From rmikisa at gmail.com Mon Feb 1 02:15:34 2010
From: rmikisa at gmail.com (Mikisa Richard)
Date: Mon, 01 Feb 2010 10:15:34 +0300
Subject: [c-nsp] Policer on c4503
In-Reply-To: <20100131153923.GC1461@geeks.org>
References: <4B629163.3060207@gmail.com> <20100131153923.GC1461@geeks.org>
Message-ID: <4B667F96.1070603@gmail.com>

Hi all,

UPDATE: Turned out the policer was fine. Just a small tweak on the ACL got it to work.

Otherwise grateful for all the help

Richard

On 1/31/2010 6:39 PM, Doug McIntyre wrote:
> On Fri, Jan 29, 2010 at 10:42:27AM +0300, Mikisa Richard wrote:
>
>> Hi all,
>>
>> Any ideas why the Policer policy below does not work. Intention is for
>> me to lock down traffic to 3Mbps both ways on interface g3/11.
>>
>> !!
>> class-map match-all ROKE-LIMIT
>>   match access-group name ROKE-SLAP
>> !
>> policy-map POLICY-ROKE
>>   class ROKE-LIMIT
>>     police 3000000 bps 30000 byte conform-action transmit exceed-action drop
>> !
>> interface GigabitEthernet3/11
>>   description link to ROKE
>>   no switchport
>>   ip address x.x.x.x
>>   service-policy input POLICY-ROKE
>>   service-policy output POLICY-ROKE
>>
>
> Looks like the correct thing, assuming the access-group traffic is
> being matched.
>
> Do you have 'qos' enabled? It's off by default on the 4500.
>
> Just a simple 'qos' as a config option in this platform.
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From Michael.Robson at manchester.ac.uk Mon Feb 1 11:35:51 2010
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Mon, 1 Feb 2010 16:35:51 +0000
Subject: [c-nsp] IPV6 again
In-Reply-To: <20100129190937.GB20301@lboro.ac.uk>
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk>
Message-ID: <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk>

On 29 Jan 2010, at 17:07, David Prall wrote:

> So XP doesn't support IPv6 DHCP, nor do they support IPv6 DNS. Not sure
> about the macintosh.

and I thought I was being clever pointing fec0:0:0:ffff::1, 2 and 3 to real DNSv6 servers and finding the "add dns" from within netsh only to be thwarted by an XP resolver that doesn't support IPV6 properly.

On 29 Jan 2010, at 19:09, Alan Buxey wrote:

> Hi,
>
>> OK so looking at/listening to various recommendations, when allocating IPV6 addresses, stateless auto-configuration with DHCPv6 used to dish out the DNS servers and domain looks the most appealing. Since the IOS version we are using on our 6500s doesn't support IPV6 DHCP relaying (12.2(18)SXF13) I tried to set up a test using the 6500 itself to serve the DNS and domain information but I cannot get it to work. When I use the following configuration the clients are configured with appropriate v6 IPs and can get out into the IPV6 Internet, but no DNS or domain information is received. Turning on "debug ipv6 DHCP" yields no entries in the log at all for either an iMac or an XP laptop: am I missing some configuration?
>
>
> DHCPv6 and stateless configuration are pretty much still very messy right now.
> yes, DHCPv6 would be a direct replacement for clients on the v6 landscape but
> not many clients support it....
>

I'm starting to realise that...

> worse, stateless configuration, whilst in a way elegant, hardly anything gets
> handed over to it....eg DNS or NTP information. there's also no way to hand over
> any encryption or seed things eg for SeND - we've been in chats with people
> about getting some nice extensions into the stateless RFC - it'd be good/useful
> to have these things sorted.
>

RFC 5006 looks promising, although it does seem to only mention DNS servers.

> ..now...what are those IPv6 youtube addresses, I've got an hour to burn ;-)
>
> alan

wahoo! Ta.

Michael
--

From A.L.M.Buxey at lboro.ac.uk Mon Feb 1 11:59:08 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Mon, 1 Feb 2010 16:59:08 +0000
Subject: [c-nsp] IPV6 again
In-Reply-To: <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk>
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk>
Message-ID: <20100201165908.GB2090@lboro.ac.uk>

Hi,

> and I thought I was being clever pointing fec0:0:0:ffff::1, 2 and 3 to real DNSv6 servers and finding the "add dns" from within netsh only to be thwarted by an XP resolver that doesn't support IPV6 properly.

those addresses...ah yes. when i first saw them in the ipconfig /all i thought several problems were surpassed...but those addresses are from an old and deprecated RFC IIRC and other RFCs now state that they cannot go beyond certain boundaries....so they might not (or should not) be routed now. ideal, i guess, for a basic network...SoHo or small network environment with all systems on a flat network.... but for enterprise. nope. all gone :-(

>> ..now...what are those IPv6 youtube addresses, I've got an hour to burn ;-)
>>
>> alan
> wahoo!

youtube is now IPv6 ready - thanks Lorenzo Colitti (and his buddies!) but the AAAA's are only given to their happy ipv6 select partners....(unfortunately we are not yet one of those because we cannot guarantee 100% happy google services on IPv6 for all of our network....

alan

From pkranz at unwiredltd.com Mon Feb 1 15:59:55 2010
From: pkranz at unwiredltd.com (Peter Kranz)
Date: Mon, 1 Feb 2010 12:59:55 -0800
Subject: [c-nsp] Layer 2 VLAN advice..
Message-ID: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>

Currently in our network we use dot1Q trunks to forward end-user/customer VLANs from Site A to Site B to provide them virtual point-to-point circuits between data centers without the overhead of some type of VPN tunnel.

However if one of our backhauls between data centers fails, we would desire these VLANs to forward via an alternative backhaul path (All of our data centers have at least 2 exits to other datacenters in our network, and are meshed via OSPF/BGP)

It seems like there are a lot of different approaches to provide some level of self-healing/redundancy to these layer 2 services we offer; I am interested in advice on which would be most straightforward to implement on top of our existing layer 3 network.

Perhaps implementing Rapid-PVST is the simplest approach, but I'd be interested in some best-practices knowledge here..

Thanks!

Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com

From mtinka at globaltransit.net Mon Feb 1 20:11:15 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 2 Feb 2010 09:11:15 +0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
Message-ID: <201002020911.15846.mtinka@globaltransit.net>

On Tuesday 02 February 2010 04:59:55 am Peter Kranz wrote:

> It seems like there are a lot of different approaches to
> provide some level of self-healing/redundancy to these
> layer2 services we offer, I am interested in advice on
> which would be most straightforward to implement on top
> of our existing layer3 network.
>
> Perhaps implementing Rapid-PVST is the simplest approach,
> but I'd be interested in some best-practices knowledge
> here..

If you can support MPLS, I'd recommend that for a "self-healing" control plane to transport Ethernet frames.

Else, STP (or some flavor of it) or your vendor's incarnate of the same are your other options.

Cheers,

Mark.

From brhedlun at cisco.com Mon Feb 1 23:56:50 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Mon, 1 Feb 2010 22:56:50 -0600
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References:
Message-ID: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>

True, the Nexus 2000 does not locally switch, but let's explore that for a second...

1) a typical enterprise Data Center is running applications that are not latency sensitive, where latencies in the 10s of microseconds are perfectly OK and nobody is really counting anyway. Only in the small minority of Data Centers running high frequency trading, grid computing, or some other ultra low latency application, every *nanosecond* matters and local switching with fewer hops is of paramount importance. Furthermore, these applications are quickly migrating away from 1GE to 10GE attached servers for the obvious low latency advantages.

2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink for 4948. This results in a possible 1:1.2 oversubscription ratio for Nexus 2000 to handle the additional uplink load that may otherwise not be present on a 4948.

3) The upstream Nexus 5000 implements cut-through switching, and the Nexus 2000 itself also uses cut-through for frames entering on 1GE and egressing on 10GE. The two combined often result in port-to-port latencies similar to a Catalyst 6500, even without the "local switching". If you are comfortable with your Catalyst 6500 local switching latencies, you can expect similar performance from a Nexus 2000/5000 combination.

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Jan 31, 2010, at 5:25 PM, David Hughes wrote:

>
> On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:
>
>> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
>> 4948 as access layers switches?
>> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
>> could be used by servers with 10GbE/FCoE servers.
>
> The N2K does no local switching so if you have any east-west traffic between ports on the same switch you'll be better served by a more "traditional" access switch. Naturally the N2K offers centralised management etc etc but that may or may not be of interest depending on the size of your deployment.
>
>
>
> David
> ...

From ghira at mistral.co.uk Tue Feb 2 00:21:09 2010
From: ghira at mistral.co.uk (Adam Atkinson)
Date: Tue, 02 Feb 2010 05:21:09 +0000
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <201002020911.15846.mtinka@globaltransit.net>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <201002020911.15846.mtinka@globaltransit.net>
Message-ID: <4B67B645.5030309@mistral.co.uk>

Mark Tinka wrote:

> If you can support MPLS, I'd recommend that for a "self-
> healing" control plane to transport Ethernet frames.
>
> Else, STP (or some flavor of it) or your vendor's incarnate
> of the same are your other options.

Or EAPS if your kit does it.

From mksmith at adhost.com Tue Feb 2 00:27:58 2010
From: mksmith at adhost.com (Michael K. Smith)
Date: Mon, 01 Feb 2010 21:27:58 -0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
Message-ID:

On 2/1/10 12:59 PM, "Peter Kranz" wrote:

> Currently in our network we use dot1Q trunks to forward end-user/customer
> VLANs from Site A to Site B to provide them virtual point-to-point circuits
> between data centers without the overhead of some type of VPN tunnel.
>
> However if one of our backhauls between data centers fails, we would desire
> these VLAN's to forward via an alternative backhaul path (All of our data
> centers have at least 2 exits to other datacenters in our network, and are
> meshed via OSPF/BGP)
>
> It seems like there are a lot of different approaches to provide some level
> of self-healing/redundancy to these layer2 services we offer, I am
> interested in advice on which would be most straightforward to implement on
> top of our existing layer3 network.
>
> Perhaps implementing Rapid-PVST is the simplest approach, but I'd be
> interested in some best-practices knowledge here..
>
> Thanks!

We're using Cisco Resilient Ethernet Protocol (REP) which does the trick. Depending upon your gear, you could also look at 802.17 (RPR) or Spatial Reuse Protocol (SRP) on the routers. I'm sure there are more acronyms as well.

Regards,

Mike

From stmagconsulting at gmail.com Tue Feb 2 00:59:49 2010
From: stmagconsulting at gmail.com (Stephane MAGAND)
Date: Tue, 2 Feb 2010 06:59:49 +0100
Subject: [c-nsp] Limit Debit on a EoMPLS tunnels ?
Message-ID:

Hi

I have a small EoMPLS tunnel:

pseudowire-class EoMPLS
 encapsulation mpls
 interworking ethernet

interface GigabitEthernet0/2.910
 encapsulation dot1Q 910
 no cdp enable
 xconnect 10.206.5.180 910 encapsulation mpls

Does anyone know what the solution is to limit this tunnel to 20 Mbits? A policy? An ACL?

Running on Cisco 7301 c7301-adventerprisek9_sna-mz.124-24.T.bin

sorry for my english and thanks for your help.

Stephane

From avayner at cisco.com Tue Feb 2 02:58:20 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 2 Feb 2010 08:58:20 +0100
Subject: [c-nsp] Limit Debit on a EoMPLS tunnels ?
In-Reply-To:
References:
Message-ID:

Stephane,

You should be able to add a policy-map on the interface with a policer in the class-default class.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephane MAGAND
Sent: Tuesday, February 02, 2010 08:00
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Limit Debit on a EoMPLS tunnels ?

Hi

I have a small EoMPLS tunnel:

pseudowire-class EoMPLS
 encapsulation mpls
 interworking ethernet

interface GigabitEthernet0/2.910
 encapsulation dot1Q 910
 no cdp enable
 xconnect 10.206.5.180 910 encapsulation mpls

Does anyone know what the solution is to limit this tunnel to 20 Mbits? A policy? An ACL?

Running on Cisco 7301 c7301-adventerprisek9_sna-mz.124-24.T.bin

sorry for my english and thanks for your help.

Stephane

From p.mayers at imperial.ac.uk Tue Feb 2 04:26:23 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 02 Feb 2010 09:26:23 +0000
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
Message-ID: <4B67EFBF.10500@imperial.ac.uk>

On 02/01/2010 08:59 PM, Peter Kranz wrote:
> Currently in our network we use dot1Q trunks to forward end-user/customer
> VLANs from Site A to Site B to provide them virtual point-to-point circuits
> between data centers without the overhead of some type of VPN tunnel.
>
> However if one of our backhauls between data centers fails, we would desire
> these VLAN's to forward via an alternative backhaul path (All of our data
> centers have at least 2 exits to other datacenters in our network, and are
> meshed via OSPF/BGP)

What equipment are you running the network on? EoMPLS occurs as an option, but of course requires enabling MPLS.

From matt at melbourne.org.uk Tue Feb 2 04:32:27 2010
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Tue, 2 Feb 2010 09:32:27 +0000
Subject: [c-nsp] Rate-limiting VMs within the network
Message-ID:

Hi,

I am seeking a mechanism to limit bandwidth utilised by virtual machines on a given host on a per-VM basis within a hosting environment. Ideally, any single VM should not be allowed to exceed an outbound bandwidth utilisation of 100Mbps.

The current solution uses Microsoft Hyper-V and its virtual switch technology. The Hyper-V hosts are connected into Cisco 2960G access switches which are then uplinked to a redundant core of 6509 switches.

I readily recognise an alternative solution to this would be to use VMware/Cisco Nexus 1000V instead to form a virtual distributed switch, but for this particular project we are limited to using the MS Hyper-V solution.

We have no control of bandwidth utilisation within the MS Hyper-V vSwitch (apparently, this functionality may appear at a later date), so the expectation is that any rate-limiting could occur within the network. However, multiple VMs are hosted on the same physical server, and these VMs can move between hosts as resources are optimised, so any classical "per-port" QoS policing is not likely to be straightforward and isn't likely to scale (the principal concerns are the potential number of VMs and their mobility). To police on a per-IP address basis, I'd expect to have to define many classes (one for each VM) which, for potentially many hundreds (possibly thousands) of VMs, could be a serious scalability issue.

An alternative solution we've been investigating is "Per-User Microflow Policing", or User-Based Rate Limiting (UBRL), where we can police based on source IP address. An acceptable solution would be to limit each IP address within a certain range to use up to 100Mbps of outbound bandwidth. However, it appears that UBRL and NetFlow (which is also running on the core 6509s) are mutually exclusive when there is a flow-mask conflict. Full NetFlow data needs to be retained by the NetFlow collector for billing purposes.

Are there any other mechanisms to achieve per-VM rate-limiting within the network?

Cheers,

Matt

--
Matthew Melbourne

From rdobbins at arbor.net Tue Feb 2 04:59:05 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Tue, 2 Feb 2010 09:59:05 +0000
Subject: [c-nsp] Rate-limiting VMs within the network
In-Reply-To:
References:
Message-ID: <02486679-901A-4C1F-AE8E-D8FB2C8B4154@arbor.net>

On Feb 2, 2010, at 5:32 PM, Matthew Melbourne wrote:

> Full NetFlow data needs to be retained by the NetFlow collector for billing purposes.

Due to the various well-known caveats associated with NetFlow on 6500/7600, it's largely operationally useless, and you certainly can't count on it for billing or anything else of importance. So, no conflict, after all.

;>

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From p.mayers at imperial.ac.uk Tue Feb 2 06:10:58 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 02 Feb 2010 11:10:58 +0000
Subject: [c-nsp] Rate-limiting VMs within the network
In-Reply-To: <02486679-901A-4C1F-AE8E-D8FB2C8B4154@arbor.net>
References: <02486679-901A-4C1F-AE8E-D8FB2C8B4154@arbor.net>
Message-ID: <4B680842.1040207@imperial.ac.uk>

On 02/02/10 09:59, Dobbins, Roland wrote:
>
> On Feb 2, 2010, at 5:32 PM, Matthew Melbourne wrote:
>
>> Full NetFlow data needs to be retained by the NetFlow collector for
>> billing purposes.
>
> Due to the various well-known caveats associated with NetFlow on
> 6500/7600, it's largely operationally useless, and you certainly
> can't count on it for billing or anything else of importance. So, no
> conflict, after all.

Certainly 6500 netflow is limited, and the limitations are unfortunate - but if you happen to live within or can tolerate those limitations, it works as expected. I hear "6500 netflow is useless" a lot on this list, and from the tone of such posts I can only assume that if people are outside those limits, it makes them very angry indeed ;o)

We use it very successfully, with full mask, because the traffic profile within our network fits within TCAM at all times, and because we can live without egress netflow and sampling, and various other missing features.

Without knowing more about the OP's network I can't tell if his concerns about netflow are relevant to the microflow policing question, but I can say that there's at least a possibility that, if he's using it, his netflow is far from useless.
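Added example, not taken from any message in this archive and not Cisco's code: a Python model of the single-rate, two-colour token bucket that sits behind an IOS line such as `police 3000000 bps 30000 byte conform-action transmit exceed-action drop` (the c4503 policer thread above), which is also what Arie's suggested class-default policer on the EoMPLS subinterface would do at 20 Mbit/s, and extended with a per-source-IP bucket of the kind the UBRL discussion in this thread describes for a 100 Mbps per-VM limit. The packet streams, the 10.0.0.0/24 VM range, the outside host 192.0.2.9 and the burst sizes are constructed for the example; it assumes the bucket starts full, and hardware policers differ in details such as burst accounting, so the numbers illustrate the mechanism rather than predict a specific platform.

```python
"""Token-bucket model of a single-rate, two-colour policer, i.e. the
behaviour behind an IOS line such as
  police 3000000 bps 30000 byte conform-action transmit exceed-action drop
plus a per-source-IP (microflow / UBRL-style) variant that gives every host in
an address range its own bucket.  Time is kept in microseconds and tokens as
exact Fractions so the results are reproducible.  All packet streams below are
constructed for this example; nothing here is captured traffic."""
from fractions import Fraction
from ipaddress import ip_address, ip_network


class Policer:
    """One token bucket: CIR in bits/s, depth (burst) in bytes, starts full."""

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = Fraction(burst_bytes)   # assumption: bucket starts full
        self.last_us = 0
        self.conformed = 0                    # counters a defender would export
        self.exceeded = 0

    def admit(self, size: int, now_us: int) -> bool:
        """True = conform (transmit), False = exceed (drop)."""
        elapsed = max(0, now_us - self.last_us)
        self.last_us = now_us
        # refill in bytes: elapsed_us * bits/s / (8 bits * 1e6 us/s), capped
        refill = Fraction(elapsed * self.rate_bps, 8_000_000)
        self.tokens = min(Fraction(self.burst_bytes), self.tokens + refill)
        if self.tokens >= size:
            self.tokens -= size
            self.conformed += 1
            return True
        self.exceeded += 1
        return False


class MicroflowPolicer:
    """One Policer per source address inside `network`; other sources pass."""

    def __init__(self, network: str, rate_bps: int, burst_bytes: int) -> None:
        self.network = ip_network(network)
        self.rate_bps, self.burst_bytes = rate_bps, burst_bytes
        self.flows = {}   # str(source IP) -> Policer

    def admit(self, src: str, size: int, now_us: int) -> bool:
        if ip_address(src) not in self.network:
            return True   # not subject to the per-user limit
        bucket = self.flows.setdefault(src, Policer(self.rate_bps, self.burst_bytes))
        return bucket.admit(size, now_us)


def constant_rate_stream(src: str, bps: int, size: int, duration_us: int):
    """Yield (src, size, arrival_us) for a steady stream of `size`-byte packets."""
    interval_us = size * 8 * 1_000_000 // bps
    for t in range(0, duration_us, interval_us):
        yield src, size, t


def run_single(rate_bps=3_000_000, burst=30_000, offered_bps=6_000_000) -> dict:
    """One second of 1500-byte packets at `offered_bps` through one policer."""
    p = Policer(rate_bps, burst)
    offered = passed = 0
    for _, size, t in constant_rate_stream("10.0.0.1", offered_bps, 1500, 1_000_000):
        offered += size
        if p.admit(size, t):
            passed += size
    return {"offered_bytes": offered, "passed_bytes": passed,
            "conformed": p.conformed, "exceeded": p.exceeded}


def run_microflow() -> tuple:
    """Two VMs inside 10.0.0.0/24 (one over, one under the 100 Mbps limit)
    and one host outside the range, one second of traffic each."""
    mp = MicroflowPolicer("10.0.0.0/24", 100_000_000, 125_000)
    streams = [constant_rate_stream("10.0.0.1", 200_000_000, 1500, 1_000_000),
               constant_rate_stream("10.0.0.2", 50_000_000, 1500, 1_000_000),
               constant_rate_stream("192.0.2.9", 200_000_000, 1500, 1_000_000)]
    passed = {}
    for stream in streams:        # each source has its own clock and bucket
        for src, size, t in stream:
            if mp.admit(src, size, t):
                passed[src] = passed.get(src, 0) + size
    return passed, mp.flows


if __name__ == "__main__":
    print("single policer:", run_single())
    print("microflow:", run_microflow()[0])
```

With a 6 Mbps stream offered to the 3 Mbps / 30000-byte policer, the first 39 packets ride on the initial burst and after that every second packet is dropped, so roughly the committed rate plus one burst gets through in the first second; a 2 Mbps stream passes untouched. In the microflow run the 200 Mbps VM is held to about 100 Mbps, the 50 Mbps VM sees no drops, and the host outside the range never gets a bucket, which is the property UBRL relies on: state scales with active sources rather than with configured classes.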
From kris at amy.id.au Tue Feb 2 08:06:40 2010 From: kris at amy.id.au (Kris Amy) Date: Tue, 2 Feb 2010 23:06:40 +1000 Subject: [c-nsp] DHCPv6 and Windows Message-ID: <79167dd71002020506n76255726r31066fc490068766@mail.gmail.com> Hi all, I'm having trouble getting DHCPv6 and Windows (specifically 7) to interop for the correct default gateway. It is picking up the address OK but the default gateway is staying as Link-Local IP. So far I've tried all combinations of enabling/disabling ipv6 nd managed-config-flag ipv6 nd other-config-flag on the relevant LAN interface and various combinations of netsh int ipv6 set int managedaddress=disabled advertise=disabled routerdiscovery=dhcp Hoping someone has the magic combination to get it to work. OS X worked first time without any changes. I believe if the M and O flags are set then the client should go into stateful mode and request the default gateway from the advertising router. Cheers, Kris From kris at amy.id.au Tue Feb 2 08:17:52 2010 From: kris at amy.id.au (Kris Amy) Date: Tue, 2 Feb 2010 23:17:52 +1000 Subject: [c-nsp] DHCPv6 and Windows In-Reply-To: References: <79167dd71002020506n76255726r31066fc490068766@mail.gmail.com> Message-ID: <79167dd71002020517w3b924b42n6d86672410380230@mail.gmail.com> Hi, We are using Prefix delegation from our LNS to deliver it to the CPE. I cannot ping the IP that it determines is the default gateway via Link-Local. Cheers, Kris On Tue, Feb 2, 2010 at 11:14 PM, Antonio Querubin wrote: > On Tue, 2 Feb 2010, Kris Amy wrote: > > I'm having trouble getting DHCPv6 and Windows (specifically 7) to interop >> for the correct default gateway. >> >> It is picking up the address OK but the default gateway is staying as >> Link-Local IP. >> > > What's wrong with using the link-local of the gateway? 
> > Antonio Querubin > 808-545-5282 x3003 > e-mail/xmpp: tony at lava.net > From pkranz at unwiredltd.com Tue Feb 2 13:13:03 2010 From: pkranz at unwiredltd.com (Peter Kranz) Date: Tue, 2 Feb 2010 10:13:03 -0800 Subject: [c-nsp] Layer 2 VLAN advice.. In-Reply-To: <4B67EFBF.10500@imperial.ac.uk> References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> Message-ID: <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> The network is composed of 6509-e chassis with SUP 720 3BXL cards at all sites.. So far respondents have recommended the following options; (so many ways to skin this cat..!) EoMPLS Cisco Resilient Ethernet Protocol (REP) 802.17 (RPR) Spatial Reuse Protocol (SRP) STP Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207-0000 pkranz at unwiredltd.com -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers Sent: Tuesday, February 02, 2010 1:26 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Layer 2 VLAN advice.. On 02/01/2010 08:59 PM, Peter Kranz wrote: > Currently in our network we use dot1Q trunks to forward > end-user/customer VLANs from Site A to Site B to provide them virtual > point-to-point circuits between data centers without the overhead of some type of VPN tunnel. > > However if one of our backhauls between data centers fails, we would > desire these VLAN's to forward via an alternative backhaul path (All > of our data centers have at least 2 exits to other datacenters in our > network, and are meshed via OSPF/BGP) What equipment are you running the network on? EoMPLS occurs as an option, buf of course requires enabling MPLS. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From a.dhingra at neu.edu Tue Feb 2 14:38:15 2010 From: a.dhingra at neu.edu (Dhingra, Anand) Date: Tue, 2 Feb 2010 14:38:15 -0500 Subject: [c-nsp] Question about FCoE In-Reply-To: <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> Message-ID: <9683A1EFE9214446A78BDA9EA8AF79DC4DE2103124@NEUBOS3ES816CLS.nunet.neu.edu> I was wondering if anyone has any real world experience with FCoE? We are looking at 5010 as a top of rack solution, with FC going to back to a brocade switch? Some questions I had was is this mature? Has anyone deployed this? What were your difficulties? Thanks Anand From mtinka at globaltransit.net Tue Feb 2 19:17:23 2010 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 3 Feb 2010 08:17:23 +0800 Subject: [c-nsp] Layer 2 VLAN advice.. In-Reply-To: <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> Message-ID: <201002030817.24147.mtinka@globaltransit.net> On Wednesday 03 February 2010 02:13:03 am Peter Kranz wrote: > The network is composed of 6509-e chassis with SUP 720 > 3BXL cards at all sites.. Oh that will do MPLS quite nicely :-). Of course, as someone else already mentioned, it means enabling MPLS in the network if you don't already have it running. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. 
URL: From zeusdadog at gmail.com Tue Feb 2 23:20:25 2010 From: zeusdadog at gmail.com (Jay Nakamura) Date: Tue, 2 Feb 2010 23:20:25 -0500 Subject: [c-nsp] VRF aware IPSec for remote access without xauth Message-ID: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com> I am trying to configure vrf aware IPSec VPN for remote access, coming into one VRF and tunneling into another VRF. Can I do that without XAUTH? I can't seem to find any reference to doing it without xauth. If it's possible and someone has done this, can you please post a sample config? Thanks! From atif.jauhar at gmail.com Wed Feb 3 00:36:44 2010 From: atif.jauhar at gmail.com (Muhammad Atif Jauahar) Date: Wed, 3 Feb 2010 10:36:44 +0500 Subject: [c-nsp] Cisco Wireless LAN and Windows Domain Group Policies enforcement Message-ID: <6a51198a1002022136s7666fbeyb50d03fdcc61854d@mail.gmail.com> Hi, In my organization, we have deploy Cisco WLCs with user based authentication via IAS (integrated with Microsoft Active Directory) and Lightweight Access Points for wireless network... we are facing issue to enforce Windows Domain Group Policies to wireless client... To enforce policies we force client to connect via wired network after policies implemented then we asked them now they can use wireless network... Kindly let me know, how I will enforce Domain Group Policies using wireless network. -- Regards, Muhammad Atif Jauhar (+92-33-3346-0000) From nick at inex.ie Wed Feb 3 05:16:14 2010 From: nick at inex.ie (Nick Hilliard) Date: Wed, 03 Feb 2010 10:16:14 +0000 Subject: [c-nsp] Layer 2 VLAN advice.. In-Reply-To: <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> Message-ID: <4B694CEE.2020400@inex.ie> On 02/02/2010 18:13, Peter Kranz wrote: > The network is composed of 6509-e chassis with SUP 720 3BXL cards at all > sites.. 
> > So far respondents have recommended the following options; (so many ways to > skin this cat..!) > > EoMPLS > Cisco Resilient Ethernet Protocol (REP) > 802.17 (RPR) > Spatial Reuse Protocol (SRP) > STP Of this list, sup720s and regular c65k lan cards support stp and eompls. RPR is supported on ONS gear, and REP is supported in some of the metro ethernet products (me3400 and me6500). I don't think that SRP was ever implemented, was it? Anyway, standard warnings apply to STP configurations. Nick From tom at netspot.com.au Wed Feb 3 05:37:23 2010 From: tom at netspot.com.au (Tom Lanyon) Date: Wed, 3 Feb 2010 21:07:23 +1030 Subject: [c-nsp] IPV6 again In-Reply-To: <20100201165908.GB2090@lboro.ac.uk> References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> Message-ID: On 02/02/2010, at 3:29 AM, Alan Buxey wrote: > youtube is now IPv6 ready - thanks Lorenzo Colitti (and his > buddies!) but > the AAAA's are only given to their happy ipv6 select partners.... > (unfortunately > we are not yet one of those because we cannot guarantee 100% happy > google > services on IPv6 for all of our network.... Youtube via my home ADSL connection is happily coming in via IPv6 now and is working well... :) They are not handing out an AAAA for www.youtube.com but most of the content (img+video) servers are on v6. 
Tom From teun at moonblade.net Wed Feb 3 05:53:15 2010 From: teun at moonblade.net (Teun Vink) Date: Wed, 03 Feb 2010 11:53:15 +0100 Subject: [c-nsp] IPV6 again In-Reply-To: References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> Message-ID: <1265194395.29797.66.camel@moridin.office.bit.nl.office.bit.nl> On Wed, 2010-02-03 at 21:07 +1030, Tom Lanyon wrote: > On 02/02/2010, at 3:29 AM, Alan Buxey wrote: > > youtube is now IPv6 ready - thanks Lorenzo Colitti (and his > > buddies!) but > > the AAAA's are only given to their happy ipv6 select partners.... > > (unfortunately > > we are not yet one of those because we cannot guarantee 100% happy > > google > > services on IPv6 for all of our network.... > > Youtube via my home ADSL connection is happily coming in via IPv6 now > and is working well... :) > > They are not handing out an AAAA for www.youtube.com but most of the > content (img+video) servers are on v6. Actually, they are handing out AAAA since today: % host www.youtube.com www.youtube.com is an alias for youtube-ui.l.google.com. 
youtube-ui.l.google.com has address 74.125.79.102 youtube-ui.l.google.com has address 74.125.79.100 youtube-ui.l.google.com has address 74.125.79.101 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::65 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8a youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::66 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::64 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::71 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8b -- Teun From dale.shaw+cisco-nsp at gmail.com Wed Feb 3 05:57:19 2010 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Wed, 3 Feb 2010 21:57:19 +1100 Subject: [c-nsp] IPV6 again In-Reply-To: References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> Message-ID: <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> Hi, On Wed, Feb 3, 2010 at 9:37 PM, Tom Lanyon wrote: > > They are not handing out an AAAA for www.youtube.com but most of the content > (img+video) servers are on v6. Hmm, really? I'm speaking to www.youtube.com (youtube-ui.l.google.com) on 2001:4860:c004::64 cheers, Dale From gert at greenie.muc.de Wed Feb 3 06:03:05 2010 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 3 Feb 2010 12:03:05 +0100 Subject: [c-nsp] IPV6 again In-Reply-To: References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> Message-ID: <20100203110305.GI857@greenie.muc.de> Hi, On Wed, Feb 03, 2010 at 09:07:23PM +1030, Tom Lanyon wrote: > They are not handing out an AAAA for www.youtube.com but most of the > content (img+video) servers are on v6. Actually you're missing all the fun :-) www.youtube.com is an alias for youtube-ui.l.google.com. 
youtube-ui.l.google.com has address 74.125.79.102 youtube-ui.l.google.com has address 74.125.79.101 youtube-ui.l.google.com has address 74.125.79.100 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::64 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::66 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::71 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8b youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::65 youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8a (since this morning) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From p.mayers at imperial.ac.uk Wed Feb 3 07:01:57 2010 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 03 Feb 2010 12:01:57 +0000 Subject: [c-nsp] IPV6 again In-Reply-To: <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> Message-ID: <4B6965B5.6000302@imperial.ac.uk> On 03/02/10 10:57, Dale Shaw wrote: > Hi, > > On Wed, Feb 3, 2010 at 9:37 PM, Tom Lanyon wrote: >> >> They are not handing out an AAAA for www.youtube.com but most of the content >> (img+video) servers are on v6. > > Hmm, really? > > I'm speaking to www.youtube.com (youtube-ui.l.google.com) on 2001:4860:c004::64 Hmm. Nope - ns4.google.com returns A records only for me. A colleague suggests it's this: http://www.google.com/intl/en/ipv6/ You are maybe on a provider who has this enabled? 
Does anyone know the details - do the google DNS servers choose to reply with AAAA based on AS-path of the querying IP, or netblock? Inbound interface? From swmike at swm.pp.se Wed Feb 3 07:14:52 2010 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Wed, 3 Feb 2010 13:14:52 +0100 (CET) Subject: [c-nsp] IPV6 again In-Reply-To: <4B6965B5.6000302@imperial.ac.uk> References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> <4B6965B5.6000302@imperial.ac.uk> Message-ID: On Wed, 3 Feb 2010, Phil Mayers wrote: > Does anyone know the details - do the google DNS servers choose to reply with > AAAA based on AS-path of the querying IP, or netblock? Inbound interface? When I talked to google, they wanted to know what netblock(s) my resolvers were in, so I guess it's based on that. -- Mikael Abrahamsson email: swmike at swm.pp.se From j.vaningenschenau at utwente.nl Wed Feb 3 07:18:53 2010 From: j.vaningenschenau at utwente.nl (j.vaningenschenau at utwente.nl) Date: Wed, 3 Feb 2010 13:18:53 +0100 Subject: [c-nsp] IPV6 again In-Reply-To: <4B6965B5.6000302@imperial.ac.uk> References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> <4B6965B5.6000302@imperial.ac.uk> Message-ID: <63656D8795A13249B35AD1E5FFAB2F7F026BC1F0@EX04.service.utwente.nl> > Hmm. Nope - ns4.google.com returns A records only for me. > > A colleague suggests it's this: > > http://www.google.com/intl/en/ipv6/ > > You are maybe on a provider who has this enabled? That's probably the case. 
> Does anyone know the details - do the google DNS servers choose to > reply > with AAAA based on AS-path of the querying IP, or netblock? Inbound > interface? For our network, the IP addresses of our main resolvers have been whitelisted by Google (after contacting them, assuring we have native ipv6 connectivity and will offer support to our users if problems should arise). Regards, Jeroen van Ingen ICT Service Centre University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands From gert at greenie.muc.de Wed Feb 3 07:31:25 2010 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 3 Feb 2010 13:31:25 +0100 Subject: [c-nsp] IPV6 again In-Reply-To: <4B6965B5.6000302@imperial.ac.uk> References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> <4B6965B5.6000302@imperial.ac.uk> Message-ID: <20100203123125.GL857@greenie.muc.de> Hi, On Wed, Feb 03, 2010 at 12:01:57PM +0000, Phil Mayers wrote: > Does anyone know the details - do the google DNS servers choose to reply > with AAAA based on AS-path of the querying IP, or netblock? Inbound > interface? Netblock. You register your DNS resolvers' IP address(es) with them, and they whitelist you to receive AAAA records. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From saxon.jones at gmail.com Wed Feb 3 09:14:21 2010 From: saxon.jones at gmail.com (Saxon Jones) Date: Wed, 3 Feb 2010 07:14:21 -0700 Subject: [c-nsp] VRF aware IPSec for remote access without xauth In-Reply-To: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com> References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com> Message-ID: <86b512c31002030614v644af59dt6fc43a352d902f85@mail.gmail.com> In the tunnel interface configuration, "ip vrf forwarding" sets the VRF that traffic in the tunnel is a part of, and "tunnel vrf" sets the VRF that the tunnel travels over. Is this what you're asking? -saxon On 2 February 2010 21:20, Jay Nakamura wrote: > I am trying to configure vrf aware IPSec VPN for remote access, coming > into one VRF and tunneling into another VRF. Can I do that without > XAUTH? I can't seem to find any reference to doing it without xauth. > If it's possible and someone has done this, can you please post a > sample config? > > > Thanks! > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From nick.jon.griffin at gmail.com Wed Feb 3 09:16:11 2010 From: nick.jon.griffin at gmail.com (Nick Griffin) Date: Wed, 3 Feb 2010 08:16:11 -0600 Subject: [c-nsp] Layer 2 VLAN advice.. In-Reply-To: <4B694CEE.2020400@inex.ie> References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> <4B694CEE.2020400@inex.ie> Message-ID: AFAIK, SRP was implemented/available in 12K's and 7200's, I used it in a cmts environment. This was 5 years ago, not sure about the offering nowadays.
On Wed, Feb 3, 2010 at 4:16 AM, Nick Hilliard wrote: > On 02/02/2010 18:13, Peter Kranz wrote: > > The network is composed of 6509-e chassis with SUP 720 3BXL cards at all > > sites.. > > > > So far respondents have recommended the following options; (so many ways > to > > skin this cat..!) > > > > EoMPLS > > Cisco Resilient Ethernet Protocol (REP) > > 802.17 (RPR) > > Spatial Reuse Protocol (SRP) > > STP > > Of this list, sup720s and regular c65k lan cards support stp and eompls. > RPR is supported on ONS gear, and REP is supported in some of the metro > ethernet products (me3400 and me6500). I don't think that SRP was ever > implemented, was it? > > Anyway, standard warnings apply to STP configurations. > > Nick > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From linux.yahoo at gmail.com Wed Feb 3 10:13:59 2010 From: linux.yahoo at gmail.com (Manu Chao) Date: Wed, 3 Feb 2010 16:13:59 +0100 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: Message-ID: <7100ed371002030713j43a1f2b5k47b5a6e0c8667055@mail.gmail.com> No. AFAIK vPC is already available on N5K/N2K, active/active with FEX should be possible: Cisco Nexus 5000 NX-OS Software Rel 4.1(3)N2(1) "A virtual port channel (vPC) allows links that are physically connected to two different Cisco Nexus 5000 Series switches or Cisco Nexus 2000 Series Fabric Extenders to appear as a single port channel by a third device (see the following figure). The third device can be a switch, server, or any other networking device. Beginning with Cisco NX-OS Release 4.1(3)N1(1), you can configure vPCs in topologies that include Cisco Nexus 5000 Series switches connected to the Fabric Extender.
A vPC can provide multipathing, which allows you to create redundancy by enabling multiple parallel paths between nodes and load balancing traffic where alternative paths exist" R/ Manu On Sat, Jan 30, 2010 at 12:56 AM, scott owens wrote: > > > > 1. Re: Nexus 2000 vs Catalyst 4948 for access layer > > (chris at lavin-llc.com) > > -------------------------------------------------------------------- > > > > Message: 1 > > Date: Fri, 29 Jan 2010 14:16:59 -0500 > > From: chris at lavin-llc.com > > To: "Nick Hilliard" > > Cc: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > > Message-ID: > > > > Content-Type: text/plain;charset=iso-8859-1 > > > > > wrt NX-OS vs. IOS, they are two different systems. NX-OS is very young > > in > > > its development cycle; IOS is much more mature and has many more > > features. > > > > > > Nick > > > > > > I'm curious why you suggest that the NX-OS is very young. My > understanding > > (I'm not a SAN guy) is that the NX-OS is just a move of bringing the MDS > > OS into a routing/switching combination with IOS. > > > > I had the recent experience of a Nexus CPOC down in RTP. Going into it I > > was apprehensive about learning a new OS. But through the CPOC I learned > > that it's not that much different from IOS. Seemed like they did a decent > > job of importing/aliasing the IOS related commands. I didn't feel as lost > > within the CLI as I had expected. > > > > -chris > > > > > We have about a dozen 2148Ts connected to 4 Nexus 5Ks and a couple of 7Ks > > I would absolutely NOT pick the 2148Ts for just switching unless you had > some larger data center needs; they and their "parent" 5Ks don't route .. > .so we do some ( and we wanted to) vlan tagging on servers to bypass > routing. 
> > I will say that "show log last 20" is worth every penny :) > > They are stable if you hook them up right - currently you can not do > active/active with a FEX connected to multiple 5Ks & do LACP teaming to > servers. > > Got question - shoot them on over ... > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From andy at xecu.net Wed Feb 3 10:39:46 2010 From: andy at xecu.net (Andy Dills) Date: Wed, 3 Feb 2010 10:39:46 -0500 (EST) Subject: [c-nsp] problems migrating to a 3550 Message-ID: <20100203100235.T43899@shell.xecu.net> I'm migrating a network from an old HP Procurve switch to a Cisco 3550. Simple setup, public and private vlans. Set up a port to be tagged on both vlans on the HP side, and on the cisco end set it to be in trunking mode. The cisco sees the vlans. I'm getting the full table from 'show mac address-table', with the appropriate vlans attached to the appropriate mac addresses. Things in vlan2 on the HP switch can reach the IP address of the 3550 on vlan2 just fine, vlan2 is solid. However, things in vlan1 on the HP switch cannot reach the IP of the 3550 on vlan1, and anything attached to the 3550 on vlan1 ports cannot reach anything on vlan1 on the HP switch. Both switches have all of the correct mac addresses in their layer 2 forwarding table. However, whereas things on vlan2 are consistently reachable and populate the arp table, on vlan1 some things will show up in the arp table, most will not, and none will be pingable. Another symptom I'm noticing is that nothing on vlan1 on the HP switch can see the mac address for the vlan1 interface on the 3550, or of anything attached to vlan1 of the 3550. However, these mac addresses will be in both switches' forwarding tables.
And likewise, there will be addresses in the forwarding table of the 3550, but somehow the server is unable to get arp resolution for any of those very hosts.

Config:

!
interface FastEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
!
interface Vlan1
 description Public
 ip address 10.0.0.126 255.255.255.128
!
interface Vlan2
 description Private
 ip address 10.0.0.254 255.255.255.128
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1

public#sh interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/48      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/48      1-2

Port        Vlans allowed and active in management domain
Fa0/48      1-2

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/48      1-2

Running Version 12.2(44)SE6. Any suggestions? Thanks, Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 --- From j.vaningenschenau at utwente.nl Wed Feb 3 11:58:12 2010 From: j.vaningenschenau at utwente.nl (j.vaningenschenau at utwente.nl) Date: Wed, 3 Feb 2010 17:58:12 +0100 Subject: [c-nsp] problems migrating to a 3550 In-Reply-To: <20100203100235.T43899@shell.xecu.net> References: <20100203100235.T43899@shell.xecu.net> Message-ID: <63656D8795A13249B35AD1E5FFAB2F7F026BC379@EX04.service.utwente.nl> > Things in vlan2 on the HP switch can reach the IP address of the 3550 > on > vlan2 just fine, vlan2 is solid. > > However, things in vlan1 on the HP switch cannot reach the IP of the > 3550 > on vlan1, and anything attached to 3550 on vlan1 ports cannot reach > anything on vlan1 on the HP switch.

You could try either:

* Setting VLAN 1 as untagged on the Procurve side, or
* configuring "switchport trunk native vlan tag" on the Cisco side.
(or avoid using VLAN 1, which is what we always do between Cisco and HP switches) Regards, Jeroen van Ingen ICT Service Centre University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands From bacon at walleyesoftware.com Wed Feb 3 12:02:44 2010 From: bacon at walleyesoftware.com (Jeff Bacon) Date: Wed, 3 Feb 2010 11:02:44 -0600 Subject: [c-nsp] what is it with 3550s? Message-ID: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> They seem to be an incredibly popular device, especially for telcos as CPE devices. Why? (I have no use for them, really, and they appear to be EOL, I'm just really curious.) From cnsp at shreddedmail.com Wed Feb 3 12:49:36 2010 From: cnsp at shreddedmail.com (Rick Ernst) Date: Wed, 3 Feb 2010 09:49:36 -0800 Subject: [c-nsp] Cat 4948 policer is greedy? Message-ID: I'm using a Catalyst 4948 as a bump in the cable between another network operator and a metro-ether backhaul to our POP. We land some IP on the 4948 as SVIs for the trunk facing the other operator. Other VLANs are provisioned as "pass-through" for out-of-band circuits. It was my previous experience that unless the policer was attached to the layer-2 interface, or that the traffic landed on the device, that a policer would not affect traffic. I've run into a situation where a policer on a shutdown interface is affecting traffic. Modifying the service-policy on Vlan3017 has an immediate effect on traffic passing across the VLAN. Should this be happening? It doesn't make sense to me based on the configuration and previous experience with policing. Thanks! 
------------
policy-map BW_5M
 class class-default
  police 5 mbps 0.125 mbyte conform-action transmit exceed-action drop

interface GigabitEthernet1/44
 description X-Connect to POP
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,3003,3004,3006,3007,3011,3015,3017,3019-3022
 switchport trunk allowed vlan add 3025,3027-3029,3036-3039,3041-3099
 switchport mode trunk

interface GigabitEthernet1/45
 description Trunk to WiMAX
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3000-3099
 switchport mode trunk
 spanning-tree bpdufilter enable

interface Vlan3017
 description Customer OOB VLAN
 no ip address
 no ip redirects
 no ip proxy-arp
 shutdown
 ! service-policy was not removed when service was changed from
 ! access to OOB
 service-policy input BW_5M
 service-policy output BW_5M

#show policy-map interface vlan3017
 Vlan3017

  Service-policy input: BW_5M

    Class-map: class-default (match-any)
      2097190676 packets
      Match: any
        2097190676 packets
      police: Per-interface
        Conform: 26477941465 bytes Exceed: 221088686 bytes

  Service-policy output: BW_5M

    Class-map: class-default (match-any)
      1991735528 packets
      Match: any
        1991735528 packets
      police: Per-interface
        Conform: 26477412954 bytes Exceed: 0 bytes

From jlewis at lewis.org Wed Feb 3 12:50:10 2010 From: jlewis at lewis.org (Jon Lewis) Date: Wed, 3 Feb 2010 12:50:10 -0500 (EST) Subject: [c-nsp] what is it with 3550s? In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> Message-ID: On Wed, 3 Feb 2010, Jeff Bacon wrote: > They seem to be an incredibly popular device, especially for telcos as > CPE devices. Why? (I have no use for them, really, and they appear to be > EOL, I'm just really curious.) They're one of cisco's earliest (first?)
inexpensive fixed configuration layer 3 switches, do per-port policing (ingress and egress) with pretty good flexibility (better than the 3560 which "replaced" them) and because they're EOL, they've gotten very inexpensive. As CPE, I can see them being attractive where you need a router that's going to handle limited routes (preferably just default and maybe a few static routes, but with EMI software, they can do limited BGP4) but want wire rate packet forwarding performance. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From eric at atlantech.net Wed Feb 3 12:50:57 2010 From: eric at atlantech.net (Eric Van Tol) Date: Wed, 3 Feb 2010 12:50:57 -0500 Subject: [c-nsp] what is it with 3550s? In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> Message-ID: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jeff Bacon > Sent: Wednesday, February 03, 2010 12:03 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] what is it with 3550s? > > They seem to be an incredibly popular device, especially for telcos as > CPE devices. Why? (I have no use for them, really, and they appear to be > EOL, I'm just really curious.) > They can do full layer 3 routing, have a diverse selection of model numbers, do decent QoS, and are cheap, cheap, cheap. -evt From iam at st-andrews.ac.uk Wed Feb 3 12:45:26 2010 From: iam at st-andrews.ac.uk (Ian McDonald) Date: Wed, 03 Feb 2010 17:45:26 +0000 Subject: [c-nsp] what is it with 3550s? 
In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> Message-ID: <4B69B636.9030100@st-andrews.ac.uk> Jeff Bacon wrote: > They seem to be an incredibly popular device, especially for telcos as > CPE devices. Why? (I have no use for them, really, and they appear to be > EOL, I'm just really curious.) > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > Jeff, They're relatively fully featured, run relatively recent IOS, and are dirt cheap. (3550-24FX's run ~350UKP). The fibre ones were also kept "on the books" for quite a while, until the 3750-24FS launched (but they cost a fortune). In my experience, they don't suffer from the early 3750 reliability issues either. (I have some early (2004/2005 ish) C3750G-12S's that have mainboard capacitor explosions). Later C3750-12S's (starting sometime before Feb 2006, and marked -V4 on the label) have a different mainboard, with a differently designed power stage. -- ian Ian McDonald, ITS, University of St Andrews T: +441334462779 F: +441334462759 The University of St Andrews is a charity registered in Scotland: SC013532 From b.turnbow at twt.it Wed Feb 3 13:05:54 2010 From: b.turnbow at twt.it (Brian Turnbow) Date: Wed, 3 Feb 2010 19:05:54 +0100 Subject: [c-nsp] what is it with 3550s? In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> Message-ID: >-----Original Message----- >From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Bacon >Sent: Wednesday, 3 February 2010 18.03 >To: cisco-nsp at puck.nether.net >Subject: [c-nsp] what is it with 3550s?
>They seem to be an incredibly popular device, especially for telcos as >CPE devices. Why? (I have no use for them, really, and they appear to be >EOL, I'm just really curious.) It depends on the model etc, but they have an advantage over the 3750s in the way they slice up TCAM resources. Like the 3550-12s had a reference of 24k routes with 16 SVIs, as compared to a 3750-12 that does max 20k with 8 SVIs. Brian From cayers at ena.com Wed Feb 3 14:20:04 2010 From: cayers at ena.com (Cory Ayers) Date: Wed, 3 Feb 2010 13:20:04 -0600 Subject: [c-nsp] what is it with 3550s? In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> Message-ID: > > They seem to be an incredibly popular device, especially for telcos > as > > CPE devices. Why? (I have no use for them, really, and they appear to > be > > EOL, I'm just really curious.) > > > > They can do full layer 3 routing, have a diverse selection of model > numbers, do decent QoS, and are cheap, cheap, cheap. > > -evt +1. They are dirt cheap, rock solid from our experience, and have options for 10 optical ports (c3550-12G). With that said, unless I'm missing something, I still don't see IPv6 routing support and they are EOL. We will be moving away from them and don't see C3560 or C3750 as a viable replacement. From brhedlun at cisco.com Wed Feb 3 14:23:38 2010 From: brhedlun at cisco.com (Brad Hedlund) Date: Wed, 3 Feb 2010 13:23:38 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <7100ed371002030713j43a1f2b5k47b5a6e0c8667055@mail.gmail.com> References: <7100ed371002030713j43a1f2b5k47b5a6e0c8667055@mail.gmail.com> Message-ID: <42D38646-6700-4EE1-B413-EACB68414589@cisco.com> That is correct. The Nexus 2000 can be connected to two Nexus 5000's with an active/active virtual port channel (vPC).
However, if you do that, you cannot (yet) connect the Server to the Nexus 2000's with an active/active 802.3ad LACP NIC team. You can obviously use active/standby teaming, or, active/active transmit load balancing (TLB) with active/standby receive. If your Nexus 2000's are each singly homed to a single Nexus 5000 like this:

N2K1------>N5K1
             ||
N2K2------>N5K2

then you CAN connect the Server to both N2K's with an active/active 802.3ad LACP team:

        N2K1------>N5K1
Server<              ||
  LACP  N2K2------>N5K2

This architecture provides active/active with redundancy from the network through to the server. Check out this link for more info on how that's done: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/configuration_guide_c07-543563.html -- Brad Hedlund, CCIE #5530 Consulting Systems Engineer, Data Center bhedlund at cisco.com http://www.internetworkexpert.org On Feb 3, 2010, at 9:13 AM, Manu Chao wrote: > No > > AFAIK vPC is already available on N5K/N2K, active/active with FEX should > be possible: > > Cisco Nexus 5000 NX-OS Software Rel 4.1(3)N2(1) > > "A virtual port channel (vPC) allows links that are physically connected to > two different Cisco Nexus 5000 Series switches or Cisco Nexus 2000 Series > Fabric Extenders to appear as a single port channel by a third device (see > the following figure). The third device can be a switch, server, or any > other networking device. Beginning with Cisco NX-OS Release 4.1(3)N1(1), you > can configure vPCs in topologies that include Cisco Nexus 5000 > Series switches connected to the Fabric > Extender. A vPC can provide multipathing, which allows you to create > redundancy by enabling multiple parallel paths between nodes and load > balancing traffic where alternative paths exist" > > R/ > Manu > > On Sat, Jan 30, 2010 at 12:56 AM, scott owens wrote: > >>> >>> 1.
Re: Nexus 2000 vs Catalyst 4948 for access layer >>> (chris at lavin-llc.com) >>> -------------------------------------------------------------------- >>> >>> Message: 1 >>> Date: Fri, 29 Jan 2010 14:16:59 -0500 >>> From: chris at lavin-llc.com >>> To: "Nick Hilliard" >>> Cc: cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer >>> Message-ID: >>> >>> Content-Type: text/plain;charset=iso-8859-1 >>> >>>> wrt NX-OS vs. IOS, they are two different systems. NX-OS is very young >>> in >>>> its development cycle; IOS is much more mature and has many more >>> features. >>>> >>>> Nick >>> >>> >>> I'm curious why you suggest that the NX-OS is very young. My >> understanding >>> (I'm not a SAN guy) is that the NX-OS is just a move of bringing the MDS >>> OS into a routing/switching combination with IOS. >>> >>> I had the recent experience of a Nexus CPOC down in RTP. Going into it I >>> was apprehensive about learning a new OS. But through the CPOC I learned >>> that it's not that much different from IOS. Seemed like they did a decent >>> job of importing/aliasing the IOS related commands. I didn't feel as lost >>> within the CLI as I had expected. >>> >>> -chris >>> >> >> >> We have about a dozen 2148Ts connected to 4 Nexus 5Ks and a couple of 7Ks >> >> I would absolutely NOT pick the 2148Ts for just switching unless you had >> some larger data center needs; they and their "parent" 5Ks don't route .. >> .so we do some ( and we wanted to) vlan tagging on servers to bypass >> routing. >> >> I will say that "show log last 20" is worth every penny :) >> >> They are stable if you hook them up right - currently you can not do >> active/active with a FEX connected to multiple 5Ks & do LACP teaming to >> servers. >> >> Got question - shoot them on over ... 
>> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jlewis at lewis.org Wed Feb 3 14:30:06 2010 From: jlewis at lewis.org (Jon Lewis) Date: Wed, 3 Feb 2010 14:30:06 -0500 (EST) Subject: [c-nsp] what is it with 3550s? In-Reply-To: References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> Message-ID: On Wed, 3 Feb 2010, Cory Ayers wrote: > +1. They are dirt cheap, rock solid from our experience, and have > options for 10 optical ports (c3550-12G). With that said, unless I'm > missing something, I still don't see IPv6 routing support and they are > EOL. We will be moving away from them and don't see C3560 or C3750 as a > viable replacement. You're not going to see IPv6 routing support on the 3550 AFAIK. As colo/customer aggregation switches, the per port policing limitations on the 3560 make it a poor substitute for the 3550. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From eric at atlantech.net Wed Feb 3 15:01:33 2010 From: eric at atlantech.net (Eric Van Tol) Date: Wed, 3 Feb 2010 15:01:33 -0500 Subject: [c-nsp] what is it with 3550s? 
In-Reply-To: References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> Message-ID: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jon Lewis > Sent: Wednesday, February 03, 2010 2:30 PM > To: Cory Ayers > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] what is it with 3550s? > > You're not going to see IPv6 routing support on the 3550 AFAIK. As > colo/customer aggregation switches, the per port policing limitations on > the 3560 make it a poor substitute for the 3550. > > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ > _______________________________________________ Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support: Switch1(config)#ipv6 ? access-list Configure access lists general-prefix Configure a general IPv6 prefix hop-limit Configure hop count limit host Configure static hostnames icmp Configure ICMP parameters local Specify local options neighbor Neighbor route Configure static routes router Enable an IPV6 routing process source-route Process packets with source routing header options unicast-routing Enable unicast routing -evt From sethm at rollernet.us Wed Feb 3 15:03:53 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 03 Feb 2010 12:03:53 -0800 Subject: [c-nsp] what is it with 3550s? 
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> Message-ID: <4B69D6A9.5090703@rollernet.us> On 2/3/10 12:01 PM, Eric Van Tol wrote: >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Jon Lewis >> Sent: Wednesday, February 03, 2010 2:30 PM >> To: Cory Ayers >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] what is it with 3550s? >> >> You're not going to see IPv6 routing support on the 3550 AFAIK. As >> colo/customer aggregation switches, the per port policing limitations on >> the 3560 make it a poor substitute for the 3550. >> >> ---------------------------------------------------------------------- >> Jon Lewis | I route >> Senior Network Engineer | therefore you are >> Atlantic Net | >> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ >> _______________________________________________ > > Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support: > > Switch1(config)#ipv6 ? > access-list Configure access lists > general-prefix Configure a general IPv6 prefix > hop-limit Configure hop count limit > host Configure static hostnames > icmp Configure ICMP parameters > local Specify local options > neighbor Neighbor > route Configure static routes > router Enable an IPV6 routing process > source-route Process packets with source routing header options > unicast-routing Enable unicast routing > Does it have a SDM template for dual v4-v6 mode? ~Seth From ed at edgeoc.net Wed Feb 3 15:08:03 2010 From: ed at edgeoc.net (Edward Salonia) Date: Wed, 3 Feb 2010 20:08:03 +0000 Subject: [c-nsp] what is it with 3550s? 
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net><2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local><2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> Message-ID: <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry> That is in SW only, if memory serves me. Also, I believe it has since been removed because of that. -----Original Message----- From: Eric Van Tol Date: Wed, 3 Feb 2010 15:01:33 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] what is it with 3550s? > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jon Lewis > Sent: Wednesday, February 03, 2010 2:30 PM > To: Cory Ayers > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] what is it with 3550s? > > You're not going to see IPv6 routing support on the 3550 AFAIK. As > colo/customer aggregation switches, the per port policing limitations on > the 3560 make it a poor substitute for the 3550. > > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ > _______________________________________________ Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support: Switch1(config)#ipv6 ? 
  access-list      Configure access lists
  general-prefix   Configure a general IPv6 prefix
  hop-limit        Configure hop count limit
  host             Configure static hostnames
  icmp             Configure ICMP parameters
  local            Specify local options
  neighbor         Neighbor
  route            Configure static routes
  router           Enable an IPV6 routing process
  source-route     Process packets with source routing header options
  unicast-routing  Enable unicast routing

-evt

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From nicotine at warningg.com Wed Feb 3 15:09:39 2010
From: nicotine at warningg.com (Brandon Ewing)
Date: Wed, 3 Feb 2010 14:09:39 -0600
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local>
Message-ID: <20100203200939.GD2240@radiological.warningg.com>

On Wed, Feb 03, 2010 at 03:01:33PM -0500, Eric Van Tol wrote:
> Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support:
>
> Switch1(config)#ipv6 ?
>   access-list      Configure access lists
>   general-prefix   Configure a general IPv6 prefix
>   hop-limit        Configure hop count limit
>   host             Configure static hostnames
>   icmp             Configure ICMP parameters
>   local            Specify local options
>   neighbor         Neighbor
>   route            Configure static routes
>   router           Enable an IPV6 routing process
>   source-route     Process packets with source routing header options
>   unicast-routing  Enable unicast routing
>

IPv6 on 3550 is software-switched, as the ASICs on the platform aren't big enough for v6 addressing.

--
Brandon Ewing (nicotine at warningg.com)
From sthaug at nethelp.no Wed Feb 3 15:18:32 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 03 Feb 2010 21:18:32 +0100 (CET)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry>
References: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry>
Message-ID: <20100203.211832.74687696.sthaug@nethelp.no>

> That is in SW only, if memory serves me. Also, I believe it has since been removed because of that.

Yes, the 3550 has no *hardware* support for IPv6 routing. End of story.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

> -----Original Message-----
> From: Eric Van Tol
> Date: Wed, 3 Feb 2010 15:01:33
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] what is it with 3550s?
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
> > Sent: Wednesday, February 03, 2010 2:30 PM
> > To: Cory Ayers
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] what is it with 3550s?
> >
> > You're not going to see IPv6 routing support on the 3550 AFAIK. As
> > colo/customer aggregation switches, the per port policing limitations on
> > the 3560 make it a poor substitute for the 3550.
> >
> > ----------------------------------------------------------------------
> >  Jon Lewis                   |  I route
> >  Senior Network Engineer     |  therefore you are
> >  Atlantic Net                |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> > _______________________________________________
>
> Are you sure about this? I thought that 12.2(44)SE2 has IPv6 support:
>
> Switch1(config)#ipv6 ?
>   access-list      Configure access lists
>   general-prefix   Configure a general IPv6 prefix
>   hop-limit        Configure hop count limit
>   host             Configure static hostnames
>   icmp             Configure ICMP parameters
>   local            Specify local options
>   neighbor         Neighbor
>   route            Configure static routes
>   router           Enable an IPV6 routing process
>   source-route     Process packets with source routing header options
>   unicast-routing  Enable unicast routing
>
> -evt

From eric at atlantech.net Wed Feb 3 15:31:44 2010
From: eric at atlantech.net (Eric Van Tol)
Date: Wed, 3 Feb 2010 15:31:44 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100203.211832.74687696.sthaug@nethelp.no>
References: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry> <20100203.211832.74687696.sthaug@nethelp.no>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863BFB5856F1@exchange.aoihq.local>

> -----Original Message-----
> From: sthaug at nethelp.no [mailto:sthaug at nethelp.no]
> Sent: Wednesday, February 03, 2010 3:19 PM
> To: ed at edgeoc.net
> Cc: Eric Van Tol; cisco-nsp-bounces at puck.nether.net; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] what is it with 3550s?
>
> > That is in SW only, if memory serves me. Also, I believe it has since
> been removed because of that.
>
> Yes, the 3550 has no *hardware* support for IPv6 routing. End of story.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

Yes, this is true.
But what was said was, "You're not going to see IPv6 routing support on the 3550 AFAIK." I wouldn't turn it on unless your v6 traffic is extremely minimal, but it does support it. Just not well.

-evt

From enelsonm5 at yahoo.com Wed Feb 3 15:35:59 2010
From: enelsonm5 at yahoo.com (Erik Nelson)
Date: Wed, 3 Feb 2010 12:35:59 -0800 (PST)
Subject: [c-nsp] Cisco ACE module configuration question
Message-ID: <579353.91231.qm@web65713.mail.ac4.yahoo.com>

I have an ACE module in a 6500, and have basic load balancing (with sticky connections) working. The lab environment that I need to use this for will have 40+ servers, but all the traffic will be generated by just four servers. Each server will be simulating many users, each on a different source port. The traffic is HTTP, but not on port 80. Since there are programs generating the user traffic, I can't necessarily depend on them to behave completely like browsers (cookies, for instance). I have no control over the application software or load generator software. Also, each connection needs to be sticky.

Any suggestions? I think I need the source port to be part of the load balancing decisions. But this is the first ACE I have touched, and I am somewhat lost.

Thanks!

From jlewis at lewis.org Wed Feb 3 15:50:35 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 3 Feb 2010 15:50:35 -0500 (EST)
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863BFB5856F1@exchange.aoihq.local>
References: <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <458197188-1265227771-cardhu_decombobulator_blackberry.rim.net-1847911455-@bda056.bisx.prod.on.blackberry> <20100203.211832.74687696.sthaug@nethelp.no> <2C05E949E19A9146AF7BDF9D44085B863BFB5856F1@exchange.aoihq.local>
Message-ID:

On Wed, 3 Feb 2010, Eric Van Tol wrote:
>> Yes, the 3550 has no *hardware* support for IPv6 routing. End of story.
>>
>> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>
> Yes, this is true.
> But what was said was, "You're not going to see IPv6
> routing support on the 3550 AFAIK." I wouldn't turn it on unless your
> v6 traffic is extremely minimal, but it does support it. Just not well.

I didn't think we would at all. Having it software switched on a 3550 probably means you can "do IPv6" in as much as just giving a v6 address to an SVI for management purposes, or for use in low bandwidth lab setups. IPv6 layer 3 ports for customers wanting to push much data isn't likely to work too well.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From pkranz at unwiredltd.com Wed Feb 3 16:11:49 2010
From: pkranz at unwiredltd.com (Peter Kranz)
Date: Wed, 3 Feb 2010 13:11:49 -0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <201002030817.24147.mtinka@globaltransit.net>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com> <4B67EFBF.10500@imperial.ac.uk> <043e01caa433$5cf09b00$16d1d100$@unwiredltd.com> <201002030817.24147.mtinka@globaltransit.net>
Message-ID: <078c01caa515$80907ed0$81b17c70$@unwiredltd.com>

So in terms of enabling MPLS on a fully meshed set of routers running BGP and OSPF.. Here are the general steps I believe;

#conf t
tag-switching advertise-tags
!
int g0/0
 mtu 9216
 tag-switching ip
!

However, what can I expect to happen when this is done, i.e. will existing BGP sessions drop between the routers whose interfaces I have changed to tag-switching IP? What other kinds of gotchas? Ideally I'd like to add MPLS capabilities in a hitless manner to the existing network.
-Peter

From jeff-kell at utc.edu Wed Feb 3 16:12:07 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 03 Feb 2010 16:12:07 -0500
Subject: [c-nsp] QQ
In-Reply-To: <4B69D6A9.5090703@rollernet.us>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <4B69D6A9.5090703@rollernet.us>
Message-ID: <4B69E6A7.6070800@utc.edu>

The 3550-EMIs, particularly the 3550-12s, were a hot little switch in their day. L3 routing and up to 10 optical ports would otherwise spell a 4500 (only 6Gbps at the time) or 6500. We still use some 3550-12s, doing L3 routing and VRF-lite, pushing those capabilities out to some areas we couldn't otherwise afford. If you don't need IPv6 or advanced QoS, they're still a hot little switch. And yes, cheap aftermarket while they last.

Jeff

From RGoldberg at compudyne.net Wed Feb 3 16:01:06 2010
From: RGoldberg at compudyne.net (Ryan Goldberg)
Date: Wed, 3 Feb 2010 15:01:06 -0600
Subject: [c-nsp] VRF aware IPSec for remote access without xauth
In-Reply-To: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com>
References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com>
Message-ID:

> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
> Sent: Tuesday, February 02, 2010 10:20 PM
> To: cisco-nsp
> Subject: [c-nsp] VRF aware IPSec for remote access without xauth
>
> I am trying to configure vrf aware IPSec VPN for remote access, coming
> into one VRF and tunneling into another VRF. Can I do that without
> XAUTH? I can't seem to find any reference to doing it without xauth.
> If it's possible and someone has done this, can you please post a
> sample config?

I believe the following tidbits should get you going. This is from a 2801 running 12.4.24T1. The tunnel lands on vrf ISP2 and pops out into vrf LAN.
ip vrf ISP2
 rd 1:2

ip vrf LAN
 rd 1:3

crypto keyring ISP2 vrf ISP2
  pre-shared-key address a.b.c.d key blahblahblah

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2

crypto isakmp profile ProfileForNuttyVendor
   vrf LAN
   keyring ISP2
   match identity address a.b.c.d 255.255.255.255 ISP2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map AwesomeMap 3 ipsec-isakmp
 description tunnel for Nutty Vendor
 set peer a.b.c.d
 set transform-set ESP-3DES-SHA
 set isakmp-profile ProfileForNuttyVendor
 match address 111
 reverse-route

interface FastEthernet0/1
 ip vrf forwarding LAN
 ip address 10.1.19.250 255.255.255.0

interface FastEthernet0/0
 ip vrf forwarding ISP2
 ip address w.x.y.z 255.255.255.248

access-list 111 remark Nutty Vendor tunnel
access-list 111 permit ip host 10.3.19.247 10.0.1.0 0.0.0.255

- Ryan

From jeff-kell at utc.edu Wed Feb 3 16:33:43 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 03 Feb 2010 16:33:43 -0500
Subject: [c-nsp] what is it with 3550s? (was: QQ
In-Reply-To: <4B69E6A7.6070800@utc.edu>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <4B69D6A9.5090703@rollernet.us> <4B69E6A7.6070800@utc.edu>
Message-ID: <4B69EBB7.8010102@utc.edu>

I have *no* idea where that 'QQ' came from -- sorry for the unintentional thread/subject misdirection!

While I'm "appending" the original post, let me add that 3550-12s boot *much* faster than the suggested 3750-12 replacements too :-)

Jeff

From rsm at fast-serv.com Wed Feb 3 16:42:25 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Wed, 3 Feb 2010 16:42:25 -0500
Subject: [c-nsp] what is it with 3550s?
(was: QQ
In-Reply-To: <4B69EBB7.8010102@utc.edu>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <4B69D6A9.5090703@rollernet.us> <4B69E6A7.6070800@utc.edu> <4B69EBB7.8010102@utc.edu>
Message-ID: <20100203214106.M15257@fast-serv.com>

Don't the 3550s have some pretty big TCAM and routed VLAN limitations compared to their 3560/3750 counterparts?

--
Randy

---------- Original Message -----------
From: Jeff Kell
To: cisco-nsp
Sent: Wed, 03 Feb 2010 16:33:43 -0500
Subject: Re: [c-nsp] what is it with 3550s? (was: QQ

> I have *no* idea where that 'QQ' came from -- sorry for the
> unintentional thread/subject misdirection!
>
> While I'm "appending" the original post, let me add that 3550-12s
> boot *much* faster than the suggested 3750-12 replacements too :-)
>
> Jeff
------- End of Original Message -------

From jeff-kell at utc.edu Wed Feb 3 16:55:43 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 03 Feb 2010 16:55:43 -0500
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <20100203214106.M15257@fast-serv.com>
References: <5A69C25361FED34F83ABF05F5047524507F05E82@wally.walleyetrading.net> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EC@exchange.aoihq.local> <2C05E949E19A9146AF7BDF9D44085B863BFB5856EF@exchange.aoihq.local> <4B69D6A9.5090703@rollernet.us> <4B69E6A7.6070800@utc.edu> <4B69EBB7.8010102@utc.edu> <20100203214106.M15257@fast-serv.com>
Message-ID: <4B69F0DF.4040301@utc.edu>

On 2/3/2010 4:42 PM, Randy McAnally wrote:
> Don't the 3550s have some pretty big TCAM and routed VLAN limitations compared
> to their 3560/3750 counterparts?
>

In our case (vrf-enabled, but not ipv6):

foobar-3550#show sdm prefer   (a 3550-12)
 The current template is the routing extended-match template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 16 routed interfaces and 1K VLANs.

  number of unicast mac addresses:   6K
  number of igmp groups:             6K
  number of qos aces:                1K
  number of security aces:           1K
  number of unicast routes:          12K
  number of multicast routes:        6K

foobar-3750#show sdm prefer   (a 3750-12)
 The current template is "aggregate default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    12K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 6K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.875k
  number of IPv4/MAC security aces:                 1K

From john at vanoppen.com Wed Feb 3 16:07:53 2010
From: john at vanoppen.com (John van Oppen)
Date: Wed, 3 Feb 2010 13:07:53 -0800
Subject: [c-nsp] IPV6 again
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <3329cbb41002030257s46c6468ax72c9d889406c02f8@mail.gmail.com> <4B6965B5.6000302@imperial.ac.uk>
Message-ID:

yep, it is based on the netblocks the resolvers are in, we have it enabled too and had to provide the subnets that our resolvers send their outbound queries from.
John van Oppen
Spectrum Networks LLC
Direct: 206.973.8302
Main: 206.973.8300
Website: http://spectrumnetworks.us

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson
Sent: Wednesday, February 03, 2010 4:15 AM
To: Phil Mayers
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPV6 again

On Wed, 3 Feb 2010, Phil Mayers wrote:

> Does anyone know the details - do the google DNS servers choose to reply with
> AAAA based on AS-path of the querying IP, or netblock? Inbound interface?

When I talked to google, they wanted to know what netblock(s) my resolvers were in, so I guess it's based on that.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From tom at netspot.com.au Wed Feb 3 17:19:54 2010
From: tom at netspot.com.au (Tom Lanyon)
Date: Thu, 4 Feb 2010 08:49:54 +1030
Subject: [c-nsp] IPV6 again
In-Reply-To: <20100203110305.GI857@greenie.muc.de>
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk> <5CDA08CF-24D9-4913-B1E6-E9B248B3C3EE@manchester.ac.uk> <20100201165908.GB2090@lboro.ac.uk> <20100203110305.GI857@greenie.muc.de>
Message-ID: <65F1E8FE-7220-403A-8494-3E8C9960DFCD@netspot.com.au>

On 03/02/2010, at 9:33 PM, Gert Doering wrote:
> On Wed, Feb 03, 2010 at 09:07:23PM +1030, Tom Lanyon wrote:
>> They are not handing out an AAAA for www.youtube.com but most of the
>> content (img+video) servers are on v6.
>
> Actually you're missing all the fun :-)
>
> www.youtube.com is an alias for youtube-ui.l.google.com.
> youtube-ui.l.google.com has address 74.125.79.102
> youtube-ui.l.google.com has address 74.125.79.101
> youtube-ui.l.google.com has address 74.125.79.100
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::64
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::66
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::71
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8b
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::65
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8a
>
> (since this morning)
>
> gert

Hi Gert,

I spoke too soon! That wasn't available for me 12 hours ago. :)

Tom

From ncnet at sbcglobal.net Wed Feb 3 17:42:59 2010
From: ncnet at sbcglobal.net (Larry Stites)
Date: Wed, 03 Feb 2010 14:42:59 -0800
Subject: [c-nsp] what is it with 3550s?
In-Reply-To: <4B69F0DF.4040301@utc.edu>
Message-ID:

A quick search through our inventory and I see current used market prices are:

WS-C3550-12G        $675/ea - $875/ea
WS-C3550-24PWR-SMI  $350/ea - $450/ea
WS-C3550-48-EMI     $315/ea - $450/ea
WS-C3550-48-SMI     $250/ea - $350/ea

~.~
Best regards,
Larry E. Stites
Acquisitions and Sales
Northern California Networks, Inc.
Nevada City, Calif. 95959

on 2/3/10 1:55 PM, Jeff Kell wrote:

> On 2/3/2010 4:42 PM, Randy McAnally wrote:
>> Don't the 3550s have some pretty big TCAM and routed VLAN limitations compared
>> to their 3560/3750 counterparts?
>>
>
> In our case (vrf-enabled, but not ipv6):
>
> foobar-3550#show sdm prefer   (a 3550-12)
> The current template is the routing extended-match template.
> The selected template optimizes the resources in
> the switch to support this level of features for
> 16 routed interfaces and 1K VLANs.
>
> number of unicast mac addresses:   6K
> number of igmp groups:             6K
> number of qos aces:                1K
> number of security aces:           1K
> number of unicast routes:          12K
> number of multicast routes:        6K
>
> foobar-3750#show sdm prefer   (a 3750-12)
> The current template is "aggregate default" template.
> The selected template optimizes the resources in
> the switch to support this level of features for
> 8 routed interfaces and 1024 VLANs.
>
> number of unicast mac addresses:                  6K
> number of IPv4 IGMP groups + multicast routes:    1K
> number of IPv4 unicast routes:                    12K
>   number of directly-connected IPv4 hosts:        6K
>   number of indirect IPv4 routes:                 6K
> number of IPv4 policy based routing aces:         0
> number of IPv4/MAC qos aces:                      0.875k
> number of IPv4/MAC security aces:                 1K
>

From drew.weaver at thenap.com Wed Feb 3 18:18:33 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Wed, 3 Feb 2010 18:18:33 -0500
Subject: [c-nsp] 6500 having a seizure
Message-ID:

Hey all...

So we've been having issues with this 6500 for awhile now, just doing random stuff so we replaced the chassis and one of the Sups, so today while I was at lunch (doesn't it always happen this way) the switch had one of these:

System returned to ROM by Stateful Switchover (SP by bus error at PC 0x402DF924, address 0x0)

Good times, so after the switch finally "recovered" I noticed this in my log:

.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/41 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/42 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/43 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/44 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/45 was bounced by Consistency Check IDBS Up.
.Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/46 was bounced by Consistency Check IDBS Up.
..Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/48 was bounced by Consistency Check IDBS Up.
Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/42 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/43 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/44 was bounced by Consistency Check IDBS Down.
.Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/45 was bounced by Consistency Check IDBS Down
.Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/47 was bounced by Consistency Check IDBS Down.
.Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/48 was bounced by Consistency Check IDBS Down

Since then we replaced the other supervisor which we suspect might be bad, but we're trying to figure out if there is an actual REASON for that:

Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was bounced by Consistency Check IDBS Down.

error... We had to go in and shut/no shut interfaces 3/41 - 3/48 manually before the VLANs would come back up...

We would like to avoid any more epilepsy from this box if possible, any ideas?

thanks,
-Drew

From rsm at fast-serv.com Wed Feb 3 21:17:34 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Wed, 3 Feb 2010 21:17:34 -0500
Subject: [c-nsp] 6500 having a seizure
In-Reply-To:
References:
Message-ID: <20100204021648.M52591@fast-serv.com>

What software release?

--
Randy

---------- Original Message -----------
From: Drew Weaver
To: "cisco-nsp at puck.nether.net"
Sent: Wed, 3 Feb 2010 18:18:33 -0500
Subject: [c-nsp] 6500 having a seizure

> Hey all...
>
> So we've been having issues with this 6500 for awhile now, just
> doing random stuff so we replaced the chassis and one of the Sups,
> so today while I was at lunch (doesn't it always happen this way)
> the switch had one of these:
>
> System returned to ROM by Stateful Switchover (SP by bus error at PC
> 0x402DF924, address 0x0)
>
> Good times, so after the switch finally "recovered" I noticed this
> in my log:
>
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/41 was
> bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/42 was
> bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/43 was
> bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/44 was
> bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/45 was
> bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/46 was
> bounced by Consistency Check IDBS Up.
> ..Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/48 was
> bounced by Consistency Check IDBS Up.
> Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was
> bounced by Consistency Check IDBS Down.
> .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/42 was
> bounced by Consistency Check IDBS Down.
> .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/43 was
> bounced by Consistency Check IDBS Down.
> .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/44 was
> bounced by Consistency Check IDBS Down.
> .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/45 was
> bounced by Consistency Check IDBS Down
> .Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/47 was
> bounced by Consistency Check IDBS Down.
> .Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/48 was
> bounced by Consistency Check IDBS Down
>
> Since then we replaced the other supervisor which we suspect might
> be bad, but we're trying to figure out if there is an actual REASON
> for that:
>
> Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was
> bounced by Consistency Check IDBS Down.
>
> error... We had to go in and shut/no shut interfaces 3/41 - 3/48
> manually before the VLANs would come back up...
>
> We would like to avoid any more epilepsy from this box if possible,
> any ideas?
>
> thanks,
> -Drew
>
------- End of Original Message -------

From p_ambedkar at rediffmail.com Wed Feb 3 23:35:32 2010
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 4 Feb 2010 04:35:32 -0000
Subject: [c-nsp] cisco 6509 rommon mode still continues
Message-ID: <20100204043532.58182.qmail@f4mail-235-134.rediffmail.com>

Hi,

My Cisco 6509 rommon mode still continues.. Previously I cleaned up all the modules and changed the batteries; now it is showing:

rommon 1 > boot
open: file "c7200-fslib-m" not found
open(): Open Error = -1
loadprog: error - on file open
cannot load the monitor library "bootflash:%c7200-fslib-m" from device: bootflash
boot: cannot open "bootflash:"
boot: cannot determine first file name on device "bootflash:"
rommon 2 >
rommon 2 >

Can anybody help me.

Bye.
From mark.carter at imperial.ac.uk Thu Feb 4 05:21:55 2010
From: mark.carter at imperial.ac.uk (Carter, Mark R)
Date: Thu, 4 Feb 2010 10:21:55 +0000
Subject: [c-nsp] Cisco ACE module configuration question
In-Reply-To: <579353.91231.qm@web65713.mail.ac4.yahoo.com>
References: <579353.91231.qm@web65713.mail.ac4.yahoo.com>
Message-ID: <323DE271DDCA6F4C989354B6113FE0302D85FA835F@ICEXM1.ic.ac.uk>

Erik Nelson wrote:
> I have an ACE module in a 6500, and have basic load balancing (with
> sticky connections) working. The lab environment that I need to use
> this for will have 40+ servers, but all the traffic will be generated
> by just four servers. Each server will be simulating many users, each
> on a different source port. The traffic is HTTP, but not on port 80.
> Since there are programs generating the user traffic, I can't
> necessarily depend on them to behave completely like browsers (cookies,
> for instance). I have no control over the application software or load
> generator software. Also, each connection needs to be sticky.
>
> Any suggestions? I think I need the source port to be part of the load
> balancing decisions. But this is the first ACE I have touched, and am
> somewhat lost.
>

I don't think it's possible to base stickiness on the source port. The options are either IP address or something from the payload. So unless each client sends a unique identifier in the http payload, I don't think you'll be able to do it.
From Christophe.Cardon at bec.dk Thu Feb 4 06:09:11 2010
From: Christophe.Cardon at bec.dk (Christophe Cardon)
Date: Thu, 4 Feb 2010 12:09:11 +0100
Subject: [c-nsp] Cisco ACE module configuration question
In-Reply-To: <323DE271DDCA6F4C989354B6113FE0302D85FA835F@ICEXM1.ic.ac.uk>
References: <579353.91231.qm@web65713.mail.ac4.yahoo.com> <323DE271DDCA6F4C989354B6113FE0302D85FA835F@ICEXM1.ic.ac.uk>
Message-ID: <2460F1476CDEBC45835CD3506BA8BF3801A7D6F6C937@EX08.res.bec.dk>

From the Cisco documentation:

Cisco ACE provides stickiness that allows the same client to maintain multiple simultaneous or subsequent TCP or IP connections with the same real server for the duration of a session. Cisco ACE supports the following sticky methods:

- Source or destination IP address
- Cookie
- HTTP header, and Generic Protocol Parsing for session level persistence such as SSL session ID

Rgds,
Christophe

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Carter, Mark R
Sent: 4 February 2010 11:22
To: 'Erik Nelson'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE module configuration question

Erik Nelson wrote:
> I have an ACE module in a 6500, and have basic load balancing (with
> sticky connections) working. The lab environment that I need to use
> this for will have 40+ servers, but all the traffic will be generated
> by just four servers. Each server will be simulating many users, each
> on a different source port. The traffic is HTTP, but not on port 80.
> Since there are programs generating the user traffic, I can't
> necessarily depend on them to behave completely like browsers
> (cookies, for instance). I have no control over the application
> software or load generator software. Also, each connection needs to be sticky.
>
> Any suggestions? I think I need the source port to be part of the load
> balancing decisions. But this is the first ACE I have touched, and am
> somewhat lost.
>

I don't think it's possible to base stickiness on the source port. The options are either IP address or something from the payload. So unless each client sends a unique identifier in the http payload, I don't think you'll be able to do it.

From drew.weaver at thenap.com Thu Feb 4 07:40:21 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 4 Feb 2010 07:40:21 -0500
Subject: [c-nsp] 6500 having a seizure
In-Reply-To: <20100204021648.M52591@fast-serv.com>
References: <20100204021648.M52591@fast-serv.com>
Message-ID:

Hey Randy,

12.2(18)SXF17

-Drew

-----Original Message-----
From: Randy McAnally [mailto:rsm at fast-serv.com]
Sent: Wednesday, February 03, 2010 9:18 PM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 having a seizure

What software release?

--
Randy

---------- Original Message -----------
From: Drew Weaver
To: "cisco-nsp at puck.nether.net"
Sent: Wed, 3 Feb 2010 18:18:33 -0500
Subject: [c-nsp] 6500 having a seizure

> Hey all...
>
> So we've been having issues with this 6500 for awhile now, just
> doing random stuff so we replaced the chassis and one of the Sups,
> so today while I was at lunch (doesn't it always happen this way)
> the switch had one of these:
>
> System returned to ROM by Stateful Switchover (SP by bus error at PC
> 0x402DF924, address 0x0)
>
> Good times, so after the switch finally "recovered" I noticed this
> in my log:
>
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/41 was
> bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/42 was
> bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/43 was
> bounced by Consistency Check IDBS Up.
> .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/44 was > bounced by Consistency Check IDBS Up. > .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/45 was > bounced by Consistency Check IDBS Up. > .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/46 was > bounced by Consistency Check IDBS Up. > ..Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/48 was > bounced by Consistency Check IDBS Up. > Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was > bounced by Consistency Check IDBS Down. > .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/42 was > bounced by Consistency Check IDBS Down. > .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/43 was > bounced by Consistency Check IDBS Down. > .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/44 was > bounced by Consistency Check IDBS Down. > .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/45 was > bounced by Consistency Check IDBS Down > .Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/47 was > bounced by Consistency Check IDBS Down. > .Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/48 was > bounced by Consistency Check IDBS Down > > Since then we replaced the other supervisor which we suspect might > be bad, but we're trying to figure out if there is an actual REASON > for that: > > Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was > bounced by Consistency Check IDBS Down. > > error... We had to go in and shut/no shut interfaces 3/41 - 3/48 > manually before the VLANs would come back up... > > We would like to avoid any more epilepsy from this box if possible, > any ideas? 
> > thanks, > -Drew > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ ------- End of Original Message ------- From mailandrewg at gmail.com Thu Feb 4 08:48:12 2010 From: mailandrewg at gmail.com (Andrew Gabriel) Date: Thu, 4 Feb 2010 19:18:12 +0530 Subject: [c-nsp] Cisco ACS question Message-ID: I don't have a lot of experience with Cisco ACS boxes and the Cisco documentation doesn't explain this clearly so am hoping somebody could share their experience or provide some ideas. We have 2 Cisco ACS boxes (4.2) that are currently used for providing Radius authentication to wireless users (Cisco WLC). At the back end it is linked to our Microsoft Active Directory and the ACS doesn't have any user accounts, it just interfaces between the Active Directory servers and the wireless clients. My question is, how do I use the existing ACS severs to run Radius and TACACS for AAA for various network devices on the network. In other words, how do I run a separate set of authentication for the network engineers to manage their devices, using the existing ACS infrastructure, without: 1. Disrupting or changing the existing authentication for Wireless 2. Allowing any general wireless user to authenticate to our network devices (I don't mind having a separate AD group for the network admins so the rest of the users can be filtered, or even manually setting up local accounts for the few network engineers on the ACS boxes). Would appreciate any suggestions or ideas. Thanks, -Andrew. From scottowens12 at gmail.com Thu Feb 4 09:16:06 2010 From: scottowens12 at gmail.com (scott owens) Date: Thu, 4 Feb 2010 08:16:06 -0600 Subject: [c-nsp] iSCSI versus FCOE with Nexus Message-ID: Is anyone / has anyone migrated to or added more iSCSI instead of FCOE for your converged networking needs ? 
Problems , good points, ease of use, performance, size of deployment
( possibly what kind ) ?

Thank you.

From ck at sandcastl.es Thu Feb 4 09:20:23 2010
From: ck at sandcastl.es (ck)
Date: Thu, 4 Feb 2010 06:20:23 -0800
Subject: [c-nsp] 6500 having a seizure
In-Reply-To:
References: <20100204021648.M52591@fast-serv.com>
Message-ID: <8c308e8b1002040620m6a2ff85ex161d94a441715d6a@mail.gmail.com>

sounds similar to CSCsi49150

On Thu, Feb 4, 2010 at 4:40 AM, Drew Weaver wrote:

> Hey Randy,
>
> 12.2(18)SXF17
>
> -Drew
>
> -----Original Message-----
> From: Randy McAnally [mailto:rsm at fast-serv.com]
> Sent: Wednesday, February 03, 2010 9:18 PM
> To: Drew Weaver; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6500 having a seizure
>
> What software release?
>
> --
> Randy
>
> ---------- Original Message -----------
> From: Drew Weaver
> To: "cisco-nsp at puck.nether.net"
> Sent: Wed, 3 Feb 2010 18:18:33 -0500
> Subject: [c-nsp] 6500 having a seizure
>
> > Hey all...
> >
> > So we've been having issues with this 6500 for awhile now, just
> > doing random stuff so we replaced the chassis and one of the Sups,
> > so today while I was at lunch (doesn't it always happen this way)
> > the switch had one of these:
> >
> > System returned to ROM by Stateful Switchover (SP by bus error at PC
> > 0x402DF924, address 0x0)
> >
> > Good times, so after the switch finally "recovered" I noticed this
> > in my log:
> >
> > .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/41 was bounced by Consistency Check IDBS Up.
> > .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/42 was bounced by Consistency Check IDBS Up.
> > .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/43 was bounced by Consistency Check IDBS Up.
> > .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/44 was bounced by Consistency Check IDBS Up.
> > .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/45 was bounced by Consistency Check IDBS Up.
> > .Feb 3 15:46:59.272 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/46 was bounced by Consistency Check IDBS Up.
> > ..Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa13/48 was bounced by Consistency Check IDBS Up.
> > Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was bounced by Consistency Check IDBS Down.
> > .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/42 was bounced by Consistency Check IDBS Down.
> > .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/43 was bounced by Consistency Check IDBS Down.
> > .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/44 was bounced by Consistency Check IDBS Down.
> > .Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/45 was bounced by Consistency Check IDBS Down
> > .Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/47 was bounced by Consistency Check IDBS Down.
> > .Feb 3 15:47:00.304 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/48 was bounced by Consistency Check IDBS Down
> >
> > Since then we replaced the other supervisor which we suspect might
> > be bad, but we're trying to figure out if there is an actual REASON
> > for that:
> >
> > Feb 3 15:46:59.276 EST: %PM-SP-4-PORT_BOUNCED: Port Fa3/41 was bounced by Consistency Check IDBS Down.
> >
> > error... We had to go in and shut/no shut interfaces 3/41 - 3/48
> > manually before the VLANs would come back up...
> >
> > We would like to avoid any more epilepsy from this box if possible,
> > any ideas?
> >
> > thanks,
> > -Drew
> >
> ------- End of Original Message -------
>

From dwbielawa at liberty.edu Thu Feb 4 09:07:22 2010
From: dwbielawa at liberty.edu (Bielawa, Daniel W. (NS))
Date: Thu, 4 Feb 2010 09:07:22 -0500
Subject: [c-nsp] Cisco ACS question
In-Reply-To:
References:
Message-ID: <00C0F7C1912DA04585B1ECA7A0CD3CC004108002AA@LUEMS04VS.University.liberty.edu>

Hello,

The setup you are looking for is two parts. The first part is on the
network device that you want to authenticate using TACACS. The second
part is in the ACS server itself. In our network we use TACACS for
authentication, authorization, and accounting for network logins. Below
is a link to the Cisco TACACS configuration guide for a 3750.

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swauthen.html#wp1044243

In ACS we have our devices configured using TACACS. I would recommend
setting up a separate group in ACS for your admin accounts. Then add
those devices to that group, with the enable option set to the maximum
privilege level of 15. Do not allow your general user group access to
the devices configured for TACACS and they will not be able to login to
them.

Thank You

Daniel Bielawa
Network Engineer
Liberty University Network Services
Email: dwbielawa at liberty.edu
Phone: 434-592-7987

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
Sent: Thursday, February 04, 2010 8:48 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ACS question

I don't have a lot of experience with Cisco ACS boxes and the Cisco
documentation doesn't explain this clearly, so am hoping somebody could
share their experience or provide some ideas.

We have 2 Cisco ACS boxes (4.2) that are currently used for providing
Radius authentication to wireless users (Cisco WLC). At the back end it
is linked to our Microsoft Active Directory and the ACS doesn't have any
user accounts; it just interfaces between the Active Directory servers
and the wireless clients.

My question is, how do I use the existing ACS servers to run Radius and
TACACS for AAA for various network devices on the network. In other
words, how do I run a separate set of authentication for the network
engineers to manage their devices, using the existing ACS
infrastructure, without:

1. Disrupting or changing the existing authentication for Wireless
2. Allowing any general wireless user to authenticate to our network
devices (I don't mind having a separate AD group for the network admins
so the rest of the users can be filtered, or even manually setting up
local accounts for the few network engineers on the ACS boxes).

Would appreciate any suggestions or ideas.

Thanks,
-Andrew.

From mailers at oranged.to Thu Feb 4 18:34:23 2010
From: mailers at oranged.to (Jimmy Stewpot)
Date: Thu, 4 Feb 2010 23:34:23 +0000 (UTC)
Subject: [c-nsp] iSCSI versus FCOE with Nexus
In-Reply-To:
Message-ID: <2136206869.20.1265326463756.JavaMail.root@poops.oranged.to>

Hello,

We have stuck with iSCSI for the time being. The vendor support on the
storage end is tried and tested/reliable. As more vendors start to
support FCOE we may find that decision will change, but not for some
time.

Regards,

Jimmy.

----- Original Message -----
From: "scott owens"
To: cisco-nsp at puck.nether.net
Sent: Friday, 5 February, 2010 1:16:06 AM
Subject: [c-nsp] iSCSI versus FCOE with Nexus

Is anyone / has anyone migrated to or added more iSCSI instead of FCOE
for your converged networking needs ?

Problems , good points, ease of use, performance, size of deployment
( possibly what kind ) ?

Thank you.

From vijaygore27 at gmail.com Fri Feb 5 02:15:08 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 5 Feb 2010 12:45:08 +0530
Subject: [c-nsp] find window's machine from Cisco Router
Message-ID: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>

Dear Team,

anybody can tell me how to check windows machine connected in Cisco Router,

for ex.
in show arp we are getting bunch of ip and MAC , how to verify from them
which is linux machine ip and which windows machine ip ,,

or if there is any other command OR other way to rectify to find it

Router#sho arp
Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1

From andrew.gabriel at sanmina-sci.com Fri Feb 5 03:00:43 2010
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel)
Date: Fri, 5 Feb 2010 13:30:43 +0530
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID:

Use a port scanner like NMAP.

-Andrew.

On Fri, Feb 5, 2010 at 12:45 PM, vijay gore wrote:

> Dear Team,
>
> anybody can tell me how to check windows machine connected in Cisco Router,
>
>
> for ex.
>
> in show arp we are getting bunch of ip and MAC , how to verify from them
> which is linux machine ip and which windows machine ip ,,
>
> or if there is any other command OR other way to rectify to find it
>
>
> Router#sho arp
> Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
>

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

From b.turnbow at twt.it Fri Feb 5 03:38:26 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 5 Feb 2010 09:38:26 +0100
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To:
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID:

Though not as reliable as a port scanner, you could do something like
this even from remote

access-list 101 permit udp any any range 137 138 log
access-list 101 permit any any

interface fa1
ip access-group 101 in

Then
Show log
to see netbios packet users

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
Sent: Friday 5 February 2010 9.01
To: vijay gore
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Use a port scanner like NMAP.

-Andrew.

On Fri, Feb 5, 2010 at 12:45 PM, vijay gore wrote:

> Dear Team,
>
> anybody can tell me how to check windows machine connected in Cisco Router,
>
>
> for ex.
>
> in show arp we are getting bunch of ip and MAC , how to verify from them
> which is linux machine ip and which windows machine ip ,,
>
> or if there is any other command OR other way to rectify to find it
>
>
> Router#sho arp
> Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
>

From vijaygore27 at gmail.com Fri Feb 5 04:42:11 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 5 Feb 2010 15:12:11 +0530
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To:
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID: <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>

Dear Sir,

access-list 101 permit any any

% Unrecognized command

On Fri, Feb 5, 2010 at 2:08 PM, Brian Turnbow wrote:

> Though not as reliable as a port scanner, you could do something like this
> even from remote
>
> access-list 101 permit udp any any range 137 138 log
> access-list 101 permit any any
>
> interface fa1
> ip access-group 101 in
>
>
> Then
> Show log
> to see netbios packet users
>
> Brian
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
> Sent: Friday 5 February 2010 9.01
> To: vijay gore
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> Use a port scanner like NMAP.
>
> -Andrew.
>
>
>
>
> On Fri, Feb 5, 2010 at 12:45 PM, vijay gore wrote:
>
> > Dear Team,
> >
> > anybody can tell me how to check windows machine connected in Cisco
> Router,
> >
> >
> > for ex.
> >
> > in show arp we are getting bunch of ip and MAC , how to verify from them
> > which is linux machine ip and which windows machine ip ,,
> >
> > or if there is any other command OR other way to rectify to find it
> >
> >
> > Router#sho arp
> > Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> > Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> > Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> > Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> > Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> > Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> > Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
> >
>

From b.turnbow at twt.it Fri Feb 5 04:41:36 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 5 Feb 2010 10:41:36 +0100
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
	<31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>
Message-ID:

sorry forgot the "ip"

access-list 101 permit ip any any

Brian Turnbow
Network Manager
TWT S.p.A.

________________________________
From: vijay gore [mailto:vijaygore27 at gmail.com]
Sent: Friday 5 February 2010 10.42
To: Brian Turnbow
Cc: Andrew Gabriel; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Dear Sir,

access-list 101 permit any any

% Unrecognized command

On Fri, Feb 5, 2010 at 2:08 PM, Brian Turnbow wrote:

Though not as reliable as a port scanner, you could do something like this
even from remote

access-list 101 permit udp any any range 137 138 log
access-list 101 permit any any

interface fa1
ip access-group 101 in

Then
Show log
to see netbios packet users

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
Sent: Friday 5 February 2010 9.01
To: vijay gore
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Use a port scanner like NMAP.

-Andrew.

On Fri, Feb 5, 2010 at 12:45 PM, vijay gore wrote:

> Dear Team,
>
> anybody can tell me how to check windows machine connected in Cisco Router,
>
>
> for ex.
>
> in show arp we are getting bunch of ip and MAC , how to verify from them
> which is linux machine ip and which windows machine ip ,,
>
> or if there is any other command OR other way to rectify to find it
>
>
> Router#sho arp
> Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
>

From vijaygore27 at gmail.com Fri Feb 5 04:57:13 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 5 Feb 2010 15:27:13 +0530
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
	<31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com>
Message-ID: <31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com>

Dear Sir,

it's giving me below output, it's not showing net bios packet users,

Router#sho log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 40 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level warnings, 10 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped Trap logging: level informational, 43 message lines logged Log Buffer (51200 bytes): *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up On Fri, Feb 5, 2010 at 3:12 PM, vijay gore wrote: > Dear Sir, > > access-list 101 permit any any > > % Unrecognized command > > > > > On Fri, Feb 5, 2010 at 2:08 PM, Brian Turnbow wrote: > >> Though not as reliable as a port scanner, you could do something like this >> even from remote >> >> access-list 101 permit udp any any range 137 138 log >> access-list 101 permit any any >> >> interface fa1 >> ip access-group 101 in >> >> >> Then >> Show log >> to see netbios packet users >> >> Brian >> >> >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto: >> cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel >> Sent: venerd? 5 febbraio 2010 9.01 >> To: vijay gore >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] find window's machine from Cisco Router >> >> Use a port scanner like NMAP. >> >> -Andrew. >> >> >> >> >> On Fri, Feb 5, 2010 at 12:45 PM, vijay gore >> wrote: >> >> > Dear Team, >> > >> > anybody cal tell me how to check window machine connected in Cisco >> Router, >> > >> > >> > for ex. 
>> > >> > in show arp we are getting bunch of ip and MAC , how to verify from them >> > which is linux machine ip and which windows machine ip ,, >> > >> > or if there is any other command OR other way to rectify to find it >> > >> > >> > Router#sho arp >> > Internet 192.168.8.3 6 002a.ae73.ce1b ARPA >> FastEthernet1 >> > Internet 192.168.8.4 111 002s.ae73.46de ARPA >> FastEthernet1 >> > Internet 192.168.8.5 1 002s.ae73.4778 ARPA >> FastEthernet1 >> > Internet 192.168.8.6 0 002s.ae73.db74 ARPA >> FastEthernet1 >> > Internet 192.168.8.12 18 002s.1913.6daa ARPA >> FastEthernet1 >> > Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA >> FastEthernet1 >> > Internet 192.168.8.14 11 002s.1913.676c ARPA >> FastEthernet1 >> > _______________________________________________ >> > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > >> >> CONFIDENTIALITY >> This e-mail message and any attachments thereto, is intended only for use >> by the addressee(s) named herein and may contain legally privileged and/or >> confidential information. If you are not the intended recipient of this >> e-mail message, you are hereby notified that any dissemination, distribution >> or copying of this e-mail message, and any attachments thereto, is strictly >> prohibited. If you have received this e-mail message in error, please >> immediately notify the sender and permanently delete the original and any >> copies of this email and any prints thereof. >> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS >> NOT INTENDED AS A SUBSTITUTE FOR A WRITING. 
Notwithstanding the Uniform >> Electronic Transactions Act or the applicability of any other law of similar >> substance and effect, absent an express statement to the contrary >> hereinabove, this e-mail message its contents, and any attachments hereto >> are not intended to represent an offer or acceptance to enter into a >> contract and are not otherwise intended to bind the sender, Sanmina-SCI >> Corporation (or any of its subsidiaries), or any other person or entity. >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From vijaygore27 at gmail.com Fri Feb 5 05:39:11 2010 From: vijaygore27 at gmail.com (vijay gore) Date: Fri, 5 Feb 2010 16:09:11 +0530 Subject: [c-nsp] find window's machine from Cisco Router In-Reply-To: References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com> <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com> <31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com> Message-ID: <31533f201002050239t5dd7d157td1728468fa64baa9@mail.gmail.com> No sir. it's not working, actually sir, in this router there are 7 PC's connected, some PC having Linux OS & some PC's having Windows OS, now i want to know which machine having Linux OS & which machine having Windows OS. please help me out this sir On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote: > it looks like you have loggin enabled for warings only > > try > logging buffered debugging > > > another alternative if the first does not log, is to do a debug ip packet > using an access list that matches only netbios. > this could be more processor intensive..... 
> first create
> access-list 102 permit udp any any range 137 138
> then
> debug ip packet 102
> when done don't forget undebug all
>
> Brian
>
> ------------------------------
> *From:* vijay gore [mailto:vijaygore27 at gmail.com]
> *Sent:* Friday 5 February 2010 10.57
> *To:* Brian Turnbow
> *Cc:* cisco-nsp at puck.nether.net
> *Subject:* Re: [c-nsp] find window's machine from Cisco Router
>
> Dear Sir,
>
> it's giving me the below output, it's not showing netbios packet users,
>
> Router#sho log
> Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
> 0 flushes, 0 overruns, xml disabled, filtering disabled)
> No Active Message Discriminator.
>
> No Inactive Message Discriminator.
>
> Console logging: level debugging, 40 messages logged, xml disabled,
> filtering disabled
> Monitor logging: level debugging, 0 messages logged, xml disabled,
> filtering disabled
> Buffer logging: level warnings, 10 messages logged, xml disabled,
> filtering disabled
> Logging Exception size (4096 bytes)
> Count and timestamp logging messages: disabled
> Persistent logging: disabled
> No active filter modules.
> ESM: 0 messages dropped
> Trap logging: level informational, 43 message lines logged
> Log Buffer (51200 bytes):
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up

From gururug at gmail.com Fri Feb 5 06:04:14 2010
From: gururug at gmail.com (Imran K)
Date: Fri, 5 Feb 2010 22:04:14 +1100
Subject: [c-nsp] cisco-nsp Digest, Vol 87, Issue 11
In-Reply-To:
References:
Message-ID: <25d943641002050304l3be8b0c4y35da9ac6b58fb187@mail.gmail.com>

TCL script to telnet to 445 i.e.;

for each $MAC in MACS {
telnet $IP port 445
???

On Fri, Feb 5, 2010 at 8:59 PM, wrote:
> Send cisco-nsp mailing list submissions to
> cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
> cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
> cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
> 1. Re: iSCSI versus FCOE with Nexus (Jimmy Stewpot)
> 2.
find window's machine from Cisco Router (vijay gore)
> 3. Re: find window's machine from Cisco Router (Andrew Gabriel)
> 4. Re: find window's machine from Cisco Router (Brian Turnbow)
> 5. Re: find window's machine from Cisco Router (vijay gore)
> 6. Re: find window's machine from Cisco Router (Brian Turnbow)
> 7. Re: find window's machine from Cisco Router (vijay gore)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 4 Feb 2010 23:34:23 +0000 (UTC)
> From: Jimmy Stewpot
> To: scott owens
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] iSCSI versus FCOE with Nexus
> Message-ID: <2136206869.20.1265326463756.JavaMail.root at poops.oranged.to>
> Content-Type: text/plain; charset=utf-8
>
> Hello,
>
> We have stuck with iSCSI for the time being. The vendor support on the
> storage end is tried and tested/reliable. As more vendors start to support
> FCOE we may find that decision will change but not for some time.
>
> Regards,
>
> Jimmy.
>
> ----- Original Message -----
> From: "scott owens"
> To: cisco-nsp at puck.nether.net
> Sent: Friday, 5 February, 2010 1:16:06 AM
> Subject: [c-nsp] iSCSI versus FCOE with Nexus
>
> Is anyone / has anyone migrated to or added more iSCSI instead of FCOE for
> your converged networking needs ?
>
> Problems , good points, ease of use, performance, size of deployment (
> possibly what kind ) ?
>
> Thank you.
>
> ------------------------------
>
> Message: 2
> Date: Fri, 5 Feb 2010 12:45:08 +0530
> From: vijay gore
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] find window's machine from Cisco Router
> Message-ID: <31533f201002042315v2a5f4888q7148d797fc80c163 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear Team,
>
> anybody cal tell me how to check window machine connected in Cisco Router,
>
> for ex.
>
> in show arp we are getting bunch of ip and MAC , how to verify from them
> which is linux machine ip and which windows machine ip ,,
>
> or if there is any other command OR other way to rectify to find it
>
> Router#sho arp
> Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
> Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
> Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
> Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
> Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
> Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
> Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
>
> ------------------------------
>
> Message: 3
> Date: Fri, 5 Feb 2010 13:30:43 +0530
> From: Andrew Gabriel
> To: vijay gore
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Content-Type: text/plain; charset=UTF-8
>
> Use a port scanner like NMAP.
>
> -Andrew.
>
> ------------------------------
>
> Message: 4
> Date: Fri, 5 Feb 2010 09:38:26 +0100
> From: "Brian Turnbow"
> To: "Andrew Gabriel" , "vijay gore"
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Content-Type: text/plain; charset="iso-8859-1"
>
> Though not as reliable as a port scanner, you could do something like this
> even from remote
>
> access-list 101 permit udp any any range 137 138 log
> access-list 101 permit any any
>
> interface fa1
> ip access-group 101 in
>
> Then
> Show log
> to see netbios packet users
>
> Brian
>
> ------------------------------
>
> Message: 5
> Date: Fri, 5 Feb 2010 15:12:11 +0530
> From: vijay gore
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Message-ID: <31533f201002050142w224927b4va5d782c13d3b4fdc at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear Sir,
>
> access-list 101 permit any any
>
> % Unrecognized command
>
> ------------------------------
>
> Message: 6
> Date: Fri, 5 Feb 2010 10:41:36 +0100
> From: "Brian Turnbow"
> To: "vijay gore"
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Content-Type: text/plain; charset="iso-8859-1"
>
> sorry forgot the "ip"
> access-list 101 permit ip any any
>
> Brian Turnbow
> Network Manager
>
> TWT S.p.A.
>
> ------------------------------
>
> Message: 7
> Date: Fri, 5 Feb 2010 15:27:13 +0530
> From: vijay gore
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> Message-ID: <31533f201002050157q7385a310v8e99c240551ab222 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear Sir,
>
> it's giving me below output, it's not showing net bios packet users,
>
> Router#sho log
> Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
> 0 flushes, 0 overruns, xml disabled, filtering disabled)
> No Active Message Discriminator.
>
> No Inactive Message Discriminator.
>
> Console logging: level debugging, 40 messages logged, xml disabled,
> filtering disabled
> Monitor logging: level debugging, 0 messages logged, xml disabled,
> filtering disabled
> Buffer logging: level warnings, 10 messages logged, xml disabled,
> filtering disabled
> Logging Exception size (4096 bytes)
> Count and timestamp logging messages: disabled
> Persistent logging: disabled
> No active filter modules.
> ESM: 0 messages dropped
> Trap logging: level informational, 43 message lines logged
> Log Buffer (51200 bytes):
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
>
> ------------------------------
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
>
> End of cisco-nsp Digest, Vol 87, Issue 11
> *****************************************
>

From zeusdadog at gmail.com Fri Feb 5 06:26:33 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Fri, 5 Feb 2010 06:26:33 -0500
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID: <9418aca71002050326r1e673f46j1a17e59d0fd0da1b@mail.gmail.com>

> in show arp we are getting bunch of ip and MAC , how to verify from them
> which is linux machine ip and which windows machine ip ,,

No, there is no way to find what OS a host is running from MAC and IP.
There may be other ways to try to guess what the host is running like using
nmap or looking for ports it's listening but that's getting into things that
have nothing to do with this Cisco list.
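An added example, not code from any poster in this thread: it does from a host what the thread circles around (Brian's NetBIOS 137/138 ACL, Imran's "telnet to 445", Andrew's and Jay's pointer to nmap). It parses the `show arp` output vijay posted, skips the router's own entries, and attempts a TCP connect to 445 (SMB) and 139 (NetBIOS session) on every learned host. Assumptions: the function names (`parse_show_arp`, `tcp_open`, `probe_hosts`, `smb_shortlist`) are mine; the column header and the 192.168.8.1 router-owned row in the sample are constructed additions so the parser meets every field shape IOS prints; the MACs are kept as the poster obfuscated them. A host that answers on 445 or 139 is a CIFS speaker, which means Windows or a *NIX box running Samba, so the output is a shortlist to feed to `nmap -O`, not a verdict.

```python
"""Take the IPs out of a Cisco 'show arp' dump and probe each for SMB/NetBIOS.

Added example, not code from the cisco-nsp thread. An ARP entry only gives
IP, MAC, age and interface, so the OS has to be inferred from what the host
answers on the wire. Answering on 445/139 means 'CIFS speaker' (Windows or
Samba), so treat the result as candidates for nmap -O.
"""
import re
import socket
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: the rows posted in the thread (MACs already obfuscated
# by the poster, hence the non-hex '002s'), plus the column header IOS prints
# and one router-owned entry (age '-', made-up MAC) added for the parser.
SAMPLE_SHOW_ARP = """\
Router#sho arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.8.1             -   0011.2233.4455  ARPA   FastEthernet1
Internet  192.168.8.3             6   002a.ae73.ce1b  ARPA   FastEthernet1
Internet  192.168.8.4           111   002s.ae73.46de  ARPA   FastEthernet1
Internet  192.168.8.5             1   002s.ae73.4778  ARPA   FastEthernet1
Internet  192.168.8.6             0   002s.ae73.db74  ARPA   FastEthernet1
Internet  192.168.8.12           18   002s.1913.6daa  ARPA   FastEthernet1
Internet  192.168.8.13           31   002s.ae73.d0f7  ARPA   FastEthernet1
Internet  192.168.8.14           11   002s.1913.676c  ARPA   FastEthernet1
"""

# Ports a Windows host normally listens on for file sharing.
SMB_PORTS: Tuple[int, ...] = (445, 139)


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    age: Optional[int]   # None where IOS prints '-': the router's own address
    iface: str


# One IOS ARP row. [0-9a-z] instead of [0-9a-f] for the MAC so the obfuscated
# sample still parses; tighten it to hex on real output.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-z]{4}\.[0-9a-z]{4}\.[0-9a-z]{4})\s+ARPA\s+(?P<iface>\S+)$"
)


def parse_show_arp(text: str) -> List[ArpEntry]:
    """Extract ARP rows; the prompt, column header and blank lines do not match."""
    entries: List[ArpEntry] = []
    for raw in text.splitlines():
        m = ARP_ROW.match(raw.strip())
        if m is None:
            continue
        age = None if m["age"] == "-" else int(m["age"])
        entries.append(ArpEntry(m["ip"], m["mac"], age, m["iface"]))
    return entries


def tcp_open(ip: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to ip:port completes within timeout.
    Refused, filtered (timeout) and unreachable all count as closed."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


Probe = Callable[[str, int], bool]


def probe_hosts(entries: List[ArpEntry], probe: Probe = tcp_open,
                ports: Tuple[int, ...] = SMB_PORTS) -> Dict[str, List[int]]:
    """Map each learned host to the probed ports that accepted a connection.
    Router-owned entries (age None) are skipped: that is the router itself."""
    return {e.ip: [p for p in ports if probe(e.ip, p)]
            for e in entries if e.age is not None}


def smb_shortlist(results: Dict[str, List[int]]) -> List[str]:
    """Hosts that answered on 445 or 139, in numeric address order. Read this
    as 'Windows or Samba' and confirm with nmap -O before acting on it."""
    return sorted((ip for ip, open_ports in results.items() if open_ports),
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    hosts = parse_show_arp(SAMPLE_SHOW_ARP)
    found = probe_hosts(hosts)   # real TCP connects to the sample addresses
    for ip in sorted(found, key=lambda a: tuple(int(o) for o in a.split("."))):
        print(ip, found[ip] or "no SMB/NetBIOS listener")
    print("candidates for nmap -O:", smb_shortlist(found))
```

Run it on the host where you pasted the real `show arp` output (replace `SAMPLE_SHOW_ARP` or read it from a file); the probe is injectable so the parsing and classification can be exercised without touching the network. The same connect from the router (`telnet <ip> 445`) gives the same answer with the same limitation: it tells you a CIFS service is listening, not which implementation.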
From b.turnbow at twt.it Fri Feb 5 05:27:01 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 5 Feb 2010 11:27:01 +0100
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com> <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com> <31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com>
Message-ID:

it looks like you have logging enabled for warnings only

try
logging buffered debugging

another alternative if the first does not log, is to do a debug ip packet
using an access list that matches only netbios.
this could be more processor intensive.....

first create
access-list 102 permit udp any any range 137 138
then
debug ip packet 102
when done don't forget undebug all

Brian

________________________________

From: vijay gore [mailto:vijaygore27 at gmail.com]
Sent: Friday 5 February 2010 10.57
To: Brian Turnbow
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Dear Sir,

it's giving me the below output, it's not showing netbios packet users,

Router#sho log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 40 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level warnings, 10 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 43 message lines logged
Log Buffer (51200 bytes):
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up

From teslenko.andrey at gmail.com Fri Feb 5 06:29:27 2010
From: teslenko.andrey at gmail.com (Anrey Teslenko)
Date: Fri, 5 Feb 2010 13:29:27 +0200
Subject: [c-nsp] Configuring a Static L2TPv3 Session Xconnect between an Ethernet Interface and VLAN Subinterface
Message-ID: <3f0164571002050329p2600ed98gec8af02faab59260@mail.gmail.com>

Hi All,

I have a problem which I need to solve.

I have two Cisco 1841 routers.
On one of them, the CE, I have a WAN interface and an Ethernet interface (customer side).
On the other, the PE, I have a WAN interface and a VLAN sub-interface (customer side).

I try to build an xconnect over an L2TPv3 tunnel between them,
but I observed that the session was established only on the CE side, and not connected on the PE side.

What can I do so that the tunnel works?
Can I build an L2TPv3 session xconnect between an Ethernet interface and a VLAN subinterface?

---------------------------------------
configuration on CE

l2tp-class interworking-class
!
pseudowire-class inter-L2TP-TUNNEL
 encapsulation l2tpv3
 protocol none
 ip local interface FastEthernet0/0
!
# Wan interface
interface FastEthernet0/0
 ip address 193.xxx.xxx.1 255.255.255.192
 duplex auto
 speed auto
!
# customer side interface
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 195.xxx.xxx.2 60 encapsulation l2tpv3 manual pw-class inter-L2TP-TUNNEL
  l2tp id 17437 31507

--------------------------------------
configuration on PE

l2tp-class interworking-class
!
pseudowire-class inter-L2TP-TUNNEL
 encapsulation l2tpv3
 protocol l2tpv3 interworking-class
 ip local interface FastEthernet0/1.264
!
# Wan interface
interface FastEthernet0/1.264
 encapsulation dot1Q 264
 ip address 195.xxx.xxx.2 255.255.255.252
!
# customer side interface
interface FastEthernet0/1.602
 encapsulation dot1Q 602
 no cdp enable
 xconnect 193.xxx.xxx.1 60 pw-class inter-L2TP-TUNNEL

From lists at quux.de Fri Feb 5 05:30:20 2010
From: lists at quux.de (Jens Link)
Date: Fri, 05 Feb 2010 11:30:20 +0100
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: (Brian Turnbow's message of "Fri, 5 Feb 2010 09:38:26 +0100")
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com>
Message-ID: <87zl3ovutf.fsf@laphroiag.quux.de>

"Brian Turnbow" writes:

> Though not as reliable as a port scanner, you could do something like
> this even from remote
>
> access-list 101 permit udp any any range 137 138 log
> access-list 101 permit any any

This might also match for some *NIX host running samba or any other kind
of CIFS services.

One might also do a telnet to port 137 / 138 / 445 from the router but
this will also not show a difference between Windows and other CIFS
implementations.

Running nmap (http://insecure.org) from a host is much more reliable.

cheers

Jens
--
-------------------------------------------------------------------------
| Foelderichstr.
40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jenslink at guug.de | ------------------------------------------------------------------------- From matt at melbourne.org.uk Fri Feb 5 06:32:33 2010 From: matt at melbourne.org.uk (Matthew Melbourne) Date: Fri, 5 Feb 2010 11:32:33 +0000 Subject: [c-nsp] Load-sharing with two links to the same ISP Message-ID: Hi, What techniques are available to load-share traffic on two links (of equal bandwidth) to the same ISP (same AS) given that BGP only enters the best path into the RIB? We could announce our prefixes over both links, but splitting the preferred path announcements over the two links, either using MED or ISP communities, but this only really addresses inbound traffic. More of an issue is trying to load-share outbound traffic; we assume we'll learn the same set of prefixes over both links from the same ISP - one technique may be to simple split the IPv4 address space in half and local-pref accordingly to prefer one link or the other depending on the destination IP prefix? Cheers, Matt -- Matthew Melbourne From vijaygore27 at gmail.com Fri Feb 5 07:02:19 2010 From: vijaygore27 at gmail.com (vijay gore) Date: Fri, 5 Feb 2010 17:32:19 +0530 Subject: [c-nsp] find window's machine from Cisco Router In-Reply-To: <87zl3ovutf.fsf@laphroiag.quux.de> References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com> <87zl3ovutf.fsf@laphroiag.quux.de> Message-ID: <31533f201002050402w4f98784at717dbdf59c65c003@mail.gmail.com> thanks On Fri, Feb 5, 2010 at 4:00 PM, Jens Link wrote: > "Brian Turnbow" writes: > > > Though not as reliable as a port scanner, you could do something like > > this even from remote > > > > access-list 101 permit udp any any range 137 138 log access-list 101 > > permit any any > > This might also match for some *NIX host running samba or any other kind > of CIFS services. 
>
> One might also do a telnet to port 137 / 138 / 445 from the router but
> this will also not show a difference between Windows and other CIFS
> implementations.
>
> Running nmap (http://insecure.org) from a host is much more reliable.
>
> cheers
>
> Jens
> --
> -------------------------------------------------------------------------
> | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
> | http://www.quux.de | http://blog.quux.de | jabber: jenslink at guug.de |
> -------------------------------------------------------------------------
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From aftab.siddiqui at gmail.com Fri Feb 5 07:33:43 2010
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Fri, 5 Feb 2010 17:33:43 +0500
Subject: [c-nsp] Load-sharing with two links to the same ISP
In-Reply-To:
References:
Message-ID: <3c605ce11002050433w4d517bb2ic5a35b21ea1a4636@mail.gmail.com>

Use "maximum-paths" in BGP peering. With this you can add multiple routes to the routing table as long as the routes you are getting are from the same AS. BUT once this is added it is applied to all BGP peers; it is not possible to do it for some selected peers. If you have many neighbors on this router then care should be taken before making this decision.

Regards,

Aftab A. Siddiqui

On Fri, Feb 5, 2010 at 4:32 PM, Matthew Melbourne wrote:
> Hi,
>
> What techniques are available to load-share traffic on two links (of
> equal bandwidth) to the same ISP (same AS) given that BGP only enters
> the best path into the RIB? We could announce our prefixes over both
> links, but splitting the preferred path announcements over the two
> links, either using MED or ISP communities, but this only really
> addresses inbound traffic. More of an issue is trying to load-share
> outbound traffic; we assume we'll learn the same set of prefixes over
> both links from the same ISP - one technique may be to simply split
> the IPv4 address space in half and local-pref accordingly to prefer
> one link or the other depending on the destination IP prefix?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne

From teslenko.andrey at gmail.com Fri Feb 5 08:04:56 2010
From: teslenko.andrey at gmail.com (Anrey Teslenko)
Date: Fri, 5 Feb 2010 15:04:56 +0200
Subject: [c-nsp] Configuring a Static L2TPv3 Session Xconnect between an Ethernet Interface and VLAN Subinterface
In-Reply-To: <3f0164571002050329p2600ed98gec8af02faab59260@mail.gmail.com>
References: <3f0164571002050329p2600ed98gec8af02faab59260@mail.gmail.com>
Message-ID: <3f0164571002050504v7b928741r7b12dc4721f385e6@mail.gmail.com>

Hi all,

I fixed some configuration and now the tunnel's status is established and the session's status is established, but I do not observe the current session in this tunnel.
In other words, I have a working tunnel and an established session on both sides, but I can't see one site from the other.

(192.168.0.1/30 LAN1) --(ethernet)-- (1841) L2tp tunnel --(WAN)-- L2tp tunnel (1841) --ethernet-- (192.168.0.1/30 LAN2)

For example:

#sh l2tun (On PE)

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID  RemID  Remote Name  State  Remote Address  Port  Sessions  L2TP Class/ VPDN Group
56239  32597  CPE          est    193.xxx.xxx.1   0     0         interworking-cl

LocID  RemID  TunID  Username, Intf/ Vcid, Circuit  State  Last Chg  Uniq ID
31507  17437  56239  60, Fa0/1.602:602              est    00:26:51  977

What is wrong? Help me please.

---------------------------------------
current config CE
--------------------------------------

l2tp-class interworking-class
!
pseudowire-class inter-L2TP-TUNNEL
 encapsulation l2tpv3
 protocol none
 ip local interface FastEthernet0/0
!
interface FastEthernet0/0
 ip address 193.xxx.xxx.1 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 xconnect 195.xxx.xxx.2 60 encapsulation l2tpv3 manual pw-class inter-L2TP-TUNNEL
  l2tp id 222 111
  l2tp hello interworking-class
----------------------------------------
current config PE
---------------------------------------

l2tp-class interworking-class
!
pseudowire-class inter-L2TP-TUNNEL
 encapsulation l2tpv3
 protocol none
 ip local interface FastEthernet0/1.264
!
interface FastEthernet0/1.264
 encapsulation dot1Q 264
 ip address 195.xxx.xxx.2 255.255.255.252
!
interface FastEthernet0/1.602
 encapsulation dot1Q 602
 no cdp enable
 xconnect 193.xxx.xxx.1 60 encapsulation l2tpv3 manual pw-class inter-L2TP-TUNNEL
  l2tp id 111 222
  l2tp hello interworking-class

2010/2/5 Anrey Teslenko
> Hi All,
>
> I have a problem which I need to solve.
> I have two Cisco 1841 routers.
> On one of them (CE) I have a WAN interface and an Ethernet interface (customer side).
> On the second (PE) I have a WAN interface and a VLAN sub-interface (customer side).
>
> I try to build an xconnect over an L2TPv3 tunnel between them,
> but I observed that the session was established only on the CE side,
> and not connected on the PE side.
>
> What can I do so that the tunnel works?
> Can I build an L2TPv3 session xconnect between an Ethernet interface and
> a VLAN subinterface?
>
> ---------------------------------------
> configuration on CE
>
> l2tp-class interworking-class
> !
> pseudowire-class inter-L2TP-TUNNEL
>  encapsulation l2tpv3
>  protocol none
>  ip local interface FastEthernet0/0
> !
> # Wan interface
> interface FastEthernet0/0
>  ip address 193.xxx.xxx.1 255.255.255.192
>  duplex auto
>  speed auto
> !
> # customer side interface
> interface FastEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
>  no cdp enable
>  xconnect 195.xxx.xxx.2 60 encapsulation l2tpv3 manual pw-class inter-L2TP-TUNNEL
>   l2tp id 17437 31507
> --------------------------------------
> configuration on PE
>
> l2tp-class interworking-class
> !
> pseudowire-class inter-L2TP-TUNNEL
>  encapsulation l2tpv3
>  protocol l2tpv3 interworking-class
>  ip local interface FastEthernet0/1.264
> !
> # Wan interface
> interface FastEthernet0/1.264
>  encapsulation dot1Q 264
>  ip address 195.xxx.xxx.2 255.255.255.252
> !
> # customer side interface
> interface FastEthernet0/1.602
>  encapsulation dot1Q 602
>  no cdp enable
>  xconnect 193.xxx.xxx.1 60 pw-class inter-L2TP-TUNNEL
>

From johnps at IowaTelecom.com Fri Feb 5 09:36:27 2010
From: johnps at IowaTelecom.com (John P. Schneider)
Date: Fri, 5 Feb 2010 08:36:27 -0600
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <31533f201002050239t5dd7d157td1728468fa64baa9@mail.gmail.com>
References: <31533f201002042315v2a5f4888q7148d797fc80c163@mail.gmail.com> <31533f201002050142w224927b4va5d782c13d3b4fdc@mail.gmail.com> <31533f201002050157q7385a310v8e99c240551ab222@mail.gmail.com> <31533f201002050239t5dd7d157td1728468fa64baa9@mail.gmail.com>
Message-ID:

Maybe I'm oversimplifying this, but can't you just compare the MAC addresses? If you only have 7 machines it would not take very long.

Thank You,
John Schneider

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vijay gore
Sent: Friday, February 05, 2010 4:39 AM
To: Brian Turnbow
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

No sir.

It's not working.

Actually sir, in this router there are 7 PCs connected, some PCs having Linux OS & some PCs having Windows OS; now I want to know which machine has Linux OS & which machine has Windows OS.
Please help me out with this, sir.

On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote:
> it looks like you have logging enabled for warnings only
>
> try
> logging buffered debugging
>
>
> another alternative if the first does not log, is to do a debug ip
> packet using an access list that matches only netbios.
> this could be more processor intensive.....
> first create
> access-list 102 permit udp any any range 137 138
> then
> debug ip packet 102
> when done don't forget
> undebug all
>
>
> Brian
>
> ------------------------------
> From: vijay gore [mailto:vijaygore27 at gmail.com]
> Sent: Friday 5 February 2010 10.57
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> Dear Sir,
>
> it's giving me the below output; it's not showing NetBIOS packet users.
>
> Router#sho log
> Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
>                 0 flushes, 0 overruns, xml disabled, filtering disabled)
> No Active Message Discriminator.
>
> No Inactive Message Discriminator.
>
>     Console logging: level debugging, 40 messages logged, xml disabled,
>                      filtering disabled
>     Monitor logging: level debugging, 0 messages logged, xml disabled,
>                      filtering disabled
>     Buffer logging: level warnings, 10 messages logged, xml disabled,
>                     filtering disabled
>     Logging Exception size (4096 bytes)
>     Count and timestamp logging messages: disabled
>     Persistent logging: disabled
> No active filter modules.
> ESM: 0 messages dropped
>     Trap logging: level informational, 43 message lines logged
> Log Buffer (51200 bytes):
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
>

From ivan.pepelnjak at zaplana.net Fri Feb 5 09:48:05 2010
From: ivan.pepelnjak at zaplana.net (Ivan Pepelnjak)
Date: Fri, 5 Feb 2010 15:48:05 +0100
Subject: [c-nsp] Load-sharing with two links to the same ISP
In-Reply-To:
References:
Message-ID: <001b01caa672$3a961f80$afc25e80$@pepelnjak@zaplana.net>

This might help: http://www.nil.com/ipcorner/LoadBalancingBGP/

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> -----Original Message-----
> From: Matthew Melbourne [mailto:matt at melbourne.org.uk]
> Sent: Friday, February 05, 2010 12:33 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Load-sharing with two links to the same ISP
>
> Hi,
>
> What techniques are available to load-share traffic on two links (of
> equal bandwidth) to the same ISP (same AS) given that BGP only enters
> the best path into the RIB? We could announce our prefixes over both
> links, but splitting the preferred path announcements over the two
> links, either using MED or ISP communities, but this only really
> addresses inbound traffic. More of an issue is trying to load-share
> outbound traffic; we assume we'll learn the same set of prefixes over
> both links from the same ISP - one technique may be to simply split
> the IPv4 address space in half and local-pref accordingly to prefer
> one link or the other depending on the destination IP prefix?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne

From tdurack at gmail.com Fri Feb 5 10:38:38 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 10:38:38 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
Message-ID: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>

Cisco 6509, SUP720, 12.2(33)SXI3, WS-X6748-SFP, port shows:

sh int g1/9 | i error
     3915 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets

The other side is clean. What do input errors alone indicate?

(Have tested/replaced fiber/SFPs, without success.)

--
Tim:>
Sent from Brooklyn, NY, United States

From tdurack at gmail.com Fri Feb 5 10:49:04 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 10:49:04 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>
Message-ID: <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>

On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
> Can you paste in the full 'show int', my guess is you're getting input
> buffer failures (need to see the 'Input Queue' line in particular).

sh int g1/9
GigabitEthernet1/9 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001e.1357.fbd0 (bia 001e.1357.fbd0)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is LH
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:23, output hang never
  Last clearing of "show interface" counters 01:05:50
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 4572000 bits/sec, 1295 packets/sec
  5 minute output rate 6576000 bits/sec, 1271 packets/sec
     2841615 packets input, 1464896475 bytes, 0 no buffer
     Received 9233 broadcasts (4717 multicasts)
     0 runts, 0 giants, 0 throttles
     4101 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     2471204 packets output, 1795192240 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

--
Tim:>
Sent from Brooklyn, NY, United States

From ewitkop at gmail.com Fri Feb 5 10:54:55 2010
From: ewitkop at gmail.com (Erik Witkop)
Date: Fri, 5 Feb 2010 10:54:55 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
Message-ID:

Here is a link that I refer to from time to time. I don't know if it will help.
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfd6.shtml#l3_l2

On Fri, Feb 5, 2010 at 10:38 AM, Tim Durack wrote:
> Cisco 6509, SUP720, 12.2(33)SXI3, WS-X6748-SFP, port shows:
>
> sh int g1/9 | i error
>      3915 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 output errors, 0 collisions, 0 interface resets
>
> The other side is clean. What do input errors alone indicate?
>
> (Have tested/replaced fiber/SFPs, without success.)
> --
> Tim:>
> Sent from Brooklyn, NY, United States
>

From jeff-kell at utc.edu Fri Feb 5 11:07:51 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 05 Feb 2010 11:07:51 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com>
Message-ID: <4B6C4257.4040307@utc.edu>

On 2/5/2010 10:49 AM, Tim Durack wrote:
> On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
>
>> Can you paste in the full 'show int', my guess is you're getting input
>> buffer failures (need to see the 'Input Queue' line in particular).
>>

Input errors on LH fiber... try "show int g1/9 count err" and look for symbol errors.

Jeff

From tdurack at gmail.com Fri Feb 5 11:11:26 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 11:11:26 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C4257.4040307@utc.edu>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu>
Message-ID: <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>

On Fri, Feb 5, 2010 at 11:07 AM, Jeff Kell wrote:
> On 2/5/2010 10:49 AM, Tim Durack wrote:
>> On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
>>
>>> Can you paste in the full 'show int', my guess is you're getting input
>>> buffer failures (need to see the 'Input Queue' line in particular).
>>>
>
> Input errors on LH fiber... try "show int g1/9 count err" and look for
> symbol errors.

Only Rcv-Err:

sh int g1/9 counters errors

Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscards
Gi1/9               0          0          0      16840          0            0

Port       Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/9               0          0          0           0          0          0          0

Port        SQETest-Err  Deferred-Tx  IntMacTx-Err  IntMacRx-Err  Symbol-Err
Gi1/9                 0            0             0             0           0

--
Tim:>
Sent from Brooklyn, NY, United States

From cisco-nsp at slepicka.net Fri Feb 5 11:28:29 2010
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Fri, 05 Feb 2010 10:28:29 -0600
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com>
Message-ID: <4B6C472D.7090503@slepicka.net>

sh int gi1/9 trans detail?
Tim Durack wrote:
> On Fri, Feb 5, 2010 at 11:07 AM, Jeff Kell wrote:
>
>> On 2/5/2010 10:49 AM, Tim Durack wrote:
>>
>>> On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
>>>
>>>> Can you paste in the full 'show int', my guess is you're getting input
>>>> buffer failures (need to see the 'Input Queue' line in particular).
>>>>
>> Input errors on LH fiber... try "show int g1/9 count err" and look for
>> symbol errors.
>>
>
> Only Rcv-Err:
>
> sh int g1/9 counters errors
>
> Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscards
> Gi1/9               0          0          0      16840          0            0
>
> Port       Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
> Gi1/9               0          0          0           0          0          0          0
>
> Port        SQETest-Err  Deferred-Tx  IntMacTx-Err  IntMacRx-Err  Symbol-Err
> Gi1/9                 0            0             0             0           0
>

From cisco-nsp at slepicka.net Fri Feb 5 11:32:55 2010
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Fri, 05 Feb 2010 10:32:55 -0600
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C472D.7090503@slepicka.net>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net>
Message-ID: <4B6C4837.8030608@slepicka.net>

also, check sh queueing int gi1/9

James Slepicka wrote:
> sh int gi1/9 trans detail?
>
> Tim Durack wrote:
>> On Fri, Feb 5, 2010 at 11:07 AM, Jeff Kell wrote:
>>
>>> On 2/5/2010 10:49 AM, Tim Durack wrote:
>>>
>>>> On Fri, Feb 5, 2010 at 10:42 AM, Matlock, Kenneth L wrote:
>>>>
>>>>> Can you paste in the full 'show int', my guess is you're getting
>>>>> input buffer failures (need to see the 'Input Queue' line in particular).
>>>>>
>>> Input errors on LH fiber... try "show int g1/9 count err" and look for
>>> symbol errors.
>>>
>>
>> Only Rcv-Err:
>>
>> sh int g1/9 counters errors
>>
>> Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscards
>> Gi1/9               0          0          0      16840          0            0
>>
>> Port       Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
>> Gi1/9               0          0          0           0          0          0          0
>>
>> Port        SQETest-Err  Deferred-Tx  IntMacTx-Err  IntMacRx-Err  Symbol-Err
>> Gi1/9                 0            0             0             0           0
>>

From tdurack at gmail.com Fri Feb 5 11:34:45 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 11:34:45 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C472D.7090503@slepicka.net>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net>
Message-ID: <9e246b4d1002050834q9a7f034qb1ce590617b2171a@mail.gmail.com>

On Fri, Feb 5, 2010 at 11:28 AM, James Slepicka wrote:
> sh int gi1/9 trans detail?

sh int g1/9 transceiver detail
Module 1 doesn't support DOM

(Thanks Cisco.)
--
Tim:>
Sent from Brooklyn, NY, United States

From tdurack at gmail.com Fri Feb 5 11:38:43 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 11:38:43 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C4837.8030608@slepicka.net>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net> <4B6C4837.8030608@slepicka.net>
Message-ID: <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com>

On Fri, Feb 5, 2010 at 11:32 AM, James Slepicka wrote:
> also, check sh queueing int gi1/9

Queues are clean. It's not a very busy link.

I still think this smells like a L1 problem. Our fiber guys swear it's clean. (Although they always do that. Eventually they will probably fess up to some kinky 62.5/50.0 mismatch fiber issue.)

--
Tim:>
Sent from Brooklyn, NY, United States

From MatlockK at exempla.org Fri Feb 5 10:42:07 2010
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Fri, 5 Feb 2010 08:42:07 -0700
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org>

Can you paste in the full 'show int'? My guess is you're getting input buffer failures (need to see the 'Input Queue' line in particular).

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
Sent: Friday, February 05, 2010 8:39 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] WS-X6748-SFP input errors

Cisco 6509, SUP720, 12.2(33)SXI3, WS-X6748-SFP, port shows:

sh int g1/9 | i error
     3915 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets

The other side is clean. What do input errors alone indicate?

(Have tested/replaced fiber/SFPs, without success.)

--
Tim:>
Sent from Brooklyn, NY, United States

From md at bts.sk Fri Feb 5 12:07:14 2010
From: md at bts.sk (Marian Ďurkovič)
Date: Fri, 5 Feb 2010 18:07:14 +0100
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050834q9a7f034qb1ce590617b2171a@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net> <9e246b4d1002050834q9a7f034qb1ce590617b2171a@mail.gmail.com>
Message-ID: <20100205165544.M48599@bts.sk>

On Fri, 5 Feb 2010 11:34:45 -0500, Tim Durack wrote
> On Fri, Feb 5, 2010 at 11:28 AM, James Slepicka wrote:
> > sh int gi1/9 trans detail?
>
> sh int g1/9 transceiver detail
> Module 1 doesn't support DOM
>
> (Thanks Cisco.)
:-((

If you have DOM-enabled SFPs, try to plug the link into any switch which properly supports DOM and read the power levels - just yesterday we installed a new link where both ends were up/up, but the received power levels were -8 dBm at one side and -22 dBm (!) at the other side...

With kind regards,

M.

From A.L.M.Buxey at lboro.ac.uk Fri Feb 5 12:13:23 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 5 Feb 2010 17:13:23 +0000
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net> <4B6C4837.8030608@slepicka.net> <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com>
Message-ID: <20100205171323.GA21875@lboro.ac.uk>

Hi,

> I still think this smells like a L1 problem. Our fiber guys swear it's
> clean. (Although they always do that. Eventually they will probably
> fess up to some kinky 62.5/50.0 mismatch fiber issue.)

..I was thinking the same thing - what about the interfaces at each end (eg are they both LH... what is the distance of the link?)

alan

From Robert.Smales at cw.com Fri Feb 5 12:38:37 2010
From: Robert.Smales at cw.com (Smales, Robert)
Date: Fri, 5 Feb 2010 17:38:37 -0000
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To:
Message-ID: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>

You can't identify the OS from a MAC address. MAC addresses are assigned by whoever made the Ethernet chip; the Linux boxes could have cards from the same manufacturer as the Windows boxes - I've got two home-built PCs, identical hardware, one runs Windows 7, the other Debian Etch; you couldn't tell them apart by their MAC addresses.

If there are only 7 devices on the OP's network, wouldn't it be simpler to walk round the room to see what was what?

Robert

Robert Smales
Technical Engineer
Cable&Wireless Worldwide
www.cw.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John P. Schneider
> Sent: 05 February 2010 14:36
> To: 'vijay gore'; Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
>
> Maybe I'm oversimplifying this, but can't you just compare
> the MAC addresses? If you only have 7 machines it would not
> take very long.
>
>
> Thank You,
> John Schneider
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vijay gore
> Sent: Friday, February 05, 2010 4:39 AM
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> No sir.
>
> It's not working.
>
> Actually sir, in this router there are 7 PCs connected,
> some PCs having Linux OS & some PCs having Windows OS; now I
> want to know which machine has Linux OS & which machine
> has Windows OS.
>
> Please help me out with this, sir.
> On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote:
>
> > it looks like you have logging enabled for warnings only
> >
> > try
> > logging buffered debugging
> >
> >
> > another alternative if the first does not log, is to do a debug ip
> > packet using an access list that matches only netbios.
> > this could be more processor intensive.....
> > first create
> > access-list 102 permit udp any any range 137 138
> > then
> > debug ip packet 102
> > when done don't forget
> > undebug all
> >
> >
> > Brian
> >
> > ------------------------------
> > From: vijay gore [mailto:vijaygore27 at gmail.com]
> > Sent: Friday
> > 5 February 2010 10.57
> > To: Brian Turnbow
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] find window's machine from Cisco Router
> >
> > Dear Sir,
> >
> > it's giving me the below output; it's not showing NetBIOS packet users.
> >
> > Router#sho log
> > Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
> >                 0 flushes, 0 overruns, xml disabled, filtering disabled)
> > No Active Message Discriminator.
> >
> > No Inactive Message Discriminator.
> >
> >     Console logging: level debugging, 40 messages logged, xml disabled,
> >                      filtering disabled
> >     Monitor logging: level debugging, 0 messages logged, xml disabled,
> >                      filtering disabled
> >     Buffer logging: level warnings, 10 messages logged, xml disabled,
> >                     filtering disabled
> >     Logging Exception size (4096 bytes)
> >     Count and timestamp logging messages: disabled
> >     Persistent logging: disabled
> > No active filter modules.
> > ESM: 0 messages dropped
> >     Trap logging: level informational, 43 message lines logged
> > Log Buffer (51200 bytes):
> > *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> > *Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> > *Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> > *Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> > *Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
> >
>

From tdurack at gmail.com Fri Feb 5 13:12:16 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 13:12:16 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <20100205171323.GA21875@lboro.ac.uk>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net> <4B6C4837.8030608@slepicka.net> <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com> <20100205171323.GA21875@lboro.ac.uk>
Message-ID: <9e246b4d1002051012g23166f9bu829d74b61f999b9c@mail.gmail.com>

On Fri, Feb 5, 2010 at 12:13 PM, Alan Buxey wrote:
> ..I was thinking the same thing - what about the interfaces at each end
> (eg are they both LH... what is the distance of the link?)

LX/LH on both sides. It's an intra-building run, a couple of hundred metres at most.

(It's LX over mmf as we have standardized on LX optics. We're trying to encourage the deployment of smf in our buildings.)

--
Tim:>

From jshearer at amedisys.com Fri Feb 5 13:42:41 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Fri, 5 Feb 2010 12:42:41 -0600
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
References: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
Message-ID:

As a previous poster recommended, NMAP is going to be your best bet for fingerprinting the OS. There are ways to obfuscate the stack and trick NMAP, but it will get stock machines most of the time.
Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Smales, Robert
Sent: Friday, February 05, 2010 11:39 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

You can't identify the OS from a MAC address, MAC addresses are assigned by
whoever made the Ethernet chip, the Linux boxes could have cards from the
same manufacturer as the Windows boxes - I've got two home-built PCs,
identical hardware, one runs Windows 7, the other Debian Etch, you couldn't
tell them apart by their MAC addresses.

If there are only 7 devices on the OPs network, wouldn't it be simpler to
walk round the room to see what was what?

Robert
Robert Smales
Technical Engineer
Cable&Wireless Worldwide
www.cw.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of John
> P. Schneider
> Sent: 05 February 2010 14:36
> To: 'vijay gore'; Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> Maybe I'm over simplifying this but can't you just compare
> the MAC addresses?  If you only have 7 machines it would not
> take very long.
>
> Thank You,
> John Schneider
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vijay gore
> Sent: Friday, February 05, 2010 4:39 AM
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> No sir.
>
> it's not working,
>
> actually sir, in this router there are 7 PCs connected,
> some PCs have Linux OS & some PCs have Windows OS, now I
> want to know which machine has Linux OS & which machine
> has Windows OS.
>
> please help me out with this sir
>
> On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote:
>
> > it looks like you have logging enabled for warnings only
> >
> > try
> > logging buffered debugging
> >
> > another alternative if the first does not log, is to do a debug ip
> > packet using an access list that matches only netbios.
> > this could be more processor intensive.....
> > first create
> > access-list 102 permit udp any any range 137 138
> > then debug ip packet 102
> > when done don't forget undebug all
> >
> > Brian
> >
> > ------------------------------
> > *From:* vijay gore [mailto:vijaygore27 at gmail.com]
> > *Sent:* Friday 5 February 2010 10.57
> > *To:* Brian Turnbow
> > *Cc:* cisco-nsp at puck.nether.net
> > *Subject:* Re: [c-nsp] find window's machine from Cisco Router
> >
> > Dear Sir,
> >
> > it's giving me below output, it's not showing net bios packet users,
> >
> > Router#sho log
> > [...]

*** NOTICE--The attached communication contains privileged and confidential
information. If you are not the intended recipient, DO NOT read, copy, or
disseminate this communication. Non-intended recipients are hereby placed on
notice that any unauthorized disclosure, duplication, distribution, or taking
of any action in reliance on the contents of these materials is expressly
prohibited. If you have received this communication in error, please delete
this information in its entirety and contact the Amedisys Privacy Hotline at
1-866-518-6684. Also, please immediately notify the sender via e-mail that
you have received this communication in error. ***


From jim at tgasolutions.com  Fri Feb  5 13:48:26 2010
From: jim at tgasolutions.com (Jim McBurnett)
Date: Fri, 5 Feb 2010 13:48:26 -0500
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
References: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
Message-ID:

I did not read all the posts...
But why not add:
http://www.hanewin.net/lldp-e.htm
or the linux version?

Then on the Cisco switch show lldp......
Later,
Jim

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Smales, Robert
Sent: Friday, February 05, 2010 12:39 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

You can't identify the OS from a MAC address, MAC addresses are assigned by
whoever made the Ethernet chip, the Linux boxes could have cards from the
same manufacturer as the Windows boxes - I've got two home-built PCs,
identical hardware, one runs Windows 7, the other Debian Etch, you couldn't
tell them apart by their MAC addresses.

If there are only 7 devices on the OPs network, wouldn't it be simpler to
walk round the room to see what was what?

Robert
Robert Smales
Technical Engineer
Cable&Wireless Worldwide
www.cw.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of John
> P. Schneider
> Sent: 05 February 2010 14:36
> To: 'vijay gore'; Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
> [...]


From nick at inex.ie  Fri Feb  5 13:50:39 2010
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 05 Feb 2010 18:50:39 +0000
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <9e246b4d1002051012g23166f9bu829d74b61f999b9c@mail.gmail.com>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7065D3EAD@LMC-MAIL2.exempla.org> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net> <4B6C4837.8030608@slepicka.net> <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com> <20100205171323.GA21875@lboro.ac.uk> <9e246b4d1002051012g23166f9bu829d74b61f999b9c@mail.gmail.com>
Message-ID: <4B6C687F.4080103@inex.ie>

On 05/02/2010 18:12, Tim Durack wrote:
> (It's LX over mmf as we have standardized on LX optics.

o_O

If you're using mode conditioning cables at each end, I'll upgrade your
chances of success with this link to: "Pray to Cthulu. Hard".

You need to get a power meter and measure the Rx strength each end of the
link, in both directions.  If you want to find out exactly where the
problem is, measure it at each patch point along the way.  You can rent or
buy these things pretty cheaply.
You can then check the received power against your SFP/GBIC spec and see if
it's within budget.

Nick


From tdurack at gmail.com  Fri Feb  5 14:09:07 2010
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 5 Feb 2010 14:09:07 -0500
Subject: [c-nsp] WS-X6748-SFP input errors
In-Reply-To: <4B6C687F.4080103@inex.ie>
References: <9e246b4d1002050738x8a02cf9u51e4160d4c6b05ab@mail.gmail.com> <9e246b4d1002050749x1d75306dvafea77642f63e6c2@mail.gmail.com> <4B6C4257.4040307@utc.edu> <9e246b4d1002050811ge723287u575bd68ac242af95@mail.gmail.com> <4B6C472D.7090503@slepicka.net> <4B6C4837.8030608@slepicka.net> <9e246b4d1002050838g185dd674p71a7d905f477c44e@mail.gmail.com> <20100205171323.GA21875@lboro.ac.uk> <9e246b4d1002051012g23166f9bu829d74b61f999b9c@mail.gmail.com> <4B6C687F.4080103@inex.ie>
Message-ID: <9e246b4d1002051109o1af5910cjed78acf7563d254c@mail.gmail.com>

On Fri, Feb 5, 2010 at 1:50 PM, Nick Hilliard wrote:
> On 05/02/2010 18:12, Tim Durack wrote:
>> (It's LX over mmf as we have standardized on LX optics.
>
> o_O
>
> If you're using mode conditioning cables at each end, I'll upgrade your
> chances of success with this link to: "Pray to Cthulu. Hard".

LX is supported over mmf. Usually this works for us...

> You need to get a power meter and measure the Rx strength each end of the
> link, in both directions.  If you want to find out exactly where the
> problem is, measure it at each patch point along the way.  You can rent or
> buy these things pretty cheaply.  You can then check the received power
> against your SFP/GBIC spec and see if it's within budget.

I'll leave that to the fiber contractor :-)

Mean time, I'm going to swap fiber with the redundant link, and see if the
errors follow the fiber or stay with the port.

> Nick

-- 
Tim:>
Sent from Brooklyn, NY, United States


From CFlint at mt.gov  Fri Feb  5 14:36:57 2010
From: CFlint at mt.gov (Flint, Chris)
Date: Fri, 5 Feb 2010 12:36:57 -0700
Subject: [c-nsp] WS-X6748-SFP input errors
Message-ID: <169F1B4CBA47CC4F93BF2BD0A504C0552F139A2C57@doaisd05222.state.mt.ads>

Hi Tim,

Assuming you're running older fiber, you probably need mode-conditioning
patch cords for LX over MMF.

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/product_bulletin_c25-530836.html

We ran into this with LX4 optics over MMF... several closets worked
correctly, but one in particular wouldn't link up. We found this document
and fixed the problem.

Chris

=======================================

Message: 5
Date: Fri, 5 Feb 2010 13:12:16 -0500
From: Tim Durack <.>
To: Alan Buxey <.>
Cc: "cisco-nsp at puck.nether.net"
Subject: Re: [c-nsp] WS-X6748-SFP input errors
Message-ID: <9e246b4d1002051012g23166f9bu829d74b61f999b9c at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Feb 5, 2010 at 12:13 PM, Alan Buxey wrote:
> ..i was thinking the same thing - what about the interfaces at each end
> (eg are they both LH... what is the distance of the link?)

LX/LH on both sides. It's an intra-building run, couple of hundred metres
at most.

(It's LX over mmf as we have standardized on LX optics. We're trying to
encourage the deployment of smf in our buildings.)

-- 
Tim:>


From mays at win.net  Fri Feb  5 15:23:04 2010
From: mays at win.net (Joseph Mays)
Date: Fri, 5 Feb 2010 15:23:04 -0500
Subject: [c-nsp] AS5300/AS5400 power supplies
Message-ID: <01f901caa6a1$079fd060$b52118d8@engineering01>

Does anyone know if the power supplies in AS5300's and AS5400's are
interchangeable?
From chris at k7sle.com  Fri Feb  5 17:33:57 2010
From: chris at k7sle.com (Chris Gauthier)
Date: Fri, 5 Feb 2010 14:33:57 -0800 (PST)
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
Message-ID: <20677750.2571265409237480.JavaMail.root@giskard>

When I worked for a previous employer, we evaluated bluecat and infoblox.
Bluecat was quickly ruled out because of price and complexity. The Infoblox
got a lot more attention and they were great to work with during our eval of
the hardware. One manager was ready to purchase and was about to pick up the
phone and call when another manager railroaded the big boss to go with
Windows DNS/DHCP (in a non-AD environment) at the last second.

I *really* liked the manageability, tech support, and expertise of the
product. The HA worked great, including DHCP failover. I liked them so much,
I've tried to bring them to my current employer, but the solutions are just
too expensive for the budget.

Another point that I liked was that Cricket Liu (author of the DNS and Bind
O'Reilly books and the DNS on Windows Server 2000 and DNS on Windows Server
2003 books) is part of their executive team. They're also MS certified, a
plus for my current employer.

I liked the detail in logging, too. Some of the reporting was a challenge,
but I was asking for stats (can't remember which) that had to be gathered
programmatically.

Hope this helps all of you!

Chris Gauthier, CCNA Security
Salem, Oregon, USA

----- Original Message -----
From: "Charles Church"
To: "nsp-cisco"
Sent: Friday, January 15, 2010 7:09:55 AM GMT -08:00 US/Canada Pacific
Subject: [c-nsp] OT - Infoblox vs. Bluecat

I apologize for this being fairly OT for a Cisco list, but I figured someone
on here has touched some DNS gear before. Anyone work with Infoblox and
Bluecat, and run across a significant reason to choose one over another?
I've googled, but most articles are 5 years or more old.
Off-line responses encouraged. The planned use is for govt, so full access
to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC,
and IPv6 support, which they both claim to have, as they're both based on
recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.

Thanks in advance,

Chuck


From vijaygore27 at gmail.com  Sat Feb  6 00:11:39 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Sat, 6 Feb 2010 10:41:39 +0530
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
References: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
Message-ID: <31533f201002052111w38a5fce5r862f9846a809c061@mail.gmail.com>

Dear Sir,

I have 200 locations, each location having 7-10 machines, and out of them
each and every time I have to find which is the Linux host and which is the
Windows host.

On Fri, Feb 5, 2010 at 11:08 PM, Smales, Robert wrote:

> You can't identify the OS from a MAC address, MAC addresses are assigned by
> whoever made the Ethernet chip, the Linux boxes could have cards from the
> same manufacturer as the Windows boxes - I've got two home-built PCs,
> identical hardware, one runs Windows 7, the other Debian Etch, you couldn't
> tell them apart by their MAC addresses.
>
> If there are only 7 devices on the OPs network, wouldn't it be simpler to
> walk round the room to see what was what?
>
> Robert
> Robert Smales
> Technical Engineer
> Cable&Wireless Worldwide
> www.cw.com
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of John
> > P. Schneider
> > Sent: 05 February 2010 14:36
> > To: 'vijay gore'; Brian Turnbow
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] find window's machine from Cisco Router
> > [...]


From ecables at gmail.com  Sat Feb  6 00:21:54 2010
From: ecables at gmail.com (Eric Cables)
Date: Fri, 5 Feb 2010 21:21:54 -0800
Subject: [c-nsp] 2610 + NM-16ESW -- What IOS supports this card?
Message-ID:

I have an old 2610 router that I am attempting to use an NM-16ESW card in,
but despite my efforts I cannot find an IOS image that supports this card.
Cisco's documentation
(http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aca3e.html)
indicates that 12.2(8)T and above should support the module in a 2600 series
router, but there are no downloadable 12.2T images on Cisco.com, and though
I have tried multiple 12.3 images, none have worked.
Here are a couple of versions that I've tried without success: c2600-ik9o3s3-mz.123-26.bin c2600-ik9o3s3-mz.123-18a.bin Here is what I see after inserting the module and booting up (relevant messages): smart init is sizing iomem ID MEMORY_REQ TYPE 000091 0X0008B800 C2600 single Ethernet 0002A9 0X001FCE2F 16 port ethernet switch 0X00098670 public buffer pools 0X00211000 public particle pools TOTAL: 0X00531C9F If any of the above Memory Requirements are "UNKNOWN", you may be using an unsupported configuration or there is a software problem and system operation may be compromised. Rounded IOMEM up to: 6Mb. Using 9 percent iomem. [6Mb/64Mb] %PA-3-NOTSUPPORTED: PA in slot1 (Unknown (type 681)) is not supported on this image. Please issue "show diag" in fully loaded IOS image to get the PA's information and verify if it is supported by this image, a newer version may be needed. Slot 1: Unknown (type 681) Port adapter Port adapter is disabled Port adapter insertion time unknown EEPROM contents at hardware discovery: Hardware Revision : 1.0 Top Assy. Part Number : 800-15156-01 Board Revision : E0 Deviation Number : 0-0 Fab Version : 03 PCB Serial Number : FOC08490SW4 RMA Test History : 00 RMA Number : 0-0-0-0 RMA History : 00 Unknown Field (type 00CF): 00 12 01 55 E8 87 MAC Address block size : 17 Product (FRU) Number : NM-16ESW EEPROM format version 4 EEPROM contents (hex): 0x00: 04 FF 40 02 A9 41 01 00 C0 46 03 20 00 3B 34 01 0x10: 42 45 30 80 00 00 00 00 02 03 C1 8B 46 4F 43 30 0x20: 38 34 39 30 53 57 34 03 00 81 00 00 00 00 04 00 0x30: CF 06 00 12 01 55 E8 87 43 00 11 FF FF FF FF FF 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF <-- snip -- I've opened a ticket with TAC, to try and get an IOS recommendation, but I was told that the 2610 has reached the "end of support" cycle, meaning I'm SOL. 
Additionally, the Software Adviser does not return any available images for the platform & hardware combination. If anyone has a 2600 series router (non-XM) that has a working NM-16ESW module, can you please provide the IOS version (if available to download on Cisco.com), or send me the image itself? The 2610's memory is maxed out (64MB) with 16MB of flash. Thanks, -- Eric Cables From gururug at gmail.com Sat Feb 6 01:34:09 2010 From: gururug at gmail.com (Imran K) Date: Sat, 6 Feb 2010 17:34:09 +1100 Subject: [c-nsp] find window's machine from Cisco Router Message-ID: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com> As stated by other posters, the best "passive" way to determine this is via stack operations. ( sequencing, etc ), which is best done "off router" due to the specific nature ( active ). Is it not possible to write a custom IDS signature that will analyse similar footprints ( passively ) as nmap. From fwissue at gmail.com Sat Feb 6 02:43:01 2010 From: fwissue at gmail.com (Michael Lee) Date: Fri, 5 Feb 2010 23:43:01 -0800 Subject: [c-nsp] find window's machine from Cisco Router In-Reply-To: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com> References: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com> Message-ID: <709a72991002052343m979d0b5sfaba6575cf34b89e@mail.gmail.com> maybe setup an acl for port range 137 to 139 with log then check on the logg On Fri, Feb 5, 2010 at 10:34 PM, Imran K wrote: > As stated by other posters, the best "passive" way to determine this is via > stack operations. ( sequencing, etc ), which is best done "off router" due > to the specific nature ( active ). > > Is it not possible to write a custom IDS signature that will analyse > similar > footprints ( passively ) as nmap. 
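Michael Lee's suggestion above (and Brian Turnbow's `access-list 102 permit udp any any range 137 138` further down the thread) can be turned into a small inventory script on the syslog side. The following is an added example, not code from the thread or from Cisco: it assumes the ACL is applied with the `log` keyword so that IOS emits `%SEC-6-IPACCESSLOGP` messages, and the syslog lines it parses are constructed for illustration (192.0.2.0/24 is documentation address space).

```python
"""Inventory hosts that originate NetBIOS/SMB traffic from Cisco IOS ACL log lines.

Added example (not from the thread). Assumes an ACL such as
    access-list 102 permit udp any any range 137 139 log
    access-list 102 permit tcp any any range 137 139 log
    access-list 102 permit ip any any
applied inbound on the LAN interface; IOS then summarises matches as
%SEC-6-IPACCESSLOGP messages. SAMPLE_LOG below is constructed.
"""
import re
from collections import defaultdict

# IOS format: "list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Destination port identifies the service; the source port of a TCP client is ephemeral.
NETBIOS_PORTS = {137: "nbns", 138: "nbdgm", 139: "smb-over-nb"}

# Constructed sample: two broadcasters on 137/138, one SMB client, one unrelated syslog line.
SAMPLE_LOG = """\
*Feb  5 14:40:01.123: %SEC-6-IPACCESSLOGP: list 102 permitted udp 192.0.2.11(137) -> 192.0.2.255(137), 3 packets
*Feb  5 14:40:05.456: %SEC-6-IPACCESSLOGP: list 102 permitted udp 192.0.2.12(138) -> 192.0.2.255(138), 1 packet
*Feb  5 14:40:09.789: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 192.0.2.11(49231) -> 192.0.2.20(139), 1 packet
*Feb  5 14:41:00.000: %SEC-6-IPACCESSLOGP: list 102 permitted udp 192.0.2.11(137) -> 192.0.2.255(137), 7 packets
*Feb  5 14:41:30.000: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
"""


def parse_acl_log(text):
    """Yield one dict per %SEC-6-IPACCESSLOGP line; every other syslog line is skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            yield rec


def netbios_talkers(text):
    """Return {src_ip: {service: packet_count}} for hosts that sent to 137, 138 or 139."""
    inventory = defaultdict(lambda: defaultdict(int))
    for rec in parse_acl_log(text):
        service = NETBIOS_PORTS.get(rec["dport"])
        if service is None:
            continue  # some other port in the same ACL log, not our concern here
        inventory[rec["src"]][service] += rec["count"]
    return {ip: dict(services) for ip, services in inventory.items()}


def likely_windows(text):
    """Hosts that broadcast NBNS (137) or NetBIOS datagrams (138) on their own.

    On a small LAN these are Windows machines or Samba servers; a host that only
    appears as a TCP/139 client is not counted, since any SMB client can do that.
    """
    return sorted(ip for ip, services in netbios_talkers(text).items()
                  if "nbns" in services or "nbdgm" in services)


if __name__ == "__main__":
    for ip, services in sorted(netbios_talkers(SAMPLE_LOG).items()):
        print(ip, services)
    print("likely Windows/Samba:", likely_windows(SAMPLE_LOG))
```

Two caveats for anyone using this on a real box: IOS rate-limits and aggregates ACL logging, so the packet count on each line is a summary over the logging interval rather than a per-packet record, and a Linux host running Samba is indistinguishable from Windows at this layer. Treat the result as a candidate list to confirm at the host, which on a seven-machine network is the walk round the room Robert Smales suggests further down.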
From A.L.M.Buxey at lboro.ac.uk Sat Feb 6 07:37:18 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Sat, 6 Feb 2010 12:37:18 +0000
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <709a72991002052343m979d0b5sfaba6575cf34b89e@mail.gmail.com>
References: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com> <709a72991002052343m979d0b5sfaba6575cf34b89e@mail.gmail.com>
Message-ID: <20100206123718.GB24093@lboro.ac.uk>

Hi,

> maybe setup an acl for port range 137 to 139 with log
> then check on the log

OS fingerprinting with ISC DHCPD (if you have a DHCP environment).

tcpdump listening to a SPAN instance on that subnet... very soon you'll see all the pretty broadcast rubbish from the Windows hosts.

alan

From sony.scaria at gmail.com Sat Feb 6 09:46:35 2010
From: sony.scaria at gmail.com (Sony Scaria)
Date: Sat, 6 Feb 2010 20:16:35 +0530
Subject: [c-nsp] Hybrid to Native conversion
Message-ID: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com>

Hi,

I have an old 6500 with SUP2 and MSFC2. I need to convert the configuration to IOS format. Is there any tool available which expedites the process more than a manual conversion?

Sony.

From Charles.Church at harris.com Sat Feb 6 10:03:30 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Sat, 6 Feb 2010 10:03:30 -0500
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To:
References: <602ACF092EFFB044931BD8746C19AD2F0275E554@gbcwswiem006.ad.plc.cwintra.com>
Message-ID: <290EF89F13F04F4E924BB235A46D18F108C6769D38@MLBMXUS2.cs.myharris.net>

Sorry, meant to send this yesterday, had some email issues....

Why not enable NetFlow on the router, and see who's using what ports? If you can capture enough source and destination port info, you can compare that to the 'fingerprint' type stuff that NMAP does and make some educated guesses. But NMAP from a remote machine will be far easier. Just make sure you own all the gear between the NMAP machine and the end hosts, since any ISP filtering might throw off the results.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Smales, Robert
Sent: Friday, February 05, 2010 12:39 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

You can't identify the OS from a MAC address. MAC addresses are assigned by whoever made the Ethernet chip; the Linux boxes could have cards from the same manufacturer as the Windows boxes. I've got two home-built PCs, identical hardware, one runs Windows 7, the other Debian Etch; you couldn't tell them apart by their MAC addresses.

If there are only 7 devices on the OP's network, wouldn't it be simpler to walk round the room to see what was what?

Robert

Robert Smales
Technical Engineer
Cable&Wireless Worldwide
www.cw.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John
> P. Schneider
> Sent: 05 February 2010 14:36
> To: 'vijay gore'; Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> Maybe I'm over simplifying this, but can't you just compare
> the MAC addresses? If you only have 7 machines it would not
> take very long.
>
> Thank You,
> John Schneider
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vijay gore
> Sent: Friday, February 05, 2010 4:39 AM
> To: Brian Turnbow
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] find window's machine from Cisco Router
>
> No sir.
>
> It's not working.
>
> Actually sir, in this router there are 7 PCs connected,
> some PCs having Linux OS and some PCs having Windows OS. Now I
> want to know which machine has Linux OS and which machine
> has Windows OS.
>
> Please help me out with this, sir.
>
> On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow wrote:
>
> > It looks like you have logging enabled for warnings only.
> >
> > Try
> > logging buffered debugging
> >
> > Another alternative, if the first does not log, is to do a debug ip
> > packet using an access list that matches only NetBIOS.
> > This could be more processor intensive.....
> > First create
> > access-list 102 permit udp any any range 137 138
> > then
> > debug ip packet 102
> > When done, don't forget
> > undebug all
> >
> > Brian
> >
> > ------------------------------
> > *From:* vijay gore [mailto:vijaygore27 at gmail.com]
> > *Sent:* Friday, 5 February 2010 10.57
> > *To:* Brian Turnbow
> > *Cc:* cisco-nsp at puck.nether.net
> > *Subject:* Re: [c-nsp] find window's machine from Cisco Router
> >
> > Dear Sir,
> >
> > It's giving me the below output; it's not showing NetBIOS packet users.
> >
> > Router#sho log
> > Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
> >                 0 flushes, 0 overruns, xml disabled, filtering disabled)
> >
> > No Active Message Discriminator.
> >
> > No Inactive Message Discriminator.
> >
> >     Console logging: level debugging, 40 messages logged, xml disabled,
> >                      filtering disabled
> >     Monitor logging: level debugging, 0 messages logged, xml disabled,
> >                      filtering disabled
> >     Buffer logging:  level warnings, 10 messages logged, xml disabled,
> >                      filtering disabled
> >     Logging Exception size (4096 bytes)
> >     Count and timestamp logging messages: disabled
> >     Persistent logging: disabled
> >
> > No active filter modules.
> >
> >     ESM: 0 messages dropped
> >
> >     Trap logging: level informational, 43 message lines logged
> >
> > Log Buffer (51200 bytes):
> >
> > *Oct  1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> > *Oct  1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
> > *Oct  1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
> > *Oct  1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
> > *Oct  1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
> > *Oct  1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
> > *Oct  1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
> > *Oct  1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
> > *Oct  1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
> > *Oct  1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
From aaron at wsc.ma.edu Sat Feb 6 10:12:23 2010
From: aaron at wsc.ma.edu (Childs, Aaron)
Date: Sat, 6 Feb 2010 10:12:23 -0500
Subject: [c-nsp] Hybrid to Native conversion
In-Reply-To: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com>
References: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com>
Message-ID: <3760B7E1B344364AA0384B231FE7BA691314B9E9A2@ex-be1.ads.wsc.ma.edu>

Hi Sony,

There aren't any tools that I know of. I converted all of our SUP720s and SUP2s last summer using the directions here:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015bfa6.shtml

The process isn't as painful as it looks, just a little time consuming.

Good Luck!
Aaron
-----------
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/
________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Sony Scaria [sony.scaria at gmail.com]
Sent: Saturday, February 06, 2010 9:46 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Hybrid to Native conversion

Hi,

I have an old 6500 with SUP2 and MSFC2. I need to convert the configuration to IOS format. Is there any tool available which expedites the process more than a manual conversion?

Sony.

From shaw38 at gmail.com Sat Feb 6 15:27:16 2010
From: shaw38 at gmail.com (Steve Shaw)
Date: Sat, 6 Feb 2010 15:27:16 -0500
Subject: [c-nsp] Hybrid to Native conversion
In-Reply-To: <3760B7E1B344364AA0384B231FE7BA691314B9E9A2@ex-be1.ads.wsc.ma.edu>
References: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com> <3760B7E1B344364AA0384B231FE7BA691314B9E9A2@ex-be1.ads.wsc.ma.edu>
Message-ID: <1d3cfae11002061227h411da319o77c06e536b10f604@mail.gmail.com>

Sony,

There's a Java-based conversion utility for the CatOS to IOS conversion:

Utility: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008070f124.shtml#Download
Instructions: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008070f124.shtml

Hope that helps.

Steve

On Sat, Feb 6, 2010 at 10:12 AM, Childs, Aaron wrote:

> Hi Sony,
>
> There aren't any tools that I know of. I converted all of our SUP720s and
> SUP2s last summer using the directions here:
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015bfa6.shtml
>
> The process isn't as painful as it looks, just a little time consuming.
>
> Good Luck!
> Aaron
> -----------
> Aaron Childs
> Assistant Director, Networking
> Westfield State College
> http://www.wsc.ma.edu/it/
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net]
> On Behalf Of Sony Scaria [sony.scaria at gmail.com]
> Sent: Saturday, February 06, 2010 9:46 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Hybrid to Native conversion
>
> Hi,
>
> I have an old 6500 with SUP2 and MSFC2. I need to convert the configuration
> to IOS format. Is there any tool available which expedites the process more than
> a manual conversion?
>
> Sony.

From peter.hicks at poggs.co.uk Sat Feb 6 18:10:04 2010
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Sat, 06 Feb 2010 23:10:04 +0000
Subject: [c-nsp] find window's machine from Cisco Router
In-Reply-To: <20100206123718.GB24093@lboro.ac.uk>
References: <25d943641002052234s2f33bd03o6d5058e8bf8c7733@mail.gmail.com> <709a72991002052343m979d0b5sfaba6575cf34b89e@mail.gmail.com> <20100206123718.GB24093@lboro.ac.uk>
Message-ID: <4B6DF6CC.2010303@poggs.co.uk>

Alan Buxey wrote:

> tcpdump listening to a SPAN instance on that subnet... very soon you'll
> see all the pretty broadcast rubbish from the Windows hosts

+1 for that. Windows machines are the ones wearing loud Hawaiian shirts being very loud.

Peter

From Bryan at bryanfields.net Sat Feb 6 20:55:12 2010
From: Bryan at bryanfields.net (Bryan Fields)
Date: Sat, 06 Feb 2010 20:55:12 -0500
Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1
Message-ID: <4B6E1D80.8000209@bryanfields.net>

I was troubleshooting my network today and found a nasty little bug when someone does 'show isis database' from exec mode on C181X Software (C181X-ADVIPSERVICESK9-M), Version 15.0(1)M1, IOS.

After issuing the command you get the output of it, and some time in the next 30 sec the router crashes.
example:

LTRKAKHQR01-c1811w#sh isis database

IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
STPBFLGURT1.00-00     0x00005F0A   0x49A3        907               0/0/0
galaxydoor.00-00      0x0000200A   0x2DF0        900               0/0/0
LTRKAKHQR01-c1.00-00* 0x00000953   0x64C1        1099              0/0/0
TAMQFLTART1.00-00     0x00005859   0x1542        908               0/0/0
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
STPBFLGURT1.00-00     0x000060A8   0x1149        914               0/0/0
galaxydoor.00-00      0x0000200F   0x645F        912               0/0/0
LTRKAKHQR01-c1.00-00* 0x00000991   0xF41F        916               0/0/0
TAMQFLTART1.00-00     0x00005926   0x83FD        913               0/0/0
LTRKAKHQR01-c1811w#term mon
LTRKAKHQR01-c1811w#sh clock
01:44:47.438 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:44:56.418 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:01.690 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:06.182 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:10.146 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:12.658 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
01:45:16.222 UTC Sun Feb 7 2010
LTRKAKHQR01-c1811w#sh clock
______BAM! Lockup at this point______

from the log output:

Feb  6 20:45:27 192.168.3.210 103: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:20 UTC: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = Check heaps.
Feb  6 20:45:27 192.168.3.210 104: LTRKAKHQR01-c1811w: -Traceback= 0x8007CCB0z 0x80B20C18z 0x80B22C8Cz 0x80B20EC8z 0x82050E18z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb  6 20:45:27 192.168.3.210 105: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:22 UTC: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (0/0),process = Check heaps.
Feb  6 20:45:27 192.168.3.210 106: LTRKAKHQR01-c1811w: -Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22528z 0x80B20EC8z 0x820500E4z 0x82050E54z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb  6 20:45:27 192.168.3.210 107: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:24 UTC: %SYS-3-BADMAGIC: Corrupt block at 86AC28DC (magic 813E0508), -Traceback= 0x82052388z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb  6 20:45:27 192.168.3.210 108: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:24 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
Feb  6 20:45:27 192.168.3.210 109: LTRKAKHQR01-c1811w: 86297A44,80BAE58C 86297A44,40000294 86CC08A0,80BAE570 86CC08A0,3000021E
Feb  6 20:45:27 192.168.3.210 110: LTRKAKHQR01-c1811w: 86DC8180,8154FFC0 866536C8,8154FE24 866536C8,8154FE24 866536C8,8154FE88
Feb  6 20:45:27 192.168.3.210 111: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:24 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
Feb  6 20:45:27 192.168.3.210 112: LTRKAKHQR01-c1811w: 8666F860,81569A98 866536C8,8154FE88 866536C8,8154FE24 866536C8,8154FE24
Feb  6 20:45:27 192.168.3.210 113: LTRKAKHQR01-c1811w: 866536C8,8154EE70 866536C8,8154EE70 866536C8,8154EE70 866536C8,8154EE70
Feb  6 20:45:27 192.168.3.210 114: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:24 UTC: %SYS-6-BLKINFO: Corrupted magic value in in-use block blk 86AC28DC, words 6002, alloc 8012DAC4, InUse, dealloc FFFFFFFF, rfcnt 1, -Traceback= 0x82010150z 0x82052618z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb  6 20:45:28 192.168.3.210 115: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:24 UTC: %SYS-6-MEMDUMP: 0x86AC28DC: 0x813E0508 0x0 0x0 0x8364CCBC
Feb  6 20:45:28 192.168.3.210 116: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:24 UTC: %SYS-6-MEMDUMP: 0x86AC28EC: 0x8012DAC4 0x86AC57F0 0x86AB9C1C 0x80001772
Feb  6 20:45:28 192.168.3.210 117: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:24 UTC: %SYS-6-MEMDUMP: 0x86AC28FC: 0x1 0x86AC2980 0x15C 0x86D41800
Feb  6 20:45:28 192.168.3.210 118: LTRKAKHQR01-c1811w: Feb  7 2010 01:45:24 UTC: %SYS-6-STACKLOW: Stack for process Virtual Exec running low, 12/12000
Feb  6 20:45:40 192.168.3.250 1038: TAMQFLTART1: Feb  7 2010 01:45:39 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel3, changed state to down
-------

Sometimes I'll get a crashinfo file, other times I will not.

From a previous crashinfo:
-------------
CMD: 'sh isis database' 21:23:27 UTC Sat Feb 6 2010

validblock_diagnose, code = 2
current memory block, bp = 0x8700E0B0,
memorypool type is Processor
data check, ptr = 0x8700E0E0

next memory block, bp = 0x87010FC4,
memorypool type is Processor
data check, ptr = 0x87010FF4

previous memory block, bp = 0x870053DC,
memorypool type is Processor
data check, ptr = 0x8700540C

========= Dump bp = 0x8700E0B0 ======================
8700DFB0: 0 8700EAB0 FFFFFFFF 0 0 0 0 0
8700DFD0: 0 0 6347E519 0 8207070C D02688F2 6347E519 85F7C994
8700DFF0: 85F7C994 811AEC4C 8700E010 811AB16C D0D0D0D 245EBB78 D0D0D0D 867CD2F4
8700E010: 8700E040 813B2838 D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D 82070710
8700E030: 85F7C994 6347E519 875E3258 875E3214 8700E070 813B2B8C D0D0D0D 48822022
8700E050: 1 8700E2D8 0 0 8700E070 6347E519 8700E400 0
8700E070: 8700E0B0 813B4470 0 0 28822022 6347E519 0 0
8700E090: 0 0 6347E519 85F7C994 0 0 8700E400 0
8700E0B0: 8700E350 813E0508 0 0 8012DAC4 87010FC4 870053F0 80001772
8700E0D0: 1 0 8700E158 872550DC FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
8700E0F0: 0 0 FFFFFFFF FFFFFFFF FFFF FFFFFFFF FFFFFFFF FFFFFFFF
8700E110: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 0
8700E130: 2F 86427028 0 85F7C994 0 6347E519 6347E519 245EBB78
8700E150: 8700E2F0 867CD2F4 8700E1D8 811ABDE0 FFFFFFFF 6347E519 D02688F2 2F
8700E170: 0 0 0 C0 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
8700E190: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
=========
Feb  6 2010 21:24:09 UTC: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/1),process = Check heaps.
-Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22C8Cz 0x80B20EC8z 0x82050E18z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z

Dump bp->next = 0x87010FC4 ======================
87010EC4: 61780000 87010EF0 84228082 73796E74 A4CB80 7002FD0 87010F20 87010E70
87010EE4: 87010EF8 83EB0000 83EB0000 0 83EB0000 0 A4CB80 0
87010F04: 0 867F2054 0 0 86493648 87010FB0 80B77310 FFFFFF
87010F24: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
87010F44: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 2A 1 FFFFFFFF
87010F64: FFFFFFFF 0 0 0 0 0 0 0
87010F84: 0 0 0 0 0 0 0 0
87010FA4: 0 0 0 87010FB8 8012086C 0 80124418 FD0110DF
87010FC4: AB1234CD E40000 15F 873074D0 80B4FCA0 87015E18 8700E0C4 80002712
87010FE4: 1 8200EA4C 166 872550DC 0 0 87307494 0
87011004: 87307494 258 2C7 140018 2C1 0 0 0
87011024: 0 430000 83EC2BBC 41414120 536D616C 6C204368 756E0000 87011B6C
87011044: 87015E14 0 0 87011B70 87011B88 87011BA0 87011BB8 87011BD0
87011064: 87011BE8 87011C00 87011C18 87011C30 87011C48 87011C60 87011C78 87011C90
87011084: 87011CA8 87011CC0 87011CD8 87011CF0 87011D08 87011D20 87011D38 87011D50
870110A4: 87011D68 87011D80 87011D98 87011DB0 87011DC8 87011DE0 87011DF8 87011E10
==========

Dump bp->previous = 0x870053F0 =====================
870052F0: 0 0 0 0 0 0 0 0
87005310: 0 FD0110DF AB1234CD FFFE0000 0 82FC74AC 81BDE144 87005390
87005330: 870052A8 80000024 1 0 1 850B5B2C 83824BA0 0
87005350: 0 0 1 0
Feb  6 2010 21:24:11 UTC: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (1/1),process = Check heaps.
-Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22528z 0x80B20EC8z 0x820500E4z 0x82050E54z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
0 0 0 90000
87005370: 1 870051FC 0 0 0 0 0 FD0110DF
87005390: AB1234CD FFFE0000 0 82FC74AC 81BD9178 870053DC 8700532C 8000000E
870053B0: 1 0 1 850B5B2C 1 0 0 0
870053D0: 0 0 FD0110DF AB1234CD 750000 75 83646E94 82C4EED4
870053F0: 8700E0B0 870053A4 4652 0 82C89068 7C 850B1410 DEADBEEF
87005410: 82C89068 0 D0D0D0D 83EC321C 83EC3218 D0D0D0D D0D0D0D D0D0D0D
87005430: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
87005450: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
87005470: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
87005490: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
870054B0: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
870054D0: D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D D0D0D0D
============================================
Feb  6 2010 21:24:12 UTC: %SYS-3-BADMAGIC: Corrupt block at 8700E0B0 (magic 8700E350), -Traceback= 0x82052388z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb  6 2010 21:24:12 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
873068BC,80BAE58C 873068BC,40000294 859EC9B4,80BAE570 859EC9B4,3000021E
86EAC770,8154FFC0 86EA8998,8154FE24 86EA8998,8154FE24 859EC9B4,81540E3C
Feb  6 2010 21:24:12 UTC: %SYS-6-MTRACE: mallocfree: addr, pc
859EC9B4,8153B354 859EC9B4,3000021E 86EA8998,8154FE88 86EAB098,81569A98
86EA8998,8154FE88 86EA8998,8154FE24 86EA8998,8154FE24 86EA8998,8154EE70
Feb  6 2010 21:24:12 UTC: %SYS-6-BLKINFO: Corrupted magic value in in-use block blk 8700E0B0, words 6002, alloc 8012DAC4, InUse, dealloc FFFFFFFF, rfcnt 1, -Traceback= 0x82010150z 0x82052618z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z
Feb  6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0B0: 0x8700E350 0x813E0508 0x0 0x0
Feb  6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0C0: 0x8012DAC4 0x87010FC4 0x870053F0 0x80001772
Feb  6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0D0: 0x1 0x0 0x8700E158 0x872550DC
%Software-forced reload

21:24:12 UTC Sat Feb 6 2010: Unexpected exception to CPU: vector 1500, PC = 0x8011E220, LR = 0x8011E1E4
-Traceback= 0x8011E220z 0x8011E1E4z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z

CPU Register Context:
MSR = 0x02029220  CR  = 0x28000042  CTR = 0x81F26400  XER = 0x00000000
R0  = 0x8011E1E4  R1  = 0x8511CBA8  R2  = 0xFFE97C10  R3  = 0x83FA9978
R4  = 0x82F869BC  R5  = 0x00000000  R6  = 0x83970000  R7  = 0x82F60000
R8  = 0x02029220  R9  = 0x83AD0000  R10 = 0x00000000  R11 = 0x00000000
R12 = 0x24000088  R13 = 0xFFE994A8  R14 = 0x820554DC  R15 = 0x00000000
R16 = 0x00000000  R17 = 0x00000000  R18 = 0x00000000  R19 = 0x00000000
R20 = 0x00000000  R21 = 0x00000000  R22 = 0x83D60000  R23 = 0x83D60000
R24 = 0xAB1234AB  R25 = 0xAB1234CD  R26 = 0x83D60000  R27 = 0x85FBD91C
R28 = 0x00000000  R29 = 0x83647534  R30 = 0x83980000  R31 = 0x00000000
------

I've tried this on both 1811w's on my network and had the exact same problems. Anyone else seen this or know if it's a known bug? I've searched the Cisco site and cannot find a reference to this issue.

--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From david at davidcoulson.net Sat Feb 6 21:38:17 2010
From: david at davidcoulson.net (David Coulson)
Date: Sat, 06 Feb 2010 21:38:17 -0500
Subject: [c-nsp] Telnet to Pix via VPN
Message-ID: <4B6E2799.904@davidcoulson.net>

I have a number of ASAs and Pix devices with interconnected VPNs. From each LAN I can telnet into the local device; however, on both an ASA5510 and Pix515 running 8.0 I am unable to telnet into the device from across a VPN. An older Pix501 running 6.3 will allow me. I can ping across the VPNs to each device.

In all cases 'management-access inside' is enabled and the appropriate remote subnet is in a 'telnet x.x.x.x y.y.y.y' statement. The telnet client thinks the connection is open, but I don't get a login prompt.
Log output when I attempt to telnet to the 515 - Not sure I understand the TCP intercept part of this. Maybe that is the smoking gun. Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 367 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23) Feb 06 2010 21:36:13: %PIX-6-302014: Teardown TCP connection 367 for outside:172.17.6.102/3158 to NP Identity Ifc:172.16.5.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 368 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23) From jrjahangir at yahoo.com Sat Feb 6 22:58:38 2010 From: jrjahangir at yahoo.com (mdjahangir hossain) Date: Sat, 6 Feb 2010 19:58:38 -0800 (PST) Subject: [c-nsp] Netflow problem in cisco SAR-7606 router Message-ID: <536733.90533.qm@web53603.mail.re2.yahoo.com> Dear concern: I faced a problem in cisco? SAR-7606 router about netflow.when i enable netflow , access to this router so slow.it would be nice for me can any one help how can i enable netflow in cisco 7606 router without this type of problem. 
Here the router IOS information: BOOTLDR: Cisco IOS Software, c7600s3223_rp Software (c7600s3223_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRD2a, RELEASE SOFTWARE (fc2) System image file is "sup-bootdisk:c7600s3223-adventerprisek9-mz.122-33.SRD2a.bin Thanks Jahangir Hossain From lukasz at bromirski.net Sun Feb 7 03:45:13 2010 From: lukasz at bromirski.net (=?ISO-8859-2?Q?=A3ukasz_Bromirski?=) Date: Sun, 07 Feb 2010 09:45:13 +0100 Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1 In-Reply-To: <4B6E1D80.8000209@bryanfields.net> References: <4B6E1D80.8000209@bryanfields.net> Message-ID: <4B6E7D99.1000409@bromirski.net> On 2010-02-07 02:55, Bryan Fields wrote: > I was trouble shooing my network today and found a nasty little bug when some > one does 'show isis database' from exec mode on C181X Software > (C181X-ADVIPSERVICESK9-M), Version 15.0(1)M1, IOS. > After issuing the command you get the output of it, and some time in the next > 30 sec the router crashes. > example: > LTRKAKHQR01-c1811w#sh isis database Hard to reproduce or something else is causing the crash, I just tried this on my farm of 9 different 18xx and no crash at all: c180x#sh ver | i IOS Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2) c180x#sh isis database IS-IS Level-2 Link State Database: LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL c180x.00-00 * 0x00002DA1 0x2975 1142 0/0/0 tor-core.00-00 0x00002D98 0xCD09 1073 0/0/0 w-ts.00-00 0x00001019 0x899B 584 0/0/0 w-ts.01-00 0x00001015 0xAEB4 863 0/0/0 c180x#sh clock 09:40:26.110 CET Sun Feb 7 2010 c180x#sh clock 09:40:32.818 CET Sun Feb 7 2010 c180x#sh clock 09:40:41.810 CET Sun Feb 7 2010 c180x#sh clock 09:40:48.898 CET Sun Feb 7 2010 c180x#sh clock 09:40:56.338 CET Sun Feb 7 2010 c180x#sh clock 09:41:02.018 CET Sun Feb 7 2010 c180x#sh clock 09:41:07.971 CET Sun Feb 7 2010 c180x#sh clock 09:41:12.963 CET Sun Feb 7 2010 > from the log output: > Feb 6 20:45:27 192.168.3.210 103: 
LTRKAKHQR01-c1811w: Feb 7 2010 01:45:20 > UTC: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs > (0/0),process = Check heaps. > UTC: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs > (0/0),process = Check heaps. > Feb 6 20:45:27 192.168.3.210 107: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 > UTC: %SYS-3-BADMAGIC: Corrupt block at 86AC28DC (magic 813E0508), -Traceback= > 0x82052388z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z > Feb 6 20:45:27 192.168.3.210 108: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 > UTC: %SYS-6-MTRACE: mallocfree: addr, pc > UTC: %SYS-6-BLKINFO: Corrupted magic value in in-use block blk 86AC28DC, words > 6002, alloc 8012DAC4, InUse, dealloc FFFFFFFF, rfcnt 1, -Traceback= > 0x82010150z 0x82052618z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz > 0x80124418z > Feb 6 20:45:28 192.168.3.210 118: LTRKAKHQR01-c1811w: Feb 7 2010 01:45:24 > UTC: %SYS-6-STACKLOW: Stack for process Virtual Exec running low, 12/12000 > Feb 6 20:45:40 192.168.3.250 1038: TAMQFLTART1: Feb 7 2010 01:45:39 UTC: > %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel3, changed state to down Some process is behaving badly, if the Check Heaps has a problem validating the alignments. Then it seems something writes some gibberish out of it's memory slice and then things start to fall down. > %Software-forced reload > 21:24:12 UTC Sat Feb 6 2010: Unexpected exception to CPU: vector 1500, PC = > 0x8011E220, LR = 0x8011E1E4 > Any one else seen this or know if it's a known bug? I've searched the cisco > site and cannot find a reference to this issue. Open a case. Have it reproduced and then nailed down to some specific bug. -- "Everything will be okay in the end. | ?ukasz Bromirski If it's not okay, it's not the end. | http://lukasz.bromirski.net From dwhitejr at cisco.com Sun Feb 7 10:05:09 2010 From: dwhitejr at cisco.com (David White, Jr. 
(dwhitejr)) Date: Sun, 07 Feb 2010 10:05:09 -0500 Subject: [c-nsp] Telnet to Pix via VPN In-Reply-To: <4B6E2799.904@davidcoulson.net> References: <4B6E2799.904@davidcoulson.net> Message-ID: <4B6ED6A5.1020803@cisco.com> Hi David, It sounds like you are running into CSCsj53102. What version are you running on your 8.0 devices? Sincerely, David. David Coulson wrote: > I have a number of ASAs and Pix devices with interconnected VPNs. From > each LAN I can telnet into the local device, however on both an > ASA5510 and Pix515 running 8.0 I am unable to telnet into the device > from across a VPN. An older Pix501 running 6.3 will allow me. I can > ping across the VPNs to each device. > > In all cases 'management-access inside' is enabled and the appropriate > remote subnet is in a 'telnet x.x.x.x y.y.y.y' statement. The telnet > client thinks the connection is open, but I don't get a login prompt. > > Log output when I attempt to telnet to the 515 - Not sure I understand > the TCP intercept part of this. Maybe that is the smoking gun. 
> > Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 367 > for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity > Ifc:172.16.5.1/23 (172.16.5.1/23) > Feb 06 2010 21:36:13: %PIX-6-302014: Teardown TCP connection 367 for > outside:172.17.6.102/3158 to NP Identity Ifc:172.16.5.1/23 duration > 0:00:00 bytes 0 Flow terminated by TCP Intercept > Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 368 > for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity > Ifc:172.16.5.1/23 (172.16.5.1/23) From petelists at templin.org Sun Feb 7 10:19:29 2010 From: petelists at templin.org (Pete Templin) Date: Sun, 07 Feb 2010 09:19:29 -0600 Subject: [c-nsp] Hybrid to Native conversion In-Reply-To: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com> References: <4b6d80d2.5744f10a.1846.ffffbf3f@mx.google.com> Message-ID: <4B6EDA01.1080104@templin.org> Sony Scaria wrote: > I have an old 6500 with SUP2 and MSFC2. I need to convert the configuration > to IOS format. Is there any tool available which expedites the process more than a > manual conversion? Do you have any Sup2/MSFC2 that are already native? If so, format some extra PCMCIA cards in IOS with your desired image on them. You'll format faster (most likely) and have much quicker software copy times. I just did a pile of these in November and January, and having a ready stack of cards cut the conversion time to probably <30 minutes, including some reloads and reboots afterward to verify config registers and configuration loads.
pt From david at davidcoulson.net Sun Feb 7 10:20:45 2010 From: david at davidcoulson.net (David Coulson) Date: Sun, 07 Feb 2010 10:20:45 -0500 Subject: [c-nsp] Telnet to Pix via VPN In-Reply-To: <4B6ED6A5.1020803@cisco.com> References: <4B6E2799.904@davidcoulson.net> <4B6ED6A5.1020803@cisco.com> Message-ID: <4B6EDA4D.7030307@davidcoulson.net> 8.0(3) on both Pix515 and ASA5510 On 2/7/10 10:05 AM, David White, Jr. (dwhitejr) wrote: > Hi David, > > It sounds like you are running into CSCsj53102. What version are you > running on your 8.0 devices? > > Sincerely, > > David. > > David Coulson wrote: > >> I have a number of ASAs and Pix devices with interconnected VPNs. From >> each LAN I can telnet into the local device, however on both an >> ASA5510 and Pix515 running 8.0 I am unable to telnet into the device >> from across a VPN. An older Pix501 running 6.3 will allow me. I can >> ping across the VPNs to each device. >> >> In all cases 'management-access inside' is enabled and the appropriate >> remote subnet is in a 'telnet x.x.x.x y.y.y.y' statement. The telnet >> client thinks the connection is open, but I don't get a login prompt. >> >> Log output when I attempt to telnet to the 515 - Not sure I understand >> the TCP intercept part of this. Maybe that is the smoking gun. 
>> >> Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 367 >> for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity >> Ifc:172.16.5.1/23 (172.16.5.1/23) >> Feb 06 2010 21:36:13: %PIX-6-302014: Teardown TCP connection 367 for >> outside:172.17.6.102/3158 to NP Identity Ifc:172.16.5.1/23 duration >> 0:00:00 bytes 0 Flow terminated by TCP Intercept >> Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 368 >> for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity >> Ifc:172.16.5.1/23 (172.16.5.1/23) From scottowens12 at gmail.com Sun Feb 7 12:40:45 2010 From: scottowens12 at gmail.com (scott owens) Date: Sun, 7 Feb 2010 11:40:45 -0600 Subject: [c-nsp] Hybrid to Native conversion Message-ID: Make sure you have enough ram & flash before you start down this path. IOS images can be much larger than what is on your Sup IIs - even if you upgraded them with one of the early Cisco upgrade paths. scott From david at davidcoulson.net Sun Feb 7 12:55:41 2010 From: david at davidcoulson.net (David Coulson) Date: Sun, 07 Feb 2010 12:55:41 -0500 Subject: [c-nsp] Telnet to Pix via VPN In-Reply-To: <4B6ED6A5.1020803@cisco.com> References: <4B6E2799.904@davidcoulson.net> <4B6ED6A5.1020803@cisco.com> Message-ID: <4B6EFE9D.8040809@davidcoulson.net> I upgraded my 515E pair to 8.0(4) and it appears to have solved the problem. David On 2/7/10 10:05 AM, David White, Jr. (dwhitejr) wrote: > Hi David, > > It sounds like you are running into CSCsj53102. What version are you > running on your 8.0 devices? > > Sincerely, > > David.
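A small parser for the %PIX-6-302013/302014 connection messages quoted in this thread, added here as an example (not code from the thread or from Cisco): it pairs build and teardown records by connection ID and flags connections the firewall closed on its own with zero bytes transferred, the pattern David Coulson suspected was the smoking gun. The first three sample lines are the ones quoted above; the last two are constructed to show a still-open and a normally closed connection.

```python
"""Pair ASA/PIX %302013 (built) and %302014 (teardown) TCP connection
syslog messages by connection ID and flag connections the firewall
closed on its own with nothing transferred.  Added example, not code
from the thread or from Cisco."""
import re

# The first three lines are the ones quoted in the thread; the last two
# are constructed to show a still-open and a normally closed connection.
SAMPLE_LOG = """\
Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 367 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)
Feb 06 2010 21:36:13: %PIX-6-302014: Teardown TCP connection 367 for outside:172.17.6.102/3158 to NP Identity Ifc:172.16.5.1/23 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 06 2010 21:36:13: %PIX-6-302013: Built inbound TCP connection 368 for outside:172.17.6.102/3158 (172.17.6.102/3158) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)
Feb 06 2010 21:40:02: %PIX-6-302013: Built inbound TCP connection 401 for outside:172.17.6.50/40211 (172.17.6.50/40211) to NP Identity Ifc:172.16.5.1/23 (172.16.5.1/23)
Feb 06 2010 21:45:30: %PIX-6-302014: Teardown TCP connection 401 for outside:172.17.6.50/40211 to NP Identity Ifc:172.16.5.1/23 duration 0:05:28 bytes 2310 TCP FINs
"""

# Interface names may contain spaces ("NP Identity Ifc" is the firewall's
# own to-the-box side, which is what a telnet to the device looks like),
# so the interface is everything up to the first colon after "for"/"to".
BUILT_RE = re.compile(
    r"%(?:PIX|ASA)-6-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for (?P<src_if>[^:]+):(?P<src>\S+) \(\S+\) "
    r"to (?P<dst_if>[^:]+):(?P<dst>\S+) \(\S+\)"
)
TEARDOWN_RE = re.compile(
    r"%(?:PIX|ASA)-6-302014: Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:]+):(?P<src>\S+) to (?P<dst_if>[^:]+):(?P<dst>\S+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_connections(log_text):
    """Return {conn_id: record}. A record keeps the endpoints from the
    build message and, once seen, the teardown duration, byte count and
    reason. A teardown without a matching build still gets a record."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["conn_id"]] = {
                "direction": m["direction"],
                "src": f"{m['src_if']}:{m['src']}",
                "dst": f"{m['dst_if']}:{m['dst']}",
                "duration": None, "bytes": None, "reason": None,
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            rec = conns.setdefault(m["conn_id"], {
                "direction": None,
                "src": f"{m['src_if']}:{m['src']}",
                "dst": f"{m['dst_if']}:{m['dst']}",
            })
            rec["duration"] = m["duration"]
            rec["bytes"] = int(m["bytes"])
            rec["reason"] = m["reason"]
    return conns


def classify(conns):
    """Split connection IDs into three lists: torn down by TCP Intercept
    with zero bytes (the thread's symptom), still open at the end of the
    log, and everything else. IDs are returned in numeric order."""
    intercepted, still_open, normal = [], [], []
    for conn_id, rec in sorted(conns.items(), key=lambda kv: int(kv[0])):
        if rec["reason"] is None:
            still_open.append(conn_id)
        elif rec["bytes"] == 0 and "tcp intercept" in rec["reason"].lower():
            intercepted.append(conn_id)
        else:
            normal.append(conn_id)
    return intercepted, still_open, normal


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    intercepted, still_open, normal = classify(conns)
    for conn_id in intercepted:
        rec = conns[conn_id]
        print(f"conn {conn_id} {rec['src']} -> {rec['dst']}: "
              f"{rec['bytes']} bytes, {rec['reason']}")
    print(f"still open: {still_open}, closed normally: {normal}")
```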
From Bryan at bryanfields.net Sun Feb 7 14:04:32 2010 From: Bryan at bryanfields.net (Bryan Fields) Date: Sun, 07 Feb 2010 14:04:32 -0500 Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1 In-Reply-To: <4B6E7D99.1000409@bromirski.net> References: <4B6E1D80.8000209@bryanfields.net> <4B6E7D99.1000409@bromirski.net> Message-ID: <4B6F0EC0.70506@bryanfields.net> On 2/7/2010 03:45, Łukasz Bromirski wrote: > On 2010-02-07 02:55, Bryan Fields wrote: >> I was troubleshooting my network today and found a nasty little bug when >> someone does 'show isis database' from exec mode on C181X Software >> (C181X-ADVIPSERVICESK9-M), Version 15.0(1)M1, IOS. >> After issuing the command you get the output of it, and some time in the next >> 30 sec the router crashes. >> example: >> LTRKAKHQR01-c1811w#sh isis database > > Hard to reproduce or something else is causing the crash, I just tried > this on my farm of 9 different 18xx and no crash at all: > > c180x#sh ver | i IOS > Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version > 15.0(1)M, RELEASE SOFTWARE (fc2) I'm running the 15.0(1)M1 Advanced IP services, which is a different IOS image. > Some process is behaving badly, if the Check Heaps has a > problem validating the alignments. Then it seems > something writes some gibberish out of its memory slice > and then things start to fall down. A multitasking OS without memory protection strikes once again! > Open a case. Have it reproduced and then nailed down to some > specific bug. This is my personal network, I don't have a support contract on any of it. I like to demo the newer IOS on it for that reason. Figured it was worth a shot to ask over here, maybe some cisco engineer watches this or someone ran into this before. I would suspect not, as no one would run ISIS on this platform, as it's kinda a half ass ISIS implementation to begin with.
-- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net From lukasz at bromirski.net Sun Feb 7 14:35:42 2010 From: lukasz at bromirski.net (Łukasz Bromirski) Date: Sun, 07 Feb 2010 20:35:42 +0100 Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1 In-Reply-To: <4B6F0EC0.70506@bryanfields.net> References: <4B6E1D80.8000209@bryanfields.net> <4B6E7D99.1000409@bromirski.net> <4B6F0EC0.70506@bryanfields.net> Message-ID: <4B6F160E.4080009@bromirski.net> On 2010-02-07 20:04, Bryan Fields wrote: >> Hard to reproduce or something else is causing the crash, I just tried >> this on my farm of 9 different 18xx and no crash at all: >> c180x#sh ver | i IOS >> Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version >> 15.0(1)M, RELEASE SOFTWARE (fc2) > I'm running the 15.0(1)M1 Advanced IP services, which is a different IOS image. I tried Adv IP Services also, and a 15.0(1)M1 release. No luck, but I'll try to dig deeper. Rodney is also on the list, maybe he will pick up the thread as his time permits. > I would suspect not, as no one would run ISIS on this platform, as it's kinda > a half ass ISIS implementation to begin with. Well, it works and is supported, so... what's there not from your perspective that makes it "half ass"? IS-IS is actually run on a number of "small" boxes by a couple of SPs that just need a routing protocol for their own AS that is separate from IP. NANOG usually hosts discussion about that once a quarter or so. -- "Everything will be okay in the end. | Łukasz Bromirski If it's not okay, it's not the end.
| http://lukasz.bromirski.net From Bryan at bryanfields.net Sun Feb 7 14:48:35 2010 From: Bryan at bryanfields.net (Bryan Fields) Date: Sun, 07 Feb 2010 14:48:35 -0500 Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1 In-Reply-To: <4B6F160E.4080009@bromirski.net> References: <4B6E1D80.8000209@bryanfields.net> <4B6E7D99.1000409@bromirski.net> <4B6F0EC0.70506@bryanfields.net> <4B6F160E.4080009@bromirski.net> Message-ID: <4B6F1913.3060909@bryanfields.net> On 2/7/2010 14:35, Łukasz Bromirski wrote: > I tried Adv IP Services also, and a 15.0(1)M1 release. No luck, > but I'll try to dig deeper. Rodney is also on the list, maybe > he will pick up the thread as his time permits. Hmm, I have two routers on my network that it happens to, both are 1811w models. >> I would suspect not, as no one would run ISIS on this platform, as it's kinda >> a half ass ISIS implementation to begin with. > > Well, it works and is supported, so... what's there not from your > perspective that makes it "half ass"? No ipv6 support in the ISIS implementation. I consider that "half-assed". Perhaps in the future cisco will drop the other cheek :-) -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net From jared at puck.nether.net Sun Feb 7 15:21:09 2010 From: jared at puck.nether.net (Jared Mauch) Date: Sun, 7 Feb 2010 15:21:09 -0500 Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1 In-Reply-To: <4B6F0EC0.70506@bryanfields.net> References: <4B6E1D80.8000209@bryanfields.net> <4B6E7D99.1000409@bromirski.net> <4B6F0EC0.70506@bryanfields.net> Message-ID: <9C0AFBD2-A2D6-4EC8-B148-2D89282CEA5C@puck.nether.net> On Feb 7, 2010, at 2:04 PM, Bryan Fields wrote: > A multitasking OS without memory protection strikes once again! Time to discontinue old technology. - Jared From dwhitejr at cisco.com Sun Feb 7 16:47:57 2010 From: dwhitejr at cisco.com (David White, Jr.
(dwhitejr)) Date: Sun, 07 Feb 2010 16:47:57 -0500 Subject: [c-nsp] Telnet to Pix via VPN In-Reply-To: <4B6EFE9D.8040809@davidcoulson.net> References: <4B6E2799.904@davidcoulson.net> <4B6ED6A5.1020803@cisco.com> <4B6EFE9D.8040809@davidcoulson.net> Message-ID: <4B6F350D.50301@cisco.com> Hi David, Given that upgrading from 8.0(3) to 8.0(4) resolved the issue, I would guess your PIXes have VAC/VAC+ in them, and thus you were running into CSCsi79159. Sincerely, David. David Coulson wrote: > I upgraded my 515E pair to 8.0(4) and it appears to have solved the > problem. > > David > > On 2/7/10 10:05 AM, David White, Jr. (dwhitejr) wrote: >> Hi David, >> >> It sounds like you are running into CSCsj53102. What version are you >> running on your 8.0 devices? >> >> Sincerely, >> >> David. From eninja at gmail.com Sun Feb 7 18:00:29 2010 From: eninja at gmail.com (Eninja) Date: Mon, 8 Feb 2010 00:00:29 +0100 Subject: [c-nsp] 'show isis database' delayed crash on 15.0(1)M1 In-Reply-To: <4B6E1D80.8000209@bryanfields.net> References: <4B6E1D80.8000209@bryanfields.net> Message-ID: <38AE3CD7-DBD1-4036-A15C-3F8231B267C3@gmail.com> Bryan, Your box crashed because the memory got corrupted. This is a software bug. Set it up for a core dump and send to bug manufacturer for rectification. /eninja On Feb 7, 2010, at 2:55 AM, Bryan Fields wrote: > I was troubleshooting my network today and found a nasty little bug > when > someone does 'show isis database' from exec mode on C181X Software > (C181X-ADVIPSERVICESK9-M), Version 15.0(1)M1, IOS. > > After issuing the command you get the output of it, and some time in > the next > 30 sec the router crashes.
> > example: > LTRKAKHQR01-c1811w#sh isis database > > IS-IS Level-1 Link State Database: > LSPID LSP Seq Num LSP Checksum LSP Holdtime > ATT/P/OL > STPBFLGURT1.00-00 0x00005F0A 0x49A3 907 > 0/0/0 > galaxydoor.00-00 0x0000200A 0x2DF0 900 > 0/0/0 > LTRKAKHQR01-c1.00-00* 0x00000953 0x64C1 1099 > 0/0/0 > TAMQFLTART1.00-00 0x00005859 0x1542 908 > 0/0/0 > IS-IS Level-2 Link State Database: > LSPID LSP Seq Num LSP Checksum LSP Holdtime > ATT/P/OL > STPBFLGURT1.00-00 0x000060A8 0x1149 914 > 0/0/0 > galaxydoor.00-00 0x0000200F 0x645F 912 > 0/0/0 > LTRKAKHQR01-c1.00-00* 0x00000991 0xF41F 916 > 0/0/0 > TAMQFLTART1.00-00 0x00005926 0x83FD 913 > 0/0/0 > LTRKAKHQR01-c1811w#term mon > LTRKAKHQR01-c1811w#sh clock > 01:44:47.438 UTC Sun Feb 7 2010 > LTRKAKHQR01-c1811w#sh clock > 01:44:56.418 UTC Sun Feb 7 2010 > LTRKAKHQR01-c1811w#sh clock > 01:45:01.690 UTC Sun Feb 7 2010 > LTRKAKHQR01-c1811w#sh clock > 01:45:06.182 UTC Sun Feb 7 2010 > LTRKAKHQR01-c1811w#sh clock > 01:45:10.146 UTC Sun Feb 7 2010 > LTRKAKHQR01-c1811w#sh clock > 01:45:12.658 UTC Sun Feb 7 2010 > LTRKAKHQR01-c1811w#sh clock > 01:45:16.222 UTC Sun Feb 7 2010 > LTRKAKHQR01-c1811w#sh clock > > ______BAM! Lockup at this point______ > > from the log output: > Feb 6 20:45:27 192.168.3.210 103: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:20 > UTC: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000) > msecs > (0/0),process = Check heaps. > Feb 6 20:45:27 192.168.3.210 104: LTRKAKHQR01-c1811w: -Traceback= > 0x8007CCB0z > 0x80B20C18z 0x80B22C8Cz 0x80B20EC8z 0x82050E18z 0x82052364z > 0x82052770z > 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z > Feb 6 20:45:27 192.168.3.210 105: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:22 > UTC: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000) > msecs > (0/0),process = Check heaps. 
> Feb 6 20:45:27 192.168.3.210 106: LTRKAKHQR01-c1811w: -Traceback= > 0x8007CCB8z > 0x80B20C18z 0x80B22528z 0x80B20EC8z 0x820500E4z 0x82050E54z > 0x82052364z > 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz 0x80124418z > Feb 6 20:45:27 192.168.3.210 107: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:24 > UTC: %SYS-3-BADMAGIC: Corrupt block at 86AC28DC (magic 813E0508), - > Traceback= > 0x82052388z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz > 0x80124418z > Feb 6 20:45:27 192.168.3.210 108: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:24 > UTC: %SYS-6-MTRACE: mallocfree: addr, pc > Feb 6 20:45:27 192.168.3.210 109: LTRKAKHQR01-c1811w: > 86297A44,80BAE58C > 86297A44,40000294 86CC08A0,80BAE570 86CC08A0,3000021E > Feb 6 20:45:27 192.168.3.210 110: LTRKAKHQR01-c1811w: > 86DC8180,8154FFC0 > 866536C8,8154FE24 866536C8,8154FE24 866536C8,8154FE88 > Feb 6 20:45:27 192.168.3.210 111: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:24 > UTC: %SYS-6-MTRACE: mallocfree: addr, pc > Feb 6 20:45:27 192.168.3.210 112: LTRKAKHQR01-c1811w: > 8666F860,81569A98 > 866536C8,8154FE88 866536C8,8154FE24 866536C8,8154FE24 > Feb 6 20:45:27 192.168.3.210 113: LTRKAKHQR01-c1811w: > 866536C8,8154EE70 > 866536C8,8154EE70 866536C8,8154EE70 866536C8,8154EE70 > Feb 6 20:45:27 192.168.3.210 114: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:24 > UTC: %SYS-6-BLKINFO: Corrupted magic value in in-use block blk > 86AC28DC, words > 6002, alloc 8012DAC4, InUse, dealloc FFFFFFFF, rfcnt 1, -Traceback= > 0x82010150z 0x82052618z 0x82052770z 0x82055410z 0x820555CCz > 0x8012086Cz > 0x80124418z > Feb 6 20:45:28 192.168.3.210 115: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:24 > UTC: %SYS-6-MEMDUMP: 0x86AC28DC: 0x813E0508 0x0 0x0 0x8364CCBC > Feb 6 20:45:28 192.168.3.210 116: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:24 > UTC: %SYS-6-MEMDUMP: 0x86AC28EC: 0x8012DAC4 0x86AC57F0 0x86AB9C1C 0x80001772 > Feb 6 20:45:28 192.168.3.210 117: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:24 > UTC: %SYS-6-MEMDUMP: 0x86AC28FC: 0x1 0x86AC2980 0x15C 0x86D41800 > Feb 
6 20:45:28 192.168.3.210 118: LTRKAKHQR01-c1811w: Feb 7 2010 > 01:45:24 > UTC: %SYS-6-STACKLOW: Stack for process Virtual Exec running low, > 12/12000 > Feb 6 20:45:40 192.168.3.250 1038: TAMQFLTART1: Feb 7 2010 > 01:45:39 UTC: > %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel3, changed > state to down > ------- > > Some times I'll get a crashinfo file, other times I will not. >> From a previous crash info: > > ------------- > CMD: 'sh isis database' 21:23:27 UTC Sat Feb 6 2010 > validblock_diagnose, code = 2 > > current memory block, bp = 0x8700E0B0, > memorypool type is Processor > data check, ptr = 0x8700E0E0 > > next memory block, bp = 0x87010FC4, > memorypool type is Processor > data check, ptr = 0x87010FF4 > > previous memory block, bp = 0x870053DC, > memorypool type is Processor > data check, ptr = 0x8700540C > ========= Dump bp = 0x8700E0B0 ====================== > ========= > Feb 6 2010 21:24:09 UTC: %SYS-3-CPUHOG: Task is running for (2000) > msecs, more > than (2000)msecs (1/1),process = Check heaps. > -Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22C8Cz 0x80B20EC8z > 0x82050E18z > 0x82052364z 0x82052770z 0x82055410z 0x820555CCz 0x8012086Cz > 0x80124418z > ========== Dump bp->next = 0x87010FC4 ====================== > ========== Dump bp->previous = 0x870053F0 ===================== > Feb 6 2010 21:24:11 UTC: %SYS-3-CPUHOG: Task is running for (4000) > msecs, more > than (2000)msecs (1/1),process = Check heaps. > -Traceback= 0x8007CCB8z 0x80B20C18z 0x80B22528z 0x80B20EC8z > 0x820500E4z > 0x82050E54z 0x82052364z 0x82052770z 0x82055410z 0x820555CCz > 0x8012086Cz > 0x80124418z > ============================================ > > Feb 6 2010 21:24:12 UTC: %SYS-3-BADMAGIC: Corrupt block at 8700E0B0 > (magic > 8700E350), -Traceback= 0x82052388z 0x82052770z 0x82055410z > 0x820555CCz > 0x8012086Cz 0x80124418z > Feb 6 2010 21:24:12 UTC: %SYS-6-MTRACE: mallocfree: addr, pc > 873068BC,80BAE58C 873068BC,40000294 859EC9B4,80BAE570 > 859EC9B4,3000021E > 86EAC770,8154FFC0 86EA8998,8154FE24 86EA8998,8154FE24 > 859EC9B4,81540E3C > Feb 6 2010 21:24:12 UTC: %SYS-6-MTRACE: mallocfree: addr, pc > 859EC9B4,8153B354 859EC9B4,3000021E 86EA8998,8154FE88 > 86EAB098,81569A98 > 86EA8998,8154FE88 86EA8998,8154FE24 86EA8998,8154FE24 > 86EA8998,8154EE70 > Feb 6 2010 21:24:12 UTC: %SYS-6-BLKINFO: Corrupted magic value in > in-use > block blk 8700E0B0, words 6002, alloc 8012DAC4, InUse, dealloc > FFFFFFFF, rfcnt > 1, -Traceback= 0x82010150z 0x82052618z 0x82052770z 0x82055410z > 0x820555CCz > 0x8012086Cz 0x80124418z > Feb 6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0B0: 0x8700E350 > 0x813E0508 > 0x0 0x0 > Feb 6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0C0: 0x8012DAC4 > 0x87010FC4 > 0x870053F0 0x80001772 > Feb 6 2010 21:24:12 UTC: %SYS-6-MEMDUMP: 0x8700E0D0: 0x1 0x0 > 0x8700E158 > 0x872550DC > > %Software-forced reload > > > 21:24:12 UTC Sat Feb 6 2010: Unexpected exception to CPU: vector > 1500, PC = > 0x8011E220, LR = 0x8011E1E4 > > -Traceback= 0x8011E220z 0x8011E1E4z 0x82052770z 0x82055410z > 0x820555CCz > 0x8012086Cz 0x80124418z > > CPU Register Context: > ------ > > I've tried this on both 1811w's on my network and had the exact same > problems. > Any one else seen this or know if it's a known bug? I've searched > the cisco > site and cannot find a reference to this issue.
> > -- > Bryan Fields > > 727-409-1194 - Voice > 727-214-2508 - Fax > http://bryanfields.net From roddy.strachan at staff.netspace.net.au Sun Feb 7 18:05:39 2010 From: roddy.strachan at staff.netspace.net.au (Roddy Strachan) Date: Mon, 08 Feb 2010 10:05:39 +1100 Subject: [c-nsp] ASR etherchannel Message-ID: Hey all, Currently we run two ASR 1004's in an LNS environment, we are about to reach the maximum of 1GB on the port into our core network, so I'm thinking of ways to give us more bandwidth. One way that came to mind was using etherchannel/port-channel. I've set this up using a 7301 to our core quite well and it seems to work. Has anyone had any experience with the ASR side of things? Any known issues/bugs that exist? We are currently running IOS Version 12.2(33)XNB3 It seems the config options are there. Basically I just want to add another gig port to the group, so we get 2GB into the core from the LNS. Thanks This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.
From mcdonald.richards at gmail.com Sun Feb 7 19:38:04 2010 From: mcdonald.richards at gmail.com (McDonald Richards) Date: Mon, 8 Feb 2010 11:38:04 +1100 Subject: [c-nsp] ASR etherchannel In-Reply-To: References: Message-ID: <8bde567b1002071638k66bb9101taad5bc5a8b63fd0f@mail.gmail.com> Hi Roddy, I think you're after etherchannel load-balancing (instead of per-VLAN) which only started in 2.4 (XND). I've not been game to use it myself so let us know how you go with it. Macca On Mon, Feb 8, 2010 at 10:05 AM, Roddy Strachan < roddy.strachan at staff.netspace.net.au> wrote: > Hey all, > > Currently we run two ASR 1004's in an LNS environment, we are about to > reach > the maximum of 1GB on the port into our core network, so I'm thinking of > ways to give us more bandwidth. One way that came to mind was using > etherchannel/port-channel. > > I've set this up using a 7301 to our core quite well and it seems to work. > > Has anyone had any experience with the ASR side of things? > > Any known issues/bugs that exist? > > We are currently running IOS Version 12.2(33)XNB3 > > It seems the config options are there. > > Basically I just want to add another gig port to the group, so we get 2GB > into the core from the LNS. > > > > Thanks > >
From jrjahangir at yahoo.com Sun Feb 7 23:45:20 2010 From: jrjahangir at yahoo.com (mdjahangir hossain) Date: Sun, 7 Feb 2010 20:45:20 -0800 (PST) Subject: [c-nsp] Netflow problem ...In Cisco 7606 Router Message-ID: <332919.67370.qm@web53608.mail.re2.yahoo.com> Dear concern: I faced a problem in a Cisco SAR-7606 router about netflow. When I enable netflow, access to this router is so slow. It would be nice if anyone can help me: how can I enable netflow in a Cisco 7606 router without this type of problem? Here is the router IOS information: BOOTLDR: Cisco IOS Software, c7600s3223_rp Software (c7600s3223_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRD2a, RELEASE SOFTWARE (fc2) System image file is "sup-bootdisk:c7600s3223-adventerprisek9-mz.122-33.SRD2a.bin" Thanks Jahangir Hossain From kloch at kl.net Mon Feb 8 00:30:11 2010 From: kloch at kl.net (Kevin Loch) Date: Mon, 08 Feb 2010 00:30:11 -0500 Subject: [c-nsp] Netflow problem ...In Cisco 7606 Router In-Reply-To: <332919.67370.qm@web53608.mail.re2.yahoo.com> References: <332919.67370.qm@web53608.mail.re2.yahoo.com> Message-ID: <4B6FA163.4090101@kl.net> mdjahangir hossain wrote: > Dear concern: > > I faced a problem in a Cisco SAR-7606 router about netflow. When I enable netflow, access to this router is so slow. It would be nice if anyone can help me: how can I enable netflow in a Cisco 7606 router without this type of problem?
> > Here is the router IOS information: > > BOOTLDR: Cisco IOS Software, c7600s3223_rp Software (c7600s3223_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRD2a, RELEASE SOFTWARE (fc2) > > System image file is "sup-bootdisk:c7600s3223-adventerprisek9-mz.122-33.SRD2a.bin" As badly as netflow is broken on the 7600's (and more so than usual in SRD*), it shouldn't affect your RP CPU to the point of being "so slow". It sounds like you have enabled something that can only be done in software on the RP. A quick search found: http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps5972/prod_qas0900aecd80350bfc.html > table 3: > > Bridged NetFlow, Multicast NetFlow with v9 export > Cisco IOS Software only I don't have any sup32's so I don't know if it's any netflow v9 or just the specific types listed. You might try a different type than v9 and/or try increasing the sub-sampling level. I use: mls nde sender version 5 mls sampling packet-based 1024 8192 I also recommend avoiding SRD for netflow, SRC seems to be much less buggy. - Kevin From elmi at 4ever.de Mon Feb 8 03:26:20 2010 From: elmi at 4ever.de (Elmar K. Bins) Date: Mon, 8 Feb 2010 09:26:20 +0100 Subject: [c-nsp] ASR etherchannel In-Reply-To: References: Message-ID: <20100208082620.GR26720@ronin.4ever.de> roddy.strachan at staff.netspace.net.au (Roddy Strachan) wrote: > Currently we run two ASR 1004's in an LNS environment, we are about to reach > the maximum of 1GB on the port into our core network, so I'm thinking of > ways to give us more bandwidth. One way that came to mind was using > etherchannel/port-channel. > > I've set this up using a 7301 to our core quite well and it seems to work. > > Has anyone had any experience with the ASR side of things? Yes. It simply doesn't work. ("It" being a dot1q trunk to a pair of 3750s in my case) Lucky me only had to put two VLANs on that bundle, so I could disentangle (but lost redundancy, of course). That's 12.2(33)XNC1t, btw.
I haven't reported that bug yet, because I thought "why should it always be me?", but I have not heard of a fix yet. Yours, Elmar. From THamdi at sbm.com.sa Mon Feb 8 03:58:24 2010 From: THamdi at sbm.com.sa (Tarig Hamdi) Date: Mon, 8 Feb 2010 11:58:24 +0300 Subject: [c-nsp] Tarig Hamdi is out of the office. Message-ID: I will be out of the office starting 02/08/2010 and will not return until 02/15/2010. From jawwad14 at gmail.com Mon Feb 8 05:12:51 2010 From: jawwad14 at gmail.com (Muhammad Jawwad Paracha) Date: Mon, 8 Feb 2010 15:12:51 +0500 Subject: [c-nsp] Cisco 6506 ACL problem Message-ID: Dear All, We are facing a problem in Cisco 6506 equipment regarding ACLs. It has occurred 3 times that the ACLs implemented on the device stop working for 1-2 minutes. Appreciate if you can suggest any solution to this problem. Thank you From asturluismi at gmail.com Mon Feb 8 08:15:29 2010 From: asturluismi at gmail.com (luismi) Date: Mon, 08 Feb 2010 14:15:29 +0100 Subject: [c-nsp] PGM and multicast Message-ID: <1265634929.7354.6.camel@hal9000> Is there anyone here using multicast and PGM? We have several multicast services -video and audio streams- and sometimes we have incidents because the service is not ok, and we would like to deploy PGM to have more control. So, my questions are... Is it possible to manage the rx buffer of the multicast in a router to add a delay (around 2 secs) to avoid disruptions while PGM is asking the other hop for the lost packet? Windows XP looks to support PGM; what about Linux? Any experience? Any commercial encoder with PGM support out there? Is it possible to collect information through SNMP about PGM stats? (I ask this to create alarms in Nagios as well as some graphics :) Any other comments would be welcome too.
From koug at intracom.gr Mon Feb 8 08:29:53 2010 From: koug at intracom.gr (John Kougoulos) Date: Mon, 8 Feb 2010 15:29:53 +0200 (EET) Subject: [c-nsp] Cisco 6506 ACL problem In-Reply-To: References: Message-ID: On Mon, 8 Feb 2010, Muhammad Jawwad Paracha wrote: > Dear All, > > We are facing a problem in Cisco 6506 equipment regarding ACLs. It has > occurred 3 times that the ACLs implemented on the device stop working > for 1-2 minutes. Hello, I think that I recently saw somewhere to prefer named ACLs instead of numeric, because numeric ACLs are merged line by line while named ones are merged when you press ^Z. Regards, John From copse at xy.org Mon Feb 8 08:55:56 2010 From: copse at xy.org (Roger Wiklund) Date: Mon, 8 Feb 2010 14:55:56 +0100 Subject: [c-nsp] eBGP multihop, CE default route, using PBR instead of dynamic routing? Message-ID: Hi We have an MPLS customer who is running IS-IS on their LAN, and then redistributing that into BGP to our core. This was the original standard setup: PE----ebgp-----CE----ebgp-----CUSTOMER----ISIS So that worked just fine, but the customer wanted the IS-IS metric to be injected into BGP MED. This can be done, but with the setup above, MED is only sent to the CE router, after that it's removed. So what we did was to set up eBGP multihop from the PE directly to the customer's router. We then used BGP on the CE to the customer's router, and from the CE to PE we used a default route. Now, this site is the customer's HUB site so somewhere in their LAN, they have an Internet breakout. So the customer is injecting a default route from their router into the MPLS. So what happened now is when another standard site in the MPLS tried to reach the internet, we had a loop between the PE and CE. Because the PE will send it to the CE, and the CE will have a static default route back to the PE. So to fix this, I skipped the default static route on the CE, and enabled eBGP between the PE and CE. That way the CE has full knowledge about each side.
However, this is not an optimal solution, I don't want to have 2 BGP peerings on the PE.

So, what I came up with, and this is where I would like your input:

In my lab, I have the same setup, so I removed all the static routes and dynamic routing on the CE. So basically everything is broken, because the CE doesn't know where to send the traffic to.

I then configured policy based routing, created an ACL permitting all traffic, and created 2 route-maps that match on the ACL and set the next hop. I then applied the route-maps to each interface on the CE.

So, when traffic is coming into the CE from the PE, I match on everything and set the next hop to the customer's router. And vice versa in the other direction. I tested it and it worked, and it has no dynamic routing whatsoever.

But this is just in the lab, I really can't say what will happen in the live network.

Has anyone done anything similar? Will PBR eat up all the CPU process? Any other problems that may occur? I mean, all I want to do on the CE is shuffle the traffic from one interface to another.

Thanks

Regards
Roger

From me at falz.net Mon Feb 8 09:11:44 2010
From: me at falz.net (Chris Wopat)
Date: Mon, 8 Feb 2010 08:11:44 -0600
Subject: [c-nsp] 2811 login issues
Message-ID:

I have a 2811 that stopped accepting logins from its FastEthernet interface last week out of the blue. When this happened there were no config changes, router reboots, etc. It has a Multilink bundle unnumbered via that FastEthernet interface and it *does* accept logins from this direction. Config is simple, a default route via FA and a /24 via MU.

A few other odd symptoms:

- 'copy tftp flash' will work for about 12 seconds and then begin to time out.
- telnetting from the router to anywhere immediately gives "Destination unreachable; gateway or host down" without even really trying.

What's even more strange is that everything works fine the first 5-10 minutes after a reboot.
It was running 12.4(15)XY1 and I was able to get it to 12.4(15)XY3 to see if it was a bug. It's running XY for support for its HWIC-4T1/E1.

In an attempt to rule out an upstream routing problem I've added its default gateway (3.89) to the login ACL and it gives the same symptoms when connecting from there. It seems to be completely dropping packets vs rejecting them as it still does if you connect from an IP not on that ACL.

'debug ip packet' shows this when connecting via telnet or ssh:

Feb 8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0), d=10.170.3.90, len 60, rcvd 2
Feb 8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0), d=10.170.3.90, len 60, stop process pak for forus packet

Thoughts?

--Chris

From philxor at gmail.com Mon Feb 8 09:33:12 2010
From: philxor at gmail.com (Phil Bedard)
Date: Mon, 8 Feb 2010 09:33:12 -0500
Subject: [c-nsp] eBGP multihop, CE default route, using PBR instead of dynamic routing?
In-Reply-To:
References:
Message-ID:

What kind of devices are you using? The device will probably make more difference than anything else with regards to PBR.

I would say generally having the two BGP peering connections is one solution to the ebgp multihop problem. Another solution would be to use a tunnel (prob GRE) between the customer router and your PE through the CE, and run ebgp directly over the tunnel interfaces, but you still need to know how to get to the endpoints.

What about using static MEDs? More information on what they want to accomplish by using MEDs would be useful as well.

Phil

On Feb 8, 2010, at 8:55 AM, Roger Wiklund wrote:

> Hi
>
> We have an MPLS customer who is running IS-IS on their LAN, and then
> redistributing that into BGP to our core.
>
> This was the original standard setup:
> PE----ebgp-----CE----ebgp-----CUSTOMER----ISIS
>
> So that worked just fine, but the customer wanted the IS-IS metric to be
> injected into BGP MED.
> This can be done, but with the setup above, MED is
> only sent to the CE router, after that it's removed.
>
> So what we did was to set up eBGP multihop from the PE directly to the
> customer's router. We then used BGP on the CE to the customer's router, and
> from the CE to PE we used a default route.
>
> Now, this site is the customer's HUB site so somewhere in their LAN, they
> have an Internet breakout. So the customer is injecting a default route from
> their router, into the MPLS.
>
> So what happened now is when another standard site in the MPLS tried to reach
> the internet, we had a loop between the PE and CE, because the PE will send it
> to the CE, and the CE will have a static default route back to the PE.
>
> So to fix this, I skipped the default static route on the CE, and enabled
> eBGP between the PE and CE. That way the CE has full knowledge about each
> side.
> However, this is not an optimal solution, I don't want to have 2 BGP peerings
> on the PE.
>
> So, what I came up with, and this is where I would like your input on.
>
> In my lab, I have the same setup, so I removed all the static routes and
> dynamic routing on the CE. So basically everything is broken, because the CE
> doesn't know where to send the traffic to.
> I then configured policy based routing, and created an ACL permitting all
> traffic, and created 2 route-maps that match on the ACL and set the
> next hop. I then applied the route-maps to each interface on the CE.
>
> So, when traffic is coming into the CE from the PE, I match on everything and
> set the next hop to the customer's router. And vice versa in the other
> direction. I tested it and it worked, and it has no dynamic routing whatsoever.
>
> But this is just in the lab, I really can't say what will happen in the live
> network.
>
> Has anyone done anything similar? Will PBR eat up all the CPU process? Any
> other problems that may occur?
> I mean, all I want to do on the CE is shuffle
> the traffic from one interface to another.
>
> Thanks
>
> Regards
> Roger

From awain567 at yahoo.com Mon Feb 8 10:47:27 2010
From: awain567 at yahoo.com (Alex Wa)
Date: Mon, 8 Feb 2010 07:47:27 -0800 (PST)
Subject: [c-nsp] weird issue with IBM blade center switch 3012
Message-ID: <123834.11532.qm@web58004.mail.re3.yahoo.com>

Hi guys,

I have to configure several Cisco 3012 switches for a project and I'm kind of stuck with an issue I can't really figure out.

This is the situation. I have two 6509s as core to which I'm connecting 12 3012s. Most of them work fine but with 3 of them I'm not able to ping each other (through 2 vlan interfaces on the same vlan). Trunks are configured between them, spanning tree running as it should, vlan allowed on trunk, I even see each other through CDP. Let's say the 6509 side is A and the 3012 is B.

Situation #1: when you ping B from A, B has correct entries in the arp and mac-add tables (for A), A doesn't have them for B. A is still unable to ping B.

Situation #2: when you ping A from B, B is not able to resolve A's mac-add so the arp entry for A is incomplete. But the curious thing is that even when B has A's mac-add (situation A) it's not able to ping A.

Debug commands show encapsulation failure (as it should with a regular incomplete entry). Nothing in the log. Masks verified as the same.

Also tried creating it all over again with a different sequence (VLAN, int VLAN, trunk) with the same results. And, the most weird thing of all: it works on some switches with the exact same config and layout!!

Comments, suggestions, ideas on what to do next? Any help will be highly appreciated.
Alejandro Wainshtok

From Jonathan.Soler at eu.didata.com Mon Feb 8 11:26:44 2010
From: Jonathan.Soler at eu.didata.com (Jonathan Soler (Europe))
Date: Mon, 8 Feb 2010 17:26:44 +0100
Subject: [c-nsp] Routing between site to site VPNs
Message-ID: <67FB78EB09CB274DBEF2FE672B640402015E1351@EUBEBRUSVEX1.eu.didata.local>

Hello,

We would like to know if it is possible to forward traffic between site-to-site VPNs that are established on the same physical interface of a router? And in a firewall?

Jonathan

From mksmith at adhost.com Mon Feb 8 12:32:11 2010
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 8 Feb 2010 09:32:11 -0800
Subject: [c-nsp] Routing between site to site VPNs
In-Reply-To: <67FB78EB09CB274DBEF2FE672B640402015E1351@EUBEBRUSVEX1.eu.didata.local>
References: <67FB78EB09CB274DBEF2FE672B640402015E1351@EUBEBRUSVEX1.eu.didata.local>
Message-ID: <17838240D9A5544AAA5FF95F8D520316078DD62D@ad-exh01.adhost.lan>

Hello Jonathan:

That should be possible. See http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml about Intra-interface communications for the PIX/ASA. I'm not sure if the same exists for routers, however.

Mike

--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Jonathan Soler (Europe)
> Sent: Monday, February 08, 2010 8:27 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Routing between site to site VPNs
>
> Hello,
>
> We would like to know if it is possible to forward traffic between
> site-to-site VPNs that are established on the same physical interface
> of a router? And in a firewall?
>
> Jonathan

From zeusdadog at gmail.com Mon Feb 8 12:55:51 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 8 Feb 2010 12:55:51 -0500
Subject: [c-nsp] ISR IPS module
Message-ID: <9418aca71002080955o76ace1e3lca159311edd382a@mail.gmail.com>

Has anyone used these cards on ISRs?

https://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/product_data_sheet0900aecd806c4e2a_ps2641_Products_Data_Sheet.html

Any opinions? How effective is it? Is it worth using?

Also, what is your opinion on doing IPS without the hardware card on an ISR? My experience is it bogs down the router too much and you have to be so careful about what to include in scanning that it wasn't worth the effort. But that was before Cisco changed the signature format and how it scanned traffic at around 12.4(11)T.

From nick.jon.griffin at gmail.com Mon Feb 8 13:08:27 2010
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Mon, 8 Feb 2010 12:08:27 -0600
Subject: [c-nsp] "show stats" question
Message-ID:

Can anyone confirm, for the command below, whether the Chars In/Out figures are listed in bytes? I'm unable to find this command documented anywhere on CCO to get a better description of the command and its output. The 6509 "show stats"
command gives the following information:

Vlan2
Switching path      Pkts In   Chars In    Pkts Out  Chars Out
Processor             14342    1650437        2492     166010
Route cache             534      55212         149      11166
Distributed cache   7169590 6090148689     8831508 9040962158
Total               7184466 6091854338     8834149 9041139334

Thanks,
Nick Griffin

From andrew.gabriel at sanmina-sci.com Mon Feb 8 13:27:02 2010
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel)
Date: Mon, 8 Feb 2010 23:57:02 +0530
Subject: [c-nsp] Routing between site to site VPNs
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316078DD62D@ad-exh01.adhost.lan>
References: <67FB78EB09CB274DBEF2FE672B640402015E1351@EUBEBRUSVEX1.eu.didata.local> <17838240D9A5544AAA5FF95F8D520316078DD62D@ad-exh01.adhost.lan>
Message-ID:

If you use a Cisco router you can have a site-to-site VPN with multiple 'tunnel' interfaces on the router, which might all make use of the same physical interface. These work just like regular interfaces as far as routing is concerned and you can easily route between them.

Regards,
Andrew Gabriel.

On Mon, Feb 8, 2010 at 11:02 PM, Michael K. Smith - Adhost <mksmith at adhost.com> wrote:

> Hello Jonathan:
>
> That should be possible. See
> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
> about Intra-interface communications for the PIX/ASA. I'm not sure if the
> same exists for routers, however.
>
> Mike
>
> --
> Michael K.
> Smith - CISSP, GSEC, GISP
> Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> w: +1 (206) 404-9500 f: +1 (206) 404-9050
> PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Jonathan Soler (Europe)
> > Sent: Monday, February 08, 2010 8:27 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Routing between site to site VPNs
> >
> > Hello,
> >
> > We would like to know if it is possible to forward traffic between
> > site-to-site VPNs that are established on the same physical interface
> > of a router? And in a firewall?
> >
> > Jonathan
From unixhead at gmail.com Mon Feb 8 13:40:20 2010
From: unixhead at gmail.com (Matt Bennett)
Date: Mon, 8 Feb 2010 18:40:20 +0000
Subject: [c-nsp] weird issue with IBM blade center switch 3012
In-Reply-To: <123834.11532.qm@web58004.mail.re3.yahoo.com>
References: <123834.11532.qm@web58004.mail.re3.yahoo.com>
Message-ID:

Have you moved the switch modules within the IBM chassis? If so you could try putting them back in the original locations. We've had similar connectivity issues when we'd swapped modules around in the chassis, I think it was related to the MM not liking that serial number appearing on a different slot.

Regards,
Matt

On Mon, Feb 8, 2010 at 3:47 PM, Alex Wa wrote:

> Hi guys,
>
> I have to configure several Cisco 3012 switches for a project and I'm kind
> of stuck with an issue I can't really figure out.
>
> This is the situation. I have two 6509s as core to which I'm connecting 12
> 3012s. Most of them work fine but with 3 of them I'm not able to ping each
> other (through 2 vlan interfaces on the same vlan). Trunks are configured
> between them, spanning tree running as it should, vlan allowed on trunk, I
> even see each other through CDP. Let's say the 6509 side is A and the 3012 is B.
>
> Situation #1: when you ping B from A, B has correct entries in the arp
> and mac-add tables (for A), A doesn't have them for B. A is still unable to
> ping B.
>
> Situation #2: when you ping A from B, B is not able to resolve A's mac-add
> so the arp entry for A is incomplete.
> But the curious thing is that even when B
> has A's mac-add (situation A) it's not able to ping A.
>
> Debug commands show encapsulation failure (as it should with a regular
> incomplete entry). Nothing in the log. Masks verified as the same.
>
> Also tried creating it all over again with a different sequence (VLAN, int VLAN,
> trunk) with the same results. And, the most weird thing of all: it works on some
> switches with the exact same config and layout!!
>
> Comments, suggestions, ideas on what to do next? Any help will be highly
> appreciated.
>
> Alejandro Wainshtok

From awain567 at yahoo.com Mon Feb 8 14:10:51 2010
From: awain567 at yahoo.com (Alex Wa)
Date: Mon, 8 Feb 2010 11:10:51 -0800 (PST)
Subject: [c-nsp] weird issue with IBM blade center switch 3012
In-Reply-To:
Message-ID: <291680.53808.qm@web58002.mail.re3.yahoo.com>

Matt,

I'll need to ask the IBM guys if they did so. I received the switches in their current positions.

Thanks,
Alejandro Wainshtok

--- On Mon, 2/8/10, Matt Bennett wrote:

> From: Matt Bennett
> Subject: Re: [c-nsp] weird issue with IBM blade center switch 3012
> To: "Alex Wa"
> Cc: cisco-nsp at puck.nether.net
> Date: Monday, February 8, 2010, 10:40 AM
>
> Have you moved the switch modules within the IBM chassis? If so you could try putting them back in the original locations. We've had similar connectivity issues when we'd swapped modules around in the chassis, I think it was related to the MM not liking that serial number appearing on a different slot.
>
> Regards,
> Matt
>
> On Mon, Feb 8, 2010 at 3:47 PM, Alex Wa wrote:
>
> > Hi guys,
> >
> > I have to configure several Cisco 3012 switches for a project and I'm kind of stuck with an issue I can't really figure out.
> >
> > This is the situation. I have two 6509s as core to which I'm connecting 12 3012s.
> > Most of them work fine but with 3 of them I'm not able to ping each other (through 2 vlan interfaces on the same vlan). Trunks are configured between them, spanning tree running as it should, vlan allowed on trunk, I even see each other through CDP. Let's say the 6509 side is A and the 3012 is B.
> >
> > Situation #1: when you ping B from A, B has correct entries in the arp and mac-add tables (for A), A doesn't have them for B. A is still unable to ping B.
> >
> > Situation #2: when you ping A from B, B is not able to resolve A's mac-add so the arp entry for A is incomplete. But the curious thing is that even when B has A's mac-add (situation A) it's not able to ping A.
> >
> > Debug commands show encapsulation failure (as it should with a regular incomplete entry). Nothing in the log. Masks verified as the same.
> >
> > Also tried creating it all over again with a different sequence (VLAN, int VLAN, trunk) with the same results. And, the most weird thing of all: it works on some switches with the exact same config and layout!!
> >
> > Comments, suggestions, ideas on what to do next? Any help will be highly appreciated.
> >
> > Alejandro Wainshtok

From lukasz at bromirski.net Mon Feb 8 14:27:01 2010
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Mon, 08 Feb 2010 20:27:01 +0100
Subject: [c-nsp] ISR IPS module
In-Reply-To: <9418aca71002080955o76ace1e3lca159311edd382a@mail.gmail.com>
References: <9418aca71002080955o76ace1e3lca159311edd382a@mail.gmail.com>
Message-ID: <4B706585.2070804@bromirski.net>

On 2010-02-08 18:55, Jay Nakamura wrote:

> Any opinions? How effective is it? Is it worth using?

It is an appliance on a card, so it is as effective as the real box, however with less performance due to a slower CPU.

> Also, what is your opinion on doing IPS without the hardware card on
> an ISR?
> My experience is it bogs down the router too much and you
> have to be so careful about what to include in scanning that it wasn't
> worth the effort. But that was before Cisco changed the signature
> format and how it scanned traffic at around 12.4(11)T.

Performance should be better at 12.4(15)T and later, but as you said, doing inspection on traffic requires a lot of CPU cycles. CPUs driving ISRs are in that term a lot slower than the x86-family CPUs driving the addon modules, so the outcome is obvious.

--
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From matt at melbourne.org.uk Mon Feb 8 14:59:36 2010
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Mon, 8 Feb 2010 19:59:36 -0000
Subject: [c-nsp] Load-sharing with two links to the same ISP
In-Reply-To:
References:
Message-ID: <000901caa8f9$3e9cd8b0$bbd68a10$@org.uk>

Thanks for the pointers towards eBGP Multipath. Can I check that this still works if two links are terminated on different edge routers (though with iBGP between the edge routers)? I assume this will use additional TCAM resources (Sup720-3BXL) in maintaining two routes per prefix, which could be significant for a full BGP feed?

Cheers,

Matt

-----Original Message-----
From: Erik Cuevas [mailto:ecuevas at fxcm.com]
Sent: 05 February 2010 12:33
To: Matthew Melbourne
Subject: RE: [c-nsp] Load-sharing with two links to the same ISP

Did you check out BGP multipath?

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml

or if the AS Path is different try...
bgp bestpath as-path multipath-relax (it's hidden)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Melbourne
Sent: Friday, February 05, 2010 6:33 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Load-sharing with two links to the same ISP

Hi,

What techniques are available to load-share traffic on two links (of equal bandwidth) to the same ISP (same AS), given that BGP only enters the best path into the RIB? We could announce our prefixes over both links, splitting the preferred path announcements over the two links either using MED or ISP communities, but this only really addresses inbound traffic.

More of an issue is trying to load-share outbound traffic; we assume we'll learn the same set of prefixes over both links from the same ISP - one technique may be to simply split the IPv4 address space in half and local-pref accordingly to prefer one link or the other depending on the destination IP prefix?

Cheers,

Matt

--
Matthew Melbourne

From kunkel at w-link.net Mon Feb 8 14:08:26 2010
From: kunkel at w-link.net (Rick Kunkel)
Date: Mon, 8 Feb 2010 11:08:26 -0800 (Pacific Standard Time)
Subject: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30
Message-ID:

Hello all...

Right now, I've got a bunch of customers connected to a bunch of switchports using different VLANs. I've got 802.1q running between the switches, and then a router attached with a bunch of subinterfaces, one for each VLAN. Assigned to each of these subinterfaces is the customer's gateway IP address.
So, for instance, I have something like this for the customer port:

interface FastEthernet 1/12
 switchport access vlan 80

Then the switch is connected to a router, with an interface like this:

interface GigabitEthernet 0/1.80
 encapsulation dot1Q 80
 ip address X.X.X.2 255.255.255.252

Pretty standard stuff....

So, now, we're opening another location, and we've got some customers interested in having some equipment in the first location and some in the second, and having it all be part of the same network. The connection between the two locations is ethernet, and the hardware is (well, will be as soon as we upgrade out of a 7200) a 6509 on either side, and I think it'd be pretty cool to run an 802.1q trunk between them using 6509 switchports instead of routed ports. However, I've got some problems, or at least I'm having trouble wrapping my brain around some things...

1. In the interests of keeping things simple, is it a "bad" idea to use an 802.1q trunk for backbone connectivity?

2. I'd normally set up this kind of point-to-point link using a /30, using interfaces in "routed" mode, and assigning the addresses to the interfaces on each end of the link. If using an 802.1q trunk with interfaces in "switchport" mode, would it be advisable to use loopback interfaces for these addresses instead?

3. I'm used to having the customer's gateway set on that Gigabit subinterface, as above. But if I want this customer to have their stuff on the same VLAN in both locations, AFAIK, I should set switchport access VLAN 80 on both their access ports. I'm then stuck figuring out where to put the gateway address for their IP space. Again, would loopback interfaces be good candidates for this? Or perhaps a VLAN interface, as weird as that seems to me?

4.
My motivation for doing any of this in the first place, as opposed to a simple /30 point-to-point interface, is to allow customers to have access to layer 2 across our network, whether it be for internal use or for purchasing third-party connectivity. Is it "acceptable" to use our single point-to-point ethernet for this, or should I be using a separate network for this entirely?

Thanks!

Rick

From rupeni_t at usp.ac.fj Mon Feb 8 15:29:16 2010
From: rupeni_t at usp.ac.fj (Terry Rupeni (ITS-USP))
Date: Tue, 9 Feb 2010 08:29:16 +1200
Subject: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30
In-Reply-To:
References:
Message-ID: <004401caa8fd$62fb0250$28f106f0$@ac.fj>

I'd go with the 802.1q trunked backbone. It gives you the flexibility of spanning vlans across a network.

As for point 3, how about a virtual vlan interface on one of the 6509s? If you have ample capacity over your backbones I don't see a problem on where the virtual vlan is to be terminated; also, with subinterfaces you run the risk of oversubscribing the actual physical interface bandwidth.

Hope I'm making sense!

Terry Rupeni

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Kunkel
Sent: Tuesday, 9 February 2010 7:08 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30

Hello all...

Right now, I've got a bunch of customers connected to a bunch of switchports using different VLANs. I've got 802.1q running between the switches, and then a router attached with a bunch of subinterfaces, one for each VLAN. Assigned to each of these subinterfaces is the customer's gateway IP address.
So, for instance, I have something like this for the customer port:

interface FastEthernet 1/12
 switchport access vlan 80

Then the switch is connected to a router, with an interface like this:

interface GigabitEthernet 0/1.80
 encapsulation dot1Q 80
 ip address X.X.X.2 255.255.255.252

Pretty standard stuff....

So, now, we're opening another location, and we've got some customers interested in having some equipment in the first location and some in the second, and having it all be part of the same network. The connection between the two locations is ethernet, and the hardware is (well, will be as soon as we upgrade out of a 7200) a 6509 on either side, and I think it'd be pretty cool to run an 802.1q trunk between them using 6509 switchports instead of routed ports. However, I've got some problems, or at least I'm having trouble wrapping my brain around some things...

1. In the interests of keeping things simple, is it a "bad" idea to use an 802.1q trunk for backbone connectivity?

2. I'd normally set up this kind of point-to-point link using a /30, using interfaces in "routed" mode, and assigning the addresses to the interfaces on each end of the link. If using an 802.1q trunk with interfaces in "switchport" mode, would it be advisable to use loopback interfaces for these addresses instead?

3. I'm used to having the customer's gateway set on that Gigabit subinterface, as above. But if I want this customer to have their stuff on the same VLAN in both locations, AFAIK, I should set switchport access VLAN 80 on both their access ports. I'm then stuck figuring out where to put the gateway address for their IP space. Again, would loopback interfaces be good candidates for this? Or perhaps a VLAN interface, as weird as that seems to me?

4.
My motivation for doing any of this in the first place, as opposed to a simple /30 point-to-point interface, is to allow customers to have access to layer 2 across our network, whether it be for internal use or for purchasing third-party connectivity. Is it "acceptable" to use our single point-to-point ethernet for this, or should I be using a separate network for this entirely?

Thanks!

Rick

From gururug at gmail.com Mon Feb 8 17:09:47 2010
From: gururug at gmail.com (Imran K)
Date: Tue, 9 Feb 2010 09:09:47 +1100
Subject: [c-nsp] Routing between site to site VPNs
Message-ID: <25d943641002081409t5bfef84dta9fec6c8e2e6cdcd@mail.gmail.com>

You will have to supply more information on what exactly you are trying to do here. The "physical" interface is transparent to the routing process except for linking the tunnel to it. You may require some *route maps* if you are trying to achieve something non-basic.

From bacon at walleyesoftware.com Mon Feb 8 18:09:04 2010
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Mon, 8 Feb 2010 17:09:04 -0600
Subject: [c-nsp] 3560G as WAN-aggregation-layer
Message-ID: <5A69C25361FED34F83ABF05F5047524507F05FB1@wally.walleyetrading.net>

Greetings.

I know this is going to sound pretty, well, lame. But...

I currently have a couple of routers (a 7204/NPE-G1 and a 3845) front-ending my WAN connections, which are all metro Ethernet, mostly gig ports which are policed at some CIR, or 100Mbit. The routers are big, expensive, and really don't do much - oh, someday I would like to do some QoS...someday.

So, there is this pile of 3560Gs in the corner. I've had less-than-impressive experiences with them as server-farm access switches, which is why they are there.
However, I'm thinking that for handling a handful (4-6) of Gig-Es/100Ms which are mostly not running at capacity, as long as I distribute the ports out amongst the port ASICs (so each line has the full 2Mbit TX buffer of the port ASIC to itself), and as long as I don't do something stupid like put all 4 ports of a 4-port etherchannel in ports 1-4, they ought to be fine. The switches don't need to do much - pass the traffic, run EIGRP, a little light QoS. Our route table is tiny, relatively.

Am I going to regret this?

Conversely, how much can I really expect out of an NPE-G1?

From jay at west.net Mon Feb 8 21:42:47 2010
From: jay at west.net (Jay Hennigan)
Date: Mon, 08 Feb 2010 18:42:47 -0800
Subject: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30
In-Reply-To:
References:
Message-ID: <4B70CBA7.7090805@west.net>

Rick Kunkel wrote:
> Hello all...

> The connection between the two locations is ethernet, and the hardware
> is (well, will be as soon as we upgrade out of a 7200) a 6509 on either
> side, and I think it'd be pretty cool to run an 802.1q trunk between
> them using 6509 switchports instead of routed ports. However, I've got
> some problems, or at least I'm having trouble wrapping my brain around
> some things...
>
> 1. In the interests of keeping things simple, is it a "bad" idea to use
> an 802.1q trunk for backbone connectivity?

One thing to consider is contention for the link among the VLANs. You'll want some form of QoS and/or rate limiting to ensure that a particular VLAN can't choke the link.

> 2. I'd normally set up this kind of point-to-point link using a /30,
> using interfaces in "routed" mode, and assigning the addresses to the
> interfaces on each end of the link. If using an 802.1q trunk with
> interfaces in "switchport" mode, would it be advisable to use loopback
> interfaces for these addresses instead?
>
> 3. I'm used to having the customer's gateway set on that Gigabit
> subinterface, as above.
But if I want this customer to have their stuff > on the same VLAN in both locations, AFAIK, I should set switchport > access VLAN 80 on both their access ports. I'm then stuck figuring out > where to put the gateway address for their IP space. Again, would > loopback interfaces be good candidates for this? Or perhaps a VLAN > interface, as weird as that seems to me? A VLAN interface is what I would use here. You're providing a layer 2 connection between the two customer locations so their IP-layer addresses won't show up in your routing table at all. The VLAN interface is needed as the gateway, with whatever subnet mask is appropriate for the customer's network needs. See below for why this may not be a good idea. > 4. My motivation for doing any of this in the first place, as opposed > to a simple /30 point-to-point interface, is to allow customers to have > access to layer 2 across our network, whether it be for internal use or > for purchasing third-party connectivity. Is it "acceptable" to use our > single point-to-point ethernet for this, or should I be using a separate > network for this entirely? As a rule, a hybrid solution with layer 2 across the customer endpoints with a layer 3 gateway to the Internet on a VLAN interface doesn't scale very well. If the customer wants their own firewall there are issues. It isn't unusual for them to have a lot of internal traffic (file server, etc.) with lower Internet needs. Metering this for billing can be an issue. What we usually do in this scenario is to provide a layer 2 VLAN bridge on one VLAN for the customer's internal network. Then, on a separate VLAN, provide Internet access to one location. The customer can then put their own NAT firewall between the two VLANs. For scaling among more than two customer locations and cutting down broadcast noise, consider MPLS with a VRF per customer and offer them a private routed layer 3 network. 
-- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From aftab.siddiqui at gmail.com Tue Feb 9 00:52:49 2010 From: aftab.siddiqui at gmail.com (Aftab Siddiqui) Date: Tue, 9 Feb 2010 10:52:49 +0500 Subject: [c-nsp] Load-sharing with two links to the same ISP In-Reply-To: <000901caa8f9$3e9cd8b0$bbd68a10$@org.uk> References: <000901caa8f9$3e9cd8b0$bbd68a10$@org.uk> Message-ID: <3c605ce11002082152w32998e09qfdd81ae6c34f9017@mail.gmail.com> hi Matthew, Keeping the current internet full feed in view its around 300k routes and sup720-3BXL should support 1million routes (its cisco though :p). So even if you terminate the links on 2 different edges coming from the same AS it should work fine. If you are trying "bgp bestpath as-path multipath-relax" kindly share the outcomes because in my opinion it is used to load share between different as-path. I have never tried it before. Regards, Aftab A. Siddiqui On Tue, Feb 9, 2010 at 12:59 AM, Matthew Melbourne wrote: > Thanks for the pointers towards eBGP Multipath. Can I check that this still > works if two links are terminated on different edge routers (though with > iBGP between the edge routers). I assume this will use additional TCAM > resources (Sup720-3BXL) in maintaining two routes per prefix, which could > be > significant for a full BGP feed? > > Cheers, > > Matt > > -----Original Message----- > From: Erik Cuevas [mailto:ecuevas at fxcm.com] > Sent: 05 February 2010 12:33 > To: Matthew Melbourne > Subject: RE: [c-nsp] Load-sharing with two links to the same ISP > > Did you check out BGP multipath? > > > http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431 > .shtml > > > or is the AS Path is different try... 
> > bgp bestpath as-path multipath-relax (it's hidden)
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Melbourne
> Sent: Friday, February 05, 2010 6:33 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Load-sharing with two links to the same ISP
>
> Hi,
>
> What techniques are available to load-share traffic on two links (of
> equal bandwidth) to the same ISP (same AS) given that BGP only enters
> the best path into the RIB? We could announce our prefixes over both
> links, but splitting the preferred path announcements over the two
> links, either using MED or ISP communities, but this only really
> addresses inbound traffic. More of an issue is trying to load-share
> outbound traffic; we assume we'll learn the same set of prefixes over
> both links from the same ISP - one technique may be to simply split
> the IPv4 address space in half and local-pref accordingly to prefer
> one link or the other depending on the destination IP prefix?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne

From globichen at gmail.com Tue Feb 9 02:58:59 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 08:58:59 +0100 Subject: [c-nsp] Best practice - Core vs Access Router Message-ID: I am running one 6509 as a core router: IOS: SXF15a 1x WS-SUP720-3BXL 1x WS-X6748-GE-TX 2x WS-X6704-10GE On this core I am doing BGP with 2 upstreams (full BGP table IN) and 10 downstreams (full BGP table OUT). I am also doing OSPF with 4 other core routers in this AS. On top of that there is one VLAN on this core that serves as a default gateway for approximatively 5000 servers, producing around 30 GBps outbound traffic and 10 GBps inbound. Recently I noticed that this core router becomes very unresponsive from time to time, dropping OSPF and BGP sessions (hold time expired and so on). SNMP generated stats become useless as well, because most SNMP requests to that core are timing out. It's really just the core that is rather slow, but reachability to my customers and from my customers to the internet remains perfect. Pinging the loopback interface of the core or any default gateway IP address of the busy VLAN can show up to 60% packet loss Therefore I was thinking to split the core and move this very active VLAN to a different router behind the core and only add a static route to the core, so that the new router can handle these many MAC addresses and hopefully get my core more responsive again. Does this scenario make any sense at all? Is it wise to have one core router with many transit (in and out) BGP sessions also act as an access router / default gateway for several thousand servers? What is usually the best practice here? Thank you for your clues. Andy From livio.zanol.puppim at gmail.com Tue Feb 9 05:40:59 2010 From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim) Date: Tue, 9 Feb 2010 08:40:59 -0200 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> Message-ID: Yeah, You are right. 
But I would like to use my nexus 5000 10GE/FCoE ports just for access servers, maximizing it's use... The uplinks from Nexus 2000 could easially go directly to my distribution/core. Unfortunally, nexus 2000 is just an fabric extender and can ONLY be attached to Nexus 5000... Maybe CISCO changes it's later... Let's think: 10 nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must use at my nexus 5000. That's more than 1 entirelly switch (1RU) and almost 1 switch (2RU). I haven't figure out yet what's the advantage of having this design (nexus 2000 -> nexus 5000) other than the "old" one (catalyst 4948 -> nexus 7000/cisco 6500). That's what I'm talking about. The only REAL advantage so far is the vPC... 2010/2/2 Brad Hedlund > > True, the Nexus 2000 does not locally switch, but lets explore that for a > second... > > 1) a typical enterprise Data Center is running applications that are not > latency sensitive, where latencies in the 10s of microseconds are perfectly > OK and nobody is really counting anyway. Only in the small minority of Data > Centers running high frequency trading, grid computing, or some other ultra > low latency application, every *nanosecond* matters and local switching with > fewer hops is of paramount importance. Furthermore, these applications are > quickly migrating away from 1GE to 10GE attached servers for the obvious low > latency advantages. > > 2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink for > 4948. This results in a possible 1:1.2 oversubscription ratio for Nexus > 2000 to handle the additional uplink load that may otherwise not be present > on a 4948. > > 3) The upstream Nexus 5000 implements cut-through switching, and the Nexus > 2000 itself also uses cut-through for frames entering on 1GE and egressing > on 10GE. The two combined often results in port-to-port latencies similar > to a Catalyst 6500, even without the "local switching". 
> If you are comfortable with your Catalyst 6500 local switching latencies, you can
> expect similar performance from a Nexus 2000/5000 combination.
>
> --
> Brad Hedlund, CCIE #5530
> Consulting Systems Engineer, Data Center
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
> On Jan 31, 2010, at 5:25 PM, David Hughes wrote:
>
> > On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:
> >
> >> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
> >> 4948 as access layers switches?
> >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
> >> could be used by servers with 10GbE/FCoE servers.
> >
> > The N2K does no local switching so if you have any east-west traffic
> > between ports on the same switch you'll be better served by a more
> > "traditional" access switch. Naturally the N2K offers centralised
> > management etc etc but that may or may not be of interest depending on the
> > size of your deployment.
> >
> > David
> > ...

--
[]'s

Lívio Zanol Puppim

From oldnick at oldnick.ru Tue Feb 9 06:15:15 2010
From: oldnick at oldnick.ru (Sergey Nikitin)
Date: Tue, 09 Feb 2010 14:15:15 +0300
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References:
Message-ID: <4B7143C3.1030005@oldnick.ru>

Maybe you should try to find out what the reason for the packet loss is? Is there a high CPU load? Do you have control-plane configured? Do you have traffic congestion? Maybe you don't really need to redesign your network.

Andy B. wrote:
> I am running one 6509 as a core router:
>
> IOS: SXF15a
> 1x WS-SUP720-3BXL
> 1x WS-X6748-GE-TX
> 2x WS-X6704-10GE
>
> On this core I am doing BGP with 2 upstreams (full BGP table IN) and
> 10 downstreams (full BGP table OUT).
> I am also doing OSPF with 4 other core routers in this AS. > > On top of that there is one VLAN on this core that serves as a default > gateway for approximatively 5000 servers, producing around 30 GBps > outbound traffic and 10 GBps inbound. > > Recently I noticed that this core router becomes very unresponsive > from time to time, dropping OSPF and BGP sessions (hold time expired > and so on). SNMP generated stats become useless as well, because most > SNMP requests to that core are timing out. It's really just the core > that is rather slow, but reachability to my customers and from my > customers to the internet remains perfect. Pinging the loopback > interface of the core or any default gateway IP address of the busy > VLAN can show up to 60% packet loss > > Therefore I was thinking to split the core and move this very active > VLAN to a different router behind the core and only add a static route > to the core, so that the new router can handle these many MAC > addresses and hopefully get my core more responsive again. > > Does this scenario make any sense at all? Is it wise to have one core > router with many transit (in and out) BGP sessions also act as an > access router / default gateway for several thousand servers? What is > usually the best practice here? > > Thank you for your clues. > > Andy > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From globichen at gmail.com Tue Feb 9 07:21:47 2010 From: globichen at gmail.com (Andy B.) Date: Tue, 9 Feb 2010 13:21:47 +0100 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <4B7143C3.1030005@oldnick.ru> References: <4B7143C3.1030005@oldnick.ru> Message-ID: CPU load is fairly normal at 20-30% No congestion. Most links are under 50%. 
I have no Control Plane Policies in place, but I have already been advised to do so - this might help, right?

Redesigning the network and shifting the busy (uncongested!) VLAN to another router seemed like the only choice we have left, unless this CPP can help?

Andy

On Tue, Feb 9, 2010 at 12:15 PM, Sergey Nikitin wrote:
>
> Maybe you should try to find out what the reason for the packet loss is? Is there a high CPU load? Do you have control-plane configured? Do you have traffic congestion? Maybe you don't really need to redesign your network.
>
> Andy B. wrote:
>>
>> I am running one 6509 as a core router:
>>
>> IOS: SXF15a
>> 1x WS-SUP720-3BXL
>> 1x WS-X6748-GE-TX
>> 2x WS-X6704-10GE
>>
>> On this core I am doing BGP with 2 upstreams (full BGP table IN) and
>> 10 downstreams (full BGP table OUT).
>> I am also doing OSPF with 4 other core routers in this AS.
>>
>> On top of that there is one VLAN on this core that serves as a default
>> gateway for approximately 5000 servers, producing around 30 GBps
>> outbound traffic and 10 GBps inbound.
>>
>> Recently I noticed that this core router becomes very unresponsive
>> from time to time, dropping OSPF and BGP sessions (hold time expired
>> and so on). SNMP generated stats become useless as well, because most
>> SNMP requests to that core are timing out. It's really just the core
>> that is rather slow, but reachability to my customers and from my
>> customers to the internet remains perfect. Pinging the loopback
>> interface of the core or any default gateway IP address of the busy
>> VLAN can show up to 60% packet loss.
>>
>> Therefore I was thinking to split the core and move this very active
>> VLAN to a different router behind the core and only add a static route
>> to the core, so that the new router can handle these many MAC
>> addresses and hopefully get my core more responsive again.
>>
>> Does this scenario make any sense at all? Is it wise to have one core
>> router with many transit (in and out) BGP sessions also act as an
>> access router / default gateway for several thousand servers? What is
>> usually the best practice here?
>>
>> Thank you for your clues.
>>
>> Andy

From linux.yahoo at gmail.com Tue Feb 9 07:25:04 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 13:25:04 +0100
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>
Message-ID: <7100ed371002090425r5a942000r2521a67664cd865@mail.gmail.com>

Two key advantages:
- Technical: FCoE, vPC
- Management: you needn't manage N2Ks

R/
Manu

On Tue, Feb 9, 2010 at 11:40 AM, Livio Zanol Puppim <livio.zanol.puppim at gmail.com> wrote:
> Yeah, you are right.
>
> But I would like to use my Nexus 5000 10GE/FCoE ports just for access
> servers, maximizing its use... The uplinks from Nexus 2000 could easily
> go directly to my distribution/core. Unfortunately, Nexus 2000 is just a
> fabric extender and can ONLY be attached to Nexus 5000... Maybe CISCO
> changes it later...
>
> Let's think:
>
> 10 Nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must
> use at my Nexus 5000. That's more than 1 entire switch (1RU) and almost 1
> switch (2RU).
>
> I haven't figured out yet what's the advantage of having this design (Nexus
> 2000 -> Nexus 5000) other than the "old" one (Catalyst 4948 -> Nexus
> 7000/Cisco 6500). That's what I'm talking about.
>
> The only REAL advantage so far is the vPC...
>
> 2010/2/2 Brad Hedlund
>
> > True, the Nexus 2000 does not locally switch, but let's explore that for a
> > second...
> > > > 1) a typical enterprise Data Center is running applications that are not > > latency sensitive, where latencies in the 10s of microseconds are > perfectly > > OK and nobody is really counting anyway. Only in the small minority of > Data > > Centers running high frequency trading, grid computing, or some other > ultra > > low latency application, every *nanosecond* matters and local switching > with > > fewer hops is of paramount importance. Furthermore, these applications > are > > quickly migrating away from 1GE to 10GE attached servers for the obvious > low > > latency advantages. > > > > 2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink > for > > 4948. This results in a possible 1:1.2 oversubscription ratio for Nexus > > 2000 to handle the additional uplink load that may otherwise not be > present > > on a 4948. > > > > 3) The upstream Nexus 5000 implements cut-through switching, and the > Nexus > > 2000 itself also uses cut-through for frames entering on 1GE and > egressing > > on 10GE. The two combined often results in port-to-port latencies > similar > > to a Catalyst 6500, even without the "local switching". If you are > > comfortable with your Catalyst 6500 local switching latencies, you can > > expect similar performance from a Nexus 2000/5000 combination. > > > > > > -- > > Brad Hedlund, CCIE #5530 > > Consulting Systems Engineer, Data Center > > bhedlund at cisco.com > > http://www.internetworkexpert.org > > > > > > > > On Jan 31, 2010, at 5:25 PM, David Hughes wrote: > > > > > > > > On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote: > > > > > >> Can anyone please tell me the advantages of using Nexus 2000 over > > Catalyst > > >> 4948 as access layers switches? > > >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, > that > > >> could be used by servers with 10GbE/FCoE servers. 
> > >
> > > The N2K does no local switching so if you have any east-west traffic
> > > between ports on the same switch you'll be better served by a more
> > > "traditional" access switch. Naturally the N2K offers centralised
> > > management etc etc but that may or may not be of interest depending on the
> > > size of your deployment.
> > >
> > > David
> > > ...
>
> --
> []'s
>
> Lívio Zanol Puppim

From livio.zanol.puppim at gmail.com Tue Feb 9 07:37:00 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim)
Date: Tue, 9 Feb 2010 10:37:00 -0200
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: <7100ed371002090425r5a942000r2521a67664cd865@mail.gmail.com>
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> <7100ed371002090425r5a942000r2521a67664cd865@mail.gmail.com>
Message-ID:

Nexus 2000 does not have FCoE.

2010/2/9 Manu Chao
> Two key advantages:
> - Technical: FCoE, vPC
> - Management: you needn't manage N2Ks
>
> R/
> Manu
>
> On Tue, Feb 9, 2010 at 11:40 AM, Livio Zanol Puppim <livio.zanol.puppim at gmail.com> wrote:
>
>> Yeah, you are right.
>>
>> But I would like to use my Nexus 5000 10GE/FCoE ports just for access
>> servers, maximizing its use... The uplinks from Nexus 2000 could easily
>> go directly to my distribution/core. Unfortunately, Nexus 2000 is just a
>> fabric extender and can ONLY be attached to Nexus 5000... Maybe CISCO
>> changes it later...
>>
>> Let's think:
>>
>> 10 Nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must
>> use at my Nexus 5000. That's more than 1 entire switch (1RU) and almost 1
>> switch (2RU).
>>
>> I haven't figured out yet what's the advantage of having this design (Nexus
>> 2000 -> Nexus 5000) other than the "old" one (Catalyst 4948 -> Nexus
>> 7000/Cisco 6500). That's what I'm talking about.
>>
>> The only REAL advantage so far is the vPC...
>>
>> 2010/2/2 Brad Hedlund
>>
>> > True, the Nexus 2000 does not locally switch, but let's explore that for a
>> > second...
>> >
>> > 1) a typical enterprise Data Center is running applications that are not
>> > latency sensitive, where latencies in the 10s of microseconds are perfectly
>> > OK and nobody is really counting anyway. Only in the small minority of Data
>> > Centers running high frequency trading, grid computing, or some other ultra
>> > low latency application, every *nanosecond* matters and local switching with
>> > fewer hops is of paramount importance. Furthermore, these applications are
>> > quickly migrating away from 1GE to 10GE attached servers for the obvious low
>> > latency advantages.
>> >
>> > 2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink for
>> > 4948. This results in a possible 1:1.2 oversubscription ratio for Nexus
>> > 2000 to handle the additional uplink load that may otherwise not be present
>> > on a 4948.
>> >
>> > 3) The upstream Nexus 5000 implements cut-through switching, and the Nexus
>> > 2000 itself also uses cut-through for frames entering on 1GE and egressing
>> > on 10GE. The two combined often results in port-to-port latencies similar
>> > to a Catalyst 6500, even without the "local switching". If you are
>> > comfortable with your Catalyst 6500 local switching latencies, you can
>> > expect similar performance from a Nexus 2000/5000 combination.
>> >
>> > --
>> > Brad Hedlund, CCIE #5530
>> > Consulting Systems Engineer, Data Center
>> > bhedlund at cisco.com
>> > http://www.internetworkexpert.org
>> >
>> > On Jan 31, 2010, at 5:25 PM, David Hughes wrote:
>> >
>> > > On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:
>> > >
>> > >> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
>> > >> 4948 as access layers switches?
>> > >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
>> > >> could be used by servers with 10GbE/FCoE servers.
>> > >
>> > > The N2K does no local switching so if you have any east-west traffic
>> > > between ports on the same switch you'll be better served by a more
>> > > "traditional" access switch. Naturally the N2K offers centralised
>> > > management etc etc but that may or may not be of interest depending on the
>> > > size of your deployment.
>> > >
>> > > David
>> > > ...
>>
>> --
>> []'s
>>
>> Lívio Zanol Puppim

--
[]'s

Lívio Zanol Puppim

From saku at ytti.fi Tue Feb 9 07:44:35 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 14:44:35 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru>
Message-ID: <20100209124435.GA27615@mx.ytti.net>

On (2010-02-09 13:21 +0100), Andy B. wrote:
> CPU load is fairly normal at 20-30%

What is more important is whether this is process or interrupt.
In 'show proc cpu' you have x/y, y is interrupt and should be 0, if not, you are software switching something due to misconfiguration or software defect.

> No congestion. Most links are under 50%.
> I have no Control Plane Policies in place, but I have already been
> advised to do so - this might help, right?
> Redesigning the network and shifting the busy (uncongested!) VLAN to
> another router seemed like the only choice we have left, unless this
> CPP can help?

Do you see any input drops in 'sh int | i Input|^[A-Z]'

Are you within bounds of PFC resources?
show platform hardware capacity pfc

--
++ytti

From p.mayers at imperial.ac.uk Tue Feb 9 07:50:10 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 12:50:10 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru>
Message-ID: <4B715A02.8010604@imperial.ac.uk>

On 09/02/10 12:21, Andy B. wrote:
> CPU load is fairly normal at 20-30%

Is this average or during a performance event? What about the SP and any DFC CPUs? What linecards do you have in the box?

> No congestion. Most links are under 50%.
> I have no Control Plane Policies in place, but I have already been
> advised to do so - this might help, right?
>
> Redesigning the network and shifting the busy (uncongested!) VLAN to
> another router seemed like the only choice we have left, unless this

Your network doesn't sound that unusual to me. Provided you have PFC-3B/XL (and DFC-3B/XL if you're running DFCs) the 6500 ought to be able to handle it in a "steady state" (see below).

What does:

  sh mls cef maximum-routes
  sh mls cef summary

...say?

The first thing to do is determine why these performance problems are occurring. Otherwise, installing a new router might do nothing other than cost money.

You say "so that the new router can handle these many MAC addresses"; do you have any reason to believe that MAC or adjacency table size is the problem? The 6500 can handle 64k MAC addresses at layer2 and variable numbers of ARP/layer3 adjacencies.

Control-plane policing will only help if CPU-punted or CPU-directed packets are causing the performance problems. MLS rate limiters may also help in that situation.

Alternatively if you're getting the BGP scanner eating lots of CPU because of churn in your full feeds, then you need to address that.

It could be ICMP redirects, or layer2 loops downstream.

How often are these performance problems occurring? Is anything logged on the router at the time? What does the output of:

  sh proc cpu | ex 0.00
  remote command switch sh proc cpu | ex 0.00
  sh platform hardware capacity forwarding

...say after a window of poor performance? How long do the events last?

As you can see, there's a lot to look into.

As to whether it's "wise" to have one router doing both jobs - it depends. Some people will I guess say "no, split them" but it's really a matter of costs and benefits. We do similar things where one 6500 does a *LOT* of work (without the full table) and have no problems.

From linux.yahoo at gmail.com Tue Feb 9 07:51:57 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 13:51:57 +0100
Subject: [c-nsp] "show stats" question
In-Reply-To:
References:
Message-ID: <7100ed371002090451q710ecd2dmd3b6fdcb8a0594f8@mail.gmail.com>

Hello Nick,

AFAIK "show stats" command doesn't exist?? If you mean "show interfaces stats" command then you have the following description in CCO:

Chars In: Number of characters received in each switching mechanism
Chars Out: Number of characters sent out each switching mechanism

I assume we are speaking about ASCII character (8 bits) but I am not 100% sure :)

R/
Manu

On Mon, Feb 8, 2010 at 7:08 PM, Nick Griffin wrote:
> Can anyone confirm the command below, the Chars/in/out reference, are the
> results listed in bytes? I'm unable to find this command documented anywhere
> on CCO to get a better description of the command and its output.
>
> The 6509 "show stats" command gives the following information:
>
> Vlan2
> Switching path     Pkts In    Chars In     Pkts Out   Chars Out
> Processor            14342     1650437         2492      166010
> Route cache            534       55212          149       11166
> Distributed cache  7169590  6090148689      8831508  9040962158
> Total              7184466  6091854338      8834149  9041139334
>
> Thanks,
>
> Nick Griffin

From globichen at gmail.com Tue Feb 9 07:56:37 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 13:56:37 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209124435.GA27615@mx.ytti.net>
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net>
Message-ID:

I think I am not software switching:

CPU utilization for five seconds: 19%/5%; one minute: 46%; five minutes: 42%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   6   426848940  21297160  20042  2.71%  1.01%  1.23%   0 Check heaps
 123   821446324 874103795    939  2.31%  2.42%  2.40%   0 IP Input
 281    84726288 609026650    139  0.55%  0.25%  0.22%   0 Port manager per
 169    98404740   5822749  16900  0.31%  0.31%  0.31%   0 Adj Manager
   9    92306248 220930403    417  0.31%  0.43%  0.40%   0 ARP Input
 180    64244512  51116025   1256  0.23%  0.26%  0.25%   0 CEF process
 320    18645168 124211249    150  0.15%  1.26%  1.10%   0 BGP I/O
 307    28557284 371501297     76  0.07%  0.10%  0.06%   0 MLD
 167    27023688 387372814     69  0.07%  0.12%  0.09%   0 IPv6 Input
 286    91380880  67881032   1346  0.07%  4.58%  3.92%   0 BGP Router
 322       24944     12735   1958  0.07%  0.09%  0.02%   1 SSH Process
...
#show platform hardware capacity pfc
L2 Forwarding Resources
  MAC Table usage:   Module  Collisions   Total    Used  %Used
                          5           0   65536    3383     5%

  VPN CAM usage:                          Total    Used  %Used
                                            512       0     0%

L3 Forwarding Resources
  FIB TCAM usage:                         Total    Used  %Used
    72 bits (IPv4, MPLS, EoM)            524288  315002    60%
    144 bits (IP mcast, IPv6)            262144    2904     1%

    detail:      Protocol                  Used  %Used
                 IPv4                    315002    60%
                 MPLS                         0     0%
                 EoM                          0     0%
                 IPv6                      2842     1%
                 IPv4 mcast                   3     1%
                 IPv6 mcast                  59     1%

  Adjacency usage:                        Total    Used  %Used
                                        1048576    5046     1%

  Forwarding engine load:
                   Module  pps      peak-pps  peak-time
                   5       4443376  10849623  12:44:28 CEST Mon Dec 21 2009

Netflow Resources
  TCAM utilization:        Module  Created   Failed  %Used
                                5   262020        0   100%
  ICAM utilization:        Module  Created   Failed  %Used
                                5        4  5228242     3%

  Flowmasks:   Mask#  Type      Features
        IPv4:      0  reserved  none
        IPv4:      1  Intf Ful  FM_GUARDIAN
        IPv4:      2  unused    none
        IPv4:      3  reserved  none
        IPv6:      0  reserved  none
        IPv6:      1  Intf Ful  FM_IPV6_GUARDIAN
        IPv6:      2  unused    none
        IPv6:      3  reserved  none

CPU Rate Limiters Resources
  Rate limiters:         Total    Used  Reserved  %Used
           Layer 3           9       4         1    44%
           Layer 2           4       2         2    50%

ACL/QoS TCAM Resources
  Key: ACLent - ACL TCAM entries, ACLmsk - ACL TCAM masks, AND - ANDOR,
       QoSent - QoS TCAM entries, QOSmsk - QoS TCAM masks, OR - ORAND,
       Lbl-in - ingress label, Lbl-eg - egress label, LOUsrc - LOU source,
       LOUdst - LOU destination, ADJ - ACL adjacency

  Module  ACLent  ACLmsk  QoSent  QoSmsk  Lbl-in  Lbl-eg  LOUsrc  LOUdst  AND   OR  ADJ
       5      1%      2%      1%      1%      1%      1%      0%      0%   0%   0%   1%

I do see input drops - what does that mean?

Andy

On Tue, Feb 9, 2010 at 1:44 PM, Saku Ytti wrote:
> On (2010-02-09 13:21 +0100), Andy B. wrote:
>
>> CPU load is fairly normal at 20-30%
>
> What is more important is whether this is process or interrupt. In 'show proc cpu' you
> have x/y, y is interrupt and should be 0, if not, you are software switching
> something due to misconfiguration or software defect.
>
>> No congestion. Most links are under 50%.
>> I have no Control Plane Policies in place, but I have already been
>> advised to do so - this might help, right?
> >> Redesigning the network and shifting the busy (uncongested!) VLAN to
> >> another router seemed like the only choice we have left, unless this
> >> CPP can help?
>
> Do you see any input drops in 'sh int | i Input|^[A-Z]'
>
> Are you within bounds of PFC resources?
> show platform hardware capacity pfc
>
> --
>  ++ytti
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From saku at ytti.fi Tue Feb 9 08:04:21 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 15:04:21 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net>
Message-ID: <20100209130421.GA27687@mx.ytti.net>

On (2010-02-09 13:56 +0100), Andy B. wrote:
> I think I am not software switching:
>
> CPU utilization for five seconds: 19%/5%; one minute: 46%; five minutes: 42%

Could you try to catch this when the five second value is >40% so we'll see
what is causing the load. Currently whatever is happening, is not
happening. Output 5s sorted list.

>                      Module       pps   peak-pps                     peak-time
>                      5        4443376   10849623  12:44:28 CEST Mon Dec 21 2009

10Mpps peak, well within limits of CFC system, so you're not anywhere near
the performance limits.

> Netflow Resources
>           TCAM utilization:       Module       Created      Failed       %Used
>                                   5             262020           0        100%

Netflow full, highly typical and nothing to worry about.

> I do see input drops - what does that mean?

It means that you got more packets towards software than buffers could
hold, default is 75 packets, which is way too little for even some normal
situations, such as BGP, especially route reflector use.
If it is normal, you should increase it to 1k or 2k.

But it might also indicate that transit traffic is coming to control-plane,
there are many tools 7600 offers to troubleshoot them.
When you look at those interfaces where you see drops, do any of them display
packets in input buffer /right now/, if so, you can use 'show buffers
input-interface X header' to see what those packets are, which will go a long
way to determine if they are normal or something to worry about.

--
  ++ytti

From linux.yahoo at gmail.com Tue Feb 9 08:07:59 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 14:07:59 +0100
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> <7100ed371002090425r5a942000r2521a67664cd865@mail.gmail.com>
Message-ID: <7100ed371002090507g5212cbe2xb6784acb1890c4fc@mail.gmail.com>

Correct, not yet

On Tue, Feb 9, 2010 at 1:37 PM, Livio Zanol Puppim <livio.zanol.puppim at gmail.com> wrote:

> Nexus 2000 does not have FCoE.
>
> 2010/2/9 Manu Chao
>
>> Two key advantages:
>> - Technical: FCoE, vPC
>> - Management: you needn't manage N2Ks
>>
>> R/
>> Manu
>>
>> On Tue, Feb 9, 2010 at 11:40 AM, Livio Zanol Puppim <livio.zanol.puppim at gmail.com> wrote:
>>
>>> Yeah, you are right.
>>>
>>> But I would like to use my Nexus 5000 10GE/FCoE ports just for access
>>> servers, maximizing its use... The uplinks from Nexus 2000 could easily
>>> go directly to my distribution/core. Unfortunately, Nexus 2000 is just a
>>> fabric extender and can ONLY be attached to Nexus 5000... Maybe CISCO
>>> changes this later...
>>>
>>> Let's think:
>>>
>>> 10 Nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must
>>> use at my Nexus 5000. That's more than 1 entire switch (1RU) and almost 1
>>> switch (2RU).
>>>
>>> I haven't figured out yet what's the advantage of having this design (Nexus
>>> 2000 -> Nexus 5000) other than the "old" one (Catalyst 4948 -> Nexus
>>> 7000/Cisco 6500). That's what I'm talking about.
>>>
>>> The only REAL advantage so far is the vPC...
>>> >>> 2010/2/2 Brad Hedlund >>> >>> > >>> > True, the Nexus 2000 does not locally switch, but lets explore that for >>> a >>> > second... >>> > >>> > 1) a typical enterprise Data Center is running applications that are >>> not >>> > latency sensitive, where latencies in the 10s of microseconds are >>> perfectly >>> > OK and nobody is really counting anyway. Only in the small minority of >>> Data >>> > Centers running high frequency trading, grid computing, or some other >>> ultra >>> > low latency application, every *nanosecond* matters and local switching >>> with >>> > fewer hops is of paramount importance. Furthermore, these applications >>> are >>> > quickly migrating away from 1GE to 10GE attached servers for the >>> obvious low >>> > latency advantages. >>> > >>> > 2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink >>> for >>> > 4948. This results in a possible 1:1.2 oversubscription ratio for >>> Nexus >>> > 2000 to handle the additional uplink load that may otherwise not be >>> present >>> > on a 4948. >>> > >>> > 3) The upstream Nexus 5000 implements cut-through switching, and the >>> Nexus >>> > 2000 itself also uses cut-through for frames entering on 1GE and >>> egressing >>> > on 10GE. The two combined often results in port-to-port latencies >>> similar >>> > to a Catalyst 6500, even without the "local switching". If you are >>> > comfortable with your Catalyst 6500 local switching latencies, you can >>> > expect similar performance from a Nexus 2000/5000 combination. >>> > >>> > >>> > -- >>> > Brad Hedlund, CCIE #5530 >>> > Consulting Systems Engineer, Data Center >>> > bhedlund at cisco.com >>> > http://www.internetworkexpert.org >>> > >>> > >>> > >>> > On Jan 31, 2010, at 5:25 PM, David Hughes wrote: >>> > >>> > > >>> > > On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote: >>> > > >>> > >> Can anyone please tell me the advantages of using Nexus 2000 over >>> > Catalyst >>> > >> 4948 as access layers switches? 
>>> > >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
>>> > >> could be used by servers with 10GbE/FCoE servers.
>>> > >
>>> > > The N2K does no local switching so if you have any east-west traffic
>>> > > between ports on the same switch you'll be better served by a more
>>> > > "traditional" access switch. Naturally the N2K offers centralised
>>> > > management etc etc but that may or may not be of interest depending on the
>>> > > size of your deployment.
>>> > >
>>> > >
>>> > >
>>> > > David
>>> > > ...
>>> > > _______________________________________________
>>> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>> >
>>> >
>>>
>>>
>>> --
>>> []'s
>>>
>>> Lívio Zanol Puppim
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>>
>
>
> --
> []'s
>
> Lívio Zanol Puppim
>

From globichen at gmail.com Tue Feb 9 08:08:47 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 14:08:47 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B715A02.8010604@imperial.ac.uk>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk>
Message-ID:

On Tue, Feb 9, 2010 at 1:50 PM, Phil Mayers wrote:
>> CPU load is fairly normal at 20-30%
>
> Is this average or during a performance event? What about the SP and any DFC
> CPUs?

This is average. Performance would go up to 99% if the BGP scanner is
busy, but this does not happen very often.

>
> What linecards do you have in the box?

#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ ----------- 2 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAD082XXXXX 5 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL SAD084XXXXX 8 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE SAD114XXXXX 9 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE SAL110XXXXX Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 2 0012.435e.07f8 to 0012.435e.0827 2.0 12.2(14r)S5 12.2(18)SXF1 Ok 5 0011.21b9.ba54 to 0011.21b9.ba57 4.1 8.1(3) 12.2(18)SXF1 Ok 8 0001.0002.0003 to 0001.0002.0006 1.6 12.2(14r)S5 12.2(18)SXF1 Ok 9 001a.6c97.d074 to 001a.6c97.d077 2.5 12.2(14r)S5 12.2(18)SXF1 Ok Mod Sub-Module Model Serial Hw Status ---- --------------------------- ------------------ ----------- ------- ------- 2 Centralized Forwarding Card WS-F6700-CFC SAL083XXXXX 2.0 Ok 5 Policy Feature Card 3 WS-F6K-PFC3BXL SAD084XXXXX 1.4 Ok 5 MSFC3 Daughterboard WS-SUP720 SAD084XXXXX 2.2 Ok 8 Centralized Forwarding Card WS-F6700-CFC SAL114XXXXX 2.0 Ok 9 Centralized Forwarding Card WS-F6700-CFC SAL110XXXXX 2.1 Ok Mod Online Diag Status ---- ------------------- 2 Pass 5 Pass 8 Pass 9 Pass > > > sh mls cef maximum-routes > sh mls cef summary #sh mls cef maximum-routes FIB TCAM maximum routes : ======================= Current :- ------- IPv4 + MPLS - 512k (default) IPv6 + IP Multicast - 256k (default) #sh mls cef summary Total routes: 317940 IPv4 unicast routes: 315089 IPv4 Multicast routes: 3 MPLS routes: 0 IPv6 unicast routes: 2848 IPv6 multicast routes: 59 EoM routes: 0 > > You say "so that the new router can handle these many MAC addresses"; do you > have any reason to believe that MAC or adjacency table size is the problem? > The 6500 can handle 64k MAC addresses at layer2 and variable numbers of > ARP/layer3 adjacencies. No, I have no reason. 
I is just a desperate measure, because despite plenty of research I could not find out what is causing my core to become so unresponsive at management and BGP/OSPF level. > It could be ICMP redirects, or layer2 loops downstream. How would I detect that? > > How often are these performance problems occurring? Is anything logged on > the router at the time? What does the output of: It's at peak times, usually in the evening hours when there is a lot of traffic. It never happens in the afternoon or late at night - really only when we reached a certain amount of traffic or packets. > sh proc cpu | ex 0.00 > remote command switch sh proc cpu | ex 0.00 > sh platform hardware capacity forwarding > > ...say after a window of poor performance? How long do the events last? It's not peak time yet, but here the current results: #sh proc cpu sort | e 0.00 CPU utilization for five seconds: 19%/7%; one minute: 35%; five minutes: 32% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 286 91421068 67890635 1346 0.71% 4.54% 3.63% 0 BGP Router 322 27520 15152 1816 0.71% 0.33% 0.27% 1 SSH Process 281 84729936 609049960 139 0.55% 0.20% 0.21% 0 Port manager per 175 83539116 11590722 7207 0.47% 0.27% 0.25% 0 IPC LC Message H 169 98408344 5822966 16900 0.31% 0.31% 0.31% 0 Adj Manager 180 64247088 51118007 1256 0.23% 0.21% 0.19% 0 CEF process 9 92311304 220943432 417 0.15% 0.29% 0.35% 0 ARP Input 320 18664520 124379650 150 0.15% 2.57% 1.67% 0 BGP I/O #remote command switch sh proc cpu | ex 0.00 CPU utilization for five seconds: 56%/16%; one minute: 45%; five minutes: 51% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 42 11658287002654567248 439 3.51% 3.87% 3.84% 0 slcp process 102 575122192 14545925 39538 1.75% 1.87% 1.93% 0 Vlan Statistics 106 184036308 36158906 5089 1.19% 0.62% 0.61% 0 FIB Control Time 127 37679084 135489087 278 0.07% 0.10% 0.11% 0 Spanning Tree 187 12308164 3092196 3980 0.07% 0.03% 0.05% 0 v6fib stat colle 232 60786688 23931437 2540 0.15% 0.16% 0.17% 0 
Env Poll
 243    11847844   2874615       4121  0.07%  0.04%  0.05%   0 Const MPLS Stats
 248  3799960368 673218956       5644 12.23% 13.87% 16.79%   0 NDE - IPV4
 254    10876832 145705655         74  0.07%  0.06%  0.06%   0 DiagCard9/-1
 257    79331296  46446985       1707  0.23%  0.19%  0.21%   0 CEF process

#sh platform hardware capacity forwarding
L2 Forwarding Resources
           MAC Table usage:   Module  Collisions  Total       Used       %Used
                              5       0           65536       3386       5%
           VPN CAM usage:                         Total       Used       %Used
                                                  512         0          0%
L3 Forwarding Resources
             FIB TCAM usage:                     Total        Used       %Used
                  72 bits (IPv4, MPLS, EoM)     524288      315005        60%
                 144 bits (IP mcast, IPv6)      262144        2911         1%

                       detail:      Protocol                    Used       %Used
                                    IPv4                      315005        60%
                                    MPLS                           0         0%
                                    EoM                            0         0%

                                    IPv6                        2849         1%
                                    IPv4 mcast                     3         1%
                                    IPv6 mcast                    59         1%

            Adjacency usage:                     Total        Used       %Used
                                               1048576        5045         1%

     Forwarding engine load:
                     Module       pps   peak-pps                     peak-time
                     5        4440416   10849623  12:44:28 CEST Mon Dec 21 2009

Thanks!
Andy

From globichen at gmail.com Tue Feb 9 08:20:06 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 14:20:06 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209130421.GA27687@mx.ytti.net>
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net>
Message-ID:

On Tue, Feb 9, 2010 at 2:04 PM, Saku Ytti wrote:
> Could you try to catch this when the five second value is >40% so we'll see
> what is causing the load. Currently whatever is happening, is not
> happening.

Actually, last time when the core started to become very unresponsive,
CPU load was lower than usual - 12-15%.
Except when it was re-establishing BGP sessions with transit customers,
then it went up to 99% for quite a while, but that is normal.

> Output 5s sorted list.
>
>>                      Module       pps   peak-pps                     peak-time
>>                      5        4443376   10849623  12:44:28 CEST Mon Dec 21 2009
>
> 10Mpps peak, well within limits of CFC system, so you're not anywhere near
> the performance limits.
>
>> Netflow Resources
>>           TCAM utilization:       Module       Created      Failed       %Used
>>                                   5             262020           0        100%
>
> Netflow full, highly typical and nothing to worry about.
>
>> I do see input drops - what does that mean?
>
> It means that you got more packets towards software than buffers could
> hold, default is 75 packets, which is way too little for even some normal
> situations, such as BGP, especially route reflector use.
> If it is normal, you should increase it to 1k or 2k.
>
> But it might also indicate that transit traffic is coming to control-plane,
> there are many tools 7600 offers to troubleshoot them. When you look at
> those interfaces where you see drops, do any of them display packets in
> input buffer /right now/, if so, you can use 'show buffers input-interface
> X header' to see what those packets are, which will go a long way to determine if
> they are normal or something to worry about.
>

Yes, here is some input buffer:

#show buffers input-interface te9/1 header

Buffer information for Small buffer at 0x5007A3A8
  data_area 0x806EBC4, refcount 1, next 0x454585E0, flags 0x280
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x4646B618 (TenGigabitEthernet9/1), if_output 0x0 (None)
  inputtime 47w4d (elapsed 00:00:47.772)
  outputtime 47w4d (elapsed 00:00:30.952), oqnumber 65535
  datagramstart 0x806EC3A, datagramsize 62, maximum size 308
  mac_start 0x806EC3A, addr_start 0x806EC3A, info_start 0x0
  network_start 0x806EC48, transport_start 0x806EC5C, caller_pc 0x4187C1F0

  source: x.x.72.173, destination: y.y.161.0, id: 0x611D, ttl: 120,
  TOS: 0 prot: 6, source port 60922, destination port 47743

#show buffers input-interface te9/2 header

Buffer information for Small buffer at 0x5002EA70
  data_area 0x802C2C4, refcount 1, next 0x5007DA28, flags 0x200
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x4646CC78 (TenGigabitEthernet9/2), if_output 0x0 (None)
  inputtime 47w4d (elapsed 00:00:54.296)
  outputtime 47w4d (elapsed 00:00:43.944), oqnumber 65535
  datagramstart 0x802C33A, datagramsize 70, maximum size 308
  mac_start 0x802C33A, addr_start 0x802C33A, info_start 0x0
  network_start 0x802C348, transport_start 0x802C35C, caller_pc 0x4187C1F0

  source: y.y.226.89, destination: x.x.160.112, id: 0x5ADD, ttl: 52,
  TOS: 0 prot: 6, source port 52067, destination port 18309

Changes all the time. Sometimes it is empty, but it seems rarely to be the case.

From noc at phibee.net Tue Feb 9 08:30:20 2010
From: noc at phibee.net (Phibee Network Operation Center)
Date: Tue, 09 Feb 2010 14:30:20 +0100
Subject: [c-nsp] Cisco 7401ASR ?
Message-ID: <4B71636C.2040704@phibee.net>

Hi,

I am searching for real information on the Cisco 7401ASR,
if you have one unit ;=)

I want to know if this Cisco has the same performance as the
Cisco 7204 with an NPE 400?

It supports MPLS, Interworking and EoMPLS.

Is it the same IOS as the Cisco 7204?

Thanks for your information.

Jerome

From saku at ytti.fi Tue Feb 9 08:32:24 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 15:32:24 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net>
Message-ID: <20100209133224.GA27783@mx.ytti.net>

On (2010-02-09 14:20 +0100), Andy B. wrote:

> source: x.x.72.173, destination: y.y.161.0, id: 0x611D, ttl: 120,
> TOS: 0 prot: 6, source port 60922, destination port 47743
>
> source: y.y.226.89, destination: x.x.160.112, id: 0x5ADD, ttl: 52,
> TOS: 0 prot: 6, source port 52067, destination port 18309
>
> Changes all the time. Sometimes it is empty, but it seems rarely to be the case.

Are these receive addresses in the router or transit?
sh mls cef lookup x.x.160.112 sh mls cef lookup x.x.160.112 detail sh mls cef adjacency entry 123 detail -- ++ytti From Charles.Church at harris.com Tue Feb 9 08:43:43 2010 From: Charles.Church at harris.com (Church, Charles) Date: Tue, 9 Feb 2010 08:43:43 -0500 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> Message-ID: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> Is it possible the NDE on the SP is the issue? I assume it's configured to export? What does a 'sh proc cpu hist' tell you on the RP and SP? Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B. Sent: Tuesday, February 09, 2010 8:09 AM To: Phil Mayers Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Best practice - Core vs Access Router On Tue, Feb 9, 2010 at 1:50 PM, Phil Mayers wrote: >> CPU load is fairly normal at 20-30% > > Is this average or during a performance event? What about the SP and any DFC > CPUs? This is average. Performance would go up to 99% if the BGP scanner is busy, but this does not happen very often. > > What linecards do you have in the box? #sh mod Mod Ports Card Type Model Serial No. 
--- ----- -------------------------------------- ------------------ ----------- 2 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAD082XXXXX 5 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL SAD084XXXXX 8 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE SAD114XXXXX 9 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE SAL110XXXXX Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 2 0012.435e.07f8 to 0012.435e.0827 2.0 12.2(14r)S5 12.2(18)SXF1 Ok 5 0011.21b9.ba54 to 0011.21b9.ba57 4.1 8.1(3) 12.2(18)SXF1 Ok 8 0001.0002.0003 to 0001.0002.0006 1.6 12.2(14r)S5 12.2(18)SXF1 Ok 9 001a.6c97.d074 to 001a.6c97.d077 2.5 12.2(14r)S5 12.2(18)SXF1 Ok Mod Sub-Module Model Serial Hw Status ---- --------------------------- ------------------ ----------- ------- ------- 2 Centralized Forwarding Card WS-F6700-CFC SAL083XXXXX 2.0 Ok 5 Policy Feature Card 3 WS-F6K-PFC3BXL SAD084XXXXX 1.4 Ok 5 MSFC3 Daughterboard WS-SUP720 SAD084XXXXX 2.2 Ok 8 Centralized Forwarding Card WS-F6700-CFC SAL114XXXXX 2.0 Ok 9 Centralized Forwarding Card WS-F6700-CFC SAL110XXXXX 2.1 Ok Mod Online Diag Status ---- ------------------- 2 Pass 5 Pass 8 Pass 9 Pass > > > sh mls cef maximum-routes > sh mls cef summary #sh mls cef maximum-routes FIB TCAM maximum routes : ======================= Current :- ------- IPv4 + MPLS - 512k (default) IPv6 + IP Multicast - 256k (default) #sh mls cef summary Total routes: 317940 IPv4 unicast routes: 315089 IPv4 Multicast routes: 3 MPLS routes: 0 IPv6 unicast routes: 2848 IPv6 multicast routes: 59 EoM routes: 0 > > You say "so that the new router can handle these many MAC addresses"; do you > have any reason to believe that MAC or adjacency table size is the problem? > The 6500 can handle 64k MAC addresses at layer2 and variable numbers of > ARP/layer3 adjacencies. No, I have no reason. 
I is just a desperate measure, because despite plenty of research I could not find out what is causing my core to become so unresponsive at management and BGP/OSPF level. > It could be ICMP redirects, or layer2 loops downstream. How would I detect that? > > How often are these performance problems occurring? Is anything logged on > the router at the time? What does the output of: It's at peak times, usually in the evening hours when there is a lot of traffic. It never happens in the afternoon or late at night - really only when we reached a certain amount of traffic or packets. > sh proc cpu | ex 0.00 > remote command switch sh proc cpu | ex 0.00 > sh platform hardware capacity forwarding > > ...say after a window of poor performance? How long do the events last? It's not peak time yet, but here the current results: #sh proc cpu sort | e 0.00 CPU utilization for five seconds: 19%/7%; one minute: 35%; five minutes: 32% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 286 91421068 67890635 1346 0.71% 4.54% 3.63% 0 BGP Router 322 27520 15152 1816 0.71% 0.33% 0.27% 1 SSH Process 281 84729936 609049960 139 0.55% 0.20% 0.21% 0 Port manager per 175 83539116 11590722 7207 0.47% 0.27% 0.25% 0 IPC LC Message H 169 98408344 5822966 16900 0.31% 0.31% 0.31% 0 Adj Manager 180 64247088 51118007 1256 0.23% 0.21% 0.19% 0 CEF process 9 92311304 220943432 417 0.15% 0.29% 0.35% 0 ARP Input 320 18664520 124379650 150 0.15% 2.57% 1.67% 0 BGP I/O #remote command switch sh proc cpu | ex 0.00 CPU utilization for five seconds: 56%/16%; one minute: 45%; five minutes: 51% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 42 11658287002654567248 439 3.51% 3.87% 3.84% 0 slcp process 102 575122192 14545925 39538 1.75% 1.87% 1.93% 0 Vlan Statistics 106 184036308 36158906 5089 1.19% 0.62% 0.61% 0 FIB Control Time 127 37679084 135489087 278 0.07% 0.10% 0.11% 0 Spanning Tree 187 12308164 3092196 3980 0.07% 0.03% 0.05% 0 v6fib stat colle 232 60786688 23931437 2540 0.15% 0.16% 0.17% 0 
Env Poll 243 11847844 2874615 4121 0.07% 0.04% 0.05% 0 Const MPLS Stats 248 3799960368 673218956 5644 12.23% 13.87% 16.79% 0 NDE - IPV4 254 10876832 145705655 74 0.07% 0.06% 0.06% 0 DiagCard9/-1 257 79331296 46446985 1707 0.23% 0.19% 0.21% 0 CEF process #sh platform hardware capacity forwarding L2 Forwarding Resources MAC Table usage: Module Collisions Total Used %Used 5 0 65536 3386 5% VPN CAM usage: Total Used %Used 512 0 0% L3 Forwarding Resources FIB TCAM usage: Total Used %Used 72 bits (IPv4, MPLS, EoM) 524288 315005 60% 144 bits (IP mcast, IPv6) 262144 2911 1% detail: Protocol Used %Used IPv4 315005 60% MPLS 0 0% EoM 0 0% IPv6 2849 1% IPv4 mcast 3 1% IPv6 mcast 59 1% Adjacency usage: Total Used %Used 1048576 5045 1% Forwarding engine load: Module pps peak-pps peak-time 5 4440416 10849623 12:44:28 CEST Mon Dec 21 2009 Thanks! Andy _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6595 bytes Desc: not available URL: From globichen at gmail.com Tue Feb 9 08:45:25 2010 From: globichen at gmail.com (Andy B.) Date: Tue, 9 Feb 2010 14:45:25 +0100 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <20100209133224.GA27783@mx.ytti.net> References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net> <20100209133224.GA27783@mx.ytti.net> Message-ID: > Are these receive addresses in the router or transit? 
> > sh mls cef lookup x.x.160.112 > sh mls cef lookup x.x.160.112 detail > > sh mls cef adjacency entry 123 detail > #show buffers input-interface te9/1 header Buffer information for Small buffer at 0x50070DC8 data_area 0x80667C4, refcount 1, next 0x45475F58, flags 0x280 linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1 if_input 0x4646B618 (TenGigabitEthernet9/1), if_output 0x0 (None) inputtime 47w4d (elapsed 00:00:09.252) outputtime 47w4d (elapsed 00:03:54.772), oqnumber 65535 datagramstart 0x806683A, datagramsize 62, maximum size 308 mac_start 0x806683A, addr_start 0x806683A, info_start 0x0 network_start 0x8066848, transport_start 0x8066878, caller_pc 0x4187C1F0 source: x.x.224.116, destination: y.y.176.97, id: 0x79FD, ttl: 121, TOS: 0 prot: 6, source port 2844, destination port 445 x.x = outside y.y = server connected to the core #sh mls cef lookup x.x.224.116 Codes: decap - Decapsulation, + - Push Label Index Prefix Adjacency 298605 x.x.192.0/18 Te9/1 , 0022.5517.0f00 #sh mls cef lookup y.y.176.97 Codes: decap - Decapsulation, + - Push Label Index Prefix Adjacency 20304 y.y.176.0/24 glean BCS#sh mls cef lookup y.y.176.97 detail Codes: M - mask entry, V - value entry, A - adjacency index, P - priority bit D - full don't switch, m - load balancing modnumber, B - BGP Bucket sel V0 - Vlan 0,C0 - don't comp bit 0,V1 - Vlan 1,C1 - don't comp bit 1 RVTEN - RPF Vlan table enable, RVTSEL - RPF Vlan table select Format: IPV4_DA - (8 | xtag vpn pi cr recirc tos prefix) Format: IPV4_SA - (9 | xtag vpn pi cr recirc prefix) M(20304 ): E | 1 FFF 0 0 0 0 255.255.255.0 V(20304 ): 8 | 1 0 0 0 0 0 y.y.176.0 (A:14 ,P:1,D:0,m:0 ,B:0 ) From saku at ytti.fi Tue Feb 9 08:45:29 2010 From: saku at ytti.fi (Saku Ytti) Date: Tue, 9 Feb 2010 15:45:29 +0200 Subject: [c-nsp] Cisco 7401ASR ? 
In-Reply-To: <4B71636C.2040704@phibee.net>
References: <4B71636C.2040704@phibee.net>
Message-ID: <20100209134529.GA27827@mx.ytti.net>

On (2010-02-09 14:30 +0100), Phibee Network Operation Center wrote:

> I am searching for real information on the Cisco 7401ASR,
> if you have one unit ;=)
>
> I want to know if this Cisco has the same performance as the
> Cisco 7204 with an NPE 400?

The ASR was the second product to be blessed (or cursed) with the toaster
chip, a.k.a. PXF. Like the first product, the NSE-1, it was a failure, and
newer software will disable PXF and won't allow enabling it, so everything
will be software switched, like in the NPE400; performance is below the NPE300.

> It supports MPLS, Interworking and EoMPLS.
>
> Is it the same IOS as the Cisco 7204?

No. Also it is an EOL platform, and as the price for a gray NPE300 is
ridiculously small, I personally wouldn't accept even free ASRs.

--
  ++ytti

From linux.yahoo at gmail.com Tue Feb 9 08:47:48 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 14:47:48 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References:
Message-ID: <7100ed371002090547i342e8223u131077d5e0fd9cc6@mail.gmail.com>

Too much BGP and traffic for your (old) 6509 router (even with 3BXL).
If you have the budget, I would push for a Cisco ASR or Juniper M core.

R/
Manu

From saku at ytti.fi Tue Feb 9 08:47:51 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 15:47:51 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net> <20100209133224.GA27783@mx.ytti.net>
Message-ID: <20100209134751.GB27827@mx.ytti.net>

On (2010-02-09 14:45 +0100), Andy B. wrote:

> #sh mls cef lookup y.y.176.97
>
> Codes: decap - Decapsulation, + - Push Label
> Index   Prefix                  Adjacency
> 20304   y.y.176.0/24            glean

Ok, it is punted to resolve its MAC address. You could try
'mls rate-limit unicast cef glean 200 50' to limit glean to 200pps.
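An added example, not code from the thread or from anyone posting in it: a small Python tool that does mechanically what the two Saku/Andy exchanges above do by hand. It parses 'show buffers input-interface X header' dumps and labels each packet found in the RP input buffer by the reason it plausibly reached software: RECEIVE (an address the router owns, or a connected subnet's network/broadcast address, for which CEF also installs receive entries), TTL_EXPIRED (TTL 0 or 1, punted to generate ICMP time exceeded), GLEAN (connected subnet, no ARP entry, so the packet was punted to trigger ARP, as the 'glean' adjacency in the lookup above shows), or TRANSIT (should have been switched in hardware; investigate). The router addresses, connected subnet, ARP table and the sample dump are constructed assumptions (RFC 5737 addresses); on a real box they would come from 'show ip int brief', 'show ip route connected', 'show ip arp' and the buffer command, and the regexes are written for the header format visible in the thread.

```python
"""Classify packets sitting in a 6500/7600 RP input buffer.

Added example for this thread (not from any poster). Parses the output of
'show buffers input-interface <if> header' and labels each IP packet by the
reason it plausibly reached the route processor instead of being hardware
switched:

  RECEIVE      destination is an address the router itself owns, or a
               connected subnet's network/broadcast address (CEF installs
               receive entries for those too)
  TTL_EXPIRED  TTL of 0 or 1: punted so the RP can send ICMP time exceeded
  GLEAN        destination is in a connected subnet but has no ARP entry, so
               the packet was punted to trigger ARP resolution
  TRANSIT      resolved or remote destination: should have been switched in
               hardware, so worth a closer look

The router facts and the sample dump below are constructed assumptions
(RFC 5737 documentation addresses).
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed: what the router owns, what is directly connected, what ARP has
# already resolved. On a real box: show ip int brief / show ip route connected /
# show ip arp.
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "198.51.100.1")}
CONNECTED = [ipaddress.ip_network("198.51.100.0/24")]
ARP_KNOWN = {ipaddress.ip_address("198.51.100.5")}

# Constructed sample dump in the format the thread shows.
SAMPLE_DUMP = """\
Buffer information for Small buffer at 0x50070DC8
  data_area 0x80667C4, refcount 1, next 0x45475F58, flags 0x280
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x4646B618 (TenGigabitEthernet9/1), if_output 0x0 (None)
  source: 203.0.113.116, destination: 198.51.100.97, id: 0x79FD, ttl: 121, TOS: 0
  prot: 6, source port 2844, destination port 445
Buffer information for Small buffer at 0x5007A3A8
  if_input 0x4646B618 (TenGigabitEthernet9/1), if_output 0x0 (None)
  source: 203.0.113.116, destination: 198.51.100.98, id: 0x79FE, ttl: 121, TOS: 0
  prot: 6, source port 2845, destination port 445
Buffer information for Small buffer at 0x5002EA70
  if_input 0x4646CC78 (TenGigabitEthernet9/2), if_output 0x0 (None)
  source: 198.51.100.5, destination: 192.0.2.1, id: 0x5ADD, ttl: 52, TOS: 192
  prot: 6, source port 52067, destination port 179
Buffer information for Small buffer at 0x5002EB00
  if_input 0x4646CC78 (TenGigabitEthernet9/2), if_output 0x0 (None)
  source: 203.0.113.9, destination: 203.0.113.77, id: 0x0001, ttl: 1, TOS: 0
  prot: 17, source port 33434, destination port 33435
Buffer information for Small buffer at 0x5002EC00
  if_input 0x4646CC78 (TenGigabitEthernet9/2), if_output 0x0 (None)
  source: 203.0.113.9, destination: 203.0.113.77, id: 0x0002, ttl: 57, TOS: 0
  prot: 6, source port 40000, destination port 80
"""

IF_RE = re.compile(r"if_input 0x[0-9A-Fa-f]+ \(([^)]+)\)")
# \s+ lets the 'ttl: N,' / 'TOS: N' pair wrap onto a second line, as it does
# in the pasted output.
IP_RE = re.compile(r"source: ([\d.]+), destination: ([\d.]+), id: 0x[0-9A-Fa-f]+,"
                   r"\s+ttl: (\d+),\s+TOS: (\d+)")
L4_RE = re.compile(r"prot: (\d+), source port (\d+), destination port (\d+)")


def parse_buffers(dump):
    """One record per buffer; buffers without an IP header line are skipped."""
    records = []
    for chunk in dump.split("Buffer information for")[1:]:
        ip = IP_RE.search(chunk)
        if not ip:
            continue  # ARP, CDP or a truncated buffer: nothing to classify
        iface = IF_RE.search(chunk)
        l4 = L4_RE.search(chunk)
        records.append({
            "if_input": iface.group(1) if iface else "?",
            "src": ip.group(1),
            "dst": ip.group(2),
            "ttl": int(ip.group(3)),
            "tos": int(ip.group(4)),
            "proto": int(l4.group(1)) if l4 else None,
            "sport": int(l4.group(2)) if l4 else None,
            "dport": int(l4.group(3)) if l4 else None,
        })
    return records


def classify(rec, router_addrs=ROUTER_ADDRS, connected=CONNECTED, arp_known=ARP_KNOWN):
    """Why is this packet in software? RECEIVE is tested before TTL because a
    directly connected eBGP peer legitimately sends TTL 1 to our own address."""
    dst = ipaddress.ip_address(rec["dst"])
    if dst in router_addrs:
        return "RECEIVE"
    for net in connected:
        if dst in net and dst in (net.network_address, net.broadcast_address):
            return "RECEIVE"
    if rec["ttl"] <= 1:
        return "TTL_EXPIRED"
    for net in connected:
        if dst in net:
            return "TRANSIT" if dst in arp_known else "GLEAN"
    return "TRANSIT"


def summarize(records, **kw):
    """Return (count per class, GLEAN punts per (source, destination port)).
    One source sweeping a connected /24 on one port is the scan pattern that
    eats the glean budget and surfaces as input drops on the uplink."""
    by_class = Counter()
    glean_by_src = Counter()
    for rec in records:
        cls = classify(rec, **kw)
        rec["class"] = cls
        by_class[cls] += 1
        if cls == "GLEAN":
            glean_by_src[(rec["src"], rec["dport"])] += 1
    return by_class, glean_by_src


if __name__ == "__main__":
    # Pipe real 'show buffers input-interface X header' output on stdin, or
    # run with no input to see the constructed sample classified.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    recs = parse_buffers(text)
    by_class, glean_by_src = summarize(recs)
    for r in recs:
        print(f"{r['class']:<12} {r['if_input']:<22} {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} proto={r['proto']} ttl={r['ttl']}")
    print("\nby class:", dict(by_class))
    for (src, dport), n in glean_by_src.most_common(5):
        print(f"glean punts from {src} to port {dport}: {n}")
```

Run against the constructed sample this yields two GLEAN punts from one outside host walking the server subnet on port 445, one legitimate RECEIVE (BGP to the router), one TTL_EXPIRED (a traceroute probe) and one TRANSIT packet that had no business in software. Many GLEAN hits from a single source is exactly the case the glean rate limiter above is meant for; a growing TRANSIT count points at a CEF or adjacency problem rather than a normal punt, and is what the 'sh mls cef lookup' checks in the thread then confirm.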
However, we can't prove the problem you saw was due to excessive packets to
glean adjacencies.

--
  ++ytti

From globichen at gmail.com Tue Feb 9 08:50:12 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 14:50:12 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
Message-ID:

On Tue, Feb 9, 2010 at 2:43 PM, Church, Charles wrote:
> Is it possible the NDE on the SP is the issue?  I assume it's configured to
> export?  What does a 'sh proc cpu hist' tell you on the RP and SP?
>
> Chuck

I can almost certainly rule that out. Last time this happened I turned
off NDE, but it did not change much.

Here is the result anyway:

#sh proc cpu hist
2222222288888555511111111111111111111111111111111111111113 4448888844444666677777444446666655555666667777777777999999 100 90 80 ***** 70 ***** 60 ********* 50 ********* 40 ********* * 30 ************** * 20 ********************** ******************************* 10 ********************************************************** 0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per second (last 60 seconds)

1 1 1 1
7907999979978997999980999998999899899097889889978997088899
4509292289154946699800675905966199809044339839881997055793
100 ** * * * **** ***** *** ** ** * ** ** * *
90 ** **** ** ** **** ********** ******* ** ** ** ******
80 ************************************** ******************
70 **********************************************************
60 **********************************************************
50 *******************************************************##*
40 ****************#**************************************###
30 #################*########################################
20 ##########################################################
10 ##########################################################
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%

1111111111111111111111111111111111111111111111111111111111111111111111
0000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000
100 **********************************************************************
90 **********************************************************************
80 **********************************************************************
70 *******#**********************##**************************************
60 *******#**********************##**************************************
50 ******###*********************###******#********************#*********
40 #*##**###*#**##***#**#***#****###***##*#****#*****#**##**#####********
30 #####*######*##########*###**#####*#####***####################***####
20 ######################################################################
10 ######################################################################
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%

#remote command switch sh proc cpu hist

3333322222222226666677777333331111222223333322222666667777
1111155555999990000077777000005555999997777755555777776666
100
90
80 ***** ****
70 ***** *********
60 ********** *********
50 ********** *********
40 ********** ***** *********
30 ****************************** ************************
20 **********************************************************
10 **********************************************************
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per second (last 60 seconds)

7977778888889999975798767688889888888988788888998988998878
7046543783562032129590344605798023115098878663008368337698
100 * *
90 * ** ******* * **** **** **** ********** *
80 ** ** #****##*#** *#* ***##****************####*******
70 ******#****##*#*** *#** *****##******#*********#####******
60 ******##***##*#*#***#*******####*****#******#*######*****#
50 ******##***##*###***##******####**#**##****##*######***#*#
40 ##################*###****################################
30 ##########################################################
20 ##########################################################
10 ##########################################################
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%

1111 1 1 1
9999999999999900009999999999999999999999899889998999909999999880908999
8968979889989900007367999999989999979583747981479337809999993870907900
100 ******************* ******************* * * ********* *** *
90 **********************************************************************
80 **********************************************************************
70 ****#*****************************************************************
60 **#*#*#######************##*#*######****************###***************
50 #################****#################************########************
40 ########################################*******###############*###***#
30 ######################################################################
20 ######################################################################
10 ######################################################################
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%

From linux.yahoo at gmail.com  Tue Feb  9 08:51:04 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 14:51:04 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
Message-ID: <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>

For sure it may be possible to reduce/optimise the routing

But in all cases you will hit the platform limit ;(

Full Internet routing costs a lot

On Tue, Feb 9, 2010 at 2:43 PM, Church, Charles wrote:
> Is it possible the NDE on the SP is the issue? I assume it's configured to
> export? What does a 'sh proc cpu hist' tell you on the RP and SP?
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
> Sent: Tuesday, February 09, 2010 8:09 AM
> To: Phil Mayers
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Best practice - Core vs Access Router
>
> On Tue, Feb 9, 2010 at 1:50 PM, Phil Mayers wrote:
> >> CPU load is fairly normal at 20-30%
> >
> > Is this average or during a performance event? What about the SP and any
> > DFC CPUs?
>
> This is average. Performance would go up to 99% if the BGP scanner is
> busy, but this does not happen very often.
>
> > What linecards do you have in the box?
>
> #sh mod
> Mod Ports Card Type                              Model              Serial No.
> --- ----- -------------------------------------- ------------------ -----------
>   2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAD082XXXXX
>   5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAD084XXXXX
>   8    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAD114XXXXX
>   9    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL110XXXXX
>
> Mod MAC addresses                       Hw    Fw           Sw           Status
> --- ---------------------------------- ------ ------------ ------------ -------
>   2  0012.435e.07f8 to 0012.435e.0827   2.0   12.2(14r)S5  12.2(18)SXF1 Ok
>   5  0011.21b9.ba54 to 0011.21b9.ba57   4.1   8.1(3)       12.2(18)SXF1 Ok
>   8  0001.0002.0003 to 0001.0002.0006   1.6   12.2(14r)S5  12.2(18)SXF1 Ok
>   9  001a.6c97.d074 to 001a.6c97.d077   2.5   12.2(14r)S5  12.2(18)SXF1 Ok
>
> Mod  Sub-Module                  Model              Serial       Hw     Status
> ---- --------------------------- ------------------ ----------- ------- -------
>   2  Centralized Forwarding Card WS-F6700-CFC       SAL083XXXXX  2.0    Ok
>   5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD084XXXXX  1.4    Ok
>   5  MSFC3 Daughterboard         WS-SUP720          SAD084XXXXX  2.2    Ok
>   8  Centralized Forwarding Card WS-F6700-CFC       SAL114XXXXX  2.0    Ok
>   9  Centralized Forwarding Card WS-F6700-CFC       SAL110XXXXX  2.1    Ok
>
> Mod  Online Diag Status
> ---- -------------------
>   2  Pass
>   5  Pass
>   8  Pass
>   9  Pass
>
> > sh mls cef maximum-routes
> > sh mls cef summary
>
> #sh mls cef maximum-routes
> FIB TCAM maximum routes :
> =======================
> Current :-
> -------
>  IPv4 + MPLS         - 512k (default)
>  IPv6 + IP Multicast - 256k (default)
>
> #sh mls cef summary
>
> Total routes:                     317940
>     IPv4 unicast routes:          315089
>     IPv4 Multicast routes:        3
>     MPLS routes:                  0
>     IPv6 unicast routes:          2848
>     IPv6 multicast routes:        59
>     EoM routes:                   0
>
> > You say "so that the new router can handle these many MAC addresses"; do you
> > have any reason to believe that MAC or adjacency table size is the problem?
> > The 6500 can handle 64k MAC addresses at layer2 and variable numbers of
> > ARP/layer3 adjacencies.
>
> No, I have no reason. It is just a desperate measure, because despite
> plenty of research I could not find out what is causing my core to
> become so unresponsive at management and BGP/OSPF level.
>
> > It could be ICMP redirects, or layer2 loops downstream.
>
> How would I detect that?
>
> > How often are these performance problems occurring? Is anything logged on
> > the router at the time? What does the output of:
>
> It's at peak times, usually in the evening hours when there is a lot
> of traffic. It never happens in the afternoon or late at night -
> really only when we reached a certain amount of traffic or packets.
>
> > sh proc cpu | ex 0.00
> > remote command switch sh proc cpu | ex 0.00
> > sh platform hardware capacity forwarding
> >
> > ...say after a window of poor performance? How long do the events last?
>
> It's not peak time yet, but here the current results:
>
> #sh proc cpu sort | e 0.00
> CPU utilization for five seconds: 19%/7%; one minute: 35%; five minutes: 32%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>  286    91421068  67890635       1346  0.71%  4.54%  3.63%   0 BGP Router
>  322       27520     15152       1816  0.71%  0.33%  0.27%   1 SSH Process
>  281    84729936 609049960        139  0.55%  0.20%  0.21%   0 Port manager per
>  175    83539116  11590722       7207  0.47%  0.27%  0.25%   0 IPC LC Message H
>  169    98408344   5822966      16900  0.31%  0.31%  0.31%   0 Adj Manager
>  180    64247088  51118007       1256  0.23%  0.21%  0.19%   0 CEF process
>    9    92311304 220943432        417  0.15%  0.29%  0.35%   0 ARP Input
>  320    18664520 124379650        150  0.15%  2.57%  1.67%   0 BGP I/O
>
> #remote command switch sh proc cpu | ex 0.00
>
> CPU utilization for five seconds: 56%/16%; one minute: 45%; five minutes: 51%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>   42 11658287002654567248        439  3.51%  3.87%  3.84%   0 slcp process
>  102   575122192  14545925      39538  1.75%  1.87%  1.93%   0 Vlan Statistics
>  106   184036308  36158906       5089  1.19%  0.62%  0.61%   0 FIB Control Time
>  127    37679084 135489087        278  0.07%  0.10%  0.11%   0 Spanning Tree
>  187    12308164   3092196       3980  0.07%  0.03%  0.05%   0 v6fib stat colle
>  232    60786688  23931437       2540  0.15%  0.16%  0.17%   0 Env Poll
>  243    11847844   2874615       4121  0.07%  0.04%  0.05%   0 Const MPLS Stats
>  248  3799960368 673218956       5644 12.23% 13.87% 16.79%   0 NDE - IPV4
>  254    10876832 145705655         74  0.07%  0.06%  0.06%   0 DiagCard9/-1
>  257    79331296  46446985       1707  0.23%  0.19%  0.21%   0 CEF process
>
> #sh platform hardware capacity forwarding
> L2 Forwarding Resources
>   MAC Table usage:   Module  Collisions  Total    Used  %Used
>                           5           0  65536    3386     5%
>
>   VPN CAM usage:                        Total    Used  %Used
>                                           512       0     0%
> L3 Forwarding Resources
>   FIB TCAM usage:                       Total    Used  %Used
>     72 bits (IPv4, MPLS, EoM)          524288  315005    60%
>    144 bits (IP mcast, IPv6)           262144    2911     1%
>
>   detail:      Protocol                  Used  %Used
>                IPv4                    315005    60%
>                MPLS                         0     0%
>                EoM                          0     0%
>                IPv6                      2849     1%
>                IPv4 mcast                   3     1%
>                IPv6 mcast                  59     1%
>
>   Adjacency usage:                      Total    Used  %Used
>                                       1048576    5045     1%
>
> Forwarding engine load:
>   Module   pps       peak-pps  peak-time
>   5        4440416   10849623  12:44:28 CEST Mon Dec 21 2009
>
> Thanks!
>
> Andy
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From globichen at gmail.com  Tue Feb  9 08:54:19 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 14:54:19 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID:

On Tue, Feb 9, 2010 at 2:51 PM, Manu Chao wrote:
> For sure it may be possible to reduce/optimise the routing
>
> But in all cases you will hit the platform limit ;(
>
> Full Internet routing costs a lot

I have other cores that do 40 times more BGP and they work like a charm,
with the exception that they do not have a few thousand servers
connected to them. Only customers with routers.
These routers are similar to this 6509, so nothing better or worse.
Andy

From linux.yahoo at gmail.com  Tue Feb  9 09:09:04 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 15:09:04 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <7100ed371002090609y401da163h5c0a9d47463434b3@mail.gmail.com>

trust me, change your design:

- Core / Internet (ASR or Juniper)
- Distribution / Datacenter (6509)

with a default dynamic route from your Core to your Distribution

On Tue, Feb 9, 2010 at 2:54 PM, Andy B. wrote:
> On Tue, Feb 9, 2010 at 2:51 PM, Manu Chao wrote:
> > For sure it may be possible to reduce/optimise the routing
> >
> > But in all cases you will hit the platform limit ;(
> >
> > Full Internet routing costs a lot
>
> I have other cores that do 40 times more BGP and they work like a charm,
> with the exception that they do not have a few thousand servers
> connected to them. Only customers with routers.
> These routers are similar to this 6509, so nothing better or worse.
>
> Andy

From linux.yahoo at gmail.com  Tue Feb  9 09:11:37 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 15:11:37 +0100
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <20100209134529.GA27827@mx.ytti.net>
References: <4B71636C.2040704@phibee.net> <20100209134529.GA27827@mx.ytti.net>
Message-ID: <7100ed371002090611w7ede2ec1tcd76770d7755449a@mail.gmail.com>

new ASRs are better ;)

On Tue, Feb 9, 2010 at 2:45 PM, Saku Ytti wrote:
> On (2010-02-09 14:30 +0100), Phibee Network Operation Center wrote:
>
> > I am looking for real information on the Cisco 7401ASR,
> > if you have one unit ;=)
> >
> > I want to know if this Cisco has the same performance as the
> > Cisco 7204 with an NPE 400?
>
> ASR was the second product to be blessed (or cursed) with the toaster
> chip a.k.a. PXF.
> Like the first product, NSE-1, it was a failure, and newer software will disable and
> won't allow enabling PXF, so everything will be software switched, like in
> NPE400; performance is below NPE300.
>
> > It supports MPLS, Interworking and EoMPLS
> >
> > Is it the same IOS as the Cisco 7204?
>
> No. Also it is an EOL platform, and as the price for a gray NPE300 is ridiculously
> small I personally wouldn't accept even free ASRs.
>
> --
> ++ytti

From jlewis at lewis.org  Tue Feb  9 09:13:08 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 9 Feb 2010 09:13:08 -0500 (EST)
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References:
Message-ID:

On Tue, 9 Feb 2010, Andy B. wrote:

> I am running one 6509 as a core router:
>
> IOS: SXF15a
> 1x WS-SUP720-3BXL
> 1x WS-X6748-GE-TX
> 2x WS-X6704-10GE
>
> On this core I am doing BGP with 2 upstreams (full BGP table IN) and
> 10 downstreams (full BGP table OUT).
> I am also doing OSPF with 4 other core routers in this AS.
>
> On top of that there is one VLAN on this core that serves as a default
> gateway for approximately 5000 servers, producing around 30 GBps
> outbound traffic and 10 GBps inbound.

If all of that traffic is transiting between the 6748 and 6704s, is it
possible you're filling (perhaps overfilling) the 40Gbps fabric the 6748 has
to the rest of the chassis during short traffic spikes?

With that much going on, I'm surprised you're using a single 6509 vs having
things split between a pair or more of them. Put some transit and some
customers on each...that way if one has an issue, needs a software upgrade,
etc., you can do a reload without the network going completely offline. Or
are you already doing that, and the troubled 6509 is just one of multiple?
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From saku at ytti.fi  Tue Feb  9 09:19:24 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 16:19:24 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090547i342e8223u131077d5e0fd9cc6@mail.gmail.com>
References: <7100ed371002090547i342e8223u131077d5e0fd9cc6@mail.gmail.com>
Message-ID: <20100209141924.GA27965@mx.ytti.net>

On (2010-02-09 14:47 +0100), Manu Chao wrote:
> Too much BGP and traffic for your (old) 6509 router (even if with 3BXL).
>
> If you have the budget, i would push for Cisco ASR or Juniper M Core

There is nothing in the data that supports your remark; the router's peak pps
rate is below CFC system performance and there is plenty of TCAM space free.
Also I welcome you to look into JNPR MX, instead of M.

--
++ytti

From drew.weaver at thenap.com  Tue Feb  9 09:20:47 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 9 Feb 2010 09:20:47 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru>
Message-ID:

Are you rate limiting ttl failures?

mls rate-limit all ttl-failure 100 10

thanks,
-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
Sent: Tuesday, February 09, 2010 7:22 AM
To: Sergey Nikitin
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

CPU load is fairly normal at 20-30%
No congestion. Most links are under 50%.

I have no Control Plane Policies in place, but I have already been advised to do so - this might help, right?

Redesigning the network and shifting the busy (uncongested!) VLAN to another router seemed like the only choice we have left, unless this CPP can help?

Andy

On Tue, Feb 9, 2010 at 12:15 PM, Sergey Nikitin wrote:
>
> May be you should try to find out what is the reason of the packet loss? Is there a high CPU load? Do you have control-plane configured? Do you have traffic congestion? May be you don't really need to redesign your network.
>
>
> Andy B. wrote:
>>
>> I am running one 6509 as a core router:
>>
>> IOS: SXF15a
>> 1x WS-SUP720-3BXL
>> 1x WS-X6748-GE-TX
>> 2x WS-X6704-10GE
>>
>> On this core I am doing BGP with 2 upstreams (full BGP table IN) and
>> 10 downstreams (full BGP table OUT).
>> I am also doing OSPF with 4 other core routers in this AS.
>>
>> On top of that there is one VLAN on this core that serves as a default
>> gateway for approximately 5000 servers, producing around 30 GBps
>> outbound traffic and 10 GBps inbound.
>>
>> Recently I noticed that this core router becomes very unresponsive
>> from time to time, dropping OSPF and BGP sessions (hold time expired
>> and so on). SNMP generated stats become useless as well, because most
>> SNMP requests to that core are timing out. It's really just the core
>> that is rather slow, but reachability to my customers and from my
>> customers to the internet remains perfect. Pinging the loopback
>> interface of the core or any default gateway IP address of the busy
>> VLAN can show up to 60% packet loss
>>
>> Therefore I was thinking to split the core and move this very active
>> VLAN to a different router behind the core and only add a static route
>> to the core, so that the new router can handle these many MAC
>> addresses and hopefully get my core more responsive again.
>>
>> Does this scenario make any sense at all? Is it wise to have one core
>> router with many transit (in and out) BGP sessions also act as an
>> access router / default gateway for several thousand servers? What is
>> usually the best practice here?
>>
>> Thank you for your clues.
>>
>> Andy
>>
>

From swmike at swm.pp.se  Tue Feb  9 09:21:48 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 9 Feb 2010 15:21:48 +0100 (CET)
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <4B71636C.2040704@phibee.net>
References: <4B71636C.2040704@phibee.net>
Message-ID:

On Tue, 9 Feb 2010, Phibee Network Operation Center wrote:

> Is it the same IOS as the Cisco 7204?

If it's anything like the 7120, then it won't take regular 7200 IOS images.
7401 went EoL end of 2009 and the latest IOS available on CCO seems to be
12.4(15)T11, so you won't see any new images after that would be my guess.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From globichen at gmail.com  Tue Feb  9 09:22:44 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 15:22:44 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References:
Message-ID:

On Tue, Feb 9, 2010 at 3:13 PM, Jon Lewis wrote:
> If all of that traffic is transiting between the 6748 and 6704s, is it
> possible you're filling (perhaps overfilling) the 40Gbps fabric the 6748 has
> to the rest of the chassis during short traffic spikes?

The 6748 is not really doing that much. Maybe 3-4 GBps.
Incoming Transit and IBGP comes with one 6704. The other 6704 is
port-channeled into the VLAN

> With that much going on, I'm surprised you're using a single 6509 vs having
> things split between a pair or more of them.
> Put some transit and some
> customers on each...that way if one has an issue, needs a software upgrade,
> etc., you can do a reload without the network going completely offline. Or
> are you already doing that, and the troubled 6509 is just one of multiple?

This is already partially the case - I am working on improvements here as well :)

Andy

From oldnick at oldnick.ru  Tue Feb  9 09:27:39 2010
From: oldnick at oldnick.ru (Sergey Nikitin)
Date: Tue, 09 Feb 2010 17:27:39 +0300
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
Message-ID: <4B7170DB.7010602@oldnick.ru>

What is the output of:

show platform hardware capacity interface
show fabric utilization detail

?

Andy B. wrote:
> On Tue, Feb 9, 2010 at 2:43 PM, Church, Charles wrote:
>> Is it possible the NDE on the SP is the issue? I assume it's configured to
>> export? What does a 'sh proc cpu hist' tell you on the RP and SP?
>>
>> Chuck
>
> I can almost certainly rule that out. Last time this happened I turned
> off NDE, but it did not change much.
>
> Here the result anyway:
>
> #sh proc cpu hist
>
> 2222222288888555511111111111111111111111111111111111111113
> 4448888844444666677777444446666655555666667777777777999999
> 100
> 90
> 80 *****
> 70 *****
> 60 *********
> 50 *********
> 40 ********* *
> 30 ************** *
> 20 ********************** *******************************
> 10 **********************************************************
> 0....5....1....1....2....2....3....3....4....4....5....5....
> 0 5 0 5 0 5 0 5 0 5
>
> CPU% per second (last 60 seconds)
>
> 1 1 1 1
> 7907999979978997999980999998999899899097889889978997088899
> 4509292289154946699800675905966199809044339839881997055793
> 100 ** * * * **** ***** *** ** ** * ** ** * *
> 90 ** **** ** ** **** ********** ******* ** ** ** ******
> 80 ************************************** ******************
> 70 **********************************************************
> 60 **********************************************************
> 50 *******************************************************##*
> 40 ****************#**************************************###
> 30 #################*########################################
> 20 ##########################################################
> 10 ##########################################################
> 0....5....1....1....2....2....3....3....4....4....5....5....
> 0 5 0 5 0 5 0 5 0 5
>
> CPU% per minute (last 60 minutes)
> * = maximum CPU% # = average CPU%
>
> 1111111111111111111111111111111111111111111111111111111111111111111111
> 0000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000000000000000000000000000000000000000
> 100 **********************************************************************
> 90 **********************************************************************
> 80 **********************************************************************
> 70 *******#**********************##**************************************
> 60 *******#**********************##**************************************
> 50 ******###*********************###******#********************#*********
> 40 #*##**###*#**##***#**#***#****###***##*#****#*****#**##**#####********
> 30 #####*######*##########*###**#####*#####***####################***####
> 20 ######################################################################
> 10 ######################################################################
> 0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
> 0 5 0 5 0 5 0 5 0 5 0 5 0
>
> CPU% per hour (last 72 hours)
> * = maximum CPU% # = average CPU%
>
> #remote command switch sh proc cpu hist
>
> 3333322222222226666677777333331111222223333322222666667777
> 1111155555999990000077777000005555999997777755555777776666
> 100
> 90
> 80 ***** ****
> 70 ***** *********
> 60 ********** *********
> 50 ********** *********
> 40 ********** ***** *********
> 30 ****************************** ************************
> 20 **********************************************************
> 10 **********************************************************
> 0....5....1....1....2....2....3....3....4....4....5....5....
> 0 5 0 5 0 5 0 5 0 5
>
> CPU% per second (last 60 seconds)
>
> 7977778888889999975798767688889888888988788888998988998878
> 7046543783562032129590344605798023115098878663008368337698
> 100 * *
> 90 * ** ******* * **** **** **** ********** *
> 80 ** ** #****##*#** *#* ***##****************####*******
> 70 ******#****##*#*** *#** *****##******#*********#####******
> 60 ******##***##*#*#***#*******####*****#******#*######*****#
> 50 ******##***##*###***##******####**#**##****##*######***#*#
> 40 ##################*###****################################
> 30 ##########################################################
> 20 ##########################################################
> 10 ##########################################################
> 0....5....1....1....2....2....3....3....4....4....5....5....
> 0 5 0 5 0 5 0 5 0 5
>
> CPU% per minute (last 60 minutes)
> * = maximum CPU% # = average CPU%
>
> 1111 1 1 1
> 9999999999999900009999999999999999999999899889998999909999999880908999
> 8968979889989900007367999999989999979583747981479337809999993870907900
> 100 ******************* ******************* * * ********* *** *
> 90 **********************************************************************
> 80 **********************************************************************
> 70 ****#*****************************************************************
> 60 **#*#*#######************##*#*######****************###***************
> 50 #################****#################************########************
> 40 ########################################*******###############*###***#
> 30 ######################################################################
> 20 ######################################################################
> 10 ######################################################################
> 0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
> 0 5 0 5 0 5 0 5 0 5 0 5 0
>
> CPU% per hour (last 72 hours)
> * = maximum CPU% # = average CPU%
>

From saku at ytti.fi  Tue Feb  9 09:27:52 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 16:27:52 +0200
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <7100ed371002090611w7ede2ec1tcd76770d7755449a@mail.gmail.com>
References: <4B71636C.2040704@phibee.net> <20100209134529.GA27827@mx.ytti.net> <7100ed371002090611w7ede2ec1tcd76770d7755449a@mail.gmail.com>
Message-ID: <20100209142752.GB27965@mx.ytti.net>

On (2010-02-09 15:11 +0100), Manu Chao wrote:
> new ASRs are better ;)

Indeed, but of course 7400, ASR1k and ASR9k have nothing in common, while the
name might suggest so, so 'new ASR' is a bit of a stretch.

ASR1k is popey/QFP, which is Cisco IP, AFAIK based on Tensilica di570t,
running IOS as a process on top of Linux.
ASR9k is EZchip NP(3c|4), which is a 3rd party NPU, with a fabric from the
Nexus 7k, running IOS-XR on top of QNX obviously.
7400 is plain old IOS, a purely software router today as toaster/PXF cannot
be enabled.

I think ASR1k is a very interesting platform for some applications, while
ASR9k as it is today is overshadowed by MX. CSCO will have to work hard to
bridge the gap.

>
> On Tue, Feb 9, 2010 at 2:45 PM, Saku Ytti wrote:
>
> > On (2010-02-09 14:30 +0100), Phibee Network Operation Center wrote:
> >
> > > I am looking for real information on the Cisco 7401ASR,
> > > if you have one unit ;=)
> > >
> > > I want to know if this Cisco has the same performance as the
> > > Cisco 7204 with an NPE 400?
> >
> > ASR was the second product to be blessed (or cursed) with the toaster
> > chip a.k.a. PXF.
> > Like the first product, NSE-1, it was a failure, and newer software will disable and
> > won't allow enabling PXF, so everything will be software switched, like in
> > NPE400; performance is below NPE300.
> >
> > > It supports MPLS, Interworking and EoMPLS
> > >
> > > Is it the same IOS as the Cisco 7204?
> >
> > No. Also it is an EOL platform, and as the price for a gray NPE300 is ridiculously
> > small I personally wouldn't accept even free ASRs.
> >
> > --
> > ++ytti
>

--
++ytti

From globichen at gmail.com  Tue Feb  9 09:28:26 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 15:28:26 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B7170DB.7010602@oldnick.ru>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru>
Message-ID:

On Tue, Feb 9, 2010 at 3:27 PM, Sergey Nikitin wrote:
> What is the output of:
>
> show platform hardware capacity interface
> show fabric utilization detail
>

#show platform hardware capacity interface
Interface Resources
  Interface drops:
    Module  Total drops:  Tx           Rx          Highest drop port:  Tx  Rx
    2                     21586995208  13878964                        13  24
    5                     0            6                                0   1
    8                     26023        459918169                        3   4
    9                     249981       480544167                        1   4
  Interface buffer sizes:
    Module  Bytes:  Tx buffer  Rx buffer
    2               1221120    152000
    8               14622592   1914304
    9               14622592   1914304

#show fabric utilization detail
Fabric utilization:     Ingress                Egress
    Module  Chanl  Speed  rate  peak           rate  peak
    2       0      20G      8%    0%             2%    0%
    2       1      20G     29%    0%            61%    0%
    5       0      20G     15%    0%            17%    0%
    8       0      20G     34%    0%             5%    0%
    8       1      20G      6%    0%            16%    0%
    9       0      20G     36%    0%             8%    0%
    9       1      20G     12%    0%            48%    0%

From brhedlun at cisco.com  Tue Feb  9 09:30:01 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Tue, 9 Feb 2010 08:30:01 -0600
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>
Message-ID: <8F2F3DB5-7970-41C4-969E-11445C507CDE@cisco.com>

The Nexus 2000->5000 design does require looking at things a bit differently than you have in the past. Data Center architecture is changing fast due to the rapid onset of Data Center virtualization.
Server & Storage administrators have been struggling with this change as well, this isn't something unique to the Network. There is a tendency to view the Nexus 2000 as a switch. And understandably so because it's packaged like a switch, looks like a switch, and installs in the rack like a switch. Because of this perception it's easy to subject it to the typical switch design criteria. But in doing so you begin an exercise that leads to more frustration than clarity because you are apply old thinking to new technology. It makes more sense to view the Nexus 2000 as a linecard that has been pulled out of a switch, packaged up in sheet metal, and the backplane ports connecting to the supervisor engine changed to SFP+ ports. You know have a linecard that connects to its supervisor engine with cables. Why is that significant? Because it reduces the complexity (and therefore total cost of ownership) of adopting a Data Center virtualization architecture. (10) Nexus 2000's are managed no differently than (10) linecards. I think we can all agree that a linecard requires a lot less management than a switch. It also allows the Data Center to grow into larger L2 domains required by virtualization by minimizing the # of L2 nodes, because the Nexus 2000 links to data center with L1, versus L2. Business leaders are hearing a lot about cloud computing these days, and it's cost advantages to the business. Yet there is a valid concern with data privacy and security that comes with public cloud computing. If internal IT can transform their data centers into a private cloud, or at least drastically improve the operational efficiency and total cost of ownership of their own data centers ... the wholesale outsourcing of the data center applications to the public cloud become less attractive to the business leaders. 
-- Brad Hedlund, CCIE #5530, VCP Technology Solutions Architect, Data Center bhedlund at cisco.com http://www.internetworkexpert.org On Feb 9, 2010, at 4:40 AM, Livio Zanol Puppim wrote: > Yeah, You are right. > > But I would like to use my nexus 5000 10GE/FCoE ports just for access servers, maximizing it's use... The uplinks from Nexus 2000 could easially go directly to my distribution/core. Unfortunally, nexus 2000 is just an fabric extender and can ONLY be attached to Nexus 5000... Maybe CISCO changes it's later... > > Let's think: > > 10 nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must use at my nexus 5000. That's more than 1 entirelly switch (1RU) and almost 1 switch (2RU). > > I haven't figure out yet what's the advantage of having this design (nexus 2000 -> nexus 5000) other than the "old" one (catalyst 4948 -> nexus 7000/cisco 6500). That's what I'm talking about. > > The only REAL advantage so far is the vPC... > > 2010/2/2 Brad Hedlund > > True, the Nexus 2000 does not locally switch, but lets explore that for a second... > > 1) a typical enterprise Data Center is running applications that are not latency sensitive, where latencies in the 10s of microseconds are perfectly OK and nobody is really counting anyway. Only in the small minority of Data Centers running high frequency trading, grid computing, or some other ultra low latency application, every *nanosecond* matters and local switching with fewer hops is of paramount importance. Furthermore, these applications are quickly migrating away from 1GE to 10GE attached servers for the obvious low latency advantages. > > 2) the Nexus 2000 has 4x10GE uplink bandwidth versus the 2x10GE uplink for 4948. This results in a possible 1:1.2 oversubscription ratio for Nexus 2000 to handle the additional uplink load that may otherwise not be present on a 4948. 
>
> 3) The upstream Nexus 5000 implements cut-through switching, and the Nexus 2000 itself also uses cut-through for frames entering on 1GE and egressing on 10GE. The two combined often result in port-to-port latencies similar to a Catalyst 6500, even without the "local switching". If you are comfortable with your Catalyst 6500 local switching latencies, you can expect similar performance from a Nexus 2000/5000 combination.
>
> --
> Brad Hedlund, CCIE #5530
> Consulting Systems Engineer, Data Center
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
> On Jan 31, 2010, at 5:25 PM, David Hughes wrote:
>
> > On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:
> >
> >> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
> >> 4948 as access layer switches?
> >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
> >> could be used by servers with 10GbE/FCoE servers.
> >
> > The N2K does no local switching so if you have any east-west traffic between ports on the same switch you'll be better served by a more "traditional" access switch. Naturally the N2K offers centralised management etc etc but that may or may not be of interest depending on the size of your deployment.
> >
> > David
> > ...
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> --
> []'s
>
> Lívio Zanol Puppim

From saku at ytti.fi Tue Feb 9 09:31:13 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 16:31:13 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <20100209143113.GC27965@mx.ytti.net>

On (2010-02-09 14:51 +0100), Manu Chao wrote:
> For sure it may be possible to reduce/optimise the routing
>
> But in all cases you will hit the platform limit ;(
>
> Full Internet Routing costs a lot

You appear not to be aware of the difference between XL and non-XL models; the device being discussed here can handle 1M IPv4 routes. There is nothing at all to support your conclusion that the limits of the platform are being met.

--
++ytti

From drew.weaver at thenap.com Tue Feb 9 09:33:05 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 9 Feb 2010 09:33:05 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID:

6500s are just an awful platform and have caveats out the wazoo.

Yes, the 3BXL will do full internet tables, but not as well as any router Cisco offers (GSR...)

Yes, the 6724 line card can do 24 1Gbps connections, but not if you have bursty traffic (buffer overflows)

Yes, the Supervisor will respond to traceroutes, but in software...
(rate limit TTL)

If you ping the 6500 while BGP scanner is running you will see 600ms responses...

Most of these things (except for the 6724 line card suckage) are 'fixed' in hardware only platforms (GSR... etc)

I probably sound bitter, but if one goes straight from what Cisco's documentation says they would think the 6500 is a great platform, but there should be a * next to everything in that entire white paper.

-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
Sent: Tuesday, February 09, 2010 8:54 AM
To: Manu Chao
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

On Tue, Feb 9, 2010 at 2:51 PM, Manu Chao wrote:
> For sure it may be possible to reduce/optimise the routing
>
> But in all cases you will hit the platform limit ;(
>
> Full Internet Routing costs a lot

I have other cores that do 40 times more BGP and they work like a charm, with the exception that they do not have a few thousand servers connected to them. Only customers with routers.

These routers are similar to this 6509, so nothing better or worse.

Andy

From sven at darkman.de Tue Feb 9 09:35:43 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Tue, 09 Feb 2010 15:35:43 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <4B7172BF.2080209@darkman.de>

Hi,

Andy B.
wrote:
> I have other cores that do 40 times more BGP and they work like a charm,
> with the exception that they do not have a few thousand servers
> connected to them. Only customers with routers.
> These routers are similar to this 6509, so nothing better or worse.

How about splitting the servers into different VLANs? That should lower the broadcasts etc. and may help... (it's hard for me to believe that you have one /19 or similar configured on one VLAN; I hope there are a few subnets ;)

Regards,
Sven

From linux.yahoo at gmail.com Tue Feb 9 09:47:44 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 15:47:44 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209141924.GA27965@mx.ytti.net>
References: <7100ed371002090547i342e8223u131077d5e0fd9cc6@mail.gmail.com> <20100209141924.GA27965@mx.ytti.net>
Message-ID: <7100ed371002090647n1f0b8234k2d8c417bba689d2d@mail.gmail.com>

J MX and T work very very well, you are right

On Tue, Feb 9, 2010 at 3:19 PM, Saku Ytti wrote:
> On (2010-02-09 14:47 +0100), Manu Chao wrote:
>
> > Too much BGP and traffic for your (old) 6509 router (even if with 3BXL).
> >
> > If you have the budget, I would push for Cisco ASR or Juniper M Core
>
> There is nothing in the data that supports your remark; the router's peak
> pps rate is below CFC system performance and there is plenty of TCAM space
> free.
> Also I welcome you to look into JNPR MX, instead of M.
>
> --
> ++ytti

From Charles.Church at harris.com Tue Feb 9 10:03:24 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Tue, 9 Feb 2010 10:03:24 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net>
Message-ID: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>

The weird part is the NDE process is still using CPU. Which netflow setting are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are getting crushed at times, it seems like more than just a punted packet issue, since that would be primarily RP, wouldn't it?

Chuck

-----Original Message-----
From: Andy B. [mailto:globichen at gmail.com]
Sent: Tuesday, February 09, 2010 8:50 AM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

I can almost certainly rule that out. Last time this happened I turned off NDE, but it did not change much. Here is the result anyway:
From p.mayers at imperial.ac.uk Tue Feb 9 10:07:46 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 15:07:46 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090609y401da163h5c0a9d47463434b3@mail.gmail.com>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com> <7100ed371002090609y401da163h5c0a9d47463434b3@mail.gmail.com>
Message-ID: <4B717A42.2090908@imperial.ac.uk>

On 09/02/10 14:09, Manu Chao wrote:
> trust me, change your design:
> - Core / Internet (ASR or Juniper)
> - Distribution / Datacenter (6509)
>
> with a default dynamic route from your Core to your Distribution

I personally disagree that this is the right approach. Without taking the time to understand the reason the 6500 is failing to function, it might not help at all, and could be a big waste of money.

It *might* be the right solution, but until the problem is identified, it is premature.

From linux.yahoo at gmail.com Tue Feb 9 10:11:29 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 16:11:29 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References:
Message-ID: <7100ed371002090711q6055c009s40e5e90e587a2f63@mail.gmail.com>

Can you please share the following output:

show fabric utilization

On Tue, Feb 9, 2010 at 3:22 PM, Andy B. wrote:
> On Tue, Feb 9, 2010 at 3:13 PM, Jon Lewis wrote:
>
> > If all of that traffic is transiting between the 6748 and 6704s, is it
> > possible you're filling (perhaps overfilling) the 40Gbps fabric the 6748 has
> > to the rest of the chassis during short traffic spikes?
>
> The 6748 is not really doing that much. Maybe 3-4 GBps.
>
> Incoming Transit and IBGP comes with one 6704.
> The other 6704 is port-channeled into the VLAN
>
> > With that much going on, I'm surprised you're using a single 6509 vs having
> > things split between a pair or more of them. Put some transit and some
> > customers on each...that way if one has an issue, needs a software upgrade,
> > etc., you can do a reload without the network going completely offline. Or
> > are you already doing that, and the troubled 6509 is just one of multiple?
>
> This is already partially the case - I am working on improvements here
> as well :)
>
> Andy

From globichen at gmail.com Tue Feb 9 10:12:57 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 16:12:57 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <7100ed371002090711q6055c009s40e5e90e587a2f63@mail.gmail.com>
References: <7100ed371002090711q6055c009s40e5e90e587a2f63@mail.gmail.com>
Message-ID:

On Tue, Feb 9, 2010 at 4:11 PM, Manu Chao wrote:
> Can you please share the following output:
>
> show fabric utilization

#show fabric utilization
 slot  channel  speed  Ingress %  Egress %
    2        0    20G          7         2
    2        1    20G         27        63
    5        0    20G         14        17
    8        0    20G         38         4
    8        1    20G          6        18
    9        0    20G         38         7
    9        1    20G         12        48

From globichen at gmail.com Tue Feb 9 10:15:27 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 16:15:27 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
Message-ID:

On Tue, Feb 9, 2010 at 4:03 PM, Church, Charles wrote:
> The weird part is the NDE process is still using CPU.
> Which netflow setting
> are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are
> getting crushed at times, seems like more than just a punted packet issue,
> since that would be primarily RP, wouldn't it?

Netflow is basically configured like this:

ip flow-cache entries 524288
ip flow-cache timeout active 1
mls ip slb purge global
mls ip multicast flow-stat-timer 9
mls aging fast time 4 threshold 2
mls aging long 128
mls aging normal 64
mls netflow usage notify 80 300
mls flow ip interface-full
mls flow ipv6 interface-full
mls rate-limit unicast cef glean 200 50
mls rate-limit all ttl-failure 100 10
no mls acl tcam share-global
mls cef error action freeze
ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-aggregation cache as
 cache timeout active 1
 export destination 9000
 enabled

From linux.yahoo at gmail.com Tue Feb 9 10:18:57 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Feb 2010 16:18:57 +0100
Subject: [c-nsp] Cisco 7401ASR ?
In-Reply-To: <20100209142752.GB27965@mx.ytti.net>
References: <4B71636C.2040704@phibee.net> <20100209134529.GA27827@mx.ytti.net> <7100ed371002090611w7ede2ec1tcd76770d7755449a@mail.gmail.com> <20100209142752.GB27965@mx.ytti.net>
Message-ID: <7100ed371002090718l6830a75enb35a82b2e4ea1093@mail.gmail.com>

Agreed ;) The gap was huge, it is now acceptable

On Tue, Feb 9, 2010 at 3:27 PM, Saku Ytti wrote:
> On (2010-02-09 15:11 +0100), Manu Chao wrote:
>
> > new ASR are better ;)
>
> Indeed, but of course 7400, ASR1k and ASR9k have nothing in common while
> the name might suggest so, so 'new ASR' is stretching it a bit.
> ASR1k is popey/QFP which is Cisco IP, AFAIK based on Tensilica di570t,
> running IOS as a process on top of Linux.
> ASR9k is EZchip NP(3c|4), which is a 3rd party NPU, with the fabric from
> nexus7k, running IOS-XR on top of QNX obviously.
> 7400 is plain old IOS, purely a software router today as toaster/PXF cannot
> be enabled.
>
> I think ASR1k is a very interesting platform for some applications while
> ASR9k as it is today is overshadowed by MX. CSCO will have to work hard to
> bridge the gap.
>
> > On Tue, Feb 9, 2010 at 2:45 PM, Saku Ytti wrote:
> >
> > > On (2010-02-09 14:30 +0100), Phibee Network Operation Center wrote:
> > >
> > > > I am searching for real information on the Cisco 7401ASR:
> > > > if you have one unit ;=)
> > > >
> > > > I want to know if this Cisco has the same performance as the
> > > > Cisco 7204 with an NPE 400?
> > >
> > > ASR was the second product to be blessed (or cursed) with the toaster
> > > chip a.k.a PXF.
> > > Like the first product NSE-1 it was a failure and newer software will disable and
> > > won't allow enabling PXF, so everything will be software switched; like in
> > > NPE400, performance is below NPE300.
> > >
> > > > It supports MPLS, Interworking and EoMPLS
> > > >
> > > > Is it the same IOS as the Cisco 7204?
> > >
> > > No. Also it is an EOL platform and as the price for gray NPE300 is ridiculously
> > > small I personally wouldn't accept even free ASRs.
> > >
> > > --
> > > ++ytti
> >
> --
> ++ytti

From p.mayers at imperial.ac.uk Tue Feb 9 10:22:50 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 15:22:50 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <20100209124435.GA27615@mx.ytti.net> <20100209130421.GA27687@mx.ytti.net> <20100209133224.GA27783@mx.ytti.net>
Message-ID: <4B717DCA.10601@imperial.ac.uk>

On 09/02/10 13:45, Andy B. wrote:
>> Are these receive addresses in the router or transit?
>>
>> sh mls cef lookup x.x.160.112
>> sh mls cef lookup x.x.160.112 detail
>>
>> sh mls cef adjacency entry 123 detail
>>
>
> #show buffers input-interface te9/1 header
>
> Buffer information for Small buffer at 0x50070DC8
> data_area 0x80667C4, refcount 1, next 0x45475F58, flags 0x280
> linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
> if_input 0x4646B618 (TenGigabitEthernet9/1), if_output 0x0 (None)
> inputtime 47w4d (elapsed 00:00:09.252)
> outputtime 47w4d (elapsed 00:03:54.772), oqnumber 65535
> datagramstart 0x806683A, datagramsize 62, maximum size 308
> mac_start 0x806683A, addr_start 0x806683A, info_start 0x0
> network_start 0x8066848, transport_start 0x8066878, caller_pc 0x4187C1F0
>
> source: x.x.224.116, destination: y.y.176.97, id: 0x79FD, ttl: 121,
> TOS: 0 prot: 6, source port 2844, destination port 445
>
> x.x = outside

Ok, so this is an inbound TCP packet to port 445, for a host which isn't in the ARP table, hence the glean:

> #sh mls cef lookup y.y.176.97
>
> Codes:
> decap - Decapsulation, + - Push Label
> Index Prefix Adjacency
> 20304 y.y.176.0/24 glean

Probably random malware/virus scanning. Obviously the CPU will handle gleans (things which need an ARP lookup). As has been pointed out, you can enable the "glean" rate limiter, but there are two points to bear in mind:

1. It's box-global and there's no per-interface round-robin or anything. Basically you're telling it "only ever send me 200 packets which need an ARP lookup per second" and if some bad person on the internet sends you 201, they can crowd out legitimate local traffic (the glean rate-limiter should really be per input-SVI. Sigh...)

2. It seems a bit unlikely that you'll suddenly get 5x more glean traffic at the exact peak of your forwarding rate, so this might be just random background traffic.

Personally I would use a SPAN or (E)RSPAN session monitoring the CPU during an outage to see what's actually hitting the CPU:

http://cisco.cluepon.net/index.php/6500_SPAN_the_RP

...this is a lot easier under later IOS, but can be done under SXF. Why guess what's hitting the CPU when you can *know*?

From saku at ytti.fi Tue Feb 9 10:26:52 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 17:26:52 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru>
Message-ID: <20100209152652.GA28195@mx.ytti.net>

My guess is that you are sporadically getting a flood of glean punts which are blocking your input buffers, causing OSPF/BGP keepalives to be dropped. I suggest increasing hold-queue input on the interfaces where you see drops and also implementing the glean rate-limit.

For the long term, set up ERSPAN for control-plane traffic so if it happens again in spite of the changes you'll have more data to work with.
--
++ytti

From Charles.Church at harris.com Tue Feb 9 10:38:41 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Tue, 9 Feb 2010 10:38:41 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
Message-ID: <290EF89F13F04F4E924BB235A46D18F109FE2BA7D7@MLBMXUS2.cs.myharris.net>

I haven't used the 'flow-aggregation ...' in the past, but it has a destination on it still. Not sure if that's still causing exporting to happen or not. Can you reduce the flow mask from 'interface-full' to something like 'source' so that it will use less TCAM space?

Chuck

-----Original Message-----
From: Andy B. [mailto:globichen at gmail.com]
Sent: Tuesday, February 09, 2010 10:15 AM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

On Tue, Feb 9, 2010 at 4:03 PM, Church, Charles wrote:
> The weird part is the NDE process is still using CPU. Which netflow setting
> are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are
> getting crushed at times, seems like more than just a punted packet issue,
> since that would be primarily RP, wouldn't it?
Netflow is basically configured like this:

ip flow-cache entries 524288
ip flow-cache timeout active 1
mls ip slb purge global
mls ip multicast flow-stat-timer 9
mls aging fast time 4 threshold 2
mls aging long 128
mls aging normal 64
mls netflow usage notify 80 300
mls flow ip interface-full
mls flow ipv6 interface-full
mls rate-limit unicast cef glean 200 50
mls rate-limit all ttl-failure 100 10
no mls acl tcam share-global
mls cef error action freeze
ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-aggregation cache as
 cache timeout active 1
 export destination 9000
 enabled

From gert at greenie.muc.de Tue Feb 9 10:44:11 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 9 Feb 2010 16:44:11 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <20100209154411.GP9556@greenie.muc.de>

Hi,

On Tue, Feb 09, 2010 at 09:33:05AM -0500, Drew Weaver wrote:
> Yes, the 6724 Line card can do 24 1Gbps connections, but not if you have bursty traffic (buffer overflows)

Burst in which direction? Fabric->Line card?

(This is pretty much unavoidable for any sort of hardware if you go from higher speed to lower speed interfaces - the question is, of course, "how big are the buffers").

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From saku at ytti.fi Tue Feb 9 10:50:21 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 17:50:21 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <7100ed371002090551n34774411uf08fa31b730111a5@mail.gmail.com>
Message-ID: <20100209155021.GA28238@mx.ytti.net>

On (2010-02-09 09:33 -0500), Drew Weaver wrote:
> 6500s are just an awful platform and have caveats out the wazoo.

Yes, it is complex to operate successfully outside LAN environments; that complexity may well increase OPEX past any CAPEX benefit it had.

> Yes, the 3BXL will do full internet tables, but not as well as any router Cisco offers (GSR...)

I haven't experienced any relevant difference taking a full table on GSR and on 7600. Of course when you have SUP720, RSP720, GRP-A, GRP-B, PRP-1, PRP-2, you'd need to be more specific about what you mean. The BGP code is obviously mostly the same.

> Yes, the 6724 Line card can do 24 1Gbps connections, but not if you have bursty traffic (buffer overflows)

To nitpick, it has a single 20G fabric connection, so actually 20x1Gbps not 24.

> Yes, the Supervisor will respond to traceroutes, but in software... (rate limit TTL)

All devices do traceroute in software; GSR has a distributed LC CPU, but it is still software. JNPR not long ago had a chassis-wide limit on traceroute of 50pps per interface and 500pps per PFE, which wasn't even configurable, unlike it is in 7600.
In GSR still today there is nothing you can do to protect the control-plane from, say, a TTL exceeded attack; rACL and CoPP are done in the LC CPU, while in 7600 they are done in hardware. It is trivial to bring GSR/IOS to its knees when DoSed by someone who understands the platform; I know of no way to DoS 7600 when not connected to it in L2 when it has been properly configured.
> If you ping the 6500 while BGP scanner is running you will see 600ms responses...

BGP has been event driven since 2006 with the release of SRA.

> Most of these things (except for the 6724 line card suckage) are 'fixed' in hardware only platforms (GSR... etc)

GSR is not hardware only; as said, the control-plane can't be protected in hardware in IOS at all, and E0 and E1 are pure software linecards.

> I probably sound bitter, but if one goes straight from what Cisco's documentation says they would think the 6500 is a great platform, but there should be a * next to everything in that entire white paper.

I'd say if you don't have time to invest in understanding the platform in depth then neither 7600 nor GSR will be easy or cheap to operate; JNPR in my experience requires far less from the pilot and is mostly competitively priced unless you're looking at purely LAN cards.

--
++ytti

From p.mayers at imperial.ac.uk Tue Feb 9 10:56:06 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Feb 2010 15:56:06 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net>
Message-ID: <4B718596.2050602@imperial.ac.uk>

On 09/02/10 15:03, Church, Charles wrote:
> The weird part is the NDE process is still using CPU. Which netflow setting
> are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are

What evidence do we have for the RP and SP both being hit?

> getting crushed at times, seems like more than just a punted packet issue,
> since that would be primarily RP, wouldn't it?

Not if it were a loop

From globichen at gmail.com Tue Feb 9 11:56:45 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 9 Feb 2010 17:56:45 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209152652.GA28195@mx.ytti.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net>
Message-ID:

On Tue, Feb 9, 2010 at 4:26 PM, Saku Ytti wrote:
> My guess is that you are sporadically getting a flood of glean punts which
> are blocking your input buffers causing OSPF/BGP keepalives to be dropped.
>

Excuse me for being ignorant, but what are glean punts? Should I dig out my routing for dummies book :-/

Andy

From tvarriale at comcast.net Mon Feb 8 23:25:44 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 8 Feb 2010 22:25:44 -0600
Subject: [c-nsp] 3560G as WAN-aggregation-layer
References: <5A69C25361FED34F83ABF05F5047524507F05FB1@wally.walleyetrading.net>
Message-ID: <8559330CD7FC4195A9836D019EB086B2@flamdt01>

Care to share your server farm experience? There are many that do what you are trying to do as long as you understand the limitations and differences in QoS/etc (compared to routers).

G1s, although being part of a software platform, are decent horsepower. If you are looking at some shaping/policing down from gig you may want to be careful (especially on multiple). But, if it's a 100mb line and you want to play they will do fairly well.

tv

----- Original Message -----
From: "Jeff Bacon"
To:
Sent: Monday, February 08, 2010 5:09 PM
Subject: [c-nsp] 3560G as WAN-aggregation-layer

> Greetings.
>
> I know this is going to sound pretty, well, lame. But...
>
> I currently have a couple of routers (a 7204/NPE-G1 and a 3845)
> front-ending my WAN connections, which are all metro Ethernet, mostly
> gig ports which are policed at some CIR, or 100Mbit. The routers are
> big, expensive, and really don't do much - oh, someday I would like to
> do some QoS...someday.
>
> So, there is this pile of 3560Gs in the corner. I've had
> less-than-impressive experiences with them as server-farm access
> switches, which is why they are there. However, I'm thinking that for
> handling a handful (4-6) of Gig-Es/100Ms which are mostly not running at
> capacity, as long as I distribute the ports out amongst the port ASICs
> (so each line has the full 2Mbit TX buffer of the port ASIC to itself),
> and as long as I don't do something stupid like put all 4 ports of a
> 4-port etherchannel in ports 1-4, they ought to be fine.
>
> The switches don't need to do much - pass the traffic, run EIGRP, a
> little light QoS. Our route table is tiny, relatively.
>
> Am I going to regret this?
> Conversely, how much can I really expect out of an NPE-G1?

From dwcarder at wisc.edu Tue Feb 9 12:24:24 2010
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Tue, 09 Feb 2010 11:24:24 -0600
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <20100209152652.GA28195@mx.ytti.net>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net>
Message-ID:

On Feb 9, 2010, at 9:26 AM, Saku Ytti wrote:
> My guess is that you are sporadically getting a flood of glean punts which
> are blocking your input buffers causing OSPF/BGP keepalives to be dropped.

Maybe, but does SPD prioritize glean traffic vs IGP?
Dale

From saku at ytti.fi Tue Feb 9 12:27:55 2010
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 9 Feb 2010 19:27:55 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net>
Message-ID: <20100209172755.GA28533@mx.ytti.net>

On (2010-02-09 17:56 +0100), Andy B. wrote:
> Excuse me for being ignorant, but what are glean punts? Should I dig
> out my routing for dummies book :-/

No ignorance; sorry for being so terse, I just wanted to avoid rambling on too much.

Glean are packets which need to be punted because forwarding information is incomplete, in this case because it is a locally connected destination without a valid hardware (MAC) forwarding address. To resolve the IP address, you'll ARP it, and this is a software function; to be able to trigger ARP you'll need to punt the packet to software.

As you have a huge LAN, it is likely also very empty, so you might get a sudden burst of packets spread around the LAN, which would suddenly punt many packets to software. If BGP/OSPF is running over the same physical interface, an incoming BGP/OSPF keepalive might be dropped, since there is no room to punt it (actually SPD should have some extra room for them), causing the BGP keepalive to be dropped.

When OSPF/BGP goes down, is it always one side tearing it down due to the hold-time expiring? If it is always the same and always the router under discussion, this would support my hypothesis.

--
++ytti

From me at falz.net Tue Feb 9 12:36:21 2010
From: me at falz.net (Chris Wopat)
Date: Tue, 9 Feb 2010 11:36:21 -0600
Subject: [c-nsp] 2811 login issues
Message-ID:

On Mon, Feb 8, 2010 at 11:00 AM, wrote:
> Subject: [c-nsp] 2811 login issues
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have a 2811 that stopped accepting logins from its FastEthernet
> interface last week out of the blue. When this happened there were no
> config changes, router reboots, etc. It has a Multilink bundle
> unnumbered via that FastEthernet interface and it *does* accept logins
> from this direction. Config is simple, a default route via FA and a
> /24 via MU.
>
> A few other odd symptoms:
>
> - 'copy tftp flash' will work for about 12 seconds and then begin to timeout.
>
> - telnetting from the router to anywhere immediately gives
> "Destination unreachable; gateway or host down" without even really
> trying.
>
> What's even more strange is that everything works fine the first 5-10
> minutes after a reboot.
> It was running 12.4(15)XY1 and I was able to get it to 12.4(15)XY3 to
> see if it was a bug. It's running XY for support for its HWIC-4T1/E1.
>
> In an attempt to rule out an upstream routing problem I've added its
> default gateway (3.89) to the login ACL and it gives the same symptoms
> when connecting from there. It seems to be completely dropping packets
> vs rejecting them as it still does if you connect from an IP not on
> that ACL.
>
> 'debug ip packet' shows this when connecting via telnet or ssh:
>
> Feb 8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0),
> d=10.170.3.90, len 60, rcvd 2
> Feb 8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0),
> d=10.170.3.90, len 60, stop process pak for forus packet

Anyone have insight into this? I still have not come up with a solution. I've also temporarily enabled CDP to confirm that things are connected as they should be.
--Chris From Charles.Church at harris.com Tue Feb 9 12:39:33 2010 From: Charles.Church at harris.com (Church, Charles) Date: Tue, 9 Feb 2010 12:39:33 -0500 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <4B718596.2050602@imperial.ac.uk> References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> Message-ID: <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> I was going by the 'show proc cpu hist' he gave for both the SP and RP. Both looked pretty bad across the board. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers Sent: Tuesday, February 09, 2010 10:56 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Best practice - Core vs Access Router On 09/02/10 15:03, Church, Charles wrote: > The weird part is the NDE process is still using CPU. Which netflow setting > are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are What evidence do we have for the RP and SP both being hit? > getting crushed at times, seems like more than just a punted packet issue, > since that would be primarily RP, wouldn't it? Not if it were a loop
From ray at oneunified.net Tue Feb 9 11:57:06 2010 From: ray at oneunified.net (Ray Burkholder) Date: Tue, 9 Feb 2010 12:57:06 -0400 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <8F2F3DB5-7970-41C4-969E-11445C507CDE@cisco.com> References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> <8F2F3DB5-7970-41C4-969E-11445C507CDE@cisco.com> Message-ID: <009f01caa9a8$e9b259a0$bd170ce0$@net> > > Business leaders are hearing a lot about cloud computing these days, > and its cost advantages to the business. Yet there is a valid concern > with data privacy and security that comes with public cloud computing. > If internal IT can transform their data centers into a private cloud, > or at least drastically improve the operational efficiency and total > cost of ownership of their own data centers ... the wholesale > outsourcing of the data center applications to the public cloud become > less attractive to the business leaders. I'm not quite sure I understand the impact of that last statement... "become less attractive to the business leaders." Is that a good thing or a bad thing? i.e., is going into the public cloud a good thing or a bad thing? And if business leaders "transform their data centers into a private cloud", isn't that still a private network? Or are there additional ramifications of this, i.e., going the virtualization path and making everything server non-centric? Ray
From p.mayers at imperial.ac.uk Tue Feb 9 12:44:05 2010 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Tue, 09 Feb 2010 17:44:05 +0000 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net> Message-ID: <4B719EE5.1080400@imperial.ac.uk> On 09/02/10 16:56, Andy B. wrote: > On Tue, Feb 9, 2010 at 4:26 PM, Saku Ytti wrote: >> My guess is that you are sporadically getting flood of glean punts which >> are blocking your input buffers causing OSPF/BGP keepalives to be dropped. >> > > Excuse me for being ignorant, but what are glean punts? Should I dig > out my routing for dummies book :-/ Packets that need an ARP lookup before they are routed onwards, because the destination is a "connected" subnet but the destination IP isn't in the ARP table. The destination needs to be "gleaned" From p.mayers at imperial.ac.uk Tue Feb 9 12:56:34 2010 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Tue, 09 Feb 2010 17:56:34 +0000 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> Message-ID: <4B71A1D2.10909@imperial.ac.uk> On 09/02/10 17:39, Church, Charles wrote: > I was going by the 'show proc cpu hist' he gave for both the SP and RP. > Both looked pretty bad across the board. His graphs don't look that dis-similar to mine, and we have no such problems. The peak/avg CPU don't look so unreasonable to me given the load and setup he's described. 
To summarise this thread, it has been suggested:

1. Netflow is the problem - to which the OP said he's already tried disabling it
2. CPU punts, specifically gleans, are the problem - in which case CoPP or MLS rate limiters can be tried, but the OP really IMHO needs to confirm this with a span of the CPU
3. The 6500 is just no good, buy a Juniper or ASR1k (!) which I strongly dispute. It may be awkward and have odd limits, but it OUGHT TO HANDLE the load we've been told about; therefore something is wrong

...and lots more besides. I'm exhausted from following the thread, but my advice to the OP is to determine what is hitting the CPU *during an outage*, then proceed from there. I'm going to stop reading now. From lowen at pari.edu Tue Feb 9 12:06:42 2010 From: lowen at pari.edu (Lamar Owen) Date: Tue, 9 Feb 2010 12:06:42 -0500 Subject: [c-nsp] Cisco 7401ASR ? In-Reply-To: <4B71636C.2040704@phibee.net> References: <4B71636C.2040704@phibee.net> Message-ID: <201002091206.42761.lowen@pari.edu> On Tuesday 09 February 2010 08:30:20 am Phibee Network Operation Center wrote: > I am searching for real information on the Cisco 7401ASR: > If you have one unit ;=) Have two of them here, one in use, the other in standby. > I want to know if this Cisco has the same performance as the > Cisco 7204 with an NPE 400? Probably not; 7401ASR is a 1 rack unit single PA NSE-1. A little less performance than NPE-300. Has PXF; at least as of 12.4(21a), it's enabled and running:

pari-7400-2#sh pxf int
Intf I/f # Attributes
Gi0/0 5 Raw, Encap, Unsupp Feat.
Gi0/1 4 Raw, Encap
PO1/0 6 Raw, Encap
pari-7400-2#sh pxf info
pxf: tmc type TMC ASIC Pass2 (T2-ECC) revision 2
ucode: filename 'system:pxf/ucode0' revision 1.1
state: is running, number of starts 1
uptime: 52w0d
Memory Configuration:
Bank Name Total Reserved In-use Free
tmc internal memory column 0 16 Kb 2048 bytes 0 bytes 14 Kb
tmc column 0 memory bank 0 32 Mb 31 Mb 16 Kb 352 Kb
tmc internal memory column 1 16 Kb 512 bytes 0 bytes 15 Kb
tmc column 1 memory bank 0 32 Mb 669 Kb 2279 Kb 29 Mb
tmc internal memory column 2 16 Kb 6656 bytes 0 bytes 9728 bytes
tmc column 2 memory bank 0 32 Mb 441 Kb 672 Kb 30 Mb
tmc internal memory column 3 16 Kb 15 Kb 0 bytes 512 bytes
tmc column 3 memory bank 0 32 Mb 2092 Kb 64 Kb 29 Mb
pari-7400-2#sh pxf fea nat stat
NAT translation processing information
total nat entries = 4096, entries (used, free) = (107, 3989)
untranslated flows: 0
translated flows: 3503431328
icmp extendable flows: 0
noop alloc miss: 0
entry alloc miss: 3096957
entry poke miss: 0
pari-7400-2#

Having said all that, I'm seeing packets switched by the PXF (sh int stat) on Gi0/1 and PO1/0, but not on Gi0/0 (unsupported feature; doing something on Gi0/0 that PXF doesn't like, apparently, but not sure what); the number of packets actually PXF-switched is a pretty small percentage of the total traffic going through the box. > It supports MPLS, Interworking and EoMPLS 7400 is designed to be CPE, and doesn't run S, SX, or SR train images (12.4 mainline and up to a point in 12.4T are available). Not designed for core stuff; having said that, I haven't tried any MPLS stuff on it. In my case, I'm doing edge NAT, BGP, OSPF, POS APS, CBAC, and Stateful NAT.
Typical edge stuff; using the 7401 since it can handle OC-3 POS and do APS (which is how our OC3 is configured) paired currently with a 7507 running the same IOS (but which has different features; one of those things about IOS is how different the feature set can be platform to platform, and how you can somewhat see what the pedigree of a particular bit of hardware is by looking at the various feature footprints.... see feature diffs between Cat5k RSM versus RSFC, or Cat6k MSM versus MSFC; the RSM and MSM betray their pedigree by certain features lacking....). The two 7401's were paired for the OC3 POS APS, but the second one developed issues when loaded very heavily and is now a backup only. > It's the same IOS that Cisco 7204 ? No; almost the same as NSE-1, but specific to the chassis. -- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 http://www.pari.edu From tdurack at gmail.com Tue Feb 9 13:05:49 2010 From: tdurack at gmail.com (Tim Durack) Date: Tue, 9 Feb 2010 13:05:49 -0500 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <4B7170DB.7010602@oldnick.ru> <20100209152652.GA28195@mx.ytti.net> Message-ID: <9e246b4d1002091005kec474a2t37440709c54a84ea@mail.gmail.com> On Tue, Feb 9, 2010 at 11:56 AM, Andy B. wrote: > Excuse me for being ignorant, but what are glean punts? Should I dig > out my routing for dummies book :-/ Traffic for which there is no forwarding entry. For example, an ip that has no arp entry for the directly connected interface. Router then needs to arp to associate mac-ip. This is triggered by a glean adjacency covering the directly connected network. ("glean" didn't mean much to me until we inadvertently interrupted this normal process with a slightly too restrictive CoPP. Those kind of lessons tend to stick with you...) 
-- Tim:> Sent from New York, NY, United States From Michael.Balasko at cityofhenderson.com Tue Feb 9 13:56:53 2010 From: Michael.Balasko at cityofhenderson.com (Michael Balasko) Date: Tue, 9 Feb 2010 10:56:53 -0800 Subject: [c-nsp] Cisco CNR - Was: RE: OT - Infoblox vs. Bluecat In-Reply-To: <20677750.2571265409237480.JavaMail.root@giskard> References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net> <20677750.2571265409237480.JavaMail.root@giskard> Message-ID: <9AF22D15085E7D409ED5710CBC779E930D8D533C@COHNTCS09.ci.henderson.nv.us> Is there a reason no one looks at Cisco's Enterprise solution? Network Registrar? We've been running it since before I got here (9 years) and it has been beyond rock solid. Runs on piles of OS's and also handles stateful DHCP extremely well. Worth a look if you ask me. Michael Balasko CCSP, MCSE Network Specialist II City of Henderson, Nevada 240 Water St. Henderson, Nevada 89015 702.267.4337 -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Gauthier Sent: Friday, February 05, 2010 2:34 PM To: Charles Church Cc: nsp-cisco Subject: Re: [c-nsp] OT - Infoblox vs. Bluecat When I worked for a previous employer, we evaluated bluecat and infoblox. Bluecat was quickly ruled out because of price and complexity. The Infoblox got a lot more attention and they were great to work with during our eval of the hardware. One manager was ready to purchase and was about to pick up the phone and call when another manager railroaded the big boss to go with Windows DNS/DHCP (in a non-AD environment) at the last second. I *really* liked the manageability, tech support, and expertise of the product. The HA worked great, including DHCP failover. I liked them so much, I've tried to bring them to my current employer, but the solutions are just too expensive for the budget.
Another point that I liked was that Cricket Liu (author of the DNS and Bind O'Reilly books and the DNS on Windows Server 2000 and DNS on Windows Server 2003 books) is part of their executive team. They're also MS certified, a plus for my current employer. I liked the detail in logging, too. Some of the reporting was a challenge, but I was asking for stats (can't remember which) that had to be gathered programmatically. Hope this helps all of you! Chris Gauthier, CCNA Security Salem, Oregon, USA ----- Original Message ----- From: "Charles Church" To: "nsp-cisco" Sent: Friday, January 15, 2010 7:09:55 AM GMT -08:00 US/Canada Pacific Subject: [c-nsp] OT - Infoblox vs. Bluecat I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
Thanks in advance, Chuck From nicotine at warningg.com Tue Feb 9 14:23:34 2010 From: nicotine at warningg.com (Brandon Ewing) Date: Tue, 9 Feb 2010 13:23:34 -0600 Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP Message-ID: <20100209192334.GD24950@radiological.warningg.com> Some of the earlier threads today sparked me to re-check some CoPP I had deployed to see if the ARP limiting I placed in was effective, as I had experienced some episodes where it would take some time for the supervisor to learn ARP entries for new links. I found some confusing and misleading results, in both my counters, and the documentation on Cisco's site. Any input would be appreciated. First I did "show mls qos protocol arp":

Int Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
Id Id
-------------------------------------------------------------------------
CPP 6 In CoPP-CLASS 0 8 dscp 0 0 0
CPP 6 In class-defa 0 7 dscp 0 715557790 105287223
All 6 - Default 0 0* No 0 173681814237 0

The first line is a class that matches "protocol arp" -- the fact that none of my ARP traffic is matching this rule is disturbing, as the SXH configuration guide states: Layer 2 Protocols - Traffic used for address resolution protocol (ARP). Excessive ARP packets can potentially monopolize RP resources, starving other important processes; CoPP can be used to rate limit ARP packets to prevent this situation. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol classification criteria.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/copp.html However, in the same document, they also state: CoPP does not support ARP policies. ARP policing mechanisms provide protection against ARP storms. This doesn't appear to be happening, as confirmed by "show policy-map control-plane":

Hardware Counters:
class-map: CoPP-CLASS-ARP (match-all)
Match: protocol arp
police : 8192000 bps 256000 limit 256000 extended limit
Earl in slot 6 : 0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: transmit
aggregate-forward 0 bps exceed 0 bps

Instead, the output from the first command seems to indicate that ARP traffic is being matched by class-default, and is being rate-limited along with other non-matched traffic. A friend pointed me at http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html which documents "mls qos protocol arp police", but there is a qualifier that states that this is not CoPP specific, as it will also rate-limit switched ARP packets through the switch, not just those directed at the router processor. What are other providers using for CoPP configurations on their 6500s? Is it functioning correctly for you? Are there any other pitfalls I should be aware of? -- Brandon Ewing (nicotine at warningg.com)
From saku at ytti.fi Tue Feb 9 14:37:32 2010 From: saku at ytti.fi (Saku Ytti) Date: Tue, 9 Feb 2010 21:37:32 +0200 Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP In-Reply-To: <20100209192334.GD24950@radiological.warningg.com> References: <20100209192334.GD24950@radiological.warningg.com> Message-ID: <20100209193732.GA28912@mx.ytti.net> On (2010-02-09 13:23 -0600), Brandon Ewing wrote: > Some of the earlier threads today sparked me to re-check some CoPP I had > deployed to see if the ARP limiting I placed in was effective, as I had You must mean the thread where glean was mentioned; you probably are aware, but just for the sake of posterity, policing glean and ARP are two different things: any packet can be a glean punt, while policing ARP matches only incoming ARP packets. > What are other providers using for CoPP configurations on their 6500s? Is > it functioning correctly for you? Are there any other pitfalls I should be > aware of? I think you've gathered relevant and correct data; I don't think PFC3 supports ARP match in CoPP. So you must use the MLS rate-limiter, where you have to remember that AFAIK this is also for transit ARP which you might be bridging as a switch. -- ++ytti From zeusdadog at gmail.com Tue Feb 9 14:41:53 2010 From: zeusdadog at gmail.com (Jay Nakamura) Date: Tue, 9 Feb 2010 14:41:53 -0500 Subject: [c-nsp] VRF aware IPSec for remote access without xauth In-Reply-To: References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com> Message-ID: <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com> I have not explained my situation very well so let me restart. VPN is client VPN, not LAN to LAN. The old style IPsec Cisco VPN client, not Anyconnect client. Internet access on the router is on one VRF. Network we want to access via VPN is on another VRF. See below config.
I have gotten it to work so far where it will connect, do Xauth, and establish connection. You can see the VPN client IP in the routing table of the Customer VRF. Traffic gets sent to the VPN from the client but nothing from the Customer VRF comes back out to the VPN. I do want to do this without XAuth if possible. Also, I used the loopback interface as the destination of the VPN so it could fail over if one link goes down.

aaa new-model
!
aaa authentication login CustomerVPNCliAuth local
aaa authorization network CustomerVPNNetAuth local
!
ip cef
!
ip vrf Customer
 rd 12345:1100
 import map internetVRFDefaultMap
 route-target export 12345:1100
 route-target import 12345:1100
 route-target import 12345:1
!
ip vrf internet
 rd 12345:1
 route-target export 12345:1
 route-target import 12345:1
!
crypto keyring CustomerVPNKey vrf internet
  local-address Loopback1
  pre-shared-key address 0.0.0.0 0.0.0.0 key testtest
no crypto xauth Loopback1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CustomerVPNGroup
 key testtest
 pool CustomerVPNPool
 acl CustomerVPNSplitTunnel
crypto isakmp profile CustomerVPN
   vrf Customer
   keyring CustomerVPNKey
   self-identity address
   match identity group CustomerVPNGroup
   client authentication list CustomerVPNCliAuth
   isakmp authorization list CustomerVPNNetAuth
   client configuration address initiate
   client configuration address respond
   client configuration group CustomerVPNGroup
   local-address Loopback1
!
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CustomerVPNDynMap 1
 set transform-set AES256
 set isakmp-profile CustomerVPN
 reverse-route
!
!
crypto map CustomerVPN local-address Loopback1
crypto map CustomerVPN 10 ipsec-isakmp dynamic CustomerVPNDynMap
!
!
!
!
!
!
interface Loopback0
 ip vrf forwarding internet
 ip address a.a.a.1 255.255.255.255
!
!
interface Loopback1
 ip vrf forwarding internet
 ip address a.a.a.2 255.255.255.255
 crypto map CustomerVPN
!
!
interface Loopback2
 ip vrf forwarding internet
 ip address a.a.a.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
!
interface GigabitEthernet0/0
 ip address m.m.m.x 255.255.255.0
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/0.802
 encapsulation dot1Q 802
 ip vrf forwarding internet
 ip address b.b.b.b 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1.803
 encapsulation dot1Q 803
 ip vrf forwarding internet
 ip address c.c.c.c 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 ip ospf cost 15
!
interface GigabitEthernet0/1.811
 encapsulation dot1Q 811
 ip address n.n.n.n.x 255.255.255.0
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/2.1100
 encapsulation dot1Q 1100
 ip vrf forwarding Customer
 ip address 10.0.244.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/2.1101
 encapsulation dot1Q 1101
 ip vrf forwarding Customer
 ip address 10.0.245.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router ospf 1 vrf internet
 log-adjacency-changes
 redistribute static metric-type 1 subnets
 passive-interface default
 no passive-interface GigabitEthernet0/0.802
 no passive-interface GigabitEthernet0/1.803
 network a.a.a.1 0.0.0.0 area 0
 network b.b.b.b 0.0.0.15 area 0
 network c.c.c.c 0.0.0.15 area 0
!
router bgp 12345
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf Customer
  no synchronization
  redistribute static
  default-information originate
 exit-address-family
 !
 address-family ipv4 vrf internet
  no synchronization
  redistribute ospf 1 vrf internet match internal external 1 external 2
  default-information originate
 exit-address-family
!
ip local pool CustomerVPNPool 192.168.254.1 192.168.254.254 recycle delay 10
ip forward-protocol nd
!
ip extcommunity-list 1 permit rt 12345:1
ip nat inside source list CustomerNATACL interface Loopback2 vrf Customer overload
!
ip access-list extended CustomerNATACL
 deny ip 10.0.244.0 0.0.1.255 192.168.254.0 0.0.0.255
 permit ip 10.0.244.0 0.0.1.255 any
ip access-list extended CustomerVPNSplitTunnel
 permit ip 10.0.244.0 0.0.0.255 192.168.254.0 0.0.0.255
 permit ip 10.0.245.0 0.0.0.255 192.168.254.0 0.0.0.255
!
!
ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
ip prefix-list DefaultOnly seq 10 permit 192.168.254.0/24
!
route-map internetVRFDefaultMap permit 10
 match ip address prefix-list DefaultOnly
 match extcommunity 1

On Wed, Feb 3, 2010 at 4:01 PM, Ryan Goldberg wrote:
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Jay Nakamura
>> Sent: Tuesday, February 02, 2010 10:20 PM
>> To: cisco-nsp
>> Subject: [c-nsp] VRF aware IPSec for remote access without xauth
>>
>> I am trying to configure vrf aware IPSec VPN for remote access, coming
>> into one VRF and tunneling into another VRF. Can I do that without
>> XAUTH? I can't seem to find any reference to doing it without xauth.
>> If it's possible and someone has done this, can you please post a
>> sample config?
>
> I believe the following tidbits should get you going. This is from a 2801 running 12.4.24T1. Tunnel lands on vrf ISP2 and pops out into vrf LAN.
>
> ip vrf ISP2
>  rd 1:2
>
> ip vrf LAN
>  rd 1:3
>
> crypto keyring ISP2 vrf ISP2
>  pre-shared-key address a.b.c.d key blahblahblah
>
> crypto isakmp policy 2
>  encr 3des
>  authentication pre-share
>  group 2
>
> crypto isakmp profile ProfileForNuttyVendor
>   vrf LAN
>   keyring ISP2
>   match identity address a.b.c.d 255.255.255.255 ISP2
>
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>
> crypto map AwesomeMap 3 ipsec-isakmp
>  description tunnel for Nutty Vendor
>  set peer a.b.c.d
>  set transform-set ESP-3DES-SHA
>  set isakmp-profile ProfileForNuttyVendor
>  match address 111
>  reverse-route
>
> interface FastEthernet0/1
>  ip vrf forwarding LAN
>  ip address 10.1.19.250 255.255.255.0
>
> interface FastEthernet0/0
>  ip vrf forwarding ISP2
>  ip address w.x.y.z 255.255.255.248
>
>
> access-list 111 remark Nutty Vendor tunnel
> access-list 111 permit ip host 10.3.19.247 10.0.1.0 0.0.0.255
>
> -
>
> Ryan
>

From nick at inex.ie Tue Feb 9 15:13:49 2010 From: nick at inex.ie (Nick Hilliard) Date: Tue, 09 Feb 2010 20:13:49 +0000 Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP In-Reply-To: <20100209193732.GA28912@mx.ytti.net> References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> Message-ID: <4B71C1FD.4000609@inex.ie> On 09/02/2010 19:37, Saku Ytti wrote: > I think you've gathered relevant and correct data, I don't think PFC3 > supports ARP match in CoPP. So you must use MLS rate-limiter, where you > have to remember that AFAIK this is also for transit ARP which you might be > bridging as a switch. so, this looks like an effective attack vector for trashing sup720 RPs then - if you have l2 access to the device. Makes a good argument for implementing arp sponges on core paths and edges so that this cannot be exploited remotely. I assume that ipv6 nd is sufficiently high up the protocol stack that it can be managed by copp?
Nick From nicotine at warningg.com Tue Feb 9 15:15:35 2010 From: nicotine at warningg.com (Brandon Ewing) Date: Tue, 9 Feb 2010 14:15:35 -0600 Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP In-Reply-To: <20100209193732.GA28912@mx.ytti.net> References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> Message-ID: <20100209201535.GE24950@radiological.warningg.com> On Tue, Feb 09, 2010 at 09:37:32PM +0200, Saku Ytti wrote: > I think you've gathered relevant and correct data, I don't think PFC3 > supports ARP match in CoPP. So you must use MLS rate-limiter, where you > have to remember that AFAIK this is also for transit ARP which you might be > bridging as a switch. > > -- > ++ytti Even so, my ARP traffic would STILL hit the class-default class for the CoPP profile, and be rate-limited before reaching the Sup, no? Also, to rebut, I found http://aharp.ittns.northwestern.edu/papers/copp.html In it, it says that Rodney Dunn contacted the author to state that matching protocol ARP in a class map on the Sup720 SHOULD work. I do see software matches for the ARP class in the policy-map:

Software Counters:
Class-map: CoPP-CLASS-ARP (match-all)
1492439 packets, 89546340 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: protocol arp
police: cir 8192000 bps, bc 256000 bytes
conformed 1492439 packets, 89546340 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: transmit
conformed 0000 bps, exceed 0000 bps

However, the output from "show mls qos protocol arp" still seems to indicate that ARP traffic is being dropped somewhere, even though software and hardware counters for the ARP class show 0 drops. -- Brandon Ewing (nicotine at warningg.com)
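A check for the counter mismatch Brandon describes (hardware counters in his first message, software counters in this one), as an added example that is not from the thread or from Cisco: it parses both outputs, embedded here as reconstructed sample input, and reports when the dedicated ARP class is only counted in software while class-default is policing ARP toward the RP in hardware. The parsing assumes the column layout of the two commands exactly as quoted; other IOS releases may print differently.

```python
import re

# Constructed sample input: the two outputs quoted in the thread, re-laid
# out by hand; the numbers are the ones the poster showed.
MLS_QOS_PROTOCOL_ARP = """\
   Int Mod Dir  Class-map  DSCP Agg Trust Fl  AgForward-By  AgPoliced-By
                                 Id        Id
-------------------------------------------------------------------------
   CPP   6  In  CoPP-CLASS    0   8  dscp   0             0             0
   CPP   6  In  class-defa    0   7  dscp   0     715557790     105287223
   All   6   -  Default       0   0*  No    0  173681814237             0
"""
POLICY_MAP_CONTROL_PLANE = """\
Hardware Counters:
 class-map: CoPP-CLASS-ARP (match-all)
  Match: protocol arp
  police :
   8192000 bps 256000 limit 256000 extended limit
  Earl in slot 6 :
   0 bytes
   5 minute offered rate 0 bps
   aggregate-forwarded 0 bytes action: transmit
   exceeded 0 bytes action: transmit
   aggregate-forward 0 bps exceed 0 bps
Software Counters:
 Class-map: CoPP-CLASS-ARP (match-all)
  1492439 packets, 89546340 bytes
  5 minute offered rate 0000 bps, drop rate 0000 bps
  Match: protocol arp
  police:
   cir 8192000 bps, bc 256000 bytes
   conformed 1492439 packets, 89546340 bytes; actions: transmit
   exceeded 0 packets, 0 bytes; actions: transmit
"""

def parse_mls_qos_protocol(text):
    """Data rows of 'show mls qos protocol <proto>': the last two columns are
    the aggregate forwarded / policed byte counts per class-map."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) == 10 and t[-1].isdigit() and t[-2].isdigit():
            rows.append({"intf": t[0], "dir": t[2], "class": t[3],
                         "forwarded": int(t[-2]), "policed": int(t[-1])})
    return rows

CLASS_RE = re.compile(r"^\s*[Cc]lass-map:\s+(\S+)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
# The hardware section counts bytes, the software section counts packets.
HW_RES = {"forwarded": re.compile(r"aggregate-forwarded\s+(\d+)\s+bytes"),
          "exceeded": re.compile(r"^\s*exceeded\s+(\d+)\s+bytes")}
SW_RES = {"conformed": re.compile(r"^\s*conformed\s+(\d+)\s+packets"),
          "exceeded": re.compile(r"^\s*exceeded\s+(\d+)\s+packets")}

def parse_policy_map_control_plane(text):
    """Per-class hardware and software policer counters, keyed by class name."""
    classes, section, cur = {}, None, None
    for line in text.splitlines():
        if line.startswith("Hardware Counters"):
            section = "hw"
        elif line.startswith("Software Counters"):
            section = "sw"
        elif CLASS_RE.match(line):
            name = CLASS_RE.match(line).group(1)
            cur = classes.setdefault(name, {"match": [], "hw": {}, "sw": {}})
        elif cur is not None and MATCH_RE.match(line):
            crit = MATCH_RE.match(line).group(1)
            if crit not in cur["match"]:
                cur["match"].append(crit)
        elif cur is not None and section is not None:
            for key, rx in (HW_RES if section == "hw" else SW_RES).items():
                m = rx.search(line)
                if m:
                    cur[section][key] = int(m.group(1))
    return classes

def audit_arp_copp(mls_text, policy_text):
    """Flag an ARP class that the PFC never hits (counts only in software)
    and ARP being policed by class-default on the way to the RP."""
    classes = parse_policy_map_control_plane(policy_text)
    arp_classes = [n for n, c in classes.items() if "protocol arp" in c["match"]]
    findings, hw_active = [], False
    for name in arp_classes:
        c = classes[name]
        hw_hits = sum(c["hw"].values())
        sw_hits = sum(c["sw"].values())
        if hw_hits > 0:
            hw_active = True
        elif sw_hits > 0:
            findings.append(f"{name}: {sw_hits} ARP packets seen only in software; "
                            "the class is not policing ARP in hardware")
    default_policed = sum(r["policed"] for r in parse_mls_qos_protocol(mls_text)
                          if r["intf"] == "CPP" and r["class"].startswith("class-defa"))
    if default_policed > 0:
        findings.append(f"class-default policed {default_policed} bytes of ARP "
                        "toward the RP; ARP shares the catch-all policer")
    return {"arp_classes": arp_classes, "hw_active": hw_active,
            "class_default_policed_bytes": default_policed, "findings": findings}
```

Run against the sample it returns two findings: the ARP class is software-only, and class-default has policed 105287223 bytes of ARP, which is the drop Brandon could not account for from the class counters alone.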
From saku at ytti.fi Tue Feb 9 16:28:29 2010 From: saku at ytti.fi (Saku Ytti) Date: Tue, 9 Feb 2010 23:28:29 +0200 Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP In-Reply-To: <4B71C1FD.4000609@inex.ie> References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <4B71C1FD.4000609@inex.ie> Message-ID: <20100209212829.GA2183@mx.ytti.net> On (2010-02-09 20:13 +0000), Nick Hilliard wrote: > so, this looks like an effective attack vector for trashing sup720 RPs then > - if you have l2 access to the device. Makes a good argument for > implementing arp sponges on core paths and edges so that this cannot be > exploited remotely. I personally choose to police all ARP, so the attack vector is to congest ARP so that no new hosts can come up, but nothing that used to work would break. If this were JNPR then all hosts would break after ARP timeouts, as JNPR does not refresh the ARP cache on traffic. But there are plenty of attack vectors in L2, like IXP or IS-IS packets, with no special rate-limiter so they will go to 'class-default'. > I assume that ipv6 nd is sufficiently high up the protocol stack that it > can be managed by copp? There is an mls rate-limiter for ND, but that will also affect transit traffic. -- ++ytti From saku at ytti.fi Tue Feb 9 16:30:14 2010 From: saku at ytti.fi (Saku Ytti) Date: Tue, 9 Feb 2010 23:30:14 +0200 Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP In-Reply-To: <20100209201535.GE24950@radiological.warningg.com> References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <20100209201535.GE24950@radiological.warningg.com> Message-ID: <20100209213014.GB2183@mx.ytti.net> On (2010-02-09 14:15 -0600), Brandon Ewing wrote: > Even so, my ARP traffic would STILL hit the class-default class for the CoPP > profile, and be rate-limited before reaching the Sup, no?
MLS rate-limiters are run before CoPP, so whatever ARP would come through would indeed match your class-default. > In it, it says that Rodney Dunn contacted the author to state that > matching protocol ARP in a class map on the Sup720 SHOULD work. Oh cool, I wonder if it then was a software issue all along or if this is a new feature in PFC3C. -- ++ytti From Bryan at bryanfields.net Tue Feb 9 17:18:31 2010 From: Bryan at bryanfields.net (Bryan Fields) Date: Tue, 09 Feb 2010 17:18:31 -0500 Subject: [c-nsp] VRF aware IPSec for remote access without xauth In-Reply-To: <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com> References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com> <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com> Message-ID: <4B71DF37.9080203@bryanfields.net> On 2/9/2010 14:41, Jay Nakamura wrote: > I have not explained my situation very well so let me restart. > > VPN is client VPN, not LAN to LAN. The old style IPsec Cisco VPN > client, not Anyconnect client. > > Internet access on the router is on one VRF. Network we want to > access via VPN is on another VRF. See below config. > > I have gotten it to work so far where it will connect, do Xauth, and > establish connection. You can see the VPN client IP in the routing > table of the Customer VRF. Traffic gets sent to the VPN from the > client but nothing from the Customer VRF comes back out to the VPN. Have you thought about doing this using a Virtual-Template so each client lives on a "real" interface? This prevents the retarded way packets get handled when they go out a crypto map on an interface. All you have to do is put the template interface in the VRF and it should work. Now I've never done something this crazy before, but I'm interested to see how it works.
-- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net From nick at inex.ie Tue Feb 9 17:18:28 2010 From: nick at inex.ie (Nick Hilliard) Date: Tue, 09 Feb 2010 22:18:28 +0000 Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP In-Reply-To: <20100209213014.GB2183@mx.ytti.net> References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <20100209201535.GE24950@radiological.warningg.com> <20100209213014.GB2183@mx.ytti.net> Message-ID: <4B71DF34.2060105@inex.ie> On 09/02/2010 21:30, Saku Ytti wrote: > Oh cool, I wonder if it then was software issue always or if this is > new feature in PFC3C. I think this was before the pfc3c's time; the original text is here: http://aharp.ittns.northwestern.edu/papers/copp.html ... last edited 2005. Nick From merlyn at Geeks.ORG Tue Feb 9 17:29:11 2010 From: merlyn at Geeks.ORG (Doug McIntyre) Date: Tue, 9 Feb 2010 16:29:11 -0600 Subject: [c-nsp] problems migrating to a 3550 In-Reply-To: <63656D8795A13249B35AD1E5FFAB2F7F026BC379@EX04.service.utwente.nl> References: <20100203100235.T43899@shell.xecu.net> <63656D8795A13249B35AD1E5FFAB2F7F026BC379@EX04.service.utwente.nl> Message-ID: <20100209222911.GA16479@geeks.org> On Wed, Feb 03, 2010 at 05:58:12PM +0100, j.vaningenschenau at utwente.nl wrote: > > Things in vlan2 on the HP switch can reach the IP address of the 3550 > > on > > vlan2 just fine, vlan2 is solid. > > > > However, things in vlan1 on the HP switch cannot reach the IP of the > > 3550 > > on vlan1, and anything attached to 3550 on vlan1 ports cannot reach > > anything on vlan1 on the HP switch. > > You could try either: > > * Setting VLAN 1 as untagged on the Procurve side, or > * configuring "switchport trunk native vlan tag" on the Cisco side. > > (or avoid using VLAN 1, which is what we always do between Cisco and HP > switches) Cisco itself recommends against using VLAN 1 in all configs beyond the basic setup as well (in some SRND). 
Mixing up traffic on VLAN1 between any vendors is a crapshoot; it is highly recommended to avoid VLAN1.

From tvarriale at comcast.net Tue Feb 9 17:59:33 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 9 Feb 2010 16:59:33 -0600
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>
Message-ID: <8F7A23CCABE9459DA149965D4659A22D@flamdt01>

----- Original Message -----
From: "Livio Zanol Puppim"
To: "Brad Hedlund"
Cc: "Cisco NSP ((E-mail))'"
Sent: Tuesday, February 09, 2010 4:40 AM
Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer

> The only REAL advantage so far is the vPC...

You forgot the bottom line for most companies: cost.

From tvarriale at comcast.net Tue Feb 9 18:14:19 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 9 Feb 2010 17:14:19 -0600
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com>
Message-ID: <0B4B5F938B6C42FD91139B6EC46D334D@flamdt01>

----- Original Message -----
From: "Livio Zanol Puppim"
To: "Brad Hedlund"
Cc: "Cisco NSP ((E-mail))'"
Sent: Tuesday, February 09, 2010 4:40 AM
Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer

> Unfortunately, nexus 2000 is just a fabric extender and can ONLY be
> attached to Nexus 5000... Maybe CISCO changes its later...

No maybe about it.

> 10 nexus 2000 using all uplink ports = 40 ports. Yes, 40 ports that I must
> use at my nexus 5000. That's more than 1 entire switch (1RU) and almost
> 1 switch (2RU).

I wouldn't recommend designing a network that way.

> I haven't figured out yet what's the advantage of having this design (nexus
> 2000 -> nexus 5000) other than the "old" one (catalyst 4948 -> nexus
> 7000/cisco 6500).

That's what I'm talking about. Cheap, high density 1g, scalable infrastructure for right now. And, in the near future, they will throw some fantastic features on top of that.
tv

From amsoares at netcabo.pt Tue Feb 9 20:55:08 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 10 Feb 2010 01:55:08 -0000
Subject: [c-nsp] WebVPN Issue
Message-ID:

Hello group,

I'm facing a strange issue with IOS Based WebVPN: when user X is connected and then another user uses the same user X, the second user is not able to connect but the first user loses connectivity.

I have this with IOS 12.4.24T and AC 2.3.2016 running on a 2821.

This is not expected behavior, right ?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

From kuscent01 at yahoo.com.ph Tue Feb 9 20:56:48 2010
From: kuscent01 at yahoo.com.ph (Sherwin Torres)
Date: Wed, 10 Feb 2010 09:56:48 +0800 (SGT)
Subject: [c-nsp] Inbound traffic
Message-ID: <151074.37847.qm@web76513.mail.sg1.yahoo.com>

Hi,

I have multiple upstream providers, a combination of tier1 and tier2 networks. Sample:

1. AS1 - AS200 - AS30
2. AS1 - AS300 - AS30
3. AS1 - AS400 - AS20 - AS30

In the above scenario, I am using AS30 and I need to access AS1. The outbound traffic can be forced using the localpref to prefer which path I can use for the outbound; however, my dilemma is the inbound traffic. Since samples 1 and 2 have a shorter path from AS1 going to AS30, these might be the best return path while sample 3 is the least priority due to the longer path. Is there a way I can manipulate the inbound and outbound via sample 3 without contacting AS1?

Thanks in advance.

From jlewis at lewis.org Tue Feb 9 22:23:25 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 9 Feb 2010 22:23:25 -0500 (EST)
Subject: [c-nsp] Inbound traffic
In-Reply-To: <151074.37847.qm@web76513.mail.sg1.yahoo.com>
References: <151074.37847.qm@web76513.mail.sg1.yahoo.com>
Message-ID:

On Wed, 10 Feb 2010, Sherwin Torres wrote:

> 1. AS1 - AS200 - AS30
> 2. AS1 - AS300 - AS30
> 3. AS1 - AS400 - AS20 - AS30
>
> In the above scenario, I am using AS30 and I need to access AS1.
> The outbound traffic can be forced using the localpref to prefer which
> path I can use for the outbound; however, my dilemma is the inbound
> traffic. Since samples 1 and 2 have a shorter path from AS1 going to AS30,
> these might be the best return path while sample 3 is the least
> priority due to the longer path. Is there a way I can manipulate the inbound
> and outbound via sample 3 without contacting AS1?

The short answer is as-path prepending of your announced routes to as200 and as300.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From brhedlun at cisco.com Tue Feb 9 23:07:06 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Tue, 9 Feb 2010 22:07:06 -0600
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: <009f01caa9a8$e9b259a0$bd170ce0$@net>
References: <62D362B3-C7D5-4456-B6DC-91FD85203383@cisco.com> <8F2F3DB5-7970-41C4-969E-11445C507CDE@cisco.com> <009f01caa9a8$e9b259a0$bd170ce0$@net>
Message-ID:

Ray,
My point there, put another way, is that Data Center operating costs are going to be scrutinized more now than ever before. Internal IT needs to get lean and mean. The real possibility of wholesale outsourcing of Data Center applications and operations to cloud providers is just around the corner. Depending on your role in IT, that could be a good thing, or a bad thing. Those who are viewed as champions for driving efficiency and reducing total cost of ownership will do just fine.

Disclaimer: I speak for myself. These are my opinions, and not necessarily those of my employer.
--
Brad Hedlund, CCIE #5530
Technology Solutions Architect, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Feb 9, 2010, at 10:57 AM, Ray Burkholder wrote:

>>
>> Business leaders are hearing a lot about cloud computing these days,
>> and its cost advantages to the business. Yet there is a valid concern
>> with data privacy and security that comes with public cloud computing.
>> If internal IT can transform their data centers into a private cloud,
>> or at least drastically improve the operational efficiency and total
>> cost of ownership of their own data centers ... the wholesale
>> outsourcing of the data center applications to the public cloud become
>> less attractive to the business leaders.
>
> I'm not quite sure I understand the impact of that last statement... "become
> less attractive to the business leaders." Is that a good thing or a bad
> thing? i.e., is going into the public cloud a good thing or a bad thing?
> And if business leaders "transform their data centers into a private cloud",
> isn't that still a private network? Or are there additional ramifications
> of this, i.e., going the virtualization path and making everything server
> non-centric?
>
> Ray
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From mksmith at adhost.com Tue Feb 9 23:30:28 2010
From: mksmith at adhost.com (Michael K. Smith)
Date: Tue, 09 Feb 2010 20:30:28 -0800
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
Message-ID:

Brad:

On 2/9/10 8:07 PM, "Brad Hedlund" wrote:

> Ray,
> My point there, put another way, is that Data Center operating costs are going
> to be scrutinized more now than ever before.
They are always scrutinized by those of us supplying those services. I'm sure there were some folks in the 90's .com bubble that were able to throw dollars around, but almost all data center ops that I know of are working with clearly defined cost/benefit data.

> Internal IT needs to get lean and mean. The real possibility of wholesale
> outsourcing of Data Center applications and operations to cloud providers is
> just around the corner.

Really. Centralize all that is decentralized and decentralize all that is centralized. Rinse. Repeat. I appreciate the benefit of decentralized infrastructure for particular applications and environments, but it is not a panacea. If you work in regulated environments (HIPAA, SOX, PCI, etc.) then "the cloud" is not sufficient for your regulatory needs. However, you can build your own "cloud" which we used to call a Wide Area Network.

In addition, the true costs of data center operations, regardless of whether or not it's my DC or Google's DC, are power and cooling. And most of us are working *very* hard at minimizing those recurring costs. A switch? A router? Those costs are small in comparison to cooling 100k of data center with 15Kw per rack.

> Depending on your role in IT, that could be a good thing, or a bad thing.
> Those who are viewed as champions for driving efficiency and reducing total
> cost of ownership will do just fine.
>

OPEX vs. CAPEX. Going to "the cloud" reduces CAPEX but I've yet to see where it uniformly reduces OPEX. There are lots of applications that benefit greatly, and others that don't. There are some evolutionary concepts at play, but I don't see the sea change that $vendors are seizing.

> Disclaimer: I speak for myself. These are my opinions, and not necessarily
> those of my employer.
>

Then you should post from your gmail account.
Regards,

Mike

From aftab.siddiqui at gmail.com Wed Feb 10 00:05:26 2010
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Wed, 10 Feb 2010 10:05:26 +0500
Subject: [c-nsp] Inbound traffic
In-Reply-To:
References: <151074.37847.qm@web76513.mail.sg1.yahoo.com>
Message-ID: <3c605ce11002092105h5d6d08bcg4ca1eb2f0c288f61@mail.gmail.com>

Hi Sherwin,

Inbound traffic can also be altered on the basis of prefix advertisement. If you are advertising a more specific prefix, i.e. /22 or /24 (though not recommended with tier1 service providers), your inbound traffic will always take the desired path.

And yes, as-path prepend is also an option.

Regards,

Aftab A. Siddiqui

On Wed, Feb 10, 2010 at 8:23 AM, Jon Lewis wrote:

> On Wed, 10 Feb 2010, Sherwin Torres wrote:
>
>> 1. AS1 - AS200 - AS30
>> 2. AS1 - AS300 - AS30
>> 3. AS1 - AS400 - AS20 - AS30
>>
>> In the above scenario, I am using AS30 and I need to access AS1. The
>> outbound traffic can be forced using the localpref to prefer which
>> path I can use for the outbound; however, my dilemma is the inbound
>> traffic. Since samples 1 and 2 have a shorter path from AS1 going to AS30,
>> these might be the best return path while sample 3 is the least
>> priority due to the longer path. Is there a way I can manipulate the inbound
>> and outbound via sample 3 without contacting AS1?
>>
>
> The short answer is as-path prepending of your announced routes to as200
> and as300.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>

From jlewis at lewis.org Wed Feb 10 00:53:19 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 10 Feb 2010 00:53:19 -0500 (EST)
Subject: [c-nsp] Inbound traffic
In-Reply-To: <551724.66623.qm@web76516.mail.sg1.yahoo.com>
References: <551724.66623.qm@web76516.mail.sg1.yahoo.com>
Message-ID:

On Wed, 10 Feb 2010, Sherwin Torres wrote:

> Anyway, I agree but you might be confused by my inquiry. In the internet
> cloud, there are lots of interconnected ASes and if I'm going to prepend
> the announcement to AS200 and AS300 - all inbound traffic will pass to
> AS20 alone.

Not necessarily. Based on the info you provided, prepending once to 200 and 300 will give you equal path lengths on the 3 paths, and something other than as-path will be used for best path selection.

> Actually, what I want is - to isolate a specific AS (AS1) to pass via
> AS400-AS20-AS30 as the primary return path while other ASes from the
> internet cloud would still be the best path going to AS30.

It sounds like what you want is providers who support BGP communities that would let you tune things like prepending or propagation of routes to certain of their peers. The further away from your network you're trying to influence things, the harder it's going to be to do. i.e. if as200 and as300 supported it, you could announce your routes to them with tags that say to prepend a few times when advertising to as1, making the AS1 - AS400 - AS20 - AS30 path more favorable.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From aftab.siddiqui at gmail.com Wed Feb 10 00:55:10 2010
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Wed, 10 Feb 2010 10:55:10 +0500
Subject: [c-nsp] Inbound traffic
In-Reply-To: <551724.66623.qm@web76516.mail.sg1.yahoo.com>
References: <3c605ce11002092105h5d6d08bcg4ca1eb2f0c288f61@mail.gmail.com> <551724.66623.qm@web76516.mail.sg1.yahoo.com>
Message-ID: <3c605ce11002092155h2015611chebb67f5c8c05044f@mail.gmail.com>

Dear Sherwin,

You only want to influence the traffic coming in from AS1 and from nowhere else. For that I am afraid you have to contact AS1 in some way; almost all Tier1 providers have preset community attributes to change the traffic going towards their peers. You have to send a bgp community having an AS1:xxx sort of value. I guess I am making it more complicated :)

Kindly take a look at the following link, it will help you understand how Tier1 providers do that.

http://www.onesc.net/communities/as7922/

Regards,

Aftab A. Siddiqui

On Wed, Feb 10, 2010 at 10:28 AM, Sherwin Torres wrote:

> Hi Jon & Aftab,
>
> Thank you very much for your inputs.
>
> Anyway, I agree but you might be confused by my inquiry. In the internet cloud,
> there are lots of interconnected ASes and if I'm going to prepend the
> announcement to AS200 and AS300 - all inbound traffic will pass to AS20
> alone.
>
> Actually, what I want is - to isolate a specific AS (AS1) to pass via
> AS400-AS20-AS30 as the primary return path while other ASes from the
> internet cloud would still be the best path going to AS30.
>
>
> Thanks.
>
> --- On Wed, 2/10/10, Aftab Siddiqui wrote:
>
> From: Aftab Siddiqui
> Subject: Re: [c-nsp] Inbound traffic
> To: "Jon Lewis"
> Cc: "Sherwin Torres" , cisco-nsp at puck.nether.net
> Date: Wednesday, 10 February, 2010, 1:05 PM
>
> Hi Sherwin,
>
> Inbound traffic can also be altered on the basis of prefix advertisement.
> If you are advertising a more specific prefix, i.e. /22 or /24 (though not
> recommended with tier1 service providers), your inbound traffic will always
> take the desired path.
>
> And yes, as-path prepend is also an option.
>
> Regards,
>
> Aftab A. Siddiqui
>
> On Wed, Feb 10, 2010 at 8:23 AM, Jon Lewis wrote:
>
>> On Wed, 10 Feb 2010, Sherwin Torres wrote:
>>
>>> 1. AS1 - AS200 - AS30
>>> 2. AS1 - AS300 - AS30
>>> 3. AS1 - AS400 - AS20 - AS30
>>>
>>> In the above scenario, I am using AS30 and I need to access AS1. The
>>> outbound traffic can be forced using the localpref to prefer which
>>> path I can use for the outbound; however, my dilemma is the inbound
>>> traffic. Since samples 1 and 2 have a shorter path from AS1 going to AS30,
>>> these might be the best return path while sample 3 is the least
>>> priority due to the longer path. Is there a way I can manipulate the inbound
>>> and outbound via sample 3 without contacting AS1?
>>>
>>
>> The short answer is as-path prepending of your announced routes to as200
>> and as300.
>>
>> ----------------------------------------------------------------------
>>  Jon Lewis                   |  I route
>>  Senior Network Engineer     |  therefore you are
>>  Atlantic Net                |
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>>
From kuscent01 at yahoo.com.ph Wed Feb 10 00:28:46 2010
From: kuscent01 at yahoo.com.ph (Sherwin Torres)
Date: Wed, 10 Feb 2010 13:28:46 +0800 (SGT)
Subject: [c-nsp] Inbound traffic
In-Reply-To: <3c605ce11002092105h5d6d08bcg4ca1eb2f0c288f61@mail.gmail.com>
Message-ID: <551724.66623.qm@web76516.mail.sg1.yahoo.com>

Hi Jon & Aftab,

Thank you very much for your inputs.

Anyway, I agree but you might be confused by my inquiry. In the internet cloud, there are lots of interconnected ASes and if I'm going to prepend the announcement to AS200 and AS300 - all inbound traffic will pass to AS20 alone.

Actually, what I want is - to isolate a specific AS (AS1) to pass via AS400-AS20-AS30 as the primary return path while other ASes from the internet cloud would still be the best path going to AS30.

Thanks.

--- On Wed, 2/10/10, Aftab Siddiqui wrote:

From: Aftab Siddiqui
Subject: Re: [c-nsp] Inbound traffic
To: "Jon Lewis"
Cc: "Sherwin Torres" , cisco-nsp at puck.nether.net
Date: Wednesday, 10 February, 2010, 1:05 PM

Hi Sherwin,

Inbound traffic can also be altered on the basis of prefix advertisement. If you are advertising a more specific prefix, i.e. /22 or /24 (though not recommended with tier1 service providers), your inbound traffic will always take the desired path.

And yes, as-path prepend is also an option.

Regards,

Aftab A. Siddiqui

On Wed, Feb 10, 2010 at 8:23 AM, Jon Lewis wrote:

On Wed, 10 Feb 2010, Sherwin Torres wrote:

1. AS1 - AS200 - AS30
2. AS1 - AS300 - AS30
3. AS1 - AS400 - AS20 - AS30

In the above scenario, I am using AS30 and I need to access AS1. The outbound traffic can be forced using the localpref to prefer which path I can use for the outbound; however, my dilemma is the inbound traffic. Since samples 1 and 2 have a shorter path from AS1 going to AS30, these might be the best return path while sample 3 is the least priority due to the longer path. Is there a way I can manipulate the inbound and outbound via sample 3 without contacting AS1?
The short answer is as-path prepending of your announced routes to as200 and as300.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From gert at greenie.muc.de Wed Feb 10 02:52:54 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 10 Feb 2010 08:52:54 +0100
Subject: [c-nsp] Inbound traffic
In-Reply-To: <551724.66623.qm@web76516.mail.sg1.yahoo.com>
References: <3c605ce11002092105h5d6d08bcg4ca1eb2f0c288f61@mail.gmail.com> <551724.66623.qm@web76516.mail.sg1.yahoo.com>
Message-ID: <20100210075254.GS9556@greenie.muc.de>

Hi,

On Wed, Feb 10, 2010 at 01:28:46PM +0800, Sherwin Torres wrote:
> Actually, what I want is - to isolate a specific AS (AS1) to pass
> via AS400-AS20-AS30 as the primary return path while other ASes
> from the internet cloud would still be the best path going to AS30.

In some specific circumstances, this might work (AS400-20-30 having community settings to force traffic that way, and 30+20 honouring transitive communities).

In most cases, it's not going to work. Welcome to the Internet.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From p.mayers at imperial.ac.uk Wed Feb 10 04:17:59 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 10 Feb 2010 09:17:59 +0000
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <4B71C1FD.4000609@inex.ie>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <4B71C1FD.4000609@inex.ie>
Message-ID: <4B7279C7.1020807@imperial.ac.uk>

On 02/09/2010 08:13 PM, Nick Hilliard wrote:
> On 09/02/2010 19:37, Saku Ytti wrote:
>> I think you've gathered relevant and correct data, I don't think PFC3
>> supports ARP match in CoPP. So you must use MLS rate-limiter, where you
>> have to remember that AFAIK this is also for transit ARP which you might be
>> bridging as a switch.
>
> so, this looks like an effective attack vector for trashing sup720 RPs then
> - if you have l2 access to the device. Makes a good argument for
> implementing arp sponges on core paths and edges so that this cannot be
> exploited remotely.

Correct.

>
> I assume that ipv6 nd is sufficiently high up the protocol stack that it
> can be managed by copp?

Off the top of my head I think CoPP is run in software for ipv6 traffic.

From saku at ytti.fi Wed Feb 10 04:45:44 2010
From: saku at ytti.fi (Saku Ytti)
Date: Wed, 10 Feb 2010 11:45:44 +0200
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <4B7279C7.1020807@imperial.ac.uk>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <4B71C1FD.4000609@inex.ie> <4B7279C7.1020807@imperial.ac.uk>
Message-ID: <20100210094544.GA5185@mx.ytti.net>

On (2010-02-10 09:17 +0000), Phil Mayers wrote:

> >I assume that ipv6 nd is sufficiently high up the protocol stack that it
> >can be managed by copp?
>
> Off the top of my head I think CoPP is run in software for ipv6 traffic.

Actually it is fully supported in hardware; I was also long under the impression it is not.
Of course one has to remember the ACL compression issue: PFC3 does not have enough bits in ACL TCAM for full IPv6 data, so you can decide on one of two ways to operate:

a) default
   - lookup up to /128 in ACL is in hardware
   - lookup to L4 data is punted

b) compressed
   - lookup up to /88 is in hardware
   - lookup past /88 is punted
   - lookup to L4 ports and flags is in hardware (16+16+8+88 -> 128)

I would argue that default is mostly useless and that you want to run your system in compressed mode. Just remember always to round the IP lookup to /88; usually this shouldn't be any security concern, as you assign such large netblocks that all hosts inside a /88 would have the same security posture.

--
  ++ytti

From rjs at eng.gxn.net Wed Feb 10 04:47:03 2010
From: rjs at eng.gxn.net (Rob Shakir)
Date: Wed, 10 Feb 2010 09:47:03 +0000
Subject: [c-nsp] Cisco 6500/Sup720 ARP CoPP
In-Reply-To: <4B71DF34.2060105@inex.ie>
References: <20100209192334.GD24950@radiological.warningg.com> <20100209193732.GA28912@mx.ytti.net> <20100209201535.GE24950@radiological.warningg.com> <20100209213014.GB2183@mx.ytti.net> <4B71DF34.2060105@inex.ie>
Message-ID: <7071A32D-7ECF-4410-A067-E4588FA8A197@eng.gxn.net>

On 9 Feb 2010, at 22:18, Nick Hilliard wrote:

> On 09/02/2010 21:30, Saku Ytti wrote:
>> Oh cool, I wonder if it then was software issue always or if this is
>> new feature in PFC3C.
>
> I think this was before the pfc3c's time; the original text is here:
>
> http://aharp.ittns.northwestern.edu/papers/copp.html

Hi Nick,

After some testing this morning, I'm a bit confused around this feature. There appears to be plenty of documentation that implies that CoPP is not supported for ARP on PFC3 (EARL7.5) type boxes. For example [0] - which is again from 2005, with the relevant quote being:

"ARP policies are not supported by CoPP. To protect the system by ARP broadcast a useful tool is 'mls qos protocol arp police'."

[1] also appears to say this too.
So, my current understanding was that "match proto arp" is not something that one can do on 6500 (within CoPP).

On our existing PFC3BXL boxes, I can check the hardware QoS entries for ARP, with a configured class-default (so, this would imply that arp should perhaps fall within this), and I get the following:

7600#remote command switch show tcam interface vlan 1013 qos type2 arp | i ^([ ]+)[MAUFT]
    T    arp any any

When I check this on a 6500 with PFC3C, I do get an entry that implies policing would occur:

6500#remote command switch show tcam interface vlan 1013 qos type2 arp | i ^([ ]+)[MAUFT]
    MAU  arp any any
    AT   arp any any
    T    arp any any

However, I'm not sure whether this is a function of having "match protocol arp" or whether this is being caught by class-default.

With a CoPP policy that is very basic for example purposes:

policy-map POLICY-COPP-INPUT
  class COPP-ARP
    police cir 80000000 bc 2500000 be 2500000 conform-action transmit exceed-action drop violate-action drop
  class class-default
    police cir 100000000 bc 312500 be 312500 conform-action transmit exceed-action drop violate-action drop

This results in the MAU arp entry above. With a small amount of ARP traffic, I can see something in the software counters:

    Class-map: COPP-ARP (match-all)
      61 packets, 3660 bytes

However, sh mls qos arp shows that the COPP-ARP class map hasn't forwarded any traffic:

6500#sh mls qos arp | i CPP
   CPP  5 In  COPP-ARP     0  3  dscp 0       0  0
   CPP  5 In  class-defa   0  1  dscp 0  665667  0
   CPP  6 In  COPP-ARP     0  3  dscp 0       0  0
   CPP  6 In  class-defa   0  1  dscp 0       0  0

In addition, the MAU entry in the hardware is actually related to the class-default as far as I can see, not my class COPP-ARP. Applying a policy-map that has no COPP-ARP in it (identical to the one above, otherwise) produces a similar hardware entry.
6500#remote command switch show tcam interface vlan 1013 qos type2 arp | i ^([ ]+)[MAUFT]
    MAU  arp any any
    AT   arp any any
    T    arp any any

This behaviour doesn't seem to change whether or not I configure "mls qos protocol ARP police..." on the box in question.

So, it appears to me like there's some confusion here - I'm not sure I can explain why the class-default in a policy-map on PFC3C appears to operate differently to PFC3BXL in terms of creating the hardware entry that the SP shows. In addition, I'm not entirely sure that this is being matched by the 'match proto arp' part of the policy-map.

It'd be nice to get some clarification of what this is actually doing! On your 6K5/7K6s do you see the same thing as this, or is any ARP class-map showing forwarding and/or policing?

Kind regards,
Rob

[0]: http://www.cisco.com/web/strategy/docs/gov/DATM_CoPP_ERSPAN_NetFlow.pdf
[1]: http://www.ciscosystems.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html

--
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077
mob: +44797 155 4098
pgp: 0xc07e6deb
nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html

From asturluismi at gmail.com Wed Feb 10 06:54:14 2010
From: asturluismi at gmail.com (luismi)
Date: Wed, 10 Feb 2010 12:54:14 +0100
Subject: [c-nsp] ip source guard in the switch layer without DHCP
Message-ID: <1265802854.11279.3.camel@hal9000>

According to this link

http://www.packetlife.net/blog/2009/may/25/ip-source-guard-without-dhcp/

it is possible to deploy "ip source guard" without a dhcp environment. I think it could be interesting for some parts of our network here.

The problem is that the configuration is...

SW(config)#ip source binding 001d.60b3.0add vlan 10 10.0.0.10 interface f0/10
SW(config)#ip source binding 0023.7d00.d0a8 vlan 10 10.0.0.20 interface f0/20

What about if the server connected to that port is sending multicast traffic?
Is it possible to apply several entries to the same mac address with multiple addresses and also multicast addresses?

From david.freedman at uk.clara.net Wed Feb 10 06:56:48 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 10 Feb 2010 11:56:48 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B71A1D2.10909@imperial.ac.uk>
References: <4B7143C3.1030005@oldnick.ru> <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk>
Message-ID: <4B729F00.6070806@uk.clara.net>

> IOS: SXF15a

*ouch*, please upgrade to SXH/I to get event driven BGP....

From scottowens12 at gmail.com Wed Feb 10 07:52:20 2010
From: scottowens12 at gmail.com (scott owens)
Date: Wed, 10 Feb 2010 06:52:20 -0600
Subject: [c-nsp] firewalling authenticated wireless traffic
Message-ID:

Hello,

We offer wireless connectivity to about 500 to 1000 users/devices that authenticate with machine & domain credentials via WPA2.
Currently we send this through a HA pair of ASA5520s where the rule for this traffic essentially is any->any := ok.

Does anyone let this type of traffic directly into their core networks - perhaps still restricting other types of wlans with controllers or firewalls? Did you start off with firewalls and move to direct connects, the other way around, just do it with ACLs, treat all wireless as foreign and have to authenticate "extra"?

My thought is that our wireless traffic is likely more secure than our plain wired networks - at this point without 802.1x on lan.

Thank you,
Scott

From p.mayers at imperial.ac.uk Wed Feb 10 08:10:54 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 10 Feb 2010 13:10:54 +0000
Subject: [c-nsp] firewalling authenticated wireless traffic
In-Reply-To:
References:
Message-ID: <4B72B05E.8080204@imperial.ac.uk>

On 10/02/10 12:52, scott owens wrote:
> Hello,
>
> We offer wireless connectivity to about 500 to 1000 users/devices that
> authenticate with machine & domain credentials via WPA2.
> Currently we send this through a HA pair of ASA5520s where the rule for this
> traffic essentially is any->any := ok.
> Does anyone let this type of traffic directly into their core networks -
> perhaps still restricting other types of wlans with controllers or firewalls

We do exactly the same thing. The main rationale is that we could drop in rules in a hurry during a mass outbreak such as Blaster or Slammer.

> My thought is that our wireless traffic is likely more secure than our plain
> wired networks - at this point without 802.1x on lan.

Indeed.

From koug at intracom.gr Wed Feb 10 09:12:32 2010
From: koug at intracom.gr (John Kougoulos)
Date: Wed, 10 Feb 2010 16:12:32 +0200 (EET)
Subject: [c-nsp] firewalling authenticated wireless traffic
In-Reply-To:
References:
Message-ID:

>
> We offer wireless connectivity to about 500 to 1000 users/devices that
> authenticate with machine & domain credentials via WPA2.
> My thought is that our wireless traffic is likely more secure than our plain
> wired networks - at this point without 802.1x on lan.
>

but the wireless signal probably travels outside your premises. Therefore someone who has stolen a laptop will stop near your building and get inside your network easily, since most probably the credentials are saved on the PC. And you rely on WPA2 because it has not been broken. yet.

Client VPN & two factor authentication is safer I think, but I guess you'll have to forget about wifi phones.

You can also block user-to-user traffic (like private vlans) to avoid eg attacks between the associated machines, while not connected on the vpn.

Regards,
John

From brhedlun at cisco.com Wed Feb 10 10:01:30 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Wed, 10 Feb 2010 09:01:30 -0600
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References:
Message-ID:

Michael-

On Feb 9, 2010, at 10:30 PM, Michael K. Smith wrote:

>
> "the cloud" is not sufficient for your regulatory needs. However, you can
> build your own "cloud" which we used to call a Wide Area Network.

That's exactly my point if you've been following this thread. Internal IT *can* build/buy their own private cloud. The VCE vBlock is one example of that, and there is a good reason why the vBlock has fabric extenders. Applying the same old thinking to data center design isn't going to build a private cloud.

>
> A switch? A router? Those costs are small in comparison to cooling 100k of data center with 15Kw per rack.

Agree 1000%. This thread started off in the minutia of server access layer switches, but there is a much larger equation here as you point out (the multitude of servers). However while the switch itself may seem like minutia, the architectural plays you make at the server access switching layer can have a broader reaching impact on power & cooling efficiencies. Again there is a reason the VCE vBlock has FCoE.
> Then you should post from your gmail account.

What difference would that make? We're all adults here.

Cheers,
Brad

--
Brad Hedlund, CCIE #5530
Technology Solutions Architect, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

From jmplank at gmail.com Wed Feb 10 10:08:19 2010
From: jmplank at gmail.com (Jason Plank)
Date: Wed, 10 Feb 2010 10:08:19 -0500
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer

Brad,

You just made a terrible assumption. :)

Jason

>> Then you should post from your gmail account.
>
> What difference would that make? We're all adults here.
>
>
> Cheers,
> Brad
>
>
> --
> Brad Hedlund, CCIE #5530
> Technology Solutions Architect, Data Center
> bhedlund at cisco.com
> http://www.internetworkexpert.org

--
Jason Plank (CCIE #16560)

From mhuff at ox.com Wed Feb 10 10:14:00 2010
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 10 Feb 2010 10:14:00 -0500
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>

With IP services on a 3560-E, is it possible to do server load balancing?
If so, any caveats that I should be aware of? We just need to front-end two
web servers (Oracle Identity Management) for HTTP and HTTPS (no SSL
offloading needed). I hate to have to buy an ACE just for these two servers.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From mtinka at globaltransit.net Wed Feb 10 09:45:52 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 10 Feb 2010 22:45:52 +0800
Subject: [c-nsp] Layer 2 VLAN advice..
In-Reply-To: <078c01caa515$80907ed0$81b17c70$@unwiredltd.com>
References: <023701caa381$81a9d4a0$84fd7de0$@unwiredltd.com>
 <201002030817.24147.mtinka@globaltransit.net>
 <078c01caa515$80907ed0$81b17c70$@unwiredltd.com>
Message-ID: <201002102245.53583.mtinka@globaltransit.net>

On Thursday 04 February 2010 05:11:49 am Peter Kranz wrote:

> So in terms of enabling MPLS on a fully meshed set of
> routers running BGP and OSPF..
>
> Here are the general steps I believe;
>
> #conf t
> tag-switching advertise-tags
> !
> int g0/0
>  mtu 9216
>  tag-switching ip
> !

Be very careful here - changing the interface MTU would bring down OSPF, as
adjacencies with other OSPF speakers depend on the link MTU being the same
for both sides.

However, yes, MPLS needs larger-than-default Ethernet MTUs to work, so 9,000
bytes is good.

To guard against dropping your OSPF adjacencies, set 'ip mtu 1500' so that
OSPF can continue to use 1,500 bytes while all other protocols (including
MPLS) use 9,000. You can then regularize this setup once your MPLS turn-up
is complete.

Cheers,

Mark.

From dcp at dcptech.com Wed Feb 10 10:36:26 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 10:36:26 -0500
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>
Message-ID: <01a101caaa66$cf5f5d00$6e1e1700$@com>

IOS SLB is on the 6500 and 7200. Not on the 3560-E / 3750-E.

Could always use anycast via a loopback on the servers and let CEF ECMP take
care of it. But this is typically only done for UDP applications. Not sure
if EOT is on the 3560-E for static routes, or you could use BGP from the
servers.
David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Matthew Huff
> Sent: Wednesday, February 10, 2010 10:14 AM
> To: 'cisco-nsp (cisco-nsp at puck.nether.net)'
> Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
>
> With IP services on a 3560-E, is it possible to do server load
> balancing? If so, any caveats that I should be aware of? We just need
> to front-end two web servers (Oracle Identity Management) for HTTP and
> HTTPS (no SSL offloading needed). I hate to have to buy an ACE just for
> these two servers.
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>

From psirt at cisco.com Wed Feb 10 11:00:00 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 10 Feb 2010 11:00:00 -0500
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance
Message-ID: <201002101100.ironport@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort
Encryption Appliance

Advisory ID: cisco-sa-20100210-ironport

Revision 1.0

For Public Release 2010 February 10 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco IronPort Encryption Appliance devices contain two vulnerabilities
that allow remote, unauthenticated access to any file on the device and
one vulnerability that allows remote, unauthenticated users to execute
arbitrary code with elevated privileges. There are workarounds available
to mitigate these vulnerabilities.

Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco IronPort Encryption Appliance versions are affected
by these vulnerabilities:

  * Cisco IronPort Encryption Appliance 6.5 versions prior to 6.5.2
  * Cisco IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1
  * Cisco IronPort PostX MAP versions prior to 6.2.9.1

The version of software that is running on a Cisco IronPort Encryption
Appliance is located on the "About" page of the Cisco IronPort Encryption
Appliance administration interface.

Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult the
Obtaining Fixed Software section of this advisory for more information.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IronPort C, M, and S-Series appliances are not affected by these
vulnerabilities.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only.

The Cisco IronPort Encryption Appliance contains two information
disclosure vulnerabilities that allow remote, unauthenticated access to
arbitrary files on vulnerable devices via the embedded HTTPS server.

The first vulnerability, affecting the Cisco IronPort Encryption
Appliance administration interface, is documented in IronPort bug 65921
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2010-0143.

The second vulnerability, affecting the WebSafe servlet, is documented
in IronPort bug 65922 and has been assigned Common Vulnerabilities and
Exposures (CVE) identifier CVE-2010-0144.
The Cisco IronPort Encryption Appliance contains a remote code execution
vulnerability that allows an unauthenticated attacker to run arbitrary
code with elevated privileges on vulnerable devices via the embedded
HTTPS server. The vulnerability is documented in IronPort bug 65923 and
has been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2010-0145.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

IronPort Bug 65921 - Arbitrary File Access Through Administrative Interface

CVSS Base Score - 7.8
  Access Vector           - Network
  Access Complexity       - Low
  Authentication          - None
  Confidentiality Impact  - Complete
  Integrity Impact        - None
  Availability Impact     - None

CVSS Temporal Score - 6.4
  Exploitability          - Functional
  Remediation Level       - Official-Fix
  Report Confidence       - Confirmed

IronPort Bug 65922 - WebSafe DistributorServlet Allows Unauthenticated
Arbitrary File Access

CVSS Base Score - 7.8
  Access Vector           - Network
  Access Complexity       - Low
  Authentication          - None
  Confidentiality Impact  - Complete
  Integrity Impact        - None
  Availability Impact     - None

CVSS Temporal Score - 6.4
  Exploitability          - Functional
  Remediation Level       - Official-Fix
  Report Confidence       - Confirmed

IronPort Bug 65923 - Default Config Allows Unauthenticated Remote
Arbitrary Code

CVSS Base Score - 10
  Access Vector           - Network
  Access Complexity       - Low
  Authentication          - None
  Confidentiality Impact  - Complete
  Integrity Impact        - Complete
  Availability Impact     - Complete

CVSS Temporal Score - 8.3
  Exploitability          - Functional
  Remediation Level       - Official-Fix
  Report Confidence       - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may allow a remote,
unauthenticated attacker to access arbitrary files or execute arbitrary
code with elevated privileges.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

Workarounds
===========

It is possible to mitigate the administration interface file access
vulnerability (IronPort Bug 65921) by using the IP address restriction
feature of the administration interface to limit access to trusted
hosts. Access to the administration interface is not restricted by
default. To configure access limits, an administrator should navigate to
the "Configuration -> Web Services -> Admin -> Console Security" area in
the Cisco IronPort Encryption Appliance administration interface.

It is possible to work around the remote code execution vulnerability
(IronPort Bug 65923) by disabling HTTP Invoker in the Cisco IronPort
Encryption Appliance configuration files. To disable the HTTP Invoker,
an administrator must delete several files in the PostX application home
directory and remove a directive from the web server configuration.

The following files must be deleted:

  jboss/server/postx/deploy/http-invoker.sar
  jboss/server/postx/deploy/jms/jbossmq-httpil.sar

The following directive must be removed from the
"jboss/server/postx/conf/jboss-service.xml" web server configuration
file:
After deleting the files and removing the directive from the
configuration file, the PostX application service must be restarted.

Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100210-ironport.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by Cisco IronPort. Customers should contact Cisco IronPort
technical support at the link below to obtain software fixes. Cisco
IronPort technical support will assist customers in determining the
correct fixes and installation procedures. Customers should direct all
warranty questions to IronPort technical support.

Note: Do not contact psirt at cisco.com or security-alert at cisco.com
for software upgrades.

http://www.ironport.com/support/contact_support.html

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.

These vulnerabilities were discovered and reported to Cisco by Jesse
Michael and Alexander Senkevitch of Blue Cross Blue Shield of Illinois.
Cisco would like to thank Jesse and Alexander for reporting these
vulnerabilities to us and for working with us on a coordinated
disclosure.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2010-FEB-10 | Initial public release        |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security
notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----

iD8DBQFLctPY86n/Gc8U/uARAozcAKCZKW3TZKhWHGqRyyPhEz/sFRNGoACbB8rh
H9asrIkxuFpOpSgFLdpV7D8=
=ahIn
-----END PGP SIGNATURE-----

From amsoares at netcabo.pt Wed Feb 10 11:14:37 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 10 Feb 2010 16:14:37 -0000
Subject: [c-nsp] WebVPN Issue

Thank you both for your inputs. I still cannot share the config since I saw
this in a production network and I'm still trying to reproduce it in the
lab.

But the "debug ip routing" says it all:

1) When user X connects, he gets ip=10.10.10.166

RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]

2) When another user tries the connection with the same user X:

RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32

So the router deletes the route, adds it and removes it again. This explains
the loss of connectivity.

We have RADIUS authentication and the RADIUS server assigns a pre-defined IP
to each user. So when the RADIUS server sends the same IP, it seems the
router gets confused.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of Farrukh Haroon
Sent: Wednesday, 10 February 2010 6:27
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net; Cisco certification
Subject: Re: WebVPN Issue

No, it works fine for multiple users, we have it running. If you can post the
sanitized config, I can have a look.
Also check your 'show tcp brief' output to see if you have any stale
connections there. We faced a similar issue, and putting 'service
tcp-keepalives-in' fixed the issue (you may put 'out' as well).

We are running 12.4(15)Tx though.

Regards

Farrukh

On Wed, Feb 10, 2010 at 4:55 AM, Antonio Soares wrote:

> Hello group,
>
> I'm facing a strange issue with IOS-based WebVPN: when user X is connected
> and then another user uses the same user X, the second
> user is not able to connect but the first user loses connectivity. I have
> this with IOS 12.4.24T and AC 2.3.2016 running on a 2821.
> This is not expected behavior, right?
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt

From lists at hojmark.org Wed Feb 10 11:16:29 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 10 Feb 2010 17:16:29 +0100
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>

On Wed, 10 Feb 2010 10:14:00 -0500, you wrote:

> With IP services on a 3560-E, is it possible to do server load balancing?

No.

-A

From mhuff at ox.com Wed Feb 10 11:20:13 2010
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 10 Feb 2010 11:20:13 -0500
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <01a101caaa66$cf5f5d00$6e1e1700$@com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>
 <01a101caaa66$cf5f5d00$6e1e1700$@com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>

Yes, it looks like IOS SLB is only available on the 6500/7600. Too bad.
This is for straight reverse-proxy web caches for Oracle WebCache, so it
uses HTTP/HTTPS. We may have to purchase an ACE appliance. Anyone have any
suggestions for a turnkey (not Linux server based, etc.) appliance that does
HTTP/HTTPS load balancing?
Something as simple and cheap as possible.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: David Prall [mailto:dcp at dcptech.com]
> Sent: Wednesday, February 10, 2010 10:36 AM
> To: Matthew Huff; 'cisco-nsp'
> Subject: RE: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
>
> IOS SLB is on the 6500 and 7200. Not on the 3560-E / 3750-E.
>
> Could always use anycast via a loopback on the servers and let CEF ECMP take
> care of it. But this is typically only done for UDP applications. Not sure
> if EOT is on the 3560-E for static routes, or you could use BGP from the
> servers.
>
> David
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Matthew Huff
> > Sent: Wednesday, February 10, 2010 10:14 AM
> > To: 'cisco-nsp (cisco-nsp at puck.nether.net)'
> > Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> >
> > With IP services on a 3560-E, is it possible to do server load
> > balancing? If so, any caveats that I should be aware of? We just need
> > to front-end two web servers (Oracle Identity Management) for HTTP and
> > HTTPS (no SSL offloading needed). I hate to have to buy an ACE just for
> > these two servers.
> >
> > ----
> > Matthew Huff       | One Manhattanville Rd
> > OTA Management LLC | Purchase, NY 10577
> > http://www.ox.com  | Phone: 914-460-4039
> > aim: matthewbhuff  | Fax:   914-460-4139
> >

From dcp at dcptech.com Wed Feb 10 11:38:11 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 11:38:11 -0500
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com>
 <01a101caaa66$cf5f5d00$6e1e1700$@com>
 <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>
Message-ID: <01c301caaa6f$6f76aa20$4e63fe60$@com>

Create a loopback interface on the servers with the VIP. Point a static
route for the VIP at the servers' physical addresses; make the VIP on the
same subnet as the physicals. Let CEF take care of it. You lose a lot of
dynamic capabilities that are available via monitoring. You'll need Enhanced
Object Tracking to monitor that the server is alive.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: Matthew Huff [mailto:mhuff at ox.com]
> Sent: Wednesday, February 10, 2010 11:20 AM
> To: 'David Prall'; 'cisco-nsp'
> Subject: RE: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
>
> Yes, it looks like IOS SLB is only available on the 6500/7600. Too bad.
> This is for straight reverse-proxy web caches for Oracle WebCache, so it
> uses HTTP/HTTPS. We may have to purchase an ACE appliance. Anyone have
> any suggestions for a turnkey (not Linux server based, etc.) appliance
> that does HTTP/HTTPS load balancing? Something as simple and cheap as
> possible.
>
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>
>
> > -----Original Message-----
> > From: David Prall [mailto:dcp at dcptech.com]
> > Sent: Wednesday, February 10, 2010 10:36 AM
> > To: Matthew Huff; 'cisco-nsp'
> > Subject: RE: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> >
> > IOS SLB is on the 6500 and 7200. Not on the 3560-E / 3750-E.
> >
> > Could always use anycast via a loopback on the servers and let CEF
> > ECMP take care of it. But this is typically only done for UDP applications.
> > Not sure if EOT is on the 3560-E for static routes, or you could use BGP
> > from the servers.
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > > bounces at puck.nether.net] On Behalf Of Matthew Huff
> > > Sent: Wednesday, February 10, 2010 10:14 AM
> > > To: 'cisco-nsp (cisco-nsp at puck.nether.net)'
> > > Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> > >
> > > With IP services on a 3560-E, is it possible to do server load
> > > balancing? If so, any caveats that I should be aware of? We just need
> > > to front-end two web servers (Oracle Identity Management) for HTTP and
> > > HTTPS (no SSL offloading needed). I hate to have to buy an ACE just for
> > > these two servers.
> > >
> > > ----
> > > Matthew Huff       | One Manhattanville Rd
> > > OTA Management LLC | Purchase, NY 10577
> > > http://www.ox.com  | Phone: 914-460-4039
> > > aim: matthewbhuff  | Fax:   914-460-4139
> > >

From amsoares at netcabo.pt Wed Feb 10 12:24:12 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 10 Feb 2010 17:24:12 -0000
Subject: [c-nsp] WebVPN Issue
In-Reply-To: <228953D7-1A44-4DF5-81D2-8EA1A6F3BDD4@iementor.com>
References: <228953D7-1A44-4DF5-81D2-8EA1A6F3BDD4@iementor.com>
Message-ID: <6D6176D9927649BDA2E3133781A145AF@int.convex.pt>

Yes, it works fine with a local pool. In this case, the AC client gets a
message saying "no address assigned".

I was able to reproduce the problem in the meanwhile. It makes sense that
the 2nd user is not able to establish the session, but it doesn't make sense
that the 1st loses his connection. This seems a bug to me.

Thanks.
Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Roman Rodichev [mailto:romangs at iementor.com]
Sent: Wednesday, 10 February 2010 17:03
To: Antonio Soares
Cc: Farrukh Haroon; Cisco certification
Subject: Re: WebVPN Issue

So that might be the problem. How can you assign a different IP from RADIUS
for concurrent logins? It should work with a local pool.

Sent from my iPhone

On Feb 10, 2010, at 10:14 AM, "Antonio Soares" wrote:

> Thank you both for your inputs. I still cannot share the config
> since I saw this in a production network and I'm still trying to
> reproduce it in the lab.
>
> But the "debug ip routing" says it all:
>
> 1) When user X connects, he gets ip=10.10.10.166
>
> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>
> 2) When another user tries the connection with the same user X:
>
> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
> RT(VRF_X): delete subnet route to 10.10.10.166/32
> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
> RT(VRF_X): delete subnet route to 10.10.10.166/32
>
> So the router deletes the route, adds it and removes it again. This
> explains the loss of connectivity.
>
> We have RADIUS authentication and the RADIUS server assigns a
> pre-defined IP to each user. So when the RADIUS server sends the same
> IP, it seems the router gets confused.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf
> Of Farrukh Haroon
> Sent: Wednesday, 10 February 2010 6:27
> To: Antonio Soares
> Cc: cisco-nsp at puck.nether.net; Cisco certification
> Subject: Re: WebVPN Issue
>
> No, it works fine for multiple users, we have it running. If you can
> post the sanitized config, I can have a look.
>
> Also check your 'show tcp brief' output to see if you have any stale
> connections there. We faced a similar issue, and putting 'service
> tcp-keepalives-in' fixed the issue (you may put 'out' as well).
>
> We are running 12.4(15)Tx though.
>
> Regards
>
> Farrukh
>
>
>
> On Wed, Feb 10, 2010 at 4:55 AM, Antonio Soares wrote:
>
>> Hello group,
>>
>> I'm facing a strange issue with IOS-based WebVPN: when user X is
>> connected and then another user uses the same user X, the second
>> user is not able to connect but the first user loses connectivity.
>> I have this with IOS 12.4.24T and AC 2.3.2016 running on a 2821.
>> This is not expected behavior, right?
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>
>

From scottowens12 at gmail.com Wed Feb 10 12:30:39 2010
From: scottowens12 at gmail.com (scott owens)
Date: Wed, 10 Feb 2010 11:30:39 -0600
Subject: [c-nsp] firewalling authenticated wireless traffic

> From: John Kougoulos
> To: scott owens
>
> > We offer wireless connectivity to about 500 to 1000 user/devices
> > that authenticate with machine & domain credentials via WPA2.
> >
> > My thought is that our wireless traffic is likely more secure than our
> > plain wired networks - at this point without 802.1x on the LAN.
>
> But the wireless signal probably travels outside your premises.
> Therefore someone who has stolen a laptop will stop near your building and
> get inside your network easily, since most probably the credentials
> are saved on the PC.

User credentials are not cached, machine ones are - of course. They really
would not have to go to this effort - they could just plug a laptop into our
network. 802.1x/NAC is not yet implemented internally.

> And you rely on WPA2 because it has not been broken. Yet.
> Client VPN & two-factor authentication is safer I think, but I guess you'll
> have to forget about Wi-Fi phones.
>
> You can also block user-to-user traffic (like private VLANs) to avoid
> e.g. attacks between the associated machines while not connected on the VPN.

We do use Citrix SSL VPNs for our app connectivity both internally and
externally, so there is no difference to the end user in look and feel when
they use a device, and we do a separate SSID/network for phones as well; it
has ACLs restricting it to only the phone portion of the network. There are a
couple of options for Cisco WiSMs on where/how you do peer-to-peer blocking -
we selected stopping it closest to the client for the wireless PC devices.

So I think you are in agreement it is OK to just plug into the network
directly?

> Regards,
> John
>
>

From gkg at gmx.de Wed Feb 10 12:50:09 2010
From: gkg at gmx.de (Garry)
Date: Wed, 10 Feb 2010 18:50:09 +0100
Subject: [c-nsp] Limiting DHCP on a Bridge Group
Message-ID: <4B72F1D1.3080709@gmx.de>

Hi,

I've got a setup that could use some tweaking ...

CPE is an 876W, with the 4 wired switch ports (read: VLAN1) and the WLAN
being in a bridge group, LAN IP on the BVI1 interface.

LAN ports are only for designated boxes, while there are select users that
may use the WLAN link to connect. For those, the router is running as a DHCP
server, too.

Anyway, I would like to limit the DHCP answers to just the WLAN link.
I know I could go ahead and just split up the bridge group, with routing
between the networks, but due to some other requirements, WLAN and wired LAN
need to be in the same broadcast domain (at least unless the customer goes
through some major reconfiguration).

I've received a suggestion to use a policy map with class maps matching on
protocol DHCP and the incoming interfaces, dropping the traffic when it
matched, while still forwarding the class default ... anyway, I tried
setting that up, but still got DHCP on the FE ports ...

Any other suggestions? Or some hint on what I missed? Here's an excerpt from
the config ...

---
class-map match-all NODHCP
 match protocol dhcp
 match input-interface FastEthernet0
class-map match-all NODHCP1
 match protocol dhcp
 match input-interface FastEthernet1
class-map match-all NODHCP2
 match protocol dhcp
 match input-interface FastEthernet2
class-map match-all NODHCP3
 match protocol dhcp
 match input-interface FastEthernet3
!
policy-map NODHCP
 class NODHCP
  drop
 class NODHCP1
  drop
 class NODHCP2
  drop
 class NODHCP3
  drop
 class class-default
!
interface BVI1
 ip address 10.1.1.1 255.255.255.0
 service-policy input NODHCP
---

Help appreciated, -garry

From dcp at dcptech.com Wed Feb 10 13:04:47 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 13:04:47 -0500
Subject: [c-nsp] Limiting DHCP on a Bridge Group
In-Reply-To: <4B72F1D1.3080709@gmx.de>
References: <4B72F1D1.3080709@gmx.de>
Message-ID: <01d101caaa7b$8855bca0$990135e0$@com>

Match protocol is NBAR; I can never remember which require "ip nbar
protocol-discovery" on the interface.
Why not use an access-list denying DHCP:

 deny udp any eq bootpc any eq bootps

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Garry
> Sent: Wednesday, February 10, 2010 12:50 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Limiting DHCP on a Bridge Group
>
> Hi,
>
> I've got a setup that could use some tweaking ...
>
> CPE is an 876W, with the 4 wired switch ports (read: VLAN1) and the WLAN
> being in a bridge group, LAN IP on the BVI1 interface.
>
> LAN ports are only for designated boxes, while there are select users
> that may use the WLAN link to connect. For those, the router is running
> as a DHCP server, too.
> Anyway, I would like to limit the DHCP answers to just the WLAN link. I
> know I could go ahead and just split up the bridge group, with routing
> between the networks, but due to some other requirements, WLAN and wired
> LAN need to be in the same broadcast domain (at least unless the
> customer goes through some major reconfiguration).
>
> I've received a suggestion to use a policy map with class maps
> matching on protocol DHCP and the incoming interfaces, dropping the traffic
> when it matched, while still forwarding the class default ... anyway, I
> tried setting that up, but still got DHCP on the FE ports ...
>
> Any other suggestions? Or some hint on what I missed? Here's an excerpt
> from the config ...
>
> ---
> class-map match-all NODHCP
>  match protocol dhcp
>  match input-interface FastEthernet0
> class-map match-all NODHCP1
>  match protocol dhcp
>  match input-interface FastEthernet1
> class-map match-all NODHCP2
>  match protocol dhcp
>  match input-interface FastEthernet2
> class-map match-all NODHCP3
>  match protocol dhcp
>  match input-interface FastEthernet3
> !
> policy-map NODHCP
>  class NODHCP
>   drop
>  class NODHCP1
>   drop
>  class NODHCP2
>   drop
>  class NODHCP3
>   drop
>  class class-default
> !
> interface BVI1
>  ip address 10.1.1.1 255.255.255.0
>  service-policy input NODHCP
>
> Help appreciated, -garry
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From globichen at gmail.com Wed Feb 10 13:44:07 2010
From: globichen at gmail.com (Andy B.)
Date: Wed, 10 Feb 2010 19:44:07 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B71A1D2.10909@imperial.ac.uk>
References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk>
Message-ID:

I am currently facing this strange behaviour once again. Nothing suspicious in terms of CPU:

#sh proc cpu sort | ex 0.00
CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23%
 PID Runtime(ms)   Invoked   uSecs   5Sec   1Min   5Min TTY Process
 123   823552748 891845755     923  1.35%  1.32%  1.24%   0 IP Input
 142    42990360 548209142      78  0.63%  0.15%  0.06%   0 IP SNMP
 176    81597832 313530395     260  0.63%  0.20%  0.12%   0 SNMP ENGINE
 286    95557652  68837887    1388  0.31%  4.77%  4.27%   0 BGP Router
  46        8724      6895    1265  0.31%  0.33%  0.24%   2 SSH Process
 169    98755140   5844411   16897  0.31%  0.31%  0.31%   0 Adj Manager
   9    92740444 222352412     417  0.23%  0.40%  0.41%   0 ARP Input
 320    20411156 140247526     145  0.15%  1.64%  1.57%   0 BGP I/O
 180    64470940  51288798    1257  0.15%  0.58%  0.44%   0 CEF process
 167    27190044 390437731      69  0.15%  0.12%  0.10%   0 IPv6 Input

#remote command switch sh proc cpu sort | ex 0.00
CPU utilization for five seconds: 10%/0%; one minute: 14%; five minutes: 20%
 PID Runtime(ms)   Invoked   uSecs   5Sec   1Min   5Min TTY Process
 102   577414400  14603714   39539  5.19%  2.76%  2.58%   0 Vlan Statistics
  42 11702922242664309865       0  3.91%  3.83%  3.87%   0 slcp process
 257    79620728  46604862    1708  0.23%  1.31%  0.92%   0 CEF process
 152    24224440  35123075     689  0.15%  0.08%  0.07%   0 CEF LC Stats
  33    29231032 224654615     130  0.15%  0.08%  0.07%   0 SCP Download Lis
 131    39865856   1338254   29789  0.07%  0.08%  0.11%   0 TCAM Manager pro
 127    37865260 135955648     278  0.07%  0.07%  0.07%   0 Spanning Tree
 187    12366092   3103775    3984  0.07%  0.04%  0.05%   0 v6fib stat colle
 239    11888108   8600338    1382  0.07%  0.04%  0.03%   0 LTL MGR cc

Packet loss to the router (nothing behind it) is around 25%.
And still losing random BGP and OSPF sessions. SNMP graphs are not being generated either.

Currently feeling quite desperate, because I have no clue where to look next...

Andy

On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers wrote:
> On 09/02/10 17:39, Church, Charles wrote:
>>
>> I was going by the 'show proc cpu hist' he gave for both the SP and RP.
>> Both looked pretty bad across the board.
>
> His graphs don't look that dissimilar to mine, and we have no such
> problems. The peak/avg CPU don't look so unreasonable to me given the load
> and setup he's described.
>
> To summarise in this thread, it has been suggested:
>
> 1. Netflow is the problem - to which the OP said he's already tried
> disabling it
>
> 2. CPU punts, specifically gleans, are the problem - in which case CoPP or
> MLS rate limiters can be tried, but the OP really IMHO needs to confirm this
> with a span of the CPU
>
> 3. The 6500 is just no good, buy a juniper or asr1k (!) which I strongly
> dispute. It may be awkward and have odd limits, but it OUGHT TO HANDLE the
> load we've been told about; therefore something is wrong
>
> ...and lots more besides. I'm exhausted from following the thread, but my
> advice to the OP is to determine what is hitting the CPU *during an outage*,
> then proceed from there.
>
> I'm going to stop reading now.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From david.freedman at uk.clara.net Wed Feb 10 13:48:25 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 10 Feb 2010 18:48:25 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk>
Message-ID: <4B72FF79.3030502@uk.clara.net>

So, are you checking your interfaces for incrementing drop/error counters?

Are you seeing any of this when there is the problem occurring?
(clear counters, sh int summ etc..)

Dave.

What about

Andy B. wrote:
> I am currently facing this strange behaviour once again. Nothing
> suspicious in terms of CPU:
>
> #sh proc cpu sort | ex 0.00
> CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23%
>  PID Runtime(ms)   Invoked   uSecs   5Sec   1Min   5Min TTY Process
>  123   823552748 891845755     923  1.35%  1.32%  1.24%   0 IP Input
>  142    42990360 548209142      78  0.63%  0.15%  0.06%   0 IP SNMP
>  176    81597832 313530395     260  0.63%  0.20%  0.12%   0 SNMP ENGINE
>  286    95557652  68837887    1388  0.31%  4.77%  4.27%   0 BGP Router
>   46        8724      6895    1265  0.31%  0.33%  0.24%   2 SSH Process
>  169    98755140   5844411   16897  0.31%  0.31%  0.31%   0 Adj Manager
>    9    92740444 222352412     417  0.23%  0.40%  0.41%   0 ARP Input
>  320    20411156 140247526     145  0.15%  1.64%  1.57%   0 BGP I/O
>  180    64470940  51288798    1257  0.15%  0.58%  0.44%   0 CEF process
>  167    27190044 390437731      69  0.15%  0.12%  0.10%   0 IPv6 Input
>
> #remote command switch sh proc cpu sort | ex 0.00
> CPU utilization for five seconds: 10%/0%; one minute: 14%; five minutes: 20%
>  PID Runtime(ms)   Invoked   uSecs   5Sec   1Min   5Min TTY Process
>  102   577414400  14603714   39539  5.19%  2.76%  2.58%   0 Vlan Statistics
>   42 11702922242664309865       0  3.91%  3.83%  3.87%   0 slcp process
>  257    79620728  46604862    1708  0.23%  1.31%  0.92%   0 CEF process
>  152    24224440  35123075     689  0.15%  0.08%  0.07%   0 CEF LC Stats
>   33    29231032 224654615     130  0.15%  0.08%  0.07%   0 SCP Download Lis
>  131    39865856   1338254   29789  0.07%  0.08%  0.11%   0 TCAM Manager pro
>  127    37865260 135955648     278  0.07%  0.07%  0.07%   0 Spanning Tree
>  187    12366092   3103775    3984  0.07%  0.04%  0.05%   0 v6fib stat colle
>  239    11888108   8600338    1382  0.07%  0.04%  0.03%   0 LTL MGR cc
>
> Packet loss to the router (nothing behind it) is around 25%.
> And still losing random BGP and OSPF sessions. SNMP graphs are not
> being generated either.
>
> Currently feeling quite desperate, because I have no clue where to look next...
>
> Andy
>
> On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers wrote:
>> On 09/02/10 17:39, Church, Charles wrote:
>>> I was going by the 'show proc cpu hist' he gave for both the SP and RP.
>>> Both looked pretty bad across the board.
>> His graphs don't look that dissimilar to mine, and we have no such
>> problems. The peak/avg CPU don't look so unreasonable to me given the load
>> and setup he's described.
>>
>> To summarise in this thread, it has been suggested:
>>
>> 1. Netflow is the problem - to which the OP said he's already tried
>> disabling it
>>
>> 2. CPU punts, specifically gleans, are the problem - in which case CoPP or
>> MLS rate limiters can be tried, but the OP really IMHO needs to confirm this
>> with a span of the CPU
>>
>> 3. The 6500 is just no good, buy a juniper or asr1k (!) which I strongly
>> dispute. It may be awkward and have odd limits, but it OUGHT TO HANDLE the
>> load we've been told about; therefore something is wrong
>>
>> ...and lots more besides. I'm exhausted from following the thread, but my
>> advice to the OP is to determine what is hitting the CPU *during an outage*,
>> then proceed from there.
>>
>> I'm going to stop reading now.
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From globichen at gmail.com Wed Feb 10 14:00:33 2010
From: globichen at gmail.com (Andy B.)
Date: Wed, 10 Feb 2010 20:00:33 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B72FF79.3030502@uk.clara.net>
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID:

On Wed, Feb 10, 2010 at 7:48 PM, David Freedman wrote:
> So, are you checking your interfaces for incrementing drop/error counters?
>
> Are you seeing any of this when there is the problem occurring?
> (clear counters, sh int summ etc..)
>

I am having input drops all the time, no matter how high or low I set the incoming hold-queue.

The OSPF and IBGP interfaces approx. 30 minutes after I cleared the counters:

TenGigabitEthernet8/1 is up, line protocol is up (connected)
  Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0

TenGigabitEthernet9/1 is up, line protocol is up (connected)
  Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0

TenGigabitEthernet9/2 is up, line protocol is up (connected)
  Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0

These links are not congested! Te9/1 is the busiest with maybe 6.5 out of 10 Gig. The other two are below 5 Gig.

From lmeade at signal.ca Wed Feb 10 14:00:55 2010
From: lmeade at signal.ca (Leslie Meade)
Date: Wed, 10 Feb 2010 11:00:55 -0800
Subject: [c-nsp] rate-limit command not accepting ?
Message-ID:

I have got a pair of 6509E switches that we use for our core, and they are connected with fiber EtherChannels. The plan is to use the 2nd for a failover core if the 1st has failed. My testing has failover working fine. But when I add a rate-limit command on the VLAN interface it is not allowing me.
This is what I have on my primary core for a VLAN int:

interface Vlan7
 description Twilight_Production
 ip address 10.1.7.2 255.255.255.0
 ip access-group USM in
 ip helper-address 10.1.6.10
 no ip redirects
 no ip unreachables
 ip flow ingress
 rate-limit input 2096000 128000 128000 conform-action transmit exceed-action drop
 rate-limit output 2096000 128000 128000 conform-action transmit exceed-action drop
 ip route-cache flow
 no ip mroute-cache
 mls netflow sampling
 standby 15 ip 10.1.7.1
 standby 15 priority 250
 standby 15 preempt

But when I add the rate-limit commands on the 2nd core I get this:

DTCCAT-CORE01(config)#interface Vlan7
DTCCAT-CORE01(config-if)# rate-limit input 2096000 128000 128000 conform-action transmit exceed-action drop
                           ^
% Invalid input detected at '^' marker.
DTCCAT-CORE01(config-if)# rate-limit output 2096000 128000 128000 conform-action transmit exceed-action drop
                           ^
% Invalid input detected at '^' marker.

Both are running the same IOS of s3223_rp-ADVIPSERVICESK9_WAN-M, and both have the same PFC and MSFC cards. Any ideas?

From globichen at gmail.com Wed Feb 10 14:04:51 2010
From: globichen at gmail.com (Andy B.)
Date: Wed, 10 Feb 2010 20:04:51 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID:

By the way, I am using Cacti to pull out data from all my routers. Here is what Cacti is reporting when the router is behaving like now:

02/10/2010 07:39:12 PM - SPINE: Poller[0] Host[4] DS[594] WARNING: SNMP timeout detected [500 ms], ignoring host 'x.x.4.131'

The Cacti server is in a dedicated 'NOC vlan' right next to the core, not on any of these OSPF/BGP interfaces.

Andy

On Wed, Feb 10, 2010 at 8:00 PM, Andy B.
wrote:
> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman wrote:
>> So, are you checking your interfaces for incrementing drop/error counters?
>>
>> Are you seeing any of this when there is the problem occurring?
>> (clear counters, sh int summ etc..)
>>
>
> I am having input drops all the time, no matter how high or low I set
> the incoming hold-queue.
>
> The OSPF and IBGP interfaces approx. 30 minutes after I cleared the counters:
>
> TenGigabitEthernet8/1 is up, line protocol is up (connected)
>   Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/1 is up, line protocol is up (connected)
>   Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/2 is up, line protocol is up (connected)
>   Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0
>
>
> These links are not congested! Te9/1 is the busiest with maybe 6.5 out
> of 10 Gig. The other two are below 5 Gig.
>

From koug at intracom.gr Wed Feb 10 14:05:28 2010
From: koug at intracom.gr (John Kougoulos)
Date: Wed, 10 Feb 2010 21:05:28 +0200 (EET)
Subject: [c-nsp] firewalling authenticated wireless traffic
In-Reply-To:
References:
Message-ID:

Hello,

> User credentials are not cached, machine ones are - of course.

I think Windows caches user credentials, so that you can log on to a PC when there is no network connectivity.

I really don't know how WPA2/802.1x uses domain authentication. Is it Kerberos-enabled EAP?

> They really would not have to go to this effort - they could just plug a
> laptop into our network. 802.1x/NAC is not yet implemented internally.

Understood, but they would have to get into a building to get access to your network, and I suppose there is someone at the entrance who will allow only employees to enter the building? And in any case, in order to attack your network, they will have to be somewhere inside your premises, risking being caught in the act.
When they are using wireless they just need a good antenna.

> We do use Citrix SSL VPNs for our app connectivity both internally and
> externally so there is no difference to the end user from a look and feel
> when they use a device and we do separate ssid/network for phones as well
> and it has acls restricting it to only the phone portion of network. There
> are a couple of options for Cisco wisms on where/how you do peer-to-peer
> blocking - we selected stopping it closest to client for the wireless PC
> devices.

I guess the SSL VPNs have proper authentication, so in this case you have to permit access only to these devices, instead of any->any.

So if you trust the SSL VPNs externally, and you allow access only there, I guess WPA2/802.1x/Domain doesn't really make a difference compared to an Internet user or no crypto on wireless, except perhaps for DoS protection, like DHCP pool exhaustion etc.

More or less we agree that you need crypto protection based on VPN technologies, and good authentication, so you treat a wireless user as if he were an Internet user. I don't see this solution as "just plug into network directly".

Obviously the main question here is what are you trying to protect? Your network/application/data, or just your Internet connection which a neighbor may use to download videos, music (which also might get you into trouble)?

Regards,
John

From gkg at gmx.de Wed Feb 10 14:06:25 2010
From: gkg at gmx.de (Garry)
Date: Wed, 10 Feb 2010 20:06:25 +0100
Subject: [c-nsp] Limiting DHCP on a Bridge Group
In-Reply-To: <01d101caaa7b$8855bca0$990135e0$@com>
References: <4B72F1D1.3080709@gmx.de> <01d101caaa7b$8855bca0$990135e0$@com>
Message-ID: <4B7303B1.6080406@gmx.de>

On 10.02.2010 19:04, David Prall wrote:
> Match protocol is nbar, I can never remember which require "ip nbar
> protocol-discovery" on the interface.

Tried it (put it in the BVI1 interface), still getting DHCP replies though .. recognition is working fine, though ...
dhcp 2 1 1180 352

The policy map/class seem to be attached to the BVI correctly, too:

T#show policy-map int BVI1

 Service-policy input: NODHCP

   Class-map: NODHCP (match-all)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: protocol dhcp
     Match: input-interface FastEthernet0
     drop
[..]
   Class-map: class-default (match-any)
     931 packets, 57159 bytes
     5 minute offered rate 1000 bps, drop rate 0 bps
     Match: any

Even added another class with input interface of VLAN1, still no success ... on the show policy-map command, none of the class-maps show any IP traffic, except for the default class ...

After setting up two separate classes to check for either an interface, or the protocol, it looks like the protocol part is working, while the interface match seems to fail ... adding both vlan1 and bvi1, I guess the class/policy map isn't able to differentiate the incoming interface anymore at that stage, as all the traffic is listed under BVI1, though the computer used to connect to the router at that point is connected to Fa0 ...:

   Class-map: test1 (match-any)
     81 packets, 4860 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: input-interface FastEthernet0
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface FastEthernet1
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface FastEthernet2
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface FastEthernet3
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface Vlan1
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: input-interface BVI1
       81 packets, 4860 bytes
       5 minute rate 0 bps

Any suggestion as to how to get around this? Maybe adding separate VLANs to each port and binding them to the bridge group?

>
> Why not use an access-list denying dhcp
> deny udp any eq bootpc any eq bootps

Because I still need the DHCP to go through on the WLAN link?
Tnx, garry

From lukasz at bromirski.net Wed Feb 10 14:12:02 2010
From: lukasz at bromirski.net (=?ISO-8859-2?Q?=A3ukasz_Bromirski?=)
Date: Wed, 10 Feb 2010 20:12:02 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk>
Message-ID: <4B730502.3020700@bromirski.net>

On 2010-02-10 19:44, Andy B. wrote:
> I am currently facing this strange behaviour once again. Nothing
> suspicious in terms of CPU:

Are you still running SXF15a? David's advice was already - move to SXI to stay out of trouble, as the SXF train is already EOS and will hit end of software maintenance by December 2011. If you need to stay on SXF, go to SXF17 and then try to troubleshoot.

My first guess is - have you had any problems with TCAMs overflowing in the past? If so, in the nearest service window reload the box, to clean up the cache and TCAM contents. I'm only guessing that's your problem, but mysterious drops on the traffic with no process hinting high RP/SP CPU may be the issue here.

As David noted as well - any errors/drops on the interfaces themselves? Any CoPP configured on the box? mls rate-limiters?

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end."
| http://lukasz.bromirski.net

From david.freedman at uk.clara.net Wed Feb 10 14:13:21 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 10 Feb 2010 19:13:21 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID: <4B730551.9070608@uk.clara.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andy B. wrote:
> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman wrote:
>> So, are you checking your interfaces for incrementing drop/error counters?
>>
>> Are you seeing any of this when there is the problem occurring?
>> (clear counters, sh int summ etc..)
>>
>
> I am having input drops all the time, no matter how high or low I set
> the incoming hold-queue.
>
> The OSPF and IBGP interfaces approx. 30 minutes after I cleared the counters:
>
> TenGigabitEthernet8/1 is up, line protocol is up (connected)
>   Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/1 is up, line protocol is up (connected)
>   Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/2 is up, line protocol is up (connected)
>   Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0
>
>
> These links are not congested! Te9/1 is the busiest with maybe 6.5 out
> of 10 Gig. The other two are below 5 Gig.

Are these supervisor ports or on a card (i.e. 6704/6708)?
Things I would check:

- That I understand 6704 has pathetically small per-port buffers
- Hold queue input appropriate (for punt to MSFC), usually set to 4096 for these
- No IGP hello padding (if you have large MTU and pad then you must punt these big things)
- Check SPD headroom (show ip spd)
- The drops are not being reported on input due to lack of transmit buffer on output (i.e. to lower speed card); check traffic flows/pps to low speed interfaces and adjust buffers appropriately

Dave.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktzBVEACgkQtFWeqpgEZrIB+QCeKT5sqezBtRp5DWXD71VwH6Ke
tJUAnRyC67nIKx1NpYBB+g+854TtBUq3
=g6FU
-----END PGP SIGNATURE-----

From dcp at dcptech.com Wed Feb 10 14:18:53 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 14:18:53 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <4B715A02.8010604@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk>
Message-ID: <01d601caaa85$e28b1b20$a7a15160$@com>

Andy,

By excluding 0.00 you're excluding those that have had 0.00 anywhere in the time list. Just use sort and look at the top few. Although most likely the same.

If you have a number of large Ethernet subnets with few systems on them, then "sh ip arp" will contain a number of incompletes. If the entire subnet is filled with incompletes, then someone is looking for all of your systems and is most likely doing a ping sweep; then enabling "mls rate-limit unicast cef glean" will be worthwhile. These are both Adj Manager and ARP Input I believe.

The other one is if you've run out of TCAM space, because you're over the limits with the number of routes you have.
Don't know if you're running an XL or not.

CPU doesn't look out of order currently. Need to capture it ongoing to see what process is pushing it to 24%, and even then it should still be forwarding traffic. You might need to look at the DFCs as well, to see if one is having issues:

remote command module X sh proc cpu sort

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
> Sent: Wednesday, February 10, 2010 1:44 PM
> To: Phil Mayers
> Cc: nsp-cisco
> Subject: Re: [c-nsp] Best practice - Core vs Access Router
>
> I am currently facing this strange behaviour once again. Nothing
> suspicious in terms of CPU:
>
> #sh proc cpu sort | ex 0.00
> CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23%
>  PID Runtime(ms)   Invoked   uSecs   5Sec   1Min   5Min TTY Process
>  123   823552748 891845755     923  1.35%  1.32%  1.24%   0 IP Input
>  142    42990360 548209142      78  0.63%  0.15%  0.06%   0 IP SNMP
>  176    81597832 313530395     260  0.63%  0.20%  0.12%   0 SNMP ENGINE
>  286    95557652  68837887    1388  0.31%  4.77%  4.27%   0 BGP Router
>   46        8724      6895    1265  0.31%  0.33%  0.24%   2 SSH Process
>  169    98755140   5844411   16897  0.31%  0.31%  0.31%   0 Adj Manager
>    9    92740444 222352412     417  0.23%  0.40%  0.41%   0 ARP Input
>  320    20411156 140247526     145  0.15%  1.64%  1.57%   0 BGP I/O
>  180    64470940  51288798    1257  0.15%  0.58%  0.44%   0 CEF process
>  167    27190044 390437731      69  0.15%  0.12%  0.10%   0 IPv6 Input
>
> #remote command switch sh proc cpu sort | ex 0.00
> CPU utilization for five seconds: 10%/0%; one minute: 14%; five minutes: 20%
>  PID Runtime(ms)   Invoked   uSecs   5Sec   1Min   5Min TTY Process
>  102   577414400  14603714   39539  5.19%  2.76%  2.58%   0 Vlan Statistics
>   42 11702922242664309865       0  3.91%  3.83%  3.87%   0 slcp process
>  257    79620728  46604862    1708  0.23%  1.31%  0.92%   0 CEF process
>  152    24224440  35123075     689  0.15%  0.08%  0.07%   0 CEF LC Stats
>   33    29231032 224654615     130  0.15%  0.08%  0.07%   0 SCP Download Lis
>  131    39865856   1338254   29789  0.07%  0.08%  0.11%   0 TCAM Manager pro
>  127    37865260 135955648     278  0.07%  0.07%  0.07%   0 Spanning Tree
>  187    12366092   3103775    3984  0.07%  0.04%  0.05%   0 v6fib stat colle
>  239    11888108   8600338    1382  0.07%  0.04%  0.03%   0 LTL MGR cc
>
> Packet loss to the router (nothing behind it) is around 25%.
> And still losing random BGP and OSPF sessions. SNMP graphs are not
> being generated either.
>
> Currently feeling quite desperate, because I have no clue where to look
> next...
>
> Andy
>
> On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers wrote:
> > On 09/02/10 17:39, Church, Charles wrote:
> >>
> >> I was going by the 'show proc cpu hist' he gave for both the SP and RP.
> >> Both looked pretty bad across the board.
> >
> > His graphs don't look that dissimilar to mine, and we have no such
> > problems. The peak/avg CPU don't look so unreasonable to me given the
> > load and setup he's described.
> >
> > To summarise in this thread, it has been suggested:
> >
> > 1. Netflow is the problem - to which the OP said he's already tried
> > disabling it
> >
> > 2. CPU punts, specifically gleans, are the problem - in which case
> > CoPP or MLS rate limiters can be tried, but the OP really IMHO needs to
> > confirm this with a span of the CPU
> >
> > 3. The 6500 is just no good, buy a juniper or asr1k (!) which I
> > strongly dispute. It may be awkward and have odd limits, but it OUGHT TO
> > HANDLE the load we've been told about; therefore something is wrong
> >
> > ...and lots more besides. I'm exhausted from following the thread,
> > but my advice to the OP is to determine what is hitting the CPU *during an
> > outage*, then proceed from there.
> >
> > I'm going to stop reading now.
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From dcp at dcptech.com Wed Feb 10 14:22:30 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 14:22:30 -0500
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID: <01d701caaa86$64041850$2c0c48f0$@com>

Your drops and flushes counts are the same. A flush is a control plane packet that is pushed to the CPU even though the input queue was filled. I don't believe these two numbers should be the same unless all of the input queue was filled with these packets.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
> Sent: Wednesday, February 10, 2010 2:01 PM
> To: David Freedman
> Cc: nsp-cisco
> Subject: Re: [c-nsp] Best practice - Core vs Access Router
>
> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman wrote:
> > So, are you checking your interfaces for incrementing drop/error counters?
> >
> > Are you seeing any of this when there is the problem occurring?
> > (clear counters, sh int summ etc..)
> >
>
> I am having input drops all the time, no matter how high or low I set
> the incoming hold-queue.
>
> The OSPF and IBGP interfaces approx.
30 minutes after I cleared the > counters: > > TenGigabitEthernet8/1 is up, line protocol is up (connected) > Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output > drops: 0 > > TenGigabitEthernet9/1 is up, line protocol is up (connected) > Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output > drops: 0 > > TenGigabitEthernet9/2 is up, line protocol is up (connected) > Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output > drops: 0 > > > These links are not congested! Te9/1 is the busiest with maybe 6.5 out > of 10 Gig. The other two are below 5 Gig. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From david.freedman at uk.clara.net Wed Feb 10 14:25:31 2010 From: david.freedman at uk.clara.net (David Freedman) Date: Wed, 10 Feb 2010 19:25:31 +0000 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <01d701caaa86$64041850$2c0c48f0$@com> References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <01d701caaa86$64041850$2c0c48f0$@com> Message-ID: <4B73082B.3010909@uk.clara.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Prall wrote: > Your drops and flushes counts are the same. All his drops are flushes, you usually see this when the system and SPD can't deal I believe, would be interested if the system buffers for the control plane are getting misses or creation churn (sh buff) Dave. A flush is a control plane > packet that pushed to CPU even though the input queue was filled. 
I don't > believe these two numbers should be the same unless all of the input queue > was filled with these packets. > > David > > -- > http://dcp.dcptech.com > > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Andy B. >> Sent: Wednesday, February 10, 2010 2:01 PM >> To: David Freedman >> Cc: nsp-cisco >> Subject: Re: [c-nsp] Best practice - Core vs Access Router >> >> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman >> wrote: >>> So, are you checking your interfaces for incrementing drop/error >> counters? >>> Are you seeing any of this when there is the problem occuring? >>> (clear counters , sh int summ etc..) >>> >> I am having input drops all the time, no matter how high or low I set >> the incoming hold-queue. >> >> The OSPF and IBGP interfaces approx. 30 minutes after I cleared the >> counters: >> >> TenGigabitEthernet8/1 is up, line protocol is up (connected) >> Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output >> drops: 0 >> >> TenGigabitEthernet9/1 is up, line protocol is up (connected) >> Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output >> drops: 0 >> >> TenGigabitEthernet9/2 is up, line protocol is up (connected) >> Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output >> drops: 0 >> >> >> These links are not congested! Te9/1 is the busiest with maybe 6.5 out >> of 10 Gig. The other two are below 5 Gig. 
>> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktzCCsACgkQtFWeqpgEZrI6ggCgtHrGhYMz78ldFns2Ord5uuBX H2MAn1O+MGZGkkr3pPRMDrh3EsJDNBLp =qE7B -----END PGP SIGNATURE----- From globichen at gmail.com Wed Feb 10 14:28:00 2010 From: globichen at gmail.com (Andy B.) Date: Wed, 10 Feb 2010 20:28:00 +0100 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <4B730551.9070608@uk.clara.net> References: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <4B730551.9070608@uk.clara.net> Message-ID: On Wed, Feb 10, 2010 at 8:13 PM, David Freedman wrote: > - - Hold queue input appropriate (for punt to MSFC), usually set to 4096 > for these I moved from 75 to 2000 yesterday and then tried 4096. The results were more or less the same. > - - No IGP hello padding (if you have large MTU and pad then you must punt > these big things MTU is 1500 on all my interfaces throughout the entire backbone. > - - Check SPD headroom (show ip spd) #show ip spd Current mode: normal. Queue min/max thresholds: 73/74, Headroom: 100, Extended Headroom: 10 IP normal queue: 1, priority queue: 0. SPD special drop mode: none > - - The drops are not being reported on input due to lack of transmit > buffer on output (i.e to lower speed card), check traffic flows/pps to > low speed interfaces and adjust buffers appropriately Can you explain this further? Andy From globichen at gmail.com Wed Feb 10 14:29:04 2010 From: globichen at gmail.com (Andy B.) 
Date: Wed, 10 Feb 2010 20:29:04 +0100 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <4B73082B.3010909@uk.clara.net> References: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <01d701caaa86$64041850$2c0c48f0$@com> <4B73082B.3010909@uk.clara.net> Message-ID: On Wed, Feb 10, 2010 at 8:25 PM, David Freedman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > David Prall wrote: >> Your drops and flushes counts are the same. > > All his drops are flushes, you usually see this when the system and SPD > can't deal I believe, would be interested if the system buffers for the > control plane are getting misses or creation churn (sh buff) #sh buf Buffer elements: 11983 in free list (500 max allowed) 2127613198 hits, 0 misses, 11500 created Public buffer pools: Small buffers, 104 bytes (total 1024, permanent 1024, peak 9446 @ 7w0d): 978 in free list (128 min, 2048 max allowed) 2986617305 hits, 7649 misses, 9639 trims, 9639 created 0 failures (0 no memory) Medium buffers, 256 bytes (total 3000, permanent 3000): 2992 in free list (64 min, 3000 max allowed) 505691343 hits, 0 misses, 0 trims, 0 created 0 failures (0 no memory) Middle buffers, 600 bytes (total 512, permanent 512): 511 in free list (64 min, 1024 max allowed) 267289397 hits, 0 misses, 0 trims, 0 created 0 failures (0 no memory) Big buffers, 1536 bytes (total 1000, permanent 1000): 999 in free list (64 min, 1000 max allowed) 1211957882 hits, 0 misses, 0 trims, 0 created 0 failures (0 no memory) VeryBig buffers, 4520 bytes (total 10, permanent 10): 10 in free list (0 min, 100 max allowed) 561291 hits, 0 misses, 0 trims, 0 created 0 failures (0 no memory) Large buffers, 9240 bytes (total 8, permanent 8): 8 in free list (0 min, 10 max allowed) 21723 hits, 0 misses, 0 trims, 0 created 0 failures (0 no 
memory) Huge buffers, 18024 bytes (total 2, permanent 2, peak 11 @ 7w0d): 2 in free list (0 min, 4 max allowed) 637239 hits, 176 misses, 352 trims, 352 created 0 failures (0 no memory) Interface buffer pools: EOBC0/0 buffers, 1524 bytes (total 2400, permanent 2400): 923 in free list (0 min, 2400 max allowed) 1477 hits, 0 fallbacks 1200 max cache size, 956 in cache 1707029856 hits in cache, 277 misses in cache IPC buffers, 4096 bytes (total 672, permanent 672): 609 in free list (224 min, 2240 max allowed) 25575465 hits, 0 fallbacks, 0 trims, 0 created 0 failures (0 no memory) Private Huge IPC buffers, 18024 bytes (total 2, permanent 2): 2 in free list (1 min, 4 max allowed) 0 hits, 0 misses, 0 trims, 0 created 0 failures (0 no memory) Private Huge buffers, 65280 bytes (total 2, permanent 2): 2 in free list (1 min, 4 max allowed) 3806 hits, 0 misses, 0 trims, 0 created 0 failures (0 no memory) Header pools: From dcp at dcptech.com Wed Feb 10 14:30:51 2010 From: dcp at dcptech.com (David Prall) Date: Wed, 10 Feb 2010 14:30:51 -0500 Subject: [c-nsp] Limiting DHCP on a Bridge Group In-Reply-To: <4B7303B1.6080406@gmx.de> References: <4B72F1D1.3080709@gmx.de> <01d101caaa7b$8855bca0$990135e0$@com> <4B7303B1.6080406@gmx.de> Message-ID: <01d801caaa87$8e813620$ab83a260$@com> I think the match interface is looking at where the policy is assigned. I know the policy isn't supported on the physical interfaces. I have to do all my QoS on fa4 inbound. Why not place an acl on the vlan interface for the wired ports. Not sure if it would be hit first, or if the bvi would capture it. Moved to an 881 at home, so I don't have my 871W anymore. 
David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: Garry [mailto:gkg at gmx.de]
> Sent: Wednesday, February 10, 2010 2:06 PM
> To: c-nsp
> Cc: David Prall
> Subject: Re: [c-nsp] Limiting DHCP on a Bridge Group
>
> On 10.02.2010 19:04, David Prall wrote:
> > Match protocol is nbar, I can never remember which require "ip nbar
> > protocol-discovery" on the interface.
>
> Tried it (put it in the bvi1 interface), still getting DHCP replies
> though .. recognition is working fine, though ...
>
> dhcp    2       1
>         1180    352
>
> The policy map/class seem to be attached to the BVI correctly, too:
>
> T#show policy-map int
>  BVI1
>
>   Service-policy input: NODHCP
>
>     Class-map: NODHCP (match-all)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: protocol dhcp
>       Match: input-interface FastEthernet0
>       drop
> [..]
>     Class-map: class-default (match-any)
>       931 packets, 57159 bytes
>       5 minute offered rate 1000 bps, drop rate 0 bps
>       Match: any
>
> Even added another class with input interface of VLAN1, still no success
> ... on the show policy-map command, none of the class-maps show any IP
> traffic, except for the default class ...
>
> After setting up two separate classes to check for either an interface,
> or the protocol, it looks like the protocol part is working, while the
> interface match seems to fail ... adding both vlan1 and bvi1, I guess
> the class/policy map isn't able to differentiate the incoming interface
> anymore at that stage, as all the traffic is listed under BVI1, though
> the computer used to connect to the router at that point is connected to
> Fa0 ...:
>
>     Class-map: test1 (match-any)
>       81 packets, 4860 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: input-interface FastEthernet0
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface FastEthernet1
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface FastEthernet2
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface FastEthernet3
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface Vlan1
>         0 packets, 0 bytes
>         5 minute rate 0 bps
>       Match: input-interface BVI1
>         81 packets, 4860 bytes
>         5 minute rate 0 bps
>
> Any suggestion as to how to get around this? Maybe adding separate vlans
> to each port and binding them to the bridge group?
>
> > Why not use an access-list denying dhcp
> > deny udp any eq bootpc any eq bootps
>
> Because I still need the DHCP to go through on the WLAN link?
>
> Tnx, garry

From gkg at gmx.de  Wed Feb 10 14:38:46 2010
From: gkg at gmx.de (Garry)
Date: Wed, 10 Feb 2010 20:38:46 +0100
Subject: [c-nsp] Limiting DHCP on a Bridge Group
In-Reply-To: <01d801caaa87$8e813620$ab83a260$@com>
References: <4B72F1D1.3080709@gmx.de> <01d101caaa7b$8855bca0$990135e0$@com> <4B7303B1.6080406@gmx.de> <01d801caaa87$8e813620$ab83a260$@com>
Message-ID: <4B730B46.8040600@gmx.de>

On 10.02.2010 20:30, David Prall wrote:
> I think the match interface is looking at where the policy is assigned. I
> know the policy isn't supported on the physical interfaces. I have to do all
> my QoS on fa4 inbound.
>
> Why not place an acl on the vlan interface for the wired ports. Not sure if
> it would be hit first, or if the bvi would capture it.

I reckon it ends up in the BVI, as adding the access-list to vlan1 ends
up with no hits, while adding the same to the BVI increases the hit
counter correctly, and dhcp requests are blocked ... but BVI won't help
as it would also block the requests on wlan ...

From dcp at dcptech.com  Wed Feb 10 14:46:35 2010
From: dcp at dcptech.com (David Prall)
Date: Wed, 10 Feb 2010 14:46:35 -0500
Subject: [c-nsp] Limiting DHCP on a Bridge Group
In-Reply-To: <4B730B46.8040600@gmx.de>
References: <4B72F1D1.3080709@gmx.de> <01d101caaa7b$8855bca0$990135e0$@com> <4B7303B1.6080406@gmx.de> <01d801caaa87$8e813620$ab83a260$@com> <4B730B46.8040600@gmx.de>
Message-ID: <01d901caaa89$c1335a10$439a0e30$@com>

Garry,
Wondering if you could do the wireless and vlan1 as unnumbered to a
loopback. Then they are two distinct interfaces, on the same subnet. Or
could always split the subnet into two distinct /25's instead of a single
/24.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: Garry [mailto:gkg at gmx.de]
> Sent: Wednesday, February 10, 2010 2:39 PM
> To: David Prall
> Cc: 'c-nsp'
> Subject: Re: [c-nsp] Limiting DHCP on a Bridge Group
>
> On 10.02.2010 20:30, David Prall wrote:
> > I think the match interface is looking at where the policy is assigned. I
> > know the policy isn't supported on the physical interfaces. I have to do all
> > my QoS on fa4 inbound.
> >
> > Why not place an acl on the vlan interface for the wired ports. Not sure if
> > it would be hit first, or if the bvi would capture it.
>
> I reckon it ends up in the BVI, as adding the access-list to vlan1 ends
> up with no hits, while adding the same to the BVI increases the hit
> counter correctly, and dhcp requests are blocked ... but BVI won't help
> as it would also block the requests on wlan ...
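A small triage script for the counters exchanged in the "Best practice - Core vs Access Router" thread above (the drops == flushes observation and the "sh buff" misses/creation-churn check), as an added example that is not code from the list or from any poster. The sample output is constructed from the figures Andy posted, and the 1800-second interval stands in for his "approx. 30 minutes" since clear counters.

```python
"""Triage the counters posted in the 'Best practice - Core vs Access Router'
thread: 'show interface' input-queue drops vs. flushes, and 'show buffers'
misses and creation churn.  Added example; not code from any poster on the list."""
import re

# Constructed samples copied from the figures Andy posted (~30 min after 'clear counters').
SHOW_INT = """\
TenGigabitEthernet8/1 is up, line protocol is up (connected)
  Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0
TenGigabitEthernet9/1 is up, line protocol is up (connected)
  Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0
TenGigabitEthernet9/2 is up, line protocol is up (connected)
  Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0
"""
SHOW_BUFFERS = """\
Small buffers, 104 bytes (total 1024, permanent 1024, peak 9446 @ 7w0d):
     978 in free list (128 min, 2048 max allowed)
     2986617305 hits, 7649 misses, 9639 trims, 9639 created
     0 failures (0 no memory)
Medium buffers, 256 bytes (total 3000, permanent 3000):
     2992 in free list (64 min, 3000 max allowed)
     505691343 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
"""

IFACE_RE = re.compile(r"^(\S+) is .*?, line protocol is ")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)")
POOL_RE = re.compile(r"^(\w+) buffers, (\d+) bytes \(total (\d+), permanent (\d+)"
                     r"(?:, peak (\d+) @ \S+)?\):")
STATS_RE = re.compile(r"(\d+) hits, (\d+) misses, (\d+) trims, (\d+) created")

def parse_input_queues(text):
    """Map interface name -> size/max/drops/flushes from 'show interface' output."""
    queues, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = QUEUE_RE.search(line)
        if m and current:
            size, qmax, drops, flushes = map(int, m.groups())
            queues[current] = {"size": size, "max": qmax, "drops": drops, "flushes": flushes}
    return queues

def queue_findings(queues, seconds_since_clear):
    """Classify input drops.  drops == flushes means every drop was an SPD flush
    (both Davids' point), not a full hold-queue, so a bigger hold-queue cannot help."""
    out = {}
    for name, q in queues.items():
        if q["drops"] == 0:
            kind = "clean"
        elif q["drops"] == q["flushes"]:
            kind = "all-flushes"
        elif q["flushes"] == 0:
            kind = "queue-full"
        else:
            kind = "mixed"
        rate = q["drops"] / seconds_since_clear if seconds_since_clear else 0.0
        out[name] = {"kind": kind, "drops_per_sec": round(rate, 3)}
    return out

def parse_buffer_pools(text):
    """Map pool name -> counters for each public pool block of 'show buffers'."""
    pools, current = {}, None
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            current = m.group(1)
            pools[current] = {"size": int(m.group(2)), "total": int(m.group(3)),
                              "peak": int(m.group(5)) if m.group(5) else None}
            continue
        m = STATS_RE.search(line)
        if m and current:
            hits, misses, trims, created = map(int, m.groups())
            pools[current].update(hits=hits, misses=misses, trims=trims, created=created)
    return pools

def buffer_findings(pools):
    """Flag what Dave Freedman asked to look for: misses and creation churn
    (trims/created cycling); a peak above 'total' shows the pool had to grow under load."""
    flagged = {}
    for name, p in pools.items():
        reasons = []
        if p.get("misses", 0):
            reasons.append("misses")
        if p.get("created", 0) or p.get("trims", 0):
            reasons.append("churn")
        if p.get("peak") is not None and p["peak"] > p["total"]:
            reasons.append("peak-above-total")
        if reasons:
            flagged[name] = reasons
    return flagged

if __name__ == "__main__":
    for name, f in queue_findings(parse_input_queues(SHOW_INT), 1800).items():
        print(f"{name}: {f['kind']}, {f['drops_per_sec']} drops/s")
    for name, reasons in buffer_findings(parse_buffer_pools(SHOW_BUFFERS)).items():
        print(f"{name} buffers: {', '.join(reasons)}")
```

Run against Andy's figures, all three interfaces come out as "all-flushes" (which is why changing the hold-queue size made no difference) and only the Small pool is flagged.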
From tvarriale at comcast.net  Wed Feb 10 14:51:36 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 10 Feb 2010 13:51:36 -0600
Subject: [c-nsp] Best practice - Core vs Access Router
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net>
Message-ID: <338E7BE4EDEC45CBA8D1D136DF6ACDB0@flamdt01>

show ip traffic? Anything incrementing in there by a significant amount?

How fast do your drops/flushes increment?

I assume these are 6704s without DFCs? If not, what are those ports?

tv

----- Original Message -----
From: "Andy B."
To: "David Freedman"
Cc: "nsp-cisco"
Sent: Wednesday, February 10, 2010 1:00 PM
Subject: Re: [c-nsp] Best practice - Core vs Access Router

> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman wrote:
>> So, are you checking your interfaces for incrementing drop/error
>> counters?
>>
>> Are you seeing any of this when there is the problem occurring?
>> (clear counters , sh int summ etc..)
>>
>
> I am having input drops all the time, no matter how high or low I set
> the incoming hold-queue.
>
> The OSPF and IBGP interfaces approx. 30 minutes after I cleared the
> counters:
>
> TenGigabitEthernet8/1 is up, line protocol is up (connected)
>   Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/1 is up, line protocol is up (connected)
>   Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0
>
> TenGigabitEthernet9/2 is up, line protocol is up (connected)
>   Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0
>
>
> These links are not congested! Te9/1 is the busiest with maybe 6.5 out
> of 10 Gig. The other two are below 5 Gig.

From ck at sandcastl.es  Wed Feb 10 15:02:29 2010
From: ck at sandcastl.es (ck)
Date: Wed, 10 Feb 2010 12:02:29 -0800
Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BD1B393F@PUR-EXCH07.ox.com> <01a101caaa66$cf5f5d00$6e1e1700$@com> <483E6B0272B0284BA86D7596C40D29F9E2BD1B3948@PUR-EXCH07.ox.com>
Message-ID: <8c308e8b1002101202y6bfa204eo9fa618dabaad2dc2@mail.gmail.com>

i wouldn't waste money or time on an ace, you could easily get away with
using haproxy or pound

On Wed, Feb 10, 2010 at 8:20 AM, Matthew Huff wrote:
> Yes, it looks like IOS SLB is only available on the 6500/7600. Too bad.
> This is for straight reverse-proxy web caches for Oracle WebCache so it uses
> http/https. We may have to purchase an ACE appliance. Anyone have any
> suggestions for a turnkey (not linux server based, etc) appliance that does
> http/https load balancing? Something as simple and cheap as possible.
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>
> > -----Original Message-----
> > From: David Prall [mailto:dcp at dcptech.com]
> > Sent: Wednesday, February 10, 2010 10:36 AM
> > To: Matthew Huff; 'cisco-nsp'
> > Subject: RE: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> >
> > IOS SLB is on the 6500 and 7200. Not on the 3560-E / 3750-E.
> >
> > Could always use Anycast via a loopback on the servers and let CEF ECMP take
> > care of it. But this is typically only done for UDP applications. Not sure
> > if EOT is on the 3560-E for Static Routes, or you could use BGP from the
> > servers.
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Huff
> > > Sent: Wednesday, February 10, 2010 10:14 AM
> > > To: 'cisco-nsp (cisco-nsp at puck.nether.net)'
> > > Subject: [c-nsp] IOS Server Load Balancing on C3560-E switches ??
> > >
> > > With IP services on a 3560-E, is it possible to do server load
> > > balancing? If so, any caveats that I should be aware of? We just need
> > > to front end two web servers (oracle identity management) for http and
> > > https (no ssl offloading needed). I hate to have to buy an ACE just for
> > > these two servers
> > >
> > > ----
> > > Matthew Huff       | One Manhattanville Rd
> > > OTA Management LLC | Purchase, NY 10577
> > > http://www.ox.com  | Phone: 914-460-4039
> > > aim: matthewbhuff  | Fax:   914-460-4139

From Joel.Snyder at Opus1.COM  Wed Feb 10 14:32:15 2010
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Wed, 10 Feb 2010 12:32:15 -0700
Subject: [c-nsp] firewalling authenticated wireless traffic
In-Reply-To:
References:
Message-ID: <4B7309BF.4000403@opus1.com>

>>> My thought is that our wireless traffic is likely more secure than our
>>> plain wired networks - at this point without 802.1x on lan.
>
> So I think you are in agreement it is ok to just plug into network directly

Well, I wouldn't agree with that.

(Of course, this is the famously "we don't need no stinkin' firewalls"
list, but you're NOT really asking a Cisco-NSP question here--these guys
are ISP BGP wonks for the most part)

Your logic is, to me, pretty flawed: you're saying, in effect, "we have
failed to implement good security on our wired LAN, so this is an excuse
to not apply any additional security to our wireless LAN." I'd disagree
with that on general principles, especially since your LAN security
posture may change in the future and then where will your wireless be?

I agree with Phil Mayers who said they use a similar approach because it
lets them drop in firewall rules at any moment, which is a great idea.
But this is not, to me, an excuse to have completely unfettered access
when you do have the opportunity to "clean up" the traffic a little. I
also think that the point John Kougoulos made of a stolen laptop, or
stolen/borrowed credentials making you an easy target (whether
intentional or unintentional--consider the infected consultant who
borrows a staffer's credentials) is one you should heed.

Obvious examples: by definition, does every single wireless user have a
legitimate business need to get to every part of your network? If not,
block those subnets, things that they would not normally be hitting
directly (printer & VoIP vlans are obvious candidates, but other pieces
may also be right depending on how your network is segmented).

By definition, does every single wireless user have a legitimate business
need to send all ports outbound? If not, block those ports proactively.
Obvious trouble spots are SMTP--perhaps you want to destination NAT all
SMTP to your anti-spam/anti-virus gateway, or block it except to official
mail servers. But you could also proactively block known infection
vectors--destination ports such as SQL Slammer's UDP attack. If wireless
users are not domain-connected, then they probably also do not need
Windows file sharing, a HUGE known vector for malware to spread, another
good block candidate.

It all depends on how you use the wireless and how much you use the
wireless. If it's an either/or proposition for users---they are not
supposed to care whether they're on Wi-Fi or wired---then a more lenient
policy is appropriate. If wireless is more 'exceptional' use and people
aren't expected to be working full-tilt there, then a much more
aggressive filtering is appropriate.

I would also ALWAYS put UTM features such as anti-malware and, more
importantly, IPS, on that firewall between the Wi-Fi and the LAN; there
is no better and simpler way to catch early attacks than by deploying
cheap and simple protections at such choke points. (I am carefully
biting my tongue here and not saying that you must upgrade your firewall
to one that has UTM features, but you might read that in the subtext...)

In any case, taking NO precautions (except a firewall with no rules) is
probably too lenient. Certainly, if I were auditing you, I'd say that
you missed a great opportunity to add a small amount of control that can
save you a large amount of headache while costing you almost nothing.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms

From lsawyer at gci.com  Wed Feb 10 15:03:37 2010
From: lsawyer at gci.com (Leif Sawyer)
Date: Wed, 10 Feb 2010 11:03:37 -0900
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <01d601caaa85$e28b1b20$a7a15160$@com>
Message-ID: <18B2C6E38A3A324986B392B2D18ABC511C2C37@fnb1mbx01.gci.com>

Here's some of my common aliases.  top is the one that you'll probably use

!# Global Aliases (should work on all platforms
!
alias exec ifsum sho int sum | incl ^\*|Interface|: |------ alias exec sib show ip interface brief | exclude (down|unass) alias exec sid show interface description | exclude (admin|unass) alias exec top sho proc cpu sort 5sec | excl 0.00% 0.00% 0.00% alias exec ip6 show ipv6 !# Cisco 3750 series, for qos asic monitoring # the next line will wrap, so replace underscores with spaces alias_exec_drops_show_platform_port-asic_stats_drop_|_excl_((e|s|:)_0|=|_Que|Statistics|Frames|^$) privilege exec level 1 show platform port-asic stats drop > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Prall > Sent: Wednesday, February 10, 2010 10:19 AM > To: 'Andy B.'; 'Phil Mayers' > Cc: 'nsp-cisco' > Subject: Re: [c-nsp] Best practice - Core vs Access Router > > Andy, > By excluding 0.00 your excluding those that have had 0.00 > anywhere in the time list. Just use sort and look at the top > few. Although most likely the same. > > If you have a number of large Ethernet subnets with few > systems on them, then "sh ip arp" will contain a number of > incompletes. If it is the entire subnet filled with > incompletes then someone is looking for all of your systems > and is most likely doing a ping sweep, then enabling "mls > rate-limit unicast cef glean" will be worthwhile. These are > both Adj Manager and ARP Input I believe. > > The other one is if you've run out of TCAM space, because > your over the limits with the number of routes you have. > Don't know if you're running an XL or not. > > CPU doesn't look out of order currently. Need to capture it > ongoing to see what process is pushing it to 24%, and even > then it should still be forwarding traffic. 
> > You might need to look at the DFC's as well, to see if one is > having issues: > Remote command module X sh proc cpu sort > > David > > -- > http://dcp.dcptech.com > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > > bounces at puck.nether.net] On Behalf Of Andy B. > > Sent: Wednesday, February 10, 2010 1:44 PM > > To: Phil Mayers > > Cc: nsp-cisco > > Subject: Re: [c-nsp] Best practice - Core vs Access Router > > > > I am currently facing this strange behaviour once again. Nothing > > suspicious in terms of CPU: > > > > #sh proc cpu sort | ex 0.00 > > CPU utilization for five seconds: 7%/3%; one minute: 24%; > five minutes: > > 23% > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min > TTY Process > > 123 823552748 891845755 923 1.35% 1.32% 1.24% > 0 IP Input > > 142 42990360 548209142 78 0.63% 0.15% 0.06% > 0 IP SNMP > > 176 81597832 313530395 260 0.63% 0.20% 0.12% 0 SNMP > > ENGINE > > 286 95557652 68837887 1388 0.31% 4.77% 4.27% 0 BGP > > Router > > 46 8724 6895 1265 0.31% 0.33% 0.24% 2 SSH > > Process > > 169 98755140 5844411 16897 0.31% 0.31% 0.31% 0 Adj > > Manager > > 9 92740444 222352412 417 0.23% 0.40% 0.41% 0 ARP > > Input > > 320 20411156 140247526 145 0.15% 1.64% 1.57% > 0 BGP I/O > > 180 64470940 51288798 1257 0.15% 0.58% 0.44% 0 CEF > > process > > 167 27190044 390437731 69 0.15% 0.12% 0.10% 0 IPv6 > > Input > > > > #remote command switch sh proc cpu sort | ex 0.00 CPU > utilization for > > five seconds: 10%/0%; one minute: 14%; five > > minutes: 20% > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min > TTY Process > > 102 577414400 14603714 39539 5.19% 2.76% 2.58% 0 Vlan > > Statistics > > 42 11702922242664309865 0 3.91% 3.83% 3.87% 0 slcp > > process > > 257 79620728 46604862 1708 0.23% 1.31% 0.92% 0 CEF > > process > > 152 24224440 35123075 689 0.15% 0.08% 0.07% > 0 CEF LC > > Stats > > 33 29231032 224654615 130 0.15% 0.08% 0.07% 0 SCP > > Download Lis > > 131 39865856 1338254 29789 0.07% 0.08% 
0.11% 0 TCAM > > Manager pro > > 127 37865260 135955648 278 0.07% 0.07% 0.07% > 0 Spanning > > Tree > > 187 12366092 3103775 3984 0.07% 0.04% 0.05% 0 v6fib > > stat colle > > 239 11888108 8600338 1382 0.07% 0.04% 0.03% > 0 LTL MGR > > cc > > > > Packet loss to the router (nothing behind it) is around 25%. > > And still loosing random BGP and OSPF sessions. SNMP graphs are not > > being generated either. > > > > Currently feeling quite desperate, because I have no clue where to > > look next... > > > > Andy > > > > On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers > > > wrote: > > > On 09/02/10 17:39, Church, Charles wrote: > > >> > > >> I was going by the 'show proc cpu hist' he gave for both > the SP and > > RP. > > >> Both looked pretty bad across the board. > > > > > > His graphs don't look that dis-similar to mine, and we > have no such > > > problems. The peak/avg CPU don't look so unreasonable to me given > > > the > > load > > > and setup he's described. > > > > > > To summarise in this thread, it has been suggested: > > > > > > 1. Netflow is the problem - to which the OP said he's > already tried > > > disabling it > > > > > > 2. CPU punts, specifically gleans, are the problem - in > which case > > CoPP or > > > MLS rate limiters can be tried, but the OP really IMHO needs to > > confirm this > > > with a span of the CPU > > > > > > 3. The 6500 is just no good buy a juniper or asr1k (!) which I > > strongly > > > dispute. It may be awkward and have odd limits, but it OUGHT TO > > HANDLE the > > > load we've been told about; therefore something is wrong > > > > > > ...and lots more besides. I'm exhausted from following the thread, > > but my > > > advice to the OP is to determine what is hitting the CPU > *during an > > outage*, > > > then proceed from there. > > > > > > I'm going to stop reading now. 
> > > _______________________________________________ > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jeff-kell at utc.edu Wed Feb 10 16:41:49 2010 From: jeff-kell at utc.edu (Jeff Kell) Date: Wed, 10 Feb 2010 16:41:49 -0500 Subject: [c-nsp] VRFs and redirect cache... Message-ID: <4B73281D.9060401@utc.edu> In the process of chasing down an odd problem earlier this week, I ran up against a grey cloud perhaps someone can clarify. We had moved an internal NTP-configured interface (loopback) that some of our gear was configured to use as a reference server. The disappearance of the /32 route led to taking a default route, which in our topology generated a redirect to another gateway (FWSM) which was then denying the connections. Tracking back to the switches in question and "show ip redirect" indicated the cached redirect information. "clear ip redirect" removed the problem. But there seems to be only one "redirect cache", that's not a VRF-aware thing on the Catalysts. Are redirects only done by the global VRF? What's up with that? I can disable redirects and avoid the issue (at some extra-hop cost when forwarding to a non-routing ASA that can't announce a default route), but curious how redirects are handled in a multi-VRF scenario. 
Jeff From jasonleblanc at gmail.com Wed Feb 10 16:55:13 2010 From: jasonleblanc at gmail.com (Jason LeBlanc) Date: Wed, 10 Feb 2010 14:55:13 -0700 Subject: [c-nsp] Best practice - Core vs Access Router In-Reply-To: <18B2C6E38A3A324986B392B2D18ABC511C2C37@fnb1mbx01.gci.com> References: <18B2C6E38A3A324986B392B2D18ABC511C2C37@fnb1mbx01.gci.com> Message-ID: <0487446D-8BC0-4A84-B05B-07B8B28439CB@gmail.com> These are great! Thanks Leif On Feb 10, 2010, at 1:03 PM, Leif Sawyer wrote: > Here's some of my common aliases. top is the one that you'll probably use > > !# Global Aliases (should work on all platforms > ! > alias exec ifsum sho int sum | incl ^\*|Interface|: |------ > > alias exec sib show ip interface brief | exclude (down|unass) > alias exec sid show interface description | exclude (admin|unass) > > alias exec top sho proc cpu sort 5sec | excl 0.00% 0.00% 0.00% > > alias exec ip6 show ipv6 > > !# Cisco 3750 series, for qos asic monitoring > # the next line will wrap, so replace underscores with spaces > alias_exec_drops_show_platform_port-asic_stats_drop_|_excl_((e|s|:)_0|=|_Que|Statistics|Frames|^$) > privilege exec level 1 show platform port-asic stats drop > > > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Prall >> Sent: Wednesday, February 10, 2010 10:19 AM >> To: 'Andy B.'; 'Phil Mayers' >> Cc: 'nsp-cisco' >> Subject: Re: [c-nsp] Best practice - Core vs Access Router >> >> Andy, >> By excluding 0.00 your excluding those that have had 0.00 >> anywhere in the time list. Just use sort and look at the top >> few. Although most likely the same. >> >> If you have a number of large Ethernet subnets with few >> systems on them, then "sh ip arp" will contain a number of >> incompletes. 
>> If it is the entire subnet filled with incompletes then someone is looking for all of your systems and is most likely doing a ping sweep, then enabling "mls rate-limit unicast cef glean" will be worthwhile. These are both Adj Manager and ARP Input I believe.
>>
>> The other one is if you've run out of TCAM space, because you're over the limits with the number of routes you have. Don't know if you're running an XL or not.
>>
>> CPU doesn't look out of order currently. Need to capture it ongoing to see what process is pushing it to 24%, and even then it should still be forwarding traffic.
>>
>> You might need to look at the DFC's as well, to see if one is having issues:
>> Remote command module X sh proc cpu sort
>>
>> David
>>
>> --
>> http://dcp.dcptech.com
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy B.
>>> Sent: Wednesday, February 10, 2010 1:44 PM
>>> To: Phil Mayers
>>> Cc: nsp-cisco
>>> Subject: Re: [c-nsp] Best practice - Core vs Access Router
>>>
>>> I am currently facing this strange behaviour once again.
>>> Nothing suspicious in terms of CPU:
>>>
>>> #sh proc cpu sort | ex 0.00
>>> CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23%
>>>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>>>  123   823552748 891845755    923  1.35%  1.32%  1.24%   0 IP Input
>>>  142    42990360 548209142     78  0.63%  0.15%  0.06%   0 IP SNMP
>>>  176    81597832 313530395    260  0.63%  0.20%  0.12%   0 SNMP ENGINE
>>>  286    95557652  68837887   1388  0.31%  4.77%  4.27%   0 BGP Router
>>>   46        8724      6895   1265  0.31%  0.33%  0.24%   2 SSH Process
>>>  169    98755140   5844411  16897  0.31%  0.31%  0.31%   0 Adj Manager
>>>    9    92740444 222352412    417  0.23%  0.40%  0.41%   0 ARP Input
>>>  320    20411156 140247526    145  0.15%  1.64%  1.57%   0 BGP I/O
>>>  180    64470940  51288798   1257  0.15%  0.58%  0.44%   0 CEF process
>>>  167    27190044 390437731     69  0.15%  0.12%  0.10%   0 IPv6 Input
>>>
>>> #remote command switch sh proc cpu sort | ex 0.00
>>> CPU utilization for five seconds: 10%/0%; one minute: 14%; five minutes: 20%
>>>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>>>  102   577414400  14603714  39539  5.19%  2.76%  2.58%   0 Vlan Statistics
>>>   42 11702922242664309865      0  3.91%  3.83%  3.87%   0 slcp process
>>>  257    79620728  46604862   1708  0.23%  1.31%  0.92%   0 CEF process
>>>  152    24224440  35123075    689  0.15%  0.08%  0.07%   0 CEF LC Stats
>>>   33    29231032 224654615    130  0.15%  0.08%  0.07%   0 SCP Download Lis
>>>  131    39865856   1338254  29789  0.07%  0.08%  0.11%   0 TCAM Manager pro
>>>  127    37865260 135955648    278  0.07%  0.07%  0.07%   0 Spanning Tree
>>>  187    12366092   3103775   3984  0.07%  0.04%  0.05%   0 v6fib stat colle
>>>  239    11888108   8600338   1382  0.07%  0.04%  0.03%   0 LTL MGR cc
>>>
>>> Packet loss to the router (nothing behind it) is around 25%. And still losing random BGP and OSPF sessions. SNMP graphs are not being generated either.
>>>
>>> Currently feeling quite desperate, because I have no clue where to look next...
>>>
>>> Andy
>>>
>>> On Tue, Feb 9, 2010 at 6:56 PM, Phil Mayers wrote:
>>>> On 09/02/10 17:39, Church, Charles wrote:
>>>>>
>>>>> I was going by the 'show proc cpu hist' he gave for both the SP and RP. Both looked pretty bad across the board.
>>>>
>>>> His graphs don't look that dissimilar to mine, and we have no such problems. The peak/avg CPU don't look so unreasonable to me given the load and setup he's described.
>>>>
>>>> To summarise in this thread, it has been suggested:
>>>>
>>>> 1. Netflow is the problem - to which the OP said he's already tried disabling it
>>>>
>>>> 2. CPU punts, specifically gleans, are the problem - in which case CoPP or MLS rate limiters can be tried, but the OP really IMHO needs to confirm this with a span of the CPU
>>>>
>>>> 3. The 6500 is just no good buy a juniper or asr1k (!) which I strongly dispute. It may be awkward and have odd limits, but it OUGHT TO HANDLE the load we've been told about; therefore something is wrong
>>>>
>>>> ...and lots more besides. I'm exhausted from following the thread, but my advice to the OP is to determine what is hitting the CPU *during an outage*, then proceed from there.
>>>>
>>>> I'm going to stop reading now.
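The process table Andy posted in this thread is hard to read once the mail client has wrapped it, so here is an added Python example (not code from the thread or from Cisco) that parses a "show proc cpu sorted" dump, ranks the processes and works out how much of the one-minute load the listed processes do not explain. The sample table is reconstructed from his RP output, and the names in PUNT_PROCS are the processes David Prall associated with glean and ARP traffic.

```python
"""Summarise IOS 'show processes cpu sorted' output.

Added example, not code from the thread or from Cisco. Column widths
differ between platforms, so rows are matched by pattern rather than by
position; rows that IOS printed with two numeric columns fused together
(as in the SP table in the thread) are reported as unparsed instead of
being silently dropped.
"""
import re
from dataclasses import dataclass

# Constructed sample: the RP table from the thread with quote markers removed.
SAMPLE = """\
CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 123   823552748 891845755    923  1.35%  1.32%  1.24%   0 IP Input
 142    42990360 548209142     78  0.63%  0.15%  0.06%   0 IP SNMP
 176    81597832 313530395    260  0.63%  0.20%  0.12%   0 SNMP ENGINE
 286    95557652  68837887   1388  0.31%  4.77%  4.27%   0 BGP Router
  46        8724      6895   1265  0.31%  0.33%  0.24%   2 SSH Process
 169    98755140   5844411  16897  0.31%  0.31%  0.31%   0 Adj Manager
   9    92740444 222352412    417  0.23%  0.40%  0.41%   0 ARP Input
 320    20411156 140247526    145  0.15%  1.64%  1.57%   0 BGP I/O
 180    64470940  51288798   1257  0.15%  0.58%  0.44%   0 CEF process
 167    27190044 390437731     69  0.15%  0.12%  0.10%   0 IPv6 Input
"""

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"      # PID Runtime Invoked uSecs
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+"      # 5Sec 1Min 5Min
    r"(\d+)\s+(.+?)\s*$")                        # TTY Process


@dataclass
class Summary:
    five_sec_total: int      # first number of "7%/3%"
    five_sec_interrupt: int  # second number: interrupt-level switching
    one_min: int
    five_min: int


@dataclass
class Proc:
    pid: int
    five_sec: float
    one_min: float
    five_min: float
    name: str


def parse_proc_cpu(text):
    """Return (summary, processes, unparsed_rows) for one 'show proc cpu' dump."""
    summary, procs, unparsed = None, [], []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            summary = Summary(*(int(g) for g in m.groups()))
            continue
        m = ROW_RE.match(line)
        if m:
            g = m.groups()
            procs.append(Proc(int(g[0]), float(g[4]), float(g[5]), float(g[6]), g[8]))
        elif line.strip() and not line.lstrip().startswith("PID"):
            unparsed.append(line)  # e.g. fused Runtime/Invoked columns
    if summary is None:
        raise ValueError("no 'CPU utilization' header found")
    return summary, procs, unparsed


def top_processes(procs, n=3, column="one_min"):
    """Names of the n busiest processes by the chosen column."""
    ranked = sorted(procs, key=lambda p: getattr(p, column), reverse=True)
    return [p.name for p in ranked[:n]]


def unexplained_one_min(summary, procs):
    """Share of the one-minute load that no listed process accounts for.

    A large gap means the time went to interrupt-level (punted) switching or
    to processes hidden by a '| ex 0.00' filter; either way the table alone
    will not name the culprit, which is why the thread asks for a SPAN of the CPU.
    """
    return round(summary.one_min - sum(p.one_min for p in procs), 2)


# Processes the thread associates with glean/ARP punts.
PUNT_PROCS = {"IP Input", "ARP Input", "Adj Manager"}


def punt_related_one_min(procs):
    """One-minute CPU spent in the punt-handling processes."""
    return round(sum(p.one_min for p in procs if p.name in PUNT_PROCS), 2)


if __name__ == "__main__":
    s, ps, bad = parse_proc_cpu(SAMPLE)
    print("5s %d%% (interrupt %d%%), 1m %d%%" % (s.five_sec_total, s.five_sec_interrupt, s.one_min))
    print("top:", top_processes(ps))
    print("unexplained 1m:", unexplained_one_min(s, ps), "punt-related:", punt_related_one_min(ps))
    print("unparsed rows:", bad)
```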
From amsoares at netcabo.pt Wed Feb 10 18:05:55 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 10 Feb 2010 23:05:55 -0000
Subject: [c-nsp] WebVPN Issue
In-Reply-To: <003201caaaa1$0a9c4330$1fd4c990$@com>
References: <228953D7-1A44-4DF5-81D2-8EA1A6F3BDD4@iementor.com> <6D6176D9927649BDA2E3133781A145AF@int.convex.pt> <003201caaaa1$0a9c4330$1fd4c990$@com>
Message-ID: <1F027770303D4744BEA139DB10180A57@int.convex.pt>

The session of the 1st user remains up and the vpn routes are there. But in the router the route back to the user is removed. So in the user's perspective, connectivity is broken and he doesn't have an idea why.

Clearly a bug, don't you think ?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Tyson Scott [mailto:tscott at ipexpert.com]
Sent: Wednesday, February 10, 2010 22:33
To: 'Roman Rodichev'; 'Antonio Soares'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue

Actually it makes sense.
You have duplicate IP's and the router needs to decide which one is valid, which often will cause a network interrupt. Although it doesn't allow the second connection it is terminating the first to process to make a decision about the conflict. At least that is what I interpret what you are seeing to be.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott at ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

-----Original Message-----
From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of Roman Rodichev
Sent: Wednesday, February 10, 2010 12:28 PM
To: Antonio Soares
Cc: Farrukh Haroon; ; Cisco certification
Subject: Re: WebVPN Issue

Probably just a "feature" :)

Sent from my iPhone

On Feb 10, 2010, at 11:24 AM, "Antonio Soares" wrote:

> Yes, it works fine with local pool. In this case, the AC client gets a message saying "no address assigned".
>
> I was able to reproduce the problem in the meanwhile. It makes sense that the 2nd user is not able to establish the session but it doesn't make sense the 1st loses his connection.
>
> This seems a bug to me.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Roman Rodichev [mailto:romangs at iementor.com]
> Sent: Wednesday, February 10, 2010 17:03
> To: Antonio Soares
> Cc: Farrukh Haroon; ; Cisco certification
> Subject: Re: WebVPN Issue
>
> So that might be the problem. How can you assign a different IP from RADIUS for concurrent logins?
>
> It should work with local pool
>
> Sent from my iPhone
>
> On Feb 10, 2010, at 10:14 AM, "Antonio Soares" wrote:
>
>> Thank you both for your inputs. I still cannot share the config since i saw this in a production network and i'm still trying to reproduce it in the lab.
>>
>> But the "debug ip routing" says it all:
>>
>> 1) When user X connects, he gets ip=10.10.10.166
>>
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>>
>> 2) When another user tries the connection with the same user X:
>>
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>>
>> So the router deletes the route, adds it and removes it again. This explains the loss of connectivity.
>>
>> We have radius authentication and the radius server assigns a pre-defined ip to each user. So when the radius server sends the same ip, it seems the router gets confused.
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>> -----Original Message-----
>> From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of Farrukh Haroon
>> Sent: Wednesday, February 10, 2010 6:27
>> To: Antonio Soares
>> Cc: cisco-nsp at puck.nether.net; Cisco certification
>> Subject: Re: WebVPN Issue
>>
>> No it works fine for multiple users, we have it running. If you can post the sanitized config, I can have a look.
>>
>> Also check your 'show tcp brief' output to see if you have any stale connections there. We faced a similar issue, and putting 'service tcp-keepalives-in' fixed the issue (you may put 'out' as well)..
>>
>> We are running 12.4(15)Tx though.
>>
>> Regards
>>
>> Farrukh
>>
>> On Wed, Feb 10, 2010 at 4:55 AM, Antonio Soares wrote:
>>
>>> Hello group,
>>>
>>> I'm facing a strange issue with IOS Based WebVPN: when user X is connected and then another user uses the same user X, the second user is not able to connect but the first user loses connectivity. I have this with IOS 12.4.24T and AC 2.3.2016 running on a 2821. This is not expected behavior, right ?
>>>
>>> Thanks.
>>>
>>> Regards,
>>>
>>> Antonio Soares, CCIE #18473 (R&S/SP)
>>> amsoares at netcabo.pt

From lists at hojmark.org Wed Feb 10 18:07:59 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 11 Feb 2010 00:07:59 +0100
Subject: [c-nsp] rate-limit command not accepting ?
In-Reply-To:
References:
Message-ID: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>

On Wed, 10 Feb 2010 11:00:55 -0800, you wrote:

> DTCCAT-CORE01(config-if)# rate-limit input 2096000 128000 128000 conform-action transmit exceed-action drop
> ^
> % Invalid input detected at '^' marker.

The rate-limit command is not supported on Catalyst 6500. Use a policy-map with policing instead.

-A

From lmeade at signal.ca Wed Feb 10 20:10:35 2010
From: lmeade at signal.ca (Leslie Meade)
Date: Wed, 10 Feb 2010 17:10:35 -0800
Subject: [c-nsp] rate-limit command not accepting ?
In-Reply-To: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>
References: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>
Message-ID:

While I would have agreed with your comment, why is it that I am able to put the rate limit commands on failover 6509 ?
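The "debug ip routing" lines Antonio posted in the WebVPN thread above show a /32 being installed, withdrawn and installed again; the following added Python example (not code from the thread or from Cisco) replays such output and reports addresses that end up withdrawn after having been installed, which is how a duplicate RADIUS-assigned address shows up in a log. The second address in the sample, 10.10.10.167, is constructed for contrast.

```python
"""Detect route churn in IOS 'debug ip routing' output.

Added example, not code from the thread or from Cisco. Each 'add'/'del'
line is reduced to (vrf, address) and replayed in order, so an address
that ends up withdrawn after having been installed is reported with its
counts. The 'updating static' and 'delete subnet route' lines carry no
extra state for this purpose and are ignored.
"""
import re
from collections import OrderedDict

# Constructed sample: the VRF_X lines from the thread, plus one stable
# address (10.10.10.167, made up) to show that a clean add is not flagged.
SAMPLE = """\
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): add 10.10.10.167/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
"""

# 'del' lines print the address without its /32, so the prefix length is
# optional. Lines for the global table are assumed to start with a bare 'RT:'.
EVENT_RE = re.compile(
    r"^RT(?:\((?P<vrf>[^)]+)\))?: (?P<op>add|del) "
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})(?:/\d{1,2})?(?=\s)")


def route_events(text):
    """List of (vrf, op, address) in the order the router logged them."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group("vrf") or "global", m.group("op"), m.group("addr")))
    return events


def route_churn(text):
    """Per (vrf, address): number of adds, number of dels, and final state."""
    state = OrderedDict()
    for vrf, op, addr in route_events(text):
        s = state.setdefault((vrf, addr), {"adds": 0, "dels": 0, "installed": False})
        if op == "add":
            s["adds"] += 1
            s["installed"] = True
        else:
            s["dels"] += 1
            s["installed"] = False
    return state


def withdrawn_after_install(text, min_dels=1):
    """(vrf, address) pairs that were installed and are now gone again."""
    return [key for key, s in route_churn(text).items()
            if s["adds"] and s["dels"] >= min_dels and not s["installed"]]


if __name__ == "__main__":
    for key, s in route_churn(SAMPLE).items():
        print(key, s)
    print("withdrawn:", withdrawn_after_install(SAMPLE))
```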
From amsoares at netcabo.pt Wed Feb 10 20:14:11 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Thu, 11 Feb 2010 01:14:11 -0000
Subject: [c-nsp] WebVPN Issue
In-Reply-To: <003d01caaaae$a17b8a60$e4729f20$@com>
References: <228953D7-1A44-4DF5-81D2-8EA1A6F3BDD4@iementor.com> <6D6176D9927649BDA2E3133781A145AF@int.convex.pt> <003201caaaa1$0a9c4330$1fd4c990$@com> <1F027770303D4744BEA139DB10180A57@int.convex.pt> <003d01caaaae$a17b8a60$e4729f20$@com>
Message-ID:

Tyson,

TAC SR in progress. I will let you know what they will call this :)

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Tyson Scott [mailto:tscott at ipexpert.com]
Sent: Thursday, February 11, 2010 0:11
To: 'Antonio Soares'; 'Roman Rodichev'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue

Antonio,

It would be plausible that you could open a case with Cisco and call it a bug, or a feature enhancement, that if there is an IP conflict that it disconnects both sessions or refuses/ignores the radius attribute if it conflicts with an existing session; or gives an error message, but I wouldn't necessarily call that a bug. Typically I would classify a bug as a feature that does not operate as it should within normal conditions or expected error states. But that may be just me. More it sounds like a basic rule is being broken (assigning duplicate IP's) and adverse effects are happening from it. Currently there may not be an error check to handle the error state as you would hope.
Please don't take offense, I can see myself making the same mistake, but a networking rule 101 is being broken and sometimes you will have strange results from such. Much like spanning-tree loops or duplicate IP's on the network. Sometimes it takes intervention to fix the basic problems.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott at ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From junks2you at gmail.com Thu Feb 11 01:28:29 2010
From: junks2you at gmail.com (Junks2you)
Date: Thu, 11 Feb 2010 16:28:29 +1000
Subject: [c-nsp] High CPU a issue for voice traffic?
Message-ID: <4b73958c.0409c00a.1518.56b0@mx.google.com>

Hi Guys,

Currently we were hitting some high CPU issue. One of the 6509 with SUP720 standing in the core hiked to 96% very randomly in the past 72 hours or even longer. Write memory, SNMP, software switching could be the cause, we don't know yet. Everything seems working fine now. Although it now gets to normal level, am wondering if it could affect the voice calls (handled by Call manager 7) while the CPU usage reaches above 90%. Since we are not able to simulate this issue, I just hope it wouldn't be a 'bomb' there.

Simply speaking, is high CPU utilisation an issue affecting voice traffic passing through this core switch?

Thanks in advance for the input.

Bill.

From gregariouspearl at gmail.com Thu Feb 11 00:55:08 2010
From: gregariouspearl at gmail.com (MSZ)
Date: Thu, 11 Feb 2010 10:55:08 +0500
Subject: [c-nsp] rate-limit command not accepting ?
In-Reply-To:
References: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>
Message-ID: <44c523751002102155u1c46f358r6084601b992c175d@mail.gmail.com>

Try with the following

ip access-list extended IP-All
 permit ip any any [MATCH PREFIXES YOU WANT]

class-map match-all IP-All
 match access-group name IP-All

policy-map RATE
 class IP-All
  police cir 2096000 bc 128000 be 128000 conform-action set-dscp-transmit default exceed-action drop violate-action drop

int [Name]
 service-policy input RATE
 service-policy output RATE

Regards,
Salman Zahid

On Thu, Feb 11, 2010 at 6:10 AM, Leslie Meade wrote:
> While I would have agreed with your comment, why is it that I am able to put the rate limit commands on failover 6509 ?

--
You only live once, but if you work it right, once is enough......

From swnospam2 at yahoo.com Thu Feb 11 02:34:21 2010
From: swnospam2 at yahoo.com (Shing Wong)
Date: Wed, 10 Feb 2010 23:34:21 -0800 (PST)
Subject: [c-nsp] Cisco/Fibex 6732 Software
Message-ID: <771976.1633.qm@web65705.mail.ac4.yahoo.com>

Does anybody know where I can get the management software for the Cisco/Fibex 6732? I have had two of them in my warehouse for years, but I can't find the EMS discs for them.
From saku at ytti.fi Thu Feb 11 03:23:08 2010
From: saku at ytti.fi (Saku Ytti)
Date: Thu, 11 Feb 2010 10:23:08 +0200
Subject: [c-nsp] rate-limit command not accepting ?
In-Reply-To:
References: <62f6n51sqn97jjoamf3mq1a3p318f5chck@hojmark.net>
Message-ID: <20100211082308.GA7131@mx.ytti.net>

On (2010-02-10 17:10 -0800), Leslie Meade wrote:
> While I would have agreed with your comment, why is it that I am able to put the rate limit commands on failover 6509 ?

Are both running 'mls qos'? Anyhow, I'm not sure how interesting it is in the end of the day why you can't configure it, as it is not supported. VXR will happily accept this command, but it won't do anything there, at least since 12.2(25)S which was released like 2003 or so. I'd be very surprised if you've programmed anything in TCAM at all in the other box where it appears to be working.

--
++ytti

From rsm at fast-serv.com Thu Feb 11 11:15:40 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Thu, 11 Feb 2010 11:15:40 -0500
Subject: [c-nsp] ISSU on SXF -> SXI
Message-ID: <20100211160934.M57476@fast-serv.com>

Anyone successful with ISSU (SSO mode) with SXF -> SXI on a 6500 w/dual sup720-3bxl?

--
Randy

From pavel.skovajsa at gmail.com Thu Feb 11 12:01:51 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Thu, 11 Feb 2010 18:01:51 +0100
Subject: [c-nsp] ISSU on SXF -> SXI
In-Reply-To: <20100211160934.M57476@fast-serv.com>
References: <20100211160934.M57476@fast-serv.com>
Message-ID: <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com>

Hello Randy,

as far as I am aware the ISSU works only for SXI train onward. See http://www.cisco.com/web/DK/assets/docs/presentations/12233sxi_0109.pdf

-pavel

On Thu, Feb 11, 2010 at 5:15 PM, Randy McAnally wrote:
> Anyone successful with ISSU (SSO mode) with SXF -> SXI on a 6500 w/dual sup720-3bxl?
> --
> Randy

From globichen at gmail.com Thu Feb 11 12:50:50 2010
From: globichen at gmail.com (Andy B.)
Date: Thu, 11 Feb 2010 18:50:50 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B730502.3020700@bromirski.net>
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B730502.3020700@bromirski.net>
Message-ID:

> Are you still running SXF15a? David's advice was already - move to SXI to stay out of trouble, as SXF train is already EOS and will hit end of software maintenance by December 2011. If you need to stay by SXF go to SXF17 and then try to troubleshoot.

Okay, updated the box to SXI3 about 12 hours ago. Still the same issue though - losing BGP / OSPF sessions (hold time expired) and SNMP graphs again looking like crap.

> My first guess is - have you had any problems with TCAMs overflowing in the past? If so, in the nearest service window reload the box, to clean up the cache and TCAM contents. I'm only guessing that's your problem, but mysterious drops on the traffic with no process hinting high RP/SP CPU may be the issue here. As well as David noted - any errors/drops on the interfaces themselves.

Due to the IOS upgrade the box has been rebooted - so we can rule this out, I guess?

> Any CoPP configured on the box? mls rate-limiters?

no CoPP configured yet - shame on me, but sh proc CPU does not reveal any strange or unusual load.
mls rate-limiters:

mls rate-limit unicast cef glean 5000 10
mls rate-limit unicast ip rpf-failure 1000 10
mls rate-limit unicast ip icmp redirect 1000 10
mls rate-limit unicast ip icmp unreachable no-route 1000 10
mls rate-limit unicast ip icmp unreachable acl-drop 1000 10
mls rate-limit unicast ip errors 1000 10
mls rate-limit all ttl-failure 1000 10
mls rate-limit all mtu-failure 1000 10

One more thing I am guessing: I have two 6704s, te8/1-4 and te9/1-4. Some OSPFs are on one card, some on the others. The busy VLAN with a few thousand servers is also channeled on both cards. Would it be better to regroup the vlan to let's say te8/1-4 and everything that is backbone related (OSPF/IBGP) to te9/1-4? I am not sure if I am hitting any fabric limitations.

I really do not know where else to look at...

Andy

From mark.carter at imperial.ac.uk Thu Feb 11 13:21:34 2010
From: mark.carter at imperial.ac.uk (Carter, Mark R)
Date: Thu, 11 Feb 2010 18:21:34 +0000
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B730502.3020700@bromirski.net>
Message-ID: <323DE271DDCA6F4C989354B6113FE0302D85FA83A1@ICEXM1.ic.ac.uk>

Andy B. wrote
> I really do not know where else to look at...
>

If you haven't already, as Phil Mayers suggested, I would strongly recommend using a SPAN session to monitor the type and amount of traffic that is hitting the CPU: http://cisco.cluepon.net/index.php/6500_SPAN_the_RP

From saku at ytti.fi Thu Feb 11 13:37:08 2010
From: saku at ytti.fi (Saku Ytti)
Date: Thu, 11 Feb 2010 20:37:08 +0200
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B730502.3020700@bromirski.net>
Message-ID: <20100211183708.GA11693@mx.ytti.net>

On (2010-02-11 18:50 +0100), Andy B. wrote:
> mls rate-limit unicast cef glean 5000 10

This might be too high. We know that you lose packets in hold-queue, even when it is 4k, this means you are getting too many packets to software processing, more than the box can handle. It is an issue that needs to be fixed, whether it is the same issue which is causing packet loss and BGP/OSPF timeout, we can't tell. We also so far have seen from your output that the packets hitting hold-queue have been glean packets, with no example of other type of packets.

Now, best would be to ERSPAN the control-plane traffic to get more accurate results on what the bulk of the packets are. And/or you could decrease glean to much smaller value, maybe 500, maybe 100. You have to remember, that you don't break anything /existing/ with tight glean limit, you only delay /new/ hosts from coming up during the event (or attack).
--
++ytti

From rsm at fast-serv.com Thu Feb 11 14:48:04 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Thu, 11 Feb 2010 14:48:04 -0500
Subject: [c-nsp] ISSU on SXF -> SXI
In-Reply-To: <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com>
References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com>
Message-ID: <20100211194447.M88975@fast-serv.com>

Thanks for that information. What is the 'least problematic' method, step by step, to upgrade from SXF to SXI since I have dual sups? I can handle a single reboot but don't want to whack any config or cause the sups to lose redundancy or need multiple or extended downtimes.

--
Randy

From jshearer at amedisys.com Thu Feb 11 15:01:19 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Thu, 11 Feb 2010 14:01:19 -0600
Subject: [c-nsp] ISSU on SXF -> SXI
In-Reply-To: <20100211194447.M88975@fast-serv.com>
References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com>
Message-ID:

Just the rolling sup method. Upload new image to both sups, reload standby, reload primary.
The standby reload will be non-service impacting. The primary sup will be service impacting as SSO/NSF is not enabled with a version mismatch. Outage will vary based on features enabled.

Jason
Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. ***

From livio.zanol.puppim at gmail.com Thu Feb 11 20:18:00 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim) Date: Thu, 11 Feb 2010 23:18:00 -0200 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: Message-ID:

Brad, Can't I make "the cloud" with traditional switches (4948 for example)? As I've said before, my only concern is that I'll lose A LOT of access ports on Nexus 5000 that could be used by servers with 10GE/FCoE. Again, the only reasons you are giving me to use this design are "management facility" and vPC. So, putting it in a balance I see more losses than benefits. What's the big problem with connecting to another device to manage it? Is this really a big loss? It'll take 5 minutes more to make a service. I don't think that this is the best benefit of this design. I would really appreciate having all switches of the same series managed by the same program (Cisco DCNM); unfortunately I think we are going the other way. Losing 20 access interfaces isn't a good option for me... I'm not talking about a huge datacenter. I will only need 10 1G switches for the next years, so "big L2 domain" for me isn't too much trouble. If you could explain this problem better maybe I'd change my mind... I'm expecting that 10G (with FCoE) will dominate the server design, so my loss will be huge. I'll maintain 1Gbps only for backward compatibility (10 years? hehehe).
If Nexus 2000 could be attached directly to a Nexus 7000 (it is not quite difficult to make that work) the design would perfectly fit our needs... 2010/2/10 Jason Plank > Brad, > > You just made a terrible assumption. :) > > Jason > > >> Then you should post from your gmail account. > > > > What difference would that make? We're all adults here. > > > > > > Cheers, > > Brad > > > > > > -- > > Brad Hedlund, CCIE #5530 > > Technology Solutions Architect, Data Center > > bhedlund at cisco.com > > http://www.internetworkexpert.org > > > > -- > -- > Jason Plank > (CCIE #16560) > -- []'s Lívio Zanol Puppim

From rodunn at cisco.com Thu Feb 11 21:51:07 2010
From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 11 Feb 2010 21:51:07 -0500 Subject: [c-nsp] High CPU a issue for voice traffic? In-Reply-To: <4b73958c.0409c00a.1518.56b0@mx.google.com> References: <4b73958c.0409c00a.1518.56b0@mx.google.com> Message-ID: <4B74C21B.1050501@cisco.com>

On 2/11/10 1:28 AM, Junks2you wrote: > Hi Guys, > > Currently we are hitting a high CPU issue. One of the 6509s with SUP720 standing in the core spiked to 96 percent very randomly in the past 72 hours or even longer. Write memory, SNMP, software switching could be the cause, we don't know yet. Everything seems to be working fine now. Although it is now back to a normal level, I am wondering if it could affect the voice calls (handled by Call Manager 7) while the CPU usage reaches above 90%. Since we are not able to simulate this issue, I just hope it wouldn't be a 'bomb' there.
Simply speaking, is high CPU utilisation an issue affecting voice traffic passing through this core switch? > Yes and no... if your RP CPU gets to the point that your control plane comes down, all transit traffic will be impacted. You need to make sure you have the appropriate CoPP and mls rate limiters enabled. If the traffic is hardware switched ('distributed' in 'sh int stat') the high CPU on the RP is ok in short spikes... if it's high much of the time, you need to figure out why. Rodney > Thanks in advance for the input. > > Bill.

From tvarriale at comcast.net Fri Feb 12 00:42:52 2010
From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 11 Feb 2010 23:42:52 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer References: Message-ID: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01>

>----- Original Message ----- >From: "Livio Zanol Puppim" >To: "Jason Plank" >Cc: "Cisco NSP ((E-mail))'" >Sent: Thursday, February 11, 2010 7:18 PM >Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > >Brad, > >Can't I make "the cloud" with traditional switches (4948 for example)? You can call it what you'd like. >As I've said before, my only concern is that I'll lose A LOT of access >ports >on Nexus 5000 that could be used by servers with 10GE/FCoE. Ok, maybe I missed something. What are you trying to do? High density 1 gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k does that. >I'm expecting that 10G (with FCoE) will dominate the server design, so my >loss will be huge. It will be a large part of the future, no doubt. Your loss? >If Nexus 2000 could be attached directly to a Nexus 7000 (it is not quite >difficult to make that work) the design would perfectly fit our needs... As I've stated before, there is no if.
Not sure how many more times I have to say it... tv

From tvarriale at comcast.net Fri Feb 12 00:47:59 2010
From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 11 Feb 2010 23:47:59 -0600 Subject: [c-nsp] Best practice - Core vs Access Router References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B730502.3020700@bromirski.net> Message-ID: <32C080C83F444E96A7DBA952816D4343@flamdt01>

----- Original Message ----- From: "Andy B." To: "Lukasz Bromirski" Cc: "nsp-cisco" Sent: Thursday, February 11, 2010 11:50 AM Subject: Re: [c-nsp] Best practice - Core vs Access Router > I have two 6704s, te8/1-4 and te9/1-4. Some OSPFs are on one card, > some on the others. The busy VLAN with a few thousand servers is also > channeled on both cards. Would it be better to regroup the vlan to > let's say te8/1-4 and everything that is backbone related (OSPF/IBGP) > to te9/1-4. I am not sure if I am hitting any fabric limitations. > > I really do not know where else to look... > > Andy ----- Original Message ----- From: "Tony Varriale" To: "nsp-cisco" Sent: Wednesday, February 10, 2010 1:51 PM Subject: Re: [c-nsp] Best practice - Core vs Access Router > show ip traffic? Anything incrementing in there by a significant amount? > How fast do your drops/flushes increment? > > I assume these are 6704s without DFCs? If not, what are those ports? > > tv
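Rodney Dunn's reply in the high-CPU thread above says the RP is only safe under load if CoPP and the mls rate limiters are in place. The script below is an added example, not code from the thread or from Cisco: it audits a saved running-config for the two things he names (a service-policy on the control-plane, and `mls rate-limit` entries) and additionally flags a CoPP policy whose class-default is not policed, since that is the class that catches whatever the explicit classes miss. The three configs are constructed samples; the policy and class names (COPP, COPP-ROUTING) are arbitrary, and the police rates are illustrative, not recommended values.

```python
"""Audit a Catalyst 6500 running-config for control-plane protection.

Added example (not from the cisco-nsp thread).  Checks for a CoPP
service-policy on the control-plane, a policed class-default inside
that policy-map, and the presence of 'mls rate-limit' hardware limiters.
"""
import re


def config_blocks(config):
    """Yield (header, body) per top-level IOS block: an unindented line
    followed by its indented lines (stripped).  '!' and blanks are skipped."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def class_default_is_policed(policy_body):
    """True if 'class class-default' in a policy-map body carries a police line."""
    in_default = False
    for line in policy_body:
        if line.startswith("class "):
            in_default = line == "class class-default"
        elif in_default and line.startswith("police "):
            return True
    return False


def audit_copp(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    sections = dict(config_blocks(config))

    policy = None
    for line in sections.get("control-plane", []):
        m = re.match(r"service-policy input (\S+)$", line)
        if m:
            policy = m.group(1)
    if policy is None:
        findings.append("no CoPP: 'control-plane' has no 'service-policy input'")
    else:
        body = sections.get(f"policy-map {policy}")
        if body is None:
            findings.append(f"CoPP references undefined policy-map {policy}")
        elif not class_default_is_policed(body):
            findings.append(f"policy-map {policy}: class-default is not policed, "
                            "so unclassified punted traffic is unlimited")

    if not any(h.startswith("mls rate-limit ") for h in sections):
        findings.append("no 'mls rate-limit' hardware rate limiters configured")
    return findings


# Constructed sample: a core switch with no control-plane protection at all.
WEAK_CONFIG = """\
hostname core-6509
!
interface TenGigabitEthernet8/1
 ip address 192.0.2.1 255.255.255.252
!
end
"""

# Constructed sample: CoPP for routing protocols plus hardware rate limiters.
HARDENED_CONFIG = """\
hostname core-6509
!
mls rate-limit unicast cef receive 10000 100
mls rate-limit unicast ip icmp unreachable no-route 100 10
mls rate-limit all ttl-failure 100 10
!
ip access-list extended COPP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
!
policy-map COPP
 class COPP-ROUTING
  police 2000000 conform-action transmit exceed-action transmit
 class class-default
  police 100000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
end
"""

# Same config with the class-default policer removed: CoPP present but leaky.
LEAKY_CONFIG = HARDENED_CONFIG.replace(
    "  police 100000 conform-action transmit exceed-action drop\n", "")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("leaky", LEAKY_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, audit_copp(cfg) or "OK")
```

Run against a `show running-config` capture, the audit is a cheap gate to put in front of a change window: a box that fails it is the one whose RP spike will take the control plane, and with it transit traffic, down.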
From p.mayers at imperial.ac.uk Fri Feb 12 04:56:44 2010
From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 12 Feb 2010 09:56:44 +0000 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <20100211194447.M88975@fast-serv.com> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com> Message-ID: <4B7525DC.5020105@imperial.ac.uk>

On 02/11/2010 07:48 PM, Randy McAnally wrote: > Thanks for that information. > > What is the 'least problematic' method, step by step, to upgrade from SXF to > SXI since I have dual sups? I can handle a single reboot but don't want to > whack any config or cause the sups to lose redundancy or need multiple or > extended downtimes. Load the firmware onto both sups, change the boot statement, reload the standby sup and it will come up in RPR mode. Force a switchover; the new sup will finish booting and reload the linecards. We do this for almost all our software upgrades, and the outage is typically in the region of 90 seconds. There's nothing special in this regard about going to SXI - this is how we did it. It's worth noting that AFAICT ISSU requires the linecards to have sufficient RAM to pre-load the new IOS image, and many standard linecards e.g. 6748-SFP/DFC-3B do not, and will therefore not do a "fast" ISSU. It's also relevant that for ISSU the old and new images have to be "compatible" and I have my doubts how often that will be the case...
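Phil Mayers' procedure above has two steps that are easy to get subtly wrong before the reload: the image copied to both sups must be the one you think it is, and the boot statement must actually put the new image first, because IOS walks its `boot system` lines in order and boots the first one that loads, so merely appending a new line leaves the box reloading into the old image. The following is an added example, not code from the thread or from Cisco: a pre-reload check that hashes the image file against the vendor-published digest and parses the boot statements from a config capture. The image bytes, the digest, the file names (`old-image-SXF.bin`, `new-image-SXI.bin`) and the `sup-bootdisk:` device in the sample config are constructed placeholders.

```python
"""Pre-reload checks for a rolling-sup IOS upgrade (added example, not the
thread's or Cisco's code).  Verifies the image digest and that the first
'boot system' statement names the new image.  All sample data is constructed."""
import hashlib
import hmac
import os
import re
import tempfile

# Constructed stand-in for an IOS image and for its vendor-published digest.
SAMPLE_IMAGE = b"constructed stand-in for an IOS image, not a real binary\n" * 1000
PUBLISHED_SHA512 = hashlib.sha512(SAMPLE_IMAGE).hexdigest()

NEW_IMAGE = "new-image-SXI.bin"   # placeholder file names, not real image names
OLD_IMAGE = "old-image-SXF.bin"

# IOS tries 'boot system' statements in order, so a config that only appends
# the new image still reloads into the old one.
STALE_BOOT_CONFIG = f"""\
boot-start-marker
boot system flash sup-bootdisk:{OLD_IMAGE}
boot system flash sup-bootdisk:{NEW_IMAGE}
boot-end-marker
"""
FIXED_BOOT_CONFIG = f"""\
boot-start-marker
boot system flash sup-bootdisk:{NEW_IMAGE}
boot system flash sup-bootdisk:{OLD_IMAGE}
boot-end-marker
"""

BOOT_RE = re.compile(r"^boot system (?:flash )?([\w-]+):(\S+)\s*$", re.M)


def sha512_of_file(path, chunk=1 << 20):
    """Stream the file so a large image never has to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_matches(path, published_hex):
    """True only if the on-disk image hashes to the published digest."""
    return hmac.compare_digest(sha512_of_file(path).lower(),
                               published_hex.strip().lower())


def boot_statements(config):
    """Return [(device, filename), ...] in the order IOS will try them."""
    return [(m.group(1), m.group(2)) for m in BOOT_RE.finditer(config)]


def boots_new_image_first(config, image):
    """True if the highest-priority boot statement names the new image."""
    stmts = boot_statements(config)
    return bool(stmts) and stmts[0][1] == image


def write_sample_image(tampered=False):
    """Write the constructed image (plus one stray byte if tampered) to a temp file."""
    data = SAMPLE_IMAGE + (b"\x00" if tampered else b"")
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def preflight(image_path, published_hex, config, image_name):
    """Combine both gates; returns the problems found, empty when safe to reload."""
    problems = []
    if not image_matches(image_path, published_hex):
        problems.append("image digest does not match the published value")
    if not boots_new_image_first(config, image_name):
        problems.append("first 'boot system' statement does not point at the new image")
    return problems


if __name__ == "__main__":
    good = write_sample_image()
    print(preflight(good, PUBLISHED_SHA512, STALE_BOOT_CONFIG, NEW_IMAGE))
    print(preflight(good, PUBLISHED_SHA512, FIXED_BOOT_CONFIG, NEW_IMAGE))
```

Run `preflight` once per sup with the output of `show running-config | include boot system` and the image copied to that sup's flash; the digest comparison uses `hmac.compare_digest` out of habit rather than necessity here, since the digest is public, but it costs nothing.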
From jshearer at amedisys.com Fri Feb 12 07:20:50 2010
From: jshearer at amedisys.com (Jason Shearer) Date: Fri, 12 Feb 2010 06:20:50 -0600 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <4B7525DC.5020105@imperial.ac.uk> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com> <4B7525DC.5020105@imperial.ac.uk> Message-ID:

It is my understanding that ISSU will be supported for the same feature set in the same dev line. IE - Will work going from SXI to SXI3 but will not work going from SXI to SXJ. (I know J doesn't exist yet). Is this how everyone else understands ISSU? Any other known restrictions? Jason -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers Sent: Friday, February 12, 2010 3:57 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ISSU on SXF -> SXI On 02/11/2010 07:48 PM, Randy McAnally wrote: > Thanks for that information. > > What is the 'least problematic' method, step by step, to upgrade from SXF to > SXI since I have dual sups? I can handle a single reboot but don't want to > whack any config or cause the sups to lose redundancy or need multiple or > extended downtimes. Load the firmware onto both sups, change the boot statement, reload the standby sup and it will come up in RPR mode. Force a switchover; the new sup will finish booting and reload the linecards. We do this for almost all our software upgrades, and the outage is typically in the region of 90 seconds. There's nothing special in this regard about going to SXI - this is how we did it. It's worth noting that AFAICT ISSU requires the linecards to have sufficient RAM to pre-load the new IOS image, and many standard linecards e.g. 6748-SFP/DFC-3B do not, and will therefore not do a "fast" ISSU.
It's also relevant that for ISSU the old and new images have to be "compatible" and I have my doubts how often that will be the case...

From p.mayers at imperial.ac.uk Fri Feb 12 07:29:50 2010
From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 12 Feb 2010 12:29:50 +0000 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com> <4B7525DC.5020105@imperial.ac.uk> Message-ID: <4B7549BE.3010700@imperial.ac.uk>

On 12/02/10 12:20, Jason Shearer wrote: > It is my understanding that ISSU will be supported for the same feature set in the same dev line. > > IE - Will work going from SXI to SXI3 but will not work going from SXI to SXJ. (I know J doesn't exist yet). > > Is this how everyone else understands ISSU? Any other known restrictions? Sorry, yes - I'm confusing things. There are 3 scenarios: * The old and new image are not ISSU-compatible (different major releases or feature sets) - in which case an RPR upgrade is the best you can do.
* The old and new images are ISSU compatible, and the linecard software has not changed. In this case, the linecards do not need to be restarted, and downtimes of 0-3 seconds can be achieved because it's basically just an SSO switchover. * The old and new images are ISSU compatible but the linecard software is different, so the linecards need to be restarted into the new image - this can be a faster, warm boot (if the linecard has enough RAM) or a slower, cold boot (if not) I think that's about right?

From Kevin.Hatem at pgs.com Fri Feb 12 09:07:59 2010
From: Kevin.Hatem at pgs.com (Kevin Hatem) Date: Fri, 12 Feb 2010 08:07:59 -0600 Subject: [c-nsp] per-port price for 10G on c3750E Message-ID: <15D5002F61F31A45A82A153D2F739067B174799F75@HOUMS26.onshore.pgs.com>

What would be the cost per 10G port on a 3750E-48? It's simplified on a platform/line card with all 10G ports, but the 3750E has 48 1G ports and only 2 10G ports. Thanks. -kevin hatem This e-mail, including any attachments and response string, may contain proprietary information which is confidential and may be legally privileged. It is for the intended recipient only. If you are not the intended recipient or transmission error has misdirected this e-mail, please notify the author by return e-mail and delete this message and any attachment immediately. If you are not the intended recipient you must not use, disclose, distribute, forward, copy, print or rely on this e-mail in any way except as permitted by the author.

From arne.svennevik at met.no Fri Feb 12 09:28:34 2010
From: arne.svennevik at met.no (Arne Svennevik) Date: Fri, 12 Feb 2010 14:28:34 +0000 (UTC) Subject: [c-nsp] per-port price for 10G on c3750E In-Reply-To: <194792043.326972.1265984807691.JavaMail.root@imap1b> Message-ID: <1092136464.327007.1265984914413.JavaMail.root@imap1b>

I'd compare 3750G-48 to 3750E-48 to get an idea of the additional cost of the 10G ports.
Currently the difference is $5k in the global price list, but the actual price depends on a lot of factors. Check with your Cisco account team for accurate figures. Arne ----- Original Message ----- From: "Kevin Hatem" To: "cisco-nsp at puck.nether.net" Sent: 12 February 2010 15:07:59 Subject: [c-nsp] per-port price for 10G on c3750E What would be the cost per 10G port on a 3750E-48? It's simplified on a platform/line card with all 10G ports, but the 3750E has 48 1G ports and only 2 10G ports. Thanks. -kevin hatem

From rjs at eng.gxn.net Fri Feb 12 09:47:58 2010
From: rjs at eng.gxn.net (Rob Shakir) Date: Fri, 12 Feb 2010 14:47:58 +0000 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <4B7549BE.3010700@imperial.ac.uk> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com> <4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk> Message-ID: <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net>

On 12 Feb 2010, at 12:29, Phil Mayers wrote: > * The old and new image are not ISSU-compatible (different major releases or feature sets) - in which case an RPR upgrade is the best you can do.
> > * The old and new images are ISSU compatible, and the linecard software has not changed. In this case, the linecards do not need to be restarted, and downtimes of 0-3 seconds can be achieved because it's basically just an SSO switchover. > > * The old and new images are ISSU compatible but the linecard software is different, so the linecards need to be restarted into the new image - this can be a faster, warm boot (if the linecard has enough RAM) or a slower, cold boot (if not) > > I think that's about right? This seems quite accurate to me. Our experience of ISSU has been terrible. We've found multiple bugs related to it, and have found that -- in general -- we're much better off in terms of service disruption with a "classic" upgrade (upgrade secondary, reload peer, force failover, etc). Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet our requirements, and hence we are better off doing classic upgrades. We've taken their advice, and will not be trying it again. I think it's suited for deployments where you have 30+ boxes that are identical in terms of configuration, and hardware, but in the SP environment (like us), the variance of boxes means that it's just not worthwhile. 
Kind regards, Rob -- Rob Shakir Network Development Engineer GX Networks/Vialtus Solutions ddi: +44208 587 6077 mob: +44797 155 4098 pgp: 0xc07e6deb nic-hdl: RJS-RIPE This email is subject to: http://www.vialtus.com/disclaimer.html

From jshearer at amedisys.com Fri Feb 12 09:55:02 2010
From: jshearer at amedisys.com (Jason Shearer) Date: Fri, 12 Feb 2010 08:55:02 -0600 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com> <4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk> <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> Message-ID:

I haven't tried ISSU with our VSS pairs but this is about what I expected. Too many caveats to risk it, eh? Jason -----Original Message----- From: Rob Shakir [mailto:rjs at eng.gxn.net] Sent: Friday, February 12, 2010 8:48 AM To: Phil Mayers Cc: Jason Shearer; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ISSU on SXF -> SXI On 12 Feb 2010, at 12:29, Phil Mayers wrote: > * The old and new image are not ISSU-compatible (different major releases or feature sets) - in which case an RPR upgrade is the best you can do. > > * The old and new images are ISSU compatible, and the linecard software has not changed. In this case, the linecards do not need to be restarted, and downtimes of 0-3 seconds can be achieved because it's basically just an SSO switchover. > > * The old and new images are ISSU compatible but the linecard software is different, so the linecards need to be restarted into the new image - this can be a faster, warm boot (if the linecard has enough RAM) or a slower, cold boot (if not) > > I think that's about right? This seems quite accurate to me. Our experience of ISSU has been terrible.
We've found multiple bugs related to it, and have found that -- in general -- we're much better off in terms of service disruption with a "classic" upgrade (upgrade secondary, reload peer, force failover, etc). Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet our requirements, and hence we are better off doing classic upgrades. We've taken their advice, and will not be trying it again. I think it's suited for deployments where you have 30+ boxes that are identical in terms of configuration, and hardware, but in the SP environment (like us), the variance of boxes means that it's just not worthwhile. Kind regards, Rob -- Rob Shakir Network Development Engineer GX Networks/Vialtus Solutions ddi: +44208 587 6077 mob: +44797 155 4098 pgp: 0xc07e6deb nic-hdl: RJS-RIPE

From p.mayers at imperial.ac.uk Fri Feb 12 10:06:36 2010
From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 12 Feb 2010 15:06:36 +0000 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com> <4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk> <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> Message-ID: <4B756E7C.9060506@imperial.ac.uk>

On 12/02/10 14:47, Rob Shakir wrote: > > This seems quite accurate to me. > > Our experience of ISSU has been terrible. We've found multiple bugs > related to it, and have found that -- in general -- we're much better > off in terms of service disruption with a "classic" upgrade (upgrade > secondary, reload peer, force failover, etc). > > Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet > our requirements, and hence we are better off doing classic upgrades. > We've taken their advice, and will not be trying it again. I think As it happens I just did a "half-test" on one of our boxes where I did the "issu loadversion" so that I could see what it told me about outage times - and all kinds of horrific messages started spraying onto the console about missing ifindex values, IDB failures and so forth. I quickly did an "issu abortversion". Bah. Thanks a lot Cisco...

From livio.zanol.puppim at gmail.com Fri Feb 12 10:37:43 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim) Date: Fri, 12 Feb 2010 13:37:43 -0200 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> Message-ID:

Ok... Let's try again, more simplified. Using a DC topology with the Nexus family, I must have, for gigabit connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000.
Using the traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G ports on the Nexus 5000 for access. That's my only problem, losing ports on the 5000... Is it clear enough? Can you give me a good reason to use the first design? 2010/2/12 Tony Varriale > ----- Original Message ----- From: "Livio Zanol Puppim" < >> livio.zanol.puppim at gmail.com> >> To: "Jason Plank" >> Cc: "Cisco NSP ((E-mail))'" >> Sent: Thursday, February 11, 2010 7:18 PM >> >> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer >> >> > Brad, >> >> Can't I make "the cloud" with traditional switches (4948 for example)? >> > > You can call it what you'd like. > > > As I've said before, my only concern is that I'll lose A LOT of access >> ports >> on Nexus 5000 that could be used by servers with 10GE/FCoE. >> > > Ok, maybe I missed something. What are you trying to do? High density 1 > gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k does > that. > > > I'm expecting that 10G (with FCoE) will dominate the server design, so my >> loss will be huge. >> > > It will be a large part of the future, no doubt. Your loss? > > > If Nexus 2000 could be attached directly to a Nexus 7000 (it is not quite >> difficult to make that work) the design would perfectly fit our needs... >> > > As I've stated before, there is no if. Not sure how many more times I have > to say it...
> > tv > -- []'s Lívio Zanol Puppim

From rsm at fast-serv.com Fri Feb 12 10:41:51 2010
From: rsm at fast-serv.com (Randy McAnally) Date: Fri, 12 Feb 2010 10:41:51 -0500 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <4B756E7C.9060506@imperial.ac.uk> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com> <4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk> <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> <4B756E7C.9060506@imperial.ac.uk> Message-ID: <20100212154114.M76226@fast-serv.com>

Thanks for verifying my suspicions... ISSU just seemed 'too good to be true'. RPR mode upgrade it is... -- Randy ---------- Original Message ----------- From: Phil Mayers To: N/A Cc: "cisco-nsp at puck.nether.net" Sent: Fri, 12 Feb 2010 15:06:36 +0000 Subject: Re: [c-nsp] ISSU on SXF -> SXI > On 12/02/10 14:47, Rob Shakir wrote: > > > > This seems quite accurate to me. > > > > Our experience of ISSU has been terrible. We've found multiple bugs > > related to it, and have found that -- in general -- we're much better > > off in terms of service disruption with a "classic" upgrade (upgrade > > secondary, reload peer, force failover, etc). > > > > Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet > > our requirements, and hence we are better off doing classic upgrades. > > We've taken their advice, and will not be trying it again. I think > > As it happens I just did a "half-test" on one of our boxes where I > did the "issu loadversion" so that I could see what it told me about > outage times - and all kinds of horrific messages started spraying > onto the console about missing ifindex values, IDB failures and so forth.
> > I quickly did an "issu abortversion" > > Bah. Thanks a lot Cisco... ------- End of Original Message -------

From jshearer at amedisys.com Fri Feb 12 10:53:58 2010
From: jshearer at amedisys.com (Jason Shearer) Date: Fri, 12 Feb 2010 09:53:58 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> Message-ID:

Don't really need the 7K..... you can run your 10G trunks to an existing 6500 or something else to do L3. In the future you will supposedly be able to run your FEXs to the 7K and supposedly the next gen 5Ks will be able to do "more". I see the current topology as good for very large datacenters. Pair of 7Ks at the core, pairs of 5Ks at the end of the row and pairs of 2Ks in each rack. Very scalable design. Currently the Nexus is not for everyone. Jason -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Livio Zanol Puppim Sent: Friday, February 12, 2010 9:38 AM To: Tony Varriale Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer Ok... Let's try again, more simplified. Using a DC topology with the Nexus family, I must have, for gigabit connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. Using the traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G ports on the Nexus 5000 for access. That's my only problem, losing ports on the 5000... Is it clear enough? Can you give me a good reason to use the first design?
2010/2/12 Tony Varriale > ----- Original Message ----- From: "Livio Zanol Puppim" < >> livio.zanol.puppim at gmail.com> >> To: "Jason Plank" >> Cc: "Cisco NSP ((E-mail))'" >> Sent: Thursday, February 11, 2010 7:18 PM >> >> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer >> >> > Brad, >> >> Can't I make "the cloud" with traditional switches (4948 for example)? >> > > You can call it what you'd like. > > > As I've said before, my only concern is that I'll lose A LOT of access >> ports >> on Nexus 5000 that could be used by servers with 10GE/FCoE. >> > > Ok, maybe I missed something. What are you trying to do? High density 1 > gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k does > that. > > > I'm expecting that 10G (with FCoE) will dominate the server design, so my >> loss will be huge. >> > > It will be a large part of the future, no doubt. Your loss? > > > If Nexus 2000 could be attached directly to a Nexus 7000 (it is not quite >> difficult to make that work) the design would perfectly fit our needs... >> > > As I've stated before, there is no if. Not sure how many more times I have > to say it... > > tv > -- []'s Lívio Zanol Puppim

From samuelmenon at yahoo.com.br Fri Feb 12 11:04:18 2010
From: samuelmenon at yahoo.com.br (SAMUEL MENON) Date: Fri, 12 Feb 2010 08:04:18 -0800 (PST) Subject: [c-nsp] Res: ISSU on SXF -> SXI In-Reply-To: <20100212154114.M76226@fast-serv.com> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com> <20100211194447.M88975@fast-serv.com> <4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk> <7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> <4B756E7C.9060506@imperial.ac.uk> <20100212154114.M76226@fast-serv.com> Message-ID: <244047.94442.qm@web112618.mail.gq1.yahoo.com>

Hi, I have had good experiences with ISSU upgrading IOS from SRB4 to SRD1 or SRD3. I have done the procedure a few times without problems. The messages about missing ifindex values, IDB failures and others are normal during the procedure. I just found a bug ID when I had some problems while upgrading from IOS SRD3 to the SRE version. The workaround for the bug ID does not work either; the bug will be fixed in IOS SRD4, which will be available next month. I have a question for other people who do this procedure. At the beginning of the procedure we need to remove the efsu: no service image-version efsu Do we need to add the command "service image-version efsu" again? The procedure does not show whether we need to add the command line again or not.
Regards, ________________________________ From: Randy McAnally To: Phil Mayers Cc: "cisco-nsp at puck.nether.net" Sent: Friday, 12 February 2010 13:41:51 Subject: Re: [c-nsp] ISSU on SXF -> SXI Thanks for verifying my suspicions... ISSU just seemed 'too good to be true'. RPR mode upgrade it is... -- Randy ---------- Original Message ----------- From: Phil Mayers To: N/A Cc: "cisco-nsp at puck.nether.net" Sent: Fri, 12 Feb 2010 15:06:36 +0000 Subject: Re: [c-nsp] ISSU on SXF -> SXI > On 12/02/10 14:47, Rob Shakir wrote: > > > > This seems quite accurate to me. > > > > Our experience of ISSU has been terrible. We've found multiple bugs > > related to it, and have found that -- in general -- we're much better > > off in terms of service disruption with a "classic" upgrade (upgrade > > secondary, reload peer, force failover, etc). > > > > Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet > > our requirements, and hence we are better off doing classic upgrades. > > We've taken their advice, and will not be trying it again. I think > > As it happens I just did a "half-test" on one of our boxes where I > did the "issu loadversion" so that I could see what it told me about > outage times - and all kinds of horrific messages started spraying > onto the console about missing ifindex values, IDB failures and so forth. > > I quickly did an "issu abortversion" > > Bah. Thanks a lot Cisco...
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ ------- End of Original Message ------- _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ____________________________________________________________________________________ Veja quais s?o os assuntos do momento no Yahoo! +Buscados http://br.maisbuscados.yahoo.com From linux.yahoo at gmail.com Fri Feb 12 11:04:32 2010 From: linux.yahoo at gmail.com (Manu Chao) Date: Fri, 12 Feb 2010 17:04:32 +0100 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> Message-ID: <7100ed371002120804s7b2c65bv8abe6d1a1bb4745@mail.gmail.com> Is it a new Datacenter? On Fri, Feb 12, 2010 at 4:37 PM, Livio Zanol Puppim < livio.zanol.puppim at gmail.com> wrote: > Ok... > > Let's try again, more simplyfied. > > Using a DC topology with Nexus family, I must have, for gigabit > connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. > > Using traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G > ports from Nexus 5000 for access. > > That's my only problem, loosing ports com 5000... Is it clear enought? > > Can you give me a good reason to use the first design? > > 2010/2/12 Tony Varriale > > > ----- Original Message ----- From: "Livio Zanol Puppim" < > >> livio.zanol.puppim at gmail.com> > >> To: "Jason Plank" > >> Cc: "Cisco NSP ((E-mail))'" > >> Sent: Thursday, February 11, 2010 7:18 PM > >> > >> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > >> > >> > > Brad, > >> > >> Can?t I make ?the cloud? with traditional switches (4948 for example)? > >> > > > > You can call it what you'd like. 
> > > > > > As I?ve said before, my only concern is that I?ll loose A LOT of access > >> ports > >> on Nexus 5000 that could be used by servers with 10GE/FCoE. > >> > > > > Ok, maybe I missed something. What are you trying to do? High density 1 > > gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k > does > > that. > > > > > > I?m expecting that 10G(with FCoE) will dominate the servers design, so > my > >> loss will be huge. > >> > > > > It will be a large part of the future, no doubt. Your loss? > > > > > > f Nexux 2000 could be attached directly to an Nexus 7000 (it is not > quite > >> dfficult to make that works) the deisgn would perfect fit for our needs? > >> > > > > As I've stated before, there is no if. Not sure how many more times I > have > > to say it... > > > > tv > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > -- > []'s > > L?vio Zanol Puppim > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From lists at hojmark.org Fri Feb 12 11:13:16 2010 From: lists at hojmark.org (Asbjorn Hojmark - Lists) Date: Fri, 12 Feb 2010 17:13:16 +0100 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> Message-ID: <9avan5d6alsvcs919nmugogsdu6ct3mv89@hojmark.net> On Fri, 12 Feb 2010 13:37:43 -0200, you wrote: > Using a DC topology with Nexus family, I must have, for gigabit > connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. > > Using traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G > ports from Nexus 5000 for access. > > That's my only problem, loosing ports com 5000... Is it clear enought? 
> > Can you give me a good reason to use the first design? Well, the 10G ports on the N7K are more than twice as expensive as the 10G ports on the N5K. -A From livio.zanol.puppim at gmail.com Fri Feb 12 11:32:44 2010 From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim) Date: Fri, 12 Feb 2010 14:32:44 -0200 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> Message-ID: Now we're talking. Replies later 2010/2/12 > Given the pricing, I'd be more concerned about "losing ports" on the Nexus > 7000 than on the 5000. > > > A modest Nexus 7010 (two sups, four 32-port cards, two power supplies, LAN > software license) lists for just under US$400,000 using bundle pricing. > > That gets you 128 10Gb/s ports, oversubscribed 4:1. > > So, US$3125 per port (US$12,500 per non-blocking port). > > Those ports don't support the inexpensive twinax cables, so add another > US$3,600 to put SR optics on both ends of each link. > > The Nexus 5000 OTOH lists for about US$40,000 (dual power 5020 with 40 > ports and base license). US$1,000 per non-blocking port. And these ports > support the twinax cables ($150-$250 / cable) > > With optics (on both ends), N7K: $6,700 to $15,100 per port. > With twinax cables, N5K: $1,200 per port. > > And the N5K pricing gets even better when you price the bundle option with > 6 2148Ts, optics and twinax cables. > > If you have a requirement for several hundred 1Gb/s ports with no > oversubscription through the core, then the 5K might not be any help. > > /chris > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto: > cisco-nsp-bounces at puck.nether.net] On Behalf Of Livio Zanol Puppim > Sent: Friday, February 12, 2010 10:38 AM > To: Tony Varriale > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > > Ok... > > Let's try again, more simplyfied. 
> > Using a DC topology with Nexus family, I must have, for gigabit > connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. > > Using traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G > ports from Nexus 5000 for access. > > That's my only problem, loosing ports com 5000... Is it clear enought? > > Can you give me a good reason to use the first design? > > 2010/2/12 Tony Varriale > > > ----- Original Message ----- From: "Livio Zanol Puppim" < > >> livio.zanol.puppim at gmail.com> > >> To: "Jason Plank" > >> Cc: "Cisco NSP ((E-mail))'" > >> Sent: Thursday, February 11, 2010 7:18 PM > >> > >> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > >> > >> > > Brad, > >> > >> Can't I make "the cloud" with traditional switches (4948 for example)? > >> > > > > You can call it what you'd like. > > > > > > As I've said before, my only concern is that I'll loose A LOT of access > >> ports > >> on Nexus 5000 that could be used by servers with 10GE/FCoE. > >> > > > > Ok, maybe I missed something. What are you trying to do? High density 1 > > gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k > does > > that. > > > > > > I'm expecting that 10G(with FCoE) will dominate the servers design, so > my > >> loss will be huge. > >> > > > > It will be a large part of the future, no doubt. Your loss? > > > > > > f Nexux 2000 could be attached directly to an Nexus 7000 (it is not > quite > >> dfficult to make that works) the deisgn would perfect fit for our needs. > >> > > > > As I've stated before, there is no if. Not sure how many more times I > have > > to say it... 
> > > > tv > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > -- > []'s > > L?vio Zanol Puppim > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- []'s L?vio Zanol Puppim From tvarriale at comcast.net Fri Feb 12 12:11:58 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Fri, 12 Feb 2010 11:11:58 -0600 Subject: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer Message-ID: <7B1755456FCF43F08085463918FDE845@flamdt01> >----- Original Message ----- >From: Livio Zanol Puppim >To: Tony Varriale >Cc: cisco-nsp at puck.nether.net >Sent: Friday, February 12, 2010 9:37 AM >Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > >Ok... > >Let's try again, more simplyfied. > >Using a DC topology with Nexus family, I must have, for gigabit connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. Why not just plug directly into the 7k? It has 48 port 1g blades...tx and fiber. tv From livio.zanol.puppim at gmail.com Fri Feb 12 12:37:11 2010 From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim) Date: Fri, 12 Feb 2010 15:37:11 -0200 Subject: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <7B1755456FCF43F08085463918FDE845@flamdt01> References: <7B1755456FCF43F08085463918FDE845@flamdt01> Message-ID: I need 8 x 48 ports, and I do not want to use 4 modules at my Distribution/Core switches for this purpose. 
Also, this will bring a lot of cable complexity My planned core/distribution line cards: 2 supervisors, X fabrics, 2 10GbE 2010/2/12 Tony Varriale > > >----- Original Message ----- > >From: Livio Zanol Puppim > >To: Tony Varriale > >Cc: cisco-nsp at puck.nether.net > >Sent: Friday, February 12, 2010 9:37 AM > >Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > > > > >Ok... > > > >Let's try again, more simplyfied. > > > >Using a DC topology with Nexus family, I must have, for gigabit > connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. > > Why not just plug directly into the 7k? It has 48 port 1g blades...tx and > fiber. > > tv > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- []'s L?vio Zanol Puppim From livio.zanol.puppim at gmail.com Fri Feb 12 12:43:44 2010 From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim) Date: Fri, 12 Feb 2010 15:43:44 -0200 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <7100ed371002120804s7b2c65bv8abe6d1a1bb4745@mail.gmail.com> References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> <7100ed371002120804s7b2c65bv8abe6d1a1bb4745@mail.gmail.com> Message-ID: Yes. 2010/2/12 Manu Chao > Is it a new Datacenter? > > On Fri, Feb 12, 2010 at 4:37 PM, Livio Zanol Puppim < > livio.zanol.puppim at gmail.com> wrote: > >> Ok... >> >> Let's try again, more simplyfied. >> >> Using a DC topology with Nexus family, I must have, for gigabit >> connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. >> >> Using traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G >> ports from Nexus 5000 for access. >> >> That's my only problem, loosing ports com 5000... Is it clear enought? >> >> Can you give me a good reason to use the first design? 
>> >> 2010/2/12 Tony Varriale >> >> > ----- Original Message ----- From: "Livio Zanol Puppim" < >> >> livio.zanol.puppim at gmail.com> >> >> To: "Jason Plank" >> >> Cc: "Cisco NSP ((E-mail))'" >> >> Sent: Thursday, February 11, 2010 7:18 PM >> >> >> >> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer >> >> >> >> >> > Brad, >> >> >> >> Can?t I make ?the cloud? with traditional switches (4948 for example)? >> >> >> > >> > You can call it what you'd like. >> > >> > >> > As I?ve said before, my only concern is that I?ll loose A LOT of access >> >> ports >> >> on Nexus 5000 that could be used by servers with 10GE/FCoE. >> >> >> > >> > Ok, maybe I missed something. What are you trying to do? High density >> 1 >> > gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k >> does >> > that. >> > >> > >> > I?m expecting that 10G(with FCoE) will dominate the servers design, so >> my >> >> loss will be huge. >> >> >> > >> > It will be a large part of the future, no doubt. Your loss? >> > >> > >> > f Nexux 2000 could be attached directly to an Nexus 7000 (it is not >> quite >> >> dfficult to make that works) the deisgn would perfect fit for our >> needs? >> >> >> > >> > As I've stated before, there is no if. Not sure how many more times I >> have >> > to say it... 
>> > >> > tv >> > _______________________________________________ >> > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > >> >> >> >> -- >> []'s >> >> L?vio Zanol Puppim >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > -- []'s L?vio Zanol Puppim From paul at paulstewart.org Fri Feb 12 12:11:32 2010 From: paul at paulstewart.org (Paul Stewart) Date: Fri, 12 Feb 2010 12:11:32 -0500 Subject: [c-nsp] LAG Problem Cisco/Juniper Message-ID: <001901caac06$6d57eae0$4807c0a0$@org> Hey folks. I'm cross posting this so apologies if you are both lists. Trying to get a LAG group up between a Juniper EX4200 switch and a Cisco 7606 using a pair of GigE's - rush job etc.. can't get the group to come up and missing something obvious ;) Cisco: interface GigabitEthernet3/25 description ---------- switchport switchport access vlan 56 switchport mode access no cdp enable channel-protocol lacp channel-group 2 mode active interface GigabitEthernet3/37 description -------------- switchport switchport access vlan 56 switchport mode access no cdp enable channel-protocol lacp channel-group 2 mode active interface Port-channel2 description -------------- switchport switchport access vlan 56 switchport mode access end Juniper Side: ge-0/0/35 { description xxxxx-1; ether-options { 802.3ad ae0; } ge-0/0/47 { description xxxxxx-2; ether-options { 802.3ad ae0; } ae0 { aggregated-ether-options { minimum-links 1; link-speed 1g; lacp { passive; } } unit 0 { family ethernet-switching { port-mode access; vlan { members xxxxxx; } } } From livio.zanol.puppim at gmail.com Fri Feb 12 12:54:26 2010 From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim) Date: Fri, 12 Feb 2010 15:54:26 -0200 Subject: [c-nsp] Nexus 
2000 vs Catalyst 4948 for access layer In-Reply-To: References: <8565F64AAFCD406093D2E67941CBB3E3@flamdt01> Message-ID: Correcting my last e-mail: Actually, It's a new datacenter for existing servers and at the same time it must support new applications. Christopher, We are planning to use only Fiber Optics, no twinax cables. Also, I can't use 10G/FCoE at Nexus 7000. But you have a good argument. 2010/2/12 > Given the pricing, I'd be more concerned about "losing ports" on the Nexus > 7000 than on the 5000. > > > A modest Nexus 7010 (two sups, four 32-port cards, two power supplies, LAN > software license) lists for just under US$400,000 using bundle pricing. > > That gets you 128 10Gb/s ports, oversubscribed 4:1. > > So, US$3125 per port (US$12,500 per non-blocking port). > > Those ports don't support the inexpensive twinax cables, so add another > US$3,600 to put SR optics on both ends of each link. > > The Nexus 5000 OTOH lists for about US$40,000 (dual power 5020 with 40 > ports and base license). US$1,000 per non-blocking port. And these ports > support the twinax cables ($150-$250 / cable) > > With optics (on both ends), N7K: $6,700 to $15,100 per port. > With twinax cables, N5K: $1,200 per port. > > And the N5K pricing gets even better when you price the bundle option with > 6 2148Ts, optics and twinax cables. > > If you have a requirement for several hundred 1Gb/s ports with no > oversubscription through the core, then the 5K might not be any help. > > /chris > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto: > cisco-nsp-bounces at puck.nether.net] On Behalf Of Livio Zanol Puppim > Sent: Friday, February 12, 2010 10:38 AM > To: Tony Varriale > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > > Ok... > > Let's try again, more simplyfied. > > Using a DC topology with Nexus family, I must have, for gigabit > connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. 
> > Using traditional way I can have Catalyst 4948 -> Nexus 7000, saving 10G > ports from Nexus 5000 for access. > > That's my only problem, loosing ports com 5000... Is it clear enought? > > Can you give me a good reason to use the first design? > > 2010/2/12 Tony Varriale > > > ----- Original Message ----- From: "Livio Zanol Puppim" < > >> livio.zanol.puppim at gmail.com> > >> To: "Jason Plank" > >> Cc: "Cisco NSP ((E-mail))'" > >> Sent: Thursday, February 11, 2010 7:18 PM > >> > >> Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > >> > >> > > Brad, > >> > >> Can't I make "the cloud" with traditional switches (4948 for example)? > >> > > > > You can call it what you'd like. > > > > > > As I've said before, my only concern is that I'll loose A LOT of access > >> ports > >> on Nexus 5000 that could be used by servers with 10GE/FCoE. > >> > > > > Ok, maybe I missed something. What are you trying to do? High density 1 > > gig? 5k does that (with 2k). Cheap and layer 2 high density 10g? 5k > does > > that. > > > > > > I'm expecting that 10G(with FCoE) will dominate the servers design, so > my > >> loss will be huge. > >> > > > > It will be a large part of the future, no doubt. Your loss? > > > > > > f Nexux 2000 could be attached directly to an Nexus 7000 (it is not > quite > >> dfficult to make that works) the deisgn would perfect fit for our needs. > >> > > > > As I've stated before, there is no if. Not sure how many more times I > have > > to say it... 
> > > > tv > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > -- > []'s > > L?vio Zanol Puppim > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- []'s L?vio Zanol Puppim From BBlackford at nwresd.k12.or.us Fri Feb 12 13:03:19 2010 From: BBlackford at nwresd.k12.or.us (Bill Blackford) Date: Fri, 12 Feb 2010 10:03:19 -0800 Subject: [c-nsp] LAG Problem Cisco/Juniper In-Reply-To: <001901caac06$6d57eae0$4807c0a0$@org> References: <001901caac06$6d57eae0$4807c0a0$@org> Message-ID: <6069A203FD01884885C037F81DD750801742DA1274@wsc-mail-01.intra.nwresd.k12.or.us> I'm not an expert on this subject, but I do notice you don't have a 'chassis' stanza. Also, each physical interface should probably have the spped forced as well. The flowing works for my LAGs. Obviously, I'm using port-mode trunk on mine chassis { aggregated-devices { ethernet { device-count 2; ge-0/0/46 { ether-options { speed { 1g; } 802.3ad ae0; } } ge-0/0/47 { ether-options { speed { 1g; } 802.3ad ae0; ae0 { aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } native-vlan-id 1; -b -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart Sent: Friday, February 12, 2010 9:12 AM To: cisco-nsp at puck.nether.net Cc: juniper-nsp at puck.nether.net Subject: [c-nsp] LAG Problem Cisco/Juniper Hey folks. I'm cross posting this so apologies if you are both lists. Trying to get a LAG group up between a Juniper EX4200 switch and a Cisco 7606 using a pair of GigE's - rush job etc.. 
can't get the group to come up and missing something obvious ;) Cisco: interface GigabitEthernet3/25 description ---------- switchport switchport access vlan 56 switchport mode access no cdp enable channel-protocol lacp channel-group 2 mode active interface GigabitEthernet3/37 description -------------- switchport switchport access vlan 56 switchport mode access no cdp enable channel-protocol lacp channel-group 2 mode active interface Port-channel2 description -------------- switchport switchport access vlan 56 switchport mode access end Juniper Side: ge-0/0/35 { description xxxxx-1; ether-options { 802.3ad ae0; } ge-0/0/47 { description xxxxxx-2; ether-options { 802.3ad ae0; } ae0 { aggregated-ether-options { minimum-links 1; link-speed 1g; lacp { passive; } } unit 0 { family ethernet-switching { port-mode access; vlan { members xxxxxx; } } } _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jshearer at amedisys.com Fri Feb 12 13:17:01 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Fri, 12 Feb 2010 12:17:01 -0600 Subject: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: References: <7B1755456FCF43F08085463918FDE845@flamdt01> Message-ID: Sounds like you need to wait a bit. Talk to you Cisco account team regarding the support for FEXs landing on the 7K. I know it was a rumored feature as many customers have been requesting it. Jason -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Livio Zanol Puppim Sent: Friday, February 12, 2010 11:37 AM To: Tony Varriale Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer I need 8 x 48 ports, and I do not want to use 4 modules at my Distribution/Core switches for this purpose. 
Also, this will bring a lot of cable complexity My planned core/distribution line cards: 2 supervisors, X fabrics, 2 10GbE 2010/2/12 Tony Varriale > > >----- Original Message ----- > >From: Livio Zanol Puppim > >To: Tony Varriale > >Cc: cisco-nsp at puck.nether.net > >Sent: Friday, February 12, 2010 9:37 AM > >Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > > > > >Ok... > > > >Let's try again, more simplyfied. > > > >Using a DC topology with Nexus family, I must have, for gigabit > connectivity, Nexus 2000 -> Nexus 5000 -> Nexus 7000. > > Why not just plug directly into the 7k? It has 48 port 1g blades...tx and > fiber. > > tv > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- []'s L?vio Zanol Puppim _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ *** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. 
*** From tvarriale at comcast.net Fri Feb 12 16:05:53 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Fri, 12 Feb 2010 15:05:53 -0600 Subject: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer References: <7B1755456FCF43F08085463918FDE845@flamdt01> Message-ID: <2ED12D8009DC41579933CDD0C958C667@flamdt01> ----- Original Message ----- From: Livio Zanol Puppim To: Tony Varriale Cc: cisco-nsp at puck.nether.net Sent: Friday, February 12, 2010 11:37 AM Subject: Re: [c-nsp] Fw: Nexus 2000 vs Catalyst 4948 for access layer I need 8 x 48 ports, and I do not want to use 4 modules at my Distribution/Core switches for this purpose. Also, this will bring a lot of cable complexity My planned core/distribution line cards: 2 supervisors, X fabrics, 2 10GbE Ok, so use another switch(es) (6500 or something) or wait until the 2k is supported on the 7k. You don't have to use the 2ks. You have 5 different options here. Pick one. tv From cisco-nsp at slepicka.net Fri Feb 12 16:12:25 2010 From: cisco-nsp at slepicka.net (James Slepicka) Date: Fri, 12 Feb 2010 15:12:25 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer In-Reply-To: <4B62229D.1080002@inex.ie> References: <4B62229D.1080002@inex.ie> Message-ID: <4B75C439.4060202@slepicka.net> >>- does not support 10/100, only 1000 sigh... I just got bit by this one again trying to install a vendor-provided server with 10/100 interfaces only. Nick Hilliard wrote: > On 28/01/2010 20:54, Livio Zanol Puppim wrote: > >> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst >> 4948 as access layers switches? >> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that >> could be used by servers with 10GbE/FCoE servers. >> > > the current generation of n2k: > > - does not support 10/100, only 1000 > - has serious etherchannel limitations > - no netflow > - no rspan / erspan > > It's an interesting switch which should improve lots in the next generation > of hardware. 
But right now, it is very specifically aimed at a particular > niche. For that niche, it will perform very well indeed, but it's not > really a general purpose access switch. > > wrt NX-OS vs. IOS, they are two different systems. NX-OS is very young in > its development cycle; IOS is much more mature and has many more features. > > Nick > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jshearer at amedisys.com Fri Feb 12 16:59:46 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Fri, 12 Feb 2010 15:59:46 -0600 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD302B98245@kenya.tronet.as> References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f3 23sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B 7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk><7DE10E64-A4BE -4AE3-9345-456D41768947@eng.gxn.net> <6B43981C32F8464CB24CEE209DA32BD302B98245@kenya.tronet.as> Message-ID: Cool. I might have to try SXI to SXI3 on a sacrificial chassis. Jason -----Original Message----- From: Daniska, Tomas [mailto:tomas at soitron.com] Sent: Friday, February 12, 2010 3:57 PM To: Jason Shearer; Rob Shakir; Phil Mayers Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] ISSU on SXF -> SXI I have experienced ISSU SXI2 to SXI2a on four VSSs, worked liked a charm, two times a second or so blackout. But then, 2->2a is nothing major... -- deejay > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jason Shearer > Sent: Friday, February 12, 2010 3:55 PM > To: Rob Shakir; Phil Mayers > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ISSU on SXF -> SXI > > I haven't tried ISSU with our VSS pairs but this is about what I > expected. 
Too many caveats to risk it, eh? > > Jason > > -----Original Message----- > From: Rob Shakir [mailto:rjs at eng.gxn.net] > Sent: Friday, February 12, 2010 8:48 AM > To: Phil Mayers > Cc: Jason Shearer; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ISSU on SXF -> SXI > > > On 12 Feb 2010, at 12:29, Phil Mayers wrote: > > > * The old and new image are not ISSU-compatible (different major > releases or feature sets) - in which case an RPR upgrade is the best > you can do. > > > > * The old and new images are ISSU compatible, and the linecard > software has not changed. In this case, the linecards do not need to be > restarted, and downtimes of 0-3 seconds can be achieved because it's > basically just an SSO switchover. > > > > * The old and new images are ISSU compatible but the linecard > software is different, so the linecards need to be restarted into the > new image - this can be a faster, warm boot (if the linecard has enough > RAM) or a slower, cold boot (if not) > > > > I think that's about right? > > This seems quite accurate to me. > > Our experience of ISSU has been terrible. We've found multiple bugs > related to it, and have found that -- in general -- we're much better > off in terms of service disruption with a "classic" upgrade (upgrade > secondary, reload peer, force failover, etc). > > Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet > our requirements, and hence we are better off doing classic upgrades. > We've taken their advice, and will not be trying it again. I think it's > suited for deployments where you have 30+ boxes that are identical in > terms of configuration, and hardware, but in the SP environment (like > us), the variance of boxes means that it's just not worthwhile. 
> > > Kind regards, > Rob > > -- > Rob Shakir > Network Development Engineer GX Networks/Vialtus Solutions > ddi: +44208 587 6077 mob: +44797 155 4098 > pgp: 0xc07e6deb nic-hdl: RJS-RIPE > > This email is subject to: http://www.vialtus.com/disclaimer.html > > > *** NOTICE--The attached communication contains privileged and > confidential information. If you are not the intended recipient, DO NOT > read, copy, or disseminate this communication. Non-intended recipients > are hereby placed on notice that any unauthorized disclosure, > duplication, distribution, or taking of any action in reliance on the > contents of these materials is expressly prohibited. If you have > received this communication in error, please delete this information in > its entirety and contact the Amedisys Privacy Hotline at 1-866-518- > 6684. Also, please immediately notify the sender via e-mail that you > have received this communication in error. *** > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ *** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. 
*** From tomas at soitron.com Fri Feb 12 16:57:29 2010 From: tomas at soitron.com (Daniska, Tomas) Date: Fri, 12 Feb 2010 22:57:29 +0100 Subject: [c-nsp] ISSU on SXF -> SXI In-Reply-To: References: <20100211160934.M57476@fast-serv.com> <323aca891002110901k6206f323sd72ae70a2a1b4344@mail.gmail.com><20100211194447.M88975@fast-serv.com><4B7525DC.5020105@imperial.ac.uk> <4B7549BE.3010700@imperial.ac.uk><7DE10E64-A4BE-4AE3-9345-456D41768947@eng.gxn.net> Message-ID: <6B43981C32F8464CB24CEE209DA32BD302B98245@kenya.tronet.as> I have experienced ISSU SXI2 to SXI2a on four VSSs, worked liked a charm, two times a second or so blackout. But then, 2->2a is nothing major... -- deejay > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jason Shearer > Sent: Friday, February 12, 2010 3:55 PM > To: Rob Shakir; Phil Mayers > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ISSU on SXF -> SXI > > I haven't tried ISSU with our VSS pairs but this is about what I > expected. Too many caveats to risk it, eh? > > Jason > > -----Original Message----- > From: Rob Shakir [mailto:rjs at eng.gxn.net] > Sent: Friday, February 12, 2010 8:48 AM > To: Phil Mayers > Cc: Jason Shearer; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ISSU on SXF -> SXI > > > On 12 Feb 2010, at 12:29, Phil Mayers wrote: > > > * The old and new image are not ISSU-compatible (different major > releases or feature sets) - in which case an RPR upgrade is the best > you can do. > > > > * The old and new images are ISSU compatible, and the linecard > software has not changed. In this case, the linecards do not need to be > restarted, and downtimes of 0-3 seconds can be achieved because it's > basically just an SSO switchover. 
> > * The old and new images are ISSU compatible but the linecard software is different, so the linecards need to be restarted into the new image - this can be a faster, warm boot (if the linecard has enough RAM) or a slower, cold boot (if not)
> >
> > I think that's about right?
>
> This seems quite accurate to me.
>
> Our experience of ISSU has been terrible. We've found multiple bugs related to it, and have found that -- in general -- we're much better off in terms of service disruption with a "classic" upgrade (upgrade secondary, reload peer, force failover, etc).
>
> Cisco advised us that it is unlikely that ISSU on 7600/6500 will meet our requirements, and hence we are better off doing classic upgrades. We've taken their advice, and will not be trying it again. I think it's suited for deployments where you have 30+ boxes that are identical in terms of configuration, and hardware, but in the SP environment (like us), the variance of boxes means that it's just not worthwhile.
>
>
> Kind regards,
> Rob
>
> --
> Rob Shakir
> Network Development Engineer GX Networks/Vialtus Solutions
> ddi: +44208 587 6077 mob: +44797 155 4098
> pgp: 0xc07e6deb nic-hdl: RJS-RIPE
>
> This email is subject to: http://www.vialtus.com/disclaimer.html
From m_attia100100 at hotmail.com Fri Feb 12 23:17:31 2010
From: m_attia100100 at hotmail.com (mohamed attia)
Date: Sat, 13 Feb 2010 04:17:31 +0000
Subject: [c-nsp] SNMP process 45%
Message-ID:

Hi,

Can anyone help me? I noticed that our Cisco VXR 7200 has process at 100%, and after checking I detected that SNMP ENGINE only reaches 45%.

CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 231     4428660   3798727       1165 46.12% 45.46% 44.28%   0 SNMP ENGINE
  73   198346604 837505469        236  0.55%  0.52%  0.56%   0 IP Input
 245   278646264 832638396        334  0.47%  0.40%  0.40%   0 BGP Router

Best Regards,
-----------------------------------
Eng. : Mohamed Attia
Tel: +2 010 2039799

_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
http://clk.atdmt.com/GBL/go/201469230/direct/01/

From randy_94108 at yahoo.com Fri Feb 12 23:29:03 2010
From: randy_94108 at yahoo.com (Randy)
Date: Fri, 12 Feb 2010 20:29:03 -0800 (PST)
Subject: [c-nsp] SNMP process 45%
In-Reply-To:
Message-ID: <547525.60704.qm@web80508.mail.mud.yahoo.com>

"sh proc cpu sorted" is your friend. Output will be *sorted* from most (SNMP, in this case) to least. Add up the utils of the first few and you will be able to account for the remaining 55%.
From m_attia100100 at hotmail.com Fri Feb 12 23:39:34 2010
From: m_attia100100 at hotmail.com (mohamed attia)
Date: Sat, 13 Feb 2010 04:39:34 +0000
Subject: [c-nsp] SNMP process 45%
In-Reply-To: <547525.60704.qm@web80508.mail.mud.yahoo.com>
References: , <547525.60704.qm@web80508.mail.mud.yahoo.com>
Message-ID:

Hi Randy,

Thanks for your help, but the output below is from show process cpu sorted, as you mentioned.

But I am still facing the same problem.

Best Regards,
-----------------------------------
Eng. : Mohamed Attia
Tel: +2 010 2039799

Date: Fri, 12 Feb 2010 20:29:03 -0800
From: randy_94108 at yahoo.com
Subject: Re: [c-nsp] SNMP process 45%
To: cisco-nsp at puck.nether.net; m_attia100100 at hotmail.com

> "sh proc cpu sorted" is your friend. Output will be *sorted* from most (SNMP, in this case) to least. Add up the utils of the first few and you will be able to account for the remaining 55%.
_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
http://clk.atdmt.com/GBL/go/201469229/direct/01/

From sethm at rollernet.us Sat Feb 13 01:05:29 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 12 Feb 2010 22:05:29 -0800
Subject: [c-nsp] SNMP process 45%
In-Reply-To:
References: , <547525.60704.qm@web80508.mail.mud.yahoo.com>
Message-ID: <4B764129.9030203@rollernet.us>

On 2/12/10 8:39 PM, mohamed attia wrote:
> hi randy,
>
> thanks for your help but the show below is show process cpu sorted as you mentioned.
>
> but i still facing the same problem.
>

Is someone flooding your SNMP? Do you have an ACL on SNMP?

~Seth

From illcritikz at gmail.com Sat Feb 13 06:20:50 2010
From: illcritikz at gmail.com (bjs)
Date: Sat, 13 Feb 2010 22:20:50 +1100
Subject: [c-nsp] SNMP process 45%
In-Reply-To:
References:
Message-ID: <4422cf661002130320g243ebc5ax51161ba3f7ba0dd8@mail.gmail.com>

Is it that you don't understand why your CPU is at 100% when SNMP is only chewing 45% and the other processes don't make up the difference? Just to clear it up in case that is your question...
Your "sh proc cpu sort" looks like:

CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: 99%

So the 5 second interval "99%/49%" is saying you are using 99% of the CPU, of which 49% is at interrupt (i.e. your normal CEF switched traffic); you have a remaining 50% being used by processes as seen in the list:

 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 231     4428660   3798727       1165 46.12% 45.46% 44.28%   0 SNMP ENGINE
  73   198346604 837505469        236  0.55%  0.52%  0.56%   0 IP Input
 245   278646264 832638396        334  0.47%  0.40%  0.40%   0 BGP Router

So I'm sure if you added up all your processes there you would find it equals that 50%.

Now given your 1 and 5 minute CPU utilization is at 99%, and more specifically your "SNMP ENGINE" process is at ~45% for the 5 min avg, your real problem here (as other people have mentioned) is SNMP; you need to check out what devices are polling your router and sort it out.

Once you resolve the SNMP issue you can expect the CPU to drop to around 50-55%.

bjs

On Sat, Feb 13, 2010 at 3:17 PM, mohamed attia wrote:
> Hi,
>
> can any one help me as i noticed that our cisco VXR 7200 have process 100% and after checking i detect that SNMP ENGINE only reach to 45%.
From BBlackford at nwresd.k12.or.us Sat Feb 13 10:29:48 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Sat, 13 Feb 2010 07:29:48 -0800
Subject: [c-nsp] SNMP process 45%
In-Reply-To: <4422cf661002130320g243ebc5ax51161ba3f7ba0dd8@mail.gmail.com>
References: , <4422cf661002130320g243ebc5ax51161ba3f7ba0dd8@mail.gmail.com>
Message-ID: <6069A203FD01884885C037F81DD750801742DCDDB7@wsc-mail-01.intra.nwresd.k12.or.us>

What is being polled is something to look at. I had an SNMP poller getting the route table and at a couple of full feeds, that seemed to be enough to add a high CPU load. (C7600/RSP720)

I can second the ACL to limit who can poll.

-b
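The arithmetic bjs walks through by hand (total CPU, minus the interrupt share, minus the listed processes) is easy to get wrong when the paste is truncated or a poller hits hundreds of routers. The following is an added example, not code from anyone in this thread: a small parser for IOS "show processes cpu sorted" output that reconciles the header line with the process rows and flags any process carrying a large 5-minute average. The sample input is the output quoted in the thread, embedded here so the script runs offline; the 25% threshold is an assumed default.

```python
import re

# Constructed sample: the "show processes cpu sorted" output quoted in
# the thread, embedded so the example runs without a router.
SAMPLE = """\
CPU utilization for five seconds: 99%/49%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 231     4428660   3798727       1165 46.12% 45.46% 44.28%   0 SNMP ENGINE
  73   198346604 837505469        236  0.55%  0.52%  0.56%   0 IP Input
 245   278646264 832638396        334  0.47%  0.40%  0.40%   0 BGP Router
"""

# "99%/49%": total 5-second utilisation, then the part spent at interrupt level.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
# PID, runtime, invoked, usecs, three percentages, TTY, then the process name.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")


def parse_show_proc_cpu(text):
    """Return (summary, rows) for IOS 'show processes cpu' output."""
    summary = None
    rows = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total5, intr5, avg1, avg5 = (int(x) for x in m.groups())
            summary = {"total_5s": total5, "interrupt_5s": intr5,
                       "process_5s": total5 - intr5,   # what the process list must explain
                       "avg_1m": avg1, "avg_5m": avg5}
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append({"pid": int(m.group(1)),
                         "five_sec": float(m.group(5)),
                         "one_min": float(m.group(6)),
                         "five_min": float(m.group(7)),
                         "name": m.group(9)})
    if summary is None:
        raise ValueError("no 'CPU utilization' header found")
    return summary, rows


def account_for_cpu(text, threshold=25.0):
    """Split total CPU into interrupt and process shares, sum the listed
    processes, and name those above `threshold` on the 5-minute average
    (threshold is an assumed default, not an IOS value)."""
    summary, rows = parse_show_proc_cpu(text)
    listed = round(sum(r["five_sec"] for r in rows), 2)
    summary["listed_process_5s"] = listed
    # Rows missing from a truncated paste make up the remainder.
    summary["unlisted_process_5s"] = round(summary["process_5s"] - listed, 2)
    summary["hot_processes"] = [r["name"] for r in rows
                                if r["five_min"] >= threshold]
    return summary


if __name__ == "__main__":
    s = account_for_cpu(SAMPLE)
    print(f"total {s['total_5s']}% = interrupt {s['interrupt_5s']}% "
          f"+ processes {s['process_5s']}% (listed {s['listed_process_5s']}%)")
    print("hot processes:", ", ".join(s["hot_processes"]) or "none")
```

On the thread's numbers this reports 99% = 49% interrupt + 50% process, of which 47.14% is visible in the three pasted rows, and names SNMP ENGINE as the only hot process; the interrupt share is forwarding work that no process-level fix will remove, which is why bjs expects the box to settle around 50-55% once the polling is sorted.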
From ler762 at gmail.com Sat Feb 13 11:09:22 2010
From: ler762 at gmail.com (Lee)
Date: Sat, 13 Feb 2010 11:09:22 -0500
Subject: [c-nsp] SNMP process 45%
In-Reply-To: <6069A203FD01884885C037F81DD750801742DCDDB7@wsc-mail-01.intra.nwresd.k12.or.us>
References: <4422cf661002130320g243ebc5ax51161ba3f7ba0dd8@mail.gmail.com> <6069A203FD01884885C037F81DD750801742DCDDB7@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID:

On 2/13/10, Bill Blackford wrote:
> What is being polled is something to look at. I had an SNMP poller getting the route table and at a couple of full feeds, that seemed to be enough to add a high CPU load. (C7600/RSP720)
>
> I can second the ACL to limit who can poll.

In addition to limiting who can poll you can also limit what they can poll. eg

snmp-server view noload internet included
snmp-server view noload internet.6.3.16 excluded
snmp-server view noload atEntry excluded
snmp-server view noload ipRouteEntry excluded
snmp-server view noload ipNetToMediaEntry excluded
snmp-server community public view noload RO 2

Regards,
Lee
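Lee's view excludes the route, ARP and VACM subtrees while leaving the rest of "internet" readable, and Bill and Seth point at the ACL on the community. As an added example (not from the thread), here is a checker that parses those snmp-server lines, evaluates whether a given OID is visible through the view using the most-specific-subtree rule of SNMP VACM (RFC 3415), and lints each community for the three weaknesses the thread cares about: no ACL, read-write access, and no restricting view. The OID name table and the second community are constructed for the example; a real tool would resolve names from MIB files.

```python
import re

# Constructed sample: Lee's view and community, plus an unrestricted
# community added here to show what the audit flags.
SAMPLE_CONFIG = """\
snmp-server view noload internet included
snmp-server view noload internet.6.3.16 excluded
snmp-server view noload atEntry excluded
snmp-server view noload ipRouteEntry excluded
snmp-server view noload ipNetToMediaEntry excluded
snmp-server community public view noload RO 2
snmp-server community letmein RW
"""

# Assumed name-to-OID table for the MIB-II names used above (standard
# values; a real tool would load them from MIB files).
NAMES = {
    "internet": "1.3.6.1",
    "atEntry": "1.3.6.1.2.1.3.1.1",
    "ipRouteEntry": "1.3.6.1.2.1.4.21.1",
    "ipNetToMediaEntry": "1.3.6.1.2.1.4.22.1",
}

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$")
COMM_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?$")


def to_oid(name):
    """Resolve 'internet.6.3.16' or dotted-numeric names to an int tuple."""
    head, _, rest = name.partition(".")
    base = NAMES.get(head, head)
    oid = base + ("." + rest if rest else "")
    return tuple(int(x) for x in oid.split("."))


def parse_config(text):
    """Collect views as {name: [(subtree, included)]} and community entries."""
    views, communities = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = VIEW_RE.match(line)
        if m:
            views.setdefault(m.group(1), []).append(
                (to_oid(m.group(2)), m.group(3) == "included"))
            continue
        m = COMM_RE.match(line)
        if m:
            communities.append({"name": m.group(1), "view": m.group(2),
                                "mode": m.group(3), "acl": m.group(4)})
    return views, communities


def view_permits(view, oid):
    """VACM rule: the longest subtree covering the OID decides; an OID
    covered by no entry is not visible at all."""
    best = None
    for subtree, included in view:
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return bool(best and best[1])


def audit(text):
    """Return (views, findings) where findings are weak community settings."""
    views, communities = parse_config(text)
    findings = []
    for c in communities:
        if c["acl"] is None:
            findings.append(f"community {c['name']}: no ACL, any source may poll")
        if c["mode"] == "RW":
            findings.append(f"community {c['name']}: read-write access")
        if c["view"] is None:
            findings.append(f"community {c['name']}: no view, whole MIB tree exposed")
    return views, findings


if __name__ == "__main__":
    views, findings = audit(SAMPLE_CONFIG)
    for probe in ("1.3.6.1.2.1.1.1.0", "ipRouteEntry.1.10.0.0.0"):
        print(probe, "visible" if view_permits(views["noload"], to_oid(probe)) else "hidden")
    print("\n".join(findings))
```

Run against the sample, sysDescr.0 stays visible, a route-table row is hidden, and only the constructed "letmein" community produces findings; the thread's "public ... view noload RO 2" passes all three checks.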
From daveyjatin at gmail.com Sun Feb 14 12:33:00 2010
From: daveyjatin at gmail.com (Jatin)
Date: Sun, 14 Feb 2010 23:03:00 +0530
Subject: [c-nsp] Mailing lists for SMB Market (Cisco or Non-Cisco)
Message-ID: <4B7833CC.9070706@gmail.com>

Hi

Is there any mailing list like this one catering to the SMB market space?

Thanks
Jatin

From me at falz.net Sun Feb 14 20:25:54 2010
From: me at falz.net (Chris Wopat)
Date: Sun, 14 Feb 2010 19:25:54 -0600
Subject: [c-nsp] 2811 login issues
Message-ID:

> Date: Tue, 9 Feb 2010 11:36:21 -0600
> From: Chris Wopat
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 2811 login issues
>
> I have a 2811 that stopped accepting logins from its FastEthernet interface last week out of the blue. When this happened there were no config changes, router reboots, etc. It has a Multilink bundle unnumbered via that FastEthernet interface and it *does* accept logins from this direction. Config is simple, a default route via FA and a /24 via MU.

Although no one replied, I'd like to post the solution to this to potentially help anyone reading this in the future.
For the first few minutes after the router is booted (all interfaces are up during this period):

# sh ip route | inc 3.88
C    10.170.3.88/29 is directly connected, FastEthernet0/0

Then for some reason 5-10 minutes later it would change to:

# sh ip route | inc 3.88
C    10.170.3.88/32 is directly connected, FastEthernet0/0

Numbering Mu1 fixed it. I still have no clue why this was happening but am content with it being fixed. I have even less of a clue as to why this just started happening out of the blue one day, after being up for many months with no config changes, interface flaps or even user logins, but am happy that it's working.

--Chris

From arl at nordicom.tele.dk Mon Feb 15 03:27:38 2010
From: arl at nordicom.tele.dk (Arne Larsen)
Date: Mon, 15 Feb 2010 09:27:38 +0100
Subject: [c-nsp] vs ace4710 and cisco 6500-vss
Message-ID: <4B79057A.3090207@nordicom.tele.dk>

Hi all.

Can someone give me a hint? I'm trying to install an HA setup with ACE4710 in a VSS environment. It seems that the two boxes can't see each other via the trunks. I have used one interface for management only and bundled the others into one etherchannel. I have the following configured on the channel. I made a test setup on a 3750 switch to test before deploying this on the 6500, and that seemed to work fine. Is there something that is pulling my leg? I attended a session at Networkers in Barcelona, and the guy who taught there would make the documentation available on the web, but I can't find it. Has anyone of you seen this doc? I've also searched the web for a book about ACE, but again I can't find anything.
Do any of you know where I can get my hands on this?

/Arne

interface port-channel 1
  ft-port vlan 3085
  switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090
  port-channel load-balance src-dst-port
  no shutdown

and this configured on the physical interfaces:

  speed 1000M
  duplex FULL
  carrier-delay 30
  qos trust cos
  channel-group 1
  no shutdown

On the VSS environment I have this on the etherchannel:

interface Port-channel30
 description B: portchannel for ACE4710 load balancer
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos

and this configured on the physical interfaces:

 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast edge
 channel-group 30 mode on

From pavel.skovajsa at gmail.com Mon Feb 15 03:50:06 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Mon, 15 Feb 2010 09:50:06 +0100
Subject: [c-nsp] vs ace4710 and cisco 6500-vss
In-Reply-To: <4B79057A.3090207@nordicom.tele.dk>
References: <4B79057A.3090207@nordicom.tele.dk>
Message-ID: <323aca891002150050o26e92072gd6837f0e1e14af32@mail.gmail.com>

Hi Arne,

According to http://www.cisco.com/web/DK/assets/docs/presentations/12233sxi_0109.pdf you need to run at least SXI on the VSS and A2(1.2) on the ACE.

-pavel
From arl at nordicom.tele.dk Mon Feb 15 04:29:44 2010
From: arl at nordicom.tele.dk (Arne Larsen)
Date: Mon, 15 Feb 2010 10:29:44 +0100
Subject: [c-nsp] vs ace4710 and cisco 6500-vss
In-Reply-To: <323aca891002150050o26e92072gd6837f0e1e14af32@mail.gmail.com>
References: <4B79057A.3090207@nordicom.tele.dk> <323aca891002150050o26e92072gd6837f0e1e14af32@mail.gmail.com>
Message-ID: <4B791408.3080308@nordicom.tele.dk>

Pavel Skovajsa wrote:
> you need to run at least SXI on the VSS and A2(1.2) on ACE.

I'm running 122-33.SXI3 on the VSS and A3(2.0) on the ACE.

/Arne

From tsands at rackspace.com Mon Feb 15 08:19:37 2010
From: tsands at rackspace.com (Tom Sands)
Date: Mon, 15 Feb 2010 07:19:37 -0600
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <4B730551.9070608@uk.clara.net>
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA728@MLBMXUS2.cs.myharris.net> <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <4B730551.9070608@uk.clara.net>
Message-ID: <940_1266239987_o1FDJg21030975_4B7949E9.1080601@rackspace.com>

David Freedman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andy B. wrote:
>> On Wed, Feb 10, 2010 at 7:48 PM, David Freedman wrote:
>>> So, are you checking your interfaces for incrementing drop/error counters?
>>>
>>> Are you seeing any of this when there is the problem occurring? (clear counters, sh int summ etc..)
>>>
>> I am having input drops all the time, no matter how high or low I set the incoming hold-queue.
>>
>> The OSPF and IBGP interfaces approx.
>> 30 minutes after I cleared the counters:
>>
>> TenGigabitEthernet8/1 is up, line protocol is up (connected)
>> Input queue: 0/2000/622/622 (size/max/drops/flushes); Total output drops: 0
>>
>> TenGigabitEthernet9/1 is up, line protocol is up (connected)
>> Input queue: 0/4096/1664/1664 (size/max/drops/flushes); Total output drops: 0
>>
>> TenGigabitEthernet9/2 is up, line protocol is up (connected)
>> Input queue: 0/4096/1916/1916 (size/max/drops/flushes); Total output drops: 0
>>
>>
>> These links are not congested! Te9/1 is the busiest with maybe 6.5 out of 10 Gig. The other two are below 5 Gig.
>
> Are these supervisor ports or on a card (i.e 6704/6708?)
>
> Things I would check:
>
> - - That I understand 6704 has pathetically small per port buffers

The 6704 looks like the biggest problem in this setup. We avoid them at all cost.

> - - Hold queue input appropriate (for punt to MSFC), usually set to 4096 for these
> - - No IGP hello padding (if you have large MTU and pad then you must punt these big things)
> - - Check SPD headroom (show ip spd)
> - - The drops are not being reported on input due to lack of transmit buffer on output (i.e to lower speed card), check traffic flows/pps to low speed interfaces and adjust buffers appropriately
>
> Dave.

--------------------------------------------------------------------------------
Tom Sands
Chief Network Engineer
Rackspace
(210)312-4391
--------------------------------------------------------------------------------
Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace. Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail at abuse at rackspace.com, and delete the original message. Your cooperation is appreciated.

From tvarriale at comcast.net Mon Feb 15 09:25:45 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 15 Feb 2010 08:25:45 -0600
Subject: [c-nsp] vs ace4710 and cisco 6500-vss
References: <4B79057A.3090207@nordicom.tele.dk>
Message-ID: <553CDD5939EC46AE9BCD6858C3CD9CDF@flamdt01>

What do you mean they can't see each other?

tv
From ben at net-satori.ca Mon Feb 15 10:22:48 2010
From: ben at net-satori.ca (Benjamin Lauziere)
Date: Mon, 15 Feb 2010 10:22:48 -0500
Subject: [c-nsp] vs ace4710 and cisco 6500-vss
In-Reply-To: <553CDD5939EC46AE9BCD6858C3CD9CDF@flamdt01>
References: <4B79057A.3090207@nordicom.tele.dk>, <553CDD5939EC46AE9BCD6858C3CD9CDF@flamdt01>
Message-ID: <27303227E96E6E4C891127103483861239F8CEC750@VMBX101.ihostexchange.net>

It seems that your FT vlan is not allowed on the trunk:

ft-port vlan 3085
switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090

Same thing on the switch:

switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090

Ben
To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] vs ace4710 and cisco 6500-vss What do you mean they cant see each other? tv ----- Original Message ----- From: "Arne Larsen" To: Sent: Monday, February 15, 2010 2:27 AM Subject: [c-nsp] vs ace4710 and cisco 6500-vss Hi all. Can someone give me a hint. I?m trying to install a ha-setup with ace4710 on a vss environment It seems that that two boxes can?t see each other via the trunks. I have used one interface for management only and bundled the others in to 1 etherchannel. I have the following configured on the channel. I made a test setup on a 3750 switch to test, before deploying this on the 6500, and that seemed to work fine. Is there something that is pulling my legs. I attented a session on Networkers in Barcelona, an the guy that teached there would make the documentation available on the web, but I can?t find it. Have anyone of you seen this doc. I?ve also seached the web for a book about ace, but again I can?t find anything. Is there some of you that know where I can get my hand one this /Arne interface port-channel 1 ft-port vlan 3085 switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 port-channel load-balance src-dst-port no shutdown and this configured on the physical interfaces speed 1000M duplex FULL carrier-delay 30 qos trust cos channel-group 1 no shutdown on the vss environment I have this on the etherchannel interface Port-channel30 description B: portchannel for ACE4710 load balancer switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 switchport mode trunk switchport nonegotiate mls qos trust cos and this configured on the physical interfaces switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090 switchport mode trunk switchport nonegotiate mls qos trust cos spanning-tree portfast edge channel-group 30 mode on _______________________________________________ cisco-nsp 
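Ben's diagnosis can be checked mechanically before the next change window. The Python below is an added example, not code from the thread or from Cisco: it expands the "switchport trunk allowed vlan" lists Arne posted (copied verbatim) and reports whether the FT VLAN is carried on the ACE port-channel and on the VSS trunk; the function names are mine.

```python
"""Check that an ACE FT VLAN is actually carried on both trunk sides.

Added example, not code from the thread or from Cisco: it expands the
'switchport trunk allowed vlan' lists posted above and reports whether the
FT VLAN (3085) is allowed on the ACE port-channel and on the VSS trunk.
The config strings are copied from Arne's post; the function names are mine.
"""
import re
from typing import Dict, Set

# Copied from the post: ACE port-channel 1 ...
ACE_PORTCHANNEL = """\
interface port-channel 1
  ft-port vlan 3085
  switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090
  port-channel load-balance src-dst-port
  no shutdown
"""

# ... and the 6500-VSS side (Port-channel30).
VSS_PORTCHANNEL = """\
interface Port-channel30
 description B: portchannel for ACE4710 load balancer
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 797-803,3000,3080-3084,3086-3090
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
"""

ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a VLAN list such as '797-803,3000,3086-3090' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad VLAN range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    if not vlans <= ALL_VLANS:
        raise ValueError(f"VLAN id out of range in {spec!r}")
    return vlans


def allowed_vlans(config: str) -> Set[int]:
    """Return the set of VLANs a trunk carries, applying each
    'switchport trunk allowed vlan' statement in order (all/none/add/remove/
    except or a plain list). With no statement at all, IOS allows every VLAN."""
    allowed: Set[int] = set(ALL_VLANS)
    for line in config.splitlines():
        m = re.match(r"\s*switchport trunk allowed vlan\s+(.+?)\s*$", line)
        if not m:
            continue
        keyword, _, rest = m.group(1).partition(" ")
        keyword = keyword.lower()
        if keyword == "all":
            allowed = set(ALL_VLANS)
        elif keyword == "none":
            allowed = set()
        elif keyword == "add":
            allowed |= parse_vlan_list(rest)
        elif keyword == "remove":
            allowed -= parse_vlan_list(rest)
        elif keyword == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(rest)
        else:
            allowed = parse_vlan_list(m.group(1))
    return allowed


def ft_vlan(ace_config: str) -> int:
    """Return the VLAN named by 'ft-port vlan N' in an ACE port-channel."""
    m = re.search(r"^\s*ft-port vlan\s+(\d+)", ace_config, re.M)
    if m is None:
        raise ValueError("no 'ft-port vlan' statement in the ACE config")
    return int(m.group(1))


def check_ft_vlan(ace_config: str, switch_config: str) -> Dict[str, object]:
    """Report whether the FT VLAN is allowed on both ends of the channel."""
    vlan = ft_vlan(ace_config)
    return {
        "ft_vlan": vlan,
        "allowed_on_ace": vlan in allowed_vlans(ace_config),
        "allowed_on_switch": vlan in allowed_vlans(switch_config),
    }


if __name__ == "__main__":
    result = check_ft_vlan(ACE_PORTCHANNEL, VSS_PORTCHANNEL)
    for key, value in result.items():
        print(f"{key}: {value}")
    if not (result["allowed_on_ace"] and result["allowed_on_switch"]):
        print(f"FT VLAN {result['ft_vlan']} is missing from at least one trunk")
```

Run against the posted configs it reports the FT VLAN as missing on both sides, which is exactly the gap Ben points out.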
From linux.yahoo at gmail.com Mon Feb 15 12:05:22 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Mon, 15 Feb 2010 18:05:22 +0100
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <20100114131600.GA7162@eagle.aitken.com>
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> <20100113212044.GI75640@gerbil.cluepon.net> <20100114131600.GA7162@eagle.aitken.com>
Message-ID: <7100ed371002150905g31f3ecc3xb24ee3ce44f64743@mail.gmail.com>

maybe a better option here: using a stub area without BGP to OSPF redistribution

R/
Manu

On Thu, Jan 14, 2010 at 2:16 PM, Jeff Aitken wrote:

> On Wed, Jan 13, 2010 at 04:25:04PM -0500, null zeroroute wrote:
> > Very good suggestion, however the provider is not sending the internet
> > routing table, only our own internal network's routes. Or are you
> > suggesting some providers make mistakes and send full internet tables to a
> > private VRF customer?
>
> What he's saying is that any time you redistribute BGP into $IGP, you are
> playing with fire. The likelihood of a mistake may be low but the cost of
> a mistake is high.
>
> One thing you'll definitely want to use is the 'redistribute maximum-prefix'
> command:
>
> router ospf $PID
>  redistribute maximum-prefix $LIMIT
>
> This should help limit the damage if there's a redistribution "accident".
>
> --Jeff

From lsawyer at gci.com Mon Feb 15 16:25:26 2010
From: lsawyer at gci.com (Leif Sawyer)
Date: Mon, 15 Feb 2010 12:25:26 -0900
Subject: [c-nsp] c3750ME, IPv6, and IS-IS -- can't find the IOS
In-Reply-To: <7100ed371002150905g31f3ecc3xb24ee3ce44f64743@mail.gmail.com>
Message-ID: <18B2C6E38A3A324986B392B2D18ABC51EF31E150@fnb1mbx01.gci.com>

Having trouble finding an IOS that works on the ME-C3750-24TE with IPv6 and IS-IS.

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
seems to say that 12.2(25)SEA has the support, but that is nowhere to be found, and none of the future releases show it.

Does anybody have an idea of the actual roadmap, or is using it and can provide a working image name?

Thanks.

Leif

From mtinka at globaltransit.net Mon Feb 15 16:46:11 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 16 Feb 2010 05:46:11 +0800
Subject: [c-nsp] c3750ME, IPv6, and IS-IS -- can't find the IOS
In-Reply-To: <18B2C6E38A3A324986B392B2D18ABC51EF31E150@fnb1mbx01.gci.com>
References: <18B2C6E38A3A324986B392B2D18ABC51EF31E150@fnb1mbx01.gci.com>
Message-ID: <201002160546.16435.mtinka@globaltransit.net>

On Tuesday 16 February 2010 05:25:26 am Leif Sawyer wrote:

> Does anybody have an idea of the actual roadmap, or is
> using it and can provide a working image name?

IS-IS was introduced to the Catalyst family in IOS 12.2(50)SE.

12.2(52)SE brought IPv6 to the Cisco Catalyst 3750ME switch.

Current support for IS-IS on this platform is IPv4. IPv6 support is not yet here.

Cheers,

Mark.
From lsawyer at gci.com Mon Feb 15 17:02:58 2010
From: lsawyer at gci.com (Leif Sawyer)
Date: Mon, 15 Feb 2010 13:02:58 -0900
Subject: [c-nsp] c3750ME, IPv6, and IS-IS -- can't find the IOS
In-Reply-To: <201002160546.16435.mtinka@globaltransit.net>
Message-ID: <18B2C6E38A3A324986B392B2D18ABC51EF31E155@fnb1mbx01.gci.com>

Erm, I'm running 12.2(46)SE with IS-ISv4 very successfully.
Previously, we ran 12.2(25)EY4 and 12.2(25)SEG3 -- which I believe also had IS-IS capability.
Since we're an IS-IS network, I'm pretty sure v4 support would have been an issue prior.

But v6 support is the actual question, thanks.

From aaron.glenn at gmail.com Mon Feb 15 19:41:54 2010
From: aaron.glenn at gmail.com (Aaron Glenn)
Date: Tue, 16 Feb 2010 00:41:54 +0000
Subject: [c-nsp] SUP720-3BXL "Warning: NVRAM size is 0"
Message-ID: <18f601941002151641n6152701bx9a0287a7c9eda08c@mail.gmail.com>

Greets,

In what's unfortunately become a common theme, I'm staring down a SUP720-3BXL that will not boot. After copying an up-to-date SXH IOS image to sup-bootdisk ("The Kid" didn't ship pc cards) and a reload, I am getting a "Warning: NVRAM size is 0" and subsequent TLB exceptions on boot.
The only real scrap of information I've been able to find is a relatively old CSC[1] explaining some early versions of WS-SUP720 suffer from a busted crystal oscillator. I've confirmed that this board's serial numbers and hw revisions do not fall under this field notice, yet I'm getting exactly the same behavior as described.

I would appreciate any suggestions on how to resuscitate this thing or additional steps to verify it is indeed a faulty hardware issue.

Thanks,
Aaron

[1] http://www.ciscosystems.com/en/US/ts/fn/200/fn27595.html

From frnkblk at iname.com Mon Feb 15 22:51:17 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Mon, 15 Feb 2010 21:51:17 -0600
Subject: [c-nsp] Dynamic IP VPN clients on a dual-ISP ASA 5505

We have a customer that recently added a second ISP uplink to their ASA 5505 at the hub (headquarters) and would like to migrate some of their spoke (IPSec) sites to terminate on the new uplink at the hub. Secondly, they would like the new uplink to be their hub's primary internet link (using PAT).

Their spokes are predominantly using SOHO gear on different ISP services that have dynamic IP addresses, and behind each spoke is a unique private subnet.

What Cisco is telling us is that if we want to use dual-ISP interfaces the spokes cannot use dynamic WAN IP addresses. If the spokes have static WAN IP addresses it will work -- something with how the VPN session gets set up and the fact that the default router is for the new uplink, we're told. But the client wants to avoid the $10/month charge for a static for each spoke, if at all possible.

With all the knobs and buttons that the ASA has, I find this a little surprising. Does anyone have a similar setup for which they would be willing to share a configuration snippet?
Here's an abbreviated configuration:

                headquarters
               192.168.x.0/24
                     |
                  ASA 5505
                  /      \
             ISP #1      ISP #2
               |            |
                  INTERNET
               |            |
          dynamic IP    dynamic IP
           Remote A      Remote B
        192.168.a.0/24  192.168.b.0/24

A bonus would be if HQ could automatically fail over to the other ISP link.

Thanks in advance for any assistance.

Regards,

Frank Bulk

From mtinka at globaltransit.net Mon Feb 15 23:58:46 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 16 Feb 2010 12:58:46 +0800
Subject: [c-nsp] c3750ME, IPv6, and IS-IS -- can't find the IOS
In-Reply-To: <18B2C6E38A3A324986B392B2D18ABC51EF31E155@fnb1mbx01.gci.com>
References: <18B2C6E38A3A324986B392B2D18ABC51EF31E155@fnb1mbx01.gci.com>
Message-ID: <201002161258.52687.mtinka@globaltransit.net>

On Tuesday 16 February 2010 06:02:58 am Leif Sawyer wrote:

> Erm, I'm running 12.2(46)SE with IS-ISv4 very
> successfully.

You're right, I was mixing up platforms (the 3560/3750, to be exact, since I asked Cisco for IS-IS support on this more than 2 years ago). The 3750ME has had IS-IS support for a long time (I think as far back as IOS 12.1AX).

> But v6 support is the actual question, thanks.

The last time I asked my SE, Cisco's plan was to make v6 support for IS-IS for the 3750ME available at the end of 2010, since we also have a couple of these boxes in the network.

Given previous Cisco schedules, this could easily be 2011.

Cheers,

Mark.
From zeusdadog at gmail.com Tue Feb 16 00:30:47 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Tue, 16 Feb 2010 00:30:47 -0500
Subject: [c-nsp] VRF aware IPSec for remote access without xauth
In-Reply-To: <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com>
References: <9418aca71002022020g2e7ab037g3177cb76a1181bdc@mail.gmail.com> <9418aca71002091141y73d134edkc50cc38c9d0b069a@mail.gmail.com>
Message-ID: <9418aca71002152130x6310c623v1ebeff45b84feb6b@mail.gmail.com>

I have fixed this issue with TAC help. To help those that may encounter this issue later, here are the changes:

crypto isakmp profile CustomerVPN
 ! Remove this line for Authentication. You have to keep the authorization line.
 no client authentication list CustomerVPNCliAuth

Then, I forgot to add the crypto-map on the two interfaces that the traffic actually came in on. (I was under the mistaken understanding that you can only put a crypto-map on one interface.)

On Tue, Feb 9, 2010 at 2:41 PM, Jay Nakamura wrote:
> I have not explained my situation very well so let me restart.
>
> VPN is client VPN, not LAN to LAN. The old style IPsec Cisco VPN
> client, not Anyconnect client.
>
> Internet access on the router is on one VRF. Network we want to
> access via VPN is on another VRF. See below config.
>
> I have gotten it to work so far where it will connect, do Xauth, and
> establish connection. You can see the VPN client IP in the routing
> table of the Customer VRF. Traffic gets sent to the VPN from the
> client but nothing from the Customer VRF comes back out to the VPN.
>
> I do want to do this without XAuth if possible. Also, I used the
> loopback interface as the destination of the VPN so it could fail over
> if one link goes down.
>
>
> aaa new-model
> !
> aaa authentication login CustomerVPNCliAuth local
> aaa authorization network CustomerVPNNetAuth local
> !
> ip cef
> !
> ip vrf Customer
>  rd 12345:1100
>  import map internetVRFDefaultMap
>  route-target export 12345:1100
>  route-target import 12345:1100
>  route-target import 12345:1
> !
> ip vrf internet
>  rd 12345:1
>  route-target export 12345:1
>  route-target import 12345:1
> !
> crypto keyring CustomerVPNKey vrf internet
>  local-address Loopback1
>  pre-shared-key address 0.0.0.0 0.0.0.0 key testtest
> no crypto xauth Loopback1
> !
> crypto isakmp policy 1
>  encr aes 256
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group CustomerVPNGroup
>  key testtest
>  pool CustomerVPNPool
>  acl CustomerVPNSplitTunnel
> crypto isakmp profile CustomerVPN
>    vrf Customer
>    keyring CustomerVPNKey
>    self-identity address
>    match identity group CustomerVPNGroup
>    client authentication list CustomerVPNCliAuth
>    isakmp authorization list CustomerVPNNetAuth
>    client configuration address initiate
>    client configuration address respond
>    client configuration group CustomerVPNGroup
>    local-address Loopback1
> !
> !
> crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
> !
> crypto dynamic-map CustomerVPNDynMap 1
>  set transform-set AES256
>  set isakmp-profile CustomerVPN
>  reverse-route
> !
> !
> crypto map CustomerVPN local-address Loopback1
> crypto map CustomerVPN 10 ipsec-isakmp dynamic CustomerVPNDynMap
> !
> !
> interface Loopback0
>  ip vrf forwarding internet
>  ip address a.a.a.1 255.255.255.255
>  !
> !
> interface Loopback1
>  ip vrf forwarding internet
>  ip address a.a.a.2 255.255.255.255
>  crypto map CustomerVPN
>  !
> !
> interface Loopback2
>  ip vrf forwarding internet
>  ip address a.a.a.3 255.255.255.255
>  ip nat outside
>  ip virtual-reassembly
>  !
> !
> interface GigabitEthernet0/0
>  ip address m.m.m.x 255.255.255.0
>  duplex auto
>  speed auto
>  !
> !
> interface GigabitEthernet0/0.802
>  encapsulation dot1Q 802
>  ip vrf forwarding internet
>  ip address b.b.b.b 255.255.255.240
>  ip nat outside
>  ip virtual-reassembly
> !
> interface GigabitEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
>  !
> !
> interface GigabitEthernet0/1.803
>  encapsulation dot1Q 803
>  ip vrf forwarding internet
>  ip address c.c.c.c 255.255.255.240
>  ip nat outside
>  ip virtual-reassembly
>  ip ospf cost 15
> !
> interface GigabitEthernet0/1.811
>  encapsulation dot1Q 811
>  ip address n.n.n.n.x 255.255.255.0
> !
> interface GigabitEthernet0/2
>  no ip address
>  duplex auto
>  speed auto
>  !
> !
> interface GigabitEthernet0/2.1100
>  encapsulation dot1Q 1100
>  ip vrf forwarding Customer
>  ip address 10.0.244.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
> !
> interface GigabitEthernet0/2.1101
>  encapsulation dot1Q 1101
>  ip vrf forwarding Customer
>  ip address 10.0.245.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
> !
> router ospf 1 vrf internet
>  log-adjacency-changes
>  redistribute static metric-type 1 subnets
>  passive-interface default
>  no passive-interface GigabitEthernet0/0.802
>  no passive-interface GigabitEthernet0/1.803
>  network a.a.a.1 0.0.0.0 area 0
>  network b.b.b.b 0.0.0.15 area 0
>  network c.c.c.c 0.0.0.15 area 0
> !
> router bgp 12345
>  no synchronization
>  bgp log-neighbor-changes
>  no auto-summary
>  !
>  address-family ipv4 vrf Customer
>   no synchronization
>   redistribute static
>   default-information originate
>  exit-address-family
>  !
>  address-family ipv4 vrf internet
>   no synchronization
>   redistribute ospf 1 vrf internet match internal external 1 external 2
>   default-information originate
>  exit-address-family
> !
> ip local pool CustomerVPNPool 192.168.254.1 192.168.254.254 recycle delay 10
> ip forward-protocol nd
> !
> ip extcommunity-list 1 permit rt 12345:1
> ip nat inside source list CustomerNATACL interface Loopback2 vrf Customer overload
> !
> ip access-list extended CustomerNATACL
>  deny   ip 10.0.244.0 0.0.1.255 192.168.254.0 0.0.0.255
>  permit ip 10.0.244.0 0.0.1.255 any
> ip access-list extended CustomerVPNSplitTunnel
>  permit ip 10.0.244.0 0.0.0.255 192.168.254.0 0.0.0.255
>  permit ip 10.0.245.0 0.0.0.255 192.168.254.0 0.0.0.255
> !
> !
> ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
> ip prefix-list DefaultOnly seq 10 permit 192.168.254.0/24
> !
> route-map internetVRFDefaultMap permit 10
>  match ip address prefix-list DefaultOnly
>  match extcommunity 1
>
>
> On Wed, Feb 3, 2010 at 4:01 PM, Ryan Goldberg wrote:
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
>>> Sent: Tuesday, February 02, 2010 10:20 PM
>>> To: cisco-nsp
>>> Subject: [c-nsp] VRF aware IPSec for remote access without xauth
>>>
>>> I am trying to configure vrf aware IPSec VPN for remote access, coming
>>> into one VRF and tunneling into another VRF. Can I do that without
>>> XAUTH? I can't seem to find any reference to doing it without xauth.
>>> If it's possible and someone has done this, can you please post a
>>> sample config?
>>
>> I believe the following tidbits should get you going. This is from a 2801 running 12.4.24T1. Tunnels land on vrf ISP2 and pop out into vrf LAN.
>>
>> ip vrf ISP2
>>  rd 1:2
>>
>> ip vrf LAN
>>  rd 1:3
>>
>> crypto keyring ISP2 vrf ISP2
>>  pre-shared-key address a.b.c.d key blahblahblah
>>
>> crypto isakmp policy 2
>>  encr 3des
>>  authentication pre-share
>>  group 2
>>
>> crypto isakmp profile ProfileForNuttyVendor
>>    vrf LAN
>>    keyring ISP2
>>    match identity address a.b.c.d 255.255.255.255 ISP2
>>
>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>>
>> crypto map AwesomeMap 3 ipsec-isakmp
>>  description tunnel for Nutty Vendor
>>  set peer a.b.c.d
>>  set transform-set ESP-3DES-SHA
>>  set isakmp-profile ProfileForNuttyVendor
>>  match address 111
>>  reverse-route
>>
>> interface FastEthernet0/1
>>  ip vrf forwarding LAN
>>  ip address 10.1.19.250 255.255.255.0
>>
>> interface FastEthernet0/0
>>  ip vrf forwarding ISP2
>>  ip address w.x.y.z 255.255.255.248
>>
>>
>> access-list 111 remark Nutty Vendor tunnel
>> access-list 111 permit ip host 10.3.19.247 10.0.1.0 0.0.0.255
>>
>> -
>>
>> Ryan
>>
>

From marco.regini at ascotlc.it Tue Feb 16 06:29:19 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Tue, 16 Feb 2010 12:29:19 +0100
Subject: [c-nsp] multicast on transit LAN

Hi,
I'm in a serious problem with multicast because my distribution (Cisco Catalyst 3750) and access apparatus (Cisco Catalyst 3560) see each other via a common network (built on the common vlan 100). Physically they are in a daisy-chain with the gigabit interfaces, the gigabits are in trunk, all the L3 interfaces are SVIs.

The problem is to limit the multicast traffic on this vlan because at L2 it is like a broadcast.

Have you any suggestions?

I read documentation about CGMP, RGMP but in the notes it is written that this stuff works only when multicast routers are connected via a L2 switch, and regarding the vlan 100 my ciscos are both router (there is an svi) and switch.

Another idea is to use IGMP snooping but my multicast receivers/sources are not in this vlan: so no IGMP traffic passes in this vlan.

My last chance is to proxy the IGMP, let me explain:

Receiver --Vlan7-- Fa0/7.Catalyst3560.Gi0/1---Vlan100-Gi0/1.Catalyst3750

If I configure the Catalyst3560 to proxy the igmp join/leave to the upstream Catalyst3750 perhaps I give a chance to IGMP snooping to start working on Vlan100.
Marco Regini

From Jon.Harald.Bovre at hafslund.no Tue Feb 16 07:47:04 2010
From: Jon.Harald.Bovre at hafslund.no (Bøvre Jon Harald)
Date: Tue, 16 Feb 2010 13:47:04 +0100
Subject: [c-nsp] multicast on transit LAN

Might not solve your problem but have a look at a MVR vlan.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swigmp.html#wp1035931

Jon
From p.mayers at imperial.ac.uk Tue Feb 16 10:36:50 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 16 Feb 2010 15:36:50 +0000
Subject: [c-nsp] multicast on transit LAN
Message-ID: <4B7ABB92.1040801@imperial.ac.uk>

On 02/16/2010 11:29 AM, Marco Regini wrote:
> My last chance is to proxy the IGMP, let me explain:
>
> Receiver --Vlan7-- Fa0/7.Catalyst3560.Gi0/1---Vlan100-Gi0/1.Catalyst3750

So the 3560 and 3750 are routing the multicast? In that case you probably need PIM snooping on the layer2 equipment between them.

If you don't have that, then yes - IGMP proxy is an option.

From marco.regini at ascotlc.it Tue Feb 16 11:45:01 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Tue, 16 Feb 2010 17:45:01 +0100
Subject: [c-nsp] multicast on transit LAN
References: <4B7ABB92.1040801@imperial.ac.uk>

Hi Phil, all my ciscos are routing the multicast, the problem is that the l3 links between them are not point-to-point.

I tried to enable rgmp, cgmp ... but it seems they assume the apparatus is either a router or a switch (if the cisco has an svi on the vlan 100 it is a router, if not it is a switch). I'm not sure if proxying the IGMP will work, because IGMP snooping probably has the same limitation, but I want to try; do you know how to enable it?

This is a pseudo configuration of the apparatus, what lines do I need to proxy the IGMP arriving on the access interface Fa0/30?

!
interface Vlan 100
 description L3 DAESY-CHAIN-NUMBER-100
 ip address 172.16.100.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface range Gi 0/1 - 4
 description L2 DAESY-CHAIN-NUMBER-100
 switchport mode trunk
 switchport trunk allowed vlan 100
!

On the access apparatus there are the Customer interfaces.

!
interface Fa0/30
 description L2 Customer Smith
 switchport access vlan 30
!
!
interface Vlan 30
 description L3 Customer Smith
 ip address 10.0.30.1 255.255.255.240
!

From marco.regini at ascotlc.it Tue Feb 16 11:21:02 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Tue, 16 Feb 2010 17:21:02 +0100
Subject: [c-nsp] multicast on transit LAN

Hi Jon, MVR is a very interesting feature, thanks. I need some time to reflect, maybe I'm not going to use it this time but knowing I can do multicast in this way is important.

One question: how do I use MVR with PIM?

On my 3570 (my distribution router) I configure an svi 101

!
int Vlan 101
 description L3 FOR MVR MULTICAST
 ip address 172.16.101.1 255.255.255.0
 ip pim sparse-dense-mode
!

On my Catalyst 3560 (my access apparatus) I do not create an svi 101 but simply put mvr on the access interface:

!
interface Fa0/30
 description L2 Customer Smith
 switchport access vlan 30
 mvr type receiver
 mvr vlan 101 group 228.1.23.4
!
!
interface Vlan 30
 description L3 Customer Smith
 ip address 10.0.30.1 255.255.255.240
!
From p.mayers at imperial.ac.uk Tue Feb 16 12:19:27 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 16 Feb 2010 17:19:27 +0000
Subject: [c-nsp] multicast on transit LAN
References: <4B7ABB92.1040801@imperial.ac.uk>
Message-ID: <4B7AD39F.1040500@imperial.ac.uk>

On 02/16/2010 04:45 PM, Marco Regini wrote:
> Hi Phil, all my ciscos are routing the multicast, the problem is that
> the l3 links between them are not point-to-point.

Understood. You have the config:

layer3 -- layer2 -- (...) -- layer2 -- layer3

...and the multicast needs to pass between the layer3 devices.

The layer3 devices are using PIM to speak to each other, yes? In which case, you need PIM snooping on the layer2 devices.

What are the layer2 devices? How many are there? Who runs them?

>
> I tried to enable rgmp, cgmp ... but it seems they assume the apparatus
> is either a router or a switch (if the cisco has an svi on the vlan 100
> it is a router, if not it is a switch). I'm not sure if proxying the

I'm sorry, I don't understand you. RGMP and CGMP are different things, which serve different purposes.

> IGMP will work, because IGMP snooping probably has the same
> limitation, but I want to try; do you know how to enable it?
>
> This is a pseudo configuration of the apparatus, what lines do I need to
> proxy the IGMP arriving on the access interface Fa0/30?

I'm sorry, I don't understand. That configuration cannot possibly work. Can you give a more detailed configuration?

I've never used IGMP proxy on a cisco, and upon examination it looks like it might be a different feature than I thought - the docs seem to link it to unidirectional tunnels.

You really need PIM snooping.

From globichen at gmail.com Tue Feb 16 14:52:55 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 16 Feb 2010 20:52:55 +0100
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To: <940_1266239987_o1FDJg21030975_4B7949E9.1080601@rackspace.com>
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <4B730551.9070608@uk.clara.net> <940_1266239987_o1FDJg21030975_4B7949E9.1080601@rackspace.com>

On Mon, Feb 15, 2010 at 2:19 PM, Tom Sands wrote:
> The 6704 looks like the biggest problem in this setup. We avoid them at all
> cost.

What would be your recommendation then? 6708?

sidenote: I may have narrowed down the issue. There is a port-channel on te9/4 and te8/4. When I shut down one of these two interfaces, the box is becoming very responsive again:

BCS#sh etherchannel 66 detail
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   PAgP
Minimum Links: 0
                Ports in the group:
                -------------------
Port: Te8/4
------------

Port state    = Down Not-in-Bndl
Channel group = 66          Mode = Desirable-Sl    Gcchange = 0
Port-channel  = null        GC   = 0x00000000      Pseudo port-channel = Po66
Port index    = 0           Load = 0x00            Protocol =   PAgP

Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.
        d - PAgP is down.
Timers: H - Hello timer is running.        Q - Quit timer is running.
        S - Switching timer is running.    I - Interface timer is running.
Local information:
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Te8/4     d     U1/S1   1s       0        128        Any      0

Age of the port in the current state: 5d:11h:50m:10s

Port: Te9/4
------------

Port state    = Up Mstr In-Bndl
Channel group = 66          Mode = Desirable-Sl    Gcchange = 0
Port-channel  = Po66        GC   = 0x00420001      Pseudo port-channel = Po66
Port index    = 1           Load = 0xFF            Protocol =   PAgP

Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.
        d - PAgP is down.
Timers: H - Hello timer is running.        Q - Quit timer is running.
        S - Switching timer is running.    I - Interface timer is running.

Local information:
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Te9/4     SC    U6/S7   30s      1        128        Any      122

Partner's information:

          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Te9/4     XXXX                 0021.a050.d600   Te4/2       18s SC      420001

Age of the port in the current state: 0d:00h:05m:49s

                Port-channels in the group:
                ----------------------

Port-channel: Po66
------------

Age of the Port-channel   = 5d:11h:52m:22s
Logical slot/port   = 14/4          Number of ports = 1
GC                  = 0x00420001      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   PAgP
Fast-switchover     = disabled
Load share deferral = disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------------+------------------+-----------
  1     FF     Te9/4    Desirable-Sl       8

Time since last port bundled:    0d:00h:05m:49s    Te9/4
Time since last port Un-bundled: 0d:00h:05m:06s    Te8/4

Last applied Hash Distribution Algorithm: Fixed

This is while Te8/4 is shut down. The other end of the channel is also a 6509 box with 1x 6704.
Andy

From marco.regini at ascotlc.it Tue Feb 16 15:19:59 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Tue, 16 Feb 2010 21:19:59 +0100
Subject: [c-nsp] multicast on transit LAN
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk>
Message-ID:

Hi Phil,

I apologize if I'm obscure, and thanks a lot :-) for your patience.

I have Layer3/Layer2--Layer3/Layer2--Layer3/Layer2-- ...

The vlan 100 spans the entire chain (the Ciscos are interconnected via the fc gigabit interface with an 802.1q trunk); each node on the chain has an "interface vlan 100" with an address on the same network.

The customers, the multicast senders/receivers, are on the FastEthernet interfaces, in their dedicated vlan and network.

Regarding PIM snooping, my poor 3560/3750 do not support it, but in the documentation I found again that you need the Cisco to be either a router or a switch, not both. But I'm not an expert, so do not trust very much what I say.

Cheers

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Tuesday 16 February 2010 18:19
To: Marco Regini
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] multicast on transit LAN

On 02/16/2010 04:45 PM, Marco Regini wrote:
> Hi Phil, all my Ciscos are routing the multicast; the problem is that
> the l3 links between them are not point-to-point.

Understood. You have the config:

layer3 -- layer2 -- (...) -- layer2 -- layer3

...and the multicast needs to pass between the layer3 devices.

The layer3 devices are using PIM to speak to each other, yes? In which case, you need PIM snooping on the layer2 devices.

What are the layer2 devices? How many are there? Who runs them?

>
> I tried to enable rgmp, cgmp ... but it seems they assume the apparatus
> is either a router or a switch (if the Cisco has an SVI on the vlan 100
> it is a router, if not it is a switch). I'm not sure if proxying the

I'm sorry, I don't understand you. RGMP and CGMP are different things, which serve different purposes.
> IGMP will work, because IGMP snooping probably has the same
> limitation, but I want to try; do you know how to enable it?
>
>
>
> This is a pseudo configuration of the apparatus; what lines do I need to
> proxy the IGMP arriving at the access interface Fa0/30?

I'm sorry, I don't understand. That configuration cannot possibly work. Can you give a more detailed configuration?

I've never used IGMP proxy on a Cisco, and upon examination it looks like it might be a different feature than I thought - the docs seem to link it to unidirectional tunnels.

You really need PIM snooping.

From gert at greenie.muc.de Tue Feb 16 15:33:36 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 16 Feb 2010 21:33:36 +0100
Subject: [c-nsp] ip source guard in the switch layer without DHCP
In-Reply-To: <1265802854.11279.3.camel@hal9000>
References: <1265802854.11279.3.camel@hal9000>
Message-ID: <20100216203336.GI9556@greenie.muc.de>

Hi,

On Wed, Feb 10, 2010 at 12:54:14PM +0100, luismi wrote:
> What about if the server connected to that port is sending multicast
> traffic?

Multicast traffic is sent from the normal unicast MAC and IP address. Since the switch is checking the packet *source*, it should not interfere.

gert
--
USENET is *not* the non-clickable part of WWW!                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From A.L.M.Buxey at lboro.ac.uk Tue Feb 16 15:57:40 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 16 Feb 2010 20:57:40 +0000
Subject: [c-nsp] multicast on transit LAN
In-Reply-To:
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk>
Message-ID: <20100216205740.GC1822@lboro.ac.uk>

Hi,

> Regarding PIM snooping, my poor 3560/3750 do not support it, but in the documentation I found again that you need the Cisco
> to be either a router or a switch, not both.

ip igmp snooping

should be available globally or per physical/logical interface

the pim features are how the traffic is dealt with - eg

ip pim sparse-mode

alan

From rsm at fast-serv.com Tue Feb 16 17:05:16 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Tue, 16 Feb 2010 17:05:16 -0500
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216205740.GC1822@lboro.ac.uk>
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk> <20100216205740.GC1822@lboro.ac.uk>
Message-ID: <20100216215941.M18122@fast-serv.com>

Is there a simpler way to add/remove VLANs from a trunk port without having to redefine the allowed list each time? I'm trying to script the adding and removing of allowed VLANs and I would rather have simple add/remove commands to add or remove a single vlan (like 'tagged' or 'no tagged' on a per-VLAN basis in Foundry) instead of redefining every VLAN on the trunk port every time the script runs. But I don't think it's possible?

--
Randy

From jackson.tim at gmail.com Tue Feb 16 17:15:17 2010
From: jackson.tim at gmail.com (Tim Jackson)
Date: Tue, 16 Feb 2010 16:15:17 -0600
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216215941.M18122@fast-serv.com>
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk> <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com>
Message-ID: <4407932e1002161415y5751213bye54792f9681766f0@mail.gmail.com>

switchport trunk vlan allowed add/remove:

nsvltnit-office-3560(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

On Tue, Feb 16, 2010 at 4:05 PM, Randy McAnally wrote:
> Is there a simpler way to add/remove VLANs from a trunk port without having to
> redefine the allowed list each time? I'm trying to script the adding and
> removing of allowed VLANs and I would rather have simple add/remove commands to add
> or remove a single vlan (like 'tagged' or 'no tagged' on a per-VLAN basis in
> Foundry) instead of redefining every VLAN on the trunk port every time
> the script runs. But I don't think it's possible?
>
> --
> Randy

From sthaug at nethelp.no Tue Feb 16 17:17:28 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 16 Feb 2010 23:17:28 +0100 (CET)
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216215941.M18122@fast-serv.com>
References: <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com>
Message-ID: <20100216.231728.41663379.sthaug@nethelp.no>

> Is there a simpler way to add/remove VLANs from a trunk port without having to
> redefine the allowed list each time?
> I'm trying to script the adding and
> removing of allowed VLANs and I would rather have simple add/remove commands to add
> or remove a single vlan (like 'tagged' or 'no tagged' on a per-VLAN basis in
> Foundry) instead of redefining every VLAN on the trunk port every time
> the script runs. But I don't think it's possible?

What is wrong with "switchport trunk allowed vlan add ..." and the
corresponding "switchport trunk allowed vlan rem ..." ?

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From rsm at fast-serv.com Tue Feb 16 17:21:02 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Tue, 16 Feb 2010 17:21:02 -0500
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216.231728.41663379.sthaug@nethelp.no>
References: <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com> <20100216.231728.41663379.sthaug@nethelp.no>
Message-ID: <20100216221910.M53040@fast-serv.com>

Nothing wrong...it's exactly what I needed.

Long hours of coding make me overlook these kinds of things and I really appreciate the added eyes of the community :)

--
Randy

---------- Original Message -----------
From: sthaug at nethelp.no
To: rsm at fast-serv.com
Cc: cisco-nsp at puck.nether.net
Sent: Tue, 16 Feb 2010 23:17:28 +0100 (CET)
Subject: Re: [c-nsp] Controlling allowed VLANs, alternatives?

> > Is there a simpler way to add/remove VLANs from a trunk port without having to
> > redefine the allowed list each time? I'm trying to script the adding and
> > removing of allowed VLANs and I would rather have simple add/remove commands to add
> > or remove a single vlan (like 'tagged' or 'no tagged' on a per-VLAN basis in
> > Foundry) instead of redefining every VLAN on the trunk port every time
> > the script runs. But I don't think it's possible?
>
> What is wrong with "switchport trunk allowed vlan add ..." and the
> corresponding "switchport trunk allowed vlan rem ..." ?
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
------- End of Original Message -------

From jeff-kell at utc.edu Tue Feb 16 17:28:16 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 16 Feb 2010 17:28:16 -0500
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <4407932e1002161415y5751213bye54792f9681766f0@mail.gmail.com>
References: <4B7ABB92.1040801@imperial.ac.uk> <4B7AD39F.1040500@imperial.ac.uk> <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com> <4407932e1002161415y5751213bye54792f9681766f0@mail.gmail.com>
Message-ID: <4B7B1C00.1040808@utc.edu>

On 2/16/2010 5:15 PM, Tim Jackson wrote:
> switchport trunk vlan allowed add/remove:
>
> nsvltnit-office-3560(config-if)#switchport trunk allowed vlan ?
>   WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
>   add     add VLANs to the current list
>   all     all VLANs
>   except  all VLANs except the following
>   none    no VLANs
>   remove  remove VLANs from the current list
>

And if changing a group of them, do "interface range ..." first.

Jeff

From Dhanalakshmi.Mohanasundaram at in.lafarge.com Tue Feb 16 17:31:02 2010
From: Dhanalakshmi.Mohanasundaram at in.lafarge.com (Dhanalakshmi.Mohanasundaram at in.lafarge.com)
Date: Wed, 17 Feb 2010 04:01:02 +0530
Subject: [c-nsp] Dhanalakshmi Mohanasundaram is out of the office.
Message-ID:

I will be out of the office starting 02/17/2010 and will not return until 02/19/2010.

I will respond to your message when I return. In case of any issues please contact Mr. Periyasamy Nattar ( Periyasamy.nattar at in.lafareg.com )
From mailers at oranged.to Tue Feb 16 22:03:50 2010
From: mailers at oranged.to (Jimmy Stewpot)
Date: Wed, 17 Feb 2010 03:03:50 +0000 (UTC)
Subject: [c-nsp] ASA5510 with SIP dropping intermittent
In-Reply-To: <194215044.28.1266375622378.JavaMail.root@poops.oranged.to>
Message-ID: <831641327.30.1266375830692.JavaMail.root@poops.oranged.to>

Hello,

I am currently running a Cisco ASA 5510 device running software version 8.0(3)6. The configuration is very simple: we have a group of voice servers behind the system talking to an upstream voice service provider using SIP. Outbound calls work 100% of the time; however, we have a policy in place which permits inbound connections. Most of the time it works, however in an apparently random fashion it drops incoming calls. There have been no changes to the device in months and it's only started to occur over the last week. I have been ripping my hair out trying to resolve this issue with little to no luck.

When I check what is going on I see the following messages in the log.

Feb 16 10:48:10 %ASA-6-106015: Deny TCP (no connection) from /57345 to /5060 flags PSH ACK on interface Outside

The configuration is as follows.

Voice Server (192.168.1.20/24) -> ASA internal (192.168.1.254) || ASA External (Public Address) -> Internet.

We have an inbound policy permitting any inbound SIP udp and tcp to the Public Address. We then have a one to one mapping

static (inside,Outside) 192.168.1.20 netmask 255.255.255.255

Everything seems fine, and I don't understand why it's dropping the connections on a very intermittent basis. It seems that it's probably something to do with the inspect. If we disable inspect it breaks all phone connections. I found the following bug reference number in the release notes for 8.2.
CSCtb23281, but I don't have Cisco logins which provide me with the bugs db any more...

Any advice or assistance would be greatly appreciated.

Regards,

Jimmy Stewpot.

From kris at amy.id.au Tue Feb 16 23:33:16 2010
From: kris at amy.id.au (Kris Amy)
Date: Wed, 17 Feb 2010 14:33:16 +1000
Subject: [c-nsp] VLAN Tagging/Untagging overhead
Message-ID: <79167dd71002162033o2c338b7fle66b9f9d381395fa@mail.gmail.com>

Hi All,

Is there any CPU impact from packets being de/encapsulated onto a VLAN rather than going native on a software-based platform (7200/7300)? If so, would this be a big impact at 50k pps?

Regards,
Kris

From tvarriale at comcast.net Tue Feb 16 23:43:45 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 16 Feb 2010 22:43:45 -0600
Subject: [c-nsp] ASA5510 with SIP dropping intermittent
References: <831641327.30.1266375830692.JavaMail.root@poops.oranged.to>
Message-ID:

That bug was supposedly first found in 8.2(1).

My first thought is that the control channel is staying up on the voice SP, but is timing out in the translation table.

Do you log your setups and teardowns to a syslog server? If so, go back and try and chase that source port to see if there's a timeout/teardown prior to that timestamp.

You need the SIP inspection since you are NATing. No way around it and I don't think that's the issue at this point. Or, better said, at this point in the data collection phase.

tv

----- Original Message -----
From: "Jimmy Stewpot"
To:
Sent: Tuesday, February 16, 2010 9:03 PM
Subject: [c-nsp] ASA5510 with SIP dropping intermittent

> Hello,
>
> I am currently running a Cisco ASA 5510 device running software version
> 8.0(3)6. The configuration is very simple: we have a group of voice
> servers behind the system talking to an upstream voice service provider
> using SIP. Outbound calls work 100% of the time; however, we have a policy
> in place which permits inbound connections.
> Most of the time it works,
> however in an apparently random fashion it drops incoming calls. There
> have been no changes to the device in months and it's only started to occur
> over the last week. I have been ripping my hair out trying to resolve this
> issue with little to no luck.
>
> When I check what is going on I see the following messages in the log.
>
> Feb 16 10:48:10 %ASA-6-106015: Deny TCP (no connection) from /57345
> to /5060 flags PSH ACK on interface Outside
>
> The configuration is as follows.
>
> Voice Server (192.168.1.20/24) -> ASA internal (192.168.1.254) || ASA
> External (Public Address) -> Internet.
>
> We have an inbound policy permitting any inbound SIP udp and tcp to the
> Public Address. We then have a one to one mapping
>
> static (inside,Outside) 192.168.1.20 netmask 255.255.255.255
>
> Everything seems fine, and I don't understand why it's dropping the
> connections on a very intermittent basis. It seems that it's probably
> something to do with the inspect. If we disable inspect it breaks all
> phone connections. I found the following bug reference number in the
> release notes for 8.2. CSCtb23281, but I don't have Cisco logins which
> provide me with the bugs db any more...
>
> Any advice or assistance would be greatly appreciated.
>
> Regards,
>
> Jimmy Stewpot.

From ramet at ramet7.net Wed Feb 17 00:31:35 2010
From: ramet at ramet7.net (Ramet Khalili)
Date: Wed, 17 Feb 2010 09:01:35 +0330
Subject: [c-nsp] Active Directory User shaping
Message-ID: <000301caaf92$8ede9bc0$ac9bd340$@net>

Hey there,

Does anyone know how I can shape my Active Directory users by their domain usernames and passwords? Something like the UTMs do. I really wonder why they didn't put this on ASAs!
Ramet

From ioan.branet at gmail.com Wed Feb 17 03:10:36 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 10:10:36 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
Message-ID: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com>

Hello group,

I am trying to create an EOMPLS VLAN mode circuit between one 10G subinterface and a GE interface between two 7600 as PE. Here is my config:

PE1:

sh running-config interface TenGigabitEthernet7/3.999
Building configuration...

Current configuration : 141 bytes
!
interface TenGigabitEthernet7/3.999
 description TEST_EOMPLS
 encapsulation dot1Q 999
 xconnect 172.25.231.68 9999 encapsulation mpls
end

show mpls l2transport vc 9999 detail
Local interface: Te7/3.999 up, line protocol up, Eth VLAN 999 up
  MPLS VC type is Eth VLAN, interworking type is Ethernet
  Destination address: 172.25.231.68, VC ID: 9999, VC status: up
    Output interface: Te4/2, imposed label stack {5673 54}
    Preferred path: not configured
    Default path: active
    Next hop: 95.77.36.45
  Create time: 00:04:21, last status change time: 00:04:21
  Signaling protocol: LDP, peer 172.25.231.68:0 up
    Targeted Hello: 172.25.224.1(LDP Id) -> 172.25.231.68
    MPLS VC labels: local 1244, remote 54
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: EOMPLS TEST
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 4, send 0
    byte totals:   receive 240, send 0
    packet drops:  receive 0, send 0

PE2:

sh running-config interface Gi2/2.999
Building configuration...

Current configuration : 137 bytes
!
interface GigabitEthernet2/2.999
 description EOMPLS TEST
 encapsulation dot1Q 999
 xconnect 172.25.224.1 9999 encapsulation mpls
end

#show mpls l2transport vc 9999 detail
Local interface: Gi2/2.999 up, line protocol up, Eth VLAN 999 up
  MPLS VC type is Eth VLAN, interworking type is Ethernet
  Destination address: 172.25.224.1, VC ID: 9999, VC status: up
    Output interface: Vl894, imposed label stack {2488 1244}
    Preferred path: not configured
    Default path: active
    Next hop: 85.186.212.133
  Create time: 00:10:07, last status change time: 00:03:49
  Signaling protocol: LDP, peer 172.25.224.1:0 up
    Targeted Hello: 172.25.231.68(LDP Id) -> 172.25.224.1
    MPLS VC labels: local 54, remote 1244
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: TEST_EOMPLS
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 9
    byte totals:   receive 0, send 576
    packet drops:  receive 0, send 0

It seems that on the PE1 side I only receive but do not send any VC frames:

  VC statistics:
    packet totals: receive 4, send 0
    byte totals:   receive 240, send 0
    packet drops:  receive 0, send 0

CE1 is a Juniper and it is learning ARP from the other CE:

show configuration interfaces xe-3/1/0
enable;
flexible-vlan-tagging;
link-mode full-duplex;
encapsulation flexible-ethernet-services;
gigether-options {
    no-auto-negotiation;
}
unit 999 {
    vlan-id 999;
    family inet {
        address 150.1.1.2/30;
    }
}

ping 150.1.1.1 source 150.1.1.2
PING 150.1.1.1 (150.1.1.1): 56 data bytes
^C
--- 150.1.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

{master}
show arp no-resolve | match xe-3/1/0
00:25:45:a5:fe:a2 150.1.1.1       xe-3/1/0.999       none

CE2 is not learning ARP from CE1.

CE2:

interface GigabitEthernet2/2
 description Link to PE2-EOMPLS
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 999
 switchport mode trunk

sh running-config interface vlan 999
Building configuration...

Current configuration : 63 bytes
!
interface Vlan999
 ip address 150.1.1.1 255.255.255.252
end

#ping 150.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

#sh ip arp Vlan999
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  150.1.1.1               -   0016.9c6d.4280  ARPA   Vlan999
Internet  150.1.1.2               0   Incomplete      ARPA

Have you tried such a setup? Could you send me an example?

Thank you,
John

From ioan.branet at gmail.com Wed Feb 17 03:49:48 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 10:49:48 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To:
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com>
Message-ID: <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com>

Hello,

We run EOMPLS in port and vlan mode on GE interfaces, but we did not run EOMPLS vlan mode between 10G and 1G subinterfaces until now.

Any feedback is appreciated.

Thank you,
John

On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson wrote:
> On Wed, 17 Feb 2010, Ioan Branet wrote:
>
> You should answer to the list, answering just to me doesn't make much
> sense.
>
> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't
> remember), or go SRD3 or later.
>
>> Hello,
>>
>> We are running on both PEs the following:
>> sh ver | i IOS
>> Cisco IOS Software, c7600s72033_rp Software
>> (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE SOFTWARE
>> (fc3)
>>
>> 10G card on PE1 is:
>> show module 7
>> Mod Ports Card Type                              Model              Serial No.
>> --- ----- -------------------------------------- ------------------ -----------
>>   7    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL1337YN4W
>>
>> and 1G on PE2 is:
>>
>> ro-sv01a-rd2#show module 2
>> Mod Ports Card Type                              Model              Serial No.
>> --- ----- -------------------------------------- ------------------ -----------
>>   2   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1005CBXG
>>
>> Mod MAC addresses                       Hw    Fw           Sw           Status
>> --- ---------------------------------- ------ ------------ ------------ -------
>>   2  0016.c8c4.fc10 to 0016.c8c4.fc27   2.3   12.2(14r)S5  12.2(33)SRB4 Ok
>>
>> Mod  Sub-Module                  Model              Serial       Hw     Status
>> ---- --------------------------- ------------------ ----------- ------- -------
>>   2  Centralized Forwarding Card WS-F6700-CFC       SAL1014J60S  2.0    Ok
>>
>> Mod  Online Diag Status
>> ---- -------------------
>>   2  Pass
>>
>> Thank you,
>> John
>>
>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson wrote:
>>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>>>
>>>> GE interface between two 7600 as PE.
>>>
>>> You forgot to include what software you're running.
>>>
>>> --
>>> Mikael Abrahamsson    email: swmike at swm.pp.se
>
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

From swmike at swm.pp.se Wed Feb 17 03:53:49 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 17 Feb 2010 09:53:49 +0100 (CET)
Subject: [c-nsp] netiquette
Message-ID:

Since this has now happened to me TWICE in 24 hours, I feel I need to post this because it seems enough people don't know about it:

"Never post private (off-list) correspondence to the list without the permission of the sender."
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From achatz at forthnet.gr Wed Feb 17 04:05:45 2010
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 17 Feb 2010 11:05:45 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com> <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com>
Message-ID: <4B7BB169.1090306@forthnet.gr>

I'm running EoMPLS between a 10GE subif and a 1GE subif without any problem.

7600-a>sh mpls l2 vc 3601

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Gi4/20.3601    Eth VLAN 3601              x.x.x.x         3601       UP


7600-b>sh mpls l2 vc 3601

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Te3/2.3601     Eth VLAN 3601              x.x.x.x         3601       UP


Both 7600s are running SRD3.

--
Tassos

Ioan Branet wrote on 17/02/2010 10:49:
> Hello,
>
> We run EOMPLS in port and vlan mode on GE interfaces, but we did not run
> EOMPLS vlan mode between 10G and 1G subinterfaces until now.
>
> Any feedback is appreciated.
> Thank you,
> John
>
> On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson wrote:
>
>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>>
>> You should answer to the list, answering just to me doesn't make much
>> sense.
>>
>> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't
>> remember), or go SRD3 or later.
>>
>>> Hello,
>>>
>>> We are running on both PEs the following:
>>> sh ver | i IOS
>>> Cisco IOS Software, c7600s72033_rp Software
>>> (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE SOFTWARE
>>> (fc3)
>>>
>>> 10G card on PE1 is:
>>> show module 7
>>> Mod Ports Card Type                              Model              Serial No.
>>> --- ----- -------------------------------------- ------------------ -----------
>>>   7    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL1337YN4W
>>>
>>> and 1G on PE2 is:
>>>
>>> ro-sv01a-rd2#show module 2
>>> Mod Ports Card Type                              Model              Serial No.
>>> --- ----- -------------------------------------- ------------------ -----------
>>>   2   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1005CBXG
>>>
>>> Mod MAC addresses                       Hw    Fw           Sw           Status
>>> --- ---------------------------------- ------ ------------ ------------ -------
>>>   2  0016.c8c4.fc10 to 0016.c8c4.fc27   2.3   12.2(14r)S5  12.2(33)SRB4 Ok
>>>
>>> Mod  Sub-Module                  Model              Serial       Hw     Status
>>> ---- --------------------------- ------------------ ----------- ------- -------
>>>   2  Centralized Forwarding Card WS-F6700-CFC       SAL1014J60S  2.0    Ok
>>>
>>> Mod  Online Diag Status
>>> ---- -------------------
>>>   2  Pass
>>>
>>> Thank you,
>>> John
>>>
>>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson wrote:
>>>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>>>>
>>>>> GE interface between two 7600 as PE.
>>>>
>>>> You forgot to include what software you're running.
>>>>
>>>> --
>>>> Mikael Abrahamsson    email: swmike at swm.pp.se
>>
>> --
>> Mikael Abrahamsson    email: swmike at swm.pp.se
>>

From p.mayers at imperial.ac.uk Wed Feb 17 04:33:36 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 17 Feb 2010 09:33:36 +0000
Subject: [c-nsp] Controlling allowed VLANs, alternatives?
In-Reply-To: <20100216221910.M53040@fast-serv.com>
References: <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com> <20100216.231728.41663379.sthaug@nethelp.no> <20100216221910.M53040@fast-serv.com>
Message-ID: <4B7BB7F0.8060203@imperial.ac.uk>

On 02/16/2010 10:21 PM, Randy McAnally wrote:
> Nothing wrong...it's exactly what I needed.
>
> Long hours of coding make me overlook these kinds of things and I really
> appreciate the added eyes of the community :)

FWIW we define an alias:

alias interface tagvlan switchport trunk allowed vlan add
alias interface detagvlan switchport trunk allowed vlan remove

...and use:

int Gi1/1
 tagvlan 100
 detagvlan 200-299,310

...because forgetting that "add" and "remove" can do really really really bad things...

From marco.regini at ascotlc.it Wed Feb 17 04:37:18 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Wed, 17 Feb 2010 10:37:18 +0100
Subject: [c-nsp] netiquette
References:
Message-ID:

Thanks.

So if I post a question to cisco-nsp at puck.nether.net and tom at gmail.com answers to me directly, I can't reply to the mailing list but only to tom? Even if the message is only about technical stuff?

Marco

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson
Sent: Wednesday 17 February 2010 09:54
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] netiquette

Since this has now happened to me TWICE in 24 hours, I feel I need to post this because it seems enough people don't know about it:

"Never post private (off-list) correspondence to the list without the permission of the sender."
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From ioan.branet at gmail.com Wed Feb 17 04:44:16 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 11:44:16 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <4B7BB169.1090306@forthnet.gr>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com> <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com> <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com> <4B7BB169.1090306@forthnet.gr>
Message-ID: <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com>

Hello,

Maybe there is a bug with the SRB IOS. I still have the VC up on both ends but I can't ping between CE1 and CE2.

On CE1 (Juniper side) I learn the ARP address of the remote CE2 device and receive ARP requests and send ARP replies:

show arp no-resolve | match xe-3/1/0
00:16:9c:6d:42:80 150.1.1.1       xe-3/1/0.999       none

Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22
  Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
  Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
  Device Interface Index Extension TLV #1, length 2, value: 193
  Logical Interface Index Extension TLV #4, length 4, value: 126
  Logical Unit Number Extension TLV #5, length 4, value: 32767
  -----original packet-----
  0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1
11:34:01.878596 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22
  Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
  Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
  Device Interface Index Extension TLV #1, length 2, value: 193
  Logical Interface Index Extension TLV #4, length 4, value: 126
  Logical Unit Number Extension TLV #5, length 4, value: 32767
  -----original packet-----
  0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100), length 46: vlan 999, p 0, ethertype ARP, arp reply 150.1.1.2 is-at 0:21:59:a7:c4:30.

The issue is that I can't upgrade to SRD IOS.

thank you,
John

On Wed, Feb 17, 2010 at 11:05 AM, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
> I'm running EoMPLS between a 10GE subif and a 1GE subif without any problem.
>
> 7600-a>sh mpls l2 vc 3601
>
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Gi4/20.3601    Eth VLAN 3601              x.x.x.x         3601       UP
>
>
> 7600-b>sh mpls l2 vc 3601
>
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Te3/2.3601     Eth VLAN 3601              x.x.x.x         3601       UP
>
>
> Both 7600s are running SRD3.
>
> --
> Tassos
>
> Ioan Branet wrote on 17/02/2010 10:49:
>
>> Hello,
>>
>> We run EOMPLS in port and vlan mode on GE interfaces, but we did not run
>> EOMPLS vlan mode between 10G and 1G subinterfaces until now.
>>
>> Any feedback is appreciated.
>> Thank you,
>> John
>>
>> On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson wrote:
>>
>>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>>>
>>> You should answer to the list, answering just to me doesn't make much
>>> sense.
>>>
>>> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't
>>> remember), or go SRD3 or later.
>>>
>>>> Hello,
>>>>
>>>> We are running on both PEs the following:
>>>> sh ver | i IOS
>>>> Cisco IOS Software, c7600s72033_rp Software
>>>> (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE
>>>> SOFTWARE
>>>> (fc3)
>>>>
>>>> 10G card on PE1 is:
>>>> show module 7
>>>> Mod Ports Card Type                              Model              Serial No.
>>>> --- ----- -------------------------------------- ------------------ >>>> ----------- >>>> 7 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE >>>> SAL1337YN4W >>>> >>>> and 1G on PE2 is: >>>> >>>> >>>> ro-sv01a-rd2#show module 2 >>>> Mod Ports Card Type Model >>>> Serial >>>> No. >>>> --- ----- -------------------------------------- ------------------ >>>> ----------- >>>> 2 24 CEF720 24 port 1000mb SFP WS-X6724-SFP >>>> SAL1005CBXG >>>> >>>> Mod MAC addresses Hw Fw Sw >>>> Status >>>> --- ---------------------------------- ------ ------------ ------------ >>>> ------- >>>> 2 0016.c8c4.fc10 to 0016.c8c4.fc27 2.3 12.2(14r)S5 12.2(33)SRB4 >>>> Ok >>>> >>>> Mod Sub-Module Model Serial Hw >>>> Status >>>> ---- --------------------------- ------------------ ----------- ------- >>>> ------- >>>> 2 Centralized Forwarding Card WS-F6700-CFC SAL1014J60S 2.0 >>>> Ok >>>> >>>> Mod Online Diag Status >>>> ---- ------------------- >>>> 2 Pass >>>> >>>> Thank you, >>>> John >>>> >>>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson >>> >>>> >>>>> wrote: >>>>> >>>>> >>>> On Wed, 17 Feb 2010, Ioan Branet wrote: >>>> >>>> >>>>> GE interface between two 7600 as PE. >>>>> >>>>> >>>>> >>>>>> >>>>>> >>>>> You forgot to include what software you're running. 
>>>>> >>>>> -- >>>>> Mikael Abrahamsson email: swmike at swm.pp.se >>>>> >>>>> >>>>> >>>>> >>>> -- >>> Mikael Abrahamsson email: swmike at swm.pp.se >>> >>> >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From saku at ytti.fi Wed Feb 17 05:07:25 2010 From: saku at ytti.fi (Saku Ytti) Date: Wed, 17 Feb 2010 12:07:25 +0200 Subject: [c-nsp] Controlling allowed VLANs, alternatives? In-Reply-To: <4B7BB7F0.8060203@imperial.ac.uk> References: <20100216205740.GC1822@lboro.ac.uk> <20100216215941.M18122@fast-serv.com> <20100216.231728.41663379.sthaug@nethelp.no> <20100216221910.M53040@fast-serv.com> <4B7BB7F0.8060203@imperial.ac.uk> Message-ID: <20100217100725.GA6481@mx.ytti.net> On (2010-02-17 09:33 +0000), Phil Mayers wrote: > alias interface tagvlan switchport trunk allowed vlan add > alias interface detagvlan switchport trunk allowed vlan remove > ...because forgetting that "add" and "remove" can do really really > really bad things... Agreed. Alternatives are using EEM or TACACS to deny execution of dangerous commands. It is hard to find people who've worked with Cisco switches for few years who haven't made this mistake. Also very common mistake we've denied in TACACS is 'no router isis', people sometimes type that in interface, forgetting the 'ip'. While Cisco does provide rather poor quality software it is still the operator who breaks the network most typically. Hardware faults are far distant 3rd. Yet when we design networks, we concentrate on avoiding downtime from hardware faults. 
-- 
  ++ytti

From swmike at swm.pp.se  Wed Feb 17 05:54:33 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 17 Feb 2010 11:54:33 +0100 (CET)
Subject: [c-nsp] netiquette
In-Reply-To:
References:
Message-ID:

On Wed, 17 Feb 2010, Marco Regini wrote:

> Thanks.
>
> So if I post a question to cisco-nsp at puck.nether.net and tom at gmail.com
> answers me directly, I can't reply to the mailing list but only to Tom?
>
> Even if the message is only about technical stuff?

That is correct. Unless you KNOW for sure that Tom is ok with you posting his reply to the list, you shouldn't do it. What Tom is telling you might be for your eyes only and he doesn't want to share it with the rest of the world, and you might not realise it.

The correct way of handling this is to reply to your own email to the list and supply the new information (if you feel it's not a secret). Then at least the world won't know who said it to you.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From psirt at cisco.com  Wed Feb 17 11:00:00 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 17 Feb 2010 11:00:00 -0500
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent
Message-ID: <201002171100.csa@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent

Advisory ID: cisco-sa-20100217-csa

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability.

Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server hosting the Management Center.

Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause instability of the product or changes in the configuration.

Additionally, the Cisco Security Agent is affected by a denial of service (DoS) vulnerability. Successful exploitation of the Cisco Security Agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition.

These vulnerabilities are independent of each other.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability.

Only Cisco Security Agent release 6.0 is affected by the directory traversal vulnerability.

Only Cisco Security Agent release 5.2 is affected by the DoS vulnerability.

Note: Only the Management Center for Cisco Security Agents is affected by the directory traversal and SQL injection vulnerabilities. The agents installed on user end-points are not affected.

Only Cisco Security Agent release 5.2 for Windows and Linux, either managed or standalone, is affected by the DoS vulnerability.

Standalone agents are installed in the following products:

  * Cisco Unified Communications Manager (CallManager)
  * Cisco Conference Connection (CCC)
  * Emergency Responder
  * IPCC Express
  * IPCC Enterprise
  * IPCC Hosted
  * IP Interactive Voice Response (IP IVR)
  * IP Queue Manager
  * Intelligent Contact Management (ICM)
  * Cisco Voice Portal (CVP)
  * Cisco Unified Meeting Place
  * Cisco Personal Assistant (PA)
  * Cisco Unity
  * Cisco Unity Connection
  * Cisco Unity Bridge
  * Cisco Secure ACS Solution Engine
  * Cisco Internet Service Node (ISN)
  * Cisco Security Manager (CSM)

Note: The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities.

Products Confirmed Not Vulnerable
+--------------------------------

The Sun Solaris version of Cisco Security Agent is not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems. Cisco Security Agents can be standalone agents or can be managed by the Cisco Security Agent Management Center.

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability.

Management Center for Cisco Security Agents Directory Traversal Vulnerability
+----------------------------------------------------------------------------

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability that may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents.

This vulnerability is documented in Cisco Bug ID CSCtd73275 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0146.

Management Center for Cisco Security Agents SQL Injection Vulnerability
+----------------------------------------------------------------------

The Management Center for Cisco Security Agents is also affected by a SQL injection vulnerability that may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. These configuration changes may result in modifications to the security policies of the endpoints. Additionally, an attacker may create, delete, or modify management user accounts that are found in the Management Center for Cisco Security Agents.

This vulnerability is documented in Cisco Bug ID CSCtd73290 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0147.

Cisco Security Agent Denial of Service Vulnerability
+---------------------------------------------------

Cisco Security Agent is affected by a DoS vulnerability that could allow an unauthenticated attacker to cause a system to crash by sending a series of TCP packets.

Note: Only Cisco Security Agent release 5.2 is affected by the DoS vulnerability. The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities.

This vulnerability is documented in Cisco Bug ID CSCtb89870 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0148.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

CSCtd73275 - Directory Traversal in the Management Center for Cisco Security Agents

CVSS Base Score - 6.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          Single
    Confidentiality Impact -  Complete
    Integrity Impact -        None
    Availability Impact -     None

CVSS Temporal Score - 5.9
    Exploitability -          High
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

CSCtd73290 - Management Center for Cisco Security Agents: SQL Injection

CVSS Base Score - 9
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          Single
    Confidentiality Impact -  Complete
    Integrity Impact -        Complete
    Availability Impact -     Complete

CVSS Temporal Score - 7.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

CSCtb89870 - Kernel Panic When Receiving Certain TCP Packets

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Impact
======

Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents.
Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration.

Successful exploitation of the Cisco Security Agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

+-----------------------------------------------------+
|               |  Cisco   |   First    |             |
| Vulnerability | Security |   Fixed    | Recommended |
|               |  Agent   |  Version   |   Release   |
|               | Release  |            |             |
|---------------+----------+------------+-------------|
|               |   5.1    |    Not     |     Not     |
|               |          | vulnerable | vulnerable  |
| Directory     |----------+------------+-------------|
| Traversal     |   5.2    |    Not     |     Not     |
| Vulnerability |          | vulnerable | vulnerable  |
|               |----------+------------+-------------|
|               |   6.0    | 6.0.1.132  |  6.0.1.132  |
|---------------+----------+------------+-------------|
|               |   5.1    | 5.1.0.117  |  5.1.0.117  |
| SQL Injection |----------+------------+-------------|
| Vulnerability |   5.2    | 5.2.0.296  |  5.2.0.296  |
|               |----------+------------+-------------|
|               |   6.0    | 6.0.1.132  |  6.0.1.132  |
|---------------+----------+------------+-------------|
|               |   5.1    |    Not     |  5.1.0.117  |
|               |          | vulnerable |             |
| Denial of     |----------+------------+-------------|
| Service       |   5.2    | 5.2.0.285  |  5.2.0.296  |
| Vulnerability |----------+------------+-------------|
|               |   6.0    |    Not     |  6.0.1.132  |
|               |          | vulnerable |             |
+-----------------------------------------------------+

Cisco CSA software can be downloaded from the following link:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206

Workarounds
===========

There are no workarounds available to mitigate these vulnerabilities.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100217-csa.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

The directory traversal and SQL injection vulnerabilities were discovered and reported to Cisco by Gabriele Giuseppini from Cigital. Cisco PSIRT appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.

The DoS vulnerability was found during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2010-February-17 | Initial public release.  |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----

iD8DBQFLew9U86n/Gc8U/uARAifvAJ9oLuXJY6iy962givBVY7701k4ktACfa3wK
O9O+Q4F1alHxm6CIbUIXkUs=
=+hka
-----END PGP SIGNATURE-----

From ioan.branet at gmail.com  Wed Feb 17 11:01:42 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 18:01:42 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com>
 <257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com>
 <257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com>
 <4B7BB169.1090306@forthnet.gr>
 <257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com>
Message-ID: <257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com>

Hello,

I tried with a Cisco 7600 as CE instead of the Juniper and it works; I have to find out what is wrong there.
Thank you for your help,

Regards,
John

---------- Forwarded message ----------
From: Ioan Branet
Date: Wed, Feb 17, 2010 at 11:44 AM
Subject: Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
To: Tassos Chatzithomaoglou
Cc: cisco-nsp at puck.nether.net

From psirt at cisco.com  Wed Feb 17 11:33:35 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 17 Feb 2010 11:33:35 -0500
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
Message-ID: <201002171134.asa@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple
Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances Advisory ID: cisco-sa-20100217-asa Revision 1.0 For Public Release 2010 February 17 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities: * TCP Connection Exhaustion Denial of Service Vulnerability * Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities * Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability * Crafted TCP Segment Denial of Service Vulnerability * Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability * NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others. There are workarounds for some of the vulnerabilities disclosed in this advisory. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml. Affected Products ================= Vulnerable Products +------------------ Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. For specific version information, refer to the "Software Versions and Fixes" section of this advisory. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) that can be triggered through the receipt of specific TCP segments during the TCP connection termination phase. 
Appliances that are running versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they are configured for any of the following features: * SSL VPNs * Cisco Adaptive Security Device Manager (ASDM) Administrative Access * Telnet Access * SSH Access * Virtual Telnet * Virtual HTTP * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Two denial of service (DoS) vulnerabilities affect the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- A denial of service vulnerability affects the SCCP inspection feature of the Cisco ASA 5500 Series Adaptive Security Appliances. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the "show service-policy | include skinny" command and confirm that some output is returned. 
Sample output is displayed in the following example: ciscoasa#show service-policy | include skinny Inspect: skinny , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SCCP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect skinny ... ! service-policy global_policy global WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ Cisco ASA 5500 Series Adaptive Security Appliances are affected by a denial of service vulnerability that exists when WebVPN and DTLS are enabled. Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x. Administrators can enable WebVPN with the "enable " command in "webvpn" configuration mode. DTLS can be enabled by issuing the "svc dtls enable" command in "group policy webvpn" configuration mode. The following configuration snippet provides an example of a WebVPN configuration that enables DTLS: webvpn enable outside svc enable ... ! group-policy internal group-policy attributes ... webvpn svc dtls enable ... Altough WebVPN is disabled by default, DTLS is enabled by default in recent software releases. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances are affected by a denial of service vulnerability that can be triggered by a malformed TCP segment that transits the appliance. This vulnerability only affects configurations that use the "nailed" option at the end of their static statement. Additionally, traffic that matches "static" statement must also be inspected by a Cisco AIP-SSM (an Intrusion Prevention System (IPS) module) in inline mode. IPS inline operation mode is enabled by using the "ips inline {fail-close | fail-open}" command in "class" configuration mode. 
Cisco ASA 5500 Series Adaptive Security Appliances that are running software versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

A crafted IKE message that is sent through an IPsec tunnel that terminates on a Cisco ASA 5500 Series Adaptive Security Appliance could cause all IPsec tunnels that terminate on the same device to be torn down. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. IKE is not enabled by default. If IKE is enabled, the "isakmp enable " command appears in the configuration.

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

An authentication bypass vulnerability affects Cisco ASA 5500 Series Adaptive Security Appliances when NTLMv1 authentication is configured. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. Administrators can configure NTLMv1 authentication by defining an Authentication, Authorization, and Accounting (AAA) server group that uses the NTLMv1 protocol with the "aaa-server protocol nt" command and then configuring a service that requires authentication to use that AAA server group. To verify that NTLMv1 authentication is enabled and active, issue the "show aaa-server protocol nt" command.
Sample output is displayed in the following example:

    ciscoasa#show aaa-server protocol nt
    Server Group:    test
    Server Protocol: nt
    Server Address:  192.168.10.11
    Server port:     139
    Server status:   ACTIVE, Last transaction (success) at 11:10:08 UTC Fri Jan 29

Cisco PIX 500 Series Security Appliance Vulnerability Status
+-----------------------------------------------------------

Cisco PIX 500 Series Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* SIP Inspection Denial of Service Vulnerabilities
* SCCP Inspection Denial of Service Vulnerability
* Crafted IKE Message Denial of Service Vulnerability
* NTLMv1 Authentication Bypass Vulnerability

Because the Cisco PIX 500 Series Security Appliances reached End of Software Maintenance Releases on July 28, 2009, no further software releases will be available for the Cisco PIX 500 Series Security Appliances. Cisco PIX 500 Series Security Appliances customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive Security Appliances or to implement any applicable workarounds that are listed in the "Workarounds" section of this advisory. Fixed software is available for the Cisco ASA 5500 Series Adaptive Security Appliances. For more information, refer to the End of Life announcement at:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html

How To Determine The Running Software Version
+--------------------------------------------

To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command-line interface (CLI) command.
The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.0(4):

    ASA#show version
    Cisco Adaptive Security Appliance Software Version 8.0(4)
    Device Manager Version 6.0(1)

Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window.

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco Firewall Services Module (FWSM) is affected by some of the vulnerabilities in this advisory. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml.

With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security and VPN services. It offers firewall, intrusion prevention (IPS), anti-X, and VPN services.

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) when specific TCP segments are received during the TCP connection termination phase. This vulnerability is triggered only when specific TCP segments are sent to certain TCP-based services that terminate on the affected appliance. Although exploitation of this vulnerability requires a TCP three-way handshake, authentication is not required.

This vulnerability is documented in Cisco bug ID CSCsz77717 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0149.
SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by two denial of service vulnerabilities that may cause an appliance to reload during the processing of SIP messages. Appliances are only vulnerable when SIP inspection is enabled. Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities.

These vulnerabilities are documented in Cisco bug IDs CSCsy91157 and CSCtc96018, and have been assigned CVE IDs CVE-2010-0150 and CVE-2010-0569, respectively.

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a vulnerability that may cause the appliance to reload during the processing of a malformed skinny control message. Appliances are only vulnerable when SCCP inspection is enabled. Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger the vulnerability.

This vulnerability is documented in Cisco bug ID CSCsz79757 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0151.

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a vulnerability that may cause the appliance to reload when a malformed DTLS message is sent to the DTLS port (by default UDP port 443). Appliances are only vulnerable when they are configured for WebVPN and DTLS transport. This vulnerability is only triggered by traffic that is destined to the appliance; transit traffic will not trigger the vulnerability.

This vulnerability is documented in Cisco bug ID CSCtb64913 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0565.
Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a vulnerability that may cause an appliance to reload when all of the following conditions are met:

1. A malformed, transit TCP segment is received.
2. The TCP segment matches a static NAT translation that has the "nailed" option configured on it.
3. The TCP segment is also processed by the Cisco AIP-SSM, which is configured for inline mode of operation.

A TCP three-way handshake is not necessary to exploit this vulnerability.

This vulnerability is documented in Cisco bug ID CSCtb37219 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0566.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances contain a vulnerability that may cause all IPsec tunnels terminating on the appliance to be torn down and prevent new tunnels from being established. The tunnels are not torn down immediately; IPsec traffic will continue to flow until the next rekey, at which time the rekey will fail and the tunnels will be torn down. Both site-to-site and remote access VPN tunnels are affected. The vulnerability is triggered when the appliance processes a malformed IKE message on UDP port 4500 that traverses an existing IPsec tunnel. The only way to recover and re-establish IPsec VPN tunnels is to reload the appliance.

When this vulnerability is exploited, the security appliance will generate syslog messages 713903 and 713906, which will be followed by the loss of IPsec peers.

This vulnerability is documented in Cisco bug ID CSCtc47782 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0567.
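The two syslog message IDs named above give a defender something concrete to watch for. The following Python is an added example written for this page, not part of the advisory or of any Cisco tool: it picks ASA syslog lines by their "%ASA-<severity>-<id>:" tag, keeps only 713903 and 713906, groups them by the peer named in the IKE "Group = ..., IP = ..." field, and lists the peers that produced both IDs first. The sample log lines are constructed; only the two message IDs come from the advisory, and the severity digits, the "IP = " field layout and the message text after each ID are assumptions of this example.

```python
import re
from collections import defaultdict

# Syslog message IDs the advisory names as the sign that the rekey failed.
IKE_REKEY_IDS = {"713903", "713906"}

# ASA syslog tag "%ASA-<severity>-<message id>:"; the severity digit is not
# asserted because the advisory gives only the message IDs.
TAG_RE = re.compile(r"%ASA-\d-(\d{6}):")
# ASA IKE messages are assumed to carry "Group = ..., IP = <peer>, ...".
PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")


def rekey_failure_events(log_text):
    """(peer_ip_or_None, message_id) for every line carrying one of the IDs."""
    events = []
    for line in log_text.splitlines():
        tag = TAG_RE.search(line)
        if not tag or tag.group(1) not in IKE_REKEY_IDS:
            continue
        peer = PEER_RE.search(line)
        events.append((peer.group(1) if peer else None, tag.group(1)))
    return events


def ids_by_peer(log_text):
    """Map each peer to the set of advisory message IDs it produced."""
    seen = defaultdict(set)
    for peer, msg_id in rekey_failure_events(log_text):
        seen[peer or "unknown"].add(msg_id)
    return dict(seen)


def suspect_peers(log_text):
    """Peers to investigate, those that logged both IDs first: the advisory
    says the pair is followed by the loss of IPsec peers."""
    seen = ids_by_peer(log_text)
    return sorted(seen, key=lambda p: (-len(seen[p]), p))


# Constructed sample log. Only the IDs 713903/713906 and the "Group = ..., IP = ..."
# layout follow the ASA convention; the rest of each line is made up for this example.
CONSTRUCTED_SYSLOG = """\
Feb 17 2010 16:00:01 asa1 %ASA-6-302015: Built outbound UDP connection 12 for outside:198.51.100.7/500 (198.51.100.7/500) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 17 2010 16:00:07 asa1 %ASA-3-713903: Group = 172.16.0.1, IP = 172.16.0.1, IKE rekey processing failed (constructed text)
Feb 17 2010 16:00:07 asa1 %ASA-3-713906: Group = 172.16.0.1, IP = 172.16.0.1, rekey negotiation aborted (constructed text)
Feb 17 2010 16:00:09 asa1 %ASA-5-713050: Group = 198.51.100.7, IP = 198.51.100.7, Connection terminated for peer 198.51.100.7 (constructed text)
Feb 17 2010 16:00:12 asa1 %ASA-3-713903: Group = 198.51.100.7, IP = 198.51.100.7, IKE rekey processing failed (constructed text)
"""

if __name__ == "__main__":
    for peer in suspect_peers(CONSTRUCTED_SYSLOG):
        print(peer, sorted(ids_by_peer(CONSTRUCTED_SYSLOG)[peer]))
```

A single 713903 from one peer can be an ordinary rekey problem; the pair from the same peer, followed by other peers dropping, is the pattern the advisory describes, so an alert rule should key on the pair and on peer loss across the whole device rather than on one message.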
NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances contain a vulnerability that could result in authentication bypass when the affected appliance is configured to authenticate users against Microsoft Windows servers using the NTLMv1 protocol. Users can bypass authentication by providing an invalid, crafted username during an authentication request. Any service that uses a AAA server group that is configured to use the NTLMv1 authentication protocol is affected. Affected services include:

* Telnet access to the security appliance
* SSH access to the security appliance
* HTTPS access to the security appliance (including Cisco ASDM access)
* Serial console access
* Privileged (enable) mode access
* Cut-through proxy for network access
* VPN access

This vulnerability is documented in Cisco bug ID CSCte21953 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0568.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss
TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

* CSCsz77717 ("TCP sessions remain in CLOSEWAIT indefinitely")

CVSS Base Score - 7.1
    Access Vector -           Network
    Access Complexity -       Medium
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 5.9
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

* CSCsy91157 ("Watchdog when inspecting malformed SIP traffic")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

* CSCtc96018 ("ASA watchdog when inspecting malformed SIP traffic")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

* CSCsz79757 ("Traceback - Thread Name: Dispatch Unit with skinny inspect enabled")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

* CSCtb64913 ("WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

* CSCtb37219 ("Traceback in Dispatch Unit AIP-SSM Inline and nailed option on static")

CVSS Base Score - 7.1
    Access Vector -           Network
    Access Complexity -       Medium
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 5.9
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

* CSCtc47782 ("Malformed IKE traffic causes rekey to fail")

CVSS Base Score - 5.0
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Partial

CVSS Temporal Score - 4.1
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

* CSCte21953 ("ASA may allow authentication of an invalid username for NT auth")

CVSS Base Score - 7.1
    Access Vector -           Network
    Access Complexity -       Medium
    Authentication -          None
    Confidentiality Impact -  Complete
    Integrity Impact -        None
    Availability Impact -     None

CVSS Temporal Score - 6.2
    Exploitability -          High
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Impact
======

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

Successful exploitation of this vulnerability may lead to an exhaustion condition where the affected appliance cannot accept new TCP connections.
A reload of the appliance is necessary to recover from the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (like telnet, SSH, or HTTPS), a serial console connection may be needed to access the appliance.

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

Successful exploitation of these vulnerabilities may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.

Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

Successful exploitation of this vulnerability could cause all IPsec VPN tunnels (LAN-to-LAN or remote) that terminate on the security appliance to be torn down and prevent new tunnels from being established. A manual reload of the appliance is required to re-establish all VPN tunnels.

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

Successful exploitation of this vulnerability could result in unauthorized access to the network or appliance.
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

The following table contains the first fixed software release of each vulnerability. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable.

+----------------------------------------------+---------+----------------------+
| Vulnerability                                | Major   | First Fixed          |
|                                              | Release | Release              |
+----------------------------------------------+---------+----------------------+
| TCP Connection Exhaustion Denial of Service  | 7.0     | Not affected         |
| Vulnerability (CSCsz77717)                   | 7.2     | 7.2(4.46)            |
|                                              | 8.0     | 8.0(4.38)            |
|                                              | 8.1     | 8.1(2.29)            |
|                                              | 8.2     | 8.2(1.5)             |
+----------------------------------------------+---------+----------------------+
| SIP Inspection Denial of Service             | 7.0     | 7.0(8.10)            |
| Vulnerabilities (CSCsy91157 and CSCtc96018)  | 7.2     | 7.2(4.45)            |
|                                              | 8.0     | 8.0(5.2)             |
|                                              | 8.1     | 8.1(2.37)            |
|                                              | 8.2     | 8.2(1.16)            |
+----------------------------------------------+---------+----------------------+
| SCCP Inspection Denial of Service            | 7.0     | Not affected         |
| Vulnerability (CSCsz79757)                   | 7.2     | Not affected         |
|                                              | 8.0     | 8.0(4.38)            |
|                                              | 8.1     | 8.1(2.29)            |
|                                              | 8.2     | 8.2(1.2)             |
+----------------------------------------------+---------+----------------------+
| WebVPN DTLS Denial of Service Vulnerability  | 7.0     | Not affected         |
| (CSCtb64913)                                 | 7.2     | 7.2(4.45)            |
|                                              | 8.0     | 8.0(4.44)            |
|                                              | 8.1     | 8.1(2.35)            |
|                                              | 8.2     | 8.2(1.10)            |
+----------------------------------------------+---------+----------------------+
| Crafted TCP Segment Denial of Service        | 7.0     | 7.0(8.10)            |
| Vulnerability (CSCtb37219)                   | 7.2     | 7.2(4.45)            |
|                                              | 8.0     | 8.0(4.44)            |
|                                              | 8.1     | 8.1(2.35)            |
|                                              | 8.2     | 8.2(1.10)            |
+----------------------------------------------+---------+----------------------+
| Crafted IKE Message Denial of Service        | 7.0     | 7.0(8.10)            |
| Vulnerability (CSCtc47782)                   | 7.2     | 7.2(4.45)            |
|                                              | 8.0     | 8.0(5.1)             |
|                                              | 8.1     | 8.1(2.37)            |
|                                              | 8.2     | 8.2(1.15)            |
+----------------------------------------------+---------+----------------------+
| NTLMv1 Authentication Bypass                 | 7.0     | 7.0(8.10)            |
| Vulnerability (CSCte21953)                   | 7.2     | 7.2(4.45)            |
|                                              | 8.0     | 8.0(5.7)             |
|                                              | 8.1     | 8.1(2.40), available |
|                                              |         | early March 2010     |
|                                              | 8.2     | 8.2(2.1)             |
+----------------------------------------------+---------+----------------------+

Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Refer to the EOL/EOS for the Cisco ASA 5500 Series Adaptive Security Appliance Software v7.1 notice for further information.
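The per-vulnerability checks given earlier ("show version", the "inspect sip" / "inspect skinny" / "svc dtls enable" / "isakmp enable" / "aaa-server ... protocol nt" configuration lines) and the first-fixed table above can be combined into one assessment. The following Python is an added example written for this page, not Cisco's own tooling: it transcribes the table, parses an ASA version string of the form major.minor(maintenance.interim), and scans a running-config excerpt for the feature each vulnerability needs before reporting a bug ID as applicable. The feature line patterns, the constructed sample configuration (RFC 5737 addresses), and the treatment of 7.1.x as affected with no fixed release are assumptions of this example.

```python
import re

NO_FIX = "no fixed release"  # 7.1.x: affected, but no fixed 7.1 release is planned

# First fixed release per Cisco bug ID and major release, transcribed from the
# advisory's table. None means "Not affected". The 7.1 entries follow the
# per-vulnerability "affected versions" lists in the advisory text.
FIRST_FIXED = {
    "CSCsz77717": {"7.0": None, "7.1": NO_FIX, "7.2": "7.2(4.46)", "8.0": "8.0(4.38)", "8.1": "8.1(2.29)", "8.2": "8.2(1.5)"},
    "CSCsy91157": {"7.0": "7.0(8.10)", "7.1": NO_FIX, "7.2": "7.2(4.45)", "8.0": "8.0(5.2)", "8.1": "8.1(2.37)", "8.2": "8.2(1.16)"},
    "CSCtc96018": {"7.0": "7.0(8.10)", "7.1": NO_FIX, "7.2": "7.2(4.45)", "8.0": "8.0(5.2)", "8.1": "8.1(2.37)", "8.2": "8.2(1.16)"},
    "CSCsz79757": {"7.0": None, "7.1": None, "7.2": None, "8.0": "8.0(4.38)", "8.1": "8.1(2.29)", "8.2": "8.2(1.2)"},
    "CSCtb64913": {"7.0": None, "7.1": NO_FIX, "7.2": "7.2(4.45)", "8.0": "8.0(4.44)", "8.1": "8.1(2.35)", "8.2": "8.2(1.10)"},
    "CSCtb37219": {"7.0": "7.0(8.10)", "7.1": NO_FIX, "7.2": "7.2(4.45)", "8.0": "8.0(4.44)", "8.1": "8.1(2.35)", "8.2": "8.2(1.10)"},
    "CSCtc47782": {"7.0": "7.0(8.10)", "7.1": NO_FIX, "7.2": "7.2(4.45)", "8.0": "8.0(5.1)", "8.1": "8.1(2.37)", "8.2": "8.2(1.15)"},
    "CSCte21953": {"7.0": "7.0(8.10)", "7.1": NO_FIX, "7.2": "7.2(4.45)", "8.0": "8.0(5.7)", "8.1": "8.1(2.40)", "8.2": "8.2(2.1)"},
}

# Running-config evidence that the triggering feature is in use. Every pattern
# in a list must match some config line (re.match, so anchored at line start).
# These are simplified patterns assumed for this example, not Cisco's own check.
FEATURE_PATTERNS = {
    "CSCsz77717": [r"(ssh|telnet|http) \d|http server enable| enable \S+$|tls-proxy|virtual (telnet|http)"],
    "CSCsy91157": [r"\s*inspect sip\b"],
    "CSCtc96018": [r"\s*inspect sip\b"],
    "CSCsz79757": [r"\s*inspect skinny\b"],
    "CSCtb64913": [r"webvpn$", r" enable \S+$", r"\s*svc dtls enable$"],
    "CSCtb37219": [r"static .*\bnailed\b", r"\s*ips inline\b"],
    "CSCtc47782": [r"(crypto )?isakmp enable\b"],
    "CSCte21953": [r"aaa-server \S+ protocol nt\b"],
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")


def parse_version(text):
    """Turn '8.0(4.38)' or a whole 'show version' line into (8, 0, 4, 38)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA version found in %r" % text)
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_vulnerable(running, bug_id):
    """True if the running version predates the first fixed release (or no fix
    exists), False if fixed or the major release is not affected, None if the
    major release is outside the advisory's table."""
    v = parse_version(running)
    row = FIRST_FIXED[bug_id]
    key = "%d.%d" % v[:2]
    if key not in row:
        return None
    fixed = row[key]
    if fixed is None:
        return False
    if fixed == NO_FIX:
        return True
    return v < parse_version(fixed)


def feature_in_use(config, bug_id):
    """All of the bug's patterns must match at least one config line."""
    lines = config.splitlines()
    return all(any(re.match(p, ln) for ln in lines) for p in FEATURE_PATTERNS[bug_id])


def assess(running, config):
    """Bug IDs the device is exposed to: vulnerable version AND feature present."""
    return sorted(b for b in FIRST_FIXED
                  if is_vulnerable(running, b) and feature_in_use(config, b))


# Constructed running-config excerpt (RFC 5737 addresses), not from a real device.
CONSTRUCTED_CONFIG = """\
hostname ciscoasa
http server enable
http 192.0.2.0 255.255.255.0 inside
ssh 192.0.2.0 255.255.255.0 inside
aaa-server NTDOM protocol nt
aaa-server NTDOM (inside) host 192.0.2.11
crypto isakmp enable outside
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect sip
  inspect skinny
  no inspect h323
!
service-policy global_policy global
webvpn
 enable outside
 svc enable
group-policy VPNPOL internal
group-policy VPNPOL attributes
 webvpn
  svc dtls enable
"""

if __name__ == "__main__":
    for ver in ("8.0(4)", "8.0(5.9)"):
        print(ver, "exposed to:", assess(ver, CONSTRUCTED_CONFIG) or "nothing in this advisory")
```

With the constructed configuration, the 8.0(4) appliance from the "show version" example is exposed to everything except the crafted TCP segment issue (no "nailed" static with inline IPS), while 8.0(5.9), one of the recommended releases, is exposed to none of them. A None result from is_vulnerable means the major release is not in the table and needs manual review.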
Fixed Cisco ASA Software can be downloaded from:

http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2

Recommended Releases
+-------------------

Releases 7.0(8.10), 7.2(4.46), 8.0(5.9), 8.1(2.40) (available early March 2010), and 8.2(2.4) are recommended releases because they contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases.

Workarounds
===========

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

It is possible to mitigate this vulnerability for TCP-based services that are offered to known clients. For example, it may be possible to restrict SSH, Cisco ASDM/HTTPS, and Telnet administrative access to known hosts or IP subnetworks. For other services like remote access SSL VPN, where clients connect from unknown hosts and networks, no mitigations exist.

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

These vulnerabilities can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration.

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

This vulnerability can be mitigated by disabling SCCP inspection if it is not required. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration sub-mode within the policy-map configuration.

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

This vulnerability can be mitigated by disabling DTLS transport for WebVPN. Administrators can disable DTLS by issuing the "no svc dtls enable" command under the "webvpn" attributes section of the corresponding group policy.
Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

Possible workarounds for this vulnerability are the following:

* Migrate from "nailed" static NAT entries to TCP-state bypass.
* Use the Cisco AIP-SSM in promiscuous mode. This mode can be configured by issuing the "ips promiscuous" command in "class" configuration mode.
* Disable IPS inspection for "nailed" static NAT entries.
* If possible, change "nailed" static NAT entries to standard static NAT entries.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

A workaround for this vulnerability is to prevent UDP port 4500 traffic from ever traversing IPsec tunnels terminating on the Cisco ASA 5500 Series Adaptive Security Appliance. This may be feasible since in most cases there is no need for allowing IPsec tunnels inside IPsec tunnels. Filtering out UDP port 4500 traffic across an IPsec tunnel can be accomplished by using a VPN filter, as shown in the following example:

    !-- Deny only UDP port 4500 traffic and allow everything else
    access-list VPNFILTER extended deny udp any any eq 4500
    access-list VPNFILTER extended permit ip any any

    !-- Create a group policy and specify a VPN filter that uses the
    !-- previous ACL
    group-policy VPNPOL internal
    group-policy VPNPOL attributes
     vpn-filter value VPNFILTER

    !-- Reference the group policy with the VPN filter from the tunnel group
    tunnel-group 172.16.0.1 type ipsec-l2l
    tunnel-group 172.16.0.1 general-attributes
     default-group-policy VPNPOL

For this workaround to be effective, the group policy needs to be applied to all site-to-site (tunnel type "ipsec-l2l") and remote access (tunnel type "ipsec-ra") tunnel groups.

Warning: In addition to filtering out IKE traffic on UDP port 4500, this workaround may also affect other protocols like DNS and SNMP that send traffic on UDP port 4500. For example, if a DNS resolver sends traffic from UDP port 4500 to a DNS server, the response from the DNS server will be destined to UDP port 4500, which then may be filtered out by the filter used in this workaround.

For a more comprehensive example of the VPN filter feature of the Cisco ASA 5500 Series Adaptive Security Appliances, refer to the whitepaper "PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access" available at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

In addition, if the security appliance does not terminate any tunnels, the vulnerability can be mitigated by disabling IKE by issuing the "no isakmp enable " command.

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

If NTLMv1 authentication is required, there are no workarounds for this vulnerability. If NTLMv1 authentication can be substituted by other authentication protocols (LDAP, RADIUS, TACACS+, etc.), it is possible to mitigate the vulnerability.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.
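Returning to the Crafted IKE Message workaround above: the VPN filter only helps if every "ipsec-l2l" and "ipsec-ra" tunnel group ends up with a group policy that carries it, which is easy to miss on an appliance with many tunnel groups. The following Python is an added example written for this page, not Cisco's own tooling. It reads a running-config excerpt and reports the IPsec tunnel groups whose effective group policy does not apply a vpn-filter ACL containing a "deny udp any any eq 4500" entry. It assumes a tunnel group without an explicit default-group-policy inherits DfltGrpPolicy; the sample configuration is constructed and extends the advisory's snippet with extra tunnel groups.

```python
import re

DEFAULT_POLICY = "DfltGrpPolicy"          # policy a tunnel group inherits when none is set
IPSEC_TYPES = {"ipsec-l2l", "ipsec-ra"}   # tunnel types the advisory says must be covered


def parse_vpn_filter_state(config):
    """Collect the pieces of the workaround from a running config: ACLs that
    deny UDP 4500, the vpn-filter of each group policy, and the type and
    default-group-policy of each tunnel group."""
    acls_denying_4500 = set()
    policy_filter = {}
    tg_type = {}
    tg_policy = {}
    block = None  # (kind, name) of the attributes sub-mode being read
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended deny udp any any eq 4500\b", line)
        if m:
            acls_denying_4500.add(m.group(1))
            continue
        m = re.match(r"tunnel-group (\S+) type (\S+)", line)
        if m:
            tg_type[m.group(1)] = m.group(2)
            continue
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            block = ("gp", m.group(1))
            continue
        m = re.match(r"tunnel-group (\S+) general-attributes", line)
        if m:
            block = ("tg", m.group(1))
            continue
        if not line.startswith(" "):
            block = None  # any other top-level command ends the sub-mode
            continue
        m = re.match(r"\s+vpn-filter value (\S+)", line)
        if m and block and block[0] == "gp":
            policy_filter[block[1]] = m.group(1)
        m = re.match(r"\s+default-group-policy (\S+)", line)
        if m and block and block[0] == "tg":
            tg_policy[block[1]] = m.group(1)
    return acls_denying_4500, policy_filter, tg_type, tg_policy


def unprotected_tunnel_groups(config):
    """IPsec tunnel groups whose effective group policy does not apply a
    vpn-filter that denies UDP 4500. An empty list means the workaround
    covers every site-to-site and remote access tunnel group."""
    acls, policy_filter, tg_type, tg_policy = parse_vpn_filter_state(config)
    missing = []
    for name, kind in tg_type.items():
        if kind not in IPSEC_TYPES:
            continue
        policy = tg_policy.get(name, DEFAULT_POLICY)
        if policy_filter.get(policy) not in acls:
            missing.append(name)
    return sorted(missing)


# Constructed configuration: the advisory's snippet plus two tunnel groups the
# workaround does not reach (a second L2L peer on another policy, and a
# remote access group left on the default policy).
CONSTRUCTED_VPN_CONFIG = """\
access-list VPNFILTER extended deny udp any any eq 4500
access-list VPNFILTER extended permit ip any any
group-policy VPNPOL internal
group-policy VPNPOL attributes
 vpn-filter value VPNFILTER
group-policy SALES internal
group-policy SALES attributes
 vpn-tunnel-protocol ipsec
tunnel-group 172.16.0.1 type ipsec-l2l
tunnel-group 172.16.0.1 general-attributes
 default-group-policy VPNPOL
tunnel-group 172.16.0.2 type ipsec-l2l
tunnel-group 172.16.0.2 general-attributes
 default-group-policy SALES
tunnel-group REMOTE type ipsec-ra
tunnel-group REMOTE general-attributes
 address-pool RAPOOL
tunnel-group DefaultWEBVPNGroup type webvpn
"""

if __name__ == "__main__":
    print("tunnel groups still missing the UDP 4500 filter:",
          unprotected_tunnel_groups(CONSTRUCTED_VPN_CONFIG))
```

Only the tunnel group from the advisory's snippet is covered in the sample; the second site-to-site peer and the remote access group are reported, and the WebVPN group is ignored because it is not an IPsec tunnel type. The same check can be re-run after every change to confirm the filter has not been dropped from a policy.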
Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of any of the vulnerabilities described in this advisory.

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

This vulnerability was discovered during the resolution of a customer service request.

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

CSCsy91157 was discovered during internal testing. CSCtc96018 was discovered during the resolution of customer service requests.

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

This vulnerability was discovered during the resolution of customer service requests.

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

This vulnerability was discovered during the resolution of customer service requests.

Crafted TCP Segment Denial of Service Vulnerability
+--------------------------------------------------

This vulnerability was discovered during internal testing.

Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------

This vulnerability was discovered during the resolution of customer service requests.

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

This vulnerability was discovered during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+-----------------------------------------------------------+
| Revision 1.0 | 2010-February-17 | Initial public release. |
+-----------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2010 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Feb 17, 2010                                Document ID: 111485

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkt8GTYACgkQ86n/Gc8U/uBi6QCfYFKvAUdFrRvusqKoaFmMwfcH
XOYAnRymbNOcRg5gmPFMO/zqgm2wOyKQ
=JUg3
-----END PGP SIGNATURE-----

From psirt at cisco.com Wed Feb 17 11:51:25 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 17 Feb 2010 11:51:25 -0500
Subject: [c-nsp] Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
Message-ID: <201002171200.fwsm@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

Advisory ID: cisco-sa-20100217-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. The vulnerability exists when SCCP inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

All non-fixed 4.x versions of Cisco FWSM Software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default.
To check if SCCP inspection is enabled, issue the "show service-policy |
include skinny" command and confirm that the command returns output.
Example output follows:

    fwsm#show service-policy | include skinny
          Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a configuration
similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

To determine the version of Cisco FWSM Software that is running, issue the
"show module" command-line interface (CLI) command from Cisco IOS Software
or Cisco Catalyst Operating System Software to identify what modules and
submodules are installed on the system. The following example shows a
system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2:

    switch>show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
      3  0014.a90c.9956 to 0014.a90c.995d   5.0   7.2(1)       5.1(6)E1     Ok
      4  0014.a90c.66e6 to 0014.a90c.66ed   1.7   4.2(3)                    Ok
      5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(18)SXF1 Ok
    [...]

After locating the correct slot, issue the "show module <slot>" command to
identify the software version that is running. Example output follows:

    switch>show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
    [...]

The preceding example shows that the FWSM is running software version
3.2(2)10 as indicated by the column under "Sw."

Note: Recent versions of Cisco IOS Software will show the software version
of each module in the output from the "show module" command; therefore,
executing the "show module <slot>" command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco
Catalyst 6500 Series Switches to operate as a single logical virtual
switch, the "show module switch all" command can display the software
version of all FWSMs that belong to switch 1 and switch 2. The output from
this command will be similar to the output from the "show module <slot>"
command but will include module information for the modules in each switch
in the VSS.

Alternatively, version information can be obtained directly from the FWSM
through the "show version" command. Example output follows:

    FWSM> show version
    FWSM Firewall Version 3.2(2)10
    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to
manage their devices can find the version of the software displayed in the
table in the login window or in the upper left corner of the ASDM window.
The version notation is similar to the following example.

    FWSM Version: 3.2(2)10

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
vulnerability in this advisory. A separate Cisco Security Advisory has
been published to disclose this and other vulnerabilities that affect the
Cisco ASA 5500 Series Adaptive Security Appliances.
The advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml

With the exception of Cisco ASA 5500 Series Adaptive Security Appliances,
no other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

The Cisco FWSM is a high-speed, integrated firewall module for Cisco
Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM
offers firewall services with stateful packet filtering and deep packet
inspection.

The Cisco FWSM is affected by a vulnerability that may cause the device to
reload during the processing of a malformed SCCP message when SCCP
inspection is enabled. This vulnerability is only triggered by transit
traffic; traffic that is destined to the device does not trigger this
vulnerability.

This issue is documented in Cisco bug ID CSCtb60485 and has been assigned
Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0151.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on
the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.
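As an added example (not Cisco's CVSS calculator), the Python below recomputes the base and temporal scores this section lists for CSCtb60485 (7.8 and 6.4) from the CVSS v2 equations, using the standard v2 metric weights; the metric lines are copied from the advisory, and all function names are the example's own.

```python
"""Recompute the CVSS v2 scores the advisory gives for CSCtb60485.

Added example, not Cisco's CVSS calculator. The weights are the standard
CVSS v2 values; the metric lines are copied from the advisory.
"""
import re
from typing import Dict

# Standard CVSS v2 metric weights (base and temporal groups).
WEIGHTS = {
    "AV": {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0},
    "AC": {"High": 0.35, "Medium": 0.61, "Low": 0.71},
    "Au": {"Multiple": 0.45, "Single": 0.56, "None": 0.704},
    "C": {"None": 0.0, "Partial": 0.275, "Complete": 0.660},
    "I": {"None": 0.0, "Partial": 0.275, "Complete": 0.660},
    "A": {"None": 0.0, "Partial": 0.275, "Complete": 0.660},
    "E": {"Unproven": 0.85, "Proof-of-Concept": 0.90, "Functional": 0.95,
          "High": 1.0, "Not Defined": 1.0},
    "RL": {"Official-Fix": 0.87, "Temporary-Fix": 0.90, "Workaround": 0.95,
           "Unavailable": 1.0, "Not Defined": 1.0},
    "RC": {"Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.0,
           "Not Defined": 1.0},
}

# How the advisory labels each metric in its "Name - Value" lines.
LABELS = {
    "Access Vector": "AV", "Access Complexity": "AC", "Authentication": "Au",
    "Confidentiality Impact": "C", "Integrity Impact": "I",
    "Availability Impact": "A", "Exploitability": "E",
    "Remediation Level": "RL", "Report Confidence": "RC",
}

# Metric block for CSCtb60485 as printed in the advisory.
ADVISORY_METRICS = """
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
"""


def parse_metrics(text: str) -> Dict[str, str]:
    """Turn 'Access Vector - Network' style lines into {'AV': 'Network', ...}."""
    metrics = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s+-\s+(.+?)\s*$", line)
        if m and m.group(1) in LABELS:
            metrics[LABELS[m.group(1)]] = m.group(2)
    return metrics


def base_score(m: Dict[str, str]) -> float:
    """CVSS v2 base equation, rounded to one decimal as the spec requires."""
    impact = 10.41 * (1 - (1 - WEIGHTS["C"][m["C"]])
                        * (1 - WEIGHTS["I"][m["I"]])
                        * (1 - WEIGHTS["A"][m["A"]]))
    exploitability = (20 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]]
                      * WEIGHTS["Au"][m["Au"]])
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def temporal_score(base: float, m: Dict[str, str]) -> float:
    """CVSS v2 temporal equation: the base score scaled by E, RL and RC."""
    return round(base * WEIGHTS["E"][m["E"]] * WEIGHTS["RL"][m["RL"]]
                 * WEIGHTS["RC"][m["RC"]], 1)


def score_advisory(text: str = ADVISORY_METRICS):
    """Return (base, temporal) for a metric block in the advisory's format."""
    m = parse_metrics(text)
    base = base_score(m)
    return base, temporal_score(base, m)


if __name__ == "__main__":
    print(score_advisory())  # (7.8, 6.4) for CSCtb60485
```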
Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtb60485 ("Traceback in 'skinny' Thread with Skinny Inspection Enabled")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Impact
======

Successful exploitation of this vulnerability may cause a reload of the
affected device. Repeated exploitation could result in a sustained denial
of service condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center (TAC) or your contracted maintenance provider for
assistance.

Each row of the Cisco FWSM Software table below describes a major Cisco
FWSM Software train and the earliest possible release within that train
that contains the fix (the "First Fixed Release") and the anticipated date
of availability (if not currently available) in the "First Fixed Release"
column. A device running a release that is earlier than the release in a
specific column (less than the First Fixed Release) is known to be
vulnerable.
The release should be upgraded at least to the indicated release or a
later version (greater than or equal to the First Fixed Release label).

+---------------------------------------+
|  Major Release  | First Fixed Release |
|-----------------+---------------------|
|       3.1       |    Not affected     |
|-----------------+---------------------|
|       3.2       |    Not affected     |
|-----------------+---------------------|
|       4.0       |       4.0(8)        |
+---------------------------------------+

Fixed Cisco FWSM Software can be downloaded from the Software Center on
Cisco.com by visiting http://www.cisco.com/cisco/web/download/index.html
and navigating to "Security > Cisco Catalyst 6500 Series Firewall Services
Module > Firewall Services Module (FWSM) Software".

Workarounds
===========

If SCCP inspection is not required, this vulnerability can be mitigated by
disabling it. Administrators can disable SCCP inspection by issuing the
"no inspect skinny" command in class configuration sub-mode within the
policy map configuration.

If SCCP inspection is required, there are no workarounds.

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability.
Prior to deploying software, customers should consult their maintenance
provider or check the software for feature set compatibility and known
issues specific to their environment.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, customers agree to be bound by the terms of Cisco's
software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or
as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for
software upgrades.
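As an added example (not Cisco's tooling), the following Python applies the advisory's checks to the "show module" output and default global policy quoted earlier: it extracts the FWSM software version, tests whether "inspect skinny" is configured, and compares the version against the First Fixed Release table above; the sample outputs are the advisory's own, the 4.0(7) release used for the vulnerable case is assumed, and all function names are the example's own.

```python
"""Assess a Cisco FWSM against cisco-sa-20100217-fwsm (CVE-2010-0151).

Added example, not Cisco's code. Applies the advisory's checks: FWSM
version from "show module", whether SCCP (skinny) inspection is configured,
and the First Fixed Release table (3.1/3.2 not affected, 4.0 -> 4.0(8)).
"""
import re
from typing import Optional, Tuple

# First Fixed Release per major train, from the advisory's table.
# None means the train is listed as "Not affected".
FIRST_FIXED = {"3.1": None, "3.2": None, "4.0": "4.0(8)"}

# FWSM version syntax: major.minor(maintenance) plus optional interim number.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")

# "show module" output as quoted in the advisory (FWSM in slot 2).
SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
  2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
  5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(18)SXF1 Ok
"""

# Default global policy as quoted in the advisory; "inspect skinny" is on.
GLOBAL_POLICY = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect skinny
!
service-policy global_policy global
"""


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'3.2(2)10' -> (3, 2, 2, 10); a missing interim number counts as 0."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an FWSM version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return int(major), int(minor), int(maint), int(interim or 0)


def fwsm_version(show_module: str) -> Optional[str]:
    """Return the Sw column for the WS-SVC-FWM-1 slot, or None if no FWSM."""
    slot = None
    for line in show_module.splitlines():
        fields = line.split()
        if "WS-SVC-FWM-1" in fields:
            slot = fields[0]
            break
    if slot is None:
        return None
    for line in show_module.splitlines():
        fields = line.split()
        # MAC-address table rows: slot, "<mac> to <mac>", Hw, Fw, Sw, Status.
        if fields and fields[0] == slot and "to" in fields:
            versions = [f for f in fields if VERSION_RE.fullmatch(f)]
            if versions:
                return versions[-1]  # Sw is the last version-shaped column
    return None


def sccp_inspection_enabled(config: str) -> bool:
    """True if an 'inspect skinny' line is present in the running config."""
    return any(l.strip() == "inspect skinny" for l in config.splitlines())


def assess(version: str, sccp_enabled: bool) -> str:
    """Apply the fixed-release table and the workaround to one device."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    if train not in FIRST_FIXED:
        return f"train {train} not in the table: consult the advisory"
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "not affected"
    if v >= parse_version(fixed):
        return "fixed"
    if not sccp_enabled:
        return "affected release, but SCCP inspection is disabled (workaround)"
    return f"VULNERABLE: upgrade to {fixed} or later, or disable SCCP inspection"


if __name__ == "__main__":
    ver = fwsm_version(SHOW_MODULE)
    print(ver, assess(ver, sccp_inspection_enabled(GLOBAL_POLICY)))
```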
Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide website
at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or
existing agreements with third-party support organizations, such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for guidance and assistance with the appropriate
course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service provider
or support organization to ensure any applied workaround or fix is the most
appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should
acquire upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for
additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability described in this advisory.

This vulnerability was discovered during the resolution of customer
service requests.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy, and
may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2010-February-17 | Initial public release.  |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008-2010 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Feb 17, 2010                                Document ID: 111553

From linux.yahoo at gmail.com  Wed Feb 17 12:06:00 2010
From: linux.yahoo at gmail.com (Manu Chao)
Date: Wed, 17 Feb 2010 18:06:00 +0100
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com>
	<257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com>
	<257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com>
	<4B7BB169.1090306@forthnet.gr>
	<257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com>
	<257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com>
Message-ID: <7100ed371002170906x38f34ea4t36f5cf0d77a4fe83@mail.gmail.com>

Hello,

It is just a config problem on your J CE1: You needn't flexible-vlan-tagging (nor
flexible-ethernet-services encapsulation)

R/
Manu

On Wed, Feb 17, 2010 at 5:01 PM, Ioan Branet wrote:

> Hello,
>
> I tried with Cisco 7600 as CE instead of Juniper and it works, I have to
> find out what is wrong there.
>
> Thank you for your help,
> Regards,
> John
>
> ---------- Forwarded message ----------
> From: Ioan Branet
> Date: Wed, Feb 17, 2010 at 11:44 AM
> Subject: Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface
> between two 7600
> To: Tassos Chatzithomaoglou
> Cc: cisco-nsp at puck.nether.net
>
>
> Hello,
>
> Maybe there is a bug with SRB IOS.
> I still have VC up on both ends but I can't ping between CE1 and CE2.
>
> On CE1 (Juniper side) I learn arp address of remote CE2 device and receive
> arp request and send arp reply:
>
> show arp no-resolve | match xe-3/1/0
> 00:16:9c:6d:42:80 150.1.1.1 xe-3/1/0.999 none
>
> Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22
>   Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
>   Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
>   Device Interface Index Extension TLV #1, length 2, value: 193
>   Logical Interface Index Extension TLV #4, length 4, value: 126
>   Logical Unit Number Extension TLV #5, length 4, value: 32767
>   -----original packet-----
>   0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length 64:
>   vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1
> 11:34:01.878596 Out
> Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22
>   Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
>   Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
>   Device Interface Index Extension TLV #1, length 2, value: 193
>   Logical Interface Index Extension TLV #4, length 4, value: 126
>   Logical Unit Number Extension TLV #5, length 4, value: 32767
>   -----original packet-----
>   0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100),
>   length 46: vlan 999, p 0, ethertype
>   ARP, arp reply 150.1.1.2 is-at 0:21:59:a7:c4:30.
>
> The issue is that I can't upgrade to SRD IOS.
>
> thank you,
> John
>
>
> On Wed, Feb 17, 2010 at 11:05 AM, Tassos Chatzithomaoglou <
> achatz at forthnet.gr> wrote:
>
> > I'm running EoMPLS between 10GE subif and 1GE subif without any problem.
> >
> > 7600-a>sh mpls l2 vc 3601
> >
> > Local intf     Local circuit              Dest address    VC ID      Status
> > -------------  -------------------------- --------------- ---------- ----------
> > Gi4/20.3601    Eth VLAN 3601              x.x.x.x         3601       UP
> >
> >
> > 7600-b>sh mpls l2 vc 3601
> >
> > Local intf     Local circuit              Dest address    VC ID      Status
> > -------------  -------------------------- --------------- ---------- ----------
> > Te3/2.3601     Eth VLAN 3601              x.x.x.x         3601       UP
> >
> >
> > Both 7600s are running SRD3.
> >
> > --
> > Tassos
> >
> > Ioan Branet wrote on 17/02/2010 10:49:
> >
> >> Hello,
> >>
> >> We run EOMPLS on port and vlan mode on GE interfaces but we did not run
> >> EOMPLS Vlan mode between 10G and 1G subinterfaces until now.
> >>
> >> Any feedback is appreciated.
> >> Thank you,
> >> John
> >>
> >> On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson wrote:
> >>
> >>> On Wed, 17 Feb 2010, Ioan Branet wrote:
> >>>
> >>> You should answer to the list, answering just to me doesn't make much
> >>> sense.
> >>>
> >>> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't
> >>> remember), or go SRD3 or later.
> >>>
> >>>
> >>> Hello,
> >>>
> >>>> We are running on both PEs the following:
> >>>> sh ver | i IOS
> >>>> Cisco IOS Software, c7600s72033_rp Software
> >>>> (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE
> >>>> SOFTWARE (fc3)
> >>>>
> >>>> 10G card on PE1 is:
> >>>> show module 7
> >>>> Mod Ports Card Type                              Model              Serial No.
> >>>> --- ----- -------------------------------------- ------------------ -----------
> >>>>   7    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL1337YN4W
> >>>>
> >>>> and 1G on PE2 is:
> >>>>
> >>>> ro-sv01a-rd2#show module 2
> >>>> Mod Ports Card Type                              Model              Serial No.
> >>>> --- ----- -------------------------------------- ------------------ -----------
> >>>>   2   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1005CBXG
> >>>>
> >>>> Mod MAC addresses                       Hw    Fw           Sw           Status
> >>>> --- ---------------------------------- ------ ------------ ------------ -------
> >>>>   2  0016.c8c4.fc10 to 0016.c8c4.fc27   2.3   12.2(14r)S5  12.2(33)SRB4 Ok
> >>>>
> >>>> Mod  Sub-Module                  Model              Serial      Hw     Status
> >>>> ---- --------------------------- ------------------ ----------- ------- -------
> >>>>   2  Centralized Forwarding Card WS-F6700-CFC       SAL1014J60S 2.0    Ok
> >>>>
> >>>> Mod  Online Diag Status
> >>>> ---- -------------------
> >>>>   2  Pass
> >>>>
> >>>> Thank you,
> >>>> John
> >>>>
> >>>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson <
> >>>> swmike at swm.pp.se> wrote:
> >>>>
> >>>> On Wed, 17 Feb 2010, Ioan Branet wrote:
> >>>>
> >>>>> GE interface between two 7600 as PE.
> >>>>>
> >>>>> You forgot to include what software you're running.
> >>>>>
> >>>>> --
> >>>>> Mikael Abrahamsson    email: swmike at swm.pp.se
> >>>>>
> >>>> --
> >>> Mikael Abrahamsson    email: swmike at swm.pp.se
> >>>
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >
>

From avayner at cisco.com  Wed Feb 17 13:02:43 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 17 Feb 2010 19:02:43 +0100
Subject: [c-nsp] VLAN Tagging/Untagging overhead
In-Reply-To: <79167dd71002162033o2c338b7fle66b9f9d381395fa@mail.gmail.com>
References: <79167dd71002162033o2c338b7fle66b9f9d381395fa@mail.gmail.com>

Kris,

There should not be a big impact as if you are doing CEF switching the
layer 2 adjacency header is pre-computed and is just reused.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kris Amy
Sent: Wednesday, February 17, 2010 06:33
To: cisco-nsp
Subject: [c-nsp] VLAN Tagging/Untagging overhead

Hi All,

Is there any cpu impact by packets being de/encapsulated onto a VLAN rather
than going as native on a software based platform (7200/7300)? If so would
this be a big impact at 50k pps?
Regards,
Kris

From lists.james.edwards at gmail.com  Wed Feb 17 13:19:31 2010
From: lists.james.edwards at gmail.com (james edwards)
Date: Wed, 17 Feb 2010 11:19:31 -0700
Subject: [c-nsp] Renumbering serial interfaces

I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have
always done this with 2 people, one on each end. Is it possible for one
person to do this, from one end?
If I am on the near side, I log into the far side's serial IP and do this:

LALMR_2620(config)#interface ATM0/0.32 point-to-point
LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
LALMR_2620(config-subif)#^Z

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From deadheadblues at gmail.com  Wed Feb 17 13:21:53 2010
From: deadheadblues at gmail.com (B)
Date: Wed, 17 Feb 2010 11:21:53 -0700
Subject: [c-nsp] ASA - Monitor an IPSEC Tunnel via SNMP
Message-ID: <6de7e5461002171021j44d7dba1n37353ab374bfef69@mail.gmail.com>

What's the best way to monitor an IPSec tunnel via SNMP on an ASA (v8)? I
just want to know if it is up or down.

I did an snmpwalk but can't find anything related to the tunnels.

From paul at paulstewart.org  Wed Feb 17 13:25:27 2010
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 17 Feb 2010 13:25:27 -0500
Subject: [c-nsp] Renumbering serial interfaces
Message-ID: <001f01caaffe$93eeb890$bbcc29b0$@org>

Test this ahead of time with a lab box if you can ;)

What I've done in these scenarios is to build the snippets of config I need
to apply and put them into a plain text file. Then do a "copy
tftp://blahblah/filename running-config" which merges the changes.
Before I do the copy I do a "reload in 15" in case it fails so that I know
I can get back into the box in 15 minutes....

YMMV... Please test this though as I haven't done it in a while but it did
work for my needs at the time...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of james edwards
Sent: Wednesday, February 17, 2010 1:20 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Renumbering serial interfaces

I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have
always done this with 2 people, one on each end. Is it possible for one
person to do this, from one end?
If I am on the near side, I log into the far side's serial IP and do this:

LALMR_2620(config)#interface ATM0/0.32 point-to-point
LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
LALMR_2620(config-subif)#^Z

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From thirdfrl.nsp at gmail.com  Wed Feb 17 13:35:21 2010
From: thirdfrl.nsp at gmail.com (Ryan Lambert)
Date: Wed, 17 Feb 2010 13:35:21 -0500
Subject: [c-nsp] Renumbering serial interfaces
Message-ID: <56665ca71002171035x21afc6cchd1caf9049c873e53@mail.gmail.com>

You can renumber serial links with one person. Standard disclaimer of paying
attention to detail, being careful, etc.

If you can tolerate a few minutes downtime worst-case (which, I'm making the
assumption this is being done in a window that can), you can also use the
'reload in x' command, where x = minutes. If you botch it and cannot get
back in, the device will reload with the saved startup configuration (ie:
not with your most current changes). You can roll back the near side and be
back up.
If all changes are successful, don't forget to reload cancel and write your
changes.

Obviously there are some other things you probably need to consider like
routing protocol adjacencies, or static default routes... so telnet/ssh'ing
in from a directly connected interface may be necessary depending on the
setup. The only time something like this is a bit more tricky is when
multiple changes are required (encapsulation, etc.)

HTH,
-Ryan

On Wed, Feb 17, 2010 at 1:19 PM, james edwards <
lists.james.edwards at gmail.com> wrote:

> I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have
> always done this with 2 people, one on each end. Is it possible for one
> person to do this, from one end?
> If I am on the near side, I log into the far side's serial IP and do this:
>
> LALMR_2620(config)#interface ATM0/0.32 point-to-point
> LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
> LALMR_2620(config-subif)#^Z
>
>
> --
> James H. Edwards
> Senior Network Systems Administrator
> Judicial Information Division
> jedwards at nmcourts.gov
>

From rwest at zyedge.com  Wed Feb 17 14:22:37 2010
From: rwest at zyedge.com (Ryan West)
Date: Wed, 17 Feb 2010 19:22:37 +0000
Subject: [c-nsp] ASA - Monitor an IPSEC Tunnel via SNMP
In-Reply-To: <6de7e5461002171021j44d7dba1n37353ab374bfef69@mail.gmail.com>
References: <6de7e5461002171021j44d7dba1n37353ab374bfef69@mail.gmail.com>
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD10B43C@zy-ex1.zyedge.local>

B,

> -----Original Message-----
> Sent: Wednesday, February 17, 2010 1:22 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA - Monitor an IPSEC Tunnel via SNMP
>
> What's the best way to monitor an IPSec tunnel via SNMP on an ASA (v8)?
> I just want to know if it is up or down.
> I did an snmpwalk but can't find anything related to the tunnels.

Check out this MIB, CISCO-IPSEC-FLOW-MONITOR-MIB.

.1.3.6.1.4.1.9.9.171.1.3.1.1.0 will retrieve the number of active tunnels.
.1.3.6.1.4.1.9.9.171.1.2.1.1.0 will retrieve the number of active IKE peers.

-ryan

From gert at greenie.muc.de  Wed Feb 17 15:30:57 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 17 Feb 2010 21:30:57 +0100
Subject: [c-nsp] Renumbering serial interfaces
Message-ID: <20100217203057.GW9556@greenie.muc.de>

Hi,

On Wed, Feb 17, 2010 at 11:19:31AM -0700, james edwards wrote:
> I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have
> always done this with 2 people, one on each end. Is it possible for one
> person to do this, from one end?
> If I am on the near side, I log into the far side's serial IP and do this:
>
> LALMR_2620(config)#interface ATM0/0.32 point-to-point
> LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
> LALMR_2620(config-subif)#^Z

Should work. (At that point, the connection will lock up, and then you
need to connect to the new address and continue)

Always remember to put in "reload in 5" before you do anything that might
lock you out, and "reload cancel" afterwards...

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From nicholas.hatch at gmail.com  Wed Feb 17 16:51:34 2010
From: nicholas.hatch at gmail.com (nick hatch)
Date: Wed, 17 Feb 2010 13:51:34 -0800
Subject: [c-nsp] netiquette

On Wed, Feb 17, 2010 at 2:54 AM, Mikael Abrahamsson wrote:

> On Wed, 17 Feb 2010, Marco Regini wrote:
>
>> Thanks.
>>
>> So if I post a question to cisco-nsp at puck.nether.net and tom at gmail.com
>> answer to me directly, I can't reply to the mailing list but only to tom?
>>
>> Even if the message is only about technical stuff?
>
> That is correct. Unless you KNOW for sure that Tom is ok with you posting
> his reply to the list, you shouldn't do it.

A good example of this is someone going out on a limb to provide information
that isn't under NDA, but that their PR department might not want to see on
a public list. I've asked questions before ("Anyone know why $FOO_COMPANY is
doing this?") and received subtle but helpful answers that make the reply
button seem like a dangerous weapon if used incorrectly.

... there tends to be a lot of trust in these parts.

-Nick

From ioan.branet at gmail.com  Wed Feb 17 16:58:13 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 17 Feb 2010 23:58:13 +0200
Subject: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
In-Reply-To: <7100ed371002170906x38f34ea4t36f5cf0d77a4fe83@mail.gmail.com>
References: <257d19981002170010lf6aada6ldd21371045d47d53@mail.gmail.com>
	<257d19981002170039j50e92e2cra1611a34d4b62e72@mail.gmail.com>
	<257d19981002170049s60e11a1fk1184954ebea6faec@mail.gmail.com>
	<4B7BB169.1090306@forthnet.gr>
	<257d19981002170144q1d0f7754o4d3ee5b32773ab1a@mail.gmail.com>
	<257d19981002170801w4103aebdxa93ec641d247af25@mail.gmail.com>
	<7100ed371002170906x38f34ea4t36f5cf0d77a4fe83@mail.gmail.com>
Message-ID: <257d19981002171358r79714ab5o461b1f01567b82a3@mail.gmail.com>

Hello,

I also used vlan-tagging but with the same result:

show configuration interfaces xe-3/1/0
description "** Link To PE1 **";
vlan-tagging;
link-mode full-duplex;
gigether-options {
    no-auto-negotiation;
}
unit 999 {
    bandwidth 10g;
    vlan-id 999;
    family inet {
        accounting {
            source-class-usage {
                input;
            }
        }
        no-redirects;
        sampling {
            input;
        }
        address 150.1.1.2/30 {
            primary;
            preferred;
        }
    }
}

#ping 150.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

On Wed, Feb 17, 2010 at 7:06 PM, Manu Chao wrote:

> Hello,
>
> It is just a config problem on your J CE1: You needn't
> flexible-vlan-tagging (nor flexible-ethernet-services encapsulation)
>
> R/
> Manu
>> >>>>> --
>> >>>>> Mikael Abrahamsson    email: swmike at swm.pp.se
>> >>>> --
>> >>> Mikael Abrahamsson    email: swmike at swm.pp.se
>> >> _______________________________________________
>> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

--
Ioan Branet
CCIE #23474 R&S

From b.turnbow at twt.it Thu Feb 18 03:22:07 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 18 Feb 2010 09:22:07 +0100
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To:
References:
Message-ID:

Besides the reload in xx that several have mentioned you can also put secondary IPs on the link
and then cancel the primary.

I.e.
interface ATM0/0.32 point-to-point
 ip add 2.2.2.2 255.255.255.252 secondary

Telnet/ssh to this address using source address 2.2.2.1
Then no ip add 1.1.1.1 255.255.255.252
The 2.2.2.2 address becomes the primary and you should not lose the management session.
Don't forget to cancel the reload....

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of james edwards
Sent: mercoledì 17 febbraio 2010 19.20
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Renumbering serial interfaces

I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have always done this with 2 people, one on each end.
Is it possible for one person to do this, from one end?
If I am on the near side, I log into the far side's serial IP and do this:

LALMR_2620(config)#interface ATM0/0.32 point-to-point
LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
LALMR_2620(config-subif)#^Z

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From marco.regini at ascotlc.it Thu Feb 18 05:29:34 2010
From: marco.regini at ascotlc.it (Marco Regini)
Date: Thu, 18 Feb 2010 11:29:34 +0100
Subject: [c-nsp] multicast on transit LAN
Message-ID:

Hi,

I did some progress on this topic, with the help of "ip igmp helper address".

At L3 my network lab is like this; the vlan/network between the 3560 and the 3750 is vlan 100.

Customers_cpe--Cisco3560-|
Customers_cpe--Cisco3560-|
Customers_cpe--Cisco3560-|
........................-|-----------Cisco3750---Core
Customers_cpe--Cisco3560-|

At L1 it is simply a daisy-chain on the gigabit interface with a trunk that carries only vlan100.

Well, "IGMP snooping, CGMP, RGMP" do not limit the multicast packets on vlan 100, I do not know why. Perhaps this is because all the apparatus are routing and switching vlan 100: in the Cisco doc I see a dedicated L2-only switch connecting the customer CPEs and the provider router. But this is only a hypothesis, I need to capture some traffic to understand.

The workaround I have found is to put "ip igmp helper address 151.1.1.1" on the customer interface; in this way the multicast join/leave of the customer CPEs "are forwarded" by the 3560 to the Cisco3750.

This has 2 nice effects:
1) IGMP snooping starts working on Vlan100.
2) "show ip igmp groups" on the 4006 shows me multicast group registration on all the 3560s.

Questions:
Why do I need the "igmp helper address" hack?
Is any of you using "igmp helper address" in a production environment?

From tsands at rackspace.com Thu Feb 18 07:47:56 2010
From: tsands at rackspace.com (Tom Sands)
Date: Thu, 18 Feb 2010 06:47:56 -0600
Subject: [c-nsp] Best practice - Core vs Access Router
In-Reply-To:
References: <290EF89F13F04F4E924BB235A46D18F109FE2BA79E@MLBMXUS2.cs.myharris.net> <4B718596.2050602@imperial.ac.uk> <290EF89F13F04F4E924BB235A46D18F109FE2BA880@MLBMXUS2.cs.myharris.net> <4B71A1D2.10909@imperial.ac.uk> <4B72FF79.3030502@uk.clara.net> <4B730551.9070608@uk.clara.net> <940_1266239987_o1FDJg21030975_4B7949E9.1080601@rackspace.com>
Message-ID: <22291_1266497286_o1ICm14D024310_4B7D36FC.6090200@rackspace.com>

Andy B. wrote:
> On Mon, Feb 15, 2010 at 2:19 PM, Tom Sands wrote:
>> The 6704 looks like the biggest problem in this setup. We avoid them at all
>> cost.
>
>
> What would be your recommendation then? 6708?

Absolutely, while a 2:1 card the buffers are far greater. Also, depending on your use of it, having a DFC/DFCXL can be of great benefit.

>
> sidenote: I may have narrowed down the issue. There is a port-channel
> on te9/4 and te8/4. When I shut down one of these two interfaces, the
> box is becoming very responsive again:

I would be very interested in knowing if this problem is truly resolved and what the suspected problem/resolution was by breaking this port channel. Since these are 6704 cards they use CFCs vs DFCs, where a problem such as the above would have made more sense if it were actually using DFCs and the ingress of the traffic was on the same line card as the egress of only one of the ports in the channel.
> > BCS#sh etherchannel 66 detail > Group state = L2 > Ports: 2 Maxports = 8 > Port-channels: 1 Max Port-channels = 1 > Protocol: PAgP > Minimum Links: 0 > Ports in the group: > ------------------- > Port: Te8/4 > ------------ > > Port state = Down Not-in-Bndl > Channel group = 66 Mode = Desirable-Sl Gcchange = 0 > Port-channel = null GC = 0x00000000 Pseudo > port-channel = Po66 > Port index = 0 Load = 0x00 Protocol = PAgP > > Flags: S - Device is sending Slow hello. C - Device is in Consistent state. > A - Device is in Auto mode. P - Device learns on physical port. > d - PAgP is down. > Timers: H - Hello timer is running. Q - Quit timer is running. > S - Switching timer is running. I - Interface timer is running. > > Local information: > Hello Partner PAgP Learning Group > Port Flags State Timers Interval Count Priority Method Ifindex > Te8/4 d U1/S1 1s 0 128 Any 0 > > Age of the port in the current state: 5d:11h:50m:10s > > Port: Te9/4 > ------------ > > Port state = Up Mstr In-Bndl > Channel group = 66 Mode = Desirable-Sl Gcchange = 0 > Port-channel = Po66 GC = 0x00420001 Pseudo > port-channel = Po66 > Port index = 1 Load = 0xFF Protocol = PAgP > > Flags: S - Device is sending Slow hello. C - Device is in Consistent state. > A - Device is in Auto mode. P - Device learns on physical port. > d - PAgP is down. > Timers: H - Hello timer is running. Q - Quit timer is running. > S - Switching timer is running. I - Interface timer is running. > > Local information: > Hello Partner PAgP Learning Group > Port Flags State Timers Interval Count Priority Method Ifindex > Te9/4 SC U6/S7 30s 1 128 Any 122 > > Partner's information: > > Partner Partner Partner Partner Group > Port Name Device ID Port Age Flags Cap. 
> Te9/4 XXXX 0021.a050.d600 Te4/2 18s SC 420001 > > Age of the port in the current state: 0d:00h:05m:49s > > Port-channels in the group: > ---------------------- > > Port-channel: Po66 > ------------ > > Age of the Port-channel = 5d:11h:52m:22s > Logical slot/port = 14/4 Number of ports = 1 > GC = 0x00420001 HotStandBy port = null > Port state = Port-channel Ag-Inuse > Protocol = PAgP > Fast-switchover = disabled > Load share deferral = disabled > > Ports in the Port-channel: > > Index Load Port EC state No of bits > ------+------+------------+------------------+----------- > 1 FF Te9/4 Desirable-Sl 8 > > Time since last port bundled: 0d:00h:05m:49s Te9/4 > Time since last port Un-bundled: 0d:00h:05m:06s Te8/4 > > Last applied Hash Distribution Algorithm: Fixed > > > This is while Te8/4 is shut down. > > The other end of the channel is also a 6509 box with 1x 6704. > > > Andy > . > Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace. Any dissemination, distribution or copying of the enclosed material is prohibited. If you receive this transmission in error, please notify us immediately by e-mail at abuse at rackspace.com, and delete the original message. Your cooperation is appreciated. From steve at ibctech.ca Thu Feb 18 08:22:26 2010 From: steve at ibctech.ca (Steve Bertrand) Date: Thu, 18 Feb 2010 08:22:26 -0500 Subject: [c-nsp] Renumbering serial interfaces In-Reply-To: References: Message-ID: <4B7D3F12.4000100@ibctech.ca> On 2010.02.18 03:22, Brian Turnbow wrote: > Besides the reload in xx that several have mentioned you can also put secondary Ips on the link > Nad then cancel the primary. > > I.e. 
> interface ATM0/0.32 point-to-point
>  ip add 2.2.2.2 255.255.255.252 secondary
>
> Telnet/ssh to this address using source address 2.2.2.1
> Then no ip add 1.1.1.1 255.255.255.252
> The 2.2.2.2 address becomes the primary and you should not lose the management session.

Does this work differently on a serial interface? On an fa int:

route-server1(config)#int lo75
route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
Must delete secondary before deleting primary

Steve

From jlewis at lewis.org Thu Feb 18 08:56:00 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 18 Feb 2010 08:56:00 -0500 (EST)
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To: <4B7D3F12.4000100@ibctech.ca>
References: <4B7D3F12.4000100@ibctech.ca>
Message-ID:

On Thu, 18 Feb 2010, Steve Bertrand wrote:

>> I.e.
>> interface ATM0/0.32 point-to-point
>>  ip add 2.2.2.2 255.255.255.252 secondary
>>
>> Telnet/ssh to this address using source address 2.2.2.1
>> Then no ip add 1.1.1.1 255.255.255.252
>> The 2.2.2.2 address becomes the primary and you should not lose the management session.
>
> Does this work differently on a serial interface? On an fa int:
>
> route-server1(config)#int lo75
> route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
> route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
> route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
>
> Must delete secondary before deleting primary

Instead of removing the primary IP of the interface, try just changing it. It'll let you do that. I've seen people break things by doing that by accident when they meant to add another secondary address.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From steve at ibctech.ca Thu Feb 18 08:58:56 2010
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 18 Feb 2010 08:58:56 -0500
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To:
References: <4B7D3F12.4000100@ibctech.ca>
Message-ID: <4B7D47A0.4090809@ibctech.ca>

On 2010.02.18 08:56, Jon Lewis wrote:
> On Thu, 18 Feb 2010, Steve Bertrand wrote:
>
>>> I.e.
>>> interface ATM0/0.32 point-to-point
>>>  ip add 2.2.2.2 255.255.255.252 secondary
>>>
>>> Telnet/ssh to this address using source address 2.2.2.1
>>> Then no ip add 1.1.1.1 255.255.255.252
>>> The 2.2.2.2 address becomes the primary and you should not lose the
>>> management session.
>>
>> Does this work differently on a serial interface? On an fa int:
>>
>> route-server1(config)#int lo75
>> route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
>> route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
>> route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
>>
>> Must delete secondary before deleting primary
>
> Instead of removing the primary IP of the interface, try just changing
> it. It'll let you do that. I've seen people break things by doing that
> by accident when they meant to add another secondary address.

I suppose that considering that this is a PtP link, the OP could apply an IPv6 address to each end, verify reachability, and temporarily remove all v4 addresses and still maintain a connection until the work is complete :)

...I'd still use the "reload in..." just to be safe though.
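A complete one-person sequence for the renumbering discussed in this thread, as an added example that is not part of any message above. It combines the three points made so far (a "reload in" timer as the safety net, a temporary secondary address as the management path, and replacing the primary instead of removing it, which is what trips "Must delete secondary before deleting primary") and adds the one check that decides whether the management session will survive: whether the second session to the far router is really sourced from the temporary subnet. Everything except the interface name from the original post is assumed: router names NEAR and FAR, old link 1.1.1.0/30, new link 3.3.3.0/30, temporary management subnet 10.255.255.0/30, and the login name admin.

```text
! === Step 1: on NEAR, which you reach out of band or over the old address ===
NEAR(config)# interface ATM0/0.32 point-to-point
NEAR(config-subif)# ip address 10.255.255.1 255.255.255.252 secondary
NEAR(config-subif)# end

! === Step 2: on FAR, logged in over the OLD primary 1.1.1.2 ===
! Do not "write memory" before the new addressing is verified: if the
! session is lost, the timed reload brings back the saved (old) config.
FAR# reload in 15
FAR(config)# interface ATM0/0.32 point-to-point
FAR(config-subif)# ip address 10.255.255.2 255.255.255.252 secondary
FAR(config-subif)# end

! === Step 3: from NEAR, open a SECOND session to FAR over the temporary subnet ===
NEAR# ssh -l admin 10.255.255.2
! In the new session, check where FAR sees this connection coming from.
! It must be 10.255.255.1; if it is 1.1.1.1, the session is riding the old
! subnet and will die in step 4, so stop here and fix the source first.
FAR# show tcp brief
! TCB       Local Address           Foreign Address         (state)
! ...       10.255.255.2.22         10.255.255.1.nnnnn      ESTAB

! === Step 4: in that second session, REPLACE the far primary (no "no ip address") ===
FAR(config)# interface ATM0/0.32 point-to-point
FAR(config-subif)# ip address 3.3.3.2 255.255.255.252
FAR(config-subif)# end
! Entering a new primary overwrites 1.1.1.2 in place. "no ip address 1.1.1.2 ..."
! would be refused while a secondary exists, and typing the new address WITH
! "secondary" by mistake would leave the old primary untouched.

! === Step 5: on NEAR, replace its primary the same way and verify over the new subnet ===
NEAR(config)# interface ATM0/0.32 point-to-point
NEAR(config-subif)# ip address 3.3.3.1 255.255.255.252
NEAR(config-subif)# end
NEAR# ping 3.3.3.2 source 3.3.3.1

! === Step 6: only after the ping succeeds, clean up from a session on the NEW address ===
NEAR# ssh -l admin 3.3.3.2
FAR# reload cancel
FAR(config)# interface ATM0/0.32 point-to-point
FAR(config-subif)# no ip address 10.255.255.2 255.255.255.252 secondary
FAR(config-subif)# end
FAR# write memory
NEAR(config)# interface ATM0/0.32 point-to-point
NEAR(config-subif)# no ip address 10.255.255.1 255.255.255.252 secondary
NEAR(config-subif)# end
NEAR# write memory
```

The order matters in two places: the reload timer is set before the first address change on FAR and cancelled only after the new /30 has been pinged end to end, and the temporary secondaries are removed last, from a session that no longer depends on them. Everything in between is done on FAR from the session that the "show tcp brief" check proved is sourced from the temporary subnet.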
Steve

From craig at askings.com.au Thu Feb 18 08:45:52 2010
From: craig at askings.com.au (craig at askings.com.au)
Date: Thu, 18 Feb 2010 23:45:52 +1000 (EST)
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To:
References:
Message-ID: <8ac323eb49ca5d37441d591e4d1d92c5.squirrel@smtp.askings.com.au>

> I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have
> always done this with 2 people, one on each end. Is it possible for one
> person to do this, from one end?
> If I am on the near side, I log into the far side's serial IP and do this:
>

You could set up ipv6 between the two routers and ssh/telnet over that while you are changing the ipv4 settings.

Craig.

From b.turnbow at twt.it Thu Feb 18 09:32:50 2010
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 18 Feb 2010 15:32:50 +0100
Subject: [c-nsp] Renumbering serial interfaces
In-Reply-To: <4B7D3F12.4000100@ibctech.ca>
References: <4B7D3F12.4000100@ibctech.ca>
Message-ID:

Sorry, the last line should be

ip address 208.70.109.156 255.255.255.255

Making the secondary primary, and removing the primary.
I remember doing it with no ip address x.x.x.x.... but I just tried and it gives me the same error.
Too much lunch I think.

Brian

-----Original Message-----
From: Steve Bertrand [mailto:steve at ibctech.ca]
Sent: giovedì 18 febbraio 2010 14.22
To: Brian Turnbow
Cc: james edwards; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Renumbering serial interfaces

On 2010.02.18 03:22, Brian Turnbow wrote:
> Besides the reload in xx that several have mentioned you can also put secondary IPs on the link
> and then cancel the primary.
>
> I.e.
> interface ATM0/0.32 point-to-point
>  ip add 2.2.2.2 255.255.255.252 secondary
>
> Telnet/ssh to this address using source address 2.2.2.1
> Then no ip add 1.1.1.1 255.255.255.252
> The 2.2.2.2 address becomes the primary and you should not lose the management session.

Does this work differently on a serial interface?
On an fa int:

route-server1(config)#int lo75
route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
Must delete secondary before deleting primary

Steve

From jeff-kell at utc.edu Thu Feb 18 10:52:18 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu, 18 Feb 2010 10:52:18 -0500
Subject: [c-nsp] Small Catalysts with odd "no buffer" errors
Message-ID: <4B7D6232.4000109@utc.edu>

I have a 2950 switch we just provisioned to deploy, and in checking it out beforehand, have run into an unusual "no buffers" condition. I've seen this before but never been able to resolve what is causing it. See if this rings any bells...

Doctors-Temp#sho int f0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0007.8436.5041 (bia 0007.8436.5041)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 100BaseTX
  input flow-control is unsupported output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:08, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 10000 bits/sec, 13 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     36881 packets input, 3921937 bytes, *2443 no buffer*
     Received 33638 broadcasts (10590 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, *2443 ignored*
     0 watchdog, 10585 multicast, 0 pause input
     0 input packets with dribble condition detected
     15496 packets output, 1222739 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

There are no traditional buffer exceptions:

Doctors-Temp#show buffers
Buffer elements:
     499 in free list (500 max allowed)
     43707 hits, 0 misses, 0 created

Public buffer pools:
Small buffers, 104 bytes (total 60, permanent 25, peak 103 @ 01:33:34):
     60 in free list (20 min, 60 max allowed)
     19032 hits, 26 misses, 43 trims, 78 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 30, permanent 15, peak 36 @ 01:33:35):
     28 in free list (10 min, 30 max allowed)
     8082 hits, 7 misses, 6 trims, 21 created
     0 failures (0 no memory)
Big buffers, 1524 bytes (total 7, permanent 5, peak 7 @ 01:33:19):
     7 in free list (5 min, 10 max allowed)
     182 hits, 1 misses, 0 trims, 2 created
     0 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 2, permanent 0, peak 2 @ 00:44:36):
     2 in free list (0 min, 10 max allowed)
     143 hits, 1 misses, 0 trims, 2 created
     0 failures (0 no memory)
Large buffers, 5024 bytes (total 0, permanent 0):
     0 in free list (0 min, 5 max allowed)
     0 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
Huge buffers, 18024 bytes (total 0, permanent 0):
     0 in free list (0 min, 2 max allowed)
     0 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)

Interface buffer pools:
Calhoun Packet Receive Pool buffers, 1560 bytes (total 256, permanent 256):
     222 in free list (0 min, 256 max allowed)
     14323 hits, 0 misses

Controller reports no significant errors other than discards:

Doctors-Temp#show controller ethernet f0/1
     Transmit                            Receive
    1333345 Bytes                       4501690 Bytes
      17091 Frames                        42219 Frames
      10227 Multicast frames                  0 FCS errors
       1019 Broadcast frames              12253 Multicast frames
          0 Pause frames                  25775 Broadcast frames
          0 Single defer frames               0 Control frames
          0 Multiple defer frames             0 Pause frames
          0 1 collision frames                0 Unknown opcode frames
          0 2-15 collisions                   0 Alignment errors
          0 Late collisions                   0 Length out of range
          0 Excessive collisions              1 Symbol error frames
          0 Total collisions                  2 False carrier errors
          0 Control frames                    0 Valid frames, too small
          0 VLAN discard frames               0 Valid frames, too large
          0 Too old frames                    1 Invalid frames, too small
       8961 Tagged frames                     0 Invalid frames, too large
          0 Aborted Tx frames              2871 Discarded frames

     Transmit and Receive
      11113 Minimum size frames
      41525 65 to 127 byte frames
       3359 128 to 255 byte frames
       2951 256 to 511 byte frames
        269 512 to 1023 byte frames
         91 1024 to 1518 byte frames
          1 1519 to 1522 byte frames

If you do the commands quickly in s