From rmikisa at gmail.com Mon Feb 1 02:15:34 2010
From: rmikisa at gmail.com (Mikisa Richard)
Date: Mon, 01 Feb 2010 10:15:34 +0300
Subject: [c-nsp] Policer on c4503
In-Reply-To: <20100131153923.GC1461@geeks.org>
References: <4B629163.3060207@gmail.com> <20100131153923.GC1461@geeks.org>
Message-ID: <4B667F96.1070603@gmail.com>

Hi all,

UPDATE: Turned out the policer was fine. Just a small tweak on the ACL got it to work.
Otherwise grateful for all the help.

Richard

On 1/31/2010 6:39 PM, Doug McIntyre wrote:
> On Fri, Jan 29, 2010 at 10:42:27AM +0300, Mikisa Richard wrote:
>
>> Hi all,
>>
>> Any ideas why the Policer policy below does not work. Intention is for
>> me to lock down traffic to 3Mbps both ways on interface g3/11.
>>
>> !!
>> class-map match-all ROKE-LIMIT
>>  match access-group name ROKE-SLAP
>> !
>> policy-map POLICY-ROKE
>>  class ROKE-LIMIT
>>   police 3000000 bps 30000 byte conform-action transmit exceed-action drop
>> !
>> interface GigabitEthernet3/11
>>  description link to ROKE
>>  no switchport
>>  ip address x.x.x.x
>>  service-policy input POLICY-ROKE
>>  service-policy output POLICY-ROKE
>>
>
> Looks like the correct thing, assuming the access-group traffic is
> being matched.
>
> Do you have 'qos' enabled? It's off by default on the 4500.
>
> Just a simple 'qos' as a config option in this platform.
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From Michael.Robson at manchester.ac.uk Mon Feb 1 11:35:51 2010
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Mon, 1 Feb 2010 16:35:51 +0000
Subject: [c-nsp] IPV6 again
In-Reply-To: <20100129190937.GB20301@lboro.ac.uk>
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk>
Message-ID: <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk>

On 29 Jan 2010, at 17:07, David Prall wrote:
> So XP doesn't support IPv6 DHCP, nor do they support IPv6 DNS. Not sure
> about the macintosh.

and I thought I was being clever pointing fec0:0:0:ffff::1, 2 and 3 to real DNSv6 servers and finding the "add dns" from within netsh only to be thwarted by an XP resolver that doesn't support IPV6 properly.

On 29 Jan 2010, at 19:09, Alan Buxey wrote:
> Hi,
>> OK so looking at/listening to various recommendations, when allocating IPV6 addresses, stateless auto-configuration with DHCPv6 used to dish out the DNS servers and domain looks the most appealing. Since the IOS version we are using on our 6500s doesn't support IPV6 DHCP relaying (12.2(18)SXF13) I tried to set up a test using the 6500 itself to serve the DNS and domain information but I cannot get it to work. When I use the following configuration the clients are configured with appropriate v6 IPs and can get out into the IPV6 Internet, but no DNS or domain information is received. Turning on "debug ipv6 DHCP" yields no entries in the log at all for either an iMac or an XP laptop: am I missing some configuration?
>
>
> DHCPv6 and stateless configuration are pretty much still very messy right now.
> yes, DHCPv6 would be a direct replacement for clients on the v6 landscape but
> not many clients support it....

I'm starting to realise that...
> worse, stateless configuration, whilst in a way elegant, hardly anything gets
> handed over to it....eg DNS or NTP information. theres also no way to hand over
> any encryption or seed things eg for SeND - we've been in chats with people
> about getting some nice extensions into the stateless RFC - it'd be good/useful
> to have these things sorted.

RFC 5006 looks promising, although it does seem to only mention DNS servers.

> ..now...what are those IPv6 youtube addresses, I've got an hour to burn ;-)
>
> alan

wahoo! Ta.

Michael

--

From A.L.M.Buxey at lboro.ac.uk Mon Feb 1 11:59:08 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Mon, 1 Feb 2010 16:59:08 +0000
Subject: [c-nsp] IPV6 again
In-Reply-To: <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk>
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk>
Message-ID: <20100201165908.GB2090@lboro.ac.uk>

Hi,

> and I thought I was being clever pointing fec0:0:0:ffff::1, 2 and 3 to real DNSv6 servers and finding the "add dns" from within netsh only to be thwarted by an XP resolver that doesn't support IPV6 properly.

those addresses...ah yes. when i first saw them in the ipconfig /all i thought several problems were surpassed...but those addresses are from an old and deprecated RFC IIRC and other RFCs now state that they cannot go beyond certain boundaries....so they might not (or should not) be routed now. ideal, i guess, for a basic network...SoHo or small network environment with all systems on a flat network.... but for enterprise. nope. all gone :-(

>> ..now...what are those IPv6 youtube addresses, I've got an hour to burn ;-)
>> alan
> wahoo!

youtube is now IPv6 ready - thanks Lorenzo Colitti (and his buddies!)
but the AAAA's are only given to their happy ipv6 select partners....(unfortunately we are not yet one of those because we cannot guarantee 100% happy google services on IPv6 for all of our network....

alan

From pkranz at unwiredltd.com Mon Feb 1 15:59:55 2010
From: pkranz at unwiredltd.com (Peter Kranz)
Date: Mon, 1 Feb 2010 12:59:55 -0800
Subject: [c-nsp] Layer 2 VLAN advice..
Message-ID: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>

Currently in our network we use dot1Q trunks to forward end-user/customer VLANs from Site A to Site B to provide them virtual point-to-point circuits between data centers without the overhead of some type of VPN tunnel.

However if one of our backhauls between data centers fails, we would desire these VLANs to forward via an alternative backhaul path (All of our data centers have at least 2 exits to other datacenters in our network, and are meshed via OSPF/BGP)

It seems like there are a lot of different approaches to provide some level of self-healing/redundancy to these layer2 services we offer, I am interested in advice on which would be most straightforward to implement on top of our existing layer3 network.

Perhaps implementing Rapid-PVST is the simplest approach, but I'd be interested in some best-practices knowledge here..

Thanks!

Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com

From mtinka at globaltransit.net Mon Feb 1 20:11:15 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 2 Feb 2010 09:11:15 +0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
Message-ID: <201002020911.15846.mtinka@globaltransit.net>

On Tuesday 02 February 2010 04:59:55 am Peter Kranz wrote:

> It seems like there are a lot of different approaches to
> provide some level of self-healing/redundancy to these
> layer2 services we offer, I am interested in advice on
> which would be most straightforward to implement on top
> of our existing layer3 network.
>
> Perhaps implementing Rapid-PVST is the simplest approach,
> but I'd be interested in some best-practices knowledge
> here..

If you can support MPLS, I'd recommend that for a "self-healing" control plane to transport Ethernet frames.

Else, STP (or some flavor of it) or your vendor's incarnate of the same are your other options.

Cheers,

Mark.

From brhedlun at cisco.com Mon Feb 1 23:56:50 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Mon, 1 Feb 2010 22:56:50 -0600
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References:
Message-ID: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>

True, the Nexus 2000 does not locally switch, but let's explore that for a second...

1) a typical enterprise Data Center is running applications that are not latency sensitive, where latencies in the 10s of microseconds are perfectly OK and nobody is really counting anyway. Only in the small minority of Data Centers running high frequency trading, grid computing, or some other ultra low latency application, every *nanosecond* matters and local switching with fewer hops is of paramount importance. Furthermore, these applications are quickly migrating away from 1GE to 10GE attached servers for the obvious low latency advantages.

2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink for 4948. This results in a possible 1:1.2 oversubscription ratio for Nexus 2000 to handle the additional uplink load that may otherwise not be present on a 4948.

3) The upstream Nexus 5000 implements cut-through switching, and the Nexus 2000 itself also uses cut-through for frames entering on 1GE and egressing on 10GE. The two combined often results in port-to-port latencies similar to a Catalyst 6500, even without the "local switching". If you are comfortable with your Catalyst 6500 local switching latencies, you can expect similar performance from a Nexus 2000/5000 combination.

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Jan 31, 2010, at 5:25 PM, David Hughes wrote:
>
> On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:
>
>> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
>> 4948 as access layers switches?
>> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
>> could be used by servers with 10GbE/FCoE servers.
>
> The N2K does no local switching so if you have any east-west traffic between ports on the same switch you'll be better served by a more "traditional" access switch. Naturally the N2K offers centralised management etc etc but that may or may not be of interest depending on the size of your deployment.
>
>
>
> David
> ...

From ghira at mistral.co.uk Tue Feb 2 00:21:09 2010
From: ghira at mistral.co.uk (Adam Atkinson)
Date: Tue, 02 Feb 2010 05:21:09 +0000
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <201002020911.15846.mtinka@globaltransit.net>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <201002020911.15846.mtinka@globaltransit.net>
Message-ID: <4B67B645.5030309@mistral.co.uk>

Mark Tinka wrote:
> If you can support MPLS, I'd recommend that for a "self-
> healing" control plane to transport Ethernet frames.
>
> Else, STP (or some flavor of it) or your vendor's incarnate
> of the same are your other options.

Or EAPS if your kit does it.

From mksmith at adhost.com Tue Feb 2 00:27:58 2010
From: mksmith at adhost.com (Michael K. Smith)
Date: Mon, 01 Feb 2010 21:27:58 -0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
Message-ID:

On 2/1/10 12:59 PM, "Peter Kranz" wrote:
> Currently in our network we use dot1Q trunks to forward end-user/customer
> VLANs from Site A to Site B to provide them virtual point-to-point circuits
> between data centers without the overhead of some type of VPN tunnel.
>
> However if one of our backhauls between data centers fails, we would desire
> these VLANs to forward via an alternative backhaul path (All of our data
> centers have at least 2 exits to other datacenters in our network, and are
> meshed via OSPF/BGP)
>
> It seems like there are a lot of different approaches to provide some level
> of self-healing/redundancy to these layer2 services we offer, I am
> interested in advice on which would be most straightforward to implement on
> top of our existing layer3 network.
>
> Perhaps implementing Rapid-PVST is the simplest approach, but I'd be
> interested in some best-practices knowledge here..
>
> Thanks!

We're using Cisco Resilient Ethernet Protocol (REP) which does the trick. Depending upon your gear, you could also look at 802.17 (RPR) or Spatial Reuse Protocol (SRP) on the routers. I'm sure there are more acronyms as well.

Regards,

Mike

From stmagconsulting at gmail.com Tue Feb 2 00:59:49 2010
From: stmagconsulting at gmail.com (Stephane MAGAND)
Date: Tue, 2 Feb 2010 06:59:49 +0100
Subject: [c-nsp] Limit Debit on a EoMPLS tunnels ?
Message-ID:

Hi

I have a small EoMPLS tunnel:

pseudowire-class EoMPLS
 encapsulation mpls
 interworking ethernet

interface GigabitEthernet0/2.910
 encapsulation dot1Q 910
 no cdp enable
 xconnect 10.206.5.180 910 encapsulation mpls

Anyone know what is the solution to limit this tunnel to 20 Mbits? A policy? ACL?

Running on Cisco 7301 c7301-adventerprisek9_sna-mz.124-24.T.bin

sorry for my english and thanks for your help.

Stephane

From avayner at cisco.com Tue Feb 2 02:58:20 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 2 Feb 2010 08:58:20 +0100
Subject: [c-nsp] Limit Debit on a EoMPLS tunnels ?
In-Reply-To:
References:
Message-ID:

Stephane,

You should be able to add a policy-map on the interface with a policer in the class-default class.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephane MAGAND
Sent: Tuesday, February 02, 2010 08:00
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Limit Debit on a EoMPLS tunnels ?

Hi

I have a small EoMPLS tunnel:

pseudowire-class EoMPLS
 encapsulation mpls
 interworking ethernet

interface GigabitEthernet0/2.910
 encapsulation dot1Q 910
 no cdp enable
 xconnect 10.206.5.180 910 encapsulation mpls

Anyone know what is the solution to limit this tunnel to 20 Mbits? A policy? ACL?

Running on Cisco 7301 c7301-adventerprisek9_sna-mz.124-24.T.bin

sorry for my english and thanks for your help.
Stephane

From p.mayers at imperial.ac.uk Tue Feb 2 04:26:23 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 02 Feb 2010 09:26:23 +0000
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
Message-ID: <4B67EFBF.10500@imperial.ac.uk>

On 02/01/2010 08:59 PM, Peter Kranz wrote:
> Currently in our network we use dot1Q trunks to forward end-user/customer
> VLANs from Site A to Site B to provide them virtual point-to-point circuits
> between data centers without the overhead of some type of VPN tunnel.
>
> However if one of our backhauls between data centers fails, we would desire
> these VLANs to forward via an alternative backhaul path (All of our data
> centers have at least 2 exits to other datacenters in our network, and are
> meshed via OSPF/BGP)

What equipment are you running the network on? EoMPLS occurs as an option, but of course requires enabling MPLS.

From matt at melbourne.org.uk Tue Feb 2 04:32:27 2010
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Tue, 2 Feb 2010 09:32:27 +0000
Subject: [c-nsp] Rate-limiting VMs within the network
Message-ID:

Hi,

I am seeking a mechanism to limit bandwidth utilised by virtual machines on a given host on a per-VM basis within a hosting environment. Ideally, any single VM should not be allowed to exceed an outbound bandwidth utilisation of 100Mbps.

The current solution uses Microsoft Hyper-V and its virtual switch technology. The Hyper-V hosts are connected into Cisco 2960G access switches which are then uplinked to a redundant core of 6509 switches.
I readily recognise an alternative solution to this would be to use VMware/Cisco Nexus 1000V instead to form a virtual distributed switch, but for this particular project we are limited to using the MS Hyper-V solution.

We have no control of bandwidth utilisation within the MS Hyper-V vSwitch (apparently, this functionality may appear at a later date), so the expectation is that any rate-limiting could occur within the network. However, multiple VMs are hosted on the same physical server, and these VMs can move between hosts as resources are optimised, so any classical "per-port" QoS policing is not likely to be straightforward and isn't likely to scale (the principal concerns are the potential number of VMs and their mobility).

To police on a per-IP address basis, I'd expect to have to define many classes (one for each VM) which, for potentially many hundreds (possibly thousands) of VMs, could be a serious scalability issue.

An alternative solution we've been investigating is "Per-User Microflow Policing", or User-Based Rate Limiting (UBRL), where we can police based on source IP address. An acceptable solution would be to limit each IP address within a certain range to use up to 100Mbps of outbound bandwidth. However, it appears that UBRL and NetFlow (which is also running on the core 6509s) are mutually exclusive when there is a flow-mask conflict. Full NetFlow data needs to be retained by the NetFlow collector for billing purposes.

Are there any other mechanisms to achieve per-VM rate-limiting within the network?

Cheers,

Matt

--
Matthew Melbourne

From rdobbins at arbor.net Tue Feb 2 04:59:05 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Tue, 2 Feb 2010 09:59:05 +0000
Subject: [c-nsp] Rate-limiting VMs within the network
In-Reply-To:
References:
Message-ID: <02486679-901A-4C1F-AE8E-D8FB2C8B4154@arbor.net>

On Feb 2, 2010, at 5:32 PM, Matthew Melbourne wrote:

> Full NetFlow data needs to be retained by the NetFlow collector for billing purposes.

Due to the various well-known caveats associated with NetFlow on 6500/7600, it's largely operationally useless, and you certainly can't count on it for billing or anything else of importance.

So, no conflict, after all.

;>

-----------------------------------------------------------------------
Roland Dobbins // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From p.mayers at imperial.ac.uk Tue Feb 2 06:10:58 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 02 Feb 2010 11:10:58 +0000
Subject: [c-nsp] Rate-limiting VMs within the network
In-Reply-To: <02486679-901A-4C1F-AE8E-D8FB2C8B4154@arbor.net>
References: <02486679-901A-4C1F-AE8E-D8FB2C8B4154@arbor.net>
Message-ID: <4B680842.1040207@imperial.ac.uk>

On 02/02/10 09:59, Dobbins, Roland wrote:
>
> On Feb 2, 2010, at 5:32 PM, Matthew Melbourne wrote:
>
>> Full NetFlow data needs to be retained by the NetFlow collector for
>> billing purposes.
>
> Due to the various well-known caveats associated with NetFlow on
> 6500/7600, it's largely operationally useless, and you certainly
> can't count on it for billing or anything else of importance. So, no
> conflict, after all.

Certainly 6500 netflow is limited, and the limitations are unfortunate - but if you happen to live within or can tolerate those limitations, it works as expected.

I hear "6500 netflow is useless" a lot on this list, and from the tone of such posts I can only assume that if people are outside those limits, it makes them very angry indeed ;o)

We use it very successfully, with full mask, because the traffic profile within our network fits within TCAM at all times, and because we can live without egress netflow and sampling, and various other missing features.

Without knowing more about the OPs network I can't tell if his concerns about netflow are relevant to the microflow policing question, but I can say that there's at least a possibility that, if he's using it, his netflow is far from useless.
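Added worked example (not from any post above, and not Cisco code): the `police 3000000 bps 30000 byte conform-action transmit exceed-action drop` statement in the c4503 thread at the top of this digest and the per-source-IP "microflow" policing Matthew asks about are both token buckets, so one Python model covers both. A single-rate, two-colour policer refills a bucket of bytes at CIR/8 per second up to the burst depth; a packet that fits is transmitted, one that does not is dropped. UBRL-style policing is the same bucket keyed by source address and created on first sight, rather than one hand-written class per VM. The packet traces, the 10.0.0.0/24 prefix and the rate and burst values are constructed for illustration.

```python
"""Token-bucket policing: a single-rate two-colour policer (as in
`police <bps> <burst-bytes>`) and a per-source-IP microflow variant.
Added example; traces are constructed, not captured traffic."""
import ipaddress
from collections import Counter


class TokenBucket:
    """Single-rate, two-colour policer: conform while tokens remain, else exceed."""

    def __init__(self, cir_bps: int, bc_bytes: int) -> None:
        self.cir_bps = cir_bps          # committed rate, bits per second
        self.bc_bytes = bc_bytes        # bucket depth, bytes (the "30000 byte" above)
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last_ts = 0.0

    def offer(self, ts: float, size: int) -> str:
        # Tokens accrue at CIR/8 bytes per second, capped at the bucket depth.
        elapsed = max(0.0, ts - self.last_ts)
        self.tokens = min(self.bc_bytes, self.tokens + elapsed * self.cir_bps / 8)
        self.last_ts = ts
        if size <= self.tokens:
            self.tokens -= size
            return "conform"            # conform-action transmit
        return "exceed"                 # exceed-action drop


def recommended_bc(cir_bps: int, seconds: float = 1.5) -> int:
    """Cisco's rule of thumb for a policer burst: CIR/8 bytes per second * 1.5 s.
    For the 3 Mbit/s policer above this is 562500 bytes, so 30000 is very tight."""
    return int(cir_bps / 8 * seconds)


def police(cir_bps: int, bc_bytes: int, packets):
    """Run a (timestamp, size) trace through one bucket; return verdict counts."""
    bucket = TokenBucket(cir_bps, bc_bytes)
    return Counter(bucket.offer(ts, size) for ts, size in packets)


class MicroflowPolicer:
    """One bucket per source address inside `prefix` (UBRL-style); other sources
    pass untouched. Buckets are created on first sight, so state grows with the
    number of active sources, not with a configured class per VM."""

    def __init__(self, prefix: str, cir_bps: int, bc_bytes: int) -> None:
        self.prefix = ipaddress.ip_network(prefix)
        self.cir_bps, self.bc_bytes = cir_bps, bc_bytes
        self.buckets: dict[str, TokenBucket] = {}

    def offer(self, ts: float, src: str, size: int) -> str:
        if ipaddress.ip_address(src) not in self.prefix:
            return "conform"
        bucket = self.buckets.setdefault(src, TokenBucket(self.cir_bps, self.bc_bytes))
        return bucket.offer(ts, size)


def police_per_source(prefix: str, cir_bps: int, bc_bytes: int, packets):
    """Run a (timestamp, src, size) trace; return {src: Counter of verdicts}."""
    policer = MicroflowPolicer(prefix, cir_bps, bc_bytes)
    out: dict[str, Counter] = {}
    for ts, src, size in packets:
        out.setdefault(src, Counter())[policer.offer(ts, src, size)] += 1
    return out


# Constructed traces (not real traffic): 1500-byte frames back to back at t=0,
# then a second burst 100 ms later.
SINGLE_TRACE = [(0.0, 1500)] * 30 + [(0.1, 1500)] * 25
PER_SOURCE_TRACE = (
    [(0.0, "10.0.0.5", 1500)] * 20       # one chatty VM
    + [(0.0, "10.0.0.6", 1500)] * 5      # a quiet VM on the same host
    + [(0.0, "192.168.1.1", 1500)] * 20  # outside the policed range
)

if __name__ == "__main__":
    print(police(3_000_000, 30_000, SINGLE_TRACE))
    print(police_per_source("10.0.0.0/24", 100_000_000, 15_000, PER_SOURCE_TRACE))
```

With the c4503 values, a 30000-byte bucket admits exactly twenty 1500-byte frames back to back before dropping, and 100 ms later it has refilled to its cap and admits another twenty; that is why Cisco's guidance puts the burst near CIR/8 * 1.5 s (562500 bytes here) rather than a few tens of kilobytes. The per-source run shows the chatty VM being clipped while its neighbour and the out-of-range host are untouched.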
From kris at amy.id.au Tue Feb 2 08:06:40 2010
From: kris at amy.id.au (Kris Amy)
Date: Tue, 2 Feb 2010 23:06:40 +1000
Subject: [c-nsp] DHCPv6 and Windows
Message-ID: <79167dd71002020506n76255726r31066fc490068766@mail.gmail.com>

Hi all,

I'm having trouble getting DHCPv6 and Windows (specifically 7) to interop for the correct default gateway.

It is picking up the address OK but the default gateway is staying as Link-Local IP.

So far I've tried all combinations of enabling/disabling

ipv6 nd managed-config-flag
ipv6 nd other-config-flag

on the relevant LAN interface and various combinations of

netsh int ipv6 set int managedaddress=disabled advertise=disabled routerdiscovery=dhcp

Hoping someone has the magic combination to get it to work. OS X worked first time without any changes.

I believe if the M and O flags are set then the client should go into stateful mode and request the default gateway from the advertising router.

Cheers,
Kris

From kris at amy.id.au Tue Feb 2 08:17:52 2010
From: kris at amy.id.au (Kris Amy)
Date: Tue, 2 Feb 2010 23:17:52 +1000
Subject: [c-nsp] DHCPv6 and Windows
In-Reply-To:
References: <79167dd71002020506n76255726r31066fc490068766@mail.gmail.com>
Message-ID: <79167dd71002020517w3b924b42n6d86672410380230@mail.gmail.com>

Hi,

We are using Prefix delegation from our LNS to deliver it to the CPE. I cannot ping the IP that it determines is the default gateway via Link-Local.

Cheers,
Kris

On Tue, Feb 2, 2010 at 11:14 PM, Antonio Querubin wrote:
> On Tue, 2 Feb 2010, Kris Amy wrote:
>
>> I'm having trouble getting DHCPv6 and Windows (specifically 7) to interop
>> for the correct default gateway.
>>
>> It is picking up the address OK but the default gateway is staying as
>> Link-Local IP.
>>
>
> What's wrong with using the link-local of the gateway?
>
> Antonio Querubin
> 808-545-5282 x3003
> e-mail/xmpp: tony at lava.net
>

From pkranz at unwiredltd.com Tue Feb 2 13:13:03 2010
From: pkranz at unwiredltd.com (Peter Kranz)
Date: Tue, 2 Feb 2010 10:13:03 -0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <4B67EFBF.10500@imperial.ac.uk>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk>
Message-ID: <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com>

The network is composed of 6509-e chassis with SUP 720 3BXL cards at all sites..

So far respondents have recommended the following options; (so many ways to skin this cat..!)

EoMPLS
Cisco Resilient Ethernet Protocol (REP)
802.17 (RPR)
Spatial Reuse Protocol (SRP)
STP

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, February 02, 2010 1:26 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Layer 2 VLAN advice..

On 02/01/2010 08:59 PM, Peter Kranz wrote:
> Currently in our network we use dot1Q trunks to forward
> end-user/customer VLANs from Site A to Site B to provide them virtual
> point-to-point circuits between data centers without the overhead of some type of VPN tunnel.
>
> However if one of our backhauls between data centers fails, we would
> desire these VLANs to forward via an alternative backhaul path (All
> of our data centers have at least 2 exits to other datacenters in our
> network, and are meshed via OSPF/BGP)

What equipment are you running the network on? EoMPLS occurs as an option, but of course requires enabling MPLS.
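Added example for the DHCPv6/Windows question a couple of messages up and the RFC 5006 mention earlier in this digest (not code from any poster; the Router Advertisement bytes are constructed and use documentation prefixes under 2001:db8::/32). It builds and parses ICMPv6 Router Advertisements, pulling out the M and O flags that `ipv6 nd managed-config-flag` / `ipv6 nd other-config-flag` set, the per-prefix A and L flags, and the RDNSS option (type 25) that RFC 5006 defines for handing DNS servers to SLAAC hosts. RFC 4861 carries the default router (the RA's link-local source address, qualified by Router Lifetime) in the RA itself; DHCPv6 carries addresses and "other" information such as DNS. The parser applies the RFC 4861 option sanity checks (non-zero length, no overrun), which any rogue-RA inspection or capture tool has to do before trusting the contents.

```python
"""Builder and parser for ICMPv6 Router Advertisements (RFC 4861) with the
RDNSS option (RFC 5006, option type 25). Added example, not from the posts;
packets are constructed and use documentation prefixes."""
import ipaddress

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_MTU, OPT_RDNSS = 3, 5, 25
FLAG_M, FLAG_O = 0x80, 0x40          # RA flags: Managed address config, Other config
PIO_L, PIO_A = 0x80, 0x40            # Prefix Information flags: on-Link, Autonomous


def build_ra(*, hop_limit: int = 64, managed: bool = False, other: bool = False,
             router_lifetime: int = 1800, prefixes=(), rdnss=(),
             rdnss_lifetime: int = 3600) -> bytes:
    """Return the ICMPv6 payload of an RA. The checksum is left 0: it covers the
    IPv6 pseudo-header, which this constructed payload does not have."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    pkt = bytes([ND_ROUTER_ADVERT, 0, 0, 0, hop_limit, flags])
    pkt += router_lifetime.to_bytes(2, "big") + bytes(8)   # reachable/retrans = 0 (unspecified)
    for pfx, autonomous in prefixes:
        net = ipaddress.IPv6Network(pfx)
        pflags = PIO_L | (PIO_A if autonomous else 0)
        pkt += bytes([OPT_PREFIX_INFO, 4, net.prefixlen, pflags])
        pkt += (2_592_000).to_bytes(4, "big") + (604_800).to_bytes(4, "big")  # valid, preferred
        pkt += bytes(4) + net.network_address.packed
    if rdnss:
        pkt += bytes([OPT_RDNSS, 1 + 2 * len(rdnss), 0, 0]) + rdnss_lifetime.to_bytes(4, "big")
        pkt += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return pkt


def parse_ra(payload: bytes) -> dict:
    """Decode an RA payload; raise ValueError on anything RFC 4861 says to discard."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT or payload[1] != 0:
        raise ValueError("not an ICMPv6 Router Advertisement")
    flags = payload[5]
    ra = {
        "hop_limit": payload[4],
        "managed": bool(flags & FLAG_M),       # M: get addresses via stateful DHCPv6
        "other": bool(flags & FLAG_O),         # O: get other info (DNS, ...) via DHCPv6
        "router_lifetime": int.from_bytes(payload[6:8], "big"),  # 0 = not a default router
        "prefixes": [], "rdnss": [], "mtu": None,
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")       # RFC 4861 4.6: MUST discard
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("option overruns packet")
        body = payload[off + 2:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}",
                "on_link": bool(body[1] & PIO_L),
                "autonomous": bool(body[1] & PIO_A),    # A: host may form a SLAAC address
                "valid": int.from_bytes(body[2:6], "big"),
                "preferred": int.from_bytes(body[6:10], "big"),
            })
        elif otype == OPT_MTU and olen == 1:
            ra["mtu"] = int.from_bytes(body[2:6], "big")
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            addrs = body[6:]
            ra["rdnss"].append({
                "lifetime": int.from_bytes(body[2:6], "big"),
                "servers": [str(ipaddress.IPv6Address(addrs[i:i + 16]))
                            for i in range(0, len(addrs), 16)],
            })
        off = end                                         # unknown options are skipped
    return ra


def is_valid_ra(payload: bytes) -> bool:
    try:
        parse_ra(payload)
        return True
    except ValueError:
        return False


def address_mode(ra: dict) -> str:
    """Summarise what the flags tell a host to do for addresses and other config.
    With M set, O is redundant (RFC 4861 4.2): DHCPv6 returns everything."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    addr = "stateful DHCPv6" if ra["managed"] else ("SLAAC" if slaac else "none")
    if ra["managed"] and slaac:
        addr += " + SLAAC"
    other = "DHCPv6" if (ra["managed"] or ra["other"]) else ("RDNSS" if ra["rdnss"] else "none")
    return f"addresses: {addr}; other config: {other}"


# Constructed sample: M and O set, one SLAAC-able /64, two RDNSS servers.
SAMPLE_RA = build_ra(managed=True, other=True,
                     prefixes=[("2001:db8:1::/64", True)],
                     rdnss=["2001:db8:1::53", "2001:db8:2::53"])

if __name__ == "__main__":
    decoded = parse_ra(SAMPLE_RA)
    print(decoded)
    print(address_mode(decoded))
```

Feeding the sample through shows M and O set alongside an A-flagged prefix, i.e. a host may both SLAAC and run DHCPv6, while the default route is whatever sent the RA for as long as Router Lifetime says; a truncated or zero-length option makes the parser reject the whole advertisement rather than guess.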
From a.dhingra at neu.edu Tue Feb 2 14:38:15 2010
From: a.dhingra at neu.edu (Dhingra, Anand)
Date: Tue, 2 Feb 2010 14:38:15 -0500
Subject: [c-nsp] Question about FCoE
In-Reply-To: <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com>
Message-ID: <9683A1EFE9214446A78BDA9EA8AF79DC4DE2103124@NEUBOS3ES816CLS.nunet.neu.edu>

I was wondering if anyone has any real world experience with FCoE? We are looking at 5010 as a top of rack solution, with FC going back to a Brocade switch.

Some questions I had: is this mature? Has anyone deployed this? What were your difficulties?

Thanks
Anand

From mtinka at globaltransit.net Tue Feb 2 19:17:23 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 3 Feb 2010 08:17:23 +0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com>
Message-ID: <201002030817.24147.mtinka@globaltransit.net>

On Wednesday 03 February 2010 02:13:03 am Peter Kranz wrote:

> The network is composed of 6509-e chassis with SUP 720
> 3BXL cards at all sites..

Oh that will do MPLS quite nicely :-).

Of course, as someone else already mentioned, it means enabling MPLS in the network if you don't already have it running.

Cheers,

Mark.

From zeusdadog at gmail.com Tue Feb 2 23:20:25 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Tue, 2 Feb 2010 23:20:25 -0500
Subject: [c-nsp] VRF aware IPSec for remote access without xauth
Message-ID: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com>

I am trying to configure vrf aware IPSec VPN for remote access, coming into one VRF and tunneling into another VRF. Can I do that without XAUTH? I can't seem to find any reference to doing it without xauth. If it's possible and someone has done this, can you please post a sample config?

Thanks!

From atif.jauhar at gmail.com Wed Feb 3 00:36:44 2010
From: atif.jauhar at gmail.com (Muhammad Atif Jauahar)
Date: Wed, 3 Feb 2010 10:36:44 +0500
Subject: [c-nsp] Cisco Wireless LAN and Windows Domain Group Policies enforcement
Message-ID: <6a51198a1002022136s7666fbeyb50d03fdcc61854d@mail.gmail.com>

Hi,

In my organization, we have deployed Cisco WLCs with user based authentication via IAS (integrated with Microsoft Active Directory) and Lightweight Access Points for the wireless network... we are facing an issue enforcing Windows Domain Group Policies on wireless clients...

To enforce policies we force clients to connect via the wired network; after the policies are implemented we tell them they can now use the wireless network...

Kindly let me know how I can enforce Domain Group Policies using the wireless network.

--
Regards,
Muhammad Atif Jauhar
(+92-33-3346-0000)

From nick at inex.ie Wed Feb 3 05:16:14 2010
From: nick at inex.ie (Nick Hilliard)
Date: Wed, 03 Feb 2010 10:16:14 +0000
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com>
Message-ID: <4B694CEE.2020400@inex.ie>

On 02/02/2010 18:13, Peter Kranz wrote:
> The network is composed of 6509-e chassis with SUP 720 3BXL cards at all
> sites..
>
> So far respondents have recommended the following options; (so many ways to
> skin this cat..!)
>
> EoMPLS
> Cisco Resilient Ethernet Protocol (REP)
> 802.17 (RPR)
> Spatial Reuse Protocol (SRP)
> STP

Of this list, sup720s and regular c65k lan cards support stp and eompls. RPR is supported on ONS gear, and REP is supported in some of the metro ethernet products (me3400 and me6500). I don't think that SRP was ever implemented, was it?

Anyway, standard warnings apply to STP configurations.

Nick

From tom at netspot.com.au Wed Feb 3 05:37:23 2010
From: tom at netspot.com.au (Tom Lanyon)
Date: Wed, 3 Feb 2010 21:07:23 +1030
Subject: [c-nsp] IPV6 again
In-Reply-To: <20100201165908.GB2090@lboro.ac.uk>
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk>
Message-ID:

On 02/02/2010, at 3:29 AM, Alan Buxey wrote:
> youtube is now IPv6 ready - thanks Lorenzo Colitti (and his
> buddies!) but
> the AAAA's are only given to their happy ipv6 select partners....
> (unfortunately
> we are not yet one of those because we cannot guarantee 100% happy
> google
> services on IPv6 for all of our network....

Youtube via my home ADSL connection is happily coming in via IPv6 now and is working well... :)

They are not handing out an AAAA for www.youtube.com but most of the content (img+video) servers are on v6.
Tom

From teun at moonblade.net Wed Feb 3 05:53:15 2010
From: teun at moonblade.net (Teun Vink)
Date: Wed, 03 Feb 2010 11:53:15 +0100
Subject: [c-nsp] IPV6 again
In-Reply-To:
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk>
Message-ID: <1265194395.29797.66.camel@moridin.office.bit.nl.office.bit.nl>

On Wed, 2010-02-03 at 21:07 +1030, Tom Lanyon wrote:
> On 02/02/2010, at 3:29 AM, Alan Buxey wrote:
> > youtube is now IPv6 ready - thanks Lorenzo Colitti (and his
> > buddies!) but
> > the AAAA's are only given to their happy ipv6 select partners....
> > (unfortunately
> > we are not yet one of those because we cannot guarantee 100% happy
> > google
> > services on IPv6 for all of our network....
>
> Youtube via my home ADSL connection is happily coming in via IPv6 now
> and is working well... :)
>
> They are not handing out an AAAA for www.youtube.com but most of the
> content (img+video) servers are on v6.

Actually, they are handing out AAAA since today:

% host www.youtube.com
www.youtube.com is an alias for youtube-ui.l.google.com.
youtube-ui.l.google.com has address 74.125.79.102
youtube-ui.l.google.com has address 74.125.79.100
youtube-ui.l.google.com has address 74.125.79.101
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::65
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8a
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::66
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::64
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::71
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8b

--
Teun

From dale.shaw+cisco-nsp at gmail.com Wed Feb 3 05:57:19 2010
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 3 Feb 2010 21:57:19 +1100
Subject: [c-nsp] IPV6 again
In-Reply-To:
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk>
Message-ID: <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com>

Hi,

On Wed, Feb 3, 2010 at 9:37 PM, Tom Lanyon wrote:
>
> They are not handing out an AAAA for www.youtube.com but most of the content
> (img+video) servers are on v6.

Hmm, really?

I'm speaking to www.youtube.com (youtube-ui.l.google.com) on 2001:4860:c004::64

cheers,
Dale

From gert at greenie.muc.de Wed Feb 3 06:03:05 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 3 Feb 2010 12:03:05 +0100
Subject: [c-nsp] IPV6 again
In-Reply-To:
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk>
Message-ID: <20100203110305.GI857@greenie.muc.de>

Hi,

On Wed, Feb 03, 2010 at 09:07:23PM +1030, Tom Lanyon wrote:
> They are not handing out an AAAA for www.youtube.com but most of the
> content (img+video) servers are on v6.

Actually you're missing all the fun :-)

www.youtube.com is an alias for youtube-ui.l.google.com.
youtube-ui.l.google.com has address 74.125.79.102
youtube-ui.l.google.com has address 74.125.79.101
youtube-ui.l.google.com has address 74.125.79.100
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::64
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::66
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::71
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8b
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::65
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8a

(since this morning)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Wed Feb 3 07:01:57 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 03 Feb 2010 12:01:57 +0000
Subject: [c-nsp] IPV6 again
In-Reply-To: <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com>
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com>
Message-ID: <4B6965B5.6000302@imperial.ac.uk>

On 03/02/10 10:57, Dale Shaw wrote:
> Hi,
>
> On Wed, Feb 3, 2010 at 9:37 PM, Tom Lanyon wrote:
>>
>> They are not handing out an AAAA for www.youtube.com but most of the content
>> (img+video) servers are on v6.
>
> Hmm, really?
>
> I'm speaking to www.youtube.com (youtube-ui.l.google.com) on 2001:4860:c004::64

Hmm. Nope - ns4.google.com returns A records only for me.

A colleague suggests it's this:

http://www.google.com/intl/en/ipv6/

You are maybe on a provider who has this enabled?
Does anyone know the details - do the google DNS servers choose to reply with AAAA based on AS-path of the querying IP, or netblock? Inbound interface? From swmike at swm.pp.se Wed Feb 3 07:14:52 2010 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Wed, 3 Feb 2010 13:14:52 +0100 (CET) Subject: [c-nsp] IPV6 again In-Reply-To: <4B6965B5.6000302@imperial.ac.uk> References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> <4B6965B5.6000302@imperial.ac.uk> Message-ID: On Wed, 3 Feb 2010, Phil Mayers wrote: > Does anyone know the details - do the google DNS servers choose to reply with > AAAA based on AS-path of the querying IP, or netblock? Inbound interface? When I talked to google, they wanted to know what netblock(s) my resolvers were in, so I guess it's based on that. -- Mikael Abrahamsson email: swmike at swm.pp.se From j.vaningenschenau at utwente.nl Wed Feb 3 07:18:53 2010 From: j.vaningenschenau at utwente.nl (j.vaningenschenau at utwente.nl) Date: Wed, 3 Feb 2010 13:18:53 +0100 Subject: [c-nsp] IPV6 again In-Reply-To: <4B6965B5.6000302@imperial.ac.uk> References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> <4B6965B5.6000302@imperial.ac.uk> Message-ID: <63656D8795A13249B35AD1E5FFAB2F7F026BC1F0@EX04.service.utwente.nl> > Hmm. Nope - ns4.google.com returns A records only for me. > > A colleague suggests it's this: > > http://www.google.com/intl/en/ipv6/ > > You are maybe on a provider who has this enabled? That's probably the case. 
> Does anyone know the details - do the google DNS servers choose to > reply > with AAAA based on AS-path of the querying IP, or netblock? Inbound > interface? For our network, the IP addresses of our main resolvers have been whitelisted by Google (after contacting them, assuring we have native ipv6 connectivity and will offer support to our users if problems should arise). Regards, Jeroen van Ingen ICT Service Centre University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands From gert at greenie.muc.de Wed Feb 3 07:31:25 2010 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 3 Feb 2010 13:31:25 +0100 Subject: [c-nsp] IPV6 again In-Reply-To: <4B6965B5.6000302@imperial.ac.uk> References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> <4B6965B5.6000302@imperial.ac.uk> Message-ID: <20100203123125.GL857@greenie.muc.de> Hi, On Wed, Feb 03, 2010 at 12:01:57PM +0000, Phil Mayers wrote: > Does anyone know the details - do the google DNS servers choose to reply > with AAAA based on AS-path of the querying IP, or netblock? Inbound > interface? Netblock. You register your DNS resolvers' IP address(es) with them, and they whitelist you to receive AAAA records. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
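The `host` output quoted in this thread and the resolver-netblock whitelisting that Mikael and Gert describe, as an added worked example (written for this archive, not code from any of the posters). It parses `host`-style output into a record set and models the policy as a filter on the querying resolver's source address, so an operator can check from a capture whether a given resolver would be handed AAAA records at all. The whitelist prefixes are constructed from RFC 5737 / RFC 3849 documentation ranges and stand in for whatever netblocks were registered; they are not Google's list. The sample addresses are the 2010 ones quoted above.

```python
import ipaddress
import re

# Constructed sample in the shape of the `host www.youtube.com` output quoted
# in this thread; the addresses are the 2010 ones from the posts above.
SAMPLE_HOST_OUTPUT = """\
www.youtube.com is an alias for youtube-ui.l.google.com.
youtube-ui.l.google.com has address 74.125.79.102
youtube-ui.l.google.com has address 74.125.79.100
youtube-ui.l.google.com has address 74.125.79.101
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::65
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8a
youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::66
"""

# Hypothetical resolver whitelist: RFC 5737 / RFC 3849 documentation prefixes
# standing in for the netblocks an operator registered with the DNS provider.
WHITELISTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:53::/48"),
]

# The three line shapes `host` prints for CNAME, A and AAAA answers.
_LINE_FORMS = [
    ("CNAME", re.compile(r"^(\S+) is an alias for (\S+?)\.?$")),
    ("A", re.compile(r"^(\S+) has address (\S+)$")),
    ("AAAA", re.compile(r"^(\S+) has IPv6 address (\S+)$")),
]


def parse_host_output(text):
    """Parse `host` output into {owner: [(rrtype, rdata), ...]}.

    Unrecognised lines are skipped so a raw terminal capture can be fed in;
    addresses are validated so a garbled line cannot pass as an RR.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        for rrtype, pattern in _LINE_FORMS:
            m = pattern.match(line)
            if not m:
                continue
            owner, rdata = m.group(1), m.group(2)
            if rrtype == "A":
                ipaddress.IPv4Address(rdata)  # raises ValueError on a bad capture
            elif rrtype == "AAAA":
                ipaddress.IPv6Address(rdata)
            records.setdefault(owner, []).append((rrtype, rdata))
            break
    return records


def count_by_type(records):
    """Count records per RR type across all owners."""
    counts = {}
    for rrs in records.values():
        for rrtype, _ in rrs:
            counts[rrtype] = counts.get(rrtype, 0) + 1
    return counts


def answer_for_resolver(resolver_ip, records, whitelist=WHITELISTED_RESOLVER_NETS):
    """Model the policy described in the thread: AAAA records are returned
    only to resolvers whose source address lies in a registered netblock;
    every other querier is answered with CNAME and A records only."""
    src = ipaddress.ip_address(resolver_ip)
    # `in` is False (not an error) when address and network families differ.
    allowed = any(src in net for net in whitelist)
    return {
        owner: [rr for rr in rrs if allowed or rr[0] != "AAAA"]
        for owner, rrs in records.items()
    }


def gets_aaaa(resolver_ip, records, whitelist=WHITELISTED_RESOLVER_NETS):
    """True if this resolver would see at least one AAAA in the answer."""
    answer = answer_for_resolver(resolver_ip, records, whitelist)
    return count_by_type(answer).get("AAAA", 0) > 0


if __name__ == "__main__":
    recs = parse_host_output(SAMPLE_HOST_OUTPUT)
    print("records in capture:", count_by_type(recs))
    for r in ("192.0.2.53", "198.51.100.7", "2001:db8:53::1"):
        print(f"{r:>16}: AAAA returned = {gets_aaaa(r, recs)}")
```

The same parser works on a capture taken from the resolver under test: if `count_by_type` shows no AAAA for a name that is known to be dual-stacked, the resolver's address is not in the provider's whitelist (or the capture went through a different resolver than you think), which is the situation Phil and Dale were comparing.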
From saxon.jones at gmail.com Wed Feb 3 09:14:21 2010
From: saxon.jones at gmail.com (Saxon Jones)
Date: Wed, 3 Feb 2010 07:14:21 -0700
Subject: [c-nsp] VRF aware IPSec for remote access without xauth
In-Reply-To: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com>
References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com>
Message-ID: <86b512c31002030614v644af59dt6fc43a352d902f85@mail.gmail.com>

In the tunnel interface configuration, "ip vrf forwarding" sets the VRF that traffic in the tunnel is a part of, and "tunnel vrf" sets the VRF that the tunnel travels over. Is this what you're asking?

-saxon

On 2 February 2010 21:20, Jay Nakamura wrote:
> I am trying to configure vrf aware IPSec VPN for remote access, coming
> into one VRF and tunneling into another VRF. Can I do that without
> XAUTH? I can't seem to find any reference to doing it without xauth.
> If it's possible and someone has done this, can you please post a
> sample config?
>
>
> Thanks!
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From nick.jon.griffin at gmail.com Wed Feb 3 09:16:11 2010
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 3 Feb 2010 08:16:11 -0600
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <4B694CEE.2020400@inex.ie>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> <4B694CEE.2020400@inex.ie>
Message-ID:

AFAIK, SRP was implemented/available in 12K's and 7200's, I used it in a cmts environment. This was 5 years ago, not sure about the offering nowadays.

On Wed, Feb 3, 2010 at 4:16 AM, Nick Hilliard wrote:
> On 02/02/2010 18:13, Peter Kranz wrote:
> > The network is composed of 6509-e chassis with SUP 720 3BXL cards at all
> > sites..
> >
> > So far respondents have recommended the following options; (so many ways
> to
> > skin this cat..!)
> >
> > EoMPLS
> > Cisco Resilient Ethernet Protocol (REP)
> > 802.17 (RPR)
> > Spatial Reuse Protocol (SRP)
> > STP
>
> Of this list, sup720s and regular c65k lan cards support stp and eompls.
> RPR is supported on ONS gear, and REP is supported in some of the metro
> ethernet products (me3400 and me6500). I don't think that SRP was ever
> implemented, was it?
>
> Anyway, standard warnings apply to STP configurations.
>
> Nick
>

From linux.yahoo at gmail.com Wed Feb 3 10:13:59 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Wed, 3 Feb 2010 16:13:59 +0100
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References:
Message-ID: <7100ed371002030713j43a1f2b5k47b5a6e0c8667055@mail.gmail.com>

No

AFAIK vPC is already available on N5K/N2K, active/active with FEX should be possible:

Cisco Nexus 5000 NX-OS Software Rel 4.1(3)N2(1)

"A virtual port channel (vPC) allows links that are physically connected to two different Cisco Nexus 5000 Series switches or Cisco Nexus 2000 Series Fabric Extenders to appear as a single port channel by a third device (see the following figure). The third device can be a switch, server, or any other networking device. Beginning with Cisco NX-OS Release 4.1(3)N1(1), you can configure vPCs in topologies that include Cisco Nexus 5000 Series switches connected to the Fabric Extender. A vPC can provide multipathing, which allows you to create redundancy by enabling multiple parallel paths between nodes and load balancing traffic where alternative paths exist"

R/
Manu

On Sat, Jan 30, 2010 at 12:56 AM, scott owens wrote:
> >
> > 1. Re: Nexus 2000 vs Catalyst 4948 for access layer
> > (chris at lavin-llc.com)
> > --------------------------------------------------------------------
> >
> > Message: 1
> > Date: Fri, 29 Jan 2010 14:16:59 -0500
> > From: chris at lavin-llc.com
> > To: "Nick Hilliard"
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
> > Message-ID:
> >
> > Content-Type: text/plain;charset=iso-8859-1
> >
> > > wrt NX-OS vs. IOS, they are two different systems. NX-OS is very young
> > in
> > > its development cycle; IOS is much more mature and has many more
> > features.
> > >
> > > Nick
> >
> >
> > I'm curious why you suggest that the NX-OS is very young. My
> understanding
> > (I'm not a SAN guy) is that the NX-OS is just a move of bringing the MDS
> > OS into a routing/switching combination with IOS.
> >
> > I had the recent experience of a Nexus CPOC down in RTP. Going into it I
> > was apprehensive about learning a new OS. But through the CPOC I learned
> > that it's not that much different from IOS. Seemed like they did a decent
> > job of importing/aliasing the IOS related commands. I didn't feel as lost
> > within the CLI as I had expected.
> >
> > -chris
> >
>
>
> We have about a dozen 2148Ts connected to 4 Nexus 5Ks and a couple of 7Ks
>
> I would absolutely NOT pick the 2148Ts for just switching unless you had
> some larger data center needs; they and their "parent" 5Ks don't route ..
> .so we do some ( and we wanted to) vlan tagging on servers to bypass
> routing.
>
> I will say that "show log last 20" is worth every penny :)
>
> They are stable if you hook them up right - currently you can not do
> active/active with a FEX connected to multiple 5Ks & do LACP teaming to
> servers.
>
> Got question - shoot them on over ...
>

From andy at xecu.net Wed Feb 3 10:39:46 2010
From: andy at xecu.net (Andy Dills)
Date: Wed, 3 Feb 2010 10:39:46 -0500 (EST)
Subject: [c-nsp] problems migrating to a 3550
Message-ID: <20100203100235.T43899@shell.xecu.net>

I'm migrating a network from an old HP Procurve switch to a Cisco 3550.

Simple setup, public and private vlans. Setup a port to be tagged on both vlans on the HP side, and on the cisco end set it to be in trunking mode.

The cisco sees the vlans. I'm getting the full table from 'show mac address-table', with the appropriate vlans attached to the appropriate mac addresses.

Things in vlan2 on the HP switch can reach the IP address of the 3550 on vlan2 just fine, vlan2 is solid.

However, things in vlan1 on the HP switch cannot reach the IP of the 3550 on vlan1, and anything attached to 3550 on vlan1 ports cannot reach anything on vlan1 on the HP switch.

Both switches have all of the correct mac addresses in their layer 2 forwarding table. However, whereas things on vlan2 are consistently reachable and populate the arp table, on vlan1 some things will show up in the arp table, most will not, and none will be pingable.

Another symptom I'm noticing is that nothing on vlan1 on the HP switch can see the mac address for the vlan1 interface on the 3550, or of anything attached to vlan1 of the 3550. However, these mac addresses will be in both switches forwarding tables.
And likewise, there will be addresses in the forwarding table of the 3550, but somehow the server is unable to get arp resolution for any of those very hosts.

Config:

!
interface FastEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
!
interface Vlan1
 description Public
 ip address 10.0.0.126 255.255.255.128
!
interface Vlan2
 description Private
 ip address 10.0.0.254 255.255.255.128
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1

public#sh interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/48      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/48      1-2

Port        Vlans allowed and active in management domain
Fa0/48      1-2

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/48      1-2

Running Version 12.2(44)SE6.

Any suggestions?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

From j.vaningenschenau at utwente.nl Wed Feb 3 11:58:12 2010
From: j.vaningenschenau at utwente.nl (j.vaningenschenau at utwente.nl)
Date: Wed, 3 Feb 2010 17:58:12 +0100
Subject: [c-nsp] problems migrating to a 3550
In-Reply-To: <20100203100235.T43899@shell.xecu.net>
References: <20100203100235.T43899@shell.xecu.net>
Message-ID: <63656D8795A13249B35AD1E5FFAB2F7F026BC379@EX04.service.utwente.nl>

> Things in vlan2 on the HP switch can reach the IP address of the 3550
> on
> vlan2 just fine, vlan2 is solid.
>
> However, things in vlan1 on the HP switch cannot reach the IP of the
> 3550
> on vlan1, and anything attached to 3550 on vlan1 ports cannot reach
> anything on vlan1 on the HP switch.

You could try either:
* Setting VLAN 1 as untagged on the Procurve side, or
* configuring "switchport trunk native vlan tag" on the Cisco side.
(or avoid using VLAN 1, which is what we always do between Cisco and HP switches)

Regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands

From bacon at walleyesoftware.com Wed Feb 3 12:02:44 2010
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Wed, 3 Feb 2010 11:02:44 -0600
Subject: [c-nsp] what is it with 3550s?
Message-ID: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>

They seem to be an incredibly popular device, especially for telcos as CPE devices. Why? (I have no use for them, really, and they appear to be EOL, I'm just really curious.)

From cnsp at shreddedmail.com Wed Feb 3 12:49:36 2010
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Wed, 3 Feb 2010 09:49:36 -0800
Subject: [c-nsp] Cat 4948 policer is greedy?
Message-ID:

I'm using a Catalyst 4948 as a bump in the cable between another network operator and a metro-ether backhaul to our POP. We land some IP on the 4948 as SVIs for the trunk facing the other operator. Other VLANs are provisioned as "pass-through" for out-of-band circuits.

It was my previous experience that unless the policer was attached to the layer-2 interface, or that the traffic landed on the device, that a policer would not affect traffic. I've run into a situation where a policer on a shutdown interface is affecting traffic. Modifying the service-policy on Vlan3017 has an immediate effect on traffic passing across the VLAN.

Should this be happening? It doesn't make sense to me based on the configuration and previous experience with policing.

Thanks!

------------
policy-map BW_5M
  class class-default
    police 5 mbps 0.125 mbyte conform-action transmit exceed-action drop

interface GigabitEthernet1/44
 description X-Connect to POP
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,3003,3004,3006,3007,3011,3015,3017,3019-3022
 switchport trunk allowed vlan add 3025,3027-3029,3036-3039,3041-3099
 switchport mode trunk

interface GigabitEthernet1/45
 description Trunk to WiMAX
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3000-3099
 switchport mode trunk
 spanning-tree bpdufilter enable

interface Vlan3017
 description Customer OOB VLAN
 no ip address
 no ip redirects
 no ip proxy-arp
 shutdown
 ! service-policy was not removed when service was changed from
 ! access to OOB
 service-policy input BW_5M
 service-policy output BW_5M

#show policy-map interface vlan3017
 Vlan3017

  Service-policy input: BW_5M

    Class-map: class-default (match-any)
      2097190676 packets
      Match: any
        2097190676 packets
      police: Per-interface
        Conform: 26477941465 bytes Exceed: 221088686 bytes

  Service-policy output: BW_5M

    Class-map: class-default (match-any)
      1991735528 packets
      Match: any
        1991735528 packets
      police: Per-interface
        Conform: 26477412954 bytes Exceed: 0 bytes

From jlewis at lewis.org Wed Feb 3 12:50:10 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 3 Feb 2010 12:50:10 -0500 (EST)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
Message-ID:

On Wed, 3 Feb 2010, Jeff Bacon wrote:

> They seem to be an incredibly popular device, especially for telcos as
> CPE devices. Why? (I have no use for them, really, and they appear to be
> EOL, I'm just really curious.)

They're one of cisco's earliest (first?)
inexpensive fixed configuration layer 3 switches, do per-port policing (ingress and egress) with pretty good flexibility (better than the 3560 which "replaced" them) and because they're EOL, they've gotten very inexpensive. As CPE, I can see them being attractive where you need a router that's going to handle limited routes (preferably just default and maybe a few static routes, but with EMI software, they can do limited BGP4) but want wire rate packet forwarding performance.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From eric at atlantech.net Wed Feb 3 12:50:57 2010
From: eric at atlantech.net (Eric Van Tol)
Date: Wed, 3 Feb 2010 12:50:57 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Jeff Bacon
> Sent: Wednesday, February 03, 2010 12:03 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] what is it with 3550s?
>
> They seem to be an incredibly popular device, especially for telcos as
> CPE devices. Why? (I have no use for them, really, and they appear to be
> EOL, I'm just really curious.)
>

They can do full layer 3 routing, have a diverse selection of model numbers, do decent QoS, and are cheap, cheap, cheap.

-evt

From iam at st-andrews.ac.uk Wed Feb 3 12:45:26 2010
From: iam at st-andrews.ac.uk (Ian McDonald)
Date: Wed, 03 Feb 2010 17:45:26 +0000
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
Message-ID: <4B69B636.9030100@st-andrews.ac.uk>

Jeff Bacon wrote:
> They seem to be an incredibly popular device, especially for telcos as
> CPE devices. Why? (I have no use for them, really, and they appear to be
> EOL, I'm just really curious.)
>
>

Jeff,

They're relatively fully featured, run relatively recent IOS, and are dirt cheap. (3550-24FX's run ~350UKP). The fibre ones were also kept "on the books" for quite a while, until the 3750-24FS launched (but they cost a fortune).

In my experience, they don't suffer from the early 3750 reliability issues either. (I have some early (2004/2005 ish) C3750G-12S's that have mainboard capacitor explosions). Later C3750-12S's (starting sometime before Feb 2006, and marked -V4 on the label) have a different mainboard, with a differently designed power stage. )

-- 
ian

Ian McDonald, ITS, University of St Andrews
T: +441334462779 F: +441334462759

The University of St Andrews is a charity registered in Scotland: SC013532

From b.turnbow at twt.it Wed Feb 3 13:05:54 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Wed, 3 Feb 2010 19:05:54 +0100
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
Message-ID:

>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Bacon
>Sent: mercoledì 3 febbraio 2010 18.03
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] what is it with 3550s?
>They seem to be an incredibly popular device, especially for telcos as
>CPE devices. Why? (I have no use for them, really, and they appear to be
>EOL, I'm just really curious.)

It depends on the model etc but they have an advantage over the 3750s in the way they slice up tcam resources. Like the 3550-12s had a reference of 24k routes with 16 svis, as compared to a 3750-12 that does max 20k with 8 svis

Brian

From cayers at ena.com Wed Feb 3 14:20:04 2010
From: cayers at ena.com (Cory Ayers)
Date: Wed, 3 Feb 2010 13:20:04 -0600
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
Message-ID:

> > They seem to be an incredibly popular device, especially for telcos
> as
> > CPE devices. Why? (I have no use for them, really, and they appear to
> be
> > EOL, I'm just really curious.)
> >
>
> They can do full layer 3 routing, have a diverse selection of model
> numbers, do decent QoS, and are cheap, cheap, cheap.
>
> -evt

+1. They are dirt cheap, rock solid from our experience, and have options for 10 optical ports (c3550-12G). With that said, unless I'm missing something, I still don't see IPv6 routing support and they are EOL. We will be moving away from them and don't see C3560 or C3750 as a viable replacement.

From brhedlun at cisco.com Wed Feb 3 14:23:38 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Wed, 3 Feb 2010 13:23:38 -0600
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: <7100ed371002030713j43a1f2b5k47b5a6e0c8667055@mail.gmail.com>
References: <7100ed371002030713j43a1f2b5k47b5a6e0c8667055@mail.gmail.com>
Message-ID: <42D38646-6700-4EE1-B413-EACB68414589@cisco.com>

That is correct. The Nexus 2000 can be connected to two Nexus 5000's with an active/active virtual port channel (vPC).
However, if you do that, you cannot (yet) connect the Server to the Nexus 2000's with an active/active 802.3ad LACP NIC team. You can obviously use active/standby teaming, or, active/active transmit load balancing (TLB) with active/standby receive.

If your Nexus 2000's are each singly homed to a single Nexus 5000 like this:

N2K1------>N5K1
             ||
N2K2------>N5K2

then you CAN connect the Server to both N2K's with an active/active 802.3ad LACP team:

        N2K1------>N5K1
Server<              ||
  LACP  N2K2------>N5K2

This architecture provides active/active with redundancy from the network through to the server.

Check out this link for more info on how that's done:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/configuration_guide_c07-543563.html

-- 
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Feb 3, 2010, at 9:13 AM, Manu Chao wrote:

> No
>
> AFAIK vPC is already available on N5K/N2K, active/active with FEX should
> be possible:
>
> Cisco Nexus 5000 NX-OS Software Rel 4.1(3)N2(1)
>
> "A virtual port channel (vPC) allows links that are physically connected to
> two different Cisco Nexus 5000 Series switches or Cisco Nexus 2000 Series
> Fabric Extenders to appear as a single port channel by a third device (see
> the following figure). The third device can be a switch, server, or any
> other networking device. Beginning with Cisco NX-OS Release 4.1(3)N1(1), you
> can configure vPCs in topologies that include Cisco Nexus 5000
> Series switches connected to the Fabric
> Extender. A vPC can provide multipathing, which allows you to create
> redundancy by enabling multiple parallel paths between nodes and load
> balancing traffic where alternative paths exist"
>
> R/
> Manu
>
> On Sat, Jan 30, 2010 at 12:56 AM, scott owens wrote:
>
>>>
>>> 1. Re: Nexus 2000 vs Catalyst 4948 for access layer
>>> (chris at lavin-llc.com)
>>> --------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Fri, 29 Jan 2010 14:16:59 -0500
>>> From: chris at lavin-llc.com
>>> To: "Nick Hilliard"
>>> Cc: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
>>> Message-ID:
>>>
>>> Content-Type: text/plain;charset=iso-8859-1
>>>
>>>> wrt NX-OS vs. IOS, they are two different systems. NX-OS is very young
>>> in
>>>> its development cycle; IOS is much more mature and has many more
>>> features.
>>>>
>>>> Nick
>>>
>>>
>>> I'm curious why you suggest that the NX-OS is very young. My
>> understanding
>>> (I'm not a SAN guy) is that the NX-OS is just a move of bringing the MDS
>>> OS into a routing/switching combination with IOS.
>>>
>>> I had the recent experience of a Nexus CPOC down in RTP. Going into it I
>>> was apprehensive about learning a new OS. But through the CPOC I learned
>>> that it's not that much different from IOS. Seemed like they did a decent
>>> job of importing/aliasing the IOS related commands. I didn't feel as lost
>>> within the CLI as I had expected.
>>>
>>> -chris
>>>
>>
>>
>> We have about a dozen 2148Ts connected to 4 Nexus 5Ks and a couple of 7Ks
>>
>> I would absolutely NOT pick the 2148Ts for just switching unless you had
>> some larger data center needs; they and their "parent" 5Ks don't route ..
>> .so we do some ( and we wanted to) vlan tagging on servers to bypass
>> routing.
>>
>> I will say that "show log last 20" is worth every penny :)
>>
>> They are stable if you hook them up right - currently you can not do
>> active/active with a FEX connected to multiple 5Ks & do LACP teaming to
>> servers.
>>
>> Got question - shoot them on over ...
>>

From jlewis at lewis.org Wed Feb 3 14:30:06 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 3 Feb 2010 14:30:06 -0500 (EST)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To:
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
Message-ID:

On Wed, 3 Feb 2010, Cory Ayers wrote:

> +1. They are dirt cheap, rock solid from our experience, and have
> options for 10 optical ports (c3550-12G). With that said, unless I'm
> missing something, I still don't see IPv6 routing support and they are
> EOL. We will be moving away from them and don't see C3560 or C3750 as a
> viable replacement.

You're not going to see IPv6 routing support on the 3550 AFAIK. As colo/customer aggregation switches, the per port policing limitations on the 3560 make it a poor substitute for the 3550.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From eric at atlantech.net Wed Feb 3 15:01:33 2010
From: eric at atlantech.net (Eric Van Tol)
Date: Wed, 3 Feb 2010 15:01:33 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> Message-ID: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jon Lewis > Sent: Wednesday, February 03, 2010 2:30 PM > To: Cory Ayers > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] what is it with 3550s? > > You're not going to see IPv6 routing support on the 3550 AFAIK. As > colo/customer aggregation switches, the per port policing limitations on > the 3560 make it a poor substitute for the 3550. > > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ > _______________________________________________ Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support: Switch1(config)#ipv6 ? access-list Configure access lists general-prefix Configure a general IPv6 prefix hop-limit Configure hop count limit host Configure static hostnames icmp Configure ICMP parameters local Specify local options neighbor Neighbor route Configure static routes router Enable an IPV6 routing process source-route Process packets with source routing header options unicast-routing Enable unicast routing -evt From sethm at rollernet.us Wed Feb 3 15:03:53 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 03 Feb 2010 12:03:53 -0800 Subject: [c-nsp] what is it with 3550s? 
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> Message-ID: <4B69D6A9.5090703@rollernet.us> On 2/3/10 12:01 PM, Eric Van Tol wrote: >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Jon Lewis >> Sent: Wednesday, February 03, 2010 2:30 PM >> To: Cory Ayers >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] what is it with 3550s? >> >> You're not going to see IPv6 routing support on the 3550 AFAIK. As >> colo/customer aggregation switches, the per port policing limitations on >> the 3560 make it a poor substitute for the 3550. >> >> ---------------------------------------------------------------------- >> Jon Lewis | I route >> Senior Network Engineer | therefore you are >> Atlantic Net | >> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ >> _______________________________________________ > > Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support: > > Switch1(config)#ipv6 ? > access-list Configure access lists > general-prefix Configure a general IPv6 prefix > hop-limit Configure hop count limit > host Configure static hostnames > icmp Configure ICMP parameters > local Specify local options > neighbor Neighbor > route Configure static routes > router Enable an IPV6 routing process > source-route Process packets with source routing header options > unicast-routing Enable unicast routing > Does it have a SDM template for dual v4-v6 mode? ~Seth From ed at edgeoc.net Wed Feb 3 15:08:03 2010 From: ed at edgeoc.net (Edward Salonia) Date: Wed, 3 Feb 2010 20:08:03 +0000 Subject: [c-nsp] what is it with 3550s? 
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net><2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local><2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> Message-ID: <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry> That is in SW only, if memory serves me. Also, I believe it has since been removed because of that. -----Original Message----- From: Eric Van Tol Date: Wed, 3 Feb 2010 15:01:33 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] what is it with 3550s? > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jon Lewis > Sent: Wednesday, February 03, 2010 2:30 PM > To: Cory Ayers > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] what is it with 3550s? > > You're not going to see IPv6 routing support on the 3550 AFAIK. As > colo/customer aggregation switches, the per port policing limitations on > the 3560 make it a poor substitute for the 3550. > > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ > _______________________________________________ Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support: Switch1(config)#ipv6 ? 
access-list Configure access lists
general-prefix Configure a general IPv6 prefix
hop-limit Configure hop count limit
host Configure static hostnames
icmp Configure ICMP parameters
local Specify local options
neighbor Neighbor
route Configure static routes
router Enable an IPV6 routing process
source-route Process packets with source routing header options
unicast-routing Enable unicast routing

-evt

From nicotine at warningg.com Wed Feb 3 15:09:39 2010
From: nicotine at warningg.com (Brandon Ewing)
Date: Wed, 3 Feb 2010 14:09:39 -0600
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local>
Message-ID: <20100203200939.GD2240@radiological.warningg.com>

On Wed, Feb 03, 2010 at 03:01:33PM -0500, Eric Van Tol wrote:
> Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support:
>
> Switch1(config)#ipv6 ?
> unicast-routing Enable unicast routing
>

IPv6 on 3550 is software-switched, as the ASICs on the platform aren't big enough for v6 addressing.

--
Brandon Ewing (nicotine at warningg.com)
From sthaug at nethelp.no Wed Feb 3 15:18:32 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 03 Feb 2010 21:18:32 +0100 (CET)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry>
References: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry>
Message-ID: <20100203.211832.74687696.sthaug@nethelp.no>

> That is in SW only, if memory serves me. Also, I believe it has since been removed because of that.

Yes, the 3550 has no *hardware* support for IPv6 routing. End of story.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

> -----Original Message-----
> From: Eric Van Tol
> Date: Wed, 3 Feb 2010 15:01:33
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] what is it with 3550s?
>
> Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support:
>
> Switch1(config)#ipv6 ?
> access-list Configure access lists
> general-prefix Configure a general IPv6 prefix
> hop-limit Configure hop count limit
> host Configure static hostnames
> icmp Configure ICMP parameters
> local Specify local options
> neighbor Neighbor
> route Configure static routes
> router Enable an IPV6 routing process
> source-route Process packets with source routing header options
> unicast-routing Enable unicast routing
>
> -evt

From eric at atlantech.net Wed Feb 3 15:31:44 2010
From: eric at atlantech.net (Eric Van Tol)
Date: Wed, 3 Feb 2010 15:31:44 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100203.211832.74687696.sthaug@nethelp.no>
References: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry> <20100203.211832.74687696.sthaug@nethelp.no>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863BFB5856F1@exchange.aoihq.local>

> -----Original Message-----
> From: sthaug at nethelp.no [mailto:sthaug at nethelp.no]
> Sent: Wednesday, February 03, 2010 3:19 PM
> To: ed at edgeoc.net
> Cc: Eric Van Tol; cisco-nsp-bounces at puck.nether.net; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] what is it with 3550s?
>
> > That is in SW only, if memory serves me. Also, I believe it has since
> > been removed because of that.
>
> Yes, the 3550 has no *hardware* support for IPv6 routing. End of story.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

Yes, this is true.
But what was said was, "You're not going to see IPv6 routing support on the 3550 AFAIK." I wouldn't turn it on unless your v6 traffic is extremely minimal, but it does support it. Just not well.

-evt

From enelsonm5 at yahoo.com Wed Feb 3 15:35:59 2010
From: enelsonm5 at yahoo.com (Erik Nelson)
Date: Wed, 3 Feb 2010 12:35:59 -0800 (PST)
Subject: [c-nsp] Cisco ACE module configuration question
Message-ID: <579353.91231.qm@web65713.mail.ac4.yahoo.com>

I have an ACE module in a 6500, and have basic load balancing (with sticky connections) working. The lab environment that I need to use this for will have 40+ servers, but all the traffic will be generated by just four servers. Each server will be simulating many users, each on a different source port. The traffic is HTTP, but not on port 80. Since there are programs generating the user traffic, I can't necessarily depend on them to behave completely like browsers (cookies, for instance). I have no control over the application software or load generator software. Also, each connection needs to be sticky.

Any suggestions? I think I need the source port to be part of the load balancing decisions. But this is the first ACE I have touched, and am somewhat lost.

Thanks!

From jlewis at lewis.org Wed Feb 3 15:50:35 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 3 Feb 2010 15:50:35 -0500 (EST)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856F1@exchange.aoihq.local>
References: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry> <20100203.211832.74687696.sthaug@nethelp.no> <2C05E949E19A9146AF7BDF9D44085B863BFB5856F1@exchange.aoihq.local>
Message-ID:

On Wed, 3 Feb 2010, Eric Van Tol wrote:
>> Yes, the 3550 has no *hardware* support for IPv6 routing. End of story.
>>
>> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>
> Yes, this is true.
> But what was said was, "You're not going to see IPv6
> routing support on the 3550 AFAIK." I wouldn't turn it on unless your
> v6 traffic is extremely minimal, but it does support it. Just not well.

I didn't think we would at all. Having it software switched on a 3550 probably means you can "do IPv6" in as much as just giving a v6 address to an SVI for management purposes, or for use in low bandwidth lab setups. IPv6 layer 3 ports for customers wanting to push much data isn't likely to work too well.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From pkranz at unwiredltd.com Wed Feb 3 16:11:49 2010
From: pkranz at unwiredltd.com (Peter Kranz)
Date: Wed, 3 Feb 2010 13:11:49 -0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <201002030817.24147.mtinka@globaltransit.net>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> <201002030817.24147.mtinka@globaltransit.net>
Message-ID: <078c01caa515$80907ed0$81b17c70$@unwiredltd.com>

So in terms of enabling MPLS on a fully meshed set of routers running BGP and OSPF.. Here are the general steps I believe;

#conf t
tag-switching advertise-tags
!
int g0/0
 mtu 9216
 tag-switching ip
!

However, what can I expect to happen when this is done, i.e. will existing BGP sessions drop between the routers whose interfaces I have changed to tag-switching IP? What other kinds of gotchas? Ideally I'd like to add MPLS capabilities in a hitless manner to the existing network.
-Peter

From jeff-kell at utc.edu Wed Feb 3 16:12:07 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 03 Feb 2010 16:12:07 -0500
Subject: [c-nsp] QQ
In-Reply-To: <4B69D6A9.5090703@rollernet.us>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <4B69D6A9.5090703@rollernet.us>
Message-ID: <4B69E6A7.6070800@utc.edu>

The 3550-EMIs, particularly the 3550-12s, were a hot little switch in their day. L3 routing and up to 10 optical ports would otherwise spell a 4500 (only 6Gbps at the time) or 6500. We still use some 3550-12s, doing L3 routing and VRF-lite, pushing those capabilities out to some areas we couldn't otherwise afford.

If you don't need IPv6 or advanced QoS, they're still a hot little switch. And yes, cheap aftermarket while they last.

Jeff

From RGoldberg at compudyne.net Wed Feb 3 16:01:06 2010
From: RGoldberg at compudyne.net (Ryan Goldberg)
Date: Wed, 3 Feb 2010 15:01:06 -0600
Subject: [c-nsp] VRF aware IPSec for remote access without xauth
In-Reply-To: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com>
References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com>
Message-ID:

> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
> Sent: Tuesday, February 02, 2010 10:20 PM
> To: cisco-nsp
> Subject: [c-nsp] VRF aware IPSec for remote access without xauth
>
> I am trying to configure vrf aware IPSec VPN for remote access, coming
> into one VRF and tunneling into another VRF. Can I do that without
> XAUTH? I can't seem to find any reference to doing it without xauth.
> If it's possible and someone has done this, can you please post a
> sample config?

I believe the following tidbits should get you going. This is from a 2801 running 12.4.24T1. The tunnel lands on vrf ISP2 and pops out into vrf LAN.
ip vrf ISP2
 rd 1:2
ip vrf LAN
 rd 1:3

crypto keyring ISP2 vrf ISP2
 pre-shared-key address a.b.c.d key blahblahblah

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2

crypto isakmp profile ProfileForNuttyVendor
 vrf LAN
 keyring ISP2
 match identity address a.b.c.d 255.255.255.255 ISP2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map AwesomeMap 3 ipsec-isakmp
 description tunnel for Nutty Vendor
 set peer a.b.c.d
 set transform-set ESP-3DES-SHA
 set isakmp-profile ProfileForNuttyVendor
 match address 111
 reverse-route

interface FastEthernet0/1
 ip vrf forwarding LAN
 ip address 10.1.19.250 255.255.255.0

interface FastEthernet0/0
 ip vrf forwarding ISP2
 ip address w.x.y.z 255.255.255.248

access-list 111 remark Nutty Vendor tunnel
access-list 111 permit ip host 10.3.19.247 10.0.1.0 0.0.0.255

- Ryan

From jeff-kell at utc.edu Wed Feb 3 16:33:43 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 03 Feb 2010 16:33:43 -0500
Subject: [c-nsp] what is it with 3550s? (was: QQ
In-Reply-To: <4B69E6A7.6070800@utc.edu>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <4B69D6A9.5090703@rollernet.us> <4B69E6A7.6070800@utc.edu>
Message-ID: <4B69EBB7.8010102@utc.edu>

I have *no* idea where that 'QQ' came from -- sorry for the unintentional thread/subject misdirection!

While I'm "appending" the original post, let me add that 3550-12s boot *much* faster than the suggested 3750-12 replacements too :-)

Jeff

From rsm at fast-serv.com Wed Feb 3 16:42:25 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Wed, 3 Feb 2010 16:42:25 -0500
Subject: [c-nsp] what is it with 3550s?
(was: QQ
In-Reply-To: <4B69EBB7.8010102@utc.edu>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <4B69D6A9.5090703@rollernet.us> <4B69E6A7.6070800@utc.edu> <4B69EBB7.8010102@utc.edu>
Message-ID: <20100203214106.M15257@fast-serv.com>

Don't the 3550 have some pretty big TCAM and routed VLAN limitations compared to their 3560/3750 counterparts?

--
Randy

---------- Original Message -----------
From: Jeff Kell
To: cisco-nsp
Sent: Wed, 03 Feb 2010 16:33:43 -0500
Subject: Re: [c-nsp] what is it with 3550s? (was: QQ

> I have *no* idea where that 'QQ' came from -- sorry for the
> unintentional thread/subject misdirection!
>
> While I'm "appending" the original post, let me add that 3550-12s
> boot *much* faster than the suggested 3750-12 replacements too :-)
>
> Jeff
------- End of Original Message -------

From jeff-kell at utc.edu Wed Feb 3 16:55:43 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 03 Feb 2010 16:55:43 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100203214106.M15257@fast-serv.com>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <4B69D6A9.5090703@rollernet.us> <4B69E6A7.6070800@utc.edu> <4B69EBB7.8010102@utc.edu> <20100203214106.M15257@fast-serv.com>
Message-ID: <4B69F0DF.4040301@utc.edu>

On 2/3/2010 4:42 PM, Randy McAnally wrote:
> Don't the 3550 have some pretty big TCAM and routed VLAN limitations compared
> to their 3560/3750 counterparts?
>

In our case (vrf-enabled, but not ipv6):

foobar-3550#show sdm prefer (a 3550-12)
The current template is the routing extended-match template.
The selected template optimizes the resources in
the switch to support this level of features for
16 routed interfaces and 1K VLANs.

number of unicast mac addresses: 6K
number of igmp groups: 6K
number of qos aces: 1K
number of security aces: 1K
number of unicast routes: 12K
number of multicast routes: 6K

foobar-3750#show sdm prefer (a 3750-12)
The current template is "aggregate default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 12K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 6K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.875k
number of IPv4/MAC security aces: 1K

From john at vanoppen.com Wed Feb 3 16:07:53 2010
From: john at vanoppen.com (John van Oppen)
Date: Wed, 3 Feb 2010 13:07:53 -0800
Subject: [c-nsp] IPV6 again
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> <4B6965B5.6000302@imperial.ac.uk>
Message-ID:

yep, it is based on the netblocks the resolvers are in, we have it enabled too and had to provide the subnets that our resolvers send their outbound queries from.
John van Oppen
Spectrum Networks LLC
Direct: 206.973.8302
Main: 206.973.8300
Website: http://spectrumnetworks.us

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson
Sent: Wednesday, February 03, 2010 4:15 AM
To: Phil Mayers
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPV6 again

On Wed, 3 Feb 2010, Phil Mayers wrote:

> Does anyone know the details - do the google DNS servers choose to reply with
> AAAA based on AS-path of the querying IP, or netblock? Inbound interface?

When I talked to google, they wanted to know what netblock(s) my resolvers were in, so I guess it's based on that.

--
Mikael Abrahamsson email: swmike at swm.pp.se

From tom at netspot.com.au Wed Feb 3 17:19:54 2010
From: tom at netspot.com.au (Tom Lanyon)
Date: Thu, 4 Feb 2010 08:49:54 +1030
Subject: [c-nsp] IPV6 again
In-Reply-To: <20100203110305.GI857@greenie.muc.de>
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <20100203110305.GI857@greenie.muc.de>
Message-ID: <65F1E8FE-7220-403A-8494-3E8C9960DFCD@netspot.com.au>

On 03/02/2010, at 9:33 PM, Gert Doering wrote:
> On Wed, Feb 03, 2010 at 09:07:23PM +1030, Tom Lanyon wrote:
>> They are not handing out an AAAA for www.youtube.com but most of the
>> content (img+video) servers are on v6.
>
> Actually you're missing all the fun :-)
>
> www.youtube.com is an alias for youtube-ui.l.google.com.
> youtube-ui.l.google.com has address 74.125.79.102
> youtube-ui.l.google.com has address 74.125.79.101
> youtube-ui.l.google.com has address 74.125.79.100
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::64
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::66
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::71
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8b
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::65
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8a
>
> (since this morning)
>
> gert

Hi Gert,

I spoke too soon! That wasn't available for me 12 hours ago. :)

Tom

From ncnet at sbcglobal.net Wed Feb 3 17:42:59 2010
From: ncnet at sbcglobal.net (Larry Stites)
Date: Wed, 03 Feb 2010 14:42:59 -0800
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <4B69F0DF.4040301@utc.edu>
Message-ID:

A quick search through our inventory and I see current used market prices are:

WS-C3550-12G $675/ea - $875/ea
WS-C3550-24PWR-SMI - $350/ea - $450/ea
WS-C3550-48-EMI $315/ea - $450/ea
WS-C3550-48-SMI $250/ea - $350/ea

~.~

Best regards,
Larry E. Stites
Acquisitions and Sales
Northern California Networks, Inc.
Nevada City, Calif. 95959

on 2/3/10 1:55 PM, Jeff Kell wrote:
> On 2/3/2010 4:42 PM, Randy McAnally wrote:
>> Don't the 3550 have some pretty big TCAM and routed VLAN limitations compared
>> to their 3560/3750 counterparts?
>>
>
> In our case (vrf-enabled, but not ipv6):
>
> foobar-3550#show sdm prefer (a 3550-12)
> The current template is the routing extended-match template.
> The selected template optimizes the resources in
> the switch to support this level of features for
> 16 routed interfaces and 1K VLANs.
>
> number of unicast mac addresses: 6K
> number of igmp groups: 6K
> number of qos aces: 1K
> number of security aces: 1K
> number of unicast routes: 12K
> number of multicast routes: 6K
>
> foobar-3750#show sdm prefer (a 3750-12)
> The current template is "aggregate default" template.
> The selected template optimizes the resources in
> the switch to support this level of features for
> 8 routed interfaces and 1024 VLANs.
>
> number of unicast mac addresses: 6K
> number of IPv4 IGMP groups + multicast routes: 1K
> number of IPv4 unicast routes: 12K
> number of directly-connected IPv4 hosts: 6K
> number of indirect IPv4 routes: 6K
> number of IPv4 policy based routing aces: 0
> number of IPv4/MAC qos aces: 0.875k
> number of IPv4/MAC security aces: 1K

From drew.weaver at thenap.com Wed Feb 3 18:18:33 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Wed, 3 Feb 2010 18:18:33 -0500
Subject: [c-nsp] 6500 having a seizure
Message-ID:

Hey all...

So we've been having issues with this 6500 for awhile now, just doing random stuff so we replaced the chassis and one of the Sups, so today while I was at lunch (doesn't it always happen this way) the switch had one of these:

System returned to ROM by Stateful Switchover (SP by bus error at PC 0x402DF924, address 0x0)

Good times, so after the switch finally "recovered" I noticed this in my log:

.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/41 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/42 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/43 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/44 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/45 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/46 was bounced by Consistency Check IDBS Up.
..Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/48 was bounced by Consistency Check IDBS Up.
Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/42 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/43 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/44 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/45 was bounced by Consistency Check IDBS Down
.Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/47 was bounced by Consistency Check IDBS Down.
.Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/48 was bounced by Consistency Check IDBS Down

Since then we replaced the other supervisor which we suspect might be bad, but we're trying to figure out if there is an actual REASON for that:

Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was bounced by Consistency Check IDBS Down.

error... We had to go in and shut/no shut interfaces 3/41 - 3/48 manually before the VLANs would come back up...

We would like to avoid any more epilepsy from this box if possible, any ideas?

thanks,
-Drew

From rsm at fast-serv.com Wed Feb 3 21:17:34 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Wed, 3 Feb 2010 21:17:34 -0500
Subject: [c-nsp] 6500 having a seizure
In-Reply-To:
References:
Message-ID: <20100204021648.M52591@fast-serv.com>

What software release?

--
Randy

---------- Original Message -----------
From: Drew Weaver
To: "cisco-nsp at puck.nether.net"
Sent: Wed, 3 Feb 2010 18:18:33 -0500
Subject: [c-nsp] 6500 having a seizure

> Hey all...
>
> So we've been having issues with this 6500 for awhile now, just
> doing random stuff so we replaced the chassis and one of the Sups,
> so today while I was at lunch (doesn't it always happen this way)
> the switch had one of these:
>
> System returned to ROM by Stateful Switchover (SP by bus error at PC
> 0x402DF924, address 0x0)
>
> Good times, so after the switch finally "recovered" I noticed this
> in my log:
>
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/41 was
> bounced by Consistency Check IDBS Up.
> Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was
> bounced by Consistency Check IDBS Down.
>
> Since then we replaced the other supervisor which we suspect might
> be bad, but we're trying to figure out if there is an actual REASON
> for that:
>
> Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was
> bounced by Consistency Check IDBS Down.
>
> error... We had to go in and shut/no shut interfaces 3/41 - 3/48
> manually before the VLANs would come back up...
>
> We would like to avoid any more epilepsy from this box if possible,
> any ideas?
>
> thanks,
> -Drew
------- End of Original Message -------

From p_ambedkar at rediffmail.com Wed Feb 3 23:35:32 2010
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 4 Feb 2010 04:35:32 -0000
Subject: [c-nsp] cisco 6509 rommon mode still continues
Message-ID: <20100204043532.58182.qmail@f4mail-235-134.rediffmail.com>

Hi,

My cisco 6509 rommon mode still continues. Previously I cleaned up all the modules and changed the batteries; now it is showing:

rommon 1 > boot
open: file "c7200-fslib-m" not found
open(): Open Error = -1
loadprog: error - on file open
cannot load the monitor library "bootflash:%c7200-fslib-m" from device: bootflash
boot: cannot open "bootflash:"
boot: cannot determine first file name on device "bootflash:"
rommon 2 >
rommon 2 >

Can anybody help me.

bye.
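Going back to the %PM-SP-4-PORT_BOUNCED burst in Drew Weaver's 6500 thread above: the useful operational signal there is not the bounce itself but which ports' consistency check ended in "Down" and therefore stayed down until someone did a shut/no shut by hand. The script below is an added example, not code from the thread or from Cisco. It parses syslog lines in the format he quoted, works out each port's final consistency-check state, and groups the ports that were left down by slot so a monitoring job can raise them right after a switchover instead of waiting for VLANs to go missing. The sample lines are constructed from his message (with one extra constructed "Up" line for Fa3/42 to show that only the last state per port counts); the timestamp format and the function names are assumptions.

```python
"""Triage %PM-SP-4-PORT_BOUNCED syslog lines after a 6500 supervisor switchover.

Added example, not from the mailing-list thread or from Cisco. The log lines
are constructed to match the format quoted in the thread; the later Fa3/42
"Up" line is an extra constructed event.
"""
import re
from collections import defaultdict

# Constructed sample. Leading dots are the console's own progress markers.
SAMPLE_LOG = """\
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/41 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/42 was bounced by Consistency Check IDBS Up.
..Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/48 was bounced by Consistency Check IDBS Up.
Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/42 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/45 was bounced by Consistency Check IDBS Down
.Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/48 was bounced by Consistency Check IDBS Down
Feb 3 15:47:01.000 EST: %LINK-3-UPDOWN: Interface FastEthernet3/41, changed state to up
.Feb 3 15:47:05.000 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/42 was bounced by Consistency Check IDBS Up.
"""

# Tolerates leading progress dots and the missing trailing period seen on some lines.
BOUNCE_RE = re.compile(
    r"^\.*(?P<ts>\w{3}\s+\d+\s+[\d:.]+\s+\w+): "
    r"%PM-SP-4-PORT_BOUNCED: Port (?P<port>\S+) was bounced by "
    r"Consistency Check IDBS (?P<state>Up|Down)\.?$"
)


def parse_bounces(log_text):
    """Return a list of (timestamp, port, state) for every PORT_BOUNCED line."""
    events = []
    for line in log_text.splitlines():
        m = BOUNCE_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("port"), m.group("state")))
    return events


def port_sort_key(port):
    """Sort Fa3/5 before Fa3/41 (numeric port index, not lexicographic)."""
    slot, _, index = port.partition("/")
    return (slot, int(index) if index.isdigit() else index)


def ports_left_down(events):
    """Ports whose *last* consistency-check bounce ended in 'Down'.

    These are the ports the thread had to shut/no shut by hand; events are
    assumed to be in log order, so a later 'Up' clears an earlier 'Down'.
    """
    last_state = {}
    for _ts, port, state in events:
        last_state[port] = state
    return sorted((p for p, s in last_state.items() if s == "Down"), key=port_sort_key)


def by_module(ports):
    """Group interface names like Fa3/41 by line-card slot."""
    grouped = defaultdict(list)
    for port in ports:
        grouped[port.partition("/")[0]].append(port)
    return dict(grouped)


if __name__ == "__main__":
    events = parse_bounces(SAMPLE_LOG)
    down = ports_left_down(events)
    print("bounce events:", len(events))
    print("left down:", down)
    print("by module:", by_module(down))
```

Feed it the output of `show logging` (or the syslog collector's copy) right after a switchover; whole-slot results such as every port in slot 3 point at a line card or supervisor-side problem rather than individual links.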
From mark.carter at imperial.ac.uk Thu Feb 4 05:21:55 2010
From: mark.carter at imperial.ac.uk (Carter, Mark R)
Date: Thu, 4 Feb 2010 10:21:55 +0000
Subject: [c-nsp] Cisco ACE module configuration question
In-Reply-To: <579353.91231.qm@web65713.mail.ac4.yahoo.com>
References: <579353.91231.qm@web65713.mail.ac4.yahoo.com>
Message-ID: <323DE271DDCA6F4C989354B6113FE0302D85FA835F@ICEXM1.ic.ac.uk>

Erik Nelson wrote:
> I have an ACE module in a 6500, and have basic load balancing (with
> sticky connections) working. The lab environment that I need to use
> this for will have 40+ servers, but all the traffic will be generated
> by just four servers. Each server will be simulating many users, each
> on a different source port. The traffic is HTTP, but not on port 80.
> Since there are programs generating the user traffic, I can't
> necessarily depend on them to behave completely like browsers (cookies,
> for instance). I have no control over the application software or load
> generator software. Also, each connection needs to be sticky.
>
> Any suggestions? I think I need the source port to be part of the load
> balancing decisions. But this is the first ACE I have touched, and am
> somewhat lost.
>

I don't think it's possible to base stickiness on the source port. The options are either IP address or something from the payload. So unless each client sends a unique identifier in the http payload, I don't think you'll be able to do it.
From Christophe.Cardon at bec.dk Thu Feb 4 06:09:11 2010
From: Christophe.Cardon at bec.dk (Christophe Cardon)
Date: Thu, 4 Feb 2010 12:09:11 +0100
Subject: [c-nsp] Cisco ACE module configuration question
In-Reply-To: <323DE271DDCA6F4C989354B6113FE0302D85FA835F@ICEXM1.ic.ac.uk>
References: <579353.91231.qm@web65713.mail.ac4.yahoo.com> <323DE271DDCA6F4C989354B6113FE0302D85FA835F@ICEXM1.ic.ac.uk>
Message-ID: <2460F1476CDEBC45835CD3506BA8BF3801A7D6F6C937@EX08.res.bec.dk>

From the Cisco documentation:

Cisco ACE provides stickiness that allows the same client to maintain multiple simultaneous or subsequent TCP or IP connections with the same real server for the duration of a session. Cisco ACE supports the following sticky methods:

- Source or destination IP address
- Cookie
- HTTP header, and Generic Protocol Parsing for session level persistence such as SSL session ID

Rgds,
Christophe

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Carter, Mark R
Sent: 4 February 2010 11:22
To: 'Erik Nelson'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE module configuration question

Erik Nelson wrote:
> Any suggestions? I think I need the source port to be part of the load
> balancing decisions. But this is the first ACE I have touched, and am
> somewhat lost.
>

I don't think it's possible to base stickiness on the source port. The options are either IP address or something from the payload. So unless each client sends a unique identifier in the http payload, I don't think you'll be able to do it.

From drew.weaver at thenap.com Thu Feb 4 07:40:21 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 4 Feb 2010 07:40:21 -0500
Subject: [c-nsp] 6500 having a seizure
In-Reply-To: <20100204021648.M52591@fast-serv.com>
References: <20100204021648.M52591@fast-serv.com>
Message-ID:

Hey Randy,

12.2(18)SXF17

-Drew

-----Original Message-----
From: Randy McAnally [mailto:rsm at fast-serv.com]
Sent: Wednesday, February 03, 2010 9:18 PM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 having a seizure

What software release?

--
Randy

---------- Original Message -----------
From: Drew Weaver
To: "cisco-nsp at puck.nether.net"
Sent: Wed, 3 Feb 2010 18:18:33 -0500
Subject: [c-nsp] 6500 having a seizure

> Hey all...
>
> So we've been having issues with this 6500 for awhile now, just
> doing random stuff so we replaced the chassis and one of the Sups,
> so today while I was at lunch (doesn't it always happen this way)
> the switch had one of these:
>
> System returned to ROM by Stateful Switchover (SP by bus error at PC
> 0x402DF924, address 0x0)
>
> Good times, so after the switch finally "recovered" I noticed this
> in my log:
>
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/41 was
> bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/44 was bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/45 was bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/46 was bounced by Consistency Check IDBS Up.
> ..Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/48 was bounced by Consistency Check IDBS Up.
> Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was bounced by Consistency Check IDBS Down.
> .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/42 was bounced by Consistency Check IDBS Down.
> .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/43 was bounced by Consistency Check IDBS Down.
> .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/44 was bounced by Consistency Check IDBS Down.
> .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/45 was bounced by Consistency Check IDBS Down
> .Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/47 was bounced by Consistency Check IDBS Down.
> .Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/48 was bounced by Consistency Check IDBS Down
>
> Since then we replaced the other supervisor which we suspect might be bad, but we're trying to figure out if there is an actual REASON for that:
>
> Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was bounced by Consistency Check IDBS Down.
>
> error... We had to go in and shut/no shut interfaces 3/41 - 3/48 manually before the VLANs would come back up...
>
> We would like to avoid any more epilepsy from this box if possible, any ideas?
>
> thanks,
> -Drew

------- End of Original Message -------

From mailandrewg at gmail.com Thu Feb 4 08:48:12 2010
From: mailandrewg at gmail.com (Andrew Gabriel)
Date: Thu, 4 Feb 2010 19:18:12 +0530
Subject: [c-nsp] Cisco ACS question
Message-ID:

I don't have a lot of experience with Cisco ACS boxes and the Cisco documentation doesn't explain this clearly, so I am hoping somebody could share their experience or provide some ideas.

We have 2 Cisco ACS boxes (4.2) that are currently used for providing Radius authentication to wireless users (Cisco WLC). At the back end it is linked to our Microsoft Active Directory and the ACS doesn't have any user accounts; it just interfaces between the Active Directory servers and the wireless clients.

My question is, how do I use the existing ACS servers to run Radius and TACACS for AAA for various network devices on the network? In other words, how do I run a separate set of authentication for the network engineers to manage their devices, using the existing ACS infrastructure, without:

1. Disrupting or changing the existing authentication for Wireless
2. Allowing any general wireless user to authenticate to our network devices

(I don't mind having a separate AD group for the network admins so the rest of the users can be filtered, or even manually setting up local accounts for the few network engineers on the ACS boxes).

Would appreciate any suggestions or ideas.

Thanks,
-Andrew.

From scottowens12 at gmail.com Thu Feb 4 09:16:06 2010
From: scottowens12 at gmail.com (scott owens)
Date: Thu, 4 Feb 2010 08:16:06 -0600
Subject: [c-nsp] iSCSI versus FCOE with Nexus
Message-ID:

Is anyone / has anyone migrated to or added more iSCSI instead of FCOE for your converged networking needs?
Problems, good points, ease of use, performance, size of deployment (possibly what kind)?

Thank you.

From ck at sandcastl.es Thu Feb 4 09:20:23 2010
From: ck at sandcastl.es (ck)
Date: Thu, 4 Feb 2010 06:20:23 -0800
Subject: [c-nsp] 6500 having a seizure
In-Reply-To:
References: <20100204021648.M52591@fast-serv.com>
Message-ID: <8c308e8b1002040620m6a2ff85ex161d94a441715d6a@mail.gmail.com>

sounds similar to CSCsi49150

On Thu, Feb 4, 2010 at 4:40 AM, Drew Weaver wrote:
> Hey Randy,
>
> 12.2(18)SXF17
>
> -Drew
From dwbielawa at liberty.edu Thu Feb 4 09:07:22 2010
From: dwbielawa at liberty.edu (Bielawa, Daniel W. (NS))
Date: Thu, 4 Feb 2010 09:07:22 -0500
Subject: [c-nsp] Cisco ACS question
In-Reply-To:
References:
Message-ID: <00C0F7C1912DA04585B1ECA7A0CD3CC004108002AA@LUEMS04VS.University.liberty.edu>

Hello,

The setup you are looking for is two parts. The first part is on the network device that you want to authenticate using TACACS. The second part is in the ACS server itself. In our network we use TACACS for authentication, authorization, and accounting for network logins. Below is a link to the Cisco TACACS configuration guide for a 3750.

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swauthen.html#wp1044243

In ACS we have our devices configured using TACACS. I would recommend setting up a separate group in ACS for your admin accounts. Then add those devices to that group, with the enable option set to the maximum privilege level of 15. Do not allow your general user group access to the devices configured for TACACS and they will not be able to login to them.
Thank You

Daniel Bielawa
Network Engineer
Liberty University Network Services
Email: dwbielawa at liberty.edu
Phone: 434-592-7987
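The device-side half of the two-part setup Daniel describes, as an added example that is not from this thread or from the linked Cisco guide: an IOS AAA configuration that sends management logins to ACS over TACACS+ while leaving the wireless RADIUS setup untouched. The server address (RFC 5737 documentation range), shared secret, group name, method-list name and local account are placeholders.

```ios
! Added example, not from the thread. Placeholders: 192.0.2.10 (ACS),
! the shared secret, the ACS-MGMT group and the MGMT method list.
aaa new-model
!
! TACACS+ is a separate protocol from the RADIUS the WLC uses, so the
! wireless configuration on ACS is not affected by this.
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ ACS-MGMT
 server 192.0.2.10
!
! Ask ACS first; "local" is consulted only when every TACACS+ server
! is unreachable, not when ACS rejects the user. Users outside the
! admin group are rejected by ACS, so the local account never helps them.
aaa authentication login MGMT group ACS-MGMT local
aaa authentication enable default group ACS-MGMT enable
aaa authorization exec MGMT group ACS-MGMT local
aaa authorization commands 15 MGMT group ACS-MGMT local
aaa accounting exec MGMT start-stop group ACS-MGMT
aaa accounting commands 15 MGMT start-stop group ACS-MGMT
!
! Emergency local account, usable only while ACS is down.
username break-glass privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
line con 0
 login authentication MGMT
line vty 0 4
 login authentication MGMT
 authorization exec MGMT
 authorization commands 15 MGMT
 accounting exec MGMT
 accounting commands 15 MGMT
 transport input ssh
```

The ACS side (a separate admin group with enable privilege 15, and the general user group denied access to these devices) is configured in ACS as Daniel outlines above.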
From mailers at oranged.to Thu Feb 4 18:34:23 2010
From: mailers at oranged.to (Jimmy Stewpot)
Date: Thu, 4 Feb 2010 23:34:23 +0000 (UTC)
Subject: [c-nsp] iSCSI versus FCOE with Nexus
In-Reply-To:
Message-ID: <2136206869.20.1265326463756.JavaMail.root@poops.oranged.to>

Hello,

We have stuck with iSCSI for the time being. The vendor support on the storage end is tried and tested/reliable. As more vendors start to support FCOE we may find that decision will change, but not for some time.

Regards,

Jimmy.

From vijaygore27 at gmail.com Fri Feb 5 02:15:08 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 5 Feb 2010 12:45:08 +0530
Subject: [c-nsp] find window's machine from Cisco Router
Message-ID: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>

Dear Team,

Can anybody tell me how to check which Windows machines are connected to a Cisco router? For example:
In show arp we are getting a bunch of IPs and MACs; how do we verify from them which IP is a Linux machine and which is a Windows machine? Or is there any other command OR other way to find it?

Router#sho arp
Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1

From andrew.gabriel at sanmina-sci.com Fri Feb 5 03:00:43 2010
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel)
Date: Fri, 5 Feb 2010 13:30:43 +0530
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID:

Use a port scanner like NMAP.

-Andrew.
CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.
Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

From b.turnbow at twt.it Fri Feb 5 03:38:26 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 5 Feb 2010 09:38:26 +0100
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To:
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID:

Though not as reliable as a port scanner, you could do something like this even from remote:

access-list 101 permit udp any any range 137 138 log
access-list 101 permit any any

interface fa1
 ip access-group 101 in

Then
show log
to see NetBIOS packet users.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
Sent: Friday 5 February 2010 9.01
To: vijay gore
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Use a port scanner like NMAP.

-Andrew.
From vijaygore27 at gmail.com Fri Feb 5 04:42:11 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 5 Feb 2010 15:12:11 +0530
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To:
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID: <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>

Dear Sir,

access-list 101 permit any any

% Unrecognized command

On Fri, Feb 5, 2010 at 2:08 PM, Brian Turnbow wrote:
> Though not as reliable as a port scanner, you could do something like this even from remote
>
> access-list 101 permit udp any any range 137 138 log
> access-list 101 permit any any
>
> interface fa1
> ip access-group 101 in
>
> Then
> Show log
> to see netbios packet users
>
> Brian
From b.turnbow at twt.it Fri Feb 5 04:41:36 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 5 Feb 2010 10:41:36 +0100
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com> <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>
Message-ID:

sorry forgot the "ip"

access-list 101 permit ip any any

Brian Turnbow
Network Manager
TWT S.p.A.

________________________________
From: vijay gore [mailto:vijaygore27 at gmail.com]
Sent: Friday 5 February 2010 10.42
To: Brian Turnbow
Cc: Andrew Gabriel; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Dear Sir,

access-list 101 permit any any

% Unrecognized command
From vijaygore27 at gmail.com Fri Feb 5 04:57:13 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 5 Feb 2010 15:27:13 +0530
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com> <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>
Message-ID: <31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com>

Dear Sir,

It's giving me the output below; it's not showing NetBIOS packet users.

Router#sho log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 40 messages logged, xml disabled, filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Buffer logging: level warnings, 10 messages logged, xml disabled, filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 43 message lines logged
Log Buffer (51200 bytes):
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
From vijaygore27 at gmail.com Fri Feb 5 05:39:11 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 5 Feb 2010 16:09:11 +0530
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To:
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com> <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com> <31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com>
Message-ID: <31533f201002050239t5dd7d157td1728468fa64baa9@mail.gmail.com>

No sir, it's not working. Actually, sir, in this router there are 7 PCs connected; some PCs have Linux OS and some PCs have Windows OS. Now I want to know which machine has Linux OS and which machine has Windows OS.

Please help me out with this, sir.

On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote:
> it looks like you have logging enabled for warnings only
>
> try
> logging buffered debugging
>
> another alternative if the first does not log, is to do a debug ip packet using an access list that matches only netbios.
> this could be more processor intensive.....
> first create > access-list 102 permit udp any any range 137 138 > then > debug ip packet 102 > when done don't forget undebug all > > > > > Brian > > ------------------------------ > *From:* vijay gore [mailto:vijaygore27 at gmail.com] > *Sent:* venerd? 5 febbraio 2010 10.57 > *To:* Brian Turnbow > > *Cc:* cisco-nsp at puck.nether.net > *Subject:* Re: [c-nsp] find window's machine from Cisco Router > > Dear Sir, > > > > it's giving me below output, it's not showing net bios packet users, > > Router#sho log > Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, > 0 flushes, 0 overruns, xml disabled, filtering disabled) > No Active Message Discriminator. > > No Inactive Message Discriminator. > > Console logging: level debugging, 40 messages logged, xml disabled, > filtering disabled > Monitor logging: level debugging, 0 messages logged, xml disabled, > filtering disabled > Buffer logging: level warnings, 10 messages logged, xml disabled, > filtering disabled > Logging Exception size (4096 bytes) > Count and timestamp logging messages: disabled > Persistent logging: disabled > No active filter modules. 
> ESM: 0 messages dropped
> Trap logging: level informational, 43 message lines logged
> Log Buffer (51200 bytes):
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
>

From gururug at gmail.com Fri Feb 5 06:04:14 2010
From: gururug at gmail.com (Imran K)
Date: Fri, 5 Feb 2010 22:04:14 +1100
Subject: [c-nsp] cisco-nsp Digest, Vol 87, Issue 11
In-Reply-To:
References:
Message-ID: <25d943641002050304l3be8b0c4y35da9ac6b58fb187@mail.gmail.com>

TCL script to telnet to 445, i.e.:

for each $MAC in MACS { telnet $IP port 445 } ???

On Fri, Feb 5, 2010 at 8:59 PM, wrote:
> Send cisco-nsp mailing list submissions to
> cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
> cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
> cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
> 1. Re: iSCSI versus FCOE with Nexus (Jimmy Stewpot)
> 2. find window's machine from Cisco Router (vijay gore)
> 3. Re: find window's machine from Cisco Router (Andrew Gabriel)
> 4. Re: find window's machine from Cisco Router (Brian Turnbow)
> 5. Re: find window's machine from Cisco Router (vijay gore)
> 6. Re: find window's machine from Cisco Router (Brian Turnbow)
> 7. Re: find window's machine from Cisco Router (vijay gore)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 4 Feb 2010 23:34:23 +0000 (UTC)
> From: Jimmy Stewpot
> To: scott owens
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] iSCSI versus FCOE with Nexus
> Message-ID: <2136206869.20.1265326463756.JavaMail.root at poops.oranged.to>
> Content-Type: text/plain; charset=utf-8
>
> Hello,
>
> We have stuck with iSCSI for the time being. The vendor support on the
> storage end is tried and tested/reliable. As more vendors start to support
> FCOE we may find that decision will change, but not for some time.
>
> Regards,
>
> Jimmy.
>
> ----- Original Message -----
> From: "scott owens"
> To: cisco-nsp at puck.nether.net
> Sent: Friday, 5 February, 2010 1:16:06 AM
> Subject: [c-nsp] iSCSI versus FCOE with Nexus
>
> Has anyone migrated to, or added more, iSCSI instead of FCOE for
> your converged networking needs?
>
> Problems, good points, ease of use, performance, size of deployment
> (possibly what kind)?
>
> Thank you.
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 5 Feb 2010 12:45:08 +0530
> From: vijay gore
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] find window's machine from Cisco Router
> Message-ID: <31533f201002042315v2a5f4888q7148d797fc80c163 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear Team,
>
> Can anybody tell me how to check which Windows machines are connected to a Cisco router?
>
> For example:
>
> In show arp we are getting a bunch of IPs and MACs; how to verify from them
> which is the Linux machine IP and which the Windows machine IP?
>
> Or is there any other command or other way to find it?
>
> Router#sho arp
> Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 5 Feb 2010 13:30:43 +0530
> From: Andrew Gabriel
> To: vijay gore
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Message-ID:
> Content-Type: text/plain; charset=UTF-8
>
> Use a port scanner like NMAP.
>
> -Andrew.
>
>
> On Fri, Feb 5, 2010 at 12:45 PM, vijay gore wrote:
> > Dear Team,
> >
> > Can anybody tell me how to check which Windows machines are connected to a Cisco router?
> >
> > For example:
> >
> > In show arp we are getting a bunch of IPs and MACs; how to verify from them
> > which is the Linux machine IP and which the Windows machine IP?
> >
> > Or is there any other command or other way to find it?
> >
> > Router#sho arp
> > Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> > Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> > Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> > Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> > Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> > Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> > Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
> >
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 5 Feb 2010 09:38:26 +0100
> From: "Brian Turnbow"
> To: "Andrew Gabriel", "vijay gore"
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Message-ID:
> Content-Type: text/plain; charset="iso-8859-1"
>
> Though not as reliable as a port scanner, you could do something like this
> even from remote:
>
> access-list 101 permit udp any any range 137 138 log
> access-list 101 permit any any
>
> interface fa1
>  ip access-group 101 in
>
> Then
> show log
> to see NetBIOS packet users.
>
> Brian
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
> Sent: Friday 5 February 2010 9:01
> To: vijay gore
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> Use a port scanner like NMAP.
>
> -Andrew.
>
>
> On Fri, Feb 5, 2010 at 12:45 PM, vijay gore wrote:
> > Dear Team,
> >
> > Can anybody tell me how to check which Windows machines are connected to a Cisco router?
> >
> > For example:
> >
> > In show arp we are getting a bunch of IPs and MACs; how to verify from them
> > which is the Linux machine IP and which the Windows machine IP?
> >
> > Or is there any other command or other way to find it?
> >
> > Router#sho arp
> > Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> > Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> > Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> > Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> > Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> > Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> > Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
> >
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 5 Feb 2010 15:12:11 +0530
> From: vijay gore
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Message-ID: <31533f201002050142w224927b4va5d782c13d3b4fdc at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear Sir,
>
> access-list 101 permit any any
>
> % Unrecognized command
>
>
> On Fri, Feb 5, 2010 at 2:08 PM, Brian Turnbow wrote:
> > Though not as reliable as a port scanner, you could do something like this
> > even from remote:
> >
> > access-list 101 permit udp any any range 137 138 log
> > access-list 101 permit any any
> >
> > interface fa1
> >  ip access-group 101 in
> >
> > Then
> > show log
> > to see NetBIOS packet users.
> >
> > Brian
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
> > Sent: Friday 5 February 2010 9:01
> > To: vijay gore
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] find window's machine from Cisco Router
> >
> > Use a port scanner like NMAP.
> >
> > -Andrew.
> >
> >
> > On Fri, Feb 5, 2010 at 12:45 PM, vijay gore wrote:
> > > Dear Team,
> > >
> > > Can anybody tell me how to check which Windows machines are connected to a Cisco router?
> > >
> > > For example:
> > >
> > > In show arp we are getting a bunch of IPs and MACs; how to verify from them
> > > which is the Linux machine IP and which the Windows machine IP?
> > >
> > > Or is there any other command or other way to find it?
> > >
> > > Router#sho arp
> > > Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> > > Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> > > Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> > > Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> > > Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> > > Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> > > Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
> > >
> >
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 5 Feb 2010 10:41:36 +0100
> From: "Brian Turnbow"
> To: "vijay gore"
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Message-ID:
> Content-Type: text/plain; charset="iso-8859-1"
>
> Sorry, forgot the "ip":
> access-list 101 permit ip any any
>
>
> Brian Turnbow
> Network Manager
>
> TWT S.p.A.
>
>
> ________________________________
>
> From: vijay gore [mailto:vijaygore27 at gmail.com]
> Sent: Friday 5 February 2010 10:42
> To: Brian Turnbow
> Cc: Andrew Gabriel; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
>
> Dear Sir,
>
> access-list 101 permit any any
>
> % Unrecognized command
>
>
> On Fri, Feb 5, 2010 at 2:08 PM, Brian Turnbow wrote:
>
> Though not as reliable as a port scanner, you could do something
> like this even from remote:
>
> access-list 101 permit udp any any range 137 138 log
> access-list 101 permit any any
>
> interface fa1
>  ip access-group 101 in
>
> Then
> show log
> to see NetBIOS packet users.
>
> Brian
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
> Sent: Friday 5 February 2010 9:01
> To: vijay gore
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> Use a port scanner like NMAP.
>
> -Andrew.
>
>
> On Fri, Feb 5, 2010 at 12:45 PM, vijay gore wrote:
> > Dear Team,
> >
> > Can anybody tell me how to check which Windows machines are connected to a Cisco router?
> >
> > For example:
> >
> > In show arp we are getting a bunch of IPs and MACs; how to verify from them
> > which is the Linux machine IP and which the Windows machine IP?
> >
> > Or is there any other command or other way to find it?
> >
> > Router#sho arp
> > Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> > Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> > Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> > Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> > Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> > Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> > Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
> >
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 5 Feb 2010 15:27:13 +0530
> From: vijay gore
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Message-ID: <31533f201002050157q7385a310v8e99c240551ab222 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear Sir,
>
> It's giving me the output below; it's not showing NetBIOS packet users.
>
> Router#sho log
> Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
> 0 flushes, 0 overruns, xml disabled, filtering disabled)
> No Active Message Discriminator.
>
> No Inactive Message Discriminator.
>
> Console logging: level debugging, 40 messages logged, xml disabled,
> filtering disabled
> Monitor logging: level debugging, 0 messages logged, xml disabled,
> filtering disabled
> Buffer logging: level warnings, 10 messages logged, xml disabled,
> filtering disabled
> Logging Exception size (4096 bytes)
> Count and timestamp logging messages: disabled
> Persistent logging: disabled
> No active filter modules.
> ESM: 0 messages dropped
> Trap logging: level informational, 43 message lines logged
> Log Buffer (51200 bytes):
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
>
>
> On Fri, Feb 5, 2010 at 3:12 PM, vijay gore wrote:
> > Dear Sir,
> >
> > access-list 101 permit any any
> >
> > % Unrecognized command
> >
> >
> > On Fri, Feb 5, 2010 at 2:08 PM, Brian Turnbow wrote:
> >
> >> Though not as reliable as a port scanner, you could do something like this
> >> even from remote:
> >>
> >> access-list 101 permit udp any any range 137 138 log
> >> access-list 101 permit any any
> >>
> >> interface fa1
> >>  ip access-group 101 in
> >>
> >> Then
> >> show log
> >> to see NetBIOS packet users.
> >>
> >> Brian
> >>
> >>
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
> >> Sent: Friday 5 February 2010 9:01
> >> To: vijay gore
> >> Cc: cisco-nsp at puck.nether.net
> >> Subject: Re: [c-nsp] find window's machine from Cisco Router
> >>
> >> Use a port scanner like NMAP.
> >>
> >> -Andrew.
> >>
> >>
> >> On Fri, Feb 5, 2010 at 12:45 PM, vijay gore wrote:
> >> > Dear Team,
> >> >
> >> > Can anybody tell me how to check which Windows machines are connected to a Cisco router?
> >> >
> >> > For example:
> >> >
> >> > In show arp we are getting a bunch of IPs and MACs; how to verify from them
> >> > which is the Linux machine IP and which the Windows machine IP?
> >> >
> >> > Or is there any other command or other way to find it?
> >> >
> >> > Router#sho arp
> >> > Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> >> > Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> >> > Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> >> > Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> >> > Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> >> > Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> >> > Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
> >> >
> >>
> >
>
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 87, Issue 11
> *****************************************
>

From zeusdadog at gmail.com Fri Feb 5 06:26:33 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Fri, 5 Feb 2010 06:26:33 -0500
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID: <9418aca71002050326r1e673f46j1a17e59d0fd0da1b@mail.gmail.com>

> In show arp we are getting a bunch of IPs and MACs; how to verify from them
> which is the Linux machine IP and which the Windows machine IP?

No, there is no way to find what OS a host is running from MAC and IP. There may be other ways to try to guess what the host is running, like using nmap or looking at the ports it's listening on, but that's getting into things that have nothing to do with this Cisco list.
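Brian Turnbow's ACL-logging suggestion from the digest above (an extended ACL entry for UDP 137-138 with `log`, then `show log`) and the log-level trap vijay gore ran into, worked through as an added example that is not code from the thread: it parses constructed IOS `show logging` output, checks whether the buffer level would retain `%SEC-6-IPACCESSLOGP` hits at all (`level warnings` does not, which is what vijay's output showed), and labels the `show arp` hosts that were seen sending NetBIOS traffic. The router output, the ACL hit lines and the MAC addresses are constructed sample data, and the label is "netbios-speaker" rather than "windows" because a Samba or other CIFS host emits the same traffic.

```python
# Added example (not from the thread): post-process IOS "show logging" output
# for the NetBIOS ACL-log approach.  All router output below is constructed
# sample data; the %SEC-6-IPACCESSLOGP lines follow the shape IOS uses for
# ACL entries carrying "log", and the MAC addresses are placeholders.
import re
from collections import defaultdict

# Severity names as "show logging" prints them.  A buffer at level N keeps
# messages with severity <= N; ACL hits are %SEC-6-..., i.e. severity 6,
# so "Buffer logging: level warnings" (4) retains none of them.
IOS_SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
ACL_LOG_SEVERITY = 6
NETBIOS_UDP_PORTS = {137, 138}  # NetBIOS name service and datagram service

BUFFER_LEVEL_RE = re.compile(r"Buffer logging: level (\w+)")

# One ACL hit message for a UDP/TCP entry carrying the "log" keyword.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# One row of "show arp": Internet <ip> <age> <mac> ARPA <interface>
ARP_RE = re.compile(
    r"Internet\s+(?P<ip>[\d.]+)\s+\S+\s+(?P<mac>\S+)\s+ARPA\s+(?P<intf>\S+)"
)


def buffer_logging_level(show_log: str) -> str:
    """Return the buffer logging level name from 'show logging' output."""
    m = BUFFER_LEVEL_RE.search(show_log)
    if not m:
        raise ValueError("no 'Buffer logging:' line in show logging output")
    return m.group(1)


def buffer_keeps_acl_hits(show_log: str) -> bool:
    """True if the buffer level is high enough to retain %SEC-6 ACL hits."""
    return IOS_SEVERITY[buffer_logging_level(show_log)] >= ACL_LOG_SEVERITY


def netbios_talkers(show_log: str, acl: str = "101") -> dict:
    """Map source IP -> packets logged by ACL `acl` on UDP 137/138."""
    packets = defaultdict(int)
    for m in ACL_LOG_RE.finditer(show_log):
        if m.group("acl") != acl or m.group("proto") != "udp":
            continue
        ports = {int(m.group("sport")), int(m.group("dport"))}
        if ports & NETBIOS_UDP_PORTS:
            # IOS rate-limits ACL logging, so this count is a lower bound.
            packets[m.group("src")] += int(m.group("count"))
    return dict(packets)


def classify_arp_hosts(show_arp: str, show_log: str, acl: str = "101") -> dict:
    """Label each ARP entry 'netbios-speaker' or 'no-netbios-seen'; deliberately
    not 'windows', since Samba/CIFS hosts send the same traffic and a quiet
    Windows host sends none while you watch."""
    talkers = netbios_talkers(show_log, acl)
    return {
        m.group("ip"): "netbios-speaker" if m.group("ip") in talkers
        else "no-netbios-seen"
        for m in ARP_RE.finditer(show_arp)
    }


# Constructed header as seen before "logging buffered debugging".
SHOW_LOG_BEFORE = """Buffer logging: level warnings, 10 messages logged, xml disabled,
filtering disabled
"""

# Constructed output after the fix; the ACL 102 hit shows per-ACL filtering.
SHOW_LOG_AFTER = """Buffer logging: level debugging, 14 messages logged, xml disabled,
filtering disabled
Log Buffer (51200 bytes):
*Oct  1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*Oct  1 15:40:01.100: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.8.3(137) -> 192.168.8.255(137), 1 packet
*Oct  1 15:40:02.200: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.8.4(138) -> 192.168.8.255(138), 1 packet
*Oct  1 15:45:01.300: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.8.3(137) -> 192.168.8.255(137), 14 packets
*Oct  1 15:45:02.400: %SEC-6-IPACCESSLOGP: list 102 permitted udp 192.168.8.12(137) -> 192.168.8.255(137), 3 packets
"""

# Constructed "show arp" rows using the thread's addresses; MACs are placeholders.
SHOW_ARP = """Router#sho arp
Internet 192.168.8.3 6 0000.0000.0003 ARPA FastEthernet1
Internet 192.168.8.4 111 0000.0000.0004 ARPA FastEthernet1
Internet 192.168.8.5 1 0000.0000.0005 ARPA FastEthernet1
Internet 192.168.8.12 18 0000.0000.0012 ARPA FastEthernet1
"""

if __name__ == "__main__":
    print(buffer_keeps_acl_hits(SHOW_LOG_BEFORE), buffer_keeps_acl_hits(SHOW_LOG_AFTER))
    print(classify_arp_hosts(SHOW_ARP, SHOW_LOG_AFTER))
```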
From b.turnbow at twt.it Fri Feb 5 05:27:01 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 5 Feb 2010 11:27:01 +0100
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com> <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com> <31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com>
Message-ID:

It looks like you have logging enabled for warnings only.

Try
logging buffered debugging

Another alternative, if the first does not log, is to do a debug ip packet
using an access list that matches only NetBIOS.
This could be more processor intensive.....
First create
access-list 102 permit udp any any range 137 138
then
debug ip packet 102
When done don't forget undebug all

Brian

________________________________

From: vijay gore [mailto:vijaygore27 at gmail.com]
Sent: Friday 5 February 2010 10:57
To: Brian Turnbow
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Dear Sir,

It's giving me the output below; it's not showing NetBIOS packet users.

Router#sho log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 40 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level warnings, 10 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 43 message lines logged
Log Buffer (51200 bytes):
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up

From teslenko.andrey at gmail.com Fri Feb 5 06:29:27 2010
From: teslenko.andrey at gmail.com (Anrey Teslenko)
Date: Fri, 5 Feb 2010 13:29:27 +0200
Subject: [c-nsp] Configuring a Static L2TPv3 Session Xconnect between an Ethernet Interface and VLAN Subinterface
Message-ID: <3f0164571002050329p2600ed98gec8af02faab59260@mail.gmail.com>

Hi All,

I have a problem which I need to solve. I have two Cisco 1841 routers. On one of them (CE) I have a WAN interface and an Ethernet interface (customer side). On the second (PE) I have a WAN interface and a VLAN sub-interface (customer side). I am trying to build an xconnect over an L2TPv3 tunnel between them, but I observed that the session was established only on the CE side and is not connected on the PE side. What can I do to get the tunnels working? Can I build an L2TPv3 session xconnect between an Ethernet interface and a VLAN sub-interface?

---------------------------------------
configuration on CE

l2tp-class interworking-class
!
pseudowire-class inter-L2TP-TUNNEL
 encapsulation l2tpv3
 protocol none
 ip local interface FastEthernet0/0
!
# Wan interface
interface FastEthernet0/0
 ip address 193.xxx.xxx.1 255.255.255.192
 duplex auto
 speed auto
!
# customer side interface
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 195.xxx.xxx.2 60 encapsulation l2tpv3 manual pw-class inter-L2TP-TUNNEL
  l2tp id 17437 31507
--------------------------------------
configuration on PE

l2tp-class interworking-class
!
pseudowire-class inter-L2TP-TUNNEL
 encapsulation l2tpv3
 protocol l2tpv3 interworking-class
 ip local interface FastEthernet0/1.264
!
# Wan interface
interface FastEthernet0/1.264
 encapsulation dot1Q 264
 ip address 195.xxx.xxx.2 255.255.255.252
!
# customer side interface
interface FastEthernet0/1.602
 encapsulation dot1Q 602
 no cdp enable
 xconnect 193.xxx.xxx.1 60 pw-class inter-L2TP-TUNNEL

From lists at quux.de Fri Feb 5 05:30:20 2010
From: lists at quux.de (Jens Link)
Date: Fri, 05 Feb 2010 11:30:20 +0100
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: (Brian Turnbow's message of "Fri, 5 Feb 2010 09:38:26 +0100")
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID: <87zl3ovutf.fsf@laphroiag.quux.de>

"Brian Turnbow" writes:

> Though not as reliable as a port scanner, you could do something like
> this even from remote
>
> access-list 101 permit udp any any range 137 138 log
> access-list 101 permit any any

This might also match some *NIX host running Samba or any other kind of CIFS service.

One might also do a telnet to port 137 / 138 / 445 from the router, but this will also not show a difference between Windows and other CIFS implementations.

Running nmap (http://insecure.org) from a host is much more reliable.

cheers

Jens
-- 
-------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de | jabber: jenslink at guug.de |
-------------------------------------------------------------------------

From matt at melbourne.org.uk Fri Feb 5 06:32:33 2010
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Fri, 5 Feb 2010 11:32:33 +0000
Subject: [c-nsp] Load-sharing with two links to the same ISP
Message-ID:

Hi,

What techniques are available to load-share traffic on two links (of equal bandwidth) to the same ISP (same AS), given that BGP only enters the best path into the RIB? We could announce our prefixes over both links, splitting the preferred path announcements over the two links using either MED or ISP communities, but this only really addresses inbound traffic.

More of an issue is trying to load-share outbound traffic; we assume we'll learn the same set of prefixes over both links from the same ISP. One technique may be to simply split the IPv4 address space in half and set local-pref accordingly, to prefer one link or the other depending on the destination IP prefix?

Cheers,

Matt

-- 
Matthew Melbourne

From vijaygore27 at gmail.com Fri Feb 5 07:02:19 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 5 Feb 2010 17:32:19 +0530
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <87zl3ovutf.fsf@laphroiag.quux.de>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com> <87zl3ovutf.fsf@laphroiag.quux.de>
Message-ID: <31533f201002050402w4f98784at717dbdf59c65c003@mail.gmail.com>

thanks

On Fri, Feb 5, 2010 at 4:00 PM, Jens Link wrote:
> "Brian Turnbow" writes:
>
> > Though not as reliable as a port scanner, you could do something like
> > this even from remote
> >
> > access-list 101 permit udp any any range 137 138 log
> > access-list 101 permit any any
>
> This might also match some *NIX host running Samba or any other kind
> of CIFS service.
>
> One might also do a telnet to port 137 / 138 / 445 from the router, but
> this will also not show a difference between Windows and other CIFS
> implementations.
>
> Running nmap (http://insecure.org) from a host is much more reliable.
>
> cheers
>
> Jens
> --
> -------------------------------------------------------------------------
> | Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264      |
> | http://www.quux.de  | http://blog.quux.de      | jabber: jenslink at guug.de |
> -------------------------------------------------------------------------

From aftab.siddiqui at gmail.com  Fri Feb  5 07:33:43 2010
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Fri, 5 Feb 2010 17:33:43 +0500
Subject: [c-nsp] Load-sharing with two links to the same ISP
In-Reply-To:
References:
Message-ID: <3c605ce11002050433w4d517bb2ic5a35b21ea1a4636@mail.gmail.com>

Use "maximum-paths" in BGP peering. With this you can add multiple routes
to the routing table as long as the routes you are getting are from the
same AS. BUT once this is added it is applied to all BGP peers; it is not
possible to do it for some selected peers. If you have many neighbors on
this router then care should be taken before making this decision.

Regards,

Aftab A. Siddiqui

On Fri, Feb 5, 2010 at 4:32 PM, Matthew Melbourne wrote:

> Hi,
>
> What techniques are available to load-share traffic on two links (of
> equal bandwidth) to the same ISP (same AS) given that BGP only enters
> the best path into the RIB? We could announce our prefixes over both
> links, but splitting the preferred path announcements over the two
> links, either using MED or ISP communities, but this only really
> addresses inbound traffic.
> More of an issue is trying to load-share
> outbound traffic; we assume we'll learn the same set of prefixes over
> both links from the same ISP - one technique may be to simply split
> the IPv4 address space in half and local-pref accordingly to prefer
> one link or the other depending on the destination IP prefix?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne

From teslenko.andrey at gmail.com  Fri Feb  5 08:04:56 2010
From: teslenko.andrey at gmail.com (Anrey Teslenko)
Date: Fri, 5 Feb 2010 15:04:56 +0200
Subject: [c-nsp] Configuring a Static L2TPv3 Session Xconnect between an Ethernet Interface and VLAN Subinterface
In-Reply-To: <3f0164571002050329p2600ed98gec8af02faab59260@mail.gmail.com>
References: <3f0164571002050329p2600ed98gec8af02faab59260@mail.gmail.com>
Message-ID: <3f0164571002050504v7b928741r7b12dc4721f385e6@mail.gmail.com>

Hi all,

I fixed some configuration and now the tunnel's status is established and
the session's status is established, but I do not observe the current
session in this tunnel. In other words, I have a working tunnel and an
established session on both sides, but I can't see one site from the other.

(192.168.0.1/30 LAN1) --(ethernet)-- (1841) L2tp tunnel--(WAN) -- L2tp tunnel(1841)--ethernet -- (192.168.0.1/30 LAN2)

For example (on PE):

#sh l2tun

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID    RemID    Remote Name   State  Remote Address  Port  *Sessions*  L2TP Class/
                                                                         VPDN Group
*56239*  32597    CPE           est    193.xxx.xxx.1   0     * 0*        interworking-cl

LocID    RemID    TunID    Username, Intf/     State  Last Chg  Uniq ID
                           Vcid, Circuit
31507    17437    *56239*  60, Fa0/1.602:602   est    00:26:51  977

What is wrong? Help me please.

---------------------------------------
current config CE
--------------------------------------

l2tp-class interworking-class
!
pseudowire-class inter-L2TP-TUNNEL
 encapsulation l2tpv3
 protocol none
 ip local interface FastEthernet0/0
!
interface FastEthernet0/0
 ip address 193.xxx.xxx.1 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 xconnect 195.xxx.xxx.2 60 encapsulation l2tpv3 manual pw-class inter-L2TP-TUNNEL
  l2tp id 222 111
  l2tp hello interworking-class

----------------------------------------
current config PE
---------------------------------------

l2tp-class interworking-class
!
pseudowire-class inter-L2TP-TUNNEL
 encapsulation l2tpv3
 protocol none
 ip local interface FastEthernet0/1.264
!
interface FastEthernet0/1.264
 encapsulation dot1Q 264
 ip address 195.xxx.xxx.2 255.255.255.252
!
interface FastEthernet0/1.602
 encapsulation dot1Q 602
 no cdp enable
 xconnect 193.xxx.xxx.1 60 encapsulation l2tpv3 manual pw-class inter-L2TP-TUNNEL
  l2tp id 111 222
  l2tp hello interworking-class

2010/2/5 Anrey Teslenko

> Hi All,
>
> I have some problem which I need to solve.
> I have two Cisco 1841 routers.
> For one of them (CE) I have a WAN interface and an Ethernet interface (customer
> side).
> For the second of them (PE) I have a WAN interface and a VLAN sub-interface (customer
> side).
>
> I try to build an xconnect over an L2TPv3 tunnel between them,
> but I observed that the session was established only on the CE side,
> and not connected on the PE side.
>
> What can I do so that the tunnel works?
> Can I build an L2TPv3 Session Xconnect between an Ethernet Interface and a
> VLAN Subinterface?
>
> ---------------------------------------
> configuration on CE
>
> l2tp-class interworking-class
> !
> pseudowire-class inter-L2TP-TUNNEL
>  encapsulation l2tpv3
>  protocol none
>  ip local interface FastEthernet0/0
> !
> # Wan interface
> interface FastEthernet0/0
>  ip address 193.xxx.xxx.1 255.255.255.192
>  duplex auto
>  speed auto
> !
> # customer side interface
> interface FastEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
>  no cdp enable
>  xconnect 195.xxx.xxx.2 60 encapsulation l2tpv3 manual pw-class
> inter-L2TP-TUNNEL
>   l2tp id 17437 31507
> --------------------------------------
> configuration on PE
>
> l2tp-class interworking-class
> !
> pseudowire-class inter-L2TP-TUNNEL
>  encapsulation l2tpv3
>  protocol l2tpv3 interworking-class
>  ip local interface FastEthernet0/1.264
> !
> # Wan interface
> interface FastEthernet0/1.264
>  encapsulation dot1Q 264
>  ip address 195.xxx.xxx.2 255.255.255.252
> !
> # customer side interface
> interface FastEthernet0/1.602
>  encapsulation dot1Q 602
>  no cdp enable
>  xconnect 193.xxx.xxx.1 60 pw-class inter-L2TP-TUNNEL

From johnps at IowaTelecom.com  Fri Feb  5 09:36:27 2010
From: johnps at IowaTelecom.com (John P. Schneider)
Date: Fri, 5 Feb 2010 08:36:27 -0600
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002050239t5dd7d157td1728468fa64baa9@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
	<31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>
	<31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com>
	<31533f201002050239t5dd7d157td1728468fa64baa9@mail.gmail.com>
Message-ID:

Maybe I'm over-simplifying this, but can't you just compare the MAC
addresses? If you only have 7 machines it would not take very long.

Thank You,
John Schneider

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vijay gore
Sent: Friday, February 05, 2010 4:39 AM
To: Brian Turnbow
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

No sir.

It's not working.

Actually sir, in this router there are 7 PCs connected, some PCs having
Linux OS & some PCs having Windows OS; now I want to know which machine
has Linux OS & which machine has Windows OS.
Please help me out with this, sir.

On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote:

> it looks like you have logging enabled for warnings only
>
> try
> logging buffered debugging
>
>
> another alternative if the first does not log, is to do a debug ip
> packet using an access list that matches only netbios.
> this could be more processor intensive.....
> first create
> access-list 102 permit udp any any range 137 138
> then debug ip packet 102
> when done don't forget undebug all
>
> Brian
>
> ------------------------------
> *From:* vijay gore [mailto:vijaygore27 at gmail.com]
> *Sent:* venerdì 5 febbraio 2010 10.57
> *To:* Brian Turnbow
> *Cc:* cisco-nsp at puck.nether.net
> *Subject:* Re: [c-nsp] find window's machine from Cisco Router
>
> Dear Sir,
>
> it's giving me below output, it's not showing net bios packet users,
>
> Router#sho log
> Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
>                          0 flushes, 0 overruns, xml disabled, filtering disabled)
>
> No Active Message Discriminator.
>
> No Inactive Message Discriminator.
>
>     Console logging: level debugging, 40 messages logged, xml disabled,
>                      filtering disabled
>     Monitor logging: level debugging, 0 messages logged, xml disabled,
>                      filtering disabled
>     Buffer logging:  level warnings, 10 messages logged, xml disabled,
>                      filtering disabled
>     Logging Exception size (4096 bytes)
>     Count and timestamp logging messages: disabled
>     Persistent logging: disabled
>
> No active filter modules.
>     ESM: 0 messages dropped
>     Trap logging: level informational, 43 message lines logged
>
> Log Buffer (51200 bytes):
>
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up

From ivan.pepelnjak at zaplana.net  Fri Feb  5 09:48:05 2010
From: ivan.pepelnjak at zaplana.net (Ivan Pepelnjak)
Date: Fri, 5 Feb 2010 15:48:05 +0100
Subject: [c-nsp] Load-sharing with two links to the same ISP
In-Reply-To:
References:
Message-ID: <001b01caa672$3a961f80$afc25e80$@pepelnjak@zaplana.net>

This might help: http://www.nil.com/ipcorner/LoadBalancingBGP/

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> -----Original Message-----
> From: Matthew Melbourne [mailto:matt at melbourne.org.uk]
> Sent: Friday, February 05, 2010 12:33 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Load-sharing with two links to the same ISP
>
> Hi,
>
> What techniques are available to load-share traffic on two links (of
> equal bandwidth) to the same ISP (same AS) given that BGP only enters
> the best path into the RIB? We could announce our prefixes over both
> links, but splitting the preferred path announcements over the two
> links, either using MED or ISP communities, but this only really
> addresses inbound traffic. More of an issue is trying to load-share
> outbound traffic; we assume we'll learn the same set of prefixes over
> both links from the same ISP - one technique may be to simply split
> the IPv4 address space in half and local-pref accordingly to prefer
> one link or the other depending on the destination IP prefix?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne

From tdurack at gmail.com  Fri Feb  5 10:38:38 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 10:38:38 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
Message-ID: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>

Cisco 6509, SUP720, 12.2(33)SXI3, WS-X6748-SFP, port shows:

sh int g1/9 | i error
     3915 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets

The other side is clean. What do input errors alone indicate?

(Have tested/replaced fiber/SFPs, without success.)

-- 
Tim:>
Sent from Brooklyn, NY, United States

From tdurack at gmail.com  Fri Feb  5 10:49:04 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 10:49:04 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
	<4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
Message-ID: <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>

On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
> Can you paste in the full 'show int', my guess is you're getting input
> buffer failures (need to see the 'Input Queue' line in particular).
sh int g1/9
GigabitEthernet1/9 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001e.1357.fbd0 (bia 001e.1357.fbd0)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is LH
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:23, output hang never
  Last clearing of "show interface" counters 01:05:50
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 4572000 bits/sec, 1295 packets/sec
  5 minute output rate 6576000 bits/sec, 1271 packets/sec
     2841615 packets input, 1464896475 bytes, 0 no buffer
     Received 9233 broadcasts (4717 multicasts)
     0 runts, 0 giants, 0 throttles
     4101 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     2471204 packets output, 1795192240 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

-- 
Tim:>
Sent from Brooklyn, NY, United States

From ewitkop at gmail.com  Fri Feb  5 10:54:55 2010
From: ewitkop at gmail.com (Erik Witkop)
Date: Fri, 5 Feb 2010 10:54:55 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
Message-ID:

Here is a link that I will refer to from time to time. I don't know if it
will help.
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfd6.shtml#l3_l2

On Fri, Feb 5, 2010 at 10:38 AM, Tim Durack wrote:

> Cisco 6509, SUP720, 12.2(33)SXI3, WS-X6748-SFP, port shows:
>
> sh int g1/9 | i error
>      3915 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 output errors, 0 collisions, 0 interface resets
>
> The other side is clean. What do input errors alone indicate?
>
> (Have tested/replaced fiber/SFPs, without success.)
> --
> Tim:>
> Sent from Brooklyn, NY, United States

From jeff-kell at utc.edu  Fri Feb  5 11:07:51 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 05 Feb 2010 11:07:51 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
	<4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
	<9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
Message-ID: <4B6C4257.4040307@utc.edu>

On 2/5/2010 10:49 AM, Tim Durack wrote:
> On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
>
>> Can you paste in the full 'show int', my guess is you're getting input
>> buffer failures (need to see the 'Input Queue' line in particular).

Input errors on LH fiber... try "show int g1/9 count err" and look for
symbol errors.
Jeff

From tdurack at gmail.com  Fri Feb  5 11:11:26 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 11:11:26 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C4257.4040307@utc.edu>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
	<4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
	<9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
	<4B6C4257.4040307@utc.edu>
Message-ID: <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>

On Fri, Feb 5, 2010 at 11:07 AM, Jeff Kell wrote:
> On 2/5/2010 10:49 AM, Tim Durack wrote:
>> On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
>>
>>> Can you paste in the full 'show int', my guess is you're getting input
>>> buffer failures (need to see the 'Input Queue' line in particular).
>
> Input errors on LH fiber... try "show int g1/9 count err" and look for
> symbol errors.

Only Rcv-Err:

sh int g1/9 counters errors

Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize OutDiscards
Gi1/9               0          0          0      16840          0           0

Port       Single-Col Multi-Col  Late-Col Excess-Col Carri-Sen     Runts    Giants
Gi1/9               0         0         0          0         0         0         0

Port   SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err
Gi1/9            0           0            0            0          0

-- 
Tim:>
Sent from Brooklyn, NY, United States

From cisco-nsp at slepicka.net  Fri Feb  5 11:28:29 2010
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Fri, 05 Feb 2010 10:28:29 -0600
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
	<4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
	<9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
	<4B6C4257.4040307@utc.edu>
	<9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>
Message-ID: <4B6C472D.7090503@slepicka.net>

sh int gi1/9 trans detail?
Tim Durack wrote:
> On Fri, Feb 5, 2010 at 11:07 AM, Jeff Kell wrote:
>
>> On 2/5/2010 10:49 AM, Tim Durack wrote:
>>
>>> On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
>>>
>>>> Can you paste in the full 'show int', my guess is you're getting input
>>>> buffer failures (need to see the 'Input Queue' line in particular).
>>
>> Input errors on LH fiber... try "show int g1/9 count err" and look for
>> symbol errors.
>
> Only Rcv-Err:
>
> sh int g1/9 counters errors
>
> Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize OutDiscards
> Gi1/9               0          0          0      16840          0           0
>
> Port       Single-Col Multi-Col  Late-Col Excess-Col Carri-Sen     Runts    Giants
> Gi1/9               0         0         0          0         0         0         0
>
> Port   SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err
> Gi1/9            0           0            0            0          0

From cisco-nsp at slepicka.net  Fri Feb  5 11:32:55 2010
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Fri, 05 Feb 2010 10:32:55 -0600
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C472D.7090503@slepicka.net>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
	<4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
	<9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
	<4B6C4257.4040307@utc.edu>
	<9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>
	<4B6C472D.7090503@slepicka.net>
Message-ID: <4B6C4837.8030608@slepicka.net>

also, check sh queueing int gi1/9

James Slepicka wrote:
> sh int gi1/9 trans detail?
>
> Tim Durack wrote:
>> On Fri, Feb 5, 2010 at 11:07 AM, Jeff Kell wrote:
>>
>>> On 2/5/2010 10:49 AM, Tim Durack wrote:
>>>
>>>> On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
>>>>
>>>>> Can you paste in the full 'show int', my guess is you're getting
>>>>> input
>>>>> buffer failures (need to see the 'Input Queue' line in particular).
>>>
>>> Input errors on LH fiber... try "show int g1/9 count err" and look for
>>> symbol errors.
>>
>> Only Rcv-Err:
>>
>> sh int g1/9 counters errors
>>
>> Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize OutDiscards
>> Gi1/9               0          0          0      16840          0           0
>>
>> Port       Single-Col Multi-Col  Late-Col Excess-Col Carri-Sen     Runts    Giants
>> Gi1/9               0         0         0          0         0         0         0
>>
>> Port   SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err
>> Gi1/9            0           0            0            0          0

From tdurack at gmail.com  Fri Feb  5 11:34:45 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 11:34:45 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C472D.7090503@slepicka.net>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
	<4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
	<9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
	<4B6C4257.4040307@utc.edu>
	<9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>
	<4B6C472D.7090503@slepicka.net>
Message-ID: <9e246b4d1002050834q9a7f034qb1ce590617b2171a@mail.gmail.com>

On Fri, Feb 5, 2010 at 11:28 AM, James Slepicka wrote:
> sh int gi1/9 trans detail?

sh int g1/9 transceiver detail
Module 1 doesn't support DOM

(Thanks Cisco.)
-- 
Tim:>
Sent from Brooklyn, NY, United States

From tdurack at gmail.com  Fri Feb  5 11:38:43 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 11:38:43 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C4837.8030608@slepicka.net>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
	<4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
	<9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
	<4B6C4257.4040307@utc.edu>
	<9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>
	<4B6C472D.7090503@slepicka.net>
	<4B6C4837.8030608@slepicka.net>
Message-ID: <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com>

On Fri, Feb 5, 2010 at 11:32 AM, James Slepicka wrote:
> also, check sh queueing int gi1/9

Queues are clean. It's not a very busy link.

I still think this smells like a L1 problem. Our fiber guys swear it's
clean. (Although they always do that. Eventually they will probably
fess up to some kinky 62.5/50.0 mismatch fiber issue.)

-- 
Tim:>
Sent from Brooklyn, NY, United States

From MatlockK at exempla.org  Fri Feb  5 10:42:07 2010
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Fri, 5 Feb 2010 08:42:07 -0700
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>

Can you paste in the full 'show int', my guess is you're getting input
buffer failures (need to see the 'Input Queue' line in particular).
Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
Sent: Friday, February 05, 2010 8:39 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] WS-X6748-SFP input errors

Cisco 6509, SUP720, 12.2(33)SXI3, WS-X6748-SFP, port shows:

sh int g1/9 | i error
     3915 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets

The other side is clean. What do input errors alone indicate?

(Have tested/replaced fiber/SFPs, without success.)

-- 
Tim:>
Sent from Brooklyn, NY, United States

From md at bts.sk  Fri Feb  5 12:07:14 2010
From: md at bts.sk (Marian Ďurkovič)
Date: Fri, 5 Feb 2010 18:07:14 +0100
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050834q9a7f034qb1ce590617b2171a@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
	<4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
	<9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
	<4B6C4257.4040307@utc.edu>
	<9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>
	<4B6C472D.7090503@slepicka.net>
	<9e246b4d1002050834q9a7f034qb1ce590617b2171a@mail.gmail.com>
Message-ID: <20100205165544.M48599@bts.sk>

On Fri, 5 Feb 2010 11:34:45 -0500, Tim Durack wrote
> On Fri, Feb 5, 2010 at 11:28 AM, James Slepicka nsp at slepicka.net> wrote:
> > sh int gi1/9 trans detail?
>
> sh int g1/9 transceiver detail
> Module 1 doesn't support DOM
>
> (Thanks Cisco.)
:-((

If you have DOM-enabled SFPs, try to plug the link into any switch which
properly supports DOM and read the power levels - just yesterday we
installed a new link where both ends were up/up, but the received power
levels were -8 dBm at one side and -22 dBm (!) at the other side...

With kind regards,

M.

From A.L.M.Buxey at lboro.ac.uk  Fri Feb  5 12:13:23 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 5 Feb 2010 17:13:23 +0000
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
	<4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
	<9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
	<4B6C4257.4040307@utc.edu>
	<9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>
	<4B6C472D.7090503@slepicka.net>
	<4B6C4837.8030608@slepicka.net>
	<9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com>
Message-ID: <20100205171323.GA21875@lboro.ac.uk>

Hi,

> I still think this smells like a L1 problem. Our fiber guys swear it's
> clean. (Although they always do that. Eventually they will probably
> fess up to some kinky 62.5/50.0 mismatch fiber issue.)

..I was thinking the same thing - what about the interfaces at each end
(eg are they both LH... what is the distance of the link?)

alan

From Robert.Smales at cw.com  Fri Feb  5 12:38:37 2010
From: Robert.Smales at cw.com (Smales, Robert)
Date: Fri, 5 Feb 2010 17:38:37 -0000
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To:
Message-ID: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>

You can't identify the OS from a MAC address. MAC addresses are assigned
by whoever made the Ethernet chip; the Linux boxes could have cards from
the same manufacturer as the Windows boxes - I've got two home-built PCs,
identical hardware, one runs Windows 7, the other Debian Etch, and you
couldn't tell them apart by their MAC addresses.
If there are only 7 devices on the OP's network, wouldn't it be simpler to
walk round the room to see what was what?

Robert

Robert Smales
Technical Engineer
Cable&Wireless Worldwide
www.cw.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of John
> P. Schneider
> Sent: 05 February 2010 14:36
> To: 'vijay gore'; Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
>
> Maybe I'm over-simplifying this, but can't you just compare
> the MAC addresses? If you only have 7 machines it would not
> take very long.
>
>
> Thank You,
> John Schneider
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vijay gore
> Sent: Friday, February 05, 2010 4:39 AM
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> No sir.
>
> It's not working.
>
> Actually sir, in this router there are 7 PCs connected,
> some PCs having Linux OS & some PCs having Windows OS; now I
> want to know which machine has Linux OS & which machine
> has Windows OS.
>
> Please help me out with this, sir.
> On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote:
>
> > it looks like you have logging enabled for warnings only
> >
> > try
> > logging buffered debugging
> >
> >
> > another alternative if the first does not log, is to do a debug ip
> > packet using an access list that matches only netbios.
> > this could be more processor intensive.....
> > first create
> > access-list 102 permit udp any any range 137 138
> > then debug ip packet 102
> > when done don't forget undebug all
> >
> > Brian
> >
> > ------------------------------
> > *From:* vijay gore [mailto:vijaygore27 at gmail.com]
> > *Sent:* venerdì 5 febbraio 2010 10.57
> > *To:* Brian Turnbow
> >
> > *Cc:* cisco-nsp at puck.nether.net
> > *Subject:* Re: [c-nsp] find window's machine from Cisco Router
> >
> > Dear Sir,
> >
> > it's giving me below output, it's not showing net bios packet users,
> >
> > Router#sho log
> > Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
> >                          0 flushes, 0 overruns, xml disabled, filtering disabled)
> >
> > No Active Message Discriminator.
> >
> > No Inactive Message Discriminator.
> >
> >     Console logging: level debugging, 40 messages logged, xml disabled,
> >                      filtering disabled
> >     Monitor logging: level debugging, 0 messages logged, xml disabled,
> >                      filtering disabled
> >     Buffer logging:  level warnings, 10 messages logged, xml disabled,
> >                      filtering disabled
> >     Logging Exception size (4096 bytes)
> >     Count and timestamp logging messages: disabled
> >     Persistent logging: disabled
> >
> > No active filter modules.
> >
> >     ESM: 0 messages dropped
> >     Trap logging: level informational, 43 message lines logged
> >
> > Log Buffer (51200 bytes):
> >
> > *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> > *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> > *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
Cable and Wireless plc
Registered in England and Wales. Company Number 238525
Registered office: 3rd Floor, 26 Red Lion Square, London WC1R 4HQ

From tdurack at gmail.com Fri Feb 5 13:12:16 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 13:12:16 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <20100205171323.GA21875@lboro.ac.uk>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net> <4B6C4837.8030608@slepicka.net> <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com> <20100205171323.GA21875@lboro.ac.uk>
Message-ID: <9e246b4d1002051012g23166f9bu829d74b61f999b9c@mail.gmail.com>

On Fri, Feb 5, 2010 at 12:13 PM, Alan Buxey wrote:
> ..i was thinking the same thing - what about the interfaces at each end
> (eg are they both LH... what is the distance of the link?)

LX/LH on both sides. It's an intra-building run, couple of hundred metres at most.

(It's LX over mmf as we have standardized on LX optics. We're trying to encourage the deployment of smf in our buildings.)

--
Tim:>

From jshearer at amedisys.com Fri Feb 5 13:42:41 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Fri, 5 Feb 2010 12:42:41 -0600
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
References: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
Message-ID:

As a previous poster recommended, Nmap is going to be your best bet for fingerprinting the OS. There are ways to obfuscate the stack and trick Nmap, but it will get stock machines most of the time.
Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Smales, Robert
Sent: Friday, February 05, 2010 11:39 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

You can't identify the OS from a MAC address, MAC addresses are assigned by whoever made the Ethernet chip, the Linux boxes could have cards from the same manufacturer as the Windows boxes - I've got two home-built PCs, identical hardware, one runs Windows 7, the other Debian Etch, you couldn't tell them apart by their MAC addresses.

If there are only 7 devices on the OP's network, wouldn't it be simpler to walk round the room to see what was what?

Robert
Robert Smales
Technical Engineer
Cable&Wireless Worldwide
www.cw.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John
> P. Schneider
> Sent: 05 February 2010 14:36
> To: 'vijay gore'; Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> Maybe I'm over simplifying this but can't you just compare
> the MAC addresses? If you only have 7 machines it would not
> take very long.
>
> Thank You,
> John Schneider
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vijay gore
> Sent: Friday, February 05, 2010 4:39 AM
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> No sir.
>
> it's not working,
>
> actually sir, in this router there are 7 PCs connected,
> some PCs having Linux OS & some PCs having Windows OS, now I
> want to know which machine is having Linux OS & which machine
> is having Windows OS.
>
> please help me out with this sir
>
> On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote:
>
> > it looks like you have logging enabled for warnings only
> >
> > try
> > logging buffered debugging
> >
> > another alternative if the first does not log, is to do a debug ip
> > packet using an access list that matches only netbios.
> > this could be more processor intensive.....
> > first create
> > access-list 102 permit udp any any range 137 138
> > then debug ip packet 102
> > when done don't forget undebug all
> >
> > Brian
> >
> > ------------------------------
> > *From:* vijay gore [mailto:vijaygore27 at gmail.com]
> > *Sent:* venerdì 5 febbraio 2010 10.57
> > *To:* Brian Turnbow
> > *Cc:* cisco-nsp at puck.nether.net
> > *Subject:* Re: [c-nsp] find window's machine from Cisco Router
> >
> > Dear Sir,
> >
> > it's giving me below output, it's not showing net bios packet users,
> >
> > Router#sho log
> > [identical show logging output trimmed; see the copy quoted above]

*** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. ***

From jim at tgasolutions.com Fri Feb 5 13:48:26 2010
From: jim at tgasolutions.com (Jim McBurnett)
Date: Fri, 5 Feb 2010 13:48:26 -0500
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
References: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
Message-ID:

I did not read all the posts... But why not add:
http://www.hanewin.net/lldp-e.htm
or the linux version?
Then on the Cisco switch show lldp......
Later,
Jim

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Smales, Robert
Sent: Friday, February 05, 2010 12:39 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

[quoted text identical to the copy in Jason Shearer's reply above, trimmed]

From nick at inex.ie Fri Feb 5 13:50:39 2010
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 05 Feb 2010 18:50:39 +0000
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002051012g23166f9bu829d74b61f999b9c@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net> <4B6C4837.8030608@slepicka.net> <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com> <20100205171323.GA21875@lboro.ac.uk> <9e246b4d1002051012g23166f9bu829d74b61f999b9c@mail.gmail.com>
Message-ID: <4B6C687F.4080103@inex.ie>

On 05/02/2010 18:12, Tim Durack wrote:
> (It's LX over mmf as we have standardized on LX optics.

o_O

If you're using mode conditioning cables at each end, I'll upgrade your chances of success with this link to: "Pray to Cthulu. Hard".

You need to get a power meter and measure the Rx strength each end of the link, in both directions. If you want to find out exactly where the problem is, measure it at each patch point along the way. You can rent or buy these things pretty cheaply.
You can then check the received power against your SFP/GBIC spec and see if it's within budget.

Nick

From tdurack at gmail.com Fri Feb 5 14:09:07 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 14:09:07 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C687F.4080103@inex.ie>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net> <4B6C4837.8030608@slepicka.net> <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com> <20100205171323.GA21875@lboro.ac.uk> <9e246b4d1002051012g23166f9bu829d74b61f999b9c@mail.gmail.com> <4B6C687F.4080103@inex.ie>
Message-ID: <9e246b4d1002051109o1af5910cjed78acf7563d254c@mail.gmail.com>

On Fri, Feb 5, 2010 at 1:50 PM, Nick Hilliard wrote:
> On 05/02/2010 18:12, Tim Durack wrote:
>> (It's LX over mmf as we have standardized on LX optics.
>
> o_O
>
> If you're using mode conditioning cables at each end, I'll upgrade your
> chances of success with this link to: "Pray to Cthulu. Hard".

LX is supported over mmf. Usually this works for us...

> You need to get a power meter and measure the Rx strength each end of the
> link, in both directions. If you want to find out exactly where the
> problem is, measure it at each patch point along the way. You can rent or
> buy these things pretty cheaply. You can then check the received power
> against your SFP/GBIC spec and see if it's within budget.

I'll leave that to the fiber contractor :-)

Meantime, I'm going to swap fiber with the redundant link, and see if the errors follow the fiber or stay with the port.

> Nick

--
Tim:>
Sent from Brooklyn, NY, United States

From CFlint at mt.gov Fri Feb 5 14:36:57 2010
From: CFlint at mt.gov (Flint, Chris)
Date: Fri, 5 Feb 2010 12:36:57 -0700
Subject: [c-nsp] WS-X6748-SFP input errors
Message-ID: <169F1B4CBA47CC4F93BF2BD0A504C0552F139A2C57@doaisd05222.state.mt.ads>

Hi Tim,

Assuming you're running older fiber, you probably need mode-conditioning patch cords for LX over MMF.

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/product_bulletin_c25-530836.html

We ran into this with LX4 optics over MMF... several closets worked correctly, but one in particular wouldn't link up. We found this document and fixed the problem.

Chris

=======================================
Message: 5
Date: Fri, 5 Feb 2010 13:12:16 -0500
From: Tim Durack <.>
To: Alan Buxey <.>
Cc: "cisco-nsp at puck.nether.net"
Subject: Re: [c-nsp] WS-X6748-SFP input errors
Message-ID: <9e246b4d1002051012g23166f9bu829d74b61f999b9c at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

[Tim Durack's message of 13:12, identical to the copy above, trimmed]

From mays at win.net Fri Feb 5 15:23:04 2010
From: mays at win.net (Joseph Mays)
Date: Fri, 5 Feb 2010 15:23:04 -0500
Subject: [c-nsp] AS5300/AS5400 power supplies
Message-ID: <01f901caa6a1$079fd060$b52118d8@engineering01>

Does anyone know if the power supplies in AS5300's and AS5400's are interchangeable?
From chris at k7sle.com Fri Feb 5 17:33:57 2010 From: chris at k7sle.com (Chris Gauthier) Date: Fri, 5 Feb 2010 14:33:57 -0800 (PST) Subject: [c-nsp] OT - Infoblox vs. Bluecat In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net> Message-ID: <20677750.2571265409237480.JavaMail.root@giskard> When I worked for a previous employer, we evaluated bluecat and infoblox. Bluecat was quickly ruled out because of price and complexity. The Infoblox got a lot more attention and they were great to work with during our eval of the hardware. One manager was ready to purchase and was about to pick u pthe phone and call when another manager railroaded the big boss to go with Windows DNS/DHCP (in a non-AD environment) at the last second. I *really* liked the manageability, tech support, and expertise of the product. The HA worked great, including DHCP failover. I liked them so much, I've tried to bring them to my current employer, but the solutions are just too expensive for the budget. Another point that I liked was that Cricket Liu (author of the DNS and Bind O'Reilly books and the DNS on Windows Server 2000 and DNS on Windows Server 2003 books) is part of their executive team. They're also MS certified, a plus for my current employer. I liked the detail in logging, too. Some of the reporting was a challenge, but I was asking for stats (can't remember which) that had to gathered programatically. Hope this helps all of you! Chris Gauthier, CCNA Security Salem, Oregon, USA ----- Original Message ----- From: "Charles Church" To: "nsp-cisco" Sent: Friday, January 15, 2010 7:09:55 AM GMT -08:00 US/Canada Pacific Subject: [c-nsp] OT - Infoblox vs. Bluecat I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. 
Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice. Thanks in advance, Chuck _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From vijaygore27 at gmail.com Sat Feb 6 00:11:39 2010 From: vijaygore27 at gmail.com (vijay gore) Date: Sat, 6 Feb 2010 10:41:39 +0530 Subject: [c-nsp] find window's machine from Cisco Router In-Reply-To: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com> References: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com> Message-ID: <31533f201002052111w38a5fce5r862f9846a809c061@mail.gmail.com> Dear Sir, i am having 200 location each location having 7-10 machine, and out of them each and every time i have to found which is Linux host and which is Windows host. On Fri, Feb 5, 2010 at 11:08 PM, Smales, Robert wrote: > You can't identify the OS from a MAC address, MAC addresses are assigned by > whoever made the Ethernet chip, the Linux boxes could have cards from the > same manufacturer as the Windows boxes - I've got two home-built PCs, > identical hardware, one runs Windows 7, the other Debian Etch, you couldn't > tell them apart by their MAC addresses. > > If there are only 7 devices on the OPs network, wouldn't it be simpler to > walk round the room to see what was what? > > Robert > Robert Smales > Technical Engineer > Cable&Wireless Worldwide > www.cw.com > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net > > [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of John > > P. 
Schneider > > Sent: 05 February 2010 14:36 > > To: 'vijay gore'; Brian Turnbow > > Cc: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] find window's machine from Cisco Router > > > > > > Maybe I'm over simplifying this but can't you just compare > > the MAC addresses? If you only have 7 machines it would not > > take very long. > > > > > > Thank You, > > John Schneider > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vijay gore > > Sent: Friday, February 05, 2010 4:39 AM > > To: Brian Turnbow > > Cc: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] find window's machine from Cisco Router > > > > No sir. > > > > it's not working, > > > > actually sir, in this router there are 7 PC's connected, > > some PC having Linux OS & some PC's having Windows OS, now i > > want to know which machine having Linux OS & which machine > > having Windows OS. > > > > please help me out this sir > > On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow > > wrote: > > > > > it looks like you have loggin enabled for warings only > > > > > > try > > > logging buffered debugging > > > > > > > > > another alternative if the first does not log, is to do a debug ip > > > packet using an access list that matches only netbios. > > > this could be more processor intensive..... > > > first create > > > access-list 102 permit udp any any range 137 138 then debug > > ip packet > > > 102 when done don't forget undebug all > > > > > > > > > > > > > > > Brian > > > > > > ------------------------------ > > > *From:* vijay gore [mailto:vijaygore27 at gmail.com] > > > *Sent:* venerd? 
5 febbraio 2010 10.57 > > > *To:* Brian Turnbow > > > > > > *Cc:* cisco-nsp at puck.nether.net > > > *Subject:* Re: [c-nsp] find window's machine from Cisco Router > > > > > > Dear Sir, > > > > > > > > > > > > it's giving me below output, it's not showing net bios packet users, > > > > > > Router#sho log > > > Syslog logging: enabled (1 messages dropped, 0 messages > > rate-limited, > > > 0 flushes, 0 overruns, xml disabled, > > filtering disabled) > > > No Active Message Discriminator. > > > > > > No Inactive Message Discriminator. > > > > > > Console logging: level debugging, 40 messages logged, > > xml disabled, > > > filtering disabled > > > Monitor logging: level debugging, 0 messages logged, > > xml disabled, > > > filtering disabled > > > Buffer logging: level warnings, 10 messages logged, > > xml disabled, > > > filtering disabled > > > Logging Exception size (4096 bytes) > > > Count and timestamp logging messages: disabled > > > Persistent logging: disabled > > > No active filter modules. 
> > > ESM: 0 messages dropped > > > Trap logging: level informational, 43 message lines logged > > > Log Buffer (51200 bytes): > > > *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface > > FastEthernet0, changed > > > state to > > > up > > > *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface > > FastEthernet1, changed > > > state to > > > up > > > *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface > > FastEthernet9, changed > > > state to > > > up > > > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface > > FastEthernet8, changed > > > state to > > > up > > > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface > > FastEthernet7, changed > > > state to > > > up > > > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface > > FastEthernet6, changed > > > state to > > > up > > > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface > > FastEthernet5, changed > > > state to > > > up > > > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface > > FastEthernet4, changed > > > state to > > > up > > > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface > > FastEthernet3, changed > > > state to > > > up > > > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface > > FastEthernet2, changed > > > state to > > > up > > > > > > > > > > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > This e-mail has been scanned for viruses by the Cable & Wireless e-mail > security system - powered by MessageLabs. For more information on a > proactive managed e-mail security service, visit > http://www.cw.com/uk/emailprotection/ > > The information contained in this e-mail is confidential and may also be > subject to legal privilege. 
It is intended only for the recipient(s) named > above. If you are not named above as a recipient, you must not read, copy, > disclose, forward or otherwise use the information contained in this email. > If you have received this e-mail in error, please notify the sender (whose > contact details are above) immediately by reply e-mail and delete the > message and any attachments without retaining any copies. > > Cable and Wireless plc > Registered in England and Wales.Company Number 238525 > Registered office: 3rd Floor, 26 Red Lion Square, London WC1R 4HQ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ecables at gmail.com Sat Feb 6 00:21:54 2010 From: ecables at gmail.com (Eric Cables) Date: Fri, 5 Feb 2010 21:21:54 -0800 Subject: [c-nsp] 2610 + NM-16ESW -- What IOS supports this card? Message-ID: I have an old 2610 router that I am attempting to use an NM-16ESW card in, but despite my efforts I cannot find an IOS image that supports this card. Cisco's documentation ( http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aca3e.html) indicates that 12.2(8)T and above should support the module in a 2600 series router, but there are no downloadable 12.2T images on Cisco.com, and though I have tried multiple 12.3 images, none have worked. 
Here are a couple of versions that I've tried without success: c2600-ik9o3s3-mz.123-26.bin c2600-ik9o3s3-mz.123-18a.bin Here is what I see after inserting the module and booting up (relevant messages): smart init is sizing iomem ID MEMORY_REQ TYPE 000091 0X0008B800 C2600 single Ethernet 0002A9 0X001FCE2F 16 port ethernet switch 0X00098670 public buffer pools 0X00211000 public particle pools TOTAL: 0X00531C9F If any of the above Memory Requirements are "UNKNOWN", you may be using an unsupported configuration or there is a software problem and system operation may be compromised. Rounded IOMEM up to: 6Mb. Using 9 percent iomem. [6Mb/64Mb] %PA-3-NOTSUPPORTED: PA in slot1 (Unknown (type 681)) is not supported on this image. Please issue "show diag" in fully loaded IOS image to get the PA's information and verify if it is supported by this image, a newer version may be needed. Slot 1: Unknown (type 681) Port adapter Port adapter is disabled Port adapter insertion time unknown EEPROM contents at hardware discovery: Hardware Revision : 1.0 Top Assy. Part Number : 800-15156-01 Board Revision : E0 Deviation Number : 0-0 Fab Version : 03 PCB Serial Number : FOC08490SW4 RMA Test History : 00 RMA Number : 0-0-0-0 RMA History : 00 Unknown Field (type 00CF): 00 12 01 55 E8 87 MAC Address block size : 17 Product (FRU) Number : NM-16ESW EEPROM format version 4 EEPROM contents (hex): 0x00: 04 FF 40 02 A9 41 01 00 C0 46 03 20 00 3B 34 01 0x10: 42 45 30 80 00 00 00 00 02 03 C1 8B 46 4F 43 30 0x20: 38 34 39 30 53 57 34 03 00 81 00 00 00 00 04 00 0x30: CF 06 00 12 01 55 E8 87 43 00 11 FF FF FF FF FF 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF <-- snip -- I've opened a ticket with TAC, to try and get an IOS recommendation, but I was told that the 2610 has reached the "end of support" cycle, meaning I'm SOL. 
Additionally, the Software Adviser does not return any available images for the platform & hardware combination.

If anyone has a 2600 series router (non-XM) that has a working NM-16ESW module, can you please provide the IOS version (if available to download on Cisco.com), or send me the image itself? The 2610's memory is maxed out (64MB) with 16MB of flash.

Thanks,

--
Eric Cables

From gururug at gmail.com Sat Feb 6 01:34:09 2010
From: gururug at gmail.com (Imran K)
Date: Sat, 6 Feb 2010 17:34:09 +1100
Subject: [c-nsp] find window's machine from Cisco Router
Message-ID: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com>

As stated by other posters, the best "passive" way to determine this is via stack operations (sequencing, etc.), which is best done "off router" due to the specific nature (active).

Is it not possible to write a custom IDS signature that will analyse similar footprints (passively) as nmap?

From fwissue at gmail.com Sat Feb 6 02:43:01 2010
From: fwissue at gmail.com (Michael Lee)
Date: Fri, 5 Feb 2010 23:43:01 -0800
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com>
References: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com>
Message-ID: <709a72991002052343m979d0b5sfaba6575cf34b89e@mail.gmail.com>

Maybe set up an ACL for port range 137 to 139 with log, then check on the log.

On Fri, Feb 5, 2010 at 10:34 PM, Imran K wrote:
> As stated by other posters, the best "passive" way to determine this is via
> stack operations (sequencing, etc.), which is best done "off router" due
> to the specific nature (active).
>
> Is it not possible to write a custom IDS signature that will analyse
> similar
> footprints (passively) as nmap?
From A.L.M.Buxey at lboro.ac.uk Sat Feb 6 07:37:18 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Sat, 6 Feb 2010 12:37:18 +0000
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <709a72991002052343m979d0b5sfaba6575cf34b89e@mail.gmail.com>
References: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com> <709a72991002052343m979d0b5sfaba6575cf34b89e@mail.gmail.com>
Message-ID: <20100206123718.GB24093@lboro.ac.uk>

Hi,

> maybe set up an ACL for port range 137 to 139 with log
> then check on the log

OS fingerprinting with ISC DHCPD (if you have a DHCP environment).

tcpdump listening to a SPAN instance on that subnet... very soon you'll see all the pretty broadcast rubbish from the Windows hosts.

alan

From sony.scaria at gmail.com Sat Feb 6 09:46:35 2010
From: sony.scaria at gmail.com (Sony Scaria)
Date: Sat, 6 Feb 2010 20:16:35 +0530
Subject: [c-nsp] Hybrid to Native conversion
Message-ID: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com>

Hi,

I have an old 6500 with SUP2 and MSFC2. I need to convert the configuration to IOS format. Is there any tool available which expedites the process compared to a manual conversion?

Sony.

From Charles.Church at harris.com Sat Feb 6 10:03:30 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Sat, 6 Feb 2010 10:03:30 -0500
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To:
References: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
Message-ID: <290EF89F13F04F4E924BB235A46D18F108C6769D38@MLBMXUS2.cs.myharris.net>

Sorry, meant to send this yesterday, had some email issues....

Why not enable netflow on the router, and see who's using what ports?
If you can capture enough source and destination port info, you can compare that to the 'fingerprint' type stuff that NMAP does and make some educated guesses. But NMAP from a remote machine will be far easier. Just make sure you own all the gear between the NMAP machine and the end hosts, since any ISP filtering might throw off the results.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Smales, Robert
Sent: Friday, February 05, 2010 12:39 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

You can't identify the OS from a MAC address. MAC addresses are assigned by whoever made the Ethernet chip; the Linux boxes could have cards from the same manufacturer as the Windows boxes. I've got two home-built PCs, identical hardware, one runs Windows 7, the other Debian Etch; you couldn't tell them apart by their MAC addresses.

If there are only 7 devices on the OP's network, wouldn't it be simpler to walk round the room to see what was what?

Robert

Robert Smales
Technical Engineer
Cable&Wireless Worldwide
www.cw.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John
> P. Schneider
> Sent: 05 February 2010 14:36
> To: 'vijay gore'; Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> Maybe I'm oversimplifying this but can't you just compare
> the MAC addresses? If you only have 7 machines it would not
> take very long.
>
> Thank You,
> John Schneider
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vijay gore
> Sent: Friday, February 05, 2010 4:39 AM
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> No sir.
> It's not working.
>
> Actually sir, in this router there are 7 PCs connected,
> some PCs having Linux OS & some PCs having Windows OS. Now I
> want to know which machine is having Linux OS & which machine
> is having Windows OS.
>
> Please help me out with this, sir.
>
> On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote:
>
> > It looks like you have logging enabled for warnings only.
> >
> > Try
> > logging buffered debugging
> >
> > Another alternative, if the first does not log, is to do a debug ip
> > packet using an access list that matches only netbios.
> > This could be more processor intensive.....
> > First create
> > access-list 102 permit udp any any range 137 138
> > then debug ip packet 102
> > When done don't forget undebug all
> >
> > Brian
> >
> > ------------------------------
> > *From:* vijay gore [mailto:vijaygore27 at gmail.com]
> > *Sent:* Friday 5 February 2010 10.57
> > *To:* Brian Turnbow
> > *Cc:* cisco-nsp at puck.nether.net
> > *Subject:* Re: [c-nsp] find window's machine from Cisco Router
> >
> > Dear Sir,
> >
> > It's giving me the below output; it's not showing NetBIOS packet users.
> >
> > Router#sho log
> > Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
> > No Active Message Discriminator.
> >
> > No Inactive Message Discriminator.
> >
> > Console logging: level debugging, 40 messages logged, xml disabled, filtering disabled
> > Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
> > Buffer logging: level warnings, 10 messages logged, xml disabled, filtering disabled
> > Logging Exception size (4096 bytes)
> > Count and timestamp logging messages: disabled
> > Persistent logging: disabled
> > No active filter modules.
> > ESM: 0 messages dropped
> > Trap logging: level informational, 43 message lines logged
> >
> > Log Buffer (51200 bytes):
> >
> > *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> > *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> > *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up

This e-mail has been scanned for viruses by the Cable & Wireless e-mail security system - powered by MessageLabs. For more information on a proactive managed e-mail security service, visit http://www.cw.com/uk/emailprotection/

The information contained in this e-mail is confidential and may also be subject to legal privilege. It is intended only for the recipient(s) named above.
If you are not named above as a recipient, you must not read, copy, disclose, forward or otherwise use the information contained in this email. If you have received this e-mail in error, please notify the sender (whose contact details are above) immediately by reply e-mail and delete the message and any attachments without retaining any copies.

Cable and Wireless plc
Registered in England and Wales. Company Number 238525
Registered office: 3rd Floor, 26 Red Lion Square, London WC1R 4HQ

From aaron at wsc.ma.edu Sat Feb 6 10:12:23 2010
From: aaron at wsc.ma.edu (Childs, Aaron)
Date: Sat, 6 Feb 2010 10:12:23 -0500
Subject: [c-nsp] Hybrid to Native conversion
In-Reply-To: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com>
References: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com>
Message-ID: <3760B7E1B344364AA0384B231FE7BA691314B9E9A2@ex-be1.ads.wsc.ma.edu>

Hi Sony,

There aren't any tools that I know of. I converted all of our SUP720's and SUP2's last summer using the directions here:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015bfa6.shtml

The process isn't as painful as it looks, just a little time consuming.

Good Luck!
Aaron
-----------
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/
________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Sony Scaria [sony.scaria at gmail.com]
Sent: Saturday, February 06, 2010 9:46 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Hybrid to Native conversion

Hi,

I have an old 6500 with SUP2 and MSFC2.
I need to convert the configuration to IOS format. Is there any tool available which expedites the process compared to a manual conversion?

Sony.

From shaw38 at gmail.com Sat Feb 6 15:27:16 2010
From: shaw38 at gmail.com (Steve Shaw)
Date: Sat, 6 Feb 2010 15:27:16 -0500
Subject: [c-nsp] Hybrid to Native conversion
In-Reply-To: <3760B7E1B344364AA0384B231FE7BA691314B9E9A2@ex-be1.ads.wsc.ma.edu>
References: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com> <3760B7E1B344364AA0384B231FE7BA691314B9E9A2@ex-be1.ads.wsc.ma.edu>
Message-ID: <1d3cfae11002061227h411da319o77c06e536b10f604@mail.gmail.com>

Sony,

There's a Java-based conversion utility for the CatOS to IOS conversion:

Utility: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008070f124.shtml#Download
Instructions: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008070f124.shtml

Hope that helps.

Steve

On Sat, Feb 6, 2010 at 10:12 AM, Childs, Aaron wrote:
> Hi Sony,
>
> There aren't any tools that I know of. I converted all of our SUP720's and
> SUP2's last summer using the directions here:
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015bfa6.shtml
>
> The process isn't as painful as it looks, just a little time consuming.
>
> Good Luck!
> Aaron
> -----------
> Aaron Childs
> Assistant Director, Networking
> Westfield State College
> http://www.wsc.ma.edu/it/
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net]
> On Behalf Of Sony Scaria [sony.scaria at gmail.com]
> Sent: Saturday, February 06, 2010 9:46 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Hybrid to Native conversion
>
> Hi,
>
> I have an old 6500 with SUP2 and MSFC2.
> I need to convert the configuration
> to IOS format. Is there any tool available which expedites the process
> compared to a manual conversion?
>
> Sony.

From peter.hicks at poggs.co.uk Sat Feb 6 18:10:04 2010
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Sat, 06 Feb 2010 23:10:04 +0000
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <20100206123718.GB24093@lboro.ac.uk>
References: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com> <709a72991002052343m979d0b5sfaba6575cf34b89e@mail.gmail.com> <20100206123718.GB24093@lboro.ac.uk>
Message-ID: <4B6DF6CC.2010303@poggs.co.uk>

Alan Buxey wrote:
> tcpdump listening to a SPAN instance on that subnet... very soon you'll
> see all the pretty broadcast rubbish from the Windows hosts

+1 for that. Windows machines are the ones wearing loud Hawaiian shirts being very loud.

Peter

From Bryan at bryanfields.net Sat Feb 6 20:55:12 2010
From: Bryan at bryanfields.net (Bryan Fields)
Date: Sat, 06 Feb 2010 20:55:12 -0500
Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1
Message-ID: <4B6E1D80.8000209@bryanfields.net>

I was troubleshooting my network today and found a nasty little bug when someone does 'show isis database' from exec mode on C181X Software (C181X-ADVIPSERVICESK9-M), Version 15.0(1)M1, IOS.

After issuing the command you get the output of it, and some time in the next 30 sec the router crashes.
Example:

LTRKAKHQR01-c1811w#sh isis database

IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
STPBFLGURT1.00-00     0x00005F0A   0x49A3        907               0/0/0
galaxydoor.00-00      0x0000200A   0x2DF0        900               0/0/0
LTRKAKHQR01-c1.00-00* 0x00000953   0x64C1        1099              0/0/0
TAMQFLTART1.00-00     0x00005859   0x1542        908               0/0/0
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
STPBFLGURT1.00-00     0x000060A8   0x1149        914               0/0/0
galaxydoor.00-00      0x0000200F   0x645F        912               0/0/0
LTRKAKHQR01-c1.00-00* 0x00000991   0xF41F        916               0/0/0
TAMQFLTART1.00-00     0x00005926   0x83FD        913               0/0/0
LTRKAKHQR01-c1811w#term mon
LTRKAKHQR01-c1811w#sh clock
01:44:47.438 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:44:56.418 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:01.690 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:06.182 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:10.146 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:12.658 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:16.222 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
______BAM! Lockup at this point______

From the log output:

Feb 6 20:45:27 192.168.3.210 103: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:20 UTC: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = Check heaps.
Feb 6 20:45:27 192.168.3.210 104: LTRKAKHQR01-c1811w: -Traceback= 0x8007CCB0z 0x80B20C18z 0x80B22C8Cz 0x80B20EC8z 0x82050E18z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb 6 20:45:27 192.168.3.210 105: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:22 UTC: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (0/0),process = Check heaps.
Feb 6 20:45:27 192.168.3.210 106: LTRKAKHQR01-c1811w: -Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22528z 0x80B20EC8z 0x820500E4z 0x82050E54z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb 6 20:45:27 192.168.3.210 107: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-3-BADMAGIC: Corrupt block at 86AC28DC (magic 813E0508), -Traceback= 0x82052388z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb 6 20:45:27 192.168.3.210 108: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
Feb 6 20:45:27 192.168.3.210 109: LTRKAKHQR01-c1811w: 86297A44,80BAE58C 86297A44,40000294 86CC08A0,80BAE570 86CC08A0,3000021E
Feb 6 20:45:27 192.168.3.210 110: LTRKAKHQR01-c1811w: 86DC8180,8154FFC0 866536C8,8154FE24 866536C8,8154FE24 866536C8,8154FE88
Feb 6 20:45:27 192.168.3.210 111: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
Feb 6 20:45:27 192.168.3.210 112: LTRKAKHQR01-c1811w: 8666F860,81569A98 866536C8,8154FE88 866536C8,8154FE24 866536C8,8154FE24
Feb 6 20:45:27 192.168.3.210 113: LTRKAKHQR01-c1811w: 866536C8,8154EE70 866536C8,8154EE70 866536C8,8154EE70 866536C8,8154EE70
Feb 6 20:45:27 192.168.3.210 114: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-BLKINFO: Corrupted magic value in in-use block blk 86AC28DC, words 6002, alloc 8012DAC4, InUse, dealloc FFFFFFFF, rfcnt 1, -Traceback= 0x82010150z 0x82052618z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb 6 20:45:28 192.168.3.210 115: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MEMDUMP: 0x86AC28DC: 0x813E0508 0x0 0x0 0x8364CCBC
Feb 6 20:45:28 192.168.3.210 116: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MEMDUMP: 0x86AC28EC: 0x8012DAC4 0x86AC57F0 0x86AB9C1C 0x80001772
Feb 6 20:45:28 192.168.3.210 117: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MEMDUMP: 0x86AC28FC: 0x1 0x86AC2980 0x15C 0x86D41800
Feb 6 20:45:28 192.168.3.210 118: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-STACKLOW:
Stack for process Virtual Exec running low, 12/12000
Feb 6 20:45:40 192.168.3.250 1038: TAMQFLTART1: Feb 7 2010 01:45:39 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel3, changed state to down
-------

Sometimes I'll get a crashinfo file, other times I will not.

From a previous crash info:

-------------
CMD: 'sh isis database' 21:23:27 UTC Sat Feb 6 2010
validblock_diagnose, code = 2
current memory block, bp = 0x8700E0B0,
memorypool type is Processor
data check, ptr = 0x8700E0E0
next memory block, bp = 0x87010FC4,
memorypool type is Processor
data check, ptr = 0x87010FF4
previous memory block, bp = 0x870053DC,
memorypool type is Processor
data check, ptr = 0x8700540C
========= Dump bp = 0x8700E0B0 ======================
8700DFB0: 0 8700EAB0 FFFFFFFF 0 0 0 0 0
8700DFD0: 0 0 6347E519 0 8207070C D02688F2 6347E519 85F7C994
8700DFF0: 85F7C994 811AEC4C 8700E010 811AB16C D0D0D0D 245EBB78 D0D0D0D 867CD2F4
8700E010: 8700E040 813B2838 D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D 82070710
8700E030: 85F7C994 6347E519 875E3258 875E3214 8700E070 813B2B8C D0D0D0D 48822022
8700E050: 1 8700E2D8 0 0 8700E070 6347E519 8700E400 0
8700E070: 8700E0B0 813B4470 0 0 28822022 6347E519 0 0
8700E090: 0 0 6347E519 85F7C994 0 0 8700E400 0
8700E0B0: 8700E350 813E0508 0 0 8012DAC4 87010FC4 870053F0 80001772
8700E0D0: 1 0 8700E158 872550DC FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
8700E0F0: 0 0 FFFFFFFF FFFFFFFF FFFF FFFFFFFF FFFFFFFF FFFFFFFF
8700E110: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 0
8700E130: 2F 86427028 0 85F7C994 0 6347E519 6347E519 245EBB78
8700E150: 8700E2F0 867CD2F4 8700E1D8 811ABDE0 FFFFFFFF 6347E519 D02688F2 2F
8700E170: 0 0 0 C0 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
8700E190: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
=========
Feb 6 2010 21:24:09 UTC: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/1),process = Check heaps.
-Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22C8Cz 0x80B20EC8z 0x82050E18z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Dump bp->next = 0x87010FC4 ======================
87010EC4: 61780000 87010EF0 84228082 73796E74 A4CB80 7002FD0 87010F20 87010E70
87010EE4: 87010EF8 83EB0000 83EB0000 0 83EB0000 0 A4CB80 0
87010F04: 0 867F2054 0 0 86493648 87010FB0 80B77310 FFFFFF
87010F24: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
87010F44: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 2A 1 FFFFFFFF
87010F64: FFFFFFFF 0 0 0 0 0 0 0
87010F84: 0 0 0 0 0 0 0 0
87010FA4: 0 0 0 87010FB8 8012086C 0 80124418 FD0110DF
87010FC4: AB1234CD E40000 15F 873074D0 80B4FCA0 87015E18 8700E0C4 80002712
87010FE4: 1 8200EA4C 166 872550DC 0 0 87307494 0
87011004: 87307494 258 2C7 140018 2C1 0 0 0
87011024: 0 430000 83EC2BBC 41414120 536D616C 6C204368 756E0000 87011B6C
87011044: 87015E14 0 0 87011B70 87011B88 87011BA0 87011BB8 87011BD0
87011064: 87011BE8 87011C00 87011C18 87011C30 87011C48 87011C60 87011C78 87011C90
87011084: 87011CA8 87011CC0 87011CD8 87011CF0 87011D08 87011D20 87011D38 87011D50
870110A4: 87011D68 87011D80 87011D98 87011DB0 87011DC8 87011DE0 87011DF8 87011E10
========== Dump bp->previous = 0x870053F0 =====================
870052F0: 0 0 0 0 0 0 0 0
87005310: 0 FD0110DF AB1234CD FFFE0000 0 82FC74AC 81BDE144 87005390
87005330: 870052A8 80000024 1 0 1 850B5B2C 83824BA0 0
87005350: 0 0 1 0
Feb 6 2010 21:24:11 UTC: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (1/1),process = Check heaps.
-Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22528z 0x80B20EC8z 0x820500E4z 0x82050E54z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
0 0 0 90000
87005370: 1 870051FC 0 0 0 0 0 FD0110DF
87005390: AB1234CD FFFE0000 0 82FC74AC 81BD9178 870053DC 8700532C 8000000E
870053B0: 1 0 1 850B5B2C 1 0 0 0
870053D0: 0 0 FD0110DF AB1234CD 750000 75 83646E94 82C4EED4
870053F0: 8700E0B0 870053A4 4652 0 82C89068 7C 850B1410 DEADBEEF
87005410: 82C89068 0 D0D0D0D 83EC321C 83EC3218 D0D0D0D D0D0D0D D0D0D0D
87005430: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
87005450: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
87005470: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
87005490: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
870054B0: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
870054D0: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
============================================
Feb 6 2010 21:24:12 UTC: %SYS-3-BADMAGIC: Corrupt block at 8700E0B0 (magic 8700E350), -Traceback= 0x82052388z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb 6 2010 21:24:12 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
873068BC,80BAE58C 873068BC,40000294 859EC9B4,80BAE570 859EC9B4,3000021E
86EAC770,8154FFC0 86EA8998,8154FE24 86EA8998,8154FE24 859EC9B4,81540E3C
Feb 6 2010 21:24:12 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
859EC9B4,8153B354 859EC9B4,3000021E 86EA8998,8154FE88 86EAB098,81569A98
86EA8998,8154FE88 86EA8998,8154FE24 86EA8998,8154FE24 86EA8998,8154EE70
Feb 6 2010 21:24:12 UTC: %SYS-6-BLKINFO: Corrupted magic value in in-use block blk 8700E0B0, words 6002, alloc 8012DAC4, InUse, dealloc FFFFFFFF, rfcnt 1, -Traceback= 0x82010150z 0x82052618z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb 6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0B0: 0x8700E350 0x813E0508 0x0 0x0
Feb 6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0C0: 0x8012DAC4 0x87010FC4
0x870053F0 0x80001772
Feb 6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0D0: 0x1 0x0 0x8700E158 0x872550DC
%Software-forced reload

21:24:12 UTC Sat Feb 6 2010: Unexpected exception to CPU: vector 1500, PC = 0x8011E220, LR = 0x8011E1E4
-Traceback= 0x8011E220z 0x8011E1E4z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z

CPU Register Context:
MSR = 0x02029220 CR = 0x28000042 CTR = 0x81F26400 XER = 0x00000000
R0 = 0x8011E1E4 R1 = 0x8511CBA8 R2 = 0xFFE97C10 R3 = 0x83FA9978
R4 = 0x82F869BC R5 = 0x00000000 R6 = 0x83970000 R7 = 0x82F60000
R8 = 0x02029220 R9 = 0x83AD0000 R10 = 0x00000000 R11 = 0x00000000
R12 = 0x24000088 R13 = 0xFFE994A8 R14 = 0x820554DC R15 = 0x00000000
R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
R20 = 0x00000000 R21 = 0x00000000 R22 = 0x83D60000 R23 = 0x83D60000
R24 = 0xAB1234AB R25 = 0xAB1234CD R26 = 0x83D60000 R27 = 0x85FBD91C
R28 = 0x00000000 R29 = 0x83647534 R30 = 0x83980000 R31 = 0x00000000
------

I've tried this on both 1811w's on my network and had the exact same problems. Anyone else seen this or know if it's a known bug? I've searched the Cisco site and cannot find a reference to this issue.

--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From david at davidcoulson.net Sat Feb 6 21:38:17 2010
From: david at davidcoulson.net (David Coulson)
Date: Sat, 06 Feb 2010 21:38:17 -0500
Subject: [c-nsp] Telnet to Pix via VPN
Message-ID: <4B6E2799.904@davidcoulson.net>

I have a number of ASAs and Pix devices with interconnected VPNs. From each LAN I can telnet into the local device, however on both an ASA5510 and Pix515 running 8.0 I am unable to telnet into the device from across a VPN. An older Pix501 running 6.3 will allow me. I can ping across the VPNs to each device.

In all cases 'management-access inside' is enabled and the appropriate remote subnet is in a 'telnet x.x.x.x y.y.y.y' statement. The telnet client thinks the connection is open, but I don't get a login prompt.
Log output when I attempt to telnet to the 515. Not sure I understand the TCP intercept part of this. Maybe that is the smoking gun.

Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 367 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)
Feb 06 2010 21:36:13: %PIX-6-302014: Teardown TCP connection 367 for outside:172.17.6.102/3158 to NP Identity Ifc:172.16.5.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 368 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)

From jrjahangir at yahoo.com Sat Feb 6 22:58:38 2010
From: jrjahangir at yahoo.com (mdjahangir hossain)
Date: Sat, 6 Feb 2010 19:58:38 -0800 (PST)
Subject: [c-nsp] Netflow problem in cisco SAR-7606 router
Message-ID: <536733.90533.qm@web53603.mail.re2.yahoo.com>

Dear concern:

I faced a problem in a Cisco SAR-7606 router with NetFlow. When I enable NetFlow, access to this router is so slow. It would be nice for me if anyone can help: how can I enable NetFlow in a Cisco 7606 router without this type of problem?
Here is the router IOS information:

BOOTLDR: Cisco IOS Software, c7600s3223_rp Software (c7600s3223_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRD2a, RELEASE SOFTWARE (fc2)
System image file is "sup-bootdisk:c7600s3223-adventerprisek9-mz.122-33.SRD2a.bin"

Thanks
Jahangir Hossain

From lukasz at bromirski.net Sun Feb 7 03:45:13 2010
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sun, 07 Feb 2010 09:45:13 +0100
Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1
In-Reply-To: <4B6E1D80.8000209@bryanfields.net>
References: <4B6E1D80.8000209@bryanfields.net>
Message-ID: <4B6E7D99.1000409@bromirski.net>

On 2010-02-07 02:55, Bryan Fields wrote:
> I was troubleshooting my network today and found a nasty little bug when
> someone does 'show isis database' from exec mode on C181X Software
> (C181X-ADVIPSERVICESK9-M), Version 15.0(1)M1, IOS.
> After issuing the command you get the output of it, and some time in the next
> 30 sec the router crashes.
> example:
> LTRKAKHQR01-c1811w#sh isis database

Hard to reproduce, or something else is causing the crash. I just tried this on my farm of 9 different 18xx and no crash at all:

c180x#sh ver | i IOS
Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)
c180x#sh isis database

IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
c180x.00-00         * 0x00002DA1   0x2975        1142              0/0/0
tor-core.00-00        0x00002D98   0xCD09        1073              0/0/0
w-ts.00-00            0x00001019   0x899B        584               0/0/0
w-ts.01-00            0x00001015   0xAEB4        863               0/0/0
c180x#sh clock
09:40:26.110 CET Sun Feb 7 2010
c180x#sh clock
09:40:32.818 CET Sun Feb 7 2010
c180x#sh clock
09:40:41.810 CET Sun Feb 7 2010
c180x#sh clock
09:40:48.898 CET Sun Feb 7 2010
c180x#sh clock
09:40:56.338 CET Sun Feb 7 2010
c180x#sh clock
09:41:02.018 CET Sun Feb 7 2010
c180x#sh clock
09:41:07.971 CET Sun Feb 7 2010
c180x#sh clock
09:41:12.963 CET Sun Feb 7 2010

> from the log output:
> Feb 6 20:45:27 192.168.3.210 103: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:20
> UTC: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs
> (0/0),process = Check heaps.
> UTC: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs
> (0/0),process = Check heaps.
> Feb 6 20:45:27 192.168.3.210 107: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24
> UTC: %SYS-3-BADMAGIC: Corrupt block at 86AC28DC (magic 813E0508), -Traceback=
> 0x82052388z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
> Feb 6 20:45:27 192.168.3.210 108: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24
> UTC: %SYS-6-MTRACE: mallocfree: addr, pc
> UTC: %SYS-6-BLKINFO: Corrupted magic value in in-use block blk 86AC28DC, words
> 6002, alloc 8012DAC4, InUse, dealloc FFFFFFFF, rfcnt 1, -Traceback=
> 0x82010150z 0x82052618z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz
> 0x80124418z
> Feb 6 20:45:28 192.168.3.210 118: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24
> UTC: %SYS-6-STACKLOW: Stack for process Virtual Exec running low, 12/12000
> Feb 6 20:45:40 192.168.3.250 1038: TAMQFLTART1: Feb 7 2010 01:45:39 UTC:
> %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel3, changed state to down

Some process is behaving badly, if the Check Heaps has a problem validating the alignments. Then it seems something writes some gibberish out of its memory slice and then things start to fall down.

> %Software-forced reload
> 21:24:12 UTC Sat Feb 6 2010: Unexpected exception to CPU: vector 1500, PC =
> 0x8011E220, LR = 0x8011E1E4

> Anyone else seen this or know if it's a known bug? I've searched the cisco
> site and cannot find a reference to this issue.

Open a case. Have it reproduced and then nailed down to some specific bug.

--
"Everything will be okay in the end.  | Łukasz Bromirski
 If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From dwhitejr at cisco.com Sun Feb 7 10:05:09 2010
From: dwhitejr at cisco.com (David White, Jr. (dwhitejr))
Date: Sun, 07 Feb 2010 10:05:09 -0500
Subject: [c-nsp] Telnet to Pix via VPN
In-Reply-To: <4B6E2799.904@davidcoulson.net>
References: <4B6E2799.904@davidcoulson.net>
Message-ID: <4B6ED6A5.1020803@cisco.com>

Hi David,

It sounds like you are running into CSCsj53102. What version are you running on your 8.0 devices?

Sincerely,

David.

David Coulson wrote:
> I have a number of ASAs and Pix devices with interconnected VPNs. From
> each LAN I can telnet into the local device, however on both an
> ASA5510 and Pix515 running 8.0 I am unable to telnet into the device
> from across a VPN. An older Pix501 running 6.3 will allow me. I can
> ping across the VPNs to each device.
>
> In all cases 'management-access inside' is enabled and the appropriate
> remote subnet is in a 'telnet x.x.x.x y.y.y.y' statement. The telnet
> client thinks the connection is open, but I don't get a login prompt.
>
> Log output when I attempt to telnet to the 515. Not sure I understand
> the TCP intercept part of this. Maybe that is the smoking gun.
>
> Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 367 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)
> Feb 06 2010 21:36:13: %PIX-6-302014: Teardown TCP connection 367 for outside:172.17.6.102/3158 to NP Identity Ifc:172.16.5.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
> Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 368 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)

From petelists at templin.org Sun Feb 7 10:19:29 2010
From: petelists at templin.org (Pete Templin)
Date: Sun, 07 Feb 2010 09:19:29 -0600
Subject: [c-nsp] Hybrid to Native conversion
In-Reply-To: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com>
References: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com>
Message-ID: <4B6EDA01.1080104@templin.org>

Sony Scaria wrote:
> I have an old 6500 with SUP2 and MSFC2. I need to convert the configuration to IOS format. Is there any tool available which expedites the process more than a manual conversion?

Do you have any Sup2/MSFC2 that are already native? If so, format some extra PCMCIA cards in IOS with your desired image on them. You'll format faster (most likely) and have much quicker software copy times. I just did a pile of these in November and January, and having a ready stack of cards cut the conversion time to probably <30 minutes, including some reloads and reboots afterward to verify config registers and configuration loads.
pt

From david at davidcoulson.net Sun Feb 7 10:20:45 2010
From: david at davidcoulson.net (David Coulson)
Date: Sun, 07 Feb 2010 10:20:45 -0500
Subject: [c-nsp] Telnet to Pix via VPN
In-Reply-To: <4B6ED6A5.1020803@cisco.com>
References: <4B6E2799.904@davidcoulson.net> <4B6ED6A5.1020803@cisco.com>
Message-ID: <4B6EDA4D.7030307@davidcoulson.net>

8.0(3) on both Pix515 and ASA5510

On 2/7/10 10:05 AM, David White, Jr. (dwhitejr) wrote:
> Hi David,
>
> It sounds like you are running into CSCsj53102. What version are you running on your 8.0 devices?
>
> Sincerely,
>
> David.
>
> David Coulson wrote:
>
>> I have a number of ASAs and Pix devices with interconnected VPNs. From each LAN I can telnet into the local device, however on both an ASA5510 and Pix515 running 8.0 I am unable to telnet into the device from across a VPN. An older Pix501 running 6.3 will allow me. I can ping across the VPNs to each device.
>>
>> In all cases 'management-access inside' is enabled and the appropriate remote subnet is in a 'telnet x.x.x.x y.y.y.y' statement. The telnet client thinks the connection is open, but I don't get a login prompt.
>>
>> Log output when I attempt to telnet to the 515 - Not sure I understand the TCP intercept part of this. Maybe that is the smoking gun.
>>
>> Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 367 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)
>> Feb 06 2010 21:36:13: %PIX-6-302014: Teardown TCP connection 367 for outside:172.17.6.102/3158 to NP Identity Ifc:172.16.5.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
>> Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 368 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)

From scottowens12 at gmail.com Sun Feb 7 12:40:45 2010
From: scottowens12 at gmail.com (scott owens)
Date: Sun, 7 Feb 2010 11:40:45 -0600
Subject: [c-nsp] Hybrid to Native conversion
Message-ID:

Make sure you have enough ram & flash before you start down this path. IOS images can be much larger than what is on your Sup IIs - even if you upgraded them with one of the early Cisco upgrade paths.

scott

From david at davidcoulson.net Sun Feb 7 12:55:41 2010
From: david at davidcoulson.net (David Coulson)
Date: Sun, 07 Feb 2010 12:55:41 -0500
Subject: [c-nsp] Telnet to Pix via VPN
In-Reply-To: <4B6ED6A5.1020803@cisco.com>
References: <4B6E2799.904@davidcoulson.net> <4B6ED6A5.1020803@cisco.com>
Message-ID: <4B6EFE9D.8040809@davidcoulson.net>

I upgraded my 515E pair to 8.0(4) and it appears to have solved the problem.

David

On 2/7/10 10:05 AM, David White, Jr. (dwhitejr) wrote:
> Hi David,
>
> It sounds like you are running into CSCsj53102. What version are you running on your 8.0 devices?
>
> Sincerely,
>
> David.
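Added diagnostic helper for the PIX/ASA log pattern in this thread (not part of the thread, not Cisco code): it pairs the %PIX-6-302013 build and %PIX-6-302014 teardown messages by connection ID and reports to-the-box flows that TCP Intercept tore down with zero bytes transferred, which is the signature of a session the client sees as "open" but that never shows a login prompt. The sample log is constructed from the lines David posted plus one invented healthy session, and TO_THE_BOX_IFC is an assumption based on the "NP Identity Ifc" string in those lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the PIX 8.0 lines quoted in the thread.
# 302013 (build) and 302014 (teardown) are the real ASA/PIX syslog message IDs;
# connection 369 is an invented healthy session added for contrast.
SAMPLE_LOG = """\
Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 367 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)
Feb 06 2010 21:36:13: %PIX-6-302014: Teardown TCP connection 367 for outside:172.17.6.102/3158 to NP Identity Ifc:172.16.5.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 368 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)
Feb 06 2010 21:36:14: %PIX-6-302013: Built inbound TCP connection 369 for inside:192.0.2.10/51000 (192.0.2.10/51000) to NP Identity Ifc:172.16.5.1/22 (172.16.5.1/22)
Feb 06 2010 21:40:02: %PIX-6-302014: Teardown TCP connection 369 for inside:192.0.2.10/51000 to NP Identity Ifc:172.16.5.1/22 duration 0:03:48 bytes 4120 TCP FINs
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
BUILD_RE = re.compile(
    r"%(?:PIX|ASA)-\d-302013: Built (inbound|outbound) TCP connection (\d+) "
    r"for (\S+):" + IP + r"/(\d+) \([^)]*\) to (.+?):" + IP + r"/(\d+)"
)
TEARDOWN_RE = re.compile(
    r"%(?:PIX|ASA)-\d-302014: Teardown TCP connection (\d+) for (\S+):" + IP
    + r"/(\d+) to (.+?):" + IP + r"/(\d+) duration (\d+:\d\d:\d\d) bytes (\d+) ?(.*)$"
)

# Assumed: the pseudo-interface name the PIX/ASA logs for traffic addressed to itself.
TO_THE_BOX_IFC = "NP Identity Ifc"


@dataclass
class Conn:
    conn_id: int
    direction: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    duration: Optional[str] = None      # filled in by the teardown message
    byte_count: Optional[int] = None
    reason: Optional[str] = None


def parse_connections(text: str) -> Dict[int, Conn]:
    """Pair 302013/302014 messages by connection ID into one record per flow."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = BUILD_RE.search(line)
        if m:
            direction, cid, sif, sip, sport, dif, dip, dport = m.groups()
            conns[int(cid)] = Conn(int(cid), direction, sif, sip, int(sport),
                                   dif, dip, int(dport))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            cid, sif, sip, sport, dif, dip, dport, dur, nbytes, reason = m.groups()
            conn = conns.get(int(cid))
            if conn is None:
                # Teardown whose build fell outside the capture: keep what we know.
                conn = Conn(int(cid), "unknown", sif, sip, int(sport), dif, dip, int(dport))
                conns[int(cid)] = conn
            conn.duration, conn.byte_count, conn.reason = dur, int(nbytes), reason.strip()
    return conns


def intercepted_empty_flows(conns: Dict[int, Conn]) -> List[int]:
    """IDs of flows that TCP Intercept tore down before a single payload byte moved.

    A build immediately followed by a zero-byte teardown with this reason is the
    pattern in the thread: the client sees an open socket but never gets a prompt."""
    return sorted(c.conn_id for c in conns.values()
                  if c.reason is not None and "TCP Intercept" in c.reason
                  and c.byte_count == 0)


def to_the_box_intercept_report(text: str) -> Dict[Tuple[str, int], int]:
    """Count intercepted zero-byte flows per (firewall address, service port)."""
    conns = parse_connections(text)
    report: Dict[Tuple[str, int], int] = {}
    for cid in intercepted_empty_flows(conns):
        c = conns[cid]
        if c.dst_if == TO_THE_BOX_IFC:
            key = (c.dst_ip, c.dst_port)
            report[key] = report.get(key, 0) + 1
    return report


if __name__ == "__main__":
    for (ip, port), n in to_the_box_intercept_report(SAMPLE_LOG).items():
        print(f"{n} to-the-box flow(s) to {ip}:{port} killed by TCP Intercept with 0 bytes")
```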
From Bryan at bryanfields.net Sun Feb 7 14:04:32 2010
From: Bryan at bryanfields.net (Bryan Fields)
Date: Sun, 07 Feb 2010 14:04:32 -0500
Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1
In-Reply-To: <4B6E7D99.1000409@bromirski.net>
References: <4B6E1D80.8000209@bryanfields.net> <4B6E7D99.1000409@bromirski.net>
Message-ID: <4B6F0EC0.70506@bryanfields.net>

On 2/7/2010 03:45, Łukasz Bromirski wrote:
> On 2010-02-07 02:55, Bryan Fields wrote:
>> I was troubleshooting my network today and found a nasty little bug when someone does 'show isis database' from exec mode on C181X Software (C181X-ADVIPSERVICESK9-M), Version 15.0(1)M1, IOS.
>> After issuing the command you get the output of it, and some time in the next 30 sec the router crashes.
>> example:
>> LTRKAKHQR01-c1811w#sh isis database
>
> Hard to reproduce or something else is causing the crash, I just tried this on my farm of 9 different 18xx and no crash at all:
>
> c180x#sh ver | i IOS
> Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)

I'm running the 15.0(1)M1 Advanced IP services, which is a different IOS image.

> Some process is behaving badly, if the Check Heaps has a problem validating the alignments. Then it seems something writes some gibberish out of its memory slice and then things start to fall down.

A multitasking OS without memory protection strikes once again!

> Open a case. Have it reproduced and then nailed down to some specific bug.

This is my personal network, I don't have a support contract on any of it. I like to demo the newer IOS on it for that reason. Figured it was worth a shot to ask over here, maybe some cisco engineer watches this or someone ran into this before. I would suspect not, as no one would run ISIS on this platform, as it's kinda a half ass ISIS implementation to begin with.
--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From lukasz at bromirski.net Sun Feb 7 14:35:42 2010
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sun, 07 Feb 2010 20:35:42 +0100
Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1
In-Reply-To: <4B6F0EC0.70506@bryanfields.net>
References: <4B6E1D80.8000209@bryanfields.net> <4B6E7D99.1000409@bromirski.net> <4B6F0EC0.70506@bryanfields.net>
Message-ID: <4B6F160E.4080009@bromirski.net>

On 2010-02-07 20:04, Bryan Fields wrote:
>> Hard to reproduce or something else is causing the crash, I just tried this on my farm of 9 different 18xx and no crash at all:
>> c180x#sh ver | i IOS
>> Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)
> I'm running the 15.0(1)M1 Advanced IP services, which is a different IOS image.

I tried Adv IP Services also, and a 15.0(1)M1 release. No luck, but I'll try to dig deeper. Rodney is also on the list, maybe he will pick up the thread as his time permits.

> I would suspect not, as no one would run ISIS on this platform, as it's kinda a half ass ISIS implementation to begin with.

Well, it works and is supported, so... what's there not from your perspective that makes it "half ass"? IS-IS is actually run on a number of "small" boxes by a couple of SPs that just need a routing protocol for their own AS that is separate from IP. NANOG usually hosts discussion about that once a quarter or so.

--
"Everything will be okay in the end.  | Łukasz Bromirski
 If it's not okay, it's not the end.
 | http://lukasz.bromirski.net

From Bryan at bryanfields.net Sun Feb 7 14:48:35 2010
From: Bryan at bryanfields.net (Bryan Fields)
Date: Sun, 07 Feb 2010 14:48:35 -0500
Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1
In-Reply-To: <4B6F160E.4080009@bromirski.net>
References: <4B6E1D80.8000209@bryanfields.net> <4B6E7D99.1000409@bromirski.net> <4B6F0EC0.70506@bryanfields.net> <4B6F160E.4080009@bromirski.net>
Message-ID: <4B6F1913.3060909@bryanfields.net>

On 2/7/2010 14:35, Łukasz Bromirski wrote:
> I tried Adv IP Services also, and a 15.0(1)M1 release. No luck, but I'll try to dig deeper. Rodney is also on the list, maybe he will pick up the thread as his time permits.

Hmm, I have two routers on my network that it happens to, both are 1811w models.

>> I would suspect not, as no one would run ISIS on this platform, as it's kinda a half ass ISIS implementation to begin with.
>
> Well, it works and is supported, so... what's there not from your perspective that makes it "half ass"?

No ipv6 support in the ISIS implementation. I consider that "half-assed". Perhaps in the future cisco will drop the other cheek :-)

--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From jared at puck.nether.net Sun Feb 7 15:21:09 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Sun, 7 Feb 2010 15:21:09 -0500
Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1
In-Reply-To: <4B6F0EC0.70506@bryanfields.net>
References: <4B6E1D80.8000209@bryanfields.net> <4B6E7D99.1000409@bromirski.net> <4B6F0EC0.70506@bryanfields.net>
Message-ID: <9C0AFBD2-A2D6-4EC8-B148-2D89282CEA5C@puck.nether.net>

On Feb 7, 2010, at 2:04 PM, Bryan Fields wrote:
> A multitasking OS without memory protection strikes once again!

Time to discontinue old technology.

- Jared

From dwhitejr at cisco.com Sun Feb 7 16:47:57 2010
From: dwhitejr at cisco.com (David White, Jr.
(dwhitejr))
Date: Sun, 07 Feb 2010 16:47:57 -0500
Subject: [c-nsp] Telnet to Pix via VPN
In-Reply-To: <4B6EFE9D.8040809@davidcoulson.net>
References: <4B6E2799.904@davidcoulson.net> <4B6ED6A5.1020803@cisco.com> <4B6EFE9D.8040809@davidcoulson.net>
Message-ID: <4B6F350D.50301@cisco.com>

Hi David,

Since running 8.0(3) and upgrading to 8.0(4) resolved the issue, I would guess your PIXes have VAC/VAC+ in them, and thus you were running into CSCsi79159.

Sincerely,
David.

David Coulson wrote:
> I upgraded my 515E pair to 8.0(4) and it appears to have solved the problem.
>
> David
>
> On 2/7/10 10:05 AM, David White, Jr. (dwhitejr) wrote:
>> Hi David,
>>
>> It sounds like you are running into CSCsj53102. What version are you running on your 8.0 devices?
>>
>> Sincerely,
>>
>> David.

From eninja at gmail.com Sun Feb 7 18:00:29 2010
From: eninja at gmail.com (Eninja)
Date: Mon, 8 Feb 2010 00:00:29 +0100
Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1
In-Reply-To: <4B6E1D80.8000209@bryanfields.net>
References: <4B6E1D80.8000209@bryanfields.net>
Message-ID: <38AE3CD7-DBD1-4036-A15C-3F8231B267C3@gmail.com>

Bryan,

Your box crashed because the memory got corrupted. This is a software bug. Set it up for a core dump and send to bug manufacturer for rectification.

/eninja

On Feb 7, 2010, at 2:55 AM, Bryan Fields wrote:
> I was troubleshooting my network today and found a nasty little bug when someone does 'show isis database' from exec mode on C181X Software (C181X-ADVIPSERVICESK9-M), Version 15.0(1)M1, IOS.
>
> After issuing the command you get the output of it, and some time in the next 30 sec the router crashes.
>
> example:
> LTRKAKHQR01-c1811w#sh isis database
>
> IS-IS Level-1 Link State Database:
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
> STPBFLGURT1.00-00     0x00005F0A   0x49A3        907           0/0/0
> galaxydoor.00-00      0x0000200A   0x2DF0        900           0/0/0
> LTRKAKHQR01-c1.00-00* 0x00000953   0x64C1        1099          0/0/0
> TAMQFLTART1.00-00     0x00005859   0x1542        908           0/0/0
> IS-IS Level-2 Link State Database:
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
> STPBFLGURT1.00-00     0x000060A8   0x1149        914           0/0/0
> galaxydoor.00-00      0x0000200F   0x645F        912           0/0/0
> LTRKAKHQR01-c1.00-00* 0x00000991   0xF41F        916           0/0/0
> TAMQFLTART1.00-00     0x00005926   0x83FD        913           0/0/0
> LTRKAKHQR01-c1811w#term mon
> LTRKAKHQR01-c1811w#sh clock
> 01:44:47.438 UTC Sun Feb 7 2010
> LTRKAKHQR01-c1811w#sh clock
> 01:44:56.418 UTC Sun Feb 7 2010
> LTRKAKHQR01-c1811w#sh clock
> 01:45:01.690 UTC Sun Feb 7 2010
> LTRKAKHQR01-c1811w#sh clock
> 01:45:06.182 UTC Sun Feb 7 2010
> LTRKAKHQR01-c1811w#sh clock
> 01:45:10.146 UTC Sun Feb 7 2010
> LTRKAKHQR01-c1811w#sh clock
> 01:45:12.658 UTC Sun Feb 7 2010
> LTRKAKHQR01-c1811w#sh clock
> 01:45:16.222 UTC Sun Feb 7 2010
> LTRKAKHQR01-c1811w#sh clock
>
> ______BAM! Lockup at this point______
>
> from the log output:
> Feb 6 20:45:27 192.168.3.210 103: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:20 UTC: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = Check heaps.
> Feb 6 20:45:27 192.168.3.210 104: LTRKAKHQR01-c1811w: -Traceback= 0x8007CCB0z 0x80B20C18z 0x80B22C8Cz 0x80B20EC8z 0x82050E18z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
> Feb 6 20:45:27 192.168.3.210 105: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:22 UTC: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (0/0),process = Check heaps.
> Feb 6 20:45:27 192.168.3.210 106: LTRKAKHQR01-c1811w: -Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22528z 0x80B20EC8z 0x820500E4z 0x82050E54z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
> Feb 6 20:45:27 192.168.3.210 107: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-3-BADMAGIC: Corrupt block at 86AC28DC (magic 813E0508), -Traceback= 0x82052388z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
> Feb 6 20:45:27 192.168.3.210 108: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
> Feb 6 20:45:27 192.168.3.210 109: LTRKAKHQR01-c1811w: 86297A44,80BAE58C 86297A44,40000294 86CC08A0,80BAE570 86CC08A0,3000021E
> Feb 6 20:45:27 192.168.3.210 110: LTRKAKHQR01-c1811w: 86DC8180,8154FFC0 866536C8,8154FE24 866536C8,8154FE24 866536C8,8154FE88
> Feb 6 20:45:27 192.168.3.210 111: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
> Feb 6 20:45:27 192.168.3.210 112: LTRKAKHQR01-c1811w: 8666F860,81569A98 866536C8,8154FE88 866536C8,8154FE24 866536C8,8154FE24
> Feb 6 20:45:27 192.168.3.210 113: LTRKAKHQR01-c1811w: 866536C8,8154EE70 866536C8,8154EE70 866536C8,8154EE70 866536C8,8154EE70
> Feb 6 20:45:27 192.168.3.210 114: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-BLKINFO: Corrupted magic value in in-use block blk 86AC28DC, words 6002, alloc 8012DAC4, InUse, dealloc FFFFFFFF, rfcnt 1, -Traceback= 0x82010150z 0x82052618z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
> Feb 6 20:45:28 192.168.3.210 115: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MEMDUMP: 0x86AC28DC: 0x813E0508 0x0 0x0 0x8364CCBC
> Feb 6 20:45:28 192.168.3.210 116: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MEMDUMP: 0x86AC28EC: 0x8012DAC4 0x86AC57F0 0x86AB9C1C 0x80001772
> Feb 6 20:45:28 192.168.3.210 117: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-MEMDUMP: 0x86AC28FC: 0x1 0x86AC2980 0x15C 0x86D41800
> Feb 6 20:45:28 192.168.3.210 118: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 UTC: %SYS-6-STACKLOW: Stack for process Virtual Exec running low, 12/12000
> Feb 6 20:45:40 192.168.3.250 1038: TAMQFLTART1: Feb 7 2010 01:45:39 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel3, changed state to down
> -------
>
> Sometimes I'll get a crashinfo file, other times I will not.
> From a previous crash info:
>
> -------------
> CMD: 'sh isis database' 21:23:27 UTC Sat Feb 6 2010
> validblock_diagnose, code = 2
>
> current memory block, bp = 0x8700E0B0,
> memorypool type is Processor
> data check, ptr = 0x8700E0E0
>
> next memory block, bp = 0x87010FC4,
> memorypool type is Processor
> data check, ptr = 0x87010FF4
>
> previous memory block, bp = 0x870053DC,
> memorypool type is Processor
> data check, ptr = 0x8700540C
> ========= Dump bp = 0x8700E0B0 ======================
> =========
> Feb 6 2010 21:24:09 UTC: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/1),process = Check heaps.
> -Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22C8Cz 0x80B20EC8z 0x82050E18z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
> ========== Dump bp->next = 0x87010FC4 ======================
> ========== Dump bp->previous = 0x870053F0 =====================
> Feb 6 2010 21:24:11 UTC: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (1/1),process = Check heaps.
> -Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22528z 0x80B20EC8z 0x820500E4z 0x82050E54z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
> ============================================
>
> Feb 6 2010 21:24:12 UTC: %SYS-3-BADMAGIC: Corrupt block at 8700E0B0 (magic 8700E350), -Traceback= 0x82052388z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
> Feb 6 2010 21:24:12 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
> 873068BC,80BAE58C 873068BC,40000294 859EC9B4,80BAE570 859EC9B4,3000021E
> 86EAC770,8154FFC0 86EA8998,8154FE24 86EA8998,8154FE24 859EC9B4,81540E3C
> Feb 6 2010 21:24:12 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
> 859EC9B4,8153B354 859EC9B4,3000021E 86EA8998,8154FE88 86EAB098,81569A98
> 86EA8998,8154FE88 86EA8998,8154FE24 86EA8998,8154FE24 86EA8998,8154EE70
> Feb 6 2010 21:24:12 UTC: %SYS-6-BLKINFO: Corrupted magic value in in-use block blk 8700E0B0, words 6002, alloc 8012DAC4, InUse, dealloc FFFFFFFF, rfcnt 1, -Traceback= 0x82010150z 0x82052618z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
> Feb 6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0B0: 0x8700E350 0x813E0508 0x0 0x0
> Feb 6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0C0: 0x8012DAC4 0x87010FC4 0x870053F0 0x80001772
> Feb 6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0D0: 0x1 0x0 0x8700E158 0x872550DC
>
> %Software-forced reload
>
> 21:24:12 UTC Sat Feb 6 2010: Unexpected exception to CPU: vector 1500, PC = 0x8011E220, LR = 0x8011E1E4
>
> -Traceback= 0x8011E220z 0x8011E1E4z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
>
> CPU Register Context:
> MSR = 0x02029220  CR  = 0x28000042  CTR = 0x81F26400  XER = 0x00000000
> R0  = 0x8011E1E4  R1  = 0x8511CBA8  R2  = 0xFFE97C10  R3  = 0x83FA9978
> R4  = 0x82F869BC  R5  = 0x00000000  R6  = 0x83970000  R7  = 0x82F60000
> R8  = 0x02029220  R9  = 0x83AD0000  R10 = 0x00000000  R11 = 0x00000000
> R12 = 0x24000088  R13 = 0xFFE994A8  R14 = 0x820554DC  R15 = 0x00000000
> R16 = 0x00000000  R17 = 0x00000000  R18 = 0x00000000  R19 = 0x00000000
> R20 = 0x00000000  R21 = 0x00000000  R22 = 0x83D60000  R23 = 0x83D60000
> R24 = 0xAB1234AB  R25 = 0xAB1234CD  R26 = 0x83D60000  R27 = 0x85FBD91C
> R28 = 0x00000000  R29 = 0x83647534  R30 = 0x83980000  R31 = 0x00000000
> ------
>
> I've tried this on both 1811w's on my network and had the exact same problems. Anyone else seen this or know if it's a known bug? I've searched the cisco site and cannot find a reference to this issue.
>
> --
> Bryan Fields
>
> 727-409-1194 - Voice
> 727-214-2508 - Fax
> http://bryanfields.net

From roddy.strachan at staff.netspace.net.au Sun Feb 7 18:05:39 2010
From: roddy.strachan at staff.netspace.net.au (Roddy Strachan)
Date: Mon, 08 Feb 2010 10:05:39 +1100
Subject: [c-nsp] ASR etherchannel
Message-ID:

Hey all,

Currently we run two ASR 1004's in an LNS environment, we are about to reach the maximum of 1GB on the port into our core network, so I'm thinking of ways to give us more bandwidth. One way that came to mind was using etherchannel/port-channel.

I've set this up using a 7301 to our core quite well and it seems to work.

Has anyone had any experience with the ASR side of things?

Any known issues/bugs that exist?

We are currently running IOS Version 12.2(33)XNB3

It seems the config options are there.

Basically I just want to add another gig port to the group, so we get 2GB into the core from the LNS.

Thanks
From mcdonald.richards at gmail.com Sun Feb 7 19:38:04 2010
From: mcdonald.richards at gmail.com (McDonald Richards)
Date: Mon, 8 Feb 2010 11:38:04 +1100
Subject: [c-nsp] ASR etherchannel
In-Reply-To:
References:
Message-ID: <8bde567b1002071638k66bb9101taad5bc5a8b63fd0f@mail.gmail.com>

Hi Roddy,

I think you're after etherchannel load-balancing (instead of per-VLAN) which only started in 2.4 (XND). I've not been game to use it myself so let us know how you go with it.

Macca

On Mon, Feb 8, 2010 at 10:05 AM, Roddy Strachan <roddy.strachan at staff.netspace.net.au> wrote:
> Hey all,
>
> Currently we run two ASR 1004's in an LNS environment, we are about to reach the maximum of 1GB on the port into our core network, so I'm thinking of ways to give us more bandwidth. One way that came to mind was using etherchannel/port-channel.
>
> I've set this up using a 7301 to our core quite well and it seems to work.
>
> Has anyone had any experience with the ASR side of things?
>
> Any known issues/bugs that exist?
>
> We are currently running IOS Version 12.2(33)XNB3
>
> It seems the config options are there.
>
> Basically I just want to add another gig port to the group, so we get 2GB into the core from the LNS.
>
> Thanks
From jrjahangir at yahoo.com Sun Feb 7 23:45:20 2010
From: jrjahangir at yahoo.com (mdjahangir hossain)
Date: Sun, 7 Feb 2010 20:45:20 -0800 (PST)
Subject: [c-nsp] Netflow problem ...In Cisco 7606 Router
Message-ID: <332919.67370.qm@web53608.mail.re2.yahoo.com>

Dear concern:

I faced a problem in a cisco SAR-7606 router about netflow. When I enable netflow, access to this router is so slow. It would be nice for me if anyone can help with how I can enable netflow in a cisco 7606 router without this type of problem.

Here is the router IOS information:

BOOTLDR: Cisco IOS Software, c7600s3223_rp Software (c7600s3223_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRD2a, RELEASE SOFTWARE (fc2)

System image file is "sup-bootdisk:c7600s3223-adventerprisek9-mz.122-33.SRD2a.bin

Thanks
Jahangir Hossain

From kloch at kl.net Mon Feb 8 00:30:11 2010
From: kloch at kl.net (Kevin Loch)
Date: Mon, 08 Feb 2010 00:30:11 -0500
Subject: [c-nsp] Netflow problem ...In Cisco 7606 Router
In-Reply-To: <332919.67370.qm@web53608.mail.re2.yahoo.com>
References: <332919.67370.qm@web53608.mail.re2.yahoo.com>
Message-ID: <4B6FA163.4090101@kl.net>

mdjahangir hossain wrote:
> Dear concern:
>
> I faced a problem in a cisco SAR-7606 router about netflow. When I enable netflow, access to this router is so slow. It would be nice for me if anyone can help with how I can enable netflow in a cisco 7606 router without this type of problem.
>
> Here is the router IOS information:
>
> BOOTLDR: Cisco IOS Software, c7600s3223_rp Software (c7600s3223_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRD2a, RELEASE SOFTWARE (fc2)
>
> System image file is "sup-bootdisk:c7600s3223-adventerprisek9-mz.122-33.SRD2a.bin

As badly as netflow is broken on the 7600's (and more so than usual in SRD*), it shouldn't affect your RP cpu to the point of being "so slow". It sounds like you have enabled something that can only be done in software on the RP. A quick search found:

http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps5972/prod_qas0900aecd80350bfc.html

> table 3:
>
> Bridged NetFlow, Multicast NetFlow with v9 export
> Cisco IOS Software only

I don't have any sup32's so I don't know if it's any netflow v9 or just the specific types listed. You might try a different type than v9 and/or try increasing the sub-sampling level. I use:

mls nde sender version 5
mls sampling packet-based 1024 8192

I also recommend avoiding SRD for netflow, SRC seems to be much less buggy.

- Kevin

From elmi at 4ever.de Mon Feb 8 03:26:20 2010
From: elmi at 4ever.de (Elmar K. Bins)
Date: Mon, 8 Feb 2010 09:26:20 +0100
Subject: [c-nsp] ASR etherchannel
In-Reply-To:
References:
Message-ID: <20100208082620.GR26720@ronin.4ever.de>

roddy.strachan at staff.netspace.net.au (Roddy Strachan) wrote:
> Currently we run two ASR 1004's in an LNS environment, we are about to reach the maximum of 1GB on the port into our core network, so I'm thinking of ways to give us more bandwidth. One way that came to mind was using etherchannel/port-channel.
>
> I've set this up using a 7301 to our core quite well and it seems to work.
>
> Has anyone had any experience with the ASR side of things?

Yes. It simply doesn't work. ("It" being a dot1q trunk to a pair of 3750s in my case)

Lucky me only had to put two VLANs on that bundle, so I could disentangle (but lost redundancy, of course).

That's 12.2(33)XNC1t, btw.
I haven't reported that bug yet, because I thought "why should it always be me?", but I have not heard of a fix yet.

Yours,
Elmar.

From THamdi at sbm.com.sa Mon Feb 8 03:58:24 2010
From: THamdi at sbm.com.sa (Tarig Hamdi)
Date: Mon, 8 Feb 2010 11:58:24 +0300
Subject: [c-nsp] Tarig Hamdi is out of the office.
Message-ID:

I will be out of the office starting 02/08/2010 and will not return until 02/15/2010.

From jawwad14 at gmail.com Mon Feb 8 05:12:51 2010
From: jawwad14 at gmail.com (Muhammad Jawwad Paracha)
Date: Mon, 8 Feb 2010 15:12:51 +0500
Subject: [c-nsp] Cisco 6506 ACL problem
Message-ID:

Dear All,

We are facing a problem in Cisco 6506 equipment regarding ACLs. It has occurred 3 times that ACLs that are implemented on the device stop working for 1-2 minutes. Appreciate it if you can suggest any solution to this problem.

Thank you

From asturluismi at gmail.com Mon Feb 8 08:15:29 2010
From: asturluismi at gmail.com (luismi)
Date: Mon, 08 Feb 2010 14:15:29 +0100
Subject: [c-nsp] PGM and multicast
Message-ID: <1265634929.7354.6.camel@hal9000>

Is there anyone here using multicast and PGM?

We have several multicast services -video and audio streams- and sometimes we have incidents because the service is not ok, and we would like to deploy PGM to have more control.

So, my questions are...

Is it possible to manage the rx buffer of the multicast in a router to add a delay (around 2secs) to avoid disruptions while the PGM is asking the other hop for the lost packet?

Windows XP looks to support PGM, what about linux? any experience?

Any commercial encoder with PGM support there?

Is it possible to collect information through snmp about PGM stats? (I asked this to create alarms in nagios as well as some graphics :)

Any other comments would be welcome too.
From koug at intracom.gr Mon Feb 8 08:29:53 2010
From: koug at intracom.gr (John Kougoulos)
Date: Mon, 8 Feb 2010 15:29:53 +0200 (EET)
Subject: [c-nsp] Cisco 6506 ACL problem
In-Reply-To:
References:
Message-ID:

On Mon, 8 Feb 2010, Muhammad Jawwad Paracha wrote:
> Dear All,
>
> We are facing a problem in Cisco 6506 equipment regarding ACLs. It has occurred 3 times that ACLs that are implemented on the device stop working for 1-2 minutes.

Hello,

I think that I recently saw somewhere to prefer named ACLs instead of numeric because numeric are merged line by line while named when you press ^Z

Regards,
John

From copse at xy.org Mon Feb 8 08:55:56 2010
From: copse at xy.org (Roger Wiklund)
Date: Mon, 8 Feb 2010 14:55:56 +0100
Subject: [c-nsp] eBGP multihop, CE default route, using PBR instead of dynamic routing?
Message-ID:

Hi

We have an MPLS customer who is running IS-IS on their LAN, and then redistributing that into BGP to our core.

This was the original standard setup:
PE----ebgp-----CE----ebgp-----CUSTOMER----ISIS

So that worked just fine, but the customer wanted the IS-IS metric to be injected into BGP MED. This can be done, but with the setup above, MED is only sent to the CE router, after that it's removed.

So what we did was to set up eBGP multihop from the PE directly to the customer's router. We then used BGP on the CE to the customer's router, and from the CE to PE we used a default route.

Now, this site is the customer's HUB site so somewhere in their LAN, they have an Internet breakout. So the customer is injecting a default route from their router, into the MPLS.

So what happened now is when another standard site in the MPLS tried to reach the internet, we had a loop between the PE and CE. Because the PE will send it to the CE, and the CE will have a static default route back to the PE.

So to fix this, I skipped the default static route on the CE, and enabled eBGP between the PE and CE. That way the CE has full knowledge of both sides.
However, this is not an optimal solution; I don't want to have 2 BGP peerings on the PE.

So, this is what I came up with, and this is where I would like your input.

In my lab, I have the same setup, so I removed all the static routes and dynamic routing on the CE. So basically everything is broken, because the CE doesn't know where to send the traffic to.

I then configured policy based routing, created an ACL permitting all traffic, and created 2 route-maps that match on the ACL and set the next hop. I then applied the route-maps to each interface on the CE.

So, when traffic comes into the CE from the PE, I match on everything and set the next hop to the customer's router. And vice versa in the other direction. I tested it and it worked, and it has no dynamic routing whatsoever.

But this is just in the lab; I really can't say what will happen in the live network.

Has anyone done anything similar? Will PBR eat up all the CPU? Any other problems that may occur? I mean, all I want to do on the CE is shuffle the traffic from one interface to another.

Thanks

Regards
Roger

From me at falz.net Mon Feb 8 09:11:44 2010
From: me at falz.net (Chris Wopat)
Date: Mon, 8 Feb 2010 08:11:44 -0600
Subject: [c-nsp] 2811 login issues
Message-ID:

I have a 2811 that stopped accepting logins from its FastEthernet interface last week out of the blue. When this happened there were no config changes, router reboots, etc. It has a Multilink bundle unnumbered via that FastEthernet interface and it *does* accept logins from this direction. Config is simple, a default route via FA and a /24 via MU.

A few other odd symptoms:

- 'copy tftp flash' will work for about 12 seconds and then begin to time out.
- telnetting from the router to anywhere immediately gives "Destination unreachable; gateway or host down" without even really trying.

What's even more strange is that everything works fine the first 5-10 minutes after a reboot.
It was running 12.4(15)XY1 and I was able to get it to 12.4(15)XY3 to see if it was a bug. It's running XY for support for its HWIC-4T1/E1.

In an attempt to rule out an upstream routing problem I've added its default gateway (3.89) to the login ACL and it gives the same symptoms when connecting from there. It seems to be completely dropping packets vs rejecting them, as it still does if you connect from an IP not on that ACL.

'debug ip packet' shows this when connecting via telnet or ssh:

Feb 8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0), d=10.170.3.90, len 60, rcvd 2
Feb 8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0), d=10.170.3.90, len 60, stop process pak for forus packet

Thoughts?

--Chris

From philxor at gmail.com Mon Feb 8 09:33:12 2010
From: philxor at gmail.com (Phil Bedard)
Date: Mon, 8 Feb 2010 09:33:12 -0500
Subject: [c-nsp] eBGP multihop, CE default route, using PBR instead of dynamic routing?
In-Reply-To:
References:
Message-ID:

What kind of devices are you using? The device will probably make more difference than anything else with regards to PBR.

I would say generally having the two BGP peering connections is one solution to the ebgp multihop problem. Another solution would be to use a tunnel (probably GRE) between the customer router and your PE through the CE, and run ebgp directly over the tunnel interfaces, but you still need to know how to get to the endpoints.

What about using static MEDs? More information on what they want to accomplish by using MEDs would be useful as well.

Phil

On Feb 8, 2010, at 8:55 AM, Roger Wiklund wrote:

> Hi
>
> We have an MPLS customer who is running IS-IS on their LAN, and then
> redistributing that into BGP to our core.
>
> This was the original standard setup:
> PE----ebgp-----CE----ebgp-----CUSTOMER----ISIS
>
> So that worked just fine, but the customer wanted the IS-IS metric to be
> injected into BGP MED.
> This can be done, but with the setup above, MED is
> only sent to the CE router, after that it's removed.
>
> So what we did was to setup eBGP multihop from the PE directly to the
> customer's router. We then used BGP on the CE to the customer's router, and
> from the CE to PE we used a default route.
>
> Now, this site is the customer's HUB site so somewhere in their LAN, they
> have an Internet breakout. So the customer is injecting a default route from
> their router, into the MPLS.
>
> So what happened now is when another standard site in the MPLS tried to reach
> the internet, we had a loop between the PE and CE. Cause the PE will send it
> to the CE, and the CE will have a static default route back to the PE.
>
> So to fix this, I skipped the default static route on the CE, and enabled
> eBGP between the PE and CE. That way the CE has full knowledge about both
> sides.
> However, this is not an optimal solution, I don't want to have 2 BGP peerings
> on the PE.
>
> So, what I came up with, and this is where I would like your input on.
>
> In my lab, I have the same setup, so I removed all the static routes and
> dynamic routing on the CE. So basically everything is broken, because the CE
> doesn't know where to send the traffic to.
> I then configured policy based routing, and created an ACL permit all
> traffic, and created 2 route-maps, that match on the ACL, and set the
> next hop. I then applied the route-maps to each interface on the CE.
>
> So, when traffic coming into the CE from the PE, I match on everything, and
> set the next hop to the customer's router. And vice versa in the other
> direction. I tested it and it worked, and it has no dynamic routing
> whatsoever.
>
> But this is just in the Lab, I really can't say what will happen in the live
> network.
>
> Has anyone done anything similar? Will PBR eat up all the CPU process? Any
> other problems that may occur?
> I mean, all I want to do on the CE is shuffle
> the traffic from one interface to another.
>
> Thanks
>
> Regards
> Roger
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From awain567 at yahoo.com Mon Feb 8 10:47:27 2010
From: awain567 at yahoo.com (Alex Wa)
Date: Mon, 8 Feb 2010 07:47:27 -0800 (PST)
Subject: [c-nsp] weird issue with IBM blade center switch 3012
Message-ID: <123834.11532.qm@web58004.mail.re3.yahoo.com>

Hi guys,

I have to configure several Cisco 3012 switches for a project and I'm kind of stuck with an issue I can't really figure out.

This is the situation. I have two 6509s as the core, to which I'm connecting 12 3012s. Most of them work fine, but with 3 of them I'm not able to ping between them (through 2 vlan interfaces on the same vlan). Trunks are configured between them, spanning tree is running as it should, the vlan is allowed on the trunk, and they even see each other through CDP. Let's say the 6509 side is A and the 3012 is B.

Situation #1: when you ping B from A, B has correct entries in the arp and mac-add tables (for A); A doesn't have them for B. A is still unable to ping B.

Situation #2: when you ping A from B, B is not able to resolve A's mac-add, so the arp entry for A is incomplete. But the curious thing is that even when B has A's mac-add (situation A) it's not able to ping A.

Debug commands show encapsulation failure (as they should with a regular incomplete entry). Nothing in the log. Masks verified as the same.

Also tried creating it all over again with a different sequence (VLAN, int VLAN, trunk) with the same results. And, the weirdest thing of all: it works on some switches with the exact same config and layout!!

Comments, suggestions, ideas on what to do next? Any help will be highly appreciated.
alejandro wainshtok

From Jonathan.Soler at eu.didata.com Mon Feb 8 11:26:44 2010
From: Jonathan.Soler at eu.didata.com (Jonathan Soler (Europe))
Date: Mon, 8 Feb 2010 17:26:44 +0100
Subject: [c-nsp] Routing between site to site VPNs
Message-ID: <67FB78EB09CB274DBEF2FE672B640402015E1351@EUBEBRUSVEX1.eu.didata.local>

Hello,

We would like to know if it is possible to forward traffic between site-to-site VPNs that are established on the same physical interface of a router. And in a firewall?

Jonathan

From mksmith at adhost.com Mon Feb 8 12:32:11 2010
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 8 Feb 2010 09:32:11 -0800
Subject: [c-nsp] Routing between site to site VPNs
In-Reply-To: <67FB78EB09CB274DBEF2FE672B640402015E1351@EUBEBRUSVEX1.eu.didata.local>
References: <67FB78EB09CB274DBEF2FE672B640402015E1351@EUBEBRUSVEX1.eu.didata.local>
Message-ID: <17838240D9A5544AAA5FF95F8D520316078DD62D@ad-exh01.adhost.lan>

Hello Jonathan:

That should be possible. See http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml about Intra-interface communications for the PIX/ASA. I'm not sure if the same exists for routers, however.

Mike

--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jonathan Soler (Europe)
> Sent: Monday, February 08, 2010 8:27 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Routing between site to site VPNs
>
> Hello,
>
> We would like to know if it is possible to forward traffic between
> site-to-site VPNs that are established in the same physical interface
> of a router? And in a firewall?
>
> Jonathan
>

From zeusdadog at gmail.com Mon Feb 8 12:55:51 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 8 Feb 2010 12:55:51 -0500
Subject: [c-nsp] ISR IPS module
Message-ID: <9418aca71002080955o76ace1e3lca159311edd382a@mail.gmail.com>

Has anyone used these cards on ISRs?

https://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/product_data_sheet0900aecd806c4e2a_ps2641_Products_Data_Sheet.html

Any opinions? How effective is it? Is it worth using?

Also, what is your opinion on doing IPS without the hardware card on an ISR? My experience is it bogs down the router too much and you have to be so careful about what to include in scanning that it wasn't worth the effort. But that was before Cisco changed the signature format and how it scanned traffic at around 12.4(11)T.

From nick.jon.griffin at gmail.com Mon Feb 8 13:08:27 2010
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Mon, 8 Feb 2010 12:08:27 -0600
Subject: [c-nsp] "show stats" question
Message-ID:

Can anyone confirm, for the command below, whether the Chars In/Out figures are listed in bytes? I'm unable to find this command documented anywhere on CCO to get a better description of the command and its output. The 6509 "show stats"
command gives the following information:

Vlan2
  Switching path       Pkts In     Chars In    Pkts Out    Chars Out
  Processor              14342      1650437        2492       166010
  Route cache              534        55212         149        11166
  Distributed cache    7169590   6090148689     8831508   9040962158
  Total                7184466   6091854338     8834149   9041139334

Thanks,
Nick Griffin

From andrew.gabriel at sanmina-sci.com Mon Feb 8 13:27:02 2010
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel)
Date: Mon, 8 Feb 2010 23:57:02 +0530
Subject: [c-nsp] Routing between site to site VPNs
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316078DD62D@ad-exh01.adhost.lan>
References: <67FB78EB09CB274DBEF2FE672B640402015E1351@EUBEBRUSVEX1.eu.didata.local> <17838240D9A5544AAA5FF95F8D520316078DD62D@ad-exh01.adhost.lan>
Message-ID:

If you use a Cisco Router you can have a site-to-site VPN with multiple 'tunnel' interfaces on the router, which might all make use of the same physical interface. These work just like regular interfaces as far as routing is concerned and you can easily route between them.

Regards,
Andrew Gabriel.

On Mon, Feb 8, 2010 at 11:02 PM, Michael K. Smith - Adhost <mksmith at adhost.com> wrote:

> Hello Jonathan:
>
> That should be possible. See
> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
> about Intra-interface communications for the PIX/ASA. I'm not sure if the
> same exists for routers, however.
>
> Mike
>
> --
> Michael K. Smith - CISSP, GSEC, GISP
> Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> w: +1 (206) 404-9500 f: +1 (206) 404-9050
> PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jonathan Soler (Europe)
> > Sent: Monday, February 08, 2010 8:27 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Routing between site to site VPNs
> >
> > Hello,
> >
> > We would like to know if it is possible to forward traffic between
> > site-to-site VPNs that are established in the same physical interface
> > of a router? And in a firewall?
> >
> > Jonathan

From unixhead at gmail.com Mon Feb 8 13:40:20 2010
From: unixhead at gmail.com (Matt Bennett)
Date: Mon, 8 Feb 2010 18:40:20 +0000
Subject: [c-nsp] weird issue with IBM blade center switch 3012
In-Reply-To: <123834.11532.qm@web58004.mail.re3.yahoo.com>
References: <123834.11532.qm@web58004.mail.re3.yahoo.com>
Message-ID:

Have you moved the switch modules within the IBM chassis? If so you could try putting them back in the original locations. We've had similar connectivity issues when we'd swapped modules around in the chassis; I think it was related to the MM not liking that serial number appearing on a different slot.

Regards,
Matt

On Mon, Feb 8, 2010 at 3:47 PM, Alex Wa wrote:

> Hi guys,
>
> I have to configure several Cisco 3012 switches for a project and I'm kind
> of stuck with an issue I can't really figure out.
>
> This is the situation. I have a two 6509s core to which I'm connecting 12
> 3012s. most of them work fine but with 3 of them I'm not able to ping each
> other (through 2 vlan interfaces on same vlan). trunks are configured
> between them, spanning tree running as it should, vlan allowed on trunk, I
> even see each other through CDP. let's say 6509 side is A and 3012 is B.
>
> situation #1: when you ping B from A, B have correct entries in the arp
> and mac-add tables (for A), A doesn't have them for B. A still unable to
> ping B
>
> situation #2 when you ping A from B, B is not able to resolve A's mac-add
> so arp entry for A is incomplete.
> but the curious thing is that even when B
> has A mac-add (situation A) it's not able to ping A.
>
> debug commands show encapsulation failure (as it should with a regular
> incomplete entry). nothing on the log. masks verified as the same.
>
> Also tried creating all over again with different sequence (VLAN, int VLAN,
> trunk) with same results. And, the most weird thing of all: it works on some
> switches with the exact same config and layout!!
>
> comments, suggestions, ideas on what to do next? any help will be highly
> appreciated
>
> alejandro wainshtok
>

From awain567 at yahoo.com Mon Feb 8 14:10:51 2010
From: awain567 at yahoo.com (Alex Wa)
Date: Mon, 8 Feb 2010 11:10:51 -0800 (PST)
Subject: [c-nsp] weird issue with IBM blade center switch 3012
In-Reply-To:
Message-ID: <291680.53808.qm@web58002.mail.re3.yahoo.com>

Matt,

I'll need to ask the IBM guys if they did so. I received the switches in their current positions.

Thanks,
Alejandro Wainshtok

--- On Mon, 2/8/10, Matt Bennett wrote:

From: Matt Bennett
Subject: Re: [c-nsp] weird issue with IBM blade center switch 3012
To: "Alex Wa"
Cc: cisco-nsp at puck.nether.net
Date: Monday, February 8, 2010, 10:40 AM

Have you moved the switch modules within the IBM chassis? If so you could try putting them back in the original locations. We've had similar connectivity issues when we'd swapped modules around in the chassis, I think it was related to the MM not liking that serial number appearing on a different slot.

Regards,
Matt

On Mon, Feb 8, 2010 at 3:47 PM, Alex Wa wrote:

Hi guys,

I have to configure several Cisco 3012 switches for a project and I'm kind of stuck with an issue I can't really figure out.

This is the situation. I have a two 6509s core to which I'm connecting 12 3012s.
most of them work fine but with 3 of them I'm not able to ping each other (through 2 vlan interfaces on same vlan). trunks are configured between them, spanning tree running as it should, vlan allowed on trunk, I even see each other through CDP. let's say 6509 side is A and 3012 is B.

situation #1: when you ping B from A, B have correct entries in the arp and mac-add tables (for A), A doesn't have them for B. A still unable to ping B

situation #2 when you ping A from B, B is not able to resolve A's mac-add so arp entry for A is incomplete. but the curious thing is that even when B has A mac-add (situation A) it's not able to ping A.

debug commands show encapsulation failure (as it should with a regular incomplete entry). nothing on the log. masks verified as the same.

Also tried creating all over again with different sequence (VLAN, int VLAN, trunk) with same results. And, the most weird thing of all: it works on some switches with the exact same config and layout!!

comments, suggestions, ideas on what to do next? any help will be highly appreciated

alejandro wainshtok

From lukasz at bromirski.net Mon Feb 8 14:27:01 2010
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Mon, 08 Feb 2010 20:27:01 +0100
Subject: [c-nsp] ISR IPS module
In-Reply-To: <9418aca71002080955o76ace1e3lca159311edd382a@mail.gmail.com>
References: <9418aca71002080955o76ace1e3lca159311edd382a@mail.gmail.com>
Message-ID: <4B706585.2070804@bromirski.net>

On 2010-02-08 18:55, Jay Nakamura wrote:
> Any opinions? How effective is it? Is it worth using?

It is an appliance on a card, so it is as effective as the real box, however with less performance due to a slower CPU.

> Also, what is your opinion on doing IPS without the hardware card on
> an ISR?
> My experience is it bogs down the router too much and you
> have to be so careful about what to include in scanning that it wasn't
> worth the effort. But that was before Cisco changed the signature
> format and how it scanned traffic at around 12.4(11)T.

Performance should be better at 12.4(15)T and later, but as you said, doing inspection on traffic requires a lot of CPU cycles. CPUs driving ISRs are in that term a lot slower than the x86-family CPUs driving the add-on modules, so the outcome is obvious.

--
"Everything will be okay in the end.   | Łukasz Bromirski
 If it's not okay, it's not the end.   | http://lukasz.bromirski.net

From matt at melbourne.org.uk Mon Feb 8 14:59:36 2010
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Mon, 8 Feb 2010 19:59:36 -0000
Subject: [c-nsp] Load-sharing with two links to the same ISP
In-Reply-To:
References:
Message-ID: <000901caa8f9$3e9cd8b0$bbd68a10$@org.uk>

Thanks for the pointers towards eBGP Multipath. Can I check that this still works if two links are terminated on different edge routers (though with iBGP between the edge routers)? I assume this will use additional TCAM resources (Sup720-3BXL) in maintaining two routes per prefix, which could be significant for a full BGP feed?

Cheers,

Matt

-----Original Message-----
From: Erik Cuevas [mailto:ecuevas at fxcm.com]
Sent: 05 February 2010 12:33
To: Matthew Melbourne
Subject: RE: [c-nsp] Load-sharing with two links to the same ISP

Did you check out BGP multipath?

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml

or if the AS Path is different try...
bgp bestpath as-path multipath-relax (it's hidden)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Melbourne
Sent: Friday, February 05, 2010 6:33 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Load-sharing with two links to the same ISP

Hi,

What techniques are available to load-share traffic on two links (of equal bandwidth) to the same ISP (same AS), given that BGP only enters the best path into the RIB?

We could announce our prefixes over both links, splitting the preferred path announcements over the two links, either using MED or ISP communities, but this only really addresses inbound traffic.

More of an issue is trying to load-share outbound traffic; we assume we'll learn the same set of prefixes over both links from the same ISP. One technique may be to simply split the IPv4 address space in half and local-pref accordingly to prefer one link or the other depending on the destination IP prefix?

Cheers,

Matt

--
Matthew Melbourne

From kunkel at w-link.net Mon Feb 8 14:08:26 2010
From: kunkel at w-link.net (Rick Kunkel)
Date: Mon, 8 Feb 2010 11:08:26 -0800 (Pacific Standard Time)
Subject: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30
Message-ID:

Hello all...

Right now, I've got a bunch of customers connected to a bunch of switchports using different VLANs. I've got 802.1q running between the switches, and then a router attached with a bunch of subinterfaces, one for each VLAN. Assigned to each of these subinterfaces is the customer's gateway IP address.
So, for instance, I have something like this for the customer port:

    interface FastEthernet 1/12
     switchport access vlan 80

Then the switch is connected to a router, with an interface like this:

    interface GigabitEthernet 0/1.80
     encapsulation dot1Q 80
     ip address X.X.X.2 255.255.255.252

Pretty standard stuff....

So, now, we're opening another location, and we've got some customers interested in having some equipment in the first location and some in the second, and having it all be part of the same network. The connection between the two locations is ethernet, and the hardware is (well, will be as soon as we upgrade out of a 7200) a 6509 on either side, and I think it'd be pretty cool to run an 802.1q trunk between them using 6509 switchports instead of routed ports. However, I've got some problems, or at least I'm having trouble wrapping my brain around some things...

1. In the interests of keeping things simple, is it a "bad" idea to use an 802.1q trunk for backbone connectivity?

2. I'd normally set up this kind of point-to-point link using a /30, using interfaces in "routed" mode, and assigning the addresses to the interfaces on each end of the link. If using an 802.1q trunk with interfaces in "switchport" mode, would it be advisable to use loopback interfaces for these addresses instead?

3. I'm used to having the customer's gateway set on that Gigabit subinterface, as above. But if I want this customer to have their stuff on the same VLAN in both locations, AFAIK, I should set switchport access VLAN 80 on both their access ports. I'm then stuck figuring out where to put the gateway address for their IP space. Again, would loopback interfaces be good candidates for this? Or perhaps a VLAN interface, as weird as that seems to me?

4.
My motivation for doing any of this in the first place, as opposed to a simple /30 point-to-point interface, is to allow customers to have access to layer 2 across our network, whether it be for internal use or for purchasing third-party connectivity. Is it "acceptable" to use our single point-to-point ethernet for this, or should I be using a separate network for this entirely?

Thanks!

Rick

From rupeni_t at usp.ac.fj Mon Feb 8 15:29:16 2010
From: rupeni_t at usp.ac.fj (Terry Rupeni (ITS-USP))
Date: Tue, 9 Feb 2010 08:29:16 +1200
Subject: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30
In-Reply-To:
References:
Message-ID: <004401caa8fd$62fb0250$28f106f0$@ac.fj>

I'd go with the 802.1q trunked backbone. It gives you the flexibility of spanning vlans across a network. As for point 3, how about a virtual vlan interface on one of the 6509s? If you have ample capacity over your backbones I don't see a problem with where the virtual vlan is to be terminated. Also, with subinterfaces you run the risk of oversubscribing the actual physical interface bandwidth.

Hope I'm making sense!

Terry Rupeni

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Kunkel
Sent: Tuesday, 9 February 2010 7:08 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30

Hello all...

Right now, I've got a bunch of customers connected to a bunch of switchports using different VLANs. I've got 802.1q running between the switches, and then a router attached with a bunch of subinterfaces, one for each VLAN. Assigned to each of these subinterfaces is the customer's gateway IP address.
So, for instance, I have something like this for the customer port:

    interface FastEthernet 1/12
     switchport access vlan 80

Then the switch is connected to a router, with an interface like this:

    interface GigabitEthernet 0/1.80
     encapsulation dot1Q 80
     ip address X.X.X.2 255.255.255.252

Pretty standard stuff....

So, now, we're opening another location, and we've got some customers interested in having some equipment in the first location and some in the second, and having it all be part of the same network. The connection between the two locations is ethernet, and the hardware is (well, will be as soon as we upgrade out of a 7200) a 6509 on either side, and I think it'd be pretty cool to run an 802.1q trunk between them using 6509 switchports instead of routed ports. However, I've got some problems, or at least I'm having trouble wrapping my brain around some things...

1. In the interests of keeping things simple, is it a "bad" idea to use an 802.1q trunk for backbone connectivity?

2. I'd normally set up this kind of point-to-point link using a /30, using interfaces in "routed" mode, and assigning the addresses to the interfaces on each end of the link. If using an 802.1q trunk with interfaces in "switchport" mode, would it be advisable to use loopback interfaces for these addresses instead?

3. I'm used to having the customer's gateway set on that Gigabit subinterface, as above. But if I want this customer to have their stuff on the same VLAN in both locations, AFAIK, I should set switchport access VLAN 80 on both their access ports. I'm then stuck figuring out where to put the gateway address for their IP space. Again, would loopback interfaces be good candidates for this? Or perhaps a VLAN interface, as weird as that seems to me?

4.
My motivation for doing any of this in the first place, as opposed to a simple /30 point-to-point interface, is to allow customers to have access to layer 2 across our network, whether it be for internal use or for purchasing third-party connectivity. Is it "acceptable" to use our single point-to-point ethernet for this, or should I be using a separate network for this entirely?

Thanks!

Rick

From gururug at gmail.com Mon Feb 8 17:09:47 2010
From: gururug at gmail.com (Imran K)
Date: Tue, 9 Feb 2010 09:09:47 +1100
Subject: [c-nsp] Routing between site to site VPNs
Message-ID: <25d943641002081409t5bfef84dta9fec6c8e2e6cdcd@mail.gmail.com>

You will have to supply more information on what exactly you are trying to do here. The "physical" interface is transparent to the routing process except for linking the tunnel to it. You may require some *route maps* if you are trying to achieve something non-basic.

From bacon at walleyesoftware.com Mon Feb 8 18:09:04 2010
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Mon, 8 Feb 2010 17:09:04 -0600
Subject: [c-nsp] 3560G as WAN-aggregation-layer
Message-ID: <5A69C25361FED34F83ABF05F5047524507F05FB1@wally.walleyetrading.net>

Greetings.

I know this is going to sound pretty, well, lame. But...

I currently have a couple of routers (a 7204/NPE-G1 and a 3845) front-ending my WAN connections, which are all metro Ethernet, mostly gig ports which are policed at some CIR, or 100Mbit. The routers are big, expensive, and really don't do much - oh, someday I would like to do some QoS...someday.

So, there is this pile of 3560Gs in the corner. I've had less-than-impressive experiences with them as server-farm access switches, which is why they are there.
However, I'm thinking that for handling a handful (4-6) of Gig-Es/100Ms which are mostly not running at capacity, as long as I distribute the ports out amongst the port ASICs (so each line has the full 2Mbit TX buffer of the port ASIC to itself), and as long as I don't do something stupid like put all 4 ports of a 4-port etherchannel in ports 1-4, they ought to be fine. The switches don't need to do much - pass the traffic, run EIGRP, a little light QoS. Our route table is tiny, relatively.

Am I going to regret this?

Conversely, how much can I really expect out of an NPE-G1?

From jay at west.net Mon Feb 8 21:42:47 2010
From: jay at west.net (Jay Hennigan)
Date: Mon, 08 Feb 2010 18:42:47 -0800
Subject: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30
In-Reply-To:
References:
Message-ID: <4B70CBA7.7090805@west.net>

Rick Kunkel wrote:
> Hello all...

> The connection between the two location is ethnernet, and the hardware
> is (well, will be as soon as we upgrade out of a 7200) a 6509 on either
> side, and I think it'd be pretty cool to run an 802.1q trunk between
> them using 6509 switchports instead of routed ports. However, I've got
> some problems, or at least I'm having trouble wrapping my brain around
> some things...
>
> 1. In the interests of keeping things simple, is it a "bad" idea to use
> an 802.1q trunk for backbone connectivity?

One thing to consider is contention for the link among the VLANs. You'll want some form of QoS and/or rate limiting to ensure that a particular VLAN can't choke the link.

> 2. I'd normally set up this kind of point-to-point link using a /30,
> using interfaces in "routed" mode, and assigning the addresses to the
> interfaces on each end of the link. If using and 802.1q trunk with
> interafaces in "switchport" mode, would it be advisable to use loopback
> interfaces for these addresses instead?
>
> 3. I'm used to having the customer's gateway set on that Gigabit
> subinterface, as above.
> But if I want this customer to have their stuff
> on the same VLAN in both locations, AFAIK, I should set switchport
> access VLAN 80 on both their access ports. I'm then stuck figuring out
> where to put the gateway address for their IP space. Again, would
> loopback interfaces be good candidates for this? Or perhaps a VLAN
> interface, as weird as that seems to me?

A VLAN interface is what I would use here. You're providing a layer 2 connection between the two customer locations so their IP-layer addresses won't show up in your routing table at all. The VLAN interface is needed as the gateway, with whatever subnet mask is appropriate for the customer's network needs. See below for why this may not be a good idea.

> 4. My motivation for doing any of this in the first place, as opposed
> to a simple /30 point-to-point interface, is to allow customers to have
> access to layer 2 across our network, whether it be for internal use or
> for purchasing third-party connectivity. Is it "acceptable" to use our
> single point-to-point ethernet for this, or should I be using a separate
> network for this entirely?

As a rule, a hybrid solution with layer 2 across the customer endpoints with a layer 3 gateway to the Internet on a VLAN interface doesn't scale very well. If the customer wants their own firewall there are issues. It isn't unusual for them to have a lot of internal traffic (file server, etc.) with lower Internet needs. Metering this for billing can be an issue.

What we usually do in this scenario is to provide a layer 2 VLAN bridge on one VLAN for the customer's internal network. Then, on a separate VLAN, provide Internet access to one location. The customer can then put their own NAT firewall between the two VLANs.

For scaling among more than two customer locations and cutting down broadcast noise, consider MPLS with a VRF per customer and offer them a private routed layer 3 network.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From aftab.siddiqui at gmail.com Tue Feb 9 00:52:49 2010
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Tue, 9 Feb 2010 10:52:49 +0500
Subject: [c-nsp] Load-sharing with two links to the same ISP
In-Reply-To: <000901caa8f9$3e9cd8b0$bbd68a10$@org.uk>
References: <000901caa8f9$3e9cd8b0$bbd68a10$@org.uk>
Message-ID: <3c605ce11002082152w32998e09qfdd81ae6c34f9017@mail.gmail.com>

hi Matthew,

Keeping the current internet full feed in view, it's around 300k routes and sup720-3BXL should support 1 million routes (it's cisco though :p). So even if you terminate the links on 2 different edges coming from the same AS it should work fine.

If you are trying "bgp bestpath as-path multipath-relax" kindly share the outcomes because in my opinion it is used to load share between different as-paths. I have never tried it before.

Regards,

Aftab A. Siddiqui

On Tue, Feb 9, 2010 at 12:59 AM, Matthew Melbourne wrote:
> Thanks for the pointers towards eBGP Multipath. Can I check that this still
> works if two links are terminated on different edge routers (though with
> iBGP between the edge routers). I assume this will use additional TCAM
> resources (Sup720-3BXL) in maintaining two routes per prefix, which could
> be significant for a full BGP feed?
>
> Cheers,
>
> Matt
>
> -----Original Message-----
> From: Erik Cuevas [mailto:ecuevas at fxcm.com]
> Sent: 05 February 2010 12:33
> To: Matthew Melbourne
> Subject: RE: [c-nsp] Load-sharing with two links to the same ISP
>
> Did you check out BGP multipath?
>
> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml
>
> or if the AS Path is different try...
> bgp bestpath as-path multipath-relax (it's hidden)
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Melbourne
> Sent: Friday, February 05, 2010 6:33 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Load-sharing with two links to the same ISP
>
> Hi,
>
> What techniques are available to load-share traffic on two links (of
> equal bandwidth) to the same ISP (same AS) given that BGP only enters
> the best path into the RIB? We could announce our prefixes over both
> links, but splitting the preferred path announcements over the two
> links, either using MED or ISP communities, but this only really
> addresses inbound traffic. More of an issue is trying to load-share
> outbound traffic; we assume we'll learn the same set of prefixes over
> both links from the same ISP - one technique may be to simply split
> the IPv4 address space in half and local-pref accordingly to prefer
> one link or the other depending on the destination IP prefix?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne

From globichen at gmail.com Tue Feb 9 02:58:59 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 08:58:59 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
Message-ID:

I am running one 6509 as a core router:

IOS: SXF15a
1x WS-SUP720-3BXL
1x WS-X6748-GE-TX
2x WS-X6704-10GE

On this core I am doing BGP with 2 upstreams (full BGP table IN) and 10 downstreams (full BGP table OUT).
I am also doing OSPF with 4 other core routers in this AS.

On top of that there is one VLAN on this core that serves as a default gateway for approximately 5000 servers, producing around 30 GBps outbound traffic and 10 GBps inbound.

Recently I noticed that this core router becomes very unresponsive from time to time, dropping OSPF and BGP sessions (hold time expired and so on). SNMP generated stats become useless as well, because most SNMP requests to that core are timing out. It's really just the core that is rather slow, but reachability to my customers and from my customers to the internet remains perfect. Pinging the loopback interface of the core or any default gateway IP address of the busy VLAN can show up to 60% packet loss.

Therefore I was thinking to split the core and move this very active VLAN to a different router behind the core and only add a static route to the core, so that the new router can handle these many MAC addresses and hopefully get my core more responsive again.

Does this scenario make any sense at all? Is it wise to have one core router with many transit (in and out) BGP sessions also act as an access router / default gateway for several thousand servers? What is usually the best practice here?

Thank you for your clues.

Andy

From livio.zanol.puppim at gmail.com Tue Feb 9 05:40:59 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim)
Date: Tue, 9 Feb 2010 08:40:59 -0200
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>
Message-ID:

Yeah, you are right.
But I would like to use my Nexus 5000 10GE/FCoE ports just for access servers, maximizing its use... The uplinks from Nexus 2000 could easily go directly to my distribution/core. Unfortunately, Nexus 2000 is just a fabric extender and can ONLY be attached to Nexus 5000... Maybe CISCO changes it later...

Let's think:

10 Nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must use at my Nexus 5000. That's more than 1 entire switch (1RU) and almost 1 switch (2RU).

I haven't figured out yet what's the advantage of having this design (Nexus 2000 -> Nexus 5000) other than the "old" one (Catalyst 4948 -> Nexus 7000/Cisco 6500). That's what I'm talking about.

The only REAL advantage so far is the vPC...

2010/2/2 Brad Hedlund

> True, the Nexus 2000 does not locally switch, but let's explore that for a
> second...
>
> 1) a typical enterprise Data Center is running applications that are not
> latency sensitive, where latencies in the 10s of microseconds are perfectly
> OK and nobody is really counting anyway. Only in the small minority of Data
> Centers running high frequency trading, grid computing, or some other ultra
> low latency application, every *nanosecond* matters and local switching with
> fewer hops is of paramount importance. Furthermore, these applications are
> quickly migrating away from 1GE to 10GE attached servers for the obvious low
> latency advantages.
>
> 2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink for
> 4948. This results in a possible 1:1.2 oversubscription ratio for Nexus
> 2000 to handle the additional uplink load that may otherwise not be present
> on a 4948.
>
> 3) The upstream Nexus 5000 implements cut-through switching, and the Nexus
> 2000 itself also uses cut-through for frames entering on 1GE and egressing
> on 10GE. The two combined often result in port-to-port latencies similar
> to a Catalyst 6500, even without the "local switching".
> If you are
> comfortable with your Catalyst 6500 local switching latencies, you can
> expect similar performance from a Nexus 2000/5000 combination.
>
> --
> Brad Hedlund, CCIE #5530
> Consulting Systems Engineer, Data Center
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
> On Jan 31, 2010, at 5:25 PM, David Hughes wrote:
>
> > On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:
> >
> >> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
> >> 4948 as access layer switches?
> >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
> >> could be used by servers with 10GbE/FCoE servers.
> >
> > The N2K does no local switching so if you have any east-west traffic
> > between ports on the same switch you'll be better served by a more
> > "traditional" access switch. Naturally the N2K offers centralised
> > management etc etc but that may or may not be of interest depending on the
> > size of your deployment.
> >
> > David
> > ...

--
[]'s

Lívio Zanol Puppim

From oldnick at oldnick.ru Tue Feb 9 06:15:15 2010
From: oldnick at oldnick.ru (Sergey Nikitin)
Date: Tue, 09 Feb 2010 14:15:15 +0300
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References:
Message-ID: <4B7143C3.1030005@oldnick.ru>

Maybe you should try to find out what is the reason of the packet loss? Is there a high CPU load? Do you have control-plane configured? Do you have traffic congestion? Maybe you don't really need to redesign your network.

Andy B. wrote:
> I am running one 6509 as a core router:
>
> IOS: SXF15a
> 1x WS-SUP720-3BXL
> 1x WS-X6748-GE-TX
> 2x WS-X6704-10GE
>
> On this core I am doing BGP with 2 upstreams (full BGP table IN) and
> 10 downstreams (full BGP table OUT).
> I am also doing OSPF with 4 other core routers in this AS.
>
> On top of that there is one VLAN on this core that serves as a default
> gateway for approximately 5000 servers, producing around 30 GBps
> outbound traffic and 10 GBps inbound.
>
> Recently I noticed that this core router becomes very unresponsive
> from time to time, dropping OSPF and BGP sessions (hold time expired
> and so on). SNMP generated stats become useless as well, because most
> SNMP requests to that core are timing out. It's really just the core
> that is rather slow, but reachability to my customers and from my
> customers to the internet remains perfect. Pinging the loopback
> interface of the core or any default gateway IP address of the busy
> VLAN can show up to 60% packet loss.
>
> Therefore I was thinking to split the core and move this very active
> VLAN to a different router behind the core and only add a static route
> to the core, so that the new router can handle these many MAC
> addresses and hopefully get my core more responsive again.
>
> Does this scenario make any sense at all? Is it wise to have one core
> router with many transit (in and out) BGP sessions also act as an
> access router / default gateway for several thousand servers? What is
> usually the best practice here?
>
> Thank you for your clues.
>
> Andy

From globichen at gmail.com Tue Feb 9 07:21:47 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 13:21:47 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B7143C3.1030005@oldnick.ru>
References: <4B7143C3.1030005@oldnick.ru>
Message-ID:

CPU load is fairly normal at 20-30%

No congestion. Most links are under 50%.
I have no Control Plane Policies in place, but I have already been advised to do so - this might help, right?

Redesigning the network and shifting the busy (uncongested!) VLAN to another router seemed like the only choice we have left, unless this CPP can help?

Andy

On Tue, Feb 9, 2010 at 12:15 PM, Sergey Nikitin wrote:
>
> Maybe you should try to find out what is the reason of the packet loss? Is there a high CPU load? Do you have control-plane configured? Do you have traffic congestion? Maybe you don't really need to redesign your network.
From linux.yahoo at gmail.com Tue Feb 9 07:25:04 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 13:25:04 +0100
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>
Message-ID: <7100ed371002090425r5a942000r2521a67664cd865@mail.gmail.com>

Two key advantages:
- Technical: FCoE, vPC
- Management: you needn't manage N2Ks

R/
Manu

On Tue, Feb 9, 2010 at 11:40 AM, Livio Zanol Puppim <livio.zanol.puppim at gmail.com> wrote:
> Yeah, you are right.
>
> But I would like to use my Nexus 5000 10GE/FCoE ports just for access
> servers, maximizing its use... The uplinks from Nexus 2000 could easily
> go directly to my distribution/core. Unfortunately, Nexus 2000 is just a
> fabric extender and can ONLY be attached to Nexus 5000... Maybe CISCO
> changes it later...
>
> Let's think:
>
> 10 Nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must
> use at my Nexus 5000. That's more than 1 entire switch (1RU) and almost 1
> switch (2RU).
>
> I haven't figured out yet what's the advantage of having this design (Nexus
> 2000 -> Nexus 5000) other than the "old" one (Catalyst 4948 -> Nexus
> 7000/Cisco 6500). That's what I'm talking about.
>
> The only REAL advantage so far is the vPC...
>
> --
> []'s
>
> Lívio Zanol Puppim

From livio.zanol.puppim at gmail.com Tue Feb 9 07:37:00 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim)
Date: Tue, 9 Feb 2010 10:37:00 -0200
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: <7100ed371002090425r5a942000r2521a67664cd865@mail.gmail.com>
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> <7100ed371002090425r5a942000r2521a67664cd865@mail.gmail.com>
Message-ID:

Nexus 2000 does not have FCoE.

2010/2/9 Manu Chao
> Two key advantages:
> - Technical: FCoE, vPC
> - Management: you needn't manage N2Ks
>
> R/
> Manu
--
[]'s

Lívio Zanol Puppim

From saku at ytti.fi Tue Feb 9 07:44:35 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 14:44:35 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru>
Message-ID: <20100209124435.GA27615@mx.ytti.net>

On (2010-02-09 13:21 +0100), Andy B. wrote:
> CPU load is fairly normal at 20-30%

What is more important is whether this is process or interrupt.
In 'show proc cpu' you have x/y; y is interrupt and should be 0. If not, you are software switching something due to misconfiguration or software defect.

> No congestion. Most links are under 50%.
> I have no Control Plane Policies in place, but I have already been
> advised to do so - this might help, right?
> Redesigning the network and shifting the busy (uncongested!) VLAN to
> another router seemed like the only choice we have left, unless this
> CPP can help?

Do you see any input drops in 'sh int | i Input|^[A-Z]'?

Are you within bounds of PFC resources?
  show platform hardware capacity pfc

--
  ++ytti

From p.mayers at imperial.ac.uk Tue Feb 9 07:50:10 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 12:50:10 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru>
Message-ID: <4B715A02.8010604@imperial.ac.uk>

On 09/02/10 12:21, Andy B. wrote:
> CPU load is fairly normal at 20-30%

Is this average or during a performance event? What about the SP and any DFC CPUs? What linecards do you have in the box?

> No congestion. Most links are under 50%.
> I have no Control Plane Policies in place, but I have already been
> advised to do so - this might help, right?
>
> Redesigning the network and shifting the busy (uncongested!) VLAN to
> another router seemed like the only choice we have left, unless this

Your network doesn't sound that unusual to me. Provided you have PFC-3B/XL (and DFC-3B/XL if you're running DFCs) the 6500 ought to be able to handle it in a "steady state" (see below).

What does:

  sh mls cef maximum-routes
  sh mls cef summary

...say?

The first thing to do is determine why these performance problems are occurring. Otherwise, installing a new router might do nothing other than cost money.

You say "so that the new router can handle these many MAC addresses"; do you have any reason to believe that MAC or adjacency table size is the problem?
The 6500 can handle 64k MAC addresses at layer 2 and variable numbers of ARP/layer 3 adjacencies.

Control-plane policing will only help if CPU-punted or CPU-directed packets are causing the performance problems. MLS rate limiters may also help in that situation. Alternatively, if you're getting the BGP scanner eating lots of CPU because of churn in your full feeds, then you need to address that. It could be ICMP redirects, or layer 2 loops downstream.

How often are these performance problems occurring? Is anything logged on the router at the time? What does the output of:

  sh proc cpu | ex 0.00
  remote command switch sh proc cpu | ex 0.00
  sh platform hardware capacity forwarding

...say after a window of poor performance? How long do the events last?

As you can see, there's a lot to look into.

As to whether it's "wise" to have one router doing both jobs - it depends. Some people will I guess say "no, split them" but it's really a matter of costs and benefits. We do similar things where one 6500 does a *LOT* of work (without the full table) and have no problems.

From linux.yahoo at gmail.com Tue Feb 9 07:51:57 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 13:51:57 +0100
Subject: [c-nsp] "show stats" question
In-Reply-To:
References:
Message-ID: <7100ed371002090451q710ecd2dmd3b6fdcb8a0594f8@mail.gmail.com>

Hello Nick,

AFAIK "show stats" command doesn't exist?? If you mean the "show interfaces stats" command then you have the following description in CCO:

Chars In: Number of characters received in each switching mechanism
Chars Out: Number of characters sent out each switching mechanism

I assume we are speaking about ASCII characters (8 bits) but I am not 100% sure :)

R/
Manu

On Mon, Feb 8, 2010 at 7:08 PM, Nick Griffin wrote:
> Can anyone confirm the command below, the Chars/in/out reference, are the
> results listed in bytes? I'm unable to find this command documented
> anywhere on CCO to get a better description of the command and its output.
>
> The 6509 "show stats" command gives the following information:
>
> Vlan2
>           Switching path    Pkts In    Chars In   Pkts Out   Chars Out
>                Processor      14342     1650437       2492      166010
>              Route cache        534       55212        149       11166
>        Distributed cache    7169590  6090148689    8831508  9040962158
>                    Total    7184466  6091854338    8834149  9041139334
>
> Thanks,
>
> Nick Griffin

From globichen at gmail.com Tue Feb 9 07:56:37 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 13:56:37 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209124435.GA27615@mx.ytti.net>
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net>
Message-ID:

I think I am not software switching:

CPU utilization for five seconds: 19%/5%; one minute: 46%; five minutes: 42%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   6   426848940  21297160  20042  2.71%  1.01%  1.23%   0 Check heaps
 123   821446324 874103795    939  2.31%  2.42%  2.40%   0 IP Input
 281    84726288 609026650    139  0.55%  0.25%  0.22%   0 Port manager per
 169    98404740   5822749  16900  0.31%  0.31%  0.31%   0 Adj Manager
   9    92306248 220930403    417  0.31%  0.43%  0.40%   0 ARP Input
 180    64244512  51116025   1256  0.23%  0.26%  0.25%   0 CEF process
 320    18645168 124211249    150  0.15%  1.26%  1.10%   0 BGP I/O
 307    28557284 371501297     76  0.07%  0.10%  0.06%   0 MLD
 167    27023688 387372814     69  0.07%  0.12%  0.09%   0 IPv6 Input
 286    91380880  67881032   1346  0.07%  4.58%  3.92%   0 BGP Router
 322       24944     12735   1958  0.07%  0.09%  0.02%   1 SSH Process
...
#show platform hardware capacity pfc
L2 Forwarding Resources
  MAC Table usage:   Module  Collisions  Total   Used  %Used
                          5           0  65536   3383     5%
  VPN CAM usage:                        Total   Used  %Used
                                          512      0     0%
L3 Forwarding Resources
  FIB TCAM usage:                       Total    Used  %Used
    72 bits (IPv4, MPLS, EoM)          524288  315002    60%
    144 bits (IP mcast, IPv6)          262144    2904     1%

    detail:  Protocol      Used  %Used
             IPv4        315002    60%
             MPLS             0     0%
             EoM              0     0%
             IPv6          2842     1%
             IPv4 mcast       3     1%
             IPv6 mcast      59     1%
  Adjacency usage:                      Total    Used  %Used
                                      1048576    5046     1%
  Forwarding engine load:
    Module  pps      peak-pps  peak-time
    5       4443376  10849623  12:44:28 CEST Mon Dec 21 2009
Netflow Resources
  TCAM utilization:  Module  Created  Failed   %Used
                          5   262020       0    100%
  ICAM utilization:  Module  Created  Failed   %Used
                          5        4  5228242    3%
  Flowmasks:  Mask#  Type      Features
    IPv4:         0  reserved  none
    IPv4:         1  Intf FulFM_GUARDIAN
    IPv4:         2  unused    none
    IPv4:         3  reserved  none
    IPv6:         0  reserved  none
    IPv6:         1  Intf FulFM_IPV6_GUARDIAN
    IPv6:         2  unused    none
    IPv6:         3  reserved  none
CPU Rate Limiters Resources
  Rate limiters:  Total  Used  Reserved  %Used
        Layer 3       9     4         1    44%
        Layer 2       4     2         2    50%
ACL/QoS TCAM Resources
  Key: ACLent - ACL TCAM entries, ACLmsk - ACL TCAM masks, AND - ANDOR,
       QoSent - QoS TCAM entries, QOSmsk - QoS TCAM masks, OR - ORAND,
       Lbl-in - ingress label, Lbl-eg - egress label, LOUsrc - LOU source,
       LOUdst - LOU destination, ADJ - ACL adjacency
  Module  ACLent  ACLmsk  QoSent  QoSmsk  Lbl-in  Lbl-eg  LOUsrc  LOUdst  AND  OR  ADJ
       5      1%      2%      1%      1%      1%      1%      0%      0%   0%  0%   1%

I do see input drops - what does that mean?

Andy

On Tue, Feb 9, 2010 at 1:44 PM, Saku Ytti wrote:
> On (2010-02-09 13:21 +0100), Andy B. wrote:
>
>> CPU load is fairly normal at 20-30%
>
> What is more important is whether this is process or interrupt. In 'show proc cpu' you
> have x/y; y is interrupt and should be 0. If not, you are software switching
> something due to misconfiguration or software defect.
>
>> No congestion. Most links are under 50%.
>> I have no Control Plane Policies in place, but I have already been
>> advised to do so - this might help, right?
>> Redesigning the network and shifting the busy (uncongested!) VLAN to
>> another router seemed like the only choice we have left, unless this
>> CPP can help?
>
> Do you see any input drops in 'sh int | i Input|^[A-Z]'
>
> Are you within bounds of PFC resources?
> show platform hardware capacity pfc
>
> --
>   ++ytti

From saku at ytti.fi Tue Feb 9 08:04:21 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 15:04:21 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: 
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net>
Message-ID: <20100209130421.GA27687@mx.ytti.net>

On (2010-02-09 13:56 +0100), Andy B. wrote:
> I think I am not software switching:
>
> CPU utilization for five seconds: 19%/5%; one minute: 46%; five minutes: 42%

Could you try to catch this when the five second value is >40% so we'll see
what is causing the load. Currently whatever is happening, is not
happening. Output 5s sorted list.

> Module  pps      peak-pps  peak-time
> 5       4443376  10849623  12:44:28 CEST Mon Dec 21 2009

10Mpps peak, well within limits of CFC system, so you're not anywhere near
the performance limits.

> Netflow Resources
> TCAM utilization:  Module  Created  Failed  %Used
>                    5       262020   0       100%

Netflow full, highly typical and nothing to worry about.

> I do see input drops - what does that mean?

It means that you got more packets towards software than buffers could
hold, default is 75 packets, which is way too little for even some normal
situations, such as BGP, especially route reflector use.
If it is normal, you should increase it to 1k or 2k.

But it might also indicate that transit traffic is coming to control-plane,
there are many tools 7600 offers to troubleshoot them.
When you look at those interfaces where you see drops, do any of them display
packets in input buffer /right now/, if so, you can use 'show buffers
input-interface X header' to see what those packets are, which will go long way
to determine if they are normal or something to worry about.

--
  ++ytti

From linux.yahoo at gmail.com Tue Feb 9 08:07:59 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 14:07:59 +0100
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: 
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> <7100ed371002090425r5a942000r2521a67664cd865@mail.gmail.com>
Message-ID: <7100ed371002090507g5212cbe2xb6784acb1890c4fc@mail.gmail.com>

Correct, not yet

On Tue, Feb 9, 2010 at 1:37 PM, Livio Zanol Puppim <
livio.zanol.puppim at gmail.com> wrote:

> Nexus 2000 does not have FCoE.
>
> 2010/2/9 Manu Chao
>
> Two key advantages:
>> - Technical: FCoE, vPC
>> - Management: you needn't to manage N2Ks
>>
>> R/
>> Manu
>>
>> On Tue, Feb 9, 2010 at 11:40 AM, Livio Zanol Puppim <
>> livio.zanol.puppim at gmail.com> wrote:
>>
>>> Yeah, You are right.
>>>
>>> But I would like to use my nexus 5000 10GE/FCoE ports just for access
>>> servers, maximizing its use... The uplinks from Nexus 2000 could easily
>>> go directly to my distribution/core. Unfortunately, nexus 2000 is just a
>>> fabric extender and can ONLY be attached to Nexus 5000... Maybe CISCO
>>> changes it later...
>>>
>>> Let's think:
>>>
>>> 10 nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must
>>> use at my nexus 5000. That's more than 1 entire switch (1RU) and almost 1
>>> switch (2RU).
>>>
>>> I haven't figured out yet what's the advantage of having this design (nexus
>>> 2000 -> nexus 5000) other than the "old" one (catalyst 4948 -> nexus
>>> 7000/cisco 6500). That's what I'm talking about.
>>>
>>> The only REAL advantage so far is the vPC...
>>>
>>> 2010/2/2 Brad Hedlund
>>>
>>> >
>>> > True, the Nexus 2000 does not locally switch, but let's explore that for a
>>> > second...
>>> >
>>> > 1) a typical enterprise Data Center is running applications that are not
>>> > latency sensitive, where latencies in the 10s of microseconds are perfectly
>>> > OK and nobody is really counting anyway. Only in the small minority of Data
>>> > Centers running high frequency trading, grid computing, or some other ultra
>>> > low latency application, every *nanosecond* matters and local switching with
>>> > fewer hops is of paramount importance. Furthermore, these applications are
>>> > quickly migrating away from 1GE to 10GE attached servers for the obvious low
>>> > latency advantages.
>>> >
>>> > 2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink for
>>> > 4948. This results in a possible 1:1.2 oversubscription ratio for Nexus
>>> > 2000 to handle the additional uplink load that may otherwise not be present
>>> > on a 4948.
>>> >
>>> > 3) The upstream Nexus 5000 implements cut-through switching, and the Nexus
>>> > 2000 itself also uses cut-through for frames entering on 1GE and egressing
>>> > on 10GE. The two combined often results in port-to-port latencies similar
>>> > to a Catalyst 6500, even without the "local switching". If you are
>>> > comfortable with your Catalyst 6500 local switching latencies, you can
>>> > expect similar performance from a Nexus 2000/5000 combination.
>>> >
>>> >
>>> > --
>>> > Brad Hedlund, CCIE #5530
>>> > Consulting Systems Engineer, Data Center
>>> > bhedlund at cisco.com
>>> > http://www.internetworkexpert.org
>>> >
>>> >
>>> >
>>> > On Jan 31, 2010, at 5:25 PM, David Hughes wrote:
>>> >
>>> > >
>>> > > On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:
>>> > >
>>> > >> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
>>> > >> 4948 as access layers switches?
>>> > >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
>>> > >> could be used by servers with 10GbE/FCoE servers.
>>> > >
>>> > > The N2K does no local switching so if you have any east-west traffic
>>> > > between ports on the same switch you'll be better served by a more
>>> > > "traditional" access switch. Naturally the N2K offers centralised
>>> > > management etc etc but that may or may not be of interest depending on the
>>> > > size of your deployment.
>>> > >
>>> > >
>>> > >
>>> > > David
>>> > > ...
>>> >
>>> >
>>>
>>>
>>> --
>>> []'s
>>>
>>> Lívio Zanol Puppim
>>>
>>
>>
>
>
> --
> []'s
>
> Lívio Zanol Puppim
>

From globichen at gmail.com Tue Feb 9 08:08:47 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 14:08:47 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B715A02.8010604@imperial.ac.uk>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk>
Message-ID: 

On Tue, Feb 9, 2010 at 1:50 PM, Phil Mayers wrote:
>> CPU load is fairly normal at 20-30%
>
> Is this average or during a performance event? What about the SP and any DFC
> CPUs?

This is average. Performance would go up to 99% if the BGP scanner is
busy, but this does not happen very often.

>
> What linecards do you have in the box?

#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAD082XXXXX
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAD084XXXXX
  8    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAD114XXXXX
  9    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL110XXXXX

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2  0012.435e.07f8 to 0012.435e.0827   2.0   12.2(14r)S5  12.2(18)SXF1 Ok
  5  0011.21b9.ba54 to 0011.21b9.ba57   4.1   8.1(3)       12.2(18)SXF1 Ok
  8  0001.0002.0003 to 0001.0002.0006   1.6   12.2(14r)S5  12.2(18)SXF1 Ok
  9  001a.6c97.d074 to 001a.6c97.d077   2.5   12.2(14r)S5  12.2(18)SXF1 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  2  Centralized Forwarding Card WS-F6700-CFC       SAL083XXXXX  2.0    Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD084XXXXX  1.4    Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAD084XXXXX  2.2    Ok
  8  Centralized Forwarding Card WS-F6700-CFC       SAL114XXXXX  2.0    Ok
  9  Centralized Forwarding Card WS-F6700-CFC       SAL110XXXXX  2.1    Ok

Mod  Online Diag Status
---- -------------------
  2  Pass
  5  Pass
  8  Pass
  9  Pass

>
>
> sh mls cef maximum-routes
> sh mls cef summary

#sh mls cef maximum-routes
FIB TCAM maximum routes :
=======================
Current :-
-------
 IPv4 + MPLS         - 512k (default)
 IPv6 + IP Multicast - 256k (default)

#sh mls cef summary
Total routes:                     317940
    IPv4 unicast routes:          315089
    IPv4 Multicast routes:        3
    MPLS routes:                  0
    IPv6 unicast routes:          2848
    IPv6 multicast routes:        59
    EoM routes:                   0

>
> You say "so that the new router can handle these many MAC addresses"; do you
> have any reason to believe that MAC or adjacency table size is the problem?
> The 6500 can handle 64k MAC addresses at layer2 and variable numbers of
> ARP/layer3 adjacencies.

No, I have no reason.
It is just a desperate measure, because despite plenty of research I could
not find out what is causing my core to become so unresponsive at
management and BGP/OSPF level.

> It could be ICMP redirects, or layer2 loops downstream.

How would I detect that?

>
> How often are these performance problems occurring? Is anything logged on
> the router at the time? What does the output of:

It's at peak times, usually in the evening hours when there is a lot of
traffic. It never happens in the afternoon or late at night - really only
when we reached a certain amount of traffic or packets.

> sh proc cpu | ex 0.00
> remote command switch sh proc cpu | ex 0.00
> sh platform hardware capacity forwarding
>
> ...say after a window of poor performance? How long do the events last?

It's not peak time yet, but here the current results:

#sh proc cpu sort | e 0.00
CPU utilization for five seconds: 19%/7%; one minute: 35%; five minutes: 32%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 286    91421068  67890635   1346  0.71%  4.54%  3.63%   0 BGP Router
 322       27520     15152   1816  0.71%  0.33%  0.27%   1 SSH Process
 281    84729936 609049960    139  0.55%  0.20%  0.21%   0 Port manager per
 175    83539116  11590722   7207  0.47%  0.27%  0.25%   0 IPC LC Message H
 169    98408344   5822966  16900  0.31%  0.31%  0.31%   0 Adj Manager
 180    64247088  51118007   1256  0.23%  0.21%  0.19%   0 CEF process
   9    92311304 220943432    417  0.15%  0.29%  0.35%   0 ARP Input
 320    18664520 124379650    150  0.15%  2.57%  1.67%   0 BGP I/O

#remote command switch sh proc cpu | ex 0.00
CPU utilization for five seconds: 56%/16%; one minute: 45%; five minutes: 51%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  42 11658287002654567248    439  3.51%  3.87%  3.84%   0 slcp process
 102   575122192  14545925  39538  1.75%  1.87%  1.93%   0 Vlan Statistics
 106   184036308  36158906   5089  1.19%  0.62%  0.61%   0 FIB Control Time
 127    37679084 135489087    278  0.07%  0.10%  0.11%   0 Spanning Tree
 187    12308164   3092196   3980  0.07%  0.03%  0.05%   0 v6fib stat colle
 232    60786688  23931437   2540  0.15%  0.16%  0.17%   0 Env Poll
 243    11847844   2874615   4121  0.07%  0.04%  0.05%   0 Const MPLS Stats
 248  3799960368 673218956   5644 12.23% 13.87% 16.79%   0 NDE - IPV4
 254    10876832 145705655     74  0.07%  0.06%  0.06%   0 DiagCard9/-1
 257    79331296  46446985   1707  0.23%  0.19%  0.21%   0 CEF process

#sh platform hardware capacity forwarding
L2 Forwarding Resources
  MAC Table usage:   Module  Collisions  Total   Used  %Used
                     5       0           65536   3386  5%
  VPN CAM usage:     Total   Used  %Used
                     512     0     0%
L3 Forwarding Resources
  FIB TCAM usage:                     Total   Used    %Used
    72 bits (IPv4, MPLS, EoM)         524288  315005  60%
    144 bits (IP mcast, IPv6)         262144  2911    1%
  detail:      Protocol    Used    %Used
               IPv4        315005  60%
               MPLS        0       0%
               EoM         0       0%
               IPv6        2849    1%
               IPv4 mcast  3       1%
               IPv6 mcast  59      1%
  Adjacency usage:   Total    Used  %Used
                     1048576  5045  1%
  Forwarding engine load:
                     Module  pps      peak-pps  peak-time
                     5       4440416  10849623  12:44:28 CEST Mon Dec 21 2009

Thanks!

Andy

From globichen at gmail.com Tue Feb 9 08:20:06 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 14:20:06 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209130421.GA27687@mx.ytti.net>
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net>
Message-ID: 

On Tue, Feb 9, 2010 at 2:04 PM, Saku Ytti wrote:
> Could you try to catch this when the five second value is >40% so we'll see
> what is causing the load. Currently whatever is happening, is not
> happening.

Actually, last time when the core started to become very unresponsive,
CPU load was lower than usual - 12-15%. Except when it was
re-establishing BGP sessions with transit customers, then it went up
to 99% for quite a while, but that is normal.

> Output 5s sorted list.
>
>> Module  pps      peak-pps  peak-time
>> 5       4443376  10849623  12:44:28 CEST Mon Dec 21 2009
>
> 10Mpps peak, well within limits of CFC system, so you're not anywhere near
> the performance limits.
>
>> Netflow Resources
>> TCAM utilization:  Module  Created  Failed  %Used
>>                    5       262020   0       100%
>
> Netflow full, highly typical and nothing to worry about.
>
>> I do see input drops - what does that mean?
>
> It means that you got more packets towards software than buffers could
> hold, default is 75 packets, which is way too little for even some normal
> situations, such as BGP, especially route reflector use.
> If it is normal, you should increase it to 1k or 2k.
>
> But it might also indicate that transit traffic is coming to control-plane,
> there are many tools 7600 offers to troubleshoot them. When you look at
> those interfaces where you see drops, do any of them display packets in
> input buffer /right now/, if so, you can use 'show buffers input-interface
> X header' to see what those packets are, which will go long way to determine if
> they are normal or something to worry about.
>

Yes, here is some input buffer:

#show buffers input-interface te9/1 header
Buffer information for Small buffer at 0x5007A3A8
  data_area 0x806EBC4, refcount 1, next 0x454585E0, flags 0x280
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x4646B618 (TenGigabitEthernet9/1), if_output 0x0 (None)
  inputtime 47w4d (elapsed 00:00:47.772)
  outputtime 47w4d (elapsed 00:00:30.952), oqnumber 65535
  datagramstart 0x806EC3A, datagramsize 62, maximum size 308
  mac_start 0x806EC3A, addr_start 0x806EC3A, info_start 0x0
  network_start 0x806EC48, transport_start 0x806EC5C, caller_pc 0x4187C1F0

  source: x.x.72.173, destination: y.y.161.0, id: 0x611D, ttl: 120,
  TOS: 0 prot: 6, source port 60922, destination port 47743

#show buffers input-interface te9/2 header
Buffer information for Small buffer at 0x5002EA70
  data_area 0x802C2C4, refcount 1, next 0x5007DA28, flags 0x200
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x4646CC78 (TenGigabitEthernet9/2), if_output 0x0 (None)
  inputtime 47w4d (elapsed 00:00:54.296)
  outputtime 47w4d (elapsed 00:00:43.944), oqnumber 65535
  datagramstart 0x802C33A, datagramsize 70, maximum size 308
  mac_start 0x802C33A, addr_start 0x802C33A, info_start 0x0
  network_start 0x802C348, transport_start 0x802C35C, caller_pc 0x4187C1F0

  source: y.y.226.89, destination: x.x.160.112, id: 0x5ADD, ttl: 52,
  TOS: 0 prot: 6, source port 52067, destination port 18309

Changes all the time. Sometimes it is empty, but it seems rarely to be the case.

From noc at phibee.net Tue Feb 9 08:30:20 2010
From: noc at phibee.net (Phibee Network Operation Center)
Date: Tue, 09 Feb 2010 14:30:20 +0100
Subject: [c-nsp] Cisco 7401ASR ?
Message-ID: <4B71636C.2040704@phibee.net>

Hi

I am searching for real information on the Cisco 7401ASR:
If you have one unit ;=)

I want to know if this Cisco has the same performance as the
Cisco 7204 with an NPE-400?

It supports MPLS, Interworking and EoMPLS

Is it the same IOS as the Cisco 7204?

Thanks for your information.

Jerome

From saku at ytti.fi Tue Feb 9 08:32:24 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 15:32:24 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: 
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net>
Message-ID: <20100209133224.GA27783@mx.ytti.net>

On (2010-02-09 14:20 +0100), Andy B. wrote:
> source: x.x.72.173, destination: y.y.161.0, id: 0x611D, ttl: 120,
> TOS: 0 prot: 6, source port 60922, destination port 47743
>
> source: y.y.226.89, destination: x.x.160.112, id: 0x5ADD, ttl: 52,
> TOS: 0 prot: 6, source port 52067, destination port 18309
>
> Changes all the time. Sometimes it is empty, but it seems rarely to be the case.

Are these receive addresses in the router or transit?
sh mls cef lookup x.x.160.112
sh mls cef lookup x.x.160.112 detail

sh mls cef adjacency entry 123 detail

--
  ++ytti

From Charles.Church at harris.com Tue Feb 9 08:43:43 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Tue, 9 Feb 2010 08:43:43 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: 
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk>
Message-ID: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>

Is it possible the NDE on the SP is the issue?  I assume it's configured to
export?  What does a 'sh proc cpu hist' tell you on the RP and SP?

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
Sent: Tuesday, February 09, 2010 8:09 AM
To: Phil Mayers
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

On Tue, Feb 9, 2010 at 1:50 PM, Phil Mayers wrote:
>> CPU load is fairly normal at 20-30%
>
> Is this average or during a performance event? What about the SP and any DFC
> CPUs?

This is average. Performance would go up to 99% if the BGP scanner is
busy, but this does not happen very often.

>
> What linecards do you have in the box?

#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAD082XXXXX
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAD084XXXXX
  8    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAD114XXXXX
  9    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL110XXXXX

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2  0012.435e.07f8 to 0012.435e.0827   2.0   12.2(14r)S5  12.2(18)SXF1 Ok
  5  0011.21b9.ba54 to 0011.21b9.ba57   4.1   8.1(3)       12.2(18)SXF1 Ok
  8  0001.0002.0003 to 0001.0002.0006   1.6   12.2(14r)S5  12.2(18)SXF1 Ok
  9  001a.6c97.d074 to 001a.6c97.d077   2.5   12.2(14r)S5  12.2(18)SXF1 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  2  Centralized Forwarding Card WS-F6700-CFC       SAL083XXXXX  2.0    Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD084XXXXX  1.4    Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAD084XXXXX  2.2    Ok
  8  Centralized Forwarding Card WS-F6700-CFC       SAL114XXXXX  2.0    Ok
  9  Centralized Forwarding Card WS-F6700-CFC       SAL110XXXXX  2.1    Ok

Mod  Online Diag Status
---- -------------------
  2  Pass
  5  Pass
  8  Pass
  9  Pass

>
>
> sh mls cef maximum-routes
> sh mls cef summary

#sh mls cef maximum-routes
FIB TCAM maximum routes :
=======================
Current :-
-------
 IPv4 + MPLS         - 512k (default)
 IPv6 + IP Multicast - 256k (default)

#sh mls cef summary
Total routes:                     317940
    IPv4 unicast routes:          315089
    IPv4 Multicast routes:        3
    MPLS routes:                  0
    IPv6 unicast routes:          2848
    IPv6 multicast routes:        59
    EoM routes:                   0

>
> You say "so that the new router can handle these many MAC addresses"; do you
> have any reason to believe that MAC or adjacency table size is the problem?
> The 6500 can handle 64k MAC addresses at layer2 and variable numbers of
> ARP/layer3 adjacencies.

No, I have no reason.
It is just a desperate measure, because despite plenty of research I could
not find out what is causing my core to become so unresponsive at
management and BGP/OSPF level.

> It could be ICMP redirects, or layer2 loops downstream.

How would I detect that?

>
> How often are these performance problems occurring? Is anything logged on
> the router at the time? What does the output of:

It's at peak times, usually in the evening hours when there is a lot of
traffic. It never happens in the afternoon or late at night - really only
when we reached a certain amount of traffic or packets.

> sh proc cpu | ex 0.00
> remote command switch sh proc cpu | ex 0.00
> sh platform hardware capacity forwarding
>
> ...say after a window of poor performance? How long do the events last?

It's not peak time yet, but here the current results:

#sh proc cpu sort | e 0.00
CPU utilization for five seconds: 19%/7%; one minute: 35%; five minutes: 32%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 286    91421068  67890635   1346  0.71%  4.54%  3.63%   0 BGP Router
 322       27520     15152   1816  0.71%  0.33%  0.27%   1 SSH Process
 281    84729936 609049960    139  0.55%  0.20%  0.21%   0 Port manager per
 175    83539116  11590722   7207  0.47%  0.27%  0.25%   0 IPC LC Message H
 169    98408344   5822966  16900  0.31%  0.31%  0.31%   0 Adj Manager
 180    64247088  51118007   1256  0.23%  0.21%  0.19%   0 CEF process
   9    92311304 220943432    417  0.15%  0.29%  0.35%   0 ARP Input
 320    18664520 124379650    150  0.15%  2.57%  1.67%   0 BGP I/O

#remote command switch sh proc cpu | ex 0.00
CPU utilization for five seconds: 56%/16%; one minute: 45%; five minutes: 51%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  42 11658287002654567248    439  3.51%  3.87%  3.84%   0 slcp process
 102   575122192  14545925  39538  1.75%  1.87%  1.93%   0 Vlan Statistics
 106   184036308  36158906   5089  1.19%  0.62%  0.61%   0 FIB Control Time
 127    37679084 135489087    278  0.07%  0.10%  0.11%   0 Spanning Tree
 187    12308164   3092196   3980  0.07%  0.03%  0.05%   0 v6fib stat colle
 232    60786688  23931437   2540  0.15%  0.16%  0.17%   0 Env Poll
 243    11847844   2874615   4121  0.07%  0.04%  0.05%   0 Const MPLS Stats
 248  3799960368 673218956   5644 12.23% 13.87% 16.79%   0 NDE - IPV4
 254    10876832 145705655     74  0.07%  0.06%  0.06%   0 DiagCard9/-1
 257    79331296  46446985   1707  0.23%  0.19%  0.21%   0 CEF process

#sh platform hardware capacity forwarding
L2 Forwarding Resources
  MAC Table usage:   Module  Collisions  Total   Used  %Used
                     5       0           65536   3386  5%
  VPN CAM usage:     Total   Used  %Used
                     512     0     0%
L3 Forwarding Resources
  FIB TCAM usage:                     Total   Used    %Used
    72 bits (IPv4, MPLS, EoM)         524288  315005  60%
    144 bits (IP mcast, IPv6)         262144  2911    1%
  detail:      Protocol    Used    %Used
               IPv4        315005  60%
               MPLS        0       0%
               EoM         0       0%
               IPv6        2849    1%
               IPv4 mcast  3       1%
               IPv6 mcast  59      1%
  Adjacency usage:   Total    Used  %Used
                     1048576  5045  1%
  Forwarding engine load:
                     Module  pps      peak-pps  peak-time
                     5       4440416  10849623  12:44:28 CEST Mon Dec 21 2009

Thanks!

Andy

From globichen at gmail.com Tue Feb 9 08:45:25 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 14:45:25 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209133224.GA27783@mx.ytti.net>
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net> <20100209133224.GA27783@mx.ytti.net>
Message-ID: 

> Are these receive addresses in the router or transit?
>
> sh mls cef lookup x.x.160.112
> sh mls cef lookup x.x.160.112 detail
>
> sh mls cef adjacency entry 123 detail
>

#show buffers input-interface te9/1 header
Buffer information for Small buffer at 0x50070DC8
  data_area 0x80667C4, refcount 1, next 0x45475F58, flags 0x280
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x4646B618 (TenGigabitEthernet9/1), if_output 0x0 (None)
  inputtime 47w4d (elapsed 00:00:09.252)
  outputtime 47w4d (elapsed 00:03:54.772), oqnumber 65535
  datagramstart 0x806683A, datagramsize 62, maximum size 308
  mac_start 0x806683A, addr_start 0x806683A, info_start 0x0
  network_start 0x8066848, transport_start 0x8066878, caller_pc 0x4187C1F0

  source: x.x.224.116, destination: y.y.176.97, id: 0x79FD, ttl: 121,
  TOS: 0 prot: 6, source port 2844, destination port 445

x.x = outside
y.y = server connected to the core

#sh mls cef lookup x.x.224.116
Codes: decap - Decapsulation, + - Push Label
Index  Prefix              Adjacency
298605 x.x.192.0/18        Te9/1 , 0022.5517.0f00

#sh mls cef lookup y.y.176.97
Codes: decap - Decapsulation, + - Push Label
Index  Prefix              Adjacency
20304  y.y.176.0/24        glean

BCS#sh mls cef lookup y.y.176.97 detail
Codes: M - mask entry, V - value entry, A - adjacency index, P - priority bit
       D - full don't switch, m - load balancing modnumber, B - BGP Bucket sel
       V0 - Vlan 0,C0 - don't comp bit 0,V1 - Vlan 1,C1 - don't comp bit 1
       RVTEN - RPF Vlan table enable, RVTSEL - RPF Vlan table select
Format: IPV4_DA - (8 | xtag vpn pi cr recirc tos prefix)
Format: IPV4_SA - (9 | xtag vpn pi cr recirc prefix)
M(20304 ): E | 1 FFF 0 0 0 0 255.255.255.0
V(20304 ): 8 | 1 0 0 0 0 0 y.y.176.0 (A:14 ,P:1,D:0,m:0 ,B:0 )

From saku at ytti.fi Tue Feb 9 08:45:29 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 15:45:29 +0200
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <4B71636C.2040704@phibee.net>
References: <4B71636C.2040704@phibee.net>
Message-ID: <20100209134529.GA27827@mx.ytti.net>

On (2010-02-09 14:30 +0100), Phibee Network Operation Center wrote:
> I am searching for real information on the Cisco 7401ASR:
> If you have one unit ;=)
>
> I want to know if this Cisco has the same performance as the
> Cisco 7204 with an NPE-400?

ASR was the second product to be blessed (or cursed) with toaster chip a.k.a
PXF. Like the first product, the NSE-1, it was a failure and newer software
will disable and won't allow enabling PXF, so everything will be software
switched, like in NPE400, performance is below NPE300.

> It supports MPLS, Interworking and EoMPLS
>
> Is it the same IOS as the Cisco 7204?

No. Also it is EOL platform and as price for gray NPE300 is ridiculously
small I personally wouldn't accept even free ASR's.

--
  ++ytti

From linux.yahoo at gmail.com Tue Feb 9 08:47:48 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 14:47:48 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: 
References: 
Message-ID: <7100ed371002090547i342e8223u131077d5e0fd9cc6@mail.gmail.com>

Too much BGP and traffic for your (old) 6509 router (even if with 3BXL).
If you have the budget, I would push for Cisco ASR or Juniper M Core

R/
Manu

From saku at ytti.fi Tue Feb 9 08:47:51 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 15:47:51 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: 
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net> <20100209133224.GA27783@mx.ytti.net>
Message-ID: <20100209134751.GB27827@mx.ytti.net>

On (2010-02-09 14:45 +0100), Andy B. wrote:
> #sh mls cef lookup y.y.176.97
>
> Codes: decap - Decapsulation, + - Push Label
> Index  Prefix              Adjacency
> 20304  y.y.176.0/24        glean

Ok it is punted to resolve its MAC address. You could try
'mls rate-limit unicast cef glean 200 50'
To limit glean to 200pps.
However we can't prove the problem you saw was due to excessive packets to
glean adjacencies.

--
  ++ytti

From globichen at gmail.com Tue Feb 9 08:50:12 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 14:50:12 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
Message-ID: 

On Tue, Feb 9, 2010 at 2:43 PM, Church, Charles wrote:
> Is it possible the NDE on the SP is the issue?  I assume it's configured to
> export?  What does a 'sh proc cpu hist' tell you on the RP and SP?
>
> Chuck

I can almost certainly rule that out. Last time this happened I turned
off NDE, but it did not change much. Here the result anyways:

#sh proc cpu hist
2222222288888555511111111111111111111111111111111111111113 4448888844444666677777444446666655555666667777777777999999 100 90 80 ***** 70 ***** 60 ********* 50 ********* 40 ********* * 30 ************** * 20 ********************** ******************************* 10 ********************************************************** 0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
      CPU% per second (last 60 seconds)

    1 1 1 1
    7907999979978997999980999998999899899097889889978997088899
    4509292289154946699800675905966199809044339839881997055793
100 ** * * * **** ***** *** ** ** * ** ** * *
 90 ** **** ** ** **** ********** ******* ** ** ** ******
 80 ************************************** ******************
 70 **********************************************************
 60 **********************************************************
 50 *******************************************************##*
 40 ****************#**************************************###
 30 #################*########################################
 20 ##########################################################
 10 ##########################################################
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
      CPU% per minute (last 60 minutes)
     * = maximum CPU%   # = average CPU%

    1111111111111111111111111111111111111111111111111111111111111111111111
    0000000000000000000000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000000000
100 **********************************************************************
 90 **********************************************************************
 80 **********************************************************************
 70 *******#**********************##**************************************
 60 *******#**********************##**************************************
 50 ******###*********************###******#********************#*********
 40 #*##**###*#**##***#**#***#****###***##*#****#*****#**##**#####********
 30 #####*######*##########*###**#####*#####***####################***####
 20 ######################################################################
 10 ######################################################################
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
             0    5    0    5    0    5    0    5    0    5    0    5    0
      CPU% per hour (last 72 hours)
     * = maximum CPU%   # = average CPU%

#remote command switch sh proc cpu hist

    3333322222222226666677777333331111222223333322222666667777
    1111155555999990000077777000005555999997777755555777776666
100
 90
 80 ***** ****
 70 ***** *********
 60 ********** *********
 50 ********** *********
 40 ********** ***** *********
 30 ****************************** ************************
 20 **********************************************************
 10 **********************************************************
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
      CPU% per second (last 60 seconds)

    7977778888889999975798767688889888888988788888998988998878
    7046543783562032129590344605798023115098878663008368337698
100 * *
 90 * ** ******* * **** **** **** ********** *
 80 ** ** #****##*#** *#* ***##****************####*******
 70 ******#****##*#*** *#** *****##******#*********#####******
 60 ******##***##*#*#***#*******####*****#******#*######*****#
 50 ******##***##*###***##******####**#**##****##*######***#*#
 40 ##################*###****################################
 30 ##########################################################
 20 ##########################################################
 10 ##########################################################
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
      CPU% per minute (last 60 minutes)
     * = maximum CPU%   # = average CPU%

    1111 1 1 1
    9999999999999900009999999999999999999999899889998999909999999880908999
    8968979889989900007367999999989999979583747981479337809999993870907900
100 ******************* ******************* * * ********* *** *
 90 **********************************************************************
 80 **********************************************************************
 70 ****#*****************************************************************
 60 **#*#*#######************##*#*######****************###***************
 50 #################****#################************########************
 40 ########################################*******###############*###***#
 30 ######################################################################
 20 ######################################################################
 10 ######################################################################
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
             0    5    0    5    0    5    0    5    0    5    0    5    0
      CPU% per hour (last 72 hours)
     * = maximum CPU%   # = average CPU%

From linux.yahoo at gmail.com Tue Feb 9 08:51:04 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 14:51:04 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
Message-ID: <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>

For sure it may be possible to reduce/optimise the routing

But in all cases you will hit the platform limit ;(

Full Internet Routing costs a lot

On Tue, Feb 9, 2010 at 2:43 PM, Church, Charles wrote:
> Is it possible the NDE on the SP is the issue? I assume it's configured to
> export? What does a 'sh proc cpu hist' tell you on the RP and SP?
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
> Sent: Tuesday, February 09, 2010 8:09 AM
> To: Phil Mayers
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Best practice - Core vs Access Router
>
> On Tue, Feb 9, 2010 at 1:50 PM, Phil Mayers wrote:
> >> CPU load is fairly normal at 20-30%
> >
> > Is this average or during a performance event? What about the SP and any
> > DFC CPUs?
>
> This is average. Performance would go up to 99% if the BGP scanner is
> busy, but this does not happen very often.
>
> > What linecards do you have in the box?
>
> #sh mod
> Mod Ports Card Type                              Model              Serial No.
> --- ----- -------------------------------------- ------------------ -----------
>   2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAD082XXXXX
>   5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAD084XXXXX
>   8    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAD114XXXXX
>   9    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL110XXXXX
>
> Mod MAC addresses                       Hw     Fw           Sw           Status
> --- ---------------------------------- ------ ------------ ------------ -------
>   2 0012.435e.07f8 to 0012.435e.0827   2.0    12.2(14r)S5  12.2(18)SXF1 Ok
>   5 0011.21b9.ba54 to 0011.21b9.ba57   4.1    8.1(3)       12.2(18)SXF1 Ok
>   8 0001.0002.0003 to 0001.0002.0006   1.6    12.2(14r)S5  12.2(18)SXF1 Ok
>   9 001a.6c97.d074 to 001a.6c97.d077   2.5    12.2(14r)S5  12.2(18)SXF1 Ok
>
> Mod  Sub-Module                  Model              Serial      Hw      Status
> ---- --------------------------- ------------------ ----------- ------- -------
>   2  Centralized Forwarding Card WS-F6700-CFC       SAL083XXXXX 2.0     Ok
>   5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD084XXXXX 1.4     Ok
>   5  MSFC3 Daughterboard         WS-SUP720          SAD084XXXXX 2.2     Ok
>   8  Centralized Forwarding Card WS-F6700-CFC       SAL114XXXXX 2.0     Ok
>   9  Centralized Forwarding Card WS-F6700-CFC       SAL110XXXXX 2.1     Ok
>
> Mod  Online Diag Status
> ---- -------------------
>   2  Pass
>   5  Pass
>   8  Pass
>   9  Pass
>
> > sh mls cef maximum-routes
> > sh mls cef summary
>
> #sh mls cef maximum-routes
> FIB TCAM maximum routes :
> =======================
> Current :-
> -------
>  IPv4 + MPLS         - 512k (default)
>  IPv6 + IP Multicast - 256k (default)
>
> #sh mls cef summary
>
> Total routes:                 317940
>    IPv4 unicast routes:       315089
>    IPv4 Multicast routes:     3
>    MPLS routes:               0
>    IPv6 unicast routes:       2848
>    IPv6 multicast routes:     59
>    EoM routes:                0
>
> > You say "so that the new router can handle these many MAC addresses"; do you
> > have any reason to believe that MAC or adjacency table size is the problem?
> > The 6500 can handle 64k MAC addresses at layer2 and variable numbers of
> > ARP/layer3 adjacencies.
>
> No, I have no reason. It is just a desperate measure, because despite
> plenty of research I could not find out what is causing my core to
> become so unresponsive at management and BGP/OSPF level.
>
> > It could be ICMP redirects, or layer2 loops downstream.
>
> How would I detect that?
>
> > How often are these performance problems occurring? Is anything logged on
> > the router at the time? What does the output of:
>
> It's at peak times, usually in the evening hours when there is a lot
> of traffic. It never happens in the afternoon or late at night -
> really only when we reach a certain amount of traffic or packets.
>
> > sh proc cpu | ex 0.00
> > remote command switch sh proc cpu | ex 0.00
> > sh platform hardware capacity forwarding
> >
> > ...say after a window of poor performance? How long do the events last?
>
> It's not peak time yet, but here the current results:
>
> #sh proc cpu sort | e 0.00
> CPU utilization for five seconds: 19%/7%; one minute: 35%; five minutes: 32%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>  286    91421068    67890635       1346  0.71%  4.54%  3.63%   0 BGP Router
>  322       27520       15152       1816  0.71%  0.33%  0.27%   1 SSH Process
>  281    84729936   609049960        139  0.55%  0.20%  0.21%   0 Port manager per
>  175    83539116    11590722       7207  0.47%  0.27%  0.25%   0 IPC LC Message H
>  169    98408344     5822966      16900  0.31%  0.31%  0.31%   0 Adj Manager
>  180    64247088    51118007       1256  0.23%  0.21%  0.19%   0 CEF process
>    9    92311304   220943432        417  0.15%  0.29%  0.35%   0 ARP Input
>  320    18664520   124379650        150  0.15%  2.57%  1.67%   0 BGP I/O
>
> #remote command switch sh proc cpu | ex 0.00
>
> CPU utilization for five seconds: 56%/16%; one minute: 45%; five minutes: 51%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>   42 11658287002654567248        439  3.51%  3.87%  3.84%   0 slcp process
>  102   575122192    14545925      39538  1.75%  1.87%  1.93%   0 Vlan Statistics
>  106   184036308    36158906       5089  1.19%  0.62%  0.61%   0 FIB Control Time
>  127    37679084   135489087        278  0.07%  0.10%  0.11%   0 Spanning Tree
>  187    12308164     3092196       3980  0.07%  0.03%  0.05%   0 v6fib stat colle
>  232    60786688    23931437       2540  0.15%  0.16%  0.17%   0 Env Poll
>  243    11847844     2874615       4121  0.07%  0.04%  0.05%   0 Const MPLS Stats
>  248  3799960368   673218956       5644 12.23% 13.87% 16.79%   0 NDE - IPV4
>  254    10876832   145705655         74  0.07%  0.06%  0.06%   0 DiagCard9/-1
>  257    79331296    46446985       1707  0.23%  0.19%  0.21%   0 CEF process
>
> #sh platform hardware capacity forwarding
> L2 Forwarding Resources
>      MAC Table usage:   Module  Collisions  Total        Used       %Used
>                              5           0  65536        3386          5%
>
>      VPN CAM usage:                        Total        Used       %Used
>                                              512           0          0%
> L3 Forwarding Resources
>      FIB TCAM usage:                       Total        Used       %Used
>       72 bits (IPv4, MPLS, EoM)           524288      315005         60%
>      144 bits (IP mcast, IPv6)            262144        2911          1%
>
>                 detail:      Protocol                    Used       %Used
>                              IPv4                      315005         60%
>                              MPLS                           0          0%
>                              EoM                            0          0%
>
>                              IPv6                        2849          1%
>                              IPv4 mcast                     3          1%
>                              IPv6 mcast                    59          1%
>
>      Adjacency usage:                      Total        Used       %Used
>                                          1048576        5045          1%
>
>      Forwarding engine load:
>                      Module       pps   peak-pps                     peak-time
>                           5   4440416   10849623  12:44:28 CEST Mon Dec 21 2009
>
> Thanks!
>
> Andy
>

From globichen at gmail.com Tue Feb 9 08:54:19 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 14:54:19 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID:

On Tue, Feb 9, 2010 at 2:51 PM, Manu Chao wrote:
> For sure it may be possible to reduce/optimise the routing
>
> But in all case you will hit the platform limit ;(
>
> Full Internet Routing cost a lot

I have other cores that do 40 times more BGP and they work like a charm,
with the exception that they do not have a few thousand servers
connected to them. Only customers with routers.
These routers are similar to this 6509, so nothing better or worse.
Andy

From linux.yahoo at gmail.com Tue Feb 9 09:09:04 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 15:09:04 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <7100ed371002090609y401da163h5c0a9d47463434b3@mail.gmail.com>

Trust me, change your design:

- Core / Internet (ASR or Juniper)
- Distribution / Datacenter (6509)

with a default dynamic route from your Core to your Distribution.

On Tue, Feb 9, 2010 at 2:54 PM, Andy B. wrote:
> On Tue, Feb 9, 2010 at 2:51 PM, Manu Chao wrote:
> > For sure it may be possible to reduce/optimise the routing
> >
> > But in all case you will hit the platform limit ;(
> >
> > Full Internet Routing cost a lot
>
> I have other cores that do 40 times more BGP and they work like charm,
> with the exception that they do not have a few thousand servers
> connected to them. Only customers with routers.
> These routers are similar to this 6509, so nothing better or worse.
>
> Andy
>

From linux.yahoo at gmail.com Tue Feb 9 09:11:37 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 15:11:37 +0100
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <20100209134529.GA27827@mx.ytti.net>
References: <4B71636C.2040704@phibee.net> <20100209134529.GA27827@mx.ytti.net>
Message-ID: <7100ed371002090611w7ede2ec1tcd76770d7755449a@mail.gmail.com>

The new ASRs are better ;)

On Tue, Feb 9, 2010 at 2:45 PM, Saku Ytti wrote:
> On (2010-02-09 14:30 +0100), Phibee Network Operation Center wrote:
>
> > I am looking for real information on the Cisco 7401ASR,
> > if you have one ;=)
> >
> > I want to know if this Cisco has the same performance as the
> > Cisco 7204 with an NPE-400.
>
> ASR was the second product to be blessed (or cursed) with the toaster
> chip a.k.a. PXF.
> Like the first product (NSE-1) it was a failure, and newer software will
> disable and won't allow enabling PXF, so everything will be software
> switched like in the NPE400; performance is below the NPE300.
>
> > It supports MPLS, Interworking and EoMPLS.
> >
> > Is it the same IOS as the Cisco 7204?
>
> No. Also it is an EOL platform and as the price for a gray NPE300 is
> ridiculously small I personally wouldn't accept even free ASRs.
>
> --
>   ++ytti

From jlewis at lewis.org Tue Feb 9 09:13:08 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 9 Feb 2010 09:13:08 -0500 (EST)
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References:
Message-ID:

On Tue, 9 Feb 2010, Andy B. wrote:

> I am running one 6509 as a core router:
>
> IOS: SXF15a
> 1x WS-SUP720-3BXL
> 1x WS-X6748-GE-TX
> 2x WS-X6704-10GE
>
> On this core I am doing BGP with 2 upstreams (full BGP table IN) and
> 10 downstreams (full BGP table OUT).
> I am also doing OSPF with 4 other core routers in this AS.
>
> On top of that there is one VLAN on this core that serves as a default
> gateway for approximately 5000 servers, producing around 30 GBps
> outbound traffic and 10 GBps inbound.

If all of that traffic is transiting between the 6748 and 6704s, is it
possible you're filling (perhaps overfilling) the 40Gbps fabric the 6748 has
to the rest of the chassis during short traffic spikes?

With that much going on, I'm surprised you're using a single 6509 vs having
things split between a pair or more of them. Put some transit and some
customers on each...that way if one has an issue, needs a software upgrade,
etc., you can do a reload without the network going completely offline. Or
are you already doing that, and the troubled 6509 is just one of multiple?
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From saku at ytti.fi Tue Feb 9 09:19:24 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 16:19:24 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090547i342e8223u131077d5e0fd9cc6@mail.gmail.com>
References: <7100ed371002090547i342e8223u131077d5e0fd9cc6@mail.gmail.com>
Message-ID: <20100209141924.GA27965@mx.ytti.net>

On (2010-02-09 14:47 +0100), Manu Chao wrote:
> Too much BGP and traffic for your (old) 6509 router (even if with 3BXL).
>
> If you have the budget, i would push for Cisco ASR or Juniper M Core

There is nothing in the data that supports your remark; the router's peak pps
rate is below CFC system performance and there is plenty of TCAM space free.

Also I welcome you to look into JNPR MX, instead of M.

--
  ++ytti

From drew.weaver at thenap.com Tue Feb 9 09:20:47 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 9 Feb 2010 09:20:47 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru>
Message-ID:

Are you rate limiting ttl failures?

mls rate-limit all ttl-failure 100 10

thanks,
-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
Sent: Tuesday, February 09, 2010 7:22 AM
To: Sergey Nikitin
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

CPU load is fairly normal at 20-30%
No congestion. Most links are under 50%.

I have no Control Plane Policies in place, but I have already been advised
to do so - this might help, right?

Redesigning the network and shifting the busy (uncongested!) VLAN to another
router seemed like the only choice we have left, unless this CPP can help?
Andy

On Tue, Feb 9, 2010 at 12:15 PM, Sergey Nikitin wrote:
>
> Maybe you should try to find out what is the reason of the packet loss?
> Is there a high CPU load? Do you have control-plane configured? Do you have
> traffic congestion? Maybe you don't really need to redesign your network.
>
>
> Andy B. wrote:
>>
>> I am running one 6509 as a core router:
>>
>> IOS: SXF15a
>> 1x WS-SUP720-3BXL
>> 1x WS-X6748-GE-TX
>> 2x WS-X6704-10GE
>>
>> On this core I am doing BGP with 2 upstreams (full BGP table IN) and
>> 10 downstreams (full BGP table OUT).
>> I am also doing OSPF with 4 other core routers in this AS.
>>
>> On top of that there is one VLAN on this core that serves as a default
>> gateway for approximately 5000 servers, producing around 30 GBps
>> outbound traffic and 10 GBps inbound.
>>
>> Recently I noticed that this core router becomes very unresponsive
>> from time to time, dropping OSPF and BGP sessions (hold time expired
>> and so on). SNMP generated stats become useless as well, because most
>> SNMP requests to that core are timing out. It's really just the core
>> that is rather slow, but reachability to my customers and from my
>> customers to the internet remains perfect. Pinging the loopback
>> interface of the core or any default gateway IP address of the busy
>> VLAN can show up to 60% packet loss.
>>
>> Therefore I was thinking to split the core and move this very active
>> VLAN to a different router behind the core and only add a static route
>> to the core, so that the new router can handle these many MAC
>> addresses and hopefully get my core more responsive again.
>>
>> Does this scenario make any sense at all? Is it wise to have one core
>> router with many transit (in and out) BGP sessions also act as an
>> access router / default gateway for several thousand servers? What is
>> usually the best practice here?
>>
>> Thank you for your clues.
>>
>> Andy
>>

From swmike at swm.pp.se Tue Feb 9 09:21:48 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 9 Feb 2010 15:21:48 +0100 (CET)
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <4B71636C.2040704@phibee.net>
References: <4B71636C.2040704@phibee.net>
Message-ID:

On Tue, 9 Feb 2010, Phibee Network Operation Center wrote:

> Is it the same IOS as the Cisco 7204?

If it's anything like the 7120, then it won't take regular 7200 IOS images.

7401 went EoL end of 2009 and the latest IOS available on CCO seems to be
12.4(15)T11, so you won't see any new images after that would be my guess.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From globichen at gmail.com Tue Feb 9 09:22:44 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 15:22:44 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References:
Message-ID:

On Tue, Feb 9, 2010 at 3:13 PM, Jon Lewis wrote:
> If all of that traffic is transiting between the 6748 and 6704s, is it
> possible you're filling (perhaps overfilling) the 40Gbps fabric the 6748 has
> to the rest of the chassis during short traffic spikes?

The 6748 is not really doing that much. Maybe 3-4 GBps.
Incoming Transit and IBGP come in on one 6704. The other 6704 is
port-channeled into the VLAN.

> With that much going on, I'm surprised you're using a single 6509 vs having
> things split between a pair or more of them.
> Put some transit and some
> customers on each...that way if one has an issue, needs a software upgrade,
> etc., you can do a reload without the network going completely offline. Or
> are you already doing that, and the troubled 6509 is just one of multiple?

This is already partially the case - I am working on improvements here as well :)

Andy

From oldnick at oldnick.ru Tue Feb 9 09:27:39 2010
From: oldnick at oldnick.ru (Sergey Nikitin)
Date: Tue, 09 Feb 2010 17:27:39 +0300
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
Message-ID: <4B7170DB.7010602@oldnick.ru>

What is the output of:

show platform hardware capacity interface
show fabric utilization detail

?

Andy B. wrote:
> On Tue, Feb 9, 2010 at 2:43 PM, Church, Charles wrote:
>> Is it possible the NDE on the SP is the issue? I assume it's configured to
>> export? What does a 'sh proc cpu hist' tell you on the RP and SP?
>>
>> Chuck
>
> I can almost certainly rule that out. Last time this happened I turned
> off NDE, but it did not change much.
>
> Here is the result anyway:
>
> #sh proc cpu hist
>
>     2222222288888555511111111111111111111111111111111111111113
>     4448888844444666677777444446666655555666667777777777999999
> 100
>  90
>  80 *****
>  70 *****
>  60 *********
>  50 *********
>  40 ********* *
>  30 ************** *
>  20 ********************** *******************************
>  10 **********************************************************
>    0....5....1....1....2....2....3....3....4....4....5....5....
>              0    5    0    5    0    5    0    5    0    5
>
> CPU% per second (last 60 seconds)
>
>     1 1 1 1
>     7907999979978997999980999998999899899097889889978997088899
>     4509292289154946699800675905966199809044339839881997055793
> 100 ** * * * **** ***** *** ** ** * ** ** * *
>  90 ** **** ** ** **** ********** ******* ** ** ** ******
>  80 ************************************** ******************
>  70 **********************************************************
>  60 **********************************************************
>  50 *******************************************************##*
>  40 ****************#**************************************###
>  30 #################*########################################
>  20 ##########################################################
>  10 ##########################################################
>    0....5....1....1....2....2....3....3....4....4....5....5....
>              0    5    0    5    0    5    0    5    0    5
>
> CPU% per minute (last 60 minutes)
> * = maximum CPU%   # = average CPU%
>
>     1111111111111111111111111111111111111111111111111111111111111111111111
>     0000000000000000000000000000000000000000000000000000000000000000000000
>     0000000000000000000000000000000000000000000000000000000000000000000000
> 100 **********************************************************************
>  90 **********************************************************************
>  80 **********************************************************************
>  70 *******#**********************##**************************************
>  60 *******#**********************##**************************************
>  50 ******###*********************###******#********************#*********
>  40 #*##**###*#**##***#**#***#****###***##*#****#*****#**##**#####********
>  30 #####*######*##########*###**#####*#####***####################***####
>  20 ######################################################################
>  10 ######################################################################
>    0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
>              0    5    0    5    0    5    0    5    0    5    0    5    0
>
> CPU% per hour (last 72 hours)
> * = maximum CPU%   # = average CPU%
>
> #remote command switch sh proc cpu hist
>
>     3333322222222226666677777333331111222223333322222666667777
>     1111155555999990000077777000005555999997777755555777776666
> 100
>  90
>  80 ***** ****
>  70 ***** *********
>  60 ********** *********
>  50 ********** *********
>  40 ********** ***** *********
>  30 ****************************** ************************
>  20 **********************************************************
>  10 **********************************************************
>    0....5....1....1....2....2....3....3....4....4....5....5....
>              0    5    0    5    0    5    0    5    0    5
>
> CPU% per second (last 60 seconds)
>
>     7977778888889999975798767688889888888988788888998988998878
>     7046543783562032129590344605798023115098878663008368337698
> 100 * *
>  90 * ** ******* * **** **** **** ********** *
>  80 ** ** #****##*#** *#* ***##****************####*******
>  70 ******#****##*#*** *#** *****##******#*********#####******
>  60 ******##***##*#*#***#*******####*****#******#*######*****#
>  50 ******##***##*###***##******####**#**##****##*######***#*#
>  40 ##################*###****################################
>  30 ##########################################################
>  20 ##########################################################
>  10 ##########################################################
>    0....5....1....1....2....2....3....3....4....4....5....5....
>              0    5    0    5    0    5    0    5    0    5
>
> CPU% per minute (last 60 minutes)
> * = maximum CPU%   # = average CPU%
>
>     1111 1 1 1
>     9999999999999900009999999999999999999999899889998999909999999880908999
>     8968979889989900007367999999989999979583747981479337809999993870907900
> 100 ******************* ******************* * * ********* *** *
>  90 **********************************************************************
>  80 **********************************************************************
>  70 ****#*****************************************************************
>  60 **#*#*#######************##*#*######****************###***************
>  50 #################****#################************########************
>  40 ########################################*******###############*###***#
>  30 ######################################################################
>  20 ######################################################################
>  10 ######################################################################
>    0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
>              0    5    0    5    0    5    0    5    0    5    0    5    0
>
> CPU% per hour (last 72 hours)
> * = maximum CPU%   # = average CPU%
>

From saku at ytti.fi Tue Feb 9 09:27:52 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 16:27:52 +0200
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <7100ed371002090611w7ede2ec1tcd76770d7755449a@mail.gmail.com>
References: <4B71636C.2040704@phibee.net> <20100209134529.GA27827@mx.ytti.net> <7100ed371002090611w7ede2ec1tcd76770d7755449a@mail.gmail.com>
Message-ID: <20100209142752.GB27965@mx.ytti.net>

On (2010-02-09 15:11 +0100), Manu Chao wrote:
> new ASR are better ;)

Indeed, but of course 7400, ASR1k and ASR9k have nothing in common while the
name might suggest so, so 'new ASR' is a bit of a stretch.

ASR1k is popey/QFP which is cisco IP, AFAIK based on tensilica di570t,
running IOS as a process on top of linux.
ASR9k is EZchip NP(3c|4), which is a 3rd party NPU, with the fabric from
nexus7k, running IOS-XR on top of QNX obviously.
7400 is plain old IOS, purely a software router today as toaster/PXF cannot
be enabled.

I think ASR1k is a very interesting platform for some applications while
ASR9k as it is today is overshadowed by MX. CSCO will have to work hard to
bridge the gap.

> On Tue, Feb 9, 2010 at 2:45 PM, Saku Ytti wrote:
> > On (2010-02-09 14:30 +0100), Phibee Network Operation Center wrote:
> >
> > > I am looking for real information on the Cisco 7401ASR,
> > > if you have one ;=)
> > >
> > > I want to know if this Cisco has the same performance as the
> > > Cisco 7204 with an NPE-400.
> >
> > ASR was the second product to be blessed (or cursed) with the toaster
> > chip a.k.a. PXF.
> > Like the first product (NSE-1) it was a failure, and newer software will
> > disable and won't allow enabling PXF, so everything will be software
> > switched like in the NPE400; performance is below the NPE300.
> >
> > > It supports MPLS, Interworking and EoMPLS.
> > >
> > > Is it the same IOS as the Cisco 7204?
> >
> > No. Also it is an EOL platform and as the price for a gray NPE300 is
> > ridiculously small I personally wouldn't accept even free ASRs.
> >
> > --
> >   ++ytti
> >

--
  ++ytti

From globichen at gmail.com Tue Feb 9 09:28:26 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 15:28:26 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B7170DB.7010602@oldnick.ru>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru>
Message-ID:

On Tue, Feb 9, 2010 at 3:27 PM, Sergey Nikitin wrote:
> What is the output of:
>
> show platform hardware capacity interface
> show fabric utilization detail
>

#show platform hardware capacity interface
Interface Resources
  Interface drops:
    Module  Total drops:        Tx          Rx   Highest drop port:  Tx   Rx
         2                21586995208   13878964                      13   24
         5                          0          6                       0    1
         8                      26023  459918169                       3    4
         9                     249981  480544167                       1    4
  Interface buffer sizes:
    Module  Bytes:  Tx buffer   Rx buffer
         2           1221120      152000
         8          14622592     1914304
         9          14622592     1914304

#show fabric utilization detail
Fabric utilization:     Ingress                 Egress
  Module  Chanl  Speed  rate  peak            rate  peak
       2      0    20G    8%    0%              2%    0%
       2      1    20G   29%    0%             61%    0%
       5      0    20G   15%    0%             17%    0%
       8      0    20G   34%    0%              5%    0%
       8      1    20G    6%    0%             16%    0%
       9      0    20G   36%    0%              8%    0%
       9      1    20G   12%    0%             48%    0%

From brhedlun at cisco.com Tue Feb 9 09:30:01 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Tue, 9 Feb 2010 08:30:01 -0600
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>
Message-ID: <8F2F3DB5-7970-41C4-969E-11445C507CDE@cisco.com>

The Nexus 2000->5000 design does require looking at things a bit differently
than you have in the past. Data Center architecture is changing fast due to
the rapid onset of Data Center virtualization.
Server & Storage administrators have been struggling with this change as
well; this isn't something unique to the Network.

There is a tendency to view the Nexus 2000 as a switch. And understandably
so, because it's packaged like a switch, looks like a switch, and installs in
the rack like a switch. Because of this perception it's easy to subject it to
the typical switch design criteria. But in doing so you begin an exercise
that leads to more frustration than clarity because you are applying old
thinking to new technology.

It makes more sense to view the Nexus 2000 as a linecard that has been pulled
out of a switch, packaged up in sheet metal, and the backplane ports
connecting to the supervisor engine changed to SFP+ ports. You now have a
linecard that connects to its supervisor engine with cables. Why is that
significant? Because it reduces the complexity (and therefore total cost of
ownership) of adopting a Data Center virtualization architecture. Ten Nexus
2000s are managed no differently than ten linecards. I think we can all agree
that a linecard requires a lot less management than a switch. It also allows
the Data Center to grow into larger L2 domains required by virtualization by
minimizing the # of L2 nodes, because the Nexus 2000 links to the data center
with L1, versus L2.

Business leaders are hearing a lot about cloud computing these days, and its
cost advantages to the business. Yet there is a valid concern with data
privacy and security that comes with public cloud computing. If internal IT
can transform their data centers into a private cloud, or at least
drastically improve the operational efficiency and total cost of ownership of
their own data centers ... the wholesale outsourcing of the data center
applications to the public cloud becomes less attractive to the business
leaders.

--
Brad Hedlund, CCIE #5530, VCP
Technology Solutions Architect, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Feb 9, 2010, at 4:40 AM, Livio Zanol Puppim wrote:

> Yeah, you are right.
>
> But I would like to use my nexus 5000 10GE/FCoE ports just for access
> servers, maximizing its use... The uplinks from Nexus 2000 could easily go
> directly to my distribution/core. Unfortunately, nexus 2000 is just a fabric
> extender and can ONLY be attached to Nexus 5000... Maybe Cisco changes it
> later...
>
> Let's think:
>
> 10 nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must
> use at my nexus 5000. That's more than 1 entire switch (1RU) and almost 1
> switch (2RU).
>
> I haven't figured out yet what's the advantage of having this design (nexus
> 2000 -> nexus 5000) other than the "old" one (catalyst 4948 -> nexus
> 7000/cisco 6500). That's what I'm talking about.
>
> The only REAL advantage so far is the vPC...
>
> 2010/2/2 Brad Hedlund
>
> True, the Nexus 2000 does not locally switch, but let's explore that for a
> second...
>
> 1) a typical enterprise Data Center is running applications that are not
> latency sensitive, where latencies in the 10s of microseconds are perfectly
> OK and nobody is really counting anyway. Only in the small minority of Data
> Centers running high frequency trading, grid computing, or some other ultra
> low latency application, every *nanosecond* matters and local switching
> with fewer hops is of paramount importance. Furthermore, these applications
> are quickly migrating away from 1GE to 10GE attached servers for the obvious
> low latency advantages.
>
> 2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink for
> 4948. This results in a possible 1:1.2 oversubscription ratio for Nexus
> 2000 to handle the additional uplink load that may otherwise not be present
> on a 4948.
>
> 3) The upstream Nexus 5000 implements cut-through switching, and the Nexus 2000 itself also uses cut-through for frames entering on 1GE and egressing on 10GE. The two combined often result in port-to-port latencies similar to a Catalyst 6500, even without the "local switching". If you are comfortable with your Catalyst 6500 local switching latencies, you can expect similar performance from a Nexus 2000/5000 combination.
>
>
> --
> Brad Hedlund, CCIE #5530
> Consulting Systems Engineer, Data Center
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
>
>
> On Jan 31, 2010, at 5:25 PM, David Hughes wrote:
>
> >
> >
> > On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:
> >
> >> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
> >> 4948 as access layer switches?
> >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
> >> could be used by servers with 10GbE/FCoE.
> >
> > The N2K does no local switching so if you have any east-west traffic between ports on the same switch you'll be better served by a more "traditional" access switch. Naturally the N2K offers centralised management etc etc but that may or may not be of interest depending on the size of your deployment.
> >
> >
> >
> > David
> > ...
> > _______________________________________________
> > cisco-nsp mailing list
> > cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
> --
> []'s
>
> Lívio Zanol Puppim

From saku at ytti.fi Tue Feb 9 09:31:13 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 16:31:13 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <20100209143113.GC27965@mx.ytti.net>

On (2010-02-09 14:51 +0100), Manu Chao wrote:

> For sure it may be possible to reduce/optimise the routing
>
> But in all case you will hit the platform limit ;(
>
> Full Internet Routing cost a lot

You appear not to be aware of the difference between XL and non-XL models; the device being discussed here can handle 1M IPv4 routes. There is nothing at all to support your conclusion that the limits of the platform are being met.

--
++ytti

From drew.weaver at thenap.com Tue Feb 9 09:33:05 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 9 Feb 2010 09:33:05 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID:

6500s are just an awful platform and have caveats out the wazoo.

Yes, the 3BXL will do full internet tables, but not as well as any router Cisco offers (GSR...)

Yes, the 6724 Line card can do 24 1Gbps connections, but not if you have bursty traffic (buffer overflows)

Yes, the Supervisor will respond to traceroutes, but in software...
(rate limit TTL)

If you ping the 6500 while BGP scanner is running you will see 600ms responses...

Most of these things (except for the 6724 line card suckage) are 'fixed' in hardware only platforms (GSR... etc)

I probably sound bitter, but if one goes straight from what Cisco's documentation says they would think the 6500 is a great platform, but there should be a * next to everything in that entire white paper.

-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
Sent: Tuesday, February 09, 2010 8:54 AM
To: Manu Chao
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

On Tue, Feb 9, 2010 at 2:51 PM, Manu Chao wrote:
> For sure it may be possible to reduce/optimise the routing
>
> But in all case you will hit the platform limit ;(
>
> Full Internet Routing cost a lot

I have other cores that do 40 times more BGP and they work like a charm, with the exception that they do not have a few thousand servers connected to them. Only customers with routers.
These routers are similar to this 6509, so nothing better or worse.

Andy

From sven at darkman.de Tue Feb 9 09:35:43 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Tue, 09 Feb 2010 15:35:43 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <4B7172BF.2080209@darkman.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Andy B.
schrieb:
> I have other cores that do 40 times more BGP and they work like a charm,
> with the exception that they do not have a few thousand servers
> connected to them. Only customers with routers.
> These routers are similar to this 6509, so nothing better or worse.

How about splitting the servers into different vlans? It should lower the broadcasts etc and may help... (it's hard for me to believe that you have one /19 or similar configured on one vlan, I hope there are a few subnets ;)

Regards,
Sven

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAktxcr8ACgkQQoCguWUBzBxNJACgoic90h9xxDA8VASDwyJ4OmP4
QMwAoIz/VigSz2nch4cRZXDcVZ1jaViC
=LtsD
-----END PGP SIGNATURE-----

From linux.yahoo at gmail.com Tue Feb 9 09:47:44 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 15:47:44 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209141924.GA27965@mx.ytti.net>
References: <7100ed371002090547i342e8223u131077d5e0fd9cc6@mail.gmail.com> <20100209141924.GA27965@mx.ytti.net>
Message-ID: <7100ed371002090647n1f0b8234k2d8c417bba689d2d@mail.gmail.com>

J MX and T work very very well, you are right

On Tue, Feb 9, 2010 at 3:19 PM, Saku Ytti wrote:

> On (2010-02-09 14:47 +0100), Manu Chao wrote:
>
> > Too much BGP and traffic for your (old) 6509 router (even if with 3BXL).
> >
> > If you have the budget, i would push for Cisco ASR or Juniper M Core
>
> There is nothing in the data that supports your remark, the router's peak
> pps rate is below CFC system performance and there is plenty of TCAM space
> free.
> Also I welcome you to look into JNPR MX, instead of M.
>
> --
> ++ytti
>

From Charles.Church at harris.com Tue Feb 9 10:03:24 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Tue, 9 Feb 2010 10:03:24 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
Message-ID: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>

The weird part is the NDE process is still using CPU. Which netflow setting are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are getting crushed at times, it seems like more than just a punted packet issue, since that would be primarily RP, wouldn't it?

Chuck

-----Original Message-----
From: Andy B. [mailto:globichen at gmail.com]
Sent: Tuesday, February 09, 2010 8:50 AM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

I can almost certainly rule that out. Last time this happened I turned off NDE, but it did not change much.

Here is the result anyway:
From p.mayers at imperial.ac.uk Tue Feb 9 10:07:46 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 15:07:46 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090609y401da163h5c0a9d47463434b3@mail.gmail.com>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com> <7100ed371002090609y401da163h5c0a9d47463434b3@mail.gmail.com>
Message-ID: <4B717A42.2090908@imperial.ac.uk>

On 09/02/10 14:09, Manu Chao wrote:
> trust me, change your design:
> - Core / Internet (ASR or Juniper)
> - Distribution / Datacenter (6509)
>
> with a default dynamic route from your Core to your Distribution

I personally disagree that this is the right approach. Without taking the time to understand the reason the 6500 is failing to function, it might not help at all, and could be a big waste of money.

It *might* be the right solution, but until the problem is identified, it is premature.

From linux.yahoo at gmail.com Tue Feb 9 10:11:29 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 16:11:29 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References:
Message-ID: <7100ed371002090711q6055c009s40e5e90e587a2f63@mail.gmail.com>

Can you please share the following output:

show fabric utilization

On Tue, Feb 9, 2010 at 3:22 PM, Andy B. wrote:

> On Tue, Feb 9, 2010 at 3:13 PM, Jon Lewis wrote:
>
> > If all of that traffic is transiting between the 6748 and 6704s, is it
> > possible you're filling (perhaps overfilling) the 40Gbps fabric the 6748 has
> > to the rest of the chassis during short traffic spikes?
>
> The 6748 is not really doing that much. Maybe 3-4 GBps.
>
> Incoming Transit and IBGP comes with one 6704.
> The other 6704 is port-channeled into the VLAN
>
> > With that much going on, I'm surprised you're using a single 6509 vs having
> > things split between a pair or more of them. Put some transit and some
> > customers on each...that way if one has an issue, needs a software upgrade,
> > etc., you can do a reload without the network going completely offline. Or
> > are you already doing that, and the troubled 6509 is just one of multiple?
>
> This is already partially the case - I am working on improvements here
> as well :)
>
> Andy

From globichen at gmail.com Tue Feb 9 10:12:57 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 16:12:57 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090711q6055c009s40e5e90e587a2f63@mail.gmail.com>
References: <7100ed371002090711q6055c009s40e5e90e587a2f63@mail.gmail.com>
Message-ID:

On Tue, Feb 9, 2010 at 4:11 PM, Manu Chao wrote:
> Can you please share following output:
>
> show fabric utilization

#show fabric utilization
 slot    channel    speed    Ingress %    Egress %
    2          0      20G            7           2
    2          1      20G           27          63
    5          0      20G           14          17
    8          0      20G           38           4
    8          1      20G            6          18
    9          0      20G           38           7
    9          1      20G           12          48

From globichen at gmail.com Tue Feb 9 10:15:27 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 16:15:27 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
Message-ID:

On Tue, Feb 9, 2010 at 4:03 PM, Church, Charles wrote:
> The weird part is the NDE process is still using CPU.
> Which netflow setting
> are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are
> getting crushed at times, seems like more than just a punted packet issue,
> since that would be primarily RP, wouldn't it?

Netflow is basically configured like this:

ip flow-cache entries 524288
ip flow-cache timeout active 1
mls ip slb purge global
mls ip multicast flow-stat-timer 9
mls aging fast time 4 threshold 2
mls aging long 128
mls aging normal 64
mls netflow usage notify 80 300
mls flow ip interface-full
mls flow ipv6 interface-full
mls rate-limit unicast cef glean 200 50
mls rate-limit all ttl-failure 100 10
no mls acl tcam share-global
mls cef error action freeze
ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-aggregation cache as
 cache timeout active 1
 export destination 9000
 enabled

From linux.yahoo at gmail.com Tue Feb 9 10:18:57 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 16:18:57 +0100
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <20100209142752.GB27965@mx.ytti.net>
References: <4B71636C.2040704@phibee.net> <20100209134529.GA27827@mx.ytti.net> <7100ed371002090611w7ede2ec1tcd76770d7755449a@mail.gmail.com> <20100209142752.GB27965@mx.ytti.net>
Message-ID: <7100ed371002090718l6830a75enb35a82b2e4ea1093@mail.gmail.com>

Agreed ;)

The gap was huge, it is now acceptable

On Tue, Feb 9, 2010 at 3:27 PM, Saku Ytti wrote:

> On (2010-02-09 15:11 +0100), Manu Chao wrote:
>
> > new ASR are better ;)
>
> Indeed, but of course 7400, ASR1k and ASR9k have nothing in common while
> the name might suggest so, so 'new ASR' is stretching it a bit.
> ASR1k is popey/QFP which is cisco IP, AFAIK based on tensilica di570t,
> running IOS as a process on top of linux.
> ASR9k is EZchip NP(3c|4), which is a 3rd party NPU, with the fabric from
> nexus7k, running IOS-XR on top of QNX obviously.
> 7400 is plain old IOS, a purely software router today as toaster/PXF cannot
> be enabled.
>
> I think ASR1k is a very interesting platform for some applications while
> ASR9k as it is today is overshadowed by MX. CSCO will have to work hard to
> bridge the gap.
>
>
>
> > On Tue, Feb 9, 2010 at 2:45 PM, Saku Ytti wrote:
> >
> > > On (2010-02-09 14:30 +0100), Phibee Network Operation Center wrote:
> > >
> > > > i am searching for real information on the Cisco 7401ASR :
> > > > If you have one unit ;=)
> > > >
> > > > I want to know if this cisco has the same performance as the
> > > > Cisco 7204 with a NPE 400 ?
> > >
> > > ASR was the second product to be blessed (or cursed) with the toaster
> > > chip a.k.a PXF.
> > > Like the first product NSE-1 it was a failure and newer software will disable and
> > > won't allow enabling PXF, so everything will be software switched, like in
> > > NPE400, performance is below NPE300.
> > >
> > > > It supports MPLS, Interworking and EoMPLS
> > > >
> > > > Is it the same IOS as the Cisco 7204 ?
> > >
> > > No. Also it is an EOL platform and as the price for a grey NPE300 is ridiculously
> > > small I personally wouldn't accept even free ASRs.
> > >
> > > --
> > > ++ytti
> >
>
> --
> ++ytti
>

From p.mayers at imperial.ac.uk Tue Feb 9 10:22:50 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 15:22:50 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net> <20100209133224.GA27783@mx.ytti.net>
Message-ID: <4B717DCA.10601@imperial.ac.uk>

On 09/02/10 13:45, Andy B. wrote:
>> Are these receive addresses in the router or transit?
>>
>> sh mls cef lookup x.x.160.112
>> sh mls cef lookup x.x.160.112 detail
>>
>> sh mls cef adjacency entry 123 detail
>>
>
> #show buffers input-interface te9/1 header
>
> Buffer information for Small buffer at 0x50070DC8
>   data_area 0x80667C4, refcount 1, next 0x45475F58, flags 0x280
>   linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
>   if_input 0x4646B618 (TenGigabitEthernet9/1), if_output 0x0 (None)
>   inputtime 47w4d (elapsed 00:00:09.252)
>   outputtime 47w4d (elapsed 00:03:54.772), oqnumber 65535
>   datagramstart 0x806683A, datagramsize 62, maximum size 308
>   mac_start 0x806683A, addr_start 0x806683A, info_start 0x0
>   network_start 0x8066848, transport_start 0x8066878, caller_pc 0x4187C1F0
>
>   source: x.x.224.116, destination: y.y.176.97, id: 0x79FD, ttl: 121,
>   TOS: 0 prot: 6, source port 2844, destination port 445
>
> x.x = outside

Ok, so this is an inbound TCP packet to port 445, for a host which isn't in the ARP table, hence the glean:

> #sh mls cef lookup y.y.176.97
>
> Codes:
>   decap - Decapsulation, + - Push Label
> Index   Prefix            Adjacency
> 20304   y.y.176.0/24      glean

Probably random malware/virus scanning.

Obviously the CPU will handle gleans (things which need an ARP lookup). As has been pointed out, you can enable the "glean" rate limiter, but there are two points to bear in mind:

1. It's box-global and there's no per-interface round-robin or anything. Basically you're telling it "only ever send me 200 packets which need an ARP lookup per second", and if some bad person on the internet sends you 201, they can crowd out legitimate local traffic (the glean rate-limiter should really be per input-SVI. Sigh...)

2. It seems a bit unlikely that you'll suddenly get 5x more glean traffic at the exact peak of your forwarding rate, so this might be just random background traffic.

Personally I would use a SPAN or (E)RSPAN session monitoring the CPU during an outage to see what's actually hitting the CPU:

http://cisco.cluepon.net/index.php/6500_SPAN_the_RP

...this is a lot easier under later IOS, but can be done under SXF. Why guess what's hitting the CPU when you can *know*?

From saku at ytti.fi Tue Feb 9 10:26:52 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 17:26:52 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru>
Message-ID: <20100209152652.GA28195@mx.ytti.net>

My guess is that you are sporadically getting a flood of glean punts which are blocking your input buffers, causing OSPF/BGP keepalives to be dropped.

I suggest increasing hold-queue input on the interfaces where you see drops and also implementing the glean rate-limit.

For the long term, set up ERSPAN for control-plane traffic so if it happens again in spite of the changes you'll have more data to work with.
--
++ytti

From Charles.Church at harris.com Tue Feb 9 10:38:41 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Tue, 9 Feb 2010 10:38:41 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
Message-ID: <290EF89F13F04F4E924BB235A46D18F109FE2BA7D7@MLBMXUS2.cs.myharris.net>

I haven't used the 'flow-aggregation ...' in the past, but it has a destination on it still. Not sure if that's still causing exporting to happen or not. Can you reduce the flow mask from 'interface-full' to something like 'source' so that it will use less TCAM space?

Chuck

-----Original Message-----
From: Andy B. [mailto:globichen at gmail.com]
Sent: Tuesday, February 09, 2010 10:15 AM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

On Tue, Feb 9, 2010 at 4:03 PM, Church, Charles wrote:
> The weird part is the NDE process is still using CPU. Which netflow setting
> are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are
> getting crushed at times, seems like more than just a punted packet issue,
> since that would be primarily RP, wouldn't it?
Netflow is basically configured like this:

ip flow-cache entries 524288
ip flow-cache timeout active 1
mls ip slb purge global
mls ip multicast flow-stat-timer 9
mls aging fast time 4 threshold 2
mls aging long 128
mls aging normal 64
mls netflow usage notify 80 300
mls flow ip interface-full
mls flow ipv6 interface-full
mls rate-limit unicast cef glean 200 50
mls rate-limit all ttl-failure 100 10
no mls acl tcam share-global
mls cef error action freeze
ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-aggregation cache as
 cache timeout active 1
 export destination 9000
 enabled

From gert at greenie.muc.de Tue Feb 9 10:44:11 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 9 Feb 2010 16:44:11 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <20100209154411.GP9556@greenie.muc.de>

Hi,

On Tue, Feb 09, 2010 at 09:33:05AM -0500, Drew Weaver wrote:
> Yes, the 6724 Line card can do 24 1Gbps connections, but not if you have bursty traffic (buffer overflows)

Burst in which direction? Fabric->Line card?

(This is pretty much unavoidable for any sort of hardware if you go from higher speed to lower speed interfaces - the question is, of course, "how big are the buffers").

gert

--
USENET is *not* the non-clickable part of WWW!                        //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From saku at ytti.fi Tue Feb 9 10:50:21 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 17:50:21 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <20100209155021.GA28238@mx.ytti.net>

On (2010-02-09 09:33 -0500), Drew Weaver wrote:

> 6500s are just an awful platform and have caveats out the wazoo.

Yes, it is complex to operate successfully outside LAN environments; that complexity may well increase OPEX past any CAPEX benefit it had.

> Yes, the 3BXL will do full internet tables, but not as well as any router Cisco offers (GSR...)

I haven't experienced any relevant difference taking a full table on GSR and on 7600. Of course when you have SUP720, RSP720, GRP-A, GRP-B, PRP-1, PRP-2, you'd need to be more specific about what you mean. The BGP code is obviously mostly the same.

> Yes, the 6724 Line card can do 24 1Gbps connections, but not if you have bursty traffic (buffer overflows)

To nitpick, it has a single 20G fabric connection, so actually 20x1Gbps, not 24.

> Yes, the Supervisor will respond to traceroutes, but in software... (rate limit TTL)

All devices do traceroute in software; GSR has a distributed LC CPU, but it is still software. JNPR not long ago had a chassis-wide limit on traceroute of 50pps per interface and 500pps per PFE, which wasn't even configurable, unlike in 7600.
In GSR still today there is nothing you can do to protect the control-plane from, say, a TTL exceeded attack; rACL and CoPP are done in the LC CPU, while in 7600 they are done in hardware. It is trivial to bring GSR/IOS to its knees when DoSed by someone who understands the platform; I know of no way to DoS a 7600 when not connected to it at L2, when it has been properly configured.
> If you ping the 6500 while BGP scanner is running you will see 600ms responses...

BGP has been event driven since 2006 with the release of SRA.

> Most of these things (except for the 6724 line card suckage) are 'fixed' in hardware only platforms (GSR... etc)

GSR is not hardware only; as said, the control-plane can't be protected in hardware in IOS at all, and E0 and E1 are pure software linecards.

> I probably sound bitter, but if one goes straight from what Cisco's documentation says they would think the 6500 is a great platform, but there should be a * next to everything in that entire white paper.

I'd say if you don't have time to invest in understanding the platform in depth then neither 7600 nor GSR will be easy or cheap to operate; JNPR in my experience requires far less from the pilot and is mostly competitively priced unless you're looking at purely LAN cards.

--
++ytti

From p.mayers at imperial.ac.uk Tue Feb 9 10:56:06 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 15:56:06 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
Message-ID: <4B718596.2050602@imperial.ac.uk>

On 09/02/10 15:03, Church, Charles wrote:
> The weird part is the NDE process is still using CPU. Which netflow setting
> are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are

What evidence do we have for the RP and SP both being hit?

> getting crushed at times, seems like more than just a punted packet issue,
> since that would be primarily RP, wouldn't it?

Not if it were a loop

From globichen at gmail.com Tue Feb 9 11:56:45 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 17:56:45 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209152652.GA28195@mx.ytti.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net>
Message-ID:

On Tue, Feb 9, 2010 at 4:26 PM, Saku Ytti wrote:
> My guess is that you are sporadically getting flood of glean punts which
> are blocking your input buffers causing OSPF/BGP keepalives to be dropped.
>

Excuse me for being ignorant, but what are glean punts? Should I dig out my routing for dummies book :-/

Andy

From tvarriale at comcast.net Mon Feb 8 23:25:44 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 8 Feb 2010 22:25:44 -0600
Subject: [c-nsp] 3560G as WAN-aggregation-layer
References: <5A69C25361FED34F83ABF05F5047524507F05FB1@wally.walleyetrading.net>
Message-ID: <8559330CD7FC4195A9836D019EB086B2@flamdt01>

Care to share your server farm experience? There are many that do what you are trying to do as long as you understand the limitations and differences in QoS/etc (compared to routers).

G1s, although being part of a software platform, are decent horsepower. If you are looking at some shaping/policing down from gig you may want to be careful (especially on multiple). But, if it's a 100mb line and you want to play they will do fairly well.

tv

----- Original Message -----
From: "Jeff Bacon"
To:
Sent: Monday, February 08, 2010 5:09 PM
Subject: [c-nsp] 3560G as WAN-aggregation-layer

> Greetings.
>
> I know this is going to sound pretty, well, lame. But...
>
> I currently have a couple of routers (a 7204/NPE-G1 and a 3845)
> front-ending my WAN connections, which are all metro Ethernet, mostly
> gig ports which are policed at some CIR, or 100Mbit. The routers are
> big, expensive, and really don't do much - oh, someday I would like to
> do some QoS...someday.
>
> So, there is this pile of 3560Gs in the corner. I've had
> less-than-impressive experiences with them as server-farm access
> switches, which is why they are there. However, I'm thinking that for
> handling a handful (4-6) of Gig-Es/100Ms which are mostly not running at
> capacity, as long as I distribute the ports out amongst the port ASICs
> (so each line has the full 2Mbit TX buffer of the port ASIC to itself),
> and as long as I don't do something stupid like put all 4 ports of a
> 4-port etherchannel in ports 1-4, they ought to be fine.
>
> The switches don't need to do much - pass the traffic, run EIGRP, a
> little light QoS. Our route table is tiny, relatively.
>
> Am I going to regret this?
> Conversely, how much can I really expect out of an NPE-G1?

From dwcarder at wisc.edu Tue Feb 9 12:24:24 2010
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Tue, 09 Feb 2010 11:24:24 -0600
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209152652.GA28195@mx.ytti.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net>
Message-ID:

On Feb 9, 2010, at 9:26 AM, Saku Ytti wrote:
> My guess is that you are sporadically getting flood of glean punts which
> are blocking your input buffers causing OSPF/BGP keepalives to be dropped.

Maybe, but does SPD prioritize glean traffic vs IGP?
Dale

From saku at ytti.fi Tue Feb 9 12:27:55 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 19:27:55 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net>
Message-ID: <20100209172755.GA28533@mx.ytti.net>

On (2010-02-09 17:56 +0100), Andy B. wrote:

> Excuse me for being ignorant, but what are glean punts? Should I dig
> out my routing for dummies book :-/

No ignorance; sorry for being so terse, I just wanted to avoid rambling on too much.

Gleans are packets which need to be punted because the forwarding information is incomplete, in this case because it is a locally connected destination without a valid hardware (MAC) forwarding address. To resolve the IP address you'll ARP for it, and this is a software function; to be able to trigger ARP you'll need to punt the packet to software.

As you have a huge LAN, it is likely also very empty, so you might get a sudden burst of packets spread around the LAN, which would suddenly punt many packets to software. If BGP/OSPF is running over the same physical interface, an incoming BGP/OSPF keepalive might be dropped, since there is no room to punt it (actually SPD should have some extra room for them), causing the BGP keepalive to be dropped.

When OSPF/BGP goes down, is it always one side tearing it down due to hold-time expiring? If it is always the same and always the router under discussion this would support my hypothesis.

--
++ytti

From me at falz.net Tue Feb 9 12:36:21 2010
From: me at falz.net (Chris Wopat)
Date: Tue, 9 Feb 2010 11:36:21 -0600
Subject: [c-nsp] 2811 login issues
Message-ID:

On Mon, Feb 8, 2010 at 11:00 AM, wrote:
> Subject: [c-nsp] 2811 login issues
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have a 2811 that stopped accepting logins from its FastEthernet
> interface last week out of the blue. When this happened there were no
> config changes, router reboots, etc. It has a Multilink bundle
> unnumbered via that FastEthernet interface and it *does* accept logins
> from this direction. Config is simple, a default route via FA and a
> /24 via MU.
>
> A few other odd symptoms:
>
> - 'copy tftp flash' will work for about 12 seconds and then begin to timeout.
>
> - telnetting from the router to anywhere immediately gives
> "Destination unreachable; gateway or host down" without even really
> trying.
>
> What's even more strange is that everything works fine the first 5-10
> minutes after a reboot.
> It was running 12.4(15)XY1 and I was able to get it to 12.4(15)XY3 to
> see if it was a bug. It's running XY for support for its HWIC-4T1/E1.
>
> In an attempt to rule out an upstream routing problem I've added its
> default gateway (3.89) to the login ACL and it gives the same symptoms
> when connecting from there. It seems to be completely dropping packets
> vs rejecting them as it still does if you connect from an IP not on
> that ACL.
>
> 'debug ip packet' shows this when connecting via telnet or ssh:
>
> Feb  8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0), d=10.170.3.90, len 60, rcvd 2
> Feb  8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0), d=10.170.3.90, len 60, stop process pak for forus packet

Anyone have insight into this? I still have not come up with a solution. I've also temporarily enabled CDP to confirm that things are connected as they should be.
--Chris

From Charles.Church at harris.com Tue Feb 9 12:39:33 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Tue, 9 Feb 2010 12:39:33 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B718596.2050602@imperial.ac.uk>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk>
Message-ID: <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net>

I was going by the 'show proc cpu hist' he gave for both the SP and RP. Both looked pretty bad across the board.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, February 09, 2010 10:56 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

On 09/02/10 15:03, Church, Charles wrote:
> The weird part is the NDE process is still using CPU. Which netflow setting
> are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are

What evidence do we have for the RP and SP both being hit?

> getting crushed at times, seems like more than just a punted packet issue,
> since that would be primarily RP, wouldn't it?

Not if it were a loop

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
From ray at oneunified.net Tue Feb 9 11:57:06 2010
From: ray at oneunified.net (Ray Burkholder)
Date: Tue, 9 Feb 2010 12:57:06 -0400
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: <8F2F3DB5-7970-41C4-969E-11445C507CDE@cisco.com>
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> <8F2F3DB5-7970-41C4-969E-11445C507CDE@cisco.com>
Message-ID: <009f01caa9a8$e9b259a0$bd170ce0$@net>

>
> Business leaders are hearing a lot about cloud computing these days,
> and it's cost advantages to the business. Yet there is a valid concern
> with data privacy and security that comes with public cloud computing.
> If internal IT can transform their data centers into a private cloud,
> or at least drastically improve the operational efficiency and total
> cost of ownership of their own data centers ... the wholesale
> outsourcing of the data center applications to the public cloud become
> less attractive to the business leaders.

I'm not quite sure I understand the impact of that last statement... "become less attractive to the business leaders." Is that a good thing or a bad thing? i.e., is going into the public cloud a good thing or a bad thing?

And if business leaders "transform their data centers into a private cloud", isn't that still a private network? Or are there additional ramifications of this, i.e., going the virtualization path and making everything server non-centric?

Ray

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
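Added illustration for the glean-punt discussion in the "Best practice - Core vs Access Router" thread above. This is an editor's example, not configuration posted by any list member: it shows the mitigation Saku Ytti and Phil Mayers refer to, a hardware rate-limiter for glean punts on a Sup720 combined with a CoPP policy that classifies routing-protocol traffic ahead of class-default, so a burst of first packets towards an empty LAN cannot starve BGP/OSPF keepalives in the punt path. Every rate, burst, ACL and class name below is a placeholder to be sized for the actual LAN, and the cause still needs to be confirmed by looking at what hits the CPU during an outage.

```cisco
! Editor's example for a Sup720/PFC3; names and numbers are placeholders,
! not a tested production profile.
!
! 1. Hardware rate-limiter for glean punts (packets to a connected subnet
!    that has no ARP entry yet). MLS rate-limiters run in the PFC before
!    CoPP, so a sweep across a large, mostly empty LAN is dropped in
!    hardware instead of filling the punt path. Keep the rate high enough
!    that the first packet to a legitimate new host still triggers ARP;
!    set too low, this limiter breaks normal address resolution.
mls rate-limit unicast cef glean 2000 50
!
! 2. CoPP: give routing-protocol traffic its own class so it is not
!    policed together with everything else that lands in class-default.
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
!
policy-map COPP
 class COPP-ROUTING
  police 2000000 250000 conform-action transmit exceed-action transmit
 class class-default
  police 500000 50000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! 3. Verify while the problem is occurring, not only afterwards:
!    show mls rate-limit            - glean limiter enabled and counting
!    show policy-map control-plane  - hardware and software class counters
!    show processes cpu history     - RP load over the outage window
```

The routing class is deliberately policed with exceed-action transmit: the point of the class is to keep keepalives out of the shared class-default bucket, not to drop them, and the drop counters on it then serve as an alarm that the rate placeholder is too low for the real peer count.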
From p.mayers at imperial.ac.uk Tue Feb 9 12:44:05 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 17:44:05 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net>
Message-ID: <4B719EE5.1080400@imperial.ac.uk>

On 09/02/10 16:56, Andy B. wrote:
> On Tue, Feb 9, 2010 at 4:26 PM, Saku Ytti wrote:
>> My guess is that you are sporadically getting flood of glean punts which
>> are blocking your input buffers causing OSPF/BGP keepalives to be dropped.
>>
>
> Excuse me for being ignorant, but what are glean punts? Should I dig
> out my routing for dummies book :-/

Packets that need an ARP lookup before they are routed onwards, because the destination is a "connected" subnet but the destination IP isn't in the ARP table. The destination needs to be "gleaned".

From p.mayers at imperial.ac.uk Tue Feb 9 12:56:34 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 17:56:34 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net>
Message-ID: <4B71A1D2.10909@imperial.ac.uk>

On 09/02/10 17:39, Church, Charles wrote:
> I was going by the 'show proc cpu hist' he gave for both the SP and RP.
> Both looked pretty bad across the board.

His graphs don't look that dissimilar to mine, and we have no such problems. The peak/avg CPU don't look so unreasonable to me given the load and setup he's described.
To summarise, in this thread it has been suggested:

1. Netflow is the problem - to which the OP said he's already tried disabling it
2. CPU punts, specifically gleans, are the problem - in which case CoPP or MLS rate limiters can be tried, but the OP really IMHO needs to confirm this with a span of the CPU
3. The 6500 is just no good, buy a Juniper or ASR1k (!) - which I strongly dispute. It may be awkward and have odd limits, but it OUGHT TO HANDLE the load we've been told about; therefore something is wrong

...and lots more besides.

I'm exhausted from following the thread, but my advice to the OP is to determine what is hitting the CPU *during an outage*, then proceed from there.

I'm going to stop reading now.

From lowen at pari.edu Tue Feb 9 12:06:42 2010
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 9 Feb 2010 12:06:42 -0500
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <4B71636C.2040704@phibee.net>
References: <4B71636C.2040704@phibee.net>
Message-ID: <201002091206.42761.lowen@pari.edu>

On Tuesday 09 February 2010 08:30:20 am Phibee Network Operation Center wrote:
> I am looking for real information on the Cisco 7401ASR:
> if you have one unit ;=)

Have two of them here, one in use, the other in standby.

> I want to know if this Cisco has the same performance as the
> Cisco 7204 with an NPE-400?

Probably not; the 7401ASR is a 1 rack unit single-PA NSE-1. A little less performance than an NPE-300. Has PXF; at least as of 12.4(21a), it's enabled and running:

pari-7400-2#sh pxf int
Intf    I/f #   Attributes
Gi0/0   5       Raw, Encap, Unsupp Feat.
Gi0/1   4       Raw, Encap
PO1/0   6       Raw, Encap

pari-7400-2#sh pxf info
pxf: tmc type TMC ASIC Pass2 (T2-ECC) revision 2
ucode: filename 'system:pxf/ucode0' revision 1.1
state: is running, number of starts 1
uptime: 52w0d
Memory Configuration:
Bank Name                       Total    Reserved     In-use    Free
tmc internal memory column 0    16 Kb    2048 bytes   0 bytes   14 Kb
tmc column 0 memory bank 0      32 Mb    31 Mb        16 Kb     352 Kb
tmc internal memory column 1    16 Kb    512 bytes    0 bytes   15 Kb
tmc column 1 memory bank 0      32 Mb    669 Kb       2279 Kb   29 Mb
tmc internal memory column 2    16 Kb    6656 bytes   0 bytes   9728 bytes
tmc column 2 memory bank 0      32 Mb    441 Kb       672 Kb    30 Mb
tmc internal memory column 3    16 Kb    15 Kb        0 bytes   512 bytes
tmc column 3 memory bank 0      32 Mb    2092 Kb      64 Kb     29 Mb

pari-7400-2#sh pxf fea nat stat
NAT translation processing information
total nat entries = 4096, entries (used, free) = (107, 3989)
untranslated flows: 0
translated flows: 3503431328
icmp extendable flows: 0
noop alloc miss: 0
entry alloc miss: 3096957
entry poke miss: 0
pari-7400-2#

Having said all that, I'm seeing packets switched by the PXF (sh int stat) on Gi0/1 and PO1/0, but not on Gi0/0 (unsupported feature; doing something on Gi0/0 that PXF doesn't like, apparently, but not sure what); the number of packets actually PXF-switched is a pretty small percentage of the total traffic going through the box.

> Does it support MPLS, Interworking and EoMPLS?

The 7400 is designed to be CPE, and doesn't run S, SX, or SR train images (12.4 mainline and up to a point in 12.4T are available). Not designed for core stuff; having said that, I haven't tried any MPLS stuff on it. In my case, I'm doing edge NAT, BGP, OSPF, POS APS, CBAC, and Stateful NAT.
Typical edge stuff; using the 7401 since it can handle OC-3 POS and do APS (which is how our OC3 is configured), paired currently with a 7507 running the same IOS (but which has different features; one of those things about IOS is how different the feature set can be platform to platform, and how you can somewhat see the pedigree of a particular bit of hardware by looking at the various feature footprints.... see feature diffs between Cat5k RSM versus RSFC, or Cat6k MSM versus MSFC; the RSM and MSM betray their pedigree by certain features lacking....). The two 7401's were paired for the OC3 POS APS, but the second one developed issues when loaded very heavily and is now a backup only.

> Is it the same IOS as the Cisco 7204?

No; almost the same as NSE-1, but specific to the chassis.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From tdurack at gmail.com Tue Feb 9 13:05:49 2010
From: tdurack at gmail.com (Tim Durack)
Date: Tue, 9 Feb 2010 13:05:49 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net>
Message-ID: <9e246b4d1002091005kec474a2t37440709c54a84ea@mail.gmail.com>

On Tue, Feb 9, 2010 at 11:56 AM, Andy B. wrote:
> Excuse me for being ignorant, but what are glean punts? Should I dig
> out my routing for dummies book :-/

Traffic for which there is no forwarding entry. For example, an IP that has no ARP entry on the directly connected interface. The router then needs to ARP to associate MAC and IP. This is triggered by a glean adjacency covering the directly connected network.

("glean" didn't mean much to me until we inadvertently interrupted this normal process with a slightly too restrictive CoPP. Those kinds of lessons tend to stick with you...)
--
Tim:>
Sent from New York, NY, United States

From Michael.Balasko at cityofhenderson.com Tue Feb 9 13:56:53 2010
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Tue, 9 Feb 2010 10:56:53 -0800
Subject: [c-nsp] Cisco CNR - Was: RE: OT - Infoblox vs. Bluecat
In-Reply-To: <20677750.2571265409237480.JavaMail.root@giskard>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net> <20677750.2571265409237480.JavaMail.root@giskard>
Message-ID: <9AF22D15085E7D409ED5710CBC779E930D8D533C@COHNTCS09.ci.henderson.nv.us>

Is there a reason no one looks at Cisco's Enterprise solution? Network Registrar? We've been running it since before I got here (9 years) and it has been beyond rock solid. Runs on piles of OS's and also handles stateful DHCP extremely well. Worth a look if you ask me.

Michael Balasko CCSP, MCSE
Network Specialist II
City of Henderson, Nevada
240 Water St.
Henderson, Nevada 89015
702.267.4337

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Gauthier
Sent: Friday, February 05, 2010 2:34 PM
To: Charles Church
Cc: nsp-cisco
Subject: Re: [c-nsp] OT - Infoblox vs. Bluecat

When I worked for a previous employer, we evaluated Bluecat and Infoblox. Bluecat was quickly ruled out because of price and complexity. The Infoblox got a lot more attention and they were great to work with during our eval of the hardware. One manager was ready to purchase and was about to pick up the phone and call when another manager railroaded the big boss to go with Windows DNS/DHCP (in a non-AD environment) at the last second.

I *really* liked the manageability, tech support, and expertise of the product. The HA worked great, including DHCP failover. I liked them so much, I've tried to bring them to my current employer, but the solutions are just too expensive for the budget.
Another point that I liked was that Cricket Liu (author of the DNS and BIND O'Reilly books and the DNS on Windows Server 2000 and DNS on Windows Server 2003 books) is part of their executive team. They're also MS certified, a plus for my current employer.

I liked the detail in logging, too. Some of the reporting was a challenge, but I was asking for stats (can't remember which) that had to be gathered programmatically.

Hope this helps all of you!

Chris Gauthier, CCNA Security
Salem, Oregon, USA

----- Original Message -----
From: "Charles Church"
To: "nsp-cisco"
Sent: Friday, January 15, 2010 7:09:55 AM GMT -08:00 US/Canada Pacific
Subject: [c-nsp] OT - Infoblox vs. Bluecat

I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent BIND. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
Thanks in advance,

Chuck

From nicotine at warningg.com Tue Feb 9 14:23:34 2010
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 9 Feb 2010 13:23:34 -0600
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
Message-ID: <20100209192334.GD24950@radiological.warningg.com>

Some of the earlier threads today sparked me to re-check some CoPP I had deployed to see if the ARP limiting I placed in was effective, as I had experienced some episodes where it would take some time for the supervisor to learn ARP entries for new links. I found some confusing and misleading results, in both my counters and the documentation on Cisco's site. Any input would be appreciated.

First I did "show mls qos protocol arp":

 Int  Mod Dir Class-map  DSCP Agg Trust Fl  AgForward-By  AgPoliced-By
                              Id        Id
-------------------------------------------------------------------------
 CPP    6 In  CoPP-CLASS    0   8 dscp   0             0             0
 CPP    6 In  class-defa    0   7 dscp   0     715557790     105287223
 All    6 -   Default       0   0* No    0  173681814237             0

The first line is a class that matches "protocol arp" -- the fact that none of my ARP traffic is matching this rule is disturbing, as the SXH configuration guide states:

  Layer 2 Protocols: Traffic used for address resolution protocol (ARP). Excessive ARP packets can potentially monopolize RP resources, starving other important processes; CoPP can be used to rate limit ARP packets to prevent this situation. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol classification criteria.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/copp.html

However, in the same document, they also state:

  CoPP does not support ARP policies. ARP policing mechanisms provide protection against ARP storms.

This doesn't appear to be happening, as confirmed by "show policy-map control-plane":

 Hardware Counters:

    class-map: CoPP-CLASS-ARP (match-all)
      Match: protocol arp
      police :
        8192000 bps 256000 limit 256000 extended limit
      Earl in slot 6 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 0 bps exceed 0 bps

Instead, the output from the first command seems to indicate that ARP traffic is being matched by class-default, and is being rate-limited along with other non-matched traffic.

A friend pointed me at http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html which documents "mls qos protocol arp police", but there is a qualifier that states that this is not CoPP specific, as it will also rate-limit switched ARP packets through the switch, not just those directed at the route processor.

What are other providers using for CoPP configurations on their 6500s? Is it functioning correctly for you? Are there any other pitfalls I should be aware of?

--
Brandon Ewing (nicotine at warningg.com)
From saku at ytti.fi Tue Feb 9 14:37:32 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 21:37:32 +0200
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <20100209192334.GD24950@radiological.warningg.com>
References: <20100209192334.GD24950@radiological.warningg.com>
Message-ID: <20100209193732.GA28912@mx.ytti.net>

On (2010-02-09 13:23 -0600), Brandon Ewing wrote:
> Some of the earlier threads today sparked me to re-check some CoPP I had
> deployed to see if the ARP limiting I placed in was effective, as I had

You must mean the thread where glean was mentioned. You probably are aware, but just for the sake of posterity: policing glean and ARP are two different things; any packet can be a glean punt, while policing ARP matches only incoming ARP packets.

> What are other providers using for CoPP configurations on their 6500s? Is
> it functioning correctly for you? Are there any other pitfalls I should be
> aware of?

I think you've gathered relevant and correct data; I don't think PFC3 supports ARP match in CoPP. So you must use the MLS rate-limiter, where you have to remember that AFAIK this also applies to transit ARP which you might be bridging as a switch.

--
  ++ytti

From zeusdadog at gmail.com Tue Feb 9 14:41:53 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Tue, 9 Feb 2010 14:41:53 -0500
Subject: [c-nsp] VRF aware IPSec for remote access without xauth
In-Reply-To:
References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com>
Message-ID: <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com>

I have not explained my situation very well so let me restart.

VPN is client VPN, not LAN to LAN. The old style IPsec Cisco VPN client, not Anyconnect client.

Internet access on the router is on one VRF. Network we want to access via VPN is on another VRF. See below config.
I have gotten it to work so far where it will connect, do Xauth, and establish connection. You can see the VPN client IP in the routing table of the Customer VRF. Traffic gets sent to the VPN from the client but nothing from the Customer VRF comes back out to the VPN.

I do want to do this without XAuth if possible. Also, I used the loopback interface as the destination of the VPN so it could fail over if one link goes down.

aaa new-model
!
aaa authentication login CustomerVPNCliAuth local
aaa authorization network CustomerVPNNetAuth local
!
ip cef
!
ip vrf Customer
 rd 12345:1100
 import map internetVRFDefaultMap
 route-target export 12345:1100
 route-target import 12345:1100
 route-target import 12345:1
!
ip vrf internet
 rd 12345:1
 route-target export 12345:1
 route-target import 12345:1
!
crypto keyring CustomerVPNKey vrf internet
  local-address Loopback1
  pre-shared-key address 0.0.0.0 0.0.0.0 key testtest
no crypto xauth Loopback1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CustomerVPNGroup
 key testtest
 pool CustomerVPNPool
 acl CustomerVPNSplitTunnel
crypto isakmp profile CustomerVPN
   vrf Customer
   keyring CustomerVPNKey
   self-identity address
   match identity group CustomerVPNGroup
   client authentication list CustomerVPNCliAuth
   isakmp authorization list CustomerVPNNetAuth
   client configuration address initiate
   client configuration address respond
   client configuration group CustomerVPNGroup
   local-address Loopback1
!
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CustomerVPNDynMap 1
 set transform-set AES256
 set isakmp-profile CustomerVPN
 reverse-route
!
!
crypto map CustomerVPN local-address Loopback1
crypto map CustomerVPN 10 ipsec-isakmp dynamic CustomerVPNDynMap
!
!
!
!
!
!
interface Loopback0
 ip vrf forwarding internet
 ip address a.a.a.1 255.255.255.255
!
!
interface Loopback1
 ip vrf forwarding internet
 ip address a.a.a.2 255.255.255.255
 crypto map CustomerVPN
!
!
interface Loopback2
 ip vrf forwarding internet
 ip address a.a.a.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
!
interface GigabitEthernet0/0
 ip address m.m.m.x 255.255.255.0
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/0.802
 encapsulation dot1Q 802
 ip vrf forwarding internet
 ip address b.b.b.b 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1.803
 encapsulation dot1Q 803
 ip vrf forwarding internet
 ip address c.c.c.c 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 ip ospf cost 15
!
interface GigabitEthernet0/1.811
 encapsulation dot1Q 811
 ip address n.n.n.n.x 255.255.255.0
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/2.1100
 encapsulation dot1Q 1100
 ip vrf forwarding Customer
 ip address 10.0.244.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/2.1101
 encapsulation dot1Q 1101
 ip vrf forwarding Customer
 ip address 10.0.245.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router ospf 1 vrf internet
 log-adjacency-changes
 redistribute static metric-type 1 subnets
 passive-interface default
 no passive-interface GigabitEthernet0/0.802
 no passive-interface GigabitEthernet0/1.803
 network a.a.a.1 0.0.0.0 area 0
 network b.b.b.b 0.0.0.15 area 0
 network c.c.c.c 0.0.0.15 area 0
!
router bgp 12345
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf Customer
  no synchronization
  redistribute static
  default-information originate
 exit-address-family
 !
 address-family ipv4 vrf internet
  no synchronization
  redistribute ospf 1 vrf internet match internal external 1 external 2
  default-information originate
 exit-address-family
!
ip local pool CustomerVPNPool 192.168.254.1 192.168.254.254 recycle delay 10
ip forward-protocol nd
!
ip extcommunity-list 1 permit rt 12345:1
ip nat inside source list CustomerNATACL interface Loopback2 vrf Customer overload
!
ip access-list extended CustomerNATACL
 deny   ip 10.0.244.0 0.0.1.255 192.168.254.0 0.0.0.255
 permit ip 10.0.244.0 0.0.1.255 any
ip access-list extended CustomerVPNSplitTunnel
 permit ip 10.0.244.0 0.0.0.255 192.168.254.0 0.0.0.255
 permit ip 10.0.245.0 0.0.0.255 192.168.254.0 0.0.0.255
!
!
ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
ip prefix-list DefaultOnly seq 10 permit 192.168.254.0/24
!
route-map internetVRFDefaultMap permit 10
 match ip address prefix-list DefaultOnly
 match extcommunity 1

On Wed, Feb 3, 2010 at 4:01 PM, Ryan Goldberg wrote:
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Jay Nakamura
>> Sent: Tuesday, February 02, 2010 10:20 PM
>> To: cisco-nsp
>> Subject: [c-nsp] VRF aware IPSec for remote access without xauth
>>
>> I am trying to configure vrf aware IPSec VPN for remote access, coming
>> into one VRF and tunneling into another VRF. Can I do that without
>> XAUTH? I can't seem to find any reference to doing it without xauth.
>> If it's possible and someone has done this, can you please post a
>> sample config?
>
> I believe the following tidbits should get you going. This is from a 2801 running 12.4.24T1. The tunnel lands on vrf ISP2 and pops out into vrf LAN.
>
> ip vrf ISP2
>  rd 1:2
>
> ip vrf LAN
>  rd 1:3
>
> crypto keyring ISP2 vrf ISP2
>  pre-shared-key address a.b.c.d key blahblahblah
>
> crypto isakmp policy 2
>  encr 3des
>  authentication pre-share
>  group 2
>
> crypto isakmp profile ProfileForNuttyVendor
>   vrf LAN
>   keyring ISP2
>   match identity address a.b.c.d 255.255.255.255 ISP2
>
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>
> crypto map AwesomeMap 3 ipsec-isakmp
>  description tunnel for Nutty Vendor
>  set peer a.b.c.d
>  set transform-set ESP-3DES-SHA
>  set isakmp-profile ProfileForNuttyVendor
>  match address 111
>  reverse-route
>
> interface FastEthernet0/1
>  ip vrf forwarding LAN
>  ip address 10.1.19.250 255.255.255.0
>
> interface FastEthernet0/0
>  ip vrf forwarding ISP2
>  ip address w.x.y.z 255.255.255.248
>
>
> access-list 111 remark Nutty Vendor tunnel
> access-list 111 permit ip host 10.3.19.247 10.0.1.0 0.0.0.255
>
> -
>
> Ryan
>

From nick at inex.ie Tue Feb 9 15:13:49 2010
From: nick at inex.ie (Nick Hilliard)
Date: Tue, 09 Feb 2010 20:13:49 +0000
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <20100209193732.GA28912@mx.ytti.net>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net>
Message-ID: <4B71C1FD.4000609@inex.ie>

On 09/02/2010 19:37, Saku Ytti wrote:
> I think you've gathered relevant and correct data, I don't think PFC3
> supports ARP match in CoPP. So you must use MLS rate-limiter, where you
> have to remember that AFAIK this is also for transit ARP which you might be
> bridging as a switch.

So, this looks like an effective attack vector for trashing sup720 RPs then - if you have L2 access to the device. Makes a good argument for implementing ARP sponges on core paths and edges so that this cannot be exploited remotely.

I assume that IPv6 ND is sufficiently high up the protocol stack that it can be managed by CoPP?
Nick

From nicotine at warningg.com Tue Feb 9 15:15:35 2010
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 9 Feb 2010 14:15:35 -0600
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <20100209193732.GA28912@mx.ytti.net>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net>
Message-ID: <20100209201535.GE24950@radiological.warningg.com>

On Tue, Feb 09, 2010 at 09:37:32PM +0200, Saku Ytti wrote:
> I think you've gathered relevant and correct data, I don't think PFC3
> supports ARP match in CoPP. So you must use MLS rate-limiter, where you
> have to remember that AFAIK this is also for transit ARP which you might be
> bridging as a switch.
>
> --
> ++ytti

Even so, my ARP traffic would STILL hit the class-default class for the CoPP profile, and be rate-limited before reaching the Sup, no?

Also, to rebut, I found http://aharp.ittns.northwestern.edu/papers/copp.html

In it, it says that Rodney Dunn contacted the author to state that matching protocol ARP in a class map on the Sup720 SHOULD work. I do see software matches for the ARP class in the policy-map:

 Software Counters:

    Class-map: CoPP-CLASS-ARP (match-all)
      1492439 packets, 89546340 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: protocol arp
      police:
          cir 8192000 bps, bc 256000 bytes
        conformed 1492439 packets, 89546340 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        conformed 0000 bps, exceed 0000 bps

However, the output from "show mls qos protocol arp" still seems to indicate that ARP traffic is being dropped somewhere, even though software and hardware counters for the ARP class show 0 drops.

--
Brandon Ewing (nicotine at warningg.com)
From saku at ytti.fi Tue Feb 9 16:28:29 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 23:28:29 +0200
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <4B71C1FD.4000609@inex.ie>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <4B71C1FD.4000609@inex.ie>
Message-ID: <20100209212829.GA2183@mx.ytti.net>

On (2010-02-09 20:13 +0000), Nick Hilliard wrote:
> so, this looks like an effective attack vector for trashing sup720 RPs then
> - if you have l2 access to the device. Makes a good argument for
> implementing arp sponges on core paths and edges so that this cannot be
> exploited remotely.

I personally choose to police all ARP, so the attack vector is to congest ARP so that no new hosts can come up, but nothing that used to work would break. If this were JNPR then all hosts would break after ARP timeouts, as JNPR does not refresh the ARP cache on traffic. But there are plenty of attack vectors in L2, like IXP or IS-IS packets; no special rate-limiter, so they will go to 'class-default'.

> I assume that ipv6 nd is sufficiently high up the protocol stack that it
> can be managed by copp?

There is an mls rate-limiter for ND, but that will also affect transit traffic.

--
  ++ytti

From saku at ytti.fi Tue Feb 9 16:30:14 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 23:30:14 +0200
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <20100209201535.GE24950@radiological.warningg.com>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <20100209201535.GE24950@radiological.warningg.com>
Message-ID: <20100209213014.GB2183@mx.ytti.net>

On (2010-02-09 14:15 -0600), Brandon Ewing wrote:
> Even so, my ARP traffic would STILL hit the class-default class for the CoPP
> profile, and be rate-limited before reaching the Sup, no?
MLS rate-limiters are run before CoPP, so whatever ARP comes through would indeed match your class-default.

> In it, it says that Rodney Dunn contacted the author to state that
> matching protocol ARP in a class map on the Sup720 SHOULD work.

Oh cool, I wonder if it then was always a software issue, or if this is a new feature in PFC3C.

--
  ++ytti

From Bryan at bryanfields.net Tue Feb 9 17:18:31 2010
From: Bryan at bryanfields.net (Bryan Fields)
Date: Tue, 09 Feb 2010 17:18:31 -0500
Subject: [c-nsp] VRF aware IPSec for remote access without xauth
In-Reply-To: <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com>
References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com> <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com>
Message-ID: <4B71DF37.9080203@bryanfields.net>

On 2/9/2010 14:41, Jay Nakamura wrote:
> I have not explained my situation very well so let me restart.
>
> VPN is client VPN, not LAN to LAN. The old style IPsec Cisco VPN
> client, not Anyconnect client.
>
> Internet access on the router is on one VRF. Network we want to
> access via VPN is on another VRF. See below config.
>
> I have gotten it to work so far where it will connect, do Xauth, and
> establish connection. You can see the VPN client IP in the routing
> table of the Customer VRF. Traffic gets sent to the VPN from the
> client but nothing from the Customer VRF comes back out to the VPN.

Have you thought about doing this using a Virtual-Template so each client lives on a "real" interface? This prevents the retarded way packets get handled when they go out a crypto map on an interface. All you have to do is put the template interface in the VRF and it should work.

Now I've never done something this crazy before, but I'm interested to see how it works.
--
Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From nick at inex.ie Tue Feb 9 17:18:28 2010
From: nick at inex.ie (Nick Hilliard)
Date: Tue, 09 Feb 2010 22:18:28 +0000
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <20100209213014.GB2183@mx.ytti.net>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <20100209201535.GE24950@radiological.warningg.com> <20100209213014.GB2183@mx.ytti.net>
Message-ID: <4B71DF34.2060105@inex.ie>

On 09/02/2010 21:30, Saku Ytti wrote:
> Oh cool, I wonder if it then was software issue always or if this is
> new feature in PFC3C.

I think this was before the pfc3c's time; the original text is here: http://aharp.ittns.northwestern.edu/papers/copp.html ... last edited 2005.

Nick

From merlyn at Geeks.ORG Tue Feb 9 17:29:11 2010
From: merlyn at Geeks.ORG (Doug McIntyre)
Date: Tue, 9 Feb 2010 16:29:11 -0600
Subject: [c-nsp] problems migrating to a 3550
In-Reply-To: <63656D8795A13249B35AD1E5FFAB2F7F026BC379@EX04.service.utwente.nl>
References: <20100203100235.T43899@shell.xecu.net> <63656D8795A13249B35AD1E5FFAB2F7F026BC379@EX04.service.utwente.nl>
Message-ID: <20100209222911.GA16479@geeks.org>

On Wed, Feb 03, 2010 at 05:58:12PM +0100, j.vaningenschenau at utwente.nl wrote:
> > Things in vlan2 on the HP switch can reach the IP address of the 3550
> > on
> > vlan2 just fine, vlan2 is solid.
> >
> > However, things in vlan1 on the HP switch cannot reach the IP of the
> > 3550
> > on vlan1, and anything attached to 3550 on vlan1 ports cannot reach
> > anything on vlan1 on the HP switch.
>
> You could try either:
>
> * Setting VLAN 1 as untagged on the Procurve side, or
> * configuring "switchport trunk native vlan tag" on the Cisco side.
>
> (or avoid using VLAN 1, which is what we always do between Cisco and HP
> switches)

Cisco itself recommends against using VLAN 1 in all configs beyond the basic setup as well (in some SRND).
Mixing up traffic on VLAN1 between any vendor is a crapshot, highly recommended to avoid VLAN1. From tvarriale at comcast.net Tue Feb 9 17:59:33 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Tue, 9 Feb 2010 16:59:33 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> Message-ID: <8F7A23CCABE9459DA149965D4659A22D@flamdt01> ----- Original Message ----- From: "Livio Zanol Puppim" To: "Brad Hedlund" Cc: "Cisco NSP ((E-mail))'" Sent: Tuesday, February 09, 2010 4:40 AM Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > The only REAL advantage so far is the vPC... You forgot the bottom line for most companies: cost. From tvarriale at comcast.net Tue Feb 9 18:14:19 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Tue, 9 Feb 2010 17:14:19 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> Message-ID: <0B4B5F938B6C42FD91139B6EC46D334D@flamdt01> ----- Original Message ----- From: "Livio Zanol Puppim" To: "Brad Hedlund" Cc: "Cisco NSP ((E-mail))'" Sent: Tuesday, February 09, 2010 4:40 AM Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > Unfortunally, nexus 2000 is just an >fabric extender and can ONLY be attached to Nexus 5000... Maybe CISCO >changes it's later... No maybe about it. >10 nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must >use at my nexus 5000. That's more than 1 entirelly switch (1RU) and almost >1 >switch (2RU). I wouldn't recommend designing a network that way. >I haven't figure out yet what's the advantage of having this design (nexus >2000 -> nexus 5000) other than the "old" one (catalyst 4948 -> nexus >7000/cisco 6500). That's what I'm talking about. Cheap, high density 1g, scalable infrastructure for right now. And, in the near future, they will throw some fantastic features on top of that. 
tv From amsoares at netcabo.pt Tue Feb 9 20:55:08 2010 From: amsoares at netcabo.pt (Antonio Soares) Date: Wed, 10 Feb 2010 01:55:08 -0000 Subject: [c-nsp] WebVPN Issue Message-ID: Hello group, I'm facing a strange issue with IOS Based WebVPN: when user X is connected and then another user uses the same user X, the second user is not able to connect but the first user looses connectivity. I have this with IOS 12.4.24T and AC 2.3.2016 running on a 2821. This is not expected behavior, right ? Thanks. Regards, Antonio Soares, CCIE #18473 (R&S/SP) amsoares at netcabo.pt From kuscent01 at yahoo.com.ph Tue Feb 9 20:56:48 2010 From: kuscent01 at yahoo.com.ph (Sherwin Torres) Date: Wed, 10 Feb 2010 09:56:48 +0800 (SGT) Subject: [c-nsp] Inbound traffic Message-ID: <151074.37847.qm@web76513.mail.sg1.yahoo.com> Hi, I have multiple upstream provider, a combination of tier1 and tier2 network. Sample: 1. AS1 - AS200 - AS30 2. AS1 - AS300 - AS30 3. AS1 - AS400 - AS20 - AS30 In the above scenario, I am using AS30 and I need to access AS1. The outbound traffic can be force using the localpref to prefer which path I can use for the outbound however, my dilemma is the inbound traffic. Since sample 1 and 2 has lesser path from AS1 going to AS30, this might be the best in returned path while sample 3 is the least priority due to longer path. Is there a way can I manipulate the inbound and outbound via sample 3 without contacting AS1? Thanks in advance. From jlewis at lewis.org Tue Feb 9 22:23:25 2010 From: jlewis at lewis.org (Jon Lewis) Date: Tue, 9 Feb 2010 22:23:25 -0500 (EST) Subject: [c-nsp] Inbound traffic In-Reply-To: <151074.37847.qm@web76513.mail.sg1.yahoo.com> References: <151074.37847.qm@web76513.mail.sg1.yahoo.com> Message-ID: On Wed, 10 Feb 2010, Sherwin Torres wrote: > 1. AS1 - AS200 - AS30 > 2. AS1 - AS300 - AS30 > 3. AS1 - AS400 - AS20 - AS30 > > In the above scenario, I am using AS30 and I need to access AS1. 
The > outbound traffic can be force using the localpref to prefer which > path I can use for the outbound however, my dilemma is the inbound > traffic. Since sample 1 and 2 has lesser path from AS1 going to AS30, > this might be the best in returned path while sample 3 is the least > priority due to longer path. Is there a way can I manipulate the inbound and outbound via sample 3 without contacting AS1? The short answer is as-path prepending of your announced routes to as200 and as300. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From brhedlun at cisco.com Tue Feb 9 23:07:06 2010 From: brhedlun at cisco.com (Brad Hedlund) Date: Tue, 9 Feb 2010 22:07:06 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <009f01caa9a8$e9b259a0$bd170ce0$@net> References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> <8F2F3DB5-7970-41C4-969E-11445C507CDE@cisco.com> <009f01caa9a8$e9b259a0$bd170ce0$@net> Message-ID: Ray, My point there, put another way, is that Data Center operating costs are going to be scrutinized more now than ever before. Internal IT needs to get lean and mean. The real possibility of wholesale outsourcing of Data Center applications and operations to cloud providers is just around the corner. Depending on your role in IT, that could be a good thing, or a bad thing. Those who are viewed as champions for driving efficiency and reducing total cost of ownership will do just fine. Disclaimer: I speak for myself. These are my opinions, and not necessarily those of my employer. 
-- Brad Hedlund, CCIE #5530 Technology Solutions Architect, Data Center bhedlund at cisco.com http://www.internetworkexpert.org On Feb 9, 2010, at 10:57 AM, Ray Burkholder wrote: >> >> Business leaders are hearing a lot about cloud computing these days, >> and it's cost advantages to the business. Yet there is a valid concern >> with data privacy and security that comes with public cloud computing. >> If internal IT can transform their data centers into a private cloud, >> or at least drastically improve the operational efficiency and total >> cost of ownership of their own data centers ... the wholesale >> outsourcing of the data center applications to the public cloud become >> less attractive to the business leaders. > > I'm not quite sure I understand the impact of that last statement... "become > less attractive to the business leaders." Is that a good thing or a bad > thing? i.e, is going into the public cloud a good thing or a bad thing? > And if business leaders "transform their data centers into a private cloud", > isn't that still a private network? Or are there additional ramifications > of this, i.e, going the virtualization path and making everything server > non-centric? > > Ray > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mksmith at adhost.com Tue Feb 9 23:30:28 2010 From: mksmith at adhost.com (Michael K. Smith) Date: Tue, 09 Feb 2010 20:30:28 -0800 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: Message-ID: Brad: On 2/9/10 8:07 PM, "Brad Hedlund" wrote: > Ray, > My point there, put another way, is that Data Center operating costs are going > to be scrutinized more now than ever before. 
They are always scrutinized by those of us supplying those services. I'm sure there were some folks in the 90's .com bubble that were able to throw dollars around, but almost all data center ops that I know of are working with clearly defined cost/benefit data. > Internal IT needs to get lean and mean. The real possibility of wholesale > outsourcing of Data Center applications and operations to cloud providers is > just around the corner. Really. Centralize all that is decentralized and decentralize all that is centralized. Rinse. Repeat. I appreciate the benefit of decentralized infrastructure for particular applications and environments, but it is not a panacea. If you work in regulated environments (HIPAA, SOX, PCI, etc.) then "the cloud" is not sufficient for your regulatory needs. However, you can build your own "cloud" which we used to call a Wide Area Network. In addition, the true costs of data center operations, regardless of whether or not it's my DC or Google's DC, are power and cooling. And most of us are working *very* hard at minimizing those recurring costs. A switch? A router? Those costs are small in comparison to cooling 100k of data center with 15Kw per rack. > Depending on your role in IT, that could be a good thing, or a bad thing. > Those who are viewed as champions for driving efficiency and reducing total > cost of ownership will do just fine. > OPEX vs. CAPEX. Going to "the cloud" reduces CAPEX but I've yet to see where it uniformly reduces OPEX. There are lots of applications that benefit greatly, and others that don't. There are some evolutionary concepts at play, but I don't see the Sea change that $vendors are seizing. > Disclaimer: I speak for myself. These are my opinions, and not necessarily > those of my employer. > Then you should post from your gmail account. 
Regards, Mike From aftab.siddiqui at gmail.com Wed Feb 10 00:05:26 2010 From: aftab.siddiqui at gmail.com (Aftab Siddiqui) Date: Wed, 10 Feb 2010 10:05:26 +0500 Subject: [c-nsp] Inbound traffic In-Reply-To: References: <151074.37847.qm@web76513.mail.sg1.yahoo.com> Message-ID: <3c605ce11002092105h5d6d08bcg4ca1eb2f0c288f61@mail.gmail.com> Hi Sherwin, Inbound traffic can also be altered on the basis of prefix-advertisement. If you are advertising more specific prefix i.e. /22 or /24 (though not recommended with tier1 service providers) your inbound traffic will always take the desired path. and yes as-path prepend is also an option. Regards, Aftab A. Siddiqui On Wed, Feb 10, 2010 at 8:23 AM, Jon Lewis wrote: > On Wed, 10 Feb 2010, Sherwin Torres wrote: > > 1. AS1 - AS200 - AS30 >> 2. AS1 - AS300 - AS30 >> 3. AS1 - AS400 - AS20 - AS30 >> >> In the above scenario, I am using AS30 and I need to access AS1. The >> outbound traffic can be force using the localpref to prefer which >> path I can use for the outbound however, my dilemma is the inbound >> traffic. Since sample 1 and 2 has lesser path from AS1 going to AS30, >> this might be the best in returned path while sample 3 is the least >> priority due to longer path. Is there a way can I manipulate the inbound >> and outbound via sample 3 without contacting AS1? >> > > The short answer is as-path prepending of your announced routes to as200 > and as300. 
> > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jlewis at lewis.org Wed Feb 10 00:53:19 2010 From: jlewis at lewis.org (Jon Lewis) Date: Wed, 10 Feb 2010 00:53:19 -0500 (EST) Subject: [c-nsp] Inbound traffic In-Reply-To: <551724.66623.qm@web76516.mail.sg1.yahoo.com> References: <551724.66623.qm@web76516.mail.sg1.yahoo.com> Message-ID: On Wed, 10 Feb 2010, Sherwin Torres wrote: > Anyway, I agree but you might confuse on my inquiry. In the internet > cloud, there are lots of interconnected AS and if I'm going to prepend > the announcement to AS200 and AS300 - all inbound traffic will pass to > AS20 alone. No necessarily. Based on the info you provided, prepending once to 200 and 300 will give you equal path lengths on the 3 paths, and something other than as-path will be used for best path selection. x> Actually, what I want is - to isolate specific AS (AS1) to pass via > AS400-AS20-AS30 as the primary returned path while other AS from the > internet cloud would be still the best path going to AS30. It sounds like what you want is providers who support BGP communities that would let you tune things like prepending or propagation of routes to certain of their peers. The further away from your network you're trying to influence things, the harder its going to be to do. i.e. if as200 and as300 supported it, you could announce your routes to them with tags that say to prepend a few times when advertising to as1, making the AS1 - AS400 - AS20 - AS30 path more favorable. 
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From aftab.siddiqui at gmail.com Wed Feb 10 00:55:10 2010
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Wed, 10 Feb 2010 10:55:10 +0500
Subject: [c-nsp] Inbound traffic
In-Reply-To: <551724.66623.qm@web76516.mail.sg1.yahoo.com>
References: <3c605ce11002092105h5d6d08bcg4ca1eb2f0c288f61@mail.gmail.com> <551724.66623.qm@web76516.mail.sg1.yahoo.com>
Message-ID: <3c605ce11002092155h2015611chebb67f5c8c05044f@mail.gmail.com>

Dear Sherwin,

You only want to influence the traffic coming in from AS1 and from nowhere else. For that I am afraid you have to contact AS1 in some way; almost all Tier1 providers have preset community attributes to change the traffic going towards their peers. You have to send a BGP community having an AS1:xxx sort of value. I guess I am making it more complicated :)

Kindly take a look at the following link; it will help you understand how Tier1 providers do that.

http://www.onesc.net/communities/as7922/

Regards,

Aftab A. Siddiqui

On Wed, Feb 10, 2010 at 10:28 AM, Sherwin Torres wrote:

> Hi Jon & Aftab,
>
> Thank you very much for your inputs.
>
> Anyway, I agree but you might confuse on my inquiry. In the internet cloud,
> there are lots of interconnected AS and if I'm going to prepend the
> announcement to AS200 and AS300 - all inbound traffic will pass to AS20
> alone.
>
> Actually, what I want is - to isolate specific AS (AS1) to pass via
> AS400-AS20-AS30 as the primary returned path while other AS from the
> internet cloud would be still the best path going to AS30.
>
>
> Thanks.
> > --- On *Wed, 2/10/10, Aftab Siddiqui * wrote: > > > From: Aftab Siddiqui > Subject: Re: [c-nsp] Inbound traffic > To: "Jon Lewis" > Cc: "Sherwin Torres" , cisco-nsp at puck.nether.net > Date: Wednesday, 10 February, 2010, 1:05 PM > > > Hi Sherwin, > > Inbound traffic can also be altered on the basis of prefix-advertisement. > If you are advertising more specific prefix i.e. /22 or /24 (though not > recommended with tier1 service providers) your inbound traffic will always > take the desired path. > > and yes as-path prepend is also an option. > > Regards, > > Aftab A. Siddiqui > > > On Wed, Feb 10, 2010 at 8:23 AM, Jon Lewis > > wrote: > >> On Wed, 10 Feb 2010, Sherwin Torres wrote: >> >> 1. AS1 - AS200 - AS30 >>> 2. AS1 - AS300 - AS30 >>> 3. AS1 - AS400 - AS20 - AS30 >>> >>> In the above scenario, I am using AS30 and I need to access AS1. The >>> outbound traffic can be force using the localpref to prefer which >>> path I can use for the outbound however, my dilemma is the inbound >>> traffic. Since sample 1 and 2 has lesser path from AS1 going to AS30, >>> this might be the best in returned path while sample 3 is the least >>> priority due to longer path. Is there a way can I manipulate the inbound >>> and outbound via sample 3 without contacting AS1? >>> >> >> The short answer is as-path prepending of your announced routes to as200 >> and as300. >> >> ---------------------------------------------------------------------- >> Jon Lewis | I route >> Senior Network Engineer | therefore you are >> Atlantic Net | >> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > ------------------------------ > Get connected with chat on network profile, blog, or any personal website! > > Yahoo! allows you to IM with Pingbox. 
From kuscent01 at yahoo.com.ph Wed Feb 10 00:28:46 2010
From: kuscent01 at yahoo.com.ph (Sherwin Torres)
Date: Wed, 10 Feb 2010 13:28:46 +0800 (SGT)
Subject: [c-nsp] Inbound traffic
In-Reply-To: <3c605ce11002092105h5d6d08bcg4ca1eb2f0c288f61@mail.gmail.com>
Message-ID: <551724.66623.qm@web76516.mail.sg1.yahoo.com>

Hi Jon & Aftab,

Thank you very much for your inputs.

Anyway, I agree but you might be confused by my inquiry. In the internet cloud, there are lots of interconnected ASes and if I'm going to prepend the announcement to AS200 and AS300, all inbound traffic will pass via AS20 alone.

Actually, what I want is to isolate a specific AS (AS1) to pass via AS400-AS20-AS30 as the primary return path while other ASes from the internet cloud would still use the best path going to AS30.

Thanks.

--- On Wed, 2/10/10, Aftab Siddiqui wrote:

From: Aftab Siddiqui
Subject: Re: [c-nsp] Inbound traffic
To: "Jon Lewis"
Cc: "Sherwin Torres", cisco-nsp at puck.nether.net
Date: Wednesday, 10 February, 2010, 1:05 PM

Hi Sherwin,

Inbound traffic can also be altered on the basis of prefix advertisement. If you are advertising a more specific prefix, i.e. /22 or /24 (though not recommended with tier1 service providers), your inbound traffic will always take the desired path.

And yes, as-path prepend is also an option.

Regards,

Aftab A. Siddiqui

On Wed, Feb 10, 2010 at 8:23 AM, Jon Lewis wrote:

On Wed, 10 Feb 2010, Sherwin Torres wrote:

1. AS1 - AS200 - AS30
2. AS1 - AS300 - AS30
3. AS1 - AS400 - AS20 - AS30

In the above scenario, I am using AS30 and I need to access AS1. The outbound traffic can be forced using the localpref to prefer which path I use for the outbound; however, my dilemma is the inbound traffic. Since samples 1 and 2 have a shorter path from AS1 going to AS30, this might be the best return path while sample 3 is the least priority due to the longer path. Is there a way I can manipulate the inbound and outbound via sample 3 without contacting AS1?
The short answer is as-path prepending of your announced routes to as200 and as300.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From gert at greenie.muc.de Wed Feb 10 02:52:54 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 10 Feb 2010 08:52:54 +0100
Subject: [c-nsp] Inbound traffic
In-Reply-To: <551724.66623.qm@web76516.mail.sg1.yahoo.com>
References: <3c605ce11002092105h5d6d08bcg4ca1eb2f0c288f61@mail.gmail.com> <551724.66623.qm@web76516.mail.sg1.yahoo.com>
Message-ID: <20100210075254.GS9556@greenie.muc.de>

Hi,

On Wed, Feb 10, 2010 at 01:28:46PM +0800, Sherwin Torres wrote:
> Actually, what I want is - to isolate specific AS (AS1) to pass
> via AS400-AS20-AS30 as the primary returned path while other AS
> from the internet cloud would be still the best path going to AS30.

In some specific circumstances, this might work (AS400-20-30 having community settings to force traffic that way, and 30+20 honouring transitive communities). In most cases, it's not going to work.

Welcome to the Internet.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
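The AS_PATH arithmetic behind Jon Lewis's two replies and Gert's caveat, modelled in Python as an added example (not code from the list or from any poster): blanket prepending toward AS200 and AS300 only equalises the three path lengths at AS1, whereas a provider community that prepends selectively toward AS1 changes what AS1 sees without touching what the rest of the Internet sees. The prefix, the community values (<provider>:1201) and the bystander AS999 are constructed for illustration; the community semantics are a hypothetical stand-in for the per-provider tables linked above.

```python
"""Toy model of AS_PATH-based best-path selection for the AS1/AS200/AS300/AS400/AS20/AS30
scenario in this thread. Added example, not from the list; prefix, community values and
the bystander AS999 are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple        # leftmost element is the most recent AS
    communities: frozenset = frozenset()


def originate(prefix, local_as, prepend=0, communities=()):
    """Originate a route; `prepend` extra copies of local_as model 'as-path prepend' at the origin."""
    return Route(prefix, (local_as,) * (1 + prepend), frozenset(communities))


def advertise(route, from_as, to_as, prepend_policy=None):
    """from_as re-advertises `route` to to_as: it prepends itself once, plus any extra
    prepends its policy grants because of communities carried on the route."""
    extra = prepend_policy(route, to_as) if prepend_policy else 0
    return Route(route.prefix, (from_as,) * (1 + extra) + route.as_path, route.communities)


def best_path(candidates):
    """Shortest AS_PATH wins; the tuple compare is a stand-in for the later tie-breakers
    (origin, MED, IGP cost, router-id) that decide once path lengths are equal."""
    return min(candidates, key=lambda r: (len(r.as_path), r.as_path))


def provider_policy(provider_as):
    """Hypothetical provider community: <provider>:1201 means 'prepend 2 extra times
    toward AS1 only'. Real providers publish their own tables (see the link above)."""
    def policy(route, to_as):
        return 2 if (f"{provider_as}:1201" in route.communities and to_as == 1) else 0
    return policy


def scenario(prepend_200=0, prepend_300=0, selective=False):
    """Return (routes seen at AS1 keyed by upstream, route seen at bystander AS999 via AS200)."""
    prefix = "192.0.2.0/24"                                   # constructed documentation prefix
    comms = {"200:1201", "300:1201"} if selective else set()  # hypothetical community tags
    to_200 = originate(prefix, 30, prepend_200, comms)
    to_300 = originate(prefix, 30, prepend_300, comms)
    to_20 = originate(prefix, 30)
    at_as1 = {
        200: advertise(to_200, 200, 1, provider_policy(200)),
        300: advertise(to_300, 300, 1, provider_policy(300)),
        400: advertise(advertise(to_20, 20, 400), 400, 1),
    }
    at_as999 = advertise(to_200, 200, 999, provider_policy(200))
    return at_as1, at_as999


def chosen_upstream(at_as1):
    """Which of AS1's neighbours carries the best path for AS30's prefix."""
    best = best_path(at_as1.values())
    return next(n for n, r in at_as1.items() if r is best)


if __name__ == "__main__":
    for label, kw in [("no prepend", {}),
                      ("prepend once to 200/300", {"prepend_200": 1, "prepend_300": 1}),
                      ("selective prepend via community", {"selective": True})]:
        at_as1, at_as999 = scenario(**kw)
        print(f"{label}: AS1 picks via AS{chosen_upstream(at_as1)}; "
              f"lengths={[len(r.as_path) for r in at_as1.values()]}; "
              f"AS999 sees {at_as999.as_path}")
```

With no prepends AS1 prefers the two-hop paths; prepending once toward AS200 and AS300 makes all three paths three ASes long, so the choice falls through to later tie-breakers exactly as Jon notes; only the selective community makes the AS400-AS20-AS30 path shortest at AS1 while AS999 still sees the plain (200, 30) path. Whether that community exists, and whether AS200/AS300 honour it toward AS1, is the part Gert says you cannot count on.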
From p.mayers at imperial.ac.uk Wed Feb 10 04:17:59 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 10 Feb 2010 09:17:59 +0000
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <4B71C1FD.4000609@inex.ie>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <4B71C1FD.4000609@inex.ie>
Message-ID: <4B7279C7.1020807@imperial.ac.uk>

On 02/09/2010 08:13 PM, Nick Hilliard wrote:
> On 09/02/2010 19:37, Saku Ytti wrote:
>> I think you've gathered relevant and correct data, I don't think PFC3
>> supports ARP match in CoPP. So you must use MLS rate-limiter, where you
>> have to remember that AFAIK this is also for transit ARP which you might be
>> bridging as a switch.
>
> so, this looks like an effective attack vector for trashing sup720 RPs then
> - if you have l2 access to the device. Makes a good argument for
> implementing arp sponges on core paths and edges so that this cannot be
> exploited remotely.

Correct.

>
> I assume that ipv6 nd is sufficiently high up the protocol stack that it
> can be managed by copp?

Off the top of my head I think CoPP is run in software for ipv6 traffic.

From saku at ytti.fi Wed Feb 10 04:45:44 2010
From: saku at ytti.fi (Saku Ytti)
Date: Wed, 10 Feb 2010 11:45:44 +0200
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <4B7279C7.1020807@imperial.ac.uk>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <4B71C1FD.4000609@inex.ie> <4B7279C7.1020807@imperial.ac.uk>
Message-ID: <20100210094544.GA5185@mx.ytti.net>

On (2010-02-10 09:17 +0000), Phil Mayers wrote:

> >I assume that ipv6 nd is sufficiently high up the protocol stack that it
> >can be managed by copp?
>
> Off the top of my head I think CoPP is run in software for ipv6 traffic.

Actually it is fully supported in hardware; I was also long under the impression it is not.
Of course one has to remember the ACL compression issue: PFC3 does not have enough bits in the ACL TCAM for full IPv6 data, so you can decide on one of two ways to operate:

a) default
   - lookup up to /128 in the ACL is in hardware
   - lookup to L4 data is punted

b) compressed
   - lookup up to /88 is in hardware
   - lookup past /88 is punted
   - lookup to L4 ports and flags is in hardware (16+16+8+88 -> 128)

I would argue that default is mostly useless and that you want to run your system in compressed mode. Just remember always to round the IP lookup to /88; usually this shouldn't be any security concern, as you assign such large netblocks that all hosts inside a /88 would have the same security posture.

--
  ++ytti

From rjs at eng.gxn.net Wed Feb 10 04:47:03 2010
From: rjs at eng.gxn.net (Rob Shakir)
Date: Wed, 10 Feb 2010 09:47:03 +0000
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <4B71DF34.2060105@inex.ie>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <20100209201535.GE24950@radiological.warningg.com> <20100209213014.GB2183@mx.ytti.net> <4B71DF34.2060105@inex.ie>
Message-ID: <7071A32D-7ECF-4410-A067-E4588FA8A197@eng.gxn.net>

On 9 Feb 2010, at 22:18, Nick Hilliard wrote:
> On 09/02/2010 21:30, Saku Ytti wrote:
>> Oh cool, I wonder if it then was software issue always or if this is
>> new feature in PFC3C.
>
> I think this was before the pfc3c's time; the original text is here:
>
> http://aharp.ittns.northwestern.edu/papers/copp.html

Hi Nick,

After some testing this morning, I'm a bit confused around this feature.

There appears to be plenty of documentation that implies that CoPP is not supported for ARP on PFC3 (EARL7.5) type boxes. For example [0] - which is again from 2005, with the relevant quote being:

"ARP policies are not supported by CoPP. To protect the system by ARP broadcast a useful tool is "mls qos protocol arp police ...". "

[1] also appears to say this too.
So, my current understanding was that "match proto arp" is not something that one can do on 6500 (within CoPP).

On our existing PFC3BXL boxes, I can check the hardware QoS entries for ARP, with a configured class-default (so, this would imply that arp should perhaps fall within this), and I get the following:

7600#remote command switch show tcam interface vlan 1013 qos type2 arp | i ^([ ]+)[MAUFT]
    T arp any any

When I check this on a 6500 with PFC3C, I do get an entry that implies policing would occur:

6500#remote command switch show tcam interface vlan 1013 qos type2 arp | i ^([ ]+)[MAUFT]
    MAU arp any any
    AT arp any any
    T arp any any

However, I'm not sure whether this is a function of having "match protocol arp" or whether this is being caught by class-default.

With a CoPP policy that is very basic for example purposes:

policy-map POLICY-COPP-INPUT
 class COPP-ARP
  police cir 80000000 bc 2500000 be 2500000 conform-action transmit exceed-action drop violate-action drop
 class class-default
  police cir 100000000 bc 312500 be 312500 conform-action transmit exceed-action drop violate-action drop

This results in the MAU arp entry above. With a small amount of ARP traffic, I can see something in the software counters:

Class-map: COPP-ARP (match-all)
  61 packets, 3660 bytes

However, sh mls qos arp shows that the COPP-ARP class map hasn't forwarded any traffic:

6500#sh mls qos arp | i CPP
CPP 5 In COPP-ARP 0 3 dscp 0 0 0
CPP 5 In class-defa 0 1 dscp 0 665667 0
CPP 6 In COPP-ARP 0 3 dscp 0 0 0
CPP 6 In class-defa 0 1 dscp 0 0 0

In addition, the MAU entry in the hardware is actually related to the class-default as far as I can see, not my class COPP-ARP. Applying a policy-map that has no COPP-ARP in it (identical to the one above, otherwise) produces a similar hardware entry.
6500#remote command switch show tcam interface vlan 1013 qos type2 arp | i ^([ ]+)[MAUFT]
    MAU arp any any
    AT arp any any
    T arp any any

This behaviour seems unchanged whether or not I configure "mls qos protocol ARP police..." on the box in question.

So, it appears to me like there's some confusion here - I'm not sure I can explain why the class-default in a policy-map on PFC3C appears to operate differently to PFC3BXL in terms of creating the hardware entry that the SP shows. In addition, I'm not entirely sure that this is being matched by the 'match proto arp' part of the policy-map. It'd be nice to get some clarification of what this is actually doing!

On your 6K5/7K6s do you see the same thing as this, or is any ARP class-map showing forwarding and/or policing?

Kind regards,
Rob

[0]: http://www.cisco.com/web/strategy/docs/gov/DATM_CoPP_ERSPAN_NetFlow.pdf
[1]: http://www.ciscosystems.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html

--
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077
mob: +44797 155 4098
pgp: 0xc07e6deb
nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html

From asturluismi at gmail.com Wed Feb 10 06:54:14 2010
From: asturluismi at gmail.com (luismi)
Date: Wed, 10 Feb 2010 12:54:14 +0100
Subject: [c-nsp] ip source guard in the switch layer without DHCP
Message-ID: <1265802854.11279.3.camel@hal9000>

According to this link

http://www.packetlife.net/blog/2009/may/25/ip-source-guard-without-dhcp/

it is possible to deploy "ip source guard" without a DHCP environment. I think it could be interesting for some parts of our network here.

The problem is that the configuration is...

SW(config)#ip source binding 001d.60b3.0add vlan 10 10.0.0.10 interface f0/10
SW(config)#ip source binding 0023.7d00.d0a8 vlan 10 10.0.0.20 interface f0/20

What about if the server connected to that port is sending multicast traffic?
Is it possible to apply several entries to the same mac address with multiple addresses and also multicast addresses?

From david.freedman at uk.clara.net Wed Feb 10 06:56:48 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 10 Feb 2010 11:56:48 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B71A1D2.10909@imperial.ac.uk>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk>
Message-ID: <4B729F00.6070806@uk.clara.net>

>IOS: SXF15a

*ouch*, please upgrade to SXH/I to get event driven BGP....

From scottowens12 at gmail.com Wed Feb 10 07:52:20 2010
From: scottowens12 at gmail.com (scott owens)
Date: Wed, 10 Feb 2010 06:52:20 -0600
Subject: [c-nsp] firewalling authenticated wireless traffic
Message-ID:

Hello,

We offer wireless connectivity to about 500 to 1000 user/devices that authenticate with machine & domain credentials via WPA2.
Currently we send this through a HA pair of ASA5520s where the rule for this traffic essentially is any->any := ok. Does anyone let this type of traffic directly into their core networks - perhaps still restricting other type of wlans with controllers or firewalls ? Did you start off with firewalls and move to direct connects, the other way around, just do it with ACLs, treat all wireless as foreign and have to authenticate "extra" ? My thought is that our wireless traffic is likely more secure that our plain wired networks - at this point without 802.1x on lan. Thank you, Scott From p.mayers at imperial.ac.uk Wed Feb 10 08:10:54 2010 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 10 Feb 2010 13:10:54 +0000 Subject: [c-nsp] firewalling authenticated wireless traffic In-Reply-To: References: Message-ID: <4B72B05E.8080204@imperial.ac.uk> On 10/02/10 12:52, scott owens wrote: > Hello, > > We offer wireless connectivity to about 500 to 1000 user/devices that > authenticate with machine& domain credentials via WPA2. > Currently we send this through a HA pair of ASA5520s where the rule for this > traffic essentially is any->any := ok. > Does anyone let this type of traffic directly into their core networks - > perhaps still restricting other type of wlans with controllers or firewalls We do exactly the same thing. The main rationale is that we could drop in rules in a hurry during a mass outbreak such as Blaster or Slammer. > My thought is that our wireless traffic is likely more secure that our plain > wired networks - at this point without 802.1x on lan. Indeed. From koug at intracom.gr Wed Feb 10 09:12:32 2010 From: koug at intracom.gr (John Kougoulos) Date: Wed, 10 Feb 2010 16:12:32 +0200 (EET) Subject: [c-nsp] firewalling authenticated wireless traffic In-Reply-To: References: Message-ID: > > We offer wireless connectivity to about 500 to 1000 user/devices that > authenticate with machine & domain credentials via WPA2. 
> My thought is that our wireless traffic is likely more secure that our plain > wired networks - at this point without 802.1x on lan. > but the wireless signal travels probably outside your premises. Therefore someone who has stolen a laptop will stop near your building and get inside your network easily, since most probably the credentials are saved on the PC. And you rely on WPA2 because it has not been broken. yet. Client VPN & two factor authentication is safer I think, but I guess you'll have to forget about wifi phones. you can also block user-to-user traffic (like private vlans) to avoid eg attacks between the associated machines, while not connected on the vpn. Regards, John From brhedlun at cisco.com Wed Feb 10 10:01:30 2010 From: brhedlun at cisco.com (Brad Hedlund) Date: Wed, 10 Feb 2010 09:01:30 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: Message-ID: Michael- On Feb 9, 2010, at 10:30 PM, Michael K. Smith wrote: > > "the cloud" is not sufficient for your regulatory needs. However, you can > build your own "cloud" which we used to call a Wide Area Network. That's exactly my point if you've been following this thread. Internal IT *can* build/buy their own private cloud. The VCE vBlock is one example of that, and there is a good reason why the vBlock has fabric extenders. Applying the same old thinking to data center design isn't going to build a private cloud. > > A switch? A router? Those costs are small in comparison to cooling 100k of data center with 15Kw per rack. Agree 1000%. This thread started off in the minutia of server access layer switches, but there is a much larger equation here as you point out (the multitude of servers). However while the switch itself may seem like minutia, the architectural plays you make at the server access switching layer can have a broader reaching impact on power & cooling efficiencies. Again there is a reason the VCE vBlock has FCoE. 
> Then you should post from your gmail account.

What difference would that make? We're all adults here.

Cheers,
Brad

--
Brad Hedlund, CCIE #5530
Technology Solutions Architect, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

From jmplank at gmail.com Wed Feb 10 10:08:19 2010
From: jmplank at gmail.com (Jason Plank)
Date: Wed, 10 Feb 2010 10:08:19 -0500
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References:
Message-ID:

Brad,

You just made a terrible assumption. :)

Jason

>> Then you should post from your gmail account.
>
> What difference would that make? We're all adults here.
>
>
> Cheers,
> Brad
>
>
> --
> Brad Hedlund, CCIE #5530
> Technology Solutions Architect, Data Center
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Jason Plank (CCIE #16560)

From mhuff at ox.com Wed Feb 10 10:14:00 2010
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 10 Feb 2010 10:14:00 -0500
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>

With IP services on a 3560-E, is it possible to do server load balancing? If so, any caveats that I should be aware of? We just need to front end two web servers (oracle identity management) for http and https (no ssl offloading needed). I hate to have to buy an ACE just for these two servers

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From mtinka at globaltransit.net Wed Feb 10 09:45:52 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 10 Feb 2010 22:45:52 +0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <078c01caa515$80907ed0$81b17c70$@unwiredltd.com>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <201002030817.24147.mtinka@globaltransit.net> <078c01caa515$80907ed0$81b17c70$@unwiredltd.com>
Message-ID: <201002102245.53583.mtinka@globaltransit.net>

On Thursday 04 February 2010 05:11:49 am Peter Kranz wrote:

> So in terms of enabling MPLS on a fully meshed set of
> routers running BGP and OSPF..
>
> Here are the general steps I believe;
>
> #conf t
> Tag-switching advertise-tags
> !
> Int g0/0
> Mtu 9216
> Tag-switching ip
> !

Be very careful here - changing the interface MTU would bring down OSPF as adjacencies with other OSPF speakers depend on the link MTU being the same for both sides.

However, yes, MPLS needs larger-than-default Ethernet MTUs to work, so 9,000 bytes is good.

To guard against dropping your OSPF adjacencies, set 'ip mtu 15000' so that OSPF can continue to use 1,500 bytes while all other protocols (including MPLS) use 9,000. You can then regularize this setup once your MPLS turn-up is complete.

Cheers,

Mark.

From dcp at dcptech.com Wed Feb 10 10:36:26 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 10:36:26 -0500
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>
Message-ID: <01a101caaa66$cf5f5d00$6e1e1700$@com>

IOS SLB is on the 6500 and 7200. Not on the 3560-E / 3750-E.

Could always use Anycast via a loopback on the servers and let CEF ECMP take care of it. But this is typically only done for UDP applications. Not sure if EOT is on the 3560-E for Static Routes, or you could use BGP from the servers.
David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Matthew Huff
> Sent: Wednesday, February 10, 2010 10:14 AM
> To: 'cisco-nsp (cisco-nsp at puck.nether.net)'
> Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
>
> With IP services on a 3560-E, is it possible to do server load
> balancing? If so, any caveats that I should be aware of? We just need
> to front end two web servers (oracle identity management) for http and
> https (no ssl offloading needed). I hate to have to buy an ACE just for
> these two servers
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>

From psirt at cisco.com Wed Feb 10 11:00:00 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 10 Feb 2010 11:00:00 -0500
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance
Message-ID: <201002101100.ironport@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance

Advisory ID: cisco-sa-20100210-ironport

Revision 1.0

For Public Release 2010 February 10 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco IronPort Encryption Appliance devices contain two vulnerabilities that allow remote, unauthenticated access to any file on the device and one vulnerability that allows remote, unauthenticated users to execute arbitrary code with elevated privileges. There are workarounds available to mitigate these vulnerabilities. Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco IronPort Encryption Appliance versions are affected by these vulnerabilities:

  * Cisco IronPort Encryption Appliance 6.5 versions prior to 6.5.2
  * Cisco IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1
  * Cisco IronPort PostX MAP versions prior to 6.2.9.1

The version of software that is running on a Cisco IronPort Encryption Appliance is located on the "About" page of the Cisco IronPort Encryption Appliance administration interface.

Note: Customers should contact IronPort support to determine which software fixes are applicable for their environment. Please consult the Obtaining Fixed Software section of this advisory for more information.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IronPort C, M, and S-Series appliances are not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Note: IronPort tracks bugs using an internal system that is not available to customers. The IronPort bug tracking identifiers are provided for reference only.

The Cisco IronPort Encryption Appliance contains two information disclosure vulnerabilities that allow remote, unauthenticated access to arbitrary files on vulnerable devices via the embedded HTTPS server.

The first vulnerability affecting the Cisco IronPort Encryption Appliance administration interface is documented in IronPort bug 65921 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0143.

The second vulnerability affecting the WebSafe servlet is documented in IronPort bug 65922 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0144.
The Cisco IronPort Encryption Appliance contains a remote code execution vulnerability that allows an unauthenticated attacker to run arbitrary code with elevated privileges on vulnerable devices via the embedded HTTPS server. The vulnerability is documented in IronPort bug 65923 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0145.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

IronPort Bug 65921 - Arbitrary File Access Through Administrative Interface

CVSS Base Score - 7.8
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - Complete
    Integrity Impact        - None
    Availability Impact     - None

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

IronPort Bug 65922 - WebSafe DistributorServlet Allows Unauthenticated Arbitrary File Access

CVSS Base Score - 7.8
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - Complete
    Integrity Impact        - None
    Availability Impact     - None

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

IronPort Bug 65923 - Default Config Allows Unauthenticated Remote Arbitrary Code

CVSS Base Score - 10
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - Complete
    Integrity Impact        - Complete
    Availability Impact     - Complete

CVSS Temporal Score - 8.3
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to access arbitrary files or execute arbitrary code with elevated privileges.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

Workarounds
===========

It is possible to mitigate the administration interface file access vulnerability (IronPort Bug 65921) by using the IP address restriction feature of the administration interface to limit access to trusted hosts. Access to the administration interface is not restricted by default. To configure access limits, an administrator should navigate to the "Configuration -> Web Services -> Admin -> Console Security" area in the Cisco IronPort Encryption Appliance administration interface.

It is possible to work around the remote code execution vulnerability (IronPort Bug 65923) by disabling HTTP Invoker in the Cisco IronPort Encryption Appliance configuration files. To disable the HTTP Invoker, an administrator must delete several files in the PostX application home directory and remove a directive from the web server configuration.

The following files must be deleted:

    jboss/server/postx/deploy/http-invoker.sar
    jboss/server/postx/deploy/jms/jbossmq-httpil.sar

The following directive must be removed from the "jboss/server/postx/conf/jboss-service.xml" web server configuration file.
After deleting the files and removing the directive from the configuration file, the PostX application service must be restarted.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100210-ironport.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. The affected products in this advisory are directly supported by Cisco IronPort. Customers should contact Cisco IronPort technical support at the link below to obtain software fixes. Cisco IronPort technical support will assist customers in determining the correct fixes and installation procedures. Customers should direct all warranty questions to IronPort technical support.

Note: Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

http://www.ironport.com/support/contact_support.html

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

These vulnerabilities were discovered and reported to Cisco by Jesse Michael and Alexander Senkevitch of Blue Cross Blue Shield of Illinois. Cisco would like to thank Jesse and Alexander for reporting these vulnerabilities to us and for working with us on a coordinated disclosure.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+-----------------------------------------------------------+
| Revision 1.0 | 2010-FEB-10 | Initial public release        |
+-----------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices.
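The base and temporal figures in the Vulnerability Scoring Details section of the advisory above follow from the published metric values by the CVSS v2.0 formulas, and the advisory leaves the environmental score to the customer. The Python below is an added example, not part of the Cisco advisory or of Cisco's calculator: it implements the CVSS v2.0 base, temporal and environmental equations with the weights from the specification, reproduces the advisory's 7.8 / 6.4 and 10 / 8.3 scores from the listed metrics, and then carries bug 65921 on to an environmental score. The collateral damage, target distribution and confidentiality requirement values used for that last step are constructed for illustration and are not Cisco figures.

```python
"""CVSS v2.0 base, temporal and environmental scoring.

Added example, not part of the Cisco advisory: recomputes the scores the
advisory lists from the metric values it publishes, then continues one of
them to an environmental score for a hypothetical network. Weights and
formulas are those of the CVSS v2.0 specification.
"""
import math
from dataclasses import dataclass

# Base metric weights.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# Temporal metric weights; "Not Defined" leaves the base score untouched.
EXPLOITABILITY = {"Unproven": 0.85, "Proof-of-Concept": 0.9, "Functional": 0.95,
                  "High": 1.0, "Not Defined": 1.0}
REMEDIATION_LEVEL = {"Official-Fix": 0.87, "Temporary-Fix": 0.90, "Workaround": 0.95,
                     "Unavailable": 1.0, "Not Defined": 1.0}
REPORT_CONFIDENCE = {"Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.0,
                     "Not Defined": 1.0}

# Environmental metric weights (the part the advisory leaves to the customer).
COLLATERAL_DAMAGE = {"None": 0.0, "Low": 0.1, "Low-Medium": 0.3, "Medium-High": 0.4,
                     "High": 0.5, "Not Defined": 0.0}
TARGET_DISTRIBUTION = {"None": 0.0, "Low": 0.25, "Medium": 0.75, "High": 1.0,
                       "Not Defined": 1.0}
SECURITY_REQUIREMENT = {"Low": 0.5, "Medium": 1.0, "High": 1.51, "Not Defined": 1.0}


def round1(x):
    """Round half up to one decimal; Python's round() is half-to-even."""
    return math.floor(x * 10 + 0.5) / 10


@dataclass(frozen=True)
class Cvss2:
    access_vector: str
    access_complexity: str
    authentication: str
    confidentiality: str
    integrity: str
    availability: str
    exploitability: str = "Not Defined"
    remediation_level: str = "Not Defined"
    report_confidence: str = "Not Defined"

    def _impact(self, cr=1.0, ir=1.0, ar=1.0):
        # Impact = 10.41 * (1 - (1-C)(1-I)(1-A)); cr/ir/ar are 1.0 for the base score.
        c = IMPACT[self.confidentiality] * cr
        i = IMPACT[self.integrity] * ir
        a = IMPACT[self.availability] * ar
        return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))

    def _base_from_impact(self, impact):
        # Exploitability = 20 * AV * AC * Au; f(Impact) is 0 when there is no impact.
        exploitability = (20 * ACCESS_VECTOR[self.access_vector]
                          * ACCESS_COMPLEXITY[self.access_complexity]
                          * AUTHENTICATION[self.authentication])
        f_impact = 0.0 if impact == 0 else 1.176
        return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

    def base(self):
        return self._base_from_impact(self._impact())

    def temporal(self, base=None):
        # Temporal = round(Base * E * RL * RC), applied to the already rounded base.
        base = self.base() if base is None else base
        return round1(base * EXPLOITABILITY[self.exploitability]
                      * REMEDIATION_LEVEL[self.remediation_level]
                      * REPORT_CONFIDENCE[self.report_confidence])

    def environmental(self, collateral_damage="Not Defined", target_distribution="Not Defined",
                      confidentiality_req="Not Defined", integrity_req="Not Defined",
                      availability_req="Not Defined"):
        # AdjustedImpact is capped at 10; base and temporal are recomputed from it
        # before collateral damage and target distribution are applied.
        adjusted_impact = min(10.0, self._impact(SECURITY_REQUIREMENT[confidentiality_req],
                                                 SECURITY_REQUIREMENT[integrity_req],
                                                 SECURITY_REQUIREMENT[availability_req]))
        adjusted_temporal = self.temporal(self._base_from_impact(adjusted_impact))
        return round1((adjusted_temporal + (10 - adjusted_temporal)
                       * COLLATERAL_DAMAGE[collateral_damage])
                      * TARGET_DISTRIBUTION[target_distribution])


# Metric values exactly as the advisory's scoring section lists them.
ADVISORY_SCORES = {
    "IronPort bug 65921 (CVE-2010-0143)": Cvss2("Network", "Low", "None", "Complete", "None",
                                                "None", "Functional", "Official-Fix", "Confirmed"),
    "IronPort bug 65922 (CVE-2010-0144)": Cvss2("Network", "Low", "None", "Complete", "None",
                                                "None", "Functional", "Official-Fix", "Confirmed"),
    "IronPort bug 65923 (CVE-2010-0145)": Cvss2("Network", "Low", "None", "Complete", "Complete",
                                                "Complete", "Functional", "Official-Fix", "Confirmed"),
}


def score_advisory():
    """Return {bug: (base, temporal)} for the three advisory entries."""
    return {name: (v.base(), v.temporal()) for name, v in ADVISORY_SCORES.items()}


if __name__ == "__main__":
    for name, (base, temporal) in score_advisory().items():
        print(f"{name}: base {base}, temporal {temporal}")
    # Constructed environmental inputs for a hypothetical site: the appliance carries
    # highly confidential mail and a compromise would do medium-high collateral
    # damage. Illustrative values only, not Cisco figures.
    env = ADVISORY_SCORES["IronPort bug 65921 (CVE-2010-0143)"].environmental(
        collateral_damage="Medium-High", target_distribution="High", confidentiality_req="High")
    print(f"environmental score for the constructed scenario: {env}")
```

Rounding is done half-up at each stage (base, adjusted base, temporal, environmental) as the specification prescribes; with `round()` alone the 65923 temporal score of 8.265 would land on 8.2 rather than the advisory's 8.3. Raising the confidentiality requirement pushes the adjusted impact of the file-read bugs to the cap, so in the constructed scenario bug 65921 scores as high as the code-execution bug would.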
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----

iD8DBQFLctPY86n/Gc8U/uARAozcAKCZKW3TZKhWHGqRyyPhEz/sFRNGoACbB8rh
H9asrIkxuFpOpSgFLdpV7D8=
=ahIn
-----END PGP SIGNATURE-----

From amsoares at netcabo.pt Wed Feb 10 11:14:37 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 10 Feb 2010 16:14:37 -0000
Subject: [c-nsp] WebVPN Issue
In-Reply-To:
References:
Message-ID:

Thank you both for your inputs. I still cannot share the config since I saw this in a production network and I'm still trying to reproduce it in the lab.

But the "debug ip routing" says it all:

1) When user X connects, he gets ip=10.10.10.166

RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]

2) When another user tries the connection with the same user X:

RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32

So the router deletes the route, adds it and removes it again. This explains the loss of connectivity.

We have radius authentication and the radius server assigns a pre-defined ip to each user. So when the radius server sends the same ip, it seems the router gets confused.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of Farrukh Haroon
Sent: Wednesday, 10 February 2010 6:27
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net; Cisco certification
Subject: Re: WebVPN Issue

No it works fine for multiple users, we have it running. If you can post the sanitized config, I can have a look.
Also check your 'show tcp brief' output to see if you have any stale connections there. We faced a similar issue, and putting 'service tcp-keepalives-in' fixed the issue (you may put 'out' as well)..

We are running 12.4(15)Tx though.

Regards

Farrukh

On Wed, Feb 10, 2010 at 4:55 AM, Antonio Soares wrote:

> Hello group,
>
> I'm facing a strange issue with IOS Based WebVPN: when user X is connected
> and then another user uses the same user X, the second
> user is not able to connect but the first user loses connectivity. I have
> this with IOS 12.4.24T and AC 2.3.2016 running on a 2821.
> This is not expected behavior, right ?
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt

From lists at hojmark.org Wed Feb 10 11:16:29 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 10 Feb 2010 17:16:29 +0100
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>
Message-ID:

On Wed, 10 Feb 2010 10:14:00 -0500, you wrote:

> With IP services on a 3560-E, is it possible to do server load balancing?

No.

-A

From mhuff at ox.com Wed Feb 10 11:20:13 2010
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 10 Feb 2010 11:20:13 -0500
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <01a101caaa66$cf5f5d00$6e1e1700$@com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com> <01a101caaa66$cf5f5d00$6e1e1700$@com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>

Yes, it looks like IOS SLB is only available on the 6500/7600. Too bad. This is for straight reverse-proxy web caches for Oracle WebCache so it uses http/https. We may have to purchase an ACE appliance. Anyone have any suggestions for a turnkey (not linux server based, etc) appliance that does http/https load balancing?
Something as simple and cheap as possible.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: David Prall [mailto:dcp at dcptech.com]
> Sent: Wednesday, February 10, 2010 10:36 AM
> To: Matthew Huff; 'cisco-nsp'
> Subject: RE: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
>
> IOS SLB is on the 6500 and 7200. Not on the 3560-E / 3750-E.
>
> Could always use Anycast via a loopback on the servers and let CEF ECMP take
> care of it. But this is typically only done for UDP applications. Not sure
> if EOT is on the 3560-E for Static Routes, or you could use BGP from the
> servers.
>
> David
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Matthew Huff
> > Sent: Wednesday, February 10, 2010 10:14 AM
> > To: 'cisco-nsp (cisco-nsp at puck.nether.net)'
> > Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> >
> > With IP services on a 3560-E, is it possible to do server load
> > balancing? If so, any caveats that I should be aware of? We just need
> > to front end two web servers (oracle identity management) for http and
> > https (no ssl offloading needed). I hate to have to buy an ACE just for
> > these two servers
> >
> > ----
> > Matthew Huff       | One Manhattanville Rd
> > OTA Management LLC | Purchase, NY 10577
> > http://www.ox.com  | Phone: 914-460-4039
> > aim: matthewbhuff  | Fax:   914-460-4139
> >
>

From dcp at dcptech.com Wed Feb 10 11:38:11 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 11:38:11 -0500
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com> <01a101caaa66$cf5f5d00$6e1e1700$@com> <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>
Message-ID: <01c301caaa6f$6f76aa20$4e63fe60$@com>

Create a loopback interface on the servers with the VIP. Point a static route for the VIP at the servers' physical address, make the VIP on the same subnet as the physicals. Let CEF take care of it. You lose a lot of dynamic capabilities that are available via monitoring. You'll need Enhanced Object Tracking to monitor that the server is alive.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: Matthew Huff [mailto:mhuff at ox.com]
> Sent: Wednesday, February 10, 2010 11:20 AM
> To: 'David Prall'; 'cisco-nsp'
> Subject: RE: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
>
> Yes, it looks like IOS SLB is only available on the 6500/7600. Too bad.
> This is for straight reverse-proxy web caches for Oracle WebCache so it
> uses http/https. We may have to purchase an ACE appliance. Anyone have
> any suggestions for a turnkey (not linux server based, etc) appliance
> that does http/https load balancing? Something as simple and cheap as
> possible.
>
>
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>
>
>
> > -----Original Message-----
> > From: David Prall [mailto:dcp at dcptech.com]
> > Sent: Wednesday, February 10, 2010 10:36 AM
> > To: Matthew Huff; 'cisco-nsp'
> > Subject: RE: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> >
> > IOS SLB is on the 6500 and 7200. Not on the 3560-E / 3750-E.
> >
> > Could always use Anycast via a loopback on the servers and let CEF
> > ECMP take care of it. But this is typically only done for UDP applications.
> > Not sure if EOT is on the 3560-E for Static Routes, or you could use BGP from
> > the servers.
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > > bounces at puck.nether.net] On Behalf Of Matthew Huff
> > > Sent: Wednesday, February 10, 2010 10:14 AM
> > > To: 'cisco-nsp (cisco-nsp at puck.nether.net)'
> > > Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> > >
> > > With IP services on a 3560-E, is it possible to do server load
> > > balancing? If so, any caveats that I should be aware of? We just need
> > > to front end two web servers (oracle identity management) for http and
> > > https (no ssl offloading needed). I hate to have to buy an ACE just for
> > > these two servers
> > >
> > > ----
> > > Matthew Huff       | One Manhattanville Rd
> > > OTA Management LLC | Purchase, NY 10577
> > > http://www.ox.com  | Phone: 914-460-4039
> > > aim: matthewbhuff  | Fax:   914-460-4139
> > >
> >

From amsoares at netcabo.pt Wed Feb 10 12:24:12 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 10 Feb 2010 17:24:12 -0000
Subject: [c-nsp] WebVPN Issue
In-Reply-To: <228953D7-1A44-4DF5-81D2-8EA1A6F3BDD4@iementor.com>
References: <228953D7-1A44-4DF5-81D2-8EA1A6F3BDD4@iementor.com>
Message-ID: <6D6176D9927649BDA2E3133781A145AF@int.convex.pt>

Yes, it works fine with local pool. In this case, the AC client gets a message saying "no address assigned".

I was able to reproduce the problem in the meanwhile. It makes sense that the 2nd user is not able to establish the session but it doesn't make sense the 1st loses his connection. This seems a bug to me.

Thanks.
Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Roman Rodichev [mailto:romangs at iementor.com]
Sent: Wednesday, 10 February 2010 17:03
To: Antonio Soares
Cc: Farrukh Haroon; ; Cisco certification
Subject: Re: WebVPN Issue

So that might be the problem. How can you assign a different IP from RADIUS for concurrent logins? It should work with local pool

Sent from my iPhone

On Feb 10, 2010, at 10:14 AM, "Antonio Soares" wrote:

> Thank you both for your inputs. I still cannot share the config
> since I saw this in a production network and I'm still trying to
> reproduce it in the lab.
>
> But the "debug ip routing" says it all:
>
> 1) When user X connects, he gets ip=10.10.10.166
>
> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>
> 2) When another user tries the connection with the same user X:
>
> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
> RT(VRF_X): delete subnet route to 10.10.10.166/32
> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
> RT(VRF_X): delete subnet route to 10.10.10.166/32
>
> So the router deletes the route, adds it and removes it again. This
> explains the loss of connectivity.
>
> We have radius authentication and the radius server assigns a pre-
> defined ip to each user. So when the radius server sends the same
> ip, it seems the router gets confused.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf
> Of Farrukh Haroon
> Sent: Wednesday, 10 February 2010 6:27
> To: Antonio Soares
> Cc: cisco-nsp at puck.nether.net; Cisco certification
> Subject: Re: WebVPN Issue
>
> No it works fine for multiple users, we have it running. If you can
> post the
> sanitized config, I can have a look.
>
> Also check your 'show tcp brief' output to see if you have any stale
> connections there. We faced a similar issue, and putting 'service
> tcp-keepalives-in' fixed the issue (you may put 'out' as well)..
>
> We are running 12.4(15)Tx though.
>
> Regards
>
> Farrukh
>
>
>
> On Wed, Feb 10, 2010 at 4:55 AM, Antonio Soares
> wrote:
>
>> Hello group,
>>
>> I'm facing a strange issue with IOS Based WebVPN: when user X is
>> connected
>> and then another user uses the same user X, the second
>> user is not able to connect but the first user loses connectivity.
>> I have
>> this with IOS 12.4.24T and AC 2.3.2016 running on a 2821.
>> This is not expected behavior, right ?
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>
>

From scottowens12 at gmail.com Wed Feb 10 12:30:39 2010
From: scottowens12 at gmail.com (scott owens)
Date: Wed, 10 Feb 2010 11:30:39 -0600
Subject: [c-nsp] firewalling authenticated wireless traffic
Message-ID:

>
> From: John Kougoulos
> To: scott owens
>
> We offer wireless connectivity to about 500 to 1000 user/devices
> that authenticate with machine & domain credentials via WPA2.
>
>
> My thought is that our wireless traffic is likely more secure than our
> plain wired networks - at this point without 802.1x on lan.
>
>
> But the wireless signal travels probably outside your premises.
> Therefore
> someone who has stolen a laptop will stop near your building and
> get inside your network easily, since most probably the credentials
> are saved on the PC.
>

User credentials are not cached, machine ones are - of course. They really would not have to go to this effort - they could just plug a laptop into our network. 802.1x/NAC is not yet implemented internally.

> And you rely on WPA2 because it has not been broken. Yet.
> Client VPN & two factor authentication is safer I think, but I guess you'll
> have to forget about wifi phones.
>
> You can also block user-to-user traffic (like private vlans) to avoid
> e.g. attacks between the associated machines, while not connected on the vpn.
>

We do use Citrix SSL vpns for our app connectivity both internally and externally, so there is no difference to the end user from a look and feel when they use a device, and we do separate ssid/network for phones as well and it has acls restricting it to only the phone portion of network.

There are a couple of options for Cisco wisms on where/how you do peer-to-peer blocking - we selected stopping it closest to client for the wireless PC devices.

So I think you are in agreement it is ok to just plug into network directly?

> Regards,
> John
>
>

From gkg at gmx.de Wed Feb 10 12:50:09 2010
From: gkg at gmx.de (Garry)
Date: Wed, 10 Feb 2010 18:50:09 +0100
Subject: [c-nsp] Limiting DHCP on a Bridge Group
Message-ID: <4B72F1D1.3080709@gmx.de>

Hi,

I've got a setup that could use some tweaking ...

CPE is a 876W, with the 4 wired switch ports (read: VLAN1) and the WLAN being in a bridge group, LAN ip on the BVI1 interface.

LAN ports are only for designated boxes, while there are select users that may use the WLAN link to connect. For those, the router is running as a DHCP server, too.

Anyway, I would like to limit the DHCP answers to just the WLAN link.
I know I could go ahead and just split up the bridge group, with routing between the networks, but due to some other requirements, WLAN and wired lan need to be in the same broadcast domain (at least unless the customer goes through some major reconfiguration).

I've received some suggestions as to using a policy map with class maps matching on proto dhcp and the incoming interfaces, dropping the traffic when it matched, while still forwarding the class default ... anyway, I tried setting that up, but still got DHCP on the FE ports ...

Any other suggestions? Or some hint on what I missed? Here's an excerpt from the config ...

---
class-map match-all NODHCP
 match protocol dhcp
 match input-interface FastEthernet0
class-map match-all NODHCP1
 match protocol dhcp
 match input-interface FastEthernet1
class-map match-all NODHCP2
 match protocol dhcp
 match input-interface FastEthernet2
class-map match-all NODHCP3
 match protocol dhcp
 match input-interface FastEthernet3

policy-map NODHCP
 class NODHCP
  drop
 class NODHCP1
  drop
 class NODHCP2
  drop
 class NODHCP3
  drop
 class class-default
!
interface BVI1
 ip address 10.1.1.1 255.255.255.0
 service-policy input NODHCP

Help appreciated, -garry

From dcp at dcptech.com Wed Feb 10 13:04:47 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 13:04:47 -0500
Subject: [c-nsp] Limiting DHCP on a Bridge Group
In-Reply-To: <4B72F1D1.3080709@gmx.de>
References: <4B72F1D1.3080709@gmx.de>
Message-ID: <01d101caaa7b$8855bca0$990135e0$@com>

Match protocol is nbar, I can never remember which require "ip nbar protocol-discovery" on the interface.
Why not use an access-list denying dhcp:

deny udp any eq bootpc any eq bootps

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Garry
> Sent: Wednesday, February 10, 2010 12:50 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Limiting DHCP on a Bridge Group
>
> Hi,
>
> I've got a setup that could use some tweaking ...
>
> CPE is a 876W, with the 4 wired switch ports (read: VLAN1) and the WLAN
> being in a bridge group, LAN ip on the BVI1 interface.
>
> LAN ports are only for designated boxes, while there are select users
> that may use the WLAN link to connect. For those, the router is running
> as a DHCP server, too.
> Anyway, I would like to limit the DHCP answers to just the WLAN link. I
> know I could go ahead and just split up the bridge group, with routing
> between the networks, but due to some other requirements, WLAN and
> wired
> lan need to be in the same broadcast domain (at least unless the
> customer goes through some major reconfiguration).
>
> I've received some suggestions as to using a policy map with class maps
> matching on proto dhcp and the incoming interfaces, dropping the
> traffic
> when it matched, while still forwarding the class default ... anyway, I
> tried setting that up, but still got DHCP on the FE ports ...
>
> Any other suggestions? Or some hint on what I missed? Here's an excerpt
> from the config ...
>
> ---
> class-map match-all NODHCP
>  match protocol d hcp
>  match input-interface FastEthernet0
> class-map match-all NODHCP1
>  match protocol dhcp
>  match input-interface FastEthernet1
> class-map match-all NODHCP2
>  match protocol dhcp
>  match input-interface FastEthernet2
> class-map match-all NODHCP3
>  match protocol dhcp
>  match input-interface FastEthernet3
>
> policy-map NODHCP
>  class NODHCP
>   drop
>  class NODHCP1
>   drop
>  class NODHCP2
>   drop
>  class NODHCP3
>   drop
>  class class-default
> !
> interface BVI1 > ip address 10.1.1.1 255.255.255.0 > service-policy input NODHCP > > Help appreciated, -garry > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From globichen at gmail.com Wed Feb 10 13:44:07 2010 From: globichen at gmail.com (Andy B.) Date: Wed, 10 Feb 2010 19:44:07 +0100 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <4B71A1D2.10909@imperial.ac.uk> References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> Message-ID: I am currently facing this strange behaviour once again. Nothing suspicious in terms of CPU: #sh proc cpu sort | ex 0.00 CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 123 823552748 891845755 923 1.35% 1.32% 1.24% 0 IP Input 142 42990360 548209142 78 0.63% 0.15% 0.06% 0 IP SNMP 176 81597832 313530395 260 0.63% 0.20% 0.12% 0 SNMP ENGINE 286 95557652 68837887 1388 0.31% 4.77% 4.27% 0 BGP Router 46 8724 6895 1265 0.31% 0.33% 0.24% 2 SSH Process 169 98755140 5844411 16897 0.31% 0.31% 0.31% 0 Adj Manager 9 92740444 222352412 417 0.23% 0.40% 0.41% 0 ARP Input 320 20411156 140247526 145 0.15% 1.64% 1.57% 0 BGP I/O 180 64470940 51288798 1257 0.15% 0.58% 0.44% 0 CEF process 167 27190044 390437731 69 0.15% 0.12% 0.10% 0 IPv6 Input #remote command switch sh proc cpu sort | ex 0.00 CPU utilization for five seconds: 10%/0%; one minute: 14%; five minutes: 20% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 102 577414400 14603714 39539 5.19% 2.76% 2.58% 0 Vlan Statistics 42 11702922242664309865 0 3.91% 3.83% 3.87% 
0 slcp process
257 79620728 46604862 1708 0.23% 1.31% 0.92% 0 CEF process
152 24224440 35123075 689 0.15% 0.08% 0.07% 0 CEF LC Stats
33 29231032 224654615 130 0.15% 0.08% 0.07% 0 SCP Download Lis
131 39865856 1338254 29789 0.07% 0.08% 0.11% 0 TCAM Manager pro
127 37865260 135955648 278 0.07% 0.07% 0.07% 0 Spanning Tree
187 12366092 3103775 3984 0.07% 0.04% 0.05% 0 v6fib stat colle
239 11888108 8600338 1382 0.07% 0.04% 0.03% 0 LTL MGR cc

Packet loss to the router (nothing behind it) is around 25%.
And still losing random BGP and OSPF sessions. SNMP graphs are not being generated either.

Currently feeling quite desperate, because I have no clue where to look next...

Andy

On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers wrote:
> On 09/02/10 17:39, Church, Charles wrote:
>>
>> I was going by the 'show proc cpu hist' he gave for both the SP and RP.
>> Both looked pretty bad across the board.
>
> His graphs don't look that dissimilar to mine, and we have no such
> problems. The peak/avg CPU don't look so unreasonable to me given the load
> and setup he's described.
>
> To summarise in this thread, it has been suggested:
>
> 1. Netflow is the problem - to which the OP said he's already tried
> disabling it
>
> 2. CPU punts, specifically gleans, are the problem - in which case CoPP or
> MLS rate limiters can be tried, but the OP really IMHO needs to confirm this
> with a span of the CPU
>
> 3. The 6500 is just no good, buy a Juniper or ASR1k (!) which I strongly
> dispute. It may be awkward and have odd limits, but it OUGHT TO HANDLE the
> load we've been told about; therefore something is wrong
>
> ...and lots more besides. I'm exhausted from following the thread, but my
> advice to the OP is to determine what is hitting the CPU *during an outage*,
> then proceed from there.
>
> I'm going to stop reading now.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From david.freedman at uk.clara.net Wed Feb 10 13:48:25 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 10 Feb 2010 18:48:25 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk>
Message-ID: <4B72FF79.3030502@uk.clara.net>

So, are you checking your interfaces for incrementing drop/error counters?

Are you seeing any of this when there is the problem occurring?
(clear counters, sh int summ etc.)

Dave.

What about

Andy B. wrote:
> I am currently facing this strange behaviour once again.
Nothing > suspicious in terms of CPU: > > #sh proc cpu sort | ex 0.00 > CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 123 823552748 891845755 923 1.35% 1.32% 1.24% 0 IP Input > 142 42990360 548209142 78 0.63% 0.15% 0.06% 0 IP SNMP > 176 81597832 313530395 260 0.63% 0.20% 0.12% 0 SNMP ENGINE > 286 95557652 68837887 1388 0.31% 4.77% 4.27% 0 BGP Router > 46 8724 6895 1265 0.31% 0.33% 0.24% 2 SSH Process > 169 98755140 5844411 16897 0.31% 0.31% 0.31% 0 Adj Manager > 9 92740444 222352412 417 0.23% 0.40% 0.41% 0 ARP Input > 320 20411156 140247526 145 0.15% 1.64% 1.57% 0 BGP I/O > 180 64470940 51288798 1257 0.15% 0.58% 0.44% 0 CEF process > 167 27190044 390437731 69 0.15% 0.12% 0.10% 0 IPv6 Input > > #remote command switch sh proc cpu sort | ex 0.00 > CPU utilization for five seconds: 10%/0%; one minute: 14%; five minutes: 20% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 102 577414400 14603714 39539 5.19% 2.76% 2.58% 0 Vlan Statistics > 42 11702922242664309865 0 3.91% 3.83% 3.87% 0 slcp process > 257 79620728 46604862 1708 0.23% 1.31% 0.92% 0 CEF process > 152 24224440 35123075 689 0.15% 0.08% 0.07% 0 CEF LC Stats > 33 29231032 224654615 130 0.15% 0.08% 0.07% 0 SCP Download Lis > 131 39865856 1338254 29789 0.07% 0.08% 0.11% 0 TCAM Manager pro > 127 37865260 135955648 278 0.07% 0.07% 0.07% 0 Spanning Tree > 187 12366092 3103775 3984 0.07% 0.04% 0.05% 0 v6fib stat colle > 239 11888108 8600338 1382 0.07% 0.04% 0.03% 0 LTL MGR cc > > Packet loss to the router (nothing behind it) is around 25%. > And still loosing random BGP and OSPF sessions. SNMP graphs are not > being generated either. > > Currently feeling quite desperate, because I have no clue where to look next... > > Andy > > On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers wrote: >> On 09/02/10 17:39, Church, Charles wrote: >>> I was going by the 'show proc cpu hist' he gave for both the SP and RP. 
>>> Both looked pretty bad across the board.
>> His graphs don't look that dis-similar to mine, and we have no such
>> problems. The peak/avg CPU don't look so unreasonable to me given the load
>> and setup he's described.
>>
>> To summarise in this thread, it has been suggested:
>>
>> 1. Netflow is the problem - to which the OP said he's already tried
>> disabling it
>>
>> 2. CPU punts, specifically gleans, are the problem - in which case CoPP or
>> MLS rate limiters can be tried, but the OP really IMHO needs to confirm this
>> with a span of the CPU
>>
>> 3. The 6500 is just no good buy a juniper or asr1k (!) which I strongly
>> dispute. It may be awkward and have odd limits, but it OUGHT TO HANDLE the
>> load we've been told about; therefore something is wrong
>>
>> ...and lots more besides. I'm exhausted from following the thread, but my
>> advice to the OP is to determine what is hitting the CPU *during an outage*,
>> then proceed from there.
>>
>> I'm going to stop reading now.
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From globichen at gmail.com Wed Feb 10 14:00:33 2010
From: globichen at gmail.com (Andy B.)
Date: Wed, 10 Feb 2010 20:00:33 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B72FF79.3030502@uk.clara.net>
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID:

On Wed, Feb 10, 2010 at 7:48 PM, David Freedman wrote:
> So, are you checking your interfaces for incrementing drop/error counters?
>
> Are you seeing any of this when there is the problem occurring?
> (clear counters, sh int summ etc.)
>

I am having input drops all the time, no matter how high or low I set the incoming hold-queue.

The OSPF and IBGP interfaces approx. 30 minutes after I cleared the counters:

TenGigabitEthernet8/1 is up, line protocol is up (connected)
  Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0

TenGigabitEthernet9/1 is up, line protocol is up (connected)
  Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0

TenGigabitEthernet9/2 is up, line protocol is up (connected)
  Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0

These links are not congested! Te9/1 is the busiest with maybe 6.5 out of 10 Gig. The other two are below 5 Gig.

From lmeade at signal.ca Wed Feb 10 14:00:55 2010
From: lmeade at signal.ca (Leslie Meade)
Date: Wed, 10 Feb 2010 11:00:55 -0800
Subject: [c-nsp] rate-limit command not accepting ?
Message-ID:

I have got a pair of 6509E switches that we use for our core, and they are connected with fiber EtherChannels. The plan is to use the 2nd for a failover core if the 1st has failed. My testing has failover working fine. But when I add a rate-limit command on the VLAN interface it is not allowing me.
This is what I have on my primary core for a VLAN int:

interface Vlan7
 description Twilight_Production
 ip address 10.1.7.2 255.255.255.0
 ip access-group USM in
 ip helper-address 10.1.6.10
 no ip redirects
 no ip unreachables
 ip flow ingress
 rate-limit input 2096000 128000 128000 conform-action transmit exceed-action drop
 rate-limit output 2096000 128000 128000 conform-action transmit exceed-action drop
 ip route-cache flow
 no ip mroute-cache
 mls netflow sampling
 standby 15 ip 10.1.7.1
 standby 15 priority 250
 standby 15 preempt

But when I add the rate-limit commands on the 2nd core I get this:

DTCCAT-CORE01(config)#interface Vlan7
DTCCAT-CORE01(config-if)# rate-limit input 2096000 128000 128000 conform-action transmit exceed-action drop
^
% Invalid input detected at '^' marker.

DTCCAT-CORE01(config-if)# rate-limit output 2096000 128000 128000 conform-action transmit exceed-action drop
^
% Invalid input detected at '^' marker.

Both are running the same IOS of s3223_rp-ADVIPSERVICESK9_WAN-M, both have the same PFC and MSFC cards? Any ideas?

From globichen at gmail.com Wed Feb 10 14:04:51 2010
From: globichen at gmail.com (Andy B.)
Date: Wed, 10 Feb 2010 20:04:51 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID:

By the way, I am using Cacti to pull out data from all my routers. Here is what Cacti is reporting when the router is behaving like now:

02/10/2010 07:39:12 PM - SPINE: Poller[0] Host[4] DS[594] WARNING: SNMP timeout detected [500 ms], ignoring host 'x.x.4.131'

The Cacti server is in a dedicated 'NOC vlan' right next to the core, not on any of these OSPF/BGP interfaces.

Andy

On Wed, Feb 10, 2010 at 8:00 PM, Andy B.
wrote: > On Wed, Feb 10, 2010 at 7:48 PM, David Freedman > wrote: >> So, are you checking your interfaces for incrementing drop/error counters? >> >> Are you seeing any of this when there is the problem occuring? >> (clear counters , sh int summ etc..) >> > > I am having input drops all the time, no matter how high or low I set > the incoming hold-queue. > > The OSPF and IBGP interfaces approx. 30 minutes after I cleared the counters: > > TenGigabitEthernet8/1 is up, line protocol is up (connected) > ?Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0 > > TenGigabitEthernet9/1 is up, line protocol is up (connected) > ?Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0 > > TenGigabitEthernet9/2 is up, line protocol is up (connected) > ?Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0 > > > These links are not congested! Te9/1 is the busiest with maybe 6.5 out > of 10 Gig. The other two are below 5 Gig. > From koug at intracom.gr Wed Feb 10 14:05:28 2010 From: koug at intracom.gr (John Kougoulos) Date: Wed, 10 Feb 2010 21:05:28 +0200 (EET) Subject: [c-nsp] firewalling authenticated wireless traffic In-Reply-To: References: Message-ID: Hello, > User credentials are not cached, machine ones are - of course. I think windows caches users credentials, so that you can logon to a PC when there is no network connectivity. I really don't know how WPA2/802.1x uses domain authentication. Is it Kerberos enabled EAP? > They really would not have to go to this effort - they could just plug a > laptop into our network . 802.1x/NAC is not yet implemented internally. Understood, but they should get into a building to get access to your network, and I suppose there is someone in the entrance that will allow only employees to enter the building? And in any case, in order to attack your network, they will have to be somewhere inside your premises, risking to be caught in action. 
When they are using wireless they just need a good antenna.

> We do use Citrix SSL vpns for our app connectivity both internally and
> externally so there is no difference to the end user from a look and feel
> when they use a device and we do separate ssid/network for phones as well
> and it has acls restricting it to only the phone portion of network. There
> are a couple of options for Cisco wisms on where/how you do peer-to-peer
> blocking - we selected stopping it closest to client for the wireless PC
> devices.

I guess the SSL VPNs have proper authentication, so in this case you have to permit access only to these devices, instead of any->any.

So if you trust the SSL VPNs externally, and you allow access only there, I guess WPA2/802.1x/Domain doesn't really make a difference compared to an Internet user or no crypto on wireless, except perhaps for DoS protection, like DHCP pool exhaustion etc.

More or less we agree that you need crypto protection based on VPN technologies, and good authentication, so you treat a wireless user as if he was an Internet user. I don't see this solution as "just plug into network directly".

Obviously the main question here is what are you trying to protect? Your network/application/data, or just your Internet connection which a neighbor may use to download videos, music (which also might get you into trouble)?

Regards,
John

From gkg at gmx.de Wed Feb 10 14:06:25 2010
From: gkg at gmx.de (Garry)
Date: Wed, 10 Feb 2010 20:06:25 +0100
Subject: [c-nsp] Limiting DHCP on a Bridge Group
In-Reply-To: <01d101caaa7b$8855bca0$990135e0$@com>
References: <4B72F1D1.3080709@gmx.de> <01d101caaa7b$8855bca0$990135e0$@com>
Message-ID: <4B7303B1.6080406@gmx.de>

On 10.02.2010 19:04, David Prall wrote:
> Match protocol is nbar, I can never remember which require "ip nbar
> protocol-discovery" on the interface.

Tried it (put it in the bvi1 interface), still getting DHCP replies though .. recognition is working fine, though ...
dhcp 2 1 1180 352

The policy map/class seem to be attached to the BVI correctly, too:

T#show policy-map int BVI1

 Service-policy input: NODHCP

   Class-map: NODHCP (match-all)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: protocol dhcp
     Match: input-interface FastEthernet0
     drop
[..]
   Class-map: class-default (match-any)
     931 packets, 57159 bytes
     5 minute offered rate 1000 bps, drop rate 0 bps
     Match: any

Even added another class with input interface of VLAN1, still no success ... on the show policy-map command, none of the class-maps show any IP traffic, except for the default class ...

After setting up two separate classes to check for either an interface, or the protocol, it looks like the protocol part is working, while the interface match seems to fail ... adding both vlan1 and bvi1, I guess the class/policy map isn't able to differentiate the incoming interface anymore at that stage, as all the traffic is listed under BVI1, though the computer used to connect to the router at that point is connected to Fa0 ...:

   Class-map: test1 (match-any)
     81 packets, 4860 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: input-interface FastEthernet0
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface FastEthernet1
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface FastEthernet2
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface FastEthernet3
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface Vlan1
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface BVI1
       81 packets, 4860 bytes
       5 minute rate 0 bps

Any suggestion as to how to get around this? Maybe adding separate vlans to each port and binding them to the bridge group?

>
> Why not use an access-list denying dhcp
> deny udp any eq bootpc any eq bootps

Because I still need the DHCP to go through on the WLAN link?
Tnx, garry

From lukasz at bromirski.net Wed Feb 10 14:12:02 2010
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 10 Feb 2010 20:12:02 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk>
Message-ID: <4B730502.3020700@bromirski.net>

On 2010-02-10 19:44, Andy B. wrote:
> I am currently facing this strange behaviour once again. Nothing
> suspicious in terms of CPU:

Are you still running SXF15a? David's advice was already - move to SXI to stay out of trouble, as the SXF train is already EOS and will hit end of software maintenance by December 2011. If you need to stay on SXF, go to SXF17 and then try to troubleshoot.

My first guess is - have you had any problems with TCAMs overflowing in the past? If so, in the nearest service window reload the box, to clean up the cache and TCAM contents. I'm only guessing that's your problem, but mysterious drops on the traffic with no process hinting high RP/SP CPU may be the issue here.

As well as David noted - any errors/drops on the interfaces themselves. Any CoPP configured on the box? mls rate-limiters?

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end."
| http://lukasz.bromirski.net

From david.freedman at uk.clara.net Wed Feb 10 14:13:21 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 10 Feb 2010 19:13:21 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID: <4B730551.9070608@uk.clara.net>

Andy B. wrote:
> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman
> wrote:
>> So, are you checking your interfaces for incrementing drop/error counters?
>>
>> Are you seeing any of this when there is the problem occurring?
>> (clear counters, sh int summ etc.)
>>
>
> I am having input drops all the time, no matter how high or low I set
> the incoming hold-queue.
>
> The OSPF and IBGP interfaces approx. 30 minutes after I cleared the counters:
>
> TenGigabitEthernet8/1 is up, line protocol is up (connected)
> Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/1 is up, line protocol is up (connected)
> Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/2 is up, line protocol is up (connected)
> Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0
>
>
> These links are not congested! Te9/1 is the busiest with maybe 6.5 out
> of 10 Gig. The other two are below 5 Gig.

Are these supervisor ports or on a card (i.e. 6704/6708?)
Things I would check:

- That I understand 6704 has pathetically small per port buffers
- Hold queue input appropriate (for punt to MSFC), usually set to 4096 for these
- No IGP hello padding (if you have large MTU and pad then you must punt these big things)
- Check SPD headroom (show ip spd)
- The drops are not being reported on input due to lack of transmit buffer on output (i.e. to lower speed card), check traffic flows/pps to low speed interfaces and adjust buffers appropriately

Dave.

From dcp at dcptech.com Wed Feb 10 14:18:53 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 14:18:53 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk>
Message-ID: <01d601caaa85$e28b1b20$a7a15160$@com>

Andy,

By excluding 0.00 you're excluding those that have had 0.00 anywhere in the time list. Just use sort and look at the top few. Although most likely the same.

If you have a number of large Ethernet subnets with few systems on them, then "sh ip arp" will contain a number of incompletes. If it is the entire subnet filled with incompletes then someone is looking for all of your systems and is most likely doing a ping sweep, then enabling "mls rate-limit unicast cef glean" will be worthwhile. These are both Adj Manager and ARP Input I believe.

The other one is if you've run out of TCAM space, because you're over the limits with the number of routes you have.
Don't know if you're running an XL or not. CPU doesn't look out of order currently. Need to capture it ongoing to see what process is pushing it to 24%, and even then it should still be forwarding traffic. You might need to look at the DFC's as well, to see if one is having issues: Remote command module X sh proc cpu sort David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Andy B. > Sent: Wednesday, February 10, 2010 1:44 PM > To: Phil Mayers > Cc: nsp-cisco > Subject: Re: [c-nsp] Best practice - Core vs Access Router > > I am currently facing this strange behaviour once again. Nothing > suspicious in terms of CPU: > > #sh proc cpu sort | ex 0.00 > CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: > 23% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 123 823552748 891845755 923 1.35% 1.32% 1.24% 0 IP Input > 142 42990360 548209142 78 0.63% 0.15% 0.06% 0 IP SNMP > 176 81597832 313530395 260 0.63% 0.20% 0.12% 0 SNMP > ENGINE > 286 95557652 68837887 1388 0.31% 4.77% 4.27% 0 BGP > Router > 46 8724 6895 1265 0.31% 0.33% 0.24% 2 SSH > Process > 169 98755140 5844411 16897 0.31% 0.31% 0.31% 0 Adj > Manager > 9 92740444 222352412 417 0.23% 0.40% 0.41% 0 ARP > Input > 320 20411156 140247526 145 0.15% 1.64% 1.57% 0 BGP I/O > 180 64470940 51288798 1257 0.15% 0.58% 0.44% 0 CEF > process > 167 27190044 390437731 69 0.15% 0.12% 0.10% 0 IPv6 > Input > > #remote command switch sh proc cpu sort | ex 0.00 > CPU utilization for five seconds: 10%/0%; one minute: 14%; five > minutes: 20% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 102 577414400 14603714 39539 5.19% 2.76% 2.58% 0 Vlan > Statistics > 42 11702922242664309865 0 3.91% 3.83% 3.87% 0 slcp > process > 257 79620728 46604862 1708 0.23% 1.31% 0.92% 0 CEF > process > 152 24224440 35123075 689 0.15% 0.08% 0.07% 0 CEF LC > Stats > 33 29231032 224654615 130 0.15% 0.08% 
0.07% 0 SCP > Download Lis > 131 39865856 1338254 29789 0.07% 0.08% 0.11% 0 TCAM > Manager pro > 127 37865260 135955648 278 0.07% 0.07% 0.07% 0 Spanning > Tree > 187 12366092 3103775 3984 0.07% 0.04% 0.05% 0 v6fib > stat colle > 239 11888108 8600338 1382 0.07% 0.04% 0.03% 0 LTL MGR > cc > > Packet loss to the router (nothing behind it) is around 25%. > And still loosing random BGP and OSPF sessions. SNMP graphs are not > being generated either. > > Currently feeling quite desperate, because I have no clue where to look > next... > > Andy > > On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers > wrote: > > On 09/02/10 17:39, Church, Charles wrote: > >> > >> I was going by the 'show proc cpu hist' he gave for both the SP and > RP. > >> Both looked pretty bad across the board. > > > > His graphs don't look that dis-similar to mine, and we have no such > > problems. The peak/avg CPU don't look so unreasonable to me given the > load > > and setup he's described. > > > > To summarise in this thread, it has been suggested: > > > > ?1. Netflow is the problem - to which the OP said he's already tried > > disabling it > > > > ?2. CPU punts, specifically gleans, are the problem - in which case > CoPP or > > MLS rate limiters can be tried, but the OP really IMHO needs to > confirm this > > with a span of the CPU > > > > ?3. The 6500 is just no good buy a juniper or asr1k (!) which I > strongly > > dispute. It may be awkward and have odd limits, but it OUGHT TO > HANDLE the > > load we've been told about; therefore something is wrong > > > > ...and lots more besides. I'm exhausted from following the thread, > but my > > advice to the OP is to determine what is hitting the CPU *during an > outage*, > > then proceed from there. > > > > I'm going to stop reading now. 
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From dcp at dcptech.com Wed Feb 10 14:22:30 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 14:22:30 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID: <01d701caaa86$64041850$2c0c48f0$@com>

Your drops and flushes counts are the same. A flush is a control plane packet that is pushed to the CPU even though the input queue was filled. I don't believe these two numbers should be the same unless all of the input queue was filled with these packets.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Andy B.
> Sent: Wednesday, February 10, 2010 2:01 PM
> To: David Freedman
> Cc: nsp-cisco
> Subject: Re: [c-nsp] Best practice - Core vs Access Router
>
> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman
> wrote:
> > So, are you checking your interfaces for incrementing drop/error
> counters?
> >
> > Are you seeing any of this when there is the problem occurring?
> > (clear counters, sh int summ etc.)
> >
>
> I am having input drops all the time, no matter how high or low I set
> the incoming hold-queue.
>
> The OSPF and IBGP interfaces approx.
30 minutes after I cleared the > counters: > > TenGigabitEthernet8/1 is up, line protocol is up (connected) > Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output > drops: 0 > > TenGigabitEthernet9/1 is up, line protocol is up (connected) > Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output > drops: 0 > > TenGigabitEthernet9/2 is up, line protocol is up (connected) > Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output > drops: 0 > > > These links are not congested! Te9/1 is the busiest with maybe 6.5 out > of 10 Gig. The other two are below 5 Gig. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From david.freedman at uk.clara.net Wed Feb 10 14:25:31 2010 From: david.freedman at uk.clara.net (David Freedman) Date: Wed, 10 Feb 2010 19:25:31 +0000 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <01d701caaa86$64041850$2c0c48f0$@com> References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <01d701caaa86$64041850$2c0c48f0$@com> Message-ID: <4B73082B.3010909@uk.clara.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Prall wrote: > Your drops and flushes counts are the same. All his drops are flushes, you usually see this when the system and SPD can't deal I believe, would be interested if the system buffers for the control plane are getting misses or creation churn (sh buff) Dave. A flush is a control plane > packet that pushed to CPU even though the input queue was filled. 
I don't > believe these two numbers should be the same unless all of the input queue > was filled with these packets. > > David > > -- > http://dcp.dcptech.com > > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Andy B. >> Sent: Wednesday, February 10, 2010 2:01 PM >> To: David Freedman >> Cc: nsp-cisco >> Subject: Re: [c-nsp] Best practice - Core vs Access Router >> >> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman >> wrote: >>> So, are you checking your interfaces for incrementing drop/error >> counters? >>> Are you seeing any of this when there is the problem occuring? >>> (clear counters , sh int summ etc..) >>> >> I am having input drops all the time, no matter how high or low I set >> the incoming hold-queue. >> >> The OSPF and IBGP interfaces approx. 30 minutes after I cleared the >> counters: >> >> TenGigabitEthernet8/1 is up, line protocol is up (connected) >> Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output >> drops: 0 >> >> TenGigabitEthernet9/1 is up, line protocol is up (connected) >> Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output >> drops: 0 >> >> TenGigabitEthernet9/2 is up, line protocol is up (connected) >> Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output >> drops: 0 >> >> >> These links are not congested! Te9/1 is the busiest with maybe 6.5 out >> of 10 Gig. The other two are below 5 Gig. 
>> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktzCCsACgkQtFWeqpgEZrI6ggCgtHrGhYMz78ldFns2Ord5uuBX H2MAn1O+MGZGkkr3pPRMDrh3EsJDNBLp =qE7B -----END PGP SIGNATURE----- From globichen at gmail.com Wed Feb 10 14:28:00 2010 From: globichen at gmail.com (Andy B.) Date: Wed, 10 Feb 2010 20:28:00 +0100 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <4B730551.9070608@uk.clara.net> References: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <4B730551.9070608@uk.clara.net> Message-ID: On Wed, Feb 10, 2010 at 8:13 PM, David Freedman wrote: > - - Hold queue input appropriate (for punt to MSFC), usually set to 4096 > for these I moved from 75 to 2000 yesterday and then tried 4096. The results were more or less the same. > - - No IGP hello padding (if you have large MTU and pad then you must punt > these big things MTU is 1500 on all my interfaces throughout the entire backbone. > - - Check SPD headroom (show ip spd) #show ip spd Current mode: normal. Queue min/max thresholds: 73/74, Headroom: 100, Extended Headroom: 10 IP normal queue: 1, priority queue: 0. SPD special drop mode: none > - - The drops are not being reported on input due to lack of transmit > buffer on output (i.e to lower speed card), check traffic flows/pps to > low speed interfaces and adjust buffers appropriately Can you explain this further? Andy From globichen at gmail.com Wed Feb 10 14:29:04 2010 From: globichen at gmail.com (Andy B.) 
Date: Wed, 10 Feb 2010 20:29:04 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B73082B.3010909@uk.clara.net>
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <01d701caaa86$64041850$2c0c48f0$@com> <4B73082B.3010909@uk.clara.net>
Message-ID:

On Wed, Feb 10, 2010 at 8:25 PM, David Freedman wrote:
>
> David Prall wrote:
>> Your drops and flushes counts are the same.
>
> All his drops are flushes, you usually see this when the system and SPD
> can't deal I believe, would be interested if the system buffers for the
> control plane are getting misses or creation churn (sh buff)

#sh buf
Buffer elements:
     11983 in free list (500 max allowed)
     2127613198 hits, 0 misses, 11500 created

Public buffer pools:
Small buffers, 104 bytes (total 1024, permanent 1024, peak 9446 @ 7w0d):
     978 in free list (128 min, 2048 max allowed)
     2986617305 hits, 7649 misses, 9639 trims, 9639 created
     0 failures (0 no memory)
Medium buffers, 256 bytes (total 3000, permanent 3000):
     2992 in free list (64 min, 3000 max allowed)
     505691343 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 512, permanent 512):
     511 in free list (64 min, 1024 max allowed)
     267289397 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
Big buffers, 1536 bytes (total 1000, permanent 1000):
     999 in free list (64 min, 1000 max allowed)
     1211957882 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 10, permanent 10):
     10 in free list (0 min, 100 max allowed)
     561291 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
Large buffers, 9240 bytes (total 8, permanent 8):
     8 in free list (0 min, 10 max allowed)
     21723 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
Huge buffers, 18024 bytes (total 2, permanent 2, peak 11 @ 7w0d):
     2 in free list (0 min, 4 max allowed)
     637239 hits, 176 misses, 352 trims, 352 created
     0 failures (0 no memory)

Interface buffer pools:
EOBC0/0 buffers, 1524 bytes (total 2400, permanent 2400):
     923 in free list (0 min, 2400 max allowed)
     1477 hits, 0 fallbacks
     1200 max cache size, 956 in cache
     1707029856 hits in cache, 277 misses in cache
IPC buffers, 4096 bytes (total 672, permanent 672):
     609 in free list (224 min, 2240 max allowed)
     25575465 hits, 0 fallbacks, 0 trims, 0 created
     0 failures (0 no memory)
Private Huge IPC buffers, 18024 bytes (total 2, permanent 2):
     2 in free list (1 min, 4 max allowed)
     0 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
Private Huge buffers, 65280 bytes (total 2, permanent 2):
     2 in free list (1 min, 4 max allowed)
     3806 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)

Header pools:

From dcp at dcptech.com Wed Feb 10 14:30:51 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 14:30:51 -0500
Subject: [c-nsp] Limiting DHCP on a Bridge Group
In-Reply-To: <4B7303B1.6080406@gmx.de>
References: <4B72F1D1.3080709@gmx.de> <01d101caaa7b$8855bca0$990135e0$@com> <4B7303B1.6080406@gmx.de>
Message-ID: <01d801caaa87$8e813620$ab83a260$@com>

I think the match interface is looking at where the policy is assigned. I
know the policy isn't supported on the physical interfaces. I have to do all
my QoS on fa4 inbound.

Why not place an acl on the vlan interface for the wired ports. Not sure if
it would be hit first, or if the bvi would capture it.

Moved to an 881 at home, so I don't have my 871W anymore.
David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: Garry [mailto:gkg at gmx.de]
> Sent: Wednesday, February 10, 2010 2:06 PM
> To: c-nsp
> Cc: David Prall
> Subject: Re: [c-nsp] Limiting DHCP on a Bridge Group
>
> On 10.02.2010 19:04, David Prall wrote:
> > Match protocol is nbar, I can never remember which require "ip nbar
> > protocol-discovery" on the interface.
>
> Tried it (put it in the bvi1 interface), still getting DHCP replies
> though .. recognition is working fine, though ...
>
> dhcp 2 1
> 1180 352
>
> The policy map/class seem to be attached to the BVI correctly, too:
>
> T#show policy-map int
>  BVI1
>
>   Service-policy input: NODHCP
>
>     Class-map: NODHCP (match-all)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: protocol dhcp
>       Match: input-interface FastEthernet0
>       drop
> [..]
>     Class-map: class-default (match-any)
>       931 packets, 57159 bytes
>       5 minute offered rate 1000 bps, drop rate 0 bps
>       Match: any
>
> Even added another class with input interface of VLAN1, still no success
> ... on the show policy-map command, none of the class-maps show any IP
> traffic, except for the default class ...
>
> After setting up two separate classes to check for either an interface,
> or the protocol, it looks like the protocol part is working, while the
> interface match seems to fail ... adding both vlan1 and bvi1, I guess
> the class/policy map isn't able to differentiate the incoming interface
> anymore at that stage, as all the traffic is listed under BVI1, though
> the computer used to connect to the router at that point is connected
> to Fa0 ...:
>
>     Class-map: test1 (match-any)
>       81 packets, 4860 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: input-interface FastEthernet0
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface FastEthernet1
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface FastEthernet2
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface FastEthernet3
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface Vlan1
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface BVI1
>         81 packets, 4860 bytes
>         5 minute rate 0 bps
>
> Any suggestion as to how to get around this? Maybe adding separate vlans
> to each port and binding them to the bridge group?
>
> > Why not use an access-list denying dhcp
> > deny udp any eq bootpc any eq bootps
>
> Because I still need the DHCP to go through on the WLAN link?
>
> Tnx, garry

From gkg at gmx.de Wed Feb 10 14:38:46 2010
From: gkg at gmx.de (Garry)
Date: Wed, 10 Feb 2010 20:38:46 +0100
Subject: [c-nsp] Limiting DHCP on a Bridge Group
In-Reply-To: <01d801caaa87$8e813620$ab83a260$@com>
References: <4B72F1D1.3080709@gmx.de> <01d101caaa7b$8855bca0$990135e0$@com> <4B7303B1.6080406@gmx.de> <01d801caaa87$8e813620$ab83a260$@com>
Message-ID: <4B730B46.8040600@gmx.de>

On 10.02.2010 20:30, David Prall wrote:
> I think the match interface is looking at where the policy is assigned. I
> know the policy isn't supported on the physical interfaces. I have to do all
> my QoS on fa4 inbound.
>
> Why not place an acl on the vlan interface for the wired ports. Not sure if
> it would be hit first, or if the bvi would capture it.

I reckon it ends up in the BVI, as adding the access-list to vlan1 ends
up with no hits, while adding the same to the BVI increases the hit
counter correctly, and dhcp requests are blocked ... but BVI won't help
as it would also block the requests on wlan ...

From dcp at dcptech.com Wed Feb 10 14:46:35 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 14:46:35 -0500
Subject: [c-nsp] Limiting DHCP on a Bridge Group
In-Reply-To: <4B730B46.8040600@gmx.de>
References: <4B72F1D1.3080709@gmx.de> <01d101caaa7b$8855bca0$990135e0$@com> <4B7303B1.6080406@gmx.de> <01d801caaa87$8e813620$ab83a260$@com> <4B730B46.8040600@gmx.de>
Message-ID: <01d901caaa89$c1335a10$439a0e30$@com>

Garry,
Wondering if you could do the wireless and vlan1 as unnumbered to a
loopback. Then they are two distinct interfaces, on the same subnet. Or
could always split the subnet into two distinct /25's instead of a single
/24.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: Garry [mailto:gkg at gmx.de]
> Sent: Wednesday, February 10, 2010 2:39 PM
> To: David Prall
> Cc: 'c-nsp'
> Subject: Re: [c-nsp] Limiting DHCP on a Bridge Group
>
> On 10.02.2010 20:30, David Prall wrote:
> > I think the match interface is looking at where the policy is assigned. I
> > know the policy isn't supported on the physical interfaces. I have to do all
> > my QoS on fa4 inbound.
> >
> > Why not place an acl on the vlan interface for the wired ports. Not sure if
> > it would be hit first, or if the bvi would capture it.
>
> I reckon it ends up in the BVI, as adding the access-list to vlan1 ends
> up with no hits, while adding the same to the BVI increases the hit
> counter correctly, and dhcp requests are blocked ... but BVI won't help
> as it would also block the requests on wlan ...
From tvarriale at comcast.net Wed Feb 10 14:51:36 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 10 Feb 2010 13:51:36 -0600
Subject: [c-nsp] Best practice - Core vs Access Router
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID: <338E7BE4EDEC45CBA8D1D136DF6ACDB0@flamdt01>

show ip traffic? Anything incrementing in there by a significant amount?

How fast do your drops/flushes increment?

I assume these are 6704s without DFCs? If not, what are those ports?

tv

----- Original Message -----
From: "Andy B."
To: "David Freedman"
Cc: "nsp-cisco"
Sent: Wednesday, February 10, 2010 1:00 PM
Subject: Re: [c-nsp] Best practice - Core vs Access Router

> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman wrote:
>> So, are you checking your interfaces for incrementing drop/error
>> counters?
>>
>> Are you seeing any of this when there is the problem occurring?
>> (clear counters , sh int summ etc..)
>>
>
> I am having input drops all the time, no matter how high or low I set
> the incoming hold-queue.
>
> The OSPF and IBGP interfaces approx. 30 minutes after I cleared the
> counters:
>
> TenGigabitEthernet8/1 is up, line protocol is up (connected)
> Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/1 is up, line protocol is up (connected)
> Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/2 is up, line protocol is up (connected)
> Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0
>
>
> These links are not congested! Te9/1 is the busiest with maybe 6.5 out
> of 10 Gig. The other two are below 5 Gig.

From ck at sandcastl.es Wed Feb 10 15:02:29 2010
From: ck at sandcastl.es (ck)
Date: Wed, 10 Feb 2010 12:02:29 -0800
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com> <01a101caaa66$cf5f5d00$6e1e1700$@com> <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>
Message-ID: <8c308e8b1002101202y6bfa204eo9fa618dabaad2dc2@mail.gmail.com>

i wouldn't waste money or time on an ace, you could easily get away with
using haproxy or pound

On Wed, Feb 10, 2010 at 8:20 AM, Matthew Huff wrote:
> Yes, it looks like IOS SLB is only available on the 6500/7600. Too bad.
> This is for straight reverse-proxy web caches for Oracle WebCache so it uses
> http/https. We may have to purchase an ACE appliance. Anyone have any
> suggestions for a turnkey (not linux server based, etc) appliance that does
> http/https load balancing? Something as simple and cheap as possible.
>
>
>
> ----
> Matthew Huff | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com | Phone: 914-460-4039
> aim: matthewbhuff | Fax: 914-460-4139
>
>
>
> > -----Original Message-----
> > From: David Prall [mailto:dcp at dcptech.com]
> > Sent: Wednesday, February 10, 2010 10:36 AM
> > To: Matthew Huff; 'cisco-nsp'
> > Subject: RE: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> >
> > IOS SLB is on the 6500 and 7200. Not on the 3560-E / 3750-E.
> >
> > Could always use Anycast via a loopback on the servers and let CEF ECMP take
> > care of it. But this is typically only done for UDP applications. Not sure
> > if EOT is on the 3560-E for Static Routes, or you could use BGP from the
> > servers.
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Huff
> > > Sent: Wednesday, February 10, 2010 10:14 AM
> > > To: 'cisco-nsp (cisco-nsp at puck.nether.net)'
> > > Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> > >
> > > With IP services on a 3560-E, is it possible to do server load
> > > balancing? If so, any caveats that I should be aware of? We just need
> > > to front end two web servers (oracle identity management) for http and
> > > https (no ssl offloading needed). I hate to have to buy an ACE just for
> > > these two servers
> > >
> > > ----
> > > Matthew Huff | One Manhattanville Rd
> > > OTA Management LLC | Purchase, NY 10577
> > > http://www.ox.com | Phone: 914-460-4039
> > > aim: matthewbhuff | Fax: 914-460-4139
> > >
> >
>

From Joel.Snyder at Opus1.COM Wed Feb 10 14:32:15 2010
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Wed, 10 Feb 2010 12:32:15 -0700
Subject: [c-nsp] firewalling authenticated wireless traffic
In-Reply-To:
References:
Message-ID: <4B7309BF.4000403@opus1.com>

>>> My thought is that our wireless traffic is likely more secure than our
>> plain wired networks - at this point without 802.1x on lan.
>
> So I think you are in agreement it is ok to just plug into network directly

Well, I wouldn't agree with that.

(Of course, this is the famously "we don't need no stinkin' firewalls" list,
but you're NOT really asking a Cisco-NSP question here--these guys are ISP BGP
wonks for the most part)

Your logic is, to me, pretty flawed: you're saying, in effect, "we have failed
to implement good security on our wired LAN, so this is an excuse to not apply
any additional security to our wireless LAN." I'd disagree with that on general
principles, especially since your LAN security posture may change in the future
and then where will your wireless be?

I agree with Phil Mayers who said they use a similar approach because it lets
them drop in firewall rules at any moment, which is a great idea. But this is
not, to me, an excuse to have completely unfettered access when you do have the
opportunity to "clean up" the traffic a little.

I also think that the point John Kougoulos made of a stolen laptop, or
stolen/borrowed credentials making you an easy target (whether intentional or
unintentional--consider the infected consultant who borrows a staffer's
credentials) is one you should heed.

Obvious examples: by definition, does every single wireless user have a
legitimate business need to get to every part of your network? If not, block
those subnets, things that they would not normally be hitting directly (printer
& VoIP vlans are obvious candidates, but other pieces may also be right
depending on how your network is segmented).

By definition, does every single wireless user have a legitimate business need
to send all ports outbound? If not, block those ports proactively. Obvious
trouble spots are SMTP--perhaps you want to destination NAT all SMTP to your
anti-spam/anti-virus gateway, or block it except to official mail servers. But
you could also proactively block known infection vectors--destination ports
such as SQL Slammer's UDP attack.

If wireless users are not domain-connected, then they probably also do not need
Windows file sharing, a HUGE known vector for malware to spread, another good
block candidate.

It all depends on how you use the wireless and how much you use the wireless.
If it's an either/or proposition for users---they are not supposed to care
whether they're on Wi-Fi or wired---then a more lenient policy is appropriate.
If wireless is more 'exceptional' use and people aren't expected to be working
full-tilt there, then a much more aggressive filtering is appropriate.

I would also ALWAYS put UTM features such as anti-malware and, more importantly,
IPS, on that firewall between the Wi-Fi and the LAN; there is no better and
simpler way to catch early attacks than by deploying cheap and simple
protections at such choke points. (I am carefully biting my tongue here and not
saying that you must upgrade your firewall to one that has UTM features, but
you might read that in the subtext...)

In any case, taking NO precautions (except a firewall with no rules) is
probably too lenient. Certainly, if I were auditing you, I'd say that you
missed a great opportunity to add a small amount of control that can save you a
large amount of headache while costing you almost nothing.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms at Opus1.COM http://www.opus1.com/jms

From lsawyer at gci.com Wed Feb 10 15:03:37 2010
From: lsawyer at gci.com (Leif Sawyer)
Date: Wed, 10 Feb 2010 11:03:37 -0900
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <01d601caaa85$e28b1b20$a7a15160$@com>
Message-ID: <18B2C6E38A3A324986B392B2D18ABC511C2C37@fnb1mbx01.gci.com>

Here's some of my common aliases. top is the one that you'll probably use

!# Global Aliases (should work on all platforms
!
alias exec ifsum sho int sum | incl ^\*|Interface|: |------

alias exec sib show ip interface brief | exclude (down|unass)
alias exec sid show interface description | exclude (admin|unass)

alias exec top sho proc cpu sort 5sec | excl 0.00% 0.00% 0.00%

alias exec ip6 show ipv6

!# Cisco 3750 series, for qos asic monitoring
# the next line will wrap, so replace underscores with spaces
alias_exec_drops_show_platform_port-asic_stats_drop_|_excl_((e|s|:)_0|=|_Que|Statistics|Frames|^$)
privilege exec level 1 show platform port-asic stats drop

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Prall
> Sent: Wednesday, February 10, 2010 10:19 AM
> To: 'Andy B.'; 'Phil Mayers'
> Cc: 'nsp-cisco'
> Subject: Re: [c-nsp] Best practice - Core vs Access Router
>
> Andy,
> By excluding 0.00 you're excluding those that have had 0.00
> anywhere in the time list. Just use sort and look at the top
> few. Although most likely the same.
>
> If you have a number of large Ethernet subnets with few
> systems on them, then "sh ip arp" will contain a number of
> incompletes. If it is the entire subnet filled with
> incompletes then someone is looking for all of your systems
> and is most likely doing a ping sweep, then enabling "mls
> rate-limit unicast cef glean" will be worthwhile. These are
> both Adj Manager and ARP Input I believe.
>
> The other one is if you've run out of TCAM space, because
> you're over the limits with the number of routes you have.
> Don't know if you're running an XL or not.
>
> CPU doesn't look out of order currently. Need to capture it
> ongoing to see what process is pushing it to 24%, and even
> then it should still be forwarding traffic.
>
> You might need to look at the DFC's as well, to see if one is
> having issues:
> Remote command module X sh proc cpu sort
>
> David
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
> > Sent: Wednesday, February 10, 2010 1:44 PM
> > To: Phil Mayers
> > Cc: nsp-cisco
> > Subject: Re: [c-nsp] Best practice - Core vs Access Router
> >
> > I am currently facing this strange behaviour once again. Nothing
> > suspicious in terms of CPU:
> >
> > #sh proc cpu sort | ex 0.00
> > CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23%
> > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> > 123 823552748 891845755 923 1.35% 1.32% 1.24% 0 IP Input
> > 142 42990360 548209142 78 0.63% 0.15% 0.06% 0 IP SNMP
> > 176 81597832 313530395 260 0.63% 0.20% 0.12% 0 SNMP ENGINE
> > 286 95557652 68837887 1388 0.31% 4.77% 4.27% 0 BGP Router
> > 46 8724 6895 1265 0.31% 0.33% 0.24% 2 SSH Process
> > 169 98755140 5844411 16897 0.31% 0.31% 0.31% 0 Adj Manager
> > 9 92740444 222352412 417 0.23% 0.40% 0.41% 0 ARP Input
> > 320 20411156 140247526 145 0.15% 1.64% 1.57% 0 BGP I/O
> > 180 64470940 51288798 1257 0.15% 0.58% 0.44% 0 CEF process
> > 167 27190044 390437731 69 0.15% 0.12% 0.10% 0 IPv6 Input
> >
> > #remote command switch sh proc cpu sort | ex 0.00
> > CPU utilization for five seconds: 10%/0%; one minute: 14%; five minutes: 20%
> > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> > 102 577414400 14603714 39539 5.19% 2.76% 2.58% 0 Vlan Statistics
> > 42 11702922242664309865 0 3.91% 3.83% 3.87% 0 slcp process
> > 257 79620728 46604862 1708 0.23% 1.31% 0.92% 0 CEF process
> > 152 24224440 35123075 689 0.15% 0.08% 0.07% 0 CEF LC Stats
> > 33 29231032 224654615 130 0.15% 0.08% 0.07% 0 SCP Download Lis
> > 131 39865856 1338254 29789 0.07% 0.08% 0.11% 0 TCAM Manager pro
> > 127 37865260 135955648 278 0.07% 0.07% 0.07% 0 Spanning Tree
> > 187 12366092 3103775 3984 0.07% 0.04% 0.05% 0 v6fib stat colle
> > 239 11888108 8600338 1382 0.07% 0.04% 0.03% 0 LTL MGR cc
> >
> > Packet loss to the router (nothing behind it) is around 25%.
> > And still losing random BGP and OSPF sessions. SNMP graphs are not
> > being generated either.
> >
> > Currently feeling quite desperate, because I have no clue where to
> > look next...
> >
> > Andy
> >
> > On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers wrote:
> > > On 09/02/10 17:39, Church, Charles wrote:
> > >>
> > >> I was going by the 'show proc cpu hist' he gave for both the SP and RP.
> > >> Both looked pretty bad across the board.
> > >
> > > His graphs don't look that dissimilar to mine, and we have no such
> > > problems. The peak/avg CPU don't look so unreasonable to me given
> > > the load and setup he's described.
> > >
> > > To summarise in this thread, it has been suggested:
> > >
> > > 1. Netflow is the problem - to which the OP said he's already tried
> > > disabling it
> > >
> > > 2. CPU punts, specifically gleans, are the problem - in which case
> > > CoPP or MLS rate limiters can be tried, but the OP really IMHO needs to
> > > confirm this with a span of the CPU
> > >
> > > 3. The 6500 is just no good, buy a juniper or asr1k (!) which I
> > > strongly dispute. It may be awkward and have odd limits, but it OUGHT TO
> > > HANDLE the load we've been told about; therefore something is wrong
> > >
> > > ...and lots more besides. I'm exhausted from following the thread,
> > > but my advice to the OP is to determine what is hitting the CPU
> > > *during an outage*, then proceed from there.
> > >
> > > I'm going to stop reading now.
> > >
> >
>

From jeff-kell at utc.edu Wed Feb 10 16:41:49 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 10 Feb 2010 16:41:49 -0500
Subject: [c-nsp] VRFs and redirect cache...
Message-ID: <4B73281D.9060401@utc.edu>

In the process of chasing down an odd problem earlier this week, I ran up
against a grey cloud perhaps someone can clarify.

We had moved an internal NTP-configured interface (loopback) that some of
our gear was configured to use as a reference server. The disappearance of
the /32 route led to taking a default route, which in our topology generated
a redirect to another gateway (FWSM) which was then denying the connections.

Tracking back to the switches in question and "show ip redirect" indicated
the cached redirect information. "clear ip redirect" removed the problem.

But there seems to be only one "redirect cache", that's not a VRF-aware
thing on the Catalysts. Are redirects only done by the global VRF? What's
up with that?

I can disable redirects and avoid the issue (at some extra-hop cost when
forwarding to a non-routing ASA that can't announce a default route), but
curious how redirects are handled in a multi-VRF scenario.
Jeff

From jasonleblanc at gmail.com Wed Feb 10 16:55:13 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Wed, 10 Feb 2010 14:55:13 -0700
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <18B2C6E38A3A324986B392B2D18ABC511C2C37@fnb1mbx01.gci.com>
References: <18B2C6E38A3A324986B392B2D18ABC511C2C37@fnb1mbx01.gci.com>
Message-ID: <0487446D-8BC0-4A84-B05B-07B8B28439CB@gmail.com>

These are great! Thanks Leif

On Feb 10, 2010, at 1:03 PM, Leif Sawyer wrote:

> Here's some of my common aliases. top is the one that you'll probably use
>
> !# Global Aliases (should work on all platforms)
> !
> alias exec ifsum sho int sum | incl ^\*|Interface|: |------
>
> alias exec sib show ip interface brief | exclude (down|unass)
> alias exec sid show interface description | exclude (admin|unass)
>
> alias exec top sho proc cpu sort 5sec | excl 0.00% 0.00% 0.00%
>
> alias exec ip6 show ipv6
>
> !# Cisco 3750 series, for qos asic monitoring
> # the next line will wrap, so replace underscores with spaces
> alias_exec_drops_show_platform_port-asic_stats_drop_|_excl_((e|s|:)_0|=|_Que|Statistics|Frames|^$)
> privilege exec level 1 show platform port-asic stats drop
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Prall
>> Sent: Wednesday, February 10, 2010 10:19 AM
>> To: 'Andy B.'; 'Phil Mayers'
>> Cc: 'nsp-cisco'
>> Subject: Re: [c-nsp] Best practice - Core vs Access Router
>>
>> Andy,
>> By excluding 0.00 you're excluding those that have had 0.00 anywhere in the time list. Just use sort and look at the top few. Although most likely the same.
>>
>> If you have a number of large Ethernet subnets with few systems on them, then "sh ip arp" will contain a number of incompletes. If it is the entire subnet filled with incompletes then someone is looking for all of your systems and is most likely doing a ping sweep, then enabling "mls rate-limit unicast cef glean" will be worthwhile. These are both Adj Manager and ARP Input I believe.
>>
>> The other one is if you've run out of TCAM space, because you're over the limits with the number of routes you have. Don't know if you're running an XL or not.
>>
>> CPU doesn't look out of order currently. Need to capture it ongoing to see what process is pushing it to 24%, and even then it should still be forwarding traffic.
>>
>> You might need to look at the DFCs as well, to see if one is having issues:
>> Remote command module X sh proc cpu sort
>>
>> David
>>
>> --
>> http://dcp.dcptech.com
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
>>> Sent: Wednesday, February 10, 2010 1:44 PM
>>> To: Phil Mayers
>>> Cc: nsp-cisco
>>> Subject: Re: [c-nsp] Best practice - Core vs Access Router
>>>
>>> I am currently facing this strange behaviour once again. Nothing suspicious in terms of CPU:
>>>
>>> #sh proc cpu sort | ex 0.00
>>> CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23%
>>>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>>>  123   823552748 891845755    923  1.35%  1.32%  1.24%   0 IP Input
>>>  142    42990360 548209142     78  0.63%  0.15%  0.06%   0 IP SNMP
>>>  176    81597832 313530395    260  0.63%  0.20%  0.12%   0 SNMP ENGINE
>>>  286    95557652  68837887   1388  0.31%  4.77%  4.27%   0 BGP Router
>>>   46        8724      6895   1265  0.31%  0.33%  0.24%   2 SSH Process
>>>  169    98755140   5844411  16897  0.31%  0.31%  0.31%   0 Adj Manager
>>>    9    92740444 222352412    417  0.23%  0.40%  0.41%   0 ARP Input
>>>  320    20411156 140247526    145  0.15%  1.64%  1.57%   0 BGP I/O
>>>  180    64470940  51288798   1257  0.15%  0.58%  0.44%   0 CEF process
>>>  167    27190044 390437731     69  0.15%  0.12%  0.10%   0 IPv6 Input
>>>
>>> #remote command switch sh proc cpu sort | ex 0.00
>>> CPU utilization for five seconds: 10%/0%; one minute: 14%; five minutes: 20%
>>>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>>>  102   577414400  14603714  39539  5.19%  2.76%  2.58%   0 Vlan Statistics
>>>   42 11702922242664309865      0  3.91%  3.83%  3.87%   0 slcp process
>>>  257    79620728  46604862   1708  0.23%  1.31%  0.92%   0 CEF process
>>>  152    24224440  35123075    689  0.15%  0.08%  0.07%   0 CEF LC Stats
>>>   33    29231032 224654615    130  0.15%  0.08%  0.07%   0 SCP Download Lis
>>>  131    39865856   1338254  29789  0.07%  0.08%  0.11%   0 TCAM Manager pro
>>>  127    37865260 135955648    278  0.07%  0.07%  0.07%   0 Spanning Tree
>>>  187    12366092   3103775   3984  0.07%  0.04%  0.05%   0 v6fib stat colle
>>>  239    11888108   8600338   1382  0.07%  0.04%  0.03%   0 LTL MGR cc
>>>
>>> Packet loss to the router (nothing behind it) is around 25%. And still losing random BGP and OSPF sessions. SNMP graphs are not being generated either.
>>>
>>> Currently feeling quite desperate, because I have no clue where to look next...
>>>
>>> Andy
>>>
>>> On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers wrote:
>>>> On 09/02/10 17:39, Church, Charles wrote:
>>>>>
>>>>> I was going by the 'show proc cpu hist' he gave for both the SP and RP. Both looked pretty bad across the board.
>>>>
>>>> His graphs don't look that dissimilar to mine, and we have no such problems. The peak/avg CPU don't look so unreasonable to me given the load and setup he's described.
>>>>
>>>> To summarise in this thread, it has been suggested:
>>>>
>>>> 1. Netflow is the problem - to which the OP said he's already tried disabling it
>>>>
>>>> 2. CPU punts, specifically gleans, are the problem - in which case CoPP or MLS rate limiters can be tried, but the OP really IMHO needs to confirm this with a span of the CPU
>>>>
>>>> 3. The 6500 is just no good buy a juniper or asr1k (!) which I strongly dispute. It may be awkward and have odd limits, but it OUGHT TO HANDLE the load we've been told about; therefore something is wrong
>>>>
>>>> ...and lots more besides. I'm exhausted from following the thread, but my advice to the OP is to determine what is hitting the CPU *during an outage*, then proceed from there.
>>>>
>>>> I'm going to stop reading now.

From amsoares at netcabo.pt Wed Feb 10 18:05:55 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 10 Feb 2010 23:05:55 -0000
Subject: [c-nsp] WebVPN Issue
In-Reply-To: <003201caaaa1$0a9c4330$1fd4c990$@com>
References: <228953D7-1A44-4DF5-81D2-8EA1A6F3BDD4@iementor.com> <6D6176D9927649BDA2E3133781A145AF@int.convex.pt> <003201caaaa1$0a9c4330$1fd4c990$@com>
Message-ID: <1F027770303D4744BEA139DB10180A57@int.convex.pt>

The session of the 1st user remains up and the vpn routes are there. But in the router the route back to the user is removed. So in the user's perspective, connectivity is broken and he doesn't have an idea why.

Clearly a bug, don't you think ?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Tyson Scott [mailto:tscott at ipexpert.com]
Sent: Wednesday, 10 February 2010 22:33
To: 'Roman Rodichev'; 'Antonio Soares'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue

Actually it makes sense. You have duplicate IP's and the router needs to decide which one is valid, which often will cause a network interrupt. Although it doesn't allow the second connection it is terminating the first to process to make a decision about the conflict. At least that is what I interpret what you are seeing to be.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott at ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

-----Original Message-----
From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of Roman Rodichev
Sent: Wednesday, February 10, 2010 12:28 PM
To: Antonio Soares
Cc: Farrukh Haroon; ; Cisco certification
Subject: Re: WebVPN Issue

Probably just a "feature" :)

Sent from my iPhone

On Feb 10, 2010, at 11:24 AM, "Antonio Soares" wrote:

> Yes, it works fine with local pool. In this case, the AC client gets a message saying "no address assigned".
>
> I was able to reproduce the problem in the meanwhile. It makes sense that the 2nd user is not able to establish the session but it doesn't make sense the 1st loses his connection.
>
> This seems a bug to me.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Roman Rodichev [mailto:romangs at iementor.com]
> Sent: Wednesday, 10 February 2010 17:03
> To: Antonio Soares
> Cc: Farrukh Haroon; ; Cisco certification
> Subject: Re: WebVPN Issue
>
> So that might be the problem. How can you assign a different IP from RADIUS for concurrent logins?
>
> It should work with local pool
>
> Sent from my iPhone
>
> On Feb 10, 2010, at 10:14 AM, "Antonio Soares" wrote:
>
>> Thank you both for your inputs. I still cannot share the config since i saw this in a production network and i'm still trying to reproduce it in the lab.
>>
>> But the "debug ip routing" says it all:
>>
>> 1) When user X connects, he gets ip=10.10.10.166
>>
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>>
>> 2) When another user tries the connection with the same user X:
>>
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>>
>> So the router deletes the route, adds it and removes it again. This explains the loss of connectivity.
>>
>> We have radius authentication and the radius server assigns a pre-defined ip to each user. So when the radius server sends the same ip, it seems the router gets confused.
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>> -----Original Message-----
>> From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of Farrukh Haroon
>> Sent: Wednesday, 10 February 2010 6:27
>> To: Antonio Soares
>> Cc: cisco-nsp at puck.nether.net; Cisco certification
>> Subject: Re: WebVPN Issue
>>
>> No it works fine for multiple users, we have it running. If you can post the sanitized config, I can have a look.
>>
>> Also check your 'show tcp brief' output to see if you have any stale connections there. We faced a similar issue, and putting 'service tcp-keepalives-in' fixed the issue (you may put 'out' as well)..
>>
>> We are running 12.4(15)Tx though.
>>
>> Regards
>>
>> Farrukh
>>
>> On Wed, Feb 10, 2010 at 4:55 AM, Antonio Soares wrote:
>>
>>> Hello group,
>>>
>>> I'm facing a strange issue with IOS Based WebVPN: when user X is connected and then another user uses the same user X, the second user is not able to connect but the first user loses connectivity. I have this with IOS 12.4.24T and AC 2.3.2016 running on a 2821.
>>> This is not expected behavior, right ?
>>>
>>> Thanks.
>>>
>>> Regards,
>>>
>>> Antonio Soares, CCIE #18473 (R&S/SP)
>>> amsoares at netcabo.pt

From lists at hojmark.org Wed Feb 10 18:07:59 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 11 Feb 2010 00:07:59 +0100
Subject: [c-nsp] rate-limit command not accepting ?
In-Reply-To:
References:
Message-ID: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>

On Wed, 10 Feb 2010 11:00:55 -0800, you wrote:

> DTCCAT-CORE01(config-if)# rate-limit input 2096000 128000 128000 conform-action transmit exceed-action drop
> ^
> % Invalid input detected at '^' marker.

The rate-limit command is not supported on Catalyst 6500. Use a policy-map with policing instead.

-A

From lmeade at signal.ca Wed Feb 10 20:10:35 2010
From: lmeade at signal.ca (Leslie Meade)
Date: Wed, 10 Feb 2010 17:10:35 -0800
Subject: [c-nsp] rate-limit command not accepting ?
In-Reply-To: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>
References: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>
Message-ID:

While I would have agreed with your comment, why is it that I am able to put the rate limit commands on failover 6509 ?

-----Original Message-----
From: Asbjorn Hojmark - Lists [mailto:lists at hojmark.org]
Sent: Wednesday, February 10, 2010 3:08 PM
To: Leslie Meade
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] rate-limit command not accepting ?
On Wed, 10 Feb 2010 11:00:55 -0800, you wrote:

> DTCCAT-CORE01(config-if)# rate-limit input 2096000 128000 128000 conform-action transmit exceed-action drop
> ^
> % Invalid input detected at '^' marker.

The rate-limit command is not supported on Catalyst 6500. Use a policy-map with policing instead.

-A

From amsoares at netcabo.pt Wed Feb 10 20:14:11 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Thu, 11 Feb 2010 01:14:11 -0000
Subject: [c-nsp] WebVPN Issue
In-Reply-To: <003d01caaaae$a17b8a60$e4729f20$@com>
References: <228953D7-1A44-4DF5-81D2-8EA1A6F3BDD4@iementor.com> <6D6176D9927649BDA2E3133781A145AF@int.convex.pt> <003201caaaa1$0a9c4330$1fd4c990$@com> <1F027770303D4744BEA139DB10180A57@int.convex.pt> <003d01caaaae$a17b8a60$e4729f20$@com>
Message-ID:

Tyson,

TAC SR in progress. I will let you know what they will call this :)

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Tyson Scott [mailto:tscott at ipexpert.com]
Sent: Thursday, 11 February 2010 0:11
To: 'Antonio Soares'; 'Roman Rodichev'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue

Antonio,

It would be plausible that you could open a case with Cisco and call it a bug, or a feature enhancement, that if there is an IP conflict that it disconnects both sessions or refuses/ignores the radius attribute if it conflicts with an existing session; or gives an error message, but I wouldn't necessarily call that a bug. Typically I would classify a bug as a feature that does not operate as it should within normal conditions or expected error states. But that may be just me.

More it sounds like a basic rule is being broken (assigning duplicate IP's) and adverse effects are happening from it. Currently there may not be an error check to handle the error state as you would hope.

Please don't take offense, I can see myself making the same mistake, but a networking rule 101 is being broken and sometimes you will have strange results from such. Much like spanning-tree loops or duplicate IP's on the network. Sometimes it takes intervention to fix the basic problems.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott at ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From junks2you at gmail.com Thu Feb 11 01:28:29 2010
From: junks2you at gmail.com (Junks2you)
Date: Thu, 11 Feb 2010 16:28:29 +1000
Subject: [c-nsp] High CPU a issue for voice traffic?
Message-ID: <4b73958c.0409c00a.1518.56b0@mx.google.com>

Hi Guys,

Currently we were hitting some high CPU issue. One of the 6509 with SUP720 standing in the core hiked to 96% percent very randomly in the past 72 hours or even longer. Write memory, SNMP, software switching could be the cause, we don't know yet. Everything seems working fine now. Although it now gets to normal level, am wondering if it could affect the voice calls (handled by Call manager 7) while the CPU usage reaches above 90%. Since we are not able to simulate this issue, I just hope it wouldn't be a 'bomb' there.

Simply speaking, is high CPU utilisation an issue affecting voice traffic passing through this core switch?

Thanks in advance for the input.

Bill.

From gregariouspearl at gmail.com Thu Feb 11 00:55:08 2010
From: gregariouspearl at gmail.com (MSZ)
Date: Thu, 11 Feb 2010 10:55:08 +0500
Subject: [c-nsp] rate-limit command not accepting ?
In-Reply-To:
References: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>
Message-ID: <44c523751002102155u1c46f358r6084601b992c175d@mail.gmail.com>

Try with the following

ip access-list extended IP-All
 permit ip any any [MATCH PREFIXES YOU WANT]

class-map match-all IP-All
 match access-group name IP-All

policy-map RATE
 class IP-All
  police cir 2096000 bc 128000 be 128000 conform-action set-dscp-transmit default exceed-action drop violate-action drop

int [Name]
 service-policy input RATE
 service-policy output RATE

Regards,
Salman Zahid

On Thu, Feb 11, 2010 at 6:10 AM, Leslie Meade wrote:

> While I would have agreed with your comment, why is it that I am able to put the rate limit commands on failover 6509 ?
>
> -----Original Message-----
> From: Asbjorn Hojmark - Lists [mailto:lists at hojmark.org]
> Sent: Wednesday, February 10, 2010 3:08 PM
> To: Leslie Meade
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] rate-limit command not accepting ?
>
> On Wed, 10 Feb 2010 11:00:55 -0800, you wrote:
>
> > DTCCAT-CORE01(config-if)# rate-limit input 2096000 128000 128000 conform-action transmit exceed-action drop
> > ^
> > % Invalid input detected at '^' marker.
>
> The rate-limit command is not supported on Catalyst 6500.
> Use a policy-map with policing instead.
>
> -A

--
You only live once, but if you work it right, once is enough......

From swnospam2 at yahoo.com Thu Feb 11 02:34:21 2010
From: swnospam2 at yahoo.com (Shing Wong)
Date: Wed, 10 Feb 2010 23:34:21 -0800 (PST)
Subject: [c-nsp] Cisco/Fibex 6732 Software
Message-ID: <771976.1633.qm@web65705.mail.ac4.yahoo.com>

Does any body know where I can get the management software for the Cisco/Fibex 6732? I have had two of them in my warehouse for years, but I can't find the EMS discs for them.
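Salman's policy-map above polices with `cir 2096000 bc 128000 be 128000` and separate conform/exceed/violate actions, which is the single-rate three-colour token-bucket scheme of RFC 2697. The following Python model is an added example (not code from the list or from Cisco): it shows how bc and be split a burst into the three colours, and that with both exceed-action and violate-action set to drop, as in the posted policy, the be bucket changes nothing about what is forwarded; the traffic traces are constructed, not captured.

```python
"""Single-rate three-colour policer (RFC 2697) with the parameters from
the posted policy-map: police cir 2096000 bc 128000 be 128000.
Added example, not Cisco or list code.  Traces below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"

# Actions from the posted policy-map: only conforming packets are transmitted.
POSTED_ACTIONS = {CONFORM: "set-dscp-transmit default",
                  EXCEED: "drop", VIOLATE: "drop"}


@dataclass
class SrTcmPolicer:
    cir_bps: int            # committed information rate, bits per second
    bc_bytes: int           # committed burst: depth of the conform bucket
    be_bytes: int           # excess burst: depth of the exceed bucket
    tc: float = field(init=False)   # tokens (bytes) in the committed bucket
    te: float = field(init=False)   # tokens (bytes) in the excess bucket
    last_t: float = 0.0             # time of the last refill, seconds

    def __post_init__(self) -> None:
        # Both buckets start full, as they do when the policy is applied.
        self.tc = float(self.bc_bytes)
        self.te = float(self.be_bytes)

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_t)
        self.last_t = now
        new_tokens = elapsed * self.cir_bps / 8.0      # bytes earned at CIR
        # Committed bucket fills first; what does not fit spills into excess.
        spill = max(0.0, self.tc + new_tokens - self.bc_bytes)
        self.tc = min(float(self.bc_bytes), self.tc + new_tokens)
        self.te = min(float(self.be_bytes), self.te + spill)

    def police(self, now: float, size: int) -> str:
        """Colour one packet of `size` bytes arriving at time `now`."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return CONFORM
        if size <= self.te:
            self.te -= size
            return EXCEED
        return VIOLATE


Trace = Iterable[Tuple[float, int]]      # (arrival time in s, size in bytes)


def run_trace(policer: SrTcmPolicer, trace: Trace) -> Dict[str, int]:
    """Police a trace and count packets per colour."""
    counts = {CONFORM: 0, EXCEED: 0, VIOLATE: 0}
    for t, size in trace:
        counts[policer.police(t, size)] += 1
    return counts


def forwarded_bytes(policer: SrTcmPolicer, trace: Trace,
                    actions: Dict[str, str] = POSTED_ACTIONS) -> int:
    """Bytes that actually leave the interface under the given actions."""
    total = 0
    for t, size in trace:
        if actions[policer.police(t, size)] != "drop":
            total += size
    return total


def new_policer() -> SrTcmPolicer:
    return SrTcmPolicer(cir_bps=2096000, bc_bytes=128000, be_bytes=128000)


def simulate_burst() -> Dict[str, int]:
    """200 x 1500-byte frames arriving at once (constructed burst):
    128000/1500 -> 85 conform, next 85 exceed, remaining 30 violate."""
    return run_trace(new_policer(), [(0.0, 1500)] * 200)


def simulate_steady() -> Dict[str, int]:
    """1000-byte frames every 5 ms = 1.6 Mbit/s, below CIR: all conform."""
    return run_trace(new_policer(), [(i * 0.005, 1000) for i in range(100)])


if __name__ == "__main__":
    burst = [(0.0, 1500)] * 200
    print("burst :", simulate_burst())
    print("steady:", simulate_steady())
    # With exceed-action drop AND violate-action drop, be buys nothing:
    # only the 85 conforming frames (127500 bytes) of the burst get out.
    print("forwarded under posted actions:", forwarded_bytes(new_policer(), burst))
```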
From saku at ytti.fi Thu Feb 11 03:23:08 2010
From: saku at ytti.fi (Saku Ytti)
Date: Thu, 11 Feb 2010 10:23:08 +0200
Subject: [c-nsp] rate-limit command not accepting ?
In-Reply-To:
References: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>
Message-ID: <20100211082308.GA7131@mx.ytti.net>

On (2010-02-10 17:10 -0800), Leslie Meade wrote:

> While I would have agreed with your comment, why is it that I am able to put the rate limit commands on failover 6509 ?

Are both running 'mls qos'?

Anyhow, I'm not sure how interesting it is in the end of the day why you can't configure it, as it is not supported. VXR will happily accept this command, but it won't do anything there, at least since 12.2(25)S which was released like 2003 or so. I'd be very surprised if you've programmed anything in TCAM at all in the other box where it appears to be working.

--
++ytti

From rsm at fast-serv.com Thu Feb 11 11:15:40 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Thu, 11 Feb 2010 11:15:40 -0500
Subject: [c-nsp] ISSU on SXF -> SXI
Message-ID: <20100211160934.M57476@fast-serv.com>

Anyone successful with ISSU (SSO mode) with SXF -> SXI on a 6500 w/dual sup720-3bxl?

--
Randy

From pavel.skovajsa at gmail.com Thu Feb 11 12:01:51 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Thu, 11 Feb 2010 18:01:51 +0100
Subject: [c-nsp] ISSU on SXF -> SXI
In-Reply-To: <20100211160934.M57476@fast-serv.com>
References: <20100211160934.M57476@fast-serv.com>
Message-ID: <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com>

Hello Randy,

as far as I am aware the ISSU works only for SXI train onward. See http://www.cisco.com/web/DK/assets/docs/presentations/12233sxi_0109.pdf

-pavel

On Thu, Feb 11, 2010 at 5:15 PM, Randy McAnally wrote:

> Anyone successful with ISSU (SSO mode) with SXF -> SXI on a 6500 w/dual sup720-3bxl?
>
> --
> Randy

From globichen at gmail.com Thu Feb 11 12:50:50 2010
From: globichen at gmail.com (Andy B.)
Date: Thu, 11 Feb 2010 18:50:50 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B730502.3020700@bromirski.net>
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B730502.3020700@bromirski.net>
Message-ID:

> Are you still running SXF15a? David's advice was already - move to SXI to stay out of trouble, as SXF train is already EOS and will hit end of software maintenance by December 2011. If You need to stay by SXF go to SXF17 and then try to troubleshoot.

Okay, updated the box to SXI3 about 12 hours ago. Still the same issue though - losing BGP / OSPF sessions (hold time expired) and SNMP graphs again looking like crap.

> My first guess is - have You had any problems with TCAMs overflowing in the past? If so, in the nearest service window reload the box, to clean up the cache and TCAM contents. I'm only guessing that's your problem, but mysterious drops on the traffic with no process hinting high RP/SP CPU may be the issue here. As well as David noted - any errors/drops on the interfaces themselves.

Due to the IOS upgrade the box has been rebooted - so we can rule this out, I guess?

> Any CoPP configured on the box? mls rate-limiters?

no CoPP configured yet - shame on me, but sh proc CPU does not reveal any strange or unusual load.

mls rate-limiters:

mls rate-limit unicast cef glean 5000 10
mls rate-limit unicast ip rpf-failure 1000 10
mls rate-limit unicast ip icmp redirect 1000 10
mls rate-limit unicast ip icmp unreachable no-route 1000 10
mls rate-limit unicast ip icmp unreachable acl-drop 1000 10
mls rate-limit unicast ip errors 1000 10
mls rate-limit all ttl-failure 1000 10
mls rate-limit all mtu-failure 1000 10

One more thing I am guessing: I have two 6704s, te8/1-4 and te9/1-4. Some OSPFs are on one card, some on the others. The busy VLAN with a few thousand servers is also channeled on both cards. Would it be better to regroup the vlan to let's say te8/1-4 and everything that is backbone related (OSPF/IBGP) to te9/1-4. I am not sure if I am hitting any fabric limitations.

I really do not know where else to look at...

Andy

From mark.carter at imperial.ac.uk Thu Feb 11 13:21:34 2010
From: mark.carter at imperial.ac.uk (Carter, Mark R)
Date: Thu, 11 Feb 2010 18:21:34 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B730502.3020700@bromirski.net>
Message-ID: <323DE271DDCA6F4C989354B6113FE0302D85FA83A1@ICEXM1.ic.ac.uk>

Andy B. wrote

> I really do not know where else to look at...

If you haven't already, as Phil Mayers suggested, I would strongly recommend using a SPAN session to monitor the type and amount of traffic that is hitting the CPU:

http://cisco.cluepon.net/index.php/6500_SPAN_the_RP

From saku at ytti.fi Thu Feb 11 13:37:08 2010
From: saku at ytti.fi (Saku Ytti)
Date: Thu, 11 Feb 2010 20:37:08 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B730502.3020700@bromirski.net>
Message-ID: <20100211183708.GA11693@mx.ytti.net>

On (2010-02-11 18:50 +0100), Andy B. wrote:

> mls rate-limit unicast cef glean 5000 10

This might be too high. We know that you lose packets in hold-queue, even when it is 4k; this means you are getting too many packets to software processing, more than the box can handle. It is an issue that needs to be fixed; whether it is the same issue which is causing packet loss and BGP/OSPF timeout, we can't tell. We also so far have seen from your output that the packets hitting hold-queue have been glean packets, with no example of other type of packets.

Now, best would be to ERSPAN the control-plane traffic to get more accurate results on what the bulk of the packets are. And/or you could decrease glean to much smaller value, maybe 500, maybe 100. You have to remember, that you don't break anything /existing/ with tight glean limit, you only delay /new/ hosts from coming up during the event (or attack).
-- ++ytti From rsm at fast-serv.com Thu Feb 11 14:48:04 2010 From: rsm at fast-serv.com (Randy McAnally) Date: Thu, 11 Feb 2010 14:48:04 -0500 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> Message-ID: <20100211194447.M88975@fast-serv.com> Thanks for that information. What is the 'least problematic' method, step by step, to upgrade from SXF to SXI since I have dual sups? I can handle a single reboot but don't want to whack any config or cause the sups to lose redundancy or need multiple or extended downtimes. -- Randy ---------- Original Message ----------- From: Pavel Skovajsa To: Randy McAnally Cc: cisco-nsp at puck.nether.net Sent: Thu, 11 Feb 2010 18:01:51 +0100 Subject: Re: [c-nsp] ISSU on SXF -> SXI > Hello Randy, > > as far as I am aware the ISSU works only for SXI train onward. See > http://www.cisco.com/web/DK/assets/docs/presentations/12233sxi_0109.pdf > > -pavel > > On Thu, Feb 11, 2010 at 5:15 PM, Randy McAnally wrote: > > Anyone successfull with ISSU (SSO mode) with SXF -> SXI on a 6500 w/dual > > sup720-3bxl? > > > > -- > > Randy > > > > > > _______________________________________________ > > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > ------- End of Original Message ------- From jshearer at amedisys.com Thu Feb 11 15:01:19 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Thu, 11 Feb 2010 14:01:19 -0600 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <20100211194447.M88975@fast-serv.com> References: <20100211160934.M57476@fast-serv.com><323aca891002110901k6206f32 3sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com> Message-ID: Just the rolling sup method. Upload new image to both sups, reload standby, reload primary. 
The standby reload will be non-service impacting. The primary sup will be service impacting as SSO/NSF is not enabled with a version mismatch. Outage will vary based on features enabled. Jason -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Randy McAnally Sent: Thursday, February 11, 2010 1:48 PM To: Pavel Skovajsa Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ISSU on SXF -> SXI Thanks for that information. What is the 'least problematic' method, step by step, to upgrade from SXF to SXI since I have dual sups? I can handle a single reboot but don't want to whack any config or cause the sups to lose redundancy or need multiple or extended downtimes. -- Randy ---------- Original Message ----------- From: Pavel Skovajsa To: Randy McAnally Cc: cisco-nsp at puck.nether.net Sent: Thu, 11 Feb 2010 18:01:51 +0100 Subject: Re: [c-nsp] ISSU on SXF -> SXI > Hello Randy, > > as far as I am aware the ISSU works only for SXI train onward. See > http://www.cisco.com/web/DK/assets/docs/presentations/12233sxi_0109.pdf > > -pavel > > On Thu, Feb 11, 2010 at 5:15 PM, Randy McAnally wrote: > > Anyone successfull with ISSU (SSO mode) with SXF -> SXI on a 6500 w/dual > > sup720-3bxl? > > > > -- > > Randy > > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > ------- End of Original Message ------- _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ *** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. 
Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. *** From livio.zanol.puppim at gmail.com Thu Feb 11 20:18:00 2010 From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim) Date: Thu, 11 Feb 2010 23:18:00 -0200 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: Message-ID: Brad, Can't I make "the cloud" with traditional switches (4948 for example)? As I've said before, my only concern is that I'll lose A LOT of access ports on Nexus 5000 that could be used by servers with 10GE/FCoE. Again, the only reasons you are giving me to use this design are "management facility" and vPC. So, putting it in a balance I see more losses than benefits. What's the big problem on connecting to another device to manage it? Is this really a big loss? It'll take 5 minutes more to make a service. I don't think that this is the best benefit of this design. I would really appreciate having all switches of the same series managed by the same program (cisco DCNM); unfortunately I think we are going the other way. Losing 20 access interfaces isn't a good option for me... I'm not talking about a huge datacenter. I will only need 10 1G switches for the next years, so "big L2 domain" for me isn't too much trouble. If you could explain this problem better maybe I would change my mind... I'm expecting that 10G (with FCoE) will dominate the server design, so my loss will be huge. I'll maintain 1Gbps only for backward compatibility (10 years? hehehe).
If Nexus 2000 could be attached directly to a Nexus 7000 (it is not quite difficult to make that work) the design would perfectly fit our needs... 2010/2/10 Jason Plank > Brad, > > You just made a terrible assumption. :) > > Jason > > >> Then you should post from your gmail account. > > > > What difference would that make? We're all adults here. > > > > > > Cheers, > > Brad > > > > > > -- > > Brad Hedlund, CCIE #5530 > > Technology Solutions Architect, Data Center > > bhedlund at cisco.com > > http://www.internetworkexpert.org > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > -- > -- > Jason Plank > (CCIE #16560) > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- []'s Lívio Zanol Puppim From rodunn at cisco.com Thu Feb 11 21:51:07 2010 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 11 Feb 2010 21:51:07 -0500 Subject: [c-nsp] High CPU a issue for voice traffic? In-Reply-To: <4b73958c.0409c00a.1518.56b0@mx.google.com> References: <4b73958c.0409c00a.1518.56b0@mx.google.com> Message-ID: <4B74C21B.1050501@cisco.com> On 2/11/10 1:28 AM, Junks2you wrote: > Hi Guys, > > Currently we are hitting some high CPU issue. One of the 6509s with SUP720 standing in the core hiked to 96 percent very randomly in the past 72 hours or even longer. Write memory, SNMP, software switching could be the cause, we don't know yet. Everything seems to be working fine now. Although it now gets to normal level, I am wondering if it could affect the voice calls (handled by Call Manager 7) while the CPU usage reaches above 90%. Since we are not able to simulate this issue, I just hope it wouldn't be a 'bomb' there.
> Simply speaking, is high CPU utilisation an issue affecting voice traffic passing through this core switch? Yes and no.. if your RP CPU gets to the point your control plane comes down all transit traffic will be impacted. You need to make sure you have the appropriate CoPP and mls rate limiters enabled. If the traffic is hardware switched ('distributed' in 'sh int stat') the high cpu on the RP is ok in short spikes....if it's high much you need to figure out why. Rodney > Thanks in advance for the input. > > Bill. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tvarriale at comcast.net Fri Feb 12 00:42:52 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 11 Feb 2010 23:42:52 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer References: Message-ID: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> >----- Original Message ----- >From: "Livio Zanol Puppim" >To: "Jason Plank" >Cc: "Cisco NSP ((E-mail))'" >Sent: Thursday, February 11, 2010 7:18 PM >Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > >Brad, > >Can't I make "the cloud" with traditional switches (4948 for example)? You can call it what you'd like. >As I've said before, my only concern is that I'll lose A LOT of access >ports >on Nexus 5000 that could be used by servers with 10GE/FCoE. Ok, maybe I missed something. What are you trying to do? High density 1 gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k does that. >I'm expecting that 10G(with FCoE) will dominate the servers design, so my >loss will be huge. It will be a large part of the future, no doubt. Your loss? >If Nexus 2000 could be attached directly to a Nexus 7000 (it is not quite >difficult to make that work) the design would perfectly fit our needs... As I've stated before, there is no if.
Not sure how many more times I have to say it... tv From tvarriale at comcast.net Fri Feb 12 00:47:59 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 11 Feb 2010 23:47:59 -0600 Subject: [c-nsp] Best practice - Core vs Access Router References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net><290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net><4B718596.2050602@imperial.ac.uk><290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net><4B71A1D2.10909@imperial.ac.uk><4B730502.3020700@bromirski.net> Message-ID: <32C080C83F444E96A7DBA952816D4343@flamdt01> ----- Original Message ----- From: "Andy B." To: "Lukasz Bromirski" Cc: "nsp-cisco" Sent: Thursday, February 11, 2010 11:50 AM Subject: Re: [c-nsp] Best practice - Core vs Access Router > I have two 6704s, te8/1-4 and te9/1-4. Some OSPFs are on one card, > some on the others. The busy VLAN with a few thousand servers is also > channeled on both cards. Would it be better to regroup the vlan to > let's say te8/1-4 and everything that is backbone related (OSPF/IBGP) > to te9/1-4. I am not sure if I am hitting any fabric limitations. > > I really do not know where else to look at... > > Andy ----- Original Message ----- From: "Tony Varriale" To: "nsp-cisco" Sent: Wednesday, February 10, 2010 1:51 PM Subject: Re: [c-nsp] Best practice - Core vs Access Router > show ip traffic? Anything incrementing in there by a significant amount? > How fast do your drops/flushes increment? > > I assume these are 6704s without DFCs? If not, what are those ports? > > tv
From p.mayers at imperial.ac.uk Fri Feb 12 04:56:44 2010 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 12 Feb 2010 09:56:44 +0000 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <20100211194447.M88975@fast-serv.com> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com> Message-ID: <4B7525DC.5020105@imperial.ac.uk> On 02/11/2010 07:48 PM, Randy McAnally wrote: > Thanks for that information. > > What is the 'least problematic' method, step by step, to upgrade from SXF to > SXI since I have dual sups? I can handle a single reboot but don't want to > whack any config or cause the sups to lose redundancy or need multiple or > extended downtimes. Load the firmware onto both sups, change the boot statement, reload the standby sup and it will come up in RPR mode. Force a switchover, the new sup will finish booting & reload the linecards. We do this for almost all our software upgrades, and the outage is typically in the region of 90 seconds. There's nothing special in this regard about going to SXI - this is how we did it. It's worth noting that AFAICT ISSU requires the linecards to have sufficient RAM to pre-load the new IOS image, and many standard linecards e.g. 6748-SFP/DFC-3B do not, and will therefore not do a "fast" ISSU. It's also relevant that for ISSU the old and new images have to be "compatible" and I have my doubts how often that will be the case...
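The RPR upgrade Phil Mayers describes above, written out as the command sequence with the verification steps that address Randy's worry about losing config or redundancy. This is an added example, not Phil's or anyone else's posted procedure; the slot number, TFTP server and image file names are placeholders, and the flash device names assume a Sup720 with CompactFlash (disk0:/slavedisk0:).

```ios
! Added example (not from the thread): the "classic" RPR upgrade Phil
! Mayers describes, as typed on a 6500 with redundant Sup720s.
! <tftp-server>, <new-image>, <old-image> and <standby-slot> are
! placeholders; disk0:/slavedisk0: assume CompactFlash supervisors.
!
! 1. Confirm the chassis really is redundant (SSO) before touching it.
show redundancy states
show bootvar
!
! 2. Put the new image on BOTH supervisors and check the checksum.
copy tftp://<tftp-server>/<new-image>.bin disk0:
copy tftp://<tftp-server>/<new-image>.bin slavedisk0:
verify disk0:<new-image>.bin
!
! 3. Re-point the boot statement: new image first, old one as fallback,
!    and make sure the config register still boots from flash.
configure terminal
 no boot system
 boot system flash disk0:<new-image>.bin
 boot system flash disk0:<old-image>.bin
 config-register 0x2102
end
! Save now so the running config and boot variables are synced to the
! standby before anything reloads.
write memory
!
! 4. Reload the standby. With mismatched versions it returns in RPR,
!    not SSO, which is expected at this point.
hw-module module <standby-slot> reset
show redundancy states
!
! 5. Force the switchover. The new supervisor finishes booting and
!    resets the linecards (the ~90 s outage Phil mentions); the former
!    active then reboots as standby on the new image and SSO returns.
redundancy force-switchover
show redundancy states
show module
```

The two `show redundancy states` checks are the point: the first proves you had SSO to begin with, the last proves you got it back.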
From jshearer at amedisys.com Fri Feb 12 07:20:50 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Fri, 12 Feb 2010 06:20:50 -0600 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <4B7525DC.5020105@imperial.ac.uk> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f3 23sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B7525DC.5020105@imperial.ac.uk> Message-ID: It is my understanding that ISSU will be supported for the same feature set in the same dev line. IE - Will work going from SXI to SXI3 but will not work going from SXI to SXJ. (I know J doesn't exist yet). Is this how everyone else understands ISSU? Any other known restrictions? Jason -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers Sent: Friday, February 12, 2010 3:57 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ISSU on SXF -> SXI On 02/11/2010 07:48 PM, Randy McAnally wrote: > Thanks for that information. > > What is the 'least problematic' method, step by step, to upgrade from SXF to > SXI since I have dual sups? I can handle a single reboot but don't want to > whack any config or cause the sups to lose redundancy or need multiple or > extended downtimes. Load the firmware onto both sup, change the boot statement, reload the standby sup and it will come up in RPR mode. Force a switchover, the new sup will finish booting & reload the linecards. We do this for almost all our software upgrades, and the outage it typically in the region of 90 seconds. There's nothing special in this regard about going to SXI - this is how we did it. It's worth noting that AFAICT ISSU requires the linecards to have sufficient RAM to pre-load the new IOS image, and many standard linecards e.g. 6748-SFP/DFC-3B do not, and will therefore not do a "fast" ISSU. 
It's also relevant that for ISSU the old and new images have to be "compatible" and I have my doubts how often that will be the case... _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From p.mayers at imperial.ac.uk Fri Feb 12 07:29:50 2010 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 12 Feb 2010 12:29:50 +0000 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f3 23sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B7525DC.5020105@imperial.ac.uk> Message-ID: <4B7549BE.3010700@imperial.ac.uk> On 12/02/10 12:20, Jason Shearer wrote: > It is my understanding that ISSU will be supported for the same feature set in the same dev line. > > IE - Will work going from SXI to SXI3 but will not work going from SXI to SXJ. (I know J doesn't exist yet). > > Is this how everyone else understands ISSU? Any other known restrictions? Sorry, yes - I'm confusing things. There are 3 scenarios: * The old and new image are not ISSU-compatible (different major releases or feature sets) - in which case an RPR upgrade is the best you can do.
* The old and new images are ISSU compatible, and the linecard software has not changed. In this case, the linecards do not need to be restarted, and downtimes of 0-3 seconds can be achieved because it's basically just an SSO switchover. * The old and new images are ISSU compatible but the linecard software is different, so the linecards need to be restarted into the new image - this can be a faster, warm boot (if the linecard has enough RAM) or a slower, cold boot (if not) I think that's about right? From Kevin.Hatem at pgs.com Fri Feb 12 09:07:59 2010 From: Kevin.Hatem at pgs.com (Kevin Hatem) Date: Fri, 12 Feb 2010 08:07:59 -0600 Subject: [c-nsp] per-port price for 10G on c3750E Message-ID: <15D5002F61F31A45A82A153D2F739067B174799F75@HOUMS26.onshore.pgs.com> What would be the cost per 10G port on a 3750E-48? It's simplified on a platform/line card with all 10G ports, but the 3750E has 48 1G ports and only 2 10G ports. Thanks. -kevin hatem This e-mail, including any attachments and response string, may contain proprietary information which is confidential and may be legally privileged. It is for the intended recipient only. If you are not the intended recipient or transmission error has misdirected this e-mail, please notify the author by return e-mail and delete this message and any attachment immediately. If you are not the intended recipient you must not use, disclose, distribute, forward, copy, print or rely on this e-mail in any way except as permitted by the author. From arne.svennevik at met.no Fri Feb 12 09:28:34 2010 From: arne.svennevik at met.no (Arne Svennevik) Date: Fri, 12 Feb 2010 14:28:34 +0000 (UTC) Subject: [c-nsp] per-port price for 10G on c3750E In-Reply-To: <194792043.326972.1265984807691.JavaMail.root@imap1b> Message-ID: <1092136464.327007.1265984914413.JavaMail.root@imap1b> I'd compare 3750G-48 to 3750E-48 to get an idea of the additional cost of the 10G ports. 
Currently the difference is $5k in the global price list, but the actual price depends on a lot of factors. Check with your Cisco account team for accurate figures. Arne ----- Original Message ----- From: "Kevin Hatem" To: "cisco-nsp at puck.nether.net" Sent: 12 February 2010 15:07:59 Subject: [c-nsp] per-port price for 10G on c3750E What would be the cost per 10G port on a 3750E-48? It's simplified on a platform/line card with all 10G ports, but the 3750E has 48 1G ports and only 2 10G ports. Thanks. -kevin hatem _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rjs at eng.gxn.net Fri Feb 12 09:47:58 2010 From: rjs at eng.gxn.net (Rob Shakir) Date: Fri, 12 Feb 2010 14:47:58 +0000 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <4B7549BE.3010700@imperial.ac.uk> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f3 23sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk> Message-ID: <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> On 12 Feb 2010, at 12:29, Phil Mayers wrote: > * The old and new image are not ISSU-compatible (different major releases or feature sets) - in which case an RPR upgrade is the best you can do.
> > * The old and new images are ISSU compatible, and the linecard software has not changed. In this case, the linecards do not need to be restarted, and downtimes of 0-3 seconds can be achieved because it's basically just an SSO switchover. > > * The old and new images are ISSU compatible but the linecard software is different, so the linecards need to be restarted into the new image - this can be a faster, warm boot (if the linecard has enough RAM) or a slower, cold boot (if not) > > I think that's about right? This seems quite accurate to me. Our experience of ISSU has been terrible. We've found multiple bugs related to it, and have found that -- in general -- we're much better off in terms of service disruption with a "classic" upgrade (upgrade secondary, reload peer, force failover, etc). Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet our requirements, and hence we are better off doing classic upgrades. We've taken their advice, and will not be trying it again. I think it's suited for deployments where you have 30+ boxes that are identical in terms of configuration, and hardware, but in the SP environment (like us), the variance of boxes means that it's just not worthwhile. 
Kind regards, Rob -- Rob Shakir Network Development Engineer GX Networks/Vialtus Solutions ddi: +44208 587 6077 mob: +44797 155 4098 pgp: 0xc07e6deb nic-hdl: RJS-RIPE This email is subject to: http://www.vialtus.com/disclaimer.html From jshearer at amedisys.com Fri Feb 12 09:55:02 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Fri, 12 Feb 2010 08:55:02 -0600 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f3 23sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4 B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk><7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> Message-ID: I haven't tried ISSU with our VSS pairs but this is about what I expected. Too many caveats to risk it, eh? Jason -----Original Message----- From: Rob Shakir [mailto:rjs at eng.gxn.net] Sent: Friday, February 12, 2010 8:48 AM To: Phil Mayers Cc: Jason Shearer; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ISSU on SXF -> SXI On 12 Feb 2010, at 12:29, Phil Mayers wrote: > * The old and new image are not ISSU-compatible (different major releases or feature sets) - in which case an RPR upgrade is the best you can do. > > * The old and new images are ISSU compatible, and the linecard software has not changed. In this case, the linecards do not need to be restarted, and downtimes of 0-3 seconds can be achieved because it's basically just an SSO switchover. > > * The old and new images are ISSU compatible but the linecard software is different, so the linecards need to be restarted into the new image - this can be a faster, warm boot (if the linecard has enough RAM) or a slower, cold boot (if not) > > I think that's about right? This seems quite accurate to me. Our experience of ISSU has been terrible. 
We've found multiple bugs related to it, and have found that -- in general -- we're much better off in terms of service disruption with a "classic" upgrade (upgrade secondary, reload peer, force failover, etc). Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet our requirements, and hence we are better off doing classic upgrades. We've taken their advice, and will not be trying it again. I think it's suited for deployments where you have 30+ boxes that are identical in terms of configuration, and hardware, but in the SP environment (like us), the variance of boxes means that it's just not worthwhile. Kind regards, Rob -- Rob Shakir Network Development Engineer GX Networks/Vialtus Solutions ddi: +44208 587 6077 mob: +44797 155 4098 pgp: 0xc07e6deb nic-hdl: RJS-RIPE This email is subject to: http://www.vialtus.com/disclaimer.html
From p.mayers at imperial.ac.uk Fri Feb 12 10:06:36 2010 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 12 Feb 2010 15:06:36 +0000 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f3 23sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk> <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> Message-ID: <4B756E7C.9060506@imperial.ac.uk> On 12/02/10 14:47, Rob Shakir wrote: > > This seems quite accurate to me. > > Our experience of ISSU has been terrible. We've found multiple bugs > related to it, and have found that -- in general -- we're much better > off in terms of service disruption with a "classic" upgrade (upgrade > secondary, reload peer, force failover, etc). > > Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet > our requirements, and hence we are better off doing classic upgrades. > We've taken their advice, and will not be trying it again. I think As it happens I just did a "half-test" on one of our boxes where I did the "issu loadversion" so that I could see what it told me about outage times - and all kinds of horrific messages started spraying onto the console about missing ifindex values, IDB failures and so forth. I quickly did an "issu abortversion" Bah. Thanks a lot Cisco... From livio.zanol.puppim at gmail.com Fri Feb 12 10:37:43 2010 From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim) Date: Fri, 12 Feb 2010 13:37:43 -0200 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> Message-ID: Ok... Let's try again, more simplified. Using a DC topology with Nexus family, I must have, for gigabit connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000.
Using the traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G ports from Nexus 5000 for access. That's my only problem, losing ports on the 5000... Is it clear enough? Can you give me a good reason to use the first design? 2010/2/12 Tony Varriale > ----- Original Message ----- From: "Livio Zanol Puppim" < >> livio.zanol.puppim at gmail.com> >> To: "Jason Plank" >> Cc: "Cisco NSP ((E-mail))'" >> Sent: Thursday, February 11, 2010 7:18 PM >> >> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer >> >> > Brad, >> >> Can't I make "the cloud" with traditional switches (4948 for example)? >> > > You can call it what you'd like. > > > As I've said before, my only concern is that I'll lose A LOT of access >> ports >> on Nexus 5000 that could be used by servers with 10GE/FCoE. >> > > Ok, maybe I missed something. What are you trying to do? High density 1 > gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k does > that. > > > I'm expecting that 10G(with FCoE) will dominate the servers design, so my >> loss will be huge. >> > > It will be a large part of the future, no doubt. Your loss? > > > If Nexus 2000 could be attached directly to a Nexus 7000 (it is not quite >> difficult to make that work) the design would perfectly fit our needs... >> > > As I've stated before, there is no if. Not sure how many more times I have > to say it...
> > tv > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- []'s Lívio Zanol Puppim From rsm at fast-serv.com Fri Feb 12 10:41:51 2010 From: rsm at fast-serv.com (Randy McAnally) Date: Fri, 12 Feb 2010 10:41:51 -0500 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <4B756E7C.9060506@imperial.ac.uk> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f3 23sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk> <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> <4B756E7C.9060506@imperial.ac.uk> Message-ID: <20100212154114.M76226@fast-serv.com> Thanks for verifying my suspicions... ISSU just seemed 'too good to be true'. RPR mode upgrade it is... -- Randy ---------- Original Message ----------- From: Phil Mayers To: N/A Cc: "cisco-nsp at puck.nether.net" Sent: Fri, 12 Feb 2010 15:06:36 +0000 Subject: Re: [c-nsp] ISSU on SXF -> SXI > On 12/02/10 14:47, Rob Shakir wrote: > > > > This seems quite accurate to me. > > > > Our experience of ISSU has been terrible. We've found multiple bugs > > related to it, and have found that -- in general -- we're much better > > off in terms of service disruption with a "classic" upgrade (upgrade > > secondary, reload peer, force failover, etc). > > > > Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet > > our requirements, and hence we are better off doing classic upgrades. > > We've taken their advice, and will not be trying it again. I think > > As it happens I just did a "half-test" on one of our boxes where I > did the "issu loadversion" so that I could see what it told me about > outage times - and all kinds of horrific messages started spraying > onto the console about missing ifindex values, IDB failures and so forth.
> > I quickly did an "issu abortversion" > > Bah. Thanks a lot Cisco... > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ ------- End of Original Message ------- From jshearer at amedisys.com Fri Feb 12 10:53:58 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Fri, 12 Feb 2010 09:53:58 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: <8565F64A AFCD406093D2E67941CBB3E3@flamdt01> Message-ID: Don't really need the 7K.....you can run your 10G trunks to an existing 6500 or something else to do L3. In the future you will supposedly be able to run your FEXs to the 7K and supposedly the next gen 5Ks will be able to do "more". I see the current topology good for very large datacenters. Pair of 7Ks at the core, pairs of 5Ks at the end of the row and pairs of 2Ks in each rack. Very scalable design. Currently the Nexus is not for everyone. Jason -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Livio Zanol Puppim Sent: Friday, February 12, 2010 9:38 AM To: Tony Varriale Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer Ok... Let's try again, more simplified. Using a DC topology with Nexus family, I must have, for gigabit connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. Using the traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G ports from Nexus 5000 for access. That's my only problem, losing ports on the 5000... Is it clear enough? Can you give me a good reason to use the first design?
2010/2/12 Tony Varriale > ----- Original Message ----- From: "Livio Zanol Puppim" < >> livio.zanol.puppim at gmail.com> >> To: "Jason Plank" >> Cc: "Cisco NSP ((E-mail))'" >> Sent: Thursday, February 11, 2010 7:18 PM >> >> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer >> >> > Brad, >> >> Can't I make "the cloud" with traditional switches (4948 for example)? >> > > You can call it what you'd like. > > > As I've said before, my only concern is that I'll lose A LOT of access >> ports >> on Nexus 5000 that could be used by servers with 10GE/FCoE. >> > > Ok, maybe I missed something. What are you trying to do? High density 1 > gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k does > that. > > > I'm expecting that 10G(with FCoE) will dominate the servers design, so my >> loss will be huge. >> > > It will be a large part of the future, no doubt. Your loss? > > > If Nexus 2000 could be attached directly to a Nexus 7000 (it is not quite >> difficult to make that work) the design would perfectly fit our needs... >> > > As I've stated before, there is no if. Not sure how many more times I have > to say it... > > tv > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- []'s Lívio Zanol Puppim _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
From samuelmenon at yahoo.com.br Fri Feb 12 11:04:18 2010 From: samuelmenon at yahoo.com.br (SAMUEL MENON) Date: Fri, 12 Feb 2010 08:04:18 -0800 (PST) Subject: [c-nsp] Res: ISSU on SXF -> SXI In-Reply-To: <20100212154114.M76226@fast-serv.com> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f3 23sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk> <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> <4B756E7C.9060506@imperial.ac.uk> <20100212154114.M76226@fast-serv.com> Message-ID: <244047.94442.qm@web112618.mail.gq1.yahoo.com> Hi I have good experiences with ISSU to upgrade IOS from SRB4 to SRD1 or SRD3. I have done the procedure a few times without problems. The messages about missing ifindex values, IDB failures and others are normal during the procedure. I just found a BUG ID when I had some problems while upgrading from IOS SRD3 to the SRE version. The workaround for the BUG ID does not work either; the bug will be fixed in IOS SRD4, which will be available next month. I have a question for other people who have done this procedure. At the beginning of the procedure we need to remove the efsu: no service image-version efsu. Do we need to add the command "service image-version efsu" again? The procedure does not show whether we need to add the command line again or not.
Regards, ________________________________ From: Randy McAnally To: Phil Mayers Cc: "cisco-nsp at puck.nether.net" Sent: Friday, 12 February 2010 13:41:51 Subject: Re: [c-nsp] ISSU on SXF -> SXI Thanks for verifying my suspicions... ISSU just seemed 'too good to be true'. RPR mode upgrade it is... -- Randy ---------- Original Message ----------- From: Phil Mayers To: N/A Cc: "cisco-nsp at puck.nether.net" Sent: Fri, 12 Feb 2010 15:06:36 +0000 Subject: Re: [c-nsp] ISSU on SXF -> SXI > On 12/02/10 14:47, Rob Shakir wrote: > > > > This seems quite accurate to me. > > > > Our experience of ISSU has been terrible. We've found multiple bugs > > related to it, and have found that -- in general -- we're much better > > off in terms of service disruption with a "classic" upgrade (upgrade > > secondary, reload peer, force failover, etc). > > > > Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet > > our requirements, and hence we are better off doing classic upgrades. > > We've taken their advice, and will not be trying it again. I think > > As it happens I just did a "half-test" on one of our boxes where I > did the "issu loadversion" so that I could see what it told me about > outage times - and all kinds of horrific messages started spraying > onto the console about missing ifindex values, IDB failures and so forth. > > I quickly did an "issu abortversion" > > Bah. Thanks a lot Cisco...
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From linux.yahoo at gmail.com Fri Feb 12 11:04:32 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Fri, 12 Feb 2010 17:04:32 +0100
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01>
Message-ID: <7100ed371002120804s7b2c65bv8abe6d1a1bb4745@mail.gmail.com>

Is it a new Datacenter?

On Fri, Feb 12, 2010 at 4:37 PM, Livio Zanol Puppim <livio.zanol.puppim at gmail.com> wrote:
> Ok...
>
> Let's try again, more simplified.
>
> Using a DC topology with Nexus family, I must have, for gigabit
> connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000.
>
> Using traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G
> ports from Nexus 5000 for access.
>
> That's my only problem, losing ports on the 5000... Is it clear enough?
>
> Can you give me a good reason to use the first design?
>
> 2010/2/12 Tony Varriale
>
> > ----- Original Message -----
> > From: "Livio Zanol Puppim" <livio.zanol.puppim at gmail.com>
> > To: "Jason Plank"
> > Cc: "Cisco NSP ((E-mail))'"
> > Sent: Thursday, February 11, 2010 7:18 PM
> > Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
> >
> > > Brad,
> > >
> > > Can't I make "the cloud" with traditional switches (4948 for example)?
> >
> > You can call it what you'd like.
> >
> > > As I've said before, my only concern is that I'll lose A LOT of access
> > > ports on Nexus 5000 that could be used by servers with 10GE/FCoE.
> >
> > Ok, maybe I missed something. What are you trying to do? High density 1
> > gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k does
> > that.
> >
> > > I'm expecting that 10G (with FCoE) will dominate the servers design, so
> > > my loss will be huge.
> >
> > It will be a large part of the future, no doubt. Your loss?
> >
> > > If Nexus 2000 could be attached directly to a Nexus 7000 (it is not
> > > quite difficult to make that work) the design would perfectly fit our needs.
> >
> > As I've stated before, there is no if. Not sure how many more times I have
> > to say it...
> >
> > tv
>
> --
> []'s
>
> Lívio Zanol Puppim

From lists at hojmark.org Fri Feb 12 11:13:16 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Fri, 12 Feb 2010 17:13:16 +0100
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01>
Message-ID: <9avan5d6alsvcs919nmugogsdu6ct3mv89@hojmark.net>

On Fri, 12 Feb 2010 13:37:43 -0200, you wrote:
> Using a DC topology with Nexus family, I must have, for gigabit
> connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000.
>
> Using traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G
> ports from Nexus 5000 for access.
>
> That's my only problem, losing ports on the 5000... Is it clear enough?
>
> Can you give me a good reason to use the first design?

Well, the 10G ports on the N7K are more than twice as expensive as the 10G ports on the N5K.

-A

From livio.zanol.puppim at gmail.com Fri Feb 12 11:32:44 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim)
Date: Fri, 12 Feb 2010 14:32:44 -0200
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01>

Now we're talking. Replies later

2010/2/12
> Given the pricing, I'd be more concerned about "losing ports" on the Nexus
> 7000 than on the 5000.
>
> A modest Nexus 7010 (two sups, four 32-port cards, two power supplies, LAN
> software license) lists for just under US$400,000 using bundle pricing.
>
> That gets you 128 10Gb/s ports, oversubscribed 4:1.
>
> So, US$3125 per port (US$12,500 per non-blocking port).
>
> Those ports don't support the inexpensive twinax cables, so add another
> US$3,600 to put SR optics on both ends of each link.
>
> The Nexus 5000 OTOH lists for about US$40,000 (dual power 5020 with 40
> ports and base license). US$1,000 per non-blocking port. And these ports
> support the twinax cables ($150-$250 / cable)
>
> With optics (on both ends), N7K: $6,700 to $15,100 per port.
> With twinax cables, N5K: $1,200 per port.
>
> And the N5K pricing gets even better when you price the bundle option with
> 6 2148Ts, optics and twinax cables.
>
> If you have a requirement for several hundred 1Gb/s ports with no
> oversubscription through the core, then the 5K might not be any help.
>
> /chris
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Livio Zanol Puppim
> Sent: Friday, February 12, 2010 10:38 AM
> To: Tony Varriale
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer

--
[]'s

Lívio Zanol Puppim

From tvarriale at comcast.net Fri Feb 12 12:11:58 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 12 Feb 2010 11:11:58 -0600
Subject: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer
Message-ID: <7B1755456FCF43F08085463918FDE845@flamdt01>

> ----- Original Message -----
> From: Livio Zanol Puppim
> To: Tony Varriale
> Cc: cisco-nsp at puck.nether.net
> Sent: Friday, February 12, 2010 9:37 AM
> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
>
> Ok...
>
> Let's try again, more simplified.
>
> Using a DC topology with Nexus family, I must have, for gigabit connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000.

Why not just plug directly into the 7k? It has 48 port 1g blades...tx and fiber.

tv

From livio.zanol.puppim at gmail.com Fri Feb 12 12:37:11 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim)
Date: Fri, 12 Feb 2010 15:37:11 -0200
Subject: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: <7B1755456FCF43F08085463918FDE845@flamdt01>
References: <7B1755456FCF43F08085463918FDE845@flamdt01>

I need 8 x 48 ports, and I do not want to use 4 modules at my Distribution/Core switches for this purpose.

Also, this will bring a lot of cable complexity.

My planned core/distribution line cards: 2 supervisors, X fabrics, 2 10GbE

2010/2/12 Tony Varriale
> Why not just plug directly into the 7k? It has 48 port 1g blades...tx and
> fiber.
>
> tv

--
[]'s

Lívio Zanol Puppim

From livio.zanol.puppim at gmail.com Fri Feb 12 12:43:44 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim)
Date: Fri, 12 Feb 2010 15:43:44 -0200
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: <7100ed371002120804s7b2c65bv8abe6d1a1bb4745@mail.gmail.com>
References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> <7100ed371002120804s7b2c65bv8abe6d1a1bb4745@mail.gmail.com>

Yes.

2010/2/12 Manu Chao
> Is it a new Datacenter?
--
[]'s

Lívio Zanol Puppim

From paul at paulstewart.org Fri Feb 12 12:11:32 2010
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 12 Feb 2010 12:11:32 -0500
Subject: [c-nsp] LAG Problem Cisco/Juniper
Message-ID: <001901caac06$6d57eae0$4807c0a0$@org>

Hey folks. I'm cross posting this so apologies if you are on both lists.

Trying to get a LAG group up between a Juniper EX4200 switch and a Cisco 7606 using a pair of GigE's - rush job etc.. can't get the group to come up and missing something obvious ;)

Cisco:

interface GigabitEthernet3/25
 description ----------
 switchport
 switchport access vlan 56
 switchport mode access
 no cdp enable
 channel-protocol lacp
 channel-group 2 mode active

interface GigabitEthernet3/37
 description --------------
 switchport
 switchport access vlan 56
 switchport mode access
 no cdp enable
 channel-protocol lacp
 channel-group 2 mode active

interface Port-channel2
 description --------------
 switchport
 switchport access vlan 56
 switchport mode access
end

Juniper Side:

ge-0/0/35 {
    description xxxxx-1;
    ether-options {
        802.3ad ae0;
    }
}
ge-0/0/47 {
    description xxxxxx-2;
    ether-options {
        802.3ad ae0;
    }
}
ae0 {
    aggregated-ether-options {
        minimum-links 1;
        link-speed 1g;
        lacp {
            passive;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members xxxxxx;
            }
        }
    }
}

From livio.zanol.puppim at gmail.com Fri Feb 12 12:54:26 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim)
Date: Fri, 12 Feb 2010 15:54:26 -0200
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01>

Correcting my last e-mail: Actually, it's a new datacenter for existing servers and at the same time it must support new applications.

Christopher,

We are planning to use only Fiber Optics, no twinax cables. Also, I can't use 10G/FCoE at Nexus 7000. But you have a good argument.

2010/2/12
> Given the pricing, I'd be more concerned about "losing ports" on the Nexus
> 7000 than on the 5000.

--
[]'s

Lívio Zanol Puppim

From BBlackford at nwresd.k12.or.us Fri Feb 12 13:03:19 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Fri, 12 Feb 2010 10:03:19 -0800
Subject: [c-nsp] LAG Problem Cisco/Juniper
In-Reply-To: <001901caac06$6d57eae0$4807c0a0$@org>
References: <001901caac06$6d57eae0$4807c0a0$@org>
Message-ID: <6069A203FD01884885C037F81DD750801742DA1274@wsc-mail-01.intra.nwresd.k12.or.us>

I'm not an expert on this subject, but I do notice you don't have a 'chassis' stanza. Also, each physical interface should probably have the speed forced as well. The following works for my LAGs. Obviously, I'm using port-mode trunk on mine.

chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
ge-0/0/46 {
    ether-options {
        speed {
            1g;
        }
        802.3ad ae0;
    }
}
ge-0/0/47 {
    ether-options {
        speed {
            1g;
        }
        802.3ad ae0;
    }
}
ae0 {
    aggregated-ether-options {
        lacp {
            active;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members all;
            }
            native-vlan-id 1;
        }
    }
}

-b

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 12, 2010 9:12 AM
To: cisco-nsp at puck.nether.net
Cc: juniper-nsp at puck.nether.net
Subject: [c-nsp] LAG Problem Cisco/Juniper

> Hey folks. I'm cross posting this so apologies if you are on both lists.
>
> Trying to get a LAG group up between a Juniper EX4200 switch and a Cisco 7606 using a pair of GigE's - rush job etc.. can't get the group to come up and missing something obvious ;)

From jshearer at amedisys.com Fri Feb 12 13:17:01 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Fri, 12 Feb 2010 12:17:01 -0600
Subject: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer
References: <7B1755456FCF43F08085463918FDE845@flamdt01>

Sounds like you need to wait a bit. Talk to your Cisco account team regarding the support for FEXs landing on the 7K. I know it was a rumored feature as many customers have been requesting it.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Livio Zanol Puppim
Sent: Friday, February 12, 2010 11:37 AM
To: Tony Varriale
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer

> I need 8 x 48 ports, and I do not want to use 4 modules at my Distribution/Core switches for this purpose.
>
> Also, this will bring a lot of cable complexity.
>
> My planned core/distribution line cards: 2 supervisors, X fabrics, 2 10GbE
>
> --
> []'s
>
> Lívio Zanol Puppim

*** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error.
*** From tvarriale at comcast.net Fri Feb 12 16:05:53 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Fri, 12 Feb 2010 15:05:53 -0600 Subject: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer References: <7B1755456FCF43F08085463918FDE845@flamdt01> Message-ID: <2ED12D8009DC41579933CDD0C958C667@flamdt01> ----- Original Message ----- From: Livio Zanol Puppim To: Tony Varriale Cc: cisco-nsp at puck.nether.net Sent: Friday, February 12, 2010 11:37 AM Subject: Re: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer I need 8 x 48 ports, and I do not want to use 4 modules at my Distribution/Core switches for this purpose. Also, this will bring a lot of cable complexity My planned core/distribution line cards: 2 supervisors, X fabrics, 2 10GbE Ok, so use another switch(es) (6500 or something) or wait until the 2k is supported on the 7k. You don't have to use the 2ks. You have 5 different options here. Pick one. tv From cisco-nsp at slepicka.net Fri Feb 12 16:12:25 2010 From: cisco-nsp at slepicka.net (James Slepicka) Date: Fri, 12 Feb 2010 15:12:25 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <4B62229D.1080002@inex.ie> References: <4B62229D.1080002@inex.ie> Message-ID: <4B75C439.4060202@slepicka.net> >>- does not support 10/100, only 1000 sigh... I just got bit by this one again trying to install a vendor-provided server with 10/100 interfaces only. Nick Hilliard wrote: > On 28/01/2010 20:54, Livio Zanol Puppim wrote: > >> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst >> 4948 as access layers switches? >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that >> could be used by servers with 10GbE/FCoE servers. >> > > the current generation of n2k: > > - does not support 10/100, only 1000 > - has serious etherchannel limitations > - no netflow > - no rspan / erspan > > It's an interesting switch which should improve lots in the next generation > of hardware. 
But right now, it is very specifically aimed at a particular > niche. For that niche, it will perform very well indeed, but it's not > really a general purpose access switch. > > wrt NX-OS vs. IOS, they are two different systems. NX-OS is very young in > its development cycle; IOS is much more mature and has many more features. > > Nick > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jshearer at amedisys.com Fri Feb 12 16:59:46 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Fri, 12 Feb 2010 15:59:46 -0600 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD302B98245@kenya.tronet.as> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f3 23sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B 7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk><7DE10E64-A4BE -4AE3-9345-456D41768947@eng.gxn.net> <6B43981C32F8464CB24CEE209DA32BD302B98245@kenya.tronet.as> Message-ID: Cool. I might have to try SXI to SXI3 on a sacrificial chassis. Jason -----Original Message----- From: Daniska, Tomas [mailto:tomas at soitron.com] Sent: Friday, February 12, 2010 3:57 PM To: Jason Shearer; Rob Shakir; Phil Mayers Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] ISSU on SXF -> SXI I have experienced ISSU SXI2 to SXI2a on four VSSs, worked liked a charm, two times a second or so blackout. But then, 2->2a is nothing major... -- deejay > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jason Shearer > Sent: Friday, February 12, 2010 3:55 PM > To: Rob Shakir; Phil Mayers > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ISSU on SXF -> SXI > > I haven't tried ISSU with our VSS pairs but this is about what I > expected. 
Too many caveats to risk it, eh? > > Jason > > -----Original Message----- > From: Rob Shakir [mailto:rjs at eng.gxn.net] > Sent: Friday, February 12, 2010 8:48 AM > To: Phil Mayers > Cc: Jason Shearer; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ISSU on SXF -> SXI > > > On 12 Feb 2010, at 12:29, Phil Mayers wrote: > > > * The old and new image are not ISSU-compatible (different major > releases or feature sets) - in which case an RPR upgrade is the best > you can do. > > > > * The old and new images are ISSU compatible, and the linecard > software has not changed. In this case, the linecards do not need to be > restarted, and downtimes of 0-3 seconds can be achieved because it's > basically just an SSO switchover. > > > > * The old and new images are ISSU compatible but the linecard > software is different, so the linecards need to be restarted into the > new image - this can be a faster, warm boot (if the linecard has enough > RAM) or a slower, cold boot (if not) > > > > I think that's about right? > > This seems quite accurate to me. > > Our experience of ISSU has been terrible. We've found multiple bugs > related to it, and have found that -- in general -- we're much better > off in terms of service disruption with a "classic" upgrade (upgrade > secondary, reload peer, force failover, etc). > > Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet > our requirements, and hence we are better off doing classic upgrades. > We've taken their advice, and will not be trying it again. I think it's > suited for deployments where you have 30+ boxes that are identical in > terms of configuration, and hardware, but in the SP environment (like > us), the variance of boxes means that it's just not worthwhile. 
> > > Kind regards, > Rob > > -- > Rob Shakir > Network Development Engineer GX Networks/Vialtus Solutions > ddi: +44208 587 6077 mob: +44797 155 4098 > pgp: 0xc07e6deb nic-hdl: RJS-RIPE > > This email is subject to: http://www.vialtus.com/disclaimer.html > > > *** NOTICE--The attached communication contains privileged and > confidential information. If you are not the intended recipient, DO NOT > read, copy, or disseminate this communication. Non-intended recipients > are hereby placed on notice that any unauthorized disclosure, > duplication, distribution, or taking of any action in reliance on the > contents of these materials is expressly prohibited. If you have > received this communication in error, please delete this information in > its entirety and contact the Amedisys Privacy Hotline at 1-866-518- > 6684. Also, please immediately notify the sender via e-mail that you > have received this communication in error. *** > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ *** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. 
*** From tomas at soitron.com Fri Feb 12 16:57:29 2010 From: tomas at soitron.com (Daniska, Tomas) Date: Fri, 12 Feb 2010 22:57:29 +0100 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk><7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> Message-ID: <6B43981C32F8464CB24CEE209DA32BD302B98245@kenya.tronet.as> I have experienced ISSU SXI2 to SXI2a on four VSSs, worked liked a charm, two times a second or so blackout. But then, 2->2a is nothing major... -- deejay > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jason Shearer > Sent: Friday, February 12, 2010 3:55 PM > To: Rob Shakir; Phil Mayers > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ISSU on SXF -> SXI > > I haven't tried ISSU with our VSS pairs but this is about what I > expected. Too many caveats to risk it, eh? > > Jason > > -----Original Message----- > From: Rob Shakir [mailto:rjs at eng.gxn.net] > Sent: Friday, February 12, 2010 8:48 AM > To: Phil Mayers > Cc: Jason Shearer; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ISSU on SXF -> SXI > > > On 12 Feb 2010, at 12:29, Phil Mayers wrote: > > > * The old and new image are not ISSU-compatible (different major > releases or feature sets) - in which case an RPR upgrade is the best > you can do. > > > > * The old and new images are ISSU compatible, and the linecard > software has not changed. In this case, the linecards do not need to be > restarted, and downtimes of 0-3 seconds can be achieved because it's > basically just an SSO switchover. 
> > > > * The old and new images are ISSU compatible but the linecard > software is different, so the linecards need to be restarted into the > new image - this can be a faster, warm boot (if the linecard has enough > RAM) or a slower, cold boot (if not) > > > > I think that's about right? > > This seems quite accurate to me. > > Our experience of ISSU has been terrible. We've found multiple bugs > related to it, and have found that -- in general -- we're much better > off in terms of service disruption with a "classic" upgrade (upgrade > secondary, reload peer, force failover, etc). > > Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet > our requirements, and hence we are better off doing classic upgrades. > We've taken their advice, and will not be trying it again. I think it's > suited for deployments where you have 30+ boxes that are identical in > terms of configuration, and hardware, but in the SP environment (like > us), the variance of boxes means that it's just not worthwhile. > > > Kind regards, > Rob > > -- > Rob Shakir > Network Development Engineer GX Networks/Vialtus Solutions > ddi: +44208 587 6077 mob: +44797 155 4098 > pgp: 0xc07e6deb nic-hdl: RJS-RIPE > > This email is subject to: http://www.vialtus.com/disclaimer.html
From m_attia100100 at hotmail.com Fri Feb 12 23:17:31 2010 From: m_attia100100 at hotmail.com (mohamed attia) Date: Sat, 13 Feb 2010 04:17:31 +0000 Subject: [c-nsp] SNMP process 45% Message-ID: Hi, can anyone help me, as I noticed that our Cisco VXR 7200 has process 100% and after checking I detect that SNMP ENGINE only reaches 45%. CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: 99% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 231 4428660 3798727 1165 46.12% 45.46% 44.28% 0 SNMP ENGINE 73 198346604 837505469 236 0.55% 0.52% 0.56% 0 IP Input 245 278646264 832638396 334 0.47% 0.40% 0.40% 0 BGP Router Best Regards, ----------------------------------- Eng. : Mohamed Attia Tel: +2 010 2039799 _________________________________________________________________ Hotmail: Powerful Free email with security by Microsoft. http://clk.atdmt.com/GBL/go/201469230/direct/01/ From randy_94108 at yahoo.com Fri Feb 12 23:29:03 2010 From: randy_94108 at yahoo.com (Randy) Date: Fri, 12 Feb 2010 20:29:03 -0800 (PST) Subject: [c-nsp] SNMP process 45% In-Reply-To: Message-ID: <547525.60704.qm@web80508.mail.mud.yahoo.com> "sh proc cpu sorted" is your friend. Output will be *sorted* from most (snmp in this case) to least. Add up the utils of the first few and you will be able to account for the remaining 55% --- On Fri, 2/12/10, mohamed attia wrote: From: mohamed attia Subject: [c-nsp] SNMP process 45% To: cisco-nsp at puck.nether.net Date: Friday, February 12, 2010, 8:17 PM Hi, can anyone help me, as I noticed that our Cisco VXR 7200 has process 100% and after checking I detect that SNMP ENGINE only reaches 45%. CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: 99% PID Runtime(ms) Invoked
uSecs 5Sec 1Min 5Min TTY Process 231 4428660 3798727 1165 46.12% 45.46% 44.28% 0 SNMP ENGINE 73 198346604 837505469 236 0.55% 0.52% 0.56% 0 IP Input 245 278646264 832638396 334 0.47% 0.40% 0.40% 0 BGP Router Best Regards, ----------------------------------- Eng. : Mohamed Attia Tel: +2 010 2039799 _________________________________________________________________ Hotmail: Powerful Free email with security by Microsoft. http://clk.atdmt.com/GBL/go/201469230/direct/01/ From m_attia100100 at hotmail.com Fri Feb 12 23:39:34 2010 From: m_attia100100 at hotmail.com (mohamed attia) Date: Sat, 13 Feb 2010 04:39:34 +0000 Subject: [c-nsp] SNMP process 45% In-Reply-To: <547525.60704.qm@web80508.mail.mud.yahoo.com> References: , <547525.60704.qm@web80508.mail.mud.yahoo.com> Message-ID: Hi Randy, thanks for your help, but the show below is show process cpu sorted as you mentioned. But I am still facing the same problem. Best Regards, ----------------------------------- Eng. : Mohamed Attia Tel: +2 010 2039799 Date: Fri, 12 Feb 2010 20:29:03 -0800 From: randy_94108 at yahoo.com Subject: Re: [c-nsp] SNMP process 45% To: cisco-nsp at puck.nether.net; m_attia100100 at hotmail.com "sh proc cpu sorted" is your friend. Output will be *sorted* from most (snmp in this case) to least. Add up the utils of the first few and you will be able to account for the remaining 55% --- On Fri, 2/12/10, mohamed attia wrote: From: mohamed attia Subject: [c-nsp] SNMP process 45% To: cisco-nsp at puck.nether.net Date: Friday, February 12, 2010, 8:17 PM Hi, can anyone help me, as I noticed that our Cisco VXR 7200 has process 100% and after checking I detect that SNMP ENGINE only reaches 45%.
CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: 99% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 231 4428660 3798727 1165 46.12% 45.46% 44.28% 0 SNMP ENGINE 73 198346604 837505469 236 0.55% 0.52% 0.56% 0 IP Input 245 278646264 832638396 334 0.47% 0.40% 0.40% 0 BGP Router Best Regards, ----------------------------------- Eng. : Mohamed Attia Tel: +2 010 2039799 _________________________________________________________________ Hotmail: Powerful Free email with security by Microsoft. http://clk.atdmt.com/GBL/go/201469230/direct/01/ _________________________________________________________________ Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. http://clk.atdmt.com/GBL/go/201469229/direct/01/ From sethm at rollernet.us Sat Feb 13 01:05:29 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Fri, 12 Feb 2010 22:05:29 -0800 Subject: [c-nsp] SNMP process 45% In-Reply-To: References: , <547525.60704.qm@web80508.mail.mud.yahoo.com> Message-ID: <4B764129.9030203@rollernet.us> On 2/12/10 8:39 PM, mohamed attia wrote: > > Hi Randy, > > > > thanks for your help, but the show below is show process cpu sorted as you mentioned. > > > > But I am still facing the same problem. > Is someone flooding your SNMP? Do you have an ACL on SNMP? ~Seth From illcritikz at gmail.com Sat Feb 13 06:20:50 2010 From: illcritikz at gmail.com (bjs) Date: Sat, 13 Feb 2010 22:20:50 +1100 Subject: [c-nsp] SNMP process 45% In-Reply-To: References: Message-ID: <4422cf661002130320g243ebc5ax51161ba3f7ba0dd8@mail.gmail.com> Is it that you don't understand why your CPU is at 100% when SNMP is only chewing 45% and the other processes don't make up the difference? Just to clear it up in case that is your question...
Your "sh proc cpu sort" looks like: *CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: 99%* So the 5 second interval "99%/49%" is saying you are using 99% of the CPU, of which 49% is at interrupt (ie your normal CEF switched traffic); you have a remaining 50% being used by processes as seen in the list: PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 231 4428660 3798727 1165 46.12% 45.46% 44.28% 0 SNMP ENGINE 73 198346604 837505469 236 0.55% 0.52% 0.56% 0 IP Input 245 278646264 832638396 334 0.47% 0.40% 0.40% 0 BGP Router So I'm sure if you added up all your processes there you would find it equals that 50%. Now given your 1 and 5 minute CPU utilization is at 99% and more specifically your "SNMP ENGINE" process is at ~45% for 5 min avg, your real problem here (as other people have mentioned) is SNMP; you need to check out what devices are polling your router and sort it out. Once you resolve the SNMP issue you can expect the CPU to drop to around 50-55% bjs On Sat, Feb 13, 2010 at 3:17 PM, mohamed attia wrote: > > > > Hi, > > > > can anyone help me, as I noticed that our Cisco VXR 7200 has process 100% > and after checking I detect that SNMP ENGINE only reaches 45%. > > > > > CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: > 99% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 231 4428660 3798727 1165 46.12% 45.46% 44.28% 0 SNMP ENGINE > 73 198346604 837505469 236 0.55% 0.52% 0.56% 0 IP Input > 245 278646264 832638396 334 0.47% 0.40% 0.40% 0 BGP Router > > > > > > > Best Regards, > ----------------------------------- > Eng. : Mohamed Attia > Tel: +2 010 2039799 > > > > > > _________________________________________________________________ > Hotmail: Powerful Free email with security by Microsoft.
> http://clk.atdmt.com/GBL/go/201469230/direct/01/ From BBlackford at nwresd.k12.or.us Sat Feb 13 10:29:48 2010 From: BBlackford at nwresd.k12.or.us (Bill Blackford) Date: Sat, 13 Feb 2010 07:29:48 -0800 Subject: [c-nsp] SNMP process 45% In-Reply-To: <4422cf661002130320g243ebc5ax51161ba3f7ba0dd8@mail.gmail.com> References: , <4422cf661002130320g243ebc5ax51161ba3f7ba0dd8@mail.gmail.com> Message-ID: <6069A203FD01884885C037F81DD750801742DCDDB7@wsc-mail-01.intra.nwresd.k12.or.us> What is being polled is something to look at. I had an SNMP poller getting the route table and at a couple of full feeds, that seemed to be enough to add a high CPU load. (C7600/RSP720) I can second the ACL to limit who can poll. -b ________________________________________ From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of bjs [illcritikz at gmail.com] Sent: Saturday, February 13, 2010 3:20 AM To: mohamed attia Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] SNMP process 45% Is it that you don't understand why your cpu is at 100% when SNMP is only chewing 45% and the other processes don't make up the difference? Just to clear it up in case that is your question...
Your "sh proc cpu sort" looks like: *CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: 99%* So the 5 second interval "99%/49%" is saying you are using 99% of the CPU, of which 49% is at interrupt (ie your normal CEF switched traffic); you have a remaining 50% being used by processes as seen in the list: PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 231 4428660 3798727 1165 46.12% 45.46% 44.28% 0 SNMP ENGINE 73 198346604 837505469 236 0.55% 0.52% 0.56% 0 IP Input 245 278646264 832638396 334 0.47% 0.40% 0.40% 0 BGP Router So I'm sure if you added up all your processes there you would find it equals that 50%. Now given your 1 and 5 minute CPU utilization is at 99% and more specifically your "SNMP ENGINE" process is at ~45% for 5 min avg, your real problem here (as other people have mentioned) is SNMP; you need to check out what devices are polling your router and sort it out. Once you resolve the SNMP issue you can expect the CPU to drop to around 50-55% bjs On Sat, Feb 13, 2010 at 3:17 PM, mohamed attia wrote: > > > > Hi, > > > > can anyone help me, as I noticed that our Cisco VXR 7200 has process 100% > and after checking I detect that SNMP ENGINE only reaches 45%. > > > > > CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: > 99% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 231 4428660 3798727 1165 46.12% 45.46% 44.28% 0 SNMP ENGINE > 73 198346604 837505469 236 0.55% 0.52% 0.56% 0 IP Input > 245 278646264 832638396 334 0.47% 0.40% 0.40% 0 BGP Router > > > > > > > Best Regards, > ----------------------------------- > Eng. : Mohamed Attia > Tel: +2 010 2039799 > > > > > > _________________________________________________________________ > Hotmail: Powerful Free email with security by Microsoft.
> http://clk.atdmt.com/GBL/go/201469230/direct/01/ From ler762 at gmail.com Sat Feb 13 11:09:22 2010 From: ler762 at gmail.com (Lee) Date: Sat, 13 Feb 2010 11:09:22 -0500 Subject: [c-nsp] SNMP process 45% In-Reply-To: <6069A203FD01884885C037F81DD750801742DCDDB7@wsc-mail-01.intra.nwresd.k12.or.us> References: <4422cf661002130320g243ebc5ax51161ba3f7ba0dd8@mail.gmail.com> <6069A203FD01884885C037F81DD750801742DCDDB7@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: On 2/13/10, Bill Blackford wrote: > What is being polled is something to look at. I had an SNMP poller getting > the route table and at a couple of full feeds, that seemed to be enough to > add a high CPU load. (C7600/RSP720) > > I can second the ACL to limit who can poll. In addition to limiting who can poll you can also limit what they can poll. eg snmp-server view noload internet included snmp-server view noload internet.6.3.16 excluded snmp-server view noload atEntry excluded snmp-server view noload ipRouteEntry excluded snmp-server view noload ipNetToMediaEntry excluded snmp-server community public view noload RO 2 Regards, Lee > ________________________________________ > From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] > On Behalf Of bjs [illcritikz at gmail.com] > Sent: Saturday, February 13, 2010 3:20 AM > To: mohamed attia > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] SNMP process 45% > > Is it that you don't understand why your cpu is at 100% when SNMP is only > chewing 45% and the other processes don't make up the difference?
> > Just to clear it up in case that is your question... > > Your "sh proc cpu sort" looks like: > > *CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: > 99%* > > So the 5 second interval "99%/49%" is saying you are using 99% of the CPU, of > which 49% is at interrupt (ie your normal CEF switched traffic); you have a > remaining 50% being used by processes as seen in the list: > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 231 4428660 3798727 1165 46.12% 45.46% 44.28% 0 SNMP ENGINE > 73 198346604 837505469 236 0.55% 0.52% 0.56% 0 IP Input > 245 278646264 832638396 334 0.47% 0.40% 0.40% 0 BGP Router > > So I'm sure if you added up all your processes there you would find it > equals that 50%. > > Now given your 1 and 5 minute CPU utilization is at 99% and more > specifically your "SNMP ENGINE" process is at ~45% for 5 min avg, your real > problem here (as other people have mentioned) is SNMP; you need to check out > what devices are polling your router and sort it out. > > Once you resolve the SNMP issue you can expect the CPU to drop to around > 50-55% > > bjs > > On Sat, Feb 13, 2010 at 3:17 PM, mohamed attia > wrote: > >> >> >> >> Hi, >> >> >> >> can anyone help me, as I noticed that our Cisco VXR 7200 has process 100% >> and after checking I detect that SNMP ENGINE only reaches 45%. >> >> >> >> >> CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: >> 99% >> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >> 231 4428660 3798727 1165 46.12% 45.46% 44.28% 0 SNMP ENGINE >> 73 198346604 837505469 236 0.55% 0.52% 0.56% 0 IP Input >> 245 278646264 832638396 334 0.47% 0.40% 0.40% 0 BGP Router >> >> >> >> >> >> >> Best Regards, >> ----------------------------------- >> Eng. : Mohamed Attia >> Tel: +2 010 2039799 >> >> >> >> >> >> _________________________________________________________________ >> Hotmail: Powerful Free email with security by Microsoft.
>> http://clk.atdmt.com/GBL/go/201469230/direct/01/ From daveyjatin at gmail.com Sun Feb 14 12:33:00 2010 From: daveyjatin at gmail.com (Jatin) Date: Sun, 14 Feb 2010 23:03:00 +0530 Subject: [c-nsp] Mailing lists for SMB Market (Cisco or Non-Cisco) Message-ID: <4B7833CC.9070706@gmail.com> Hi, are there any mailing lists like this one catering to the SMB market space? Thanks Jatin From me at falz.net Sun Feb 14 20:25:54 2010 From: me at falz.net (Chris Wopat) Date: Sun, 14 Feb 2010 19:25:54 -0600 Subject: [c-nsp] 2811 login issues Message-ID: > Date: Tue, 9 Feb 2010 11:36:21 -0600 > From: Chris Wopat > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] 2811 login issues > > I have a 2811 that stopped accepting logins from its FastEthernet > interface last week out of the blue. When this happened there were no > config changes, router reboots, etc. It has a Multilink bundle > unnumbered via that FastEthernet interface and it *does* accept logins > from this direction. Config is simple, a default route via FA and a > /24 via MU. Although no one replied, I'd like to post the solution to this to potentially help anyone reading this in the future.
For the first few minutes after the router is booted (all interfaces are up during this period): # sh ip route | inc 3.88 C 10.170.3.88/29 is directly connected, FastEthernet0/0 Then for some reason 5-10 minutes later it would change to: # sh ip route | inc 3.88 C 10.170.3.88/32 is directly connected, FastEthernet0/0 Numbering Mu1 fixed it. I still have no clue why this was happening but am content with it being fixed. I have even less of a clue as to why this just started happening out of the blue one day after being up for many months with no config changes, interface flaps or even user logins, but am happy that it's working. --Chris From arl at nordicom.tele.dk Mon Feb 15 03:27:38 2010 From: arl at nordicom.tele.dk (Arne Larsen) Date: Mon, 15 Feb 2010 09:27:38 +0100 Subject: [c-nsp] vs ace4710 and cisco 6500-vss Message-ID: <4B79057A.3090207@nordicom.tele.dk> Hi all. Can someone give me a hint. I'm trying to install a ha-setup with ace4710 on a vss environment. It seems that the two boxes can't see each other via the trunks. I have used one interface for management only and bundled the others into 1 etherchannel. I have the following configured on the channel. I made a test setup on a 3750 switch to test, before deploying this on the 6500, and that seemed to work fine. Is there something that is pulling my leg? I attended a session at Networkers in Barcelona, and the guy who taught there would make the documentation available on the web, but I can't find it. Has anyone of you seen this doc? I've also searched the web for a book about ace, but again I can't find anything.
Are there some of you who know where I can get my hands on this? /Arne interface port-channel 1 ft-port vlan 3085 switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 port-channel load-balance src-dst-port no shutdown and this configured on the physical interfaces speed 1000M duplex FULL carrier-delay 30 qos trust cos channel-group 1 no shutdown on the vss environment I have this on the etherchannel interface Port-channel30 description B: portchannel for ACE4710 load balancer switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 switchport mode trunk switchport nonegotiate mls qos trust cos and this configured on the physical interfaces switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 switchport mode trunk switchport nonegotiate mls qos trust cos spanning-tree portfast edge channel-group 30 mode on From pavel.skovajsa at gmail.com Mon Feb 15 03:50:06 2010 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Mon, 15 Feb 2010 09:50:06 +0100 Subject: [c-nsp] vs ace4710 and cisco 6500-vss In-Reply-To: <4B79057A.3090207@nordicom.tele.dk> References: <4B79057A.3090207@nordicom.tele.dk> Message-ID: <323aca891002150050o26e92072gd6837f0e1e14af32@mail.gmail.com> Hi Arne, according to http://www.cisco.com/web/DK/assets/docs/presentations/12233sxi_0109.pdf you need to run at least SXI on the VSS and A2(1.2) on ACE. -pavel On Mon, Feb 15, 2010 at 9:27 AM, Arne Larsen wrote: > Hi all. > > > Can someone give me a hint. I'm trying to install a ha-setup with ace4710 on > a vss environment. > It seems that the two boxes can't see each other via the trunks. > I have used one interface for management only and bundled the others into 1 > etherchannel. > I have the following configured on the channel. > I made a test setup on a 3750 switch to test, before deploying this on the > 6500, and that seemed to work fine.
> Is there something that is pulling my leg? > I attended a session at Networkers in Barcelona, and the guy who taught > there would make the documentation available on the web, but I can't find > it. Has anyone of you seen this doc? I've also searched the web for a book > about ace, but again I can't find anything. Are there some of you who know > where I can get my hands on this? > > /Arne > > interface port-channel 1 > ft-port vlan 3085 > switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 > port-channel load-balance src-dst-port > no shutdown > > and this configured on the physical interfaces > > speed 1000M > duplex FULL > carrier-delay 30 > qos trust cos > channel-group 1 > no shutdown > > on the vss environment I have this on the etherchannel > > interface Port-channel30 > description B: portchannel for ACE4710 load balancer > switchport > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 > switchport mode trunk > switchport nonegotiate > mls qos trust cos > > and this configured on the physical interfaces > > switchport > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 > switchport mode trunk > switchport nonegotiate > mls qos trust cos > spanning-tree portfast edge > channel-group 30 mode on From arl at nordicom.tele.dk Mon Feb 15 04:29:44 2010 From: arl at nordicom.tele.dk (Arne Larsen) Date: Mon, 15 Feb 2010 10:29:44 +0100 Subject: [c-nsp] vs ace4710 and cisco 6500-vss In-Reply-To: <323aca891002150050o26e92072gd6837f0e1e14af32@mail.gmail.com> References: <4B79057A.3090207@nordicom.tele.dk> <323aca891002150050o26e92072gd6837f0e1e14af32@mail.gmail.com> Message-ID: <4B791408.3080308@nordicom.tele.dk> Pavel Skovajsa wrote:
>Hi Arne, > >according to http://www.cisco.com/web/DK/assets/docs/presentations/12233sxi_0109.pdf >you need to run at least SXI on the VSS and A2(1.2) on ACE. > >-pavel > >On Mon, Feb 15, 2010 at 9:27 AM, Arne Larsen wrote: > > >>Hi all. >> >> >>Can someone give me a hint. I'm trying to install a ha-setup with ace4710 on >>a vss environment. >>It seems that the two boxes can't see each other via the trunks. >>I have used one interface for management only and bundled the others into 1 >>etherchannel. >>I have the following configured on the channel. >>I made a test setup on a 3750 switch to test, before deploying this on the >>6500, and that seemed to work fine. >>Is there something that is pulling my leg? >>I attended a session at Networkers in Barcelona, and the guy who taught >>there would make the documentation available on the web, but I can't find >>it. Has anyone of you seen this doc? I've also searched the web for a book >>about ace, but again I can't find anything. Are there some of you who know >>where I can get my hands on this? >> >>/Arne >> >>interface port-channel 1 >>ft-port vlan 3085 >>switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 >>port-channel load-balance src-dst-port >>no shutdown >> >>and this configured on the physical interfaces >> >>speed 1000M >>duplex FULL >>carrier-delay 30 >>qos trust cos >>channel-group 1 >>no shutdown >> >>on the vss environment I have this on the etherchannel >> >>interface Port-channel30 >>description B: portchannel for ACE4710 load balancer >>switchport >>switchport trunk encapsulation dot1q >>switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 >>switchport mode trunk >>switchport nonegotiate >>mls qos trust cos >> >>and this configured on the physical interfaces >> >>switchport >>switchport trunk encapsulation dot1q >>switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 >>switchport mode trunk >>switchport nonegotiate >>mls qos trust cos >>spanning-tree portfast edge
>>channel-group 30 mode on >> >> >>_______________________________________________ >>cisco-nsp mailing list cisco-nsp at puck.nether.net >>https://puck.nether.net/mailman/listinfo/cisco-nsp >>archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > > > > I'm running 122-33.SXI3 on the vss and A3(2.0) on the ace /Arne From tsands at rackspace.com Mon Feb 15 08:19:37 2010 From: tsands at rackspace.com (Tom Sands) Date: Mon, 15 Feb 2010 07:19:37 -0600 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <4B730551.9070608@uk.clara.net> References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <4B730551.9070608@uk.clara.net> Message-ID: <940_1266239987_o1FDJg21030975_4B7949E9.1080601@rackspace.com> David Freedman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Andy B. wrote: >> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman >> wrote: >>> So, are you checking your interfaces for incrementing drop/error counters? >>> >>> Are you seeing any of this when there is the problem occuring? >>> (clear counters , sh int summ etc..) >>> >> I am having input drops all the time, no matter how high or low I set >> the incoming hold-queue. >> >> The OSPF and IBGP interfaces approx. 
30 minutes after I cleared the counters: >> >> TenGigabitEthernet8/1 is up, line protocol is up (connected) >> Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0 >> >> TenGigabitEthernet9/1 is up, line protocol is up (connected) >> Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0 >> >> TenGigabitEthernet9/2 is up, line protocol is up (connected) >> Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0 >> >> >> These links are not congested! Te9/1 is the busiest with maybe 6.5 out >> of 10 Gig. The other two are below 5 Gig. > > Are these supervisor ports or on a card (i.e 6704/6708?) > > Things I would check: > > - - That I understand 6704 has pathetically small per port buffers The 6704 looks like the biggest problem in this setup. We avoid them at all cost. > - - Hold queue input appropriate (for punt to MSFC), usually set to 4096 > for these > - - No IGP hello padding (if you have large MTU and pad then you must punt > these big things > - - Check SPD headroom (show ip spd) > - - The drops are not being reported on input due to lack of transmit > buffer on output (i.e to lower speed card), check traffic flows/pps to > low speed interfaces and adjust buffers appropriately > > Dave. -------------------------------------------------------------------------------- Tom Sands Chief Network Engineer Rackspace (210)312-4391 -------------------------------------------------------------------------------- Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace. Any dissemination, distribution or copying of the enclosed material is prohibited. 
If you receive this transmission in error, please notify us immediately by e-mail at abuse at rackspace.com, and delete the original message. Your cooperation is appreciated. From tvarriale at comcast.net Mon Feb 15 09:25:45 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Mon, 15 Feb 2010 08:25:45 -0600 Subject: [c-nsp] vs ace4710 and cisco 6500-vss References: <4B79057A.3090207@nordicom.tele.dk> Message-ID: <553CDD5939EC46AE9BCD6858C3CD9CDF@flamdt01> What do you mean they can't see each other? tv ----- Original Message ----- From: "Arne Larsen" To: Sent: Monday, February 15, 2010 2:27 AM Subject: [c-nsp] vs ace4710 and cisco 6500-vss Hi all. Can someone give me a hint. I'm trying to install a ha-setup with ace4710 on a vss environment. It seems that the two boxes can't see each other via the trunks. I have used one interface for management only and bundled the others into 1 etherchannel. I have the following configured on the channel. I made a test setup on a 3750 switch to test, before deploying this on the 6500, and that seemed to work fine. Is there something that is pulling my leg? I attended a session at Networkers in Barcelona, and the guy who taught there would make the documentation available on the web, but I can't find it. Has anyone of you seen this doc? I've also searched the web for a book about ace, but again I can't find anything.
Are there some of you who know where I can get my hands on this? /Arne interface port-channel 1 ft-port vlan 3085 switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 port-channel load-balance src-dst-port no shutdown and this configured on the physical interfaces speed 1000M duplex FULL carrier-delay 30 qos trust cos channel-group 1 no shutdown on the vss environment I have this on the etherchannel interface Port-channel30 description B: portchannel for ACE4710 load balancer switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 switchport mode trunk switchport nonegotiate mls qos trust cos and this configured on the physical interfaces switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 switchport mode trunk switchport nonegotiate mls qos trust cos spanning-tree portfast edge channel-group 30 mode on From ben at net-satori.ca Mon Feb 15 10:22:48 2010 From: ben at net-satori.ca (Benjamin Lauziere) Date: Mon, 15 Feb 2010 10:22:48 -0500 Subject: [c-nsp] vs ace4710 and cisco 6500-vss In-Reply-To: <553CDD5939EC46AE9BCD6858C3CD9CDF@flamdt01> References: <4B79057A.3090207@nordicom.tele.dk>, <553CDD5939EC46AE9BCD6858C3CD9CDF@flamdt01> Message-ID: <27303227E96E6E4C891127103483861239F8CEC750@VMBX101.ihostexchange.net> It seems that your FT vlan is not allowed on the trunk: ft-port vlan 3085 switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 Same thing on the switch: switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 Ben ________________________________________ From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale [tvarriale at comcast.net] Sent: February 15, 2010 9:25 AM
To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] vs ace4710 and cisco 6500-vss What do you mean they cant see each other? tv ----- Original Message ----- From: "Arne Larsen" To: Sent: Monday, February 15, 2010 2:27 AM Subject: [c-nsp] vs ace4710 and cisco 6500-vss Hi all. Can someone give me a hint. I?m trying to install a ha-setup with ace4710 on a vss environment It seems that that two boxes can?t see each other via the trunks. I have used one interface for management only and bundled the others in to 1 etherchannel. I have the following configured on the channel. I made a test setup on a 3750 switch to test, before deploying this on the 6500, and that seemed to work fine. Is there something that is pulling my legs. I attented a session on Networkers in Barcelona, an the guy that teached there would make the documentation available on the web, but I can?t find it. Have anyone of you seen this doc. I?ve also seached the web for a book about ace, but again I can?t find anything. Is there some of you that know where I can get my hand one this /Arne interface port-channel 1 ft-port vlan 3085 switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 port-channel load-balance src-dst-port no shutdown and this configured on the physical interfaces speed 1000M duplex FULL carrier-delay 30 qos trust cos channel-group 1 no shutdown on the vss environment I have this on the etherchannel interface Port-channel30 description B: portchannel for ACE4710 load balancer switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 switchport mode trunk switchport nonegotiate mls qos trust cos and this configured on the physical interfaces switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 switchport mode trunk switchport nonegotiate mls qos trust cos spanning-tree portfast edge channel-group 30 mode on _______________________________________________ cisco-nsp 
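Ben's diagnosis in the ACE4710/VSS thread above (FT VLAN 3085 falls in the gap of the allowed list on both ends) is the kind of thing a configuration check can catch before a deployment. The following is an added example, not code from the thread or from Cisco: it parses the two port-channel stanzas Arne posted (embedded here as constructed strings), expands the IOS VLAN-list syntax including the add/remove/except/all/none forms, and reports whether the FT VLAN is carried on both ends and whether the two allowed lists agree.

```python
"""Check that an ACE FT VLAN is carried end to end on the trunk port-channels.

Added example, not from the thread. The two stanzas below are the ones
Arne posted, embedded here as constructed strings; the parser handles the
few trunk keywords they use (plus the IOS add/remove/except/all/none forms).
"""
import re

ALL_VLANS = frozenset(range(1, 4095))

# ACE4710 side, as posted (FT VLAN 3085 sits in the gap between 3084 and 3086).
ACE_PORT_CHANNEL = """\
interface port-channel 1
  ft-port vlan 3085
  switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090
  port-channel load-balance src-dst-port
  no shutdown
"""

# 6500 VSS side, as posted.
VSS_PORT_CHANNEL = """\
interface Port-channel30
  description B: portchannel for ACE4710 load balancer
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090
  switchport mode trunk
  switchport nonegotiate
  mls qos trust cos
"""


def parse_vlan_list(spec):
    """Expand an IOS-style VLAN list ('797-803,3000,3080-3084') into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not (1 <= lo <= hi <= 4094):
                raise ValueError(f"bad VLAN range: {part}")
            vlans.update(range(lo, hi + 1))
        else:
            vid = int(part)
            if not 1 <= vid <= 4094:
                raise ValueError(f"bad VLAN id: {part}")
            vlans.add(vid)
    return vlans


_ALLOWED_RE = re.compile(
    r"^\s*switchport trunk allowed vlan(?:\s+(add|remove|except))?\s+(\S+)\s*$", re.M)


def allowed_vlans(stanza):
    """Return the set of VLANs the trunk carries after applying every
    'switchport trunk allowed vlan ...' line in order. With no such line
    the trunk carries all VLANs, which is the IOS default."""
    allowed = set(ALL_VLANS)
    for verb, spec in _ALLOWED_RE.findall(stanza):
        if spec == "all":
            allowed = set(ALL_VLANS)
        elif spec == "none":
            allowed = set()
        elif verb == "add":
            allowed |= parse_vlan_list(spec)
        elif verb == "remove":
            allowed -= parse_vlan_list(spec)
        elif verb == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(spec)
        else:
            allowed = parse_vlan_list(spec)
    return allowed


def ft_vlan(ace_stanza):
    """VLAN id from the ACE 'ft-port vlan N' line, or None if absent."""
    m = re.search(r"^\s*ft-port vlan (\d+)\s*$", ace_stanza, re.M)
    return int(m.group(1)) if m else None


def check_ft_trunk(ace_stanza, switch_stanza):
    """Return a list of findings; an empty list means the FT VLAN is allowed
    on both ends and the two allowed lists agree."""
    findings = []
    vlan = ft_vlan(ace_stanza)
    if vlan is None:
        return ["no 'ft-port vlan' on the ACE port-channel"]
    ace_allowed = allowed_vlans(ace_stanza)
    sw_allowed = allowed_vlans(switch_stanza)
    if vlan not in ace_allowed:
        findings.append(f"FT VLAN {vlan} is not in the ACE trunk allowed list")
    if vlan not in sw_allowed:
        findings.append(f"FT VLAN {vlan} is not in the switch trunk allowed list")
    only_one_side = sorted(ace_allowed ^ sw_allowed)  # VLANs trunked on one end only
    if only_one_side:
        findings.append(f"allowed lists differ on VLANs {only_one_side}")
    return findings


if __name__ == "__main__":
    for finding in check_ft_trunk(ACE_PORT_CHANNEL, VSS_PORT_CHANNEL) or ["ok"]:
        print(finding)
```

Run as-is it reports VLAN 3085 missing on both ends; changing both lists to 3080-3090 makes it report nothing.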
From linux.yahoo at gmail.com Mon Feb 15 12:05:22 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Mon, 15 Feb 2010 18:05:22 +0100
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <20100114131600.GA7162@eagle.aitken.com>
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> <20100113212044.GI75640@gerbil.cluepon.net> <20100114131600.GA7162@eagle.aitken.com>
Message-ID: <7100ed371002150905g31f3ecc3xb24ee3ce44f64743@mail.gmail.com>

Maybe a better option here: using a stub area without BGP to OSPF redistribution.

R/ Manu

On Thu, Jan 14, 2010 at 2:16 PM, Jeff Aitken wrote:
> On Wed, Jan 13, 2010 at 04:25:04PM -0500, null zeroroute wrote:
> > Very good suggestion, however the provider is not sending the internet
> > routing table, only our own internal network's routes. Or are you
> > suggesting some providers make mistakes and send full internet tables to a
> > private VRF customer?
>
> What he's saying is that any time you redistribute BGP into $IGP, you are
> playing with fire. The likelihood of a mistake may be low but the cost of
> a mistake is high.
>
> One thing you'll definitely want to use is the 'redistribute maximum-prefix'
> command:
>
> router ospf $PID
>   redistribute maximum-prefix $LIMIT
>
> This should help limit the damage if there's a redistribution "accident".
>
> --Jeff

From lsawyer at gci.com Mon Feb 15 16:25:26 2010
From: lsawyer at gci.com (Leif Sawyer)
Date: Mon, 15 Feb 2010 12:25:26 -0900
Subject: [c-nsp] c3750ME, IPv6, and IS-IS -- can't find the IOS
In-Reply-To: <7100ed371002150905g31f3ecc3xb24ee3ce44f64743@mail.gmail.com>
Message-ID: <18B2C6E38A3A324986B392B2D18ABC51EF31E150@fnb1mbx01.gci.com>

Having trouble finding an IOS that works on the ME-C3750-24TE with IPv6 and IS-IS.

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html seems to say that 12.2(25)SEA has the support, but that is nowhere to be found, and none of the future releases show it.

Does anybody have an idea of the actual roadmap, or is using it and can provide a working image name?

Thanks.

Leif

From mtinka at globaltransit.net Mon Feb 15 16:46:11 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 16 Feb 2010 05:46:11 +0800
Subject: [c-nsp] c3750ME, IPv6, and IS-IS -- can't find the IOS
In-Reply-To: <18B2C6E38A3A324986B392B2D18ABC51EF31E150@fnb1mbx01.gci.com>
References: <18B2C6E38A3A324986B392B2D18ABC51EF31E150@fnb1mbx01.gci.com>
Message-ID: <201002160546.16435.mtinka@globaltransit.net>

On Tuesday 16 February 2010 05:25:26 am Leif Sawyer wrote:

> Does anybody have an idea of the actual roadmap, or is
> using it and can provide a working image name?

IS-IS was introduced to the Catalyst family in IOS 12.2(50)SE.

12.2(52)SE brought IPv6 to the Cisco Catalyst 3750ME switch.

Current support for IS-IS on this platform is IPv4. IPv6 support is not yet here.

Cheers,

Mark.

From lsawyer at gci.com Mon Feb 15 17:02:58 2010
From: lsawyer at gci.com (Leif Sawyer)
Date: Mon, 15 Feb 2010 13:02:58 -0900
Subject: [c-nsp] c3750ME, IPv6, and IS-IS -- can't find the IOS
In-Reply-To: <201002160546.16435.mtinka@globaltransit.net>
Message-ID: <18B2C6E38A3A324986B392B2D18ABC51EF31E155@fnb1mbx01.gci.com>

Erm, I'm running 12.2(46)SE with IS-ISv4 very successfully.

Previously, we ran 12.2(25)EY4 and 12.2(25)SEG3 -- which I believe also had IS-IS capability. Since we're an IS-IS network, I'm pretty sure v4 support would have been an issue prior.

But v6 support is the actual question, thanks.

From aaron.glenn at gmail.com Mon Feb 15 19:41:54 2010
From: aaron.glenn at gmail.com (Aaron Glenn)
Date: Tue, 16 Feb 2010 00:41:54 +0000
Subject: [c-nsp] SUP720-3BXL "Warning: NVRAM size is 0"
Message-ID: <18f601941002151641n6152701bx9a0287a7c9eda08c@mail.gmail.com>

Greets,

In what's unfortunately become a common theme, I'm staring down a SUP720-3BXL that will not boot. After copying an up-to-date SXH IOS image to sup-bootdisk ("The Kid" didn't ship pc cards) and a reload, I am getting a "Warning: NVRAM size is 0" and subsequent TLB exceptions on boot.
The only real scrap of information I've been able to find is a relatively old CSC[1] explaining some early versions of WS-SUP720 suffer from a busted crystal oscillator. I've confirmed that this board's serial numbers and hw revisions do not fall under this field notice, yet I'm getting exactly the same behavior as described.

I would appreciate any suggestions on how to resuscitate this thing or additional steps to verify it is indeed a faulty hardware issue.

Thanks,
Aaron

[1] http://www.ciscosystems.com/en/US/ts/fn/200/fn27595.html

From frnkblk at iname.com Mon Feb 15 22:51:17 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Mon, 15 Feb 2010 21:51:17 -0600
Subject: [c-nsp] Dynamic IP VPN clients on a dual-ISP ASA 5505
Message-ID:

We have a customer that recently added a second ISP uplink to their ASA 5505 at the hub (headquarters) and would like to migrate some of their spoke (IPsec) sites to terminate on the new uplink at the hub. Secondly, they would like the new uplink to be their hub's primary internet link (using PAT). Their spokes are predominantly using SOHO gear on different ISP services that have dynamic IP addresses, and behind each spoke is a unique private subnet.

What Cisco is telling us is that if we want to use dual-ISP interfaces, the spokes cannot use dynamic WAN IP addresses. If the spokes have static WAN IP addresses it will work -- something with how the VPN session gets set up and the fact that the default router is for the new uplink, we're told. But the client wants to avoid the $10/month charge for a static for each spoke, if at all possible.

With all the knobs and buttons that the ASA has, I find this a little surprising. Does anyone have a similar setup for which they would be willing to share a configuration snippet?

Here's an abbreviated configuration:

                headquarters
               192.168.x.0/24
                     |
                  ASA 5505
                 /        \
            ISP #1        ISP #2
              |              |
                  INTERNET
              |              |
          dynamic IP     dynamic IP
           Remote A       Remote B
        192.168.a.0/24  192.168.b.0/24

A bonus would be if HQ could automatically fail over to the other ISP link.

Thanks in advance for any assistance.

Regards,

Frank Bulk

From mtinka at globaltransit.net Mon Feb 15 23:58:46 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 16 Feb 2010 12:58:46 +0800
Subject: [c-nsp] c3750ME, IPv6, and IS-IS -- can't find the IOS
In-Reply-To: <18B2C6E38A3A324986B392B2D18ABC51EF31E155@fnb1mbx01.gci.com>
References: <18B2C6E38A3A324986B392B2D18ABC51EF31E155@fnb1mbx01.gci.com>
Message-ID: <201002161258.52687.mtinka@globaltransit.net>

On Tuesday 16 February 2010 06:02:58 am Leif Sawyer wrote:

> Erm, I'm running 12.2(46)SE with IS-ISv4 very
> successfully.

You're right, I was mixing up platforms (the 3560/3750, to be exact, since I asked Cisco for IS-IS support on this more than 2 years ago).

The 3750ME has had IS-IS support for a long time (I think as far back as IOS 12.1AX).

> But v6 support is the actual question, thanks.

The last time I asked my SE, Cisco's plan was to make v6 support for IS-IS on the 3750ME available at the end of 2010, since we also have a couple of these boxes in the network.

Given previous Cisco schedules, this could easily be 2011.

Cheers,

Mark.
From zeusdadog at gmail.com Tue Feb 16 00:30:47 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Tue, 16 Feb 2010 00:30:47 -0500
Subject: [c-nsp] VRF aware IPSec for remote access without xauth
In-Reply-To: <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com>
References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com> <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com>
Message-ID: <9418aca71002152130x6310c623v1ebeff45b84feb6b@mail.gmail.com>

I have fixed this issue with TAC help. To help those that may encounter this issue later, here are the changes:

crypto isakmp profile CustomerVPN
 ! Remove this line for Authentication. You have to keep the authorization line.
 no client authentication list CustomerVPNCliAuth

Then, I forgot to add the crypto map on the two interfaces that the traffic actually came in on. (I was under the mistaken understanding that you can only put a crypto map on one interface.)

On Tue, Feb 9, 2010 at 2:41 PM, Jay Nakamura wrote:
> I have not explained my situation very well so let me restart.
>
> VPN is client VPN, not LAN to LAN. The old style IPsec Cisco VPN
> client, not Anyconnect client.
>
> Internet access on the router is on one VRF. Network we want to
> access via VPN is on another VRF. See below config.
>
> I have gotten it to work so far where it will connect, do Xauth, and
> establish connection. You can see the VPN client IP in the routing
> table of the Customer VRF. Traffic gets sent to the VPN from the
> client but nothing from the Customer VRF comes back out to the VPN.
>
> I do want to do this without XAuth if possible. Also, I used the
> loopback interface as the destination of the VPN so it could fail over
> if one link goes down.
>
> aaa new-model
> !
> aaa authentication login CustomerVPNCliAuth local
> aaa authorization network CustomerVPNNetAuth local
> !
> ip cef
> !
> ip vrf Customer
>  rd 12345:1100
>  import map internetVRFDefaultMap
>  route-target export 12345:1100
>  route-target import 12345:1100
>  route-target import 12345:1
> !
> ip vrf internet
>  rd 12345:1
>  route-target export 12345:1
>  route-target import 12345:1
> !
> crypto keyring CustomerVPNKey vrf internet
>  local-address Loopback1
>  pre-shared-key address 0.0.0.0 0.0.0.0 key testtest
> no crypto xauth Loopback1
> !
> crypto isakmp policy 1
>  encr aes 256
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group CustomerVPNGroup
>  key testtest
>  pool CustomerVPNPool
>  acl CustomerVPNSplitTunnel
> crypto isakmp profile CustomerVPN
>   vrf Customer
>   keyring CustomerVPNKey
>   self-identity address
>   match identity group CustomerVPNGroup
>   client authentication list CustomerVPNCliAuth
>   isakmp authorization list CustomerVPNNetAuth
>   client configuration address initiate
>   client configuration address respond
>   client configuration group CustomerVPNGroup
>   local-address Loopback1
> !
> crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
> !
> crypto dynamic-map CustomerVPNDynMap 1
>  set transform-set AES256
>  set isakmp-profile CustomerVPN
>  reverse-route
> !
> crypto map CustomerVPN local-address Loopback1
> crypto map CustomerVPN 10 ipsec-isakmp dynamic CustomerVPNDynMap
> !
> interface Loopback0
>  ip vrf forwarding internet
>  ip address a.a.a.1 255.255.255.255
> !
> interface Loopback1
>  ip vrf forwarding internet
>  ip address a.a.a.2 255.255.255.255
>  crypto map CustomerVPN
> !
> interface Loopback2
>  ip vrf forwarding internet
>  ip address a.a.a.3 255.255.255.255
>  ip nat outside
>  ip virtual-reassembly
> !
> interface GigabitEthernet0/0
>  ip address m.m.m.x 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface GigabitEthernet0/0.802
>  encapsulation dot1Q 802
>  ip vrf forwarding internet
>  ip address b.b.b.b 255.255.255.240
>  ip nat outside
>  ip virtual-reassembly
> !
> interface GigabitEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
> !
> interface GigabitEthernet0/1.803
>  encapsulation dot1Q 803
>  ip vrf forwarding internet
>  ip address c.c.c.c 255.255.255.240
>  ip nat outside
>  ip virtual-reassembly
>  ip ospf cost 15
> !
> interface GigabitEthernet0/1.811
>  encapsulation dot1Q 811
>  ip address n.n.n.n.x 255.255.255.0
> !
> interface GigabitEthernet0/2
>  no ip address
>  duplex auto
>  speed auto
> !
> interface GigabitEthernet0/2.1100
>  encapsulation dot1Q 1100
>  ip vrf forwarding Customer
>  ip address 10.0.244.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
> !
> interface GigabitEthernet0/2.1101
>  encapsulation dot1Q 1101
>  ip vrf forwarding Customer
>  ip address 10.0.245.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
> !
> router ospf 1 vrf internet
>  log-adjacency-changes
>  redistribute static metric-type 1 subnets
>  passive-interface default
>  no passive-interface GigabitEthernet0/0.802
>  no passive-interface GigabitEthernet0/1.803
>  network a.a.a.1 0.0.0.0 area 0
>  network b.b.b.b 0.0.0.15 area 0
>  network c.c.c.c 0.0.0.15 area 0
> !
> router bgp 12345
>  no synchronization
>  bgp log-neighbor-changes
>  no auto-summary
>  !
>  address-family ipv4 vrf Customer
>  no synchronization
>  redistribute static
>  default-information originate
>  exit-address-family
>  !
>  address-family ipv4 vrf internet
>  no synchronization
>  redistribute ospf 1 vrf internet match internal external 1 external 2
>  default-information originate
>  exit-address-family
> !
> ip local pool CustomerVPNPool 192.168.254.1 192.168.254.254 recycle delay 10
> ip forward-protocol nd
> !
> ip extcommunity-list 1 permit rt 12345:1
> ip nat inside source list CustomerNATACL interface Loopback2 vrf Customer overload
> !
> ip access-list extended CustomerNATACL
>  deny   ip 10.0.244.0 0.0.1.255 192.168.254.0 0.0.0.255
>  permit ip 10.0.244.0 0.0.1.255 any
> ip access-list extended CustomerVPNSplitTunnel
>  permit ip 10.0.244.0 0.0.0.255 192.168.254.0 0.0.0.255
>  permit ip 10.0.245.0 0.0.0.255 192.168.254.0 0.0.0.255
> !
> ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
> ip prefix-list DefaultOnly seq 10 permit 192.168.254.0/24
> !
> route-map internetVRFDefaultMap permit 10
>  match ip address prefix-list DefaultOnly
>  match extcommunity 1
>
> On Wed, Feb 3, 2010 at 4:01 PM, Ryan Goldberg wrote:
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
>>> Sent: Tuesday, February 02, 2010 10:20 PM
>>> To: cisco-nsp
>>> Subject: [c-nsp] VRF aware IPSec for remote access without xauth
>>>
>>> I am trying to configure vrf aware IPSec VPN for remote access, coming
>>> into one VRF and tunneling into another VRF. Can I do that without
>>> XAUTH? I can't seem to find any reference to doing it without xauth.
>>> If it's possible and someone has done this, can you please post a
>>> sample config?
>>
>> I believe the following tidbits should get you going. This is from a 2801 running 12.4.24T1. The tunnel lands on vrf ISP2 and pops out into vrf LAN.
>>
>> ip vrf ISP2
>>  rd 1:2
>>
>> ip vrf LAN
>>  rd 1:3
>>
>> crypto keyring ISP2 vrf ISP2
>>  pre-shared-key address a.b.c.d key blahblahblah
>>
>> crypto isakmp policy 2
>>  encr 3des
>>  authentication pre-share
>>  group 2
>>
>> crypto isakmp profile ProfileForNuttyVendor
>>   vrf LAN
>>   keyring ISP2
>>   match identity address a.b.c.d 255.255.255.255 ISP2
>>
>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>>
>> crypto map AwesomeMap 3 ipsec-isakmp
>>  description tunnel for Nutty Vendor
>>  set peer a.b.c.d
>>  set transform-set ESP-3DES-SHA
>>  set isakmp-profile ProfileForNuttyVendor
>>  match address 111
>>  reverse-route
>>
>> interface FastEthernet0/1
>>  ip vrf forwarding LAN
>>  ip address 10.1.19.250 255.255.255.0
>>
>> interface FastEthernet0/0
>>  ip vrf forwarding ISP2
>>  ip address w.x.y.z 255.255.255.248
>>
>> access-list 111 remark Nutty Vendor tunnel
>> access-list 111 permit ip host 10.3.19.247 10.0.1.0 0.0.0.255
>>
>> -
>>
>> Ryan
>>
>

From marco.regini at ascotlc.it Tue Feb 16 06:29:19 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Tue, 16 Feb 2010 12:29:19 +0100
Subject: [c-nsp] multicast on transit LAN
Message-ID:

Hi,

I have a serious problem with multicast because my distribution (Cisco Catalyst 3750) and access apparatus (Cisco Catalyst 3560) see each other via a common network (built on the common VLAN 100). Physically they are in a daisy chain on the gigabit interfaces, the gigabit interfaces are trunks, and all the L3 interfaces are SVIs.

The problem is to limit the multicast traffic on this VLAN because at L2 it is like a broadcast. Have you any suggestions?

I read documentation about CGMP and RGMP, but the notes say that this stuff works only when multicast routers are connected via an L2 switch, and regarding VLAN 100 my Ciscos are both router (there is an SVI) and switch.

Another idea is to use IGMP snooping, but my multicast receivers/sources are not in this VLAN, so no IGMP traffic passes in this VLAN.

My last chance is to proxy the IGMP, let me explain:

Receiver --Vlan7-- Fa0/7.Catalyst3560.Gi0/1---Vlan100-Gi0/1.Catalyst3750

If I configure the Catalyst3560 to proxy the IGMP join/leave to the upstream Catalyst3750, perhaps I give IGMP snooping a chance to start working on Vlan100.
Marco Regini

From Jon.Harald.Bovre at hafslund.no Tue Feb 16 07:47:04 2010
From: Jon.Harald.Bovre at hafslund.no (Bøvre Jon Harald)
Date: Tue, 16 Feb 2010 13:47:04 +0100
Subject: [c-nsp] multicast on transit LAN
In-Reply-To:
Message-ID:

Might not solve your problem but have a look at an MVR VLAN.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swigmp.html#wp1035931

Jon

From p.mayers at imperial.ac.uk Tue Feb 16 10:36:50 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 16 Feb 2010 15:36:50 +0000
Subject: [c-nsp] multicast on transit LAN
In-Reply-To:
References:
Message-ID: <4B7ABB92.1040801@imperial.ac.uk>

On 02/16/2010 11:29 AM, Marco Regini wrote:
> My last chance is to proxy the IGMP, let me explain:
>
> Receiver --Vlan7-- Fa0/7.Catalyst3560.Gi0/1---Vlan100-Gi0/1.Catalyst3750

So the 3560 and 3750 are routing the multicast? In that case you probably need PIM snooping on the layer2 equipment between them.

If you don't have that, then yes - IGMP proxy is an option.

From marco.regini at ascotlc.it Tue Feb 16 11:45:01 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Tue, 16 Feb 2010 17:45:01 +0100
Subject: [c-nsp] multicast on transit LAN
References: <4B7ABB92.1040801@imperial.ac.uk>
Message-ID:

Hi Phil,

All my Ciscos are routing the multicast; the problem is that the L3 links between them are not point-to-point.

I tried to enable RGMP, CGMP ... but it seems they assume the apparatus is either a router or a switch (if the Cisco has an SVI on VLAN 100 it is a router, if not it is a switch). I'm not sure if proxying the IGMP will work, because IGMP snooping probably has the same limitation, but I want to try; do you know how to enable it?

This is a pseudo configuration of the apparatus. What lines do I need to proxy the IGMP arriving on the access interface Fa0/30?

!
interface Vlan 100
 description L3 DAESY-CHAIN-NUMBER-100
 ip address 172.16.100.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface range Gi 0/1 - 4
 description L2 DAESY-CHAIN-NUMBER-100
 switchport mode trunk
 switchport trunk allowed vlan 100
!

On the access apparatus there are the customer interfaces.

!
interface Fa0/30
 description L2 Customer Smith
 switchport access vlan 30
!
!
interface Vlan 30
 description L3 Customer Smith
 ip address 10.0.30.1 255.255.255.240
!

From marco.regini at ascotlc.it Tue Feb 16 11:21:02 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Tue, 16 Feb 2010 17:21:02 +0100
Subject: [c-nsp] multicast on transit LAN
References:
Message-ID:

Hi Jon,

MVR is a very interesting feature, thanks. I need some time to reflect; maybe I'm not going to use it this time, but knowing I can do multicast in this way is important.

One question: how do I use MVR with PIM?

On my 3570 (my distribution router) I configure an SVI 101:

!
int Vlan 101
 description L3 FOR MVR MULTICAST
 ip address 172.16.101.1 255.255.255.0
 ip pim sparse-dense-mode
!

On my Catalyst 3560 (my access apparatus) I do not create an SVI 101 but simply put MVR on the access interface:

!
interface Fa0/30
 description L2 Customer Smith
 switchport access vlan 30
 mvr type receiver
 mvr vlan 101 group 228.1.23.4
!
!
interface Vlan 30
 description L3 Customer Smith
 ip address 10.0.30.1 255.255.255.240
!

From p.mayers at imperial.ac.uk Tue Feb 16 12:19:27 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 16 Feb 2010 17:19:27 +0000
Subject: [c-nsp] multicast on transit LAN
In-Reply-To:
References: <4B7ABB92.1040801@imperial.ac.uk>
Message-ID: <4B7AD39F.1040500@imperial.ac.uk>

On 02/16/2010 04:45 PM, Marco Regini wrote:
> Hi Phil, all my cisco are routing the multicast, the problem is that
> the l3 link between them are not point-to-point.

Understood. You have the config:

layer3 -- layer2 -- (...) -- layer2 -- layer3

...and the multicast needs to pass between the layer3 devices. The layer3 devices are using PIM to speak to each other, yes? In which case, you need PIM snooping on the layer2 devices.

What are the layer2 devices? How many are there? Who runs them?

> I tried to enable rgmp,cgmp ... but seems they assumes the apparatus
> being a router or a switch ( if the cisco has a svi on the vlan 100
> it is a router, if not is a switch). I'am not sure if proxing the

I'm sorry, I don't understand you. RGMP and CGMP are different things, which serve different purposes.

> IGMP will works, because IGMP snooping probably has the same
> limitation, but I want to tray; do you know how to enable it?
>
> This is a pseudo configuration of apparatus, what lines I need to
> proxy the IGMP arriving to the access interface Fa0/30?

I'm sorry, I don't understand. That configuration cannot possibly work. Can you give a more detailed configuration?

I've never used IGMP proxy on a cisco, and upon examination it looks like it might be a different feature than I thought - the docs seem to link it to unidirectional tunnels.

You really need PIM snooping.

From globichen at gmail.com Tue Feb 16 14:52:55 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 16 Feb 2010 20:52:55 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <940_1266239987_o1FDJg21030975_4B7949E9.1080601@rackspace.com>
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <4B730551.9070608@uk.clara.net> <940_1266239987_o1FDJg21030975_4B7949E9.1080601@rackspace.com>
Message-ID:

On Mon, Feb 15, 2010 at 2:19 PM, Tom Sands wrote:
> The 6704 looks like the biggest problem in this setup. We avoid them at all
> cost.

What would be your recommendation then? 6708?

Sidenote: I may have narrowed down the issue. There is a port-channel on te9/4 and te8/4. When I shut down one of these two interfaces, the box becomes very responsive again:

BCS#sh etherchannel 66 detail
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   PAgP
Minimum Links: 0
Ports in the group:
-------------------
Port: Te8/4
------------

Port state    = Down Not-in-Bndl
Channel group = 66          Mode = Desirable-Sl    Gcchange = 0
Port-channel  = null        GC   = 0x00000000      Pseudo port-channel = Po66
Port index    = 0           Load = 0x00            Protocol =   PAgP

Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.
        d - PAgP is down.
Timers: H - Hello timer is running.        Q - Quit timer is running.
        S - Switching timer is running.    I - Interface timer is running.

Local information:
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Te8/4     d     U1/S1   1s       0        128        Any      0

Age of the port in the current state: 5d:11h:50m:10s

Port: Te9/4
------------

Port state    = Up Mstr In-Bndl
Channel group = 66          Mode = Desirable-Sl    Gcchange = 0
Port-channel  = Po66        GC   = 0x00420001      Pseudo port-channel = Po66
Port index    = 1           Load = 0xFF            Protocol =   PAgP

Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.
        d - PAgP is down.
Timers: H - Hello timer is running.        Q - Quit timer is running.
        S - Switching timer is running.    I - Interface timer is running.

Local information:
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Te9/4     SC    U6/S7   30s      1        128        Any      122

Partner's information:

          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Te9/4     XXXX                 0021.a050.d600   Te4/2       18s SC      420001

Age of the port in the current state: 0d:00h:05m:49s

Port-channels in the group:
----------------------

Port-channel: Po66
------------

Age of the Port-channel   = 5d:11h:52m:22s
Logical slot/port   = 14/4          Number of ports = 1
GC                  = 0x00420001      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   PAgP
Fast-switchover     = disabled
Load share deferral = disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------------+------------------+-----------
  1     FF     Te9/4    Desirable-Sl       8

Time since last port bundled:    0d:00h:05m:49s    Te9/4
Time since last port Un-bundled: 0d:00h:05m:06s    Te8/4

Last applied Hash Distribution Algorithm: Fixed

This is while Te8/4 is shut down. The other end of the channel is also a 6509 box with 1x 6704.
Andy

From marco.regini at ascotlc.it Tue Feb 16 15:19:59 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Tue, 16 Feb 2010 21:19:59 +0100
Subject: [c-nsp] multicast on transit LAN
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk>
Message-ID:

Hi Phil,

I apologize if I'm obscure, and thanks a lot :-) for your patience.

I have Layer3/Layer2 -- Layer3/Layer2 -- Layer3/Layer2 -- ...

VLAN 100 spans the entire chain (the Ciscos are interconnected via the fc
gigabit interface with an 802.1q trunk); each node on the chain has an
"interface vlan 100" with an address on the same network.

The customer multicast sender/receiver are on the FastEthernet interfaces,
in their dedicated VLAN and network.

Regarding PIM snooping, my poor 3560/3750 do not support it, but in the
documentation I found again that you need the Cisco to be either a router
or a switch, not both. But I'm not an expert, so do not trust very much
what I say.

Cheers

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Tuesday, 16 February 2010 18:19
To: Marco Regini
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] multicast on transit LAN

On 02/16/2010 04:45 PM, Marco Regini wrote:
> Hi Phil, all my cisco are routing the multicast, the problem is that
> the l3 link between them are not point-to-point.

Understood. You have the config:

layer3 -- layer2 -- (...) -- layer2 -- layer3

...and the multicast needs to pass between the layer3 devices.

The layer3 devices are using PIM to speak to each other, yes? In which
case, you need PIM snooping on the layer2 devices.

What are the layer2 devices? How many are there? Who runs them?

> I tried to enable rgmp,cgmp ... but seems they assumes the apparatus
> being a router or a switch ( if the cisco has a svi on the vlan 100
> it is a router, if not is a switch). I'm not sure if proxying the

I'm sorry, I don't understand you. RGMP and CGMP are different things,
which serve different purposes.

> IGMP will work, because IGMP snooping probably has the same
> limitation, but I want to try; do you know how to enable it?
>
> This is a pseudo configuration of apparatus, what lines I need to
> proxy the IGMP arriving to the access interface Fa0/30?

I'm sorry, I don't understand. That configuration cannot possibly work.
Can you give a more detailed configuration?

I've never used IGMP proxy on a cisco, and upon examination it looks like
it might be a different feature than I thought - the docs seem to link it
to unidirectional tunnels.

You really need PIM snooping.

From gert at greenie.muc.de Tue Feb 16 15:33:36 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 16 Feb 2010 21:33:36 +0100
Subject: [c-nsp] ip source guard in the switch layer without DHCP
In-Reply-To: <1265802854.11279.3.camel@hal9000>
References: <1265802854.11279.3.camel@hal9000>
Message-ID: <20100216203336.GI9556@greenie.muc.de>

Hi,

On Wed, Feb 10, 2010 at 12:54:14PM +0100, luismi wrote:
> What about if the server connected to that port is sending multicast
> traffic?

Multicast traffic is sent from the normal unicast MAC and IP address.
Since the switch is checking the packet *source*, it should not interfere.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From A.L.M.Buxey at lboro.ac.uk Tue Feb 16 15:57:40 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 16 Feb 2010 20:57:40 +0000
Subject: [c-nsp] multicast on transit LAN
In-Reply-To:
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk>
Message-ID: <20100216205740.GC1822@lboro.ac.uk>

Hi,

> Regarding Pim Snooping my poor 3560,3750 do not support it, but in the documentation I found again that you need the cisco
> be or a router or a switch, not both.

ip igmp snooping

should be available globally or per physical/logical interface. The PIM
features are how the traffic is dealt with - eg

ip pim sparse-mode

alan

From rsm at fast-serv.com Tue Feb 16 17:05:16 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Tue, 16 Feb 2010 17:05:16 -0500
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216205740.GC1822@lboro.ac.uk>
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk> <20100216205740.GC1822@lboro.ac.uk>
Message-ID: <20100216215941.M18122@fast-serv.com>

Is there a simpler way to add/remove VLANs from a trunk port without having
to redefine the allowed list each time? I'm trying to script the adding and
removing of allowed VLANs and I would rather have simple add/remove commands
to add or remove a single VLAN (like 'tagged' or 'no tagged' on a per-VLAN
basis in Foundry) instead of redefining every VLAN on the trunk port every
time the script runs. But I don't think it's possible?

--
Randy

From jackson.tim at gmail.com Tue Feb 16 17:15:17 2010
From: jackson.tim at gmail.com (Tim Jackson)
Date: Tue, 16 Feb 2010 16:15:17 -0600
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216215941.M18122@fast-serv.com>
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk> <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com>
Message-ID: <4407932e1002161415y5751213bye54792f9681766f0@mail.gmail.com>

switchport trunk vlan allowed add/remove:

nsvltnit-office-3560(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

On Tue, Feb 16, 2010 at 4:05 PM, Randy McAnally wrote:
> Is there a simpler way to add/remove VLANs from a trunk port without having to
> redefine the allowed list each time? I'm trying to script the adding and
> removing of allowed VLANs and I would rather simple add/remove commands to add
> or remove a single vlan (like 'tagged' or 'no tagged' on a per-VLAN basis in
> Foundry) instead of redefining every VLAN each on the trunk port every time
> the script runs. But I don't think it's possible?
>
> --
> Randy

From sthaug at nethelp.no Tue Feb 16 17:17:28 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 16 Feb 2010 23:17:28 +0100 (CET)
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216215941.M18122@fast-serv.com>
References: <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com>
Message-ID: <20100216.231728.41663379.sthaug@nethelp.no>

> Is there a simpler way to add/remove VLANs from a trunk port without having to
> redefine the allowed list each time? I'm trying to script the adding and
> removing of allowed VLANs and I would rather simple add/remove commands to add
> or remove a single vlan (like 'tagged' or 'no tagged' on a per-VLAN basis in
> Foundry) instead of redefining every VLAN each on the trunk port every time
> the script runs. But I don't think it's possible?

What is wrong with "switchport trunk allowed vlan add ..." and the
corresponding "switchport trunk allowed vlan rem ..." ?

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From rsm at fast-serv.com Tue Feb 16 17:21:02 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Tue, 16 Feb 2010 17:21:02 -0500
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216.231728.41663379.sthaug@nethelp.no>
References: <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com> <20100216.231728.41663379.sthaug@nethelp.no>
Message-ID: <20100216221910.M53040@fast-serv.com>

Nothing wrong...it's exactly what I needed.

Long hours of coding make me overlook these kinds of things and I really
appreciate the added eyes of the community :)

--
Randy

---------- Original Message -----------
From: sthaug at nethelp.no
To: rsm at fast-serv.com
Cc: cisco-nsp at puck.nether.net
Sent: Tue, 16 Feb 2010 23:17:28 +0100 (CET)
Subject: Re: [c-nsp] Controlling allowed VLANs, alternatives?

> > Is there a simpler way to add/remove VLANs from a trunk port without having to
> > redefine the allowed list each time? I'm trying to script the adding and
> > removing of allowed VLANs and I would rather simple add/remove commands to add
> > or remove a single vlan (like 'tagged' or 'no tagged' on a per-VLAN basis in
> > Foundry) instead of redefining every VLAN each on the trunk port every time
> > the script runs. But I don't think it's possible?
>
> What is wrong with "switchport trunk allowed vlan add ..." and the
> corresponding "switchport trunk allowed vlan rem ..." ?
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
------- End of Original Message -------

From jeff-kell at utc.edu Tue Feb 16 17:28:16 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 16 Feb 2010 17:28:16 -0500
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <4407932e1002161415y5751213bye54792f9681766f0@mail.gmail.com>
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk> <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com> <4407932e1002161415y5751213bye54792f9681766f0@mail.gmail.com>
Message-ID: <4B7B1C00.1040808@utc.edu>

On 2/16/2010 5:15 PM, Tim Jackson wrote:
> switchport trunk vlan allowed add/remove:
>
> nsvltnit-office-3560(config-if)#switchport trunk allowed vlan ?
>   WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
>   add     add VLANs to the current list
>   all     all VLANs
>   except  all VLANs except the following
>   none    no VLANs
>   remove  remove VLANs from the current list

And if changing a group of them, do "interface range ..." first.

Jeff

From Dhanalakshmi.Mohanasundaram at in.lafarge.com Tue Feb 16 17:31:02 2010
From: Dhanalakshmi.Mohanasundaram at in.lafarge.com (Dhanalakshmi.Mohanasundaram at in.lafarge.com)
Date: Wed, 17 Feb 2010 04:01:02 +0530
Subject: [c-nsp] Dhanalakshmi Mohanasundaram is out of the office.
Message-ID:

I will be out of the office starting 02/17/2010 and will not return until
02/19/2010.

I will respond to your message when I return. In case of any issues please
contact Mr. Periyasamy Nattar ( Periyasamy.nattar at in.lafareg.com )

From mailers at oranged.to Tue Feb 16 22:03:50 2010
From: mailers at oranged.to (Jimmy Stewpot)
Date: Wed, 17 Feb 2010 03:03:50 +0000 (UTC)
Subject: [c-nsp] ASA5510 with SIP dropping intermittent
In-Reply-To: <194215044.28.1266375622378.JavaMail.root@poops.oranged.to>
Message-ID: <831641327.30.1266375830692.JavaMail.root@poops.oranged.to>

Hello,

I am currently running a Cisco ASA 5510 device running software version
8.0(3)6. The configuration is very simple: we have a group of voice servers
behind the system talking to an upstream voice service provider using SIP.
Outbound calls work 100% of the time; we also have a policy in place which
permits inbound connections. Most of the time it works, however in an
apparently random fashion it drops incoming calls. There have been no
changes to the device in months and it has only started to occur over the
last week. I have been ripping my hair out trying to resolve this issue
with little to no luck.

When I check what is going on I see the following messages in the log.

Feb 16 10:48:10 %ASA-6-106015: Deny TCP (no connection) from /57345 to /5060 flags PSH ACK on interface Outside

The configuration is as follows.

Voice Server (192.168.1.20/24) -> ASA internal (192.168.1.254) || ASA External (Public Address) -> Internet.

We have an inbound policy permitting any inbound SIP udp and tcp to the
Public Address. We then have a one to one mapping

static (inside,Outside) 192.168.1.20 netmask 255.255.255.255

Everything seems fine, and I don't understand why it's dropping the
connections on a very intermittent basis. It seems that it's probably
something to do with the inspect. If we disable inspect it breaks all phone
connections. I found the following bug reference number in the release notes
for 8.2.
CSCtb23281 but I don't have Cisco logins which provide me with the bug DB
any more...

Any advice or assistance would be greatly appreciated.

Regards,

Jimmy Stewpot.

From kris at amy.id.au Tue Feb 16 23:33:16 2010
From: kris at amy.id.au (Kris Amy)
Date: Wed, 17 Feb 2010 14:33:16 +1000
Subject: [c-nsp] VLAN Tagging/Untagging overhead
Message-ID: <79167dd71002162033o2c338b7fle66b9f9d381395fa@mail.gmail.com>

Hi All,

Is there any CPU impact from packets being de/encapsulated onto a VLAN
rather than going as native on a software based platform (7200/7300)? If
so, would this be a big impact at 50k pps?

Regards,
Kris

From tvarriale at comcast.net Tue Feb 16 23:43:45 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 16 Feb 2010 22:43:45 -0600
Subject: [c-nsp] ASA5510 with SIP dropping intermittent
References: <831641327.30.1266375830692.JavaMail.root@poops.oranged.to>
Message-ID:

That bug was supposedly first found in 8.2(1).

My first thought is that the control channel is staying up on the voice SP,
but is timing out in the translation table. Do you log your set ups and tear
downs to a syslog server? If so, go back and try and chase that source port
to see if there's a timeout/teardown prior to that timestamp.

You need the SIP inspection since you are NATing. No way around it and I
don't think that's the issue at this point. Or, better said, at this point
in the data collection phase.

tv

----- Original Message -----
From: "Jimmy Stewpot"
To:
Sent: Tuesday, February 16, 2010 9:03 PM
Subject: [c-nsp] ASA5510 with SIP dropping intermittent

From ramet at ramet7.net Wed Feb 17 00:31:35 2010
From: ramet at ramet7.net (Ramet Khalili)
Date: Wed, 17 Feb 2010 09:01:35 +0330
Subject: [c-nsp] Active Directory User shaping
Message-ID: <000301caaf92$8ede9bc0$ac9bd340$@net>

Hey there,

Does anyone know how I can shape my Active Directory users with their
domain usernames and passwords? Something like the UTMs do. I really wonder
why they didn't put this on ASAs!
Ramet

From ioan.branet at gmail.com Wed Feb 17 03:10:36 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 10:10:36 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
Message-ID: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com>

Hello group,

I am trying to create an EoMPLS VLAN-mode circuit between one 10G
subinterface and a GE subinterface between two 7600s as PE. Here is my
config:

PE1:

sh running-config interface TenGigabitEthernet7/3.999
Building configuration...

Current configuration : 141 bytes
!
interface TenGigabitEthernet7/3.999
 description TEST_EOMPLS
 encapsulation dot1Q 999
 xconnect 172.25.231.68 9999 encapsulation mpls
end

show mpls l2transport vc 9999 detail
Local interface: Te7/3.999 up, line protocol up, Eth VLAN 999 up
  MPLS VC type is Eth VLAN, interworking type is Ethernet
  Destination address: 172.25.231.68, VC ID: 9999, VC status: up
    Output interface: Te4/2, imposed label stack {5673 54}
    Preferred path: not configured
    Default path: active
    Next hop: 95.77.36.45
  Create time: 00:04:21, last status change time: 00:04:21
  Signaling protocol: LDP, peer 172.25.231.68:0 up
    Targeted Hello: 172.25.224.1(LDP Id) -> 172.25.231.68
    MPLS VC labels: local 1244, remote 54
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: EOMPLS TEST
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 4, send 0
    byte totals:   receive 240, send 0
    packet drops:  receive 0, send 0

PE2:

sh running-config interface Gi2/2.999
Building configuration...

Current configuration : 137 bytes
!
interface GigabitEthernet2/2.999
 description EOMPLS TEST
 encapsulation dot1Q 999
 xconnect 172.25.224.1 9999 encapsulation mpls
end

#show mpls l2transport vc 9999 detail
Local interface: Gi2/2.999 up, line protocol up, Eth VLAN 999 up
  MPLS VC type is Eth VLAN, interworking type is Ethernet
  Destination address: 172.25.224.1, VC ID: 9999, VC status: up
    Output interface: Vl894, imposed label stack {2488 1244}
    Preferred path: not configured
    Default path: active
    Next hop: 85.186.212.133
  Create time: 00:10:07, last status change time: 00:03:49
  Signaling protocol: LDP, peer 172.25.224.1:0 up
    Targeted Hello: 172.25.231.68(LDP Id) -> 172.25.224.1
    MPLS VC labels: local 54, remote 1244
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: TEST_EOMPLS
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 9
    byte totals:   receive 0, send 576
    packet drops:  receive 0, send 0

It seems that on the PE1 side I only receive but do not send any VC frames:

  VC statistics:
    packet totals: receive 4, send 0
    byte totals:   receive 240, send 0
    packet drops:  receive 0, send 0

CE1 is a Juniper and it is learning ARP from the other CE:

show configuration interfaces xe-3/1/0
enable;
flexible-vlan-tagging;
link-mode full-duplex;
encapsulation flexible-ethernet-services;
gigether-options {
    no-auto-negotiation;
}
unit 999 {
    vlan-id 999;
    family inet {
        address 150.1.1.2/30;
    }
}

ping 150.1.1.1 source 150.1.1.2
PING 150.1.1.1 (150.1.1.1): 56 data bytes
^C
--- 150.1.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

{master}
show arp no-resolve | match xe-3/1/0
00:25:45:a5:fe:a2 150.1.1.1 xe-3/1/0.999 none

CE2 is not learning ARP from CE1.

CE2:

interface GigabitEthernet2/2
 description Link to PE2-EOMPLS
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 999
 switchport mode trunk

sh running-config interface vlan 999
Building configuration...

Current configuration : 63 bytes
!
interface Vlan999
 ip address 150.1.1.1 255.255.255.252
end

#ping 150.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

#sh ip arp Vlan999
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  150.1.1.1               -   0016.9c6d.4280  ARPA   Vlan999
Internet  150.1.1.2               0   Incomplete      ARPA

Have you tried such a setup? Could you send me an example?

Thank you,
John

From ioan.branet at gmail.com Wed Feb 17 03:49:48 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 10:49:48 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To:
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com>
Message-ID: <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com>

Hello,

We run EoMPLS in port and VLAN mode on GE interfaces but we have not run
EoMPLS VLAN mode between 10G and 1G subinterfaces until now.

Any feedback is appreciated.
Thank you,
John

On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson wrote:
> On Wed, 17 Feb 2010, Ioan Branet wrote:
>
> You should answer to the list, answering just to me doesn't make much
> sense.
>
> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't
> remember), or go SRD3 or later.
>
>> Hello,
>>
>> We are running on both PEs the following:
>> sh ver | i IOS
>> Cisco IOS Software, c7600s72033_rp Software
>> (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE SOFTWARE
>> (fc3)
>>
>> 10G card on PE1 is:
>> show module 7
>> Mod Ports Card Type                              Model              Serial No.
>> --- ----- -------------------------------------- ------------------ -----------
>>   7    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL1337YN4W
>>
>> and 1G on PE2 is:
>>
>> ro-sv01a-rd2#show module 2
>> Mod Ports Card Type                              Model              Serial No.
>> --- ----- -------------------------------------- ------------------ -----------
>>   2   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1005CBXG
>>
>> Mod MAC addresses                       Hw    Fw           Sw           Status
>> --- ---------------------------------- ------ ------------ ------------ -------
>>   2  0016.c8c4.fc10 to 0016.c8c4.fc27   2.3   12.2(14r)S5  12.2(33)SRB4 Ok
>>
>> Mod  Sub-Module                  Model              Serial       Hw     Status
>> ---- --------------------------- ------------------ ----------- ------- -------
>>   2  Centralized Forwarding Card WS-F6700-CFC       SAL1014J60S  2.0    Ok
>>
>> Mod  Online Diag Status
>> ---- -------------------
>>   2  Pass
>>
>> Thank you,
>> John
>>
>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson wrote:
>>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>>>> GE interface between two 7600 as PE.
>>>
>>> You forgot to include what software you're running.
>>>
>>> --
>>> Mikael Abrahamsson    email: swmike at swm.pp.se
>
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

From swmike at swm.pp.se Wed Feb 17 03:53:49 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 17 Feb 2010 09:53:49 +0100 (CET)
Subject: [c-nsp] netiquette
Message-ID:

Since this has now happened to me TWICE in 24 hours, I feel I need to post
this because it seems enough people don't know about it:

"Never post private (off-list) correspondence to the list without the
permission of the sender."

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From achatz at forthnet.gr Wed Feb 17 04:05:45 2010
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 17 Feb 2010 11:05:45 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com> <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com>
Message-ID: <4B7BB169.1090306@forthnet.gr>

I'm running EoMPLS between 10GE subif and 1GE subif without any problem.

7600-a>sh mpls l2 vc 3601
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Gi4/20.3601    Eth VLAN 3601              x.x.x.x         3601       UP

7600-b>sh mpls l2 vc 3601
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Te3/2.3601     Eth VLAN 3601              x.x.x.x         3601       UP

Both 7600s are running SRD3.

--
Tassos

Ioan Branet wrote on 17/02/2010 10:49:
> Hello,
>
> We run EOMPLS on port and vlan mode on GE interfaces but we did not run
> EOMPLS Vlan mode between 10G and 1G subinterfaces until now.
>
> Any feedback is appreciated.
> Thank you,
> John

From p.mayers at imperial.ac.uk Wed Feb 17 04:33:36 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 17 Feb 2010 09:33:36 +0000
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216221910.M53040@fast-serv.com>
References: <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com> <20100216.231728.41663379.sthaug@nethelp.no> <20100216221910.M53040@fast-serv.com>
Message-ID: <4B7BB7F0.8060203@imperial.ac.uk>

On 02/16/2010 10:21 PM, Randy McAnally wrote:
> Nothing wrong...it's exactly what I needed.
>
> Long hours of coding makes me overlook these kinds of things and I really
> appreciate the added eyes of the community :)

FWIW we define an alias:

alias interface tagvlan switchport trunk allowed vlan add
alias interface detagvlan switchport trunk allowed vlan remove

...and use:

int Gi1/1
 tagvlan 100
 detagvlan 200-299,310

...because forgetting that "add" and "remove" can do really really really
bad things...

From marco.regini at ascotlc.it Wed Feb 17 04:37:18 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Wed, 17 Feb 2010 10:37:18 +0100
Subject: [c-nsp] netiquette
References:
Message-ID:

Thanks.

So if I post a question to cisco-nsp at puck.nether.net and tom at gmail.com
answers me directly, I can't reply to the mailing list but only to Tom?
Even if the message is only about technical stuff?

Marco

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson
Sent: Wednesday, 17 February 2010 09:54
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] netiquette

Since this has now happened to me TWICE in 24 hours, I feel I need to post
this because it seems enough people don't know about it:

"Never post private (off-list) correspondence to the list without the
permission of the sender."

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From ioan.branet at gmail.com Wed Feb 17 04:44:16 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 11:44:16 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <4B7BB169.1090306@forthnet.gr>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com> <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com> <4B7BB169.1090306@forthnet.gr>
Message-ID: <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com>

Hello,

Maybe there is a bug with the SRB IOS. I still have the VC up on both ends
but I can't ping between CE1 and CE2.

On CE1 (Juniper side) I learn the ARP address of the remote CE2 device and
receive ARP requests and send ARP replies:

show arp no-resolve | match xe-3/1/0
00:16:9c:6d:42:80 150.1.1.1 xe-3/1/0.999 none

Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22
  Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
  Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
  Device Interface Index Extension TLV #1, length 2, value: 193
  Logical Interface Index Extension TLV #4, length 4, value: 126
  Logical Unit Number Extension TLV #5, length 4, value: 32767
  -----original packet-----
  0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1
11:34:01.878596 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22
  Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
  Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
  Device Interface Index Extension TLV #1, length 2, value: 193
  Logical Interface Index
Extension TLV #4, length 4, value: 126
  Logical Unit Number Extension TLV #5, length 4, value: 32767
  -----original packet-----
  0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100), length 46: vlan 999, p 0, ethertype ARP, arp reply 150.1.1.2 is-at 0:21:59:a7:c4:30.

The issue is that I can't upgrade to the SRD IOS.

Thank you,
John

On Wed, Feb 17, 2010 at 11:05 AM, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
> I'm running EoMPLS between 10GE subif and 1GE subif without any problem.
>
> 7600-a>sh mpls l2 vc 3601
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Gi4/20.3601    Eth VLAN 3601              x.x.x.x         3601       UP
>
> 7600-b>sh mpls l2 vc 3601
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Te3/2.3601     Eth VLAN 3601              x.x.x.x         3601       UP
>
> Both 7600s are running SRD3.
>
> --
> Tassos

From saku at ytti.fi Wed Feb 17 05:07:25 2010
From: saku at ytti.fi (Saku Ytti)
Date: Wed, 17 Feb 2010 12:07:25 +0200
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <4B7BB7F0.8060203@imperial.ac.uk>
References: <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com> <20100216.231728.41663379.sthaug@nethelp.no> <20100216221910.M53040@fast-serv.com> <4B7BB7F0.8060203@imperial.ac.uk>
Message-ID: <20100217100725.GA6481@mx.ytti.net>

On (2010-02-17 09:33 +0000), Phil Mayers wrote:

> alias interface tagvlan switchport trunk allowed vlan add
> alias interface detagvlan switchport trunk allowed vlan remove

> ...because forgetting that "add" and "remove" can do really really
> really bad things...

Agreed. Alternatives are using EEM or TACACS to deny execution of dangerous
commands. It is hard to find people who've worked with Cisco switches for a
few years who haven't made this mistake.

Also a very common mistake we've denied in TACACS is 'no router isis';
people sometimes type that in interface mode, forgetting the 'ip'.

While Cisco does provide rather poor quality software, it is still the
operator who breaks the network most typically. Hardware faults are a far
distant 3rd. Yet when we design networks, we concentrate on avoiding
downtime from hardware faults.
-- ++ytti

From swmike at swm.pp.se Wed Feb 17 05:54:33 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 17 Feb 2010 11:54:33 +0100 (CET)
Subject: [c-nsp] netiquette
In-Reply-To:
References:
Message-ID:

On Wed, 17 Feb 2010, Marco Regini wrote:

> Thanks.
>
> So if I post a question to cisco-nsp at puck.nether.net and tom at gmail.com
> answers to me directly, I can't reply to the mailing list but only to tom?
>
> Even if the message is only about technical stuff?

That is correct. Unless you KNOW for sure that Tom is ok with you posting his reply to the list, you shouldn't do it. What Tom is telling you might be for your eyes only and he doesn't want to share it with the rest of the world, and you might not realise it.

The correct way of handling this is to reply to your own email to the list and supply the new information (if you feel it's not a secret). Then at least the world won't know who said it to you.

-- Mikael Abrahamsson email: swmike at swm.pp.se

From psirt at cisco.com Wed Feb 17 11:00:00 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 17 Feb 2010 11:00:00 -0500
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent
Message-ID: <201002171100.csa@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent

Advisory ID: cisco-sa-20100217-csa

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability. Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server hosting the Management Center.
Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause instability of the product or changes in the configuration. Additionally, the Cisco Security Agent is affected by a denial of service (DoS) vulnerability. Successful exploitation of the Cisco Security Agent agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition. These vulnerabilities are independent of each other. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml Affected Products ================= Vulnerable Products +------------------ Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability. Only Cisco Security Agent release 6.0 is affected by the directory traversal vulnerability. Only Cisco Security Agent release 5.2 is affected by the DoS vulnerability. Note: Only the Management Center for Cisco Security Agents is affected by the directory traversal and SQL injection vulnerabilities. The agents installed on user end-points are not affected. Only Cisco Security Agent release 5.2 for Windows and Linux, either managed or standalone, are affected by the DoS vulnerability. 
Standalone agents are installed in the following products: * Cisco Unified Communications Manager (CallManager) * Cisco Conference Connection (CCC) * Emergency Responder * IPCC Express * IPCC Enterprise * IPCC Hosted * IP Interactive Voice Response (IP IVR) * IP Queue Manager * Intelligent Contact Management (ICM) * Cisco Voice Portal (CVP) * Cisco Unified Meeting Place * Cisco Personal Assistant (PA) * Cisco Unity * Cisco Unity Connection * Cisco Unity Bridge * Cisco Secure ACS Solution Engine * Cisco Internet Service Node (ISN) * Cisco Security Manager (CSM) Note: The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities. Products Confirmed Not Vulnerable +-------------------------------- The Sun Solaris version of Cisco Security Agent is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems. Cisco Security Agents can be standalone agents or can be managed by the Cisco Security Agent Management Center. The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability. Management Center for Cisco Security Agents Directory Traversal Vulnerability +---------------------------------------------------------------------------- The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability that may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents. This vulnerability is documented in Cisco Bug ID CSCtd73275 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0146. 
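The advisory does not disclose the affected Management Center code, so the following Python is an added, generic illustration (not Cisco's code) of the two bug classes it names, the directory traversal above and the SQL injection described next, written from the defender's side: a download-path resolver that canonicalises before checking containment, and a parameterised query next to the string-spliced form it replaces. The document root, file names, the `users` table and the in-memory SQLite store are all constructed for the demo.

```python
import os
import sqlite3
import tempfile


def resolve_download_path(base_dir, requested):
    """Map a user-supplied file name onto base_dir and refuse anything that
    resolves outside it ('..' segments, absolute paths, symlinked escapes)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # Containment is checked on the canonical paths; a substring test for
    # '..' or a plain startswith() on the raw string is what gets bypassed.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to serve {requested!r}: outside {base}")
    return target


def find_user_unsafe(conn, username):
    # Anti-pattern: the input is spliced into the SQL text, so a quote in
    # the input rewrites the query's structure.
    sql = "SELECT id, name, role FROM users WHERE name = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterised query: the input is bound as a value and can never
    # become SQL syntax, whatever characters it contains.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (username,)
    ).fetchall()


def build_demo_db():
    """Constructed in-memory table standing in for a management-user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "operator")])
    return conn


def run_demo():
    """Exercise both checks on constructed input and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "report.txt"), "w") as fh:
            fh.write("ok")
        served = resolve_download_path(docroot, "report.txt")
        results["normal_file_served"] = os.path.isfile(served)
        for bad in ("../outside.txt", "/etc/hosts", "sub/../../x"):
            try:
                resolve_download_path(docroot, bad)
                results[bad] = "served"
            except PermissionError:
                results[bad] = "rejected"
    conn = build_demo_db()
    hostile = "' OR '1'='1"        # constructed input containing a quote
    results["unsafe_rows"] = len(find_user_unsafe(conn, hostile))   # every row
    results["safe_rows"] = len(find_user_safe(conn, hostile))       # no row
    results["safe_legit_rows"] = len(find_user_safe(conn, "alice"))  # one row
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The resolver deliberately does its check after `os.path.realpath`, so symlinks inside the document root that point outside it are rejected as well, not only literal `..` segments.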
Management Center for Cisco Security Agents SQL Injection Vulnerability +---------------------------------------------------------------------- The Management Center for Cisco Security Agents is also affected by a SQL injection vulnerability that may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. These configuration changes may result in modifications to the security policies of the endpoints. Additionally, an attacker may create, delete, or modify management user accounts that are found in the Management Center for Cisco Security Agents. This vulnerability is documented in Cisco Bug ID CSCtd73290 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0147. Cisco Security Agent Denial of Service Vulnerability +--------------------------------------------------- Cisco Security Agent is affected by a DoS vulnerability that could allow an unauthenticated attacker to cause a system to crash by sending a series of TCP packets. Note: Only Cisco Security Agent release 5.2 is affected by the DoS vulnerability. The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities. This vulnerability is documented in Cisco Bug ID CSCtb89870 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0148. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. 
Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

CSCtd73275 - Directory Traversal in the Management Center for Cisco Security Agents

CVSS Base Score - 6.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - Single
  Confidentiality Impact - Complete
  Integrity Impact - None
  Availability Impact - None

CVSS Temporal Score - 5.9
  Exploitability - High
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

CSCtd73290 - Management Center for Cisco Security Agents: SQL Injection

CVSS Base Score - 9
  Access Vector - Network
  Access Complexity - Low
  Authentication - Single
  Confidentiality Impact - Complete
  Integrity Impact - Complete
  Availability Impact - Complete

CVSS Temporal Score - 7.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

CSCtb89870 - Kernel Panic When Receiving Certain TCP Packets

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents.
Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration.

Successful exploitation of the Cisco Security Agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

+-----------------------------+---------+----------------+----------------+
| Vulnerability               | Cisco   | First Fixed    | Recommended    |
|                             | Security| Version        | Release        |
|                             | Agent   |                |                |
|                             | Release |                |                |
+-----------------------------+---------+----------------+----------------+
| Directory Traversal         | 5.1     | Not vulnerable | Not vulnerable |
| Vulnerability               | 5.2     | Not vulnerable | Not vulnerable |
|                             | 6.0     | 6.0.1.132      | 6.0.1.132      |
+-----------------------------+---------+----------------+----------------+
| SQL Injection               | 5.1     | 5.1.0.117      | 5.1.0.117      |
| Vulnerability               | 5.2     | 5.2.0.296      | 5.2.0.296      |
|                             | 6.0     | 6.0.1.132      | 6.0.1.132      |
+-----------------------------+---------+----------------+----------------+
| Denial of Service           | 5.1     | Not vulnerable | 5.1.0.117      |
| Vulnerability               | 5.2     | 5.2.0.285      | 5.2.0.296      |
|                             | 6.0     | Not vulnerable | 6.0.1.132      |
+-----------------------------+---------+----------------+----------------+

Cisco CSA software can be downloaded from the following link:

http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206

Workarounds
===========

There are no workarounds available to mitigate these vulnerabilities.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20100217-csa.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

or as otherwise set forth at Cisco.com Downloads at:

http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. 
Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The directory traversal and SQL injection vulnerabilities were discovered and reported to Cisco by Gabriele Giuseppini from Cigital. Cisco PSIRT appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. The DoS vulnerability was found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. 
Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+----------+------------------+-------------------------+
| Revision | Date             | Change                  |
+----------+------------------+-------------------------+
| 1.0      | 2010-February-17 | Initial public release. |
+----------+------------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at:

http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----

iD8DBQFLew9U86n/Gc8U/uARAifvAJ9oLuXJY6iy962givBVY7701k4ktACfa3wK
O9O+Q4F1alHxm6CIbUIXkUs=
=+hka
-----END PGP SIGNATURE-----

From ioan.branet at gmail.com Wed Feb 17 11:01:42 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 18:01:42 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com> <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com> <4B7BB169.1090306@forthnet.gr> <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com>
Message-ID: <257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com>

Hello, I tried with Cisco 7600 as CE instead of Juniper and it works, I have to find out what is wrong there.
Thank you for your help, Regards, John

From psirt at cisco.com Wed Feb 17 11:33:35 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 17 Feb 2010 11:33:35 -0500
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
Message-ID: <201002171134.asa@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple
Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances Advisory ID: cisco-sa-20100217-asa Revision 1.0 For Public Release 2010 February 17 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities: * TCP Connection Exhaustion Denial of Service Vulnerability * Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities * Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability * Crafted TCP Segment Denial of Service Vulnerability * Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability * NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others. There are workarounds for some of the vulnerabilities disclosed in this advisory. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml. Affected Products ================= Vulnerable Products +------------------ Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. For specific version information, refer to the "Software Versions and Fixes" section of this advisory. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) that can be triggered through the receipt of specific TCP segments during the TCP connection termination phase. 
Appliances that are running versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they are configured for any of the following features: * SSL VPNs * Cisco Adaptive Security Device Manager (ASDM) Administrative Access * Telnet Access * SSH Access * Virtual Telnet * Virtual HTTP * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Two denial of service (DoS) vulnerabilities affect the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- A denial of service vulnerability affects the SCCP inspection feature of the Cisco ASA 5500 Series Adaptive Security Appliances. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the "show service-policy | include skinny" command and confirm that some output is returned. 
Sample output is displayed in the following example:

    ciscoasa#show service-policy | include skinny
          Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, an appliance that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a denial of service vulnerability that exists when WebVPN and DTLS are enabled. Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x.

Administrators can enable WebVPN with the "enable " command in "webvpn" configuration mode. DTLS can be enabled by issuing the "svc dtls enable" command in "group policy webvpn" configuration mode. The following configuration snippet provides an example of a WebVPN configuration that enables DTLS:

    webvpn
     enable outside
     svc enable
     ...
    !
    group-policy internal
    group-policy attributes
     ...
     webvpn
      svc dtls enable
      ...

Although WebVPN is disabled by default, DTLS is enabled by default in recent software releases.

Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a denial of service vulnerability that can be triggered by a malformed TCP segment that transits the appliance. This vulnerability only affects configurations that use the "nailed" option at the end of their static statement. Additionally, traffic that matches the "static" statement must also be inspected by a Cisco AIP-SSM (an Intrusion Prevention System (IPS) module) in inline mode. IPS inline operation mode is enabled by using the "ips inline {fail-close | fail-open}" command in "class" configuration mode.
Cisco ASA 5500 Series Adaptive Security Appliances that are running
software versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are
affected.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

A crafted IKE message that is sent through an IPsec tunnel that
terminates on a Cisco ASA 5500 Series Adaptive Security Appliance
could cause all IPsec tunnels that terminate on the same device to be
torn down. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are
affected. IKE is not enabled by default. If IKE is enabled, the
"isakmp enable " command appears in the configuration.

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

An authentication bypass vulnerability affects Cisco ASA 5500 Series
Adaptive Security Appliances when NTLMv1 authentication is configured.
Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected.
Administrators can configure NTLMv1 authentication by defining an
Authentication, Authorization, and Accounting (AAA) server group that
uses the NTLMv1 protocol with the "aaa-server protocol nt" command and
then configuring a service that requires authentication to use that
AAA server group. To verify that NTLMv1 authentication is enabled and
active, issue the "show aaa-server protocol nt" command.
Sample output is displayed in the following example:

    ciscoasa#show aaa-server protocol nt
    Server Group:    test
    Server Protocol: nt
    Server Address:  192.168.10.11
    Server port:     139
    Server status:   ACTIVE, Last transaction (success) at 11:10:08 UTC Fri Jan 29

Cisco PIX 500 Series Security Appliance Vulnerability Status
+-----------------------------------------------------------

Cisco PIX 500 Series Security Appliances are affected by the following
vulnerabilities:

  * TCP Connection Exhaustion Denial of Service Vulnerability
  * SIP Inspection Denial of Service Vulnerabilities
  * SCCP Inspection Denial of Service Vulnerability
  * Crafted IKE Message Denial of Service Vulnerability
  * NTLMv1 Authentication Bypass Vulnerability

Because the Cisco PIX 500 Series Security Appliances reached End of
Software Maintenance Releases on July 28, 2009, no further software
releases will be available for the Cisco PIX 500 Series Security
Appliances. Cisco PIX 500 Series Security Appliances customers are
encouraged to migrate to Cisco ASA 5500 Series Adaptive Security
Appliances or to implement any applicable workarounds that are listed
in the "Workarounds" section of this advisory. Fixed software is
available for the Cisco ASA 5500 Series Adaptive Security Appliances.
For more information, refer to the End of Life announcement at:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html.

How To Determine The Running Software Version
+--------------------------------------------

To determine whether a vulnerable version of Cisco ASA Software is
running on an appliance, administrators can issue the "show version"
command-line interface (CLI) command.
The following example shows a Cisco ASA 5500 Series Adaptive Security
Appliance that is running software version 8.0(4):

    ASA#show version
    Cisco Adaptive Security Appliance Software Version 8.0(4)
    Device Manager Version 6.0(1)

Customers who use Cisco ASDM to manage devices can locate the software
version in the table that is displayed in the login window or
upper-left corner of the Cisco ASDM window.

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco Firewall Services Module (FWSM) is affected by some of the
vulnerabilities in this advisory. A separate Cisco Security Advisory
has been published to disclose the vulnerabilities that affect the
FWSM. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml.

With the exception of the Cisco FWSM, no other Cisco products are
currently known to be affected by these vulnerabilities.

Details
=======

The Cisco ASA 5500 Series Adaptive Security Appliance is a modular
platform that provides security and VPN services. It offers firewall,
intrusion prevention (IPS), anti-X, and VPN services.

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP
connection exhaustion condition (no new TCP connections are accepted)
when specific TCP segments are received during the TCP connection
termination phase. This vulnerability is triggered only when specific
TCP segments are sent to certain TCP-based services that terminate on
the affected appliance. Although exploitation of this vulnerability
requires a TCP three-way handshake, authentication is not required.

This vulnerability is documented in Cisco bug ID CSCsz77717 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2010-0149.
SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by two
denial of service vulnerabilities that may cause an appliance to
reload during the processing of SIP messages. Appliances are only
vulnerable when SIP inspection is enabled. Only transit traffic can
trigger these vulnerabilities; traffic that is destined to the
appliance will not trigger the vulnerabilities.

These vulnerabilities are documented in Cisco bug IDs CSCsy91157 and
CSCtc96018 and have been assigned CVE IDs CVE-2010-0150 and
CVE-2010-0569, respectively.

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a
vulnerability that may cause the appliance to reload during the
processing of a malformed skinny control message. Appliances are only
vulnerable when SCCP inspection is enabled. Only transit traffic can
trigger this vulnerability; traffic that is destined to the appliance
will not trigger the vulnerability.

This vulnerability is documented in Cisco bug ID CSCsz79757 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2010-0151.

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a
vulnerability that may cause the appliance to reload when a malformed
DTLS message is sent to the DTLS port (by default UDP port 443).
Appliances are only vulnerable when they are configured for WebVPN and
DTLS transport. This vulnerability is only triggered by traffic that
is destined to the appliance; transit traffic will not trigger the
vulnerability.

This vulnerability is documented in Cisco bug ID CSCtb64913 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2010-0565.
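The SIP and SCCP checks in the "Vulnerable Products" section above are manual CLI filters. The following Python is an added example (not Cisco code and not part of the advisory) that performs the same check over collected "show service-policy" output and over a running-config fragment, so the exposure of a fleet can be assessed from saved output rather than box by box. The CLI output and configuration it operates on are constructed samples modelled on the advisory's snippets.

```python
"""Report which application inspections (sip, skinny, ...) an ASA has
active, from "show service-policy" output and from the running config.

Added example for the advisory's SIP/SCCP inspection checks; the
sample CLI output and config below are constructed, not captured.
"""
import re

# Constructed: abbreviated "show service-policy" output from an appliance
# running the default global policy.
SAMPLE_SHOW_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1234, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 42, drop 0, reset-drop 0
"""

# Constructed: the matching running-config fragment, in the advisory's shape.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect sip
  inspect skinny
  inspect ftp
!
service-policy global_policy global
"""

# One "Inspect: <name> ..." line per active inspection; \w+ stops at the
# comma or space after the name, so "ftp," yields "ftp".
INSPECT_LINE = re.compile(r"^\s*Inspect:\s+(\w+)", re.MULTILINE)


def enabled_inspections(show_service_policy_output):
    """Inspection names the appliance reports as active, e.g. {'sip', ...}.

    Equivalent to the advisory's 'show service-policy | include sip'
    check: these 'Inspect:' lines are what that filter would match.
    """
    return set(INSPECT_LINE.findall(show_service_policy_output))


def configured_inspections(config_text):
    """Inspections configured under a policy-map that is applied globally.

    "!" ends a block; "policy-map type ..." blocks are parameter maps
    and are skipped. Only policy-maps named in a
    "service-policy <name> global" line count.
    """
    policy_maps = {}        # policy-map name -> set of inspected protocols
    applied_globally = set()
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "policy-map" and len(tokens) > 1:
            current = None if tokens[1] == "type" else tokens[1]
            if current is not None:
                policy_maps.setdefault(current, set())
        elif line == "!":
            current = None
        elif tokens[0] == "inspect" and len(tokens) > 1 and current is not None:
            policy_maps[current].add(tokens[1])
        elif tokens[0] == "service-policy" and len(tokens) > 2 and tokens[-1] == "global":
            applied_globally.add(tokens[1])
    active = set()
    for name in applied_globally:
        active |= policy_maps.get(name, set())
    return active


def advisory_exposure(show_output, config_text):
    """Map the advisory's inspection DoS issues to whether the feature that
    exposes them is enabled; either data source is enough to say yes."""
    active = enabled_inspections(show_output) | configured_inspections(config_text)
    return {
        "SIP inspection DoS (CSCsy91157, CSCtc96018)": "sip" in active,
        "SCCP inspection DoS (CSCsz79757)": "skinny" in active,
    }


if __name__ == "__main__":
    for issue, exposed in advisory_exposure(SAMPLE_SHOW_SERVICE_POLICY, SAMPLE_CONFIG).items():
        print(f"{issue}: {'exposed' if exposed else 'not exposed'}")
```

Both sources are consulted because an operator may have saved only one of them; the config walk also makes the "no inspect sip" / "no inspect skinny" workarounds from the Workarounds section verifiable, since removing those lines turns the corresponding result to False.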
Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a
vulnerability that may cause an appliance to reload when all of the
following conditions are met:

  1. A malformed, transit TCP segment is received.
  2. The TCP segment matches a static NAT translation that has the
     "nailed" option configured on it.
  3. The TCP segment is also processed by the Cisco AIP-SSM, which is
     configured for inline mode of operation.

A TCP three-way handshake is not necessary to exploit this
vulnerability.

This vulnerability is documented in Cisco bug ID CSCtb37219 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2010-0566.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances contain a
vulnerability that may cause all IPsec tunnels terminating on the
appliance to be torn down and prevent new tunnels from being
established. The tunnels are not torn down immediately; IPsec traffic
will continue to flow until the next rekey, at which time the rekey
will fail and the tunnels will be torn down. Both site-to-site and
remote access VPN tunnels are affected. The vulnerability is triggered
when the appliance processes a malformed IKE message on port UDP 4500
that traverses an existing IPsec tunnel. The only way to recover and
re-establish IPsec VPN tunnels is to reload the appliance.

When this vulnerability is exploited, the security appliance will
generate syslog messages 713903 and 713906, which will be followed by
the loss of IPsec peers.

This vulnerability is documented in Cisco bug ID CSCtc47782 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2010-0567.
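The advisory gives a concrete log signature for the IKE issue: syslog messages 713903 and 713906 followed by the loss of IPsec peers. Because the tunnels only drop at the next rekey, there is a window in which that signature can be caught before the outage. The following Python is an added example (not Cisco code, not from the advisory) that scans collected ASA syslog lines for the two message IDs and reports peers for which both appeared. The log lines are constructed; the "%ASA-<severity>-<id>:" prefix is the real ASA syslog format, but the severities and message texts shown are assumptions and the matcher does not depend on them.

```python
"""Flag the syslog signature the advisory gives for CSCtc47782: messages
713903 and 713906 preceding the loss of IPsec peers.

Added example, not Cisco's. The log lines below are constructed; only
the "%ASA-<severity>-<id>:" prefix shape and the two message IDs come
from real ASA syslog and from the advisory respectively.
"""
import re
from collections import defaultdict

IKE_FAILURE_IDS = {"713903", "713906"}   # the two IDs named in the advisory

# Severity digit is matched but ignored: the advisory names only the IDs.
SYSLOG_ID = re.compile(r"%ASA-\d-(\d{6}):")
PEER_IP = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: peer 172.16.0.1 logs both messages, peer 172.16.0.2
# only one of them, with unrelated connection messages as noise.
SAMPLE_LOG = [
    "Feb 17 2010 16:00:01 asa1 %ASA-6-302013: Built inbound TCP connection 4711 (constructed)",
    "Feb 17 2010 16:00:05 asa1 %ASA-3-713903: Group = 172.16.0.1, IP = 172.16.0.1, (constructed) rekey processing failed",
    "Feb 17 2010 16:00:05 asa1 %ASA-3-713906: Group = 172.16.0.1, IP = 172.16.0.1, (constructed) removing peer",
    "Feb 17 2010 16:00:07 asa1 %ASA-3-713903: Group = 172.16.0.2, IP = 172.16.0.2, (constructed) rekey processing failed",
    "Feb 17 2010 16:00:09 asa1 %ASA-6-302014: Teardown TCP connection 4711 (constructed)",
]


def ike_failure_events(lines):
    """Return {peer_ip: [message_id, ...]} for the advisory's two IDs only.

    Lines without a parseable "IP = a.b.c.d" field are grouped under
    'unknown' rather than dropped, so a formatting surprise does not
    silently hide an event.
    """
    events = defaultdict(list)
    for line in lines:
        m = SYSLOG_ID.search(line)
        if not m or m.group(1) not in IKE_FAILURE_IDS:
            continue
        ip = PEER_IP.search(line)
        peer = ip.group(1) if ip else "unknown"
        events[peer].append(m.group(1))
    return dict(events)


def peers_matching_signature(lines):
    """Peers for which both 713903 and 713906 were logged: the sequence the
    advisory says precedes tunnel loss, and therefore worth an alert
    before the next rekey fails."""
    return sorted(peer for peer, ids in ike_failure_events(lines).items()
                  if IKE_FAILURE_IDS <= set(ids))


if __name__ == "__main__":
    for peer in peers_matching_signature(SAMPLE_LOG):
        print(f"IKE rekey-failure signature seen for peer {peer}; expect tunnel loss at next rekey")
```

A single 713903 from one peer is reported by ike_failure_events() but not by peers_matching_signature(); the alert is reserved for the two-message sequence the advisory describes, which keeps ordinary IKE negotiation errors from paging anyone.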
NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances contain a
vulnerability that could result in authentication bypass when the
affected appliance is configured to authenticate users against
Microsoft Windows servers using the NTLMv1 protocol. Users can bypass
authentication by providing an invalid, crafted username during an
authentication request. Any service that uses an AAA server group that
is configured to use the NTLMv1 authentication protocol is affected.
Affected services include:

  * Telnet access to the security appliance
  * SSH access to the security appliance
  * HTTPS access to the security appliance (including Cisco ASDM access)
  * Serial console access
  * Privileged (enable) mode access
  * Cut-through proxy for network access
  * VPN access

This vulnerability is documented in Cisco bug ID CSCte21953 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2010-0568.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss.
TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

* CSCsz77717 ("TCP sessions remain in CLOSEWAIT indefinitely")

CVSS Base Score - 7.1
    Access Vector -           Network
    Access Complexity -       Medium
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 5.9
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

* CSCsy91157 ("Watchdog when inspecting malformed SIP traffic")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

* CSCtc96018 ("ASA watchdog when inspecting malformed SIP traffic")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

* CSCsz79757 ("Traceback - Thread Name: Dispatch Unit with skinny inspect enabled")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

* CSCtb64913 ("WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

* CSCtb37219 ("Traceback in Dispatch Unit AIP-SSM Inline and nailed option on static")

CVSS Base Score - 7.1
    Access Vector -           Network
    Access Complexity -       Medium
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 5.9
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

* CSCtc47782 ("Malformed IKE traffic causes rekey to fail")

CVSS Base Score - 5.0
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Partial

CVSS Temporal Score - 4.1
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

* CSCte21953 ("ASA may allow authentication of an invalid username for NT auth")

CVSS Base Score - 7.1
    Access Vector -           Network
    Access Complexity -       Medium
    Authentication -          None
    Confidentiality Impact -  Complete
    Integrity Impact -        None
    Availability Impact -     None

CVSS Temporal Score - 6.2
    Exploitability -          High
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Impact
======

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

Successful exploitation of this vulnerability may lead to an
exhaustion condition where the affected appliance cannot accept new
TCP connections.
A reload of the appliance is necessary to recover from the TCP
connection exhaustion condition. If a TCP-based protocol is used for
device management (like telnet, SSH, or HTTPS), a serial console
connection may be needed to access the appliance.

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

Successful exploitation of this vulnerability may cause a reload of
the affected appliance. Repeated exploitation could result in a
sustained DoS condition.

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

Successful exploitation of this vulnerability may cause a reload of
the affected appliance. Repeated exploitation could result in a
sustained DoS condition.

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

Successful exploitation of this vulnerability may cause a reload of
the affected appliance. Repeated exploitation could result in a
sustained DoS condition.

Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

Successful exploitation of this vulnerability may cause a reload of
the affected appliance. Repeated exploitation could result in a
sustained DoS condition.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

Successful exploitation of this vulnerability could cause all IPsec
VPN tunnels (LAN-to-LAN or remote) that terminate on the security
appliance to be torn down and prevent new tunnels from being
established. A manual reload of the appliance is required to
re-establish all VPN tunnels.

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

Successful exploitation of this vulnerability could result in
unauthorized access to the network or appliance.
Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

The following table contains the first fixed software release of each
vulnerability. A device running a version of the given release in a
specific row (less than the First Fixed Release) is known to be
vulnerable.

+---------------------------------------+
|                 | Major   | First     |
| Vulnerability   | Release | Fixed     |
|                 |         | Release   |
|-----------------+---------+-----------|
|                 | 7.0     | Not       |
|                 |         | affected  |
| TCP Connection  |---------+-----------|
| Exhaustion      | 7.2     | 7.2(4.46) |
| Denial of       |---------+-----------|
| Service         | 8.0     | 8.0(4.38) |
| Vulnerability ( |---------+-----------|
| CSCsz77717)     | 8.1     | 8.1(2.29) |
|                 |---------+-----------|
|                 | 8.2     | 8.2(1.5)  |
|-----------------+---------+-----------|
|                 | 7.0     | 7.0(8.10) |
| SIP Inspection  |---------+-----------|
| Denial of       | 7.2     | 7.2(4.45) |
| Service         |---------+-----------|
| Vulnerabilities | 8.0     | 8.0(5.2)  |
| (CSCsy91157 and |---------+-----------|
| CSCtc96018)     | 8.1     | 8.1(2.37) |
|                 |---------+-----------|
|                 | 8.2     | 8.2(1.16) |
|-----------------+---------+-----------|
|                 | 7.0     | Not       |
|                 |         | affected  |
|                 |---------+-----------|
| SCCP Inspection | 7.2     | Not       |
| Denial of       |         | affected  |
| Service         |---------+-----------|
| Vulnerability ( | 8.0     | 8.0(4.38) |
| CSCsz79757)     |---------+-----------|
|                 | 8.1     | 8.1(2.29) |
|                 |---------+-----------|
|                 | 8.2     | 8.2(1.2)  |
|-----------------+---------+-----------|
|                 | 7.0     | Not       |
|                 |         | affected  |
| WebVPN DTLS     |---------+-----------|
| Denial of       | 7.2     | 7.2(4.45) |
| Service         |---------+-----------|
| Vulnerability ( | 8.0     | 8.0(4.44) |
| CSCtb64913)     |---------+-----------|
|                 | 8.1     | 8.1(2.35) |
|                 |---------+-----------|
|                 | 8.2     | 8.2(1.10) |
|-----------------+---------+-----------|
|                 | 7.0     | 7.0(8.10) |
|                 |---------+-----------|
| Crafted TCP     | 7.2     | 7.2(4.45) |
| Segment Denial  |---------+-----------|
| of Service      | 8.0     | 8.0(4.44) |
| Vulnerability ( |---------+-----------|
| CSCtb37219)     | 8.1     | 8.1(2.35) |
|                 |---------+-----------|
|                 | 8.2     | 8.2(1.10) |
|-----------------+---------+-----------|
|                 | 7.0     | 7.0(8.10) |
|                 |---------+-----------|
| Crafted IKE     | 7.2     | 7.2(4.45) |
| Message Denial  |---------+-----------|
| of Service      | 8.0     | 8.0(5.1)  |
| Vulnerability ( |---------+-----------|
| CSCtc47782)     | 8.1     | 8.1(2.37) |
|                 |---------+-----------|
|                 | 8.2     | 8.2(1.15) |
|-----------------+---------+-----------|
|                 | 7.0     | 7.0(8.10) |
|                 |---------+-----------|
|                 | 7.2     | 7.2(4.45) |
|                 |---------+-----------|
| NTLMv1          | 8.0     | 8.0(5.7)  |
| Authentication  |---------+-----------|
| Bypass          |         | 8.1       |
| Vulnerability ( |         | (2.40),   |
| CSCte21953)     | 8.1     | available |
|                 |         | early     |
|                 |         | March     |
|                 |         | 2010      |
|                 |---------+-----------|
|                 | 8.2     | 8.2(2.1)  |
+---------------------------------------+

Note: Cisco ASA Software versions 7.1.x are affected by some of the
vulnerabilities in this advisory. However, no fixed 7.1.x software
versions are planned because the 7.1.x major release has reached the
End of Software Maintenance Releases milestone. Refer to the EOL/EOS
for the Cisco ASA 5500 Series Adaptive Security Appliance Software
v7.1 notice for further information.
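Reading a "show version" string against the First Fixed Release table by hand is error-prone because ASA versions carry a maintenance number and an optional interim number inside the parentheses, e.g. 8.0(4) versus 8.0(4.38). The following Python is an added example (not Cisco code and not part of the advisory) that transcribes the table above, extracts the running version from "show version" output as shown in the "How To Determine The Running Software Version" section, and reports the status of every issue in the advisory. The "not affected" cells and the 7.1.x "no fix planned" note are taken from the table and the Vulnerable Products section; the version strings used in the usage line are constructed.

```python
"""Compare a running Cisco ASA Software version against the advisory's
First Fixed Release table.

Added example, not Cisco's. FIRST_FIXED is transcribed from the
advisory's table; which majors are affected comes from its "Vulnerable
Products" section. Versions use the ASA notation
major.minor(maintenance[.interim]), e.g. 8.0(4.38).
"""
import re

NOT_AFFECTED = None            # a "Not affected" cell in the table
NO_FIX = "no fix planned"      # 7.1.x: affected, but no fixed 7.1 release planned

# issue -> {major release: first fixed release}
FIRST_FIXED = {
    "CSCsz77717 TCP connection exhaustion DoS": {
        "7.0": NOT_AFFECTED, "7.1": NO_FIX, "7.2": "7.2(4.46)",
        "8.0": "8.0(4.38)", "8.1": "8.1(2.29)", "8.2": "8.2(1.5)"},
    "CSCsy91157/CSCtc96018 SIP inspection DoS": {
        "7.0": "7.0(8.10)", "7.1": NO_FIX, "7.2": "7.2(4.45)",
        "8.0": "8.0(5.2)", "8.1": "8.1(2.37)", "8.2": "8.2(1.16)"},
    "CSCsz79757 SCCP inspection DoS": {
        "7.0": NOT_AFFECTED, "7.1": NOT_AFFECTED, "7.2": NOT_AFFECTED,
        "8.0": "8.0(4.38)", "8.1": "8.1(2.29)", "8.2": "8.2(1.2)"},
    "CSCtb64913 WebVPN DTLS DoS": {
        "7.0": NOT_AFFECTED, "7.1": NO_FIX, "7.2": "7.2(4.45)",
        "8.0": "8.0(4.44)", "8.1": "8.1(2.35)", "8.2": "8.2(1.10)"},
    "CSCtb37219 crafted TCP segment DoS": {
        "7.0": "7.0(8.10)", "7.1": NO_FIX, "7.2": "7.2(4.45)",
        "8.0": "8.0(4.44)", "8.1": "8.1(2.35)", "8.2": "8.2(1.10)"},
    "CSCtc47782 crafted IKE message DoS": {
        "7.0": "7.0(8.10)", "7.1": NO_FIX, "7.2": "7.2(4.45)",
        "8.0": "8.0(5.1)", "8.1": "8.1(2.37)", "8.2": "8.2(1.15)"},
    "CSCte21953 NTLMv1 authentication bypass": {
        "7.0": "7.0(8.10)", "7.1": NO_FIX, "7.2": "7.2(4.45)",
        "8.0": "8.0(5.7)", "8.1": "8.1(2.40)",   # 8.1(2.40): early March 2010
        "8.2": "8.2(2.1)"},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")
SHOW_VERSION_RE = re.compile(r"Software Version (\S+)")


def parse_asa_version(text):
    """'8.0(4.38)' -> ('8.0', (4, 38)); '8.0(4)' -> ('8.0', (4, 0)).

    The tuple orders correctly: 8.0(4) sorts below 8.0(4.38), which is
    exactly the case the table's "less than" rule is about.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ASA version string: {text!r}")
    major = f"{m.group(1)}.{m.group(2)}"
    return major, (int(m.group(3)), int(m.group(4) or 0))


def version_from_show_version(output):
    """Extract the version from a 'show version' line such as
    'Cisco Adaptive Security Appliance Software Version 8.0(4)'."""
    m = SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


def status(version_text, issue):
    """One of: not affected / fixed / vulnerable / vulnerable, no fix
    planned / unknown major release."""
    major, running = parse_asa_version(version_text)
    table = FIRST_FIXED[issue]
    if major not in table:
        return "unknown major release"
    fixed = table[major]
    if fixed is None:
        return "not affected"
    if fixed == NO_FIX:
        return "vulnerable, " + NO_FIX
    _, first_fixed = parse_asa_version(fixed)
    return "fixed" if running >= first_fixed else "vulnerable"


def report(version_text):
    """Status of every issue in the advisory for one running version."""
    return {issue: status(version_text, issue) for issue in FIRST_FIXED}


if __name__ == "__main__":
    # Constructed "show version" output mirroring the advisory's sample.
    sample = "Cisco Adaptive Security Appliance Software Version 8.0(4)\nDevice Manager Version 6.0(1)\n"
    running = version_from_show_version(sample)
    for issue, state in report(running).items():
        print(f"{running}: {issue}: {state}")
```

Note that the table compares within a major release only: an 8.2 appliance is not "fixed" by virtue of an 8.0 fix existing, which is why the lookup is keyed on the major release before the maintenance tuple is compared. The recommended releases listed below (7.0(8.10), 7.2(4.46), 8.0(5.9), 8.1(2.40) and 8.2(2.4)) all report "fixed" or "not affected" for every issue.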
Fixed Cisco ASA Software can be downloaded from:

http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2

Recommended Releases
+-------------------

Releases 7.0(8.10), 7.2(4.46), 8.0(5.9), 8.1(2.40) (available early
March 2010), and 8.2(2.4) are recommended releases because they
contain the fixes for all vulnerabilities in this advisory. Cisco
recommends upgrading to a release that is equal to or later than these
recommended releases.

Workarounds
===========

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

It is possible to mitigate this vulnerability for TCP-based services
that are offered to known clients. For example, it may be possible to
restrict SSH, Cisco ASDM/HTTPS, and Telnet administrative access to
known hosts or IP subnetworks. For other services like remote access
SSL VPN, where clients connect from unknown hosts and networks, no
mitigations exist.

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

These vulnerabilities can be mitigated by disabling SIP inspection if
it is not required. Administrators can disable SIP inspection by
issuing the "no inspect sip" command in class configuration sub-mode
within policy-map configuration.

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

This vulnerability can be mitigated by disabling SCCP inspection if it
is not required. Administrators can disable SCCP inspection by issuing
the "no inspect skinny" command in class configuration sub-mode within
the policy-map configuration.

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

This vulnerability can be mitigated by disabling DTLS transport for
WebVPN. Administrators can disable DTLS by issuing the "no svc dtls
enable" command under the "webvpn" attributes section of the
corresponding group policy.
Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

Possible workarounds for this vulnerability are the following:

  * Migrate from "nailed" static NAT entries to TCP-state bypass.
  * Use the Cisco AIP-SSM in promiscuous mode. This mode can be
    configured by issuing the "ips promiscuous" command in "class"
    configuration mode.
  * Disable IPS inspection for "nailed" static NAT entries.
  * If possible, change "nailed" static NAT entries to standard static
    NAT entries.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

A workaround for this vulnerability is to prevent UDP port 4500
traffic from ever traversing IPsec tunnels terminating on the Cisco
ASA 5500 Series Adaptive Security Appliance. This may be feasible
since in most cases there is no need for allowing IPsec tunnels inside
IPsec tunnels. Filtering out UDP port 4500 traffic across an IPsec
tunnel can be accomplished by using a VPN filter, as shown in the
following example:

    !-- Deny only UDP port 4500 traffic and allow everything else

    access-list VPNFILTER extended deny udp any any eq 4500
    access-list VPNFILTER extended permit ip any any

    !-- Create a group policy and specify a VPN filter that uses the
    !-- previous ACL

    group-policy VPNPOL internal
    group-policy VPNPOL attributes
     vpn-filter value VPNFILTER

    !-- Reference the group policy with the VPN filter from the tunnel group

    tunnel-group 172.16.0.1 type ipsec-l2l
    tunnel-group 172.16.0.1 general-attributes
     default-group-policy VPNPOL

For this workaround to be effective, the group policy needs to be
applied to all site-to-site (tunnel type "ipsec-l2l") and remote
access (tunnel type "ipsec-ra") tunnel groups.

Warning: In addition to filtering out IKE traffic on UDP port 4500,
this workaround may also affect other protocols like DNS and SNMP that
send traffic on UDP port 4500.
For example, if a DNS resolver sends traffic from UDP port 4500 to a
DNS server, the response from the DNS server will be destined to UDP
port 4500, which then may be filtered out by the filter used in this
workaround.

For a more comprehensive example of the VPN filter feature of the
Cisco ASA 5500 Series Adaptive Security Appliances, refer to the
whitepaper "PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or
Protocol) Configuration Example for L2L and Remote Access" available
at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

In addition, if the security appliance does not terminate any tunnels,
the vulnerability can be mitigated by disabling IKE by issuing the
"no isakmp enable " command.

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

If NTLMv1 authentication is required, there are no workarounds for
this vulnerability. If NTLMv1 authentication can be substituted by
other authentication protocols (LDAP, RADIUS, TACACS+, etc.), it is
possible to mitigate the vulnerability.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of any of the vulnerabilities described in this advisory.

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

This vulnerability was discovered during the resolution of a customer
service request.

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

CSCsy91157 was discovered during internal testing. CSCtc96018 was
discovered during the resolution of customer service requests.

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

This vulnerability was discovered during the resolution of customer
service requests.

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

This vulnerability was discovered during the resolution of customer
service requests.

Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

This vulnerability was discovered during internal testing.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

This vulnerability was discovered during the resolution of customer
service requests.

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

This vulnerability was discovered during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM
THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE
OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2010-February-17 | Initial public release.  |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2010 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Feb 17, 2010                               Document ID: 111485

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkt8GTYACgkQ86n/Gc8U/uBi6QCfYFKvAUdFrRvusqKoaFmMwfcH
XOYAnRymbNOcRg5gmPFMO/zqgm2wOyKQ
=JUg3
-----END PGP SIGNATURE-----

From psirt at cisco.com  Wed Feb 17 11:51:25 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 17 Feb 2010 11:51:25 -0500
Subject: [c-nsp] Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
Message-ID: <201002171200.fwsm@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Firewall Services Module Skinny Client
Control Protocol Inspection Denial of Service Vulnerability

Advisory ID: cisco-sa-20100217-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM)
for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series
Routers that may cause the Cisco FWSM to reload after processing a
malformed Skinny Client Control Protocol (SCCP) message. The
vulnerability exists when SCCP inspection is enabled.

Cisco has released free software updates that address this
vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

All non-fixed 4.x versions of Cisco FWSM Software are affected by this
vulnerability if SCCP inspection is enabled. SCCP inspection is
enabled by default.
To check if SCCP inspection is enabled, issue the "show service-policy | include skinny" command and confirm that the command returns output. Example output follows:

    fwsm#show service-policy | include skinny
          Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

To determine the version of Cisco FWSM Software that is running, issue the "show module" command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub-modules are installed on the system. The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2:

    switch>show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
      3  0014.a90c.9956 to 0014.a90c.995d   5.0   7.2(1)       5.1(6)E1     Ok
      4  0014.a90c.66e6 to 0014.a90c.66ed   1.7   4.2(3)                    Ok
      5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(18)SXF1 Ok
    [...]

After locating the correct slot, issue the "show module <slot>" command to identify the software version that is running. Example output follows:

    switch>show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
    [...]

The preceding example shows that the FWSM is running software version 3.2(2)10, as indicated by the column under "Sw."

Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the "show module" command; therefore, executing the "show module <slot>" command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the "show module switch all" command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command will be similar to the output from "show module <slot>" but will include module information for the modules in each switch in the VSS.

Alternatively, version information can be obtained directly from the FWSM through the "show version" command. Example output follows:

    FWSM> show version

    FWSM Firewall Version 3.2(2)10
    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following example:

    FWSM Version: 3.2(2)10

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco ASA 5500 Series Adaptive Security Appliances are affected by the vulnerability in this advisory. A separate Cisco Security Advisory has been published to disclose this and other vulnerabilities that affect the Cisco ASA 5500 Series Adaptive Security Appliances.
The advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml

With the exception of Cisco ASA 5500 Series Adaptive Security Appliances, no other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection.

The Cisco FWSM is affected by a vulnerability that may cause the device to reload during the processing of a malformed SCCP message when SCCP inspection is enabled. This vulnerability is only triggered by transit traffic; traffic that is destined to the device does not trigger this vulnerability.

This issue is documented in Cisco bug ID CSCtb60485 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0151.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtb60485 ("Traceback in 'skinny' Thread with Skinny Inspection Enabled")

CVSS Base Score - 7.8
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - None
    Availability Impact     - Complete

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

Impact
======

Successful exploitation of this vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Each row of the Cisco FWSM Software table below describes a major Cisco FWSM Software train and the earliest possible release within that train that contains the fix (the "First Fixed Release") and the anticipated date of availability (if not currently available) in the "First Fixed Release" column. A device running a release that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable.
The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

    +---------------------------------------+
    | Major Release  | First Fixed Release  |
    |----------------+----------------------|
    | 3.1            | Not affected         |
    |----------------+----------------------|
    | 3.2            | Not affected         |
    |----------------+----------------------|
    | 4.0            | 4.0(8)               |
    +---------------------------------------+

Fixed Cisco FWSM Software can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/web/download/index.html and navigating to "Security > Cisco Catalyst 6500 Series Firewall Services Module > Firewall Services Module (FWSM) Software".

Workarounds
===========

If SCCP inspection is not required, this vulnerability can be mitigated by disabling it. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration sub-mode within the policy map configuration.

If SCCP inspection is required, there are no workarounds.

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.
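The advisory's exposure test has two parts: the FWSM runs a 4.x release below the first fixed 4.0(8), and SCCP inspection is enabled. Both can be applied offline to captured CLI output, which is useful when the check has to run across many chassis. The script below is an added example written for this page, not Cisco tooling or code from the advisory. The "show module" and "show service-policy" samples in it are constructed, modelled on the output shown earlier in the advisory, with the slot-2 release changed to an assumed 4.0(6) so the vulnerable path is exercised. The FIRST_FIXED table is taken from the advisory; a train outside the three it lists is reported as unlisted rather than guessed at.

```python
"""Offline exposure check for cisco-sa-20100217-fwsm.

Added example, not Cisco's code. It applies the advisory's two conditions
(a release below the first fixed release for its train, and SCCP
inspection enabled) to captured CLI output. The CLI samples below are
constructed, modelled on the advisory's output, with slot 2 set to an
assumed 4.0(6) so that the vulnerable verdict is exercised.
"""
import re

# First fixed release per train, from the advisory's table (None = not affected).
FIRST_FIXED = {"3.1": None, "3.2": None, "4.0": "4.0(8)"}

# FWSM releases look like 4.0(8) or 3.2(2)10; trailing digits are an interim build.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")


def parse_version(text):
    """Return (major, minor, maintenance, interim) so releases compare as tuples.
    '3.2(2)10' sorts after '3.2(2)' because the interim build is a later rebuild."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FWSM version found in {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else 0)


def fwsm_versions_from_show_module(output):
    """Follow the advisory's 'show module' procedure: find the slots holding a
    Firewall Module (WS-SVC-FWM-*), then read the Sw column for those slots from
    the MAC-address table ('<slot> <mac> to <mac> <Hw> <Fw> <Sw> <Status>')."""
    slots = set()
    versions = {}
    for line in output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit() and "WS-SVC-FWM" in line:
            slots.add(fields[0])
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[0] in slots and fields[2] == "to":
            versions[int(fields[0])] = fields[6]
    return versions


def sccp_inspection_enabled(service_policy_output):
    """True if 'show service-policy | include skinny' returned an Inspect line."""
    return any(re.search(r"Inspect:\s*skinny", line)
               for line in service_policy_output.splitlines())


def release_state(version_text):
    """Classify a release against the fixed-release table."""
    v = parse_version(version_text)
    train = f"{v[0]}.{v[1]}"
    if train not in FIRST_FIXED:
        return "unlisted train, consult the advisory"
    if FIRST_FIXED[train] is None:
        return "not affected"
    return "fixed" if v >= parse_version(FIRST_FIXED[train]) else "affected"


def assess(version_text, service_policy_output):
    """Combine release state and SCCP inspection into the advisory's verdict."""
    v = parse_version(version_text)
    state = release_state(version_text)
    skinny = sccp_inspection_enabled(service_policy_output)
    if state == "affected" and skinny:
        fixed = FIRST_FIXED[f"{v[0]}.{v[1]}"]
        verdict = (f"VULNERABLE: upgrade to {fixed} or later, or apply "
                   "'no inspect skinny' if SCCP inspection is not required")
    elif state == "affected":
        verdict = "affected release but SCCP inspection is disabled; upgrade before re-enabling it"
    else:
        verdict = f"release {state}"
    return {"release": state, "sccp_inspection": skinny, "verdict": verdict}


# Constructed samples (not captured from a real device).
SAMPLE_SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
  2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       4.0(6)       Ok
"""
SAMPLE_SERVICE_POLICY = "      Inspect: skinny , packet 0, drop 0, reset-drop 0\n"

if __name__ == "__main__":
    for slot, sw in fwsm_versions_from_show_module(SAMPLE_SHOW_MODULE).items():
        print(f"slot {slot}: FWSM {sw}: {assess(sw, SAMPLE_SERVICE_POLICY)['verdict']}")
```

Feed it the real "show module" text from the supervisor and the "show service-policy | include skinny" text from the FWSM context (every context, on a multi-context module); the version tuple comparison is what lets 4.0(8)1 be recognised as fixed while 4.0(7) is not.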
Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. 
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered during the resolution of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. 
Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2010-February-17 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2010 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 17, 2010 Document ID: 111553 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkt8HcEACgkQ86n/Gc8U/uAt9ACfeg3ofsbaZw8dqiX9pZFit0+4 WJcAnRFpRBRrWxegerkKeCPXESTSRpdZ =RifX -----END PGP SIGNATURE----- From linux.yahoo at gmail.com Wed Feb 17 12:06:00 2010 From: linux.yahoo at gmail.com (Manu Chao) Date: Wed, 17 Feb 2010 18:06:00 +0100 Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600 In-Reply-To: <257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com> References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com> <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com> <4B7BB169.1090306@forthnet.gr> <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com> <257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com> Message-ID: <7100ed371002170906x38f34ea4t36f5cf0d77a4fe83@mail.gmail.com> Hello, It is just a config problem on your J CE1: You needn't flexible-vlan-tagging (nor 
flexible-ethernet-services encapsulation) R/ Manu On Wed, Feb 17, 2010 at 5:01 PM, Ioan Branet wrote: > Hello, > > I tried with Cisco 7600 as CE instead of Juniper and it works, I have to > find out what is wrong there. > > Thank you for your help, > Regards, > John > > ---------- Forwarded message ---------- > From: Ioan Branet > Date: Wed, Feb 17, 2010 at 11:44 AM > Subject: Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface > between two 7600 > To: Tassos Chatzithomaoglou > Cc: cisco-nsp at puck.nether.net > > > Hello, > > Maybe there is a bug with SRB IOS. > I still have VC up on both ends but I cant ping between CE1 and CE2. > > On CE1 (Juniper side) I learn arp address of remote CE2 device and receive > arp request and send arp reply: > > > show arp no-resolve | match xe-3/1/0 > 00:16:9c:6d:42:80 150.1.1.1 xe-3/1/0.999 none > > > Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22 > Device Media Type Extension TLV #3, length 1, value: Ethernet (1) > Logical Interface Encapsulation Extension TLV #6, length 1, value: > Ethernet (14) > Device Interface Index Extension TLV #1, length 2, value: 193 > Logical Interface Index Extension TLV #4, length 4, value: 126 > Logical Unit Number Extension TLV #5, length 4, value: 32767 > -----original packet----- > 0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length 64: > vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1 > 11:34:01.878596 Out > Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22 > Device Media Type Extension TLV #3, length 1, value: Ethernet (1) > Logical Interface Encapsulation Extension TLV #6, length 1, value: > Ethernet (14) > Device Interface Index Extension TLV #1, length 2, value: 193 > Logical Interface Index Extension TLV #4, length 4, value: 126 > Logical Unit Number Extension TLV #5, length 4, value: 32767 > -----original packet----- > 0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100), > length 46: vlan 999, p 0, ethertype 
ARP, arp reply 150.1.1.2 is-at > 0:21:59:a7:c4:30. > > The issue is that I can't upgrade to SRD IOS. > > thank you, > John > > > > On Wed, Feb 17, 2010 at 11:05 AM, Tassos Chatzithomaoglou < > achatz at forthnet.gr> wrote: > > > I'm running EoMPLS between 10GE subif and 1GE subif without any problem. > > > > 7600-a>sh mpls l2 vc 3601 > > > > Local intf Local circuit Dest address VC ID > Status > > ------------- -------------------------- --------------- ---------- > > ---------- > > Gi4/20.3601 Eth VLAN 3601 x.x.x.x 3601 UP > > > > > > 7600-b>sh mpls l2 vc 3601 > > > > Local intf Local circuit Dest address VC ID > Status > > ------------- -------------------------- --------------- ---------- > > ---------- > > Te3/2.3601 Eth VLAN 3601 x.x.x.x 3601 UP > > > > > > Both 7600s are running SRD3. > > > > -- > > Tassos > > > > Ioan Branet wrote on 17/02/2010 10:49: > > > >> Hello, > >> > >> We run EOMPLS on port and vlan mode on GE interfaces but we did not run > >> EOMPLS Vlan mode between 10G and 1G subinterfaces until now. > >> > >> Any feedback is appreciated. > >> Thank you, > >> John > >> > >> On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson >> >wrote: > >> > >> > >> > >>> On Wed, 17 Feb 2010, Ioan Branet wrote: > >>> > >>> You should answer to the list, answering just to me doesn't make much > >>> sense. > >>> > >>> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't > >>> remember), or go SRD3 or later. > >>> > >>> > >>> Hello, > >>> > >>> > >>>> We are running on both PEs the following: > >>>> sh ver | i IOS > >>>> Cisco IOS Software, c7600s72033_rp Software > >>>> (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE > >>>> SOFTWARE > >>>> (fc3) > >>>> > >>>> 10G card on PE1 is: > >>>> show module 7 > >>>> Mod Ports Card Type Model > >>>> Serial > >>>> No. 
> >>>> --- ----- -------------------------------------- ------------------ > >>>> ----------- > >>>> 7 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE > >>>> SAL1337YN4W > >>>> > >>>> and 1G on PE2 is: > >>>> > >>>> > >>>> ro-sv01a-rd2#show module 2 > >>>> Mod Ports Card Type Model > >>>> Serial > >>>> No. > >>>> --- ----- -------------------------------------- ------------------ > >>>> ----------- > >>>> 2 24 CEF720 24 port 1000mb SFP WS-X6724-SFP > >>>> SAL1005CBXG > >>>> > >>>> Mod MAC addresses Hw Fw Sw > >>>> Status > >>>> --- ---------------------------------- ------ ------------ > ------------ > >>>> ------- > >>>> 2 0016.c8c4.fc10 to 0016.c8c4.fc27 2.3 12.2(14r)S5 12.2(33)SRB4 > >>>> Ok > >>>> > >>>> Mod Sub-Module Model Serial Hw > >>>> Status > >>>> ---- --------------------------- ------------------ ----------- > ------- > >>>> ------- > >>>> 2 Centralized Forwarding Card WS-F6700-CFC SAL1014J60S 2.0 > >>>> Ok > >>>> > >>>> Mod Online Diag Status > >>>> ---- ------------------- > >>>> 2 Pass > >>>> > >>>> Thank you, > >>>> John > >>>> > >>>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson < > swmike at swm.pp.se > >>>> > >>>> > >>>>> wrote: > >>>>> > >>>>> > >>>> On Wed, 17 Feb 2010, Ioan Branet wrote: > >>>> > >>>> > >>>>> GE interface between two 7600 as PE. > >>>>> > >>>>> > >>>>> > >>>>>> > >>>>>> > >>>>> You forgot to include what software you're running. 
> >>>>> > >>>>> -- > >>>>> Mikael Abrahamsson email: swmike at swm.pp.se > >>>>> > >>>>> > >>>>> > >>>>> > >>>> -- > >>> Mikael Abrahamsson email: swmike at swm.pp.se > >>> > >>> > >>> > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > >> > >> > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From avayner at cisco.com Wed Feb 17 13:02:43 2010 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Wed, 17 Feb 2010 19:02:43 +0100 Subject: [c-nsp] VLAN Tagging/Untagging overhead In-Reply-To: <79167dd71002162033o2c338b7fle66b9f9d381395fa@mail.gmail.com> References: <79167dd71002162033o2c338b7fle66b9f9d381395fa@mail.gmail.com> Message-ID: Kris, There should not be a big impact as if you are doing CEF switching the layer 2 adjacency header is pre-computed and is just reused. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kris Amy Sent: Wednesday, February 17, 2010 06:33 To: cisco-nsp Subject: [c-nsp] VLAN Tagging/Untagging overhead Hi All, Is there any cpu impact by packets being de/encapsulated onto a VLAN rather than going as native on a software based platform (7200/7300)? If so would this be a big impact at 50k pps? 
Regards,
Kris
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From lists.james.edwards at gmail.com Wed Feb 17 13:19:31 2010
From: lists.james.edwards at gmail.com (james edwards)
Date: Wed, 17 Feb 2010 11:19:31 -0700
Subject: [c-nsp] Renumbering serial interfaces
Message-ID:

I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have always done this with 2 people, one on each end. Is it possible for one person to do this, from one end?
If I am on the near side, I log into the far side's serial IP and do this:

    LALMR_2620(config)#interface ATM0/0.32 point-to-point
    LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
    LALMR_2620(config-subif)#^Z

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From deadheadblues at gmail.com Wed Feb 17 13:21:53 2010
From: deadheadblues at gmail.com (B)
Date: Wed, 17 Feb 2010 11:21:53 -0700
Subject: [c-nsp] ASA - Monitor an IPSEC Tunnel via SNMP
Message-ID: <6de7e5461002171021j44d7dba1n37353ab374bfef69@mail.gmail.com>

What's the best way to monitor an IPSec tunnel via SNMP on an ASA (v8)? I just want to know if it is up or down. I did an snmpwalk but can't find anything related to the tunnels.

From paul at paulstewart.org Wed Feb 17 13:25:27 2010
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 17 Feb 2010 13:25:27 -0500
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To:
References:
Message-ID: <001f01caaffe$93eeb890$bbcc29b0$@org>

Test this ahead of time with a lab box if you can ;)

What I've done in these scenarios is to build the snippets of config I need to apply and put them into a plain text file. Then do a "copy tftp://blahblah/filename running-config" which merges the changes.
Before I do the copy I do a "reload in 15" in case it fails so that I know I can get back into the box in 15 minutes.... YMMV... Please test this though as I haven't done it in a while but did work for my needs at the time... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of james edwards Sent: Wednesday, February 17, 2010 1:20 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Renumbering serial interfaces I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have always done this with 2 people, one on each end. Is it possible for one person to do this, from one end ? If I am on the near side, I log into the far sides serial IP and do this: LALMR_2620(config)#interface ATM0/0.32 point-to-point LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252 LALMR_2620(config-subif)#^Z -- James H. Edwards Senior Network Systems Administrator Judicial Information Division jedwards at nmcourts.gov _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From thirdfrl.nsp at gmail.com Wed Feb 17 13:35:21 2010 From: thirdfrl.nsp at gmail.com (Ryan Lambert) Date: Wed, 17 Feb 2010 13:35:21 -0500 Subject: [c-nsp] Renumbering serial interfaces In-Reply-To: References: Message-ID: <56665ca71002171035x21afc6cchd1caf9049c873e53@mail.gmail.com> You can renumber serial links with one person. Standard disclaimer of paying attention to detail, being careful, etc. If you can tolerate a few minutes downtime worst-case (which, I'm making the assumption this is being done in a window that can), you can also use the 'reload in x' command, where x = minutes. If you botch it and cannot get back in, the device will reload with the saved startup configuration (ie: not with your most current changes). You can roll back the near side and be back up. 
If all changes are successful, don't forget to reload cancel and write your changes. Obviously there are some other things you probably need to consider like routing protocol adjacencies, or static default routes... so telnet/ssh'ing in from a directly connected interface may be necessary depending on the setup. The only time something like this is a bit more tricky is when multiple changes are required (encapsulation, etc.) HTH, -Ryan On Wed, Feb 17, 2010 at 1:19 PM, james edwards < lists.james.edwards at gmail.com> wrote: > I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have > always done this with 2 people, one on each end. Is it possible for one > person to do this, from one end ? > If I am on the near side, I log into the far sides serial IP and do this: > > LALMR_2620(config)#interface ATM0/0.32 point-to-point > LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252 > LALMR_2620(config-subif)#^Z > > > -- > James H. Edwards > Senior Network Systems Administrator > Judicial Information Division > jedwards at nmcourts.gov > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rwest at zyedge.com Wed Feb 17 14:22:37 2010 From: rwest at zyedge.com (Ryan West) Date: Wed, 17 Feb 2010 19:22:37 +0000 Subject: [c-nsp] ASA - Monitor an IPSEC Tunnel via SNMP In-Reply-To: <6de7e5461002171021j44d7dba1n37353ab374bfef69@mail.gmail.com> References: <6de7e5461002171021j44d7dba1n37353ab374bfef69@mail.gmail.com> Message-ID: <5DC4853C6CC3EE4788779E0726E034DD10B43C@zy-ex1.zyedge.local> B, > -----Original Message----- > Sent: Wednesday, February 17, 2010 1:22 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ASA - Monitor an IPSEC Tunnel via SNMP > > What's the best way to monitor an IPSec tunnel via SNMP on an ASA (v8)? > I > just want to know if it is up or down. 
> I did an snmpwalk but can't find anything related to the tunnels. Check out this MIB, CISCO-IPSEC-FLOW-MONITOR-MIB. .1.3.6.1.4.1.9.9.171.1.3.1.1.0 will retrieve the number of active tunnels. .1.3.6.1.4.1.9.9.171.1.2.1.1.0 will retrieve the number of active IKE peers. -ryan From gert at greenie.muc.de Wed Feb 17 15:30:57 2010 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 17 Feb 2010 21:30:57 +0100 Subject: [c-nsp] Renumbering serial interfaces In-Reply-To: References: Message-ID: <20100217203057.GW9556@greenie.muc.de> Hi, On Wed, Feb 17, 2010 at 11:19:31AM -0700, james edwards wrote: > I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have > always done this with 2 people, one on each end. Is it possible for one > person to do this, from one end ? > If I am on the near side, I log into the far sides serial IP and do this: > > LALMR_2620(config)#interface ATM0/0.32 point-to-point > LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252 > LALMR_2620(config-subif)#^Z Should work. (At that point, the connection will lock up, and then you need to connect to the new address and continue) Always remember to put in "reload in 5" before you do anything that might lock you out, and "reload cancel" afterwards... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From nicholas.hatch at gmail.com Wed Feb 17 16:51:34 2010 From: nicholas.hatch at gmail.com (nick hatch) Date: Wed, 17 Feb 2010 13:51:34 -0800 Subject: [c-nsp] netiquette In-Reply-To: References: Message-ID: On Wed, Feb 17, 2010 at 2:54 AM, Mikael Abrahamsson wrote: > On Wed, 17 Feb 2010, Marco Regini wrote: > > Thanks. 
>> So if I post a question to cisco-nsp at puck.nether.net and tom at gmail.com
>> answer to me directly, I can't reply to the mailing list but only to tom?
>>
>> Even if the message is only about technical stuff?
>
> That is correct. Unless you KNOW for sure that Tom is ok with you posting
> his reply to the list, you shouldn't do it.

A good example of this is someone going out on a limb to provide information that isn't under NDA, but that their PR department might not want to see on a public list. I've asked questions before ("Anyone know why $FOO_COMPANY is doing this?") and received subtle but helpful answers that make the reply button seem like a dangerous weapon if used incorrectly.

... there tends to be a lot of trust in these parts.

-Nick

From ioan.branet at gmail.com Wed Feb 17 16:58:13 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 23:58:13 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <7100ed371002170906x38f34ea4t36f5cf0d77a4fe83@mail.gmail.com>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com> <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com> <4B7BB169.1090306@forthnet.gr> <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com> <257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com> <7100ed371002170906x38f34ea4t36f5cf0d77a4fe83@mail.gmail.com>
Message-ID: <257d19981002171358r79714ab5o461b1f01567b82a3@mail.gmail.com>

Hello,

I also used vlan-tagging, with the same result:

    show configuration interfaces xe-3/1/0
    description "** Link To PE1 **";
    vlan-tagging;
    link-mode full-duplex;
    gigether-options {
        no-auto-negotiation;
    }
    unit 999 {
        bandwidth 10g;
        vlan-id 999;
        family inet {
            accounting {
                source-class-usage {
                    input;
                }
            }
            no-redirects;
            sampling {
                input;
            }
            address 150.1.1.2/30 {
                primary;
                preferred;
            }
        }
    }

    #ping 150.1.1.2
    Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

On Wed, Feb 17, 2010 at 7:06 PM, Manu Chao wrote:

> Hello,
>
> It is just a config problem on your J CE1: You needn't
> flexible-vlan-tagging (nor flexible-ethernet-services encapsulation)
>
> R/
> Manu
> On Wed, Feb 17, 2010 at 5:01 PM, Ioan Branet wrote:
>
>> Hello,
>>
>> I tried with Cisco 7600 as CE instead of Juniper and it works, I have to
>> find out what is wrong there.
>>
>> Thank you for your help,
>> Regards,
>> John
>>
>> ---------- Forwarded message ----------
>> From: Ioan Branet
>> Date: Wed, Feb 17, 2010 at 11:44 AM
>> Subject: Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface
>> between two 7600
>> To: Tassos Chatzithomaoglou
>> Cc: cisco-nsp at puck.nether.net
>>
>>
>> Hello,
>>
>> Maybe there is a bug with SRB IOS.
>> I still have VC up on both ends but I can't ping between CE1 and CE2.
>>
>> On CE1 (Juniper side) I learn the arp address of the remote CE2 device and receive
>> arp requests and send arp replies:
>>
>>
>> show arp no-resolve | match xe-3/1/0
>> 00:16:9c:6d:42:80 150.1.1.1 xe-3/1/0.999 none
>>
>>
>> Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22
>>   Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
>>   Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
>>   Device Interface Index Extension TLV #1, length 2, value: 193
>>   Logical Interface Index Extension TLV #4, length 4, value: 126
>>   Logical Unit Number Extension TLV #5, length 4, value: 32767
>>   -----original packet-----
>>   0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length 64:
>>   vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1
>> 11:34:01.878596 Out
>> Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22
>>   Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
>>   Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
>>   Device Interface Index Extension TLV #1, length 2, value: 193
>>   Logical Interface Index Extension TLV #4, length 4, value: 126
>>   Logical Unit Number Extension TLV #5, length 4, value: 32767
>>   -----original packet-----
>>   0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100),
>>   length 46: vlan 999, p 0, ethertype ARP, arp reply 150.1.1.2 is-at
>>   0:21:59:a7:c4:30.
>>
>> The issue is that I can't upgrade to SRD IOS.
>>
>> thank you,
>> John
>>
>>
>>
>> On Wed, Feb 17, 2010 at 11:05 AM, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
>>
>> > I'm running EoMPLS between 10GE subif and 1GE subif without any problem.
>> >
>> > 7600-a>sh mpls l2 vc 3601
>> >
>> > Local intf     Local circuit              Dest address    VC ID      Status
>> > -------------  -------------------------- --------------- ---------- ----------
>> > Gi4/20.3601    Eth VLAN 3601              x.x.x.x         3601       UP
>> >
>> >
>> > 7600-b>sh mpls l2 vc 3601
>> >
>> > Local intf     Local circuit              Dest address    VC ID      Status
>> > -------------  -------------------------- --------------- ---------- ----------
>> > Te3/2.3601     Eth VLAN 3601              x.x.x.x         3601       UP
>> >
>> >
>> > Both 7600s are running SRD3.
>> >
>> > --
>> > Tassos
>> >
>> > Ioan Branet wrote on 17/02/2010 10:49:
>> >
>> >> Hello,
>> >>
>> >> We run EOMPLS in port and vlan mode on GE interfaces but we did not run
>> >> EOMPLS vlan mode between 10G and 1G subinterfaces until now.
>> >>
>> >> Any feedback is appreciated.
>> >> Thank you,
>> >> John
>> >>
>> >> On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson wrote:
>> >>
>> >>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>> >>>
>> >>> You should answer to the list, answering just to me doesn't make much
>> >>> sense.
>> >>>
>> >>> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't
>> >>> remember), or go SRD3 or later.
>> >>>
>> >>> Hello,
>> >>>
>> >>>> We are running on both PEs the following:
>> >>>> sh ver | i IOS
>> >>>> Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE SOFTWARE (fc3)
>> >>>>
>> >>>> 10G card on PE1 is:
>> >>>> show module 7
>> >>>> Mod Ports Card Type                              Model              Serial No.
>> >>>> --- ----- -------------------------------------- ------------------ -----------
>> >>>>   7     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL1337YN4W
>> >>>>
>> >>>> and 1G on PE2 is:
>> >>>>
>> >>>> ro-sv01a-rd2#show module 2
>> >>>> Mod Ports Card Type                              Model              Serial No.
>> >>>> --- ----- -------------------------------------- ------------------ -----------
>> >>>>   2    24 CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1005CBXG
>> >>>>
>> >>>> Mod MAC addresses                       Hw     Fw           Sw           Status
>> >>>> --- ---------------------------------- ------ ------------ ------------ -------
>> >>>>   2 0016.c8c4.fc10 to 0016.c8c4.fc27   2.3    12.2(14r)S5  12.2(33)SRB4 Ok
>> >>>>
>> >>>> Mod  Sub-Module                  Model              Serial      Hw      Status
>> >>>> ---- --------------------------- ------------------ ----------- ------- -------
>> >>>>   2  Centralized Forwarding Card WS-F6700-CFC       SAL1014J60S 2.0     Ok
>> >>>>
>> >>>> Mod  Online Diag Status
>> >>>> ---- -------------------
>> >>>>   2  Pass
>> >>>>
>> >>>> Thank you,
>> >>>> John
>> >>>>
>> >>>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
>> >>>>
>> >>>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>> >>>>
>> >>>>> GE interface between two 7600 as PE.
>> >>>>>
>> >>>>> You forgot to include what software you're running.
>> >>>>>
>> >>>>> --
>> >>>>> Mikael Abrahamsson email: swmike at swm.pp.se
>> >>>>>
>> >>>> --
>> >>> Mikael Abrahamsson email: swmike at swm.pp.se
>> >>>
>> >> _______________________________________________
>> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >>
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>

--
Ioan Branet
CCIE #23474 R&S

From b.turnbow at twt.it Thu Feb 18 03:22:07 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 18 Feb 2010 09:22:07 +0100
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To:
References:
Message-ID:

Besides the reload in xx that several have mentioned you can also put secondary IPs on the link
and then cancel the primary.

I.e.
interface ATM0/0.32 point-to-point
 ip add 2.2.2.2 255.255.255.252 secondary

Telnet/ssh to this address using source address 2.2.2.1
Then no ip add 1.1.1.1 255.255.255.252
The 2.2.2.2 address becomes the primary and you should not lose the management session.

Don't forget to cancel the reload....

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of james edwards
Sent: Wednesday, 17 February 2010 19.20
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Renumbering serial interfaces

I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have always done this with 2 people, one on each end.
Is it possible for one person to do this, from one end? If I am on the near side, I log into the far side's serial IP and do this:

LALMR_2620(config)#interface ATM0/0.32 point-to-point
LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
LALMR_2620(config-subif)#^Z

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From marco.regini at ascotlc.it Thu Feb 18 05:29:34 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Thu, 18 Feb 2010 11:29:34 +0100
Subject: [c-nsp] multicast on transit LAN
Message-ID:

Hi,

I made some progress on this topic, with the help of "ip igmp helper address".

At L3 my network lab is like this; the vlan/network between the 3560s and the 3750 is vlan 100.

Customers_cpe--Cisco3560-|
Customers_cpe--Cisco3560-|
Customers_cpe--Cisco3560-|
........................-|-----------Cisco3750---Core
Customers_cpe--Cisco3560-|

At L1 it is simply a daisy-chain on the gigabit interface with a trunk that carries only vlan100.

Well, "IGMP snooping, CGMP, RGMP" do not limit the multicast packets on vlan 100, I do not know why. Perhaps this is because all devices are routing and switching vlan 100: in the Cisco docs I see a dedicated L2-only switch connecting the customer CPEs and the provider router. But this is only a hypothesis, I need to capture some traffic to understand.

The workaround I have found is to put "ip igmp helper address 151.1.1.1" on the customer interface; in this way the multicast joins/leaves of the customer CPEs "are forwarded" by the 3560 to the Cisco3750.

This has 2 nice effects:
1) IGMP snooping starts working on Vlan100.
2) "show ip igmp groups" on the 4006 shows me the multicast group registrations on all the 3560s.

Questions:
Why do I need the "igmp helper address" hack?
Is any of you using "igmp helper address" in a production environment?

From tsands at rackspace.com Thu Feb 18 07:47:56 2010
From: tsands at rackspace.com (Tom Sands)
Date: Thu, 18 Feb 2010 06:47:56 -0600
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <4B730551.9070608@uk.clara.net> <940_1266239987_o1FDJg21030975_4B7949E9.1080601@rackspace.com>
Message-ID: <22291_1266497286_o1ICm14D024310_4B7D36FC.6090200@rackspace.com>

Andy B. wrote:
> On Mon, Feb 15, 2010 at 2:19 PM, Tom Sands wrote:
>> The 6704 looks like the biggest problem in this setup. We avoid them at all
>> cost.
>
>
> What would be your recommendation then? 6708?

Absolutely, while a 2:1 card the buffers are far greater. Also, depending on your use of it, having a DFC/DFCXL can be of great benefit.

>
> sidenote: I may have narrowed down the issue. There is a port-channel
> on te9/4 and te8/4. When I shut down one of these two interfaces, the
> box is becoming very responsive again:

I would be very interested in knowing if this problem is truly resolved and what the suspected problem/resolution was by breaking this port channel. Since these are 6704 cards they use CFCs vs DFCs, where a problem such as above would have made more sense if it were actually using DFCs and the ingress of the traffic was on the same line card as the egress of only one of the ports in the channel.
>
> BCS#sh etherchannel 66 detail
> Group state = L2
> Ports: 2 Maxports = 8
> Port-channels: 1 Max Port-channels = 1
> Protocol: PAgP
> Minimum Links: 0
> Ports in the group:
> -------------------
> Port: Te8/4
> ------------
>
> Port state = Down Not-in-Bndl
> Channel group = 66 Mode = Desirable-Sl Gcchange = 0
> Port-channel = null GC = 0x00000000 Pseudo port-channel = Po66
> Port index = 0 Load = 0x00 Protocol = PAgP
>
> Flags: S - Device is sending Slow hello. C - Device is in Consistent state.
> A - Device is in Auto mode. P - Device learns on physical port.
> d - PAgP is down.
> Timers: H - Hello timer is running. Q - Quit timer is running.
> S - Switching timer is running. I - Interface timer is running.
>
> Local information:
>                        Hello    Partner PAgP     Learning Group
> Port   Flags State   Timers Interval Count  Priority Method   Ifindex
> Te8/4  d     U1/S1          1s       0      128      Any      0
>
> Age of the port in the current state: 5d:11h:50m:10s
>
> Port: Te9/4
> ------------
>
> Port state = Up Mstr In-Bndl
> Channel group = 66 Mode = Desirable-Sl Gcchange = 0
> Port-channel = Po66 GC = 0x00420001 Pseudo port-channel = Po66
> Port index = 1 Load = 0xFF Protocol = PAgP
>
> Flags: S - Device is sending Slow hello. C - Device is in Consistent state.
> A - Device is in Auto mode. P - Device learns on physical port.
> d - PAgP is down.
> Timers: H - Hello timer is running. Q - Quit timer is running.
> S - Switching timer is running. I - Interface timer is running.
>
> Local information:
>                        Hello    Partner PAgP     Learning Group
> Port   Flags State   Timers Interval Count  Priority Method   Ifindex
> Te9/4  SC    U6/S7          30s      1      128      Any      122
>
> Partner's information:
>
>        Partner Partner        Partner Partner Group
> Port   Name    Device ID      Port    Age     Flags   Cap.
> Te9/4  XXXX    0021.a050.d600 Te4/2   18s     SC      420001
>
> Age of the port in the current state: 0d:00h:05m:49s
>
> Port-channels in the group:
> ----------------------
>
> Port-channel: Po66
> ------------
>
> Age of the Port-channel = 5d:11h:52m:22s
> Logical slot/port = 14/4 Number of ports = 1
> GC = 0x00420001 HotStandBy port = null
> Port state = Port-channel Ag-Inuse
> Protocol = PAgP
> Fast-switchover = disabled
> Load share deferral = disabled
>
> Ports in the Port-channel:
>
> Index  Load   Port         EC state           No of bits
> ------+------+------------+------------------+-----------
>   1     FF    Te9/4        Desirable-Sl       8
>
> Time since last port bundled: 0d:00h:05m:49s Te9/4
> Time since last port Un-bundled: 0d:00h:05m:06s Te8/4
>
> Last applied Hash Distribution Algorithm: Fixed
>
>
> This is while Te8/4 is shut down.
>
> The other end of the channel is also a 6509 box with 1x 6704.
>
>
> Andy
> .
>

Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace. Any dissemination, distribution or copying of the enclosed material is prohibited. If you receive this transmission in error, please notify us immediately by e-mail at abuse at rackspace.com, and delete the original message. Your cooperation is appreciated.

From steve at ibctech.ca Thu Feb 18 08:22:26 2010
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 18 Feb 2010 08:22:26 -0500
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To:
References:
Message-ID: <4B7D3F12.4000100@ibctech.ca>

On 2010.02.18 03:22, Brian Turnbow wrote:
> Besides the reload in xx that several have mentioned you can also put secondary IPs on the link
> and then cancel the primary.
>
> I.e.
> interface ATM0/0.32 point-to-point
>  ip add 2.2.2.2 255.255.255.252 secondary
>
> Telnet/ssh to this address using source address 2.2.2.1
> Then no ip add 1.1.1.1 255.255.255.252
> The 2.2.2.2 address becomes the primary and you should not lose the management session.

Does this work differently on a serial interface? On an fa int:

route-server1(config)#int lo75
route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
Must delete secondary before deleting primary

Steve

From jlewis at lewis.org Thu Feb 18 08:56:00 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 18 Feb 2010 08:56:00 -0500 (EST)
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To: <4B7D3F12.4000100@ibctech.ca>
References: <4B7D3F12.4000100@ibctech.ca>
Message-ID:

On Thu, 18 Feb 2010, Steve Bertrand wrote:

>> I.e.
>> interface ATM0/0.32 point-to-point
>>  ip add 2.2.2.2 255.255.255.252 secondary
>>
>> Telnet/ssh to this address using source address 2.2.2.1
>> Then no ip add 1.1.1.1 255.255.255.252
>> The 2.2.2.2 address becomes the primary and you should not lose the management session.
>
> Does this work differently on a serial interface? On an fa int:
>
> route-server1(config)#int lo75
> route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
> route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
> route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
>
> Must delete secondary before deleting primary

Instead of removing the primary IP of the interface, try just changing it. It'll let you do that. I've seen people break things by doing that by accident when they meant to add another secondary address.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From steve at ibctech.ca Thu Feb 18 08:58:56 2010
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 18 Feb 2010 08:58:56 -0500
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To:
References: <4B7D3F12.4000100@ibctech.ca>
Message-ID: <4B7D47A0.4090809@ibctech.ca>

On 2010.02.18 08:56, Jon Lewis wrote:
> On Thu, 18 Feb 2010, Steve Bertrand wrote:
>
>>> I.e.
>>> interface ATM0/0.32 point-to-point
>>>  ip add 2.2.2.2 255.255.255.252 secondary
>>>
>>> Telnet/ssh to this address using source address 2.2.2.1
>>> Then no ip add 1.1.1.1 255.255.255.252
>>> The 2.2.2.2 address becomes the primary and you should not lose the
>>> management session.
>>
>> Does this work differently on a serial interface? On an fa int:
>>
>> route-server1(config)#int lo75
>> route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
>> route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
>> route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
>>
>> Must delete secondary before deleting primary
>
> Instead of removing the primary IP of the interface, try just changing
> it. It'll let you do that. I've seen people break things by doing that
> by accident when they meant to add another secondary address.

I suppose that considering that this is a PtP link, the OP could apply an IPv6 address to each end, verify reachability, and temporarily remove all v4 addresses and still maintain a connection until the work is complete :)

...I'd still use the "reload in..." just to be safe though.
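The posts above describe three outcomes for the same renumbering job: "no ip address <primary>" being refused while a secondary exists, the plain "ip address <new> <mask>" overwriting the primary in place, and the accident Jon describes of overwriting the primary while logged in through it. The script below is an editor-added example, not something anyone in this thread posted: a dry-run model of those IOS address rules that walks a command plan and stops at the first command IOS would reject or the first step after which the address you are logged in through is gone from the interface. The "! session via X" marker line and the `safe_plan` helper are this example's own conventions, and "reload in" / "reload cancel" are passed through unmodelled.

```python
"""Dry-run model of the IOS primary/secondary address rules in this thread.

Editor-added example, not code from any message in the thread. It encodes the
two behaviours the posts report: IOS rejects "no ip address <primary>" while a
secondary is still configured ("Must delete secondary before deleting
primary"), and "ip address <new> <mask>" without the secondary keyword
replaces the primary in place. The check that matters is the session check:
the address you are logged in through must exist after every command, or the
next step is a drive to the far end. Only the long form "ip address" is
parsed (not "ip add"); "reload ..." lines are accepted but not modelled, and
the line "! session via X" records the moment you reconnect through X.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

IP_CMD = re.compile(
    r"^(?P<neg>no )?ip address (?P<addr>(?:\d{1,3}\.){3}\d{1,3}) "
    r"(?P<mask>(?:\d{1,3}\.){3}\d{1,3})(?P<sec> secondary)?$"
)


class CommandRejected(Exception):
    """IOS printed an error and left the configuration unchanged."""


@dataclass
class Interface:
    primary: Optional[str] = None
    secondaries: Set[str] = field(default_factory=set)

    def addresses(self) -> Set[str]:
        return ({self.primary} if self.primary else set()) | self.secondaries

    def apply(self, line: str) -> None:
        m = IP_CMD.match(line.strip())
        if not m:
            raise CommandRejected("not an 'ip address' command")
        addr, neg, sec = m["addr"], bool(m["neg"]), bool(m["sec"])
        if neg and sec:
            self.secondaries.discard(addr)
        elif neg:
            if addr != self.primary:
                raise CommandRejected(f"{addr} is not the primary address")
            if self.secondaries:
                raise CommandRejected("Must delete secondary before deleting primary")
            self.primary = None
        elif sec:
            if addr == self.primary:
                raise CommandRejected(f"{addr} is already the primary address")
            self.secondaries.add(addr)
        else:
            # Plain "ip address X M" overwrites the primary. If X was a
            # secondary it is promoted, which is the sequence Johan posted.
            self.secondaries.discard(addr)
            self.primary = addr


def dry_run(plan: List[str], session_addr: str,
            intf: Optional[Interface] = None) -> Tuple[bool, List[str]]:
    """Walk the plan against intf; return (ok, log). Stops at the first
    rejected command or the first step that drops session_addr."""
    intf = intf if intf is not None else Interface()
    log: List[str] = []
    for raw in plan:
        line = raw.strip()
        if line.startswith("! session via "):
            session_addr = line.split()[-1]          # operator reconnected
        elif line.startswith("!") or line.startswith("reload"):
            pass                                     # comment / reload timer
        else:
            try:
                intf.apply(line)
            except CommandRejected as e:
                log.append(f"REJECTED {line!r}: {e}")
                return False, log
        if session_addr not in intf.addresses():
            log.append(f"LOST SESSION after {line!r}: "
                       f"interface has {sorted(intf.addresses())}")
            return False, log
        log.append(f"ok {line!r} -> primary={intf.primary} "
                   f"secondaries={sorted(intf.secondaries)}")
    return True, log


def safe_plan(new: str, mask: str, minutes: int = 10) -> List[str]:
    """The order that survives the thread's pitfalls: reload timer armed,
    new address as a secondary, reconnect through it, overwrite the
    primary, then cancel the timer."""
    return [
        f"reload in {minutes}",
        f"ip address {new} {mask} secondary",
        f"! session via {new}",
        f"ip address {new} {mask}",
        "reload cancel",
    ]


if __name__ == "__main__":
    for line in dry_run(safe_plan("2.2.2.2", "255.255.255.252"), "1.1.1.1",
                        Interface(primary="1.1.1.1"))[1]:
        print(line)
```

Run it against the original "add secondary, then no ip address <old>" plan and it stops with the same "Must delete secondary before deleting primary" message Steve saw; run the one-line overwrite while "logged in" through the old address and it reports the lost session before you find out the hard way. The `reload in` line is still the real safety net, since nothing here models the ATM or routing side of the change.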
Steve

From craig at askings.com.au Thu Feb 18 08:45:52 2010
From: craig at askings.com.au (craig at askings.com.au)
Date: Thu, 18 Feb 2010 23:45:52 +1000 (EST)
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To:
References:
Message-ID: <8ac323eb49ca5d37441d591e4d1d92c5.squirrel@smtp.askings.com.au>

> I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have
> always done this with 2 people, one on each end. Is it possible for one
> person to do this, from one end ?
> If I am on the near side, I log into the far sides serial IP and do this:
>

You could setup ipv6 between the two routers and ssh/telnet over that while you are changing the ipv4 settings.

Craig.

From b.turnbow at twt.it Thu Feb 18 09:32:50 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 18 Feb 2010 15:32:50 +0100
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To: <4B7D3F12.4000100@ibctech.ca>
References: <4B7D3F12.4000100@ibctech.ca>
Message-ID:

Sorry the last line should be
ip address 208.70.109.156 255.255.255.255
Making the secondary primary, and removing the primary.

I remember doing it with no ip address x.x.x.x.... but I just tried and it gives me the same error.
Too much lunch I think.

Brian

-----Original Message-----
From: Steve Bertrand [mailto:steve at ibctech.ca]
Sent: Thursday, 18 February 2010 14.22
To: Brian Turnbow
Cc: james edwards; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Renumbering serial interfaces

On 2010.02.18 03:22, Brian Turnbow wrote:
> Besides the reload in xx that several have mentioned you can also put secondary IPs on the link
> and then cancel the primary.
>
> I.e.
> interface ATM0/0.32 point-to-point
>  ip add 2.2.2.2 255.255.255.252 secondary
>
> Telnet/ssh to this address using source address 2.2.2.1
> Then no ip add 1.1.1.1 255.255.255.252
> The 2.2.2.2 address becomes the primary and you should not lose the management session.

Does this work differently on a serial interface?
On an fa int:

route-server1(config)#int lo75
route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
Must delete secondary before deleting primary

Steve

From jeff-kell at utc.edu Thu Feb 18 10:52:18 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu, 18 Feb 2010 10:52:18 -0500
Subject: [c-nsp] Small Catalysts with odd "no buffer" errors
Message-ID: <4B7D6232.4000109@utc.edu>

I have a 2950 switch we just provisioned to deploy, and in checking it out beforehand, have run into an unusual "no buffers" condition. I've seen this before but never been able to resolve what is causing it. See if this rings any bells...

Doctors-Temp#sho int f0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0007.8436.5041 (bia 0007.8436.5041)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 100BaseTX
  input flow-control is unsupported output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:08, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 10000 bits/sec, 13 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     36881 packets input, 3921937 bytes, *2443 no buffer*
     Received 33638 broadcasts (10590 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, *2443 ignored*
     0 watchdog, 10585 multicast, 0 pause input
     0 input packets with dribble condition detected
     15496 packets output, 1222739 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

There are no traditional buffer exceptions:

Doctors-Temp#show buffers
Buffer elements:
     499 in free list (500 max allowed)
     43707 hits, 0 misses, 0 created

Public buffer pools:
Small buffers, 104 bytes (total 60, permanent 25, peak 103 @ 01:33:34):
     60 in free list (20 min, 60 max allowed)
     19032 hits, 26 misses, 43 trims, 78 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 30, permanent 15, peak 36 @ 01:33:35):
     28 in free list (10 min, 30 max allowed)
     8082 hits, 7 misses, 6 trims, 21 created
     0 failures (0 no memory)
Big buffers, 1524 bytes (total 7, permanent 5, peak 7 @ 01:33:19):
     7 in free list (5 min, 10 max allowed)
     182 hits, 1 misses, 0 trims, 2 created
     0 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 2, permanent 0, peak 2 @ 00:44:36):
     2 in free list (0 min, 10 max allowed)
     143 hits, 1 misses, 0 trims, 2 created
     0 failures (0 no memory)
Large buffers, 5024 bytes (total 0, permanent 0):
     0 in free list (0 min, 5 max allowed)
     0 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
Huge buffers, 18024 bytes (total 0, permanent 0):
     0 in free list (0 min, 2 max allowed)
     0 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)

Interface buffer pools:
Calhoun Packet Receive Pool buffers, 1560 bytes (total 256, permanent 256):
     222 in free list (0 min, 256 max allowed)
     14323 hits, 0 misses

Controller reports no significant errors other than discards:

Doctors-Temp#show controller ethernet f0/1
     Transmit                            Receive
     1333345 Bytes                       4501690 Bytes
       17091 Frames                        42219 Frames
       10227 Multicast frames                  0 FCS errors
        1019 Broadcast frames              12253 Multicast frames
           0 Pause frames                  25775 Broadcast frames
           0 Single defer frames               0 Control frames
           0 Multiple defer frames             0 Pause frames
           0 1 collision frames                0 Unknown opcode frames
           0 2-15 collisions                   0 Alignment errors
           0 Late collisions                   0 Length out of range
           0 Excessive collisions              1 Symbol error frames
           0 Total collisions                  2 False carrier errors
           0 Control frames                    0 Valid frames, too small
           0 VLAN discard frames               0 Valid frames, too large
           0 Too old frames                    1 Invalid frames, too small
        8961 Tagged frames                     0 Invalid frames, too large
           0 Aborted Tx frames              2871 Discarded frames

     Transmit and Receive
       11113 Minimum size frames
       41525 65 to 127 byte frames
        3359 128 to 255 byte frames
        2951 256 to 511 byte frames
         269 512 to 1023 byte frames
          91 1024 to 1518 byte frames
           1 1519 to 1522 byte frames

If you do the commands quickly in succession, the "no buffer", "ignored", and "discarded frames" are about equal.

It's running the latest IOS for that platform (12.1(22)EA13) as are most of our other 2950s. I've also seen this on older 2924XLs (complaints of buffers / input discards), almost always on the uplink port.

Is this just a case of the "discard tagged traffic for which I have no destination" being reported as buffer errors, or something else entirely?

Jeff

From ogun at ogun.org Thu Feb 18 10:21:10 2010
From: ogun at ogun.org (Johan Grip)
Date: Thu, 18 Feb 2010 16:21:10 +0100
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To: <4B7D3F12.4000100@ibctech.ca>
References: <4B7D3F12.4000100@ibctech.ca>
Message-ID:

On Thu, 18 Feb 2010 14:22:26 +0100, Steve Bertrand wrote:
> On 2010.02.18 03:22, Brian Turnbow wrote:
>> Besides the reload in xx that several have mentioned you can also put
>> secondary IPs on the link
>> and then cancel the primary.
>>
>> I.e.
>> interface ATM0/0.32 point-to-point
>>  ip add 2.2.2.2 255.255.255.252 secondary
>>
>> Telnet/ssh to this address using source address 2.2.2.1
>> Then no ip add 1.1.1.1 255.255.255.252
>> The 2.2.2.2 address becomes the primary and you should not lose the
>> management session.
>
> Does this work differently on a serial interface?
> On an fa int:
>
> route-server1(config)#int lo75
> route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
> route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
> route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
>
> Must delete secondary before deleting primary
>
> Steve

This is how I usually do it.

---
Router#sh run int fa0/0
Building configuration...

Current configuration : 136 bytes
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0 secondary
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
end

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int fa0/0
Router(config-if)#ip add 2.2.2.2 255.255.255.0
Router(config-if)#^Z
Router#
Router#sh run int fa0/0
Building configuration...

Current configuration : 92 bytes
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
end

Router#
---

//Johan

From pdavis at i2k.com Thu Feb 18 12:06:15 2010
From: pdavis at i2k.com (Philip Davis)
Date: Thu, 18 Feb 2010 12:06:15 -0500
Subject: [c-nsp] CIR with Radius on PPP interfaces
Message-ID: <4B7D7387.1030604@i2k.com>

Hello,

Is there a way to do policing/cir/sla on a virtual PPP interface via radius, or am I asking the wrong question? I'm trying to set service levels on an LNS where the access layer doesn't support radius provisioning. Should I try to do this, or should service level always be dictated at the access level?

Thanks,
Phil

--
Philip Davis
Systems Administrator
I-2000 Inc.
(616) 532-8425
888-234-4254

From avayner at cisco.com Thu Feb 18 13:31:05 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 18 Feb 2010 19:31:05 +0100
Subject: [c-nsp] CIR with Radius on PPP interfaces
In-Reply-To: <4B7D7387.1030604@i2k.com>
References: <4B7D7387.1030604@i2k.com>
Message-ID:

Philip,

Take a look here:
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xi/feature/guide/123XIQoS.html

You can download a policy-map profile name from RADIUS for PPP sessions.

The policy-map in your case could only have a class-default class with a single action to police the traffic to the correct rate.

Note that you need to pre-configure the different policy-maps according to the different rates you want to use for your customer profiles...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Philip Davis
Sent: Thursday, February 18, 2010 19:06
To: cisco-nsp
Subject: [c-nsp] CIR with Radius on PPP interfaces

Hello,

Is there a way to do policing/cir/sla on a virtual PPP interface via radius, or am I asking the wrong question? I'm trying to set service levels on an LNS where the access layer doesn't support radius provisioning. Should I try to do this, or should service level always be dictated at the access level?

Thanks,
Phil

--
Philip Davis
Systems Administrator
I-2000 Inc.
(616) 532-8425
888-234-4254

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From lists at motorcitynet.com Thu Feb 18 14:44:39 2010
From: lists at motorcitynet.com (Mike)
Date: Thu, 18 Feb 2010 14:44:39 -0500
Subject: [c-nsp] Network-to-network connection - MPLS / non-MPLS
Message-ID: <50797b9b1002181144n2e5c801ar1d17df5b8bcc4070@mail.gmail.com>

What options are available for establishing network-to-network connections between an MPLS network and a native IP network that has no current MPLS capability?

The scenario I have is a single POP ISP (non-MPLS) that is desirous of establishing a connection to a larger MPLS-based ISP. The idea being the ability to sell circuits off the larger network's footprint and back-haul the traffic to the smaller network, thereby extending the physical reach of the smaller ISP.

I know this can be done using an IP aggregation type setup, but are there other options available, particularly something that would provide visibility at the lower layers for troubleshooting isolation purposes?

Thanks,

Mike

From moua0100 at umn.edu Thu Feb 18 14:50:06 2010
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 18 Feb 2010 13:50:06 -0600
Subject: [c-nsp] Network-to-network connection - MPLS / non-MPLS
In-Reply-To: <50797b9b1002181144n2e5c801ar1d17df5b8bcc4070@mail.gmail.com>
References: <50797b9b1002181144n2e5c801ar1d17df5b8bcc4070@mail.gmail.com>
Message-ID: <4B7D99EE.8050805@umn.edu>

* EoMPLS over GRE
* L2TPv3

--
Regards,
Ge Moua
Network Design Engineer
University of Minnesota | OIT - NTS
--

Mike wrote:
> What options are available for establishing network-to-network connections
> between an MPLS network and a native IP network that has no current MPLS
> capability?
>
> The scenario I have is a single POP ISP (non-MPLS) that is desirous of
> establishing a connection to a larger MPLS-based ISP.
> The idea being the
> ability to sell circuits off the larger network's footprint and back-haul the
> traffic to the smaller network, thereby extending the physical reach of the
> smaller ISP.
>
> I know this can be done using an IP aggregation type setup, but are there
> other options available, particularly something that would provide
> visibility at the lower layers for troubleshooting isolation purposes?
>
>
> Thanks,
>
> Mike
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From gert at greenie.muc.de Thu Feb 18 15:05:45 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 18 Feb 2010 21:05:45 +0100
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To: <4B7D47A0.4090809@ibctech.ca>
References: <4B7D3F12.4000100@ibctech.ca> <4B7D47A0.4090809@ibctech.ca>
Message-ID: <20100218200545.GE9556@greenie.muc.de>

Hi,

On Thu, Feb 18, 2010 at 08:58:56AM -0500, Steve Bertrand wrote:
> I suppose that considering that this is a PtP link, the OP could apply
> an IPv6 address to each end, verify reachability, and temporarily remove
> all v4 addresses and still maintain a connection until the work is
> complete :)

Haha, cool approach.

(But given that this is Cisco and ATM, chances are that IPv6 will not work in this specific combination of IOS + ATM setup + ATM hardware...)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL:

From linux.yahoo at gmail.com Thu Feb 18 15:09:36 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Thu, 18 Feb 2010 21:09:36 +0100
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <257d19981002171358r79714ab5o461b1f01567b82a3@mail.gmail.com>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com> <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com> <4B7BB169.1090306@forthnet.gr> <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com> <257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com> <7100ed371002170906x38f34ea4t36f5cf0d77a4fe83@mail.gmail.com> <257d19981002171358r79714ab5o461b1f01567b82a3@mail.gmail.com>
Message-ID: <7100ed371002181209r122f18c6yfd2bcf787fa45eba@mail.gmail.com>

switchport nonegotiate missing on the pe?

2010/2/17, Ioan Branet :
> Hello,
>
> I also used vlan-tagging but with the same result:
>
> show configuration interfaces xe-3/1/0
> description "** Link To PE1 **";
> vlan-tagging;
> link-mode full-duplex;
> gigether-options {
>     no-auto-negotiation;
> }
> unit 999 {
>     bandwidth 10g;
>     vlan-id 999;
>     family inet {
>         accounting {
>             source-class-usage {
>                 input;
>             }
>         }
>         no-redirects;
>         sampling {
>             input;
>         }
>         address 150.1.1.2/30 {
>             primary;
>             preferred;
>         }
>     }
> }
>
> #ping 150.1.1.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.1.1.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> On Wed, Feb 17, 2010 at 7:06 PM, Manu Chao wrote:
>
>> Hello,
>>
>> It is just a config problem on your J CE1: You needn't
>> flexible-vlan-tagging (nor flexible-ethernet-services encapsulation)
>>
>> R/
>> Manu
>> On Wed, Feb 17, 2010 at 5:01 PM, Ioan Branet wrote:
>>
>>> Hello,
>>>
>>> I tried with Cisco 7600 as CE instead of Juniper and it works, I have to
>>> find out what is wrong there.
>>>
>>> Thank you for your help,
>>> Regards,
>>> John
>>>
>>> ---------- Forwarded message ----------
>>> From: Ioan Branet
>>> Date: Wed, Feb 17, 2010 at 11:44 AM
>>> Subject: Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface
>>> between two 7600
>>> To: Tassos Chatzithomaoglou
>>> Cc: cisco-nsp at puck.nether.net
>>>
>>>
>>> Hello,
>>>
>>> Maybe there is a bug with SRB IOS.
>>> I still have VC up on both ends but I can't ping between CE1 and CE2.
>>>
>>> On CE1 (Juniper side) I learn the arp address of the remote CE2 device and
>>> receive an arp request and send an arp reply:
>>>
>>>
>>> show arp no-resolve | match xe-3/1/0
>>> 00:16:9c:6d:42:80 150.1.1.1      xe-3/1/0.999     none
>>>
>>>
>>> Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22
>>>   Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
>>>   Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
>>>   Device Interface Index Extension TLV #1, length 2, value: 193
>>>   Logical Interface Index Extension TLV #4, length 4, value: 126
>>>   Logical Unit Number Extension TLV #5, length 4, value: 32767
>>> -----original packet-----
>>> 0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length 64:
>>> vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1
>>> 11:34:01.878596 Out
>>> Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22
>>>   Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
>>>   Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
>>>   Device Interface Index Extension TLV #1, length 2, value: 193
>>>   Logical Interface Index Extension TLV #4, length 4, value: 126
>>>   Logical Unit Number Extension TLV #5, length 4, value: 32767
>>> -----original packet-----
>>> 0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100),
>>> length 46: vlan 999, p 0, ethertype ARP, arp reply 150.1.1.2 is-at
>>> 0:21:59:a7:c4:30.
>>>
>>> The issue is that I can't upgrade to SRD IOS.
>>>
>>> thank you,
>>> John
>>>
>>>
>>>
>>> On Wed, Feb 17, 2010 at 11:05 AM, Tassos Chatzithomaoglou <
>>> achatz at forthnet.gr> wrote:
>>>
>>> > I'm running EoMPLS between 10GE subif and 1GE subif without any
>>> > problem.
>>> >
>>> > 7600-a>sh mpls l2 vc 3601
>>> >
>>> > Local intf     Local circuit              Dest address    VC ID      Status
>>> > -------------  -------------------------- --------------- ---------- ----------
>>> > Gi4/20.3601    Eth VLAN 3601              x.x.x.x         3601       UP
>>> >
>>> >
>>> > 7600-b>sh mpls l2 vc 3601
>>> >
>>> > Local intf     Local circuit              Dest address    VC ID      Status
>>> > -------------  -------------------------- --------------- ---------- ----------
>>> > Te3/2.3601     Eth VLAN 3601              x.x.x.x         3601       UP
>>> >
>>> >
>>> > Both 7600s are running SRD3.
>>> >
>>> > --
>>> > Tassos
>>> >
>>> > Ioan Branet wrote on 17/02/2010 10:49:
>>> >
>>> >> Hello,
>>> >>
>>> >> We run EOMPLS on port and vlan mode on GE interfaces but we did not
>>> >> run EOMPLS Vlan mode between 10G and 1G subinterfaces until now.
>>> >>
>>> >> Any feedback is appreciated.
>>> >> Thank you,
>>> >> John
>>> >>
>>> >> On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson wrote:
>>> >>
>>> >>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>>> >>>
>>> >>> You should answer to the list, answering just to me doesn't make much
>>> >>> sense.
>>> >>>
>>> >>> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't
>>> >>> remember), or go SRD3 or later.
>>> >>>
>>> >>> Hello,
>>> >>>
>>> >>>> We are running on both PEs the following:
>>> >>>> sh ver | i IOS
>>> >>>> Cisco IOS Software, c7600s72033_rp Software
>>> >>>> (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE
>>> >>>> SOFTWARE (fc3)
>>> >>>>
>>> >>>> 10G card on PE1 is:
>>> >>>> show module 7
>>> >>>> Mod Ports Card Type                              Model              Serial No.
>>> >>>> --- ----- -------------------------------------- ------------------ -----------
>>> >>>>   7     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL1337YN4W
>>> >>>>
>>> >>>> and 1G on PE2 is:
>>> >>>>
>>> >>>> ro-sv01a-rd2#show module 2
>>> >>>> Mod Ports Card Type                              Model              Serial No.
>>> >>>> --- ----- -------------------------------------- ------------------ -----------
>>> >>>>   2    24 CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1005CBXG
>>> >>>>
>>> >>>> Mod MAC addresses                       Hw     Fw           Sw           Status
>>> >>>> --- ---------------------------------- ------ ------------ ------------ -------
>>> >>>>   2 0016.c8c4.fc10 to 0016.c8c4.fc27   2.3    12.2(14r)S5  12.2(33)SRB4 Ok
>>> >>>>
>>> >>>> Mod  Sub-Module                  Model              Serial      Hw      Status
>>> >>>> ---- --------------------------- ------------------ ----------- ------- -------
>>> >>>>   2  Centralized Forwarding Card WS-F6700-CFC       SAL1014J60S 2.0     Ok
>>> >>>>
>>> >>>> Mod  Online Diag Status
>>> >>>> ---- -------------------
>>> >>>>   2  Pass
>>> >>>>
>>> >>>> Thank you,
>>> >>>> John
>>> >>>>
>>> >>>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson <
>>> >>>> swmike at swm.pp.se> wrote:
>>> >>>>
>>> >>>>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>>> >>>>>
>>> >>>>>> GE interface between two 7600 as PE.
>>> >>>>>
>>> >>>>> You forgot to include what software you're running.
>>> >>>>>
>>> >>>>> --
>>> >>>>> Mikael Abrahamsson    email: swmike at swm.pp.se
>>> >>>
>>> >>> --
>>> >>> Mikael Abrahamsson    email: swmike at swm.pp.se
>>> >>
>>> >
>>>
>>
>

--
Ioan Branet
CCIE #23474 R&S

--
Sent from my mobile

From frnkblk at iname.com Thu Feb 18 17:30:52 2010
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Thu, 18 Feb 2010 16:30:52 -0600
Subject: [c-nsp] Missing BGP MIB support on Cisco 2621
Message-ID:

According to Cisco's MIB Locator, c2600-is4-mz.123-26.bin should have
CISCO-BGP4-MIB support, but when I try to walk that part of the tree
(1.3.6.1.4.1.9.9.187) in v1 or v2c that fails.

I'm using this router to do IPv6 tunneling, and the only routes exchanged
on this router are IPv6.

Anyone else see this? Or is there a special knob I need to turn that on?

Frank

From ww10ww10 at yahoo.com Thu Feb 18 22:08:44 2010
From: ww10ww10 at yahoo.com (Tom)
Date: Thu, 18 Feb 2010 19:08:44 -0800 (PST)
Subject: [c-nsp] BGP Event Process
Message-ID: <387779df-edea-466c-b874-5a5c457a773c@g11g2000yqe.googlegroups.com>

Hello,

Does anyone know what that BGP event process does? Can't seem to find
any references to it on cisco's website.
show processes | i BGP|PID
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
 211 ME  412D1F30     59728232  138200687     432 5484/9000   0 BGP Router
 213 ME  412CDAAC     11536972   56303999     204 4560/6000   0 BGP I/O
 269 Lsi 412CBC28    437391668    4077502  107271 7428/9000   0 BGP Scanner
 270 Mwe 41335F2C       110700        603  183582 4872/6000   0 BGP Event   <<<<<<<<<

Thank you.

From gk at ax.tc Thu Feb 18 23:09:23 2010
From: gk at ax.tc (Gerald Krause)
Date: Fri, 19 Feb 2010 05:09:23 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To: <4B582133.5030002@ax.tc>
References: <4B579590.6050506@ax.tc>
	<6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>
	<4B582133.5030002@ax.tc>
Message-ID: <4B7E0EF3.4060604@ax.tc>

On 21.01.2010 10:41, Gerald Krause wrote:
> On 21.01.2010 08:10, Oliver Boehmer (oboehmer) wrote:
...
>> you might want to look at the "Half-Duplex VRF" feature, which allows you to
>> build a hub & spoke VPN setup without having to put each "branch" on the
>> same PE into a different VRF. HD VRF will assign a different VRF for
>> upstream and downstream traffic, so packets entering the LNS from the
>> branch will only see the Hub routes, and not the other branches' routes.
>>
>> check out
>> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html
>
> Ok, that sounds interesting. I'll check the docs.

I have tried it now but I'm not able to get a user authenticated when
using the "downstream ..." configuration command to enable HDVRF.

My config on the LNS (7200/NPE-G2 with 12.2(33)SRD3) looks like this:

!
ip vrf VRFTEST
 rd 100:0
 route-target export 100:0
 route-target import 100:0
!
ip vrf VRFTEST-DOWN
 rd 102:0
 route-target export 102:0
!
interface Loopback102
 description VRFTEST
 ip vrf forwarding VRFTEST
 ip address 10.99.17.254 255.255.255.255
!
This is an excerpt from the RADIUS user profile for "cpe2-vrftest":

Cisco-AVPair += lcp:interface-config#1=ip verify unicast reverse-path
Cisco-AVPair += lcp:interface-config#2=ip vrf forwarding VRFTEST downstream VRFTEST-DOWN
Cisco-AVPair += lcp:interface-config#3=ip unnumbered Loopback102
Framed-IP-Address = 10.99.17.2
Framed-Protocol = PPP
Framed-Route = 10.98.2.0/24
Service-Type = Framed

I've got this error message when the authentication takes place:

%VPDN-3-NORESOURCE: L2TP LNS no resources for user cpe2-vrftest; Result 2, Error 4, SSS Manager disconnected session

When I remove the "downstream VRFTEST-DOWN" part from the Cisco-AVPair
the user authenticates fine and the session will be established. Can
someone point me in the right direction to solve this problem?

Gerald

From gk at ax.tc Fri Feb 19 00:43:04 2010
From: gk at ax.tc (Gerald Krause)
Date: Fri, 19 Feb 2010 06:43:04 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To: <4B7E0EF3.4060604@ax.tc>
References: <4B579590.6050506@ax.tc>
	<6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>
	<4B582133.5030002@ax.tc> <4B7E0EF3.4060604@ax.tc>
Message-ID: <4B7E24E8.1070008@ax.tc>

On 19.02.2010 05:09, Gerald Krause wrote:
...
> I've got this error message when the authentication takes place:
>
> %VPDN-3-NORESOURCE: L2TP LNS no resources for user cpe2-vrftest; Result
> 2, Error 4, SSS Manager disconnected session
>
> When I remove the "downstream VRFTEST-DOWN" part from the Cisco-AVPair
> the user authenticates fine and the session will be established. Can
> someone point me in the right direction to solve this problem?

Grrrr... maybe 12.2(33)SRD3 doesn't support HDVRF even though it's mentioned
that it should do so in the FN??? I just stumbled upon the fact this IOS
seems not to recognize the "downstream" keyword:

ROUTER(config-if)#vrf forwarding VRFTEST ?
Gerald

From oboehmer at cisco.com Fri Feb 19 01:54:54 2010
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 19 Feb 2010 07:54:54 +0100
Subject: [c-nsp] BGP Event Process
In-Reply-To: <387779df-edea-466c-b874-5a5c457a773c@g11g2000yqe.googlegroups.com>
References: <387779df-edea-466c-b874-5a5c457a773c@g11g2000yqe.googlegroups.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F013EB5BF@XMB-AMS-103.cisco.com>

>
> Hello,
> Does anyone know what that BGP event process does? Can't seem to find
> any references to it on cisco's website.
>

BGP event handles "critical" events like next-hop changes. why do you ask?

	oli

From matt at melbourne.org.uk Fri Feb 19 04:08:34 2010
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Fri, 19 Feb 2010 09:08:34 +0000
Subject: [c-nsp] Interface flaps affecting BGP and IS-IS
Message-ID:

Hi,

We have an edge router which connects to our upstream transit
provider over a 10Gbps interface. Recently, on a couple of occasions,
this interface has flapped resulting in BGP processes consuming ~100%
CPU (we are receiving a full table over this peering). Consequently,
when the CPU is pegged at ~100% we begin to lose IS-IS adjacencies. Is
there any way of mitigating against this kind of cause and effect
during periods of link instability - obviously the real fix is to get
the carrier to provide a stable link :-)

The 10G link terminates on a WS-X6704-10GE in a 7606, running 12.2(18)SXF7.

Cheers,

Matt

--
Matthew Melbourne

From michel.renfer at finecom.ch Fri Feb 19 05:07:17 2010
From: michel.renfer at finecom.ch (Michel Renfer)
Date: Fri, 19 Feb 2010 11:07:17 +0100
Subject: [c-nsp] Interface flaps affecting BGP and IS-IS
In-Reply-To:
References:
Message-ID: <7ABEE57B986BDA429B535673CBE0C623040E819D@xanthe.lan.intra>

Hi Matt

We see similar issues with 7604, SXF7 and iBGP flaps due to flapping eBGP
sessions. We're still searching for a solution and are also interested in
other comments on this...
cheers,
michel

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Melbourne
Sent: Friday, February 19, 2010 10:09 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Interface flaps affecting BGP and IS-IS

[...]

From perc69 at gmail.com Fri Feb 19 05:23:04 2010
From: perc69 at gmail.com (Per Carlson)
Date: Fri, 19 Feb 2010 11:23:04 +0100
Subject: [c-nsp] Interface flaps affecting BGP and IS-IS
In-Reply-To:
References:
Message-ID: <746ca6da1002190223s69f38f27sf9753701e54302de@mail.gmail.com>

Hi

> We have an edge router which connects to our upstream transit
> provider over a 10Gbps interface. Recently, on a couple of occasions,
> this interface has flapped resulting in BGP processes consuming ~100%
> CPU (we are receiving a full table over this peering). Consequently,
> when the CPU is pegged at ~100% we begin to lose IS-IS adjacencies.
> Is
> there any way of mitigating against this kind of cause and effect
> during periods of link instability - obviously the real fix is to get
> the carrier to provide a stable link :-)

Try enabling "dampening"
(http://www.cisco.com/en/US/docs/ios/iproute_pi/command/reference/iri_pi1.html#wp1011620)
on the interface.

--
Pelle

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

From gk at ax.tc Fri Feb 19 05:29:03 2010
From: gk at ax.tc (Gerald Krause)
Date: Fri, 19 Feb 2010 11:29:03 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To: <4B7E24E8.1070008@ax.tc>
References: <4B579590.6050506@ax.tc>
	<6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>
	<4B582133.5030002@ax.tc> <4B7E0EF3.4060604@ax.tc>
	<4B7E24E8.1070008@ax.tc>
Message-ID: <4B7E67EF.2030909@ax.tc>

On 19.02.2010 06:43, Gerald Krause wrote:
> Grrrr... maybe 12.2(33)SRD3 doesn't support HDVRF even though it's mentioned
> that it should do so in the FN??? I just stumbled upon the fact this IOS
> seems not to recognize the "downstream" keyword:
>
> ROUTER(config-if)#vrf forwarding VRFTEST ?
>

For the record: I was able to track this down with Oli (thx again!!).

1) In SRD3 the MPLS Half Duplex VRF (HDVRF) feature is (still?) hidden and
you must use "service internal" to activate it.

2) The RADIUS profile for PPP HDVRF sessions should look like this...
Cisco-avpair="ip:vrf-id=VRFTEST downstream VRFTEST-DOWN",
Cisco-avpair="ip:ip-unnumbered=Loopback102"

...and *not* like this as I tried it before:

Cisco-AVPair="lcp:interface-config#2=ip vrf forwarding VRFTEST downstream VRFTEST-DOWN"
Cisco-AVPair="lcp:interface-config#3=ip unnumbered Loopback102"

Cheers,
Gerald

From Jon.Harald.Bovre at hafslund.no Fri Feb 19 05:46:08 2010
From: Jon.Harald.Bovre at hafslund.no (Bøvre Jon Harald)
Date: Fri, 19 Feb 2010 11:46:08 +0100
Subject: [c-nsp] Interface flaps affecting BGP and IS-IS
In-Reply-To: <746ca6da1002190223s69f38f27sf9753701e54302de@mail.gmail.com>
Message-ID:

Increasing SPD or hold-queue might help
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00809d16f0.shtml#interfacein

Jon

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Per Carlson
Sent: 19 February 2010 11:23
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Interface flaps affecting BGP and IS-IS

[...]
From Robert.Smales at cw.com Fri Feb 19 06:01:46 2010
From: Robert.Smales at cw.com (Smales, Robert)
Date: Fri, 19 Feb 2010 11:01:46 -0000
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To:
Message-ID: <602ACF092EFFB044931BD8746C19AD2F0275E5FA@gbcwswiem006.ad.plc.cwintra.com>

Another option is to have a loopback address on the far end device with a
static route on the near end device pointing at the exit interface (not
the next-hop IP). That way you can telnet to the loopback address and
overwrite the interface address without breaking your telnet session.

Reload in 5 as a precaution, of course.

Robert

Robert Smales
Technical Engineer
Cable&Wireless Worldwide
www.cw.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Johan Grip
> Sent: 18 February 2010 15:21
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Renumbering serial interfaces
>
>
> On Thu, 18 Feb 2010 14:22:26 +0100, Steve Bertrand wrote:
>
> > On 2010.02.18 03:22, Brian Turnbow wrote:
> >> Besides the reload in xx that several have mentioned you can also put
> >> secondary IPs on the link
> >> And then cancel the primary.
> >>
> >> I.e.
> >> interface ATM0/0.32 point-to-point
> >>  ip add 2.2.2.2 255.255.255.252 secondary
> >>
> >> Telnet/ssh to this address using source address 2.2.2.1
> >> Then no ip add 1.1.1.1 255.255.255.252
> >> The 2.2.2.2 address becomes the primary and you should not lose the
> >> management session.
> >
> > Does this work differently on a serial interface?
> > On an fa int:
> >
> > route-server1(config)#int lo75
> > route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
> > route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
> > route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
> >
> > Must delete secondary before deleting primary
> >
> > Steve
>
> This is how I usually do it.
>
> ---
> Router#sh run int fa0/0
> Building configuration...
>
> Current configuration : 136 bytes
> !
> interface FastEthernet0/0
>  ip address 2.2.2.2 255.255.255.0 secondary
>  ip address 1.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
> end
>
> Router#conf t
> Enter configuration commands, one per line.  End with CNTL/Z.
> Router(config)#int fa0/0
> Router(config-if)#ip add 2.2.2.2 255.255.255.0
> Router(config-if)#^Z
> Router#
> Router#sh run int fa0/0
> Building configuration...
>
> Current configuration : 92 bytes
> !
> interface FastEthernet0/0
>  ip address 2.2.2.2 255.255.255.0
>  duplex auto
>  speed auto
> end
>
> Router#
> ---
>
> //Johan
From achatz at forthnet.gr Fri Feb 19 06:24:29 2010
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 19 Feb 2010 13:24:29 +0200
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To: <20100217203057.GW9556@greenie.muc.de>
References: <20100217203057.GW9556@greenie.muc.de>
Message-ID: <4B7E74ED.3020704@forthnet.gr>

Isn't configuration rollback supposed to bypass the "reload in 5" issue?

--
Tassos

Gert Doering wrote on 17/02/2010 22:30:
> Always remember to put in "reload in 5" before you do anything that might
> lock you out, and "reload cancel" afterwards...
>
> gert
>

From rens at autempspourmoi.be Fri Feb 19 06:09:48 2010
From: rens at autempspourmoi.be (Rens)
Date: Fri, 19 Feb 2010 12:09:48 +0100
Subject: [c-nsp] ASR 1002-F
Message-ID: <12470F60E7BB4189B956D965C8572447@EU.corp.clearwire.com>

Does the ASR 1002-F support L2TPv3?

I can't find it anywhere in the feature navigator.

Does anyone have experience with this?

Regards,

Rens

From chris at noodles.org.uk Fri Feb 19 07:15:14 2010
From: chris at noodles.org.uk (Chris Mason)
Date: Fri, 19 Feb 2010 12:15:14 +0000
Subject: [c-nsp] Inter-VRF OSPF Redistribution
Message-ID: <4B7E80D2.1090906@noodles.org.uk>

Hi,

Does anyone know whether it is possible to redistribute routes between
two different OSPF processes when they are associated with different VRFs?
I have the following setup on some routers running 12.4(15)T:

        +-----+        [VRF]        +----+
        | CPE +-[0/0]--------[0/0]-+ S1 |
        +--+--+   192.168.0.0/30   +----+
           |
         [0/1]
    172.16.10.0/24

On the CPE, interface 0/0 is contained within a vrf "VPN" and the
interface 0/1 is within the global table. I could place both interfaces
within different VRFs and use redistribution, but I need to maintain 0/1
within the global table and routing table separation between them.

Traffic from S1 needs to reach the LAN attached to 0/1 on the CPE. I
could use route leaking to global using a static for traffic from S1 to
the CPE LAN, but the problem arises with the return traffic. I don't know
the source address of the traffic, but it is advertised into OSPF from S1
(S1 is a roaming host which can connect to different CPE devices, and the
source address depends on which CPE S1 connects to).

To identify the source address (/32) I advertise the source from S1 with
an arbitrary tag in a Type 5 LSA. I then need a way to redistribute that
route into the global table for return traffic. I was hoping to use
something like this, but it is rejected when I attempt to do inter-vrf
redistribution:

----- @ CPE -----
router ospf 10
 redistribute ospf 20 vrf VPN subnets route-map OSPF20_to_OSPF10
!
route-map OSPF20_to_OSPF10
 match tag
!
router ospf 20 vrf VPN
 capability vrf-lite
 network 192.168.0.0 0.0.0.3 area 0
!

I get the following error:

%OSPF process 20 is attached to VRF VPN

Is there any way to get around this?
Thanks, Chris From ioan.branet at gmail.com Fri Feb 19 07:26:31 2010 From: ioan.branet at gmail.com (Ioan Branet) Date: Fri, 19 Feb 2010 14:26:31 +0200 Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600 In-Reply-To: <7100ed371002181209r122f18c6yfd2bcf787fa45eba@mail.gmail.com> References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com> <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com> <4B7BB169.1090306@forthnet.gr> <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com> <257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com> <7100ed371002170906x38f34ea4t36f5cf0d77a4fe83@mail.gmail.com> <257d19981002171358r79714ab5o461b1f01567b82a3@mail.gmail.com> <7100ed371002181209r122f18c6yfd2bcf787fa45eba@mail.gmail.com> Message-ID: <257d19981002190426x3d022b68ua369e25539ce2fd3@mail.gmail.com> Hello, I do not have x-connect interface attached as I can see: #show MPLS platform EoMPLS | include 7/3 # If I create an EOMPLS on a 6500 with 10G interface connected to the same Juniper it works ,i can ping between CE1 and CE2 so the problem seemd to be on the 7600. Thank you, John On Thu, Feb 18, 2010 at 10:09 PM, Manu Chao wrote: > switchport nonegociate missing on the pe? > > 2010/2/17, Ioan Branet : > > Hello, > > > > I used also vlan-tagging but with same result: > > > > show configuration interfaces xe-3/1/0 > > description "** Link To PE1 **"; > > vlan-tagging; > > link-mode full-duplex; > > gigether-options { > > no-auto-negotiation; > > } > > unit 999 { > > bandwidth 10g; > > vlan-id 999; > > family inet { > > accounting { > > source-class-usage { > > input; > > } > > } > > no-redirects; > > sampling { > > input; > > } > > address 150.1.1.2/30 { > > primary; > > preferred; > > } > > } > > } > > > > #ping 150.1.1.2 > > > > Type escape sequence to abort. > > Sending 5, 100-byte ICMP Echos to 150.1.1.2, timeout is 2 seconds: > > ..... 
> > Success rate is 0 percent (0/5) > > > > On Wed, Feb 17, 2010 at 7:06 PM, Manu Chao > wrote: > > > >> Hello, > >> > >> It is just a config problem on your J CE1: You needn't > >> flexible-vlan-tagging (nor flexible-ethernet-services encapsulation) > >> > >> R/ > >> Manu > >> On Wed, Feb 17, 2010 at 5:01 PM, Ioan Branet >wrote: > >> > >>> Hello, > >>> > >>> I tried with Cisco 7600 as CE instead of Juniper and it works, I have > to > >>> find out what is wrong there. > >>> > >>> Thank you for your help, > >>> Regards, > >>> John > >>> > >>> ---------- Forwarded message ---------- > >>> From: Ioan Branet > >>> Date: Wed, Feb 17, 2010 at 11:44 AM > >>> Subject: Re: [c-nsp] EOMPLS between 10G subinterface and GE > subinterface > >>> between two 7600 > >>> To: Tassos Chatzithomaoglou > >>> Cc: cisco-nsp at puck.nether.net > >>> > >>> > >>> Hello, > >>> > >>> Maybe there is a bug with SRB IOS. > >>> I still have VC up on both ends but I cant ping between CE1 and CE2. > >>> > >>> On CE1 (Juniper side) I learn arp address of remote CE2 device and > >>> receive > >>> arp request and send arp reply: > >>> > >>> > >>> show arp no-resolve | match xe-3/1/0 > >>> 00:16:9c:6d:42:80 150.1.1.1 xe-3/1/0.999 none > >>> > >>> > >>> Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22 > >>> Device Media Type Extension TLV #3, length 1, value: Ethernet > >>> (1) > >>> Logical Interface Encapsulation Extension TLV #6, length 1, > >>> value: > >>> Ethernet (14) > >>> Device Interface Index Extension TLV #1, length 2, value: 193 > >>> Logical Interface Index Extension TLV #4, length 4, value: 126 > >>> Logical Unit Number Extension TLV #5, length 4, value: 32767 > >>> -----original packet----- > >>> 0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length > >>> 64: > >>> vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1 > >>> 11:34:01.878596 Out > >>> Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22 > >>> Device Media Type Extension TLV #3, 
length 1, value: Ethernet > >>> (1) > >>> Logical Interface Encapsulation Extension TLV #6, length 1, > >>> value: > >>> Ethernet (14) > >>> Device Interface Index Extension TLV #1, length 2, value: 193 > >>> Logical Interface Index Extension TLV #4, length 4, value: 126 > >>> Logical Unit Number Extension TLV #5, length 4, value: 32767 > >>> -----original packet----- > >>> 0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100), > >>> length 46: vlan 999, p 0, ethertype ARP, arp reply 150.1.1.2 is-at > >>> 0:21:59:a7:c4:30. > >>> > >>> The issue is that I can't upgrade to SRD IOS. > >>> > >>> thank you, > >>> John > >>> > >>> > >>> > >>> On Wed, Feb 17, 2010 at 11:05 AM, Tassos Chatzithomaoglou < > >>> achatz at forthnet.gr> wrote: > >>> > >>> > I'm running EoMPLS between 10GE subif and 1GE subif without any > >>> > problem. > >>> > > >>> > 7600-a>sh mpls l2 vc 3601 > >>> > > >>> > Local intf Local circuit Dest address VC ID > >>> Status > >>> > ------------- -------------------------- --------------- ---------- > >>> > ---------- > >>> > Gi4/20.3601 Eth VLAN 3601 x.x.x.x 3601 > UP > >>> > > >>> > > >>> > 7600-b>sh mpls l2 vc 3601 > >>> > > >>> > Local intf Local circuit Dest address VC ID > >>> Status > >>> > ------------- -------------------------- --------------- ---------- > >>> > ---------- > >>> > Te3/2.3601 Eth VLAN 3601 x.x.x.x 3601 > UP > >>> > > >>> > > >>> > Both 7600s are running SRD3. > >>> > > >>> > -- > >>> > Tassos > >>> > > >>> > Ioan Branet wrote on 17/02/2010 10:49: > >>> > > >>> >> Hello, > >>> >> > >>> >> We run EOMPLS on port and vlan mode on GE interfaces but we did not > >>> >> run > >>> >> EOMPLS Vlan mode between 10G and 1G subinterfaces until now. > >>> >> > >>> >> Any feedback is appreciated. 
> >>> >> Thank you, > >>> >> John > >>> >> > >>> >> On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson < > swmike at swm.pp.se > >>> >> >wrote: > >>> >> > >>> >> > >>> >> > >>> >>> On Wed, 17 Feb 2010, Ioan Branet wrote: > >>> >>> > >>> >>> You should answer to the list, answering just to me doesn't make > much > >>> >>> sense. > >>> >>> > >>> >>> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't > >>> >>> remember), or go SRD3 or later. > >>> >>> > >>> >>> > >>> >>> Hello, > >>> >>> > >>> >>> > >>> >>>> We are running on both PEs the following: > >>> >>>> sh ver | i IOS > >>> >>>> Cisco IOS Software, c7600s72033_rp Software > >>> >>>> (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE > >>> >>>> SOFTWARE > >>> >>>> (fc3) > >>> >>>> > >>> >>>> 10G card on PE1 is: > >>> >>>> show module 7 > >>> >>>> Mod Ports Card Type Model > >>> >>>> Serial > >>> >>>> No. > >>> >>>> --- ----- -------------------------------------- > ------------------ > >>> >>>> ----------- > >>> >>>> 7 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE > >>> >>>> SAL1337YN4W > >>> >>>> > >>> >>>> and 1G on PE2 is: > >>> >>>> > >>> >>>> > >>> >>>> ro-sv01a-rd2#show module 2 > >>> >>>> Mod Ports Card Type Model > >>> >>>> Serial > >>> >>>> No. 
> >>> >>>> --- ----- -------------------------------------- > ------------------ > >>> >>>> ----------- > >>> >>>> 2 24 CEF720 24 port 1000mb SFP WS-X6724-SFP > >>> >>>> SAL1005CBXG > >>> >>>> > >>> >>>> Mod MAC addresses Hw Fw Sw > >>> >>>> Status > >>> >>>> --- ---------------------------------- ------ ------------ > >>> ------------ > >>> >>>> ------- > >>> >>>> 2 0016.c8c4.fc10 to 0016.c8c4.fc27 2.3 12.2(14r)S5 > >>> 12.2(33)SRB4 > >>> >>>> Ok > >>> >>>> > >>> >>>> Mod Sub-Module Model Serial > Hw > >>> >>>> Status > >>> >>>> ---- --------------------------- ------------------ ----------- > >>> ------- > >>> >>>> ------- > >>> >>>> 2 Centralized Forwarding Card WS-F6700-CFC SAL1014J60S > 2.0 > >>> >>>> Ok > >>> >>>> > >>> >>>> Mod Online Diag Status > >>> >>>> ---- ------------------- > >>> >>>> 2 Pass > >>> >>>> > >>> >>>> Thank you, > >>> >>>> John > >>> >>>> > >>> >>>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson < > >>> swmike at swm.pp.se > >>> >>>> > >>> >>>> > >>> >>>>> wrote: > >>> >>>>> > >>> >>>>> > >>> >>>> On Wed, 17 Feb 2010, Ioan Branet wrote: > >>> >>>> > >>> >>>> > >>> >>>>> GE interface between two 7600 as PE. > >>> >>>>> > >>> >>>>> > >>> >>>>> > >>> >>>>>> > >>> >>>>>> > >>> >>>>> You forgot to include what software you're running. 
> >>> >>>>>
> >>> >>>>> --
> >>> >>>>> Mikael Abrahamsson    email: swmike at swm.pp.se
> >>> >>>>>
> >>> >>>> --
> >>> >>> Mikael Abrahamsson    email: swmike at swm.pp.se
> >>> >>>
> >>> >> _______________________________________________
> >>> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>> >>
> >>> >
> >>>
> >>
> >
> --
>

From oboehmer at cisco.com Fri Feb 19 07:44:14 2010
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 19 Feb 2010 13:44:14 +0100
Subject: [c-nsp] Inter-VRF OSPF Redistribution
In-Reply-To: <4B7E80D2.1090906@noodles.org.uk>
References: <4B7E80D2.1090906@noodles.org.uk>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F013EB83A@XMB-AMS-103.cisco.com>

Chris,

> Does anyone know whether it is possible to redistribute routes between
> two different OSPF processes when they are associated with different VRFs?

you need to use BGP and route-target import/export to exchange routes
between the VRFs (even with vrf-lite). for example to import green
routes into red:

i.e.

ip vrf red
 rd 1:1
 route-target both 1:1
 route-target import 1:2
!
ip vrf green
 rd 1:2
 route-target both 1:2

router ospf 1 vrf red
 ..
router ospf 2 vrf green
 ..
!
router bgp 65000
 address-family ipv4 vrf green
  redistribute ospf 2 match internal external ..
!
you can use import/export maps to do a more granular import/export.

	oli

From chris at noodles.org.uk Fri Feb 19 07:47:42 2010
From: chris at noodles.org.uk (Chris Mason)
Date: Fri, 19 Feb 2010 12:47:42 +0000
Subject: [c-nsp] Inter-VRF OSPF Redistribution
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F013EB83A@XMB-AMS-103.cisco.com>
References: <4B7E80D2.1090906@noodles.org.uk> <6E4D2678AC543844917CA081C9D6B33F013EB83A@XMB-AMS-103.cisco.com>
Message-ID: <4B7E886E.8060004@noodles.org.uk>

Hi Oli,

> Chris,
>
>> Does anyone know whether it is possible to redistribute routes between
>> two different OSPF processes when they are associated with different
>> VRFs?
>
> you need to use BGP and route-target import/export to exchange routes
> between the VRFs (even with vrf-lite). for example to import green
> routes into red:
>
> i.e.
>
> ip vrf red
>  rd 1:1
>  route-target both 1:1
>  route-target import 1:2
> !
> ip vrf green
>  rd 1:2
>  route-target both 1:2
>
> router ospf 1 vrf red
>  ..
> router ospf 2 vrf green
>  ..
> !
> router bgp 65000
>  address-family ipv4 vrf green
>   redistribute ospf 2 match internal external ..
> !
>
> you can use import/export maps to do a more granular import/export.

That works fine if both interfaces are within VRFs, but one interface is
within a VRF and another is within the global table. The route within
the VRF needs to be leaked to the global table, but dynamically.
>
> 	oli

Chris

From oboehmer at cisco.com Fri Feb 19 07:50:50 2010
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 19 Feb 2010 13:50:50 +0100
Subject: [c-nsp] Inter-VRF OSPF Redistribution
In-Reply-To: <4B7E886E.8060004@noodles.org.uk>
References: <4B7E80D2.1090906@noodles.org.uk> <6E4D2678AC543844917CA081C9D6B33F013EB83A@XMB-AMS-103.cisco.com> <4B7E886E.8060004@noodles.org.uk>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F013EB846@XMB-AMS-103.cisco.com>

Chris,

> > you need to use BGP and route-target import/export to exchange routes
> > between the VRFs (even with vrf-lite). for example to import green
> > routes into red:
>
> That works fine if both interfaces are within VRFs, but one interface is
> within a VRF and another is within the global table. The route within
> the VRF needs to be leaked to the global table, but dynamically.

sorry, missed this one. Unfortunately, this is not possible :-(

You could move all global interfaces into "vrf global", but need to make
sure all services you use in global are vrf-aware in your version..

	oli

From chris at noodles.org.uk Fri Feb 19 07:54:48 2010
From: chris at noodles.org.uk (Chris Mason)
Date: Fri, 19 Feb 2010 12:54:48 +0000
Subject: [c-nsp] Inter-VRF OSPF Redistribution
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F013EB846@XMB-AMS-103.cisco.com>
References: <4B7E80D2.1090906@noodles.org.uk> <6E4D2678AC543844917CA081C9D6B33F013EB83A@XMB-AMS-103.cisco.com> <4B7E886E.8060004@noodles.org.uk> <6E4D2678AC543844917CA081C9D6B33F013EB846@XMB-AMS-103.cisco.com>
Message-ID: <4B7E8A18.1010008@noodles.org.uk>

Oli,

> sorry, missed this one. Unfortunately, this is not possible :-(
>
> You could move all global interfaces into "vrf global", but need to make
> sure all services you use in global are vrf-aware in your version..
>

That is the current solution that I am testing, which seems to work, but
makes it more difficult from an implementation aspect on a live site and
also from an operational aspect as people don't expect WAN interfaces to
be in VRFs that are normally within global!

Thanks!

From jmayer at loplof.de Fri Feb 19 07:54:07 2010
From: jmayer at loplof.de (Joerg Mayer)
Date: Fri, 19 Feb 2010 13:54:07 +0100
Subject: [c-nsp] Roadmap questions reqarding various IPv6 features
Message-ID: <20100219125407.GR14923@thot.informatik.uni-kl.de>

Hello,

as our SE has been unable to answer our questions regarding the IPv6
roadmap for 2960 and 3560 switches, maybe someone on this list can help
out.

The setup: Student Dormitory Network
- one IPv4 Address per apartment
- apartment==IPv4==Port
  Quota via Netflow(v9) from central device (option 82)
- no way for a user to use a different IPv4 than the assigned one (IPSG)
- no MAC-Addr registration
- Hardware:
  central aggregation: 6500 / SUP720
  one 3560 as local router, L2 boundary, and some access-ports
  multiple 2960 switches directly and cascaded connected to router

IPv4 solution:
- DHCP-Snooping + DAI + IPSG
- DHCP IP-Address assignment using Option82 remote-id + port-info
  extracted from circuit-id

We would like to implement something like that with IPv6. Essential
features that are missing in IPv6 right now:
1) option 82 support
2) RA-guard (or IPv6 port acls on 2960)
3) DHCPv6 snooping
4) equivalent to DAI (ND-Filtering based on DHCPv6 snooping)
5) IPv6 source guard

While I'm at it, a question regarding IPv6 on the WiSM:
1) Is there / will there be any ra-guard feature? This missing feature
   causes about 200000 DHCPv6 requests per hour, compared to 4000 DHCPv4.
2) MLD-snooping

So if anyone on this list knows about Cisco's plans regarding any of
these features, please share.

Thanks
   Joerg
--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
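Returning to the Inter-VRF OSPF Redistribution thread above: the following is an added worked model of the route-target import/export decision behind Oli's config (green leaked into red, and why the global table cannot take part). It is example code written for this page, not from the list or from any Cisco tool; the `Vrf` helper and the `bidirectional_config` extension are assumptions.

```python
"""Model of BGP route-target (RT) import/export between VRFs.

Example code added for this page (not from the cisco-nsp thread and not
a Cisco tool). It reproduces the rule IOS applies: a VRF's routes enter
BGP only when redistributed under "address-family ipv4 vrf <name>", they
then carry that VRF's export RTs, and another VRF imports every route
carrying one of its import RTs. The global table has no RD and no RTs,
so it has no place in this model; that is the limit Oli's second reply
describes.
"""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    """One 'ip vrf <name>' block (hypothetical helper, not an IOS object)."""
    name: str
    rd: str
    export_rts: set = field(default_factory=set)
    import_rts: set = field(default_factory=set)
    # True when "address-family ipv4 vrf <name>" under "router bgp" has a
    # redistribute statement; without it the VRF's routes never enter BGP
    # and therefore never carry RTs that another VRF could import.
    redistributes: bool = False

    def route_target(self, mode, rt):
        """Apply 'route-target {import|export|both} <rt>' to this VRF."""
        if mode not in ("import", "export", "both"):
            raise ValueError(f"unknown route-target mode {mode!r}")
        if mode in ("export", "both"):
            self.export_rts.add(rt)
        if mode in ("import", "both"):
            self.import_rts.add(rt)
        return self


def imports(vrfs):
    """Return {vrf name: set of other VRFs whose routes it imports}.

    A route exported by VRF S carries S's export RTs as extended
    communities; VRF D imports it when any of those RTs is in D's import
    set. A VRF sees its own routes regardless, so self-import is omitted.
    """
    result = {v.name: set() for v in vrfs}
    for src in vrfs:
        if not src.redistributes:
            continue  # nothing of src ever reaches BGP, so nothing leaks
        for dst in vrfs:
            if dst is not src and src.export_rts & dst.import_rts:
                result[dst.name].add(src.name)
    return result


def thread_config():
    """The two VRFs as configured in the thread: green routes into red."""
    red = Vrf("red", "1:1")
    red.route_target("both", "1:1").route_target("import", "1:2")
    green = Vrf("green", "1:2", redistributes=True)  # redistribute ospf 2
    green.route_target("both", "1:2")
    return [red, green]


def bidirectional_config():
    """Hypothetical extension (not in the thread): leak red into green too.

    Needs 'route-target import 1:1' under 'ip vrf green' and a redistribute
    statement under 'address-family ipv4 vrf red'.
    """
    red, green = thread_config()
    red.redistributes = True
    green.route_target("import", "1:1")
    return [red, green]


if __name__ == "__main__":
    for label, cfg in (("thread", thread_config()),
                       ("bidirectional", bidirectional_config())):
        for vrf, sources in imports(cfg).items():
            print(f"{label}: {vrf} imports from {sorted(sources) or 'nobody'}")
```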
From lmeade at signal.ca Fri Feb 19 10:25:35 2010
From: lmeade at signal.ca (Leslie Meade)
Date: Fri, 19 Feb 2010 07:25:35 -0800
Subject: [c-nsp] [cisco-voip] FW: Getting Unity to work when in SRST mode.
References: <1689825391190843B77E2B252432E89301649358@rwc-exch-prd1.myopwv.com> <1689825391190843B77E2B252432E893016493F3@rwc-exch-prd1.myopwv.com>
Message-ID:

One way it can be done, depending on how many people need voicemail while
the link is down, as it uses spare DIDs

Is to change the outbound calling number to a DID that is not in use and
when it hits your gateway/callmanager use a translation pattern to change
the calling number back into their local. Since the link is down the default
(if you got it setup) is to, on fail, go to voicemail.

Example CME user has ext 2106, get the dial plan to ring the "new DID"
604-345-5670, when it rings this number make a translation pattern to change
it back into 2106.

But this depends on how many unused DIDs you got and how many people. It
is not very scalable but it gets around the RDNIS issues and it works.

Leslie

From lmeade at signal.ca Fri Feb 19 11:10:02 2010
From: lmeade at signal.ca (Leslie Meade)
Date: Fri, 19 Feb 2010 08:10:02 -0800
Subject: [c-nsp] 6509-e IOS update
In-Reply-To: <20100219125407.GR14923@thot.informatik.uni-kl.de>
References: <20100219125407.GR14923@thot.informatik.uni-kl.de>
Message-ID:

I have a question about these devices, I am a voice man not an R&S man so
my kungfu is not strong in this..

I am wanting to update the IOS on this and I am not quite sure on something

Is the booting of this device controlled by the Sup-bootdisk ? I.e. if I
change the code in the configs to boot the new ios and reload it should
work ?

The question is this what is bootflash: used for? Should I also update it
as well ?

DTCCAT-CORE01#sh bootflash:
-#- ED ----type---- --crc--- -seek-- nlen -length- ---------date/time--------- name
1   .. image        3CA5FC8A  1098158   38 16875736 May 5 2007 21:26:10 +00:00 c6msfc2a-ipbase_wan-mz.122-18.SXF8.bin

DTCCAT-CORE01#sh sup-bootdisk:
-#- --length-- -----date/time------ path
1     60284964 Feb 19 2010 15:42:58 s3223-advipservicesk9_wan-mz.122-33.SXH6.bin
2     58262020 Aug 23 2008 18:58:58 s3223-advipservicesk9_wan-mz.122-33.SXH3.bin
3     26843548 Aug 23 2008 19:05:40 sea_log.dat

Cheers
Leslie

From ww10ww10 at yahoo.com Fri Feb 19 11:17:44 2010
From: ww10ww10 at yahoo.com (Tom)
Date: Fri, 19 Feb 2010 08:17:44 -0800 (PST)
Subject: [c-nsp] BGP Event Process
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F013EB5BF@XMB-AMS-103.cisco.com>
References: <387779df-edea-466c-b874-5a5c457a773c@g11g2000yqe.googlegroups.com> <6E4D2678AC543844917CA081C9D6B33F013EB5BF@XMB-AMS-103.cisco.com>
Message-ID:

Thanks Oli for your response. I saw the process in my edge router but I
can't find any links on Cisco's website that talks about it. Do you know
of any?

Thank you.

On Feb 19, 12:54 am, "Oliver Boehmer (oboehmer)" wrote:
> > Hello,
> > Does anyone know what that BGP event process does? Can't seem to find
> > any references to it on cisco's website.
>
> BGP event handles "critical" events like next-hop changes. why do you
> ask?
>
>         oli

From denaccie at gmail.com Fri Feb 19 11:44:00 2010
From: denaccie at gmail.com (My Name)
Date: Fri, 19 Feb 2010 11:44:00 -0500
Subject: [c-nsp] availability
Message-ID:

Does anyone have information concerning calculating network availability
based on a network design? For example, are redundant P and PE routers
more available statistically than single P and PEs with redundant route
processors, etc .....? I am looking to input network design parameters
and produce an availability/probability number? is there such an animal?
joe

From amsoares at netcabo.pt Fri Feb 19 12:04:11 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 19 Feb 2010 17:04:11 -0000
Subject: [c-nsp] 6509-e IOS update
In-Reply-To:
References: <20100219125407.GR14923@thot.informatik.uni-kl.de>
Message-ID: <0F0396020EB944A7A7486FC270AAA424@int.convex.pt>

The config-register defines how the boot process will occur. Usually we
have the default values of 0x2102 or 0x102 meaning that the router/switch
will take a look to the config and there usually we have a "boot system
flash device:filename" command.

So in your case i would do something like:

no boot system flash device:old_ios
boot system flash device:new_ios
boot system flash device:old_ios

Then confirm that everything looks fine with the "show bootvar" command.

You don't need to touch the bootflash. You are running in native mode (not
the old hybrid catos+ios mode) so you don't need the MSFC2 file for nothing.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leslie Meade
Sent: Friday, 19 February 2010 16:10
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 6509-e IOS update

I have a question about these devices, I am a voice man not an R&S man so
my kungfu is not strong in this..

I am wanting to update the IOS on this and I am not quite sure on something

Is the booting of this device controlled by the Sup-bootdisk ? I.e. if I
change the code in the configs to boot the new ios and reload it should
work ?

The question is this what is bootflash: used for? Should I also update it
as well ?

DTCCAT-CORE01#sh bootflash:
-#- ED ----type---- --crc--- -seek-- nlen -length- ---------date/time--------- name
1   .. image        3CA5FC8A  1098158   38 16875736 May 5 2007 21:26:10 +00:00 c6msfc2a-ipbase_wan-mz.122-18.SXF8.bin

DTCCAT-CORE01#sh sup-bootdisk:
-#- --length-- -----date/time------ path
1     60284964 Feb 19 2010 15:42:58 s3223-advipservicesk9_wan-mz.122-33.SXH6.bin
2     58262020 Aug 23 2008 18:58:58 s3223-advipservicesk9_wan-mz.122-33.SXH3.bin
3     26843548 Aug 23 2008 19:05:40 sea_log.dat

Cheers
Leslie

From lmeade at signal.ca Fri Feb 19 12:27:19 2010
From: lmeade at signal.ca (Leslie Meade)
Date: Fri, 19 Feb 2010 09:27:19 -0800
Subject: [c-nsp] 6509-e IOS update
In-Reply-To: <0F0396020EB944A7A7486FC270AAA424@int.convex.pt>
References: <20100219125407.GR14923@thot.informatik.uni-kl.de> <0F0396020EB944A7A7486FC270AAA424@int.convex.pt>
Message-ID:

Many thanks..

-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt]
Sent: Friday, February 19, 2010 9:04 AM
To: Leslie Meade; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 6509-e IOS update

The config-register defines how the boot process will occur. Usually we
have the default values of 0x2102 or 0x102 meaning that the router/switch
will take a look to the config and there usually we have a "boot system
flash device:filename" command.

So in your case i would do something like:

no boot system flash device:old_ios
boot system flash device:new_ios
boot system flash device:old_ios

Then confirm that everything looks fine with the "show bootvar" command.

You don't need to touch the bootflash. You are running in native mode (not
the old hybrid catos+ios mode) so you don't need the MSFC2 file for nothing.
Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leslie Meade
Sent: Friday, 19 February 2010 16:10
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 6509-e IOS update

I have a question about these devices, I am a voice man not an R&S man so
my kungfu is not strong in this..

I am wanting to update the IOS on this and I am not quite sure on something

Is the booting of this device controlled by the Sup-bootdisk ? I.e. if I
change the code in the configs to boot the new ios and reload it should
work ?

The question is this what is bootflash: used for? Should I also update it
as well ?

DTCCAT-CORE01#sh bootflash:
-#- ED ----type---- --crc--- -seek-- nlen -length- ---------date/time--------- name
1   .. image        3CA5FC8A  1098158   38 16875736 May 5 2007 21:26:10 +00:00 c6msfc2a-ipbase_wan-mz.122-18.SXF8.bin

DTCCAT-CORE01#sh sup-bootdisk:
-#- --length-- -----date/time------ path
1     60284964 Feb 19 2010 15:42:58 s3223-advipservicesk9_wan-mz.122-33.SXH6.bin
2     58262020 Aug 23 2008 18:58:58 s3223-advipservicesk9_wan-mz.122-33.SXH3.bin
3     26843548 Aug 23 2008 19:05:40 sea_log.dat

Cheers
Leslie

From msaskin at gmail.com Fri Feb 19 12:52:37 2010
From: msaskin at gmail.com (Matthew Saskin)
Date: Fri, 19 Feb 2010 12:52:37 -0500
Subject: [c-nsp] [cisco-voip] FW: Getting Unity to work when in SRST mode.
In-Reply-To:
References: <1689825391190843B77E2B252432E89301649358@rwc-exch-prd1.myopwv.com> <1689825391190843B77E2B252432E893016493F3@rwc-exch-prd1.myopwv.com>
Message-ID:

The only thing I can offer to this is good luck getting RDNIS to work.
I can't recall once where I've seen RDNIS make it all the way through the
PSTN cloud to the site hosting Unity.

Matthew Saskin
msaskin at gmail.com
203-253-9571

July 18, 2010 - 1500m swim (in the hudson), 40k bike, 10k run
Please support the Leukemia & Lymphoma Society
http://pages.teamintraining.org/nyc/nyctri10/msaskin

On Fri, Feb 19, 2010 at 10:25 AM, Leslie Meade wrote:
>
> One way it can be done, depending on how many people need voicemail while
> the link is down, as it uses spare DIDs
>
> Is to change the outbound calling number to a DID that is not in use and
> when it hits your gateway/callmanager use a translation pattern to change
> the calling number back into their local. Since the link is down the default
> (if you got it setup) is to, on fail, go to voicemail.
>
> Example CME user has ext 2106, get the dial plan to ring the "new DID"
> 604-345-5670, when it rings this number make a translation pattern to change
> it back into 2106.
>
> But this depends on how many unused DIDs you got and how many people. It
> is not very scalable but it gets around the RDNIS issues and it works.
>
> Leslie
>

From pkranz at unwiredltd.com Fri Feb 19 13:23:17 2010
From: pkranz at unwiredltd.com (Peter Kranz)
Date: Fri, 19 Feb 2010 10:23:17 -0800
Subject: [c-nsp] 6509-e IOS update
In-Reply-To:
References: <20100219125407.GR14923@thot.informatik.uni-kl.de> <0F0396020EB944A7A7486FC270AAA424@int.convex.pt>
Message-ID: <008a01cab190$9b5b2850$d21178f0$@unwiredltd.com>

FYI Based on the dates on your flash, are you thinking of moving to this
image:

1     60284964 Feb 19 2010 15:42:58 s3223-advipservicesk9_wan-mz.122-33.SXH6.bin

I would think you should be on this image instead:

S3223-advipservicesk9_wan-mz.122-33.SXI3.bin

I believe most have skipped the SXH train, but could be wrong..

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leslie Meade
Sent: Friday, February 19, 2010 9:27 AM
To: Antonio Soares; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6509-e IOS update

Many thanks..

-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt]
Sent: Friday, February 19, 2010 9:04 AM
To: Leslie Meade; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 6509-e IOS update

The config-register defines how the boot process will occur. Usually we
have the default values of 0x2102 or 0x102 meaning that the router/switch
will take a look to the config and there usually we have a "boot system
flash device:filename" command.

So in your case i would do something like:

no boot system flash device:old_ios
boot system flash device:new_ios
boot system flash device:old_ios

Then confirm that everything looks fine with the "show bootvar" command.
You don't need to touch the bootflash. You are running in native mode (not
the old hybrid catos+ios mode) so you don't need the MSFC2 file for nothing.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leslie Meade
Sent: Friday, 19 February 2010 16:10
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 6509-e IOS update

I have a question about these devices, I am a voice man not an R&S man so
my kungfu is not strong in this..

I am wanting to update the IOS on this and I am not quite sure on something

Is the booting of this device controlled by the Sup-bootdisk ? I.e. if I
change the code in the configs to boot the new ios and reload it should
work ?

The question is this what is bootflash: used for? Should I also update it
as well ?

DTCCAT-CORE01#sh bootflash:
-#- ED ----type---- --crc--- -seek-- nlen -length- ---------date/time--------- name
1   .. image        3CA5FC8A  1098158   38 16875736 May 5 2007 21:26:10 +00:00 c6msfc2a-ipbase_wan-mz.122-18.SXF8.bin

DTCCAT-CORE01#sh sup-bootdisk:
-#- --length-- -----date/time------ path
1     60284964 Feb 19 2010 15:42:58 s3223-advipservicesk9_wan-mz.122-33.SXH6.bin
2     58262020 Aug 23 2008 18:58:58 s3223-advipservicesk9_wan-mz.122-33.SXH3.bin
3     26843548 Aug 23 2008 19:05:40 sea_log.dat

Cheers
Leslie

From bacon at walleyesoftware.com Fri Feb 19 15:46:56 2010
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Fri, 19 Feb 2010 14:46:56 -0600
Subject: [c-nsp] 6816 vs 6724
Message-ID: <5A69C25361FED34F83ABF05F5047524507F0612C@wally.walleyetrading.net>

Is there any compelling reason to use a 6724 linecard over a 6816 (_not_ a
6516, thank you very much), assuming you only need 6-10 gig fiber ports?

Assume this is for a 6500/sup720-2B, with DFCs thrown on, mix of multicast
and unicast, bursty loads.

I've been using 6816s and the only real annoyance is that they do ingress
multicast replication, not egress. port buffer is a little smaller but so
far it hasn't been a major issue. The ingress replication is really
annoying for SPAN sessions.

But the price difference is massive; no one wants 6816/DFCs, it would seem.

Anything I'm missing?
Thanks,
-bacon

From ayourtch at cisco.com Fri Feb 19 16:36:07 2010
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Fri, 19 Feb 2010 22:36:07 +0100 (CET)
Subject: [c-nsp] VPN Client 64-bit support for Windows 7 / Windows Vista: 5.0.7 beta
Message-ID:

Hi all,

If you remember the threads about the 64-bit support on the IPSEC VPN
client for Windows: thank you for the feedback. Adding to that:

<$me mode="messenger">

In addition to serving as a general maintenance release, the Cisco VPN
Client 5.0.7 beta is compatible with Windows 7 & Windows Vista 64-bit
environments. A 64-bit specific compatible image is available for
installation on these platforms.

Please communicate the feedback (both positive and problems) to
cvc-beta at cisco.com.

Key Capabilities available for Beta Testing:

New Platform support - Windows 7 & Windows Vista 64-bit platform
compatibility

Software Access:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281940730
(under 5.BETA)

Software is available for download by any customer with a Cisco.com
SMARTnet(tm) enabled login.

Have a nice weekend.

cheers,
andrew

From ATolstykh at integrysgroup.com Fri Feb 19 16:35:59 2010
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Fri, 19 Feb 2010 15:35:59 -0600
Subject: [c-nsp] Cisco Posted the 64bit IPSec VPN client (Beta winx64-msi-5.0.07.0240)
Message-ID: <3F3802329EC1534FBCEAB6DDC0BD807C04A67E34@DOB-BXVS3.integrysgroup.net>

Finally it's here, had a bunch of users asking for it for ages.

vpnclient-winx64-msi-5.0.07.0240-k9-BETA.exe
Release Date: 18/Feb/2010
BETA VPN Client Software for x86 64bit version of Windows 7 - Microsoft Installer
Size: 4898.50 KB (5016064 bytes)

From maddison at lightbound.net Fri Feb 19 17:00:25 2010
From: maddison at lightbound.net (Matt Addison)
Date: Fri, 19 Feb 2010 17:00:25 -0500
Subject: [c-nsp] VPN Client 64-bit support for Windows 7 / Windows Vista: 5.0.7 beta
In-Reply-To:
References:
Message-ID:

> In addition to serving as a general maintenance release, the Cisco VPN
> Client 5.0.7 beta is compatible with Windows 7 & Windows Vista 64-bit
> environments. A 64-bit specific compatible image is available for
> installation on these platforms.

Are there release notes still to be posted to the main site covering what
else is fixed/changed? Or are they being withheld until final release?

~Matt

From steve at ibctech.ca Fri Feb 19 18:01:12 2010
From: steve at ibctech.ca (Steve Bertrand)
Date: Fri, 19 Feb 2010 18:01:12 -0500
Subject: [c-nsp] Display nei as name in 'sh ip bgp sum'
Message-ID: <4B7F1838.60605@ibctech.ca>

Is there a way to have a Cisco format the output of a "show ip bgp
summary" to replace the neighbour IP with a name as opposed to the IP(v6)
address of the neighbour?

I haven't been able to find any docs in this regard.

It's only one more step to "sh ip bgp nei xxxx", but I thought that if it
was possible, viewing the name of the neighbour in the summary could save
a step in many cases.

Steve

From matt at melbourne.org.uk Fri Feb 19 21:19:15 2010
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Sat, 20 Feb 2010 02:19:15 +0000
Subject: [c-nsp] Load-sharing with two links to the same ISP
In-Reply-To: <3c605ce11002082152w32998e09qfdd81ae6c34f9017@mail.gmail.com>
References: <000901caa8f9$3e9cd8b0$bbd68a10$@org.uk> <3c605ce11002082152w32998e09qfdd81ae6c34f9017@mail.gmail.com>
Message-ID:

On looking at this again, it appears that BGP Multipath only works when
the eBGP sessions are terminated on the same box.

The scenario here is two eBGP sessions to the same ISP, but terminating
on two different customer edge routers (with an iBGP session between
them).
In the lab tests I've done, I can see the two entries in the BGP table
(one learned via the directly connected eBGP neighbour and one learned
through iBGP (from the other eBGP session on the other router), but only
the best path (via the eBGP link) gets entered into the RIB.

There is a command "maximum-paths eibgp" to load-share across eBGP and
iBGP paths, but this is limited to connections within an MPLS VPN, and
not the global routing table..

Maybe the outbound load-sharing will occur naturally through the IGP,
and dynamic default routing (i.e. the closest exit point)?

Alternatively, another possibility may be to arbitrarily prefer one link
for some traffic, using AS paths or prefix lists together with NetFlow
data, as a 'first cut' and then optimise over time.

Cheers,

Matt

On 9 February 2010 05:52, Aftab Siddiqui wrote:
> hi Matthew,
>
> Keeping the current internet full feed in view its around 300k routes and
> sup720-3BXL should support 1million routes (its cisco though :p). So even if
> you terminate the links on 2 different edges coming from the same AS it
> should work fine.
>
> If you are trying "bgp bestpath as-path multipath-relax" kindly share the
> outcomes because in my opinion it is used to load share between different
> as-path. I have never tried it before.
> Regards,
>
> Aftab A. Siddiqui
>
>
> On Tue, Feb 9, 2010 at 12:59 AM, Matthew Melbourne wrote:
>>
>> Thanks for the pointers towards eBGP Multipath. Can I check that this
>> still works if two links are terminated on different edge routers (though
>> with iBGP between the edge routers). I assume this will use additional
>> TCAM resources (Sup720-3BXL) in maintaining two routes per prefix, which
>> could be significant for a full BGP feed?
>>
>> Cheers,
>>
>> Matt
>>
>> -----Original Message-----
>> From: Erik Cuevas [mailto:ecuevas at fxcm.com]
>> Sent: 05 February 2010 12:33
>> To: Matthew Melbourne
>> Subject: RE: [c-nsp] Load-sharing with two links to the same ISP
>>
>> Did you check out BGP multipath?
>>
>> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml
>>
>> or if the AS Path is different try...
>>
>> bgp bestpath as-path multipath-relax (its hidden)
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Melbourne
>> Sent: Friday, February 05, 2010 6:33 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Load-sharing with two links to the same ISP
>>
>> Hi,
>>
>> What techniques are available to load-share traffic on two links (of
>> equal bandwidth) to the same ISP (same AS) given that BGP only enters
>> the best path into the RIB? We could announce our prefixes over both
>> links, but splitting the preferred path announcements over the two
>> links, either using MED or ISP communities, but this only really
>> addresses inbound traffic. More of an issue is trying to load-share
>> outbound traffic; we assume we'll learn the same set of prefixes over
>> both links from the same ISP - one technique may be to simply split
>> the IPv4 address space in half and local-pref accordingly to prefer
>> one link or the other depending on the destination IP prefix?
>>
>> Cheers,
>>
>> Matt
>>
>> --
>> Matthew Melbourne
>>
>

--
Matthew Melbourne

From cnsp at shreddedmail.com Fri Feb 19 21:33:44 2010
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Fri, 19 Feb 2010 18:33:44 -0800
Subject: [c-nsp] Cisco ONS 15454 for dummies
Message-ID:

I'm getting ready to do some facilities expansion to a building about 300
cable-feet away. I currently have Ethernet, OC-N, and DS-N services,
clear-channel and channelized that can land on access equipment or handed
off as Out-of-Band connections to customers. We have multiple ILECs and
CLECs servicing our building. I'm also planning on moving (or building)
some telco facility in/to the new building.

I need the ability to land OC-N and DS-3 circuits and peel DS-3s and DS-1s
out of them. I would also like to be able to choose which DS-1s go to
which facility, combine them into something like a PA-MCT3+ for IP, etc.
I'm savvy with layer3-7 with IP and layer1-2 with Ethernet, T-1, and DS-3.

"Everybody" seems to be using the ONS 15454 to mix-n-match TDM between
nodes. I've used some Google-fu and read through the Cisco ONS manual,
but still have some basic questions that I haven't been able to answer.
Part of my confusion is Cisco listing MSPP, MSTP and SONET vs SDH all
under the same "ONS" umbrella.

Any pointers to an "ONS for dummies" resource to help me make an
intelligent decision on where to focus my research?

Would I potentially be better served by some form of simpler Add/Drop
mux(es) of some nature?

I don't know enough yet to ask the right questions, so I'm hoping I'll
get some questions in return.
:)

Thanks,

From jackson.tim at gmail.com Fri Feb 19 22:33:47 2010
From: jackson.tim at gmail.com (Tim Jackson)
Date: Fri, 19 Feb 2010 21:33:47 -0600
Subject: [c-nsp] Cisco ONS 15454 for dummies
In-Reply-To: <4407932e1002191929pca37b00uf31a4f915f239050@mail.gmail.com>
References: <4407932e1002191929pca37b00uf31a4f915f239050@mail.gmail.com>
Message-ID: <4407932e1002191933p64b70787wc7054655471d95a5@mail.gmail.com>

The ONS is really just a SONET/SDH ADM... MSTP is the DWDM platform using muxponders/transponders/amps/etc. powered and controlled by the chassis. What you're after is the 454 MSPP, which is basically a modular ADM that can do Ethernet over SONET and TDM etc...

Depending on the scale of your VT1.5 needs, the 454 may not be a good choice... May be better off with some Turin/Farce10 gear for it..

On Feb 19, 2010 8:36 PM, "Rick Ernst" wrote:

> I'm getting ready to do some facilities expansion to a building about 300 cable-feet away. I currently have Ethernet, OC-N, and DS-N services, clear-channel and channelized, that can land on access equipment or be handed off as out-of-band connections to customers. We have multiple ILECs and CLECs servicing our building. I'm also planning on moving (or building) some telco facility in/to the new building. I need the ability to land OC-N and DS-3 circuits and peel DS-3s and DS-1s out of them.
From kloch at kl.net Sat Feb 20 01:47:35 2010
From: kloch at kl.net (Kevin Loch)
Date: Sat, 20 Feb 2010 01:47:35 -0500
Subject: [c-nsp] Load-sharing with two links to the same ISP
In-Reply-To:
References: <000901caa8f9$3e9cd8b0$bbd68a10$@org.uk> <3c605ce11002082152w32998e09qfdd81ae6c34f9017@mail.gmail.com>
Message-ID: <4B7F8587.4030606@kl.net>

Matthew Melbourne wrote:
> On looking at this again, it appears that BGP Multipath only works when the eBGP sessions are terminated on the same box.
>
> The scenario here is two eBGP sessions to the same ISP, but terminating on two different customer edge routers (with an iBGP session between them). In the lab tests I've done, I can see the two entries in the BGP table (one learned via the directly connected eBGP neighbour and one learned through iBGP from the other eBGP session on the other router), but only the best path (via the eBGP link) gets entered into the RIB.

That is done to prevent loops. If you can aggregate the traffic on other routers first, then iBGP multipath could work for you.

Another option is if the uplinks are Ethernet and you are able to extend VLANs between your two routers. Then there are several ways to implement a full mesh (four eBGP sessions) so each of your routers would see an equal cost path over each uplink.
- Kevin

From saku at ytti.fi Sat Feb 20 10:16:17 2010
From: saku at ytti.fi (Saku Ytti)
Date: Sat, 20 Feb 2010 17:16:17 +0200
Subject: [c-nsp] availability
In-Reply-To:
References:
Message-ID: <20100220151617.GA26028@mx.ytti.net>

On (2010-02-19 11:44 -0500), My Name wrote:
> Does anyone have information concerning calculating network availability based on a network design?
>
> For example, is redundant P and PE routers more available statistically than single P and PEs with redundant route processors, etc .....?
>
> I am looking to input network design parameters and produce an availability/probability number? is there such an animal?

If nothing else, this might point to some directions or help with more precise questions: http://iplu.vtt.fi/

Unfortunately some of the material is finncryp() and it is also very high level, done by professional academics on government grants. Some co-workers of mine have met these people to give them some real life data to work with, and they reported that it was really hard to follow what they were doing, so expect formulae etc.
I think in real life engineers know this stuff intuitively.

I sometimes wonder if high network quality even pays off; at least our claimed SLA compensations are very low, so it would be hard to justify any CAPEX increase to increase quality. Rather it would seem that network quality can be decreased if it means we can be more competitive or have higher margins.
Spending money on brand, creating high perceived quality, might be wiser than actually trying to increase quality, since actual quality is quite hard to measure.
But of course it is much more fun and satisfying to create the best network you can. Too bad the majority of customers claim they want quality, but seem to choose the cheapest option from the market; perhaps even the worst product is good enough.
--
++ytti

From bdikici at gmail.com Sat Feb 20 10:34:23 2010
From: bdikici at gmail.com (Burak Dikici)
Date: Sat, 20 Feb 2010 17:34:23 +0200
Subject: [c-nsp] Question about routing table size on the route reflector
Message-ID:

Hello,

I am trying to understand the requirements of the route reflector's routing table size. Here is the scenario:

- The internet router is doing multihoming with three different ISPs. It is getting full internet routes from all of them.
- There are 25 PE routers in the topology.

How can I define the requirement for the route reflector's IPv4 and VPNv4 routing table size? 1 million, 2 million or what else? Could you help me to understand the logic of this requirement?

Kind Regards...

Burak Dikici

From mtinka at globaltransit.net Sat Feb 20 07:39:28 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 20 Feb 2010 20:39:28 +0800
Subject: [c-nsp] DHCP client-identifier/hardware-address Issue
Message-ID: <201002202039.33213.mtinka@globaltransit.net>

Hello all.

I have an issue where neither 'client-identifier' nor 'hardware-address' will force the host address assigned to a Cisco AP1242AG job. Box is running 12.2(33)SRC5 (7206-VXR/NPE-G2), AP is on 12.4(10b)JDA3.

I've seen a number of complaints online re: spotty results for this depending on OS and/or NIC type.

Thoughts?

Cheers,

Mark.
From david.freedman at uk.clara.net Sat Feb 20 11:04:26 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Sat, 20 Feb 2010 16:04:26 +0000
Subject: [c-nsp] Load-sharing with two links to the same ISP
References: <000901caa8f9$3e9cd8b0$bbd68a10$@org.uk> <3c605ce11002082152w32998e09qfdd81ae6c34f9017@mail.gmail.com> <4B7F8587.4030606@kl.net>
Message-ID:

You could, for instance, use MPLS LSPs back to your ingress PE routers (providing of course you are happy for them to carry these prefixes in their tables) so as to ensure that two TE tunnels exist back to your egress PE, and then load share between them...

Dave.

From tvarriale at comcast.net Sat Feb 20 15:39:46 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Sat, 20 Feb 2010 14:39:46 -0600
Subject: [c-nsp] VPN Client 64-bit support for Windows 7 / WindowsVista: 5.0.7 beta
References:
Message-ID: <7361D1FB45A347E0B0D920A2EE70A9B6@flamdt01>

----- Original Message -----
From: "Matt Addison"
To: ;
Sent: Friday, February 19, 2010 4:00 PM
Subject: Re: [c-nsp] VPN Client 64-bit support for Windows 7 / WindowsVista: 5.0.7 beta

>> In addition to serving as a general maintenance release, the Cisco VPN Client 5.0.7 beta is compatible with Windows 7 & Windows Vista 64-bit environments. A 64-bit specific compatible image is available for installation on these platforms.
>
> Are there release notes still to be posted to the main site covering what else is fixed/changed? Or are they being withheld until final release?
>
> ~Matt

Should be available this week.

tv

From sethm at rollernet.us Sat Feb 20 19:02:38 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Sat, 20 Feb 2010 16:02:38 -0800
Subject: [c-nsp] Determining manufacturing date
Message-ID: <4B80781E.4080903@rollernet.us>

Is there a way to determine the date a card or chassis was manufactured from its serial number?
~Seth

From ayourtch at cisco.com Sat Feb 20 22:12:45 2010
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Sun, 21 Feb 2010 04:12:45 +0100 (CET)
Subject: [c-nsp] VPN Client 64-bit support for Windows 7 / Windows Vista: 5.0.7 beta
In-Reply-To:
References:
Message-ID:

On Fri, 19 Feb 2010, Matt Addison wrote:

>> In addition to serving as a general maintenance release, the Cisco VPN Client 5.0.7 beta is compatible with Windows 7 & Windows Vista 64-bit environments. A 64-bit specific compatible image is available for installation on these platforms.
>
> Are there release notes still to be posted to the main site covering what else is fixed/changed? Or are they being withheld until final release?

Twice the bit count:
code ran faster than data
in a race to spring.

In a non-attempt-at-haiku form - the code was ready a bit earlier, and the folks made a decision to release it for the 64-bit testing immediately rather than holding off. Please give it a week or two for the notes :-)

cheers,
andrew

From zivl at gilat.net Sun Feb 21 02:57:11 2010
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 21 Feb 2010 09:57:11 +0200
Subject: [c-nsp] Missing BGP MIB support on Cisco 2621
In-Reply-To: <8770c70a-0897-49ad-b10d-f4e4a31d1d86@exch2k7.gilat.local>
References: <8770c70a-0897-49ad-b10d-f4e4a31d1d86@exch2k7.gilat.local>
Message-ID:

I think you should download the specific MIB for your release and try to browse it with some MIB browser or using the Cisco MIB Locator.
Here's a link for the v2 MIB:
http://tools.cisco.com/ITDIT/MIBS/MainServlet?ReleaseSel=0&PlatformSel=0&fsSel=0&IMAGE_NAME=c2600-is4-mz.123-26.bin&SUBMIT2=Submit

HTH
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iName.com
Sent: Friday, February 19, 2010 12:31 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Missing BGP MIB support on Cisco 2621

According to Cisco's MIB Locator, c2600-is4-mz.123-26.bin
should have CISCO-BGP4-MIB support, but when I try to walk that part of the tree (1.3.6.1.4.1.9.9.187) in v1 or v2c that fails. I'm using this router to do IPv6 tunneling, and the only routes exchanged on this router are IPv6.

Anyone else see this? Or is there a special knob I need to turn that on?

Frank

From cstand141 at gmail.com Sun Feb 21 10:52:07 2010
From: cstand141 at gmail.com (chris stand)
Date: Sun, 21 Feb 2010 09:52:07 -0600
Subject: [c-nsp] Cisco ONS 15454 for dummies
Message-ID: <22bb306c1002210752v21c1276ak4eca07b37c428ca0@mail.gmail.com>

Message: 3
Date: Fri, 19 Feb 2010 18:33:44 -0800
From: Rick Ernst
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ONS 15454 for dummies
Message-ID:

> I'm getting ready to do some facilities expansion to a building about 300 cable-feet away. I currently have Ethernet, OC-N, and DS-N services, clear-channel and channelized, that can land on access equipment or be handed off as out-of-band connections to customers. We have multiple ILECs and CLECs servicing our building. I'm also planning on moving (or building) some telco facility in/to the new building. I need the ability to land OC-N and DS-3 circuits and peel DS-3s and DS-1s out of them.
> I would also like to be able to choose which DS-1s go to which facility, combine them into something like a PA-MCT3+ for IP, etc. I'm savvy with layer 3-7 with IP and layer 1-2 with Ethernet, T-1, and DS-3.
>
> "Everybody" seems to be using the ONS 15454 to mix-n-match TDM between nodes.

Rick,

If you do not yet have this equipment you might want to look at Ciena. Some of the more complex - but still "small" - environments use this. Shoot me an off-post email if you wish.

Disclaimer: I have no interest in either company and know people who work for both.

From asturluismi at gmail.com Sun Feb 21 12:53:13 2010
From: asturluismi at gmail.com (luismi)
Date: Sun, 21 Feb 2010 18:53:13 +0100
Subject: [c-nsp] multicast udlr experiences?
Message-ID: <1266774793.24495.3.camel@hal9000>

Is there anyone using multicast UDLR? I would like to hear about experiences, and how to deploy it properly, because the documentation I found is a bit confusing for me.

From listacct at tulsaconnect.com Sun Feb 21 12:58:07 2010
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Sun, 21 Feb 2010 11:58:07 -0600
Subject: [c-nsp] what is it with 3550s?
In-Reply-To:
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
Message-ID: <4B81742F.3070808@tulsaconnect.com>

Hi Jon,

We've got a boatload of 3550-EMIs (for colo/server aggregation duties) and are looking at replacing them in the next 12-24 months. The C3750G-24/48-E series seem to be a good upgrade path (all gig ports, layer 3 routing, IPv6 support, fairly easy to source on the used market) -- curious as to why you said they didn't look viable...

Jon Lewis wrote:
>> We will be moving away from them and don't see C3560 or C3750 as a viable replacement.
--Mike

From v.jones at networkingunlimited.com Sun Feb 21 13:42:53 2010
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Sun, 21 Feb 2010 13:42:53 -0500
Subject: [c-nsp] availability
In-Reply-To: <20100220151617.GA26028@mx.ytti.net>
References: <20100220151617.GA26028@mx.ytti.net>
Message-ID: <1266777773.26255.277.camel@X61.NetworkingUnlimited.nul>

On Sat, 2010-02-20 at 17:16 +0200, Saku Ytti wrote:
> On (2010-02-19 11:44 -0500), My Name wrote:
>
> > Does anyone have information concerning calculating network availability based on a network design?
> >
> > I am looking to input network design parameters and produce an availability/probability number? is there such an animal?
>
> If nothing else, this might point to some directions or help with more precise questions: http://iplu.vtt.fi/
>
> I sometimes wonder if high network quality even pays off, at least our claimed SLA compensations are very low so it would be hard to justify any CAPEX increase to increase quality.
There is an overview of the math involved in calculating the availability of a network design in the first chapter of my book "High Availability Networking with Cisco." While quite simple in theory, it can be notoriously inaccurate in the real world due to GIGO (if the component availabilities you start with are garbage, so will the calculated overall availability). The book is out of print, but is frequently available on Amazon at bargain prices. Feel free to contact me off-list if you have trouble finding a copy.

Do keep in mind Saku's warnings. Over the years I've seen a number of networks where the added redundancy decreased availability. If not implemented properly, the only thing which will be improved is the vendor's profit.

Good luck and have fun!
--
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com

From achatz at forthnet.gr Sun Feb 21 14:24:01 2010
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sun, 21 Feb 2010 21:24:01 +0200
Subject: [c-nsp] availability
In-Reply-To: <1266777773.26255.277.camel@X61.NetworkingUnlimited.nul>
References: <20100220151617.GA26028@mx.ytti.net> <1266777773.26255.277.camel@X61.NetworkingUnlimited.nul>
Message-ID: <4B818851.402@forthnet.gr>

Some presentations at http://www.cisco.com/en/US/products/ps6550/prod_presentation_list.html include the basic calculations that you can use in order to simulate serial or parallel scenarios.

Besides Vincent's excellent book, there is "*High Availability Network Fundamentals*" by Chris Oggerino, which is also a very good read if you're interested in maths. It also includes its own availability calculator: SHARC.

btw, there is a reference to some internal Cisco tools (i.e.
NARC) in the above Cisco link, but I was never able to get them from my account manager :(

--
Tassos

Vincent C Jones wrote on 21/02/2010 20:42:
> On Sat, 2010-02-20 at 17:16 +0200, Saku Ytti wrote:
>> On (2010-02-19 11:44 -0500), My Name wrote:
>>> Does anyone have information concerning calculating network availability based on a network design?
> There is an overview of the math involved in calculating the availability of a network design in the first chapter of my book "High Availability Networking with Cisco."
>
> Good luck and have fun!

From sthaug at nethelp.no Sun Feb 21 14:29:04 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sun, 21 Feb 2010 20:29:04 +0100 (CET)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <4B81742F.3070808@tulsaconnect.com>
References: <4B81742F.3070808@tulsaconnect.com>
Message-ID: <20100221.202904.74695555.sthaug@nethelp.no>

> We've got a boatload of 3550-EMIs (for colo/server aggregation duties) and are looking at replacing them in the next 12-24 months. The C3750G-24/48-E series seem to be a good upgrade path (all gig ports, layer 3 routing, IPv6 support, fairly easy to source on the used market) -- curious as to why you said they didn't look viable...

I'd say it depends a lot on how you use your 3550s. One point which is significantly different on 3560/3750 is QoS/policing.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From listacct at tulsaconnect.com Sun Feb 21 16:00:12 2010
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Sun, 21 Feb 2010 15:00:12 -0600
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100221.202904.74695555.sthaug@nethelp.no>
References: <4B81742F.3070808@tulsaconnect.com> <20100221.202904.74695555.sthaug@nethelp.no>
Message-ID: <4B819EDC.305@tulsaconnect.com>

We currently aren't doing any QoS, and a limited amount of policing. Besides the C3750G, are there any other switches worth a look? We're a mixed Juniper/Cisco shop, so I've been looking at the EX3200 line as well. We need something that will do OSPF and limited BGP (just to announce customer subnets back into the network).

sthaug at nethelp.no wrote:
> I'd say it depends a lot on how you use your 3550s. One point which is significantly different on 3560/3750 is QoS/policing.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

--
-----------------------------------------
Mike Bacher / listacct at tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From tvarriale at comcast.net Sun Feb 21 16:19:41 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Sun, 21 Feb 2010 15:19:41 -0600
Subject: [c-nsp] what is it with 3550s?
References: <4B81742F.3070808@tulsaconnect.com> <20100221.202904.74695555.sthaug@nethelp.no> <4B819EDC.305@tulsaconnect.com>
Message-ID: <50857E429F6A4704B6040EAF68EC11E5@flamdt01>

----- Original Message -----
From: "TCIS List Acct"
To:
Cc: ;
Sent: Sunday, February 21, 2010 3:00 PM
Subject: Re: [c-nsp] what is it with 3550s?

> We currently aren't doing any QoS, and a limited amount of policing.
> Besides the C3750G, are there any other switches worth a look?
> We're a mixed Juniper/Cisco shop, so I've been looking at the EX3200 line as well. We need something that will do OSPF and limited BGP (just to announce customer subnets back into the network).

If you aren't going to use Stackwise look at the 3560s. In the J lineup, the EX4200s should suit you well.

tv

From listacct at tulsaconnect.com Sun Feb 21 16:34:29 2010
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Sun, 21 Feb 2010 15:34:29 -0600
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <50857E429F6A4704B6040EAF68EC11E5@flamdt01>
References: <4B81742F.3070808@tulsaconnect.com> <20100221.202904.74695555.sthaug@nethelp.no> <4B819EDC.305@tulsaconnect.com> <50857E429F6A4704B6040EAF68EC11E5@flamdt01>
Message-ID: <4B81A6E5.6060405@tulsaconnect.com>

The 3560Gs w/ipservices (-E) seem to be more expensive than the corresponding 3750G counterparts for some reason, so we've been primarily looking at those.

Tony Varriale wrote:
> If you aren't going to use Stackwise look at the 3560s. In the J lineup, the EX4200s should suit you well.
From listacct at tulsaconnect.com Sun Feb 21 16:37:29 2010
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Sun, 21 Feb 2010 15:37:29 -0600
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <50857E429F6A4704B6040EAF68EC11E5@flamdt01>
References: <4B81742F.3070808@tulsaconnect.com> <20100221.202904.74695555.sthaug@nethelp.no> <4B819EDC.305@tulsaconnect.com> <50857E429F6A4704B6040EAF68EC11E5@flamdt01>
Message-ID: <4B81A799.6090501@tulsaconnect.com>

Also, we've been looking more towards the Ciscos because the Juniper EX series seem to require a "feature license" for even basic BGP on the 2200/3200 series. Our BGP needs are quite modest (just announcing customer subnets back into the network), and this priced them out of the budget..

Tony Varriale wrote:
> If you aren't going to use Stackwise look at the 3560s. In the J lineup, the EX4200s should suit you well.
From lists at hojmark.org Sun Feb 21 17:08:43 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Sun, 21 Feb 2010 23:08:43 +0100
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <4B81A799.6090501@tulsaconnect.com>
References: <4B81742F.3070808@tulsaconnect.com> <20100221.202904.74695555.sthaug@nethelp.no> <4B819EDC.305@tulsaconnect.com> <50857E429F6A4704B6040EAF68EC11E5@flamdt01> <4B81A799.6090501@tulsaconnect.com>
Message-ID:

On Sun, 21 Feb 2010 15:37:29 -0600, you wrote:

> Also, we've been looking more towards the Ciscos because the Juniper EX series seem to require a "feature license" for even basic BGP on the 2200/3200 series.

So does Cisco. BGP is in IP Services on the switches.

-A

From john at vanoppen.com Sun Feb 21 18:05:15 2010
From: john at vanoppen.com (John van Oppen)
Date: Sun, 21 Feb 2010 15:05:15 -0800
Subject: [c-nsp] what is it with 3550s?
References: <4B81742F.3070808@tulsaconnect.com> <20100221.202904.74695555.sthaug@nethelp.no> <4B819EDC.305@tulsaconnect.com> <50857E429F6A4704B6040EAF68EC11E5@flamdt01> <4B81A799.6090501@tulsaconnect.com>
Message-ID:

Do either the 3550s or 3750s do IPv6 BGP? My read of the specifications is that they don't, but a real world confirmation would be nice as we are trying to figure out if we need to move in the direction of Force10 (which clearly supports multiprotocol BGP) as we start swapping out our 3500s, which we use with iBGP as customer facing aggregation in a few places.
Thanks,

John van Oppen

From listacct at tulsaconnect.com Sun Feb 21 18:33:04 2010
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Sun, 21 Feb 2010 17:33:04 -0600
Subject: [c-nsp] what is it with 3550s?
In-Reply-To:
References: <4B81742F.3070808@tulsaconnect.com> <20100221.202904.74695555.sthaug@nethelp.no> <4B819EDC.305@tulsaconnect.com> <50857E429F6A4704B6040EAF68EC11E5@flamdt01> <4B81A799.6090501@tulsaconnect.com>
Message-ID: <4B81C2B0.3050403@tulsaconnect.com>

Yes, but the ipservices license is much more affordable and comes pre-loaded on the -E models..

Asbjorn Hojmark - Lists wrote:
> On Sun, 21 Feb 2010 15:37:29 -0600, you wrote:
>
>> Also, we've been looking more towards the Ciscos because the Juniper EX series seem to require a "feature license" for even basic BGP on the 2200/3200 series.
>
> So does Cisco. BGP is in IP Services on the switches.
>
> -A

From p.mayers at imperial.ac.uk Sun Feb 21 18:22:13 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 21 Feb 2010 23:22:13 +0000
Subject: [c-nsp] what is it with 3550s?
In-Reply-To:
References:
Message-ID: <20100221232213.GA20762@wildfire.net.ic.ac.uk>

On Sun, Feb 21, 2010 at 11:05:15PM +0000, John van Oppen wrote:
> Do either the 3550s or 3750s do IPv6 BGP? My read of the specifications is that they don't, but a real world confirmation would be nice as we are trying to figure out if we need to move in the direction of Force10 (which clearly supports multiprotocol BGP) as we start swapping out our 3500s, which we use with iBGP as customer facing aggregation in a few places.

We use a pair of 3750s with IPv6 BGP (talking to a vpnv6 peering on a 6500 in fact); image is:

C3750-IPSERVICESK9-M, Version 12.2(52)SE

It works fine.

From BBlackford at nwresd.k12.or.us Sun Feb 21 20:19:01 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Sun, 21 Feb 2010 17:19:01 -0800
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <50857E429F6A4704B6040EAF68EC11E5@flamdt01>
References: <4B81742F.3070808@tulsaconnect.com> <20100221.202904.74695555.sthaug@nethelp.no> <4B819EDC.305@tulsaconnect.com> <50857E429F6A4704B6040EAF68EC11E5@flamdt01>
Message-ID: <6069A203FD01884885C037F81DD750801748C4B718@wsc-mail-01.intra.nwresd.k12.or.us>

I'm using EX3200's in this role (OSPF, BGP customer aggregation). I do like how the EX4200's can do dual power and/or VC.

-b
----- Original Message -----
From: "TCIS List Acct"
To:
Cc: ;
Sent: Sunday, February 21, 2010 3:00 PM
Subject: Re: [c-nsp] what is it with 3550s?

> We currently aren't doing any QoS, and a limited amount of policing.
> Besides the C3750G, are there any other switches worth a look? We're a
> mixed Juniper/Cisco shop, so I've been looking at the EX3200 line as well.
> We need something that will do OSPF and limited BGP (just to announce
> customer subnets back in to the network).

If you aren't going to use Stackwise, look at the 3560s. In the J lineup, the EX4200s should suit you well.

tv

From rsm at fast-serv.com Sun Feb 21 21:05:15 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Sun, 21 Feb 2010 21:05:15 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <6069A203FD01884885C037F81DD750801748C4B718@wsc-mail-01.intra.nwresd.k12.or.us>
References: <4B81742F.3070808@tulsaconnect.com> <20100221.202904.74695555.sthaug@nethelp.no> <4B819EDC.305@tulsaconnect.com> <50857E429F6A4704B6040EAF68EC11E5@flamdt01> <6069A203FD01884885C037F81DD750801748C4B718@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <20100222020320.M7816@fast-serv.com>

Another switch to consider could be Foundry/Brocade FESX (PREM). All the features of the 3560 with more throughput (10G option) plus dual hot swap power supply.

--
Randy

---------- Original Message -----------
From: Bill Blackford
To: "'Tony Varriale'" , "cisco-nsp at puck.nether.net"
Sent: Sun, 21 Feb 2010 17:19:01 -0800
Subject: Re: [c-nsp] what is it with 3550s?

> I'm using EX3200's in this role (OSPF, BGP customer aggregation). I
> do like how the EX4200's can do dual power and/or VC.
>
> -b
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
> Sent: Sunday, February 21, 2010 1:20 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] what is it with 3550s?
>
> ----- Original Message -----
> From: "TCIS List Acct"
> To:
> Cc: ;
> Sent: Sunday, February 21, 2010 3:00 PM
> Subject: Re: [c-nsp] what is it with 3550s?
>
> > We currently aren't doing any QoS, and a limited amount of policing.
> > Besides the C3750G, are there any other switches worth a look? We're a
> > mixed Juniper/Cisco shop, so I've been looking at the EX3200 line as well.
> > We need something that will do OSPF and limited BGP (just to announce
> > customer subnets back in to the network).
>
> If you aren't going to use Stackwise look at the 3560s. In the J
> lineup, the EX4200s should suit you well.
>
> tv
------- End of Original Message -------

From brad.henshaw at qcn.com.au Sun Feb 21 20:27:54 2010
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Mon, 22 Feb 2010 11:27:54 +1000
Subject: [c-nsp] Network-to-network connection - MPLS / non-MPLS
Message-ID: <8B25B862BC09784B9B74FB950D4F64D42BC62C@qcnapp01.corp.qcn>

Mike wrote:
> What options are available for establishing network-to-network
> connections between an MPLS network and a native IP network that has
> no current MPLS capability?
I'm coming in a bit late on this one, but I will briefly point out (in addition to Ge Moua's response) that Cisco seem to like reinventing the wheel with different terminology and slight variations on implementation, which of course impacts platform support.

Here are some phrases you can throw into the cisco.com search engine, feature navigator or Google:

* MPLS L3VPN over IP Tunnels (a.k.a. MPLS over L2TPv3)
* L3VPN over GRE
* MPLS over GRE
* MPLS VPN over multipoint GRE
* Dynamic L3VPN using multipoint GRE
* 2547oDMVPN

Enjoy. (said with just a little sarcasm)

Regards,
Brad

From mailers at oranged.to Mon Feb 22 00:10:21 2010
From: mailers at oranged.to (Jimmy Stewpot)
Date: Mon, 22 Feb 2010 05:10:21 +0000 (UTC)
Subject: [c-nsp] ASA5510 with SIP dropping intermittent
In-Reply-To:
Message-ID: <139394384.138.1266815420915.JavaMail.root@poops.oranged.to>

Hi Tony,

Thanks for your response. In the log files I see the following right before the call drops:

Feb 22 06:34:38 syslog-server %ASA-7-609001: Built local-host Outside:
Feb 22 06:34:38 syslog-server %ASA-6-106015: Deny TCP (no connection) from /59191 to /5060 flags PSH ACK on interface Outside
Feb 22 06:34:38 syslog-server %ASA-7-609002: Teardown local-host Outside: duration 0:00:00

I have doubled the timeouts and it's made little to no effect. Any advice would be really appreciated.

Regards,

Jimmy Stewpot.

----- Original Message -----
From: "Tony Varriale"
To: cisco-nsp at puck.nether.net
Sent: Wednesday, 17 February, 2010 3:43:45 PM
Subject: Re: [c-nsp] ASA5510 with SIP dropping intermittent

That bug was supposedly first found in 8.2(1).

My first thought is that the control channel is staying up on the voice SP, but is timing out in the translation table. Do you log your set ups and tear downs to a syslog server? If so, go back and try and chase that source port to see if there's a timeout/teardown prior to that timestamp.

You need the SIP inspection since you are NATing.
No way around it and I don't think that's the issue at this point. Or, better said, at this point in the data collection phase.

tv

----- Original Message -----
From: "Jimmy Stewpot"
To:
Sent: Tuesday, February 16, 2010 9:03 PM
Subject: [c-nsp] ASA5510 with SIP dropping intermittent

> Hello,
>
> I am currently running a Cisco ASA 5510 device running software version
> 8.0(3)6. The configuration is very simple, we have a group of voice
> servers behind the system talking to an upstream Voice service provider
> using SIP. Outbound calls work 100% of the time, however we have a policy
> in place which permits inbound connections. Most of the time it works,
> however in an apparently random fashion it drops incoming calls. There
> have been no changes to the device in months and it's only started to occur
> over the last week. I have been ripping my hair out trying to resolve this
> issue with little to no luck.
>
> When I check what is going on I see the following messages in the log.
>
> Feb 16 10:48:10 %ASA-6-106015: Deny TCP (no connection) from /57345
> to /5060 flags PSH ACK on interface Outside
>
> The configuration is as follows.
>
> Voice Server (192.168.1.20/24) -> ASA internal (192.168.1.254) || ASA
> External (Public Address) -> Internet.
>
> We have an inbound policy permitting any inbound SIP udp and tcp to the
> Public Address. We then have a one to one mapping
>
> static (inside,Outside) 192.168.1.20 netmask 255.255.255.255
>
> Everything seems fine, and I don't understand why it's dropping the
> connections on a very intermittent basis. It seems that it's probably
> something to do with the inspect. If we disable inspect it breaks all
> phone connections. I found the following bug reference number in the
> release notes for 8.2. CSCtb23281 but I don't have Cisco Logins which
> provide me with the bugs db any more...
>
> Any advice or assistance would be greatly appreciated.
>
> Regards,
>
> Jimmy Stewpot.
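Tony's suggestion above (chase the denied flow's source port back to the teardown that preceded it) is easy to automate once setups and teardowns are being sent to a syslog server. The script below is an added example written for this thread, not code from any of the posts; it uses the standard ASA message formats for 302014 (TCP connection teardown, which carries the close reason) and 106015 (Deny TCP, no connection), and the sample log lines are constructed with RFC 5737 documentation addresses because the addresses in Jimmy's excerpt were stripped. A 106015 whose flow was torn down moments earlier with reason "Connection timeout" is the idle-timer case Tony describes; a 106015 with no preceding teardown in the log means either the connection was never built through the ASA or teardowns are not being logged at that level.

```python
"""Correlate ASA 'Deny TCP (no connection)' events with the TCP teardown
that preceded them for the same source host/port.

Added example for the cisco-nsp thread; sample lines are constructed."""
import re
from datetime import datetime

# Syslog line as relayed by a syslog server: "Feb 22 06:34:38 host %ASA-L-NNNNNN: msg"
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)
# %ASA-6-106015: Deny TCP (no connection) from A/p to B/q flags ... on interface X
_DENY = re.compile(
    r"Deny TCP \(no connection\) from (?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dip>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+)"
)
# %ASA-6-302014: Teardown TCP connection N for ifc:A/p to ifc:B/q duration H:MM:SS bytes N <reason>
_TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for \S+?:(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to \S+?:(?P<dip>[\d.]+)/(?P<dport>\d+) duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def _verdict(reason):
    """Map the ASA close reason to what it means for a later stray segment."""
    if reason == "Connection timeout":
        return "idle-timeout"          # conn idle timer expired; peer still thought it was open
    if reason in ("TCP FINs", "TCP Reset-I", "TCP Reset-O"):
        return "closed-then-reused"    # flow was closed normally; later segments are late/stray
    return "other"


def correlate(lines, year=2010):
    """Return one finding per 106015 event, naming the last 302014 seen for the
    same (source ip, source port) before it and the gap in seconds."""
    last_teardown = {}                 # (src_ip, src_port) -> (time, reason, conn_id)
    findings = []
    for line in lines:
        m = _PREFIX.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["id"] == "302014":
            t = _TEARDOWN.match(m["msg"])
            if t:
                last_teardown[(t["sip"], t["sport"])] = (when, t["reason"].strip(), t["conn"])
        elif m["id"] == "106015":
            d = _DENY.match(m["msg"])
            if not d:
                continue
            finding = {
                "time": when.isoformat(sep=" "),
                "flow": f"{d['sip']}:{d['sport']} -> {d['dip']}:{d['dport']}",
                "flags": d["flags"],
                "interface": d["ifc"],
            }
            prior = last_teardown.get((d["sip"], d["sport"]))
            if prior is None:
                finding.update(reason=None, conn_id=None, gap_seconds=None,
                               verdict="no-teardown-logged")
            else:
                tw, reason, conn = prior
                finding.update(reason=reason, conn_id=conn,
                               gap_seconds=(when - tw).total_seconds(),
                               verdict=_verdict(reason))
            findings.append(finding)
    return findings


# Constructed sample: a SIP trunk connection idles out, then the provider sends
# a PSH/ACK on the same 4-tuple one second later (the pattern in the thread).
SAMPLE_LOG = """\
Feb 22 06:29:37 asa %ASA-6-302013: Built inbound TCP connection 123456 for Outside:203.0.113.5/59191 (203.0.113.5/59191) to inside:192.168.1.20/5060 (198.51.100.10/5060)
Feb 22 06:34:37 asa %ASA-6-302014: Teardown TCP connection 123456 for Outside:203.0.113.5/59191 to inside:192.168.1.20/5060 duration 0:05:00 bytes 4360 Connection timeout
Feb 22 06:34:38 asa %ASA-7-609001: Built local-host Outside:203.0.113.5
Feb 22 06:34:38 asa %ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/59191 to 198.51.100.10/5060 flags PSH ACK  on interface Outside
Feb 22 06:34:38 asa %ASA-7-609002: Teardown local-host Outside:203.0.113.5 duration 0:00:00
Feb 22 06:40:01 asa %ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/40222 to 198.51.100.10/5060 flags PSH ACK  on interface Outside
"""

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f)
```

The 609001/609002 pair around the deny (the "duration 0:00:00" local-host in Jimmy's excerpt) is a side effect of the stray segment, not the cause, so the correlator ignores it and keys only on the source host and port, as Tony suggested. Run it over a day of exported syslog and look at the distribution of `gap_seconds` for the "idle-timeout" findings: if they cluster just above the configured conn timeout, the SIP control channel is not being refreshed within that timer.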
From ardabalkanay at gmail.com Mon Feb 22 06:07:50 2010
From: ardabalkanay at gmail.com (Arda Balkanay)
Date: Mon, 22 Feb 2010 11:07:50 +0000
Subject: [c-nsp] Display nei as name in 'sh ip bgp sum'
In-Reply-To: <4B7F1838.60605@ibctech.ca>
References: <4B7F1838.60605@ibctech.ca>
Message-ID: <9af987421002220307y6db32eechdad5b9ca859be2fd@mail.gmail.com>

AFAIK it is not possible with the default show commands, but the first thing that comes to mind is using the embedded event manager for this. This may be possible by modifying the output of a show ip bgp summary command with eem scripts. Good examples are at: http://blog.ioshints.info/search/label/EEM

On Fri, Feb 19, 2010 at 11:01 PM, Steve Bertrand wrote:

> Is there a way to have a Cisco format the output of a "show ip bgp
> summary" to replace the neighbour IP with a name as opposed to the
> IP(v6) address of the neighbour?
>
> I haven't been able to find any docs in this regard.
>
> It's only one more step to "sh ip bgp nei xxxx", but I thought that if
> it was possible, viewing the name of the neighbour in the summary could
> save a step in many cases.
>
> Steve

From anthony.mcgarry at plannet21.ie Mon Feb 22 06:49:31 2010
From: anthony.mcgarry at plannet21.ie (Anthony McGarry)
Date: Mon, 22 Feb 2010 11:49:31 +0000
Subject: [c-nsp] BRAS Redundancy
Message-ID: <4B826F4B.8040003@plannet21.ie>

Hi,

I was hoping someone can help me with the following issue.

I currently have a 7301 acting as my BRAS running on 12.2(33)SRD3. I use the ISG feature to terminate PPPoE sessions on QinQ subinterfaces. The virtual templates associated with the bba groups use ip unnumbered loopback 0. The IP on loopback 0 is x.x.96.1/21.

DHCP is configured for client IP address assignment using DHCP pools as relay agents to a central DHCP server.

ip dhcp pool DHCP
 relay source x.x.96.0 255.255.248.0
 class DHCP
  relay target x.x.111.5

I would now like to install a second 7301 for load balancing/redundancy. I currently trunk the QinQ vlans to the existing 7301, so I just do the same for the second 7301. On the second 7301 I assign a new /21 network for DHCP assignment. This works fine for dynamic IP assignment.

My problem is that we have multiple customers with static IP address assignment from the DHCP server. How can I assign the same IP address to a certain client session if they log in to either BRAS, when each BRAS has a unique network associated with the loopback 0 interface?

I was thinking mobile IP, but I have not tested it in the lab and am not sure if it is a supported solution.

Anthony

From marco.regini at ascotlc.it Mon Feb 22 08:30:46 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Mon, 22 Feb 2010 14:30:46 +0100
Subject: [c-nsp] MVR and PIM
Message-ID:

Hi and thanks for the help with my previous post "multicast on transit LAN".
I read about Multicast Vlan Registration; the configuration seems very easy, but in my network there are some multicast sources and receivers that are not directly connected to the "mvr" apparatus. Have you any suggestions on how to deal with this situation?

To give a concrete example I have:

Source --- PIM_ROUTER --- MVR_SWITCH --- MVR_SWITCH --- Receiver

and also

Receiver --- PIM_ROUTER --- MVR_SWITCH --- MVR_SWITCH --- Source

Marco

From gert at greenie.muc.de Mon Feb 22 08:41:21 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 22 Feb 2010 14:41:21 +0100
Subject: [c-nsp] EoMPLS VC gettings stuck (Sup32, SXI2a)?
Message-ID: <20100222134121.GS9556@greenie.muc.de>

Hi,

"weird happenings" day... this started out as a query for a problem, now I found a workaround, and this is now "for the record"... (and in the hope that someone knows whether this is fixed in a recent IOS).

I have two 6500s happily EoMPLSing to each other (and to other routers in the network) without any issues so far. So we set up a new EoMPLS link, which worked fine for a few days.
Very basic config:

End A (Sup32-10G, SXI2a):

interface GigabitEthernet2/6
 no ip address
 xconnect 1.1.1.74 11240001 encapsulation mpls
end

End B (Sup720-3B, SXF13a):

interface GigabitEthernet3/8
 no ip address
 xconnect 1.1.1.67 11240001 encapsulation mpls
end

The VC is still up and well:

Cisco#sh mpls l2transport vc 11240001 det
Local interface: Gi2/6 up, line protocol up, Ethernet up
  Destination address: 1.1.1.74, VC ID: 11240001, VC status: up
    Output interface: Vl13, imposed label stack {154 83}
    Preferred path: not configured
    Default path: active
    Next hop: 1.2.3.66
  Create time: 00:09:26, last status change time: 00:09:22
  Signaling protocol: LDP, peer 1.1.1.74:0 up
    Targeted Hello: 1.1.1.67(LDP Id) -> 1.1.1.74
    MPLS VC labels: local 42, remote 83
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: SWM: XXX
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 69, send 0
    byte totals:   receive 37069, send 0
    packet drops:  receive 0, send 0

Here, the problem is already visible: the VC is not sending packets.

The gi2/6 port is connected to a fairly active network, so the port is receiving tons of broadcasts:

GigabitEthernet2/6 is up, line protocol is up (connected)
...
  5 minute input rate 6000 bits/sec, 8 packets/sec
...
     8412 packets input, 903398 bytes, 0 no buffer
     Received 8237 broadcasts (0 IP multicasts)

-> but "send 0", the packets don't go out via the VC.

The *other* direction actually works (verified with tcpdump on one of the systems on the network).

This is something that really baffles me - I can't see any way this could fail in a way that has the "vc up" but still not sending packets. I can find lots of ways that packets might get lost (blackholing in the network, MTU problems, etc. etc.) but all these would not be visible to the sending router - so it would still increment its "send" counters(!!), with the receiving router just not receiving the appropriate number of packets.
But "send 0" is "the packets are getting lost inside the box" weirdness.

So, to troubleshoot this, I tried:

- shut/no shut (no change)
- remove vc, change port to "switchport", change back, re-add vc (no change)
- change VC ID on both ends (no change)
- change the IGP topology to force a different path and different labels (no change)
- move the VC to a different port (gi2/4 -> gi2/6, and gi2/15) (no change)

I might be tempted to blame the card in question (6516A), but it has one other active EoMPLS on Gi2/1, which happily shoves packets back and forth just fine, and up until recently had a second one on Gi2/5...:

Cisco#sh mpls l2transport vc

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Gi2/1          Ethernet                   1.1.1.64        10010001   UP
Fa3/18         Ethernet                   1.1.1.71        11210001   UP
Fa3/19         Ethernet                   1.1.1.71        11210002   UP
Gi2/15         Ethernet                   1.1.1.74        11240001   UP
Gi2/5          Ethernet                   1.1.1.78        11300001   ADMIN DOWN

Mmmmh. Gi2/5 worked until a few days ago, and was temporarily moved to another box, and just configured to "shutdown", but not removed. Let's remove the config, just for the fun of it...

Cisco(config)#int g2/5
Cisco(config-if)#no xconnect 1.1.1.78 11300001 encapsulation mpls

... but what's that? Now my *other* VC starts forwarding traffic!
Cisco-M-XLI#sh mpls l2transport vc 11240001 det
Local interface: Gi2/15 up, line protocol up, Ethernet up
  Destination address: 1.1.1.74, VC ID: 11240001, VC status: up
    Output interface: Vl13, imposed label stack {154 83}
    Preferred path: not configured
    Default path: active
    Next hop: 1.2.3.66
  Create time: 00:09:51, last status change time: 00:09:49
  Signaling protocol: LDP, peer 1.1.1.74:0 up
    Targeted Hello: 1.1.1.67(LDP Id) -> 1.1.1.74
    MPLS VC labels: local 289, remote 83
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: SWM: XXX
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 76, send 1742
    byte totals:   receive 40571, send 188463
    packet drops:  receive 0, send 0

So it seems that having an EoMPLS configuration on a "shutdown" interface can block an unrelated EoMPLS VC on the same router, but on a different VC!

Now I don't actually need advice on the problem anymore, but would of course like to hear more about this - is this a known bug, is this just me again?

(I'm going to open a TAC case on this, but right now, Cisco is somehow unable to get new contracts registered, so this router has no active contract *sigh*).

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                   gert at greenie.muc.de
fax: +49-89-35655025                gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL:

From arla at rn.dk Mon Feb 22 09:18:25 2010
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Mon, 22 Feb 2010 15:18:25 +0100
Subject: [c-nsp] vs tacacs+ and Nexus5K
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156E27E775@SRVEXC02.aas.its.nja.dk>

Hi all.

Has anyone seen this before? I have a user under a tacacs server that uses the username 26rt. This user doesn't work; all other users work fine.
It seems that the box accepts the request but doesn't log in. If I change the username to g6rt or r26tg etc., then it works fine. It's the only user that I have that uses this "type" of name, so that's why I haven't seen it before.

The funny thing is, the username works on all our IOS boxes.

Is there a known bug on NX-OS ??

/Arne

From zivl at gilat.net Mon Feb 22 10:16:28 2010
From: zivl at gilat.net (Ziv Leyes)
Date: Mon, 22 Feb 2010 17:16:28 +0200
Subject: [c-nsp] vs tacacs+ and Nexus5K
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156E27E775@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156E27E775@SRVEXC02.aas.its.nja.dk>
Message-ID:

This reminds me of once I had to access a customer's router and they sent me a mail with the username. For this example let's use your username; his mail was something like this:

"You can log in with 26rt. The password is blahblah"

Then I tried several times to log in as 26rt and couldn't get in!!

Until I went over the customer's mail again one more time and then tried to log in with "26rt." (pay attention to the ending dot)

Guess what? That was the problem: his username actually contained a dot at the end, and I omitted it because we're always used to ignoring the dot at the end of the sentence...

I'm not sure this is your case, I just thought it may be useful...

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland
Sent: Monday, February 22, 2010 4:18 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vs tacacs+ and Nexus5K

Hi all.

Has anyone seen this before? I have a user under a tacacs server that uses the username 26rt. This user doesn't work; all other users work fine.

It seems that the box accepts the request but doesn't log in. If I change the username to g6rt or r26tg etc., then it works fine. It's the only user that I have that uses this "type" of name, so that's why I haven't seen it before.
The funny thing is, the username works on all our IOS boxes.

Is there a known bug on NX-OS ??

/Arne

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From arla at rn.dk Mon Feb 22 10:39:26 2010
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Mon, 22 Feb 2010 16:39:26 +0100
Subject: [c-nsp] vs tacacs+ and Nexus5K
In-Reply-To:
References: <8D68760F464FFD40A01BF2FB374E4A2802156E27E775@SRVEXC02.aas.its.nja.dk>
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156E27E778@SRVEXC02.aas.its.nja.dk>

Thanks for your answer, but I'm afraid that isn't it. The username is just 26rt; I've checked it several times, it doesn't make any sense.

/Arne

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: 22 February 2010 16:16
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] vs tacacs+ and Nexus5K

This reminds me of once I had to access a customer's router and they sent me a mail with the username. For this example let's use your username; his mail was something like this:

"You can log in with 26rt. The password is blahblah"

Then I tried several times to log in as 26rt and couldn't get in!!
Until I went over the customer's mail again one more time and then tried to log in with "26rt." (pay attention to the ending dot)

Guess what? That was the problem: his username actually contained a dot at the end, and I omitted it because we're always used to ignoring the dot at the end of the sentence...

I'm not sure this is your case, I just thought it may be useful...

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland
Sent: Monday, February 22, 2010 4:18 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vs tacacs+ and Nexus5K

Hi all.

Has anyone seen this before? I have a user under a tacacs server that uses the username 26rt. This user doesn't work; all other users work fine.

It seems that the box accepts the request but doesn't log in. If I change the username to g6rt or r26tg etc., then it works fine. It's the only user that I have that uses this "type" of name, so that's why I haven't seen it before.

The funny thing is, the username works on all our IOS boxes.

Is there a known bug on NX-OS ??

/Arne
From avayner at cisco.com Mon Feb 22 10:48:54 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 22 Feb 2010 16:48:54 +0100
Subject: [c-nsp] vs tacacs+ and Nexus5K
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156E27E775@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156E27E775@SRVEXC02.aas.its.nja.dk>
Message-ID:

Arne,

This is a restriction on Nexus with release 4. You cannot use usernames starting with digits (the same applies for hostnames).

This is documented in CSCta00308

This should be fixed in release 4.2.3

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland
Sent: Monday, February 22, 2010 16:18
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vs tacacs+ and Nexus5K

Hi all.

Has anyone seen this before? I have a user under a tacacs server that uses the username 26rt. This user doesn't work; all other users work fine.

It seems that the box accepts the request but doesn't log in. If I change the username to g6rt or r26tg etc., then it works fine. It's the only user that I have that uses this "type" of name, so that's why I haven't seen it before.

The funny thing is, the username works on all our IOS boxes.

Is there a known bug on NX-OS ??
/Arne

From david.freedman at uk.clara.net Mon Feb 22 11:55:52 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 22 Feb 2010 16:55:52 +0000
Subject: [c-nsp] EoMPLS VC gettings stuck (Sup32, SXI2a)?
In-Reply-To: <20100222134121.GS9556@greenie.muc.de>
References: <20100222134121.GS9556@greenie.muc.de>
Message-ID: <4B82B718.10708@uk.clara.net>

> so it seems that having an EoMPLS configuration on a "shutdown" interface
> can block an unrelated EoMPLS VC on the same router, but on a different VC!

could this be due to internal vlan consumption for the attachment circuit?

I've noted the ability of newly created internal vlans to block traffic and become "stuck" whilst new ones assigned around them work fine, of course, if your new stuck intvlan is on a port and you move this port, you can end up moving the stuck intvlan with it!

the last time I came across this it was with IP traffic and was down to a misprogrammed internal ACL being applied (remote command switch show tcam interface vlan XX acl in ip), could be related, just a thought...

Dave.
From jfitz at Princeton.EDU Mon Feb 22 12:00:32 2010
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Mon, 22 Feb 2010 12:00:32 -0500
Subject: [c-nsp] IPSec (ESP) and FWSM bug ?
Message-ID: <6E551C6B-11B9-4CC9-8AA8-766B135CE055@Princeton.EDU>

I have 6500 running SXI3 with FWSM running 4.0(6)

FWSM is running in Bridging MODE

The FWSM has 3 bridge groups which are composed of the following vlans...

ISP1 (I1)  router vlan 3553  FWSM vlan 4051
ISP2 (I1)  router vlan 4000  FWSM vlan 4050
ISP3 (I2)  router vlan 4001  FWSM vlan 4052

The vlans 4050-4052 connect to each of the ISPs.

The traffic originates from within our network and is destined to the I2 ISP. The router makes the correct lookup for the BEST PATH being out the vlan 4001 (I2). Vlans 3553, 4000, 4001 are basically the input streams to the FWSM.

The FWSM for some reason takes the input vlan 4001 traffic that contains IPSec traffic and passes it out the I1 vlan 4051.

The issue is only with IPSec traffic.

Has anybody seen this?

Thanks in advance.

Jeff Fitzwater
OIT Network Systems
Princeton University

From mtinka at globaltransit.net Mon Feb 22 12:09:14 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 23 Feb 2010 01:09:14 +0800
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100221232213.GA20762@wildfire.net.ic.ac.uk>
References: <20100221232213.GA20762@wildfire.net.ic.ac.uk>
Message-ID: <201002230109.19628.mtinka@globaltransit.net>

On Monday 22 February 2010 07:22:13 am Phil Mayers wrote:

> We use a pair of 3750s with ipv6 BGP (talking to a vpnv6
> peering on a 6500 in fact); image is:
>
> C3750-IPSERVICESK9-M, Version 12.2(52)SE

If only they had v6 support for IS-IS in this code for the switches. Pipeline, hope it's no pipe dream.

Cheers,

Mark.

From mtinka at globaltransit.net Mon Feb 22 12:11:17 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 23 Feb 2010 01:11:17 +0800
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <6069A203FD01884885C037F81DD750801748C4B718@wsc-mail-01.intra.nwresd.k12.or.us>
References: <50857E429F6A4704B6040EAF68EC11E5@flamdt01> <6069A203FD01884885C037F81DD750801748C4B718@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <201002230111.18082.mtinka@globaltransit.net>

On Monday 22 February 2010 09:19:01 am Bill Blackford wrote:

> I'm using EX3200's in this role (OSPF, BGP customer
> aggregation).

My only issue with the EX3200's is the last 4-port tax when you use a 4x 1Gbps uplink module. Otherwise, we've been happy with them - the code has been terrible for the past several releases, but it's gotten much better since (JUNOS 9.5R4.3).

I do like the fact that Juniper ship each unit with PoE support (at least 8 ports in the base models).

Cheers,

Mark.
From mtinka at globaltransit.net Mon Feb 22 11:38:51 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 23 Feb 2010 00:38:51 +0800
Subject: [c-nsp] availability
In-Reply-To: <20100220151617.GA26028@mx.ytti.net>
References: <20100220151617.GA26028@mx.ytti.net>
Message-ID: <201002230038.56483.mtinka@globaltransit.net>

On Saturday 20 February 2010 11:16:17 pm Saku Ytti wrote:

> I sometimes wonder if high network quality even pays off,
> at least our claimed SLA compensations are very low so
> it would be hard to justify any CAPEX increase to
> increase quality. Rather it would seem that network
> quality can be decreased if it means we can be more
> competitive or have higher margins.
> Spending money on brand, creating high perceived quality
> might be wiser than actually trying to increase quality,
> since actual quality is quite hard to measure.
> But of course it is much more fun and satisfying to
> create the best network you can. Too bad the majority of
> customers claim they want quality, but seem to choose the
> cheapest option from the market; perhaps even the worst
> product is good enough.

I agree - routing and switching platforms have become fairly advanced and generally reliable, to the point that some providers are able to offer dirt-cheap prices because they can land customers on so-called "Layer 3 switches" and do eBGP Multi-Hop upstream. Many ports, high-speed IP forwarding, cheap-cheap pricing, etc.

Other examples in this vein abound. The point is, platforms today can aggregate multiple functions. Collapsing a core and edge into a single chassis and landing 10Gbps in it (effectively offering you economies of scale at capacity) means bandwidth will be too cheap, so that customers will, instinctively, move toward having multiple cheap providers rather than fewer high-SLA ones.
We love to build the dream networks, but the fiscal realities of doing so today are just against us when some operators seem to get by on architectures that would have most of us cringing in our slumber.

Cheers,

Mark.

From mtinka at globaltransit.net Mon Feb 22 11:53:45 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 23 Feb 2010 00:53:45 +0800
Subject: [c-nsp] Question about routing table size on the route reflector
In-Reply-To:
References:
Message-ID: <201002230053.49500.mtinka@globaltransit.net>

On Saturday 20 February 2010 11:34:23 pm Burak Dikici wrote:

> I am trying to understand the requirements of the route
> reflector's routing table size. Here is the scenario ;
>
> - internet router is doing multihoming with three
> different ISPs. It is getting full internet routes from
> all of them.

Well, the number of peers your peering routers have is not relevant to the number of routes your route reflectors will see from this peering router. The route reflector will only "see" the best paths chosen by your peering router (for better or worse, but those are the rules).

So assuming today's full table of some 309,000 IPv4 entries, if your peering router has 3x 309,000 views, the route reflector will see only 1x 309,000 views from this peering router.

In this case, you likely need to be more worried about sizing your peering routers with the right memory complement (both software and hardware) so they don't overflow, than your route reflector... but I digress :-).

> - There are 25 PE routers in the topology.

How many routes are being announced by each, to the route reflector? L3VPN's are real routing slot hoggers.

> How can i define the requirement of route reflector's
> IPv4 and VPNv4 routing table size ? 1 million , 2
> million or whatelse ???
>
> Could you help me to understand the logic of this
> requirement? Kind Regards...

The reason I choose software-based routers as route reflectors, first, is because:

- If you run dedicated route reflectors, they aren't in the forwarding path.
- DRAM is cheaper than TCAM/SSRAM/RLDRAM, etc.

The only reason I'd consider using a hardware-based platform to handle route reflection is because that's all we have today. Cisco's ASR1004 and ASR1006 platforms, for instance, have a new RP (Route Processor), capable of 16GB DRAM. It's a bit of a waste as a dedicated route reflector, but what you're after is memory.

Then again, I know of a situation where a customer bought a certain vendor's router purely for route reflection because it was the only one that had 4GB of DRAM in the control plane at the time. I guess Quagga + Super Micro lost out there :-).

On the other hand, we're still very happy with the Cisco 7201 as a route reflector. With 2GB of DRAM and ~1.8GB available after loading IOS 12.2(33)SRC5, we can't really complain.

If you're sizing a route reflector, unless you suspect it'll be in the forwarding path, look at tons and tons of DRAM memory and great CPU performance.

aside: I have seen some platforms from vendors that claim to have installed a route in the forwarding engine (hardware-based platform), but actually didn't. Makes for interesting conditions :-).

Cheers,

Mark.

From jlewis at lewis.org Mon Feb 22 12:50:30 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 22 Feb 2010 12:50:30 -0500 (EST)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <4B81742F.3070808@tulsaconnect.com>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
Message-ID:

On Sun, 21 Feb 2010, TCIS List Acct wrote:

> We've got a boatload of 3550-EMI's (for colo/server aggregation duties) and
> are looking at replacing them in the next 12-24 months. The C3750G-24/48-E
> series seem to be a good upgrade path (all gig ports, layer3 routing, IPv6
> support, fairly easy to source on the used market) -- curious as to why you
> said they didn't look viable...

I haven't played with the 3750 line, but assuming it's similar in software to the 3560, the trouble with them (vs the 3550), particularly in a colo/server aggregation setup, is a serious lack of flexibility in per-port policing.

With the 3550, you can use input/output service-policy to police each port to arbitrary bandwidth. If you want to limit a customer to 2mbit/s in both directions, it's trivial to do.

With the newer switches, cisco no longer supports per-port egress policing. Instead, you have srr-queue bandwidth limit [10-90], which limits the egress port speed to 10-90% of physical speed. i.e. srr-queue bandwidth 10 on a 100mbit port results in 10mbit/s. That would be the lowest "policed" rate you can configure for egress. If you can live with that, then it's not so bad, because you can come up with the %'s for all the other rates you'd want to limit ports to.

Also, because the egress bandwidth limit is configured for the "whole port" you can't use service-policy and ACLs to police some traffic but not others, or police certain types of traffic to different rates on the same port.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From rsm at fast-serv.com Mon Feb 22 14:14:10 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Mon, 22 Feb 2010 14:14:10 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To:
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
Message-ID: <20100222191250.M38310@fast-serv.com>

We've always used in/out policing without any issues on physical interfaces on our 3750G's.

--
Randy

---------- Original Message -----------
From: Jon Lewis
To: TCIS List Acct
Cc: cisco-nsp
Sent: Mon, 22 Feb 2010 12:50:30 -0500 (EST)
Subject: Re: [c-nsp] what is it with 3550s?

> On Sun, 21 Feb 2010, TCIS List Acct wrote:
>
> > We've got a boatload of 3550-EMI's (for colo/server aggregation duties) and
> > are looking at replacing them in the next 12-24 months. The C3750G-24/48-E
> > series seem to be a good upgrade path (all gig ports, layer3 routing, IPv6
> > support, fairly easy to source on the used market) -- curious as to why you
> > said they didn't look viable...
>
> I haven't played with the 3750 line, but assuming it's similar in
> software to the 3560, the trouble with them (vs the 3550),
> particularly in a colo/server aggregation setup, is a serious lack
> of flexibility in per-port policing.
>
> With the 3550, you can use input/output service-policy to police
> each port to arbitrary bandwidth. If you want to limit a customer to
> 2mbit/s in both directions, it's trivial to do.
>
> With the newer switches, cisco no longer supports per-port egress
> policing. Instead, you have srr-queue bandwidth limit [10-90],
> which limits the egress port speed to 10-90% of physical speed.
> i.e.
> srr-queue bandwidth 10 on a 100mbit port results in 10mbit/s.
> That would be the lowest "policed" rate you can configure for
> egress. If you can live with that, then it's not so bad, because
> you can come up with the %'s for all the other rates you'd want to
> limit ports to.
>
> Also, because the egress bandwidth limit is configured for the
> "whole port" you can't use service-policy and ACLs to police some
> traffic but not others, or police certain types of traffic to
> different rates on the same port.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
------- End of Original Message -------

From jlewis at lewis.org Mon Feb 22 14:24:25 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 22 Feb 2010 14:24:25 -0500 (EST)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100222191250.M38310@fast-serv.com>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
	<20100222191250.M38310@fast-serv.com>
Message-ID:

On Mon, 22 Feb 2010, Randy McAnally wrote:

> We've always used in/out policing without any issues on physical interfaces on
> our 3750G's.

With what sorts of police rates and with what syntax (on egress)?
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From rsm at fast-serv.com Mon Feb 22 14:31:12 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Mon, 22 Feb 2010 14:31:12 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To:
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
	<20100222191250.M38310@fast-serv.com>
Message-ID: <20100222193008.M31488@fast-serv.com>

Example:

class-map match-any ip-any
 match access-group 1
!
policy-map 100Mbps
 class ip-any
  police 95000000 1000000 exceed-action drop
policy-map 15Mbps
 class ip-any
  police 14000000 1000000 exceed-action drop
policy-map 50Mbps
 class ip-any
  police 47000000 1000000 exceed-action drop
policy-map 70Mbps
 class ip-any
  police 65000000 1000000 exceed-action drop
policy-map 10Mbps
 class ip-any
  police 9000000 1000000 exceed-action drop
policy-map 20Mbps
 class ip-any
  police 19000000 1000000 exceed-action drop
policy-map 30Mbps
 class ip-any
  police 28500000 1000000 exceed-action drop
policy-map 30Mbps-small
 class ip-any
  police 25000000 8000 exceed-action drop
!
interface GigabitEthernet1/0/8
 switchport access vlan 24
 spanning-tree portfast
 service-policy input 10Mbps
!

And so forth...

--
Randy
www.FastServ.com

---------- Original Message -----------
From: Jon Lewis
To: Randy McAnally
Cc: cisco-nsp
Sent: Mon, 22 Feb 2010 14:24:25 -0500 (EST)
Subject: Re: [c-nsp] what is it with 3550s?

> On Mon, 22 Feb 2010, Randy McAnally wrote:
>
> > We've always used in/out policing without any issues on physical interfaces on
> > our 3750G's.
>
> With what sorts of police rates and with what syntax (on egress)?
> > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ ------- End of Original Message ------- From jlewis at lewis.org Mon Feb 22 14:39:05 2010 From: jlewis at lewis.org (Jon Lewis) Date: Mon, 22 Feb 2010 14:39:05 -0500 (EST) Subject: [c-nsp] what is it with 3550s? In-Reply-To: <20100222193008.M31488@fast-serv.com> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <4B81742F.3070808@tulsaconnect.com> <20100222191250.M38310@fast-serv.com> <20100222193008.M31488@fast-serv.com> Message-ID: On Mon, 22 Feb 2010, Randy McAnally wrote: > interface GigabitEthernet1/0/8 > switchport access vlan 24 > spanning-tree portfast > service-policy input 10Mbps > ! Right...but on the 3750, can you interface GigabitEthernet1/0/8 switchport access vlan 24 spanning-tree portfast service-policy input 10Mbps-in service-policy output 10Mbps-out On the 3550, you can do this. We use different policies (for in/out) because the supported class-map matching for ingress/egress are different. My understanding is, on the 3560 (and likely the 3750, as it's about the same as a 3560 with stacking) that output service-policy is not configurable. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From rsm at fast-serv.com Mon Feb 22 14:52:24 2010 From: rsm at fast-serv.com (Randy McAnally) Date: Mon, 22 Feb 2010 14:52:24 -0500 Subject: [c-nsp] what is it with 3550s? 
In-Reply-To:
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
	<20100222191250.M38310@fast-serv.com>
	<20100222193008.M31488@fast-serv.com>
Message-ID: <20100222195155.M57911@fast-serv.com>

Correct..input only:

Switch(config-if)#service-policy output 10Mbps
police command is not supported for this interface
Configuration failed!
Warning: Assigning a policy map to the output side of an interface not supported

--
Randy

---------- Original Message -----------
From: Jon Lewis
To: Randy McAnally
Cc: cisco-nsp
Sent: Mon, 22 Feb 2010 14:39:05 -0500 (EST)
Subject: Re: [c-nsp] what is it with 3550s?

> On Mon, 22 Feb 2010, Randy McAnally wrote:
>
> > interface GigabitEthernet1/0/8
> >  switchport access vlan 24
> >  spanning-tree portfast
> >  service-policy input 10Mbps
> > !
>
> Right...but on the 3750, can you
>
> interface GigabitEthernet1/0/8
>  switchport access vlan 24
>  spanning-tree portfast
>  service-policy input 10Mbps-in
>  service-policy output 10Mbps-out
>
> On the 3550, you can do this. We use different policies (for in/out)
> because the supported class-map matching for ingress/egress are different.
>
> My understanding is, on the 3560 (and likely the 3750, as it's about
> the same as a 3560 with stacking) that output service-policy is not configurable.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
------- End of Original Message -------

From avayner at cisco.com Mon Feb 22 14:52:26 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 22 Feb 2010 20:52:26 +0100
Subject: [c-nsp] BRAS Redundancy
In-Reply-To: <4B826F4B.8040003@plannet21.ie>
References: <4B826F4B.8040003@plannet21.ie>
Message-ID:

Anthony,

Usually for static IP assignments you would have to redistribute the connected/static (static for routes) prefixes into the routing protocol (I would recommend BGP) so that you advertise them as /32.

No magic...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony McGarry
Sent: Monday, February 22, 2010 13:50
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BRAS Redundancy

Hi,

I was hoping someone can help me with the following issue.

I currently have a 7301 acting as my BRAS running on 12.2(33)SRD3. I use the ISG feature to terminate PPPoE sessions on QinQ subinterfaces. The virtual templates associated with the bba groups use ip unnumbered loopback 0. The IP on loopback 0 is x.x.96.1/21

DHCP is configured for client IP address assignment using DHCP pools as relay agents to a central DHCP server.

ip dhcp pool DHCP
 relay source x.x.96.0 255.255.248.0
 class DHCP
  relay target x.x.111.5

I would now like to install a second 7301 for load balancing/redundancy. I currently trunk the QinQ vlans to the existing 7301 so I just do the same for the second 7301. On the second 7301 I assign a new /21 network for DHCP assignment. This works fine for dynamic IP assignment. My problem is that we have multiple customers with static IP address assignment from the DHCP server.
How can I assign the same IP address to a certain client session if they log in to either BRAS when each BRAS has a unique network associated with the loopback 0 interface. I was thinking mobile IP but I have not tested in the lab and not sure if it is a supported solution.

Anthony

From jlewis at lewis.org Mon Feb 22 15:07:17 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 22 Feb 2010 15:07:17 -0500 (EST)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100222195155.M57911@fast-serv.com>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
	<20100222191250.M38310@fast-serv.com>
	<20100222193008.M31488@fast-serv.com>
	<20100222195155.M57911@fast-serv.com>
Message-ID:

On Mon, 22 Feb 2010, Randy McAnally wrote:

> Correct..input only:
>
> Switch(config-if)#service-policy output 10Mbps
> police command is not supported for this interface
> Configuration failed!
> Warning: Assigning a policy map to the output side of an interface not supported

And that's the issue. Normally, progress means newer gear supports the features of older gear plus new features. In this case, egress policing took a large step backwards.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From sethm at rollernet.us Mon Feb 22 15:45:29 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 22 Feb 2010 12:45:29 -0800
Subject: [c-nsp] what is it with 3550s?
In-Reply-To:
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
	<20100222191250.M38310@fast-serv.com>
	<20100222193008.M31488@fast-serv.com>
	<20100222195155.M57911@fast-serv.com>
Message-ID: <4B82ECE9.5010902@rollernet.us>

On 2/22/10 12:07 PM, Jon Lewis wrote:
> On Mon, 22 Feb 2010, Randy McAnally wrote:
>
>> Correct..input only:
>>
>> Switch(config-if)#service-policy output 10Mbps
>> police command is not supported for this interface
>> Configuration failed!
>> Warning: Assigning a policy map to the output side of an interface not
>> supported
>
> And that's the issue. Normally, progress means newer gear supports the
> features of older gear plus new features. In this case, egress policing
> took a large step backwards.
>

Exactly. Correct me if I'm wrong, but as far as I know the only way to get that functionality back is a 6500, and that's a *huge* step.

~Seth

From jlewis at lewis.org Mon Feb 22 15:59:38 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 22 Feb 2010 15:59:38 -0500 (EST)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <4B82ECE9.5010902@rollernet.us>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
	<20100222191250.M38310@fast-serv.com>
	<20100222193008.M31488@fast-serv.com>
	<20100222195155.M57911@fast-serv.com>
	<4B82ECE9.5010902@rollernet.us>
Message-ID:

On Mon, 22 Feb 2010, Seth Mattinen wrote:

> Exactly. Correct me if I'm wrong, but as far as I know the only way to
> get that functionality back is a 6500, and that's a *huge* step.

Not just any 6500. If you want similar (to the 3550) ability to police at arbitrary rates via service-policy in both directions, you need a Sup720.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jeff-kell at utc.edu Mon Feb 22 16:11:24 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Mon, 22 Feb 2010 16:11:24 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <4B82ECE9.5010902@rollernet.us>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
	<20100222191250.M38310@fast-serv.com>
	<20100222193008.M31488@fast-serv.com>
	<20100222195155.M57911@fast-serv.com>
	<4B82ECE9.5010902@rollernet.us>
Message-ID: <4B82F2FC.80108@utc.edu>

On 2/22/2010 3:45 PM, Seth Mattinen wrote:
> Exactly. Correct me if I'm wrong, but as far as I know the only way to
> get that functionality back is a 6500, and that's a *huge* step.
>

Umm, 4500 Sup-IV appears to support input/output (or at least doesn't bitch at the configs in a quick test...).

Jeff

From tom at netspot.com.au Mon Feb 22 17:14:31 2010
From: tom at netspot.com.au (Tom Lanyon)
Date: Tue, 23 Feb 2010 08:44:31 +1030
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <4B82F2FC.80108@utc.edu>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
	<20100222191250.M38310@fast-serv.com>
	<20100222193008.M31488@fast-serv.com>
	<20100222195155.M57911@fast-serv.com>
	<4B82ECE9.5010902@rollernet.us>
	<4B82F2FC.80108@utc.edu>
Message-ID: <78F6E4DB-992A-4F8D-B569-368273103915@netspot.com.au>

On 23/02/2010, at 7:41 AM, Jeff Kell wrote:

> On 2/22/2010 3:45 PM, Seth Mattinen wrote:
>> Exactly. Correct me if I'm wrong, but as far as I know the only way to
>> get that functionality back is a 6500, and that's a *huge* step.
>>
>
> Umm, 4500 Sup-IV appears to support input/output (or at least doesn't
> bitch at the configs in a quick test...).

Does that mean a 4948/4900M could possibly support it too?

Tom

From vvasilev at vvasilev.net Mon Feb 22 17:40:49 2010
From: vvasilev at vvasilev.net (Vladislav Vasilev)
Date: Mon, 22 Feb 2010 22:40:49 +0000
Subject: [c-nsp] ip igmp join-group x.x.x.x
Message-ID: <353e59af1002221440k5ae75879k9ba8ab89197e06bb@mail.gmail.com>

Hello all,

I thought that applying "ip igmp join-group 239.1.1.1" makes the interface under which it is executed a member of 239.1.1.1 for as long as the command is there. The problem is that the switch (in this case ME3400) never sends another IGMP report and the multicast stream gets pruned. I guess it is a bug?

Regards,
V.Vasilev

From gk at ax.tc Mon Feb 22 17:49:35 2010
From: gk at ax.tc (Gerald Krause)
Date: Mon, 22 Feb 2010 23:49:35 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall (Half Duplex VRF / HDVRF)
In-Reply-To: <4B7E5655.2000506@ax.tc>
References: <4B579590.6050506@ax.tc>
	<6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>
	<4B582133.5030002@ax.tc>
	<4B7E0EF3.4060604@ax.tc>
	<4B7E24E8.1070008@ax.tc>
	<6E4D2678AC543844917CA081C9D6B33F013EB5C6@XMB-AMS-103.cisco.com>
	<4B7E4579.8080802@ax.tc>
	<6E4D2678AC543844917CA081C9D6B33F013EB62B@XMB-AMS-103.cisco.com>
	<4B7E5655.2000506@ax.tc>
Message-ID: <4B8309FF.4000102@ax.tc>

On 19.02.2010 10:13, Gerald Krause wrote:
> I hope the rest of my Half Duplex VRF will work now as this initial
> problem seems to be solved.

I'm still unable to separate the branches (LANs) on the LNS/PE. I would expect that any certain LAN1 from CPE1 isn't allowed to access a LAN2 behind a CPE2 directly through the LNS/PE, but this isn't the case.

Maybe I have a wrong understanding of how I should configure the two Down/UP-VRFs correctly and/or how the export/import works in such a case. Any suggestions would be appreciated.
-----------------------------------------------------------------
Network:   10.98.1.0/24        10.98.2.0/24
               /                   /
              /                   /
            LAN1                LAN2
             |                   |
            CPE1                CPE2
             :                   :
             :                   :
          Vi2.123             Vi2.121
            +----------+
            |  LNS/PE  |
            +----------+
             |        |
             |        |
            ...to the core
-----------------------------------------------------------------
Test from CPE1: (10.98.2.0/24 is LAN2 behind CPE2)

cpe1-vrftest#ping ip 10.98.2.1 source ethernet 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.98.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.98.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 148/153/160 ms
cpe1-vrftest#
-----------------------------------------------------------------
LNS/PE Config:
!
ip vrf VRFTEST-DOWN
 rd 102:0
 route-target export 102:2
!
ip vrf VRFTEST-UP
 rd 101:0
 route-target import 101:0
!
!
interface Loopback102
 description VRFTEST
 ip vrf forwarding VRFTEST-UP
 ip address 10.99.17.254 255.255.255.255
!
-----------------------------------------------------------------
RADIUS:
Cisco-AVPair += ip:vrf-id=VRFTEST-UP downstream VRFTEST-DOWN
Cisco-AVPair += ip:ip-unnumbered=Loopback102
-----------------------------------------------------------------
LNS#sh user wi | inc vrftest
  Vi2.121      cpe2-vrftest
  Vi2.123      cpe1-vrftest
-----------------------------------------------------------------
LNS#sh vrf det
VRF VRFTEST-DOWN (VRF Id = 6); default RD 102:0; default VPNID
  Interfaces:
    Vi2.121 [D]              Vi2.123 [D]
Address family ipv4 (Table ID = 6 (0x6)):
  Export VPN route-target communities
    RT:102:2
  No Import VPN route-target communities
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 not active.
VRF VRFTEST-UP (VRF Id = 7); default RD 101:0; default VPNID
  Interfaces:
    Lo102                    Vi2.121                  Vi2.123
Address family ipv4 (Table ID = 7 (0x7)):
  No Export VPN route-target communities
  Import VPN route-target communities
    RT:101:0
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 not active.
-----------------------------------------------------------------
LNS#sh ip cef vrf VRFTEST-DOWN
Prefix               Next Hop             Interface
0.0.0.0/0            no route
0.0.0.0/8            drop
0.0.0.0/32           receive
10.98.1.0/24         10.99.17.1           Virtual-Access2.123
10.98.2.0/24         10.99.17.2           Virtual-Access2.121
10.99.17.1/32        attached             Virtual-Access2.123
10.99.17.2/32        attached             Virtual-Access2.121
127.0.0.0/8          drop
224.0.0.0/4          drop
224.0.0.0/24         receive
240.0.0.0/4          drop
255.255.255.255/32   receive

LNS#sh ip cef vrf VRFTEST-UP
Prefix               Next Hop             Interface
0.0.0.0/0            no route
0.0.0.0/8            drop
0.0.0.0/32           receive
10.99.17.254/32      receive              Loopback102
127.0.0.0/8          drop
224.0.0.0/4          drop
224.0.0.0/24         receive
240.0.0.0/4          drop
255.255.255.255/32   receive

--
Gerald

From sethm at rollernet.us Mon Feb 22 17:50:02 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 22 Feb 2010 14:50:02 -0800
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <78F6E4DB-992A-4F8D-B569-368273103915@netspot.com.au>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net>
	<2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local>
	<4B81742F.3070808@tulsaconnect.com>
	<20100222191250.M38310@fast-serv.com>
	<20100222193008.M31488@fast-serv.com>
	<20100222195155.M57911@fast-serv.com>
	<4B82ECE9.5010902@rollernet.us>
	<4B82F2FC.80108@utc.edu>
	<78F6E4DB-992A-4F8D-B569-368273103915@netspot.com.au>
Message-ID: <4B830A1A.8050800@rollernet.us>

On 2/22/10 2:14 PM, Tom Lanyon wrote:
> On 23/02/2010, at 7:41 AM, Jeff Kell wrote:
>
>> On 2/22/2010 3:45 PM, Seth Mattinen wrote:
>>> Exactly.
>>> Correct me if I'm wrong, but as far as I know the only way to
>>> get that functionality back is a 6500, and that's a *huge* step.
>>>
>>
>> Umm, 4500 Sup-IV appears to support input/output (or at least doesn't
>> bitch at the configs in a quick test...).
>
>
> Does that mean a 4948/4900M could possibly support it too?
>

I believe the 4900M is a Sup6 equivalent. I know it supports IPv6 in hardware whereas the 4948 does not.

~Seth

From shaharurrizal at gmail.com Mon Feb 22 18:31:07 2010
From: shaharurrizal at gmail.com (coredump)
Date: Mon, 22 Feb 2010 15:31:07 -0800 (PST)
Subject: [c-nsp] BRAS Redundancy
In-Reply-To: <4B826F4B.8040003@plannet21.ie>
References: <4B826F4B.8040003@plannet21.ie>
Message-ID: <6ae95a02-b582-4c42-9857-17ed1199478a@s36g2000prf.googlegroups.com>

You can try to use the PADO Delay attributes, but that feature IMHO is only available in the 12.2(33)SB terrain on Cisco 10k routers.

http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_pppoe_sss.html

/Rizal

From paul at paulstewart.org Mon Feb 22 19:56:44 2010
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 22 Feb 2010 19:56:44 -0500
Subject: [c-nsp] 6500 SVI Question
Message-ID: <011b01cab423$11552c10$33ff8430$@org>

Hi there...

Typically when we require higher bandwidth, we upgrade the interface to something larger ... recently though we were faced with having to do 2XGE on a LAG until our new 10GE ports arrive. The SVI interface shows a bandwidth of 1 Gig even though there are two physical GigE interfaces "connected" to it.... will there be any issues doing more than a Gig on this SVI interface? This is the first time amazingly that I've run across this ;)

The card where the two GigE's come into is a 6148A-GE-TX and the ports are at opposite ends of the physical card...

Thanks, appreciate it as always...
Paul

From tstevens at cisco.com Mon Feb 22 20:11:53 2010
From: tstevens at cisco.com (Tim Stevenson)
Date: Mon, 22 Feb 2010 17:11:53 -0800
Subject: [c-nsp] 6500 SVI Question
In-Reply-To: <011b01cab423$11552c10$33ff8430$@org>
References: <011b01cab423$11552c10$33ff8430$@org>
Message-ID: <201002230111.o1N1BxSk000417@sj-core-3.cisco.com>

Hi Paul,

The bandwidth does not affect the throughput etc and doesn't take into account the underlying L2 interfaces' bandwidth. It's strictly for use by the routing protocols to determine metrics (and can be modified using the "bandwidth" interface command). Also you can change the reference b/w using "ospf auto-cost reference-bandwidth" under the "router ospf" process.

Hope that helps,
Tim

At 04:56 PM 2/22/2010, Paul Stewart mumbled:
>Hi there...
>
>Typically when we require higher bandwidth, we upgrade the interface to
>something larger ... recently though we were faced with having to do 2XGE on
>a LAG until our new 10GE ports arrive. The SVI interface shows a bandwidth
>of 1 Gig even though there are two physical GigE interfaces "connected" to
>it.... will there be any issues doing more than a Gig on this SVI interface?
>This is the first time amazingly that I've run across this ;)
>
>The card where the two GigE's come into is a 6148A-GE-TX and the ports are
>at opposite ends of the physical card...
>
>Thanks, appreciate it as always...
>
>Paul

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
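Tim's point that the SVI's bandwidth value feeds only the routing metric, not forwarding, can be made concrete with a short calculation. What follows is an added example for this thread, not code from the list or from Cisco: it applies the IOS OSPF auto-cost rule (reference bandwidth divided by interface bandwidth, truncated to an integer and clamped to the 1..65535 range of the cost field) to Paul's 2x GE LAG, first under the IOS default reference bandwidth of 100 Mbps and then under "auto-cost reference-bandwidth 10000", and renders the "bandwidth" interface command in the kbps unit IOS expects. The SVI name Vlan100 and the 10GE uplink used for comparison are assumptions for illustration.

```python
"""OSPF interface cost for an SVI over a LAG, before and after fixing its bandwidth.

Added example for the 6500 SVI bandwidth thread; not code from the thread or from
Cisco. The SVI name, the 10GE comparison link and the 2x GE member count are
illustrative assumptions. The formula is the IOS OSPF auto-cost rule: reference
bandwidth divided by interface bandwidth, truncated to an integer and clamped to
the 1..65535 range of the 16-bit cost field.
"""
from typing import Dict, List

OSPF_DEFAULT_REF_MBPS = 100   # IOS default: "auto-cost reference-bandwidth 100"
OSPF_MAX_COST = 65535         # 16-bit interface cost field


def ospf_cost(bandwidth_kbps: int, ref_mbps: int = OSPF_DEFAULT_REF_MBPS) -> int:
    """Cost IOS derives from an interface's 'bandwidth' (kbps) and the
    OSPF process reference bandwidth (Mbps)."""
    if bandwidth_kbps <= 0 or ref_mbps <= 0:
        raise ValueError("bandwidth and reference bandwidth must be positive")
    cost = (ref_mbps * 1000) // bandwidth_kbps      # both sides in kbps
    return max(1, min(OSPF_MAX_COST, cost))


def svi_bandwidth_kbps(members: int, member_mbps: int) -> int:
    """Aggregate capacity of a LAG, in the kbps unit the IOS 'bandwidth'
    interface command takes (2 x 1GE -> 2000000)."""
    if members <= 0 or member_mbps <= 0:
        raise ValueError("members and member speed must be positive")
    return members * member_mbps * 1000


def render_bandwidth_fix(svi: str, members: int, member_mbps: int) -> List[str]:
    """IOS config lines that make the SVI's advertised bandwidth match the LAG.
    Throughput is unaffected either way; only the routing metric changes."""
    return [f"interface {svi}", f" bandwidth {svi_bandwidth_kbps(members, member_mbps)}"]


def cost_table(ref_mbps: int) -> Dict[str, int]:
    """OSPF costs for the scenario's links under one reference bandwidth."""
    links = {
        "svi_reported_1ge": 1_000_000,                    # what the SVI showed before the fix
        "svi_corrected_2ge_lag": svi_bandwidth_kbps(2, 1000),
        "tengig_uplink_assumed": 10_000_000,              # assumed comparison link
    }
    return {name: ospf_cost(kbps, ref_mbps) for name, kbps in links.items()}


if __name__ == "__main__":
    # With the default reference bandwidth every link at or above 100 Mbps
    # collapses to cost 1; raising it to 10000 (10 Gbps) restores the ordering.
    for ref in (OSPF_DEFAULT_REF_MBPS, 10_000):
        print(f"auto-cost reference-bandwidth {ref}: {cost_table(ref)}")
    print("\n".join(render_bandwidth_fix("Vlan100", 2, 1000)))
```

Under the default reference bandwidth the 1 GE, 2 GE and 10 GE entries all come out at cost 1, so correcting the SVI's bandwidth changes nothing until the reference bandwidth is raised as well; with "auto-cost reference-bandwidth 10000" the same three links cost 10, 5 and 1, which is the metric ordering one would want between a single GE, the 2x GE LAG and a 10 GE uplink. The reference bandwidth has to be changed on every router in the area for costs to stay comparable.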
From paul at paulstewart.org Mon Feb 22 20:30:50 2010
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 22 Feb 2010 20:30:50 -0500
Subject: [c-nsp] 6500 SVI Question
In-Reply-To: <201002230111.o1N1BxSk000417@sj-core-3.cisco.com>
References: <011b01cab423$11552c10$33ff8430$@org>
	<201002230111.o1N1BxSk000417@sj-core-3.cisco.com>
Message-ID: <012301cab427$d4e397d0$7eaac770$@org>

Thanks Tim.... whew! ;)

Actually, I was misreading the bandwidth statement itself - missed a zero earlier so thought you could only set it to 1 Gig, now I realized you can set it up to 10GE. Updated it to 2Gig and everything good now..

Much appreciated,

Paul

-----Original Message-----
From: Tim Stevenson [mailto:tstevens at cisco.com]
Sent: February-22-10 8:12 PM
To: Paul Stewart; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 SVI Question

Hi Paul,

The bandwidth does not affect the throughput etc and doesn't take into account the underlying L2 interfaces' bandwidth. It's strictly for use by the routing protocols to determine metrics (and can be modified using the "bandwidth" interface command). Also you can change the reference b/w using "ospf auto-cost reference-bandwidth" under the "router ospf" process.

Hope that helps,
Tim

At 04:56 PM 2/22/2010, Paul Stewart mumbled:
>Hi there...
>
>Typically when we require higher bandwidth, we upgrade the interface to
>something larger ... recently though we were faced with having to do 2XGE on
>a LAG until our new 10GE ports arrive. The SVI interface shows a bandwidth
>of 1 Gig even though there are two physical GigE interfaces "connected" to
>it.... will there be any issues doing more than a Gig on this SVI interface?
>This is the first time amazingly that I've run across this ;)
>
>The card where the two GigE's come into is a 6148A-GE-TX and the ports are
>at opposite ends of the physical card...
>
>Thanks, appreciate it as always...
> > > >Paul Tim Stevenson, tstevens at cisco.com Routing & Switching CCIE #5561 Technical Marketing Engineer, Cisco Nexus 7000 Cisco - http://www.cisco.com IP Phone: 408-526-6759

From oboehmer at cisco.com Tue Feb 23 03:02:31 2010 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 23 Feb 2010 09:02:31 +0100 Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall (Half Duplex VRF / HDVRF) In-Reply-To: <4B8309FF.4000102@ax.tc> References: <4B579590.6050506@ax.tc> <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com> <4B582133.5030002@ax.tc><4B7E0EF3.4060604@ax.tc><4B7E24E8.1070008@ax.tc><6E4D2678AC543844917CA081C9D6B33F013EB5C6@XMB-AMS-103.cisco.com><4B7E4579.8080802@ax.tc><6E4D2678AC543844917CA081C9D6B33F013EB62B@XMB-AMS-103.cisco.com><4B7E5655.2000506@ax.tc> <4B8309FF.4000102@ax.tc> Message-ID: <6E4D2678AC543844917CA081C9D6B33F01459BF7@XMB-AMS-103.cisco.com> > > On 19.02.2010 10:13, Gerald Krause wrote: > > I hope the rest of my Half Duplex VRF will work now as this initial > > problem seems to be solved. > > I'm still unable to separate the branches (LANs) on the LNS/PE. I would > expect that any certain LAN1 from CPE1 isn't allowed to access a LAN2 > behind a CPE2 directly through the LNS/PE, but this isn't the case. > > Maybe I have a wrong understanding of how I should configure the two > Down/UP-VRFs correctly and/or how the export/import works in such a > case. Any suggestions would be appreciated. Interesting.. Your config looks ok.
I don't have a lab setup ready, but can you inject a (bogus or valid) default from a remote PE into the "VRFTEST-UP" so you actually provide any routing for the branches? i.e.

hostname hub-PE
!
ip vrf VRFTEST-HUB
rd x:y
route-target export 101:0
route-target import 102:2
!
int lo123
ip vrf forwarding VRFTEST-HUB
ip address 1.1.1.1 255.255.255.255
!
router bgp ..
address-family ipv4 vrf VRFTEST-HUB
default-information originate
redistribute static
redistribute connected
!
ip route vrf 0.0.0.0 0.0.0.0 Null0

oli

From sven at darkman.de Tue Feb 23 03:26:58 2010 From: sven at darkman.de (Sven 'Darkman' Michels) Date: Tue, 23 Feb 2010 09:26:58 +0100 Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea? In-Reply-To: <8e157ab41001310205n600a64bbs7db9deb57d3998a8@mail.gmail.com> References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com> <4B5EE8C6.40106@darkman.de> <8e157ab41001310205n600a64bbs7db9deb57d3998a8@mail.gmail.com> Message-ID: <4B839152.9070802@darkman.de> Hi, sorry for coming back to this topic and "old" email, but this one seems to be the problem. When I disable ip verify unicast, the problem vanishes :( The 6500 is actually running on SXF, but not the latest: I'm running SXF15a on it. I know that SXF16 is already there, but when I last checked Cisco, it states when trying to download 16 that there is a more recent version available which fixes $things - but I didn't find anything newer than 16 for download...?! Two remaining questions for me: is there an "easy" way to get something similar to verify unicast rx for the pvlan? I guess it won't change the ip networks often, so some accesslist or so would work, too (but I would only use it if it doesn't impact the 6500 much, so a software accesslist would not be what I want...)
second: I'm running SXF due to the possibility of fast failover to another sup. The other two images do not provide the fast failover feature, but I read on the list that you can do a "manual" failover for upgrades etc. with only a short (say 60-90 sec) downtime, which would, for me, be okay... anything else I'm missing? Could another image fix the ip unicast verify problem? Thanks again for all suggestions + time you spent with me, helped a lot :) Regards, Sven Matt Buford wrote: > On Tue, Jan 26, 2010 at 7:06 AM, Sven 'Darkman' Michels > wrote: > > Now the problem: ping from 6509: > > c6509#ping ip xx.xx.xx.13 repeat 5 > > Type escape sequence to abort. > Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds: > ..!.! > > > Your basic PVLAN configuration looks good. Try disabling ARP > inspection, DHCP snooping, and ip verify unicast. Enabling extra > features often breaks things, so I think it is best for you to test with > the simplest config. If that doesn't do it, try upgrading code to at > least SXF. You could also perhaps try pinging from a host behind the > 6500 instead of pinging from the 6500 management interface itself > (though you SHOULD be able to ping from the router, and I can on my PVLANs).
From anthony.mcgarry at plannet21.ie Tue Feb 23 05:38:30 2010 From: anthony.mcgarry at plannet21.ie (Anthony McGarry) Date: Tue, 23 Feb 2010 10:38:30 +0000 Subject: [c-nsp] BRAS Redundancy In-Reply-To: <6ae95a02-b582-4c42-9857-17ed1199478a@s36g2000prf.googlegroups.com> References: <4B826F4B.8040003@plannet21.ie> <6ae95a02-b582-4c42-9857-17ed1199478a@s36g2000prf.googlegroups.com> Message-ID: <4B83B026.9040700@plannet21.ie> Thanks for the input, but I'm not too worried about which BRAS the client logs into; the one that responds first would be fine. What I really need to know is how to assign static IPs to clients if they log into either BRAS when both BRASs have a different network range on their loopbacks. Although this feature would give more granularity, maybe Cisco will add this feature to the 7300 in a later release. Anthony coredump wrote: > You can try using PADO Delay attributes, but that feature IMHO is only > available in the 12.2(33)SB train on Cisco 10k routers.
> http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_pppoe_sss.html > > > /Rizal >

From gk at ax.tc Tue Feb 23 05:40:49 2010 From: gk at ax.tc (Gerald Krause) Date: Tue, 23 Feb 2010 11:40:49 +0100 Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall (Half Duplex VRF / HDVRF) In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F01459BF7@XMB-AMS-103.cisco.com> References: <4B579590.6050506@ax.tc> <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com> <4B582133.5030002@ax.tc><4B7E0EF3.4060604@ax.tc><4B7E24E8.1070008@ax.tc><6E4D2678AC543844917CA081C9D6B33F013EB5C6@XMB-AMS-103.cisco.com><4B7E4579.8080802@ax.tc><6E4D2678AC543844917CA081C9D6B33F013EB62B@XMB-AMS-103.cisco.com><4B7E5655.2000506@ax.tc> <4B8309FF.4000102@ax.tc> <6E4D2678AC543844917CA081C9D6B33F01459BF7@XMB-AMS-103.cisco.com> Message-ID: <4B83B0B1.50103@ax.tc> On 23.02.2010 09:02, Oliver Boehmer (oboehmer) wrote: > >> On 19.02.2010 10:13, Gerald Krause wrote: >>> I hope the rest of my Half Duplex VRF will work now as this initial >>> problem seems to be solved. >> I'm still unable to separate the branches (LANs) on the LNS/PE. I > would >> expect that any certain LAN1 from CPE1 isn't allowed to access a LAN2 >> behind a CPE2 directly through the LNS/PE, but this isn't the case. >> >> Maybe I have a wrong understanding of how I should configure the two >> Down/UP-VRFs correctly and/or how the export/import works in such a >> case. Any suggestions would be appreciated. > > Interesting.. Your config looks ok. I don't have a lab setup ready, but > can you inject a (bogus or valid) default from a remote PE into the > "VRFTEST-UP" so you actually provide any routing for the branches? > > i.e. > > hostname hub-PE > !
> ip vrf VRFTEST-HUB
> rd x:y
> route-target export 101:0
> route-target import 102:2
> !
> int lo123
> ip vrf forwarding VRFTEST-HUB
> ip address 1.1.1.1 255.255.255.255
> !
> router bgp ..
> address-family ipv4 vrf VRFTEST-HUB
> default-information originate
> redistribute static
> redistribute connected
> !
> ip route vrf 0.0.0.0 0.0.0.0 Null0

Hello Oli, thx for your support again. I have configured the HUB/PE as suggested:

!
interface Loopback102
ip vrf forwarding VRFTEST-HUB
ip address 10.99.17.253 255.255.255.255
!
ip route vrf VRFTEST-HUB 0.0.0.0 0.0.0.0 Null0
!

The export/import looks good:

LNS#sh ip route vrf VRFTEST-DOWN
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
U 10.98.1.0/24 [1/0] via 10.99.17.1
U 10.98.2.0/24 [1/0] via 10.99.17.2
C 10.99.17.1/32 is directly connected, Virtual-Access2.123
C 10.99.17.2/32 is directly connected, Virtual-Access2.121

LNS#sh ip route vrf VRFTEST-UP
B* 0.0.0.0/0 [200/0] via x.x.x.x 00:10:25
10.0.0.0/32 is subnetted, 2 subnets
B 10.99.17.253 [200/0] via x.x.x.x, 00:10:25
C 10.99.17.254 is directly connected, Loopback102

HUB#sh ip route vrf VRFTEST-HUB
S* 0.0.0.0/0 is directly connected, Null0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B 10.98.1.0/24 [200/0] via 212.79.49.200, 00:13:07
B 10.98.2.0/24 [200/0] via 212.79.49.200, 00:13:07
C 10.99.17.253/32 is directly connected, Loopback102

I see that a traceroute from CPE1 to CPE2 now takes the path over the HUB and then back to the LNS, as expected:

cpe1-vrftest#traceroute
Target IP address: 10.98.2.1
Source address: 10.98.1.1
Tracing the route to 10.98.2.1
1 10.99.17.254 72 msec 60 msec 64 msec (Loopback102 LNS)
2 10.99.17.253 68 msec 64 msec 64 msec (Loopback102 HUB)
3 10.99.17.254 72 msec 72 msec 64 msec (Loopback102 LNS)
4 10.99.17.2 152 msec * 148 msec (CPE2)
cpe1-vrftest#

When I remove the def-route on the HUB, I'm still able to reach CPE2 from CPE1 directly over the LNS:

cpe1-vrftest#traceroute
Target IP address: 10.98.2.1
Source address: 10.98.1.1
Tracing the route to 10.98.2.1
1 10.99.17.254 68 msec 60 msec 64 msec (Loopback102 LNS)
2 10.99.17.2 152 msec * 148 msec (CPE2)

So I *can* re-direct the traffic from CPE to CPE through the HUB, but in the case the HUB fails, the CPEs are directly connected again through the LNS/SPOKE PE. Is that the expected behaviour? Or is there still something I'm missing (RPF is enabled on the Vi's)? -- Gerald

From jon at host-it.co.uk Tue Feb 23 05:28:13 2010 From: jon at host-it.co.uk (Jon Duggan) Date: Tue, 23 Feb 2010 10:28:13 +0000 Subject: [c-nsp] what is it with 3550s? In-Reply-To: References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <4B81742F.3070808@tulsaconnect.com> <20100222191250.M38310@fast-serv.com> <20100222193008.M31488@fast-serv.com> <20100222195155.M57911@fast-serv.com> <4B82ECE9.5010902@rollernet.us> Message-ID: Correct me if I'm wrong, but I believe you can achieve this with the sup32 also (I think you need pfc3, which the sup32 has), which is much cheaper than the 720. Jon > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jon Lewis > Sent: 22 February 2010 21:00 > To: Seth Mattinen > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] what is it with 3550s? > > On Mon, 22 Feb 2010, Seth Mattinen wrote: > > > Exactly. Correct me if I'm wrong, but as far as I know the only way > to > > get that functionality back is a 6500, and that's a *huge* step. > > Not just any 6500. If you want similar (to the 3550) ability to police > at > arbitrary rates via service-policy in both directions, you need a > Sup720.
> > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From achatz at forthnet.gr Tue Feb 23 06:05:41 2010 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Tue, 23 Feb 2010 13:05:41 +0200 Subject: [c-nsp] BRAS Redundancy In-Reply-To: <4B83B026.9040700@plannet21.ie> References: <4B826F4B.8040003@plannet21.ie> <6ae95a02-b582-4c42-9857-17ed1199478a@s36g2000prf.googlegroups.com> <4B83B026.9040700@plannet21.ie> Message-ID: <4B83B685.1010707@forthnet.gr> I'm using LAM (Local Area Mobility) for a similar scenario. You may want to have a look at it. It's pretty damn simple to set up (just 3 commands). -- Tassos Anthony McGarry wrote on 23/02/2010 12:38: > Thanks for the input, but I'm not too worried about which BRAS the > client logs into; the one that responds first would be fine. > What I really need to know is how to assign static IPs to clients if > they log into either BRAS when both BRASs have a different network > range on their loopbacks. > Although this feature would give more granularity, maybe Cisco will > add this feature to the 7300 in a later release. > > Anthony > > coredump wrote: >> You can try using PADO Delay attributes, but that feature IMHO is only >> available in the 12.2(33)SB train on Cisco 10k routers.
>> http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_pppoe_sss.html >> >> >> >> /Rizal >>

From anthony.mcgarry at plannet21.ie Tue Feb 23 06:06:46 2010 From: anthony.mcgarry at plannet21.ie (Anthony McGarry) Date: Tue, 23 Feb 2010 11:06:46 +0000 Subject: [c-nsp] BRAS Redundancy In-Reply-To: References: <4B826F4B.8040003@plannet21.ie> Message-ID: <4B83B6C6.4080705@plannet21.ie> Arie, Seems straightforward. Would there be an issue with the default gateway assignment from the DHCP server?

BRAS-A Loopback 0 x.x.96.1/21
BRAS-A DHCP scope x.x.96.20 - x.x.103.254 options router x.x.96.1
BRAS-B Loopback 0 x.x.104.1/21
BRAS-B DHCP scope x.x.104.20 - x.x.111.254 options router x.x.104.1

So if a client logs into BRAS-A and is assigned a static IP from the DHCP scope, x.x.96.54 with a default gateway of x.x.96.1, there are no problems. If the same client logs into BRAS-B and is assigned the same static IP x.x.96.54 with a default gateway of x.x.96.1, how would the client route out of his subnet?

client --------------------------- BRAS-B ---------------------------------- BRAS-A ------------
x.x.96.54 ----------- x.x.104.1 ----- x.x.1.1 -- iBGP -- x.x.1.2 ----------- x.x.96.1 -------

I am not even sure that what I want to do is possible, because the DHCP server will see the giaddr in the DHCP request from BRAS-B as x.x.104.1 and will try to assign an address from the BRAS-B scope, and my static assignment is from the BRAS-A scope.
I use the username to assign static addresses on the DHCP server:

host custid_xxxxxxxxxx {
option dhcp-client-identifier "\xxxxxxxxxxxx at xxxxxxx.xxx";
fixed-address x.x.96.54;
}

Maybe I need to revisit how I assign IPs to customers. Would you have any recommendations? Thanks Anthony Arie Vayner (avayner) wrote: > Anthony, > > Usually for static IP assignments you would have to redistribute the > connected/static (static for routes) prefixes into the routing protocol > (I would recommend BGP) so that you advertise them as /32. No magic... > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony McGarry > Sent: Monday, February 22, 2010 13:50 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] BRAS Redundancy > > Hi, > > I was hoping someone can help me with the following issue. > > I currently have a 7301 acting as my BRAS running on 12.2(33)SRD3. I use > > the ISG feature to terminate PPPoE sessions on QinQ subinterfaces. > > The virtual templates associated with the bba groups use ip unnumbered > loopback 0. > The IP on loopback 0 is x.x.96.1/21 > > DHCP is configured for client IP address assignment using DHCP pools as > relay agents to a central DHCP server. > > ip dhcp pool DHCP > relay source x.x.96.0 255.255.248.0 > class DHCP > relay target x.x.111.5 > > I would now like to install a second 7301 for load balancing/redundancy. > > I currently trunk the QinQ vlans to the existing 7301, so I just do the > same for the second 7301. > > On the second 7301 I assign a new /21 network for DHCP assignment. > This works fine for dynamic IP assignment. > > My problem is that we have multiple customers with static IP address > assignment from the DHCP server. > > How can I assign the same IP address to a certain client session if they > > login to either BRAS when each BRAS has a unique network associated with > > the loopback 0 interface?
> > I was thinking mobile IP but I have not tested in the lab and not sure > if it is a supported solution. > > Anthony >

From mtinka at globaltransit.net Tue Feb 23 05:27:56 2010 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 23 Feb 2010 18:27:56 +0800 Subject: [c-nsp] what is it with 3550s? In-Reply-To: References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <4B82ECE9.5010902@rollernet.us> Message-ID: <201002231827.57590.mtinka@globaltransit.net> On Tuesday 23 February 2010 04:59:38 am Jon Lewis wrote: > Not just any 6500. If you want similar (to the 3550) > ability to police at arbitrary rates via service-policy > in both directions, you need a Sup720. That's why for pure Layer 2 Ethernet switching, I'm happy with both the Cisco 3560G and Juniper EX3200/4200 platforms. But if I want to turn those into the "Layer 3 switches" that the world has since become, something tells me I'd want the Juniper most times. Its biggest issue now is the code (lots of catching up to do). While the hardware isn't as great as what you get in the routing platforms (obviously), it works much more like a router for a switch (oh my, did I just say that?) when you need it for "basic" IPv4/IPv6 routing/forwarding. Mark.

From mtinka at globaltransit.net Tue Feb 23 05:23:26 2010 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 23 Feb 2010 18:23:26 +0800 Subject: [c-nsp] what is it with 3550s?
In-Reply-To: References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <20100222195155.M57911@fast-serv.com> Message-ID: <201002231823.31022.mtinka@globaltransit.net> On Tuesday 23 February 2010 04:07:17 am Jon Lewis wrote: > And that's the issue. Normally, progress means newer > gear supports the features of older gear plus new > features. In this case, egress policing took a large > step backwards. As did SVI support for BFD on the 6500 on later code, but let me not wake Gert and others :-). Mark.

From devon at noved.org Tue Feb 23 06:35:11 2010 From: devon at noved.org (Devon True) Date: Tue, 23 Feb 2010 06:35:11 -0500 Subject: [c-nsp] what is it with 3550s? In-Reply-To: <78F6E4DB-992A-4F8D-B569-368273103915@netspot.com.au> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <4B81742F.3070808@tulsaconnect.com> <20100222191250.M38310@fast-serv.com> <20100222193008.M31488@fast-serv.com> <20100222195155.M57911@fast-serv.com> <4B82ECE9.5010902@rollernet.us> <4B82F2FC.80108@utc.edu> <78F6E4DB-992A-4F8D-B569-368273103915@netspot.com.au> Message-ID: On Feb 22, 2010, at 17:14, Tom Lanyon wrote: > On 23/02/2010, at 7:41 AM, Jeff Kell wrote: > >> On 2/22/2010 3:45 PM, Seth Mattinen wrote: >>> Exactly. Correct me if I'm wrong, but as far as I know the only >>> way to >>> get that functionality back is a 6500, and that's a *huge* step. >>> >> >> Umm, 4500 Sup-IV appears to support input/output (or at least doesn't >> bitch at the configs in a quick test...). > > > Does that mean a 4948/4900M could possibly support it too? > > Tom The 4948 does support input and output service policies.
-- Devon

From ppauly at gmail.com Tue Feb 23 08:22:31 2010 From: ppauly at gmail.com (Peter Pauly) Date: Tue, 23 Feb 2010 08:22:31 -0500 Subject: [c-nsp] Cisco 4948 power supply OID? Message-ID: I need to detect with Nagios if one of the dual power supplies in a Cisco 4948 top-of-rack switch has gone bad or has lost power. Does anyone have an SNMP OID suggestion? Thanks.

From ml at kenweb.org Tue Feb 23 08:43:13 2010 From: ml at kenweb.org (ML) Date: Tue, 23 Feb 2010 08:43:13 -0500 Subject: [c-nsp] multicast on transit LAN In-Reply-To: References: Message-ID: <4B83DB71.3070603@kenweb.org> On 2/18/2010 5:29 AM, Marco Regini wrote: > Hi, > I made some progress on this topic, with the help of "ip igmp helper > address". > At L3 my network lab is like this; the vlan/network between 3560 and > 3750 is the vlan 100. > > Customers_cpe--Cisco3560-| > Customers_cpe--Cisco3560-| > Customers_cpe--Cisco3560-| > ........................-|-----------Cisco3750---Core > Customers_cpe--Cisco3560-| > > > At L1 it is simply a daisy-chain on the gigabit interface with a trunk that > carries only the vlan100. > > Well, "IGMP snooping, CGMP, RGMP" do not limit the multicast packets on > the vlan 100; I do not know why. Perhaps this is because all apparatus > are routing and switching the vlan 100: in the Cisco docs I see dedicated L2 > only switches connecting customer cpe and provider router. But this is > only a hypothesis; I need to capture some traffic to understand. > > The workaround I have found is to put on the customer interface "ip igmp > helper address 151.1.1.1"; in this way the multicast join/leave of the > customer cpe "are forwarded" by the 3560 to the Cisco3750. > This has 2 nice effects: > > 1) IGMP snooping starts working on Vlan100. > 2) "show ip igmp groups" on the 4006 shows me multicast group > registration on all the 3560s. > > Questions: > > Why do I need the "igmp helper address" hack? > Is anyone of you using "igmp helper address" in a production > environment?
If I understand you correctly you have two PIM speakers which communicate over VLAN100. When two PIM neighbors traverse an L2 VLAN, IGMP snooping has no effect. Your L2 switch gear cannot tell where multicast streams are supposed to go, therefore every group gets flooded to all ports that have PIM speakers attached. PIM snooping is what you are looking for. I don't know if that feature exists on your platforms.

From avayner at cisco.com Tue Feb 23 10:25:16 2010 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Tue, 23 Feb 2010 16:25:16 +0100 Subject: [c-nsp] BRAS Redundancy In-Reply-To: <4B83B6C6.4080705@plannet21.ie> References: <4B826F4B.8040003@plannet21.ie> <4B83B6C6.4080705@plannet21.ie> Message-ID: Anthony, I have never really seen static IP assignments in these environments using DHCP... Usually you would use a PPP (PPPoE?) session which would be terminated on a specific BRAS, and then provisioned with the fixed IP information coming from RADIUS. If your environment is small (will not grow beyond this scale) then maybe you could use a DHCP pool on each router, setting the gateway locally, while providing the actual address from the DHCP server. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony McGarry Sent: Tuesday, February 23, 2010 13:07 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] BRAS Redundancy Arie, Seems straightforward. Would there be an issue with the default gateway assignment from the DHCP server?
BRAS-A Loopback 0 x.x.96.1/21
BRAS-A DHCP scope x.x.96.20 - x.x.103.254 options router x.x.96.1
BRAS-B Loopback 0 x.x.104.1/21
BRAS-B DHCP scope x.x.104.20 - x.x.111.254 options router x.x.104.1

So if a client logs into BRAS-A and is assigned a static IP from the DHCP scope, x.x.96.54 with a default gateway of x.x.96.1, there are no problems. If the same client logs into BRAS-B and is assigned the same static IP x.x.96.54 with a default gateway of x.x.96.1, how would the client route out of his subnet?

client --------------------------- BRAS-B ---------------------------------- BRAS-A ------------
x.x.96.54 ----------- x.x.104.1 ----- x.x.1.1 -- iBGP -- x.x.1.2 ----------- x.x.96.1 -------

I am not even sure that what I want to do is possible, because the DHCP server will see the giaddr in the DHCP request from BRAS-B as x.x.104.1 and will try to assign an address from the BRAS-B scope, and my static assignment is from the BRAS-A scope. I use the username to assign static addresses on the DHCP server:

host custid_xxxxxxxxxx {
option dhcp-client-identifier "\xxxxxxxxxxxx at xxxxxxx.xxx";
fixed-address x.x.96.54;
}

Maybe I need to revisit how I assign IPs to customers. Would you have any recommendations? Thanks Anthony Arie Vayner (avayner) wrote: > Anthony, > > Usually for static IP assignments you would have to redistribute the > connected/static (static for routes) prefixes into the routing protocol > (I would recommend BGP) so that you advertise them as /32. No magic... > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony McGarry > Sent: Monday, February 22, 2010 13:50 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] BRAS Redundancy > > Hi, > > I was hoping someone can help me with the following issue. > > I currently have a 7301 acting as my BRAS running on 12.2(33)SRD3. I use > > the ISG feature to terminate PPPoE sessions on QinQ subinterfaces.
> > The virtual templates associated with the bba groups use ip unnumbered > loopback 0. > The IP on loopback 0 is x.x.96.1/21 > > DHCP is configured for client IP address assignment using DHCP pools as > relay agents to a central DHCP server. > > ip dhcp pool DHCP > relay source x.x.96.0 255.255.248.0 > class DHCP > relay target x.x.111.5 > > I would now like to install a second 7301 for load balancing/redundancy. > > I currently trunk the QinQ vlans to the existing 7301, so I just do the > same for the second 7301. > > On the second 7301 I assign a new /21 network for DHCP assignment. > This works fine for dynamic IP assignment. > > My problem is that we have multiple customers with static IP address > assignment from the DHCP server. > > How can I assign the same IP address to a certain client session if they > > login to either BRAS when each BRAS has a unique network associated with > > the loopback 0 interface? > > I was thinking mobile IP but I have not tested in the lab and not sure > if it is a supported solution.
> > Anthony >

From oboehmer at cisco.com Tue Feb 23 10:47:04 2010 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 23 Feb 2010 16:47:04 +0100 Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall (Half Duplex VRF / HDVRF) In-Reply-To: <4B83B0B1.50103@ax.tc> References: <4B579590.6050506@ax.tc> <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com> <4B582133.5030002@ax.tc><4B7E0EF3.4060604@ax.tc><4B7E24E8.1070008@ax.tc><6E4D2678AC543844917CA081C9D6B33F013EB5C6@XMB-AMS-103.cisco.com><4B7E4579.8080802@ax.tc><6E4D2678AC543844917CA081C9D6B33F013EB62B@XMB-AMS-103.cisco.com><4B7E5655.2000506@ax.tc> <4B8309FF.4000102@ax.tc> <6E4D2678AC543844917CA081C9D6B33F01459BF7@XMB-AMS-103.cisco.com> <4B83B0B1.50103@ax.tc> Message-ID: <6E4D2678AC543844917CA081C9D6B33F01459F9D@XMB-AMS-103.cisco.com> > Hello Oli, thx for your support again. I have configured the HUB/PE as > suggested: > [..] > I see that a traceroute from CPE1 to CPE2 now takes the path over the HUB > and then back to the LNS, as expected: > [...] > When I remove the def-route on the HUB, I'm still able to reach CPE2 > from CPE1 directly over the LNS: > > cpe1-vrftest#traceroute > Target IP address: 10.98.2.1 > Source address: 10.98.1.1 > Tracing the route to 10.98.2.1 > 1 10.99.17.254 68 msec 60 msec 64 msec (Loopback102 LNS) > 2 10.99.17.2 152 msec * 148 msec (CPE2) > > So I *can* re-direct the traffic from CPE to CPE through the HUB, but in > the case the HUB fails, the CPEs are directly connected again through > the LNS/SPOKE PE.
Is that the expected behaviour? Or is there still some > thing I'm missing (RPF is enabled on the Vi's)? That's strange.. Can you open a TAC case to get this looked at? I just tried this with "regular" serial interfaces, and I don't see the issue, i.e. without a default route, the CEs don't see each other. Can you remove uRPF and try again? oli

From nicotine at warningg.com Tue Feb 23 11:03:49 2010 From: nicotine at warningg.com (Brandon Ewing) Date: Tue, 23 Feb 2010 10:03:49 -0600 Subject: [c-nsp] what is it with 3550s? In-Reply-To: References: <20100222191250.M38310@fast-serv.com> <20100222193008.M31488@fast-serv.com> <20100222195155.M57911@fast-serv.com> <4B82ECE9.5010902@rollernet.us> <4B82F2FC.80108@utc.edu> <78F6E4DB-992A-4F8D-B569-368273103915@netspot.com.au> Message-ID: <20100223160348.GA11049@radiological.warningg.com> On Tue, Feb 23, 2010 at 06:35:11AM -0500, Devon True wrote: > > The 4948 does support input and output service policies. > > -- > Devon But it does not support IPv6 in hardware, IIRC. Something to keep in mind. -- Brandon Ewing (nicotine at warningg.com)

From lukasz at bromirski.net Tue Feb 23 11:56:06 2010 From: lukasz at bromirski.net (Łukasz Bromirski) Date: Tue, 23 Feb 2010 17:56:06 +0100 Subject: [c-nsp] what is it with 3550s?
In-Reply-To: References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <4B81742F.3070808@tulsaconnect.com> <20100222191250.M38310@fast-serv.com> <20100222193008.M31488@fast-serv.com> <20100222195155.M57911@fast-serv.com> <4B82ECE9.5010902@rollernet.us> Message-ID: <4B8408A6.5060306@bromirski.net> On 2010-02-23 11:28, Jon Duggan wrote: > Correct me if I'm wrong but I believe you can achieve this with > sup32 also (I think you need pfc3, which the sup32 has), which > is much cheaper than the 720. Exactly. Policing (and QoS in general) is a function of a PFC. -- "Everything will be okay in the end. | Łukasz Bromirski If it's not okay, it's not the end." | http://lukasz.bromirski.net

From matt at overloaded.net Tue Feb 23 13:27:32 2010 From: matt at overloaded.net (Matt Buford) Date: Tue, 23 Feb 2010 12:27:32 -0600 Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea? In-Reply-To: <4B839152.9070802@darkman.de> References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com> <4B5EE8C6.40106@darkman.de> <8e157ab41001310205n600a64bbs7db9deb57d3998a8@mail.gmail.com> <4B839152.9070802@darkman.de> Message-ID: <8e157ab41002231027u33830aadgddb28cd9a772685e@mail.gmail.com> On Tue, Feb 23, 2010 at 2:26 AM, Sven 'Darkman' Michels wrote: > sorry for coming back to this topic and "old" email, but this one seems to > be > the problem. When I disable ip verify unicast, the problem vanishes :( > Have you confirmed that the problem happens to packets going through the switch? What you pasted before was pings originating from the switch. In general, I wouldn't assume that the behavior of pings to/from the switch is the same as packets through the switch. They take a very different path through the switch.
For example, put one host on a non-pvlan SVI, and then put another host on your pvlan SVI. Do you get the same packet loss problem?

From NMaio at guesswho.com Tue Feb 23 11:36:51 2010
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Tue, 23 Feb 2010 11:36:51 -0500
Subject: [c-nsp] Cisco 4948 power supply OID?
Message-ID: <2AA600764E54964491083B1E0EC81A30477030C7E8@EXCLUS.nationala-1advertising.com>

You might be able to do this with RANCID if you modify the script to add the show power detail command or something similar.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Pauly
Sent: Tuesday, February 23, 2010 8:23 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 4948 power supply OID?

I need to detect with Nagios if one of the dual power supplies in a Cisco 4948 top-of-rack switch has gone bad or has lost power. Does anyone have an SNMP OID suggestion? Thanks.

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From kka at netuse.de Tue Feb 23 13:34:27 2010
From: kka at netuse.de (Klaus Kastens)
Date: Tue, 23 Feb 2010 19:34:27 +0100
Subject: [c-nsp] Cisco 4948 power supply OID?
Message-ID: <20100223183427.GA25126@boss.intern.netuse.de>

Hi Peter,

> I need to detect with Nagios if one of the dual power supplies in a
> Cisco 4948 top-of-rack switch has gone bad or has lost power. Does
> anyone have an SNMP OID suggestion? Thanks.

Try CISCO-ENVMON-MIB::ciscoEnvMonSupplyState, numeric OID is 1.3.6.1.4.1.9.9.13.1.5.1.3, works with cat4k/cat6k/(cat3k).
CISCO-ENVMON-MIB::ciscoEnvMonSupplyStatusDescr.1 = "Power Supply 1, WS-CAC-6000W"
CISCO-ENVMON-MIB::ciscoEnvMonSupplyStatusDescr.2 = "Power Supply 2, WS-CAC-6000W"
CISCO-ENVMON-MIB::ciscoEnvMonSupplyState.1 = normal(1)
CISCO-ENVMON-MIB::ciscoEnvMonSupplyState.2 = normal(1)
CISCO-ENVMON-MIB::ciscoEnvMonSupplySource.1 = internalRedundant(5)
CISCO-ENVMON-MIB::ciscoEnvMonSupplySource.2 = internalRedundant(5)

Klaus

--
Klaus Kastens
NetUSE AG, Dr.-Hell-Str. 6, D-24107 Kiel, Germany
Fon: +49 431 2390 400 (07:00 UTC - 17:00 UTC)  Fax: +49 431 2390 499

From SPfister at dps.k12.oh.us Tue Feb 23 14:27:48 2010
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 23 Feb 2010 14:27:48 -0500
Subject: [c-nsp] Getting serial number for 3640s
Message-ID: <4B83E5BA.9E6F.00B8.0@dps.k12.oh.us>

I've been going over a customer's inventory, and I'm having some trouble with serial numbers. How do you get the serial number for a 3640 router? I usually look for the processor board ID in 'sho ver', but that's not matching what's listed in the inventory.

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From nick at inex.ie Tue Feb 23 14:57:30 2010
From: nick at inex.ie (Nick Hilliard)
Date: Tue, 23 Feb 2010 19:57:30 +0000
Subject: [c-nsp] Getting serial number for 3640s
In-Reply-To: <4B83E5BA.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <4B84332A.1050408@inex.ie>

On 23/02/2010 19:27, Steven Pfister wrote:
> I've been going over a customer's inventory, and I'm having some trouble with
> serial numbers. How do you get the serial number for a 3640 router? I
> usually look for the processor board ID in 'sho ver', but that's not
> matching what's listed in the inventory.

"show inventory"?

Nick

From SPfister at dps.k12.oh.us Tue Feb 23 15:01:39 2010
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 23 Feb 2010 15:01:39 -0500
Subject: [c-nsp] Getting serial number for 3640s
In-Reply-To: <4B84332A.1050408@inex.ie>
Message-ID: <4B83EDAA.9E6F.00B8.0@dps.k12.oh.us>

Is that supported by 3640? We may have old versions of IOS... it doesn't seem to be recognized by any of the ones I've tried.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> Nick Hilliard 2/23/2010 2:57 PM >>>
On 23/02/2010 19:27, Steven Pfister wrote:
> I've been going over a customer's inventory, and I'm having some trouble with
> serial numbers. How do you get the serial number for a 3640 router? I
> usually look for the processor board ID in 'sho ver', but that's not
> matching what's listed in the inventory.

"show inventory"?
Nick

From pavel.skovajsa at gmail.com Tue Feb 23 15:01:16 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 23 Feb 2010 21:01:16 +0100
Subject: [c-nsp] 6500 SVI Question
In-Reply-To: <012301cab427$d4e397d0$7eaac770$@org>
Message-ID: <323aca891002231201w5d13881eo7b6f56a9726d7804@mail.gmail.com>

Hi Paul,

All virtual interfaces have a "bandwidth" that has nothing to do with the real number of bytes per second that can flow through the link. For example:

- all SVI interfaces have by default a bandwidth of "MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,", even though the real interfaces "behind" are 10/half.... One way to explain this is that 10 years ago, in the time of hybrid Catalysts, the switching part of the Catalyst (SP) was autonomous and consisted of real interfaces, and the routing MSFC part (RP) consisted of only SVIs.
- all tunnel interfaces have a default "bandwidth" of 8000kb, which is a tricky way of telling the routing protocol not to prefer the route over the tunnel and to use it only as a last resort.

Also, all serial interfaces have a default bandwidth of 1024kb, even though they might be fractional T1's or anything else.

-pavel skovajsa

On Tue, Feb 23, 2010 at 2:30 AM, Paul Stewart wrote:
> Thanks Tim.... whew! ;)
>
> Actually, I was misreading the bandwidth statement itself - missed a zero
> earlier so thought you could only set it to 1 Gig, now I realized you can
> set it up to 10GE. Updated it to 2Gig and everything good now..
>
> Much appreciated,
>
> Paul
>
> -----Original Message-----
> From: Tim Stevenson [mailto:tstevens at cisco.com]
> Sent: February-22-10 8:12 PM
> To: Paul Stewart; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6500 SVI Question
>
> Hi Paul,
>
> The bandwidth does not affect the throughput etc and doesn't take
> into account the underlying L2 interfaces' bandwidth. It is strictly for
> use by the routing protocols to determine metrics (and can be
> modified using the "bandwidth" interface command). Also you can
> change the reference b/w using "ospf auto-cost reference-bandwidth"
> under the "router ospf" process.
>
> Hope that helps,
> Tim
>
> At 04:56 PM 2/22/2010, Paul Stewart mumbled:
>
>> Hi there...
>>
>> Typically when we require higher bandwidth, we upgrade the interface to
>> something larger ... recently though we were faced with having to do 2XGE on
>> a LAG until our new 10GE ports arrive. The SVI interface shows a bandwidth
>> of 1 Gig even though there are two physical GigE interfaces "connected" to
>> it.... will there be any issues doing more than a Gig on this SVI interface?
>> This is the first time amazingly that I've run across this ;)
>>
>> The card where the two GigE's come into is a 6148A-GE-TX and the ports are
>> at opposite ends of the physical card...
>>
>> Thanks, appreciate it as always...
>>
>> Paul
>
> Tim Stevenson, tstevens at cisco.com
> Routing & Switching CCIE #5561
> Technical Marketing Engineer, Cisco Nexus 7000
> Cisco - http://www.cisco.com
> IP Phone: 408-526-6759
From dwbielawa at liberty.edu Tue Feb 23 15:13:57 2010
From: dwbielawa at liberty.edu (Bielawa, Daniel W. (NS))
Date: Tue, 23 Feb 2010 15:13:57 -0500
Subject: [c-nsp] Getting serial number for 3640s
In-Reply-To: <4B83EDAA.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <00C0F7C1912DA04585B1ECA7A0CD3CC0066D966556@LUEMS04VS.University.liberty.edu>

Hello,

We had a similar problem with our 7200 series. According to TAC some Cisco products do not report the serial number. That was the case with us, and the only way to verify was to physically go to the box and check. Given the age of the 3600 series routers, I would guess the same limitation applies to your case.

Thank You

Daniel Bielawa
Network Engineer
Liberty University Network Services
Email: dwbielawa at liberty.edu
Phone: 434-592-7987

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Tuesday, February 23, 2010 3:02 PM
To: Nick Hilliard; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Getting serial number for 3640s

Is that supported by 3640? We may have old versions of IOS... it doesn't seem to be recognized by any of the ones I've tried.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> Nick Hilliard 2/23/2010 2:57 PM >>>
On 23/02/2010 19:27, Steven Pfister wrote:
> I've been going over a customer's inventory, and I'm having some trouble with
> serial numbers. How do you get the serial number for a 3640 router?
> I
> usually look for the processor board ID in 'sho ver', but that's not
> matching what's listed in the inventory.

"show inventory"?

Nick

From ppauly at gmail.com Tue Feb 23 15:30:00 2010
From: ppauly at gmail.com (Peter Pauly)
Date: Tue, 23 Feb 2010 15:30:00 -0500
Subject: [c-nsp] Cisco 4948 power supply OID?
In-Reply-To: <20100223183427.GA25126@boss.intern.netuse.de>

Thanks for everyone's help. Here's what I've ended up with and it seems to work fine. Posted here for future reference:

define service{
        use                     generic-service
        host_name               cisco4948
        service_description     PS1
        check_command           check_snmp!-C snmppassword -o .1.3.6.1.4.1.9.9.91.1.1.1.1.4.9 -r 1
}

define service{
        use                     generic-service
        host_name               cisco4948
        service_description     PS2
        check_command           check_snmp!-C snmppassword -o .1.3.6.1.4.1.9.9.91.1.1.1.1.4.12 -r 1
}

From harbor235 at gmail.com Tue Feb 23 15:07:51 2010
From: harbor235 at gmail.com (harbor235)
Date: Tue, 23 Feb 2010 15:07:51 -0500
Subject: [c-nsp] Getting serial number for 3640s
In-Reply-To: <4B83EDAA.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <836bf1f91002231207s3f6ead1wb8f9e1964d9fd7b1@mail.gmail.com>

It is supported with 12.3 for sure ......

On Tue, Feb 23, 2010 at 3:01 PM, Steven Pfister wrote:
> Is that supported by 3640? We may have old versions of IOS... it doesn't
> seem to be recognized by any of the ones I've tried.
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>
>>>> Nick Hilliard 2/23/2010 2:57 PM >>>
> On 23/02/2010 19:27, Steven Pfister wrote:
>> I've been going over a customer's inventory, and I'm having some trouble with
>> serial numbers. How do you get the serial number for a 3640 router? I
>> usually look for the processor board ID in 'sho ver', but that's not
>> matching what's listed in the inventory.
>
> "show inventory"?
>
> Nick

From sigurbjornl at vodafone.is Tue Feb 23 15:09:46 2010
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 23 Feb 2010 20:09:46 +0000
Subject: [c-nsp] Getting serial number for 3640s
In-Reply-To: <4B83EDAA.9E6F.00B8.0@dps.k12.oh.us>

show c3600 will give you the serial of the mainboard itself, perhaps that is what you need

Kind regards,
Sibbi

> From: Steven Pfister
> Date: Tue, 23 Feb 2010 15:01:39 -0500
> To: Nick Hilliard ,
> Subject: Re: [c-nsp] Getting serial number for 3640s
>
> Is that supported by 3640? We may have old versions of IOS... it doesn't seem
> to be recognized by any of the ones I've tried.
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>
>>>> Nick Hilliard 2/23/2010 2:57 PM >>>
> On 23/02/2010 19:27, Steven Pfister wrote:
>> I've been going over a customer's inventory, and I'm having some trouble with
>> serial numbers. How do you get the serial number for a 3640 router? I
>> usually look for the processor board ID in 'sho ver', but that's not
>> matching what's listed in the inventory.
>
> "show inventory"?
>
> Nick

From tdurack at gmail.com Tue Feb 23 16:02:30 2010
From: tdurack at gmail.com (Tim Durack)
Date: Tue, 23 Feb 2010 16:02:30 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
Message-ID: <9e246b4d1002231302l449f5b3cm33ba33ee844e336d@mail.gmail.com>

On Fri, Feb 5, 2010 at 10:38 AM, Tim Durack wrote:
> Cisco 6509, SUP720, 12.2(33)SXI3, WS-X6748-SFP, port shows:
>
> sh int g1/9 | i error
>      3915 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 output errors, 0 collisions, 0 interface resets
>
> The other side is clean. What do input errors alone indicate?
>
> (Have tested/replaced fiber/SFPs, without success.)

Looks like this is actually being caused by some ERSPAN traffic from a (non-cisco) downstream switch. My guess is the frames are maximum size, leaving no room for the FCS.
I don't have an easy way of proving this, aside from the fact that the problem is controlled by enabling/disabling the ERSPAN.

--
Tim:>

From tdurack at gmail.com Tue Feb 23 16:07:42 2010
From: tdurack at gmail.com (Tim Durack)
Date: Tue, 23 Feb 2010 16:07:42 -0500
Subject: [c-nsp] mvrf leaking
In-Reply-To: <4A807FA8.4010901@cisco.com>
Message-ID: <9e246b4d1002231307p4455d478rcaf47e6e8020cca7@mail.gmail.com>

On Mon, Aug 10, 2009 at 3:14 PM, Rodney Dunn wrote:
> I don't *think* so. I think to get traffic from the VRF's you need MVPN
> Extranet support:
>
> http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/extvpnsb.html

Anybody used this in anger? I've got multicast between vrfs working in the lab, but it isn't configured as I expected.

6500, Sup720, 12.2(33)SXI3, PE-PE, CE directly connected interface on PE.

So far I need "ip pim sparse-dense mode" configured on the CE facing vlan int, and sparse-dense mode on a loopback in the vrf. Multicast then works between vrfs on the same PE.

Sparse mode does not work, even with various rp/bsr configs.

Confused.

--
Tim:>
Sent from New York, NY, United States

From anthony.mcgarry at plannet21.ie Tue Feb 23 16:40:56 2010
From: anthony.mcgarry at plannet21.ie (Anthony McGarry)
Date: Tue, 23 Feb 2010 21:40:56 +0000
Subject: [c-nsp] BRAS Redundancy
Message-ID: <4B844B68.9000001@plannet21.ie>

Arie,

I am going to set up the lab and do some testing with radius providing the IP and redistributing connected routes. I might also have a look at providing a L2 link between the BRASs or mobile IP.

Thanks
Anthony

Arie Vayner (avayner) wrote:
> Anthony,
>
> I have never really seen static IP assignments in these environments
> using DHCP... Usually you would use a PPP (PPPoE?)
> session which would
> be terminated on a specific BRAS, and then provisioned with the fixed IP
> information coming from RADIUS.
>
> If your environment is small (will not grow beyond this scale) then
> maybe you could use a DHCP pool on each router, setting the gateway
> locally, while providing the actual address from the DHCP server.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony McGarry
> Sent: Tuesday, February 23, 2010 13:07
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BRAS Redundancy
>
> Arie,
>
> Seems straightforward. Would there be an issue with the default gateway
> assignment from the DHCP server?
>
> BRAS-A
> Loopback 0
> x.x.96.1/21
>
> BRAS-A DHCP scope
> x.x.96.20 - x.x.103.254
> options router x.x.96.1
>
> BRAS-B
> Loopback 0
> x.x.104.1/21
>
> BRAS-B DHCP scope
> x.x.104.20 - x.x.111.254
> options router x.x.104.1
>
> So if a client logs into BRAS-A and is assigned a static IP from the
> DHCP scope x.x.96.54 with a default gateway of x.x.96.1 there are no
> problems.
> If the same client logs into BRAS-B and is assigned the same static IP
> x.x.96.54 with a default gateway of x.x.96.1 how would the client route
> out of his subnet?
>
> client --------------------------- BRAS-B ---------------------------------- BRAS-A ------------
> x.x.96.54 ----------- x.x.104.1 ----- x.x.1.1 -- iBGP -- x.x.1.2 ----------- x.x.96.1 -------
>
> I am not even sure that what I want to do is possible because the DHCP
> server will see the giaddr in the dhcp request from BRAS-B as x.x.104.1
> and will try to assign an address from the BRAS-B scope and my static
> assignment is from the BRAS-A scope.
> I use username to assign static address on the DHCP server
> host custid_xxxxxxxxxx { option dhcp-client-identifier
> "\xxxxxxxxxxxx at xxxxxxx.xxx"; fixed-address x.x.96.54; }
>
> Maybe I need to revisit how I assign IP to customers.
> Would you have any
> recommendations?
>
> Thanks
> Anthony
>
> Arie Vayner (avayner) wrote:
>
>> Anthony,
>>
>> Usually for static IP assignments you would have to redistribute the
>> connected/static (static for routes) prefixes into the routing protocol
>> (I would recommend BGP) so that you advertise them as /32. No magic...
>>
>> Arie
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony McGarry
>> Sent: Monday, February 22, 2010 13:50
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] BRAS Redundancy
>>
>> Hi,
>>
>> I was hoping someone can help me with the following issue.
>>
>> I currently have a 7301 acting as my BRAS running on 12.2(33)SRD3. I use
>> the ISG feature to terminate PPPoE sessions on QinQ subinterfaces.
>>
>> The virtual templates associated with the bba groups use ip unnumbered
>> loopback 0.
>> The IP on loopback 0 is x.x.96.1/21
>>
>> DHCP is configured for client IP address assignment using DHCP pools as
>> relay agents to a central DHCP server.
>>
>> ip dhcp pool DHCP
>>  relay source x.x.96.0 255.255.248.0
>>  class DHCP
>>   relay target x.x.111.5
>>
>> I would now like to install a second 7301 for load balancing/redundancy.
>> I currently trunk the QinQ vlans to the existing 7301 so I just do the
>> same for the second 7301.
>>
>> On the second 7301 I assign a new /21 network for DHCP assignment.
>> This works fine for dynamic IP assignment.
>>
>> My problem is that we have multiple customers with static IP address
>> assignment from the DHCP server.
>>
>> How can I assign the same IP address to a certain client session if they
>> login to either BRAS when each BRAS has a unique network associated with
>> the loopback 0 interface.
>>
>> I was thinking mobile IP but I have not tested in the lab and not sure
>> if it is a supported solution.
>>
>> Anthony
>

From gert at greenie.muc.de Tue Feb 23 16:41:18 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 23 Feb 2010 22:41:18 +0100
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <201002231823.31022.mtinka@globaltransit.net>
Message-ID: <20100223214118.GB9556@greenie.muc.de>

Hi,

On Tue, Feb 23, 2010 at 06:23:26PM +0800, Mark Tinka wrote:
> As did SVI support for BFD on the 6500 on later code, but
> let me not wake Gert and others :-).

Ho humm, I was visiting Cisco Munich today, but I didn't even get to *that* point. When I started ranting to the AM present about the 20 different operating systems on Cisco devices today, and the 6500/7600 BU mess, he was already entering brainwash mode ("you have to understand how a big company works! there are good reasons to this! this is the best path for Cisco and our customers!").

I have no idea how to get that point (BFD is good! make it happen! on SVI!) across to the relevant people... *sigh*

gert

--
USENET is *not* the non-clickable part of WWW!                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From anthony.mcgarry at plannet21.ie Tue Feb 23 16:42:22 2010
From: anthony.mcgarry at plannet21.ie (Anthony McGarry)
Date: Tue, 23 Feb 2010 21:42:22 +0000
Subject: [c-nsp] BRAS Redundancy
In-Reply-To: <4B83B685.1010707@forthnet.gr>
Message-ID: <4B844BBE.30702@plannet21.ie>

Sounds like an option, I'll set it up in the lab and do some testing.

Thanks

Tassos Chatzithomaoglou wrote:
> I'm using LAM (Local Area Mobility) for a similar scenario. You may want
> to have a look at it.
> It's pretty damn simple to setup; just 3 commands)
>

From dmeister at sisunet.org Tue Feb 23 15:25:13 2010
From: dmeister at sisunet.org (Meister, Daniel J.)
Date: Tue, 23 Feb 2010 14:25:13 -0600
Subject: [c-nsp] Getting serial number for 3640s
In-Reply-To: <00C0F7C1912DA04585B1ECA7A0CD3CC0066D966556@LUEMS04VS.University.liberty.edu>
Message-ID: <557BFF27F2FCAF44B45E8C5352C674C1040ACE91@mail05.sisunet.org>

While not exactly the same, we've got a 3660 running old IOS that supports the command 'show c3600' which will display the chassis serial number.

-Dan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bielawa, Daniel W. (NS)
Sent: Tuesday, February 23, 2010 2:14 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Getting serial number for 3640s

Hello,

We had a similar problem with our 7200 series. According to TAC some Cisco products do not report the serial number.
That was the case with us, and the only way to verify was to physically go to the box and check. Given the age of the 3600 series routers, I would guess the same limitation applies to your case.

Thank You

Daniel Bielawa
Network Engineer
Liberty University Network Services
Email: dwbielawa at liberty.edu
Phone: 434-592-7987

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Tuesday, February 23, 2010 3:02 PM
To: Nick Hilliard; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Getting serial number for 3640s

Is that supported by 3640? We may have old versions of IOS... it doesn't seem to be recognized by any of the ones I've tried.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> Nick Hilliard 2/23/2010 2:57 PM >>>
On 23/02/2010 19:27, Steven Pfister wrote:
> I've been going over a customer's inventory, and I'm having some trouble with
> serial numbers. How do you get the serial number for a 3640 router? I
> usually look for the processor board ID in 'sho ver', but that's not
> matching what's listed in the inventory.

"show inventory"?
Nick
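Returning to the "Cisco 4948 power supply OID?" thread above: as an added example (not code from any poster), a Python check that parses snmpwalk output of the CISCO-ENVMON-MIB supply table Klaus pointed at and folds every supply into a single Nagios result, instead of one hard-coded instance index per service definition as in Peter's config. The walk lines are constructed, modelled on Klaus's posted output; the assumption that two supplies should be present is a parameter.

```python
"""Nagios-style power-supply check over CISCO-ENVMON-MIB walk output.

Added example for the cisco-nsp "Cisco 4948 power supply OID?" thread;
not code from any poster on the list.
"""
import re
from typing import Dict, List, Tuple

# CiscoEnvMonState enumeration from CISCO-ENVMON-MIB.
ENVMON_STATE = {
    1: "normal", 2: "warning", 3: "critical",
    4: "shutdown", 5: "notPresent", 6: "notFunctioning",
}

# Nagios plugin exit codes and their labels.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
LABEL = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
# Ordering used to pick the worst result across supplies: CRITICAL outranks UNKNOWN.
SEVERITY = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}

# notPresent counts as CRITICAL: on a dual-supply box a supply that drops out of
# the table is usually one that was pulled or lost input power, which is exactly
# the condition the thread wants to catch.
STATE_TO_NAGIOS = {
    "normal": OK, "warning": WARNING, "critical": CRITICAL,
    "shutdown": CRITICAL, "notPresent": CRITICAL, "notFunctioning": CRITICAL,
}

# Matches the symbolic form snmpwalk prints with the MIB loaded, e.g.
#   CISCO-ENVMON-MIB::ciscoEnvMonSupplyState.1 = normal(1)
# The column name decides whether the value is a state or a description.
ROW_RE = re.compile(
    r"CISCO-ENVMON-MIB::ciscoEnvMonSupply(?P<col>State|StatusDescr)\.(?P<idx>\d+)"
    r"\s*=\s*(?P<val>.+)$"
)


def parse_walk(lines: List[str]) -> Dict[int, Tuple[str, str]]:
    """Return {index: (description, state_name)} for every supply row.

    Rows of other columns (e.g. ciscoEnvMonSupplySource) are ignored. A state
    row without a matching description is still reported under a generic name,
    so a supply is never silently dropped just because its descr is missing.
    """
    descr: Dict[int, str] = {}
    state: Dict[int, str] = {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        idx = int(m.group("idx"))
        # Drop a leading "STRING:" / "INTEGER:" type tag if snmpwalk printed one.
        val = re.sub(r"^[A-Za-z]+:\s*", "", m.group("val").strip())
        if m.group("col") == "StatusDescr":
            descr[idx] = val.strip('"')
        else:
            # Accept "normal(1)" as well as a bare numeric "1" (snmpwalk -Oe).
            num = re.search(r"\d+", val)
            state[idx] = ENVMON_STATE.get(int(num.group()), "unknown") if num else "unknown"
    return {i: (descr.get(i, f"Power Supply {i}"), s) for i, s in sorted(state.items())}


def evaluate(supplies: Dict[int, Tuple[str, str]], expected: int = 2) -> Tuple[int, str]:
    """Fold all supplies into one Nagios (exit_code, summary) pair.

    `expected` is how many supplies the chassis should show (assumed: two, as
    on Peter's dual-supply 4948). Fewer rows than that is CRITICAL as well,
    because a dead supply can vanish from the table instead of reporting
    notPresent.
    """
    if not supplies:
        return UNKNOWN, "UNKNOWN: no ciscoEnvMonSupplyState rows found"
    worst = OK
    parts = []
    for idx in sorted(supplies):
        name, st = supplies[idx]
        code = STATE_TO_NAGIOS.get(st, UNKNOWN)
        if SEVERITY[code] > SEVERITY[worst]:
            worst = code
        parts.append(f"{name}={st}")
    if len(supplies) < expected:
        worst = CRITICAL
        parts.append(f"only {len(supplies)} of {expected} supplies reported")
    return worst, f"{LABEL[worst]}: " + ", ".join(parts)


# Constructed sample walks, modelled on the rows Klaus posted (not captured
# from a real device).
HEALTHY_WALK = [
    'CISCO-ENVMON-MIB::ciscoEnvMonSupplyStatusDescr.1 = "Power Supply 1, WS-CAC-6000W"',
    'CISCO-ENVMON-MIB::ciscoEnvMonSupplyStatusDescr.2 = "Power Supply 2, WS-CAC-6000W"',
    "CISCO-ENVMON-MIB::ciscoEnvMonSupplyState.1 = normal(1)",
    "CISCO-ENVMON-MIB::ciscoEnvMonSupplyState.2 = normal(1)",
    "CISCO-ENVMON-MIB::ciscoEnvMonSupplySource.1 = internalRedundant(5)",
    "CISCO-ENVMON-MIB::ciscoEnvMonSupplySource.2 = internalRedundant(5)",
]
# Supply 2 lost input power and now reports notPresent.
PS2_LOST_WALK = HEALTHY_WALK[:3] + ["CISCO-ENVMON-MIB::ciscoEnvMonSupplyState.2 = notPresent(5)"]
# Supply 2 has disappeared from the table entirely.
PS2_GONE_WALK = [HEALTHY_WALK[0], HEALTHY_WALK[2]]

if __name__ == "__main__":
    for walk in (HEALTHY_WALK, PS2_LOST_WALK, PS2_GONE_WALK):
        code, summary = evaluate(parse_walk(walk))
        print(code, summary)
```

In a real deployment the walk lines would come from `snmpwalk` against the device and the exit code would be returned to Nagios; `check_snmp -r` on one instance index, as in Peter's definitions, cannot notice a supply that has vanished from the table.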
From gk at ax.tc Tue Feb 23 17:16:12 2010
From: gk at ax.tc (Gerald Krause)
Date: Tue, 23 Feb 2010 23:16:12 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall (Half Duplex VRF / HDVRF)
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F01459F9D@XMB-AMS-103.cisco.com>
Message-ID: <4B8453AC.9090805@ax.tc>

On 23.02.2010 16:47, Oliver Boehmer (oboehmer) wrote:
>
>> Hello Oli, thx for your support again. I have configured the HUB/PE as
>> suggested:
>> [..]
>> I see that a traceroute from CPE1 to CPE2 now takes the path over the HUB
>> and then back to the LNS as expected:
>> [...]
>> When I remove the def-route on the HUB, I'm still able to reach CPE2
>> from CPE1 directly over the LNS:
>>
>> cpe1-vrftest#traceroute
>> Target IP address: 10.98.2.1
>> Source address: 10.98.1.1
>> Tracing the route to 10.98.2.1
>>   1 10.99.17.254 68 msec 60 msec 64 msec   (Loopback102 LNS)
>>   2 10.99.17.2 152 msec * 148 msec         (CPE2)
>>
>> So I *can* re-direct the traffic from CPE to CPE through the HUB but in
>> the case the HUB fails, the CPEs are directly connected again through
>> the LNS/SPOKE PE. Is that the expected behaviour? Or is there still some
>> thing I'm missing (RPF is enabled on the Vi's)?
>
> That's strange.. Can you open a TAC case to get this looked at?

Ok, I will do so if I can't get ahead soon.

> I just
> tried this with "regular" serial interfaces, and I don't see the issue,
> i.e.
> without a default route, the CEs don't see each other.

I assume even without any MP-BGP between the SPOKE and HUB PEs, it should be possible to isolate two interfaces on the SPOKE/PE with the Half Duplex VRF feature enabled. Am I right here? So how does your SPOKE/PE test setup look regarding the VRF configuration (VRF definition, interfaces and static routes for that VRF)? That would be interesting for me. Maybe I can build a similar setup with some unused FastEth's in my LNS/SPOKE/PE.

> Can you remove urpf and try again?

I've tried that, looks like uRPF has no influence. I get the same results with and without.

Thx a lot so far!

--
Gerald

From lists at hojmark.org Tue Feb 23 18:42:17 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 24 Feb 2010 00:42:17 +0100
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100223214118.GB9556@greenie.muc.de>

On Tue, 23 Feb 2010 22:41:18 +0100, you wrote:
> I have no idea how to get that point (BFD is good! make it happen!
> on SVI!) across to the relevant people... *sigh*

The SP people do get it, and I'm sure it's now (again) roadmapped for the 7600, where it's relevant. Whether it'll ever show up on a campus switch (6500) may be another story.
-A

From lists at hojmark.org Tue Feb 23 18:47:34 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 24 Feb 2010 00:47:34 +0100
Subject: [c-nsp] Getting serial number for 3640s
In-Reply-To: <557BFF27F2FCAF44B45E8C5352C674C1040ACE91@mail05.sisunet.org>
References: <4B83E5BA.9E6F.00B8.0@dps.k12.oh.us> <4B84332A.1050408@inex.ie> <4B83EDAA.9E6F.00B8.0@dps.k12.oh.us> <00C0F7C1912DA04585B1ECA7A0CD3CC0066D966556@LUEMS04VS.University.liberty.edu> <557BFF27F2FCAF44B45E8C5352C674C1040ACE91@mail05.sisunet.org>
Message-ID:

On Tue, 23 Feb 2010 14:25:13 -0600, you wrote:

> While not exactly the same, we've got a 3660 running old IOS that
> supports the command 'show c3600' which will display the chassis serial
> number.

Something also worth trying is 'sh diag', which works on all the old
gear, and gives a chassis serial number for some of it. I don't know
if it works on a 3600, but it does work on the 3725 that I have at home.

-A

From cayers at ena.com Tue Feb 23 18:55:36 2010
From: cayers at ena.com (Cory Ayers)
Date: Tue, 23 Feb 2010 17:55:36 -0600
Subject: [c-nsp] Getting serial number for 3640s
In-Reply-To: <00C0F7C1912DA04585B1ECA7A0CD3CC0066D966556@LUEMS04VS.University.liberty.edu>
References: <4B83E5BA.9E6F.00B8.0@dps.k12.oh.us> <4B84332A.1050408@inex.ie> <4B83EDAA.9E6F.00B8.0@dps.k12.oh.us> <00C0F7C1912DA04585B1ECA7A0CD3CC0066D966556@LUEMS04VS.University.liberty.edu>
Message-ID:

> Hello,
> We had a similar problem with our 7200 series. According to TAC
> some Cisco products do not report the serial number. That was the case
> with us, and the only way to verify was to physically go to the box and
> check. Given the age of the 3600 series routers, I would guess the same
> limitation applies to your case.
>
> Thank You
>
> Daniel Bielawa
> Network Engineer
> Liberty University Network Services
> Email: dwbielawa at liberty.edu
> Phone: 434-592-7987
>
>
> > I've been going over a customer's inventory, and I'm having some
> > trouble with serial numbers.
> > How do you get the serial number for a 3640 router? I
> > usually look for the processor board ID in 'sho ver', but that's not
> > matching what's listed in the inventory.

I don't believe there is a way to pull chassis serial from the command
line on the older router models (2600, 3600, 7200). You can pull the
mainboard serial, but this does not match the sticker on the outside of
the chassis.

From jason at lixfeld.ca Tue Feb 23 18:32:13 2010
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Tue, 23 Feb 2010 18:32:13 -0500
Subject: [c-nsp] ES20 throughput in the weeds?
Message-ID:

We've got a 7600-ES20-GE3CXL HW 1.2 FW 12.2(33r)SRB SW 12.2(33)SRC4 in a
7609/Sup720 3BXL chassis. We ran some performance tests for a customer,
and we were quite appalled by the results. We're using Exfo test sets to
run RFC2544 patterns between two ports.

We're using 7 frame sizes; 64, 128, 256, 512, 1024, 1280, 1518.

When we look at the throughput results, we see this:

Frame Size    TX-to-RX - Layer 1-2-3 (Mbps)
64            449.197861
128           538.181818
256           560.97561
512           974.358974
1024          956.043956
1280          1000
1518          994.825356

Now if we do that same test on another card, say a WS-X6724-SFP, we get
very different results:

Frame Size    TX-to-RX - Layer 1-2-3 (Mbps)
64            1000
128           1000
256           1000
512           1000
1024          1000
1280          1000
1518          1000

I've tried the same test on a Juniper EX4200, and an ME3400E-12CS and
all the results are identical to the WS-X6724-SFP. The ES20 seems to be
the anomaly here.

I know that processing smaller packets is generally much more taxing
than processing large packets, so I didn't really expect to see line
rate on any of the tests that were run, but considering the 6724
reported what seem to be line rate results vs. the ES20, I can't help
but wonder whether I've got a bad card or something.

From gert at greenie.muc.de Wed Feb 24 02:29:54 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 24 Feb 2010 08:29:54 +0100
Subject: [c-nsp] what is it with 3550s?
In-Reply-To:
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <20100222195155.M57911@fast-serv.com> <201002231823.31022.mtinka@globaltransit.net> <20100223214118.GB9556@greenie.muc.de>
Message-ID: <20100224072954.GE9556@greenie.muc.de>

Hi,

On Wed, Feb 24, 2010 at 12:42:17AM +0100, Asbjorn Hojmark - Lists wrote:
> On Tue, 23 Feb 2010 22:41:18 +0100, you wrote:
>
> > I have no idea how to get that point (BFD is good! make it happen!
> > on SVI!) across to the relevant people... *sigh*
>
> The SP people do get it, and I'm sure it's now (again) roadmapped for
> the 7600, where it's relevant. Whether it'll ever show up on a campus
> switch (6500) may be another story.

Now that you mention it. I did not rant over the BU split for at least
two months, did I?

The decision for which (mid-to-high end platforms) a certain feature is
"relevant" is something I find highly interesting. As if enterprise
customers don't want high availability.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From lists at hojmark.org Wed Feb 24 02:43:54 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 24 Feb 2010 08:43:54 +0100
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100224072954.GE9556@greenie.muc.de>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <20100222195155.M57911@fast-serv.com> <201002231823.31022.mtinka@globaltransit.net> <20100223214118.GB9556@greenie.muc.de> <20100224072954.GE9556@greenie.muc.de>
Message-ID:

On Wed, 24 Feb 2010 08:29:54 +0100, you wrote:

>> The SP people do get it, and I'm sure it's now (again) roadmapped for
>> the 7600, where it's relevant.
>> Whether it'll ever show up on a campus
>> switch (6500) may be another story.

> Now that you mention it. I did not rant over the BU split for at least
> two months, did I?

No I don't think so, but the bait worked very well ;-)

-A

From gert at greenie.muc.de Wed Feb 24 03:42:10 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 24 Feb 2010 09:42:10 +0100
Subject: [c-nsp] BRAS Redundancy
In-Reply-To: <4B83B026.9040700@plannet21.ie>
References: <4B826F4B.8040003@plannet21.ie> <6ae95a02-b582-4c42-9857-17ed1199478a@s36g2000prf.googlegroups.com> <4B83B026.9040700@plannet21.ie>
Message-ID: <20100224084210.GH9556@greenie.muc.de>

hi,

On Tue, Feb 23, 2010 at 10:38:30AM +0000, Anthony McGarry wrote:
> What I really need to know is how to assign static IPs to clients if
> they log into either BRAS when both BRASs have a different network range
> on their loopbacks.

Dynamic routing between the BRASs and their next-hop router.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From oboehmer at cisco.com Wed Feb 24 03:53:26 2010
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 24 Feb 2010 09:53:26 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall (Half Duplex VRF / HDVRF)
In-Reply-To: <4B8453AC.9090805@ax.tc>
References: <4B579590.6050506@ax.tc> <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com> <4B582133.5030002@ax.tc> <4B7E0EF3.4060604@ax.tc> <4B7E24E8.1070008@ax.tc> <6E4D2678AC543844917CA081C9D6B33F013EB5C6@XMB-AMS-103.cisco.com> <4B7E4579.8080802@ax.tc> <6E4D2678AC543844917CA081C9D6B33F013EB62B@XMB-AMS-103.cisco.com> <4B7E5655.2000506@ax.tc> <4B8309FF.4000102@ax.tc> <6E4D2678AC543844917CA081C9D6B33F01459BF7@XMB-AMS-103.cisco.com> <4B83B0B1.50103@ax.tc> <6E4D2678AC543844917CA081C9D6B33F01459F9D@XMB-AMS-103.cisco.com> <4B8453AC.9090805@ax.tc>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F0145A27E@XMB-AMS-103.cisco.com>

> > I just
> > tried this with "regular" serial interfaces, and I don't see the issue,
> > i.e. without a default route, the CEs don't see each other.
>
> I assume even without any MP-BGP between the SPOKE and HUB PEs, it
> should be possible to isolate two interfaces on the SPOKE/PE with the
> Half Duplex VRF feature enabled. Am I right here? So what does your
> SPOKE/PE test setup look like regarding the VRF configuration (VRF
> definition, interfaces and static routes for that VRF)? That would be
> interesting for me.

very simple:

ip vrf down
 rd 1:2
!
ip vrf up
 rd 1:1
!
ip cef
!
interface Loopback1
 ip vrf forwarding up
 ip address 1.0.0.1 255.255.255.255
!
interface Serial2/0
 ip vrf forwarding up downstream down
 ip unnumbered Loopback1
 ip verify unicast reverse-path
 encapsulation ppp
 peer default ip address pool default
 serial restart-delay 0
!
interface Serial2/1
 ip vrf forwarding up downstream down
 ip unnumbered Loopback1
 ip verify unicast reverse-path
 encapsulation ppp
 peer default ip address pool default
 serial restart-delay 0
!
ip local pool default 2.0.0.1 2.0.0.10

Didn't try with static routes.. also don't have MPLS/BGP configured on
this "PE".. it's a standalone box..

> Maybe I can build a similar setup with some unused FastEth's in
> my LNS/SPOKE/PE.

hmm, not sure if FastEth will work, HD-VRF is only supported on
unnumbered interfaces.

	oli

From gongwei.nus at gmail.com Wed Feb 24 06:07:51 2010
From: gongwei.nus at gmail.com (Gong Wei)
Date: Wed, 24 Feb 2010 19:07:51 +0800
Subject: [c-nsp] cisco-nsp Digest, Vol 87, Issue 84
In-Reply-To:
References:
Message-ID: <816a9aa91002240307x93b37bmef9ed0ed3e582583@mail.gmail.com>

Password

On 2/24/10, cisco-nsp-request at puck.nether.net wrote:
> Send cisco-nsp mailing list submissions to
>         cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
>         cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
>         cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
>    1. Re: MPLS VPN with lot of PPP interfaces and central firewall
>       (Half Duplex VRF / HDVRF) (Gerald Krause)
>    2. Re: what is it with 3550s? (Asbjorn Hojmark - Lists)
>    3. Re: Getting serial number for 3640s (Asbjorn Hojmark - Lists)
>    4. Re: Getting serial number for 3640s (Cory Ayers)
>    5. ES20 throughput in the weeds? (Jason Lixfeld)
>    6. Re: what is it with 3550s? (Gert Doering)
>    7. Re: what is it with 3550s? (Asbjorn Hojmark - Lists)
>    8. Re: BRAS Redundancy (Gert Doering)
>    9. Re: MPLS VPN with lot of PPP interfaces and central firewall
>       (Half Duplex VRF / HDVRF) (Oliver Boehmer (oboehmer))
>
> [...]
>
> End of cisco-nsp Digest, Vol 87, Issue 84
> *****************************************
>

--
Sent from my mobile device

From asturluismi at gmail.com Wed Feb 24 07:52:37 2010
From: asturluismi at gmail.com (luismi)
Date: Wed, 24 Feb 2010 13:52:37 +0100
Subject: [c-nsp] ip igmp join-group x.x.x.x
In-Reply-To: <353e59af1002221440k5ae75879k9ba8ab89197e06bb@mail.gmail.com>
References: <353e59af1002221440k5ae75879k9ba8ab89197e06bb@mail.gmail.com>
Message-ID: <1267015957.1688.11.camel@hal9000>

Be aware of the command, I don't know the behaviour of your platform, but
in our 7206 npe-g2 we have issues with it. Multicast video and audio was
broken because the command makes the multicast to be "process
switched", if my memory is ok.

On Mon, 22-02-2010 at 22:40 +0000, Vladislav Vasilev wrote:
> Hello all,
>
> I thought that applying "ip igmp join-group 239.1.1.1" makes the interface
> under which is executed a member of 239.1.1.1 for as long as the command is
> there. The problem is that the switch (in this case ME3400) never sends
> another IGMP report and the multicast stream gets pruned. I guess it is a
> bug?
>
>
> Regards,
> V.Vasilev
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jonas.jonsson at netent.com Wed Feb 24 07:14:26 2010
From: jonas.jonsson at netent.com (Jonas Jonsson)
Date: Wed, 24 Feb 2010 13:14:26 +0100
Subject: [c-nsp] Cisco IOS BGP 4-Byte ASN Support for 3750?
Message-ID: <78DD389C2574C947AD8B34B9D043309E049E6A86@ex01.netentertainment.com>

Hi,

I know that this is currently not a supported feature, but is this on the
roadmap or will it never happen?

Ref:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/data_sheet_C78-521821.html

///
Best regards,
Jonas

From md at bts.sk Wed Feb 24 08:35:09 2010
From: md at bts.sk (Marian Ďurkovič)
Date: Wed, 24 Feb 2010 14:35:09 +0100
Subject: [c-nsp] ip igmp join-group x.x.x.x
In-Reply-To: <1267015957.1688.11.camel@hal9000>
References: <353e59af1002221440k5ae75879k9ba8ab89197e06bb@mail.gmail.com> <1267015957.1688.11.camel@hal9000>
Message-ID: <20100224133509.GA62243@bts.sk>

On Wed, Feb 24, 2010 at 01:52:37PM +0100, luismi wrote:
> Be aware of the command, I don't know the behaviour of your platform, but
> in our 7206 npe-g2 we have issues with it. Multicast video and audio was
> broken because the command makes the multicast to be "process
> switched", if my memory is ok.

You need to use "ip igmp static-group ..." instead.

	M.

> On Mon, 22-02-2010 at 22:40 +0000, Vladislav Vasilev wrote:
> > Hello all,
> >
> > I thought that applying "ip igmp join-group 239.1.1.1" makes the interface
> > under which is executed a member of 239.1.1.1 for as long as the command is
> > there. The problem is that the switch (in this case ME3400) never sends
> > another IGMP report and the multicast stream gets pruned. I guess it is a
> > bug?
> >
> >
> > Regards,
> > V.Vasilev

From sven at darkman.de Wed Feb 24 08:43:06 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Wed, 24 Feb 2010 14:43:06 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <8e157ab41002231027u33830aadgddb28cd9a772685e@mail.gmail.com>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com> <4B5EE8C6.40106@darkman.de> <8e157ab41001310205n600a64bbs7db9deb57d3998a8@mail.gmail.com> <4B839152.9070802@darkman.de> <8e157ab41002231027u33830aadgddb28cd9a772685e@mail.gmail.com>
Message-ID: <4B852CEA.30608@darkman.de>

Hi,

Matt Buford wrote:
> Have you confirmed that the problem happens to packets going through the
> switch? What you pasted before was pings originating from the switch.
> In general, I wouldn't assume that the behavior of pings to/from the
> switch are the same as packets through the switch. They take a very
> different path through the switch.
>
> For example, put one host on a non-pvlan SVI, and then put another host
> on your pvlan SVI. Do you get the same packetloss problem?

I've tested it, again, just to be sure. The device is on the 3650 switch
in the pvlan, 6500 does the routing and holds the svi for the pvlan. I
started pinging the testdevice which worked fine so far. Then I enabled
ip verify unicast source reachable-via rx and got massive loss.
After disabling it, the ping worked fine again:

64 bytes from x.x.x.13: icmp_seq=50 ttl=63 time=603 usec
64 bytes from x.x.x.13: icmp_seq=51 ttl=63 time=613 usec
64 bytes from x.x.x.13: icmp_seq=52 ttl=63 time=616 usec
64 bytes from x.x.x.13: icmp_seq=53 ttl=63 time=616 usec
64 bytes from x.x.x.13: icmp_seq=54 ttl=63 time=599 usec
64 bytes from x.x.x.13: icmp_seq=55 ttl=63 time=616 usec
- enable -
64 bytes from x.x.x.13: icmp_seq=58 ttl=63 time=726 usec
64 bytes from x.x.x.13: icmp_seq=60 ttl=63 time=640 usec
64 bytes from x.x.x.13: icmp_seq=67 ttl=63 time=667 usec
64 bytes from x.x.x.13: icmp_seq=69 ttl=63 time=641 usec
- disable -
64 bytes from x.x.x.13: icmp_seq=71 ttl=63 time=642 usec
64 bytes from x.x.x.13: icmp_seq=72 ttl=63 time=625 usec
64 bytes from x.x.x.13: icmp_seq=73 ttl=63 time=617 usec
64 bytes from x.x.x.13: icmp_seq=74 ttl=63 time=591 usec
64 bytes from x.x.x.13: icmp_seq=75 ttl=63 time=574 usec
64 bytes from x.x.x.13: icmp_seq=76 ttl=63 time=605 usec
64 bytes from x.x.x.13: icmp_seq=77 ttl=63 time=609 usec
64 bytes from x.x.x.13: icmp_seq=78 ttl=63 time=582 usec

so it's definitively a problem with the verify stuff and pvlan :(

Regards and thanks,
Sven

From Jon.Harald.Bovre at hafslund.no Wed Feb 24 08:21:25 2010
From: Jon.Harald.Bovre at hafslund.no (Bøvre Jon Harald)
Date: Wed, 24 Feb 2010 14:21:25 +0100
Subject: [c-nsp] ip igmp join-group x.x.x.x
In-Reply-To: <1267015957.1688.11.camel@hal9000>
Message-ID:

You might be using this command to avoid process switching:

ip igmp static-group x.x.x.x

Jon

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of luismi
Sent: 24
February 2010 13:53
To: Vladislav Vasilev
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ip igmp join-group x.x.x.x

Be aware of the command, I don't know the behaviour of your platform, but
in our 7206 npe-g2 we have issues with it. Multicast video and audio was
broken because the command makes the multicast to be "process
switched", if my memory is ok.

On Mon, 22-02-2010 at 22:40 +0000, Vladislav Vasilev wrote:
> Hello all,
>
> I thought that applying "ip igmp join-group 239.1.1.1" makes the
> interface under which is executed a member of 239.1.1.1 for as long as
> the command is there. The problem is that the switch (in this case
> ME3400) never sends another IGMP report and the multicast stream gets
> pruned. I guess it is a bug?
>
>
> Regards,
> V.Vasilev

From arturnrm at gmail.com Wed Feb 24 10:10:04 2010
From: arturnrm at gmail.com (Artur)
Date: Wed, 24 Feb 2010 12:10:04 -0300
Subject: [c-nsp] ip igmp join-group x.x.x.x
In-Reply-To: <20100224133509.GA62243@bts.sk>
References: <353e59af1002221440k5ae75879k9ba8ab89197e06bb@mail.gmail.com> <1267015957.1688.11.camel@hal9000> <20100224133509.GA62243@bts.sk>
Message-ID: <4B85414C.7070705@gmail.com>

for static join use *ip igmp static-group*

for troubleshooting purposes use *ip igmp join-group*; the router will
answer pings to the multicast group address

On 2/24/2010 10:35 AM, Marian Ďurkovič wrote:
> On Wed, Feb 24, 2010 at 01:52:37PM +0100, luismi wrote:
>
>> Be aware of the command, I don't know the behaviour of your platform, but
>> in our 7206 npe-g2 we have issues with it.
>> Multicast video and audio was
>> broken because the command makes the multicast to be "process
>> switched", if my memory is ok.
>>
> You need to use "ip igmp static-group ..." instead.
>
> M.
>
>
>> On Mon, 22-02-2010 at 22:40 +0000, Vladislav Vasilev wrote:
>>
>>> Hello all,
>>>
>>> I thought that applying "ip igmp join-group 239.1.1.1" makes the interface
>>> under which is executed a member of 239.1.1.1 for as long as the command is
>>> there. The problem is that the switch (in this case ME3400) never sends
>>> another IGMP report and the multicast stream gets pruned. I guess it is a
>>> bug?
>>>
>>>
>>> Regards,
>>> V.Vasilev
>>>

From asturluismi at gmail.com Wed Feb 24 10:36:40 2010
From: asturluismi at gmail.com (luismi)
Date: Wed, 24 Feb 2010 16:36:40 +0100
Subject: [c-nsp] ip igmp join-group x.x.x.x
In-Reply-To: <20100224133509.GA62243@bts.sk>
References: <353e59af1002221440k5ae75879k9ba8ab89197e06bb@mail.gmail.com> <1267015957.1688.11.camel@hal9000> <20100224133509.GA62243@bts.sk>
Message-ID: <1267025800.1688.12.camel@hal9000>

Ah! ok interesting :D

On Wed, 24-02-2010 at 14:35 +0100, Marian Ďurkovič wrote:
> On Wed, Feb 24, 2010 at 01:52:37PM +0100, luismi wrote:
> > Be aware of the command, I don't know the behaviour of your platform, but
> > in our 7206 npe-g2 we have issues with it. Multicast video and audio was
> > broken because the command makes the multicast to be "process
> > switched", if my memory is ok.
>
> You need to use "ip igmp static-group ..." instead.
>
> M.
>
> > > On Mon, 22-02-2010 at 22:40 +0000, Vladislav Vasilev wrote:
> > > Hello all,
> > >
> > > I thought that applying "ip igmp join-group 239.1.1.1" makes the interface
> > > under which it is executed a member of 239.1.1.1 for as long as the command is
> > > there. The problem is that the switch (in this case ME3400) never sends
> > > another IGMP report and the multicast stream gets pruned. I guess it is a
> > > bug?
> > >
> > > Regards,
> > > V.Vasilev

From chris.flav at yahoo.ca Wed Feb 24 12:23:59 2010
From: chris.flav at yahoo.ca (Chris Flav)
Date: Wed, 24 Feb 2010 09:23:59 -0800 (PST)
Subject: [c-nsp] PPPoE LNS
Message-ID: <554500.41648.qm@web111113.mail.gq1.yahoo.com>

We currently use the 7204VXR platform with NPE-G1 controllers to terminate PPPoE over L2TP. We are able to handle 5k subscribers @ 80,000pps before the CPU is beyond usability.

We are looking to move to a G2 controller, however our experience with G2 controllers vs CPU/pps rates compared to the G1 was not very conclusive. Similar CPU usages seemed to be the case.

Any suggestions as to an alternate cost-effective platform to handle the above loads?

Thanks,

C. Flav

From vvasilev at vvasilev.net Wed Feb 24 13:19:11 2010
From: vvasilev at vvasilev.net (Vladislav Vasilev)
Date: Wed, 24 Feb 2010 18:19:11 +0000
Subject: [c-nsp] PPPoE LNS
In-Reply-To: <554500.41648.qm@web111113.mail.gq1.yahoo.com>
References: <554500.41648.qm@web111113.mail.gq1.yahoo.com>
Message-ID: <353e59af1002241019y5d0e98a0va49b9961ce0beb7c@mail.gmail.com>

You should consider using the Redback SE100 or, even better, the SE400. It is incomparably faster and it is in this price range.
Regards,
V.Vasilev

On Wed, Feb 24, 2010 at 5:23 PM, Chris Flav wrote:
> We currently use the 7204VXR platform with NPE-G1 controllers to terminate
> PPPoE over L2TP. We are able to handle 5k subscribers @ 80,000pps before
> the CPU is beyond usability.
>
> We are looking to move to a G2 controller, however our experience with G2
> controllers vs CPU/pps rates compared to the G1 was not very conclusive.
> Similar CPU usages seemed to be the case.
>
> Any suggestions as to an alternate cost-effective platform to handle the
> above loads?
>
> Thanks,
>
> C. Flav

From avayner at cisco.com Wed Feb 24 13:32:18 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 24 Feb 2010 19:32:18 +0100
Subject: [c-nsp] PPPoE LNS
In-Reply-To: <554500.41648.qm@web111113.mail.gq1.yahoo.com>
References: <554500.41648.qm@web111113.mail.gq1.yahoo.com>
Message-ID:

Take a look at the ASR1K.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Flav
Sent: Wednesday, February 24, 2010 19:24
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PPPoE LNS

We currently use the 7204VXR platform with NPE-G1 controllers to terminate PPPoE over L2TP. We are able to handle 5k subscribers @ 80,000pps before the CPU is beyond usability.

We are looking to move to a G2 controller, however our experience with G2 controllers vs CPU/pps rates compared to the G1 was not very conclusive. Similar CPU usages seemed to be the case.
Any suggestions as to an alternate cost-effective platform to handle the above loads?

Thanks,

C. Flav

From cm at n-home.ru Wed Feb 24 16:50:25 2010
From: cm at n-home.ru (Cyrill Malevanov)
Date: Thu, 25 Feb 2010 00:50:25 +0300
Subject: [c-nsp] PPPoE LNS
In-Reply-To: <554500.41648.qm@web111113.mail.gq1.yahoo.com>
References: <554500.41648.qm@web111113.mail.gq1.yahoo.com>
Message-ID: <609A00F0-BB61-4EC9-92B4-0B2A755FD125@n-home.ru>

On Feb 24, 2010, at 8:23 PM, Chris Flav wrote:
> We currently use the 7204VXR platform with NPE-G1 controllers to terminate PPPoE over L2TP. We are able to handle 5k subscribers @ 80,000pps before the CPU is beyond usability.
> Any suggestions as to an alternate cost-effective platform to handle the above loads?

ASR1002F

From paveldimow at gmail.com Wed Feb 24 16:56:28 2010
From: paveldimow at gmail.com (Pavel Dimow)
Date: Wed, 24 Feb 2010 22:56:28 +0100
Subject: [c-nsp] Forwarding traffic to "transparent" device
Message-ID: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com>

Hi,

as I am not a native English speaker I don't know how to name my problem, but I will try to give as many details as possible.
Here it is: I have a Cisco 7600 which is the core switch, and it has one uplink to our edge router (it is an SVI interface). Now, I would like to insert a transparent cache engine. That would not be a problem, except that the connection between edge and core is fiber and the transparent device has only copper ports.
I know that I can buy media converters, but what I would really like instead is to connect the cache to the core and forward everything (to and from the internet) via the cache and then back to the core, and so on.
Something like this:

------------
|   EDGE   |
------------
       |
    --|--
    | C |
    | O |-------CACHE
    | R |--------
    | E |
    -----

USERS

Is this possible at all, and are there any other solutions?

Thank you.

From florin at futurefreedom.ro Wed Feb 24 17:11:10 2010
From: florin at futurefreedom.ro (Florin Veres)
Date: Thu, 25 Feb 2010 00:11:10 +0200
Subject: [c-nsp] Forwarding traffic to "transparent" device
In-Reply-To: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com>
References: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com>
Message-ID: <471397ca1002241411y4dfa695avd77107f957ca86ad@mail.gmail.com>

Hey,

That is possible - just use VLAN mapping and OSPF/ISIS/other IGP between your core and your edge.
If you want, I could send you a configuration example.

On Wed, Feb 24, 2010 at 11:56 PM, Pavel Dimow wrote:
> Hi,
>
> as I am not a native English speaker I don't know how to name my problem,
> but I will try to give as many details as possible.
> Here it is: I have a Cisco 7600 which is the core switch, and it has one
> uplink to our edge router (it is an SVI interface). Now, I would like to
> insert a transparent cache engine. That would not be a problem, except that
> the connection between edge and core is fiber and
> the transparent device has only copper ports. I know that I can buy
> media converters, but what I would really like instead
> is to connect the cache to the core and forward everything (to and from the internet) via
> the cache and then back to the core, and so on.
> Something like this:
>
> ------------
> |   EDGE   |
> ------------
>        |
>     --|--
>     | C |
>     | O |-------CACHE
>     | R |--------
>     | E |
>     -----
>
> USERS
>
> Is this possible at all, and are there any other solutions?
>
> Thank you.

From MatlockK at exempla.org Wed Feb 24 17:17:11 2010
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Wed, 24 Feb 2010 15:17:11 -0700
Subject: [c-nsp] Forwarding traffic to "transparent" device
References: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C70489EAD6@LMC-MAIL2.exempla.org>

Two ways I can think of off the top of my head.

1) WCCP
2) Policy-based routing

If #1 is supported on both, that would be by FAR my recommendation.

Ken

________________________________

From: cisco-nsp-bounces at puck.nether.net on behalf of Pavel Dimow
Sent: Wed 2/24/2010 2:56 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Forwarding traffic to "transparent" device

Hi,

as I am not a native English speaker I don't know how to name my problem, but I will try to give as many details as possible.
Here it is: I have a Cisco 7600 which is the core switch, and it has one uplink to our edge router (it is an SVI interface). Now, I would like to insert a transparent cache engine. That would not be a problem, except that the connection between edge and core is fiber and the transparent device has only copper ports. I know that I can buy media converters, but what I would really like instead is to connect the cache to the core and forward everything (to and from the internet) via the cache and then back to the core, and so on.
Something like this:

------------
|   EDGE   |
------------
       |
    --|--
    | C |
    | O |-------CACHE
    | R |--------
    | E |
    -----

USERS

Is this possible at all, and are there any other solutions?

Thank you.

From rwest at zyedge.com Wed Feb 24 17:19:48 2010
From: rwest at zyedge.com (Ryan West)
Date: Wed, 24 Feb 2010 22:19:48 +0000
Subject: [c-nsp] Forwarding traffic to "transparent" device
In-Reply-To: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com>
References: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com>
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD123B7E@zy-ex1.zyedge.local>

Pavel,

> -----Original Message-----
> Sent: Wednesday, February 24, 2010 4:56 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Forwarding traffic to "transparent" device
>
> Hi,
>
> as I am not a native English speaker I don't know how to name my problem,
> but I will try to give as many details as possible.
> Here it is: I have a Cisco 7600 which is the core switch, and it has one
> uplink to our edge router (it is an SVI interface). Now, I would like to
> insert a transparent cache engine. That would not be a problem, except that
> the connection between edge and core is fiber and
> the transparent device has only copper ports. I know that I can buy
> media converters, but what I would really like instead
> is to connect the cache to the core and forward everything (to and from the internet) via
> the cache and then back to the core, and so on.
> Something like this:
>
> ------------
> |   EDGE   |
> ------------
>        |
>     --|--
>     | C |
>     | O |-------CACHE
>     | R |--------
>     | E |
>     -----
>
> USERS
>
> Is this possible at all, and are there any other solutions?
>

Are you sure your core and cache engine do not support WCCP? That might be your best bet. The VLAN mapping option will also work, but if your caching engine decides to fail and does support a hardware-based fail-open, no more traffic will flow.
-ryan

From paveldimow at gmail.com Wed Feb 24 17:25:37 2010
From: paveldimow at gmail.com (Pavel Dimow)
Date: Wed, 24 Feb 2010 23:25:37 +0100
Subject: [c-nsp] Forwarding traffic to "transparent" device
In-Reply-To: <5DC4853C6CC3EE4788779E0726E034DD123B7E@zy-ex1.zyedge.local>
References: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com> <5DC4853C6CC3EE4788779E0726E034DD123B7E@zy-ex1.zyedge.local>
Message-ID: <6d2cb0d51002241425m57b38f68mbb04a49989c4fea0@mail.gmail.com>

Hello all,

thank you for your suggestions, but as this is a transparent device (i.e. it acts just like a wire) WCCP is not an option. Besides that, it can cache BitTorrent traffic, which I believe is not WCCP friendly :)

On Wed, Feb 24, 2010 at 11:19 PM, Ryan West wrote:
> Pavel,
>
>> -----Original Message-----
>> Sent: Wednesday, February 24, 2010 4:56 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Forwarding traffic to "transparent" device
>>
>> Hi,
>>
>> as I am not a native English speaker I don't know how to name my problem,
>> but I will try to give as many details as possible.
>> Here it is: I have a Cisco 7600 which is the core switch, and it has one
>> uplink to our edge router (it is an SVI interface). Now, I would like to
>> insert a transparent cache engine. That would not be a problem, except that
>> the connection between edge and core is fiber and
>> the transparent device has only copper ports. I know that I can buy
>> media converters, but what I would really like instead
>> is to connect the cache to the core and forward everything (to and from the internet) via
>> the cache and then back to the core, and so on.
>> Something like this:
>>
>> ------------
>> |   EDGE   |
>> ------------
>>        |
>>     --|--
>>     | C |
>>     | O |-------CACHE
>>     | R |--------
>>     | E |
>>     -----
>>
>> USERS
>>
>> Is this possible at all, and are there any other solutions?
>>
>
> Are you sure your core and cache engine do not support WCCP? That might be your best bet.
> The VLAN mapping option will also work, but if your caching engine decides to fail and does support a hardware-based fail-open, no more traffic will flow.
>
> -ryan
>

From frnkblk at iname.com Thu Feb 25 01:36:30 2010
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Thu, 25 Feb 2010 00:36:30 -0600
Subject: [c-nsp] Missing BGP MIB support on Cisco 2621
In-Reply-To:
References: <8770c70a-0897-49ad-b10d-f4e4a31d1d86@exch2k7.gilat.local>
Message-ID:

Thanks for the suggestion, but querying for it specifically via snmpget and snmpwalk failed, so I don't think downloading the MIB itself would help.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: Sunday, February 21, 2010 1:57 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Missing BGP MIB support on Cisco 2621

I think you should download the specific MIB for your release and try to browse it with some MIB browser or using the Cisco MIB Locator.
Here's a link for the v2 MIB:
http://tools.cisco.com/ITDIT/MIBS/MainServlet?ReleaseSel=0&PlatformSel=0&fsSel=0&IMAGE_NAME=c2600-is4-mz.123-26.bin&SUBMIT2=Submit

HTH
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iName.com
Sent: Friday, February 19, 2010 12:31 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Missing BGP MIB support on Cisco 2621

According to Cisco's MIB Locator, c2600-is4-mz.123-26.bin should have CISCO-BGP4-MIB support, but when I try to walk that part of the tree (1.3.6.1.4.1.9.9.187) in v1 or v2c that fails. I'm using this router to do IPv6 tunneling, and the only routes exchanged on this router are IPv6.

Anyone else see this? Or is there a special knob I need to turn that on?
Frank

From vijaygore27 at gmail.com Thu Feb 25 03:34:50 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Thu, 25 Feb 2010 14:04:50 +0530
Subject: [c-nsp] netstatCLOSE_WAIT
Message-ID: <31533f201002250034w4667113bu43adeeb0369ce3bb@mail.gmail.com>

dear team,

how to clear CLOSE_WAIT status from netstat

From gert at greenie.muc.de Thu Feb 25 04:00:47 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 25 Feb 2010 10:00:47 +0100
Subject: [c-nsp] netstatCLOSE_WAIT
In-Reply-To: <31533f201002250034w4667113bu43adeeb0369ce3bb@mail.gmail.com>
References: <31533f201002250034w4667113bu43adeeb0369ce3bb@mail.gmail.com>
Message-ID: <20100225090047.GO9556@greenie.muc.de>

Hi,

On Thu, Feb 25, 2010 at 02:04:50PM +0530, vijay gore wrote:
> how to clear CLOSE_WAIT status from netstat

reboot.

(With the information you have given us, like "what operating system" or "what is the underlying problem", reboot is the only answer that is guaranteed to help getting rid of CLOSE_WAIT on *every* platform)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From vijaygore27 at gmail.com Thu Feb 25 04:19:19 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Thu, 25 Feb 2010 14:49:19 +0530
Subject: [c-nsp] netstatCLOSE_WAIT
In-Reply-To: <20100225090047.GO9556@greenie.muc.de>
References: <31533f201002250034w4667113bu43adeeb0369ce3bb@mail.gmail.com> <20100225090047.GO9556@greenie.muc.de>
Message-ID: <31533f201002250119u6f03c41fj201dd0382b334b91@mail.gmail.com>

i don't want to reboot my win xp OS

On Thu, Feb 25, 2010 at 2:30 PM, Gert Doering wrote:
> Hi,
>
> On Thu, Feb 25, 2010 at 02:04:50PM +0530, vijay gore wrote:
> > how to clear CLOSE_WAIT status from netstat
>
> reboot.
>
> (With the information you have given us, like "what operating system"
> or "what is the underlying problem", reboot is the only answer that is
> guaranteed to help getting rid of CLOSE_WAIT on *every* platform)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

From atif.jauhar at gmail.com Thu Feb 25 05:36:08 2010
From: atif.jauhar at gmail.com (Muhammad Atif Jauahar)
Date: Thu, 25 Feb 2010 15:36:08 +0500
Subject: [c-nsp] Comparison between Cisco and Juniper Data Center Switches
In-Reply-To: <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com>
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com> <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com>
Message-ID: <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>

Hi,

> We are going to upgrade our Data Center; we need 2 (redundant) core
> switches with top of rack switches (Edge).
>
> We get two Proposals
>
1. 2 x EX8216 Switches (Core) and a few EX4200 Switches (Edge)
2. 2 x Nexus 7000 (Core), 2 Nexus 5000 (Distribution layer) and a few Nexus 2000 fabric extenders (Edge).

Which Proposal is best and why? Comments needed.

>
> --
> Regards,
>
> Muhammad Atif Jauhar
> (+92-33-3346-0000)
>

From gert at greenie.muc.de Thu Feb 25 05:46:40 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 25 Feb 2010 11:46:40 +0100
Subject: [c-nsp] netstatCLOSE_WAIT
In-Reply-To: <31533f201002250119u6f03c41fj201dd0382b334b91@mail.gmail.com>
References: <31533f201002250034w4667113bu43adeeb0369ce3bb@mail.gmail.com> <20100225090047.GO9556@greenie.muc.de> <31533f201002250119u6f03c41fj201dd0382b334b91@mail.gmail.com>
Message-ID: <20100225104640.GP9556@greenie.muc.de>

Hi,

On Thu, Feb 25, 2010 at 02:49:19PM +0530, vijay gore wrote:
> i don't want to reboot my win xp OS

Ah, Windows. Rebooting *always* helps with windows problems.

(You *did* notice that this is a *cisco* list, not an "I have a windows system and need help!"-list?)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
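The thread above stops at "reboot"; what an operator usually wants first is which process owns the CLOSE_WAIT sockets, because CLOSE_WAIT only clears when that process closes its end, so restarting the process is enough. The following is an added example (not code from the thread or from any poster): it parses `netstat -ano` style output, constructed sample lines included, and groups CLOSE_WAIT sockets by PID.

```python
"""Attribute CLOSE_WAIT sockets to their owning process (added example).

CLOSE_WAIT means the remote side has already closed; the socket stays in that
state until the local application calls close() on it, so the kernel never
clears it by itself. Finding the owning PID tells you what to restart instead
of rebooting the machine. SAMPLE_NETSTAT is constructed sample data in the
column layout of `netstat -ano` on Windows (Proto, Local Address, Foreign
Address, State, PID); it is not a capture from the mailing list thread.
"""
import re
from collections import defaultdict

# Constructed sample: header lines, TCP sockets in several states, one UDP socket.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.0.2.10:1043        198.51.100.7:80        CLOSE_WAIT      2316
  TCP    192.0.2.10:1044        198.51.100.7:80        CLOSE_WAIT      2316
  TCP    192.0.2.10:1051        203.0.113.9:443        ESTABLISHED     2316
  TCP    192.0.2.10:1060        198.51.100.22:8080     CLOSE_WAIT      1588
  TCP    192.0.2.10:1061        198.51.100.22:8080     TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    640
"""

# One connection line: protocol, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection line; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conn = m.groupdict()          # state is None for UDP rows
            conn["pid"] = int(conn["pid"])
            conns.append(conn)
    return conns


def close_wait_by_pid(text):
    """Map PID -> list of (local, foreign) endpoints sitting in CLOSE_WAIT."""
    stuck = defaultdict(list)
    for conn in parse_netstat(text):
        if conn["state"] == "CLOSE_WAIT":
            stuck[conn["pid"]].append((conn["local"], conn["foreign"]))
    return dict(stuck)


def restart_candidate(text):
    """PID holding the most CLOSE_WAIT sockets, or None when there are none."""
    stuck = close_wait_by_pid(text)
    if not stuck:
        return None
    return max(stuck, key=lambda pid: len(stuck[pid]))


if __name__ == "__main__":
    for pid, sockets in sorted(close_wait_by_pid(SAMPLE_NETSTAT).items()):
        print(f"PID {pid}: {len(sockets)} socket(s) in CLOSE_WAIT")
        for local, foreign in sockets:
            print(f"    {local} <- {foreign}")
    # In the sample, PID 2316 holds two stuck sockets and is the one to restart.
    print("restart candidate:", restart_candidate(SAMPLE_NETSTAT))
```

On a live system feed it the real output (`netstat -ano` on Windows, `netstat -tanp` needs a small column change on Linux) and map the PID back to a service with the task manager or `tasklist`.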
From nick at inex.ie Thu Feb 25 06:00:55 2010
From: nick at inex.ie (Nick Hilliard)
Date: Thu, 25 Feb 2010 11:00:55 +0000
Subject: [c-nsp] Comparison between Cisco and Juniper Data Center Switches
In-Reply-To: <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com> <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com> <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
Message-ID: <4B865867.3030006@inex.ie>

On 25/02/2010 10:36, Muhammad Atif Jauahar wrote:
>> We are going to upgrade our Data Center; we need 2 (redundant) core
>> switches with top of rack switches (Edge).
>>
>> We get two Proposals
>>
> 1. 2 x EX8216 Switches (Core) and a few EX4200 Switches (Edge)
> 2. 2 x Nexus 7000 (Core), 2 Nexus 5000 (Distribution layer)
> and a few Nexus 2000 fabric extenders (Edge).
>
> Which Proposal is best and why? Comments needed.

Cisco, definitely. I always recommend Cisco because their colour scheme is nicer.

In return, can you answer a question that's been puzzling me for a while? I need to buy some string for tying things together: can you recommend the correct type and length that will suit my requirements, and why? It's important for me to ensure that the length isn't too long and isn't too short, and is just the correct strength. I need redundancy here! Please provide reasons.
thanks,
Nick

From sthaug at nethelp.no Thu Feb 25 06:04:41 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 25 Feb 2010 12:04:41 +0100 (CET)
Subject: [c-nsp] Comparison between Cisco and Juniper Data Center Switches
In-Reply-To: <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com> <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com> <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
Message-ID: <20100225.120441.41722127.sthaug@nethelp.no>

> > We are going to upgrade our Data Center; we need 2 (redundant) core
> > switches with top of rack switches (Edge).
> >
> > We get two Proposals
> >
> 1. 2 x EX8216 Switches (Core) and a few EX4200 Switches (Edge)
> 2. 2 x Nexus 7000 (Core), 2 Nexus 5000 (Distribution layer)
> and a few Nexus 2000 fabric extenders (Edge).
>
> Which Proposal is best and why? Comments needed.

"We got two proposals, one Ford and one GM. Which is best and why?"

You haven't said *anything* about what your real requirements are...

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From jp at softnet.si Thu Feb 25 06:45:10 2010
From: jp at softnet.si (Primoz Jeroncic)
Date: Thu, 25 Feb 2010 12:45:10 +0100 (CET)
Subject: [c-nsp] MPLS and NAT
Message-ID:

Hi

I have a very specific MPLS config and, to be honest, I have no idea how to configure this. In this rare case CCO doesn't seem to be very helpful... or at least I can't find any samples for this.

I have a central location and a few subsidiaries. An MPLS VPN is configured between these, and everything works fine. Now there will be some changes in the config, and the client would want all subsidiaries to connect over NAT with one single IP address. This means that I should be doing NAT on the PE router (on the VRF interface), so that I would translate all subsidiaries' networks into one single IP at the central (main) location.
On the central location's PE my (relevant) config looks like this:

ip vrf mpls1
 description MPLS VPN for Bankart-Emporium
 rd 65001:10
 route-target export 65001:1
 route-target import 65001:1
!
mpls label protocol ldp
no mpls ip propagate-ttl
!
interface FastEthernet0/0
 ip address 20.20.20.2
 mpls ip
 mpls mtu 1546
!
interface FastEthernet0/1
 ip vrf forwarding mpls1
 ip address 10.10.10.1 255.255.255.0
!
router bgp 65001
 no synchronization
 no bgp log-neighbor-changes
 neighbor 30.30.30.1 remote-as 65001
 neighbor 30.30.30.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 30.30.30.1 activate
  neighbor 30.30.30.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf mpls1
  no auto-summary
  no synchronization
  network 10.10.10.0 mask 255.255.255.0
 exit-address-family
!
ip route 30.30.30.1 255.255.255.255 20.20.20.1
!

At the subsidiary location the config is pretty much the same, and their IP addresses in VRF mpls1 are 1.1.1.0/24. Now I would like to translate all 1.1.1.0/24 addresses to 10.10.10.10, so the subsidiaries would access servers on the 10.10.10.0/24 network as 10.10.10.10.

Any hint, link, or sample config for this would be really appreciated :)

Thanks for help.

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.
tel: +386 1 562 31 40   |                          Borovec 2
fax: +386 1 562 18 55   | 1 + 1 = 3                1236 Trzin
primoz(at)softnet.si    | for larger values of 1   Slovenija
http://flea.softnet.si/
-------------------------------------------------------------------

From dana.konkin at sunrise.net Thu Feb 25 07:18:48 2010
From: dana.konkin at sunrise.net (Konkin, Dana)
Date: Thu, 25 Feb 2010 13:18:48 +0100
Subject: [c-nsp] Comparison between Cisco and Juniper Data Center Switches
In-Reply-To: <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com> <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com> <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
Message-ID:

Please buy both and report your results, I would like to hear the answer.

All the best,
Dana

From tomas at soitron.com Thu Feb 25 07:37:22 2010
From: tomas at soitron.com (Daniska, Tomas)
Date: Thu, 25 Feb 2010 13:37:22 +0100
Subject: [c-nsp] 6500/SXI/CSCtc03951 - MS NLB packet dropping
Message-ID: <6B43981C32F8464CB24CEE209DA32BD302C9C36D@kenya.tronet.as>

Hello good people...

has anyone encountered CSCtc03951 - IP packets with unicast DSTIP and multicast DMAC dropped when incoming and leaving the same distributed etherchannel?

I have a customer with a large installed base of MS NLB clusters, the setup is based around VSS and multichassis (i.e., distributed) etherchannels, and I'm seeking a simple workaround until vendor C gets the issue fixed. It's reported with PFC3C, a downgrade to PFC3B mode is not possible as it would conflict with VSS, and topological workarounds seem to be quite complicated - there are multiple VLANs with such clusters and I would have to isolate them to a separate VRF each in order to make the traffic always pass some other interface for server-to-server communications.

Any experience shared will be much appreciated

Thanks

--
Tomas Daniska
Senior CSE/BDM

Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224000, fax: +421 2 58224520

All generalizations are false, including this one. -- Mark Twain

From tomas at soitron.com Thu Feb 25 07:41:54 2010
From: tomas at soitron.com (Daniska, Tomas)
Date: Thu, 25 Feb 2010 13:41:54 +0100
Subject: [c-nsp] Forwarding traffic to "transparent" device
In-Reply-To: <5DC4853C6CC3EE4788779E0726E034DD123B7E@zy-ex1.zyedge.local>
References: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com> <5DC4853C6CC3EE4788779E0726E034DD123B7E@zy-ex1.zyedge.local>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD302C9C372@kenya.tronet.as>

and why is there a problem with simply using VLANs to insert the cache into the path?

--

deejay

> -----Original Message-----
> From: Daniska, Tomas
> Sent: Thursday, February 25, 2010 1:41 PM
> To: 'Pavel Dimow'
> Subject: RE: [c-nsp] Forwarding traffic to "transparent" device
>
> and why is there a problem with simply using VLANs to insert the cache
> into the path?
>
> --
>
> deejay
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Pavel Dimow
> > Sent: Wednesday, February 24, 2010 11:26 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Forwarding traffic to "transparent" device
> >
> > Hello all,
> >
> > thank you for your suggestions, but as this is a transparent device (i.e.
> > it acts just like a wire) WCCP is not an option.
> > Besides that, it can
> > cache BitTorrent traffic, which I believe is not WCCP friendly :)
> >
> >
> > On Wed, Feb 24, 2010 at 11:19 PM, Ryan West wrote:
> > > Pavel,
> > >
> > >> -----Original Message-----
> > >> Sent: Wednesday, February 24, 2010 4:56 PM
> > >> To: cisco-nsp at puck.nether.net
> > >> Subject: [c-nsp] Forwarding traffic to "transparent" device
> > >>
> > >> Hi,
> > >>
> > >> as I am not a native English speaker I don't know how to name my
> > problem,
> > >> but I will try to give as many details as possible.
> > >> Here it is: I have a Cisco 7600 which is the core switch, and it has one
> > >> uplink to our edge router (it is an SVI interface). Now, I would like
> > to
> > >> insert
> > >> a transparent cache engine. That would not be a problem, except
> that
> > >> the connection between edge and core is fiber and
> > >> the transparent device has only copper ports. I know that I can buy
> > >> media converters, but what I would really like instead
> > >> is to connect the cache to the core and forward everything (to and from the internet)
> > via
> > >> the cache and then back to the core, and so on.
> > >> Something like this:
> > >>
> > >> ------------
> > >> |   EDGE   |
> > >> ------------
> > >>        |
> > >>     --|--
> > >>     | C |
> > >>     | O |-------CACHE
> > >>     | R |--------
> > >>     | E |
> > >>     -----
> > >>
> > >> USERS
> > >>
> > >> Is this possible at all, and are there any other solutions?
> > >>
> > >
> > > Are you sure your core and cache engine do not support WCCP? That
> > might be your best bet. The VLAN mapping option will also work, but
> if
> > your caching engine decides to fail and does support a hardware-based
> > fail-open, no more traffic will flow.
> > >
> > > -ryan
> > >
> >

From jshearer at amedisys.com Thu Feb 25 08:11:36 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Thu, 25 Feb 2010 07:11:36 -0600
Subject: [c-nsp] netstatCLOSE_WAIT
In-Reply-To: <20100225104640.GP9556@greenie.muc.de>
References: <31533f201002250034w4667113bu43adeeb0369ce3bb@mail.gmail.com> <20100225090047.GO9556@greenie.muc.de> <31533f201002250119u6f03c41fj201dd0382b334b91@mail.gmail.com> <20100225104640.GP9556@greenie.muc.de>
Message-ID:

Rebooting a windows machine is a dangerous proposition :)

I bet if you disabled/enabled the adapter it would clear.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Thursday, February 25, 2010 4:47 AM
To: vijay gore
Cc: Gert Doering; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] netstatCLOSE_WAIT

Hi,

On Thu, Feb 25, 2010 at 02:49:19PM +0530, vijay gore wrote:
> i don't want to reboot my win xp OS

Ah, Windows. Rebooting *always* helps with windows problems.

(You *did* notice that this is a *cisco* list, not an "I have a windows system and need help!"-list?)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From jshearer at amedisys.com Thu Feb 25 08:13:58 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Thu, 25 Feb 2010 07:13:58 -0600
Subject: [c-nsp] Comparison between Cisco and Juniper Data Center Switches
In-Reply-To: <20100225.120441.41722127.sthaug@nethelp.no>
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com> <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com> <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com> <20100225.120441.41722127.sthaug@nethelp.no>
Message-ID:

Ummm..... Ford is in a better cash position than GM.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of sthaug at nethelp.no
Sent: Thursday, February 25, 2010 5:05 AM
To: atif.jauhar at gmail.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Comparison between Cisco and Juniper Data Center Switches

> > We are going to upgrade our Data Center; we need 2 (redundant) core
> > switches with top of rack switches (Edge).
> >
> > We get two Proposals
> >
> 1. 2 x EX8216 Switches (Core) and a few EX4200 Switches (Edge)
> 2. 2 x Nexus 7000 (Core), 2 Nexus 5000 (Distribution layer)
> and a few Nexus 2000 fabric extenders (Edge).
>
> Which Proposal is best and why? Comments needed.

"We got two proposals, one Ford and one GM. Which is best and why?"

You haven't said *anything* about what your real requirements are...
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From NMaio at guesswho.com Thu Feb 25 08:34:10 2010
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Thu, 25 Feb 2010 08:34:10 -0500
Subject: [c-nsp] Chassis Failure Rate
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD302C9C36D@kenya.tronet.as>
References: <6B43981C32F8464CB24CEE209DA32BD302C9C36D@kenya.tronet.as>
Message-ID: <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com>

Just a quick consensus.

Have many people experienced chassis/backplane failure in the 45xx/65xx/76xx lines? I have not yet (knock on wood) and I would just like to know if people have experienced this and how often. I have read a few posts where this has happened.

Thanks in advance.
From c-nsp at djvh.nl Thu Feb 25 08:52:34 2010
From: c-nsp at djvh.nl (Dirk-Jan van Helmond)
Date: Thu, 25 Feb 2010 14:52:34 +0100
Subject: [c-nsp] Chassis Failure Rate
In-Reply-To: <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com>
References: <6B43981C32F8464CB24CEE209DA32BD302C9C36D@kenya.tronet.as> <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com>
Message-ID:

Once, a 6500.

We had an environment with 8x 6500, this was a new one. When we brought it into service we had very strange behavior. Dropping OSPF sessions, packet-loss, etc.
We swapped everything (sup, linecards, even PSUs) before the chassis backplane became a suspect. The new chassis solved all problems.

rgds,
Dirk

On Feb 25, 2010, at 2:34 PM, wrote:

> Just a quick consensus.
>
> Have many people experienced chassis/backplane failure in the 45xx/65xx/76xx lines? I have not yet (knock on wood) and I would just like to know if people have experienced this and how often. I have read a few posts where this has happened.
>
> Thanks in advance.

From jasongurtz at npumail.com Thu Feb 25 09:17:58 2010
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Thu, 25 Feb 2010 09:17:58 -0500
Subject: [c-nsp] Comparision between Cisco and Juniper Data Center Switches
In-Reply-To: <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com> <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com> <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
Message-ID:

> 1. [...] few EX4200 Switches (Edge)
> 2. [...] 2 Nexus 5000 + Nexus 2000 fabric extender (Edge).
>
> Which Proposal is best and why? comments needed.
One trivially obvious difference: Nexus 5k + 2K is L2 only while EX4200 is L3 capable.

~JasonG

From imaginarywave at gmail.com Thu Feb 25 09:44:04 2010
From: imaginarywave at gmail.com (Matt Martini)
Date: Thu, 25 Feb 2010 09:44:04 -0500
Subject: [c-nsp] Getting serial number for 3640s
In-Reply-To:
References: <4B83E5BA.9E6F.00B8.0@dps.k12.oh.us> <4B84332A.1050408@inex.ie> <4B83EDAA.9E6F.00B8.0@dps.k12.oh.us> <00C0F7C1912DA04585B1ECA7A0CD3CC0066D966556@LUEMS04VS.University.liberty.edu>
Message-ID: <6EE2B921-E611-499C-BCC0-2354280FD534@gmail.com>

One thing you can do to help with this in the future is to put the S/N into the config. Something like:

alias exec SerialNumber SN_

That way it is always available with a show config. True this doesn't help you get the S/N the first time, for that you still have to do a visual inspection. It is a good idea to have this in your deployment procedure for all equipment.

Matt

On Feb 23, 2010, at 6:55 PM, Cory Ayers wrote:

>> Hello,
>> We had a similar problem with our 7200 series. According to TAC some Cisco products do not report the serial number. That was the case with us, and the only way to verify was to physically go to the box and check. Given the age of the 3600 series routers, I would guess the same limitation applies to your case.
>>
>>
>>> I've going over a customer's inventory, and I'm having some trouble serial numbers. How do you get the serial number for a 3640 router? I usually look for the processor board ID in 'sho ver', but that's not matching what's listed in the inventory.
>
> I don't believe there is a way to pull chassis serial from the command line on the older router models (2600, 3600, 7200). You can pull the mainboard serial, but this does not match the sticker on the outside of the chassis.
From A.L.M.Buxey at lboro.ac.uk Thu Feb 25 09:46:03 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 25 Feb 2010 14:46:03 +0000
Subject: [c-nsp] Chassis Failure Rate
In-Reply-To:
References: <6B43981C32F8464CB24CEE209DA32BD302C9C36D@kenya.tronet.as> <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com>
Message-ID: <20100225144603.GA11765@lboro.ac.uk>

Hi,

> We swapped everything (sup, linecards, even PSUs) before the chassis backplane became a suspect. The new chassis solved all problems.

we have one 6509 here that appears to be having a backplane issue - we are swapping it out today. first time ever from my own memory - and we have over a dozen of them.

alan

From tomas at soitron.com Thu Feb 25 09:59:51 2010
From: tomas at soitron.com (Daniska, Tomas)
Date: Thu, 25 Feb 2010 15:59:51 +0100
Subject: [c-nsp] Chassis Failure Rate
In-Reply-To:
References: <6B43981C32F8464CB24CEE209DA32BD302C9C36D@kenya.tronet.as> <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD302C9C3FC@kenya.tronet.as>

The only chassis-related RMA I have experienced were
1) several times the chassis came damaged due to transport
2) a failed env-mon PCB on a 7500 lots of years ago. The folk from TAC has sent me a new chassis only to replace the tiny PCB and send the chassis back :)

--

deejay

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dirk-Jan van Helmond
> Sent: Thursday, February 25, 2010 2:53 PM
> To:
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Chassis Failure Rate
>
> Once, a 6500.
>
> We had an environment with 8x 6500, this was a new one. When we brought it into service we had very strange behavior. Dropping OSPF sessions, packet-loss, etc.
> We swapped everything (sup, linecards, even PSUs) before the chassis backplane became a suspect. The new chassis solved all problems.
>
>
> rgds,
> Dirk
>
>
>
> On Feb 25, 2010, at 2:34 PM, wrote:
>
> > Just a quick consensus.
> >
> > Have many people experienced chassis/backplane failure in the 45xx/65xx/76xx lines? I have not yet (knock on wood) and I would just like to know if people have experienced this and how often. I have read a few posts where this has happened.
> >
> > Thanks in advance.

From c.byelong at ucl.ac.uk Thu Feb 25 10:26:57 2010
From: c.byelong at ucl.ac.uk (Colin Byelong)
Date: Thu, 25 Feb 2010 15:26:57 +0000
Subject: [c-nsp] Chassis Failure Rate
In-Reply-To: <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com>
References: <6B43981C32F8464CB24CEE209DA32BD302C9C36D@kenya.tronet.as> <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com>
Message-ID: <4B8696C1.7050209@ucl.ac.uk>

I think we had one 6509 chassis that had to be swapped we have had around 20 of them for 10 years

Thanks
Colin

> Just a quick consensus.
>
> Have many people experienced chassis/backplane failure in the 45xx/65xx/76xx lines? I have not yet (knock on wood) and I would just like to know if people have experienced this and how often. I have read a few posts where this has happened.
>
> Thanks in advance.
>
--
-----------------------------------------------------------------------
Colin Byelong                          Email: C.Byelong at ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street                           Phone: 020 7679-2572
London WC1E 6BT
------------------------------------------------------------------------

From rmacharia at gmail.com Thu Feb 25 10:46:31 2010
From: rmacharia at gmail.com (Raymond Macharia)
Date: Thu, 25 Feb 2010 18:46:31 +0300
Subject: [c-nsp] Comparision between Cisco and Juniper Data Center Switches
In-Reply-To: <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com> <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com> <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
Message-ID:

A way to approach it is to list down your requirements. List what you must have and what is nice to have, line them up side by side with the equipment and see which delivers the most of your requirements, at the best price if cost is an issue also.

Raymond

On 2/25/10, Muhammad Atif Jauahar wrote:
> Hi,
>
>
>> We are going to upgrade our Data Center we need 2 (redundant) core switches with top of rack switches (Edge).
>>
>> We get two Proposals
>>
> 1. 2 x EX8216 Switches (Core) and few EX4200 Switches (Edge)
> 2. 2 x Nexus 7000 (Core), 2 Nexus 5000 (Distribution layer)
>    and few Nexus 2000 fabric extender (Edge).
>
> Which Proposal is best and why? comments needed.
>
>>
>>
>> --
>> Regards,
>>
>> Muhammad Atif Jauhar
>> (+92-33-3346-0000)
>>
>
--
Sent from my mobile device

Raymond Macharia

From fitzgeraldb at camosun.bc.ca Thu Feb 25 10:53:28 2010
From: fitzgeraldb at camosun.bc.ca (Brian Fitzgerald)
Date: Thu, 25 Feb 2010 07:53:28 -0800
Subject: [c-nsp] Chassis Failure Rate
In-Reply-To: <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com>
Message-ID:

Once with a 6500 - we had a chassis that stopped recognizing the left power supply. It still delivered power, but the Sup couldn't tell what model PS it was, so assumed it was a 1300W unit (and shut down half the chassis if the other supply failed).

Numerous fan failures with Cat4000s, but no problems with our 4500s

Brian

On 10-02-25 5:34 AM, "NMaio at guesswho.com" wrote:

> Just a quick consensus.
>
> Have many people experienced chassis/backplane failure in the 45xx/65xx/76xx lines? I have not yet (knock on wood) and I would just like to know if people have experienced this and how often. I have read a few posts where this has happened.
>
> Thanks in advance.

From johnps at IowaTelecom.com Thu Feb 25 11:28:28 2010
From: johnps at IowaTelecom.com (John P.
Schneider)
Date: Thu, 25 Feb 2010 10:28:28 -0600
Subject: [c-nsp] Forwarding traffic to "transparent" device
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD302C9C372@kenya.tronet.as>
References: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com> <5DC4853C6CC3EE4788779E0726E034DD123B7E@zy-ex1.zyedge.local> <6B43981C32F8464CB24CEE209DA32BD302C9C372@kenya.tronet.as>
Message-ID:

I see this as giving the caching device an IP off of the 7600 core switch and using policy based routing (both directions)

Let me also recommend ip sla tracking. If the caching device is the one I have experience with you will want to dynamically stop the PBR in the event the caching appliance has problems

Best Regards,
John

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Daniska, Tomas
Sent: Thursday, February 25, 2010 6:42 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Forwarding traffic to "transparent" device

and why there is a problem with simply using VLANs to insert the cache into the path?

--

deejay

> -----Original Message-----
> From: Daniska, Tomas
> Sent: Thursday, February 25, 2010 1:41 PM
> To: 'Pavel Dimow'
> Subject: RE: [c-nsp] Forwarding traffic to "transparent" device
>
> and why there is a problem with simply using VLANs to insert the cache into the path?
>
> --
>
> deejay
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pavel Dimow
> > Sent: Wednesday, February 24, 2010 11:26 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Forwarding traffic to "transparent" device
> >
> > Hello all,
> >
> > thank you for your suggestions, but as this is a transparent device (ie it acts just like a wire) wccp is not an option.
> > Beside that, it can cache bittorrent traffic which I believe is not wccp friendly :)
> >
> >
> > On Wed, Feb 24, 2010 at 11:19 PM, Ryan West wrote:
> > > Pavel,
> > >
> > >> -----Original Message-----
> > >> Sent: Wednesday, February 24, 2010 4:56 PM
> > >> To: cisco-nsp at puck.nether.net
> > >> Subject: [c-nsp] Forwarding traffic to "transparent" device
> > >>
> > >> Hi,
> > >>
> > >> as I am not a native English speaker I don't know how to name my problem but I will try to give as much details as possible.
> > >> Here it is, I have a Cisco 7600 which is the core switch, and it has one uplink to our edge router (it is an SVI interface). Now, I would like to insert a transparent cache engine. That would not be a problem, except that the connection between edge and core is fiber and the transparent device has only copper ports. I know that I can buy media converters, but what I would really like before is to connect the cache to the core and forward all (to and from internet) via the cache and then back to the core and so on.
> > >> Something like this:
> > >>
> > >>
> > >>   ------------
> > >>   |   EDGE   |
> > >>   ------------
> > >>        |
> > >>      --|--
> > >>      | C |
> > >>      | O |-------CACHE
> > >>      | R |--------
> > >>      | E |
> > >>      -----
> > >>
> > >>      USERS
> > >>
> > >>
> > >>
> > >> Is this possible at all, and are there any other solutions?
> > >>
> > >
> > > Are you sure your core and cache engine do not support WCCP? That might be your best bet. The VLAN mapping option will also work, but if your caching engine decides to fail and does support a hardware based fail-open, no more traffic will flow.
> > >
> > > -ryan
> > >

From drew.weaver at thenap.com Thu Feb 25 11:43:37 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 25 Feb 2010 11:43:37 -0500
Subject: [c-nsp] Netflow - GSR engine 5
Message-ID:

Howdy,

Should ingress packets dropped by ACLs still hit Netflow on the GSR with E5 linecards?

Gi2/0/2       10.1.123.32     Null          10.1.123.3      11 A29F 0035     1

Gi2/0/2 is one of our Internet connections
10.1.123.32 (changed to protect, is one of our routed public IPs that isn't routed in our network (spoofing?))
10.1.123.3 (changed to protect) is the IP address of one of our DNS servers.

So basically a packet is being sent in from the Internet sourced from one of my own IP addresses, and I assume it is being dropped because of the ACL on our Internet connections that says we don't want traffic coming in from ourselves, but why is it showing up in the netflow exports?

Thanks,
-Drew

From amsoares at netcabo.pt Thu Feb 25 11:57:02 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Thu, 25 Feb 2010 16:57:02 -0000
Subject: [c-nsp] PIX/ASA "show counters" command
Message-ID: <564861BFCF4442999230D19A8BBB3632@int.convex.pt>

Group,

I need help with the PIX/ASA "show counters" command:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086

As you can see, the command reference doesn't give too much details about the command.
The CLI "show counters description" command gives us additional information, for example:

++++++++++++++++++++++++++++++++++++++++++
PIX1# show counters description | inc TCP
IP       TO_TCP            Packets delivered to TCP stack
TCP      IN_PKTS           Packets received
TCP      OUT_PKTS          Packets transmitted
TCP      RCV_GOOD          Received good packets
TCP      IN_BAD_CXT        Packets received with invalid environment data (ifc, ctx, etc.)
TCP      IN_NO_PRIV        Packets dropped due to no TCB
TCP      BD_CKSUM          Packets received with a bad checksum
TCP      BD_LEN            Packets received with a bad length
TCP      NOT_ALLWD         Packets dropped due to security level
TCP      INV_HOST          Packets dropped invalid host and least secured interface
TCP      NO_APP            Packets dropped no one listening
TCP      DROP_NRST         Packets dropped no one listening - no reset sent
TCP      SESS_CLSD         Packets dropped session closed
TCP      SESS_CTOD         Packets dropped session slosed due to timeout
TCP      DRP_LIS_RST       Packets dropped Listen state received reset
TCP      DRP_LIS_BAD       Packets dropped Listen state received packet with invalid flags
TCP      SYNS_RST          Packets dropped SynSent state received reset
TCP      SYNS_BAD          Packets dropped SynSent state received packet with invalid flags
TCP      CONN_RST1         Packets dropped Est, Fin1, Fin2, CloseWait state connection reset
TCP      CONN_RST2         Packets dropped Closing, LastAck, TimeWait state connection reset
TCP      CONN_RST3         Packets dropped Est, Fin1, Fin2, CloseWait, Closed, LastAck, TimeWait state received syn
TCP      CONN_REFD         Packets dropped SynRcvd state conn refused
TCP      BAD_FLAG          Packets dropped invalid flag for state
TCP      NACK1             Packets dropped Est, CloseWait state received ack - not established
TCP      NACK2             Packets dropped Fin1 state received ack - not established
TCP      NACK3             Packets dropped Fin2 state received ack - not established
TCP      NACK4             Packets dropped Closing state received ack - not established
TCP      DROP_UNACC        Packets dropped do not save or rearrange segments
TCP      DROP_IGNORE1      Packets dropped Closing state received ack - ignored
TCP      DROP_IGNORE2      Packets dropped LastAck state received non
fin/ack - ignored
TCP      DROP_IGNORE3      Packets dropped TimeWait state received non remote fin/ack - ignored
TCP      DROP_IGNORE4      Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack - data ignored
TCP      DROP_IGNORE5      Packets dropped Closed, Listen, SynSent state received fin/ack - ignored
TCP      DROP_IGNORE6      Packets dropped CloseWait, Closing, LastAck, TimeWait state received fin/ack - ignored
TCP      DROP_IGNORE7      Packets dropped Estab state & receiving data but no blocks are available - ignored
TCP      OUT_CLSD          Packets out dropped Conn Closed
TCP      OUT_BAD_CXT       Packets out packets dropped due to invalid environment data (ifc, ctx, etc.)
TCP      OUT_NO_BLKS       Packets out no blocks
TCP      OUT_NO_PRIV       Packets out due to no TCB
TCP      OUT_CONNRDY       Packets out dropped connection not ready
TCP      HASH_ADD          User hash add
TCP      HASH_ADD_DUP      User hash add dup
TCP      HASH_MISS         User srch hash miss
TCP      HASH_HIT          User srch hash hit
TCP      HASH_DEL          User hash delete
TCP      HASH_DMISS        User hash delete miss
TCP      MOVE_FAILED       Move listener failed
TCP      NO_USER_MEM       Alloc user failed
TCP      FORCE_FREE        Users Forcefully removed due to context deletion
TCP      SND_SYN           send syn
TCP      SND_RST           send rst
TCP      SND_ACK           send ack
TCP      RCV_ACK           receive ack
TCP      RCV_ACK_NEST      receive ack not established
NPSHIM   IOCTL_TCPFIP_FAIL Ioctl TCPFIP Fail
PIX1#
++++++++++++++++++++++++++++++++++++++++++

Now, for example for TCP, are these counters related with TCP sessions that traverse the PIX/ASA, sessions to/from the PIX/ASA or both ?

I have a customer swearing that these counters are related with TCP sessions to/from the PIX/ASA and i found it very strange. Why would we need so many details about that ? These counters make sense for connections traversing the PIX/ASA. By the way, this was what the customer was looking for.

I don't have access to real gear right now and under dynamips/pemu, i don't see anything...


Thanks.
Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

From tdurack at gmail.com Thu Feb 25 13:01:40 2010
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 25 Feb 2010 13:01:40 -0500
Subject: [c-nsp] 6500, SUP720, 12.2(33)SXI3, BGP path-mtu flap
Message-ID: <9e246b4d1002251001o46e754a8te760b5e1b116e85@mail.gmail.com>

6500, SUP720, 12.2(33)SXI3. Couple of iBGP neighbors keep flapping on one box. Looks like a path-mtu issue, yet the discovered path looks correct:

sh bgp ipv4 unicast summary | i Neighbor|10.116.0.1
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.116.0.1      4 65116  165937  690347   268786    0   61 00:00:50        0

path-mtu discovers 9116:

  Address tracking is enabled, the RIB does have a route to 10.116.0.1
  Connections established 3937; dropped 3936
  Last reset 00:02:22, due to BGP Notification sent, hold time expired
  External BGP neighbor may be up to 255 hops away.
  Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Mininum incoming TTL 0, Outgoing TTL 255
Local host: 10.1.0.1, Local port: 46013
Foreign host: 10.116.0.1, Foreign port: 179

Enqueued packets for retransmit: 2, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x146C10A6C):
Timer          Starts    Wakeups            Next
Retrans             9          5     0x146C121A4
TimeWait            0          0             0x0
AckHold             1          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            1          0             0x0
DeadWait            0          0             0x0

iss: 3884779463  snduna: 3884779560  sndnxt: 3884788712     sndwnd:  16288
irs: 1703625207  rcvnxt: 1703625304  rcvwnd:      16288  delrcvwnd:     96

SRTT: 99 ms, RTTO: 1539 ms, RTV: 1440 ms, KRTT: 49248 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: higher precedence, nagle, path mtu capable, path mtu discovery

Datagrams (max data segment is 9116 bytes):
Rcvd: 4 (out of order: 0), with data: 2, total data bytes: 96
Sent: 5 (retransmit: 5), with data: 3, total data bytes: 9248

Pinging between loopbacks with df-bit and mtu 9156 is successful.
Disabling path-mtu on the neighbor session "fixes" the problem. The problem only started occurring after some outages caused the sessions to flap.

Anyone seen odd path-mtu related issues?

--
Tim:>
Sent from New York, NY, United States

From anthony.mcgarry at plannet21.ie Thu Feb 25 13:06:25 2010
From: anthony.mcgarry at plannet21.ie (Anthony McGarry)
Date: Thu, 25 Feb 2010 18:06:25 +0000
Subject: [c-nsp] MPLS and NAT
In-Reply-To:
References:
Message-ID: <4B86BC21.2090002@plannet21.ie>

I am assuming you need to give a central service (NMS, VOIP) to customer your VRFs. See the following links

http://www.ciscosystems.ro/en/US/products/ps6604/products_qanda_item09186a00800b2cd7.shtml
http://www.cisco.biz/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftnatvpn.html

Anthony

Primoz Jeroncic wrote:
> Hi
>
> I have very specific config of MPLS and to be honest, I have no idea how to configure this. In this rare case CCO doesn't seem to be very helpful... or at least I can't find any samples for this.
>
> I have central location, and few subsidiaries. MPLS VPN is configured between these, and everything works fine. Now there will be some changes in config, and client would want that all subsidiaries would be connecting over NAT with one single IP address. This means, that I should be doing NAT on PE router (on vrf interface), so that I would translate all subsidiaries' networks into one single IP on central (main) location.
> On central location's PE my (relevant) config looks like this:
>
> ip vrf mpls1
>  description MPLS VPN for Bankart-Emporium
>  rd 65001:10
>  route-target export 65001:1
>  route-target import 65001:1
> !
> mpls label protocol ldp
> no mpls ip propagate-ttl
> !
> interface FastEthernet0/0
>  ip address 20.20.20.2
>  mpls ip
>  mpls mtu 1546
> !
> interface FastEthernet0/1
>  ip vrf forwarding mpls1
>  ip address 10.10.10.1 255.255.255.0
> !
> router bgp 65001
>  no synchronization
>  no bgp log-neighbor-changes
>  neighbor 30.30.30.1 remote-as 65001
>  neighbor 30.30.30.1 update-source Loopback0
>  no auto-summary
>  !
>  address-family vpnv4
>   neighbor 30.30.30.1 activate
>   neighbor 30.30.30.1 send-community extended
>  exit-address-family
>  !
>  address-family ipv4 vrf mpls1
>   no auto-summary
>   no synchronization
>   network 10.10.10.0 mask 255.255.255.0
>  exit-address-family
> !
> ip route 30.30.30.1 255.255.255.255 20.20.20.1
> !
>
> On subsidiary location, config is pretty much the same, and their IP addresses on VRF mpls1 are 1.1.1.0/24.
>
> Now I would like to translate all 1.1.1.0/24 addresses to 10.10.10.10, so subsidiaries would access servers on 10.10.10.0/24 network as 10.10.10.10.
>
> Any hint, link, or sample config for this would be really appreciated :)
>
> Thanks for help.
>
> Have fun,
> Primoz Jeroncic
> Support - IP Connectivity & Routing
> -------------------------------------------------------------------
> Softnet d.o.o.        tel: +386 1 562 31 40 |
> Borovec 2             fax: +386 1 562 18 55 | 1 + 1 = 3
> 1236 Trzin            primoz(at)softnet.si  | for larger values of 1
> Slovenija             http://flea.softnet.si/
> -------------------------------------------------------------------
>

From dwhitejr at cisco.com Thu Feb 25 13:35:14 2010
From: dwhitejr at cisco.com (David White, Jr. (dwhitejr))
Date: Thu, 25 Feb 2010 13:35:14 -0500
Subject: [c-nsp] PIX/ASA "show counters" command
In-Reply-To: <564861BFCF4442999230D19A8BBB3632@int.convex.pt>
References: <564861BFCF4442999230D19A8BBB3632@int.convex.pt>
Message-ID: <4B86C2E2.1040002@cisco.com>

Hi Antonio,

Please see inline..
Antonio Soares wrote:
> Group,
>
> I need help with the PIX/ASA "show counters" command:
>
> http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086
>
> As you can see, the command reference doesn't give too much details about the command.
>
> The CLI "show counters description" command gives us additional information, for example:
>
> ++++++++++++++++++++++++++++++++++++++++++
> PIX1# show counters description | inc TCP
> IP       TO_TCP            Packets delivered to TCP stack
> TCP      IN_PKTS           Packets received
> TCP      OUT_PKTS          Packets transmitted
> TCP      RCV_GOOD          Received good packets
> TCP      IN_BAD_CXT        Packets received with invalid environment data (ifc, ctx, etc.)
> TCP      IN_NO_PRIV        Packets dropped due to no TCB
> TCP      BD_CKSUM          Packets received with a bad checksum
> TCP      BD_LEN            Packets received with a bad length
> TCP      NOT_ALLWD         Packets dropped due to security level
> TCP      INV_HOST          Packets dropped invalid host and least secured interface
> TCP      NO_APP            Packets dropped no one listening
> TCP      DROP_NRST         Packets dropped no one listening - no reset sent
> TCP      SESS_CLSD         Packets dropped session closed
> TCP      SESS_CTOD         Packets dropped session slosed due to timeout
> TCP      DRP_LIS_RST       Packets dropped Listen state received reset
> TCP      DRP_LIS_BAD       Packets dropped Listen state received packet with invalid flags
> TCP      SYNS_RST          Packets dropped SynSent state received reset
> TCP      SYNS_BAD          Packets dropped SynSent state received packet with invalid flags
> TCP      CONN_RST1         Packets dropped Est, Fin1, Fin2, CloseWait state connection reset
> TCP      CONN_RST2         Packets dropped Closing, LastAck, TimeWait state connection reset
> TCP      CONN_RST3         Packets dropped Est, Fin1, Fin2, CloseWait, Closed, LastAck, TimeWait state received syn
> TCP      CONN_REFD         Packets dropped SynRcvd state conn refused
> TCP      BAD_FLAG          Packets dropped invalid flag for state
> TCP      NACK1             Packets dropped Est, CloseWait state received ack - not established
> TCP      NACK2             Packets dropped Fin1 state received ack - not established
> TCP      NACK3             Packets dropped Fin2 state received ack - not established
> TCP      NACK4             Packets dropped Closing state received ack - not established
> TCP      DROP_UNACC        Packets dropped do not save or rearrange segments
> TCP      DROP_IGNORE1      Packets dropped Closing state received ack - ignored
> TCP      DROP_IGNORE2      Packets dropped LastAck state received non fin/ack - ignored
> TCP      DROP_IGNORE3      Packets dropped TimeWait state received non remote fin/ack - ignored
> TCP      DROP_IGNORE4      Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack - data ignored
> TCP      DROP_IGNORE5      Packets dropped Closed, Listen, SynSent state received fin/ack - ignored
> TCP      DROP_IGNORE6      Packets dropped CloseWait, Closing, LastAck, TimeWait state received fin/ack - ignored
> TCP      DROP_IGNORE7      Packets dropped Estab state & receiving data but no blocks are available - ignored
> TCP      OUT_CLSD          Packets out dropped Conn Closed
> TCP      OUT_BAD_CXT       Packets out packets dropped due to invalid environment data (ifc, ctx, etc.)
> TCP      OUT_NO_BLKS       Packets out no blocks
> TCP      OUT_NO_PRIV       Packets out due to no TCB
> TCP      OUT_CONNRDY       Packets out dropped connection not ready
> TCP      HASH_ADD          User hash add
> TCP      HASH_ADD_DUP      User hash add dup
> TCP      HASH_MISS         User srch hash miss
> TCP      HASH_HIT          User srch hash hit
> TCP      HASH_DEL          User hash delete
> TCP      HASH_DMISS        User hash delete miss
> TCP      MOVE_FAILED       Move listener failed
> TCP      NO_USER_MEM       Alloc user failed
> TCP      FORCE_FREE        Users Forcefully removed due to context deletion
> TCP      SND_SYN           send syn
> TCP      SND_RST           send rst
> TCP      SND_ACK           send ack
> TCP      RCV_ACK           receive ack
> TCP      RCV_ACK_NEST      receive ack not established
> NPSHIM   IOCTL_TCPFIP_FAIL Ioctl TCPFIP Fail
> PIX1#
> ++++++++++++++++++++++++++++++++++++++++++
>
> Now, for example for TCP, are these counters related with TCP sessions that traverse the PIX/ASA, sessions to/from the PIX/ASA or both ?
>
They are for packets to/from the PIX/ASA's stack.
> I have a customer swearing that these counters are related with TCP sessions to/from the PIX/ASA and i found it very strange. Why would we need so many details about that ? These counters make sense for connections traversing the PIX/ASA. By the way, this was what the customer was looking for.
>
With clientless WebVPN, and other sessions that terminate on the box, it is yet another way to debug/troubleshoot some issues :-)

Sincerely,

David.

> I don't have access to real gear right now and under dynamips/pemu, i don't see anything...
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>

From ayourtch at cisco.com Thu Feb 25 13:55:52 2010
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Thu, 25 Feb 2010 19:55:52 +0100 (CET)
Subject: [c-nsp] PIX/ASA "show counters" command
In-Reply-To: <564861BFCF4442999230D19A8BBB3632@int.convex.pt>
References: <564861BFCF4442999230D19A8BBB3632@int.convex.pt>
Message-ID:

On Thu, 25 Feb 2010, Antonio Soares wrote:

> I have a customer swearing that these counters are related with TCP sessions to/from the PIX/ASA and i found it very strange. Why would we need so many details about that ? These counters make sense for connections traversing the PIX/ASA. By the way, this was what the customer was looking for.

To add to David's reply - if the customer is looking for debugging the connections through the box (I presume something is dropped where they would not expect to), the "show asp drop" would be a useful area to explore. And a capture with the type "asp-drop" will be helpful in verifying which exactly packets are being dropped for each of the reasons.
cheers, andrew From KaeglerM at tessco.com Thu Feb 25 13:50:57 2010 From: KaeglerM at tessco.com (Kaegler, Mike) Date: Thu, 25 Feb 2010 13:50:57 -0500 Subject: [c-nsp] Chassis Failure Rate In-Reply-To: <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com> References: <6B43981C32F8464CB24CEE209DA32BD302C9C36D@kenya.tronet.as> <2AA600764E54964491083B1E0EC81A3048CEBD06AD@EXCLUS.nationala-1advertising.com> Message-ID: <10A696EC3BCC3C488C2205A17507128C0197688F@EXCHANGE-1.tessco.com> 6500: One backplane failure in 120 chassis-years (number of chassis running times the number of years they've been running). 4500: Zero in 20 chassis-years. -porkchop -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of NMaio at guesswho.com Sent: Thursday, February 25, 2010 8:34 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Chassis Failure Rate Just a quick consensus. Have many people experienced chassis/backplane failure in the 45xx/65xx/76xx lines? I have not yet (knock on wood) and I would just like to know if people have experienced this and how often. I have read a few posts where this has happened. Thanks in advance. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jeremyparr at gmail.com Thu Feb 25 14:58:31 2010 From: jeremyparr at gmail.com (Jeremy Parr) Date: Thu, 25 Feb 2010 14:58:31 -0500 Subject: [c-nsp] IP Base vs IP Services with 3750Es Message-ID: <91dee5fc1002251158k12492e1at8aae779af6c67206@mail.gmail.com> Is there a good breakdown anywhere comparing the functionality of the Enterprise (IP Services) feature set compared to Standard (IP Base) besides a big dollar difference? 
From ed at edgeoc.net Thu Feb 25 15:02:18 2010
From: ed at edgeoc.net (Edward Salonia)
Date: Thu, 25 Feb 2010 20:02:18 +0000
Subject: [c-nsp] IP Base vs IP Services with 3750Es
Message-ID: <1817107021-1267128234-cardhu_decombobulator_blackberry.rim.net-1340582015-@bda056.bisx.prod.on.blackberry>

You can expect the ipservices to give you dynamic routing, among other things. Check out http://cisco.com/go/fn and compare 2 images to see the specific features.

- Ed

------Original Message------
From: Jeremy Parr
Sender: cisco-nsp-bounces at puck.nether.net
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IP Base vs IP Services with 3750Es
Sent: Feb 25, 2010 2:58 PM

Is there a good breakdown anywhere comparing the functionality of the Enterprise (IP Services) feature set compared to Standard (IP Base) besides a big dollar difference?

From amsoares at netcabo.pt Thu Feb 25 15:17:27 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Thu, 25 Feb 2010 20:17:27 -0000
Subject: [c-nsp] PIX/ASA "show counters" command
In-Reply-To: <4B86C2E2.1040002@cisco.com>
References: <564861BFCF4442999230D19A8BBB3632@int.convex.pt> <4B86C2E2.1040002@cisco.com>
Message-ID:

David/Andrew,

Thank you very much for clarifying this. Well, the customer was looking for something like this but for TCP sessions traversing the PIX/ASA. For example, how many SYN packets were sent to the systems protected by the unit, how many SYN/ACK were sent from those systems, how many arrived to the established state and so on. Do we have any options here ? I'm now investigating if the CISCO-UNIFIED-MIB can help:

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-UNIFIED-FIREWALL-MIB.my

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
Sent: Thursday, 25 February 2010 18:35
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX/ASA "show counters" command

Hi Antonio,

Please see inline..

Antonio Soares wrote:
> Group,
>
> I need help with the PIX/ASA "show counters" command:
>
> http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086
>
> As you can see, the command reference doesn't give too much detail about the command.
>
> The CLI "show counters description" command gives us additional information, for example:
>
> ++++++++++++++++++++++++++++++++++++++++++
> PIX1# show counters description | inc TCP
> IP       TO_TCP             Packets delivered to TCP stack
> TCP      IN_PKTS            Packets received
> TCP      OUT_PKTS           Packets transmitted
> TCP      RCV_GOOD           Received good packets
> TCP      IN_BAD_CXT         Packets received with invalid environment data (ifc, ctx, etc.)
> TCP      IN_NO_PRIV         Packets dropped due to no TCB
> TCP      BD_CKSUM           Packets received with a bad checksum
> TCP      BD_LEN             Packets received with a bad length
> TCP      NOT_ALLWD          Packets dropped due to security level
> TCP      INV_HOST           Packets dropped invalid host and least secured interface
> TCP      NO_APP             Packets dropped no one listening
> TCP      DROP_NRST          Packets dropped no one listening - no reset sent
> TCP      SESS_CLSD          Packets dropped session closed
> TCP      SESS_CTOD          Packets dropped session slosed due to timeout
> TCP      DRP_LIS_RST        Packets dropped Listen state received reset
> TCP      DRP_LIS_BAD        Packets dropped Listen state received packet with invalid flags
> TCP      SYNS_RST           Packets dropped SynSent state received reset
> TCP      SYNS_BAD           Packets dropped SynSent state received packet with invalid flags
> TCP      CONN_RST1          Packets dropped Est, Fin1, Fin2, CloseWait state connection reset
> TCP      CONN_RST2          Packets dropped Closing, LastAck, TimeWait state connection reset
> TCP      CONN_RST3          Packets dropped Est, Fin1, Fin2, CloseWait, Closed, LastAck, TimeWait state received syn
> TCP      CONN_REFD          Packets dropped SynRcvd state conn refused
> TCP      BAD_FLAG           Packets dropped invalid flag for state
> TCP      NACK1              Packets dropped Est, CloseWait state received ack - not established
> TCP      NACK2              Packets dropped Fin1 state received ack - not established
> TCP      NACK3              Packets dropped Fin2 state received ack - not established
> TCP      NACK4              Packets dropped Closing state received ack - not established
> TCP      DROP_UNACC         Packets dropped do not save or rearrange segments
> TCP      DROP_IGNORE1       Packets dropped Closing state received ack - ignored
> TCP      DROP_IGNORE2       Packets dropped LastAck state received non fin/ack - ignored
> TCP      DROP_IGNORE3       Packets dropped TimeWait state received non remote fin/ack - ignored
> TCP      DROP_IGNORE4       Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack - data ignored
> TCP      DROP_IGNORE5       Packets dropped Closed, Listen, SynSent state received fin/ack - ignored
> TCP      DROP_IGNORE6       Packets dropped CloseWait, Closing, LastAck, TimeWait state received fin/ack - ignored
> TCP      DROP_IGNORE7       Packets dropped Estab state & receiving data but no blocks are available - ignored
> TCP      OUT_CLSD           Packets out dropped Conn Closed
> TCP      OUT_BAD_CXT        Packets out packets dropped due to invalid environment data (ifc, ctx, etc.)
> TCP      OUT_NO_BLKS        Packets out no blocks
> TCP      OUT_NO_PRIV        Packets out due to no TCB
> TCP      OUT_CONNRDY        Packets out dropped connection not ready
> TCP      HASH_ADD           User hash add
> TCP      HASH_ADD_DUP       User hash add dup
> TCP      HASH_MISS          User srch hash miss
> TCP      HASH_HIT           User srch hash hit
> TCP      HASH_DEL           User hash delete
> TCP      HASH_DMISS         User hash delete miss
> TCP      MOVE_FAILED        Move listener failed
> TCP      NO_USER_MEM        Alloc user failed
> TCP      FORCE_FREE         Users Forcefully removed due to context deletion
> TCP      SND_SYN            send syn
> TCP      SND_RST            send rst
> TCP      SND_ACK            send ack
> TCP      RCV_ACK            receive ack
> TCP      RCV_ACK_NEST       receive ack not established
> NPSHIM   IOCTL_TCPFIP_FAIL  Ioctl TCPFIP Fail
> PIX1#
> ++++++++++++++++++++++++++++++++++++++++++
>
> Now, for example for TCP, are these counters related with TCP sessions that traverse the PIX/ASA, sessions to/from the PIX/ASA or both ?
>

They are for packets to/from the PIX/ASA's stack.

> I have a customer swearing that these counters are related with TCP sessions to/from the PIX/ASA and I found it very strange. Why would we need so many details about that ? These counters make sense for connections traversing the PIX/ASA. By the way, this was what the customer was looking for.
>

With clientless WebVPN, and other sessions that terminate on the box, it is yet another way to debug/troubleshoot some issues :-)

Sincerely,

David.

> I don't have access to real gear right now and under dynamips/pemu, I don't see anything...
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>

From cm at n-home.ru Thu Feb 25 16:11:36 2010
From: cm at n-home.ru (Cyrill Malevanov)
Date: Fri, 26 Feb 2010 00:11:36 +0300
Subject: [c-nsp] Forwarding traffic to "transparent" device
In-Reply-To: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com>
References: <6d2cb0d51002241356s426bd52awa76820ed573ae3dd@mail.gmail.com>
Message-ID: <0F7542A6-ED9D-43D9-A1FA-8B2E178F9494@n-home.ru>

On Feb 25, 2010, at 12:56 AM, Pavel Dimow wrote:

> Hi,
>
> as I am not a native English speaker I don't know how to name my problem
> but I will try to give as much detail as possible.
> Here it is, I have a Cisco 7600 which is the core switch, and it has one
> uplink to our edge router (it is an SVI interface). Now, I would like to
> insert a transparent cache engine. That would not be a problem, except that
> the connection between edge and core is fiber and the
> transparent device has only copper ports. I know that I can buy
> media converters, but what I would really like before that
> is to connect the cache to the core and forward all (to and from internet) via
> the cache and then back to the core and so on.
> Something like this:
>
>
>      ------------
>      |   EDGE   |
>      ------------
>           |
>         --|--
>         | C |
>         | O |-------CACHE
>         | R |--------
>         | E |
>         -----
>
>         USERS
>
>
> Is this possible at all, and are there any other solutions?
>

vlan 20 is looking at edge from the core. You use vlan 20 on edge, vlan enters the fiber port from edge, then you delete int vlan 20. Vlan 20 then should go to cache through access port. Then you receive that vlan from the cache, but name it vlan 30. Receive it via access port and move your core ip address from int vlan 20 to int vlan 30.

Port 1 - edge.
It was:
  sw mo trunk
  sw tr al vl 20
And you have int vlan 20 / ip addr 1.2.3.2/30

Now:

port1 - edge.
  sw mo tr
  sw tr al vl 20

port2 - traffic from edge to cache
  sw mo ac
  sw ac vl 20

port 3 - traffic from cache to core.
  sw mo ac
  sw ac vl 30

And int vlan 30
  ip addr 1.2.3.2/30

When your route 0/0 points to 1.2.3.1, traffic goes this way:

What is the arp of 1.2.3.1? Send broadcast. Broadcast goes out via vlan 30, out from core via vlan 30 port 3, through cache, enters core as vlan 20 into port2, goes out as vlan 20 from port1.

ARP reply goes to port1, vlan 20. Then it looks up the mac-table - where has this mac from vlan 20 been seen? port2. Then traffic goes out from port2, vlan 20, through cache and then enters vlan 30 into port 3. Wow! That's my mac in that vlan.

> Thank you.

From gert at greenie.muc.de Thu Feb 25 16:37:21 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 25 Feb 2010 22:37:21 +0100
Subject: [c-nsp] Netflow - GSR engine 5
In-Reply-To:
References:
Message-ID: <20100225213721.GT9556@greenie.muc.de>

Hi,

On Thu, Feb 25, 2010 at 11:43:37AM -0500, Drew Weaver wrote:
> Should ingress packets dropped by ACLs still hit Netflow on the GSR with E5 linecards?
>
> Gi2/0/2       10.1.123.32     Null          10.1.123.3      11 A29F 0035     1

I'm not sure whether this is documented anywhere, but this is expected, and it is actually recommended to use "Netflow dest if=null" instead of "ACL logging" to see which packets your network is refusing.

> So basically a packet is being sent in from the Internet sourced
> from one of my own IP addresses, and I assume it is being dropped
> because of the ACL on our Internet connections that says we don't
> want traffic coming in from ourselves, but why is it showing up in
> the netflow exports?

So that you can keep track of what you're dropping. You might want to know about it :-)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From A.L.M.Buxey at lboro.ac.uk Thu Feb 25 16:40:42 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 25 Feb 2010 21:40:42 +0000
Subject: [c-nsp] IP Base vs IP Services with 3750Es
In-Reply-To: <91dee5fc1002251158k12492e1at8aae779af6c67206@mail.gmail.com>
References: <91dee5fc1002251158k12492e1at8aae779af6c67206@mail.gmail.com>
Message-ID: <20100225214042.GB13823@lboro.ac.uk>

Hi,

> Is there a good breakdown anywhere comparing the functionality of the
> Enterprise (IP Services) feature set compared to Standard (IP Base) besides
> a big dollar difference?

There's a document on the cisco site that lets you see.

IPv6 only exists in the IP advanced services right now it seems ...what is 'advanced' about IPv6 ? :-(

http://www.cisco.com/en/US/products/ps7077/

alan

From ayourtch at cisco.com Thu Feb 25 16:40:32 2010
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Thu, 25 Feb 2010 22:40:32 +0100 (CET)
Subject: [c-nsp] PIX/ASA "show counters" command
In-Reply-To:
References: <564861BFCF4442999230D19A8BBB3632@int.convex.pt> <4B86C2E2.1040002@cisco.com>
Message-ID:

Antonio,

On Thu, 25 Feb 2010, Antonio Soares wrote:

> David/Andrew,
>
> Thank you very much for clarifying this. Well, the customer was looking for something like this but for TCP sessions traversing the PIX/ASA. For example, how many SYN packets were sent to the systems protected by the unit, how many SYN/ACK were sent from those systems, how many arrived to the established state and so on. Do we have any options here ? I'm now investigating if the CISCO-UNIFIED-MIB can help:
>
> ftp://ftp.cisco.com/pub/mibs/v2/CISCO-UNIFIED-FIREWALL-MIB.my

You can take a look at the output of "show snmp-server oidlist" to see what's queryable. (We've a bug filed to get this command documented.)

An output close to what they could be looking for is "show perfmon"; the "detail" keyword adds the setup rates at the end of its output:

# sh perfmon detail
PERFMON STATS:                          Current      Average
Xlates                                    0/s          0/s
Connections                               0/s          0/s
TCP Conns                                 0/s          0/s
UDP Conns                                 0/s          0/s
URL Access                                0/s          0/s
URL Server Req                            0/s          0/s
TCP Fixup                                 0/s          0/s
TCP Intercept Established Conns           0/s          0/s
TCP Intercept Attempts                    9/s          0/s
TCP Embryonic Conns Timeout               0/s          0/s
HTTP Fixup                                0/s          0/s
FTP Fixup                                 0/s          0/s
AAA Authen                                0/s          0/s
AAA Author                                0/s          0/s
AAA Account                               0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:      Current      Average
                                          0.00%        0.00%

SETUP RATES:
Connections for 1 minute = 0/s; 5 minutes = 0/s
TCP Conns   for 1 minute = 0/s; 5 minutes = 0/s
UDP Conns   for 1 minute = 0/s; 5 minutes = 0/s

If you want the more detailed stats, you can configure the "threat-detection statistics" - http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058499

But that of course comes at the cost of a very noticeable amount of memory to store these stats.

In the case of the spoofed TCP SYNs, in case the embryonic limit is reached, the reaction to them is stateless, so there are no per-host statistics kept by default.

cheers,
andrew

>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
> Sent: Thursday, 25 February 2010 18:35
> To: Antonio Soares
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX/ASA "show counters" command
>
> Hi Antonio,
>
> Please see inline..
>
> Antonio Soares wrote:
>> Group,
>>
>> I need help with the PIX/ASA "show counters" command:
>>
>> http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086
>>
>> As you can see, the command reference doesn't give too much detail about the command.
>>
>> The CLI "show counters description" command gives us additional information, for example:
>>
>> [...]
>>
>> Now, for example for TCP, are these counters related with TCP sessions that traverse the PIX/ASA, sessions to/from the PIX/ASA or both ?
>>
>
> They are for packets to/from the PIX/ASA's stack.
>
>> I have a customer swearing that these counters are related with TCP sessions to/from the PIX/ASA and I found it very strange. Why would we need so many details about that ? These counters make sense for connections traversing the PIX/ASA. By the way, this was what the customer was looking for.
>>
>
> With clientless WebVPN, and other sessions that terminate on the box, it
> is yet another way to debug/troubleshoot some issues :-)
>
> Sincerely,
>
> David.
>
>> I don't have access to real gear right now and under dynamips/pemu, I don't see anything...
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>

From saxon.jones at gmail.com Thu Feb 25 17:08:15 2010
From: saxon.jones at gmail.com (Saxon Jones)
Date: Thu, 25 Feb 2010 15:08:15 -0700
Subject: [c-nsp] IP Base vs IP Services with 3750Es
In-Reply-To: <20100225214042.GB13823@lboro.ac.uk>
References: <91dee5fc1002251158k12492e1at8aae779af6c67206@mail.gmail.com> <20100225214042.GB13823@lboro.ac.uk>
Message-ID: <86b512c31002251408ic59d954y7e0acc9598aeca24@mail.gmail.com>

IPv6 exists in IP Services now and the advanced IP services train has been EoL'd. You have to change your SDM profile to get IPv6, so it will initially seem to be absent (it even rejects config commands until you change the profile).

-saxon

On 25 February 2010 14:40, Alan Buxey wrote:

> Hi,
>
>> Is there a good breakdown anywhere comparing the functionality of the
>> Enterprise (IP Services) feature set compared to Standard (IP Base) besides
>> a big dollar difference?
>
> There's a document on the cisco site that lets you see.
>
> IPv6 only exists in the IP advanced services right now it seems ...what is 'advanced'
> about IPv6 ? :-(
>
> http://www.cisco.com/en/US/products/ps7077/
>
> alan
>

From lists at hojmark.org Thu Feb 25 17:13:36 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 25 Feb 2010 23:13:36 +0100
Subject: [c-nsp] IP Base vs IP Services with 3750Es
In-Reply-To: <20100225214042.GB13823@lboro.ac.uk>
References: <91dee5fc1002251158k12492e1at8aae779af6c67206@mail.gmail.com> <20100225214042.GB13823@lboro.ac.uk>
Message-ID:

On Thu, 25 Feb 2010 21:40:42 +0000, you wrote:

> IPv6 only exists in the IP advanced services right now it seems

No, actually IPv6 was moved to IP Base and IP Services (same as IPv4) with 12.2(50)SE.

-A

From Jay.Murphy at state.nm.us Thu Feb 25 17:13:26 2010
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Thu, 25 Feb 2010 15:13:26 -0700
Subject: [c-nsp] IP Base vs IP Services with 3750Es
In-Reply-To: <86b512c31002251408ic59d954y7e0acc9598aeca24@mail.gmail.com>
References: <91dee5fc1002251158k12492e1at8aae779af6c67206@mail.gmail.com> <20100225214042.GB13823@lboro.ac.uk> <86b512c31002251408ic59d954y7e0acc9598aeca24@mail.gmail.com>
Message-ID:

It's the feature sets that are deemed "advanced". You can leverage these if necessary, however, per the previous thread, it's what you do that enables the changes.

~Jay Murphy
IP Network Specialist
NM State Government
IT Services Division
PSB - IP Network Management Center
Santa Fé, New México 87505

"We move the information that moves your world."

"Good engineering demands that we understand what we're doing and why, keep an open mind, and learn from experience."

"Engineering is about finding the sweet spot between what's solvable and what isn't." Radia Perlman

Please consider the environment before printing e-mail

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saxon Jones
Sent: Thursday, February 25, 2010 3:08 PM
To: Alan Buxey
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IP Base vs IP Services with 3750Es

IPv6 exists in IP Services now and the advanced IP services train has been EoL'd. You have to change your SDM profile to get IPv6, so it will initially seem to be absent (it even rejects config commands until you change the profile).

-saxon

On 25 February 2010 14:40, Alan Buxey wrote:

> Hi,
>
>> Is there a good breakdown anywhere comparing the functionality of the
>> Enterprise (IP Services) feature set compared to Standard (IP Base) besides
>> a big dollar difference?
>
> There's a document on the cisco site that lets you see.
>
> IPv6 only exists in the IP advanced services right now it seems ...what is 'advanced'
> about IPv6 ? :-(
>
> http://www.cisco.com/en/US/products/ps7077/
>
> alan
>

Confidentiality Notice: This e-mail, including all attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited unless specifically provided under the New Mexico Inspection of Public Records Act. If you are not the intended recipient, please contact the sender and destroy all copies of this message.

From A.L.M.Buxey at lboro.ac.uk Thu Feb 25 17:19:58 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 25 Feb 2010 22:19:58 +0000
Subject: [c-nsp] IP Base vs IP Services with 3750Es
In-Reply-To: <86b512c31002251408ic59d954y7e0acc9598aeca24@mail.gmail.com>
References: <91dee5fc1002251158k12492e1at8aae779af6c67206@mail.gmail.com> <20100225214042.GB13823@lboro.ac.uk> <86b512c31002251408ic59d954y7e0acc9598aeca24@mail.gmail.com>
Message-ID: <20100225221958.GE13823@lboro.ac.uk>

Hi,

> IPv6 exists in IP Services now and the advanced IP services train has been EoL'd. You have to change your SDM profile to get IPv6, so it will initially seem to be absent (it even rejects config commands until you change the profile).

ah! that might explain a few things.... when will cisco flush out their old pages to correlate with this actuality?

sdm prefer dual-ipv4-and-ipv6 default

. refreshing .
alan From amsoares at netcabo.pt Thu Feb 25 19:01:42 2010 From: amsoares at netcabo.pt (Antonio Soares) Date: Fri, 26 Feb 2010 00:01:42 -0000 Subject: [c-nsp] PIX/ASA "show counters" command In-Reply-To: References: <564861BFCF4442999230D19A8BBB3632@int.convex.pt> <4B86C2E2.1040002@cisco.com> Message-ID: <3D2FA0C028BA429783CAE669513C122F@int.convex.pt> Thanks Andrew, i will investigate the options you mentioned. Regards, Antonio Soares, CCIE #18473 (R&S/SP) amsoares at netcabo.pt -----Original Message----- From: Andrew Yourtchenko [mailto:ayourtch at cisco.com] Sent: quinta-feira, 25 de Fevereiro de 2010 21:41 To: Antonio Soares Cc: dwhitejr at cisco.com; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] PIX/ASA "show counters" command Antonio, On Thu, 25 Feb 2010, Antonio Soares wrote: > David/Andrew, > > Thank you very much for clarifying this. Well, the customer was looking for something like this but for TCP sessions traversing the > PIX/ASA. For example, how many SYN packets were sent to the systems protected by the unit, how many SYN/ACK were sent from those > systems, how many arrived to the established state and so on. Do we have any options here ? I'm now investigating if the > CISCO-UNIFIED-MIB can help: > > ftp://ftp.cisco.com/pub/mibs/v2/CISCO-UNIFIED-FIREWALL-MIB.my You can take a look at the output of "show snmp-server oidlist" to see what's queryable. 
(We've a bug filed to get this command documented) An output close to what they could be looking for is "show perfmon"; "detail" keyword adds the setup rates in the end of its output: # sh perfmon detail PERFMON STATS: Current Average Xlates 0/s 0/s Connections 0/s 0/s TCP Conns 0/s 0/s UDP Conns 0/s 0/s URL Access 0/s 0/s URL Server Req 0/s 0/s TCP Fixup 0/s 0/s TCP Intercept Established Conns 0/s 0/s TCP Intercept Attempts 9/s 0/s TCP Embryonic Conns Timeout 0/s 0/s HTTP Fixup 0/s 0/s FTP Fixup 0/s 0/s AAA Authen 0/s 0/s AAA Author 0/s 0/s AAA Account 0/s 0/s VALID CONNS RATE in TCP INTERCEPT: Current Average 0.00% 0.00% SETUP RATES: Connections for 1 minute = 0/s; 5 minutes = 0/s TCP Conns for 1 minute = 0/s; 5 minutes = 0/s UDP Conns for 1 minute = 0/s; 5 minutes = 0/s If you want the more detailed stats, you can configure the "threat-detection statistics" - http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058499 But that of course at a need of very noticeable amount of memory to store these stats. In the case of the spoofed TCP SYNs in case the embryonic limit is reached, the reaction to them is stateless, so there are no per-host statistics kept by default. cheers, andrew > > > Regards, > > Antonio Soares, CCIE #18473 (R&S/SP) > amsoares at netcabo.pt > > -----Original Message----- > From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com] > Sent: quinta-feira, 25 de Fevereiro de 2010 18:35 > To: Antonio Soares > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] PIX/ASA "show counters" command > > Hi Antonio, > > Please see inline.. > > Antonio Soares wrote: >> Group, >> >> I need help with the PIX/ASA "show counters" command: >> >> http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086 >> >> As you can see, the command reference doesn't give too much details about the command. 
>>
>> The CLI "show counters description" command gives us additional information, for example:
>>
>> ++++++++++++++++++++++++++++++++++++++++++
>> PIX1# show counters description | inc TCP
>> IP       TO_TCP          Packets delivered to TCP stack
>> TCP      IN_PKTS         Packets received
>> TCP      OUT_PKTS        Packets transmitted
>> TCP      RCV_GOOD        Received good packets
>> TCP      IN_BAD_CXT      Packets received with invalid environment data (ifc, ctx, etc.)
>> TCP      IN_NO_PRIV      Packets dropped due to no TCB
>> TCP      BD_CKSUM        Packets received with a bad checksum
>> TCP      BD_LEN          Packets received with a bad length
>> TCP      NOT_ALLWD       Packets dropped due to security level
>> TCP      INV_HOST        Packets dropped invalid host and least secured interface
>> TCP      NO_APP          Packets dropped no one listening
>> TCP      DROP_NRST       Packets dropped no one listening - no reset sent
>> TCP      SESS_CLSD       Packets dropped session closed
>> TCP      SESS_CTOD       Packets dropped session slosed due to timeout
>> TCP      DRP_LIS_RST     Packets dropped Listen state received reset
>> TCP      DRP_LIS_BAD     Packets dropped Listen state received packet with invalid flags
>> TCP      SYNS_RST        Packets dropped SynSent state received reset
>> TCP      SYNS_BAD        Packets dropped SynSent state received packet with invalid flags
>> TCP      CONN_RST1       Packets dropped Est, Fin1, Fin2, CloseWait state connection reset
>> TCP      CONN_RST2       Packets dropped Closing, LastAck, TimeWait state connection reset
>> TCP      CONN_RST3       Packets dropped Est, Fin1, Fin2, CloseWait, Closed, LastAck, TimeWait state received syn
>> TCP      CONN_REFD       Packets dropped SynRcvd state conn refused
>> TCP      BAD_FLAG        Packets dropped invalid flag for state
>> TCP      NACK1           Packets dropped Est, CloseWait state received ack - not established
>> TCP      NACK2           Packets dropped Fin1 state received ack - not established
>> TCP      NACK3           Packets dropped Fin2 state received ack - not established
>> TCP      NACK4           Packets dropped Closing state received ack - not established
>> TCP      DROP_UNACC      Packets dropped do not save or rearrange segments
>> TCP      DROP_IGNORE1    Packets dropped Closing state received ack - ignored
>> TCP      DROP_IGNORE2    Packets dropped LastAck state received non fin/ack - ignored
>> TCP      DROP_IGNORE3    Packets dropped TimeWait state received non remote fin/ack - ignored
>> TCP      DROP_IGNORE4    Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack - data ignored
>> TCP      DROP_IGNORE5    Packets dropped Closed, Listen, SynSent state received fin/ack - ignored
>> TCP      DROP_IGNORE6    Packets dropped CloseWait, Closing, LastAck, TimeWait state received fin/ack - ignored
>> TCP      DROP_IGNORE7    Packets dropped Estab state & receiving data but no blocks are available - ignored
>> TCP      OUT_CLSD        Packets out dropped Conn Closed
>> TCP      OUT_BAD_CXT     Packets out packets dropped due to invalid environment data (ifc, ctx, etc.)
>> TCP      OUT_NO_BLKS     Packets out no blocks
>> TCP      OUT_NO_PRIV     Packets out due to no TCB
>> TCP      OUT_CONNRDY     Packets out dropped connection not ready
>> TCP      HASH_ADD        User hash add
>> TCP      HASH_ADD_DUP    User hash add dup
>> TCP      HASH_MISS       User srch hash miss
>> TCP      HASH_HIT        User srch hash hit
>> TCP      HASH_DEL        User hash delete
>> TCP      HASH_DMISS      User hash delete miss
>> TCP      MOVE_FAILED     Move listener failed
>> TCP      NO_USER_MEM     Alloc user failed
>> TCP      FORCE_FREE      Users Forcefully removed due to context deletion
>> TCP      SND_SYN         send syn
>> TCP      SND_RST         send rst
>> TCP      SND_ACK         send ack
>> TCP      RCV_ACK         receive ack
>> TCP      RCV_ACK_NEST    receive ack not established
>> NPSHIM   IOCTL_TCPFIP_FAIL Ioctl TCPFIP Fail
>> PIX1#
>> ++++++++++++++++++++++++++++++++++++++++++
>>
>> Now, for example for TCP, are these counters related to TCP sessions that traverse the PIX/ASA, sessions to/from the PIX/ASA, or
>> both?
>>
>
> They are for packets to/from the PIX/ASA's stack.
>
>> I have a customer swearing that these counters are related to TCP sessions to/from the PIX/ASA and I found it very strange. Why
>> would we need so many details about that? These counters make sense for connections traversing the PIX/ASA.
>> By the way, this was what the customer was looking for.
>>
>
> With clientless WebVPN, and other sessions that terminate on the box, it
> is yet another way to debug/troubleshoot some issues :-)
>
> Sincerely,
>
> David.
>
>> I don't have access to real gear right now and under dynamips/pemu, I don't see anything...
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rdobbins at arbor.net Thu Feb 25 19:28:07 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Fri, 26 Feb 2010 00:28:07 +0000
Subject: [c-nsp] Netflow - GSR engine 5
In-Reply-To: <20100225213721.GT9556@greenie.muc.de>
Message-ID: <65A9AE2E-B3E7-4D43-A1BD-A4DDFB292A4E@arbor.net>

On Feb 26, 2010, at 12:43 AM, Drew Weaver wrote:

> but why is it showing up in the netflow exports?

Because that's how NetFlow is supposed to work on a real router, vs. the broken implementation on 6500/7600 with current hardware.

;>

It's of great operational significance to know that even though you're dropping traffic on your side of a link via uRPF, S/RTBH, ACLs, whatever, said traffic is still pummeling your router. You can then work with your peer/upstream/downstream/customer to get the traffic squelched closer to the actual source(s).

-----------------------------------------------------------------------
Roland Dobbins // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From apowers at lancope.com Thu Feb 25 21:04:15 2010
From: apowers at lancope.com (Adam Powers)
Date: Thu, 25 Feb 2010 21:04:15 -0500
Subject: [c-nsp] Netflow - GSR engine 5
In-Reply-To: <20100225213721.GT9556@greenie.muc.de>
Message-ID:

Also keep in mind that the packet did actually ingress on some interface on the router somewhere prior to it being dropped by the ACL.
The NetFlow record must be sent to the collector in order for the ingress interface traffic to be reported correctly in the collector. In other words, if the router doesn't export the ACL-dropped flows your collector will under-report traffic stats.

On 2/25/10 4:37 PM, "Gert Doering" wrote:

> Hi,
>
> On Thu, Feb 25, 2010 at 11:43:37AM -0500, Drew Weaver wrote:
>> Should ingress packets dropped by ACLs still hit Netflow on the GSR with E5
>> linecards?
>>
>> Gi2/0/2 10.1.123.32 Null 10.1.123.3 11 A29F 0035 1
>
> I'm not sure whether this is documented anywhere, but this is expected,
> and it is actually recommended to use "Netflow dest if=null" instead
> of "ACL logging" to see which packets your network is refusing.
>
>> So basically a packet is being sent in from the Internet sourced
>> from one of my own IP addresses, and I assume it is being dropped
>> because of the ACL on our Internet connections that says we don't
>> want traffic coming in from ourselves, but why is it showing up in
>> the netflow exports?
>
> So that you can keep track of what you're dropping. You might want
> to know about it :-)
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From cangurobostero at gmail.com Fri Feb 26 01:57:56 2010
From: cangurobostero at gmail.com (Javi in AUS)
Date: Fri, 26 Feb 2010 16:57:56 +1000
Subject: [c-nsp] Input queue flushes and drops
Message-ID: <5301820a1002252257u7f022192v1c5e28341b6a655c@mail.gmail.com>

Gents,

We have a WAN-facing Cisco 3845 which is showing the numbers below on its Gi0/1 interface:

Input queue: 0/75/9/71805 (size/max/drops/flushes); Total output drops: 714432

Of course, these counters are increasing and we have a bunch of users at the other side of the link complaining about poor VoIP performance (they hear us intermittently although we can hear them OK). CEF is enabled globally, input queue is set to default (75).
GigabitEthernet0/1 is up, line protocol is up
  Hardware is BCM1125 Internal MAC, address is 001b.d37d.f8a2 (bia 001b.d37d.f8a2)
  Internet address is 10.83.2.17/30
  MTU 1500 bytes, BW 20000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 11/255, rxload 10/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 3w3d
  Input queue: 0/75/9/71805 (size/max/drops/flushes); Total output drops: 714432
  Queueing strategy: Class-based queueing
  Output queue: 0/1000/0 (size/max total/drops)
  30 second input rate 848000 bits/sec, 634 packets/sec
  30 second output rate 874000 bits/sec, 604 packets/sec
     1146444284 packets input, 1913512714 bytes, 0 no buffer
     Received 1785 broadcasts, 0 runts, 0 giants, 1 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 6993 multicast, 0 pause input
     0 input packets with dribble condition detected
     1121611018 packets output, 2544901813 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Should we increase the input queue size to 150, 200, 250, etc.? Could these flushes/drops be the cause of the poor VoIP performance?

Many thanks,
P

From vijaygore27 at gmail.com Fri Feb 26 06:14:24 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 26 Feb 2010 16:44:24 +0530
Subject: [c-nsp] Optimal MTU Rate ??
Message-ID: <31533f201002260314q5d8c691fodcc7ec6292daca05@mail.gmail.com>

Dear Team,

What will be the optimal MTU rate for a wireless tunnel network??
From jens.neu at biotronik.com Fri Feb 26 05:46:28 2010
From: jens.neu at biotronik.com (Jens Neu)
Date: Fri, 26 Feb 2010 11:46:28 +0100
Subject: [c-nsp] Strange Time window when running nfdump
Message-ID:

Dear all,

I've encountered a strange behavior of nfdump when running it with the -s and -t options. Sometimes it works as expected, sometimes it gives me strange values in "Time window:", e.g.

Time window: 2010-01-01 00:00:22 - 2010-03-13 04:34:32

when running with

-t 2010/01/01.00:00:00-2010/01/31.00:00:00

details see: http://paste.debian.net/61554/

what could be the explanation? NTP issues on the router, or does it qualify for a bug report?

best regards

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens.neu at biotronik.de

From nsp-list at pollok.net Fri Feb 26 05:54:41 2010
From: nsp-list at pollok.net (Sascha Pollok)
Date: Fri, 26 Feb 2010 11:54:41 +0100 (CET)
Subject: [c-nsp] GSR: 3GE-GBIC-SC v4 traffic influenced by v6 traffic?
Message-ID:

Good day,

the 3GE-GBIC-SC card does IPv6 in software on the linecard. Is anyone aware of a problem that IPv6 traffic that is software-forwarded could influence IPv4 hardware forwarding? It looks like a linecard could hit 100% with ~80 Mbit/s of v6 traffic + other tasks like TAG Stats Backgr or CEF process etc. and also suddenly stops forwarding IPv4 traffic or AT LEAST stops responding to ICMP Echo (directed to the interface IP) or loses IP protocols like LDP or OSPF, which could point to problems GRP/PRP -> Interface. It seems like this happens exactly at the moment when the card's CPU hits 100%.

I had expected that the CPU-forwarded v6 could lead to higher RTT for v6 etc. but I am surprised that it seems like it could influence IP protocols.

I know that the Engine 2 card is not state-of-the-art, especially for v6 traffic, but I am looking for a confirmation that this behaviour is indeed something that could happen. If so, I might go for 4GE-SFP-LC or similar, which does v6 in hardware AFAIK.
Thank you
Sascha

From jan.gregor at chronix.org Fri Feb 26 06:18:59 2010
From: jan.gregor at chronix.org (Jan Gregor)
Date: Fri, 26 Feb 2010 12:18:59 +0100
Subject: [c-nsp] Dynamic IP VPN clients on a dual-ISP ASA 5505
In-Reply-To:
References:
Message-ID: <4B87AE23.2050209@chronix.org>

Hi,

from what they tell you, I suspect that they suggest that you should statically route IP addresses of one group of clients (that's the reason why static IP addresses - you need to define them). The feature you are looking for should be accomplished with policy based routing, but this is not supported by the ASA device; we do it with an IOS based router. Also you will probably need traffic classification to be used later inside PBR; this can't be done by the ASA either :) . So to conclude, it is doable, but you need one device between the ASA and the internet to do the PBR and one device between the ASA and the HQ LAN to do the markings (or maybe you have such a device there). Whether this solution is better than buying static IP addresses is entirely up to you :).

Best regards,

Jan

Frank Bulk wrote:
> We have a customer that recently added a second ISP uplink to their ASA 5505
> at the hub (headquarters) and would like to migrate some of their spokes
> (IPSec) sites to terminate on the new uplink at the hub. Secondly, they
> would like the new uplink to be their hub's primary internet link (using
> PAT).
>
> Their spokes are predominately using SOHO gear on different ISP services
> that have dynamic IP addresses, and behind each spoke is a unique private
> subnet.
>
> What Cisco is telling us is that if we want to use dual-ISP interfaces the
> spokes cannot use dynamic WAN IP addresses. If the spokes have static WAN
> IP addresses it will work -- something with how the VPN session gets set up and
> the fact that the default route is for the new uplink, we're told. But the
> client wants to avoid the $10/month charge for a static for each spoke, if
> at all possible.
>
> With all the knobs and buttons that the ASA has, I find this a little
> surprising. Does anyone have a similar setup for which they would be
> willing to share a configuration snippet?
>
> Here's an abbreviated configuration:
>
>                headquarters
>               192.168.x.0/24
>                      |
>                  ASA 5505
>                  /      \
>              ISP #1    ISP #2
>                |          |
>                 INTERNET
>                |          |
>                |          |
>          dynamic IP    dynamic IP
>           Remote A      Remote B
>        192.168.a.0/24  192.168.b.0/24
>
> A bonus would be if HQ could automatically fail over to the other ISP link.
>
> Thanks in advance for any assistance.
>
> Regards,
>
> Frank Bulk

From peter.haag at switch.ch Fri Feb 26 07:38:19 2010
From: peter.haag at switch.ch (Peter Haag)
Date: Fri, 26 Feb 2010 13:38:19 +0100
Subject: [c-nsp] cisco-nsp Digest, Vol 87, Issue 93
In-Reply-To:
References:
Message-ID: <4B87C0BB.50908@switch.ch>

Hi Jens,

I will look into that.

- Peter

>
> Dear all,
>
> I've encountered a strange behavior of nfdump when running it with the -s
> and -t options. Sometimes it works as expected, sometimes it gives me
> strange values in "Time window:", e.g.
>
> Time window: 2010-01-01 00:00:22 - 2010-03-13 04:34:32
>
> when running with
>
> -t 2010/01/01.00:00:00-2010/01/31.00:00:00
>
> details see: http://paste.debian.net/61554/
>
> what could be the explanation? NTP issues on the router, or does it qualify for
> a bug report?
>
> best regards
>
> Jens Neu
> Health Services Network Administration
>
> Phone: +49 (0) 30 68905-2412
> Mail: jens.neu at biotronik.de

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: peter.haag at switch.ch Web: http://www.switch.ch/

From gert at greenie.muc.de Fri Feb 26 07:57:11 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 26 Feb 2010 13:57:11 +0100
Subject: [c-nsp] Optimal MTU Rate ??
In-Reply-To: <31533f201002260314q5d8c691fodcc7ec6292daca05@mail.gmail.com>
References: <31533f201002260314q5d8c691fodcc7ec6292daca05@mail.gmail.com>
Message-ID: <20100226125711.GX9556@greenie.muc.de>

Hi,

On Fri, Feb 26, 2010 at 04:44:24PM +0530, vijay gore wrote:
> What will be the optimal MTU rate for a wireless tunnel network??

417.3 MTU per second.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From matt at melbourne.org.uk Fri Feb 26 07:59:15 2010
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Fri, 26 Feb 2010 12:59:15 +0000
Subject: [c-nsp] PVLANs in a Hosting Environment
Message-ID:

Hi,

We are investigating options to provide a "VLAN-per-customer" within a hosting environment. Inside each VLAN could be hosting services, e.g. hosted web servers, AD, Exchange (etc). In order to maximise the number of supported VLANs, the use of Private VLANs has been raised. However, although L2 isolation is desirable between customers (effectively a PVLAN community), there may be a requirement to communicate at L3 (e.g. one customer accessing the web site of another). A classical VLAN per customer would utilise more address space than a PVLAN and would require an SVI per customer. What do others do in this type of environment? We would want to offer additional services going forward, e.g. firewalling/load-balancing, which may have implications for PVLAN awareness. A number of services may well be hosted within a virtual environment, and it is my understanding that all devices need to support PVLANs, including virtual switches within any VMware/HyperV-like server environment?

Cheers,

Matt

--
Matthew Melbourne

From sandmaier at schlund.net Fri Feb 26 08:10:23 2010
From: sandmaier at schlund.net (Jan Sandmaier)
Date: Fri, 26 Feb 2010 14:10:23 +0100
Subject: [c-nsp] GSR: 3GE-GBIC-SC v4 traffic influenced by v6 traffic?
In-Reply-To:
References:
Message-ID: <4B87C83F.3010504@schlund.net>

Hi Sascha,

> the 3GE-GBIC-SC card does IPv6 in software on the linecard. Is anyone
> aware of a problem that IPv6 traffic that is software-forwarded
> could influence IPv4 hardware forwarding?
> It looks like a linecard
> could hit 100% with ~80 Mbit/s of v6 traffic + other tasks
> like TAG Stats Backgr or CEF process etc. and also suddenly stops
> forwarding IPv4 traffic or AT LEAST stops responding to ICMP Echo
> (directed to the interface IP) or loses IP protocols like
> LDP or OSPF, which could point to problems GRP/PRP -> Interface.
> It seems like this happens exactly at the moment when the
> card's CPU hits 100%.

this was exactly the reason why we de-activated IPv6 on these linecards. This applies to all Engine 2 linecards.

>
> I had expected that the CPU-forwarded v6 could lead to higher
> RTT for v6 etc. but I am surprised that it seems like it could
> influence IP protocols.
>
> I know that the Engine 2 card is not state-of-the-art, especially
> for v6 traffic, but I am looking for a confirmation that this
> behaviour is indeed something that could happen. If so, I might
> go for 4GE-SFP-LC or similar, which does v6 in hardware AFAIK.

4GE-SFP-LC and any other Engine 3 linecard works well..

Best regards,

Jan

From listacct at tulsaconnect.com Fri Feb 26 08:43:09 2010
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Fri, 26 Feb 2010 07:43:09 -0600
Subject: [c-nsp] PVLANs in a Hosting Environment
In-Reply-To:
References:
Message-ID: <4B87CFED.7010908@tulsaconnect.com>

Matt,

We looked at doing this ourselves a few years back. We decided to push L2 responsibility down to the customer rack and do all L3 at the distribution layer. We use the venerable WS-C3550-48-EMI switches for this duty, and they have been rock solid for years. We did have a few customers complain at first that they were now required to buy a switch whereas we provided L2 beforehand, but this was a minority of customers and it has since turned out to be a great decision. We are now looking at our upgrade path from the 3550's to the next generation that supports IPv6 and all Gigabit ports, etc.
(looking at the 3750G's, Juniper EX series, and Foundry FESX-PREMs)

Matthew Melbourne wrote:
> Hi,
>
> We are investigating options to provide a "VLAN-per-customer" within a
> hosting environment. Inside each VLAN could be hosting services, e.g.
> hosted web servers, AD, Exchange (etc). In order to maximise the number
> of supported VLANs, the use of Private VLANs has been raised.
> However, although L2 isolation is desirable between customers
> (effectively a PVLAN community), there may be a requirement to
> communicate at L3 (e.g. one customer accessing the web site of
> another). A classical VLAN per customer would utilise more address
> space than a PVLAN and would require an SVI per customer. What do
> others do in this type of environment? We would want to offer
> additional services going forward, e.g. firewalling/load-balancing,
> which may have implications for PVLAN awareness. A number of services
> may well be hosted within a virtual environment, and it is my
> understanding that all devices need to support PVLANs, including
> virtual switches within any VMware/HyperV-like server environment?
>
> Cheers,
>
> Matt
>

--
-----------------------------------------
Mike Bacher / listacct at tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From rdobbins at arbor.net Fri Feb 26 08:47:32 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Fri, 26 Feb 2010 13:47:32 +0000
Subject: [c-nsp] GSR: 3GE-GBIC-SC v4 traffic influenced by v6 traffic?
In-Reply-To:
References:
Message-ID: <05DB84D8-1AA8-4515-85A4-5E0DF3FDC8C0@arbor.net>

On Feb 26, 2010, at 6:54 PM, Sascha Pollok wrote:

> If so, I might
> go for 4GE-SFP-LC or similar, which does v6 in hardware AFAIK.

You should be running E3 or E5 linecards at your edges, as these are required to support NetFlow, uRPF, and ACLs.
-----------------------------------------------------------------------
Roland Dobbins // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From stmagconsulting at gmail.com Fri Feb 26 08:51:26 2010
From: stmagconsulting at gmail.com (Stephane MAGAND)
Date: Fri, 26 Feb 2010 14:51:26 +0100
Subject: [c-nsp] Add IPv6 on Cisco 7301 / BGP
Message-ID:

Hi

actually, I have a small lab:

1 Cisco 6506/Sup720
2 Cisco 7301
1 Cisco 7204

All are connected to the 6500 with IPv4, ISIS and MPLS (MP BGP)

The first Cisco 7301 is connected to ISP A and the second connected to ISP B in classic IPv4 BGP.

I want to add IPv6 on this network. My question:

Anyone have a sample BGP config for the Cisco 7301 (same router, same AS but IPv4 and IPv6)?
Same for ISIS?

Many thanks for your help

From nick at inex.ie Fri Feb 26 09:20:18 2010
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 26 Feb 2010 14:20:18 +0000
Subject: [c-nsp] Comparision between Cisco and Juniper Data Center Switches
In-Reply-To: <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com> <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com> <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
Message-ID: <4B87D8A2.4000903@inex.ie>

On 25/02/2010 10:36, Muhammad Atif Jauahar wrote:
>> We are going to upgrade our Data Center; we need 2 (redundant) core
>> switches with top of rack switches (Edge).
>>
>> We get two Proposals
>>
> 1. 2 x EX8216 Switches (Core) and few EX4200 Switches (Edge)
> 2. 2 x Nexus 7000 (Core), 2 Nexus 5000 (Distribution layer)
> and few Nexus 2000 fabric extender (Edge).
>
> Which Proposal is best and why? comments needed.

Muhammad,

Sarcasm aside, your original post didn't really contain any information about your engineering requirements.

As a general guideline, your first question should be: "what am I trying to do".
This will lead to a list of engineering requirements, which will lead to a design and a requirements specification for your proposed networking equipment. The requirements specification will include details on technical features, cost, environmentals (size, power draw, etc), availability and so forth. The design will give you a good idea about how things ought to slot together.

Once you know what you're looking for, you can then start looking around at what fits the bill, and what equipment features / misfeatures are likely to be relevant to you. You can then pass a carefully selected specification to potential suppliers / manufacturers so that they can confirm what would or wouldn't be appropriate for your installation. Juniper and Cisco have good quality engineers at their disposal, and it's entirely possible that they could make useful and insightful suggestions about how to improve your design or fine-tune your requirements.

Both the Juniper EX8200 and Cisco N7K product lines are very fine pieces of engineering. But they are both very expensive, and if you plan to spend a couple of hundred thousand € / $ on this sort of kit, the least you ought to do is come up with compelling reasons to choose one over the other.

Nick

From steve at ibctech.ca Fri Feb 26 09:32:17 2010
From: steve at ibctech.ca (Steve Bertrand)
Date: Fri, 26 Feb 2010 09:32:17 -0500
Subject: [c-nsp] Add IPv6 on Cisco 7301 / BGP
In-Reply-To:
References:
Message-ID: <4B87DB71.5010709@ibctech.ca>

On 2010.02.26 08:51, Stephane MAGAND wrote:
> Hi
>
> actually, I have a small lab:
>
> 1 Cisco 6506/Sup720
> 2 Cisco 7301
> 1 Cisco 7204
>
> All are connected to the 6500 with IPv4, ISIS and MPLS (MP BGP)
>
> The first Cisco 7301 is connected to ISP A and the second connected
> to ISP B
> in classic IPv4 BGP.
>
> I want to add IPv6 on this network. My question:
>
> Anyone have a sample BGP config for the Cisco 7301 (same router, same AS
> but IPv4 and IPv6)?
Not from a 7301, but this cut/slice/paste shouldn't be much different:

router bgp 14270
 neighbor 208.70.111.30 remote-as 64765
 neighbor 208.70.111.30 peer-group toc
 neighbor 208.70.111.30 description eBGP Peering from Works Dept
 ...
 neighbor 2001:470:1F0D:12E::1 remote-as 6939
 neighbor 2001:470:1F0D:12E::1 peer-group v6-transit
 neighbor 2001:470:1F0D:12E::1 description he.net
 ...
 address-family ipv4
 ...
  neighbor toc send-community
  neighbor toc default-originate
  neighbor toc remove-private-as
  neighbor toc soft-reconfiguration inbound
  neighbor toc prefix-list DEFAULT-OUT-V4 out
  neighbor toc route-map CUST-PREF-V4 in
  neighbor toc route-map COMMUNITY-NO-EXPORT out
 ...
  neighbor 208.70.111.30 activate
  neighbor 208.70.111.30 prefix-list WORKS-IN in
 address-family ipv6
 ...
  neighbor v6-transit prefix-list V6-TRANSIT-IN in
  neighbor v6-transit prefix-list V6-TRANSIT-OUT out
  neighbor 2001:470:1F0D:12E::1 activate
 ...

I don't know about IS-IS, as I use OSPF internally.

Steve

From drew.weaver at thenap.com Fri Feb 26 09:35:56 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 26 Feb 2010 09:35:56 -0500
Subject: [c-nsp] Netflow - GSR engine 5
In-Reply-To: <65A9AE2E-B3E7-4D43-A1BD-A4DDFB292A4E@arbor.net>
References: <65A9AE2E-B3E7-4D43-A1BD-A4DDFB292A4E@arbor.net>
Message-ID:

Hey Roland,

You mean if the provider can figure out where the traffic is coming from, right? Haven't had too much luck with that so far.

thanks,
-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dobbins, Roland
Sent: Thursday, February 25, 2010 7:28 PM
To: Cisco-nsp
Subject: Re: [c-nsp] Netflow - GSR engine 5

On Feb 26, 2010, at 12:43 AM, Drew Weaver wrote:

> but why is it showing up in the netflow exports?

Because that's how NetFlow is supposed to work on a real router, vs. the broken implementation on 6500/7600 with current hardware.
;>

It's of great operational significance to know that even though you're dropping traffic on your side of a link via uRPF, S/RTBH, ACLs, whatever, said traffic is still pummeling your router. You can then work with your peer/upstream/downstream/customer to get the traffic squelched closer to the actual source(s).

-----------------------------------------------------------------------
Roland Dobbins // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From drew.weaver at thenap.com Fri Feb 26 09:36:53 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 26 Feb 2010 09:36:53 -0500
Subject: [c-nsp] Netflow - GSR engine 5
In-Reply-To: <20100225213721.GT9556@greenie.muc.de>
References: <20100225213721.GT9556@greenie.muc.de>
Message-ID:

You're of course right, because if it didn't I never would've known this was happening =)

The problem now is getting my upstream to figure out what the source is =(

-Drew

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: Thursday, February 25, 2010 4:37 PM
To: Drew Weaver
Cc: Cisco-nsp
Subject: Re: [c-nsp] Netflow - GSR engine 5

Hi,

On Thu, Feb 25, 2010 at 11:43:37AM -0500, Drew Weaver wrote:
> Should ingress packets dropped by ACLs still hit Netflow on the GSR with E5 linecards?
>
> Gi2/0/2 10.1.123.32 Null 10.1.123.3 11 A29F 0035 1

I'm not sure whether this is documented anywhere, but this is expected, and it is actually recommended to use "Netflow dest if=null" instead of "ACL logging" to see which packets your network is refusing.
> So basically a packet is being sent in from the Internet sourced from
> one of my own IP addresses, and I assume it is being dropped because
> of the ACL on our Internet connections that says we don't want traffic
> coming in from ourselves, but why is it showing up in the netflow
> exports?

So that you can keep track of what you're dropping. You might want to know about it :-)

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From devon at noved.org Fri Feb 26 09:38:53 2010
From: devon at noved.org (Devon True)
Date: Fri, 26 Feb 2010 09:38:53 -0500
Subject: [c-nsp] Netflow - GSR engine 5
In-Reply-To: <65A9AE2E-B3E7-4D43-A1BD-A4DDFB292A4E@arbor.net>
References: <65A9AE2E-B3E7-4D43-A1BD-A4DDFB292A4E@arbor.net>
Message-ID: <4B87DCFD.7060303@noved.org>

On 2/25/2010 7:28 PM, Dobbins, Roland wrote:
> Because that's how NetFlow is supposed to work on a real router, vs.
> the broken implementation on 6500/7600 with current hardware.

I am running Netflow v5 on a 7600 with 12.2(33)SRC5 and I see packets in my Netflow data that are dropped by an ingress ACL on the interface. I understand that other aspects of Netflow are broken on these platforms, but this "feature" seems to work (unless I am misunderstanding something).

--
Devon

From pdavis at i2k.com Fri Feb 26 09:57:41 2010
From: pdavis at i2k.com (Philip Davis)
Date: Fri, 26 Feb 2010 09:57:41 -0500
Subject: [c-nsp] ASR v VXR
Message-ID: <4B87E165.8090804@i2k.com>

Hello,

I've got a pair of 7200VXRs w/ NPE400s doing bba for 3 ATM DS3s as well as T-1 aggregation and a server farm.
I was looking at my options for upgrading and consolidating these boxes and I think it would either be a 7200VXR-G1 (G2?) or an ASR1002. These two options seem to carry similar price tags, so I'm looking for feedback. Is it mostly a question of desired feature set?

Also, I realize that the ASR doesn't support ATM DS3. What solutions are people using to terminate these circuits? I was thinking maybe a small ATM switch? Does such a thing exist anymore?

Thanks,
Phil

--
Philip Davis
Systems Administrator
I-2000 Inc.
(616) 532-8425
888-234-4254

From mtinka at globaltransit.net Fri Feb 26 10:18:24 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 26 Feb 2010 23:18:24 +0800
Subject: [c-nsp] ASR v VXR
In-Reply-To: <4B87E165.8090804@i2k.com>
References: <4B87E165.8090804@i2k.com>
Message-ID: <201002262318.25120.mtinka@globaltransit.net>

On Friday 26 February 2010 10:57:41 pm Philip Davis wrote:

> I've got a pair of 7200VXRs w/ NPE400s doing bba for
> 3 ATM DS3s as well as T-1 aggregation and a server farm.
> I was looking at my options for upgrading and
> consolidating these boxes and I think it would either be
> a 7200VXR-G1 (G2?) or an ASR1002. These two options
> seem to carry similar price tags, so I'm looking for
> feedback. Is it mostly a question of desired feature
> set?
> Also, I realize that the ASR doesn't support ATM DS3.
> What solutions are people using to terminate these
> circuits? I was thinking maybe a small ATM switch? Does
> such a thing exist anymore?

I haven't had the chance to run the ASR1000 platform in a BRAS + Subscriber Management role, but for all intents and purposes, it would out-perform an NPE-G1 or NPE-G2 any day, given that much of the packet services are processed in the ESP (hardware).

IOS XE has been getting additional support for BRAS features, but you want to check and make sure that it mirrors the current feature set, as much as possible.

Cheers,

Mark.
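For the "Netflow - GSR engine 5" thread above: an added example, not code from any poster, that does on the collector side what Gert and Roland describe. It parses records in the layout of IOS "show ip cache flow" (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts, the format of the line Drew quoted), keeps the flows the router sent to Null, and totals those whose source lies inside the operator's own prefixes, i.e. the spoofed traffic the ingress ACL refused, per ingress interface. The prefix list and all sample lines except Drew's are constructed for this example.

```python
"""Report ACL/uRPF-dropped (DstIf == Null) NetFlow cache entries by source."""
import ipaddress
from collections import defaultdict

# Constructed for this example: prefixes this network originates. A packet
# arriving from the Internet with a source inside them is spoofed, which is
# the case Drew's anti-spoofing ACL drops.
OWN_PREFIXES = [ipaddress.ip_network("10.1.123.0/24")]

# Sample "show ip cache flow" records. The first line is the one quoted in the
# thread; the others are constructed. Columns:
# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts (Pr and ports in hex)
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi2/0/2       10.1.123.32     Null          10.1.123.3      11 A29F 0035     1
Gi2/0/2       10.1.123.32     Null          10.1.123.3      11 B100 0035     3
Gi2/0/2       198.51.100.7    Gi2/0/1       10.1.123.40     06 C3A2 0050    12
Gi2/0/2       203.0.113.9     Null          10.1.123.8      01 0000 0800    40
Gi2/0/3       10.1.123.77     Null          10.1.123.3      11 1F90 0035     2
"""


def parse_flow_line(line):
    """Parse one cache record; return None for headers and non-record lines."""
    fields = line.split()
    if len(fields) != 8:
        return None
    try:
        return {
            "src_if": fields[0],
            "src": ipaddress.ip_address(fields[1]),
            "dst_if": fields[2],
            "dst": ipaddress.ip_address(fields[3]),
            "proto": int(fields[4], 16),   # 0x11 = UDP, 0x06 = TCP, 0x01 = ICMP
            "sport": int(fields[5], 16),
            "dport": int(fields[6], 16),
            "pkts": int(fields[7]),
        }
    except ValueError:
        # Column header or a summary line from the same command output.
        return None


def is_own_source(addr, prefixes=OWN_PREFIXES):
    """True if the address (str or ip_address) falls in one of our prefixes."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in p for p in prefixes)


def null_flows(text):
    """Yield parsed records whose output interface is Null (dropped by the box)."""
    for line in text.splitlines():
        rec = parse_flow_line(line)
        if rec is not None and rec["dst_if"] == "Null":
            yield rec


def null_by_ingress(text):
    """Packets dropped to Null per ingress interface, whatever the source."""
    totals = defaultdict(int)
    for rec in null_flows(text):
        totals[rec["src_if"]] += rec["pkts"]
    return dict(totals)


def dropped_spoofed(text, prefixes=OWN_PREFIXES):
    """{(ingress_if, source): packets} for Null-bound flows with our own source."""
    totals = defaultdict(int)
    for rec in null_flows(text):
        if is_own_source(rec["src"], prefixes):
            totals[(rec["src_if"], str(rec["src"]))] += rec["pkts"]
    return dict(totals)


def report(text, prefixes=OWN_PREFIXES):
    """Human-readable summary: what to hand to the upstream, by ingress port."""
    rows = sorted(dropped_spoofed(text, prefixes).items(), key=lambda kv: -kv[1])
    lines = [f"{ifc:<10} {src:<16} {pk:>6} pkts (spoofed own-source, dropped)"
             for (ifc, src), pk in rows]
    for ifc, pk in sorted(null_by_ingress(text).items()):
        lines.append(f"{ifc:<10} total dropped to Null: {pk} pkts")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
```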
From saxon.jones at gmail.com Fri Feb 26 11:22:30 2010
From: saxon.jones at gmail.com (Saxon Jones)
Date: Fri, 26 Feb 2010 09:22:30 -0700
Subject: [c-nsp] PVLANs in a Hosting Environment
In-Reply-To:
References:
Message-ID: <86b512c31002260822y259d3fbcrbcf690c01a625ccf@mail.gmail.com>

We used to use (at a previous job) 3550s, private VLANs, and
local-proxy-arp to achieve this. It would occasionally irritate customers
because our 3550 would win the ARP response for traffic going between
their hosts, though this usually wasn't an issue since we'd happily push
those few customers to a dedicated VLAN.

-saxon

On 26 February 2010 05:59, Matthew Melbourne wrote:
> Hi,
>
> We are investigating options to provide a "VLAN-per-customer" within a
> hosting environment. Inside each VLAN could be hosting services, e.g.
> hosted web servers, AD, Exchange (etc). In order to maximise the number
> of supported VLANs, then the use of Private VLANs has been raised.
> However, although L2 isolation is desirable between customers
> (effectively a PVLAN community), there may be a requirement to
> communicate at L3 (e.g. one customer accessing the web site of
> another). A classical VLAN per customer would utilise more address
> space than a PVLAN and would require an SVI per customer. What do
> others do in this type of environment? We would want to offer
> additional services going forward, e.g. firewalling/load-balancing
> which may have implications for PVLAN awareness. A number of services
> may well be hosted within a virtual environment, and it is my
> understanding that all devices need to support PVLANs including
> virtual switches within any VMware/HyperV-like server environment?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne

From thirdfrl.nsp at gmail.com Fri Feb 26 12:09:15 2010
From: thirdfrl.nsp at gmail.com (Ryan Lambert)
Date: Fri, 26 Feb 2010 12:09:15 -0500
Subject: [c-nsp] SecureACS Appliance & AD Authentication
Message-ID: <56665ca71002260909t5fb16437k321bb13c0879913f@mail.gmail.com>

Hi everyone,

Figure this is as good a place as any to reach out and see if anyone has
some experience with this.

I'm currently debating whether I use LDAP or a Remote Agent for Windows
with my SecureACS Appliance to authenticate network users via AD. I've
read through the documentation a bit, but I still have a couple
questions:

- If I use the remote agent, is there a way I can only allow specific
  users in an AD domain to log onto network devices? For obvious reasons
  I would not want to allow each and every user in the domain to access
  my routers/switches via SSH.
- Is there a method to doing this same restriction via LDAP?
- As a network admin with little/no access to the actual AD admin
  snap-in, I'd much PREFER to have all of this in my control, with the
  exception of obviously installing the Agent software on a member server
  if that's the route we eventually go.

Thanks in advance.

-Ryan

From b.turnbow at twt.it Fri Feb 26 12:23:39 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 26 Feb 2010 18:23:39 +0100
Subject: [c-nsp] ASR v VXR
In-Reply-To: <4B87E165.8090804@i2k.com>
References: <4B87E165.8090804@i2k.com>
Message-ID:

>Hello,
> I've got a pair of 7200VXRs w/ NPE400s doing bba for 3 ATM DS3s as
>well as T-1 aggregation and a server farm. I was looking at my options
>for upgrading and consolidating these boxes and I think it would either
>be a 7200VXR-G1 (G2?) or an ASR1002. These two options seem to carry
>similar price tags, so I'm looking for feedback. Is it mostly a question
>of desired feature set?
> Also, I realize that the ASR doesn't support ATM DS3. What solutions
>are people using to terminate these circuits? I was thinking maybe a
>small ATM switch? Does such a thing exist anymore?

Note that the ASR does not support PPPoA which you may be using in ATM.
AFAIK it is not coming any time soon.

We use G2 and G1s and G2s outperform G1s for forwarding packets.
Cisco upgrade path for us would be to 10k series, of course this changes
the budget. Not that an ASR plus an 8500 would differ much....

Brian

From scott at labyrinth.org Fri Feb 26 12:37:59 2010
From: scott at labyrinth.org (Scott Keoseyan)
Date: Fri, 26 Feb 2010 12:37:59 -0500
Subject: [c-nsp] SecureACS Appliance & AD Authentication
In-Reply-To: <56665ca71002260909t5fb16437k321bb13c0879913f@mail.gmail.com>
References: <56665ca71002260909t5fb16437k321bb13c0879913f@mail.gmail.com>
Message-ID:

Yes Ryan, you can restrict access based on LDAP or AD groups to specific
groups of devices and access levels, however, I would STRONGLY recommend
the direct LDAP approach, using LDAPS with certificates, as opposed to
the AD plugin, which has been rife with memory leaks and other stability
issues for years now. I have lost a measurable amount of sleep over these
issues in the past. If you need to use AD, run the Windows version on a
Windows server.

Scott

From A.L.M.Buxey at lboro.ac.uk Fri Feb 26 13:32:10 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 26 Feb 2010 18:32:10 +0000
Subject: [c-nsp] SecureACS Appliance & AD Authentication
Message-ID: <5W9rbnwVGk5v@Yx0sWmS2>

Personally I'd go for freeradius or radiator RADIUS server for the
backend policy/logic - both work well with AD and handle many EAP types,
proxying etc.

From james at mor-pah.net Fri Feb 26 13:41:20 2010
From: james at mor-pah.net (James Greig)
Date: Fri, 26 Feb 2010 18:41:20 -0000
Subject: [c-nsp] SecureACS Appliance & AD Authentication
In-Reply-To: <5W9rbnwVGk5v@Yx0sWmS2>
References: <5W9rbnwVGk5v@Yx0sWmS2>
Message-ID: <000a01cab713$49da37e0$dd8ea7a0$@net>

Hi,

Just a note on this one. Within our organisation we have a number of
systems, freeradius etc so we decided to consolidate and use Microsoft's
Network Policy Server with RADIUS to authenticate against Active
Directory. It's all built in to 2008. You can set certain users, or
groups to have access to certain devices etc. We're using this against
our 7200 series edge routers, core 3750 switches and numerous Cisco ASAs
(anything that supports radius). You can also set access times which
comes in handy for rancid.

It's not everyone's cup of tea being Microsoft, but it works well for us
and we cannot fault it.

James Greig

From pkranz at unwiredltd.com Fri Feb 26 15:34:37 2010
From: pkranz at unwiredltd.com (Peter Kranz)
Date: Fri, 26 Feb 2010 12:34:37 -0800
Subject: [c-nsp] compact flash modules for Sup720-3bxl..
Message-ID: <02b001cab723$1d690280$583b0780$@unwiredltd.com>

I have some CF 1 GB modules that are recognized on insert:

Feb 25 10:45:11.034 PST: %FILESYS-SP-5-DEV: PCMCIA flash card inserted into disk0

But won't format:

xxx#format disk0:
Format operation may take a while. Continue? [confirm]y
Format operation will destroy all data in "disk0:".  Continue? [confirm]y
%Error formatting disk0 (No such device)

This is not cisco branded CF, but in the past I've had good luck with a
variety of other manuf. CF cards. Any hints on how to make sure the CF
card I purchase is going to be compatible?

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com

From dan.holme at gmail.com Fri Feb 26 16:05:02 2010
From: dan.holme at gmail.com (Dan Holme)
Date: Fri, 26 Feb 2010 21:05:02 +0000
Subject: [c-nsp] compact flash modules for Sup720-3bxl..
In-Reply-To: <02b001cab723$1d690280$583b0780$@unwiredltd.com>
References: <02b001cab723$1d690280$583b0780$@unwiredltd.com>
Message-ID:

Peter

Unfortunately you can't just use any flash card in the 6500/7600.
Theoretically all that is required is a standard ATA CF but I have
found that not all work.

You can find more info on the CF card like so "show disk0: filesys"

I have only had good experiences with:
ATA CARD GEOMETRY
    Manufacturer Name      SanDisk

..but I am sure there are others that work okay.

Here is an example of one that I can read but am unable to boot from:
ATA CARD GEOMETRY
    Manufacturer Name      Vendor
    Model Number           CF Card

As you can see I've had mixed experiences with different card types, if
somebody can be sure how to tell which cards will work and which won't
then that info would be useful.

--Dan

From jasongurtz at npumail.com Fri Feb 26 16:19:37 2010
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Fri, 26 Feb 2010 16:19:37 -0500
Subject: [c-nsp] compact flash modules for Sup720-3bxl..
In-Reply-To:
References: <02b001cab723$1d690280$583b0780$@unwiredltd.com>
Message-ID:

> Unfortunately you can't just use any flash card in the 6500/7600.
> Theoretically all that is required is a standard ATA CF but I have
> found that not all work.
>
> You can find more info on the CF card like so "show disk0: filesys"
>
> I have only had good experiences with:
> ATA CARD GEOMETRY
>     Manufacturer Name      SanDisk
>
> ..but I am sure there are others that work okay.

Recently, on another mailing list, a developer working with ATA drivers
made claim that SanDisk is known to follow the ATA specs accurately,
unlike many other manufacturers. Something about a RESET command or
something. Maybe the SUP is sensitive to these kind of things and doesn't
have workarounds coded up.

Around here SanDisk isn't too expensive, so it seems like good peace of
mind.

~JasonG

From nsp-list at pollok.net Fri Feb 26 16:25:08 2010
From: nsp-list at pollok.net (Sascha E. Pollok)
Date: Fri, 26 Feb 2010 22:25:08 +0100 (CET)
Subject: [c-nsp] GSR: 3GE-GBIC-SC v4 traffic influenced by v6 traffic?
In-Reply-To: <4B87C83F.3010504@schlund.net>
References: <4B87C83F.3010504@schlund.net>
Message-ID:

Hello Jan,

thanks for your reply. It sheds some light on that annoying problem.

>> forwarding IPv4 traffic or AT LEAST stops responding to ICMP Echo
>> (directed to the interface IP) or loses IP protocols like
>> LDP or OSPF which could point to problems GRP/PRP -> Interface.
>> It seems like this happens exactly at that moment when the
>> card's CPU hits 100%.
>
> this was exactly the reason why we de-activated IPv6 on these linecards. This
> applies for all Engine 2 linecards.

do you remember any ways to track this problem e.g. how I can check how
much a certain buffer is filling up etc? I checked several things on the
linecard with sh contr frfab and tofab etc but couldn't find any evidence
for internal buckets filling up.

>> I know that the Engine 2 card is not state-of-the-art especially
>> for v6 traffic but I am looking for a confirmation that this
>> behaviour is indeed something that could happen. If so, I might
>> go for 4GE-SFP-LC or similar which does v6 in hardware AFAIK.
>
> 4GE-SFP-LC and any other Engine 3 linecard works well..

4GE cards are on their way... :-)

Thanks again
Sascha

From dan.holme at gmail.com Fri Feb 26 16:34:37 2010
From: dan.holme at gmail.com (Dan Holme)
Date: Fri, 26 Feb 2010 21:34:37 +0000
Subject: [c-nsp] compact flash modules for Sup720-3bxl..
In-Reply-To:
References: <02b001cab723$1d690280$583b0780$@unwiredltd.com>
Message-ID:

Well, that would fit my experiences Jason.

Looking through a few other SUPs running 12.2SR they all seem to have
SanDisk CF in.
However the ones I have running 12.2SX do not show the vendor of the
CF. Not sure whether that is IOS or CF related.

--
Dan Holme

From rsm at fast-serv.com Fri Feb 26 17:17:58 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Fri, 26 Feb 2010 17:17:58 -0500
Subject: [c-nsp] compact flash modules for Sup720-3bxl..
In-Reply-To:
References: <02b001cab723$1d690280$583b0780$@unwiredltd.com>
Message-ID: <20100226221732.M42540@fast-serv.com>

Ours are SanDisk. They were sold to us by a vendor who assured us of the
compatibility.

--
Randy
www.FastServ.com

From pkranz at unwiredltd.com Fri Feb 26 17:23:58 2010
From: pkranz at unwiredltd.com (Peter Kranz)
Date: Fri, 26 Feb 2010 14:23:58 -0800
Subject: [c-nsp] compact flash modules for Sup720-3bxl..
In-Reply-To: <20100226221732.M42540@fast-serv.com>
References: <02b001cab723$1d690280$583b0780$@unwiredltd.com>
	<20100226221732.M42540@fast-serv.com>
Message-ID: <000301cab732$63dbfdd0$2b93f970$@unwiredltd.com>

And the max capacity for a Sup720 is 1GB right, no 2GB and up modules
allowed?

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com

From devinkinch at gmail.com Fri Feb 26 19:12:50 2010
From: devinkinch at gmail.com (Devin Kinch)
Date: Fri, 26 Feb 2010 16:12:50 -0800
Subject: [c-nsp] Comparision between Cisco and Juniper Data Center Switches
In-Reply-To: <4B87D8A2.4000903@inex.ie>
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com>
	<6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com>
	<6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com>
	<4B87D8A2.4000903@inex.ie>
Message-ID: <1bd413ac1002261612r13aaf983mea3374643c19b714@mail.gmail.com>

Current Nexus 2148T doesn't support Etherchannel in the strictest sense
(you can do 2 port vPC down to the servers) or 100BASE-T. They are
strictly 1000BASE-T only -- this may bite you if you need 100BASE-T
management ports, etc.

Also keep in mind that the fabric extenders do not even perform L2
switching. They are just Ethernet Host Virtualizers, which means they
mux all traffic up to the 5ks for processing. And the N5ks do not
support L3. There are many limitations. But, if you need the SAN,
virtualization, or 802.1ae features, there is no comparison.

I would wait until late spring when the next model of N2k comes out
(should have proper Etherchannel, 100BASE-T, actual features, etc), and
then go Cisco.
Also NX-OS 5.0 is coming out soon too, and has a lot of great features: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps9494/ps9372/product_bulletin_c25-577133.html I mean, how cool is OTV? Devin Kinch On Fri, Feb 26, 2010 at 6:20 AM, Nick Hilliard wrote: > On 25/02/2010 10:36, Muhammad Atif Jauahar wrote: > >> We are going to upgrade our Data Center we need 2 (redundant) core > >> switches with top of rack switches (Edge). > >> > >> We get two Proposals > >> > > 1. 2 x EX8216 Switches (Core) and few EX4200 Switches > (Edge) > > 2. 2 x Nexus 7000 (Core), 2 Nexus 5000 (Distribution > layer) > > and few Nexus 2000 fabric extender (Edge). > > > > Which Proposal is best and why? comments needed. > > Muhammad, > > Sarcasm aside, your original post didn't really contain any information > about your engineering requirements. As a general guideline, your first > question should be: "what am I trying to do". This will lead to a list of > engineering requirements which will lead to a design and a requirements > specification for your proposed networking equipment. > > The requirements specification will include details on technical features, > cost, environmentals (size, power draw, etc), availability and so forth. > The design will give you a good idea about how things ought to slot > together. > > Once you know what you're looking for, you can then start looking around at > what fits the bill, and what equipment features / misfeatures are likely to > be relevant to you. You can then pass a carefully selected specification > to potential suppliers / manufacturers so that they can confirm what would > or wouldn't be appropriate for your installation. Juniper and Cisco have > good quality engineers at their disposal, and it's entirely possible that > they could make useful and insightful suggestions about how to improve your > design or fine-tune your requirements. > > Both the Juniper EX8200 and Cisco N7K product lines are very fine pieces of > engineering. 
But they are both very expensive, and if you plan to spend a > couple of hundred thousand ? / $ on this sort of kit, the least you ought > to do is come up with compelling reasons to choose one over the other. > > Nick > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From bbasler at cisco.com Fri Feb 26 20:33:18 2010 From: bbasler at cisco.com (Ben Basler (bbasler)) Date: Fri, 26 Feb 2010 17:33:18 -0800 Subject: [c-nsp] compact flash modules for Sup720-3bxl.. In-Reply-To: <000301cab732$63dbfdd0$2b93f970$@unwiredltd.com> References: <02b001cab723$1d690280$583b0780$@unwiredltd.com> <20100226221732.M42540@fast-serv.com> <000301cab732$63dbfdd0$2b93f970$@unwiredltd.com> Message-ID: As of SXI 2GB Cisco CF is supported: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/features.html#wp4208036 Issue with 3rd party vendor CF's is that each CF has an internal controller that sits before the actual flash memory. Vendors change those internal controller versions w/o necessarily indicating this on the packaging/to the user. The quality/timings of these internal controllers varies vastly which can result in interop issues. Cheers, Ben > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Peter Kranz > Sent: Friday, February 26, 2010 2:24 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] compact flash modules for Sup720-3bxl.. > > And the max capacity for a Sup720 is 1GB right, no 2GB and up modules > allowed? 
> > Peter Kranz > Founder/CEO - Unwired Ltd > www.UnwiredLtd.com > Desk: 510-868-1614 x100 > Mobile: 510-207-0000 > pkranz at unwiredltd.com > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Randy McAnally > Sent: Friday, February 26, 2010 2:18 PM > To: Dan Holme; Jason Gurtz > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] compact flash modules for Sup720-3bxl.. > > Ours are SanDisk. They were sold to us by a vendor who assured us of the > compatibility. > > -- > Randy > www.FastServ.com > > ---------- Original Message ----------- > From: Dan Holme > To: Jason Gurtz > Cc: cisco-nsp at puck.nether.net > Sent: Fri, 26 Feb 2010 21:34:37 +0000 > Subject: Re: [c-nsp] compact flash modules for Sup720-3bxl.. > > > Well, that would fit my experiences Jason. > > > > Looking through a few other SUPs running 12.2SR they all seem to have > > SanDisk CF in. > > However the ones I have running 12.2SX do not show the vendor of the > > CF. Not sure whether that is IOS or CF related. > > > > On Fri, Feb 26, 2010 at 9:19 PM, Jason Gurtz > > wrote: > > >> Unfortunately you can't just use any flash card in the 6500/7600. > > >> Theoretically all that is required is a standard ATA CF but I have > > >> found that not all work. > > >> > > >> You can find more info on the CF card like so "show disk0: filesys" > > >> > > >> I have only had good experiences with: > > >> ATA CARD GEOMETRY > > >> ? ?Manufacturer Name ? ? ?SanDisk > > >> > > >> ..but I am sure there are others that work okay. > > > > > > Recently, on another mailing list, a developer working with ATA > > > drivers made claim that SanDisk is known to follow the ATA specs > > > accurately, unlike many other manufacturers. ?Something about a > > > RESET command or something. ?Maybe the SUP is sensitive to these > > > kind of things and doesn't have workarounds coded up. 
> > > > > > Around here SanDisk isn't too expensive, so it seems like good peace > > > of mind. > > > > > > ~JasonG > > > > > > _______________________________________________ > > > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > -- > > Dan Holme > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ------- End of Original Message ------- > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tdurack at gmail.com Fri Feb 26 21:09:59 2010 From: tdurack at gmail.com (Tim Durack) Date: Fri, 26 Feb 2010 21:09:59 -0500 Subject: [c-nsp] compact flash modules for Sup720-3bxl.. In-Reply-To: <02b001cab723$1d690280$583b0780$@unwiredltd.com> References: <02b001cab723$1d690280$583b0780$@unwiredltd.com> Message-ID: <9e246b4d1002261809l6074e05fxfd974c575d4d2ebe@mail.gmail.com> On Fri, Feb 26, 2010 at 3:34 PM, Peter Kranz wrote: > I have some CF 1 GB modules that are recognized on insert: I have found these to work consistently on and old and new Sups: SanDisk SDCFB-1024-A10 1GB CF Type 1 Card For some reason, VS-S720-10G sups support a wider range of CF cards than the older 720s. Probably something to do with the various vendor/part codes programmed in the CF. 
--
Tim:>

From tvarriale at comcast.net Sat Feb 27 01:27:54 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Sat, 27 Feb 2010 00:27:54 -0600
Subject: [c-nsp] Comparision between Cisco and Juniper Data CenterSwitches
References: <6a51198a1002250230y530797e3l62578adc9686da8d@mail.gmail.com> <6a51198a1002250235k3be00762hdfa3ce1377f7b354@mail.gmail.com> <6a51198a1002250236v6e447d16me2c9843c7a701370@mail.gmail.com> <4B87D8A2.4000903@inex.ie> <1bd413ac1002261612r13aaf983mea3374643c19b714@mail.gmail.com>
Message-ID:

Not necessarily directed at you Devin...

If you consider some of these design features an issue, I would recommend getting with your account team and getting an NDA in place. There will be some changes made very soon that will have a major impact on the flexibility and general architecture of the Nexus platforms.

> I mean, how cool is OTV?

Sort of.

tv

----- Original Message -----
From: "Devin Kinch"
To: "Nick Hilliard"
Cc:
Sent: Friday, February 26, 2010 6:12 PM
Subject: Re: [c-nsp] Comparision between Cisco and Juniper Data CenterSwitches

Current Nexus 2148T doesn't support Etherchannel in the strictest sense (you can do 2 port vPC down to the servers) or 100BASE-T. They are strictly 1000BASE-T only -- this may bite you if you need 100BASE-T management ports, etc.

Also keep in mind that the fabric extenders do not even perform L2 switching. They are just Ethernet Host Virtualizers, which means they mux all traffic up to the 5ks for processing. And the N5ks do not support L3. There are many limitations. But, if you need the SAN, virtualization, or 802.1ae features, there is no comparison.

I would wait until late spring when the next model of N2k comes out (should have proper Etherchannel, 100BASE-T, actual features, etc), and then go Cisco. Also NX-OS 5.0 is coming out soon too, and has a lot of great features:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps9494/ps9372/product_bulletin_c25-577133.html

I mean, how cool is OTV?
Devin Kinch

From nick at inex.ie Sat Feb 27 06:45:05 2010
From: nick at inex.ie (Nick Hilliard)
Date: Sat, 27 Feb 2010 11:45:05 +0000
Subject: [c-nsp] compact flash modules for Sup720-3bxl..
In-Reply-To: <20100226221732.M42540@fast-serv.com>
References: <02b001cab723$1d690280$583b0780$@unwiredltd.com> <20100226221732.M42540@fast-serv.com>
Message-ID: <4B8905C1.6040804@inex.ie>

On 26/02/2010 22:17, Randy McAnally wrote:
> Ours are SanDisk. They were sold to us by a vendor who assured us of the
> compatibility.

I use Kingston 512M CF cards. Under the hood, they appear to be Toshiba THNCF units. Never had any problems with them.

Nick

From nvoth at estreet.com Sat Feb 27 10:23:55 2010
From: nvoth at estreet.com (Nick Voth)
Date: Sat, 27 Feb 2010 08:23:55 -0700
Subject: [c-nsp] Newbie question on OC3 on 7206VXR
Message-ID:

Folks,

I am about to light up our first OC3 on a 7206VXR NPE400 running 12.2(29b). It's an ATM circuit from Qwest and will have a lot of sub interfaces on it for individual DSL accounts for customers of ours. I've been doing this for years on DS3's, but have never done an OC3.

My current set up on one of the DS3's is pretty standard:

interface ATM1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip route-cache cef
 no ip mroute-cache
 atm scrambling cell-payload
 no atm ilmi-keepalive
!
interface ATM1/0.32 point-to-point
 pvc 1/32
  ubr 1500
  encapsulation aal5mux ppp Virtual-Template1
 !
!
interface ATM1/0.33 point-to-point
 pvc 1/33
  ubr 1500
  encapsulation aal5mux ppp Virtual-Template1
 .
 .
 . and so on....

The card I've been told will work for the OC3 is a PA-A3-OC3SMI. I'm just curious if anyone has any tips or tricks for a similar setup. I'd really love to avoid the "banging my head on the desk" stage in this setup...

Thanks very much for any advice you may have.
-Nick Voth

From rodunn at cisco.com Sat Feb 27 20:26:20 2010
From: rodunn at cisco.com (Rodney Dunn)
Date: Sat, 27 Feb 2010 20:26:20 -0500
Subject: [c-nsp] Input queue flushes and drops
In-Reply-To: <5301820a1002252257u7f022192v1c5e28341b6a655c@mail.gmail.com>
References: <5301820a1002252257u7f022192v1c5e28341b6a655c@mail.gmail.com>
Message-ID: <4B89C63C.5010904@cisco.com>

On 2/26/10 1:57 AM, Javi in AUS wrote:
> Gents,
>
> We have a WAN facing Cisco 3845 which is showing the numbers below on its
> Gi0/1 interface:
>
> Input queue: 0/75/9/71805 (size/max/drops/flushes); Total output drops:
> 714432

Turn off SPD:

config t
no spd enable
end

> Of course, these counters are increasing and we have a bunch of users at the
> other side of the link complaining about poor VoIP performance (they hear
> us intermittently although we can hear them Ok).
> CEF is enabled globally, input queue is set to default (75).
>
> GigabitEthernet0/1 is up, line protocol is up
>   Hardware is BCM1125 Internal MAC, address is 001b.d37d.f8a2 (bia 001b.d37d.f8a2)
>   Internet address is 10.83.2.17/30
>   MTU 1500 bytes, BW 20000 Kbit/sec, DLY 100 usec,
>      reliability 255/255, txload 11/255, rxload 10/255
>   Encapsulation ARPA, loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 100Mb/s, media type is RJ45
>   output flow-control is XON, input flow-control is XON
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of "show interface" counters 3w3d
>   Input queue: 0/75/9/71805 (size/max/drops/flushes); Total output drops: 714432
>   Queueing strategy: Class-based queueing
>   Output queue: 0/1000/0 (size/max total/drops)
>   30 second input rate 848000 bits/sec, 634 packets/sec
>   30 second output rate 874000 bits/sec, 604 packets/sec
>      1146444284 packets input, 1913512714 bytes, 0 no buffer
>      Received 1785 broadcasts, 0 runts, 0 giants, 1 throttles
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 watchdog, 6993 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      1121611018 packets output, 2544901813 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 unknown protocol drops
>      0 babbles, 0 late collision, 0 deferred
>      0 lost carrier, 0 no carrier, 0 pause output
>      0 output buffer failures, 0 output buffers swapped out
>

What is your policy doing on that interface for the output drops?

sh policy-map interface gig 0/1

What does 'sh int stat' show...the input queue is only for process switched traffic so you need to figure that out?

What code?...12.4(20)T and later you can do an EPC trace on the punt path coming in the interface to see what traffic it is.

Or try to catch the packets in 'sh buffers input-interface gig 0/1 packet'

> Should we increase the input queue size to 150,200,250, etc ? Could these
> flushed/drops be the cause of the poor VoIP performance?

Yeah..set it to the max of 4096.

Rodney

> Many thanks,
>
> P

From nvoth at estreet.com Sat Feb 27 21:42:49 2010
From: nvoth at estreet.com (Nick Voth)
Date: Sat, 27 Feb 2010 19:42:49 -0700
Subject: [c-nsp] Newbie question on OC3 on 7206VXR
In-Reply-To: <20100228023403.GA3971@jeeves.rigozsaurus.com>
Message-ID:

Thanks very much John. I've seen the use of that pvc range command before but haven't ever really messed with it much. I'll give that a shot. The OC3 side of the config looks pretty straight forward.

Thanks for the input!

-Nick Voth

> From: John Osmon
> Date: Sat, 27 Feb 2010 19:34:03 -0700
> To: Nick Voth
> Cc:
> Subject: Re: [c-nsp] Newbie question on OC3 on 7206VXR
>
> On Sat, Feb 27, 2010 at 08:23:55AM -0700, Nick Voth wrote:
> [...Qwest ATM for DSL -- config request...]
>
>> The card I've been told will work for the OC3 is a PA-A3-OC3SMI. I'm just
>> curious if anyone has any tips or tricks for a similar setup. I'd really
>> love to avoid the "banging my head on the desk" stage in this setup...
>
> Below is a cut-n-paste from another Qwest OC-3 aggregation port.
> We used a PA-A3-OC3SMI:
> !Slot 6: type ATM WAN OC3 SMI, 1 ports
> !Slot 6: hvers 2.0 rev A0
> !Slot 6: part 73-2427-04
>
> I won't guarantee that it is the ideal solution -- but it worked for
> several years. The 'range' command is useful to keep your config
> looking cleaner. The 'pvc-in-range' command is useful for "one off"
> situations.
>
> Hope this helps... (If it is useful, an engineer that worked for me
> put things together. If it isn't useful -- it's all my fault...)
>
> !
> interface ATM6/0
>  description Qwest DSL aggregation
>  no ip address
>  no atm ilmi-keepalive
>  no atm enable-ilmi-trap
>  bundle-enable
> !
> interface ATM6/0.10000 point-to-point
>  description DSL Qwest
>  no atm enable-ilmi-trap
>  range qwestdslA pvc 1/32 1/1023
>   dbs enable
>   encapsulation aal5mux ppp Virtual-Template1
>  !
>  pvc-in-range 1/53
>   encapsulation aal5mux ppp Virtual-Template2
> !
> interface Virtual-Template1
>  ip unnumbered Loopback1
>  ip verify unicast reverse-path
>  no logging event link-status
>  peer default ip address pool default
>  ppp authentication pap
>  ppp multilink
>

From josmon at rigozsaurus.com Sat Feb 27 21:34:03 2010
From: josmon at rigozsaurus.com (John Osmon)
Date: Sat, 27 Feb 2010 19:34:03 -0700
Subject: [c-nsp] Newbie question on OC3 on 7206VXR
In-Reply-To:
References:
Message-ID: <20100228023403.GA3971@jeeves.rigozsaurus.com>

On Sat, Feb 27, 2010 at 08:23:55AM -0700, Nick Voth wrote:
[...Qwest ATM for DSL -- config request...]
> The card I've been told will work for the OC3 is a PA-A3-OC3SMI. I'm just
> curious if anyone has any tips or tricks for a similar setup. I'd really
> love to avoid the "banging my head on the desk" stage in this setup...

Below is a cut-n-paste from another Qwest OC-3 aggregation port.
We used a PA-A3-OC3SMI:
!Slot 6: type ATM WAN OC3 SMI, 1 ports
!Slot 6: hvers 2.0 rev A0
!Slot 6: part 73-2427-04

I won't guarantee that it is the ideal solution -- but it worked for several years. The 'range' command is useful to keep your config looking cleaner. The 'pvc-in-range' command is useful for "one off" situations.

Hope this helps... (If it is useful, an engineer that worked for me put things together. If it isn't useful -- it's all my fault...)

!
interface ATM6/0
 description Qwest DSL aggregation
 no ip address
 no atm ilmi-keepalive
 no atm enable-ilmi-trap
 bundle-enable
!
interface ATM6/0.10000 point-to-point
 description DSL Qwest
 no atm enable-ilmi-trap
 range qwestdslA pvc 1/32 1/1023
  dbs enable
  encapsulation aal5mux ppp Virtual-Template1
 !
 pvc-in-range 1/53
  encapsulation aal5mux ppp Virtual-Template2
!
interface Virtual-Template1
 ip unnumbered Loopback1
 ip verify unicast reverse-path
 no logging event link-status
 peer default ip address pool default
 ppp authentication pap
 ppp multilink

From dale.shaw+cisco-nsp at gmail.com Sun Feb 28 01:36:31 2010
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sun, 28 Feb 2010 17:36:31 +1100
Subject: [c-nsp] Input queue flushes and drops
In-Reply-To: <4B89C63C.5010904@cisco.com>
References: <5301820a1002252257u7f022192v1c5e28341b6a655c@mail.gmail.com> <4B89C63C.5010904@cisco.com>
Message-ID: <3329cbb41002272236l5e81cd5el8633d6956023f9ef@mail.gmail.com>

Hi Rodney,

On Sun, Feb 28, 2010 at 12:26 PM, Rodney Dunn wrote:
>
>> Should we increase the input queue size to 150,200,250, etc ? Could these
>> flushed/drops be the cause of the poor VoIP performance?
>
> Yeah..set it to the max of 4096.

This is a platform-specific recommendation or a "just do it everywhere" type thing? Could you elaborate a bit? Always good to squeeze out a bit more performance or reliability. Are there any trade-offs? Just on input or output as well?
cheers,
Dale

From ianh at ianh.net.au Sun Feb 28 01:18:10 2010
From: ianh at ianh.net.au (Ian Henderson)
Date: Sun, 28 Feb 2010 14:18:10 +0800 (WST)
Subject: [c-nsp] DS3 over STM1
In-Reply-To:
References:
Message-ID:

On Tue, 12 Jan 2010, Ian Henderson wrote:
> The new carrier has provisioned a 45Mbit clear channel service with a
> DS3 at the remote site, and a channelised STM1 at the head office. I
> can't seem to find a combination of router/card/mux to make this work.

For the archives, we got this working using an Adtran Opti-6100 for about $5k AUD. It uses an E3M3B card to connect to the head office PA-2T3+, with an OMM3VIR card to connect to the carrier's STM1. Mapping the VC3 to the physical DS3 interface is simply a matter of selecting the inbound circuit on the left side of the screen, and the outbound circuit on the right side of the screen.

Rgds,

- I.

From amr.ccie at gmail.com Sun Feb 28 04:24:08 2010
From: amr.ccie at gmail.com (Jason Alex)
Date: Sun, 28 Feb 2010 11:24:08 +0200
Subject: [c-nsp] IOS to XR IOS Conversion
Message-ID:

Dear All,

Is there any tool that can be used to convert from Cisco IOS to XR IOS, in order to save some time during the migration from Cisco IOS to XR IOS?

I think if there is any tool like this, it will be very useful to me.

Appreciate your help.

Thanks a lot

Regards
Jason
CCIE#24775

From linux.yahoo at gmail.com Sun Feb 28 06:58:48 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Sun, 28 Feb 2010 12:58:48 +0100
Subject: [c-nsp] IOS to XR IOS Conversion
In-Reply-To:
References:
Message-ID: <7100ed371002280358j44a7435eke499aefe3c605e28@mail.gmail.com>

AFAIK no

On Sun, Feb 28, 2010 at 10:24 AM, Jason Alex wrote:
> Dear All,
> Is there any tool that can be used to convert from Cisco IOS to XR
> IOS, in order to save some time during the migration from Cisco IOS to XR
> IOS?
>
> I think if there is any tool like this, it will be very useful to me
>
> Appreciate your help.
>
> Thanks a lot
>
> Regards
> Jason
> CCIE#24775

From james at mor-pah.net Sun Feb 28 07:58:44 2010
From: james at mor-pah.net (James Greig)
Date: Sun, 28 Feb 2010 12:58:44 -0000
Subject: [c-nsp] compact flash modules for Sup720-3bxl..
In-Reply-To: <000301cab732$63dbfdd0$2b93f970$@unwiredltd.com>
References: <02b001cab723$1d690280$583b0780$@unwiredltd.com> <20100226221732.M42540@fast-serv.com> <000301cab732$63dbfdd0$2b93f970$@unwiredltd.com>
Message-ID: <000001cab875$cf967930$6ec36b90$@net>

Hi,

Just a note - we're using a 4GB CF in our sup32. Not sure on the make/model of the CF though I think it's a SanDisk.

James Greig

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Kranz
Sent: 26 February 2010 22:24
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] compact flash modules for Sup720-3bxl..

And the max capacity for a Sup720 is 1GB right, no 2GB and up modules allowed?

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Randy McAnally
Sent: Friday, February 26, 2010 2:18 PM
To: Dan Holme; Jason Gurtz
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] compact flash modules for Sup720-3bxl..

Ours are SanDisk. They were sold to us by a vendor who assured us of the compatibility.

--
Randy
www.FastServ.com

---------- Original Message -----------
From: Dan Holme
To: Jason Gurtz
Cc: cisco-nsp at puck.nether.net
Sent: Fri, 26 Feb 2010 21:34:37 +0000
Subject: Re: [c-nsp] compact flash modules for Sup720-3bxl..

> Well, that would fit my experiences Jason.
>
> Looking through a few other SUPs running 12.2SR they all seem to have
> SanDisk CF in.
> However the ones I have running 12.2SX do not show the vendor of the
> CF. Not sure whether that is IOS or CF related.
>
> On Fri, Feb 26, 2010 at 9:19 PM, Jason Gurtz
> wrote:
> >> Unfortunately you can't just use any flash card in the 6500/7600.
> >> Theoretically all that is required is a standard ATA CF but I have
> >> found that not all work.
> >>
> >> You can find more info on the CF card like so "show disk0: filesys"
> >>
> >> I have only had good experiences with:
> >> ATA CARD GEOMETRY
> >>    Manufacturer Name      SanDisk
> >>
> >> ..but I am sure there are others that work okay.
> >
> > Recently, on another mailing list, a developer working with ATA
> > drivers made claim that SanDisk is known to follow the ATA specs
> > accurately, unlike many other manufacturers.  Something about a
> > RESET command or something.  Maybe the SUP is sensitive to these
> > kind of things and doesn't have workarounds coded up.
> >
> > Around here SanDisk isn't too expensive, so it seems like good peace
> > of mind.
> >
> > ~JasonG
>
> --
> Dan Holme
------- End of Original Message -------

From graham at g-rock.net Sun Feb 28 09:55:22 2010
From: graham at g-rock.net (Graham Wooden)
Date: Sun, 28 Feb 2010 08:55:22 -0600
Subject: [c-nsp] Safe operating temps - Somewhat OT
Message-ID:

Hi all,

The AC unit in my little datacenter room was recently upgraded/serviced. Since then I have started to monitor my 6500's temp. I have been noticing a swing in the RP in/out on a Sup32 going from 37C to 39C and then back to 37 within a 30-40 minute timeframe. Room temp seems to be stable right at 25C, all the time.

Are these safe swings? Or are these too dramatic, only to shorten the life of the box this much sooner? Unfortunately I don't have any previous history data on the sups, only the room.
Thanks,

-graham

From mario.velazquez at gmail.com Sun Feb 28 15:23:31 2010
From: mario.velazquez at gmail.com (Mario Velazquez)
Date: Sun, 28 Feb 2010 14:23:31 -0600
Subject: [c-nsp] IOS to XR IOS Conversion
In-Reply-To: <7100ed371002280358j44a7435eke499aefe3c605e28@mail.gmail.com>
References: <7100ed371002280358j44a7435eke499aefe3c605e28@mail.gmail.com>
Message-ID: <2a2764b61002281223s6a396761sfdfe87c4d58ddcd9@mail.gmail.com>

There was a tool available to make this conversion (available to Cisco SEs); maybe you can talk to them.

cheers
Mario

On Sun, Feb 28, 2010 at 5:58 AM, Manu Chao wrote:
> AFAIK no
>
> On Sun, Feb 28, 2010 at 10:24 AM, Jason Alex wrote:
>
> > Dear All,
> > Is there any tool that can be used to convert from Cisco IOS to XR
> > IOS, in order to save some time during the migration from Cisco IOS to XR
> > IOS?
> >
> > I think if there is any tool like this, it will be very useful to me
> >
> > Appreciate your help.
> >
> > Thanks a lot
> >
> > Regards
> > Jason
> > CCIE#24775

From cangurobostero at gmail.com Sun Feb 28 18:13:16 2010
From: cangurobostero at gmail.com (Javi)
Date: Mon, 1 Mar 2010 09:13:16 +1000
Subject: [c-nsp] Input queue flushes and drops
In-Reply-To: <4B89C63C.5010904@cisco.com>
References: <5301820a1002252257u7f022192v1c5e28341b6a655c@mail.gmail.com> <4B89C63C.5010904@cisco.com>
Message-ID: <5301820a1002281513t2f976382l17b2293d23366938@mail.gmail.com>

Thanks guys.
12.4(13r)T, we have a policy-map with 4 classes:

policy-map QOS-OUT
 class DSCP-OUT-RT-VO
  priority 1110 138750
  police cir 1110000 bc 138750 be 138750
   conform-action set-dscp-transmit ef
   exceed-action set-dscp-transmit ef
   violate-action set-dscp-transmit ef
 class DSCP-OUT-D1-RT
  bandwidth percent 7
  random-detect dscp-based
  random-detect dscp 34 25 75 20
  random-detect dscp 36 12 24 20
  service-policy QOS-OUT-D1-RT
 class DSCP-OUT-D2-BA
  bandwidth percent 55
  random-detect dscp-based
  random-detect dscp 18 61 122 20
  random-detect dscp 20 34 68 20
  service-policy QOS-OUT-D2-BA
 class DSCP-OUT-D3-TO
  bandwidth percent 21
  random-detect dscp-based
  random-detect dscp 10 48 96 20
  random-detect dscp 12 31 62 20
  service-policy QOS-OUT-D3-TO
 class DSCP-OUT-RT-VI
  bandwidth percent 6
  queue-limit 30 packets
  police 460000 57500 57500
   conform-action set-dscp-transmit af43
   exceed-action set-dscp-transmit af21
   violate-action set-dscp-transmit default

And sh int stats:

GigabitEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor  311249998 1622425452  311496548 1640497685
             Route cache  910779860  166070169  883679645 1324432555
                   Total 1222029858 1788495621 1195176193 2964930240

I'll increase the interface input queue and monitor for a few hours.

Cheers,
Javi

On Sun, Feb 28, 2010 at 11:26 AM, Rodney Dunn wrote:
>
>
> On 2/26/10 1:57 AM, Javi in AUS wrote:
>
>> Gents,
>>
>> We have a WAN facing Cisco 3845 which is showing the numbers below on its
>> Gi0/1 interface:
>>
>> Input queue: 0/75/9/71805 (size/max/drops/flushes); Total output drops:
>> 714432
>>
>
> Turn off SPD:
>
> config t
> no spd enable
> end
>
>
>> Of course, these counters are increasing and we have a bunch of users at
>> the
>> other side of the link complaining about poor VoIP performance (they hear
>> us intermittently although we can hear them Ok).
>> CEF is enabled globally, input queue is set to default (75).
>>
>> GigabitEthernet0/1 is up, line protocol is up
>> Hardware is BCM1125 Internal MAC, address is 001b.d37d.f8a2 (bia
>> 001b.d37d.f8a2)
>> Internet address is 10.83.2.17/30
>> MTU 1500 bytes, BW 20000 Kbit/sec, DLY 100 usec,
>> reliability 255/255, txload 11/255, rxload 10/255
>> Encapsulation ARPA, loopback not set
>> Keepalive set (10 sec)
>> Full-duplex, 100Mb/s, media type is RJ45
>> output flow-control is XON, input flow-control is XON
>> ARP type: ARPA, ARP Timeout 04:00:00
>> Last input 00:00:00, output 00:00:00, output hang never
>> Last clearing of "show interface" counters 3w3d
>> Input queue: 0/75/9/71805 (size/max/drops/flushes); Total output drops:
>> 714432
>> Queueing strategy: Class-based queueing
>> Output queue: 0/1000/0 (size/max total/drops)
>> 30 second input rate 848000 bits/sec, 634 packets/sec
>> 30 second output rate 874000 bits/sec, 604 packets/sec
>> 1146444284 packets input, 1913512714 bytes, 0 no buffer
>> Received 1785 broadcasts, 0 runts, 0 giants, 1 throttles
>> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>> 0 watchdog, 6993 multicast, 0 pause input
>> 0 input packets with dribble condition detected
>> 1121611018 packets output, 2544901813 bytes, 0 underruns
>> 0 output errors, 0 collisions, 0 interface resets
>> 0 unknown protocol drops
>> 0 babbles, 0 late collision, 0 deferred
>> 0 lost carrier, 0 no carrier, 0 pause output
>> 0 output buffer failures, 0 output buffers swapped out
>>
>>
>
> What is your policy doing on that interface for the output drops?
>
> sh policy-map interface gig 0/1
>
> What does 'sh int stat' show...the input queue is only for process switched
> traffic so you need to figure that out?
>
> What code?...12.4(20)T and later you can do an EPC trace on the punt path
> coming in the interface to see what traffic it is.
>
> Or try to catch the packets in 'sh buffers input-interface gig 0/1 packet'
>
>
>> Should we increase the input queue size to 150,200,250, etc ? Could these
>> flushed/drops be the cause of the poor VoIP performance?
>
> Yeah..set it to the max of 4096.
>
> Rodney
>
>> Many thanks,
>>
>> P

From sethm at rollernet.us Sun Feb 28 21:26:28 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 28 Feb 2010 18:26:28 -0800
Subject: [c-nsp] Safe operating temps - Somewhat OT
In-Reply-To:
References:
Message-ID: <4B8B25D4.7050408@rollernet.us>

On 2/28/10 6:55 AM, Graham Wooden wrote:
> Hi all,
>
> The AC unit in my little datacenter room was recently upgraded/serviced.
> Since then I have started to monitor my 6500's temp. I have been
> noticing a swing in the RP in/out on a Sup32 going from 37c to 39c and then
> back to 37 within 30-40 minutes timeframe. Room temp seems to be stable
> right at 25c, all the time.
>
> Are these safe swings? Or are these too dramatic only to shorten the life of
> the box this much sooner. Unfortunately I don't have any previous history
> data on the sups, only the room.
>

I see 2 degree shifts continuously with all of the Cisco stuff that I graph temperature on. I think it's unlikely to be a problem since it's been like that for as long as I can remember without any failures.

~Seth

From mailers at oranged.to Sun Feb 28 22:32:08 2010
From: mailers at oranged.to (Jimmy Stewpot)
Date: Mon, 1 Mar 2010 03:32:08 +0000 (UTC)
Subject: [c-nsp] ASA Debug
Message-ID: <108604790.69.1267414328128.JavaMail.root@poops.oranged.to>

Hello,

I am interested to know if there is some more information relating to the debugging of the Cisco ASA products/software. I have extensive experience with other firewall/security products and have been unable to find how to do flow debugging on the ASA's.
What I am trying to diagnose is why we keep getting Deny/Drop packets for SIP on a random basis. I would like to diagnose/debug the flow of the packet through the device so that we can see why it's not being inspected by the SIP ALG and in turn gets dropped.

I've set the following options

logging monitor debugging
logging buffered debugging
logging trap debugging

And it still does not really go into any further detail. I've also set up captures so that we can analyse the packets coming in. If I compare one working SIP call to a dropped incoming call then there is no obvious difference.

Any additional advice would be greatly appreciated.

Regards,

Jimmy Stewpot.

From graham at g-rock.net Sun Feb 28 22:33:50 2010
From: graham at g-rock.net (Graham Wooden)
Date: Sun, 28 Feb 2010 21:33:50 -0600
Subject: [c-nsp] Safe operating temps - Somewhat OT
In-Reply-To: <4B8B25D4.7050408@rollernet.us>
Message-ID:

Thanks Seth for the reply. I never really had to think of this stuff before, but wearing new hats everyday.

-graham

On 2/28/10 8:26 PM, "Seth Mattinen" wrote:

> On 2/28/10 6:55 AM, Graham Wooden wrote:
>> Hi all,
>>
>> The AC unit in my little datacenter room was recently upgraded/serviced.
>> Since then I have started to monitor my 6500's temp. I have been
>> noticing a swing in the RP in/out on a Sup32 going from 37c to 39c and then
>> back to 37 within 30-40 minutes timeframe. Room temp seems to be stable
>> right at 25c, all the time.
>>
>> Are these safe swings? Or are these too dramatic only to shorten the life of
>> the box this much sooner. Unfortunately I don't have any previous history
>> data on the sups, only the room.
>>
>
> I see 2 degree shifts continuously with all of the Cisco stuff that I
> graph temperature on. I think it's unlikely to be a problem since it's
> been like that for as long as I can remember without any failures.
>
> ~Seth

From marc at sniff.de Sun Feb 28 23:19:13 2010
From: marc at sniff.de (Marc Binderberger)
Date: Mon, 1 Mar 2010 04:19:13 +0000
Subject: [c-nsp] IOS to XR IOS Conversion
In-Reply-To: <2a2764b61002281223s6a396761sfdfe87c4d58ddcd9@mail.gmail.com>; from mario.velazquez@gmail.com on Sun, Feb 28, 2010 at 02:23:31PM -0600
References: <7100ed371002280358j44a7435eke499aefe3c605e28@mail.gmail.com> <2a2764b61002281223s6a396761sfdfe87c4d58ddcd9@mail.gmail.com>
Message-ID: <20100301041913.A60907@door.sniff.de>

On Sun, Feb 28, 2010 at 02:23:31PM -0600, Mario Velazquez wrote:
> there was a tool available to make this conversion (available to cisco SE)
> maybe you can talk to them.

SOX. To my knowledge only Cisco-internal, so yes, ask your friendly SE :-)

(you want them being involved anyway to identify any differences between IOS and IOX that you otherwise may find out too late)

Regards,
Marc

> On Sun, Feb 28, 2010 at 5:58 AM, Manu Chao wrote:
>
> > AFAIK no
> >
> > On Sun, Feb 28, 2010 at 10:24 AM, Jason Alex wrote:
> >
> > > Dear All,
> > > Is there any tool that can be used to convert from Cisco IOS to XR
> > > IOS, in order to save some time during the migration from Cisco IOS to XR
> > > IOS?
> > >
> > > I think if there is any tool like this, it will be very useful to me
> > >
> > > Appreciate your help.
> > >
> > > Thanks a lot
> > >
> > > Regards
> > > Jason
> > > CCIE#24775

--
Marc Binderberger

From ralf_network at hotmail.com Sat Feb 27 03:20:39 2010
From: ralf_network at hotmail.com (Ralf NoTe)
Date: Sat, 27 Feb 2010 15:20:39 +0700
Subject: [c-nsp] Please advice: Inter-AS VRF & Multicast Traffic Control (MPLS migration)
Message-ID:

Hi all experts,

Need advice from experts. Currently I work on an MPLS network migration; the customer has 2 existing MPLS networks with different AS numbers, serving different services.

Old AS (AS65002) has existing old PEs, RRs and VRF service (more than 1000 VRFs).
New AS (AS65003) has existing PEs, RRs, VLL & VRF service (more than 2000 VRFs & VLLs).

The customer wants to expand the coverage area of MPLS domain AS65003 by installing a new PE type running IGP ISIS and BGP, the same as the PEs in MPLS AS65003, and replacing the existing old PEs in MPLS AS65002. That means all of the old VRFs in the old PEs in AS65002 must be migrated to the new PEs in AS65003.

All of the new PEs in MPLS AS65003 are ASBRs (more than 100 routers). Each new PE has 2 links, dual-homed to 2 different (old) ASBR PEs in MPLS AS65002.

Currently multiple Ps in AS65002 act as RRs with the BGP cluster concept. During or after migration, P/RR may need to be migrated to P/PE/ASBR/RR by functionality.

Requirements from the customer:

1. Traffic for old VRFs in AS65002 (but already migrated to new PEs in AS65003) should go via the old MPLS core AS65002.

2. ASBRs in both MPLS networks don't want to participate in the routes of all of the VRFs in the existing domain. (Maybe Inter-AS option C will meet the requirement, right? Please advise.)

3 types of VRF traffic in the new PEs in MPLS AS65003:

VRF type 1:
Traffic AS 65003 -> 65002 (e.g. Internet service)
Traffic AS 65003 -> 65002 -> 65003 (e.g. peer to peer traffic in VRF internet service)

VRF type 2:
Traffic 65003 -> 65002 (in case of PE in different AS)
Traffic 65003 -> 65002 -> 65003 (in case of PE in same AS65003) (e.g. old corporate VRF service in 65002)

VRF type 3:
Traffic 65003 -> 65003 (e.g. corporate VRF service in 65003)

What Inter-AS provider solution should be applied for this scenario?
How to control VRF traffic for all 3 types with different paths between the 2 MPLS networks?
How to share the load of traffic between new PEs (ASBRs) in MPLS AS65003 Inter-AS with 2 of the ASBRs (PEs) in MPLS AS65002?
How to prevent BGP routing loops?

If all of the old PEs in MPLS AS65002 run global multicast with PIM sparse mode, SSM & anycast RP, after migrating to the new PEs, what about multicast traffic? What is the solution for multicast migration between different MPLS domains? Inter-domain by multicast BGP, MSDP, incongruent routing?

Technical advice for a migration solution is required urgently!!!

Thank you for your kind advice. All of your suggestions are of benefit to me.

p.s. network diagram for your reference in the attachment.

Best Regards,
Ralf