net>
Message-ID: <2929.78173.qm@web180016.mail.gq1.yahoo.com>

#######
The MX-FPC swallows two whole DPC slots. In an MX240, that's just a waste of time. You're better of getting an M120 or M40e (M40e if you don't need STM-64/OC-192).

This makes the MX480 or MX960 more appealing when used with the MX-FPC. But then, that's not in the same space as the ASR1000 series anymore.
#########

Really? The price difference between a 240 and 480 has always made me wonder why someone wouldn't just buy the 480. The difference is small.

We'll have to wait and see what the answer is going to be to the ASR. I suspect it will be the SRX, because of the integrated services and flow-based QoS.

________________________________
From: Mark Tinka
To: Brian Spade
Cc: sthaug at nethelp.no; cisco-nsp at puck.nether.net
Sent: Wed, November 4, 2009 4:37:16 AM
Subject: Re: [c-nsp] Cisco vs. Juniper

On Wednesday 04 November 2009 09:10:33 am Brian Spade wrote:

> Mark, what's your thoughts on the MX240? I'm curious now
> since you state not to get you started. :-)

Really... :-)?

Well, the MX240 is probably the smallest of the bunch (not considering the MX80, as it probably won't be modular enough to provide SONET/SDH support).

Again, Cisco are slightly better in the segment, at present. Juniper might do well to refresh the M7i/M10i. And I've said this to them, time and time again.

As much as I adore Juniper, and with due respect to the ingenious design of the M7i/M10i platform, the ASR1000 levels (and perhaps, exceeds) the playing field in this platform space.

Cheers,

Mark.
From SHughes at GREnergy.com Wed Nov 4 07:45:21 2009
From: SHughes at GREnergy.com (Hughes, Scott GRE-MG)
Date: Wed, 4 Nov 2009 06:45:21 -0600
Subject: [c-nsp] Issue with secondary ip address
In-Reply-To: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
References: <94e868ee0911030912j16062b3awc2cacb15c1ebaec8@mail.gmail.com>
Message-ID:

You need to setup a "superscope" on the windows box that includes both the primary and secondary subnets. Even if you don't hand out any addresses in the primary subnet, it needs to exist and bound to the same superscope as your secondary subnet.

Sent from my iPhone.

On Nov 3, 2009, at 11:19 AM, "CJ" wrote:
> Hello all,
>
> I have a vlan that has a primary and secondary ip address. My DHCP
> server is in the secondary ip address. The DHCP server is a windows
> 2003 server with the scope enabled and correct. If I plug a computer into a
> switch with the vlan configured I cannot get an address. If I create
> a DHCP server in the primary ip address range with the same scope and
> options and disable the scope on the other DHCP server it works. I cannot figure
> out what is going on.

From mike-cisconsplist at tiedyenetworks.com Wed Nov 4 11:53:38 2009
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Wed, 04 Nov 2009 08:53:38 -0800
Subject: [c-nsp] rate limits on 2970?
Message-ID: <4AF1B192.7010209@tiedyenetworks.com>

Hi,

I have a pair of 2970's and I want to know if/how it's possible to establish input and output rate limits on it? If there's a cisco guide sorry for bothering you all but a very quick google doesn't give me any answer. The switches are running 12.2(25)SEC code if it makes a difference.

Thank you.

From berghauz at gmail.com Wed Nov 4 12:19:14 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Wed, 4 Nov 2009 20:19:14 +0300
Subject: [c-nsp] rate limits on 2970?
In-Reply-To: <4AF1B192.7010209@tiedyenetworks.com>
References: <4AF1B192.7010209@tiedyenetworks.com>
Message-ID: <13d85870911040919u63a426e6t26e960ce5d1c6e31@mail.gmail.com>

Hello.

As far as I know, there is no rate limiting on 2950/60/70. You can use the mechanisms of QoS, but the rate limiting does not work as well as described by cisco (token bucket mechanism etc.).

Although you can use in config-if mode, it affects only ingress traffic.

2009/11/4 Mike
> Hi,
>
> I have a pair of 2970's and I want to know if/how it's possible to
> establish input and output rate limits on it? If there's a cisco guide
> sorry for bothering you all but a very quick google doesn't give me any
> answer. The switches are running 12.2(25)SEC code if it makes a
> difference.
>
> Thank you.
>
>

WBR
Aleksey Polyakoff
ICQ:9001016
Mike Ditka - "If God had wanted man to play soccer, he wouldn't have given us arms."

From ras at e-gerbil.net Wed Nov 4 12:29:04 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 4 Nov 2009 11:29:04 -0600
Subject: [c-nsp] Cisco vs.
Juniper
In-Reply-To: <2929.78173.qm@web180016.mail.gq1.yahoo.com>
References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <200911032057.22402.mtinka@globaltransit.net> <505b616c0911031710r51c16390nbd583e74831bb1fe@mail.gmail.com> <200911041837.17064.mtinka@globaltransit.net> <2929.78173.qm@web180016.mail.gq1.yahoo.com>
Message-ID: <20091104172904.GY51443@gerbil.cluepon.net>

On Wed, Nov 04, 2009 at 05:49:52AM -0800, Derick Winkworth wrote:
> Really? The price difference between a 240 and 480 has
> always made me wonder why someone wouldn't just buy the
> 480. The difference is small.

Funny, I say the same thing about the 960 vs 480. We bought exactly one 480 for a place where we couldn't get anything in the 200-240v range for power, because 90-120v is supported only on 240/480. For the money I'd have much rather gotten a 960 and just not powered up the second half.

Actually if you look at it from a components perspective it actually costs you more to buy the smaller chassis. For example a fully redundant MX960 comes with 3 SCBs (fabric modules), a fully redundant MX480 comes with 2. And the price difference between the two is a fraction of the cost of buying a spare SCB.

Hopefully MX80 fixes these chassis cost issues with its new more integrated design. I think there is probably a product line opening for an MX120 or MX160 as well. But again, wrong mailing list. :)

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From gsgranados at comcast.net Wed Nov 4 12:42:31 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 4 Nov 2009 09:42:31 -0800
Subject: [c-nsp] Restricting VPN connections to company hardware?
Message-ID: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com>

Hi, I've been googling but not finding much although I think I'm probably formulating my search incorrectly so I'm hoping for some pointers here.
I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions. We've been finding that folks are configuring IPhones and other non approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only? Is there a good way say for me to allow company provided laptops but not allow clients from home machines where users duplicate their profile or non-certified end devices like pocket PC devices? I understand how to filter based on client type but this doesn't prevent someone from copying their profile file from one machine to another. Any pointers would be appreciated.

Thanks
Scott

From mawhi at vestas.com Wed Nov 4 15:26:32 2009
From: mawhi at vestas.com (Matthew White)
Date: Wed, 4 Nov 2009 12:26:32 -0800
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com>
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com>
Message-ID:

Hi Scott,

Certificate based authentication can meet these needs. This document is just a starting point -- the client certificate installation procedure is onerous. If you have a MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

-mtw

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Wednesday, November 04, 2009 9:43 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Restricting VPN connections to company hardware?
>
> Hi,
> I've been googling but not finding much although I think
> I'm probably formulating my search incorrectly so I'm hoping for some
> pointers here.
> I use ASA 5520 hardware to provide VPN services to end
> users with Cisco VPN clients and some L2L sessions. We've been finding that folks are
> configuring IPhones and other non approved devices to attach
> to the network.
> What's the best method to certify that end users are connecting with
> approved devices only? Is there a good way say for me to
> allow company provided laptops but not allow clients from home machines where users
> duplicate their profile or non-certified end devices like
> pocket PC devices?
> I understand how to filter based on client type but this
> doesn't prevent someone from copying their profile file from one machine to
> another. Any pointers would be appreciated.
>
> Thanks
> Scott
>

From berghauz at gmail.com Wed Nov 4 15:53:40 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Wed, 4 Nov 2009 23:53:40 +0300
Subject: [c-nsp] rate limits on 2970?
In-Reply-To: <20091104204336.M47326@fast-serv.com>
References: <4AF1B192.7010209@tiedyenetworks.com> <13d85870911040919u63a426e6t26e960ce5d1c6e31@mail.gmail.com> <20091104204336.M47326@fast-serv.com>
Message-ID: <13d85870911041253t5de66b03i1c607322c55f2b75@mail.gmail.com>

But it does not work if you need a policer of more than 2-10 Mbps.

WBR
Aleksey Polyakoff
ICQ:9001016
Charles de Gaulle - "The better I get to know men, the more I find myself loving dogs."

2009/11/4 Randy McAnally
> 2950 can rate limit in 1Mbps increments if you have the EI software using
> policers. Not sure about 2970.
>
> --
> Randy
>

From rsm at fast-serv.com Wed Nov 4 15:44:43 2009
From: rsm at fast-serv.com (Randy McAnally)
Date: Wed, 4 Nov 2009 15:44:43 -0500
Subject: [c-nsp] rate limits on 2970?
In-Reply-To: <13d85870911040919u63a426e6t26e960ce5d1c6e31@mail.gmail.com>
References: <4AF1B192.7010209@tiedyenetworks.com> <13d85870911040919u63a426e6t26e960ce5d1c6e31@mail.gmail.com>
Message-ID: <20091104204336.M47326@fast-serv.com>

2950 can rate limit in 1Mbps increments if you have the EI software using policers. Not sure about 2970.

--
Randy

---------- Original Message -----------
From: Alexey Polyakov
To: Mike
Cc: cisco-nsp at puck.nether.net
Sent: Wed, 4 Nov 2009 20:19:14 +0300
Subject: Re: [c-nsp] rate limits on 2970?

> Hello.
> As far as I know, there is no rate limiting on 2950/60/70.
> You can use the mechanisms of QoS, but the rate limiting does not work as
> well as described by cisco (token bucket mechanism etc.).
>
> Although you can use in config-if mode, it
> affects only ingress traffic.
>
> 2009/11/4 Mike
>
> > Hi,
> >
> > I have a pair of 2970's and I want to know if/how it's possible to
> > establish input and output rate limits on it? If there's a cisco guide
> > sorry for bothering you all but a very quick google doesn't give me any
> > answer. The switches are running 12.2(25)SEC code if it makes a
> > difference.
> >
> > Thank you.
> >
> >
>
> WBR
> Aleksey Polyakoff
> ICQ:9001016
> Mike Ditka - "If
> God had wanted man to play soccer, he wouldn't have given us arms."
------- End of Original Message -------

From jared.a.gillis at gmail.com Wed Nov 4 19:30:29 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Wed, 04 Nov 2009 16:30:29 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
Message-ID: <4AF21CA5.4050804@gmail.com>

Hi all,

I've been having quite a few adventures with IS-IS over the last few weeks and have finally hit a wall, so I'm hoping someone here can give me a hand.
Basically, I need to build a network with IS-IS multiarea as described here:

http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html

I built up a small lab with 2600s running 12.3 and got it all working exactly as described in the docs and as I needed. I then tried to move that config to production, which is on 7606/Sup720 running 12.2 SRC, and the multiarea features did not function. That is, automatic redistribution of L1 routes into the L2 instance did not occur, nor did advertising of an L2 (default) route into the L1 domain occur.

After doing some research, I found this 2007 c-nsp post:

http://puck.nether.net/pipermail/cisco-nsp/2007-May/040686.html

Paragraph 10: "TAC says that Integrated Multi-area IS-IS is not supported."

So, to test this out, I put 12.2 SR onto a 7204VXR in the lab (7606 in the lab is not possible for me at the moment), and inserted into my old 2600 lab, and saw the same behavior as on the 7606, which seems to support the old c-nsp post.

The Cisco Feature Navigator (which is definitely not gospel) says that every version of 12.2 SR should support IS-IS multiarea.

Does anyone have any conclusive information on this, have you ever been able to get IS-IS multiarea functioning on a 7606/Sup720? If there's some way we can make this functionality work on that platform, I am dying to find it.

Secondarily, if we can't have true IS-IS multiarea, we may be able to simulate it by manually redistributing from the L1 instances to the L2 instances, and setting default-information originate on the L1 instances. I attempted this in the lab, and while the commands are accepted and appear to be good, neither redist nor default origination is actually happening. Does anyone have any suggestions on this front? Redist and default origination should "just work". I'm happy to provide config snippets if needed.

Any advice or help is highly appreciated.

Thanks!
-Jared

From mtinka at globaltransit.net Wed Nov 4 23:52:59 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 5 Nov 2009 12:52:59 +0800 Subject: [c-nsp] Cisco vs. Juniper In-Reply-To: <2929.78173.qm@web180016.mail.gq1.yahoo.com> References: <9418aca70911020655r1602d95fjc9d0f495b6e863cd@mail.gmail.com> <200911041837.17064.mtinka@globaltransit.net> <2929.78173.qm@web180016.mail.gq1.yahoo.com> Message-ID: <200911051253.03729.mtinka@globaltransit.net>

On Wednesday 04 November 2009 09:49:52 pm Derick Winkworth wrote: > Really? The price difference between a 240 and 480 has > always made me wonder why someone wouldn't just buy the > 480. The difference is small. That is true - the difference in price "of the chassis" would even have your Juniper account team baffled enough as to why you'd insist on an MX240 and not an MX480, that they'll probably just give you the chassis upgrade for free to shut you up and move the meeting along :-). But that's not the point - when we consider space requirements, cost of the MX-FPC, DPC (and now, MPC) cards for the MX-series, where an ASR1000 would suffice better, Cisco have a better lead. > We'll have to wait and see what the answer is going to > be to the ASR. I suspect it will be the SRX, because > of the integrated services and flow-based QoS. Yep, let's wait and see. Cheers, Mark.

From emagutu at gmail.com Thu Nov 5 01:12:56 2009 From: emagutu at gmail.com (Eric Magutu) Date: Thu, 5 Nov 2009 09:12:56 +0300 Subject: [c-nsp] Relationship between RAM and routes Message-ID:

Hi, What is the relationship between RAM and routes? I want to implement 1000 static routes in a cisco 7206vxr (NPE-G1) and needed to find out what effect it would have on my router. Should I do any upgrades?
it has 229376K/32768K bytes of memory 509K of NVRAM -- Regards, Eric Magutu

From adrian at creative.net.au Thu Nov 5 01:22:01 2009 From: adrian at creative.net.au (Adrian Chadd) Date: Thu, 5 Nov 2009 14:22:01 +0800 Subject: [c-nsp] Experiences with l2tpv3/xconnect? Message-ID: <20091105062201.GA25405@skywalker.creative.net.au>

G'day, I've been asked by a customer to solve an L2 ethernet problem and I'm investigating simply tunneling the required VLANs over L2TPv3/xconnect. Does anyone have any rough throughput (PPS in particular) info they'd like to share ? And any other deployment info - actually, in particular I'd like to know about fragmentation related issues. I'm looking at the Cisco 28xx series (potentially the Cisco 2811) but I'm concerned about hitting throughput ceilings. Thanks, Adrian

From gururug at gmail.com Thu Nov 5 01:37:22 2009 From: gururug at gmail.com (Imran K) Date: Thu, 5 Nov 2009 17:37:22 +1100 Subject: [c-nsp] rate limits on 2970? - police +1 Message-ID: <25d943640911042237i1a6205edw8a183af1e0fec324@mail.gmail.com>

+1 for police, simplest way to do what you want http://slaptijack.com/networking/inbound-rate-limiting-on-cisco-catalyst-switches/

From peter.hicks at poggs.co.uk Thu Nov 5 02:08:00 2009 From: peter.hicks at poggs.co.uk (Peter Hicks) Date: Thu, 05 Nov 2009 08:08:00 +0100 Subject: [c-nsp] Cat6500 "Waiting for supervisor to come online in other slot" when booting Message-ID: <4AF279D0.8090103@poggs.co.uk>

All, I have a pair of 6504Es with Sup32s here, running 12.2(33)SXH6. When they boot, the bootloader loads and I am presented with:
==cut===
System Bootstrap, Version 12.2(18r)SX9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2008 by cisco Systems, Inc.
Cat6k-Sup32 platform with 524288 Kbytes of main memory
Autoboot executing command: "boot "
Initializing ATA monitor library...
string is bootdisk:s3223-boot-mz.122-33.SXH6.bin
Initializing ATA monitor library...
Self extracting the image...
[OK]
Self decompressing the image : ################################################################################################################################################ [OK]
...
Cisco IOS Software, s3223_sp Software (s3223_sp-BOOT-M), Version 12.2(33)SXH6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 15-Oct-09 11:59 by prod_rel_team
Image text-base: 0x40231348, data-base: 0x41B62000
MAC based EOBC installed
Waiting (slot 1) for supervisor to come online in other slot. iteration = 0
Next Retry will be done after 6 seconds
==cut===
I only have a single Sup32 in the chassis, and this message continues forever. Breaking out and booting the image manually appears to work. What causes this, and how can I get around it? I am sure I'm not doing something correctly. Regards, Peter

From berghauz at gmail.com Thu Nov 5 02:51:37 2009 From: berghauz at gmail.com (Alexey Polyakov) Date: Thu, 5 Nov 2009 10:51:37 +0300 Subject: [c-nsp] Experiences with l2tpv3/xconnect? In-Reply-To: <20091105062201.GA25405@skywalker.creative.net.au> References: <20091105062201.GA25405@skywalker.creative.net.au> Message-ID: <13d85870911042351j32793084p2941c39a02375385@mail.gmail.com>

L2TPv3 is a very useful feature, but it causes very high CPU load on the receiver side. On an 1841, a 10 Mbit/s xconnect channel causes near 40% CPU load; a 2 Mbit/s channel loads the CPU near 10%. Max throughput on an 1841 without shaping is 28 Mbit/s (full CPU load). WBR Aleksey Polyakoff ICQ:9001016 Ted Turner - "Sports is like a war without the killing." 2009/11/5 Adrian Chadd > G'day, > > I've been asked by a customer to solve an L2 ethernet problem > and I'm investigating simply tunneling the required VLANs over > L2TPv3/xconnect. > > Does anyone have any rough throughput (PPS in particular) info > they'd like to share ? And any other deployment info - actually, > in particular I'd like to know about fragmentation related issues.
> > I'm looking at the Cisco 28xx series (potentially the Cisco 2811) > but I'm concerned about hitting throughput ceilings. > > Thanks, > > > Adrian > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ >

From berghauz at gmail.com Thu Nov 5 03:28:05 2009 From: berghauz at gmail.com (Alexey Polyakov) Date: Thu, 5 Nov 2009 11:28:05 +0300 Subject: [c-nsp] Experiences with l2tpv3/xconnect? In-Reply-To: References: <20091105062201.GA25405@skywalker.creative.net.au> <13d85870911042351j32793084p2941c39a02375385@mail.gmail.com> Message-ID: <13d85870911050028p7b04707ckb946374b4112a267@mail.gmail.com>

Because the 1841 has only Fa interfaces, I think baby giants are not supported at all. With the 2811 the situation is the same, because of the Fa. WBR Aleksey Polyakoff ICQ:9001016 Stephen Leacock - "I detest life-insurance agents: they always argue that I shall some day die, which is not so." 2009/11/5 Rens > You need to raise your MTU and the CPU load will go down. > > PS: I'm not sure which IOS version supports baby giant frames on 1841, not > all do. >

From rens at autempspourmoi.be Thu Nov 5 03:12:32 2009 From: rens at autempspourmoi.be (Rens) Date: Thu, 5 Nov 2009 09:12:32 +0100 Subject: [c-nsp] Experiences with l2tpv3/xconnect? In-Reply-To: <20091105062201.GA25405@skywalker.creative.net.au> References: <20091105062201.GA25405@skywalker.creative.net.au> Message-ID:

I have already done up to 400 Mbps with 2811 or 2821 (don't remember) You just have to make sure your MTU is high enough depending on the frame sizes you want to tunnel.

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adrian Chadd Sent: Thursday 5 November 2009 7:22 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Experiences with l2tpv3/xconnect?
G'day, I've been asked by a customer to solve an L2 ethernet problem and I'm investigating simply tunneling the required VLANs over L2TPv3/xconnect. Does anyone have any rough throughput (PPS in particular) info they'd like to share ? And any other deployment info - actually, in particular I'd like to know about fragmentation related issues. I'm looking at the Cisco 28xx series (potentially the Cisco 2811) but I'm concerned about hitting throughput ceilings. Thanks, Adrian _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

From rens at autempspourmoi.be Thu Nov 5 03:08:41 2009 From: rens at autempspourmoi.be (Rens) Date: Thu, 5 Nov 2009 09:08:41 +0100 Subject: [c-nsp] Experiences with l2tpv3/xconnect? In-Reply-To: <13d85870911042351j32793084p2941c39a02375385@mail.gmail.com> References: <20091105062201.GA25405@skywalker.creative.net.au> <13d85870911042351j32793084p2941c39a02375385@mail.gmail.com> Message-ID:

You need to raise your MTU and the CPU load will go down. PS: I'm not sure which IOS version supports baby giant frames on 1841, not all do.

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexey Polyakov Sent: Thursday 5 November 2009 8:52 To: Adrian Chadd Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Experiences with l2tpv3/xconnect? L2TPv3 is a very useful feature, but it causes very high CPU load on the receiver side. On an 1841, a 10 Mbit/s xconnect channel causes near 40% CPU load; a 2 Mbit/s channel loads the CPU near 10%. Max throughput on an 1841 without shaping is 28 Mbit/s (full CPU load). WBR Aleksey Polyakoff ICQ:9001016 Ted Turner - "Sports is like a war without the killing."
2009/11/5 Adrian Chadd > G'day, > > I've been asked by a customer to solve an L2 ethernet problem > and I'm investigating simply tunneling the required VLANs over > L2TPv3/xconnect. > > Does anyone have any rough throughput (PPS in particular) info > they'd like to share ? And any other deployment info - actually, > in particular I'd like to know about fragmentation related issues. > > I'm looking at the Cisco 28xx series (potentially the Cisco 2811) > but I'm concerned about hitting throughput ceilings. > > Thanks, > > > Adrian > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

From oboehmer at cisco.com Thu Nov 5 04:54:34 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Thu, 5 Nov 2009 10:54:34 +0100 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <4AF21CA5.4050804@gmail.com> References: <4AF21CA5.4050804@gmail.com> Message-ID: <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com>

Jared, > I've been having quite a few adventures with IS-IS over the last few weeks > and have finally hit a wall, so I'm hoping someone here can give me a hand. > Basically, I need to build a network with IS-IS multiarea as described here: > http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html I reckon you need to build this for IP? ISIS multiarea is only supported for CLNS routing, as stated in the above link under "Restrictions". > Secondarily, if we can't have true IS-IS multiarea, we may be able to > simulate it by manually redistributing from the L1 instances to the L2 > instances, and setting default-information originate on the L1 instances.
I > attempted this in the lab, and while the commands are accepted and appear to > be good, neither redist nor default origination is actually happening. > Does anyone have any suggestions on this front? Redist and default > origination should "just work". not sure what you mean here as an alternative. You can use "default-information originate" to originate a 0.0.0.0/0 in the node's LSPs (instead of using the attached-bit from the L1L2 node, possibly along with "never-set-attached-bit" and "ignore-attached-bit" knobs to control ATT bit behaviour), but the L1 -> L2 advertisement requires a "proper" ISIS design (i.e. no multi-area config when using it for IP). oli

From lukasz at bromirski.net Thu Nov 5 05:24:02 2009 From: lukasz at bromirski.net (Łukasz Bromirski) Date: Thu, 05 Nov 2009 11:24:02 +0100 Subject: [c-nsp] Relationship between RAM and routes In-Reply-To: References: Message-ID: <4AF2A7C2.7030501@bromirski.net>

On 2009-11-05 07:12, Eric Magutu wrote: > Hi, > What is the relationship between RAM and routes? I want to implement 1000 > static routes in a cisco 7206vxr (NPE-G1) and needed to find out what > effect it would have on my router. Should I do any upgrades? it has > 229376K/32768K bytes of memory 509K of NVRAM Negligible. For a lot of static routes you may consider doing 'service compress-config', but for 1k you should be safe. -- "Everything will be okay in the end. | Łukasz Bromirski If it's not okay, it's not the end. | http://lukasz.bromirski.net

From kgraham at industrial-marshmallow.com Thu Nov 5 05:02:09 2009 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Thu, 5 Nov 2009 02:02:09 -0800 (PST) Subject: [c-nsp] "common" causes for 6500/7600 FIBDISABLE?
Message-ID: <973676.50849.qm@web505.biz.mail.mud.yahoo.com>

Having been recently hit by CSCsl62851 and/or CSCsu95171, which I suspect should be cross-referenced (yes, I was behind where we should have been in SRC), are there any "common" causes for a FIBDISABLE (in which PFC/DFC is effectively unloaded)? On an RSP720, this very neatly left both EGP/IGP mostly functional while killing any practical forwarding-plane activity. I had thought this had come up a year or so here in the context of SXF, but again my search-fu is weak. Whatever the cause, it would seem that the responsible behavior in this condition would be to trigger a crash. CSCsm53392 certainly suggests as much (applying to DFC's), though TAC asserts that there are too many cases where "this would end up in a reboot cycle requiring manual intervention" to be proper (my own inclination being that this degenerate case is still desirable) to allow an admin to "correct" the configuration that caused it. I've been trying to think of cases where a fibdisable would occur outside of a bug-condition and the only thing that comes to mind is a FIB overflow (which as discussed extensively here, is at least purportedly handled gracefully now). Are there cases I'm not thinking of that make non-bug conditions for this so much more common that destruction of the forwarding plane is desirable over a crash? Though I'm somewhat inclined for a bit of EEM to try to ensure a reload, the lack of an existing knob is vexing...

From adrian at creative.net.au Thu Nov 5 05:44:30 2009 From: adrian at creative.net.au (Adrian Chadd) Date: Thu, 5 Nov 2009 18:44:30 +0800 Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: References: <20091105062201.GA25405@skywalker.creative.net.au> Message-ID: <20091105104430.GB25405@skywalker.creative.net.au> On Thu, Nov 05, 2009, Rens wrote: > I have already done up to 400 Mbps with 2811 or 2821 (don't remember) > You just have to make sure your MTU is high enough depending on the frame > sizes you want to tunnel. What PPS was this with though? I'm worried about VoIP/PABX traffic causing much more increased CPU. I don't have the option to up the MTU; the supplied underlying circuit is an L2 ethernet metro ethernet style service. Adrian From kgraham at industrial-marshmallow.com Thu Nov 5 04:48:38 2009 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Thu, 5 Nov 2009 01:48:38 -0800 (PST) Subject: [c-nsp] Linux VPN client suggestion? In-Reply-To: <4AF09CFE.8000906@sky-haven.net> References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <4AF09CFE.8000906@sky-haven.net> Message-ID: <752959.32354.qm@web505.biz.mail.mud.yahoo.com> > Have had good luck with VPNC on Linux. You can try the ShrewSoft Linux > client (http://www.shrew.net/) as well if you're of a mind, but vpnc > tends to win on simplicity. Out of curiosity, how much actual functionality of the Unity/AnyConnect/etc VPN software are any of you using? L2TP+IPSec is a pretty straightforward config (even w/ VRF-lite) and is doable w/ just a ADVSECURITY license. Most Linux distros, Windows (going back to at least XP), OS X, Windows Mobile (to at least 5) and the iPhone all support it out of the box.. RFC3948 support is also very common, allowing easy NAT traversal. From ronan at iol.ie Thu Nov 5 07:17:34 2009 From: ronan at iol.ie (Ronan Mullally) Date: Thu, 5 Nov 2009 12:17:34 +0000 (GMT) Subject: [c-nsp] IPsec Stateful Failure question Message-ID: Before I jump in both feet first and try configuring it, the Stateful Failure for IPsec guide (12.4) says: "A stateful failover crypto map applied to an interface in a VRF instance is not supported. 
However, VRF-aware IPSEC features are supported when a stateful failover crypto map is applied to an interface in the global VRF". If I read this right, then configuring things like this:
interface Port-channel1.106
 description Customer X VPN - Front Door VRF
 mtu 1600
 encapsulation dot1Q 106
 ip vrf forwarding f-CustomerX
 ip address 1.2.3.4 255.255.255.248
 ip mtu 1500
 standby 106 ip 1.2.3.5
 standby 106 follow vpn-vip
 standby 106 name f-customerx-vip
 crypto map CustomerX redundancy f-customerx-vip
end
Means I'm not going to be able to do stateful failover, correct? -Ronan

From drew.weaver at thenap.com Thu Nov 5 08:26:18 2009 From: drew.weaver at thenap.com (Drew Weaver) Date: Thu, 5 Nov 2009 08:26:18 -0500 Subject: [c-nsp] 10GE on the cheap between a 12000 and a 6500... Message-ID:

Is there any mythical line card that I'm missing for the 12000 that offers 10GE for a reasonable price? The idea of using half of a SIP 601 for one 10GE port seems a little outlandish to me, so maybe I am missing something. Any advice is appreciated. -Drew

From sthaug at nethelp.no Thu Nov 5 09:07:53 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Thu, 05 Nov 2009 15:07:53 +0100 (CET) Subject: [c-nsp] 10GE on the cheap between a 12000 and a 6500... In-Reply-To: References: Message-ID: <20091105.150753.74726103.sthaug@nethelp.no>

> Is there any mythical line card that I'm missing for the 12000 that offers 10GE for a reasonable price? > > The idea of using half of a SIP 601 for one 10GE port seems a little outlandish to me, so maybe I am missing something. There is no "reasonable price" 10G for 12000, just as there isn't for the Juniper M320... Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From david.freedman at uk.clara.net Thu Nov 5 10:25:15 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Thu, 05 Nov 2009 15:25:15 +0000 Subject: [c-nsp] 10GE on the cheap between a 12000 and a 6500...
In-Reply-To: References: Message-ID:

According to global price list ( SPA-1X10GE-L-V2 + 12000-SIP-601= (E5) ) < 1X10GE-LR-SC (E4) Quite why one would want to spend less money on an E4 with half the density is beyond me. Dave. Drew Weaver wrote: > Is there any mythical line card that I'm missing for the 12000 that offers 10GE for a reasonable price? > > The idea of using half of a SIP 601 for one 10GE port seems a little outlandish to me, so maybe I am missing something. > > Any advice is appreciated. > > -Drew > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ >

From linux.yahoo at gmail.com Thu Nov 5 12:02:27 2009 From: linux.yahoo at gmail.com (Manu Chao) Date: Thu, 5 Nov 2009 18:02:27 +0100 Subject: [c-nsp] ACS 3 --> 5 Message-ID: <7100ed370911050902o86cf4fdo4c663fa7b6ffe2bd@mail.gmail.com>

Hi, Has anyone already been able to easily import ACS configuration from version 3 to 5? Any problems? It seems we need to first import the configuration into ACS 4 to export to 5, but I am not sure. Thanks for your input Manu

From neil-johnson at uiowa.edu Thu Nov 5 12:25:20 2009 From: neil-johnson at uiowa.edu (Johnson, Neil M) Date: Thu, 5 Nov 2009 11:25:20 -0600 Subject: [c-nsp] NAT/PAT appliance recommendations Message-ID:

I'm looking for recommendations for a device to NAT/PAT so that we can move our wireless network to private IP address space. We have approximately 1500 wireless clients on one wireless network and about 500 clients on the other (our campus is separated by a river). One wireless network has six wireless controllers, each with four 1 Gb/s connections; the other has five wireless controllers. Those interfaces are nowhere near saturated, but we will be adding another 900 AP's to the network and moving to 802.11n. All traffic from the wireless clients will be NAT'ed. Thanks.
-Neil -- Neil Johnson Network Engineer Information Technology Services The University of Iowa Work: 319 384-0938 Mobile: 319 540-2081 Fax: 319 355-2618 E-mail: neil-johnson at uiowa.edu

From moua0100 at umn.edu Thu Nov 5 12:43:03 2009 From: moua0100 at umn.edu (Ge Moua) Date: Thu, 05 Nov 2009 11:43:03 -0600 Subject: [c-nsp] NAT/PAT appliance recommendations In-Reply-To: References: Message-ID: <4AF30EA7.70308@umn.edu>

coincidentally, we just did this for our wifi clients too; using an asa5550 to do the nat; works pretty decent; the asa evolved from the pix which was in its early days a nat appliance: right now the box is doing ~39,000 nat translations and the cpu is just running luke-warm.
Border-FW-01/UofM-NAT# sh conn count
38295 in use, 117008 most used
Border-FW-01/UofM-NAT#
Border-FW-01/UofM-NAT# sh xlate count
38957 in use, 51352 most used
CPU utilization for 5 seconds = 18.9%; 1 minute: 19.4%; 5 minutes: 19.4%
Border-FW-01/UofM-NAT#
Border-FW-01/UofM-NAT# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.1(3)
Compiled on Tue 05-May-09 22:45 by builders
Border-FW-01 up 84 days 22 hours
failover cluster up 103 days 19 hours
Hardware: ASA5550
Licensed features for this user context:
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
GTP/GPRS : Disabled
Botnet Traffic Filter : Disabled
Configuration last modified by moua0100 at 15:44:50.126 CDT Wed Sep 23 2009
Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Johnson, Neil M wrote: > I'm looking for recommendations for a device to NAT/PAT so that we can move our wireless network to private IP address space. > > We have approximately 1500 wireless clients on one wireless network and about 500 clients on the other (our campus is separated by a river). > > One wireless network has six wireless controllers, each with four 1 Gb/s connections; the other has five wireless controllers.
Those interfaces are nowhere near saturated, but we will be adding another 900 AP's to the network and moving to 802.11n. > > All traffic from the wireless clients will be NAT'ed. > > Thanks. > -Neil > > -- > Neil Johnson > Network Engineer > Information Technology Services > The University of Iowa > Work: 319 384-0938 > Mobile: 319 540-2081 > Fax: 319 355-2618 > E-mail: neil-johnson at uiowa.edu > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ >

From asturluismi at gmail.com Thu Nov 5 12:56:47 2009 From: asturluismi at gmail.com (luismi) Date: Thu, 05 Nov 2009 18:56:47 +0100 Subject: [c-nsp] Linux VPN client suggestion? In-Reply-To: <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> Message-ID: <1257443807.13192.0.camel@hal9000>

Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses vpnc in the background) and zero problems against a vpn3030 On Tue, 03-11-2009 at 11:01 -0800, Scott Granados wrote: > Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second. > (I actually think we have a license for this feature set already) > > Thanks as always for the great suggestions. > > > > ----- Original Message ----- > From: "Eloy Paris" > To: "Scott Granados" > Cc: > Sent: Tuesday, November 03, 2009 10:53 AM > Subject: Re: [c-nsp] Linux VPN client suggestion? > > > > Hi Scott, > > > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote: > > > >> Hi all, > >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client > >> to provide remote users access to network resources. I have one user who > >> is interested in a client for Linux (specifically CentOS) and not sure > >> what to suggest.
Does anyone have any good pointers for a good client > >> that I can point him to? > >> > >> Any pointers would be appreciated. > > > > The Cisco VPN Client does support *some* versions of Linux. However, it > > does not work with the latest versions of the Linux kernel so if you > > user's kernel is recent (and unfortunately, "recent" doesn't really have > > to be very recent) then the official Cisco VPN Client is not an option. > > > > However, there is an open source VPN client that works with Cisco VPN > > headends. I personally use and it works great: > > > > http://www.unix-ag.uni-kl.de/~massar/vpnc/ > > > > It's included in pretty much all Linux distributions. A quick Google > > search for "centos vpnc" turned this up as the first hit: > > > > http://wiki.centos.org/HowTos/vpnc > > > > Hope this helps. > > > > Cheers, > > > > -- > > > > Eloy Paris > > Cisco PSIRT > > Ph: +1 919 392-9118 > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/

From berghauz at gmail.com Thu Nov 5 13:06:41 2009 From: berghauz at gmail.com (Alexey Polyakov) Date: Thu, 5 Nov 2009 21:06:41 +0300 Subject: [c-nsp] NAT/PAT appliance recommendations In-Reply-To: References: Message-ID: <13d85870911051006h54e9ab8j8fc54ed6ddd9875c@mail.gmail.com>

Hi. 3854 can handle a lot of NAT translations. But... can't handle a lot of Mbps.. Here are some MRTG graphs. NAT translations: http://i039.radikal.ru/0911/9f/845c6ec3d143.png CPU load: http://s58.radikal.ru/i162/0911/c7/7052632a4b6c.png WBR Aleksey Polyakoff ICQ:9001016 Marie von Ebner-Eschenbach - "Even a stopped clock is right twice a day." 2009/11/5 Johnson, Neil M > > I'm looking for recommendations for a device to NAT/PAT so that we can move > our wireless network to private IP address space.
> > We have approximately 1500 wireless clients on one wireless network and > about 500 clients on the other (our campus is separated by a river). > > One wireless network has six wireless controllers, each with four 1 Gb/s > connections; the other has five wireless controllers. Those interfaces are > nowhere near saturated, but we will be adding another 900 AP's to the > network and moving to 802.11n. > > All traffic from the wireless clients will be NAT'ed. > > Thanks. > -Neil > > -- > Neil Johnson > Network Engineer > Information Technology Services > The University of Iowa > Work: 319 384-0938 > Mobile: 319 540-2081 > Fax: 319 355-2618 > E-mail: neil-johnson at uiowa.edu > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ >

From paul at paulstewart.org Thu Nov 5 13:15:30 2009 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 5 Nov 2009 13:15:30 -0500 Subject: [c-nsp] NAT/PAT appliance recommendations In-Reply-To: <13d85870911051006h54e9ab8j8fc54ed6ddd9875c@mail.gmail.com> References: <13d85870911051006h54e9ab8j8fc54ed6ddd9875c@mail.gmail.com> Message-ID: <003701ca5e43$f5e0a340$e1a1e9c0$@org>

Is that graph (NAT) the number of "active" NAT translations? Just curious as that is a LOT of translations being measured on that platform..;) Cheers, Paul

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexey Polyakov Sent: November-05-09 1:07 PM To: Johnson, Neil M Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] NAT/PAT appliance recommendations Hi. 3854 can handle a lot of NAT translations. But... can't handle a lot of Mbps.. Here are some MRTG graphs.
NAT translations: http://i039.radikal.ru/0911/9f/845c6ec3d143.png CPU load: http://s58.radikal.ru/i162/0911/c7/7052632a4b6c.png WBR Aleksey Polyakoff ICQ:9001016 Marie von Ebner-Eschenbach - "Even a stopped clock is right twice a day." 2009/11/5 Johnson, Neil M > > I'm looking for recommendations for a device to NAT/PAT so that we can move > our wireless network to private IP address space. > > We have approximately 1500 wireless clients on one wireless network and > about 500 clients on the other (our campus is separated by a river). > > One wireless network has six wireless controllers each four 1 Gb/s > connections, the other has five wireless controllers. Those interfaces are > nowhere near saturated, but we will be adding another 900 AP's to the > network and moving to 802.11N. > > All traffic from the wireless clients will be NAT'ed. > > Thanks. > -Neil > > -- > Neil Johnson > Network Engineer > Information Technology Services > The University of Iowa > Work: 319 384-0938 > Mobile: 319 540-2081 > Fax: 319 355-2618 > E-mail: neil-johnson at uiowa.edu > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From drew.weaver at thenap.com Thu Nov 5 13:41:16 2009 From: drew.weaver at thenap.com (Drew Weaver) Date: Thu, 5 Nov 2009 13:41:16 -0500 Subject: [c-nsp] Gigabit Interface Input Errors Message-ID: Hi, I noticed I'm seeing some Input errors on a gigabit ethernet interface: 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored the number of input errors seems to increment along with the overrun counter which I assume means that the actual errors are overrun errors. 
Does anyone have any tips on finding out what is causing it to overrun? My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface: 2367831951 packets input, 247924231216 bytes, 0 no buffer 70 out of 2367831951 is a fairly small number but I wanted to check and see if you all had any thoughts. thanks, -Drew

From Michael.Balasko at cityofhenderson.com Thu Nov 5 13:47:08 2009 From: Michael.Balasko at cityofhenderson.com (Michael Balasko) Date: Thu, 5 Nov 2009 10:47:08 -0800 Subject: [c-nsp] OT: ASA rant was : RE: NAT/PAT appliance recommendations In-Reply-To: <4AF30EA7.70308@umn.edu> References: <4AF30EA7.70308@umn.edu> Message-ID: <9AF22D15085E7D409ED5710CBC779E930A3182@COHNTCS09.ci.henderson.nv.us>

I second the ASA's to do this. Although I'd disagree with the ASA's having evolved from the pix's. All Cisco has appeared to do is install more bugs and try to out-do IOS and Windows ME for the buggiest OS's ever. That being said I am warming up to 7.2 train. One of my new favorite bugs- Editing an Object Group causes the ASA to crash. This seems to be something that should have been vetted. http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy71401 That being said things are infinitely more complicated than they were back in the oh-how-I-miss-my-Pix-520 days. Mike

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua coincidentally, we just did this for our wifi clients too; using an asa5550 to do the nat; works pretty decent; the asa evolved from the pix which was in its early days a nat appliance: Johnson, Neil M wrote: > I'm looking for recommendations for a device to NAT/PAT so that we can move our wireless network to private IP address space.
> We have approximately 1500 wireless clients on one wireless network and about 500 clients on the other (our campus is separated by a river).

From cjk at klement.org Thu Nov 5 13:48:29 2009
From: cjk at klement.org (Charles Klement)
Date: Thu, 5 Nov 2009 10:48:29 -0800
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <1257443807.13192.0.camel@hal9000>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000>
Message-ID: <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>

One important thing to remember is that VPNC can ignore pretty much any policy sent down from the concentrator. This includes split tunnelling as well as client versioning.

This is one of the reasons that I've been pushing the company I work for towards AnyConnect.

On Thu, Nov 5, 2009 at 9:56 AM, luismi wrote:
> Ubuntu karmic 9.10 here, using the graphical GNOME VPN assistant (which uses vpnc in the background) and zero problems against a VPN3030.
>
> On Tue, 03-11-2009 at 11:01 -0800, Scott Granados wrote:
> > Hi all, looks like VPNC wins with Cisco AnyConnect SSL VPN coming in second.
> > (I actually think we have a license for this feature set already)
> >
> > Thanks as always for the great suggestions.
> >
> > ----- Original Message -----
> > From: "Eloy Paris"
> > To: "Scott Granados"
> > Cc:
> > Sent: Tuesday, November 03, 2009 10:53 AM
> > Subject: Re: [c-nsp] Linux VPN client suggestion?
> >
> > > Hi Scott,
> > >
> > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> > >
> > >> Hi all,
> > >> I'm presently running Cisco ASA 5520 hardware with the Cisco VPN client to provide remote users access to network resources. I have one user who is interested in a client for Linux (specifically CentOS) and I'm not sure what to suggest.
> > >> Does anyone have any good pointers for a good client that I can point him to?
> > >>
> > >> Any pointers would be appreciated.
> > >
> > > The Cisco VPN Client does support *some* versions of Linux. However, it does not work with the latest versions of the Linux kernel, so if your user's kernel is recent (and unfortunately, "recent" doesn't really have to be very recent) then the official Cisco VPN Client is not an option.
> > >
> > > However, there is an open source VPN client that works with Cisco VPN headends. I personally use it and it works great:
> > >
> > > http://www.unix-ag.uni-kl.de/~massar/vpnc/
> > >
> > > It's included in pretty much all Linux distributions. A quick Google search for "centos vpnc" turned this up as the first hit:
> > >
> > > http://wiki.centos.org/HowTos/vpnc
> > >
> > > Hope this helps.
> > >
> > > Cheers,
> > >
> > > --
> > > Eloy Paris
> > > Cisco PSIRT
> > > Ph: +1 919 392-9118

From berghauz at gmail.com Thu Nov 5 13:52:32 2009
From: berghauz at gmail.com (Alexey Polyakov)
Date: Thu, 5 Nov 2009 21:52:32 +0300
Subject: [c-nsp] NAT/PAT appliance recommendations
In-Reply-To: <003701ca5e43$f5e0a340$e1a1e9c0$@org>
References: <13d85870911051006h54e9ab8j8fc54ed6ddd9875c@mail.gmail.com> <003701ca5e43$f5e0a340$e1a1e9c0$@org>
Message-ID: <13d85870911051052x59cd7ac4v286aaa22b2b3a1e8@mail.gmail.com>

I'm surprised no less than you, but it is so. But I must clarify: the translation timeout is 1200 sec for both TCP and UDP.
For comparison, a 7513 is almost dead on 7-10K translations, with less than 4 time timeouts.

cis3845-MB_okt#sh ip nat stat
Total active translations: 167741 (0 static, 167741 dynamic; 167747 extended)

cis3845-MB_okt#sh ver
Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 05:34 by alnguyen

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

cis3845-MB_okt uptime is 8 weeks, 6 days, 13 hours, 40 minutes
System returned to ROM by power-on
System image file is "flash:c3845-ipbase-mz.124-3g.bin"

Cisco 3845 (revision 1.0) with 225280K/36864K bytes of memory.
Processor board ID FCZ1111711G
2 Gigabit Ethernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62720K bytes of ATA System CompactFlash (Read/Write)

WBR Aleksey Polyakoff ICQ:9001016
Mike Ditka - "If God had wanted man to play soccer, he wouldn't have given us arms."

2009/11/5 Paul Stewart
> Is that graph (NAT) the number of "active" NAT translations? Just curious as that is a LOT of translations being measured on that platform..;)
>
> Cheers,
>
> Paul
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexey Polyakov
> Sent: November-05-09 1:07 PM
> To: Johnson, Neil M
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] NAT/PAT appliance recommendations
>
> Hi.
>
> The 3845 can handle a lot of NAT translations. But... it can't handle a lot of Mbps..
> There are some MRTG graphs.
> NAT translations:
> http://i039.radikal.ru/0911/9f/845c6ec3d143.png
> CPU load:
> http://s58.radikal.ru/i162/0911/c7/7052632a4b6c.png
>
> WBR Aleksey Polyakoff ICQ:9001016
> Marie von Ebner-Eschenbach <http://www.brainyquote.com/quotes/authors/m/marie_von_ebner eschenbac.html> - "Even a stopped clock is right twice a day."
> 2009/11/5 Johnson, Neil M
> > I'm looking for recommendations for a device to NAT/PAT so that we can move our wireless network to private IP address space.
> >
> > We have approximately 1500 wireless clients on one wireless network and about 500 clients on the other (our campus is separated by a river).
> >
> > One wireless network has six wireless controllers, each with four 1 Gb/s connections; the other has five wireless controllers. Those interfaces are nowhere near saturated, but we will be adding another 900 AP's to the network and moving to 802.11N.
> >
> > All traffic from the wireless clients will be NAT'ed.
> >
> > Thanks.
> > -Neil

From synack at live.com Thu Nov 5 13:53:43 2009
From: synack at live.com (Darin Herteen)
Date: Thu, 5 Nov 2009 12:53:43 -0600
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID:

Drew,

Overruns are usually caused by the receiving hardware buffer being "flooded", for lack of a better term, because the input rate exceeded the receiver's ability to handle the traffic.
Darin

> From: drew.weaver at thenap.com
> To: cisco-nsp at puck.nether.net
> Date: Thu, 5 Nov 2009 13:41:16 -0500
> Subject: [c-nsp] Gigabit Interface Input Errors
>
> Hi,
>
> I noticed I'm seeing some input errors on a gigabit ethernet interface:
>
> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>
> The number of input errors seems to increment along with the overrun counter, which I assume means that the actual errors are overrun errors.
>
> Does anyone have any tips on finding out what is causing it to overrun?
>
> My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:
>
> 2367831951 packets input, 247924231216 bytes, 0 no buffer
>
> 70 out of 2367831951 is a fairly small number, but I wanted to check and see if you all had any thoughts.
>
> thanks,
> -Drew

From drew.weaver at thenap.com Thu Nov 5 13:58:06 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 5 Nov 2009 13:58:06 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID:

Thanks for responding,

As far as you're aware, is there a way to check the hardware buffer to see if this is the case, and is this buffer usually per line card, or per slot (both/either?)
-Drew

From: Darin Herteen [mailto:synack at live.com]
Sent: Thursday, November 05, 2009 1:54 PM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Drew,

Overruns are usually caused by the receiving hardware buffer being "flooded", for lack of a better term, because the input rate exceeded the receiver's ability to handle the traffic.

Darin

> From: drew.weaver at thenap.com
> To: cisco-nsp at puck.nether.net
> Date: Thu, 5 Nov 2009 13:41:16 -0500
> Subject: [c-nsp] Gigabit Interface Input Errors
>
> Hi,
>
> I noticed I'm seeing some input errors on a gigabit ethernet interface:
>
> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>
> [...]
>
> thanks,
> -Drew
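The counters Drew quotes are a single snapshot, and the question the thread keeps coming back to is whether 70 overruns in 2.3 billion input packets is noise or the start of a trend. What follows is an added example, not code from the thread or from any of the posters: a small Python check that parses the two IOS "show interfaces" counter lines quoted above from two successive polls and rates the growth of the overrun counter, so that a slow trickle can be told apart from a burst (line-rate micro-bursts, oversubscription, or a DoS) that deserves a look. The 300-second polling interval, the two later samples and the two thresholds are constructed assumptions; only the first sample is Drew's.

```python
"""Rate the growth of an interface's overrun counter between two polls.

Added example, not code from the cisco-nsp thread. Parses the two counter
lines that IOS 'show interfaces' prints (the format Drew quoted) and decides
whether the overruns are worth chasing. All polls except the first one are
constructed for the illustration.
"""
import re
from dataclasses import dataclass

# The two 'show interfaces' lines we care about, matched anywhere in the text.
ERR_RE = re.compile(
    r"(?P<input_errors>\d+) input errors, (?P<crc>\d+) CRC, (?P<frame>\d+) frame, "
    r"(?P<overrun>\d+) overrun, (?P<ignored>\d+) ignored")
PKT_RE = re.compile(r"(?P<packets>\d+) packets input, (?P<bytes>\d+) bytes")


@dataclass(frozen=True)
class Sample:
    ts: float        # seconds since epoch when the poll was taken (assumed)
    packets: int     # input packets counter
    overruns: int    # overrun counter
    crc: int         # CRC counter, kept so a caller can tell overruns from link faults


def parse_sample(ts: float, text: str) -> Sample:
    """Extract the input packet and error counters from one poll's output."""
    err = ERR_RE.search(text)
    pkt = PKT_RE.search(text)
    if err is None or pkt is None:
        raise ValueError("counter lines not found in show interfaces output")
    return Sample(ts=ts, packets=int(pkt["packets"]),
                 overruns=int(err["overrun"]), crc=int(err["crc"]))


def overrun_verdict(prev: Sample, cur: Sample,
                    per_sec_threshold: float = 1.0,
                    ratio_threshold: float = 1e-4) -> dict:
    """Compare two polls and return delta, rate, loss ratio and a verdict.

    Counters that went backwards (a reload or 'clear counters') are reported
    as 'reset' rather than as a negative rate. The thresholds are assumptions:
    one overrun per second, or one overrun per ten thousand packets.
    """
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be in chronological order")
    d_over = cur.overruns - prev.overruns
    d_pkts = cur.packets - prev.packets
    if d_over < 0 or d_pkts < 0:
        return {"verdict": "reset", "delta": d_over, "rate": 0.0, "ratio": 0.0}
    rate = d_over / dt
    ratio = d_over / d_pkts if d_pkts else 0.0
    if d_over == 0:
        verdict = "quiet"
    elif rate >= per_sec_threshold or ratio >= ratio_threshold:
        verdict = "investigate"   # bursts at line rate, oversubscription, or a DoS
    else:
        verdict = "accept"        # the 'trickle' case from the thread
    return {"verdict": verdict, "delta": d_over, "rate": rate, "ratio": ratio}


# Constructed polls 300 s apart. POLL_A uses Drew's numbers; POLL_B shows one
# extra overrun in 100 million packets, POLL_C a burst of 1500.
POLL_A = """  2367831951 packets input, 247924231216 bytes, 0 no buffer
     70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored"""
POLL_B = """  2467831951 packets input, 258924231216 bytes, 0 no buffer
     71 input errors, 0 CRC, 0 frame, 71 overrun, 0 ignored"""
POLL_C = """  2567831951 packets input, 269924231216 bytes, 0 no buffer
     1571 input errors, 0 CRC, 0 frame, 1571 overrun, 0 ignored"""


def demo() -> list:
    """Run the three constructed polls through the check; returns the verdicts."""
    s0 = parse_sample(0.0, POLL_A)
    s1 = parse_sample(300.0, POLL_B)
    s2 = parse_sample(600.0, POLL_C)
    return [overrun_verdict(s0, s1)["verdict"], overrun_verdict(s1, s2)["verdict"]]


if __name__ == "__main__":
    print(demo())
```

The check is deliberately two-sided: a per-second rate catches a burst on a busy interface where the loss ratio stays tiny, and the ratio catches a quiet interface that is losing a meaningful fraction of what little it receives. Feed it the output of a real poller and log the verdict per interface; a counter that jumps to "investigate" together with "0 CRC" points at the receiver being out-paced, as Gert describes further down the thread, rather than at a bad link.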
From adrian.minta at gmail.com Thu Nov 5 13:58:41 2009
From: adrian.minta at gmail.com (Adrian Minta)
Date: Thu, 05 Nov 2009 20:58:41 +0200
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID: <4AF32061.7000604@gmail.com>

Drew Weaver wrote:
> Hi,
>
> I noticed I'm seeing some input errors on a gigabit ethernet interface:
>
> 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored
>
> [...]
>
> thanks,
> -Drew

ASA firewall ?

--
Best regards,
Adrian Minta

From tbaranski at mail.com Thu Nov 5 14:00:02 2009
From: tbaranski at mail.com (Terry Baranski)
Date: Thu, 5 Nov 2009 14:00:02 -0500
Subject: [c-nsp] IPsec Stateful Failure question
In-Reply-To:
References:
Message-ID: <000101ca5e4a$2e9c3360$8bd49a20$@com>

Strange -- we've done stateful IPsec on a VRF interface before. I wasn't aware of this supposed restriction.

-Terry

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ronan Mullally
Sent: Thursday, November 05, 2009 7:18 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPsec Stateful Failure question

Before I jump in both feet first and try configuring it, the Stateful Failover for IPsec guide (12.4) says:

"A stateful failover crypto map applied to an interface in a VRF instance is not supported. However, VRF-aware IPSEC features are supported when a stateful failover crypto map is applied to an interface in the global VRF".
If I read this right, then configuring things like this:

interface Port-channel1.106
 description Customer X VPN - Front Door VRF
 mtu 1600
 encapsulation dot1Q 106
 ip vrf forwarding f-CustomerX
 ip address 1.2.3.4 255.255.255.248
 ip mtu 1500
 standby 106 ip 1.2.3.5
 standby 106 follow vpn-vip
 standby 106 name f-customerx-vip
 crypto map CustomerX redundancy f-customerx-vip
end

means I'm not going to be able to do stateful failover, correct?

From drew.weaver at thenap.com Thu Nov 5 14:11:53 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 5 Nov 2009 14:11:53 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <4AF32061.7000604@gmail.com>
References: <4AF32061.7000604@gmail.com>
Message-ID:

Nah, in this particular instance it is one interface in a 3GE-GBIC-SC in a GSR.

thanks,
-Drew

-----Original Message-----
From: Adrian Minta [mailto:adrian.minta at gmail.com]
Sent: Thursday, November 05, 2009 1:59 PM
To: Drew Weaver
Cc: 'cisco-nsp at puck.nether.net'
Subject: Re: [c-nsp] Gigabit Interface Input Errors

Drew Weaver wrote:
> [...]
>
ASA firewall ?
--
Best regards,
Adrian Minta

From synack at live.com Thu Nov 5 14:19:27 2009
From: synack at live.com (Darin Herteen)
Date: Thu, 5 Nov 2009 13:19:27 -0600
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID:

Unfortunately I don't know of any way to check the hardware buffer(s), and my "guess" is per line card.

I would also run a "show process cpu" while the overruns are incrementing (if you can) to see if the utilization is above 90%. I've heard of this causing overruns in the past. I haven't experienced it myself though.

From: drew.weaver at thenap.com
To: synack at live.com; cisco-nsp at puck.nether.net
Date: Thu, 5 Nov 2009 13:58:06 -0500
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Thanks for responding,

As far as you're aware, is there a way to check the hardware buffer to see if this is the case, and is this buffer usually per line card, or per slot (both/either?)

-Drew

From: Darin Herteen [mailto:synack at live.com]
Sent: Thursday, November 05, 2009 1:54 PM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Drew,

Overruns are usually caused by the receiving hardware buffer being "flooded", for lack of a better term, because the input rate exceeded the receiver's ability to handle the traffic.

Darin

> From: drew.weaver at thenap.com
> To: cisco-nsp at puck.nether.net
> Date: Thu, 5 Nov 2009 13:41:16 -0500
> Subject: [c-nsp] Gigabit Interface Input Errors
>
> [...]
> My first inclination is to assume it is not a huge problem because of the amount of packets that are flowing through this interface:
>
> 2367831951 packets input, 247924231216 bytes, 0 no buffer
>
> 70 out of 2367831951 is a fairly small number, but I wanted to check and see if you all had any thoughts.
>
> thanks,
> -Drew

From drew.weaver at thenap.com Thu Nov 5 14:39:14 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 5 Nov 2009 14:39:14 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID:

The only time the CPU utilization is above 10% on this system is when BGP Scanner runs, and it was my understanding that BGP Scanner shouldn't cause any issues with traffic.

-Drew

From: Darin Herteen [mailto:synack at live.com]
Sent: Thursday, November 05, 2009 2:19 PM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Gigabit Interface Input Errors

Unfortunately I don't know of any way to check the hardware buffer(s), and my "guess" is per line card.

I would also run a "show process cpu" while the overruns are incrementing (if you can) to see if the utilization is above 90%. I've heard of this causing overruns in the past. I haven't experienced it myself though.
From: drew.weaver at thenap.com
To: synack at live.com; cisco-nsp at puck.nether.net
Date: Thu, 5 Nov 2009 13:58:06 -0500
Subject: RE: [c-nsp] Gigabit Interface Input Errors

[...]
From kenny.sallee at gmail.com Thu Nov 5 14:40:57 2009
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Thu, 5 Nov 2009 11:40:57 -0800
Subject: [c-nsp] MPLS Multi-AS options...
Message-ID: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>

So I'm reading this document from Cisco:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_ias_optab.html
and
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_connect_asbr.html
as well as RFC 4364 section 10 "Multi-AS Backbones".

I'm wondering if anyone is actually doing any flavor of Multi-AS backbone in the real world? Option A doesn't seem scalable at all. Option B seems scalable, but the level of trust and lack of QoS may be a concern. Option AB - I'm trying to fully understand it w/o a ton of lab time. As I read the first Cisco link above, with Option AB you must configure a sub-interface PER VPN/client in its own VRF on each SP's ASBR. So if you have 100 different customers, on that interconnect between SP1 and SP2 you must configure 100 sub-interfaces and VRFs with unique (agreed upon) RDs. Then you configure a single MP-BGP session to carry the VPNv4 addresses for all VRFs. So really you are only saving X number of BGP sessions with Option AB compared to, say, just Option A, correct?

Anyone out there with practical experience doing this in a production environment?

Thanks,
Kenny

Is there any other technology for 'extending VRF' to an Application Service Provider type network?

From dale.shaw+cisco-nsp at gmail.com Thu Nov 5 14:41:45 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Fri, 6 Nov 2009 06:41:45 +1100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <20091105104430.GB25405@skywalker.creative.net.au>
References: <20091105062201.GA25405@skywalker.creative.net.au> <20091105104430.GB25405@skywalker.creative.net.au>
Message-ID: <3329cbb40911051141h494e3b92l467d68204afbdee9@mail.gmail.com>

Hi Adrian,

On Thu, Nov 5, 2009 at 9:44 PM, Adrian Chadd wrote:
>
> I don't have the option to up the MTU; the supplied underlying circuit is an L2 ethernet metro ethernet style service.

Do you know for sure that the carrier MTU doesn't have the headroom you need?

cheers,
Dale

From nils.kolstein at sscplus.nl Thu Nov 5 15:32:10 2009
From: nils.kolstein at sscplus.nl (Nils Kolstein)
Date: Thu, 5 Nov 2009 21:32:10 +0100
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References: <4AF32061.7000604@gmail.com>
Message-ID: <000401ca5e57$0ef1be10$2cd53a30$@kolstein@sscplus.nl>

What's the utilization on the other 2 interfaces? I am not familiar with this specific platform, but it might also be caused by slot/backplane limitations causing packets to be dropped if the total BW exceeds a certain (non line-rate) value. I have seen this behaviour on some platforms.

Regards,
Nils Kolstein

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
> Sent: Thursday 5 November 2009 20:12
> To: 'Adrian Minta'
> Cc: 'cisco-nsp at puck.nether.net'
> Subject: Re: [c-nsp] Gigabit Interface Input Errors
>
> Nah, in this particular instance it is one interface in a 3GE-GBIC-SC in a GSR.
>
> thanks,
> -Drew
>
> -----Original Message-----
> From: Adrian Minta [mailto:adrian.minta at gmail.com]
> Sent: Thursday, November 05, 2009 1:59 PM
> To: Drew Weaver
> Cc: 'cisco-nsp at puck.nether.net'
> Subject: Re: [c-nsp] Gigabit Interface Input Errors
>
> Drew Weaver wrote:
> > [...]
>
> ASA firewall ?
>
> --
> Best regards,
> Adrian Minta

From jmayer at loplof.de Thu Nov 5 15:00:59 2009
From: jmayer at loplof.de (Joerg Mayer)
Date: Thu, 5 Nov 2009 21:00:59 +0100
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
Message-ID: <20091105200059.GR28388@thot.informatik.uni-kl.de>

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
> One important thing to remember is that VPNC can ignore pretty much any policy sent down from the concentrator. This includes split tunnelling as well as client versioning.
>
> This is one of the reasons that I've been pushing the company I work for towards AnyConnect.

Oh, and for AnyConnect there isn't such a workaround?

ciao
Joerg

--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.

From jmayer at loplof.de Thu Nov 5 15:01:56 2009
From: jmayer at loplof.de (Joerg Mayer)
Date: Thu, 5 Nov 2009 21:01:56 +0100
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
Message-ID: <20091105200156.GS28388@thot.informatik.uni-kl.de>

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
> One important thing to remember is that VPNC can ignore pretty much any policy sent down from the concentrator. This includes split tunnelling as well as client versioning.

And since a recent patch, even the firewall requirements :-)

Ciao
Joerg

--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
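The point the vpnc replies are making is that everything the concentrator pushes after authentication (the split-include list, a minimum client version, a "firewall must be running" flag) is acted on by code the user controls, so a modified vpnc or OpenConnect can simply decline to do it. The model below is an added example, not code from this thread, from vpnc or from any Cisco product. It separates what only the client decides (where a packet is routed, and what posture it reports) from what a headend can still impose on the traffic it actually sees, which is modelled here as a destination filter in the spirit of an ASA vpn-filter ACL. The policy, the filter and the three destination addresses are constructed for the illustration; there is no real IKE or mode-config exchange.

```python
"""Where remote-access VPN policy can and cannot be enforced.

Added example, not code from the cisco-nsp thread, vpnc, OpenConnect or
Cisco. A compliant client and a modified one receive the same pushed policy;
the headend applies a destination filter to tunnelled traffic. Networks,
versions and the filter are constructed for the illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'5.0.07' -> (5, 0, 7), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class PushedPolicy:
    """What the concentrator pushes to the client after authentication.

    split_include None means 'tunnel everything'. The version and firewall
    requirements can only be checked against what the client reports.
    """
    split_include: Optional[List[IPv4Network]]
    min_client_version: str
    require_firewall: bool


@dataclass
class Client:
    """A remote-access client. Every field here is under the user's control."""
    reported_version: str
    reported_firewall: bool
    honours_policy: bool
    # Networks a non-compliant client chooses to tunnel, ignoring the push.
    local_split: List[IPv4Network] = field(default_factory=list)

    def route(self, policy: PushedPolicy, dst: str) -> str:
        """Return 'tunnel' or 'clear': where this client sends a packet for dst."""
        addr = ip_address(dst)
        if self.honours_policy:
            if policy.split_include is None:
                return "tunnel"
            return "tunnel" if any(addr in n for n in policy.split_include) else "clear"
        # Modified client (the vpnc case): applies its own split list instead.
        return "tunnel" if any(addr in n for n in self.local_split) else "clear"


@dataclass
class Headend:
    policy: PushedPolicy
    # Destinations decrypted traffic may reach. Applied on the headend, so it
    # holds regardless of the client (assumed vpn-filter style ACL).
    vpn_filter: List[IPv4Network]

    def admit(self, client: Client) -> bool:
        """Posture check: exactly as trustworthy as the client's self-report."""
        version_ok = parse_version(client.reported_version) >= parse_version(self.policy.min_client_version)
        fw_ok = client.reported_firewall or not self.policy.require_firewall
        return version_ok and fw_ok

    def dispose(self, client: Client, dst: str) -> str:
        """How a packet from client to dst ends up: delivered, dropped or not seen."""
        if client.route(self.policy, dst) == "clear":
            return "not seen"      # bypasses the tunnel; no headend ACL can touch it
        addr = ip_address(dst)
        if any(addr in n for n in self.vpn_filter):
            return "delivered"
        return "dropped"           # the filter stops it even from a rogue client


# Constructed policy: tunnel-all, client >= 5.0, firewall required. The
# headend only lets VPN traffic reach 10.1.0.0/16.
POLICY = PushedPolicy(split_include=None, min_client_version="5.0", require_firewall=True)
HEADEND = Headend(POLICY, vpn_filter=[ip_network("10.1.0.0/16")])
DESTS = ["10.1.2.3", "10.9.9.9", "203.0.113.5"]


def demo() -> Dict[str, dict]:
    """Run the same three packets through a compliant and a modified client."""
    good = Client("5.0.07", reported_firewall=True, honours_policy=True)
    # Reports a firewall it does not run, and keeps its own split list.
    rogue = Client("5.0.07", reported_firewall=True, honours_policy=False,
                   local_split=[ip_network("10.0.0.0/8")])
    return {
        "admitted": {"good": HEADEND.admit(good), "rogue": HEADEND.admit(rogue)},
        "good": {d: HEADEND.dispose(good, d) for d in DESTS},
        "rogue": {d: HEADEND.dispose(rogue, d) for d in DESTS},
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The telling result is the rogue client's packet to 203.0.113.5: it is "not seen", because a client that ignores tunnel-all keeps its direct path and the headend never gets a chance to filter it, while 10.9.9.9 is still dropped by the filter whatever the client does, and both clients pass the posture check because the check only ever sees what they report. That is the split the thread arrives at: put the access control that matters on the headend, and treat pushed split-tunnel settings and client-side posture as hints unless the endpoint itself is a managed device you control.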
From gert at greenie.muc.de Thu Nov 5 15:38:53 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 5 Nov 2009 21:38:53 +0100
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To:
References:
Message-ID: <20091105203853.GY163@greenie.muc.de>

Hi,

On Thu, Nov 05, 2009 at 01:41:16PM -0500, Drew Weaver wrote:
> Does anyone have any tips on finding out what is causing it to overrun?

"Hardware too slow" error - packets arrive in short bursts at line rate, and your router cannot handle that.

For example, an NPE-G1 will handle packets at, say, 300 mbit/sec if they come in evenly spaced - packetpacketpacket - but if 1000 packets arrive back-to-back and then a longer pause, it will overrun the buffers.

There's not much you can do, except "get a hardware forwarding box" or "just accept it, and only worry if the errors increase more frequently".

We do some of both :-)

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From elparis at cisco.com Thu Nov 5 15:59:13 2009
From: elparis at cisco.com (Eloy Paris)
Date: Thu, 5 Nov 2009 15:59:13 -0500
Subject: [c-nsp] Linux VPN client suggestion?
In-Reply-To: <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com>
Message-ID: <20091105205913.GB5362@turbo.cisco.com>

Hi Charles,

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
> One important thing to remember is that VPNC can ignore pretty much any policy sent down from the concentrator.
> This includes split tunnelling as well as client versioning.
>
> This is one of the reasons that I've been pushing the company I work for towards AnyConnect.

I would think that OpenConnect (OpenConnect is to AnyConnect what vpnc is to the Cisco VPN Client) suffers from the same lack of enforcement issues. And even if the authors tried to enforce policies, it should be easy to modify OpenConnect so it doesn't enforce anything.

Don't get me wrong -- it's a good thing to move to AnyConnect, since no new features are being added to the old Cisco VPN Client; I just don't think that policy enforcement is a good reason to justify a migration.

Cheers,

Eloy Paris.-
Cisco PSIRT

> On Thu, Nov 5, 2009 at 9:56 AM, luismi wrote:
> > Ubuntu karmic 9.10 here, using the graphical GNOME VPN assistant (which uses vpnc in the background) and zero problems against a VPN3030.
> > > > [...]

From rwest at zyedge.com Thu Nov 5 16:10:33 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 5 Nov 2009 16:10:33 -0500
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <20091105203853.GY163@greenie.muc.de>
References: <20091105203853.GY163@greenie.muc.de>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A62@zy-ex1.zyedge.local>

Hi,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Thursday, November 05, 2009 3:39 PM > > There's not much you can do, except "get a hardware forwarding box" > or "just accept it, and only worry if the errors increase more > frequently". Hopefully I'm not completely hijacking here, but I have seen similar issues on the 4500 w/WS-X4548-GB-RJ45 line cards. The fabric has 6gbps per slot, so the oversubscription is 8:1. The best telltale sign that I'm hitting oversubscription is input errors with no CRC or overruns, like below:

30 second input rate 6394000 bits/sec, 719 packets/sec
30 second output rate 722000 bits/sec, 481 packets/sec
770898484 packets input, 957181248327 bytes, 0 no buffer
Received 594832 broadcasts (560167 multicast)
0 runts, 0 giants, 0 throttles
282191 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
455543646 packets output, 153140605424 bytes, 0 underruns

Is there a more systematic approach to detecting this? I've gone through some docs and most useful information is geared toward the 6500, such as http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801751d7.shtml#ASIC. Currently I have to use a combination of interface statistics and historical Cacti graphs to narrow down over-utilized port ranges. Thanks, -ryan From cjk at klement.org Thu Nov 5 16:20:06 2009 From: cjk at klement.org (Charles Klement) Date: Thu, 5 Nov 2009 13:20:06 -0800 Subject: [c-nsp] Linux VPN client suggestion? In-Reply-To: <20091105205913.GB5362@turbo.cisco.com> References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com> <20091105205913.GB5362@turbo.cisco.com> Message-ID: <8852ac1c0911051320q12c909f2p7afa720906c5e7a1@mail.gmail.com> Oh well, I guess policy enforcement will just have to be via the HR department rather than a technical solution.
:) On Thu, Nov 5, 2009 at 12:59 PM, Eloy Paris wrote: > Hi Charles, > > On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote: > > > One important thing to remember is that VPNC can ignore pretty much > > any policy sent down from the concentrator. This includes split > > tunnelling as well as client versioning. > > > > This is one of the reasons that I've been pushing the company I work > > for towards anyconnect. > > I would think that OpenConnect (OpenConnect is to AnyConnect what vpnc > is to the Cisco VPN Client) suffers from the same lack of enforcement > issues. And even if the authors tried to enforce policies it should be > easy to modify OpenConnect so it doesn't enforce anything. > > Don't get me wrong -- it's a good thing to move to AnyConnect since no > new features are being added to the old Cisco VPN Client; I just don't > think that policy enforcement is a good reason to justify a migration. > > Cheers, > > Eloy Paris.- > Cisco PSIRT > > > On Thu, Nov 5, 2009 at 9:56 AM, luismi wrote: > > > > > Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses > > > vpnc in the background) and zero problems against a vpn3030 > > > > > > On Tue, 03-11-2009 at 11:01 -0800, Scott Granados wrote: > > > > Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in > > > second. > > > > (I actually think we have a license for this feature set already) > > > > > > > > Thanks as always for the great suggestions. > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Eloy Paris" > > > > To: "Scott Granados" > > > > Cc: > > > > Sent: Tuesday, November 03, 2009 10:53 AM > > > > Subject: Re: [c-nsp] Linux VPN client suggestion?
> > > > > > > > > > > > > Hi Scott, > > > > > > > > > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote: > > > > > > > > > >> Hi all, > > > > >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN > > > client > > > > >> to provide remote users access to network resources. I have one > user > > > who > > > > >> is interested in a client for Linux (specifically CentOS) and not > sure > > > > >> what to suggest. Does anyone have any good pointers for a good > client > > > > >> that I can point him to? > > > > >> > > > > >> Any pointers would be appreciated. > > > > > > > > > > The Cisco VPN Client does support *some* versions of Linux. > However, it > > > > > does not work with the latest versions of the Linux kernel so if > your > > > > > user's kernel is recent (and unfortunately, "recent" doesn't really > > > have > > > > > to be very recent) then the official Cisco VPN Client is not an > option. > > > > > > > > > > However, there is an open source VPN client that works with Cisco > VPN > > > > > headends. I personally use it and it works great: > > > > > > > > > > http://www.unix-ag.uni-kl.de/~massar/vpnc/ > > > > > > > > > > > It's included in pretty much all Linux distributions. A quick > Google > > > > > search for "centos vpnc" turned this up as the first hit: > > > > > > > > > > http://wiki.centos.org/HowTos/vpnc > > > > > > > > > > Hope this helps.
> > > > > > > > > > Cheers, > > > > > > > > > > -- > > > > > > > > > > Eloy Paris > > > > > Cisco PSIRT > > > > > Ph: +1 919 392-9118 > > > > > > > > _______________________________________________ > > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > > > _______________________________________________ > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From NMaio at guesswho.com Thu Nov 5 16:24:54 2009 From: NMaio at guesswho.com (NMaio at guesswho.com) Date: Thu, 5 Nov 2009 16:24:54 -0500 Subject: [c-nsp] Gigabit Interface Input Errors In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A62@zy-ex1.zyedge.local> References: <20091105203853.GY163@greenie.muc.de> <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A62@zy-ex1.zyedge.local> Message-ID: <2AA600764E54964491083B1E0EC81A302F86FEA1BE@EXCLUS.nationala-1advertising.com> Ryan, I have similar problems with 4500s so I keep a close eye on the detailed counters. In particular I watch the transmit drops and also the receive buffer stats. Pause frames also indicate a problem in our environment and I would expect in some other environments. It's a long output but I have always found it very helpful since the reason for the input/output errors is not always evident in a show interface output.
show int counters detail

Port   Tx-Drops-Queue-1 Tx-Drops-Queue-2 Tx-Drops-Queue-3 Tx-Drops-Queue-4
Gi5/34 0 0 0 0
Gi5/35 0 0 0 0
Gi5/36 0 0 0 0
Gi5/37 0 0 0 0
Gi5/38 0 0 0 0
Gi5/39 0 0 0 0
Gi5/40 0 0 0 0
Gi5/41 0 0 0 0
Gi5/42 0 0 0 0
Gi5/43 0 0 0 0
Gi5/44 0 0 0 0
Gi5/45 0 0 0 0
Gi5/46 0 0 0 0
Gi5/47 0 0 0 0
Gi5/48 0 0 0 0
Gi7/1  21257797383 0 0 0

show int counters detail
..
...
Port   Rx-No-Pkt-Buff RxPauseFrames TxPauseFrames PauseFramesDrop
Gi4/26 0 0 0 0
Gi4/27 0 0 0 0
Gi4/28 0 0 0 0
Gi4/29 0 0 0 0
Gi4/30 0 0 0 0
Gi4/31 0 0 0 0
Gi4/32 0 107830 0 0
Gi4/33 0 0 346468 0
Gi4/34 0 0 0 0
Gi4/35 0 0 0 0
Gi4/36 0 0 0 0
Gi4/37 0 0 9056 0
Gi4/38 0 0 0 0
Gi4/39 0 0 0 0
Gi4/40 0 0 240746 0
Gi4/41 1548 0 0 0
Gi4/42 0 0 1390048 0

Nick

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan West Sent: Thursday, November 05, 2009 4:11 PM To: Gert Doering; Drew Weaver Cc: 'cisco-nsp at puck.nether.net' Subject: Re: [c-nsp] Gigabit Interface Input Errors Hi, > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Gert Doering > Sent: Thursday, November 05, 2009 3:39 PM > > There's not much you can do, except "get a hardware forwarding box" > or "just accept it, and only worry if the errors increase more > frequently". Hopefully I'm not completely hijacking here, but I have seen similar issues on the 4500 w/WS-X4548-GB-RJ45 line cards. The fabric has 6gbps per slot, so the oversubscription is 8:1. The best telltale sign that I'm hitting oversubscription is input errors with no CRC or overruns, like below:

30 second input rate 6394000 bits/sec, 719 packets/sec
30 second output rate 722000 bits/sec, 481 packets/sec
770898484 packets input, 957181248327 bytes, 0 no buffer
Received 594832 broadcasts (560167 multicast)
0 runts, 0 giants, 0 throttles
282191 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
455543646 packets output, 153140605424 bytes, 0 underruns

Is there a more systematic approach to detecting this? I've gone through some docs and most useful information is geared toward the 6500, such as http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801751d7.shtml#ASIC. Currently I have to use a combination of interface statistics and historical Cacti graphs to narrow down over-utilized port ranges. Thanks, -ryan _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jeff at ocjtech.us Thu Nov 5 16:52:38 2009 From: jeff at ocjtech.us (Jeffrey Ollie) Date: Thu, 5 Nov 2009 15:52:38 -0600 Subject: [c-nsp] Linux VPN client suggestion? In-Reply-To: <8852ac1c0911051320q12c909f2p7afa720906c5e7a1@mail.gmail.com> References: <002701ca5cb4$45098180$2508120a@am.thmulti.com> <20091103185332.GJ23256@turbo.cisco.com> <008001ca5cb8$02ad7360$2508120a@am.thmulti.com> <1257443807.13192.0.camel@hal9000> <8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com> <20091105205913.GB5362@turbo.cisco.com> <8852ac1c0911051320q12c909f2p7afa720906c5e7a1@mail.gmail.com> Message-ID: <935ead450911051352m4c09ff74t1ef004d79cd28c35@mail.gmail.com> On Thu, Nov 5, 2009 at 3:20 PM, Charles Klement wrote: > Oh well, I guess policy enforcement will just have to be via the HR > department rather than a technical solution. :) Which is where it belongs anyway.
-- Jeff Ollie From rwest at zyedge.com Thu Nov 5 16:56:47 2009 From: rwest at zyedge.com (Ryan West) Date: Thu, 5 Nov 2009 16:56:47 -0500 Subject: [c-nsp] Gigabit Interface Input Errors In-Reply-To: <2AA600764E54964491083B1E0EC81A302F86FEA1BE@EXCLUS.nationala-1advertising.com> References: <20091105203853.GY163@greenie.muc.de> <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A62@zy-ex1.zyedge.local> <2AA600764E54964491083B1E0EC81A302F86FEA1BE@EXCLUS.nationala-1advertising.com> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17A71@zy-ex1.zyedge.local> Nick, Thanks, this is what I was looking for. > > show int counters detail > > Port Tx-Drops-Queue-1 Tx-Drops-Queue-2 Tx-Drops-Queue-3 Tx- > Drops-Queue-4 > 0 > Gi7/1 21257797383 0 0 > 0 > > show int counters detail > .. > ...
> Port Rx-No-Pkt-Buff RxPauseFrames TxPauseFrames > PauseFramesDrop > 0 > Gi4/32 0 107830 0 > 0 > Gi4/37 0 0 9056 > 0 > Gi4/38 0 0 0 > 0 > Gi4/39 0 0 0 > 0 > Gi4/40 0 0 240746 > 0 > Gi4/41 1548 0 0 > 0 > Gi4/42 0 0 1390048 > 0 > > Nick > -ryan From gsgranados at comcast.net Thu Nov 5 17:04:07 2009 From: gsgranados at comcast.net (Scott Granados) Date: Thu, 5 Nov 2009 14:04:07 -0800 Subject: [c-nsp] Linux VPN client suggestion? References: <002701ca5cb4$45098180$2508120a@am.thmulti.com><20091103185332.GJ23256@turbo.cisco.com><008001ca5cb8$02ad7360$2508120a@am.thmulti.com><1257443807.13192.0.camel@hal9000><8852ac1c0911051048n6c15073dgc6e4364d07895680@mail.gmail.com><20091105205913.GB5362@turbo.cisco.com><8852ac1c0911051320q12c909f2p7afa720906c5e7a1@mail.gmail.com> <935ead450911051352m4c09ff74t1ef004d79cd28c35@mail.gmail.com> Message-ID: <04d201ca5e63$eabeb360$2508120a@am.thmulti.com> I second that. Besides, we're talking about a flavor of Unix here not a Microsoft rough approximation of an operating system. Policies are for the weak Windows users who don't know better and who think a registry is something you have for weddings. Besides, your group policies can be undone with a resourceful end user and a live-boot Linux CD with the correct tool set. If you don't trust your employees you might consider keeping them out of the building because we all know that physical access trumps most other types. ;) ----- Original Message ----- From: "Jeffrey Ollie" To: Sent: Thursday, November 05, 2009 1:52 PM Subject: Re: [c-nsp] Linux VPN client suggestion? > On Thu, Nov 5, 2009 at 3:20 PM, Charles Klement wrote: >> Oh well, I guess policy enforcement will just have to be via the HR >> department rather than a technical solution. :) > > Which is where it belongs anyway.
> > -- > Jeff Ollie > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From asturluismi at gmail.com Thu Nov 5 19:02:36 2009 From: asturluismi at gmail.com (luismi) Date: Fri, 06 Nov 2009 01:02:36 +0100 Subject: [c-nsp] Interface descriptions - what do you put in? In-Reply-To: <4A156E1D.2080404@templin.org> References: <4A156E1D.2080404@templin.org> Message-ID: <1257465756.5066.5.camel@hal9000>

Area code - critical value - description - remote port [port-cX]

Area code: [ip|sys|rf] are responsible for the end device
critical value:
00 total service disruption for the customers
01 partial service disruption for the customers - some customers are working, others not, or the service is degraded
02 no impact on the customers (e.g., PCs or internal desktops)
description: as you prefer
remote port: Gi0/1/12 or G1/12 RFEC1 (RFEC = remote port-channel)

example: A - 00 - Trunk to stack01 - G1/0/24 RFEC1

It works OK for us.

On Thu, 21-05-2009 at 10:07 -0500, Pete Templin wrote: > List, > > What do you put into your interface descriptions? Do you document > circuit ID, far-end equipment/port, near-end equipment/port, and/or > anything else?
> > Pete > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jared.a.gillis at gmail.com Thu Nov 5 20:00:35 2009 From: jared.a.gillis at gmail.com (Jared Gillis) Date: Thu, 05 Nov 2009 17:00:35 -0800 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> Message-ID: <4AF37533.6010700@gmail.com> Oliver Boehmer (oboehmer) wrote: > Jared, > >> I've been having quite a few adventures with IS-IS over the last few weeks >> and have finally hit a wall, so I'm hoping someone here can give me a hand. >> Basically, I need to build a network with IS-IS multiarea as described here: >> http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html > > I reckon you need to build this for IP? ISIS multiarea is only supported > for CLNS routing, as stated in the above link under "Restrictions". I do need this for IP routing, not CLNS. If the feature is only supported for ISO CLNS and not IP routing, why does it work on my lab of 2600s running 12.3 latest, with the exact same config, also in an IP-only environment? Really, my only need is to prevent my L1 routers from learning the entire area's routes, but my network design requires me to directly connect my L2 router to an L1 (i.e. no room for an L2/L1 between them). I just need the L1 routers to get a default towards their directly attached L2, and the L2 backbone to learn the L1's routes. This is essentially a TS-NSSA in OSPF. If there's some other way I can get this behavior with IS-IS, I'm all ears.
>> Secondarily, if we can't have true IS-IS multiarea, we may be able to >> simulate it by manually redistributing from the L1 instances to the L2 >> instances, and setting default-information originate on the L1 instances. I >> attempted this in the lab, and while the commands are accepted and appear to >> be good, neither redist nor default origination is actually happening. >> Does anyone have any suggestions on this front? Redist and default >> origination should "just work". > > not sure what you mean here as an alternative. You can use > "default-information originate" to originate a 0.0.0.0/0 in the node's > LSPs (instead of using the attached-bit from the L1L2 node, possibly > along with "never-set-attached-bit" and "ignore-attached-bit" knobs to > control ATT bit behaviour), but the L1 -> L2 advertisement requires a > "proper" ISIS design (i.e. no multi-area config when using it for IP). I have default-information originate on my upstream router, towards the L1 it is connected to. The L1 has no default route in its table, and is not apparently receiving the ATT bit, as it's not sending traffic towards the upstream. In any case, if I can't get L1->L2 advertisement, the point is moot. > > oli From adrian at creative.net.au Thu Nov 5 20:46:11 2009 From: adrian at creative.net.au (Adrian Chadd) Date: Fri, 6 Nov 2009 09:46:11 +0800 Subject: [c-nsp] Experiences with l2tpv3/xconnect? In-Reply-To: <3329cbb40911051141h494e3b92l467d68204afbdee9@mail.gmail.com> References: <20091105062201.GA25405@skywalker.creative.net.au> <20091105104430.GB25405@skywalker.creative.net.au> <3329cbb40911051141h494e3b92l467d68204afbdee9@mail.gmail.com> Message-ID: <20091106014611.GC25405@skywalker.creative.net.au> On Fri, Nov 06, 2009, Dale Shaw wrote: > > I don't have the option to up the MTU; the supplied underlying circuit > > is an L2 ethernet metro ethernet style service. > > Do you know for sure that the carrier MTU doesn't have the headroom you need?
I'm going to make that assumption in case it is either true now, or becomes true later. Adrian From jmkeller at houseofzen.org Thu Nov 5 20:56:59 2009 From: jmkeller at houseofzen.org (James Michael Keller) Date: Thu, 05 Nov 2009 20:56:59 -0500 Subject: [c-nsp] Restricting VPN connections to company hardware? In-Reply-To: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> Message-ID: <4AF3826B.4080403@houseofzen.org> My understanding is the Cisco VPN (IPSEC) client doesn't have the host integration features that are available in the AnyConnect client (yet). One of the reasons we are doing SSL VPN on ASA is to be able to do the host profiling and do the IT Approved / Other dynamic access policies. You can do a combination of checks that match up to your 'approved' devices. In our case, non-IT standard systems have to run Secure Desktop sessions and only get WebVPN. IT standard systems get AnyConnect with full IP tunneling. Again as folks have said - you are trusting the end client software to do the right thing. So don't expect this to keep out 'the smart kids'. You can cycle through checks and do MD5s, but if someone is motivated and wants to reverse the checks they can spoof it. At that point you just need to back up policy with HR walking someone from the building, and have some way to audit to catch the smart kids who really should know better but think the Corp IT folks are fools. :) -James Scott Granados wrote: > Hi, > I've been googling but not finding much although I think I'm > probably formulating my search incorrectly so I'm hoping for some > pointers here. > I use ASA 5520 hardware to provide VPN services to end users with > Cisco VPN clients and some L2L sessions. We've been finding that > folks are configuring iPhones and other non-approved devices to attach > to the network. What's the best method to certify that end users are > connecting with approved devices only?
Is there a good way say for me > to allow company provided laptops but not allow clients from home > machines where users duplicate their profile or non-certified end > devices like pocket PC devices? I understand how to filter based on > client type but this doesn't prevent someone from copying their > profile file from one machine to another. Any pointers would be > appreciated. > > Thanks > Scott > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jmkeller at houseofzen.org Thu Nov 5 21:00:39 2009 From: jmkeller at houseofzen.org (James Michael Keller) Date: Thu, 05 Nov 2009 21:00:39 -0500 Subject: [c-nsp] Restricting VPN connections to company hardware? In-Reply-To: References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> Message-ID: <4AF38347.3060508@houseofzen.org> I haven't read up the cert authentication much, but what stops the user from moving the cert file to another un-approved device (per the original question) - all you are doing is Two-factor at that point - user but not host based checking correct? -James Matthew White wrote: > Hi Scott, > > Certificate based authentication can meet these needs. > > This document is just a starting point -- the client certificate installation procedure is onerous. If you have a MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates. > > http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml > > > -mtw > > > > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados >> Sent: Wednesday, November 04, 2009 9:43 AM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] Restricting VPN connections to company hardware? 
>> >> Hi, >> I've been googling but not finding much although I think >> I'm probably >> formulating my search incorrectly so I'm hoping for some >> pointers here. >> I use ASA 5520 hardware to provide VPN services to end >> users with Cisco >> VPN clients and some L2L sessions. We've been finding that folks are >> configuring IPhones and other non approved devices to attach >> to the network. >> What's the best method to certify that end users are connecting with >> approved devices only? Is there a good way say for me to >> allow company >> provided laptops but not allow clients from home machines where users >> duplicate their profile or non-certified end devices like >> pocket PC devices? >> I understand how to filter based on client type but this >> doesn't prevent >> someone from copying their profile file from one machine to >> another. Any >> pointers would be appreciated. >> >> Thanks >> Scott >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From adrian at creative.net.au Thu Nov 5 21:26:32 2009 From: adrian at creative.net.au (Adrian Chadd) Date: Fri, 6 Nov 2009 10:26:32 +0800 Subject: [c-nsp] Experiences with l2tpv3/xconnect? In-Reply-To: References: <20091105062201.GA25405@skywalker.creative.net.au> Message-ID: <20091106022632.GE25405@skywalker.creative.net.au> On Thu, Nov 05, 2009, Rens wrote: > I have already done up to 400 Mbps with 2811 or 2821 (don't remember) > You just have to make sure your MTU is high enough depending on the frame > sizes you want to tunnel. 
Just out of morbid curiosity - so will the router terminating L2TPv3 actually fragment and reassemble L2TPv3 frames as needed, or is it hoping another upstream router will fragment as needed? Adrian From tvarriale at comcast.net Thu Nov 5 21:56:57 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 5 Nov 2009 20:56:57 -0600 Subject: [c-nsp] Experiences with l2tpv3/xconnect? References: <20091105062201.GA25405@skywalker.creative.net.au> Message-ID: <59D8212EA5374DEE946B9EF480C6B269@flamdt01> Surely you mean 40mbps or a different platform? tv ----- Original Message ----- From: "Rens" To: "'Adrian Chadd'" ; Sent: Thursday, November 05, 2009 2:12 AM Subject: Re: [c-nsp] Experiences with l2tpv3/xconnect? >I have already done up to 400 Mbps with 2811 or 2821 (don't remember) > You just have to make sure your MTU is high enough depending on the frame > sizes you want to tunnel. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adrian Chadd > Sent: Thursday 5 November 2009 7:22 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Experiences with l2tpv3/xconnect? > > G'day, > > I've been asked by a customer to solve an L2 ethernet problem > and I'm investigating simply tunneling the required VLANs over > L2TPv3/xconnect. > > Does anyone have any rough throughput (PPS in particular) info > they'd like to share? And any other deployment info - actually, > in particular I'd like to know about fragmentation related issues. > > I'm looking at the Cisco 28xx series (potentially the Cisco 2811) > but I'm concerned about hitting throughput ceilings.
> > Thanks, > > > Adrian > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mark at edgewire.sg Thu Nov 5 22:10:14 2009 From: mark at edgewire.sg (mark [at] edgewire) Date: Fri, 6 Nov 2009 11:10:14 +0800 Subject: [c-nsp] Restricting VPN connections to company hardware? In-Reply-To: <4AF38347.3060508@houseofzen.org> References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org> Message-ID: Why is it not possible to check it against the MAC address of the connecting device? Log incoming connections and their MAC address and match it against a list of hardware that has been assigned to the users. On 06-Nov-2009, at 10:00 AM, James Michael Keller wrote: > I haven't read up the cert authentication much, but what stops the > user from moving the cert file to another un-approved device (per > the original question) - all you are doing is Two-factor at that > point - user but not host based checking correct? > > -James > > Matthew White wrote: >> Hi Scott, >> >> Certificate based authentication can meet these needs. >> >> This document is just a starting point -- the client certificate >> installation procedure is onerous. If you have a MS environment >> it's easier to push out certs with group policy objects than making >> your end users download and install certificates. 
>> >> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml >> >> >> -mtw >> >> >> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >>> bounces at puck.nether.net] On Behalf Of Scott Granados >>> Sent: Wednesday, November 04, 2009 9:43 AM >>> To: cisco-nsp at puck.nether.net >>> Subject: [c-nsp] Restricting VPN connections to company hardware? >>> >>> Hi, >>> I've been googling but not finding much although I think I'm >>> probably formulating my search incorrectly so I'm hoping for some >>> pointers here. >>> I use ASA 5520 hardware to provide VPN services to end users >>> with Cisco VPN clients and some L2L sessions. We've been finding >>> that folks are configuring IPhones and other non approved devices >>> to attach to the network. What's the best method to certify that >>> end users are connecting with approved devices only? Is there a >>> good way say for me to allow company provided laptops but not >>> allow clients from home machines where users duplicate their >>> profile or non-certified end devices like pocket PC devices? I >>> understand how to filter based on client type but this doesn't >>> prevent someone from copying their profile file from one machine >>> to another. Any pointers would be appreciated. 
>>> >>> Thanks >>> Scott >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From randy_94108 at yahoo.com Thu Nov 5 23:18:13 2009 From: randy_94108 at yahoo.com (Randy) Date: Thu, 5 Nov 2009 20:18:13 -0800 (PST) Subject: [c-nsp] Restricting VPN connections to company hardware? In-Reply-To: <4AF38347.3060508@houseofzen.org> Message-ID: <862039.25519.qm@web80508.mail.mud.yahoo.com> ..with user certs, nothing stops the user from importing it to another un-approved machine..one reason at my last job we moved to machine certs/appliance based ssl vpn solution. --- On Thu, 11/5/09, James Michael Keller wrote: From: James Michael Keller Subject: Re: [c-nsp] Restricting VPN connections to company hardware? To: "Matthew White" Cc: "cisco-nsp at puck.nether.net" Date: Thursday, November 5, 2009, 6:00 PM I haven't read up the cert authentication much, but what stops the user from moving the cert file to another un-approved device (per the original question) - all you are doing is Two-factor at that point - user but not host based checking correct? -James Matthew White wrote: > Hi Scott, > > Certificate based authentication can meet these needs. > > This document is just a starting point -- the client certificate installation procedure is onerous. 
If you have a MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates. > > http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml > > > -mtw > > > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados >> Sent: Wednesday, November 04, 2009 9:43 AM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] Restricting VPN connections to company hardware? >> >> Hi, >> I've been googling but not finding much although I think I'm probably formulating my search incorrectly so I'm hoping for some pointers here. >> I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions. We've been finding that folks are configuring iPhones and other non-approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only? Is there a good way say for me to allow company provided laptops but not allow clients from home machines where users duplicate their profile or non-certified end devices like pocket PC devices? I understand how to filter based on client type but this doesn't prevent someone from copying their profile file from one machine to another. Any pointers would be appreciated. >> >> Thanks >> Scott >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list
cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cnsp at shreddedmail.com Fri Nov 6 02:11:56 2009 From: cnsp at shreddedmail.com (Rick Ernst) Date: Thu, 5 Nov 2009 23:11:56 -0800 Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600 Message-ID: I'm trying to wrap my brain around Cisco's document on the 6500/7600 technology: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html Terminology on the bus architecture and switch fabric are becoming less confusing to me the more I read it, but I'm still not comfortable with my level of understanding. What I think the document says is: - The 32Gbs shared bus is the path between the supervisor and individual line cards. Line cards do not move data between each other; traffic must pass through the Sup. - The raw capacity of the 32Gbs bus is just that; 32Gbs across the entire bus, combined across all cards - The switch fabric is single or dual channel 20Gbs, dual channel just allowing higher port/speed-density on the line cards - The 20Gbs fabric is used to transfer traffic directly between DFC-enabled line cards, bypassing the Sup. - The 20Gbs fabric is not shared, each DFC line card can talk to any other DFC line card at 20Gbs up to a potential aggregate of 720Gbs - CEF and dCEF simply refer to whether the line card has a DFC - CEF256 using 8Gbs of the fabric, CEF720 uses 20Gbs - "Classic" line cards use only the 32Gbs bus. - Usage of 8Gbs or 20Gbs on the fabric is dependent on the line card and the Sup. - Sup720 allows 20Gbs, others are only 8Gbs - Mixed 8/20Gbs line cards can be used. 20Gbs is not lost if 8Gbs is present. - The full "720Gbs" capacity is all dual-fabric line cards with DFCs I'm most confused on the 8Gbs limit and how it relates to the Supervisor and line cards. 
Other discussions I've had indicate that some combination of line cards can bring the whole system down to the lowest common denominator. Am I on track? Where does oversubscription on line cards come in? Is there something else I haven't covered? Sorry for the laundry list. I'd rather make sure I'm clear in my head before the design, then find a gotcha after it is too late. Thanks! From peter at rathlev.dk Fri Nov 6 02:12:37 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 06 Nov 2009 08:12:37 +0100 Subject: [c-nsp] Restricting VPN connections to company hardware? In-Reply-To: References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org> Message-ID: <1257491562.26343.0.camel@abehat.dyn.net.rm.dk> On Fri, 2009-11-06 at 11:10 +0800, mark [at] edgewire wrote: > Why is it not possible to check it against the MAC address of the > connecting device? Log incoming connections and their MAC address and > match it against a list of hardware that has been assigned to the users. Please state how you expect this not to be spoofed. :-) -- Peter From troy at i2bnetworks.com Fri Nov 6 01:41:29 2009 From: troy at i2bnetworks.com (troy at i2bnetworks.com) Date: Thu, 5 Nov 2009 22:41:29 -0800 (PST) Subject: [c-nsp] Cisco 15454 question Message-ID: <66b073204c0c70da99e95bfd47bc238e.squirrel@www.demo.csst.net> Hi all, I am hoping to gain some insight from some of the people who have done this type of thing before. I am setting up a 24 strand fiber connection between two facilities. I will be doing GigE on 4 strands and placing the Cisco 15454 with OC48 cards on 4 strands of fibers. What I need to do is be able to cross connects circuits at the DS1, DS3 and OCn level between the two facilities. Below are the cards that I have spec'd for this. Can anyone tell me if I am missing anything? Assume that there are protect cards for each and I know I do not have any OC3/OC12 cards for the OCn cross connects(We would add these later). 
I also know that I need the correct backplane cards for DS1 and DS3 handoff. 15454-OC48IR1310 1310nm OC48 cards 15454-DS3XM-6 6 port DS3 transmux cards 15454-DS1N-14 14 port DS1 cards 15454-TCC+ Timing and control cards 15454-XC-TV Cross connect cards 15454-FTA3 Any input on what I am missing or if there are better cards to use would be great. Thanks, -Troy From mark at edgewire.sg Fri Nov 6 02:19:18 2009 From: mark at edgewire.sg (mark [at] edgewire) Date: Fri, 6 Nov 2009 15:19:18 +0800 Subject: [c-nsp] Restricting VPN connections to company hardware? In-Reply-To: <1257491562.26343.0.camel@abehat.dyn.net.rm.dk> References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org> <1257491562.26343.0.camel@abehat.dyn.net.rm.dk> Message-ID: <3445C578-6FC6-44C3-BE7A-25D56F42504D@edgewire.sg> There's no way of stopping a determined user that wants to bypass whatever filters or red tape you have in place really but if you're able to restrict most of the users, would you say no to it? There's not a single solution to deploy where people can't find a way to use another device, at least not that I know of. Maybe you could shed some light on it instead of just pointing out that the MAC address can be spoofed and would you expect your average run of the mill user know how to spoof MAC addresses? On 06-Nov-2009, at 3:12 PM, Peter Rathlev wrote: > On Fri, 2009-11-06 at 11:10 +0800, mark [at] edgewire wrote: >> Why is it not possible to check it against the MAC address of the >> connecting device? Log incoming connections and their MAC address and >> match it against a list of hardware that has been assigned to the >> users. > > Please state how you expect this not to be spoofed. :-) > > -- > Peter > > From peter at rathlev.dk Fri Nov 6 02:45:36 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 06 Nov 2009 08:45:36 +0100 Subject: [c-nsp] Restricting VPN connections to company hardware? 
In-Reply-To: <3445C578-6FC6-44C3-BE7A-25D56F42504D@edgewire.sg>
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org> <1257491562.26343.0.camel@abehat.dyn.net.rm.dk> <3445C578-6FC6-44C3-BE7A-25D56F42504D@edgewire.sg>
Message-ID: <1257493536.26343.8.camel@abehat.dyn.net.rm.dk>

On Fri, 2009-11-06 at 15:19 +0800, mark [at] edgewire wrote:
> There's no way of stopping a determined user that wants to bypass
> whatever filters or red tape you have in place really but if you're
> able to restrict most of the users, would you say no to it? There's
> not a single solution to deploy where people can't find a way to use
> another device, at least not that I know of. Maybe you could shed some
> light on it instead of just pointing out that the MAC address can be
> spoofed and would you expect your average run of the mill user know
> how to spoof MAC addresses?

We're talking a VPN client here. The "MAC address" that your system will look at to determine if the client is valid is just some bytes in an IP packet. If OpenConnect/vpnc/whatever wants to it can spoof it. You don't need intelligent users.

That's the "problem" with this NAC concept: The system only works if you trust your software client. And you have no reason to trust it. IMHO security should not be based on things like these.

OTOH I personally think that the situation is fine; NAC/whatever prevents Jane and John Doe from accidentally causing unintended damage through neglect. But it also allows the geeks to connect even though they might not have the same concept of what a valid computing device is. If my company's "policies" on computers were enforced (and some are actually trying to do just that) I would be forced to use systems that wouldn't let me do things the way I like. Enforced policy => I find another place to work.
-- Peter From oboehmer at cisco.com Fri Nov 6 02:50:53 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Fri, 6 Nov 2009 08:50:53 +0100 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <4AF37533.6010700@gmail.com> References: <4AF21CA5.4050804@gmail.com><6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> <4AF37533.6010700@gmail.com> Message-ID: <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com> Jared, > >> I've been having quite a few adventures with IS-IS over the last few > > weeks > >> and have finally hit a wall, so I'm hoping someone here can give me a > > hand. > >> Basically, I need to build a network with IS-IS multiarea as described > > here: > > http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a0080 > > 0e97 > >> 80.html > > > > I reckon you need to build this for IP? ISIS multiarea is only supported > > for CLNS routing, as stated in the above link under "Restrictions". > > I do need this for IP routing, not CLNS. If the feature is only supported > for ISO CLNS and not IP routing, why does it work on my lab of 2600s running > 12.3 latest, with the exact same config, also in an IP-only environment? Well, don't really know. It's not tested, but it might work in some environment/releases.. never looked at it really.. > Really, my only need is to prevent my L1 routers from learning the entire > area's routes, but my network design requires me to directly connect my L2 > router to an L1 (i.e. no room for a L2/L1 between them). I just need the L1 > routers to get a default towards its directly attached L2, and the L2 > backbone to learn the L1's routes. This is essentially a TS-NSSA in OSPF. If > there's some other way I can get this behavior with IS-IS, I'm all ears. Hmm, if you stick all L1s into the same area (i.e. "standard" design), you can't prevent them from seeing the L1 LSPs from the other L1s in the area. 
However you could investigate filtering the routes from being entered into the RIB, similar to "distribute-list in" command in OSPF, which doesn't exist in IS-IS. But you could try

  router isis
   distance 255 ip
   distance 115 0.0.0.0 255.255.255.255 10
  !
  access-list 10 permit 0.0.0.0

to have only the default-route in the RIB. Not sure if this helps, not sure which problem you are trying to solve :)

oli

From swmike at swm.pp.se Fri Nov 6 03:09:58 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 6 Nov 2009 09:09:58 +0100 (CET)
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
References: <4AF21CA5.4050804@gmail.com><6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> <4AF37533.6010700@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
Message-ID:

On Fri, 6 Nov 2009, Oliver Boehmer (oboehmer) wrote:

> to have only the default-route in the RIB. Not sure if this helps, not
> sure which problem you are trying to solve :)

This is probably the biggest problem, the few people doing L1-L2 separation are those into academia/theoretics (passing a test/exam), when you go into the real world it's no longer in major use.

I've never bothered to learn about ISIS L1, never needed to, see no use for it in real life. L2-only is the way to go.

I'd also recommend against it from a sw standpoint. Sure, the sw supports it, but it hasn't been exposed to real life as much as L2 only because of above reasons.

--
Mikael Abrahamsson email: swmike at swm.pp.se

From rens at autempspourmoi.be Fri Nov 6 03:36:34 2009
From: rens at autempspourmoi.be (Rens)
Date: Fri, 6 Nov 2009 09:36:34 +0100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <59D8212EA5374DEE946B9EF480C6B269@flamdt01> References: <20091105062201.GA25405@skywalker.creative.net.au> <59D8212EA5374DEE946B9EF480C6B269@flamdt01> Message-ID: <042F605B0D814E6B851E53B5F8A031B4@EU.corp.clearwire.com> Indeed, I looked at the wrong lab tests. Max I got out of a 2811 was around 90Mbps (1024 bytes) -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale Sent: vendredi 6 novembre 2009 3:57 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Experiences with l2tpv3/xconnect? Surely you mean 40mbps or a different platform? tv ----- Original Message ----- From: "Rens" To: "'Adrian Chadd'" ; Sent: Thursday, November 05, 2009 2:12 AM Subject: Re: [c-nsp] Experiences with l2tpv3/xconnect? >I have already done up to 400 Mbps with 2811 or 2821 (don't remember) > You just have to make sure your MTU is high enough depending on the frame > sizes you want to tunnel. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adrian Chadd > Sent: jeudi 5 novembre 2009 7:22 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Experiences with l2tpv3/xconnect? > > G'day, > > I've been asked by a customer to solve an L2 ethernet problem > and I'm investigating simply tunneling the required VLANs over > L2TPv3/xconnect. > > Does anyone have any rough throughput (PPS in particular) info > they'd like to share ? And any other deployment info - actually, > in particular I'd like to know about fragmentation related issues. > > I'm looking at the Cisco 28xx series (potentially the Cisco 2811) > but I'm concerned about hitting throughput ceilings. 
> > Thanks, > > > Adrian > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From gert at greenie.muc.de Fri Nov 6 04:04:54 2009 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 6 Nov 2009 10:04:54 +0100 Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600 In-Reply-To: References: Message-ID: <20091106090454.GB163@greenie.muc.de> Hi, On Thu, Nov 05, 2009 at 11:11:56PM -0800, Rick Ernst wrote: > What I think the document says is: [..] As far as I understand the architecture, all of this is correct :-) > - Mixed 8/20Gbs line cards can be used. 20Gbs is not lost if 8Gbs is > present. > > I'm most confused on the 8Gbs limit and how it relates to the Supervisor and > line cards. 65xx cards (like the WS-X6516) have an 8Gbps fabric connection, 67xx cards (WS-X6724-SFP) have 20Gbps fabric connection. Sup2+SFM has 8Gbps fabric. Sup720 has 20Gbps fabric that can also run at 8Gbps - and *as far as I understand* - this is independent among line cards, so you can have one WS-X6516 running at 8Gbps and one WS-X6724-SFP running at 20Gbps. > Other discussions I've had indicate that some combination of > line cards can bring the whole system down to the lowest common > denominator. There's two sides to "lowest common denominator" - bus/fabric (so if you have a Sup2 without fabric module, only shared bus for you...) - and PFC revision. 
There's Sup720/3A, /3B and /3C, and all of these can come with "-XL". So - if you have a Sup720/3C-XL with 1 million TCAM entries and 96k MAC table entries, and add a line card that has a DFC-3A on it, the whole system will fall down to "3A, no XL" level -> no MPLS, 256k TCAM entries, 32k MAC table entries. This is only relevant if you have DFCs in the system.

> Am I on track? Where does oversubscription on line cards come
> in? Is there something else I haven't covered?

Oversubscription is the next independent gotcha - for example, the 6724 card has 24 gbit ports, but only 20 gbps fabric connection (which is not that bad, given that in practice, nobody runs all 24 ports at 100% line rate all the time). The 6708 10G card has 8x10 gbit externally, but only 40 gbps fabric connection - but it has a DFC and can do local switching without going to the fabric, so depending on your traffic pattern, it's more or less oversubscribed... The 6704 10G card has 40 gbps fabric connection, but a somewhat slow internal ASIC, so it won't do more than 35 Gbit/s (or so) in total...

So you also need to take into account the specifics of the line card you're planning to use.

> Sorry for the laundry list. I'd rather make sure I'm clear in my head
> before the design, then find a gotcha after it is too late.

The architecture *is* a bit confusing :-)

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Nov 6 04:53:55 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 10:53:55 +0100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <20091106022632.GE25405@skywalker.creative.net.au>
References: <20091105062201.GA25405@skywalker.creative.net.au> <20091106022632.GE25405@skywalker.creative.net.au>
Message-ID: <20091106095355.GC163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 10:26:32AM +0800, Adrian Chadd wrote:
> Just out of morbid curiosity - so will the router terminating L2TPv3 actually
> fragment and reassemble L2TPv3 frames as needed, or is it hoping another
> upstream router will fragment as needed?

Well, as always this depends on "who is hitting the MTU wall" - if the encapsulating router already knows "can't send this packet", it will fragment itself, otherwise, a router on the path needs to do so.

Reassembly is always done on the receiving L2TPv3 router, and is expensive.

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From oboehmer at cisco.com Fri Nov 6 04:54:39 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 6 Nov 2009 10:54:39 +0100
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To:
References: <4AF21CA5.4050804@gmail.com><6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com><4AF37533.6010700@gmail.com><6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F9EF91D@XMB-AMS-103.cisco.com>

Mikael,

> > to have only the default-route in the RIB. Not sure if this helps, not
> > sure which problem you are trying to solve :)
>
> This is probably the biggest problem, the few people doing L1-L2
> separation are those into academia/theoretics (passing a test/exam), when
> you go into the real world it's no longer in major use.
>
> I've never bothered to learn about ISIS L1, never needed to, see no use
> for it in real life. L2-only is the way to go.

Well, there are L1L2 networks in production, and when you think about scaling Layer 3 into the (MetroE) access layer, you start to deal with >10000 of routers in an ISIS domain, something which can't be handled in a single area.

> I'd also recommend against it from a sw standpoint. Sure, the sw supports
> it, but it hasn't been exposed to real life as much as L2 only because of
> above reasons.

see above, L1L2 is deployed, I personally know of two carriers' networks. So there is definitely exposure...

oli

From hl at r-kom.de Fri Nov 6 04:22:41 2009
From: hl at r-kom.de (Holger)
Date: Fri, 6 Nov 2009 10:22:41 +0100
Subject: [c-nsp] Experiences with l2tpv3/xconnect?
In-Reply-To: <20091106022632.GE25405@skywalker.creative.net.au>
References: <20091105062201.GA25405@skywalker.creative.net.au> <20091106022632.GE25405@skywalker.creative.net.au>
Message-ID: <20091106092241.GB28569@magnix>

On 06.11.09 10:26, Adrian Chadd wrote:
> On Thu, Nov 05, 2009, Rens wrote:

Hi,

> > I have already done up to 400 Mbps with 2811 or 2821 (don't remember)
> > You just have to make sure your MTU is high enough depending on the frame
> > sizes you want to tunnel.

I get the 2801 to tunnel about 40mbit, depending on package size of course. I think 400mbit is more than possible.

> Just out of morbid curiosity - so will the router terminating L2TPv3 actually
> fragment and reassemble L2TPv3 frames as needed, or is it hoping another
> upstream router will fragment as needed?

Yes, both l2tp routers will fragment and reassemble as needed, but you might get problems if any transit router is fragmenting again. You should lower your mtu at the external interface to prevent that. Furthermore you will notice a big performance hit with packets causing fragmentation.
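The MTU arithmetic behind "make sure your MTU is high enough" and "lower your mtu at the external interface", as an added example that is not from Rens, Holger or any other poster in this thread and not Cisco's code. It assumes an Ethernet pseudowire carried in L2TPv3 over IP: outer IP header, the RFC 3931 session header (4-byte session ID plus a cookie of 0, 4 or 8 bytes), an optional 4-byte L2-specific sublayer per RFC 4719, and the customer frame without its FCS. Cookie and sublayer depend on the xconnect configuration, so they are parameters; the L2TPv3Config type, the function names and the frame sizes in main are constructed for the example.

```go
package main

import "fmt"

// Encapsulation parameters for an Ethernet pseudowire in L2TPv3 over IP
// (IP protocol 115). Field sizes follow RFC 3931 (session header, cookie)
// and RFC 4719 (L2-specific sublayer; FCS not carried). Which optional
// fields are present depends on the xconnect configuration.
type L2TPv3Config struct {
	OuterIPHeader int  // 20 for IPv4 without options, 40 for IPv6
	CookieBytes   int  // 0, 4 or 8
	L2Sublayer    bool // default L2-specific sublayer present
}

const (
	sessionID  = 4  // L2TPv3 session ID in front of every frame
	l2Sublayer = 4  // default L2-specific sublayer, when configured
	ethHeader  = 14 // dst MAC + src MAC + EtherType; FCS is stripped
	dot1qTag   = 4  // 802.1Q tag, if the attachment circuit is tagged
)

// TunnelOverhead is what the encapsulating router adds in front of the
// customer Ethernet frame.
func TunnelOverhead(c L2TPv3Config) int {
	n := c.OuterIPHeader + sessionID + c.CookieBytes
	if c.L2Sublayer {
		n += l2Sublayer
	}
	return n
}

func innerHeader(tagged bool) int {
	if tagged {
		return ethHeader + dot1qTag
	}
	return ethHeader
}

// MaxInnerPayload is the largest customer IP packet (Ethernet payload) that
// crosses a core path of pathMTU bytes without any fragmentation.
func MaxInnerPayload(pathMTU int, tagged bool, c L2TPv3Config) int {
	return pathMTU - TunnelOverhead(c) - innerHeader(tagged)
}

// RequiredPathMTU is the core MTU needed to carry innerMTU-byte customer
// packets whole.
func RequiredPathMTU(innerMTU int, tagged bool, c L2TPv3Config) int {
	return innerMTU + innerHeader(tagged) + TunnelOverhead(c)
}

// WouldFragment reports whether a customer frame of frameLen bytes (without
// FCS) forces the encapsulating router to fragment on a path of pathMTU bytes.
func WouldFragment(frameLen, pathMTU int, c L2TPv3Config) bool {
	return frameLen+TunnelOverhead(c) > pathMTU
}

func main() {
	plain := L2TPv3Config{OuterIPHeader: 20}                                   // no cookie, no sublayer
	full := L2TPv3Config{OuterIPHeader: 20, CookieBytes: 8, L2Sublayer: true} // everything switched on
	for _, c := range []L2TPv3Config{plain, full} {
		fmt.Printf("overhead %d: inner MTU %d untagged / %d tagged at path MTU 1500; core needs %d for 1500-byte tagged packets\n",
			TunnelOverhead(c), MaxInnerPayload(1500, false, c), MaxInnerPayload(1500, true, c), RequiredPathMTU(1500, true, c))
	}
	// constructed frame sizes: 1514 = 1500-byte IP packet plus Ethernet header
	fmt.Println("1514-byte frame over a 1500-byte path fragments:", WouldFragment(1514, 1500, plain))
	fmt.Println("1476-byte frame over a 1500-byte path fragments:", WouldFragment(1476, 1500, plain))
}
```

With no cookie and no sublayer the tunnel adds 24 bytes, so a 1500-byte core path carries at most a 1462-byte customer IP packet untagged (1458 with an 802.1Q tag), and carrying full 1500-byte customer packets whole needs a core MTU of 1538 (1542 tagged). MaxInnerPayload is the customer-side MTU at which nothing fragments; RequiredPathMTU is what the core has to offer if that MTU cannot be lowered; and lowering the MTU on the external interface, as Holger suggests, makes the encapsulating router rather than a transit router the one that "hits the MTU wall" in Gert's words, which WouldFragment shows per frame.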
> Adrian

Holger

From gert at greenie.muc.de Fri Nov 6 04:56:27 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 10:56:27 +0100
Subject: [c-nsp] Restricting VPN connections to company hardware?
In-Reply-To:
References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org>
Message-ID: <20091106095627.GD163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 11:10:14AM +0800, mark [at] edgewire wrote:
> Why is it not possible to check it against the MAC address of the
> connecting device? Log incoming connections and their MAC address and
> match it against a list of hardware that has been assigned to the users.

What's a MAC address?

Seriously: if someone is trying to play tricks with your security policy, why are you assuming that he is not going to enter whatever MAC address you want to see into his client?

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From euang+cisco-nsp at lists.eusahues.co.uk Fri Nov 6 04:33:21 2009
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Fri, 6 Nov 2009 09:33:21 +0000
Subject: [c-nsp] 10GE on the cheap between a 12000 and a 6500...
In-Reply-To:
References:
Message-ID: <20091106093320.GA27676@hyperion.eusahues.co.uk>

On Thu, Nov 05, 2009 at 03:25:15PM +0000, David Freedman wrote:
> According to global price list
>
> ( SPA-1X10GE-L-V2 + 12000-SIP-601= (E5) ) < 1X10GE-LR-SC (E4)
>
> Quite why one would want to spend less money on an E4 with half the
> density is beyond me.
The 1X10GE-LR-SC went EoS about a year ago, but even when both were available, getting the IOS change tested and approved to support the E5 (as well as type approving the new card itself) would have been far more expensive (on a number of levels) for us than buying the slightly more expensive E4. "I would like to use the new card, not the old one that we know works" wouldn't have got me very far. "The E4 is crap, and the E5 might not be" might have been a better arguement to have though. *shrug* -- Euan Galloway From adrian at creative.net.au Fri Nov 6 05:51:10 2009 From: adrian at creative.net.au (Adrian Chadd) Date: Fri, 6 Nov 2009 18:51:10 +0800 Subject: [c-nsp] Experiences with l2tpv3/xconnect? In-Reply-To: <20091106095355.GC163@greenie.muc.de> References: <20091105062201.GA25405@skywalker.creative.net.au> <20091106022632.GE25405@skywalker.creative.net.au> <20091106095355.GC163@greenie.muc.de> Message-ID: <20091106105110.GA21938@skywalker.creative.net.au> On Fri, Nov 06, 2009, Gert Doering wrote: > Hi, > > On Fri, Nov 06, 2009 at 10:26:32AM +0800, Adrian Chadd wrote: > > Just out of morbid curiousity - so will the router terminating L2TPv3 actually > > fragment and reassemble L2TPv3 frames as needed, or is it hoping another > > upstream router will fragment as needed? > > Well, as always this depends on "who is hitting the MTU wall" - if the > encapsulating router already knows "can't send this packet", it will > fragment itself, otherwise, a router on the path needs to do so. > > Reassembly is always done on the receiving L2TPv3 router, and is expensive. Absolutely. I just think I'm going to have to bite that. I'll do up some basic testing and report back numbers once it is deployed. 
Thanks, Adrian From cnsp at shreddedmail.com Fri Nov 6 07:15:39 2009 From: cnsp at shreddedmail.com (Rick Ernst) Date: Fri, 6 Nov 2009 04:15:39 -0800 Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600 In-Reply-To: References: Message-ID: Thanks (and Gert, too), So, - The 32Gbs bus is shared and the PFC on the sup does the forwarding - The switch fabric is on the Sup; DFC cards use the fabric, others use the PFC - The fabric is limited to 8 or 20Gbs depending on Sup; CEF 256cards use 8Gbs, CEF720 uses 20gbs if the Sup supports it - Lowest-common-denominator applies to DFC cards; you get the DFC features, capabilities and TCAM of the least capable card/Sup, but you can mix-and-match - If I happen to install a 256K DFC in a 1M TCAM system, can the DFC be forced off; 1M TCAM via the 32Gbs bus? - The 32Gbs bus and 20Gbs fabric are total capacity; could you push 1Gbs/31Gbs on the 32Gbs bus? - Design considerations need to include Sup level, PFC, DFC, 32Gbs shared, 8gbs/20Gbs fabric >From a practical viewpoint, I'm currently pushing a little less than ~800Mbs in+out at about 120Kpps. It's getting to be too much for my current software forwarding, especially during D/DoS. A Sup720-3BXL gives me 1M routes in TCAM, and 15Gbs/30Mpps forwarding in the PFC. Control-plane and data-plane separation, with data-plane in hardware. I could use any combination of line cards and still be significantly ahead of my current utilization. As the bits get bigger and faster, I can offload forwarding onto DFC-enabled cards, but I'd need to start with DFCs that also have the large TCAM, otherwise I'm still using the 32Gbs bus and the PFC. For D/DoS purposes, policing is handled in hardware at the port ASIC. If a 1Gbs-connected network were to go nuts and was throttled to 1Mbs, neither the bus nor fabric would see the .99Gbs? 
Rick

On Thu, Nov 5, 2009 at 11:42 PM, Asbjorn Hojmark wrote:

> On Thu, 5 Nov 2009 23:11:56 -0800, you wrote:
>
> > - The raw capacity of the 32Gbs bus is just that; 32Gbs across the
> > entire bus, combined across all cards
>
> Well, actually it's 16 Gbps shared bus. (The "32G" is marketing, and
> even more so here, because it's not full duplex; it's a bus).
>
> > - The switch fabric is single or dual channel 20Gbs, dual channel
> > just allowing higher port/speed-density on the line cards
>
> Each slot gets two fabric connections, but some cards use only one of
> those. The channels can be 8 or 20G.
>
> > - The 20Gbs fabric is used to transfer traffic directly between
> > DFC-enabled line cards, bypassing the Sup.
>
> Not really. With a DFC, the lookup is done on the line card (instead
> of on the PFC on the Sup), but the forwarding is still done via the
> fabric (which is also on the Sup).
>
> > - The full "720Gbs" capacity is all dual-fabric line cards with DFCs
>
> 9 slots * 2 channels/slot * 20G/channel * 2 for marketing = 720.
>
> The bandwidth is not (directly) dependent on the presence of DFCs,
> only the forwarding capacity. (And other resources, such as NetFlow
> table space).
>
> -A
>

From nick at inex.ie Fri Nov 6 07:30:19 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 06 Nov 2009 13:30:19 +0100
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To:
References:
Message-ID: <4AF416DB.4090005@inex.ie>

On 06/11/2009 08:11, Rick Ernst wrote:
> - The 20Gbs fabric is used to transfer traffic directly between
> DFC-enabled line cards, bypassing the Sup.

Not quite. All fabric enabled cards can transfer traffic directly to each other, as it's a crossbar fabric.
The difference between DFC and non-DFC enabled cards is that on a DFC enabled card, the destination path lookup is done locally on the card, whereas on a non DFC card, the internal path lookup is done by the sup720, and the line cards use the 32Gb bus as an out-of-band data channel for doing internal lookups. The destination path lookup just tells the card which physical destination fabric path to use when sending the packet from one 20G fabric channel to another. As each packet triggers a destination lookup, on a busy box pushing many mpps, the 32Gb bus can get saturated by lookup requests, and if this happens you need to use DFCs to move the lookup functionality away from the sup720 and into the line card. So using a DFC will not affect switching speed unless you are pushing a very large number of pps. > Other discussions I've had indicate that some combination of > line cards can bring the whole system down to the lowest common > denominator. That used to be the case in certain configurations a long time ago, but not any more. > Am I on track? Where does oversubscription on line cards come > in? Is there something else I haven't covered? Oversubscription on line cards just means that there is more edge switching capacity than the line card can actually handle. So on a 6148-ge-tx card, the card has 48 gig ports, but in fact it can only handle 8G of traffic (and even then, with a strong tailwind). On a fabric card, you have either 1x or 2x 20G channels from the line card into the fabric. This means that if you have more edge bandwidth being used than fabric capacity available, you can run into over subscription problems. In practice, this tends not to be a problem on the 6724 / 6748 cards (whether TX or SFP), because on an imix system, you'll statistically only rarely run into full port saturation problems with every card on the box pushing line rate or near line rate. 
Oversubscription on fabric enabled cards tends to be more of a problem with 10GE line cards for a variety of reasons - there's lots of talk about this in the list archives, to which I refer you. Nick From drew.weaver at thenap.com Fri Nov 6 07:55:01 2009 From: drew.weaver at thenap.com (Drew Weaver) Date: Fri, 6 Nov 2009 07:55:01 -0500 Subject: [c-nsp] Gigabit Interface Input Errors In-Reply-To: <000401ca5e57$0ef1be10$2cd53a30$@kolstein@sscplus.nl> References: <4AF32061.7000604@gmail.com> <000401ca5e57$0ef1be10$2cd53a30$@kolstein@sscplus.nl> Message-ID: The card in total when I last added everything all up is doing about 1.9Gbps and 1.4Mpps -Drew -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nils Kolstein Sent: Thursday, November 05, 2009 3:32 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Gigabit Interface Input Errors What's the utilization on the other 2 interfaces? I am not familiar with this specific platform, but it might also be caused by slot/backplane limitations causing packets to be dropped if the total BW exceeds a certain (non line-rate) value. I have seen this behaviour on some platforms. Regards, Nils Kolstein > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Drew Weaver > Sent: donderdag 5 november 2009 20:12 > To: 'Adrian Minta' > Cc: 'cisco-nsp at puck.nether.net' > Subject: Re: [c-nsp] Gigabit Interface Input Errors > > Nah this particular instance it is one interface in a 3GE-GBIC-SC in a > GSR. 
> > thanks, > -Drew > > -----Original Message----- > From: Adrian Minta [mailto:adrian.minta at gmail.com] > Sent: Thursday, November 05, 2009 1:59 PM > To: Drew Weaver > Cc: 'cisco-nsp at puck.nether.net' > Subject: Re: [c-nsp] Gigabit Interface Input Errors > > Drew Weaver wrote: > > Hi, > > > > I noticed I'm seeing some Input errors on a gigabit ethernet > interface: > > > > 70 input errors, 0 CRC, 0 frame, 70 overrun, 0 ignored > > > > the number of input errors seems to increment along with the overrun > counter which I assume means that the actual errors are overrun errors. > > > > Does anyone have any tips on finding out what is causing it to > overrun? > > > > My first inclination is to assume it is not a huge problem because of > the amount of packets that are flowing through this interface: > > > > 2367831951 packets input, 247924231216 bytes, 0 no buffer 70 out of > 2367831951 is a fairly small number but I wanted to check and see if > you all had any thoughts. > > > > thanks, > > -Drew > > > ASA firewall ? > > -- > Best regards, > Adrian Minta > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ak at gaaga.org Fri Nov 6 07:59:04 2009 From: ak at gaaga.org (Andrey Kozlov) Date: Fri, 6 Nov 2009 14:59:04 +0200 Subject: [c-nsp] Restricting VPN connections to company hardware? In-Reply-To: <4AF38347.3060508@houseofzen.org> References: <00bb01ca5d76$335e69b0$2508120a@am.thmulti.com> <4AF38347.3060508@houseofzen.org> Message-ID: Hi, James! It is possible to make private key non-exportable. So, once installed certificate can't be exported in future. Cheers. 
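An added example, not code from Andrey, Randy, Matthew or anyone else on this thread and not Cisco's, of the check that ties a VPN session to inventoried hardware the way machine certificates (as opposed to user certificates) are meant to. It builds a throwaway CA with Go's standard library, issues a machine certificate and a user certificate, and applies the head-end side decision: the presented certificate must chain to the corporate CA, carry the client-authentication EKU, carry the OU reserved for machine certificates, and name a host that is in the hardware inventory. The CA names, the OU "Managed Devices", the hostname LAPTOP-0042.corp.example, the user "jdoe" and the inventory are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const machineOU = "Managed Devices" // assumed: the enterprise CA puts this OU only into machine certs

// template builds a certificate for the assumed CA profile: CN is the identity
// (hostname or username), OU says which kind of certificate it is.
func template(cn, ou string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: isCA,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA signs certificates and carries no client-auth EKU
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	return t
}

// newCert generates a P-256 key and signs tmpl with parentKey (self-signed when
// parent is nil). In-memory test fixture, not a real enrollment flow.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AuthorizeDevice is the head-end side decision on the certificate a client proved
// possession of in the handshake: corporate chain, client-auth EKU, machine OU, inventory.
func AuthorizeDevice(leaf, corpCA *x509.Certificate, inventory map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(corpCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	// OU is single-valued in the assumed CA profile; user certificates carry "Users".
	if ous := leaf.Subject.OrganizationalUnit; len(ous) == 0 || ous[0] != machineOU {
		return fmt.Errorf("not a machine certificate (OU %v)", ous)
	}
	if !inventory[leaf.Subject.CommonName] {
		return fmt.Errorf("host %q is not in the hardware inventory", leaf.Subject.CommonName)
	}
	return nil
}

type ScenarioResult struct {
	CompanyLaptopAllowed bool // machine cert from the corporate CA, host in inventory
	UserCertAllowed      bool // valid user cert, usable from any host, no machine OU
	ForeignCAAllowed     bool // machine-looking cert issued by an unrelated CA
}

// Scenario issues the constructed fixtures and runs the decision on each of them.
func Scenario() (ScenarioResult, error) {
	var r ScenarioResult
	ca, caKey, err := newCert(template("Example Corp Device CA", "PKI", 1, true), nil, nil)
	otherCA, otherKey, err2 := newCert(template("Unrelated CA", "PKI", 1, true), nil, nil)
	if err != nil || err2 != nil {
		return r, fmt.Errorf("CA setup: %v %v", err, err2)
	}
	inventory := map[string]bool{"LAPTOP-0042.corp.example": true} // constructed inventory
	laptop, _, err := newCert(template("LAPTOP-0042.corp.example", machineOU, 2, false), ca, caKey)
	user, _, err2 := newCert(template("jdoe", "Users", 3, false), ca, caKey)
	foreign, _, err3 := newCert(template("LAPTOP-0042.corp.example", machineOU, 4, false), otherCA, otherKey)
	if err != nil || err2 != nil || err3 != nil {
		return r, fmt.Errorf("issuance: %v %v %v", err, err2, err3)
	}
	r.CompanyLaptopAllowed = AuthorizeDevice(laptop, ca, inventory) == nil
	r.UserCertAllowed = AuthorizeDevice(user, ca, inventory) == nil
	r.ForeignCAAllowed = AuthorizeDevice(foreign, ca, inventory) == nil
	return r, nil
}

func main() {
	r, err := Scenario()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

A user certificate fails the OU check no matter which host presents it, and a machine-looking certificate from any other issuer fails chain validation; that signature binding is what a client-supplied MAC string lacks. What this check cannot see is whether a machine certificate's private key has left the machine it was enrolled on, which is why the non-exportable key Andrey mentions (or a hardware-held key) is the other half of the control.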
On Fri, Nov 6, 2009 at 4:00 AM, James Michael Keller < jmkeller at houseofzen.org> wrote: > I haven't read up the cert authentication much, but what stops the user > from moving the cert file to another un-approved device (per the original > question) - all you are doing is Two-factor at that point - user but not > host based checking correct? > > -James > > > Matthew White wrote: > >> Hi Scott, >> >> Certificate based authentication can meet these needs. >> >> This document is just a starting point -- the client certificate >> installation procedure is onerous. If you have a MS environment it's easier >> to push out certs with group policy objects than making your end users >> download and install certificates. >> >> >> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml >> >> >> -mtw >> >> >> >> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net [mailto: >>> cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados >>> Sent: Wednesday, November 04, 2009 9:43 AM >>> To: cisco-nsp at puck.nether.net >>> Subject: [c-nsp] Restricting VPN connections to company hardware? >>> >>> Hi, >>> I've been googling but not finding much although I think I'm probably >>> formulating my search incorrectly so I'm hoping for some pointers here. >>> I use ASA 5520 hardware to provide VPN services to end users with >>> Cisco VPN clients and some L2L sessions. We've been finding that folks are >>> configuring IPhones and other non approved devices to attach to the network. >>> What's the best method to certify that end users are connecting with >>> approved devices only? Is there a good way say for me to allow company >>> provided laptops but not allow clients from home machines where users >>> duplicate their profile or non-certified end devices like pocket PC devices? 
>>> I understand how to filter based on client type but this doesn't prevent
>>> someone from copying their profile file from one machine to another. Any
>>> pointers would be appreciated.
>>>
>>> Thanks
>>> Scott

From gururug at gmail.com Fri Nov 6 08:25:58 2009
From: gururug at gmail.com (Imran K)
Date: Sat, 7 Nov 2009 00:25:58 +1100
Subject: [c-nsp] Restricting VPN connections to company hardware?
Message-ID: <25d943640911060525m223935dma371f3b6d6b4bd4@mail.gmail.com>

You may be able to find some extensions for NAC/NAP that will check the device itself for something that says it's bona-fide company issue before issue of ip. Alternatively you could run single ip per user / crypto with MAC filtering (I'd bypass this by routing / natting my home devices through my company laptop).

From geoff at pendery.net Fri Nov 6 08:55:18 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Fri, 6 Nov 2009 07:55:18 -0600
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To: References: Message-ID:

Well you're off to an excellent start. Others have added some good clarifications and details, but so far I don't see this one answered: "Other discussions I've had indicate that some combination of line cards can bring the whole system down to the lowest common denominator."
My guess is that this is referring to the Fabric/Bus mode, for the chassis. It's described on the link you sent, if you search to "Cisco Catalyst 6500 Architecture: Bus Switching Modes".

As Nick Hilliard explained, the bus is used, even with all fabric cards, for communication between the Sup and the line cards. The Sup first determines which of the three modes to use for communication.

If you have a Sup with no fabric (like Sup 1A, or Sup 2 w/o SFM, or Sup 32) the switch will run in "Flow-Through" mode, meaning that each time a packet is received, the entire packet is sent on the shared bus, so it's seen by the Sup and all line cards. This will only get you up to 15 Mpps, and a theoretical max of 32 Gbps (likely lower in practice).

If you have a fabric Sup and fabric line cards, but at least one Classic line card, the switch will drop into "Truncated" mode. This is likely what someone was referring to when they told you "lowest common denominator". The classic cards will still send the whole packet, like in flow-through mode, but the fabric cards will send only the headers, and send the data portion to the Sup via fabric. This is still limited to 15 Mpps, but because the data flows via fabric, you can squeeze some extra bandwidth out.

Lastly, if you have no Classic cards present in the chassis, it can go into Compact mode, where only compressed headers are sent via the bus, all data flows via fabric. This gets you up to 30 Mpps and your theoretical 720 Gbps of total forwarding capacity.

Here's some sample output from a chassis with all fabric (and in this case, dCEF) cards:

hostname#show fabric
show fabric active:
Active fabric card in slot 5
No backup fabric card in the system
show fabric mode:
Global switching mode is Compact
dCEF mode is not enforced for system to operate
Fabric module is not required for system to operate
Modules are allowed to operate in bus mode
Truncated mode is allowed, due to presence of DFC module

Module Slot     Switching Mode
     1                dCEF
     2                dCEF
     5                dCEF
     9                dCEF

-Geoff

On Fri, Nov 6, 2009 at 1:11 AM, Rick Ernst wrote:
>
> I'm trying to wrap my brain around Cisco's document on the 6500/7600
> technology:
>
> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html
>
> Terminology on the bus architecture and switch fabric are becoming less
> confusing to me the more I read it, but I'm still not comfortable with my
> level of understanding.
> What I think the document says is:
>
>  - The 32Gbs shared bus is the path between the supervisor and individual
> line cards. Line cards do not move data between each other; traffic must
> pass through the Sup.
>  - The raw capacity of the 32Gbs bus is just that; 32Gbs across the entire
> bus, combined across all cards
>  - The switch fabric is single or dual channel 20Gbs, dual channel just
> allowing higher port/speed-density on the line cards
>  - The 20Gbs fabric is used to transfer traffic directly between
> DFC-enabled line cards, bypassing the Sup.
>  - The 20Gbs fabric is not shared, each DFC line card can talk to any other
> DFC line card at 20Gbs up to a potential aggregate of 720Gbs
>  - CEF and dCEF simply refer to whether the line card has a DFC
>  - CEF256 using 8Gbs of the fabric, CEF720 uses 20Gbs
>  - "Classic" line cards use only the 32Gbs bus.
>  - Usage of 8Gbs or 20Gbs on the fabric is dependent on the line card and
> the Sup.
>  - Sup720 allows 20Gbs, others are only 8Gbs
>  - Mixed 8/20Gbs line cards can be used. 20Gbs is not lost if 8Gbs is
> present.
>  - The full "720Gbs" capacity is all dual-fabric line cards with DFCs
>
> I'm most confused on the 8Gbs limit and how it relates to the Supervisor and
> line cards. Other discussions I've had indicate that some combination of
> line cards can bring the whole system down to the lowest common
> denominator. Am I on track?
> Where does oversubscription on line cards come
> in? Is there something else I haven't covered?
>
> Sorry for the laundry list. I'd rather make sure I'm clear in my head
> before the design, then find a gotcha after it is too late.
>
> Thanks!

From jasongurtz at npumail.com Fri Nov 6 09:34:22 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Fri, 6 Nov 2009 09:34:22 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
Message-ID:

We're looking to build a SAN, probably iSCSI and everyone keeps quoting the 3750G for top of the rack. From looking at specs/marketing material, it seems like two Nexus 5010 at top of rack would be a better choice in this application. Generally, comments seem pretty good as long as advanced features aren't needed.

Is Nexus that much more expensive that no one is quoting it? or is it more for FCoE? Or is the 3750G just "good enough?" Or no one has the experience to quote?

~JasonG

From jeff-kell at utc.edu Fri Nov 6 09:54:33 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 06 Nov 2009 09:54:33 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References:
Message-ID: <4AF438A9.7030800@utc.edu>

Jason Gurtz wrote:
> We're looking to build a SAN, probably iSCSI and everyone keeps quoting
> the 3750G for top of the rack.

We have one iSCSI array on a 4948 (another alternative).

Jeff

From gert at greenie.muc.de Fri Nov 6 10:13:17 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 16:13:17 +0100
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
In-Reply-To: References:
Message-ID: <20091106151317.GG163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 04:15:39AM -0800, Rick Ernst wrote:
> - The 32Gbs bus is shared and the PFC on the sup does the forwarding

Yes.
> - The switch fabric is on the Sup; DFC cards use the fabric, others use the
> PFC

Not exactly. Fabric-enabled cards will always use the fabric to transport the packets directly to the destination line card. If the card has no DFC, it will use the bus(!) to do the destination lookup via the Sup PFC. (I'm a bit unclear on how fabric-only cards transport packets to bus-only cards, tho).

> - If I happen to install a 256K DFC in a 1M TCAM system, can the DFC be
> forced off; 1M TCAM via the 32Gbs bus?

As far as I know, no. If you have no DFC, you need a CFC on the card.

> - The 32Gbs bus and 20Gbs fabric are total capacity; could you push
> 1Gbs/31Gbs on the 32Gbs bus?

Hmmm?

> - Design considerations need to include Sup level, PFC, DFC, 32Gbs shared,
> 8gbs/20Gbs fabric

Yes. If you have enough traffic that it matters...

> From a practical viewpoint, I'm currently pushing a little less than ~800Mbs
> in+out at about 120Kpps. It's getting to be too much for my current software
> forwarding, especially during D/DoS. A Sup720-3BXL gives me 1M routes in
> TCAM, and 15Gbs/30Mpps forwarding in the PFC. Control-plane and data-plane
> separation, with data-plane in hardware. I could use any combination of line
> cards and still be significantly ahead of my current utilization. As the
> bits get bigger and faster, I can offload forwarding onto DFC-enabled cards,
> but I'd need to start with DFCs that also have the large TCAM, otherwise
> I'm still using the 32Gbs bus and the PFC.

Yes.

> For D/DoS purposes, policing is handled in hardware at the port ASIC. If a
> 1Gbs-connected network were to go nuts and was throttled to 1Mbs, neither
> the bus nor fabric would see the .99Gbs?

I think this depends on card type. A bus-only card has no other way to decide what to do with the packet than "put it on the bus". On a fabric/CFC card, you'll see the headers on the bus, but not the packets. A DFC card will drop the packet right away.
(I might be mistaken here)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From mksmith at adhost.com Fri Nov 6 11:37:33 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Fri, 6 Nov 2009 08:37:33 -0800
Subject: [c-nsp] Cisco 15454 question
In-Reply-To: <66b073204c0c70da99e95bfd47bc238e.squirrel@www.demo.csst.net>
References: <66b073204c0c70da99e95bfd47bc238e.squirrel@www.demo.csst.net>
Message-ID: <17838240D9A5544AAA5FF95F8D52031607028860@ad-exh01.adhost.lan>

> Hi all,
>
> I am hoping to gain some insight from some of the people who have done
> this type of thing before. I am setting up a 24 strand fiber connection
> between two facilities. I will be doing GigE on 4 strands and placing
> the
> Cisco 15454 with OC48 cards on 4 strands of fibers.
>
> What I need to do is be able to cross connects circuits at the DS1, DS3
> and OCn level between the two facilities. Below are the cards that I
> have
> spec'd for this. Can anyone tell me if I am missing anything? Assume
> that
> there are protect cards for each and I know I do not have any OC3/OC12
> cards for the OCn cross connects(We would add these later). I also know
> that I need the correct backplane cards for DS1 and DS3 handoff.
>
> 15454-OC48IR1310 1310nm OC48 cards
>
> 15454-DS3XM-6 6 port DS3 transmux cards
>
> 15454-DS1N-14 14 port DS1 cards
>
> 15454-TCC+ Timing and control cards
>
> 15454-XC-TV Cross connect cards
>
> 15454-FTA3
>
> Any input on what I am missing or if there are better cards to use
> would
> be great.
>

You will need GigE cards. It appears you're going for old (read, EOS/EOL) equipment, so you will most likely be looking at the E1000-2 cards.
Also, you won't be running the GigE specifically across fibers. Instead, you will carry the GigE circuits within your backbone OC-48's as an OC-24 (actually concatenated OC-12's). So, you will need to think about the number of OC-48 cards you need to do this. Regards, Mike From maddison at lightbound.net Fri Nov 6 11:51:58 2009 From: maddison at lightbound.net (Matt Addison) Date: Fri, 6 Nov 2009 11:51:58 -0500 Subject: [c-nsp] Cisco 15454 question In-Reply-To: <17838240D9A5544AAA5FF95F8D52031607028860@ad-exh01.adhost.lan> References: <66b073204c0c70da99e95bfd47bc238e.squirrel@www.demo.csst.net> <17838240D9A5544AAA5FF95F8D52031607028860@ad-exh01.adhost.lan> Message-ID: What's the dB loss of the fiber (@1310 and 1550) between the 2 buildings? The DS1 cards are a waste of a VT matrix port, just get additional XM6 capacity if necessary and use an external mux like an Adtran MX2800. You'll also need the EIA cards that go on the back of the shelf (either a 15454-EIA-1BNCA24= or a 15454-EIA-1BNCB24=)- by default the 15454 has no actual physical connectors. If you want to transport DS3s, I'd recommend also getting a 15454-DS3-12= card since those ports are _much_ cheaper than XM6 ports. Do you actually need to do transmux DS3s? XM6 is only really _needed_ when you want to do cross connects at a DS1 level, if you just need to transport DS1s between the 2 buildings without needing to switch them to different timeslots, you could get by with MX2800s hanging off the DS3-12 cards (you'd just build a DS3 between the DS3-12s on either end, also if you don't need to do cross connects at the DS1 level you could get away with XC cards instead of XCVTs- however if you need to take circuits in from carriers on OC3/channelized DS3 you'd still need XCVT and XM6 cards). ~Matt > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Michael K. 
Smith - Adhost > Sent: Friday, November 06, 2009 11:38 AM > To: troy at i2bnetworks.com; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Cisco 15454 question > > > Hi all, > > > > I am hoping to gain some insight from some of the people who have > done > > this type of thing before. I am setting up a 24 strand fiber > connection > > between two facilities. I will be doing GigE on 4 strands and placing > > the > > Cisco 15454 with OC48 cards on 4 strands of fibers. > > > > What I need to do is be able to cross connects circuits at the DS1, > DS3 > > and OCn level between the two facilities. Below are the cards that I > > have > > spec'd for this. Can anyone tell me if I am missing anything? Assume > > that > > there are protect cards for each and I know I do not have any > OC3/OC12 > > cards for the OCn cross connects(We would add these later). I also > know > > that I need the correct backplane cards for DS1 and DS3 handoff. > > > > 15454-OC48IR1310 1310nm OC48 cards > > > > 15454-DS3XM-6 6 port DS3 transmux cards > > > > 15454-DS1N-14 14 port DS1 cards > > > > 15454-TCC+ Timing and control cards > > > > 15454-XC-TV Cross connect cards > > > > 15454-FTA3 > > > > Any input on what I am missing or if there are better cards to use > > would > > be great. > > > You will need GigE cards. It appears you're going for old (read, > EOS/EOL) equipment, so you will most likely be looking at the E1000-2 > cards. Also, you won't be running the GigE specifically across fibers. > Instead, you will carry the GigE circuits within your backbone OC-48's > as an OC-24 (actually concatenated OC-12's). So, you will need to > think > about the number of OC-48 cards you need to do this. 
> > Regards,
> > Mike

From Karen.Young35 at t-mobile.com Fri Nov 6 12:36:37 2009
From: Karen.Young35 at t-mobile.com (Young, Karen)
Date: Fri, 6 Nov 2009 09:36:37 -0800
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References: Message-ID:

Not sure that you want to go with Nexus at this point. It's got some really nice features, however we keep running into code bugs. Not just stuff that's obscure and shows up in certain situations but real show-stoppers like being unable to form port-channels with HP blade servers. Also, the cli isn't really complete yet and there are a number of missing commands that make management and troubleshooting more difficult than it really should be.

To be honest, I feel like we're being used as guinea pigs for beta testing. It's been one d@mn thing after another. Personally, I don't think it's really ready for full scale production yet.

ky

-----Original Message-----
From: Jason Gurtz [mailto:jasongurtz at npumail.com]
Sent: Friday, November 06, 2009 6:34 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3750G vs. Nexus for a SAN

We're looking to build a SAN, probably iSCSI and everyone keeps quoting the 3750G for top of the rack. From looking at specs/marketing material, it seems like two Nexus 5010 at top of rack would be a better choice in this application. Generally, comments seem pretty good as long as advanced features aren't needed.

Is Nexus that much more expensive that no one is quoting it? or is it more for FCoE? Or is the 3750G just "good enough?" Or no one has the experience to quote?

~JasonG

From jmplank at gmail.com Fri Nov 6 13:05:35 2009
From: jmplank at gmail.com (Jason Plank)
Date: Fri, 6 Nov 2009 13:05:35 -0500
Subject: [c-nsp] 3750G vs.
Nexus for a SAN
In-Reply-To: References: Message-ID:

Hello,

I would love it if you could elaborate on some of the problems that you are having. Why can you not form port-channels with HP blade servers? I would also like you to explain what management and troubleshooting issues you have had. You've made some pretty hefty accusations here and Nexus is in several large production environments at this point. Not to say that the platform is perfect, but I'd really like to understand some of the technical issues and shortcomings you have experienced.

Jason

On Fri, Nov 6, 2009 at 12:36 PM, Young, Karen wrote:
> Not sure that you want to go with Nexus at this point. It's got some really nice features, however we keep running into code bugs. Not just stuff that's obscure and shows up in certain situations but real show-stoppers like being unable to form port-channels with HP blade servers. Also, the cli isn't really complete yet and there are a number of missing commands that make management and troubleshooting more difficult than it really should be.
>
> To be honest, I feel like we're being used as guinea pigs for beta testing. It's been one d@mn thing after another. Personally, I don't think it's really ready for full scale production yet.
>
> ky
>
> -----Original Message-----
> From: Jason Gurtz [mailto:jasongurtz at npumail.com]
> Sent: Friday, November 06, 2009 6:34 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 3750G vs. Nexus for a SAN
>
> We're looking to build a SAN, probably iSCSI and everyone keeps quoting the 3750G for top of the rack. From looking at specs/marketing material, it seems like two Nexus 5010 at top of rack would be a better choice in this application. Generally, comments seem pretty good as long as advanced features aren't needed.
>
> Is Nexus that much more expensive that no one is quoting it? or is it more for FCoE? Or is the 3750G just "good enough?" Or no one has the experience to quote?
> > ~JasonG

--
Jason Plank (CCIE #16560)

From nick at inex.ie Fri Nov 6 14:06:53 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 06 Nov 2009 19:06:53 +0000
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References:
Message-ID: <4AF473CD.7000405@inex.ie>

On 06/11/2009 14:34, Jason Gurtz wrote:
> Is Nexus that much more expensive that no one is quoting it? or is it more
> for FCoE? Or is the 3750G just "good enough?" Or no one has the
> experience to quote?

N5010 is a 10G switch; the 3750G is a 1G switch, so it's probably not surprising that it's more expensive.

Incidentally, if you're planning to use the N5K as a fancy 1G switch, note that the system will change the switching mode from cut-through to store-n-forward for GE ports; cut-through is only supported for 10G transceivers. This may matter for iSCSI.

Nick

From jasongurtz at npumail.com Fri Nov 6 14:26:15 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Fri, 6 Nov 2009 14:26:15 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References: Message-ID:

> Not sure that you want to go with Nexus at this point. It's got some
> really nice features, however we keep running into code bugs. Not just
> stuff that's obscure and shows up in certain situations but real show-
> stoppers like being unable to form port-channels with HP blade servers.

Interesting assessment and sorry to hear about the microsoftish experience. We're not intending to use blades (ESX Server 4 on a number of HP DL380G6 is likely) and would like to do cross-box etherchannels for redundancy. Jeff mentioned the 4948 of which the 10G version looks great since we're wanting to mirror the san off-site over fiber.
There's still a chance that fiber channel will happen though it looks like that doesn't really make sense in this day and age. Here, vendors are pushing the MDS9124 box. Thanks for the responses so far. ~JasonG From jasongurtz at npumail.com Fri Nov 6 14:26:19 2009 From: jasongurtz at npumail.com (Jason Gurtz) Date: Fri, 6 Nov 2009 14:26:19 -0500 Subject: [c-nsp] 3750G vs. Nexus for a SAN In-Reply-To: <4AF473CD.7000405@inex.ie> References: <4AF473CD.7000405@inex.ie> Message-ID: > Incidentally, if you're planning to use the N5K as a fancy 1G switch, > note > that the system will change the switching mode from cut-through to > store-n-forward for GE ports; cut-through is only supported for 10G > transceivers. This may matter for iSCSI. Thanks for that, I had been wondering about the 1G situation. ~JasonG From CFlint at mt.gov Fri Nov 6 14:34:58 2009 From: CFlint at mt.gov (Flint, Chris) Date: Fri, 6 Nov 2009 12:34:58 -0700 Subject: [c-nsp] 3750G vs. Nexus for a SAN Message-ID: <169F1B4CBA47CC4F93BF2BD0A504C0552F01E7BD68@doaisd05222.state.mt.ads> Hi Jason, I'd second the recommendation for a 4948 instead of a 3750E. The 3750E has issues pushing large flows of traffic that the 4948 doesn't have. From what I've seen on the list, the 3750E is built to be a fast desktop aggregation switch, and the 4948 is built for server aggregation. Also, the Nexus 5010's only offer 8 ports of 1G or 10G, and the rest are 10G only. Chris =============================== Message: 4 Date: Fri, 06 Nov 2009 09:54:33 -0500 From: Jeff Kell To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN Message-ID: <4AF438A9.7030800 at utc.edu> Content-Type: text/plain; charset=ISO-8859-1 Jason Gurtz wrote: > We're looking to build a SAN, probably iSCSI and everyone keeps quoting > the 3750G for top of the rack. We have one iSCSI array on a 4948 (another alternative). 
Jeff

===========================
Message: 3
Date: Fri, 6 Nov 2009 09:34:22 -0500
From: "Jason Gurtz"
To:
Subject: [c-nsp] 3750G vs. Nexus for a SAN
Message-ID:
Content-Type: text/plain; charset="us-ascii"

We're looking to build a SAN, probably iSCSI and everyone keeps quoting the 3750G for top of the rack. From looking at specs/marketing material, it seems like two Nexus 5010 at top of rack would be a better choice in this application. Generally, comments seem pretty good as long as advanced features aren't needed.

Is Nexus that much more expensive that no one is quoting it? or is it more for FCoE? Or is the 3750G just "good enough?" Or no one has the experience to quote?

~JasonG

From jared.a.gillis at gmail.com Fri Nov 6 14:37:23 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Fri, 06 Nov 2009 11:37:23 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> <4AF37533.6010700@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com>
Message-ID: <4AF47AF3.7040200@gmail.com>

Oliver Boehmer (oboehmer) wrote:
> Jared,
>
> Well, don't really know. It's not tested, but it might work in some
> environment/releases.. never looked at it really..

Here's a quick lab diagram/config snippet for anyone who's interested:

    A----B
    |\  /|
    | \/ |
    |/  \|
    C    D

All routers are 2620XM running 12.3 ipservices latest.
A and B are multiarea L1/L2 routers:

Router A:

 int Fast0/0
  desc To C
  ip address 192.168.0.1 255.255.255.252
  ip router isis C
 int Fast0/1
  desc To D
  ip address 192.168.0.5 255.255.255.252
  ip router isis D
 int Ser0/0
  desc To B
  ip address 192.168.255.1 255.255.255.252
  ip router isis
 router isis
  net 00.000c.30ca.5c00.00
  is-type level-2-only
 router isis C
  net 00.000c.30ca.5c00.00
  is-type level-1
 router isis D
  net 00.000c.30ca.5c00.00
  is-type level-1

B is similar, with different IP/NET addresses.

Router C:

 int loopback 1
  ip address 10.0.0.1 255.255.255.255
 int Fast0/0
  desc To A
  ip address 192.168.0.2 255.255.255.252
  ip router isis
 int Fast0/1
  desc To B
  ip address 192.168.1.2 255.255.255.252
  ip router isis
 router isis
  net 00.000a.f49d.9640.00
  passive-interface loopback 1
  is-type level-1

Router D is similar.

In this configuration, routers A and B learn all routes in the network, and exchange them via their L2 link. Routers C and D are only aware of their directly connected routes, plus a default towards A/B. C does not have D's routes, and vice-versa, however they are able to ping each other's loops, by following default to A/B which do have the route towards the loop.

I have also taken down the mesh-style connection between A/D and B/C, so the network looks like:

    C---A---B---D

And the design works exactly the same.

When I replace A with a 7204VXR running 12.2 SR ipservices, the whole thing breaks. C has no default towards A, and B does not learn any routes that C advertises to A.

The design constraint I have is that in my production network, the C/D routers will be 3750s, which do not have the TCAM space to learn every route in the network I am building, and they will always be a stub (or more exactly an OSPF TS-NSSA), so that's the behavior I am looking for. I could move to OSPF, but this network will utilize MPLS, and I want to use the MPLS TE extensions of IS-IS.
I am aware that OSPF has similar extensions, but IS-IS works better for us, and the network is already built on IS-IS, and an IGP migration is something I'd like to avoid if possible.

> Hmm, if you stick all L1s into the same area (i.e. "standard" design),
> you can't prevent them from seeing the L1 LSPs from the other L1s in the
> area. However you could investigate filtering the routes from being
> entered into the RIB, similar to "distribute-list in" command in OSPF,
> which doesn't exist in IS-IS. But you could try
>
> router isis
>  distance 255 ip
>  distance 115 0.0.0.0 255.255.255.255 10
> !
> access-list 10 permit 0.0.0.0
>
> to have only the default-route in the RIB. Not sure if this helps, not
> sure which problem you are trying to solve :)

That is interesting, I shall have to play with it. As I noted above, I'm trying to emulate an OSPF TS-NSSA in IS-IS, because my stub area routers don't have the TCAM to handle every route in the domain. I just have trouble believing that in 2009 a widely-used routing protocol like IS-IS doesn't have some way of handling this case.

> oli

From jmplank at gmail.com Fri Nov 6 14:40:25 2009
From: jmplank at gmail.com (Jason Plank)
Date: Fri, 6 Nov 2009 14:40:25 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: References: <4AF473CD.7000405@inex.ie>
Message-ID:

Also, there are caveats with the N5K's. Only certain ports can be used for 1G connectivity. For instance, on the 5020 only the first 16 ports can be used.

On Fri, Nov 6, 2009 at 2:26 PM, Jason Gurtz wrote:
>
>
>> Incidentally, if you're planning to use the N5K as a fancy 1G switch,
>> note
>> that the system will change the switching mode from cut-through to
>> store-n-forward for GE ports; cut-through is only supported for 10G
>> transceivers. This may matter for iSCSI.
>
> Thanks for that, I had been wondering about the 1G situation.
> > ~JasonG

--
Jason Plank (CCIE #16560)

From vikas.hazrati at googlemail.com Fri Nov 6 15:03:12 2009
From: vikas.hazrati at googlemail.com (vikas hazrati)
Date: Fri, 6 Nov 2009 22:03:12 +0200
Subject: [c-nsp] DHCP_PD / IPv6
Message-ID: <67f318c20911061203t450a89f7tec04cdfbe8b74d4b@mail.gmail.com>

Hello all

I have been trying to test DHCP-PD functionality for ADSL / PPPoE users. Using basic cisco-site examples I was able to assign an IPv6 prefix to the CPE.

The problem I am facing is the following: When the PPPoE session is torn down, the corresponding Virtual-Access interface (and ipv6 routes) are deleted from the NAS as expected, but in the CPE the DHCP-client remains up. So when the PPPoE session is re-established no new routes are installed in the NAS routing table for the DHCP delegated prefixes, so no traffic can be forwarded to the customer subnet.

The question is how can I make sure that in a DHCP-PD environment, the DHCP client of the CPE is reinitialized when the PPPoE session used for internet connectivity is re-established.

The config used on the CPE side is really simple:

interface Dialer 123
 encapsulation ppp
 dialer pool 123
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd DHCP_PD
 ppp pap sent-username **** password 0 ****

Any help is welcomed

From jeff-kell at utc.edu Fri Nov 6 15:05:13 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 06 Nov 2009 15:05:13 -0500
Subject: [c-nsp] IOS retraction?
Message-ID: <4AF48179.8030903@utc.edu>

In chasing my notes and upgrade schedules to respond to the last vulnerabilities announcement (September?), had a list of then-running platforms and IOS, along with the recommended/forthcoming release numbers containing the fix.
I've been collecting images and working my way down the list of priorities since then.

Included on my list were some 3550s (we route a number of 3550-12Gs) running various 12.2SE versions.

The original security announcement listed the "recommended" fix as 12.2(50)SE3, or 12.2(52)SE; Available on 13-OCT-2009.

At the time (or shortly afterward) I did indeed grab a c3550-ipservicesk9-tar.122-50.SE3.tar (it's in my boot library).

This weekend was the first opportunity to hit the 3550s, so I double-checked TAC to see if the 12.2(52) was there (being somewhat brave).

Today, the most recent listing for all 3550s is c3550-ipservicesk9-tar.122-44.SE6.tar.

Say what??

If you track all the 3550 models down, this version only shows up for the 3550-24-DC switch (?).

Is this some Marketing flip (on the EOL train) for the other 3550s, or was the 122-50/122-52 series actually "recalled" from these platforms?

Anyone else get ahead of the curve and running 12.2(50) or (52) on a 3550 successfully? Gotten a recall notice yet? :-)

Very confused,

Jeff

From cnsp at shreddedmail.com Fri Nov 6 15:06:36 2009
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Fri, 6 Nov 2009 12:06:36 -0800
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600

Thanks everybody for all the feedback and information. Between that and the white paper I'm starting to feel comfortable with my decision-making process. At worst, I can start asking more intelligent questions (and be able to vet the answers) of Cisco.

One piece that I'm still unclear on is on CEF256/fabric cards and connectivity to the rest of the system. The white paper says:

"- CEF256: The line card in this mode supports a connection into the 32-Gbps shared bus and the switch fabric - these line cards will use the switch fabric for data switching when the Supervisor Engine 720 is present - if a Supervisor Engine 32 is present it will revert back to using the 32-Gbps shared bus."
The way that is written, a CEF256 card in a Sup720 equipped chassis will use the 8Gbs fabric to move data around. In a sparsely populated (eg 2 CEF256 cards) system there is more capacity on the shared 32Gbs bus than on the fabric. Am I misreading/misunderstanding? Does forcing the card into flow-through mode address this?

Rick

On Fri, Nov 6, 2009 at 5:55 AM, Geoffrey Pendery wrote:
>
> If you have a Sup with no fabric (like Sup 1A, or Sup 2 w/o SFM, or
> Sup 32) the switch will run in "Flow-Through" mode, meaning that each
> time a packet is received, the entire packet is sent on the shared
> bus, so it's seen by the Sup and all line cards. This will only get
> you up to 15 Mpps, and a theoretical max of 32 Gbps (likely lower in
> practice).
>
> If you have a fabric Sup and fabric line cards, but at least one
> Classic line card, the switch will drop into "Truncated" mode. This
> is likely what someone was referring to when they told you "lowest
> common denominator". The classic cards will still send the whole
> packet, like in flow-through mode, but the fabric cards will send only
> the headers, and send the data portion to the Sup via fabric. This is
> still limited to 15 Mpps, but because the data flows via fabric, you
> can squeeze some extra bandwidth out.
>
> Lastly, if you have no Classic cards present in the chassis, it can go
> into Compact mode, where only compressed headers are sent via the bus,
> all data flows via fabric. This gets you up to 30 Mpps and your
> theoretical 720 Gbps of total forwarding capacity.
>
>

From justin at justinshore.com Fri Nov 6 15:08:00 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 06 Nov 2009 14:08:00 -0600
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <4AF47AF3.7040200@gmail.com>
References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF294@XMB-AMS-103.cisco.com> <4AF37533.6010700@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com> <4AF47AF3.7040200@gmail.com>
Message-ID: <4AF48220.4000900@justinshore.com>

Jared Gillis wrote:
> In this configuration, routers A and B learn all routes in the network, and exchange them via their L2 link.
> Routers C and D are only aware of their directly connected routes, plus a default towards A/B. C does not have D's routes, and vice-versa, however they are able to ping each other's loops, by following default to A/B which do have the route towards the loop.
> I have also taken down the mesh-style connection between A/D and B/C, so the network looks like:
> C---A---B---D
> And the design works exactly the same.
> When I replace A with a 7204VXR running 12.2 SR ipservices, the whole thing breaks. C has no default towards A, and B does not learn any routes that C advertises to A.

This is why we were forced to deploy a flat L2-only topology on our network. We could not get multiarea IS-IS for IP to work on our 7600s running 12.2SR. Since it works on the hardware in your example with the 7200s and simply doesn't work because of the code, I personally call that a bug that needs to be squashed. I would open a TAC case and approach it from that angle. The only reason it doesn't work is because it hasn't been coded in 12.2SR.

> The design constraint I have is that in my production network, the C/D routers will be 3750s, which do not have the TCAM space to learn every route in the network I am building, and they will always be a stub (or more exactly an OSPF TS-NSSA), so that's the behavior I am looking for.
> I could move to OSPF, but this network will utilize MPLS, and I want to use the MPLS TE extensions of IS-IS. I am aware that OSPF has similar extensions, but IS-IS works better for us, and the network is already built on IS-IS, and an IGP migration is something I'd like to avoid if possible.

I was going to throw up a red flag about trying to run IS-IS on a 3750 because the last time I looked fixed-config non-ME Cat switches didn't support IS-IS. However I checked the FN just to be sure since it's been a long while since I looked and sure enough they added IS-IS to the 3750s with 12.2(50)SE.

You did mention MPLS though so I'll go ahead and bite at that one. Are you planning on running MPLS on your 3750? Your wording doesn't specify one way or another.

Justin

From doug at warner.fm Fri Nov 6 14:24:07 2009
From: doug at warner.fm (Doug Warner)
Date: Fri, 06 Nov 2009 14:24:07 -0500
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers
Message-ID: <4AF477D7.6040508@warner.fm>

We're running into an issue where a pair of gigabit ports in an etherchannel are accumulating out-discards. From my reading here on cisco-nsp, it doesn't sound like many people have a solution for this on the same platform.

We're currently pushing ~500Mbps/50Kpps through this pair of ports in etherchannel; should we be seeing these types of problems, and if so, what type of hardware would people recommend upgrading to?

-Doug

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature

From nick at inex.ie Fri Nov 6 15:21:08 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 06 Nov 2009 20:21:08 +0000
Subject: [c-nsp] 3750G vs. Nexus for a SAN
References: <4AF473CD.7000405@inex.ie>
Message-ID: <4AF48534.3020302@inex.ie>

On 06/11/2009 19:40, Jason Plank wrote:
> Also, there are caveats with the N5K's. Only certain ports can be used
> for 1G connectivity.
> For instance, on the 5020 only the first 16 ports
> can be used.

and on a 5010, only the first 8 ports.

Nick

From sethm at rollernet.us Fri Nov 6 16:26:40 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 06 Nov 2009 13:26:40 -0800
Subject: [c-nsp] 4948 IPv6 Throughput
Message-ID: <4AF49490.9060301@rollernet.us>

The only thing I can find on the 4948 for IPv6 performance is that it's "in software". Does anyone know what that means?

~Seth

From gert at greenie.muc.de Fri Nov 6 16:35:21 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 22:35:21 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <4AF473CD.7000405@inex.ie>
References: <4AF473CD.7000405@inex.ie>
Message-ID: <20091106213521.GL163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 07:06:53PM +0000, Nick Hilliard wrote:
> Incidentally, if you're planning to use the N5K as a fancy 1G switch, note
> that the system will change the switching mode from cut-through to
> store-n-forward for GE ports; cut-through is only supported for 10G
> transceivers. This may matter for iSCSI.

Out of curiosity: how does it cut-through if it has to multiplex multiple ports, as in: packets coming in on port A and B and leaving on C? As soon as two packets overlap (time-wise) on A and B, you can't do cut-through...

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available

From gert at greenie.muc.de Fri Nov 6 16:37:51 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 22:37:51 +0100
Subject: [c-nsp] Please help clarify bus/fabric terminology on the 6500/7600
Message-ID: <20091106213751.GN163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 12:06:36PM -0800, Rick Ernst wrote:
> The way that is written, a CEF256 card in a Sup720 equipped chassis will use
> the 8Gbs fabric to move data around. In a sparsely populated (eg 2 CEF256
> cards) system there is more capacity on the shared 32Gbs bus than on the
> fabric.

Correct.

> Does forcing the card into flow-through mode address this?

No idea (we only have a few CEF256 cards, and they are in Sup2-no-SFM or in Sup32 switches).

gert

From gert at greenie.muc.de Fri Nov 6 16:45:59 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Nov 2009 22:45:59 +0100
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers
In-Reply-To: <4AF477D7.6040508@warner.fm>
References: <4AF477D7.6040508@warner.fm>
Message-ID: <20091106214559.GP163@greenie.muc.de>

Hi,

On Fri, Nov 06, 2009 at 02:24:07PM -0500, Doug Warner wrote:
> We're running into an issue where a pair of gigabit ports in an etherchannel
> are accumulating out-discards. From my reading here on cisco-nsp, it doesn't
> sound like many people have a solution for this on the same platform.
>
> We're currently pushing ~500Mbps/50Kpps through this pair of ports in
> etherchannel; should we be seeing these types of problems, and if so, what
> type of hardware would people recommend upgrading to?

We have been told that Force10 gear handles this situation much more gracefully - more flexible & larger buffers, and (which seems to be the key thing) flow control towards the ingress ports. The smaller cisco switches have no flow control and not enough buffers to handle somewhat bursty ingress ports.

What we did was to upgrade the 2G ether channel to a 4G ether channel, which was cheaper than to get a Force10 switch ($$$ :( ) - the 4G channel terminates on a 6500, which has larger buffers and more brains.

gert

From nick at inex.ie Fri Nov 6 16:56:49 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 06 Nov 2009 21:56:49 +0000
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <20091106213521.GL163@greenie.muc.de>
References: <4AF473CD.7000405@inex.ie> <20091106213521.GL163@greenie.muc.de>
Message-ID: <4AF49BA1.3060508@inex.ie>

On 06/11/2009 21:35, Gert Doering wrote:
> Out of curiosity: how does it cut-through if it has to multiplex multiple
> ports, as in: packets coming in on port A and B and leaving on C? As
> soon as two packets overlap (time-wise) on A and B, you can't do
> cut-through...

The switch has per-port buffers; from what I remember, quite a bit smaller than on other products, as the unit is cut-through. You also need these buffers when you're operating 1G ports in store-n-forward mode. I don't know whether the packets are buffered on input or on output.
Nick

From sethm at rollernet.us Fri Nov 6 17:40:00 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 06 Nov 2009 14:40:00 -0800
Subject: [c-nsp] 4948 IPv6 Throughput
In-Reply-To: <4AF495AA.1040708@linuxgoeroe.dhs.org>
References: <4AF49490.9060301@rollernet.us> <4AF495AA.1040708@linuxgoeroe.dhs.org>
Message-ID: <4AF4A5C0.3010305@rollernet.us>

Marco van den Bovenkamp wrote:
> Seth Mattinen wrote:
>
>> The only thing I can find on the 4948 for IPv6 performance is that it's
>> "in software". Does anyone know what that means?
>
> Yes, it means 'It can't really do it, but we pretend it can'
>

I figured as much.

~Seth

From philxor at gmail.com Fri Nov 6 17:47:00 2009
From: philxor at gmail.com (Phil Bedard)
Date: Fri, 6 Nov 2009 17:47:00 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <20091106213521.GL163@greenie.muc.de>
References: <4AF473CD.7000405@inex.ie> <20091106213521.GL163@greenie.muc.de>

It doesn't, it buffers until there isn't contention, acting like a store and forward switch.

Phil

On Nov 6, 2009, at 4:35 PM, Gert Doering wrote:
> Hi,
>
> On Fri, Nov 06, 2009 at 07:06:53PM +0000, Nick Hilliard wrote:
>> Incidentally, if you're planning to use the N5K as a fancy 1G
>> switch, note
>> that the system will change the switching mode from cut-through to
>> store-n-forward for GE ports; cut-through is only supported for 10G
>> transceivers. This may matter for iSCSI.
>
> Out of curiosity: how does it cut-through if it has to multiplex
> multiple
> ports, as in: packets coming in on port A and B and leaving on C? As
> soon as two packets overlap (time-wise) on A and B, you can't do
> cut-through...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany    gert at greenie.muc.de
> fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From maillist at thelan.no Fri Nov 6 21:06:43 2009
From: maillist at thelan.no (Harald Firing Karlsen)
Date: Sat, 07 Nov 2009 03:06:43 +0100
Subject: [c-nsp] 4948 IPv6 Throughput
In-Reply-To: <4AF4A5C0.3010305@rollernet.us>
References: <4AF49490.9060301@rollernet.us> <4AF495AA.1040708@linuxgoeroe.dhs.org> <4AF4A5C0.3010305@rollernet.us>
Message-ID: <4AF4D633.5000009@thelan.no>

Seth Mattinen wrote:
> Marco van den Bovenkamp wrote:
>
>> Yes, it means 'It can't really do it, but we pretend it can'
>>
>
>
> I figured as much.

Well, what exactly do you want to know? It means the switch punts all IPv6 packets destined for another prefix to the CPU, rendering it quite useless for forwarding IPv6 packets, but it will probably work fine with IPv6 for management (telnet, snmp, etc).

If you want performance numbers my bet is you won't be able to push more than about 75-100Mbps under ideal conditions (all 1500B or 9KB packets), but it all depends on the traffic. It is impossible to predict the performance of a switch doing forwarding in software.

--
Harald Firing Karlsen

From ler762 at gmail.com Fri Nov 6 21:32:33 2009
From: ler762 at gmail.com (Lee)
Date: Fri, 6 Nov 2009 21:32:33 -0500
Subject: [c-nsp] IOS retraction?
In-Reply-To: <4AF48179.8030903@utc.edu>
References: <4AF48179.8030903@utc.edu>

Yes, running 12.2(50)SE3 on a pair of 3550s with no problems. & no recall notice :)

I suspect it's just their screwed up site not showing all the software if you go in looking by device type.
I had the same problem of not seeing the recommended software for 3550s & I think if you go looking by IOS version you can find it that way. At least that's my recollection.. I just tried visiting Cisco's software download page to double-check & got

  Page Unavailable
  The Webpage you requested is unavailable. Please revisit at a later time.
  We apologize for the temporary inconvenience.

Regards,
Lee

On Fri, Nov 6, 2009 at 3:05 PM, Jeff Kell wrote:
> In chasing my notes and upgrade schedules to respond to the last
> vulnerabilities announcement (September?), I had a list of then-running
> platforms and IOS, along with the recommended/forthcoming release
> numbers containing the fix. I've been collecting images and working my
> way down the list of priorities since then.
>
> Included on my list were some 3550s (we route a number of 3550-12Gs)
> running various 12.2SE versions.
>
> The original security announcement listed the "recommended" fix as
> 12.2(50)SE3, or 12.2(52)SE; Available on 13-OCT-2009.
>
> At the time (or shortly afterward) I did indeed grab a
> c3550-ipservicesk9-tar.122-50.SE3.tar (it's in my boot library).
>
> This weekend was the first opportunity to hit the 3550s, so I
> double-checked TAC to see if the 12.2(52) was there (being somewhat brave).
>
> Today, the most recent listing for all 3550s is
> c3550-ipservicesk9-tar.122-44.SE6.tar.
>
> Say what??
>
> If you track all the 3550 models down, this version only shows up for
> the 3550-24-DC switch (?).
>
> Is this some Marketing flip (on the EOL train) for the other 3550s, or
> was the 122-50/122-52 series actually "recalled" from these platforms?
>
> Anyone else get ahead of the curve and running 12.2(50) or (52) on a
> 3550 successfully? Gotten a recall notice yet?
> :-)
>
> Very confused,
>
> Jeff

From rsm at fast-serv.com Fri Nov 6 23:28:53 2009
From: rsm at fast-serv.com (Randy McAnally)
Date: Fri, 6 Nov 2009 23:28:53 -0500
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers
In-Reply-To: <4AF477D7.6040508@warner.fm>
References: <4AF477D7.6040508@warner.fm>
Message-ID: <20091107042844.M11863@fast-serv.com>

Are you running QOS?

--
Randy

---------- Original Message -----------
From: Doug Warner
To: cisco-nsp at puck.nether.net
Sent: Fri, 06 Nov 2009 14:24:07 -0500
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers

> We're running into an issue where a pair of gigabit ports in an etherchannel
> are accumulating out-discards. From my reading here on cisco-nsp,
> it doesn't sound like many people have a solution for this on the
> same platform.
>
> We're currently pushing ~500Mbps/50Kpps through this pair of ports in
> etherchannel; should we be seeing these types of problems, and if so,
> what type of hardware would people recommend upgrading to?
>
> -Doug
------- End of Original Message -------

From illcritikz at gmail.com Sat Nov 7 03:13:12 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Sat, 7 Nov 2009 19:13:12 +1100
Subject: [c-nsp] DHCP_PD / IPv6
In-Reply-To: <67f318c20911061203t450a89f7tec04cdfbe8b74d4b@mail.gmail.com>
References: <67f318c20911061203t450a89f7tec04cdfbe8b74d4b@mail.gmail.com>
Message-ID: <4422cf660911070013t5e623342yaa49af7c923e879c@mail.gmail.com>

The "fix" is to

clear ipv6 dhcp client Dialer123

I use event manager to do this automagically for me like so:

event manager applet monitor_ipv6_dhcp
 event syslog pattern "DIALER-6-BIND"
 action 1.0 cli command "clear ipv6 dhcp client Dialer1"

This reacts to an event in the log of "DIALER-6-BIND" which for me is my Dialer re-establishing its PPP session; do a clear int d123 and check your logs to verify this for you.

You can view the results of event manager by:

router#sh event manager history events
No.  Time of Event              Event Type    Name
1    Sat Nov 7 11:12:56 2009    syslog        applet: monitor_ipv6_dhcp

and of course a sh ipv6 dhcp interface d123 will show you your new lease as well.

Cheers,

Ben

On Sat, Nov 7, 2009 at 7:03 AM, vikas hazrati wrote:
> Hello all
>
> I have been trying to test DHCP-PD functionality for ADSL / PPPoE users.
> Using basic cisco-site examples I was
> able to assign an IPv6 prefix to the CPE. The problem I am facing is the
> following:
>
> When the PPPoE session is torn down, the corresponding Virtual-Access
> interface (and ipv6 routes) are deleted from
> the NAS as expected, but in the CPE the DHCP-client remains up. So when the
> PPPoE session is re-established no
> new routes are installed in the NAS routing table for the DHCP delegated
> prefixes, so no traffic can be forwarded to the
> customer subnet.
>
> The question is how can I make sure that in a DHCP-PD environment, the DHCP
> client of the CPE is reinitialized
> when the PPPoE session used for internet connectivity is re-established
>
> The config used on the CPE side is really simple
>
> interface Dialer 123
>  encapsulation ppp
>  dialer pool 123
>  ipv6 address autoconfig default
>  ipv6 enable
>  ipv6 dhcp client pd DHCP_PD
>  ppp pap sent-username **** password 0 ****
>
>
> Any help is welcomed
>

From sethm at rollernet.us Sat Nov 7 03:54:07 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sat, 07 Nov 2009 00:54:07 -0800
Subject: [c-nsp] 4948 IPv6 Throughput
In-Reply-To: <4AF4D633.5000009@thelan.no>
References: <4AF49490.9060301@rollernet.us> <4AF495AA.1040708@linuxgoeroe.dhs.org> <4AF4A5C0.3010305@rollernet.us> <4AF4D633.5000009@thelan.no>
Message-ID: <4AF535AF.101@rollernet.us>

Harald Firing Karlsen wrote:
> Seth Mattinen wrote:
>> Marco van den Bovenkamp wrote:
>>
>>> Yes, it means 'It can't really do it, but we pretend it can'
>>>
>>
>>
>> I figured as much.
> Well, what exactly do you want to know? It means the switch punts all
> IPv6-packets destined for another prefix to the CPU rendering it quite
> useless for forwarding IPv6 packets, but it will probably work fine with
> IPv6 for management (telnet, snmp, etc).
>
> If you want performance numbers my bet is you won't be able to push more
> than about 75-100Mbps under ideal conditions (all 1500B or 9KB packets),
> but it all depends on the traffic. It is impossible to predict the
> performance of a switch doing forwarding in software.
>

General forwarding, access lists, etc. Anything you would do with IPv4 right now but in a dual-stack network where things prefer IPv6 first.
I'm using 3750's and their TCAM space for v6 stuffs is somewhat tiny.

~Seth

From gary at velocity-servers.net Sat Nov 7 04:56:28 2009
From: gary at velocity-servers.net (Gary Stanley)
Date: Sat, 07 Nov 2009 04:56:28 -0500
Subject: [c-nsp] dmzlink-bw and ebgp-multihop 2
Message-ID: <200911071030.nA7AUXpQ049587@puck.nether.net>

I have a very unusual network setup, ISP-A requires me to have ebgp-multihop of 2 because we're not physically connected (we seem to be 2 hops away)

Anyways, is there some kind of design implementation to use to make dmzlink-bw work? neighbor disable-connected-check only works if you're 1 hop from an ebgp session, dmzlink-bw works fine on ISP-B's session (3356).

Currently I'm using "bgp bestpath as-path multipath-relax" but the traffic ratios are costing me money, and we do not have the memory to take full tables, or partials (only 32k max) or the money to afford to buy a huge switch just for memory

Anyone have some suggestions?

Thanks!
-G

From rubensk at gmail.com Sat Nov 7 07:14:21 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Sat, 7 Nov 2009 10:14:21 -0200
Subject: [c-nsp] dmzlink-bw and ebgp-multihop 2
In-Reply-To: <200911071030.nA7AUXpQ049587@puck.nether.net>
References: <200911071030.nA7AUXpQ049587@puck.nether.net>
Message-ID: <6bb5f5b10911070414i5eee380ewaa704282d1fa1b85@mail.gmail.com>

Maybe tunneling the BGP session with GRE, L2TPv3, MPLS x-connect or VPLS so it will now appear as a single hop?

Rubens

On Sat, Nov 7, 2009 at 7:56 AM, Gary Stanley wrote:
> I have a very unusual network setup, ISP-A requires me to have ebgp-multihop
> of 2 because we're not physically connected (we seem to be 2 hops away)
>
> Anyways, is there some kind of design implementation to use to make
> dmzlink-bw work? neighbor disable-connected-check only works if you're 1 hop
> from an ebgp session, dmzlink-bw works fine on ISP-B's session (3356).
>
> Currently I'm using "bgp bestpath as-path multipath-relax" but the traffic
> ratios are costing me money, and we do not have the memory to take full
> tables, or partials (only 32k max) or the money to afford to buy a huge
> switch just for memory
>
> Anyone have some suggestions?
>
> Thanks!
> -G
>

From mtinka at globaltransit.net Sat Nov 7 02:34:29 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 7 Nov 2009 15:34:29 +0800
Subject: [c-nsp] MPLS Multi-AS options...
In-Reply-To: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>
References: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>
Message-ID: <200911071534.30804.mtinka@globaltransit.net>

On Friday 06 November 2009 03:40:57 am Kenny Sallee wrote:
> I'm wondering if anyone is actually doing any flavor of
> Multi-AS backbone in the real world? Option A
> doesn't seem scalable at all. Option B seems scalable,
> but the level of trust and lack of QoS may be a concern.
> Option AB - I'm trying to fully understand w/o a ton of
> lab time. As I read the first Cisco link above, with
> Option AB - you must configure a sub-interface PER
> VPN/Client in its own VRF on each SP's ASBR. So if you
> have 100 different customers, on that interconnect
> between SP1 and SP2 you must configure 100
> sub-interfaces, VRF's with unique (agreed upon) RD's.
> Then you configure a single MP-BGP session to carry the
> VPNv4 addresses for all VRF's. So really you are only
> saving X number of BGP sessions with Option AB compared
> to say just Option A correct?

Yes, the difference between Option AB (a.k.a Option D) and Option A or Option B is that with Option AB, only a single eBGP session between the ASBR's is required.
Furthermore, while forwarding can be based on MPLS, IP forwarding is also supported, which preserves QoS values that can be used for processing across the ASBR<=>ASBR link.

My suggestion; for any NNI option you choose, it should go a long way in making your life easy, i.e., you don't have to create a sub-interface for each customer VPN, you don't have to create an eBGP session for each customer VPN.

While Option AB is in an IETF draft state, I only know of Cisco being the only vendor implementing it (there could be others, though - I haven't researched beyond the vendors we use in production). However, some of the other vendors are able to implement the methods Option AB uses to operate, but in such a manner that it may not necessarily be compatible to Cisco's, or if it is, implementing it may not be as scalable, requiring that a number of boxes in the end-to-end VPN connection be touched for co-ordination.

Personally, I think Option AB is rather complicated in its design, but based on Cisco's implementation, a lot of that complexity is hidden from the operators, with the routers doing all that automatically. It is an interesting option, but the need to configure a sub-interface for each VPN leaves a strange taste in my mouth.

One of the other vendors we're working with is able to implement Option B + IP processing, which is cool because we maintain a single interface for all VPN's, and a single eBGP session for all VPN's, without losing the ability to do QoS. Still checking with Cisco whether they can do this.

Things get a lot more interesting when you try to inter-op NNI relationships. If Cisco can't do Option B + IP processing, it may make sense for us to have both a Cisco and non-Cisco NNI router at each NNI site in order to have smooth NNI relationships depending on what platforms our partners can support.
Of course, we can only support two platforms, so work becomes trickier if our NNI partner brings along an unsupported device - but, it won't be the end of the world :-).

Things get a lot more interesting if you want to NNI for l2vpn/VPLS services.

Cheers,

Mark.

From mtinka at globaltransit.net Sat Nov 7 02:34:23 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 7 Nov 2009 15:34:23 +0800
Subject: [c-nsp] Relationship between RAM and routes
Message-ID: <200911071534.24790.mtinka@globaltransit.net>

On Thursday 05 November 2009 02:12:56 pm Eric Magutu wrote:
> Hi,
> What is the relationship between RAM and routes?

Well, the more routing entries you have, the more memory you need to hold them. This is truer for dynamic routing protocols than the opposite, as routing entries learned dynamically carry additional attributes along with them and all sorts of goodies that need to make friends with RAM + CPU :-).

That said...

> I want
> to implement 1000 static routes in a cisco 7206vxr (NPE
> -G1) and needed to find out what effect it would have on
> my router. Should I do any upgrades? it has
> 229376K/32768K bytes of memory 509K of NVRAM

1,000 static routing entries should not be a problem for the platform to handle. I'd be more worried about your energy levels and the amount of NVRAM at your disposal (although there are other options you can consider to manage a larger active configuration).

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
From peter.hicks at poggs.co.uk Sat Nov 7 11:58:32 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Sat, 07 Nov 2009 16:58:32 +0000
Subject: [c-nsp] Cat6500 "Waiting for supervisor to come online in other slot" when booting
In-Reply-To: <4AF279D0.8090103@poggs.co.uk>
References: <4AF279D0.8090103@poggs.co.uk>
Message-ID: <4AF5A738.1060800@poggs.co.uk>

All,

Peter Hicks wrote:
> I have a pair of 6504Es with Sup32s here, running 12.2(33)SXH6. When
> they boot, the bootloader loads and I am presented with:
>
> ==cut===
> ...
> Cisco IOS Software, s3223_sp Software (s3223_sp-BOOT-M), Version
> 12.2(33)SXH6, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2009 by Cisco Systems, Inc.
> Compiled Thu 15-Oct-09 11:59 by prod_rel_team
> Image text-base: 0x40231348, data-base: 0x41B62000
>
> MAC based EOBC installed
>
> Waiting (slot 1) for supervisor to come online in other slot. iteration
> = 0
> Next Retry will be done after 6 seconds
>
> ==cut===

For the archives - because somebody else is likely to have this problem, the problem was that I had a modular software image and the boot variables weren't set properly.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80313e09.html explains how to install modular images.

Regards,

Peter

From doug at warner.fm Sat Nov 7 12:39:51 2009
From: doug at warner.fm (Doug Warner)
Date: Sat, 07 Nov 2009 12:39:51 -0500
Subject: [c-nsp] Upgrade for C2960-48TC with more buffers
In-Reply-To: <20091107042844.M11863@fast-serv.com>
References: <4AF477D7.6040508@warner.fm> <20091107042844.M11863@fast-serv.com>
Message-ID: <4AF5B0E7.5010004@warner.fm>

No, QOS is disabled. I'm still seeing a lot of discarded packets in queue 3, weight 2 though.

-Doug

On 11/06/2009 11:28 PM, Randy McAnally wrote:
> Are you running QOS?
> > -- > Randy > > ---------- Original Message ----------- > From: Doug Warner > To: cisco-nsp at puck.nether.net > Sent: Fri, 06 Nov 2009 14:24:07 -0500 > Subject: [c-nsp] Upgrade for C2960-48TC with more buffers > >> We're running into an issue where a pair of gigabit ports in an etherchannel >> are accumulating out-discards. From my reading here on cisco-nsp, >> it doesn't sound like many people have a solution for this on the >> same platform. >> >> We're currently pushing ~500Mbps/50Kpps through this pair of ports in >> etherchannel; should we be seeing these types of problems, and if so, >> what type of hardware would people recommend upgrading to? >> >> -Doug > ------- End of Original Message ------- > From kloch at kl.net Sat Nov 7 16:13:45 2009 From: kloch at kl.net (Kevin Loch) Date: Sat, 07 Nov 2009 16:13:45 -0500 Subject: [c-nsp] unknown ethertype 0x200e Message-ID: <4AF5E309.4000202@kl.net> Does anyone know what this might be, from a routed interface on SRD3: 15:00:18.774808 00:02:fc:c1:0d:b2 > 00:00:00:00:02:02, ethertype Unknown (0x200e), length 78: 0x0000: 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f ................ 0x0010: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................ 0x0020: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./ 0x0030: 3031 3233 3435 3637 3839 3a3b 3c3d 3e3f 0123456789:;<=>? I'd like to know what knob to use to turn it off. Google didn't turn up anything helpful.
- Kevin From eng_mssk at hotmail.com Sat Nov 7 17:04:34 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Sun, 8 Nov 2009 00:04:34 +0200 Subject: [c-nsp] SNMP Trap Software Message-ID: hey all i am using Cacti to graph my devices (SNMP port 161) i want a free software that able me to send traps to (SNMP port 162) Best Regards, From CJones at enterprisedata.com.au Sat Nov 7 17:18:09 2009 From: CJones at enterprisedata.com.au (Chris Jones) Date: Sun, 8 Nov 2009 09:18:09 +1100 Subject: [c-nsp] SNMP Trap Software In-Reply-To: References: Message-ID: <9ACFA99B-ADDB-47C4-A6D3-A2466FE41CA6@enterprisedata.com.au> snmptrapd (part of the net-snmp package, which is included with most Linux/Unix distributions these days), can handle that for you. Take a look at http://net-snmp.sourceforge.net/ Regards, Chris Jones On 08/11/2009, at 9:04 AM, Mohammad Khalil wrote: > > hey all > i am using Cacti to graph my devices (SNMP port 161) > i want a free software that able me to send traps to (SNMP port 162) > > Best Regards, >
From swmike at swm.pp.se Sun Nov 8 03:29:23 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Sun, 8 Nov 2009 09:29:23 +0100 (CET) Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <200911081520.34864.mtinka@globaltransit.net> References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com> <200911081520.34864.mtinka@globaltransit.net> Message-ID: On Sun, 8 Nov 2009, Mark Tinka wrote: > I will say one thing, though. Dividing the IS-IS domain into > L1 and L2 levels accordingly is meant to help you scale. That might make sense if you have all routes in there, but when just carrying loopbacks it kind of stops making sense (at least to me).
-- Mikael Abrahamsson email: swmike at swm.pp.se From mtinka at globaltransit.net Sun Nov 8 02:13:33 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Sun, 8 Nov 2009 15:13:33 +0800 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <4AF48220.4000900@justinshore.com> References: <4AF21CA5.4050804@gmail.com> <4AF47AF3.7040200@gmail.com> <4AF48220.4000900@justinshore.com> Message-ID: <200911081513.34421.mtinka@globaltransit.net> On Saturday 07 November 2009 04:08:00 am Justin Shore wrote: > I was going to throw up a red flag about trying to run > IS-IS on a 3750 because the last time I looked > fixed-config non-ME Cat switches didn't support IS-IS. > However I checked the FN just to be sure since it's been > a long while since I looked and sure enough they added > IS-IS to the 3750s with 12.2(50)SE. We have IS-IS running on 3560G's and 3750's for L1-only, IOS 12.2(52)SE. All our Ethernet switches run pure Layer 2 switching, so we're only using IS-IS to provide access to the device's Loopback address, for management. It works. Cheers, Mark. From mtinka at globaltransit.net Sun Nov 8 02:20:33 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Sun, 8 Nov 2009 15:20:33 +0800 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: References: <4AF21CA5.4050804@gmail.com> <6E4D2678AC543844917CA081C9D6B33F9EF7F4@XMB-AMS-103.cisco.com> Message-ID: <200911081520.34864.mtinka@globaltransit.net> On Friday 06 November 2009 04:09:58 pm Mikael Abrahamsson wrote: > This is probably the biggest problem, the few people > doing L1-L2 separation are those into academia/theoretics > (passing a test/exam), when you go into the real world > it's no longer in major use. > > I've never bothered to learn about ISIS L1, never needed > to, see no use for it in real life.
L2-only is the way to > go. > > I'd also recommend against it from a sw standpoint. Sure, > the sw supports it, but it hasn't been exposed to real > life as much as L2 only because of above reasons. Well, we switched from OSPF to IS-IS in 2008, and we're running: * L1-only for all routers/switches in a PoP. * L1/L2 on all core routers. * L2-only for all PoP-to-PoP core links. The above has been stable, runs very well - helps us manage a multi-Gbps transport network :-). I will say one thing, though. Dividing the IS-IS domain into L1 and L2 levels accordingly is meant to help you scale. However, in this case, we trade scaling for optimality (even with an L1 and L2 network) by performing Route Leaking on all core routers. So if you think about it, it sort of moots the point, and perhaps makes an L2-only network an obvious choice. However, we still went ahead to deploy a multi-level IS-IS backbone, because there could be some day where we only need L1 routes in a specific PoP (which, to be honest, I can't see now - but as with anything else in network operations, better to be prepared). Cheers, Mark. From mtinka at globaltransit.net Sun Nov 8 06:17:24 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Sun, 8 Nov 2009 19:17:24 +0800 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> Message-ID: <200911081917.29547.mtinka@globaltransit.net> On Sunday 08 November 2009 04:29:23 pm Mikael Abrahamsson wrote: > That might make sense if you have all routes in there, > but when just carrying loopbacks it kind of stops making > sense (at least to me). Well, a route is a route. The difference between philosophies is just the volume.
I get your point, but who's to say I won't have 10,000 routers in production? Mark. From ras at e-gerbil.net Sun Nov 8 06:33:55 2009 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Sun, 8 Nov 2009 05:33:55 -0600 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <200911081917.29547.mtinka@globaltransit.net> References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net> Message-ID: <20091108113355.GD51443@gerbil.cluepon.net> On Sun, Nov 08, 2009 at 07:17:24PM +0800, Mark Tinka wrote: > On Sunday 08 November 2009 04:29:23 pm Mikael Abrahamsson > wrote: > > > That might make sense if you have all routes in there, > > but when just carrying loopbacks it kind of stops making > > sense (at least to me). > > Well, a route is a route. The difference between > philosophies is just the volume. > > I get your point, but who's to say I won't have 10,000 > routers in production? IMHO the rule of thumb for multiple areas in either ISIS or OSPF is "if you have to ask whether you should use them or not, the answer is you shouldn't". Their sensible use is so vastly exaggerated in books and lab tests that it isn't even funny. -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From adwhite at inchix.net Sun Nov 8 06:49:58 2009 From: adwhite at inchix.net (Andrew White) Date: Sun, 8 Nov 2009 22:49:58 +1100 Subject: [c-nsp] 3750G vs. Nexus for a SAN In-Reply-To: References: Message-ID: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> Any reason why you wouldn't go for fcoe on nexus 5k? :) On Sat, Nov 7, 2009 at 6:26 AM, Jason Gurtz wrote: >> Not sure that you want to go with Nexus at this point.
It's got some >> really nice features, however we keep running into code bugs . Not just >> stuff that's obscure and shows up in certain situations but real show- >> stoppers like being unable to form port-channels with HP blade servers. > > Interesting assessment and sorry to hear about the microsoftish > experience. We're not intending to use blades (ESX Server 4 on a number > of HP DL380G6 is likely) and would like to do cross-box etherchannels for > redundancy. > > Jeff mentioned the 4948 of which the 10G version looks great since we're > wanting to mirror the san off-site over fiber. > > There's still a chance that fiber channel will happen though it looks like > that doesn't really make sense in this day and age. Here, vendors are > pushing the MDS9124 box. > > Thanks for the responses so far. > > ~JasonG From swmike at swm.pp.se Sun Nov 8 07:10:05 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Sun, 8 Nov 2009 13:10:05 +0100 (CET) Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <200911081917.29547.mtinka@globaltransit.net> References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net> Message-ID: On Sun, 8 Nov 2009, Mark Tinka wrote: > Well, a route is a route. The difference between > philosophies is just the volume. > > I get your point, but who's to say I won't have 10,000 > routers in production? In order to detect loopbacks going away and using this to invalidate/remove next-hops quickly, you can't aggregate anyway. Sorry, I have yet to hear someone describe an ISP network (designed as per ISP essentials, carry loopbacks in IGP and everything else in BGP), where IGP aggregation makes sense.
If you have 10k routers in your IGP, well, you most likely did something wrong earlier in the process. Also, with modern processors and techniques such as partial tree recalculation in modern router OSes, I'm sure even 10k routers would be manageable in a single area. -- Mikael Abrahamsson email: swmike at swm.pp.se From amr.ccie at gmail.com Sun Nov 8 08:49:04 2009 From: amr.ccie at gmail.com (Jason Alex) Date: Sun, 8 Nov 2009 15:49:04 +0200 Subject: [c-nsp] Upgrade to XR-IOS 3.8.1 Message-ID: Dear All, Kindly I want to upgrade one of my routers to Cisco IOS XR 3.8.1 (Cisco 12410) my current IOS is 3.6.1 any advice how can I make this upgrade gracefully without any downtime ? and what are the steps to migrate to version 3.8.1 Thanks & Regards Jason From brian at bluecoat93.org Sun Nov 8 10:33:35 2009 From: brian at bluecoat93.org (Brian Landers) Date: Sun, 8 Nov 2009 10:33:35 -0500 Subject: [c-nsp] 3750G vs. Nexus for a SAN In-Reply-To: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> Message-ID: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> I realize this is cisco-nsp, but does anyone have any opinions on the Force 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long been frustrated with Cisco's lack of a cost-effective "48 ports of gigE with a 10ge uplink" switch. I don't really *need* a $12,000 layer 3 switch (or two) at the top of every rack in my data center! On Sun, Nov 8, 2009 at 6:49 AM, Andrew White wrote: > Any reason why you wouldn't go for fcoe on nexus 5k? :) > > > > On Sat, Nov 7, 2009 at 6:26 AM, Jason Gurtz > wrote: > >> Not sure that you want to go with Nexus at this point. It's got some > >> really nice features, however we keep running into code bugs . Not just > >> stuff that's obscure and shows up in certain situations but real show- > >> stoppers like being unable to form port-channels with HP blade servers.
> > > > Interesting assessment and sorry to hear about the microsoftish > > experience. We're not intending to use blades (ESX Server 4 on a number > > of HP DL380G6 is likely) and would like to do cross-box etherchannels for > > redundancy. > > > > Jeff mentioned the 4948 of which the 10G version looks great since we're > > wanting to mirror the san off-site over fiber. > > > > There's still a chance that fiber channel will happen though it looks > like > > that doesn't really make sense in this day and age. Here, vendors are > > pushing the MDS9124 box. > > > > Thanks for the responses so far. > > > > ~JasonG -- Brian C Landers http://www.packetslave.com/ CCIE #23115 From william.mccall at gmail.com Sun Nov 8 13:30:41 2009 From: william.mccall at gmail.com (William McCall) Date: Sun, 8 Nov 2009 12:30:41 -0600 Subject: [c-nsp] Upgrade to XR-IOS 3.8.1 In-Reply-To: References: Message-ID: There will be downtime if you go directly with these versions. Check with your SE or TAC. IIRC, they should have a list of versions to go through to do a nice graceful (albeit, with some minor disruptions) upgrade. -- William McCall, CCIE #25044 On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote: > Dear All, > Kindly I want to upgrade one of my routers to Cisco IOS XR > 3.8.1 (Cisco 12410) > my current IOS is 3.6.1 > > any advice how can I make this upgrade gracefully without any downtime ?
> and what are the steps to migrate to version 3.8.1 > > > Thanks & Regards > Jason From edigheorghiu at gmail.com Sun Nov 8 16:01:40 2009 From: edigheorghiu at gmail.com (Eduard Gheorghiu) Date: Sun, 8 Nov 2009 23:01:40 +0200 Subject: [c-nsp] Upgrade to XR-IOS 3.8.1 In-Reply-To: References: Message-ID: William, can you give an example of two XR versions that you can migrate between without reloading the whole box? I would like to try it in the lab in order to see how it is done. Thanks, Eduard On Nov 8, 2009 8:41 PM, "William McCall" wrote: There will be downtime if you go directly with these versions. Check with your SE or TAC. IIRC, they should have a list of versions to go through to do a nice graceful (albeit, with some minor disruptions) upgrade. -- William McCall, CCIE #25044 On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote: > Dear All, > Ki... From nick at inex.ie Sun Nov 8 16:16:59 2009 From: nick at inex.ie (Nick Hilliard) Date: Sun, 08 Nov 2009 21:16:59 +0000 Subject: [c-nsp] unknown ethertype 0x200e In-Reply-To: <4AF5E309.4000202@kl.net> References: <4AF5E309.4000202@kl.net> Message-ID: <4AF7354B.10600@inex.ie> On 07/11/2009 21:13, Kevin Loch wrote: > Does anyone know what this might be, from a routed interface > on SRD3: > > 15:00:18.774808 00:02:fc:c1:0d:b2 > 00:00:00:00:02:02, ethertype Unknown > (0x200e), length 78: > 0x0000: 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f ................ > 0x0010: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................ > 0x0020: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./ > 0x0030: 3031 3233 3435 3637 3839 3a3b 3c3d 3e3f 0123456789:;<=>? > > I'd like to know what knob to use to turn it off. Google didn't turn up > anything helpful. Looks like junk traffic to me.
Might be worth opening up a TAC case: the payload looks peculiar and as you note, the ethertype is unknown. The destination mac address also looks odd. Nick From dudepron at gmail.com Sun Nov 8 19:22:58 2009 From: dudepron at gmail.com (Aaron) Date: Sun, 8 Nov 2009 19:22:58 -0500 Subject: [c-nsp] Upgrade to XR-IOS 3.8.1 In-Reply-To: References: Message-ID: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com> There isn't a version that you can do that. Aaron On Sun, Nov 8, 2009 at 16:01, Eduard Gheorghiu wrote: > William, can you give an example of two XR versions that you can migrate > between without reloading the whole box? I would like to try it in the lab > in order to see how it is done. > Thanks, > Eduard > > On Nov 8, 2009 8:41 PM, "William McCall" wrote: > > There will be downtime if you go directly with these versions. Check > with your SE or TAC. IIRC, they should have a list of versions to go > through to do a nice graceful (albeit, with some minor disruptions) > upgrade. > > > -- > William McCall, CCIE #25044 > > On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote: > > Dear All, > Ki... From william.mccall at gmail.com Sun Nov 8 19:55:39 2009 From: william.mccall at gmail.com (William McCall) Date: Sun, 8 Nov 2009 18:55:39 -0600 Subject: [c-nsp] Upgrade to XR-IOS 3.8.1 In-Reply-To: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com> References: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com> Message-ID: *shrug* I recalled incorrectly. I was under the impression that some of the minor releases were capable of in-service upgrade. However, it looks like it just applies to SMUs. And even then, the SMUs might take out the box. On Sun, Nov 8, 2009 at 6:22 PM, Aaron wrote: > There isn't a version that you can do that.
> > Aaron > > On Sun, Nov 8, 2009 at 16:01, Eduard Gheorghiu > wrote: >> >> William, can you give an example of two XR versions that you can migrate >> between without reloading the whole box? I would like to try it in the lab >> in order to see how it is done. >> Thanks, >> Eduard >> >> On Nov 8, 2009 8:41 PM, "William McCall" wrote: >> >> There will be downtime if you go directly with these versions. Check >> with your SE or TAC. IIRC, they should have a list of versions to go >> through to do a nice graceful (albeit, with some minor disruptions) >> upgrade. >> >> >> -- >> William McCall, CCIE #25044 >> >> On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote: > >> Dear All, > Ki... > > -- William McCall, CCIE #25044 From dudepron at gmail.com Sun Nov 8 22:29:50 2009 From: dudepron at gmail.com (Aaron) Date: Sun, 8 Nov 2009 22:29:50 -0500 Subject: [c-nsp] Upgrade to XR-IOS 3.8.1 In-Reply-To: References: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com> Message-ID: <480dad640911081929h1cd625ccueedf1c058f7b38ae@mail.gmail.com> Yeah. ISSU isn't where it should be. Some SMU's require a reload depending on what components are touched. On Sun, Nov 8, 2009 at 19:55, William McCall wrote: > *shrug* I recalled incorrectly. I was under the impression that some > of the minor releases were capable of in-service upgrade. However, it > looks like it just applies to SMUs. And even then, the SMUs might take > out the box. > > On Sun, Nov 8, 2009 at 6:22 PM, Aaron wrote: > > There isn't a version that you can do that. > > > > Aaron > > > > On Sun, Nov 8, 2009 at 16:01, Eduard Gheorghiu > > wrote: > >> > >> William, can you give an example of two XR versions that you can migrate > >> between without reloading the whole box?
I would like to try it in the > lab > >> in order to see how it is done. > >> Thanks, > >> Eduard > >> > >> On Nov 8, 2009 8:41 PM, "William McCall" > wrote: > >> > >> There will be downtime if you go directly with these versions. Check > >> with your SE or TAC. IIRC, they should have a list of versions to go > >> through to do a nice graceful (albeit, with some minor disruptions) > >> upgrade. > >> > >> > >> -- > >> William McCall, CCIE #25044 > >> > >> On Sun, Nov 8, 2009 at 7:49 AM, Jason Alex wrote: > > > >> Dear All, > Ki... > > -- > William McCall, CCIE #25044 > From andy.saykao at staff.netspace.net.au Mon Nov 9 00:26:29 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Mon, 9 Nov 2009 16:26:29 +1100 Subject: [c-nsp] Troubleshooting Output Drops on 7301 Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAEEF@vic-cr-ex1.staff.netspace.net.au> Hi All, We're seeing some output drops occur on one of our interstate links. Just wondering how I can track what's causing it and/or whether it's normal behaviour for the output queue to fill up every now and then because of an increase in bursty traffic at the time. Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 11624 (Counters were cleared 17 minutes ago.) I've read Cisco's "Troubleshooting Input Queue Drops and Output Queue Drops" but it doesn't seem to have any information relating to my situation. Also searched for help on the list but nothing much to go on. Cisco IOS Software, 7301 Software (C7301-JS-M), Version 12.2(31)SB13, RELEASE SOFTWARE (fc1) Cisco 7301 (NPE) processor (revision A) with 229376K/32768K bytes of memory.
interface GigabitEthernet0/2
 description Link from XXX to YYY
 mtu 9000
 bandwidth 150000
 ip address 203.17.96.X 255.255.255.252
 load-interval 30
 media-type gbic
 speed auto
 duplex auto
 negotiation auto
 mpls ip

router>sh int gig 0/2
GigabitEthernet0/2 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 000b.60a5.ac19 (bia 000b.60a5.ac19)
  Description: Link from XXX to YYY
  Internet address is 203.17.96.X/30
  MTU 9000 bytes, BW 150000 Kbit, DLY 10 usec,
     reliability 255/255, txload 221/255, rxload 153/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1000Mbps, 1000BaseLX, Auto-negotiation, media type is LX
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:17:33
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 11624
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 90511000 bits/sec, 17280 packets/sec
  30 second output rate 130521000 bits/sec, 21551 packets/sec
     18784789 packets input, 3852868380 bytes, 0 no buffer
     Received 1244 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 66127 multicast, 0 pause input
     22942732 packets output, 4128502155 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

router#sh proc memory
Processor Pool Total: 174234996 Used: 64120552 Free: 110114444
I/O Pool Total: 33554432 Used: 3729248 Free: 29825184

router#sh processes cpu sorted
CPU utilization for five seconds: 20%/18%; one minute: 19%; five minutes: 19%

Any help would be appreciated. Thanks.
Andy From ras at e-gerbil.net Mon Nov 9 02:23:46 2009 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Mon, 9 Nov 2009 01:23:46 -0600 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <200911091432.32320.mtinka@globaltransit.net> References: <4AF21CA5.4050804@gmail.com> <200911081917.29547.mtinka@globaltransit.net> <20091108113355.GD51443@gerbil.cluepon.net> <200911091432.32320.mtinka@globaltransit.net> Message-ID: <20091109072346.GK51443@gerbil.cluepon.net> On Mon, Nov 09, 2009 at 02:32:11PM +0800, Mark Tinka wrote: > On Sunday 08 November 2009 07:33:55 pm Richard A Steenbergen > wrote: > > > IMHO the rule of thumb for multiple areas in either ISIS > > or OSPF is "if you have to ask whether you should use > > them or not, the answer is you shouldn't". Their sensible > > use is so vastly exaggerated in books and lab tests that > > it isn't even funny. > > Speaking on my/our own behalf, there wouldn't be a doubt in > our minds whether we needed the hierarchy or not. > > In our case, coming from OSPF where Areas were in vast use > (different for each PoP, and we had quite a few), it made > sense, at the time, to maintain a similar hierarchy in IS- > IS, especially since what we wanted the most out of the > migration was its "stretchy" property.
> > However, like I mentioned in an earlier post, it quickly > dawned on us that since Route Leaking essentially adds all > L1 routes from other PoP's into the L1 database in other > PoP's, and you turn off the ATT bit to gain optimality, the > point of running both L1 and L2 for scaling reasons quickly > becomes moot. I'm not questioning your decision, I'm just stating it for the archives and for everyone else who has to make this same decision at some point in the future: If you have to ask, just don't do it. I see way too many people trying to deploy areas with 10 router networks because they read somewhere that it was what they were supposed to do to scale, or because people saw it on an exam somewhere. -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From mtinka at globaltransit.net Mon Nov 9 01:32:11 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Mon, 9 Nov 2009 14:32:11 +0800 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <20091108113355.GD51443@gerbil.cluepon.net> References: <4AF21CA5.4050804@gmail.com> <200911081917.29547.mtinka@globaltransit.net> <20091108113355.GD51443@gerbil.cluepon.net> Message-ID: <200911091432.32320.mtinka@globaltransit.net> On Sunday 08 November 2009 07:33:55 pm Richard A Steenbergen wrote: > IMHO the rule of thumb for multiple areas in either ISIS > or OSPF is "if you have to ask whether you should use > them or not, the answer is you shouldn't". Their sensible > use is so vastly exaggerated in books and lab tests that > it isn't even funny. Speaking on my/our own behalf, there wouldn't be a doubt in our minds whether we needed the hierarchy or not. In our case, coming from OSPF where Areas were in vast use (different for each PoP, and we had quite a few), it made sense, at the time, to maintain a similar hierarchy in IS- IS, especially since what we wanted the most out of the migration was its "stretchy" property.
However, like I mentioned in an earlier post, it quickly dawned on us that since Route Leaking essentially adds all L1 routes from other PoP's into the L1 database in other PoP's, and you turn off the ATT bit to gain optimality, the point of running both L1 and L2 for scaling reasons quickly becomes moot. However, having already gone down that path, in actual practice - operationally - it makes very little difference (to us) and doesn't add any undue complexity or burden. Only our core routers are L1/L2 capable, and those are beasts that forward only on MPLS labels. Everything else, i.e., all devices within each PoP (edge, peering, upstream, route reflectors, RTBH routers, aggregation switches, e.t.c.), speaks L1-only. Cheers, Mark. From skoal at skoal.name Mon Nov 9 01:55:43 2009 From: skoal at skoal.name (Gergely Antal) Date: Mon, 09 Nov 2009 07:55:43 +0100 Subject: [c-nsp] 3750G vs. Nexus for a SAN In-Reply-To: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> Message-ID: <4AF7BCEF.20506@skoal.name> Did you look at the c2350 also? http://www.cisco.com/en/US/products/ps10116/index.html Brian Landers wrote: > I realize this is cisco-nsp, but does anyone have any opinions on the Force > 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long been > frustrated with Cisco's lack of a cost-effective "48 ports of gigE with a > 10ge uplink" switch. I don't really *need* a $12,000 layer 3 switch (or > two) at the top of every rack in my data center! > > > On Sun, Nov 8, 2009 at 6:49 AM, Andrew White wrote: > >> Any reason why you wouldn't go for fcoe on nexus 5k?
:) >> >> >> >> On Sat, Nov 7, 2009 at 6:26 AM, Jason Gurtz >> wrote: >>>> Not sure that you want to go with Nexus at this point. It's got some >>>> really nice features, however we keep running into code bugs . Not just >>>> stuff that's obscure and shows up in certain situations but real show- >>>> stoppers like being unable to form port-channels with HP blade servers. >>> Interesting assessment and sorry to hear about the microsoftish >>> experience. We're not intending to use blades (ESX Server 4 on a number >>> of HP DL380G6 is likely) and would like to do cross-box etherchannels for >>> redundancy. >>> >>> Jeff mentioned the 4948 of which the 10G version looks great since we're >>> wanting to mirror the san off-site over fiber. >>> >>> There's still a chance that fiber channel will happen though it looks >> like >>> that doesn't really make sense in this day and age. Here, vendors are >>> pushing the MDS9124 box. >>> >>> Thanks for the responses so far. >>> >>> ~JasonG
From mtinka at globaltransit.net Mon Nov 9 03:22:45 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 9 Nov 2009 16:22:45 +0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To:
References: <4AF21CA5.4050804@gmail.com> <200911081917.29547.mtinka@globaltransit.net>
Message-ID: <200911091622.50838.mtinka@globaltransit.net>

On Sunday 08 November 2009 08:10:05 pm Mikael Abrahamsson wrote:

> In order to detect loopbacks going away and using this to
> invalidate/remove next-hops quickly, you can't aggregate
> anyway.

My point exactly - the use of Route Leaking without the ATT bit nullifies the need for a multi-level IS-IS network for the sole purpose of scaling.

> Sorry, I have yet to hear someone describe an ISP network
> (designed as per ISP essentials, carry loopbacks in IGP
> and everything else in BGP), where IGP aggregation makes
> sense. If you have 10k routers in your IGP, well, you
> most likely did something wrong earlier in the process.

Completely agree with you, and I reiterate my statement in the paragraph above.

While this may apply specifically to MPLS-enabled environments, you might like to know (in case you don't already) that 'draft-swallow-mpls-aggregate-fec-01.txt' proposes an extension to LDP that would allow it to form an end-to-end LSP without the need to hold each and every routing entry for all routers in all routers, i.e., it permits the end-to-end LSP setup while also allowing IGP route summarization. Check out:

http://tools.ietf.org/id/draft-swallow-mpls-aggregate-fec-01.txt

But as mentioned, it only applies to MPLS environments. It sounds interesting but I'm not sure whether we'd be keen on a feature like this.

Given that we carry only infrastructure and Loopback addresses in IS-IS (and the fact that our routers are fairly CPU-able), we're not concerned about sacrificing scaling for optimality as it pertains to IGP route summarization, or lack thereof.

> Also, with modern processors and techniques such as
> partial tree recalculation in modern router OSes, I'm
> sure even 10k routers would be manageable in a single
> area.

Again, completely agree - and while I wouldn't want to start a "war of the protocols", I think IS-IS is better at this than OSPFv2, not only because of features such as iSPF, LSP Lifetime, PRC and SPF Delay, but also because unlike OSPFv2, IS-IS cleanly separates IP Reachability information from topology information, as distinct TLVs are used to encode both bits of information.

Because OSPFv2 carries IP Reachability information in Type 1 and Type 2 LSAs, it means changes in IP Reachability information only will initiate a potentially unnecessary update of the topology information as well, e.g., when all that has changed is the metric for a route, and not a failure of a link. In this case, PRC in OSPFv2 is relegated to Type 3, 4, 5 and 7 LSAs, and this starts to get into OSPF hierarchy (which is the issue under discussion at this point in this thread).

OSPFv3 has been fixed re: this limitation, as IP Reachability information and topology information has been encoded into separate data structures, much like IS-IS.

But coming back to why I think the L1 and L2 separation might come in handy, is if we decide to isolate a part of our network for one reason or another. Why, one might ask? For better or worse, we have a number of scenarios where deploying networks that should have nothing to do with the rest of our backbone are being considered (these are mostly business reasons, not technical - just to be clear, hehe).
In such a case, while the separation of L1 and L2 databases is not the driving factor for this, it becomes an unintentional enabling by-product of this structure.

Again, this probably isn't reason enough to do things this way (as mentioned to Richard in my previous post, our goal for migration was because IS-IS is "stretchy" and not because OSPF is eating up too much router CPU), but in our case, the operational difference between running the network in either mode is trivial.

Cheers,

Mark.

From eng_mssk at hotmail.com Mon Nov 9 04:22:46 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 9 Nov 2009 11:22:46 +0200
Subject: [c-nsp] overruns
Message-ID:

Hey all,

I have a Cisco 7606 connected to a WiMAX ASN GW via port channel. Now I have the following issue:

router#sh int po10 | inc overrun
     0 input errors, 0 CRC, 0 frame, 8032 overrun, 0 ignored
router#sh int po10 | inc ove
router#sh int po20 | inc overrun
     0 input errors, 0 CRC, 0 frame, 4305576 overrun, 0 ignored

router#sh run int po10
Building configuration...

Current configuration : 216 bytes
!
interface Port-channel10
 description CORE_VLAN to ASN Gateway
 switchport
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode access
 flowcontrol receive on
 flowcontrol send on
end

router#sh run int po20
Building configuration...

Current configuration : 215 bytes
!
interface Port-channel20
 description RAS-VLAN to ASN Gateway
 switchport
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport mode access
 flowcontrol receive on
 flowcontrol send on
end

router#sh int port-channel 10 etherchannel
Age of the Port-channel   = 284d:17h:52m:00s
Logical slot/port   = 14/1          Number of ports = 5
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     21     Gi3/3    On                 2
  1     42     Gi3/11   On                 2
  2     84     Gi3/19   On                 2
  3     08     Gi3/27   On                 1
  4     10     Gi3/35   On                 1

Time since last port bundled:    154d:01h:08m:46s    Gi3/35
Time since last port Un-bundled: 154d:01h:08m:50s    Gi3/35

router#sh int port-channel 20 etherchannel
Age of the Port-channel   = 284d:17h:52m:09s
Logical slot/port   = 14/2          Number of ports = 5
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     21     Gi3/4    On                 2
  1     42     Gi3/12   On                 2
  2     84     Gi3/20   On                 2
  3     08     Gi3/28   On                 1
  4     10     Gi3/36   On                 1

Time since last port bundled:    154d:00h:55m:38s    Gi3/36
Time since last port Un-bundled: 154d:00h:55m:41s    Gi3/36

Example of the interfaces:

CR1.KJ-Building#sh run int g3/36
Building configuration...

Current configuration : 284 bytes
!
interface GigabitEthernet3/36
 description RAS_VLAN (porrtchannel 20)
 switchport
 switchport access vlan 20
 switchport mode access
 no logging event link-status
 load-interval 30
 speed 1000
 duplex full
 flowcontrol receive on
 flowcontrol send on
 channel-group 20 mode on
end

CR1.KJ-Building#sh run int g3/35
Building configuration...

Current configuration : 300 bytes
!
interface GigabitEthernet3/35
 description CORE_VLAN to ASN Gateway (porrtchannel 10)
 switchport
 switchport access vlan 10
 switchport mode access
 no logging event link-status
 load-interval 30
 speed 1000
 duplex full
 flowcontrol receive on
 flowcontrol send on
 channel-group 10 mode on
end

And on the other router:

router#sh int po10 | inc overrun
     0 input errors, 0 CRC, 0 frame, 1643 overrun, 0 ignored
router#sh int po20 | inc overrun
     0 input errors, 0 CRC, 0 frame, 591813 overrun, 0 ignored

Can anyone help?

From gert at greenie.muc.de Mon Nov 9 04:24:00 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 9 Nov 2009 10:24:00 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <4AF7BCEF.20506@skoal.name>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name>
Message-ID: <20091109092400.GT163@greenie.muc.de>

Hi,

On Mon, Nov 09, 2009 at 07:55:43AM +0100, Gergely Antal wrote:
> Did you look at the c2350 also?
> http://www.cisco.com/en/US/products/ps10116/index.html

The data sheet sounds very nice indeed.

What I can't see from there is:

- does it support flow-control?
- how big and how flexible are its buffers? (as compared to 2950/2960/3750)
- is there a redundant power supply option?

gert

-- 
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From skoal at skoal.name Mon Nov 9 04:30:07 2009
From: skoal at skoal.name (Gergely Antal)
Date: Mon, 09 Nov 2009 10:30:07 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <20091109092400.GT163@greenie.muc.de>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <20091109092400.GT163@greenie.muc.de>
Message-ID: <4AF7E11F.1030409@skoal.name>

Gert Doering wrote:
> Hi,
>
> On Mon, Nov 09, 2009 at 07:55:43AM +0100, Gergely Antal wrote:
>> Did you look at the c2350 also?
>> http://www.cisco.com/en/US/products/ps10116/index.html
>
> The data sheet sounds very nice indeed.
>
> What I can't see from there is:
>
> - does it support flow-control?

sh int t0/1 flowcontrol
Port       Send FlowControl  Receive FlowControl  RxPause TxPause
           admin    oper     admin    oper
---------  -------- -------- -------- --------    ------- -------
Te0/1      Unsupp.  Unsupp.  off      off         0       0

> - how big and how flexible are its buffers?

How can I check this from cmd?

> (as compared to 2950/2960/3750)
> - is there a redundant power supply option?

It has redundant power supplies.

From gert at greenie.muc.de Mon Nov 9 04:42:52 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 9 Nov 2009 10:42:52 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <4AF7E11F.1030409@skoal.name>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <20091109092400.GT163@greenie.muc.de> <4AF7E11F.1030409@skoal.name>
Message-ID: <20091109094252.GU163@greenie.muc.de>

Hi,

On Mon, Nov 09, 2009 at 10:30:07AM +0100, Gergely Antal wrote:
> > On Mon, Nov 09, 2009 at 07:55:43AM +0100, Gergely Antal wrote:
> >> Did you look at the c2350 also?
> >> http://www.cisco.com/en/US/products/ps10116/index.html
> >
> > The data sheet sounds very nice indeed.
> >
> > What I can't see from there is:
> >
> > - does it support flow-control?
> sh int t0/1 flowcontrol
> Port       Send FlowControl  Receive FlowControl  RxPause TxPause
>            admin    oper     admin    oper
> ---------  -------- -------- -------- --------    ------- -------
> Te0/1      Unsupp.  Unsupp.  off      off         0       0

Hmmm. What about the Gig ports?

> > - how big and how flexible are its buffers?
> How can I check this from cmd?

I think you can't. At least on the other switches, I have not yet found a way to ask the device about its buffer details.

> > (as compared to 2950/2960/3750)
> > - is there a redundant power supply option?
> It has redundant power supplies.

It has? Cool. (That's not clearly visible from the data sheet).

gert

From skoal at skoal.name Mon Nov 9 04:51:49 2009
From: skoal at skoal.name (Gergely Antal)
Date: Mon, 09 Nov 2009 10:51:49 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <20091109094252.GU163@greenie.muc.de>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <20091109092400.GT163@greenie.muc.de> <4AF7E11F.1030409@skoal.name> <20091109094252.GU163@greenie.muc.de>
Message-ID: <4AF7E635.9010104@skoal.name>

Gert Doering wrote:
> Hi,
>
> On Mon, Nov 09, 2009 at 10:30:07AM +0100, Gergely Antal wrote:
>>> On Mon, Nov 09, 2009 at 07:55:43AM +0100, Gergely Antal wrote:
>>>> Did you look at the c2350 also?
>>>> http://www.cisco.com/en/US/products/ps10116/index.html
>>> The data sheet sounds very nice indeed.
>>>
>>> What I can't see from there is:
>>>
>>> - does it support flow-control?
>> sh int t0/1 flowcontrol
>> Port       Send FlowControl  Receive FlowControl  RxPause TxPause
>>            admin    oper     admin    oper
>> ---------  -------- -------- -------- --------    ------- -------
>> Te0/1      Unsupp.  Unsupp.  off      off         0       0
>
> Hmmm. What about the Gig ports?

The same.

>>> - how big and how flexible are its buffers?
>> How can I check this from cmd?
>
> I think you can't. At least on the other switches, I have not yet found
> a way to ask the device about its buffer details.
>
>>> (as compared to 2950/2960/3750)
>>> - is there a redundant power supply option?
>> It has redundant power supplies.
>
> It has? Cool. (That's not clearly visible from the data sheet).

Sorry, I was misleading you. It has modular power and fan trays, but it's not redundant.
From mvanton at gmail.com Mon Nov 9 05:56:18 2009
From: mvanton at gmail.com (vince anton)
Date: Mon, 9 Nov 2009 11:56:18 +0100
Subject: [c-nsp] 7600 for ip transit uplink
Message-ID: <87e0d3ae0911090256q505fd15do217eb55976d6b8d3@mail.gmail.com>

Hi All,

I'm looking at using a 7600 to terminate a 10GE uplink for IP transit to my upstream. No BGP full table yet, just a default route.

I will be using a 6704 to connect the 7600 to my core, of course also using 10GE links.

The question I have is regarding which interface to use to connect to the upstream. Although using another of the ports on the 6704 would work for this, I'm not entirely convinced about it vs. using, say, a SIP-600, which is possibly more appropriate? Is the 6704 port something I should not consider at all for the upstream link?

I'd like to hear from people as to what they are doing in their networks to evaluate pros and cons.

I'm aware that the 6704 is a LAN card, as opposed to using a SIP-600 which is intended for WAN and offers deeper buffers, shaping etc... but the price difference is enormous!

thanks
anton

From gert at greenie.muc.de Mon Nov 9 06:44:55 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 9 Nov 2009 12:44:55 +0100
Subject: [c-nsp] 7600 for ip transit uplink
In-Reply-To: <87e0d3ae0911090256q505fd15do217eb55976d6b8d3@mail.gmail.com>
References: <87e0d3ae0911090256q505fd15do217eb55976d6b8d3@mail.gmail.com>
Message-ID: <20091109114455.GW163@greenie.muc.de>

Hi,

On Mon, Nov 09, 2009 at 11:56:18AM +0100, vince anton wrote:
> I'm looking at using a 7600 to terminate a 10GE uplink for IP transit to my
> upstream. No BGP full table yet, just a default route.
>
> I will be using a 6704 to connect the 7600 to my core, of course also using
> 10GE links.

We're using 6704 and 6708 to terminate uplinks, and they do the job nicely.

BUT: we have plenty of bandwidth available, so we have no need for QoS or deep buffers or anything more fancy offered by the SIP or ES cards.

> I'm aware that the 6704 is a LAN card, as opposed to using a SIP-600 which is
> intended for WAN and offers deeper buffers, shaping etc... but the price
> difference is enormous!

Yes. Our design choice was "for the total amount of money we have, just get more bandwidth".

gert

From florent.paratte at gmail.com Mon Nov 9 06:54:53 2009
From: florent.paratte at gmail.com (Florent PARATTE (G))
Date: Mon, 9 Nov 2009 12:54:53 +0100
Subject: [c-nsp] 7200 Queuing
Message-ID:

Hello,

I would like some clarification on default queuing on 7200 routers.

Here is my test topology:

PC -----100Mbps------ Switch ------100Mbps------- Router ------10Mbps------ Switch ------100Mbps----- LAN

There is no QoS configured on the equipment.

There is a softphone on the PC and a flooding tool. There is an Asterisk server on the LAN which is displaying information about calls.

Packets from the PC are not marked. Packets from Asterisk are marked (SIP: CS3, RTP: EF).

Here is my test sequence: I flood at 30Mbps from the PC to an IP on the LAN. I call, from the PC, a phone on the LAN.

Here is my problem: I have packet loss on the LAN side router interface, but there is no RTP packet loss!

In the "show interface e2/0" command output, the queuing strategy is FIFO.

In the "show queue interface e2/0" command output, it is written that this command is not used with the FIFO strategy.

I made a lot of tests; the priority depends on neither the Layer 4 header (UDP or TCP, ports) nor the CoS field.
So I imagine it may have a WFQ algorithm as queuing, but...

So my question is: is there some default queuing management on Cisco 7200 router interfaces that is not displayed?

Thank you in advance,

Florent Paratte

From rwest at zyedge.com Mon Nov 9 08:57:55 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 9 Nov 2009 08:57:55 -0500
Subject: [c-nsp] 7200 Queuing
In-Reply-To:
References:
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17B56@zy-ex1.zyedge.local>

Hi,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Florent PARATTE (G)
> Sent: Monday, November 09, 2009 6:55 AM
>
> In the "show interface e2/0" command output, the queuing strategy is
> FIFO.
>
> In the "show queue interface e2/0" command output, it is written that this
> command is not used with the FIFO strategy.
>
> I made a lot of tests; the priority depends on neither the Layer 4
> header (UDP or TCP, ports) nor the CoS field. So I imagine it may have
> a WFQ algorithm as queuing, but...
>

FIFO is the default for your Ethernet interfaces. You should look into LLQ to prioritize your voice traffic and allocate some bandwidth for signaling on the 7200. Once you get your MQC policy set up, you can enable fair-queue or WRED for your remaining traffic.

If you know that you haven't enabled QoS on your switches yet, the tags should carry to your router. If you have enabled QoS, you'll need to trust the markings from your voice equipment and routers. You can verify this quickly by matching what you're expecting to see on the inbound interface of your router.

HTH,

-ryan

From brian at bluecoat93.org Mon Nov 9 09:05:34 2009
From: brian at bluecoat93.org (Brian Landers)
Date: Mon, 9 Nov 2009 09:05:34 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <4AF7BCEF.20506@skoal.name>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name>
Message-ID: <689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com>

On Mon, Nov 9, 2009 at 1:55 AM, Gergely Antal wrote:

> Did you look at the c2350 also?
> http://www.cisco.com/en/US/products/ps10116/index.html
>

Very interesting, indeed. Would be nice to see a PoE version as well (to compete with the Force10 S50V), but as it seems to be positioned specifically as a data center switch, that doesn't seem likely. Doesn't appear to be in the pricing tool yet, though?

-- 
Brian C Landers
http://www.packetslave.com/
CCIE #23115

From lists at hojmark.org Mon Nov 9 09:30:50 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Mon, 09 Nov 2009 15:30:50 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com>
Message-ID: <1r9gf5drp3n1c2odkcn4f473thtpg38ujl@hojmark.net>

On Mon, 9 Nov 2009 09:05:34 -0500, you wrote:

> [Cat 2350G] Doesn't appear to be in the pricing tool yet, though?

Every order goes on NPH and needs to go through the BU for approval. Pricing is 'known, but not public'.

-A

From florent.paratte at gmail.com Mon Nov 9 09:46:57 2009
From: florent.paratte at gmail.com (Florent PARATTE (G))
Date: Mon, 9 Nov 2009 15:46:57 +0100
Subject: [c-nsp] 7200 Queuing
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17B56@zy-ex1.zyedge.local>
References: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17B56@zy-ex1.zyedge.local>
Message-ID:

Thank you for your answer.
Sorry, I forgot to say what I was trying to do: I know how to configure QoS settings, but before applying them I would like to have congestion, and so RTP packet loss, to see "before/after" results.

But my problem is here. I'm not able to get RTP packet loss, even with the topology described just before.

Normally, with this test topology, I should have RTP packet loss, is that right?

From petelists at templin.org Mon Nov 9 10:45:28 2009
From: petelists at templin.org (Pete Templin)
Date: Mon, 09 Nov 2009 07:45:28 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <20091109072346.GK51443@gerbil.cluepon.net>
References: <4AF21CA5.4050804@gmail.com> <200911081917.29547.mtinka@globaltransit.net> <20091108113355.GD51443@gerbil.cluepon.net> <200911091432.32320.mtinka@globaltransit.net> <20091109072346.GK51443@gerbil.cluepon.net>
Message-ID: <4AF83918.9010505@templin.org>

Richard A Steenbergen wrote:
> I'm not questioning your decision, I'm just stating it for the archives
> and for everyone else who has to make this same decision at some point
> in the future: If you have to ask, just don't do it. I see way too many
> people trying to deploy areas with 10 router networks because they read
> somewhere that it was what they were supposed to do to scale, or because
> people saw it on an exam somewhere.

+1. I've recently finished a complete overhaul of a 14-router 5-POP network that had 6 areas (one for each POP), and had area 0 split into two independent areas 0. Access routers in any POP had no idea that access routers existed in other POPs, etc.

pt

From jasongurtz at npumail.com Mon Nov 9 12:02:10 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Mon, 9 Nov 2009 12:02:10 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
Message-ID:

> Any reason why you wouldn't go for fcoe on nexus 5k? :)

It does look like that is what the box is really for. To answer the question, it all depends on what SAN goes in. A lot of the newer stuff with better value is iSCSI only and eschews FC in any form.

Maybe a better question to ask is how does the Nexus 5k fare against a 49xx switch doing iSCSI?
~JasonG

From jasongurtz at npumail.com Mon Nov 9 11:59:56 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Mon, 9 Nov 2009 11:59:56 -0500
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
Message-ID:

> I realize this is cisco-nsp, but does anyone have any opinions on the
> Force 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long been
> frustrated with Cisco's lack of a cost-effective "48 ports of gigE with a
> 10ge uplink" switch. I don't really *need* a $12,000 layer 3 switch (or
> two) at the top of every rack in my data center!

Another thing we found when considering 1G w/ 10G uplinks and value is the Fujitsu XG0448.

~JasonG

From psirt at cisco.com Mon Nov 9 12:30:03 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Mon, 9 Nov 2009 12:30:03 -0500
Subject: [c-nsp] Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability
Message-ID: <200911091210.tls@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability

Advisory ID: cisco-sa-20091109-tls

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Revision 1.0

For Public Release 2009 November 9 1600 UTC (GMT)

Summary
=======

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.

Affected Products
=================

Cisco is currently evaluating products for possible exposure to these TLS issues.
Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this advisory when a final determination about product exposure is made. Products that are not listed in either of these two sections are still being evaluated.

Vulnerable Products
-------------------

This section will be updated when more information is available.

Products Confirmed Not Vulnerable
---------------------------------

The following products are confirmed not vulnerable:

  * Cisco AnyConnect VPN Client

This section will be updated when more information is available.

Details
=======

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet.

An industry-wide vulnerability exists in the TLS protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

The following Cisco Bug IDs are being used to track potential exposure to the SSL and TLS issues. The bugs listed below do not confirm that a product is vulnerable, but rather that the product is under investigation by the appropriate product teams.
Registered Cisco customers can view these bugs via Cisco's Bug Toolkit:

http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl

Bug ID      Product
----------  ------------------------------------------------------------------------
CSCtd01491  Cisco Adaptive Security Device Manager (ASDM)
CSCtd01646  Cisco AON Software
CSCtd01652  Cisco AON Healthcare for HIPAA and ePrescription
CSCtd01529  Cisco Application and Content Networking System (ACNS) Software
CSCtd01480  Cisco Application Networking Manager
CSCtd00697  Cisco ASA 5500 Series Adaptive Security Appliances
CSCtd01539  Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module
CSCtd01566  Cisco AVS 3100 Series Application Velocity System
CSCtd06389  Cisco Catalyst 6500 Series SSL Services Module
CSCtd04061  Firewall Services Module FWSM
CSCtd01636  Cisco CSS 11000 Series Content Services Switches
CSCtd01446  Cisco Unified SIP Phones
CSCtd02635  Cisco Data Center Network Manager
CSCtd02642  Cisco Data Mobility Manager
CSCtd01703  Cisco Digital Media Encoders
CSCtd01692  Cisco Digital Media Manager
CSCtd01718  Cisco Digital Media Players
CSCtd02650  Cisco Emergency Responder
CSCtd00658  Cisco IOS Software
CSCtd00658  Cisco IOS XE Software
CSCtd02658  Cisco IOS XR Software
CSCtd02662  Cisco IP Communicator
CSCtd00662  CATOS
CSCtd02069  Cisco IronPort Appliances
CSCtd02709  Cisco Unified MeetingPlace
CSCtd01453  Cisco NAC Appliance (Clean Access)
CSCtd01462  Cisco NAC Guest Server
CSCtd02716  Cisco NAC Profiler
CSCtd02729  Cisco Network Analysis Module Software (NAM)
CSCtd02748  Cisco Network Registrar
CSCtd02769  Cisco ONS 15500 Series
CSCtd02777  Cisco Physical Access Gateways
CSCtd03912  Cisco Physical Access Manager
CSCtd03920  Cisco Physical Security ISM
CSCtd03923  Cisco QoS Device Manager
CSCtd00725  Cisco Secure Access Control Server (ACS)
CSCtd03928  Cisco Secure Desktop
CSCtd03935  Cisco Secure Services Client
CSCtd02689  Cisco Security Agent CSA
CSCtd02654  Cisco Security Monitoring, Analysis and Response System (MARS)
CSCtd04121  Cisco Unified IP Phones
CSCtd04171  Cisco Service Control Subscriber Manager
CSCtd01771  Cisco TelePresence Manager
CSCtd01752  Telepresence for Consumer
CSCtd01742  Cisco TelePresence Recording Server
CSCtd04198  Cisco Network Asset Collector
CSCtd01282  Cisco Unified Communications Manager (CallManager)
CSCtd05731  Cisco Unified Business Attendant Console
CSCtd05790  Cisco Unified Contact Center Enterprise
CSCtd05790  Cisco Unified Contact Center Express
CSCtd05755  Cisco Unified Contact Center Management Portal
CSCtd05790  Cisco Unified Contact Center Products
CSCtd05733  Cisco Unified Department Attendant Console
CSCtd05756  Cisco Unified E-Mail Interaction Manager
CSCtd05735  Cisco Unified Enterprise Attendant Console
CSCtd05762  Cisco Unified Mobile Communicator
CSCtd05786  Cisco Unified Mobility
CSCtd05783  Cisco Unified Mobility Advantage
CSCtd05784  Cisco Unified Operations Manager
CSCtd05759  Cisco Unified Personal Communicator
CSCtd05791  Cisco Unified Presence
CSCtd05777  Cisco Unified Provisioning Manager
CSCtd05738  Cisco Unified Quick Connect
CSCtd05780  Cisco Unified Service Monitor
|----------------------------+-------------------------------| | Cisco Unified Service | CStCd05778 | | Statistics Manager | | |----------------------------+-------------------------------| | Cisco Unified SIP Proxy | CSCtd05765 | | | | |----------------------------+-------------------------------| | Cisco Unity | CSCtd02855 | | | | |----------------------------+-------------------------------| | Cisco NX-OS Software | CSCtd00699 and CSCtd00703 | | | | |----------------------------+-------------------------------| | Cisco Video Portal | CSCtd04097 | | | | |----------------------------+-------------------------------| | Cisco Video Surveillance | CSCtd02831 | | Media Server Software | | |----------------------------+-------------------------------| | Cisco Video Surveillance | CSCtd02780 | | Operations Manager | | | Software | | |----------------------------+-------------------------------| | Cisco Wide Area File | CSCtd04106 | | Services Software (WAFS) | | |----------------------------+-------------------------------| | Cisco Wireless Control | CSCtd01625 | | System | | |----------------------------+-------------------------------| | Cisco Wireless LAN | CSCtd01611 | | Controller (WLAN) | | |----------------------------+-------------------------------| | Cisco Wireless Location | CSCtd04115 | | Appliance | | |----------------------------+-------------------------------| | CiscoWorks Common Services | CSCtd01597 | | Software | | |----------------------------+-------------------------------| | CiscoWorks Wireless LAN | CSCtd04111 | | Solution Engine (WLSE) | | +------------------------------------------------------------+ This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-3555. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). 
The CVSS scoring in this Security Advisory is done in accordance with
CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* TLS Renegotiation Vulnerability (all Cisco Bugs above)

CVSS Base Score - 4.3
    Access Vector           - Network
    Access Complexity       - Medium
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - Partial
    Availability Impact     - None

CVSS Temporal Score - 4.1
    Exploitability          - Functional
    Remediation Level       - Unavailable
    Report Confidence       - Confirmed

Impact
======

This section will be updated when more information is available.

Software Versions and Fixes
===========================

This section will be updated to include fixed software versions for
affected Cisco products as they become available.

Workarounds
===========

Workarounds are being investigated. This section will be updated when
more information becomes available.

Obtaining Fixed Software
========================

Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they
have purchased.
By installing, downloading, accessing or otherwise using such software
upgrades, customers agree to be bound by the terms of Cisco's software
license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for
software upgrades.

Customers with Service Contracts
--------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
-------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
-----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should acquire upgrades by contacting the Cisco Technical
Assistance Center (TAC).
TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

This vulnerability was initially discovered by Marsh Ray and Steve
Dispensa from PhoneFactor, Inc.

Cisco is not aware of any malicious exploitation of this vulnerability.
Proof-of-concept exploit code has been published for this
vulnerability.

Status of this Notice: INTERIM
==============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0  | 2009-November-9  | Initial public release   |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Nov 09, 2009                                Document ID: 111046

From sethm at rollernet.us Mon Nov 9 12:37:48 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 09 Nov 2009 09:37:48 -0800
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
	<689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
Message-ID: <4AF8536C.4090300@rollernet.us>

Brian Landers wrote:
> I realize this is cisco-nsp, but does anyone have any opinions on the Force
> 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long been
> frustrated with Cisco's lack of a cost-effective "48 ports of gigE with a
> 10ge uplink" switch. I don't really *need* a $12,000 layer 3 switch (or
> two) at the top of every rack in my data center!
>

A HP ProCurve 6600-48G-4XG is a bit less and has 4x 10 gig and 48x
10/100/1000 ports. And they actually tell you the packet buffer size in
their spec sheets. Never used this model personally though, but I have
some other HP switches and I've been happy with them. The price
difference and functional equivalence (for my needs) are such that I'd
seriously consider HP if they had complete IPv6 support. Cisco-nsp seems
to be the most active list of the *-nsp and having this list as a
resource is valuable.

~Seth

From jared.a.gillis at gmail.com Mon Nov 9 12:51:40 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Mon, 09 Nov 2009 09:51:40 -0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To:
References: <4AF21CA5.4050804@gmail.com>
	<200911081520.34864.mtinka@globaltransit.net>
	<200911081917.29547.mtinka@globaltransit.net>
Message-ID: <4AF856AC.5070805@gmail.com>

Mikael Abrahamsson wrote:
> In order to detect loopbacks going away and using this to
> invalidate/remove next-hops quickly, you can't aggregate anyway.
>
> Sorry, I have yet to hear someone describe an ISP network (designed as
> per ISP essentials, carry loopbacks in IGP and everything else in BGP),
> where IGP aggregation makes sense. If you have 10k routers in your IGP,
> well, you most likely did something wrong earlier in the process.
>
> Also, with modern processors and techniques such as partial tree
> recalculation in modern router OSes, I'm sure even 10k routers would be
> manageable in a single area.

While I agree with these statements, our issue is not tree
recalculation/convergence. Our issue and driving need for IS-IS
multiarea is the fact that we have 3750ME's which can only hold ~2k
routes in the TCAM in our IS-IS domain, and we'll very rapidly exhaust
the TCAM unless we can do route summarization (i.e. upstream L2's send
default/ATT only).

-Jared

From Michael.Balasko at cityofhenderson.com Mon Nov 9 12:56:07 2009
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Mon, 9 Nov 2009 09:56:07 -0800
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com>
	<689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com>
Message-ID: <9AF22D15085E7D409ED5710CBC779E930A3194@COHNTCS09.ci.henderson.nv.us>

I too can vouch for the 5K's not being ready for prime time. Here is a
short list of the "advanced" features we are trying to use:

- Disable the HTTP/HTTPS server onboard
- NTP Authentication
- ACL's for SNMP access
- VTY ACL's
- VTP passthrough - VTP packets WILL NOT pass through this switch.

Please save the "VTY argument is bad" for someone else.

As far as the Cisco litmus test of "it forwards packets so it's working
as designed" it operates fine, but until the above mentioned issues are
fixed, we can't in good conscience roll them into production to find
the real bugs. We have piles of TAC cases open for this and we have
screamed loud enough to be in direct contact with the 5K business unit
product manager. The official answer is hurry up and wait. In order to
fix these Cisco bugs we bought a pair of Brocade Turboiron 24's which
are now our only non-Cisco piece of kit out of over 400 devices.
All that being said, we bought the 5K's to do 10G distribution for our
core so your mileage may vary depending on needs. If it were done again
right this second, I'd look at Arista Networks. We demo'd their gear way
back and were impressed with the support folks and the willingness to
respond to issues by cutting code instead of providing a workaround of
"none" or "don't use that feature". They couldn't do RPVST+ at the time
and that's why we looked elsewhere. They say to do it today and based on
some of the folks I know work there I'm inclined to believe them.

Mike

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Landers
Sent: Sunday, November 08, 2009 7:34 AM
To: Andrew White
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN

I realize this is cisco-nsp, but does anyone have any opinions on the
Force 10 S-series for top-of-rack? Especially for iSCSI SAN. I've long
been frustrated with Cisco's lack of a cost-effective "48 ports of gigE
with a 10ge uplink" switch. I don't really *need* a $12,000 layer 3
switch (or two) at the top of every rack in my data center!

On Sun, Nov 8, 2009 at 6:49 AM, Andrew White wrote:

> Any reason why you wouldn't go for fcoe on nexus 5k? :)
>
>
>
> On Sat, Nov 7, 2009 at 6:26 AM, Jason Gurtz
> wrote:
>
> >> Not sure that you want to go with Nexus at this point. It's got some
> >> really nice features, however we keep running into code bugs. Not just
> >> stuff that's obscure and shows up in certain situations but real show-
> >> stoppers like being unable to form port-channels with HP blade servers.

From peter at rathlev.dk Mon Nov 9 13:09:26 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 09 Nov 2009 19:09:26 +0100
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
Message-ID: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk>

Pardon my ignorance, but we've recently inherited a bunch of
WS-CBS3012-IBM-I bladecenter switches, and I can't really grasp the
management interface concept.

All our other bladecenter switches are CIGESM with a regular interface
Vlan marked as "management-interface", and even though I don't like
this at least it works.

These CBS-switches have no "management-interface" commands; the IP
address assigned from the bladecenter management module ("AMM") sticks
to a "Fa0" interface, not what I intend to use for management (Vlan2).
We have no problem configuring "inband" management as such, but every
time someone edits and saves the AMM configuration the default-gateway
is overwritten. I know of "protected mode" but the paperwork involved
in getting permission to enable this means I'm looking at alternatives.

We can't configure the AMM interface with the real default gateway
since this address is outside the Fa0-assigned net.

Is there some way of bridging the Fa0 interface with a specific VLAN?
Or another way of making this work?

What exactly is "Fa0" and where would I insert a cable into this port?
It doesn't seem to exist physically on the front of the module.

(I tried reading the "Getting Started" guide and the chapter regarding
management in the "Configuration Guide" but either I'm blind or they're
targeted at server people.)

Thank you.

--
Peter

From peter at rathlev.dk Mon Nov 9 13:17:33 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 09 Nov 2009 19:17:33 +0100
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
In-Reply-To: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk>
References: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk>
Message-ID: <1257790653.9387.13.camel@abehat.dyn.net.rm.dk>

On Mon, 2009-11-09 at 19:09 +0100, Peter Rathlev wrote:
> What exactly is "Fa0" and where would I insert a cable into this port?
> It doesn't seem to exist physically on the front of the module.

Hmm... it seems that the bladecenter management interface actually
carries this traffic, i.e. the switch management is the same VLAN as I
place the Bladecenter AMM in.

Is there any way around this? I don't like placing server stuff (like
the AMM) together with my switches. :-)

--
Peter

From jimmi at netpoint.com.br Mon Nov 9 13:07:57 2009
From: jimmi at netpoint.com.br (jimmi)
Date: Mon, 9 Nov 2009 15:07:57 -0300
Subject: [c-nsp] MPLS Multi-AS options...
In-Reply-To: <200911071534.30804.mtinka@globaltransit.net>
References: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>
	<200911071534.30804.mtinka@globaltransit.net>
Message-ID: <20091109180657.M51920@netpoint.com.br>

Folks.

I read these papers a long time ago, so I do not remember anymore
exactly what these option labels (A, B, AB, ...) mean.

What I can tell you guys is that I operate a network which has an
Inter-AS peering where we exchange IPv4 & VPNv4 prefixes and traffic
while maintaining QoS services compatibility at both sides (ASs) for a
long time, and customers whose VPNs have sites serviced by both ASs
have their QoS requirements honored at both ASs' backbones and last
mile connections.

I already had real "Inter-AS + QoS compatibility" experience with Cisco
being the only platform, and where Cisco interoperates with (two)
different vendors, and that worked just fine.

This deployment, where you just had to establish a single eBGP peering
at the VPNv4 address-family to exchange VPNv4 prefixes and traffic (of
course you may exchange IPv4 also, and may establish redundant
peerings), brings lots of benefits. It does not impact your ASBR
resources, reduces the number of connections between ASBRs & routing
gets simplified, allows oversubscription between ASBRs, and does not
require you to act at the borders (ASBRs) each time a "site" is added
or removed from a customer VPN (regardless of where this site is
connected).

[]s.
Jimmi.
---------- Original Message -----------
From: Mark Tinka
To: cisco-nsp at puck.nether.net
Sent: Sat, 7 Nov 2009 15:34:29 +0800
Subject: Re: [c-nsp] MPLS Multi-AS options...

> On Friday 06 November 2009 03:40:57 am Kenny Sallee wrote:
>
> > I'm wondering if anyone is actually doing any flavor of
> > Multi-AS backbone this in the real world? Option A
> > doesn't seem scalable at all. Option B seems scalable,
> > but the level of trust and lack of QoS may be a concern.
> > Option AB - I'm trying to fully understand w/o a ton of
> > lab time. As I read the first Cisco link above, with
> > Option AB - you must configure a sub-interface PER
> > VPN/Client in its own VRF on each SP's ASBR. So if you
> > have 100 different customers, on that interconnect
> > between SP1 and SP2 you must configure 100
> > sub-interfaces, VRF's with unique (agreed upon) RD's.
> > Then you configure a single MP-BGP session to carry the
> > VPNv4 addresses for all VRF's. So really you are only
> > saving X number of BGP sessions with Option AB compared
> > to say just Option A correct?
>
> Yes, the difference between Option AB (a.k.a Option D) and
> Option A or Option B is that with Option AB, only a single
> eBGP session between the ASBR's is required. Furthermore,
> while forwarding can be based on MPLS, IP forwarding is also
> supported, which preserves QoS values that can be used for
> processing across the ASBR<=>ASBR link.
>
> My suggestion; for any NNI option you choose, it should go a
> long way in making your life easy, i.e., you don't have to
> create a sub-interface for each customer VPN, you don't have
> to create an eBGP session for each customer VPN.
>
> While Option AB is in an IETF draft state, I only know of
> Cisco being the only vendor implementing it (there could be
> others, though - I haven't researched beyond the vendors we
> use in production). However, some of the other vendors are
> able to implement the methods Option AB uses to operate, but
> in such a manner that it may not necessarily be compatible
> to Cisco's, or if it is, implementing it may not be as
> scalable, requiring that a number of boxes in the end-to-end
> VPN connection be touched for co-ordination.
>
> Personally, I think Option AB is rather complicated in its
> design, but based on Cisco's implementation, a lot of that
> complexity is hidden from the operators, with the routers
> doing all that automatically. It is an interesting option,
> but the need to configure a sub-interface for each VPN
> leaves a strange taste in my mouth.
>
> One of the other vendors we're working with is able to
> implement Option B + IP processing, which is cool because we
> maintain a single interface for all VPN's, and a single eBGP
> session for all VPN's, without losing the ability to do QoS.
> Still checking with Cisco whether they can do this.
>
> Things get a lot more interesting when you try to inter-op
> NNI relationships. If Cisco can't do Option B + IP
> processing, it may make sense for us to have both a Cisco
> and non-Cisco NNI router at each NNI site in order to have
> smooth NNI relationships depending on what platforms our
> partners can support. Of course, we can only support two
> platforms, so work becomes trickier if our NNI partner
> brings along an unsupported device - but, it won't be the
> end of the world :-).
>
> Things get a lot more interesting if you want to NNI for
> l2vpn/VPLS services.
>
> Cheers,
>
> Mark.
------- End of Original Message -------

From tin.nguyen at sasktel.net Mon Nov 9 15:27:25 2009
From: tin.nguyen at sasktel.net (Tin Nguyen)
Date: Mon, 09 Nov 2009 14:27:25 -0600
Subject: [c-nsp] Experience with CRS-1 FP-40?
Message-ID: <6c566cc2ee93.4af826cd@sasktel.net>

Hello all,

I am looking to learn of any good or bad deployment experience with the
new Cisco CRS-1 FP-40 module.
Besides the limitations outlined in Cisco's datasheet (less pps and
fewer QoS queues than the MSC-40), are there any other gotchas that you
have found in testing or deployment?

Thank you for sharing your experiences in this matter,

Tin

From kilobit at gmail.com Mon Nov 9 15:46:55 2009
From: kilobit at gmail.com (bas)
Date: Mon, 9 Nov 2009 21:46:55 +0100
Subject: [c-nsp] Upgrade to XR-IOS 3.8.1
In-Reply-To: <480dad640911081929h1cd625ccueedf1c058f7b38ae@mail.gmail.com>
References: <480dad640911081622j7afe120cs4ab668589e3dc062@mail.gmail.com>
	<480dad640911081929h1cd625ccueedf1c058f7b38ae@mail.gmail.com>
Message-ID:

On Mon, Nov 9, 2009 at 4:29 AM, Aaron wrote:
> Yeah. ISSU isn't where it should be. Some SMU's require a reload depending on
> what components are touched.

Out of the last 20 SMU's for 3.6.2 only 11 were non traffic impacting.
(for us)

http://marc.info/?l=cisco-nsp&m=125508819921150&w=2

From kenny.sallee at gmail.com Mon Nov 9 16:57:19 2009
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Mon, 9 Nov 2009 13:57:19 -0800
Subject: [c-nsp] MPLS Multi-AS options...
In-Reply-To: <20091109180657.M51920@netpoint.com.br>
References: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com>
	<200911071534.30804.mtinka@globaltransit.net>
	<20091109180657.M51920@netpoint.com.br>
Message-ID: <4a80ecce0911091357l3879e60bk5153056c3c0c1096@mail.gmail.com>

Hi Jimmi - thanks for sharing - some comments / questions inline below

On Mon, Nov 9, 2009 at 10:07 AM, jimmi wrote:

>
> Folks.
>
> I read these papers long time ago, so I do not remember anymore exactly
> what
> this options labels (A, B, AB,...) definition means.
>

Quick recap for you:

Option A = back to back VRF's via sub-interfaces and BGP peering PER
VRF (lots of resources)

Option B = exchange of VPN-IPv4 addresses and agreement on RT's and
label switched path from ingress PE to egress PE routers

Option AB (aka option D as I've learned): VRF's and sub-interface per
client and a single eBGP session to carry VPN-IPv4 addresses

>
> What I can tell you guys is that I operate a network which has a Inter-AS
> peering were we exchange IPv4 & VPNv4 prefixes and traffic while
> maintaining
> QoS services compability at both sides (ASs) for long time, and customers
> which VPNs have sites serviced by both ASs have their QoS requirements
> honored
> at both ASs Backbones and last mile connections.
>

Sounds like you are doing option B?

>
> I already had real "Inter-AS + QoS compatibility" experience with Cisco
> being
> the only platform, and where Cisco interoperate with (two) different
> vendors,
> and that worked just fine.
>

On your ASBR - do you have to create VRF's for every customer that
crosses the ASBR? Do you mind sharing the relevant parts of your
configuration (sanitized of course) if possible?

>
> This deployment where you just had to establish a single eBGP peering at
> VPNv4
> address-family to exchange VPNv4 prefixes and traffic (of course you may
> exchange IPv4 also, and may establish redundant peerings) brings lots of
> benefits. It does not impact at your ASBR resources, reduces the number of
> connections between ASBRs & routing gets simplified, allows
> oversubscription
> between ASBRs, does not require your to act at the borders (ASBRs) each
> time a
> "site" is added or removed from a customer VPN (despite where this site is
> connected).
>

That's interesting actually - sounds pretty straightforward. So far it
seems like some overseas operators are actually doing this or
contemplating doing it. Anyone in the continental US researching and/or
implemented (ing) either of the options?
Kenny > > > > From egirard at focustsi.com Mon Nov 9 17:29:42 2009 From: egirard at focustsi.com (Eric Girard) Date: Mon, 9 Nov 2009 17:29:42 -0500 Subject: [c-nsp] Catalyst Blade Switch 3012 inband management? In-Reply-To: <1257790653.9387.13.camel@abehat.dyn.net.rm.dk> References: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk> <1257790653.9387.13.camel@abehat.dyn.net.rm.dk> Message-ID: Peter, I'm not familiar with the IBM, but when I deploy the 3x20 for the HP chassis, I just disable to the Fa0 port to cut it off from the HP Onboard Administrator, and then proceed to configure it as a 'regular' switch with a management VLAN that comes in on the regular uplinks to the rest of the network. Hope that helps. Eric -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev Sent: Monday, November 09, 2009 1:18 PM To: cisco-nsp Subject: Re: [c-nsp] Catalyst Blade Switch 3012 inband management? On Mon, 2009-11-09 at 19:09 +0100, Peter Rathlev wrote: > What exactly is "Fa0" and where would I insert a cable into this port? > It doesn't seem to exist physically on the front of the module. Hmm... it seems that the bladecenter management interface actually carries this traffic, i.e. the switch management is the same VLAN as I place the Bladecenter AMM in. Is there any way around this? I don't like placing server stuff (like the AMM) together with my switches. 
:-)

--
Peter

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From andy.saykao at staff.netspace.net.au Mon Nov 9 17:53:42 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 10 Nov 2009 09:53:42 +1100
Subject: [c-nsp] Troubelshooting Output Drops on 7301
References: <56F211C5E3F24F47B103EA1B253822BE044AAEEF@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAEF5@vic-cr-ex1.staff.netspace.net.au>

Hi All,

Is it bad to change the hold-queue from its default of 40 on the Cisco 7301? I came across this article which isn't specific to the 7301, but in the article they recommended changing the hold-queue on a 1G interface to "hold-queue 1024 out".

http://fasterdata.es.net/cisco.html

Once I set the interface with a "hold-queue 1024 out", it seems the output drops have decreased significantly. Prior to doing this I was seeing a lot of output drops, and doing a show int would always show the output drop counter increasing. They seem to have stopped with increasing the hold-queue.

Are there any advantages or disadvantages to tampering with the hold queue in terms of it having any performance or load implications?

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.
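The trade-off behind the hold-queue question above (drops versus the latency a deeper queue can add) is easier to judge with numbers from the box. The script below is an added example, not code from the thread or from Cisco: it parses two captures of IOS "show interfaces" output, reports how fast the cumulative output-drop and overrun counters are growing, and estimates the worst-case queueing delay for a given "hold-queue N out". The sample output, the interface name and the counter values are constructed for the example; the delay estimate assumes a queue full of MTU-sized packets drained at the interface's configured BW.

```python
"""Added example, not from the mailing-list thread: parse two captures of
Cisco IOS 'show interfaces' output, report the growth rate of the cumulative
output-drop and overrun counters, and estimate the worst-case queueing delay
a given 'hold-queue N out' can add. Sample output and values are constructed."""
import re
from dataclasses import dataclass

# Constructed sample: the same 1 GE interface captured 300 s apart, before and
# after 'hold-queue 1024 out' was applied. Only the lines parsed here are shown.
SAMPLE_T0 = """\
GigabitEthernet0/0 is up, line protocol is up
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 48120
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
     0 input errors, 0 CRC, 0 frame, 8032 overrun, 0 ignored
"""
SAMPLE_T1 = (SAMPLE_T0
             .replace("Total output drops: 48120", "Total output drops: 48420")
             .replace("Output queue: 0/40", "Output queue: 0/1024"))
SAMPLE_INTERVAL_S = 300


@dataclass
class IfaceSample:
    name: str
    mtu_bytes: int
    bw_kbit: int
    output_drops: int
    hold_queue_out: int   # 'max' of the output queue, set by 'hold-queue N out'
    overruns: int


def _num(pattern, text):
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return int(m.group(1))


def parse_show_interface(text):
    """Pull the handful of fields needed here out of 'show interfaces' text."""
    name = re.search(r"^(\S+) is ", text, re.M).group(1)
    return IfaceSample(
        name=name,
        mtu_bytes=_num(r"MTU (\d+) bytes", text),
        bw_kbit=_num(r"BW (\d+) Kbit", text),
        output_drops=_num(r"Total output drops: (\d+)", text),
        hold_queue_out=_num(r"Output queue: \d+/(\d+) \(size/max\)", text),
        overruns=_num(r"(\d+) overrun", text),
    )


def counter_rates(before, after, seconds):
    """Per-second growth of the cumulative counters between two captures.
    A counter that went backwards was cleared (or wrapped): count from zero."""
    def delta(old, new):
        return new - old if new >= old else new
    return {
        "output_drops_per_s": delta(before.output_drops, after.output_drops) / seconds,
        "overruns_per_s": delta(before.overruns, after.overruns) / seconds,
    }


def max_queue_delay_ms(sample):
    """Worst-case time a packet waits in a full output hold-queue: the whole
    queue of MTU-sized packets drained at the configured BW. This is the
    latency cost of a deeper queue; it trades tail drops for delay."""
    queued_bits = sample.hold_queue_out * sample.mtu_bytes * 8
    return queued_bits / (sample.bw_kbit * 1000) * 1000


def report(text_before, text_after, seconds):
    before = parse_show_interface(text_before)
    after = parse_show_interface(text_after)
    return {
        "interface": after.name,
        "hold_queue_before": before.hold_queue_out,
        "hold_queue_after": after.hold_queue_out,
        "max_delay_ms_before": max_queue_delay_ms(before),
        "max_delay_ms_after": max_queue_delay_ms(after),
        **counter_rates(before, after, seconds),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_T0, SAMPLE_T1, SAMPLE_INTERVAL_S).items():
        print(f"{key:>22}: {value}")
```

On the constructed sample the 7301 default of 40 packets bounds queueing delay at about 0.5 ms on a gigabit interface, while 1024 packets raises that bound to roughly 12 ms; a drop rate that stays near zero after the change while the delay bound stays acceptable for the traffic mix is what you want to see. The same counter-delta logic applies to the input "overrun" counter discussed later on this page.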
From jcdarby at usgs.gov Mon Nov 9 19:22:58 2009 From: jcdarby at usgs.gov (Justin C Darby) Date: Mon, 9 Nov 2009 19:22:58 -0500 Subject: [c-nsp] Catalyst Blade Switch 3012 inband management? In-Reply-To: References: , <1257790166.9387.9.camel@abehat.dyn.net.rm.dk> <1257790653.9387.13.camel@abehat.dyn.net.rm.dk> Message-ID: Enable protected mode on the AMM, then 'platform chassis-management protected-mode' on your switch. The switch will require a reload and sever the fastethernet management ports automatically. We do this all the time here. :) Note that this seriously breaks any existing configuration in some circumstances (which I won't get to here). I strongly suggest you use the provided stacking cables at least between two switches in one Bladecenter chassis if your switch does stacking (I use 3110x's, mostly, so it's required to get 10GbE uplink redundancy). Justin -----cisco-nsp-bounces at puck.nether.net wrote: ----- To: Peter Rathlev , cisco-nsp From: Eric Girard Sent by: cisco-nsp-bounces at puck.nether.net Date: 11/10/2009 07:33AM Subject: Re: [c-nsp] Catalyst Blade Switch 3012 inband management? Peter, I'm not familiar with the IBM, but when I deploy the 3x20 for the HP chassis, I just disable to the Fa0 port to cut it off from the HP Onboard Administrator, and then proceed to configure it as a 'regular' switch with a management VLAN that comes in on the regular uplinks to the rest of the network. Hope that helps. Eric -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev Sent: Monday, November 09, 2009 1:18 PM To: cisco-nsp Subject: Re: [c-nsp] Catalyst Blade Switch 3012 inband management? On Mon, 2009-11-09 at 19:09 +0100, Peter Rathlev wrote: > What exactly is "Fa0" and where would I insert a cable into this port? > It doesn't seem to exist physically on the front of the module. Hmm... 
it seems that the bladecenter management interface actually carries this traffic, i.e. the switch management is the same VLAN as I place the Bladecenter AMM in. Is there any way around this? I don't like placing server stuff (like the AMM) together with my switches. :-)

--
Peter

From judah.scott.iam at gmail.com Mon Nov 9 21:30:54 2009
From: judah.scott.iam at gmail.com (Judah Scott)
Date: Mon, 9 Nov 2009 18:30:54 -0800
Subject: [c-nsp] CRS-1 MSC, MSC-B, FP40
Message-ID: <3172b9cb0911091830g76239312wb64bac8bf9dc7a5a@mail.gmail.com>

What is the difference between the three CRS L3+ forwarding engines? The datasheets look like straight copy-paste besides the weight and power-ratings. The only downside to FP40 that I have found so far relates to the inability to use SIP-800 (and as a result, older SPAs). Can anyone point me to more complete comparisons? Thanks in advance.

-J Scott

From mrz at velvet.org Mon Nov 9 23:10:25 2009
From: mrz at velvet.org (matthew zeier)
Date: Mon, 9 Nov 2009 20:10:25 -0800
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
In-Reply-To:
References: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk> <1257790653.9387.13.camel@abehat.dyn.net.rm.dk>
Message-ID: <852C4695-13C6-447A-AAF8-3AC7E27B58EA@velvet.org>

On Nov 9, 2009, at 2:29 PM, Eric Girard wrote:

> Peter,
> I'm not familiar with the IBM, but when I deploy the 3x20 for the
> HP chassis, I just disable the Fa0 port to cut it off from the HP
> Onboard Administrator, and then proceed to configure it as a
> 'regular' switch with a management VLAN that comes in on the regular
> uplinks to the rest of the network. Hope that helps.

What do you gain from this? I did that with the first switch but don't anymore. fa0 sits on NMS along with the OA. Means I don't need to carry the NMS Vlan on the 3x20.

(though I do wish HP/Cisco would integrate the serial console like HP's done with their own switches)

From mauritz at three6five.com Tue Nov 10 01:37:18 2009
From: mauritz at three6five.com (Mauritz Lewies)
Date: Tue, 10 Nov 2009 09:37:18 +0300
Subject: [c-nsp] overruns
In-Reply-To:
References:
Message-ID: <1257835038.5732.15.camel@mauritzlewies>

Hi

Is flow-control enabled on the other end? Seems like you are connecting to a device that doesn't support flow-control.

regards

On Mon, 2009-11-09 at 11:22 +0200, Mohammad Khalil wrote:
> hey all
>
> i have Cisco 7606 connected to WiMAX ASN GW via port channel
> now i have the following issue
> router#sh int po10 | inc overrun
>      0 input errors, 0 CRC, 0 frame, 8032 overrun, 0 ignored
> router#sh int po10 | inc ove
> router#sh int po20 | inc overrun
>      0 input errors, 0 CRC, 0 frame, 4305576 overrun, 0 ignored
>
> router#sh run int po10
> Building configuration...
>
> Current configuration : 216 bytes
> !
> interface Port-channel10
>  description CORE_VLAN to ASN Gateway
>  switchport
>  switchport access vlan 10
>  switchport trunk encapsulation dot1q
>  switchport mode access
>  flowcontrol receive on
>  flowcontrol send on
> end
>
> router#sh run int po20
> Building configuration...
>
> Current configuration : 215 bytes
> !
> interface Port-channel20
>  description RAS-VLAN to ASN Gateway
>  switchport
>  switchport access vlan 20
>  switchport trunk encapsulation dot1q
>  switchport mode access
>  flowcontrol receive on
>  flowcontrol send on
> end
>
> router#sh int port-channel 10 etherchannel
> Age of the Port-channel   = 284d:17h:52m:00s
> Logical slot/port   = 14/1          Number of ports = 5
> GC                  = 0x00000000      HotStandBy port = null
> Port state          = Port-channel Ag-Inuse
> Protocol            =   -
>
> Ports in the Port-channel:
>
> Index   Load   Port     EC state        No of bits
> ------+------+------+------------------+-----------
>   0     21     Gi3/3    On                 2
>   1     42     Gi3/11   On                 2
>   2     84     Gi3/19   On                 2
>   3     08     Gi3/27   On                 1
>   4     10     Gi3/35   On                 1
>
> Time since last port bundled:    154d:01h:08m:46s    Gi3/35
> Time since last port Un-bundled: 154d:01h:08m:50s    Gi3/35
>
>
> router#sh int port-channel 20 etherchannel
> Age of the Port-channel   = 284d:17h:52m:09s
> Logical slot/port   = 14/2          Number of ports = 5
> GC                  = 0x00000000      HotStandBy port = null
> Port state          = Port-channel Ag-Inuse
> Protocol            =   -
>
> Ports in the Port-channel:
>
> Index   Load   Port     EC state        No of bits
> ------+------+------+------------------+-----------
>   0     21     Gi3/4    On                 2
>   1     42     Gi3/12   On                 2
>   2     84     Gi3/20   On                 2
>   3     08     Gi3/28   On                 1
>   4     10     Gi3/36   On                 1
>
> Time since last port bundled:    154d:00h:55m:38s    Gi3/36
> Time since last port Un-bundled: 154d:00h:55m:41s    Gi3/36
>
> example of the interfaces:
>
>
> CR1.KJ-Building#sh run int g3/36
> Building configuration...
>
> Current configuration : 284 bytes
> !
> interface GigabitEthernet3/36
>  description RAS_VLAN (porrtchannel 20)
>  switchport
>  switchport access vlan 20
>  switchport mode access
>  no logging event link-status
>  load-interval 30
>  speed 1000
>  duplex full
>  flowcontrol receive on
>  flowcontrol send on
>  channel-group 20 mode on
> end
>
> CR1.KJ-Building#sh run int g3/35
> Building configuration...
>
> Current configuration : 300 bytes
> !
> interface GigabitEthernet3/35
>  description CORE_VLAN to ASN Gateway (porrtchannel 10)
>  switchport
>  switchport access vlan 10
>  switchport mode access
>  no logging event link-status
>  load-interval 30
>  speed 1000
>  duplex full
>  flowcontrol receive on
>  flowcontrol send on
>  channel-group 10 mode on
> end
>
> and on the other router
>
> router#sh int po10 | inc overrun
>      0 input errors, 0 CRC, 0 frame, 1643 overrun, 0 ignored
> router#sh int po20 | inc overrun
>      0 input errors, 0 CRC, 0 frame, 591813 overrun, 0 ignored
>
>
> anyone can help ??

From sethm at rollernet.us Tue Nov 10 02:11:57 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 09 Nov 2009 23:11:57 -0800
Subject: [c-nsp] Using "autocommand" securely?
Message-ID: <4AF9123D.6050400@rollernet.us>

I have an old PM25 that obviously doesn't support telnet that I use for serial console access, so I thought of using the following quick and dirty way of giving it some external transport security via SSH to a cisco and autocommanding to telnet:

username bettysue noescape nohangup user-maxlinks 1 password x
username bettysue autocommand telnet 1.2.3.4 5678

Is there anything bad or insecure about doing this i.e. any way to get to the IOS prompt or to abuse the router itself?
~Seth

From ras at e-gerbil.net Tue Nov 10 02:36:00 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Tue, 10 Nov 2009 01:36:00 -0600
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <4AF856AC.5070805@gmail.com>
References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net> <4AF856AC.5070805@gmail.com>
Message-ID: <20091110073600.GE51443@gerbil.cluepon.net>

On Mon, Nov 09, 2009 at 09:51:40AM -0800, Jared Gillis wrote:
> While I agree with these statements, our issue is not tree
> recalculation/convergence. Our issue and driving need for IS-IS
> multiarea is the fact that we have 3750ME's which can only hold ~2k
> routes in the TCAM in our IS-IS domain, and we'll very rapidly exhaust
> the TCAM unless we can do route summarization (i.e. upstream L2's send
> default/ATT only).

So why can't you put the routes into iBGP, use your IGP only for the loopbacks, and learn a default route from your upstream devices?

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From perc69 at gmail.com Tue Nov 10 02:46:28 2009
From: perc69 at gmail.com (Per Carlson)
Date: Tue, 10 Nov 2009 08:46:28 +0100
Subject: [c-nsp] CRS-1 MSC, MSC-B, FP40
In-Reply-To: <3172b9cb0911091830g76239312wb64bac8bf9dc7a5a@mail.gmail.com>
References: <3172b9cb0911091830g76239312wb64bac8bf9dc7a5a@mail.gmail.com>
Message-ID: <746ca6da0911092346v345b0e67p4a4c2408a10a3655@mail.gmail.com>

Hi.

> What is the difference between the three CRS L3+ forwarding engines? The
> datasheets look like straight copy-paste besides the weight and
> power-ratings.

That's true for MSC and MSC-B. They are virtually the same, but the B-version draws less power (and requires a newer XR-version).

> The only downside to FP40 that I have found so far relates
> to the inability to use SIP-800 (and as a result, older SPAs).
The FP40 is a completely different breed, and as you have found out, supports different PLIMS than MSC/MSC-B. These linecards where originally designed for the ASR14k (a CRS1-light device), but it were pulled from the market before getting released (more or less). The downsides of FP40, compared to MSC/MSC-B, are less hardware queues and not being able to do 40G at minimal packet sizes. You can use older SPA's in any of the "Flexible Interface Modules" (http://www.cisco.com/en/US/prod/collateral/routers/ps5763/data_sheet_c78-553671.html and http://www.cisco.com/en/US/prod/collateral/routers/ps5763/data_sheet_c78-549654.html). -- Pelle From mvanton at gmail.com Tue Nov 10 04:34:14 2009 From: mvanton at gmail.com (vince anton) Date: Tue, 10 Nov 2009 10:34:14 +0100 Subject: [c-nsp] 7600 for ip transit uplink In-Reply-To: <1ebb7fa90911090555r1ae975a1p80686ddc8de3cb22@mail.gmail.com> References: <87e0d3ae0911090256q505fd15do217eb55976d6b8d3@mail.gmail.com> <1ebb7fa90911090555r1ae975a1p80686ddc8de3cb22@mail.gmail.com> Message-ID: <87e0d3ae0911100134xdc842c3h8d9713f428d27ec@mail.gmail.com> thanks for your replies anthony, yes you are correct, its surely 10GE (6704 or SPA being the question), and not SDH/OC192 I currently have 6704 links to my internal core working just fine, but those are LAN links as intended by design of the card :) the choice and suitability of the interface to the upstream carrier is the question here, as the cost of a 10G interface on the already existing 6704 card is low (basically the cost of the XENPAK), compared to the cost of a SIP/ES20 which is $$$ then again if there are serious issues with using the LAN port for an upstream, it _may_ perhaps justify the price if we gain on stability, etc.. would be interesting to know the _technical_ reasons why cisco frown at this. 
thanks
anton

From peter at rathlev.dk Tue Nov 10 07:22:20 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 10 Nov 2009 13:22:20 +0100
Subject: [c-nsp] uRPF bug on C6k SXI1?
Message-ID: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk>

Hi,

I've discovered what seems to be a bug on C6k at least in SXI1. I haven't been able to find anything about it in the bug toolkit. It might be related to CSCsk65860 though.

If I configure a SVI in a VRF and add "ip verify source reachable-via any" and afterwards enable "ip verify source reachable-via any allow-default" the switch seems to drop a lot of traffic, something like every 12th packet.

If I remove the "ip verify"-command and then add the version with "allow-default" directly, I have no problems. Without uRPF there's no problem either. Only when first entering the command without "allow-default" and then adding "allow-default" does the problem appear.

Has anybody seen anything like this? Would anybody know how to debug this?

When the problem appears, the "show ip interface VlanX" isn't showing any uRPF drops:

R1#sh ip int vlan 901
Vlan901 is up, line protocol is up
[...]
  IP verify source reachable-via ANY, allow default
   0 verification drops
   0 suppressed verification drops
  IP multicast multilayer switching is disabled
R2#

Sending traffic out of this interface gives the errors:

R2#ping vrf RM03313 10.100.28.1 so 10.100.141.2 re 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.100.28.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.141.2
!!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!
!!.!!!!!!!!!!!.!!!!!!!!!!!.!!!
Success rate is 92 percent (92/100), round-trip min/avg/max = 1/1/4 ms
R2#

When removing/re-adding the uRPF command the forwarding works fine:

R2#ping vrf RM03313 10.100.28.1 so 10.100.141.2 re 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.100.28.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.141.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms
R2#

We're glad we found a fix, but maybe others have been pulling out hair over this one. :-)

--
Peter

From peter at rathlev.dk Tue Nov 10 07:25:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 10 Nov 2009 13:25:16 +0100
Subject: [c-nsp] Catalyst Blade Switch 3012 inband management?
In-Reply-To:
References: , <1257790166.9387.9.camel@abehat.dyn.net.rm.dk> <1257790653.9387.13.camel@abehat.dyn.net.rm.dk>
Message-ID: <1257855916.22754.13.camel@abehat.dyn.net.rm.dk>

On Mon, 2009-11-09 at 17:29 -0500, Eric Girard wrote:
> I'm not familiar with the IBM, but when I deploy the 3x20 for the HP
> chassis, I just disable the Fa0 port to cut it off from the HP
> Onboard Administrator, and then proceed to configure it as a 'regular'
> switch with a management VLAN that comes in on the regular uplinks to
> the rest of the network. Hope that helps.

I'm apparently not allowed to shut the interface, at least not with the switch not in protected mode.

On Mon, 2009-11-09 at 19:22 -0500, Justin C Darby wrote:
> Enable protected mode on the AMM, then 'platform chassis-management
> protected-mode' on your switch. The switch will require a reload and sever
> the fastethernet management ports automatically.

As I wrote in the original post, the paperwork to get permission to do this isn't trivial, but of course it is the only correct answer.

Thanks for the replies everyone. :-)

--
Peter

From p.mayers at imperial.ac.uk Tue Nov 10 08:23:08 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 10 Nov 2009 13:23:08 +0000
Subject: [c-nsp] uRPF bug on C6k SXI1?
In-Reply-To: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk> References: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk> Message-ID: <4AF9693C.4000301@imperial.ac.uk> Peter Rathlev wrote: > Hi, > > I've discovered what seems to be a bug on C6k at least in SXI1. I > haven't been able to find anything about it in the bug toolkit. It might > be related to CSCsk65860 though. > > If I configure a SVI in a VRF and add "ip verify source reachable-via > any" and afterwards enable "ip verify source reachable-via any > allow-default" the switch seems to drop a lot of traffic, something like > every 12th packet. Do you have CoPP or MLS rate limiters? Is the traffic being CPU punted (use a SPAN session to find out) and this rate-limiting what's causing the drops? If so, it could be a hardware/tcam programming error; we've seen a few of these in obscure cases on SXI, and I've not found a reliable way to clear them. Does a "shut" / "no shut" of the SVI fix the problem? Or the various "clear" commands (e.g. "clear cef" etc.) > > If I remove the "ip verify"-command and then add the version with > "allow-default" directly, I have no problems. Without uRPF there's no > problem either. Only when first entering the command without > "allow-default" and then adding "allow-default" does the problem appear. We haven't seen that, but have seen other issues where (apparently) CEF entries are programmed incorrectly resulting in traffic being CPU punted and having to pass through CoPP, and thus being very lossy. See e.g. 
http://www.gossamer-threads.com/lists/cisco/nsp/112984 From nadengine at googlemail.com Tue Nov 10 08:58:32 2009 From: nadengine at googlemail.com (shadow floating) Date: Tue, 10 Nov 2009 15:58:32 +0200 Subject: [c-nsp] Network design change In-Reply-To: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> Message-ID: <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> Hi All, My company has two sites in to 2 different locations that are connected via high speed link at the core layer ( I've attached a diagram in question.jpg for ease of explanation) in each site I've 1 DMZ , the network team wants to connect the DMZ switches in both sites for better performance and "security" - the link under investigation is shown in red in the picture - ? via high speed link without passing at all by the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs and also this will help if any of the 2 firewalls had failure to access both DMZs from any firewall. Is that better from security point of view? appreciating your great help and advice thanks alot Regards, Nad From zivl at gilat.net Tue Nov 10 09:13:06 2009 From: zivl at gilat.net (Ziv Leyes) Date: Tue, 10 Nov 2009 16:13:06 +0200 Subject: [c-nsp] Network design change In-Reply-To: <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> Message-ID: Hi Nad, This list accepts only text only messages, so the picture isn't attached to the message we've got. 
I suggest you upload your diagram to some free image hosting site such as http://imageshack.us/ and post the link here

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of shadow floating
Sent: Tuesday, November 10, 2009 3:59 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Network design change

Hi All,

My company has two sites in 2 different locations that are connected via a high speed link at the core layer (I've attached a diagram in question.jpg for ease of explanation). In each site I've 1 DMZ. The network team wants to connect the DMZ switches in both sites for better performance and "security" - the link under investigation is shown in red in the picture - via a high speed link without passing at all by the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs, and also this will help if any of the 2 firewalls had a failure, to access both DMZs from any firewall.

Is that better from a security point of view?

Appreciating your great help and advice, thanks a lot.

Regards,
Nad

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
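The design question quoted above is, at bottom, a reachability question: which firewall inspects each path between zones, and what changes once the DMZ switches are linked directly. The script below is an added example, not from the thread; it models only the adjacency drawn in the question (Internet, firewall, DMZ switch and core switch per site, cores interconnected), with constructed node names, and enumerates every loop-free path between two zones together with the firewalls it crosses, with and without the proposed link and optionally with a firewall failed.

```python
"""Added example, not from the mailing-list thread: a small reachability
model of the two-site design asked about above. It shows which firewall(s)
lie on each path between zones before and after a direct DMZ-to-DMZ link is
added. Node names are constructed from the question's diagram; the model
covers adjacency only, not the firewall rule sets themselves."""

# Existing design: each site has Internet -> Firewall, the firewall faces both
# the DMZ switch and the core switch, and the two cores are interconnected.
BASE_LINKS = [
    ("Internet-A", "Firewall-A"), ("Firewall-A", "DMZ-A"), ("Firewall-A", "Core-A"),
    ("Internet-B", "Firewall-B"), ("Firewall-B", "DMZ-B"), ("Firewall-B", "Core-B"),
    ("Core-A", "Core-B"),
]
DMZ_LINK = ("DMZ-A", "DMZ-B")                      # the proposed link
ENFORCEMENT_POINTS = {"Firewall-A", "Firewall-B"}  # where policy is applied


def build_graph(links, failed=()):
    """Undirected adjacency map; nodes in 'failed' are removed to model an outage."""
    graph = {}
    for a, b in links:
        if a in failed or b in failed:
            continue
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def simple_paths(graph, src, dst, path=None):
    """All loop-free paths from src to dst, found depth-first."""
    path = [src] if path is None else path + [src]
    if src == dst:
        return [path]
    found = []
    for nxt in sorted(graph.get(src, ())):
        if nxt not in path:
            found.extend(simple_paths(graph, nxt, dst, path))
    return found


def filters_on(path):
    """The enforcement points a path passes through, in order."""
    return [node for node in path if node in ENFORCEMENT_POINTS]


def analyse(links, src, dst, failed=()):
    """Each path with the firewalls it crosses, plus a flag that is set when
    at least one path reaches dst without crossing any firewall."""
    graph = build_graph(links, failed)
    rows = [(p, filters_on(p)) for p in simple_paths(graph, src, dst)]
    return {"paths": rows, "unfiltered": any(not fw for _, fw in rows)}


def compare(src, dst, failed=()):
    """Analyse the pair without and with the proposed DMZ link."""
    before = analyse(BASE_LINKS, src, dst, failed)
    after = analyse(BASE_LINKS + [DMZ_LINK], src, dst, failed)
    return before, after


if __name__ == "__main__":
    pairs = [("DMZ-A", "DMZ-B"), ("Internet-A", "DMZ-B"), ("Core-A", "DMZ-B")]
    for src, dst in pairs:
        before, after = compare(src, dst)
        print(f"{src} -> {dst}")
        for label, res in (("without link", before), ("with link", after)):
            for path, fw in res["paths"]:
                print(f"  {label:13} {' > '.join(path)}  firewalls={fw or 'NONE'}")
```

Three things the output makes visible. Inter-DMZ traffic, which today crosses both firewalls, would cross none. Site A's firewall would become the only control point on a path from Internet A into Site B's DMZ, so each firewall's DMZ rule set effectively applies to both DMZs. And from either core there would be two paths into the far DMZ through two different stateful firewalls, so forward and return traffic can take different firewalls unless routing is pinned; the model does show the claimed benefit too (a DMZ stays reachable when its own firewall fails), which is why it helps to weigh both with the same tool.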
From sony.scaria at gmail.com Tue Nov 10 09:25:31 2009
From: sony.scaria at gmail.com (sony.scaria at gmail.com)
Date: Tue, 10 Nov 2009 14:25:31 +0000
Subject: [c-nsp] BGP Community-MED [7:137451]
Message-ID: <903160314-1257863127-cardhu_decombobulator_blackberry.rim.net-718747546-@bda135.bisx.produk.on.blackberry>

Metric will be carried into an AS, but will not pass it to a 3rd AS. When the same update is carried to the 3rd AS, the MED value is set to 0.

PS: an optional non-transitive attribute must be deleted by a router that has not implemented the attribute.

Sony.

------Original Message------
From: R.B. Kumar
Sender: nobody at groupstudy.com
To: cisco at groupstudy.com
ReplyTo: R.B. Kumar
Subject: BGP Community-MED [7:137451]
Sent: Nov 10, 2009 16:56

Hi Friends,

A basic CCNA level query. Hope you experts do not bother to help me on this.

I know that BGP MED has the OPTIONAL NON-TRANSITIVE attribute. But I also know that MED is capable of moving to the immediate next neighbour AS. MED is a hint to external neighbors about the preferred path into an autonomous system (AS) that has multiple entry points.

But since it is passing to the next AS, how is it categorized as NON-TRANSITIVE? Since it is seen in the neighbour AS, I thought it should be TRANSITIVE. But to my surprise it is OPTIONAL NON-TRANSITIVE.

Please help me where I have understood wrongly.

Regards & thanks in advance
RBK

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=137451&t=137451
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
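The MED question and answer above come down to how a BGP speaker treats an attribute's flag bits and what the MED means. The model below is an added example, not from the thread or from any vendor implementation: it applies the receipt rules of RFC 4271 section 5 (an unrecognised optional non-transitive attribute is dropped, an unrecognised optional transitive one is kept with the Partial bit set) and propagates a MED set in AS 100 into AS 200, across AS 200 over iBGP, and on to AS 300, where the missing MED compares as 0. The AS numbers, prefix and values are constructed, and type codes 200 and 201 are hypothetical unknown attributes used only to show the flag handling.

```python
"""Added example, not from the mailing-list thread: a small model of how a
BGP speaker treats path attributes by their flag bits (RFC 4271 section 5)
and of the MED in particular. AS numbers, prefix and values are constructed;
type codes 200 and 201 are hypothetical unknown attributes."""
from dataclasses import dataclass, replace
from typing import Optional

# Attribute flag bits (high bits of the attribute flags octet)
OPTIONAL = 0x80
TRANSITIVE = 0x40
PARTIAL = 0x20

AS_PATH = 2   # well-known mandatory: transitive bit set, optional bit clear
MED = 4       # MULTI_EXIT_DISC: optional, non-transitive
KNOWN_TYPES = {AS_PATH, MED}


@dataclass(frozen=True)
class Attr:
    type_code: int
    flags: int
    value: object


@dataclass(frozen=True)
class Update:
    prefix: str
    attrs: tuple
    learned_from_as: Optional[int] = None   # eBGP neighbour the route came from


def receive(update, from_as, local_as, known=KNOWN_TYPES):
    """RFC 4271 rules on receipt: an unrecognised optional non-transitive
    attribute is quietly ignored (so it is never re-advertised); an unrecognised
    optional transitive one is kept and will be re-advertised with Partial set."""
    kept = []
    for a in update.attrs:
        if a.type_code in known:
            kept.append(a)
        elif a.flags & OPTIONAL and a.flags & TRANSITIVE:
            kept.append(replace(a, flags=a.flags | PARTIAL))
        # else: unknown optional non-transitive, dropped
    learned = from_as if from_as != local_as else update.learned_from_as
    return Update(update.prefix, tuple(kept), learned)


def advertise(update, local_as, to_as):
    """Build the update sent to a peer. Over eBGP the local AS is prepended to
    AS_PATH, and a MED that was set by another AS is not passed on: the MED is
    a hint from the AS that set it to its direct neighbour only. Over iBGP the
    attributes are carried unchanged so every border router in the AS sees it."""
    ebgp = to_as != local_as
    med_set_elsewhere = update.learned_from_as is not None
    out = []
    for a in update.attrs:
        if ebgp and a.type_code == AS_PATH:
            out.append(replace(a, value=(local_as,) + a.value))
        elif ebgp and a.type_code == MED and med_set_elsewhere:
            continue
        else:
            out.append(a)
    return Update(update.prefix, tuple(out), update.learned_from_as)


def effective_med(update):
    """With no MED present, the default best-path comparison treats it as 0."""
    for a in update.attrs:
        if a.type_code == MED:
            return a.value
    return 0


def as_path(update):
    return next(a.value for a in update.attrs if a.type_code == AS_PATH)


def trace():
    """Originate in AS 100 with MED 50; follow the route into AS 200 (eBGP),
    across AS 200 (iBGP) and on to AS 300 (eBGP)."""
    originated = Update("203.0.113.0/24", (
        Attr(AS_PATH, TRANSITIVE, ()),
        Attr(MED, OPTIONAL, 50),
        Attr(200, OPTIONAL | TRANSITIVE, b"opaque"),   # unknown transitive
        Attr(201, OPTIONAL, b"opaque"),                # unknown non-transitive
    ))
    at_200_border = receive(advertise(originated, 100, 200), 100, 200)
    at_200_inside = receive(advertise(at_200_border, 200, 200), 200, 200)
    at_300 = receive(advertise(at_200_inside, 200, 300), 200, 300)
    return {
        "med_in_as200": effective_med(at_200_border),
        "med_across_as200": effective_med(at_200_inside),
        "med_in_as300": effective_med(at_300),
        "as_path_in_as300": as_path(at_300),
        "types_in_as300": tuple(a.type_code for a in at_300.attrs),
        "flags_of_200_in_as300": next(a.flags for a in at_300.attrs if a.type_code == 200),
    }


if __name__ == "__main__":
    for key, value in trace().items():
        print(f"{key}: {value}")
```

The trace answers the original question directly: "non-transitive" describes how far the attribute is meant to travel once set, not whether it ever leaves the AS that set it. AS 200 sees MED 50 on every router, but AS 300 receives no MED at all and compares the route as if it were 0, while the unknown transitive attribute survives the whole way with Partial set and the unknown non-transitive one is gone after the first hop.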
From mtinka at globaltransit.net Tue Nov 10 09:31:40 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 10 Nov 2009 22:31:40 +0800
Subject: [c-nsp] IS-IS Multiarea on 12.2 SR
In-Reply-To: <20091109072346.GK51443@gerbil.cluepon.net>
References: <4AF21CA5.4050804@gmail.com> <200911091432.32320.mtinka@globaltransit.net> <20091109072346.GK51443@gerbil.cluepon.net>
Message-ID: <200911102232.01323.mtinka@globaltransit.net>

On Monday 09 November 2009 03:23:46 pm Richard A Steenbergen wrote:

> I'm not questioning your decision, I'm just stating it
> for the archives and for everyone else who has to make
> this same decision at some point in the future: If you
> have to ask, just don't do it. I see way too many people
> trying to deploy areas with 10 router networks because
> they read somewhere that it was what they were supposed
> to do to scale, or because people saw it on an exam
> somewhere.

This makes sense, and I appreciate where you're coming from.

However, wearing my "instructor" hat when we give workshops in various places around the world, we tend to teach folk how to build large scale networks, based on our own experiences doing the same. In some cases, we say build scaling into your operations even when it may seem "unnecessary", because the general assumption is that your network is going to grow. Sure, it could take 5, 10, 15 years, depending on whom you ask, but if there's a chance it does grow, you don't want to re-work your entire design to add scaling into the mix; especially since adding scalability in from the start doesn't add any incremental cost in terms of $$ or complexity.

And I'm not just talking about OSPF or IS-IS specifically (since router CPU's are much faster these days, assuming operators can afford such platforms), but networking in general, especially for some features or protocols where thinking about scalability from day one isn't such a bad idea, even if it might make little sense today.
I'm sure many of us, in our careers as network operators, have wished that we had done something differently in the past not to suffer the pain of today - even if it seemed infeasible, at the time, that we'd get to where we are today. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From mtinka at globaltransit.net Tue Nov 10 09:40:39 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 10 Nov 2009 22:40:39 +0800 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <4AF83918.9010505@templin.org> References: <4AF21CA5.4050804@gmail.com> <20091109072346.GK51443@gerbil.cluepon.net> <4AF83918.9010505@templin.org> Message-ID: <200911102241.01282.mtinka@globaltransit.net> On Monday 09 November 2009 11:45:28 pm Pete Templin wrote: > +1. I've recently finished a complete overhaul of a > 14-router 5-POP network that had 6 areas (one for each > POP), and had area 0 split into two independent areas 0. > Access routers in any POP had no idea that access routers > existed in other POPs, etc. I may be missing it in your message above, but if you're able to share, did you collapse the entire backbone into a single Area, or did you maintain the splits? Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From egirard at focustsi.com Tue Nov 10 09:48:27 2009 From: egirard at focustsi.com (Eric Girard) Date: Tue, 10 Nov 2009 09:48:27 -0500 Subject: [c-nsp] Catalyst Blade Switch 3012 inband management? 
In-Reply-To: <852C4695-13C6-447A-AAF8-3AC7E27B58EA@velvet.org> References: <1257790166.9387.9.camel@abehat.dyn.net.rm.dk> <1257790653.9387.13.camel@abehat.dyn.net.rm.dk> <852C4695-13C6-447A-AAF8-3AC7E27B58EA@velvet.org> Message-ID: I'm don't think there is a big gain, but typically the OA tends to just get cabled back into the chassis switch anyways so the management VLAN is already there, and I have seen the internal switch inside the OA go bad before. I've also seen it be a political issue between the server team and the network team, so it's just easier to keep it separate. The console issue is interesting, because the MDS 9124 has the internal console, but the switches do not. Eric -----Original Message----- From: matthew zeier [mailto:mrz at velvet.org] Sent: Monday, November 09, 2009 11:10 PM To: Eric Girard Cc: Peter Rathlev; cisco-nsp Subject: Re: [c-nsp] Catalyst Blade Switch 3012 inband management? On Nov 9, 2009, at 2:29 PM, Eric Girard wrote: > Peter, > I'm not familiar with the IBM, but when I deploy the 3x20 for the > HP chassis, I just disable to the Fa0 port to cut it off from the HP > Onboard Administrator, and then proceed to configure it as a > 'regular' switch with a management VLAN that comes in on the regular > uplinks to the rest of the network. Hope that helps. What do you gain from this? I did that with the first switch but don't anymore. fa0 sits on NMS along with the OA. Means I don't need to carry the NMS Vlan on the 3x20. (though I do wish HP/Cisco would integrate the serial console like HP's done with their own switches) From mtinka at globaltransit.net Tue Nov 10 09:47:40 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 10 Nov 2009 22:47:40 +0800 Subject: [c-nsp] 3750G vs. 
Nexus for a SAN In-Reply-To: <9AF22D15085E7D409ED5710CBC779E930A3194@COHNTCS09.ci.henderson.nv.us> References: <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <9AF22D15085E7D409ED5710CBC779E930A3194@COHNTCS09.ci.henderson.nv.us> Message-ID: <200911102247.42128.mtinka@globaltransit.net> On Tuesday 10 November 2009 01:56:07 am Michael Balasko wrote: > All that being said we bought the 5K's to do 10G > distribution for our core so your mileage may vary > depending on needs. To digress a little, we considered using the Nexus 5000 as a 10Gbps core aggregation switch, because it's way cheaper than the WS-X6704/8 line cards. But given that we'd be looking at adding more bandwidth in terms of N x 10Gbps, it made more sense to consider boxes that will scale to native 40Gbps and 100Gbps Ethernet interfaces. But, if a network is sure they'll never need anymore 10Gbps port density or large bandwidth to serve several downstream/upstream routers, the Nexus 5000 is definitely good value for 10Gbps Ethernet aggregation, current software issues aside, of course. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. 
From nadengine at googlemail.com Tue Nov 10 10:46:49 2009 From: nadengine at googlemail.com (shadow floating) Date: Tue, 10 Nov 2009 17:46:49 +0200 Subject: [c-nsp] Network design change In-Reply-To: References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> Message-ID: <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com>

Thanks a lot Ziv, I'll try to put it in a txt format:

Site A                                         Site B
internet                                       internet
   |                                              |
Firewall A                                     Firewall B
   |                                              |
   |           link under investigation           |
   |-----(DMZ Switch)---------------------(DMZ Switch)-----|
   |                                              |
   |               High speed link                |
Core Switch A ---------------------------------Core Switch B

Hi All,
My company has two sites in 2 different locations that are connected via a high speed link at the core layer. In each site I've 1 DMZ; the network team wants to connect the DMZ switches in both sites for better performance and "security" - the link under investigation is shown in red in the picture - via a high speed link without passing at all by the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs and also this will help if any of the 2 firewalls had a failure to access both DMZs from any firewall. Is that better from a security point of view?

appreciating your great help and advice
thanks a lot

Regards,
Nad

2009/11/10 Ziv Leyes :
> Hi Nad,
> This list accepts only text only messages, so the picture isn't attached to the message we've got.
> I suggest you to upload your diagram to some free image hosting site such as http://imageshack.us/ and post the link here
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From nadengine at googlemail.com Tue Nov 10 10:54:14 2009 From: nadengine at googlemail.com (shadow floating) Date: Tue, 10 Nov 2009 17:54:14 +0200 Subject: [c-nsp] Network design change In-Reply-To: <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com> References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com> Message-ID: <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com>

Thanks a lot Ziv, the link for the diagram is here: http://img18.imageshack.us/img18/77/questionhk.jpg

Hi All,
My company has two sites in 2 different locations (plz see the diagram from picture in the link) that are connected via a high speed link at the core layer. In each site I've 1 DMZ; the network team wants to connect the DMZ switches in both sites for better performance and "security" - the link under investigation is shown in red in
the picture - via a high speed link without passing at all by the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs and also this will help if any of the 2 firewalls had a failure to access both DMZs from any firewall. Is that better from a security point of view?

appreciating your great help and advice
thanks a lot

Regards,
Nad

From zivl at gilat.net Tue Nov 10 11:09:23 2009 From: zivl at gilat.net (Ziv Leyes) Date: Tue, 10 Nov 2009 18:09:23 +0200 Subject: [c-nsp] Network design change In-Reply-To: <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com> References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com> <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com> Message-ID:

I don't see any problem with that solution, it seems to be quite good for what you're trying to achieve, and I don't think there are major security issues, assuming that the DMZ is a zone well protected from the internet and properly isolated from the internal network.
What kind of point to point link are you planning to implement?

-----Original Message----- From: shadow floating [mailto:nadengine at googlemail.com] Sent: Tuesday, November 10, 2009 5:54 PM To: Ziv Leyes; cisco-nsp at puck.nether.net Subject: [c-nsp] Network design change

Thanks a lot Ziv, the link for the diagram is here: http://img18.imageshack.us/img18/77/questionhk.jpg

Hi All,
My company has two sites in 2 different locations (plz see the diagram from picture in the link) that are connected via a high speed link at the core layer. In each site I've 1 DMZ; the network team wants to connect the DMZ switches in both sites for better performance and "security" - the link under investigation is shown in red in the picture -
via a high speed link without passing at all by the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs and also this will help if any of the 2 firewalls had a failure to access both DMZs from any firewall. Is that better from a security point of view?

appreciating your great help and advice
thanks a lot

Regards,
Nad

From frosya84 at mail.ru Tue Nov 10 11:08:00 2009 From: frosya84 at mail.ru (Ruzhanskaya Olga) Date: Tue, 10 Nov 2009 19:08:00 +0300 Subject: [c-nsp] Different CPU load on two 7206VXR-NPEG2 Message-ID:

Hello List!

We have 2 7206VXR-NPEG2 routers in different towns (T1 and T2), with the same configuration template, same IOS - 12.2(31)SB11. Each of them has one interface for clients' services termination and one for the transport connection to the core routers (P router). The challenge is: traffic load on T1 is twice as much as on T2, but the CPU load is almost the same.
Details:
1) There are the same number/load of Internet services with uRPF enabled on both routers
2) The same number of ACLs
3) In "sh proc cpu sorted" the main cycles are used for packet forwarding

--------------------------------------------------------------------------
Here are some outputs from T2 (less traffic, same CPU load), uplink, 5 minutes after cleared counters:

T2#sh int gi0/2 | i 30
  30 second input rate 459618000 bits/sec, 74812 packets/sec
  30 second output rate 276334000 bits/sec, 59440 packets/sec
T2#sh int gi0/2 | i queue
  Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/1000/0 (size/max total/drops)
T2#sh int gi0/2 | i queue
  Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 0

Here are some outputs from T1 (more traffic, same CPU load), uplink, 5 minutes after cleared counters:

T1# sh int gi0/2 | i 30
  30 second input rate 780209000 bits/sec, 111772 packets/sec
  30 second output rate 356832000 bits/sec, 105820 packets/sec
T1# sh int gi0/2 | i queue
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
T1# sh int gi0/2 | i error
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 0 collisions, 0 interface resets
--------------------------------------------------------------------------

Any suggestions are appreciated.

Best regards,
Olga

From eng_mssk at hotmail.com Tue Nov 10 11:23:10 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Tue, 10 Nov 2009 18:23:10 +0200 Subject: [c-nsp] streaming Message-ID:

Hey all,
I have a WiMAX connection and I tested it; everything is OK from browsing to download speed except for streaming. What are possible causes for streaming to be so slow while other applications are fairly fast?

Thanks in advance
From cchurc05 at harris.com Tue Nov 10 11:28:57 2009 From: cchurc05 at harris.com (Church, Charles) Date: Tue, 10 Nov 2009 11:28:57 -0500 Subject: [c-nsp] Different CPU load on two 7206VXR-NPEG2 In-Reply-To: References: Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B5634FE@MLBMXUS2.cs.myharris.net>

The T2 router has vastly different queue sizes. It would appear that it has some type of QoS applied to it, where the other one doesn't. That would explain the additional CPU usage.

Chuck

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ruzhanskaya Olga Sent: Tuesday, November 10, 2009 11:08 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Different CPU load on two 7206VXR-NPEG2

Hello List!

We have 2 7206VXR-NPEG2 routers in different towns (T1 and T2), with the same configuration template, same IOS - 12.2(31)SB11. Each of them has one interface for clients' services termination and one for the transport connection to the core routers (P router). The challenge is: traffic load on T1 is twice as much as on T2, but the CPU load is almost the same.
Best regards,
Olga

From n00dles at nix-jutsu.net Tue Nov 10 11:42:50 2009 From: n00dles at nix-jutsu.net (n00dles at nix-jutsu.net) Date: Tue, 10 Nov 2009 16:42:50 +0000 Subject: [c-nsp] Cisco 800 stops forwarding layer 3 via switchport Message-ID: <20091110164250.GA1003@atsuko>

Hello all,

We have a strange issue between PIX 501's and our 800 series routers; we are using various 800s with a spread of IOS versions. The problem manifests itself as a drop of connectivity between the two devices, that being we lose layer 3 forwarding out of the switch-port module on the 800. We are of the opinion we have ethernet connectivity between devices as the mac-address table is being populated after being cleared, and link state shows up/up, but we cannot ping, nor can the device ARP for the PIX. Static ARP entries also do not fix the issue; the only way we have found so far to fix the problem is to reboot the 800.

Has anyone experienced this kind of problem before?

Regards
--
 _  Chris Nicholls                 ASCII ribbon campaign
( ) Timico Network Operations     - against HTML, vCards and
 X  chris at timico.net           - proprietary attachments in e-mail
/ \

From cisco-nsp at slepicka.net Tue Nov 10 11:44:34 2009 From: cisco-nsp at slepicka.net (James Slepicka) Date: Tue, 10 Nov 2009 10:44:34 -0600 Subject: [c-nsp] Network design change In-Reply-To: <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com> References: <5c1b7500911082223g50f822aeyab155222a8b49c13@mail.gmail.com> <5c1b7500911100558n65492e2fq8117252cee67998a@mail.gmail.com> <5c1b7500911100746o4fb1c265l1f0e813c39c4d2a4@mail.gmail.com> <5c1b7500911100754t27c64876r83f9049a872f0322@mail.gmail.com> Message-ID: <4AF99872.3000806@slepicka.net>

>>this will help if any of the 2 firewalls had failure to access both DMZs from any firewall.
Just keep in mind that traffic through the firewalls usually* needs to be symmetric. Be sure to account for that in your design.

* https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

From rubensk at gmail.com Tue Nov 10 12:13:50 2009 From: rubensk at gmail.com (Rubens Kuhl) Date: Tue, 10 Nov 2009 15:13:50 -0200 Subject: [c-nsp] Default behaviour of MPLS enabled interfaces on 6500 SXI Message-ID: <6bb5f5b10911100913m7785f7d0hb9671c707c419c66@mail.gmail.com>

Hi,

Just curious: what happens on a label-enabled interface when a packet comes with a label that hasn't been negotiated thru LDP? Is it a default permit, a default deny, anything that can be changed or tuned?
Rubens

From avayner at cisco.com Tue Nov 10 12:29:14 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Tue, 10 Nov 2009 18:29:14 +0100 Subject: [c-nsp] streaming In-Reply-To: References: Message-ID:

Muhammad,

What do you mean streaming is slow? What kind of streaming?

Arie

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Tuesday, November 10, 2009 18:23 To: cisco-nsp at puck.nether.net Subject: [c-nsp] streaming

Hey all,
I have a WiMAX connection and I tested it; everything is OK from browsing to download speed except for streaming. What are possible causes for streaming to be so slow while other applications are fairly fast?

Thanks in advance

From berghauz at gmail.com Tue Nov 10 12:31:17 2009 From: berghauz at gmail.com (Alexey Polyakov) Date: Tue, 10 Nov 2009 20:31:17 +0300 Subject: [c-nsp] Voice Vlan on metro 3400 Message-ID: <13d85870911100931s44cee41dib6377aad487da6aa@mail.gmail.com>

Hello everybody.

Can anybody clarify, is the "Voice VLAN" feature supported on the ME3400 switch? It's a very useful feature on 2950/2960 with Cisco phones, but on the 3400 I can't find it.

WBR
Aleksey Polyakoff
ICQ:9001016
Marie von Ebner-Eschenbach - "Even a stopped clock is right twice a day."

From cisco-nsp at slepicka.net Tue Nov 10 12:54:08 2009 From: cisco-nsp at slepicka.net (James Slepicka) Date: Tue, 10 Nov 2009 11:54:08 -0600 Subject: [c-nsp] 3750G vs.
Nexus for a SAN In-Reply-To: <4AF49BA1.3060508@inex.ie> References: <4AF473CD.7000405@inex.ie> <20091106213521.GL163@greenie.muc.de> <4AF49BA1.3060508@inex.ie> Message-ID: <4AF9A8C0.9060800@slepicka.net> You can read about the architecture here: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-462176.html I'll give you my understanding of it -- I appreciate any corrections if I miss the mark on something. >>I don't know whether the packets are buffered on input or on output. Both. Each port has a set of 416 virtual output queues (on the 5020 -- don't know if this is true for the 5010 or if there are half as many). A VOQ is, essentially, a queue for each egress port. In other words, on ingress, a packet is put into one of 416 queues (52 egress ports * 8 queues -- one for each 802.1p CoS). Congestion on one egress port doesn't impact traffic destined for other ports. Internally, the packets are moved around at greater than 10Gb speed (+20%), so there is egress buffering as well. This allows multiple packets to be queued up and sent out at 10Gb rate without interruption and is also used for flow control buffering. >>per-port buffers...quite a bit smaller than on other products 480KB per port shared between per-CoS ingress and egress buffers. Most are assigned to ingress, but I don't know the ratio. There is also buffering on the fabric itself, though I'm not entirely sure what its impact is in this scenario (I think it's primarily just used as an optimization to increase throughput). James Nick Hilliard wrote: > On 06/11/2009 21:35, Gert Doering wrote: >> Out of curiosity: how does it cut-through if it has to multiplex >> multiple >> ports, as in: packets coming in on port A and B and leaving on C? As >> soon as two packets overlap (time-wise) on A and B, you can't do >> cut-through... > > The switch has per-port buffers; from what i remember, quite a bit > smaller than on other products, as the unit is cut-through. 
You also > need these buffers when you're operating 1G ports in store-n-forward > mode. I don't know whether the packets are buffered on input or on > output. > > Nick > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From judah.scott.iam at gmail.com Tue Nov 10 13:17:58 2009 From: judah.scott.iam at gmail.com (Judah Scott) Date: Tue, 10 Nov 2009 10:17:58 -0800 Subject: [c-nsp] CRS-1 MSC, MSC-B, FP40 In-Reply-To: <746ca6da0911092346v345b0e67p4a4c2408a10a3655@mail.gmail.com> References: <3172b9cb0911091830g76239312wb64bac8bf9dc7a5a@mail.gmail.com> <746ca6da0911092346v345b0e67p4a4c2408a10a3655@mail.gmail.com> Message-ID: <3172b9cb0911101017p15da784pb6081f9db79c0b96@mail.gmail.com> Thanks for the responses! -J Scott On Mon, Nov 9, 2009 at 11:46 PM, Per Carlson wrote: > Hi. > > > What is the difference between the three CRS L3+ forwarding engines? The > > datasheets look like straight copy-paste besides the weight and > > power-ratings. > > That's true for MSC and MSC-B. They are virtually the same, but the > B-version draws less power (and requires a newer XR-version). > > > The only downside to FP40 that I have found so far relates > > to the inability to use SIP-800 (and as a results, older SPAs). > > The FP40 is a completely different breed, and as you have found out, > supports different PLIMS than MSC/MSC-B. These linecards where > originally designed for the ASR14k (a CRS1-light device), but it were > pulled from the market before getting released (more or less). The > downsides of FP40, compared to MSC/MSC-B, are less hardware queues and > not being able to do 40G at minimal packet sizes. 
>
> You can use older SPA's in any of the "Flexible Interface Modules"
> (http://www.cisco.com/en/US/prod/collateral/routers/ps5763/data_sheet_c78-553671.html and http://www.cisco.com/en/US/prod/collateral/routers/ps5763/data_sheet_c78-549654.html).
>
> --
> Pelle
>

From mark.meijerink at sara.nl Tue Nov 10 13:14:26 2009 From: mark.meijerink at sara.nl (Mark Meijerink) Date: Tue, 10 Nov 2009 19:14:26 +0100 Subject: [c-nsp] RSA and rancid Message-ID: <4AF9AD82.2040904@sara.nl>

Hi there,

I am looking for a way to combine RSA tokens to authenticate to devices and use rancid to make backups of my device configuration. The RSA tokens use RADIUS as the authentication method. The problem is that rancid is an automated process and the rancid process is not able to watch an RSA token and fill in the authentication key. This sounds a bit strange but I don't know any other way to describe the problem.

Is anyone of you using RSA tokens and rancid? If so, please explain how you make this work.

Thanks in advance for your comments.

Regards,
Mark

From jared.a.gillis at gmail.com Tue Nov 10 14:21:09 2009 From: jared.a.gillis at gmail.com (Jared Gillis) Date: Tue, 10 Nov 2009 11:21:09 -0800 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <20091110073600.GE51443@gerbil.cluepon.net> References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net> <4AF856AC.5070805@gmail.com> <20091110073600.GE51443@gerbil.cluepon.net> Message-ID: <4AF9BD25.80405@gmail.com>

Richard A Steenbergen wrote:
> On Mon, Nov 09, 2009 at 09:51:40AM -0800, Jared Gillis wrote:
>> While I agree with these statements, our issue is not tree recalculation/convergence.
Our issue and driving need for IS-IS >> multiarea is the fact that we have 3750ME's which can only hold ~2k >> routes in the TCAM in our IS-IS domain, and we'll very rapidly exhaust >> the TCAM unless we can do route summarization (i.e. upstream L2's send >> default/ATT only). > > So why can't you put the the routes into iBGP, use your IGP only for the > loopbacks, and learn a default route from your upstream devices? That's exactly what we are doing, but still expect to exhaust the TCAM before too long, especially if we add support for IPv6 (which is a long-term goal). -Jared From swmike at swm.pp.se Tue Nov 10 14:26:00 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Tue, 10 Nov 2009 20:26:00 +0100 (CET) Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <4AF9BD25.80405@gmail.com> References: <4AF21CA5.4050804@gmail.com> <200911081520.34864.mtinka@globaltransit.net> <200911081917.29547.mtinka@globaltransit.net> <4AF856AC.5070805@gmail.com> <20091110073600.GE51443@gerbil.cluepon.net> <4AF9BD25.80405@gmail.com> Message-ID: On Tue, 10 Nov 2009, Jared Gillis wrote: > That's exactly what we are doing, but still expect to exhaust the TCAM > before too long, especially if we add support for IPv6 (which is a > long-term goal). Do you realistically see IPv6 support working in the 3750MEs ? Looking at the scalability numbers I've been kind of sceptic... -- Mikael Abrahamsson email: swmike at swm.pp.se From leonardo.souza at nec.com.br Tue Nov 10 14:31:32 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Tue, 10 Nov 2009 17:31:32 -0200 Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> Hi list, I would like to know whether SUP720-3BXL supports IPv4 fragmented packets in hardware or not. If it can be supported in hardware, in which cases would the PFC3 punt the IPv4 fragmented packets to MSFC? Unfortunately I could not find/receive a good reference about it so far. 
Thanks.

From rubensk at gmail.com Tue Nov 10 14:40:44 2009 From: rubensk at gmail.com (Rubens Kuhl) Date: Tue, 10 Nov 2009 17:40:44 -0200 Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> Message-ID: <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com>

Leonardo,

Do you mean the ability to fragment packets when traversing to smaller MTU links, or matching fragmented packets in ACLs (fragment ACL clause)? In my experience it doesn't support the former, and the latter is PFC-supported but not available on every IOS release.

Rubens

From leonardo.souza at nec.com.br Tue Nov 10 14:50:02 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Tue, 10 Nov 2009 17:50:02 -0200 Subject: [c-nsp] RES: IPv4 fragmented packets on SUP720-3BXL In-Reply-To: <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br>

Hi,

Actually I meant the ability to forward fragmented packets in hardware. The router is not fragmenting the packets at all.
-----Original Message----- From: Rubens Kuhl [mailto:rubensk at gmail.com] Sent: Tuesday, 10 November 2009 17:41 To: Leonardo Gama Souza Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] IPv4 fragmented packets on SUP720-3BXL

Leonardo,

Do you mean the ability to fragment packets when traversing to smaller MTU links, or matching fragmented packets in ACLs (fragment ACL clause)? In my experience it doesn't support the former, and the latter is PFC-supported but not available on every IOS release.

Rubens

From gert at greenie.muc.de Tue Nov 10 14:59:01 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 10 Nov 2009 20:59:01 +0100 Subject: [c-nsp] RES: IPv4 fragmented packets on SUP720-3BXL In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> Message-ID: <20091110195901.GI163@greenie.muc.de>

Hi,

On Tue, Nov 10, 2009 at 05:50:02PM -0200, Leonardo Gama Souza wrote:
> Actually I meant the ability to forward fragmented packets in hardware.
> The router is not fragmenting the packets at all.

There is nothing special about *forwarding* fragmented packets - unless you have an ACL or anything else that wants to look at Layer 4 info.
gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From philxor at gmail.com Tue Nov 10 15:09:42 2009 From: philxor at gmail.com (Phil Bedard) Date: Tue, 10 Nov 2009 15:09:42 -0500 Subject: [c-nsp] Default behaviour of MPLS enabled interfaces on 6500 SXI In-Reply-To: <6bb5f5b10911100913m7785f7d0hb9671c707c419c66@mail.gmail.com> References: <6bb5f5b10911100913m7785f7d0hb9671c707c419c66@mail.gmail.com> Message-ID:

By default it will drop the traffic. If you know the incoming label you can create a static binding, but you can't create a static binding for the default route... Not sure of any other mechanisms. In JunOS you can create an "MPLS default route" which takes unknown labeled packets and lets you manipulate them as you see fit. But this isn't JunOS. :)

Phil

On Nov 10, 2009, at 12:13 PM, Rubens Kuhl wrote:
> Hi,
>
> Just curious: what happens on a label-enabled interface when a packet comes with a label that hasn't been negotiated thru LDP? Is it a default permit, a default deny, anything that can be changed or tuned?
>
> Rubens

From leonardo.souza at nec.com.br Tue Nov 10 15:20:13 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Tue, 10 Nov 2009 18:20:13 -0200 Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL In-Reply-To: <20091110195901.GI163@greenie.muc.de> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br>

Hi,

>There is nothing special about *forwarding* fragmented packets - unless
>you have an ACL or anything else that wants to look at Layer 4 info.

That would be Netflow or some QoS policy attached to the interface, for instance?
I guess the router should reassemble the fragmented packets before applying any policing on the traffic arriving on the interface... Am I right?

From leonardo.souza at nec.com.br Tue Nov 10 16:00:22 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Tue, 10 Nov 2009 19:00:22 -0200 Subject: [c-nsp] RES: Default behaviour of MPLS enabled interfaces on 6500 SXI In-Reply-To: References: <6bb5f5b10911100913m7785f7d0hb9671c707c419c66@mail.gmail.com> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E3C@spsrvmail03.nec.br>

Maybe:

mpls static crossconnect in_label out_interface out_label

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Phil Bedard Sent: Tuesday, 10 November 2009 18:10 To: Rubens Kuhl Cc: Cisco-nsp Subject: Re: [c-nsp] Default behaviour of MPLS enabled interfaces on 6500 SXI

By default it will drop the traffic.
If you know the incoming label you can create a static binding, but you can't create a static binding for the default route... Not sure of any other mechanisms. In JunOS you can create an "MPLS default route" which takes unknown labeled packets and lets you manipulate them as you see fit. But this isn't JunOS. :) Phil On Nov 10, 2009, at 12:13 PM, Rubens Kuhl wrote: > Hi, > > Just curious: what happens on a label-enabled interface when a packet > comes with a label that hasn't been negotiated thru LDP ? Is it a > default permit, a default deny, anything that can be changed or tuned > ? > > > Rubens From sthaug at nethelp.no Tue Nov 10 16:03:57 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Tue, 10 Nov 2009 22:03:57 +0100 (CET) Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> Message-ID: <20091110.220357.74737002.sthaug@nethelp.no> > >There is nothing special about *forwarding* fragmented packets - unless > >you have an ACL or anything else that wants to look at Layer 4 info. > > That would be Netflow or some QoS policy attached to the interface, for > instance? Normal ACL or possibly a QoS policy based on an ACL. > I guess the router should reassemble the fragmented packets before > applying any policing on the traffic arriving on the interface... > Am I right? No. 
Each fragment is matched against the ACL on its own. Steinar Haug, Nethelp consulting, sthaug at nethelp.no From ras at e-gerbil.net Tue Nov 10 16:13:40 2009 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Tue, 10 Nov 2009 15:13:40 -0600 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <200911102232.01323.mtinka@globaltransit.net> References: <4AF21CA5.4050804@gmail.com> <200911091432.32320.mtinka@globaltransit.net> <20091109072346.GK51443@gerbil.cluepon.net> <200911102232.01323.mtinka@globaltransit.net> Message-ID: <20091110211340.GH51443@gerbil.cluepon.net> On Tue, Nov 10, 2009 at 10:31:40PM +0800, Mark Tinka wrote: > > > However, wearing my "instructor" hat when we give workshops > in various places around the world, we tend to teach folk > how to build large scale networks, based on our own > experiences doing the same. > > In some cases, we say build scaling into your operations > even when it may seem "unnecessary", because the general > assumption is that your network is going to grow. Sure, it > could take 5, 10, 15 years, depending on whom you ask, but > if there's a chance it does grow, you don't want to re-work > your entire design to add scaling into the mix; especially > since adding scalability in from the start doesn't add any > incremental cost in terms of $$ or complexity. I have nothing against advocating that you design your network to scale from the very beginning, and (without trying to channel Vijay Gill here) IMHO if you don't design your network to scale then in all likelihood it WON'T scale. But there is also a point where you start making more trouble for yourself than you save, and may actually inhibit your growth by adding unnecessary additional complexity. Smart network engineering is about knowing the network you are trying to build, and figuring out where that magic line is so you don't cross it. 
I think your argument applies perfectly to situations like "but I only have a few hundred /30s between my 10 3560s, why can't I just redistribute connected/static into my IGP and call it a day". Yes you COULD, but if you grow your network by even a very small amount you'll start to bump the CAM limits on your stackable switches, and thus you should probably engineer your network to scale past that limit from the very beginning. Taking the time to design a system with only loopbacks into IGP + iBGP loopback peering and redistribution of other routes into BGP may be more time consuming than just slapping a redist into your IGP, but it will save you more time in the end. On the other hand, what level of scale do you need before IGP areas actually start to pay off, and make it worth the added complexity and other issues you will impose (inter-area TE problems, etc)? You'd need to take your 10 routers to what? 100? 1000? 10000? At what point does your newly expanded network look absolutely nothing like your original network, to the point that nothing you decided about your 10 router network has any bearing on your new network? If you're really designing some massive dial network with the potential for 10000 pops, or the next IBM Global Services network, you may have a legitimate reason for needing the IGP areas. But if you're building a more concentrated network there just may never be a situation where there is any benefit no matter how big you grow (i.e. I don't think Level 3 has any need for them :P). There is no right answer for everyone, your network may look very different from mine, etc. We can both make arguments for simplistic theories like "you should always design to scale" vs "keep it simple stupid" until we're blue in the face, but at the end of the day this is an engineering question to which there is no one correct answer. Did I mention I got a lot of D's in class from arguing with the teacher? 
:) -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From c-nsp at djvh.nl Tue Nov 10 16:18:19 2009 From: c-nsp at djvh.nl (Dirk-Jan van Helmond) Date: Tue, 10 Nov 2009 22:18:19 +0100 Subject: [c-nsp] RSA and rancid In-Reply-To: <4AF9AD82.2040904@sara.nl> References: <4AF9AD82.2040904@sara.nl> Message-ID: <61FA706B-E242-45F6-A3CE-E380D1F2EDA8@djvh.nl> Hi Mark, Don't use RSA authentication for automated processes? If the authentication isn't being sent plaintext, there is no added security in using one time passwords for automated processes. Regards, Dirk-Jan On Nov 10, 2009, at 7:14 PM, Mark Meijerink wrote: > Hi there, > > I am looking for a way to combine RSA tokens to authenticate to devices and use rancid to make backups of my device > configuration. > > The RSA tokens use radius as authentication method. The problem is that rancid is an automated process and the rancid > process is not able to watch on a RSA token and fill in the authentication key. This sounds a bit strange but I don't > know any other way to describe the problem. > > Is anyone of you using RSA tokens and rancid? If so, please explain how you make this work. Thanks in advance for your > comments. > > Regards, > Mark From peter at rathlev.dk Tue Nov 10 16:26:10 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 10 Nov 2009 22:26:10 +0100 Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass? Message-ID: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> On Tue, 2009-11-10 at 10:44 -0600, James Slepicka wrote: > Just keep in mind that traffic through the firewalls usually* needs to > be symmetric. Be sure to account for that in your design. 
> > * > https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html I've read about this, but I fail to see what the point is. If the firewall doesn't do stateful inspection, then why use a firewall? Why not just a router/switch with L4 ACLs? What am I missing? -- Peter From gert at greenie.muc.de Tue Nov 10 16:37:14 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 10 Nov 2009 22:37:14 +0100 Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> Message-ID: <20091110213714.GK163@greenie.muc.de> Hi, On Tue, Nov 10, 2009 at 06:20:13PM -0200, Leonardo Gama Souza wrote: > >There is nothing special about *forwarding* fragmented packets - unless > >you have an ACL or anything else that wants to look at Layer 4 info. > > That would be Netflow or some QoS policy attached to the interface, for > instance? > I guess the router should reassemble the fragmented packets before > applying any policing on the traffic arriving on the interface... > Am I right? No. Routers will never reassemble transit traffic. (Some firewall devices do, so maybe the IOS firewalling feature set will do funny things with fragments, but normal IOS will never ever reassemble packets not destined to itself) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de 
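The point made in this thread (a router forwards transit fragments without reassembling them, and each fragment is matched against the ACL on its own) is what makes fragment handling a security question for stateless ACLs: only the initial fragment carries the TCP/UDP header, so a Layer 4 ACE can never see ports in a non-initial fragment. The following Python model is an added example and not code from this thread or from Cisco. It encodes the IOS extended-ACL fragment-matching rules as I read them from Cisco's ACL documentation (an ACE with Layer 4 information is matched on Layer 3 only for a non-initial fragment, permitting it if the ACE is a permit and being skipped if it is a deny; the `fragments` keyword restricts an ACE to non-initial fragments); that reading is an assumption to verify against your platform's documentation and behaviour. The addresses, the ACLs and the fragmented datagram are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


# Constructed model of IPv4 fragments as a stateless packet filter sees them:
# only the initial fragment (offset 0) carries the TCP/UDP header, so a
# non-initial fragment has no port information at all.
@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp": IP header field, present in every fragment
    offset: int           # fragment offset in 8-byte units; 0 = initial fragment or unfragmented
    dport: Optional[int]  # destination port; None for non-initial fragments

    @property
    def non_initial(self) -> bool:
        return self.offset > 0


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None  # Layer 4 information, e.g. "eq 443"
    fragments: bool = False      # the "fragments" keyword: non-initial fragments only


def _layer3_match(ace: ACE, frag: Fragment) -> bool:
    """Protocol, source and destination come from the IP header of every fragment."""
    if ace.proto != "ip" and ace.proto != frag.proto:
        return False
    return (ip_address(frag.src) in ip_network(ace.src)
            and ip_address(frag.dst) in ip_network(ace.dst))


def evaluate(acl: List[ACE], frag: Fragment) -> str:
    """Apply the ACL to one fragment on its own; nothing is reassembled.

    Rules modelled (assumed from Cisco's IOS ACL fragment documentation):
    - an ACE with the 'fragments' keyword is checked against non-initial fragments only;
    - an ACE with only Layer 3 information matches initial and non-initial fragments alike;
    - an ACE with Layer 4 information is matched on Layer 3 only for a non-initial
      fragment: a permit entry permits it, a deny entry is skipped and evaluation
      continues with the next ACE;
    - the list ends with an implicit deny.
    """
    for ace in acl:
        if not _layer3_match(ace, frag):
            continue
        if ace.fragments:
            if frag.non_initial:
                return ace.action
            continue
        if ace.dport is None:
            return ace.action
        if frag.non_initial:
            if ace.action == "permit":
                return "permit"
            continue
        if frag.dport == ace.dport:
            return ace.action
    return "deny"


def evaluate_datagram(acl: List[ACE], fragments: List[Fragment]) -> List[Tuple[int, str]]:
    """Verdict per fragment, in arrival order (the initial fragment need not arrive first)."""
    return [(f.offset, evaluate(acl, f)) for f in fragments]


SERVER = "192.0.2.10/32"   # constructed documentation-range address
ANY = "0.0.0.0/0"


def build_sample_acls() -> Dict[str, List[ACE]]:
    """Three constructed ACLs in front of SERVER, each followed by the implicit deny."""
    return {
        # Only HTTPS is meant to be reachable.
        "naive": [ACE("permit", "tcp", ANY, SERVER, dport=443)],
        # Same intent, but non-initial fragments are handled explicitly and first.
        "with_fragments": [ACE("deny", "tcp", ANY, SERVER, fragments=True),
                           ACE("permit", "tcp", ANY, SERVER, dport=443)],
        # A Layer 4 deny followed by a Layer 3 permit: the deny is skipped for
        # non-initial fragments, which then hit the permit.
        "deny_then_permit": [ACE("deny", "tcp", ANY, SERVER, dport=22),
                             ACE("permit", "ip", ANY, SERVER)],
    }


def sample_datagram(dport: int = 22) -> List[Fragment]:
    """A constructed TCP datagram to `dport`, split into two fragments."""
    return [Fragment("198.51.100.7", "192.0.2.10", "tcp", offset=0, dport=dport),
            Fragment("198.51.100.7", "192.0.2.10", "tcp", offset=185, dport=None)]


if __name__ == "__main__":
    for name, acl in build_sample_acls().items():
        print(f"{name:17} port 22 -> {evaluate_datagram(acl, sample_datagram(22))}")
        print(f"{name:17} port 443 -> {evaluate_datagram(acl, sample_datagram(443))}")
```

Running it shows the trade-off behind the question in this thread: under the naive ACL the initial fragment of a datagram to port 22 is denied but its second fragment is permitted, because the permit-443 entry can only match it on Layer 3; the explicit `fragments` deny closes that, at the price of also dropping the non-initial fragments of legitimate HTTPS datagrams, so it is only appropriate where fragmented traffic to that host is not expected. The third ACL shows why ordering matters: a Layer 4 deny does not stop non-initial fragments from reaching a later Layer 3 permit.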
From moua0100 at umn.edu Tue Nov 10 16:42:10 2009 From: moua0100 at umn.edu (Ge Moua) Date: Tue, 10 Nov 2009 15:42:10 -0600 Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass? In-Reply-To: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> Message-ID: <4AF9DE32.2050902@umn.edu> I've always been leery of this feature; I've considered using it in the past to troubleshoot badly written apps that muck up tcp 3-way handshakes/4-way teardowns; I can see this as a quick & dirty mechanism to bypass the stateful inspection engine without taking the firewall logically out of the data path; I'd be careful with using this feature without serious consideration of consequences; I also don't like the fact that it changes the default "stateful inspection" behavior. I'd also be interested to hear what other folks think about this.. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Peter Rathlev wrote: > On Tue, 2009-11-10 at 10:44 -0600, James Slepicka wrote: > >> Just keep in mind that traffic through the firewalls usually* needs to >> be symmetric. Be sure to account for that in your design. >> >> * >> https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html >> > > I've read about this, but I fail to see what the point is. If the > firewall doesn't do stateful inspection, then why use a firewall? Why > not just a router/switch with L4 ACLs? > > What am I missing? > > From peter at rathlev.dk Tue Nov 10 16:54:52 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 10 Nov 2009 22:54:52 +0100 Subject: [c-nsp] uRPF bug on C6k SXI1? 
In-Reply-To: <4AF9693C.4000301@imperial.ac.uk> References: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk> <4AF9693C.4000301@imperial.ac.uk> Message-ID: <1257890092.1166.34.camel@abehat.dyn.net.rm.dk> Hi Phil, Thanks for the input. On Tue, 2009-11-10 at 13:23 +0000, Phil Mayers wrote: > Do you have CoPP or MLS rate limiters? Is the traffic being CPU punted > (use a SPAN session to find out) and this rate-limiting what's causing > the drops? No CoPP or rate-limiters configured, only defaults. Is there any way to see counters for the rate-limiters? The "show > If so, it could be a hardware/tcam programming error; we've seen a few > of these in obscure cases on SXI, and I've not found a reliable way to > clear them. Does a "shut" / "no shut" of the SVI fix the problem? Or > the various "clear" commands (e.g. "clear cef" etc.) Well, I tried shutting/unshutting the SVI, and now I can't seem to recreate the problem. :-( > > If I remove the "ip verify"-command and then add the version with > > "allow-default" directly, I have no problems. Without uRPF there's > > no problem either. Only when first entering the command without > > "allow-default" and then adding "allow-default" does the problem > > appear. > > We haven't seen that, but have seen other issues where (apparently) > CEF entries are programmed incorrectly resulting in traffic being CPU > punted and having to pass through CoPP, and thus being very lossy. I would really like to have looked more into this, but with the problem gone, I'm stuck: If it would happen again, is there any way to check what the rate-limiters/CoPP drops via some counters? -- Regards, Peter From rwest at zyedge.com Tue Nov 10 16:54:28 2009 From: rwest at zyedge.com (Ryan West) Date: Tue, 10 Nov 2009 16:54:28 -0500 Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass? 
In-Reply-To: <4AF9DE32.2050902@umn.edu> References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> <4AF9DE32.2050902@umn.edu> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E2A17CDA@zy-ex1.zyedge.local> Hi, > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Ge Moua > Sent: Tuesday, November 10, 2009 4:42 PM > To: Peter Rathlev > Cc: cisco-nsp > Subject: Re: [c-nsp] What's the value of ASA/FWSM TCP state bypass? > > I've always been leery of this feature; I've considered using it in the > past to troubleshoot badly written apps that muck up tcp 3-way > handshakes/4-way teardowns; I can see this as a quick & dirty mechanism > to bypass the stateful inspection engine without taking the firewall > logically out of the data path; I'd be careful with using this feature > without serious consideration of consequences; I also don't like the > fact that it changes the default "stateful inspection" behavior. > > I'd also be interested to hear what other folks think about this.. > I've used it when there is only a layer 2 switch at a branch office and a CE managed MPLS router is on the same segment. If the ASA is the default route in this scenario and traffic is sent to the MPLS router, the handshakes don't complete and the traffic is dropped. There are other ways around this, of course, but it's an option to allow the ASA to route on its inside interface before it examines the flow. Netscreens have no issue with this and Checkpoints just need to know about the internal network and they will route as well. 
-ryan From eng_mssk at hotmail.com Tue Nov 10 17:06:43 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Wed, 11 Nov 2009 00:06:43 +0200 Subject: [c-nsp] streaming In-Reply-To: References: Message-ID: any site with streaming or buffering, like youtube and stuff like that slow, means the buffering is so slow > Subject: RE: [c-nsp] streaming > Date: Tue, 10 Nov 2009 18:29:14 +0100 > From: avayner at cisco.com > To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net > > Muhammad, > > What do you mean streaming is slow? > What kind of streaming? > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Tuesday, November 10, 2009 18:23 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] streaming > > > hey all > > i have a wimax connection and i tested everything is ok from browsing to > download speed except for streaming > what are possible causes for streaming to be so slow while other > applications are fairly fast > > thanks in advance 
From dwinkworth at att.net Tue Nov 10 16:57:49 2009 From: dwinkworth at att.net (Derick Winkworth) Date: Tue, 10 Nov 2009 13:57:49 -0800 (PST) Subject: [c-nsp] backup lsp/second path-option priority... In-Reply-To: <4AF9A8C0.9060800@slepicka.net> References: <4AF473CD.7000405@inex.ie> <20091106213521.GL163@greenie.muc.de> <4AF49BA1.3060508@inex.ie> <4AF9A8C0.9060800@slepicka.net> Message-ID: <344830.44368.qm@web180016.mail.gq1.yahoo.com> I am trying to configure something like this: A primary LSP with 5g bandwidth... and lower priority.. A secondary LSP with 500m bandwidth and higher priority.. Essentially, if all links are up, then the primary paths will be used and we will have maximum bandwidth utilization... If we lose a link, then the secondary LSPs will kick in for those failed primaries, and if necessary, the secondary LSP will preempt other primary LSPs. Any thoughts on how to accomplish this in IOS? Thanks... From rdobbins at arbor.net Tue Nov 10 18:31:44 2009 From: rdobbins at arbor.net (Dobbins, Roland) Date: Tue, 10 Nov 2009 23:31:44 +0000 Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass? In-Reply-To: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> Message-ID: On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote: > I've read about this, but I fail to see what the point is. 
The point is that there shouldn't be firewalls in front of servers in the first place, given that every packet which comes in is unsolicited and therefore the stateful inspection is both completely obviated and forms a DDoS chokepoint; and yet folks have been so conditioned by security snake-oil marketing to put firewalls in front of their servers that they do it anyways, complain to their vendors when said firewalls fall over with relatively small amounts of traffic due to state-table exhaustion, and thus need a way to disable the stateful inspection they paid so much to achieve so that they can still claim that they've a firewall in front of their servers, even though said firewalls are iatrogenic in nature. ;> Folks should do as you say, hardening their servers/apps/services, enforcing policy via stateless ACLs in hardware, and deploying reaction tools such as S/RTBH. Firewalls in front of servers is generally a Bad Idea, period. ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From gsgranados at comcast.net Tue Nov 10 18:44:26 2009 From: gsgranados at comcast.net (Scott Granados) Date: Tue, 10 Nov 2009 15:44:26 -0800 Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass? References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk> Message-ID: <01b201ca625f$c63ad500$2408120a@am.thmulti.com> And don't forget stop running Microsoft products! Secure and Microsoft can't be used in the same text let alone sentence unless it's in the negative. This is a big part of the firewall conditioning. People are so used to hopelessly insecure operating environments that this makes sense as a solution when in reality all one need do is run a real OS properly hardened. ----- Original Message ----- From: "Dobbins, Roland" To: "Cisco-nsp" Sent: Tuesday, November 10, 2009 3:31 PM Subject: Re: [c-nsp] What's the value of ASA/FWSM TCP state bypass? 
> > On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote: > >> I've read about this, but I fail to see what the point is. > > The point is that there shouldn't be firewalls in front of servers in the > first place, given that every packet which comes in is unsolicited and > therefore the stateful inspection is both completely obviated and forms a > DDoS chokepoint; and yet folks have been so conditioned by security > snake-oil marketing to put firewalls in front of their servers that they > do it anyways, complain to their vendors when said firewalls fall over > with relatively small amounts of traffic due to state-table exhaustion, > and thus need a way to disable the stateful inspection they paid so much > to achieve so that they can still claim that they've a firewall in front > of their servers, even though said firewalls are iatrogenic in nature. > > ;> > > Folks should do as you say, hardening their servers/apps/services, > enforcing policy via stateless ACLs in hardware, and deploying reaction > tools such as S/RTBH. Firewalls in front of servers is generally a Bad > Idea, period. > > ----------------------------------------------------------------------- > Roland Dobbins // > > Injustice is relatively easy to bear; what stings is justice. > > -- H.L. Mencken From ashnet2009 at gmail.com Tue Nov 10 18:47:29 2009 From: ashnet2009 at gmail.com (Ash Net) Date: Tue, 10 Nov 2009 18:47:29 -0500 Subject: [c-nsp] OT : AristaNetworks Switches Message-ID: <896a291f0911101547r20c131d6sb5fd3503380aa6ef@mail.gmail.com> Hi Folks, A bit offtopic but wondering if anybody has had the chance of evaluating/Deploying AristaNetwork Switching products. 
they are currently offering low latency 10Gig switching products and appear to be competing in the same space as Nexus platform. Any feedback would be greatly appreciated, Thanks in advance From john at vanoppen.com Tue Nov 10 19:27:24 2009 From: john at vanoppen.com (John van Oppen) Date: Tue, 10 Nov 2009 16:27:24 -0800 Subject: [c-nsp] OT : AristaNetworks Switches References: <896a291f0911101547r20c131d6sb5fd3503380aa6ef@mail.gmail.com> Message-ID: We have a few of them in production, since this is non-cisco shoot me an email off-list and I can chat about them. John van Oppen Spectrum Networks LLC Direct: 206.973.8302 Main: 206.973.8300 Website: http://spectrumnetworks.us -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ash Net Sent: Tuesday, November 10, 2009 3:47 PM To: Cisco-nsp Subject: [c-nsp] OT : AristaNetworks Switches Hi Folks, A bit offtopic but wondering if anybody has had the chance of evaluating/Deploying AristaNetwork Switching products. they are currently offering low latency 10Gig switching products and appear to be competing in the same space as Nexus platform. Any feedback would be greatly appreciated, Thanks in advance From adwhite at inchix.net Wed Nov 11 02:16:54 2009 From: adwhite at inchix.net (Andrew White) Date: Wed, 11 Nov 2009 18:16:54 +1100 Subject: [c-nsp] 3750G vs. Nexus for a SAN In-Reply-To: References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> Message-ID: <9e2e3bc20911102316s66f49b3as14ea4a9cc603ff95@mail.gmail.com> On Tue, Nov 10, 2009 at 4:02 AM, Jason Gurtz wrote: >> Any reason why you wouldn't go for fcoe on nexus 5k? :) > > It does look like that is what the box is really for. 
To answer the > question, it all depends on what SAN goes in. A lot of the newer stuff > with better value is iSCSI only and eschews FC in any form. > Well I'm not too sure on the better value point - I doubt it will be long before netapp and the likes pop a fcoe cna into their kit. Current prices of gen-2 cna's are not really any more expensive than a dual port 10ge card so why wouldn't you go fcoe? No ip, no tcp windows, no need to chew cpu on hosts no managing authentication > Maybe a better question to ask is how does the nexus 5k fare against 49xx > switch doing iSCSI? I don't think it would make much difference really, 5k will have less latency not that it really matters for iscsi :) > > ~JasonG > From mtinka at globaltransit.net Wed Nov 11 01:46:17 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 11 Nov 2009 14:46:17 +0800 Subject: [c-nsp] IS-IS Multiarea on 12.2 SR In-Reply-To: <20091110211340.GH51443@gerbil.cluepon.net> References: <4AF21CA5.4050804@gmail.com> <200911102232.01323.mtinka@globaltransit.net> <20091110211340.GH51443@gerbil.cluepon.net> Message-ID: <200911111446.39608.mtinka@globaltransit.net> On Wednesday 11 November 2009 05:13:40 am Richard A Steenbergen wrote: > :-). > I have nothing against advocating that you design your > network to scale from the very beginning, and (without > trying to channel Vijay Gill here) IMHO if you don't > design your network to scale then in all likelihood it > WON'T scale. Agree. > But there is also a point where you start > making more trouble for yourself than you save, and may > actually inhibit your growth by adding unnecessary > additional complexity. 
Also agree, e.g., it is possible to build too much redundancy that just ends up being complex, it is possible to have too many upstream service providers that your eBGP routing policy becomes too complicated and fails to work as expected, e.t.c. We say, "Scale, but KISS". > Smart network engineering is about > knowing the network you are trying to build, and figuring > out where that magic line is so you don't cross it. Also agree. Again, we don't say "Scale for scaling's sake", on the assumption that it is possible for those learning to misunderstand the message and think scaling = complexity, and that complexity may be justified by the need to scale. Unfortunately, without getting into the full details about the workshops we give, I can understand why you may think we may be advocating for "blind scaling", for lack of a better term. But on the contrary, our messages are very specific to areas where scaling is important, without adding undue complexity, and keeping things as simple as they should be. So yes, in principle, agree here also. > I think your argument applies perfectly to situations > like "but I only have a few hundred /30s between my 10 > 3560s, why can't I just redistribute connected/static > into my IGP and call it a day". :-), not at all, actually. We NEVER advocate for any customer prefixes (including /30 point-to-points) to be anywhere near the IGP. We also NEVER advocate for any kind of redistribution (although we realize a lot of folks tend to trade-off when it comes to this, mostly due to mind-set, laziness, e.t.c.). I once gave a workshop where the entire class agreed that redistribution isn't necessarily a good thing when done blindly and with laziness as an unconscious motive. We all agreed that if it was possible, avoid it, unless you really know what you're doing, e.g., l3vpn's for PE-CE routing, redistribution controlled with route-maps, e.t.c. 
Then what happens, one of the attendees goes back and actually continues to redistribute all Connected and Static entries without prejudice because when he joined the trade, it was engrained in him either by books, mentors, vendor marketing, e.t.c. - as instructors, we can also only go so far :-\. > Yes you COULD, but if you > grow your network by even a very small amount you'll > start to bump the CAM limits on your stackable switches, > and thus you should probably engineer your network to > scale past that limit from the very beginning. Agree - of course, there are dynamics that cannot be captured during workshops, e.g., will you use regular routers at the edge or TCAM-limited so-called Layer 3 switches instead; to run with your example, Richard. Like you say, there is no magic solution. Our message, while specific, is also generalized in many areas; scale as long as you keep simplicity in mind, but adapt to your individual environments and make your own decisions because no two networks have the same "pocket-depth", nor do they have the same topology. So yes, in principle, agree here also. > Taking the > time to design a system with only loopbacks into IGP + > iBGP loopback peering and redistribution of other routes > into BGP may be more time consuming than just slapping a > redist into your IGP, but it will save you more time in > the end. But this is exactly what our workshops advocate. Nowhere do we say you should do anything else :-). IGP only for infrastructure + Loopbacks. iBGP for all customer prefixes. Is our message. But you do get some folk who've heard this for the first time at the workshop and fail to comprehend why an IGP is not used for "all internal" routing entries. So they'll gladly do the workshop with you, as well as the labs, but go back home and continue to bloat their IGP. Again, as instructors, we can only go so far. So yes, agree here also (is it getting old, hehe?). 
> On the other hand, what level of scale do you need before > IGP areas actually start to pay off, and make it worth > the added complexity and other issues you will impose > (inter-area TE problems, etc)? You'd need to take your 10 > routers to what? 100? 1000? 10000? At what point does > your newly expanded network look absolutely nothing like > your original network, to the point that nothing you > decided about your 10 router network has any bearing on > your new network? If you're really designing some massive > dial network with the potential for 10000 pops, or the > next IBM Global Services network, you may have a > legitimate reason for needing the IGP areas. But if > you're building a more concentrated network there just > may never be a situation where there is any benefit no > matter how big you grow (i.e. I don't think Level 3 has > any need for them :P). Again, I agree - that's why I mentioned, in my previous post to you, that our message on "Scale as early as possible (in correspondence with your individual environment and with simplicity at heart)", transcends just IGP routing; there's a lot more to it that will influence the choices the operators that attend our workshops will make. We look at the issues holistically, not individually, and hope that the attendees make the most reasonable design decision based on the "most neutral" information provided, e.g.: - Solve the iBGP mesh problem with route reflectors or confederations. Route reflectors are simpler than confederations, but there have been corner cases where confederations have been desirable. Because those corner cases are few and far between, and we think simplicity in this case trumps "corner case", we recommend the use of route reflectors. - We get attendees asking what model of XR 12000 series or CRS-1 is better for their core just because the Cisco product positioning says so, or which model in the T-series range is better just because Juniper product positioning says so. 
Our advice is neutral, "Don't drink the marketing cool aid. Many networks have 7200-VXR's or M7i's as core, because that's all they've ever needed in their plans - and they work". - Static routing in a 5-router network will work well, but just because it is small, doesn't mean you should wait until you explode to 100 routers before you consider moving to dynamic routing, especially if router and network resources are not an issue. Here, we're recommending to scale early because we assume the network might either grow, or become too complex to manage as the number of routing entries increases, or both. - RFD (Route Flap Dampening) has a specific solution to solve. But given that router control planes are getting faster, global connectivity is getting more stable with more sub-sea and terrestrial connectivity coming online, e.t.c., many networks realize that the troubles RFD causes may not be worth the perceived benefits. So, if you have to deploy it, think about what it means to your business/network - if it were I (the instructor), I wouldn't for A, B, C, D reasons. Our goal is not to simply say, "Take our word for it, it's the rule". Our goal is to foster open and unrestricted thinking, with some basic guidelines, of course. So yes, in principle, agree here also. > There is no right answer for > everyone, your network may look very different from mine, > etc. Agree, based on my arguments above. We try to provide fundamental principles with basic guidelines, not rules. The idea is knowledge transfer, not technology transfer. To analogize, "It is wrong to kill someone, but just because we haven't explicitly mentioned that stabbing them without causing them death is equally as wrong, doesn't mean we're sanctioning it - learn to think beyond the marketing/snazzy slides/RFC's/vendor-centric fora/news media/standards bodies meetings, e.t.c.". > We can both make arguments for simplistic theories > like "you should always design to scale" vs "keep it > simple stupid"... 
I know this is just an example you're giving, but to nit-pick, there's no reason why you can't scale and maintain simplicity at the same time - and I'm sure you agree also that you can scale while maintaining simplicity, depending on the situation at hand. But my actual comment on this one is, some ideologies complement each other; they are not always necessarily presented (to be considered) in contrast. But in general, ...

> until we're blue in the face, but at the
> end of the day this is an engineering question to which
> there is no one correct answer.

... I take your point, and I agree, again, per my arguments above.

I guess the issue here was that you may not be familiar with the kinds of workshops we run, so it may not be unreasonable to assume we're teaching "scalability" for its own "sake".

In fact, to illustrate the kind of confusion we put our attendees through, on the one hand, we say, "Aggregate your eBGP announcements as much as possible, and where you can, aggregate your iBGP announcements just as much". On the other, we say, "Route summarization in a link state IGP helps scale the network, but it may break optimal routing, so in this case, we trade off scalability for optimality". Attendees get very confused about why we "selectively" scale, and the devil is in the details, as I'm sure you can appreciate.

However, those that manage to understand the tactics we use to open up their minds then ask, "But doesn't the use of Route Leaking in IS-IS moot the need for multiple levels on the basis of building a multi-level IS-IS network just for scaling? So then what is the point of having multiple levels in IS-IS in the first place?" When we hear questions like these, we know we have reached success :-).

There are tons of other cases, but this is the general idea.
We encourage workshops given by other operators, because there's nothing like it when compared to reading vendor certification material, reading RFC specs, reading vendor product marketing data sheets, or attending classes given by individuals that have learned how IP networks work but have never run a network.

> Did I mention I got a lot of D's in class from arguing
> with the teacher?

+1 :-).

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL:

From arne.svennevik at met.no Wed Nov 11 03:59:37 2009
From: arne.svennevik at met.no (arne.svennevik at met.no)
Date: Wed, 11 Nov 2009 08:59:37 +0000 (UTC)
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To: <1943528331.2437241257929684801.JavaMail.root@imap1a>
Message-ID: <394222653.2437631257929977020.JavaMail.root@imap1a>

----- "Nick Hilliard" wrote:

> Incidentally, if you're planning to use the N5K as a fancy 1G switch,
> note that the system will change the switching mode from cut-through to
> store-n-forward for GE ports; cut-through is only supported for 10G
> transceivers. This may matter for iSCSI.

Looking at the specs, an alternative would be a central 5010 and two 2148 FEX as top-of-rack 1G. Using up to 40 of the 1G ports and 4 x 10G for uplink to the N5K would make it line-rate, right? Has anyone got any experience with this setup?

Arne

From alex at digriz.org.uk Wed Nov 11 05:12:49 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Wed, 11 Nov 2009 10:12:49 +0000
Subject: [c-nsp] RSA and rancid
References: <4AF9AD82.2040904@sara.nl> <61FA706B-E242-45F6-A3CE-E380D1F2EDA8@djvh.nl>
Message-ID: <1afqs6-3dp.ln1@chipmunk.wormnet.eu>

Dirk-Jan van Helmond wrote:
>
> Don't use RSA authentication for automated processes?
>

Use local accounts, or if your devices support it, SSH public keys are a handy option.
To be honest you would be crazy to rely just on RSA authentication, as if your RADIUS server is dead you will not be able to log into *any* of your switching infrastructure...oh, your RADIUS server might be dead because of a network issue :)

Also why VoIP is great, no support calls to deal with when there are problems :)

So in short, you *have* to have a local backup account...even if it is only accessible via a serial console server.

> If the authentication isn't being sent plaintext, there is no added
> security in using one time passwords for automated processes.
>

I have to take grumblings against that. OTPs go a good way to stop bruteforce attacks[1] and also go a long way to *prove* that the person logging in has not had their credentials p0wned.

Cheers

[1] well if you are using naff pincode jobs (RSA or HOTP for example), then maybe it is pointless, but rfc2289 is rather good

--
Alexander Clouter
.sigmonster says: Girls are better looking in snowstorms.
-- Archie Goodwin

From jimmi at netpoint.com.br Wed Nov 11 06:52:40 2009
From: jimmi at netpoint.com.br (jimmi)
Date: Wed, 11 Nov 2009 08:52:40 -0300
Subject: [c-nsp] MPLS Multi-AS options...
In-Reply-To: <4a80ecce0911091357l3879e60bk5153056c3c0c1096@mail.gmail.com>
References: <4a80ecce0911051140s693a3f61u9baf714a029e0927@mail.gmail.com> <200911071534.30804.mtinka@globaltransit.net> <20091109180657.M51920@netpoint.com.br> <4a80ecce0911091357l3879e60bk5153056c3c0c1096@mail.gmail.com>
Message-ID: <20091111115124.M44452@netpoint.com.br>

Kenny, Mark, and whoever else is interested in this matter.

It will be a pleasure to discuss and share information regarding it, but if you don't mind I'd rather do it in private, without copying the whole list.

Just let me know who else is interested.

---------- Original Message -----------
From: Kenny Sallee
To: jimmi
Cc: mtinka at globaltransit.net, cisco-nsp at puck.nether.net
Sent: Mon, 9 Nov 2009 13:57:19 -0800
Subject: Re: [c-nsp] MPLS Multi-AS options...
> Hi Jimmi - thanks for sharing - some comments / questions inline below
>
> On Mon, Nov 9, 2009 at 10:07 AM, jimmi wrote:
>
> >
> > Folks.
> >
> > I read these papers a long time ago, so I do not remember anymore exactly
> > what
> > these option labels (A, B, AB,...) definitions mean.
> >
>
> Quick recap for you:
> Option A = back to back VRF's via sub-interfaces and BGP peering PER VRF
> (lots of resources)
> Option B = exchange of VPN-IPv4 addresses and agreement on RT's and
> label switched path from ingress PE to egress PE routers
> Option AB (aka option D as I've learned): VRF's and sub-interface per
> client and a single eBGP session to carry VPN-IPv4 addresses
>
> >
> > What I can tell you guys is that I operate a network which has an Inter-AS
> > peering where we exchange IPv4 & VPNv4 prefixes and traffic while
> > maintaining
> > QoS services compatibility at both sides (ASs) for a long time, and customers
> > whose VPNs have sites serviced by both ASs have their QoS requirements
> > honored
> > at both ASs' backbones and last mile connections.
> >
>
> Sounds like you are doing option B?
>
> >
> > I already had real "Inter-AS + QoS compatibility" experience with Cisco
> > being
> > the only platform, and where Cisco interoperates with (two) different
> > vendors,
> > and that worked just fine.
> >
>
> On your ASBR - do you have to create VRF's for every customer that crosses
> the ASBR? Do you mind sharing the relevant parts of your configuration
> (sanitized of course) if possible?
>
> >
> > This deployment, where you just had to establish a single eBGP peering at
> > VPNv4
> > address-family to exchange VPNv4 prefixes and traffic (of course you may
> > exchange IPv4 also, and may establish redundant peerings), brings lots of
> > benefits.
> > It does not impact your ASBR resources, reduces the number of
> > connections between ASBRs & routing gets simplified, allows
> > oversubscription
> > between ASBRs, does not require you to act at the borders (ASBRs) each
> > time a
> > "site" is added or removed from a customer VPN (regardless of where this site is
> > connected).
> >
>
> That's interesting actually - sounds pretty straightforward. So
> far it seems like some overseas operators are actually doing this or
> contemplating doing it. Anyone in the continental US researching
> and/or implemented (ing) either of the options?
>
> Kenny
------- End of Original Message -------

From lists at quux.de Wed Nov 11 09:03:08 2009
From: lists at quux.de (Jens Link)
Date: Wed, 11 Nov 2009 15:03:08 +0100
Subject: [c-nsp] RSA and rancid
In-Reply-To: <4AF9AD82.2040904@sara.nl> (Mark Meijerink's message of "Tue, 10 Nov 2009 19:14:26 +0100")
References: <4AF9AD82.2040904@sara.nl>
Message-ID: <87k4xxjh0j.fsf@laphroiag.quux.de>

Mark Meijerink writes:

> Is anyone of you using RSA tokens and rancid? If so, please explain how
> you make this work. Thanks in advance for your comments.

A friend of mine told me that a combination of a web cam, fuzzyOCR and some Perl code is working fine for token based auto logins.

I haven't worked with RSA tokens for a long while but I think there was an option to not use a token for logging in.

HTH

Jens

--
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany | +49-151-18721264          |
| http://www.quux.de  | http://blog.quux.de   | jabber: jenslink at guug.de |
-------------------------------------------------------------------------

From p.mayers at imperial.ac.uk Wed Nov 11 11:31:36 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 11 Nov 2009 16:31:36 +0000
Subject: [c-nsp] uRPF bug on C6k SXI1?
In-Reply-To: <1257890092.1166.34.camel@abehat.dyn.net.rm.dk>
References: <1257855740.22754.9.camel@abehat.dyn.net.rm.dk> <4AF9693C.4000301@imperial.ac.uk> <1257890092.1166.34.camel@abehat.dyn.net.rm.dk>
Message-ID: <4AFAE6E8.8080401@imperial.ac.uk>

Peter Rathlev wrote:
> Hi Phil,
>
> Thanks for the input.
>
> On Tue, 2009-11-10 at 13:23 +0000, Phil Mayers wrote:
>> Do you have CoPP or MLS rate limiters? Is the traffic being CPU punted
>> (use a SPAN session to find out) and this rate-limiting what's causing
>> the drops?
>
> No CoPP or rate-limiters configured, only defaults. Is there any way to
> see counters for the rate-limiters? The "show
>
>> If so, it could be a hardware/tcam programming error; we've seen a few
>> of these in obscure cases on SXI, and I've not found a reliable way to
>> clear them. Does a "shut" / "no shut" of the SVI fix the problem? Or
>> the various "clear" commands (e.g. "clear cef" etc.)
>
> Well, I tried shutting/unshutting the SVI, and now I can't seem to
> recreate the problem. :-(

Yep, that sounds familiar. We've seen the problem with dodgy CEF prefixes "suddenly" go away when SVIs are shut/no shut. Someone suggested the next-hop MTU getting set wrong in the hardware and causing CPU punts, and that this can happen when SVIs come up/down very occasionally :o(

>
>>> If I remove the "ip verify"-command and then add the version with
>>> "allow-default" directly, I have no problems. Without uRPF there's
>>> no problem either. Only when first entering the command without
>>> "allow-default" and then adding "allow-default" does the problem
>>> appear.
>> We haven't seen that, but have seen other issues where (apparently)
>> CEF entries are programmed incorrectly resulting in traffic being CPU
>> punted and having to pass through CoPP, and thus being very lossy.
>
> I would really like to have looked more into this, but with the problem
> gone, I'm stuck: If it would happen again, is there any way to check
> what the rate-limiters/CoPP drops via some counters?

Well, CoPP drops can be seen with:

sh policy-map control-plane

...but if you haven't got it set up, you'll see nothing.

sh mls rate-limit

...shows the current config for MLS rate limiters, but again if you've not got it set up then the defaults are some pretty conservative multicast punts and nothing else IIRC.

Hmm.

From vuillaumes at gmail.com Wed Nov 11 12:17:21 2009
From: vuillaumes at gmail.com (samuel vuillaume)
Date: Wed, 11 Nov 2009 12:17:21 -0500
Subject: [c-nsp] VPLS and SSTP or STP
Message-ID:

Hi guys,

Just a quick question. Here's my context
---------------------------------------------------
CPE1----------*QinQ + L2PT port* (7600)------VPLS-----------(7600) *Trunk port* ------NNI---------CPE2

CPE1 and CPE2 run PVST+ and both 7600s don't run any STP.

On the QinQ + L2PT port (7600), I ran a debug netdr and:
- I can see PVST+ traffic coming from CPE1
- I can't see PVST+ traffic coming from CPE2 (from the (7600) Trunk port chassis)

On the (7600) Trunk port, I ran the same debug, debug netdr, and:
- I can see L2PT traffic coming (from the (7600) QinQ + L2PT port) originated from CPE1

My question is, on a *basic Trunk port* (as above, facing CPE2), how should VPLS handle those SSTP BPDUs (01:00:0C...CD)? Apparently they're dropped, and only untagged STP BPDUs 01:80...... are allowed.

IMPORTANT: the NNI VLAN is already double tagged.

Any thoughts would be appreciated....

tks
Sam

From ben at cuckoo.org Wed Nov 11 12:33:14 2009
From: ben at cuckoo.org (Ben White)
Date: Wed, 11 Nov 2009 17:33:14 +0000
Subject: [c-nsp] Different CPU load on two 7206VXR-NPEG2
In-Reply-To:
References:
Message-ID:

Packet fragmentation and re-assembly on one path to one of the sites could explain it. Maybe 'show ip traffic' could glean some useful information.
--
Ben

From thomas at habets.pp.se Wed Nov 11 06:00:45 2009
From: thomas at habets.pp.se (Thomas Habets)
Date: Wed, 11 Nov 2009 12:00:45 +0100 (CET)
Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
In-Reply-To: <20091110213714.GK163@greenie.muc.de>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> <20091110213714.GK163@greenie.muc.de>
Message-ID:

On Tue, 10 Nov 2009, Gert Doering wrote:
> No. Routers will never reassemble transit traffic.

Never is a strong word. It seems "ip virtual-reassembly" does it. It looks like it at least reassembles them in memory and delays them before forwarding them (as fragments), from the debug and counters. On a virtual 7200:

Router#show ip virtual-reassembly fa1/0
FastEthernet1/0:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF

   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:23
   Total reassembly timeout count:3

Not that you'd want to do it, but still.

---------
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas at habets.pp.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

From lukasz at bromirski.net Wed Nov 11 18:29:04 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 12 Nov 2009 00:29:04 +0100
Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
In-Reply-To:
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br> <20091110213714.GK163@greenie.muc.de>
Message-ID: <4AFB48C0.5050003@bromirski.net>

On 2009-11-11 12:00, Thomas Habets wrote:
> On Tue, 10 Nov 2009, Gert Doering wrote:
>> No. Routers will never reassemble transit traffic.
>
> Never is a strong word. It seems "ip virtual-reassembly" does it. It looks
> like it at least reassembles them in memory and delays them before
> forwarding them (as fragments) from the debug and counters. On a virtual
> 7200:

Sure. But that functionality is not found on core routers, but on border routers running CBAC/ZBFW or IPS functionalities, that need a whole packet to do their work on it. As Gert noted, a fragmented IP packet is forwarded in hardware (or "normally") as long as it contains valid header information.

--
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From chpreddi at gmail.com Wed Nov 11 20:18:07 2009
From: chpreddi at gmail.com (Pratap Reddy)
Date: Thu, 12 Nov 2009 12:18:07 +1100
Subject: [c-nsp] Cisco 12000 Series Packet over SONET/SDH (POS) Line Cards (2-Port OC-192c POS )
Message-ID: <910ab33c0911111718w7a6c0224la49b86871a82a4ca@mail.gmail.com>

Hi,

I am planning to use the Cisco 12000 series two port OC-192 line card.

I would like to have some feedback on this line card.

This line card supports Synchronous Digital Hierarchy (SDH). Has anyone configured it as Gig enabling WAN?
I used SPA-1x10GE-WL-V2 on 12000-SIP-600 as 10Gig enabling WAN. So I am trying to check if 2-Port OC-192c POS can also be configured for 10Gig enabling WAN.

Cheers.
Pratap.

From gwendel at gmail.com Wed Nov 11 21:07:50 2009
From: gwendel at gmail.com (Greg Wendel)
Date: Wed, 11 Nov 2009 21:07:50 -0500
Subject: [c-nsp] What's the value of ASA/FWSM TCP state bypass?
In-Reply-To:
References: <1257888370.1166.6.camel@abehat.dyn.net.rm.dk>
Message-ID: <8dfae3430911111807t79f5f95u69e1e71a86f32396@mail.gmail.com>

Roland,

iatrogenic. induced inadvertently ...
http://www.merriam-webster.com/dictionary/IATROGENIC

It is not often I have to look up a word on this board. Well played sir.

On Tue, Nov 10, 2009 at 6:31 PM, Dobbins, Roland wrote:

>
> On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote:
>
> > I've read about this, but I fail to see what the point is.
>
> The point is that there shouldn't be firewalls in front of servers in the
> first place, given that every packet which comes in is unsolicited and
> therefore the stateful inspection is both completely obviated and forms a
> DDoS chokepoint; and yet folks have been so conditioned by security
> snake-oil marketing to put firewalls in front of their servers that they do
> it anyways, complain to their vendors when said firewalls fall over with
> relatively small amounts of traffic due to state-table exhaustion, and thus
> need a way to disable the stateful inspection they paid so much to achieve
> so that they can still claim that they've a firewall in front of their
> servers, even though said firewalls are iatrogenic in nature.
>
> ;>
>
> Folks should do as you say, hardening their servers/apps/services,
> enforcing policy via stateless ACLs in hardware, and deploying reaction
> tools such as S/RTBH. Firewalls in front of servers is generally a Bad
> Idea, period.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Gregory Wendel
Springfield VA, 22153

From mksmith at adhost.com Wed Nov 11 21:11:26 2009
From: mksmith at adhost.com (Michael K. Smith)
Date: Wed, 11 Nov 2009 18:11:26 -0800
Subject: [c-nsp] RSA and rancid
In-Reply-To: <87k4xxjh0j.fsf@laphroiag.quux.de>
Message-ID:

On 11/11/09 6:03 AM, "Jens Link" wrote:

> Mark Meijerink writes:
>
>> Is anyone of you using RSA tokens and rancid? If so, please explain how
>> you make this work. Thanks in advance for your comments.
>
> A friend of mine told me that a combination of a web cam, fuzzyOCR and
> some Perl code is working fine for token based auto logins.
>
> I haven't worked with RSA tokens for a long while but I think there was
> an option to not use a token for logging in.
>

If you are running an ACS/TACACS+ server on the back end you should be able to specify local-database authentication for your Rancid user and RSA token for everything else.
Regards,

Mike

From rubensk at gmail.com Wed Nov 11 21:13:21 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Thu, 12 Nov 2009 00:13:21 -0200
Subject: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2DFB@spsrvmail03.nec.br> <6bb5f5b10911101140n37e8cba6o27d79bd9c6d584c0@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E18@spsrvmail03.nec.br> <20091110195901.GI163@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DC2E2D@spsrvmail03.nec.br>
Message-ID: <6bb5f5b10911111813m30da24dbkcc582766c798a2bd@mail.gmail.com>

>>There is nothing special about *forwarding* fragmented packets - unless
>>you have an ACL or anything else that wants to look at Layer 4 info.
>
> That would be Netflow or some QoS policy attached to the interface, for
> instance?
> I guess the router should reassemble the fragmented packets before
> applying any policing on the traffic arriving on the interface...
> Am I right?

It assumes that any fragment matches clauses with L4 info, because it lacks stateful context from the first fragment to eval it.

Rubens

From swmike at swm.pp.se Thu Nov 12 01:31:16 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 12 Nov 2009 07:31:16 +0100 (CET)
Subject: [c-nsp] Cisco 12000 Series Packet over SONET/SDH (POS) Line Cards (2-Port OC-192c POS )
In-Reply-To: <910ab33c0911111718w7a6c0224la49b86871a82a4ca@mail.gmail.com>
References: <910ab33c0911111718w7a6c0224la49b86871a82a4ca@mail.gmail.com>
Message-ID:

On Thu, 12 Nov 2009, Pratap Reddy wrote:

> Hi,
>
> I am planning to use the Cisco 12000 series two port OC-192 line card.
>
> I would like to have some feedback on this line card.
>
> This line card supports Synchronous Digital Hierarchy (SDH).
> Has anyone configured it as Gig enabling WAN?
> I used SPA-1x10GE-WL-V2 on 12000-SIP-600 as 10Gig enabling WAN.
> So I am trying to check if 2-Port OC-192c POS can also be configured
> for 10Gig enabling WAN.

No, it's Packet over Sonet using HDLC or PPP, it doesn't do ethernet at all. Also, it requires the 12800 upgrade/fabric to work (if it's the old Engine6 card you're referring to).

PS. I interpreted "10Gig enabling WAN" as 10GBASE-LW (WANPHY); if it's something else then all bets are off.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From n00dles at nix-jutsu.net Thu Nov 12 04:12:46 2009
From: n00dles at nix-jutsu.net (n00dles at nix-jutsu.net)
Date: Thu, 12 Nov 2009 09:12:46 +0000
Subject: [c-nsp] Cisco 800 stops forwarding layer 3 via switchport
In-Reply-To: <00dc01ca6229$164da950$42e8fbf0$@net>
References: <20091110164250.GA1003@atsuko> <00dc01ca6229$164da950$42e8fbf0$@net>
Message-ID: <20091112091246.GA52721@atsuko>

On Tuesday, 10 November 2009 at K:13:13 -0600, Jesse Alexander wrote:
> I have seen this issue happen with a customer 800 series, and I think there
> were just too many IP's for it to handle. If I remember correctly, they
> were using an 871. In my case, we think it couldn't handle a /22 (I think
> it was a /22, it was a couple of years ago).

Each site, of which there are a large number (a chain of hotels), has a /27; we are currently seeing the issue on 10-15 sites randomly. I'm doubtful that the kit is unable to handle the load.

> The customer would be fine for a period of time (a few hours or less), then
> would not be able to reach the world until they rebooted it. Because we
> didn't manage the 800, we had no visibility to it, so I cannot tell you
> the specific reason. Because the issue went away after the customer
> upgraded their hardware, we can only assume that the 800 was insufficient
> for their needs.

Our customer won't consider swapping kit out; your experience sounds more advanced than ours, as we are only seeing the issue sporadically.
>
> -Jesse
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> n00dles at nix-jutsu.net
> Sent: Tuesday, November 10, 2009 10:43 AM
> To: cisco-nsp at puck.nether.net
> Cc: networks at timico.net
> Subject: Re: [c-nsp] Cisco 800 stops forwarding layer 3 via switchport
>
> Hello all,
>
> We have a strange issue between PIX 501's running 6.3(5) and our 800 series
> routers; we are using various 800s (857/877) with a spread of IOS versions.
> The problem manifests itself as a drop of connectivity between the two
> devices, that being we lose layer 3 forwarding out of the switch-port
> module on the 800.
>
> We are of the opinion we have ethernet connectivity between devices as
> the mac-address table is being populated after being cleared, and
> link state shows up/up, but we cannot ping, nor can the device ARP for
> the PIX.
>
> Static ARP entries also do not fix the issue; the only way we have found
> so far to fix the problem is to reboot the 800.
>
> Has anyone experienced this kind of problem before?
>
> Regards
>
> --
>        _
> Chris Nicholls                  ASCII ribbon campaign ( )
> Timico Network Operations     - against HTML, vCards and  X
> chris at timico.net            - proprietary attachments in e-mail / \
> ---end quoted text---

--
       _
Chris Nicholls                  ASCII ribbon campaign ( )
Timico Network Operations     - against HTML, vCards and  X
chris at timico.net            - proprietary attachments in e-mail / \

From n00dles at nix-jutsu.net Thu Nov 12 04:37:34 2009
From: n00dles at nix-jutsu.net (n00dles at nix-jutsu.net)
Date: Thu, 12 Nov 2009 09:37:34 +0000
Subject: [c-nsp] Cisco 800 stops forwarding layer 3 via switchport
In-Reply-To: <73636ae00911111004m5ed306d3p3f7aea90aea6ee25@mail.gmail.com>
References: <20091110164250.GA1003@atsuko> <73636ae00911111004m5ed306d3p3f7aea90aea6ee25@mail.gmail.com>
Message-ID: <20091112093734.GB52721@atsuko>

On Wednesday, 11 November 2009 at K:04:55 +0000, Paul Cosgrove wrote:
> Not personally, but I have heard of similar issues which affect old
> versions of the PIX software. Does disabling/enabling or
> disconnecting/reconnecting the interface also resolve the issue?

Sadly not that I'm aware of; the customer "manages" the PIXs involved, which are really only doing NAT from the looks of the config they have provided.

> On Tue, Nov 10, 2009 at 4:42 PM, <n00dles at nix-jutsu.net> wrote:
>
> Hello all,
> We have a strange issue between PIX 501's running 6.3 and our 800 series
> routers; we are using various 800s (857/877) with a spread of IOS versions.
> The
> problem manifests itself as a drop of connectivity between the two
> devices, that being we lose layer 3 forwarding out of the
> switch-port
> module on the 800.
> We are of the opinion we have ethernet connectivity between devices
> as
> the mac-address table is being populated after being cleared, and
> link state shows up/up, but we cannot ping, nor can the device ARP for
> the PIX.
> Static ARP entries also do not fix the issue; the only way we have
> found
> so far to fix the problem is to reboot the 800.
> Has anyone experienced this kind of problem before?
> Regards
> --
>        _
> Chris Nicholls                  ASCII ribbon campaign ( )
> Timico Network Operations     - against HTML, vCards and  X
> chris at timico.net            - proprietary attachments in e-mail / \
>
---end quoted text---

--
       _
Chris Nicholls                  ASCII ribbon campaign ( )
Timico Network Operations     - against HTML, vCards and  X
chris at timico.net            - proprietary attachments in e-mail / \

From niklas.rehnberg at gmail.com Thu Nov 12 07:27:07 2009
From: niklas.rehnberg at gmail.com (niklas rehnberg)
Date: Thu, 12 Nov 2009 13:27:07 +0100
Subject: [c-nsp] (multi chass)i mc lag feature 7600
Message-ID:

Hi,

Has anyone any information about when the 7600 will support mc-lag?

//Niklas

From achatz at forthnet.gr Thu Nov 12 07:57:26 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 12 Nov 2009 14:57:26 +0200
Subject: [c-nsp] (multi chass)i mc lag feature 7600
In-Reply-To:
References:
Message-ID: <4AFC0636.9060602@forthnet.gr>

ES cards under SRE are supposed to support it.

--
Tassos

niklas rehnberg wrote on 12/11/2009 14:27:
> Hi,
> Has anyone any information about when the 7600 will support mc-lag?
>
> //Niklas
>

From madunix at gmail.com Thu Nov 12 08:10:02 2009
From: madunix at gmail.com (madunix)
Date: Thu, 12 Nov 2009 15:10:02 +0200
Subject: [c-nsp] Fiber
Message-ID: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>

I need to know your opinion about fiber to desk, i.e. pros and cons..

Thanks in advance.

From swmike at swm.pp.se Thu Nov 12 08:24:33 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 12 Nov 2009 14:24:33 +0100 (CET)
Subject: [c-nsp] Fiber
In-Reply-To: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
Message-ID:

On Thu, 12 Nov 2009, madunix wrote:

> I need to know your opinion about fiber to desk, i.e. pros and cons..

Fiber is much more sensitive to dust, bending and other kinds of things that might happen day-to-day with people who don't really know or care about data communication. It's also more expensive generally (everything involved, NICs, switches and cables, is more expensive).

Why would you want to do it? I don't really see any pros whatsoever to doing it.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From iam at st-andrews.ac.uk Thu Nov 12 08:29:28 2009
From: iam at st-andrews.ac.uk (Ian McDonald)
Date: Thu, 12 Nov 2009 13:29:28 +0000
Subject: [c-nsp] Fiber
In-Reply-To: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
Message-ID: <4AFC0DB8.4020708@st-andrews.ac.uk>

madunix wrote:
> I need to know your opinion about fiber to desk, i.e. pros and cons..
>
> Thanks in advance.
>
>

Well, it does rather depend on your requirements.

My opinion is that it's good:
where you're not allowed copper, like oil refineries
where copper cable won't work due to massive interference
where you must have runs to desktops that are over 90m (tho I've some long runs on cat6 that work at 100M, just keep them below 200m, and use quality cable)

Downsides are obviously:
cost of adapters for PCs
cost of fibre switches
single-technology (you don't get 10/100/1000 fibre standards, so you have to do all one-standard)
it's more sensitive to being bashed, stood on, etc

Back in the day, when they thought copper was dead, Brand-Rex developed a shotgun copper+blown-fibre tube called BloTwist (http://www.ezziengineering.com/pdf/cables/BloliteBro.pdf). Of all the places our local Brand-Rex guy knows they fitted it, not one has used the fibre capability to date.

What actually is your requirement?

--
ian

Ian McDonald, ITS, University of St Andrews

The University of St Andrews is a charity registered in Scotland: SC013532

From shaw38 at gmail.com Thu Nov 12 09:49:36 2009
From: shaw38 at gmail.com (Steve Shaw)
Date: Thu, 12 Nov 2009 09:49:36 -0500
Subject: [c-nsp] WDM Splitter
Message-ID: <1d3cfae10911120649v22a91a9fm1e4f25542ee81da8@mail.gmail.com>

Guys,

Has anyone used one of these WDM splitter cables from cisco (WDM-1300-1550-S)?

https://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6575/product_data_sheet0900aecd8029d01b_ps708_Products_Data_Sheet.html

If I'm reading the data sheet correctly, since it splits off the 1300 and 1550 wavelengths you *should* be able to get 2x10-GE out of a single pair with an LR and ER optic at either end.
Thanks,
Steve

From nick at inex.ie Thu Nov 12 10:13:04 2009
From: nick at inex.ie (Nick Hilliard)
Date: Thu, 12 Nov 2009 15:13:04 +0000
Subject: [c-nsp] Fiber
In-Reply-To:
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
Message-ID: <4AFC2600.3070707@inex.ie>

On 12/11/2009 13:24, Mikael Abrahamsson wrote:
> Why would you want to do it? I don't really see any pros what so ever to
> do it.

It's useful if you want 10G to the desk. Otherwise, it's too fragile and sensitive for the average office environment.

Nick

From mhuff at ox.com Thu Nov 12 09:01:35 2009
From: mhuff at ox.com (Matthew Huff)
Date: Thu, 12 Nov 2009 09:01:35 -0500
Subject: [c-nsp] Fiber
In-Reply-To: <4AFC0DB8.4020708@st-andrews.ac.uk>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com> <4AFC0DB8.4020708@st-andrews.ac.uk>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9D77551D4AD@PUR-EXCH07.ox.com>

> where you're not allowed copper, like oil refineries
> where copper cable won't work due to massive interference
> where you must have runs to desktops that are over 90m (tho I've some
> long runs on cat6 that work at 100M, just keep them below 200m, and use quality cable)

Now that 10G over copper Cat6a (802.3an 10GBASE-T) has been finalized there isn't any good reason to go with fiber except for physical requirements like Ian stated. Also, desktop fiber aggregation is much more expensive in terms of line cards, diversity of switch choices, and lack of desktop NICs.

Usually I hear FTTD being done to "future proof" the wiring. Most of the time the fiber never ends up being used. Cat6a is backwards compatible with 5e, so if you are doing a new wiring plant, that's enough "future proof" for the next reasonable term.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From damin at nacs.net Thu Nov 12 09:48:27 2009
From: damin at nacs.net (Gregory Boehnlein)
Date: Thu, 12 Nov 2009 09:48:27 -0500
Subject: [c-nsp] L2TP Configuration Debugging
Message-ID: <02f101ca63a7$3487be40$9d973ac0$@net>

Hello,

I am attempting to help a customer debug an interconnect issue on his L2TP configuration. Unfortunately, this particular customer is not very Cisco savvy, and I am not very L2TP-on-Cisco savvy, so I would like to recruit someone for an hour (paid) to assist in debugging this tunnel configuration. Specifically, we are attempting to get DSL PPPoE sessions to establish the tunnel to a remote router for authentication / transport.

Please let me know if you are interested in assisting, and what your hourly rate is.

Thanks!

From travis.marlow at everestgt.com Thu Nov 12 10:22:34 2009
From: travis.marlow at everestgt.com (Travis Marlow)
Date: Thu, 12 Nov 2009 09:22:34 -0600
Subject: [c-nsp] SP QoS Service Class
Message-ID: <6C6B0D3E366A42FABDC5B13B3AF9955C@corp.surewest.com>

I'm trying to plan for a QoS implementation for an Internet Access provider. I just finished reading RFC 4594 and it recommends VoIP signalling traffic be marked CS5. Every other reference I have seen always has it at AF31 or CS3. Is anyone else using the RFC recommendation? Would any SP be willing to share a general configuration for the service classes they have defined?

Sorry for the duplicate, I sent from the wrong email address before.
From madunix at gmail.com Thu Nov 12 11:12:47 2009
From: madunix at gmail.com (madunix)
Date: Thu, 12 Nov 2009 18:12:47 +0200
Subject: [c-nsp] Fiber
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9D77551D4AD@PUR-EXCH07.ox.com>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com> <4AFC0DB8.4020708@st-andrews.ac.uk> <483E6B0272B0284BA86D7596C40D29F9D77551D4AD@PUR-EXCH07.ox.com>
Message-ID: <4d3f56c90911120812r7b195462q94b6c4c4727b1d74@mail.gmail.com>

I am just trying to take advantage of using light technologies in the LAN for our new building, due to the long distance between the offices (over 90m). I know fiber is fast and expensive and copper gigabit is still far cheaper, and fiber to the desktop isn't required for the majority of applications.

Thanks

On Thu, Nov 12, 2009 at 4:01 PM, Matthew Huff wrote:
> Now that 10G over copper Cat6a (802.3an 10GBASE-T) has been finalized there aren't any good reason to go with fiber except for physical requirements like Ian stated.

From koug at intracom.gr Thu Nov 12 10:38:28 2009
From: koug at intracom.gr (John Kougoulos)
Date: Thu, 12 Nov 2009 17:38:28 +0200 (GTB Standard Time)
Subject: [c-nsp] Fiber
In-Reply-To: <4AFC2600.3070707@inex.ie>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com> <4AFC2600.3070707@inex.ie>
Message-ID:

> it's useful if you want 10G to the desk. Otherwise, it's too fragile and
> sensitive for the average office environment.

Maybe plastic optical fibers are not so fragile/sensitive, but I haven't seen them in production.

John

From Charlie.Greenaway at btinet.bt.com Thu Nov 12 11:16:23 2009
From: Charlie.Greenaway at btinet.bt.com (Charlie Greenaway)
Date: Thu, 12 Nov 2009 16:16:23 -0000
Subject: [c-nsp] L2TP Configuration Debugging
Message-ID: <7EA99F102607DF43BDF25CC6847500870450E566@lhmail.btinet.local>

Gregory,

Please drop me a line with the configuration of the router acting as PPPoE client and the router acting as the LNS. Also, please detail what is in the RADIUS profile (if a AAA server is being used). No promises, but I'll check it over and offer up some suggestions if I have any.

Best regards,
Charlie G

Charlie Greenaway - CCIE#11226 (Security/R&S)
Solutions Architect | BT iNet | Tel: +44 (0)1993 885897
Email: charlie.greenaway at btinet.bt.com | Web: www.btinet.bt.com

--------------------------
Hello,

I am attempting to help a customer debug an interconnect issue on his L2TP configuration. Unfortunately, this particular customer is not very Cisco savvy, and I am not very L2TP-on-Cisco savvy, so I would like to recruit someone for an hour (paid) to assist in debugging this tunnel configuration.
Specifically, we are attempting to get DSL PPPoE sessions to establish the tunnel to a remote router for authentication / transport. Please let me know if you are interested in assisting, and what your hourly rate is. Thanks!

From akg1330 at gmail.com Thu Nov 12 10:20:16 2009
From: akg1330 at gmail.com (Andrew Gallo)
Date: Thu, 12 Nov 2009 10:20:16 -0500
Subject: [c-nsp] Fiber
In-Reply-To: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
Message-ID: <4AFC27B0.9000408@gmail.com>

madunix wrote:
> I need to know your opinion about fiber to desk i.e. pros and cons..
>
> Thanks in advance.

We have an extensive fiber-to-the-desk network. The pros are that it allowed us to centralize equipment much farther away from the clients than the 100m distance limitation of twisted pair.
This allowed for better port utilization and better environmentals (power and cooling in one place rather than lots of closets). The current plant we're on has supported us from 10BaseFL, 100BaseFX, ATM155, and will continue to support us through 1000BaseX (though we might run into some distance limitations on some of our stations). So, the plant has lasted much longer than a copper plant would have.

Cons:

The electronics are more expensive: fiber switchports will cost more and you'll need media converters or fiber NICs; the fiber patch cords are more expensive.

Connectors: there has been one copper connector for twisted pair ethernet, while we have several for fiber.

No speed negotiation: we do have some devices that are 10Base-T only or 100Base-T only, so that presents a challenge (different client equipment to allow for rate adaptation).

New problems that are arising:

No realistic PoE option: we have a growing demand for network-powered devices (APs and phones). There are power-injecting media converters, but they are more expensive.

What specifically is leading you to FTTD?

From akg1330 at gmail.com Thu Nov 12 10:28:01 2009
From: akg1330 at gmail.com (Andrew Gallo)
Date: Thu, 12 Nov 2009 10:28:01 -0500
Subject: [c-nsp] WDM Splitter
In-Reply-To: <1d3cfae10911120649v22a91a9fm1e4f25542ee81da8@mail.gmail.com>
References: <1d3cfae10911120649v22a91a9fm1e4f25542ee81da8@mail.gmail.com>
Message-ID: <4AFC2981.30000@gmail.com>

Steve Shaw wrote:
> Has anyone used one of these WDM splitter cables from cisco
> (WDM-1300-1550-S)?
>
> If I'm reading the data sheet correctly, since it splits off the 1300 and
> 1550 wavelengths you *should* be able to get 2x10-GE out of a single
> pair with an LR and ER optic at either end.

It sounds like your application is something along the lines of what is depicted in Figure 12, "WDM Splitter Cable for Non-CWDM Applications". I haven't used that specific part to do a 1310/1550 10G network, but we have a similar part from Fiberdyne (a Dual Window Mux) to do a SONET (at 1310) overlay on a DWDM signal. We also have a 1000BaseLX overlay onto DWDM systems and have even done a video signal at 1310 using these parts.

As long as you could run either optic over this cable without the combiner/splitter, you should be fine. It will introduce a bit of loss, so make sure you account for that.

From mtinka at globaltransit.net Thu Nov 12 11:51:38 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 13 Nov 2009 00:51:38 +0800
Subject: [c-nsp] Fiber
In-Reply-To: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
Message-ID: <200911130051.46421.mtinka@globaltransit.net>

On Thursday 12 November 2009 09:10:02 pm madunix wrote:
> I need to know your opinion about fiber to desk i.e. pros
> and cons..
I tend to agree with Matthew and the others that have commented on this.

The issue of distance and bandwidth notwithstanding, we've experienced situations where delivering fibre to somebody's home or desk is considered more for marketing mileage than for any technical reason. However, that also tends to set you up for a potential PR disaster, since customers tend to "eat that **** up" and misunderstand it at the same time.

Unless you're trying to solve a distance problem, and/or your customer requires anything more than 1Gbps (well, Cat-6a, as others have mentioned, has been standardized - but diffusion may take a while), then consider copper. Otherwise, the additional potential cost in maintaining it does not really justify passing over copper solutions, IMHO.

Moreover, fibre deployments to the home or desk require CPE, which, in very many cases, speak copper on the other end. So what's really the point? Needless to say, laptops, routers, switches, set-top boxes, wi-fi APs, PCs, Macs, game consoles, TVs, etc., all ship with RJ-45 dual- or tri-rate copper ports as standard these days. So no need for CPE, no need for additional customer training, etc.

Again, distance and bandwidth notwithstanding, this, in my mind, tends to question the long-term sustainability of FTTH, either through PON (Passive Optical Networks) or Active Ethernet. Since FTTH is looked at as a potential replacement for regular ADSL (i.e., consumer broadband), how many users can eat up a 1Gbps connection, assuming their ISP let them? This is not considering bandwidth used by IPTV and such, as customers buy channels for IPTV services, not bandwidth to drive the channels (that's the service provider's problem).

Cheers,

Mark.

From mawhi at vestas.com Thu Nov 12 11:50:15 2009
From: mawhi at vestas.com (Matthew White)
Date: Thu, 12 Nov 2009 08:50:15 -0800
Subject: [c-nsp] Fiber
In-Reply-To:
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com> <4AFC2600.3070707@inex.ie>
Message-ID:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Kougoulos
> Sent: Thursday, November 12, 2009 7:38 AM
> To: Nick Hilliard
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Fiber
>
> > it's useful if you want 10G to the desk. Otherwise, it's too fragile and
> > sensitive for the average office environment.

Don't forget the wiring closet side. Much more care needs to be taken with designing a structured cabling layout for fiber than for copper. With the added cost for patch cords, etc., I don't see any advantages over copper.

-mtw

From gtb at slac.stanford.edu Thu Nov 12 12:03:23 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Thu, 12 Nov 2009 09:03:23 -0800
Subject: [c-nsp] Fiber
In-Reply-To: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com>
Message-ID: <6F51B50ECF32084788B9B3A8469A71B52916559D39@EXCHCLUSTER1-02.win.slac.stanford.edu>

> I need to know your opinion about fiber to desk i.e. pros and cons..

If one needs fiber for distance, electrical isolation, limited space/cooling for access switches, etc., one may want to look at various FTTx technologies (xPON and friends) which can provide fiber to "near" the desk with a relatively low-cost drop to copper (the ONT) at the desk. Note that FTTx is (mostly) a residential subscriber type of solution (more bandwidth *to* the desk than from it), and that may not meet the needs of servers or "power users" (that are really more like servers). As with all else, your particular situation will vary.
A presentation by Sandia at the Internet2/ESCC Joint Techs meeting in Indiana in June of 2009 discussed their particular FTTx plans (and may provide some thoughts): http://www.internet2.edu/presentations/jt2009jul/20090720-brenkosh.pdf

Gary

From mtinka at globaltransit.net Thu Nov 12 12:04:00 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 13 Nov 2009 01:04:00 +0800
Subject: [c-nsp] Fiber
In-Reply-To: <4d3f56c90911120812r7b195462q94b6c4c4727b1d74@mail.gmail.com>
References: <4d3f56c90911120510t7fc29e03le9ef5222dcb92c34@mail.gmail.com> <483E6B0272B0284BA86D7596C40D29F9D77551D4AD@PUR-EXCH07.ox.com> <4d3f56c90911120812r7b195462q94b6c4c4727b1d74@mail.gmail.com>
Message-ID: <200911130104.05791.mtinka@globaltransit.net>

On Friday 13 November 2009 12:12:47 am madunix wrote:
> am just trying to take advantage of using light
> technologies in LAN for our new building, due to long
> distance between the offices over 90m, i know fiber is
> fast expensive and copper gigabit still far cheaper, and
> fiber to desktop isn't required for a majority of
> applications.

If the cost of deploying a fibre-based LAN (in terms of fibre spools, optics, CPE/converters, NICs, maintenance, etc.) outweighs the cost of doing FTTB (Basement) and feeding trunk fibre pairs up to strategically positioned copper-based Ethernet switches, where you're not having to worry about cable distance to users, then you have your answer. Else, you'd need to make the hard choices :-).

And don't just look at capex. Consider opex too (both financial and otherwise).

Cheers,

Mark.

From sethm at rollernet.us Thu Nov 12 13:41:59 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 12 Nov 2009 10:41:59 -0800
Subject: [c-nsp] Client-to-client wireless on 877W
Message-ID: <4AFC56F7.6070307@rollernet.us>

Does anyone know offhand how to enable local wireless bridging (client-to-client communication) on the radio on a Cisco 877W? I swear I thought I saw it in the docs somewhere a year ago when I set this thing up, but for the life of me I can't find it now, or I'm not searching for whatever Cisco likes to call this function.

~Seth

From jason at pins.net Thu Nov 12 15:39:25 2009
From: jason at pins.net (Jason Berenson)
Date: Thu, 12 Nov 2009 15:39:25 -0500
Subject: [c-nsp] SP QoS Service Class
In-Reply-To: <6C6B0D3E366A42FABDC5B13B3AF9955C@corp.surewest.com>
References: <6C6B0D3E366A42FABDC5B13B3AF9955C@corp.surewest.com>
Message-ID: <4AFC727D.4060706@pins.net>

Travis,

This map has worked pretty well for us. The idea behind splitting out RTP from signaling is that if signaling doesn't get through, the call will drop. I welcome constructive criticism. :)

class-map match-any Core_Voice_Signaling
 match access-group name Core_Voice_Signaling
class-map match-any Core_Voice_RTP
 match access-group name Core_Voice_RTP
!
policy-map voice
 class Core_Voice_Signaling
  bandwidth percent 5
 class Core_Voice_RTP
  priority percent 70
 class class-default
  fair-queue
  random-detect dscp-based
!
ip access-list extended Core_Voice_RTP
 remark DSCP 24 = TOS 3
 permit udp any any dscp cs3
 remark DSCP ef
 permit udp any any dscp ef
ip access-list extended Core_Voice_Signaling
 remark MGCP Signaling
 permit udp any any eq 2727
 permit udp any eq 2727 any
 permit udp any any eq 2427
 permit udp any eq 2427 any
 remark Samsung Signaling
 permit udp any any eq 6000
 permit udp any eq 6000 any
 permit tcp any any eq 6100
 permit tcp any eq 6100 any
 remark Cisco Skinny Signaling
 permit udp any any eq 2000
 permit udp any eq 2000 any
 permit tcp any any eq 2000
 permit tcp any eq 2000 any
 remark Allworx Signaling
 permit udp any any eq 2088
 permit udp any eq 2088 any
 permit tcp any any eq 8081
 permit tcp any eq 8081 any
 remark ADIX Signaling
 permit tcp any any eq 50000
 permit tcp any eq 50000 any
 remark SIP Signalling
 permit udp any any eq 5060
 permit udp any eq 5060 any
 permit udp any any eq 5061
 permit udp any eq 5061 any
 permit tcp any any eq 5060
 permit tcp any eq 5060 any
 permit tcp any any eq 5061
 permit tcp any eq 5061 any
!

-Jason

Travis Marlow wrote:
> I'm trying to plan for a QoS implementation for an Internet Access provider.
> I just finished reading RFC 4594 and it recommends VoIP signalling traffic
> be marked CS5. Every other reference I have seen always has it at AF31 or
> CS3. Is anyone else using the RFC recommendation? Would any SP be willing to
> share a general configuration for service classes they have defined.
>
> Sorry for the duplicate, I sent from the wrong email address before.
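As an added example (not code from Jason's post or from anyone on the list), a small Python audit of classification ACLs like the one above: it parses the entries of each "ip access-list extended" block and flags those whose only match criterion is a DSCP value from any source, since such an entry admits whatever marking the sender chose (rated HIGH when the ACL feeds the priority queue, as Core_Voice_RTP does in the posted policy-map), and lists the port-based entries for comparison. The DSCP table and the sample config are constructed from values in this thread; only the any/host/address-wildcard address forms are parsed.

```python
"""Audit IOS extended ACLs that feed QoS classes (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# IOS DSCP keywords -> decimal code points; these are the values behind the
# CS5 / AF31 / CS3 question in this thread (constructed table).
DSCP_NAMES = {
    "default": 0, "cs1": 8, "af11": 10, "af12": 12, "af13": 14,
    "cs2": 16, "af21": 18, "af22": 20, "af23": 22,
    "cs3": 24, "af31": 26, "af32": 28, "af33": 30,
    "cs4": 32, "af41": 34, "af42": 36, "af43": 38,
    "cs5": 40, "ef": 46, "cs6": 48, "cs7": 56,
}

# One entry of the form used in the thread:
#   [seq] permit <proto> <src> [eq <port>] <dst> [eq <port>] [dscp <x>]
# Only 'any', 'host A' and 'A WILDCARD' address forms are recognised.
ACE_RE = re.compile(
    r"^(?:\d+\s+)?(permit|deny)\s+(\w+)"
    r"\s+(any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(\S+))?"
    r"\s+(any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(\S+))?"
    r"(?:\s+dscp\s+(\S+))?\s*$"
)


@dataclass
class Ace:
    acl: str
    text: str
    proto: str
    src_port: Optional[str]
    dst_port: Optional[str]
    dscp: Optional[int]
    remark: Optional[str]  # nearest 'remark' above the entry, if any

    @property
    def marking_only(self) -> bool:
        """True when a DSCP value is the entry's only match criterion."""
        return self.dscp is not None and self.src_port is None and self.dst_port is None


def parse_acls(config: str) -> list[Ace]:
    """Collect the permit entries of every 'ip access-list extended' block."""
    entries: list[Ace] = []
    acl: Optional[str] = None
    remark: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            acl, remark = line.split()[-1], None
        elif line.startswith("remark "):
            remark = line[len("remark "):]
        elif acl and (m := ACE_RE.match(line)):
            action, proto, _src, sp, _dst, dp, dscp = m.groups()
            if action != "permit":
                continue
            code = None
            if dscp is not None:  # keyword or numeric code point
                code = DSCP_NAMES.get(dscp.lower(), int(dscp) if dscp.isdigit() else None)
            entries.append(Ace(acl, line, proto, sp, dp, code, remark))
    return entries


def audit_classification(config: str, priority_acls: set[str]) -> dict[str, list[str]]:
    """Split entries into marking-trust findings and port-based entries.

    priority_acls names the ACLs that feed a 'priority' (LLQ) class.  A
    marking-only entry there is HIGH: any sender that sets that DSCP lands
    in the strict-priority queue, so the marking must be trusted or re-marked
    at the edge before this policy sees it.
    """
    findings: dict[str, list[str]] = {"marking_trust": [], "port_based": []}
    for e in parse_acls(config):
        if e.marking_only:
            sev = "HIGH" if e.acl in priority_acls else "MEDIUM"
            findings["marking_trust"].append(
                f"{sev} {e.acl}: '{e.text}' admits any {e.proto} flow "
                f"marked DSCP {e.dscp} from any source (marking is trusted)"
            )
        else:
            findings["port_based"].append(f"{e.acl}: {e.remark or 'no remark'} -> {e.text}")
    return findings


# Constructed excerpt modelled on the ACLs posted in this thread.
SAMPLE_CONFIG = """\
ip access-list extended Core_Voice_RTP
 remark DSCP 24 = TOS 3
 permit udp any any dscp cs3
 remark DSCP ef
 permit udp any any dscp ef
ip access-list extended Core_Voice_Signaling
 remark SIP Signalling
 permit udp any any eq 5060
 permit udp any eq 5060 any
 permit tcp any any eq 5060
"""

if __name__ == "__main__":
    for kind, items in audit_classification(SAMPLE_CONFIG, {"Core_Voice_RTP"}).items():
        print(kind)
        for item in items:
            print("  " + item)
```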
From tdurack at gmail.com Thu Nov 12 21:32:46 2009
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 12 Nov 2009 21:32:46 -0500
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean
Message-ID: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com>

Anyone know how glean traffic behaves on a Sup720 with CoPP configured?

We have gradually locked down our CoPP config, to the point that our final class is a default deny for any unclassified traffic. Unfortunately this has the unwanted side-effect of dropping glean traffic, with the knock-on effect of some ARP resolution problems.

In our tests, it appears that configuring an explicit class-default works around this, but I can't find any documentation. So far TAC hasn't come up with anything either. On the Nexus, the docs specifically state that glean traffic is directed to the default class.

-- Tim:>

From rintrum at gmail.com Thu Nov 12 22:30:32 2009
From: rintrum at gmail.com (Rin)
Date: Fri, 13 Nov 2009 10:30:32 +0700
Subject: [c-nsp] MAC address use on 7600
Message-ID: <002101ca6411$aa38ef00$feaacd00$@com>

Hi group,

Can someone explain why the 7600 router uses the same MAC address for all VLAN interfaces and ES20 ports? A Catalyst 3560 has a different MAC address for each VLAN interface.

Thanks,
Rin

From jim at tgasolutions.com Thu Nov 12 23:16:30 2009
From: jim at tgasolutions.com (Jim McBurnett)
Date: Thu, 12 Nov 2009 23:16:30 -0500
Subject: [c-nsp] 3750G vs.
Nexus for a SAN
In-Reply-To: <1r9gf5drp3n1c2odkcn4f473thtpg38ujl@hojmark.net>
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com> <1r9gf5drp3n1c2odkcn4f473thtpg38ujl@hojmark.net>
Message-ID:

It is on the price list. $5300.. I have one in production and one on order for a customer.. Nice switch...

Jim

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Asbjorn Hojmark - Lists
Sent: Monday, November 09, 2009 9:31 AM
To: Brian Landers
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN

On Mon, 9 Nov 2009 09:05:34 -0500, you wrote:
> [Cat 2350G] Doesn't appear to be in the pricing tool yet, though?

Every order goes on NPH and needs to go through the BU for approval. Pricing is 'known, but not public'.

-A

From ketimun at gmail.com Fri Nov 13 01:56:42 2009
From: ketimun at gmail.com (selamat pagi)
Date: Fri, 13 Nov 2009 07:56:42 +0100
Subject: [c-nsp] router boots into ROMMON
Message-ID:

My 7600 ignores the boot statement and goes into ROMMON. From ROMMON I can boot with the following command:

rommon 2 > boot bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin

rommon 1 > set
PS1=rommon ! >
LOG_PREFIX_VERSION=1
CONFIG_FILE=
SWITCH_NUMBER=0
SLOTCACHE=cards;
CRASHINFO=crashinfo_FAILED
CV=
BOOT=bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1;

config:
boot-start-marker
boot system flash sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin
boot-end-marker

7600#sh boot
BOOT variable = sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1;
CONFIG_FILE variable =
BOOTLDR variable =
Configuration register is 0x2102

Any ideas what could be wrong?

Cheers, ketimun

From wim.holemans at UA.AC.BE Fri Nov 13 02:15:04 2009
From: wim.holemans at UA.AC.BE (Holemans Wim)
Date: Fri, 13 Nov 2009 08:15:04 +0100
Subject: [c-nsp] 3750G vs. Nexus for a SAN
In-Reply-To:
References: <9e2e3bc20911080349n7dbf4693v8878ae549d052dd2@mail.gmail.com> <689ea7e40911080733j6d31e4abld05787ec89432c2e@mail.gmail.com> <4AF7BCEF.20506@skoal.name> <689ea7e40911090605p276a9f52yf77820f62ea719c0@mail.gmail.com> <1r9gf5drp3n1c2odkcn4f473thtpg38ujl@hojmark.net>
Message-ID:

What version of IOS does it run? Base version or lite version?

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jim McBurnett
Sent: Friday 13 November 2009 5:17
To: Asbjorn Hojmark - Lists; Brian Landers
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN

It is on the price list. $5300.. I have on in production and one on order for a customer.. Nice switch...

From cphillips at wbsconnect.com Fri Nov 13 02:28:49 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Thu, 12 Nov 2009 23:28:49 -0800
Subject: [c-nsp] router boots into ROMMON
In-Reply-To:
References:
Message-ID: <4AFD0AB1.7090302@wbsconnect.com>

Config register looks fine. The most obvious thing would be that the bin file doesn't exist. What does "dir sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin" return? Does the file exist?

selamat pagi wrote:
> My 7600 boots ignores the boot statement and goes into ROMMON.
> Any ideas what could be wrong ?

From ketimun at gmail.com Fri Nov 13 03:31:30 2009
From: ketimun at gmail.com (selamat pagi)
Date: Fri, 13 Nov 2009 09:31:30 +0100
Subject: [c-nsp] Fwd: router boots into ROMMON
In-Reply-To:
References: <4AFD0A9D.5080901@skoal.name>
Message-ID:

Fantastic, that's the solution: the confreg on the SP was 0; re-configuring the config register solved the issue :-) Many, many thanks!!!!!

7600#remote command switch show boot
BOOT variable = bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin,1;
CONFIG_FILE variable =
BOOTLDR variable does not exist
Configuration register is 0x0 (will be 0x2102 at next reload)

From peter at rathlev.dk Fri Nov 13 03:32:34 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 13 Nov 2009 09:32:34 +0100
Subject: [c-nsp] router boots into ROMMON
In-Reply-To:
References:
Message-ID: <1258101154.10157.1.camel@abehat.dyn.net.rm.dk>

On Fri, 2009-11-13 at 07:56 +0100, selamat pagi wrote:
> My 7600 boots ignores the boot statement and goes into ROMMON.
> Any ideas what could be wrong ?

Try "remote command switch show boot" to see if the sup also has correct boot information.
Resetting the boot variable and issuing "copy running-config startup-config" should correct any differences between the two.

-- Peter

From llc at dansketelecom.com Fri Nov 13 03:07:50 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Fri, 13 Nov 2009 09:07:50 +0100
Subject: [c-nsp] router boots into ROMMON
In-Reply-To: <4AFD0AB1.7090302@wbsconnect.com>
References: <4AFD0AB1.7090302@wbsconnect.com>
Message-ID: <44417CD2F19FEA4F885088340A71D332025A6D12@mail.office.dansketelecom.com>

Well... I've seen the same problem in the past. The problem is that the ROMMON is not in sync with the config file. Try setting the config register using the ROMMON, as the ROMMON might have a setting denying it the use of the config register in the config file.

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Implementerings-/NOC-tekniker, CCIE(tm) #20292
Danske Telecom A/S
Park Allé 350A
2605 Brøndby

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Phillips
Sent: 13 November 2009 08:29
To: selamat pagi
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] router boots into ROMMON

Config register looks fine. Most obvious thing would be that the bin file doesn't exist. What does "dir sup-bootdisk:c7600s72033-ipservices-mz.122-33.SRD.bin" return? Does the file exist?

From savage at savage.za.org Fri Nov 13 04:15:59 2009
From: savage at savage.za.org (Chris Knipe)
Date: Fri, 13 Nov 2009 11:15:59 +0200
Subject: [c-nsp] 4006 weirdness
Message-ID: <20091113111559.15115i73mjfjphhs@webmail1.konsoleh.co.za>

Hi,

I have a legacy 4006 chassis with a SUP3 that recently started giving issues. I know it's EOL, and more than likely needs to be replaced, but any assistance, if possible, would be appreciated.

I'm getting CRC32 errors for NVRAM, always at byte 0x54000000, i.e.:

Switch#sh ver
Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 24-Jan-02 17:34 by ccai
Image text-base: 0x00000000, data-base: 0x00AA2B8C

CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
ROM:

Switch uptime is 19 hours, 7 minutes
System returned to ROM by reload
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
System restarted at 09:26:23 SAST Fri Nov 13 2009
Running default software

cisco WS-C4006 (MPC8245) processor (revision 7) with 262144K bytes of memory.
Processor board ID FOX0520S0M4
Last reset from Reload
96 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
467K bytes of non-volatile configuration memory.

Configuration register is 0x0
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000

What's worrying me even more at this stage:

Switch#sh bootvar
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
BOOT variable does not exist
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
CONFIG_FILE variable does not exist
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
BOOTLDR variable does not exist
Configuration register is 0x0
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000

FYI:

Switch#sh module
Mod Ports Card Type                              Model              Serial No.
----+-----+--------------------------------------+-----------------+-----------
 1     2  1000BaseX (GBIC) Supervisor Module     WS-X4014           JAB063505JN
 2    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAB04100A1Q
 3    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAB0412056T

M  MAC addresses                    Hw  Fw                Sw              Stat
--+--------------------------------+---+-----------------+---------------+-----
CRC32 failed for NVRAM at 0x54000000
Erasing NVRAM area at 0x54000000
1  0006.28c0.ff00 to 0006.28c1.02ff 2.1                   12.1(8a)EW,     Ok
2  0001.42f6.9210 to 0001.42f6.923f 2.3                                   Ok
3  0001.42f6.81c0 to 0001.42f6.81ef 2.3                                   Ok

Is the SUP pretty much dead? Everything is still running fine on the face of it, but I'm really concerned about these errors....
Regards,
Chris

From ivan at ig.sk  Fri Nov 13 04:50:05 2009
From: ivan at ig.sk (Ivan Gasparik)
Date: Fri, 13 Nov 2009 10:50:05 +0100
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <20091105203853.GY163@greenie.muc.de>
References: <20091105203853.GY163@greenie.muc.de>
Message-ID: <200911131050.05124.ivan@ig.sk>

Hi folks,

Does anybody know what causes the router to drop packets as overruns, and what as input queue drops? There are two show interface examples from an NPE-G1, both with the input hold-queue set to 4096. The first one only shows 153 overrun packets; in the second interface output you can see overruns together with input queue drops:

GigabitEthernet0/1 is up, line protocol is up
...
  Input queue: 0/4096/0/58537 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/4096 (size/max)
  1 minute input rate 43040000 bits/sec, 6944 packets/sec
  1 minute output rate 23483000 bits/sec, 7180 packets/sec
     2609205324 packets input, 3131277093 bytes, 6 no buffer
     Received 2871721 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 2 throttles
     153 input errors, 0 CRC, 0 frame, 153 overrun, 0 ignored
     0 watchdog, 2871721 multicast, 0 pause input

GigabitEthernet0/3 is up, line protocol is up
...
  Input queue: 0/4096/4258004/961350 (size/max/drops/flushes); Total output drops: 44638280
  Queueing strategy: Class-based queueing
  Output queue: 6/4096/0 (size/max total/drops)
  1 minute input rate 15685000 bits/sec, 5120 packets/sec
  1 minute output rate 28836000 bits/sec, 5171 packets/sec
     2503236491 packets input, 208082741 bytes, 589462 no buffer
     Received 1329388071 broadcasts (13 IP multicasts)
     0 runts, 12 giants, 960 throttles
     128042 input errors, 12 CRC, 0 frame, 128018 overrun, 0 ignored
     0 watchdog, 1424143105 multicast, 0 pause input

Thanks
Ivan

On Thursday 05 November 2009 21:38:53 Gert Doering wrote:
> Hi,
>
> On Thu, Nov 05, 2009 at 01:41:16PM -0500, Drew Weaver wrote:
> > Does anyone have any tips on finding out what is causing it to
> > overrun?
>
> "Hardware too slow error" - packets arrive in short bursts at line rate,
> and your router cannot handle that.
>
> For example, an NPE-G1 will handle packets at, say, 300 mbit/sec if they
> come in evenly spaced - packetpacketpacket - but if
> 1000 packets arrive back-to-back and then a longer pause, it will
> overrun the buffers.
>
> There's not much you can do, except "get a hardware forwarding box"
> or "just accept it, and only worry if the errors increase more
> frequently".
>
> We do some of both :-)
>
> gert
>

From p.mayers at imperial.ac.uk  Fri Nov 13 05:18:17 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 13 Nov 2009 10:18:17 +0000
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean
In-Reply-To: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com>
References: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com>
Message-ID: <4AFD3269.6040004@imperial.ac.uk>

Tim Durack wrote:
> Anyone know how glean traffic behaves on a Sup720 with CoPP configured?

Glean traffic is matched against CoPP. This is "by design" according to the (fairly clued up sounding) TAC engineer I spoke to.

As you've discovered, this is irritating.
>
> We have gradually locked down our CoPP config, to the point that our
> final class is a default deny for any unclassified traffic.
> Unfortunately this has the unwanted side-effect of dropping glean
> traffic, with the knock-on effect of some arp resolution problems.
>
> In our tests, it appears that configuring an explicit class-default
> works around this, but I can't find any documentation. So far TAC
> hasn't come up with anything either.

Really? Hmm. So you have a config where glean traffic is *not* being matched by CoPP? Can you share the exact config?

I will unicast you the SR# of my case; perhaps the TAC engineers can collude to produce a response clarifying.

From andreas.mueller at zdv.uni-tuebingen.de  Fri Nov 13 05:50:46 2009
From: andreas.mueller at zdv.uni-tuebingen.de (Andreas Mueller)
Date: Fri, 13 Nov 2009 11:50:46 +0100
Subject: [c-nsp] Device for mapping IPv6 to IPv4-addresses
Message-ID: <4AFD3A06.1070604@zdv.uni-tuebingen.de>

Hello,

I need to realize an IPv6-island inside an IPv4 network. To connect my IPv6-island to the IPv4-world I need a network-device with the following features:

- the IPv6-addresses need to be mapped (dynamically) to IPv4-addresses for internet-connectivity.
- the IPv6-Island will contain about a hundred computers.
- some servers in the IPv6-island have to be reached from the outside-world by a static-IPv4-address.
- the network is based on gigabit ethernet.

what possibilities do I have to realize this scenario?

thanks for help && happy weekend,
Andreas Mueller
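The setup asked about above, written out as an IOS NAT-PT configuration (the feature that Lars Lystrup Christensen's later reply in this thread points to). This is an added illustration, not part of Andreas Mueller's post or of the Cisco guide; the interface names and the 2001:db8:: / 192.0.2.0 addresses are documentation placeholders, and the pool size and ACL names are assumptions:

```cisco
! Added example (not from the original post): IOS NAT-PT for an IPv6 island.
! Addresses are documentation ranges chosen for illustration.
ipv6 unicast-routing
!
! NAT-PT prefix: IPv4 destinations are reached from the island as
! 2001:db8:ffff::<ipv4-address>/96 (the DNS ALG hands out such addresses
! when an island host resolves an IPv4-only name through the router).
ipv6 nat prefix 2001:db8:ffff::/96
!
interface GigabitEthernet0/0
 description IPv6 island (~100 hosts)
 ipv6 address 2001:db8:1::1/64
 ipv6 nat
!
interface GigabitEthernet0/1
 description IPv4 side
 ip address 192.0.2.1 255.255.255.0
 ipv6 nat
!
! Dynamic v6->v4: all island hosts share a small IPv4 pool with port
! overloading (PAT), which covers the "mapped dynamically" requirement.
ipv6 access-list ISLAND-HOSTS
 permit ipv6 2001:db8:1::/64 any
ipv6 nat v6v4 pool ISLAND-V4 192.0.2.10 192.0.2.14 prefix-length 24
ipv6 nat v6v4 source list ISLAND-HOSTS pool ISLAND-V4 overload
!
! Static v6->v4: one island server is reachable from the IPv4 world at a
! fixed IPv4 address. The static entry is bidirectional, so inbound
! connections to 192.0.2.80 are translated to 2001:db8:1::80, and the IPv4
! source is presented to the server as 2001:db8:ffff::<ipv4-address>.
ipv6 nat v6v4 source 2001:db8:1::80 192.0.2.80
```

The static entry is what exposes the server to the outside, so it is the place to apply an inbound access list on GigabitEthernet0/1 that permits only the services that server should offer. Translation state can be inspected with "show ipv6 nat translations" and "show ipv6 nat statistics". As with IPv4 NAT, anything that embeds addresses in the payload (FTP, SIP) depends on an ALG the router may or may not have, which is the caveat about "the server part" raised later in the thread; NAT-PT was also moved to historic status by RFC 4966, so it should be treated as a transition tool rather than a long-term design.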
From sigurbjornl at vodafone.is  Fri Nov 13 04:59:00 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Fri, 13 Nov 2009 09:59:00 +0000
Subject: [c-nsp] Gigabit Interface Input Errors
In-Reply-To: <200911131050.05124.ivan@ig.sk>
Message-ID: 

Do a show controller Gi0/1 | i rx_resource

Chances are the input error count is the same as the rx_resource_error count.

This is a microburst issue, and sadly, I know of no way to get around it; the only solution is buying a router that is able to handle wirespeed Gig.

BR,
Sibbi

> From: Ivan Gasparik
> Date: Fri, 13 Nov 2009 10:50:05 +0100
> To:
> Subject: Re: [c-nsp] Gigabit Interface Input Errors
>
> Hi folks,
>
> Does anybody know what causes the router to drop packets as
> overrun and what as an input queue drops. There are two show interface
> examples of NPE-G1, both with input hold-queue set to 4096. The first
> one only shows 153 overrun packets, in the second interface output
> you can see overruns together with input queue drops:
>
> GigabitEthernet0/1 is up, line protocol is up
> ...
> Input queue: 0/4096/0/58537 (size/max/drops/flushes); Total output drops: 0
> Queueing strategy: fifo
> Output queue: 0/4096 (size/max)
> 1 minute input rate 43040000 bits/sec, 6944 packets/sec
> 1 minute output rate 23483000 bits/sec, 7180 packets/sec
> 2609205324 packets input, 3131277093 bytes, 6 no buffer
> Received 2871721 broadcasts (0 IP multicasts)
> 0 runts, 0 giants, 2 throttles
> 153 input errors, 0 CRC, 0 frame, 153 overrun, 0 ignored
> 0 watchdog, 2871721 multicast, 0 pause input
>
> GigabitEthernet0/3 is up, line protocol is up
> ...
> Input queue: 0/4096/4258004/961350 (size/max/drops/flushes); Total output drops: 44638280
> Queueing strategy: Class-based queueing
> Output queue: 6/4096/0 (size/max total/drops)
> 1 minute input rate 15685000 bits/sec, 5120 packets/sec
> 1 minute output rate 28836000 bits/sec, 5171 packets/sec
> 2503236491 packets input, 208082741 bytes, 589462 no buffer
> Received 1329388071 broadcasts (13 IP multicasts)
> 0 runts, 12 giants, 960 throttles
> 128042 input errors, 12 CRC, 0 frame, 128018 overrun, 0 ignored
> 0 watchdog, 1424143105 multicast, 0 pause input
>
> Thanks
> Ivan
>
>
> On Thursday 05 November 2009 21:38:53 Gert Doering wrote:
>> Hi,
>>
>> On Thu, Nov 05, 2009 at 01:41:16PM -0500, Drew Weaver wrote:
>>> Does anyone have any tips on finding out what is causing it to
>>> overrun?
>>
>> "Hardware too slow error" - packets arrive in short bursts at line rate,
>> and your router cannot handle that.
>>
>> For example, an NPE-G1 will handle packets at, say, 300 mbit/sec if they
>> come in evenly spaced - packetpacketpacket - but if
>> 1000 packets arrive back-to-back and then a longer pause, it will
>> overrun the buffers.
>>
>> There's not much you can do, except "get a hardware forwarding box"
>> or "just accept it, and only worry if the errors increase more
>> frequently".
>>
>> We do some of both :-)
>>
>> gert
>>

From swmike at swm.pp.se  Fri Nov 13 07:07:26 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 13 Nov 2009 13:07:26 +0100 (CET)
Subject: [c-nsp] router boots into ROMMON
In-Reply-To: <44417CD2F19FEA4F885088340A71D332025A6D12@mail.office.dansketelecom.com>
References: <4AFD0AB1.7090302@wbsconnect.com> <44417CD2F19FEA4F885088340A71D332025A6D12@mail.office.dansketelecom.com>
Message-ID: 

On Fri, 13 Nov 2009, Lars Lystrup Christensen wrote:

> Well... I've seen the same problem in the past. The problem is that the
> ROMMON is not in sync with the config file. Try set the config register
> using the ROMMON as the ROMMON might have a setting denying it to use
> the config register in config file.

When I had this problem 3-4 years ago, it was enough to set the config-register again from normal config and save the config, for all parts of the router to be in sync again. This was in SXE days...

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From Kiran.Oddiraju at cbre.com  Fri Nov 13 08:01:58 2009
From: Kiran.Oddiraju at cbre.com (Oddiraju, Kiran @ London SMC)
Date: Fri, 13 Nov 2009 13:01:58 -0000
Subject: [c-nsp] Cisco VPN server
Message-ID: 

Hello guys,

Can someone please forward me a sample VPN server configuration for a Cisco 1800 router. Basically I want my c1800 router as a VPN server with DHCP, and my clients to be able to access machines on my network and use Cisco softphones. I have been trying with some guides on the Cisco website, but the vpn client keeps trying to connect and throws me an error 412 'Remote peer no longer responding'.

Many thanks,
Kiran
From tdurack at gmail.com  Fri Nov 13 08:15:22 2009
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 13 Nov 2009 08:15:22 -0500
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean
In-Reply-To: <4AFD3269.6040004@imperial.ac.uk>
References: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com> <4AFD3269.6040004@imperial.ac.uk>
Message-ID: <9e246b4d0911130515r7037c9crbc5ac7603da2715d@mail.gmail.com>

On Fri, Nov 13, 2009 at 5:18 AM, Phil Mayers wrote:
> Tim Durack wrote:
>>
>> Anyone know how glean traffic behaves on a Sup720 with CoPP configured?
>
> Glean traffic is matched against CoPP. This is "by design" according to the
> (fairly clued up sounding) TAC engineer I spoke to.
>
> As you've discovered, this is irritating.

Indeed. It makes no sense for glean traffic to be lumped in with everything else destined to the control-plane. The only thing that needs to happen with glean traffic is an arp request.

It looks like with the Nexus Cisco have improved/corrected this.
http://tinyurl.com/yc2c737 states:

Different types of packets can reach the control plane:

Receive packets
Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are used by a router.

Exception packets
Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, then the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.

Redirected packets
Packets that are redirected to the supervisor module. Features like Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.

Glean packets
If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.

...

Configuring a Control Plane Policy Map

You must configure a policy map for CoPP, which include policing parameters. If you do not configure a policer for a class, then the default policer conform action is drop. Glean packets are policed using the default-class. The Cisco NX-OS software supports 1-rate 2-color and 2-rate 3-color policing.

>>
>> We have gradually locked down our CoPP config, to the point that our
>> final class is a default deny for any unclassified traffic.
>> Unfortunately this has the unwanted side-effect of dropping glean
>> traffic, with the knock-on effect of some arp resolution problems.
>>
>> In our tests, it appears that configuring an explicit class-default
>> works around this, but I can't find any documentation.
>> So far TAC
>> hasn't come up with anything either.
>
> Really? Hmm. So you have a config where glean traffic is *not* being matched
> by CoPP? Can you share the exact config?

I think I was wrong. Still have the same problem.

> I will unicast you the SR# of my case; perhaps the TAC engineers can collude
> to produce a response clarifying.
>

Thanks, will take a look.

In my book, this behaviour undermines the value of copp. I can't tightly restrict traffic to the control-plane, as glean traffic could be anything.

-- 
Tim:>
Sent from Brooklyn, NY, United States

From llc at dansketelecom.com  Fri Nov 13 09:26:16 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Fri, 13 Nov 2009 15:26:16 +0100
Subject: [c-nsp] Device for mapping IPv6 to IPv4-addresses
In-Reply-To: <4AFD3A06.1070604@zdv.uni-tuebingen.de>
References: <4AFD3A06.1070604@zdv.uni-tuebingen.de>
Message-ID: <44417CD2F19FEA4F885088340A71D332025A6D96@mail.office.dansketelecom.com>

Hi Andreas

I would suggest an ugly NAT-PT device, capable of doing both v4 and v6. However, there are no guarantees of the server part working correctly, as you might have the same issues as with IPv4 NAT.

You should be able to do the NAT on any Cisco router capable of doing IPv6 and NAT. Don't use L3 switches, as they might not support this satisfactorily.

Take a further look at http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Implementerings-/NOC-tekniker, CCIE(tm) #20292
Danske Telecom A/S
Park Allé 350A
2605 Brøndby

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andreas Mueller
Sent: 13. november 2009 11:51
To: cisco-nsp
Subject: [c-nsp] Device for mapping IPv6 to IPv4-addresses

Hello,

I need to realize an IPv6-island inside an IPv4 network.
To connect my IPv6-island to the IPv4-world I need a network-device with the following features:

- the IPv6-addresses need to be mapped (dynamically) to IPv4-addresses for internet-connectivity.
- the IPv6-Island will contain about a hundred computers.
- some servers in the IPv6-island have to be reached from the outside-world by a static-IPv4-address.
- the network is based on gigabit ethernet.

what possibilities do I have to realize this scenario?

thanks for help && happy weekend,
Andreas Mueller

From jlewis at lewis.org  Fri Nov 13 09:31:23 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 13 Nov 2009 09:31:23 -0500 (EST)
Subject: [c-nsp] 3550 IOS
Message-ID: 

I was looking at updating software on a 3550 recently and noticed the very latest 12.2SE code claims to only run on the 3550-24-DC. Is this because the 3550-24-DC was for some reason excluded from the EOS/EOL announcement for the rest of the 3550 family (for which End of Software Maintenance was May 2007)?

IIRC, 122-44.SE6 is the last IOS for the generic 3550 family, while there are versions up to 122-52.SE that claim to be for the 3550-24-DC only. These later versions do seem to work on 3550's other than the 3550-24-DC, but I suppose they're just not officially supported (or officially unsupported)?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From sony.scaria at gmail.com  Fri Nov 13 09:54:01 2009
From: sony.scaria at gmail.com (sony.scaria at gmail.com)
Date: Fri, 13 Nov 2009 14:54:01 +0000
Subject: [c-nsp] router boots into ROMMON
Message-ID: <1291397392-1258124034-cardhu_decombobulator_blackberry.rim.net-1192748925-@bda135.bisx.produk.on.blackberry>

I had a similar situation days before, where I was upgrading the ios and I was using a flash which I took from a similar spare device.
I copied the ios, set conf-reg, set boot path, but the router did not boot from the new code. Finally I formatted the flash, copied the ios again, set boot statements to the new path and reloaded. And that worked.

Sony.

------Original Message------
From: Mikael Abrahamsson
Sender: cisco-nsp-bounces at puck.nether.net
To: cisco-nsp
Subject: Re: [c-nsp] router boots into ROMMON
Sent: Nov 13, 2009 17:37

On Fri, 13 Nov 2009, Lars Lystrup Christensen wrote:

> Well... I've seen the same problem in the past. The problem is that the
> ROMMON is not in sync with the config file. Try set the config register
> using the ROMMON as the ROMMON might have a setting denying it to use
> the config register in config file.

When I had this problem 3-4 years ago, it was enough to set the config-register again from normal config and save the config, for all parts of the router to be in sync again. This was in SXE days...

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

Sent on my BlackBerry® from Vodafone

From drew.weaver at thenap.com  Fri Nov 13 10:46:49 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 13 Nov 2009 10:46:49 -0500
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
Message-ID: 

Hi list, happy friday,

The BGP scanner issue has been beaten (literally) to death here, but I had a few general performance related questions regarding the 6500..
I notice that if I ping a somewhat busy interface on a 6500, about once a minute or so I get:

Reply from x.x.x.x: bytes=32 time<1ms TTL=253
Reply from x.x.x.x: bytes=32 time<1ms TTL=253
Reply from x.x.x.x: bytes=32 time=1ms TTL=253
Reply from x.x.x.x: bytes=32 time<1ms TTL=253
Reply from x.x.x.x: bytes=32 time=1ms TTL=253
Reply from x.x.x.x: bytes=32 time=172ms TTL=253
Reply from x.x.x.x: bytes=32 time=386ms TTL=253
Reply from x.x.x.x: bytes=32 time=366ms TTL=253
Reply from x.x.x.x: bytes=32 time=410ms TTL=253
Reply from x.x.x.x: bytes=32 time=353ms TTL=253
Reply from x.x.x.x: bytes=32 time=7ms TTL=253
Reply from x.x.x.x: bytes=32 time=66ms TTL=253
Reply from x.x.x.x: bytes=32 time=120ms TTL=253
Request timed out.
Reply from x.x.x.x: bytes=32 time=1ms TTL=253
Reply from x.x.x.x: bytes=32 time<1ms TTL=253

and it does seem to correspond to the BGP scanner running the CPU utilization up to 80%. Is that the 'norm' for this type of high cpu utilization?

Second, I noticed we're having a high number of TTL failures:

TTL failures : 24541591

So I implemented a HW rate-limiter as such:

mls rate-limit all ttl-failure 500 10

Two questions about this:

A) is there any way to find out how many packets are being 'rate-limited' due to this command?
and
B) do I need to enable mls qos or anything else to 'globally enable' the HW rate-limiter?
3rd, I'm noticing some queuing issues,

Input queue: 0/75/13413/13085 (size/max/drops/flushes); Total output drops: 0
Output queue: 0/40 (size/max)

Input queue: 0/75/15112/15021 (size/max/drops/flushes); Total output drops: 0
Output queue: 0/40 (size/max)

Input queue: 0/2000/4294895378/0 (size/max/drops/flushes); Total output drops: 4294941485
Output queue: 0/40 (size/max)

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Output queue: 0/40 (size/max)

Input queue: 0/2000/4294945720/0 (size/max/drops/flushes); Total output drops: 1
Output queue: 0/40 (size/max)

Input queue: 0/2000/4294804008/0 (size/max/drops/flushes); Total output drops: 3

Input queue: 0/75/549064/527178 (size/max/drops/flushes); Total output drops: 2784
Output queue: 0/40 (size/max)

Input queue: 0/75/372439/361186 (size/max/drops/flushes); Total output drops: 90049

I am using the Gig-E interfaces on the Sup720-3BXL as well as WS-X6724-SFPs.

Is there a disadvantage to using the interfaces on the SUP720-3BXL vs the 6724? Should one modify settings to improve the queuing? I was under the impression that the X6724 was not over-subscribed, but from the looks of those queues it seems to be slightly inadequate.

any advice on any of these issues is greatly appreciated.

Thanks,
-Drew

From nick at inex.ie  Fri Nov 13 11:20:02 2009
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 13 Nov 2009 16:20:02 +0000
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
In-Reply-To: 
References: 
Message-ID: <4AFD8732.6020707@inex.ie>

On 13/11/2009 15:46, Drew Weaver wrote:
> and it does seem to correspond to the BGP scanner running the CPU
> utilization up to 80%, is that the 'norm' for this time of high cpu
> utilization?

in my experience yes.

> I was under the impression that the X6724 was not over-subscribed but
> from the looks of those queues it seems to be slightly inadequate.

24 GE ports, single 20G fabric connection. Go figure.
The output drops may not be caused by over-subscription, btw. It may be just that the port is receiving too much traffic. If your 5 minute graphs look well under 950 megs, take a look at 30 second graphs and see what they are saying. Microbursts can cause all sorts of interesting effects which you simply won't see on a 5 minute average.

Nick

From p.mayers at imperial.ac.uk  Fri Nov 13 11:26:05 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 13 Nov 2009 16:26:05 +0000
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
In-Reply-To: 
References: 
Message-ID: <4AFD889D.1090204@imperial.ac.uk>

> I noticed we're having a high number of TTL failures:
>
> TTL failures : 24541591
>
> So I implemented a HW rate-limiter as such:
>
> mls rate-limit all ttl-failure 500 10
>
> Two questions about this,
>
> A) is there any way to find out how many packets are being 'rate-limited' due to this command?
> and

I am not aware of any, but would like to know too!

> B) do I need to enable mls qos or anything else to 'globally enable' the HW rate-limiter?

No. It's separate from QoS; you don't need QoS enabled for the MLS rate limiters.

From shimshah at cisco.com  Fri Nov 13 11:58:53 2009
From: shimshah at cisco.com (Shimol Shah)
Date: Fri, 13 Nov 2009 11:58:53 -0500
Subject: [c-nsp] MAC address use on 7600
In-Reply-To: <002101ca6411$aa38ef00$feaacd00$@com>
References: <002101ca6411$aa38ef00$feaacd00$@com>
Message-ID: <4AFD904D.7070009@cisco.com>

Hi Rin,

I tested on 7600 and 6500 in my lab. Here are the findings:

1. By default, all of the interfaces are layer 3 interfaces, since they're configured as "no ip address". All of the MAC addresses are the same for layer 3 interfaces, as per design.

2. I changed the interface to switchport, then I found the interface mac-address is changed to a unique layer 2 mac address, which comes from the module range (sh mod). Both 7600 and 6500 behave the same.
By default,

7604#sh int g2/1
GigabitEthernet2/1 is administratively down, line protocol is down (disabled)
  Hardware is c7600 1Gb 802.3, address is 0013.5f1e.fe40 (bia 0013.5f1e.fe40)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 1w0d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected

7604#sh run int g2/1
Building configuration...

Current configuration : 61 bytes
!
interface GigabitEthernet2/1
 no ip address
 shutdown
end

After configuring it to be a switchport,

7604#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
7604(config)#int g2/1
7604(config-if)#switchport
7604(config-if)#end
7604#sh int g2/
*Apr 10 21:07:30.500: %SYS-5-CONFIG_I: Configured from console by console1
GigabitEthernet2/1 is administratively down, line protocol is down (disabled)
  Hardware is c7600 1Gb 802.3, address is 001c.584c.5bf4 (bia 001c.584c.5bf4)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 1w0d
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0007.0e62.12e8 to 0007.0e62.12eb   5.2   12.2(33r)SRB 12.2(33)SRC  Ok
  2  001c.584c.5bf4 to 001c.584c.5bf7   5.2   12.2(33r)SRB 12.2(33)SRC  Ok
  3  0013.60a4.9a88 to 0013.60a4.9b07   2.0   12.2(33)SRC  12.2(33)SRC  Ok

The 7600 I am testing is running 12.2(33)SRC/SRB2.

3. Furthermore, I found that the layer 3 interfaces sharing the same mac while layer 2 interfaces use unique macs is by design, and all platforms have the same behavior.

http://www.cisco.com/warp/customer/473/catmac_41263.html#topic1

For the lower end switches, the interfaces are layer 2 interfaces by default, so you don't see the problem. However, for ES-20 be aware of the bug below:

CSCso79720 All ES20 ports use same MAC address when configured as switchport.
Found in      12.2(33)SRC  12.2(33)SRB02
Integrated in 12.2(33)SRD  12.2(33)SRC02  12.2(33)SRB04

HTH
Shimol

Rin said the following on 11/12/2009 10:30 PM:
> Hi group,
>
> Can someone explain why router 7600 uses the same MAC address for all VLAN
> interfaces and ES20 ports? Catalyst 3560 has different MAC address for each
> VLAN interface.
>
> Thanks,
>
> Rin
>

From peter at rathlev.dk  Fri Nov 13 12:27:27 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 13 Nov 2009 18:27:27 +0100
Subject: [c-nsp] 3550 IOS
In-Reply-To: 
References: 
Message-ID: <1258133247.19798.4.camel@abehat.dyn.net.rm.dk>

On Fri, 2009-11-13 at 09:31 -0500, Jon Lewis wrote:
> IIRC, 122-44.SE6 is the last IOS for the generic 3550 family, while
> there are versions up to 122-52.SE that claim to be for the 3550-24-DC
> only. These later versions do seem to work on 3550's other than the
> 3550-24-DC, but I suppose they're just not officially supported (or
> officially unsupported)?

Of course only Cisco can answer that, but the newer images seem to run fine on WS-C3550-12G and WS-C3550-24-EMI models at least. We're running 12.2(50)SE1 and SE3 on several.

I would suspect that they have simply stopped testing the releases on the EoL'ed platforms, so some weird combination of firmware/hardware issues might bite our behinds some day.

The 3550 was a very good platform IMHO. Far better than the 3560.

-- 
Peter

From jasongurtz at npumail.com  Fri Nov 13 12:31:48 2009
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Fri, 13 Nov 2009 12:31:48 -0500
Subject: [c-nsp] Info on the C2350
Message-ID: 

Just got off the horn with a Cisco SE and he related that this switch is basically a 3560E with toned down features introduced for the "competitive market."
Is that 4MB shared per 16 ports for the buffers then?

The guy was pushing nexus 5k hard (and FCoE) but I think that's outside of the budget as is, unfortunately, the 49xx.

I've been burning the brain on all the iSCSI vs. FC[oE] vs. NFS and have come to the conclusion that in a VMWare environment the only thing FC has over hardware accelerated iSCSI is lower latency. Since we're not a super or scientific computing facility I'm not sure that even that matters.

Thanks for all the responses on the previous thread; I learned a lot.

~JasonG

From jeff-kell at utc.edu  Fri Nov 13 12:49:16 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 13 Nov 2009 12:49:16 -0500
Subject: [c-nsp] 3550 IOS
In-Reply-To: <1258133247.19798.4.camel@abehat.dyn.net.rm.dk>
References: <1258133247.19798.4.camel@abehat.dyn.net.rm.dk>
Message-ID: <4AFD9C1C.3090608@utc.edu>

Peter Rathlev wrote:
> On Fri, 2009-11-13 at 09:31 -0500, Jon Lewis wrote:
>
>> IIRC, 122-44.SE6 is the last IOS for the generic 3550 family, while
>> there are versions up to 122-52.SE that claim to be for the 3550-24-DC
>> only.
> Of course only Cisco can answer that, but the newer images seem to run
> fine on WS-C3550-12G and WS-C3550-24-EMI models at least. We're running
> 12.2(50)SE1 and SE3 on several.

TAC tells me 12.2(44)SE6 is the latest supported release. I had tried 12.2(50) on a 3550-12, but backed off "just in case".

I could *almost* swear I pulled down the 12.2(50) from the regular software download links after the September vulnerability announcements, as it was (and still is) the "recommended fixed release" for the 12.2SE train, but as others have noted, that is not the case today if you follow the 3550 model links (other than the 24-DC).
Jeff

From rdobbins at arbor.net Fri Nov 13 14:36:24 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Fri, 13 Nov 2009 19:36:24 +0000
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
In-Reply-To: <4AFD889D.1090204@imperial.ac.uk>
References: <4AFD889D.1090204@imperial.ac.uk>
Message-ID: <4D393834-9022-4207-86BB-59731CF7BF68@arbor.net>

On Nov 13, 2009, at 11:26 PM, Phil Mayers wrote:
> No. It's separate from QoS, you don't need QoS enabled for the MLS rate limiters.

Correct. Also note that HWRL policies have precedence over CoPP.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From ler762 at gmail.com Fri Nov 13 16:53:43 2009
From: ler762 at gmail.com (Lee)
Date: Fri, 13 Nov 2009 16:53:43 -0500
Subject: [c-nsp] sup720 etherchannel port preferences?

Is there any performance difference for a two port etherchannel created on a single WS-X6748 card vs. one port on two different WS-X6748 cards?

We've got a backup server that's maxing out its 1Gb link and want to give it some more bandwidth, so I was wondering if it made any difference on which ports or which cards (all the cards being 6748s) you configured an etherchannel.

Thanks,
Lee

From John.Herbert at ins.com Sat Nov 14 10:25:23 2009
From: John.Herbert at ins.com (John.Herbert at ins.com)
Date: Sat, 14 Nov 2009 09:25:23 -0600
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean
In-Reply-To: <4AFD3269.6040004@imperial.ac.uk>
References: <9e246b4d0911121832h63c38877qaffab0867f2ee03c@mail.gmail.com>, <4AFD3269.6040004@imperial.ac.uk>

Ok, so apologies if I'm repeating things you know very well already...
Hardware CoPP for CEF Glean is disabled by default, so assuming you have enabled hardware CoPP, if you chose to enable glean rate-limiting (with the "mls rate-limit unicast cef glean " command) then presumably you put values in that command to determine the limits. If you're dropping cef glean traffic under normal usage, then (ignoring potential IOS bugs) that suggests that your limits are too low perhaps?

To be clear (and I think from what you've said, you already know this), the CEF Glean RL includes traffic that's punted to the CPU because it needs an ARP to be performed to complete the next hop adjacency, but should not affect the ARP request itself. However, if you are dropping the glean packets that would have generated the ARP request in the first place then I can see how that could spiral out of control quickly by generating more glean packets because of the lack of ARP entry.

If in doubt (and again, you may have done this before starting on the CoPP work), it may be worth either getting some netflow data to identify if you have excessive cef glean traffic, and/or set up a monitor session on the control plane to see if there's something odd going on.

j.

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers [p.mayers at imperial.ac.uk]
Sent: Friday, November 13, 2009 5:18
To: Tim Durack
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean

Tim Durack wrote:
> Anyone know how glean traffic behaves on a Sup720 with CoPP configured?

Glean traffic is matched against CoPP. This is "by design" according to the (fairly clued up sounding) TAC engineer I spoke to. As you've discovered, this is irritating.

> We have gradually locked down our CoPP config, to the point that our
> final class is a default deny for any unclassified traffic.
> Unfortunately this has the unwanted side-effect of dropping glean
> traffic, with the knock-on effect of some arp resolution problems.
>
> In our tests, it appears that configuring an explicit class-default
> works around this, but I can't find any documentation. So far TAC
> hasn't come up with anything either.

Really? Hmm. So you have a config where glean traffic is *not* being matched by CoPP? Can you share the exact config?

I will unicast you the SR# of my case; perhaps the TAC engineers can collude to produce a response clarifying.

From mtinka at globaltransit.net Sat Nov 14 13:35:59 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 15 Nov 2009 02:35:59 +0800
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
Message-ID: <200911150235.59896.mtinka@globaltransit.net>

So after chasing this thing since SRC, and having gone through all the various rebuilds until now, I'm not proud to say that the evil BFD + watchdog nmi timeout bug persists.

It wasn't but just a day ago that an NPE-G1 we upgraded to SRC5, and on which we enabled BFD in the hopes that that bug had finally been found and fixed (TAC confirmed it is fixed in SRC5 - like it was in SRC1 to SRC4 - as well as other IOS branches sharing this platform-independent code), experienced an uncommanded reboot citing a watchdog timeout. Just like before.

Oh well, no BFD on those, then.

And something tells me even by SRC10 (should the code base last that long), Cisco will not have found a solution for it.

What quality networking, we have these days...

Mark.
From gert at greenie.muc.de Sat Nov 14 16:27:17 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 14 Nov 2009 22:27:17 +0100
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
In-Reply-To: <200911150235.59896.mtinka@globaltransit.net>
References: <200911150235.59896.mtinka@globaltransit.net>
Message-ID: <20091114212717.GM163@greenie.muc.de>

Hi,

On Sun, Nov 15, 2009 at 02:35:59AM +0800, Mark Tinka wrote:
> What quality networking, we have these days...

Hey, at least you *have* BFD. Unlike us folks with SXH and SXI that want to use BFD on SVI interfaces...

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From dr at cluenet.de Sat Nov 14 16:31:27 2009
From: dr at cluenet.de (Daniel Roesen)
Date: Sat, 14 Nov 2009 22:31:27 +0100
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
In-Reply-To: <200911150235.59896.mtinka@globaltransit.net>
References: <200911150235.59896.mtinka@globaltransit.net>
Message-ID: <20091114213127.GA18999@srv03.cluenet.de>

On Sun, Nov 15, 2009 at 02:35:59AM +0800, Mark Tinka wrote:
> What quality networking, we have these days...

I think it's called "Carrier grade" these days...

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From p.mayers at imperial.ac.uk Sat Nov 14 17:24:09 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sat, 14 Nov 2009 22:24:09 +0000
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean

I'm a bit confused about what you're trying to say here. The mls glean rate limiter is completely different to copp.
The op's problem, and one I have observed too, is that copp is applied to all cpu traffic, including the original packet which was punted to glean.

IMHO, and tac have advised me of the same, enabling the mls glean limiter is second only to enabling the receive limiter in terms of risk. It's not useful in the general case, because it's not source- or svi-specific.

In short - copp is a good, source specific tool to control received packets, but the issue under discussion is that, on 6500, it applies to packets that trigger glean too, which is usually unhelpful. It's definitely unhelpful if you want to put a 0.0.0.0/0 destination in your copp acls.
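A defender-side check for the pattern Tim and Phil describe, as an added example that is not from the thread and not a Cisco tool: a small linter that parses a CoPP policy and flags a final catch-all class that drops everything unclassified when no explicit class-default is configured. The rule encodes the thread's report (glean-punted packets are matched by CoPP; an explicit class-default was the observed workaround), not documented behaviour, and the class and ACL names are placeholders.

```python
"""Audit an IOS CoPP policy for the Sup720 glean-drop pattern from the thread.

Added example, not from the cisco-nsp thread and not a Cisco tool. Per the
thread, the transit packet punted to trigger ARP ("glean") is matched by CoPP
like any other punted packet, so a final catch-all class that drops everything
unclassified also drops it and ARP never resolves; an explicit class-default
that transmits was reported as the workaround. Names below are placeholders.
"""
import re


def parse_copp(config: str) -> dict:
    """Extract catch-all ACLs, class-map -> ACLs, and each policy-map's classes."""
    acl_catch_all = {}   # ACL name -> contains 'permit ip any any'
    class_acls = {}      # class-map name -> ACL names it matches
    policies = {}        # policy-map name -> [(class name, [actions])] in order
    section = None       # (kind, name) of the enclosing stanza
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):      # an unindented line opens a new stanza
            section = None
            if m := re.match(r"ip access-list extended (\S+)", line):
                section = ("acl", m.group(1))
                acl_catch_all.setdefault(m.group(1), False)
            elif m := re.match(r"class-map (?:match-(?:any|all) )?(\S+)", line):
                section = ("class-map", m.group(1))
                class_acls.setdefault(m.group(1), [])
            elif m := re.match(r"policy-map (\S+)", line):
                section = ("policy-map", m.group(1))
                policies.setdefault(m.group(1), [])
            continue
        if section is None:
            continue
        kind, name = section
        stmt = line.strip()
        if kind == "acl" and stmt == "permit ip any any":
            acl_catch_all[name] = True
        elif kind == "class-map" and (m := re.match(r"match access-group name (\S+)", stmt)):
            class_acls[name].append(m.group(1))
        elif kind == "policy-map":
            if m := re.match(r"class (\S+)$", stmt):
                policies[name].append((m.group(1), []))
            elif policies[name] and stmt.startswith(("police", "drop")):
                policies[name][-1][1].append(stmt)
    return {"acl_catch_all": acl_catch_all, "class_acls": class_acls, "policies": policies}


def drops_everything(actions: list) -> bool:
    """True when nothing leaves the class: bare 'drop', or a policer that drops both ways."""
    for act in actions:
        if act == "drop":
            return True
        conform = re.search(r"conform-action (\S+)", act)
        exceed = re.search(r"exceed-action (\S+)", act)
        if conform and exceed and conform.group(1) == exceed.group(1) == "drop":
            return True
    return False


def audit_glean_risk(config: str) -> list:
    """Return findings; an empty list means the glean-drop shape was not seen."""
    parsed = parse_copp(config)
    findings = []
    for pname, classes in parsed["policies"].items():
        has_default = any(c == "class-default" for c, _ in classes)
        for cname, actions in classes:
            if cname == "class-default":
                if drops_everything(actions):
                    findings.append(f"{pname}: class-default drops everything, so "
                                    "glean-punted packets are lost and ARP never resolves")
                continue
            catch_all = any(parsed["acl_catch_all"].get(a, False)
                            for a in parsed["class_acls"].get(cname, []))
            if catch_all and drops_everything(actions) and not has_default:
                findings.append(f"{pname}: class {cname} is a catch-all drop with no "
                                "explicit class-default; per the thread this drops "
                                "glean traffic and breaks ARP resolution")
    return findings


# Constructed config (placeholder names): the risky shape described in the thread
COPP_DENY_UNCLASSIFIED = """\
ip access-list extended COPP-BGP
 permit tcp any any eq bgp
ip access-list extended COPP-CATCHALL
 permit ip any any
class-map match-any COPP-BGP
 match access-group name COPP-BGP
class-map match-any COPP-CATCHALL
 match access-group name COPP-CATCHALL
!
policy-map COPP
 class COPP-BGP
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-CATCHALL
  police 32000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
"""

# Constructed: the reported workaround, an explicit class-default that transmits
COPP_WITH_CLASS_DEFAULT = COPP_DENY_UNCLASSIFIED.replace(
    " class COPP-CATCHALL\n  police 32000 conform-action drop exceed-action drop\n",
    " class class-default\n  police 32000 conform-action transmit exceed-action drop\n",
)
```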
From John.Herbert at ins.com Sat Nov 14 17:42:53 2009
From: John.Herbert at ins.com (John.Herbert at ins.com)
Date: Sat, 14 Nov 2009 16:42:53 -0600
Subject: [c-nsp] C6K, SUP720, 12.2(33)SXI, CoPP, glean

Ah I see - I misunderstood the issue being described. Appreciate the clarification, and I stand corrected.

j.

From mail4hh at pobox.com Sat Nov 14 19:58:08 2009
From: mail4hh at pobox.com (Hector Herrera)
Date: Sat, 14 Nov 2009 16:58:08 -0800
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu

During a high network usage event, the cpu load increased to 90% sustained, while a 'show processes cpu' did not reveal any culprits. I suspected IP Input may be consuming a high amount of cpu, but it was only at 2.7%

The 3550 is working as a L3 router with two static entries for the default gw (for load balancing on our uplink).

Traffic levels at the time of the high cpu usage were ~120Mbps.

I also examined broadcast packet counts and traffic destined for the router itself. They also did not reveal anything out of the ordinary.

Do you have any suggestions on what I should be looking at to determine the source of the high cpu usage?
Thank you,
Hector

From maillist at thelan.no Sat Nov 14 21:59:12 2009
From: maillist at thelan.no (Harald Firing Karlsen)
Date: Sun, 15 Nov 2009 03:59:12 +0100
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
Message-ID: <4AFF6E80.6030607@thelan.no>

Hector Herrera wrote:
> During a high network usage event, the cpu load increased to 90%
> sustained, while a 'show processes cpu' did not reveal any culprits.
> I suspected IP Input may be consuming a high amount of cpu, but it was
> only at 2.7%
>
> The 3550 is working as a L3 router with two static entries for the
> default gw (for load balancing on our uplink).
>
> Traffic levels at the time of the high cpu usage were ~120Mbps.
>
> I also examined broadcast packet counts and traffic destined for the
> router itself. They also did not reveal anything out of the ordinary.
>
> Do you have any suggestions on what I should be looking at to
> determine the source of the high cpu usage?

What did the topmost line in the "show processes cpu" say? At the five second average you got two values; one is for interrupts and the other is for process cpu usage. My guess is you were seeing a lot of interrupts which means traffic was punted to the CPU. Take a look at some of the other threads on c-nsp to find out what kind of traffic was being punted ("show cef not-cef-switched" is a good start).

Hope this was helpful

-- 
Harald Firing Karlsen

From mail4hh at pobox.com Sun Nov 15 01:43:03 2009
From: mail4hh at pobox.com (Hector Herrera)
Date: Sat, 14 Nov 2009 22:43:03 -0800
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To: <4AFF6E80.6030607@thelan.no>
References: <4AFF6E80.6030607@thelan.no>

Thank you for your responses. I collected the commands to run the next time the cpu utilization spikes.

I did manage to capture the output of 'show cef not-cef-switched' and it shows a very large number under the "unsupported" column. All the other columns are zero.
Reading on the list archives I found a few commands to diagnose the "unsupported" column and according to the output, it appears that it's caused by TTL-expired being sent to the cpu for processing.

Does this mean that the hardware can't handle the TTL expired load or that TTL-expired messages are strictly a software process on this hardware (3550-12t)?

If I have such a large number of TTL-expired messages, does that mean I have a routing loop somewhere? If so, I have three uplink interfaces, how do I find out which interface is causing the punts?

Here is the output from the commands I ran:

van-hc16-423-router#show ip cef switching stat
       Reason                          Drop       Punt  Punt2Host
RP LES No route                           0          0         37
RP LES Packet destined for us             0     273716          0
RP LES No adjacency                    8587          0          0
RP LES TTL expired                        0          0    1676276
RP LES Unclassified reason                1          0          0
RP LES Neighbor resolution req       210055          3          0
RP LES Total                         218643     273719    1676313

All    Total                         218643     273719    1676313

van-hc16-423-router#show ip cef switching stat feature
IPv4 CEF input features:
Feature                   Drop    Consume       Punt  Punt2Host Gave route
Total                        0          0          0          0          0

IPv4 CEF output features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF post-encap features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF for us features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF punt features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF local features:
Feature                   Drop    Consume       Punt  Punt2Host Gave route
Total                        0          0          0          0          0

van-hc16-423-router#sh ip arp summ
16 IP ARP entries, with 0 of them incomplete

van-hc16-423-router#sh sdm prefer
The current template is the routing extended-match template.
The selected template optimizes the resources in
the switch to support this level of features for
16 routed interfaces and 1K VLANs.
  number of unicast mac addresses:   6K
  number of igmp groups:             6K
  number of qos aces:                1K
  number of security aces:           1K
  number of unicast routes:          12K
  number of multicast routes:        6K

van-hc16-423-router#sh ip route summary
IP routing table name is Default-IP-Routing-Table(0)
IP routing table maximum-paths is 32
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       0           1           64          152
static          0           0           0           0
bgp 4280        0           0           0           0
  External: 0 Internal: 0 Local: 0
internal        1                                   1172
Total           1           1           64          1324

van-hc16-423-router#sh ip route vrf PublicRouter sum
van-hc16-423-router#sh ip route vrf PublicRouter summary
IP routing table name is PublicRouter(1)
IP routing table maximum-paths is 32
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       0           4           256         608
static          1           0           128         152
bgp 4280        1274        1134        154112      367036
  External: 2408 Internal: 0 Local: 0
internal        66                                  77352
Total           1341        1138        154496      445148
van-hc16-423-router#

-- 
Hector Herrera
President
Pier Programming Services Ltd.

From swmike at swm.pp.se Sun Nov 15 03:30:39 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sun, 15 Nov 2009 09:30:39 +0100 (CET)
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
References: <4AFF6E80.6030607@thelan.no>

On Sat, 14 Nov 2009, Hector Herrera wrote:
> If I have such a large number of TTL-expired messages, does that mean I
> have a routing loop somewhere? If so, I have three uplink interfaces,
> how do I find out which interface is causing the punts?

Try "show int switching" (hidden command, you can't tab-complete).

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From mail4hh at pobox.com Sun Nov 15 04:43:45 2009
From: mail4hh at pobox.com (Hector Herrera)
Date: Sun, 15 Nov 2009 01:43:45 -0800
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
References: <4AFF6E80.6030607@thelan.no>

Great, so now I know:

from 'show ip cef switching stat' I learned that there is a large number of packets with an expired TTL (TTL-expired is handled by the IP process, i.e. software routing)

from 'show interface switching' (hidden command) I learned the interface that has a high number of packets In and packets Out in the row "IP Process"

Since the number of packets in the two commands above are very close to each other, I think I have identified the network interface with the large number of TTL-expired packets. It is a BGP interface, so my best guess is that a BGP neighbour is advertising routes that they don't actually carry in their routing tables and for some reason they are sending the packets back to me, and the question now is to locate the culprit route advertisement and contact the neighbor. Right?
Still, for the next time I see high cpu usage, the commands to use are:

'show process cpu' and look at the first few lines to determine if it's interrupts or processes consuming the cpu time.

If it's processes, look at the list of processes for any that are using large percentages.

To diagnose high cpu consumption by interrupts, CPU Profiling (http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af0.shtml) is a possible tool.

Thank you all for your help!

Hector

From swmike at swm.pp.se Sun Nov 15 05:12:47 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sun, 15 Nov 2009 11:12:47 +0100 (CET)
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
References: <4AFF6E80.6030607@thelan.no>

On Sun, 15 Nov 2009, Hector Herrera wrote:
> Since the number of packets in the two commands above are very close to
> each other, I think I have identified the network interface with the
> large number of TTL-expired packets. It is a BGP interface, so my best
> guess is that a BGP neighbour is advertising routes that they don't
> actually carry in their routing tables and for some reason they are
> sending the packets back to me, and the question now is to locate the
> culprit route advertisement and contact the neighbor. Right?

Yes, or they didn't null-route their aggregate prefix and have a default route to you (or you didn't null-route your prefix and you have a default route to them).

Best way is probably to port-mirror the port and look for the ICMP messages generated. You might also have luck with "debug icmp" on the 3550 and see whereto the ICMP messages are sent. There might also be a debug command to actually tell you what unreachables are being sent. Make sure you have "no logging console", and remember it's always a risk to debug things...
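The triage this thread converges on, as an added example that is not from the thread and not a Cisco tool: read the total/interrupt split from the first line of 'show processes cpu', then parse 'show ip cef switching statistics' to name the dominant punt reason and suggest the next command. The CEF table is Hector's as posted above; the 'show processes cpu' line is constructed, since the thread only reports 90% sustained with IP Input at 2.7%.

```python
"""Triage an IOS high-CPU event from the two outputs the thread settles on.

Added example, not from the cisco-nsp thread and not a Cisco tool. Step 1
reads the "total%/interrupt%" pair on the first line of 'show processes cpu'
to tell interrupt time (punted traffic) from process time. Step 2 parses the
'show ip cef switching statistics' table and names the dominant punt reason.
The CEF table below is the one Hector posted; the 'show processes cpu' line
is constructed (the thread only says 90% sustained with IP Input at 2.7%).
"""
import re

# IOS: "CPU utilization for five seconds: <total>%/<interrupt>%; one minute: ..."
CPU_LINE = re.compile(r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%")

# Table rows: "RP LES TTL expired   0   0   1676276"; the reason text holds no digits
STAT_ROW = re.compile(r"^(?:RP LES|All)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)$")


def cpu_split(show_proc_cpu: str) -> tuple:
    """Return (total, interrupt, process) five-second percentages."""
    m = CPU_LINE.search(show_proc_cpu)
    if not m:
        raise ValueError("no five-second CPU utilization line found")
    total, intr = int(m.group(1)), int(m.group(2))
    return total, intr, total - intr


def parse_cef_switching_stats(output: str) -> dict:
    """Map each punt reason to (Drop, Punt, Punt2Host); the Total rows are skipped."""
    stats = {}
    for line in output.splitlines():
        m = STAT_ROW.match(line.strip())
        if m and m.group(1) != "Total":
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return stats


def dominant_punt_reason(stats: dict) -> tuple:
    """Reason with the most punted packets (Punt + Punt2Host) and its share of all punts."""
    punts = {reason: p + p2h for reason, (_, p, p2h) in stats.items()}
    total = sum(punts.values())
    top = max(punts, key=punts.get)
    return top, punts[top], (punts[top] / total if total else 0.0)


def triage(show_proc_cpu: str, cef_stats: str, interrupt_share: float = 0.5) -> dict:
    """Combine both checks into a verdict with the next command to run."""
    total, intr, proc = cpu_split(show_proc_cpu)
    reason, count, share = dominant_punt_reason(parse_cef_switching_stats(cef_stats))
    interrupt_driven = total > 0 and intr / total >= interrupt_share
    if interrupt_driven:
        next_step = (f"interrupt-driven: '{reason}' is {share:.0%} of punts; "
                     "run 'show interface switching' to find the ingress interface")
    else:
        next_step = "process-driven: check the per-process list in 'show processes cpu'"
    return {"cpu_total": total, "cpu_interrupt": intr, "cpu_process": proc,
            "interrupt_driven": interrupt_driven, "top_punt_reason": reason,
            "top_punt_count": count, "top_punt_share": round(share, 3),
            "next_step": next_step}


# Constructed 'show processes cpu' header: 90% total, 87% of it in interrupts
SAMPLE_PROC_CPU = (
    "CPU utilization for five seconds: 90%/87%; one minute: 88%; five minutes: 85%\n"
    " PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process\n"
)

# 'show ip cef switching statistics' with the values exactly as posted in the thread
SAMPLE_CEF_STATS = """\
       Reason                          Drop       Punt  Punt2Host
RP LES No route                           0          0         37
RP LES Packet destined for us             0     273716          0
RP LES No adjacency                    8587          0          0
RP LES TTL expired                        0          0    1676276
RP LES Unclassified reason                1          0          0
RP LES Neighbor resolution req       210055          3          0
RP LES Total                         218643     273719    1676313

All    Total                         218643     273719    1676313
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROC_CPU, SAMPLE_CEF_STATS).items():
        print(f"{key}: {value}")
```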
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From asturluismi at gmail.com Sun Nov 15 08:58:04 2009
From: asturluismi at gmail.com (luismi)
Date: Sun, 15 Nov 2009 14:58:04 +0100
Subject: [c-nsp] IRIS Project
Message-ID: <1258293484.12313.0.camel@hal9000>

Is there anyone in this mailing list involved with the IRIS project?

From asturluismi at gmail.com Sun Nov 15 09:12:24 2009
From: asturluismi at gmail.com (luismi)
Date: Sun, 15 Nov 2009 15:12:24 +0100
Subject: [c-nsp] BDF over port-channels?
Message-ID: <1258294344.12313.1.camel@hal9000>

Is it supported in any IOS? Does anyone know if it is going to be supported in the future?

From eng_mssk at hotmail.com Sun Nov 15 10:00:52 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 15 Nov 2009 17:00:52 +0200
Subject: [c-nsp] Kron

hey all

I have configured kron to backup my configuration files and all is working fine. Now I want to take ping values and store them in a file on the TFTP server, but the command, for example

  ping y.y.y.y | redirect tftp://x.x.x.x/PING

is incorrect, so what is the way to do that??

Thanks in advance

From avayner at cisco.com Sun Nov 15 10:15:56 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 15 Nov 2009 16:15:56 +0100
Subject: [c-nsp] Kron

Mohammad,

Wouldn't IP SLA be a better way to do it?
You can also create an EEM script that would be triggered by IP SLA threshold values, so you will get a custom alert.
Arie

From avayner at cisco.com Sun Nov 15 10:16:22 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 15 Nov 2009 16:16:22 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258294344.12313.1.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000>

Which platforms?

Arie
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From eng_mssk at hotmail.com Sun Nov 15 10:37:42 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Sun, 15 Nov 2009 17:37:42 +0200 Subject: [c-nsp] Kron In-Reply-To: References: Message-ID: hi Arie the problem is that the IOS installed on my switches does not support event manager feature thats why i am looking for kron > Subject: RE: [c-nsp] Kron > Date: Sun, 15 Nov 2009 16:15:56 +0100 > From: avayner at cisco.com > To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net > > Mohammad, > > Wouldn't IP SLA be a better way to do it? > You can also create an EEM script that would be triggered by IP SLA > threshold values, so you will get a custom alert. > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Sunday, November 15, 2009 17:01 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Kron > > > hey all > > i have configured kron to backup my configuration files and all is > working fine > now i want to take ping values and store it in a file on the TFTP server > but the command for example ping y.y.y.y| redirect tftp://x.x.x.x/PING > is incorrect > so how is the way to do that ?? > > Thanks in advance > > > _________________________________________________________________ > Windows Live Hotmail: Your friends can get your Facebook updates, right > from Hotmail(r). 
> http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action > /social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_4 > :092009 > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _________________________________________________________________ Windows Live: Keep your friends up to date with what you do online. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010 From rwest at zyedge.com Sun Nov 15 10:54:49 2009 From: rwest at zyedge.com (Ryan West) Date: Sun, 15 Nov 2009 10:54:49 -0500 Subject: [c-nsp] Kron In-Reply-To: References: Message-ID: You could graph your rtr/ip sla stats using mrtg or cacti. Sent from handheld. On Nov 15, 2009, at 10:39 AM, "Mohammad Khalil" wrote: > > hi Arie > > the problem is that the IOS installed on my switches does not > support event manager feature thats why i am looking for kron > >> Subject: RE: [c-nsp] Kron >> Date: Sun, 15 Nov 2009 16:15:56 +0100 >> From: avayner at cisco.com >> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net >> >> Mohammad, >> >> Wouldn't IP SLA be a better way to do it? >> You can also create an EEM script that would be triggered by IP SLA >> threshold values, so you will get a custom alert. 
From streiner at cluebyfour.org  Sun Nov 15 10:41:32 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Sun, 15 Nov 2009 10:41:32 -0500 (EST)
Subject: [c-nsp] Kron

On Sun, 15 Nov 2009, Mohammad Khalil wrote:

> i have configured kron to backup my configuration files and all is working fine
> now i want to take ping values and store it in a file on the TFTP server
> but the command for example ping y.y.y.y| redirect tftp://x.x.x.x/PING is incorrect
> so how is the way to do that ??

The file "PING" on your TFTP server needs to exist and it needs to have the correct permissions to allow writing.

The other question is related to the use of recording the ping results. If you're keeping them as documentation of a specific link or router being reachable, that's one thing, but if you plan to record them for some kind of performance measurement, those numbers might be of limited value at best.

I'm also not sure that the syntax you have above will work.

jms

From eng_mssk at hotmail.com  Sun Nov 15 13:08:36 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 15 Nov 2009 20:08:36 +0200
Subject: [c-nsp] Kron

Yes Ryan, that's what I am trying to do. I want to measure latency between 2 sites, but my metro ethernet switches do not support IP SLA or event manager; that's why I am trying to find alternatives by exporting ping results on a scheduled basis and using a script for graphing them.

> From: rwest at zyedge.com
> To: eng_mssk at hotmail.com
> CC: avayner at cisco.com; cisco-nsp at puck.nether.net
> Date: Sun, 15 Nov 2009 10:54:49 -0500
> Subject: Re: [c-nsp] Kron
>
> You could graph your rtr/ip sla stats using mrtg or cacti.
>
> Sent from handheld.
From rwest at zyedge.com  Sun Nov 15 13:20:16 2009
From: rwest at zyedge.com (Ryan West)
Date: Sun, 15 Nov 2009 13:20:16 -0500
Subject: [c-nsp] Kron

Are you sure it doesn't support RTR?

Sent from handheld.

On Nov 15, 2009, at 1:08 PM, "Mohammad Khalil" wrote:

> yes ryan thats what i am trying to do , i want to measure latency
> between 2 sites but my metro ethernet switches does not support ip sla
> or event manager thats y i am trying to find an alternatives by
> exporting ping results on a scheduled basis and use a script for
> graphing them
From ras at e-gerbil.net  Sun Nov 15 13:59:10 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sun, 15 Nov 2009 12:59:10 -0600
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
In-Reply-To: <20091114212717.GM163@greenie.muc.de>
References: <200911150235.59896.mtinka@globaltransit.net> <20091114212717.GM163@greenie.muc.de>
Message-ID: <20091115185910.GL51443@gerbil.cluepon.net>

On Sat, Nov 14, 2009 at 10:27:17PM +0100, Gert Doering wrote:
> Hi,
>
> On Sun, Nov 15, 2009 at 02:35:59AM +0800, Mark Tinka wrote:
> > What quality networking, we have these days...
>
> Hey, at least you *have* BFD. Unlike us folks with SXH and SXI that
> want to use BFD on SVI interfaces...

They pulled BFD from SVI's on SR code too. Not that it's any more broken than BFD on physical interfaces really. :)

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From gert at greenie.muc.de  Sun Nov 15 14:19:36 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 15 Nov 2009 20:19:36 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258294344.12313.1.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000>
Message-ID: <20091115191936.GP163@greenie.muc.de>

Hi,

On Sun, Nov 15, 2009 at 03:12:24PM +0100, luismi wrote:
> Is it supported in any IOS?
> Does anyone if it is going to be supported in the future?

On 7600s, it should work, if you are using "routed mode" port channels (or subinterfaces).
On vlan interfaces, it is not there (yet?).

On GSRs, I have no idea.

gert
--
USENET is *not* the non-clickable part of WWW!                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From mtinka at globaltransit.net  Sun Nov 15 17:17:50 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 16 Nov 2009 06:17:50 +0800
Subject: [c-nsp] SRC5, And The BFD Bug Remains :-( - *sigh*
In-Reply-To: <20091115185910.GL51443@gerbil.cluepon.net>
References: <200911150235.59896.mtinka@globaltransit.net> <20091114212717.GM163@greenie.muc.de> <20091115185910.GL51443@gerbil.cluepon.net>
Message-ID: <200911160618.10525.mtinka@globaltransit.net>

On Monday 16 November 2009 02:59:10 am Richard A Steenbergen wrote:

> They pulled BFD from SVI's on SR code too. Not that it's
> any more broken than BFD on physical interfaces really.
> :)

I have it configured on physical interfaces on a 7604/RSP720-3CXL running 12.2(33)SRC5.

Cheers,

Mark.

From asturluismi at gmail.com  Sun Nov 15 22:43:46 2009
From: asturluismi at gmail.com (luismi)
Date: Mon, 16 Nov 2009 04:43:46 +0100
Subject: [c-nsp] BDF over port-channels?
References: <1258294344.12313.1.camel@hal9000>
Message-ID: <1258343026.13091.0.camel@hal9000>

7200 npe-g2 and 7600 rsp720-pfc3

On Sun, 15-11-2009 at 16:16 +0100, Arie Vayner (avayner) wrote:
> Which platforms?
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Sunday, November 15, 2009 16:12
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] BDF over port-channels?
>
> Is it supported in any IOS?
> Does anyone if it is going to be supported in the future?

From andy.saykao at staff.netspace.net.au  Sun Nov 15 23:31:07 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 16 Nov 2009 15:31:07 +1100
Subject: [c-nsp] Can not establish MP-BGP sessions
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au>

Hi All,

We migrated a link between two pops onto a Switched Ethernet circuit and since then we can't pass MPLS VPN traffic between those two pops from PE1 to PE2 because PE1 and PE2 can not establish a MP-BGP session.
-------------------------
BGP log on PE1:
-------------------------
Nov 16 14:26:48.693 AEDT: %BGP-5-ADJCHANGE: neighbor 172.16.99.4 Down BGP Notification sent
Nov 16 14:26:48.693 AEDT: %BGP-3-NOTIFICATION: sent to neighbor 172.16.99.4 4/0 (hold time expired) 0 bytes

-------------------------
Topology:
-------------------------
POP1 [PE1 (lo99:172.16.99.13) --- Switched Ethernet --> P1 ] --> POP2 [P2 --> PE2 (lo99:172.16.99.4)]

-------------------------
P1:
-------------------------
interface GigabitEthernet4/0/1
 description Connection to P2
 bandwidth 150000
 ip address 203.17.96.x 255.255.255.252
 load-interval 30
 negotiation auto
 mpls ip

-------------------------
P2:
-------------------------
interface GigabitEthernet0/2
 description Connection to P1
 bandwidth 150000
 ip address 203.17.96.x 255.255.255.252
 load-interval 30
 media-type gbic
 speed auto
 duplex auto
 negotiation auto
 mpls ip

Interesting thing to note is that if I remove "mpls ip" from P1's interface, the MP-BGP sessions are formed between PE1 and PE2 and stay up. When I put "mpls ip" back on the interface, the MP-BGP session times out with the error message in the BGP log above.

The only thing that has changed is the introduction of the new Switched Ethernet circuit. I was thinking that it might have something to do with jumbo frames, but our upstream providers tell me that they have configured jumbo frames on either end of the link, plus I can ping from P1 to P2 with byte sizes larger than 8000 bytes.

Has anyone got any ideas as to why the MP-BGP sessions all of a sudden can no longer stay up and what further debug/troubleshooting I can do?

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From ecralar at hotmail.com  Mon Nov 16 01:52:29 2009
From: ecralar at hotmail.com (Alex)
Date: Mon, 16 Nov 2009 06:52:29 -0000
Subject: [c-nsp] Can not establish MP-BGP sessions
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au>

Hi Andy,

Couple of questions:

1/ Can you ping between PE1 and PE2 _loopbacks_ across the circuit when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?

2/ Can you establish BGP session between _interface_ addresses when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?

Rgds
Alex

--------------------------------------------------
From: "Andy Saykao"
Date: 16 November 2009 04:31
Subject: [c-nsp] Can not establish MP-BGP sessions

> Hi All,
>
> We migrated a link between two pops onto a Switched Ethernet circuit and
> since then we can't pass MPLS VPN traffic between those two pops from
> PE1 to PE2 because PE1 and PE2 can not establish a MP-BGP session.
From mschedrin at gmail.com  Mon Nov 16 05:18:07 2009
From: mschedrin at gmail.com (Mikhail Schedrin)
Date: Mon, 16 Nov 2009 13:18:07 +0300
Subject: [c-nsp] SCE 8000 troubles
Message-ID: <73ec141e0911160218l25441436sa30055fa8d98d7f@mail.gmail.com>

Hi all.

My SCE8000 logs a lot of error messages:

2009-11-01 00:56:15 | WARN  | CPU #000 | System had started hardware congestion bypassed
2009-11-01 01:22:17 | WARN  | CPU #000 | System had stopped hardware congestion bypassed
2009-11-01 01:22:23 | WARN  | CPU #000 | System had started hardware congestion bypassed
2009-10-01 08:26:37 | WARN  | CPU #000 | The SE status changed to Warning
2009-10-01 12:26:37 | WARN  | CPU #000 | SE Control Module: A problem occurred. Please report to Cisco's customer support
2009-09-29 03:06:25 | ERROR | CPU #000 | Application configuration file executed with 1363 errors.
2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error occurred. Please report to Cisco's customer support
2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error occurred. Please report to Cisco's customer support

After these messages SCE can stop shaping, reboot, stop syncing subscribers etc. I could not find any explanation in documentation about such errors.
Did anyone meet such problems?

--
SkyNet Telecom http://sknt.ru
tel. +7 812 600-75-35 ext. 554
mob. +7 911 934-79-83

From jp at softnet.si  Mon Nov 16 05:56:17 2009
From: jp at softnet.si (Primoz Jeroncic)
Date: Mon, 16 Nov 2009 11:56:17 +0100 (CET)
Subject: [c-nsp] c3560 IPv6 and ACL

Hi

We are slowly moving toward IPv6 implementation in production, so I came to ACLs. I would want to have some protection for our servers, so I went to configure IPv6 ACL, which is based on our IPv4 ACL. Problem is, that it looks like I can't make host based ACL entries on c3560. If I try to add a line for the SMTP server I get the following:

interface FastEthernet0/1
 no switchport
 ipv6 address xxxx:xxxx:0:3::1/64
 ipv6 enable
 ipv6 traffic-filter fw-ipv6 out

test(config)#ipv6 access-list fw-ipv6
test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
% Host address xxxx:xxxx:0:3::2 can not be supported
% ACE can not be added
% Failed to add access list

If I try to do the same thing on c12008, it works without problems.

Any idea how to solve this problem?

PS: This c3560 is running Adv. IP services 12.2.40.SE IOS, in case this matters. And the preferred SDM template is "desktop IPv4 and IPv6 routing".

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.  tel: +386 1 562 31 40   |
Borovec 2       fax: +386 1 562 18 55   |       1 + 1 = 3
1236 Trzin      primoz(at)softnet.si    | for larger values of 1
Slovenija       http://flea.softnet.si/
-------------------------------------------------------------------

From copse at xy.org  Mon Nov 16 06:31:28 2009
From: copse at xy.org (Roger Wiklund)
Date: Mon, 16 Nov 2009 12:31:28 +0100
Subject: [c-nsp] c7200, only one IP configured, seeing 2 as connected

Hi

I have a strange problem. I have a Serial interface with one /30 IP configured as a link network between PE and CE.

interface Serial1/0
 description MPLS Circuit
 bandwidth 34368
 ip address 206.115.103.122 255.255.255.252
 ip nbar protocol-discovery
 encapsulation ppp
 framing g751
 dsu bandwidth 34010
 serial restart-delay 0
 no cdp enable
 max-reserved-bandwidth 90
 service-policy output shape-etm

router#sh conf | i 206.115.103.121
 neighbor 206.115.103.121 remote-as X

But I'm seeing 2 IPs. I'm actually seeing the PE's IP address as being directly connected, and as I have "redist connect" it's being advertised to the PE.

router#show ip route connected
C    206.115.103.120/30 is directly connected, Serial1/0
C    206.115.103.121/32 is directly connected, Serial1/0

router#show ip bgp nei 206.115.103.121 advertised-routes
*> 206.115.103.120/30   0.0.0.0                  0         32768 ?
*> 206.115.103.121/32   0.0.0.0                  0         32768 ?

Have you ever seen this before?

Cisco 7204VXR (NPE400) processor (revision B) with 229376K/32768K bytes of memory.
(C7200-IS-M), Version 12.4(25b)

Regards
Roger

From sthaug at nethelp.no  Mon Nov 16 06:31:56 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 16 Nov 2009 12:31:56 +0100 (CET)
Subject: [c-nsp] c3560 IPv6 and ACL
Message-ID: <20091116.123156.74736630.sthaug@nethelp.no>

> We are slowly moving toward IPv6 implementation in production, so I
> came to ACLs. I would want to have some protection for our servers,
> so I went to configure IPv6 ACL, which is based on our IPv4 ACL.
> Problem is, that it looks like I can't make host based ACL entries
> on c3560. If I try to add line for SMTP server I get following:

I seem to remember 3560 has 144 bit TCAM entries - which cannot easily support 128 bit IPv6 + 16 bit source port + 16 bit destination port.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From olof.kasselstrand at gmail.com  Mon Nov 16 06:43:19 2009
From: olof.kasselstrand at gmail.com (Olof Kasselstrand)
Date: Mon, 16 Nov 2009 12:43:19 +0100
Subject: [c-nsp] c3560 IPv6 and ACL

Hi,

What happens if you drop the "host" keyword and add /128 to the host address?

// Olof

On Mon, Nov 16, 2009 at 11:56 AM, Primoz Jeroncic wrote:
> Hi
>
> We are slowly moving toward IPv6 implementation in production, so I came to
> ACLs. I would want to have some protection for our servers,
> so I went to configure IPv6 ACL, which is based on our IPv4 ACL.
> Problem is, that it looks like I can't make host based ACL entries
> on c3560. If I try to add line for SMTP server I get following:
>
> test(config)#ipv6 access-list fw-ipv6
> test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
> % Host address xxxx:xxxx:0:3::2 can not be supported
> % ACE can not be added
> % Failed to add access list
>
> If I try to do same thing on c12008, it works without problems.

From tim at pelican.org  Mon Nov 16 06:47:19 2009
From: tim at pelican.org (Tim Franklin)
Date: Mon, 16 Nov 2009 11:47:19 +0000 (GMT)
Subject: [c-nsp] c7200, only one IP configured, seeing 2 as connected
Message-ID: <22434271.01258372039851.JavaMail.root@jennyfur.pelican.org>

> router#show ip route connected
>
> C 206.115.103.120/30 is directly connected, Serial1/0
> C 206.115.103.121/32 is directly connected, Serial1/0
> router#show ip bgp nei 206.115.103.121 advertised-routes

This is completely normal for a point-to-point circuit - you get a connected route for the network configured on your end, and you also get the host address of your peer, as determined during the PPP negotiation. (There's no reason that opposite ends of a PPP link have to be in the same subnet - the peer could have a completely unrelated address.)

If you want to remove it, just configure 'no peer neighbor-route' on the interface. You'll need to bounce the interface for this to take effect.

Regards,
Tim.

From dale.shaw+cisco-nsp at gmail.com  Mon Nov 16 06:53:14 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Mon, 16 Nov 2009 22:53:14 +1100
Subject: [c-nsp] c7200, only one IP configured, seeing 2 as connected
Message-ID: <3329cbb40911160353j7a2d29b9h57ec017aa9318698@mail.gmail.com>

Hi Roger,

On Mon, Nov 16, 2009 at 10:31 PM, Roger Wiklund wrote:
>
> I have a strange problem. I have a Serial interface with one /30 IP
> configure as a link network between PE and CE.
> [....]
>
> Have you ever seen this before?

Yeah.
Check out: http://blog.ioshints.info/2008/02/remove-unwanted-ppp-peer-route.html

cheers,
Dale

From amsoares at netcabo.pt  Mon Nov 16 07:15:24 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 16 Nov 2009 12:15:24 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
Message-ID: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, I have 4 of these messages. Slot 6 is a SIP-601 containing 2 x SPA-10G.

What could be the problem?

The "show controllers fia" does not show any problem. The "execute-on slot 6 show controllers fia" shows this:

Switch cards present:   0x1F
Switch cards monitored: 0x1F
                   0        1        2        3        4
            -------- -------- -------- -------- --------
los                0        0        0        0        0
state            Off      Off      Off      Off      Off
crc16          53989        0        0        0        0
xor error          0        0        0        0
cell drops      1020     1020     1020     1020

IOS=c12kprp-p-mz.120-32.SY6.bin

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From leonardo.souza at nec.com.br  Mon Nov 16 07:41:09 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Mon, 16 Nov 2009 10:41:09 -0200
Subject: [c-nsp] RES: FABRIC-3-ERR_HANDLE
In-Reply-To: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br>

Hi,

What is the output from 'show controllers errors fabric'?

First of all I would try to reseat the LC6 and see if the CRC errors stop.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: Monday, 16 November 2009 10:15
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FABRIC-3-ERR_HANDLE

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, i have 4 of these messages. Slot 6 is a SIP-601 containing 2 x SPA-10G.

From amsoares at netcabo.pt  Mon Nov 16 07:48:47 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 16 Nov 2009 12:48:47 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br>
Message-ID: <1175087E65814145B873862D6AB00596@int.convex.pt>

No problems with that output:

12k2>show control errors fabric
         SCA192  SCA192  SCA192  SCA192  XBAR192 XBAR192 CSCFPGA CSCFPGA CLKFPGA
         LC_ENA  BP_FRC  LC_TYP  DE_GNT  DAT_LOS SEL_IDL LP_BAK  LC_PRE  CLKSTS
SLOT0    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT1    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT2    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT3    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT4    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT5    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT6    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT7    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT8    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT9    OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT10   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT11   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT12   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT13   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT14   OK      OK      OK      OK      OK      OK      OK      OK      OK
SLOT15   OK      OK      OK      OK      OK      OK      OK      OK      OK
Fabric error handling : enabled
12k2>

But I get the same type of pattern when doing the "execute-on slot x show controllers fia" for other SIP601 slots.
And the pattern is:

Switch cards present: 0x1F
Switch cards monitored: 0x1F
                   0        1        2        3        4
            -------- -------- -------- -------- --------
los                0        0        0        0        0
state            Off      Off      Off      Off      Off
crc16          XXXXX        0        0        0        0
xor error          0        0        0        0
cell drops      YYYY     YYYY     YYYY     YYYY

XXXX and YYYY have non-zero values.

Here the column '0' must be csc0. So the problem must be with csc0.

I don't understand why in the line 'cell drops' I only have 4 values. I was
expecting 5 as with the other lines.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Leonardo Gama Souza [mailto:leonardo.souza at nec.com.br]
Sent: Monday, 16 November 2009 12:41
To: Antonio Soares; cisco-nsp at puck.nether.net
Subject: RES: [c-nsp] FABRIC-3-ERR_HANDLE

[...]

From leonardo.souza at nec.com.br  Mon Nov 16 07:48:36 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Mon, 16 Nov 2009 10:48:36 -0200
Subject: [c-nsp] RES: SCE 8000 troubles
In-Reply-To: <73ec141e0911160218l25441436sa30055fa8d98d7f@mail.gmail.com>
References: <73ec141e0911160218l25441436sa30055fa8d98d7f@mail.gmail.com>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23FA@spsrvmail03.nec.br>

Which were the subscribers and unidirectional flows usage at the moment of
the problem?

I've never seen such errors.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikhail Schedrin
Sent: Monday, 16 November 2009 08:18
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SCE 8000 troubles

Hi all.

My SCE8000 logs a lot of error messages:

> 2009-11-01 00:56:15 | WARN | CPU #000 | System had started hardware congestion bypassed
> 2009-11-01 01:22:17 | WARN | CPU #000 | System had stopped hardware congestion bypassed
> 2009-11-01 01:22:23 | WARN | CPU #000 | System had started hardware congestion bypassed
>
> 2009-10-01 08:26:37 | WARN | CPU #000 | The SE status changed to Warning
> 2009-10-01 12:26:37 | WARN | CPU #000 | SE Control Module: A problem occurred. Please report to Cisco's customer support
>
> 2009-09-29 03:06:25 | ERROR | CPU #000 | Application configuration file executed with 1363 errors.
> 2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error occurred. Please report to Cisco's customer support
> 2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error occurred. Please report to Cisco's customer support

After these messages SCE can stop shaping, reboot, stop syncing subscribers
etc.

I could not find any explanation in documentation about such errors.

Did anyone meet such problems?

--
SkyNet Telecom http://sknt.ru
+7 812 600-75-35 ext. 554
+7 911 934-79-83

From leonardo.souza at nec.com.br  Mon Nov 16 08:06:15 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Mon, 16 Nov 2009 11:06:15 -0200
Subject: [c-nsp] RES: FABRIC-3-ERR_HANDLE
In-Reply-To: <1175087E65814145B873862D6AB00596@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
	<9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br>
	<1175087E65814145B873862D6AB00596@int.convex.pt>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br>

Hi,

Sounds weird. You're right. It seems a problem with csc0.

I guess it's only 4 because there's only one CSC active at any time.
-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt]
Sent: Monday, 16 November 2009 10:49
To: Leonardo Gama Souza; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] FABRIC-3-ERR_HANDLE

[...]

From r.tahina at moov.mg  Mon Nov 16 08:10:10 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Mon, 16 Nov 2009 16:10:10 +0300
Subject: [c-nsp] routing with 2 upstreams issue
Message-ID: <7.0.1.0.2.20091116160625.0624b640@moov.mg>

Hi All,

I'm connected to 2 upstreams. Is there any performance issue if upload from
192.168.1.0/24 is via upstream 1 but download for this class is from
upstream 2?
BR

From thegameiam at yahoo.com  Mon Nov 16 07:17:21 2009
From: thegameiam at yahoo.com (David Barak)
Date: Mon, 16 Nov 2009 04:17:21 -0800 (PST)
Subject: [c-nsp] c7200, only one IP configured, seeing 2 as connected
Message-ID: <656731.77506.qm@web31808.mail.mud.yahoo.com>

Hi Roger,

PPP by default will inject the /32 address of the "far" end into the
connected route table. You can modify this with either a route-map on your
redistribute connected statement, or more simply add "no peer neighbor-route"
under your interface configuration, which will modify the PPP behavior.

-David Barak

Roger Wiklund wrote:

> Hi
>
> I have a strange problem. I have a Serial interface with one /30 IP
> configured as a link network between PE and CE.
>
> interface Serial1/0
>  description MPLS Circuit
>  bandwidth 34368
>  ip address 206.115.103.122 255.255.255.252
>  ip nbar protocol-discovery
>  encapsulation ppp
>  framing g751
>  dsu bandwidth 34010
>  serial restart-delay 0
>  no cdp enable
>  max-reserved-bandwidth 90
>  service-policy output shape-etm
>
> router#sh conf | i 206.115.103.121
>  neighbor 206.115.103.121 remote-as X
>
> But I'm seeing 2 IPs. I'm actually seeing the PE's IP address as being
> directly connected, and as I have redist connected it's being advertised to
> the PE.
>
> router#show ip route connected
> C    206.115.103.120/30 is directly connected, Serial1/0
> C    206.115.103.121/32 is directly connected, Serial1/0
>
> router#show ip bgp nei 206.115.103.121 advertised-routes
> *> 206.115.103.120/30    0.0.0.0    0    32768 ?
> *> 206.115.103.121/32    0.0.0.0    0    32768 ?
>
> Have you ever seen this before?
>
> Cisco 7204VXR (NPE400) processor (revision B) with 229376K/32768K bytes of memory.
> (C7200-IS-M), Version 12.4(25b)
>
> Regards
> Roger

From jp at softnet.si  Mon Nov 16 08:22:25 2009
From: jp at softnet.si (Primoz Jeroncic)
Date: Mon, 16 Nov 2009 14:22:25 +0100 (CET)
Subject: [c-nsp] c3560 IPv6 and ACL

On Mon, 16 Nov 2009, Olof Kasselstrand wrote:

> Hi,
>
> What happens if you drop the "host" keyword and add /128 to the host address?

Hi Olof

Same thing. It doesn't matter if I add this as "host xxxxx" or as xxxx/128.

Primoz

>
> // Olof
>
> On Mon, Nov 16, 2009 at 11:56 AM, Primoz Jeroncic wrote:
>> Hi
>>
>> We are slowly moving toward IPv6 implementation in production, so I came to
>> ACLs. I would want to have some protection for our servers,
>> so I went to configure IPv6 ACL, which is based on our IPv4 ACL.
>> Problem is, that it looks like I can't make host based ACL entries
>> on c3560. If I try to add a line for the SMTP server I get the following:
>>
>> interface FastEthernet0/1
>>  no switchport
>>  ipv6 address xxxx:xxxx:0:3::1/64
>>  ipv6 enable
>>  ipv6 traffic-filter fw-ipv6 out
>>
>> test(config)#ipv6 access-list fw-ipv6
>> test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
>> % Host address xxxx:xxxx:0:3::2 can not be supported
>> % ACE can not be added
>> % Failed to add access list
>>
>> If I try to do the same thing on c12008, it works without problems.
>>
>> Any idea how to solve this problem?
>>
>> PS: This c3560 is running Adv. IP services 12.2.40.SE IOS, in case
>> this matters. And the preferred SDM template is "desktop IPv4 and IPv6 routing".
>>
>> Have fun,
>> Primoz Jeroncic
>> Support - IP Connectivity & Routing
>> -------------------------------------------------------------------
>> Softnet d.o.o.  tel:  +386 1 562 31 40   |
>> Borovec 2       fax:  +386 1 562 18 55   |      1 + 1 = 3
>> 1236 Trzin      primoz(at)softnet.si     | for larger values of 1
>> Slovenija       http://flea.softnet.si/
>> -------------------------------------------------------------------
>

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.  tel:  +386 1 562 31 40   |
Borovec 2       fax:  +386 1 562 18 55   |      1 + 1 = 3
1236 Trzin      primoz(at)softnet.si     | for larger values of 1
Slovenija       http://flea.softnet.si/
-------------------------------------------------------------------

From amsoares at netcabo.pt  Mon Nov 16 08:28:57 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 16 Nov 2009 13:28:57 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
	<9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br>
	<1175087E65814145B873862D6AB00596@int.convex.pt>
	<9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br>
Message-ID: <58024F3C430E43B3AC381AEA154305D1@int.convex.pt>

But if '0' is csc0 and '1' is csc1, it means the problem could be with the
csc in slot16. This is exactly the csc in standby:

12k2#execute-on slot 8 sh controlle fia
========= Standby RP (Slot 8) =========
Fabric configuration: 10Gbps bandwidth, redundant fabric
Master Scheduler: Slot 17 Backup Scheduler: Slot 16
Fab epoch no 0 Halt count 0

What kind of problems may a csc in standby mode have?
I don't mind replacing the csc but this doesn't make any sense to me.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Leonardo Gama Souza [mailto:leonardo.souza at nec.com.br]
Sent: Monday, 16 November 2009 13:06
To: Antonio Soares; cisco-nsp at puck.nether.net
Subject: RES: [c-nsp] FABRIC-3-ERR_HANDLE

[...]

From drew.weaver at thenap.com  Mon Nov 16 08:45:54 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 16 Nov 2009 08:45:54 -0500
Subject: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)
In-Reply-To: <4D393834-9022-4207-86BB-59731CF7BF68@arbor.net>
References: <4AFD889D.1090204@imperial.ac.uk>
	<4D393834-9022-4207-86BB-59731CF7BF68@arbor.net>

So is anyone aware of a newer version of the 6724 that has better buffers,
or are we supposed to just use SIP-600s and the 10x1GE-V2 in the 6500s?

thanks,
-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dobbins, Roland
Sent: Friday, November 13, 2009 2:36 PM
To: Cisco-nsp
Subject: Re: [c-nsp] Couple performance questions regarding CAT 6500 (SUP 720-3BXL)

On Nov 13, 2009, at 11:26 PM, Phil Mayers wrote:

> No. It's separate from QoS, you don't need QoS enabled for the MLS rate limiters.

Correct.

Also note that HWRL policies have precedence over CoPP.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From andy.saykao at staff.netspace.net.au  Mon Nov 16 08:51:51 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 17 Nov 2009 00:51:51 +1100
Subject: [c-nsp] Can not establish MP-BGP sessions
References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au>

Hi Alex,

1/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - I can not ping from
PE2 > PE1 BUT I can ping from PE1 > PE2. That's my real problem why
MP-BGP won't come up bc I don't seem to have two way comms bt PE
routers' BGP update-source lo99 address.

POP1 [PE1 (lo99:172.16.99.13) --> P1 ] --switched ethernet--> POP2 [P2 --> PE2 (lo99:172.16.99.4)]

Eg: Ping PE1 > PE2 (OK!)
PE1#ping 172.16.99.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

Eg: Ping PE2 > PE1 (NOT OK!)
PE2#ping 172.16.99.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Ping PE2 > P1 (OK!)
Ping P2 > P1 (OK!)

*** Seems like I can't get any traffic/labels beyond P1 to get to PE1.***

Forwarding table entry for PE1(lo99) looks ok on P1.

P1#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
8668   Pop Label   172.16.99.13/32   158269119     Gi0/0.152  203.17.102.113

2/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - BGP does not come up.
PE1#sh ip bgp vpnv4 all summary
BGP router identifier 203.17.101.20, local AS number 4854
BGP table version is 11983, main routing table version 11983
15 network entries using 2115 bytes of memory
15 path entries using 1020 bytes of memory
6/3 BGP path/bestpath attribute entries using 840 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP community entries using 24 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4119 total bytes of memory
BGP activity 1539/1500 prefixes, 6326/6263 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.99.4     4  4854  147048  148587        0    0    0 06:48:13 Active
172.16.99.5     4  4854  147196  148642        0    0    0 06:48:08 Active
172.16.99.7     4  4854  147468  148593        0    0    0 06:48:16 Active
172.16.99.9     4  4854  146473  148502        0    0    0 06:48:01 Active
172.16.99.14    4  4854  147066  149123    11983    0    0 10:43:13        7
172.16.99.16    4  4854  146464  148574        0    0    0 06:47:52 Active
172.16.99.19    4  4854  149509  151673    11983    0    0 10:43:59        5
172.16.99.20    4  4854  149448  151672    11983    0    0 10:43:58        2

If I disable "mpls ip" on either Gi4/0/1 and Gi0/2, BGP does come up but
of course I have no mpls vpn traffic because those links are no longer
mpls enabled.

Note that all Active BGP peers are PE devices which sit on the POP2
side. So all BGP peers on POP1 can establish BGP sessions with each
other but not to BGP peers at POP2. Likewise PE's at POP2 can establish
BGP sessions with each other and not with PE's located at POP1.

The forwarding table from PE2 > P2 > P1 looks ok - so not sure why you
can't ping PE2 > PE1.

PE2#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
617    3034        172.16.99.13/32   0             Gi0/0.11   203.10.110.211

P2#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
3034   8668        172.16.99.13/32   1582342       Gi4/0/1    203.17.96.97

P1#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
8668   Pop Label   172.16.99.13/32   158253163     Gi0/0.152  203.17.102.113

The fact that PE's at POP2 can not communicate with PE's at POP1 is why
I think BGP isn't coming up between PE1 and PE2. I don't know why mpls
traffic/labels are not being swapped and forwarded beyond P1 to reach
PE1. MPLS config, ldp, mpls forwarding table and bindings all look ok to
me - any ideas??? Like I said we haven't changed any config except
moving from our existing circuit to a new protected switched ethernet
circuit.

Thanks.

Andy

-----Original Message-----
From: Alex [mailto:ecralar at hotmail.com]
Sent: Monday, 16 November 2009 5:52 PM
To: Andy Saykao; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Can not establish MP-BGP sessions

Hi Andy,

Couple of questions:

1/ Can you ping between PE1 and PE2 _loopbacks_ across the circuit when
"mpls ip" is ON on both Gi4/0/1 and Gi0/2?

2/ Can you establish BGP session between _interface_ addresses when
"mpls ip" is ON on both Gi4/0/1 and Gi0/2?

Rgds

Alex

--------------------------------------------------
From: "Andy Saykao"
Date: 16 November 2009 04:31
Subject: [c-nsp] Can not establish MP-BGP sessions

> Hi All,
>
> We migrated a link between two pops onto a Switched Ethernet circuit
> and since then we can't pass MPLS VPN traffic between those two pops
> from PE1 to PE2 because PE1 and PE2 can not establish a MP-BGP session.
>
> -------------------------
> BGP log on PE1:
> -------------------------
> Nov 16 14:26:48.693 AEDT: %BGP-5-ADJCHANGE: neighbor 172.16.99.4 Down BGP Notification sent
> Nov 16 14:26:48.693 AEDT: %BGP-3-NOTIFICATION: sent to neighbor 172.16.99.4 4/0 (hold time expired) 0 bytes
>
> -------------------------
> Topology:
> -------------------------
> POP1 [PE1 (lo99:172.16.99.13) --- Switched Ethernet --> P1 ] --> POP2 [P2 --> PE2 (lo99:172.16.99.4)]
>
> -------------------------
> P1:
> -------------------------
> interface GigabitEthernet4/0/1
>  description Connection to P2
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  negotiation auto
>  mpls ip
>
> -------------------------
> P2:
> -------------------------
> interface GigabitEthernet0/2
>  description Connection to P1
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  media-type gbic
>  speed auto
>  duplex auto
>  negotiation auto
>  mpls ip
>
> Interesting thing to note is that if I remove "mpls ip" from P1's
> interface, the MP-BGP sessions are formed between PE1 and PE2 and stay
> up. When I put "mpls ip" back on the interface, the MP-BGP session
> times out with the error message in the BGP log above.
>
> The only thing that has changed is the introduction of the new
> Switched Ethernet circuit. I was thinking that it might have something
> to do with jumbo frames but our UpStream Providers tell me that they
> have configured jumbo frames on either end of the link plus I can ping
> end to end from P1 to P2 with byte sizes larger than 8000 bytes.
>
> Has anyone got any ideas as to why the MP-BGP sessions all of a sudden
> can no longer stay up and what further debug/troubleshooting I can do?
>
> Thanks.
>
> Andy

From mschedrin at gmail.com  Mon Nov 16 08:59:43 2009
From: mschedrin at gmail.com (Mikhail Schedrin)
Date: Mon, 16 Nov 2009 16:59:43 +0300
Subject: [c-nsp] SCE 8000 troubles
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23FA@spsrvmail03.nec.br>
References: <73ec141e0911160218l25441436sa30055fa8d98d7f@mail.gmail.com>
	<9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23FA@spsrvmail03.nec.br>
Message-ID: <73ec141e0911160559y4c06d41dp8d8219a0f4812e2b@mail.gmail.com>

More than 50K of subscribers and more than 8 Gbit/s.

Do you use SM server?

2009/11/16 Leonardo Gama Souza

> Which were the subscribers and unidirectional flows usage at the moment of
> the problem?
> I've never seen such errors.
>
> [...]

--
SkyNet Telecom http://sknt.ru
+7 812 600-75-35 ext. 554
+7 911 934-79-83

From tim at selfnet.de  Mon Nov 16 08:58:19 2009
From: tim at selfnet.de (Tim)
Date: Mon, 16 Nov 2009 14:58:19 +0100
Subject: [c-nsp] c3560 IPv6 and ACL
Message-ID: <20091116135819.GA32363@samstag.members.selfnet.de>

Primoz,

On Mon, Nov 16, 2009 at 11:56:17AM +0100, Primoz Jeroncic wrote:
> test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
> % Host address xxxx:xxxx:0:3::2 can not be supported
> % ACE can not be added
> % Failed to add access list
>
> If I try to do same thing on c12008, it works without problems.
>
> Any idea how to solve this problem?

"""
IPv6 ACL Limitations
...
The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:

- IPv6 source and destination addresses: ACL matching is supported only on
  prefixes from /0 to /64 and host addresses (/128) that are in the
  extended universal identifier (EUI)-64 format. The switch supports only
  these host addresses with no loss of information:
  - aggregatable global unicast addresses
  - link local addresses
"""

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swv6acl.html#wp4334642

Cheers,
Tim

From dudepron at gmail.com  Mon Nov 16 11:09:50 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 16 Nov 2009 11:09:50 -0500
Subject: [c-nsp] Can not establish MP-BGP sessions
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au>
	<56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <480dad640911160809u681057f5hb714468412ad0067@mail.gmail.com>

What is the HW on both ends? Possibly one has a bug that is causing headaches.
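Tim's reply above quotes the Catalyst 3560 limitation behind Primoz's "% Host address ... can not be supported": a /128 ACE is only accepted when the host address is in EUI-64 format and is global unicast or link-local, and anything else has to be expressed as a /0 to /64 prefix. As an added example (not from the thread and not Cisco code), the Python below applies that rule to a candidate ACL before it is pushed, so the whole list can be validated in a pre-change check instead of failing line by line at the CLI. The addresses are constructed from the 3fff::/20 documentation range, and the EUI-64 test used (the ff:fe marker bytes that a MAC-derived interface identifier carries) is an assumption about what the switch checks.

```python
"""Pre-check IPv6 ACE addresses against the Catalyst 3560/3750 hardware
limitation quoted in Tim's reply: prefixes /0-/64 are matchable, but a
host (/128) entry is accepted only for an EUI-64-format interface
identifier on a global unicast or link-local address.

Added example; not from the thread and not Cisco code. The EUI-64 test
used here (the ff:fe marker bytes of a MAC-derived identifier) is an
assumption about what the switch checks. Addresses are constructed from
the 3fff::/20 documentation range.
"""
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # aggregatable global unicast
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def is_eui64_iid(addr):
    """True if the low 64 bits look like a modified EUI-64 identifier built
    from a 48-bit MAC: address bytes 11 and 12 are 0xff 0xfe."""
    b = ipaddress.IPv6Address(str(addr)).packed
    return b[11] == 0xFF and b[12] == 0xFE


def ace_address_supported(prefix):
    """Classify one ACE address ('addr/len') under the quoted limitation.
    Returns (ok, reason)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen <= 64:
        return True, "prefix /%d is within /0-/64" % net.prefixlen
    if net.prefixlen != 128:
        return False, "prefix /%d: only /0-/64 or EUI-64 /128 are matchable" % net.prefixlen
    host = net.network_address
    if not (host in GLOBAL_UNICAST or host in LINK_LOCAL):
        return False, "host %s is neither global unicast nor link-local" % host
    if not is_eui64_iid(host):
        return False, "host %s has a non-EUI-64 interface ID" % host
    return True, "EUI-64 host %s" % host


def check_acl(entries):
    """entries: list of (name, prefix). Returns the (name, prefix, reason)
    tuples the switch would refuse, so a push can be aborted before the CLI
    rejects an ACE and leaves a partial list behind."""
    rejected = []
    for name, prefix in entries:
        ok, reason = ace_address_supported(prefix)
        if not ok:
            rejected.append((name, prefix, reason))
    return rejected


# Constructed ACL in the shape of Primoz's fw-ipv6 list (documentation addresses).
SAMPLE_ACL = [
    ("smtp-server", "3fff:0:0:3::2/128"),                        # manually numbered ::2 host
    ("smtp-server-eui64", "3fff:0:0:3:21b:21ff:fe12:3456/128"),  # SLAAC / EUI-64 host
    ("server-lan", "3fff:0:0:3::/64"),                           # whole subnet
    ("ll-router", "fe80::21b:21ff:fe12:3456/128"),               # link-local EUI-64 host
    ("odd-prefix", "3fff:0:0:3::/96"),                           # /65-/127 is not matchable
]

if __name__ == "__main__":
    for name, prefix, reason in check_acl(SAMPLE_ACL):
        print("REJECT %-18s %-40s %s" % (name, prefix, reason))
```

The first entry reproduces the thread's failure: a hand-assigned ::2 host identifier has no ff:fe marker, so the switch refuses it whether it is written as "host" or as /128, exactly as Primoz observed.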
On Mon, Nov 16, 2009 at 08:51, Andy Saykao < andy.saykao at staff.netspace.net.au> wrote: > Hi Alex, > > 1/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - I can not ping from > PE2 > PE1 BUT I can ping from PE1 > PE2. That's my real problem why > MP-BGP won't come up bc I don't seem to have two way comms bt PE > routers' BGP update-source lo99 address. > > POP1 [PE1 (lo99:172.16.99.13) --> P1 ] --switched ethernet--> POP2 [P2 > --> PE2 (lo99:172.16.99.4)] > > Eg: Ping PE1 > PE2 (OK!) > PE1#ping 172.16.99.4 > Type escape sequence to abort. > Sending 5, 100-byte ICMP Echos to 172.16.99.4, timeout is 2 seconds: > !!!!! > Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms > > Eg: Ping PE2 > PE1 (NOT OK!) > PE2#ping 172.16.99.13 > Type escape sequence to abort. > Sending 5, 100-byte ICMP Echos to 172.16.99.13, timeout is 2 seconds: > ..... > Success rate is 0 percent (0/5) > > Ping PE2 > P1 (OK!) > Ping P2 > P1 (OK!) > > *** Seems like I can't get any traffic/labels beyond P1 to get to > PE1.*** > > Forwarding table entry for PE1(lo99) looks ok on P1. > > P1#sh mpls forwarding-table 172.16.99.13 32 > Local Outgoing Prefix Bytes Label Outgoing Next Hop > Label Label or VC or Tunnel Id Switched interface > 8668 Pop Label 172.16.99.13/32 158269119 Gi0/0.152 > 203.17.102.113 > > 2/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - BGP does not come > up. 
>
> PE1#sh ip bgp vpnv4 all summary
> BGP router identifier 203.17.101.20, local AS number 4854
> BGP table version is 11983, main routing table version 11983
> 15 network entries using 2115 bytes of memory
> 15 path entries using 1020 bytes of memory
> 6/3 BGP path/bestpath attribute entries using 840 bytes of memory
> 2 BGP rrinfo entries using 48 bytes of memory
> 1 BGP AS-PATH entries using 24 bytes of memory
> 1 BGP community entries using 24 bytes of memory
> 2 BGP extended community entries using 48 bytes of memory
> 0 BGP route-map cache entries using 0 bytes of memory
> 0 BGP filter-list cache entries using 0 bytes of memory
> BGP using 4119 total bytes of memory
> BGP activity 1539/1500 prefixes, 6326/6263 paths, scan interval 15 secs
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 172.16.99.4     4  4854  147048  148587        0    0    0 06:48:13 Active
> 172.16.99.5     4  4854  147196  148642        0    0    0 06:48:08 Active
> 172.16.99.7     4  4854  147468  148593        0    0    0 06:48:16 Active
> 172.16.99.9     4  4854  146473  148502        0    0    0 06:48:01 Active
> 172.16.99.14    4  4854  147066  149123    11983    0    0 10:43:13        7
> 172.16.99.16    4  4854  146464  148574        0    0    0 06:47:52 Active
> 172.16.99.19    4  4854  149509  151673    11983    0    0 10:43:59        5
> 172.16.99.20    4  4854  149448  151672    11983    0    0 10:43:58        2
>
> If I disable "mpls ip" on either Gi4/0/1 or Gi0/2, BGP does come up but
> of course I have no mpls vpn traffic because those links are no longer
> mpls enabled.
>
> Note that all Active BGP peers are PE devices which sit on the POP2
> side. So all BGP peers on POP1 can establish BGP sessions with each
> other but not to BGP peers at POP2. Likewise PE's at POP2 can establish
> BGP sessions with each other and not with PE's located at POP1.
>
> The forwarding table from PE2 > P2 > P1 looks ok - so not sure why you
> can't ping PE2 > PE1.
>
> PE2#sh mpls forwarding-table 172.16.99.13 32
> Local  Outgoing   Prefix            Bytes Label  Outgoing   Next Hop
> Label  Label or VC or Tunnel Id     Switched     interface
> 617    3034       172.16.99.13/32   0            Gi0/0.11   203.10.110.211
>
> P2#sh mpls forwarding-table 172.16.99.13 32
> Local  Outgoing   Prefix            Bytes Label  Outgoing   Next Hop
> Label  Label or VC or Tunnel Id     Switched     interface
> 3034   8668       172.16.99.13/32   1582342      Gi4/0/1    203.17.96.97
>
> P1#sh mpls forwarding-table 172.16.99.13 32
> Local  Outgoing   Prefix            Bytes Label  Outgoing   Next Hop
> Label  Label or VC or Tunnel Id     Switched     interface
> 8668   Pop Label  172.16.99.13/32   158253163    Gi0/0.152  203.17.102.113
>
> The fact that PE's at POP2 can not communicate with PE's at POP1 is why
> I think BGP isn't coming up between PE1 and PE2. I don't know why mpls
> traffic/labels are not being swapped and forwarded beyond P1 to reach
> PE1. MPLS config, ldp, mpls forwarding table and bindings all look ok to
> me - any ideas??? Like I said we haven't changed any config except
> moving from our existing circuit to a new protected switched ethernet
> circuit.
>
> Thanks.
>
> Andy
>
> -----Original Message-----
> From: Alex [mailto:ecralar at hotmail.com]
> Sent: Monday, 16 November 2009 5:52 PM
> To: Andy Saykao; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Can not establish MP-BGP sessions
>
> Hi Andy,
> Couple of questions:
> 1/ Can you ping between PE1 and PE2 _loopbacks_ across the circuit when
> "mpls ip" is ON on both Gi4/0/1 and Gi0/2?
> 2/ Can you establish a BGP session between _interface_ addresses when
> "mpls ip" is ON on both Gi4/0/1 and Gi0/2?
> Rgds
> Alex
>
> --------------------------------------------------
> From: "Andy Saykao"
> Date: 16 November 2009 04:31
> Subject: [c-nsp] Can not establish MP-BGP sessions
>
> > Hi All,
> >
> > We migrated a link between two pops onto a Switched Ethernet circuit
> > and since then we can't pass MPLS VPN traffic between those two pops
> > from PE1 to PE2 because PE1 and PE2 can not establish a MP-BGP session.
> >
> > -------------------------
> > BGP log on PE1:
> > -------------------------
> > Nov 16 14:26:48.693 AEDT: %BGP-5-ADJCHANGE: neighbor 172.16.99.4 Down BGP Notification sent
> > Nov 16 14:26:48.693 AEDT: %BGP-3-NOTIFICATION: sent to neighbor 172.16.99.4 4/0 (hold time expired) 0 bytes
> >
> > -------------------------
> > Topology:
> > -------------------------
> > POP1 [PE1 (lo99:172.16.99.13) --- Switched Ethernet --> P1 ] --> POP2 [P2 --> PE2 (lo99:172.16.99.4)]
> >
> > -------------------------
> > P1:
> > -------------------------
> > interface GigabitEthernet4/0/1
> >  description Connection to P2
> >  bandwidth 150000
> >  ip address 203.17.96.x 255.255.255.252
> >  load-interval 30
> >  negotiation auto
> >  mpls ip
> >
> > -------------------------
> > P2:
> > -------------------------
> > interface GigabitEthernet0/2
> >  description Connection to P1
> >  bandwidth 150000
> >  ip address 203.17.96.x 255.255.255.252
> >  load-interval 30
> >  media-type gbic
> >  speed auto
> >  duplex auto
> >  negotiation auto
> >  mpls ip
> >
> > Interesting thing to note is that if I remove "mpls ip" from P1's
> > interface, the MP-BGP sessions are formed between PE1 and PE2 and stay
> > up. When I put "mpls ip" back on the interface, the MP-BGP session
> > times out with the error message in the BGP log above.
> >
> > The only thing that has changed is the introduction of the new
> > Switched Ethernet circuit.
> > I was thinking that it might have something
> > to do with jumbo frames but our upstream providers tell me that they
> > have configured jumbo frames on either end of the link plus I can ping
> > end to end from P1 to P2 with byte sizes larger than 8000 bytes.
> >
> > Has anyone got any ideas as to why the MP-BGP sessions all of a sudden
> > can no longer stay up and what further debug/troubleshooting I can do?
> >
> > Thanks.
> >
> > Andy
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
From dudepron at gmail.com Mon Nov 16 11:11:39 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 16 Nov 2009 11:11:39 -0500
Subject: [c-nsp] routing with 2 upstreams issue
In-Reply-To: <7.0.1.0.2.20091116160625.0624b640@moov.mg>
References: <7.0.1.0.2.20091116160625.0624b640@moov.mg>
Message-ID: <480dad640911160811s59c568dat532b4e6a67cdc049@mail.gmail.com>

Only if the BW or quality of the 2 networks is an issue. Asymmetrical routing happens a lot in the internet.

On Mon, Nov 16, 2009 at 08:10, RAZAFINDRATSIFA Rivo Tahina wrote:
> Hi All,
>
> I'm connected to 2 upstreams, is there any performance issue if upload from
> 192.168.1.0/24 is via upstream 1 but download for this class is from
> upstream 2 ?
>
> BR

From dudepron at gmail.com Mon Nov 16 11:19:12 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 16 Nov 2009 11:19:12 -0500
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <58024F3C430E43B3AC381AEA154305D1@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br> <1175087E65814145B873862D6AB00596@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br> <58024F3C430E43B3AC381AEA154305D1@int.convex.pt>
Message-ID: <480dad640911160819h5023a937h610607ae7a02052f@mail.gmail.com>

It is normal to have a CSC in standby mode. If something goes wrong with the other CSC, it takes over.
Step 1 - Gather data before making any changes

  term length 0   - so you don't have to hit enter
  show log
  show tech
  show monitor event-trace fab
  show monitor event-trace agent-ctrl
  show monitor event-trace board_mgr
  show monitor event-trace lci
  execute-on all show controllers fia        (x5 times or so)
  show controllers errors fabric counters    (x5 times or so)
  show controllers errors                    (x5 times or so)
  show controllers xbar                      (x5 times or so)
  show controllers sca                       (x5 times or so)
  show controllers clock
  show controllers fab-clk

Step 2 - Determine if the issue is with a single or multiple slots, including the RP slots

Step 3 - Check the location of the primary clock scheduler and whether both CSC are active (from show controllers clock) and the number of SFC. If only 1 CSC, troubleshoot the missing CSC first. Ensure that you will have 4 active fabric cards before OIRing a card, since line cards may go out of service due to lack of fabric BW.

Step 4 - *CRC and LOS errors in control path from CSC to SFC cards*

From *show controllers xbar*, on a 120XX chassis look at the Interrupt status field; on 124XX and 128XX, look at the Control LOS status and Control CRC error fields. If 0 then go to step 5.
Check to see which card is primary from *show controllers clock* and if both are present.
If incrementing and the error is on all fabric cards, then OIR the primary CSC.
If incrementing and the error is only on 1 fabric card, then OIR that fabric card.
If *show controllers xbar* does not show more errors, then the issue was seating, otherwise RMA the card.

Step 5 - *CSC Clocking and Synchronization problems*

From *show controllers clock* and *show controllers errors* (CLKSTS field).
Check to see which card is primary from *show controllers clock*.
If all the cards are using the primary clock (default is CSC_0), then go to step 6.
Cards not using the same clock must be in IOS RUN, RP ACTV or RP STBY; if not, go to step 6.
If multiple cards are not using the primary, OIR the primary CSC; if still, RMA the primary CSC.
If a single card is not using the primary, OIR the suspect card; if still, RMA the suspect card.

Step 6 - *ToFab FIA Halt*

If a syslog message or *execute-on all show controllers fia* shows errors:
If the RP has failed over and we have line cards also halted, then suspect the chassis or backplane.
If only a line card is halted, the router tries to recover several times; if it cannot recover, the RP resets the line card and runs additional tests. If the line card fails, then RMA the line card.

Step 7 - *CRC and LOS errors between fabric cards and line cards/RPs*

Errors are observed from *show controller error* (not useful on 120XX) and *show controller errors fabric counters*. The DAT_LOS (124XX and 128XX) and DAT_CRC (128XX only) identify the cards.
On a 120XX, the cause of errors from LC/RP to fabric can only be determined by removing 1 card at a time to see if the errors stop. Since the possibility is high that an in-use line card is the problem, start with the backbone facing cards first one at a time, then customer facing one at a time, then cards not in use one at a time.
If multiple cards show DAT_CRC and DAT_LOS errors, then the cause is most likely a fabric card, determined from the bitmap. Reseat the suspect card to see if errors continue. If so, RMA the card.
*show controller errors fabric counters* shows errors from the fabric. The bitmask will determine which one is suspect. Reset the suspect card to see if errors continue. If so, RMA the card.

From streiner at cluebyfour.org Mon Nov 16 11:46:15 2009
From: streiner at cluebyfour.org (Justin M.
Streiner)
Date: Mon, 16 Nov 2009 11:46:15 -0500 (EST)
Subject: [c-nsp] routing with 2 upstreams issue
In-Reply-To: <480dad640911160811s59c568dat532b4e6a67cdc049@mail.gmail.com>
References: <7.0.1.0.2.20091116160625.0624b640@moov.mg> <480dad640911160811s59c568dat532b4e6a67cdc049@mail.gmail.com>

On Mon, 16 Nov 2009, Aaron wrote:

> Only if the BW or quality of the 2 networks is an issue. Asymmetrical
> routing happens a lot in the internet.

Asymmetric routing is pretty much an unavoidable fact of life once your packets leave your borders, but it is not 'bad'. It can make troubleshooting connectivity issues more involved, but those issues often need to be researched in both directions anyway.

jms

From Jeff.Wojciechowski at midlandpaper.com Mon Nov 16 11:45:51 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Mon, 16 Nov 2009 10:45:51 -0600
Subject: [c-nsp] 2801 WIC errors
Message-ID: <6B8401A83219DF499C34DEAEE9A5999220CFFDB026@XBOX.midlandpaper.com>

Hi All,

I have a 2801 running 12.4(22)T3 with a WIC1-DSU-T1-V2 giving me some WIC related error logging messages:

wait_ft1_wic_mailbox failed

and

%SERVICE_MODULE-4-WICNOTREADY: Unit Serial0/2/0 not ready for next command,
-Traceback= 0x60D0DAE4 0x60458EEC 0x60458F9C 0x6045A20C 0x6045A5F4 0x6045AE8C 0x6044FDD8 0x60456620 0x60454774 0x604556EC 0x60D5E75C 0x60D3B9F8 0x60D3BB48 0x60D5E75C 0x60D84644 0x61B0D864

Best I can tell is that both log entries occur when I do a 'show service-module', which interestingly enough has incomplete information:

Module type is T1/fractional
  Hardware revision is 1.0, Software revision is 20090901,
  Image checksum is 0x44F2D8, Protocol revision is 0.1
Receiver has no alarms.
Framing is ESF, Line Code is B8ZS, Current clock source is line,
Fraction has 24 timeslots (64 Kbits/sec each), Net bandwidth is 1536 Kbits/sec.
Last module self-test (done at startup): results unretrievable
Last clearing of alarm counters 5d02h
  loss of signal        :    0,
  loss of frame         :    0,
  AIS alarm             :    0,
  Remote alarm          :    0,
  Module access errors  :    0,
Total Data (last 96 15 minute intervals):
  Failed to read total data
Failed to read current interval data

I've got a ticket open with TAC and service isn't interrupted, but I am curious if the experts on the list think this is a bad WIC or something else?

Thanks in advance,

Jeff

From amsoares at netcabo.pt Mon Nov 16 12:01:05 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 16 Nov 2009 17:01:05 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <480dad640911160819h5023a937h610607ae7a02052f@mail.gmail.com>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF23E5@spsrvmail03.nec.br> <1175087E65814145B873862D6AB00596@int.convex.pt> <9E07F8717FE8BC4FBAE6860F61EA6C1D02DF2427@spsrvmail03.nec.br> <58024F3C430E43B3AC381AEA154305D1@int.convex.pt> <480dad640911160819h5023a937h610607ae7a02052f@mail.gmail.com>

Thank you very much for this detailed troubleshooting procedure.

There was a command that gave me something:

sh control errors fab count

SLOT 6 :
CellDrop (lane0..3)    765    765    765    765

          CRC    CRC    CRC    CRC    CRC    LOS    LOS    LOS    LOS    LOS
Counter   XBAR0  XBAR1  XBAR2  XBAR3  XBAR4  XBAR0  XBAR1  XBAR2  XBAR3  XBAR4
Lane0     33601      0      0      0      0      0      0      0      0      0
Lane1     15058      0      0      0      0      0      0      0      0      0
Lane2      4509      0      0      0      0      0      0      0      0      0
Lane3      1619      0      0      0      0      0      0      0      0      0

So this once again points to something wrong with CSC0. I will replace it to see if the problem goes away.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

________________________________
From: Aaron [mailto:dudepron at gmail.com]
Sent: segunda-feira, 16 de Novembro de 2009 16:19
To: Antonio Soares
Cc: Leonardo Gama Souza; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FABRIC-3-ERR_HANDLE

It is normal to have a CSC in standby mode.
If something goes wrong with the other CSC, it takes over.

Step 1 - Gather data before making any changes

  term length 0   - so you don't have to hit enter
  show log
  show tech
  show monitor event-trace fab
  show monitor event-trace agent-ctrl
  show monitor event-trace board_mgr
  show monitor event-trace lci
  execute-on all show controllers fia        (x5 times or so)
  show controllers errors fabric counters    (x5 times or so)
  show controllers errors                    (x5 times or so)
  show controllers xbar                      (x5 times or so)
  show controllers sca                       (x5 times or so)
  show controllers clock
  show controllers fab-clk

Step 2 - Determine if the issue is with a single or multiple slots, including the RP slots

Step 3 - Check the location of the primary clock scheduler and whether both CSC are active (from show controllers clock) and the number of SFC. If only 1 CSC, troubleshoot the missing CSC first. Ensure that you will have 4 active fabric cards before OIRing a card, since line cards may go out of service due to lack of fabric BW.

Step 4 - CRC and LOS errors in control path from CSC to SFC cards

From show controllers xbar, on a 120XX chassis look at the Interrupt status field; on 124XX and 128XX, look at the Control LOS status and Control CRC error fields. If 0 then go to step 5.
Check to see which card is primary from show controllers clock and if both are present.
If incrementing and the error is on all fabric cards, then OIR the primary CSC.
If incrementing and the error is only on 1 fabric card, then OIR that fabric card.
If show controllers xbar does not show more errors, then the issue was seating, otherwise RMA the card.

Step 5 - CSC Clocking and Synchronization problems

From show controllers clock and show controllers errors (CLKSTS field).
Check to see which card is primary from show controllers clock.
If all the cards are using the primary clock (default is CSC_0), then go to step 6.
Cards not using the same clock must be in IOS RUN, RP ACTV or RP STBY; if not, go to step 6.
If multiple cards are not using the primary, OIR the primary CSC; if still, RMA the primary CSC.
If a single card is not using the primary, OIR the suspect card; if still, RMA the suspect card.

Step 6 - ToFab FIA Halt

If a syslog message or execute-on all show controllers fia shows errors:
If the RP has failed over and we have line cards also halted, then suspect the chassis or backplane.
If only a line card is halted, the router tries to recover several times; if it cannot recover, the RP resets the line card and runs additional tests. If the line card fails, then RMA the line card.

Step 7 - CRC and LOS errors between fabric cards and line cards/RPs

Errors are observed from show controller error (not useful on 120XX) and show controller errors fabric counters. The DAT_LOS (124XX and 128XX) and DAT_CRC (128XX only) identify the cards.
On a 120XX, the cause of errors from LC/RP to fabric can only be determined by removing 1 card at a time to see if the errors stop. Since the possibility is high that an in-use line card is the problem, start with the backbone facing cards first one at a time, then customer facing one at a time, then cards not in use one at a time.
If multiple cards show DAT_CRC and DAT_LOS errors, then the cause is most likely a fabric card, determined from the bitmap. Reseat the suspect card to see if errors continue. If so, RMA the card.
show controller errors fabric counters shows errors from the fabric. The bitmask will determine which one is suspect. Reset the suspect card to see if errors continue. If so, RMA the card.
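The counter block Antonio posted, read together with the last step of the procedure quoted above (the fabric-counters output shows errors seen from the fabric side, and the non-zero column identifies the suspect card), is something an operator ends up eyeballing repeatedly during an incident. The script below is an added example written for this archive page; it is not code from the thread, from Cisco, or from any of the posters. It parses a pasted `show controllers errors fabric counters` block, sums the CRC and LOS counters of each XBAR column over the four lanes of every slot, and applies that rule of thumb: one dirty XBAR column (reported by one or more slots) points at that fabric card, while a slot that is dirty on every XBAR is more likely the line card or its seating. The sample input is Antonio's slot 6 block plus a constructed, clean slot 2; the mapping of XBAR0 to CSC0 is the one the thread itself assumes and is not something the script verifies, and the "dirty on every XBAR means line card" branch is my reading of the posted procedure, not a Cisco rule.

```python
"""Triage helper for GSR 'show controllers errors fabric counters' output.

Added example for this archive page; not code from the cisco-nsp thread or
from Cisco.  Sums the per-lane CRC/LOS counters per XBAR column and applies
the rule of thumb quoted in the thread: these counters are errors seen from
the fabric side, so a single non-zero XBAR column points at that fabric
card, while a slot dirty on every XBAR is more likely the line card itself.
"""
import re
from collections import defaultdict

# Constructed sample: slot 6 is the block Antonio posted; slot 2 is a
# constructed, clean slot so the aggregation has something to compare.
SAMPLE = """\
SLOT 6 :
CellDrop (lane0..3) 765 765 765 765
          CRC    CRC    CRC    CRC    CRC    LOS    LOS    LOS    LOS    LOS
Counter   XBAR0  XBAR1  XBAR2  XBAR3  XBAR4  XBAR0  XBAR1  XBAR2  XBAR3  XBAR4
Lane0     33601      0      0      0      0      0      0      0      0      0
Lane1     15058      0      0      0      0      0      0      0      0      0
Lane2      4509      0      0      0      0      0      0      0      0      0
Lane3      1619      0      0      0      0      0      0      0      0      0
SLOT 2 :
CellDrop (lane0..3) 0 0 0 0
          CRC    CRC    CRC    CRC    CRC    LOS    LOS    LOS    LOS    LOS
Counter   XBAR0  XBAR1  XBAR2  XBAR3  XBAR4  XBAR0  XBAR1  XBAR2  XBAR3  XBAR4
Lane0         0      0      0      0      0      0      0      0      0      0
Lane1         0      0      0      0      0      0      0      0      0      0
Lane2         0      0      0      0      0      0      0      0      0      0
Lane3         0      0      0      0      0      0      0      0      0      0
"""

SLOT_RE = re.compile(r"^SLOT\s+(\d+)\s*:")
XBAR_RE = re.compile(r"^Counter\s+((?:XBAR\d+\s*)+)$")
LANE_RE = re.compile(r"^Lane(\d+)\s+([\d\s]+)$")


def parse_fabric_counters(text):
    """Return {slot: {"crc": {xbar: n}, "los": {xbar: n}, "celldrop": [...]}}
    with CRC/LOS summed over the lanes of each slot."""
    slots, cur, xbars = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            cur = int(m.group(1))
            slots[cur] = {"crc": defaultdict(int), "los": defaultdict(int),
                          "celldrop": []}
            xbars = []
            continue
        if cur is None:
            continue
        if line.startswith("CellDrop"):
            slots[cur]["celldrop"] = [int(v) for v in line.split()[2:]]
            continue
        m = XBAR_RE.match(line)
        if m:
            # the header lists the CRC columns first, then the same XBARs for LOS
            names = m.group(1).split()
            xbars = [int(n[len("XBAR"):]) for n in names[: len(names) // 2]]
            continue
        m = LANE_RE.match(line)
        if m and xbars:
            vals = [int(v) for v in m.group(2).split()]
            if len(vals) != 2 * len(xbars):
                raise ValueError(f"slot {cur} lane {m.group(1)}: bad column count")
            for i, x in enumerate(xbars):
                slots[cur]["crc"][x] += vals[i]
                slots[cur]["los"][x] += vals[len(xbars) + i]
    return slots


def suspect_fabric_cards(slots):
    """Return ({xbar: [slots seeing errors on it]}, [slots dirty on every XBAR])."""
    by_xbar, dirty_everywhere = defaultdict(list), []
    for slot in sorted(slots):
        d = slots[slot]
        bad = [x for x in sorted(d["crc"]) if d["crc"][x] or d["los"][x]]
        if bad and len(bad) == len(d["crc"]):
            dirty_everywhere.append(slot)   # every fabric path bad: look at the LC
            continue
        for x in bad:
            by_xbar[x].append(slot)
    return dict(by_xbar), dirty_everywhere


def report(text):
    """Human-readable triage lines, one per finding."""
    slots = parse_fabric_counters(text)
    by_xbar, dirty = suspect_fabric_cards(slots)
    out = []
    for x, reporters in sorted(by_xbar.items()):
        total = sum(slots[s]["crc"][x] + slots[s]["los"][x] for s in reporters)
        out.append(f"XBAR{x}: {total} CRC+LOS errors reported by slot(s) "
                   f"{reporters}; reseat that fabric card, RMA if it keeps climbing")
    for s in dirty:
        out.append(f"slot {s}: errors on every XBAR; suspect the line card or its seating")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

For the sample it produces a single finding for XBAR0 (54787 CRC errors over the four lanes of slot 6, no LOS), which is the conclusion Antonio drew by hand. Feed it several captures taken a few minutes apart, as Step 1 suggests, and compare the totals; a column that keeps climbing after a reseat is the RMA case, a column that stays flat was a seating problem. Collect the input from the RP rather than with execute-on over a fabric you already suspect, a point a later reply in this thread also makes.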
From pc.chiodi at gmail.com Mon Nov 16 12:06:50 2009
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Mon, 16 Nov 2009 09:06:50 -0800 (PST)
Subject: [c-nsp] routing with 2 upstreams issue
In-Reply-To: <7.0.1.0.2.20091116160625.0624b640@moov.mg>
References: <7.0.1.0.2.20091116160625.0624b640@moov.mg>
Message-ID: <8d284266-1b46-4ac6-a50b-1966e21b454d@s15g2000yqs.googlegroups.com>

Hi,

On Nov 16, 2:10 pm, RAZAFINDRATSIFA Rivo Tahina wrote:
> Hi All,
>
> I'm connected to 2 upstreams, is there any performance issue if
> upload from 192.168.1.0/24 is via upstream 1 but download for this
> class is from upstream 2 ?

I would be worried more about security issues than performance issues. If you have stateful firewalls or other stateful tools they may lose track of flows entering and exiting your network.

For example, you can find an overview of this topic here:
http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=5

bye

--
http://piercarlochiodi.tel

From sethm at rollernet.us Mon Nov 16 12:18:44 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 16 Nov 2009 09:18:44 -0800
Subject: [c-nsp] c3560 IPv6 and ACL
Message-ID: <4B018974.5080007@rollernet.us>

Primoz Jeroncic wrote:
> On Mon, 16 Nov 2009, Olof Kasselstrand wrote:
>
>> Hi,
>>
>> What happens if you drop the "host" keyword and add /128 to the host
>> address?
>
> Hi Olof
>
> Same thing. It doesn't matter if I add this as "host xxxxx" or as xxxx/128.
>

Not supported. Never will be. Here's why:

http://mailman.nanog.org/pipermail/nanog/2009-October/014101.html

Use EUI-64 or "fake" EUI-64 addressing on this platform.

~Seth

From jonas at bjorklund.cn Mon Nov 16 13:20:09 2009
From: jonas at bjorklund.cn (Jonas)
Date: Mon, 16 Nov 2009 19:20:09 +0100 (CET)
Subject: [c-nsp] SUP2 boot problem

Hello,

I'm trying to upgrade an old SUP2.
I can boot 12.1.27 from bootflash: without problem.
When I do reload from IOS with 12.2.18 and boot from disk0: it will give the error below and stay in rommon. disk0: is a 64MB flash disk.

System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 262144 Kbytes of main memory

Autoboot executing command: "boot disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Command error complete on disk0:
open: read error...requested 0x4 bytes, got 0xffffffff
trouble reading device magic number
loadprog: error - on file open
boot: cannot load "disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Exit at the end of BOOT string
rommon 1 >

When I do "reset" from rommon the SUP2 boots OK from the flash disk with 12.2.18. But not with reload inside IOS again. Any idea what can cause this?

/Jonas

From jared at puck.nether.net Mon Nov 16 13:31:29 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 16 Nov 2009 13:31:29 -0500
Subject: [c-nsp] SUP2 boot problem
Message-ID: <3EC97F92-E5BF-4B68-B50E-4CBA8F88186B@puck.nether.net>

Is that the latest rommon for sup2?

You may also want to make sure your MSFC2 has the latest rommon as well (assuming you have a MSFC2 in your sup2, which it would appear is the case). c6msfc2-rm2.srec.122-17r.S5 is that image.

You also want to check the monlib on the ata disk.

- Jared

On Nov 16, 2009, at 1:20 PM, Jonas wrote:

> Hello,
>
> I'm trying to upgrade an old SUP2.
> I can boot 12.1.27 from bootflash: without problem.
> When I do reload from IOS with 12.2.18 and boot from disk0: it will give the error below and stay in rommon. disk0: is a 64MB flash disk.
>
> System Bootstrap, Version 7.1(1)
> Copyright (c) 1994-2001 by cisco Systems, Inc.
> c6k_sup2 processor with 262144 Kbytes of main memory
>
> Autoboot executing command: "boot disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
> Command error complete on disk0:
> open: read error...requested 0x4 bytes, got 0xffffffff
> trouble reading device magic number
> loadprog: error - on file open
> boot: cannot load "disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
> Exit at the end of BOOT string
> rommon 1 >
>
> When I do "reset" from rommon the SUP2 boots OK from the flash disk with 12.2.18. But not with reload inside IOS again. Any idea what can cause this?
>
> /Jonas

From drew.weaver at thenap.com Mon Nov 16 13:36:10 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 16 Nov 2009 13:36:10 -0500
Subject: [c-nsp] Engine 5 link bonding support.

Hi,

I have a 12810 w/ 12.0(32)SY10 and I am unable to add gigabit ethernet interfaces from my SPA-10X1GE-V2 to a port channel.

I guess I just assumed incorrectly that since it was a newer image it should work.

Which image should I use that has all of the same features as 12.0(32)SY10 but will allow link bonding with E5 interfaces?

On the feature navigator it says that 12.0(32)SY10 supports link bonding.

thanks,
-Drew

From cchurc05 at harris.com Mon Nov 16 13:44:25 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 16 Nov 2009 13:44:25 -0500
Subject: [c-nsp] SUP2 boot problem
Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B5E2CD1@MLBMXUS2.cs.myharris.net>

I think you'll get that kind of behavior if the flash card was formatted under CatOS. Get it booted into native IOS 12.2, then format the card under IOS, and re-copy the image to it.
If it's formatted correctly, you should see some monlib info listed mentioning the version it was formatted under, etc.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jonas
Sent: Monday, November 16, 2009 1:20 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SUP2 boot problem

Hello,

I'm trying to upgrade an old SUP2.
I can boot 12.1.27 from bootflash: without problem.
When I do reload from IOS with 12.2.18 and boot from disk0: it will give the error below and stay in rommon. disk0: is a 64MB flash disk.

System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 262144 Kbytes of main memory

Autoboot executing command: "boot disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Command error complete on disk0:
open: read error...requested 0x4 bytes, got 0xffffffff
trouble reading device magic number
loadprog: error - on file open
boot: cannot load "disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Exit at the end of BOOT string
rommon 1 >

When I do "reset" from rommon the SUP2 boots OK from the flash disk with 12.2.18. But not with reload inside IOS again. Any idea what can cause this?

/Jonas

From cchurc05 at harris.com Mon Nov 16 13:48:00 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 16 Nov 2009 13:48:00 -0500
Subject: [c-nsp] SUP2 boot problem
Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B5E2CDA@MLBMXUS2.cs.myharris.net>

Forgot to mention, 'sh flash all' will show you the monlib stuff.
Chuck

-----Original Message-----
From: Church, Charles
Sent: Monday, November 16, 2009 1:44 PM
To: 'Jonas'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] SUP2 boot problem

I think you'll get that kind of behavior if the flash card was formatted under CatOS. Get it booted into native IOS 12.2, then format the card under IOS, and re-copy the image to it. If it's formatted correctly, you should see some monlib info listed mentioning the version it was formatted under, etc.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jonas
Sent: Monday, November 16, 2009 1:20 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SUP2 boot problem

Hello,

I'm trying to upgrade an old SUP2.
I can boot 12.1.27 from bootflash: without problem.
When I do reload from IOS with 12.2.18 and boot from disk0: it will give the error below and stay in rommon. disk0: is a 64MB flash disk.

System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 262144 Kbytes of main memory

Autoboot executing command: "boot disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Command error complete on disk0:
open: read error...requested 0x4 bytes, got 0xffffffff
trouble reading device magic number
loadprog: error - on file open
boot: cannot load "disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Exit at the end of BOOT string
rommon 1 >

When I do "reset" from rommon the SUP2 boots OK from the flash disk with 12.2.18. But not with reload inside IOS again. Any idea what can cause this?
/Jonas

From gtb at slac.stanford.edu Mon Nov 16 13:57:49 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Mon, 16 Nov 2009 10:57:49 -0800
Subject: [c-nsp] SUP2 boot problem
Message-ID: <6F51B50ECF32084788B9B3A8469A71B52916559D5E@EXCHCLUSTER1-02.win.slac.stanford.edu>

> Autoboot executing command: "boot
> disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
> Command error complete on disk0:
> open: read error...requested 0x4 bytes, got 0xffffffff
> trouble reading device magic number
> loadprog: error - on file open
> boot: cannot load "disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
> Exit at the end of BOOT string

You should check to be sure that the monlib is correct, but my recollection is that the "trouble reading device magic number" error is often the result of a particular PCMCIA flash disk having "different" timings than Cisco supports in the bootstrap program. I also recall that even some Cisco branded cards were field notice recalled for the same problem. The "challenge" is that not all SUP2's will exhibit the same problem with the same cards, and even those that fail booting will almost always work when you boot to IOS (which, presumably, uses different timings for accessing the flash disks.)

So, you might try swapping in another PCMCIA card to see if that works for you. You may need to try a few different vendors. The ones that I have found that tend to work are 64MB SANDISK and 48MB VIKING cards, but I am sure there are other variants; those are just the ones that worked for me (and that is where I stopped experimenting).
Gary

From eninja at gmail.com Mon Nov 16 14:07:18 2009
From: eninja at gmail.com (e ninja)
Date: Mon, 16 Nov 2009 11:07:18 -0800
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>

Antonio,

You should *never* troubleshoot fabric errors with *any* exec-on commands. They run over the fabric that may or may not be compromised.

1. Are any other LCs apart from slot 6 reporting CRC errors?
2. Grab two "sh contr fia" from the RP and an attach to all the LCs and send them over.

Eninja

On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares wrote:
> Hello group,
>
> I have a 12k reporting this:
>
> %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6
>
> In one week, I have 4 of these messages.
>
> Slot 6 is a SIP-601 containing 2 x SPA-10G.
>
> What could be the problem ?
>
> The "show controllers fia" does not show any problem.
>
> The "execute-on slot 6 show controllers fia" shows this:
>
> Switch cards present:   0x1F
> Switch cards monitored: 0x1F
>                   0         1         2         3         4
>             --------  --------  --------  --------  --------
> los                0         0         0         0         0
> state            Off       Off       Off       Off       Off
> crc16          53989         0         0         0         0
> xor error          0         0         0         0
> cell drops      1020      1020      1020      1020
>
> IOS=c12kprp-p-mz.120-32.SY6.bin
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt

From swmike at swm.pp.se Mon Nov 16 14:19:44 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 16 Nov 2009 20:19:44 +0100 (CET)
Subject: [c-nsp] Engine 5 link bonding support.

On Mon, 16 Nov 2009, Drew Weaver wrote:

> On the feature navigator it says that 12.0(32)SY10 supports link
> bonding.

It does on all non-E5 linecards, just not E5.
For E5, you have to go to 33S.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From petelists at templin.org  Mon Nov 16 13:55:16 2009
From: petelists at templin.org (Pete Templin)
Date: Mon, 16 Nov 2009 12:55:16 -0600
Subject: [c-nsp] SUP2 boot problem
In-Reply-To:
References:
Message-ID: <4B01A014.5050802@templin.org>

Jonas wrote:
> Hello,
>
> I'm trying to upgrade an old SUP2.
> I can boot 12.1.27 from bootflash: without problem.
> When I do reload from IOS with 12.2.18 and boot from disk0: it will give
> the error below and stay in rommon. disk0: is a 64MB flash disk.

Is your 12.1.27 image a hybrid image or native image? You probably need to boot into some sort of native image, then format disk0: and TFTP your IOS image onto the disk0:. It needs to be formatted from within IOS (and presumably native IOS) to be readable at boot time, AFAIK.

Pete (who just did some native conversions last week)

From oboehmer at cisco.com  Mon Nov 16 14:50:53 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 16 Nov 2009 20:50:53 +0100
Subject: [c-nsp] Engine 5 link bonding support.
In-Reply-To:
References:
Message-ID: <6E4D2678AC543844917CA081C9D6B33FAE03E7@XMB-AMS-103.cisco.com>

>
> I have a 12810 /w 12.0(32)SY10 and I am unable to add gigabit ethernet
> interfaces from my SPA-10X1GE-V2 to a port channel.
>
> I guess I just assumed incorrectly that since it was a newer image it should
> work.
>
> Which image should I use that has all of the same features as 12.0(32)SY10
> but will allow link bonding with E5 interfaces?

you need 12.0(33)S or later, which introduced link bundling on Engine 5 interfaces. Please check the feature documentation at http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lnkbndl.html for reference and restrictions/caveats..
oli

From clane1875 at gmail.com  Mon Nov 16 16:14:33 2009
From: clane1875 at gmail.com (Chris Lane)
Date: Mon, 16 Nov 2009 16:14:33 -0500
Subject: [c-nsp] 3750 High cpu
Message-ID: <2e1cd850911161314m73648331n2dec465ae3bbe36a@mail.gmail.com>

Not sure what Adjust regions is. After a google search nothing turns up. here is my cpu output:

sh proc cpu sorted | e 0.00
CPU utilization for five seconds: 72%/49%; one minute: 69%; five minutes: 69%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  56  1458890966   8848611     164876  7.50%  4.92%  4.59%   0 Adjust Regions

Following another thread suggested looking at mac address table:

sh mac-address-table count | i Space
Total Mac Address Space Available: 4968
--
sh platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       784/6272         81/582
 IPv4 IGMP groups + multicast routes:         144/1152          6/26
 IPv4 unicast directly-connected routes:      784/6272         81/582
 IPv4 unicast indirectly-connected routes:    272/2176        146/1072
 IPv4 policy based routing aces:                0/0             0/0
 IPv4 qos aces:                               528/528          18/18
 IPv4 security aces:                         1024/1024         57/57

Note: Allocation of TCAM entries per feature uses a complex algorithm. The above information is meant to provide an abstract view of the current TCAM utilization

Any help would be appreciated

Chris
//CL

From mulitskiy at acedsl.com  Mon Nov 16 16:43:59 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Mon, 16 Nov 2009 16:43:59 -0500
Subject: [c-nsp] c6500: traffic routed to Null0 is seen in SPAN as CPU traffic
Message-ID: <200911161644.00031.mulitskiy@acedsl.com>

Hello,

I have the following hardware/software: 6509, SUP32, 12.2(33)SXH4.
Here's the story. I was doing CPU traffic profiling for CoPP.
I've created CoPP with class-default basically measuring traffic, but not limiting it:

policy-map CPP-IN
 class class-default
  police 256000 conform-action transmit exceed-action transmit

To my surprise I saw about 20M of traffic in CoPP class-default, most in hardware counters:

CORE1#sh policy-map control-plane input class class-default
 Control Plane Interface
  Service-policy input: CPP-IN
    Hardware Counters:
    class-map: class-default (match-any)
      Match: any
      police :
        256000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        106459028196 bytes
        5 minute offered rate 17580264 bps
        aggregate-forwarded 106459028196 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 16774272 bps exceed 0 bps
    Software Counters:
    Class-map: class-default (match-any)
      3242699 packets, 201814640 bytes
      5 minute offered rate 10000 bps, drop rate 0 bps
      Match: any
        3242700 packets, 201814640 bytes
        5 minute rate 10000 bps
      police:
          cir 256000 bps, bc 8000 bytes
        conformed 3243173 packets, 201843118 bytes; actions:
          transmit
        exceeded 19 packets, 1140 bytes; actions:
          transmit
        conformed 9000 bps, exceed 0 bps

Then I've enabled local SPAN session with RP CPU as a source. Here's the config:

interface Null0
 no ip unreachables
!
monitor session 1 type local
 source cpu rp tx
 destination interface Fa3/7 ingress learning
!
ip route 10.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0

Again to my surprise when I'm running tcpdump on the machine attached to Fa3/7 I see traffic to those null-routed subnets. I always thought that null-routed traffic on a hardware platform shouldn't hit CPU. There's no CPU problem on this box. The box is forwarding about 200M of traffic with CPU normally staying at 5%. So I wonder if this is just cosmetic as I think I would definitely see more CPU usage on SUP32 if it really handled about 20M of traffic in software.
Has anybody seen it?
Any ideas?

Thanks,
Michael

From andy.saykao at staff.netspace.net.au  Mon Nov 16 17:48:04 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 17 Nov 2009 09:48:04 +1100
Subject: [c-nsp] Can not establish MP-BGP sessions
References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au> <56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au> <480dad640911160809u681057f5hb714468412ad0067@mail.gmail.com>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF22@vic-cr-ex1.staff.netspace.net.au>

P1=7301 and the other end P2=7606. The PE's are 7301 running 12.2(31)SB13

Odd thing is that it was all working prior to switching across to our new switched ethernet circuit.

________________________________
From: Aaron [mailto:dudepron at gmail.com]
Sent: Tuesday, 17 November 2009 3:10 AM
To: Andy Saykao
Cc: Alex; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Can not establish MP-BGP sessions

What is the HW on both ends? Possible one has a bug that is causing headaches.

On Mon, Nov 16, 2009 at 08:51, Andy Saykao wrote:

Hi Alex,

1/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - I can not ping from PE2 > PE1 BUT I can ping from PE1 > PE2. That's my real problem why MP-BGP won't come up bc I don't seem to have two way comms bt PE routers' BGP update-source lo99 address.

POP1 [PE1 (lo99:172.16.99.13) --> P1 ] --switched ethernet--> POP2 [P2 --> PE2 (lo99:172.16.99.4)]

Eg: Ping PE1 > PE2 (OK!)

PE1#ping 172.16.99.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

Eg: Ping PE2 > PE1 (NOT OK!)

PE2#ping 172.16.99.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Ping PE2 > P1 (OK!)
Ping P2 > P1 (OK!)
*** Seems like I can't get any traffic/labels beyond P1 to get to PE1.***

Forwarding table entry for PE1(lo99) looks ok on P1.

P1#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
8668   Pop Label   172.16.99.13/32   158269119     Gi0/0.152  203.17.102.113

2/ When "mpls ip" is ON on both Gi4/0/1 and Gi0/2 - BGP does not come up.

PE1#sh ip bgp vpnv4 all summary
BGP router identifier 203.17.101.20, local AS number 4854
BGP table version is 11983, main routing table version 11983
15 network entries using 2115 bytes of memory
15 path entries using 1020 bytes of memory
6/3 BGP path/bestpath attribute entries using 840 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP community entries using 24 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4119 total bytes of memory
BGP activity 1539/1500 prefixes, 6326/6263 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.99.4     4  4854  147048  148587        0    0    0 06:48:13 Active
172.16.99.5     4  4854  147196  148642        0    0    0 06:48:08 Active
172.16.99.7     4  4854  147468  148593        0    0    0 06:48:16 Active
172.16.99.9     4  4854  146473  148502        0    0    0 06:48:01 Active
172.16.99.14    4  4854  147066  149123    11983    0    0 10:43:13        7
172.16.99.16    4  4854  146464  148574        0    0    0 06:47:52 Active
172.16.99.19    4  4854  149509  151673    11983    0    0 10:43:59        5
172.16.99.20    4  4854  149448  151672    11983    0    0 10:43:58        2

If I disable "mpls ip" on either Gi4/0/1 and Gi0/2, BGP does come up but of course I have no mpls vpn traffic because those links are no longer mpls enabled.

Note that all Active BGP peers are PE devices which sit on the POP2 side. So all BGP peers on POP1 can establish BGP sessions with each other but not to BGP peers at POP2.
Likewise PE's at POP2 can establish BGP sessions with each other and not with PE's located at POP1.

The forwarding table from PE2 > P2 > P1 looks ok - so not sure why you can't ping PE2 > PE1.

PE2#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
617    3034        172.16.99.13/32   0             Gi0/0.11   203.10.110.211

P2#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
3034   8668        172.16.99.13/32   1582342       Gi4/0/1    203.17.96.97

P1#sh mpls forwarding-table 172.16.99.13 32
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
8668   Pop Label   172.16.99.13/32   158253163     Gi0/0.152  203.17.102.113

The fact that PE's at POP2 can not communicate with PE's at POP1 is why I think BGP isn't coming up between PE1 and PE2. I don't know why mpls traffic/labels are not being swapped and forwarded beyond P1 to reach PE1. MPLS config, ldp, mpls forwarding table and bindings all look ok to me - any ideas???

Like I said we haven't changed any config except moving from our existing circuit to a new protected switched ethernet circuit.

Thanks.

Andy

-----Original Message-----
From: Alex [mailto:ecralar at hotmail.com]
Sent: Monday, 16 November 2009 5:52 PM
To: Andy Saykao; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Can not establish MP-BGP sessions

Hi Andy,

Couple of questions:

1/ Can you ping between PE1 and PE2 _loopbacks_ across the circuit when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?

2/ Can you establish BGP session between _interface_ addresses when "mpls ip" is ON on both Gi4/0/1 and Gi0/2?
Rgds
Alex

--------------------------------------------------
From: "Andy Saykao"
Date: 16 November 2009 04:31
To:
Subject: [c-nsp] Can not establish MP-BGP sessions

> Hi All,
>
> We migrated a link between two pops onto a Switched Ethernet circuit
> and since then we can't pass MPLS VPN traffic between those two pops
> from
> PE1 to PE2 because PE1 and PE2 can not establish a MP-BGP session.
>
> -------------------------
> BGP log on PE1:
> -------------------------
> Nov 16 14:26:48.693 AEDT: %BGP-5-ADJCHANGE: neighbor 172.16.99.4 Down
> BGP Notification sent
> Nov 16 14:26:48.693 AEDT: %BGP-3-NOTIFICATION: sent to neighbor
> 172.16.99.4 4/0 (hold time expired) 0 bytes
>
> -------------------------
> Topology:
> -------------------------
> POP1 [PE1 (lo99:172.16.99.13) --- Switched Ethernet --> P1 ] --> POP2
> [P2 --> PE2 (lo99:172.16.99.4)]
>
> -------------------------
> P1:
> -------------------------
> interface GigabitEthernet4/0/1
>  description Connection to P2
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  negotiation auto
>  mpls ip
>
> -------------------------
> P2:
> -------------------------
> interface GigabitEthernet0/2
>  description Connection to P1
>  bandwidth 150000
>  ip address 203.17.96.x 255.255.255.252
>  load-interval 30
>  media-type gbic
>  speed auto
>  duplex auto
>  negotiation auto
>  mpls ip
>
> Interesting thing to note is that if I remove "mpls ip" from P1's
> interface, the MP-BGP sessions are formed between PE1 and PE2 and stay
> up. When I put "mpls ip" back on the interface, the MP-BGP session
> times out with the error message in the BGP log above.
>
> The only thing that has changed is the introduction of the new
> Switched Ethernet circuit. I was thinking that it might have something
> to do with jumbo frames but our UpStream Providers tells me that they
> have configured jumbo frames on either end of the link plus I can ping
> end from P1 to P2 with byte sizes larger than 8000 bytes.
>
> Has anyone got any ideas as to why the MP-BGP sessions all of a sudden
> can no longer stay up and what further debug/troubleshooting I can do?
>
> Thanks.
>
> Andy
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are addressed.
> Please notify the sender immediately by email if you have received
> this email by mistake and delete this email from your system. Please
> note that any views or opinions presented in this email are solely
> those of the author and do not necessarily represent those of the organisation.
> Finally, the recipient should check this email and any attachments for
> the presence of viruses. The organisation accepts no liability for any
> damage caused by any virus transmitted by this email.
>
From jared at puck.nether.net  Mon Nov 16 18:11:09 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 16 Nov 2009 18:11:09 -0500
Subject: [c-nsp] how not to write a release note
Message-ID: <20091116231109.GA74400@puck.nether.net>

Seems cisco is getting lazy.. SXI3 is out and this has to be one of the worst release notes ever:

CSCta14457 - A Cisco device may report alignment errors
"%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.

Does not say anything about what may trigger it, eg: mtu, packet fragmentation, etc..

- Jared

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From ras at e-gerbil.net  Mon Nov 16 18:34:02 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 16 Nov 2009 17:34:02 -0600
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116231109.GA74400@puck.nether.net>
References: <20091116231109.GA74400@puck.nether.net>
Message-ID: <20091116233402.GY51443@gerbil.cluepon.net>

On Mon, Nov 16, 2009 at 06:11:09PM -0500, Jared Mauch wrote:
>
> Seems cisco is getting lazy.. SXI3 is out and this has to be
> one of the worst release notes ever:
>
> CSCta14457 - A Cisco device may report alignment errors
> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.
>
> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..

Still not as funny as this one:

CSCso05336

Symptoms: A Cisco 1811 router reloads when trying to connect to irc.freenode.net during the first 36 hours following a reload.

Conditions: The symptom is observed only in the first 36 hours following a reload.

Workaround: Do not connect to irc.freenode.net the first 36 hours following a reload.
We really need a wall of shame website where people can submit the true gems. :)

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From reuben-cisco-nsp at reub.net  Mon Nov 16 18:27:27 2009
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Tue, 17 Nov 2009 10:27:27 +1100
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116231109.GA74400@puck.nether.net>
References: <20091116231109.GA74400@puck.nether.net>
Message-ID: <4B01DFDF.2070504@reub.net>

Well there's always this one, for a laugh:

CSCso05336

Symptoms: A Cisco 1811 router reloads when trying to connect to irc.freenode.net during the first 36 hours following a reload.

Conditions: The symptom is observed only in the first 36 hours following a reload.

Workaround: Do not connect to irc.freenode.net the first 36 hours following a reload.

I thought that was a joke, but it's not..

Reuben

On 17/11/2009 10:11 AM, Jared Mauch wrote:
> Seems cisco is getting lazy.. SXI3 is out and this has to be
> one of the worst release notes ever:
>
> CSCta14457 - A Cisco device may report alignment errors
> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.
>
> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..
>
> - Jared
>

From Michael.Balasko at cityofhenderson.com  Mon Nov 16 19:49:08 2009
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Mon, 16 Nov 2009 16:49:08 -0800
Subject: [c-nsp] OT: RE: how not to write a release note
In-Reply-To: <20091116233402.GY51443@gerbil.cluepon.net>
References: <20091116231109.GA74400@puck.nether.net> <20091116233402.GY51443@gerbil.cluepon.net>
Message-ID: <9AF22D15085E7D409ED5710CBC779E930A31BA@COHNTCS09.ci.henderson.nv.us>

Create a node on everything2.com like this one....
http://www.everything2.com/title/support.microsoft.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richard A Steenbergen
Sent: Monday, November 16, 2009 3:34 PM
To: Jared Mauch
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] how not to write a release note

On Mon, Nov 16, 2009 at 06:11:09PM -0500, Jared Mauch wrote:
>
> Seems cisco is getting lazy.. SXI3 is out and this has to be
> one of the worst release notes ever:
>
> CSCta14457 - A Cisco device may report alignment errors
> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.
>
> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..

Still not as funny as this one:

CSCso05336

Symptoms: A Cisco 1811 router reloads when trying to connect to irc.freenode.net during the first 36 hours following a reload.

Conditions: The symptom is observed only in the first 36 hours following a reload.

Workaround: Do not connect to irc.freenode.net the first 36 hours following a reload.

We really need a wall of shame website where people can submit the true gems.
:)

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From newton at atdot.dotat.org  Mon Nov 16 20:52:39 2009
From: newton at atdot.dotat.org (Mark Newton)
Date: Tue, 17 Nov 2009 12:22:39 +1030
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116233402.GY51443@gerbil.cluepon.net>
References: <20091116231109.GA74400@puck.nether.net> <20091116233402.GY51443@gerbil.cluepon.net>
Message-ID: <261B798C-EE02-4E02-878A-847AD3D2612B@atdot.dotat.org>

On 17/11/2009, at 10:04 AM, Richard A Steenbergen wrote:

> On Mon, Nov 16, 2009 at 06:11:09PM -0500, Jared Mauch wrote:
>> CSCta14457 - A Cisco device may report alignment errors
>> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.
>>
>> Does not say anything about what may trigger it, eg: mtu,
>> packet fragmentation, etc..
>
> Still not as funny as this one:
>
> CSCso05336

My favourite is this, from the (disastrous) 7401ASR platform:

CSCdy18641

Symptoms
A router may reload unexpectedly when a Layer 2 Tunneling Protocol (L2TP) connection is established.

Conditions
This symptom is observed on a Cisco 7401ASR router that is used as a Layer 2 Tunneling Protocol (L2TP) network server (LNS).

Workaround
There is no workaround.

This one was particularly notable because when Cisco originally started pimping the 7401 they said that one of the specific roles it had been designed for was "Broadband aggregation" with "Intelligent L2TP tunneling support."

http://www.cisco.com/en/US/products/hw/routers/ps354/products_quick_reference_guide09186a0080091fd1.html

I don't think they were ever actually useful for any role at all.
The only way I ever managed to get them to work reliably was to turn off PXF, which totally killed their performance.

Worst platform ever.

- mark

--------------------------------------------------------------------
I tried an internal modem,                newton at atdot.dotat.org
     but it hurt when I walked.                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From andy.saykao at staff.netspace.net.au  Tue Nov 17 00:21:15 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 17 Nov 2009 16:21:15 +1100
Subject: [c-nsp] Can not establish MP-BGP sessions
References: <56F211C5E3F24F47B103EA1B253822BE044AAF1E@vic-cr-ex1.staff.netspace.net.au> <56F211C5E3F24F47B103EA1B253822BE044AAF1F@vic-cr-ex1.staff.netspace.net.au> <480dad640911160809u681057f5hb714468412ad0067@mail.gmail.com>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF34@vic-cr-ex1.staff.netspace.net.au>

This has been resolved. Thanks for everyone's help.

Turns out it was something within our Provider's network which does the backhaul for us that had some mac-access group configured on their switch and was blocking the PE's loopbacks from communicating with each other.
From andy.saykao at staff.netspace.net.au  Tue Nov 17 02:03:34 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 17 Nov 2009 18:03:34 +1100
Subject: [c-nsp] debug mpls packet
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au>

Hi All,

Does anyone know what the middle number represents in a "debug mpls packet" ( eg: {7963 6 254} )?
I can't find this information anywhere.

router#debug mpls packet gigabitEthernet 0/2
Packet debugging is on on idb GigabitEthernet0/2
router#
Nov 17 16:26:07.670 AEDT: MPLS turbo: Gi0/2: rx: Len 97 Stack {7963 6 254} - ipv4 data
Nov 17 16:26:08.442 AEDT: MPLS turbo: Gi0/2: rx: Len 78 Stack {7963 6 254} - ipv4 data
Nov 17 16:26:11.882 AEDT: MPLS turbo: Gi0/2: rx: Len 82 Stack {18 0 254} {2750 0 255} - ipv4 data
Nov 17 16:26:11.882 AEDT: MPLS turbo: Gi0/1: tx: Len 82 Stack {8878 0 253} {2750 0 255} - ipv4 data

{7963 6 254}

7693 = Label
6 = ???
254 = I presume is the TTL

What does the 6 represent?? In the other label, it's a ZERO instead {18 0 254} .

Thanks.

Andy
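As an added example (not part of the thread), here is a decoder for RFC 3032 label stack entries that prints them in the `{label exp ttl}` form of the debug lines above, and a check of the question that follows: since a label entry directly followed by "ipv4 data" must carry the bottom-of-stack bit, a middle number that combined EXP and S would always be odd for the last entry, so the even values in the output rule that reading out. The sample stacks are constructed from the values in the debug output.

```python
# Added example, not from the thread: encode/decode RFC 3032 label stack
# entries (label 20 bits | EXP 3 bits | S 1 bit | TTL 8 bits) and render
# them the way "debug mpls packet" prints them: {label exp ttl}.
import re
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LabelEntry:
    label: int  # 20-bit label value
    exp: int    # 3-bit EXP field (renamed "Traffic Class" by RFC 5462)
    bos: int    # 1-bit bottom-of-stack flag (S)
    ttl: int    # 8-bit time to live


def encode_entry(e: LabelEntry) -> bytes:
    """Pack one 32-bit label stack entry, network byte order."""
    if not (0 <= e.label < 1 << 20 and 0 <= e.exp < 8
            and e.bos in (0, 1) and 0 <= e.ttl < 256):
        raise ValueError("field out of range: %r" % (e,))
    word = (e.label << 12) | (e.exp << 9) | (e.bos << 8) | e.ttl
    return struct.pack("!I", word)


def encode_stack(entries: List[Tuple[int, int, int]]) -> bytes:
    """Build a label stack from (label, exp, ttl) tuples, top entry first.
    The S bit is derived: only the last entry is bottom of stack."""
    out = b""
    for i, (label, exp, ttl) in enumerate(entries):
        bos = int(i == len(entries) - 1)
        out += encode_entry(LabelEntry(label, exp, bos, ttl))
    return out


def decode_stack(data: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Walk 4-byte entries until the S bit is set; return entries + payload.
    Input that runs out before an S=1 entry is malformed and is rejected
    rather than read past the end of the buffer."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack truncated: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, off)
        e = LabelEntry(word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF)
        entries.append(e)
        off += 4
        if e.bos:
            return entries, data[off:]


def payload_kind(payload: bytes) -> str:
    """Label the payload the way the debug line does, from the IP version nibble."""
    if payload and payload[0] >> 4 == 4:
        return "ipv4 data"
    if payload and payload[0] >> 4 == 6:
        return "ipv6 data"
    return "unknown data"


def render_ios(entries: List[LabelEntry], payload: bytes = b"") -> str:
    """Render as the debug output does: {label exp ttl} per entry, top first."""
    stack = " ".join("{%d %d %d}" % (e.label, e.exp, e.ttl) for e in entries)
    return "Stack %s - %s" % (stack, payload_kind(payload))


def combined_exp_s_possible(printed: str) -> bool:
    """Test the hypothesis that the printed middle number is (EXP << 1) | S.
    Takes a printed stack such as '{18 0 254} {2750 0 255}'. Under that
    hypothesis the last entry must be odd (S=1) and every earlier entry
    even (S=0); a stack violating this refutes the combined reading."""
    groups = re.findall(r"\{(\d+) (\d+) (\d+)\}", printed)
    if not groups:
        raise ValueError("no label entries found in %r" % printed)
    middles = [int(g[1]) for g in groups]
    return all(m % 2 == 0 for m in middles[:-1]) and middles[-1] % 2 == 1


if __name__ == "__main__":
    # Constructed sample: the two-label stack from the debug output, followed
    # by the first byte of an IPv4 header (version 4, IHL 5).
    wire = encode_stack([(18, 0, 254), (2750, 0, 255)]) + b"\x45\x00"
    entries, payload = decode_stack(wire)
    print(wire.hex())
    print(render_ios(entries, payload))
    for shown in ("{7963 6 254}", "{18 0 254} {2750 0 255}"):
        print(shown, "consistent with EXP+S combined:", combined_exp_s_possible(shown))
```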
From oboehmer at cisco.com  Tue Nov 17 02:25:15 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 17 Nov 2009 08:25:15 +0100
Subject: [c-nsp] debug mpls packet
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com>

>
> Does anyone know what the middle number represents in a "debug mpls
> packet" ( eg: {7963 6 254} )?
> I can't find this information anywhere.
>
> 7693 = Label
> 6 = ???
> 254 = I presume is the TTL
>
> What does the 6 represent??

it's the EXP value. you're right about the last being the TTL.

oli

From bandwidth.user at gmail.com  Tue Nov 17 02:43:32 2009
From: bandwidth.user at gmail.com (roy)
Date: Tue, 17 Nov 2009 15:43:32 +0800
Subject: [c-nsp] debug mpls packet
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com>
Message-ID: <4B025424.2030104@gmail.com>

Oliver Boehmer (oboehmer) wrote:
>> Does anyone know what the middle number represents in a "debug mpls
>> packet" ( eg: {7963 6 254} )?
>> I can't find this information anywhere.
>>
>> 7693 = Label
>> 6 = ???
>> 254 = I presume is the TTL
>>
>> What does the 6 represent??
>
> it's the EXP value. you're right about the last being the TTL.
>
> oli

Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
Roy

From oboehmer at cisco.com  Tue Nov 17 02:49:39 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 17 Nov 2009 08:49:39 +0100
Subject: [c-nsp] debug mpls packet
In-Reply-To: <4B025424.2030104@gmail.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com>

> >> Does anyone know what the middle number represents in a "debug mpls
> >> packet" ( eg: {7963 6 254} )?
> >> I can't find this information anywhere.
> >>
> >> 7693 = Label
> >> 6 = ???
> >> 254 = I presume is the TTL
> >>
> >> What does the 6 represent??
> >
> > it's the EXP value. you're right about the last being the TTL.
> >
> > oli
>
> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?

Hmm, why do you think so? Looking at the code, it only prints the 3 exp. bits.

oli

From bandwidth.user at gmail.com  Tue Nov 17 03:05:32 2009
From: bandwidth.user at gmail.com (roy)
Date: Tue, 17 Nov 2009 16:05:32 +0800
Subject: [c-nsp] debug mpls packet
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com>
Message-ID: <4B02594C.8010004@gmail.com>

Oliver Boehmer (oboehmer) wrote:
>>>> Does anyone know what the middle number represents in a "debug mpls
>>>> packet" ( eg: {7963 6 254} )?
>>>> I can't find this information anywhere.
>>>>
>>>> 7693 = Label
>>>> 6 = ???
>>>> 254 = I presume is the TTL
>>>>
>>>> What does the 6 represent??
>>> it's the EXP value. you're right about the last being the TTL.
>>>
>>> oli
>> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
>
> Hmm, why do you think so?
> Looking at the code, it only prints the 3 exp.
> bits.

Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into one value.

Roy

From avayner at cisco.com  Tue Nov 17 03:11:28 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 17 Nov 2009 09:11:28 +0100
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116231109.GA74400@puck.nether.net>
References: <20091116231109.GA74400@puck.nether.net>
Message-ID:

Jared,

I took a quick look and this has to do with QOS. I have sent an internal query for more info. Will advise.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
Sent: Tuesday, November 17, 2009 01:11
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] how not to write a release note

Seems cisco is getting lazy.. SXI3 is out and this has to be one of the worst release notes ever:

CSCta14457 - A Cisco device may report alignment errors
"%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.

Does not say anything about what may trigger it, eg: mtu, packet fragmentation, etc..

- Jared

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
From bandwidth.user at gmail.com  Tue Nov 17 03:19:21 2009
From: bandwidth.user at gmail.com (roy)
Date: Tue, 17 Nov 2009 16:19:21 +0800
Subject: [c-nsp] debug mpls packet
In-Reply-To: <4B02594C.8010004@gmail.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com> <4B02594C.8010004@gmail.com>
Message-ID: <4B025C89.8090705@gmail.com>

roy wrote:
> Oliver Boehmer (oboehmer) wrote:
>>>>> Does anyone know what the middle number represents in a "debug mpls
>>>>> packet" ( eg: {7963 6 254} )?
>>>>> I can't find this information anywhere.
>>>>>
>>>>> 7693 = Label
>>>>> 6 = ???
>>>>> 254 = I presume is the TTL
>>>>>
>>>>> What does the 6 represent??
>>>> it's the EXP value. you're right about the last being the TTL.
>>>>
>>>> oli
>>> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
>>
>> Hmm, why do you think so? Looking at the code, it only prints the 3 exp.
>> bits.
>
> Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into
> one value.

Referring to EXP/CoS + S, that is.

Roy

From p.mayers at imperial.ac.uk  Tue Nov 17 03:47:01 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 17 Nov 2009 08:47:01 +0000
Subject: [c-nsp] SXI3 / rogue DHCP feature?
Message-ID: <4B026305.3000203@imperial.ac.uk>

Hmm:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb87454

"""
Symptom:
This bug deals with a feature requested by customer. Customer wants to send DHCPDISCOVER probes on untrusted ports to detect the Rogue DHCP Servers.
"""

Yet the release notes list "no new features".
Shame; it's an interesting-sounding idea!

From asturluismi at gmail.com  Tue Nov 17 04:31:00 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 17 Nov 2009 10:31:00 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091115191936.GP163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de>
Message-ID: <1258450260.31116.0.camel@hal9000>

Did you try it?

On Sun, 15-11-2009 at 20:19 +0100, Gert Doering wrote:
> Hi,
>
> On Sun, Nov 15, 2009 at 03:12:24PM +0100, luismi wrote:
> > Is it supported in any IOS?
> > Does anyone if it is going to be supported in the future?
>
> On 7600s, it should work, if you are using "routed mode" port channels
> (or subinterfaces). On vlan interfaces, it is not there (yet?).
>
> On GSRs, I have no idea.
>
> gert
>

From gert at greenie.muc.de  Tue Nov 17 04:54:52 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 10:54:52 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258450260.31116.0.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000>
Message-ID: <20091117095452.GB163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 10:31:00AM +0100, luismi wrote:
> Did you try it?

No. Our most relevant port-channels all are "switchport" type interfaces, and there is no BFD on SVI :-(

But given the 6500/7600 architecture, I would be fairly confident that it works. On the other hand, well, BFD on SVI *did* work in the past...

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From asturluismi at gmail.com Tue Nov 17 04:58:31 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 17 Nov 2009 10:58:31 +0100
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116233402.GY51443@gerbil.cluepon.net>
References: <20091116231109.GA74400@puck.nether.net> <20091116233402.GY51443@gerbil.cluepon.net>
Message-ID: <1258451911.31116.1.camel@hal9000>

I can't believe it, I need to check it.

> Still not as funny as this one:
>
> CSCso05336
>
> Symptoms: A Cisco 1811 router reloads when trying to connect to
> irc.freenode.net during the first 36 hours following a reload.
>
> Conditions: The symptom is observed only in the first 36 hours
> following a reload.
>
> Workaround: Do not connect to irc.freenode.net the first 36 hours
> following a reload.
>
> We really need a wall of shame website where people can submit the true
> gems. :)
>

From asturluismi at gmail.com Tue Nov 17 05:01:48 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 17 Nov 2009 11:01:48 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091117095452.GB163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de>
Message-ID: <1258452108.31116.2.camel@hal9000>

I see a message like "BDF not supported over port-channels" in my routers.
Also "sh bfd ..." doesn't show anything.

On Tue, 17-11-2009 at 10:54 +0100, Gert Doering wrote:
> Hi,
>
> On Tue, Nov 17, 2009 at 10:31:00AM +0100, luismi wrote:
> > Did you try it?
>
> No. Our most relevant port-channels all are "switchport" type interfaces,
> and there is no BFD on SVI :-(
>
> But given the 6500/7600 architecture, I would be fairly confident that it
> works. On the other hand, well, BFD on SVI *did* work in the past...
>
> gert

From gert at greenie.muc.de Tue Nov 17 05:09:20 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 11:09:20 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258452108.31116.2.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000>
Message-ID: <20091117100920.GE163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
> I see a message like "BDF not supported over port-channels" in my
> routers.

Which IOS version is that? On what platform?

You could be a bit more proactive in your questions... this makes it
much easier to give meaningful responses, really... :-)

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From jonas at bjorklund.cn Tue Nov 17 06:57:42 2009
From: jonas at bjorklund.cn (Jonas Björklund)
Date: Tue, 17 Nov 2009 12:57:42 +0100 (CET)
Subject: [c-nsp] SUP2 boot problem
In-Reply-To: <3EC97F92-E5BF-4B68-B50E-4CBA8F88186B@puck.nether.net>
References: <3EC97F92-E5BF-4B68-B50E-4CBA8F88186B@puck.nether.net>
Message-ID:

On Mon, 16 Nov 2009, Jared Mauch wrote:

> Is that the latest rommon for sup2?
>
> You may also want to make sure your MFSC2 has the latest rommon as well, (assuming you have a MFSC2 in your sup2, which it would appear is the case).
>
> c6msfc2-rm2.srec.122-17r.S5 is that image.

I upgraded rommon and it didn't help. I formatted a new flash card from the SUP2, like the other card, but this time it worked much better.

Thanks!
/Jonas

From oboehmer at cisco.com Tue Nov 17 07:19:11 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 17 Nov 2009 13:19:11 +0100
Subject: [c-nsp] debug mpls packet
In-Reply-To: <4B02594C.8010004@gmail.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com> <4B02594C.8010004@gmail.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com>

> >>>> Does anyone know what the middle number represents in a "debug mpls
> >>>> packet" ( eg: {7963 6 254} )?
> >>>> I can't find this information anywhere.
> >>>>
> >>>> 7693 = Label
> >>>> 6 = ???
> >>>> 254 = I presume is the TTL
> >>>>
> >>>> What does the 6 represent??
> >>> it's the EXP value. you're right about the last being the TTL.
> >>>
> >>> oli
> >> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
> >
> > Hmm, why do you think so? Looking at the code, it only prints the 3 exp.
> > bits.
>
> Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into
> one value.

still not sure what you refer to, and why you think the debug discussed
shows the 4-bit Exp+S value rather than the 3-bit Exp only?

oli

From asturluismi at gmail.com Tue Nov 17 07:20:58 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 17 Nov 2009 13:20:58 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091117100920.GE163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de>
Message-ID: <1258460458.31116.3.camel@hal9000>

I wrote it in a previous email but here is again :D

7200 npe-g2 and 7600 rsp720-pfc3

I am using 12.2SRC but it is not supported there and I would like to know
if it is supported in another train.

On Tue, 17-11-2009 at 11:09 +0100, Gert Doering wrote:
> Hi,
>
> On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
> > I see a message like "BDF not supported over port-channels" in my
> > routers.
>
> Which IOS version is that? On what platform?
>
> You could be a bit more proactive in your questions... this makes it
> much easier to give meaningful responses, really... :-)
>
> gert

From amsoares at netcabo.pt Tue Nov 17 07:36:48 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Tue, 17 Nov 2009 12:36:48 -0000
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To:
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
Message-ID: <4BF89FC5C247499FA7D25C31066665F6@int.convex.pt>

Almost all LCs are reporting errors in the column "CRC XBAR0". So I think that replacing the CSC0 will be the best to do at the moment.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

_____

From: e ninja [mailto:eninja at gmail.com]
Sent: Monday, 16 November 2009 19:07
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net; eninja at gmail.com
Subject: Re: [c-nsp] FABRIC-3-ERR_HANDLE

Antonio,

You should never troubleshoot fabric errors with any exec-on commands. They run over the fabric that may or may not be compromised.

1. Are any other LCs apart from slot 6 reporting CRC errors?
2. grab two "sh contr fia" from the RP and an attach to all the LCs and send over.
Eninja

On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares wrote:

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, I have 4 of these messages.

Slot 6 is a SIP-601 containing 2 x SPA-10G.

What could be the problem?

The "show controllers fia" does not show any problem.

The "execute-on slot 6 show controllers fia" shows this:

Switch cards present:   0x1F
Switch cards monitored: 0x1F
                    0        1        2        3        4
             -------- -------- -------- -------- --------
los                 0        0        0        0        0
state             Off      Off      Off      Off      Off
crc16           53989        0        0        0        0
xor error           0        0        0        0
cell drops       1020     1020     1020     1020

IOS=c12kprp-p-mz.120-32.SY6.bin

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From gert at greenie.muc.de Tue Nov 17 09:12:04 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 15:12:04 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258460458.31116.3.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000>
Message-ID: <20091117141204.GG163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
> I wrote it in a previous email but here is again :D
>
> 7200 npe-g2 and 7600 rsp720-pfc3

These are very very *VERY* different platforms...

> I am using 12.2SRC but it is not supported there and I would like to know
> if it is supported in another train.

... so it might very well be supported on one of them, and not on the
other...

Just for the record - my assumption was wrong.
I just tried to configure BFD on a 6500 with SXF and SXH3a, and neither even
permits me to enter the bfd commands on the port-channel interfaces.
Physical interfaces only.

(Which makes some sort of sense, *iff* the BFD-handling is done in the
line card - where it belongs, to be independent of whatever load the
main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
enough to run BFD locally. So whatever...)

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From eninja at gmail.com Tue Nov 17 09:13:14 2009
From: eninja at gmail.com (Eninja)
Date: Tue, 17 Nov 2009 15:13:14 +0100
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <4BF89FC5C247499FA7D25C31066665F6@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <4BF89FC5C247499FA7D25C31066665F6@int.convex.pt>
Message-ID:

Cool. ITMT, you may want to shut down CSC0 with a 'hw-module...' to minimize further impact to the fabric and clear fabric errors on all LCs. A fresh 'sh contr fia' (repeated a few times) thereafter should reveal 0 CRCs.

Eninja

On Nov 17, 2009, at 1:36 PM, "Antonio Soares" wrote:

> Almost all LCs are reporting errors in the column "CRC XBAR0". So I
> think that replacing the CSC0 will be the best to do at the moment.
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
>
> From: e ninja [mailto:eninja at gmail.com]
> Sent: Monday, 16 November 2009 19:07
> To: Antonio Soares
> Cc: cisco-nsp at puck.nether.net; eninja at gmail.com
> Subject: Re: [c-nsp] FABRIC-3-ERR_HANDLE
>
> Antonio,
>
> You should never troubleshoot fabric errors with any exec-on
> commands.
> They run over the fabric that may or may not be compromised.
> Are any other LCs apart from slot 6 reporting CRC errors?
> grab two "sh contr fia" from the RP and an attach to all the LCs and
> send over.
> Eninja
>
>
> On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares
> wrote:
> Hello group,
>
> I have a 12k reporting this:
>
> %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from
> slot 6
>
> In one week, I have 4 of these messages.
>
> Slot 6 is a SIP-601 containing 2 x SPA-10G.
>
> What could be the problem?
>
> The "show controllers fia" does not show any problem.
>
> The "execute-on slot 6 show controllers fia" shows this:
>
> Switch cards present:   0x1F
> Switch cards monitored: 0x1F
>                     0        1        2        3        4
>              -------- -------- -------- -------- --------
> los                 0        0        0        0        0
> state             Off      Off      Off      Off      Off
> crc16           53989        0        0        0        0
> xor error           0        0        0        0
> cell drops       1020     1020     1020     1020
>
>
> IOS=c12kprp-p-mz.120-32.SY6.bin
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>

From jfitz at princeton.edu Tue Nov 17 09:51:01 2009
From: jfitz at princeton.edu (Jeff Fitzwater)
Date: Tue, 17 Nov 2009 09:51:01 -0500
Subject: [c-nsp] SXI(3) code status?
Message-ID: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>

I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.

Does anyone else have GOOD or BAD news on SXI(3)?
Jeff Fitzwater
OIT Network Systems
Princeton University

From jeff-kell at utc.edu Tue Nov 17 10:09:21 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 17 Nov 2009 10:09:21 -0500
Subject: [c-nsp] Flowcontrol conflict 4506 SupIV / 6509 Sup720
Message-ID: <4B02BCA1.3060402@utc.edu>

This may end up a TAC case after I gather more information this morning, but thought I'd run this by the list in case it rang any bells (or you had similar configurations)...

We had a maintenance window last night to push out some IOS upgrades to our distribution layer, complete with a scheduled reload to try to minimize downtime. Everything went well with one notable exception, a two-port etherchannel trunk between a 4506 and 6509 (that was working just fine beforehand).

From the 6509 side (which was the side noting the issue):

Nov 16 21:58:08.727 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/22, changed state to up
Nov 16 21:58:08.727 EST: %LINK-3-UPDOWN: Interface Port-channel8, changed state to up
Nov 16 21:58:08.731 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel8, changed state to up
Nov 16 21:58:08.743 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/43, changed state to up
Nov 16 21:58:08.983 EST: %LINK-3-UPDOWN: Interface Vlan224, changed state to down
Nov 16 21:58:08.987 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan224, changed state to down
Nov 16 21:58:09.147 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/22, changed state to down
Nov 16 21:58:09.175 EST: %LINK-3-UPDOWN: Interface GigabitEthernet1/22, changed state to down
Nov 16 21:58:08.650 EST: %EC-SP-5-CANNOT_BUNDLE2: Gi1/22 is not compatible with Gi2/43 and will be suspended (flow control send of Gi1/22 is desired, Gi2/43 is off)
Nov 16 21:58:08.658 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet1/22, changed state to down
Nov 16 21:58:08.698 EST: %EC-SP-5-COMPATIBLE: Gi1/22 is compatible with
port-channel members

I've never configured flowcontrol anywhere... and this is the first issue I've seen. The 6509 was untouched, the 4506 was changed/reloaded. The channel did not come up until I did a flowcontrol send off (which now does not appear anywhere in the config, making it even more confusing).

4506 side is the two SupIV supervisor ports. Was running 12.2(50)SG1 and working, rebooted into 12.2(53)SG1.

6509 blade 1 is a 6724-SFP, blade 2 is a 6748-SFP. The 6509 has 13 port-channels configured across these two blades and there have been no issues with any other port-channel. The 6509 has another port-channel to another 4506 configured practically the same (different switchport allowed vlans) and had no issues.

Anyone see this before? Any words of wisdom regarding avoiding potential flowcontrol issues?

Jeff

From rubensk at gmail.com Tue Nov 17 10:22:51 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Tue, 17 Nov 2009 13:22:51 -0200
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
Message-ID: <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>

SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(), OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.

Rubens

On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>
>
> Does anyone else have GOOD or BAD news on SXI(3)?
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>

From jared at puck.nether.net Tue Nov 17 10:31:18 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 17 Nov 2009 10:31:18 -0500
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>
Message-ID:

SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware.

I strongly recommend using it over prior versions of SXI.

Due to the removal of hardware support we replaced the older 63xx/62xx series cards.

- Jared

On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:

> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>
>
> Rubens
>
>
>
> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>>
>>
>> Does anyone else have GOOD or BAD news on SXI(3)?
>>
>>
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>>

From cnsp at shreddedmail.com Tue Nov 17 11:33:33 2009
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Tue, 17 Nov 2009 08:33:33 -0800
Subject: [c-nsp] No SVI throughput/bandwidth counters on Catalyst 4948
Message-ID:

I started deploying Catalyst 4948 switches as TOR devices about 3 months ago. The policing and packet-handling have been behaving quite nicely. Physical ports are mapped to SVIs and the SVIs have policers attached. The primary reason for SVIs is to allow a paired 4948 to act as an HSRP partner across a dot1q trunk for the individual interfaces.

Up until last night, everything seemed to be working fine. We moved our Checkpoint firewall from behind the core down to behind aggregation (new mantra; no customers attach at the core - everybody is a customer. We had some ad-hoc stuff attached to the core that I'm slowly pruning).

From spot-checking, all of the SVIs and physical interfaces report bits/sec and packets/sec properly, other than the new interfaces I lit up for the firewall. Only the physical port interfaces show activity on bits/packets/sec. I am, however, seeing L3 Switched counters.

The only differences I can think of are; a) firewall isn't policed, and b) Checkpoint does weird stuff with unicast-IP-on-multicast-MAC for its load-balancing and failover. I added a policer to the firewall interface, and added the magic static arp (that Checkpoint uses) to an existing interface, and the behavior didn't change.
Checkpoint interface is weird, others are OK.

Any suggestions on what to look for?

Thanks,

-----

--> Working:

interface GigabitEthernet1/1
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end

#show int g1/1
GigabitEthernet1/1 is up, line protocol is up (connected)
  5 minute input rate 215000 bits/sec, 53 packets/sec
  5 minute output rate 258000 bits/sec, 47 packets/sec

interface Vlan101
 description Normal customer
 ip address x.y.34.226 255.255.255.248
 no ip redirects
 no ip proxy-arp
 standby 101 ip x.y.34.225
 standby 101 timers 5 15
 standby 101 priority 110
 standby 101 preempt
 service-policy input BW_12M
 service-policy output BW_12M
end

#show int vlan 101
Vlan101 is up, line protocol is up
  5 minute input rate 210000 bits/sec, 55 packets/sec
  5 minute output rate 236000 bits/sec, 46 packets/sec
  L3 in Switched: ucast: 487633 pkt, 188595448 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 439823 pkt, 245564925 bytes - mcast: 0 pkt, 0 bytes

--> Weird:

interface GigabitEthernet1/46
 description Checkpoint Firewall "A"
 switchport access vlan 146
 switchport mode access
 spanning-tree portfast
end

#show int g1/46
GigabitEthernet1/46 is up, line protocol is up (connected)
  5 minute input rate 25263000 bits/sec, 3476 packets/sec
  5 minute output rate 15737000 bits/sec, 5351 packets/sec

interface Vlan146
 description Checkpoint Firewall "A"
 ip address x.y.1.82 255.255.255.248
 no ip redirects
 no ip proxy-arp
 standby 146 ip x.y.1.81
 standby 146 timers 5 15
 standby 146 priority 110
 standby 146 preempt
end

#show int vlan 146
Vlan146 is up, line protocol is up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L3 in Switched: ucast: 94104774 pkt, 91006951231 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 44127262 pkt, 16712790232 bytes - mcast: 0 pkt, 0 bytes

From lukasz at bromirski.net Tue Nov 17 11:50:33 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 17 Nov 2009 17:50:33 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091117141204.GG163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de>
Message-ID: <4B02D459.1060309@bromirski.net>

On 2009-11-17 15:12, Gert Doering wrote:
> (Which makes some sort of sense, *iff* the BFD-handling is done in the
> line card - where it belongs, to be independent of whatever load the
> main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
> enough to run BFD locally. So whatever...)

You're right. The current 6500 LCs don't have capability to run BFD in fully distributed mode. All BFD-bound functionality is job of the active Supervisor.

--
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From gert at greenie.muc.de Tue Nov 17 11:57:44 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 17:57:44 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <4B02D459.1060309@bromirski.net>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de> <4B02D459.1060309@bromirski.net>
Message-ID: <20091117165744.GL163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 05:50:33PM +0100, Łukasz Bromirski wrote:
> On 2009-11-17 15:12, Gert Doering wrote:
>
> >(Which makes some sort of sense, *iff* the BFD-handling is done in the
> >line card - where it belongs, to be independent of whatever load the
> >main CPU is having.
> >OTOH, I don't think normal 6500 LAN cards are smart
> >enough to run BFD locally. So whatever...)
>
> You're right. The current 6500 LCs don't have capability to run BFD
> in fully distributed mode. All BFD-bound functionality is job of the
> active Supervisor.

Out of curiosity: since the boot messages suggest that 67xx cards with CFC or DFC run "some sort of local IOS" - would those be smart enough? What about SIP and ES cards?

So many things still to learn about this platform :-)

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From cphillips at wbsconnect.com Tue Nov 17 12:05:02 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Tue, 17 Nov 2009 09:05:02 -0800
Subject: [c-nsp] SXI(3) code status?
In-Reply-To:
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>
Message-ID: <4B02D7BE.1020000@wbsconnect.com>

Jared,

After quickly glancing at the release notes, I was unable to find anything about the removal of hardware support for the 63xx series cards. Do you have a URL or can you be more specific?

Thanks in advance!

Jared Mauch wrote:
> SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware.
>
> I strongly recommend using it over prior versions of SXI.
>
> Due to the removal of hardware support we replaced the older 63xx/62xx series cards.
>
> - Jared
>
> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
>
>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>>
>>
>> Rubens
>>
>>
>>
>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
>>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>>>
>>>
>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>
>>>
>>> Jeff Fitzwater
>>> OIT Network Systems
>>> Princeton University
>>>

From asturluismi at gmail.com Tue Nov 17 12:11:04 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 17 Nov 2009 18:11:04 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091117141204.GG163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de>
Message-ID: <1258477864.31116.4.camel@hal9000>

I was just curious, because I would like to deploy BFD, but I saw those messages on my routers because of the port-channel configurations, and I would like to know if it was supported in another train or something similar.
On Tue, 17-11-2009 at 15:12 +0100, Gert Doering wrote:
> Hi,
>
> On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
> > I wrote it in a previous email but here is again :D
> >
> > 7200 npe-g2 and 7600 rsp720-pfc3
>
> These are very very *VERY* different platforms...
>
> > I am using 12.2SRC but it is not supported there and I would like to know
> > if it is supported in another train.
>
> ... so it might very well be supported on one of them, and not on the
> other...
>
> Just for the record - my assumption was wrong. I just tried to configure
> BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
> the bfd commands on the port-channel interfaces. Physical interfaces
> only.
>
> (Which makes some sort of sense, *iff* the BFD-handling is done in the
> line card - where it belongs, to be independent of whatever load the
> main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
> enough to run BFD locally. So whatever...)
>
> gert

From jared at puck.nether.net Tue Nov 17 12:12:32 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 17 Nov 2009 12:12:32 -0500
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <4B02D7BE.1020000@wbsconnect.com>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com>
Message-ID: <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net>

Release 12.2(33)SXH and later releases do not support the following hardware:

These Ethernet Switching Modules:

  WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ
  WS-X6248A-TEL 48-port 10/100TX RJ-21
  WS-X6248-RJ-45 48-port 10/100TX RJ-45
  WS-X6248-TEL 48-port 10/100TX RJ-21
  WS-X6324-100FX-SM 24-port 100FX Ethernet
  WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ
  WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45
  WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ

Now, the caveat is that they did not actually remove the hardware support for some of these until SXI1, so while the release notes say one thing, the actual support varies. You will see something like this in 'show power':

  4  WS-X6248A-TEL   112.98  2.69  -  -  on  off  (not supported)
  8  WS-X6248-RJ-45  112.98  2.69  -  -  on  off  (not supported)

It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I can't recall if that was the case for SXI2/2a/or 1.

- Jared

On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote:

> Jared,
>
> After quickly glancing at the release notes, I was unable to find anything about the removal of hardware support for the 63xx series cards. Do you have a URL or can you be more specific?
>
> Thanks in advance!
>
> Jared Mauch wrote:
>> SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware.
>> I strongly recommend using it over prior versions of SXI.
>> Due to the removal of hardware support we replaced the older 63xx/62xx series cards.
>> - Jared
>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>>>
>>>
>>> Rubens
>>>
>>>
>>>
>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
>>>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>>>>
>>>>
>>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>>
>>>>
>>>> Jeff Fitzwater
>>>> OIT Network Systems
>>>> Princeton University
>>>>

From justin at justinshore.com Tue Nov 17 12:21:38 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 17 Nov 2009 11:21:38 -0600
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258460458.31116.3.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000>
Message-ID: <4B02DBA2.1050801@justinshore.com>

luismi wrote:
> I wrote it in a previous email but here is again :D
>
> 7200 npe-g2 and 7600 rsp720-pfc3
>
> I am using 12.2SRC but it is not supported there and I would like to know
> if it is supported in another train.

12.2SR is all you can run on the RSP720.
SX and SR will both run on the Sup720 but certain LCs are not supported in SR and vice versa. I only run and recommend 12.4T on 7200s so I can't speak to the 12.2 features for that platform.

Justin

From edigheorghiu at gmail.com Tue Nov 17 12:25:12 2009
From: edigheorghiu at gmail.com (Eduard Gheorghiu)
Date: Tue, 17 Nov 2009 19:25:12 +0200
Subject: [c-nsp] IOS XR version you use
Message-ID:

Hi everyone!

I am looking for a good choice of XR to upgrade to from 3.5. In terms of features there are no mandatory ones that could drive us to do 3.8 instead of 3.6.

Does any of you use 3.8 in a production environment? Please share any thoughts on this.

BR
Eduard

From achatz at forthnet.gr Tue Nov 17 12:35:26 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 17 Nov 2009 19:35:26 +0200
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258460458.31116.3.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000>
Message-ID: <4B02DEDE.8060003@forthnet.gr>

According to Cisco:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bfd.html#wp1054055

============================================================
For the following Cisco IOS Releases, BFD on PortChannel is not a supported configuration: 12.2SXF, 12.2SRC, and 12.2SRB.
============================================================

Also there is CSCek67622:

============================================================
BFD should not be configurable on etherchannel intf

Symptoms: The bfd interval command is accepted on EtherChannel and EtherChannel member interfaces.

Conditions: This symptom is observed on a Cisco router while BFD is not supported on EtherChannels.

Workaround: Do not enter the bfd interval command on EtherChannel and EtherChannel member interfaces.
============================================================

It's still not clear whether it's supported on SRD (and ES cards) or will be supported in the future...

--
Tassos

luismi wrote on 17/11/2009 14:20:
> I wrote it in a previous email but here is again :D
>
> 7200 npe-g2 and 7600 rsp720-pfc3
>
> I am using 12.2SRC but it is not supported there and I would like to know
> if it is supported in another train.
>
> On Tue, 17-11-2009 at 11:09 +0100, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
>>> I see a message like "BDF not supported over port-channels" in my
>>> routers.
>> Which IOS version is that? On what platform?
>>
>> You could be a bit more proactive in your questions... this makes it
>> much easier to give meaningful responses, really... :-)
>>
>> gert

From NMaio at guesswho.com Tue Nov 17 13:24:04 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Tue, 17 Nov 2009 13:24:04 -0500
Subject: [c-nsp] 7600 ES card and module
Message-ID: <2AA600764E54964491083B1E0EC81A302F8723C3E5@EXCLUS.nationala-1advertising.com>

Just a quick question or two. Does anybody have good/bad experience with a 7600-ES20-10G3CXL in a 7606 with 720-3bxl? I am looking to terminate a 1310nm or 1550nm 10Ge from another provider. No dense or coarse wave. Also I am trying to figure out if the XFP-10GLR-OC192SR module will work with this. Am I reading this correctly that this module is supported for both POS and regular 10G Ethernet?

Thanks,
Nick

From drew.weaver at thenap.com Tue Nov 17 13:49:12 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 17 Nov 2009 13:49:12 -0500
Subject: [c-nsp] Portchannel, ttl 1 packets filling input queue.
Message-ID:

Hey all,

I had been suffering from some input/output queue drops on the Catalyst side of a connection between a [Cat6500 (Sup 720-3BXL) WS-6724-SFP] and a GSR 12810 /w SIP-601 & SPA10x1GE-V2.

Since this link was tremendously busy I thought perhaps it was simply a matter of micro bursts exceeding the maximum bandwidth of the interface, and instead of upgrading to 10GE for a microburst, I decided to create a port-channel.

So I created the port channel using two ports on the 6724-SFP and two ports on the SPA10x1GE-V2. Since the GSR doesn't support anything but etherchannel (for what reason I can't tell you) I used etherchannel.

I noticed as soon as this port-channel interface came up that the input queue was immediately getting drops/flushes, so I did some:

sh buffers input-interface port-channel 1 dump

several times, and in there I saw this:

source: x.x.x.x, destination: y.y.y.y, id: 0x0000, ttl: 1, TOS: 0 prot: 17, source port 32136, destination port 9810

where x.x.x.x is a host on my network and y.y.y.y is a host on the Internet.

Pretty much every time I ran it I saw several packets like this (all with TTL 1). This continued until I broke the port-channel and put everything back to how it was.

I ran that same command:

sh buffers input-interface g4/19 1 dump

on the physical interface connecting the two (without the port channel) and I didn't get the same results.

Does anyone know of any bugs or anything with port-channel, or any caveats that might explain what I am running into?

thanks,
-Drew

From dudepron at gmail.com Tue Nov 17 14:02:00 2009
From: dudepron at gmail.com (Aaron)
Date: Tue, 17 Nov 2009 14:02:00 -0500
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To:
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt>
Message-ID: <480dad640911171102g15d06b51u2b3132b34d34ef76@mail.gmail.com>

So, what is the difference in output from doing exec-on vs attach? You are still connecting via the same method.

On Mon, Nov 16, 2009 at 14:07, e ninja wrote:

> Antonio,
>
> You should *never* troubleshoot fabric errors with *any* exec-on commands.
> They run over the fabric that may or may not be compromised.
>
> 1. Are any other LCs apart from slot 6 reporting CRC errors?
> 2. grab two "sh contr fia" from the RP and an attach to all the LCs and
> send over.
>
> Eninja
>
> On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares wrote:
>
>> Hello group,
>>
>> I have a 12k reporting this:
>>
>> %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6
>>
>> In one week, I have 4 of these messages.
>>
>> Slot 6 is a SIP-601 containing 2 x SPA-10G.
>>
>> What could be the problem?
>>
>> The "show controllers fia" does not show any problem.
>>
>> The "execute-on slot 6 show controllers fia" shows this:
>>
>> Switch cards present: 0x1F
>> Switch cards monitored: 0x1F
>> 0 1 2 3 4
>> -------- -------- -------- -------- --------
>> los 0 0 0 0 0
>> state Off Off Off Off Off
>> crc16 53989 0 0 0 0
>> xor error 0 0 0 0
>> cell drops 1020 1020 1020 1020
>>
>> IOS=c12kprp-p-mz.120-32.SY6.bin
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S)
>> amsoares at netcabo.pt

From jfitz at princeton.edu Tue Nov 17 14:34:52 2009
From: jfitz at princeton.edu (Jeff Fitzwater)
Date: Tue, 17 Nov 2009 14:34:52 -0500
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net>
Message-ID: <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu>

The 6324 100 MM is supported but did not come online in SXI 1, 2, 2A. It did however work in SXI, which we are running now. The other flavors are not supported.

Jeff

On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote:

> Release 12.2(33)SXH and later releases do not support the following hardware:
>
> These Ethernet Switching Modules:
>
> • WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ
> • WS-X6248A-TEL 48-port 10/100TX RJ-21
> • WS-X6248-RJ-45 48-port 10/100TX RJ-45
> • WS-X6248-TEL 48-port 10/100TX RJ-21
> • WS-X6324-100FX-SM 24-port 100FX Ethernet
> • WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ
> • WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45
> • WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ
>
> Now, the caveat is that they did not actually remove the hardware support for some of these until SXI1, so while the release notes say one thing, the actual support varies.
>
> You will see something like this in 'show power':
> 4 WS-X6248A-TEL 112.98 2.69 - - on off (not supported)
> 8 WS-X6248-RJ-45 112.98 2.69 - - on off (not supported)
>
> It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I can't recall if that was the case for SXI2/2a/or 1.
>
> - Jared
>
> On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote:
>
>> Jared,
>>
>> After quickly glancing at the release notes, I was unable to find anything about the removal of hardware support for the 63xx series cards. Do you have a URL or can you be more specific?
>>
>> Thanks in advance!
>>
>> Jared Mauch wrote:
>>> SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware.
>>> I strongly recommend using it over prior versions of SXI.
>>> Due to the removal of hardware support we replaced the older 63xx/62xx series cards.
>>> - Jared
>>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
>>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
>>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>>>>
>>>> Rubens
>>>>
>>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote:
>>>>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>>>>>
>>>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>>>
>>>>> Jeff Fitzwater
>>>>> OIT Network Systems
>>>>> Princeton University

From mduksa at gmail.com Tue Nov 17 14:43:42 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 17 Nov 2009 11:43:42 -0800
Subject: [c-nsp] Cisco 7600 Broadband Licensing
Message-ID:

Hi,

Does anyone know if licensing is needed on Cisco 7600 (and if so do you know the product number) for
broadband activation on ES+ cards (not interested in SIP)? Let's say that we want to enable subscriber management (PPPoE or IPoE) on ES+ cards, what licenses do we need? I know that a bunch of BB licenses exist for ASR1K but could not find anything on 7600.

Thanks,
Marlon

From kgraham at industrial-marshmallow.com Tue Nov 17 14:45:20 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 17 Nov 2009 11:45:20 -0800 (PST)
Subject: [c-nsp] how not to write a release note
In-Reply-To: <20091116231109.GA74400@puck.nether.net>
References: <20091116231109.GA74400@puck.nether.net>
Message-ID: <577377.68121.qm@web502.biz.mail.mud.yahoo.com>

> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..

Though that one is higher profile, still not as bad as:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/release/notes/ol_6897.html#wp274407

...listed as a "Limitation and Restriction" (as opposed to "Open Caveat") with no bug citation.

At least there are some good bug release-note authors out there, as evidenced by CSCse14048:

Cisco X2-10GB-LR transceiver modules with a version identification number lower than V03 might show intermittent frame check sequence (FCS) errors or be ejected from the switch during periods of operational shock greater than 50g. There is no workaround.

(still waiting to be able to recommend that as a possible problem to a c-nsp poster...)

From avayner at cisco.com Tue Nov 17 15:53:32 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 17 Nov 2009 21:53:32 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <1258477864.31116.4.camel@hal9000>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de> <1258477864.31116.4.camel@hal9000>
Message-ID:

Just out of curiosity, what is the port-channel on the 7200/7600 used for?
Is it a point to point routed port, or with L2 VLANs switched on top of it?

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Tuesday, November 17, 2009 19:11
To: Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BDF over port-channels?

I was just curious, because I would like to deploy BFD but I saw those messages on my routers because of the port-channel configurations and I would like to know if it was supported in another train or something similar.

On Tue, 17-11-2009 at 15:12 +0100, Gert Doering wrote:
> Hi,
>
> On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
>> I wrote it in a previous email but here is again :D
>>
>> 7200 npe-g2 and 7600 rsp720-pfc3
>
> These are very very *VERY* different platforms...
>
>> I am using 12.2SRC but it is not supported there and I would like to know
>> if it is supported in another train.
>
> ... so it might very well be supported on one of them, and not on the
> other...
>
> Just for the record - my assumption was wrong. I just tried to configure
> BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
> the bfd commands on the port-channel interfaces. Physical interfaces
> only.
>
> (Which makes some sort of sense, *iff* the BFD-handling is done in the
> line card - where it belongs, to be independent of whatever load the
> main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
> enough to run BFD locally.
> So whatever...)
>
> gert

From aptgetd at gmail.com Tue Nov 17 15:46:42 2009
From: aptgetd at gmail.com (sky vader)
Date: Tue, 17 Nov 2009 12:46:42 -0800
Subject: [c-nsp] snmpwalk for switch port status
Message-ID: <4B030BB2.8090801@gmail.com>

Hi,

Can anyone point me in the right direction for a perl script that will snmpwalk the MIB for switch port status, whether "up" or "down", including the total number of ports available? I have approximately 400 switches that I would like to query via script and pipe the results to a file for every device.

I'm currently querying it manually (see below) which is not scaling :-)

$ snmpwalk -c interfaces.ifTable.ifEntry.ifOperStatus | grep down

Any pointers will be greatly appreciated.

regards
sky

From avayner at cisco.com Tue Nov 17 15:57:54 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 17 Nov 2009 21:57:54 +0100
Subject: [c-nsp] how not to write a release note
In-Reply-To:
References: <20091116231109.GA74400@puck.nether.net>
Message-ID:

Well, as feedback for the issue raised, the bug you flagged is not causing anything other than a traceback message...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arie Vayner (avayner)
Sent: Tuesday, November 17, 2009 10:11
To: Jared Mauch; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] how not to write a release note

Jared,

I took a quick look and this has to do with QOS.
I have sent an internal query for more info. Will advise.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
Sent: Tuesday, November 17, 2009 01:11
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] how not to write a release note

Seems cisco is getting lazy.. SXI3 is out and this has to be one of the worst release notes ever:

CSCta14457 - A Cisco device may report alignment errors
"%ALIGN-3-TRACE" error messages accompanied with a traceback may be reported.

Does not say anything about what may trigger it, eg: mtu, packet fragmentation, etc..

- Jared

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From gert at greenie.muc.de Tue Nov 17 17:07:41 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Nov 2009 23:07:41 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To:
References: <1258477864.31116.4.camel@hal9000>
Message-ID: <20091117220741.GO163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 09:53:32PM +0100, Arie Vayner (avayner) wrote:
> Just out of curiosity, what is the port-channel on the 7200/7600 used for?
> Is it a point to point routed port, or with L2 VLANs switched on top of it?

Just for the records: on the 6500 with SXF or SXH3a, it wasn't possible to turn on BFD on a routed point-to-point port-channel. Switched + SVI is known to be unsupported and unconfigurable since SXH...

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From moua0100 at umn.edu Tue Nov 17 16:16:50 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 17 Nov 2009 15:16:50 -0600
Subject: [c-nsp] BDF over port-channels?
In-Reply-To:
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de> <1258477864.31116.4.camel@hal9000>
Message-ID: <4B0312C2.1090503@umn.edu>

we've got some p2p routed ports over here

!
interface Port-channel1
 description [removed]
 mtu 4470
 ip address 192.168.11.105 255.255.255.252
 no negotiation auto
 snmp trap link-status
 hold-queue 150 in
!

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Arie Vayner (avayner) wrote:
> Just out of curiosity, what is the port-channel on the 7200/7600 used for?
> Is it a point to point routed port, or with L2 VLANs switched on top of it?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Tuesday, November 17, 2009 19:11
> To: Gert Doering
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BDF over port-channels?
>
> I was just curious, because I would like to deploy BFD but I saw those
> messages on my routers because of the port-channel configurations and I
> would like to know if it was supported in another train or something
> similar.
>
> On Tue, 17-11-2009 at 15:12 +0100, Gert Doering wrote:
>
>> Hi,
>>
>> On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
>>
>>> I wrote it in a previous email but here is again :D
>>>
>>> 7200 npe-g2 and 7600 rsp720-pfc3
>>>
>> These are very very *VERY* different platforms...
>>
>>> I am using 12.2SRC but it is not supported there and I would like to know
>>> if it is supported in another train.
>>>
>> ... so it might very well be supported on one of them, and not on the
>> other...
>>
>> Just for the record - my assumption was wrong. I just tried to configure
>> BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
>> the bfd commands on the port-channel interfaces. Physical interfaces
>> only.
>>
>> (Which makes some sort of sense, *iff* the BFD-handling is done in the
>> line card - where it belongs, to be independent of whatever load the
>> main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
>> enough to run BFD locally. So whatever...)
>>
>> gert

From abidin.kahraman at gmail.com Tue Nov 17 17:16:15 2009
From: abidin.kahraman at gmail.com (Abidin Kahraman)
Date: Tue, 17 Nov 2009 22:16:15 +0000
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <4B02DEDE.8060003@forthnet.gr>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <4B02DEDE.8060003@forthnet.gr>
Message-ID: <2A7FD41E-5764-40C0-A659-DE93EC34A5F0@gmail.com>

BFD over port-channel is supported on SRD1.

HTH
Abidin

On 17 Nov 2009, at 17:35, Tassos Chatzithomaoglou wrote:

> According to Cisco:
>
> http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bfd.html#wp1054055
>
> ============================================================
> For the following Cisco IOS Releases, BFD on PortChannel is not a supported configuration: 12.2SXF, 12.2SRC, and 12.2SRB.
> ============================================================
>
> Also there is CSCek67622:
> ============================================================
> BFD should not be configurable on etherchannel intf
> Symptoms: The bfd interval command is accepted on
> EtherChannel and EtherChannel member interfaces.
>
> Conditions: This symptom is observed on a Cisco router while BFD is not
> supported on EtherChannels.
>
> Workaround: Do not enter the bfd interval command on
> EtherChannel and EtherChannel member interfaces.
> ============================================================
>
> It's still not clear whether it's supported on SRD (and ES cards) or will be supported in the future...
>
> --
> Tassos
>
> luismi wrote on 17/11/2009 14:20:
>> I wrote it in a previous email but here is again :D
>> 7200 npe-g2 and 7600 rsp720-pfc3
>> I am using 12.2SRC but it is not supported there and I would like to know
>> if it is supported in another train.
>> On Tue, 17-11-2009 at 11:09 +0100, Gert Doering wrote:
>>> Hi,
>>>
>>> On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
>>>> I see a message like "BDF not supported over port-channels" in my
>>>> routers.
>>> Which IOS version is that? On what platform?
>>>
>>> You could be a bit more proactive in your questions... this makes it
>>> much easier to give meaningful responses, really... :-)
>>>
>>> gert

From lukasz at bromirski.net Tue Nov 17 18:35:09 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 18 Nov 2009 00:35:09 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <20091117165744.GL163@greenie.muc.de>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de> <4B02D459.1060309@bromirski.net> <20091117165744.GL163@greenie.muc.de>
Message-ID: <4B03332D.3050208@bromirski.net>

On 2009-11-17 17:57, Gert Doering wrote:
> Out of curiosity: since the boot messages suggest that 67xx cards with
> CFC or DFC run "some sort of local IOS" - would those be smart enough?

No, the 'some sort of IOS' is there to perform only monitoring/supervising work, not to add some intelligence. Mainly mirroring the SP work, so programming the DFCs, or bridging the requests to PFC on active Sup.

> What about SIP and ES cards?

SIP-200/400 and ES40 may get distributed BFD support in future. AFAIK no current plans for rebuilds of SRC/SRD apart from scalability enhancements in centralized mode, and AFAIK SRE also won't contain any news here, but I may be wrong of course.
SRE is still to be delivered.

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end. | http://lukasz.bromirski.net

From dwbielawa at liberty.edu Tue Nov 17 19:32:38 2009
From: dwbielawa at liberty.edu (Bielawa, Daniel W. (NS))
Date: Tue, 17 Nov 2009 19:32:38 -0500
Subject: [c-nsp] snmpwalk for switch port status
In-Reply-To: <4B030BB2.8090801@gmail.com>
References: <4B030BB2.8090801@gmail.com>
Message-ID: <00C0F7C1912DA04585B1ECA7A0CD3CC003F7501F6E@LUEMS04VS.University.liberty.edu>

We use switchmap (http://switchmap.sourceforge.net/); it outputs name, description, admin status, oper status, vlan, and mac addresses. It outputs to plain text, as well as HTML.

Thank You
Daniel Bielawa
Network Engineer
Liberty University Network Services

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of sky vader
Sent: Tuesday, November 17, 2009 3:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] snmpwalk for switch port status

Hi,

Can anyone point me in the right direction for a perl script that will snmpwalk the MIB for switch port status, whether "up" or "down", including the total number of ports available? I have approximately 400 switches that I would like to query via script and pipe the results to a file for every device.

I'm currently querying it manually (see below) which is not scaling :-)

$ snmpwalk -c interfaces.ifTable.ifEntry.ifOperStatus | grep down

Any pointers will be greatly appreciated.

regards
sky

From eninja at gmail.com Tue Nov 17 19:48:34 2009
From: eninja at gmail.com (Eninja)
Date: Wed, 18 Nov 2009 01:48:34 +0100
Subject: [c-nsp] how not to write a release note
In-Reply-To:
References: <20091116231109.GA74400@puck.nether.net>
Message-ID: <9C4C5F69-52F1-4306-B3C9-55256889026D@gmail.com>

That is not true. Alignment corrections are a very CPU-intensive activity that may easily overwhelm a device if they occur frequently. Thus, per thread, users need to know (via properly written release notes) the causes of software defects so they can take steps to work around or rectify them.

Eninja

On Nov 17, 2009, at 9:57 PM, "Arie Vayner (avayner)" wrote:

> Well, as feedback for the issue raised, the bug you flagged is not
> causing anything other than a traceback message...
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arie Vayner
> (avayner)
> Sent: Tuesday, November 17, 2009 10:11
> To: Jared Mauch; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] how not to write a release note
>
> Jared,
>
> I took a quick look and this has to do with QOS.
> I have sent an internal query for more info. Will advise.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
> Sent: Tuesday, November 17, 2009 01:11
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] how not to write a release note
>
> Seems cisco is getting lazy.. SXI3 is out and this has to be
> one of the worst release notes ever:
>
> CSCta14457 - A Cisco device may report alignment errors
> "%ALIGN-3-TRACE" error messages accompanied with a traceback may be
> reported.
>
> Does not say anything about what may trigger it, eg: mtu,
> packet fragmentation, etc..
>
> - Jared
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only
> mine.

From frnkblk at iname.com Tue Nov 17 21:51:08 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 17 Nov 2009 20:51:08 -0600
Subject: [c-nsp] snmpwalk for switch port status
In-Reply-To: <4B030BB2.8090801@gmail.com>
References: <4B030BB2.8090801@gmail.com>
Message-ID:

Do the relevant scripts with NAGIOS meet your needs? See, for example, check_snmp_int.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of sky vader
Sent: Tuesday, November 17, 2009 2:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] snmpwalk for switch port status

Hi,

Can anyone point me in the right direction for a perl script that will snmpwalk the MIB for switch port status, whether "up" or "down", including the total number of ports available? I have approximately 400 switches that I would like to query via script and pipe the results to a file for every device.

I'm currently querying it manually (see below) which is not scaling :-)

$ snmpwalk -c interfaces.ifTable.ifEntry.ifOperStatus | grep down

Any pointers will be greatly appreciated.

regards
sky

From bandwidth.user at gmail.com Tue Nov 17 22:38:48 2009
From: bandwidth.user at gmail.com (roy)
Date: Wed, 18 Nov 2009 11:38:48 +0800
Subject: [c-nsp] debug mpls packet
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com> <4B02594C.8010004@gmail.com> <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com>
Message-ID: <4B036C48.40300@gmail.com>

Oliver Boehmer (oboehmer) wrote:
>>>>>> Does anyone know what the middle number represents in a "debug mpls
>>>>>> packet" ( eg: {7963 6 254} )?
>>>>>> I can't find this information anywhere.
>>>>>>
>>>>>> 7693 = Label
>>>>>> 6 = ???
>>>>>> 254 = I presume is the TTL
>>>>>>
>>>>>> What does the 6 represent??
>>>>> it's the EXP value. you're right about the last being the TTL.
>>>>>
>>>>> oli
>>>> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined?
>>> Hmm, why do you think so? Looking at the code, it only prints the 3 exp.
>>> bits.
>> Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into
>> one value.
>
> still not sure what you refer to, and why you think the debug discussed
> shows the 4-bit Exp+S value rather than the 3-bit Exp only?

If I may, MPLS Fundamentals refers to the stack on Fig 2-1 as Label/EXP/BoS/TTL. It then breaks this on Example 3-8 with {label EXP TTL}.
All things held constant; label at 20, TTL at 8, then EXP must be 3+1. Roy From deadheadblues at gmail.com Tue Nov 17 23:09:32 2009 From: deadheadblues at gmail.com (Hobbs) Date: Tue, 17 Nov 2009 21:09:32 -0700 Subject: [c-nsp] debug mpls packet In-Reply-To: <4B036C48.40300@gmail.com> References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com> <4B02594C.8010004@gmail.com> <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com> <4B036C48.40300@gmail.com> Message-ID: <6de7e5460911172009w6dde3fcap1c770eff67415dd@mail.gmail.com> On Tue, Nov 17, 2009 at 8:38 PM, roy wrote: > Oliver Boehmer (oboehmer) wrote: > >> >> >>> Does anyone know what the middle number represents in a "debug >>>>>>> >>>>>> mpls >> >>> packet" ( eg: {7963 6 254} )? >>>>>>> I can't find this information anywhere. >>>>>>> >>>>>>> 7693 = Label >>>>>>> 6 = ??? >>>>>>> 254 = I presume is the TTL >>>>>>> >>>>>>> What does the 6 represent?? >>>>>>> >>>>>> it's the EXP value. you're right about the last being the TTL. >>>>>> >>>>>> oli >>>>>> >>>>> Could it be the 3-bit EXP and 1-bit Bottom of Stack Flag combined? >>>>> >>>> Hmm, why do you think so? Looking at the code, it only prints the 3 >>>> >>> exp. >> >>> bits. >>>> >>> Cisco must have combined RFC3032 [2.1. Encoding the Label Stack] into >>> one value. >>> >> >> still not sure what you refer to, and why you think the debug discussed >> shows the 4-bit Exp+S value rather than the 3-bit Exp only? >> > > If I may, MPLS Fundamentals refers to the stack on Fig 2-1 as > Label/EXP/BoS/TTL. It then breaks this on Example 3-8 with {label EXP TTL}. > All things held constant; label at 20, TTL at 8, then EXP must be 3+1. 
>
> Roy
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

Reading too much into it. It's just not showing the stack bit. The output is for information. You don't need to know the stack bit, it's the only label. And if there were more than one, then it would show all labels.

From Skeeve at eintellego.net Tue Nov 17 23:05:03 2009
From: Skeeve at eintellego.net (Skeeve Stevens)
Date: Wed, 18 Nov 2009 15:05:03 +1100
Subject: [c-nsp] BGP Community Problem (I think)
Message-ID: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad>

Hey all,

I am confused as to why a BGP feed I take and take with a community and redistribute are some 50k routes different.

Details follow:

Platform is:

SYD-A-BDR-A#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 13:29 by prod_rel_team

ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, 7200 Software (C7200-BOOT-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)

SYD-A-BDR-A uptime is 1 year, 43 weeks, 4 days, 20 hours, 26 minutes
System returned to ROM by Reload Command at 08:32:21 UTC Mon Jan 8 2001
System restarted at 16:49:17 AEST Thu Jan 17 2008
System image file is "disk2:c7200-advipservicesk9-mz.124-15.T1.bin"

- Inbound full route feed

114.x.x.65      4  4xxx 26710538 2546241 130268709    0    0 9w1d   302167
114.x.x.66      4  4xxx 25400126 1834326 130268709    1    0 2w5d   302163

- Tagged with community

route-map PRI-IN permit 10
 match as-path 50
 set weight 80
 set community 17xxx:2000 additive
!
route-map PRI-IN permit 12
 match as-path 52
 set weight 90
 set community 17xxx:2002 additive
!
route-map PRI-IN permit 20
 match as-path 2
 set weight 80
 set community 17xxx:2001 additive

- Relevant config

ip as-path access-list 2 permit .*
ip as-path access-list 50 permit ^4xxx$
ip as-path access-list 52 permit ^4xxx_7xx_1xxx
!
ip community-list 200 permit 17xxx:2000
ip community-list 201 permit 17xxx:2001
ip community-list 202 permit 17xxx:2002

- Now, this all seems to work.

SYD-A-BDR-A#show ip bgp neighbors 114.x.x.66 received-routes | i Total
Total number of prefixes 302163

SYD-A-BDR-A#show ip bgp community-list 201 | redirect tftp://x.x.x.x/dump/20091118.txt

[root at dump]# more 20091118.txt | grep 193.66 | wc -l
301542
[root at dump]# more 20091118.txt | grep 193.65 | wc -l
301543

Now... there is a small difference which can be attributed to a variety of things... nothing I'm worried about since it is so close (500 routes).

Next:

route-map BNEA-OUT permit 10
 match ip address prefix-list US-SEND-BNE-BLOCKS ! (Just local routes)
!
route-map BNEA-OUT permit 20
 match community 201
!
route-map BNEA-OUT permit 30
 description Community 17xxx:250 mapped to CL 125 ! (Redistributing peering routes)
 match community 125
!

So.. we're tagging 301k routes inbound and examining the community list seems to be showing that is working fine, and then we are, using Community List 201, sending that 301k + Local + Peering (7900 routes) to another PoP.

But...

SYD-A-BDR-A#show ip bgp neighbors 203.x.x.6 advertised-routes | i Total
Total number of prefixes 250915

So this is missing about 51k routes + Peering routes of about 8k... but the peering routes seem to be there, so that makes it about 60k transit routes that are missing, that are not being sent 'in router' onto the next neighbour.

I hope I've included the most significant information... if this doesn't make sense, let me know and I will explain in more detail?
...Skeeve -- Skeeve Stevens, CEO/Technical Director eintellego Pty Ltd - The Networking Specialists skeeve at eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve www.linkedin.com/in/skeeve ; facebook.com/eintellego -- NOC, NOC, who's there? Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced. 
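A model of the PRI-IN and BNEA-OUT policy from the post, as an added example that is not the poster's configuration or any Cisco code: it applies IOS first-match route-map semantics (a route matched by sequence 10 or 12 has :2000 or :2002 added, not :2001, so BNEA-OUT sequence 20 does not match it) and honours the well-known NO_EXPORT/NO_ADVERTISE communities that block advertisement regardless of outbound policy. The ASNs, prefixes and the five-route feed are constructed placeholders standing in for the masked 4xxx/7xx/1xxx/17xxx values.

```python
import re
from dataclasses import dataclass, field

# Placeholder ASNs from the RFC 5398 documentation range; the post masks
# the real ones as 4xxx (upstream), 7xx, 1xxx and 17xxx (local AS).
UPSTREAM_AS, MID_AS, FAR_AS, LOCAL_AS = 64496, 64497, 64498, 64499
NO_EXPORT, NO_ADVERTISE = "no-export", "no-advertise"


@dataclass
class Route:
    prefix: str
    as_path: list
    communities: set = field(default_factory=set)
    weight: int = 0


def cisco_aspath_regex(pattern: str):
    """Translate an IOS as-path regex: '_' matches a separator, start or end."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


# ip as-path access-list entries from the post, with ASNs substituted.
AS_PATH_ACL = {
    2: cisco_aspath_regex(".*"),
    50: cisco_aspath_regex(f"^{UPSTREAM_AS}$"),
    52: cisco_aspath_regex(f"^{UPSTREAM_AS}_{MID_AS}_{FAR_AS}"),
}

# route-map PRI-IN as (sequence, as-path list, weight, community to add).
# IOS evaluates sequences in order and stops at the first match.
PRI_IN = [
    (10, 50, 80, f"{LOCAL_AS}:2000"),
    (12, 52, 90, f"{LOCAL_AS}:2002"),
    (20, 2, 80, f"{LOCAL_AS}:2001"),
]

# community-lists referenced by route-map BNEA-OUT (seq 10's prefix-list of
# local blocks is left out; it never matches transit routes).
COMMUNITY_LIST = {201: {f"{LOCAL_AS}:2001"}, 125: {f"{LOCAL_AS}:250"}}


def apply_pri_in(route: Route) -> Route:
    """Inbound policy: first matching sequence sets weight and adds its community."""
    path = " ".join(str(asn) for asn in route.as_path)
    for _seq, acl, weight, community in PRI_IN:
        if AS_PATH_ACL[acl].search(path):
            route.weight = weight
            route.communities.add(community)  # 'additive' keeps what the upstream sent
            return route
    return route  # not reached here because seq 20 matches '.*'


def advertise_decision(route: Route, peer_is_ebgp: bool) -> tuple:
    """Outbound toward the BNE peer: (advertised, reason) for one route."""
    # Well-known communities are honoured before any route-map is consulted.
    if NO_ADVERTISE in route.communities:
        return False, "well-known NO_ADVERTISE"
    if peer_is_ebgp and NO_EXPORT in route.communities:
        return False, "well-known NO_EXPORT toward an eBGP peer"
    for seq, cl in ((20, 201), (30, 125)):
        if route.communities & COMMUNITY_LIST[cl]:
            return True, f"BNEA-OUT seq {seq} (community-list {cl})"
    return False, "no BNEA-OUT clause matched (implicit deny)"


def constructed_feed() -> list:
    """Constructed stand-in for the 302k-prefix feed (RFC 5737 prefixes)."""
    return [
        Route("192.0.2.0/24", [UPSTREAM_AS]),                              # seq 10 -> :2000
        Route("198.51.100.0/24", [UPSTREAM_AS, MID_AS, FAR_AS, 65536]),    # seq 12 -> :2002
        Route("203.0.113.0/24", [UPSTREAM_AS, 65537, 65538]),              # seq 20 -> :2001
        Route("203.0.113.128/25", [UPSTREAM_AS, 65539], {NO_EXPORT}),      # :2001 + NO_EXPORT
        Route("198.51.100.128/25", [UPSTREAM_AS, 65540], {NO_ADVERTISE}),  # :2001 + NO_ADVERTISE
    ]


def audit(routes, peer_is_ebgp=True) -> dict:
    """Run every route through PRI-IN, then BNEA-OUT; map prefix -> (advertised, reason)."""
    return {r.prefix: advertise_decision(apply_pri_in(r), peer_is_ebgp) for r in routes}


if __name__ == "__main__":
    for prefix, (sent, why) in audit(constructed_feed()).items():
        print(f"{prefix:20} {'advertised' if sent else 'withheld  '}  {why}")
```

Run against a real table dump the same two checks (which PRI-IN sequence each prefix actually hit, and which well-known communities it carries) account for prefixes that are tagged but never reach the downstream peer.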
From deadheadblues at gmail.com Tue Nov 17 23:52:15 2009 From: deadheadblues at gmail.com (Hobbs) Date: Tue, 17 Nov 2009 21:52:15 -0700 Subject: [c-nsp] BGP Community Problem (I think) In-Reply-To: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> References: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> Message-ID: <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> On Tue, Nov 17, 2009 at 9:05 PM, Skeeve Stevens wrote: > Hey all, > > I am confused as to why a BGP feed I take and take with a community and > redistribute are some 50k routes different. > > Details follow: > > Platform is: > > SYD-A-BDR-A#sh ver > Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version > 12.4(15)T1, RELEASE SOFTWARE (fc2) > Technical Support: http://www.cisco.com/techsupport > Copyright (c) 1986-2007 by Cisco Systems, Inc. > Compiled Wed 18-Jul-07 13:29 by prod_rel_team > > ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1) > BOOTLDR: Cisco IOS Software, 7200 Software (C7200-BOOT-M), Version > 12.4(15)T1, RELEASE SOFTWARE (fc2) > > SYD-A-BDR-A uptime is 1 year, 43 weeks, 4 days, 20 hours, 26 minutes > System returned to ROM by Reload Command at 08:32:21 UTC Mon Jan 8 2001 > System restarted at 16:49:17 AEST Thu Jan 17 2008 > System image file is "disk2:c7200-advipservicesk9-mz.124-15.T1.bin" > > > > - Inbound full route feed > > > 114.x.x.65 4 4xxx 26710538 2546241 130268709 0 0 9w1d 302167 > 114.x.x.66 4 4xxx 25400126 1834326 130268709 1 0 2w5d 302163 > > - Tagged with community > > route-map PRI-IN permit 10 > match as-path 50 > set weight 80 > set community 17xxx:2000 additive > ! > route-map PRI-IN permit 12 > match as-path 52 > set weight 90 > set community 17xxx:2002 additive > ! 
> route-map PRI-IN permit 20 > match as-path 2 > set weight 80 > set community 17xxx:2001 additive > > > - Relevant config > > ip as-path access-list 2 permit .* > ip as-path access-list 50 permit ^4xxx$ > ip as-path access-list 52 permit ^4xxx_7xx_1xxx > ! > ip community-list 200 permit 17xxx:2000 > ip community-list 201 permit 17xxx:2001 > ip community-list 202 permit 17xxx:2002 > > > - Now, this all seems to work. > > SYD-A-BDR-A#show ip bgp neighbors 114.x.x.66 received-routes | i Total > Total number of prefixes 302163 > > SYD-A-BDR-A#show ip bgp community-list 201 | redirect > tftp://x.x.x.x/dump/20091118.txt > > [root at dump]# more 20091118.txt | grep 193.66 | wc -l > 301542 > [root at dump]# more 20091118.txt | grep 193.65 | wc -l > 301543 > > Now... there is a small difference which can be attributed to a variety of > things... nothing I'm worried about since it is so close (500 routes). > > Next: > > route-map BNEA-OUT permit 10 > match ip address prefix-list US-SEND-BNE-BLOCKS ! (Just local routes) > ! > route-map BNEA-OUT permit 20 > match community 201 > ! > route-map BNEA-OUT permit 30 > description Community 17xxx:250 mapped to CL 125 ! (Redistributing > peering routes) > match community 125 > ! > > > So.. we're tagging 301k routes inbound and examining the community list > seems to be showing that is working fine, and then we are, using Community > List 201 - sending that 301k + Local + Peering (7900 routes) to another PoP. > > But... > > SYD-A-BDR-A#show ip bgp neighbors 203.x.x.6 advertised-routes | i Total > Total number of prefixes 250915 > > So this is missing about 51k routes + Peering routes of about 8k... but the > peering routes seem to be there, so that makes it about 60k transit routes > that are missing that are not being sent 'in router' onto the next > neighbour. > > I hope I've included most significant information... if this doesn't make > sense, let me know and I will explain in more detail? 
> > > ...Skeeve > > > > -- > Skeeve Stevens, CEO/Technical Director > eintellego Pty Ltd - The Networking Specialists > skeeve at eintellego.net / www.eintellego.net > Phone: 1300 753 383, Fax: (+612) 8572 9954 > Cell +61 (0)414 753 383 / skype://skeeve > www.linkedin.com/in/skeeve ; facebook.com/eintellego > -- > NOC, NOC, who's there? > > Disclaimer: Limits of Liability and Disclaimer: This message is for the > named person's use only. It may contain sensitive and private proprietary or > legally privileged information. You must not, directly or indirectly, use, > disclose, distribute, print, or copy any part of this message if you are not > the intended recipient. eintellego Pty Ltd and each legal entity in the > Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail > communications through its networks. Any views expressed in this message > are those of the individual sender, except where the message states > otherwise and the sender is authorised to state them to be the views of any > such entity. Any reference to costs, fee quotations, contractual > transactions and variations to contract terms is subject to separate > confirmation in writing signed by an authorised representative of > eintellego. Whilst all efforts are made to safeguard inbound and outbound > e-mails, we cannot guarantee that attachments are! > virus-free or compatible with your systems and do not accept any liability > in respect of viruses or computer problems experienced. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > Not sure off-hand, but you can do show ip bgp neighbor and far down in the output you will see a section showing stats about why prefixes were dropped (route-map, dist-list, etc). What does it say? 
From metaliza at nithia.cz Wed Nov 18 00:25:03 2009 From: metaliza at nithia.cz (=?UTF-8?B?TWV0YWzDrXph?=) Date: Wed, 18 Nov 2009 06:25:03 +0100 Subject: [c-nsp] 3560/3750 policy routing In-Reply-To: <4AF02FBB.70108@kenweb.org> References: <1257202865.18763.17.camel@abehat.net.rm.dk> <4AEFE25C.3040508@nithia.cz> <4AF02FBB.70108@kenweb.org> Message-ID: <4B03852F.1010605@nithia.cz> ML wrote: > Metal?za wrote: >> Peter Rathlev wrote: >>> On Mon, 2009-11-02 at 17:21 -0500, Ryan West wrote: >>>>> We're using a couple of 3560s for PBR with no problems forwarding >>>>> 100 Mbps+. There's no CPU load from the forwarding itself. We >>>>> haven't tried actually pushing it yet but are planning to try >>>>> sometime soon. >>>>> >>>>> The 3560 needs the "routing" SDM template for this to work; I guess >>>>> the 3750 also needs this. >>>>> >>>> What IOS version? I definitely had the proper SDM template applied, it >>>> won't work otherwise. >>>> >>> >>> It has been running IOS 12.2(50)SE1 IP Services "all its life" (some >>> months). >>> >> >> Hi guys, >> >> I have a similar problem: >> >> We have been using PBR for forwarding through an IP-in-IP tunnel: >> >> interface Tunnel0 >> ip address 192.168.1.2 255.255.255.252 >> tunnel source 147.32.98.1 >> tunnel destination 147.32.127.190 >> tunnel mode ipip >> >> ip access-list extended private-2-hill >> permit ip 10.13.0.0 0.0.255.255 147.32.112.0 0.0.15.255 >> permit ip 10.13.0.0 0.0.255.255 147.32.30.0 0.0.1.255 >> permit ip 10.13.0.0 0.0.255.255 147.32.99.0 0.0.0.255 >> ! >> route-map private-2-hill permit 10 >> match ip address private-2-hill >> set interface Tunnel0 >> ! >> interface Vlan201 >> ip address 10.13.0.1 255.255.0.0 >> ip policy route-map private-2-hill >> ! >> local policy route-map private-2-hill >> This had been all functional on 3560 with 12.2(44)SE. At first there >> had been set ip next-hop, but that hadn't worked, so I've switched to >> set interface. 
>> >> After replacement of IOS to 12.2(52)SE the "set interface" command >> was refused after appliance of route map to an SVI. But local PBR >> still worked. So I've changed to set ip next-hop (which has been >> accepted by IOS) but with no effect in forwarding (but the local PBR >> still have worked - because of the SW-based traffic?). >> >> After some debugging I've realized that there is broken PBR in the >> 12.2(52)SE for the 3560. >> >> Or am I wrong and have missed something? >> > > I had the same problem on an ME3400. I could not use the remote end > of a GRE tunnel for PBR. Finally I have solved it! It's simple:-) set ip next-hop 192.168.1.1 192.168.1.2 More generallly: set ip next-hop -- ----------------------------------------------------------- Metaliza @ NitHiA icq #: 63193671 skype: metaliza001 From bandwidth.user at gmail.com Wed Nov 18 00:25:42 2009 From: bandwidth.user at gmail.com (roy) Date: Wed, 18 Nov 2009 13:25:42 +0800 Subject: [c-nsp] debug mpls packet In-Reply-To: <6de7e5460911172009w6dde3fcap1c770eff67415dd@mail.gmail.com> References: <56F211C5E3F24F47B103EA1B253822BE044AAF3A@vic-cr-ex1.staff.netspace.net.au> <6E4D2678AC543844917CA081C9D6B33FAE0494@XMB-AMS-103.cisco.com> <4B025424.2030104@gmail.com> <6E4D2678AC543844917CA081C9D6B33FAE04B2@XMB-AMS-103.cisco.com> <4B02594C.8010004@gmail.com> <6E4D2678AC543844917CA081C9D6B33FB316CA@XMB-AMS-103.cisco.com> <4B036C48.40300@gmail.com> <6de7e5460911172009w6dde3fcap1c770eff67415dd@mail.gmail.com> Message-ID: <4B038556.1070908@gmail.com> Hobbs wrote: > > > On Tue, Nov 17, 2009 at 8:38 PM, roy > wrote: > > Oliver Boehmer (oboehmer) wrote: > > > > Does anyone know what the middle number > represents in a "debug > > mpls > > packet" ( eg: {7963 6 254} )? > I can't find this information anywhere. > > 7693 = Label > 6 = ??? > 254 = I presume is the TTL > > What does the 6 represent?? > > it's the EXP value. you're right about the last > being the TTL. 
> > oli > > Could it be the 3-bit EXP and 1-bit Bottom of Stack > Flag combined? > > Hmm, why do you think so? Looking at the code, it only > prints the 3 > > exp. > > bits. > > Cisco must have combined RFC3032 [2.1. Encoding the Label > Stack] into > one value. > > > still not sure what you refer to, and why you think the debug > discussed > shows the 4-bit Exp+S value rather than the 3-bit Exp only? > > > If I may, MPLS Fundamentals refers to the stack on Fig 2-1 as > Label/EXP/BoS/TTL. It then breaks this on Example 3-8 with {label > EXP TTL}. All things held constant; label at 20, TTL at 8, then EXP > must be 3+1. > > Roy > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > Reading too much into it. It's just not showing the stack bit. The > output is for information. You don't need to know the stack bit, its the > only label. And if there were more than one, then it would show all labels. Right on, too much reading. I didn't take the text as it is. Oli was on spot. Cheers! Roy From Skeeve at eintellego.net Wed Nov 18 01:40:53 2009 From: Skeeve at eintellego.net (Skeeve Stevens) Date: Wed, 18 Nov 2009 17:40:53 +1100 Subject: [c-nsp] BGP Community Problem (I think) In-Reply-To: <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> References: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> Message-ID: <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad> But, the router isn't even sending them to the next router... between tagging them and re-sending them, they just aren't there.... so I would assume the neighbour they are being sent to is nothing to do with it? 
...Skeeve -- Skeeve Stevens, CEO/Technical Director eintellego Pty Ltd - The Networking Specialists skeeve at eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve www.linkedin.com/in/skeeve ; facebook.com/eintellego -- NOC, NOC, who's there? > > Not sure off-hand, but you can do show ip bgp neighbor and far down in > the > output you will see a section showing stats about why prefixes were > dropped > (route-map, dist-list, etc). What does it say? > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From illcritikz at gmail.com Wed Nov 18 02:05:05 2009 From: illcritikz at gmail.com (Ben Steele) Date: Wed, 18 Nov 2009 18:05:05 +1100 Subject: [c-nsp] BGP Community Problem (I think) In-Reply-To: <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad> References: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad> Message-ID: <4422cf660911172305u22fffd33lfa3b5044dc1e7e08@mail.gmail.com> As Hobbs mentioned do a "sh ip bgp neighbor " and look for the prefix activity part which will tell you about prefixes that didn't get sent to that peer for various reasons. Have you looked at the communities attached to the prefixes you have learnt from your other peer that you aren't advertising?, do they have either no-advertise/no-export/local-as etc. on them? is the peer your receiving the feed from iBGP or eBGP? and is the peer your sending them to iBGP or eBGP? On Wed, Nov 18, 2009 at 5:40 PM, Skeeve Stevens wrote: > But, the router isn't even sending them to the next router... between > tagging them and re-sending them, they just aren't there.... 
so I would > assume the neighbour they are being sent to is nothing to do with it? > > ...Skeeve > > -- > Skeeve Stevens, CEO/Technical Director > eintellego Pty Ltd - The Networking Specialists > skeeve at eintellego.net / www.eintellego.net > Phone: 1300 753 383, Fax: (+612) 8572 9954 > Cell +61 (0)414 753 383 / skype://skeeve > www.linkedin.com/in/skeeve ; facebook.com/eintellego > -- > NOC, NOC, who's there? > > > > > > Not sure off-hand, but you can do show ip bgp neighbor and far down in > > the > > output you will see a section showing stats about why prefixes were > > dropped > > (route-map, dist-list, etc). What does it say? > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From uvh at siemens.com Wed Nov 18 02:24:58 2009 From: uvh at siemens.com (Hansen, Ulrich Vestergaard B. (E R WP EN 342)) Date: Wed, 18 Nov 2009 08:24:58 +0100 Subject: [c-nsp] IP Traffic Types/Applications Supported by Cisco NAT? Message-ID: <5FD7A7EC774B114092B1603D69E42C9B02E9920C@BDKB1EEA.ww007.siemens.net> Hey All, Is there any work around to get SNMP over 1-to-1 NAT on Cisco? I found an old overview from CCIE Routing TCP/IP, Volume II 2002, does anyone know where i could find an updated revision? 
Traffic Types/Applications Supported

Any TCP/UDP traffic that does not carry source and/or destination IP addresses in the application data stream
HTTP
TFTP
Telnet
archie
finger
NTP
NFS
rlogin, rsh, rcp

Traffic Types/Applications Supported with IP Addresses in Their Data Stream

ICMP
FTP (including PORT and PASV)
NetBIOS over TCP/IP (datagram, name, and session services)
Progressive Networks' RealAudio
White Pines' CuSeeMe
Xing Technologies' StreamWorks
DNS A and PTR queries and responses
H.323/NetMeeting [12.0(1)/12.0(1)T and later]
VDOLive [11.3(4)/11.3(4)T and later]
Vxtreme [11.3(4)/11.3(4)T and later]
IP Multicast [12.0(1)T] (source address translation only)

Traffic Types/Applications Not Supported

Routing table updates
DNS zone transfers
BOOTP
talk, ntalk
SNMP
NetShow

Med venlig hilsen / Best Regards
Ulrich Vestergaard B. Hansen
Network Engineer / Siemens

From gert at greenie.muc.de Wed Nov 18 02:30:01 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 18 Nov 2009 08:30:01 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <4B0312C2.1090503@umn.edu>
References: <1258477864.31116.4.camel@hal9000> <4B0312C2.1090503@umn.edu>
Message-ID: <20091118073001.GQ163@greenie.muc.de>

Hi,

On Tue, Nov 17, 2009 at 03:16:50PM -0600, Ge Moua wrote:
> we've got some p2p routed ports over here
>
> !
> interface Port-channel1
> description [removed]
> mtu 4470
> ip address 192.168.11.105 255.255.255.252
> no negotiation auto
> snmp trap link-status
> hold-queue 150 in
> !

... and where's the BFD?

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From dv at dv.ru Wed Nov 18 02:13:17 2009
From: dv at dv.ru (Dmitry Valdov)
Date: Wed, 18 Nov 2009 10:13:17 +0300 (MSK)
Subject: [c-nsp] 7600 ES card and module
In-Reply-To: <2AA600764E54964491083B1E0EC81A302F8723C3E5@EXCLUS.nationala-1advertising.com>
References: <2AA600764E54964491083B1E0EC81A302F8723C3E5@EXCLUS.nationala-1advertising.com>
Message-ID: <20091118100222.K47791@xkis.kis.ru>

Hello,

On Tue, 17 Nov 2009, NMaio at guesswho.com wrote:

> Does anybody have good/bad experience with a 7600-ES20-10G3CXL in a 7606 with 720-3bxl?

We have 2 routers in this configuration. The only difference is that the chassis are 7609. We're running MPLS/VPLS with ES20 cards without any problem for more than a year.

Why do you need such smart and expensive cards to connect to another provider? What functionality do you need?

> Also I am trying to figure out if the XFP-10GLR-OC192SR module will work with this. Am I reading this correctly that this module is supported for both POS and regular 10G Ethernet?

Seems like that. I've never used it in POS mode, but in Eth mode it works well with ES20 cards.

--
Dmitry Valdov
CCIE #15379 (R&S and SP)

From eninja at gmail.com Wed Nov 18 02:40:11 2009
From: eninja at gmail.com (Eninja)
Date: Wed, 18 Nov 2009 08:40:11 +0100
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <480dad640911171102g15d06b51u2b3132b34d34ef76@mail.gmail.com>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <480dad640911171102g15d06b51u2b3132b34d34ef76@mail.gmail.com>
Message-ID:

'Exec-on' commands are sent via IPC over the switch fabric and 'attach' sessions go over the mbus.

Eninja

On Nov 17, 2009, at 8:02 PM, Aaron wrote:

> So, what is the difference in output from doing exec-on vs attach?
> You are still connecting via the same method.
> > On Mon, Nov 16, 2009 at 14:07, e ninja wrote: > Antonio, > > You should *never* troubleshoot fabric errors with *any* exec-on > commands. > They run over the fabric that may or may not be compromised. > > 1. Are any other LCs apart from slot 6 reporting CRC errors? > 2. grab two "sh contr fia" from the RP and an attach to all the > LCs and > send over. > > Eninja > > > On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares > wrote: > > > Hello group, > > > > I have a 12k reporting this: > > > > %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error > from slot 6 > > > > In one week, i have 4 of these messages. > > > > Slot 6 is a SIP-601 containing 2 x SPA-10G. > > > > What could be the problem ? > > > > The "show controllers fia" do not show any problem. > > > > The "execute-on slot 6 show controllers fia" show this: > > > > Switch cards present: 0x1F > > Switch cards monitored: 0x1F > > 0 1 2 3 4 > > -------- -------- -------- -------- -------- > > los 0 0 0 0 0 > > state Off Off Off Off Off > > crc16 53989 0 0 0 0 > > xor error0 0 0 0 > > cell drops1020 1020 1020 1020 > > > > > > IOS=c12kprp-p-mz.120-32.SY6.bin > > > > > > Thanks. > > > > Regards, > > > > Antonio Soares, CCIE #18473 (R&S) > > amsoares at netcabo.pt > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From thehink at gmail.com Wed Nov 18 04:38:36 2009 From: thehink at gmail.com (andrew) Date: Wed, 18 Nov 2009 01:38:36 -0800 Subject: [c-nsp] SXI(3) code status? 
In-Reply-To: <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> Message-ID: <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> Here is some BAD on SXI3 ... with redundant supervisor, SSH breaks upon supervisor switchover. -andrew On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater wrote: > The 6324 100 MM is supported but did not come online in SXI 1, 2 , 2A. It did however work in SXI, which we are running now. > > The other flavors are not supported. > > Jeff > > On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote: > >> Release 12.2(33)SXH and later releases do not support the following hardware: >> >> These Ethernet Switching Modules: >> >> ?WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ >> >> ?WS-X6248A-TEL 48-port 10/100TX RJ-21 >> >> ?WS-X6248-RJ-45 48-port 10/100TX RJ-45 >> >> ?WS-X6248-TEL 48-port 10/100TX RJ-21 >> >> ?WS-X6324-100FX-SM 24-port 100FX Ethernet >> >> ?WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ >> >> ?WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45 >> >> ?WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ >> >> ? ? ? Now, the caveat is that they did not actually remove the hardware support for some of these until SXI1, so while the release notes say one thing, the actual support varies. >> >> You will see something like this in 'show power': >> 4 ? ?WS-X6248A-TEL ? ? ? 112.98 ?2.69 ? ? - ? ? - ? ? on ? ?off (not supported) >> 8 ? ?WS-X6248-RJ-45 ? ? ?112.98 ?2.69 ? ? - ? ? - ? ? on ? ?off (not supported) >> >> It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I can't recall if that was the case for SXI2/2a/or 1. >> >> ? ? ? 
- Jared >> >> On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote: >> >>> Jared, >>> >>> After quickly glancing at the release notes, I was unable to find anything about the removal of hardware support for the 63xx series cards. ?Do you have a URL or can you be more specific? >>> >>> Thanks in advance! >>> >>> Jared Mauch wrote: >>>> SXI3 has a number of bug fixes for our network, including one that would cause the next-hop to be populated as 'drop' in hardware. >>>> I strongly recommend using it over prior versions of SXI. >>>> Due to the removal of hardware support we replaced the older 63xx/62xx series cards. >>>> - Jared >>>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote: >>>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(), >>>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC. >>>>> >>>>> >>>>> Rubens >>>>> >>>>> >>>>> >>>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater wrote: >>>>>> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet. >>>>>> >>>>>> >>>>>> Does anyone else have ?GOOD or BAD new on SXI(3)? 
>>>>>> >>>>>> >>>>>> Jeff Fitzwater >>>>>> OIT Network Systems >>>>>> Princeton University >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>>>> >>>>> _______________________________________________ >>>>> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> _______________________________________________ >>>> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> _______________________________________________ >> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- -andrew From cphillips at wbsconnect.com Wed Nov 18 05:00:08 2009 From: cphillips at wbsconnect.com (Chris Phillips) Date: Wed, 18 Nov 2009 02:00:08 -0800 Subject: [c-nsp] SXI(3) code status? In-Reply-To: <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> Message-ID: <4B03C5A8.30506@wbsconnect.com> Define breaks. 
Breaks as in your ssh connection drops and you have to login again, or breaks as in your ssh connection drops and the ssh service doesn't restart?

andrew wrote:
> Here is some BAD on SXI3 ...
>
> with redundant supervisor, SSH breaks upon supervisor switchover.
>
> -andrew
>
> On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater wrote:
>> The 6324 100 MM is supported but did not come online in SXI 1, 2, 2A. It did however work in SXI, which we are running now.
>>
>> The other flavors are not supported.
>>
>> Jeff
>>
>> On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote:
>>
>>> Release 12.2(33)SXH and later releases do not support the following hardware:
>>>
>>> These Ethernet Switching Modules:
>>>
>>> WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ
>>> WS-X6248A-TEL 48-port 10/100TX RJ-21
>>> WS-X6248-RJ-45 48-port 10/100TX RJ-45
>>> WS-X6248-TEL 48-port 10/100TX RJ-21
>>> WS-X6324-100FX-SM 24-port 100FX Ethernet
>>> WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ
>>> WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45
>>> WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ
>>>
>>> Now, the caveat is that they did not actually remove the hardware support for some of these until SXI1, so while the release notes say one thing, the actual support varies.
>>>
>>> You will see something like this in 'show power':
>>> 4    WS-X6248A-TEL       112.98  2.69     -     -     on    off (not supported)
>>> 8    WS-X6248-RJ-45      112.98  2.69     -     -     on    off (not supported)
>>>
>>> It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I can't recall if that was the case for SXI2/2a/or 1.
>>>
>>> - Jared

--
Chris Phillips
Director of Network Engineering & Peering Coordinator
WBS Connect
cphillips at wbsconnect.com
(866) WBS-CONX
(720) 259-8361 - direct
(303) 968-4383 - mobile
www.wbsconnect.com

From asturluismi at gmail.com Wed Nov 18 05:04:58 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 18 Nov 2009 11:04:58 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To:
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <20091117141204.GG163@greenie.muc.de> <1258477864.31116.4.camel@hal9000>
Message-ID: <1258538698.12346.1.camel@hal9000>

We used here against 3750 with cross-stack etherchannel configuration, and it is working very good so far.

On Tue, 17-11-2009 at 21:53 +0100, Arie Vayner (avayner) wrote:
> Just out of curiosity, what are the port-channel on the 7200/7600 is used for?
> Is it a point to point routed port, or with L2 VLANs switched on top of it?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Tuesday, November 17, 2009 19:11
> To: Gert Doering
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BDF over port-channels?
>
> I was just curious, because I would like to deploy BFD but I saw those
> messages on my routers because the port-channels configurations and I
> would like to know if it was supported in other train or something
> similar.
>
> On Tue, 17-11-2009 at 15:12 +0100, Gert Doering wrote:
> > Hi,
> >
> > On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:
> > > I wrote it in a previous email but here is again :D
> > >
> > > 7200 npe-g2 and 7600 rsp720-pfc3
> >
> > These are very very *VERY* different platforms...
> >
> > > I am using 12.2SRC but it is not supported there and I would like to know
> > > if it is supported in another train.
> >
> > ... so it might very well be supported on one of them, and not on the
> > other...
> >
> > Just for the record - my assumption was wrong. I just tried to configure
> > BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
> > the bfd commands on the port-channel interfaces. Physical interfaces
> > only.
> >
> > (Which makes some sort of sense, *iff* the BFD-handling is done in the
> > line card - where it belongs, to be independent of whatever load the
> > main CPU is having. OTOH, I don't think normal 6500 LAN cards are smart
> > enough to run BFD locally. So whatever...)
> >
> > gert

From mtinka at globaltransit.net Wed Nov 18 05:15:20 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 18 Nov 2009 18:15:20 +0800
Subject: [c-nsp] SXI(3) code status?
In-Reply-To:
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com>
Message-ID: <200911181815.22693.mtinka@globaltransit.net>

On Tuesday 17 November 2009 11:31:18 pm Jared Mauch wrote:

> I strongly recommend using it over prior versions of SXI.

As part of our recent round of upgrades, we moved from SXH3 to SXI2a. It did fix a non-severe AAA bug we hit when we first moved to SXH3.
If we'd waited 4 extra days, we'd have rolled over to SXI3 instead, but for our applications (pure Layer 2 Ethernet switching with the boxes running as an IS-IS DIS), SXI2a should be super-stable for us for another 10 years, even (okay, maybe not, hehe).

Newer line cards notwithstanding, if it weren't for the AAA bug, we'd probably have stayed on SXH3 also (which served us well for some 1.3 years). We simply aren't using any of the other features to run any potentially crippling kinky stuff on the box.

Cheers,

Mark.

From asturluismi at gmail.com Wed Nov 18 05:24:03 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 18 Nov 2009 11:24:03 +0100
Subject: [c-nsp] BDF over port-channels?
In-Reply-To: <2A7FD41E-5764-40C0-A659-DE93EC34A5F0@gmail.com>
References: <1258294344.12313.1.camel@hal9000> <20091115191936.GP163@greenie.muc.de> <1258450260.31116.0.camel@hal9000> <20091117095452.GB163@greenie.muc.de> <1258452108.31116.2.camel@hal9000> <20091117100920.GE163@greenie.muc.de> <1258460458.31116.3.camel@hal9000> <4B02DEDE.8060003@forthnet.gr> <2A7FD41E-5764-40C0-A659-DE93EC34A5F0@gmail.com>
Message-ID: <1258539843.12346.2.camel@hal9000>

That is what I was looking for. Do you use it in 7600 and/or 7200?

On Tue, 17-11-2009 at 22:16 +0000, Abidin Kahraman wrote:
> BFD over port-channel is supported on SRD1.
>
> HTH
> Abidin
>
> On 17 Nov 2009, at 17:35, Tassos Chatzithomaoglou wrote:
>
> > According to Cisco:
> >
> > http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bfd.html#wp1054055
> >
> > ============================================================
> > For the following Cisco IOS Releases, BFD on PortChannel is not a supported configuration: 12.2SXF, 12.2SRC, and 12.2SRB.
> > ============================================================
> >
> > Also there is CSCek67622:
> > ============================================================
> > BFD should not be configurable on etherchannel intf
> > Symptoms: The bfd interval command is accepted on
> > EtherChannel and EtherChannel member interfaces.
> >
> > Conditions: This symptom is observed on a Cisco router while BFD is not
> > supported on EtherChannels.
> >
> > Workaround: Do not enter the bfd interval command on
> > EtherChannel and EtherChannel member interfaces.
> > ============================================================
> >
> > It's still not clear whether it's supported on SRD (and ES cards) or will be supported in the future...
> >
> > --
> > Tassos
> >
> > luismi wrote on 17/11/2009 14:20:
> >> I wrote it in a previous email but here is again :D
> >> 7200 npe-g2 and 7600 rsp720-pfc3
> >> I am using 12.2SRC but it is not supported there and I would like to know
> >> if it is supported in another train.
> >> On Tue, 17-11-2009 at 11:09 +0100, Gert Doering wrote:
> >>> Hi,
> >>>
> >>> On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
> >>>> I see a message like "BDF not supported over port-channels" in my
> >>>> routers.
> >>> Which IOS version is that? On what platform?
> >>>
> >>> You could be a bit more proactive in your questions... this makes it
> >>> much easier to give meaningful responses, really... :-)
> >>>
> >>> gert

From thehink at gmail.com Wed Nov 18 05:29:06 2009
From: thehink at gmail.com (andrew)
Date: Wed, 18 Nov 2009 02:29:06 -0800
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <4B03C5A8.30506@wbsconnect.com>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com>
Message-ID: <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com>

Breaks as in after forcing a sup switchover while on console subsequent SSH connections are refused, as it seems the private key is missing/unreadable. This is logged:

Nov 18 10:16:08.211: SSH2 0: RSA_sign: private key not found
Nov 18 10:16:08.211: SSH2 0: signature creation failed, status -1

Clearing RSA keys and re-generating did not help. Clear RSA keys, *reboot box*, and re-generate did fix.

On Wed, Nov 18, 2009 at 2:00 AM, Chris Phillips wrote:
> Define breaks. Breaks as in your ssh connection drops and you have to login
> again, or breaks as in your ssh connection drops and the ssh service doesn't
> restart?
>
> andrew wrote:
>> Here is some BAD on SXI3 ...
>>
>> with redundant supervisor, SSH breaks upon supervisor switchover.
>>
>> -andrew
>>
>> On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater wrote:
>>> The 6324 100 MM is supported but did not come online in SXI 1, 2, 2A. It
>>> did however work in SXI, which we are running now.
>>>
>>> The other flavors are not supported.
>>>
>>> Jeff

--
-andrew

From Reinhold.Fischer at gmx.net Wed Nov 18 05:30:14 2009
From: Reinhold.Fischer at gmx.net (Reinhold Fischer)
Date: Wed, 18 Nov 2009 11:30:14 +0100
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu>
Message-ID: <20091118103014.GA1529@fart>

We upgraded tonight one of our boxes to SXI3. The WS-X6324-100FX-MM works with this version of code!

hth,
Reinhold

On Tue, Nov 17, 2009 at 09:51:01AM -0500, Jeff Fitzwater wrote:
> I have been running the SXI(3) on a test router with 100M MM 6324, which it did not recognize in previous versions, and so far no complaints but then again it's not in a real world yet.
>
> Does anyone else have GOOD or BAD news on SXI(3)?
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

From tomas at soitron.com Wed Nov 18 05:40:39 2009
From: tomas at soitron.com (Daniska, Tomas)
Date: Wed, 18 Nov 2009 11:40:39 +0100
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <200911181815.22693.mtinka@globaltransit.net>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <200911181815.22693.mtinka@globaltransit.net>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD302855601@kenya.tronet.as>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
> Sent: Wednesday, November 18, 2009 11:15 AM
> To: cisco-nsp at puck.nether.net
> Cc: Jared Mauch
> Subject: Re: [c-nsp] SXI(3) code status?
>
> On Tuesday 17 November 2009 11:31:18 pm Jared Mauch wrote:
>
> > I strongly recommend using it over prior versions of SXI.
>
> As part of our recent round of upgrades, we moved from SXH3
> to SXI2a. It did fix a non-severe AAA bug we hit when we
> first moved to SXH3.

Which one was that?

We've been hit by a bug when using TAC+ out of a VRF. Initial user authentication is OK, but the subsequent enable auth outgoing packets do not have the proper VRF set and go out the GRT instead. Funny enough, the return packet returns via the VRF and the box eats it.

We've filed CSCtc86306 for this hoping to have this fixed by SXI3, but after exchanging lots of e-mails with India TAC the status was that they do understand the issue and suddenly they've just stated it works as expected. The SXI3 goal is missed now, and ages to come until the next maintenance build...

Aug 28 17:00:37.285: AAA/MEMORY: create_user (0xF7E8CF8) user='xxxxxxxx' ruser='NULL' ds0=0 port='tty2' rem_addr='x.x.x.x' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
<=== they somehow forgot to fill this in for enable auth

--
deejay
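Both failure modes reported in this thread surface first in the box's own syslog: the RSA_sign lines andrew quoted after the supervisor switchover (management access silently gone until someone notices), and the AAA/MEMORY create_user record with an empty vrf= that Tomas quoted for the enable authentication (the request leaves via the global table, so it is both broken and, if the VRF was there for isolation, leaking). The following is an added example, not code from the list or from Cisco, that runs simple detection logic over constructed copies of those lines. The timestamps, user name, addresses and the MGMT VRF name are placeholders, and the LOGIN record with a populated VRF is an assumption in the same create_user format, since only the ENABLE record was quoted.

```python
"""Detect two IOS syslog symptoms discussed on the list:
  1. the SSH server losing access to its RSA host key after a
     supervisor switchover
  2. an AAA enable-authentication record created without the VRF that
     the preceding login on the same line used
Added example; not Cisco code and not from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log. The SSH lines mirror what andrew quoted; the AAA
# lines mirror the create_user format Tomas quoted. User, addresses, VRF
# name and the LOGIN record itself are placeholders / assumptions.
SAMPLE_LOG = """\
Nov 18 10:16:08.211: SSH2 0: RSA_sign: private key not found
Nov 18 10:16:08.211: SSH2 0: signature creation failed, status -1
Aug 28 17:00:35.101: AAA/MEMORY: create_user (0xF7E8CE0) user='admin' ruser='NULL' ds0=0 port='tty2' rem_addr='192.0.2.10' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf=MGMT (id=1)
Aug 28 17:00:37.285: AAA/MEMORY: create_user (0xF7E8CF8) user='admin' ruser='NULL' ds0=0 port='tty2' rem_addr='192.0.2.10' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
"""

SSH_KEY_RE = re.compile(r"SSH2 \d+: RSA_sign: private key not found")
AAA_RE = re.compile(
    r"AAA/MEMORY: create_user .*?port='(?P<port>[^']*)'"
    r".*?service=(?P<service>\w+)"
    r".*?vrf=(?P<vrf>\S*) \(id=(?P<vrfid>\d+)\)"
)


@dataclass
class Finding:
    kind: str     # "ssh-key-missing" or "aaa-vrf-dropped"
    line: str     # the syslog line that triggered it
    detail: str


def analyze(log_text: str) -> list[Finding]:
    """Scan syslog text line by line and return the findings in order."""
    findings: list[Finding] = []
    login_vrf_by_port: dict[str, str] = {}   # tty/vty -> VRF used at LOGIN
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SSH_KEY_RE.search(line):
            findings.append(Finding(
                "ssh-key-missing", line,
                "SSH server cannot read its RSA host key; new sessions will be refused"))
            continue
        m = AAA_RE.search(line)
        if not m:
            continue
        port, service, vrf = m.group("port"), m.group("service"), m.group("vrf")
        if service == "LOGIN":
            login_vrf_by_port[port] = vrf
        elif service == "ENABLE" and not vrf:
            expected = login_vrf_by_port.get(port)
            if expected:   # login was VRF-bound but the enable auth is not
                findings.append(Finding(
                    "aaa-vrf-dropped", line,
                    f"enable auth on {port} carries no VRF; login used VRF {expected}"))
    return findings


def counts(log_text: str) -> dict[str, int]:
    """Finding kind -> number of occurrences, handy for a monitoring check."""
    out: dict[str, int] = {}
    for f in analyze(log_text):
        out[f.kind] = out.get(f.kind, 0) + 1
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

The VRF check deliberately keys on the tty/vty in the LOGIN record rather than flagging every empty vrf=, so an enable on a line that was never VRF-bound does not produce noise; the SSH check fires on the first RSA_sign line so the alert precedes the refused connections rather than waiting for an operator to hit one.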
From perc69 at gmail.com Wed Nov 18 06:11:37 2009
From: perc69 at gmail.com (Per Carlson)
Date: Wed, 18 Nov 2009 12:11:37 +0100
Subject: [c-nsp] IOS XR version you use
In-Reply-To:
References:
Message-ID: <746ca6da0911180311o4e4e729cqdbde8800cf29ab7a@mail.gmail.com>

Hi.

> I look for a good choice of XR to upgrade to from 3.5. In terms of features
> there are no mandatory ones that could drive us to do 3.8 instead of 3.6
> Does anyone of you use 3.8 in a production environment? Please share any
> thoughts on this.

We are using 3.5.4 (CRS and XR12k) and do plan a move to 3.6.3 on both platforms. XR 3.8 didn't give us any needed features either, and the lower exposure in "the wild" made the choice of 3.6 rather easy.

--
Pelle

From jan.gregor at chronix.org Wed Nov 18 05:28:14 2009
From: jan.gregor at chronix.org (Jan Gregor)
Date: Wed, 18 Nov 2009 11:28:14 +0100
Subject: [c-nsp] ASA IPSec weirdness
Message-ID: <4B03CC3E.1080607@chronix.org>

Hello all,

recently I got an issue with an L2L IPSec tunnel on one of our ASA firewalls. The problem is that when the remote site initiates the connection, the ASA negotiates the association as though it is a VPN client (ipsec-ra is also configured on the same firewall).

Not working association (asa is responder):

Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
spi: 0xCD25D187 (3441807751)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2709, crypto-map: VPNClientMap

Working association (asa is initiator):

Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
spi: 0xF9214935 (4179708213)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2710, crypto-map: outside_map

ASA configuration looks like this:

crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto dynamic-map VPNClientMap 1 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap

I have tried everything that I could think of - xauth disabling (which I think is default on asa), upgrading router asa software, ... Nothing worked and disabling the vpn clients is not an option for me :/ .

Anyone stumbled across something similar in the past and was able to fix it?

Thanks for any pointers.

Best regards,

Jan Gregor

From eng_mssk at hotmail.com Wed Nov 18 06:24:27 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 18 Nov 2009 13:24:27 +0200
Subject: [c-nsp] Flow Control
Message-ID:

Dear all,

I have 5 gigabit ethernet interfaces connected via port channel to a WiMAX ASN gateway. The device is a Cisco CISCO7606-S with IOS c7600s72033-advipservicesk9-mz.122-33.SRB2.bin.

When I issue the command sh run int po20:

interface Port-channel20
 switchport
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport mode access
 flowcontrol receive on
 flowcontrol send on
end

sh int po20 | inc flow
input flow-control is off, output flow-control is off

Does that mean that the other device doesn't support flow control? Or do I need something else to enable flow control? Because I suffer from overruns on the port channel; is that the problem?

Thanks in advance
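The symptom in Jan Gregor's ASA question a few messages up (an L2L negotiation that lands on VPNClientMap instead of outside_map 1) comes down to which crypto map entry the responder selects. The following is an added example, not ASA code and not from the thread: a simplified model, stated as an assumption, in which entries are walked in sequence order, a static entry matches only when the initiating peer equals its `set peer` and the proposed proxy identities fit its `match address` ACL, and the first dynamic entry accepts any peer. The peer addresses and networks are constructed placeholders shaped like Jan's configuration.

```python
"""Simplified model of how an ASA picks a crypto map entry for an
inbound IPsec negotiation. Added example; not ASA code and not from the
thread. Peer and network values are constructed placeholders."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peer: Optional[str]        # None on a dynamic entry (any peer)
    local_nets: list[str]      # 'match address' ACL, local side (empty = any)
    remote_nets: list[str]     # 'match address' ACL, remote side (empty = any)
    dynamic: bool = False


# Constructed: same shape as Jan's config. Entries 1 and 2 are static L2L
# peers; 65535 is the dynamic map that remote-access clients land on.
CRYPTO_MAP = [
    CryptoMapEntry("outside_map", 1, "198.51.100.1", ["10.1.0.0/24"], ["10.2.0.0/24"]),
    CryptoMapEntry("outside_map", 2, "198.51.100.2", ["10.1.0.0/24"], ["10.3.0.0/24"]),
    CryptoMapEntry("VPNClientMap", 65535, None, [], [], dynamic=True),
]


def _covered(nets: list[str], proposed: str) -> bool:
    """True if the proposed proxy identity lies inside one of the ACL networks."""
    if not nets:                      # dynamic entries accept any identity
        return True
    want = ipaddress.ip_network(proposed, strict=False)
    return any(want.subnet_of(ipaddress.ip_network(n)) for n in nets)


def select_entry(peer_addr: str, proposed_local: str, proposed_remote: str,
                 entries: list[CryptoMapEntry] = CRYPTO_MAP) -> Optional[CryptoMapEntry]:
    """Model assumption: walk entries by sequence number; a static entry
    needs peer + proxy-identity match, the first dynamic entry takes
    whatever is left. None means nothing matched at all."""
    for e in sorted(entries, key=lambda x: x.seq):
        if e.dynamic:
            return e
        if (e.peer == peer_addr
                and _covered(e.local_nets, proposed_local)
                and _covered(e.remote_nets, proposed_remote)):
            return e
    return None


def explain(peer_addr: str, proposed_local: str, proposed_remote: str) -> str:
    """One-line verdict for a given initiator, in the spirit of 'show crypto ipsec sa'."""
    e = select_entry(peer_addr, proposed_local, proposed_remote)
    if e is None:
        return f"{peer_addr}: no crypto map entry matches"
    kind = "dynamic" if e.dynamic else "static"
    return f"{peer_addr}: {kind} entry {e.name} seq {e.seq}"


if __name__ == "__main__":
    # The expected L2L peer lands on the static entry...
    print(explain("198.51.100.1", "10.1.0.0/24", "10.2.0.0/24"))
    # ...but the same proxy identities from any other source address, or a
    # selector the ACL does not cover, fall through to the dynamic map, which
    # is what 'crypto-map: VPNClientMap' in the SA output points to.
    print(explain("203.0.113.7", "10.1.0.0/24", "10.2.0.0/24"))
    print(explain("198.51.100.1", "10.1.0.0/24", "10.9.0.0/24"))
```

The model makes the defensive point explicit: with a dynamic entry at the bottom of the map, any peer whose address or selectors do not line up with a static entry is quietly accepted under the remote-access policy, so both the peer address the remote side actually sources from and the exact networks in the crypto ACL are worth confirming before changing anything else.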
From howie at thingy.com Wed Nov 18 05:46:52 2009
From: howie at thingy.com (Howard Jones)
Date: Wed, 18 Nov 2009 10:46:52 +0000
Subject: [c-nsp] 32-bit ASN for 7200 G2?
Message-ID: <4B03D09C.6060800@thingy.com>

I'm researching IOS versions for upgrading our transit routers to support 32-bit ASNs, and it seems that I need to use basically the absolute latest 12.4T release (12.4.24T) to get that support. I can't get it in 12.2S or 12.4 mainline at all.

Is that really the case?

What does everyone else use on their G2/7201s? This is just for BGP internet peering connections and OSPF. Nothing at all fancy, I just don't like the bleeding edge :-)

Thanks,

Howie

From rwest at zyedge.com Wed Nov 18 07:04:02 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 18 Nov 2009 07:04:02 -0500
Subject: [c-nsp] ASA IPSec weirdness
In-Reply-To: <4B03CC3E.1080607@chronix.org>
References: <4B03CC3E.1080607@chronix.org>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E586338C@zy-ex1.zyedge.local>

Jan,

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jan Gregor
Sent: Wednesday, November 18, 2009 5:28 AM

Hello all,

recently I got an issue with an L2L IPSec tunnel on one of our ASA firewalls. The problem is that when the remote site initiates the connection, the ASA negotiates the association as though it is a VPN client (ipsec-ra is also configured on the same firewall).

Not working association (asa is responder):

Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
spi: 0xCD25D187 (3441807751)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2709, crypto-map: VPNClientMap

Working association (asa is initiator):

Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
spi: 0xF9214935 (4179708213)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2710, crypto-map: outside_map

ASA configuration looks like this:

crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto dynamic-map VPNClientMap 1 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap

----------------

Are you sure they are landing on your tunnel with the right address? The fact that it's hitting your dyn map makes me think they are coming from another address. Do you have control of the remote end, do you know what type of device it is? Can you enable some isakmp debugs to capture more traffic? As the responder, you'll be able to gather the most useful debug; you should be able to figure out what's going on with a debug cry isa 255.

-ryan

From lukasz at bromirski.net Wed Nov 18 07:11:03 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 18 Nov 2009 13:11:03 +0100
Subject: [c-nsp] 32-bit ASN for 7200 G2?
In-Reply-To: <4B03D09C.6060800@thingy.com>
References: <4B03D09C.6060800@thingy.com>
Message-ID: <4B03E457.6070802@bromirski.net>

On 2009-11-18 11:46, Howard Jones wrote:
> I'm researching IOS versions for upgrading our transit routers to
> support 32-bit ASNs, and it seems that I need to use basically the
> absolute latest 12.4T release (12.4.24T) to get that support. I can't
> get it in 12.2S or 12.4 mainline at all.

Yeah, the 12.4(24)T, rebuilds of it and the new 15.0M line. It will also appear in the 12.2SRE.

If you're afraid of following the edge, 4-byte ASN support is also present in the 12.0(33)S rebuilds.

--
"Everything will be okay in the end.   | Łukasz Bromirski
 If it's not okay, it's not the end."  | http://lukasz.bromirski.net

From bacon at walleyesoftware.com Wed Nov 18 07:29:47 2009
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Wed, 18 Nov 2009 06:29:47 -0600
Subject: [c-nsp] BGP primer recco
Message-ID: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net>

Hi folks -

Need to learn BGP. Cisco-focused ok. Looking for the right book to buy. Willing to buy 2-3 to get the right one.

I know the very fundamentals of BGP, and am conversant in most other IOS topics (route-maps and route redist, weights, IGPs). I can set up a basic neighbor and get IBGP vs EBGP, but need to understand community strings and weighting in BGP-world - used to an EIGRP/OSPF world primarily.

Goal is to know how to effectively multi-home our enterprise (3 offices, 4 ISPs, we have an assigned ASN and /24), including redirecting inet traffic between the sites over our private WAN links. Not looking to run a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest to multi-home. My needs are limited; also, it isn't just for the public internet, I also need to present multi-home over BGP to trading partners from our multiple sites over multiple links. I intend to keep the two routing domains separate tho.)

So essentially I need "BGP for non-dummies that is also a good reference book".

(Yes, I also have the mandatory on-call friend-who-does-this-for-a-living to pester, but he does it for a living for someone else, and I want him to remain a friend. :) )

Thanks,
-bacon

From pl+list at pmacct.net Wed Nov 18 07:00:56 2009
From: pl+list at pmacct.net (Paolo Lucente)
Date: Wed, 18 Nov 2009 12:00:56 +0000
Subject: [c-nsp] 32-bit ASN for 7200 G2?
In-Reply-To: <4B03D09C.6060800@thingy.com>
References: <4B03D09C.6060800@thingy.com>
Message-ID: <20091118120056.GA21017@moussaka.pmacct.net>

Hi,

You can wait a couple of weeks and get the feature on 12.2SRE. 32-bit ASN should be around on 12.0S images as well.
Cheers, Paolo On Wed, Nov 18, 2009 at 10:46:52AM +0000, Howard Jones wrote: > I'm researching IOS versions for upgrading our transit routers to > support 32-bit ASNs, and it seems that I need to use basically the > absolute latest 12.4T release (12.4.24T) to get that support. I can't > get it in 12.2S or 12.4 mainline at all. > > Is that really the case? > > What does everyone else use on their G2/7201s? This is just for BGP > internet peering connections and OSPF. Nothing at all fancy, I just > don't like the bleeding edge :-) > > Thanks, > > Howie From abalashov at evaristesys.com Wed Nov 18 07:38:48 2009 From: abalashov at evaristesys.com (Alex Balashov) Date: Wed, 18 Nov 2009 07:38:48 -0500 Subject: [c-nsp] BGP primer recco In-Reply-To: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net> References: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net> Message-ID: <4B03EAD8.8040506@evaristesys.com> I enjoyed the O'Reilly BGP book - has always served me well. Jeff Bacon wrote: > Hi folks - > > Need to learn BGP. Cisco-focused ok. Looking for the right book to buy. > Willing to buy 2-3 to get the right one. > > I know the very fundamentals of BGP, and conversant in most other IOS > topics (route-maps and route redist, weights, IGPs). I can set up a > basic neighbor and get IBGP vs EBGP, but need to understand community > strings and weighting in BGP-world - used to an EIGRP/OSPF world > primarily. > > Goal is to know how to effectively multi-home our enterprise (3 offices, > 4 ISPs, we have an assigned ASN and /24), including redirecting inet > traffic between the sites over our private WAN links. Not looking to run > a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest > to multi-home. My needs are limited; also, it isn't just for the public > internet, I also need to present multi-home over BGP to trading partners > from our multiple sites over multiple links. 
I intend to keep the two
> routing domains separate tho.)
>
> So essentially I need "BGP for non-dummies that is also a good reference
> book".
>
> (Yes, I also have the mandatory on-call
> friend-who-does-this-for-a-living to pester, but he does it for a living
> for someone else, and I want him to remain a friend. :) )
>
> Thanks,
> -bacon
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671

From rmikisa at gmail.com Wed Nov 18 07:40:06 2009
From: rmikisa at gmail.com (Mikisa Richard)
Date: Wed, 18 Nov 2009 15:40:06 +0300
Subject: [c-nsp] VPN traffic
In-Reply-To:
References:
Message-ID: <000601ca684c$46aff3e0$d40fdba0$@com>

Dear all,

In trying to troubleshoot VPN traffic on a Cisco ASA 5520, is it possible to debug the actual traffic in the tunnel. Scenario: Site to site tunnel comes up but either side cannot reach the remote nodes beyond the firewalls.

Regards,
Richard

From teklish76 at yahoo.com Wed Nov 18 08:03:12 2009
From: teklish76 at yahoo.com (teklay gebremichael)
Date: Wed, 18 Nov 2009 05:03:12 -0800 (PST)
Subject: [c-nsp] vlan across a routed link
Message-ID: <995578.89071.qm@web43135.mail.sp1.yahoo.com>

i work in a university which has three campuses. on each campus, there is one cisco 6509 switch as a core switch. all other switches (L2) are in vtp client except the core switches. the campuses are connected with a routed link. so, one campus, has 10.128.0.0/16 subnet and the others have a subnet of 10.129.0.0/16 and 10.130.0.0/16. rip v2 is used on the intercampus links to advertise individual vlans.

here is my problem.

i'm asked to create a vlan with a subnet id of 192.168.1.0/24. but computers in this vlan are located in the 10.128.0.0/16 campus and 10.130.0.0/16 campus. the link between the 10.128.0.0/16 and 10.130.0.0/16 is not trunk it is routed with ip address. so can anybody suggest to me how to implement such a scenario which allows one vlan (in this case 192.168.1.0/24) to be visible from the two campuses? i.e. to propagate that specific vlan across a routed link not a trunk link.

thanks

From rwest at zyedge.com Wed Nov 18 08:24:26 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 18 Nov 2009 08:24:26 -0500
Subject: [c-nsp] VPN traffic
In-Reply-To: <000601ca684c$46aff3e0$d40fdba0$@com>
References: <000601ca684c$46aff3e0$d40fdba0$@com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E5863390@zy-ex1.zyedge.local>

Hi,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Mikisa Richard
> Sent: Wednesday, November 18, 2009 7:40 AM
>
> Dear all,
>
> In trying to troubleshoot VPN traffic on a Cisco ASA 5520, is it
> possible to
> debug the actual traffic in the tunnel. Scenario: Site to site tunnel
> comes
> up but either side cannot reach the remote nodes beyond the firewalls.
>

Can you describe your scenario in a little more detail? Is the firewall inline with all traffic? If it's not, you're probably hitting a routing issue. With just informational level buffer logging, you should be able to see why the traffic might be failing. If you want to process the traffic through your ACLs and watch for hits there, you can disable sysopt permit-vpn.

-ryan

From B.Anszperger at aster.pl Wed Nov 18 07:51:30 2009
From: B.Anszperger at aster.pl (Bartlomiej Anszperger)
Date: Wed, 18 Nov 2009 13:51:30 +0100
Subject: [c-nsp] 32-bit ASN for 7200 G2?
In-Reply-To: <4B03E457.6070802@bromirski.net>
References: <4B03D09C.6060800@thingy.com> <4B03E457.6070802@bromirski.net>
Message-ID: <4B03EDD2.5090308@aster.pl>

Łukasz Bromirski writes:
> If you're afraid of following the edge, 4-byte ASN support is also
> present in the 12.0(33)S rebuilds.

And from 12.0(32)SY8 onwards, please refer to
http://www.cisco.com/en/US/docs/ios/12_0/12_0sy/release/notes/120SYrn.html#wp2884958

Best regards
--
Bartek

From olof.kasselstrand at gmail.com Wed Nov 18 08:32:21 2009
From: olof.kasselstrand at gmail.com (Olof Kasselstrand)
Date: Wed, 18 Nov 2009 14:32:21 +0100
Subject: [c-nsp] BGP Community Problem (I think)
In-Reply-To: <4422cf660911172305u22fffd33lfa3b5044dc1e7e08@mail.gmail.com>
References: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad> <4422cf660911172305u22fffd33lfa3b5044dc1e7e08@mail.gmail.com>
Message-ID:

Hi,

Are you using soft-reconfigure on the routers? That will cause this kind of behavior.

// Olof

On Wed, Nov 18, 2009 at 8:05 AM, Ben Steele wrote:
> As Hobbs mentioned do a "sh ip bgp neighbor " and look for
> the prefix activity part which will tell you about prefixes that didn't get
> sent to that peer for various reasons.
>
> Have you looked at the communities attached to the prefixes you have learnt
> from your other peer that you aren't advertising?, do they have either
> no-advertise/no-export/local-as etc. on them? is the peer you're receiving the
> feed from iBGP or eBGP? and is the peer you're sending them to iBGP or eBGP?
>
>
> On Wed, Nov 18, 2009 at 5:40 PM, Skeeve Stevens wrote:
>
>> But, the router isn't even sending them to the next router... between
>> tagging them and re-sending them, they just aren't there.... so I would
>> assume the neighbour they are being sent to is nothing to do with it?
>>
>> ...Skeeve
>>
>> --
>> Skeeve Stevens, CEO/Technical Director
>> eintellego Pty Ltd - The Networking Specialists
>> skeeve at eintellego.net / www.eintellego.net
>> Phone: 1300 753 383, Fax: (+612) 8572 9954
>> Cell +61 (0)414 753 383 / skype://skeeve
>> www.linkedin.com/in/skeeve ; facebook.com/eintellego
>> --
>> NOC, NOC, who's there?
>>
>>
>> >
>> > Not sure off-hand, but you can do show ip bgp neighbor and far down in
>> > the
>> > output you will see a section showing stats about why prefixes were
>> > dropped
>> > (route-map, dist-list, etc). What does it say?
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From braaen at zcorum.com Wed Nov 18 09:02:49 2009
From: braaen at zcorum.com (Brian Raaen)
Date: Wed, 18 Nov 2009 09:02:49 -0500
Subject: [c-nsp] snmpwalk for switch port status
In-Reply-To: <4B030BB2.8090801@gmail.com>
References: <4B030BB2.8090801@gmail.com>
Message-ID: <200911180902.49735.braaen@zcorum.com>

try this, written for Debian Linux so may or may not need modification to run on your system.

#!/bin/bash
community=
host=
group=
list=
output=

if [ "$#" == "0" ]
then
    echo "$0: No Arguments.... please put at least a host" >&2
    echo "Usage: $0 [-c community_string] [-l list_of_snmp_indexes_file] [-o file_to_output_to] hostname" >&2
    exit 1
fi

while getopts :c:l:o:h opt
do
    case $opt in
        c) community="$OPTARG" ;;
        l) list="$OPTARG" ;;
        o) output="$OPTARG" ;;
        h) echo "Usage: $0 [-c community_string] [-g nagios_contact_group] [-l list_of_snmp_indexes_file] [-o file_to_output_to] hostname" >&2
           exit 0 ;;
        '?') echo "$0: invalid option -$OPTARG" >&2
             echo "Usage: $0 [-c community_string] [-g nagios_contact_group] [-l list_of_snmp_indexes_file] [-o file_to_output_to] hostname" >&2
             exit 1 ;;
    esac
done
shift $((OPTIND - 1))
host="$1"

# fall back to the "public" community if none was given on the command line
if [ -z "$community" ]
then
    community="public"
fi

# either read the interface indexes from a file, or walk ifName (IF-MIB) and
# keep only the numeric index, skipping Null0, T1, Loopback and virtual interfaces
if [ -n "$list" ]
then
    list=`cat "$list"`
else
    list=`snmpwalk -v 2c -c "$community" -Oe "$host" 1.3.6.1.2.1.31.1.1.1.1 | egrep -v "( STRING: Nu0| STRING: T1 | STRING: Lo| STRING: LI| = STRING: Vi| = STRING: Vt)" | sed 's/.*\.\([0-9]*\) = STRING:.*/\1/'`
fi

# for every index fetch ifDescr, ifAlias, ifAdminStatus and ifOperStatus
# and print them tab-separated (to the output file if -o was given)
for i in $list
do
    index=$i
    type=`snmpget -v 2c -c "$community" -Oev "$host" 1.3.6.1.2.1.2.2.1.2.$index | sed 's/^STRING: //'`
    description=`snmpget -v 2c -c "$community" -Oev "$host" 1.3.6.1.2.1.31.1.1.1.18.$index | sed 's/^STRING: //'`
    status=`snmpget -v 2c -c "$community" -Ov "$host" .1.3.6.1.2.1.2.2.1.7.$index | sed 's/^INTEGER: \(.*\)(.)/\1/'`
    protocol=`snmpget -v 2c -c "$community" -Ov "$host" .1.3.6.1.2.1.2.2.1.8.$index | sed 's/^INTEGER: \(.*\)(.)/\1/'`
    if [ -n "$output" ]
    then
        echo -e "$type\t$status\t$protocol\t$description" >>"$output"
    else
        echo -e "$type\t$status\t$protocol\t$description"
    fi
done

--
----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com

On Tuesday 17 November 2009, sky vader wrote:
> Hi,
>
> Can anyone point me in right direction for a perl script that will
> snmpwalk the MIB for switch port status whether "up" or "down" including
> total number of ports available?
>
> I have approximately 400 switches that I would like to query via script
> and pipe the results to a file for every device.
>
> I'm currently querying it manually (see below) which is not scaling :-)
>
> $ snmpwalk -c > interfaces.ifTable.ifEntry.ifOperStatus | grep down
>
>
> Any pointers will be greatly appreciated.
>
>
> regards
> sky
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From p.mayers at imperial.ac.uk Wed Nov 18 09:25:38 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 18 Nov 2009 14:25:38 +0000
Subject: [c-nsp] vlan across a routed link
In-Reply-To: <995578.89071.qm@web43135.mail.sp1.yahoo.com>
References: <995578.89071.qm@web43135.mail.sp1.yahoo.com>
Message-ID: <4B0403E2.8030204@imperial.ac.uk>

teklay gebremichael wrote:
> i work in a university which has three campuses. on each campus,
> there is one cisco 6509 switch as a core switch. all other switches
> (L2) are in vtp client except the core switches. the campuses are
> connected with a routed link. so, one campus, has 10.128.0.0/16
> subnet and the others have a subnet of 10.129.0.0/16 and
> 10.130.0.0/16. rip v2 is used on the intercampus links to advertise
> individual vlans.
>
> here is my problem.
>
> i'm asked to create a vlan with a subnet id of 192.168.1.0/24. but
> computers in this vlan are located in the 10.128.0.0/16 campus and
> 10.130.0.0/16 campus. the link between the 10.128.0.0/16 and
> 10.130.0.0/16 is not trunk it is routed with ip address. so can
> anybody suggest to me how to implement such a scenario which allows one vlan
> (in this case 192.168.1.0/24) to be visible from the two campuses?
> i.e. to propagate that specific vlan across a routed link not a trunk
> link. thanks

You will need to convert the link from routed to switchport.
That is, transform this:

interface Gi1/1
 ip address a.b.c.d

...to:

interface Gi1/1
 switchport
 switchport mode trunk
 switchport trunk native vlan 4000
 switchport trunk allowed vlan yourvlan,4000

int Vlan4000
 ip address a.b.c.d

From eric.hoelzle at gmail.com Wed Nov 18 09:25:57 2009
From: eric.hoelzle at gmail.com (Eric Hoelzle)
Date: Wed, 18 Nov 2009 09:25:57 -0500
Subject: [c-nsp] snmpwalk for switch port status
In-Reply-To: <200911180902.49735.braaen@zcorum.com>
References: <4B030BB2.8090801@gmail.com> <200911180902.49735.braaen@zcorum.com>
Message-ID: <3c92c0cf0911180625yb84326ch45ac409a2e6c0776@mail.gmail.com>

Here's a version in perl that runs on windows or *nix. Net::SNMP required. I have an older version using net::snmp::info that reads more cleanly, but had trouble getting that module to work under ActiveState perl at my current job.

-- Eric

--------[ begin paste ]-----
use Net::SNMP;

$ARGC = $#ARGV + 1;
if ($ARGC != 2) {
    die "\nUsage: deadports.pl hostname num_days\n\n";
}
$pulldays  = $ARGV[1];
$hostname  = $ARGV[0];
$community = 'CHANGEME';
print "Unused Port report on $hostname for $pulldays days.";

## set up SNMP session (translation off, so TimeTicks come back as raw integers)
my ($session, $error) = Net::SNMP->session(
    -version   => 'snmpv2c',
    -translate => 0,
    -hostname  => $hostname,
    -community => $community,
    -port      => 161
);
if (!defined($session)) {
    printf("ERROR: %s.\n", $error);
    exit 1;
}

## OIDs
my $sysUpTime         = '1.3.6.1.2.1.1.3.0';
my $sysName           = '1.3.6.1.2.1.1.5.0';
my $oid_ifTable       = '1.3.6.1.2.1.2.2';
my $oid_ifIndex       = '1.3.6.1.2.1.2.2.1.1';
my $oid_ifdescr       = '1.3.6.1.2.1.2.2.1.2.';
my $oid_ifoperstatus  = '1.3.6.1.2.1.2.2.1.8.';
my $oid_iflastchange  = '1.3.6.1.2.1.2.2.1.9.';
my $oid_ifadminstatus = '1.3.6.1.2.1.2.2.1.7.';

## Counters
$tot_ports  = 0;
$pull_ports = 0;

##
# these subs go gather the basic data.
# get_sysuptime has a print at the end as well.
##
&get_sysuptime;

## can't run a report for more days than we have uptime
## (sysUpTime is in hundredths of a second: 8640000 ticks per day)
if (($uptime/8640000) < $pulldays) {
    print "Sorry, the Device hasn't been up $pulldays days yet.\n\n";
    exit 0;
}
&get_ifindex;

##
# for each interface returned by get_ifindex, gather detail data
# and print out the status if it's a candidate to be pulled
##
foreach $ifindex (@ifindexes) {
    @args = ($oid_ifdescr . $ifindex, $oid_ifoperstatus . $ifindex,
             $oid_ifadminstatus . $ifindex, $oid_iflastchange . $ifindex);
    #print "@args\n";
    my $result = $session->get_request( -varbindlist => \@args );
    if (!defined($result)) {
        printf("ERROR: %s.\n", $session->error);
        next;
    }
    my $desc        = $result->{$oid_ifdescr . $ifindex};
    my $operstatus  = $result->{$oid_ifoperstatus . $ifindex};
    my $lastchange  = $result->{$oid_iflastchange . $ifindex};
    my $adminstatus = $result->{$oid_ifadminstatus . $ifindex};
    my $status_time_days = ($uptime - $lastchange) / 8640000;
    $tot_ports++;

    ## die if we see a negative number: ifLastChange and sysUpTime are 32-bit
    ## TimeTicks, so once sysUpTime has wrapped the subtraction is meaningless.
    ## (checked for every interface, not only for pull candidates, otherwise
    ## the wrap would never be noticed)
    if ($status_time_days < 0) {
        die "\nUh-oh...Looks like we've actually been up more than 498 days.\nThat rocks, but is unfortunate for our purposes.\nReboot this gear and try again later.\n";
    }

    ## are we a pull candidate? if ifoperstatus 2 == down we are
    if ($operstatus == '2' && $status_time_days >= $pulldays) {
        $pull_ports++;
        $rounded_days = sprintf("%.2f", $status_time_days);
        if ($adminstatus == '1') {
            print "$desc has been down for $rounded_days days \n";
        }
        if ($adminstatus == '2') {
            print "$desc is ADMINDOWN and has been down for $rounded_days days \n";
        }
    }
}

## done. go home.
print "\nTotal interfaces found: $tot_ports\nPorts Unused for the last $pulldays Days: $pull_ports";
$session->close;
exit 0;

##
# subs below here
##
sub get_ifindex {
    my $tbl_ifIndex = $session->get_table( -baseoid => $oid_ifIndex );
    if (!defined($tbl_ifIndex)) {
        printf("ERROR: %s.\n", $session->error);
        $session->close;
        exit 1;
    }
    foreach $key (keys %$tbl_ifIndex) {
        #print "$key => $$tbl_ifIndex{$key}\n";
        push (@ifindexes, $$tbl_ifIndex{$key});
    }
    ## numeric sort, so index 10 sorts after 9 rather than after 1
    @ifindexes = sort { $a <=> $b } @ifindexes;
}

sub get_sysuptime {
    my $result = $session->get_request( -varbindlist => [$sysUpTime] );
    if (!defined($result)) {
        printf("ERROR: %s.\n", $session->error);
        $session->close;
        exit 1;
    }
    $uptime = $result->{$sysUpTime};
    $result = $session->get_request( -varbindlist => [$sysName] );
    $sysname = $result->{$sysName};
    printf("\nDevice '%s' has been up for %.2f days\n\n", $sysname, $uptime/8640000 );
}
------[ end paste ]----

From deadheadblues at gmail.com Wed Nov 18 09:33:51 2009
From: deadheadblues at gmail.com (Hobbs)
Date: Wed, 18 Nov 2009 07:33:51 -0700
Subject: [c-nsp] BGP Community Problem (I think)
In-Reply-To: <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad>
References: <292AF25E62B8894C921B893B53A19D973957E7FBC6@BUSINESSEX.business.ad> <6de7e5460911172052u4016161es4423b7bfaf3fcb5d@mail.gmail.com> <292AF25E62B8894C921B893B53A19D973957E7FBF3@BUSINESSEX.business.ad>
Message-ID: <6de7e5460911180633j458fd754u317d5a1dd5ab4b99@mail.gmail.com>

On Tue, Nov 17, 2009 at 11:40 PM, Skeeve Stevens wrote:
> But, the router isn't even sending them to the next router... between
> tagging them and re-sending them, they just aren't there.... so I would
> assume the neighbour they are being sent to is nothing to do with it?
> > Between tagging them and re-sending them is exactly where this command can be useful :) From oboehmer at cisco.com Wed Nov 18 09:39:42 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 18 Nov 2009 15:39:42 +0100 Subject: [c-nsp] vlan across a routed link In-Reply-To: <4B0403E2.8030204@imperial.ac.uk> References: <995578.89071.qm@web43135.mail.sp1.yahoo.com> <4B0403E2.8030204@imperial.ac.uk> Message-ID: <6E4D2678AC543844917CA081C9D6B33FB31F9C@XMB-AMS-103.cisco.com> > teklay gebremichael wrote: > > i work in a university which has three campuses. on each campuse, > > there is one cisco 6509 switch as a core switch. all other switches > > (L2) are in vtp client except the core switches. the campuses are > > connected with a routed link. so, one campuse, has 10.128.0.0/16 > > subnet and the others have a subnet of 10.129.0.0/16 and > > 10.130.0.0/16. rip v2 is used on the intercampuse links to advertise > > individaul vlans. > > > > here is my problem. > > > > i'm asked to create a vlan with a subnet id of 192.168.1.0/24. but > > computers in this vlan are located in the 10.128.0.0/16 campuse and > > 10.130.0.0/16 campuse.the link between the 10.128.0.0/16 and > > 10.130.0.0/16 is not trunk it is routed with ip address. so can any > > body suggest me how to implement such senario which allows one vlan > > (in this case 192.168.1.0/24) to be visible from the two campuses? > > i.e to propage that specific valn across a routed link not a trunk > > link. thanks > > You will need to convert the link from routed to switchport. That is, > transform this: right, but think about the implications before doing so. You will extend your spanning tree domain over all the different sites, so this just asks for disaster to happen. And don't mention "hey, I only do this for a single Vlan". Once you start offering this "service", users will ask for it, and you end up doing this for many. 
Please consider technologies for this where you don't need to extend spanning tree. for example L2VPN (EoMPLS, VPLS), or loop-free topologies using VSS where you can disable STP between campuses.. oli From eric at roxanne.org Wed Nov 18 08:49:14 2009 From: eric at roxanne.org (Eric Gauthier) Date: Wed, 18 Nov 2009 08:49:14 -0500 Subject: [c-nsp] BGP primer recco In-Reply-To: <4B03EAD8.8040506@evaristesys.com> References: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net> <4B03EAD8.8040506@evaristesys.com> Message-ID: <20091118134914.GA30806@roxanne.org> "Internet Routing Architectures" by Halabi. Eric :) > I enjoyed the O'Reilly BGP book - has always served me well. > > Jeff Bacon wrote: > > >Hi folks - > > > >Need to learn BGP. Cisco-focused ok. Looking for the right book to buy. > >Willing to buy 2-3 to get the right one. > > > >I know the very fundamentals of BGP, and conversant in most other IOS > >topics (route-maps and route redist, weights, IGPs). I can set up a > >basic neighbor and get IBGP vs EBGP, but need to understand community > >strings and weighting in BGP-world - used to an EIGRP/OSPF world > >primarily. > > > >Goal is to know how to effectively multi-home our enterprise (3 offices, > >4 ISPs, we have an assigned ASN and /24), including redirecting inet > >traffic between the sites over our private WAN links. Not looking to run > >a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest > >to multi-home. My needs are limited; also, it isn't just for the public > >internet, I also need to present multi-home over BGP to trading partners > >from our multiple sites over multiple links. I intend to keep the two > >routing domains separate tho.) > > > >So essentially I need "BGP for non-dummies that is also a good reference > >book". > > > >(Yes, I also have the mandatory on-call > >friend-who-does-this-for-a-living to pester, but he does it for a living > >for someone else, and I want him to remain a friend. 
:) )
> >
> >Thanks,
> >-bacon
> >
> >_______________________________________________
> >cisco-nsp mailing list cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> --
> Alex Balashov - Principal
> Evariste Systems
> Web : http://www.evaristesys.com/
> Tel : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From masood at nexlinx.net.pk Wed Nov 18 10:10:22 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Wed, 18 Nov 2009 20:10:22 +0500 (PKT)
Subject: [c-nsp] vlan across a routed link
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FB31F9C@XMB-AMS-103.cisco.com>
References: <995578.89071.qm@web43135.mail.sp1.yahoo.com> <4B0403E2.8030204@imperial.ac.uk> <6E4D2678AC543844917CA081C9D6B33FB31F9C@XMB-AMS-103.cisco.com>
Message-ID: <39149.196.46.241.57.1258557022.squirrel@nexmail1.nexlinx.net.pk>

what's wrong in extending your spanning-tree domain, as long as numbers of nodes are not too many? People are using trunk links between different sites across the world in an enterprise environment, and this is for what you use a trunk link. I would prefer the usage of trunk links and routed VLAN interfaces over EoMPLS and VPLS. (keeping in mind the throughput issues on EoMPLS, mtu problems and overall network complexity)

Regards,
Masood

>> teklay gebremichael wrote:
>> > i work in a university which has three campuses. on each campus,
>> > there is one cisco 6509 switch as a core switch. all other switches
>> > (L2) are in vtp client except the core switches. the campuses are
>> > connected with a routed link. so, one campus, has 10.128.0.0/16
>> > subnet and the others have a subnet of 10.129.0.0/16 and
>> > 10.130.0.0/16.
rip v2 is used on the intercampuse links to advertise >> > individaul vlans. >> > >> > here is my problem. >> > >> > i'm asked to create a vlan with a subnet id of 192.168.1.0/24. but >> > computers in this vlan are located in the 10.128.0.0/16 campuse and >> > 10.130.0.0/16 campuse.the link between the 10.128.0.0/16 and >> > 10.130.0.0/16 is not trunk it is routed with ip address. so can any >> > body suggest me how to implement such senario which allows one vlan >> > (in this case 192.168.1.0/24) to be visible from the two campuses? >> > i.e to propage that specific valn across a routed link not a trunk >> > link. thanks >> >> You will need to convert the link from routed to switchport. That is, >> transform this: > > right, but think about the implications before doing so. You will extend > your spanning tree domain over all the different sites, so this just > asks for disaster to happen. And don't mention "hey, I only do this for > a single Vlan". Once you start offering this "service", users will ask > for it, and you end up doing this for many. > > Please consider technologies for this where you don't need to extend > spanning tree. for example L2VPN (EoMPLS, VPLS), or loop-free topologies > using VSS where you can disable STP between campuses.. 
> > oli > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From MatlockK at exempla.org Wed Nov 18 10:20:04 2009 From: MatlockK at exempla.org (Matlock, Kenneth L) Date: Wed, 18 Nov 2009 08:20:04 -0700 Subject: [c-nsp] snmpwalk for switch port status In-Reply-To: <3c92c0cf0911180625yb84326ch45ac409a2e6c0776@mail.gmail.com> References: <4B030BB2.8090801@gmail.com> <200911180902.49735.braaen@zcorum.com> <3c92c0cf0911180625yb84326ch45ac409a2e6c0776@mail.gmail.com> Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3C4A@LMC-MAIL2.exempla.org> Seeing this script reminded me of a pet peeve I have with Cisco. Why oh why did they use a 32-bit int for the uptime of the switch and port, and use 1/100th second resolution, so after 497 days the counter rolls over back to 0? Was a 64 bit int (or 1/10 a second resolution) not good enough? :) The chassis knows the real uptime (a 'show ver' shows it), why not expose that value to SNMP, and the same for the port last changed state? Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlockk at exempla.org -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Hoelzle Sent: Wednesday, November 18, 2009 7:26 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] snmpwalk for switch port status Here's a version in perl that runs on windows or *nix. Net::SNMP required. I have an older version using net::snmp::info that reads more cleanly, but had trouble getting that module to work under ActiveState perl at my current job. 
-- Eric

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From p.mayers at imperial.ac.uk Wed Nov 18 10:36:25 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 18 Nov 2009 15:36:25 +0000
Subject: [c-nsp] vlan across a routed link
In-Reply-To: <39149.196.46.241.57.1258557022.squirrel@nexmail1.nexlinx.net.pk>
References: <995578.89071.qm@web43135.mail.sp1.yahoo.com> <4B0403E2.8030204@imperial.ac.uk>
<6E4D2678AC543844917CA081C9D6B33FB31F9C@XMB-AMS-103.cisco.com> <39149.196.46.241.57.1258557022.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <4B041479.2090706@imperial.ac.uk>

masood at nexlinx.net.pk wrote:
> what's wrong in extending your spanning-tree domain, as long as numbers of
> nodes are not too many? People are using trunk links between different
> sites across the world in an enterprise environment, and this is for what
> you use a trunk link. I would prefer the usage of trunk links and routed
> VLAN interfaces over EoMPLS and VPLS. (keeping in mind the throughput
> issues on EoMPLS, mtu problems and overall network complexity)

Well, I think it depends on your existing setup and requirements. The original poster states that they currently have *no* vlans between sites; therefore any move to do this is a new service, with all the learning experiences and issues associated. The OP also says they're using VTP.

I agree with Oli: It makes sense to avoid this if possible. But it's a matter of personal opinion.

From howie at thingy.com Wed Nov 18 10:41:42 2009
From: howie at thingy.com (Howard Jones)
Date: Wed, 18 Nov 2009 15:41:42 +0000
Subject: [c-nsp] snmpwalk for switch port status
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3C4A@LMC-MAIL2.exempla.org>
References: <4B030BB2.8090801@gmail.com> <200911180902.49735.braaen@zcorum.com> <3c92c0cf0911180625yb84326ch45ac409a2e6c0776@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3C4A@LMC-MAIL2.exempla.org>
Message-ID: <4B0415B6.1050108@thingy.com>

Matlock, Kenneth L wrote:
> Seeing this script reminded me of a pet peeve I have with Cisco. Why oh
> why did they use a 32-bit int for the uptime of the switch and port, and
> use 1/100th second resolution, so after 497 days the counter rolls over
> back to 0? Was a 64 bit int (or 1/10 a second resolution) not good
> enough?
:)
>
> The chassis knows the real uptime (a 'show ver' shows it), why not
> expose that value to SNMP, and the same for the port last changed state?
>

Because then it would not be following RFC 1907/3418, which specify it's a 32-bit int. It's not Cisco's fault (leaving aside that they are one of the authors of RFC 1907 :-) ). You wouldn't want Cisco to not follow standards, would you? ;-)

From dudepron at gmail.com Wed Nov 18 10:44:30 2009
From: dudepron at gmail.com (Aaron)
Date: Wed, 18 Nov 2009 10:44:30 -0500
Subject: [c-nsp] BGP primer recco
In-Reply-To: <20091118134914.GA30806@roxanne.org>
References: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net> <4B03EAD8.8040506@evaristesys.com> <20091118134914.GA30806@roxanne.org>
Message-ID: <480dad640911180744r1d6e6c9cm656395b095cd81a5@mail.gmail.com>

BGP4 Inter-Domain Routing in the Internet by John W. Stewart

Is a short read.

Aaron

On Wed, Nov 18, 2009 at 08:49, Eric Gauthier wrote:
>
> "Internet Routing Architectures" by Halabi.
>
> Eric :)
>
> > I enjoyed the O'Reilly BGP book - has always served me well.
> >
> > Jeff Bacon wrote:
> >
> > >Hi folks -
> > >
> > >Need to learn BGP. Cisco-focused ok. Looking for the right book to buy.
> > >Willing to buy 2-3 to get the right one.
> > >
> > >I know the very fundamentals of BGP, and conversant in most other IOS
> > >topics (route-maps and route redist, weights, IGPs). I can set up a
> > >basic neighbor and get IBGP vs EBGP, but need to understand community
> > >strings and weighting in BGP-world - used to an EIGRP/OSPF world
> > >primarily.
> > >
> > >Goal is to know how to effectively multi-home our enterprise (3 offices,
> > >4 ISPs, we have an assigned ASN and /24), including redirecting inet
> > >traffic between the sites over our private WAN links. Not looking to run
> > >a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest
> > >to multi-home.
My needs are limited; also, it isn't just for the public > > >internet, I also need to present multi-home over BGP to trading partners > > >from our multiple sites over multiple links. I intend to keep the two > > >routing domains separate tho.) > > > > > >So essentially I need "BGP for non-dummies that is also a good reference > > >book". > > > > > >(Yes, I also have the mandatory on-call > > >friend-who-does-this-for-a-living to pester, but he does it for a living > > >for someone else, and I want him to remain a friend. :) ) > > > > > >Thanks, > > >-bacon > > > > > >_______________________________________________ > > >cisco-nsp mailing list cisco-nsp at puck.nether.net > > >https://puck.nether.net/mailman/listinfo/cisco-nsp > > >archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > -- > > Alex Balashov - Principal > > Evariste Systems > > Web : http://www.evaristesys.com/ > > Tel : (+1) (678) 954-0670 > > Direct : (+1) (678) 954-0671 > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From MatlockK at exempla.org Wed Nov 18 10:53:14 2009 From: MatlockK at exempla.org (Matlock, Kenneth L) Date: Wed, 18 Nov 2009 08:53:14 -0700 Subject: [c-nsp] snmpwalk for switch port status In-Reply-To: <4B0415B6.1050108@thingy.com> References: <4B030BB2.8090801@gmail.com> <200911180902.49735.braaen@zcorum.com> <3c92c0cf0911180625yb84326ch45ac409a2e6c0776@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3C4A@LMC-MAIL2.exempla.org> <4B0415B6.1050108@thingy.com> Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3C4D@LMC-MAIL2.exempla.org> Well, what I meant.. 
:) They COULD expose a NEW OID for those values :) I agree that their hands are tied as far as the RFC, but that doesn't preclude a new OID tree. Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlockk at exempla.org -----Original Message----- From: Howard Jones [mailto:howie at thingy.com] Sent: Wednesday, November 18, 2009 8:42 AM To: Matlock, Kenneth L Cc: Eric Hoelzle; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] snmpwalk for switch port status Matlock, Kenneth L wrote: > Seeing this script reminded me of a pet peeve I have with Cisco. Why oh > why did they use a 32-bit int for the uptime of the switch and port, and > use 1/100th second resolution, so after 497 days the counter rolls over > back to 0? Was a 64 bit int (or 1/10 a second resolution) not good > enough? :) > > The chassis knows the real uptime (a 'show ver' shows it), why not > expose that value to SNMP, and the same for the port last changed state? > Because then it would not be following RFC 1907/3418, which specify it's a 32-bit int. It's not Cisco's fault (leaving aside that they are one of the authors of RFC 1907 :-) ). You wouldn't want Cisco to not follow standards, would you? ;-) From eric.hoelzle at gmail.com Wed Nov 18 11:04:12 2009 From: eric.hoelzle at gmail.com (Eric Hoelzle) Date: Wed, 18 Nov 2009 11:04:12 -0500 Subject: [c-nsp] snmpwalk for switch port status In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3C4D@LMC-MAIL2.exempla.org> References: <4B030BB2.8090801@gmail.com> <200911180902.49735.braaen@zcorum.com> <3c92c0cf0911180625yb84326ch45ac409a2e6c0776@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3C4A@LMC-MAIL2.exempla.org> <4B0415B6.1050108@thingy.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3C4D@LMC-MAIL2.exempla.org> Message-ID: <3c92c0cf0911180804h306f1da4qa9a2cce727cb0cac@mail.gmail.com> If you have CLI access as well, you can get the box uptime that way and do some math. In my world, 500 days uptime is an exception so a reboot is acceptable. 
Scripts like this are usually for access layer capacity planning or cleanup. -- Eric On Wed, Nov 18, 2009 at 10:53 AM, Matlock, Kenneth L wrote: > Well, what I meant.. :) > > They COULD expose a NEW OID for those values :) > > I agree that their hands are tied as far as the RFC, but that doesn't > preclude a new OID tree. > > Ken Matlock > Network Analyst > Exempla Healthcare > (303) 467-4671 > matlockk at exempla.org > > > > -----Original Message----- > From: Howard Jones [mailto:howie at thingy.com] > Sent: Wednesday, November 18, 2009 8:42 AM > To: Matlock, Kenneth L > Cc: Eric Hoelzle; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] snmpwalk for switch port status > > Matlock, Kenneth L wrote: >> Seeing this script reminded me of a pet peeve I have with Cisco. Why > oh >> why did they use a 32-bit int for the uptime of the switch and port, > and >> use 1/100th second resolution, so after 497 days the counter rolls > over >> back to 0? Was a 64 bit int (or 1/10 a second resolution) not good >> enough? :) >> >> The chassis knows the real uptime (a 'show ver' shows it), why not >> expose that value to SNMP, and the same for the port last changed > state? >> > Because then it would not be following RFC 1907/3418, which specify it's > a 32-bit int. It's not Cisco's fault (leaving aside that they are one of > the authors of RFC 1907 :-) ). You wouldn't want Cisco to not follow > standards, would you? 
;-) > From MatlockK at exempla.org Wed Nov 18 11:18:03 2009 From: MatlockK at exempla.org (Matlock, Kenneth L) Date: Wed, 18 Nov 2009 09:18:03 -0700 Subject: [c-nsp] snmpwalk for switch port status In-Reply-To: <3c92c0cf0911180804h306f1da4qa9a2cce727cb0cac@mail.gmail.com> References: <4B030BB2.8090801@gmail.com> <200911180902.49735.braaen@zcorum.com> <3c92c0cf0911180625yb84326ch45ac409a2e6c0776@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3C4A@LMC-MAIL2.exempla.org> <4B0415B6.1050108@thingy.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3C4D@LMC-MAIL2.exempla.org> <3c92c0cf0911180804h306f1da4qa9a2cce727cb0cac@mail.gmail.com> Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3C4E@LMC-MAIL2.exempla.org> And that's what I resorted to using (CLI access using expect, and then pipe it to another script to parse it) Unfortunately in my world, 500 days uptime is on the low side. We have multiple chassis that have been up and running (and stable) for 6+ years uptime now (and yes, we've mitigated the security issues on the code revisions we're running). I manage the network for 3 hospitals, and 30+ clinics, so as you can imagine getting a downtime to 'upgrade' the code is problematic (let alone the whole testing/validation process). It's a lot more complicated to parse the CLI output, instead of just getting a single value via SNMP. Doable? Yes. More work than necessary? Yes. :) Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlockk at exempla.org -----Original Message----- From: Eric Hoelzle [mailto:eric.hoelzle at gmail.com] Sent: Wednesday, November 18, 2009 9:04 AM To: Matlock, Kenneth L Cc: Howard Jones; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] snmpwalk for switch port status If you have CLI access as well, you can get the box uptime that way and do some math. In my world, 500 days uptime is an exception so a reboot is acceptable. Scripts like this are usually for access layer capacity planning or cleanup. 
-- Eric On Wed, Nov 18, 2009 at 10:53 AM, Matlock, Kenneth L wrote: > Well, what I meant.. :) > > They COULD expose a NEW OID for those values :) > > I agree that their hands are tied as far as the RFC, but that doesn't > preclude a new OID tree. > > Ken Matlock > Network Analyst > Exempla Healthcare > (303) 467-4671 > matlockk at exempla.org > > > > -----Original Message----- > From: Howard Jones [mailto:howie at thingy.com] > Sent: Wednesday, November 18, 2009 8:42 AM > To: Matlock, Kenneth L > Cc: Eric Hoelzle; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] snmpwalk for switch port status > > Matlock, Kenneth L wrote: >> Seeing this script reminded me of a pet peeve I have with Cisco. Why > oh >> why did they use a 32-bit int for the uptime of the switch and port, > and >> use 1/100th second resolution, so after 497 days the counter rolls > over >> back to 0? Was a 64 bit int (or 1/10 a second resolution) not good >> enough? :) >> >> The chassis knows the real uptime (a 'show ver' shows it), why not >> expose that value to SNMP, and the same for the port last changed > state? >> > Because then it would not be following RFC 1907/3418, which specify it's > a 32-bit int. It's not Cisco's fault (leaving aside that they are one of > the authors of RFC 1907 :-) ). You wouldn't want Cisco to not follow > standards, would you? ;-) > From William.Murphy at uth.tmc.edu Wed Nov 18 12:10:28 2009 From: William.Murphy at uth.tmc.edu (Murphy, William) Date: Wed, 18 Nov 2009 11:10:28 -0600 Subject: [c-nsp] SXI(3) code status? 
In-Reply-To: <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com> <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com>
Message-ID:

We have VSS running so would the same apply if I force switchover with VSS? Is it only "redundancy force-switchover" command or will failover for other cause yield same result?

Thanks...

Bill

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of andrew
Sent: Wednesday, November 18, 2009 4:29 AM
To: Chris Phillips
Cc: cisco-nsp at puck.nether.net; Jared Mauch
Subject: Re: [c-nsp] SXI(3) code status?

Breaks as in after forcing a sup switchover while on console subsequent SSH connections are refused, as it seems the private key is missing/unreadable.

This is logged:

Nov 18 10:16:08.211: SSH2 0: RSA_sign: private key not found
Nov 18 10:16:08.211: SSH2 0: signature creation failed, status -1

Clearing RSA keys and re-generating did not help.

Clear RSA keys, *reboot box*, and re-generate did fix.

On Wed, Nov 18, 2009 at 2:00 AM, Chris Phillips wrote:
> Define breaks. Breaks as in your ssh connection drops and you have to login
> again, or breaks as in your ssh connection drops and the ssh service doesn't
> restart?
>
> andrew wrote:
>>
>> Here is some BAD on SXI3 ...
>>
>> with redundant supervisor, SSH breaks upon supervisor switchover.
>>
>> -andrew
>>
>> On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater
>> wrote:
>>>
>>> The 6324 100 MM is supported but did not come online in SXI 1, 2, 2A. It
>>> did however work in SXI, which we are running now.
>>>
>>> The other flavors are not supported.
>>>
>>> Jeff
>>>
>>> On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote:
>>>
>>>> Release 12.2(33)SXH and later releases do not support the following
>>>> hardware:
>>>>
>>>> These Ethernet Switching Modules:
>>>>
>>>> WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ
>>>>
>>>> WS-X6248A-TEL 48-port 10/100TX RJ-21
>>>>
>>>> WS-X6248-RJ-45 48-port 10/100TX RJ-45
>>>>
>>>> WS-X6248-TEL 48-port 10/100TX RJ-21
>>>>
>>>> WS-X6324-100FX-SM 24-port 100FX Ethernet
>>>>
>>>> WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ
>>>>
>>>> WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45
>>>>
>>>> WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ
>>>>
>>>> Now, the caveat is that they did not actually remove the hardware
>>>> support for some of these until SXI1, so while the release notes say one
>>>> thing, the actual support varies.
>>>>
>>>> You will see something like this in 'show power':
>>>> 4    WS-X6248A-TEL       112.98  2.69     -     -     on    off (not
>>>> supported)
>>>> 8    WS-X6248-RJ-45      112.98  2.69     -     -     on    off (not
>>>> supported)
>>>>
>>>> It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I
>>>> can't recall if that was the case for SXI2/2a/or 1.
>>>>
>>>> - Jared
>>>>
>>>> On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote:
>>>>
>>>>> Jared,
>>>>>
>>>>> After quickly glancing at the release notes, I was unable to find
>>>>> anything about the removal of hardware support for the 63xx series cards.
>>>>> Do you have a URL or can you be more specific?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> Jared Mauch wrote:
>>>>>>
>>>>>> SXI3 has a number of bug fixes for our network, including one that
>>>>>> would cause the next-hop to be populated as 'drop' in hardware.
>>>>>> I strongly recommend using it over prior versions of SXI.
>>>>>> Due to the removal of hardware support we replaced the older 63xx/62xx
>>>>>> series cards.
>>>>>> - Jared
>>>>>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
>>>>>>>
>>>>>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
>>>>>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.
>>>>>>>
>>>>>>>
>>>>>>> Rubens
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> I have been running the SXI(3) on a test router with 100M MM 6324,
>>>>>>>> which it did not recognize in previous versions, and so far no complaints
>>>>>>>> but then again it's not in a real world yet.
>>>>>>>>
>>>>>>>>
>>>>>>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>>>>>>
>>>>>>>>
>>>>>>>> Jeff Fitzwater
>>>>>>>> OIT Network Systems
>>>>>>>> Princeton University
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>
>>>>>> _______________________________________________
>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>>
>>
>
> --
> Chris Phillips
> Director of Network Engineering & Peering Coordinator
> WBS Connect
> cphillips at wbsconnect.com
> (866) WBS-CONX
> (720) 259-8361 - direct
> (303) 968-4383 - mobile
> www.wbsconnect.com
>

--
-andrew
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From juuso.lehtinen at gmail.com Wed Nov 18 12:16:45 2009
From: juuso.lehtinen at gmail.com (Juuso Lehtinen)
Date: Wed, 18 Nov 2009 19:16:45 +0200
Subject: [c-nsp] BGP primer recco
In-Reply-To: <20091118134914.GA30806@roxanne.org>
References: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net> <4B03EAD8.8040506@evaristesys.com> <20091118134914.GA30806@roxanne.org>
Message-ID:

I second that. I also recommend Routing TCP/IP Volume 2 by Jeff Doyle and Jennifer DeHaven Caroll. Published by Cisco Press.

-Juuso

On Wed, Nov 18, 2009 at 3:49 PM, Eric Gauthier wrote:
>
> "Internet Routing Architectures" by Halabi.
>
> Eric :)
>
> > I enjoyed the O'Reilly BGP book - has always served me well.
> >
> > Jeff Bacon wrote:
> >
> > >Hi folks -
> > >
> > >Need to learn BGP. Cisco-focused ok. Looking for the right book to buy.
> > >Willing to buy 2-3 to get the right one.
> > >
> > >I know the very fundamentals of BGP, and conversant in most other IOS
> > >topics (route-maps and route redist, weights, IGPs). I can set up a
> > >basic neighbor and get IBGP vs EBGP, but need to understand community
> > >strings and weighting in BGP-world - used to an EIGRP/OSPF world
> > >primarily.
> > >
> > >Goal is to know how to effectively multi-home our enterprise (3 offices,
> > >4 ISPs, we have an assigned ASN and /24), including redirecting inet
> > >traffic between the sites over our private WAN links.
Not looking to run > > >a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest > > >to multi-home. My needs are limited; also, it isn't just for the public > > >internet, I also need to present multi-home over BGP to trading partners > > >from our multiple sites over multiple links. I intend to keep the two > > >routing domains separate tho.) > > > > > >So essentially I need "BGP for non-dummies that is also a good reference > > >book". > > > > > >(Yes, I also have the mandatory on-call > > >friend-who-does-this-for-a-living to pester, but he does it for a living > > >for someone else, and I want him to remain a friend. :) ) > > > > > >Thanks, > > >-bacon > > > > > >_______________________________________________ > > >cisco-nsp mailing list cisco-nsp at puck.nether.net > > >https://puck.nether.net/mailman/listinfo/cisco-nsp > > >archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > -- > > Alex Balashov - Principal > > Evariste Systems > > Web : http://www.evaristesys.com/ > > Tel : (+1) (678) 954-0670 > > Direct : (+1) (678) 954-0671 > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gsgranados at comcast.net Wed Nov 18 12:36:09 2009 From: gsgranados at comcast.net (Scott Granados) Date: Wed, 18 Nov 2009 09:36:09 -0800 Subject: [c-nsp] BGP primer recco References: <5A69C25361FED34F83ABF05F50475245072BC71B@wally.walleyetrading.net><4B03EAD8.8040506@evaristesys.com><20091118134914.GA30806@roxanne.org> Message-ID: <00c601ca6875$a5ddcf80$2408120a@am.thmulti.com> And of course, Routing and the Internet. 
----- Original Message ----- From: "Juuso Lehtinen" To: "Eric Gauthier" Cc: "Jeff Bacon" ; Sent: Wednesday, November 18, 2009 9:16 AM Subject: Re: [c-nsp] BGP primer recco >I second that. I also recommend Routing TCP/IP Volume 2 by Jeff Doyle and > Jennifer DeHaven Caroll. Published by Cisco Press. > > -Juuso > > On Wed, Nov 18, 2009 at 3:49 PM, Eric Gauthier wrote: > >> >> "Internet Routing Architectures" by Halabi. >> >> Eric :) >> >> > I enjoyed the O'Reilly BGP book - has always served me well. >> > >> > Jeff Bacon wrote: >> > >> > >Hi folks - >> > > >> > >Need to learn BGP. Cisco-focused ok. Looking for the right book to >> > >buy. >> > >Willing to buy 2-3 to get the right one. >> > > >> > >I know the very fundamentals of BGP, and conversant in most other IOS >> > >topics (route-maps and route redist, weights, IGPs). I can set up a >> > >basic neighbor and get IBGP vs EBGP, but need to understand community >> > >strings and weighting in BGP-world - used to an EIGRP/OSPF world >> > >primarily. >> > > >> > >Goal is to know how to effectively multi-home our enterprise (3 >> > >offices, >> > >4 ISPs, we have an assigned ASN and /24), including redirecting inet >> > >traffic between the sites over our private WAN links. Not looking to >> > >run >> > >a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest >> > >to multi-home. My needs are limited; also, it isn't just for the >> > >public >> > >internet, I also need to present multi-home over BGP to trading >> > >partners >> > >from our multiple sites over multiple links. I intend to keep the two >> > >routing domains separate tho.) >> > > >> > >So essentially I need "BGP for non-dummies that is also a good >> > >reference >> > >book". >> > > >> > >(Yes, I also have the mandatory on-call >> > >friend-who-does-this-for-a-living to pester, but he does it for a >> > >living >> > >for someone else, and I want him to remain a friend. 
:) )
>> > >
>> > >Thanks,
>> > >-bacon
>> > >
>> > >_______________________________________________
>> > >cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > >https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > >archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>> >
>> > --
>> > Alex Balashov - Principal
>> > Evariste Systems
>> > Web : http://www.evaristesys.com/
>> > Tel : (+1) (678) 954-0670
>> > Direct : (+1) (678) 954-0671
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From tmyoungjr at gmail.com Wed Nov 18 12:43:15 2009
From: tmyoungjr at gmail.com (Timothy Young)
Date: Wed, 18 Nov 2009 12:43:15 -0500
Subject: [c-nsp] Cisco 1721 NAT (possibly) debugging
Message-ID: <1dc345f80911180943k196b25aax733f03326c1d85f9@mail.gmail.com>

Here's my scenario as I understand it (I've inherited this w/ no option to ask the prior involved parties sadly).

We are a VOIP service provider. We have a commercial customer with a 1721 onsite. The 1721 was provided, configured and left onsite. We setup NAT, and enough QoS for the VOIP to play nice on their network (it's not huge by any means). We did not do any port forwarding or special configuration beyond again the bare essentials to get them functional.

Fast forward a few months. This same customer is attempting to demo some video teleconferencing via the same router / connection. What they claim happens is that when initiating a call from the inside out to a remote site, the video works fine. When initiating from the remote site into the office where this 1721 sits, a connection is never completed. Now, we did not forward any ports, but upon closer inspection of the 1721 it seems their consultant at some point has (we were not aware that they were given the credentials to the router, that has been rectified).

What I am looking for is a way to troubleshoot this, I am not a NAT person in the Cisco world, so where to begin debugging or the like is what I'm looking for. Below are the exact instructions from the vendor for required port forwarding and then what I think are the relevant config snippets (of note - the public IP in the port forwarding is the same for every line and most of the private side IPs are the same too - it's generally just for one device).

Any assistance would be greatly appreciated. I do have to go over their config with them on their device also just to verify they're using the right info.

thanks
tim

====
1.1. Forward port 1720 TCP to the private IP of the LifeSize system.
1.2. Forward TCP ports 60,000 and 60,001 to the private IP of the LifeSize system. If you have other services on these ports, you can forward any other 2 TCP ports in the 60,000 - 64,999 range.
1.3. Forward UDP ports 60,000 to 60,007 to the private IP of the LifeSize system. If you have other services on these ports, you can forward any other 8 UDP ports in the 60,000 - 64,999 range.
(NOTE: 2 TCP and 8 UDP is the minimum number of ports required for a single point-to-point H.323 video call.)
====

Cisco IOS Software, C1700 Software (C1700-IPBASEK9-M), Version 12.4(23), RELEASE SOFTWARE (fc1)
Cisco 1721 (MPC860P) processor (revision 0x100) with 58441K/7095K bytes of memory.
Processor board ID FOC0711072N (2350872456), with hardware revision 0000
MPC860P processor: part number 5, mask 2
1 FastEthernet interface
1 Serial interface
WIC T1-DSU
32K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)

interface FastEthernet0
 ip address 192.168.x.x 255.255.255.0
 ip nat inside
interface Serial0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
ip nat inside source list 100 interface Serial0 overload
ip nat inside source static tcp z.z.z.z 443 v.v.v.v 443 extendable
ip nat inside source static tcp y.y.y.y 1720 v.v.v.v 1720 extendable
ip nat inside source static tcp z.z.z.z 3389 v.v.v.v 3389 extendable
ip nat inside source static tcp y.y.y.y 60000 v.v.v.v 60000 extendable
ip nat inside source static udp y.y.y.y 60000 v.v.v.v 60000 extendable
ip nat inside source static tcp y.y.y.y 60001 v.v.v.v 60001 extendable
ip nat inside source static udp y.y.y.y 60001 v.v.v.v 60001 extendable
ip nat inside source static tcp y.y.y.y 60002 v.v.v.v 60002 extendable
ip nat inside source static udp y.y.y.y 60002 v.v.v.v 60002 extendable
ip nat inside source static tcp y.y.y.y 60003 v.v.v.v 60003 extendable
ip nat inside source static udp y.y.y.y 60003 v.v.v.v 60003 extendable
ip nat inside source static tcp y.y.y.y 60004 v.v.v.v 60004 extendable
ip nat inside source static udp y.y.y.y 60004 v.v.v.v 60004 extendable
ip nat inside source static tcp y.y.y.y 60005 v.v.v.v 60005 extendable
ip nat inside source static udp y.y.y.y 60005 v.v.v.v 60005 extendable
ip nat inside source static tcp y.y.y.y 60006 v.v.v.v 60006 extendable
ip nat inside source static udp y.y.y.y 60006 v.v.v.v 60006 extendable
ip nat inside source static tcp y.y.y.y 60007 v.v.v.v 60007 extendable
ip nat inside source static udp y.y.y.y 60007 v.v.v.v 60007 extendable
ip nat inside source static tcp y.y.y.y 60008 v.v.v.v 60008 extendable
ip nat inside source static udp y.y.y.y 60008 v.v.v.v 60008 extendable
ip nat inside source static tcp y.y.y.y 60009 v.v.v.v 60009 extendable
ip nat inside source static udp y.y.y.y 60009 v.v.v.v 60009 extendable
ip nat inside source static tcp y.y.y.y 60010 v.v.v.v 60010 extendable
ip nat inside source static udp y.y.y.y 60010 v.v.v.v 60010 extendable
ip nat inside source static tcp y.y.y.y 60011 v.v.v.v 60011 extendable
ip nat inside source static udp y.y.y.y 60011 v.v.v.v 60011 extendable
ip nat inside source static tcp y.y.y.y 60012 v.v.v.v 60012 extendable
ip nat inside source static udp y.y.y.y 60012 v.v.v.v 60012 extendable
ip nat inside source static tcp y.y.y.y 60013 v.v.v.v 60013 extendable
ip nat inside source static udp y.y.y.y 60013 v.v.v.v 60013 extendable
ip nat inside source static tcp y.y.y.y 60014 v.v.v.v 60014 extendable
ip nat inside source static udp y.y.y.y 60014 v.v.v.v 60014 extendable
ip nat inside source static tcp y.y.y.y 60015 v.v.v.v 60015 extendable
ip nat inside source static udp y.y.y.y 60015 v.v.v.v 60015 extendable
ip nat inside source static tcp y.y.y.y 60016 v.v.v.v 60016 extendable
ip nat inside source static udp y.y.y.y 60016 v.v.v.v 60016 extendable
ip nat inside source static tcp y.y.y.y 60017 v.v.v.v 60017 extendable
ip nat inside source static udp y.y.y.y 60017 v.v.v.v 60017 extendable
ip nat inside source static tcp y.y.y.y 60018 v.v.v.v 60018 extendable
ip nat inside source static udp y.y.y.y 60018 v.v.v.v 60018 extendable
ip nat inside source static tcp y.y.y.y 60019 v.v.v.v 60019 extendable
ip nat inside source static udp y.y.y.y 60019 v.v.v.v 60019 extendable
ip nat inside source static tcp y.y.y.y 60020 v.v.v.v 60020 extendable
ip nat inside source static udp y.y.y.y 60020 v.v.v.v 60020 extendable
ip nat inside source static tcp y.y.y.y 60021 v.v.v.v 60021 extendable
ip nat inside source static udp y.y.y.y 60021 v.v.v.v 60021 extendable
ip nat inside source static tcp y.y.y.y 60022 v.v.v.v 60022 extendable
ip nat inside source static udp y.y.y.y 60022 v.v.v.v 60022 extendable
ip nat inside source static tcp y.y.y.y 60023 v.v.v.v 60023 extendable
ip nat inside source static udp y.y.y.y 60023 v.v.v.v 60023 extendable
!
access-list 100 permit ip 192.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

From gsgranados at comcast.net Wed Nov 18 14:40:07 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 18 Nov 2009 11:40:07 -0800
Subject: [c-nsp] need a suggestion for a good lab switch
Message-ID: <019501ca6886$f34b38a0$2408120a@am.thmulti.com>

Hi all, I have a lab that uses a Foundry 4802 for routing / switching. This item is ready to end its lease and I need to replace it with something more current. I'm looking for 48 ports of preferably 10/100/1000 ethernet, layer 3 routing capability (mostly static routing) and spanning tree support. Good multicast support would be a requirement as well. Which Cisco products would folks suggest would fit the bill? Any pointers would be appreciated.

Also, in parallel with this and to save list traffic is there a good general product card type page that shows the various Cisco products, a brief explanation of their configurations / options and model number? Is there a central spot with all that in one place? I appreciate the pointers.

Thanks
Scott

From NMaio at guesswho.com Wed Nov 18 14:53:46 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Wed, 18 Nov 2009 14:53:46 -0500
Subject: [c-nsp] need a suggestion for a good lab switch
In-Reply-To: <019501ca6886$f34b38a0$2408120a@am.thmulti.com>
References: <019501ca6886$f34b38a0$2408120a@am.thmulti.com>
Message-ID: <2AA600764E54964491083B1E0EC81A302F87332E18@EXCLUS.nationala-1advertising.com>

Scott,

The Cisco Catalyst Switch Guide might be what you are looking for.
http://www.cisco.com/en/US/prod/switches/ps5718/ps708/networking_solutions_products_genericcontent0900aecd805f0955.pdf

Note: there is also a Router Guide.
Nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Wednesday, November 18, 2009 2:40 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] need a suggestion for a good lab switch

Hi all, I have a lab that uses a Foundry 4802 for routing / switching. This item is ready to end its lease and I need to replace it with something more current. I'm looking for 48 ports of preferably 10/100/1000 ethernet, layer 3 routing capability (mostly static routing) and spanning tree support. Good multicast support would be a requirement as well. Which Cisco products would folks suggest would fit the bill? Any pointers would be appreciated.

Also, in parallel with this and to save list traffic is there a good general product card type page that shows the various Cisco products, a brief explanation of their configurations / options and model number? Is there a central spot with all that in one place? I appreciate the pointers.

Thanks
Scott
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ed.whitesell+lists at gmail.com Wed Nov 18 15:09:31 2009
From: ed.whitesell+lists at gmail.com (Ed W)
Date: Wed, 18 Nov 2009 14:09:31 -0600
Subject: [c-nsp] Router advice
Message-ID: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com>

Greetings,

I've been out of the market on the latest Cisco routers for a while and I'm looking for some info about a router to use in a small co-located environment.

Basic requirements:
2 Copper FastE/GigE
50-75 Mbps throughput
HSRP
NetFlow
Basic ACLs/null routing for Bogons, etc.
No dynamic routing
No NAT/PAT

Preferably 1U
More than 2 FE interfaces, IPv6 support and room to grow into a BGP session or two would be nice, but not required.
Traffic will be mostly HTTP/HTTPS, Mail (IMAP, POP, SMTP) and some VOIP channels mixed in (G711 & G729) My first thought after some research was a 2800 series, but NetFlow seems like a possible red flag. I'd be open to hearing about other vendors' options that meet the requirements (offlist of course), but no "Build Your Own"/Quagga options. Thanks, Ed From sethm at rollernet.us Wed Nov 18 15:22:54 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 18 Nov 2009 12:22:54 -0800 Subject: [c-nsp] Router advice In-Reply-To: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> Message-ID: <4B04579E.5050502@rollernet.us> Ed W wrote: > Greetings, > > I've been out of the market on the latest Cisco routers for a while and I'm > looking for some info about a router to use in a small co-located > environment. > > Basic requirements: > 2 Copper FastE/GigE > 50-75 Mbps throughput > HSRP > NetFlow > Basic ACLs/null routing for Bogons, etc. > No dynamic routing > No NAT/PAT > > Preferably 1U > More than 2 FE interfaces, IPv6 support and room to grow into a BGP session > or two would be nice, but not required. > Traffic will be mostly HTTP/HTTPS, Mail (IMAP, POP, SMTP) and some VOIP > channels mixed in (G711 & G729) > > My first thought after some research was a 2800 series, but NetFlow seems > like a possible red flag. > The 2800's support netflow just fine, but you won't get that kind of performance out of a 2811 (fastest 1U), nor anything else in the 2800 line over a handful of single large packet flows. 3845 *maybe* depending on features, but it's 3U. If you need 1U then go for a 7201 which is basically a 1U 7200VXR NPE-G2. 
~Seth From asr at latency.net Wed Nov 18 15:27:48 2009 From: asr at latency.net (Adam Rothschild) Date: Wed, 18 Nov 2009 15:27:48 -0500 Subject: [c-nsp] Issues with Cisco Catalyst 4900M Message-ID: <20091118202748.GA52880@latency.net> Hi all, Anybody out there running into CPU exhaustion issues on this box (or a non-fixed-configuration Sup6E, ...), linked to the "low priority" management process and its dependencies? I'm specifically tracking CSCta54369 ("High CPU caused due to K5AclCamStatsMan hw process") along with CSCta77487 ("High cpu in K5L3 review jobs with incomplete arps and big routing table"). Cisco's troubleshooting guide[1] provides an interesting top-level overview of the architecture, though stops short of dispensing meaningful configuration pointers, assuming they exist. I've got a TAC case going, meanwhile any clues and/or experiences from the field, on- or off-list, would be greatly appreciated. :-) Thanks in advance, -a [1] http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml From tdurack at gmail.com Wed Nov 18 15:39:44 2009 From: tdurack at gmail.com (Tim Durack) Date: Wed, 18 Nov 2009 15:39:44 -0500 Subject: [c-nsp] SXI(3) code status? In-Reply-To: References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com> <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com> Message-ID: <9e246b4d0911181239m58044442jcf9c2426bb1f0d92@mail.gmail.com> SXI3 has also removed "patching" ability: "Installer/patching capability is removed starting from some of the new images in SXI. Installer patching support will continue on SXH and SXF. For Cisco IOS 12.2(33)SXI3, ION patching is no longer supported." 
Not that patching has ever really been supported in any meaningful fashion (when was the last time you found a patch to apply?) Would be real nice if the release notes actually specified some of this stuff, instead of us having to dig around and find. Would be even better if Cisco admitted defeat and ported NX-OS to C6K... Tim:> On Wed, Nov 18, 2009 at 12:10 PM, Murphy, William wrote: > We have VSS running so would the same apply if I force switchover with VSS? > Is it only "redundancy force-switchover" command or will failover for other > cause yield same result? > > Thanks... > > Bill > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of andrew > Sent: Wednesday, November 18, 2009 4:29 AM > To: Chris Phillips > Cc: cisco-nsp at puck.nether.net; Jared Mauch > Subject: Re: [c-nsp] SXI(3) code status? > > Breaks as in after forcing a sup switchover while on console > subsequent SSH connections are refused, as it seems the private key is > missing/unreadable. > > > This is logged: > > Nov 18 10:16:08.211: SSH2 0: RSA_sign: private key not found > Nov 18 10:16:08.211: SSH2 0: signature creation failed, status -1 > > > Clearing RSA keys and re-generating did not help. > > Clear RSA keys, *reboot box*, and re-generate did fix. > > > > > > On Wed, Nov 18, 2009 at 2:00 AM, Chris Phillips > wrote: >> Define breaks. Breaks as in your ssh connection drops and you have to > login >> again, or breaks as in your ssh connection drops and the ssh service > doesn't >> restart? >> >> andrew wrote: >>> >>> Here is some BAD on SXI3 ... >>> >>> with redundant supervisor, SSH breaks upon supervisor switchover. >>> >>> -andrew >>> >>> On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater >>> wrote: >>>> >>>> The 6324 100 MM is supported but did not come online in SXI 1, 2, 2A. > It >>>> did however work in SXI, which we are running now. >>>> >>>> The other flavors are not supported. 
>>>> >>>> Jeff >>>> >>>> On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote: >>>> >>>>> Release 12.2(33)SXH and later releases do not support the following >>>>> hardware: >>>>> >>>>> These Ethernet Switching Modules: >>>>> >>>>> WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ >>>>> >>>>> WS-X6248A-TEL 48-port 10/100TX RJ-21 >>>>> >>>>> WS-X6248-RJ-45 48-port 10/100TX RJ-45 >>>>> >>>>> WS-X6248-TEL 48-port 10/100TX RJ-21 >>>>> >>>>> WS-X6324-100FX-SM 24-port 100FX Ethernet >>>>> >>>>> WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ >>>>> >>>>> WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45 >>>>> >>>>> WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ >>>>> >>>>> Now, the caveat is that they did not actually remove the hardware >>>>> support for some of these until SXI1, so while the release notes say > one >>>>> thing, the actual support varies. >>>>> >>>>> You will see something like this in 'show power': >>>>> 4 WS-X6248A-TEL 112.98 2.69 - - on off (not >>>>> supported) >>>>> 8 WS-X6248-RJ-45 112.98 2.69 - - on off (not >>>>> supported) >>>>> >>>>> It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I >>>>> can't recall if that was the case for SXI2/2a/or 1. >>>>> >>>>> - Jared >>>>> >>>>> On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote: >>>>> >>>>>> Jared, >>>>>> >>>>>> After quickly glancing at the release notes, I was unable to find >>>>>> anything about the removal of hardware support for the 63xx series > cards. >>>>>> Do you have a URL or can you be more specific? >>>>>> >>>>>> Thanks in advance! >>>>>> >>>>>> Jared Mauch wrote: >>>>>>> >>>>>>> SXI3 has a number of bug fixes for our network, including one that >>>>>>> would cause the next-hop to be populated as 'drop' in hardware. >>>>>>> I strongly recommend using it over prior versions of SXI. >>>>>>> Due to the removal of hardware support we replaced the older > 63xx/62xx >>>>>>> series cards. 
>>>>>>> - Jared >>>>>>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote: >>>>>>>> >>>>>>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(), >>>>>>>> OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC. >>>>>>>> >>>>>>>> >>>>>>>> Rubens >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater >>>>>>>> wrote: >>>>>>>>> >>>>>>>>> I have been running the SXI(3) on a test router with 100M MM 6324, >>>>>>>>> which it did not recognize in previous versions, and so far no > complaints >>>>>>>>> but then again it's not in a real world yet. >>>>>>>>> >>>>>>>>> >>>>>>>>> Does anyone else have GOOD or BAD news on SXI(3)? >>>>>>>>> >>>>>>>>> >>>>>>>>> Jeff Fitzwater >>>>>>>>> OIT Network Systems >>>>>>>>> Princeton University >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>>>>> >>>>>>> _______________________________________________ >>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>>> >>>>> _______________________________________________ >>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at 
http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> >>> >>> >> >> -- >> Chris Phillips >> Director of Network Engineering & Peering Coordinator >> WBS Connect >> cphillips at wbsconnect.com >> (866) WBS-CONX >> (720) 259-8361 - direct >> (303) 968-4383 - mobile >> www.wbsconnect.com >> > > > > -- > -andrew > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Tim:> From gsgranados at comcast.net Wed Nov 18 15:50:10 2009 From: gsgranados at comcast.net (Scott Granados) Date: Wed, 18 Nov 2009 12:50:10 -0800 Subject: [c-nsp] Router advice References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> Message-ID: <01b901ca6890$bd9fdb70$2408120a@am.thmulti.com> I'm thinking 7200 series makes sense for you although I believe they are more than 1U. ----- Original Message ----- From: "Ed W" To: Sent: Wednesday, November 18, 2009 12:09 PM Subject: [c-nsp] Router advice > Greetings, > > I've been out of the market on the latest Cisco routers for a while and > I'm > looking for some info about a router to use in a small co-located > environment. > > Basic requirements: > 2 Copper FastE/GigE > 50-75 Mbps throughput > HSRP > NetFlow > Basic ACLs/null routing for Bogons, etc. > No dynamic routing > No NAT/PAT > > Preferably 1U > More than 2 FE interfaces, IPv6 support and room to grow into a BGP > session > or two would be nice, but not required. > Traffic will be mostly HTTP/HTTPS, Mail (IMAP, POP, SMTP) and some VOIP > channels mixed in (G711 & G729) > > My first thought after some research was a 2800 series, but NetFlow seems > like a possible red flag. 
> > I'd be open to hearing about other vendors' options that meet the > requirements (offlist of course), but no "Build Your Own"/Quagga options. > > Thanks, > Ed > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From BBlackford at nwresd.k12.or.us Wed Nov 18 15:54:19 2009 From: BBlackford at nwresd.k12.or.us (Bill Blackford) Date: Wed, 18 Nov 2009 12:54:19 -0800 Subject: [c-nsp] Router advice In-Reply-To: <01b901ca6890$bd9fdb70$2408120a@am.thmulti.com> References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <01b901ca6890$bd9fdb70$2408120a@am.thmulti.com> Message-ID: <6069A203FD01884885C037F81DD75080173BBAC049@wsc-mail-01.intra.nwresd.k12.or.us> The 7201 is 1RU. It's basically an NPE-G2 shoehorned into a 1RU chassis. -b -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados Sent: Wednesday, November 18, 2009 12:50 PM To: Ed W; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Router advice I'm thinking 7200 series makes sense for you although I believe they are more than 1U. ----- Original Message ----- From: "Ed W" To: Sent: Wednesday, November 18, 2009 12:09 PM Subject: [c-nsp] Router advice > Greetings, > > I've been out of the market on the latest Cisco routers for a while and > I'm > looking for some info about a router to use in a small co-located > environment. > > Basic requirements: > 2 Copper FastE/GigE > 50-75 Mbps throughput > HSRP > NetFlow > Basic ACLs/null routing for Bogons, etc. > No dynamic routing > No NAT/PAT > > Preferably 1U > More than 2 FE interfaces, IPv6 support and room to grow into a BGP > session > or two would be nice, but not required. 
> Traffic will be mostly HTTP/HTTPS, Mail (IMAP, POP, SMTP) and some VOIP > channels mixed in (G711 & G729) > > My first thought after some research was a 2800 series, but NetFlow seems > like a possible red flag. > > I'd be open to hearing about other vendors' options that meet the > requirements (offlist of course), but no "Build Your Own"/Quagga options. > > Thanks, > Ed > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cisco-nsp at slepicka.net Wed Nov 18 16:18:55 2009 From: cisco-nsp at slepicka.net (James Slepicka) Date: Wed, 18 Nov 2009 15:18:55 -0600 Subject: [c-nsp] Issues with Cisco Catalyst 4900M In-Reply-To: <20091118202748.GA52880@latency.net> References: <20091118202748.GA52880@latency.net> Message-ID: <4B0464BF.2080409@slepicka.net> Not specifically seeing these issues, but I have at least one 4900M and a few 4500 Sup6E's running 12.2(52/53)SG that are experiencing CPU issues. When configured with sub-second OSPF hello timers, they drop adjacencies when I copy a file (ftp/tftp) to bootflash. High CPU utilization in the Exec/Virtual Exec process. I suspect something is messed up with the scheduling/prioritization of processes. This may be causing the issues that you're seeing as well. BTW -- the OSPF issue is bug id CSCsw84727. Cisco says it's fixed in 12.2(52 and 53)SG, but it's obviously not. Still waiting on resolution for this one. Adam Rothschild wrote: > Hi all, > > Anybody out there running into CPU exhaustion issues on this box (or a > non-fixed-configuration Sup6E, ...), linked to the "low priority" > management process and its dependencies? 
> > I'm specifically tracking CSCta54369 ("High CPU caused due to > K5AclCamStatsMan hw process") along with CSCta77487 ("High cpu in K5L3 > review jobs with incomplete arps and big routing table"). > > Cisco's troubleshooting guide[1] provides an interesting top-level > overview of the architecture, though stops short of dispensing > meaningful configuration pointers, assuming they exist. > > I've got a TAC case going, meanwhile any clues and/or experiences from > the field, on- or off-list, would be greatly appreciated. :-) > > Thanks in advance, > -a > > [1] http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From cisco-nsp at slepicka.net Wed Nov 18 16:24:14 2009 From: cisco-nsp at slepicka.net (James Slepicka) Date: Wed, 18 Nov 2009 15:24:14 -0600 Subject: [c-nsp] Issues with Cisco Catalyst 4900M In-Reply-To: <4B0464BF.2080409@slepicka.net> References: <20091118202748.GA52880@latency.net> <4B0464BF.2080409@slepicka.net> Message-ID: <4B0465FE.2090208@slepicka.net> Just a quick follow-up on this one (took me a while to find the email). Cisco's response: CSCsw84727 not present in 12.2(52)SG. As the fix was non trivial, it is undergoing testing. It will be in Fall08 SG4 (12.2.(50)SG4). And in the Zanzibar release 12.2.(54)SG. James Slepicka wrote: > Not specifically seeing these issues, but I have at least one 4900M > and a few 4500 Sup6E's running 12.2(52/53)SG that are experiencing CPU > issues. When configured with sub-second OSPF hello timers, they drop > adjacencies when I copy a file (ftp/tftp) to bootflash. High CPU > utilization in the Exec/Virtual Exec process. I suspect something is > messed up with the scheduling/prioritization of processes. 
This may > be causing the issues that you're seeing as well. > > BTW -- the OSPF issue is bug id CSCsw84727. Cisco says it's fixed in > 12.2(52 and 53)SG, but it's obviously not. Still waiting on > resolution for this one. > > Adam Rothschild wrote: >> Hi all, >> >> Anybody out there running into CPU exhaustion issues on this box (or a >> non-fixed-configuration Sup6E, ...), linked to the "low priority" >> management process and its dependencies? >> >> I'm specifically tracking CSCta54369 ("High CPU caused due to >> K5AclCamStatsMan hw process") along with CSCta77487 ("High cpu in K5L3 >> review jobs with incomplete arps and big routing table"). >> >> Cisco's troubleshooting guide[1] provides an interesting top-level >> overview of the architecture, though stops short of dispensing >> meaningful configuration pointers, assuming they exist. >> >> I've got a TAC case going, meanwhile any clues and/or experiences from >> the field, on- or off-list, would be greatly appreciated. :-) >> >> Thanks in advance, >> -a >> >> [1] >> http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mawhi at vestas.com Wed Nov 18 16:24:28 2009 From: mawhi at vestas.com (Matthew White) Date: Wed, 18 Nov 2009 13:24:28 -0800 Subject: [c-nsp] Router advice In-Reply-To: <6069A203FD01884885C037F81DD75080173BBAC049@wsc-mail-01.intra.nwresd.k12.or.us> References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <01b901ca6890$bd9fdb70$2408120a@am.thmulti.com> 
<6069A203FD01884885C037F81DD75080173BBAC049@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: I don't know if the 7201 will accept PVDMs, so if you need to do voice xcoding on your box that may be a show stopper. According to Cisco's marketing speak the new 2900s will do "up to 75Mbps with services such as security, mobility, WAN Optimization...." However it is 2U. -mtw > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford > Sent: Wednesday, November 18, 2009 12:54 PM > To: 'Scott Granados'; Ed W; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Router advice > > The 7201 is 1RU. It's basically an NPE-G2 shoehorned into a > 1RU chassis. > > -b > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados > Sent: Wednesday, November 18, 2009 12:50 PM > To: Ed W; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Router advice > > I'm thinking 7200 series makes sense for you although I > believe they are > more than 1U. > > ----- Original Message ----- > From: "Ed W" > To: > Sent: Wednesday, November 18, 2009 12:09 PM > Subject: [c-nsp] Router advice > > > > Greetings, > > > > I've been out of the market on the latest Cisco routers for > a while and > > I'm > > looking for some info about a router to use in a small co-located > > environment. > > > > Basic requirements: > > 2 Copper FastE/GigE > > 50-75 Mbps throughput > > HSRP > > NetFlow > > Basic ACLs/null routing for Bogons, etc. > > No dynamic routing > > No NAT/PAT > > > > Preferably 1U > > More than 2 FE interfaces, IPv6 support and room to grow into a BGP > > session > > or two would be nice, but not required. 
> > Traffic will be mostly HTTP/HTTPS, Mail (IMAP, POP, SMTP) > and some VOIP > > channels mixed in (G711 & G729) > > > > My first thought after some research was a 2800 series, but > NetFlow seems > > like a possible red flag. > > > > I'd be open to hearing about other vendors' options that meet the > > requirements (offlist of course), but no "Build Your > Own"/Quagga options. > > > > Thanks, > > Ed > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From sethm at rollernet.us Wed Nov 18 16:28:53 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 18 Nov 2009 13:28:53 -0800 Subject: [c-nsp] Router advice In-Reply-To: <4B045E1D.7070003@itpro.co.nz> References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <4B04579E.5050502@rollernet.us> <4B045E1D.7070003@itpro.co.nz> Message-ID: <4B046715.9010303@rollernet.us> Ivan wrote: > You may also want to check out the new ISR models (ISR G2 > http://www.cisco.com/go/isrg2). > I get the impression from reading about the new "universal" image that they phone home for license keys before it will activate features. Is this accurate? 
~Seth From cisco-nsp at itpro.co.nz Wed Nov 18 15:50:37 2009 From: cisco-nsp at itpro.co.nz (Ivan) Date: Thu, 19 Nov 2009 09:50:37 +1300 Subject: [c-nsp] Router advice In-Reply-To: <4B04579E.5050502@rollernet.us> References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <4B04579E.5050502@rollernet.us> Message-ID: <4B045E1D.7070003@itpro.co.nz> You may also want to check out the new ISR models (ISR G2 http://www.cisco.com/go/isrg2). Ivan Seth Mattinen wrote: > Ed W wrote: > >> Greetings, >> >> I've been out of the market on the latest Cisco routers for a while and I'm >> looking for some info about a router to use in a small co-located >> environment. >> >> Basic requirements: >> 2 Copper FastE/GigE >> 50-75 Mbps throughput >> HSRP >> NetFlow >> Basic ACLs/null routing for Bogons, etc. >> No dynamic routing >> No NAT/PAT >> >> Preferably 1U >> More than 2 FE interfaces, IPv6 support and room to grow into a BGP session >> or two would be nice, but not required. >> Traffic will be mostly HTTP/HTTPS, Mail (IMAP, POP, SMTP) and some VOIP >> channels mixed in (G711 & G729) >> >> My first thought after some research was a 2800 series, but NetFlow seems >> like a possible red flag. >> >> > > The 2800's support netflow just fine, but you won't get that kind of > performance out of a 2811 (fastest 1U), nor anything else in the 2800 > line over a handful of single large packet flows. 3845 *maybe* depending > on features, but it's 3U. If you need 1U then go for a 7201 which is > basically a 1U 7200VXR NPE-G2. 
> > ~Seth > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mhernand1 at comcast.net Wed Nov 18 16:56:56 2009 From: mhernand1 at comcast.net (manolo hernandez) Date: Wed, 18 Nov 2009 16:56:56 -0500 Subject: [c-nsp] Router advice In-Reply-To: <4B046715.9010303@rollernet.us> References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <4B04579E.5050502@rollernet.us> <4B045E1D.7070003@itpro.co.nz> <4B046715.9010303@rollernet.us> Message-ID: <4B046DA8.3080805@comcast.net> Seth Mattinen wrote: > Ivan wrote: >> You may also want to check out the new ISR models (ISR G2 >> http://www.cisco.com/go/isrg2). >> > > I get the impression from reading about the new "universal" image that > they phone home for license keys before it will activate features. Is > this accurate? > > ~Seth > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > What if the device is not connected to the internet? 
Manolo From peter at rathlev.dk Wed Nov 18 17:04:15 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 18 Nov 2009 23:04:15 +0100 Subject: [c-nsp] need a suggestion for a good lab switch In-Reply-To: <019501ca6886$f34b38a0$2408120a@am.thmulti.com> References: <019501ca6886$f34b38a0$2408120a@am.thmulti.com> Message-ID: <1258581855.9573.1.camel@abehat.dyn.net.rm.dk> On Wed, 2009-11-18 at 11:40 -0800, Scott Granados wrote: > I have a lab that uses a Foundry 4802 for routing / switching. > This item is ready to end its lease and I need to replace it with > something more current. I'm looking for 48 ports of preferably > 10/100/1000 ethernet, layer 3 routing capability (mostly static > routing) and spanning tree support. Good multicast support would be a > requirement as well. Which Cisco products would folks suggest would > fit the bill? Any pointers would be appreciated. Also, in parallel > with this and to save list traffic is there a good general product > card type page that shows the various Cisco products, a brief > explanation of their configurations / options and model number? Is > there a central spot with all that in one place? I appreciate the > pointers. The 3560 seems to fit this bill. AFAIK it's the smallest switch to support L3 forwarding. We have used them extensively as OSPF access routers with no problems. 
-- Peter From cchurc05 at harris.com Wed Nov 18 17:05:08 2009 From: cchurc05 at harris.com (Church, Charles) Date: Wed, 18 Nov 2009 17:05:08 -0500 Subject: [c-nsp] One-way traffic using L2TPv3 Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B5E338D@MLBMXUS2.cs.myharris.net> Anyone, Labbing up L2TPv3 on a couple routers back to back, having some issues with just one way traffic. Topology looks like this: Ixia(port3)----Fa1/8(3660)Fa0/0----Fa0/0(3660)Fa1/8----(port4)Ixia Both Ixia ports are sending traffic, but only port4 is receiving any traffic. Port Fa1/8 on the right 3660 shows packets coming in, but 'sh l2tun sess pack' on the right 3660 doesn't show any packets in, which the fa0/0 interface counters confirm. Any idea what would cause this one-way behavior? When I put the 4 ports in a bridge group (ieee), traffic flowed as expected, so I know the Ixia isn't to blame. Relevant config:

R3 (left)
l2tp-class testclass
 authentication
 password 7 05080F1C2243
!
pseudowire-class test-pclass
 encapsulation l2tpv3
 protocol l2tpv3 testclass
 ip local interface FastEthernet0/0
 ip pmtu
!
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip flow ingress
 duplex auto
 speed auto
!
!
interface FastEthernet1/8
 no switchport
 no ip address
 no cdp enable
 xconnect 10.0.0.2 400 encapsulation l2tpv3 pw-class test-pclass
!

R4 (right)
l2tp-class testclass
 authentication
 password 7 05080F1C2243
!
pseudowire-class test-pclass
 encapsulation l2tpv3
 protocol l2tpv3 testclass
 ip local interface FastEthernet0/0
 ip pmtu
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.252
 ip flow ingress
 duplex auto
 speed auto
 hold-queue 150 out
!
!
interface FastEthernet1/8
 no switchport
 no ip address
 no cdp enable
 xconnect 10.0.0.1 400 encapsulation l2tpv3 pw-class test-pclass
!

Any ideas? IOS is 12.4(10) IK9S, platform is 3660. Thanks, Chuck -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 6595 bytes Desc: not available URL: From gert at greenie.muc.de Wed Nov 18 17:14:36 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 18 Nov 2009 23:14:36 +0100 Subject: [c-nsp] SXI(3) code status? In-Reply-To: <9e246b4d0911181239m58044442jcf9c2426bb1f0d92@mail.gmail.com> References: <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com> <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com> <9e246b4d0911181239m58044442jcf9c2426bb1f0d92@mail.gmail.com> Message-ID: <20091118221436.GJ163@greenie.muc.de> Hi, On Wed, Nov 18, 2009 at 03:39:44PM -0500, Tim Durack wrote: > SXI3 has also removed "patching" ability: > > "Installer/patching capability is removed starting from some of the > new images in SXI. Installer patching support will continue on SXH and > SXF. For Cisco IOS 12.2(33)SXI3, ION patching is no longer supported." Hooray. There goes the hope that ION will eventually fulfill the original promise "BGP bug? no problem, install patch, restart bgpd, no reboot needed"... > Would be even better if Cisco admitted defeat and ported NX-OS to C6K... Indeed. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From saxon.jones at gmail.com Wed Nov 18 17:37:18 2009 From: saxon.jones at gmail.com (Saxon Jones) Date: Wed, 18 Nov 2009 15:37:18 -0700 Subject: [c-nsp] Router advice In-Reply-To: <4B046DA8.3080805@comcast.net> References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <4B04579E.5050502@rollernet.us> <4B045E1D.7070003@itpro.co.nz> <4B046715.9010303@rollernet.us> <4B046DA8.3080805@comcast.net> Message-ID: <86b512c30911181437v5e933946ued6e84cbcd354b52@mail.gmail.com> If it's anything like the catalyst 3750-E and 3560-E you go to their website and enter the model and serial numbers and it gives you a license file which you copy onto the device. At no point does the device need to contact the licensing servers. ______________________________ Saxon Jones Email: saxon.jones at gmail.com Telephone: (780) 669-0899 Toll-free: (866) 701-8022 United Kingdom: 0(1315)168664 2009/11/18 manolo hernandez > Seth Mattinen wrote: > > Ivan wrote: > >> You may also want to check out the new ISR models (ISR G2 > >> http://www.cisco.com/go/isrg2). > >> > > > > I get the impression from reading about the new "universal" image that > > they phone home for license keys before it will activate features. Is > > this accurate? > > > > ~Seth > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > What if the device is not connected to the internet? 
> > > > Manolo > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From cisconsp at data102.com Wed Nov 18 18:51:33 2009 From: cisconsp at data102.com (randal k) Date: Wed, 18 Nov 2009 16:51:33 -0700 Subject: [c-nsp] ACE20-SBC experiences? Message-ID: Anybody on the list have experience with Cisco's ACE20-SBC session border controller linecard? I have been learning as much as I can about it, and I'd like to verify that it is indeed the panacea for all things VoIP that it claims to be. Also of note, does it work only with the 7600, or does the 6500 chassis work as well (documentation says yes, to the former, zero information on the latter). General anecdotes very much appreciated -- Cheers, Randal From mtinka at globaltransit.net Wed Nov 18 06:01:58 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 18 Nov 2009 19:01:58 +0800 Subject: [c-nsp] SXI(3) code status? 
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD302855601@kenya.tronet.as> References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <200911181815.22693.mtinka@globaltransit.net> <6B43981C32F8464CB24CEE209DA32BD302855601@kenya.tronet.as> Message-ID: <200911181902.00316.mtinka@globaltransit.net> On Wednesday 18 November 2009 06:40:39 pm Daniska, Tomas wrote: > Which one that was? We've been hit by a bug when using > TAC+ out of a VRF. Initial user authentication is OK, but > the subsequent enable auth outgoing packets do not have > the proper VRF set and go out the GRT instead. Funny > enough, the return packet returns via the VRF and the box > eats it. In our case, using TACACS+ also, initial user authentications works fine, but the switch refuses to authenticate against the regular enable password and instead chooses the fallback password. In all honesty, we didn't debug this for too long because we only have 4 units in operation (core), were too busy with other stuff, and we could just work around it by adjusting RANCID's .cloginrc details (which were the most important). The issue is fixed in SXI2a (perhaps even earlier, in later versions post SXH3), and we didn't do anything to our TACACS+ backend. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. 
From mtinka at globaltransit.net Wed Nov 18 21:45:03 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 19 Nov 2009 10:45:03 +0800 Subject: [c-nsp] vlan across a routed link In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FB31F9C@XMB-AMS-103.cisco.com> References: <995578.89071.qm@web43135.mail.sp1.yahoo.com> <4B0403E2.8030204@imperial.ac.uk> <6E4D2678AC543844917CA081C9D6B33FB31F9C@XMB-AMS-103.cisco.com> Message-ID: <200911191045.09477.mtinka@globaltransit.net> On Wednesday 18 November 2009 10:39:42 pm Oliver Boehmer (oboehmer) wrote: > Please consider technologies for this where you don't > need to extend spanning tree. for example L2VPN (EoMPLS, > VPLS), or loop-free topologies using VSS where you can > disable STP between campuses.. Or just IP, if all locations are being connected to forward IP traffic. Cheers, Mark. From mtinka at globaltransit.net Wed Nov 18 21:54:46 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 19 Nov 2009 10:54:46 +0800 Subject: [c-nsp] vlan across a routed link In-Reply-To: <39149.196.46.241.57.1258557022.squirrel@nexmail1.nexlinx.net.pk> References: <995578.89071.qm@web43135.mail.sp1.yahoo.com> <6E4D2678AC543844917CA081C9D6B33FB31F9C@XMB-AMS-103.cisco.com> <39149.196.46.241.57.1258557022.squirrel@nexmail1.nexlinx.net.pk> Message-ID: <200911191054.48173.mtinka@globaltransit.net> On Wednesday 18 November 2009 11:10:22 pm masood at nexlinx.net.pk wrote: > what's wrong in extending your spanning-tree domain, as > long as numbers of nodes are not too many? You can't know that the number of nodes or VLAN's won't grow. And chances are, they will. > People are > using trunk links between different sites across the > world in an enterprise environment, and this is for what > you use a trunk link. Fair point.
Digressing a little from the OP's post, control planes for Ethernet in the LAN (and small WAN) have different characteristics from various points of view when considered for large scale, probably Metro deployments. > I would prefer the usage of trunk > links and routed VLAN interfaces over EoMPLS and VPLS. YMMV, but the performance of IP and EoMPLS shouldn't be that different since it's all done in hardware. VPLS is a little more complex by its nature. > (keeping in mind the throughput issues on EoMPLS, mtu > problems and overall network complexity) I'm not sure increased MTU requirements makes a network any more complex. Besides, in a campus LAN/WAN with your own fibre, you can control the MTU on each of the links, which is great. Cheers, Mark. From bandhani at gmail.com Wed Nov 18 23:46:51 2009 From: bandhani at gmail.com (Farhan Jaffer) Date: Thu, 19 Nov 2009 09:46:51 +0500 Subject: [c-nsp] IOS XR version you use In-Reply-To: <746ca6da0911180311o4e4e729cqdbde8800cf29ab7a@mail.gmail.com> References: <746ca6da0911180311o4e4e729cqdbde8800cf29ab7a@mail.gmail.com> Message-ID: <11b0f2da0911182046y1983b116ybedf356585442cfd@mail.gmail.com> 3.6.2 (only on CRS) so far. We upgraded 3-4 months back on Cisco AS recommendation. No added features needed for 3.8. -FJ On Wed, Nov 18, 2009 at 4:11 PM, Per Carlson wrote: > Hi. > > > I look for a good choice of XR to upgrade to from 3.5. In terms of > features > > there are no mandatory ones that could drive us to do 3.8 instead of 3.6 > > Does anyone of you use 3.8 in a production environment? Please share any > > thoughts on this. > > We are using 3.5.4 (CRS and XR12k) and do plan a move to 3.6.3 on both > platforms.
XR 3.8 didn't give us any needed features either, and the > lower exposure in "the wild" made the choice of 3.6 rather easy. > > -- > Pelle > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From Christophe.Cardon at bec.dk Thu Nov 19 03:34:25 2009 From: Christophe.Cardon at bec.dk (Christophe Cardon) Date: Thu, 19 Nov 2009 09:34:25 +0100 Subject: [c-nsp] SXI(3) code status? References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com> <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com> Message-ID: <2460F1476CDEBC45835CD3506BA8BF3801A5B6C34480@EX08.res.bec.dk> You are hitting bug id CSCtd21722, which we reported to Cisco last week. There is also a problem with SNMP ACL bypass with SXI3 on a VSS setup: if you configure an ACL to protect access to SNMP RO or RW, the ACL is not filtering and access is granted to anyone (if you know the community string, of course). -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Murphy, William Sent: 18 November 2009 18:10 To: andrew; Chris Phillips Cc: cisco-nsp at puck.nether.net; Jared Mauch Subject: Re: [c-nsp] SXI(3) code status? We have VSS running so would the same apply if I force switchover with VSS? Is it only "redundancy force-switchover" command or will failover for other cause yield same result? Thanks...
Bill -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of andrew Sent: Wednesday, November 18, 2009 4:29 AM To: Chris Phillips Cc: cisco-nsp at puck.nether.net; Jared Mauch Subject: Re: [c-nsp] SXI(3) code status? Breaks as in after forcing a sup switchover while on console subsequent SSH connections are refused, as it seems the private key is missing/unreadable. This is logged:
Nov 18 10:16:08.211: SSH2 0: RSA_sign: private key not found
Nov 18 10:16:08.211: SSH2 0: signature creation failed, status -1
Clearing RSA keys and re-generating did not help. Clear RSA keys, *reboot box*, and re-generate did fix. On Wed, Nov 18, 2009 at 2:00 AM, Chris Phillips wrote: > Define breaks. Breaks as in your ssh connection drops and you have to login > again, or breaks as in your ssh connection drops and the ssh service doesn't > restart? > > andrew wrote: >> >> Here is some BAD on SXI3 ... >> >> with redundant supervisor, SSH breaks upon supervisor switchover. >> >> -andrew >> >> On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater >> >> wrote: >>> >>> The 6324 100 MM is supported but did not come online in SXI 1, 2 , 2A. It >>> did however work in SXI, which we are running now. >>> >>> The other flavors are not supported. >>> >>> Jeff >>> >>> On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote: >>> >>>> Release 12.2(33)SXH and later releases do not support the following >>>> hardware: >>>> >>>> These Ethernet Switching Modules:
>>>> -WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ
>>>> -WS-X6248A-TEL 48-port 10/100TX RJ-21
>>>> -WS-X6248-RJ-45 48-port 10/100TX RJ-45
>>>> -WS-X6248-TEL 48-port 10/100TX RJ-21
>>>> -WS-X6324-100FX-SM 24-port 100FX Ethernet
>>>> -WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ
>>>> -WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45
>>>> -WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ
>>>>
Now, the caveat is that they did not actually remove the >>>> hardware support for some of these until SXI1, so while the release >>>> notes say one >>>> thing, the actual support varies. >>>> >>>> You will see something like this in 'show power':
>>>> 4 WS-X6248A-TEL 112.98 2.69 - - on off (not supported)
>>>> 8 WS-X6248-RJ-45 112.98 2.69 - - on off (not supported)
>>>> It does appear the WS-X6324-100FX-MM card does power on for SXI3, >>>> but I can't recall if that was the case for SXI2/2a/or 1. >>>> >>>> - Jared >>>> >>>> On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote: >>>> >>>>> Jared, >>>>> >>>>> After quickly glancing at the release notes, I was unable to find >>>>> anything about the removal of hardware support for the 63xx series cards. >>>>> Do you have a URL or can you be more specific? >>>>> >>>>> Thanks in advance! >>>>> >>>>> Jared Mauch wrote: >>>>>> >>>>>> SXI3 has a number of bug fixes for our network, including one >>>>>> that would cause the next-hop to be populated as 'drop' in hardware. >>>>>> I strongly recommend using it over prior versions of SXI. >>>>>> Due to the removal of hardware support we replaced the older 63xx/62xx >>>>>> series cards. >>>>>> - Jared >>>>>> On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote: >>>>>>> >>>>>>> SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... >>>>>>> :-(), OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC. >>>>>>> >>>>>>> >>>>>>> Rubens >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater >>>>>>> wrote: >>>>>>>> >>>>>>>> I have been running the SXI(3) on a test router with 100M MM >>>>>>>> 6324, which it did not recognize in previous versions, and so >>>>>>>> far no complaints >>>>>>>> but then again it's not in a real world yet. >>>>>>>> >>>>>>>> >>>>>>>> Does anyone else have GOOD or BAD news on SXI(3)?
>>>>>>>> Jeff Fitzwater >>>>>>>> OIT Network Systems >>>>>>>> Princeton University > -- > Chris Phillips > Director of Network Engineering & Peering Coordinator WBS Connect > cphillips at wbsconnect.com > (866) WBS-CONX > (720) 259-8361 - direct > (303) 968-4383 - mobile > www.wbsconnect.com > -- -andrew _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From eng_mssk at hotmail.com Thu Nov 19 05:14:16 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Thu, 19 Nov 2009 12:14:16 +0200 Subject: [c-nsp] metroethernet 3750 traffic policing Message-ID: I have a Cisco Metro Ethernet
3750. I want to limit the traffic in the outbound direction; as I read, the limit can be made in the inbound direction. What else can I do to limit the traffic? Thanks. From joohwil at gmail.com Thu Nov 19 06:28:31 2009 From: joohwil at gmail.com (John Wilkes) Date: Thu, 19 Nov 2009 12:28:31 +0100 Subject: [c-nsp] Spanning tree limits on 4500 Message-ID: <7d490c2d0911190328w4358a920m4ffb888a37fc6a79@mail.gmail.com> What are the limits for spanning tree on Cisco 4500? I'm interested both in MST and PVST+. Is it a set "STP instances" like normal switches, or virtual/logical ports like 6500? And what are the numbers? Any funky commands to check? I searched the archives but couldn't find anything on 4500s. From peter at rathlev.dk Thu Nov 19 07:11:07 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 19 Nov 2009 13:11:07 +0100 Subject: [c-nsp] Coax E1 over IP Message-ID: <1258632667.2837.13.camel@abehat.dyn.net.rm.dk> Hi everyone, We currently have a bunch of RAD FOM-E1/T1 modems. They work in pairs converting E1 (entering via coax) to optical signaling carried via single mode fiber to another modem that converts back to coax. Since we have practically no way of monitoring the RAD modems, and since it seems wasteful to use a pair on SMF just for a 2048kbps signal we would like instead to utilize some kind of "E1 over IP". Would anybody know how this can be achieved? We're thinking about Cisco 2800 routers that could convert an incoming coax E1 signal to IP and then route this over our core network. Does that make sense? I can't seem to find any coax interfaces for the 2800, only RJ45 interfaces. Are we out of luck on that one?
And would anyone have any pointers to a "E1 over IP" basic configuration we could look at? Thanks in advance. -- Peter From peter at rathlev.dk Thu Nov 19 07:35:29 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 19 Nov 2009 13:35:29 +0100 Subject: [c-nsp] Coax E1 over IP In-Reply-To: <9ef3fe9c0911190423g502567dbm7dd65641e75f9219@mail.gmail.com> References: <1258632667.2837.13.camel@abehat.dyn.net.rm.dk> <9ef3fe9c0911190423g502567dbm7dd65641e75f9219@mail.gmail.com> Message-ID: <1258634129.2837.16.camel@abehat.dyn.net.rm.dk> On Thu, 2009-11-19 at 13:23 +0100, Aled Morris wrote: > Have you looked at NM-CEM-4TE1 for the 2800? I've looked briefly at it, but it only seems to have RJ45 connectors[1], not BNC for coax. Otherwise it seems to fit the purpose. What can one do to take an E1 circuit from coax? -- Peter [1]: According to http://www.cisco.com/en/US/prod/collateral/routers/ps282/product_data_sheet09186a00802045f5_ps5855_Products_Data_Sheet.html From simon at slimey.org Thu Nov 19 07:46:05 2009 From: simon at slimey.org (Simon Lockhart) Date: Thu, 19 Nov 2009 12:46:05 +0000 Subject: [c-nsp] Coax E1 over IP In-Reply-To: <1258634129.2837.16.camel@abehat.dyn.net.rm.dk> References: <1258632667.2837.13.camel@abehat.dyn.net.rm.dk> <9ef3fe9c0911190423g502567dbm7dd65641e75f9219@mail.gmail.com> <1258634129.2837.16.camel@abehat.dyn.net.rm.dk> Message-ID: <20091119124605.GE23204@virtual.bogons.net> On Thu Nov 19, 2009 at 01:35:29PM +0100, Peter Rathlev wrote: > What can one do to take an E1 circuit from coax? Put it through an RJ45 to Coax balun? The difference between RJ45 and Coax is purely electrical, and baluns to convert are easily available and at low cost. 
Simon -- Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration * Director | * Domain & Web Hosting * Internet Consultancy * Bogons Ltd | * http://www.bogons.net/ * Email: info at bogons.net * From peter at rathlev.dk Thu Nov 19 07:52:23 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 19 Nov 2009 13:52:23 +0100 Subject: [c-nsp] Coax E1 over IP In-Reply-To: <20091119124352.GA13633@amused.net> References: <1258632667.2837.13.camel@abehat.dyn.net.rm.dk> <20091119124352.GA13633@amused.net> Message-ID: <1258635143.2837.21.camel@abehat.dyn.net.rm.dk> On Thu, 2009-11-19 at 23:43 +1100, Patrick Cole wrote: > Offtopic slightly but RAD make a whole range of IPmuxes to do exactly > what you are after: > > http://www.rad.com/3-2563/Pseudowire_Remote_Gateways/ Our RADs have been rock solid for many many years, but all other things equal we would prefer Cisco equipment, since this fits in our existing management systems. Interestingly the RAD IPmux-1E also seems to only have RJ45 connectors (like the NM-CEM-4TE1), but the data sheet states that "RJ-45 to BNC adapter cable is supplied". Is it as easy as that? Can we just insert an adapter cable to convert from coax to RJ45 and then use e.g. the NM-CEM-4TE1? -- Peter From koug at intracom.gr Thu Nov 19 08:16:26 2009 From: koug at intracom.gr (John Kougoulos) Date: Thu, 19 Nov 2009 15:16:26 +0200 (GTB Standard Time) Subject: [c-nsp] Coax E1 over IP In-Reply-To: <1258635143.2837.21.camel@abehat.dyn.net.rm.dk> References: <1258632667.2837.13.camel@abehat.dyn.net.rm.dk> <20091119124352.GA13633@amused.net> <1258635143.2837.21.camel@abehat.dyn.net.rm.dk> Message-ID: > > Is it as easy as that? Can we just insert an adapter cable to convert > from coax to RJ45 and then use e.g. the NM-CEM-4TE1? Yes. Cisco also has such cables eg. I think CAB-ADPT-75-120 was the part number, but I guess it will be much cheaper if you get e.g. a
Krone From sigurbjornl at vodafone.is Thu Nov 19 07:44:14 2009 From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson) Date: Thu, 19 Nov 2009 12:44:14 +0000 Subject: [c-nsp] Coax E1 over IP In-Reply-To: <1258634129.2837.16.camel@abehat.dyn.net.rm.dk> Message-ID: You need a Balun to convert the 75 ohm unbalanced (Coax) to a 120 ohm balanced RJ45. Those are widely available and not very expensive. http://en.wikipedia.org/wiki/Balun BR, Sibbi > From: Peter Rathlev > Date: Thu, 19 Nov 2009 13:35:29 +0100 > To: Aled Morris > Cc: cisco-nsp > Subject: Re: [c-nsp] Coax E1 over IP > > On Thu, 2009-11-19 at 13:23 +0100, Aled Morris wrote: >> Have you looked at NM-CEM-4TE1 for the 2800? > > I've looked briefly at it, but it only seems to have RJ45 connectors[1], > not BNC for coax. Otherwise it seems to fit the purpose. > > What can one do to take an E1 circuit from coax? > > -- > Peter > > [1]: According to > http://www.cisco.com/en/US/prod/collateral/routers/ps282/product_data_sheet091 > 86a00802045f5_ps5855_Products_Data_Sheet.html > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From z at amused.net Thu Nov 19 07:43:52 2009 From: z at amused.net (Patrick Cole) Date: Thu, 19 Nov 2009 23:43:52 +1100 Subject: [c-nsp] Coax E1 over IP In-Reply-To: <1258632667.2837.13.camel@abehat.dyn.net.rm.dk> References: <1258632667.2837.13.camel@abehat.dyn.net.rm.dk> Message-ID: <20091119124352.GA13633@amused.net> Peter, Offtopic slightly but RAD make a whole range of IPmuxes to do exactly what you are after: http://www.rad.com/3-2563/Pseudowire_Remote_Gateways/ Pat Thu, Nov 19, 2009 at 01:11:07PM +0100, Peter Rathlev wrote: > Hi everyone, > > We currently have a bunch of RAD FOM-E1/T1 modems.
They work in pairs > converting E1 (entering via coax) to optical signaling carried via > single mode fiber to another modem that converts back to coax. > > Since we have practically no way of monitoring the RAD modems, and since > it seems wasteful to use a pair on SMF just for a 2048kbps signal we > would like instead to utilize some kind of "E1 over IP". > > Would anybody know how this can be achieved? We're thinking about Cisco > 2800 routers that could convert an incoming coax E1 signal to IP and > then route this over our core network. Does that make sense? I can't > seem to find any coax interfaces for the 2800, only RJ45 interfaces. Are > we out of luck on that one? > > And would anyone have any pointers to a "E1 over IP" basic configuration > we could look at? > > Thanks in advance. > > -- > Peter > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From amsoares at netcabo.pt Thu Nov 19 08:49:23 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Thu, 19 Nov 2009 13:49:23 -0000 Subject: [c-nsp] Catalyst 4507R Single Point of Failure Message-ID: <6E32FD5EA07847DAA281986CD62FF534@int.convex.pt> Group, This is happening to a Catalyst 4507R:
%C4K_IOSMODPORTMAN-4-FANTRAYBAD: Fan tray has failed
%C4K_CHASSIS-2-INSUFFICIENTFANSDETECTED: Too few working fans in fan tray, the chassis will overheat.
If not resolved, in 4 minutes all line cards will be placed into Reset-Mode
%C4K_CHASSIS-2-INSUFFICIENTFANSSHUTDOWN: Resetting linecards due to fan tray failure
%C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 3 is offline
%C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 4 is offline
%C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 6 is offline
%C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 7 is offline
%C4K_IOSMODPORTMAN-6-FANTRAYGOOD: Fan tray is okay
I verified that only 1 out of 6 of the fans composing the Fan Tray is stopped. Any way to stop this automatic shutdown? It's hard to understand why a Catalyst with Dual Supervisors and Dual Power Supplies will stop because of this. Thanks. Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt From peter at rathlev.dk Thu Nov 19 08:53:45 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 19 Nov 2009 14:53:45 +0100 Subject: [c-nsp] Coax E1 over IP In-Reply-To: <20091119124605.GE23204@virtual.bogons.net> References: <1258632667.2837.13.camel@abehat.dyn.net.rm.dk> <9ef3fe9c0911190423g502567dbm7dd65641e75f9219@mail.gmail.com> <1258634129.2837.16.camel@abehat.dyn.net.rm.dk> <20091119124605.GE23204@virtual.bogons.net> Message-ID: <1258638825.2837.82.camel@abehat.dyn.net.rm.dk> On Thu, 2009-11-19 at 12:46 +0000, Simon Lockhart wrote: > On Thu Nov 19, 2009 at 01:35:29PM +0100, Peter Rathlev wrote: > > What can one do to take an E1 circuit from coax? > > Put it through an RJ45 to Coax balun? The difference between RJ45 and > Coax is purely electrical, and baluns to convert are easily available > and at low cost. Ah but of course. This "balun" thingamabob was exactly what we needed to know about. This goes to show that we really don't know anything about these technologies. :-) Thanks Simon and Sigurbjörn. Then we just need to figure out how to configure this. Since I don't know anything about it at all I don't know what to search for. Would anybody have any pointers for this?
-- Peter From jan.gregor at chronix.org Thu Nov 19 09:44:26 2009 From: jan.gregor at chronix.org (Jan Gregor) Date: Thu, 19 Nov 2009 15:44:26 +0100 Subject: [c-nsp] ASA IPSec weirdness In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124E586338C@zy-ex1.zyedge.local> References: <4B03CC3E.1080607@chronix.org> <6E21B2BDEF6E714EA0B5BA8D5D0E140124E586338C@zy-ex1.zyedge.local> Message-ID: <4B0559CA.2020400@chronix.org> Hello, Ryan West wrote: > Jan, > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jan Gregor > Sent: Wednesday, November 18, 2009 5:28 AM > > Hello all, > > recently I got an issue with an L2L IPSec tunnel on one of our ASA firewalls. > > The problem is that when the remote site initiates the connection, the ASA > negotiates the association as though it is a VPN Client (ipsec-ra is > also configured on the same firewall). > Not working association (asa is responder): > Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x > ... > inbound esp sas: > spi: 0xCD25D187 (3441807751) > transform: esp-3des esp-sha-hmac none > in use settings ={L2L, Tunnel, } > slot: 0, conn_id: 2709, crypto-map: VPNClientMap > > Working association (asa is initiator): > Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x > ...
> inbound esp sas: > spi: 0xF9214935 (4179708213) > transform: esp-3des esp-sha-hmac none > in use settings ={L2L, Tunnel, } > slot: 0, conn_id: 2710, crypto-map: outside_map > > ASA configuration looks like this: > crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA > crypto dynamic-map VPNClientMap 1 set reverse-route > crypto map outside_map 1 match address outside_1_cryptomap > crypto map outside_map 1 set peer a.a.a.a > crypto map outside_map 1 set transform-set ESP-3DES-SHA > crypto map outside_map 1 set security-association lifetime seconds 3600 > crypto map outside_map 2 match address outside_2_cryptomap > crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap > > ---------------- > > Are you sure they are landing on your tunnel with the right address? The fact that it's hitting your dyn map makes me think they are coming from another address. Do you have control of the remote end, do you know what type of device it is? Can you enable some isakmp debugs to capture more traffic. As the responder, you'll be able to gather the most useful debug, you should be able to figure out what's going with a debug cry isa 255. > > -ryan You got it almost right. The problem was that the remote endpoint tried to establish the VPN with a different local proxy, unknown to the ASA. This caused a mismatch in all crypto map instances and it fell into the VPN Client map. Since both phase 1 and phase 2 policies were the same for both L2L VPN and VPN Clients, the association established "ok", which pretty effectively disabled any further IPSec associations to the same peer :). Since the ASA is doing VPN connections to multiple sites, it was quite some reading through debug logs, but "debug crypto isakmp 255" really did the trick. Many thanks.
Best regards, Jan Gregor From SHughes at GREnergy.com Thu Nov 19 10:30:10 2009 From: SHughes at GREnergy.com (Hughes, Scott GRE-MG) Date: Thu, 19 Nov 2009 09:30:10 -0600 Subject: [c-nsp] Coax E1 over IP In-Reply-To: <1258638825.2837.82.camel@abehat.dyn.net.rm.dk> References: <1258632667.2837.13.camel@abehat.dyn.net.rm.dk> <9ef3fe9c0911190423g502567dbm7dd65641e75f9219@mail.gmail.com> <1258634129.2837.16.camel@abehat.dyn.net.rm.dk> <20091119124605.GE23204@virtual.bogons.net> <1258638825.2837.82.camel@abehat.dyn.net.rm.dk> Message-ID: We use the CEM modules. They are quite cool. We use them to provide DR for analog T1's. I wrote a small tutorial. http://www.scotthughes.org/cem-failover 2 things to consider: -The cards don't work in the G2 (3945, etc) ISR routers. Haven't tried it, but that's what I've been told. -Ask your sales team on the end of sale status on these cards. That may be an issue for you. Scott Sent from my iPhone. On Nov 19, 2009, at 7:56 AM, "Peter Rathlev" wrote: > On Thu, 2009-11-19 at 12:46 +0000, Simon Lockhart wrote: >> On Thu Nov 19, 2009 at 01:35:29PM +0100, Peter Rathlev wrote: >>> What can one do to take an E1 circuit from coax? >> >> Put it through an RJ45 to Coax balun? The difference between RJ45 and >> Coax is purely electrical, and baluns to convert are easily available >> and at low cost. > > Ah but of course. This "balun" thingamabob was exactly what we > needed to > know about. This goes to show that we really don't know anything about > these technologies. :-) > > Thanks Simon and Sigurbjörn. > > Then we just need to figure out how to configure this. Since I don't > know anything about it at all I don't know what to search for. Would > anybody have any pointers for this?
> > -- > Peter > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From asturluismi at gmail.com Thu Nov 19 11:12:14 2009 From: asturluismi at gmail.com (luismi) Date: Thu, 19 Nov 2009 17:12:14 +0100 Subject: [c-nsp] Recommended steps to avoid 100% CPU while executing "debug ip nat" Message-ID: <1258647134.13579.2.camel@hal9000> Hi all, We have executed this morning "debug ip nat" in a 7206VXR with very bad results. The router was overloaded for a while and at the end we needed to reboot it. I was doing some research but I would like to hear from you too. As a plan we have deployed CoPP configuration for management traffic, and I am thinking on playing with the "scheduler" command; the problem is that I don't know what could be the correct "scheduler" configurations. Any ideas/suggestions? From amsoares at netcabo.pt Thu Nov 19 11:30:24 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Thu, 19 Nov 2009 16:30:24 -0000 Subject: [c-nsp] Catalyst 4507R Single Point of Failure Message-ID: <29EF4C157D774EC4B7ECEF85EDFD8A64@int.convex.pt> More details about the system: IOS cat4000-i9s-mz.122-18.EW7.bin Dual Sup-IV (4515). We are going to replace the Fan Tray in about 2 hours. Then we will verify in the lab with more detail how many fans are failing. I'll keep you updated. But no matter how many Fans are faulty, i was expecting that, even if the entire Fan Tray fails, there was a way to override the system auto-shutdown.
Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt -----Original Message----- From: Antonio Soares [mailto:amsoares at netcabo.pt] Sent: Thursday, 19 November 2009 13:49 To: 'cisco-nsp at puck.nether.net' Subject: Catalyst 4507R Single Point of Failure Group, This is happening to a Catalyst 4507R:
%C4K_IOSMODPORTMAN-4-FANTRAYBAD: Fan tray has failed
%C4K_CHASSIS-2-INSUFFICIENTFANSDETECTED: Too few working fans in fan tray, the chassis will overheat. If not resolved, in 4 minutes all line cards will be placed into Reset-Mode
%C4K_CHASSIS-2-INSUFFICIENTFANSSHUTDOWN: Resetting linecards due to fan tray failure
%C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 3 is offline
%C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 4 is offline
%C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 6 is offline
%C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 7 is offline
%C4K_IOSMODPORTMAN-6-FANTRAYGOOD: Fan tray is okay
I verified that only 1 out of 6 of the fans composing the Fan Tray is stopped. Any way to stop this automatic shutdown? It's hard to understand why a Catalyst with Dual Supervisors and Dual Power Supplies will stop because of this. Thanks. Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt From oboehmer at cisco.com Thu Nov 19 11:47:49 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Thu, 19 Nov 2009 17:47:49 +0100 Subject: [c-nsp] Recommended steps to avoid 100% CPU while executing "debugip nat" In-Reply-To: <1258647134.13579.2.camel@hal9000> References: <1258647134.13579.2.camel@hal9000> Message-ID: <6E4D2678AC543844917CA081C9D6B33FB8E25E@XMB-AMS-103.cisco.com> > > We have executed this morning "debug ip nat" in a 7206VXR with very bad > results. > The router was overloaded for a while and at the end we needed to reboot > it.
> well, any "busy" debug can kill a box, but the following recommendations can help to mitigate the risk (not get rid of it completely) - disable console logging (this should be a best practice) - disable sending debugs to syslog (logging trap informational) - don't do "term moni" while turning on debugs, to reduce the telnet/ssh/tcp load; instead log the debugs into the logging buffer (need to increase it), and use "show log" to view the results. > I was doing some research but I would like to hear from you too. > As a plan we have deployed CoPP configuration for management traffic, > and I am thinking on play with the "scheduler" command, the problem is > that I don't know what could be the correct "scheduler" configurations. on the 7200, I've seen scheduler allocate 3000 1000 and 4000 1000 being used successfully (default is 4000 200), to give more response to user processes. There could be a minor performance dip as you devote more CPU time to user processes, not sure if you'll be able to observe any in real life.. oli From sukiwish at gmail.com Thu Nov 19 11:51:22 2009 From: sukiwish at gmail.com (Don Wishnek) Date: Thu, 19 Nov 2009 11:51:22 -0500 Subject: [c-nsp] redistributing eigrp routes into bgp with tag intact Message-ID: Is there any way I can get a route tagged in eigrp redistributed into bgp with the tag intact?
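One way to do what Don asks, added here as a worked example and not part of the thread: it follows the discrete-tag approach Oliver describes in his reply below, carries each tag across BGP as a standard community, and decodes the community back into a tag on the far router, so the tag survives end to end rather than only as far as the BGP table. EIGRP AS 100, BGP AS 65000, the neighbor address 10.0.0.2, the tag values 100 and 200, the community values and the EIGRP seed metric are all assumptions made for the example.

```cisco
! Added example, not from the thread. Assumed values: EIGRP AS 100,
! BGP AS 65000, iBGP neighbor 10.0.0.2, tags 100/200 mapped to
! communities 65000:100 and 65000:200.
!
! --- Router A: EIGRP -> BGP, tag encoded as a community ---
ip bgp-community new-format
!
route-map EIGRP2BGP permit 10
 match tag 100
 set community 65000:100
!
route-map EIGRP2BGP permit 20
 match tag 200
 set community 65000:200
!
! Clause with no match: routes carrying no tag, or a tag not listed
! above, are still redistributed (just without a community). Without
! this clause the route-map's implicit deny would drop them.
route-map EIGRP2BGP permit 30
!
router bgp 65000
 redistribute eigrp 100 route-map EIGRP2BGP
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
! --- Router B: BGP -> EIGRP, community decoded back into the tag ---
ip bgp-community new-format
!
ip community-list standard TAG100 permit 65000:100
ip community-list standard TAG200 permit 65000:200
!
route-map BGP2EIGRP permit 10
 match community TAG100
 set tag 100
!
route-map BGP2EIGRP permit 20
 match community TAG200
 set tag 200
!
! Same reason as on A: let routes without a known community through.
route-map BGP2EIGRP permit 30
!
router eigrp 100
 redistribute bgp 65000 metric 100000 100 255 1 1500 route-map BGP2EIGRP
!
! Checks (prefix 10.1.1.0/24 assumed to be tagged 100 in EIGRP on A):
!   A: show ip bgp 10.1.1.0/24      -> "Community: 65000:100"
!   B: show ip route 10.1.1.0       -> EIGRP external route with Tag 100
```

The two trailing permit clauses are the part people forget: a route-map applied to redistribution ends in an implicit deny, so enumerating tags without a catch-all quietly filters every other route. If that filtering is in fact what you want (for example, so that only tagged customer routes ever leave EIGRP), remove the catch-all deliberately and note why in the config. This mapping is only workable for a small, fixed set of tag values; a general tag-to-community mapping is not something a route-map can express.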
>
> I've looked briefly at it, but it only seems to have RJ45 connectors[1],
> not BNC for coax. Otherwise it seems to fit the purpose.
>
> What can one do to take an E1 circuit from coax?

Use the Cisco part number CAB-E1-RJ45BNC= or generic equivalent to connect to the RJ-45 on the router and the BNC connectors on the E1 smartjack.

--
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


From leonardo.souza at nec.com.br Thu Nov 19 12:56:13 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Thu, 19 Nov 2009 15:56:13 -0200
Subject: [c-nsp] RES: Recommended steps to avoid 100% CPU while executing "debug ip nat"
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FB8E25E@XMB-AMS-103.cisco.com>
References: <1258647134.13579.2.camel@hal9000> <6E4D2678AC543844917CA081C9D6B33FB8E25E@XMB-AMS-103.cisco.com>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02E21F95@spsrvmail03.nec.br>

Also when possible, filter the debug by using 'debug condition xxxx'.

[]'s


From merlyn at Geeks.ORG Thu Nov 19 12:44:13 2009
From: merlyn at Geeks.ORG (Doug McIntyre)
Date: Thu, 19 Nov 2009 11:44:13 -0600
Subject: [c-nsp] Router advice
In-Reply-To: <4B046715.9010303@rollernet.us>
References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <4B04579E.5050502@rollernet.us> <4B045E1D.7070003@itpro.co.nz> <4B046715.9010303@rollernet.us>
Message-ID: <20091119174413.GA66808@geeks.org>

On Wed, Nov 18, 2009 at 01:28:53PM -0800, Seth Mattinen wrote:
> Ivan wrote:
> > You may also want to check out the new ISR models (ISR G2
> > http://www.cisco.com/go/isrg2).
> >
> I get the impression from reading about the new "universal" image that
> they phone home for license keys before it will activate features. Is
> this accurate?
No, you get base level features out of the box, and you can activate the advanced features that are licensed on a trial basis for x days until you can get your PACs from the Cisco license website and apply it permanently to that box.


From oboehmer at cisco.com Thu Nov 19 14:08:09 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 19 Nov 2009 20:08:09 +0100
Subject: [c-nsp] redistributing eigrp routes into bgp with tag intact
In-Reply-To:
References:
Message-ID: <6E4D2678AC543844917CA081C9D6B33FB8E2F3@XMB-AMS-103.cisco.com>

> Is there any way I can get a route tagged in eigrp redistributed into bgp
> with the tag intact?

don't think this is possible, so you would need to do it manually when you are using discrete values for EIGRP tag:

route-map foo permit 10
 match tag <tag-value-1>
 set community <community-1>
!
route-map foo permit 20
 match tag <tag-value-2>
 set community <community-2>
!

Not really scalable to do this for all 4294967296 possible tag values ;-)

	oli


From ashnet2009 at gmail.com Thu Nov 19 14:21:04 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Thu, 19 Nov 2009 14:21:04 -0500
Subject: [c-nsp] ASR-1002 Feedback
Message-ID: <896a291f0911191121j27327b46ta4085a445ee646ba@mail.gmail.com>

Hi Folks,

We're looking for a new Edge routing platform for our Core DC locations. This platform will terminate our internet links and bigger private links. ASR1002 on paper appears to be a good fit for our requirements. In the recent past, there have been reported issues with IOS stability and Featureset (Netflow/Mcast etc) issues with the Product.

At this point, I'm looking for some feedback as to where the Platform is at from a software/hw reliability standpoint (ESP5 vs 10/POS/Ethernet (1/10G) SPA's) today. Any major issues/limitations or shortcomings (# of ports in an EtherChannel?) that currently exist and overall feel of the Enterprise folks who've deployed the Router in production.

Any feedback is greatly appreciated.
Thanks in advance


From sethm at rollernet.us Thu Nov 19 14:53:22 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 19 Nov 2009 11:53:22 -0800
Subject: [c-nsp] Router advice
In-Reply-To: <20091119174413.GA66808@geeks.org>
References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <4B04579E.5050502@rollernet.us> <4B045E1D.7070003@itpro.co.nz> <4B046715.9010303@rollernet.us> <20091119174413.GA66808@geeks.org>
Message-ID: <4B05A232.4000005@rollernet.us>

Doug McIntyre wrote:
> On Wed, Nov 18, 2009 at 01:28:53PM -0800, Seth Mattinen wrote:
>> Ivan wrote:
>>> You may also want to check out the new ISR models (ISR G2
>>> http://www.cisco.com/go/isrg2).
>>>
>> I get the impression from reading about the new "universal" image that
>> they phone home for license keys before it will activate features. Is
>> this accurate?
>
> No, you get base level features out of the box, and you can activate
> the advanced features that are licensed on a trial basis for x days
> until you can get your PACs from the Cisco license website and apply
> it permanently to that box.
>

Are they backup-able? That is, can you get the device back to full functionality from local copies without access to the website? What happens if hardware gets stolen or somebody yanks the flash card and loses it? Can you still keep spares in storage?
~Seth


From Charles.Church at harris.com Thu Nov 19 15:00:54 2009
From: Charles.Church at harris.com (Church, Charles)
Date: Thu, 19 Nov 2009 15:00:54 -0500
Subject: [c-nsp] One-way traffic using L2TPv3
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F1043B6738BC@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F1043B5E338D@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F1043B6738BC@MLBMXUS2.cs.myharris.net>
Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B6738FA@MLBMXUS2.cs.myharris.net>

Hey all,

Just for the record, it seems my issue was tied into using an xconnect statement on a port on a 16 port ESW module, even though there was a 'no switchport' on there. Upgrading to 12.4(25b) didn't fix it, in fact, it made it worse, no traffic in either direction. But when I moved the xconnect to the built-in ethernet port, and used subints for VLANs, no issue, worked like it should.

P.S. Throughput seems pretty good. Random frame sizes (even dist) from 600 bytes to 1400 bytes (avoiding any fragmentation) had 95 mbit bi-directionally at 90% CPU on the 3660. All interrupt traffic.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
Sent: Wednesday, November 18, 2009 5:05 PM
To: nsp-cisco
Subject: [c-nsp] One-way traffic using L2TPv3

Anyone,

Labbing up L2TPv3 on a couple routers back to back, having some issues with just one way traffic. Topology looks like this:

Ixia(port3)----Fa1/8(3660)Fa0/0----Fa0/0(3660)Fa1/8----(port4)Ixia

Both Ixia ports are sending traffic, but only port4 is receiving any traffic. Port Fa1/8 on the right 3660 shows packets coming in, but 'sh l2tun sess pack' on the right 3660 doesn't show any packets in, which the fa0/0 interface counters confirm. Any idea what would cause this one-way behavior? When I put the 4 ports in a bridge group (ieee), traffic flowed as expected, so I know the Ixia isn't to blame.
Relevant config:

R3 (left)

l2tp-class testclass
 authentication
 password 7 05080F1C2243
!
pseudowire-class test-pclass
 encapsulation l2tpv3
 protocol l2tpv3 testclass
 ip local interface FastEthernet0/0
 ip pmtu
!
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip flow ingress
 duplex auto
 speed auto
!
!
interface FastEthernet1/8
 no switchport
 no ip address
 no cdp enable
 xconnect 10.0.0.2 400 encapsulation l2tpv3 pw-class test-pclass
!

R4 (right)

l2tp-class testclass
 authentication
 password 7 05080F1C2243
!
pseudowire-class test-pclass
 encapsulation l2tpv3
 protocol l2tpv3 testclass
 ip local interface FastEthernet0/0
 ip pmtu
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.252
 ip flow ingress
 duplex auto
 speed auto
 hold-queue 150 out
!
!
interface FastEthernet1/8
 no switchport
 no ip address
 no cdp enable
 xconnect 10.0.0.1 400 encapsulation l2tpv3 pw-class test-pclass
!

Any ideas? IOS is 12.4(10) IK9S, platform is 3660.

Thanks,

Chuck


From pshem.k at gmail.com Thu Nov 19 15:26:46 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Fri, 20 Nov 2009 09:26:46 +1300
Subject: [c-nsp] ASR-1002 Feedback
In-Reply-To: <896a291f0911191121j27327b46ta4085a445ee646ba@mail.gmail.com>
References: <896a291f0911191121j27327b46ta4085a445ee646ba@mail.gmail.com>
Message-ID: <20fe625b0911191226n11a5ac28od2ae7ab8d3ef26c@mail.gmail.com>

Hi,

We've been using various ASR1k variants for the last few months. Generally the experience's been positive. Devices deliver what is expected in terms of performance without even breaking a sweat. We used them mainly as border routers (in a PE configuration).

One thing that you have to pay some attention to is features - since the platform is relatively new (and effectively hardware-based, so features take some time to add) some things that you might need might not be there yet. At some stage (around 2.2.1 if I recall correctly) you could configure PortChannel, but it wouldn't work.
One other feature that we're missing is 6VPE (that is coming in a few months), but I'm sure that there are some others too.

I admit that my experience is SP based, but I believe that the ASR1k is the way of the future for small-ish Ethernet aggregation.

kind regards
Pshem

2009/11/20 Ash Net :
> Hi Folks,
>
> We're looking for a new Edge routing platform for our Core DC
> locations. This platform will terminate our internet links and bigger
> private links. ASR1002 on paper appears to be a good fit for our
> requirements. In the recent past, there have been reported issues with
> IOS stability and Featureset (Netflow/Mcast etc) issues with the
> Product.
>
> At this point, I'm looking for some feedback as to where the Platform
> is at from a software/hw reliability standpoint (ESP5 vs
> 10/POS/Ethernet (1/10G) SPA's) today. Any major issues/limitations or
> shortcomings (# of ports in an EtherChannel?) that currently exist and
> overall feel of the Enterprise folks who've deployed the Router in
> production.
>
> Any feedback is greatly appreciated.
>
> Thanks in advance
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


From geert.nijs at gmail.com Thu Nov 19 17:39:57 2009
From: geert.nijs at gmail.com (Geert Nijs)
Date: Thu, 19 Nov 2009 23:39:57 +0100
Subject: [c-nsp] Hi all
Message-ID:

Hello all,

I am new to the list. I have been looking around in the archives, and I was surprised with the technical knowledge present in this list. I don't really have a service provider background, but more of an enterprise switching/datacenter switching background.
Looking forward to some interesting discussions,

cheers,
Geert Nijs
CCIE#13729


From rgolodner at infratection.com Thu Nov 19 17:54:50 2009
From: rgolodner at infratection.com (Richard Golodner)
Date: Thu, 19 Nov 2009 16:54:50 -0600
Subject: [c-nsp] Hi all
In-Reply-To:
References:
Message-ID: <1258671290.9870.16.camel@Andromeda>

On Thu, 2009-11-19 at 23:39 +0100, Geert Nijs wrote:
> the technical knowledge present in this list

The information and help available here is the best, and welcome to the list. I have been benefiting from C-NSP for years and the people are also very kind. Try and help when you can and the community will answer back when you need some advice or assistance. I am not a service provider, just a guy who uses and works on Cisco gear.

Most sincerely, Richard


From fwc at mt.net Thu Nov 19 22:52:05 2009
From: fwc at mt.net (Forrest W. Christian)
Date: Thu, 19 Nov 2009 20:52:05 -0700
Subject: [c-nsp] RFC-1483 on Cisco 12000
Message-ID: <4B061265.4080200@mt.net>

I have a new-to-me Cisco 12008 which I am working on swapping in as a replacement for a 7206VXR which was moving way too much traffic.... GRP, Engine 1 Giga-E, Engine 0 Quad ATM OC3.

Things have gone really well, and I'm quite happy so far... But ended up with one surprise. Didn't realize the 12008 won't bridge an ATM PVC to a VLAN (or any ethernet for that matter)...

Basically we have a few things which we extend an 802.1q vlan across a point to point ATM circuit to a far end for. I have a couple of ideas on how to get around it, but would really prefer that the 12008 do the work. Doesn't look like an option for me - but figured I'd ask if anyone knows of something I missed.... The other ends of the ATM circuit are various old and new ciscos, some with MPLS, and some not, although it doesn't look like the 12008 will do EoMPLS either with the engines I have.

Probably will look at some other options using a tunnel or similar.
-forrest


From mrz at velvet.org Thu Nov 19 23:30:06 2009
From: mrz at velvet.org (matthew zeier)
Date: Thu, 19 Nov 2009 20:30:06 -0800
Subject: [c-nsp] ASR-1002 Feedback
In-Reply-To: <20fe625b0911191226n11a5ac28od2ae7ab8d3ef26c@mail.gmail.com>
References: <896a291f0911191121j27327b46ta4085a445ee646ba@mail.gmail.com> <20fe625b0911191226n11a5ac28od2ae7ab8d3ef26c@mail.gmail.com>
Message-ID: <4B061B4E.7000203@velvet.org>

On 11/19/2009 12:26 PM, Pshem Kowalczyk wrote:
> Hi,
>
> We've been using various ASR1k variants for the last few months.
> Generally the experience's been positive. Devices deliver what is
> expected in terms of performance without even breaking a sweat. We

What sort of performance are you seeing? Cisco's site is a bit obtuse in that area.


From kgraham at industrial-marshmallow.com Fri Nov 20 00:09:49 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Thu, 19 Nov 2009 21:09:49 -0800 (PST)
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <2460F1476CDEBC45835CD3506BA8BF3801A5B6C34480@EX08.res.bec.dk>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <6bb5f5b10911170722h7a0d70ceq9b3a4101e93363ab@mail.gmail.com> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com> <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com> <2460F1476CDEBC45835CD3506BA8BF3801A5B6C34480@EX08.res.bec.dk>
Message-ID: <6109.62231.qm@web507.biz.mail.mud.yahoo.com>

> Problem also with SNMP ACL bypass with SXI3 on VSS setup. If you configure ACL
> to protect access to SNMP RO or RW, the ACL is not filtering and access is
> granted to anyone (if you know the community string of course).

Ouch, will want to track this before moving off of SXH rebuilds and SXI2a... Do you have the bugid for that (presumably not present pre-SXI3)?
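The bypass quoted above means an ACL can be present on a community string yet not enforced, which is the kind of gap that only shows up if someone is checking. As an added example (not code from the list, from Cisco, or from any project; the running-config it parses is constructed for illustration), here is a small Python audit that reads an IOS-style configuration and reports SNMP communities with no ACL bound, an ACL that is referenced but never defined, an ACL that permits any host, or read-write access. It handles numbered ACLs and named standard/extended ACL blocks, and the `view` keyword form of the community line.

```python
"""Audit an IOS running-config for SNMP communities that are not
restricted by an access-list.

Added example for the SNMP ACL discussion on this list; it is not code
from the list, from Cisco, or from any project. SAMPLE_CONFIG is a
constructed running-config, not taken from a real device.
Recognised forms:
  snmp-server community <string> [view <name>] [RO|RW] [<acl>]
  access-list <number> permit|deny ...
  ip access-list standard|extended <name>   (entries indented below it)
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
! constructed sample running-config (not from a real device)
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any log
!
access-list 99 permit any
!
snmp-server community netops-ro RO MGMT-HOSTS
snmp-server community legacy-rw RW 99
snmp-server community open-ro RO
snmp-server community ops-view view cutdown RO MGMT-HOSTS
snmp-server community stale-ro RO OLD-ACL
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$"
)


@dataclass(frozen=True)
class Finding:
    community: str
    mode: str            # RO or RW (IOS defaults to RO when omitted)
    acl: Optional[str]   # ACL name/number bound to the community, if any
    problem: str


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Collect ACL entries keyed by ACL number or name."""
    acls: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^access-list (\d+) (.+)$", line)
        if m:  # numbered ACL: one entry per line
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
            continue
        m = re.match(r"^ip access-list (?:standard|extended) (\S+)$", line)
        if m:  # named ACL: its entries follow, indented
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if current is not None and line.startswith(" "):
            acls[current].append(line.strip())
            continue
        current = None  # any other top-level line closes a named ACL block
    return acls


def acl_permits_any(entries: List[str]) -> bool:
    """True when an entry is 'permit any' or 'permit ip any ...'."""
    return any(re.match(r"permit\s+(?:ip\s+)?any\b", e) for e in entries)


def audit_snmp(config: str) -> List[Finding]:
    """Report communities whose ACL protection is absent, undefined or open."""
    acls = parse_acls(config)
    findings: List[Finding] = []
    for raw in config.splitlines():
        m = COMMUNITY_RE.match(raw.strip())
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        if acl is None:
            findings.append(Finding(community, mode, None, "no access-list bound"))
        elif acl not in acls:
            # A referenced but undefined ACL gives no protection at all.
            findings.append(Finding(community, mode, acl, "access-list not defined"))
        elif acl_permits_any(acls[acl]):
            findings.append(Finding(community, mode, acl, "access-list permits any"))
        if mode == "RW":
            findings.append(Finding(community, mode, acl, "read-write community"))
    return findings


def unprotected_communities(config: str) -> List[str]:
    """Names of communities with at least one finding, in config order."""
    seen: List[str] = []
    for f in audit_snmp(config):
        if f.community not in seen:
            seen.append(f.community)
    return seen


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"{f.community:12} {f.mode:2} acl={f.acl or '-':10} {f.problem}")
```

The caveat is the one this thread is about: a configuration audit shows intended policy, not enforcement. On code where the ACL is silently not applied, the audit above would come back clean while the community is reachable from anywhere, so the enforcement has to be confirmed against the running device (an SNMP request from a host the ACL is supposed to deny should fail), and a read-write community that cannot be restricted should be removed or moved behind other controls until the fixed release is in place.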
From geert.nijs at gmail.com Fri Nov 20 02:39:00 2009
From: geert.nijs at gmail.com (Geert Nijs)
Date: Fri, 20 Nov 2009 08:39:00 +0100
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <6109.62231.qm@web507.biz.mail.mud.yahoo.com>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com> <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com> <2460F1476CDEBC45835CD3506BA8BF3801A5B6C34480@EX08.res.bec.dk> <6109.62231.qm@web507.biz.mail.mud.yahoo.com>
Message-ID:

I am also interested in a bug id. I am running the same setup, still version SXI1, but it has been running fine.
Yet another thing for me on my to-do-list: verify this on SXI1.

regards,
Geert

2009/11/20 Kevin Graham
>
> > Problem also with SNMP ACL bypass with SXI3 on VSS setup. If you configure ACL
> > to protect access to SNMP RO or RW, the ACL is not filtering and access is
> > granted to anyone (if you know the community string of course).
>
> Ouch, will want to track this before moving off of SXH rebuilds and
> SXI2a... Do you have the bugid for that (presumably not present pre-SXI3)?
>


From dgranzer at gmail.com Fri Nov 20 02:56:49 2009
From: dgranzer at gmail.com (David Granzer)
Date: Fri, 20 Nov 2009 08:56:49 +0100
Subject: [c-nsp] RFC-1483 on Cisco 12000
In-Reply-To: <4B061265.4080200@mt.net>
References: <4B061265.4080200@mt.net>
Message-ID: <844ef89c0911192356r352af707pd6d0cbb26f7b6167@mail.gmail.com>

Hi,

there is a feature for this, BPVCs (bridged-style permanent virtual circuits), see
http://www.cisco.com/en/US/tech/tk39/tk48/technologies_configuration_example09186a0080094ceb.shtml

David

On Fri, Nov 20, 2009 at 4:52 AM, Forrest W. Christian wrote:
> I have a new-to-me Cisco 12008 which I am working on swapping in as a
> replacement for a 7206VXR which was moving way too much traffic.... GRP,
> Engine 1 Giga-E, Engine 0 Quad ATM OC3.
>
> Things have gone really well, and I'm quite happy so far... But ended up
> with one surprise. Didn't realize the 12008 won't bridge an ATM PVC to a
> VLAN (or any ethernet for that matter)...
> Basically we have a few things which we extend an 802.1q vlan across a point
> to point ATM circuit to a far end for. I have a couple of ideas on how to
> get around it, but would really prefer that the 12008 do the work. Doesn't
> look like an option for me - but figured I'd ask if anyone knows of
> something I missed.... The other ends of the ATM circuit are various old
> and new ciscos, some with MPLS, and some not, although it doesn't look like
> the 12008 will do EoMPLS either with the engines I have.
>
> Probably will look at some other options using a tunnel or similar.
>
> -forrest
>


From pshem.k at gmail.com Fri Nov 20 03:15:22 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Fri, 20 Nov 2009 21:15:22 +1300
Subject: [c-nsp] ASR-1002 Feedback
In-Reply-To: <4B061B4E.7000203@velvet.org>
References: <896a291f0911191121j27327b46ta4085a445ee646ba@mail.gmail.com> <20fe625b0911191226n11a5ac28od2ae7ab8d3ef26c@mail.gmail.com> <4B061B4E.7000203@velvet.org>
Message-ID: <20fe625b0911200015p7e99417dwbdf01620dfef94c3@mail.gmail.com>

Hi,

2009/11/20 matthew zeier :
>
> What sort of performance are you seeing? Cisco's site is a bit obtuse in that
> area.

We're running the router as PE internet borders. With 6 full feeds into vrf and between 2Gb/s and 4Gb/s of inbound traffic the load is negligible (with ESP20).

What sort of performance metrics are you after?

kind regards
Pshem


From Christophe.Cardon at bec.dk Fri Nov 20 03:48:38 2009
From: Christophe.Cardon at bec.dk (Christophe Cardon)
Date: Fri, 20 Nov 2009 09:48:38 +0100
Subject: [c-nsp] SXI(3) code status?
In-Reply-To:
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <4B02D7BE.1020000@wbsconnect.com> <5E33255E-2403-439C-B602-CF5CBFA7F708@puck.nether.net> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com> <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com> <2460F1476CDEBC45835CD3506BA8BF3801A5B6C34480@EX08.res.bec.dk> <6109.62231.qm@web507.biz.mail.mud.yahoo.com>
Message-ID: <2460F1476CDEBC45835CD3506BA8BF3801A5B6C34883@EX08.res.bec.dk>

Bug id is CSCee55603

We have found it in SXI2a and it is still in SXI3. Cisco TAC says that the fix for the bug will be integrated in SXI4 which is planned for 2010.
________________________________
From: Geert Nijs [mailto:geert.nijs at gmail.com]
Sent: 20 November 2009 08:39
To: Kevin Graham
Cc: Christophe Cardon; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SXI(3) code status?

I am also interested in a bug id. I am running the same setup, still version SXI1, but it has been running fine.
Yet another thing for me on my to-do-list: verify this on SXI1.

regards,
Geert

2009/11/20 Kevin Graham
>
> > Problem also with SNMP ACL bypass with SXI3 on VSS setup. If you configure ACL
> > to protect access to SNMP RO or RW, the ACL is not filtering and access is
> > granted to anyone (if you know the community string of course).
>
> Ouch, will want to track this before moving off of SXH rebuilds and
> SXI2a... Do you have the bugid for that (presumably not present pre-SXI3)?


From amsoares at netcabo.pt Fri Nov 20 05:18:30 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 20 Nov 2009 10:18:30 -0000
Subject: [c-nsp] Catalyst 4507R Single Point of Failure
Message-ID: <1D9DD017C63549FA96342A12D6EA4EF2@int.convex.pt>

The Fan Tray (4597) was replaced and now everything is fine.
I will try to test the Faulty Fan Tray during the day and I will let you know what I found.

Still looking for an answer to this question:

- Is there any way to disable the system auto-shutdown?

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt]
Sent: Thursday, 19 November 2009 16:30
To: 'cisco-nsp at puck.nether.net'
Subject: RE: Catalyst 4507R Single Point of Failure

More details about the system:

IOS cat4000-i9s-mz.122-18.EW7.bin

Dual Sup-IV (4515).

We are going to replace the Fan Tray in about 2 hours.
Then we will verify in the lab with more detail how many fans are failing.

I'll keep you updated.

But no matter how many Fans are faulty, I was expecting that, even if the entire Fan Tray fails, there was a way to override the system auto-shutdown.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt


From geert.nijs at gmail.com Fri Nov 20 06:12:38 2009
From: geert.nijs at gmail.com (Geert Nijs)
Date: Fri, 20 Nov 2009 12:12:38 +0100
Subject: [c-nsp] SXI(3) code status?
In-Reply-To: <2460F1476CDEBC45835CD3506BA8BF3801A5B6C34883@EX08.res.bec.dk>
References: <56C2297B-DADF-4B68-BC64-CD1F275F4075@princeton.edu> <023457E3-56D7-4202-9F6D-6695B5CF016C@princeton.edu> <7cc5ada00911180138xd810528vcd5d99aeedeae616@mail.gmail.com> <4B03C5A8.30506@wbsconnect.com> <7cc5ada00911180229v353468c3g13724d9d48eb533e@mail.gmail.com> <2460F1476CDEBC45835CD3506BA8BF3801A5B6C34480@EX08.res.bec.dk> <6109.62231.qm@web507.biz.mail.mud.yahoo.com> <2460F1476CDEBC45835CD3506BA8BF3801A5B6C34883@EX08.res.bec.dk>
Message-ID:

ok, I verified the bug id, but it is clearly related to VRFs. In my case, I am not yet using VRFs, so I should be safe: just verified on SXI1 code and the SNMP ACL works (again: no VRFs configured).

regards,
Geert

2009/11/20 Christophe Cardon
> Bug id is CSCee55603
>
> We have found it in SXI2a and it is still in SXI3. Cisco TAC says that the
> fix for the bug will be integrated in SXI4 which is planned for 2010.
>
> ------------------------------
> *From:* Geert Nijs [mailto:geert.nijs at gmail.com]
> *Sent:* 20 November 2009 08:39
> *To:* Kevin Graham
> *Cc:* Christophe Cardon; cisco-nsp at puck.nether.net
> *Subject:* Re: [c-nsp] SXI(3) code status?
>
> I am also interested in a bug id. I am running the same setup, still
> version SXI1, but it has been running fine.
> Yet another thing for me on my to-do-list: verify this on SXI1.
>
> regards,
> Geert
>
> 2009/11/20 Kevin Graham
>
>>
>> > Problem also with SNMP ACL bypass with SXI3 on VSS setup. If you
>> configure ACL
>> > to protect access to SNMP RO or RW, the ACL is not filtering and access
>> is
>> > granted to anyone (if you know the community string of course).
>>
>> Ouch, will want to track this before moving off of SXH rebuilds and
>> SXI2a... Do
>> you have the bugid for that (presumably not present pre-SXI3)?
>>
>
>


From amsoares at netcabo.pt Fri Nov 20 06:52:37 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 20 Nov 2009 11:52:37 -0000
Subject: [c-nsp] Catalyst 4507R Single Point of Failure
Message-ID:

Group,

I'm now testing the faulty fan tray. I confirm that only one Fan is stopped. What happens with a different IOS/SUP is a surprise:

00:12:27: %C4K_IOSMODPORTMAN-4-FANTRAYPARTIALFAILURE: A fan or thermistor/s in system fan tray have failed
00:13:57: %C4K_IOSMODPORTMAN-4-FANTRAYGOOD: Fan tray is okay
00:24:52: %C4K_IOSMODPORTMAN-4-FANTRAYPARTIALFAILURE: A fan or thermistor/s in system fan tray have failed
00:31:27: %C4K_IOSMODPORTMAN-4-FANTRAYGOOD: Fan tray is okay

IOS=cat4500-ipbase-mz.122-31.SGA8.bin

So on this IOS, the auto-shutdown "feature" is not available.

I will now downgrade to "cat4000-i9s-mz.122-18.EW7.bin" to see if I'm able to replicate the problem.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt]
Sent: Friday, 20 November 2009 10:19
To: 'cisco-nsp at puck.nether.net'
Subject: RE: Catalyst 4507R Single Point of Failure

The Fan Tray (4597) was replaced and now everything is fine.
I will try to test the Faulty Fan Tray during the day and I will let you know what I found.

Still looking for an answer to this question:

- Is there any way to disable the system auto-shutdown?
Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt


From felixnkansah at gmail.com Fri Nov 20 07:31:24 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Fri, 20 Nov 2009 12:31:24 +0000
Subject: [c-nsp] Catalyst 4507R Single Point of Failure
In-Reply-To:
References:
Message-ID: <18dba4e50911200431r65c10747q2d56de14be52c19c@mail.gmail.com>

Never seen this problem before. It's fun to learn that the auto-shutdown feature is IOS feature-based.

Thanks for sharing.

On Fri, Nov 20, 2009 at 11:52 AM, Antonio Soares wrote:
> Group,
>
> I'm now testing the faulty fan tray. I confirm that only one Fan is
> stopped. What happens with a different IOS/SUP is a surprise:
>
> 00:12:27: %C4K_IOSMODPORTMAN-4-FANTRAYPARTIALFAILURE: A fan or thermistor/s
> in system fan tray have failed
> 00:13:57: %C4K_IOSMODPORTMAN-4-FANTRAYGOOD: Fan tray is okay
> 00:24:52: %C4K_IOSMODPORTMAN-4-FANTRAYPARTIALFAILURE: A fan or thermistor/s
> in system fan tray have failed
> 00:31:27: %C4K_IOSMODPORTMAN-4-FANTRAYGOOD: Fan tray is okay
>
> IOS=cat4500-ipbase-mz.122-31.SGA8.bin
>
> So on this IOS, the auto-shutdown "feature" is not available.
>
> I will now downgrade to "cat4000-i9s-mz.122-18.EW7.bin" to see if I'm able
> to replicate the problem.
> > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From masood at nexlinx.net.pk Fri Nov 20 07:34:23 2009 From: masood at nexlinx.net.pk (masood at nexlinx.net.pk) Date: Fri, 20 Nov 2009 17:34:23 +0500 (PKT) Subject: [c-nsp] Catalyst 4507R Single Point of Failure In-Reply-To: References: Message-ID: <49087.196.46.241.57.1258720463.squirrel@nexmail1.nexlinx.net.pk> not sure if this works on 4500... no environment-monitor shutdown temperature Kind Regards, Masood Blog: http://weblogs.com.pk/jahil/ > Group, > > I'm now testing the faulty fan tray. I confirm that only one Fan is > stopped. What happens with a different IOS/SUP is a surprise: > > 00:12:27: %C4K_IOSMODPORTMAN-4-FANTRAYPARTIALFAILURE: A fan or > thermistor/s in system fan tray have failed > 00:13:57: %C4K_IOSMODPORTMAN-4-FANTRAYGOOD: Fan tray is okay > 00:24:52: %C4K_IOSMODPORTMAN-4-FANTRAYPARTIALFAILURE: A fan or > thermistor/s in system fan tray have failed > 00:31:27: %C4K_IOSMODPORTMAN-4-FANTRAYGOOD: Fan tray is okay > > IOS=cat4500-ipbase-mz.122-31.SGA8.bin > > So on this IOS, the auto-shutdown "feature" is not available. > > I will now downgrade to "cat4000-i9s-mz.122-18.EW7.bin" to see if i'm able > to replicate the problem. > > > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > -----Original Message----- > From: Antonio Soares [mailto:amsoares at netcabo.pt] > Sent: sexta-feira, 20 de Novembro de 2009 10:19 > To: 'cisco-nsp at puck.nether.net' > Subject: RE: Catalyst 4507R Single Point of Failure > > The Fan Tray (4597) was replaced and now everthing is fine. > I will try to test the Faulty Fan Tray during the day and i will let you > know what i found. 
> > Still looking for an answer to this question: > > - Is there any way to disable the system auto-shutdown ? > > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > -----Original Message----- > From: Antonio Soares [mailto:amsoares at netcabo.pt] > Sent: quinta-feira, 19 de Novembro de 2009 16:30 > To: 'cisco-nsp at puck.nether.net' > Subject: RE: Catalyst 4507R Single Point of Failure > > More details about the system: > > IOS cat4000-i9s-mz.122-18.EW7.bin > > Dual Sup-IV (4515). > > We are going to replace the Fan Tray in about 2 hours. Then we will verify > in the lab with more detail how many fans are failing. > > I'll keep you updated. > > But no matter how many Fans are faulty, i was expecting that, even if the > entire Fan Tray fails, there was a way to override the > system auto-shutdown. > > > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > -----Original Message----- > From: Antonio Soares [mailto:amsoares at netcabo.pt] > Sent: quinta-feira, 19 de Novembro de 2009 13:49 > To: 'cisco-nsp at puck.nether.net' > Subject: Catalyst 4507R Single Point of Failure > > Group, > > This is happening to a Catalyst 4507R: > > %C4K_IOSMODPORTMAN-4-FANTRAYBAD: Fan tray has failed > %C4K_CHASSIS-2-INSUFFICIENTFANSDETECTED: Too few working fans in fan tray, > the chassis will overheat. If not resolved, in 4 minutes > all line cards will be placed into Reset-Mode > %C4K_CHASSIS-2-INSUFFICIENTFANSSHUTDOWN: Resetting linecards due to fan > tray failure > %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 3 is offline > %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 4 is offline > %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 6 is offline > %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 7 is offline > %C4K_IOSMODPORTMAN-6-FANTRAYGOOD: Fan tray is okay > > I verified that only 1 out of 6 of the fans composing the Fan Tray is > stopped. > > Any way to stop this automatic shutdown ? 
> It's hard to understand why a Catalyst with Dual Supervisors and Dual
> Power Supplies will stop because of this.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From amsoares at netcabo.pt Fri Nov 20 09:04:25 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 20 Nov 2009 14:04:25 -0000
Subject: [c-nsp] Catalyst 4507R Single Point of Failure
In-Reply-To: <49087.196.46.241.57.1258720463.squirrel@nexmail1.nexlinx.net.pk>
References: <49087.196.46.241.57.1258720463.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <9A26FA7B76C94523B42EE83B9656088D@int.convex.pt>

That command is not available on the 4500. Please share with us the IOS/Platform where this is available. It seems exactly what we need.

In the meanwhile, the problem is reproduced in the lab:

00:04:03: %C4K_IOSMODPORTMAN-4-FANTRAYBAD: Fan tray has failed
00:04:03: %C4K_CHASSIS-2-INSUFFICIENTFANSDETECTED: Too few working fans in fan tray, the chassis will overheat. If not resolved, in 4 minutes all line cards will be placed into Reset-Mode

So basically we learned that there are some IOS's with the auto-shutdown feature and that it can't be disabled. Now it would be nice to know where the behavior changed!

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: masood at nexlinx.net.pk [mailto:masood at nexlinx.net.pk]
Sent: sexta-feira, 20 de Novembro de 2009 12:34
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst 4507R Single Point of Failure

not sure if this works on 4500...

no environment-monitor shutdown temperature

Kind Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

> Group,
>
> I'm now testing the faulty fan tray. I confirm that only one Fan is
> stopped.
What happens with a different IOS/SUP is a surprise: > > 00:12:27: %C4K_IOSMODPORTMAN-4-FANTRAYPARTIALFAILURE: A fan or > thermistor/s in system fan tray have failed > 00:13:57: %C4K_IOSMODPORTMAN-4-FANTRAYGOOD: Fan tray is okay > 00:24:52: %C4K_IOSMODPORTMAN-4-FANTRAYPARTIALFAILURE: A fan or > thermistor/s in system fan tray have failed > 00:31:27: %C4K_IOSMODPORTMAN-4-FANTRAYGOOD: Fan tray is okay > > IOS=cat4500-ipbase-mz.122-31.SGA8.bin > > So on this IOS, the auto-shutdown "feature" is not available. > > I will now downgrade to "cat4000-i9s-mz.122-18.EW7.bin" to see if i'm able > to replicate the problem. > > > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > -----Original Message----- > From: Antonio Soares [mailto:amsoares at netcabo.pt] > Sent: sexta-feira, 20 de Novembro de 2009 10:19 > To: 'cisco-nsp at puck.nether.net' > Subject: RE: Catalyst 4507R Single Point of Failure > > The Fan Tray (4597) was replaced and now everthing is fine. > I will try to test the Faulty Fan Tray during the day and i will let you > know what i found. > > Still looking for an answer to this question: > > - Is there any way to disable the system auto-shutdown ? > > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > -----Original Message----- > From: Antonio Soares [mailto:amsoares at netcabo.pt] > Sent: quinta-feira, 19 de Novembro de 2009 16:30 > To: 'cisco-nsp at puck.nether.net' > Subject: RE: Catalyst 4507R Single Point of Failure > > More details about the system: > > IOS cat4000-i9s-mz.122-18.EW7.bin > > Dual Sup-IV (4515). > > We are going to replace the Fan Tray in about 2 hours. Then we will verify > in the lab with more detail how many fans are failing. > > I'll keep you updated. > > But no matter how many Fans are faulty, i was expecting that, even if the > entire Fan Tray fails, there was a way to override the > system auto-shutdown. 
> > > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > -----Original Message----- > From: Antonio Soares [mailto:amsoares at netcabo.pt] > Sent: quinta-feira, 19 de Novembro de 2009 13:49 > To: 'cisco-nsp at puck.nether.net' > Subject: Catalyst 4507R Single Point of Failure > > Group, > > This is happening to a Catalyst 4507R: > > %C4K_IOSMODPORTMAN-4-FANTRAYBAD: Fan tray has failed > %C4K_CHASSIS-2-INSUFFICIENTFANSDETECTED: Too few working fans in fan tray, > the chassis will overheat. If not resolved, in 4 minutes > all line cards will be placed into Reset-Mode > %C4K_CHASSIS-2-INSUFFICIENTFANSSHUTDOWN: Resetting linecards due to fan > tray failure > %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 3 is offline > %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 4 is offline > %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 6 is offline > %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 7 is offline > %C4K_IOSMODPORTMAN-6-FANTRAYGOOD: Fan tray is okay > > I verified that only 1 out of 6 of the fans composing the Fan Tray is > stopped. > > Any way to stop this automatic shutdown ? > > It's hard to understand why a Catalyst with Dual Supervisors and Dual > Power Supplies will stop because of this. > > > > > Thanks. > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mike-cisconsplist at tiedyenetworks.com Fri Nov 20 09:12:37 2009 From: mike-cisconsplist at tiedyenetworks.com (Mike) Date: Fri, 20 Nov 2009 06:12:37 -0800 Subject: [c-nsp] reverse path filtering doesn't seem to work Message-ID: <4B06A3D5.3070507@tiedyenetworks.com> Gang, I have a 3725 with some t1 interfaces. I want to be a good netizen and establish urpf on my customer facing interfaces to ensure they can't send me spoofed traffic. 
When I enable 'ip verify unicast source reachable-via rx' however, suddenly I can't ping the router on the other side. Here are the relevant configs:

interface Serial0/0
 ip unnumbered Loopback0
 ip access-group egress-antispoof out
 service-module t1 clock source internal
 service-module t1 remote-alarm-enable
 service-module t1 fdl both
end

ip route x.x.74.0 255.255.255.248 Serial0/0

ip access-list extended egress-antispoof
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 permit ip any any

Yes in my route table I have a directly connected route as per above:

  Known via "static", distance 1, metric 0 (connected)
  Redistributing via ospf 1
  Advertised by ospf 1 subnets
  Routing Descriptor Blocks:
  * directly connected, via Serial0/0
      Route metric is 0, traffic share count is 1

I am pinging from the router cli to x.x.74.1 and with the 'ip verify unicast' enabled, packets seem to be dropped. My expectation is simply that the above static route should be enough to tell 'ip verify' to allow x.x.74.0/29 as a source on this interface. Does anyone know what the deal might be?

Mike-

From RWerber at epiknetworks.com Fri Nov 20 02:28:05 2009
From: RWerber at epiknetworks.com (Ryan Werber)
Date: Thu, 19 Nov 2009 23:28:05 -0800
Subject: [c-nsp] RFC-1483 on Cisco 12000
References: <4B061265.4080200@mt.net>
Message-ID: <61DCB7099770A24094E1A2B5D6C639C62B2A30@exchange151.Epik.local>

>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Forrest W. Christian

>I have a new-to-me Cisco 12008 which I am working on swapping in as a
>replacement for a 7206VXR which was moving way too much traffic....

>GRP,, Engine 1 Giga-E, Engine 0 Quad ATM OC3.
Please be aware that ATM card is no longer supported and will not work in a more recent IOS. It will also disable dCEF on a full BGP table, which disables the card.

> Things have gone really well, and I'm quite happy so far... But ended
> up with one surprise. Didn't realize the 12008 won't bridge a ATM PVC
> to a VLAN (or any ethernet for that matter)...

> Basically we have a few things which we extend an 802.1q vlan across a
> point to point ATM circuit to a far end for. I have a couple of ideas
> on how to get around it, but would really prefer that the 12008 do the
> work. Doesn't look like an option for me - but figured I'd ask if
> anyone knows of something I missed.... The other ends of the ATM
> circuit are various old and new ciscos, some with MPLS, and some not,
> although it doesn't look like the 12008 will do EoMPLS either with the
> engines I have.

> Probably will look at some other options using a tunnel or similar.

With what you have, (I believe) you are out of luck. Local switching for 'any-to-any' is only supported on the ISE engines (3+) - all of which are still very expensive.

Option #1 (which I know works): enable MPLS end to end, and acquire a 3GE-GBIC-SC - which is the 3 port. These can be found for under $1000 on eBay. The reason is the 1GE-GBIC is an Engine 1 which cannot do "edge" MPLS functionality; the 3GE-GBIC is an Engine 2 which can. Then you do mpls l2transport and an xconnect. Documentation on setting this up is easily found on Cisco's site.

Option #2: To do anything with L2TP I believe you need a tunneling card, which requires an Engine 2 (backbone) card. POS-OC48 is most likely going to be the cheapest at like $500 on eBay. I have not done this myself, nor do I recommend it. It wastes a slot.

Option #3: do L2TP to the recently retired 7200 and do the encapsulation over IP. This I believe is your only $0 cost option. I would check to see if all of your devices will do L2TP.
Evidence of MPLS edge support:

#show diags 2 | i 3GE
  FRU: Linecard/Module: 3GE-GBIC-SC=

#show mpls l2transport hw-capability interface gi2/1
Transport type Eth VLAN
  Core functionality:
    MPLS label disposition supported
    Distributed processing supported
    Control word processing supported
    Sequence number processing not supported
  Edge functionality:
    MPLS label imposition supported
    Distributed processing supported
    Control word processing supported
    Sequence number processing not supported

#show diags 0 | i GE
  FRU: Linecard/Module: GE-GBIC-SC-B=

#show mpls l2transport hw-capability interface gi0/0
Transport type Eth VLAN
  Core functionality:
    MPLS label disposition supported
    Distributed processing supported
    Control word processing supported
    Sequence number processing not supported
  Edge functionality:
    Not supported

Hope this helps

Ryan Werber
Sr. Network Engineer
Epik Networks

From mike-cisconsplist at tiedyenetworks.com Fri Nov 20 09:54:51 2009
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Fri, 20 Nov 2009 06:54:51 -0800
Subject: [c-nsp] reverse path filtering doesn't seem to work
In-Reply-To: <4B06A918.6010308@ibctech.ca>
References: <4B06A3D5.3070507@tiedyenetworks.com> <4B06A918.6010308@ibctech.ca>
Message-ID: <4B06ADBB.2040900@tiedyenetworks.com>

Steve Bertrand wrote:
>
> Hi Mike,
>
> It's not clear to me whether you are pinging from CPE->you or you->CPE.
>

I said I was pinging from my router cli - the side that I want to implement urpf on.

> Is this serial link the only connection that the CPE has? Do you have
> uRPF enabled on your side, as well as the CPE?
>

I only enable it on my router and never touch the CPE. When I turn it on, on my router, I can no longer ping the CPE from my router. When I disable urpf on my router, I can again ping it.

> ...and perhaps a silly question... does this work if you disable uRPF?
>

As I said, yes it does work when urpf is off.
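Mike's question comes down to what the strict-mode lookup actually compares, so here is an added example (not code from the thread) that models both checks on his Serial0/0: the 'ip verify unicast source reachable-via rx' lookup against a constructed FIB, and the posted egress-antispoof ACL parsed from its IOS wildcard masks. The Loopback0 address, the other routes and 198.51.100.0/29 (standing in for the elided x.x.74.0/29) are constructed, and the handling of the IOS keywords allow-default and allow-self-ping is a simplified model, not the platform's internals.

```python
"""Model of strict uRPF ('ip verify unicast source reachable-via rx') and the
egress-antispoof ACL from the Serial0/0 configuration in this thread.

Added example, not code from the thread. The FIB, the Loopback0 address and
198.51.100.0/29 (standing in for the elided x.x.74.0/29) are constructed; the
allow-default / allow-self-ping handling is a simplified model of those keywords.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


DEFAULT = IPv4Network("0.0.0.0/0")
# 'ip unnumbered Loopback0': Serial0/0 borrows this address, so pings the
# router sources itself leave with it. Constructed value.
LOOPBACK0 = IPv4Address("203.0.113.1")
FIB = [
    Route(IPv4Network("203.0.113.1/32"), "Loopback0"),
    # stands in for: ip route x.x.74.0 255.255.255.248 Serial0/0
    Route(IPv4Network("198.51.100.0/29"), "Serial0/0"),
    Route(IPv4Network("10.20.0.0/16"), "FastEthernet0/0"),
    Route(DEFAULT, "FastEthernet0/1"),
]


def best_route(addr):
    """Longest-prefix match, which is what the uRPF source lookup does."""
    matches = [r for r in FIB if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_strict(src, ingress, allow_default=False, allow_self_ping=False):
    """Strict (rx) check: the best route back to the source must point out of
    the interface the packet arrived on. Returns (accepted, reason)."""
    addr = IPv4Address(src)
    route = best_route(addr)
    if route is None:
        return False, "no route to source"
    if route.prefix == DEFAULT and not allow_default:
        return False, "source matches only the default route"
    if route.interface == ingress:
        return True, f"source reachable via {ingress}"
    # Simplified model of allow-self-ping: the router's own address turning
    # up as a source on an interface other than the one that owns it.
    if allow_self_ping and addr == LOOPBACK0:
        return True, "router's own address, allow-self-ping"
    return False, f"best route is via {route.interface}, not {ingress}"


# The ACL exactly as posted; IOS wildcard masks are host masks.
EGRESS_ANTISPOOF = """\
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
permit ip any any
"""


def parse_acl(text):
    """Parse 'deny|permit ip <src> <wildcard>|any <dst>' entries; only the
    source side is modelled. ipaddress accepts a host mask in place of a
    prefix length, so the wildcard notation maps directly."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, src_tokens = tokens[0], tokens[2:]
        if src_tokens[0] == "any":
            net = DEFAULT
        else:
            net = ip_network(f"{src_tokens[0]}/{src_tokens[1]}", strict=False)
        rules.append((action, net))
    return rules


def acl_permits(rules, src):
    """First matching entry wins; no match falls into the implicit deny."""
    addr = IPv4Address(src)
    for action, net in rules:
        if addr in net:
            return action == "permit"
    return False


if __name__ == "__main__":
    # Echo reply from the far-end router: passes, as the static route says.
    print(urpf_strict("198.51.100.1", "Serial0/0"))
    # Same source arriving on another interface: dropped as spoofed.
    print(urpf_strict("198.51.100.1", "FastEthernet0/0"))
    # The unnumbered interface's own address as a source: fails without the keyword.
    print(urpf_strict("203.0.113.1", "Serial0/0"))
    print(urpf_strict("203.0.113.1", "Serial0/0", allow_self_ping=True))
    rules = parse_acl(EGRESS_ANTISPOOF)
    for src in ("10.1.2.3", "224.0.0.5", "198.51.100.1"):
        print(src, "permitted" if acl_permits(rules, src) else "denied")
```

Feeding it the source/interface pairs seen in 'sh ip int' drop counters tells you which case a drop falls into before touching the router.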
From aselios at gmail.com Fri Nov 20 10:26:49 2009
From: aselios at gmail.com (Alejandro Selios)
Date: Fri, 20 Nov 2009 13:26:49 -0200
Subject: [c-nsp] QoS Cisco Serie 800 and 1800
Message-ID: <67bd1e050911200726y19f5b486k8778c227011892d9@mail.gmail.com>

Hi,

I want to configure QoS on a Cisco's 800 and 1800 series router and I couldn't make it work the way I want. I've configured three classes of service called GOLD, SILVER and BRONZE, designed for low latency, low loss and data respectively.

* I want the GOLD class to have a maximum bandwidth of 25%, even if there is traffic in the other classes.

* The SILVER class has a minimum bandwidth of 50% and, if there's no traffic in the GOLD queue, I want this class to take the available bandwidth which is not used by the GOLD class. That means that the SILVER class has a 50% of assured bandwidth and can increase to a maximum of 75% of the total bandwidth.

* The BRONZE class has no assured bandwidth and can only take the bandwidth which is not used for the other classes.

The problem is that with Cisco's QoS tools I have not reached the desired goal. I have tried with different configurations and IOS and I couldn't get any successful result. Below I attach the policy configuration that I have tried (just to give you an example).

Is there any way in which I can achieve the behavior that was described above?

Thanks in advance.
Standard Configuration
-------------------------------------

policy-map QoS_POLICY
 class GOLD
  priority percent 25
  police cir percent 25 pir percent 25
  set dscp ef
 class SILVER
  set dscp af41
  bandwidth percent 50
  shape average percent 75
 class class-default
  fair-queue
  set dscp af12
  bandwidth percent 25

Hierarchical Configuration
---------------------------------------------

policy-map GOLD+SILVER
 class GOLD
  priority percent 33
  police rate percent 33
 class class-default
  fair-queue

policy-map QOS
 class GOLD+SILVER
  shape average percent 75
  bandwidth percent 75
  service-policy GOLD+SILVER
 class class-default
  fair-queue

Note: This configuration was applied in a subinterface (xDSL, 802.1q ethernet) and for the outgoing traffic.

From steve at ibctech.ca Fri Nov 20 09:35:04 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Fri, 20 Nov 2009 09:35:04 -0500
Subject: [c-nsp] reverse path filtering doesn't seem to work
In-Reply-To: <4B06A3D5.3070507@tiedyenetworks.com>
References: <4B06A3D5.3070507@tiedyenetworks.com>
Message-ID: <4B06A918.6010308@ibctech.ca>

Mike wrote:
> Gang,
>
> I have a 3725 with some t1 interfaces. I want to be a good netizen and
> establish urpf on my customer facing interfaces to ensure they can't
> send me spoofed traffic. When I enable 'ip verify unicast source
> reachable-via rx' however, suddenly I can't ping the router on the other
> side.
Here's the relevant configs: > > > interface Serial0/0 > ip unnumbered Loopback0 > ip access-group egress-antispoof out > service-module t1 clock source internal > service-module t1 remote-alarm-enable > service-module t1 fdl both > end > > ip route x.x.74.0 255.255.255.248 Serial0/0 > > ip access-list extended egress-antispoof > deny ip 10.0.0.0 0.255.255.255 any > deny ip 172.16.0.0 0.15.255.255 any > deny ip 192.168.0.0 0.0.255.255 any > deny ip 127.0.0.0 0.255.255.255 any > deny ip 224.0.0.0 31.255.255.255 any > deny ip 169.254.0.0 0.0.255.255 any > deny ip 240.0.0.0 15.255.255.255 any > permit ip any any > > > > > Yes in my route table I have a directly connected route as per above: > > Known via "static", distance 1, metric 0 (connected) > Redistributing via ospf 1 > Advertised by ospf 1 subnets > Routing Descriptor Blocks: > * directly connected, via Serial0/0 > Route metric is 0, traffic share count is 1 > > I am pinging from the router cli to x.x.74.1 and with the 'ip verify > unicast' enabled, packets seem to be dropped. My expectation is simply > that the above static route should be enough to tell 'ip verify' to > allow x.x.74.0/29 as a source on this interface. Does anyone know what > the deal might be? Hi Mike, It's not clear to me whether you are pinging from CPE->you or you->CPE. Is this serial link the only connection that the CPE has? Do you have uRPF enabled on your side, as well as the CPE? ...and perhaps a silly question... does this work if you disable uRPF? 
Steve

From cluestore at gmail.com Fri Nov 20 11:35:54 2009
From: cluestore at gmail.com (Clue Store)
Date: Fri, 20 Nov 2009 10:35:54 -0600
Subject: [c-nsp] QoS Cisco Serie 800 and 1800
In-Reply-To: <67bd1e050911200726y19f5b486k8778c227011892d9@mail.gmail.com>
References: <67bd1e050911200726y19f5b486k8778c227011892d9@mail.gmail.com>
Message-ID: <580af3b90911200835l1acab543jef1bd9c469b99181@mail.gmail.com>

Hi Alejandro,

If you're doing this with xDSL, you will have to apply the service-policy to the PVC for outgoing to make it work. Here's an example of what I use. I know your class-maps and policy-maps are different, but you should be able to get the point.

class-map match-any VoIP
 match ip rtp 16384 16383
 match access-group name VoicePorts

policy-map Voice
 class VoIP
  priority percent 75
 class class-default
  fair-queue

interface ATM0.1 point-to-point
 pvc 1/100
  vbr-rt 384 384
  tx-ring-limit 3
  service-policy output Voice

ip access-list extended VoicePorts
 permit udp any host x.x.x.x range 22026 62025
 permit udp any host x.x.x.x range 22026 62025

HTH,
Clue

On Fri, Nov 20, 2009 at 9:26 AM, Alejandro Selios wrote:
> Hi,
>
> I want to configure QoS on a Cisco's 800 and 1800 series router and I
> couldn't make it work the way I want. I've configured three classes of
> service called GOLD, SILVER and BRONZE, designed for low latency, low loss
> and data respectively.
>
> * I want the GOLD class to have a maximum bandwidth of 25%, even if there
> is traffic in the other classes.
>
> * The SILVER class has a minimum bandwidth of 50% and, if there's no
> traffic in the GOLD queue, I want this class to take the available bandwidth
> which is not used by the GOLD class. Thats means that the SILVER class has
> a 50% of assured bandwidth and can increase to a maximum of 75% of the total
> bandwidth.
>
> * The BRONZE class has no assured bandwidth and can only take the bandwidth
> which is not used for the other classes.
> > The problem is that with Cisco's QoS tools I have not reached the desired > goal. I have tried with different configurations and IOS and I couldn't get > any successful result . Below I attach the policy configuration that I have > tried (just to give you an example). > > Is there any way in which I can achieve the behavior that was described > above?. > > Thanks in advance. > > > Standard Configuration > ------------------------------------- > > policy-map QoS_POLICY > class GOLD > priority percent 25 > police cir percent 25 pir percent 25 > set dscp ef > class SILVER > set dscp af41 > bandwidth percent 50 > shape average percent 75 > class class-default > fair-queue > set dscp af12 > bandwidth percent 25 > > > > > Hierarchical Configuration > --------------------------------------------- > policy-map GOLD+SILVER > class GOLD > priority percent 33 > police rate percent 33 > class class-default > fair-queue > > policy-map QOS > class GOLD+SILVER > shape average percent 75 > bandwidth percent 75 > service-policy GOLD+SILVER > class class-default > fair-queue > > > Note: This configuration was applied in a subinterface (xDSL, 802.1q > ethernet) and for the outgoing traffic. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From petelists at templin.org Fri Nov 20 11:46:37 2009 From: petelists at templin.org (Pete Templin) Date: Fri, 20 Nov 2009 10:46:37 -0600 Subject: [c-nsp] reverse path filtering doesn't seem to work In-Reply-To: <4B06A3D5.3070507@tiedyenetworks.com> References: <4B06A3D5.3070507@tiedyenetworks.com> Message-ID: <4B06C7ED.3060002@templin.org> Mike wrote: > Gang, > > I have a 3725 with some t1 interfaces. I want to be a good netizen and > establish urpf on my customer facing interfaces to ensure they can't > send me spoofed traffic. 
> When I enable 'ip verify unicast source
> reachable-via rx' however, suddenly I can't ping the router on the other
> side. Here's the relevant configs:

I don't know how well it'll work on an unnumbered interface etc., but I always add the option 'allow-self-ping' to my commands, i.e. 'ip ve u s r r allow-s'. I suspect that's related to your troubles.

pt

From aselios at gmail.com Fri Nov 20 12:51:01 2009
From: aselios at gmail.com (Alejandro Selios)
Date: Fri, 20 Nov 2009 15:51:01 -0200
Subject: [c-nsp] QoS Cisco Serie 800 and 1800
In-Reply-To: <580af3b90911200835l1acab543jef1bd9c469b99181@mail.gmail.com>
References: <67bd1e050911200726y19f5b486k8778c227011892d9@mail.gmail.com> <580af3b90911200835l1acab543jef1bd9c469b99181@mail.gmail.com>
Message-ID: <67bd1e050911200951s13b2d1fdx3b4753f4b6878789@mail.gmail.com>

Thanks Clue for your quick answer.

In the original mail I didn't mention it, but I applied the service-policy to the PVC like you said. (Below I attach the complete configuration for both cases.)

Another issue is that Cisco's 800 and 1800 series routers only have 2 levels of prioritization. Cisco's routers allow you to configure a priority queue and CBWFQ (class-based weighted fair queue) but do not have the flexibility to specify a scheduler policy or any other queuing policies. I think that weighted fair queue will lead us to a dead end; I think the way to follow is a strict priority queuing with a customizable scheduler policy. I'm looking for a way to do that in Cisco's routers.

I'll appreciate any help you can give me.
Cisco 878/877
--------------------------------------

class-map match-all GOLD
 match access-group name GOLD_ACL
class-map match-all SILVER
 match access-group name SILVER_ACL

policy-map QoS_POLICY
 class GOLD
  priority percent 25
  police cir percent 25 pir percent 25
  set dscp ef
 class SILVER
  set dscp af41
  bandwidth percent 50
  shape average percent 75
 class class-default
  fair-queue
  set dscp af12
  bandwidth percent 25

interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 max-reserved-bandwidth 100
!
interface ATM0.35 point-to-point
 description INTERFAZ DE ACCESO
 ip address x.x.x.x 255.255.255.254
 atm route-bridged ip
 pvc 0/35
  vbr-nrt 576 576
  oam-pvc 0
  encapsulation aal5snap
  service-policy output QoS_POLICY

Cisco 1841
--------------------------------------

class-map match-all GOLD
 match access-group name GOLD_ACL
class-map match-all SILVER
 match access-group name SILVER_ACL

policy-map QoS_POLICY
 class GOLD
  priority percent 25
  police cir percent 25 pir percent 25
  set dscp ef
 class SILVER
  set dscp af41
  bandwidth percent 50
  shape average percent 75
 class class-default
  fair-queue
  set dscp af12
  bandwidth percent 25

policy-map SHAPER
 class class-default
  shape average 1000000
  service-policy QoS_POLICY
!
!
!
interface FastEthernet0/0
 description INTERFAZ DE ACCESO
 no ip address
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address x.x.x.x 255.255.255.252
 service-policy output SHAPER

Thanks,

2009/11/20 Clue Store
> Hi Alejandro,
>
> If you're doing this with xDSL, you will have to apply the service-policy
> to the PVC for outgoing to make it work. Here's an example of what I use. I
> know your class-maps and policy-maps are different, but you should be able
> to get the point.
> > class-map match-any VoIP > match ip rtp 16384 16383 > match access-group name VoicePorts > > policy-map Voice > class VoIP > priority percent 75 > > class class-default > fair-queue > > > interface ATM0.1 point-to-point > pvc 1/100 > vbr-rt 384 384 > tx-ring-limit 3 > service-policy output Voice > > > ip access-list extended VoicePorts > permit udp any host x.x.x.x range 22026 62025 > permit udp any host x.x.x.x range 22026 62025 > > > > > HTH, > Clue > > On Fri, Nov 20, 2009 at 9:26 AM, Alejandro Selios wrote: > >> Hi, >> >> I want to configure QoS on a Cisco's 800 and 1800 series router and I >> couldn't make it work the way I want. I've configured three classes of >> service called GOLD, SILVER and BRONZE, designed for low latency, low loss >> and data respectively. >> >> * I want the GOLD class to have a maximum bandwidth of 25%, even if there >> is >> traffic in the other classes. >> >> * The SILVER class has a minimum bandwidth of 50% and, if there's no >> traffic >> in the GOLD queue, I want this class to take the available bandwidth which >> is not used by the GOLD class. Thats means that the SILVER class has a 50% >> of assured bandwidth and can increase to a maximum of 75% of the total >> bandwidth. >> >> * The BRONZE class has no assured bandwidth and can only take the >> bandwidth >> which is not used for the other classes. >> >> The problem is that with Cisco's QoS tools I have not reached the desired >> goal. I have tried with different configurations and IOS and I couldn't >> get >> any successful result . Below I attach the policy configuration that I >> have >> tried (just to give you an example). >> >> Is there any way in which I can achieve the behavior that was described >> above?. >> >> Thanks in advance. 
>> >> >> Standard Configuration >> ------------------------------------- >> >> policy-map QoS_POLICY >> class GOLD >> priority percent 25 >> police cir percent 25 pir percent 25 >> set dscp ef >> class SILVER >> set dscp af41 >> bandwidth percent 50 >> shape average percent 75 >> class class-default >> fair-queue >> set dscp af12 >> bandwidth percent 25 >> >> >> >> >> Hierarchical Configuration >> --------------------------------------------- >> policy-map GOLD+SILVER >> class GOLD >> priority percent 33 >> police rate percent 33 >> class class-default >> fair-queue >> >> policy-map QOS >> class GOLD+SILVER >> shape average percent 75 >> bandwidth percent 75 >> service-policy GOLD+SILVER >> class class-default >> fair-queue >> >> >> Note: This configuration was applied in a subinterface (xDSL, 802.1q >> ethernet) and for the outgoing traffic. >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From ashnet2009 at gmail.com Fri Nov 20 12:53:44 2009 From: ashnet2009 at gmail.com (Ash Net) Date: Fri, 20 Nov 2009 12:53:44 -0500 Subject: [c-nsp] ASR-1002 Feedback In-Reply-To: <20fe625b0911200015p7e99417dwbdf01620dfef94c3@mail.gmail.com> References: <896a291f0911191121j27327b46ta4085a445ee646ba@mail.gmail.com> <20fe625b0911191226n11a5ac28od2ae7ab8d3ef26c@mail.gmail.com> <4B061B4E.7000203@velvet.org> <20fe625b0911200015p7e99417dwbdf01620dfef94c3@mail.gmail.com> Message-ID: <896a291f0911200953j4263831ckd1e3b3de91955f9b@mail.gmail.com> Thanks for the feedback PShem On 11/20/09, Pshem Kowalczyk wrote: > Hi, > > 2009/11/20 matthew zeier : >> >> >> What sort of performance are you seeing? ?Cisco's site a bit obtuse in >> that >> area. > > We're running the router as PE internet borders. With 6 full feeds > into vrf and between 2Gb/s and 4Gb/s of inbound traffic the load is > negligible (with ESP20). 
> What sort of performance metrics are you after?
>
> kind regards
> Pshem
>

From justin at justinshore.com Fri Nov 20 14:06:54 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 20 Nov 2009 13:06:54 -0600
Subject: [c-nsp] reverse path filtering doesn't seem to work
In-Reply-To: <4B06C7ED.3060002@templin.org>
References: <4B06A3D5.3070507@tiedyenetworks.com> <4B06C7ED.3060002@templin.org>
Message-ID: <4B06E8CE.3000203@justinshore.com>

Pete Templin wrote:
> I don't know how well it'll work on an unnumbered interface etc., but I
> always add the option 'allow-self-ping' to my commands, i.e. 'ip ve u s
> r r allow-s'. I suspect that's related to your troubles.

I'm using uRPF and IP Unnumbered on DS1s today and all seems to be well. I can ping the directly-connected target of the static route from the PE too:

interface Serial1/0/3:0
 ip unnumbered Loopback197
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 snmp trap ip verify drop-rate
 no cdp enable
 service-policy input Armstrong-in
 service-policy output Armstrong-out

Mike, can you make sure that IOS thinks uRPF is actually enabled?

sh ip int se0/0 | i uRPF

7206-1.bway#sh ip int se1/0/3:0 | i uRPF
  Input features: Stateful Inspection, CCE Input Classification, uRPF, QoS Marking, MCI Check

Are you seeing the drops in the sh ip int output or somewhere else?

Justin

From andy at nosignal.org Fri Nov 20 23:22:11 2009
From: andy at nosignal.org (Andy Davidson)
Date: Sat, 21 Nov 2009 04:22:11 +0000
Subject: [c-nsp] (BGP identifier wrong) error on majority of ebgp peers
Message-ID: <4B076AF3.2030908@nosignal.org>

Hi,

I have a Cisco 6509 with SUP720-3BXL. It has over a hundred bgp peers configured, two full tables, 4 ibgp, several peerings at an IXP.
Seemingly without a config change, there are some sessions which refuse to establish, because of a bgp notification:

%BGP-3-NOTIFICATION: received from neighbor XXX 2/3 (BGP identifier wrong) 4 bytes XXX

The router-id has not been changed - it was using the address from Loopback 0. The router-id *is* unique, and the remote side of the peering is using a different address. We tried modifying the local router-id to match an address used on a point-to-point link and clearing all sessions - same error.

This router was loaded with SXF3, moved to SXF16, moved to SXI3 - same error seen with all three.

We removed the router bgp xx config and pasted it back in - when the sessions established the same error was noticed.

There appears to be no commonality (eg. linecard) between the sessions which establish, and those which don't - for example, some over the shared ixp link establish fine, and some do not due to this router-id clash notification. It is always the same sessions which either come up, or refuse to come up each time. The ibgp sessions always establish (fortunately).

Has anyone seen this before?

Thanks
andy

From andy at nosignal.org Sat Nov 21 00:28:49 2009
From: andy at nosignal.org (Andy Davidson)
Date: Sat, 21 Nov 2009 05:28:49 +0000
Subject: [c-nsp] (BGP identifier wrong) error on majority of ebgp peers
In-Reply-To: <30B3DF511CEC5C4DAE4D0D29050475341B1BC2B45E@AAA.pmgi.local>
References: <4B076AF3.2030908@nosignal.org> <30B3DF511CEC5C4DAE4D0D29050475341B1BC2B45E@AAA.pmgi.local>
Message-ID: <4B077A91.8090405@nosignal.org>

Minzhi (Catherine) Wu wrote:
> Seems it is a Cisco bug,
>
> ..following error message: %BGP-3-NOTIFICATION: sent to neighbor 1::1 passive 2/3 (BGP identifier wrong) 4 bytes 01000003 Conditions...Workaround: Enter the clear ip bgp command. *CSCsy29534...
> 06 Oct 2009 - www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRcavs1.html

Hi,

Thanks for the mail.
Clearing the session does not cause it to re-establish (please see original message for the debugging we have tried.)

Andy

From cwu at ffn.com Sat Nov 21 00:23:36 2009
From: cwu at ffn.com (Minzhi (Catherine) Wu)
Date: Fri, 20 Nov 2009 21:23:36 -0800
Subject: [c-nsp] (BGP identifier wrong) error on majority of ebgp peers
In-Reply-To: <4B076AF3.2030908@nosignal.org>
References: <4B076AF3.2030908@nosignal.org>
Message-ID: <30B3DF511CEC5C4DAE4D0D29050475341B1BC2B45E@AAA.pmgi.local>

Seems it is a Cisco bug,

..following error message: %BGP-3-NOTIFICATION: sent to neighbor 1::1 passive 2/3 (BGP identifier wrong) 4 bytes 01000003 Conditions...Workaround: Enter the clear ip bgp command. *CSCsy29534...
06 Oct 2009 - www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRcavs1.html

From dave.cardwell1 at googlemail.com Sat Nov 21 05:47:10 2009
From: dave.cardwell1 at googlemail.com (Dave Cardwell)
Date: Sat, 21 Nov 2009 10:47:10 +0000
Subject: [c-nsp] QoS Cisco Serie 800 and 1800
In-Reply-To: <67bd1e050911200951s13b2d1fdx3b4753f4b6878789@mail.gmail.com>
References: <67bd1e050911200726y19f5b486k8778c227011892d9@mail.gmail.com> <580af3b90911200835l1acab543jef1bd9c469b99181@mail.gmail.com> <67bd1e050911200951s13b2d1fdx3b4753f4b6878789@mail.gmail.com>
Message-ID: <2db6d9920911210247n1cfdbcf8ub452bbddaff61cd5@mail.gmail.com>

Hi Alejandro,

If you can run 15.0 code you may want to try HQF, rather than CBWFQ.

There is a good description at the link below:

http://blog.ioshints.info/2009/11/first-hqf-impressions-excellent-job.html?utm_source=feedburner&utm_medium=RSS&utm_campaign=IOS+hints+Feed

Hope it helps,
Dave

On Fri, Nov 20, 2009 at 5:51 PM, Alejandro Selios wrote:
> Thanks Clue for your quick answer.
>
> In the original mail I didn't mention it, but I applied the service-policy
> to the PVC like you said. (Below attach the complete configuration for both
> cases).
>
> Another issue is that Cisco's 800 and 1800 series routers only have 2 levels
> of prioritization. Cisco's routers allow configuring a priority queue and
> CBWFQ (class based weighted fair queue) but do not have the flexibility to
> specify a scheduler policy or any other queuing policies.
>
> I think that weighted fair queue will lead to a dead end; I think the way to
> follow is a strict priority queuing with a customizable scheduler policy.
> I'm looking for a way to do that in Cisco's routers.
>
> I'll appreciate any help you can give me.
>
>
> Cisco 878/877
> --------------------------------------
> class-map match-all GOLD
>  match access-group name GOLD_ACL
> class-map match-all SILVER
>  match access-group name SILVER_ACL
>
>
> policy-map QoS_POLICY
>  class GOLD
>   priority percent 25
>   police cir percent 25 pir percent 25
>   set dscp ef
>  class SILVER
>   set dscp af41
>   bandwidth percent 50
>   shape average percent 75
>  class class-default
>   fair-queue
>   set dscp af12
>   bandwidth percent 25
>
> interface ATM0
>  no ip address
>  load-interval 30
>  no atm ilmi-keepalive
>  max-reserved-bandwidth 100
> !
> interface ATM0.35 point-to-point
>  description INTERFAZ DE ACCESO
>  ip address x.x.x.x 255.255.255.254
>  atm route-bridged ip
>  pvc 0/35
>   vbr-nrt 576 576
>   oam-pvc 0
>   encapsulation aal5snap
>   service-policy output QoS_POLICY
>
>
>
> Cisco 1841
> --------------------------------------
>
> class-map match-all GOLD
>  match access-group name GOLD_ACL
> class-map match-all SILVER
>  match access-group name SILVER_ACL
>
>
> policy-map QoS_POLICY
>  class GOLD
>   priority percent 25
>   police cir percent 25 pir percent 25
>   set dscp ef
>  class SILVER
>   set dscp af41
>   bandwidth percent 50
>   shape average percent 75
>  class class-default
>   fair-queue
>   set dscp af12
>   bandwidth percent 25
>
> policy-map SHAPER
>  class class-default
>   shape average 1000000
>   service-policy QoS_POLICY
> !
> !
> !
> interface FastEthernet0/0
>  description INTERFAZ DE ACCESO
>  no ip address
>  load-interval 30
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/0.100
>  encapsulation dot1Q 100
>  ip address x.x.x.x 255.255.255.252
>  service-policy output SHAPER
>
>
>
> Thanks,
>
>
> 2009/11/20 Clue Store
>
>> Hi Alejandro,
>>
>> If you're doing this with xDSL, you will have to apply the service-policy
>> to the PVC for outgoing to make it work. Here's an example of what I use. I
>> know your class-maps and policy-maps are different, but you should be able
>> to get the point.
>>
>> class-map match-any VoIP
>>  match ip rtp 16384 16383
>>  match access-group name VoicePorts
>>
>> policy-map Voice
>>  class VoIP
>>   priority percent 75
>>
>>  class class-default
>>   fair-queue
>>
>>
>> interface ATM0.1 point-to-point
>>  pvc 1/100
>>   vbr-rt 384 384
>>   tx-ring-limit 3
>>   service-policy output Voice
>>
>>
>> ip access-list extended VoicePorts
>>  permit udp any host x.x.x.x range 22026 62025
>>  permit udp any host x.x.x.x range 22026 62025
>>
>>
>> HTH,
>> Clue
>>
>> On Fri, Nov 20, 2009 at 9:26 AM, Alejandro Selios wrote:
>>
>>> Hi,
>>>
>>> I want to configure QoS on Cisco's 800 and 1800 series routers and I
>>> couldn't make it work the way I want. I've configured three classes of
>>> service called GOLD, SILVER and BRONZE, designed for low latency, low loss
>>> and data respectively.
>>>
>>> * I want the GOLD class to have a maximum bandwidth of 25%, even if there
>>> is traffic in the other classes.
>>>
>>> * The SILVER class has a minimum bandwidth of 50% and, if there's no
>>> traffic in the GOLD queue, I want this class to take the available bandwidth
>>> which is not used by the GOLD class. That means that the SILVER class has a 50%
>>> of assured bandwidth and can increase to a maximum of 75% of the total
>>> bandwidth.
>>>
>>> * The BRONZE class has no assured bandwidth and can only take the
>>> bandwidth which is not used for the other classes.
>>>
>>> The problem is that with Cisco's QoS tools I have not reached the desired
>>> goal. I have tried with different configurations and IOS and I couldn't
>>> get any successful result. Below I attach the policy configuration that I
>>> have tried (just to give you an example).
>>>
>>> Is there any way in which I can achieve the behavior that was described
>>> above?
>>>
>>> Thanks in advance.
>>>
>>>
>>> Standard Configuration
>>> -------------------------------------
>>>
>>> policy-map QoS_POLICY
>>>  class GOLD
>>>   priority percent 25
>>>   police cir percent 25 pir percent 25
>>>   set dscp ef
>>>  class SILVER
>>>   set dscp af41
>>>   bandwidth percent 50
>>>   shape average percent 75
>>>  class class-default
>>>   fair-queue
>>>   set dscp af12
>>>   bandwidth percent 25
>>>
>>>
>>> Hierarchical Configuration
>>> ---------------------------------------------
>>> policy-map GOLD+SILVER
>>>  class GOLD
>>>   priority percent 33
>>>   police rate percent 33
>>>  class class-default
>>>   fair-queue
>>>
>>> policy-map QOS
>>>  class GOLD+SILVER
>>>   shape average percent 75
>>>   bandwidth percent 75
>>>   service-policy GOLD+SILVER
>>>  class class-default
>>>   fair-queue
>>>
>>>
>>> Note: This configuration was applied in a subinterface (xDSL, 802.1q
>>> ethernet) and for the outgoing traffic.
From aselios at gmail.com Sat Nov 21 14:50:54 2009
From: aselios at gmail.com (Alejandro Selios)
Date: Sat, 21 Nov 2009 17:50:54 -0200
Subject: [c-nsp] QoS Cisco Serie 800 and 1800
In-Reply-To: <2db6d9920911210247n1cfdbcf8ub452bbddaff61cd5@mail.gmail.com>
References: <67bd1e050911200726y19f5b486k8778c227011892d9@mail.gmail.com> <580af3b90911200835l1acab543jef1bd9c469b99181@mail.gmail.com> <67bd1e050911200951s13b2d1fdx3b4753f4b6878789@mail.gmail.com> <2db6d9920911210247n1cfdbcf8ub452bbddaff61cd5@mail.gmail.com>
Message-ID: <67bd1e050911211150o6aef832fkaef9c4367fc123d@mail.gmail.com>

Hi Dave,

I've tried to configure HQF but running 12.4T IOS it didn't work. I'm going to get the 15.0 IOS and I'll try again with HQF.

Thanks

2009/11/21 Dave Cardwell
> Hi Alejandro,
>
> If you can run 15.0 code you may want to try HQF, rather than CBWFQ.
>
> There is a good description at the link below:
>
> http://blog.ioshints.info/2009/11/first-hqf-impressions-excellent-job.html?utm_source=feedburner&utm_medium=RSS&utm_campaign=IOS+hints+Feed
>
> Hope it helps,
> Dave

From mike-cisconsplist at tiedyenetworks.com Sat Nov 21 15:20:37 2009
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Sat, 21 Nov 2009 12:20:37 -0800
Subject: [c-nsp] reverse path filtering doesn't seem to work
In-Reply-To: <4B06E8CE.3000203@justinshore.com>
References: <4B06A3D5.3070507@tiedyenetworks.com> <4B06C7ED.3060002@templin.org> <4B06E8CE.3000203@justinshore.com>
Message-ID: <4B084B95.9030408@tiedyenetworks.com>

Justin Shore wrote:
> Pete Templin wrote:
>
>> I don't know how well it'll work on an unnumbered interface etc., but
>> I always add the option 'allow-self-ping' to my commands, i.e. 'ip ve
>> u s r r allow-s'. I suspect that's related to your troubles.
>
> I'm using uRPF and IP Unnumbered on DS1s today and all seems to be
> well. I can ping the directly-connected target of the static route
> from the PE too:
>
> interface Serial1/0/3:0
>  ip unnumbered Loopback197
>  ip verify unicast source reachable-via rx
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  load-interval 30
>  snmp trap ip verify drop-rate
>  no cdp enable
>  service-policy input Armstrong-in
>  service-policy output Armstrong-out
>
> Mike, can you make sure that IOS thinks uRPF is actually enabled?
>
> sh ip int se0/0 | i uRPF
>
> 7206-1.bway#sh ip int se1/0/3:0 | i uRPF
>   Input features: Stateful Inspection, CCE Input Classification, uRPF,
> QoS Marking, MCI Check
>
>
> Are you seeing the drops in the sh ip int output or somewhere else?
>

Yes it's enabled per the above.
The drops only occur when I use:

ip verify unicast source reachable-via rx

However, I discovered that if I instead use:

ip verify unicast source reachable-via any allow-default

That seems to at least not drop packets, but I haven't tested to see whether it really will drop everything but the subnet routed down this link.

If I can ask, you seem to have something more than 'loopback 0' - tell me, how are your routes configured - I am assuming you just have a static route pointing thru the interface and not at 'loopback' anything, yes?

Mike

From mail4hh at pobox.com Sat Nov 21 20:01:22 2009
From: mail4hh at pobox.com (Hector Herrera)
Date: Sat, 21 Nov 2009 17:01:22 -0800
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To:
References: <4AFF6E80.6030607@thelan.no>
Message-ID:

I had another opportunity to debug the high cpu usage on the 3550-12t.

show proc cpu indicated that cpu load was 39% interrupt, 40% total

So it's definitively a high interrupt rate that is using up the cpu.

I also debugged the switching mechanism, and although I have high amounts of TTL-expired events, they only occur at a rate of 2-3 per second.

I proceeded to profile the cpu usage with:

profile
profile start
... 10 mins later
profile stop
show profile terse

Granularity was 8 due to the largest free block being about half the size of the main:text section.

This gave me a listing of all the memory ranges and a count of how many times the cpu was found to be in that memory location.

System Total = 000141506
Interrupt Total = 000056163 (39 percent)
Sched Total = 000094547 (66 percent)
Interrupt [00] = 000056163 (39 percent)

The interrupt breakdown is (top 3):

0x475F50 with 3281 counts (~5.4 per sec.)
0x4B82B8 with 1667 counts (~2.7 per sec)
0x4B8F90 with 1456 counts (~2.4 per sec)

My question is: How do I convert those memory addresses into something that would tell me what interrupts are being triggered so much?
Thank you,

Hector

From merlyn at Geeks.ORG Sun Nov 22 02:21:27 2009
From: merlyn at Geeks.ORG (Doug McIntyre)
Date: Sun, 22 Nov 2009 01:21:27 -0600
Subject: [c-nsp] Router advice
In-Reply-To: <4B05A232.4000005@rollernet.us>
References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <4B04579E.5050502@rollernet.us> <4B045E1D.7070003@itpro.co.nz> <4B046715.9010303@rollernet.us> <20091119174413.GA66808@geeks.org> <4B05A232.4000005@rollernet.us>
Message-ID: <20091122072127.GA95969@geeks.org>

On Thu, Nov 19, 2009 at 11:53:22AM -0800, Seth Mattinen wrote:
> Doug McIntyre wrote:
> > On Wed, Nov 18, 2009 at 01:28:53PM -0800, Seth Mattinen wrote:
> >> Ivan wrote:
> >>> You may also want to check out the new ISR models (ISR G2
> >>> http://www.cisco.com/go/isrg2).
> >>>
> >> I get the impression from reading about the new "universal" image that
> >> they phone home for license keys before it will activate features. Is
> >> this accurate?
> >
> > No, you get base level features out of the box, and you can activate
> > the advanced features that are licensed on a trial basis for x days
> > until you can get your PACs from the Cisco license website and apply
> > it permanently to that box.
> >
>
> Are they backup-able? That is, can you get the device back to full
> functionality from local copies without access to the website? What
> happens if hardware gets stolen or somebody yanks the flash card and
> loses it? Can you still keep spares in storage?

The PACs are tied to the serial number of the box. You can backup the number you get back from the PAC tool, but if you swap hardware, then you need to go to TAC to get a new PAC.

Sure, you can stock spares, then if you need to bring up a spare box, you get 30 days of trial license, and you go to TAC and tell them you need a new PAC because the old box is borked, and you work it out with TAC.
If any of your disaster items happen, you go back to TAC and explain while running live on your 30 day trial license to get new PACs. It's a very simple solution that in practice works easily.

You seem to want to pick on this thread for Cisco's license enforcement. I don't work for them. But I can certainly see a need for it from their point of view. I do already use Cisco licensing on other hardware that has been doing this exact thing for some time (ie. SanOS and PIX), and haven't encountered any of the sky-is-falling problems with any of it. It seems fair to me, compared to what I'd guess are many IOS boxes not being properly licensed for what they are running due to Cisco's pretty open licensing policies of years past.

From justin at justinshore.com Sun Nov 22 03:08:56 2009
From: justin at justinshore.com (Justin Shore)
Date: Sun, 22 Nov 2009 02:08:56 -0600
Subject: [c-nsp] reverse path filtering doesn't seem to work
In-Reply-To: <4B084B95.9030408@tiedyenetworks.com>
References: <4B06A3D5.3070507@tiedyenetworks.com> <4B06C7ED.3060002@templin.org> <4B06E8CE.3000203@justinshore.com> <4B084B95.9030408@tiedyenetworks.com>
Message-ID: <4B08F198.10406@justinshore.com>

Mike wrote:
> Yes it's enabled per the above. The drops only occur when I use:
>
> ip verify unicast source reachable-via rx
>
> However, I discovered that if I instead use:
>
> ip verify unicast source reachable-via any allow-default
>
> That seems to at least not drop packets, but I haven't tested to see
> whether it really will drop everything but the subnet routed down this link.
>
> If I can ask, you seem to have something more than 'loopback 0' - tell
> me, how are your routes configured - I am assuming you just have a
> static route pointing thru the interface and not at 'loopback' anything,
> yes?

Lo197 is addressed with a /24. Each customer gets a /32 from that /24 via a static route pointing to the local PE interface (Se1/0/3:0 or Mu1000 for example).
If the customer needs a larger allocation I route that to their /32 (could also route it to the local PE interface as well). In cases where the CE is managed I also route a private IP over to it and assign it to a local loopback on the CE. We use this for all management tasks and never use the CE's public IP.

You're right; it is fairly simple. We're using this quite a bit these days. Some customers insist on a dedicated /30 but it doesn't gain them anything really. After explaining this they usually agree to a /32 instead. No sense in squandering a limited resource if we can avoid it.

I'm leaning towards an IOS bug for your particular issue. Is your IOS release fairly modern?

Justin

From sethm at rollernet.us Sun Nov 22 05:31:16 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 22 Nov 2009 02:31:16 -0800
Subject: [c-nsp] Router advice
In-Reply-To: <20091122072127.GA95969@geeks.org>
References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <4B04579E.5050502@rollernet.us> <4B045E1D.7070003@itpro.co.nz> <4B046715.9010303@rollernet.us> <20091119174413.GA66808@geeks.org> <4B05A232.4000005@rollernet.us> <20091122072127.GA95969@geeks.org>
Message-ID: <4B0912F4.7090008@rollernet.us>

Doug McIntyre wrote:
>
> The PACs are tied to the serial number of the box. You can backup the
> number you get back from the PAC tool, but if you swap hardware, then
> you need to go to TAC to get a new PAC.
>
> Sure, you can stock spares, then if you need to bring up a spare box,
> you get 30 days of trial license, and you go to TAC and tell them you
> need a new PAC because the old box is borked, and you work it out with
> TAC. If any of your disaster items happen, you go back to TAC and
> explain while running live on your 30 day trial license to get new PACs.
> It's a very simple solution that in practice works easily.
>
> You seem to want to pick on this thread for Cisco's license
> enforcement. I don't work for them.
> But I can certainly see a need for
> it from their point of view. I do already use Cisco licensing on other
> hardware that has been doing this exact thing for some time (ie. SanOS
> and PIX), and haven't encountered any of the sky-is-falling problems with
> any of it. It seems fair to me, compared to what I'd guess are many
> IOS boxes not being properly licensed for what they are running due to
> Cisco's pretty open licensing policies of years past.
>

*shrug* None of the hardware I use uses "universal" images, nor do I open TAC cases that often (last one was September 2008 for a bricked 877W). The idea they could decide at any time to deny a license transfer is scary. I'd rather stock spare hardware than pay for same day TAC that I've never used, and it would really suck if Cisco changed their mind now that they have the option to do so. My intention is not to pick on them, but voice concerns.

~Seth

From juuso.lehtinen at gmail.com Sun Nov 22 07:46:34 2009
From: juuso.lehtinen at gmail.com (Juuso Lehtinen)
Date: Sun, 22 Nov 2009 14:46:34 +0200
Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960
Message-ID:

Hi,

I have Catalyst 3560 and 2960 switches connected by a two member Etherchannel trunk using built in copper GE interfaces. For some reason Ethernet autonegotiation ends up assigning unmatching speeds for one link (10M in one switch, 100M in other) and the interfaces end up in suspended state.

MGMT-14#show int status | inc 35|36
Gi0/35    connected    trunk    a-full    a-1000    10/100/1000BaseTX
Gi0/36    suspended    trunk    a-full    a-100     10/100/1000BaseTX

MGMT-13#show int status | inc 23|24
Gi0/23    connected    trunk    a-full    a-1000    10/100/1000BaseTX
Gi0/24    suspended    trunk    a-full    a-10      10/100/1000BaseTX

Any ideas what might be causing this? I wonder if I'm running into some kind of minimum cable length problem. Switches are sitting adjacent to each other in a rack and connected with very short cables (0.5m ~ 2 ft).
-Juuso Lehtinen

From sthaug at nethelp.no Sun Nov 22 09:26:13 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sun, 22 Nov 2009 15:26:13 +0100 (CET)
Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960
In-Reply-To:
References:
Message-ID: <20091122.152613.74716061.sthaug@nethelp.no>

> I have Catalyst 3560 and 2960 switches connected by a two member
> Etherchannel trunk using built in copper GE interfaces. For some reason
> Ethernet autonegotiation ends up assigning unmatching speeds for one link
> (10M in one switch, 100M in other) and the interfaces end up in suspended
> state.
>
> MGMT-14#show int status | inc 35|36
> Gi0/35    connected    trunk    a-full    a-1000    10/100/1000BaseTX
> Gi0/36    suspended    trunk    a-full    a-100     10/100/1000BaseTX
>
> MGMT-13#show int status | inc 23|24
> Gi0/23    connected    trunk    a-full    a-1000    10/100/1000BaseTX
> Gi0/24    suspended    trunk    a-full    a-10      10/100/1000BaseTX
>
> Any ideas what might be causing this. I wonder if I'm running into some kind
> of minimum cable length problem. Switches are sitting adjacent to each other
> in a rack and connected with very short cables (0.5m ~ 2 ft).

There is *no* minimum cable length requirement for 1000baseT. I would start by replacing the cable connecting the two suspended ports.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From nick at inex.ie Sun Nov 22 11:05:20 2009
From: nick at inex.ie (Nick Hilliard)
Date: Sun, 22 Nov 2009 16:05:20 +0000
Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960
In-Reply-To:
References:
Message-ID: <4B096140.9060001@inex.ie>

On 22/11/2009 12:46, Juuso Lehtinen wrote:
> Any ideas what might be causing this. I wonder if I'm running into some kind
> of minimum cable length problem. Switches are sitting adjacent to each other
> in a rack and connected with very short cables (0.5m ~ 2 ft).

Are you sure you're using the correct cable type?
Either you should use a regular 568-B straight-thru cable, or else you should use a full GE crossover cable, which is wired like this:

1. white/orange -> white/green
2. orange/white -> green/white
3. white/green -> white/orange
4. blue/white -> brown/white
5. white/blue -> white/brown
6. green/white -> orange/white
7. white/brown -> white/blue
8. brown/white -> blue/white

Note that for a 100M cross-over, you only cross orange with green, but for GE, you need to cross blue with brown too.

Even if you're sure about the cabling, it's no harm to test it out with a decent cable tester. Maybe there's something strange going on with the UTP termination plugs?

Cable length is only a problem where you use co-ax, as the co-axial cable medium can encourage all sorts of strange effects (signal reflection, timing problems, etc).

Nick

From daniele at orlandi.com  Sun Nov 22 10:37:21 2009
From: daniele at orlandi.com (Daniele Orlandi)
Date: Sun, 22 Nov 2009 16:37:21 +0100
Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960
In-Reply-To:
References:
Message-ID: <200911221637.22466.daniele@orlandi.com>

On Sunday 22 November 2009 13:46:34 Juuso Lehtinen wrote:
>
> Any ideas what might be causing this. I wonder if I'm running into some
> kind of minimum cable length problem. Switches are sitting adjacent to
> each other in a rack and connected with very short cables (0.5m ~ 2 ft).

You aren't using a cross cable, are you?
Bye,

--
Daniele "Vihai" Orlandi
Bieco Illuminista #184213

From dwinkworth at att.net  Sun Nov 22 10:42:29 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Sun, 22 Nov 2009 07:42:29 -0800 (PST)
Subject: [c-nsp] Router advice
In-Reply-To: <20091122072127.GA95969@geeks.org>
References: <2b5adb5d0911181209va57dcc2q7bedf77c8282a009@mail.gmail.com> <4B04579E.5050502@rollernet.us> <4B045E1D.7070003@itpro.co.nz> <4B046715.9010303@rollernet.us> <20091119174413.GA66808@geeks.org> <4B05A232.4000005@rollernet.us> <20091122072127.GA95969@geeks.org>
Message-ID: <58511.17051.qm@web180015.mail.gq1.yahoo.com>

It's not like we can run Cisco IOS on any other vendor's equipment. If I buy an ISR from Cisco, I have to pay them additional money to use the software that only Cisco can create.. for that box? It's an arbitrary "blood-rock" scheme. You pay twice to use the equipment you buy from them. It's an argument against licensing in general in cases where you are dealing with *both* closed software and closed hardware from the same vendor. Nevertheless, it's reality now. It would be interesting to see key-generators or IOS jailbreakers soon.

________________________________
From: Doug McIntyre
To: cisco-nsp at puck.nether.net
Sent: Sun, November 22, 2009 1:21:27 AM
Subject: Re: [c-nsp] Router advice

On Thu, Nov 19, 2009 at 11:53:22AM -0800, Seth Mattinen wrote:
> Doug McIntyre wrote:
> > On Wed, Nov 18, 2009 at 01:28:53PM -0800, Seth Mattinen wrote:
> >> Ivan wrote:
> >>> You may also want to check out the new ISR models (ISR G2
> >>> http://www.cisco.com/go/isrg2).
> >>>
> >> I get the impression from reading about the new "universal" image that
> >> they phone home for license keys before it will activate features. Is
> >> this accurate?
> >
> > No, you get base level features out of the box, and you can activate
> > the advanced features that are licensed on a trial basis for x days
> > until you can get your PACs from the Cisco license website and apply
> > it permanently to that box.
> >
>
> Are they backup-able? That is, can you get the device back to full
> functionality from local copies without access to the website? What
> happens if hardware gets stolen or somebody yanks the flash card and
> loses it? Can you still keep spares in storage?

The PACs are tied to the serial number of the box. You can backup the number you get back from the PAC tool, but if you swap hardware, then you need to go to TAC to get a new PAC.

Sure, you can stock spares, then if you need to bring up a spare box, you get 30 days of trial license, and you go to TAC and tell them you need a new PAC because the old box is borked, and you work it out with TAC. If any of your disaster items happen, you go back to TAC and explain while running live on your 30 day trial license to get new PACs. It's a very simple solution that in practice works easily.

You seem to want to pick on this thread for Cisco's license enforcement. I don't work for them. But I can certainly see a need for it from their point of view. I do already use Cisco licensing on other hardware that has been doing this exact thing for sometime (ie. SanOS and PIX), and haven't encountered any the sky-is-falling problems with any of it. It seems fair to me, compared to what I'd guess are many IOS boxes not being properly licensed for what they are running due to Cisco's pretty open licensing policies of years past.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From juuso.lehtinen at gmail.com  Sun Nov 22 11:52:59 2009
From: juuso.lehtinen at gmail.com (Juuso Lehtinen)
Date: Sun, 22 Nov 2009 18:52:59 +0200
Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960
In-Reply-To: <4B096140.9060001@inex.ie>
References: <4B096140.9060001@inex.ie>
Message-ID:

Thanks to all for answers,

Cables straight-thru, and identical cables are used for the working and suspended trunks.

I will try replacing the cable with a new one tomorrow. If that does not help, will try disabling autonegotiation.

On Sun, Nov 22, 2009 at 6:05 PM, Nick Hilliard wrote:
> On 22/11/2009 12:46, Juuso Lehtinen wrote:
>
>> Any ideas what might be causing this. I wonder if I'm running into some
>> kind of minimum cable length problem. Switches are sitting adjacent to each
>> other in a rack and connected with very short cables (0.5m ~ 2 ft).
>>
>
> Are you sure you're using the correct cable type? Either you should use a
> regular 568-B straight-thru cable, or else you should use a full GE
> crossover cable, which is wired like this:
>
> 1. white/orange -> white/green
> 2. orange/white -> green/white
> 3. white/green -> white/orange
> 4. blue/white -> brown/white
> 5. white/blue -> white/brown
> 6. green/white -> orange/white
> 7. white/brown -> white/blue
> 8. brown/white -> blue/white
>
> Note that for a 100M cross-over, you only cross orange with green, but for
> GE, you need to cross blue with brown too.
>
> Even if you're sure about the cabling, it's no harm to test it out with a
> decent cable tester. Maybe there's something strange going on with the UTP
> termination plugs?
>
> Cable length is only a problem where you use co-ax, as the co-axial cable
> medium can encourage all sorts of strange effects (signal reflection, timing
> problems, etc).
>
> Nick
>

From nick at inex.ie  Sun Nov 22 12:28:07 2009
From: nick at inex.ie (Nick Hilliard)
Date: Sun, 22 Nov 2009 17:28:07 +0000
Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960
In-Reply-To:
References: <4B096140.9060001@inex.ie>
Message-ID: <4B0974A7.5030204@inex.ie>

On 22/11/2009 16:52, Juuso Lehtinen wrote:
> Cables straight-thru, and identical cables are used for the working and
> suspended trunks.
>
> I will try replacing the cable with a new one tomorrow. If that does not
> help, will try disabling autonegotiation.

If you disable autonegotiation, you will need to use a GE cross-over cable, as disabling speed negotiation on a cisco switch usually (but not always) disables mdi/mdix negotiation.

Nick

From william.mccall at gmail.com  Sun Nov 22 14:20:29 2009
From: william.mccall at gmail.com (William McCall)
Date: Sun, 22 Nov 2009 13:20:29 -0600
Subject: [c-nsp] [j-nsp] Network Liberation Movement???
In-Reply-To: <8c308e8b0911012234k43a7a1e1nd3370378bc039824@mail.gmail.com>
References: <4AEAF6B8.2090606@att.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3BE0@LMC-MAIL2.exempla.org> <5210A1C9084123478E12AA5924D1F253FBBCE9@w3usmia2.lat.gblxint.com> <8c308e8b0910301415t3b5c2d01n440e57bcf044992@mail.gmail.com> <443de7ad0910311035p2506ae77qbafd235bb4a59397@mail.gmail.com> <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com> <8c308e8b0911012234k43a7a1e1nd3370378bc039824@mail.gmail.com>
Message-ID:

Sorry to re-open. Good job to HP for generating noise. Anyone want to buy some procurve switches?

On Mon, Nov 2, 2009 at 12:34 AM, christian koch wrote:
> On Sun, Nov 1, 2009 at 9:54 PM, Omachonu Ogali wrote:
>
>> How much is "buzz" worth? About the same as YouTube views. (In South Park
>> speak, "theoretical dollars").
>>
>> If you can't convert *positive* buzz into revenue, your marketing efforts
>> will serve as nothing more than "brand awareness" campaigns.
>>
>> By this point in the conversation, it should be obvious the buzz is turning
>> negative:
>> a) overtones of disinterest due to dubious marketing,
>> b) people biting the bait on what seems to be a month long viral campaign
>> that *still* has 15 more days to go before phase 2,
>> c) conversation shift from the mystery product, to debating whether the
>> marketing works -- and we still don't know what's being marketed other than
>> common sense ("You hate vendor lock-in, I hate vendor lock-in, let's be
>> friends")
>>
>
> well said, and agreed
>
> -ck
>

--
William McCall, CCIE #25044

From sethm at rollernet.us  Sun Nov 22 14:32:16 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 22 Nov 2009 11:32:16 -0800
Subject: [c-nsp] [j-nsp] Network Liberation Movement???
In-Reply-To:
References: <4AEAF6B8.2090606@att.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3BE0@LMC-MAIL2.exempla.org> <5210A1C9084123478E12AA5924D1F253FBBCE9@w3usmia2.lat.gblxint.com> <8c308e8b0910301415t3b5c2d01n440e57bcf044992@mail.gmail.com> <443de7ad0910311035p2506ae77qbafd235bb4a59397@mail.gmail.com> <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com> <8c308e8b0911012234k43a7a1e1nd3370378bc039824@mail.gmail.com>
Message-ID: <4B0991C0.6000308@rollernet.us>

William McCall wrote:
> Sorry to re-open. Good job to HP for generating noise. Anyone want to
> buy some procurve switches?
>

I have a few that I've been comparing to Cisco in the L2-only arena. Had to deal with support once for a switch stuck in a reboot loop. They overnighted me a new one after one call.
Much faster and more pleasant experience than a comparable 4 day experience with TAC replacing an 877W that wouldn't even post. The university I worked at as a student did a whole campus replacement of Cisco for ProCurve.

~Seth

From matt at melbourne.org.uk  Sun Nov 22 15:28:24 2009
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Sun, 22 Nov 2009 20:28:24 -0000
Subject: [c-nsp] Flow Control and 10GE interfaces
Message-ID: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP>

Hi,

What is the general recommendation regarding enabling flow control on Ethernet interfaces? Is it a legacy issue when devices had smaller buffers, or is it still required for specific applications?

We are having issues with an Enterprise NAS solution where servers using it for storage are claiming to be losing connectivity. The NAS is connected to the switch fabric (a pair of Catalyst 6509s) by two 2*10GE port-channels (10GBase-SR optics); receive flow control is enabled on the switch side "flowcontrol receive on", but no input or output pause frames are being received/sent according to the member interface statistics.

The vendor is now suggesting that flowcontrol needs to be enabled end-to-end - e.g. on aggregation switches downstream from the Catalyst 6509s towards the servers and on the hosts. However, the utilisation on the NAS port-channels is only ~400Mbps. Does enabling flowcontrol make sense here?
Cheers,

Matt

--
Matthew Melbourne

From daniele at orlandi.com  Sun Nov 22 17:17:17 2009
From: daniele at orlandi.com (Daniele Orlandi)
Date: Sun, 22 Nov 2009 23:17:17 +0100
Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960
In-Reply-To: <4B0974A7.5030204@inex.ie>
References: <4B0974A7.5030204@inex.ie>
Message-ID: <200911222317.17616.daniele@orlandi.com>

On Sunday 22 November 2009 18:28:07 Nick Hilliard wrote:
>
> If you disable autonegotiation, you will need to use a GE cross-over cable,

I don't think so, because with GE there are no RX and TX pairs to be crossed as all four pairs are both for transmission and reception.

--
Daniele "Vihai" Orlandi
Bieco Illuminista #184213

From eninja at gmail.com  Sun Nov 22 19:01:57 2009
From: eninja at gmail.com (e ninja)
Date: Sun, 22 Nov 2009 16:01:57 -0800
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To:
References: <4AFF6E80.6030607@thelan.no>
Message-ID:

Hector,

It is interesting that the cisco article tells you how to profile your cpu but not how to interpret the results ;-)

There is only one way to interpret the results - contact Cisco to report the abnormality. They will have to decode the address/es using the symbol files for your device software which will reveal the culprit function/s. It should be pretty straight forward to isolate cause and rectify thereafter.

FYI, seeing CPU spikes to X% during high traffic is not abnormal for most non-distributed platforms that are groaning under an inappropriate switching algorithm or overload.

Out of curiosity, is 40% cpu utilization above your benchmarked baseline? If no, ignore. Also, any alignment corrections?

device#sh align

Eninja

PS. Note to CPU profiler PM, help customers to help themselves - enhance cpu profiler to display decoded addresses in *show profile terse* results and display culprit functions so users can resolve these simple issues themselves. Justification - reduction in TAC calls.
On Sat, Nov 21, 2009 at 5:01 PM, Hector Herrera wrote:
> I had another opportunity to debug the high cpu usage on the 3550-12t.
>
> show proc cpu indicated that cpu load was 39% interrupt, 40% total
>
> So it's definitively a high interrupt rate that is using up the cpu.
>
> I also debugged the switching mechanism, and although I have high
> amounts of TTL-expired events, they only occur at a rate of 2-3 per
> second.
>
> I proceeded to profile the cpu usage with:
>
> profile
> profile start
> ... 10 mins later
> profile stop
> show profile terse
>
> Granularity was 8 due to the largest free block being about half the
> size of the main:text section.
>
> This gave me a listing of all the memory ranges and a count of how
> many times the cpu was found to be in that memory location.
>
> System Total    = 000141506
> Interrupt Total = 000056163 (39 percent)
> Sched Total     = 000094547 (66 percent)
>
> Interrupt [00]  = 000056163 (39 percent)
>
> The interrupt breakdown is (top 3):
>
> 0x475F50 with 3281 counts (~5.4 per sec.)
> 0x4B82B8 with 1667 counts (~2.7 per sec)
> 0x4B8F90 with 1456 counts (~2.4 per sec)
>
> My question is:
>
> How do I convert those memory addresses into something that would tell
> me what interrupts are being triggered so much?
>
> Thank you,
>
> Hector
>

From mail4hh at pobox.com  Sun Nov 22 19:45:18 2009
From: mail4hh at pobox.com (Hector Herrera)
Date: Sun, 22 Nov 2009 16:45:18 -0800
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To:
References: <4AFF6E80.6030607@thelan.no>
Message-ID:

On Sun, Nov 22, 2009 at 4:01 PM, e ninja wrote:
> Hector,
>
> It is interesting that the cisco article tells you how to profile your cpu
> but not how to interpret the results ;-)
>
> There is only one way to interpret the results - contact Cisco to report the
> abnormality. They will have to decode the address/es using the symbol files
> for your device software which will reveal the culprit function/s. It should
> be pretty straight forward to isolate cause and rectify thereafter.

I did receive an email from someone at Cisco offering to look up the functions. Thank you :-) I can't wait to see the outcome.

> FYI, seeing CPU spikes to X% during high traffic is not abnormal for most
> non-distributed platforms that are groaning under an inappropriate switching
> algorithm or overload.
>
> Out of curiosity, is 40% cpu utilization above your benchmarked baseline? If
> no, ignore. Also, any alignment corrections? device#sh align

Your question made me go back and review my notes. CPU load appears to be directly correlated to the amount of traffic on the switch. At 50Mbps the cpu load is 40%, at 200Mbps the load is 100%. At 20Mbps the load (currently) is 10%.

I wonder if expecting the 3550-12t platform to handle more than 200Mbps is too much to ask? The specs indicate it's capable of 17Mpps. According to the logs, at 200Mbps (with the 100% cpu load) the router was forwarding 45Kpps, much less than the advertised capacity. Perhaps it is a bad design on my part.
I learned that the 3550-12t has three forwarding engines, one for each set of four interfaces (0/1 to 0/4, 0/5 to 0/8 and 0/9 to 0/12). With that in mind, I configured a VRF with four routed interfaces (0/1 to 0/4). 0/3 is a BGP interface. 0/4 is the LAN. 0/1 and 0/2 are configured in a load-balancing static default route. The forwarding engine is configured to use per-destination load-balancing.

If I understand it correctly, Cisco's load-balancing in per-destination mode has an initial cost when the destination is not present in the routing table, but once it is there, CEF takes care of the forwarding. Since the traffic on the network is stream based (Live video streams), with very few new destinations (less than 500 per hour), but a constant stream of packets which should be handled by CEF.

So I'm still at a loss ... Should I expect better performance from the 3550-12t or am I trying to squeeze blood out of stones?

Hector

From tsw at animatele.com  Sun Nov 22 19:34:32 2009
From: tsw at animatele.com (Ilya Balashov)
Date: Mon, 23 Nov 2009 03:34:32 +0300
Subject: [c-nsp] difference between WS-F6700-DFC3BXL and WS-F6700-DFC3CXL
Message-ID: <99E12404-FF93-4B97-AD8B-5DABAE6DF36A@animatele.com>

Hi

I'm looking to upgrade my 7606 filled with X6704-GE and X6748-SFP (all with CFC right now). My first phase will be to swap SUP720-3BXL for RSP720-3CXL, but I'm in doubt about the second phase!

I can't find any information about WS-F6700-DFC3BXL vs WS-F6700-DFC3CXL, but the price differs by 2-2.5 times! Can anybody help with information or a suggestion?
Best regards,
Ilya Balashov
tsw at animatele.com

From mtinka at globaltransit.net  Sun Nov 22 20:55:09 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 23 Nov 2009 09:55:09 +0800
Subject: [c-nsp] difference between WS-F6700-DFC3BXL and WS-F6700-DFC3CXL
In-Reply-To: <99E12404-FF93-4B97-AD8B-5DABAE6DF36A@animatele.com>
References: <99E12404-FF93-4B97-AD8B-5DABAE6DF36A@animatele.com>
Message-ID: <200911230955.15129.mtinka@globaltransit.net>

On Monday 23 November 2009 08:34:32 am Ilya Balashov wrote:
> I'm looking for upgrade my 7606 filled with X6704-GE and
> X6748-SFP (all with CFC right now) My first phase will
> be swap SUP720-3BXL for RSP720-3CXL. but i'm in doubt
> about second phase!
> i can't find any information about WS-F6700-DFC3BXL vs
> WS-F6700-DFC3CXL, but price is different in 2-2.5 times!

Odd - we upgraded from the DFC-3BXL to the DFC-3CXL for the same price.

In terms of differences, search the archives for details on this, it has been discussed a few times. Bottom line, one of the key differences, in terms of features, is that the -3CXL supports several more MAC addresses. Apart from that, not so much difference.

Note, though, that the -3CXL benefits only kick in when you have a -3CXL supervisor module. If you have a -3BXL supervisor module, the -3CXL DFC benefits will not be enjoyed.

Advice, go with the -3CXL anyway.

Cheers,

Mark.

From andy.saykao at staff.netspace.net.au  Sun Nov 22 21:53:20 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 23 Nov 2009 13:53:20 +1100
Subject: [c-nsp] tacacs+ versions
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF53@vic-cr-ex1.staff.netspace.net.au>

Hi All,

For those running tacacs+, are you using the version from www.shrubbery.net/tac_plus/ or the version from www.networkforums.net?
I've played with both and like the version from www.networkforums.net because it's packaged to incorporate a mysql db and a front-end webgui for easy administration and reporting BUT documentation is lacking and it's not that intuitive to get going (I still haven't been able to create different privilege levels yet).

The version from www.shrubbery.net/tac_plus/ was easy to install and I had it up and running in no time but there is no mysql db integration (although this seems possible) and no front-end webgui to administer users/groups and provide reporting capabilities. Shrubbery's version with its mailing list seems to have a more active community as opposed to the forum at networkforums.

What are people's experience of using either version?

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.
From mtinka at globaltransit.net  Sun Nov 22 22:06:16 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 23 Nov 2009 11:06:16 +0800
Subject: [c-nsp] tacacs+ versions
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAF53@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF53@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <200911231106.21188.mtinka@globaltransit.net>

On Monday 23 November 2009 10:53:20 am Andy Saykao wrote:
> The version from www.shrubbery.net/tac_plus/ was easy to install
> and I had it up and running in no time but there is no
> mysql db integration (although this seems possible) and
> no front-end webgui to administer users/groups and
> provide reporting capabilities.

We use this one. Quick and easy to install (and upgrade), especially via the FreeBSD ports. It just works.

Cheers,

Mark.

From CJones at enterprisedata.com.au  Sun Nov 22 22:25:17 2009
From: CJones at enterprisedata.com.au (Chris Jones)
Date: Mon, 23 Nov 2009 14:25:17 +1100
Subject: [c-nsp] tacacs+ versions
In-Reply-To: <200911231106.21188.mtinka@globaltransit.net>
References: <56F211C5E3F24F47B103EA1B253822BE044AAF53@vic-cr-ex1.staff.netspace.net.au> <200911231106.21188.mtinka@globaltransit.net>
Message-ID: <61C1A30B39817D4DACC0C5CA4DF79CCAD491EB14@syd1exstore01.entdata.local>

Second this - we've had this running (with LDAP authentication via pam_ldap) for some time now. Very easy to get up and running, great support from the community, and extendable via external authorization handlers if you need to do anything custom.
Regards,

Chris

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Monday, 23 November 2009 2:06 PM
To: cisco-nsp at puck.nether.net
Cc: Andy Saykao
Subject: Re: [c-nsp] tacacs+ versions

On Monday 23 November 2009 10:53:20 am Andy Saykao wrote:
> The version from www.shrubbery.net/tac_plus/ was easy to install
> and I had it up and running in no time but there is no
> mysql db integration (although this seems possible) and
> no front-end webgui to administer users/groups and
> provide reporting capabilities.

We use this one. Quick and easy to install (and upgrade), especially via the FreeBSD ports. It just works.

Cheers,

Mark.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you receive this email by mistake, please notify the author and do not make any use of the email. We do not waive any privilege, confidentiality or copyright associated with it. Please consider the environment before printing this e-mail.

From justin at justinshore.com  Mon Nov 23 00:31:38 2009
From: justin at justinshore.com (Justin Shore)
Date: Sun, 22 Nov 2009 23:31:38 -0600
Subject: [c-nsp] [j-nsp] Network Liberation Movement???
In-Reply-To:
References: <4AEAF6B8.2090606@att.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3BE0@LMC-MAIL2.exempla.org> <5210A1C9084123478E12AA5924D1F253FBBCE9@w3usmia2.lat.gblxint.com> <8c308e8b0910301415t3b5c2d01n440e57bcf044992@mail.gmail.com> <443de7ad0910311035p2506ae77qbafd235bb4a59397@mail.gmail.com> <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com> <8c308e8b0911012234k43a7a1e1nd3370378bc039824@mail.gmail.com>
Message-ID: <4B0A1E3A.6010100@justinshore.com>

William McCall wrote:
> Sorry to re-open. Good job to HP for generating noise. Anyone want to
> buy some procurve switches?

I don't own a boat, hence no need for a boat anchor.
Justin

From gert at greenie.muc.de  Mon Nov 23 02:28:04 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 23 Nov 2009 08:28:04 +0100
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To:
References: <4AFF6E80.6030607@thelan.no>
Message-ID: <20091123072804.GT163@greenie.muc.de>

Hi,

On Sun, Nov 22, 2009 at 04:45:18PM -0800, Hector Herrera wrote:
> So I'm still at a loss ... Should I expect better performance from the
> 3550-12t or am I trying to squeeze blood out of stones?

Normally, hardware-forwarding boxes should never show significant CPU load. So some of your traffic is software-forwarded - and you need to figure out what and why.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de  Mon Nov 23 02:46:56 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 23 Nov 2009 08:46:56 +0100
Subject: [c-nsp] delay eBGP sessions on startup?
Message-ID: <20091123074656.GU163@greenie.muc.de>

Hi,

so I'm now following the design that everybody claims is "best" (loopbacks in OSPF, everything else in BGP), and I've found a few corner cases that are seriously worse than "customer routes in OSPF".

Number one - consider the following (simplified) network:

  Upstream 1 <---> ISP-Router 1 <---> ISP-Router 2 <---> Upstream 2
                                           |
                                       Customer X

both ISP-Routers announce the ISP's aggregate (let's call it 200.1.0.0/16) to their respective upstream providers (static route to null0, "network" statement). This needs to be done, to make sure that the aggregate is always visible, even if one of the routers is down.

Customer X uses addresses from 200.1.0.0/16, let's give him 200.1.1.1/32.
So, when "ISP-Router 1" boots, the following happens, more or less in this order:

1. bootup complete
2. OSPF neighbor establishes with ISP-Router 2
3. eBGP-Session to "Upstream 1" establishes, 200.1.0.0/16 is announced (only a single prefix is announced outbound)
4. iBGP-Session to "ISP-Router 2" establishes, 200k prefixes start propagating ISP-R2 -> ISP-R1 (full table at ISP-R2)
5. Traffic starts flowing from "Upstream 1" to "ISP-Router 1" (because the Upstream router is installing the 200.1.0.0/16 route right away)
6. <20-60 seconds delay>
7. ISP-R1 has processed all the BGP prefixes from ISP-R2, has built a FIB, and programmed everything in its hardware forwarding engines.
8. Traffic from "Upstream 1" to "Customer X" can be forwarded properly

the crucial element here is: between the items "5" and "8", packets coming from "Upstream 1" to "Customer X" are *dropped*, because ISP-R1 has no full internal reachability information yet, but is still announcing reachability for the aggregate to "Upstream 1".

The 20-60 seconds delay comes from the fact that even if the eBGP and iBGP sessions are established at roughly the same time, the eBGP session only has to announce one single prefix ("instantaneous"), while the iBGP session will see ~200k prefixes, "Customer X" being just one of them, fairly far down at the end (200.1.1.1/32).

So - now I'm wondering if it's only me? Shouldn't this problem bite other folks as well? The "other" design (customer routes in IGP) doesn't suffer from it, as IGP is usually done converging before BGP starts. But we don't want that.

One possible solution would be to have a knob that tells IOS "delay bringing up eBGP sessions and/or announcement of routes on eBGP sessions for seconds after initial BGP startup". This would make sure that iBGP has converged before eBGP starts, and no transient black-holing is seen.

Is that possible? I have googled and stared at the command-line help for a while, but couldn't find anything useful.
Routers in question are 6500s with SXI2a.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From oboehmer at cisco.com  Mon Nov 23 02:48:27 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 23 Nov 2009 08:48:27 +0100
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To: <20091123072804.GT163@greenie.muc.de>
References: <4AFF6E80.6030607@thelan.no> <20091123072804.GT163@greenie.muc.de>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FB8EBCD@XMB-AMS-103.cisco.com>

> On Sun, Nov 22, 2009 at 04:45:18PM -0800, Hector Herrera wrote:
> > So I'm still at a loss ... Should I expect better performance from the
> > 3550-12t or am I trying to squeeze blood out of stones?
>
> Normally, hardware-forwarding boxes should never show significant CPU
> load. So some of your traffic is software-forwarded - and you need to
> figure out what and why.

ack.. I don't have much experience with this platform., but
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/troubleshooting/cpu_util.html
seems to be a good start..

oli

From gert at greenie.muc.de  Mon Nov 23 03:10:25 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 23 Nov 2009 09:10:25 +0100
Subject: [c-nsp] delay eBGP sessions on startup?
In-Reply-To: <20091123074656.GU163@greenie.muc.de>
References: <20091123074656.GU163@greenie.muc.de>
Message-ID: <20091123081025.GV163@greenie.muc.de>

Hi,

On Mon, Nov 23, 2009 at 08:46:56AM +0100, Gert Doering wrote:
> One possible solution would be to have a knob that tells IOS "delay bringing
> up eBGP sessions and/or announcement of routes on eBGP sessions for
> seconds after initial BGP startup". This would make sure that iBGP has
> converged before eBGP starts, and no transient black-holing is seen.

Indeed there is a knob that seems to go into the right direction (thanks to Marco Eulenfeld for pointing this out to me):

"bgp update-delay "

"the bgp update-delay command is used to tune the maximum time the software will wait after the first neighbor is established until it starts calculating best paths and sending out advertisements".

Now, what does "maximum time" mean? Will it wait, or will it not?

The documentation that I found claims that the default value is "120", which would certainly not agree with the observed behaviour. OTOH, Marco claims that he has seen "0" as a default...

Will test, and report.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From sthaug at nethelp.no  Mon Nov 23 03:45:17 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 23 Nov 2009 09:45:17 +0100 (CET)
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To: <20091123072804.GT163@greenie.muc.de>
References: <20091123072804.GT163@greenie.muc.de>
Message-ID: <20091123.094517.74658458.sthaug@nethelp.no>

> Normally, hardware-forwarding boxes should never show significant CPU
> load.

With the exception of the old 3500XL series using 50% or more of the CPU to drive the front panel LEDs :-)

(Yes, I know, EoL years ago...)

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From ras at e-gerbil.net  Mon Nov 23 03:58:43 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 23 Nov 2009 02:58:43 -0600
Subject: [c-nsp] delay eBGP sessions on startup?
In-Reply-To: <20091123081025.GV163@greenie.muc.de> References: <20091123074656.GU163@greenie.muc.de> <20091123081025.GV163@greenie.muc.de> Message-ID: <20091123085843.GG51443@gerbil.cluepon.net> On Mon, Nov 23, 2009 at 09:10:25AM +0100, Gert Doering wrote: > "bgp update-delay " > > "the bgp update-delay command is used to tune the maximum time the > software will wait after the first neighbor is established until it > starts calculating best paths and sending out advertisements". > > Now, what does "maximum time" mean? Will it wait, or will it not? > > The documentation that I found claims that the default value is "120", > which would certainly not agree with the observed behaviour. OTOH, > Marco claims that he has seen "0" as a default... The docs make it look like more of a graceful-restart specific timer, not like advertisement-interval (intentionally delaying the propagation of new updates to try and consolidate them) or the "on-startup" delay behaviors available in the IGPs. http://www.cisco.com/en/US/products/ps6550/products_white_paper09186a008016317c.shtml The "bgp update-delay n" command may be entered on the Cisco NSF-capable router. The update-delay specifies the time interval- after the first peer has reconnected during which the restarting router expects to receive all BGP updates and the EOR marker from all of its configured peers. The default value of n is 120 seconds, and n is always measured in seconds. If the restarting router has a large number of peers, each with a large number of updates to be sent, this value may need to be increased from its default value. -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From masood at nexlinx.net.pk Mon Nov 23 04:30:10 2009 From: masood at nexlinx.net.pk (masood at nexlinx.net.pk) Date: Mon, 23 Nov 2009 14:30:10 +0500 (PKT) Subject: [c-nsp] delay eBGP sessions on startup? 
In-Reply-To: <20091123085843.GG51443@gerbil.cluepon.net> References: <20091123074656.GU163@greenie.muc.de> <20091123081025.GV163@greenie.muc.de> <20091123085843.GG51443@gerbil.cluepon.net> Message-ID: <30837.196.46.241.57.1258968610.squirrel@nexmail1.nexlinx.net.pk> probably Cisco needs a knob very similar to vendor Juniper out-delay. you can delay the time between when BGP and the routing table exchange route information. http://www.juniper.net/techpubs/software/junos/junos73/swconfig73-routing/html/bgp-config58.html#1016387 Regards, Masood > On Mon, Nov 23, 2009 at 09:10:25AM +0100, Gert Doering wrote: >> "bgp update-delay " >> >> "the bgp update-delay command is used to tune the maximum time the >> software will wait after the first neighbor is established until it >> starts calculating best paths and sending out advertisements". >> >> Now, what does "maximum time" mean? Will it wait, or will it not? >> >> The documentation that I found claims that the default value is "120", >> which would certainly not agree with the observed behaviour. OTOH, >> Marco claims that he has seen "0" as a default... > > The docs make it look like more of a graceful-restart specific timer, > not like advertisement-interval (intentionally delaying the propagation > of new updates to try and consolidate them) or the "on-startup" delay > behaviors available in the IGPs. > > http://www.cisco.com/en/US/products/ps6550/products_white_paper09186a008016317c.shtml > > The "bgp update-delay n" command may be entered on the Cisco NSF-capable > router. The update-delay specifies the time interval- after the first > peer has reconnected during which the restarting router expects to > receive all BGP updates and the EOR marker from all of its configured > peers. The default value of n is 120 seconds, and n is always measured > in seconds. 
If the restarting router has a large number of peers, each > with a large number of updates to be sent, this value may need to be > increased from its default value. > > -- > Richard A Steenbergen http://www.e-gerbil.net/ras > GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From pavel.skovajsa at gmail.com Mon Nov 23 05:31:42 2009 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Mon, 23 Nov 2009 11:31:42 +0100 Subject: [c-nsp] delay eBGP sessions on startup? In-Reply-To: <30837.196.46.241.57.1258968610.squirrel@nexmail1.nexlinx.net.pk> References: <20091123074656.GU163@greenie.muc.de> <20091123081025.GV163@greenie.muc.de> <20091123085843.GG51443@gerbil.cluepon.net> <30837.196.46.241.57.1258968610.squirrel@nexmail1.nexlinx.net.pk> Message-ID: <323aca890911230231t26c4133ck7ed9f2311922a0c3@mail.gmail.com> Hi all, The situation is due to the fact that the upstream solution architecture is not symetric + the fact that BGP is not designed for milisecond convergence. Hence are my "silly" ideas in the order they appear in "memory": 1. One of the solutions would be to make the architecture symetric - make Upstream 1 <---> ISP-Router 1 send 200k routes between themselves. 2. Try to get the situation symetric as much as possible with "Advanced Complicated BGP" tweaking a. As default MTU for BGP session is 536, use "ip tcp path-mtu-discovery" on neighboars or "neighbor x.x.x.x transport path-mtu-discovery". This should get the 200k on the other side faster. b. Bind the advertizing of the big 200.1.0.0/16 to RTR tracker that tracks the availability of certain route c. ....BGP scanner tweaking.... d. etc. etc. see Networkers presentations: BRKIPM-3005 - Advances in BGP BRKIPM-3004 - IOS-XR IGP, BGP and PIM Convergence 3. 
Shutdown the BGP with Upstream_1 in startup, and unshut it manually. :)) 4. Shutdown the BGP with Upstream_1 in startup, and unshut it automatically with clever EEM. :)) I my opinion asking Cisco for a knob is a last resort, should be used only when all the ideas fail. -pavel skovajsa On Mon, Nov 23, 2009 at 10:30 AM, wrote: > probably Cisco needs a knob very similar to vendor Juniper out-delay. you > can delay the time between when BGP and the routing table exchange route > information. > > http://www.juniper.net/techpubs/software/junos/junos73/swconfig73-routing/html/bgp-config58.html#1016387 > > Regards, > Masood > >> On Mon, Nov 23, 2009 at 09:10:25AM +0100, Gert Doering wrote: >>> ? "bgp update-delay " >>> >>> "the bgp update-delay command is used to tune the maximum time the >>> software will wait after the first neighbor is established until it >>> starts calculating best paths and sending out advertisements". >>> >>> Now, what does "maximum time" mean? ?Will it wait, or will it not? >>> >>> The documentation that I found claims that the default value is "120", >>> which would certainly not agree with the observed behaviour. ?OTOH, >>> Marco claims that he has seen "0" as a default... >> >> The docs make it look like more of a graceful-restart specific timer, >> not like advertisement-interval (intentionally delaying the propagation >> of new updates to try and consolidate them) or the "on-startup" delay >> behaviors available in the IGPs. >> >> http://www.cisco.com/en/US/products/ps6550/products_white_paper09186a008016317c.shtml >> >> The "bgp update-delay n" command may be entered on the Cisco NSF-capable >> router. The update-delay specifies the time interval- after the first >> peer has reconnected during which the restarting router expects to >> receive all BGP updates and the EOR marker from all of its configured >> peers. The default value of n is 120 seconds, and n is always measured >> in seconds. 
If the restarting router has a large number of peers, each >> with a large number of updates to be sent, this value may need to be >> increased from its default value. >> >> -- >> Richard A Steenbergen ? ? ? http://www.e-gerbil.net/ras >> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) >> _______________________________________________ >> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From pavel.skovajsa at gmail.com Mon Nov 23 05:42:08 2009 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Mon, 23 Nov 2009 11:42:08 +0100 Subject: [c-nsp] difference between WS-F6700-DFC3BXL and WS-F6700-DFC3CXL In-Reply-To: <200911230955.15129.mtinka@globaltransit.net> References: <99E12404-FF93-4B97-AD8B-5DABAE6DF36A@animatele.com> <200911230955.15129.mtinka@globaltransit.net> Message-ID: <323aca890911230242v33db7bd0l63572fcee9aec5dc@mail.gmail.com> HI Ilya, Not sure where you pricing came from but this is in GPL: RSP720-3CXL-GE= Cisco 7600 Route Switch Processor 720Gbps fabric,PFC3CXL, GE B $40,000 WS-F6700-DFC3BXL Catalyst 6500 Dist Fwd Card- 3BXL, for WS-X67xx B $15,000 vs. 
WS-F6700-DFC3CXL Catalyst 6500 Dist Fwd Card- 3CXL, for WS-X67xx B $15,000 For the information about the difference between the DFC cards read this: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html and this: http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns668/net_qanda0900aecd80534905.html Hope it helps -pavel skovajsa On Mon, Nov 23, 2009 at 2:55 AM, Mark Tinka wrote: > On Monday 23 November 2009 08:34:32 am Ilya Balashov wrote: > >> I'm looking for upgrade my 7606 filled with X6704-GE and >> ?X6748-SFP (all with CFC right now) My first phase will >> ?be swap SUP720-3BXL for RSP720-3CXL. but i'm in doubt >> ?about second phase! >> i can't find any information about WS-F6700-DFC3BXL vs >> ?WS-F6700-DFC3CXL, but price is different in 2-2.5 times! > > Odd - we upgraded from the DFC-3BXL to the DFC-3CXL for the > same price. > > In terms of differences, search the archives for details on > this, it has been discussed a few times. Bottom line, one of > the key differences, in terms of features, is that the -3CXL > supports several more MAC addresses. Apart from that, not so > much difference. > > Note, though, that the -3CXL benefits only kick in when you > have a -3CXL supervisor module. If you have a -3BXL > supervisor module, the -3CXL DFC benefits will not be > enjoyed. > > Advice, go with the -3CXL anyway. > > Cheers, > > Mark. 
> > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From pavel.skovajsa at gmail.com Mon Nov 23 05:46:47 2009 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Mon, 23 Nov 2009 11:46:47 +0100 Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960 In-Reply-To: <200911222317.17616.daniele@orlandi.com> References: <4B0974A7.5030204@inex.ie> <200911222317.17616.daniele@orlandi.com> Message-ID: <323aca890911230246l1afb566dtc5af63f457d3f4eb@mail.gmail.com> Hi, I would approach this the indirect way - try shuffling the switches around to see which combinations work & which not. This is the "universal engineer" approach :) -pavel skovajsa On Sun, Nov 22, 2009 at 11:17 PM, Daniele Orlandi wrote: > On Sunday 22 November 2009 18:28:07 Nick Hilliard wrote: >> >> If you disable autonegotiation, you will need to use a GE cross-over cable, > > I don't think so, because with GE there are no RX and TX pairs to be crossed > as all four pairs are both for transmission and reception. > > -- > ?Daniele "Vihai" Orlandi > ?Bieco Illuminista #184213 > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gert at greenie.muc.de Mon Nov 23 05:46:40 2009 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 23 Nov 2009 11:46:40 +0100 Subject: [c-nsp] delay eBGP sessions on startup? 
In-Reply-To: <323aca890911230231t26c4133ck7ed9f2311922a0c3@mail.gmail.com> References: <20091123074656.GU163@greenie.muc.de> <20091123081025.GV163@greenie.muc.de> <20091123085843.GG51443@gerbil.cluepon.net> <30837.196.46.241.57.1258968610.squirrel@nexmail1.nexlinx.net.pk> <323aca890911230231t26c4133ck7ed9f2311922a0c3@mail.gmail.com> Message-ID: <20091123104640.GX163@greenie.muc.de> Hi, On Mon, Nov 23, 2009 at 11:31:42AM +0100, Pavel Skovajsa wrote: > The situation is due to the fact that the upstream solution > architecture is not symetric + the fact that BGP is not designed for > milisecond convergence. Indeed. But actually you don't need millisecond convergence here, if you ensure convergence in the right sequence - IGP first (with overload bit), iBGP next, clear IGP overload bit, eBGP. The problem is that eBGP routes are announced before iBGP has converged, and as such, the routers cannot do the right thing here. > Hence are my "silly" ideas in the order they appear in "memory": > > 1. One of the solutions would be to make the architecture symetric - > make Upstream 1 <---> ISP-Router 1 send 200k routes between > themselves. This would not help at all. Why? Because at startup, "ISP Router 1" only has *one* prefix. Only after the 200k routes from ISP-R2 and upstream 1 have been received, ISP-R1 could even begin to announce them. Not that I would *want* to announce "the full table" to the upstream routers. > 2. Try to get the situation symetric as much as possible with > "Advanced Complicated BGP" tweaking > a. As default MTU for BGP session is 536, use "ip tcp > path-mtu-discovery" on neighboars or "neighbor x.x.x.x transport > path-mtu-discovery". This should get the 200k on the other side > faster. This would improve things slightly, but won't solve the general problem. > b. Bind the advertizing of the big 200.1.0.0/16 to RTR tracker > that tracks the availability of certain route Won't help. 
If ISP-R2 is down, ISP-R1 still has to announce the /16 (there are customers directly connected to ISP-R1 that need the /16 to be in BGP). > c. ....BGP scanner tweaking.... Won't help. Scanner is not involved yet. > d. etc. etc. see Networkers presentations: > BRKIPM-3005 - Advances in BGP > BRKIPM-3004 - IOS-XR IGP, BGP and PIM Convergence I'll look at these (thanks). > 3. Shutdown the BGP with Upstream_1 in startup, and unshut it manually. :)) > 4. Shutdown the BGP with Upstream_1 in startup, and unshut it > automatically with clever EEM. :)) These two would solve this, but "3." will only help for planned reboots (we hardly ever do planned reboots, unplanned crashes and/or power problem are more frequent), and "4." introduces extra complexity that we really do not want to see there... Are EEM applets and startup invocation visible in "show running-config"? (This is a serious question - of course the router configuration needs to be backed up, and restored easily. If extra work besides "copy tftp start" is needed to get a replacement device in place, this is bad). > I my opinion asking Cisco for a knob is a last resort, should be used > only when all the ideas fail. EEM is a hack that increases complexity in a non-deterministic way, and should only be used when all the more generic approaches fail. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
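Gert's sequencing point above (the /16 aggregate must not reach the upstream before iBGP has delivered the more-specifics that live behind ISP-R2) can be made concrete with a small model. This is an added example, not code from the thread or from anyone's router: the prefixes, the one-packet-per-second traffic mix, the next-hop labels and the timings are constructed assumptions, and the upstream's propagation delay is taken as zero.

```python
"""
Model of the startup race from the thread: ISP-R1 comes back from a reboot
holding only its 200.1.0.0/16 aggregate (pointed at Null0) and the /24s of
customers attached directly to it; the /24s of customers behind ISP-R2
arrive later over iBGP.  If the aggregate is announced to the upstream
before that, traffic for the ISP-R2 customers is pulled to ISP-R1 and hits
Null0.  Constructed example: prefixes, traffic and timings are assumptions.
"""
import ipaddress


class Fib:
    """Longest-prefix-match table: network -> next-hop label."""

    def __init__(self):
        self.routes = {}

    def install(self, prefix, nexthop):
        self.routes[ipaddress.ip_network(prefix)] = nexthop

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        best = None
        for net, nexthop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best[1] if best else None


def simulate_startup(ebgp_announce_at, ibgp_converged_at, duration=120):
    """Return (forwarded, blackholed) packet counts for one boot.

    Seconds after boot:
      ebgp_announce_at  - /16 advertised to the upstream; from then on the
                          upstream sends traffic for the whole /16 to ISP-R1
      ibgp_converged_at - the /24s behind ISP-R2 are installed on ISP-R1
    Before the /16 is announced the upstream still reaches the block via
    ISP-R2's own announcement, so those packets are not counted here.
    """
    fib = Fib()
    fib.install("200.1.0.0/16", "Null0")      # aggregate, as on a border router
    fib.install("200.1.1.0/24", "Gi0/1")      # customer directly on ISP-R1
    # constructed traffic: one packet per second to each of three customers,
    # one local and two behind ISP-R2
    destinations = ["200.1.1.10", "200.1.2.10", "200.1.3.10"]
    forwarded = blackholed = 0
    for t in range(duration):
        if t == ibgp_converged_at:
            fib.install("200.1.2.0/24", "iBGP:ISP-R2")
            fib.install("200.1.3.0/24", "iBGP:ISP-R2")
        if t < ebgp_announce_at:
            continue
        for dst in destinations:
            if fib.lookup(dst) == "Null0":
                blackholed += 1
            else:
                forwarded += 1
    return forwarded, blackholed


def compare_orderings(ibgp_converged_at=60, duration=120):
    """eBGP announced at boot versus eBGP held until iBGP has converged."""
    return {
        "ebgp_first": simulate_startup(0, ibgp_converged_at, duration),
        "ibgp_first": simulate_startup(ibgp_converged_at, ibgp_converged_at, duration),
    }


if __name__ == "__main__":
    for ordering, (ok, lost) in compare_orderings().items():
        print(f"{ordering}: forwarded={ok} blackholed={lost}")
```

The blackhole window is exactly the gap between the eBGP announcement and iBGP convergence, and it exists even though the aggregate is "correct" in the sense that ISP-R1 does own the block; holding the eBGP announcement costs nothing in the model because the upstream keeps using ISP-R2's announcement meanwhile, which is the same reasoning as the IGP overload bit applied one layer up.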
From juuso.lehtinen at gmail.com  Mon Nov 23 07:16:47 2009
From: juuso.lehtinen at gmail.com (Juuso Lehtinen)
Date: Mon, 23 Nov 2009 14:16:47 +0200
Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960
In-Reply-To: 
References: <4B096140.9060001@inex.ie>
Message-ID: 

I replaced the cable today with similar straight-thru cable. Links seem to
autonegotiate now to a-1000. Tried plugging and unplugging cable several
times, and every time autonegotiation went fine.

Still a bit confused about the root cause of this problem. I was able to fix
the autonegotiation on the old cable yesterday by executing 'media-type
rj45' on suspended port. After that, port seemed to perform autonegotiation
again and suspended state was raised. Didn't see the problem resurface again
even after reverting back to 'media-type auto-select'.

-Juuso

On Sun, Nov 22, 2009 at 6:52 PM, Juuso Lehtinen wrote:
> Thanks to all for answers,
>
> Cables straight-thru, and identical cables are used for the working and
> suspended trunks.
>
> I will try replacing the cable with a new one tomorrow. If that does not
> help, will try disabling autonegotiation.
>
>
> On Sun, Nov 22, 2009 at 6:05 PM, Nick Hilliard wrote:
>
>> On 22/11/2009 12:46, Juuso Lehtinen wrote:
>>
>>> Any ideas what might be causing this. I wonder if I'm running into some
>>> kind of minimum cable length problem. Switches are sitting adjacent to
>>> each other in a rack and connected with very short cables (0.5m ~ 2 ft).
>>
>> Are you sure you're using the correct cable type?  Either you should use a
>> regular 568-B straight-thru cable, or else you should use a full GE
>> crossover cable, which is wired like this:
>>
>> 1. white/orange -> white/green
>> 2. orange/white -> green/white
>> 3. white/green -> white/orange
>> 4. blue/white -> brown/white
>> 5. white/blue -> white/brown
>> 6. green/white -> orange/white
>> 7. white/brown -> white/blue
>> 8. brown/white -> blue/white
>>
>> Note that for a 100M cross-over, you only cross orange with green, but for
>> GE, you need to cross blue with brown too.
>>
>> Even if you're sure about the cabling, it's no harm to test it out with a
>> decent cable tester.  Maybe there's something strange going on with the UTP
>> termination plugs?
>>
>> Cable length is only a problem where you use co-ax, as the co-axial cable
>> medium can encourage all sorts of strange effects (signal reflection, timing
>> problems, etc).
>>
>> Nick
>>
>

From ross at kallisti.us  Mon Nov 23 08:41:58 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 23 Nov 2009 08:41:58 -0500
Subject: [c-nsp] Flow Control and 10GE interfaces
In-Reply-To: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP>
References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP>
Message-ID: <20091123134158.GA1538@kallisti.us>

On Sun, Nov 22, 2009 at 08:28:24PM -0000, Matthew Melbourne wrote:
> What is the general recommendation regarding enabling flow control on
> Ethernet interfaces. Is it a legacy issue when devices had smaller buffers,
> or is it still required for specific applications? We are having issues with
> an Enterprise NAS solution where servers using it for storage are claiming
> to be losing connectivity. The NAS is connected to the switch fabric (a pair
> of Catalyst 6509s) by two 2*10GE port-channels (10GBase-SR optics); receive
> flow control is enabled on the switch side "flowcontrol receive on", but no
> input or output pause frames are being received/sent according to the member
> interface statistics.
>
> The vendor is now suggesting that flowcontrol needs to be enabled end-to-end
> - e.g. on aggregation switches downstream from the Catalyst 6509s towards
> the servers and on the hosts. However, the utilisation on the NAS
> port-channels is only ~400Mbps. Does enabling flowcontrol make sense here?

Storage vendors seem to blame a plethora of issues on disabled Ethernet
Flow Control.  Every discussion that I've ever had with any of them,
every document that I've ever read, totally fails to understand what
ethernet flow control does and how it works.  No one is even aware of
the head of line blocking problem.  Remember - when you pause your NAS,
you pause it for EVERYONE.

Maybe I've talked to the wrong folks, but no one seems to understand
this.  It's almost like EMC thinks they designed their NAS for a single
client...

The answer is very simple: if someone thinks that ethernet flow control
is the answer, the burden of proof is on them to answer difficult
questions about what the actual problem is, what flow control is going
to solve, and why they think that it won't cause more problems than its
worth.  At best it does nothing, realistically it interferes with TCP
flow control, and at worst it pauses your storage and breaks every
client.

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie

From Charles.Church at harris.com  Mon Nov 23 09:23:35 2009
From: Charles.Church at harris.com (Church, Charles)
Date: Mon, 23 Nov 2009 09:23:35 -0500
Subject: [c-nsp] New feature, can't find it documented - NTP using DNS
Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net>

Hey all,

Ran across this by accident on a 871 running 12.4(24)T2:

DE-Atlanta(config)#ntp server ?
  A.B.C.D     IP address of peer
  WORD        Hostname of peer
  X:X:X:X::X  IPv6 address of peer
  ip          Use IP for DNS resolution
  ipv6        Use IPv6 for DNS resolution
  vrf         VPN Routing/Forwarding Information

DE-Atlanta(config)#ntp server ip ?
  WORD  Hostname of peer

DE-Atlanta(config)#ntp server ip pool.ntp.org ?
  burst    Send a burst when peer is reachable
  iburst   Send a burst when peer is unreachable
  key      Configure peer authentication key
  maxpoll  Maximum poll interval
  minpoll  Minimum poll interval
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version

DE-Atlanta(config)#ntp server ip pool.ntp.org
Translating "pool.ntp.org"...domain server (12.127.16.67) [OK]

DE-Atlanta#sh run | i ntp
ntp server ip pool.ntp.org
ntp server 64.73.32.134
ntp server 207.46.197.32

DE-Atlanta#sh ntp ass

  address         ref clock       st   when   poll reach  delay  offset    disp
 ~38.229.71.1     192.168.0.16     2      3     64     7  0.000  658.174  1938.4
 ~64.73.32.134    4.213.182.128    2     40     64     3  0.000  665.796  3937.7
 ~207.46.197.32   169.229.70.64    3     44     64     3  0.000  655.923  3949.7
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
DE-Atlanta#

-----------------------------------------------------------------------------------------------------------------

Been wanting this for years.  Any idea what this feature is called?  Didn't
see anything in the release notes or feature navigator about it.  Curious if
it honors DNS TTLs, etc.  I do see that it's negotiated V4 on these peers,
but I don't think it's a function of NTP V4.

Thanks,

Chuck

From rsm at fast-serv.com  Mon Nov 23 09:39:46 2009
From: rsm at fast-serv.com (Randy McAnally)
Date: Mon, 23 Nov 2009 09:39:46 -0500
Subject: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960
In-Reply-To: 
References: <4B096140.9060001@inex.ie>
Message-ID: <20091123143924.M8165@fast-serv.com>

Bad cable... It happens.

-- 
Randy

---------- Original Message -----------
From: Juuso Lehtinen
To: cisco-nsp at puck.nether.net
Sent: Mon, 23 Nov 2009 14:16:47 +0200
Subject: Re: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960

> I replaced the cable today with similar straight-thru cable. Links
> seem to autonegotiate now to a-1000. Tried plugging and unplugging
> cable several times, and every time autonegotiation went fine.

From pavel.skovajsa at gmail.com  Mon Nov 23 09:47:40 2009
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Mon, 23 Nov 2009 15:47:40 +0100
Subject: [c-nsp] Secondary VLAN deployment on Metro ETTH
Message-ID: <323aca890911230647h72845a2j96f7c735f5def600@mail.gmail.com>

Hi all,

I am planning to implement Secondary VLANs feature on a Metro ETTH
based on ME3400+76k. I have read various docs about the best I found
is on http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/

I have couple questions/scenarios I want to doublecheck with you:

1. Anybody using VTPv3 to disseminate the PVLAN info?

2. What if there are 3rd party switches in the environment placed
randomly between the ME3400?

Here is my train of thought:
- From the explanations in the various docs I understood that the MAC
address table for *downstream traffic* is stored in primary VLAN table
- The reverse upstream traffic is stored in secondary VLAN MAC table
-> hence it follows (not written anywhere) that in order to properly
switch the traffic and not flood it, the PVLAN implementation must do
lookups in JOINED primary+secondary mac address table.

Now the problem might lie in having 3rd party switches placed
*between* ME3400 - they have no idea about the PVLANs hence forward it
according to their VLAN tables -> which are NOT joined -> hence the
traffic is flooded on them.

-pavel skovajsa

From doberry at zcorum.com  Mon Nov 23 10:04:02 2009
From: doberry at zcorum.com (D.J. O'Berry)
Date: Mon, 23 Nov 2009 10:04:02 -0500
Subject: [c-nsp] Identifying the modem based off of cpe ip
Message-ID: <4B0AA462.3090501@zcorum.com>

Hello all,

I'm writing in to ask this. I know that you can run a sho cable modem
(ip of modem) to look at a specific modem on a Cisco. What I'm looking
for is a way to show a modem based off of the cpe ip/mac behind it. I
know that older 3com and Terayon Bluewaves had this option in their code.

-- 
D.J. O'Berry
Network Design Engineer
ZCorum
866-467-9791 ext 7041
doberry at zcorum.com

From florin at futurefreedom.ro  Mon Nov 23 10:22:09 2009
From: florin at futurefreedom.ro (florin at futurefreedom.ro)
Date: Mon, 23 Nov 2009 15:22:09 +0000
Subject: [c-nsp] Identifying the modem based off of cpe ip
Message-ID: <384569292-1258989764-cardhu_decombobulator_blackberry.rim.net-1135212599-@bda217.bisx.produk.on.blackberry>

Hey,

Just do a show cable modem cpe_ip. It works on ubr72xxvxr and ubr10k.

------Original Message------
From: D.J. O'Berry
Sender: cisco-nsp-bounces at puck.nether.net
To: 'Cisco-nsp'
ReplyTo: doberry at zcorum.com
Subject: [c-nsp] Identifying the modem based off of cpe ip
Sent: Nov 23, 2009 17:04

Hello all,

I'm writing in to ask this. I know that you can run a sho cable modem
(ip of modem) to look at a specific modem on a Cisco. What I'm looking
for is a way to show a modem based off of the cpe ip/mac behind it. I
know that older 3com and Terayon Bluewaves had this option in their code.

-- 
D.J. O'Berry
Network Design Engineer
ZCorum
866-467-9791 ext 7041
doberry at zcorum.com

Sent from my BlackBerry® wireless device

From gert at greenie.muc.de  Mon Nov 23 10:48:26 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 23 Nov 2009 16:48:26 +0100
Subject: [c-nsp] Flow Control and 10GE interfaces
In-Reply-To: <20091123134158.GA1538@kallisti.us>
References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us>
Message-ID: <20091123154826.GY163@greenie.muc.de>

Hi,

On Mon, Nov 23, 2009 at 08:41:58AM -0500, Ross Vandegrift wrote:
> The answer is very simple: if someone thinks that ethernet flow
> control is the answer, the burden of proof is on them to answer
> difficult questions about what the actual problem is, what flow
> control is going to solve, and why they think that it won't cause more
> problems than its worth.  At best it does nothing, realistically it
> interferes with TCP flow control, and at worst it pauses your storage
> and breaks every client.

I tend to disagree with this statement in this broadness.  We've seen
problems where lack of flow control combined with a switch with too-tiny
buffers and bursty ingress traffic led to buffer overflow on egress, and
packet loss.  If the switch would use flow control here to space the
ingress traffic better (that is: stop and restart the flow for milliseconds
at a time), packet loss would be avoidable.

Of course, this can indeed fire backwards - as in: one egress port is
way overloaded, and flow control spreads the pain from there to all other
egress ports served by the ingress port in question.

So indeed, flow control is not a panacea.  I agree with this :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
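Ross's head-of-line point and Gert's buffer-overflow point are two outcomes of the same mechanism, and a small discrete-time model shows both at once. This is an added example, not code from the thread or from any switch vendor: one ingress port (the NAS uplink) feeds two egress ports, A towards a client whose link keeps up and B towards an oversubscribed client; the per-tick rates, the queue capacity and the pause watermarks are constructed values. Standard 802.3x PAUSE stops the whole link rather than a single queue, and that is what the model does; per-priority pause is a separate extension (IEEE 802.1Qbb) and is not modelled.

```python
"""
Discrete-time model of one switch ingress port (the NAS uplink) feeding two
egress ports: A towards a client that drains at line rate, B towards an
oversubscribed client.  Constructed example, not from the thread: units are
frames per tick, and buffer sizes are frames, chosen so that B overflows.
"""


def simulate(pause_enabled, ticks=200, capacity=20, high=16, low=8):
    """Run the model; return per-port deliveries, tail drops and the number
    of ticks the NAS spent paused."""
    offered = {"A": 5, "B": 5}      # NAS offers 5 frames/tick to each client
    drain = {"A": 10, "B": 2}       # egress rate: A keeps up, B does not
    buf = {"A": 0, "B": 0}          # per-egress-port queue occupancy
    delivered = {"A": 0, "B": 0}
    dropped = 0
    paused = False
    paused_ticks = 0

    for _ in range(ticks):
        if paused:
            paused_ticks += 1
        else:
            # Ingress: frames that do not fit in the egress queue are tail-dropped
            # (Gert's "too-tiny buffers" case when pause is off).
            for port in ("A", "B"):
                room = capacity - buf[port]
                accepted = min(room, offered[port])
                dropped += offered[port] - accepted
                buf[port] += accepted
        # Egress: each port drains at its own rate.
        for port in ("A", "B"):
            out = min(buf[port], drain[port])
            buf[port] -= out
            delivered[port] += out
        # 802.3x PAUSE is per link: one congested queue stops the whole ingress
        # port, including the frames bound for the idle port A (Ross's
        # "you pause it for EVERYONE").  Hysteresis between high and low.
        if pause_enabled:
            worst = max(buf.values())
            if worst >= high:
                paused = True
            elif worst <= low:
                paused = False

    return {"delivered": delivered, "dropped": dropped, "paused_ticks": paused_ticks}


def compare(ticks=200):
    """Both configurations side by side, same offered load."""
    return {"no_pause": simulate(False, ticks), "pause": simulate(True, ticks)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Without pause, B's queue overflows and every frame beyond its drain rate is dropped while A is untouched; with pause, drops go to zero but A's throughput falls well below what its own link could carry, because the only lever the switch has is to stop the NAS entirely. Which of the two is the lesser harm is exactly the question Ross says the storage vendor has to answer.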
Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From oboehmer at cisco.com Mon Nov 23 10:53:29 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 23 Nov 2009 16:53:29 +0100 Subject: [c-nsp] New feature, can't find it documented - NTP using DNS In-Reply-To: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> Message-ID: <6E4D2678AC543844917CA081C9D6B33FB8F13D@XMB-AMS-103.cisco.com> > Hey all, > > Ran across this by accident on a 871 running 12.4(24)T2: > > > DE-Atlanta(config)#ntp server ip ? > WORD Hostname of peer > > DE-Atlanta(config)#ntp server ip pool.ntp.org ? > burst Send a burst when peer is reachable > iburst Send a burst when peer is unreachable > key Configure peer authentication key > maxpoll Maximum poll interval > minpoll Minimum poll interval > prefer Prefer this peer when possible > source Interface for source address > version Configure NTP version > > > Been wanting this for years. Any idea what this feature is called? Didn't > see anything in the release notes or feature navigator about it. Looks like it's part of the NTPv4 feature commit. > Curious if > it honors DNS TTLs, etc. I do see that it's negotiated V4 on these peers, > but I don't think it's a function of NTP V4. I think the config doesn't honor TTL, so the implementation is rather "basic".. 
oli From p.mayers at imperial.ac.uk Mon Nov 23 11:05:16 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 23 Nov 2009 16:05:16 +0000 Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: <20091123154826.GY163@greenie.muc.de> References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> <20091123154826.GY163@greenie.muc.de> Message-ID: <4B0AB2BC.1080304@imperial.ac.uk> Gert Doering wrote: > Hi, > > On Mon, Nov 23, 2009 at 08:41:58AM -0500, Ross Vandegrift wrote: >> The answer is very simple: if someone thinks that ethernet flow >> control is the answer, the burden of proof is on them to answer >> difficult questions about what the actual problem is, what flow >> control is going to solve, and why they think that it won't cause more >> problems than its worth. At best it does nothing, realistically it >> interferes with TCP flow control, and at worst it pauses your storage >> and breaks every client. > > I tend to disagree with this statement in this broadness. We've seen > problems where lack of flow control combined with a switch with too-tiny > buffers and bursty ingress traffic led to buffer overflow on egress, and > packet loss. If the switch would use flow control here to space the > ingress traffic better (that is: stop and restart the flow for milliseconds > at a time), packet loss would be avoidable. > > Of course, this can indeed fire backwards - as in: one egress port is > way overloaded, and flow control spreads the pain from there to all other > egress ports served by the ingress port in question. > > So indeed, flow control is not a panacea. I agree with this :-) An interesting wrinkle (to some) is that stock flow control is not QoS (i.e. 
802.1p codepoint) aware - it's all-or-nothing, meaning your low-bandwidth diffserv/EF flow gets paused as well as your less-then best-effort 999.9mbit/sec FTP transfer :o( There's a flow control extension somewhere for per-802.1p flow control, but I can't find the references for this. QoS seems to have gone out of fashion however, so whether this is relevant is another matter ;o) From doberry at zcorum.com Mon Nov 23 10:30:47 2009 From: doberry at zcorum.com (D.J. O'Berry) Date: Mon, 23 Nov 2009 10:30:47 -0500 Subject: [c-nsp] Identifying the modem based off of cpe ip In-Reply-To: <384569292-1258989764-cardhu_decombobulator_blackberry.rim.net-1135212599-@bda217.bisx.produk.on.blackberry> References: <384569292-1258989764-cardhu_decombobulator_blackberry.rim.net-1135212599-@bda217.bisx.produk.on.blackberry> Message-ID: <4B0AAAA7.6050404@zcorum.com> Thanks. Never seen that in the command list of options, so never thought Cisco could do it. florin at futurefreedom.ro wrote: > Hey, > > Just do a show cable modem cpe_ip. It works on ubr72xxvxr and ubr10k. > > ------Original Message------ > From: D.J. O'Berry > Sender: cisco-nsp-bounces at puck.nether.net > To: 'Cisco-nsp' > ReplyTo: doberry at zcorum.com > Subject: [c-nsp] Identifying the modem based off of cpe ip > Sent: Nov 23, 2009 17:04 > > Hello all, > > I'm writing in to ask this. I know that you can run a sho cable modem > (ip of modem) to look at a specific modem on a Cisco. What I'm looking > for is a way to show a modem based off of the cpe ip/mac behind it. I > know that older 3com and Terayon Bluewaves had this option in their code. > > -- D.J. O'Berry Network Design Engineer ZCorum 866-467-9791 ext 7041 doberry at zcorum.com From asturluismi at gmail.com Mon Nov 23 11:28:31 2009 From: asturluismi at gmail.com (luismi) Date: Mon, 23 Nov 2009 17:28:31 +0100 Subject: [c-nsp] TCL script to check empty ACL in PBR Message-ID: <1258993711.5367.1.camel@hal9000> Before start to think how I could do that... 
Is there anyone here with a TCL script to check if an ACL is empty so it is destroying the PBR sequence? Regards.

From gert at greenie.muc.de Mon Nov 23 11:31:15 2009 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 23 Nov 2009 17:31:15 +0100 Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: <4B0AB2BC.1080304@imperial.ac.uk> References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> <20091123154826.GY163@greenie.muc.de> <4B0AB2BC.1080304@imperial.ac.uk> Message-ID: <20091123163115.GA163@greenie.muc.de> Hi, On Mon, Nov 23, 2009 at 04:05:16PM +0000, Phil Mayers wrote: > >So indeed, flow control is not a panacea. I agree with this :-) > > An interesting wrinkle (to some) is that stock flow control is not QoS > (i.e. 802.1p codepoint) aware - it's all-or-nothing, meaning your > low-bandwidth diffserv/EF flow gets paused as well as your less-than > best-effort 999.9mbit/sec FTP transfer :o( Oh. Even better point. So yes, flow control definitely needs to be activated with care. "Big buffers" is it, then :-) - plus "big pipes!". gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From jeremy at mojohost.com Mon Nov 23 10:39:00 2009 From: jeremy at mojohost.com (Jeremy Reid) Date: Mon, 23 Nov 2009 10:39:00 -0500 (EST) Subject: [c-nsp] Anyone seeing excessive shipping delays on ASR1006 and Catalyst 4500 series equipment? In-Reply-To: <562333522.29291258990633916.JavaMail.root@zmail.mojohost.com> Message-ID: <336105772.29311258990739959.JavaMail.root@zmail.mojohost.com> Hey Group, Has anyone recently been seeing unusual/extended delivery dates being provided on Cisco ASR1000 series or Catalyst 4500 gear?
We've had some sizable orders in place since July and we keep getting the ship date extended out each time it approaches. Currently, shipping estimates are out yet another month, bringing this to a 4-5 month wait (should the latest estimate actually come in when promised). I know the ASR line is relatively new, but the 45K is a 'commodity' product at this point, so we were not expecting this kind of lead time and now have several projects in jeopardy as a result. The word we are getting from our VAR and Cisco directly is that they had spun down some manufacturing plants based on the economic downturn and it's taking them some time to ramp things back up to satisfy a stronger than expected order cycle. While I guess this sounds plausible, I have no real way of knowing if it's just a line or not. My question for the group is, has anyone recently received any new ASR1000 or Catalyst 4500 series equipment, and if so, how long was your wait? Anyone have items on order and receiving word that it will take longer than usual to ship? Feedback is very appreciated. Thanks, -Jeremy -- Jeremy Reid Network Engineer, MojoHost

From Charlie.Greenaway at btinet.bt.com Mon Nov 23 12:13:48 2009 From: Charlie.Greenaway at btinet.bt.com (Charlie Greenaway) Date: Mon, 23 Nov 2009 17:13:48 -0000 Subject: [c-nsp] Anyone seeing excessive shipping delays on ASR1006 and In-Reply-To: References: Message-ID: <7EA99F102607DF43BDF25CC68475008704622213@lhmail.btinet.local> Hi Jeremy, Yes, we have experienced some delays. This is something you will have to take up with your Cisco account team. Best regards, Charlie G Charlie Greenaway - CCIE#11226 (Security/R&S) Solutions Architect | BT iNet | Tel: +44 (0)1993 885897 Email: charlie.greenaway at btinet.bt.com | Web: www.btinet.bt.com This e-mail contains BT iNet information, which may be privileged or confidential. It's meant only for use by the individual(s) or entity named above.
If you are not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you have received this e-mail in error, please let me know immediately on the e-mail address above. Thank you. We monitor our e-mail system, and may record your e-mails. BT iNet is a trading name of BT Convergent Solutions Limited Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 3238603 From gsgranados at comcast.net Mon Nov 23 12:24:03 2009 From: gsgranados at comcast.net (Scott Granados) Date: Mon, 23 Nov 2009 09:24:03 -0800 Subject: [c-nsp] Anyone seeing excessive shipping delays on ASR1006 and References: <7EA99F102607DF43BDF25CC68475008704622213@lhmail.btinet.local> Message-ID: <007c01ca6c61$c7ecc190$2608120a@am.thmulti.com> We've seen delays as well. I know some of the used hardware providers are having a spike in business because Cisco isn't able to fill some orders in a decent time period. ----- Original Message ----- From: "Charlie Greenaway" To: Cc: Sent: Monday, November 23, 2009 9:13 AM Subject: [c-nsp] Anyone seeing excessive shipping delays on ASR1006 and Hi Jeremy, Yes, we have experienced some delays. This is something you will have to take up with your Cisco account team. Best regards, Charlie G Charlie Greenaway - CCIE#11226 (Security/R&S) Solutions Architect | BT iNet | Tel: +44 (0)1993 885897 Email: charlie.greenaway at btinet.bt.com | Web: www.btinet.bt.com This e-mail contains BT iNet information, which may be privileged or confidential. It's meant only for use by the individual(s) or entity named above. If you are not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you have received this e-mail in error, please let me know immediately on the e-mail address above. Thank you. We monitor our e-mail system, and may record your e-mails. 
BT iNet is a trading name of BT Convergent Solutions Limited Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 3238603 _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jmplank at gmail.com Mon Nov 23 12:24:40 2009 From: jmplank at gmail.com (Jason Plank) Date: Mon, 23 Nov 2009 12:24:40 -0500 Subject: [c-nsp] Anyone seeing excessive shipping delays on ASR1006 and Catalyst 4500 series equipment? In-Reply-To: <336105772.29311258990739959.JavaMail.root@zmail.mojohost.com> References: <562333522.29291258990633916.JavaMail.root@zmail.mojohost.com> <336105772.29311258990739959.JavaMail.root@zmail.mojohost.com> Message-ID: We have seen the same type of delays. Make enough noise and assuming you are "important" enough it may help you. On Mon, Nov 23, 2009 at 10:39 AM, Jeremy Reid wrote: > Hey Group, > > Has anyone recently been seeing unusual/extended delivery dates being provided on Cisco ASR1000 series or Catalyst 4500 gear? We've had some sizable orders in place since July and we keep getting the ship date extended out each time it approaches. Currently, shipping estimates are out yet another month, bringing this to a 4-5 month wait (should the latest estimate actually come in when promised). > > I know the ASR line is relatively new, but the 45K is a 'commodity' product at this point, so we were not expecting these kind of lead times and now have several projects in jepoardy as a result. > > The word we are getting from our VAR and Cisco directly is that they had spun down some manufacturing plants based on the economic downturn and its taking them some time to ramp things back up to satify a stronger than expected order cycle. While I guess this sounds plausible, I have no real way of knowing if its just a line or not. 
> > My question for the group is, has anyone recently received any new ASR1000 or Catalyst 4500 series equipment, and if so, how long was your wait? Anyone have items on order and receiving word that it will take longer than usual to ship? > > Feedback is very appreciated. > > Thanks, > > -Jeremy > > > -- > > Jeremy Reid > Network Engineer, MojoHost > -- -- Jason Plank (CCIE #16560)

From Pawel_Sikora at netia.pl Mon Nov 23 11:48:32 2009 From: Pawel_Sikora at netia.pl (Pawel Sikora) Date: Mon, 23 Nov 2009 17:48:32 +0100 Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: <4B0AB2BC.1080304@imperial.ac.uk> Message-ID: Gert Doering wrote: >An interesting wrinkle (to some) is that stock flow control is not QoS >(i.e. 802.1p codepoint) aware - it's all-or-nothing, meaning your >low-bandwidth diffserv/EF flow gets paused as well as your less-than >best-effort 999.9mbit/sec FTP transfer :o( >There's a flow control extension somewhere for per-802.1p flow control, >but I can't find the references for this.
Not so distant idea, Nexus 5000 supports it afaik: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-542809.html Pawel/

From asturluismi at gmail.com Mon Nov 23 13:08:16 2009 From: asturluismi at gmail.com (luismi) Date: Mon, 23 Nov 2009 19:08:16 +0100 Subject: [c-nsp] reverse path filtering doesn't seem to work In-Reply-To: <4B06A3D5.3070507@tiedyenetworks.com> References: <4B06A3D5.3070507@tiedyenetworks.com> Message-ID: <1258999696.5367.13.camel@hal9000> try "debug ip cef drops verify" and "debug ip cef drops suppressed-verify" so you can see what is going on inside the router with urpf On Fri, 20-11-2009 at 06:12 -0800, Mike wrote: > above static route should be enough to tell 'ip verify' to > allow x.x.74.0/29 as a source on this interface. Does anyone know > what > the deal might be? > >

From jihodges at zcorum.com Mon Nov 23 13:40:15 2009 From: jihodges at zcorum.com (Jimmy Hodges) Date: Mon, 23 Nov 2009 13:40:15 -0500 Subject: [c-nsp] IPv6 NAT-PT IOS image Message-ID: <4B0AD70F.4010909@zcorum.com> Team, What Cisco IOS version is capable of running IPv6 NAT-PT and creating IPv6 ACLs on a 7204 VXR? So far I've tried both of the following but neither supports both functions. Thanks again for your time.
ADVANCED ENTERPRISE SERVICES c7200-adventerprisek9-mz.124-24.T1.bin Release Date: 23/Jun/2009 Size: 43985.34 KB (45040980 bytes) Minimum Memory: DRAM:512 MB Flash:64 MB UPGRADE FROM 3.0 TO 4.0 (3DES) c7200-g6ik9s-mz.124-25b.bin Release Date: 14/Aug/2009 Size: 28053.70 KB (28726980 bytes) Minimum Memory: DRAM:512 MB Flash:48 MB -- Jimmy Hodges Network Design Engineer ZCorum ISP Alliance jihodges at zcorum.com From b.turnbow at twt.it Mon Nov 23 12:50:35 2009 From: b.turnbow at twt.it (Brian Turnbow) Date: Mon, 23 Nov 2009 18:50:35 +0100 Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: <4B0AB2BC.1080304@imperial.ac.uk> References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us><20091123154826.GY163@greenie.muc.de> <4B0AB2BC.1080304@imperial.ac.uk> Message-ID: -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers Sent: luned? 23 novembre 2009 17.05 To: Gert Doering Cc: Matthew Melbourne; cisco-nsp at puck.nether.net; Ross Vandegrift Subject: Re: [c-nsp] Flow Control and 10GE interfaces Gert Doering wrote: > Hi, > > On Mon, Nov 23, 2009 at 08:41:58AM -0500, Ross Vandegrift wrote: >> The answer is very simple: if someone thinks that ethernet flow >> control is the answer, the burden of proof is on them to answer >> difficult questions about what the actual problem is, what flow >> control is going to solve, and why they think that it won't cause more >> problems than its worth. At best it does nothing, realistically it >> interferes with TCP flow control, and at worst it pauses your storage >> and breaks every client. > > I tend to disagree with this statement in this broadness. We've seen > problems where lack of flow control combined with a switch with too-tiny > buffers and bursty ingress traffic led to buffer overflow on egress, and > packet loss. 
If the switch would use flow control here to space the > ingress traffic better (that is: stop and restart the flow for milliseconds > at a time), packet loss would be avoidable. > > Of course, this can indeed fire backwards - as in: one egress port is > way overloaded, and flow control spreads the pain from there to all other > egress ports served by the ingress port in question. > > So indeed, flow control is not a panacea. I agree with this :-) >An interesting wrinkle (to some) is that stock flow control is not QoS >(i.e. 802.1p codepoint) aware - it's all-or-nothing, meaning your >low-bandwidth diffserv/EF flow gets paused as well as your less-then >best-effort 999.9mbit/sec FTP transfer :o( >There's a flow control extension somewhere for per-802.1p flow control, >but I can't find the references for this. The nexus family does PFC (no it's not a card, they reused the acronym) http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-542809.html Basically enables sending a pause per class. They did it for FCOE and it is proprietary , the white paper has the standard mumbo jumbo about how it is becoming a standard and everyone is adapting cisco's proposal.. Brian >QoS seems to have gone out of fashion however, so whether this is >relevant is another matter ;o) _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From clinton at scripty.com Mon Nov 23 14:15:59 2009 From: clinton at scripty.com (Clinton Work) Date: Mon, 23 Nov 2009 12:15:59 -0700 Subject: [c-nsp] Spanning tree limits on 4500 In-Reply-To: <7d490c2d0911190328w4358a920m4ffb888a37fc6a79@mail.gmail.com> References: <7d490c2d0911190328w4358a920m4ffb888a37fc6a79@mail.gmail.com> Message-ID: <4B0ADF6F.8070207@scripty.com> The Catalyst 4500 supports 3000 logical instances with the SupV from what I was able to find. 
With MST, the capacity is further increased: MST logical instances = access ports + ( trunk ports * MST instances) John Wilkes wrote: > What are the limits for spanning tree on Cisco 4500? I'm interested > both in MST and PVST+. > > Is it a set "STP instances" like normal switches, or virtual/logical > ports like 6500? And what are the numbers? Any funky commands to > check? > > I searched the archives but couldn't find anything on 4500s. >

From kgraham at industrial-marshmallow.com Mon Nov 23 13:29:24 2009 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Mon, 23 Nov 2009 10:29:24 -0800 (PST) Subject: [c-nsp] Delayed IGP default-originate? Message-ID: <850738.35733.qm@web508.biz.mail.mud.yahoo.com> Similar to Gert's question on delayed eBGP startup, is there a good way to delay IGP default-route generation? Since our DFZ routers have a 0/0 nailed down to Null0, OSPF begins generating the default right away, irrespective of BGP state (namely before the router is actually prepared to handle default-routed traffic). A delayed startup for OSPF doesn't work, since that same instance would be needed to find iBGP loopbacks. A route-map matching a "default-network" is the only thing that comes to mind, though designating a magic prefix for this seems broken. I don't believe there's a formal BGP state for "done w/ initial UPDATE churn", but presumably this is where both the eBGP-startup and IGP-default originate would ideally trigger.
From kgraham at industrial-marshmallow.com Mon Nov 23 14:40:17 2009 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Mon, 23 Nov 2009 11:40:17 -0800 (PST) Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: <20091123134158.GA1538@kallisti.us> References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> Message-ID: <411048.27362.qm@web502.biz.mail.mud.yahoo.com> > The answer is very simple: if someone thinks that ethernet flow > control is the answer, the burden of proof is on them to answer > difficult questions about what the actual problem is, what flow > control is going to solve, and why they think that it won't cause more > problems than its worth. At best it does nothing, realistically it > interferes with TCP flow control, and at worst it pauses your storage > and breaks every client. My understanding of this must be broken... If the pause frame is sent only sent when or immediately before RX buffers are exhausted, then TX queuing is triggered (hopefully only briefly before those buffers are exhausted). This would seem to trigger behavior consistent w/ a congested interface (which in fact it is, just prior to reaching line rate, as the receiver can't take it off interface buffers fast enough). Short of host-side implementation details such as one slow MSI-X queue starving others, isn't this providing exactly the congestion feedback that would be expected (queue-on-congestion, drop when queue exceeded)? From jaitken at aitken.com Mon Nov 23 14:57:19 2009 From: jaitken at aitken.com (Jeff Aitken) Date: Mon, 23 Nov 2009 19:57:19 +0000 Subject: [c-nsp] Delayed IGP default-originate? 
In-Reply-To: <850738.35733.qm@web508.biz.mail.mud.yahoo.com> References: <850738.35733.qm@web508.biz.mail.mud.yahoo.com> Message-ID: <20091123195719.GA56430@eagle.aitken.com> On Mon, Nov 23, 2009 at 10:29:24AM -0800, Kevin Graham wrote: > Similar to Gert's question on on delayed eBGP startup, is there a good way > to delay IGP default-route generation? router isis set-overload-bit on-startup wait-for-bgp router ospf max-metric router-lsa on-startup wait-for-bgp --Jeff From jaitken at aitken.com Mon Nov 23 15:14:30 2009 From: jaitken at aitken.com (Jeff Aitken) Date: Mon, 23 Nov 2009 20:14:30 +0000 Subject: [c-nsp] Delayed IGP default-originate? In-Reply-To: <20091123195719.GA56430@eagle.aitken.com> References: <850738.35733.qm@web508.biz.mail.mud.yahoo.com> <20091123195719.GA56430@eagle.aitken.com> Message-ID: <20091123201430.GB56430@eagle.aitken.com> On Mon, Nov 23, 2009 at 07:57:19PM +0000, Jeff Aitken wrote: > On Mon, Nov 23, 2009 at 10:29:24AM -0800, Kevin Graham wrote: > > Similar to Gert's question on on delayed eBGP startup, is there a good way > > to delay IGP default-route generation? > > router isis > set-overload-bit on-startup wait-for-bgp > > router ospf > max-metric router-lsa on-startup wait-for-bgp > Oops, hit 's' instead of 'e'. I meant to add: these commands do something similar to what you're asking, and I think that they might what you actually want; not only do you not want to generate a default route during initial BGP convergence, you don't even want to be in the path (to a valid BGP NH) during that period, for the same reasons. Sorry, didn't mean to be extra terse. 
:-) --Jeff From justin at justinshore.com Mon Nov 23 15:19:17 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 23 Nov 2009 14:19:17 -0600 Subject: [c-nsp] New feature, can't find it documented - NTP using DNS In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FB8F13D@XMB-AMS-103.cisco.com> References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> <6E4D2678AC543844917CA081C9D6B33FB8F13D@XMB-AMS-103.cisco.com> Message-ID: <4B0AEE45.90809@justinshore.com> Oliver Boehmer (oboehmer) wrote: > I think the config doesn't honor TTL, so the implementation is rather > "basic".. Would that be basic as in it only resolves the FQDN once when the config is entered, once per boot, or possibly on a schedule later on in the lifecycle of the router? I noticed other changes between 24T1 and 24T2 that bit me this weekend when I upgraded 2 routers that are my NTP servers. First off all the NTP config that was moved way up in the config in an earlier release suddenly got moved back to where it was. Not a big deal but it makes RANCID unhappy. Second, and this is a bad problem, it removed my "ntp source " command from the config. I didn't notice until today that my NTP servers weren't syncing up right. Reviewing the RANCID diff pointed out the problem. This happened on both of the routers that I upgraded from 24T1 to 24T2. I haven't rebooted either router to see if the problem will happen after every 24T2 reboot or if it's tied to the moving around of the config between 24T1 and 24T2. My guess would be the latter, at least I hope that's the case. I've contacted TAC to report this bug. 
Justin From jared at puck.nether.net Mon Nov 23 15:36:58 2009 From: jared at puck.nether.net (Jared Mauch) Date: Mon, 23 Nov 2009 15:36:58 -0500 Subject: [c-nsp] New feature, can't find it documented - NTP using DNS In-Reply-To: <4B0AEE45.90809@justinshore.com> References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> <6E4D2678AC543844917CA081C9D6B33FB8F13D@XMB-AMS-103.cisco.com> <4B0AEE45.90809@justinshore.com> Message-ID: On Nov 23, 2009, at 3:19 PM, Justin Shore wrote: > I noticed other changes between 24T1 and 24T2 that bit me this weekend when I upgraded 2 routers that are my NTP servers. First off all the NTP config that was moved way up in the config in an earlier release suddenly got moved back to where it was. Not a big deal but it makes RANCID unhappy. Second, and this is a bad problem, it removed my "ntp source " command from the config. I didn't notice until today that my NTP servers weren't syncing up right. Reviewing the RANCID diff pointed out the problem. > > This happened on both of the routers that I upgraded from 24T1 to 24T2. I haven't rebooted either router to see if the problem will happen after every 24T2 reboot or if it's tied to the moving around of the config between 24T1 and 24T2. My guess would be the latter, at least I hope that's the case. I've contacted TAC to report this bug. Cisco does not have a coherent config order that will be output. This is something people need to continue to repeat to Cisco that this stuff actually matters. The folks that do testing of software rarely perform anything from a non-console connection. This has implications on the ability for them to watch and control this. People don't understand that moving lines of code have real-world implication on diff based utilities used to manage routers. 
*sigh* - Jared

From gert at greenie.muc.de Mon Nov 23 16:28:51 2009 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 23 Nov 2009 22:28:51 +0100 Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: <411048.27362.qm@web502.biz.mail.mud.yahoo.com> References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> <411048.27362.qm@web502.biz.mail.mud.yahoo.com> Message-ID: <20091123212851.GB163@greenie.muc.de> Hi, On Mon, Nov 23, 2009 at 11:40:17AM -0800, Kevin Graham wrote: > Short of host-side implementation details such as one slow MSI-X queue > starving others, isn't this providing exactly the congestion feedback > that would be expected (queue-on-congestion, drop when queue > exceeded)? so you have one ingress port ("the NAS"), 20 egress ports ("the clients"). Egress port 1 fills up. What are you going to do? Flow-control (-> slow down 19 other ports) or drop? (For "3 ingress ports, 1 egress ports, bursty traffic that doesn't exceed the egress port speed *on average*", the answer is different) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From spank_daddy at live.com Mon Nov 23 16:20:17 2009 From: spank_daddy at live.com (loui leaky) Date: Mon, 23 Nov 2009 13:20:17 -0800 Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL) Message-ID: I am building out a new datacenter. The edge is going to consist of 2 routers. Each device has a 10G interface connected to a different provider with a 1-2G commit. I think, comparing price and throughput, I'd be better off using 7606/RSP720-3CXL/WS-X6708-10GE vs ASR1004 with 10G-SRs (that cisco rep promises will be supported in code rev before end of year).
For some reason Cisco guys seem to be pushing the ASR. I'd love to go with it to learn something new but 1004 is limited to 20GB throughput while the 7606 should be able to handle in the hundreds if we should ever need it. I read through the archives of the list and people have some strong opinions against the 7606, especially regarding netflow exports, but maybe that was related to SUP720 issues. I do not plan to offer any services at the edge of my network. Can anyone offer some opinions based on their experience? Thanks, Joel

From gert at greenie.muc.de Mon Nov 23 16:54:39 2009 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 23 Nov 2009 22:54:39 +0100 Subject: [c-nsp] delay eBGP sessions on startup? In-Reply-To: <20091123081025.GV163@greenie.muc.de> References: <20091123074656.GU163@greenie.muc.de> <20091123081025.GV163@greenie.muc.de> Message-ID: <20091123215439.GC163@greenie.muc.de> Hi, On Mon, Nov 23, 2009 at 09:10:25AM +0100, Gert Doering wrote: > "bgp update-delay " [..] > Will test, and report. Well, the default indeed *is* 120 (if set to 120, it won't show up in the running-config, if set to 121 or 119, it will) - and it doesn't seem to do what I had hoped for. That is: after a reboot, the eBGP session still comes up right away, and the aggregate prefix is announced a few seconds later, causing temporary blackholing if the iBGP routes are not there yet. There is a certain race component to it - IOS doesn't seem to bring up the eBGP sessions "right away", but the exact timing depends a bit on the external neighbor behaviour - if the neighbor wants a session as soon as the link comes up, IOS will grant it (and feed the prefix), but it won't initiate the session immediately. Doesn't really solve the problem, but makes reproducing more tricky.
*Especially* since every reboot on this box takes 10 minutes... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From kgraham at industrial-marshmallow.com Mon Nov 23 16:57:17 2009 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Mon, 23 Nov 2009 13:57:17 -0800 (PST) Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: <20091123212851.GB163@greenie.muc.de> References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> <411048.27362.qm@web502.biz.mail.mud.yahoo.com> <20091123212851.GB163@greenie.muc.de> Message-ID: <236788.43984.qm@web501.biz.mail.mud.yahoo.com> > so you have one ingress port ("the NAS"), 20 egress ports ("the clients"). > > Egress port 1 fills up. > > What are you going to do? Flow-control (-> slow down 19 other ports) > or drop? Agreed, egress queuing and "flowcontrol send" seems logically flawed, but the NAS case I see cited is "flowcontrol receive" on the switch side. In this case, egress port pauses, backs up, and further traffic to it drops -- there's no reason I can see for this have any impact to other ports. In an edge-device (NAS, server, whatever) it seems far more likely that the -host- is what needs the pause (flowcontrol receive), not the switch (flowcontrol send). From gert at greenie.muc.de Mon Nov 23 16:58:19 2009 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 23 Nov 2009 22:58:19 +0100 Subject: [c-nsp] Delayed IGP default-originate? 
In-Reply-To: <850738.35733.qm@web508.biz.mail.mud.yahoo.com> References: <850738.35733.qm@web508.biz.mail.mud.yahoo.com> Message-ID: <20091123215819.GD163@greenie.muc.de> Hi, On Mon, Nov 23, 2009 at 10:29:24AM -0800, Kevin Graham wrote: > Similar to Gert's question on on delayed eBGP startup, is there a good way > to delay IGP default-route generation? I'm not sure if it helps for the "default-route" case, but you could try "max-metric router-lsa on-startup 300" (under "router ospf ..."). This is similar to the ISIS overload bit - for the first 300 seconds, OSPF will announce bad metrics, so that no other router will voluntarily pick a path through the newly-booted router (if another path exists). Loopbacks work, since there is no other path. But as I said, I'm not sure if that works for default-route origination as well. gert PS: this is one of my *other* problems - we use EIGRP for "carry loopback" (which has much nicer fast-convergence properties than OSPF and ISIS built right in...), and it has no similar mechanism, as far as I know. *grumble at Cisco*. -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From kgraham at industrial-marshmallow.com Mon Nov 23 17:04:32 2009 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Mon, 23 Nov 2009 14:04:32 -0800 (PST) Subject: [c-nsp] Delayed IGP default-originate? In-Reply-To: <20091123201430.GB56430@eagle.aitken.com> References: <850738.35733.qm@web508.biz.mail.mud.yahoo.com> <20091123195719.GA56430@eagle.aitken.com> <20091123201430.GB56430@eagle.aitken.com> Message-ID: <336880.20285.qm@web503.biz.mail.mud.yahoo.com> > > router ospf > > max-metric router-lsa on-startup wait-for-bgp [...] 
> not only do you not want to generate a default route during initial BGP > convergence, you don't even want to be in the path (to a valid BGP NH) during > that period, for the same reasons. Yep, looks like that's it, thanks! Still leaving the LSA there as those LSA's are still candidates in the event nothing else is available is more elegant than I'd hoped for. (Should have read the 'delay eBGP sessions' thread more closely...) From david at hughes.com.au Mon Nov 23 17:25:45 2009 From: david at hughes.com.au (David Hughes) Date: Tue, 24 Nov 2009 08:25:45 +1000 Subject: [c-nsp] delay eBGP sessions on startup? In-Reply-To: <20091123074656.GU163@greenie.muc.de> References: <20091123074656.GU163@greenie.muc.de> Message-ID: Hi Gert, On 23/11/2009, at 5:46 PM, Gert Doering wrote: > both ISP-Routers announce the ISP's aggregate (let's call it 200.1.0.0/16) > to their respective upstream providers (static route to null0, "network" > statement). This needs to be done, to make sure that the aggregate is > always visible, even if one of the routers is down. So you are generating the aggregate at the border? That can certainly leave you black holing traffic under several scenarios (anything that isolates that router). Have you thought about generating the aggregate within your network and propagating it via iBGP. At least the border can't advertise it upstream instantaneously as it won't know about it until iBGP is up. So either a static to NULL0 on a pair of core box somewhere or even an aggregate address statement on the border could help you here. Both should delay the advertisement of the aggregate upstream but I don't know if the timing of the advertisement would be deterministic. You could still have the same issue just for a shorter period. David ... 
From David at Hughes.com.au Mon Nov 23 17:30:55 2009 From: David at Hughes.com.au (David Hughes) Date: Tue, 24 Nov 2009 08:30:55 +1000 Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us><20091123154826.GY163@greenie.muc.de> <4B0AB2BC.1080304@imperial.ac.uk> Message-ID: <4AF358C0-7830-4FBA-9AA6-CA8BBF66BC08@Hughes.com.au> On 24/11/2009, at 3:50 AM, Brian Turnbow wrote: > The nexus family does PFC (no it's not a card, they reused the acronym) > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-542809.html > Basically enables sending a pause per class. > They did it for FCOE and it is proprietary, the white paper has the standard mumbo jumbo about > how it is becoming a standard and everyone is adapting cisco's proposal.. That info is a little dated. Sure, in "Datacentre Ethernet" days when Cisco were out there alone doing this stuff then yeah, it was proprietary. Now that's not the case. It all comes under the CEE banner (Converged Enhanced Ethernet) and is being formalised by the IEEE as Data Centre Bridging. In particular you'd be interested in the following standards: 802.1Qbb (priority based flow control) 802.1Qau (congestion notification) See http://www.ieee802.org/1/pages/dcbridges.html for all the gory details. But, in Cisco kit, only Nexus does it. There are other vendors (Brocade / Foundry for example) that can support it and even folk like BNT are making noises. Could be light at the end of the tunnel. David ...
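As an added example for this thread (it is not code from any of the posters above), here are the two frame formats the discussion contrasts, built and parsed in Python: the 802.3x PAUSE frame Phil describes as all-or-nothing, and the 802.1Qbb PFC frame David points to, which carries one timer per 802.1p priority. Frame layouts are taken from IEEE 802.3 Annex 31B and IEEE 802.1Qbb; the source MAC, the pause values and the choice of priority 5 for the EF class are constructed assumptions for the demo.

```python
"""802.3x PAUSE vs. 802.1Qbb PFC: build and parse MAC Control frames.

Added example for the flow-control thread, not code from any poster.
The source MAC, pause values and EF priority below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

MAC_CONTROL_DST = bytes.fromhex("0180c2000001")  # reserved group address, not forwarded by bridges
ETHERTYPE_MAC_CONTROL = 0x8808
OPCODE_PAUSE = 0x0001      # 802.3x: one timer, stops everything on the link
OPCODE_PFC = 0x0101        # 802.1Qbb: eight timers, one per 802.1p priority
MIN_FRAME_LEN = 60         # minimum Ethernet frame length without FCS
PAUSE_QUANTUM_BITS = 512   # pause_time counts units of 512 bit times


@dataclass
class FlowControl:
    kind: str                 # "PAUSE" or "PFC"
    paused: Dict[int, int]    # priority -> pause time in quanta (0 means resume)


def _header(src_mac: bytes) -> bytes:
    if len(src_mac) != 6:
        raise ValueError("source MAC must be 6 bytes")
    return MAC_CONTROL_DST + src_mac + struct.pack("!H", ETHERTYPE_MAC_CONTROL)


def _pad(frame: bytes) -> bytes:
    return frame + b"\x00" * max(0, MIN_FRAME_LEN - len(frame))


def build_pause(src_mac: bytes, quanta: int) -> bytes:
    """802.3x PAUSE: the whole link stops for `quanta`, EF traffic included."""
    if not 0 <= quanta <= 0xFFFF:
        raise ValueError("pause_time is a 16-bit field")
    return _pad(_header(src_mac) + struct.pack("!HH", OPCODE_PAUSE, quanta))


def build_pfc(src_mac: bytes, per_priority: Dict[int, int]) -> bytes:
    """802.1Qbb PFC: pause only the priorities listed; the rest keep flowing."""
    vector, times = 0, [0] * 8
    for prio, quanta in per_priority.items():
        if not 0 <= prio <= 7 or not 0 <= quanta <= 0xFFFF:
            raise ValueError("priority must be 0-7 and time a 16-bit value")
        vector |= 1 << prio        # e[n] is bit n of the low octet of the enable vector
        times[prio] = quanta
    body = struct.pack("!HH8H", OPCODE_PFC, vector, *times)
    return _pad(_header(src_mac) + body)


def parse_mac_control(frame: bytes) -> Optional[FlowControl]:
    """Return what a frame pauses, or None if it is not a PAUSE/PFC frame."""
    if len(frame) < 18:
        return None
    ethertype, opcode = struct.unpack("!HH", frame[12:16])
    if ethertype != ETHERTYPE_MAC_CONTROL:
        return None
    if opcode == OPCODE_PAUSE:
        (quanta,) = struct.unpack("!H", frame[16:18])
        # No per-class field exists: every priority receives the same timer.
        return FlowControl("PAUSE", {p: quanta for p in range(8)})
    if opcode == OPCODE_PFC and len(frame) >= 34:
        vector, *times = struct.unpack("!H8H", frame[16:34])
        return FlowControl("PFC", {p: times[p] for p in range(8) if vector >> p & 1})
    return None


def is_paused(fc: FlowControl, priority: int) -> bool:
    return fc.paused.get(priority, 0) > 0


def quanta_to_seconds(quanta: int, link_bps: int) -> float:
    return quanta * PAUSE_QUANTUM_BITS / link_bps


if __name__ == "__main__":
    src = bytes.fromhex("001122334455")   # constructed source MAC
    EF = 5                                 # assumption: EF is carried at 802.1p priority 5
    pause = parse_mac_control(build_pause(src, 0xFFFF))
    pfc = parse_mac_control(build_pfc(src, {0: 0xFFFF, 1: 0xFFFF}))
    print("PAUSE stalls EF:", is_paused(pause, EF))   # True
    print("PFC stalls EF:  ", is_paused(pfc, EF))     # False
    print("max PAUSE at 10GE: %.2f ms" % (quanta_to_seconds(0xFFFF, 10_000_000_000) * 1e3))
```

The PAUSE branch of the parser is the wrinkle Phil describes: the frame has nowhere to say which class to exempt, so a receiver that honours it stops its EF queue along with the FTP transfer. Note also that the frame is addressed to a reserved group MAC and carries no authentication; any station on the link that can source one can hold the port for up to 65535 quanta per frame (about 3.4 ms at 10GE, 33.6 ms at 1GE), which is one more reason to leave flow control off on ports facing hosts you do not control.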
From nick at inex.ie Mon Nov 23 16:54:09 2009 From: nick at inex.ie (Nick Hilliard) Date: Mon, 23 Nov 2009 21:54:09 +0000 Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: <20091123212851.GB163@greenie.muc.de> References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> <411048.27362.qm@web502.biz.mail.mud.yahoo.com> <20091123212851.GB163@greenie.muc.de> Message-ID: <4B0B0481.90006@inex.ie> On 23/11/2009 21:28, Gert Doering wrote: > What are you going to do? Flow-control (-> slow down 19 other ports) > or drop? The answer to this depends on the application. If you're running regular IP then yes, drop a few packets. No-one will care too much. FCoE is a different matter and dropped packets are an extremely serious problem, and in this case it would seem more useful to exercise flow control and stuff up the transfers of a bunch of other clients in order not to drop anything for the one. FCoE is not IP. Don't confuse them. Nick From bill at ethernext.com Mon Nov 23 19:03:07 2009 From: bill at ethernext.com (Bill Desjardins) Date: Mon, 23 Nov 2009 19:03:07 -0500 Subject: [c-nsp] delay eBGP sessions on startup? In-Reply-To: References: <20091123074656.GU163@greenie.muc.de> Message-ID: Hi Gert, just an idea. I have not tried this and it may also not fit your application... this is on sup2's (SXF17) in my tiny network I have several route reflectors which handle only my customer assignments. nice and small for ibgp convergence. the idea is that the border routers peer with the ibgp RR's and use a bgp conditional statement to advertise your aggregate upstream only upon matching a 'trigger route' received from the ibgp RR. I am no bgp expert and am unsure if the received routes are sorted or not, but if so, you could add a max IPv4 address like 254.254.254.254/32 to place it at the end of the received update. if the updates are not reliably sorted, this is probably all for naught though. 
then with a bgp conditional such as: neighbor x.x.x.x advertise-map EBGPOUT exist-map IBGPDONE you would only advertise out after your IBGP session is near end at least giving you the best chance to avoid blackholes. you should also have solid reliability to multiple RR's to keep it stable. granted a knob would be nice, but at least this method can be centralized and uses commands meant to do this anyway. all you're doing is adding an internal 'trigger route' to signify ibgp is about done so send out ebgp advertisements when ya get a chance :) Bill From mtinka at globaltransit.net Mon Nov 23 19:58:27 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 24 Nov 2009 08:58:27 +0800 Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL) In-Reply-To: References: Message-ID: <200911240858.32505.mtinka@globaltransit.net> On Tuesday 24 November 2009 05:20:17 am loui leaky wrote: > I read through the archives of the list and people have > some strong opinions against the 7606, especially > regarding netflow exports, but maybe that was related to > SUP720 issues. I do not plan to offer any services at > the edge of my network. Our only concern with the current EARL in the RSP720 and SUP720 is that it has a number of feature limitations that we've become accustomed to on the 7200 platform, but are supported on the ESP on the ASR1000 platform. Hopefully, the next EARL will resolve these issues, but who knows what other limitations it may have, when they may be resolved, or if support will come both to the 6500 and 7600, or just one of these? Suffice it to say, the ASR1000 provides some decent support for non-Ethernet interfaces as well, without the need to purchase extra SIP modules that you'd need in a 7600, should you require such interfaces in there. Just our view. Cheers, Mark. 
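The two suggestions made earlier in this thread, David's (originate the aggregate on a core / route-reflector box so that a border router only learns it over iBGP) and Bill's (gate the upstream announcement on a 'trigger route' with advertise-map / exist-map), put together as one IOS configuration. This is an added example and not configuration from either post: the ASNs (65000 local, 64496 upstream), the loopback and upstream addresses, the map and prefix-list names, and the trigger prefix 192.0.2.1/32 (documentation space, standing in for Bill's 254.254.254.254/32) are all assumptions.

```ios
! --- Core / route reflector (example only; AS 65000, Loopback0 = 10.0.0.2) ---
! The aggregate and the trigger /32 are originated only here, so a border
! router can only learn them once its iBGP session to this box is up and
! has delivered them.
ip route 200.1.0.0 255.255.0.0 Null0
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 bgp log-neighbor-changes
 network 200.1.0.0 mask 255.255.0.0
 network 192.0.2.1 mask 255.255.255.255
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 route-reflector-client
!
! --- Border router (example only; Loopback0 = 10.0.0.1, upstream AS 64496) ---
! Deliberately no local "network 200.1.0.0": the aggregate is only ever
! learned via iBGP, and it is only sent upstream while the trigger /32
! is present in the local BGP table.
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 route-map UPSTREAM-OUT out
 neighbor 203.0.113.1 advertise-map EBGPOUT exist-map IBGPDONE
!
ip prefix-list AGGREGATE seq 5 permit 200.1.0.0/16
ip prefix-list TRIGGER seq 5 permit 192.0.2.1/32
!
! Outbound policy: nothing but the aggregate ever leaves towards the
! upstream (the trigger /32 and internal routes are filtered here).
route-map UPSTREAM-OUT permit 10
 match ip address prefix-list AGGREGATE
!
! advertise-map: the prefixes whose announcement is conditional
route-map EBGPOUT permit 10
 match ip address prefix-list AGGREGATE
!
! exist-map: the condition; announce only while the trigger /32 exists
route-map IBGPDONE permit 10
 match ip address prefix-list TRIGGER
```

On the border, `show ip bgp neighbors 203.0.113.1 | include Condition-map` reports the condition state (Advertise or Withdraw), and `show ip bgp neighbors 203.0.113.1 advertised-routes` confirms that 200.1.0.0/16 appears only once the trigger /32 has arrived over iBGP; the outbound route-map and the advertise-map are evaluated independently, so the aggregate has to pass both. The caveat Gert raises later in the thread applies unchanged: if the box originating the trigger is unreachable, the border never announces the aggregate at all, so the origination has to be duplicated on at least two core boxes before this is an improvement on a static at the border.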
From ivan_poddubnyy at symantec.com Mon Nov 23 20:57:04 2009 From: ivan_poddubnyy at symantec.com (Ivan Poddubnyy) Date: Mon, 23 Nov 2009 17:57:04 -0800 Subject: [c-nsp] Need help with policy-based firewall (IOS 12.4T) Message-ID: Hi, I have two 2821 routers with policy-based firewall configured on them. There's an IPSec GRE tunnel configured between the routers. The problem is traffic can't pass through the tunnel (even though the tunnel is established). Here is a message from the logs: =========== Nov 23 17:36:43 10.0.80.252 24385: rtr02.sj: [syslog at 9 s_sn="22618" s_id="rtr02.sj:514" s_tc="1309483" s_dc="28318"]: 033999: .Nov 23 17:36:42.608 PST: %FW-6-DROP_PKT: Dropping Unknown-l4 session 207.211.80.190:0 143.127.138.34:0 on zone-pair sdm-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0 =========== Router-A has IP address 207.211.80.190 Router-B has IP address 143.127.138.34 At the same time, I see messages like this in the logs: ============ Nov 23 17:45:01 10.0.80.252 24410: rtr02.sj: [syslog at 9 s_sn="22643" s_id="rtr02.sj:514" s_tc="1309542" s_dc="28318"]: 034024: .Nov 23 17:45:00.681 PST: %FW-6-PASS_PKT: (target:class)-(sdm-zp-out-self:sdmgre) Passing Unknown-l4 pkt 143.127.138.34:0 => 207.211.80.190:0 with ip ident 0 ============ Now, parts of the config from router-A (router-B is a mirror image of router-A): ------------- rtr02.sj#show runn | sec zone zone-pair security sdm-zp-out-self source out-zone destination self service-policy type inspect sdm-permit ------------- rtr02.sj#show runn | sec policy-map policy-map type inspect sdm-permit class type inspect sdmgre pass log class type inspect SDM_VPN pass log class type inspect sdmself pass log class class-default drop log ------------- rtr02.sj#show runn | sec class-map class-map type inspect match-all sdmgre match access-group 101 class-map type inspect match-all SDM_VPN match access-group name SDM_VPN ------------- rtr02.sj#show access-lists 101 Extended IP 
access list 101 10 permit ip host 143.127.138.34 any (1132063 matches) 20 permit gre host 143.127.138.34 any 30 permit esp host 143.127.138.34 any 40 permit ahp host 143.127.138.34 any 50 permit udp host 143.127.138.34 eq isakmp any -------------- rtr02.sj#show access-lists SDM_VPN Extended IP access list SDM_VPN 10 permit gre any any 20 permit ahp any any 30 permit esp any any -------------- So, the DROP log message above is generated by this part of the config from policy-map: class class-default drop log At the same time, policy passes some traffic as can be seen from the second log message. And if I replace 'drop' with 'pass' in 'class-default' everything works fine. For obvious reasons I don't want to do it. My first question is, what is 'ip ident 0'? My second question is, why is router-A skipping (for the most part) ACLs 101 and SDM_VPN and hitting 'class-default' when traffic is coming from router-B? Any help is appreciated! Thank you! --ivan From mtinka at globaltransit.net Mon Nov 23 21:38:02 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 24 Nov 2009 10:38:02 +0800 Subject: [c-nsp] New feature, can't find it documented - NTP using DNS In-Reply-To: References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> <4B0AEE45.90809@justinshore.com> Message-ID: <200911241038.07039.mtinka@globaltransit.net> On Tuesday 24 November 2009 04:36:58 am Jared Mauch wrote: > Cisco does not have a coherent config order that will be > output. Like when we moved from SRC3 to SRC5 earlier this month, RANCID reported minor but strange changes to the configuration order, e.g., the 'police' command under a policy-map has been given one extra indent. 
This looks very weird if you also have a 'set mpls experimental' command right above it because it now looks like the 'police' command is a sub-command of the 'set mpls experimental' command: policy-map XXX-XXX-XXX-60Mbps description XXX XXX XXX class XXX-XXX-XXX set dscp 63 set mpls experimental imposition 0 police cir 60000000 bc 11250000 be 22500000 conform-action transmit exceed-action drop violate-action drop Previously, as in the case of moving from SXH3 to SXI2a also, IPv6 static routing and ACL commands keep moving up and down the configuration. I wouldn't be surprised if this has been noticed and gets fixed in SRC6 or later, and then we have RANCID crying all over again. Mark. From mtinka at globaltransit.net Mon Nov 23 22:02:47 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 24 Nov 2009 11:02:47 +0800 Subject: [c-nsp] delay eBGP sessions on startup? In-Reply-To: References: <20091123074656.GU163@greenie.muc.de> Message-ID: <200911241102.48298.mtinka@globaltransit.net> On Tuesday 24 November 2009 06:25:45 am David Hughes wrote: > So you are generating the aggregate at the border? That > can certainly leave you black holing traffic under > several scenarios (anything that isolates that router). > Have you thought about generating the aggregate within > your network and propagating it via iBGP. At least the > border can't advertise it upstream instantaneously as it > won't know about it until iBGP is up. Reading through this thread since yesterday, this is also one of the first things I'd recommend be done. In our case, our route reflectors generate our aggregates. All other peering routers simply pass them on if they receive them from the route reflectors via iBGP. 
Particularly useful if you have a peering router that was generating your aggregate at an exchange point, but suddenly lost its backhaul to your core, and along with it, its iBGP session. Not that I'm recommending it, but one of the unintended benefits we've seen of running a BGP-free core (for IPv4, that is) is that given how long core boxes take to boot, and how slow they may sometimes be in fully converging their BGP tables (while potentially blackholing traffic in the process, hence the little useful knobs in OSPF and IS-IS), not having to run BGP in the core means only edge routers are affected by a system restart. This would limit outages to a smaller part of the network than if a core router were restarting. Mark. From justin at justinshore.com Mon Nov 23 22:43:11 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 23 Nov 2009 21:43:11 -0600 Subject: [c-nsp] New feature, can't find it documented - NTP using DNS In-Reply-To: References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> <6E4D2678AC543844917CA081C9D6B33FB8F13D@XMB-AMS-103.cisco.com> <4B0AEE45.90809@justinshore.com> Message-ID: <4B0B564F.1010100@justinshore.com> Jared Mauch wrote: > On Nov 23, 2009, at 3:19 PM, Justin Shore wrote: > >> I noticed other changes between 24T1 and 24T2 that bit me this weekend when I upgraded 2 routers that are my NTP servers. First off, all the NTP config that was moved way up in the config in an earlier release suddenly got moved back to where it was. Not a big deal but it makes RANCID unhappy. Second, and this is a bad problem, it removed my "ntp source " command from the config. I didn't notice until today that my NTP servers weren't syncing up right. Reviewing the RANCID diff pointed out the problem. 
>> >> This happened on both of the routers that I upgraded from 24T1 to 24T2. I haven't rebooted either router to see if the problem will happen after every 24T2 reboot or if it's tied to the moving around of the config between 24T1 and 24T2. My guess would be the latter, at least I hope that's the case. I've contacted TAC to report this bug. > > Cisco does not have a coherent config order that will be output. > > This is something people need to continue to repeat to Cisco that this stuff actually matters. The folks that do testing of software rarely perform anything from a non-console connection. This has implications on the ability for them to watch and control this. People don't understand that moving lines of code have real-world implications on diff based utilities used to manage routers. Yeah, I've noticed config lines move after code updates before too and it's really annoying. Usually it's something small like adding or removing exclamation points. Occasionally things get re-ordered. This was the first wholesale move of all related lines I've seen in a while. I talked with TAC about the problem. It took a while to get the engineer to understand the problem but I think we got there. If not I will requeue. He pointed me to a known bug: CSCsx21595. He kept saying that this problem was fixed in 24T2 and only affected 3800s. To the best of my knowledge the problem (removal of existing 'ntp source' config line) was created by 24T2. I never encountered it prior to that on any of my routers, including those running 24T and 24T1. I also experienced the problem on a 7206 (G1). Clearly this isn't isolated to just 3800s. I haven't had a chance to test it on anything else but I fully expect to see the same results on all routers I test it on. I have no reason to expect otherwise. Anyway, the problem is known. I'll give it a few days and push on it if nothing happens. 
To recreate the problem I imagine one would just need to have a basic NTP config with the ntp source interface defined as a virtual interface (the bug said it depended on that) so use an SVI or loopback. Then upgrade to 24T2. I suspect one would need to upgrade from 24T first and then upgrade to 24T2. I suspect the problem is in the parser when IOS first loads the config from the older release. I'd bet money that the startup-config was intact when I booted and that only the running-config was altered after that first boot. Justin From justin at justinshore.com Mon Nov 23 22:50:00 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 23 Nov 2009 21:50:00 -0600 Subject: [c-nsp] New feature, can't find it documented - NTP using DNS In-Reply-To: <200911241038.07039.mtinka@globaltransit.net> References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> <4B0AEE45.90809@justinshore.com> <200911241038.07039.mtinka@globaltransit.net> Message-ID: <4B0B57E8.5090308@justinshore.com> Mark Tinka wrote: > Like when we moved from SRC3 to SRC5 earlier this month, RANCID > reported minor but strange changes to the configuration order, > e.g., the 'police' command under a policy-map has been given one > extra indent. This looks very weird if you also have a 'set > mpls experimental' command right above it because it now looks like > the 'police' command is a sub-command of the 'set mpls experimental' > command: > > policy-map XXX-XXX-XXX-60Mbps > description XXX XXX XXX > class XXX-XXX-XXX > set dscp 63 > set mpls experimental imposition 0 > police cir 60000000 bc 11250000 be 22500000 conform-action transmit exceed-action drop violate-action drop > > Previously, as in the case of moving from SXH3 to SXI2a also, IPv6 > static routing and ACL commands keep moving up and down the > configuration. > > I wouldn't be surprised if this has been noticed and gets > fixed in SRC6 or later, and then we have RANCID crying all over > again. 
I forgot to mention the other non-NTP config change I noticed in 24T2. My IOS object-groups were changed. When I first created object-groups in IOS there wasn't an option to define just a single host. It was added in a later T release. To get around this I defined a range of a single IP (ie, 1.2.3.4 to 1.2.3.4). I never went back and changed them after the 'host' option was added. When I upgraded to 24T2 it changed all those range lines to host lines. Not a bad change but another unexpected one. Justin From justin at justinshore.com Mon Nov 23 22:55:29 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 23 Nov 2009 21:55:29 -0600 Subject: [c-nsp] Anyone seeing excessive shipping delays on ASR1006 and Catalyst 4500 series equipment? In-Reply-To: <336105772.29311258990739959.JavaMail.root@zmail.mojohost.com> References: <336105772.29311258990739959.JavaMail.root@zmail.mojohost.com> Message-ID: <4B0B5931.6010409@justinshore.com> Jeremy Reid wrote: > Hey Group, > > Has anyone recently been seeing unusual/extended delivery dates being provided on Cisco ASR1000 series or Catalyst 4500 gear? We've had some sizable orders in place since July and we keep getting the ship date extended out each time it approaches. Currently, shipping estimates are out yet another month, bringing this to a 4-5 month wait (should the latest estimate actually come in when promised). I have a 1002 on order. The shipping ETA was set at 2.5 months from my order date. We have to have it in hand this calendar year though. If it doesn't ship by 12/31 we're canceling it. We also ordered a 4948. It was set at nearly 4 months. Same thing with it. It either gets here in 2009 or it gets canceled. That's the downside of buying direct. There isn't a distribution buffer in the middle to stock up and deliver from stock. When you place an order for something like an ASR they give the order to manufacturing (heard this from our AM). Other items like a 4948 or ISR are filled as available. 
Call your AM and make big waves. Research other vendors' options and mention them when you call. Makes the waves a bit bigger. Good luck Justin From oboehmer at cisco.com Tue Nov 24 01:37:09 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 24 Nov 2009 07:37:09 +0100 Subject: [c-nsp] New feature, can't find it documented - NTP using DNS In-Reply-To: <4B0AEE45.90809@justinshore.com> References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> <6E4D2678AC543844917CA081C9D6B33FB8F13D@XMB-AMS-103.cisco.com> <4B0AEE45.90809@justinshore.com> Message-ID: <6E4D2678AC543844917CA081C9D6B33FBE9B09@XMB-AMS-103.cisco.com> > Oliver Boehmer (oboehmer) wrote: > > I think the config doesn't honor TTL, so the implementation is rather > > "basic".. > > Would that be basic as in it only resolves the FQDN once when the config > is entered, once per boot, or possibly on a schedule later on in the > lifecycle of the router? the name seems to be resolved every time the command is parsed, i.e. when it is entered and when the router reloads. oli From gert at greenie.muc.de Tue Nov 24 02:19:29 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 24 Nov 2009 08:19:29 +0100 Subject: [c-nsp] delay eBGP sessions on startup? In-Reply-To: References: <20091123074656.GU163@greenie.muc.de> Message-ID: <20091124071929.GE163@greenie.muc.de> Hi, On Tue, Nov 24, 2009 at 08:25:45AM +1000, David Hughes wrote: > > both ISP-Routers announce the ISP's aggregate (let's call it 200.1.0.0/16) > > to their respective upstream providers (static route to null0, "network" > > statement). This needs to be done, to make sure that the aggregate is > > always visible, even if one of the routers is down. > > So you are generating the aggregate at the border? Yes. > That can certainly leave you black holing traffic under several scenarios > (anything that isolates that router). I'm aware of that - and in this specific network scenario, this is considered "highly unlikely". 
Basically, the network really consists of two routers, which are directly interconnected (direct fiber to the next rack), and both of them are connected via 2 2xGE etherchannels to two L2 switches. So there are 5 different links between those routers - and if someone manages to break *all* of these at the same time, well, blackholing is the least of my worries. (The network is a bit more complex, but the details really don't change this statement) > Have you thought about generating the aggregate within your network and > propagating it via iBGP. At least the border can't advertise it upstream > instantaneously as it won't know about it until iBGP is up. There are no other routers that are considered "reliable enough" in this setup - everything else is stuff like "firewalls" or "3640s used as console server". > So either a static to NULL0 on a pair of core box somewhere or even > an aggregate address statement on the border could help you here. Well, the "two routers" mentioned above are "the core" and "the border routers". There *are* only these two :-) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From gert at greenie.muc.de Tue Nov 24 02:25:27 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 24 Nov 2009 08:25:27 +0100 Subject: [c-nsp] delay eBGP sessions on startup? In-Reply-To: References: <20091123074656.GU163@greenie.muc.de> Message-ID: <20091124072527.GF163@greenie.muc.de> Hi, On Mon, Nov 23, 2009 at 07:03:07PM -0500, Bill Desjardins wrote: > just an idea. I have not tried this and it may also not fit your > application... 
this is on sup2's (SXF17) > > in my tiny network I have several route reflectors which handle only > my customer assignments. nice and small for ibgp convergence. > > the idea is that the border routers peer with the ibgp RR's and use a > bgp conditional statement to advertise your aggregate upstream only > upon matching a 'trigger route' received from the ibgp RR. I am no bgp This would work, but won't do the job in our network - this network is really, really small (but has BIG requirements, as always :-) ) - so there are no other BGP routers. Given that there are only these two boxes, and neither can rely on the other one (it could be down...), waiting for a certain route to show up might be fatal - depending on what else is available, the route might just not show up ever. (I'm not sure that I would be able to convince the customer that adding two more BGP boxes and increasing the complexity of the overall configuration is a good thing...) What I'm currently leaning toward is "put all internal routes into OSPF and to hell with best practices"... much less complexity, problem still solved. The estimate is that we'll see something like 50-100 internal routes at maximum, and OSPF will quite happily handle this. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From swmike at swm.pp.se Tue Nov 24 02:49:08 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Tue, 24 Nov 2009 08:49:08 +0100 (CET) Subject: [c-nsp] for the archives regarding fuse on Cisco GSR PRP-1 Message-ID: Since googling yielded nothing, here goes one for the archives. 
If a Cisco 12000 PRP-1 displays 022A (and is otherwise dead) the cause of the problem is the small 6mm fuse near the backplane has triggered, and you either have to RMA the PRP-1 or replace the fuse. Fuse called "SMD 4A 451004" which can be found in multiple places fixed the problem for me at least. -- Mikael Abrahamsson email: swmike at swm.pp.se From joohwil at gmail.com Tue Nov 24 03:46:00 2009 From: joohwil at gmail.com (John Wilkes) Date: Tue, 24 Nov 2009 09:46:00 +0100 Subject: [c-nsp] Spanning tree limits on 4500 In-Reply-To: <4B0ADF6F.8070207@scripty.com> References: <7d490c2d0911190328w4358a920m4ffb888a37fc6a79@mail.gmail.com> <4B0ADF6F.8070207@scripty.com> Message-ID: <7d490c2d0911240046u3f7136c2q43a721d82c0d8452@mail.gmail.com> On Mon, Nov 23, 2009 at 8:15 PM, Clinton Work wrote: > The Catalyst 4500 supports 3000 logical instances with the SupV from what I > was able to find. With MST, the capacity is further increased: > > MST logical instances = access ports + ( trunk ports * MST instances) So as long as I'm under 3000 in "show spanning-tree summary total" I should be fine? Do you know of any limit to the number of simultaneous VLANs? From md at bts.sk Tue Nov 24 03:00:51 2009 From: md at bts.sk (Marian Ďurkovič) Date: Tue, 24 Nov 2009 09:00:51 +0100 Subject: [c-nsp] Flow Control and 10GE interfaces In-Reply-To: <411048.27362.qm@web502.biz.mail.mud.yahoo.com> References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> <411048.27362.qm@web502.biz.mail.mud.yahoo.com> Message-ID: <20091124072514.M84074@bts.sk> On Mon, 23 Nov 2009 11:40:17 -0800 (PST), Kevin Graham wrote > > The answer is very simple: if someone thinks that ethernet flow > > > control is the answer, the burden of proof is on them to answer > > difficult questions about what the actual problem is, what flow > > control is going to solve, and why they think that it won't cause more > > problems than its worth. 
At best it does nothing, realistically it > > interferes with TCP flow control, and at worst it pauses your storage > > and breaks every client. > > My understanding of this must be broken... If the pause frame is > only sent when or immediately before RX buffers are exhausted, then > TX queuing is triggered (hopefully only briefly before those buffers > are exhausted). This would seem to trigger behavior consistent w/ a > congested interface (which in fact it is, just prior to reaching line > rate, as the receiver can't take it off interface buffers fast enough). Yes, what you described is basically a case where the interface runs at a faster speed than the data path behind it. Some examples: oversubscribed 10GE card with only 8 Gbps bandwidth to the switch fabric or system bus, 100 Mbps ethernet interface in front of 34 Mbps microwave link. This is exactly the *only* situation, where classic flow control makes sense and does really help, since it properly triggers output queueing at the sending side when the real data-path speed is reached. Any other usage is likely to cause more problems than benefits. With kind regards, M. From bill at ethernext.com Tue Nov 24 05:05:30 2009 From: bill at ethernext.com (Bill Desjardins) Date: Tue, 24 Nov 2009 05:05:30 -0500 Subject: [c-nsp] delay eBGP sessions on startup? In-Reply-To: <20091124072527.GF163@greenie.muc.de> References: <20091123074656.GU163@greenie.muc.de> <20091124072527.GF163@greenie.muc.de> Message-ID: On Tue, Nov 24, 2009 at 2:25 AM, Gert Doering wrote: > Hi, > > On Mon, Nov 23, 2009 at 07:03:07PM -0500, Bill Desjardins wrote: >> the idea is that the border routers peer with the ibgp RR's and use a >> bgp conditional statement to advertise your aggregate upstream only >> upon matching a 'trigger route' received from the ibgp RR. 
I am no bgp > > This would work, but won't do the job in our network - this network is > really, really small (but has BIG requirements, as always :-) ) - so there > are no other BGP routers. > > Given that there are only these two boxes, and neither can rely on the > other one (it could be down...), waiting for a certain route to show > up might be fatal - depending on what else is available, the route might > just not show up ever. > > (I'm not sure that I would be able to convince the customer that adding > two more BGP boxes and increasing the complexity of the overall > configuration is a good thing...) > > > What I'm currently leaning toward is "put all internal routes into OSPF > and to hell with best practices"... much less complexity, problem > still solved. The estimate is that we'll see something like 50-100 > internal routes at maximum, and OSPF will quite happily handle this. if the only ibgp is between these 2 borders, then best ibgp practice would seem to be a bit far off anyway. ospf and be done with it. if IGP routes grow to an uncomfortable level, then you can revisit the design then. simplicity and reliability would be my first choice. > gert Bill From amsoares at netcabo.pt Tue Nov 24 06:45:52 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Tue, 24 Nov 2009 11:45:52 -0000 Subject: [c-nsp] Runts in the network Message-ID: Hello Group, I have 7200's acting as PE's and running 12.4.23 that show an abnormal number of runts. The interfaces where this can be seen are E1 channel-groups configured for frame-relay. This is the typical configuration: ! frame-relay switching ! controller E1 x/y channel-group 0 timeslots 1-31 ! interface Serialx/y:0 encapsulation frame-relay frame-relay traffic-shaping frame-relay lmi-type ansi frame-relay ip rtp header-compression frame-relay intf-type dce ! 
interface Serialx/y:0.100 point-to-point ip vrf forwarding MY-VRF ip address x.x.x.x x.x.x.x ip rip advertise 10 frame-relay interface-dlci 100 class MY-CLASS frame-relay ip rtp header-compression ! The E1 is completely clean but the serial interface shows runts: ROUTER#sh int sx/y:0 Serialx/y:0 is up, line protocol is up (...) Received 0 broadcasts, 12 runts, 0 giants, 0 throttles 12 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort (...) ROUTER# This happens everywhere in the network and there are many 7200's. The PA is the PA-MC-8TE1+. What could be the source of the problem? I know what a runt is but I would like to understand why I have it all over the network. Thanks. Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt From eng_mssk at hotmail.com Tue Nov 24 08:32:09 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Tue, 24 Nov 2009 15:32:09 +0200 Subject: [c-nsp] Metro Ethernet Switches Message-ID: hey all, I have a cisco metro switch with IOS 12.2 35SE. when I upgraded the IOS image to 12.2 52 SE the tacacs could not work well as it was in the previous image, even though I had the same configuration. any thoughts? From ianh at ianh.net.au Tue Nov 24 08:42:43 2009 From: ianh at ianh.net.au (Ian Henderson) Date: Tue, 24 Nov 2009 21:42:43 +0800 (WST) Subject: [c-nsp] Metro Ethernet Switches In-Reply-To: References: Message-ID: On Tue, 24 Nov 2009, Mohammad Khalil wrote: > the tacacs could not work well as it was in the previous image even > though i had the same configuration any thoughts ? Try adding the plaintext key again ('tacacs-server key xxx'). I've seen some IOS upgrades need it re-obfuscated to make it work. 
Just copy/pasting the existing obfuscated key won't work. From branto at branto.com Tue Nov 24 09:31:44 2009 From: branto at branto.com (Brant I. Stevens) Date: Tue, 24 Nov 2009 09:31:44 -0500 Subject: [c-nsp] MPLS VPNs on University Campus Message-ID: Hello all, I would like to talk to anyone who has deployed MPLS VPNs for their University Campus Network. Specifically, I'd like to know about their design, operational pitfalls, what you would do again, what wouldn't you do again, etc. Offlist is fine. This information will be kept confidential. Regards, Brant From djweis at internetsolver.com Tue Nov 24 09:05:29 2009 From: djweis at internetsolver.com (Dave Weis) Date: Tue, 24 Nov 2009 08:05:29 -0600 Subject: [c-nsp] Basic QoS on ATM subinterfaces Message-ID: <4B0BE829.3020301@internetsolver.com> Hello All I've got a PA-A3-OC3 that is terminating a large number of PPPoA connections. I need to do basic QoS/prioritization for voice traffic. I am using a subinterface per VPI with a vc-class to reference the virtual-template. I have set up a parent/child policy-map as the documentation suggested but trying to apply it doesn't work: router(config)#int atm4/0 router(config-if)#service-policy output VOICE-PARENT GTS : Not supported on this interface Most of the examples I saw that did work involved one or two interfaces of a known speed. The customers that are connecting to this vary from 256k to 30 megabits. I don't want to individually configure any portion of the solution per customer. I do have control of the radius configuration and can insert attributes that contain the speed that each customer is provisioned for if that would help. Any ideas? Below is what I ended up with. class-map match-all EVERYTHING match access-group name EVERYTHING class-map match-all IS-VOICE match access-group name IS-VOICE ! 
policy-map IS-VOICE
 class IS-VOICE
  priority percent 75
  set dscp ef
 class EVERYTHING
  set dscp default
policy-map VOICE-PARENT
 class class-default
  shape average percent 100
  service-policy IS-VOICE
!
ip access-list standard EVERYTHING
 permit any
!
ip access-list extended IS-VOICE
 permit ip 192.168.221.0 0.0.0.63 any

Thanks!
dave

-- 
Dave Weis
Internet Solver
Your Technology Partner
515-224-9229
www.internetsolver.com

From MatlockK at exempla.org Tue Nov 24 09:48:21 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Tue, 24 Nov 2009 07:48:21 -0700
Subject: [c-nsp] Metro Ethernet Switches
In-Reply-To: 
References: 
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3C6E@LMC-MAIL2.exempla.org>

Another thing to look at is the tacacs source-interface. If you don't have it in there, tie it to a loopback. If you do have it in there, verify the IP of the interface, and also try removing it. I've seen a few times after an upgrade that either removing it, or adding it 'magically' fixed the problem.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From MatlockK at exempla.org Tue Nov 24 10:03:57 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Tue, 24 Nov 2009 08:03:57 -0700
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To: <20091123.094517.74658458.sthaug@nethelp.no>
References: <20091123072804.GT163@greenie.muc.de> <20091123.094517.74658458.sthaug@nethelp.no>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3C70@LMC-MAIL2.exempla.org>

Heh, or the old ACC boxes (I think the Danube), where the original design was to not have ANY front-panel LEDs. The 'managers' didn't like that, so all they did was create a simple oscillator circuit that blinked an LED. The LED has NO correlation to the real status of the chassis. The chassis can be locked up solid, and that LED will continue blinking merrily.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of sthaug at nethelp.no
Sent: Monday, November 23, 2009 1:45 AM
To: gert at greenie.muc.de
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3550 High CPU - nothing in proc cpu

> Normally, hardware-forwarding boxes should never show significant CPU
> load.

With the exception of the old 3500XL series using 50% or more of the CPU to drive the front panel LEDs :-) (Yes, I know, EoL years ago...)
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From tim at pelican.org Tue Nov 24 10:14:27 2009
From: tim at pelican.org (Tim Franklin)
Date: Tue, 24 Nov 2009 15:14:27 +0000 (GMT)
Subject: [c-nsp] Basic QoS on ATM subinterfaces
In-Reply-To: <4B0BE829.3020301@internetsolver.com>
Message-ID: <20964580.61259075667371.JavaMail.root@jennyfur.pelican.org>

Hi Dave,

> I've got a PA-A3-OC3 that is terminating a large number of PPPoA
> connections. I need to do basic QoS/prioritization for voice traffic. I
> am using a subinterface per VPI with a vc-class to reference the
> virtual-template.
>
> I have set up a parent/child policy-map as the documentation suggested
> but trying to apply it doesn't work:
>
> router(config)#int atm4/0
> router(config-if)#service-policy output VOICE-PARENT
> GTS : Not supported on this interface

No, this won't work. You've got several places you can apply the template:

-On the sub-interface
-On the PVC, with the outer shaper removed
-On the virtual-access (via the virtual-template)

If you're bulk-terminating a bunch of PPPoA sessions, I'd suggest that you want it applied to the virtual-access interface. You can do this by either applying it to the virtual-template (if you're sure you always want the same policy for all the users), or push it back from RADIUS as a Cisco-avpair as each virtual-access interface is cloned.

Regards,
Tim.
From djweis at internetsolver.com Tue Nov 24 10:45:20 2009
From: djweis at internetsolver.com (Dave Weis)
Date: Tue, 24 Nov 2009 09:45:20 -0600
Subject: [c-nsp] Basic QoS on ATM subinterfaces
In-Reply-To: <20964580.61259075667371.JavaMail.root@jennyfur.pelican.org>
References: <20964580.61259075667371.JavaMail.root@jennyfur.pelican.org>
Message-ID: <4B0BFF90.2010509@internetsolver.com>

Tim Franklin wrote:
>> I've got a PA-A3-OC3 that is terminating a large number of PPPoA
>> connections. I need to do basic QoS/prioritization for voice traffic. I
>> am using a subinterface per VPI with a vc-class to reference the
>> virtual-template.
>>
>> I have set up a parent/child policy-map as the documentation suggested
>> but trying to apply it doesn't work:
>>
>> router(config)#int atm4/0
>> router(config-if)#service-policy output VOICE-PARENT
>> GTS : Not supported on this interface
>
> No, this won't work. You've got several places you can apply the template:
>
> -On the sub-interface
> -On the PVC, with the outer shaper removed
> -On the virtual-access (via the virtual-template)
>
> If you're bulk-terminating a bunch of PPPoA sessions, I'd suggest that you want it applied to the virtual-access interface. You can do this by either applying it to the virtual-template (if you're sure you always want the same policy for all the users), or push it back from RADIUS as a Cisco-avpair as each virtual-access interface is cloned.

OK, something like this:

class-map match-all EVERYTHING
 match access-group name EVERYTHING
class-map match-all IS-VOICE
 match access-group name IS-VOICE
!
!
policy-map IS-VOICE
 class IS-VOICE
  priority percent 75
  set dscp ef
 class EVERYTHING
  set dscp default

vc-class atm pppoa-1
 encapsulation aal5mux ppp Virtual-Template1

interface Virtual-Template1
 ip unnumbered Loopback0
 ip accounting output-packets
 no logging event link-status
 peer default ip address pool adsl1
 ppp authentication pap chap radius-ppp
 ppp authorization radius-ppp
 ppp link reorders
 ppp multilink
 ppp multilink fragment disable
 service-policy output IS-VOICE

ip access-list standard EVERYTHING
 permit any
!
ip access-list extended IS-VOICE
 permit ip 192.168.221.0 0.0.0.63 any

I have applied this configuration but the only interfaces that show up in show queueing are MLP bundles. The PVC's that show up after that section all list the queueing as FIFO still:

router#show queueing
Current fair queue configuration:

  Interface           Discard    Dynamic  Reserved  Link    Priority
                      threshold  queues   queues    queues  queues
  Virtual-Access180   64         256      256       8       1
  Virtual-Access207   64         256      256       8       1
  Virtual-Access450   64         256      256       8       1
  Virtual-Access541   64         256      256       8       1
  Virtual-Access573   64         256      256       8       1
  Virtual-Access574   64         256      256       8       1
  Virtual-Access575   64         256      256       8       1
  Virtual-Access595   64         256      256       8       1
  Virtual-Access597   64         256      256       8       1
  Virtual-Access599   64         256      256       8       1
  Virtual-Access640   64         256      256       8       1
  Virtual-Access651   64         256      256       8       1
  Virtual-Access654   64         256      256       8       1

Current DLCI priority queue configuration:
Current priority queue configuration:

List   Queue  Args
Current custom queue configuration:

VC 15/155 -
  VC 15/155: Per VC queueing is FIFO.
VC 14/99 -
  VC 14/99: Per VC queueing is FIFO.
VC 13/43 -
  VC 13/43: Per VC queueing is FIFO.
VC 11/187 -
  VC 11/187: Per VC queueing is FIFO.
VC 10/531 -
  VC 10/531: Per VC queueing is FIFO.
VC 10/275 -
  VC 10/275: Per VC queueing is FIFO.
VC 15/156 -
  VC 15/156: Per VC queueing is FIFO.

Have I missed something else?
Thanks
dave

-- 
Dave Weis
515-224-9229
djweis at internetsolver.com
http://www.internetsolver.com/
Please check out our Complete Support Service
http://www.internetsolver.com/completesupport/

From jeff-kell at utc.edu Tue Nov 24 11:03:39 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 24 Nov 2009 11:03:39 -0500
Subject: [c-nsp] 3550 High CPU - nothing in proc cpu
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3C70@LMC-MAIL2.exempla.org>
References: <20091123072804.GT163@greenie.muc.de> <20091123.094517.74658458.sthaug@nethelp.no> <4288131ED5E3024C9CD4782CECCAD2C7065D3C70@LMC-MAIL2.exempla.org>
Message-ID: <4B0C03DB.6060108@utc.edu>

> From: sthaug at nethelp.no
>> Normally, hardware-forwarding boxes should never show significant CPU
>> load.
>>
> With the exception of the old 3500XL series using 50% or more of the
> CPU to drive the front panel LEDs :-)

Yes, a 3500XL...

PCP-2000-IDF-3-2#show proc cpu | e 0.00.*0.00.*0.00
CPU utilization for five seconds: 55%/9%; one minute: 54%; five minutes: 53%
 PID Runtime(ms)    Invoked     uSecs   5Sec   1Min   5Min TTY Process
   2         324        145      2234  0.20%  0.24%  0.07%   1 Virtual Exec
  19   298827467  725645780       411  4.99%  3.38%  2.15%   0 LED Control Proc
  20    22588231    6594172      3425  0.32%  0.28%  0.28%   0 Frank Aging
  21  1508076145 1340714509      1124 12.28% 11.87% 11.73%   0 Port Status Proc

or a 2924XL...
NVA-CM-1#show proc cpu | e 0.00.*0.00.*0.00
CPU utilization for five seconds: 30%/7%; one minute: 32%; five minutes: 33%
 PID Runtime(ms)    Invoked     uSecs   5Sec   1Min   5Min TTY Process
   2         333         84      3964  0.00%  0.30%  0.07%   1 Virtual Exec
  19    87700963  110937038       790  1.12%  3.35%  3.93%   0 LED Control Proc
  21   361698432  203598505      1776 12.20% 11.28% 11.21%   0 Port Status Proc

Jeff

From ross at kallisti.us Tue Nov 24 11:24:26 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Tue, 24 Nov 2009 11:24:26 -0500
Subject: [c-nsp] Flow Control and 10GE interfaces
In-Reply-To: <20091124072514.M84074@bts.sk>
References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> <411048.27362.qm@web502.biz.mail.mud.yahoo.com> <20091124072514.M84074@bts.sk>
Message-ID: <20091124162426.GA13498@kallisti.us>

On Tue, Nov 24, 2009 at 09:00:51AM +0100, Marian Ďurkovič wrote:
> On Mon, 23 Nov 2009 11:40:17 -0800 (PST), Kevin Graham wrote
> > My understanding of this must be broken... If the pause frame is sent
> > only sent when or immediately before RX buffers are exhausted, then
> > TX queuing is triggered (hopefully only briefly before those buffers
> > are exhausted). This would seem to trigger behavior consistent w/ a
> > congested interface (which in fact it is, just prior to reaching line
> > rate, as the receiver can't take it off interface buffers fast enough).
>
> Yes, what you described is basically a case where the interface runs at faster
> speed than the data path behind it.
>
> Some examples: oversubscribed 10GE card with only 8 Gbps bandwidth to the switch
> fabric or system bus, 100 Mbps ethernet interface in front of 34 Mbps microwave
> link.
>
> This is exactly the *only* situation, where classic flow control makes sense and
> does really help, since it properly triggers output queueing at the sending side
> when the real data-path speed is reached. Any other usage is likely to cause
> more problems than benefits.

But in these cases you're saturated!
So why not just drop the frame and let the upper-layer figure out that it needs to back off? You're just delaying the inevitable by invoking flow control and hiding the information from the upper layer.

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From drew.weaver at thenap.com Tue Nov 24 11:33:25 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 24 Nov 2009 11:33:25 -0500
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
Message-ID: 

Howdy,

I've been having some issues with queue drops/CLI sluggishness on a 6500 and I wanted to check what kind of volume of traffic I was getting punted to the RP.

I made a span session and began checking out the traffic with tethereal.

It seems like a huge (30,000) or so packets every few seconds of just UDP traffic is being punted.

The system is a Sup720-3BXL.

Does anyone know how to determine what kind of traffic should be punted to the RP and more importantly why this UDP traffic is hitting the RP?

It almost looks like p2p traffic, but I also see other types of traffic, tcp 445, DNS, port 80, etc.

thanks,
-Drew

From cisco-nsp at ml.karotte.org Tue Nov 24 11:38:02 2009
From: cisco-nsp at ml.karotte.org (Sebastian Wiesinger)
Date: Tue, 24 Nov 2009 17:38:02 +0100
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To: 
References: 
Message-ID: <20091124163802.GA12191@danton.fire-world.de>

* Drew Weaver [2009-11-24 17:34]:
> I've been having some issues with queue drops/CLI sluggishness on a
> 6500 and I wanted to check what kind of volume of traffic I was
> getting punted to the RP.
>
> I made a span session and began checking out the traffic with
> tethereal.
>
> It seems like a huge (30,000) or so packets every few seconds of
> just UDP traffic is being punted.

Hi Drew,

can you post a sample from that traffic? Is it mostly the same?

> The system is a Sup720-3BXL.
>
> Does anyone know how to determine what kind of traffic should be
> punted to the RP and more importantly why this UDP traffic is
> hitting the RP?

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml#situations

Kind Regards,

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From tim at pelican.org Tue Nov 24 11:49:45 2009
From: tim at pelican.org (Tim Franklin)
Date: Tue, 24 Nov 2009 16:49:45 +0000 (GMT)
Subject: [c-nsp] Basic QoS on ATM subinterfaces
In-Reply-To: <26267858.91259081110989.JavaMail.root@jennyfur.pelican.org>
Message-ID: <21782950.111259081385955.JavaMail.root@jennyfur.pelican.org>

Hi Dave,

> interface Virtual-Template1
> ip unnumbered Loopback0
> ip accounting output-packets
> no logging event link-status
> peer default ip address pool adsl1
> ppp authentication pap chap radius-ppp
> ppp authorization radius-ppp
> ppp link reorders
> ppp multilink
> ppp multilink fragment disable
> service-policy output IS-VOICE

That looks OK to me.

> in show queueing are MLP bundles. The PVC's that show up after that
> section all list the queueing as FIFO still:

To be honest, I've never looked at that. Does 'show policy-map interface virtual-accessNNN' give you the right policy applied, and drops happening in the right class at the right times?

(I have a feeling the underlying interface still says FIFO as it is just passing on the PPPoA packets after the virtual-access has decided which packets to encapsulate in which order, but *don't* take that as gospel).
I'd also second another poster's point that you'll want the individual VCs configured as something like vbr-nrt, not ubr, or you won't ever get the back-pressure to the service-policy.

Regards,
Tim.

From BBlackford at nwresd.k12.or.us Tue Nov 24 11:54:03 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Tue, 24 Nov 2009 08:54:03 -0800
Subject: [c-nsp] Metro Ethernet Switches
In-Reply-To: 
References: 
Message-ID: <6069A203FD01884885C037F81DD75080173D6D861D@wsc-mail-01.intra.nwresd.k12.or.us>

I recall having some of my aaa config options slightly changing syntax after upgrading. Sounds like you've verified this, but it may be worth double-checking.

-b
From md at bts.sk Tue Nov 24 12:02:22 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Tue, 24 Nov 2009 18:02:22 +0100
Subject: [c-nsp] Flow Control and 10GE interfaces
In-Reply-To: <20091124162426.GA13498@kallisti.us>
References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> <411048.27362.qm@web502.biz.mail.mud.yahoo.com> <20091124072514.M84074@bts.sk> <20091124162426.GA13498@kallisti.us>
Message-ID: <20091124170222.GA60327@bts.sk>

On Tue, Nov 24, 2009 at 11:24:26AM -0500, Ross Vandegrift wrote:
> > Yes, what you described is basically a case where the interface runs at faster
> > speed than the data path behind it.
> >
> > Some examples: oversubscribed 10GE card with only 8 Gbps bandwidth to the switch
> > fabric or system bus, 100 Mbps ethernet interface in front of 34 Mbps microwave
> > link.
> >
> > This is exactly the *only* situation, where classic flow control makes sense and
> > does really help, since it properly triggers output queueing at the sending side
> > when the real data-path speed is reached. Any other usage is likely to cause
> > more problems than benefits.
>
> But in these cases you're saturated! So why not just drop the frame and
> let the upper-layer figure out that it needs to back off? You're just
> delaying the inevitable by invoking flow control and hiding the
> information from the upper layer.

Not exactly. By using flow control you're in fact signalling the real data-path speed to the sender, i.e. the sender knows it talks to e.g. a "34 Mbps ethernet" interface and not to wirespeed 100 Mbps ethernet.
It can utilize this info to properly apply QOS or to smooth microbursts using its output buffers - for instance, you'll hardly get IPTV working over such 34 Mbps microwave links without flowcontrol enabled.

With kind regards,

M.

From kgraham at industrial-marshmallow.com Tue Nov 24 12:22:03 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 24 Nov 2009 09:22:03 -0800 (PST)
Subject: [c-nsp] Flow Control and 10GE interfaces
In-Reply-To: <20091124072514.M84074@bts.sk>
References: <281EA4ACE09145C9952ED67C38E466B9@LAPTOP> <20091123134158.GA1538@kallisti.us> <411048.27362.qm@web502.biz.mail.mud.yahoo.com> <20091124072514.M84074@bts.sk>
Message-ID: <206779.70008.qm@web507.biz.mail.mud.yahoo.com>

> This is exactly the *only* situation, where classic flow control makes sense and
> does really help, since it properly triggers output queueing at the sending side
> when the real data-path speed is reached.

OK, the vitriol towards .3x in this thread was so strong I was concerned I had somehow misunderstood it.

> Any other usage is likely to cause more problems than benefits.

Documentation that I could find is vague at best, but are any switches actually doing end-to-end .3x and signaling ingress ports on a congested egress queue? (inferring that this is the 'problems' everyone is citing?)

At least for simple flowcontrol, propagating across the bus/fabric seems wholly broken and unnecessarily complex. However, sending a pause on a congested port complex (i.e. on PINNACLE's interfaces to the bus or MEDUSA/HYPERION) towards the port strikes me as both desirable and the most-likely form of implementation.
From djweis at internetsolver.com Tue Nov 24 12:29:37 2009
From: djweis at internetsolver.com (Dave Weis)
Date: Tue, 24 Nov 2009 11:29:37 -0600
Subject: [c-nsp] Basic QoS on ATM subinterfaces
In-Reply-To: <21782950.111259081385955.JavaMail.root@jennyfur.pelican.org>
References: <21782950.111259081385955.JavaMail.root@jennyfur.pelican.org>
Message-ID: <4B0C1801.90702@internetsolver.com>

Hello Tim

Tim Franklin wrote:
>> interface Virtual-Template1
>> ip unnumbered Loopback0
>> ip accounting output-packets
>> no logging event link-status
>> peer default ip address pool adsl1
>> ppp authentication pap chap radius-ppp
>> ppp authorization radius-ppp
>> ppp link reorders
>> ppp multilink
>> ppp multilink fragment disable
>> service-policy output IS-VOICE
>
> That looks OK to me.
>
>> in show queueing are MLP bundles. The PVC's that show up after that
>> section all list the queueing as FIFO still:
>
> To be honest, I've never looked at that. Does 'show policy-map interface virtual-accessNNN' give you the right policy applied, and drops happening in the right class at the right times?
If I run it against an MLP bundle with a voice device behind it, I do see what I would expect:

router#show policy-map int Vi573
 Virtual-Access573

  Service-policy output: IS-VOICE

    Class-map: IS-VOICE (match-all)
      108729 packets, 22455543 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IS-VOICE
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 75 (%)
        Bandwidth 224640 (kbps) Burst 5616000 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0
      QoS Set
        dscp ef
          Packets marked 108729

    Class-map: EVERYTHING (match-all)
      332750 packets, 429378515 bytes
      5 minute offered rate 38000 bps, drop rate 0 bps
      Match: access-group name EVERYTHING
      QoS Set
        dscp default
          Packets marked 332750

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

If I run it on a non-MLP virtual-access interface I get no output at all from the show policy-map command.

> (I have a feeling the underlying interface still says FIFO as it is just passing on the PPPoA packets after the virtual-access has decided which packets to encapsulate in which order, but *don't* take that as gospel).

Understood. I did find another document that I'm going to try and adapt:

http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094ad2.shtml

> I'd also second another poster's point that you'll want the individual VCs configured as something like vbr-nrt, not ubr, or you won't ever get the back-pressure to the service-policy.

Can you configure a VC as vbr-nrt without explicitly putting the rates? All of the PVC's are varying speeds with no explicit configuration for any one PVC.
-- 
Dave Weis
515-224-9229
djweis at internetsolver.com
http://www.internetsolver.com/
Please check out our Complete Support Service
http://www.internetsolver.com/completesupport/

From b.turnbow at twt.it Tue Nov 24 11:30:31 2009
From: b.turnbow at twt.it (Brian Turnbow)
Date: Tue, 24 Nov 2009 17:30:31 +0100
Subject: [c-nsp] Basic QoS on ATM subinterfaces
In-Reply-To: <4B0BFF90.2010509@internetsolver.com>
References: <20964580.61259075667371.JavaMail.root@jennyfur.pelican.org> <4B0BFF90.2010509@internetsolver.com>
Message-ID: 

You can't do it with ubr/ubr+ interfaces, you need to set a different class of service.
Here is an example technote:
http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml

Brian

From drew.weaver at thenap.com Tue Nov 24 13:03:31 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 24 Nov 2009 13:03:31 -0500
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To: 
References: 
Message-ID: 

Hi,

Yeah I followed the exact same instructions you posted when creating the RP span session.

Source Port-VLAN Info
---------------------
Ingress Source Ports: 4/23 15/1
Egress Source Ports : 4/23
Ingress Source Vlans:
Egress Source Vlans :
Ingress Filter Vlans :
Egress Filter Vlans :
Exclude Filter Vlans :
Exclude Alt Filter Vlans :
Ingress Filter Vlan Count: 0
Egress Filter Vlan Count : 0
Exclude Filter Vlan Count: 0
Exclude Alt Vlan Count : 0
Destination ports: 4/24

Thanks,
-Drew

From: Lee [mailto:ler762 at gmail.com]
Sent: Tuesday, November 24, 2009 1:00 PM
To: Drew Weaver
Cc: Cisco-nsp
Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

Hi Drew,

On Tue, Nov 24, 2009 at 11:33 AM, Drew Weaver wrote:
> Howdy,
>
> I've been having some issues with queue drops/CLI sluggishness on a 6500 and I wanted to check what kind of volume of traffic I was getting punted to the RP.
>
> I made a span session and began checking out the traffic with tethereal.

How did you make the span session? I think a regular span session gets you everything - not just punted packets.
I haven't actually tried this, but here's the notes I have for setting up a span session to see punted packets:

------------------
Here are the instructions to setup inband span (which monitors traffic sent to the MSFC):

Router#monitor session 1 source interface fa 3/3
!--- Use any interface that is administratively shut down.
Router#monitor session 1 destination interface fa 3/2

Now, go to the SP console. Here is an example:

Router#remote login switch
Router-sp#test monitor add 1 rp-inband rx   <--- check the syntax as it varies from one IOS to the next so use ?

Verify monitor session:

Router-sp#test monitor show session 1
Ingress Source Ports: 3/3 15/1
Egress Source Ports: 3/3
Ingress Source Vlans:
Egress Source Vlans:
Filter Vlans:
Destination Ports: 3/2

Go back to the RP and verify the monitor session as well:

Router#show monitor
Session 1
---------
Type : Local Session
Source Ports :
    Both : Fa3/3
Destination Ports : Fa3/2

SP console:

Router-sp#test monitor session 1 show
Ingress Source Ports: 3/3 15/1
Egress Source Ports: 3/3
Ingress Source Vlans:
Egress Source Vlans:
Filter Vlans:
Destination Ports: 3/2

To remove the inband span from sp do

test monitor session 1 del

and from the rp do

no mon sess all
-------------------------------

Regards,
Lee
From drew.weaver at thenap.com Tue Nov 24 13:07:54 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 24 Nov 2009 13:07:54 -0500
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To: <20091124163802.GA12191@danton.fire-world.de>
References: <20091124163802.GA12191@danton.fire-world.de>
Message-ID: 

Sure, example #1

example #1
2.012467 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012516 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012566 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012616 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012666 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012766 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012816 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012866 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012916 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013016 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013066 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013116 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013166 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013168 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013216 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472

example #2
1.694327 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694426 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694476 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694526
local.ip -> internet.ip SIP Status: 200 OK (1 bindings) 1.694576 local.ip -> internet.ip SIP Status: 200 OK (1 bindings) 1.694626 local.ip -> internet.ip SIP Status: 200 OK (1 bindings) 1.694726 local.ip -> internet.ip SIP Status: 200 OK (1 bindings) 1.694776 local.ip -> internet.ip SIP Status: 200 OK (1 bindings) 1.694826 local.ip -> internet.ip SIP Status: 200 OK (1 bindings) 1.694876 local.ip -> internet.ip SIP Status: 200 OK (1 bindings) example #3 1.034938 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.034942 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035037 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035041 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035137 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035187 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035236 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035336 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035341 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035436 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035486 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035536 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035586 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic 1.035636 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic example #4 1.292173 local.ip -> internet.ip DNS Standard query response, No such name 1.292223 local.ip -> internet.ip DNS Standard query response, No such name 1.292273 local.ip -> internet.ip DNS Standard query response, No such name 1.292323 local.ip 
-> internet.ip DNS Standard query response, No such name 1.292373 local.ip -> internet.ip DNS Standard query response, No such name 1.292423 local.ip -> internet.ip DNS Standard query response, No such name 1.292473 local.ip -> internet.ip DNS Standard query response, No such name 1.292522 local.ip -> internet.ip DNS Standard query response, No such name 1.292573 local.ip -> internet.ip DNS Standard query response, No such name 1.292622 local.ip -> internet.ip DNS Standard query response, No such name 1.292672 local.ip -> internet.ip DNS Standard query response, No such name example #5 1.343640 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.354772 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.354872 10.1.0.162 -> 192.168.115.34 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.381130 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.384974 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.393011 10.1.0.162 -> internet.ip ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.414982 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.442681 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.445027 10.1.0.162 -> 192.168.45.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.463498 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.474230 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.501936 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.504232 10.1.0.162 -> 192.168.115.34 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.504582 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) 1.519408 
10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit) each of these examples are just tiny samples, the traffic seems to go on for a long time. Note I sanitized the IPs in example #5 -Drew -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian Wiesinger Sent: Tuesday, November 24, 2009 11:38 AM To: Cisco-nsp Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not? * Drew Weaver [2009-11-24 17:34]: > I've been having some issues with queue drops/CLI sluggishness on a > 6500 and I wanted to check what kind of volume of traffic I was > getting punted to the RP. > > I made a span session and began checking out the traffic with > tethereal. > > It seems like a huge (30,000) or so packets every few seconds of > just UDP traffic is being punted. Hi Drew, can you post a sample from that traffic? Is it mostly the same? > The system is a Sup720-3BXL. > > Does anyone know how to determine what kind of traffic should be > punted to the RP and more importantly why this UDP traffic is > hitting the RP? http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml#situations Kind Regards, Sebastian -- New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From drew.weaver at thenap.com Tue Nov 24 13:20:33 2009 From: drew.weaver at thenap.com (Drew Weaver) Date: Tue, 24 Nov 2009 13:20:33 -0500 Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not? 
In-Reply-To:
References:
Message-ID:

Hi Lee,

I believe you're referring to show 'platform hardware capacity' and nothing looks extremely out of the ordinary.

-Drew

From: Lee [mailto:ler762 at gmail.com]
Sent: Tuesday, November 24, 2009 1:14 PM
To: Drew Weaver
Cc: Cisco-nsp
Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

On Tue, Nov 24, 2009 at 1:03 PM, Drew Weaver wrote:
Hi,

Yeah I followed the exact same instructions you posted when creating the RP span session.

Well.. it was worth a shot :)
Have you seen any syslog messages about a fib or tcam table overflow?
Someone else will have to chime in with the show commands to see hardware resource utilization - I'm not at work & don't remember what they are. Sorry..

Lee

From ler762 at gmail.com Tue Nov 24 13:00:09 2009
From: ler762 at gmail.com (Lee)
Date: Tue, 24 Nov 2009 13:00:09 -0500
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To:
References:
Message-ID:

Hi Drew,

On Tue, Nov 24, 2009 at 11:33 AM, Drew Weaver wrote:
> Howdy,
>
> I've been having some issues with queue drops/CLI sluggishness on a 6500
> and I wanted to check what kind of volume of traffic I was getting punted to
> the RP.
>
> I made a span session and began checking out the traffic with tethereal.
>

How did you make the span session? I think a regular span session gets you everything - not just punted packets.

I haven't actually tried this, but here's the notes I have for setting up a span session to see punted packets:

------------------
Here are the instructions to setup inband span (which monitors traffic sent to the MSFC):

Router#monitor session 1 source interface fa 3/3
!--- Use any interface that is administratively shut down.
Router#monitor session 1 destination interface fa 3/2

Now, go to the SP console.
Here is an example:

Router#remote login switch
Router-sp#test monitor add 1 rp-inband rx   <--- check the syntax as it varies from one IOS to the next so use ?

Verify monitor session:

Router-sp#test monitor show session 1
Ingress Source Ports: 3/3 15/1
Egress Source Ports: 3/3
Ingress Source Vlans:
Egress Source Vlans:
Filter Vlans:
Destination Ports: 3/2

Go back to the RP and verify the monitor session as well:

Router#show monitor
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa3/3
Destination Ports : Fa3/2

SP console:

Router-sp#test monitor session 1 show
Ingress Source Ports: 3/3 15/1
Egress Source Ports: 3/3
Ingress Source Vlans:
Egress Source Vlans:
Filter Vlans:
Destination Ports: 3/2

To remove the inband span from sp do
  test monitor session 1 del
and from the rp do
  no mon sess all
-------------------------------

Regards,
Lee

> It seems like a huge (30,000) or so packets every few seconds of just UDP
> traffic is being punted.
>
> The system is a Sup720-3BXL.
>
> Does anyone know how to determine what kind of traffic should be punted to
> the RP and more importantly why this UDP traffic is hitting the RP?
>
> It almost looks like p2p traffic, but I also see other types of traffic,
> tcp 445, DNS, port 80, etc.
> thanks,
> -Drew
>

From ler762 at gmail.com Tue Nov 24 13:14:18 2009
From: ler762 at gmail.com (Lee)
Date: Tue, 24 Nov 2009 13:14:18 -0500
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To:
References:
Message-ID:

On Tue, Nov 24, 2009 at 1:03 PM, Drew Weaver wrote:
> Hi,
>
>
>
> Yeah I followed the exact same instructions you posted when creating the RP
> span session.
>

Well.. it was worth a shot :)
Have you seen any syslog messages about a fib or tcam table overflow?
Someone else will have to chime in with the show commands to see hardware resource utilization - I'm not at work & don't remember what they are. Sorry..

Lee

From drew.weaver at thenap.com Tue Nov 24 13:44:40 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 24 Nov 2009 13:44:40 -0500
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9D775E7EDAF@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9D775E7EDAF@PUR-EXCH07.ox.com>
Message-ID:

Hi,

No HSRP, VRRP or GLBP on this box.

#sh mac-address-table aging-time
Vlan    Aging Time
----    ----------
Global  300
no vlan age other than global age configured

Routed MAC aging time: 300 seconds

This is on our core, though, so there are no hosts connected here.

-Drew

-----Original Message-----
From: Matthew Huff [mailto:mhuff at ox.com]
Sent: Tuesday, November 24, 2009 1:41 PM
To: Drew Weaver; 'Lee'
Cc: Cisco-nsp
Subject: RE: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

Are you using first-hop redundancy like hsrp, glbp, vrrp? This can cause asymmetrical MAC based FIB timeouts which leads to unicast flooding. I didn't think these were RP switched, but it could be. If so, what is your setting for "mac-address-table aging-time" ? We have ours set > fib timeout...so:

mac-address-table aging-time 14400

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
Sent: Tuesday, November 24, 2009 1:21 PM
To: 'Lee'
Cc: Cisco-nsp
Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

Hi Lee,

I believe you're referring to show 'platform hardware capacity' and nothing looks extremely out of the ordinary.

-Drew

From: Lee [mailto:ler762 at gmail.com]
Sent: Tuesday, November 24, 2009 1:14 PM
To: Drew Weaver
Cc: Cisco-nsp
Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

On Tue, Nov 24, 2009 at 1:03 PM, Drew Weaver wrote:
Hi,

Yeah I followed the exact same instructions you posted when creating the RP span session.

Well.. it was worth a shot :)
Have you seen any syslog messages about a fib or tcam table overflow?
Someone else will have to chime in with the show commands to see hardware resource utilization - I'm not at work & don't remember what they are. Sorry..

Lee

From kgraham at industrial-marshmallow.com Tue Nov 24 14:03:26 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 24 Nov 2009 11:03:26 -0800 (PST)
Subject: [c-nsp] OT: VSS + MEC - port-channel dynamically cloned?
In-Reply-To: <1259045489.12138.5.camel@leland-gandi>
References: <1259045489.12138.5.camel@leland-gandi>
Message-ID: <446578.61955.qm@web505.biz.mail.mud.yahoo.com>

[...taking this from nanog to c-nsp...]

> Essentially, for all of the MEC connections, the VSS has created a clone
> of the configured port-channel to bind the actual physical connections,
> rather than binding them under the configured port-channel (and suffixed
> the port-channel number with A or B depending on which chassis was first
> to bind).

I believe this is an LACP artifact; speculation, but when the port-channel is first formed, the far-end aggregator is saved. If the channel is re-formed with a new aggregator, the channel is "cloned" like this.
I've only tripped across this on standalone 6500's when bringing up new LACP bundles; destroying and recreating them worked fine (though as you noticed, there's no functional impact from a "cloned" Po interface, just cosmetic).

From mhuff at ox.com Tue Nov 24 13:41:09 2009
From: mhuff at ox.com (Matthew Huff)
Date: Tue, 24 Nov 2009 13:41:09 -0500
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To:
References:
Message-ID: <483E6B0272B0284BA86D7596C40D29F9D775E7EDAF@PUR-EXCH07.ox.com>

Are you using first-hop redundancy like hsrp, glbp, vrrp? This can cause asymmetrical MAC based FIB timeouts which leads to unicast flooding. I didn't think these were RP switched, but it could be. If so, what is your setting for "mac-address-table aging-time" ? We have ours set > fib timeout...so:

mac-address-table aging-time 14400

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
Sent: Tuesday, November 24, 2009 1:21 PM
To: 'Lee'
Cc: Cisco-nsp
Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

Hi Lee,

I believe you're referring to show 'platform hardware capacity' and nothing looks extremely out of the ordinary.

-Drew

From: Lee [mailto:ler762 at gmail.com]
Sent: Tuesday, November 24, 2009 1:14 PM
To: Drew Weaver
Cc: Cisco-nsp
Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

On Tue, Nov 24, 2009 at 1:03 PM, Drew Weaver wrote:
Hi,

Yeah I followed the exact same instructions you posted when creating the RP span session.

Well.. it was worth a shot :)
Have you seen any syslog messages about a fib or tcam table overflow?
Someone else will have to chime in with the show commands to see hardware resource utilization - I'm not at work & don't remember what they are. Sorry..

Lee

From justin at justinshore.com Tue Nov 24 14:19:21 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 24 Nov 2009 13:19:21 -0600
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To:
References: <483E6B0272B0284BA86D7596C40D29F9D775E7EDAF@PUR-EXCH07.ox.com>
Message-ID: <4B0C31B9.4050601@justinshore.com>

Drew Weaver wrote:
> Hi,
>
> No HSRP, VRRP or GLBP on this box.
>
> #sh mac-address-table aging-time
> Vlan    Aging Time
> ----    ----------
> Global  300
> no vlan age other than global age configured
>
> Routed MAC aging time: 300 seconds
>
> This is on our core, though so there are no hosts connected here.

Well, I guess the next step would be to identify the ingress and egress interfaces for these example packets and dive into the interface config to see if something on the interface is causing the punting. Can you sanitize it and post it?

I once saw a situation with netflow on an interface causing all packets ingressing or egressing that interface to get punted. Something in NF got screwed up. Removing it and reapplying it to the interface fixed the problem. Sometimes things just break.(tm)

Justin

From david at hughes.com.au Tue Nov 24 14:50:45 2009
From: david at hughes.com.au (David Hughes)
Date: Wed, 25 Nov 2009 05:50:45 +1000
Subject: [c-nsp] delay eBGP sessions on startup?
In-Reply-To: <20091124071929.GE163@greenie.muc.de>
References: <20091123074656.GU163@greenie.muc.de> <20091124071929.GE163@greenie.muc.de>
Message-ID: <1CD79422-05B0-4D76-96A6-1B29DC9F609F@hughes.com.au>

On 24/11/2009, at 5:19 PM, Gert Doering wrote:

> Well, the "two routers" mentioned above are "the core" and "the border
> routers". There *is* only these two :-)

Well, in that case the only thing I can think of is conditional advertisement based on the visibility of an iBGP prefix that you receive from the other router as someone mentioned before. Again, this wouldn't be deterministic and you could quite possibly still blackhole traffic but hopefully for a much shorter time. At least you'd know that the iBGP session had been established and prefixes were flowing even if things hadn't totally reconverged.

David
...

From achatz at forthnet.gr Tue Nov 24 15:01:47 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 24 Nov 2009 22:01:47 +0200
Subject: [c-nsp] OT: VSS + MEC - port-channel dynamically cloned?
In-Reply-To: <446578.61955.qm@web505.biz.mail.mud.yahoo.com>
References: <1259045489.12138.5.camel@leland-gandi> <446578.61955.qm@web505.biz.mail.mud.yahoo.com>
Message-ID: <4B0C3BAB.8080502@forthnet.gr>

I have seen (very frequently) cloned A and B port-channels (debug calls them "secondary aggregators" if I remember right) created on a 6500 after reloading the peer router (C10k). Quite annoying, since the cloned interface is a new interface and snmp counters do not work anymore (neither our eem scripts).

According to tac, this is expected behavior for LACP if there is a misconfiguration (typically when two links of the same channel are attempted to be connected on two different devices on the remote end, like in this case, VSS/MEC) on the moment of the channel bundling. But in my case it was something else and tac couldn't find the root cause.

--
Tassos

Kevin Graham wrote on 24/11/2009 21:03:
> [...taking this from nanog to c-nsp...]
>
>
>
>> Essentially, for all of the MEC connections, the VSS has created a clone
>> of the configured port-channel to bind the actual physical connections,
>> rather than binding them under the configured port-channel (and suffixed
>> the port-channel number with A or B depending on which chassis was first
>> to bind).
>
> I believe this is an LACP artifact; speculation, but when the port-channel
> is first formed, the far-end aggregator is saved. If the channel is
> re-formed with a new aggregator, the channel is "cloned" like this.
>
> I've only tripped across this on standalone 6500's when bringing up new
> LACP bundles; destroying and recreating them worked fine (though as you
> noticed, there's no functional impact from a "cloned" Po interface, just
> cosmetic).
>

From p.mayers at imperial.ac.uk Tue Nov 24 15:09:24 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 24 Nov 2009 20:09:24 +0000
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To:
References:
Message-ID: <4B0C3D74.2090507@imperial.ac.uk>

Drew Weaver wrote:
> Howdy,
>
> I've been having some issues with queue drops/CLI sluggishness on a
> 6500 and I wanted to check what kind of volume of traffic I was
> getting punted to the RP.
>
> I made a span session and began checking out the traffic with
> tethereal.
>
> It seems like a huge (30,000) or so packets every few seconds of just
> UDP traffic is being punted.
>
> The system is a Sup720-3BXL.

What's the IOS version?
As posted recently, I've seen FIB/TCAM programming errors on some IOSes; try a "shut", "no shut" of the input interfaces (if you can).

All kinds of things can cause CPU punts, but primarily you're looking for MTU failures, ICMP redirects (packets coming in on an interface which is also the outbound interface), glean (next-hop needs ARP) and similar. Obviously if you've somehow managed to fall back to CPU forwarding, but that's unlikely from the sounds of it.

Bear in mind that certain kinds of traffic (e.g. RPF failures) are "leaked" to the CPU so that it can see & count them; do you have any MLS rate-limiters enabled ("sh mls rate-limit")

From dean at eatworms.org.uk Tue Nov 24 14:22:50 2009
From: dean at eatworms.org.uk (Dean Smith)
Date: Tue, 24 Nov 2009 19:22:50 -0000
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To:
References:
Message-ID: <006601ca6d3b$83e15080$8ba3f180$@org.uk>

Having spent the day chasing something identical.....for us it was that the traffic was being redirected to another router on the inbound VLAN - every packet needing a redirect gets punted. A few changes to topology and the redirect requirement was removed and the traffic returned to being hardware routed.

We also had to span the RP before we worked out why the traffic was being punted.

Dean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
Sent: 24 November 2009 16:33
To: Cisco-nsp
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

Howdy,

I've been having some issues with queue drops/CLI sluggishness on a 6500 and I wanted to check what kind of volume of traffic I was getting punted to the RP.

I made a span session and began checking out the traffic with tethereal.

It seems like a huge (30,000) or so packets every few seconds of just UDP traffic is being punted.

The system is a Sup720-3BXL.

Does anyone know how to determine what kind of traffic should be punted to the RP and more importantly why this UDP traffic is hitting the RP?

It almost looks like p2p traffic, but I also see other types of traffic, tcp 445, DNS, port 80, etc.

thanks,
-Drew

From gert at greenie.muc.de Tue Nov 24 15:46:25 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 24 Nov 2009 21:46:25 +0100
Subject: [c-nsp] delay eBGP sessions on startup?
In-Reply-To: <1CD79422-05B0-4D76-96A6-1B29DC9F609F@hughes.com.au>
References: <20091123074656.GU163@greenie.muc.de> <20091124071929.GE163@greenie.muc.de> <1CD79422-05B0-4D76-96A6-1B29DC9F609F@hughes.com.au>
Message-ID: <20091124204625.GL163@greenie.muc.de>

Hi,

On Wed, Nov 25, 2009 at 05:50:45AM +1000, David Hughes wrote:
>
> On 24/11/2009, at 5:19 PM, Gert Doering wrote:
>
> > Well, the "two routers" mentioned above are "the core" and "the border
> > routers". There *is* only these two :-)
>
> Well, in that case the only thing I can think of is conditional
> advertisement based on the visibility of an iBGP prefix that you
> receive from the other router as someone mentioned before.

Sounds like a plan - Router A down -> prefix missing on Router B, remove external announcement there as well.

"How to build a redundant network that falls off the 'net if *either* router dies" :-))

> Again, this wouldn't be deterministic and you could quite possibly
> still blackhole traffic but hopefully for a much shorter time. At
> least you'd know that the iBGP session had been established and
> prefixes were flowing even if things hadn't totally reconverged.

"internal routes in OSPF" :-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Tue Nov 24 15:50:38 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 24 Nov 2009 21:50:38 +0100
Subject: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
In-Reply-To:
References:
Message-ID: <20091124205038.GM163@greenie.muc.de>

Hi,

On Tue, Nov 24, 2009 at 01:14:18PM -0500, Lee wrote:
> Well.. it was worth a shot :)
> Have you seen any syslog messages about a fib or tcam table overflow?
> Someone else will have to chime in with the show commands to see hardware
> resource utilization - I'm not at work & don't remember what they are.
> Sorry..

"show mls cef exception status"

If you see anything shown as "TRUE" there, reload... (no way to recover).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de

From lists at memetic.org Tue Nov 24 15:37:58 2009
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 24 Nov 2009 20:37:58 +0000
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To:
References:
Message-ID: <4B0C4426.9000807@memetic.org>

loui leaky wrote:
> I am building out a new datacenter. The edge is going to consist of 2 routers. Each device has a 10G interface connected to a different provider with a 1-2G commit.
> I think comparing price and throughput, I'd be better off using 7606/RSP720-3CXL/WS-X6708-10GE vs ASR1004 with 10G-SRs (that cisco rep promises will be supported in code rev before end of year). For some reason Cisco guys seem to be pushing the ASR. I'd love to go with it to learn something new but 1004 is limited to 20GB throughput while the 7606 should be able to handle in the hundreds if we should ever need it.
>
> I read through the archives of the list and people have some strong opinions against the 7606, especially regarding netflow exports, but maybe that was related to SUP720 issues. I do not plan to offer any services at the edge of my network.

These are very, very, very different devices, almost incomparable. The 7600 is a switch which does layer 3, the ASR is the successor to the 7200, that is, a software router. If you need features the 7600 doesn't have, you want an ASR. If you potentially need more throughput than the ASR can handle, you want the 7600.

For your use, sounds like you want a 7600, as you have no idea what the differences are, and are therefore unlikely to run into any of them. :)

Cisco are pushing the ASR just like they pushed all of the other 'new' hardware. It's what they do, they sell things. Don't take advice on what to buy from the people who are selling it to you.

adam.

From mack.mcbride at viawest.com Tue Nov 24 16:02:29 2009
From: mack.mcbride at viawest.com (Mack McBride)
Date: Tue, 24 Nov 2009 13:02:29 -0800
Subject: [c-nsp] Odd problem with bgp resets on SRD3
Message-ID:

I am looking at 2 - 7600s with RSP720-3CXLs w/ 4GB of RAM and 6708-3CXL cards running SRD3.
These are not currently production equipment but are connected to upstreams as well as route-reflectors but are not advertising routes as we have advertisements blocked with a deny-all prefix list.

We THINK the dumped BGP packet is correctly formatted and the packet dumped is actually the packet before the bad packet.

Has anyone else seen similar issues?
Does anyone else know if this is a known bug that exists in this code or early versions of the SRD train?
I know there are entirely too many caveats in SRC5.

Mack McBride
Network Architect
ViaWest, Inc.

We had the following errors occur:

Log from 7600-01:

Nov 24 02:41:59.696 MST: %BGP-5-ADJCHANGE: neighbor 207.xx.xx.xx Down BGP Notification sent
Nov 24 02:41:59.696 MST: %BGP-3-NOTIFICATION: sent to neighbor 207.xx.xx.xx 3/1 (update malformed) 0 bytes
Nov 24 02:41:59.696 MST: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from 207.xx.xx.xx: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0064 0200 0000 4940 0101 0040 0208 0203 10E3 00AE 0865 4003 04CF FA73 1540 0600 C007 0608 659A 3604 36C0 0824 10E3 0033 10E3 01F5 10E3 03F7 10E3 09C7 10E3 C350 FE4D 03F7 FE4E 0004 FE4F 0001 FE50 012D 18C0 2104
Nov 24 02:41:59.748 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx1 Down No memory
Nov 24 02:41:59.748 MST: %BGP_SESSION-5-ADJCHANGE: neighbor 74.xx.xx.xx1 IPv4 Unicast topology base removed from session No memory
Nov 24 02:41:59.748 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx2 Down No memory
Nov 24 02:41:59.748 MST: %BGP_SESSION-5-ADJCHANGE: neighbor 74.xx.xx.xx2 IPv4 Unicast topology base removed from session No memory
Nov 24 02:41:59.748 MST: %BGP_SESSION-5-ADJCHANGE: neighbor 207.xx.xx.xx IPv4 Unicast topology base removed from session BGP Notification sent
Nov 24 02:42:06.384 MST: %BGP-5-ADJCHANGE: neighbor 207.xx.xx.xx Up
Nov 24 02:42:12.640 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx2 Up
Nov 24 02:42:12.672 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx1 Up
Nov 24 02:42:31.436 MST: %BGP-5-ADJCHANGE: neighbor 207.xx.xx.xx Down BGP Notification sent
Nov 24 02:42:31.436 MST: %BGP-3-NOTIFICATION: sent to neighbor 207.xx.xx.xx 3/1 (update malformed) 0 bytes
Nov 24 02:42:31.440 MST: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from 207.xx.xx.xx: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0064 0200 0000 4940 0101 0040 0208 0203 10E3 00AE 0865 4003 04CF FA73 1540 0600 C007 0608 659A 3604 42C0 0824 10E3 0033 10E3 01F5 10E3 03F7 10E3 09C7 10E3 C350 FE4D 03F7 FE4E 0004 FE4F 0001 FE50 012D 18C0 2104
Nov 24 02:42:31.504 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx1 Down No memory
Nov 24 02:42:31.504 MST: %BGP_SESSION-5-ADJCHANGE: neighbor 74.xx.xx.xx1 IPv4 Unicast topology base removed from session No memory
Nov 24 02:42:31.504 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx2 Down No memory
Nov 24 02:42:31.504 MST: %BGP_SESSION-5-ADJCHANGE: neighbor 74.xx.xx.xx2 IPv4 Unicast topology base removed from session No memory
Nov 24 02:42:31.504 MST: %BGP_SESSION-5-ADJCHANGE: neighbor 207.xx.xx.xx IPv4 Unicast topology base removed from session BGP Notification sent
Nov 24 02:42:38.620 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx2 Up
Nov 24 02:42:38.620 MST: %BGP-5-ADJCHANGE: neighbor 207.xx.xx.xx Up
Nov 24 02:42:42.928 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx1 Up

7600-02:

Nov 24 02:42:16.343 MST: %BGP-5-ADJCHANGE: neighbor 4.xx.xx.xx Down BGP Notification sent
Nov 24 02:42:16.343 MST: %BGP-3-NOTIFICATION: sent to neighbor 4.xx.xx.xx 3/1 (update malformed) 0 bytes
Nov 24 02:42:16.343 MST: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from 4.xx.xx.xx: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 005F 0200 0000 4440 0101 0040 0208 0203 0D1C 00AE 0865 4003 0404 350B 8580 0404 0000 0000 4006 00C0 0706 0865 9A36 0436 C008 180D 1C00 030D 1C00 160D 1C00 560D 1C02 3F0D 1C02 9A0D 1C07 D818 C021 04
Nov 24 02:42:16.403 MST: %BGP_SESSION-5-ADJCHANGE: neighbor 4.xx.xx.xx IPv4 Unicast topology base removed from session BGP Notification sent
Nov 24 02:42:16.403 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx1 Down No memory
Nov 24 02:42:16.403 MST: %BGP_SESSION-5-ADJCHANGE: neighbor 74.xx.xx.xx1 IPv4 Unicast topology base removed from session No memory
Nov 24 02:42:16.403 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx2 Down No memory
Nov 24 02:42:16.403 MST: %BGP_SESSION-5-ADJCHANGE: neighbor 74.xx.xx.xx2 IPv4 Unicast topology base removed from session No memory
Nov 24 02:42:22.907 MST: %BGP-5-ADJCHANGE: neighbor 4.xx.xx.xx Up
Nov 24 02:42:25.551 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx2 Up
Nov 24 02:42:29.107 MST: %BGP-5-ADJCHANGE: neighbor 74.xx.xx.xx1 Up

From sethm at rollernet.us Tue Nov 24 16:46:39 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 24 Nov 2009 13:46:39 -0800
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0C4426.9000807@memetic.org>
References: <4B0C4426.9000807@memetic.org>
Message-ID: <4B0C543F.6000100@rollernet.us>

Adam Armstrong wrote:
> These are very, very, very different devices, almost incomparable. The
> 7600 is a switch which does layer 3, the ASR is the successor to the
> 7200, that is, a software router. If you need features the 7600 doesn't
> have, you want an ASR. If you potentially need more throughput than the
> ASR can handle, you want the 7600.
>

The ASR1k has a TCAM.

~Seth

From Dhanalakshmi.Mohanasundaram at in.lafarge.com Tue Nov 24 17:31:53 2009
From: Dhanalakshmi.Mohanasundaram at in.lafarge.com (Dhanalakshmi.Mohanasundaram at in.lafarge.com)
Date: Wed, 25 Nov 2009 04:01:53 +0530
Subject: [c-nsp] Dhanalakshmi Mohanasundaram is out of the office.
Message-ID:

I will be out of the office starting 11/25/2009 and will not return until 12/04/2009.

I will respond to your message when I return. In case of any issues Pls contact Mr. Periyasamy Nattar ( Periyasamy.nattar at in.lafareg.com )
You should be aware, that the company may monitor your emails and their content" From justin at justinshore.com Tue Nov 24 18:11:17 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 24 Nov 2009 17:11:17 -0600 Subject: [c-nsp] Metro Ethernet Switches In-Reply-To: <6069A203FD01884885C037F81DD75080173D6D861D@wsc-mail-01.intra.nwresd.k12.or.us> References: <6069A203FD01884885C037F81DD75080173D6D861D@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: <4B0C6815.1050001@justinshore.com> Bill Blackford wrote: > I recall having some of my aaa config options slightly changing syntax after upgrading. Sounds like you've verified this, but it may be worth double-checking. I highly recommend using a tool like RANCID to keep an eye on config changes, especially during upgrades. I didn't bother to check the RANCID diff when I did an upgrade over the weekend and discovered a problem yesterday (see NTP thread from yesterday). Had I stayed up and reviewed the email notice I would have found the problem much sooner. At the very least get a copy of Kiwi CatTools and run it before and after an upgrade. It's a good sanity check. Justin From mtinka at globaltransit.net Tue Nov 24 19:10:30 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 25 Nov 2009 08:10:30 +0800 Subject: [c-nsp] OT: VSS + MEC - port-channel dynamically cloned? In-Reply-To: <4B0C3BAB.8080502@forthnet.gr> References: <1259045489.12138.5.camel@leland-gandi> <446578.61955.qm@web505.biz.mail.mud.yahoo.com> <4B0C3BAB.8080502@forthnet.gr> Message-ID: <200911250810.35211.mtinka@globaltransit.net> On Wednesday 25 November 2009 04:01:47 am Tassos Chatzithomaoglou wrote: > According to tac, this is expected behavior for LACP if > there is a misconfiguration (typically when two links of > the same channel are attempted to be connected on two > different devices on the remote end, like in this case, > VSS/MEC) on the moment of the channel bundling. 
> But in my case it was something else and tac couldn't find the root cause.

We've seen this behaviour when we enabled LACP under SXH3. However, since upgrading to SXI2a late last month, there are no more cloned interfaces. The actual port-channel is the only port-channel.

I found the "cloning" weird, at first. But clearly, as much as it wasn't documented, SXI2a "fixed" that issue :-).

We're also not seeing this issue on a 7606/RSP720-3CXL running 12.2(33)SRC5.

Cheers,

Mark.

From david at hughes.com.au Tue Nov 24 21:47:00 2009
From: david at hughes.com.au (David Hughes)
Date: Wed, 25 Nov 2009 12:47:00 +1000
Subject: [c-nsp] delay eBGP sessions on startup?
In-Reply-To: <20091124204625.GL163@greenie.muc.de>
References: <20091123074656.GU163@greenie.muc.de> <20091124071929.GE163@greenie.muc.de> <1CD79422-05B0-4D76-96A6-1B29DC9F609F@hughes.com.au> <20091124204625.GL163@greenie.muc.de>
Message-ID: 

On 25/11/2009, at 6:46 AM, Gert Doering wrote:
> Sounds like a plan - Router A down -> prefix missing on Router B, remove external announcement there as well.
>
> "How to build a redundant network that falls off the 'net if *either* router dies" :-))

LOL. Didn't think that one through to its natural conclusion did I :-)

David
...

From bacon at walleyesoftware.com Tue Nov 24 21:57:06 2009
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Tue, 24 Nov 2009 20:57:06 -0600
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
Message-ID: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net>

Will the SFPs from the ONS systems work in a cat6500? There's a plethora of ONS-SC-2G SFPs out there, but not so many DWDM-SFP-xxxx modules. I'm guessing that the disparity in supply means they don't work, but would like some confirmation.

(Have a temporary need to run a gig over a DWDM wave, looking for the cheap way out.)

From justin at justinshore.com Tue Nov 24 22:49:37 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 24 Nov 2009 21:49:37 -0600
Subject: [c-nsp] New feature, can't find it documented - NTP using DNS
In-Reply-To: <4B0B564F.1010100@justinshore.com>
References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> <6E4D2678AC543844917CA081C9D6B33FB8F13D@XMB-AMS-103.cisco.com> <4B0AEE45.90809@justinshore.com> <4B0B564F.1010100@justinshore.com>
Message-ID: <4B0CA951.10409@justinshore.com>

> I talked with TAC about the problem. It took a while to get the engineer to understand the problem but I think we got there. If not I will requeue. He pointed me to a known bug: CSCsx21595. He kept saying that this problem was fixed in 24T2 and only affected 3800s. To the best of my knowledge the problem (removal of existing 'ntp source' config line) was created by 24T2. I never encountered it prior to that on any of my routers, including those running 24T and 24T1. I also experienced the problem on a 7206 (G1). Clearly this isn't isolated to just 3800s. I haven't had a chance to test it on anything else but I fully expect to see the same results on all routers I test it on. I have no reason to expect otherwise.
>
> Anyway, the problem is known. I'll give it a few days and push on it if nothing happens. To recreate the problem I imagine one would just need to have a basic NTP config with the ntp source interface defined as a virtual interface (the bug said it depended on that) so use an SVI or loopback. Then upgrade to 24T2. I suspect one would need to upgrade from 24T first and then upgrade to 24T2. I suspect the problem is in the parser when IOS first loads the config from the older release. I'd bet money that the startup-config was intact when I booted and that only the running-config was altered after that first boot.
I did some testing in the lab tonight. This problem is certainly not limited to 3845s. I can recreate this problem on every single IOS device I tried that can run 12.4T without fail. I recreated the problem on an 871W, 881, 2811, 2821, and 2 3845s.

The problem appears to happen when the device is running a 24T release prior to 24T2 (i.e., only 24T or 24T1) and upgrades to 24T2. I tried upgrading from 22T to 24T2 and the problem did not appear. For grins I fixed a 24T2 config and then downgraded to 24T and 22T on the 2 3845s. The problem didn't show up. I also did the same thing with the 3845s running 24T to 22T so that the NTP config would be in the weird location right above the interface config prior to the downgrade. THE PROBLEM CAME BACK. I think that confirms my theory that the NTP config being moved ahead of the interface config is what's causing this problem. When the parser on an IOS version that doesn't place the NTP config ahead of the interface config reads the NTP config, the virtual interfaces haven't yet been created. Thus it rejects that config line. That's my theory and tonight's testing seems to support it. Who knows for sure. I'll let Cisco figure it out.

At boot the 'ntp source' command is stripped out every time. During the boot sequence right before the "Press RETURN to get started" line this error is printed:

ntp source Loopback0
                   ^
% Invalid input detected at '^' marker.

Note how it points specifically to the number in the interface name. That makes me wonder if the regex in the boot parser was screwed up to expect a space between the interface type and number. It's a thought.

I've run out of routers to test this on that can run 12.4(24)T2. I might be able to try it on a 7201 and 7206 later this week but I fully expect the same results. It's a parser bug that needs to be squashed, though it may not manifest again if the DEs don't ever arbitrarily move the NTP config around in the running-config. I'm convinced that it's the cause or certainly part of the problem.

Justin

From justin at justinshore.com Tue Nov 24 22:53:44 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 24 Nov 2009 21:53:44 -0600
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net>
Message-ID: <4B0CAA48.5000102@justinshore.com>

Jeff Bacon wrote:
> Will the SFPs from the ONS systems work in a cat6500? There's a plethora of ONS-SC-2G SFPs out there, but not so many DWDM-SFP-xxxx modules. I'm guessing that the disparity in supply means they don't work, but would like some confirmation.
>
> (Have a temporary need to run a gig over a DWDM wave, looking for the cheap way out.)

I've been told no but it's worth trying. You might be able to use the unsupported-transceiver option too.

I REALLY wish all Cisco BUs would pick a set of optics and make them universal across ALL Cisco product lines. This crap of some products supporting only GLC- or some only supporting SFP- or some only supporting ONS- optics is a damn joke. Yes I know that ONSs use optics with DOM support but now so do most other things too. Create an internal standards group, define what's needed, create 1 set of optics and make all BUs use those optics!

Justin

From dominic at broadconnect.ca Tue Nov 24 23:18:02 2009
From: dominic at broadconnect.ca (Lin)
Date: Tue, 24 Nov 2009 23:18:02 -0500
Subject: [c-nsp] Nat Issues With cisco Routers
Message-ID: <004001ca6d86$473a9fb0$6702a8c0@dominic>

Hi Everyone,

I am using a Cisco 1841 router, and behind the router are Polycom IP phones with private IPs. When NAT is enabled, most of the phones register just fine. However, a few fail to register. The SBC on the Telco end responds with a "482 Loop Detected".
It appears the Cisco router is sending the SIP registration request with the public_ip:port that has already been registered with the SBC! Apparently the same port, on the same public IP, is being mapped to more than one device on the local network. How the hell is this possible? Anybody ever encountered this before?

I tried to do a "no ip nat service sip tcp port 5060" command. This removes the "482 Loop Detected" error and allows the client IP phone to register. However, outgoing calls fail, because the SBC on the other end responds with a "403" error. Apparently, the header being submitted is not acceptable.

Anybody come across this before?

Lin

From jared at puck.nether.net Wed Nov 25 00:34:26 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 25 Nov 2009 00:34:26 -0500
Subject: [c-nsp] New feature, can't find it documented - NTP using DNS
In-Reply-To: <4B0CA951.10409@justinshore.com>
References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> <6E4D2678AC543844917CA081C9D6B33FB8F13D@XMB-AMS-103.cisco.com> <4B0AEE45.90809@justinshore.com> <4B0B564F.1010100@justinshore.com> <4B0CA951.10409@justinshore.com>
Message-ID: <1D8FD423-2973-4C16-A41E-E4FF810E1B03@puck.nether.net>

There is also the issue of the fact that the parser has a startup mode vs a running mode that may contribute to the error seen. Another case where this random experience has hurt operators.

Jared Mauch

On Nov 24, 2009, at 10:49 PM, Justin Shore wrote:

>> I talked with TAC about the problem. It took a while to get the engineer to understand the problem but I think we got there. If not I will requeue. He pointed me to a known bug: CSCsx21595. He kept saying that this problem was fixed in 24T2 and only affected 3800s. To the best of my knowledge the problem (removal of existing 'ntp source' config line) was created by 24T2. I never encountered it prior to that on any of my routers, including those running 24T and 24T1. I also experienced the problem on a 7206 (G1). Clearly this isn't isolated to just 3800s. I haven't had a chance to test it on anything else but I fully expect to see the same results on all routers I test it on. I have no reason to expect otherwise.
>> Anyway, the problem is known. I'll give it a few days and push on it if nothing happens. To recreate the problem I imagine one would just need to have a basic NTP config with the ntp source interface defined as a virtual interface (the bug said it depended on that) so use an SVI or loopback. Then upgrade to 24T2. I suspect one would need to upgrade from 24T first and then upgrade to 24T2. I suspect the problem is in the parser when IOS first loads the config from the older release. I'd bet money that the startup-config was intact when I booted and that only the running-config was altered after that first boot.
>
> I did some testing in the lab tonight. This problem is certainly not limited to 3845s. I can recreate this problem on every single IOS device I tried that can run 12.4T without fail. I recreated the problem on an 871W, 881, 2811, 2821, and 2 3845s.
>
> The problem appears to happen when the device is running a 24T release prior to 24T2 (i.e., only 24T or 24T1) and upgrades to 24T2. I tried upgrading from 22T to 24T2 and the problem did not appear. For grins I fixed a 24T2 config and then downgraded to 24T and 22T on the 2 3845s. The problem didn't show up. I also did the same thing with the 3845s running 24T to 22T so that the NTP config would be in the weird location right above the interface config prior to the downgrade. THE PROBLEM CAME BACK. I think that confirms my theory that the NTP config being moved ahead of the interface config is what's causing this problem. When the parser on an IOS version that doesn't place the NTP config ahead of the interface config reads the NTP config, the virtual interfaces haven't yet been created.
> Thus it rejects that config line. That's my theory and tonight's testing seems to support it. Who knows for sure. I'll let Cisco figure it out.
>
> At boot the 'ntp source' command is stripped out every time. During the boot sequence right before the "Press RETURN to get started" line this error is printed:
>
> ntp source Loopback0
>                    ^
> % Invalid input detected at '^' marker.
>
> Note how it points specifically to the number in the interface name. That makes me wonder if the regex in the boot parser was screwed up to expect a space between the interface type and number. It's a thought.
>
> I've run out of routers to test this on that can run 12.4(24)T2. I might be able to try it on a 7201 and 7206 later this week but I fully expect the same results. It's a parser bug that needs to be squashed, though it may not manifest again if the DEs don't ever arbitrarily move the NTP config around in the running-config. I'm convinced that it's the cause or certainly part of the problem.
>
> Justin
>

From gert at greenie.muc.de Wed Nov 25 02:39:09 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 25 Nov 2009 08:39:09 +0100
Subject: [c-nsp] New feature, can't find it documented - NTP using DNS
In-Reply-To: <4B0CA951.10409@justinshore.com>
References: <290EF89F13F04F4E924BB235A46D18F1043B673C4B@MLBMXUS2.cs.myharris.net> <6E4D2678AC543844917CA081C9D6B33FB8F13D@XMB-AMS-103.cisco.com> <4B0AEE45.90809@justinshore.com> <4B0B564F.1010100@justinshore.com> <4B0CA951.10409@justinshore.com>
Message-ID: <20091125073909.GP163@greenie.muc.de>

Hi,

On Tue, Nov 24, 2009 at 09:49:37PM -0600, Justin Shore wrote:
> At boot the 'ntp source' command is stripped out every time. During the boot sequence right before the "Press RETURN to get started" line this error is printed:
>
> ntp source Loopback0
>                    ^
> % Invalid input detected at '^' marker.
>
> Note how it points specifically to the number in the interface name.

Well, "Loopback" is fine, but there is no Loopback *0* yet. So it makes sense to complain about the 0... (Well, there is no Loopback at all, at this point, but the parser might not be *that* smart).

[..]
> I've run out of routers to test this on that can run 12.4(24)T2. I might be able to try it on a 7201 and 7206 later this week but I fully expect the same results. It's a parser bug that needs to be squashed, though it may not manifest again if the DEs don't ever arbitrarily move the NTP config around in the running-config. I'm convinced that it's the cause or certainly part of the problem.

I don't think it's a parser bug - it's a confgen bug. The NTP config being stored before the interface config will inevitably result in exactly the problem you have seen: you can't reference "lo0" because it does not exist yet.

(Stupid enough that such things are done carelessly, but I can't see ANY justification for doing this in between T sub-releases. T1->T2 should only ever get bug fixes, not gratuitous code changes "just because we can").

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de
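Justin's lab results earlier in the thread and Gert's confgen explanation above both come down to config ordering: a line that references Loopback0 is emitted before the stanza that creates it. The following is an added example, not code from the thread, that flags such forward references in an IOS-style config and diffs a pre- and post-upgrade config the way a RANCID notice would; the hostname, addresses and config lines in it are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Interface types that only exist once their "interface ..." stanza has been
# parsed.  Physical ports exist at boot regardless of where the config
# mentions them, which is why the bug in the thread depends on a virtual
# interface (SVI, loopback).
VIRTUAL_TYPES = ("Loopback", "Vlan", "Tunnel", "Port-channel")

# One interface reference, written either as "Loopback0" or "Loopback 0".
# Both spellings are accepted and normalised, so the check does not hinge on
# the optional space the thread wonders about.
IFACE_RE = re.compile(
    r"\b(Loopback|Vlan|Tunnel|Port-channel|TenGigabitEthernet|GigabitEthernet|"
    r"FastEthernet|Ethernet|Serial)\s?(\d[\d/.:]*)\b"
)


def _lines(config: str) -> List[Tuple[int, str]]:
    """Numbered, stripped config lines with blanks and '!' separators removed."""
    out = []
    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("!"):
            out.append((no, line))
    return out


def forward_virtual_refs(config: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, line, interface) for every reference to a virtual
    interface that precedes the stanza creating it.  A boot-time parser that
    reads the startup-config top-down cannot resolve such a reference, which
    is the condition under which 'ntp source Loopback0' gets dropped."""
    defined: Set[str] = set()
    problems: List[Tuple[int, str, str]] = []
    for no, line in _lines(config):
        ref = IFACE_RE.search(line)
        if line.startswith("interface ") and ref:
            # "interface Loopback0" creates the interface from here on.
            defined.add(ref.group(1) + ref.group(2))
            continue
        for m in IFACE_RE.finditer(line):
            name = m.group(1) + m.group(2)
            if m.group(1) in VIRTUAL_TYPES and name not in defined:
                problems.append((no, line, name))
    return problems


def config_diff(before: str, after: str) -> Dict[str, List[str]]:
    """Order-insensitive line diff of two configs: the before/after comparison
    a RANCID mail gives you across an upgrade."""
    b = {line for _, line in _lines(before)}
    a = {line for _, line in _lines(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b)}


# Constructed startup-config in the ordering the thread describes: the NTP
# lines are emitted above the interface stanzas (not a real device's config).
CONFIG_BEFORE_UPGRADE = """\
hostname lab-3845
!
ntp server 192.0.2.10
ntp source Loopback0
snmp-server trap-source GigabitEthernet0/0
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
logging source-interface Loopback0
"""

# Constructed running-config after the first boot on the new release: the one
# line the boot parser rejected is gone, everything else is intact.
CONFIG_AFTER_UPGRADE = CONFIG_BEFORE_UPGRADE.replace("ntp source Loopback0\n", "")

# Constructed config with the NTP lines after the interface stanzas, the
# ordering that parses cleanly top-down.
CONFIG_FIXED = """\
hostname lab-3845
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
ntp server 192.0.2.10
ntp source Loopback0
logging source-interface Loopback0
"""


if __name__ == "__main__":
    for no, line, iface in forward_virtual_refs(CONFIG_BEFORE_UPGRADE):
        print(f"line {no}: '{line}' references {iface} before it is defined")
    print(config_diff(CONFIG_BEFORE_UPGRADE, CONFIG_AFTER_UPGRADE))
```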
From gert at greenie.muc.de Wed Nov 25 02:42:23 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 25 Nov 2009 08:42:23 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <200911240858.32505.mtinka@globaltransit.net>
References: <200911240858.32505.mtinka@globaltransit.net>
Message-ID: <20091125074223.GQ163@greenie.muc.de>

Hi,

On Tue, Nov 24, 2009 at 08:58:27AM +0800, Mark Tinka wrote:
> Hopefully, the next EARL will resolve these issues, but who knows what other limitations it may have, when they may be resolved, or if support will come both to the 6500 and 7600, or just one of these?

We might see a "Cisco 8200" appear, which is the same as 6500 and 7600, but with a different EEPROM and yet another chassis colour. Supported by a new BU, and all the new and fancy supervisor boards will only support the 8200 (and the 6500, but only if you upgrade the fan module to a FAN-5 and install 15000W PSUs).

Another round of fun begins. Yes, this is going to be interesting.

gert

From andy at nosignal.org Wed Nov 25 04:28:18 2009
From: andy at nosignal.org (Andy Davidson)
Date: Wed, 25 Nov 2009 09:28:18 +0000
Subject: [c-nsp] (BGP identifier wrong) error on majority of ebgp peers
In-Reply-To: <4B076AF3.2030908@nosignal.org>
References: <4B076AF3.2030908@nosignal.org>
Message-ID: <4B0CF8B2.5050102@nosignal.org>

Andy Davidson wrote:
> Seemingly without a config change, there are some sessions which refuse to establish, because of a bgp notification :
> %BGP-3-NOTIFICATION: received from neighbor XXX 2/3 (BGP identifier wrong) 4 bytes XXX
> The router-id has not been changed - it was using the address from Loopback 0. The router-id *is* unique, and the remote side of the peering is using a different address.

Seems this could be a bug affecting the routers of our peers - when we rebuilt the session config our side, the same behaviour was observed, but when the remote party deletes and recreates the config facing us, the session is allowed to establish.

Andy

From eng_mssk at hotmail.com Wed Nov 25 04:35:51 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 25 Nov 2009 11:35:51 +0200
Subject: [c-nsp] Metro Ethernet Switches
In-Reply-To: <4B0C6815.1050001@justinshore.com>
References: <6069A203FD01884885C037F81DD75080173D6D861D@wsc-mail-01.intra.nwresd.k12.or.us>, <4B0C6815.1050001@justinshore.com>
Message-ID: 

Hi Justin, thanks for the reply. Actually I figured out what the issue was: it was due to entering 0 (unencrypted) or 7 (encrypted):

> Date: Tue, 24 Nov 2009 17:11:17 -0600
> From: justin at justinshore.com
> To: BBlackford at nwresd.k12.or.us
> CC: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Metro Ethernet Switches
>
> Bill Blackford wrote:
> > I recall having some of my aaa config options slightly changing syntax after upgrading.
> Sounds like you've verified this, but it may be worth double-checking.
>
> I highly recommend using a tool like RANCID to keep an eye on config changes, especially during upgrades. I didn't bother to check the RANCID diff when I did an upgrade over the weekend and discovered a problem yesterday (see NTP thread from yesterday). Had I stayed up and reviewed the email notice I would have found the problem much sooner. At the very least get a copy of Kiwi CatTools and run it before and after an upgrade. It's a good sanity check.
>
> Justin
>

From nick at inex.ie Wed Nov 25 05:07:59 2009
From: nick at inex.ie (Nick Hilliard)
Date: Wed, 25 Nov 2009 10:07:59 +0000
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <4B0CAA48.5000102@justinshore.com>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com>
Message-ID: <4B0D01FF.9040405@inex.ie>

On 25/11/2009 03:53, Justin Shore wrote:
>
> I REALLY wish all Cisco BUs would pick a set of optics and make them universal across ALL Cisco product lines. This crap of some products supporting only GLC- or some only supporting SFP- or some only supporting ONS- optics is a damn joke. Yes I know that ONSs use optics with DOM support but now so do most other things too. Create an internal standards group, define what's needed, create 1 set of optics and make all BUs use those optics!
>

+1

Nick

From pavel.skovajsa at gmail.com Wed Nov 25 05:09:12 2009
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 25 Nov 2009 11:09:12 +0100
Subject: [c-nsp] Secondary VLAN deployment on Metro ETTH
In-Reply-To: <323aca890911230647h72845a2j96f7c735f5def600@mail.gmail.com>
References: <323aca890911230647h72845a2j96f7c735f5def600@mail.gmail.com>
Message-ID: <323aca890911250209w4d7c1f11hd7ce7c0a04a9c884@mail.gmail.com>

Hello,

Probably I do not have luck finding the proper audience for the questions below; whatever the case, I have begun to test the Private VLAN deployment, and ran into a strange packet drop issue.

The test topology is simple: C7606 Gi1/22 -----fiber-----> Gi0/1 ME3400-24TS-A -> Fa0/3 client PC

The PVLAN is simple enough to post.

7606 running 12.2(33)SRC4:

vlan 14
 name test
 private-vlan primary
 private-vlan association 140
vlan 140
 name test_secondary
 private-vlan isolated

interface Vlan14
 description test
 ip vrf forwarding ext
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 private-vlan mapping 140

interface GigabitEthernet1/22
 description To_testing_ME3400-24-TS
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-61,63-4094
 switchport mode trunk
 switchport nonegotiate
 logging event link-status
 load-interval 30
 no snmp trap link-status

ME3400-24-TS-A running 12.2(52)SE:

vlan 14
 name test
 private-vlan primary
 private-vlan association 140
vlan 140
 name test_secondary
 private-vlan isolated

interface GigabitEthernet0/1
 port-type nni
 switchport mode trunk
 ip dhcp snooping trust

interface FastEthernet0/3
 description test_secondary_vlan
 switchport private-vlan host-association 14 140
 switchport mode private-vlan host
 load-interval 30
 storm-control broadcast level pps 30
 storm-control multicast level pps 30
 ip dhcp snooping limit rate 100

Before the PVLAN is configured I have nice connectivity from the 7606 to the client PC:

7606#ping vrf ext 1.1.1.2 repeat 1000 size 1400
Type escape sequence to abort.
Sending 1000, 1400-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/12 ms

However the moment I configure PVLAN (see above) I get this:

7606#ping vrf ext 1.1.1.2 repeat 1000 size 1400
Type escape sequence to abort.
Sending 1000, 1400-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!
!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!
!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!
!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!
!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!
!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!
!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!
!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!
!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!
!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!
.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.
!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!
!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!
!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!
!!!!!!!!!!!.!!!!!!!!
Success rate is 92 percent (926/1000), round-trip min/avg/max = 1/2/28 ms

Which is a very interesting output (besides nice ASCII art) because the packet drop is regular - 12 pings work, the 13th does not, 12 pings work, the 13th does not... Thinking about it now, maybe it has something to do with the number 13 :)

-pavel skovajsa

On Mon, Nov 23, 2009 at 3:47 PM, Pavel Skovajsa wrote:
> Hi all,
>
> I am planning to implement the Secondary VLANs feature on a Metro ETTH based on ME3400+76k. I have read various docs about it; the best I found is at http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/
>
> I have a couple of questions/scenarios I want to double-check with you:
> 1. Anybody using VTPv3 to disseminate the PVLAN info?
> 2. What if there are 3rd party switches in the environment placed randomly between the ME3400?
>
> Here is my train of thought:
> - From the explanations in the various docs I understood that the MAC address table for *downstream traffic* is stored in the primary VLAN table
> - The reverse upstream traffic is stored in the secondary VLAN MAC table
> -> hence it follows (not written anywhere) that in order to properly switch the traffic and not flood it, the PVLAN implementation must do lookups in a JOINED primary+secondary MAC address table.
>
> Now the problem might lie in having 3rd party switches placed *between* ME3400 - they have no idea about the PVLANs hence forward it according to their VLAN tables -> which are NOT joined -> hence the traffic is flooded on them.
>
> -pavel skovajsa
>

From lists at hojmark.org Wed Nov 25 05:43:54 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 25 Nov 2009 11:43:54 +0100
Subject: [c-nsp] Secondary VLAN deployment on Metro ETTH
In-Reply-To: <323aca890911250209w4d7c1f11hd7ce7c0a04a9c884@mail.gmail.com>
References: <323aca890911230647h72845a2j96f7c735f5def600@mail.gmail.com> <323aca890911250209w4d7c1f11hd7ce7c0a04a9c884@mail.gmail.com>
Message-ID: 

On Wed, 25 Nov 2009 11:09:12 +0100, you wrote:

> Probably I do not have luck finding the proper audience for the questions below; whatever the case, I have begun to test the Private VLAN deployment, and ran into a strange packet drop issue.
>
> The test topology is simple: C7606 Gi1/22 -----fiber-----> Gi0/1 ME3400-24TS-A -> Fa0/3 client PC

Why do you want to run PVLAN on the 3400? UNI ports already can't talk to each other.

-A

From ex_art at mail.ru Wed Nov 25 06:09:41 2009
From: ex_art at mail.ru (Teslenko)
Date: Wed, 25 Nov 2009 13:09:41 +0200
Subject: [c-nsp] Problem with dscp packets marking on 76th platform.
Message-ID: <4B0D1075.50601@mail.ru>

Hello All,

We are trying to introduce QoS in our IP/MPLS backbone network, built on 7600-series routers. All 76s are P or PE devices and should accept MPLS or IP traffic from outside. On PE devices we mark packets and we want the DSCP to be carried transparently within the MPLS domain. But we have a problem. We use IOS v12.2(33)SRC1 now. Testing was done on a CISCO7609-S with line card WS-X6708-10GE.

==================================
The test #1
==================================

P device CISCO7609-S, ingress port on line card WS-X6708-10GE, egress port on line card WS-X6724-SFP. Device PE2 is the last in the chain, PHP option enabled by default.

The scheme of traffic's movement looks as follows:

CE--> SW-1> (ingress) PE1 (egress)--> P--> (ingress) PE2

1.1 Interfaces of the P device are configured as follows:

interface TenGigabitEthernet (WS-X6708-10GE)
 dampening
 mtu 4470
 ip address yy.yy.yy.yy 255.255.255.252
 carrier-delay msec 0
 mpls traffic-eng tunnels
 mpls ip
 hold-queue 1000 in
 ip rsvp bandwidth
end
!
interface GigabitEthernet (WS-X6724-SFP)
 dampening
 mtu 4470
 ip address xx.xx.xx.xx 255.255.255.252
 carrier-delay msec 0
 mpls traffic-eng tunnels
 mpls ip
 hold-queue 1000 in
 ip rsvp bandwidth
end

1.2. Marking of traffic occurs on the ingress interface of PE1:

>>
>> policy-map test-in-dscp-set
>>  class class-default
>>   set dscp 39

2.3. Stock-taking of DSCP labels occurs on the ingress interface of PE2.

>> ------------------------------------------------- listing-------------------
>> ping from CE
>> Type escape sequence to abort.
>> Sending 100, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 seconds:
>> Packet sent with a source address of 10.10.10.1
>> !!!!!
>> Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/9 ms
>>
>> PE2#sh policy-map interf Gi0/1.662 in class match-test-dscp
>>  GigabitEthernet0/1.662
>>
>>   Service-policy input: Customer-test-In
>>
>>     Class-map: match-test-dscp (match-any)
>>       0 packets, 0 bytes
>>       30 second offered rate 0 bps
>>       Match: ip dscp 39
>>         0 packets, 0 bytes
>>         30 second rate 0 bps
>>----------------- end of listing----------------------------------------

As appears from the example, marking does not occur.

1.4 MPLS trace looks as follows:

PE1#trace mpls ipv4 213.xxx.xxx.4 255.255.255.255
Tracing MPLS Label Switched Path to 213.xxx.xxx.4/32, timeout is 2 seconds
Type escape sequence to abort.
  0 213.xxx.xxx.202 MRU 4470 [Labels: 50 Exp: 0]
L 1 213.xxx.xxx.201 MRU 4474 [Labels: implicit-null Exp: 0] 169 ms
!
2 213.xxx.xxx.18 4 ms
PE1 encapsulates an MPLS header onto the packet with label value = 50 and field Exp=0.
==================================
The test #2
==================================
The scheme of traffic movement looks as follows:
CE--> SW-1> (ingress) PE1 (egress) --->(ingress)PE2
2.1 Device PE2 is the last in the chain; it has the PHP option enabled by default.
MPLS trace looks as follows:
PE1#trace mpls ipv4 213.xxx.xxx.4 255.255.255.255
Tracing MPLS Label Switched Path to 213.xxx.xxx.4/32, timeout is 2 seconds
Type escape sequence to abort.
0 213.xxx.xxx.19 MRU 4470 [Labels: implicit-null Exp: 0]
! 1 213.xxx.xxx.18 4 ms
PE1 does not encapsulate an MPLS header onto the packet.
Result:
>> PE2#sh policy-map interf Gi0/1.662 in class match-test-dscp
>> GigabitEthernet0/1.662
>>
>> Service-policy input: Customer-test-In
>>
>> Class-map: match-test-dscp (match-any)
>> 100 packets, 0 bytes
>> 30 second offered rate 0 bps
>> Match: ip dscp 39
>> 100 packets, 0 bytes
>> 30 second rate 0 bps
So the DSCP label arrives on PE2.
2.2 Device PE2 is the last in the chain, with the PHP option switched off:
PE2 (config) # mpls ldp explicit-null
PE2 (config) #
So PE1 encapsulates an MPLS header onto the packet, and as a result the packets again arrive without the DSCP label.
Result.
When an MPLS label was encapsulated into the header, the DSCP label was cleared as a result.
Does anybody know a solution for this problem?
From pavel.skovajsa at gmail.com Wed Nov 25 06:17:09 2009 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Wed, 25 Nov 2009 12:17:09 +0100 Subject: [c-nsp] Secondary VLAN deployment on Metro ETTH In-Reply-To: References: <323aca890911230647h72845a2j96f7c735f5def600@mail.gmail.com> <323aca890911250209w4d7c1f11hd7ce7c0a04a9c884@mail.gmail.com> Message-ID: <323aca890911250317w6ed3a1d9t8932de9129d065fe@mail.gmail.com>
Hi, yes that is right, UNI ports can't talk to each other, but only within one ME3400 switch.
If you have more switches and want exactly the same "switchport protected" functionality on all of them, one solution is to implement PVLANs. See http://www.rfc-editor.org/internet-drafts/draft-sanjib-private-vlan-10.txt for example. In my opinion this is a nice feature, but its implementation details are too hidden from the engineer (similar as CBWFQ for example), so you can only "trust" that it works and don't have too much options for troubleshooting. We are forced to separate the end customers on our Metro ISP network due to an incident where one customer decided it is a good idea to start flooding nonsense into our L2 segment. PVLAN sounded like a nice solution, but given to issues below I am open to suggestions how to separatate customer on L2. -pavel On Wed, Nov 25, 2009 at 11:43 AM, Asbjorn Hojmark - Lists wrote: > On Wed, 25 Nov 2009 11:09:12 +0100, you wrote: > > > Probably I do not have luck for proper audience for the questions below, > > whatever the case I have began to test the Private VLAN deployment, and > ran > > into strange packet drop issue. > > > > The test topology is simple: C7606 Gi1/22 -----fiber-----> Gi0/1 > > ME3400-24TS-A -> Fa0/3 client PC > > Why do you want to run PVLAN on the 3400? UNI ports already can't talk > to each other. > > -A > From amsoares at netcabo.pt Wed Nov 25 06:22:34 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Wed, 25 Nov 2009 11:22:34 -0000 Subject: [c-nsp] FABRIC-3-ERR_HANDLE In-Reply-To: References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <480dad640911171102g15d06b51u2b3132b34d34ef76@mail.gmail.com> Message-ID: <967E202DE1EF41FA824D4EAAE621CE5E@int.convex.pt> Just to let you know that the problem is resolved after the CSC0 replacement. Thanks. 
Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt _____ From: Eninja [mailto:eninja at gmail.com] Sent: quarta-feira, 18 de Novembro de 2009 7:40 To: Aaron Cc: Antonio Soares; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] FABRIC-3-ERR_HANDLE 'Exec-on' commands are sent via IPC over the switch fabric and 'attach' sessions go over the mbus. Eninja On Nov 17, 2009, at 8:02 PM, Aaron wrote: So, what is the difference in output from doing exec-on vs attach? You are still connecting via the same method. On Mon, Nov 16, 2009 at 14:07, e ninja < eninja at gmail.com> wrote: Antonio, You should *never* troubleshoot fabric errors with *any* exec-on commands. They run over the fabric that may or may not be compromised. 1. Are any other LCs apart from slot 6 reporting CRC errors? 2. grab two "sh contr fia" from the RP and an attach to all the LCs and send over. Eninja On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares < amsoares at netcabo.pt> wrote: > Hello group, > > I have a 12k reporting this: > > %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6 > > In one week, i have 4 of these messages. > > Slot 6 is a SIP-601 containing 2 x SPA-10G. > > What could be the problem ? > > The "show controllers fia" do not show any problem. > > The "execute-on slot 6 show controllers fia" show this: > > Switch cards present: 0x1F > Switch cards monitored: 0x1F > 0 1 2 3 4 > -------- -------- -------- -------- -------- > los 0 0 0 0 0 > state Off Off Off Off Off > crc16 53989 0 0 0 0 > xor error0 0 0 0 > cell drops1020 1020 1020 1020 > > > IOS=c12kprp-p-mz.120-32.SY6.bin > > > Thanks. 
> > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From pavel.skovajsa at gmail.com Wed Nov 25 06:25:42 2009 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Wed, 25 Nov 2009 12:25:42 +0100 Subject: [c-nsp] is a DWDM SFP a DWDM SFP? In-Reply-To: <4B0D01FF.9040405@inex.ie> References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D01FF.9040405@inex.ie> Message-ID: <323aca890911250325t5d1ae7h16878a1603c2d027@mail.gmail.com> +1 - there is a part of Cisco called "Transceiver Module Group" that should take care of this. Also there is great matrix for which module goes where on: http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.pdf -pavel skovajsa On Wed, Nov 25, 2009 at 11:07 AM, Nick Hilliard wrote: > On 25/11/2009 03:53, Justin Shore wrote: > >> >> I REALLY wish all Cisco BUs would pick a set of optics and make them >> universal across ALL Cisco product lines. This crap of some products >> supporting only GLC- or some only support SFP- or some only supporting >> ONS- optics is a damn joke. Yes I know that ONSs use optics with DOM >> support but now so are most other things too. Create an internal >> standards group, define what's needed, create 1 set of optics and make >> all BUs use those optics! 
>> >> > > +1 > > Nick > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From amsoares at netcabo.pt Wed Nov 25 06:31:25 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Wed, 25 Nov 2009 11:31:25 -0000 Subject: [c-nsp] Runts in the network In-Reply-To: References: Message-ID: Any ideas how to troubleshoot this ? Thanks. Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares Sent: ter?a-feira, 24 de Novembro de 2009 11:46 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Runts in the network Hello Group, I have 7200's acting as PE's and running 12.4.23 that show an abnormal numbers of runts. The interfaces where this can be seen are E1 channel-groups configured for frame-relay. This is the typical configuration: ! frame-relay switching ! controller E1 x/y channel-group 0 timeslots 1-31 ! interface Serialx/y:0 encapsulation frame-relay frame-relay traffic-shaping frame-relay lmi-type ansi frame-relay ip rtp header-compression frame-relay intf-type dce ! interface Serialx/y:0.100 point-to-point ip vrf forwarding MY-VRF ip address x.x.x.x x.x.x.x ip rip advertise 10 frame-relay interface-dlci 100 class MY-CLASS frame-relay ip rtp header-compression ! The E1 is completely clean but the serial interface shows runts: ROUTER#sh int sx/y:0 Serialx/y:0 is up, line protocol is up (...) Received 0 broadcasts, 12 runts, 0 giants, 0 throttles 12 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort (...) ROUTER# This happens everywhere in the network and there are many 7200's. The PA is the PA-MC-8TE1+. What could be the source of the problem ? I know what a runt is but i would like to understand why i have it all over the network. Thanks. 
Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
From masood at nexlinx.net.pk Wed Nov 25 07:02:52 2009 From: masood at nexlinx.net.pk (masood at nexlinx.net.pk) Date: Wed, 25 Nov 2009 17:02:52 +0500 (PKT) Subject: [c-nsp] Runts in the network In-Reply-To: References: Message-ID: <50437.196.46.241.57.1259150572.squirrel@nexmail1.nexlinx.net.pk>
You know these are frames with a frame size between 8 and 63 bytes with a valid CRC and no alignment errors. If this is the case, you may or may not have a problem. Depending on the type of equipment, the vendor may be using nonstandard frames; these frames are interpreted as runts. However, runts may be caused by a malfunctioning interface. In ATM, cells have a 48-byte information field and a 5-byte header. This 53-byte cell falls within the definition of an undersize packet and may be counted as a runt. Find out what you have: "a bad ethernet card or atm" :)
Regards,
Masood
Blog: http://weblog.com.pk/jahil/
> > Any ideas how to troubleshoot this ? > > Thanks. > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares > Sent: Tuesday, 24 November 2009 11:46 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Runts in the network > > Hello Group, > > I have 7200's acting as PE's and running 12.4.23 that show an abnormal > numbers of runts. The interfaces where this can be seen are > E1 channel-groups configured for frame-relay. This is the typical > configuration: > > ! > frame-relay switching > ! > controller E1 x/y > channel-group 0 timeslots 1-31 > !
> interface Serialx/y:0 > encapsulation frame-relay > frame-relay traffic-shaping > frame-relay lmi-type ansi > frame-relay ip rtp header-compression > frame-relay intf-type dce > ! > interface Serialx/y:0.100 point-to-point > ip vrf forwarding MY-VRF > ip address x.x.x.x x.x.x.x > ip rip advertise 10 > frame-relay interface-dlci 100 > class MY-CLASS > frame-relay ip rtp header-compression > ! > > The E1 is completely clean but the serial interface shows runts: > > ROUTER#sh int sx/y:0 > Serialx/y:0 is up, line protocol is up > (...) > Received 0 broadcasts, 12 runts, 0 giants, 0 throttles > 12 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort > (...) > ROUTER# > > This happens everywhere in the network and there are many 7200's. The PA > is the PA-MC-8TE1+. > > What could be the source of the problem ? I know what a runt is but i > would like to understand why i have it all over the network. > > > > Thanks. > > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From amsoares at netcabo.pt Wed Nov 25 07:53:00 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Wed, 25 Nov 2009 12:53:00 -0000 Subject: [c-nsp] Runts in the network In-Reply-To: <50437.196.46.241.57.1259150572.squirrel@nexmail1.nexlinx.net.pk> References: <50437.196.46.241.57.1259150572.squirrel@nexmail1.nexlinx.net.pk> Message-ID: <733C5629C0BF4BEB8C553E0E871FB0C2@int.convex.pt> Thank you for your feedback. This is actually frame-relay. 
But your post made me think and I found this interesting statement:
"There is no commonly implemented minimum or maximum frame size for Frame Relay, although a network must support at least a 262-octet. Generally, each Frame Relay provider specifies an appropriate value for its network. Frame Relay DTE must allow the maximum acceptable frame size to be configurable. The minimum frame size allowed for Frame Relay is five octets between the opening and closing flags, assuming a two-octet Q.922 address field. This minimum increases to six octets for a three-octet Q.922 address and to seven octets for a four-octet Q.922 address format."
Source: http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=119
Does anyone know what the minimum frame size implemented by Cisco is (cisco and ietf encapsulations)?
Thanks.
Regards,
Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt
-----Original Message-----
From: masood at nexlinx.net.pk [mailto:masood at nexlinx.net.pk]
Sent: Wednesday, 25 November 2009 12:03
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Runts in the network
You know these are frames with a frame size between 8 and 63 bytes with a valid CRC and no alignment errors. If this is the case, you may or may not have a problem. Depending on the type of equipment, the vendor may be using nonstandard frames; these frames are interpreted as runts. However, runts may be caused by a malfunctioning interface. In ATM, cells have a 48-byte information field and a 5-byte header. This 53-byte cell falls within the definition of an undersize packet and may be counted as a runt. Find out what you have: "a bad ethernet card or atm" :)
Regards,
Masood
Blog: http://weblog.com.pk/jahil/
> > Any ideas how to troubleshoot this ? > > Thanks.
> > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares > Sent: ter?a-feira, 24 de Novembro de 2009 11:46 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Runts in the network > > Hello Group, > > I have 7200's acting as PE's and running 12.4.23 that show an abnormal > numbers of runts. The interfaces where this can be seen are > E1 channel-groups configured for frame-relay. This is the typical > configuration: > > ! > frame-relay switching > ! > controller E1 x/y > channel-group 0 timeslots 1-31 > ! > interface Serialx/y:0 > encapsulation frame-relay > frame-relay traffic-shaping > frame-relay lmi-type ansi > frame-relay ip rtp header-compression > frame-relay intf-type dce > ! > interface Serialx/y:0.100 point-to-point > ip vrf forwarding MY-VRF > ip address x.x.x.x x.x.x.x > ip rip advertise 10 > frame-relay interface-dlci 100 > class MY-CLASS > frame-relay ip rtp header-compression > ! > > The E1 is completely clean but the serial interface shows runts: > > ROUTER#sh int sx/y:0 > Serialx/y:0 is up, line protocol is up > (...) > Received 0 broadcasts, 12 runts, 0 giants, 0 throttles > 12 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort > (...) > ROUTER# > > This happens everywhere in the network and there are many 7200's. The PA > is the PA-MC-8TE1+. > > What could be the source of the problem ? I know what a runt is but i > would like to understand why i have it all over the network. > > > > Thanks. 
> > Regards, > > Antonio Soares, CCIE #18473 (R&S) > amsoares at netcabo.pt > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ketimun at gmail.com Wed Nov 25 08:49:41 2009 From: ketimun at gmail.com (selamat pagi) Date: Wed, 25 Nov 2009 14:49:41 +0100 Subject: [c-nsp] Problem with dscp packets marking on 76th platform. In-Reply-To: <4B0D1075.50601@mail.ru> References: <4B0D1075.50601@mail.ru> Message-ID: What's the config on the ingress interface of PE1 ? Do you use VPNs (vrf interface) ? Is TE active ? cheers, ketimun On Wed, Nov 25, 2009 at 12:09 PM, Teslenko wrote: > Hello All, > > We try to introduce Qos in ours IP/MPLS backbone network, > constructed on routers 7600th series > > All 76-s' are P or PE devices should accept from outside MPLS or IP > traffic. > On PE devices we mark packages and we want, that DSCP was transferred > transparently within MPLS domain. But we have problem. > > We use IOS v12.2 (33) SRC1 now. > > > Testing passed on CISCO7609-S with linear card WS-X6708-10GE > > > ================================== > The test #1 > ================================== > > P device CISCO7609-S ingress port on linear card WS-X6708-10GE, > egress port on linear card WS-X6724-SFP. 
> Device PE2 the last in a chain, PHP option enable by default > > The scheme of traffic's movement looks as follows > > CE--> SW-1> (ingress) PE1 (egress)--> P--> (ingress) PE2 > > 1.1 Interfaces of the P device are configured as follows > > interface TenGigabitEthernet (WS-X6708-10GE) > dampening > mtu 4470 > ip address yy.yy.yy.yy 255.255.255.252 > carrier-delay msec 0 > mpls traffic-eng tunnels > mpls ip > hold-queue 1000 in > ip rsvp bandwidth > end > ! > interface GigabitEthernet (WS-X6724-SFP) > dampening > mtu 4470 > ip address xx.xx.xx.xx 255.255.255.252 > carrier-delay msec 0 > mpls traffic-eng tunnels > mpls ip > hold-queue 1000 in > ip rsvp bandwidth > end > > > 1.2. Marking of traffic occur on ingress interface of PE1 > > >> > >> policy-map test-in-dscp-set > >> class class-default > >> set dscp 39 > > 2.3. Stock-taking dscp labels occur on ingress interface of PE2. > > >> > ------------------------------------------------- > listing------------------- > >> ping from CE > >> Type escape sequence to abort. > >> Sending 100, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 > seconds: > >> Packet sent with a source address of 10.10.10.1 > >> !!!!! > >> Success rate is 100 percent (100/100), round-trip min/avg/max = > 1/4/9 ms > >> > >> PE2#sh policy-map interf Gi0/1.662 in class match-test-dscp > >> GigabitEthernet0/1.662 > >> > >> Service-policy input: Customer-test-In > >> > >> Class-map: match-test-dscp (match-any) > >> 0 packets, 0 bytes > >> 30 second offered rate 0 bps > >> Match: ip dscp 39 > >> 0 packets, 0 bytes > >> 30 second rate 0 bps > >>----------------- end of listing---------------------------------------- > > As appears from an example marking do not occur > > > 1.4 MPLS trace looks as follows > > PE1#trace mpls ipv4 213.xxx.xxx.4 255.255.255.255 > Tracing MPLS Label Switched Path to 213.xxx.xxx.4/32, timeout is 2 seconds > Type escape sequence to abort. 
> 0 213.xxx.xxx.202 MRU 4470 [Labels: 50 Exp: 0] > L 1 213.xxx.xxx.201 MRU 4474 [Labels: implicit-null Exp: 0] 169 ms > ! 2 213.xxx.xxx.18 4 ms > > PE1 encapsulate MPLS header to a package with value of the label = 50 > and a field > Exp=0 > > ================================== > The test #2 > ================================== > > The scheme of traffic's movement looks as follows > > CE--> SW-1> (ingress) PE1 (egress) --->(ingress)PE2 > > 2.1 Device PE2 the last in the chain, it have PHP option enable by default > > MPLS trace looks as follows > PE1#trace mpls ipv4 213.xxx.xxx.4 255.255.255.255 > Tracing MPLS Label Switched Path to 213.xxx.xxx.4/32, timeout is 2 seconds > Type escape sequence to abort. > 0 213.xxx.xxx.19 MRU 4470 [Labels: implicit-null Exp: 0] > ! 1 213.xxx.xxx.18 4 ms > > PE1 don't encapsulate MPLS header to a package. > Result: > > >> PE2#sh policy-map interf Gi0/1.662 in class match-test-dscp > >> GigabitEthernet0/1.662 > >> > >> Service-policy input: Customer-test-In > >> > >> Class-map: match-test-dscp (match-any) > >> 100 packets, 0 bytes > >> 30 second offered rate 0 bps > >> Match: ip dscp 39 > >> 100 packets, 0 bytes > >> 30 second rate 0 bps > > So DSCP label comes on PE2 > > 2.2 Device PE2 the last in a chain, option PHP switched off > > PE2 (config) # mpls ldp explicit-null > PE2 (config) # > > So PE1 encapsulate MPLS header to a package, > And as result packages again comes without DSCP label. > > Result. > When MPLS label was encapsulated to header, as result DCSP label was > cleared. > > Does anybody know decision for this problem? > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mcgrath at fas.harvard.edu Wed Nov 25 08:41:56 2009 From: mcgrath at fas.harvard.edu (Scott McGrath) Date: Wed, 25 Nov 2009 08:41:56 -0500 Subject: [c-nsp] is a DWDM SFP a DWDM SFP? 
In-Reply-To: <4B0CAA48.5000102@justinshore.com> References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> Message-ID: <4B0D3424.30506@fas.harvard.edu> Or Cisco could do something RADICAL and actually support the industry standard optics model like they USED to for GBIC's Sure TAC would only support the Cisco optics which is fair, but being able to use any optic that is physically present is PRICELESS. And I can see customers whining about why TAC will not support the ACME SFP or X2 module. But I've had too many instances where a SFP has blown and the only local replacement was a Finisar or HP from another piece of gear and then needed to rush a change through change control so that I could add 'service unsupported-transceiver' to the config. - our shop is big on change control Otherwise what is the point of a standardized PHY - which ALL other vendors support, We might as well go back to the days of Cabletron MIM's and their ilk. - Scott Justin Shore wrote: > Jeff Bacon wrote: > >> Will the SFPs from the ONS systems work in a cat6500? There's a plethora >> of ONS-SC-2G SFPs out there, but not so many DWDM-SFP-xxxx modules. I'm >> guessing that the disparity in supply means they don't work, but would >> like some confirm. >> >> (Have a temporary need to run a gig over a DWDM wave, looking for the >> cheap way out.) >> > > I've been told no but it's worth trying. You might be able to use the > unsupported-transceiver option too. > > > I REALLY wish all Cisco BUs would pick a set of optics and make them > universal across ALL Cisco product lines. This crap of some products > supporting only GLC- or some only support SFP- or some only supporting > ONS- optics is a damn joke. Yes I know that ONSs use optics with DOM > support but now so are most other things too. Create an internal > standards group, define what's needed, create 1 set of optics and make > all BUs use those optics! 
> > > Justin > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From brett at looney.id.au Wed Nov 25 08:24:53 2009 From: brett at looney.id.au (Brett Looney) Date: Wed, 25 Nov 2009 21:24:53 +0800 Subject: [c-nsp] is a DWDM SFP a DWDM SFP? In-Reply-To: <323aca890911250325t5d1ae7h16878a1603c2d027@mail.gmail.com> References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D01FF.9040405@inex.ie> <323aca890911250325t5d1ae7h16878a1603c2d027@mail.gmail.com> Message-ID: <00c401ca6dd2$af27a090$0d76e1b0$@id.au> > Also there is great matrix for which module goes where on: > http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compa tibility/matrix/OL_6981.pdf While this is a good link, it doesn't tell the whole story for all platforms. For example, in the ME3750 the matrix says that the GLC-T will do 10/100/1000 but it won't (or at least it didn't) - not in all the ports - some SFP ports are gigabit only regardless of the module being tri-speed capable. You'll only find that information in the ME3750 documentation or by trial and error. Obviously, there may be other examples. Yes, we did get caught with this. Consequently, we don't completely trust documentation on the Cisco website. So +1 to Cisco for providing a matrix but -5 for not providing all the information. It's a pity that you need to read multiple sets of documentation to find a single piece of information. B. From julien.couturier at gmx.fr Wed Nov 25 09:03:55 2009 From: julien.couturier at gmx.fr (julien couturier) Date: Wed, 25 Nov 2009 15:03:55 +0100 Subject: [c-nsp] Re : Re: OT: VSS + MEC - port-channel dynamically cloned? 
Message-ID: <20091125141612.209060@gmx.com>
From julien.couturier at gmx.fr Wed Nov 25 10:10:59 2009 From: julien.couturier at gmx.fr (julien couturier) Date: Wed, 25 Nov 2009 16:10:59 +0100 Subject: [c-nsp] Re : OT: VSS + MEC - port-channel dynamically cloned? Message-ID: <20091125151259.209060@gmx.com>
From ex_art at mail.ru Wed Nov 25 10:51:47 2009 From: ex_art at mail.ru (Teslenko) Date: Wed, 25 Nov 2009 17:51:47 +0200 Subject: [c-nsp] Problem with dscp packets marking on 76th platform. In-Reply-To: References: <4B0D1075.50601@mail.ru> Message-ID: <4B0D5293.7090604@mail.ru>
selamat pagi wrote:
> What's the config on the ingress interface of PE1 ?
> Do you use VPNs (vrf interface) ?
> Is TE active ?
I have understood that this has misled you:
>>>> ping from CE
>>>> Type escape sequence to abort.
>>>> Sending 100, 100-byte ICMP Echos to 10.10.10.5, timeout is 2
>> seconds:
>>>> Packet sent with a source address of 10.10.10.1
Really, initially the traffic ran between two VRFs. The scheme of traffic movement looks as follows:
[SW-1]--1->(Te1.661)PE1(Te1.662)--2->[SW-1]--3->(Gi0/1)PE2
This test was necessary to understand "Does marking work in general?" Yes, it does.
Then the MPLS scheme was tested with a P router and without P.
First. With P router:
[SW-1]--> (Te1.661)PE1--(/30,MPLS/OSPF)--> P--(/30,MPLS/OSPF)--> PE2 -->(82.xx.xx.160/30)->CE
So we saw that marking does not occur.
When we use the scheme without router P, all works correctly:
[SW-1]--> (Te1.661)PE1--(/30,MPLS/OSPF)--> PE2 -->(82.xx.xx.160/30)->CE
But the problem is not in the P router. As stated in the previous letter, the problem occurs when an MPLS label is encapsulated into the header of the packets. This doesn't occur when P is not present in the scheme, because PE1 becomes the penultimate hop for PE2, so the MPLS label doesn't change, because PHP is enabled on PE2 by default.
Interface configuration between SW-1 and PE1 looks as follows:
==================================================
[SW-1]--1->(Te1.661)PE1
==================================================
------------------ listing -----------------------
1) SW-1:
interface Vlan661
 ip address 62.xxx.xx.20 255.255.255.240
end
ip route 82.xx.xx.161 255.255.255.255 62.xxx.xx.17
2) PE1:
interface Te1.661
 encapsulation dot1Q 661
 ip address 62.xxx.xx.17 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip mtu 1500
 service-policy input test-in-dscp-set
end
PE1#sh policy-map test-in-dscp-set
 Policy Map test-in-dscp-set
  Class test
   set ip dscp 39
  Class class-default
PE1#sh class-map test
 Class Map match-all test (id 25)
  Match access-group 100
PE1#sh run | i access-list 100
access-list 100 permit ip host 62.xxx.xx.20 host 82.xx.xx.161
access-list 100 deny ip any any
----------------- end of listing----------------
Interface configuration on PE2:
=================================================
PE2 -->(82.xx.xx.160/30)->CE
=================================================
------------------ listing -----------------------
interface Gi1.205
 encapsulation dot1Q 205
 ip address 82.xx.xx.162 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1500
 ip flow ingress
 no cdp enable
 service-policy output test-Out
end
PE2#sh policy-map test-Out
 Policy Map test-Out
  Class test
  Class class-default
PE2#sh class-map test
 Class Map match-all test (id 27)
  Match ip dscp 39
----------------- end of listing----------------
===============================================
Start Test
===============================================
------------------ listing -----------------------
SW-1#ping 82.xx.xx.161 source 62.xx.xx.20 repeat 10
PE1#sh policy-map interface Te1.661
TenGigabitEthernet1.661
 Service-policy input: test
  class-map: test (match-all)
   Match: access-group 100
   set dscp 39:
    Earl in slot 1 :
     1180 bytes
     30 second offered rate 280 bps
     aggregate-forwarded 1180 bytes
  Class-map: class-default (match-any) 0 packets, 0
bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
0 packets, 0 bytes
30 second rate 0 bps

PE2# sh policy-map interface Gi1.205 output class test
GigabitEthernet1.205
Service-policy output: test-Out
Class-map: test (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps
Match: ip dscp 39
----------------- end of listing----------------

> cheers, ketimun
>
> On Wed, Nov 25, 2009 at 12:09 PM, Teslenko wrote:
>
>> Hello All,
>>
>> We are trying to introduce QoS in our IP/MPLS backbone network,
>> built on 7600-series routers.
>>
>> All 76xx are P or PE devices and should accept MPLS or IP traffic
>> from outside.
>> On PE devices we mark packets and we want DSCP to be carried
>> transparently within the MPLS domain. But we have a problem.
>>
>> We use IOS 12.2(33)SRC1 now.
>>
>> Testing was done on a CISCO7609-S with line card WS-X6708-10GE.
>>
>> ==================================
>> Test #1
>> ==================================
>>
>> P device CISCO7609-S: ingress port on line card WS-X6708-10GE,
>> egress port on line card WS-X6724-SFP.
>> Device PE2 is the last in the chain, PHP enabled by default.
>>
>> The traffic path looks as follows:
>>
>> CE--> SW-1> (ingress) PE1 (egress)--> P--> (ingress) PE2
>>
>> 1.1 Interfaces of the P device are configured as follows
>>
>> interface TenGigabitEthernet (WS-X6708-10GE)
>>  dampening
>>  mtu 4470
>>  ip address yy.yy.yy.yy 255.255.255.252
>>  carrier-delay msec 0
>>  mpls traffic-eng tunnels
>>  mpls ip
>>  hold-queue 1000 in
>>  ip rsvp bandwidth
>> end
>> !
>> interface GigabitEthernet (WS-X6724-SFP)
>>  dampening
>>  mtu 4470
>>  ip address xx.xx.xx.xx 255.255.255.252
>>  carrier-delay msec 0
>>  mpls traffic-eng tunnels
>>  mpls ip
>>  hold-queue 1000 in
>>  ip rsvp bandwidth
>> end
>>
>> 1.2. Marking of traffic occurs on the ingress interface of PE1
>>
>>>> policy-map test-in-dscp-set
>>>>  class class-default
>>>>   set dscp 39
>>
>> 2.3. Counting of DSCP labels occurs on the ingress interface of PE2.
>>
>> ------------------------------------------------- listing-------------------
>>>> ping from CE
>>>> Type escape sequence to abort.
>>>> Sending 100, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 seconds:
>>>> Packet sent with a source address of 10.10.10.1
>>>> !!!!!
>>>> Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/9 ms
>>>> PE2#sh policy-map interf Gi0/1.662 in class match-test-dscp
>>>>  GigabitEthernet0/1.662
>>>>
>>>>   Service-policy input: Customer-test-In
>>>>
>>>>    Class-map: match-test-dscp (match-any)
>>>>      0 packets, 0 bytes
>>>>      30 second offered rate 0 bps
>>>>      Match: ip dscp 39
>>>>        0 packets, 0 bytes
>>>>        30 second rate 0 bps
>>>> ----------------- end of listing----------------------------------------
>> As appears from the example, marking does not occur.
>>
>> 1.4 MPLS trace looks as follows
>>
>> PE1#trace mpls ipv4 213.xxx.xxx.4 255.255.255.255
>> Tracing MPLS Label Switched Path to 213.xxx.xxx.4/32, timeout is 2 seconds
>> Type escape sequence to abort.
>>   0 213.xxx.xxx.202 MRU 4470 [Labels: 50 Exp: 0]
>> L 1 213.xxx.xxx.201 MRU 4474 [Labels: implicit-null Exp: 0] 169 ms
>> ! 2 213.xxx.xxx.18 4 ms
>>
>> PE1 adds an MPLS header to the packet with label value = 50 and
>> field Exp=0.
>>
>> ==================================
>> Test #2
>> ==================================
>>
>> The traffic path looks as follows:
>>
>> CE--> SW-1> (ingress) PE1 (egress) --->(ingress)PE2
>>
>> 2.1 Device PE2 is the last in the chain; it has PHP enabled by default.
>>
>> MPLS trace looks as follows
>> PE1#trace mpls ipv4 213.xxx.xxx.4 255.255.255.255
>> Tracing MPLS Label Switched Path to 213.xxx.xxx.4/32, timeout is 2 seconds
>> Type escape sequence to abort.
>>   0 213.xxx.xxx.19 MRU 4470 [Labels: implicit-null Exp: 0]
>> ! 1 213.xxx.xxx.18 4 ms
>>
>> PE1 does not add an MPLS header to the packet.
>> Result:
>>
>>>> PE2#sh policy-map interf Gi0/1.662 in class match-test-dscp
>>>>  GigabitEthernet0/1.662
>>>>
>>>>   Service-policy input: Customer-test-In
>>>>
>>>>    Class-map: match-test-dscp (match-any)
>>>>      100 packets, 0 bytes
>>>>      30 second offered rate 0 bps
>>>>      Match: ip dscp 39
>>>>        100 packets, 0 bytes
>>>>        30 second rate 0 bps
>> So the DSCP label arrives at PE2.
>>
>> 2.2 Device PE2 is the last in the chain, PHP switched off
>>
>> PE2(config)# mpls ldp explicit-null
>> PE2(config)#
>>
>> So PE1 adds an MPLS header to the packet,
>> and as a result packets again arrive without the DSCP label.
>>
>> Result.
>> When an MPLS label was added to the header, the DSCP label was
>> cleared as a result.
>>
>> Does anybody know a solution for this problem?
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

From justin at justinshore.com Wed Nov 25 10:53:39 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 25 Nov 2009 09:53:39 -0600
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <4B0D3424.30506@fas.harvard.edu>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu>
Message-ID: <4B0D5303.5010908@justinshore.com>

Scott McGrath wrote:
> Or Cisco could do something RADICAL and actually support the industry
> standard optics model like they USED to
> for GBIC's

I can understand their position on 3rd-party optics not meeting spec and
not inter-opting well.  I've seen that many times myself on 3rd-party
optics.
Sure there are standards but not everyone reads the standards in the same
way and there isn't a CableLabs-like standards body to certify
compatibility of optics that I know of.  Still Cisco could pick a major
vendor or two like Finisar or Champion and partner with them to produce
3rd-party optics that they'll allow in their chassis without the hack
workarounds.  Cisco doesn't make all the optics that I need.  I need
really long single strand optics and Cisco stops at 10k.  I need 20k,
40k, and 80k at a minimum.  I understand that those optics wouldn't be a
huge seller for Cisco but at the very least they could partner with
companies that make the optics that Cisco doesn't.  By not doing this SPs
are forced to cobble together workarounds using media converters or
budget optic transport gear.  Or pick another vendor that doesn't have a
problem with 3rd-party optics and/or makes optics in the lengths SPs need.

> Otherwise what is the point of a standardized PHY - which ALL other
> vendors support, We might as well
> go back to the days of Cabletron MIM's and their ilk.

Well, not all other vendors support 3rd-party optics.  Fujitsu doesn't.
During an RFP Tellabs told us that they don't.  I've been told that
Juniper is the same way.

Cabletron.  Now that brings back memories...from this past weekend trying
to clean out my garage.  Anyone want a good deal on some 2E42-27Rs? :-)

Justin

From BBlackford at nwresd.k12.or.us Wed Nov 25 11:20:34 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Wed, 25 Nov 2009 08:20:34 -0800
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <4B0D5303.5010908@justinshore.com>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu>,<4B0D5303.5010908@justinshore.com>
Message-ID: <6069A203FD01884885C037F81DD75080173D69596A@wsc-mail-01.intra.nwresd.k12.or.us>

I do not believe that Juniper keys their optics.  My experience with this
is limited though.  I am able to get third-party optics to work just fine
in EX switches.

bblackford at wsc-asw-02-1> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                BH0208188142      EX3200-24T
FPC 0            REV 07   750-021261   BH0208188142      EX3200-24T, 8 POE
  CPU                     BUILTIN      BUILTIN           FPC CPU
  PIC 0                   BUILTIN      BUILTIN           24x 10/100/1000 Base-T
  PIC 1          REV 04   711-021270   AR0209216364      4x GE SFP
    Xcvr 0                NON-JNPR     FFX20H700284      SFP-SX
Power Supply 0   REV 02   740-020957   AT0508119769      PS 320W AC
Fan Tray                                                 Fan Tray

As you can see it identifies the Xcvr as non-Juniper.

On the Cisco side, I have a Vertex 1310M GLC-LH-SM that is working fine
in a 3560G.

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

this message was composed using 100% recycled electrons

From Jonathan.Brashear at hq.speakeasy.net Wed Nov 25 11:33:44 2009
From: Jonathan.Brashear at hq.speakeasy.net (Jonathan Brashear)
Date: Wed, 25 Nov 2009 08:33:44 -0800
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <6069A203FD01884885C037F81DD75080173D69596A@wsc-mail-01.intra.nwresd.k12.or.us>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu>,<4B0D5303.5010908@justinshore.com> <6069A203FD01884885C037F81DD75080173D69596A@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <725755F5E728EE4086DAAF1A54DACF4F1A2F6D500F@sea5exbe1.speakeasy.hq>

As you've shown, Juniper devices will recognize 3rd party SFPs.  However,
about a year ago (if memory serves) they changed their T&C to not provide
(technical) support for non-Juniper SFPs.
If you have a problem with the card that the 3rd party SFP resides on,
chances are they're going to tell you to replace the SFP before anything
else.

Network Engineer, JNCIS-M
> 214-981-1954 (office)
> 214-642-4075 (cell)
> jbrashear at hq.speakeasy.net
http://www.speakeasy.net

From nicolasleiva at gmail.com Wed Nov 25 11:46:10 2009
From: nicolasleiva at gmail.com (Nicolás Leiva)
Date: Wed, 25 Nov 2009 13:46:10 -0300
Subject: [c-nsp] Problem with dscp packets marking on 76th platform.
In-Reply-To: <4B0D5293.7090604@mail.ru>
References: <4B0D1075.50601@mail.ru> <4B0D5293.7090604@mail.ru>
Message-ID: <13a807350911250846hbfe8be9madf08a7e1cf49d15@mail.gmail.com>

You might want to review
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/mplsqos.html#wp1509501 .

Nicolas

On Wed, Nov 25, 2009 at 12:51 PM, Teslenko wrote:
> selamat pagi wrote:
> > What's the config on the ingress interface of PE1 ?
> > Do you use VPNs (vrf interface) ?
> > Is TE active ?
> I have understood that it has misled you
>
> >>>> ping from CE
> >>>> Type escape sequence to abort.
> >>>> Sending 100, 100-byte ICMP Echos to 10.10.10.5, timeout is 2
> >> seconds:
> >>>> Packet sent with a source address of 10.10.10.1
>
> Actually, initially the traffic ran between two VRFs.
> The traffic path looks as follows:
>
> [SW-1]--1->(Te1.661)PE1(Te1.662)--2->[SW-1]--3->(Gi0/1)PE2
>
> This test was necessary to understand "Does marking work in general?"
>
> Yes, it does.
>
> Then the MPLS scheme was tested with a P router and without P.
>
> First.
> With P router
>
> [SW-1]--> (Te1.661)PE1--(/30,MPLS/OSPF)--> P--(/30,MPLS/OSPF)--> PE2
> -->(82.xx.xx.160/30)->CE
>
> So we saw marking does not occur.
> When we use the scheme without router P all works correctly:
>
> [SW-1]--> (Te1.661)PE1--(/30,MPLS/OSPF)--> PE2 -->(82.xx.xx.160/30)->CE
>
> But the problem is not in the P router.
> It was stated in the previous letter:
> the problem occurs when an MPLS label is added to the packet header.
> This doesn't occur when P is not present in the scheme,
> because PE1 becomes the penultimate hop for PE2.
> So the MPLS label doesn't change, because PHP is enabled on PE2 by default.
>
>
> Interface configuration between SW-1 and PE1 looks as follows
> ==================================================
> [SW-1]--1->(Te1.661)PE1
> ==================================================
> ------------------ listing -----------------------
> 1) SW-1:
> interface Vlan661
>  ip address 62.xxx.xx.20 255.255.255.240
> end
> ip route 82.xx.xx.161 255.255.255.255 62.xxx.xx.17
>
> 2) PE1:
> interface Te1.661
>  encapsulation dot1Q 661
>  ip address 62.xxx.xx.17 255.255.255.240
>  no ip redirects
>  no ip proxy-arp
>  ip mtu 1500
>  service-policy input test-in-dscp-set
> end
>
> PE1#sh policy-map test-in-dscp-set
>   Policy Map test-in-dscp-set
>     Class test
>       set ip dscp 39
>     Class class-default
>
> PE1#sh class-map test
>  Class Map match-all test (id 25)
>    Match access-group 100
>
> PE1#sh run | i access-list 100
> access-list 100 permit ip host 62.xxx.xx.20 host 82.xx.xx.161
> access-list 100 deny ip any any
> ----------------- end of listing----------------
>
>
> Interface configuration on PE2
> =================================================
> PE2 -->(82.xx.xx.160/30)->CE
> =================================================
> ------------------ listing -----------------------
> interface Gi1.205
>  encapsulation dot1Q 205
>  ip address 82.xx.xx.162 255.255.255.252
>  no ip redirects
>  no ip proxy-arp
>  ip mtu 1500
>  ip flow ingress
>  no cdp enable
>  service-policy output test-Out
> end
>
> PE2#sh policy-map test-Out
>   Policy Map test-Out
>     Class test
>     Class class-default
>
> PE2#sh class-map test
>  Class Map match-all test (id 27)
>    Match ip dscp 39
> ----------------- end of listing----------------
>
> ===============================================
> Start Test
> ===============================================
> ------------------ listing -----------------------
> SW-1#ping 82.xx.xx.161 source 62.xx.xx.20 repeat 10
>
> PE1#sh policy-map interface Te1.661
>  TenGigabitEthernet1.661
>   Service-policy input: test
>    class-map: test (match-all)
>      Match: access-group 100
>      set dscp 39:
>      Earl in slot 1 :
>        1180 bytes
>        30 second offered rate 280 bps
>        aggregate-forwarded 1180 bytes
>    Class-map: class-default (match-any)
>      0 packets, 0 bytes
>      30 second offered rate 0 bps, drop rate 0 bps
>      Match: any
>        0 packets, 0 bytes
>        30 second rate 0 bps
>
> PE2# sh policy-map interface Gi1.205 output class test
>  GigabitEthernet1.205
>   Service-policy output: test-Out
>    Class-map: test (match-all)
>      0 packets, 0 bytes
>      30 second offered rate 0 bps
>      Match: ip dscp 39
> ----------------- end of listing----------------
>
> > cheers, ketimun

From mcgrath at fas.harvard.edu Wed Nov 25 11:17:56 2009
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Wed, 25 Nov 2009 11:17:56 -0500
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <4B0D5303.5010908@justinshore.com>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu> <4B0D5303.5010908@justinshore.com>
Message-ID: <4B0D58B4.8030305@fas.harvard.edu>

I can see their point, especially in SP networks and to keep the
counterfeit optics at bay, but we have the same problem: CSCO does not
make the optics we need in many cases, and in the LAN environment it
makes even less sense, as unless an optic is egregiously bad it generally
will not matter but a device down will...

Don't SUPPORT third party optics but give us the option to use them
without resorting to hacks.

What's even worse is that most of CSCO's optics are indeed Finisar optics
with different firmware.

Justin Shore wrote:
> Scott McGrath wrote:
>
>> Or Cisco could do something RADICAL and actually support the industry
>> standard optics model like they USED to
>> for GBIC's
>>
>
> I can understand their position on 3rd-party optics not meeting spec and
> not inter-opting well.

From karol.mares at gmail.com Wed Nov 25 12:56:11 2009
From: karol.mares at gmail.com (Karol Mares)
Date: Wed, 25 Nov 2009 18:56:11 +0100
Subject: [c-nsp] Secondary VLAN deployment on Metro ETTH
In-Reply-To: <323aca890911250317w6ed3a1d9t8932de9129d065fe@mail.gmail.com>
References: <323aca890911230647h72845a2j96f7c735f5def600@mail.gmail.com> <323aca890911250209w4d7c1f11hd7ce7c0a04a9c884@mail.gmail.com> <323aca890911250317w6ed3a1d9t8932de9129d065fe@mail.gmail.com>
Message-ID: <1c18b2480911250956n57c1a7c9qca8ad3efe2ed8be0@mail.gmail.com>

On Wed, Nov 25, 2009 at 12:17 PM, Pavel Skovajsa wrote:
> Hi,
>
> yes that is right UNI ports can't talk to each other but only within one
> ME3400 switch. If you have more switches and want exactly the same
> "switchport protected" functionality on all of them, one solution is to
> implement PVLANs.
>
> See
> http://www.rfc-editor.org/internet-drafts/draft-sanjib-private-vlan-10.txt for
> example.

That would not help if you have an interconnection between several
switches, i.e. a ring topology. You would need to use private-vlan trunk
functionality, which is iirc not supported yet on the Cisco 3400, to be
able to isolate several VLANs between switches. You can use just one
private-vlan host or a combination of UNI - NNI port type chain between
the switches:
downlink UNI, uplink NNI and to use proxy-ARP to take care of communication between the hosts. -- iso From tav at ucomline.net Wed Nov 25 12:56:52 2009 From: tav at ucomline.net (Teslenko Andrey) Date: Wed, 25 Nov 2009 19:56:52 +0200 Subject: [c-nsp] Problem with dscp packets marking on 76th platform. In-Reply-To: <13a807350911250846hbfe8be9madf08a7e1cf49d15@mail.gmail.com> References: <4B0D1075.50601@mail.ru> <4B0D5293.7090604@mail.ru> <13a807350911250846hbfe8be9madf08a7e1cf49d15@mail.gmail.com> Message-ID: <4B0D6FE4.6040707@ucomline.net> Nicol?s Leiva ?????: > You might want to review > http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/mplsqos.html#wp1509501 There are nothing new for me here I tried to say following When router added mpls label in header of packet then dscp field became clean We tested that PE1--(/30,MPLS/OSPF)--> PE2 PE2: PHP was enabled. Packets came with dscp PE2: PHP was switched off. Packets came without dscp > > Nicolas > > On Wed, Nov 25, 2009 at 12:51 PM, Teslenko wrote: > >> selamat pagi ?????: >>> What's the config on the ingress interface of PE1 ? >>> Do you use VPNs (vrf interface) ? >>> Is TE active ? >> I have understood that it has misled you >> >>>>>> ping from CE >>>>>> Type escape sequence to abort. >>>>>> Sending 100, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 >>>> seconds: >>>>>> Packet sent with a source address of 10.10.10.1 >> >> Really initially the traffic ran between two vrf >> The scheme of traffic's movement looks as follows >> >> [SW-1]--1->(Te1.661)PE1(Te1.662)--2->[SW-1]--3->(Gi0/1)PE2 >> >> This test was necessary to understand "Does marking work in general?" >> >> Yes, it does. >> >> Then was tested MPLS scheme with P router and without P >> >> First. 
With P router >> >> [SW-1]--> (Te1.661)PE1--(/30,MPLS/OSPF)--> P--(/30,MPLS/OSPF)--> PE2 >> -->(82.xx.xx.160/30)->CE >> >> So we saw marking do not occur >> When we use the scheme without router P all works correctly >> >> [SW-1]--> (Te1.661)PE1--(/30,MPLS/OSPF)--> PE2 -->(82.xx.xx.160/30)->CE >> >> But a problem not in P router. >> It has been stated in previous letter >> Problem occur when MPLS label is encapsulating to header of packets. >> This doesn't occur when P not present in scheme, >> because PE1 became penultimate for PE2. >> So MPLS label doesn't change, because PHP is enable on PE2 by default. >> >> >> Interface configuration between SW-1 and PE1 looks as follow >> ================================================== >> [SW-1]--1->(Te1.661)PE1 >> ================================================== >> ------------------ listing ----------------------- >> 1) SW-1: >> interface Vlan661 >> ip address 62.xxx.xx.20 255.255.255.240 >> End >> ip route 82.xx.xx.161 255.255.255.255 62.xxx.xx.17 >> >> 2) PE1: >> interface Te1.661 >> encapsulation dot1Q 661 >> ip address 62.xxx.xx.17 255.255.255.240 >> no ip redirects >> no ip proxy-arp >> ip mtu 1500 >> service-policy input test-in-dscp-set >> end >> >> PE1#sh policy-map test-in-dscp-set >> Policy Map test-in-dscp-set >> Class test >> set ip dscp 39 >> Class class-default >> >> PE1#sh class-map test >> Class Map match-all test (id 25) >> Match access-group 100 >> >> PE1#sh run | i access-list 100 >> access-list 100 permit ip host 62.xxx.xx.20 host 82.xx.xx.161 >> access-list 100 deny ip any any >> ----------------- end of listing---------------- >> >> >> Interface configuration on PE2 >> ================================================= >> PE2 -->(82.xx.xx.160/30)->CE >> ================================================= >> ------------------ listing ----------------------- >> interface Gi1.205 >> encapsulation dot1Q 205 >> ip address 82.xx.xx.162 255.255.255.252 >> no ip redirects >> no ip proxy-arp >> ip mtu 1500 
>> ip flow ingress >> no cdp enable >> service-policy output test-Out >> end >> >> PE2#sh policy-map test-Out >> Policy Map test-Out >> Class test >> Class class-default >> >> PE2#sh class-map test >> Class Map match-all test (id 27) >> Match ip dscp 39 >> ----------------- end of listing---------------- >> >> =============================================== >> Start Test >> =============================================== >> ------------------ listing ----------------------- >> SW-1#ping 82.xx.xx.161 source 62.xx.xx.20 repeat 10 >> >> PE1#sh policy-map interface Te1.661 >> TenGigabitEthernet1.661 >> Service-policy input: test >> class-map: test (match-all) >> Match: access-group 100 >> set dscp 39: >> Earl in slot 1 : >> 1180 bytes >> 30 second offered rate 280 bps >> aggregate-forwarded 1180 bytes >> Class-map: class-default (match-any) >> 0 packets, 0 bytes >> 30 second offered rate 0 bps, drop rate 0 bps >> Match: any >> 0 packets, 0 bytes >> 30 second rate 0 bps >> >> PE2# sh policy-map interface Gi1.205 output class test >> GigabitEthernet1.205 >> Service-policy output: test-Out >> Class-map: test (match-all) >> 0 packets, 0 bytes >> 30 second offered rate 0 bps >> Match: ip dscp 39 >> ----------------- end of listing---------------- >> >> >> >>> cheers, ketimun >>> >>> >>> On Wed, Nov 25, 2009 at 12:09 PM, Teslenko wrote: >>> >>>> Hello All, >>>> >>>> We try to introduce Qos in ours IP/MPLS backbone network, >>>> constructed on routers 7600th series >>>> >>>> All 76-s' are P or PE devices should accept from outside MPLS or IP >>>> traffic. >>>> On PE devices we mark packages and we want, that DSCP was transferred >>>> transparently within MPLS domain. But we have problem. >>>> >>>> We use IOS v12.2 (33) SRC1 now. 
>>>> >>>> >>>> Testing passed on CISCO7609-S with linear card WS-X6708-10GE >>>> >>>> >>>> ================================== >>>> The test #1 >>>> ================================== >>>> >>>> P device CISCO7609-S ingress port on linear card WS-X6708-10GE, >>>> egress port on linear card WS-X6724-SFP. >>>> Device PE2 the last in a chain, PHP option enable by default >>>> >>>> The scheme of traffic's movement looks as follows >>>> >>>> CE--> SW-1> (ingress) PE1 (egress)--> P--> (ingress) PE2 >>>> >>>> 1.1 Interfaces of the P device are configured as follows >>>> >>>> interface TenGigabitEthernet (WS-X6708-10GE) >>>> dampening >>>> mtu 4470 >>>> ip address yy.yy.yy.yy 255.255.255.252 >>>> carrier-delay msec 0 >>>> mpls traffic-eng tunnels >>>> mpls ip >>>> hold-queue 1000 in >>>> ip rsvp bandwidth >>>> end >>>> ! >>>> interface GigabitEthernet (WS-X6724-SFP) >>>> dampening >>>> mtu 4470 >>>> ip address xx.xx.xx.xx 255.255.255.252 >>>> carrier-delay msec 0 >>>> mpls traffic-eng tunnels >>>> mpls ip >>>> hold-queue 1000 in >>>> ip rsvp bandwidth >>>> end >>>> >>>> >>>> 1.2. Marking of traffic occur on ingress interface of PE1 >>>> >>>>>> policy-map test-in-dscp-set >>>>>> class class-default >>>>>> set dscp 39 >>>> 2.3. Stock-taking dscp labels occur on ingress interface of PE2. >>>> >>>> ------------------------------------------------- >>>> listing------------------- >>>>>> ping from CE >>>>>> Type escape sequence to abort. >>>>>> Sending 100, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 >>>> seconds: >>>>>> Packet sent with a source address of 10.10.10.1 >>>>>> !!!!! 
>>>>>> Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/9 ms
>>>>>> PE2#sh policy-map interf Gi0/1.662 in class match-test-dscp
>>>>>> GigabitEthernet0/1.662
>>>>>>
>>>>>> Service-policy input: Customer-test-In
>>>>>>
>>>>>> Class-map: match-test-dscp (match-any)
>>>>>> 0 packets, 0 bytes
>>>>>> 30 second offered rate 0 bps
>>>>>> Match: ip dscp 39
>>>>>> 0 packets, 0 bytes
>>>>>> 30 second rate 0 bps
>>>>>> ----------------- end of listing----------------------------------------
>>>> As appears from the example, marking does not occur
>>>>
>>>>
>>>> 1.4 MPLS trace looks as follows
>>>>
>>>> PE1#trace mpls ipv4 213.xxx.xxx.4 255.255.255.255
>>>> Tracing MPLS Label Switched Path to 213.xxx.xxx.4/32, timeout is 2 seconds
>>>> Type escape sequence to abort.
>>>> 0 213.xxx.xxx.202 MRU 4470 [Labels: 50 Exp: 0]
>>>> L 1 213.xxx.xxx.201 MRU 4474 [Labels: implicit-null Exp: 0] 169 ms
>>>> ! 2 213.xxx.xxx.18 4 ms
>>>>
>>>> PE1 encapsulates an MPLS header onto the packet with label value = 50
>>>> and field Exp=0
>>>>
>>>> ==================================
>>>> The test #2
>>>> ==================================
>>>>
>>>> The scheme of traffic's movement looks as follows
>>>>
>>>> CE--> SW-1> (ingress) PE1 (egress) --->(ingress)PE2
>>>>
>>>> 2.1 Device PE2 is the last in the chain, it has the PHP option enabled by default
>>>> MPLS trace looks as follows
>>>> PE1#trace mpls ipv4 213.xxx.xxx.4 255.255.255.255
>>>> Tracing MPLS Label Switched Path to 213.xxx.xxx.4/32, timeout is 2 seconds
>>>> Type escape sequence to abort.
>>>> 0 213.xxx.xxx.19 MRU 4470 [Labels: implicit-null Exp: 0]
>>>> ! 1 213.xxx.xxx.18 4 ms
>>>>
>>>> PE1 doesn't encapsulate an MPLS header onto the packet.
>>>> Result:
>>>>
>>>>>> PE2#sh policy-map interf Gi0/1.662 in class match-test-dscp
>>>>>> GigabitEthernet0/1.662
>>>>>>
>>>>>> Service-policy input: Customer-test-In
>>>>>>
>>>>>> Class-map: match-test-dscp (match-any)
>>>>>> 100 packets, 0 bytes
>>>>>> 30 second offered rate 0 bps
>>>>>> Match: ip dscp 39
>>>>>> 100 packets, 0 bytes
>>>>>> 30 second rate 0 bps
>>>> So the DSCP label comes through to PE2
>>>>
>>>> 2.2 Device PE2 is the last in the chain, PHP option switched off
>>>>
>>>> PE2 (config) # mpls ldp explicit-null
>>>> PE2 (config) #
>>>>
>>>> So PE1 encapsulates an MPLS header onto the packet,
>>>> And as a result packets again come without the DSCP label.
>>>>
>>>> Result.
>>>> When the MPLS label was encapsulated into the header, as a result the DSCP label was
>>>> cleared.
>>>>
>>>> Does anybody know a solution for this problem?
>>>>
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>
>>
>

--
Andrey Teslenko
Leading ip engineer
JSC "Farlep-Invest", Ukraine, Odessa
Backbone network department
Network operation sector
mob: 8063 617-01-68
tel: 8048 716-55-72

From justin at justinshore.com Wed Nov 25 14:41:40 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 25 Nov 2009 13:41:40 -0600
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <6069A203FD01884885C037F81DD75080173D69596A@wsc-mail-01.intra.nwresd.k12.or.us>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu>, <4B0D5303.5010908@justinshore.com> <6069A203FD01884885C037F81DD75080173D69596A@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <4B0D8874.3040708@justinshore.com>

Bill Blackford wrote:
> I do not believe that Juniper keys their optics. My experience with this is limited though. I am able to get third-party optics to work just fine in EX switches.
>
> bblackford at wsc-asw-02-1> show chassis hardware
> Hardware inventory:
> Item             Version  Part number  Serial number  Description
> Chassis                                BH0208188142   EX3200-24T
> FPC 0            REV 07   750-021261   BH0208188142   EX3200-24T, 8 POE
> CPU                       BUILTIN      BUILTIN        FPC CPU
> PIC 0                     BUILTIN      BUILTIN        24x 10/100/1000 Base-T
> PIC 1            REV 04   711-021270   AR0209216364   4x GE SFP
> Xcvr 0                    NON-JNPR     FFX20H700284   SFP-SX
> Power Supply 0   REV 02   740-020957   AT0508119769   PS 320W AC
> Fan Tray                                              Fan Tray
>
> As you can see it identifies the Xcvr as non-Juniper.

Yeah, my J knowledge is pretty much nil. I'm going on what people with Junipers have told me. I'd love to try it out in Olive though if I could ever find a source for JunOS code that wasn't pre-hacked.

> On the Cisco side, I have a Vertex 1310M GLC-LH-SM that is working fine in a 3560G.

Vertex... I will have to do some research on them. Is that with or without the unsupported-transceiver hack? Thanks for the pointer.

Justin

From nick at inex.ie Wed Nov 25 14:44:34 2009
From: nick at inex.ie (Nick Hilliard)
Date: Wed, 25 Nov 2009 19:44:34 +0000
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <4B0D58B4.8030305@fas.harvard.edu>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu> <4B0D5303.5010908@justinshore.com> <4B0D58B4.8030305@fas.harvard.edu>
Message-ID: <4B0D8922.1080605@inex.ie>

On 25/11/2009 16:17, Scott McGrath wrote:
> I can see their point especially in SP networks and to keep the
> counterfeit optics at bay but we have the same problem CSCO does not
> make the optics we need in many cases and in the LAN environment it
> makes even less sense, As unless an optic is egregiously bad it generally
> will not matter but a device down will...
>
> Don't SUPPORT third party optics but give us the option to use them
> without resorting to hacks. What's even worse is that most of CSCO's
> optics are indeed Finisar optics with different firmware.

Different serial numbers, whatever about the firmware. This isn't "what's worse". Cisco simply doesn't manufacture optical transceivers. Like all other major switch/router manufacturers, they spec from a small number of third party manufacturers (finisar, opnext, etc), just like they do with flash chips and DRAM and so on. It's just economics: it's cheaper and simpler for them to buy rather than build.

Yes, there are trash quality optics out there, no doubt about it. Due to massive vendor markups, many of them are labelled with vendor labels and sold as genuine vendor products. Again, this comes entirely down to economics: so long as you make it worth someone's while to build a knock-off, they will do it. And that will damage everyone, including the vendors.

"service unsupported-transceiver" is not a hack: it's the deconfiguration of a software misfeature whose sole intent is to cripple your equipment's functionality. At the same time, it provides a clear warning that if you use third party products in your kit, Cisco will not support them.
This is not unreasonable and it's a much better and more customer focussed approach than some vendors who will simply refuse point-blank to accept third party transceivers. I guess there will always be customers who are gullible enough to accept this sort of b/s vendor gouging.

Unfortunately, Cisco (and several other vendors) have chosen not to fully de-cripple third party transceivers, so that even if you use this command, you still lose DOM. I have heard some people claim that they've been told by their vendors that this was to ensure that DOM measurements were accurate. Charitably, this is a weak argument, particularly when you take into account that some of the DOM readings on some older (but genuine) transceivers bear no relation to reality, and also that Cisco resell lots of transceivers which won't work in other Cisco kit - unless you use "service unsupported-transceiver" or equivalent.

No, it's about money and margins, pure and simple. Most vendors jam on a margin of between 5x and 15x on their transceivers, and that's the sort of margin that's very easy to get addicted to.

Nick

From lukasz at bromirski.net Wed Nov 25 14:46:37 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 25 Nov 2009 20:46:37 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <20091125074223.GQ163@greenie.muc.de>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de>
Message-ID: <4B0D899D.2040900@bromirski.net>

On 2009-11-25 08:42, Gert Doering wrote:
> We might see a "Cisco 8200" appear, which is the same as 6500 and 7600,
> but with a different EEPROM and yet another chassis colour. Supported
> by a new BU, and all the new and fancy supervisor boards will only
> support the 8200 (and the 6500, but only if you upgrade the fan module
> to a FAN-5 and install 15000W PSUs). Another round of fun begins.

:)

The new EARL - EARL8 is already there - as the PFC for Nexus 7k.
It will also be the part of next-gen Sup "2T" and DFCs for LCs in the 6500E. It has new features (they were listed already on this list a couple of times, never complete, but usually focusing on the main advantages), and removes a couple of long-standing limitations. The most important fact (besides scalability extensions) is it will bring native VPLS and MPLS support for newer and completely new LCs to the 6500E.

As for something for the next-gen - 8200... competitors would like 6500 to be dead soon, because after all those rants it still wins the deals, it is still a platform of choice for technical not marketing reasons, and it still, after so many years, excels in different dimensions. It is roadmapped far into the future, and there's place for it.

OMG, that sounded like.... marketing! :D

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From BBlackford at nwresd.k12.or.us Wed Nov 25 14:53:37 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Wed, 25 Nov 2009 11:53:37 -0800
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <4B0D8874.3040708@justinshore.com>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu>,<4B0D5303.5010908@justinshore.com> <6069A203FD01884885C037F81DD75080173D69596A@wsc-mail-01.intra.nwresd.k12.or.us>, <4B0D8874.3040708@justinshore.com>
Message-ID: <6069A203FD01884885C037F81DD75080173D695972@wsc-mail-01.intra.nwresd.k12.or.us>

My devices don't seem to have the unsupported-transceiver knob, so no.

________________________________________
From: Justin Shore [justin at justinshore.com]
Sent: Wednesday, November 25, 2009 11:41 AM
To: Bill Blackford
Cc: Scott McGrath; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] is a DWDM SFP a DWDM SFP?

Bill Blackford wrote:
> I do not believe that Juniper keys their optics. My experience with this is limited though.
> I am able to get third-party optics to work just fine in EX switches.
>
> bblackford at wsc-asw-02-1> show chassis hardware
> Hardware inventory:
> Item             Version  Part number  Serial number  Description
> Chassis                                BH0208188142   EX3200-24T
> FPC 0            REV 07   750-021261   BH0208188142   EX3200-24T, 8 POE
> CPU                       BUILTIN      BUILTIN        FPC CPU
> PIC 0                     BUILTIN      BUILTIN        24x 10/100/1000 Base-T
> PIC 1            REV 04   711-021270   AR0209216364   4x GE SFP
> Xcvr 0                    NON-JNPR     FFX20H700284   SFP-SX
> Power Supply 0   REV 02   740-020957   AT0508119769   PS 320W AC
> Fan Tray                                              Fan Tray
>
> As you can see it identifies the Xcvr as non-Juniper.

Yeah, my J knowledge is pretty much nil. I'm going on what people with Junipers have told me. I'd love to try it out in Olive though if I could ever find a source for JunOS code that wasn't pre-hacked.

> On the Cisco side, I have a Vertex 1310M GLC-LH-SM that is working fine in a 3560G.

Vertex... I will have to do some research on them. Is that with or without the unsupported-transceiver hack? Thanks for the pointer.

Justin

From thomas at habets.pp.se Wed Nov 25 15:08:24 2009
From: thomas at habets.pp.se (Thomas Habets)
Date: Wed, 25 Nov 2009 21:08:24 +0100 (CET)
Subject: [c-nsp] Problem with dscp packets marking on 76th platform.
In-Reply-To: <4B0D5293.7090604@mail.ru>
References: <4B0D1075.50601@mail.ru> <4B0D5293.7090604@mail.ru>
Message-ID:

On Wed, 25 Nov 2009, Teslenko wrote:
> PE2#sh policy-map test-Out
> Policy Map test-Out
> Class test
> Class class-default
>
> PE2#sh class-map test
> Class Map match-all test (id 27)
> Match ip dscp 39
[...]
> PE2# sh policy-map interface Gi1.205 output class test
> GigabitEthernet1.205
> Service-policy output: test-Out
> Class-map: test (match-all)
> 0 packets, 0 bytes
> 30 second offered rate 0 bps
> Match: ip dscp 39

The output counter will not increment if you only match on 6500/7600, and don't actually *set* anything in your policy-map. This is true for getting EXP-x counter values in P at least.
Try this on PE2:

policy-map test-Out
 class test
  set dscp 39

And see if the counter wakes up.

Are you sure the tags are as you think on the wire, or are you bravely believing anything that the 6500/7600 tells you? The counter is (can be) a lie.

This will of course not actually change anything, since you are setting 39 if it's set to 39.

---------
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas at habets.pp.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

From gert at greenie.muc.de Wed Nov 25 15:22:33 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 25 Nov 2009 21:22:33 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0D899D.2040900@bromirski.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net>
Message-ID: <20091125202233.GX163@greenie.muc.de>

Hi,

On Wed, Nov 25, 2009 at 08:46:37PM +0100, Łukasz Bromirski wrote:
> The new EARL - EARL8 is already there - as the PFC for Nexus 7k. It will
> also be the part of next-gen Sup "2T" and DFCs for LCs in the 6500E.

Ah, so it will come to 6500, not to 7600. Heh!

(I wonder what IOS train will support it, and what hardware and feature support we're going to lose by using that IOS train...)

[..]
> As for something for the next-gen - 8200... competitors would like 6500
> to be dead soon, because after all those rants it still wins the deals,
> it is still a platform of choice for technical not marketing reasons,
> and it still, after so many years, excels in different dimensions
> It is roadmapped far into the future, and there's place for it.

I *really* like the 6500. Really. The only thing I massively dislike about it is the pain that Cisco instills in the customers with their poor choice in decision-making.
- 6500/7600 split. They ("the 7600 camp") get the fast CPU, we get the reasonable 10G linecards (and got the 10G sup first).
- confusing strategy regarding IOS future, especially modular IOS vs. NX-OS
- confusing feature adoption between SX, SR and "main line" IOS
- removal of BFD on SVI!!! *grumble* (this has bitten me *again* today)
- as a customer, you really can't trust Cisco to make reasonable decisions (did I mention the BU split? and IOS and hardware support pain?) - even Cisco's stock price sucks, so the usual argument "but it was good for the stock price!" doesn't hold either.

Sorry for that.

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                        gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From lukasz at bromirski.net Wed Nov 25 15:30:23 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 25 Nov 2009 21:30:23 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <20091125202233.GX163@greenie.muc.de>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <20091125202233.GX163@greenie.muc.de>
Message-ID: <4B0D93DF.1050107@bromirski.net>

On 2009-11-25 21:22, Gert Doering wrote:
> - 6500/7600 split. They ("the 7600 camp") get the fast CPU, we get the
> reasonable 10G linecards (and got the 10G sup first).

Yeah. We all live in a material world. But the CPU on the MSFC4 on Sup2T will be fast.

> - confusing strategy regarding IOS future, especially modular IOS vs. NX-OS

Modular IOS is a way to go on the 6500. NX-OS is for Nexus only.

> - confusing feature adoption between SX, SR and "main line" IOS

SX = 6500, SR = 7600, 7200, couple of other lines.
Main line is usually for access boxes, like ISRs and ISRs G2.

> - removal of BFD on SVI!!! *grumble* (this has bitten me *again* today)

Tim and Scott and a couple of people are looking at the list. I think they heard your scream.

> - as a customer, you really can't trust Cisco to make reasonable
> decisions (did I mention the BU split? and IOS and hardware support
> pain?) - even Cisco's stock price sucks, so the usual argument "but
> it was good for the stock price!" doesn't hold either.

Hm. Usually price issues are taken care of by account teams. I can't speak about that part.

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From justin at justinshore.com Wed Nov 25 15:38:42 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 25 Nov 2009 14:38:42 -0600
Subject: [c-nsp] NTP Debug options shortened
Message-ID: <4B0D95D2.2030808@justinshore.com>

Did anyone else notice that the NTP debug options have gotten rather short lately in the 12.4T releases?

From 24T2:

7206-1# debug ntp ?
  adjust    NTP clock adjustments
  all       NTP all debugging on
  core      NTP core messages
  events    NTP events
  packet    NTP packet debugging
  refclock  NTP refclock messages

From 11T1:

7206-2# debug ntp ?
  adjust          NTP clock adjustments
  authentication  NTP authentication
  events          NTP events
  loopfilter      NTP loop filter
  packets         NTP packets
  params          NTP clock parameters
  refclock        NTP reference clocks
  select          NTP clock selection
  sync            NTP clock synchronization
  validity        NTP peer clock validity

Did they get renamed? I've looked through the 'debug ?' several times and haven't had any luck finding them. I really need to debug some NTP AUTH issues and am stuck without the debugs. Seems like some important options have left the building.
BTW, to all who run NTP and are interested, the bug that was introduced in 20T1 and 24T that made the IOS NTP server treat NTP clients as peers, including forcing clients through the peer access-group ACL, was NOT fixed in 24T2 like the bug notes say. I upgraded my NTP servers to 24T2 last weekend (see list archive) and am now trying to undo all the temp config I put in place troubleshooting CSCsw79186. My clients are still being treated as peers and are still matching my 'peer' access-group ACL instead of my 'serve' ACL. I'm going to re-open the case with Cisco.

Justin

From gert at greenie.muc.de Wed Nov 25 15:51:29 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 25 Nov 2009 21:51:29 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0D93DF.1050107@bromirski.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <20091125202233.GX163@greenie.muc.de> <4B0D93DF.1050107@bromirski.net>
Message-ID: <20091125205129.GC163@greenie.muc.de>

Hi,

On Wed, Nov 25, 2009 at 09:30:23PM +0100, Łukasz Bromirski wrote:
> On 2009-11-25 21:22, Gert Doering wrote:
>
> > - 6500/7600 split. They ("the 7600 camp") get the fast CPU, we get the
> > reasonable 10G linecards (and got the 10G sup first).
>
> Yeah. We all live in a material world. But the CPU on the MSFC4 on
> Sup2T will be fast.

I'm sure it can beat the CPU in my Nokia 6310i. By a small margin.

> > - confusing strategy regarding IOS future, especially modular IOS vs.
> > NX-OS
>
> Modular IOS is a way to go on the 6500. NX-OS is for Nexus only.

Exactly the point. Too many OS variants. As if IOS didn't have enough branches already.

> > - confusing feature adoption between SX, SR and "main line" IOS
>
> SX = 6500, SR = 7600, 7200, couple of other lines. Main line is usually
> for access boxes, like ISRs and ISRs G2.
Yes, I'm fully aware of that, and while I can see some short-term value in the reasons that have been given, the long-term evaluation is "pain for customers, and pain for Cisco" ("development resources fragmented away until only a single person remains to supervise the nightly builds").

Think of upgrading your gear from 7200 to 7600. Or from 7600 to GSR. You get highly different operating systems, even if it's still called "IOS", with vastly different feature sets. Some parts will have to be different, of course (like "there is no hardware CEF on 7200") - but things like "BFD on interface type X works on 7200, but not on 7600" or "IPv6 on port-channels do not work in GSR" is just madness.

> > - removal of BFD on SVI!!! *grumble* (this has bitten me *again* today)
>
> Tim and Scott and a couple of people are looking at the list. I think
> they heard your scream.

I'm not sure. This hasn't been brought up for the first time, and it's not only me, and lots of people have been nagging their account managers about it, but still no word from Cisco on whether we can expect it to show up again, and if yes, where... (SRZ?).

> > - as a customer, you really can't trust Cisco to make reasonable
> > decisions (did I mention the BU split? and IOS and hardware support
> > pain?) - even Cisco's stock price sucks, so the usual argument "but
> > it was good for the stock price!" doesn't hold either.
>
> Hm. Usually price issues are taken care of by account teams. I can't
> speak about that part.

"stock price" as in "wall street, pin-striped banking guys" :-)

They tend to honour stupid decisions if they look good in the financial papers.

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                        gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Nov 25 15:57:37 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 25 Nov 2009 21:57:37 +0100
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <4B0D58B4.8030305@fas.harvard.edu>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu> <4B0D5303.5010908@justinshore.com> <4B0D58B4.8030305@fas.harvard.edu>
Message-ID: <20091125205736.GE163@greenie.muc.de>

Hi,

On Wed, Nov 25, 2009 at 11:17:56AM -0500, Scott McGrath wrote:
> I can see their point especially in SP networks and to keep the
> counterfeit optics at bay

Actually, what Cisco did is *create* a market for counterfeit optics.

There's Chinese out there that will sell you a crappy and dirt-cheap SFP or GBIC that is branded "Cisco!" and that your Cisco gear would happily accept. While at the same time refusing a quality Finisar SFP because it has no Cisco serial number.

There would not be any business for cheap copied SFPs if quality OEM SFPs would just work.

> What's even worse is that most of CSCO's optics are indeed Finisar optics
> with different firmware.

There's firmware in optics? I thought it's all just serial numbers and checksums in the EPROM...

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                        gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From jared at puck.nether.net Wed Nov 25 16:11:52 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 25 Nov 2009 16:11:52 -0500
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <20091125205129.GC163@greenie.muc.de>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <20091125202233.GX163@greenie.muc.de> <4B0D93DF.1050107@bromirski.net> <20091125205129.GC163@greenie.muc.de>
Message-ID: <684355FB-DDDA-4588-9775-D901E3EE9EF1@puck.nether.net>

On Nov 25, 2009, at 3:51 PM, Gert Doering wrote:
>>>
>>> - as a customer, you really can't trust Cisco to make reasonable
>>> decisions (did I mention the BU split? and IOS and hardware support
>>> pain?) - even Cisco's stock price sucks, so the usual argument "but
>>> it was good for the stock price!" doesn't hold either.
>>
>> Hm. Usually price issues are taken care of by account teams. I can't
>> speak about that part.
>
> "stock price" as in "wall street, pin-striped banking guys" :-)
>
> They tend to honour stupid decisions if they look good in the financial
> papers.

I actually believe this harms cisco greatly. You should see my account team ready to pull their hair out some days because of the self-inflicted-pain internally and lack of coherent direction.

I honestly now see why they acquired linksys, it's about building cheap crap they don't intend to actually properly support and maintain. It's sad because there are a lot of really bright people there who try to do the right thing and will never succeed.

Cisco is an enterprise play, not a SP play. Think IBM before they divested numerous business lines (eg hdd mfg to hitachi, laptops to lenovo). I'm waiting to see them realize they are doing more harm than good and follow that playbook.
- Jared

From tdurack at gmail.com Wed Nov 25 16:17:27 2009
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 25 Nov 2009 16:17:27 -0500
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <20091125205736.GE163@greenie.muc.de>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu> <4B0D5303.5010908@justinshore.com> <4B0D58B4.8030305@fas.harvard.edu> <20091125205736.GE163@greenie.muc.de>
Message-ID: <9e246b4d0911251317r1c3c3c23j32f6694a0f2f2752@mail.gmail.com>

On Wed, Nov 25, 2009 at 3:57 PM, Gert Doering wrote:
> Hi,
>
> On Wed, Nov 25, 2009 at 11:17:56AM -0500, Scott McGrath wrote:
>> I can see their point especially in SP networks and to keep the
>> counterfeit optics at bay
>
> Actually, what Cisco did is *create* a market for counterfeit optics.

It's going to get interesting with SFP+ direct-attach: HP Blade Chassis using direct-attach will no doubt require HP direct-attach components. That means you need an HP switch on the other side. Same thing for Cisco Blade Chassis.

Got to love vendor lock-in...

--
Tim:>
Sent from Brooklyn, NY, United States

From gtb at slac.stanford.edu Wed Nov 25 16:21:40 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Wed, 25 Nov 2009 13:21:40 -0800
Subject: [c-nsp] is a DWDM SFP a DWDM SFP?
In-Reply-To: <20091125205736.GE163@greenie.muc.de>
References: <5A69C25361FED34F83ABF05F50475245072BC81D@wally.walleyetrading.net> <4B0CAA48.5000102@justinshore.com> <4B0D3424.30506@fas.harvard.edu> <4B0D5303.5010908@justinshore.com> <4B0D58B4.8030305@fas.harvard.edu> <20091125205736.GE163@greenie.muc.de>
Message-ID: <6F51B50ECF32084788B9B3A8469A71B529175C044F@EXCHCLUSTER1-02.win.slac.stanford.edu>

> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Actually, what Cisco did is *create* a market for counterfeit optics.
What the BU's did was create a market for grey market (aka counterfeit) optics, memory, flash devices....

I have asserted before that what Cisco *should* have done for these commodity parts is establish a certification program where vendors could "pay to play" for validation and get a "cisco certified" stamp and let the vendors/market determine the pricing for these commodity components. (That too would be an imperfect solution, but it is better than what we have.) Unfortunately it appears that instead the BU's put in the 400% markup for commodity components into their business plans (Profit!!!) and pricing lists. The results (grey market/counterfeit) should have been expected. Maybe the BU managers missed that day in business school.

Gary

From chris at lavin-llc.com Wed Nov 25 16:07:04 2009
From: chris at lavin-llc.com (chris at lavin-llc.com)
Date: Wed, 25 Nov 2009 16:07:04 -0500
Subject: [c-nsp] [j-nsp] Network Liberation Movement???
In-Reply-To: <4B0991C0.6000308@rollernet.us>
References: <4AEAF6B8.2090606@att.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3BE0@LMC-MAIL2.exempla.org> <5210A1C9084123478E12AA5924D1F253FBBCE9@w3usmia2.lat.gblxint.com> <8c308e8b0910301415t3b5c2d01n440e57bcf044992@mail.gmail.com> <443de7ad0910311035p2506ae77qbafd235bb4a59397@mail.gmail.com> <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com> <8c308e8b0911012234k43a7a1e1nd3370378bc039824@mail.gmail.com> <4B0991C0.6000308@rollernet.us>
Message-ID: <3847d10a7751ff28466dec236a1150a4.squirrel@email.fatcow.com>

Snippet:
> The university I worked at as a student did a
> whole campus replacement of Cisco for ProCurve.
>
> ~Seth

I'm involved in an 'alternative switch vendor' discussion and lab testing. ProCurve and Juniper switches are in our lab and undergoing some poking and prodding. I am not at all familiar with HP ProCurve. The recent announcement concerns me. What happens if during the overlap analysis HP dumps some of their product line?
Did we lose time making an effort to learn new products, configurations and vendor-suggested best practices? Knowing almost everyone's shop runs too thin and too fast, losing ground to incorporate something that may no longer be sold seems like a possible mistake in judgement and a blow to morale.

-chris

From eninja at gmail.com Wed Nov 25 17:53:06 2009
From: eninja at gmail.com (Eninja)
Date: Wed, 25 Nov 2009 23:53:06 +0100
Subject: [c-nsp] FABRIC-3-ERR_HANDLE
In-Reply-To: <967E202DE1EF41FA824D4EAAE621CE5E@int.convex.pt>
References: <0D2AFF6747EC4FBF8C502CC3A880187F@int.convex.pt> <480dad640911171102g15d06b51u2b3132b34d34ef76@mail.gmail.com> <967E202DE1EF41FA824D4EAAE621CE5E@int.convex.pt>
Message-ID:

Cool

/eninja

On Nov 25, 2009, at 12:22 PM, "Antonio Soares" wrote:

> Just to let you know that the problem is resolved after the CSC0
> replacement.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
>
> From: Eninja [mailto:eninja at gmail.com]
> Sent: Wednesday, 18 November 2009 7:40
> To: Aaron
> Cc: Antonio Soares; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] FABRIC-3-ERR_HANDLE
>
> 'Exec-on' commands are sent via IPC over the switch fabric and
> 'attach' sessions go over the mbus.
>
> Eninja
>
>
>
> On Nov 17, 2009, at 8:02 PM, Aaron wrote:
>
>> So, what is the difference in output from doing exec-on vs attach?
>> You are still connecting via the same method.
>>
>> On Mon, Nov 16, 2009 at 14:07, e ninja wrote:
>> Antonio,
>>
>> You should *never* troubleshoot fabric errors with *any* exec-on
>> commands.
>> They run over the fabric that may or may not be compromised.
>>
>> 1. Are any other LCs apart from slot 6 reporting CRC errors?
>> 2. grab two "sh contr fia" from the RP and an attach to all the
>> LCs and
>> send over.
>>
>> Eninja
>>
>>
>> On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares
>> wrote:
>>
>> > Hello group,
>> >
>> > I have a 12k reporting this:
>> >
>> > %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error
>> from slot 6
>> >
>> > In one week, I have 4 of these messages.
>> >
>> > Slot 6 is a SIP-601 containing 2 x SPA-10G.
>> >
>> > What could be the problem ?
>> >
>> > The "show controllers fia" do not show any problem.
>> >
>> > The "execute-on slot 6 show controllers fia" show this:
>> >
>> > Switch cards present: 0x1F
>> > Switch cards monitored: 0x1F
>> >                0        1        2        3        4
>> >         -------- -------- -------- -------- --------
>> > los            0        0        0        0        0
>> > state        Off      Off      Off      Off      Off
>> > crc16      53989        0        0        0        0
>> > xor error      0        0        0        0
>> > cell drops  1020     1020     1020     1020
>> >
>> >
>> > IOS=c12kprp-p-mz.120-32.SY6.bin
>> >
>> >
>> > Thanks.
>> >
>> > Regards,
>> >
>> > Antonio Soares, CCIE #18473 (R&S)
>> > amsoares at netcabo.pt
>> >
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>>
>

From david at hughes.com.au Wed Nov 25 18:32:37 2009
From: david at hughes.com.au (David Hughes)
Date: Thu, 26 Nov 2009 09:32:37 +1000
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0D899D.2040900@bromirski.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net>
Message-ID:

On 26/11/2009, at 5:46 AM, Łukasz Bromirski wrote:

> As for something for the next-gen - 8200...
> competitors would like 6500
> to be dead soon, because after all those rants it still wins the deals,
> it is still a platform of choice for technical not marketing reasons,
> and it still, after so many years, excels in different dimensions
> It is roadmapped far into the future, and there's place for it.

From a customer perspective who uses 6500s for L2/L3 aggregation in the DC and MPLS/IP core functionality, I can see them losing their shine. They are a solid platform and I do like them a lot but working with the caveats can be a pain.

N7K is starting to look like a winning platform :

* 2nd Gen 10GE ports will be reasonably priced
* Price for line-rate 1GE-TX LC's is attractive
* Switching capacity upgrade path looks fantastic
* Smart guys doing smart things (like OTV)
* An OS that delivers on all the broken promises of ION / Modular etc

Ok, so it's missing some functionality but lots of the important stuff is being worked on. There's no service modules but personally I think that's a good thing. I still have nightmares about running Gen1 FWSM in the same chassis as a Gen1 CSM. (Here's a thought - make a good standalone firewall that can compete with Vendor J, and a good standalone loadbalancer that can compete with Vendor F )

If there's a 4 slot chassis in the 2nd generation then I could see N7K and N5K / N4K as a possible end-to-end platform for L3/MPLS core, L2/L3 aggregation, and L2 access. And it would all run the same software !!! Pinch me - I must be dreaming :)

David
...

From good1 at live.com Wed Nov 25 18:53:55 2009
From: good1 at live.com (Good One)
Date: Thu, 26 Nov 2009 04:53:55 +0500
Subject: [c-nsp] ipv6 cheat sheet
Message-ID:

Hello guys,

Did you find any cheat sheet for IPv6 subnetting anywhere?

_________________________________________________________________
Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092010

From ltd at cisco.com Wed Nov 25 19:17:38 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Thu, 26 Nov 2009 11:17:38 +1100
Subject: [c-nsp] IRIS Project
In-Reply-To: <1258293484.12313.0.camel@hal9000>
References: <1258293484.12313.0.camel@hal9000>
Message-ID: <8CAB234A-CE92-4F5B-882A-A05366EB77F4@cisco.com>

On 16/11/2009, at 12:58 AM, luismi wrote:

> IS there anyone in this mailing list involved with the IRIS project?

i can put you in contact with the relevant folks if you want. there are links to folks at http://www.cisco.com/web/strategy/government/space-routing.html

its been a big week for IRIS. its now launched.
http://www.youtube.com/watch?v=P6MUoA7evh4
http://www.spaceflightnow.com/atlas/av024/status.html
http://www.prnewswire.com/news-releases/cisco-router-sent-into-space-aboard-intelsat-satellite-71725852.html

cheers,

lincoln.

From ptimmins at clearrate.com Wed Nov 25 19:20:55 2009
From: ptimmins at clearrate.com (Paul G. Timmins)
Date: Wed, 25 Nov 2009 19:20:55 -0500
Subject: [c-nsp] ipv6 cheat sheet
In-Reply-To:
References:
Message-ID:

You can subnet ipv6 with your eyeballs, just add or subtract 4 from the prefix length for every character you move to the left or right.

1234:1234:1234:1234::/64
1234:1234:1234:123X::/60
1234:1234:1234:12XX::/56
1234:1234:1234:1XXX::/52
1234:1234:1234::/48

etc

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Good One
Sent: Wednesday, November 25, 2009 6:54 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ipv6 cheat sheet

Hello guys,

Did you find any cheat sheet for IPv6 subnetting anywhere?

From THamdi at sbm.com.sa Wed Nov 25 20:00:36 2009
From: THamdi at sbm.com.sa (Tarig Hamdi)
Date: Thu, 26 Nov 2009 04:00:36 +0300
Subject: [c-nsp] Tarig Hamdi is out of the office.
Message-ID:

I will be out of the office starting 11/26/2009 and will not return until 12/12/2009.

I will be away for 2 weeks with very limited access to email.

From cordmacleod at gmail.com Wed Nov 25 22:16:44 2009
From: cordmacleod at gmail.com (Cord MacLeod)
Date: Wed, 25 Nov 2009 19:16:44 -0800
Subject: [c-nsp] 3560 acl issue
Message-ID: <23634D3A-F3BC-4A1D-982E-2D645EA92D62@gmail.com>

My 3560 appears to have run into some trouble. My VPN just dropped and all traffic from the VPN address was rejected by the 3560 even though no changes had been made to the device in weeks. I flipped the ACL on the external port by moving it from ACL 100 to ACL 101 and back to ACL100. There is no difference between the two ACLs. The VPN traffic came back immediately. Has anyone else seen an issue like this? This is the 2nd time this happened, except before it was a different IP it rejected traffic for.

Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)

From graham at g-rock.net Wed Nov 25 23:09:12 2009
From: graham at g-rock.net (Graham Wooden)
Date: Wed, 25 Nov 2009 22:09:12 -0600
Subject: [c-nsp] PA-MC-8T1
Message-ID:

Hi all,

Just wanted to confirm before I spend the money .... I am looking at the WAN card PA-MC-8T1 for some T1 aggregation points, inserted into FlexWAN/6500. As I am reading the data sheet for it, it looks like it can do non-channelized connections, right?
Need to consolidate down some non-fractional/channelized T1s...

Thanks,

-graham

From gert at greenie.muc.de Thu Nov 26 02:19:22 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 26 Nov 2009 08:19:22 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To:
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net>
Message-ID: <20091126071922.GI163@greenie.muc.de>

Hi,

On Thu, Nov 26, 2009 at 09:32:37AM +1000, David Hughes wrote:
> If there's a 4 slot chassis in the 2nd generation then I could
> see N7K and N5K / N4K as a possible end-to-end platform for L3/MPLS
> core, L2/L3 aggregation, and L2 access. And it would all run the
> same software !!! Pinch me - I must be dreaming :)

But that would impact ASR1k sales. Can't have that. Different BU.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From koug at intracom.gr Thu Nov 26 02:59:01 2009
From: koug at intracom.gr (John Kougoulos)
Date: Thu, 26 Nov 2009 09:59:01 +0200 (GTB Standard Time)
Subject: [c-nsp] Nat Issues With cisco Routers
In-Reply-To: <004001ca6d86$473a9fb0$6702a8c0@dominic>
References: <004001ca6d86$473a9fb0$6702a8c0@dominic>
Message-ID:

On Tue, 24 Nov 2009, Lin wrote:

> I tried to do a "no ip nat service sip tcp port 5060" command. This removes
> the "482 Loop Detected Error" and allows the client ip phone to register.
> However, outgoing calls fail, because the SBC on the other end responds with
> an "403" error. Apparently, the header being submitted is not acceptable.
>
> Anybody come across this before?
>

I think that at least in CBAC, IOS 12.2 couldn't understand compact sip messages.
I don't know if this is still an issue, but you may try to change your phone to not use compact headers.

Regards,
John

From achatz at forthnet.gr Thu Nov 26 04:53:18 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 26 Nov 2009 11:53:18 +0200
Subject: [c-nsp] XNE on ASR1k already EOL?
Message-ID: <4B0E500E.2060409@forthnet.gr>

http://www.cisco.com/en/US/customer/prod/collateral/routers/ps9343/end_of_life_c51-570651.html
http://www.cisco.com/en/US/customer/docs/ios/ios_xe/2/release/notes/rnasr21.html#wp2310700

Anyone know what happened?

--
Tassos

From ketimun at gmail.com Thu Nov 26 05:40:01 2009
From: ketimun at gmail.com (selamat pagi)
Date: Thu, 26 Nov 2009 11:40:01 +0100
Subject: [c-nsp] XNE on ASR1k already EOL?
In-Reply-To: <4B0E500E.2060409@forthnet.gr>
References: <4B0E500E.2060409@forthnet.gr>
Message-ID:

This is just an EOL announcement for XE 2.5. Hardware is not affected by this.

Cisco IOS XE Software Release 2.6 is targeted for the first half of calendar year 2010 before the End-of-Sale of Cisco IOS XE Software Release 2.5

HTH,
ketimun

On Thu, Nov 26, 2009 at 10:53 AM, Tassos Chatzithomaoglou < achatz at forthnet.gr> wrote:

>
> http://www.cisco.com/en/US/customer/prod/collateral/routers/ps9343/end_of_life_c51-570651.html
>
> http://www.cisco.com/en/US/customer/docs/ios/ios_xe/2/release/notes/rnasr21.html#wp2310700
>
> Anyone know what happened?
>
> --
> Tassos
>

From lists at hojmark.org Thu Nov 26 06:07:51 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 26 Nov 2009 12:07:51 +0100
Subject: [c-nsp] XNE on ASR1k already EOL?
In-Reply-To: <4B0E500E.2060409@forthnet.gr>
References: <4B0E500E.2060409@forthnet.gr>
Message-ID:

On Thu, 26 Nov 2009 11:53:18 +0200, you wrote:

> http://www.cisco.com/en/US/customer/prod/collateral/routers/ps9343/end_of_life_c51-570651.html
> http://www.cisco.com/en/US/customer/docs/ios/ios_xe/2/release/notes/rnasr21.html#wp2310700
>
> Anyone know what happened?

It's just a symptom of the fact that they run time-based releases with IOS XE on ASR1K, so 2.5 doesn't live long, and they tell us that well in advance (even before there is an alternative).

Some of the releases (2.4, 2.7, 2.10, 2.23 etc) will have extended maintenance.

It's all explained here:
http://www.cisco.com/en/US/customer/prod/collateral/routers/ps9343/product_bulletin_c25-448258.html

-A

From ketimun at gmail.com Thu Nov 26 06:48:02 2009
From: ketimun at gmail.com (selamat pagi)
Date: Thu, 26 Nov 2009 12:48:02 +0100
Subject: [c-nsp] Problem with dscp packets marking on 76th platform.
In-Reply-To:
References: <4B0D1075.50601@mail.ru> <4B0D5293.7090604@mail.ru>
Message-ID:

In your last test with setting "mpls ldp explicit-null" on PE2, you tell the previous node NOT to keep the label. Therefore the packet arrives with MPLS label(s), and no packet will match a DSCP value because you only have EXP values in the label.

When you did your first test, CE-PE1-P-PE2, were there still vrf's configured? That would explain why you did not see DSCP values, you would have seen EXP values. You still would have 1 label (vpn-label).

To prove this, could you change your policy to match EXP 4 instead of DSCP 39 ?

cheers,
ketimun

On Wed, Nov 25, 2009 at 9:08 PM, Thomas Habets wrote:

> On Wed, 25 Nov 2009, Teslenko wrote:
>
>> PE2#sh policy-map test-Out
>> Policy Map test-Out
>> Class test
>> Class class-default
>>
>> PE2#sh class-map test
>> Class Map match-all test (id 27)
>> Match ip dscp 39
>>
> [...]
>
> PE2# sh policy-map interface Gi1.205 output class test
>> GigabitEthernet1.205
>> Service-policy output: test-Out
>> Class-map: test (match-all)
>> 0 packets, 0 bytes
>> 30 second offered rate 0 bps
>> Match: ip dscp 39
>>
>
> The output counter will not increment if you only match on 6500/7600, and
> don't actually *set* anything in your policy-map. This is true for getting
> EXP-x counter values in P at least.
>
> Try this on PE2:
> policy-map test-Out
> class test
> set dscp 39
>
> And see if the counter wakes up. Are you sure the tags are as you think on
> the wire, or are you bravely believing anything that the 6500/7600 tells
> you? The counter is (can be) a lie.
>
> This will of course not actually change anything, since you are setting 39
> if it's set to 39.
>
> ---------
> typedef struct me_s {
>   char name[] = { "Thomas Habets" };
>   char email[] = { "thomas at habets.pp.se" };
>   char kernel[] = { "Linux" };
>   char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
>   char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
>   char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
> } me_t;
>

From asturluismi at gmail.com Thu Nov 26 06:50:15 2009
From: asturluismi at gmail.com (luismi)
Date: Thu, 26 Nov 2009 12:50:15 +0100
Subject: [c-nsp] Netflow in 2960 and 3750?
Message-ID: <1259236215.32461.30.camel@hal9000>

Hi all,

is there any option to connect one 2960 and one 3570 to netflow collector?
I was doing a research but I didn't find anything about it yet

From rdobbins at arbor.net Thu Nov 26 07:00:26 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Thu, 26 Nov 2009 12:00:26 +0000
Subject: [c-nsp] Netflow in 2960 and 3750?
In-Reply-To: <1259236215.32461.30.camel@hal9000>
References: <1259236215.32461.30.camel@hal9000>
Message-ID:

On Nov 26, 2009, at 7:50 PM, luismi wrote:

> I was doing a research but I didn't find anything about it yet

I don't believe either of those platforms supports NetFlow, alas.

-----------------------------------------------------------------------
Roland Dobbins // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From sthaug at nethelp.no Thu Nov 26 07:08:29 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 26 Nov 2009 13:08:29 +0100 (CET)
Subject: [c-nsp] Netflow in 2960 and 3750?
In-Reply-To: <1259236215.32461.30.camel@hal9000>
References: <1259236215.32461.30.camel@hal9000>
Message-ID: <20091126.130829.41669749.sthaug@nethelp.no>

> is there any option to connect one 2960 and one 3570 to netflow
> collector?
> I was doing a research but I didn't find anything about it yet

You can certainly *connect* them to a netflow collector. But assuming you actually want them to *export* netflow info, the answer is no.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From lists at hojmark.org Thu Nov 26 08:14:26 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 26 Nov 2009 14:14:26 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To:
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net>
Message-ID: <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net>

On Thu, 26 Nov 2009 09:32:37 +1000, you wrote:

> If there's a 4 slot chassis in the 2nd generation then I could see
> N7K and N5K / N4K as a possible end-to-end platform for L3/MPLS core,
> L2/L3 aggregation, and L2 access. And it would all run the same
> software !!!

Except, of course, the N7K doesn't currently do MPLS and won't for another year, and when it does it will, as always, be released in phases.
Also, Nexus is positioned for the DC, so there will always be lacking features when compared to the SP platforms.

'Don't send a switch to do a router's job'.

-A

From steve at ibctech.ca Thu Nov 26 08:30:33 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 26 Nov 2009 08:30:33 -0500
Subject: [c-nsp] ipv6 cheat sheet
In-Reply-To:
References:
Message-ID: <4B0E82F9.60702@ibctech.ca>

Paul G. Timmins wrote:
> You can subnet ipv6 with your eyeballs, just add or subtract 4 from the
> prefix length for every character you move to the left or right.
>
> 1234:1234:1234:1234::/64
> 1234:1234:1234:123X::/60
> 1234:1234:1234:12XX::/56
> 1234:1234:1234:1XXX::/52
> 1234:1234:1234::/48

ipv6gen is handy for visualizing different possible addressing scenarios:

% ipv6gen -s 4 -l 2607:f118::/32 48
2607:F118:0000::/48
2607:F118:2000::/48
2607:F118:1000::/48
2607:F118:3000::/48
2607:F118:0800::/48
2607:F118:2800::/48

% ipv6gen -s 4 -l 2607:F118:2800::/48 56
2607:F118:2800:0000::/56
2607:F118:2800:2000::/56
2607:F118:2800:1000::/56
2607:F118:2800:3000::/56
2607:F118:2800:0800::/56

% ipv6gen -s 4 -l 2607:F118:0800::/48 64
2607:F118:0800:0000::/64
2607:F118:0800:2000::/64
2607:F118:0800:1000::/64
2607:F118:0800:3000::/64

etc.

Steve

From lobotiger at gmail.com Thu Nov 26 09:08:17 2009
From: lobotiger at gmail.com (Lobo)
Date: Thu, 26 Nov 2009 09:08:17 -0500
Subject: [c-nsp] QoS for different types of internet customers
Message-ID: <4B0E8BD1.40304@gmail.com>

We're in the early stages of planning a QoS rollout for our MPLS enabled network and while we have in mind to offer about 4 different classes (Real Time, Gold, Silver, Bronze/Best Effort), we were told by Marketing that they wish to differentiate between different types of Internet customers. Originally and like most standard practices, any internet customer's traffic would normally be put in the BE queue.
Now we're getting requests to have say the low, bursty internet customers (1.5Mbps - 3.0Mbps) get put into the BE queue while a dedicated 20Mbps should go into the silver or even gold queue.

I have many problems with this like how would you be able to put the 20M customer's traffic into the gold queue for traffic coming in from the Internet? The only way I can think of is to match on their IP space on each of our gateway routers but this would destroy our gateways since they're already running hot enough. Another issue is, what happens if that customer gets DDoS'd? This would mean that we're guaranteeing that at least 20Mbps of DoS traffic would be able to go through our network and to the customer's site. Oh and at the same time probably affecting the data customers who would be using the gold/silver queues for their services.

Do you guys have any advice whether it's more ammunition for me to say no way or some kind of design/configuration that would possibly work?

Thanks in advance.

Jose

From paul at paulstewart.org Thu Nov 26 09:10:31 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 26 Nov 2009 09:10:31 -0500
Subject: [c-nsp] mlppp dot1q question
Message-ID: <000601ca6ea2$3713eb10$a53bc130$@org>

Hey guys...

Is there any way to run subinterfaces across a MLPPP bundle in IOS?
thanks,

Paul

From jarruda-cnsp at jarruda.com Thu Nov 26 08:45:37 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Thu, 26 Nov 2009 08:45:37 -0500
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net>
Message-ID: <4B0E8681.7020709@jarruda.com>

Asbjorn Hojmark - Lists wrote:
> On Thu, 26 Nov 2009 09:32:37 +1000, you wrote:
>
>> If there's a 4 slot chassis in the 2nd generation then I could see
>> N7K and N5K / N4K as a possible end-to-end platform for L3/MPLS core,
>> L2/L3 aggregation, and L2 access. And it would all run the same
>> software !!!
>
> Except, of course, the N7K doesn't currently do MPLS and won't for
> another year, and when it does it will, as always, be released in
> phases.
>
> Also, Nexus is positioned for the DC, so there will always be lacking
> features when compared to the SP platforms.
>
> 'Don't send a switch to do a router's job'.

I'm curious, what is the difference ? I remember the debate (bridge x switch) in another generation...
Is the N7K a hard-coded-can't-change forwarding glue (EARL8 at that) platform, TCAM based, hence the 'switch' term ?
Or in the feature set (control-plane ? forwarding-plane ?)
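Paul's four-bits-per-hex-character rule and Steve's ipv6gen listing (ipv6 cheat sheet thread above), carried into code as an added example; this is my code, not something from the list or from ipv6gen. The reserved_bits parameter is my own assumption: holding back two bits of the subnet field happens to reproduce the order in Steve's listing, but I do not claim that is what ipv6gen's -s option does.

```python
"""Nibble-boundary IPv6 subnetting and sparse (bit-reversed) allocation.

Constructed example; not from the cisco-nsp thread or from ipv6gen.
"""
from __future__ import annotations

from ipaddress import IPv6Network


def nibble_prefix_len(hex_chars_kept: int) -> int:
    """The eyeball rule: every hex character of an IPv6 address is four bits,
    so keeping N characters (counted from the left with '::' expanded)
    describes a /(4*N): 16 characters -> /64, 15 -> /60, 12 -> /48."""
    if not 0 <= hex_chars_kept <= 32:
        raise ValueError("an IPv6 address has 32 hex characters")
    return 4 * hex_chars_kept


def prefix_from_nibbles(address: str, hex_chars_kept: int) -> IPv6Network:
    """Return the prefix spanned by the first N hex characters of address."""
    # Expand '::' and drop the colons so hex characters can be indexed directly.
    digits = IPv6Network(f"{address}/128").network_address.exploded.replace(":", "")
    kept = digits[:hex_chars_kept].ljust(32, "0")      # zero everything to the right
    grouped = ":".join(kept[i:i + 4] for i in range(0, 32, 4))
    return IPv6Network(f"{grouped}/{nibble_prefix_len(hex_chars_kept)}")


def _bit_reverse(value: int, width: int) -> int:
    """Reverse the low `width` bits of value (value must fit in width bits)."""
    if value >= 1 << width:
        raise ValueError("value does not fit in the subnet field")
    return int(f"{value:0{width}b}"[::-1], 2)


def sparse_subnets(parent: str, new_len: int, count: int,
                   reserved_bits: int = 0) -> list[IPv6Network]:
    """Enumerate `count` subnets of `parent` at /new_len in 'leftmost' order
    (the RFC 3531 idea): subnet numbers are handed out in bit-reversed
    sequence, so early allocations land as far apart as possible and each
    can later be grown in place.  The top `reserved_bits` bits of the subnet
    field are never set (assumption: reserved_bits=2 matches the listing in
    the thread, whatever ipv6gen's -s option actually means)."""
    net = IPv6Network(parent)
    width = new_len - net.prefixlen - reserved_bits
    if width <= 0:
        raise ValueError("no room for a subnet field")
    shift = 128 - new_len                     # bit position of the subnet field
    base = int(net.network_address)
    return [IPv6Network((base | (_bit_reverse(i, width) << shift), new_len))
            for i in range(count)]


if __name__ == "__main__":
    for n in (16, 15, 14, 13, 12):            # Paul's /64 ... /48 ladder
        print(prefix_from_nibbles("1234:1234:1234:1234::", n))
    for sub in sparse_subnets("2607:f118::/32", 48, 6, reserved_bits=2):
        print(sub)                            # same order as Steve's first listing
```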
From rdobbins at arbor.net Thu Nov 26 09:33:07 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Thu, 26 Nov 2009 14:33:07 +0000
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0E8681.7020709@jarruda.com>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0E8681.7020709@jarruda.com>
Message-ID:

On Nov 26, 2009, at 9:45 PM, Julio Arruda wrote:

> Is the N7K is a hard-coded-can't-change forwarding glue (EARL8 at that) platform, TCAM based, hence the 'switch' term ?

It uses the EARL8 ASIC, yes, and it's considered a layer-3 switch. However, the EARL8 does allow for considerably more flexibility than the previous ASICs (i.e., good NetFlow, good uRPF, not so many weird ACL-construction caveats, etc.), and the NX-OS software platform is a much easier development platform to deal with than IOS.

-----------------------------------------------------------------------
Roland Dobbins // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From ml at kenweb.org Thu Nov 26 09:48:32 2009
From: ml at kenweb.org (ML)
Date: Thu, 26 Nov 2009 09:48:32 -0500
Subject: [c-nsp] ACL doesn't seem to filtering anything
Message-ID: <4B0E9540.4060502@kenweb.org>

I'm trying to block a customer from using tcp/25 by filtering inbound on their circuit. When I check the counters for the ACL they don't increase and I can see that the customer is still able to use tcp/25 outbound.
ACL:

access-list 143 permit tcp 23.45.67.0 0.0.0.255 host 12.23.45.25 eq smtp log
access-list 143 deny tcp 23.45.67.0 0.0.0.255 any eq smtp log
access-list 143 permit ip any any log

Interface Config:

interface GigabitEthernet1/5
 ip address 56.78.90.12 255.255.255.252
 ip access-group 143 in
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
 no cdp enable
 no mop enabled

I just want to allow them to use our Smarthost and block all other SMTP. Any thoughts on this one?

From lobotiger at gmail.com Thu Nov 26 09:55:50 2009
From: lobotiger at gmail.com (Lobo)
Date: Thu, 26 Nov 2009 09:55:50 -0500
Subject: [c-nsp] QoS for different types of internet customers
In-Reply-To: <-7690073966675025271@unknownmsgid>
References: <4B0E8BD1.40304@gmail.com> <-7690073966675025271@unknownmsgid>
Message-ID: <4B0E96F6.1090802@gmail.com>

This is how I view it as well...only provide QoS to the MPLS VPN since all the traffic stays on your network. I think what the Sales & Marketing folk are seeing this as, "well our dedicated internet customers pay more than the burst low speed customers so we should be able to guarantee their traffic in times of congestion." It's always about the $$$.

Jose

William Byrd wrote:
> If it helps we only offer QoS to customers with MPLS VPN. Our QoS
> product is very similar to what you're talking about. (Gold, Silver,
> and Bronze) It doesn't make sense to us to prioritize Internet traffic
> as it is all BE once it leaves our network. When we originally turned
> all of this up the reasoning to marketing folks was that speed vs.
> Bandwidth was usually confusing enough to customers and trying to
> explain why end to end QoS across the Internet won't work would be
> hell for our support teams.
>
> Basically the way we broke down our QoS was:
>
> Bronze - best effort
> Silver - premium data for customers
> Gold - customer voip / video
>
> I guess you could call our gold queue the real time queue.
>
> --
> Will Collier-Byrd
>
> On Nov 26, 2009, at 9:08 AM, Lobo wrote:
>
>
>> We're in the early stages of planning a QoS rollout for our MPLS
>> enabled network and while we have in mind to offer about 4 different
>> classes (Real Time, Gold, Silver, Bronze/Best Effort), we were told
>> by Marketing that they wish to differentiate between different types
>> of Internet customers. Originally and like most standard practices,
>> any internet customer's traffic would normally be put in the BE
>> queue. Now we're getting requests to have say the low, bursty
>> internet customers (1.5Mbps - 3.0Mbps) get put into the BE queue
>> while a dedicated 20Mbps should go into the silver or even gold queue.
>>
>> I have many problems with this like how would you be able to put the
>> 20M customer's traffic in to the gold queue for traffic coming in
>> from the Internet? The only way I can think of is to match on their
>> IP space on each of our gateway routers but this would destroy our
>> gateways since they're already running hot enough. Another issue
>> is, what happens if that customer gets DDoS'd? This would mean that
>> we're guaranteeing that at least 20Mbps of DoS traffic would be able
>> to go through our network and to the customer's site. Oh and at the
>> same time probably affecting the data customers who would be using
>> the gold/silver queues for their services.
>>
>> Do you guys have any advice whether it's more ammunition for me to
>> say no way or some kind of design/configuration that would possibly
>> work?
>>
>> Thanks in advance.
>>
>> Jose
>>

From steve at ibctech.ca Thu Nov 26 10:06:20 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 26 Nov 2009 10:06:20 -0500
Subject: [c-nsp] ACL doesn't seem to filtering anything
In-Reply-To: <4B0E9540.4060502@kenweb.org>
References: <4B0E9540.4060502@kenweb.org>
Message-ID: <4B0E996C.40509@ibctech.ca>

ML wrote:
> I'm trying to block a customer from using tcp/25 by filtering inbound on
> their circuit. When I check the counters for the ACL they don't
> increase and I can see that the customer is still able to use tcp/25
> outbound.
>
> ACL:
>
> access-list 143 permit tcp 23.45.67.0 0.0.0.255 host 12.23.45.25 eq smtp
> log
> access-list 143 deny tcp 23.45.67.0 0.0.0.255 any eq smtp log
> access-list 143 permit ip any any log

Can you add a:

access-list 143 permit tcp any any eq smtp log

...at the top of the rule list to verify that they are actually coming from the IP block in the ACL?

Steve

From gert at greenie.muc.de Thu Nov 26 10:07:52 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 26 Nov 2009 16:07:52 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0E8681.7020709@jarruda.com>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0E8681.7020709@jarruda.com>
Message-ID: <20091126150752.GM163@greenie.muc.de>

Hi,

On Thu, Nov 26, 2009 at 08:45:37AM -0500, Julio Arruda wrote:
> >'Don't send a switch to do a router's job'.
>
> I'm curious, what is the difference ?

Price, revenue, target market, business unit.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From justin at justinshore.com Thu Nov 26 10:57:11 2009
From: justin at justinshore.com (Justin Shore)
Date: Thu, 26 Nov 2009 09:57:11 -0600
Subject: [c-nsp] mlppp dot1q question
In-Reply-To: <000601ca6ea2$3713eb10$a53bc130$@org>
References: <000601ca6ea2$3713eb10$a53bc130$@org>
Message-ID: <4B0EA557.40001@justinshore.com>

Paul Stewart wrote:
> Hey guys...
>
>
>
> Is there any way to run subinterfaces across a MLPPP bundle in IOS?

I'm assuming that you want to carry a couple VLANs down a MLPPP bundle, correct? If so then one solution is called BCP (Bridge Control Protocol). It's a fairly old protocol. When I researched it I found references to it in the early 12.x code docs. You probably don't want to consider it though. Command #1 in any config guide you find is 'no ip routing'. That's right; you have to disable routing on your router to use it. We were evaluating the Overture ISG 140/180 Ethernet of bonded DS1 product when we came across it. The OV SE told us that sure it interopted nicely with MLPPP on a 7200. What he didn't mention was that you also had to use BCP, effectively cutting the legs out from under our router. If you happen to have an old 7200 with an older CPU sitting around then you have a nice platform to work with. If you don't and the router you spent big $$$ on is also doing routing (fancy that) you probably don't want to use BCP.

On a side note, I recall while searching for data on BCP that it's also possible on platforms that use SPAs. If memory serves me correctly you don't have to disable routing on those platforms. On those platforms you can literally apply switchport commands to the Serial interfaces.
It looked very slick but we didn't have SPA-capable hardware in that POP to work with at the time so it wasn't a solution for us.

Search cisco.com for BCP and you'll find some docs.

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76cfgt1.html#wp1159581
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfgsip.html#wp1182134
http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_bcp_ps10591_TSD_Products_Configuration_Guide_Chapter.html
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_bcp.html
http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_bcp_ps6922_TSD_Products_Configuration_Guide_Chapter.html

Or are you asking if it's possible to break a MLPPP bundle of a couple DS1s into a couple different MLPPP bundles while still maintaining some manner of link redundancy when spanned across the 2 (or more) DS1s? If that's the case then you could look at creating multiple channel-groups in the controller config. Say for example

t1 10 channel-group 0 timeslots 1-12
t1 10 channel-group 1 timeslots 13-24
t1 11 channel-group 0 timeslots 1-12
t1 11 channel-group 1 timeslots 13-24

Then put Se1/0/10:0 and Se1/0/11:0 into a MLPPP bundle and Se1/0/10:1 and Se1/0/11:1 into a separate MLPPP bundle. The downside is that there is no sharing of bandwidth between the 2 unique bundles.
Best of luck
Justin

From lukasz at bromirski.net Thu Nov 26 11:19:28 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 26 Nov 2009 17:19:28 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0E8681.7020709@jarruda.com>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0E8681.7020709@jarruda.com>
Message-ID: <4B0EAA90.2090104@bromirski.net>

On 2009-11-26 14:45, Julio Arruda wrote:
> I'm curious, what is the difference ? I remember the debate (bridge x switch) in another generation...
> Is the N7K is a hard-coded-can't-change forwarding glue (EARL8 at that) platform, TCAM based, hence the 'switch' term ?
> Or in the feature set (control-plane ? forwarding-plane ?)

As Roland already pointed out, the forwarding plane is similar - EARL8 is the logic and it is common for Sup2T and N7K current generation of Sup. There's difference (big one) in the way switch fabric is built, and there's also a difference in the way control plane operates - different hardware behind the CLI for 6500 (even with Sup2T) and the one you find in N7K.

--
"Everything will be okay in the end.  | Łukasz Bromirski
 If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From paul at paulstewart.org Thu Nov 26 11:19:27 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 26 Nov 2009 11:19:27 -0500
Subject: [c-nsp] mlppp dot1q question
In-Reply-To: <4B0EA557.40001@justinshore.com>
References: <000601ca6ea2$3713eb10$a53bc130$@org> <4B0EA557.40001@justinshore.com>
Message-ID: <001d01ca6eb4$39dd1800$ad974800$@org>

Thanks very much ..
that gives me what I was looking for unfortunately ;)

Paul

-----Original Message-----
From: Justin Shore [mailto:justin at justinshore.com]
Sent: November-26-09 10:57 AM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] mlppp dot1q question

Paul Stewart wrote:
> Hey guys...
>
> Is there any way to run subinterfaces across a MLPPP bundle in IOS?

I'm assuming that you want to carry a couple VLANs down a MLPPP bundle, correct? If so then one solution is called BCP (Bridge Control Protocol). It's a fairly old protocol. When I researched it I found references to it in the early 12.x code docs. You probably don't want to consider it though. Command #1 in any config guide you find is 'no ip routing'. That's right; you have to disable routing on your router to use it.

We were evaluating the Overture ISG 140/180 Ethernet over bonded DS1 product when we came across it. The OV SE told us that sure it interoperated nicely with MLPPP on a 7200. What he didn't mention was that you also had to use BCP, effectively cutting the legs out from under our router. If you happen to have an old 7200 with an older CPU sitting around then you have a nice platform to work with. If you don't and the router you spent big $$$ on is also doing routing (fancy that) you probably don't want to use BCP.

On a side note, I recall while searching for data on BCP that it's also possible on platforms that use SPAs. If memory serves me correctly you don't have to disable routing on those platforms. On those platforms you can literally apply switchport commands to the Serial interfaces. It looked very slick but we didn't have SPA-capable hardware in that POP to work with at the time so it wasn't a solution for us. Search cisco.com for BCP and you'll find some docs.
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76cfgt1.html#wp1159581
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfgsip.html#wp1182134
http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_bcp_ps10591_TSD_Products_Configuration_Guide_Chapter.html
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_bcp.html
http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_bcp_ps6922_TSD_Products_Configuration_Guide_Chapter.html

Or are you asking if it's possible to break a MLPPP bundle of a couple DS1s into a couple different MLPPP bundles while still maintaining some manner of link redundancy when spanned across the 2 (or more) DS1s? If that's the case then you could look at creating multiple channel-groups in the controller config. Say for example

  t1 10 channel-group 0 timeslots 1-12
  t1 10 channel-group 1 timeslots 13-24
  t1 11 channel-group 0 timeslots 1-12
  t1 11 channel-group 1 timeslots 13-24

Then put Se1/0/10:0 and Se1/0/11:0 into a MLPPP bundle and Se1/0/10:1 and Se1/0/11:1 into a separate MLPPP bundle. The downside is that there is no sharing of bandwidth between the 2 unique bundles.

Best of luck
Justin

From koug at intracom.gr Thu Nov 26 12:03:53 2009
From: koug at intracom.gr (John Kougoulos)
Date: Thu, 26 Nov 2009 19:03:53 +0200 (GTB Standard Time)
Subject: [c-nsp] mlppp dot1q question
In-Reply-To: <000601ca6ea2$3713eb10$a53bc130$@org>
References: <000601ca6ea2$3713eb10$a53bc130$@org>
Message-ID:

> Is there any way to run subinterfaces across a MLPPP bundle in IOS?

maybe you could also use eg l2tpv3 over mlppp or frame-relay with frf.16.1 and DLCIs? Haven't tried it though...

John

From jesus_leung at ahm.honda.com Thu Nov 26 13:01:22 2009
From: jesus_leung at ahm.honda.com (jesus_leung at ahm.honda.com)
Date: Thu, 26 Nov 2009 10:01:22 -0800
Subject: [c-nsp] CN=Jesus Leung/OU=AHM/OU=AM/O=HONDA is out of the office.
Message-ID:

I will be out of the office starting 11/26/2009 and will not return until 11/30/2009. I will respond to your message when I return. If you require immediate assistance, please contact Network Operations at 310-783-2518 and someone will be able to assist you.

From gert at greenie.muc.de Thu Nov 26 13:08:42 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 26 Nov 2009 19:08:42 +0100
Subject: [c-nsp] PA-MC-8T1
In-Reply-To:
References:
Message-ID: <20091126180842.GO163@greenie.muc.de>

Hi,

On Wed, Nov 25, 2009 at 10:09:12PM -0600, Graham Wooden wrote:
> Just wanted to confirm before I spend the money ....
>
> I am looking at the WAN card PA-MC-8T1 for some T1 aggregation points, inserted into FlexWAN/6500. As I am reading the data sheet for it, it looks like it can do non-channelized connections, right? Need to consolidate down some non-fractional/channelized T1s...

I have no experience with the PA-MC-8T1, but we use a lot of MC-8E1s in our network. It can do "full rate" E1s (1984 time slots) and of course sub-rate. The total number of interfaces is limited to a number that I forgot, so you can't do 8 x 30 DS0 interfaces - what we did at the time was to run 6x full rate and 2x channelized E1s on them.

Now for the FlexWAN: seriously reconsider whether you want to go there, or whether you want to get a used 7200 instead and just put it on top of the 6500, giving you 4 or 6 PA slots for the price of a single FlexWAN with two slots. The problem with the FlexWAN is not that it wouldn't work, but that Cisco has a nasty habit of discontinuing support for 6500 blades that are less-than-mainstream in new IOS trains - FlexWAN is already unsupported in most recent IOS versions (SXH, I think, dropped FW support) and you would need to use "enhanced FlexWAN".
(I certainly can understand that old hardware needs to die at some point, but if all you have is a 6500, and you need SXH/SXI to support one half of your hardware, and 'no more recent than SXF' to support the *other* half, you're sort of stuck in "I hate Cisco" land. If you have multiple baskets, it's much easier to balance IOS reality vs. real world needs)

((I also think the FlexWAN was a very nice idea. Fortunately enough, for the longest time it was just too expensive to be more interesting than "just get another 7200" - and when we saw that it was already being dropped, we congratulated ourselves for not having fallen into every single 6500 BU trap))

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Thu Nov 26 13:13:30 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 26 Nov 2009 19:13:30 +0100
Subject: [c-nsp] mlppp dot1q question
In-Reply-To: <4B0EA557.40001@justinshore.com>
References: <000601ca6ea2$3713eb10$a53bc130$@org> <4B0EA557.40001@justinshore.com>
Message-ID: <20091126181330.GP163@greenie.muc.de>

Hi,

On Thu, Nov 26, 2009 at 09:57:11AM -0600, Justin Shore wrote:
> > Is there any way to run subinterfaces across a MLPPP bundle in IOS?
>
> I'm assuming that you want to carry a couple VLANs down a MLPPP bundle, correct? If so then one solution is called BCP (Bridge Control Protocol).

One could use its more recent incarnation - EoMPLS. Which works across MLPPP "mostly fine" - that is, EoMPLS requires CEF, and there have been nasty bugs with CEF and MLPPP in the past (we haven't bitten ourselves but from what I saw on the list here). But with a recent IOS this should work.
gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From tony at lava.net Thu Nov 26 13:16:41 2009
From: tony at lava.net (Antonio Querubin)
Date: Thu, 26 Nov 2009 08:16:41 -1000 (HST)
Subject: [c-nsp] mlppp vs multipath bgp on NM-4T
Message-ID:

I'm weighing the pros/cons of using MLPPP vs dual BGP links over 2 synchronous serial lines attached to an NM-4T in a Cisco 3640. The serial lines have different bandwidths - one serial line will be running at 8 Mbps and the other will be 4 Mbps. Both serial lines terminate on the same router at the remote end. The routers will use BGP to pass routes (BGP on the multilink interface if using MLPPP). The MLPPP method seems simpler as there would be only a single BGP peering link. However, docs suggest MLPPP adds quite a bit of overhead.

How much extra overhead would MLPPP add to the 3640 cpu load?

Will multipath BGP work even though there is no MPLS-VPN or VRF configured on either router?

Will a single traffic flow be able to utilize the full aggregate 12 Mbps of bandwidth if using multipath BGP?

Which method would recover more quickly or tolerate the loss of one of the links?

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From thomas at habets.pp.se Thu Nov 26 14:11:28 2009
From: thomas at habets.pp.se (Thomas Habets)
Date: Thu, 26 Nov 2009 20:11:28 +0100 (CET)
Subject: [c-nsp] Problem with dscp packets marking on 76th platform.
In-Reply-To:
References: <4B0D1075.50601@mail.ru> <4B0D5293.7090604@mail.ru>
Message-ID:

On Thu, 26 Nov 2009, selamat pagi wrote:
> When you did your first test, CE-PE1-P-PE2 where there still vrf's configured.
> That would explain why you did not see DSCP-values, you would have seen EXP-values. You still would have 1 label (vpn-label).

No, I had multiple P routers in a row where I matched on EXP and saw this. And I think this was also an issue outgoing from the egress PE when there is no label (only DSCP) and I matched on DSCP.

Really, the show-policy-map-interface counters don't work unless you set something in the matching class on 6500/7600. Yes. Really.

> To prove this, could you change your policy to match EXP 4 instead of DSCP 39 ?

That's what I did. Since as you say, only the outer label is popped by PHP.

Like I said: sniff the traffic if you think things aren't being tagged. They may well be tagged properly. Also you can try traceroute through the network with a traceroute that understands EXP in the TTL expired messages (where the traceroute probes ought to be tagged). Doesn't work all that well if you have no-propagate-ttl though.

---------
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas at habets.pp.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

From david at hughes.com.au Thu Nov 26 14:44:49 2009
From: david at hughes.com.au (David Hughes)
Date: Fri, 27 Nov 2009 05:44:49 +1000
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To:
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net>
Message-ID: <76CE3286-49B0-40A2-A10E-B5FEDAB230D2@hughes.com.au>

On 26/11/2009, at 10:17 PM, Asbjorn Hojmark wrote:
> Also, Nexus is positioned for the DC, so there will always be lacking features when compared to the SP platforms.

Yup, and that's exactly the scenario I was talking about. We run mpls/ip + l2/l3 agg + l2 access for our DC networks and our inter-DC networks.
So, yes, when NX-OS has MPLS (and yup, could be 2010) then it'd fit all of that down to the ground.

David
...

From vuillaumes at gmail.com Thu Nov 26 16:14:04 2009
From: vuillaumes at gmail.com (samuel vuillaume)
Date: Thu, 26 Nov 2009 16:14:04 -0500
Subject: [c-nsp] Loop guard and Bridge Assurance
Message-ID:

Hi Guys,

Can someone see a benefit of bridge assurance instead of using loop guard? I understand what BA does, but i can't see any benefits over loop guard.

tks
Sam

From twelcome at mobileemail.vodafonesa.co.za Tue Nov 17 16:25:01 2009
From: twelcome at mobileemail.vodafonesa.co.za (twelcome at mobileemail.vodafonesa.co.za)
Date: Tue, 17 Nov 2009 21:25:01 +0000
Subject: [c-nsp] Using BFD as a link monitoring protocol
Message-ID: <339910288-1259270716-cardhu_decombobulator_blackberry.rim.net-867042718-@bda192.bisx.produk.on.blackberry>

Hi All

I need to monitor the state of links between router interfaces, and I have a case where the link may go down (due to fibre break at L2) but the interfaces still appear up when polled (we're on a ring). When a link goes down I need to get sent a trap specifically identifying which link went down, so I've looked at BFD (Bidirectional Forwarding Detection), and the idea is to set up bfd sessions to run between each pair of interfaces that define a link, and a session failure will result in snmp traps being sent identifying which link failed.

My question is: Has anyone deployed BFD for this purpose, i.e link failure monitoring, and is this an appropriate application of BFD?

Thanks,
Traiano

From felixnkansah at gmail.com Thu Nov 26 18:23:20 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Thu, 26 Nov 2009 23:23:20 +0000
Subject: [c-nsp] Cisco Tahoma 1.x
Message-ID: <18dba4e50911261523l47c5f76dx5061637fd9ab5070@mail.gmail.com>

Hi Team,

I have been hearing of Cisco Tahoma 1.x guide to carrier ethernet design.
Would anyone with access to the document share his/hers with me, if permitted?

Thanks.

From graham at g-rock.net Thu Nov 26 21:11:28 2009
From: graham at g-rock.net (Graham Wooden)
Date: Thu, 26 Nov 2009 20:11:28 -0600
Subject: [c-nsp] PA-MC-8T1
In-Reply-To: <20091126180842.GO163@greenie.muc.de>
Message-ID:

Gert, good thinking. I keep forgetting about the c7200 platform. There are some good deals on ones with the NPE200s in them. Heck, cheap enough to have a spare ...

Thanks again and take care,

-graham

On 11/26/09 12:08 PM, "Gert Doering" wrote:
> Hi,
>
> On Wed, Nov 25, 2009 at 10:09:12PM -0600, Graham Wooden wrote:
>> Just wanted to confirm before I spend the money ....
>>
>> I am looking at the WAN card PA-MC-8T1 for some T1 aggregation points, inserted into FlexWAN/6500. As I am reading the data sheet for it, it looks like it can do non-channelized connections, right? Need to consolidate down some non-fractional/channelized T1s...
>
> I have no experience with the PA-MC-8T1, but we use a lot of MC-8E1s in our network. It can do "full rate" E1s (1984 time slots) and of course sub-rate. The total number of interfaces is limited to a number that I forgot, so you can't do 8 x 30 DS0 interfaces - what we did at the time was to run 6x full rate and 2x channelized E1s on them.
>
> Now for the FlexWAN: seriously reconsider whether you want to go there, or whether you want to get a used 7200 instead and just put it on top of the 6500, giving you 4 or 6 PA slots for the price of a single FlexWAN with two slots. The problem with the FlexWAN is not that it wouldn't work, but that Cisco has a nasty habit of discontinuing support for 6500 blades that are less-than-mainstream in new IOS trains - FlexWAN is already unsupported in most recent IOS versions (SXH, I think, dropped FW support) and you would need to use "enhanced FlexWAN".
>
> (I certainly can understand that old hardware needs to die at some point, but if all you have is a 6500, and you need SXH/SXI to support one half of your hardware, and 'no more recent than SXF' to support the *other* half, you're sort of stuck in "I hate Cisco" land. If you have multiple baskets, it's much easier to balance IOS reality vs. real world needs)
>
> ((I also think the FlexWAN was a very nice idea. Fortunately enough, for the longest time it was just too expensive to be more interesting than "just get another 7200" - and when we saw that it was already being dropped, we congratulated ourselves for not having fallen into every single 6500 BU trap))
>
> gert

From dudepron at gmail.com Thu Nov 26 21:30:08 2009
From: dudepron at gmail.com (Aaron)
Date: Thu, 26 Nov 2009 21:30:08 -0500
Subject: [c-nsp] PA-MC-8T1
In-Reply-To:
References: <20091126180842.GO163@greenie.muc.de>
Message-ID: <480dad640911261830x384c2281s2548a1c4f5a88837@mail.gmail.com>

It can do what you want. T1 or DS0s.

Aaron

On Thu, Nov 26, 2009 at 21:11, Graham Wooden wrote:
> Gert, good thinking. I keep forgetting about the c7200 platform. There are some good deals on ones with the NPE200s in them. Heck, cheap enough to have a spare ...
>
> Thanks again and take care,
>
> -graham
>
>
> On 11/26/09 12:08 PM, "Gert Doering" wrote:
> > Hi,
> >
> > On Wed, Nov 25, 2009 at 10:09:12PM -0600, Graham Wooden wrote:
> >> Just wanted to confirm before I spend the money ....
> >>
> >> I am looking at the WAN card PA-MC-8T1 for some T1 aggregation points, inserted into FlexWAN/6500. As I am reading the data sheet for it, it looks like it can do non-channelized connections, right? Need to consolidate down some non-fractional/channelized T1s...
> >
> > I have no experience with the PA-MC-8T1, but we use a lot of MC-8E1s in our network. It can do "full rate" E1s (1984 time slots) and of course sub-rate.
> > The total number of interfaces is limited to a number that I forgot, so you can't do 8 x 30 DS0 interfaces - what we did at the time was to run 6x full rate and 2x channelized E1s on them.
> >
> > Now for the FlexWAN: seriously reconsider whether you want to go there, or whether you want to get a used 7200 instead and just put it on top of the 6500, giving you 4 or 6 PA slots for the price of a single FlexWAN with two slots. The problem with the FlexWAN is not that it wouldn't work, but that Cisco has a nasty habit of discontinuing support for 6500 blades that are less-than-mainstream in new IOS trains - FlexWAN is already unsupported in most recent IOS versions (SXH, I think, dropped FW support) and you would need to use "enhanced FlexWAN".
> >
> > (I certainly can understand that old hardware needs to die at some point, but if all you have is a 6500, and you need SXH/SXI to support one half of your hardware, and 'no more recent than SXF' to support the *other* half, you're sort of stuck in "I hate Cisco" land. If you have multiple baskets, it's much easier to balance IOS reality vs. real world needs)
> >
> > ((I also think the FlexWAN was a very nice idea.
> > Fortunately enough, for the longest time it was just too expensive to be more interesting than "just get another 7200" - and when we saw that it was already being dropped, we congratulated ourselves for not having fallen into every single 6500 BU trap))
> >
> > gert
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ltd at cisco.com Thu Nov 26 21:58:43 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 27 Nov 2009 13:58:43 +1100
Subject: [c-nsp] Loop guard and Bridge Assurance
In-Reply-To:
References:
Message-ID: <37D1DB0B-7F61-4F03-86A4-4F9A09AB2ED9@cisco.com>

On 27/11/2009, at 8:14 AM, samuel vuillaume wrote:
> Can someone see a benefit of bridge assurance instead of using loop guard? I understand what BA does, but i can't see any benefits over loop guard.

there are a few scenarios where LoopGuard would not be effective at detecting loops and/or unidirectional links.

- can only be enabled on root & alternate ports. it CANNOT run on 'designated ports'.
- ineffective at detecting a port that has been unidirectional since link-up.

Bridge Assurance (BA) is effective at mitigating those remaining scenarios that LoopGuard could not. BA works because it turns STP into operating more like a routing protocol where BPDUs now go both ways on a given link verifying device health/awareness / lack of braindeadness. i.e. it turns STP from traditional "fail open" behavior to "fail closed".

compare figure 1 to figure 3 in and it should be clear.

cheers,

lincoln.
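A small model of the three behaviours Lincoln describes (plain STP failing open when BPDUs stop, Loop Guard acting only on root/alternate ports that had been receiving BPDUs, Bridge Assurance blocking any port whose neighbour goes silent), added here as an example and not part of the thread. The Port/Mode/State names and the collapsing of hello and max-age timers into a single "BPDU seen in this window" flag are simplifying assumptions of the model.

```python
"""Simplified model: what a switch port does once BPDUs stop arriving.

Added example, not code from the thread. Timers are collapsed into a
single boolean (did a BPDU arrive inside the current timeout window),
and a port's role is whatever STP assigned while BPDUs were flowing.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ROOT = "root"
    ALTERNATE = "alternate"
    DESIGNATED = "designated"


class State(Enum):
    FORWARDING = "forwarding"
    BLOCKING = "blocking"      # covers loop-inconsistent / BA-inconsistent


class Mode(Enum):
    PLAIN_STP = "stp"
    LOOP_GUARD = "loopguard"
    BRIDGE_ASSURANCE = "ba"


@dataclass
class Port:
    name: str
    role: Role                  # role STP assigned while BPDUs were flowing
    received_bpdu_before: bool  # ever saw a BPDU from the neighbour
    receiving_bpdu_now: bool    # BPDU seen within the current timeout window


def port_state(port: Port, mode: Mode) -> State:
    """State the port settles into after the BPDU timeout expires."""
    if port.receiving_bpdu_now:
        # Healthy bidirectional link: normal STP roles apply. Root and
        # designated ports forward, alternate ports block.
        return State.BLOCKING if port.role is Role.ALTERNATE else State.FORWARDING

    if mode is Mode.BRIDGE_ASSURANCE:
        # Fail closed: no BPDU in the window means the neighbour has not
        # proven itself alive, so the port blocks regardless of role or
        # of whether it ever received a BPDU (covers the since-link-up case).
        return State.BLOCKING

    if mode is Mode.LOOP_GUARD:
        # Loop Guard only protects root/alternate ports, and only fires when
        # BPDUs that used to arrive stop. A port that never saw a BPDU was
        # designated from link-up, so Loop Guard has nothing to act on.
        if port.role is not Role.DESIGNATED and port.received_bpdu_before:
            return State.BLOCKING

    # Plain STP (and Loop Guard on a designated port): silence is read as
    # "no neighbour", the port becomes designated and forwards. Fail open.
    return State.FORWARDING


def compare(port: Port) -> dict:
    """Outcome for one port under each protection mode, keyed by mode name."""
    return {mode.value: port_state(port, mode).value for mode in Mode}


# Constructed scenarios, not taken from any real switch.
SCENARIOS = [
    Port("root port, neighbour goes silent", Role.ROOT, True, False),
    Port("unidirectional since link-up", Role.DESIGNATED, False, False),
    Port("designated port, neighbour goes silent", Role.DESIGNATED, True, False),
    Port("healthy alternate port", Role.ALTERNATE, True, True),
]

if __name__ == "__main__":
    for p in SCENARIOS:
        print(f"{p.name:44s} {compare(p)}")
```

Only the second and third rows separate the two mechanisms, which is exactly the pair of gaps the reply lists for Loop Guard.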
From ltd at cisco.com Thu Nov 26 22:33:37 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 27 Nov 2009 14:33:37 +1100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net>
Message-ID:

On 27/11/2009, at 12:14 AM, Asbjorn Hojmark - Lists wrote:
>> If there's a 4 slot chassis in the 2nd generation then I could see N7K and N5K / N4K as a possible end-to-end platform for L3/MPLS core, L2/L3 aggregation, and L2 access. And it would all run the same software !!!
>
> Except, of course, the N7K doesn't currently do MPLS and won't for another year, and when it does it will, as always, be released in phases.
>
> Also, Nexus is positioned for the DC, so there will always be lacking features when compared to the SP platforms.

certainly when we (Cisco) announced the Nexus platform, we wanted to be very specific in terms of where the Nexus portfolio is positioned - and more precisely where it is not - because NX-OS intentionally is not at parity with IOS, and the initial I/O modules weren't targeted at internet-sized h/w FIB.

that there isn't parity with IOS has both good points and bad points. it rules out Nexus for some specific parts of networks. but it's also considered a good thing by others - Nexus & NX-OS reliability & availability are second to none, and characteristics such as forwarding remaining in a hardware path in all cases - are welcomed by many as a step forward.

fast forward to now from Nexus first release and some of the functionality enabled by Nexus and NX-OS are used by many folks outside of the 'strict' historic DC positioning

> 'Don't send a switch to do a router's job'.
"routers" will always have deeper buffers, esoteric queueing structures and more functionality by virtue of the choice of software processing and/or programmable NPUs used.

however many folks today consider c6500/c7600 to be "router" platforms and they are fundamentally PFC3 based. N7K M1 I/O forwarding engine is PFC4 which has all the capabilities of PFC3 + much more. while it's true that it's not programmable in the sense that a NPU is, there is a lot of flexibility in its capabilities which will become apparent as there are subsequent NX-OS releases.

i think both have their places. often it comes down to the price/port between a "router port" and a "switch port". even with "L3 switches" the old adage of "switch where you can, route where you must" probably holds true.

cheers,

lincoln.

From andy.saykao at staff.netspace.net.au Fri Nov 27 01:35:31 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Fri, 27 Nov 2009 17:35:31 +1100
Subject: [c-nsp] QoS for different types of internet customers
References:
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF8C@vic-cr-ex1.staff.netspace.net.au>

Sorry to diverge a bit from this discussion, but for customers on the Gold plan such as the one mentioned by Will, do you just prioritize their voip/video traffic so this traffic goes into the LLQ??? What happens to their other traffic - how will it be handled by the QoS policy?

Cheers.

Andy

------------------------------

Message: 10
Date: Thu, 26 Nov 2009 09:55:50 -0500
From: Lobo
To: Cisco-NSP Mailing List
Subject: Re: [c-nsp] QoS for different types of internet customers
Message-ID: <4B0E96F6.1090802 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

This is how I view it as well...only provide QoS to the MPLS VPN since all the traffic stays on your network.
I think what the Sales & Marketing folk are seeing this as, "well our dedicated internet customers pay more than the burst low speed customers so we should be able to guarantee their traffic in times of congestion." It's always about the $$$.

Jose

> William Byrd wrote:
>
> Basically the way we broke down our QoS was:
>
> Bronze - best effort
> Silver - premium data for customers
> Gold - customer voip / video
>
> I guess you could call our gold queue the real time queue.
>
> --
> Will Collier-Byrd

From oboehmer at cisco.com Fri Nov 27 02:03:20 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 27 Nov 2009 08:03:20 +0100
Subject: [c-nsp] Using BFD as a link monitoring protocol
In-Reply-To: <339910288-1259270716-cardhu_decombobulator_blackberry.rim.net-867042718-@bda192.bisx.produk.on.blackberry>
References: <339910288-1259270716-cardhu_decombobulator_blackberry.rim.net-867042718-@bda192.bisx.produk.on.blackberry>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FC3AB65@XMB-AMS-103.cisco.com>

Hi,

> I need to monitor the state of links between router interfaces, and I have a case where the link may go down (due to fibre break at L2) but the interfaces still appear up when polled (we're on a ring).
> When a link goes down I need to get sent a trap specifically identifying which link went down, so I've looked at BFD (Bidirectional Forwarding Detection), and the idea is to set up bfd sessions to run between each pair of interfaces that define a link, and a session failure will result in snmp traps being sent identifying which link failed.
>
> My question is: Has anyone deployed BFD for this purpose, i.e link failure monitoring, and is this an appropriate application of BFD?

Well, you can't just run BFD by itself, you need to have an application/client (routing protocols, HSRP, etc.) which is configured to use BFD before BFD establishes a session (not sure if the hidden command "bfd neighbor x.x.x.x" can work around this). In addition, BFD MIB is not yet there except in 12.2SRE.

Not sure how many pairs you need to monitor, but you could investigate using IP-SLA probes for this purpose..

oli

From gert at greenie.muc.de Fri Nov 27 02:32:40 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 27 Nov 2009 08:32:40 +0100
Subject: [c-nsp] PA-MC-8T1
In-Reply-To:
References: <20091126180842.GO163@greenie.muc.de>
Message-ID: <20091127073240.GU163@greenie.muc.de>

Hi,

On Thu, Nov 26, 2009 at 08:11:28PM -0600, Graham Wooden wrote:
> Gert, good thinking. I keep forgetting about the c7200 platform. There are some good deals on ones with the NPE200s in them. Heck, cheap enough to have a spare ...

Watch out. The NPE200 has been unsupported for a long time, so "recent IOS" will definitely complain about being unsupported, and might not work correctly.

As far as I understand, the NPE225 is still supported (because it's the fastest NPE for the non-VXR platform) and the NPE400/NPE-G1/NPE-G2 on the VXR. Not 100% sure about the NPE400.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From lists at hojmark.org Fri Nov 27 02:41:58 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Fri, 27 Nov 2009 08:41:58 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To:
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net>
Message-ID:

On Fri, 27 Nov 2009 14:33:37 +1100, you wrote:

>> Except, of course, the N7K doesn't currently do MPLS and won't for another year, and when it does it will, as always, be released in phases.

> fast forward to now from Nexus first release and some of the functionality enabled by Nexus and NX-OS are used by many folks outside of the 'strict' historic DC positioning

Yes, but MPLS was specifically mentioned. So when will the N7K do MPLS VPN, TE, EoMPLS, and VPLS? Oh, it isn't even EC'd? And that's just at the high level, so when we get to the nitty gritty details of each of them, there will be more waiting...

>> 'Don't send a switch to do a router's job'.

> "routers" will always have deeper buffers, esoteric queueing structures and more functionality by virtue of the choice of software processing and/or programmable NPUs used.

Hardware architecture aside, 'routers' will normally also have those crucial 'router features' from day 1. You won't have to wait years for them.

> however many folks today consider c6500/c7600 to be "router" platforms and they are fundamentally PFC3 based.

Yup, but if you want to do anything remotely 'fancy', you'll be using the NPU-based blades at more or less the same price per blade as the whole original router...

> i think both have their places.
Sure, there's a place for a great DC switch. The switching fabric in the N7K is a fantastic piece of engineering, for example, and it's a good thing it found its way into the ASR 9000 too.

-A

PS: Even the 6500 does MPLS VPNs, and we have DC customers who can't migrate to the N7K (for higher density 10G and lower price per 10G port), because it doesn't do MPLS VPNs. (Oh, and that box from Vendor J does).

From twelcome at mobileemail.vodafonesa.co.za Fri Nov 27 02:53:38 2009
From: twelcome at mobileemail.vodafonesa.co.za (twelcome at mobileemail.vodafonesa.co.za)
Date: Fri, 27 Nov 2009 07:53:38 +0000
Subject: [c-nsp] Using BFD as a link monitoring protocol
Message-ID: <557860570-1259308503-cardhu_decombobulator_blackberry.rim.net-828203789-@bda192.bisx.produk.on.blackberry>

(Apologies for top-posting - dumb mail-client)

Correct, I intend using one of bgp, isis or other appropriate IGP with BFD as cisco recommends in their documentation. Are you sure there is no mib for BFD?, I see, on ciscos ftp mib repository, a bfd-ietf-mib.txt that reads " ... Mib for bidirectional forwarding protocol... "?

Alternatively, if I used this with isis, for example, would I be able to have isis generate traps, based on detection performed by the BFD mechanism?

Unfortunately, IP-SLA has been overruled by the powers that be on this particular network :-)

Many Thanks,
Traiano

------Original Message------
From: Oliver Boehmer (oboehmer)
To: twelcome at mobileemail.vodafonesa.co.za
To: cisco-nsp at puck.nether.net
Sent: Nov 27, 2009 9:03 AM
Subject: RE: [c-nsp] Using BFD as a link monitoring protocol

Hi,

> I need to monitor the state of links between router interfaces, and I have a case where the link may go down (due to fibre break at L2) but the interfaces still appear up when polled (we're on a ring).
When a link goes > down I need to get sent a trap specifically identifying which link went > down, so I've looked at BFD (Bidirectional Forwarding Detection), and the > idea is to set up bfd sessions to run between each pair of interfaces that > define a link, and a session failure will result in snmp traps being sent > identifying which link failed. > > My question is: Has anyone deployed BFD for this purpose, i.e link failure > monitoring, and is this an appropriate application of BFD? Well, you can't just run BFD by itself, you need to have an application/client (routing protocols, HSRP, etc.) which is configured to use BFD before BFD establishes a session (not sure if the hidden command "bfd neighbor x.x.x.x" can work around this). In addition, BFD MIB is not yet there except in 12.2SRE. Not sure how many pairs you need to monitor, but you could investigate using IP-SLA probes for this purpose.. oli Sent via my BlackBerry from Vodacom - let your email find you! From achatz at forthnet.gr Fri Nov 27 03:15:27 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 27 Nov 2009 10:15:27 +0200 Subject: [c-nsp] how to clear a pseudowire? Message-ID: <4B0F8A9F.5000509@forthnet.gr> Is there an easy way to clear/reset a eompls pseudowire? The only (not affecting other services of the same interface) way i have found is to remove the xconnect config from both sides, but i was hoping that a clear command would exist. 
-- Tassos From ltd at cisco.com Fri Nov 27 03:37:30 2009 From: ltd at cisco.com (Lincoln Dale) Date: Fri, 27 Nov 2009 19:37:30 +1100 Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL) In-Reply-To: References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> Message-ID: <82107A0D-A893-4059-A2B3-AC21E31614CC@cisco.com> On 27/11/2009, at 6:41 PM, Asbjorn Hojmark - Lists wrote: > On Fri, 27 Nov 2009 14:33:37 +1100, you wrote: >>> Except, of cause, the N7K doesn't currently do MPLS and won't for >>> another year, and when it does it will, as always, be released in >>> fases. > >> fast forward to now from Nexus first release and some of the functionality >> enabled by Nexus and NX-OS are used by many folks outside of the 'strict' >> historic DC positioning > > Yes, but MPLS was specifically mentioned. So when will the N7K do MPLS > VPN, TE, EoMPLS, and VPLS? Oh, it isn't even EC'd? And that's just at > the high level, so when we get to the nitty gritty details of each of > them, there will be more waiting... generally speaking, cisco-nsp is not where we post product or platform specific roadmaps. :) your cisco account team should be able to assist you on N7K / NX-OS roadmap & where things stand. if they cannot help you then let me know off-list, cheers, lincoln. 
From oboehmer at cisco.com Fri Nov 27 04:13:51 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 27 Nov 2009 10:13:51 +0100
Subject: [c-nsp] Using BFD as a link monitoring protocol
In-Reply-To: <557860570-1259308503-cardhu_decombobulator_blackberry.rim.net-828203789-@bda192.bisx.produk.on.blackberry>
References: <557860570-1259308503-cardhu_decombobulator_blackberry.rim.net-828203789-@bda192.bisx.produk.on.blackberry>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FC3AC27@XMB-AMS-103.cisco.com>

> Correct, I intend using one of bgp, isis or other appropriate IGP with BFD
> as cisco recommends in their documentation.

Ok. fine.

> Are you sure there is no mib for BFD?, I see, on ciscos ftp mib repository,
> a bfd-ietf-mib.txt that reads " ... Mib for bidirectional forwarding
> protocol... "?

There is this MIB, but as far as I know, it has just been implemented, and it is currently only in 12.2(33)SRE images. No idea when this will show up in other trains..

> Alternatively, if I used this with isis, for example, would I be able to
> have isis generate traps, based on detection performed by the BFD mechanism?

I think so, you can use ciiAdjacencyChange (in CISCO-IETF-ISIS-MIB) to detect ISIS adjacency changes (MIB support is also quite new, please check availability in your image(s) using MIB locator at http://tools.cisco.com/ITDIT/MIBS/MainServlet)

oli

>
> ------Original Message------
> From: Oliver Boehmer (oboehmer)
> To: twelcome at mobileemail.vodafonesa.co.za
> To: cisco-nsp at puck.nether.net
> Sent: Nov 27, 2009 9:03 AM
> Subject: RE: [c-nsp] Using BFD as a link monitoring protocol
>
> Hi,
>
> > I need to monitor the state of links between router interfaces, and I
> have
> > a case where the link may go down (due to fibre break at L2) but the
> > interfaces still appear up when polled (we're on a ring).
> > When a link
> goes
> > down I need to get sent a trap specifically identifying which link
> went
> > down, so I've looked at BFD (Bidirectional Forwarding Detection), and
> the
> > idea is to set up bfd sessions to run between each pair of interfaces
> that
> > define a link, and a session failure will result in snmp traps being
> sent
> > identifying which link failed.
> >
> > My question is: Has anyone deployed BFD for this purpose, i.e link
> failure
> > monitoring, and is this an appropriate application of BFD?
>
> Well, you can't just run BFD by itself, you need to have an
> application/client (routing protocols, HSRP, etc.) which is configured
> to use BFD before BFD establishes a session (not sure if the hidden
> command "bfd neighbor x.x.x.x" can work around this).
> In addition, BFD MIB is not yet there except in 12.2SRE.
>
> Not sure how many pairs you need to monitor, but you could investigate
> using IP-SLA probes for this purpose..
>
> oli
>
>
> Sent via my BlackBerry from Vodacom - let your email find you!

From tim at selfnet.de Fri Nov 27 04:44:08 2009
From: tim at selfnet.de (Tim)
Date: Fri, 27 Nov 2009 10:44:08 +0100
Subject: [c-nsp] ipv6 cheat sheet
In-Reply-To:
References:
Message-ID: <20091127094407.GA30580@samstag.members.selfnet.de>

On Thu, Nov 26, 2009 at 04:53:55AM +0500, Good One wrote:
> Did you find any cheat sheet for IPv6 subnetting anywhere?

sipcalc

For example, print all /64 subnets of 2001:db8::/32:

$ sipcalc --v6split 64 2001:db8::/32

Available in GNU/Debian or the man-pages says: "Sipcalc can be downloaded from http://www.routemeister.net/"

Cheers,
Tim

From pavel.skovajsa at gmail.com Fri Nov 27 04:46:42 2009
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Fri, 27 Nov 2009 10:46:42 +0100
Subject: [c-nsp] [j-nsp] Network Liberation Movement???
In-Reply-To: <3847d10a7751ff28466dec236a1150a4.squirrel@email.fatcow.com>
References: <4AEAF6B8.2090606@att.net> <8c308e8b0910301415t3b5c2d01n440e57bcf044992@mail.gmail.com> <443de7ad0910311035p2506ae77qbafd235bb4a59397@mail.gmail.com> <8c308e8b0910311113o109b1234l6ede80f136e4ec06@mail.gmail.com> <8c308e8b0911012234k43a7a1e1nd3370378bc039824@mail.gmail.com> <4B0991C0.6000308@rollernet.us> <3847d10a7751ff28466dec236a1150a4.squirrel@email.fatcow.com>
Message-ID: <323aca890911270146k25b1319fwd3724a82546f6a7d@mail.gmail.com>

In my opinion HP bought 3com in order to get its market share in China and Asia, I doubt they will dump their product lines of the Provision ASIC switches.

"""""
The acquisition of 3Com will dramatically expand HP's Ethernet switching offerings, add routing solutions and significantly strengthen the company's position in China - one of the world's fastest-growing markets - via the H3C offerings. In addition, the combination will add a large and talented research and development team in China that will drive the acceleration of innovations to HP's networking solutions.
"""""

-pavel skovajsa

On Wed, Nov 25, 2009 at 10:07 PM, wrote:
> Snippet:
>
> >The university I worked at as a student did a
> > whole campus replacement of Cisco for ProCurve.
> >
> > ~Seth
>
> I'm involved in an 'alternative switch vendor' discussion and lab testing.
> ProCurve and Juniper switches are in our lab and undergoing some poking
> and prodding.
>
> I am not at all familiar with HP ProCurve. The recent announcement
> concerns me. What happens if during the overlap analysis HP dumps some of
> their product line? Did we lose time making an effort to learn new
> products, configurations and vendor-suggested best practices? Knowing
> almost everyone's shop runs too thin and too fast, losing ground to
> incorporate something that may no longer be sold seems like a possible
> mistake in judgement and a blow to morale.
> > -chris > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From perc69 at gmail.com Fri Nov 27 04:46:45 2009 From: perc69 at gmail.com (Per Carlson) Date: Fri, 27 Nov 2009 10:46:45 +0100 Subject: [c-nsp] Cisco Tahoma 1.x In-Reply-To: <18dba4e50911261523l47c5f76dx5061637fd9ab5070@mail.gmail.com> References: <18dba4e50911261523l47c5f76dx5061637fd9ab5070@mail.gmail.com> Message-ID: <746ca6da0911270146p6c8a4a12r4be70ec9ad5c5677@mail.gmail.com> Hi. > I have been hearing of Cisco Tahoma 1.x guide to carrier ethernet design. > > Would anyone with access to the document share his/hers with me, if > permitted? This document is under a NDA. If you want to get a copy of it, contact your AM or SE. -- Pelle From pl+list at pmacct.net Fri Nov 27 04:52:37 2009 From: pl+list at pmacct.net (Paolo Lucente) Date: Fri, 27 Nov 2009 09:52:37 +0000 Subject: [c-nsp] how to clear a pseudowire? In-Reply-To: <4B0F8A9F.5000509@forthnet.gr> References: <4B0F8A9F.5000509@forthnet.gr> Message-ID: <20091127095237.GA13722@moussaka.pmacct.net> Hi Tassos, As signalling is done via targeted LDP, perhaps you want to achieve that by clearing the specific LDP neighbor? Cheers, Paolo On Fri, Nov 27, 2009 at 10:15:27AM +0200, Tassos Chatzithomaoglou wrote: > Is there an easy way to clear/reset a eompls pseudowire? > > The only (not affecting other services of the same interface) way i have > found is to remove the xconnect config from both sides, but i was hoping > that a clear command would exist. 
>
> --
> Tassos

From mtinka at globaltransit.net Fri Nov 27 05:01:04 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 27 Nov 2009 18:01:04 +0800
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To:
References: <4B0D899D.2040900@bromirski.net>
Message-ID: <200911271801.05370.mtinka@globaltransit.net>

On Thursday 26 November 2009 07:32:37 am David Hughes wrote:

> From a customer perspective who uses 6500s for L2/L3
> aggregation in the DC and MPLS/IP core functionality, I
> can see them losing their shine. They are a solid
> platform and I do like them a lot but working with the
> caveats can be a pain. N7K is starting to look like a
> winning platform :

Same here - we love the 6500 to bits. It's simply solid provided you know which buttons NOT to push (easy in our case, they only do pure Layer 2 Ethernet forwarding).

However, for any new purchases, we're now looking at the Nexus 7000's and Juniper's EX8200's because they make more sense for 10Gbps Layer 2 aggregation, and will scale to 40Gbps and 100Gbps. Even with the SUP2T looming in the horizon, we'd be insane thinking we can grow with the 6500 in the future beyond 10Gbps.

Cheers,

Mark.

From mtinka at globaltransit.net Fri Nov 27 05:37:25 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 27 Nov 2009 18:37:25 +0800
Subject: [c-nsp] PA-MC-8T1
In-Reply-To: <20091127073240.GU163@greenie.muc.de>
References: <20091126180842.GO163@greenie.muc.de> <20091127073240.GU163@greenie.muc.de>
Message-ID: <200911271837.26472.mtinka@globaltransit.net>

On Friday 27 November 2009 03:32:40 pm Gert Doering wrote:

> As far as I understand, the NPE225 is still supported
> (because it's the fastest NPE for the non-VXR platform)
> and the NPE400/NPE-G1/NPE-G2 on the VXR. Not 100% sure
> about the NPE400.
The NPE-400 was recently announced for EoS/EoL for the non-security bundles on the 7200-VXR as well as the uBR7200. Not sure if that means they are no longer supported on the 7200-VXR.

Cheers,

Mark.

From mtinka at globaltransit.net Fri Nov 27 04:54:23 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 27 Nov 2009 17:54:23 +0800
Subject: [c-nsp] [j-nsp] Network Liberation Movement???
In-Reply-To: <3847d10a7751ff28466dec236a1150a4.squirrel@email.fatcow.com>
References: <4AEAF6B8.2090606@att.net> <4B0991C0.6000308@rollernet.us> <3847d10a7751ff28466dec236a1150a4.squirrel@email.fatcow.com>
Message-ID: <200911271754.29048.mtinka@globaltransit.net>

On Thursday 26 November 2009 05:07:04 am chris at lavin-llc.com wrote:

> I am not at all familiar with HP ProCurve. The recent
> announcement concerns me. What happens if during the
> overlap analysis HP dumps some of their product line?
> Did we lose time making an effort to learn new products,
> configurations and vendor-suggested best practices?
> Knowing almost everyone's shop runs too thin and too
> fast, losing ground to incorporate something that may no
> longer be sold seems like a possible mistake in
> judgement and a blow to morale.

It is a risk we all take when working with vendors. That is why we try to stick to the ones who have a track record for "surviving" :-). Some have been gobbled up, others have straight-out collapsed.

There might be a higher cost to pay, in the short term, for limiting your choices, but the long term benefit of not having to "worry" about it is worth it.

We've had it all - Cisco, Juniper, Extreme, Alcatel, Nortel, BayStack, Xyplex, 3Com, HP, Foundry, etc. When I joined, we cut all that out and stuck with Cisco + Juniper. We've been better off for it.

Cheers,

Mark.
From twelcome at mobileemail.vodafonesa.co.za Fri Nov 27 06:45:01 2009
From: twelcome at mobileemail.vodafonesa.co.za (twelcome at mobileemail.vodafonesa.co.za)
Date: Fri, 27 Nov 2009 11:45:01 +0000
Subject: [c-nsp] Using BFD as a link monitoring protocol
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33FC3AC27@XMB-AMS-103.cisco.com>
References: <557860570-1259308503-cardhu_decombobulator_blackberry.rim.net-828203789-@bda192.bisx.produk.on.blackberry> <6E4D2678AC543844917CA081C9D6B33FC3AC27@XMB-AMS-103.cisco.com>
Message-ID: <1769587466-1259322383-cardhu_decombobulator_blackberry.rim.net-1974119451-@bda192.bisx.produk.on.blackberry>

Thanks, Oliver. I'll do some test setups on this and let you know the results!

Regards,
Traiano

Sent via my BlackBerry from Vodacom - let your email find you!

-----Original Message-----
From: "Oliver Boehmer (oboehmer)"
Date: Fri, 27 Nov 2009 10:13:51
To: ;
Subject: RE: [c-nsp] Using BFD as a link monitoring protocol

> Correct, I intend using one of bgp, isis or other appropriate IGP with BFD
> as cisco recommends in their documentation.

Ok. fine.

> Are you sure there is no mib for BFD?, I see, on ciscos ftp mib repository,
> a bfd-ietf-mib.txt that reads " ... Mib for bidirectional forwarding
> protocol... "?

There is this MIB, but as far as I know, it has just been implemented, and it is currently only in 12.2(33)SRE images. No idea when this will show up in other trains..

> Alternatively, if I used this with isis, for example, would I be able to
> have isis generate traps, based on detection performed by the BFD mechanism?
I think so, you can use ciiAdjacencyChange (in CISCO-IETF-ISIS-MIB) to detect ISIS adjacency changes (MIB support is also quite new, please check availability in your image(s) using MIB locator at http://tools.cisco.com/ITDIT/MIBS/MainServlet) oli > > ------Original Message------ > From: Oliver Boehmer (oboehmer) > To: twelcome at mobileemail.vodafonesa.co.za > To: cisco-nsp at puck.nether.net > Sent: Nov 27, 2009 9:03 AM > Subject: RE: [c-nsp] Using BFD as a link monitoring protocol > > Hi, > > > I need to monitor the state of links between router interfaces, and I > have > > a case where the link may go down (due to fibre break at L2) but the > > interfaces still appear up when polled (we're on a ring). When a link > goes > > down I need to get sent a trap specifically identifying which link > went > > down, so I've looked at BFD (Bidirectional Forwarding Detection), and > the > > idea is to set up bfd sessions to run between each pair of interfaces > that > > define a link, and a session failure will result in snmp traps being > sent > > identifying which link failed. > > > > My question is: Has anyone deployed BFD for this purpose, i.e link > failure > > monitoring, and is this an appropriate application of BFD? > > Well, you can't just run BFD by itself, you need to have an > application/client (routing protocols, HSRP, etc.) which is configured > to use BFD before BFD establishes a session (not sure if the hidden > command "bfd neighbor x.x.x.x" can work around this). > In addition, BFD MIB is not yet there except in 12.2SRE. > > Not sure how many pairs you need to monitor, but you could investigate > using IP-SLA probes for this purpose.. > > oli > > > Sent via my BlackBerry from Vodacom - let your email find you! 
From braaen at zcorum.com Fri Nov 27 08:22:07 2009
From: braaen at zcorum.com (Brian Raaen)
Date: Fri, 27 Nov 2009 08:22:07 -0500
Subject: [c-nsp] ipv6 cheat sheet
In-Reply-To:
References:
Message-ID: <200911270822.08060.braaen@zcorum.com>

My boss found the following cheatsheet.

http://www.estoile.com/links/ipv6.pdf

also have a look at the following

http://www.estoile.com/

--
----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com
Tel 678-507-5000x5574

On Wednesday 25 November 2009, Good One wrote:
>
> Hello guys,
>
> Did you find any cheat sheet for IPv6 subnetting anywhere?
>

From lists at hojmark.org Fri Nov 27 06:45:28 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Fri, 27 Nov 2009 12:45:28 +0100
Subject: [c-nsp] PA-MC-8T1
In-Reply-To: <200911271837.26472.mtinka@globaltransit.net>
References: <20091126180842.GO163@greenie.muc.de> <20091127073240.GU163@greenie.muc.de> <200911271837.26472.mtinka@globaltransit.net>
Message-ID: <1qevg5hgo0i7cgpfqvjvi1belk9lvu9kor@hojmark.net>

On Fri, 27 Nov 2009 18:37:25 +0800, you wrote:

> The NPE-400 was recently announced for EoS/EoL for the non-
> security bundles on the 7200-VXR as well as the uBR7200. Not
> sure if that means they are no longer supported on the 7200-
> VXR.

Yeah, the NPE-400 itself is announced EoS too:

https://www.cisco.com/en/US/prod/collateral/routers/ps341/eol_c51_556152.html

But it *is* still supported (see dates in the above).
-A

From frederic.loui at renater.fr Fri Nov 27 09:36:26 2009
From: frederic.loui at renater.fr (Frederic LOUI)
Date: Fri, 27 Nov 2009 15:36:26 +0100
Subject: [c-nsp] BGP soft-reconfiguration inbound impact
Message-ID: <4B0FE3EA.7010305@renater.fr>

Hi everyone,

I spent some time googling/searching the mailing list but I could not find any clear answer regarding memory impact related to "soft-reconfiguration inbound" statement. (If you have any link/pointer, I'm interested !)

We're running a bunch of 760X (RSP7203CXL + 8x10G with DFC3CXL) having full BGP feed and some of them start to be really overloaded.

I've read now and then that it is not recommended to use "soft-reconfiguration inbound" due to the extra memory used, but :

1) What is the clear impact of this command ? (Is there an algorithm formula O(n) that would help us to quantify the memory used ?)
2) Is this extra-memory still an issue with modern hardware ?
3) What is the common best practice ?
4) Are you using "soft-reconfiguration inbound", if yes how ? (i.e: Only for troubleshooting purpose, "always on" as part of your configuration template etc.)

Thanks in advance to all for your feedback

--
Frederic LOUI / GIP RENATER
Pilotage & Suivi du Réseau
Network Backbone Engineering & Planning
Tel: +33 1 53 94 20 40 / Fax: +33 1 53 94 20 31
loui at renater.fr http://www.renater.fr

From p.mayers at imperial.ac.uk Fri Nov 27 10:26:27 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 27 Nov 2009 15:26:27 +0000
Subject: [c-nsp] BGP soft-reconfiguration inbound impact
In-Reply-To: <4B0FE3EA.7010305@renater.fr>
References: <4B0FE3EA.7010305@renater.fr>
Message-ID: <4B0FEFA3.9050008@imperial.ac.uk>

Frederic LOUI wrote:
> Hi everyone,
>
> I spent some time googling/searching the mailing list but I could not
> find any clear answer regarding
> memory impact related to "soft-reconfiguration inbound" statement. (If
> you have any link/pointer, I'm interested !)
>
> We're running a bunch of 760X (RSP7203CXL + 8x10G with DFC3CXL) having
> full BGP feed and some of them start to be really overloaded.
>
> I've read now and then that it is not recommended to use
> "soft-reconfiguration inbound" due to the extra memory used, but :
>
> 1) What is the clear impact of this command ? (Is there an algorithm
> formula O(n) that would help us to quantify the memory used ?)
> 2) Is this extra-memory still an issue with modern hardware ?

It depends on how many routes you have I think. If you've got the full feed, then I'd say you're going to pay a heavy price for soft-reconfig.

What does "sh ip bgp summ" say?

> 3) What is the common best practice ?

Modern BGP implementations tend to support route refresh, where you request the peer re-send its RIB. There's no config needed for this - just do a "sh ip bgp nei" and see if refresh is available:

BGP neighbor is X remote AS 64580, internal link
  Inherits from template iBGP-world for session parameters
  BGP version 4, remote router ID X
  BGP state = Established, up for 4w4d
  Last read 00:00:43, last write 00:00:31, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)

Of course, refreshing the full feed will take a while! There are I believe optimisations for this - ORF rings a bell - but since I don't deal in full-feeds, it's not something I'm up to speed with.

> 4) Are you using "soft-reconfiguration inbound", if yes how ? (i.e: Only
> for troubleshooting purpose, "always on" as part of your configuration
> template etc.)
We are because it's convenient to be able to do "sh ip bgp nei X received-routes" but we've got a very small routing table: ac-core#sh ip bgp summary BGP router identifier X local AS number 64580 BGP table version is 8375, main routing table version 8375 903 network entries using 105651 bytes of memory 1763 path entries using 91676 bytes of memory 153/13 BGP path/bestpath attribute entries using 21420 bytes of memory 20 BGP rrinfo entries using 480 bytes of memory 8 BGP AS-PATH entries using 192 bytes of memory 5 BGP community entries using 120 bytes of memory 11 BGP extended community entries using 264 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 219803 total bytes of memory Obviously that's not the case for you. From justin at justinshore.com Fri Nov 27 10:33:56 2009 From: justin at justinshore.com (Justin Shore) Date: Fri, 27 Nov 2009 09:33:56 -0600 Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL) In-Reply-To: References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> Message-ID: <4B0FF164.9020008@justinshore.com> Asbjorn Hojmark - Lists wrote: > PS: Even then 6500 does MPLS VPNs, and we have DC customers who can't > migrate to the N7K (for higher density 10G and lower price per 10G > port), because it doesn't do MPLS VPNs. (Oh, and that box from Vendor > J does). Exactly. These days MPLS/VPNs is as much a DC feature as basic switching. Our DC couldn't operate with MPLS/VPNs. 
Justin

From eric at atlantech.net Fri Nov 27 10:56:14 2009
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 27 Nov 2009 10:56:14 -0500
Subject: [c-nsp] mlppp dot1q question
In-Reply-To: <000601ca6ea2$3713eb10$a53bc130$@org>
References: <000601ca6ea2$3713eb10$a53bc130$@org>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863BB155B823@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Thursday, November 26, 2009 9:11 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] mlppp dot1q question
>
> Hey guys...
>
> Is there any way to run subinterfaces across a MLPPP bundle in IOS?
>

I would imagine that your best bet is to use an Ethernet over T1 device like the RICi-8T1 from RAD (watch for wrap):

http://www.rad.com/10/Mid_band_Ethernet_and_Fast_Ethernet_over_Eight_T1_NTU/2429/

You can bundle up to 8 T1s through MLPPP and transport VLANs across the link.

-evt

From jmplank at gmail.com Fri Nov 27 10:58:41 2009
From: jmplank at gmail.com (Jason Plank)
Date: Fri, 27 Nov 2009 10:58:41 -0500
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0FF164.9020008@justinshore.com>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0FF164.9020008@justinshore.com>
Message-ID: <8B6326E6-388F-4EAC-A579-B1CA60839C7D@gmail.com>

Really. The product seems to be selling quite well. You are overstating. Keep it real.

That being said I wish vendors would include mainstream features (which mpls has become) in early releases of software. That is not cisco specific.
Sent from my iPhone

On Nov 27, 2009, at 10:33 AM, Justin Shore wrote:

> Asbjorn Hojmark - Lists wrote:
>> PS: Even then 6500 does MPLS VPNs, and we have DC customers who can't
>> migrate to the N7K (for higher density 10G and lower price per 10G
>> port), because it doesn't do MPLS VPNs. (Oh, and that box from Vendor
>> J does).
>
> Exactly. These days MPLS/VPNs is as much a DC feature as basic
> switching. Our DC couldn't operate with MPLS/VPNs.
>
> Justin

From frederic.loui at renater.fr Fri Nov 27 11:01:12 2009
From: frederic.loui at renater.fr (Frederic LOUI)
Date: Fri, 27 Nov 2009 17:01:12 +0100
Subject: [c-nsp] BGP soft-reconfiguration inbound impact
In-Reply-To: <4B0FEFA3.9050008@imperial.ac.uk>
References: <4B0FE3EA.7010305@renater.fr> <4B0FEFA3.9050008@imperial.ac.uk>
Message-ID: <4B0FF7C8.4060102@renater.fr>

> Frederic LOUI wrote:
>> Hi everyone,
>>
>> I spent some time googling/searching the mailing list but I could
>> not find any clear answer regarding
>> memory impact related to "soft-reconfiguration inbound" statement.
>> (If you have any link/pointer, I'm interested !)
>>
>> We're running a bunch of 760X (RSP7203CXL + 8x10G with DFC3CXL)
>> having full BGP feed and some of them start to be really overloaded.
>>
>> I've read now and then that it is not recommended to use
>> "soft-reconfiguration inbound" due to the extra memory used, but :
>>
>> 1) What is the clear impact of this command ? (Is there an algorithm
>> formula O(n) that would help us to quantify the memory used ?)
>> 2) Is this extra-memory still an issue with modern hardware ?
>
> It depends on how many routes you have I think. If you've got the full
> feed, then I'd say you're going to pay a heavy price for soft-reconfig.
>
> What does "sh ip bgp summ" say?
BGP router identifier , local AS number BGP table version is 19465839, main routing table version 19465839 314959 network entries using 39054916 bytes of memory 630625 path entries using 32792500 bytes of memory 71249/52253 BGP path/bestpath attribute entries using 5414924 bytes of memory 98 BGP rrinfo entries using 2352 bytes of memory 64471 BGP AS-PATH entries using 1647244 bytes of memory 854 BGP community entries using 57562 bytes of memory 27 BGP extended community entries using 2230 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 78971728 total bytes of memory Dampening enabled. 0 history paths, 0 dampened paths 885 received paths for inbound soft reconfiguration BGP activity 1266553/943038 prefixes, 6013343/5365600 paths, scan interval 60 secs > >> 3) What is the common best practice ? > > Modern BGP implementations tend to support route refresh, where you > request the peer re-send it's RIB. There's no config needed for this - > just to a "sh ip bgp nei" and see if refresh is available: > > BGP neighbor is X remote AS 64580, internal link > Inherits from template iBGP-world for session parameters > BGP version 4, remote router ID X > BGP state = Established, up for 4w4d > Last read 00:00:43, last write 00:00:31, hold time is 180, keepalive > interval is 60 seconds > Neighbor capabilities: > Route refresh: advertised and received(new) > > Of course, refreshing the full feed will take a while! There are I > believe optimisations for this - ORF rings a bell - but since I don't > deal in full-feeds, it's not something I'm up to speed with. > Agree. >> 4) Are you using "soft-reconfiguration inbound", if yes how ? (i.e: >> Only for troubleshooting purpose, "always on" as part of your >> configuration template etc.) 
> > We are because it's convenient to be able to do "sh ip bgp nei X > received-routes" but we've got a very small routing table: > > ac-core#sh ip bgp summary > BGP router identifier X local AS number 64580 > BGP table version is 8375, main routing table version 8375 > 903 network entries using 105651 bytes of memory > 1763 path entries using 91676 bytes of memory > 153/13 BGP path/bestpath attribute entries using 21420 bytes of memory > 20 BGP rrinfo entries using 480 bytes of memory > 8 BGP AS-PATH entries using 192 bytes of memory > 5 BGP community entries using 120 bytes of memory > 11 BGP extended community entries using 264 bytes of memory > 0 BGP route-map cache entries using 0 bytes of memory > 0 BGP filter-list cache entries using 0 bytes of memory > BGP using 219803 total bytes of memory > > Obviously that's not the case for you. We also feel that this is a comfort for us to use "show ip bgp neighbor X received-routes" but this comfort has a cost and I was just wondering how much it REALLY is :-) And if based on users experiences there is something we could miss except route-refresh capability that is supported on most BGP implementation now and "received-route" command output. Thanks anyway for your feedback Have a good week-end Cheers/Fred From swmike at swm.pp.se Fri Nov 27 11:11:08 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Fri, 27 Nov 2009 17:11:08 +0100 (CET) Subject: [c-nsp] BGP soft-reconfiguration inbound impact In-Reply-To: <4B0FEFA3.9050008@imperial.ac.uk> References: <4B0FE3EA.7010305@renater.fr> <4B0FEFA3.9050008@imperial.ac.uk> Message-ID: On Fri, 27 Nov 2009, Phil Mayers wrote: > It depends on how many routes you have I think. If you've got the full > feed, then I'd say you're going to pay a heavy price for soft-reconfig. Only if you modify the routes a lot via routemap or alike. This code has been much tweaked the past 5 years, so in some cases soft-reconfig inbound takes no extra memory at all. 
-- Mikael Abrahamsson email: swmike at swm.pp.se From justin at justinshore.com Fri Nov 27 12:16:31 2009 From: justin at justinshore.com (Justin Shore) Date: Fri, 27 Nov 2009 11:16:31 -0600 Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL) In-Reply-To: <8B6326E6-388F-4EAC-A579-B1CA60839C7D@gmail.com> References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0FF164.9020008@justinshore.com> <8B6326E6-388F-4EAC-A579-B1CA60839C7D@gmail.com> Message-ID: <4B10096F.9010103@justinshore.com> Jason Plank wrote: > Really. The product seems to be selling quite well. You are over > stating. Keep it real. Hardly. It means that people are using the Nexus as a L2 switching workhorse and relying on additional L3 hardware to bring in the basic MPLS/VPN capabilities. Justin From achatz at forthnet.gr Fri Nov 27 13:05:50 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 27 Nov 2009 20:05:50 +0200 Subject: [c-nsp] how to clear a pseudowire? In-Reply-To: <20091127095237.GA13722@moussaka.pmacct.net> References: <4B0F8A9F.5000509@forthnet.gr> <20091127095237.GA13722@moussaka.pmacct.net> Message-ID: <4B1014FE.5010505@forthnet.gr> That would kill all pseudowires with the same neighbor, wouldn't it? -- Tassos Paolo Lucente wrote on 27/11/2009 11:52: > Hi Tassos, > > As signalling is done via targeted LDP, perhaps you want to achieve that > by clearing the specific LDP neighbor? > > Cheers, > Paolo > > On Fri, Nov 27, 2009 at 10:15:27AM +0200, Tassos Chatzithomaoglou wrote: >> Is there an easy way to clear/reset a eompls pseudowire? >> >> The only (not affecting other services of the same interface) way i have >> found is to remove the xconnect config from both sides, but i was hoping >> that a clear command would exist. 
>> >> -- >> Tassos > > From pl+list at pmacct.net Fri Nov 27 15:54:12 2009 From: pl+list at pmacct.net (Paolo Lucente) Date: Fri, 27 Nov 2009 20:54:12 +0000 Subject: [c-nsp] how to clear a pseudowire? In-Reply-To: <4B1014FE.5010505@forthnet.gr> References: <4B0F8A9F.5000509@forthnet.gr> <20091127095237.GA13722@moussaka.pmacct.net> <4B1014FE.5010505@forthnet.gr> Message-ID: <20091127205412.GA15987@moussaka.pmacct.net> Yes, it would. I guess for finer granularity you can only, and un-elegantly, screw the circuit up by playing with the VC MTU, at one side of it. Cheers, Paolo On Fri, Nov 27, 2009 at 08:05:50PM +0200, Tassos Chatzithomaoglou wrote: > That would kill all pseudowires with the same neighbor, wouldn't it? > > > -- > Tassos > > > Paolo Lucente wrote on 27/11/2009 11:52: >> Hi Tassos, >> >> As signalling is done via targeted LDP, perhaps you want to achieve that >> by clearing the specific LDP neighbor? >> >> Cheers, >> Paolo >> >> On Fri, Nov 27, 2009 at 10:15:27AM +0200, Tassos Chatzithomaoglou wrote: >>> Is there an easy way to clear/reset a eompls pseudowire? >>> >>> The only (not affecting other services of the same interface) way i >>> have found is to remove the xconnect config from both sides, but i >>> was hoping that a clear command would exist. 
>>>
>>> --
>>> Tassos
>>
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From lukasz at bromirski.net Fri Nov 27 17:52:01 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Fri, 27 Nov 2009 23:52:01 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <200911271801.05370.mtinka@globaltransit.net>
References: <4B0D899D.2040900@bromirski.net> <200911271801.05370.mtinka@globaltransit.net>
Message-ID: <4B105811.9030900@bromirski.net>

On 2009-11-27 11:01, Mark Tinka wrote:
> However, for any new purchases, we're now looking at the
> Nexus 7000's and Juniper's EX8200's because they make more
> sense for 10Gbps Layer 2 aggregation, and will scale to
> 40Gbps and 100Gbps.
> Even with the SUP2T looming in the horizon, we'd be insane
> thinking we can grow with the 6500 in the future beyond
> 10Gbps.

With the new LCs yes, it will scale >10Gbit/s, as the new switch
fabric will offer more than 40Gbit/s per slot. Wait for it, don't
go insane right now :)

--
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From gtb at slac.stanford.edu Fri Nov 27 19:04:06 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Fri, 27 Nov 2009 16:04:06 -0800
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B105811.9030900@bromirski.net>
References: <4B0D899D.2040900@bromirski.net> <200911271801.05370.mtinka@globaltransit.net> <4B105811.9030900@bromirski.net>
Message-ID: <6F51B50ECF32084788B9B3A8469A71B529175C045A@EXCHCLUSTER1-02.win.slac.stanford.edu>

> With the new LCs yes, it will scale >10Gbit/s, as the new switch
> fabric will offer more than 40Gbit/s per slot.
> Wait for it, don't go insane right now :)

The "fabric" (and this is an EE joke regarding the weave of the PCB glass
fiber determining the dielectric properties that determine the capability
of the interconnect speeds) of even the E chassis indicates that the 6500
is not going to be a major platform for the 100Gb/sec future we want.
Point solutions will no doubt exist (remember the single port 10Gb/sec
card (really 8Gb/sec) for the 6500 SFM platform?), but Mark is right
about future insanity.

That does not mean the Cat6500 does not have a long future. So did (does)
the Cat5000 (still have one in some corner running a L2 only function
that was supposed to get replaced RSN some time ago.)

Gary

From ltd at cisco.com Fri Nov 27 20:17:50 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Sat, 28 Nov 2009 12:17:50 +1100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0FF164.9020008@justinshore.com>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0FF164.9020008@justinshore.com>
Message-ID: <3526F068-D077-4541-B8B1-81D1C66A4A97@cisco.com>

On 28/11/2009, at 2:33 AM, Justin Shore wrote:
> Exactly. These days MPLS/VPNs is as much a DC feature as basic switching. Our DC couldn't operate with MPLS/VPNs.

to some extent it depends on exactly how far 'down' into your DC you extend MPLS VPNs.

for example, do you extend it down to the access layer?
or at what point do you map a MPLS VPN into a VRF or VLAN?

because even without MPLS today, many folks with N7K quite happily make use of VRFs on N7K, although in cisco parlance you'd call it "vrf lite".

one nice characteristic of NX-OS is that everything is vrf aware. i.e. there is no such thing as a "global table", rather there is a "default vrf" where everything goes if you don't explicitly use vrfs.

On 28/11/2009, at 4:16 AM, Justin Shore wrote:
> Jason Plank wrote:
>> Really. The product seems to be selling quite well. You are over stating. Keep it real.
>
> Hardly. It means that people are using the Nexus as a L2 switching workhorse and relying on additional L3 hardware to bring in the basic MPLS/VPN capabilities.

SOME people use it for L2. the majority of deployments i've seen are making extensive use of L3.

cheers,

lincoln.

From justin at justinshore.com Fri Nov 27 22:48:13 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 27 Nov 2009 21:48:13 -0600
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <3526F068-D077-4541-B8B1-81D1C66A4A97@cisco.com>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0FF164.9020008@justinshore.com> <3526F068-D077-4541-B8B1-81D1C66A4A97@cisco.com>
Message-ID: <4B109D7D.50300@justinshore.com>

Lincoln Dale wrote:
> to some extent it depends on exactly how far 'down' into your DC you extend MPLS VPNs.
>
> for example, do you extend it down to the access layer?
> or at what point do you map a MPLS VPN into a VRF or VLAN?

Our MPLS/VPNs stop above our top-of-rack L2 switches, with VRFs mapped into
VLANs from there on out. Our DC isn't just a colo but is primarily a hosting
solution. The gist of the difference is that we're hosting the customer's
network for them in our DC; not just a colo caged environment where the SP
hands them a cable with Internet access at a given CIR and walks away. Our
DC is an extension of the customer's private LAN, containing all their
routes. Without MPLS/VPN customer prefixes would walk all over each other.
Could we do it with multi-VRF? Sure, but it would be a bitch.

CVPN, L2L and firewall services are in 7600s upstream of the DC (and miles
apart). Getting them down to the DC would require either tunnels in VRFs or
1Q trunks with sub-ints or SVIs assigned to unique VRFs with a matching
config on the far side. Routers at each level are paired and dual-homed to
the opposing levels. It would be a configuration nightmare. And given
Cisco's removal of BFD support on SVIs on 7600s, it would also be slow to
converge during fiber cuts, interface failures or router crashes.

> because even without MPLS today, many folks with N7K quite happily make use of VRFs on N7K, although in cisco parlance you'd call it "vrf lite".

If we had N7Ks in our DCs it would be possible, but I sure wouldn't want to
be responsible for the multi-VRF config between redundant chassis. It would
be just as bad reaching out to hardware VPN solutions, since the only
VRF-aware VPN solutions in Cisco's arsenal are either an IOS router with
AIMs or VSAs (I think you can CVPN or L2L into a VRF on an ISR or 7200;
never tried it), or the IPSec SPAs in 6500/7600s. ASAs aren't VRF-aware.
On top of that you have a 2nd set of ASAs or some other firewall appliance
for hosting customer firewall contexts, and they too require more 1Q trunks
with sub-ints or SVIs in VRFs on the N7Ks.

You're right; you can use N7Ks in DCs and get around the lack of MPLS/VPN
options, but it greatly depends on the kind of DC you run and the services
you provide. If it's a hands-off colo environment where the SP drops the
customer Internet access and does nothing else on the network, then the N7K
is an awesome fit (possibly even overkill, not that that's a bad thing).
The customer can bring their own firewall or VPN appliance if they want,
and they provide their own local routing and switchports. If your DC is
more of a hosting solution and you provide other services to customers
(CVPN, L2L, FW, IDS) besides raw Internet and cage space, then the N7K in
its current form is a problem to be overcome. You can either use it to drop
raw Inet to those customers that only want that service and then use it as
a top of the line L2 switching solution with L3 tasks handled upstream, or
you pick a platform that does everything in one fell swoop. A 65/7600 with
IPSec SPAs, FWSMs, 67xx 10G LCs feeding Nexus or 4900 top-of-rack switches
would be such a solution.

I would love to have the N7K or any of the Nexus switches in my DC for L2
switching over what I have today. I'm very eager to deploy the N1K in
VMWare too. That would be very nice.

> one nice characteristic of NX-OS is that everything is vrf aware. i.e. there is no such thing as a "global table", rather there is a "default vrf" where everything goes if you don't explicitly use vrfs.

That would be a wonderful feature. So many things on vanilla IOS are still
not VRF aware. Someday...

> SOME people use it for L2. the majority of deployments i've seen are making extensive use of L3.

Like I said above, I think there are cases where it definitely works and
works well. But if you sell services that don't mesh with the N7K, then you
either have a lot of admin overhead bridging multiple products together to
build your solutions, you have to limit what you use it for (L2) and rely
on other products to do other things (L3, special services), or you pick a
solution that does everything in one box. Personally I like top-of-rack
switches over the expense of populating a 65/7600 full of electrical
Ethernet ports (and the nightmare of wiring it all back to one location and
a mess of patchcords on the front of a large chassis), so I would choose to
use a smaller 65/7600 and go with something else for the L2.

When the Nexus platforms get MPLS they will be even more awesome than they
currently are, and they will have even more uses throughout the network
than they do today. I look forward to that day.

Justin

From rdobbins at arbor.net Fri Nov 27 23:03:45 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Sat, 28 Nov 2009 04:03:45 +0000
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B109D7D.50300@justinshore.com>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0FF164.9020008@justinshore.com> <3526F068-D077-4541-B8B1-81D1C66A4A97@cisco.com> <4B109D7D.50300@justinshore.com>
Message-ID: <9D29944F-2784-4E47-87F0-E9266559542E@arbor.net>

On Nov 28, 2009, at 11:48 AM, Justin Shore wrote:

> A 65/7600 with IPSec SPAs, FWSMs 67xx 10G LCs feeding Nexus or 4900 top-of-rack switches would be such a solution.

Note that w/N7K, you get usable NetFlow, per-interface uRPF configuration,
and less ACL constraints, all of which are extremely useful.

If customers insist on placing stateful firewall chokepoints and such in
front of their servers, 6500s can be used as service switches. They can
handle IPSEC, as well.

So, this simply leaves MPLS termination as the primary issue, does it not?
If this is the case, then placing an MPLS-capable box at the DC
distribution gateway level takes care of this, yes?

-----------------------------------------------------------------------
Roland Dobbins //

    Injustice is relatively easy to bear; what stings is justice.

                          -- H.L. Mencken

From dwinkworth at att.net Fri Nov 27 23:43:56 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Fri, 27 Nov 2009 20:43:56 -0800 (PST)
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <9D29944F-2784-4E47-87F0-E9266559542E@arbor.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0FF164.9020008@justinshore.com> <3526F068-D077-4541-B8B1-81D1C66A4A97@cisco.com> <4B109D7D.50300@justinshore.com> <9D29944F-2784-4E47-87F0-E9266559542E@arbor.net>
Message-ID: <990586.31613.qm@web180012.mail.gq1.yahoo.com>

..and now you have a sh*tpile of boxes in your environment running
different versions of software with varying features for management and
so forth. And if you're like most IT companies, some mgmt turd will
eventually let maintenance go on some of these boxes or not stick with
the architectural plan, and it will turn into spaghetti because they look
at all these boxes and they think "we have tons of empty slots and
ports."

I guess to some extent this is unavoidable.

________________________________
From: "Dobbins, Roland"
To: Cisco-nsp
Sent: Fri, November 27, 2009 10:03:45 PM
Subject: Re: [c-nsp] ASR1004 vs 7606(RSP720-CXL)

On Nov 28, 2009, at 11:48 AM, Justin Shore wrote:

> A 65/7600 with IPSec SPAs, FWSMs 67xx 10G LCs feeding Nexus or 4900 top-of-rack switches would be such a solution.

Note that w/N7K, you get usable NetFlow, per-interface uRPF configuration,
and less ACL constraints, all of which are extremely useful.

If customers insist on placing stateful firewall chokepoints and such in
front of their servers, 6500s can be used as service switches. They can
handle IPSEC, as well.

So, this simply leaves MPLS termination as the primary issue, does it not?
If this is the case, then placing an MPLS-capable box at the DC
distribution gateway level takes care of this, yes?
----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rdobbins at arbor.net Sat Nov 28 04:33:13 2009 From: rdobbins at arbor.net (Dobbins, Roland) Date: Sat, 28 Nov 2009 09:33:13 +0000 Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL) In-Reply-To: <990586.31613.qm@web180012.mail.gq1.yahoo.com> References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0FF164.9020008@justinshore.com> <3526F068-D077-4541-B8B1-81D1C66A4A97@cisco.com> <4B109D7D.50300@justinshore.com> <9D29944F-2784-4E47-87F0-E9266559542E@arbor.net> <990586.31613.qm@web180012.mail.gq1.yahoo.com> Message-ID: <7FFBFF8C-6FE5-4F76-A2AA-6B17FACC6BF1@arbor.net> On Nov 28, 2009, at 12:43 PM, Derick Winkworth wrote: > ..and now you have a sh*tpile of boxes in your environment running different versions of software with varying features for management and so forth. Welcome to the Internet. ;> ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From p.mayers at imperial.ac.uk Sat Nov 28 07:50:50 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Sat, 28 Nov 2009 12:50:50 +0000 Subject: [c-nsp] BGP soft-reconfiguration inbound impact In-Reply-To: References: <4B0FE3EA.7010305@renater.fr> <4B0FEFA3.9050008@imperial.ac.uk> Message-ID: <20091128125050.GB3530@wildfire.net.ic.ac.uk> On Fri, Nov 27, 2009 at 04:11:08PM +0000, Mikael Abrahamsson wrote: >On Fri, 27 Nov 2009, Phil Mayers wrote: > >> It depends on how many routes you have I think. 
If you've got the full >> feed, then I'd say you're going to pay a heavy price for soft-reconfig. > >Only if you modify the routes a lot via routemap or alike. This code has >been much tweaked the past 5 years, so in some cases soft-reconfig inbound >takes no extra memory at all. What if you've got >1 set of paths e.g. 2 upstreams? But that's very interesting info. From jared at puck.nether.net Sat Nov 28 08:58:45 2009 From: jared at puck.nether.net (Jared Mauch) Date: Sat, 28 Nov 2009 08:58:45 -0500 Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL) In-Reply-To: <9D29944F-2784-4E47-87F0-E9266559542E@arbor.net> References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <6ovsg51tdl6mjdqrlsfpjvhrhimurm8elj@hojmark.net> <4B0FF164.9020008@justinshore.com> <3526F068-D077-4541-B8B1-81D1C66A4A97@cisco.com> <4B109D7D.50300@justinshore.com> <9D29944F-2784-4E47-87F0-E9266559542E@arbor.net> Message-ID: <90DB690A-33C1-4480-BD97-B817D5413654@puck.nether.net> I guess, unless you are doing 10G martini l2 ckts, and want to "waste" capital on numerous excess devices increasing network complexity. - Jared On Nov 27, 2009, at 11:03 PM, Dobbins, Roland wrote: > So, this simply leaves MPLS termination as the primary issue, does it not? If this is the case, then placing an MPLS-capable box at the DC distribution gateway level takes care of this, yes? From howard at leadmon.net Sat Nov 28 12:02:44 2009 From: howard at leadmon.net (Howard Leadmon) Date: Sat, 28 Nov 2009 12:02:44 -0500 Subject: [c-nsp] PA-MC-8T1 In-Reply-To: References: Message-ID: <006801ca704c$9c6635d0$d532a170$@net> I actually have a 6509 with a FlexWAN controller in it, with a PA-MC-8T1 in one side, and a DS3 card in the other, it works fine! You can run channelized or non-channelized, we run our links as full out T1's so no channelization for us. So yep, as long as you get an IOS that supports it, you will be fine... 
--- Howard Leadmon > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Graham Wooden > Sent: Wednesday, November 25, 2009 11:09 PM > To: cisco-nsp > Subject: [c-nsp] PA-MC-8T1 > > Hi all, > > Just wanted to confirm before I spend the money .... > > I am looking at the WAN card PA-MC-8T1 for some T1 aggregation points, > inserted into FlexWAN/6500. As I am reading the data sheet for it, it > looks > like it can do non-channelized connections, right? Need to consolidate > down > some non-fractional/channelized T1s... > > Thanks, > > -graham > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From howard at leadmon.net Sat Nov 28 13:35:02 2009 From: howard at leadmon.net (Howard Leadmon) Date: Sat, 28 Nov 2009 13:35:02 -0500 Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question.. Message-ID: <006b01ca7059$814ce160$83e6a420$@net> I have a question hopefully someone can give me a pointer or shed some light on.. I have both an Aironet 1242AG and now a 1252AG access point, which are working fine. I have WPA2-Personal with a shared key setup and running great as well. As it was my impression that Vista and Win7 both supported Enterprise authentication, which I figured would be better and more secure than using the personal shared key stuff. I have tried, and googled, and I for the life of me just can't seem to get Enterprise auth going.. Does anyone have any docs on getting the Aironet and Windows to play together, configs, or links to info that will help? Just FYI, I am trying to use the radius server built into the AP, as I figured that would be simple enough, hopefully doing that is ok.. 
--- Howard Leadmon From erey at ernw.de Sat Nov 28 14:09:41 2009 From: erey at ernw.de (Enno Rey) Date: Sat, 28 Nov 2009 20:09:41 +0100 Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question.. In-Reply-To: <006b01ca7059$814ce160$83e6a420$@net> References: <006b01ca7059$814ce160$83e6a420$@net> Message-ID: <20091128190941.GF28780@ws25.ernw.de> Hi, On Sat, Nov 28, 2009 at 01:35:02PM -0500, Howard Leadmon wrote: > I have a question hopefully someone can give me a pointer or shed some > light on.. > > > > I have both an Aironet 1242AG and now a 1252AG access point, which are > working fine. I have WPA2-Personal with a shared key setup and running > great as well. As it was my impression that Vista and Win7 both supported > Enterprise authentication, which I figured would be better and more secure > than using the personal shared key stuff. > > > > I have tried, and googled, and I for the life of me just can't seem to get > Enterprise auth going.. Does anyone have any docs on getting the Aironet > and Windows to play together, configs, or links to info that will help? > Just FYI, I am trying to use the radius server built into the AP, as I > figured that would be simple enough, hopefully doing that is ok.. > Attached (below) you find a productive config file (anonymized sufficiently I hope) and a "config snippet template" for RADIUS auth against local database. You should be able to understand (and assemble) the relevant pieces. Feel free to contact me off-list if you don't succeed... The "standard windows client config" is described for example in: https://www.cisco.com/en/US/docs/wireless/wlan_adapter/cb21ag/user/2.0/configuration/guide/winapEkh.html And this doc on hardening the APs might be interesting as well: http://www.ernw.de/content/e7/e183/e691/download693/ERNW_hard_cisco_aps_erey_ger.pdf thanks, Enno -- Enno Rey ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de Tel. 
+49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Commercial Register Mannheim: HRB 337135
Managing Director: Enno Rey

*** TROOPERS10 - This time it's a home match ***
*** International Security Conference & Hacking Summit ***
*** 8-12 March 2010 - Heidelberg, Germany ***
*************** www.troopers.de ******************

==============================
Config snippet/template

! must be configured before 'radius-server local' is even
! available
aaa new-model
!
! enter local radius-server config mode
radius-server local
  ! include devices that act as RADIUS clients
  nas 20.20.20.20 key radius123!
  nas 20.20.20.21 key rad234!
  ! configure users
  ! user wds necessary for WDS communication
  user wds pass wds456
  ! user needed for infrastructure_AP authentication
  user infrastructureap pass infra678
  ! other users e.g. for LEAP
  user erey pass hallo123
  user fbrandtner pass franky
  user tschuster pass franke
!
! 'point to self' radius-server config (as client)
! note port numbers!
radius-server host 20.20.20.20 auth-port 1812 acct-port 1813 key radius123!

======================
Full sample config

!
! No configuration change since last restart
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname A0119BG01
!
no logging console
enable secret 5 $1$3aRl$ms3dlasjaksjXefaQoRH.J1
!
clock timezone GMT 1
clock summer-time mesz recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip domain lookup
ip domain name warehouse.com
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius dummy
!
aaa group server radius Infrastructure
 server 10.28.86.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_pmip
!
aaa group server radius rad_eap1
!
aaa group server radius user
 server 10.28.86.1 auth-port 1812 acct-port 1813
 server 10.0.184.20 auth-port 1645 acct-port 1646
 server 10.0.184.21 auth-port 1645 acct-port 1646
!
aaa authentication login method_user group user
aaa authentication login mac_methods local
aaa authentication login method_infrastructure group Infrastructure
aaa authentication login eap_methods group user
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid abc115EPtz9aoMDE
   vlan 3
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 BADEAFFE
!
dot11 ssid abcm303GHos7aoISI
   vlan 2
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
!
!
crypto pki trustpoint TP-self-signed-724177026
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-724177026
 revocation-check none
 rsakeypair TP-self-signed-724177026
!
!
crypto ca certificate chain TP-self-signed-724177026
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 37323431 37373032 36301E17 0D303230 33303130 30303035
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3732 34313737
  30323630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C68F64C4 AE33F858 240A1126 8C2E41AF 511C542D 17E4DD0E 3E29BD36 7F8B280C
  26FE86DB B671E0DD FC5C23F9 E5ED65E2 95990E9C C73A1A30 70B2C011 4D5803E0
  2FA3E66E EB109922 4385B2B0 DB755888 692E7B80 A6811950 726DC7FB E8DF3175
  72734D2A 611DF0D4 342E7AD0 E1AB1638 9D5EC5B7 35569203 AE1B113D 4AACAE0B
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 16801447 DF8B63E0 D1A0E27A D2CFE272 A6A8F3C0 B819B430 1D060355
  1D0E0416 041447DF 8B63E0D1 A0E27AD2 CFE272A6 A8F3C0B8 19B4300D 06092A86
  4886F70D 01010405 00038181 009E3010 9569DBE5 C3DBE314 FFF59CC1 DE75CB77
  9082FDBD 7883DBBD 28556576 4F8FF831 625E146E 52FC84D0 13B8CB7B EC84AB50
  C3E3AB1E 464056B7 9027010D E4E881FE 316CBFA5 617E5697 DBC11AF8 837299E8
  7A3BE1B5 902E3FFF E77D1B00 405EAD3F 4FEE79BD 617DF22A 28FE4C7C 80D6021B
  16832994 2F8A462C 7FF45615 B7
  quit
username ibm_inst privilege 15 password 7 xyz
!
!
policy-map Office
 class class-default
  set cos 0
policy-map POS
 class class-default
  set cos 5
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers tkip
 !
 ssid abc115EPtz9aoMDE
 !
 ssid abcm303GHos7aoISI
 !
 speed basic-1.0 basic-2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power local cck 30
 power local ofdm 30
 power client 30
 channel 2437
 station-role root fallback shutdown
 infrastructure-client
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 service-policy input POS
 service-policy output POS
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 service-policy input Office
 service-policy output Office
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 service-policy input POS
 service-policy output POS
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 service-policy input Office
 service-policy output Office
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 10.28.86.1 255.255.252.0
 no ip route-cache
!
ip default-gateway 10.28.87.254
no ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
snmp-server view basic iso included
snmp-server view basic ieee802dot11 included
snmp-server community a0_wlan_wh_ro view basic RO
snmp-server community a0_wlan_wh_rw view basic RW
snmp-server enable traps tty
radius-server local
  nas 10.28.86.1 key 7 abc
  user wds nthash 7 0A7BADE
  user abc001IBMinst nthash 7 some_hash
  user abc002IBMinst nthash 7 some_hash
  user abc003IBMinst nthash 7 some_hash
  user abc004IBMinst nthash 7 some_hash
  user abc005IBMinst nthash 7 some_hash
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.28.86.1 auth-port 1812 acct-port 1813 key 7 ABDC
radius-server host 10.0.184.21 auth-port 1645 acct-port 1646 key 7 ABDC
radius-server host 10.0.184.20 auth-port 1645 acct-port 1646 key 7 ABDC
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
wlccp ap username wds password 7 ABCD
wlccp authentication-server infrastructure method_infrastructure
wlccp authentication-server client leap method_user
wlccp wds priority 100 interface BVI1
wlccp wnm ip address 10.1.240.41
!
line con 0
 terminal-type ansi
 transport preferred all
 transport output all
line vty 0 4
 terminal-type ansi
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 terminal-type ansi
 transport preferred all
 transport input all
 transport output all
!
sntp server 192.168.4.35
sntp broadcast client
end

From tvarriale at comcast.net Sat Nov 28 15:37:02 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Sat, 28 Nov 2009 14:37:02 -0600
Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
References: <006b01ca7059$814ce160$83e6a420$@net>
Message-ID:

What type of "enterprise" are you interested in? What's your user database?

tv

----- Original Message -----
From: "Howard Leadmon"
To: "'cisco-nsp'"
Sent: Saturday, November 28, 2009 12:35 PM
Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..

> I have a question hopefully someone can give me a pointer or shed some
> light on..
>
> I have both an Aironet 1242AG and now a 1252AG access point, which are
> working fine. I have WPA2-Personal with a shared key setup and running
> great as well. As it was my impression that Vista and Win7 both
> supported Enterprise authentication, which I figured would be better
> and more secure than using the personal shared key stuff.
>
> I have tried, and googled, and I for the life of me just can't seem to get
> Enterprise auth going.. Does anyone have any docs on getting the Aironet
> and Windows to play together, configs, or links to info that will help?
> Just FYI, I am trying to use the radius server built into the AP, as I
> figured that would be simple enough, hopefully doing that is ok..
> > > > > > > > --- > > Howard Leadmon > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From felixnkansah at gmail.com Sat Nov 28 17:42:45 2009 From: felixnkansah at gmail.com (Felix Nkansah) Date: Sat, 28 Nov 2009 22:42:45 +0000 Subject: [c-nsp] Strange CDP Observation Message-ID: <18dba4e50911281442x5c9fe25co69512c4772c92aca@mail.gmail.com> Hi Team, One of my field engineers at a remote site has reported a problem to me, one which I find rather strange but have yet to confirm for myself. A Catalyst 2960 switch at the remote site is linked to a switch at a Central site via radio (bridged). However, besides the fact that connectivity tests between the two sites are failing, his observation is that when he issues the "SHOW CDP NEI" command on the remote C2960 switch, he sees the switch itself appearing as its neighbor rather than the other switch at the central location which is typically the output he expected. I have personally never seen a Cisco device showing itself as its own neighbor in a 'show cdp neighbor' output. What do you know to be the cause of this problem? Thanks. From mhernand1 at comcast.net Sat Nov 28 18:07:13 2009 From: mhernand1 at comcast.net (manolo hernandez) Date: Sat, 28 Nov 2009 18:07:13 -0500 Subject: [c-nsp] Strange CDP Observation In-Reply-To: <18dba4e50911281442x5c9fe25co69512c4772c92aca@mail.gmail.com> References: <18dba4e50911281442x5c9fe25co69512c4772c92aca@mail.gmail.com> Message-ID: <4B11AD21.5020704@comcast.net> Felix Nkansah wrote: > Hi Team, > > One of my field engineers at a remote site has reported a problem to me, one > which I find rather strange but have yet to confirm for myself. > > A Catalyst 2960 switch at the remote site is linked to a switch at a Central > site via radio (bridged). 
> > However, besides the fact that connectivity tests between the two sites are > failing, his observation is that when he issues the "SHOW CDP NEI" command > on the remote C2960 switch, he sees the switch itself appearing as its > neighbor rather than the other switch at the central location which is > typically the output he expected. > > > I have personally never seen a Cisco device showing itself as its own > neighbor in a 'show cdp neighbor' output. > > What do you know to be the cause of this problem? > > Thanks. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > A loop would cause this issue. From ygauteron at gmail.com Sun Nov 29 01:57:32 2009 From: ygauteron at gmail.com (Yann Gauteron) Date: Sun, 29 Nov 2009 07:57:32 +0100 Subject: [c-nsp] Cisco Tahoma 1.x In-Reply-To: <746ca6da0911270146p6c8a4a12r4be70ec9ad5c5677@mail.gmail.com> References: <18dba4e50911261523l47c5f76dx5061637fd9ab5070@mail.gmail.com> <746ca6da0911270146p6c8a4a12r4be70ec9ad5c5677@mail.gmail.com> Message-ID: <8097baf0911282257q433cd031vcb4b4037746cbc21@mail.gmail.com> Hi! Without disclosing any secrets, what does the Cisco Tahoma Carrier Ethernet Design guide contain? 
As I am working for a Cisco partner and Carrier Ethernet is part of our activities, I think that depending on its content, this document could be helpful in our business. Cheers, Y. 2009/11/27 Per Carlson > Hi. > > > I have been hearing of Cisco Tahoma 1.x guide to carrier ethernet design. > > > > Would anyone with access to the document share his/hers with me, if > > permitted? > > This document is under an NDA. If you want to get a copy of it, contact > your AM or SE. > > -- > Pelle > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From streiner at cluebyfour.org Sun Nov 29 02:22:00 2009 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Sun, 29 Nov 2009 02:22:00 -0500 (EST) Subject: [c-nsp] Cisco Tahoma 1.x In-Reply-To: <8097baf0911282257q433cd031vcb4b4037746cbc21@mail.gmail.com> References: <18dba4e50911261523l47c5f76dx5061637fd9ab5070@mail.gmail.com> <746ca6da0911270146p6c8a4a12r4be70ec9ad5c5677@mail.gmail.com> <8097baf0911282257q433cd031vcb4b4037746cbc21@mail.gmail.com> Message-ID: On Sun, 29 Nov 2009, Yann Gauteron wrote: > Without disclosing any secrets, what does the Cisco Tahoma Carrier Ethernet > Design guide contain? > > As I am working for a Cisco partner and Carrier Ethernet is part of our > activities, I think that depending on its content, this document could be > helpful in our business. If you're working for a Cisco partner, then someone on your account team should be able to get the relevant information for you, and they would honestly be the best people to field such a request. When dealing with information provided under NDA, people will often err on the side of caution in terms of disclosing details (read: not tell you very much). Revealing even 'non-secret' information can put someone in violation of their NDA, depending on how it's worded and what it covers. 
jms From lists at hojmark.org Sun Nov 29 02:28:21 2009 From: lists at hojmark.org (Asbjorn Hojmark - Lists) Date: Sun, 29 Nov 2009 08:28:21 +0100 Subject: [c-nsp] Cisco Tahoma 1.x In-Reply-To: <8097baf0911282257q433cd031vcb4b4037746cbc21@mail.gmail.com> References: <18dba4e50911261523l47c5f76dx5061637fd9ab5070@mail.gmail.com> <746ca6da0911270146p6c8a4a12r4be70ec9ad5c5677@mail.gmail.com> <8097baf0911282257q433cd031vcb4b4037746cbc21@mail.gmail.com> Message-ID: On Sun, 29 Nov 2009 07:57:32 +0100, you wrote: > Without disclosing any secrets, what does the Cisco Tahoma Carrier > Ethernet Design guide contain? Tahoma is solution testing, so they build a complete CE network (actually several variants of it), test different services on it, and document everything with configuration etc. It's hundreds of pages, so there's quite a bit of material there. > As I am working for a Cisco partner and Carrier Ethernet is part of > our activities, I think that depending on its content, this document > could be helpful in our business. Contact your partner account manager or partner SE. It's no problem getting the documentation. -A From markom at ipexpert.com Sun Nov 29 06:34:05 2009 From: markom at ipexpert.com (Marko Milivojevic) Date: Sun, 29 Nov 2009 11:34:05 +0000 Subject: [c-nsp] Strange CDP Observation In-Reply-To: <4B1234CE.3090600@ine.com> References: <18dba4e50911281442x5c9fe25co69512c4772c92aca@mail.gmail.com> <4B1234CE.3090600@ine.com> Message-ID: <4a15acd90911290334se22b5fex7acdcb03bccc476a@mail.gmail.com> On Sun, Nov 29, 2009 at 08:46, Scott Morris wrote: > While not normal, think about what makes it occur. > > If it REALLY WAS your own CDP frame, then your link should be down due > to loopguard. Even with a hub there, a hub is a repeater, so is it > feasible to see your own stuff? Well, not really - otherwise it would be pretty hard to do "external loopback" solutions, as well as testing links using Ethernet loopback - which is still doable. 
I haven't seen "looped" status on Ethernet for a long time. I think there are several explanations for this problem: 1. Most obvious is that there is a simple loop somewhere. That needs to be investigated in MW configuration. 2. Don't forget that CDP is Cisco proprietary protocol. Other equipment usually doesn't have any special processing for these multicast frames. Furthermore, I have seen really bad multicast implementations where multicast frames would be flooded on all ports - including the one it was received from. This is what could be happening to you - MW is simply returning you back your multicast traffic. It *shouldn't* but it does. 3. You could be having some more creative problem, like Y-loop (you have A-to-B communication, but you are also getting this traffic back to A - A-to-A). In any case, I would focus my investigation on what's going on in the microwave part of the setup. -- Marko Milivojevic - CCIE #18427 Senior Technical Instructor - IPexpert Mailto: markom at ipexpert.com Telephone: +1.810.326.1444 Live Assistance, Please visit: http://www.ipexpert.com/chat eFax: +1.810.454.0130 From markom at ipexpert.com Sun Nov 29 06:43:27 2009 From: markom at ipexpert.com (Marko Milivojevic) Date: Sun, 29 Nov 2009 11:43:27 +0000 Subject: [c-nsp] how to clear a pseudowire? In-Reply-To: <4B0F8A9F.5000509@forthnet.gr> References: <4B0F8A9F.5000509@forthnet.gr> Message-ID: <4a15acd90911290343m22f985a9jfe5f4535a893fdcd@mail.gmail.com> On Fri, Nov 27, 2009 at 08:15, Tassos Chatzithomaoglou wrote: > Is there an easy way to clear/reset a eompls pseudowire? > > The only (not affecting other services of the same interface) way i have > found is to remove the xconnect config from both sides, but i was hoping > that a clear command would exist. Can't you simply shut down the subinterface where xconnect is configured? 
-- Marko Milivojevic - CCIE #18427 Senior Technical Instructor - IPexpert Mailto: markom at ipexpert.com Telephone: +1.810.326.1444 Live Assistance, Please visit: http://www.ipexpert.com/chat eFax: +1.810.454.0130 From achatz at forthnet.gr Sun Nov 29 07:02:12 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Sun, 29 Nov 2009 14:02:12 +0200 Subject: [c-nsp] how to clear a pseudowire? In-Reply-To: <4a15acd90911290343m22f985a9jfe5f4535a893fdcd@mail.gmail.com> References: <4B0F8A9F.5000509@forthnet.gr> <4a15acd90911290343m22f985a9jfe5f4535a893fdcd@mail.gmail.com> Message-ID: <4B1262C4.7030003@forthnet.gr> This doesn't actually completely clear the pseudowire. It surely kills it (I can see it going down), but something is kept "online" (like a cache), because in my case (SRD2/SRD3) the remote description doesn't get updated after doing shut/no shut on both sides. Maybe that's a bug and it's not supposed to happen, but unless I remove the xconnect config and re-add it, the remote description doesn't get updated in any other case. It's strange that something along the lines of "clear mpls l2 vc" doesn't exist :( -- Tassos Marko Milivojevic wrote on 29/11/2009 13:43: > On Fri, Nov 27, 2009 at 08:15, Tassos Chatzithomaoglou > wrote: >> Is there an easy way to clear/reset an EoMPLS pseudowire? >> >> The only (not affecting other services of the same interface) way I have >> found is to remove the xconnect config from both sides, but I was hoping >> that a clear command would exist. > > Can't you simply shut down the subinterface where xconnect is configured? 
> > -- > Marko Milivojevic - CCIE #18427 > Senior Technical Instructor - IPexpert > > Mailto: markom at ipexpert.com > Telephone: +1.810.326.1444 > Live Assistance, Please visit: http://www.ipexpert.com/chat > eFax: +1.810.454.0130 > From avayner at cisco.com Sun Nov 29 08:54:14 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sun, 29 Nov 2009 14:54:14 +0100 Subject: [c-nsp] QoS for different types of internet customers In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAF8C@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE044AAF8C@vic-cr-ex1.staff.netspace.net.au> Message-ID: What could be done is to build a few profiles where you allow the customer a pre-defined mix of all 3 (or just 2) classes, each with a set percentage of the total link BW. You allow the customer to send the traffic pre-marked, and on your side use a policer to make sure they do not overload a specific class - and down-mark the excess traffic to a lower/BE class. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao Sent: Friday, November 27, 2009 08:36 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] QoS for different types of internet customers Sorry to digress a bit from this discussion, but for customers on the Gold plan such as the one mentioned by Will, do you just prioritize their voip/video traffic so this traffic goes into the LLQ??? What happens to their other traffic - how will it be handled by the QoS policy? Cheers. 
Andy ------------------------------ Message: 10 Date: Thu, 26 Nov 2009 09:55:50 -0500 From: Lobo To: Cisco-NSP Mailing List Subject: Re: [c-nsp] QoS for different types of internet customers Message-ID: <4B0E96F6.1090802 at gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed This is how I view it as well...only provide QoS to the MPLS VPN since all the traffic stays on your network. I think what the Sales & Marketing folk are seeing this as, "well our dedicated internet customers pay more than the burst low speed customers so we should be able to guarantee their traffic in times of congestion." It's always about the $$$. Jose >William Byrd wrote: > > Basically the way we broke down our QoS was: > > Bronze - best effort > Silver - premium data for customers > Gold - customer voip / video > > I guess you could call our gold queue the real time queue. > > -- > Will Collier-Byrd This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. 
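The per-profile approach Arie describes above (customer sends pre-marked traffic, provider polices each contracted class to its share of the access rate and down-marks the excess to best effort) spelled out as IOS MQC configuration. This is an added example by the editor, not configuration from anyone in the thread; the class names, DSCP values, percentages and interface names are assumptions chosen for illustration. It also answers Andy's question about a Gold customer's remaining traffic: whatever falls outside the contracted classes is re-marked to DSCP 0 and rides best effort. The syntax is the software-forwarding IOS flavour (ISR/7200); PFC-based 6500/7600 platforms accept a narrower subset (no fair-queue, different policer options), so check the platform QoS guide before pasting.

```cisco
! Added example (editor), not from the thread. Class names, DSCP values,
! percentages and interface names are assumptions for illustration.
class-map match-any CUST-GOLD
 match dscp ef
class-map match-any CUST-SILVER
 match dscp af31 af32 af33
!
! Ingress on the customer port. Each contracted class is policed to its
! share of the access rate. Excess is not dropped: it is re-marked to
! DSCP 0 and forwarded as best effort, so an over-subscribing customer
! loses priority rather than packets. Anything outside the contracted
! classes is forced to DSCP 0 regardless of what the customer set, which
! is what makes the port a trust boundary instead of a free ticket into
! the priority queue.
policy-map GOLD-PROFILE-IN
 class CUST-GOLD
  police cir percent 20
   conform-action transmit
   exceed-action set-dscp-transmit 0
 class CUST-SILVER
  police cir percent 30
   conform-action transmit
   exceed-action set-dscp-transmit 0
 class class-default
  set dscp default
!
! Egress toward the core. Only the ingress policers bound how much EF can
! reach this priority queue, so the percentages here must cover the sum of
! what the ingress policies admit from every port behind the uplink.
policy-map CORE-OUT
 class CUST-GOLD
  priority percent 20
 class CUST-SILVER
  bandwidth percent 30
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 description Gold-profile customer access (assumed port)
 service-policy input GOLD-PROFILE-IN
!
interface GigabitEthernet0/0
 description uplink to core (assumed port)
 service-policy output CORE-OUT
```

To see the policer working, generate more EF than the contracted share from the customer side and watch the conform/exceed counters in show policy-map interface GigabitEthernet0/1; the exceeded packets should then show up on the uplink as DSCP 0 rather than in the priority queue. A Silver profile is the same policy with the CUST-GOLD class removed, so a Silver customer's EF-marked traffic is simply re-marked to best effort in class-default.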
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From graham at g-rock.net Sun Nov 29 11:52:16 2009 From: graham at g-rock.net (Graham Wooden) Date: Sun, 29 Nov 2009 10:52:16 -0600 Subject: [c-nsp] VPN Tunneling question Message-ID: Hi all, I am bringing up a new remote location that is currently being served by a DSL line. This site will ultimately be served with my own PtP solution, but in the meantime and to help with the migration, I want to deploy a routable subnet at the location using a VPN solution between two PIX firewalls. I drew up a diagram depicting this, which can be found at: http://www.iamforeverme.com/VPN_Issue_diagram.pdf Other than some routing statements that need to be put in at my edge and core routers, is there anything I need to do on the main site's firewall to facilitate traffic coming in/out on the outside interface? The 525 is currently running v7.0.2. I was thinking about doing a GRE tunnel but since I have an extra 506e (v6.3.5) I would just use that and do an IPSEC tunnel to my 525 at my main site. I want all the traffic at the remote site to traverse the VPN tunnel, since its source addressing will be a public subnet originating at the main site. Seems like a common setup, no? Anything else I need to consider? Thanks all, -graham From daniel at fnutt.net Sun Nov 29 14:26:51 2009 From: daniel at fnutt.net (Daniel Husand) Date: Sun, 29 Nov 2009 20:26:51 +0100 Subject: [c-nsp] Problem with dscp packets marking on 76th platform. In-Reply-To: <4B0D1075.50601@mail.ru> References: <4B0D1075.50601@mail.ru> Message-ID: <4B12CAFB.7000102@fnutt.net> On 25.11.2009 12:09, Teslenko wrote: > We try to introduce Qos in ours IP/MPLS backbone network, > constructed on routers 7600th series There is a hardware limitation in the PFC on the Cat6500/7600 which I think you might be hitting. 
You can _not_ mark packets ingress (as IP) on this platform and then egress them as MPLS. In that scenario the DSCP header will be lost. -- Daniel Husand From andy.saykao at staff.netspace.net.au Sun Nov 29 17:01:56 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Mon, 30 Nov 2009 09:01:56 +1100 Subject: [c-nsp] QoS for different types of internet customers References: <56F211C5E3F24F47B103EA1B253822BE044AAF8C@vic-cr-ex1.staff.netspace.net.au> Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAF91@vic-cr-ex1.staff.netspace.net.au> Thanks Arie. I had a sneaking suspicion it might be like that. I wasn't sure what happened to the customer's entire traffic mix who were in the GOLD class. Sure their real time traffic gets preferential treatment but what happens to their mission-critical data traffic? Makes sense what you're saying. -----Original Message----- From: Arie Vayner (avayner) [mailto:avayner at cisco.com] Sent: Monday, 30 November 2009 12:54 AM To: Andy Saykao; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] QoS for different types of internet customers What could be done is to build a few profiles where you allow the customer a pre defined mix of all 3 (or just 2) classes, each with a set percentage of the total link BW. You allow the customer to send the traffic pre-marked, and on your side use a policer to make sure they do not overload a specific class - and down-mark the excess traffic to a lower/BE class. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao Sent: Friday, November 27, 2009 08:36 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] QoS for different types of internet customers Sorry to diverse a bit from this discussion, but for customers on the Gold plan such as the one mentioned by Will, do you just prioritize their voip/video traffic so this traffic goes into the LLQ??? 
What happens to their other traffic - how will it be handled by the QoS policy? Cheers. Andy ------------------------------ Message: 10 Date: Thu, 26 Nov 2009 09:55:50 -0500 From: Lobo To: Cisco-NSP Mailing List Subject: Re: [c-nsp] QoS for different types of internet customers Message-ID: <4B0E96F6.1090802 at gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed This is how I view it as well...only provide QoS to the MPLS VPN since all the traffic stays on your network. I think what the Sales & Marketing folk are seeing this as, "well our dedicated internet customers pay more than the burst low speed customers so we should be able to guarantee their traffic in times of congestion." It's always about the $$$. Jose >William Byrd wrote: > > Basically the way we broke down our QoS was: > > Bronze - best effort > Silver - premium data for customers > Gold - customer voip / video > > I guess you could call our gold queue the real time queue. > > -- > Will Collier-Byrd _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. 
For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ From graham at g-rock.net Sun Nov 29 22:53:00 2009 From: graham at g-rock.net (Graham Wooden) Date: Sun, 29 Nov 2009 21:53:00 -0600 Subject: [c-nsp] Client VPN issue with PIX v6.3 Message-ID: Hi all, One of my VPN devices is a 525 running v6.3.5. I am having an issue with Client VPN sessions coming in on the outside interface while accessing subnets that are reached by outside interface. I can access the "inside" interface addresses just fine. Is there some sort of limitation that I can't access subnets out past the outside interface while having VPN sessions terminating on the same interface? I tried to add these subnets to the split-tunnel acl with no love either. Thoughts? I have a v7.0.2 525 that is being tied up with another setup, so I can't test on 7.x code - but if an upgrade is needed to solve this, let me know... Thanks! -graham From zeusdadog at gmail.com Sun Nov 29 23:18:30 2009 From: zeusdadog at gmail.com (Jay Nakamura) Date: Sun, 29 Nov 2009 23:18:30 -0500 Subject: [c-nsp] Client VPN issue with PIX v6.3 In-Reply-To: References: Message-ID: <9418aca70911292018h164f6035u7673fe98d4da8882@mail.gmail.com> I think pix can't send traffic out the same interface it came in. On 11/29/09, Graham Wooden wrote: > Hi all, > > One of my VPN devices is a 525 running v6.3.5. I am having an issue with > Client VPN sessions coming in on the outside interface while accessing > subnets that are reached by outside interface. I can access the "inside" > interface addresses just fine. Is there some sort of limitation that I > can't access subnets out past the outside interface while having VPN > sessions terminating on the same interface? I tried to add these subnets to > the split-tunnel acl with no love either. > > Thoughts? 
I have a v7.0.2 525 that is being tied up with another setup, so > I can't test on 7.x code - but if an upgrade is needed to solve this, let > me know... > > Thanks! > > -graham > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From td_miles at yahoo.com Sun Nov 29 23:33:10 2009 From: td_miles at yahoo.com (Tony) Date: Sun, 29 Nov 2009 20:33:10 -0800 (PST) Subject: [c-nsp] Client VPN issue with PIX v6.3 In-Reply-To: Message-ID: <885578.98531.qm@web110105.mail.gq1.yahoo.com> Hi Graham, If I understand correctly then you're saying that when you have a VPN client session open you can't access subnets that are on the outside of your PIX from the client that has the VPN session up? Would the subnet in question be accessible from the client if it did NOT use a VPN tunnel (ie. is the subnet a generally accessible Internet address)? If the subnet is accessible without the client tunnel up, then what you need is split tunneling. If this isn't working then you need to look at why it isn't. If this isn't what you want, and you actually WANT traffic to go from client across the VPN tunnel to PIX and then back out the outside interface then a 6.3 won't support this. You need to have at least 7.2.1 or higher code and use the command: same-security-traffic permit intra-interface http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167 regards, Tony. --- On Mon, 30/11/09, Graham Wooden wrote: > From: Graham Wooden > Subject: [c-nsp] Client VPN issue with PIX v6.3 > To: "cisco-nsp" > Received: Monday, 30 November, 2009, 2:53 PM > Hi all, > > One of my VPN devices is a 525 running v6.3.5. 
I am > having an issue with > Client VPN sessions coming in on the outside interface > while accessing > subnets that are reached by outside interface. I can access > the "inside" > interface addresses just fine. Is there some sort of > limitation that I > can't access subnets out past the outside interface while > having VPN > sessions terminating on the same interface? I tried > to add these subnets to > the split-tunnel acl with no love either. > > Thoughts? I have a v7.0.2 525 that is being tied up > with another setup, so > I can't test on 7.x code - but if an upgrade is needed > to solve this, let > me know... > > Thanks! > > -graham > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > __________________________________________________________________________________ Win 1 of 4 Sony home entertainment packs thanks to Yahoo!7. Enter now: http://au.docs.yahoo.com/homepageset/ From tvarriale at comcast.net Sun Nov 29 23:33:18 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Sun, 29 Nov 2009 22:33:18 -0600 Subject: [c-nsp] Client VPN issue with PIX v6.3 References: Message-ID: PIX code below 7 doesn't support hairpinning. tv ----- Original Message ----- From: "Graham Wooden" To: "cisco-nsp" Sent: Sunday, November 29, 2009 9:53 PM Subject: [c-nsp] Client VPN issue with PIX v6.3 > Hi all, > > One of my VPN devices is a 525 running v6.3.5. I am having an issue with > Client VPN sessions coming in on the outside interface while accessing > subnets that are reached by outside interface. I can access the "inside" > interface addresses just fine. Is there some sort of limitation that I > can't access subnets out past the outside interface while having VPN > sessions terminating on the same interface? I tried to add these subnets > to > the split-tunnel acl with no love either. > > Thoughts? 
I have a v7.0.2 525 that is being tied up with another setup, > so > I can't test on 7.x code - but if an upgrade is needed to solve this, > let > me know... > > Thanks! > > -graham > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From graham at g-rock.net Sun Nov 29 23:42:25 2009 From: graham at g-rock.net (Graham Wooden) Date: Sun, 29 Nov 2009 22:42:25 -0600 Subject: [c-nsp] Client VPN issue with PIX v6.3 In-Reply-To: <885578.98531.qm@web110105.mail.gq1.yahoo.com> Message-ID: Right, the subnet that I need access to is not publicly routable but is on the outside of this particular interface. Thanks to you and everyone that chimed in. I am going to see if I can re-purpose my other 525 running 7.0.2 and get it upgraded to 7.2 or do an upgrade on this one. -graham On 11/29/09 10:33 PM, "Tony" wrote: > Hi Graham, > > If I understand correctly then you're saying that when you have a VPN client > session open you can't access subnets that are on the outside of your PIX from > the client that has the VPN session up? > > Would the subnet in question be accessible from the client if it did NOT use a > VPN tunnel (ie. is the subnet a generally accessible Internet address)? > > If the subnet is accessible without the client tunnel up, then what you need > is split tunneling. If this isn't working then you need to look at why it > isn't. > > If this isn't what you want, and you actually WANT traffic to go from client > across the VPN tunnel to PIX and then back out the outside interface then a > 6.3 won't support this. > > You need to have at least 7.2.1 or higher code and use the command: > > same-security-traffic permit intra-interface > > http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml > http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167 > > > regards, > Tony. > > > --- On Mon, 30/11/09, Graham Wooden wrote: > >> From: Graham Wooden >> Subject: [c-nsp] Client VPN issue with PIX v6.3 >> To: "cisco-nsp" >> Received: Monday, 30 November, 2009, 2:53 PM >> Hi all, >> >> One of my VPN devices is a 525 running v6.3.5. I am >> having an issue with >> Client VPN sessions coming in on the outside interface >> while accessing >> subnets that are reached by outside interface. I can access >> the "inside" >> interface addresses just fine. Is there some sort of >> limitation that I >> can't access subnets out past the outside interface while >> having VPN >> sessions terminating on the same interface? I tried >> to add these subnets to >> the split-tunnel acl with no love either. >> >> Thoughts? I have a v7.0.2 525 that is being tied up >> with another setup, so >> I can't test on 7.x code - but if an upgrade is needed >> to solve this, let >> me know... >> >> Thanks! >> >> -graham >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > From randy_94108 at yahoo.com Sun Nov 29 23:06:57 2009 From: randy_94108 at yahoo.com (Randy) Date: Sun, 29 Nov 2009 20:06:57 -0800 (PST) Subject: [c-nsp] Client VPN issue with PIX v6.3 In-Reply-To: Message-ID: <936723.23717.qm@web80501.mail.mud.yahoo.com> --- On Sun, 11/29/09, Graham Wooden wrote: From: Graham Wooden Subject: [c-nsp] Client VPN issue with PIX v6.3 To: "cisco-nsp" Date: Sunday, November 29, 2009, 7:53 PM Hi all, One of my VPN devices is a 525 running v6.3.5. 
I am having an issue with Client VPN sessions coming in on the outside interface while accessing subnets that are reached by outside interface. I can access the "inside" interface addresses just fine. Is there some sort of limitation that I can't access subnets out past the outside interface while having VPN sessions terminating on the same interface? I tried to add these subnets to the split-tunnel acl with no love either. Thoughts? I have a v7.0.2 525 that is being tied up with another setup, so I can't test on 7.x code - but if an upgrade is needed to solve this, let me know... Thanks! -graham _______________________________________________ Hi Graham, If memory serves me, hairpinning (same-security-traffic permit intra-interface) in a PIX is only supported on 7.x and above. Regards, ./Randy From perc69 at gmail.com Mon Nov 30 03:50:30 2009 From: perc69 at gmail.com (Per Carlson) Date: Mon, 30 Nov 2009 09:50:30 +0100 Subject: [c-nsp] mlppp dot1q question In-Reply-To: References: <000601ca6ea2$3713eb10$a53bc130$@org> Message-ID: <746ca6da0911300050k477dec0i271a34c81b019275@mail.gmail.com> Hi. > maybe you could also use eg l2tpv3 over mlppp or frame-relay with frf.16.1 > and DLCIs? > > Haven't tried it though... We are using MLFR (FRF 16.1) at quite a large scale with great success. No bugs have bitten us so far, neither on the PE-side (12.0S on GSR) nor CPE (ISR's running different 12.4 flavours). 
-- Pelle From anthony.ryan at manchester.ac.uk Mon Nov 30 05:53:27 2009 From: anthony.ryan at manchester.ac.uk (Anthony Ryan) Date: Mon, 30 Nov 2009 10:53:27 +0000 Subject: [c-nsp] Strange CDP Observation In-Reply-To: <18dba4e50911281442x5c9fe25co69512c4772c92aca@mail.gmail.com> References: <18dba4e50911281442x5c9fe25co69512c4772c92aca@mail.gmail.com> Message-ID: <1246C1F5-B69F-4FA8-8529-3CC2D360A3F6@manchester.ac.uk> On 28 Nov 2009, at 22:42, Felix Nkansah wrote: > One of my field engineers at a remote site has reported a problem to > me, one > which I find rather strange but have yet to confirm for myself. > > A Catalyst 2960 switch at the remote site is linked to a switch at a > Central > site via radio (bridged). > > However, besides the fact that connectivity tests between the two > sites are > failing, his observation is that when he issues the "SHOW CDP NEI" > command > on the remote C2960 switch, he sees the switch itself appearing as its > neighbor rather than the other switch at the central location which is > typically the output he expected. > > I have personally never seen a Cisco device showing itself as its own > neighbor in a 'show cdp neighbor' output. > > What do you know to be the cause of this problem? We used to see symptoms like that fairly regularly with certain providers' telco circuits when they went wrong. Usually it meant that a line card somewhere within the telco circuit had gone into a soft-loop mode. This sort of soft-loop is a deliberate and useful feature when building circuits and testing each leg of the circuit at installation time as it means they can test each section of the link without needing someone to physically put a loop of cable at the far end. But if the soft-loop feature had somehow randomly switched on then it meant there was a problem with our circuit. 
It could happen due to a software bug, or a hardware fault... or maybe human error if an operator at the telco remotely applied a loop on the wrong device when trying to commission a new circuit somewhere else.

Sometimes it would go away by restarting the telco equipment. Sometimes apparently it needed a linecard change (in the telco kit, not in our Cisco kit). And maybe sometimes somebody at the telco quietly removed the soft-loop without admitting they created it by mistake.

If there is a loop in place you might be able to detect/prove it even more by forcing some traffic out and watching the packet counts in/out increase by the same amounts, as each packet you transmit arrives back to you on your receive.

I don't know the nature of your radio circuit but it could be a problem with a soft-loop within that equipment perhaps. Do you control all the hardware for that or do you lease the circuit from someone?

Anthony Ryan

From lists at quux.de Mon Nov 30 07:43:17 2009
From: lists at quux.de (Jens Link)
Date: Mon, 30 Nov 2009 13:43:17 +0100
Subject: [c-nsp] Netflow in 2960 and 3750?
In-Reply-To: <1259236215.32461.30.camel@hal9000> (luismi's message of "Thu\, 26 Nov 2009 12\:50\:15 +0100")
References: <1259236215.32461.30.camel@hal9000>
Message-ID: <874oocchei.fsf@laphroiag.quux.de>

luismi writes:

> Hi all,
>
> is there any option to connect one 2960 and one 3570 to netflow
> collector? I was doing a research but I didn't find anything about it
> yet

Some (very) long time ago I had a similar problem. I connected an (old) laptop running Linux and fprobe-ng to a span port of a 3570. This was okay for me because there was not much traffic to collect, basically a couple of 2 MBit lines.

Jens

--
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany | +49-151-18721264         |
| http://www.quux.de  | http://blog.quux.de   | jabber: jenslink at guug.de |
-------------------------------------------------------------------------

From ronan at iol.ie Mon Nov 30 08:02:04 2009
From: ronan at iol.ie (Ronan Mullally)
Date: Mon, 30 Nov 2009 13:02:04 +0000 (GMT)
Subject: [c-nsp] Multi-chassis Multilink PPP for L2TP termination
Message-ID:

A long time ago, in a galaxy far, far away I ran MMP on a bunch of AS5300s terminating PRI connections.

Does it work today on routers (7200s / 7301s running 12.4T) that are terminating broadband connections (ppp encapsulated in L2TP)? I want to aggregate 2 or more incoming L2TP connections into a single logical link.

-Ronan

From Ian.Mackinnon at atosorigin.com Mon Nov 30 08:19:09 2009
From: Ian.Mackinnon at atosorigin.com (Mackinnon, Ian)
Date: Mon, 30 Nov 2009 13:19:09 +0000
Subject: [c-nsp] Multi-chassis Multilink PPP for L2TP termination
In-Reply-To:
References:
Message-ID: <61D4116B957C2843AACB49664C8AB223037F98D0@UKCWRX004.uk.int.atosorigin.com>

Yes it does, you need a vpdn multihop command as well as the ppp multilink. Used it on 7200s successfully doing LNS work.

Ian

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Ronan Mullally
> Sent: 30 November 2009 13:02
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Multi-chassis Multilink PPP for L2TP termination
>
> A long time ago, in a galaxy far, far away I ran MMP on a bunch of
> AS5300s terminating PRI connections.
>
> Does it work today on routers (7200s / 7301s running 12.4T) that are
> terminating broadband connections (ppp encapsulated in L2TP)? I want
> to aggregate 2 or more incoming L2TP connections into a single logical
> link.
>
>
> -Ronan
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________________

Atos Origin and Atos Consulting are trading names used by the Atos Origin group. The following trading entities are registered in England and Wales: Atos Origin IT Services UK Limited (registered number 01245534) and Atos Consulting Limited (registered number 04312380). The registered office for each is at 4 Triton Square, Regents Place, London, NW1 3HG. The VAT No. for each is: GB232327983

This e-mail and the documents attached are confidential and intended solely for the addressee, and may contain confidential or privileged information. If you receive this e-mail in error, you are not authorised to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. Atos Origin therefore can accept no liability for any errors or their content. Although Atos Origin endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with Atos Origin by email.
_______________________________________________________

From brez at brezworks.com Mon Nov 30 07:50:12 2009
From: brez at brezworks.com (Jeremy Bresley)
Date: Mon, 30 Nov 2009 06:50:12 -0600
Subject: [c-nsp] Strange CDP Observation
In-Reply-To: <4a15acd90911290334se22b5fex7acdcb03bccc476a@mail.gmail.com>
References: <18dba4e50911281442x5c9fe25co69512c4772c92aca@mail.gmail.com> <4B1234CE.3090600@ine.com> <4a15acd90911290334se22b5fex7acdcb03bccc476a@mail.gmail.com>
Message-ID: <4B13BF84.4040000@brezworks.com>

Marko Milivojevic wrote:
> On Sun, Nov 29, 2009 at 08:46, Scott Morris wrote:
>
>> While not normal, think about what makes it occur.
>>
>> If it REALLY WAS your own CDP frame, then your link should be down due
>> to loopguard. Even with a hub there, a hub is a repeater, so is it
>> feasible to see your own stuff?
>>
>
> Well, not really - otherwise it would be pretty hard to do "external
> loopback" solutions, as well as testing links using Ethernet loopback
> - which is still doable. I haven't seen "looped" status on Ethernet
> for a long time.
>
> I think there are several explanations for this problem:
>
> 1. Most obvious is that there is a simple loop somewhere. That needs
> to be investigated in MW configuration.
>
> 2. Don't forget that CDP is a Cisco proprietary protocol. Other
> equipment usually doesn't have any special processing for these
> multicast frames. Furthermore, I have seen really bad multicast
> implementations where multicast frames would be flooded on all ports -
> including the one it was received from. This is what could be
> happening to you - MW is simply returning you back your multicast
> traffic. It *shouldn't* but it does.
>
> 3. You could be having some more creative problem, like Y-loop (you
> have A-to-B communication, but you are also getting this traffic back
> to A - A-to-A).
>
> In any case, I would focus my investigation on what's going on in the
> microwave part of the setup.
>
> --
> Marko Milivojevic - CCIE #18427
> Senior Technical Instructor - IPexpert
>
> Mailto: markom at ipexpert.com
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: http://www.ipexpert.com/chat
> eFax: +1.810.454.0130
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

I've seen this behavior in 2 situations.

1) There really is a cable connecting two ports together. Depending on spanning-tree configuration, this can be very bad. The example I'm thinking of was the result of a patch-field where something got plugged in incorrectly.

2) There's a non-Cisco vendor sitting in the middle with two ports connected. I know from experience that a Foundry switch configured with FDP support but not CDP support will pass CDP packets through, but not interpret them itself.

3) There's a device such as an IPS sitting on that port. We have a client with a TippingPoint IPS that appears as a transparent bridge and passes the CDP packets through. So when this is plugged into 2 ports on the same switch (on two different VLANs), it sees itself on the far end port.

Hope this and the other suggestions let you narrow down what the problem is. Please post what the end result was back to the list, I'm sure you have several of us curious now.

Jeremy Bresley
brez at brezworks.com

From zisko.nsp at gmail.com Mon Nov 30 09:14:24 2009
From: zisko.nsp at gmail.com (cisco cisco)
Date: Mon, 30 Nov 2009 15:14:24 +0100
Subject: [c-nsp] Strange CDP Observation
Message-ID: <81ab0f960911300614ta0be7fble3437d8036580ac5@mail.gmail.com>

I had the same problem. The problem was that one switch was configured with ISL trunking and the other with dot1q trunking. Changing both switches to dot1q solved this...

Regards!
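The symptom this thread describes (a switch listing itself in `show cdp neighbors`) and Anthony Ryan's counter comparison are both easy to check for mechanically. The Python below is an added example, not code from the cisco-nsp list or from Cisco: it parses a constructed `show cdp neighbors` sample, flags any entry whose Device ID is the local hostname (a port that is receiving our own CDP frames back, typically with identical local port and Port ID), and implements the "send a known burst, watch input grow in step with output" check as a function over two counter snapshots. The hostnames, interface names, domain suffix and counter values are all constructed for the demo.

```python
"""Flag a looped link from `show cdp neighbors` output and interface counters.

Added example, not code from the cisco-nsp thread or from Cisco.  The CDP
output, hostnames and counter values below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed `show cdp neighbors` output as the remote C2960 in the thread
# might show it: Gig 0/1 (the bridged radio link) returns the switch's own
# CDP frames, so the switch lists itself; Gig 0/2 has an ordinary neighbour.
SAMPLE_CDP = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
remote-c2960     Gig 0/1           145          S I       WS-C2960  Gig 0/1
floor2-c2960     Gig 0/2           162          S I       WS-C2960  Gig 0/24
"""


@dataclass(frozen=True)
class CdpEntry:
    device_id: str   # neighbour's hostname, possibly with a domain suffix
    local_intf: str  # our port, e.g. "Gig 0/1"
    port_id: str     # the neighbour's port as it reports it


def parse_cdp_neighbors(output: str) -> List[CdpEntry]:
    """Parse the table part of `show cdp neighbors` (brief form)."""
    entries: List[CdpEntry] = []
    in_table = False
    for line in output.splitlines():
        if line.startswith("Device ID"):
            in_table = True          # everything after the header is data
            continue
        if not in_table or not line.strip():
            continue
        tokens = line.split()
        if len(tokens) < 6:
            continue                 # wrapped or truncated row; skip it
        # Interface names are "Type number" pairs, so they occupy two tokens
        # at the front (Local Intrfce) and two at the end (Port ID).
        entries.append(CdpEntry(
            device_id=tokens[0],
            local_intf=f"{tokens[1]} {tokens[2]}",
            port_id=f"{tokens[-2]} {tokens[-1]}",
        ))
    return entries


def _short_name(hostname: str) -> str:
    """Compare on the unqualified, case-folded name: CDP Device IDs may carry
    a domain suffix while the configured hostname does not."""
    return hostname.split(".")[0].lower()


def find_self_neighbors(output: str, local_hostname: str
                        ) -> List[Tuple[str, str, str]]:
    """Return (device_id, local_intf, port_id) for every CDP entry whose
    Device ID is our own hostname, i.e. a port that is receiving the frames
    we transmitted.  Identical local_intf and port_id is the classic sign."""
    me = _short_name(local_hostname)
    return [(e.device_id, e.local_intf, e.port_id)
            for e in parse_cdp_neighbors(output)
            if _short_name(e.device_id) == me]


def counters_indicate_loop(before: Tuple[int, int], after: Tuple[int, int],
                           sent: int, tolerance: int = 2) -> bool:
    """Counter check from the thread: after sending a known burst, input
    packets should have risen by (about) the same amount as output packets
    if every frame is being reflected back.  `before`/`after` are
    (packets input, packets output) snapshots of the suspect interface.
    Use a probe that should draw no replies; ordinary request/response
    traffic would also show in == out and give a false positive."""
    d_in = after[0] - before[0]
    d_out = after[1] - before[1]
    if d_out < sent:
        return False                 # the burst never left the interface
    return abs(d_in - d_out) <= tolerance


if __name__ == "__main__":
    for dev, local, port in find_self_neighbors(SAMPLE_CDP, "remote-c2960"):
        print(f"{local}: our own CDP frames are coming back (port id {port})")
    # Constructed snapshots: 500 probe packets sent, 500 packets received.
    print("counters look looped:",
          counters_indicate_loop((1000, 5000), (1500, 5500), sent=500))
```

Both checks are deliberately dumb: the CDP test only needs the local hostname and a pasted `show cdp neighbors`, and the counter test only needs two `show interfaces` readings around a probe burst, so either can be run from a console session on the remote switch without touching the radio or telco equipment in the middle.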
From shawn.zhangshang at gmail.com Mon Nov 30 09:22:41 2009
From: shawn.zhangshang at gmail.com (Shawn Zhang)
Date: Mon, 30 Nov 2009 06:22:41 -0800 (PST)
Subject: [c-nsp] Invitation to connect on LinkedIn
Message-ID: <117649377.13531581.1259590961147.JavaMail.app@ech3-cdn12.prod>

LinkedIn
------------

Shawn Zhang has asked to add you as a contact on LinkedIn:
------------------------------------------

Sebastián,

I'd like to add you to my professional network on LinkedIn.

- Shawn

Accept invitation from Shawn Zhang
http://www.linkedin.com/e/vyPV953ymgwhJZim_QSTkIEJ407GCYbmqcvZFAK/blk/I1622661053_2/pmpxnSRJrSdvj4R5fnhv9ClRsDgZp6lQs6lzoQ5AomZIpn8_cBYPdj0NdzoOczoNiiZScCkUqClKcOYRd38Vd3gSejwLrCBxbOYWrSlI/EML_comm_afe/

View invitation from Shawn Zhang
http://www.linkedin.com/e/vyPV953ymgwhJZim_QSTkIEJ407GCYbmqcvZFAK/blk/I1622661053_2/39vcPkMcjoScz8SckALqnpPbOYWrSlI/svi/

------------------------------------------

DID YOU KNOW that LinkedIn lets you check references more efficiently? Enter the company name and the years of employment of the prospective employee to find the colleagues who are also in your network. This gives you a more balanced set of comments for evaluating that new hire.
http://www.linkedin.com/e/rsr/inv-27/

------
(c) 2009, LinkedIn Corporation

From drew.weaver at thenap.com Mon Nov 30 09:39:16 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 30 Nov 2009 09:39:16 -0500
Subject: [c-nsp] OSPF clarification
Message-ID:

Hi,

If you have your entire network in a single area (area 0), is it normal that when a VLAN on any switch in that area flaps that all of your routes in OSPF 'reset'?

I don't mean a 'neighbor' VLAN, I mean just any old VLAN with an IP address assigned to it.

Last update from x.x.x.x on Vlan4061, 00:08:42 ago

I mean the 'timers' seem to reset for every single route in OSPF anytime a single VLAN anywhere goes down.

If this is intended, which I am still not sure of, what would be the proper way to 'area' a datacenter?
It doesn't seem like there would be a way to do it so that just the route attached to said VLAN that is flapping would be removed/re-inserted unless you put each VLAN in a separate area.

thanks,
-Drew

From jared at puck.nether.net Mon Nov 30 09:57:20 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 30 Nov 2009 09:57:20 -0500
Subject: [c-nsp] XNE on ASR1k already EOL?
In-Reply-To:
References: <4B0E500E.2060409@forthnet.gr>
Message-ID: <12A8D559-00EE-4C23-ABA7-71D89AA08EC4@puck.nether.net>

The good news is (or I guess is) they made classless routing the default now in XE 2.5/XNE

- Jared

On Nov 26, 2009, at 6:07 AM, Asbjorn Hojmark - Lists wrote:

> On Thu, 26 Nov 2009 11:53:18 +0200, you wrote:
>
>> http://www.cisco.com/en/US/customer/prod/collateral/routers/ps9343/end_of_life_c51-570651.html
>> http://www.cisco.com/en/US/customer/docs/ios/ios_xe/2/release/notes/rnasr21.html#wp2310700
>>
>> Anyone know what happened?
>
> It's just a symptom of the fact that they run time-based releases with
> IOS XE on ASR1K, so 2.5 doesn't live long, and they tell us that well
> in advance (even before there is an alternative). Some of the releases
> (2.4, 2.7, 2.10, 2.23 etc) will have extended maintenance.
>
> It's all explained here:
> http://www.cisco.com/en/US/customer/prod/collateral/routers/ps9343/product_bulletin_c25-448258.html
>
> -A
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ecralar at hotmail.com Mon Nov 30 10:09:31 2009
From: ecralar at hotmail.com (Alex)
Date: Mon, 30 Nov 2009 15:09:31 -0000
Subject: [c-nsp] OSPF clarification
In-Reply-To:
References:
Message-ID:

Drew,

If your VLANs are all covered by a "network X.Y.Z.W area V" command under "router ospf T" then they all are represented as Type-1/Type-2 LSAs in the OSPF LSDB.
And every time a VLAN goes down, LSA-1/2 are reflooded with Age=MaxAge (default 3600 sec). When this VLAN goes back up, LSA-1/2 are recreated and reflooded again. Every time this happens, all OSPF routers in the given area must recalculate their SPF, then put OSPF routes in the routing table with a new timestamp.

I'd suggest using the OSPF "network" statement for core VLANs only; edge VLANs should be injected with the "redistribute connected/static" statement (this creates Type-5 LSAs for edge VLANs, which do not affect SPF).

HTH
Rgds
Alex

--------------------------------------------------
From: "Drew Weaver"
Date: 30 November 2009 14:39
To: "Cisco-nsp"
Subject: [c-nsp] OSPF clarification

> Hi,
>
> If you have your entire network in a single area (area 0), is it normal
> that when a VLAN on any switch in that area flaps that all of your routes
> in OSPF 'reset'?
>
> I don't mean a 'neighbor' VLAN, I mean just any old VLAN with an IP
> address assigned to it.
>
> Last update from x.x.x.x on Vlan4061, 00:08:42 ago
>
> I mean the 'timers' seem to reset for every single route in OSPF anytime a
> single VLAN anywhere goes down.
>
> If this is intended, which I am still not sure of, what would be the
> proper way to 'area' a datacenter?
>
> It doesn't seem like there would be a way to do it so that just the route
> attached to said VLAN that is flapping would be removed/re-inserted unless
> you put each VLAN in a separate area.
>
> thanks,
> -Drew
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From nick at inex.ie Mon Nov 30 10:51:18 2009
From: nick at inex.ie (Nick Hilliard)
Date: Mon, 30 Nov 2009 15:51:18 +0000
Subject: [c-nsp] XNE on ASR1k already EOL?
In-Reply-To: <12A8D559-00EE-4C23-ABA7-71D89AA08EC4@puck.nether.net>
References: <4B0E500E.2060409@forthnet.gr> <12A8D559-00EE-4C23-ABA7-71D89AA08EC4@puck.nether.net>
Message-ID: <4B13E9F6.9060408@inex.ie>

On 30/11/2009 14:57, Jared Mauch wrote:
> They made classless routing the default now in XE 2.5/XNE

Is there even an option to use classful routing on ios-xe? I simply can't imagine who would use this, or why.

Nick

From sthaug at nethelp.no Mon Nov 30 11:11:12 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 30 Nov 2009 17:11:12 +0100 (CET)
Subject: [c-nsp] OSPF clarification
In-Reply-To:
References:
Message-ID: <20091130.171112.74680153.sthaug@nethelp.no>

> I'd suggest to use OSPF "network" statement for core VLANs only, edge VLANs
> should be injected with "redistribute connected/static" statement (this
> creates Type-5 LSA for edge VLANs which does not affect SPF).

Or put them in IBGP.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From kloch at kl.net Mon Nov 30 11:25:12 2009
From: kloch at kl.net (Kevin Loch)
Date: Mon, 30 Nov 2009 11:25:12 -0500
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B0D899D.2040900@bromirski.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net>
Message-ID: <4B13F1E8.1020509@kl.net>

Łukasz Bromirski wrote:
> The new EARL - EARL8 is already there - as the PFC for Nexus 7k. It will
> also be the part of next-gen Sup "2T" and DFCs for LCs in the 6500E.

Will the 2T and new LC's work in the 7600 chassis?
- Kevin

From mtinka at globaltransit.net Mon Nov 30 11:40:08 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 1 Dec 2009 00:40:08 +0800
Subject: [c-nsp] OSPF clarification
In-Reply-To:
References:
Message-ID: <200912010040.09448.mtinka@globaltransit.net>

On Monday 30 November 2009 11:09:31 pm Alex wrote:

> If your VLANs are all covered by "network X.Y.Z.W area V"
> command under "router ospf T" then they all are
> represented as Type-1/Type-2 LSA in OSPF LSDB.
> And every time a VLAN goes down, LSA-1/2 are reflooded
> with Age=MaxAge (default 3600 sec).
> When this VLAN goes back up, LSA-1/2 are recreated and
> reflooded again. Every time this happens, all OSPF
> routers in given area must recalculate their SPF, then
> put OSPF routes in a routing table with new timestamp.

That's OSPFv2 for you.

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL:

From mtinka at globaltransit.net Mon Nov 30 11:40:33 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 1 Dec 2009 00:40:33 +0800
Subject: [c-nsp] OSPF clarification
In-Reply-To: <20091130.171112.74680153.sthaug@nethelp.no>
References: <20091130.171112.74680153.sthaug@nethelp.no>
Message-ID: <200912010040.34790.mtinka@globaltransit.net>

On Tuesday 01 December 2009 12:11:12 am sthaug at nethelp.no wrote:

> Or put them in IBGP.

+1.

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL:

From eric at roxanne.org Mon Nov 30 11:44:38 2009
From: eric at roxanne.org (Eric Gauthier)
Date: Mon, 30 Nov 2009 11:44:38 -0500
Subject: [c-nsp] OSPF clarification
In-Reply-To:
References:
Message-ID: <20091130164438.GA11810@roxanne.org>

Alex,

If this is a big concern and you have the option, check out IS-IS.
Eric :)

On Mon, Nov 30, 2009 at 03:09:31PM -0000, Alex wrote:
> Drew,
> If your VLANs are all covered by "network X.Y.Z.W area V" command under
> "router ospf T" then they all are represented as Type-1/Type-2 LSA in OSPF
> LSDB.
> And every time a VLAN goes down, LSA-1/2 are reflooded with Age=MaxAge
> (default 3600 sec).
> When this VLAN goes back up, LSA-1/2 are recreated and reflooded again.
> Every time this happens, all OSPF routers in given area must recalculate
> their SPF, then put OSPF routes in a routing table with new timestamp.
> I'd suggest to use OSPF "network" statement for core VLANs only, edge VLANs
> should be injected with "redistribute connected/static" statement (this
> creates Type-5 LSA for edge VLANs which does not affect SPF).
> HTH
> Rgds
> Alex
>
>
> --------------------------------------------------
> From: "Drew Weaver"
> Date: 30 November 2009 14:39
> To: "Cisco-nsp"
> Subject: [c-nsp] OSPF clarification
>
> >Hi,
> >
> >If you have your entire network in a single area (area 0), is it normal
> >that when a VLAN on any switch in that area flaps that all of your routes
> >in OSPF 'reset'?
> >
> >I don't mean a 'neighbor' VLAN, I mean just any old VLAN with an IP
> >address assigned to it.
> >
> >Last update from x.x.x.x on Vlan4061, 00:08:42 ago
> >
> >I mean the 'timers' seem to reset for every single route in OSPF anytime a
> >single VLAN anywhere goes down.
> >
> >If this is intended, which I am still not sure of, what would be the
> >proper way to 'area' a datacenter?
> >
> >It doesn't seem like there would be a way to do it so that just the route
> >attached to said VLAN that is flapping would be removed/re-inserted unless
> >you put each VLAN in a separate area.
> >
> >thanks,
> >-Drew
> >
> >
> >
> >_______________________________________________
> >cisco-nsp mailing list cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rdobbins at arbor.net Mon Nov 30 12:01:13 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Mon, 30 Nov 2009 17:01:13 +0000
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B13F1E8.1020509@kl.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <4B13F1E8.1020509@kl.net>
Message-ID:

On Dec 1, 2009, at 12:25 AM, Kevin Loch wrote:

> Will the 2T and new LC's work in the 7600 chassis?

That depends upon if/when the 7600 team commit to the putative, unannounced hardware we're speculating about which we don't know for sure exists, or when it will be available, if it is.

;>

Best to ask these questions of your Cisco account team.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From psirt at cisco.com Mon Nov 30 12:37:23 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Mon, 30 Nov 2009 17:37:23 -0000
Subject: [c-nsp] [nsp] Cisco Security Advisory: Cisco IOS HTTP Server Vulnerability
Message-ID: <200005150803.EAA27616@rtp-msg-core-1.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----

Cisco IOS HTTP Server Vulnerability

Revision 1.0

For public release 2000 May 14 at 09:00 US/Eastern (UTC+0400)

------------------------------------------------------------------------

Summary

A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled and browsing to "http:///%%" is attempted. This defect can be exploited to produce a denial of service (DoS) attack.

This defect has been discussed on public mailing lists and should be considered public information.

The vulnerability, identified as Cisco bug ID CSCdr36952, affects virtually all mainstream Cisco routers and switches running Cisco IOS software releases 11.1 through 12.1, inclusive. The vulnerability has been corrected and Cisco is making fixed releases available to replace all affected IOS releases. Customers are urged to upgrade to releases that are not vulnerable to this defect as shown in detail below.

The vulnerability can be mitigated by disabling the IOS HTTP server, using an access-list on an interface in the path to the router to prevent unauthorized network connections to the HTTP server, or applying an access-class option directly to the HTTP server itself.

The IOS HTTP server is enabled by default only on Cisco 1003, 1004, and 1005 routers that are not configured. In all other cases, the IOS http server must be explicitly enabled in order to exploit this defect.

The complete advisory is available at http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml .
------------------------------------------------------------------------

Affected Products

The following list of products is affected if they are running a release of Cisco IOS software that has the defect. To determine if a Cisco product is running IOS, log in to the device and issue the command show version. Classic Cisco IOS software will identify itself simply as "Internetwork Operating System Software" or "IOS (tm)" software and will display a version number. Other Cisco devices either will not have the show version command, or will give different output. Compare the version number obtained from the router with the versions presented in the Software Versions and Fixes section below.

Cisco devices that may be running affected releases include:

  * Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
  * Most recent versions of the LS1010 ATM switch.
  * The Catalyst 6000 if it is running IOS.
  * Some versions of the Catalyst 2900XL LAN switch.
  * The Cisco DistributedDirector.

For some products, the affected software releases are relatively new and may not be available on every device listed above.

If you are not running classic Cisco IOS software then you are not affected by this vulnerability. Cisco products that do not run classic Cisco IOS software and thus are not affected by this defect include:

  * 700 series dialup routers (750, 760, and 770 series) are not affected.
  * Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are not affected except for some versions of the Catalyst 2900XL. However, optional router modules running Cisco IOS software in switch backplanes, such as the RSM module for the Catalyst 5000 and 5500, are affected (see the Affected Products section above).
  * The Catalyst 6000 is not affected if it is not running IOS.
  * WAN switching products in the IGX and BPX lines are not affected.
  * The MGX (formerly known as the AXIS shelf) is not affected.
  * No host-based software is affected.
  * The Cisco PIX Firewall is not affected.
  * The Cisco LocalDirector is not affected.
  * The Cisco Cache Engine is not affected.

------------------------------------------------------------------------

Details

The HTTP server was introduced in IOS release 11.0 to extend router management to the worldwide web. The defect appears in a function added in IOS releases 11.1 and 11.2 that parses special characters in a URI of the format "%nn" where each "n" represents a hexadecimal digit. The vulnerability is exposed when an attempt is made to browse to "http:///%%". Due to the defect, the function incorrectly parses "%%" and it enters an infinite loop. A watchdog timer expires two minutes later and forces the router to crash and reload. Once it has resumed normal operation, the router is again vulnerable to the same defect until the HTTP server is disabled, access from untrusted hosts is prohibited, or the router is upgraded to a release of Cisco IOS software that is not vulnerable to this defect.

In rare cases, the affected device fails to reload, forcing the administrator to cycle the power to resume operation. Some devices have reloaded without providing stack traces and may indicate wrongly that they were "restarted by power-on" when that did not occur.

The HTTP server is not enabled by default except on unconfigured Cisco model 1003, 1004, and 1005 routers. Once initial access is granted to configure the router, the customer may disable or limit access to the HTTP server by changing the configuration. Once the new configuration has been saved, the HTTP server will not be enabled automatically when the router restarts.
------------------------------------------------------------------------

Impact

Any affected Cisco IOS device that is operating with the HTTP server enabled and is not protected against unauthorized connections can be forced to halt for a period of up to two minutes and then reload. The vulnerability can be exercised repeatedly, possibly creating a denial of service (DoS) attack, until such time as the HTTP server is disabled, the router is protected against the attack, or the software on the router is upgraded to an unaffected release of IOS.

In rare instances when a router at a remote location fails to reload, an administrator must visit the physical device to recover from the defect. In rare cases where no stack trace could be recovered and the router may erroneously report "restarted by power-on", the customer may be misled as to the true cause of a reload.

------------------------------------------------------------------------

Software Versions and Fixes

The following table summarizes the major releases of Cisco IOS software affected by the defect described in this notice and scheduled dates on which the earliest corresponding fixed releases will be available. All dates are tentative and subject to change.

Each row of the table shows the earliest release that contains the fix for the vulnerability in the "Rebuild", "Interim", or "Maintenance" columns, presented in release number order. A Maintenance Release is the most heavily-tested and highly-recommended release in a given row. A Rebuild Release is constructed from the previous maintenance or mainline release with the addition of a code fix for the specific defect. Although it receives less testing than a maintenance release, it is built from the previous maintenance release and includes only the minimum changes necessary to address the specific defect. An Interim Release has much less testing than a maintenance release and should be selected only if there is no other suitable release that fixes the defect.
To find an appropriate replacement for a vulnerable release, compare the release number as reported by the show version command to the major releases in the first column below. For example, if your device reports that it is running 12.0(5)S, find the row in the table for 12.0S. Reading across to the right, you find that the earliest maintenance release containing the fix will be 12.0(11)S, which will be available for download from CCO on or about 2000-05-29. The earliest interim release containing the fix will be 12.0(10.6)S, available on or about 2000-05-15. The rebuild of the previous maintenance release, 12.0(10)S1, should be available on 2000-05-01.

The only difference between 12.0(10)S and 12.0(10)S1 is the minimum change necessary to fix this vulnerability. In particular, 12.0(10)S1 will not contain any fixes or features applied to any interim releases since the earlier maintenance release, whereas the interim release, 12.0(10.6)S, contains the fix as well as the features and instabilities introduced by previous interim releases, 12.0(10.1)S through 12.0(10.5)S.

Therefore, based on this example:

  * If you can apply a workaround or otherwise wait for the maintenance release, then upgrade to 12.0(11)S. Or
  * If you are running 12.0(10.1)S to 12.0(10.5)S inclusive and need some functionality introduced in those interim releases, upgrade to 12.0(10.6)S. Upgrade to 12.0(11)S or later as soon as possible. Or
  * If you are running release 12.0(10)S or earlier, upgrade to 12.0(10)S1.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that their current hardware and software configurations will continue to be supported properly by the new release.
---------+------------------+-------------------------------------------
Major    | Description or   |
Release  | Platform         | Availability of Repaired Releases*
---------+------------------+-------------+--------------+--------------
Unaffected Earlier Releases | Rebuild     | Interim**    | Maintenance
---------+------------------+-------------+--------------+--------------
11.0 &   |                  |             |              |
earlier, |                  | Not         | Not          |
all      | Numerous         | vulnerable  | vulnerable   | Not vulnerable
variants |                  |             |              |
---------+------------------+-------------+--------------+--------------
11.1-based Releases         | Rebuild     | Interim**    | Maintenance
---------+------------------+-------------+--------------+--------------
         | General          |             |              |
11.1     | Deployment (GD): | Unavailable | Unavailable  | Unavailable
         | all platforms    |             |              |
---------+------------------+-------------+--------------+--------------
         |                  |             | 11.1(33.2)CA | 11.1(34)CA
11.1CA   | Core/ISP support:|             |              |
         | rsp, c7200       |             |              |
         |                  |             | 2000-05-08   | 2000-05-30
---------+------------------+-------------+--------------+--------------
         |                  | 11.1(33)CC1 | 11.1(33.1)CC | 11.1(34)CC
11.1CC   | FIB support: rsp,|             |              |
         | c7200            |             |              |
         |                  | 2000-05-10  | 2000-05-22   | 2000-06-12
---------+------------------+-------------+--------------+--------------
11.2-based Releases         | Rebuild     | Interim**    | Maintenance
---------+------------------+-------------+--------------+--------------
         | General          | 11.2(22a)   | 11.2(22.2)   | 11.2(23)
11.2     | Deployment (GD): |             |              |
         | all platforms    | 2000-05-29  | 2000-05-08   | 2000-07-10
---------+------------------+-------------+--------------+--------------
         | IBM networking,  | 11.2(22a)BC | 11.2(22.1)BC |
11.2BC   | CIP & TN3270     |             |              |
         | support: rsp     | 2000-05-31  | 2000-05-05   |
---------+------------------+-------------+--------------+--------------
         |                  | 11.2(22a)P  | 11.2(22.2)P  | 11.2(23)P
11.2P    | All platforms    |             |              |
         |                  | 2000-05-29  | 2000-05-08   | 2000-07-17
---------+------------------+-------------+--------------+--------------
11.3-based Releases         | Rebuild     | Interim**    | Maintenance
---------+------------------+-------------+--------------+--------------
         | xDSL access      | 11.3(1)DA9  |              |
11.3DA   | multiplexer:     |             |              |
         | c6200            | 2000-05-31  |              |
---------+------------------+-------------+--------------+--------------
12.0-based Releases         | Rebuild     | Interim**    | Maintenance
---------+------------------+-------------+--------------+--------------
         | General          | 12.0(11a)   | 12.0(11.1)   | 12.0(12)
12.0     | Deployment (GD): |             |              |
         | all platforms    | 2000-05-31  | 2000-05-22   | 2000-07-17
---------+------------------+-------------+--------------+--------------
         |                  | 12.0(8)DA5  |              |
12.0DA   | xDSL support:    |             |              |
         | 6100, 6200       |             |              |
         |                  | 2000-05-31  |              |
---------+------------------+-------------+--------------+--------------
         |                  | 12.0(10)S1  | 12.0(10.6)S  | 12.0(11)S
12.0S    | Core/ISP support:|             |              |
         | gsr, rsp, c7200  |             |              |
         |                  | 2000-05-03  | 2000-05-15   | 2000-05-29
---------+------------------+-------------+--------------+--------------
         |                  |             | 12.0(10.6)SC | 12.0(11)SC
12.0SC   | Cable/broadband  |             |              |
         | ISP: ubr7200     |             |              |
         |                  |             | 2000-05-15   | 2000-05-30
---------+------------------+-------------+--------------+--------------
         |                  | 12.0(9)SL1  |              | 12.0(10)SL
12.0SL   | 10000 ESR: c10k  |             |              |
         |                  | 2000-05-15  |              | 2000-05-31
---------+------------------+-------------+--------------+--------------
         |                  | 12.0(9)ST1  |              | 12.0(10)ST
12.0ST   | MPLS/VPN support:|             |              |
         | gsr, rsp, c7200  |             |              |
         |                  | 2000-05-31  |              | 2000-06-12
---------+------------------+-------------+--------------+--------------
         | cat8510c,        |             |              | 12.0(5)W5(13d)
         | cat8540c, c6msm  |             |              |
         |                  |             |              | 2000-05-19
         +------------------+-------------+--------------+--------------
         | ls1010, cat8510m,|             |              | 12.0(7)W5(15c)
         | cat8540m         |             |              |
         |                  |             |              | 2000-05-08
         +------------------+-------------+--------------+--------------
12.0W5   |                  |             |              | 12.0(7)W5(15d)
         | cat2948g, cat4232|             |              |
         |                  |             |              | 2000-05-12
         +------------------+-------------+--------------+--------------
         | c5atm, c5atm,    |             |              | 12.0(9)W5(17a)
         | c3620, c3640,    |             |              |
         | c4500, c5rsfc,   |             |              |
         | c5rsm, c7200, rsp|             |              | 2000-05-22
---------+------------------+-------------+--------------+--------------
12.1-based Releases         | Rebuild     | Interim**    | Maintenance
---------+------------------+-------------+--------------+--------------
         | General          | 12.1(1b)    | 12.1(2.1)    | 12.1(3)
12.1     | Deployment (GD)  |             |              |
         | candidate: all   |             |              |
         | platforms        | 2000-05-01  | 2000-05-15   | 2000-07-10
---------+------------------+-------------+--------------+--------------
         | Access & Dial    |             |              |
         | Early Deployment | 12.1(1)AA2  |              | 12.1(2)AA
12.1AA   | (ED): c5200,     |             |              |
         | c5300, c5800,    | 2000-05-31  |              | 2000-05-22
         | dsc-c5800        |             |              |
---------+------------------+-------------+--------------+--------------
         |                  |             |              | 12.1(1)DA
12.1DA   | xDSL support:    |             |              |
         | 6160, 6260       |             |              |
         |                  |             |              | 2000-05-11
---------+------------------+-------------+--------------+--------------
         |                  |             |              | 12.1(1)DB
12.1DB   | xDSL support:    |             |              |
         | c6400            |             |              |
         |                  |             |              | 2000-05-30
---------+------------------+-------------+--------------+--------------
         |                  |             |              | 12.1(1)DC
12.1DC   | xDSL NRP support:|             |              |
         | c6400r           |             |              |
         |                  |             |              | 2000-05-15
---------+------------------+-------------+--------------+--------------
         | ELB Early        |             |              |
         | Deployment (ED): | 12.1(1)E2   |              | 12.1(2)E
12.1E    | cat6k, 8500,     |             |              |
         | ls1010, 7500,    | 2000-05-04  |              | 2000-05-30
         | 7200, 7100       |             |              |
---------+------------------+-------------+--------------+--------------
         | Cable/broadband  |             |              | 12.1(2)EC
12.1EC   | Early Deployment |             |              |
         | (ED): ubr7200    |             |              | 2000-05-30
---------+------------------+-------------+--------------+--------------
         | New technology   |             | 12.1(2.0.1)T2| 12.1(2)T
12.1T    | Early Deployment |             |              |
         | (ED): all        |             |              |
         | platforms        |             | 2000-05-01   | 2000-05-22
---------+------------------+-------------+--------------+--------------
         |                  | 12.1(1)XA3  |              | 12.1(2)T***
12.1XA***| Obsolete         |             |              |
         |                  | 2000-05-31  |              | 2000-05-22
---------+------------------+-------------+--------------+--------------
         | Early Deployment |             |              | 12.1(1)XD
12.1XD   | (ED): limited    |             |              |
         | platforms        |             |              |
2000-05-15 ---------+------------------+-------------+--------------+-------------- | Early Deployment | | | 12.1(1)XE 12.1XE | (ED): limited | | | | platforms | | | 2000-05-08 ---------+------------------+-------------+--------------+-------------- Notes ------------------------------------------------------------------------ * All dates are estimated and subject to change. ** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs. *** 12.1XA is obsolete. Customers should upgrade to 12.1(2)T when it becomes available. This is not a misprint. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Obtaining Fixed Software Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers with service contracts may upgrade to any software release. Customers without contracts may upgrade only within a single row of the table above, except that any available fixed software release will be provided to any customer who can use it and for whom the standard fixed software release is not yet available. Customers may install only the feature sets they have purchased. Note that not all fixed software may be available as of the release date of this notice. Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/. 
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC) as follows:

  * +1 800 553 2447 (toll-free call within North America)
  * +1 408 526 7209 (toll call from elsewhere in the world)
  * E-mail: tac at cisco.com

Additional contact information for the TAC is on-line at
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml, including
instructions and e-mail addresses for use by non-English speakers. Give
the URL of this notice as evidence of your entitlement to a free upgrade.
Free upgrades for non-contract customers must be requested through the
TAC.

Please do not contact either "psirt at cisco.com" or "security-alert at
cisco.com" for software upgrades. You will obtain faster results by
contacting the TAC directly.

------------------------------------------------------------------------
Workarounds

In lieu of an upgrade, the threat may be eliminated or reduced by any of
the following measures:

  * Completely disable the HTTP server using the command

        no ip http server

    while in global configuration mode.

    Or

  * If the HTTP server must remain enabled while unrepaired, network
    access to it can be controlled by applying a standard access list to
    the HTTP service itself. For example, if the router's HTTP service
    should be reachable only from a browser running on a computer at IP
    address 10.1.2.3, then use the following commands in global
    configuration mode to create a standard access list and apply it to
    the HTTP server:

        access-list 1 permit 10.1.2.3
        ip http access-class 1

    If access list 1 is already in use, then choose another number in the
    range 0-99. The implicit deny rule added to the end of every access
    list will prevent access from any other IP addresses.

    Or

  * Prevent network access to a vulnerable HTTP server by blocking
    traffic in the network path to the server's port with an extended
    access list. Such a list would be applied on an interface of the
    vulnerable router itself or on another Cisco router in the path of a
    potential attack, e.g., applied inbound on the outside interface of
    an edge router. The port number used in the extended access list
    statement must be the default port used by the HTTP server, port 80,
    or equal to whatever value it may have been set to via the ip http
    port command. Please use this particular workaround with great care;
    it cannot be recommended confidently without knowledge of specific
    customer network configurations.

Be sure to save the resulting configuration in memory so that protection
of the server is not inadvertently removed after a reload.

------------------------------------------------------------------------
Exploitation and Public Announcements

This vulnerability was announced on the BUGTRAQ mailing list on
2000-04-27 with sufficient information that anyone could exercise the
flaw. The Cisco PSIRT responded the same day and acknowledged the
vulnerability in e-mail to the BUGTRAQ list with preliminary information
regarding estimates of affected platforms and releases as well as a
workaround to mitigate the threat. Following the response to BUGTRAQ, the
Cisco PSIRT sent a preliminary warning with similar content to
cust-security-announce at cisco.com and several internal Cisco mailing
lists.

This vulnerability has been discussed in detail on full-disclosure
mailing lists and web sites, and requires no special equipment to be
exploited.

The Cisco PSIRT has received no reports of malicious exploitation of this
vulnerability.

------------------------------------------------------------------------
Status of This Notice: INTERIM

This is an interim notice. Cisco expects the contents of this report will
change. The reader is warned that this notice may contain inaccurate or
incomplete information.
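The three workarounds above all depend on what the configuration says about the HTTP server: whether ip http server is enabled, which standard access list (if any) ip http access-class applies to it, and which port ip http port has set, since an upstream extended access list has to block that port rather than assume 80. The Python script below is an added example and is not part of Cisco's notice: it parses those lines out of constructed sample configurations, reports the exposure, and prints the standard-access-list workaround for a single management host. The hostnames, the addresses and the 8080 port in the samples are invented for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample configurations (not from the advisory or any real
# device): the exposed state, the state after the advisory's standard
# access-list workaround, and the fully disabled state. Hostnames,
# addresses and the non-default port are invented for illustration.
EXPOSED_CONFIG = """\
hostname edge-rtr
ip http server
ip http port 8080
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
"""

RESTRICTED_CONFIG = """\
hostname edge-rtr
access-list 1 permit 10.1.2.3
ip http server
ip http access-class 1
"""

DISABLED_CONFIG = """\
hostname edge-rtr
no ip http server
"""


@dataclass
class HttpServerState:
    enabled: Optional[bool]             # None: the config does not say either way
    port: int = 80                      # default; overridden by 'ip http port N'
    access_class: Optional[int] = None  # list number from 'ip http access-class N'
    acls: Dict[int, List[str]] = field(default_factory=dict)  # number -> permitted sources


def parse_http_server(config: str) -> HttpServerState:
    """Collect the config lines that decide who can reach the IOS HTTP server."""
    state = HttpServerState(enabled=None)
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state.enabled = True
        elif line == "no ip http server":
            state.enabled = False
        elif m := re.fullmatch(r"ip http port (\d+)", line):
            state.port = int(m.group(1))
        elif m := re.fullmatch(r"ip http access-class (\d+)", line):
            state.access_class = int(m.group(1))
        elif m := re.fullmatch(r"access-list (\d+) (permit|deny) (.+)", line):
            number = int(m.group(1))
            state.acls.setdefault(number, [])
            if m.group(2) == "permit":
                state.acls[number].append(m.group(3))
    return state


def assess(config: str) -> str:
    """Classify the exposure of the HTTP server as described in the config."""
    s = parse_http_server(config)
    if s.enabled is False:
        return "not exposed: HTTP server disabled"
    if s.enabled is None:
        # The default depends on release and platform, so a saved config that
        # is silent proves nothing; the device itself has to be checked.
        return "unknown: config does not set 'ip http server'; check the device itself"
    if s.access_class is None:
        return f"exposed: HTTP server on port {s.port} with no access-class"
    permits = s.acls.get(s.access_class)
    if not permits:
        return (f"check: access-class {s.access_class} is applied but the config "
                f"has no permit entries for that list")
    return f"restricted: HTTP on port {s.port} reachable only from {', '.join(permits)}"


def workaround_lines(config: str, mgmt_host: str) -> List[str]:
    """Emit the advisory's standard-ACL workaround for one management host.

    Reuses the list already applied with 'ip http access-class' when there is
    one; otherwise picks the lowest standard ACL number (1-99) not yet used.
    """
    s = parse_http_server(config)
    number = s.access_class or next(n for n in range(1, 100) if n not in s.acls)
    return [f"access-list {number} permit {mgmt_host}",
            f"ip http access-class {number}"]


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG),
                      ("disabled", DISABLED_CONFIG)):
        print(f"{name:10s} {assess(cfg)}")
    print("\n".join(workaround_lines(EXPOSED_CONFIG, "10.1.2.3")))
```

Run it against the startup configuration as well as the running configuration: the notice's closing point about saving the configuration is exactly the case where the two disagree and the protection silently disappears at the next reload. The port the parser reports is also the value an extended access list further upstream must match when the third workaround is used instead of the access-class.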
Although Cisco cannot guarantee the accuracy of all statements in this
notice, all of the facts have been checked to the best of our ability.
Cisco anticipates issuing monthly updates of this notice until it reaches
final status.

------------------------------------------------------------------------
Distribution

This notice will be posted at
http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml. In addition
to this HTML version on Cisco's Worldwide Web site, a text version of
this notice will be clear-signed with the Cisco PSIRT PGP key and posted
to the following e-mail addresses and Usenet newsgroups:

  * cust-security-announce at cisco.com
  * bugtraq at securityfocus.com
  * firewalls at lists.gnac.net
  * first-teams at first.org (which includes the CERT/CC)
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * comp.dcom.sys.cisco
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, and may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the URL given above for any updates.

------------------------------------------------------------------------
Revision History

------------+-----------+-----------------------------------------------
Revision 1.0| 2000-05-14| Initial public release.
------------+-----------+-----------------------------------------------

------------------------------------------------------------------------
Cisco Product Security Incident Assistance Process

The web page at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
describes how to report security vulnerabilities in Cisco products,
obtain assistance with security incidents, and register to receive
product security information from Cisco Systems, Inc., including
instructions for press inquiries regarding Cisco Security Advisories and
notices.
This advisory is Cisco's official public statement regarding this
vulnerability.

------------------------------------------------------------------------
This notice is copyright 2000 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all date and version information.
------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQEVAwUBOR+pUWiN3BRdFxkbAQHZYwgAmjz3K8SalTY1UvzvERQMgjfi/QSUwF7A
cGzFFyvL4ZRnT2SwHqowVqYukhutmg5dcfYibFK4yUROvj5Rg/qxv4xJruTjAoqR
wZXiQjZh8wX0/Dxt8hnyA8ZNbMsy3S+OHI5inJYULv5wK/mXhgp1idE6AP9ayBCM
EvwAVTNz60a74qMEsFIjoVMCTxkLjB8yNydrr8EkP3bWWS9k0eVMmOtJcMSTVrlk
ZNgpst4jLg4uvt+oJF2IEXgytJt9IELJ/a4S2N3GsglcojgueCeKSopU8goFhtg0
enLUjf6My35ytOHGKWG/D/UwVFTrzkXKhQv40K3fOS1zL1s2TiVGRg==
=wUl3
-----END PGP SIGNATURE-----

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.2

mQENAzhQ8qUCYQEIALshjezuQIzQT3zZrKrQit2HTNarH8iba6HLdN2niIDGW9LN
ShhH0kPdD57EeOAkO2ccNvgY4HvJESgykBS6z86HULeiSVMv89TfQsKOv34cczYm
BeYtcfbgkm4MM/37UjFxUGAIoOxVX/bzya/tegiYPAaTsOcaonxqaOds/kLIR32S
/+3vcV6tu9QiiLwdKAGSN+KkrREP3qTFzKxmus1DKFz5o03yDMtYGplRQ62iae21
I8NbQtVXvARN5bdG5+4KaqI9hsT/tz8dh8OgapdaD6ht0qkY8J2DGIa1xnai4Vbe
hoz7Vozf65LErlbRWBVAn6XBD3qtaI3cFF0XGRsABRG0R0Npc2NvIFN5c3RlbXMg
UHJvZHVjdCBTZWN1cml0eSBJbmNpZGVudCBSZXNwb25zZSBUZWFtIDxwc2lydEBj
aXNjby5jb20+iQEVAwUQOFDypWiN3BRdFxkbAQEVgAf/Qins/ms1PNhD4ucJyGCY
V60wz6hQX5FXCKxewSxPOMOxkbQeiNxqENYldTwH6RZ2eVXYJX0PKZjhUmpQCwg7
aYQUv8GeROxQYlJx/j2FKmQcjIWLHQZImb7FxTFt0rgcCJI+ChGu8U3IqOmyeBmE
44qXxU/IGhJaXj8jIkSUxeKFQtI9JSxsfNiqX8itjeJlYTF8Y1MnTiuhikM3y7JM
sQFzrKSzhzfPcc3RqDAtbwYtvmb+6/9IGkHks2hox5ltJZ5v2c4lbReEpmLweDSf
enojuPPoPug8zRS/xa1uHzSZ3XKQwLWfjwZwGMzTTHOAiMWo6wlbhNnR4LlN/upv
uIkARgQQEQIABgUCOFDzRAAKCRBwkpqcbcMYIVfZAJ4z5xm+IJuj+byK+gNsNY7X
FK4THgCfS0n95c/Gxvu9tOvRFH+uwQh2dgGJAHUDBRA4UPNs3nAfbKMmz4kBAejY
AvoD771l0JZWwf5XmoCWLL0ChzbdFJqTsnd2zG4jGr1J91dkES4YDir4itqyWVRA
VFzalYCYouNPhOJZKLXUphQnAQ7x74cDznEw+MYT9eavbYcSeKkBZNEdjE3vf67x
4fSJAJUDBRA4UP5XwAV6rQ+eJbkBAX2CA/9GPlvk9EWTS54M6uTJCtC/6Bcx7phz
InAUYEX7gjlBmNF7MdIy1UdUsNL2rTdR26peB6VwzT6uXRG+RbhpGVvfHdEmJ2ec
brKaUmFisrVWB7Ho9NOo72xTru7GeJxGHb0xRcsDMCIYfyOCMvbr6lxMMAcD9zx3
nMx4VDJ7RfSStrRQQ2lzY28gU3lzdGVtcyBQcm9kdWN0IFNlY3VyaXR5IEluY2lk
ZW50IFJlc3BvbnNlIFRlYW0gPHNlY3VyaXR5LWFsZXJ0QGNpc2NvLmNvbT6JARUD
BRA4UPL6aI3cFF0XGRsBAdYKCACIhd2yDPXITE2pQzukNo+jxrMeSnqvl4DUoP6f
Ai64KLGYAqo+ZWuyFd1JLT5CtsaWuLXEBvt/9SevI/qbN18c9eSBko3wNcO49C+T
s0uttahHplxMgArqTK8y1u35C7QUz0T9xRLPaKvXYARw3/wFdaPQYehrVWBThbxk
KxJuamT3OT5uB7NgtkHK1nHpxuATj39EnvZSUTWe45ZBVulduGMG7grYRCQJ1jrG
2Ei0FO/adFKZU6DxSygwjWCM9Fdh/dncs00G7tXW8fpfIRmdsVZuYIQ7HPkoiUJF
87Hw+mdkZHiTAhPMuNO9AamZsIF65QcD4vera/zOXwU+MUcaiQBGBBARAgAGBQI4
UPNYAAoJEHCSmpxtwxghi9gAn12vk1AazXrc9GVCdXC5oFpi1TmlAJ9BsHkWwGUr
mLSAE3OE70LjxHHhDokAdQMFEDhQ84DecB9soybPiQEB2NoC/jSF5glFC5jfYjAp
VMiZHgGZDA49lcf/VZDz7ZeJAkOtZZHzlycVAlCukLl0sXfIhgygmWj6WQPPIF2z
COEjVgR625CRbYhrqC0H9ieWYJ3fu7GILoEb200GbSgUZifvq4kAlQMFEDhQ/mvA
BXqtD54luQEBWzAD/31F6aic5ZV/u6HY/ChORildURolK8LfNTwwsmwN32ZcJOUb
gSsU5cafE5XGaWvgVrPVKwAH9DFcviElBK+n7fhw+SRS5x+Ar8tZMKEgP5I9yIZX
DHwNZmFdpmk95xoK4TvCd3iyj23HcaoAGroRtuVrv5UtBG9P+FDMxScgO/cR
=sJ3p
-----END PGP PUBLIC KEY BLOCK-----

From mcgrath at fas.harvard.edu Mon Nov 30 13:47:29 2009
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Mon, 30 Nov 2009 13:47:29 -0500
Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
In-Reply-To:
References: <006b01ca7059$814ce160$83e6a420$@net>
Message-ID: <4B141341.3070903@fas.harvard.edu>

Since there is WPA-PSK and WPA2, often known as Enterprise,

The real difference is that WPA-PSK uses a fixed 'pre-shared' key to
encrypt the link between the AP and the supplicant; Enterprise assumes
that a RADIUS server is available to authenticate the session and set the
key for the session.
What has not been discussed is what protocol is being used for these;
PEAP and/or EAP-TTLS are valid choices.

The encryption scheme is 'better' on Enterprise as the key is not known
before session instantiation. But WPA-PSK (aka Personal) and WPA2 both
use the same cipher set to protect the session, so the link is as secure;
but if the key is disclosed to unauthorized users the wireless network
effectively has no security, whereas WPA2 uses a user database, and if
the user's credentials are disclosed the endpoint can be deauthenticated
and the user's credentials changed, whereas WPA-PSK requires
reconfiguration of the AP(s) and supplicant reconfiguration.

Hope this helps

- Scott

Tony Varriale wrote:
> What type of "enterprise" are you interested in? What's your user database?
>
> tv
> ----- Original Message -----
> From: "Howard Leadmon"
> To: "'cisco-nsp'"
> Sent: Saturday, November 28, 2009 12:35 PM
> Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
>
>> I have a question hopefully someone can give me a pointer or shed some
>> light on..
>>
>> I have both an Aironet 1242AG and now a 1252AG access point, which are
>> working fine. I have WPA2-Personal with a shared key setup and running
>> great as well. As it was my impression that Vista and Win7 both
>> supported Enterprise authentication, which I figured would be better
>> and more secure than using the personal shared key stuff.
>>
>> I have tried, and googled, and I for the life of me just can't seem to
>> get Enterprise auth going.. Does anyone have any docs on getting the
>> Aironet and Windows to play together, configs, or links to info that
>> will help? Just FYI, I am trying to use the radius server built into
>> the AP, as I figured that would be simple enough, hopefully doing that
>> is ok..
>>
>> ---
>>
>> Howard Leadmon
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>

From gsgranados at comcast.net Mon Nov 30 14:16:53 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 30 Nov 2009 11:16:53 -0800
Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
References: <006b01ca7059$814ce160$83e6a420$@net> <4B141341.3070903@fas.harvard.edu>
Message-ID: <012a01ca71f1$b21ea410$2608120a@am.thmulti.com>

Not to be confused with WPA2-PSK, which is like WPA-PSK but uses AES
instead of TKIP cryptography.

----- Original Message -----
From: "Scott McGrath"
To: "'cisco-nsp'"
Sent: Monday, November 30, 2009 10:47 AM
Subject: Re: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..

> Since there is WPA-PSK and WPA2 often known as Enterprise,
>
> The real difference is that WPA-PSK uses a fixed 'pre-shared' key to
> encrypt the link between the AP and the supplicant, Enterprise assumes
> that a RADIUS server is available to authenticate the session and set the
> key for the session.
> What has not been discussed is what protocol is
> being used for these PEAP and/or EAP-TTLS are valid choices,
>
> The encryption scheme is 'better' on enterprise as the key is not known
> before session instantiation, But WPA-PSK (aka Personal) and WPA2 both
> use the same cipher set to protect the session so the link is as secure
> but if the key is disclosed to unauthorized users the wireless network
> effectively has no security whereas WPA2 uses a user database and if the
> user's credentials are disclosed the endpoint can be deauthenticated and
> the users credentials changed. Whereas WPA-PSK requires reconfiguration
> of the AP(s) and supplicant reconfiguration,
>
> Hope this helps
>
> - Scott
>
> Tony Varriale wrote:
>> What type of "enterprise" are you interested in? What's your user
>> database?
>>
>> tv
>> ----- Original Message -----
>> From: "Howard Leadmon"
>> To: "'cisco-nsp'"
>> Sent: Saturday, November 28, 2009 12:35 PM
>> Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
>>
>>> I have a question hopefully someone can give me a pointer or shed some
>>> light on..
>>>
>>> I have both an Aironet 1242AG and now a 1252AG access point, which are
>>> working fine. I have WPA2-Personal with a shared key setup and running
>>> great as well. As it was my impression that Vista and Win7 both
>>> supported Enterprise authentication, which I figured would be better
>>> and more secure than using the personal shared key stuff.
>>>
>>> I have tried, and googled, and I for the life of me just can't seem to
>>> get Enterprise auth going.. Does anyone have any docs on getting the
>>> Aironet and Windows to play together, configs, or links to info that
>>> will help? Just FYI, I am trying to use the radius server built into
>>> the AP, as I figured that would be simple enough, hopefully doing that
>>> is ok..
>>>
>>> ---
>>>
>>> Howard Leadmon
>>>
>>
>

From lukasz at bromirski.net Mon Nov 30 14:18:13 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Mon, 30 Nov 2009 20:18:13 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To:
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <4B13F1E8.1020509@kl.net>
Message-ID: <4B141A75.4060104@bromirski.net>

On 2009-11-30 18:01, Dobbins, Roland wrote:
> Best to ask these questions of your Cisco account team.

Exactly :)

--
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From mcgrath at fas.harvard.edu Mon Nov 30 14:29:43 2009
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Mon, 30 Nov 2009 14:29:43 -0500
Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
In-Reply-To: <012a01ca71f1$b21ea410$2608120a@am.thmulti.com>
References: <006b01ca7059$814ce160$83e6a420$@net> <4B141341.3070903@fas.harvard.edu> <012a01ca71f1$b21ea410$2608120a@am.thmulti.com>
Message-ID: <4B141D27.8040202@fas.harvard.edu>

That's what I LIKE about standards - SO MANY incompatible ones to choose
from...
- Scott

Scott Granados wrote:
> Not to be confused with WPA2-psk which is like WPA psk but uses aes instead
> of TKIP cryptography.
>
> ----- Original Message -----
> From: "Scott McGrath"
> To: "'cisco-nsp'"
> Sent: Monday, November 30, 2009 10:47 AM
> Subject: Re: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
>
>> Since there is WPA-PSK and WPA2 often known as Enterprise,
>>
>> The real difference is that WPA-PSK uses a fixed 'pre-shared' key to
>> encrypt the link between the AP and the supplicant, Enterprise assumes
>> that a RADIUS server is available to authenticate the session and set the
>> key for the session. What has not been discussed is what protocol is
>> being used for these PEAP and/or EAP-TTLS are valid choices,
>>
>> The encryption scheme is 'better' on enterprise as the key is not known
>> before session instantiation, But WPA-PSK (aka Personal) and WPA2 both
>> use the same cipher set to protect the session so the link is as secure
>> but if the key is disclosed to unauthorized users the wireless network
>> effectively has no security whereas WPA2 uses a user database and if the
>> user's credentials are disclosed the endpoint can be deauthenticated and
>> the users credentials changed. Whereas WPA-PSK requires reconfiguration
>> of the AP(s) and supplicant reconfiguration,
>>
>> Hope this helps
>>
>> - Scott
>>
>> Tony Varriale wrote:
>>
>>> What type of "enterprise" are you interested in? What's your user
>>> database?
>>>
>>> tv
>>> ----- Original Message -----
>>> From: "Howard Leadmon"
>>> To: "'cisco-nsp'"
>>> Sent: Saturday, November 28, 2009 12:35 PM
>>> Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
>>>
>>>> I have a question hopefully someone can give me a pointer or shed some
>>>> light on..
>>>>
>>>> I have both an Aironet 1242AG and now a 1252AG access point, which are
>>>> working fine. I have WPA2-Personal with a shared key setup and running
>>>> great as well.
>>>> As it was my impression that Vista and Win7 both
>>>> supported Enterprise authentication, which I figured would be better
>>>> and more secure than using the personal shared key stuff.
>>>>
>>>> I have tried, and googled, and I for the life of me just can't seem to
>>>> get Enterprise auth going.. Does anyone have any docs on getting the
>>>> Aironet and Windows to play together, configs, or links to info that
>>>> will help? Just FYI, I am trying to use the radius server built into
>>>> the AP, as I figured that would be simple enough, hopefully doing that
>>>> is ok..
>>>>
>>>> ---
>>>>
>>>> Howard Leadmon
>>>>
>>>
>>
>

From lists at hojmark.org Mon Nov 30 15:12:34 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Mon, 30 Nov 2009 21:12:34 +0100
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <4B141A75.4060104@bromirski.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <4B13F1E8.1020509@kl.net> <4B141A75.4060104@bromirski.net>
Message-ID: <7p98h5pmu4h83l0s163upspf39024lj3gd@hojmark.net>

On Mon, 30 Nov 2009 20:18:13 +0100, you wrote:

> > Best to ask these questions of your Cisco account team.
>
> Exactly :)

They say: "We don't know. We can't get a definite answer from the BU".

-A

From kloch at kl.net Mon Nov 30 15:25:04 2009
From: kloch at kl.net (Kevin Loch)
Date: Mon, 30 Nov 2009 15:25:04 -0500
Subject: [c-nsp] ASR1004 vs 7606(RSP720-CXL)
In-Reply-To: <7p98h5pmu4h83l0s163upspf39024lj3gd@hojmark.net>
References: <200911240858.32505.mtinka@globaltransit.net> <20091125074223.GQ163@greenie.muc.de> <4B0D899D.2040900@bromirski.net> <4B13F1E8.1020509@kl.net> <4B141A75.4060104@bromirski.net> <7p98h5pmu4h83l0s163upspf39024lj3gd@hojmark.net>
Message-ID: <4B142A20.5060901@kl.net>

Asbjorn Hojmark - Lists wrote:
> On Mon, 30 Nov 2009 20:18:13 +0100, you wrote:
>
>>> Best to ask these questions of your Cisco account team.
>> Exactly :)
>
> They say: "We don't know. We can't get a definite answer from the BU".
>

Hopefully they won't screw everyone (again) who forklifted their 6500s
to 7600s to support the RSP720...

- Kevin

From jmayer at loplof.de Mon Nov 30 15:29:40 2009
From: jmayer at loplof.de (Joerg Mayer)
Date: Mon, 30 Nov 2009 21:29:40 +0100
Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
In-Reply-To: <012a01ca71f1$b21ea410$2608120a@am.thmulti.com>
References: <4B141341.3070903@fas.harvard.edu> <012a01ca71f1$b21ea410$2608120a@am.thmulti.com>
Message-ID: <20091130202940.GK21085@thot.informatik.uni-kl.de>

On Mon, Nov 30, 2009 at 11:16:53AM -0800, Scott Granados wrote:
> Not to be confused with WPA2-psk which is like WPA psk but uses aes
> instead of TKIP cryptography.
Let me clear up a few terms. There are a few pairs:

The (wireless) protocol to negotiate the (per packet) authentication and
encryption mechanisms and how to derive keys:
  WPA  (aka mostly 802.11i draft 3 with non-IEEE information elements)
  WPA2 (aka mostly 802.11i)

How to derive the PMK (pairwise master key):
  PSK        (the PMK is directly derived from the preshared key or
              passphrase)
  Enterprise (use 802.1X/Radius to derive the PMK)

Encryption and authentication:
  TKIP (how to derive the per packet keys, use RC4 for encryption and
        Michael MIC for authentication)
  AES  (different per packet key mechanism, use AES in various forms for
        both encryption and authentication).

With WPA, TKIP is mandatory and AES is optional.
With WPA2, AES is mandatory and TKIP is optional.

Ciao
     Joerg
--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.

From peter at whole-uk.com Mon Nov 30 15:11:35 2009
From: peter at whole-uk.com (Pete Barnwell)
Date: Mon, 30 Nov 2009 20:11:35 +0000
Subject: [c-nsp] 2821 spurious reload
Message-ID: <4B1426F7.5050604@whole-uk.com>

I've had a 2821 reload unexpectedly - sh ver shows a bus error as below

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 19:47 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

uptime is 1 hour, 7 minutes
System returned to ROM by bus error at PC 0x4224F26C, address 0x1E at 18:56:16 GMT Mon Nov 30 2009
System restarted at 18:43:38 GMT Mon Nov 30 2009

#sh region address 0x4224F26C
Address 0x4224F26C is located physically in :

  Name  : text
  Class : IText
  Media : R/O
  Start : 0x4000F000
  End   : 0x43F7FFFF
  Size  : 0x03F71000

This suggests to me hardware rather than software from Googling?
The router's got its original 256Mb and an additional 512Mb stick in it -
is it possible to tell if this is a memory error from this, and if so
which stick might be the problem?

I have no Smartnet on this, so can't ask TAC :(

Thanks

Pete

From cluestore at gmail.com Mon Nov 30 16:28:35 2009
From: cluestore at gmail.com (Clue Store)
Date: Mon, 30 Nov 2009 15:28:35 -0600
Subject: [c-nsp] QoS on LNS virtual-template
Message-ID: <580af3b90911301328r3a882153t6dc43a7aac3dd145@mail.gmail.com>

Hi All,

I went through the archives and couldn't find specifically what I was
looking for and of course, most of the Cisco links are broken now, but I
noticed that QoS is applied to my virtual-template interface in my config,
but when I do a "show policy-map interface virtual-access xx", I get
nothing, as if the policy wasn't inherited. When I look at my policy-maps,
I also noticed that I do not have parent/child policies configured (which
I am to understand how you have to configure QoS like this on this type of
interface). Here's an example of what I have on our LNS boxes....

First question, do I need a child/parent policy to attach the
service-policy to the virtual-template?

Second question, do I need to have the "qos pre-classify" command on the
virtual-template??

Third question, does anyone see anything wrong with the way this is
configured??
class-map match-all VOIP
 match access-group name VoicePorts
 match ip rtp 16384 16383
 match ip dscp ef

policy-map DSL
 class VOIP
  priority percent 75
 class class-default
  fair-queue
  random-detect

interface Virtual-Template2
 mtu 1460
 ip unnumbered Loopback2
 service-policy output DSL
 ip route-cache flow
 ip tcp adjust-mss 1420
 ip policy route-map clear-df
 qos pre-classify
 peer default ip address dhcp
 ppp authentication pap
 ppp ipcp mask 255.255.255.0
 ppp ipcp address accept

ip access-list extended VoicePorts
 permit udp host x.x.x.x range 22026 62025 any
 permit udp host x.x.x.x range 22026 62025 any

TIA,
Clue

From cluestore at gmail.com Mon Nov 30 16:42:14 2009
From: cluestore at gmail.com (Clue Store)
Date: Mon, 30 Nov 2009 15:42:14 -0600
Subject: [c-nsp] QoS on LNS virtual-template
In-Reply-To: <4B143AFC.5020304@reub.net>
References: <580af3b90911301328r3a882153t6dc43a7aac3dd145@mail.gmail.com> <4B143AFC.5020304@reub.net>
Message-ID: <580af3b90911301342h722cd986ta0b64c4f8c76bd5c@mail.gmail.com>

Sorry, should have included the importants as well. I'm running a little
older code, 12.3 mainline on NPE-G1. Gonna check to see if this is a bug
or not a feature, which I also read in another thread.

Clue

On Mon, Nov 30, 2009 at 3:37 PM, Reuben Farrelly wrote:

> Hi,
>
> What version of code are you running?
>
> I have found 12.4 mainline worked ok, but somewhere along the 12.4T series
> and including 15.0(M) I cannot apply any QoS policies to Virtual-Access
> interfaces - policies just don't apply. I have a TAC case open for this
> now...
>
> Reuben
>
> Clue Store wrote:
>
>> Hi All,
>>
>> I went through the archives and couldn't find specifically what I was
>> looking for and of course, most of the Cisco links are broken now, but I
>> noticed that QoS is applied to my virtual-template interface in my config,
>> but when I do a "show policy-map interface virtual-access xx", I get
>> nothing as if the policy wasn't inherited.
>> When I look at my policy-maps, I also noticed that I do not have parent/child policies configured (which I am to understand how you have to configure QoS like this on this type of interface). Here's an example of what I have on our LNS boxes....
>>
>> First question, do I need a child/parent policy to attach the service-policy to the virtual-template?
>>
>> Second question, do I need to have the "qos pre-classify" command on the virtual-template??
>>
>> Third question, does anyone see anything wrong with the way this is configured??
>>
>> class-map match-all VOIP
>>  match access-group name VoicePorts
>>  match ip rtp 16384 16383
>>  match ip dscp ef
>>
>> policy-map DSL
>>  class VOIP
>>   priority percent 75
>>  class class-default
>>   fair-queue
>>   random-detect
>>
>> interface Virtual-Template2
>>  mtu 1460
>>  ip unnumbered Loopback2
>>  service-policy output DSL
>>  ip route-cache flow
>>  ip tcp adjust-mss 1420
>>  ip policy route-map clear-df
>>  qos pre-classify
>>  peer default ip address dhcp
>>  ppp authentication pap
>>  ppp ipcp mask 255.255.255.0
>>  ppp ipcp address accept
>>
>> ip access-list extended VoicePorts
>>  permit udp host x.x.x.x range 22026 62025 any
>>  permit udp host x.x.x.x range 22026 62025 any
>>
>> TIA,
>> Clue
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>

From reuben-cisco-nsp at reub.net Mon Nov 30 16:37:00 2009
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Tue, 01 Dec 2009 08:37:00 +1100
Subject: [c-nsp] QoS on LNS virtual-template
In-Reply-To: <580af3b90911301328r3a882153t6dc43a7aac3dd145@mail.gmail.com>
References: <580af3b90911301328r3a882153t6dc43a7aac3dd145@mail.gmail.com>
Message-ID: <4B143AFC.5020304@reub.net>

Hi,

What version of code are you running?
I have found 12.4 mainline worked ok, but somewhere along the 12.4T series and including 15.0(M) I cannot apply any QoS policies to Virtual-Access interfaces - policies just don't apply. I have a TAC case open for this now...

Reuben

Clue Store wrote:
> Hi All,
>
> I went through the archives and couldn't find specifically what I was looking for and of course, most of the Cisco links are broken now, but I noticed that QoS is applied to my virtual-template interface in my config, but when I do a "show policy-map interface virtual-access xx", I get nothing as if the policy wasn't inherited. When I look at my policy-maps, I also noticed that I do not have parent/child policies configured (which I am to understand how you have to configure QoS like this on this type of interface). Here's an example of what I have on our LNS boxes....
>
> First question, do I need a child/parent policy to attach the service-policy to the virtual-template?
>
> Second question, do I need to have the "qos pre-classify" command on the virtual-template??
>
> Third question, does anyone see anything wrong with the way this is configured??
>
> class-map match-all VOIP
>  match access-group name VoicePorts
>  match ip rtp 16384 16383
>  match ip dscp ef
>
> policy-map DSL
>  class VOIP
>   priority percent 75
>  class class-default
>   fair-queue
>   random-detect
>
> interface Virtual-Template2
>  mtu 1460
>  ip unnumbered Loopback2
>  service-policy output DSL
>  ip route-cache flow
>  ip tcp adjust-mss 1420
>  ip policy route-map clear-df
>  qos pre-classify
>  peer default ip address dhcp
>  ppp authentication pap
>  ppp ipcp mask 255.255.255.0
>  ppp ipcp address accept
>
> ip access-list extended VoicePorts
>  permit udp host x.x.x.x range 22026 62025 any
>  permit udp host x.x.x.x range 22026 62025 any
>
> TIA,
> Clue
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From cluestore at gmail.com Mon Nov 30 18:01:31 2009
From: cluestore at gmail.com (Clue Store)
Date: Mon, 30 Nov 2009 17:01:31 -0600
Subject: [c-nsp] QoS on LNS virtual-template
In-Reply-To: <580af3b90911301342h722cd986ta0b64c4f8c76bd5c@mail.gmail.com>
References: <580af3b90911301328r3a882153t6dc43a7aac3dd145@mail.gmail.com> <4B143AFC.5020304@reub.net> <580af3b90911301342h722cd986ta0b64c4f8c76bd5c@mail.gmail.com>
Message-ID: <580af3b90911301501s5b3c5663ibd2d964b1590bf5a@mail.gmail.com>

Some more info, I'm looking at the Feature Navigator and see that "QoS: Classification, Policing, and Marking on LAC" is available on the same feature set that I would like to move to. Does anyone know if this also means "QoS: Classification, Policing, and Marking on LNS" as well?? Anyone from Cisco care to chime in????

I'm gonna lab up some gear later and test this feature set and see if the policy actually works on the virtual template.

Clue

On Mon, Nov 30, 2009 at 3:42 PM, Clue Store wrote:

> Sorry, should have included the importants as well.
>
> I'm running a little older code 12.3 mainline on NPE-G1. Gonna check to see if this is a bug or not a feature, which I also read in another thread.
>
> Clue
>
> On Mon, Nov 30, 2009 at 3:37 PM, Reuben Farrelly <reuben-cisco-nsp at reub.net> wrote:
>
>> Hi,
>>
>> What version of code are you running?
>>
>> I have found 12.4 mainline worked ok, but somewhere along the 12.4T series and including 15.0(M) I cannot apply any QoS policies to Virtual-Access interfaces - policies just don't apply. I have a TAC case open for this now...
>>
>> Reuben
>>
>>
>> Clue Store wrote:
>>
>>> Hi All,
>>>
>>> I went through the archives and couldn't find specifically what I was looking for and of course, most of the Cisco links are broken now, but I noticed that QoS is applied to my virtual-template interface in my config, but when I do a "show policy-map interface virtual-access xx", I get nothing as if the policy wasn't inherited. When I look at my policy-maps, I also noticed that I do not have parent/child policies configured (which I am to understand how you have to configure QoS like this on this type of interface). Here's an example of what I have on our LNS boxes....
>>>
>>> First question, do I need a child/parent policy to attach the service-policy to the virtual-template?
>>>
>>> Second question, do I need to have the "qos pre-classify" command on the virtual-template??
>>>
>>> Third question, does anyone see anything wrong with the way this is configured??
>>>
>>> class-map match-all VOIP
>>>  match access-group name VoicePorts
>>>  match ip rtp 16384 16383
>>>  match ip dscp ef
>>>
>>> policy-map DSL
>>>  class VOIP
>>>   priority percent 75
>>>  class class-default
>>>   fair-queue
>>>   random-detect
>>>
>>> interface Virtual-Template2
>>>  mtu 1460
>>>  ip unnumbered Loopback2
>>>  service-policy output DSL
>>>  ip route-cache flow
>>>  ip tcp adjust-mss 1420
>>>  ip policy route-map clear-df
>>>  qos pre-classify
>>>  peer default ip address dhcp
>>>  ppp authentication pap
>>>  ppp ipcp mask 255.255.255.0
>>>  ppp ipcp address accept
>>>
>>> ip access-list extended VoicePorts
>>>  permit udp host x.x.x.x range 22026 62025 any
>>>  permit udp host x.x.x.x range 22026 62025 any
>>>
>>> TIA,
>>> Clue
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>

From dean at eatworms.org.uk Mon Nov 30 18:46:22 2009
From: dean at eatworms.org.uk (Dean Smith)
Date: Mon, 30 Nov 2009 23:46:22 -0000
Subject: [c-nsp] QoS on LNS virtual-template
In-Reply-To: <580af3b90911301328r3a882153t6dc43a7aac3dd145@mail.gmail.com>
References: <580af3b90911301328r3a882153t6dc43a7aac3dd145@mail.gmail.com>
Message-ID: <006f01ca7217$52cd9720$f868c560$@org.uk>

I do think you'll need the parent/child setup. The problems start with knowing what to set the parent policer to. If all your sessions are fixed B/W then you can hard code it. If you have a mix then you may have more of a challenge. Some providers pass through the downstream B/W from the DSLAM/LAC to the LNS - many don't (check if your VAI have the right bandwidth).

And setting your QoS to the negotiated DSL rate may not of course mean that all the traffic gets through the provider network from your LNS to the DSLAM, so you might prioritise all you like on the LNS...and get wholly arbitrary drops from your provider.
If they offer QoS then you'll need to mirror your QoS marking to the L2TP encapsulated packet with "ip tos reflect" in the VPDN group.

The latest 12.2SB have been better for us for QoS on L2TP VAI, but in general it seems flaky and small code changes can have a big impact on a) whether it works at all and b) how well it works. To be confident....you'll need a lot of testing.

Dean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Clue Store
Sent: 30 November 2009 21:29
To: Cisco-nsp
Subject: [c-nsp] QoS on LNS virtual-template

Hi All,

I went through the archives and couldn't find specifically what I was looking for and of course, most of the Cisco links are broken now, but I noticed that QoS is applied to my virtual-template interface in my config, but when I do a "show policy-map interface virtual-access xx", I get nothing as if the policy wasn't inherited. When I look at my policy-maps, I also noticed that I do not have parent/child policies configured (which I am to understand how you have to configure QoS like this on this type of interface). Here's an example of what I have on our LNS boxes....

First question, do I need a child/parent policy to attach the service-policy to the virtual-template?

Second question, do I need to have the "qos pre-classify" command on the virtual-template??

Third question, does anyone see anything wrong with the way this is configured??
class-map match-all VOIP
 match access-group name VoicePorts
 match ip rtp 16384 16383
 match ip dscp ef

policy-map DSL
 class VOIP
  priority percent 75
 class class-default
  fair-queue
  random-detect

interface Virtual-Template2
 mtu 1460
 ip unnumbered Loopback2
 service-policy output DSL
 ip route-cache flow
 ip tcp adjust-mss 1420
 ip policy route-map clear-df
 qos pre-classify
 peer default ip address dhcp
 ppp authentication pap
 ppp ipcp mask 255.255.255.0
 ppp ipcp address accept

ip access-list extended VoicePorts
 permit udp host x.x.x.x range 22026 62025 any
 permit udp host x.x.x.x range 22026 62025 any

TIA,
Clue
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From eninja at gmail.com Mon Nov 30 20:15:25 2009
From: eninja at gmail.com (Eninja)
Date: Tue, 1 Dec 2009 02:15:25 +0100
Subject: [c-nsp] 2821 spurious reload
In-Reply-To: <4B1426F7.5050604@whole-uk.com>
References: <4B1426F7.5050604@whole-uk.com>
Message-ID:

Pete,

This is a software issue. The address - 0x1E - is invalid.

Eninja

On Nov 30, 2009, at 9:11 PM, Pete Barnwell wrote:

> I've had a 2821 reload unexpectedly -sh ver shows a bus error as below
>
> Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T1, RELEASE SOFTWARE (fc5)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2009 by Cisco Systems, Inc.
> Compiled Thu 26-Feb-09 19:47 by prod_rel_team
>
> ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
>
> uptime is 1 hour, 7 minutes
> System returned to ROM by bus error at PC 0x4224F26C, address 0x1E at 18:56:16 GMT Mon Nov 30 2009
> System restarted at 18:43:38 GMT Mon Nov 30 2009
>
>
> #sh region address 0x4224F26C
> Address 0x4224F26C is located physically in :
>
> Name  : text
> Class : IText
> Media : R/O
> Start : 0x4000F000
> End   : 0x43F7FFFF
> Size  : 0x03F71000
>
> This suggests to me hardware rather than software from Googling?
>
> The router's got its original 256Mb and an additional 512Mb stick in it - is it possible to tell if this is a memory error from this, and if so which stick might be the problem?
>
> I have no Smartnet on this, so can't ask TAC :(
>
> Thanks
>
> Pete
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
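Dean Smith's reply in the QoS-on-LNS thread above suggests a parent/child (hierarchical) policy on the Virtual-Template and mirroring the marking into the L2TP encapsulation with "ip tos reflect". The following is an added example built from the DSL policy Clue posted, not configuration from anyone in the thread; the 2 Mbit/s shape rate, the policy names and the vpdn-group number are assumptions.

```ios
! Child policy: Clue's per-class treatment, unchanged. Under a parent
! shaper, "priority percent 75" is 75% of the parent's shape rate, not of
! the physical interface, so the figure only means something once the
! parent rate is set.
policy-map DSL-CHILD
 class VOIP
  priority percent 75
 class class-default
  fair-queue
  random-detect
!
! Parent policy: the shaper on class-default gives the child queues a
! bottleneck to work against. 2000000 bps (2 Mbit/s) is an assumed fixed
! per-session downstream rate; with mixed session speeds the value has to
! come from the DSLAM/LAC side, as Dean notes, rather than be hard coded.
policy-map DSL-PARENT
 class class-default
  shape average 2000000
  service-policy DSL-CHILD
!
! The parent replaces the flat "service-policy output DSL" on the template;
! the remaining Virtual-Template2 lines from the original post stay as is.
interface Virtual-Template2
 service-policy output DSL-PARENT
!
! Copy the inner IP ToS byte into the outer L2TP/IP header so that a
! provider QoS (if offered) sees the same marking as the LNS queues do.
! vpdn-group 1 and its accept-dialin settings are assumed for the example.
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 2
 ip tos reflect
```

Verify per session with the "show policy-map interface virtual-access xx" from the original post; as Reuben and Dean both note, whether the policy is applied to the Virtual-Access at all still depends on the IOS release.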