From oogali at gmail.com Fri Jan 1 23:09:07 2010
From: oogali at gmail.com (Omachonu Ogali)
Date: Fri, 1 Jan 2010 23:09:07 -0500
Subject: [c-nsp] RESOLVED: Port 1720 & 1863
In-Reply-To: <512FA3E0D3874060AF00D7BAF13B9E6A@flamdt01>
References: <649021.33824.qm@web53707.mail.re2.yahoo.com> <512FA3E0D3874060AF00D7BAF13B9E6A@flamdt01>
Message-ID:

I have TWC Residential in NYC, and I can fling packets back and forth no problem.

from TWC to remote host:{1720, 1863}: works fine.
from remote host to TWC:{1720, 1863}: works fine.

Both TCP and UDP.

oo

On Thu, Dec 24, 2009 at 3:35 PM, Tony Varriale wrote:
> Residential or business service?
>
> tv
>
> ----- Original Message -----
> From: "abs"
> To: "Ziv Leyes" ; "Jared Mauch"
> Cc:
> Sent: Thursday, December 24, 2009 2:07 PM
> Subject: Re: [c-nsp] RESOLVED: Port 1720 & 1863
>
> Seems like everyone is interested in knowing the ISP.
> And the winner is..... Time Warner Cable. They are also doing the same for
> port 1863.
>
> --- On Thu, 12/24/09, Jared Mauch wrote:
>
> From: Jared Mauch
> Subject: Re: [c-nsp] RESOLVED: Port 1720 & 1863
> To: "Ziv Leyes"
> Cc: "cisco-nsp at puck.nether.net"
> Date: Thursday, December 24, 2009, 9:37 AM
>
> It may be worthwhile to name & shame the provider for intercepting your
> h.323 directed traffic.
>
> (Unless of course you're in one of those countries that uses high telecom
> rates to justify blocking VoIP).
>
> - Jared
>
> On Dec 24, 2009, at 3:20 AM, Ziv Leyes wrote:
>
>> Oh, man, that's dirty, why would they do that??
>> Just when it started to get interesting...
>> But I'm glad for you that the issue is resolved
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of abs
>> Sent: Thursday, December 24, 2009 3:01 AM
>> To: Steve Bertrand
>> Cc: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] RESOLVED: Port 1720 & 1863
>>
>> Thank you all for your help. For the folks interested, the issue was that
>> the two ports are being intercepted by my ISP. Once again, thank you all for
>> your help.
>>
>> cheers,
>> abs
>>
>> --- On Wed, 12/23/09, Steve Bertrand wrote:
>>
>> From: Steve Bertrand
>> Subject: Re: [c-nsp] Port 1720 & 1863
>> To: "abs"
>> Date: Wednesday, December 23, 2009, 7:49 PM
>>
>> abs wrote:
>>
>>> Now this makes a lot more sense. I was going crazy trying to figure
>>> this out. I think they are doing the same for port 1863.
>>>
>>> It would be greatly appreciated if you could set up a vm for me to run
>>> some scans off of.
>>>
>>
>> No problem.
>>
>> I've got to finish up writing some code right now, so I'll get the vm
>> set up first thing tomorrow before I'm done for the week.
>>
>> Hopefully you're familiar with FreeBSD, as that is what the host will be.
>>
>> All I ask is that you *only* probe hosts that are your own. I'm an ISP,
>> and I've been burned before after being taken advantage of after doing
>> favours like this.
>>
>> Believe it or not, I'm not generally a trusting person, but that is
>> generally outweighed by my desire to help others.
>>
>> So, with that understanding, and the understanding that you can do
>> whatever you want within the vm so long as there is no network abuse,
>> I'll get things configured, and send you the detail in the morning so
>> that you can SSH into the box via IPv4 and IPv6.
>>
>> Cheers!
>>
>> Steve
>>
>> ps. it would likely be kind to reply to your original post to the cisco-nsp
>> list with [RESOLVED] in the subject, just so the others who were
>> following the thread can rest assured that all is well and good with you
>> ;)
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
From mtinka at globaltransit.net Sat Jan 2 02:31:02 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 2 Jan 2010 15:31:02 +0800
Subject: [c-nsp] 3750ME L2/MPLS combined scenario - "Thread Resurrection"
In-Reply-To: <6bb5f5b10802010836u58f055ddnf78ac79f26fc92d7@mail.gmail.com>
References: <6B43981C32F8464CB24CEE209DA32BD3011AB2C5@kenya.tronet.as> <6bb5f5b10802010836u58f055ddnf78ac79f26fc92d7@mail.gmail.com>
Message-ID: <201001021531.07359.mtinka@globaltransit.net>

On Saturday 02 February 2008 12:36:08 am Rubens Kuhl Jr. wrote:

Hello all.

Apologies for resurrecting this very old thread, but...

> We've tried that with 3750ME, and the half a million bugs
> and architectural flaws made us drop that line of
> devices out of MPLS altogether. Keeping the PW with L2
> on 3750ME will make your customer happier.

... we're in a situation where extending MPLS into the access may make a bit of sense.

The platform currently in the field is as described in this thread, the Cisco 3750ME, albeit it's working in Layer 2-only mode, today.

In the spirit of not wanting to replace these boxes with something else more capable as yet, do the comments from Rubens, above, still hold true as of IOS 12.2(52)SE?

Keeping in mind the various hardware/software restrictions associated with this class of platforms, we'd be looking to run the following on the system (some are advertised as supported by Cisco, others are implied as such):

* MPLS upstream to the core
* IPv4 forwarding for customers
* IPv4 forwarding over MPLS (upstream to core)
* IPv6 forwarding for customers
* IPv4, IPv6, MPLS ECMP
* Locally-significant VLANs for customers
* EoMPLS for customers
* l3vpn's for customers (BGP-based)
* IS-IS (Loopbacks + Infrastructure)
* BGP (default route importation only)

Since all our Layer 2 features are used to "wire" customers to the nearest Layer 3/MPLS-capable box, we have no need to implement Layer 2 features beyond local VLAN support, provided the ones mentioned above can work without issue.

We haven't had a chance to run anything as remotely advanced as the features highlighted above, so any useful operational feedback (especially the negatives) from folk who have would be much appreciated, as we begin our own tests as well. Operator feedback in this case is initially far more useful than input from Cisco themselves.

The 3750ME really only makes sense if those features can be reliably supported beyond paper; else, the case for Layer 2-only Ethernet switches becomes far more compelling, e.g., Cisco 2960, etc.

Cheers,

Mark.

From domintefamily at yahoo.co.uk Sat Jan 2 12:09:52 2010
From: domintefamily at yahoo.co.uk (C and C Dominte)
Date: Sat, 2 Jan 2010 17:09:52 +0000 (GMT)
Subject: [c-nsp] Cisco 6509-E issues
In-Reply-To:
References: <16e2ac180912290541n6cfcb6b2yb4de7a88f40bd7f7@mail.gmail.com>
Message-ID: <535857.93381.qm@web27904.mail.ukl.yahoo.com>

Hi,

Is there any chance of overlapping subnets configured on two different routers? I saw similar issues caused by this, but traceroute and show ip route commands should help diagnose that.

Catalin

________________________________
From: Lee
To: Renelson Panosky
Cc: cisco-nsp at puck.nether.net
Sent: Tue, 29 December, 2009 21:53:57
Subject: Re: [c-nsp] Cisco 6509-E issues

On Tue, Dec 29, 2009 at 8:41 AM, Renelson Panosky wrote:
> I am experiencing a small problem with one of my Cisco 6509-E on my
> network. My management device (SNMP) is showing one of my switches is down but
> I am able to log in to the switch, ping it from my PC, ping it from other
> Cisco devices on the network. A couple of computers on my network are not able
> to ping it or telnet; however, every user who is directly connected to that
> switch is able to get online. I have not received any complaints yet from
> any of my users. I just want to make sure this doesn't turn into a bigger
> issue. Any advice?
>

I've seen the same type of thing - traceroute to find where it breaks and 'clear ip route *' on that box or the next hop cleared it up.

Regards,
Lee

>
> Happy Holidays

From jasonleblanc at gmail.com Sun Jan 3 01:11:48 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Sat, 2 Jan 2010 23:11:48 -0700
Subject: [c-nsp] IOS Code Recommendations
Message-ID:

All,

Cisco only does safe harbor on a few select devices. Being as how this group is made up of a lot of service providers and enterprise networks, does anyone know the latest stable version of code for any or all of the following:

2651XM
WS-C3550-24-PWR
WS-C3560-24PS-S
Catalyst 3560-48TS

Thanks,

//LeBlanc
From listensammler at gmx.de Sun Jan 3 14:22:34 2010
From: listensammler at gmx.de (listensammler at gmx.de)
Date: Sun, 03 Jan 2010 20:22:34 +0100
Subject: [c-nsp] understanding ping ipv6 output
Message-ID: <4B40EE7A.8060200@gmx.de>

Hi List,

I have some problems with understanding the output of the "ping ipv6" command and can't find any documentation on the Cisco website.

Ping in IPv4 mode uses these characters:

!  Each exclamation point indicates receipt of a reply.
.  Each period indicates the network server timed out while waiting for a reply.
U  A destination unreachable error PDU was received.
Q  Source quench (destination too busy).
M  Could not fragment.
?  Unknown packet type.
&  Packet lifetime exceeded

Can someone give me an overview of the ipv6 output characters or an explanation of the following output?

ipv6#ping 2A00:1450:8001::6A size 900

Type escape sequence to abort.
Sending 5, 900-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
CCCCC
Success rate is 0 percent (0/5)
ipv6#ping 2A00:1450:8001::6A size 1600

Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)
ipv6#ping 2A00:1450:8001::6A size 100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

Thanks in advance...

Regards,
Alex

From achatz at forthnet.gr Sun Jan 3 15:37:54 2010
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sun, 03 Jan 2010 22:37:54 +0200
Subject: [c-nsp] understanding ping ipv6 output
In-Reply-To: <4B40EE7A.8060200@gmx.de>
References: <4B40EE7A.8060200@gmx.de>
Message-ID: <4B410022.8040508@forthnet.gr>

http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_10.html#wp2269378

Although "C" doesn't seem to be there.

--
Tassos

listensammler at gmx.de wrote on 03/01/2010 21:22:
> Hi List,
>
> i have some problems with understanding the output of "ping ipv6"
> command and can't find any documentation on cisco website.
>
> Ping in IPv4-mode uses these characters:
> ! Each exclamation point indicates receipt of a reply.
> . Each period indicates the network server timed out while waiting
> for a reply.
> U A destination unreachable error PDU was received.
> Q Source quench (destination too busy).
> M Could not fragment.
> ? Unknown packet type.
> & Packet lifetime exceeded
>
> Can someone give me an overview of the ipv6 output characters or an
> explanation of the following output?
>
> ipv6#ping 2A00:1450:8001::6A size 900
>
> Type escape sequence to abort.
> Sending 5, 900-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
> CCCCC
> Success rate is 0 percent (0/5)
> ipv6#ping 2A00:1450:8001::6A size 1600
>
> Type escape sequence to abort.
> Sending 5, 1600-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2
> seconds:
> AAAAA
> Success rate is 0 percent (0/5)
> ipv6#ping 2A00:1450:8001::6A size 100
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
>
> Thanks in advance...
>
> Regards,
> Alex

From kiyoshi.suzuki at kvh.co.jp Sun Jan 3 19:31:44 2010
From: kiyoshi.suzuki at kvh.co.jp (Suzuki, Kiyoshi (Network Service Development))
Date: Mon, 4 Jan 2010 09:31:44 +0900
Subject: [c-nsp] understanding ping ipv6 output
In-Reply-To: <4B40EE7A.8060200@gmx.de>
References: <4B40EE7A.8060200@gmx.de>
Message-ID:

http://www.cisco.com/en/US/customer/docs/ios/fundamentals/command/reference/cf_m1.html#wp1013837

C for congestion?

-Yoshi

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> listensammler at gmx.de
> Sent: Monday, January 04, 2010 4:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] understanding ping ipv6 output
>
> Hi List,
>
> i have some problems with understanding the output of "ping ipv6"
> command and can't find any documentation on cisco website.
>
> Ping in IPv4-mode uses these characters:
> ! Each exclamation point indicates receipt of a reply.
> . Each period indicates the network server timed out
> while waiting for
> a reply.
> U A destination unreachable error PDU was received.
> Q Source quench (destination too busy).
> M Could not fragment.
> ? Unknown packet type.
> & Packet lifetime exceeded
>
> Can someone give me an overview of the ipv6 output characters or an
> explanation of the following output?
>
> ipv6#ping 2A00:1450:8001::6A size 900
>
> Type escape sequence to abort.
> Sending 5, 900-byte ICMP Echos to 2A00:1450:8001::6A, timeout
> is 2 seconds:
> CCCCC
> Success rate is 0 percent (0/5)
> ipv6#ping 2A00:1450:8001::6A size 1600
>
> Type escape sequence to abort.
> Sending 5, 1600-byte ICMP Echos to 2A00:1450:8001::6A,
> timeout is 2 seconds:
> AAAAA
> Success rate is 0 percent (0/5)
> ipv6#ping 2A00:1450:8001::6A size 100
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 2A00:1450:8001::6A, timeout
> is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max =
> 20/20/20 ms
>
> Thanks in advance...
>
> Regards,
> Alex
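A parser for the ping transcript Alex pasted, added here as an example that is not code from any of the posters: it maps each per-packet result character to the IPv4 legend from the question (the 'A' and 'B' entries are assumptions taken from the Cisco IPv6 ping reference Tassos links to, so verify them there) and brackets the packet size at which replies stop, which is the symptom worth handing to whoever owns the path. The sample input is the page's own three runs, embedded as constructed text.

```python
import re
from collections import Counter

# Per-packet result codes. The IPv4 entries are the ones Alex quotes in the
# question; 'A' and 'B' are assumptions taken from the Cisco IPv6 ping
# reference linked in the thread, so check them there before relying on them.
LEGEND = {
    "!": "reply received",
    ".": "timed out waiting for a reply",
    "U": "destination unreachable error PDU received",
    "Q": "source quench (destination too busy)",
    "M": "could not fragment",
    "?": "unknown packet type",
    "&": "packet lifetime exceeded",
    "A": "administratively prohibited (assumed, IPv6 ping)",
    "B": "packet too big (assumed, IPv6 ping)",
}

# Constructed sample: the three runs from the question, pasted verbatim.
SAMPLE = """\
ipv6#ping 2A00:1450:8001::6A size 900

Type escape sequence to abort.
Sending 5, 900-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
CCCCC
Success rate is 0 percent (0/5)
ipv6#ping 2A00:1450:8001::6A size 1600

Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)
ipv6#ping 2A00:1450:8001::6A size 100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
"""

SENDING_RE = re.compile(
    r"Sending (\d+), (\d+)-byte ICMP Echos to (\S+), timeout is (\d+) seconds:")
RATE_RE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")
CODES_RE = re.compile(r"^[!.UQMA-Z?&]+$")


def parse_ping_runs(text):
    """Split a pasted IOS session into one dict per ping run."""
    lines = [ln.strip() for ln in text.splitlines()]
    runs, i = [], 0
    while i < len(lines):
        m = SENDING_RE.search(lines[i])
        i += 1
        if not m:
            continue
        sent, size, dest, timeout = (int(m.group(1)), int(m.group(2)),
                                     m.group(3), int(m.group(4)))
        # The next non-empty line is the string of per-packet result codes.
        while i < len(lines) and not lines[i]:
            i += 1
        if i < len(lines) and CODES_RE.match(lines[i]):
            codes = lines[i]
            i += 1
        else:
            codes = ""
        rate = RATE_RE.search(lines[i]) if i < len(lines) else None
        runs.append({"dest": dest, "size": size, "sent": sent,
                     "timeout": timeout, "codes": codes,
                     "ok": int(rate.group(1)) if rate else codes.count("!")})
    return runs


def explain(run):
    """Count each result code in a run and attach its legend meaning."""
    return {code: (n, LEGEND.get(code, "not in legend"))
            for code, n in Counter(run["codes"]).items()}


def size_boundary(runs):
    """Largest size that fully succeeded and smallest size that fully failed.
    The gap between them brackets a size-dependent drop, which is what a path
    MTU problem or a length-based filter looks like from the router."""
    passed = [r["size"] for r in runs if r["sent"] and r["ok"] == r["sent"]]
    failed = [r["size"] for r in runs if r["ok"] == 0]
    return (max(passed) if passed else None, min(failed) if failed else None)


if __name__ == "__main__":
    runs = parse_ping_runs(SAMPLE)
    for run in runs:
        print(run["size"], "bytes:", explain(run))
    print("largest passing / smallest failing size:", size_boundary(runs))
```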
From jlewis at lewis.org Mon Jan 4 14:51:35 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 4 Jan 2010 14:51:35 -0500 (EST)
Subject: [c-nsp] 3550 IO memory fragmentation
Message-ID:

We had a recent network event during which all of our 3550 access layer switches started logging things like:

%SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48, alignment 0
Pool: I/O  Free: 5936  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool

-Process= "Pool Manager", ipl= 0, pid= 5
-Traceback= 1C919C 1CA760 17FC4C 1DB43C 1DB658 1EBACC 1EF0FC

A few minutes later, all was back to normal, though one 3550 did a software forced crash / reload.

Under normal circumstances, these switches have 4.5-5mb of free IO memory.

This looks very similar to what was posted several years ago at

http://www.velocityreviews.com/forums/t31947-catalysts-trouble.html

Searching bug toolkit, I didn't find anything that looked relevant. Has anyone else run into this sort of thing with 12.1EA software or have an idea what the cause/solutions might be?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
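A small detector for the log record Jon quotes, added as an example that is not Jon's or anyone else's code from the thread: it reassembles the multi-line %SYS-2-MALLOCFAIL record as a collector would receive it, keeps only I/O-pool failures, and flags a time window in which several switches starve at once, the fleet-wide pattern Jon describes, as distinct from one box hitting a local bug. The collector format (ISO timestamp, hostname, message), the host names and the 4.5 MB baseline taken from Jon's "4.5-5mb" figure are assumptions, and the log itself is constructed.

```python
import re
from datetime import datetime

# Free I/O memory Jon reports as normal on these 3550s (4.5-5 MB); used only
# to express how far below baseline the failing pool has dropped.
NORMAL_FREE_IO_BYTES = 4_500_000

# Constructed collector log (assumed "ISO-timestamp hostname message" format).
# The MALLOCFAIL text is the record quoted in the thread; the two lines that
# follow each first line are how IOS prints the pool details.
SAMPLE_LOG = """\
2010-01-04T14:02:11 sw-acc-01 %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48, alignment 0
Pool: I/O  Free: 5936  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
2010-01-04T14:02:13 sw-acc-02 %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48, alignment 0
Pool: I/O  Free: 4120  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
2010-01-04T14:02:14 sw-acc-01 %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48, alignment 0
Pool: I/O  Free: 5936  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
2010-01-04T14:02:20 sw-acc-03 %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48, alignment 0
Pool: I/O  Free: 2048  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
2010-01-04T14:02:30 sw-acc-02 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
2010-01-04T18:40:00 sw-dist-09 %SYS-2-MALLOCFAIL: Memory allocation of 256 bytes failed from 0x1ABCD0, alignment 0
Pool: Processor  Free: 120000  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\b")
MALLOCFAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %SYS-2-MALLOCFAIL: Memory allocation of "
    r"(?P<bytes>\d+) bytes failed from (?P<pc>0x[0-9A-Fa-f]+), alignment \d+"
    r"\s+Pool: (?P<pool>\S+)\s+Free: (?P<free>\d+)\s+Cause: (?P<cause>.+?)"
    r"\s+Alternate Pool:"
)


def join_continuations(text):
    """Lines without a leading timestamp continue the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TS_RE.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_mallocfail(record):
    """Return the fields of one MALLOCFAIL record, or None for other messages."""
    m = MALLOCFAIL_RE.match(record)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "host": d["host"],
            "bytes": int(d["bytes"]), "pc": d["pc"], "pool": d["pool"],
            "free": int(d["free"]), "cause": d["cause"]}


def io_pool_events(text):
    """All I/O-pool MALLOCFAIL events in the log, oldest first."""
    events = [e for e in map(parse_mallocfail, join_continuations(text)) if e]
    return sorted((e for e in events if e["pool"] == "I/O"),
                  key=lambda e: e["ts"])


def fleet_alerts(events, window_s=300, min_hosts=3):
    """Group I/O-pool failures into time windows. A window that touches
    min_hosts or more distinct switches is flagged fleet-wide: many boxes
    starving at once points at something traffic-driven hitting the I/O
    pool, whereas a lone switch looks more like a local software bug."""
    alerts, i = [], 0
    while i < len(events):
        start = events[i]["ts"]
        window = [e for e in events[i:]
                  if (e["ts"] - start).total_seconds() <= window_s]
        hosts = sorted({e["host"] for e in window})
        lowest = min(e["free"] for e in window)
        alerts.append({"start": start, "hosts": hosts, "events": len(window),
                       "fleet_wide": len(hosts) >= min_hosts,
                       "min_free_pct_of_normal":
                           round(100.0 * lowest / NORMAL_FREE_IO_BYTES, 3)})
        i += len(window)
    return alerts


if __name__ == "__main__":
    for alert in fleet_alerts(io_pool_events(SAMPLE_LOG)):
        print(alert)
```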
From david.freedman at uk.clara.net Mon Jan 4 15:10:18 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 04 Jan 2010 20:10:18 +0000
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To:
References:
Message-ID: <4B424B2A.3060406@uk.clara.net>

What release are you running? Could it be CSCdz51522?

Dave.

Jon Lewis wrote:
> We had a recent network event during which all of our 3550 access layer
> switches started logging things like:
>
> %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48,
> alignment 0
> Pool: I/O Free: 5936 Cause: Memory fragmentation
> Alternate Pool: None Free: 0 Cause: No Alternate pool
>
> -Process= "Pool Manager", ipl= 0, pid= 5
> -Traceback= 1C919C 1CA760 17FC4C 1DB43C 1DB658 1EBACC 1EF0FC
>
> A few minutes later, all was back to normal, though one 3550 did a
> software forced crash / reload.
>
> Under normal circumstances, these switches have 4.5-5mb of free IO memory.
>
> This looks very similar to what was posted several years ago at
>
> http://www.velocityreviews.com/forums/t31947-catalysts-trouble.html
>
> Searching bug toolkit, I didn't find anything that looked relevant. Has
> anyone else run into this sort of thing with 12.1EA software or have an
> idea what the cause/solutions might be?
>
> ----------------------------------------------------------------------
> Jon Lewis                   |  I route
> Senior Network Engineer     |  therefore you are
> Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
From drew.weaver at thenap.com Mon Jan 4 15:35:20 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 4 Jan 2010 15:35:20 -0500
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
Message-ID:

Howdy,

I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers. Currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes set up like

ip route x.x.x.x 255.255.224.0 Null0 254

and then we have an extended access-list applied to each peer with our net blocks listed in them.

It appears that because of the network statements, the supernet routes (/18s, /19s, etc.) are being distributed via BGP to the rest of the network, which is by design (I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than, say, a /18 or /19, it travels all the way through the network to the edge before stopping. I might be blowing the impact of this out of proportion, but it just seems like a waste of resources.

Does anyone know of a seemingly more sensible way of doing this?

-Drew
From jared at puck.nether.net Mon Jan 4 15:42:08 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 4 Jan 2010 15:42:08 -0500
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To:
References:
Message-ID: <72814585-3C40-4FD9-8F6F-0A682E689DA4@puck.nether.net>

On Jan 4, 2010, at 3:35 PM, Drew Weaver wrote:

> Howdy,
>
> I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers, currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes setup like ip route x.x.x.x 255.255.224.0 Null0 254 and then we have a extended access-list applied to each peer with our net blocks listed in them.
>
> It appears that because of the network statements, the supernet routes (/18s, /19s, etc) are being distributed via BGP to the rest of the network which is by design(I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than say /18, or /19 it travels all the way through the network to the edge before stopping. I might be blowing the impact of this out of proportion, but it just seems like a waste of resources.
>
> Does anyone know of a seemingly more sensible way of doing this?

You could always tag these hold-down routes with a community, then when someone sends a packet to them, the next-hop could be rewritten to a local discard/null0 instance. This should allow you to distribute the load instead of backhauling the traffic to the final destination/aggregation location.

- Jared
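Jared's community-tagged hold-down, with a prefix-list in place of the per-peer extended ACL, written out as an added example configuration that is not Drew's, Jared's or anyone else's config from this thread. AS 65000, tag 100, community 65000:100, 192.0.2.0/24 standing in for the real supernet, the discard next hop 10.255.255.1, the neighbour addresses and the upstream AS 64496 are all assumed values.

```cisco
ip bgp-community new-format
!
! --- Edge router that originates the aggregate ---
! The hold-down static carries a tag so the redistribution policy can pick
! it out; nothing untagged enters BGP through "redistribute static".
ip route 192.0.2.0 255.255.255.0 Null0 254 tag 100
!
route-map STATIC-TO-BGP permit 10
 match tag 100
 set community 65000:100 additive
 set origin igp
!
! Only the aggregate may be announced upstream: the prefix-list replaces the
! per-peer extended ACL, and anything longer falls to the implicit deny.
ip prefix-list OUR-BLOCKS seq 10 permit 192.0.2.0/24
!
route-map TO-UPSTREAM permit 10
 match ip address prefix-list OUR-BLOCKS
!
router bgp 65000
 redistribute static route-map STATIC-TO-BGP
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 route-map TO-UPSTREAM out
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community
!
! --- Every other iBGP speaker ---
! Routes carrying the hold-down community get a next hop that resolves to
! Null0 on this box, so a packet for an unallocated address is discarded at
! the first router it reaches instead of crossing the network to the edge.
ip community-list standard HOLDDOWN permit 65000:100
!
ip route 10.255.255.1 255.255.255.255 Null0
!
interface Null0
 no ip unreachables
!
route-map IBGP-IN permit 10
 match community HOLDDOWN
 set ip next-hop 10.255.255.1
route-map IBGP-IN permit 20
!
router bgp 65000
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 route-map IBGP-IN in
```

The empty "permit 20" entry is what keeps every other iBGP route; without it the route-map's implicit deny would drop them.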
From jlewis at lewis.org Mon Jan 4 16:01:00 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 4 Jan 2010 16:01:00 -0500 (EST)
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <4B424B2A.3060406@uk.clara.net>
References: <4B424B2A.3060406@uk.clara.net>
Message-ID:

Most of the 3550s, including the one that crashed, are running 121-22.EA10b. CSCdz51522 seems unlikely as there was nobody logged in making changes and nobody should have been making (and there are no logged signs of) physical changes to the network at the time of the event.

On Mon, 4 Jan 2010, David Freedman wrote:

> What release are you running? could it be CSCdz51522?
>
> Dave.
>
> Jon Lewis wrote:
>> We had a recent network event during which all of our 3550 access layer
>> switches started logging things like:
>>
>> %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48,
>> alignment 0
>> Pool: I/O Free: 5936 Cause: Memory fragmentation
>> Alternate Pool: None Free: 0 Cause: No Alternate pool
>>
>> -Process= "Pool Manager", ipl= 0, pid= 5
>> -Traceback= 1C919C 1CA760 17FC4C 1DB43C 1DB658 1EBACC 1EF0FC
>>
>> A few minutes later, all was back to normal, though one 3550 did a
>> software forced crash / reload.
>>
>> Under normal circumstances, these switches have 4.5-5mb of free IO memory.
>>
>> This looks very similar to what was posted several years ago at
>>
>> http://www.velocityreviews.com/forums/t31947-catalysts-trouble.html
>>
>> Searching bug toolkit, I didn't find anything that looked relevant. Has
>> anyone else run into this sort of thing with 12.1EA software or have an
>> idea what the cause/solutions might be?
>>
>> ----------------------------------------------------------------------
>> Jon Lewis                   |  I route
>> Senior Network Engineer     |  therefore you are
>> Atlantic Net                |
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
From gsgranados at comcast.net Mon Jan 4 16:02:40 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 4 Jan 2010 13:02:40 -0800
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
References:
Message-ID: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com>

Drew, network statements are for the weak. :)

(I'm kidding of course) but there is a better way.

You should use community tagging in combination with prefix lists and route maps. The idea is that you announce routes according to a tag, and the behavior of the announcements depends on the specific tag applied. For example, you could tag routes as peers, transits, global announce, etc. and formulate the type of feeds you give your customers by filtering against communities, so if a customer wants peers and customers only, you could match the two appropriate community tags. This also allows you to tag the communities you globally announce uniquely and make the announcements in a unified way at your edges. If you accompany this method with the appropriate redistribute static, redistribute connected, etc. and use route maps to control this behavior, you can remove the need for network statements completely and greatly decrease the things you need to modify and, as a result, the possible mistakes. The other upside here is you can mark your more specifics as do-not-export and better control traffic internally, better directing the traffic in your example. It also allows you to accept communities from your customers and have automatic actions taken based on the tags they apply.

Let me know if you need some configuration examples.

----- Original Message -----
From: "Drew Weaver"
To: "Cisco-nsp"
Sent: Monday, January 04, 2010 12:35 PM
Subject: [c-nsp] BGP - Announcing routes to Internet providers.

> Howdy,
>
> I am trying to figure out if there is a different/newer/better(?) way to
> announce our public IP ranges to our Internet providers, currently we are
> declaring our subnets in 'network statements' in the BGP configuration, we
> have static routes setup like ip route x.x.x.x 255.255.224.0 Null0 254 and
> then we have a extended access-list applied to each peer with our net
> blocks listed in them.
>
> It appears that because of the network statements, the supernet routes
> (/18s, /19s, etc) are being distributed via BGP to the rest of the network
> which is by design(I assume). This doesn't seem ideal because if traffic
> is sent to an IP address that doesn't have a more specific route than say
> /18, or /19 it travels all the way through the network to the edge before
> stopping. I might be blowing the impact of this out of proportion, but it
> just seems like a waste of resources.
>
> Does anyone know of a seemingly more sensible way of doing this?
>
> -Drew

From MatlockK at exempla.org Mon Jan 4 16:07:07 2010
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Mon, 4 Jan 2010 14:07:07 -0700
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To:
References: <4B424B2A.3060406@uk.clara.net>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3D92@LMC-MAIL2.exempla.org>

Do you have traffic graphs during this timeframe? Maybe a DDOS at or through these boxes tied up the available memory. Especially since 'I/O' was the pool it was trying to grab from at the time?

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
Sent: Monday, January 04, 2010 2:01 PM
To: David Freedman
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3550 IO memory fragmentation

Most of the 3550s, including the one that crashed, are running 121-22.EA10b. CSCdz51522 seems unlikely as there was nobody logged in making changes and nobody should have been making (and there are no logged signs of) physical changes to the network at the time of the event.

On Mon, 4 Jan 2010, David Freedman wrote:

> What release are you running? could it be CSCdz51522?
>
> Dave.
>
> Jon Lewis wrote:
>> We had a recent network event during which all of our 3550 access layer
>> switches started logging things like:
>>
>> %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48,
>> alignment 0
>> Pool: I/O Free: 5936 Cause: Memory fragmentation
>> Alternate Pool: None Free: 0 Cause: No Alternate pool
>>
>> -Process= "Pool Manager", ipl= 0, pid= 5
>> -Traceback= 1C919C 1CA760 17FC4C 1DB43C 1DB658 1EBACC 1EF0FC
>>
>> A few minutes later, all was back to normal, though one 3550 did a
>> software forced crash / reload.
>>
>> Under normal circumstances, these switches have 4.5-5mb of free IO memory.
>>
>> This looks very similar to what was posted several years ago at
>>
>> http://www.velocityreviews.com/forums/t31947-catalysts-trouble.html
>>
>> Searching bug toolkit, I didn't find anything that looked relevant. Has
>> anyone else run into this sort of thing with 12.1EA software or have an
>> idea what the cause/solutions might be?
>>
>> ----------------------------------------------------------------------
>> Jon Lewis                   |  I route
>> Senior Network Engineer     |  therefore you are
>> Atlantic Net                |
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From chris.garzon at gmail.com Tue Jan 5 02:05:12 2010
From: chris.garzon at gmail.com (Dracul)
Date: Tue, 5 Jan 2010 15:05:12 +0800
Subject: [c-nsp] BGP ip addresses re-route to specific link
Message-ID: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>

Hi there,

I was wondering if you could do a segregated route for specific ip addresses under BGP going only to a specific link. For example, if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account going through upstream2. The rest would still be using the usual BGP routing behavior.

Thanks!

regards,
Chris
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 5 Jan 2010 08:30:27 +0100
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com>
References: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com>
Message-ID: <00a501ca8dd8$f4eb15a0$dec140e0$@info>

Let's take a step back and ask the questions we should have been asking in the first place:

* Are you an end-user or a Service Provider (somewhat reliable answer could be gleaned from Drew's e-mail address)?
* What's the size of your network?
* How many uplinks do you have?
* How far apart are your uplinks?

If it turns out Drew's uplinks are close together, all the beautiful design ideas presented here are a huge overkill.

And, BTW, I wish those of you that propose redistributing connected and static routes into BGP a huge budget you'll need to upgrade RAM and TCAM of your routers/switches when everyone decides (after reading this mailing list :) that following your recommendations unconditionally is a good idea :D

Ivan

> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Monday, January 04, 2010 10:03 PM
> To: Drew Weaver; Cisco-nsp
> Subject: Re: [c-nsp] BGP - Announcing routes to Internet providers.
>
> Drew, network statements are for the weak. :)
> (I'm kidding of course) but there is a better way.
>
> You should use community tagging in combination with prefix lists and route maps. The idea is that you announce routes according to a tag and the behavior of the announcements depends on the specific tag applied. For example, you could tag routes as peers, transits, global announce, etc. and formulate the type of feeds you give your customers by filtering against communities, so if a customer wants peers and customers only you could match the two appropriate community tags. This also allows you to tag the communities you globally announce uniquely and make the announcements in a unified way at your edges. If you accompany this method with the appropriate redistribute static, redistribute connected, etc. and use route maps to control this behavior, you can remove the need for network statements completely and greatly decrease the things you need to modify and, as a result, the possible mistakes. The other upside here is you can mark your more specifics as do-not-export and better control traffic internally, better directing the traffic in your example. It also allows you to accept communities from your customers and have automatic actions taken based on the tags they apply. Let me know if you need some configuration examples.
>
>
>
> ----- Original Message -----
> From: "Drew Weaver"
> To: "Cisco-nsp"
> Sent: Monday, January 04, 2010 12:35 PM
> Subject: [c-nsp] BGP - Announcing routes to Internet providers.
>
> > Howdy,
> >
> > I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers. Currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes set up like ip route x.x.x.x 255.255.224.0 Null0 254, and then we have an extended access-list applied to each peer with our net blocks listed in them.
> >
> > It appears that because of the network statements, the supernet routes (/18s, /19s, etc) are being distributed via BGP to the rest of the network, which is by design (I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than, say, /18 or /19, it travels all the way through the network to the edge before stopping. I might be blowing the impact of this out of proportion, but it just seems like a waste of resources.
> >
> > Does anyone know of a seemingly more sensible way of doing this?
> >
> > -Drew
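The community-tagged announcement policy Scott describes, written out as an added IOS configuration example. This is not Scott's or Drew's configuration: the AS numbers, prefixes, neighbour addresses and community values are assumptions drawn from the RFC 5398 and RFC 5737 documentation ranges. It also carries the two checks a practitioner would want on a policy like this: the origination route-map admits only tagged statics into BGP (Ivan's RAM/TCAM point), and every eBGP session has an explicit outbound route-map whose implicit deny stops a full table learned from one provider from leaking to another.

```cisco
! Added example, not from the thread: community-tagged origination and
! per-neighbour export policy on Cisco IOS, following Scott's description.
! AS numbers, prefixes, neighbour addresses and community values are
! assumptions (RFC 5398 / RFC 5737 documentation ranges).
!
! Community plan (assumed):
!   65000:100  may be announced to transit providers
!   65000:200  may be announced to settlement-free peers
!   65000:300  internal more-specific, never leaves AS 65000
!
ip bgp-community new-format
!
! Pull-up routes carry a tag that decides how they enter BGP.
ip route 203.0.113.0 255.255.255.0 Null0 254 tag 100
ip route 203.0.113.0 255.255.255.128 Null0 254 tag 300
!
! Only tagged statics are redistributed; the implicit deny at the end of
! the route-map keeps every other static (and its TCAM cost) out of BGP.
route-map STATIC-TO-BGP permit 10
 match tag 100
 set community 65000:100 65000:200
route-map STATIC-TO-BGP permit 20
 match tag 300
 set community 65000:300 no-export
!
ip community-list standard TO-TRANSIT permit 65000:100
ip community-list standard TO-PEERS permit 65000:200
ip community-list expanded OUR-COMMUNITIES permit _65000:[0-9]+_
!
! Outbound: announce only what carries the right tag. The implicit deny
! means a full table learned from transit-1 can never leak to peer-1.
route-map TRANSIT-OUT permit 10
 match community TO-TRANSIT
route-map PEER-OUT permit 10
 match community TO-PEERS
!
! Inbound: strip our own communities from anything a neighbour sends, so
! an external party cannot tag a route to make us re-announce it.
route-map EBGP-IN permit 10
 set comm-list OUR-COMMUNITIES delete
!
router bgp 65000
 bgp log-neighbor-changes
 redistribute static route-map STATIC-TO-BGP
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 description transit-1
 neighbor 192.0.2.1 route-map EBGP-IN in
 neighbor 192.0.2.1 route-map TRANSIT-OUT out
 neighbor 198.51.100.1 remote-as 64502
 neighbor 198.51.100.1 description peer-1
 neighbor 198.51.100.1 route-map EBGP-IN in
 neighbor 198.51.100.1 route-map PEER-OUT out
```

To confirm the policy does what the tags say, compare `show ip bgp neighbors 198.51.100.1 advertised-routes` against `show ip bgp community 65000:200`: the two lists should match, and `show ip bgp community 65000:300` should never appear in any eBGP advertised-routes output. Adding a new prefix is then a single tagged static, with no per-neighbour change.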
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Tue, 5 Jan 2010 08:34:56 +0100
Subject: [c-nsp] VPDN Problem

Hi,

Output of show vpdn history failure

#sh vpdn history failure
User: xyz, MID = 902
NAS: lac, IP address = 1.2.3.4, CLID = 63366
Gateway: lns, IP address = 5.6.7.8, CLID = 1417
Log time: Jan 4 10:55:24.390, Error repeat count: 3
Failure type: The remote server closed this session
Failure reason: Result 2, Error 6

As I found out, the failure reason could be interpreted as the following:

Result 2 - General error (Error code indicates problem)
Error 2 - Invalid destination

What is the meaning of invalid destination? As the tunnel is established and only gets dropped if you exceed your bandwidth, I can't get the meaning of the error message from the context.

Regards,
Sebastian

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Wednesday, 23 December 2009 17:23
> To: Sebastian Ganschow; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] VPDN Problem
>
> Sebastian,
>
> You can try looking at the output of "show vpdn history".
> I think the error you get means that the remote side requested a disconnect, but I also see some cases where this appears by mistake...
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian Ganschow
> Sent: Wednesday, December 23, 2009 12:17
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VPDN Problem
>
> Hi all,
>
> we've got a little problem with our vpdn where we're stuck. Could anyone explain the following debugging messages from our 7206 to me:
>
> VPDN Vi12 disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign Host Close
> VPDN Vi12 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=23, syslog_key_type=1
> %VPDN-6-CLOSED: L2TP LNS viade-dbmg-lns closed Vi12 user username; Result 2, Error 6, Locally generated disconnect
>
> What is the meaning of:
> - 8/port-error Ascend: 41/TCP
> - Result 2, Error 6, Locally generated disconnect
>
> On CCO there is no information about those messages.
>
> The session gets disconnected if the upstream bandwidth is exceeded. There are two providers who are delivering those vpdn sessions to us. We've tried with users of theirs, but the disconnect only happens on our own LNS. If the user is connected to the LNS of one of the two providers, the session won't be disconnected.
>
> Any Ideas?
>
> Regards
> Sebastian

From ccie19804 at gmail.com Tue Jan 5 03:02:09 2010
From: ccie19804 at gmail.com (swap m)
Date: Tue, 5 Jan 2010 12:02:09 +0400
Subject: [c-nsp] BGP ip addresses re-route to specific link
In-Reply-To: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>

You can use "BGP Conditional Route Injection" to generate the /28 (it should be a child subnet of the parent /24), then filter the prefixes to select which upstreams should receive this injected subnet.

cheers

On Tue, Jan 5, 2010 at 11:05 AM, Dracul wrote:
> Hi there,
>
> I was wondering if you could do a segregate route, for specific ip addresses under BGP going only to a specific link. For example, if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior. Thanks!
>
> regards,
> Chris

From avayner at cisco.com Tue Jan 5 03:10:46 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 5 Jan 2010 09:10:46 +0100
Subject: [c-nsp] VPDN Problem

Sebastian,

What do you mean by "if you exceed your bandwidth"?

You could try the following debugs for more info:
debug ppp nego
debug vpdn l2x event
debug vpdn l2x error
debug radius

Arie

-----Original Message-----
From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
Sent: Tuesday, January 05, 2010 09:35
To: Arie Vayner (avayner); cisco-nsp
Subject: RE: RE: [c-nsp] VPDN Problem

Hi,

Output of show vpdn history failure

#sh vpdn history failure
User: xyz, MID = 902
NAS: lac, IP address = 1.2.3.4, CLID = 63366
Gateway: lns, IP address = 5.6.7.8, CLID = 1417
Log time: Jan 4 10:55:24.390, Error repeat count: 3
Failure type: The remote server closed this session
Failure reason: Result 2, Error 6

As I found out, the failure reason could be interpreted as the following:

Result 2 - General error (Error code indicates problem)
Error 2 - Invalid destination

What is the meaning of invalid destination? As the tunnel is established and only gets dropped if you exceed your bandwidth, I can't get the meaning of the error message from the context.

Regards,
Sebastian
From avayner at cisco.com Tue Jan 5 03:12:18 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 5 Jan 2010 09:12:18 +0100
Subject: [c-nsp] BGP ip addresses re-route to specific link
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>

Dracul,

Be aware that many (most) ISPs would filter subnets longer than /24, so your /28 would most likely be filtered (even if your direct upstream would send it through).

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of swap m
Sent: Tuesday, January 05, 2010 10:02
To: Dracul
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP ip addresses re-route to specific link

You can use "BGP Conditional Route Injection" to generate the /28 (it should be a child subnet of the parent /24), then filter the prefixes to select which upstreams should receive this injected subnet.

cheers

On Tue, Jan 5, 2010 at 11:05 AM, Dracul wrote:
> Hi there,
>
> I was wondering if you could do a segregate route, for specific ip addresses under BGP going only to a specific link. For example, if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior. Thanks!
>
> regards,
> Chris

From s.ganschow at buelow-masiak.de Tue Jan 5 03:48:20 2010
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Tue, 5 Jan 2010 09:48:20 +0100
Subject: [c-nsp] VPDN Problem

Hi Arie,

I mean that if you've got a DSL line with 160kbit upstream and you use it all.

The main thing I don't understand is the error message "invalid destination".

Do I understand it right that the message I see in sh vpdn hist fail is sent by the LAC to our LNS?

Sebastian

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Tuesday, 5 January 2010 09:11
> To: Sebastian Ganschow; cisco-nsp
> Subject: RE: RE: [c-nsp] VPDN Problem
>
> Sebastian,
>
> What do you mean by "if you exceed your bandwidth"?
>
> You could try the following debugs for more info:
> debug ppp nego
> debug vpdn l2x event
> debug vpdn l2x error
> debug radius
>
> Arie
From avayner at cisco.com Tue Jan 5 03:53:58 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 5 Jan 2010 09:53:58 +0100
Subject: [c-nsp] VPDN Problem

Yes, it is sent from the LAC.

This is a message from the RFC, but I would assume it has something to do with the PPP/L2TP negotiation between the LAC and LNS, and the LAC not agreeing to something sent from the LNS...

The debugs below should help.

Arie

-----Original Message-----
From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
Sent: Tuesday, January 05, 2010 10:48
To: Arie Vayner (avayner); cisco-nsp
Subject: RE: RE: RE: [c-nsp] VPDN Problem

Hi Arie,

I mean that if you've got a DSL line with 160kbit upstream and you use it all.

The main thing I don't understand is the error message "invalid destination".

Do I understand it right that the message I see in sh vpdn hist fail is sent by the LAC to our LNS?

Sebastian

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Tuesday, 5 January 2010 09:11
> To: Sebastian Ganschow; cisco-nsp
> Subject: RE: RE: [c-nsp] VPDN Problem
>
> Sebastian,
>
> What do you mean by "if you exceed your bandwidth"?
>
> You could try the following debugs for more info:
> debug ppp nego
> debug vpdn l2x event
> debug vpdn l2x error
> debug radius
>
> Arie
From peter.haag at switch.ch Tue Jan 5 03:55:08 2010
From: peter.haag at switch.ch (Peter Haag)
Date: Tue, 05 Jan 2010 09:55:08 +0100
Subject: [c-nsp] nfdump-1.6 available
Message-ID: <4B42FE6C.3070500@switch.ch>

Dear all,

I'm happy to announce that nfdump-1.6 is available for download @ Sourceforge.

Several new features have been added ( see list below )

nfdump-1.6 is mostly compatible with nfdump-1.5.x.
nfdump-1.6 works with current NfSen 1.3.2, however, the new features are not accessible using the interface.

*** Please note: ***
PortTracker from NfSen 1.3.2 does *NOT* work with nfdump-1.6.
An updated version for NfSen/PortTracker will be released later.

- Peter

NEW in 1.6 since 1.5.8 ( latest on top )
----------------------
o Add router IP extension.
o Add router ID extension (engine type/ID)
o Add srcmask and dstmask aggregation
o Aggregated ( -a, -A, -b, -B ) or sorted flows ( -m ) can be written back to binary files ( -w )
  Note: This results in a behaviour change for -w in combination with aggregation
o Extend -N ( do not scale numbers ) to all text output not just summary
o Remove header lines of -s stat, when using -q ( quiet )
  Note: This results in a behaviour change for -N
o Remove legacy v1.4 file compatibility
o Remove -S option from nfdump ( legacy 1.4 compatibility )
o Make use of log (syslog) functions for nfprofile.
o Move log functions to util.c
o Update sflow collector.
o Add parse_csv.pl script as an example to parse csv output
o Add csv output format ( -o csv ) as replacement for -o pipe - keep -o pipe for now.
o Flow-tools converter updated - supports all common elements.
o Sflow collector updated. Supports more common elements.
o Add sampling to nfdump. Sampling is automatically recognised in undocumented v5 header fields and in v9 option templates. see nfcapd(1)
o Add @include option for filter to include more filter files.
o Add bidirectional aggregation ( -b, -B ) - experimental feature
o Add flexible aggregation comparable to Flexible Netflow (FNF) over all available v9 tags
o All new tags can be selected in -o fmt:... see nfdump(1)
o topN stat for all new tags is implemented
o Integrate developer code to read from pcap files into stable branch
o Update filter syntax for new tags
o Add flexible storage option for nfcapd. To save disk space, the data extensions to be stored in the data file are user selectable.
o Added more v9 tags for netflow v9. The detailed tags are listed in nfcapd(1)
  Besides MAC addresses and VLAN labels, MPLS labels and many more v9 tags are now supported. AS numbers and interface numbers are now 32bit clean.
  Adding new tags also extended the binary file format with data block type 2, which is extension based. File format for version <= 1.5.* ( Data block format type 1 ) is read transparently. ( --enable-compat15 ) Data block type 2 is skipped by nfdump 1.5.8.
o Added option for multiple netflow streams to the same port. -n
  Example: -n router1,192.168.100.1,/var/nfdump/router1
  So multiple -n options may be given at the command line
  Old style syntax still works for compatibility, ( -I .. -l ... ) but then only one source is supported.
o Move to automake for building nfdump
o Make nfdump fully 64bit compliant. ( 32/64bit data alignments and access ) Compiles and runs cleanly on 32/64bit systems
o Switch scaling factor ( k, M, G ) from 1024 to 1000.

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: peter.haag at switch.ch Web: http://www.switch.ch/

From ip at ioshints.info Tue Jan 5 04:00:29 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 5 Jan 2010 10:00:29 +0100
Subject: [c-nsp] BGP ip addresses re-route to specific link
In-Reply-To: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>
Message-ID: <002c01ca8de5$88bd6060$9a382120$@info>

Are you trying to do destination-based routing (packet TO specific address should go over specific link) or source-based routing (packet FROM specific /28 should go over specific upstream link)?

> -----Original Message-----
> From: Dracul [mailto:chris.garzon at gmail.com]
> Sent: Tuesday, January 05, 2010 8:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] BGP ip addresses re-route to specific link
>
> Hi there,
>
> I was wondering if you could do a segregate route, for specific ip addresses under BGP going only to a specific link. For example, if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior. Thanks!
>
> regards,
> Chris
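Ivan's question has two different answers, and the thread so far only addresses one of them. The following is an added IOS example, not configuration from Chris, swap m, Arie or Ivan, covering both readings: the destination-based case (the /28 is announced to upstream1 only, with the filtering swap m describes and the longer-than-/24 caveat Arie raises) and the source-based case, which BGP cannot express and which needs policy routing. Every address, AS number and interface name is an assumption from the RFC 5737 and RFC 5398 documentation ranges. The destination-based part originates the /28 with an ordinary network statement instead of the conditional route injection swap m mentions; the per-upstream filter is the same either way.

```cisco
! Added example, not from the thread. Assumed: 203.0.113.0/24 is the
! block, 203.0.113.16/28 the part that must only use upstream1
! (192.0.2.1, AS 64501); upstream2 is 198.51.100.1 (AS 64502).
!
! --- Destination-based: traffic TO the /28 should enter via upstream1 ---
! Originate both prefixes, then suppress the /28 toward upstream2.
ip route 203.0.113.0 255.255.255.0 Null0 254
ip route 203.0.113.16 255.255.255.240 Null0 254
!
ip prefix-list TO-UPSTREAM1 seq 5 permit 203.0.113.0/24
ip prefix-list TO-UPSTREAM1 seq 10 permit 203.0.113.16/28
ip prefix-list TO-UPSTREAM2 seq 5 permit 203.0.113.0/24
!
router bgp 65000
 network 203.0.113.0 mask 255.255.255.0
 network 203.0.113.16 mask 255.255.255.240
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 prefix-list TO-UPSTREAM1 out
 neighbor 198.51.100.1 remote-as 64502
 neighbor 198.51.100.1 prefix-list TO-UPSTREAM2 out
!
! Caveat (Arie's point): most networks drop prefixes longer than /24, so
! the /28 normally stops inside upstream1's own AS. Beyond that point the
! rest of the Internet still sees only the /24 and may deliver via
! upstream2. Verify what each neighbour actually received:
!   show ip bgp neighbors 192.0.2.1 advertised-routes
!   show ip bgp neighbors 198.51.100.1 advertised-routes
!
! --- Source-based: traffic FROM the /28 must leave via upstream1 ---
! BGP cannot express this; policy routing on the inside-facing interface
! sends packets sourced from the /28 to upstream1's next hop.
ip access-list extended FROM-28
 permit ip 203.0.113.16 0.0.0.15 any
!
route-map SRC-28-VIA-UPSTREAM1 permit 10
 match ip address FROM-28
 set ip next-hop 192.0.2.1
!
interface GigabitEthernet0/1
 description inside, where the /28 hosts arrive
 ip policy route-map SRC-28-VIA-UPSTREAM1
```

The policy-routed half forwards to 192.0.2.1 whether or not that session is healthy; if the /28 must fall back to normal routing when upstream1 is down, pair the route-map with `set ip next-hop verify-availability` and object tracking rather than a plain `set ip next-hop`. In the destination-based half, `show ip bgp 203.0.113.16/28` on a looking glass outside both upstreams is the honest test of whether the more-specific survived the /24 filters Arie describes.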
From: geert.nijs at gmail.com (Geert Nijs)
Date: Tue, 5 Jan 2010 10:09:26 +0100
Subject: [c-nsp] Cisco N5000 vPC to connect HP c7000 with VC

Hi all,

- Does anyone have experience connecting an HP c7000 enclosure with 2 HP VirtualConnect switches to a pair of Nexus 5000 switches using a vPC configuration?
- Other general vPC experience is also appreciated.

regards,
Geert

From x.illusi0n at gmail.com Tue Jan 5 04:16:39 2010
From: x.illusi0n at gmail.com (ioluz)
Date: Tue, 5 Jan 2010 10:16:39 +0100
Subject: [c-nsp] Cisco 2600 ISDN
Message-ID: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com>

Hello,

I actually have a problem with my cisco 2600 configuration.

I have a cisco 2600 in a datacenter which is connected to a "Numeris" connection.
In my office, I have a windows xp computer which is able to use a "Numeris" connection.

My goal is to be able to use the windows XP computer to connect to my cisco 2600 by using our "Numeris" connection (as a backup).

When I try to contact my cisco by using my windows xp computer I get the following error:

*Mar 15 20:33:37.911: ISDN BR0/0 EVENT: service_queue_from_physical_layer: Recvd L1 prim 1 state is 3
*Mar 15 20:33:37.911: ISDN BR0/0 EVENT: isdn_sw_cstate: State = 4, Old State = 4
*Mar 15 20:33:37.915: ISDN BR0/0 EVENT: service_queue_from_physical_layer: Recvd L1 prim 6 state is 1
*Mar 15 20:33:37.923: ISDN BR0/0 Q921: User TX -> SABMEp sapi=0 tei=65
*Mar 15 20:33:37.935: ISDN BR0/0 Q921: User RX <- UAf sapi=0 tei=65
*Mar 15 20:33:37.935: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 65 changed to up
*Mar 15 20:33:38.159: ISDN BR0/0 Q921: User RX <- UI sapi=0 tei=127
*Mar 15 20:33:38.163: ISDN BR0/0 Q931: SETUP *censored* = 8 callref = 0x66
        Bearer Capability i = 0x9090A3
                Standard = CCITT
                Transfer Capability = 3.1kHz Audio
                Transfer Mode = Circuit
                Transfer Rate = 64 kbit/s
        Channel ID i = 0x89
        Progress Ind i = 0x8483 - Origination address is non-ISDN
        Calling Party Number i = 0x2083, '*********'
                Plan:Unknown, Type:National
        Called Party Number i = 0x81, '****'
                Plan:ISDN, Type:Unknown
        Sending Complete
*Mar 15 20:33:38.167: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL L2: sapi 0 tei 127 ces 0 ev 0x3
*Mar 15 20:33:38.171: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A calltype 2 HOST_INCOMING_CALL
*Mar 15 20:33:38.171: BR0/0:1: interface must be fifo queue, force fifo
*Mar 15 20:33:38.175: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di0
*Mar 15 20:33:38.175: ISDN BR0/0 EVENT: UserIdle: callid 0x10A received ACCEPT_CALL (0x13)
*Mar 15 20:33:38.179: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
*Mar 15 20:33:38.179: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to ********* N/A
*Mar 15 20:33:38.183: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=0 nr=0
*Mar 15 20:33:38.187: ISDN BR0/0 Q931: CONNECT *censored* = 8 callref = 0xE6
        Shift to Codeset 6
        Codeset 6 IE 0x24 i = 0x80
*Mar 15 20:33:38.187: BR0/0:1 PPP: Using dialer call direction
*Mar 15 20:33:38.187: BR0/0:1 PPP: Treating connection as a callin
*Mar 15 20:33:38.187: BR0/0:1 PPP: Session handle[2F000076] Session id[106]
*Mar 15 20:33:38.187: BR0/0:1 PPP: Phase is ESTABLISHING, Passive Open
*Mar 15 20:33:38.187: BR0/0:1 LCP: State is Listen
*Mar 15 20:33:38.203: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=1
*Mar 15 20:33:38.255: ISDN BR0/0 Q921: User RX <- INFO sapi=0 tei=65, ns=0 nr=1
*Mar 15 20:33:38.255: ISDN BR0/0 Q931: CONNECT_ACK *censored* = 8 callref = 0x66
*Mar 15 20:33:38.259: ISDN BR0/0 Q921: User TX -> RR sapi=0 tei=65 nr=1
*Mar 15 20:33:39.871: ISDN BR0/0 Q921: User RX <- IDCKRQ ri=0 ai=127
*Mar 15 20:33:39.875: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL L2: sapi 63 tei 127 ces 0 ev 0x3
*Mar 15 20:33:39.879: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL L2: sapi 63 tei 127 ces 0 ev 0x650
*Mar 15 20:33:39.879: ISDN BR0/0 Q921: User TX -> IDCKRP ri=30551 ai=65
*Mar 15 20:33:40.179: BR0/0:1 LCP: Timeout: State Listen
*Mar 15 20:33:40.179: BR0/0:1 PPP: Authorization required
*Mar 15 20:33:40.179: BR0/0:1 AAA/AUTHOR/LCP: Authorization succeeds trivially
*Mar 15 20:33:40.183: BR0/0:1 LCP: O CONFREQ [Listen] id 3 len 15
*Mar 15 20:33:40.183: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:40.183: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:42.187: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:42.187: BR0/0:1 LCP: O CONFREQ [REQsent] id 4 len 15
*Mar 15 20:33:42.187: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:42.187: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:44.203: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:44.203: BR0/0:1 LCP: O CONFREQ [REQsent] id 5 len 15
*Mar 15 20:33:44.203: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:44.203: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:46.219: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:46.219: BR0/0:1 LCP: O CONFREQ [REQsent] id 6 len 15
*Mar 15 20:33:46.219: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:46.219: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:48.235: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:48.235: BR0/0:1 LCP: O CONFREQ [REQsent] id 7 len 15
*Mar 15 20:33:48.235: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:48.235: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:48.259: ISDN BR0/0 Q921: User TX -> RRp sapi=0 tei=65 nr=1
*Mar 15 20:33:48.271: ISDN BR0/0 Q921: User RX <- RRf sapi=0 tei=65 nr=1
*Mar 15 20:33:50.251: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:50.251: BR0/0:1 LCP: O CONFREQ [REQsent] id 8 len 15
*Mar 15 20:33:50.251: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:50.251: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:52.267: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:52.267: BR0/0:1 LCP: O CONFREQ [REQsent] id 9 len 15
*Mar 15 20:33:52.267: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:52.267: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:54.283: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:54.283: BR0/0:1 LCP: O CONFREQ [REQsent] id 10 len 15
*Mar 15 20:33:54.283: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:54.283: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:56.299: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:56.299: BR0/0:1 LCP: O CONFREQ [REQsent] id 11 len 15
*Mar 15 20:33:56.299: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:56.299: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:58.271: ISDN BR0/0 Q921: User RX <- RRp sapi=0 tei=65 nr=1
*Mar 15 20:33:58.275: ISDN BR0/0 Q921: User TX -> RRp sapi=0 tei=65 nr=1
*Mar 15 20:33:58.275: ISDN BR0/0 Q921: User TX -> RRf sapi=0 tei=65 nr=1
*Mar 15 20:33:58.287: ISDN BR0/0 Q921: User RX <- RRf sapi=0 tei=65 nr=1
*Mar 15 20:33:58.315: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:58.315: BR0/0:1 LCP: O CONFREQ [REQsent] id 12 len 15
*Mar 15 20:33:58.315: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:58.315: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:34:00.331: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:34:00.331: BR0/0:1 DDR: disconnecting call
*Mar 15 20:34:00.331: BR0/0:1 LCP: State is Listen
*Mar 15 20:34:00.331: ISDN BR0/0 EVENT: UserIdle: callid 0x10A received ISDN_HANGUP (0x1)
*Mar 15 20:34:00.331: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from ********* , call lasted 22 seconds
*Mar 15 20:34:00.335: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=1 nr=1
*Mar 15 20:34:00.339: ISDN BR0/0 Q931: DISCONNECT *censored* = 8 callref = 0xE6
        Cause i = 0x8790 - Normal call clearing
*Mar 15 20:34:00.355: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=2
*Mar 15 20:34:00.443: ISDN BR0/0 Q921: User RX <- INFO sapi=0 tei=65, ns=1 nr=2
*Mar 15 20:34:00.443: ISDN BR0/0 Q931: RELEASE *censored* = 8 callref = 0x66
*Mar 15 20:34:00.447: ISDN BR0/0 Q921: User TX -> RR sapi=0 tei=65 nr=2
*Mar 15 20:34:00.451: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A calltype 1 HOST_DISCONNECT_ACK
*Mar 15 20:34:00.451: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
*Mar 15 20:34:00.451: BR0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
*Mar 15 20:34:00.455: %DIALER-6-UNBIND: Interface BR0/0:1 unbound from profile Di0
*Mar 15 20:34:00.459: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A calltype 1 HOST_DISCONNECT_ACK
*Mar 15 20:34:00.459: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=2 nr=2
*Mar 15 20:34:00.459: ISDN BR0/0 Q931: RELEASE_COMP *censored* = 8 callref = 0xE6
        Shift to Codeset 6
        Codeset 6 IE 0x24 i = 0x80
*Mar 15 20:34:00.463: BR0/0:1 PPP: Sending Acct Event[Down] id[7C]
*Mar 15 20:34:00.463: BR0/0:1 LCP: State is Closed
*Mar 15 20:34:00.463: BR0/0:1 PPP: Phase is DOWN
*Mar 15 20:34:00.479: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=3
*Mar 15 20:34:04.479: ISDN BR0/0 Q921: User RX <- DISCp sapi=0 tei=65
*Mar 15 20:34:04.479: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0, TEI 65 changed to down
*Mar 15 20:34:04.483: ISDN BR0/0 Q921: User TX -> UAf sapi=0 tei=65
*Mar 15 20:34:34.523: ISDN BR0/0 EVENT: service_queue_from_physical_layer: Recvd L1 prim 5 state is 1
*Mar 15 20:34:34.947: ISDN BR0/0 EVENT: service_queue_from_physical_layer: Recvd L1 prim 3 state is 2
*Mar 15 20:34:34.947: ISDN BR0/0 EVENT: isdn_sw_cstate: State = 0, Old State = 4
*Mar 15 20:34:34.951: ISDN BR0/0 Q931: L3_ShutDown: Shutting down ISDN Layer 3

here is my cisco's show run:

Building configuration...

Current configuration : 2191 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sw-adm.**********
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip dhcp pool secret
 network 10.1.76.0 255.255.255.240
 default-router 10.1.76.1
!
isdn switch-type vn3
!
username username privilege 0 secret 5
username user privilege 0 secret 5
username username2 password 0
!
!
!
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
 no ip mroute-cache
!
interface FastEthernet0/0
 ip address 10.1.75.19 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
!
interface BRI0/0 no ip address encapsulation ppp dialer pool-member 1 isdn switch-type vn3 isdn incoming-voice data 64 no peer default ip address ppp authentication chap ! interface Serial0/0 no ip address ! interface Dialer0 ip address negotiated encapsulation ppp dialer pool 1 dialer remote-name username2 ! no ip http server ip classless ! ! access-list 12 permit 10.1.75.20 access-list 100 permit tcp host 10.1.75.20 any eq telnet log access-list 100 deny ip any any log dialer-list 1 protocol ip permit banner login ^Cc Good luck^C ! line con 0 privilege level 0 login local line 33 64 session-timeout 20 exec-timeout 0 0 no exec transport input all line aux 0 session-timeout 20 exec-timeout 0 0 no exec transport input all line vty 0 4 access-class 100 in exec-timeout 0 0 privilege level 0 login local transport input telnet line vty 5 15 login local ! ! end From s.ganschow at buelow-masiak.de Tue Jan 5 04:48:17 2010 
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Tue, 5 Jan 2010 10:48:17 +0100
Subject: [c-nsp] VPDN Problem
In-Reply-To: 
Message-ID: 

Okay, probably the first line will tell us where the problem is. But why do keepalives suddenly get lost?

Jan 5 10:41:51 mrl01cor01 35245: 035250: 1w0d: Vi26 PPP: Missed 5 keepalives, taking LCP down
Jan 5 10:41:51 mrl01cor01 35246: 035251: 1w0d: Vi26 PPP: Sending Acct Event[Down] id[667]
Jan 5 10:41:51 mrl01cor01 35247: 035252: 1w0d: Vi26 LCP: State is Closed
Jan 5 10:41:51 mrl01cor01 35248: 035253: 1w0d: Vi26 PPP: Phase is DOWN
Jan 5 10:41:51 mrl01cor01 35249: 035254: 1w0d: Vi26 IPCP: State is Closed
Jan 5 10:41:51 mrl01cor01 35250: 035255: 1w0d: Vi26 PPP: Send Message[Disconnect]
Jan 5 10:41:51 mrl01cor01 35251: 035256: 1w0d: Vi26 IPCP: Remove route to 1.2.3.4
Jan 5 10:41:51 mrl01cor01 35252: 035257: 1w0d: Vi26 Tnl/Sn 21483/1151 L2TP: disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign Host Close
Jan 5 10:41:51 mrl01cor01 35253: 035258: Jan 5 10:41:42.127 met: %VPDN-6-CLOSED: L2TP LNS lns closed Vi26 user dsluser; Result 2, Error 6
Jan 5 10:41:51 mrl01cor01 35254: 035259: 1w0d: Vi26 Tnl/Sn 21483/1151 L2TP: O CDN to lac 37514/6429
Jan 5 10:41:52 mrl01cor01 35255: 035260: Jan 5 10:41:42.131 met: %LINK-3-UPDOWN: Interface Virtual-Access26, changed state to down
Jan 5 10:41:52 mrl01cor01 35256: 035261: 1w0d: Tnl 21483 L2TP: Control channel retransmit delay set to 1 seconds
Jan 5 10:41:53 mrl01cor01 35257: 035262: Jan 5 10:41:43.127 met: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access26, changed state to down
Jan 5 10:42:12 mrl01cor01 35258: 035263: 1w0d: Tnl 63366 L2TP: I ICRQ from lac tnl 1417
Jan 5 10:42:12 mrl01cor01 35259: 035264: 1w0d: Tnl/Sn 63366/1162 L2TP: Session FS enabled
Jan 5 10:42:12 mrl01cor01 35260: 035265: 1w0d: Tnl/Sn 63366/1162 L2TP: Session state change from idle to wait-connect
Jan 5 10:42:12 mrl01cor01 35261: 035266: 1w0d: Tnl/Sn 63366/1162 L2TP: New session created
Jan 5 10:42:12 mrl01cor01 35262: 035267: 1w0d: Tnl/Sn 63366/1162 L2TP: O ICRP to lac 1417/49006

Sebastian

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Tuesday, 5 January 2010 09:54
> To: Sebastian Ganschow; cisco-nsp
> Subject: RE: RE: RE: [c-nsp] VPDN Problem
>
> Yes, it is sent from the LAC.
> This is a message from the RFC, but I would assume it has something to
> do with the PPP/L2TP negotiation between the LAC and LNS, and the LAC
> not agreeing to something sent from the LNS...
>
> The debugs below should help.
>
> Arie
>
> -----Original Message-----
> From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
> Sent: Tuesday, January 05, 2010 10:48
> To: Arie Vayner (avayner); cisco-nsp
> Subject: AW: RE: RE: [c-nsp] VPDN Problem
>
> Hi Arie,
>
> I mean that if you've got a DSL line with 160kbit upstream and you use
> it all.
>
> The main thing I don't understand is the error message "invalid
> destination". Do I understand it right that the message I see in sh
> vpdn hist fail is sent by the LAC to our LNS?
>
> Sebastian
>
>
> > -----Original Message-----
> > From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> > Sent: Tuesday, 5 January 2010 09:11
> > To: Sebastian Ganschow; cisco-nsp
> > Subject: RE: RE: [c-nsp] VPDN Problem
> >
> > Sebastian,
> >
> > What do you mean by "if you exceed your bandwidth"?
> >
> > You could try the following debugs for more info:
> > debug ppp nego
> > debug vpdn l2x event
> > debug vpdn l2x error
> > debug radius
> >
> > Arie
> >
> > -----Original Message-----
> > From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
> > Sent: Tuesday, January 05, 2010 09:35
> > To: Arie Vayner (avayner); cisco-nsp
> > Subject: AW: RE: [c-nsp] VPDN Problem
> >
> > Hi,
> >
> > Output of show vpdn history failure
> >
> > #sh vpdn history failure
> > User: xyz, MID = 902
> > NAS: lac, IP address = 1.2.3.4, CLID = 63366
> > Gateway: lns, IP address = 5.6.7.8, CLID = 1417
> > Log time: Jan 4 10:55:24.390, Error repeat count: 3
> > Failure type: The remote server closed this session
> > Failure reason: Result 2, Error 6
> >
> > As I found out, the failure reason could be interpreted as the
> > following:
> >
> > Result 2 - General error (Error code indicates problem)
> > Error 2 - Invalid destination
> >
> > What is the meaning of invalid destination? As the tunnel is
> > established and only gets dropped if you exceed your bandwidth, I can't get the
> > meaning of the error message from the context.
> >
> > Regards,
> > Sebastian
> >
> >
> > > -----Original Message-----
> > > From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> > > Sent: Wednesday, 23 December 2009 17:23
> > > To: Sebastian Ganschow; cisco-nsp at puck.nether.net
> > > Subject: RE: [c-nsp] VPDN Problem
> > >
> > > Sebastian,
> > >
> > > You can try looking at the output of "show vpdn history".
> > > I think the error you get means that the remote side requested a
> > > disconnect, but I also see some cases where this appears by mistake...
> > >
> > > Arie
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian
> > > Ganschow
> > > Sent: Wednesday, December 23, 2009 12:17
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] VPDN Problem
> > >
> > > Hi all,
> > >
> > > We've got a little problem with our vpdn where we're stuck. Could
> > > anyone explain the following debugging messages from our 7206 to me:
> > >
> > > VPDN Vi12 disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign
> > > Host Close
> > > VPDN Vi12 vpdn shutdown session, result=2, error=6, vendor_err=0,
> > > syslog_error_code=23, syslog_key_type=1
> > > %VPDN-6-CLOSED: L2TP LNS viade-dbmg-lns closed Vi12 user username;
> > > Result 2, Error 6, Locally generated disconnect
> > >
> > >
> > > What is the meaning of:
> > > - 8/port-error Ascend: 41/TCP
> > > - Result 2, Error 6, Locally generated disconnect
> > >
> > > On CCO there is no information about those messages.
> > >
> > > The session gets disconnected if the upstream bandwidth is exceeded.
> > > There are two providers who are delivering those vpdn sessions to us.
> > > We've tried with users of them, but the disconnect only happens on our own
> > > LNS. If the user is connected to the LNS of one of the two providers, the
> > > session won't be disconnected.
> > >
> > > Any Ideas?
> > >
> > > Regards
> > > Sebastian
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> > >

From A.L.M.Buxey at lboro.ac.uk Tue Jan 5 05:26:08 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 5 Jan 2010 10:26:08 +0000
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: 
References: 
Message-ID: <20100105102608.GC5984@lboro.ac.uk>

hi,

we've had an issue with certain IOS - now running 12.2(44)SE6 - on the 3550 platform.

note...there is a newer IOS floating around - 12.2(50)SE-somesuch..but that seems to only be relevant for the 3550-24td or such specific version - don't run it on any other one as, though it appears to work, you get some interesting results! ;-)

alan

> Searching bug toolkit, I didn't find anything that looked relevant. Has
> anyone else run into this sort of thing with 12.1EA software or have an
> idea what the cause/solutions might be?

any reason for lurking down in the 12.1EA release train?

From jared at puck.nether.net Tue Jan 5 08:11:38 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 5 Jan 2010 08:11:38 -0500
Subject: [c-nsp] Cisco 2600 ISDN
In-Reply-To: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com>
References: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com>
Message-ID: <6DD0AA69-30FD-454E-96FB-437D9717C5EC@puck.nether.net>

So there are a few things that I see missing here.

You need to have an IP that you will assign to the dial-in user. (Unless you intend to use this as a bridge, which I don't know if XP will support).

You should define some local pool of IP(s) that you will hand out.

eg:

ip local pool mypool 192.168.0.1 192.168.0.2

interface Group-Async1
 ip unnumbered FastEthernet0/0
 ip tcp header-compression passive
 ip pim border
 encapsulation ppp
 no ip mroute-cache
 async default routing
 async mode interactive
 peer default ip address pool mypool
 no fair-queue
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication pap chap
 group-range 1

This is taken from an old archive of configs that I have from doing dial-in in the good-old-days...

Hope it helps.

- Jared

On Jan 5, 2010, at 4:16 AM, ioluz wrote:

> Hello,
>
> I actually have a problem with my cisco 2600 configuration.
>
> I have a cisco 2600 in a datacenter which is connected to a "Numeris"
> connection
>
> In my office, I have a windows xp computer which is able to use a "Numeris"
> connection.
>
> My goal is to be able to use the windows XP computer to connect to my cisco
> 2600 by using our "Numeris" connection (in case of rescue)
>
> When I try to contact my cisco by using my windows xp computer I get the
> following error:
>
> *Mar 15 20:33:37.911: ISDN BR0/0 EVENT: service_queue_from_physical_layer:
> Recvd L1 prim 1 state is 3
> *Mar 15 20:33:37.911: ISDN BR0/0 EVENT: isdn_sw_cstate: State = 4, Old State
> = 4
> *Mar 15 20:33:37.915: ISDN BR0/0 EVENT: service_queue_from_physical_layer:
> Recvd L1 prim 6 state is 1
> *Mar 15 20:33:37.923: ISDN BR0/0 Q921: User TX -> SABMEp sapi=0 tei=65
> *Mar 15 20:33:37.935: ISDN BR0/0 Q921: User RX <- UAf sapi=0 tei=65
> *Mar 15 20:33:37.935: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 65
> changed to up
> *Mar 15 20:33:38.159: ISDN BR0/0 Q921: User RX <- UI sapi=0 tei=127
> *Mar 15 20:33:38.163: ISDN BR0/0 Q931: SETUP *censuré* = 8 callref = 0x66
> Bearer Capability i = 0x9090A3
> Standard = CCITT
> Transfer Capability = 3.1kHz Audio
> Transfer Mode = Circuit
> Transfer Rate = 64 kbit/s
> Channel ID i = 0x89
> Progress Ind i = 0x8483 - Origination address is non-ISDN
> Calling Party Number i = 0x2083, '*********'
> Plan:Unknown, Type:National
> Called Party Number i = 0x81, '****'
> Plan:ISDN, Type:Unknown
> Sending Complete
> *Mar 15 20:33:38.167: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL
> L2: sapi 0 tei 127 ces 0 ev 0x3
> *Mar 15 20:33:38.171: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A
> calltype 2 HOST_INCOMING_CALL
> *Mar 15 20:33:38.171: BR0/0:1: interface must be fifo queue, force fifo
> *Mar 15 20:33:38.175: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di0
> *Mar 15 20:33:38.175: ISDN BR0/0 EVENT: UserIdle: callid 0x10A received
> ACCEPT_CALL (0x13)
> *Mar 15 20:33:38.179: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to
> up
> *Mar 15 20:33:38.179: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected
> to ********* N/A
> *Mar 15 20:33:38.183: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=0
> nr=0
> *Mar 15 20:33:38.187: ISDN BR0/0 Q931: CONNECT *censuré* = 8 callref = 0xE6
> Shift to Codeset 6
> Codeset 6 IE 0x24 i = 0x80
> *Mar 15 20:33:38.187: BR0/0:1 PPP: Using dialer call direction
> *Mar 15 20:33:38.187: BR0/0:1 PPP: Treating connection as a callin
> *Mar 15 20:33:38.187: BR0/0:1 PPP: Session handle[2F000076] Session id[106]
> *Mar 15 20:33:38.187: BR0/0:1 PPP: Phase is ESTABLISHING, Passive Open
> *Mar 15 20:33:38.187: BR0/0:1 LCP: State is Listen
> *Mar 15 20:33:38.203: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=1
> *Mar 15 20:33:38.255: ISDN BR0/0 Q921: User RX <- INFO sapi=0 tei=65, ns=0
> nr=1
> *Mar 15 20:33:38.255: ISDN BR0/0 Q931: CONNECT_ACK *censuré* = 8 callref =
> 0x66
> *Mar 15 20:33:38.259: ISDN BR0/0 Q921: User TX -> RR sapi=0 tei=65 nr=1
> *Mar 15 20:33:39.871: ISDN BR0/0 Q921: User RX <- IDCKRQ ri=0 ai=127
> *Mar 15 20:33:39.875: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL
> L2: sapi 63 tei 127 ces 0 ev 0x3
> *Mar 15 20:33:39.879: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL
> L2: sapi 63 tei 127 ces 0 ev 0x650
> *Mar 15 20:33:39.879: ISDN BR0/0 Q921: User TX -> IDCKRP ri=30551 ai=65
> *Mar 15 20:33:40.179: BR0/0:1 LCP: Timeout: State Listen
> *Mar 15 20:33:40.179: BR0/0:1 PPP: Authorization required
> *Mar 15 20:33:40.179: BR0/0:1 AAA/AUTHOR/LCP: Authorization succeeds
> trivially
> *Mar 15 20:33:40.183: BR0/0:1 LCP: O CONFREQ [Listen] id 3 len 15
> *Mar 15 20:33:40.183: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:40.183: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:33:42.187: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:33:42.187: BR0/0:1 LCP: O CONFREQ [REQsent] id 4 len 15
> *Mar 15 20:33:42.187: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:42.187: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:33:44.203: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:33:44.203: BR0/0:1 LCP: O CONFREQ [REQsent] id 5 len 15
> *Mar 15 20:33:44.203: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:44.203: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:33:46.219: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:33:46.219: BR0/0:1 LCP: O CONFREQ [REQsent] id 6 len 15
> *Mar 15 20:33:46.219: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:46.219: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:33:48.235: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:33:48.235: BR0/0:1 LCP: O CONFREQ [REQsent] id 7 len 15
> *Mar 15 20:33:48.235: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:48.235: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:33:48.259: ISDN BR0/0 Q921: User TX -> RRp sapi=0 tei=65 nr=1
> *Mar 15 20:33:48.271: ISDN BR0/0 Q921: User RX <- RRf sapi=0 tei=65 nr=1
> *Mar 15 20:33:50.251: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:33:50.251: BR0/0:1 LCP: O CONFREQ [REQsent] id 8 len 15
> *Mar 15 20:33:50.251: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:50.251: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:33:52.267: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:33:52.267: BR0/0:1 LCP: O CONFREQ [REQsent] id 9 len 15
> *Mar 15 20:33:52.267: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:52.267: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:33:54.283: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:33:54.283: BR0/0:1 LCP: O CONFREQ [REQsent] id 10 len 15
> *Mar 15 20:33:54.283: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:54.283: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:33:56.299: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:33:56.299: BR0/0:1 LCP: O CONFREQ [REQsent] id 11 len 15
> *Mar 15 20:33:56.299: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:56.299: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:33:58.271: ISDN BR0/0 Q921: User RX <- RRp sapi=0 tei=65 nr=1
> *Mar 15 20:33:58.275: ISDN BR0/0 Q921: User TX -> RRp sapi=0 tei=65 nr=1
> *Mar 15 20:33:58.275: ISDN BR0/0 Q921: User TX -> RRf sapi=0 tei=65 nr=1
> *Mar 15 20:33:58.287: ISDN BR0/0 Q921: User RX <- RRf sapi=0 tei=65 nr=1
> *Mar 15 20:33:58.315: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:33:58.315: BR0/0:1 LCP: O CONFREQ [REQsent] id 12 len 15
> *Mar 15 20:33:58.315: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 15 20:33:58.315: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> *Mar 15 20:34:00.331: BR0/0:1 LCP: Timeout: State REQsent
> *Mar 15 20:34:00.331: BR0/0:1 DDR: disconnecting call
> *Mar 15 20:34:00.331: BR0/0:1 LCP: State is Listen
> *Mar 15 20:34:00.331: ISDN BR0/0 EVENT: UserIdle: callid 0x10A received
> ISDN_HANGUP (0x1)
> *Mar 15 20:34:00.331: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected
> from ********* , call lasted 22 seconds
> *Mar 15 20:34:00.335: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=1
> nr=1
> *Mar 15 20:34:00.339: ISDN BR0/0 Q931: DISCONNECT *censuré* = 8 callref =
> 0xE6
> Cause i = 0x8790 - Normal call clearing
> *Mar 15 20:34:00.355: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=2
> *Mar 15 20:34:00.443: ISDN BR0/0 Q921: User RX <- INFO sapi=0 tei=65, ns=1
> nr=2
> *Mar 15 20:34:00.443: ISDN BR0/0 Q931: RELEASE *censuré* = 8 callref = 0x66
> *Mar 15 20:34:00.447: ISDN BR0/0 Q921: User TX -> RR sapi=0 tei=65 nr=2
> *Mar 15 20:34:00.451: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A
> calltype 1 HOST_DISCONNECT_ACK
> *Mar 15 20:34:00.451: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to
> down
> *Mar 15 20:34:00.451: BR0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
> *Mar 15 20:34:00.455: %DIALER-6-UNBIND: Interface BR0/0:1 unbound from
> profile Di0
> *Mar 15 20:34:00.459: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A
> calltype 1 HOST_DISCONNECT_ACK
> *Mar 15 20:34:00.459: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=2
> nr=2
> *Mar 15 20:34:00.459: ISDN BR0/0 Q931: RELEASE_COMP *censuré* = 8 callref =
> 0xE6
> Shift to Codeset 6
> Codeset 6 IE 0x24 i = 0x80
> *Mar 15 20:34:00.463: BR0/0:1 PPP: Sending Acct Event[Down] id[7C]
> *Mar 15 20:34:00.463: BR0/0:1 LCP: State is Closed
> *Mar 15 20:34:00.463: BR0/0:1 PPP: Phase is DOWN
> *Mar 15 20:34:00.479: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=3
> *Mar 15 20:34:04.479: ISDN BR0/0 Q921: User RX <- DISCp sapi=0 tei=65
> *Mar 15 20:34:04.479: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0, TEI
> 65 changed to down
> *Mar 15 20:34:04.483: ISDN BR0/0 Q921: User TX -> UAf sapi=0 tei=65
> *Mar 15 20:34:34.523: ISDN BR0/0 EVENT: service_queue_from_physical_layer:
> Recvd L1 prim 5 state is 1
> *Mar 15 20:34:34.947: ISDN BR0/0 EVENT: service_queue_from_physical_layer:
> Recvd L1 prim 3 state is 2
> *Mar 15 20:34:34.947: ISDN BR0/0 EVENT: isdn_sw_cstate: State = 0, Old State
> = 4
> *Mar 15 20:34:34.951: ISDN BR0/0 Q931: L3_ShutDown: Shutting down ISDN Layer
> 3
>
>
> here is my cisco's show run:
>
> Building configuration...
>
> Current configuration : 2191 bytes
> !
> version 12.3
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname sw-adm.**********
> !
> boot-start-marker
> boot-end-marker
> !
> enable secret 5
> !
> no aaa new-model
> ip subnet-zero
> ip cef
> !
> !
> no ip domain lookup
> !
> ip dhcp pool secret
>  network 10.1.76.0 255.255.255.240
>  default-router 10.1.76.1
> !
> isdn switch-type vn3
> !
> username username privilege 0 secret 5
> username user privilege 0 secret 5
> username username2 password 0
> !
> !
> !
> !
> interface Loopback1
>  ip address 172.16.1.1 255.255.255.0
>  no ip mroute-cache
> !
> interface FastEthernet0/0
>  ip address 10.1.75.19 255.255.255.0
>  no ip route-cache cef
>  no ip route-cache
>  duplex auto
>  speed auto
> !
> interface BRI0/0
>  no ip address
>  encapsulation ppp
>  dialer pool-member 1
>  isdn switch-type vn3
>  isdn incoming-voice data 64
>  no peer default ip address
>  ppp authentication chap
> !
> interface Serial0/0
>  no ip address
> !
> interface Dialer0
>  ip address negotiated
>  encapsulation ppp
>  dialer pool 1
>  dialer remote-name username2
> !
> no ip http server
> ip classless
> !
> !
> access-list 12 permit 10.1.75.20
> access-list 100 permit tcp host 10.1.75.20 any eq telnet log
> access-list 100 deny ip any any log
> dialer-list 1 protocol ip permit
> banner login ^Cc
> Good luck^C
> !
> line con 0
>  privilege level 0
>  login local
> line 33 64
>  session-timeout 20
>  exec-timeout 0 0
>  no exec
>  transport input all
> line aux 0
>  session-timeout 20
>  exec-timeout 0 0
>  no exec
>  transport input all
> line vty 0 4
>  access-class 100 in
>  exec-timeout 0 0
>  privilege level 0
>  login local
>  transport input telnet
> line vty 5 15
>  login local
> !
> !
> end
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From x.illusi0n at gmail.com Tue Jan 5 08:51:05 2010
From: x.illusi0n at gmail.com (ioluz)
Date: Tue, 5 Jan 2010 14:51:05 +0100
Subject: [c-nsp] Cisco 2600 ISDN
In-Reply-To: <6DD0AA69-30FD-454E-96FB-437D9717C5EC@puck.nether.net>
References: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com>
	<6DD0AA69-30FD-454E-96FB-437D9717C5EC@puck.nether.net>
Message-ID: <97699e7b1001050551o73425880pf99839f53c178a4a@mail.gmail.com>

Thanks for your help. I tried your configuration and I have the same debug output. The very strange point is the fact that I didn't see any I CONFREQ in the debug output, isn't it?

On Tue, Jan 5, 2010 at 2:11 PM, Jared Mauch wrote:

> So there are a few things that I see missing here.
>
> You need to have an IP that you will assign to the dial-in user. (Unless
> you intend to use this as a bridge, which I don't know if XP will support).
>
> You should define some local pool of IP(s) that you will hand out.
>
> eg:
>
> ip local pool mypool 192.168.0.1 192.168.0.2
>
> interface Group-Async1
>  ip unnumbered FastEthernet0/0
>  ip tcp header-compression passive
>  ip pim border
>  encapsulation ppp
>  no ip mroute-cache
>  async default routing
>  async mode interactive
>  peer default ip address pool mypool
>  no fair-queue
>  no cdp enable
>  ppp max-bad-auth 3
>  ppp authentication pap chap
>  group-range 1
>
> This is taken from an old archive of configs that I have from doing dial-in in
> the good-old-days...
>
> Hope it helps.
>
> - Jared
>
>
> On Jan 5, 2010, at 4:16 AM, ioluz wrote:
>
> > Hello,
> >
> > I actually have a problem with my cisco 2600 configuration.
> >
> > I have a cisco 2600 in a datacenter which is connected to a "Numeris"
> > connection
> >
> > In my office, I have a windows xp computer which is able to use a "Numeris"
> > connection.
> >
> > My goal is to be able to use the windows XP computer to connect to my cisco
> > 2600 by using our "Numeris" connection (in case of rescue)
> >
> > When I try to contact my cisco by using my windows xp computer I get the
> > following error:
> >
> > *Mar 15 20:33:37.911: ISDN BR0/0 EVENT: service_queue_from_physical_layer:
> > Recvd L1 prim 1 state is 3
> > *Mar 15 20:33:37.911: ISDN BR0/0 EVENT: isdn_sw_cstate: State = 4, Old State
> > = 4
> > *Mar 15 20:33:37.915: ISDN BR0/0 EVENT: service_queue_from_physical_layer:
> > Recvd L1 prim 6 state is 1
> > *Mar 15 20:33:37.923: ISDN BR0/0 Q921: User TX -> SABMEp sapi=0 tei=65
> > *Mar 15 20:33:37.935: ISDN BR0/0 Q921: User RX <- UAf sapi=0 tei=65
> > *Mar 15 20:33:37.935: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 65
> > changed to up
> > *Mar 15 20:33:38.159: ISDN BR0/0 Q921: User RX <- UI sapi=0 tei=127
> > *Mar 15 20:33:38.163: ISDN BR0/0 Q931: SETUP *censuré* = 8 callref = 0x66
> > Bearer Capability i = 0x9090A3
> > Standard = CCITT
> > Transfer Capability = 3.1kHz Audio
> > Transfer Mode = Circuit
> > Transfer Rate = 64 kbit/s
> > Channel ID i = 0x89
> > Progress Ind i = 0x8483 - Origination address is non-ISDN
> > Calling Party Number i = 0x2083, '*********'
> > Plan:Unknown, Type:National
> > Called Party Number i = 0x81, '****'
> > Plan:ISDN, Type:Unknown
> > Sending Complete
> > *Mar 15 20:33:38.167: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL
> > L2: sapi 0 tei 127 ces 0 ev 0x3
> > *Mar 15 20:33:38.171: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A
> > calltype 2 HOST_INCOMING_CALL
> > *Mar 15 20:33:38.171: BR0/0:1: interface must be fifo queue, force fifo
> > *Mar 15 20:33:38.175: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di0
> > *Mar 15 20:33:38.175: ISDN BR0/0 EVENT: UserIdle: callid 0x10A received
> > ACCEPT_CALL (0x13)
> > *Mar 15 20:33:38.179: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to
> > up
> > *Mar 15 20:33:38.179: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected
> > to ********* N/A
> > *Mar 15 20:33:38.183: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=0
> > nr=0
> > *Mar 15 20:33:38.187: ISDN BR0/0 Q931: CONNECT *censuré* = 8 callref = 0xE6
> > Shift to Codeset 6
> > Codeset 6 IE 0x24 i = 0x80
> > *Mar 15 20:33:38.187: BR0/0:1 PPP: Using dialer call direction
> > *Mar 15 20:33:38.187: BR0/0:1 PPP: Treating connection as a callin
> > *Mar 15 20:33:38.187: BR0/0:1 PPP: Session handle[2F000076] Session id[106]
> > *Mar 15 20:33:38.187: BR0/0:1 PPP: Phase is ESTABLISHING, Passive Open
> > *Mar 15 20:33:38.187: BR0/0:1 LCP: State is Listen
> > *Mar 15 20:33:38.203: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=1
> > *Mar 15 20:33:38.255: ISDN BR0/0 Q921: User RX <- INFO sapi=0 tei=65, ns=0
> > nr=1
> > *Mar 15 20:33:38.255: ISDN BR0/0 Q931: CONNECT_ACK *censuré* = 8 callref =
> > 0x66
> > *Mar 15 20:33:38.259: ISDN BR0/0 Q921: User TX -> RR sapi=0 tei=65 nr=1
> > *Mar 15 20:33:39.871: ISDN BR0/0 Q921: User RX <- IDCKRQ ri=0 ai=127
> > *Mar 15 20:33:39.875: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL
> > L2: sapi 63 tei 127 ces 0 ev 0x3
> > *Mar 15 20:33:39.879: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL
> > L2: sapi 63 tei 127 ces 0 ev 0x650
> > *Mar 15 20:33:39.879: ISDN BR0/0 Q921: User TX -> IDCKRP ri=30551 ai=65
> > *Mar 15 20:33:40.179: BR0/0:1 LCP: Timeout: State Listen
> > *Mar 15 20:33:40.179: BR0/0:1 PPP: Authorization required
> > *Mar 15 20:33:40.179: BR0/0:1 AAA/AUTHOR/LCP: Authorization succeeds
> > trivially
> > *Mar 15 20:33:40.183: BR0/0:1 LCP: O CONFREQ [Listen] id 3 len 15
> > *Mar 15 20:33:40.183: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:40.183: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:33:42.187: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:33:42.187: BR0/0:1 LCP: O CONFREQ [REQsent] id 4 len 15
> > *Mar 15 20:33:42.187: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:42.187: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:33:44.203: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:33:44.203: BR0/0:1 LCP: O CONFREQ [REQsent] id 5 len 15
> > *Mar 15 20:33:44.203: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:44.203: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:33:46.219: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:33:46.219: BR0/0:1 LCP: O CONFREQ [REQsent] id 6 len 15
> > *Mar 15 20:33:46.219: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:46.219: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:33:48.235: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:33:48.235: BR0/0:1 LCP: O CONFREQ [REQsent] id 7 len 15
> > *Mar 15 20:33:48.235: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:48.235: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:33:48.259: ISDN BR0/0 Q921: User TX -> RRp sapi=0 tei=65 nr=1
> > *Mar 15 20:33:48.271: ISDN BR0/0 Q921: User RX <- RRf sapi=0 tei=65 nr=1
> > *Mar 15 20:33:50.251: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:33:50.251: BR0/0:1 LCP: O CONFREQ [REQsent] id 8 len 15
> > *Mar 15 20:33:50.251: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:50.251: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:33:52.267: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:33:52.267: BR0/0:1 LCP: O CONFREQ [REQsent] id 9 len 15
> > *Mar 15 20:33:52.267: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:52.267: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:33:54.283: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:33:54.283: BR0/0:1 LCP: O CONFREQ [REQsent] id 10 len 15
> > *Mar 15 20:33:54.283: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:54.283: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:33:56.299: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:33:56.299: BR0/0:1 LCP: O CONFREQ [REQsent] id 11 len 15
> > *Mar 15 20:33:56.299: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:56.299: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:33:58.271: ISDN BR0/0 Q921: User RX <- RRp sapi=0 tei=65 nr=1
> > *Mar 15 20:33:58.275: ISDN BR0/0 Q921: User TX -> RRp sapi=0 tei=65 nr=1
> > *Mar 15 20:33:58.275: ISDN BR0/0 Q921: User TX -> RRf sapi=0 tei=65 nr=1
> > *Mar 15 20:33:58.287: ISDN BR0/0 Q921: User RX <- RRf sapi=0 tei=65 nr=1
> > *Mar 15 20:33:58.315: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:33:58.315: BR0/0:1 LCP: O CONFREQ [REQsent] id 12 len 15
> > *Mar 15 20:33:58.315: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
> > *Mar 15 20:33:58.315: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
> > *Mar 15 20:34:00.331: BR0/0:1 LCP: Timeout: State REQsent
> > *Mar 15 20:34:00.331: BR0/0:1 DDR: disconnecting call
> > *Mar 15 20:34:00.331: BR0/0:1 LCP: State is Listen
> > *Mar 15 20:34:00.331: ISDN BR0/0 EVENT: UserIdle: callid 0x10A received
> > ISDN_HANGUP (0x1)
> > *Mar 15 20:34:00.331: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected
> > from ********* , call lasted 22 seconds
> > *Mar 15 20:34:00.335: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=1
> > nr=1
> > *Mar 15 20:34:00.339: ISDN BR0/0 Q931: DISCONNECT *censuré* = 8 callref =
> > 0xE6
> > Cause i = 0x8790 - Normal call clearing
> > *Mar 15 20:34:00.355: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=2
> > *Mar 15 20:34:00.443: ISDN BR0/0 Q921: User RX <- INFO sapi=0 tei=65, ns=1
> > nr=2
> > *Mar 15 20:34:00.443: ISDN BR0/0 Q931: RELEASE *censuré* = 8 callref = 0x66
> > *Mar 15 20:34:00.447: ISDN BR0/0 Q921: User TX -> RR sapi=0 tei=65 nr=2
> > *Mar 15 20:34:00.451: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A
> > calltype 1 HOST_DISCONNECT_ACK
> > *Mar 15 20:34:00.451: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to
> > down
> > *Mar 15 20:34:00.451: BR0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
> > *Mar 15 20:34:00.455: %DIALER-6-UNBIND: Interface BR0/0:1 unbound from
> > profile Di0
> > *Mar 15 20:34:00.459: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A
> > calltype 1 HOST_DISCONNECT_ACK
> > *Mar 15 20:34:00.459: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=2
> > nr=2
> > *Mar 15 20:34:00.459: ISDN BR0/0 Q931: RELEASE_COMP *censuré* = 8 callref =
> > 0xE6
> > Shift to Codeset 6
> > Codeset 6 IE 0x24 i = 0x80
> > *Mar 15 20:34:00.463: BR0/0:1 PPP: Sending Acct Event[Down] id[7C]
> > *Mar 15 20:34:00.463: BR0/0:1 LCP: State is Closed
> > *Mar 15 20:34:00.463: BR0/0:1 PPP: Phase is DOWN
> > *Mar 15 20:34:00.479: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=3
> > *Mar 15 20:34:04.479: ISDN BR0/0 Q921: User RX <- DISCp sapi=0 tei=65
> > *Mar 15 20:34:04.479: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0, TEI
> > 65 changed to down
> > *Mar 15 20:34:04.483: ISDN BR0/0 Q921: User TX -> UAf sapi=0 tei=65
> > *Mar 15 20:34:34.523: ISDN BR0/0 EVENT: service_queue_from_physical_layer:
> > Recvd L1 prim 5 state is 1
> > *Mar 15 20:34:34.947: ISDN BR0/0 EVENT: service_queue_from_physical_layer:
> > Recvd L1 prim 3 state is 2
> > *Mar 15 20:34:34.947: ISDN BR0/0 EVENT: isdn_sw_cstate: State = 0, Old State
> > = 4
> > *Mar 15 20:34:34.951: ISDN BR0/0 Q931: L3_ShutDown: Shutting down ISDN Layer
> > 3
> >
> >
> > here is my cisco's show run:
> >
> > Building configuration...
> >
> > Current configuration : 2191 bytes
> > !
> > version 12.3
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname sw-adm.**********
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > enable secret 5
> > !
> > no aaa new-model
> > ip subnet-zero
> > ip cef
> > !
> > !
> > no ip domain lookup
> > !
> > ip dhcp pool secret
> >  network 10.1.76.0 255.255.255.240
> >  default-router 10.1.76.1
> > !
> > isdn switch-type vn3
> > !
> > username username privilege 0 secret 5 > > username user privilege 0 secret 5 > > username username2 password 0 > > ! > > ! > > ! > > ! > > interface Loopback1 > > ip address 172.16.1.1 255.255.255.0 > > no ip mroute-cache > > ! > > interface FastEthernet0/0 > > ip address 10.1.75.19 255.255.255.0 > > no ip route-cache cef > > no ip route-cache > > duplex auto > > speed auto > > ! > > interface BRI0/0 > > no ip address > > encapsulation ppp > > dialer pool-member 1 > > isdn switch-type vn3 > > isdn incoming-voice data 64 > > no peer default ip address > > ppp authentication chap > > ! > > interface Serial0/0 > > no ip address > > ! > > interface Dialer0 > > ip address negotiated > > encapsulation ppp > > dialer pool 1 > > dialer remote-name username2 > > ! > > no ip http server > > ip classless > > ! > > ! > > access-list 12 permit 10.1.75.20 > > access-list 100 permit tcp host 10.1.75.20 any eq telnet log > > access-list 100 deny ip any any log > > dialer-list 1 protocol ip permit > > banner login ^Cc > > Good luck^C > > ! > > line con 0 > > privilege level 0 > > login local > > line 33 64 > > session-timeout 20 > > exec-timeout 0 0 > > no exec > > transport input all > > line aux 0 > > session-timeout 20 > > exec-timeout 0 0 > > no exec > > transport input all > > line vty 0 4 > > access-class 100 in > > exec-timeout 0 0 > > privilege level 0 > > login local > > transport input telnet > > line vty 5 15 > > login local > > ! > > ! > > end > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From eng_mssk at hotmail.com Tue Jan 5 08:55:14 2010 
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 5 Jan 2010 15:55:14 +0200
Subject: [c-nsp] Load Balancing

hi all
i have 2 web servers connecting to one of the LAN switches
i am thinking of implementing HSRP for outgoing traffic, that's right ??
the 2 servers are connected via cross cable as well for making data transfer as fast as possible
now what i want to do from my routers is that when requesting a web page hosted on the 2 sites, can i make a load balancer using a normal router ??
if one of the 2 web servers is down can i redirect the request to the other one in case of failure ?

From jeff-kell at utc.edu Tue Jan 5 09:46:18 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 05 Jan 2010 09:46:18 -0500
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <20100105102608.GC5984@lboro.ac.uk>
References: <20100105102608.GC5984@lboro.ac.uk>
Message-ID: <4B4350BA.3010604@utc.edu>

On 1/5/2010 5:26 AM, Alan Buxey wrote:
> hi,
>
> we've had an issue with certain IOS - now running 12.2(44)SE6 - on the 3550
> platform.

Yes, 12.2(44)SE6 is the last "officially supported" release for all but the DC-powered 3550 (the only one not EOS/EOL). I've heard of others running later versions, but this is the first I've heard of "interesting results", only compounding my paranoia :-)

Jeff

From jshearer at amedisys.com Tue Jan 5 09:46:09 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Tue, 5 Jan 2010 08:46:09 -0600
Subject: [c-nsp] Load Balancing

What switching platform are you using?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Tuesday, January 05, 2010 7:55 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Load Balancing

hi all
i have 2 web servers connecting to one of the LAN switches
i am thinking of implementing HSRP for outgoing traffic, that's right ??
the 2 servers are connected via cross cable as well for making data transfer as fast as possible
now what i want to do from my routers is that when requesting a web page hosted on the 2 sites, can i make a load balancer using a normal router ??
if one of the 2 web servers is down can i redirect the request to the other one in case of failure ?

From gsgranados at comcast.net Tue Jan 5 10:02:03 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 5 Jan 2010 07:02:03 -0800
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
References: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com> <00a501ca8dd8$f4eb15a0$dec140e0$@info>

The memory impact isn't that bad, and one person's overkill is another person's good planning ahead of time. Why not do something right the first time and prevent the redesign / reconfiguration down the road, which makes things that much more tricky in the long term? I can't tell you how many messes I get dragged into that need cleaning up because someone took the up-front shortcuts. We're not talking about rocket science here; from the atlantic.net address and from Drew's long history on the list I assumed (and I think correctly) that there was the required clue there and justified need.

----- Original Message -----
From: "Ivan Pepelnjak"
To: "'Scott Granados'" ; "'Drew Weaver'" ; "'Cisco-nsp'"
Sent: Monday, January 04, 2010 11:30 PM
Subject: RE: [c-nsp] BGP - Announcing routes to Internet providers.

Let's back up a step and ask the questions we should have been asking in the first place:

* Are you an end-user or a Service Provider (a somewhat reliable answer could be gleaned from Drew's e-mail address)?
* What's the size of your network?
* How many uplinks do you have?
* How far apart are your uplinks?

If it turns out Drew's uplinks are close together, all the beautiful design ideas presented here are a huge overkill.

And, BTW, I wish those of you that propose redistributing connected and static routes into BGP a huge budget you'll need to upgrade RAM and TCAM of your routers/switches when everyone decides (after reading this mailing list :) that following your recommendations unconditionally is a good idea :D

Ivan

> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Monday, January 04, 2010 10:03 PM
> To: Drew Weaver; Cisco-nsp
> Subject: Re: [c-nsp] BGP - Announcing routes to Internet providers.
>
> Drew, network statements are for the weak. :)
> (I'm kidding of course) but there is a better way.
> You should use community tagging in combination with prefix lists and
> route maps. The idea is that you announce routes according to a tag and
> the behavior of the announcements depends on the specific tag applied. For
> example, you could tag routes as peers, transits, global announce, etc. and
> formulate the type of feeds you give your customers by filtering against
> communities, so if a customer wants peers and customers only you could
> match the two appropriate community tags. This also allows you to tag the
> communities you globally announce uniquely and make the announcements in a
> unified way at your edges. If you accompany this method with the
> appropriate redistribute static, redistribute connected, etc. and use
> route maps to control this behavior, you can remove the need for network
> statements completely and greatly decrease the things you need to modify
> and, as a result, the possible mistakes. The other upside here is you can
> mark your more specifics as do-not-export and better control traffic
> internally, directing the traffic in your example. It also allows you to
> accept communities from your customers and have automatic actions taken
> based on the tags they apply. Let me know if you need some configuration
> examples.
>
>
> ----- Original Message -----
> From: "Drew Weaver"
> To: "Cisco-nsp"
> Sent: Monday, January 04, 2010 12:35 PM
> Subject: [c-nsp] BGP - Announcing routes to Internet providers.
>
> > Howdy,
> >
> > I am trying to figure out if there is a different/newer/better(?) way to
> > announce our public IP ranges to our Internet providers. Currently we are
> > declaring our subnets in 'network statements' in the BGP configuration, we
> > have static routes set up like ip route x.x.x.x 255.255.224.0 Null0 254 and
> > then we have an extended access-list applied to each peer with our net
> > blocks listed in them.
> >
> > It appears that because of the network statements, the supernet routes
> > (/18s, /19s, etc) are being distributed via BGP to the rest of the network,
> > which is by design (I assume). This doesn't seem ideal because if traffic
> > is sent to an IP address that doesn't have a more specific route than, say,
> > /18 or /19, it travels all the way through the network to the edge before
> > stopping. I might be blowing the impact of this out of proportion, but it
> > just seems like a waste of resources.
> >
> > Does anyone know of a seemingly more sensible way of doing this?
> >
> > -Drew
> >
>

From chris.garzon at gmail.com Tue Jan 5 11:17:02 2010
From: chris.garzon at gmail.com (Dracul)
Date: Wed, 6 Jan 2010 00:17:02 +0800
Subject: [c-nsp] BGP ip addresses re-route to specific link
In-Reply-To: <002c01ca8de5$88bd6060$9a382120$@info>
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com> <002c01ca8de5$88bd6060$9a382120$@info>
Message-ID: <876789291001050817p57cdc3dbgd0b6dc7da9fb8656@mail.gmail.com>

> you can use "BGP Conditional Route Injection" to generate the /28. (it
> shud be a child subnet out of the parent /24). then filter the prefixes to
> select which all upstreams shud receive this injected subnet.

thanks swap will explore your suggestion.

> Be aware that many (most) ISPs would filter subnets longer than /24, so
> your /28 would be most likely filtered (even if your direct upstream
> would send it through).
> Arie

Thanks arie, will keep it in mind.

On Tue, Jan 5, 2010 at 5:00 PM, Ivan Pepelnjak wrote:

> Are you trying to do destination-based routing (packet TO specific address
> should go over specific link) or source-based routing (packet FROM specific
> /28 should go over specific upstream link)?

Hi Ivan, I guess both. i just want to have a specific ip block traffic contained to a specific link (the ip addresses are broadcast under BGP)

regards,
Chris

> -----Original Message-----
> > From: Dracul [mailto:chris.garzon at gmail.com]
> > Sent: Tuesday, January 05, 2010 8:05 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] BGP ip addresses re-route to specific link
> >
> > Hi there,
> >
> > I was wondering if you could do a segregate route, for specific ip
> > addresses under BGP going only to a specific link.
> > for example if I have /24 default route BGP pool and I want only /28 ip
> > addresses using upstream1 and not by any
> > account go through upstream2. The rest would still be using the usual BGP
> > routing behavior. Thanks!
> >
> > regards,
> > Chris
> >

From justin at justinshore.com Tue Jan 5 11:49:41 2010
From: justin at justinshore.com (Justin Shore)
Date: Tue, 05 Jan 2010 10:49:41 -0600
Subject: [c-nsp] IS-IS Ethertype
Message-ID: <4B436DA5.9000007@justinshore.com>

Hey guys. I hope you all had a good holiday break.

Does anyone know for sure what the Ethertype is for the CLNS packets? I've found a couple of IETF drafts that talk about it to a degree:

http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01
http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01

They imply that for packet sizes under 1500 CLNS uses the standard IEEE 802.3 ethertypes. The drafts specifically address packets over 1500 bytes though. One suggests 0x8872 and the other suggests 0x8870. I can't find anything definitive though.

I'm trying to think what all could affect the Ethertype for IS-IS. MPLS won't. LAGs might (I can't find anything about the Ethertype for PAgP or LACP either). Nothing else comes to mind though.

Can anyone tell me for sure what the Ethertype is on IS-IS packets?

Thanks
Justin

From gsgranados at comcast.net Tue Jan 5 12:12:09 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 5 Jan 2010 09:12:09 -0800
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
References: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com> <00a501ca8dd8$f4eb15a0$dec140e0$@info> <20100105170333.GA12729@radiological.warningg.com>
Message-ID: <011d01ca8e2a$3f2d1450$2408120a@am.thmulti.com>

Brandon, you nailed it exactly and much better put.

----- Original Message -----
From: "Brandon Ewing"
To: "Ivan Pepelnjak"
Cc: "'Scott Granados'" ; "'Drew Weaver'" ; "'Cisco-nsp'"
Sent: Tuesday, January 05, 2010 9:03 AM
Subject: Re: [c-nsp] BGP - Announcing routes to Internet providers.

From ip at ioshints.info Tue Jan 5 12:47:40 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 5 Jan 2010 18:47:40 +0100
Subject: [c-nsp] BGP ip addresses re-route to specific link
In-Reply-To: <876789291001050817p57cdc3dbgd0b6dc7da9fb8656@mail.gmail.com>
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com> <002c01ca8de5$88bd6060$9a382120$@info> <876789291001050817p57cdc3dbgd0b6dc7da9fb8656@mail.gmail.com>
Message-ID: <004201ca8e2f$2e800770$8b801650$@info>

Inbound traffic: advertise /28 to upstream2. It will not get very far, though, so it's questionable whether it will leak over to upstream1 and influence the return traffic coming from upstream1.

Outbound traffic: policy routing seems to be the quickest (and the dirtiest ;) solution. Getting it to work if the exit points are too far apart is a nightmare.

If you're OK with the /28 being very tightly bound to the specific uplink (i.e. no connectivity when the uplink is down), there are a few MPLS VPN tricks you could use.

Ivan

> -----Original Message-----
> From: Dracul [mailto:chris.garzon at gmail.com]
> Sent: Tuesday, January 05, 2010 5:17 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP ip addresses re-route to specific link
>
> > you can use "BGP Conditional Route Injection" to generate the /28. (it
> > shud be a child subnet out of the parent /24). then filter the prefixes to
> > select which all upstreams shud receive this injected subnet.
>
> thanks swap will explore your suggestion.
>
> > Be aware that many (most) ISPs would filter subnets longer than /24, so
> > your /28 would be most likely filtered (even if your direct upstream
> > would send it through).
> > Arie
>
> Thanks arie, will keep it in mind.
>
> On Tue, Jan 5, 2010 at 5:00 PM, Ivan Pepelnjak wrote:
>
> > Are you trying to do destination-based routing (packet TO specific
> > address should go over specific link) or source-based routing (packet FROM
> > specific /28 should go over specific upstream link)?
>
> Hi Ivan, I guess both. i just want to have a specific ip block traffic
> contained to a specific link (the ip addresses are broadcast under BGP)
>
> regards,
> Chris
>
> > -----Original Message-----
> > > From: Dracul [mailto:chris.garzon at gmail.com]
> > > Sent: Tuesday, January 05, 2010 8:05 AM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] BGP ip addresses re-route to specific link
> > >
> > > Hi there,
> > >
> > > I was wondering if you could do a segregate route, for specific ip
> > > addresses under BGP going only to a specific link.
> > > for example if I have /24 default route BGP pool and I want only /28 ip
> > > addresses using upstream1 and not by any
> > > account go through upstream2. The rest would still be using the usual BGP
> > > routing behavior. Thanks!
> > >
> > > regards,
> > > Chris
> > >

From jlewis at lewis.org Tue Jan 5 12:58:45 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 5 Jan 2010 12:58:45 -0500 (EST)
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <20100105102608.GC5984@lboro.ac.uk>
References: <20100105102608.GC5984@lboro.ac.uk>

On Tue, 5 Jan 2010, Alan Buxey wrote:

> we've had an issue with certain IOS - now running 12.2(44)SE6 - on the 3550
> platform.
>
> note...there is a newer IOS floating around - 12.2(50)SE-somesuch..but that
> seems to only be relevant for the 3550-24td or such specific version - dont
> run it on any other one as, though it appears to work, you get some interesting
> results! ;-)

I noticed that one when looking at newer IOS's not too long ago. I assumed it was only released "for" a specific version of the 3550-24 because that's the only model left of the 3550 family that's not reached EOL. I saw that it would boot on a 3550-48, but didn't go any further with it than watching it boot. What goes wrong with it?

> any reason for lurking down in the 12.1EA release train?

Have you looked at the difference in RAM usage between 12.1EA and 12.2SE? I suppose most of the RAM on a 3550 doesn't get used / won't get used...so 15MB or 20MB free vs 40MB free really doesn't matter.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jlewis at lewis.org Tue Jan 5 13:00:58 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 5 Jan 2010 13:00:58 -0500 (EST)
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3D92@LMC-MAIL2.exempla.org>
References: <4B424B2A.3060406@uk.clara.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3D92@LMC-MAIL2.exempla.org>

On Mon, 4 Jan 2010, Matlock, Kenneth L wrote:

> Do you have traffic graphs during this timeframe? Maybe a DDOS at or
> through these boxes tied up the available memory. Especially since 'I/O'
> was the pool it was trying to grab from at the time?

Actually, after studying more of the graphs, I think this may have been a very brief failure in STP.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From nicotine at warningg.com Tue Jan 5 12:03:33 2010
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 5 Jan 2010 11:03:33 -0600
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To: <00a501ca8dd8$f4eb15a0$dec140e0$@info>
References: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com> <00a501ca8dd8$f4eb15a0$dec140e0$@info>
Message-ID: <20100105170333.GA12729@radiological.warningg.com>

On Tue, Jan 05, 2010 at 08:30:27AM +0100, Ivan Pepelnjak wrote:
>
> And, BTW, I wish those of you that propose redistributing connected and static routes into BGP a huge budget you'll need to upgrade RAM and TCAM of your routers/switches when everyone decides (after reading this mailing list :) that following your recommendations unconditionally is a good idea :D
>
> Ivan
>

I believe Scott was advocating using redistribution with route-maps to community tag internal-only routes as no-export or similar to prevent sending them to their upstreams. This is a way to keep customer prefixes in iBGP instead of your IGP. Your actual global announcements can be tagged with communities when generated (either by redistribution, or network statements with route-maps) to be matched by per-eBGP-peer route-maps to influence (prepend, block, allow, change MED, tag with provider community) their behavior.

This provides more control over your actual global announcements, and provides much more information regarding your actual customer prefixes as Scott stated when announcing to peers or other customers, especially if you publish a BGP community document for them to reference. (See extremely long NANOG thread from Oct/Nov regarding upstream community support)

Regarding Drew's initial question -- unless you are seeing significant enough traffic to your unassigned address space to cause actual congestion or network issues, there really isn't a performance problem.
If it is, the suggestion of setting the next-hop for your static hold-down routes to an IP that is routed to Null0 on all your edge routers (192.0.2.1 is what I commonly see listed in remote-blackholing documents) would cause the traffic to be dropped at the ingress edge instead of crossing your network from ingress to where the announcement is sourced.

--
Brandon Ewing (nicotine at warningg.com)

From ip at ioshints.info Tue Jan 5 13:23:02 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 5 Jan 2010 19:23:02 +0100
Subject: [c-nsp] IS-IS Ethertype
In-Reply-To: <4B436DA5.9000007@justinshore.com>
References: <4B436DA5.9000007@justinshore.com>
Message-ID: <004601ca8e34$1efcd490$5cf67db0$@info>

This might help: http://wiki.nil.com/IS-IS_in_OSI_protocol_stack

The drafts you've found deal with the fact that LLC1 packets (those that don't use Ethertypes) cannot use the "length" field higher than 1500 (otherwise the differentiation between LLC1 and Ethernet-II breaks down).

Ivan

> -----Original Message-----
> From: Justin Shore [mailto:justin at justinshore.com]
> Sent: Tuesday, January 05, 2010 5:50 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IS-IS Ethertype
>
> Hey guys. I hope you all had a good holiday break.
>
> Does anyone know for sure what the Ethertype is for the CLNS packets?
> I've found a couple of IETF drafts that talk about it to a degree:
>
> http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01
> http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01
>
> They imply that for packet sizes under 1500 CLNS uses the standard
> IEEE 802.3 ethertypes. The drafts specifically address packets over
> 1500 bytes though. One suggests 0x8872 and the other suggests 0x8870.
> I can't find anything definitive though.
>
> I'm trying to think what all could affect the Ethertype for IS-IS. MPLS
> won't. LAGs might (I can't find anything about the Ethertype for PAgP or
> LACP either). Nothing else comes to mind though.
>
> Can anyone tell me for sure what the Ethertype is on IS-IS packets?
>
> Thanks
> Justin

From A.L.M.Buxey at lboro.ac.uk Tue Jan 5 14:46:04 2010
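Ivan's explanation above (an LLC1 frame cannot carry a length above 1500 without breaking the LLC1/Ethernet-II distinction), worked as an added Python example; this is not code from the thread. It reads the type/length field the way a receiver does and shows what a receiver would make of an IS-IS 802.3/LLC frame whose payload exceeds 1500 bytes. The MAC addresses and sample payloads are constructed; the LLC values 0xFE/0xFE/0x03 and NLPID 0x83 are the standard ISO 10589 encapsulation, not something taken from the thread.

```python
"""Ethernet II vs IEEE 802.3/LLC demultiplexing, and the 1500-byte limit.

Added example, not code from the cisco-nsp thread. Sample frames are
constructed inline. IS-IS constants follow ISO 10589.
"""
import struct

ETHERTYPE_MIN = 0x0600       # 1536 and above: Ethernet II type field
MAX_8023_LENGTH = 1500       # 1500 and below: IEEE 802.3 length field
LSAP_ISO_NETWORK = 0xFE      # LLC SAP for the OSI network layer (CLNP, IS-IS)
LLC_UI = 0x03                # LLC1 unnumbered-information control byte
NLPID_ISIS = 0x83            # first byte of every IS-IS PDU

MAC_A = bytes.fromhex("0180c2000014")   # AllL1ISs multicast (constructed sample)
MAC_B = bytes.fromhex("0000aa000001")   # constructed source address


def classify_frame(frame: bytes) -> dict:
    """Interpret the two bytes after the MAC addresses the way a receiver must.

    Raises ValueError for truncated frames or the reserved 1501..1535 range.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= ETHERTYPE_MIN:
        # Ethernet II: the field names the payload protocol directly.
        return {"encap": "ethernet-ii", "ethertype": type_or_len,
                "payload": frame[14:]}
    if type_or_len > MAX_8023_LENGTH:
        raise ValueError(f"reserved type/length value 0x{type_or_len:04x}")
    # IEEE 802.3: the field is a byte count; the protocol is named by LLC.
    payload = frame[14:14 + type_or_len]
    if len(payload) < type_or_len or len(payload) < 3:
        raise ValueError("802.3 length field does not fit the frame")
    dsap, ssap, control = payload[0], payload[1], payload[2]
    info = {"encap": "802.3/llc", "length": type_or_len, "dsap": dsap,
            "ssap": ssap, "control": control, "is_isis": False}
    if (dsap, ssap, control) == (LSAP_ISO_NETWORK, LSAP_ISO_NETWORK, LLC_UI) \
            and len(payload) > 3:
        info["nlpid"] = payload[3]
        info["is_isis"] = payload[3] == NLPID_ISIS
    return info


def isis_llc_payload(pdu_body: bytes) -> bytes:
    """LLC header followed by an IS-IS PDU (its first byte is the NLPID)."""
    return bytes([LSAP_ISO_NETWORK, LSAP_ISO_NETWORK, LLC_UI, NLPID_ISIS]) + pdu_body


def build_8023_llc(dst: bytes, src: bytes, llc_payload: bytes) -> bytes:
    """Build an 802.3 frame; refuse payloads the length field cannot express."""
    if len(llc_payload) > MAX_8023_LENGTH:
        raise ValueError(
            f"{len(llc_payload)} bytes cannot be an 802.3 length: "
            f"0x{len(llc_payload):04x} would be read as an Ethertype")
    return dst + src + struct.pack("!H", len(llc_payload)) + llc_payload


def oversized_isis_frame_misreads_as(pdu_body_len: int) -> int:
    """Force a length above 1500 into the field anyway and return the
    Ethertype a receiver would believe it saw (the breakdown Ivan describes)."""
    payload = isis_llc_payload(b"\x00" * pdu_body_len)
    forced = MAC_A + MAC_B + struct.pack("!H", len(payload)) + payload
    return classify_frame(forced)["ethertype"]


if __name__ == "__main__":
    small = build_8023_llc(MAC_A, MAC_B, isis_llc_payload(b"\x00" * 40))
    print(classify_frame(small))          # 802.3/llc, length 44, is_isis True
    ipv4 = MAC_A + MAC_B + b"\x08\x00" + b"\x45" + b"\x00" * 19
    print(classify_frame(ipv4)["encap"])  # ethernet-ii
    try:
        build_8023_llc(MAC_A, MAC_B, isis_llc_payload(b"\x00" * 1600))
    except ValueError as err:
        print("refused:", err)
    print(hex(oversized_isis_frame_misreads_as(1600)))  # 0x644
```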
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 5 Jan 2010 19:46:04 +0000
Subject: [c-nsp] 3550 IO memory fragmentation
References: <20100105102608.GC5984@lboro.ac.uk>
Message-ID: <20100105194604.GC7545@lboro.ac.uk>

Hi,

> EOL. I saw that it would boot on a 3550-48, but didn't go any further
> with it than watching it boot. What goes wrong with it?

loss of access to management interface, failure of spanning-tree calculations, memory leak with SNMP polling - these are the basic things I noted before a quick change - some of these things take a few days to happen though, so at first all seems well.

> > any reason for lurking down in the 12.1EA release train?
>
> Have you looked at the difference in RAM usage between 12.1EA and 12.2SE?
> I suppose most of the RAM on a 3550 doesn't get used / won't get used...so
> 15MB or 20MB free vs 40MB free really doesn't matter.

ah - yes - some of the functions chew up more memory but that's a given..at least they have the memory for that (and not much more if you do more than basic L3 stuff on them!) ;-)

alan

From jared.a.gillis at gmail.com Tue Jan 5 17:26:25 2010
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Tue, 05 Jan 2010 14:26:25 -0800
Subject: [c-nsp] Fiber SFPs generating voltage threshold violation errors
Message-ID: <4B43BC91.9020502@gmail.com>

Hi all,
I've got some ME3400Gs with CWDM SFPs, and some of them are causing errors to be logged:

Jan  5 14:21:30.087 PST: %SFF8472-5-THRESHOLD_VIOLATION: Gi0/1: Voltage high warning; Operating value: 3.56 V, Threshold value: 3.50 V.

These SFPs are not Cisco official, which I think is the source of the errors. Is this a serious problem? The SFPs appear to work just fine. If this is purely cosmetic, does anyone know how to suppress these log messages?

Thanks!
--
Jared

From lukasz at bromirski.net Tue Jan 5 17:40:01 2010
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 05 Jan 2010 23:40:01 +0100
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <20100105102608.GC5984@lboro.ac.uk>
References: <20100105102608.GC5984@lboro.ac.uk>
Message-ID: <4B43BFC1.5030106@bromirski.net>

On 2010-01-05 11:26, Alan Buxey wrote:
> note...there is a newer IOS floating around - 12.2(50)SE-somesuch..but that
> seems to only be relevant for the 3550-24td or such specific version - dont
> run it on any other one as, though it appears to work, you get some interesting
> results! ;-)

What kind of results? Any strange results would be a bug both for the non-supported versions and the only supported -DC version, but yes, if it's not supported, one way or another Cisco won't support the box. The 3550 pieces apart from 3550-12T and 3550-12G are built using the same ASICs and architecture; the DC differs only in the power supply mounted.

Just FYI:

c3550-sw1#sh ver | i IOS|WS-C3550
Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Cisco WS-C3550-48 (PowerPC) processor (revision L0) with 65526K/8192K bytes of memory.
Model number: WS-C3550-48-EMI

This is one of my lab Cats (I have 8 of them) that went through various services tests, including preparing content for CCIE R&S and SP bootcamp, and it did behave correctly.

--
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From mcaudill at cisco.com Tue Jan 5 19:10:40 2010
From: mcaudill at cisco.com (Mike Caudill)
Date: Tue, 05 Jan 2010 19:10:40 -0500
Subject: [c-nsp] understanding ping ipv6 output
In-Reply-To: <4B410022.8040508@forthnet.gr>
References: <4B40EE7A.8060200@gmx.de> <4B410022.8040508@forthnet.gr>
Message-ID: <4B43D500.3050306@cisco.com>

On 1/3/10 3:37 PM, Tassos Chatzithomaoglou wrote:
> http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_10.html#wp2269378
>
>
> Although "C" doesn't seem to be there.
>

I believe that the C is for Corrupted. Bad checksum on the ping reply or some other corruption to it.

-Mike-

--
Mike Caudill
PSIRT Incident Manager
DSS PGP: 0xEBBD5271
+1.919.392.2855 / +1.919.522.4931 (cell)
http://www.cisco.com/go/psirt

From gert at greenie.muc.de Wed Jan 6 07:34:38 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 6 Jan 2010 13:34:38 +0100
Subject: [c-nsp] Cisco 2600 ISDN
In-Reply-To: <97699e7b1001050551o73425880pf99839f53c178a4a@mail.gmail.com>
References: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com> <6DD0AA69-30FD-454E-96FB-437D9717C5EC@puck.nether.net> <97699e7b1001050551o73425880pf99839f53c178a4a@mail.gmail.com>
Message-ID: <20100106123438.GT857@greenie.muc.de>

Hi,

On Tue, Jan 05, 2010 at 02:51:05PM +0100, ioluz wrote:
> The very strange point is the fact that i didn't see any I CONFREQ in the
> debug output, isn't it ?

Indeed. Seems as if the windows side doesn't know that it should do PPP.

gert
--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From dmitry at dmitry.net Wed Jan 6 07:56:36 2010
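Gert's observation (no "I CONFREQ" anywhere in the debug) as an added Python example, not code from the thread: it scans "debug ppp negotiation" output of the shape posted earlier in this thread, counts LCP packets by direction and reports whether the peer ever sent anything. SAMPLE is a short excerpt of that debug with the repeated CONFREQ retries trimmed; HEALTHY is a constructed successful negotiation for contrast.

```python
"""Summarise LCP negotiation from Cisco 'debug ppp negotiation' output.

Added example, not code from the cisco-nsp thread. SAMPLE is an excerpt of
the debug posted in the thread; HEALTHY is a constructed counter-example.
"""
import re
from collections import Counter

# e.g. "*Mar 15 20:33:40.183: BR0/0:1 LCP: O CONFREQ [Listen] id 3 len 15"
LCP_PACKET = re.compile(
    r"(?P<iface>\S+) LCP: (?P<dir>[IO]) "
    r"(?P<code>CONF(?:REQ|ACK|NAK|REJ)|TERM(?:REQ|ACK)|ECHOREQ|ECHOREP)"
    r" \[(?P<state>\w+)\] id (?P<id>\d+)")
LCP_TIMEOUT = re.compile(r"LCP: Timeout: State (?P<state>\w+)")
DDR_DISCONNECT = re.compile(r"DDR: disconnecting call")

SAMPLE = """\
*Mar 15 20:33:38.187: BR0/0:1 PPP: Phase is ESTABLISHING, Passive Open
*Mar 15 20:33:38.187: BR0/0:1 LCP: State is Listen
*Mar 15 20:33:40.179: BR0/0:1 LCP: Timeout: State Listen
*Mar 15 20:33:40.183: BR0/0:1 LCP: O CONFREQ [Listen] id 3 len 15
*Mar 15 20:33:40.183: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:42.187: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:42.187: BR0/0:1 LCP: O CONFREQ [REQsent] id 4 len 15
*Mar 15 20:33:44.203: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:44.203: BR0/0:1 LCP: O CONFREQ [REQsent] id 5 len 15
*Mar 15 20:34:00.331: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:34:00.331: BR0/0:1 DDR: disconnecting call
*Mar 15 20:34:00.331: BR0/0:1 LCP: State is Listen
"""

# Constructed: what the same debug looks like when the peer answers.
HEALTHY = """\
*Mar 15 21:00:00.000: BR0/0:1 LCP: O CONFREQ [Listen] id 1 len 15
*Mar 15 21:00:00.010: BR0/0:1 LCP: I CONFREQ [REQsent] id 1 len 10
*Mar 15 21:00:00.010: BR0/0:1 LCP: O CONFACK [REQsent] id 1 len 10
*Mar 15 21:00:00.020: BR0/0:1 LCP: I CONFACK [ACKsent] id 1 len 15
*Mar 15 21:00:00.020: BR0/0:1 LCP: State is Open
"""


def analyze_lcp(debug_text: str) -> dict:
    """Count LCP packets per direction and give a one-line verdict."""
    sent, received = Counter(), Counter()
    timeouts = 0
    disconnected = False
    for line in debug_text.splitlines():
        m = LCP_PACKET.search(line)
        if m:
            (sent if m["dir"] == "O" else received)[m["code"]] += 1
        elif LCP_TIMEOUT.search(line):
            timeouts += 1
        elif DDR_DISCONNECT.search(line):
            disconnected = True

    if received:
        verdict = ("peer is running LCP; inspect any CONFNAK/CONFREJ options "
                   "for the mismatch")
    elif sent["CONFREQ"]:
        # Only outgoing CONFREQs, each followed by a timeout: the peer never
        # spoke LCP even though the call itself connected.
        verdict = ("no incoming LCP packet at all: the remote end never started "
                   "PPP on this call, even though the B-channel connected")
    else:
        verdict = "no LCP exchange seen"
    return {
        "sent": dict(sent),
        "received": dict(received),
        "timeouts": timeouts,
        "disconnected_by_ddr": disconnected,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, text in (("thread debug", SAMPLE), ("healthy", HEALTHY)):
        print(name, analyze_lcp(text))
```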
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Wed, 6 Jan 2010 14:56:36 +0200
Subject: [c-nsp] mac-address-table flags on 7600/6500
Message-ID: <20100106125636.GH9397@f17.dmitry.net>

Hello!

Could anybody explain to me the flags shown in the "show mac-address-table detail" SP output? I see traffic loss for a host with the MAC address marked "Trp=Yes". I already found the quick fix "clear mac-address-table dynamic", but the situation repeats from time to time, which is starting to bother me... Looking for the root cause and finally - the solution. :)

P.S. C7600/RSP720-3CXL under 12.2(33)SRC4. Mod.3,4,7 - 6708-3CXL

Router#remote command switch sh mac add 00e0.4cd0.a35c detail
Displaying entries from SP:
Address Type Vlan  Mac Address    Index Proto XTg Fld Age  AgeTmr RMA RM  PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0  DY   17    00e0.4cd0.a35c 342   ----  0   No  0x7F 0      No  No  Yes  Yes Yes No  No  No  0

Router#remote command module 3 sh mac add 00e0.4cd0.a35c detail
Displaying entries from DFC 3:
Address Type Vlan  Mac Address    Index Proto XTg Fld Age  AgeTmr RMA RM  PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0  DY   17    00e0.4cd0.a35c 342   ----  0   No  0x85 0      No  No  Yes  No  No  Yes No  No  0

Router#remote command module 4 sh mac add 00e0.4cd0.a35c detail
Displaying entries from DFC 4:
Address Type Vlan  Mac Address    Index Proto XTg Fld Age  AgeTmr RMA RM  PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0  DY   17    00e0.4cd0.a35c 342   ----  0   No  0x5F 0      No  No  Yes  Yes Yes No  No  No  0

Router#remote command module 7 sh mac add 00e0.4cd0.a35c detail
Displaying entries from DFC 7:
Address Type Vlan  Mac Address    Index Proto XTg Fld Age  AgeTmr RMA RM  PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0  DY   17    00e0.4cd0.a35c 342   ----  0   No  0x5F 0      No  No  Yes  Yes Yes No  No  No  0

-- 
Dmitry Kiselev

From ross at kallisti.us Wed Jan 6 09:28:06 2010
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 6 Jan 2010 09:28:06 -0500
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
Message-ID: <20100106142806.GA16336@kallisti.us>

Hi everyone,

I have a multi-VRF CE setup that is used to provide a different forwarding path for two groups of VLANs (one group has a layer 2 firewall in front of it, the other does not).

Each VRF has a physical interface uplinking to the global table and a default pointing out of that interface. The global table uplinks to the rest of the network and carries a full BGP view. All three tables have an OSPF instance. I'm trying to move these routes out of OSPF into iBGP, and IOS seems intent on foiling me.

1) There doesn't appear to be any BGP way to get a VRF route into the global table as an IPv4 route. This makes some sense, as that's basically asking to redistribute between address families - which doesn't make any sense in most cases.

2) I've tried redistributing from a VRF OSPF instance into ipv4 BGP, but IOS says no:

        lab-6506.dc3(config)#router bgp 65000
        lab-6506.dc3(config-router)#redistribute ospf 2
        %VRF specified does not match this router
        lab-6506.dc3(config-router)#redistribute ospf 2 vrf shared
        %VRF specified does not match this router

Similar for other cross-VRF redistributions.

3) I've lab'd a config where I move everything into a VRF from the global table, and then use PE-CE-ish eBGP to get the routes to the rest of the network. This works, but the AS_PATH is wrong. I could use as-override to fix this, but that isn't supported on the 6500 core routers.

4) I tried to come up with a way to get the global table's OSPF instance cut down appropriately, but most of the LSAs are type 5 since we redistribute static routes. This prevents the goal of getting the routes out of OSPF.

5) Manually duplicate every VRF static/connected route in the global table and just do the usual redistribution of statics. This seems like a very difficult config to keep in sync - about 3k prefixes with occasional additions or updates. But it does actually work.

Have I missed any options? #5 seems like the only thing that has any hope of being correct, but man, that's a pain. I might be able to live with #3, but I need to make sure that all of our tools will live with the incorrect AS_PATH.

Thanks,
Ross

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
        --Woody Guthrie

From hnyhus at gmail.com Wed Jan 6 09:44:29 2010
From: hnyhus at gmail.com (Håvard Staub Nyhus)
Date: Wed, 6 Jan 2010 15:44:29 +0100
Subject: [c-nsp] Fiber SFPs generating voltage threshold violation errors
In-Reply-To: <4B43BC91.9020502@gmail.com>
References: <4B43BC91.9020502@gmail.com>
Message-ID: <6bc4a241001060644p6b3b92e8i763194bb65e1e88e@mail.gmail.com>

> If this is purely cosmetic, does anyone know how to suppress these log messages?

You could create a message discriminator:

logging discriminator LOGFILTER mnemonics drops SFF8472-5-THRESHOLD_VIOLATION
logging buffered discriminator LOGFILTER 4096
logging console discriminator LOGFILTER
logging monitor discriminator LOGFILTER
logging host (IP) discriminator LOGFILTER

-- 
Håvard Staub Nyhus
+47 41 88 00 99

From pavel.skovajsa at gmail.com Wed Jan 6 10:05:15 2010
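The discriminator above is applied to every destination, including `logging host`, so the collector never sees the message either; a severity-3 alarm from the same SFF8472 facility carries the same mnemonic and is silenced with the warnings. The following is an added example for this thread, not IOS code, that emulates the discriminator at the collector side instead: it parses the standard `%FACILITY-SEVERITY-MNEMONIC:` tag, applies `mnemonics`/`facility`/`msg-body`/`severity` rules with IOS's `drops`/`includes` sense, and counts what it dropped so the suppression stays visible. It assumes the `mnemonics` pattern is matched against the bare mnemonic (`THRESHOLD_VIOLATION`); the log lines are constructed.

```python
"""Collector-side emulation of an IOS 'logging discriminator', so a noisy
mnemonic can be suppressed while a count of what was dropped survives.
Added example for this thread, not IOS code.  Message layout is the standard
%FACILITY-SEVERITY-MNEMONIC: text form; the log lines are constructed."""
import re
from collections import Counter

# %SFF8472-5-THRESHOLD_VIOLATION: ...  ->  facility, severity, mnemonic, text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

# Constructed sample: two SFP warnings, one SFP alarm, and unrelated messages.
SAMPLE_LOG = [
    "Jan  6 15:40:01.101: %SFF8472-5-THRESHOLD_VIOLATION: Gi1/0/1: Rx power low warning; Operating value: -20.1 dBm, Threshold value: -19.0 dBm.",
    "Jan  6 15:40:02.220: %SFF8472-5-THRESHOLD_VIOLATION: Gi1/0/2: Voltage low warning; Operating value: 3.1 V, Threshold value: 3.2 V.",
    "Jan  6 15:40:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "Jan  6 15:40:07.412: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan  6 15:40:09.003: %SFF8472-3-THRESHOLD_VIOLATION: Gi1/0/3: Temperature high alarm; Operating value: 85.0 C, Threshold value: 80.0 C.",
    "Jan  6 15:40:10.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down",
]


def parse(line):
    """Split one syslog line into its fields; None if it carries no %FAC-SEV-MNEMONIC tag."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


class Discriminator:
    """Subset of 'logging discriminator NAME {facility|mnemonics|msg-body}
    {drops|includes} REGEX' and '... severity {drops|includes} LEVELS'.
    Every rule must be satisfied for a message to pass; dropped messages
    are counted per tag so the suppression itself stays visible."""

    def __init__(self, name):
        self.name = name
        self.rules = []           # (action, predicate) pairs
        self.dropped = Counter()

    def _add(self, action, pred):
        if action not in ("drops", "includes"):
            raise ValueError("action must be 'drops' or 'includes'")
        self.rules.append((action, pred))
        return self

    def mnemonics(self, action, pattern):
        rx = re.compile(pattern)
        return self._add(action, lambda m: rx.search(m["mnemonic"]) is not None)

    def facility(self, action, pattern):
        rx = re.compile(pattern)
        return self._add(action, lambda m: rx.search(m["facility"]) is not None)

    def msg_body(self, action, pattern):
        rx = re.compile(pattern)
        return self._add(action, lambda m: rx.search(m["text"]) is not None)

    def severity(self, action, levels):
        wanted = set(levels)
        return self._add(action, lambda m: m["severity"] in wanted)

    def passes(self, msg):
        for action, pred in self.rules:
            hit = pred(msg)
            if (action == "drops" and hit) or (action == "includes" and not hit):
                return False
        return True

    def filter(self, lines):
        """Return the lines that survive; untagged lines are never dropped."""
        kept = []
        for line in lines:
            msg = parse(line)
            if msg is None or self.passes(msg):
                kept.append(line)
            else:
                self.dropped[f"%{msg['facility']}-{msg['severity']}-{msg['mnemonic']}"] += 1
        return kept


if __name__ == "__main__":
    # The thread's filter keyed on the mnemonic alone: it also hides the severity-3 alarm.
    by_mnemonic = Discriminator("LOGFILTER").mnemonics("drops", "THRESHOLD_VIOLATION")
    for line in by_mnemonic.filter(SAMPLE_LOG):
        print(line)
    print("dropped:", dict(by_mnemonic.dropped))
    # Dropping by severity instead keeps the alarm and the failed login.
    by_severity = Discriminator("NOISE").severity("drops", [5, 6, 7])
    print([parse(l)["mnemonic"] for l in by_severity.filter(SAMPLE_LOG)])
```

Run as a script it prints the three surviving lines for the mnemonic filter together with the drop counts, which is where the lost `%SFF8472-3-THRESHOLD_VIOLATION` alarm becomes visible, and then the two messages a severity-based filter keeps. On the box itself the same split is achieved by attaching the discriminator only to `logging buffered`/`console`/`monitor` and leaving `logging host` unfiltered.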
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 6 Jan 2010 16:05:15 +0100
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <20100106142806.GA16336@kallisti.us>
References: <20100106142806.GA16336@kallisti.us>
Message-ID: <323aca891001060705i7493e75cje1186290b8077eea@mail.gmail.com>

Hi Ross,

VRF route leaking is somewhat complex stuff - there appears to be scattered documentation about it around the Cisco site - see for example http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srbgprid.html

What we do to dynamically leak routing from one VRF to another is to do it with eBGP. Simply make an eBGP session between the VRFs (e.g. create a Loopback for each VRF) and send the routes across - see http://forum.nil.com/viewtopic.php?f=10&t=59&sid=9c8b6a132bfdbfd0794b69b573b1914c&start=10

Another alternative is to put the routes into the VRF BGP table and leak them with "route-target import" - see http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

To take a somewhat intelligent approach I suggest reading about the "Common services VRF" in "MPLS and VPN Architectures" by Ivan Pepelnjak and Jim Guichard - a great set of books not only about MPLS.

Hope it helps,
-pavel

On Wed, Jan 6, 2010 at 3:28 PM, Ross Vandegrift wrote:
>
> Hi everyone,
>
> I have a multi-VRF CE setup that is used to provide a different
> forwarding path for two groups of VLANs (one group has a layer 2
> firewall in front of it, the other does not).
>
> Each VRF has a physical interface uplinking to the global table and a
> default pointing out of that interface. The global table uplinks to
> the rest of the network and carries a full BGP view. All three tables
> have an OSPF instance. I'm trying to move these routes out of OSPF
> into iBGP, and IOS seems intent on foiling me.
>
> 1) There doesn't appear to be any BGP way to get a VRF route into the
> global table as an IPv4 route. This makes some sense, as that's
> basically asking to redistribute between address families - which
> doesn't make any sense in most cases.
>
> 2) I've tried redistributing from a VRF OSPF instance into ipv4
> BGP, but IOS says no:
>         lab-6506.dc3(config)#router bgp 65000
>         lab-6506.dc3(config-router)#redistribute ospf 2
>         %VRF specified does not match this router
>         lab-6506.dc3(config-router)#redistribute ospf 2 vrf shared
>         %VRF specified does not match this router
> Similar for other cross-VRF redistributions.
>
> 3) I've lab'd a config where I move everything into a VRF from the
> global table, and then use PE-CE-ish eBGP to get the routes to the rest
> of the network. This works, but the AS_PATH is wrong. I could use
> as-override to fix this, but that isn't supported on the 6500 core
> routers.
>
> 4) I tried to come up with a way to get the global table's OSPF
> instance cut down appropriately, but most of the LSAs are type 5 since
> we redistribute static routes. This prevents the goal of getting the
> routes out of OSPF.
>
> 5) Manually duplicate every VRF static/connected route in the global
> table and just do the usual redistribution of statics. This seems
> like a very difficult config to keep in sync - about 3k prefixes with
> occasional additions or updates. But it does actually work.
>
> Have I missed any options? #5 seems like the only thing that has any
> hope of being correct, but man, that's a pain. I might be able to
> live with #3, but I need to make sure that all of our tools will live
> with the incorrect AS_PATH.
>
> Thanks,
> Ross
>
> --
> Ross Vandegrift
> ross at kallisti.us
>
> "If the fight gets hot, the songs get hotter. If the going gets tough,
> the songs get tougher."
>         --Woody Guthrie
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ross at kallisti.us Wed Jan 6 10:32:57 2010
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 6 Jan 2010 10:32:57 -0500
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <323aca891001060705i7493e75cje1186290b8077eea@mail.gmail.com>
References: <20100106142806.GA16336@kallisti.us> <323aca891001060705i7493e75cje1186290b8077eea@mail.gmail.com>
Message-ID: <20100106153257.GB16336@kallisti.us>

On Wed, Jan 06, 2010 at 04:05:15PM +0100, Pavel Skovajsa wrote:
> Hi Ross,
> VRF route leaking is somewhat complex stuff - there appears to be
> scattered documentation about it around the Cisco site - see for example
> http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srbgprid.html
>
> What we do to dynamically leak routing from one VRF to another is to do
> it with eBGP. Simply make an eBGP session between the VRFs (e.g. create
> a Loopback for each VRF) and send the routes across - see
> http://forum.nil.com/viewtopic.php?f=10&t=59&sid=9c8b6a132bfdbfd0794b69b573b1914c&start=10
>
> Another alternative is to put the routes into the VRF BGP table and leak
> them with "route-target import" - see
> http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

Unfortunately, BGP doesn't work in my case since I'm trying to leak VRF routes into the global table. BGP requires that all routes be leaked between VRFs, since the BGP routes need to be matching types of NLRIs - a route from a VRF has a different SAFI than an IPv4 route from the global table.

If there is a way to do this without duplicating the static routes as in your third link above, I'd love to know about it! If I move the global table into a VRF, I then have the problem that I can't fix the AS path since my platform doesn't support as-override.

> To take a somewhat intelligent approach I suggest reading about the
> "Common services VRF" in "MPLS and VPN Architectures" by Ivan
> Pepelnjak and Jim Guichard - a great set of books not only about
> MPLS.

That's the weird thing about this installation - there is no MPLS or VPN here. No interfaces even have MPLS enabled. I'm strictly using the multi-VRF CE functionality to provide separate routing tables.

This installation should really be solved with a virtual router, but it's stuck on IOS for the time being and the VRFs do the job nicely. But I'm finding that it's really hard to get the routes into BGP.

Ross

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
        --Woody Guthrie

From bgalvez at gmail.com Wed Jan 6 11:03:00 2010
From: bgalvez at gmail.com (Benjamín Gálvez)
Date: Wed, 6 Jan 2010 13:03:00 -0300
Subject: [c-nsp] Cisco 2801 full bgp multihome
Message-ID:

Hi,

Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers, multihomed)?

Best regards
Benjamín

From sethm at rollernet.us Wed Jan 6 11:10:28 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 06 Jan 2010 08:10:28 -0800
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To:
References:
Message-ID: <4B44B5F4.1040103@rollernet.us>

Benjamín Gálvez wrote:
> Hi,
>
> Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers,
> multihomed)?
>

From a 2811:

              Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor 44D83EB0   711442768   276400392   435042376   419450504   411444364
      I/O 3F400000    12582912     5747024     6835888     6489104     6812348

So, probably not.

~Seth

From jshearer at amedisys.com Wed Jan 6 11:13:45 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Wed, 6 Jan 2010 10:13:45 -0600
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To:
References:
Message-ID:

No way Jose. You will start fragging. I would recommend no less than 512 to receive full tables.

Outside of memory the 2801 is not going to be a very good platform to accept full tables on. Any major routing update is going to choke the platform. How big are the circuits you are landing from each provider?

What are you trying to accomplish? Outbound load sharing? Inbound? How many /24 prefixes do you have to advertise?

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
Sent: Wednesday, January 06, 2010 10:03 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2801 full bgp multihome

Hi,

Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers, multihomed)?

Best regards
Benjamín

*** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. ***

From bgalvez at gmail.com Wed Jan 6 11:36:09 2010
From: bgalvez at gmail.com (Benjamín Gálvez)
Date: Wed, 6 Jan 2010 13:36:09 -0300
Subject: [c-nsp] Fwd: Cisco 2801 full bgp multihome
In-Reply-To:
References:
Message-ID:

Hi,

In Spanish (translated):

The idea is to connect the company (a bank) to two ISPs (service providers) via BGP in full mode in order to have outbound and inbound load balancing. Both links are 10 Mb, and the company has a single /24 prefix to announce and its own ASN. The idea is to achieve redundancy for outbound Internet access and also inbound for customer access.

The "default route" option forces me to use one link and leave the other passive (standby).

Both ISPs would install a Cisco 2801 router, but with 256 MB.

The question is: would the 2801 router work for me with 512 MB, or do I need to replace it with another router with better performance? Both ISPs talk about a 7000-series router as the "minimum".

In English

Translation pending.... Sorry

Best regards
Kind regards
Benjamín

2010/1/6 Jason Shearer
> No way Jose. You will start fragging. I would recommend no less than 512
> to receive full tables.
>
> Outside of memory the 2801 is not going to be a very good platform to
> accept full tables on. Any major routing update is going to choke the
> platform. How big are the circuits you are landing from each provider?
>
> What are you trying to accomplish? Outbound load sharing? Inbound? How
> many /24 prefixes do you have to advertise?
>
> Jason
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
> Sent: Wednesday, January 06, 2010 10:03 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 2801 full bgp multihome
>
> Hi,
>
> Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers,
> multihomed)?
>
> Best regards
> Benjamín
>

From jshearer at amedisys.com Wed Jan 6 11:50:15 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Wed, 6 Jan 2010 10:50:15 -0600
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To:
References:
Message-ID:

Ben,

Not going to be able to load balance inbound as you only have a single /24 to advertise (this is the minimum prefix that will make it to the NAP). Outbound you should be good....just note that you will experience asymmetric routing (in one, out the other).

I have used 28xx routers for full tables before and it will be good when the going is good but very bad when the going gets bad. If you are going to use an ISR I would recommend a 3825 at a minimum (two would be better). Convergence will be much faster.

A better alternative if you are strapped for cash may be to just accept defaults. Make your backup connection smaller but have it contracted to grow or burst if you experience problems with the primary.

Jason

>>>Translation<<<

You will not be able to balance the inbound load, since you only have a single /24 to announce (this is the minimum prefix that will make it to the NAP). Outbound should be fine.... Just keep in mind that you will experience asymmetric routing (in one, out the other).

I have used 28xx routers for full tables before, and it will be fine when things are good but very bad when things go bad. If you are going to use an ISR I would recommend a 3825 at a minimum (two would be better). Convergence will be much faster.

A better alternative if you are strapped for cash may be simply to accept defaults. Make the backup connection smaller, but have it contracted to grow or burst if you have problems with the primary.
From: Benjamín Gálvez [mailto:bgalvez at gmail.com]
Sent: Wednesday, January 06, 2010 10:35 AM
To: Jason Shearer
Subject: Re: [c-nsp] Cisco 2801 full bgp multihome

Jason,

In Spanish (translated):

The idea is to connect the company (a bank) to two ISPs (service providers) via BGP in full mode in order to have outbound and inbound load balancing. Both links are 10 Mb, and the company has a single /24 prefix to announce and its own ASN. The idea is to achieve redundancy for outbound Internet access and also inbound for customer access.

The "default route" option forces me to use one link and leave the other passive (standby).

Both ISPs would install a Cisco 2801 router, but with 256 MB.

The question is: would the 2801 router work for me with 512 MB, or do I need to replace it with another router with better performance? Both ISPs talk about a 7000-series router as the "minimum".

In English

Translation pending.... Sorry

Benjamín

2010/1/6 Jason Shearer
> No way Jose. You will start fragging. I would recommend no less than 512 to receive full tables.
>
> Outside of memory the 2801 is not going to be a very good platform to accept full tables on. Any major routing update is going to choke the platform. How big are the circuits you are landing from each provider?
>
> What are you trying to accomplish? Outbound load sharing? Inbound? How many /24 prefixes do you have to advertise?
>
> Jason
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
> Sent: Wednesday, January 06, 2010 10:03 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 2801 full bgp multihome
>
> Hi,
>
> Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers, multihomed)?
>
> Best regards
> Benjamín

From cayers at ena.com Wed Jan 6 11:57:39 2010
From: cayers at ena.com (Cory Ayers)
Date: Wed, 6 Jan 2010 10:57:39 -0600
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <20100106142806.GA16336@kallisti.us>
References: <20100106142806.GA16336@kallisti.us>
Message-ID:

Hi Ross,

> Hi everyone,
>
> I have a multi-VRF CE setup that is used to provide a different
> forwarding path for two groups of VLANs (one group has a layer 2
> firewall in front of it, the other does not).
>
> Each VRF has a physical interface uplinking to the global table and a
> default pointing out of that interface. The global table uplinks to
> the rest of the network and carries a full BGP view. All three tables
> have an OSPF instance. I'm trying to move these routes out of OSPF
> into iBGP, and IOS seems intent on foiling me.
>

Have you looked at using two interfaces to loop traffic with one interface in the global table and one in the VRF? You could run two different OSPF processes to transport routes between them, assuming you only need a default inside the VRF. I haven't needed to get this to work with iBGP, but if that is a requirement you will need an IOS capable of per-VRF Router ID to peer on the same router. (http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srbgprid.html)

Off the cuff configuration example. These two interfaces would need to be crossed over, but I'm assuming you have plenty of port density on a 6500.

interface GigabitEthernet2/15
 description Loop entering VRF
 mac-address 020x.xxxx.xx0e
 ip address 172.23.254.1 255.255.255.252
!
interface GigabitEthernet2/16
 description Loop leaving VRF
 mac-address 020x.xxxx.xx0f
 ip vrf forwarding VRFname
 ip address 172.23.254.2 255.255.255.252
!
router ospf 215
 network 172.23.254.1 0.0.0.0 area 0
 default-information originate
!
router ospf 216 vrf VRFname
 network 172.23.254.2 0.0.0.0 area 0

From Charles.Church at harris.com Wed Jan 6 11:12:56 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Wed, 6 Jan 2010 11:12:56 -0500
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To:
References:
Message-ID: <290EF89F13F04F4E924BB235A46D18F108C64936B3@MLBMXUS2.cs.myharris.net>

No. My 2821 running 12.4 mainline has 2 peers and about 350 MB in use for everything. 512 really should be the minimum.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
Sent: Wednesday, January 06, 2010 11:03 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2801 full bgp multihome

Hi,

Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers, multihomed)?

Best regards
Benjamín

From ross at kallisti.us Wed Jan 6 12:05:53 2010
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 6 Jan 2010 12:05:53 -0500
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To:
References: <20100106142806.GA16336@kallisti.us>
Message-ID: <20100106170553.GA17269@kallisti.us>

On Wed, Jan 06, 2010 at 10:57:39AM -0600, Cory Ayers wrote:
> Have you looked at using two interfaces to loop traffic with one
> interface in the global table and one in the VRF? You could run two
> different OSPF processes to transport routes between them, assuming you
> only need a default inside the VRF.

Yep, that's the key - it just hit me: run two OSPF processes in the global table, use one just for redistribution of routes into iBGP and the other for my actual IGP.

Thanks,
Ross

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
        --Woody Guthrie

From kenny.sallee at gmail.com Wed Jan 6 13:04:37 2010
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Wed, 6 Jan 2010 10:04:37 -0800
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <20100106170553.GA17269@kallisti.us>
References: <20100106142806.GA16336@kallisti.us> <20100106170553.GA17269@kallisti.us>
Message-ID: <4a80ecce1001061004x26812a49k968ca0d2cd6fda28@mail.gmail.com>

On Wed, Jan 6, 2010 at 9:05 AM, Ross Vandegrift wrote:
> On Wed, Jan 06, 2010 at 10:57:39AM -0600, Cory Ayers wrote:
> > Have you looked at using two interfaces to loop traffic with one
> > interface in the global table and one in the VRF? You could run two
> > different OSPF processes to transport routes between them, assuming you
> > only need a default inside the VRF.
>
> Yep, that's the key - it just hit me: run two OSPF processes
> in the global table, use one just for redistribution of routes into
> iBGP and the other for my actual IGP.
>
> Thanks,
> Ross
>

My .02 is that you should put everything in VRFs (even the global table) and use route-target import/export and import maps (if required) to control routing domains.

Question - can you use 'neighbor allowas-in' instead of as-override? I'm not sure why your BGP AS-PATH was wrong in scenario #3 above - but I'm using that in a very similar scenario in my lab to solve the problem of having the same eBGP AS used at 2 different sites connected to 2 different PE routers. BGP won't advertise a path it receives with its own ASN in the path.

http://www.cisco.com/en/US/docs/ios/12_3t/mpls/command/reference/mp_n5gt.html#wp1007547

Kenny

From v.jones at networkingunlimited.com Wed Jan 6 14:57:39 2010
From: v.jones at networkingunlimited.com (Vincent C Jones) Date: Wed, 06 Jan 2010 14:57:39 -0500 Subject: [c-nsp] Cisco 2801 full bgp multihome In-Reply-To: References: <"A FD31EAF2DD7F346AA17E164615555B0321B333B"@SVR-AMED-MAIL01.amedisys.com> <"a01aa eac1001060835o1bdc31fdt9c4a0306bd986427"@mail.gmail.com> Message-ID: <1262807859.17745.29.camel@X61.NetworkingUnlimited.nul> One trick I've used where resources are tight is to "take" full routes, but filter them so that I only accept "local" (short AS path) and a few key indicator prefixes (typically out of country root DNS server subnets). The indicator prefixes are used to drive a conditional default route (use this ISP as default only if it appears to be well connected) while the number of ASN's allowed in "local" prefixes can be adjusted to control the number accepted. Note that this only impacts traffic going out from you. Inbound traffic is a separate issue. With only a single /24, your inbound load balancing options are limited. Depending on the connectivity of your upstreams and who your users are talking to, you may also see lots of asymmetric routing. Good luck and have fun! -- Vincent C. Jones Networking Unlimited, Inc. Phone: +1 201 568-7810 V.Jones at NetworkingUnlimited.com On Wed, 2010-01-06 at 10:50 -0600, Jason Shearer wrote: > Ben, > > Not going to be able to load balance inbound as you only have a single /24 to advertise (this is the minimum prefix that will make it to the NAP). Outbound you should be good....just note that you will experience asymmetric routing (in one out the other). > > I have used 28xx routers for full tables before and it will be good when the going is good but very bad when the going gets bad. If you are going to use an ISR I would recommend a 3825 at a minimum (two would be better). Convergence will be much faster. > > A better alternative if you are strapped for cash may be to just accept defaults. 
> Make your backup connection smaller but have it contracted to grow or burst
> if you experience problems with the primary.
>
> Jason
>
> >>>Translation<<<
>
> You will not be able to balance inbound load, since you only have a single
> /24 to announce (this is the minimum prefix that will make it to the NAP).
> Outbound should be fine.... Just keep in mind that you will experience
> asymmetric routing (in one, out the other).
>
> I have used 28xx routers for full tables before and it will be good when
> things are good, but very bad when things get bad. If you are going to use
> an ISR I would recommend a 3825 at a minimum (two would be better).
> Convergence will be much faster.
>
> A better alternative if you are strapped for cash may be to simply accept
> defaults. Make the backup connection smaller, but have it contracted to
> grow or burst if you have problems with the primary.
>
>
> From: Benjamín Gálvez [mailto:bgalvez at gmail.com]
> Sent: Wednesday, January 06, 2010 10:35 AM
> To: Jason Shearer
> Subject: Re: [c-nsp] Cisco 2801 full bgp multihome
>
> Jason,
>
> In Spanish
>
> The idea is to connect the company (a bank) to two ISPs (service providers)
> via BGP in full-table mode, to get both outbound and inbound load balancing.
> Both links are 10Mb, and the company has a single /24 prefix to announce
> and its own ASN.
> The idea is to get redundancy for outbound Internet access and also for
> inbound customer access.
>
> The "default route" option forces me to use one link and leave the other
> passive (standby).
>
> Both ISPs will install Cisco 2801 routers, but with 256Mb.
>
> The question is: will a 2801 with 512Mb do the job, or do I need to replace
> it with a router with better performance?
> Both ISPs talk about a 7000-series router as the "minimum".
>
> In English
>
> Pending translation....
> Sorry
>
> Benjamín
> 2010/1/6 Jason Shearer
>
> No way Jose. You will start fragging. I would recommend no less than 512 to
> receive full tables.
>
> Outside of memory the 2801 is not going to be a very good platform to accept
> full tables on. Any major routing update is going to choke the platform.
> How big are the circuits you are landing from each provider?
>
> What are you trying to accomplish? Outbound load sharing? Inbound? How many
> /24 prefixes do you have to advertise?
>
> Jason
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
> Sent: Wednesday, January 06, 2010 10:03 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 2801 full bgp multihome
>
> Hi,
>
> Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers,
> multihome)?
>
> Best regards
> Benjamín
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> *** NOTICE--The attached communication contains privileged and confidential
> information. If you are not the intended recipient, DO NOT read, copy, or
> disseminate this communication. Non-intended recipients are hereby placed on
> notice that any unauthorized disclosure, duplication, distribution, or
> taking of any action in reliance on the contents of these materials is
> expressly prohibited. If you have received this communication in error,
> please delete this information in its entirety and contact the Amedisys
> Privacy Hotline at 1-866-518-6684. Also, please immediately notify the
> sender via e-mail that you have received this communication in error. ***

From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 6 Jan 2010 12:20:47 -0800
Subject: [c-nsp] Cisco 2801 full bgp multihome
References: <"AFD31EAF2DD7F346AA17E164615555B0321B333B"@SVR-AMED-MAIL01.amedisys.com> <"a01aa eac1001060835o1bdc31fdt9c4a0306bd986427"@mail.gmail.com> <1262807859.17745.29.camel@X61.NetworkingUnlimited.nul>
Message-ID: <019001ca8f0d$c3839dd0$2408120a@am.thmulti.com>

This is a good approach, another is to filter the length of prefixes you
install and set up some floating static defaults.

You could filter against a prefix list for something like

ip prefix-list not-to-specific seq 5 permit 0.0.0.0/0 le X

where X depends on how finely you wish to filter. In most full feeds you'd
take a /24 or shorter but in your case you can't do this due to memory
concerns. You could try /20 or shorter, /19 etc. until you meet your memory
requirements. Simply by filtering shorter than /24 you'll gain a lot of
mileage. Of course your ability to control outbound traffic deteriorates the
more heavily you filter but them's the breaks when memory is a concern.

On the inbound side with a single /24 you won't have a lot of flexibility.
You'll hit issues for example if upstream carriers filter shorter than /24
and only pick up your provider's parent block. If your upstreams have good
community options you can control announcements of your block a bit more.
For example, in the case of XO you can trigger prepends to specific major
peers allowing you to pad say AS 701 more heavily but leave other networks
untouched. Depends on what knobs your carrier gives you to twiddle.
There's also local pref but that's non-transitive.

----- Original Message -----
From: "Vincent C Jones"
To: "Jason Shearer"
Cc:
Sent: Wednesday, January 06, 2010 11:57 AM
Subject: Re: [c-nsp] Cisco 2801 full bgp multihome

> One trick I've used where resources are tight is to "take" full routes,
> but filter them so that I only accept "local" (short AS path) and a few
> key indicator prefixes (typically out of country root DNS server
> subnets). The indicator prefixes are used to drive a conditional default
> route (use this ISP as default only if it appears to be well connected)
> while the number of ASNs allowed in "local" prefixes can be adjusted to
> control the number accepted.
>
> Note that this only impacts traffic going out from you. Inbound traffic
> is a separate issue. With only a single /24, your inbound load balancing
> options are limited. Depending on the connectivity of your upstreams and
> who your users are talking to, you may also see lots of asymmetric
> routing.
>
> Good luck and have fun!
> --
> Vincent C. Jones
> Networking Unlimited, Inc.
> Phone: +1 201 568-7810
> V.Jones at NetworkingUnlimited.com
>
> On Wed, 2010-01-06 at 10:50 -0600, Jason Shearer wrote:
>> Ben,
>>
>> Not going to be able to load balance inbound as you only have a single
>> /24 to advertise (this is the minimum prefix that will make it to the
>> NAP). Outbound you should be good....just note that you will experience
>> asymmetric routing (in one out the other).
>>
>> I have used 28xx routers for full tables before and it will be good when
>> the going is good but very bad when the going gets bad. If you are going
>> to use an ISR I would recommend a 3825 at a minimum (two would be
>> better). Convergence will be much faster.
>>
>> A better alternative if you are strapped for cash may be to just accept
>> defaults. Make your backup connection smaller but have it contracted to
>> grow or burst if you experience problems with the primary.
>>
>> Jason
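The two import policies from Scott's and Vince's messages side by side, as an added example that is not code from any of the list posts: it runs Scott's prefix-length filter (`permit 0.0.0.0/0 le X`) and Vince's short-AS-path-plus-indicator-prefix filter over a constructed feed and adds the conditional-default decision Vince describes. All ASNs, prefixes and the indicator subnet are constructed, and the `track ... reachability` mapping in the comment is my assumption about the IOS counterpart, not something the posts state.

```python
"""Compare the two memory-saving BGP import policies from this thread on a
constructed feed: a prefix-length filter ('permit 0.0.0.0/0 le X') and a
short-AS-path filter plus indicator prefixes driving a conditional default.
Added example; not code from any of the posts. All ASNs and prefixes are
made up (documentation and shared-address ranges)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One path learned from the upstream: prefix plus AS_PATH, nearest AS first."""
    prefix: str
    as_path: tuple


# Constructed feed as received from upstream AS 64500.  AS 64510 is another
# customer of that upstream announcing /24s from its own address space (not
# the upstream's aggregate); 198.51.100.0/24 stands in for a far-away root
# DNS subnet used purely as a reachability indicator.
SAMPLE_FEED = [
    Route("100.64.0.0/16",   (64500,)),                      # upstream's own aggregate
    Route("100.64.0.0/20",   (64500,)),                      # upstream's more-specific
    Route("203.0.113.0/24",  (64500, 64510)),                # upstream's other customer
    Route("192.0.2.0/24",    (64500, 64510, 64510)),         # same customer, prepended once
    Route("100.80.0.0/13",   (64500, 64530)),                # large block behind a peer
    Route("100.96.0.0/22",   (64500, 64530, 64540)),         # three ASNs away
    Route("198.51.100.0/24", (64500, 64530, 64540, 64550)),  # indicator prefix, far away
    Route("100.128.0.0/19",  (64500, 64530, 64560, 64570)),  # four ASNs away
]
INDICATORS = frozenset({"198.51.100.0/24"})


def prefix_length_filter(feed, max_len):
    """Scott's policy: 'ip prefix-list ... permit 0.0.0.0/0 le max_len'.
    Everything more specific than /max_len is rejected, whoever originates it."""
    return [r for r in feed
            if ipaddress.ip_network(r.prefix).prefixlen <= max_len]


def local_path_filter(feed, max_asns, indicators=INDICATORS):
    """Vince's policy: keep 'local' routes (at most max_asns distinct ASNs in
    the path, so a prepended nearby customer still counts as local) plus the
    indicator prefixes, whatever their length."""
    return [r for r in feed
            if len(set(r.as_path)) <= max_asns or r.prefix in indicators]


def conditional_default(accepted, indicators=INDICATORS):
    """Use this upstream as default only while every indicator prefix is still
    learned from it.  When they vanish, the floating static default toward the
    other upstream takes over.  (Assumed IOS counterpart: a static default tied
    to an object of the form 'track <n> ip route <prefix> reachability'.)"""
    seen = {r.prefix for r in accepted}
    return all(p in seen for p in indicators)


def compare(feed, max_len, max_asns):
    """Summarise what each policy installs and which prefixes it throws away."""
    kept_by_len = {r.prefix for r in prefix_length_filter(feed, max_len)}
    by_path = local_path_filter(feed, max_asns)
    kept_by_path = {r.prefix for r in by_path}
    return {
        "feed_size": len(feed),
        "prefix_len_kept": len(kept_by_len),
        "prefix_len_dropped": [r.prefix for r in feed if r.prefix not in kept_by_len],
        "local_path_kept": len(kept_by_path),
        "local_path_dropped": [r.prefix for r in feed if r.prefix not in kept_by_path],
        "default_via_upstream": conditional_default(by_path),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_FEED, max_len=20, max_asns=2).items():
        print(f"{key:>22}: {value}")
    # Simulate the upstream losing its far-away connectivity: the indicator
    # disappears, so the conditional default toward it is withdrawn.
    degraded = [r for r in SAMPLE_FEED if r.prefix not in INDICATORS]
    print("default after indicator loss:",
          conditional_default(local_path_filter(degraded, max_asns=2)))
```

With `le 20` the length filter discards the upstream's other customer's /24s along with the far-away indicator, while the AS-path filter keeps the nearby customer and still shrinks the table; that is the trade-off the rest of the thread turns on.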

From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Wed, 06 Jan 2010 15:31:58 -0500
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To: <019001ca8f0d$c3839dd0$2408120a@am.thmulti.com>
References: <"a01aa eac1001060835o1bdc31fdt9c4a0306bd986427"@mail.gmail.com> <1262807859.17745.29.camel@X61.NetworkingUnlimited.nul> <019001ca8f0d$c3839dd0$2408120a@am.thmulti.com>
Message-ID: <1262809919.17745.37.camel@X61.NetworkingUnlimited.nul>

Scott,

Careful... filtering on prefix length will block the very "local" prefixes
you are probably most interested in--the prefixes of the upstreams' other
customers who may be advertising a /24 not in that upstream's address space.

Vince
--
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com

On Wed, 2010-01-06 at 12:20 -0800, Scott Granados wrote:

From: razor at meganet.net (P.A)
Date: Wed, 6 Jan 2010 14:41:21 -0500
Subject: [c-nsp] cisco frame-relay termination without a frame switch
Message-ID: <017f01ca8f08$398a3670$ac9ea350$@net>

Hi, we have a frame-relay switch that is no longer working. We have 28 T1s
on a channelized T3. I was wondering if anyone knows how and if it's possible
to terminate frame lines on a Cisco, either a 7200 or 6500, without a frame
switch. I followed the example here,
http://www.ciscopress.com/articles/article.asp?p=170741&seqNum=7
but this will not work for me as it assumes you have 2 different frame-relay
circuits on two different T1 ports. I'm using a PA MC T# card and I also
tried creating sub-interfaces off the T1 channel, but when I use the
frame-relay route command it gives me an error that both DLCIs are on the
same interface. All I'm trying to do is terminate a frame-relay on a Cisco
without a frame-relay switch. If this is possible could someone give me an
example or point me in that direction.

thanks!
paul

From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 6 Jan 2010 12:36:26 -0800
Subject: [c-nsp] Cisco 2801 full bgp multihome
References: <"a01aa eac1001060835o1bdc31fdt9c4a0306bd986427"@mail.gmail.com> <1262807859.17745.29.camel@X61.NetworkingUnlimited.nul> <019001ca8f0d$c3839dd0$2408120a@am.thmulti.com> <1262809919.17745.37.camel@X61.NetworkingUnlimited.nul>
Message-ID: <01ae01ca8f0f$f1fd9650$2408120a@am.thmulti.com>

Right, which is why you'd need your floating default statics and why you
should tag internal prefixes differently. Tagging customer routes with one
community say and your learned transit routes as another is a good idea.
Your internal more specifics could be tagged and marked no-export so you're
able to engineer as needed inside your network.

----- Original Message -----
From: "Vincent C Jones"
To: "Scott Granados"
Cc: "Jason Shearer" ;
Sent: Wednesday, January 06, 2010 12:31 PM
Subject: Re: [c-nsp] Cisco 2801 full bgp multihome

From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 6 Jan 2010 12:46:25 -0800
Subject: [c-nsp] Question about EOL Pix licenses?
Message-ID: <01c501ca8f11$54698d20$2408120a@am.thmulti.com>

Hi,

I have an old Pix 501 with a 50 host limit. I'd like to buy the unlimited
host option and have a new key generated to unlock that feature but the
product is of course EOL. Is there any way to obtain / pay for these
licenses or am I just out of luck and should just buy newer hardware? What
are my options if any?

Thank you
Scott

From: mail4hh at pobox.com (Hector Herrera)
Date: Wed, 6 Jan 2010 12:55:16 -0800
Subject: [c-nsp] Bug ID CSCsv50653
Message-ID:

I don't have access to the bug toolkit. Could someone please send the
details on this bug: CSCsv50653

I want to know if it is affecting my load-balancing setup.

Thank you
--
Hector

From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Wed, 6 Jan 2010 12:58:43 -0800
Subject: [c-nsp] Question about EOL Pix licenses?
In-Reply-To: <01c501ca8f11$54698d20$2408120a@am.thmulti.com>
References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com>
Message-ID: <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan>

Absolutely.... not. I've got about 100 of them deployed and wanted to do the
same. The VARs aren't allowed to sell any more PAKs for those devices.
However, by amazing coincidence, they *do* have 5500s for sale to replace
your gear.

Mike
--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Wednesday, January 06, 2010 12:46 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Question about EOL Pix licenses?
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 6 Jan 2010 13:24:05 -0800
Subject: [c-nsp] Question about EOL Pix licenses?
References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan>
Message-ID: <01eb01ca8f16$988dc200$2408120a@am.thmulti.com>

That's exactly what happened to me, tried to unload an ASA 5505 on me.

----- Original Message -----
From: "Michael K. Smith - Adhost"
To: "Scott Granados" ;
Sent: Wednesday, January 06, 2010 12:58 PM
Subject: RE: [c-nsp] Question about EOL Pix licenses?

Absolutely.... not. I've got about 100 of them deployed and wanted to do the same. The VARs aren't allowed to sell any more PAKs for those devices. However, by amazing coincidence, they *do* have 5500s for sale to replace your gear.

Mike

[...]

From sethm at rollernet.us Wed Jan 6 16:32:50 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 06 Jan 2010 13:32:50 -0800
Subject: [c-nsp] Question about EOL Pix licenses?
In-Reply-To: <01eb01ca8f16$988dc200$2408120a@am.thmulti.com>
References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan> <01eb01ca8f16$988dc200$2408120a@am.thmulti.com>
Message-ID: <4B450182.5080506@rollernet.us>

Scott Granados wrote:
> That's exactly what happened to me, tried to unload an ASA 5505 on me.

Ah, the joys of licensing. This is why I get paranoid about IOS licensing. I have some rather old hardware that's still in production because it keeps on working just fine.

~Seth

From jshearer at amedisys.com Wed Jan 6 16:55:00 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Wed, 6 Jan 2010 15:55:00 -0600
Subject: [c-nsp] Bug ID CSCsv50653
In-Reply-To:
References:
Message-ID:

After reload, 3550 does not load share

Symptom: A 3550 was reloaded. After it came back online, it was no longer load-sharing correctly out of its two uplinks (g0/1 + g0/2). All of the traffic was only going out one uplink.

Workaround: Performed "shut" and "no shut" on the interface. Load sharing would come back on these two links.

Status: Fixed (Verified)
Severity: 3 - moderate
Product: Cisco IOS software
Technology:
1st Found-In: 12.2(35)SE
Known Affected Versions:
Fixed-In: 12.2(50)SE, 12.2(50)SE1
Component(s): ospf

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hector Herrera
Sent: Wednesday, January 06, 2010 2:55 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Bug ID CSCsv50653

I don't have access to the bug toolkit. Could someone please send the details on this bug: CSCsv50653 [...]

From jeff-kell at utc.edu Wed Jan 6 17:03:05 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 06 Jan 2010 17:03:05 -0500
Subject: [c-nsp] Bug ID CSCsv50653
In-Reply-To:
References:
Message-ID: <4B450899.4030801@utc.edu>

On 1/6/2010 4:55 PM, Jason Shearer wrote:
> After reload, 3550 does not load share
>
> 1st Found-In
> 12.2(35)SE
> Known Affected Versions
>
> Fixed-In
> 12.2(50)SE
> 12.2(50)SE1

Well, that's a major crock-o-stuff, as 12.2(46)SE6 is the last officially supported/provided IOS release for that platform (other than the DC version).

Jeff

From sgranger at randfinancial.com Wed Jan 6 16:27:43 2010
From: sgranger at randfinancial.com (Sean Granger)
Date: Wed, 06 Jan 2010 15:27:43 -0600
Subject: [c-nsp] Question about EOL Pix licenses?
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan>
References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan>
Message-ID: <4B44ABEF020000D900006072@mail.randfinancial.com>

If you reeeeeally want to do it on the cheap.
You could see what the trade value might be worth with a grey market vendor for a 501 w/ unlimited.
Or, you could just get a 506E w/ unlimited for around 200 in the open market ...

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Wednesday, January 06, 2010 12:46 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Question about EOL Pix licenses?
>
> I have an old Pix 501 with a 50 host limit. I'd like to buy the unlimited host option and have a new key generated to unlock that feature but the product is of course EOL. [...]

From gsgranados at comcast.net Wed Jan 6 17:14:27 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 6 Jan 2010 14:14:27 -0800
Subject: [c-nsp] Question about EOL Pix licenses?
References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan> <4B44ABEF020000D900006072@mail.randfinancial.com>
Message-ID: <02ef01ca8f1d$a24bf170$2408120a@am.thmulti.com>

Now that's a good idea. Thanks

----- Original Message -----
From: "Sean Granger"
To:
Sent: Wednesday, January 06, 2010 1:27 PM
Subject: Re: [c-nsp] Question about EOL Pix licenses?

> If you reeeeeally want to do it on the cheap.
> You could see what the trade value might be worth with a grey market vendor for a 501 w/ unlimited.
> Or, you could just get a 506E w/ unlimited for around 200 in the open market ...
>
> [...]

From mail4hh at pobox.com Wed Jan 6 17:47:15 2010
From: mail4hh at pobox.com (Hector Herrera)
Date: Wed, 6 Jan 2010 14:47:15 -0800
Subject: [c-nsp] Bug ID CSCsv50653
In-Reply-To: <4B450899.4030801@utc.edu>
References: <4B450899.4030801@utc.edu>
Message-ID:

On Wed, Jan 6, 2010 at 2:03 PM, Jeff Kell wrote:
> On 1/6/2010 4:55 PM, Jason Shearer wrote:
>> After reload, 3550 does not load share
>>
>> 1st Found-In
>> 12.2(35)SE
>> Known Affected Versions
>>
>> Fixed-In
>> 12.2(50)SE
>> 12.2(50)SE1
>
> Well, that's a major crock-o-stuff, as 12.2(46)SE6 is the last officially supported/provided IOS release for that platform (other than the DC version).
>
> Jeff

Yes, that is quite ugly.

I'm currently using 12.2(50)SE3 on a 3550-12T and the only difficulty that I have run into is a high (>90%) CPU load when total throughput on the load-balanced links reaches 200 Mbps.

I am curious to find out if the high CPU load is caused by some incompatibility between 12.2(50)SE3 and the 3550-12T (since the version is not officially supported on the platform). However, this bug (no load sharing after reload) is making me think twice about testing 12.2(46)SE6. On the other hand, the bug fix for this issue could be the reason for the high CPU load ....

Out of curiosity, is anybody here using a 3550 to route more than 200 Mbps (at about 40,000 packets per second forwarding rate)? I would be interested in comparing CPU loads with or without load-sharing.

Thank you for all the copies of the bug that I received (both to the list and privately).

-- 
Hector Herrera

From listensammler at gmx.de Wed Jan 6 18:42:29 2010
From: listensammler at gmx.de (listensammler at gmx.de)
Date: Thu, 07 Jan 2010 00:42:29 +0100
Subject: [c-nsp] understanding ping ipv6 output
In-Reply-To: <4B43D500.3050306@cisco.com>
References: <4B40EE7A.8060200@gmx.de> <4B410022.8040508@forthnet.gr> <4B43D500.3050306@cisco.com>
Message-ID: <4B451FE5.1080708@gmx.de>

Thanks for your replies.
Okay, C stands for congestion.
But unfortunately, I didn't find any information about "A".

Regards,
Alex

From kenny.sallee at gmail.com Wed Jan 6 19:49:07 2010
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Wed, 6 Jan 2010 16:49:07 -0800
Subject: [c-nsp] ASR1002
Message-ID: <4a80ecce1001061649j71005d4i19e172fae2a35ac1@mail.gmail.com>

Anyone have recommendations on solid IOS XE code for ASR 1002 that's just doing:
- BGP
- VRFs
- Many sub-interfaces and ACLs

It shipped with 02.04.02.122-33.XND2.bin

Thanks,
Kenny

From jasonleblanc at gmail.com Wed Jan 6 20:10:42 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Wed, 6 Jan 2010 18:10:42 -0700
Subject: [c-nsp] Bug ID CSCsv50653
In-Reply-To: <4B450899.4030801@utc.edu>
References: <4B450899.4030801@utc.edu>
Message-ID: <441F7ED6-D0A3-432E-B6BC-432E0C568812@gmail.com>

Jeff or all,

What is the most stable current release available? Would it be the same 12.2(46)SE6? (non-DC)

Thanks,
//LeBlanc

On Jan 6, 2010, at 3:03 PM, Jeff Kell wrote:
> On 1/6/2010 4:55 PM, Jason Shearer wrote:
>> After reload, 3550 does not load share
>>
>> 1st Found-In
>> 12.2(35)SE
>> Known Affected Versions
>>
>> Fixed-In
>> 12.2(50)SE
>> 12.2(50)SE1
>
> Well, that's a major crock-o-stuff, as 12.2(46)SE6 is the last officially supported/provided IOS release for that platform (other than the DC version).
>
> Jeff

From andy.saykao at staff.netspace.net.au Wed Jan 6 20:02:48 2010
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 7 Jan 2010 12:02:48 +1100
Subject: [c-nsp] Strange SSH lag with ACL applied
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>

Hi All,

I have what seems like a trivial problem but can't figure out what's causing it.

I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x). Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs from accessing it.

What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going on with my ACL??? Why the lag for the SSH prompt to appear?

interface Vlan2
 ip address 203.12.53.aaa 255.255.255.224
 ip access-group VLAN2-FILTER-OUT out
 no ip redirects
 no ip mroute-cache
 ip ospf priority 15
 load-interval 30
 tag-switching ip
!
ip access-list extended VLAN1-FILTER-OUT
 permit ip host 203.10.110.x host 203.12.53.x
 permit ip host 203.10.110.y host 203.12.53.x
 permit ip host 203.10.110.z host 203.12.53.x
 permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
 permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
 permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
 permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
 permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
 permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
 permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
 permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
 deny ip any host 203.12.53.x
 permit ip any any

Interestingly enough when I "permit ip any" to access Host B as the very first line in the ACL, the SSH prompt is instantaneous.

permit ip any host 203.12.53.x log

I even tried permitting Host A as the very first line in the ACL like so, but no joy.

permit ip host 210.15.210.x host 203.12.53.x log

Any ideas???

Thanks.

Andy

From James.Baker at chelmer.co.nz Wed Jan 6 20:45:03 2010
From: James.Baker at chelmer.co.nz (James Baker)
Date: Thu, 7 Jan 2010 14:45:03 +1300
Subject: [c-nsp] icmp breaks ipsec tunnel
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD017D03C5@chmaexch.chelmer.co.nz>

Has anyone seen an issue where ICMP on the external interface or to an IP address which would go across an IPSec tunnel on a Cisco 877 router would cause the IPSec tunnel to reset?

i.e.:
ping external IP = tunnel drops
ping protected IP = tunnel drops
however RDP works fine across the link

ICMP is allowed both to the router and across the tunnel, I can see the ICMP hitting the router and a reply being sent

This is a 877 running 12.4-15T11 (ADVIPSERVICESK9) running ADSL (PPPoA @ MTU 1492 & MTU 1500)

Thanks

From sethm at rollernet.us Wed Jan 6 20:57:37 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 06 Jan 2010 17:57:37 -0800
Subject: [c-nsp] icmp breaks ipsec tunnel
In-Reply-To: <64396C74FCE435468BE2AF5A73F9C2FD017D03C5@chmaexch.chelmer.co.nz>
References: <64396C74FCE435468BE2AF5A73F9C2FD017D03C5@chmaexch.chelmer.co.nz>
Message-ID: <4B453F91.3080009@rollernet.us>

James Baker wrote:
> Has anyone seen an issue where ICMP on the external interface or to an IP address which would go across an IPSec tunnel on a Cisco 877 router would cause the IPSec tunnel to reset?
>
> This is a 877 running 12.4-15T11 (ADVIPSERVICESK9) running ADSL (PPPoA @ MTU 1492 & MTU 1500)

No; I'm using my 877s for DMVPN with 12.4(24)T2.

~Seth

From lesmith at ecsis.net Wed Jan 6 21:18:20 2010
From: lesmith at ecsis.net (Larry Smith)
Date: Wed, 6 Jan 2010 20:18:20 -0600
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <201001062018.20825.lesmith@ecsis.net>

On Wed January 6 2010 19:02, Andy Saykao wrote:
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x). Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going on with my ACL??? Why the lag for the SSH prompt to appear?
>
> interface Vlan2
>  ip address 203.12.53.aaa 255.255.255.224
>  ip access-group VLAN2-FILTER-OUT out
> [...]
> ip access-list extended VLAN1-FILTER-OUT
> [...]
>  deny ip any host 203.12.53.x
>  permit ip any any
>
> [...]
>
> I even tried permitting Host A as the very first line in the ACL like so, but no joy.
>
> permit ip host 210.15.210.x host 203.12.53.x log

Possibly a "typo" but your ACL says it is named VLAN1-FILTER-OUT (note VLAN1) and you are applying an ACL named VLAN2-FILTER-OUT

In your second try (permit ip host 210.15.210.x host 203.12.53.x log) what did the log entries say??

-- 
Larry Smith
lesmith at ecsis.net

From andy.saykao at staff.netspace.net.au Wed Jan 6 22:20:00 2010
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 7 Jan 2010 14:20:00 +1100
Subject: [c-nsp] [Resolved] Strange SSH lag with ACL applied
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AB090@vic-cr-ex1.staff.netspace.net.au>

Thanks to all those that replied. It was exactly a reverse DNS issue. I didn't know that SSH performed a reverse DNS lookup on the incoming IP. And silly me did not have our DNS servers in the ACL.

Cheers.

Andy

-----Original Message-----
From: Andrew Hoyos [mailto:ahoyos at xiocom.com]
Sent: Thursday, 7 January 2010 2:16 PM
To: Andy Saykao; cisco-nsp at puck.nether.net
Subject: RE: Strange SSH lag with ACL applied

From Host A, is traffic allowed to your DNS servers in your ACL? If not, the delay might be a reverse DNS lookup timing out.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao
> Sent: Wednesday, January 06, 2010 7:03 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Strange SSH lag with ACL applied
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. [...]

From brandon at burn.net Wed Jan 6 21:53:14 2010
From: brandon at burn.net (Brandon Applegate)
Date: Wed, 6 Jan 2010 21:53:14 -0500 (EST)
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID:

Sounds like your SSH server is trying to reverse resolve your IP (for logging). You can either fix your ACL to allow this DNS traffic, or there is a global config (UseDNS no) you can put in sshd_config. Worth a shot to test at least.

-- 
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."

On Thu, 7 Jan 2010, Andy Saykao wrote:
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x). Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. [...]

From ahoyos at xiocom.com Wed Jan 6 22:15:34 2010
From: ahoyos at xiocom.com (Andrew Hoyos)
Date: Wed, 6 Jan 2010 22:15:34 -0500
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID:

From Host A, is traffic allowed to your DNS servers in your ACL? If not, the delay might be a reverse DNS lookup timing out.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao
> Sent: Wednesday, January 06, 2010 7:03 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Strange SSH lag with ACL applied
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. [...]

From mcaudill at cisco.com Wed Jan 6 23:17:11 2010
From: mcaudill at cisco.com (Mike Caudill)
Date: Wed, 06 Jan 2010 23:17:11 -0500
Subject: [c-nsp] understanding ping ipv6 output
In-Reply-To: <4B451FE5.1080708@gmx.de>
References: <4B40EE7A.8060200@gmx.de> <4B410022.8040508@forthnet.gr> <4B43D500.3050306@cisco.com> <4B451FE5.1080708@gmx.de>
Message-ID: <4B456047.9080801@cisco.com>

On 1/6/10 6:42 PM, listensammler at gmx.de wrote:
> Thanks for your replies.
> Okay, C stands for congestion.
> But unfortunately, I didn't find any information about "A".
>
> Regards,
> Alex

Destination unreachable, (A)dministratively prohibited.

-Mike-

-- 
Mike Caudill
PSIRT Incident Manager
DSS PGP: 0xEBBD5271
+1.919.392.2855 / +1.919.522.4931 (cell)
http://www.cisco.com/go/psirt

From savage at savage.za.org Thu Jan 7 01:17:49 2010
From: savage at savage.za.org (Chris Knipe)
Date: Thu, 7 Jan 2010 08:17:49 +0200
Subject: [c-nsp] Cisco 3620 and WIC-1ADSL
Message-ID: <052c01ca8f61$261b1830$72514890$@za.org>

Hi,

I have a C3620 with 2 ADSL WICs inside a NM-1FE2W (which is supposed to be confirmed working). After lots of googling, I read much controversy about what is supposed to work and what not, both in terms of hardware, as well as software versions. From my understanding, I am running an IOS which is supposed to be supported. Before I upgraded (old IOS), the WIC-1ADSL cards were not detected. Now, both cards are detected, but I still do not have any ATM interfaces available.

I would appreciate it if anyone can point me in the right direction please - or, do I have an oversized paperweight here?

sh ver and sh diag below.

Many thanks,
Chris.

cpt-cc-core01#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3620-I-M), Version 12.3(21), RELEASE SOFTWARE (fc2)

cpt-cc-core01#sh diag
Slot 0:
        NM-1FE2W Port adapter, 1 port
        Port adapter is analyzed
        Port adapter insertion time unknown
        EEPROM contents at hardware discovery:
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-04796-01
        Board Revision           : F0
        Deviation Number         : 0-8707
        Fab Version              : 05
        PCB Serial Number        : JAD05350Y3U
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Product (FRU) Number     : NM-1FE2W=
        EEPROM format version 4
        EEPROM contents (hex):
          0x00: 04 FF 40 00 D7 41 01 00 C0 46 03 20 00 12 BC 01
          0x10: 42 46 30 80 00 00 22 03 02 05 C1 8B 4A 41 44 30
          0x20: 35 33 35 30 59 33 55 03 00 81 00 00 00 00 04 00
          0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

        WIC Slot 0:
        DSL SAR (ADSL)
        Hardware Revision        : 2.3
        Part Number              : 73-4771-09
        Board Revision           : C0
        Deviation Number         : 0-0
        Fab Version              : 05
        PCB Serial Number        : FOC10161M3C
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Product (FRU) Number     : PA-1C-P=
        EEPROM format version 4
        EEPROM contents (hex):
          0x00: 04 FF 40 00 2E 41 02 03 82 49 12 A3 09 42 43 30
          0x10: 80 00 00 00 00 02 05 C1 8B 46 4F 43 31 30 31 36
          0x20: 31 4D 33 43 03 00 81 00 00 00 00 04 00 FF FF FF
          0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

        WIC Slot 1:
        DSL SAR (ADSL)
        Hardware Revision        : 2.3
        Part Number              : 73-4771-08
        Board Revision           : B0
        Deviation Number         : 0-0
        Fab Version              : 05
        PCB Serial Number        : FOC07330WL9
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Product (FRU) Number     : PA-1C-P=
        EEPROM format version 4
        EEPROM contents (hex):
          0x00: 04 FF 40 00 2E 41 02 03 82 49 12 A3 08 42 42 30
          0x10: 80 00 00 00 00 02 05 C1 8B 46 4F 43 30 37 33 33
          0x20: 30 57 4C 39 03 00 81 00 00 00 00 04 00 FF FF FF
          0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

From swmike at swm.pp.se Thu Jan 7 01:35:40 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 7 Jan 2010 07:35:40 +0100 (CET)
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID:

On Thu, 7 Jan 2010, Andy Saykao wrote:
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going on with my ACL??? Why the lag for the SSH prompt to appear?

The server is most likely doing an ident lookup, if you want to speed this up, make sure you don't silent-drop packets to 113/TCP to avoid this.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From gert at greenie.muc.de Thu Jan 7 02:30:06 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 7 Jan 2010 08:30:06 +0100
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <20100107073006.GX857@greenie.muc.de>

Hi,

On Thu, Jan 07, 2010 at 12:02:48PM +1100, Andy Saykao wrote:
> I have what seems like a trivial problem but can't figure out what's
> causing it.
>
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
> Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs
> from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT ) to
> VLAN2, it takes a very long time for the SSH login prompt to appear. If
> I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
> on with my ACL??? Why the lag for the SSH prompt to appear?

Seems you've killed DNS from Host B.

Rule #1 with ACLs: if you can't figure out why it's affecting stuff, put a "deny ip any any log" at the end, and look at the log to see what is being dropped.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 07 Jan 2010 02:45:41 -0500
Subject: [c-nsp] Strange SSH lag with ACL applied
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <4B459125.8000701@ibctech.ca>

Mikael Abrahamsson wrote:
> On Thu, 7 Jan 2010, Andy Saykao wrote:
>
>> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT ) to
>> VLAN2, it takes a very long time for the SSH login prompt to appear. If
>> I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
>> on with my ACL??? Why the lag for the SSH prompt to appear?
>
> The server is most likely doing an ident lookup, if you want to speed
> this up, make sure you don't silent-drop packets to 113/TCP to avoid this.

What SSH server software does this?

I was going to state that in all recent versions of OpenSSH (at least on FreeBSD) one could change:

#UseDNS yes

...to:

UseDNS no

...in the /etc/ssh/sshd_config file.

Even though I've never done this change before, I have notified others that the option is available.

My whole-hearted recommendation would be to configure forward and rDNS for all hosts attempting to connect to the box. IPv6 inclusive.

Otherwise, the huge disheartening lag time is a non-subtle reminder that the connecting host's DNS is fscked up. If you are connecting from within RFC1918 space, it's internal, so fix it. If it's v6, fix it, or contact your ISP to fix it (if you are an SSH client trying to reach an SSH server on a remote network as an IPv6 client, in today's early v6 day-and-age, you *will* be able to find an engineer that is v6-clueful).

If it is an IPv6 DNS resolution issue with your ISP-assigned addresses, I will pretty much guarantee that they will be interested to learn about the problem. They already have v6 deployed, and nobody has done so yet without wanting and desiring feedback. If you feel that I am wrong in the statements regarding IPv6, contact me privately.

It very well could be that the SSH server is trying to do a reverse lookup on a residential client of an ISP that doesn't configure any rDNS for its resi IP blocks whatsoever. In this case, contact your ISP, and ask if they can at least generate automated reverse entries for their known 'dynamic' blocks. If they say no, ask why. If you get nothing, ask for a static IP with an rDNS entry (some ISPs will only assign statics at the /29 boundary. In cases of rDNS requirement, it may be worth paying for it).

Port 113/TCP has nothing to do with this imho. This is a DNS issue that can be resolved by the IP address supplier of the client, or at worst, be fixed at server application level as specified above.

I'm starting to feel the dpi/hijacking anger sensation for some reason. Perhaps someone will eventually create a global qinq (or its technological equivalent) specifically for the revitalization of what the Internet was meant to be ;)

...can we get back into ACL/firewall discussion now, I was thoroughly enjoying what Roland has been saying. What he says is like very expensive advice to the small net-ops who have never seen his hardware in practice ;)

Steve


From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 7 Jan 2010 08:55:37 +0100 (CET)
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To: <4B459125.8000701@ibctech.ca>
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> <4B459125.8000701@ibctech.ca>

On Thu, 7 Jan 2010, Steve Bertrand wrote:

> What SSH server software does this?

I don't know, but it seemed to fit the profile. I checked and at least my OpenSSH doesn't use this.

> UseDNS no

In this case I think your DNS proposal is the more probable diagnosis; it didn't occur to me that someone would make DNS not work on a machine by means of access list.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

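Gert's "deny ip any any log" tip and the DNS/ident diagnosis above, turned into a small log summariser (an added example, not code posted on this list): it parses IOS %SEC-6-IPACCESSLOGP lines, counts what a named ACL denied per service port, and maps the two services whose silent loss shows up as a slow login to the fixes the thread gives. The log lines and addresses are constructed; 203.12.53.10 and 210.15.210.5 stand in for Host B and Host A.

```python
"""Summarise what an IOS ACL with a trailing 'deny ip any any log' is dropping.

Added example for the SSH-lag thread above, not code posted on the list.
The log lines below are constructed in the %SEC-6-IPACCESSLOGP format; the
addresses are made up (203.0.113.0/24 and 198.51.100.0/24 are documentation
space, 203.12.53.10 / 210.15.210.5 stand in for Host B / Host A).
"""
import re
from collections import Counter

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Services whose silent loss shows up as a slow SSH login rather than a failure:
# the server waits for a timeout instead of getting an answer or a refusal.
LOGIN_SERVICES = {
    53: ("DNS", "sshd cannot reverse-resolve the client; allow DNS through the ACL "
                "or set 'UseDNS no' in sshd_config"),
    113: ("ident", "an ident lookup hangs until it times out; reject 113/TCP "
                   "instead of silently dropping it, or allow it"),
}

# Constructed syslog lines: DNS replies and an ident reply dropped on the way
# into VLAN2, one permitted SSH flow, a hit on another ACL, and an unrelated line.
SAMPLE_LOG = [
    "Jan  7 12:02:48.101 AEDT: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied udp 203.0.113.53(53) -> 203.12.53.10(40123), 2 packets",
    "Jan  7 12:02:49.220 AEDT: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT permitted tcp 210.15.210.5(51000) -> 203.12.53.10(22), 1 packet",
    "Jan  7 12:02:50.004 AEDT: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied tcp 210.15.210.5(113) -> 203.12.53.10(45001), 1 packet",
    "Jan  7 12:02:53.377 AEDT: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied udp 203.0.113.53(53) -> 203.12.53.10(40124), 1 packet",
    "Jan  7 12:02:55.000 AEDT: %SEC-6-IPACCESSLOGP: list OTHER-ACL denied udp 198.51.100.9(123) -> 203.12.53.10(123), 1 packet",
    "Jan  7 12:03:00.000 AEDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


def service_port(sport, dport):
    """Return the well-known side of a flow, so a reply (53 -> ephemeral) and a
    request (ephemeral -> 53) are counted as the same service."""
    if sport < 1024 and dport >= 1024:
        return sport
    return dport


def summarize_denies(lines, acl=None):
    """Count denied packets per (protocol, service port), optionally for one ACL.
    Lines that are not ACL log entries, or that were permitted, are ignored."""
    counts = Counter()
    for line in lines:
        m = ACL_LOG_RE.search(line)
        if not m or m.group("action") != "denied":
            continue
        if acl is not None and m.group("acl") != acl:
            continue
        port = service_port(int(m.group("sport")), int(m.group("dport")))
        counts[(m.group("proto"), port)] += int(m.group("count"))
    return dict(counts)


def login_lag_hints(summary):
    """Map the denied services to the explanation from the thread, busiest first.
    Returns (port, message) pairs; an empty list means the ACL is not the cause."""
    hints = []
    for (proto, port), packets in sorted(summary.items(), key=lambda kv: -kv[1]):
        if port in LOGIN_SERVICES:
            name, advice = LOGIN_SERVICES[port]
            hints.append((port, f"{name}: {packets} {proto} packet(s) dropped; {advice}"))
    return hints


if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG, acl="VLAN2-FILTER-OUT")
    for (proto, port), packets in summary.items():
        print(f"{proto}/{port}: {packets} denied")
    for _, hint in login_lag_hints(summary):
        print(hint)
```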
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 7 Jan 2010 09:07:23 -0000
Subject: [c-nsp] Finding the serial numbers of cisco devices
Message-ID: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>

Hi, please help me. I have approximately hundreds of Cisco routers and switches. I want to find out the serial numbers for AMC. Can anybody help me find them out in a single stretch?

Thanks, bye.


From: nick at inex.ie (Nick Hilliard)
Date: Thu, 07 Jan 2010 10:26:30 +0000
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <4B45B6D6.6040802@inex.ie>

On 07/01/2010 09:07, ambedkar wrote:
> Hi, please help me. I have approximately hundreds of Cisco routers
> and switches. I want to find out the serial numbers for AMC. Can anybody
> help me find them out in a single stretch?

install RANCID, then grep the configuration files.

Or manually / auto log into each and execute "show inventory".

Nick

From: jviadzishchau at gmail.com (Jauhen Viadzishchau)
Date: Thu, 07 Jan 2010 12:31:39 +0200
Subject: [c-nsp] Cisco 3620 and WIC-1ADSL
In-Reply-To: <052c01ca8f61$261b1830$72514890$@za.org>
References: <052c01ca8f61$261b1830$72514890$@za.org>
Message-ID: <4B45B80B.3070703@gmail.com>

Hello,

you are running the IP feature set (I-M), but according to the FN you need the IP PLUS (IS-M) minimum feature set to support ADSL cards. IP PLUS will also require 64MB DRAM and 16MB flash memory.

Also, your IOS recognizes the wic-adsl as pa-1c-p, which is strange.

Jauhen.

Chris Knipe wrote:
> Hi,
>
> I have a C3620 with 2 ADSL WICs inside a NM-1FE2W (which is supposed to be
> confirmed working). After lots of googling, I read much controversy about
> what is supposed to work and what not, both in terms of hardware, as well as
> software versions. From my understanding, I am running an IOS which is
> supposed to be supported.
>
> Before I upgraded (old IOS), the WIC-1ADSL cards were not detected. Now,
> both cards are detected, but I still do not have any ATM interfaces
> available. I would appreciate it if anyone can point me in the right
> direction please - or, do I have an oversized paper weight here?
>
> sh ver and sh diag below.
>
> Many thanks,
> Chris.
>
> cpt-cc-core01#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) 3600 Software (C3620-I-M), Version 12.3(21), RELEASE SOFTWARE (fc2)
>
> cpt-cc-core01#sh diag
> Slot 0:
> NM-1FE2W Port adapter, 1 port
> Port adapter is analyzed
> Port adapter insertion time unknown
> EEPROM contents at hardware discovery:
> Hardware Revision : 1.0
> Top Assy. Part Number : 800-04796-01
> Board Revision : F0
> Deviation Number : 0-8707
> Fab Version : 05
> PCB Serial Number : JAD05350Y3U
> RMA Test History : 00
> RMA Number : 0-0-0-0
> RMA History : 00
> Product (FRU) Number : NM-1FE2W=
> EEPROM format version 4
> EEPROM contents (hex):
> 0x00: 04 FF 40 00 D7 41 01 00 C0 46 03 20 00 12 BC 01
> 0x10: 42 46 30 80 00 00 22 03 02 05 C1 8B 4A 41 44 30
> 0x20: 35 33 35 30 59 33 55 03 00 81 00 00 00 00 04 00
> 0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
>
> WIC Slot 0:
> DSL SAR (ADSL)
>
> Hardware Revision : 2.3
> Part Number : 73-4771-09
> Board Revision : C0
> Deviation Number : 0-0
> Fab Version : 05
> PCB Serial Number : FOC10161M3C
> RMA Test History : 00
> RMA Number : 0-0-0-0
> RMA History : 00
> Product (FRU) Number : PA-1C-P=
> EEPROM format version 4
> EEPROM contents (hex):
> 0x00: 04 FF 40 00 2E 41 02 03 82 49 12 A3 09 42 43 30
> 0x10: 80 00 00 00 00 02 05 C1 8B 46 4F 43 31 30 31 36
> 0x20: 31 4D 33 43 03 00 81 00 00 00 00 04 00 FF FF FF
> 0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
>
> WIC Slot 1:
> DSL SAR (ADSL)
>
> Hardware Revision : 2.3
> Part Number : 73-4771-08
> Board Revision : B0
> Deviation Number : 0-0
> Fab Version : 05
> PCB Serial Number : FOC07330WL9
> RMA Test History : 00
> RMA Number : 0-0-0-0
> RMA History : 00
> Product (FRU) Number : PA-1C-P=
> EEPROM format version 4
> EEPROM contents (hex):
> 0x00: 04 FF 40 00 2E 41 02 03 82 49 12 A3 08 42 42 30
> 0x10: 80 00 00 00 00 02 05 C1 8B 46 4F 43 30 37 33 33
> 0x20: 30 57 4C 39 03 00 81 00 00 00 00 04 00 FF FF FF
> 0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 07 Jan 2010 11:40:58 +0100
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>

On 7 Jan 2010 09:07:23 -0000, you wrote:

> Hi, please help me. I have approximately hundreds of Cisco routers
> and switches. I want to find out the serial numbers for AMC. Can anybody
> help me find them out in a single stretch?

Look at Pari Network Assessment Tool (PNAT)
http://www.parinetworks.com/products/pari_network_assessment_tool.htm

It's very easy to use and works well.

-A

PS: You could of course get the same thing manually with telnet, show version, show inventory, etc., cut-and-paste, a bit of scripting, a spreadsheet etc.

From: amolsapkal at gmail.com (Amol Sapkal)
Date: Thu, 7 Jan 2010 14:42:20 +0400
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <4B45B6D6.6040802@inex.ie>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com> <4B45B6D6.6040802@inex.ie>

If you have a linux box that has SNMP access to all devices, this task would become very easy and fast with a simple Perl script and SNMP. I had written a similar script a few years back; let me know if you need it!

On Thu, Jan 7, 2010 at 2:26 PM, Nick Hilliard wrote:
> On 07/01/2010 09:07, ambedkar wrote:
> > Hi, please help me. I have approximately hundreds of Cisco routers
> > and switches. I want to find out the serial numbers for AMC. Can anybody
> > help me find them out in a single stretch?
>
> install RANCID, then grep the configuration files.
>
> Or manually / auto log into each and execute "show inventory".
>
> Nick

-- 
Warm regards,
Amol Sapkal
-------------------------------------------------------------------
"When I'm not in my right mind, my left mind gets pretty crowded"
-------------------------------------------------------------------

From: gkg at gmx.de (Garry)
Date: Thu, 07 Jan 2010 11:29:43 +0100
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <4B45B797.3020505@gmx.de>

ambedkar wrote:
>
> Hi, please help me. I have approximately hundreds of Cisco routers
> and switches. I want to find out the serial numbers for AMC. Can anybody
> help me find them out in a single stretch?
>
If you are doing SNMP management, and have a DB of all IPs and SNMP communities, you could hack a little script to query the serial# via SNMP ... e.g.:

SNMPv2-SMI::mib-2.47.1.1.1.1.11.1 is the serial# for an 800 series router ... of course, this will only cover the base system in the case of modular routers ... not sure if/how you could query modules inserted into those ...

-garry


From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 7 Jan 2010 11:08:45 +0000
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <20100107110845.GA13227@lboro.ac.uk>

hi,

use eg RANCID, home scripts (with SNMP, telnet/ssh etc) or a package such as NetDISCO

alan

From: thegameiam at yahoo.com (David Barak)
Date: Thu, 7 Jan 2010 03:29:50 -0800 (PST)
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <501910.28023.qm@web31806.mail.mud.yahoo.com>

> Hi, please help me. I have approximately hundreds of Cisco routers
> and switches. I want to find out the serial numbers for AMC. Can anybody
> help me find them out in a single stretch?

+1 for using an SNMP tool to automatically gather this. Rancid, Netbrain, or the other tool of your choice.

One note: if you have a 7200 router, the SN that the router will report is NOT the one you want - you want a number that starts with a 7, and is on a sticky label on the back of the router. To the best of my knowledge there isn't a way to pull that from the router remotely if you didn't add it in (using snmp-server chassis-id or the like). Other than that, the automated tools are definitely the way to go.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 07 Jan 2010 14:09:20 +0000
Subject: [c-nsp] BGP - Announcing routes to Internet providers.

Prior to MPLS we null routed *all* our "supernets" (public aggregated announcements) on *all* core routers such that unknown traffic only made it as far as the nearest core (of which there are at least two in each PoP). Of course, if your ASN becomes partitioned then you have to be prepared to deal with this, our solution being never to allow the AS to be partitioned by building a highly resilient topology :)

More specific customer networks in BGP were tagged by route-map and had our "internal" communities applied plus "no-export" to ensure that they couldn't be leaked by accident (say if border community filtering failed somehow).

When you add MPLS into the mix (for internet routing, not just VPN) your border router becomes an LER and as such you can't take advantage of the core routers and have them MPLS-only LSRs at the same time. One solution may be to inject your supernets from your sources (i.e. reflectors), perhaps with a bogus next hop (i.e. with enough validity to be announced but not forwarding if it ever became a valid route for traffic to follow at the edge).

Hope this helps

Dave./

Drew Weaver wrote:
> Howdy,
>
> I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers. Currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes set up like ip route x.x.x.x 255.255.224.0 Null0 254 and then we have an extended access-list applied to each peer with our net blocks listed in them.
>
> It appears that because of the network statements, the supernet routes (/18s, /19s, etc) are being distributed via BGP to the rest of the network which is by design (I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than say /18, or /19 it travels all the way through the network to the edge before stopping. I might be blowing the impact of this out of proportion, but it just seems like a waste of resources.
>
> Does anyone know of a seemingly more sensible way of doing this?
>
> -Drew


From: scottowens12 at gmail.com (scott owens)
Date: Thu, 7 Jan 2010 09:15:30 -0600
Subject: [c-nsp] Data Center cooling

Hello,

Has anyone looked at using outside air to provide data center cooling during the winter season? I am aware of Google and Intel research into this area but how about on a smaller scale? How about raising ambient temperatures as well - do you keep your data centers at 65 or 80?

Thank you,
Scott


From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 7 Jan 2010 16:51:46 +0100
Subject: [c-nsp] Data Center cooling
Message-ID: <20100107155146.GD857@greenie.muc.de>

Hi,

On Thu, Jan 07, 2010 at 09:15:30AM -0600, scott owens wrote:
> temperatures as well - do you keep your data centers at 65 or 80 ?

We try to stay below 22. But 80 is good for green tea.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From: jshearer at amedisys.com (Jason Shearer)
Date: Thu, 7 Jan 2010 10:05:16 -0600
Subject: [c-nsp] Data Center cooling
In-Reply-To: <20100107155146.GD857@greenie.muc.de>
References: <20100107155146.GD857@greenie.muc.de>

I am hoping you mean 22C? :)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Thursday, January 07, 2010 9:52 AM
To: scott owens
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Data Center cooling

Hi,

On Thu, Jan 07, 2010 at 09:15:30AM -0600, scott owens wrote:
> temperatures as well - do you keep your data centers at 65 or 80 ?

We try to stay below 22. But 80 is good for green tea.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

*** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. ***

From: jens.neu at biotronik.com (Jens Neu)
Date: Thu, 7 Jan 2010 16:37:29 +0100
Subject: [c-nsp] ACLs and 2948G-L3

Dear all,

I've come across a lot of people complaining about the 2948G-L3 and access-lists. I defined two extended access-lists which are bound to FastEthernet35 (in and out). The switch complains nowhere, but when the ACLs should trigger, this appears in the log:

Jan 6 16:03:57 172.16.15.250 13651: Jan 6 15:03:56.983 UTC: ACL card not present for interface FastEthernet35
Jan 6 16:04:05 172.16.15.250 13652: Jan 6 15:04:04.296 UTC: ACL card not present for interface FastEthernet35

I'm running SW 12.0(25)W5(27d) on the device, while http://www.cisco.com/cgi-bin/tablebuild.pl/cat2948g-l3 tells me this is the most recent one.

Can anyone enlighten me what this "ACL card" is about? Is there a way to use ACLs on the device at all?

thanks and best regards!

Jens Neu
www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Register court: Berlin HRA 6501
Represented by its general partner: BIOTRONIK MT SE
Registered office: Berlin, Register court: Berlin HRB 118866 B
Chairman of the Administrative Board: Dr. Max Schaldach
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. Lothar Krings

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management systems and Vascular Intervention devices. Quality, innovation, and reliability define BIOTRONIK and our growing success. We are innovators of technologies like the first wireless remote monitoring system - Home Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as state-of-the-art stents, balloons and guide wires for coronary and peripheral indications. We highly invest in the development of drug eluting devices and are leading the industry with our bioabsorbable metal stent program.

This e-mail and the information it contains including attachments are confidential and meant only for use by the intended recipient(s); disclosure or copying is strictly prohibited. If you are not addressed, but in the possession of this e-mail, please notify the sender immediately and delete the document.


From: justin at justinshore.com (Justin Shore)
Date: Thu, 07 Jan 2010 10:10:55 -0600
Subject: [c-nsp] Data Center cooling
Message-ID: <4B46078F.4040709@justinshore.com>

scott owens wrote:
> Hello,
>
> Has anyone looked at using outside air to provide data center cooling
> during the winter season ? I am aware of Google and Intel research into
> this area but how about on a smaller scale ? How about raising ambient
> temperatures as well - do you keep your data centers at 65 or 80 ?

The topic came up on NANOG several times in the past. I seem to recall someone saying that they used outside air as well since they were in very high latitudes. You might try searching those list archives.

Justin

From: chip.gwyn at gmail.com (chip)
Date: Thu, 7 Jan 2010 11:15:57 -0500
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <64a8ad981001070815l31700d46ta6e1c9c5c9ad5456@mail.gmail.com>

On Thu, Jan 7, 2010 at 4:07 AM, ambedkar wrote:
>
> Hi, please help me. I have approximately hundreds of Cisco routers
> and switches. I want to find out the serial numbers for AMC. Can anybody
> help me find them out in a single stretch?
>
> Thanks, bye.

As you work through your gear you'll notice different versions of IOS can give slightly different answers to the same questions, whether you use 'show inventory' or snmp poll for entPhysicalDescr, entPhysicalSerialNum, or entPhysicalModelName. You're also going to have a difficult time with the old AS-2511rj console servers and the smaller 1900/2900 style switches.

If you have an all Cisco shop, you can download an eval version of their tool to automate this:

http://www.cisco.com/en/US/products/sw/cscowork/ps2073/index.html

Requires a CCO account and a win2008 or solaris server.

--chip

-- 
Just my $.02, your mileage may vary, batteries not included, etc....

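The replies above (Nick's "show inventory" via RANCID captures, Garry's ENTITY-MIB serial OID and his caveat about modules, chip's note on entPhysicalDescr/SerialNum/ModelName), as a parser for captured "show inventory" output, added here as an example and not code from this list. The inventory text, hostname and serial numbers are constructed placeholders; the ENTITY-MIB column numbers in the comments are from RFC 4133.

```python
"""Turn captured 'show inventory' output into an AMC serial-number list.

Added example for the serial-number thread above, not code from the list.
The inventory text and hostnames below are constructed; the serial numbers
are placeholders. Over SNMP the same fields are ENTITY-MIB (RFC 4133)
columns entPhysicalDescr (mib-2.47.1.1.1.1.2), entPhysicalSerialNum (.11)
and entPhysicalModelName (.13), one row per chassis, module and card.
"""
import re
from dataclasses import dataclass

# One inventory record is a NAME/DESCR line followed by a PID/VID/SN line.
# PID, VID and SN may all be blank, which IOS prints as padding before the comma.
NAME_RE = re.compile(r'^NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"\s*$')
PID_RE = re.compile(r"^PID:\s*(?P<pid>\S*)\s*,\s*VID:\s*(?P<vid>\S*)\s*,\s*SN:\s*(?P<sn>\S*)\s*$")

# Constructed sample in the IOS 'show inventory' layout: a chassis, a network
# module, a WIC inside it, and a part that reports no serial at all.
SAMPLE_SHOW_INVENTORY = """\
NAME: "Chassis", DESCR: "Cisco 3620 chassis"
PID: CISCO3620         , VID:    , SN: PLACEHOLDER0CHAS

NAME: "Slot 0", DESCR: "1-port Fast Ethernet 2 WIC slot network module"
PID: NM-1FE2W=         , VID: 1.0, SN: PLACEHOLDER0NM00

NAME: "WIC Slot 0 in Slot 0", DESCR: "ADSL over POTS WAN interface card"
PID: WIC-1ADSL         , VID: 2.3, SN: PLACEHOLDER0WIC0

NAME: "Power Supply 0", DESCR: "AC power supply"
PID:                   , VID:    , SN:
"""


@dataclass
class InventoryItem:
    name: str
    descr: str
    pid: str
    vid: str
    sn: str


def parse_show_inventory(text):
    """Parse one device's 'show inventory' output into InventoryItem records.
    A PID line without a preceding NAME line is ignored rather than guessed at."""
    items = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NAME_RE.match(line)
        if m:
            pending = (m.group("name"), m.group("descr"))
            continue
        m = PID_RE.match(line)
        if m and pending is not None:
            items.append(InventoryItem(*pending, m.group("pid"), m.group("vid"), m.group("sn")))
            pending = None
    return items


def missing_serials(items):
    """Names of entries the device gave no serial for, so the AMC list shows
    where a label on the hardware still has to be read by hand."""
    return [it.name for it in items if not it.sn]


def serial_report(hostname, items):
    """Spreadsheet rows (host, entry, PID, SN); a blank SN is marked, not dropped,
    so modules (Garry's caveat) and unreadable parts stay visible."""
    return [(hostname, it.name, it.pid or "-", it.sn or "MISSING") for it in items]


def build_amc_list(outputs):
    """outputs maps hostname -> captured 'show inventory' text (e.g. a RANCID
    collection directory read into a dict); returns rows for every device."""
    rows = []
    for host, text in sorted(outputs.items()):
        rows.extend(serial_report(host, parse_show_inventory(text)))
    return rows


if __name__ == "__main__":
    for row in build_amc_list({"cpt-cc-core01": SAMPLE_SHOW_INVENTORY}):
        print(",".join(row))
```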
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Thu, 7 Jan 2010 09:19:04 -0700
Subject: [c-nsp] Bug ID CSCsv50653
References: <4B450899.4030801@utc.edu>
Message-ID: <86AB693B-23FF-4380-AB7D-2FAD96D4DBF5@gmail.com>

Is 12.2(46)SE6 the recommended most stable version then since it was the last supported version?

On Jan 6, 2010, at 3:47 PM, Hector Herrera wrote:

> On Wed, Jan 6, 2010 at 2:03 PM, Jeff Kell wrote:
>> On 1/6/2010 4:55 PM, Jason Shearer wrote:
>>> After reload, 3550 does not load share
>>>
>>> 1st Found-In
>>> 12.2(35)SE
>>> Known Affected Versions
>>>
>>> Fixed-In
>>> 12.2(50)SE
>>> 12.2(50)SE1
>>
>> Well, that's a major crock-o-stuff, as 12.2(46)SE6 is the last
>> officially supported/provided IOS release for that platform (other than
>> the DC version).
>>
>> Jeff
>
> Yes, that is quite ugly. I'm currently using 12.2(50)SE3 on a
> 3550-12T and the only difficulties that I have run into is a high
> (> 90% cpu load when total throughput on the load-balanced links reaches
> 200 Mbps).
>
> I am curious to find out if the high cpu load is caused by some
> incompatibility between 12.2(50)SE3 and the 3550-12T (since the
> version is not officially supported on the platform). However, this
> bug (no load sharing after reload) is making me think twice about
> testing 12.2(46)SE6.
>
> On the other hand, the bug fix for this issue could be the reason for
> the high cpu load ....
>
> Out of curiosity, is anybody here using a 3550 to route more than
> 200Mbps (at about 40,000 packets per second forwarding rate)? I
> would be interested in comparing cpu loads with or without
> load-sharing.
>
> Thank you for all the copies of the bug that I received (both to the
> list and privately).
>
> -- 
> Hector Herrera


From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 7 Jan 2010 17:19:34 +0100
Subject: [c-nsp] Data Center cooling
References: <20100107155146.GD857@greenie.muc.de>
Message-ID: <20100107161934.GE857@greenie.muc.de>

Hi,

On Thu, Jan 07, 2010 at 10:05:16AM -0600, Jason Shearer wrote:
> I am hoping you mean 22C? :)

Yes. 22K would be a bit too cold, indeed.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Thu, 7 Jan 2010 16:25:16 +0000
Subject: [c-nsp] Data Center cooling
References: <20100107155146.GD857@greenie.muc.de>
Message-ID: <20100107162516.GA1886@vacation.karoshi.com.>

better than 22K

--bill

On Thu, Jan 07, 2010 at 10:05:16AM -0600, Jason Shearer wrote:
> I am hoping you mean 22C? :)
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Thursday, January 07, 2010 9:52 AM
> To: scott owens
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Data Center cooling
>
> Hi,
>
> On Thu, Jan 07, 2010 at 09:15:30AM -0600, scott owens wrote:
> > temperatures as well - do you keep your data centers at 65 or 80 ?
>
> We try to stay below 22. But 80 is good for green tea.
>
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 07 Jan 2010 17:43:59 +0100
Subject: [c-nsp] ACLs and 2948G-L3
In-Reply-To:
References:
Message-ID:

On Thu, 7 Jan 2010 16:37:29 +0100, you wrote:
> I've come across a lot of people complaining about the 2948G-L3 and
> access-lists. I defined two extended access-lists which are bound to
> FastEthernet35 (in and out). The switch complains nowhere, but when the
> ACLs should trigger, this appears in the log:

ACLs are only supported on the GE interfaces, not FE.

-A

From SPfister at dps.k12.oh.us Thu Jan 7 12:12:11 2010
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 07 Jan 2010 12:12:11 -0500
Subject: [c-nsp] IRB and channel-group help needed
Message-ID: <4B45D00D.9E6F.00B8.0@dps.k12.oh.us>

I've got an 8540 switch running 12.1(20)E set up with IRB and I've got two interfaces I'm looking at:

interface GigabitEthernet0/0/3
 no ip address
 no ip redirects
!
interface GigabitEthernet0/0/3.1
 description Native VLAN
 encapsulation dot1Q 1 native
 no ip redirects
!
interface GigabitEthernet0/0/3.99
 encapsulation dot1Q 99
 no ip redirects
 no cdp enable
 bridge-group 99

The other interface is Gigabit0/0/4 and is set up the exact same way. I'd like to be able to set up a channel group for those two interfaces. I set up the port channel like:

interface Port-channel1
 no ip address
 hold-queue 300 in
!
interface Port-channel1.1
 encapsulation dot1Q 1 native
 no ip redirects
!
interface Port-channel1.99
 encapsulation dot1Q 99
 no ip redirects
 bridge-group 99

But if I apply it to one of the interfaces, I get an error: "Error: Interface has sub-interface configured". I can take the subinterfaces off temporarily and set up the channel-group, but if I try to re-add the subinterfaces, I can't do that. Is this something that is possible? If so, what am I missing?

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From rob.mengert at pipelinefinancial.com Thu Jan 7 11:40:26 2010
From: rob.mengert at pipelinefinancial.com (Robert Mengert)
Date: Thu, 7 Jan 2010 11:40:26 -0500
Subject: [c-nsp] Data Center cooling
In-Reply-To: <20100107161934.GE857@greenie.muc.de>
References: <20100107155146.GD857@greenie.muc.de> <20100107161934.GE857@greenie.muc.de>
Message-ID:

Has the Fahrenheit scale been eradicated? If so, this is an odd place to first be hearing about it :)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Thursday, January 07, 2010 11:20 AM
To: Jason Shearer
Cc: scott owens; Gert Doering; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Data Center cooling

Disclaimer: Any references to Pipeline performance contained herein are based on internal testing and / or historic performance levels which Pipeline expects to maintain or exceed but nevertheless does not guarantee. Congested networks, price volatility, or other extraordinary events may impede future trading activities and degrade performance statistics. Pipeline is a member of FINRA and SIPC.

From gsgranados at comcast.net Thu Jan 7 12:33:21 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 7 Jan 2010 09:33:21 -0800
Subject: [c-nsp] Data Center cooling
References: <20100107155146.GD857@greenie.muc.de><20100107161934.GE857@greenie.muc.de>
Message-ID: <009d01ca8fbf$8a96e1f0$2408120a@am.thmulti.com>

Well, in the rest of the world outside the US definitely, remember there is a larger world out there. We're the last (I think) not to go metric.

----- Original Message -----
From: "Robert Mengert"
To: "Gert Doering" ; "Jason Shearer"
Cc: "scott owens" ;
Sent: Thursday, January 07, 2010 8:40 AM
Subject: Re: [c-nsp] Data Center cooling

> Has the Fahrenheit scale been eradicated? If so, this is an odd place
> to first be hearing about it :)

From mksmith at adhost.com Thu Jan 7 13:08:36 2010
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 7 Jan 2010 10:08:36 -0800
Subject: [c-nsp] Data Center cooling
In-Reply-To:
References:
Message-ID: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>

Hello Scott:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of scott owens > Sent: Thursday, January 07, 2010 7:16 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Data Center cooling > > Hello, > > Has anyone looked at using outside air to provide data center > cooling > during the winter season ? I am aware of Google and Intel research > into > this area but how about on a smaller scale ? How about raising ambient > temperatures as well - do you keep your data centers at 65 or 80 ? > > Thank you, > Scott We are in Seattle and use an air-exchanger system that relies on outside air as much as possible, and then blends in chilled water as necessary up to 100% chilled. It's fairly common here because of the nature of our climate, and the psychrometric scale (http://en.wikipedia.org/wiki/Psychrometrics) is favorable for us. We've also looked at increasing our data center temps from 68F/20C to closer to 78F/25.56C (hi Gert), but our marketing folks have been the most resistant because of the prevailing expectation that colder is better. There is some good research and testing being done by Microsoft, Intel and Google in this arena, but I don't think enough has been published yet to give that calming feeling to the marketing folks. I would imagine, however, that we will see increasing data center temperatures more and more in the coming years. Regards, Mike From gert at greenie.muc.de Thu Jan 7 13:32:08 2010 
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 7 Jan 2010 19:32:08 +0100
Subject: [c-nsp] ACLs and 2948G-L3
In-Reply-To:
References:
Message-ID: <20100107183208.GN857@greenie.muc.de>

Hi,

On Thu, Jan 07, 2010 at 05:43:59PM +0100, Asbjorn Hojmark - Lists wrote:
> > I've come across a lot of people complaining about the 2948G-L3 and
> ACLs are only supported on the GE interfaces, not FE.

And even there, there are nasty surprises lurking if the ACLs get too long (they won't be installed, and the accompanying error message is ONLY logged to the console).

The 2948G-L3 is not even a good door stop.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From sethm at rollernet.us Thu Jan 7 13:47:40 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 07 Jan 2010 10:47:40 -0800
Subject: [c-nsp] Data Center cooling
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
Message-ID: <4B462C4C.50807@rollernet.us>

Michael K. Smith - Adhost wrote:
> We've also looked at increasing our data center temps from 68F/20C to
> closer to 78F/25.56C (hi Gert), but our marketing folks have been the
> most resistant because of the prevailing expectation that colder is
> better.

Cooler temperatures can give you some headroom in the event of a malfunction or hiccup that results in cooling capacity reduction. That may or may not be an issue depending on your location. I don't have the article handy, but I recall Google mentioning that they can just "turn off" and redistribute load to other datacenters if one gets too hot.

~Seth

From oles at ovh.net Thu Jan 7 13:59:28 2010
From: oles at ovh.net (oles at ovh.net)
Date: Thu, 7 Jan 2010 19:59:28 +0100
Subject: [c-nsp] Data Center cooling
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
Message-ID: <20100107185927.GA31395@ovh.net>

> I would imagine, however, that we will see increasing data center
> temperatures more and more in the coming years.

In 2004 & 2007 we developed the EcoDatacenter. 12 months per year, we use only the water & outside air for the cooling on our 70 000 dedicated servers that we host. We are #1 in Europe. Our PUE = 1.12. It means we don't waste the power for the cooling. That is why our prices are cheaper and our customers love it. It's our marketing.

Some videos: http://www.youtube.com/user/OvhComOnVousHeberge

From sthaug at nethelp.no Thu Jan 7 13:59:33 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 07 Jan 2010 19:59:33 +0100 (CET)
Subject: [c-nsp] ACLs and 2948G-L3
In-Reply-To: <20100107183208.GN857@greenie.muc.de>
References: <20100107183208.GN857@greenie.muc.de>
Message-ID: <20100107.195933.78793254.sthaug@nethelp.no>

> And even there, there are nasty surprises lurking if the ACLs get too
> long (they won't be installed, and the accompanying error message is
> ONLY logged to the console).
>
> The 2948G-L3 is not even a good door stop.

And hasn't been for quite a few years. I'm *very* glad we got rid of our last 2948G-L3 around the 2003 time frame.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From peter at rathlev.dk Thu Jan 7 14:08:28 2010
From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 07 Jan 2010 20:08:28 +0100 Subject: [c-nsp] IOS Code Recommendations In-Reply-To: References: Message-ID: <1262891308.3649.31.camel@localhost> Hi Jason, On Sat, 2010-01-02 at 23:11 -0700, Jason LeBlanc wrote: > Cisco only does safe harbor on a few select devices. Being as how > this group is made up of a lot of service providers and enterprise > networks, does anyone know the latest stable version of code for any > or all of the following: > > 2651XM > WS-C3550-24-PWR > WS-C3560-24PS-S > Catalyst 3560-48TS I think the reason people are unwilling to give any advice on this (also cf. your later questions) might be because the question is hard to answer precisely for even low grades of precision. For the 2651XM you have a huge lot of possibilities for different versions (depending on amount of RAM), and which one suits your needs would vary with what features you want to use. Without any information regarding the latter your question is incomplete. We have been using 12.2(40) mainline with several 2600s with no problems for a long time, though not with XM models. They're primarily 2610s used as RTR queriers and responders, and the a few devices for DLSw+ termination. Regarding the L3 switches: I was once told an expert I respect a lot (non Cisco employee) to generally use the newest supported version and hope for the best. We currently use (as the customer) a few hundreds of 3560s running 12.2(35)SE5 IP Services as multi VRF-Lite CPE devices in "branch offices". The only bug that has bitten us so far is that interface counters don't show drops (e.g. OutDiscards). We use lots of 3560s currently running 12.2(50)SE1 and SE3 IP Base and only doing L2. No problems so far. (And OutDiscard counters work.) We also have a handful of 3550s running 12.2(50)SE3 IP Base; this is not supported, but we haven't had any problems so far. We replace them with 3560s on occasion. (The 3550 was IMHO a better platform though.) 
Remember that if you are using the 3550s for anything critical you really should use a supported release. -- Peter From panocisco77 at gmail.com Thu Jan 7 14:08:38 2010 
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Thu, 7 Jan 2010 14:08:38 -0500
Subject: [c-nsp] CIsco 6509-E issues
In-Reply-To: <535857.93381.qm@web27904.mail.ukl.yahoo.com>
References: <16e2ac180912290541n6cfcb6b2yb4de7a88f40bd7f7@mail.gmail.com> <535857.93381.qm@web27904.mail.ukl.yahoo.com>
Message-ID: <16e2ac181001071108gd875460r3ff0a0e5460ccd21@mail.gmail.com>

Thank you for all the responses I've received on this issue, but I figured it out. It was a native VLAN issue: I kind of had the wrong native VLAN number. Once I fixed it, everything went back to normal.

On Sat, Jan 2, 2010 at 12:09 PM, C and C Dominte wrote:
> Hi,
>
> Is there any chance of overlapping subnets configured on two different
> routers?
>
> I saw similar issues caused by this, but traceroute and show ip route
> commands should help diagnosing that.
>
> Catalin
>
> ------------------------------
> *From:* Lee
> *To:* Renelson Panosky
> *Cc:* cisco-nsp at puck.nether.net
> *Sent:* Tue, 29 December, 2009 21:53:57
> *Subject:* Re: [c-nsp] CIsco 6509-E issues
>
> On Tue, Dec 29, 2009 at 8:41 AM, Renelson Panosky wrote:
> > I am experiencing a small problem with one of my Cisco 6509-E on my
> > network. My management device (SNMP) is showing one of my switches is down,
> > but I am able to log in to the switch, ping it from my PC, ping it from other
> > Cisco devices on the network. A couple of computers on my network are not
> > able to ping it or telnet; however, every user who is directly connected to that
> > switch is able to get online. I have not received any complaints yet from
> > any of my users. I just want to make sure this doesn't turn into a bigger
> > issue. Any advice.
>
> I've seen the same type of thing - traceroute to find where it
> breaks and 'clear ip route *' on that box or the next hop cleared it up.
>
> Regards,
> Lee
>
> > Happy Holidays

From Joel.Snyder at Opus1.COM Thu Jan 7 11:33:13 2010
From: Joel.Snyder at Opus1.COM (Joel Snyder) Date: Thu, 07 Jan 2010 09:33:13 -0700 Subject: [c-nsp] Data Center cooling Message-ID: <4B460CC9.5010503@opus1.com> > Has anyone looked at using outside air to provide data center > cooling during the winter season ? > I am aware of Google and Intel research into > this area but how about on a smaller scale ? > How about raising ambient > temperatures as well - do you keep your data centers at 65 or 80 ? We do this and we have had mixed success. We have Liebert A/C units which have something they call an "economizer." Essentially, when the outside temperature falls below a certain point as measured by a simple thermostat, the A/C unit moves a damper and instead of sucking hot air from the room to cool, it sucks cold air from the outside, filters it, and blows it in. At the same time, it turns off the compressor (because the air is, in theory, already cold). In the sales presentations and talking to A/C gurus, it all sounded very smart and economical, but we've found that the actual management of the damper and the temperature that it shifts are very delicate settings. Depending on the time of the day (i.e., is there sunlight on that side of the building or not?) and the season of the year (i.e., is this just a little cold snap or an extended period?), as well as the outside humidity level (is it very different from the humidity in the room or not?), the temperature has to be adjusted a bit in each direction. Our units don't have a computer control for that, so that means someone goes out every few weeks with a screwdriver and manually fiddles the economizer thermostat settings. We can compensate a bit on the computer control side by changing the the system thermostat around a few degrees, but there is no direct linkage between the economizer part of the system--it's completely independent, essentially an add-on--and the rest of the cooling system. 
I honestly can't tell whether we are saving any money on this or not, but for our latitude and climate, I would not recommend it to anyone else. We have had to replace the thermostats and damper controllers, and that eats up $300 to $500 for every service call. Plus, while we were learning about it, we had some midnight room-got-too-hot moments, which also cost us. I think that if you lived someplace where it was in the 5C/40F range or below day-round for weeks at a time, this would probably work (assuming that you have physical ability to install this kind of unit). In our climate, where it is 5C/40F for 8 hours at night and 20C/70F the rest of the day, for our 3 month winter, it was probably not the right decision. jms -- Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Senior Partner, Opus One Phone: +1 520 324 0494 jms at Opus1.COM http://www.opus1.com/jms From mulitskiy at acedsl.com Thu Jan 7 14:29:57 2010 
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Thu, 7 Jan 2010 14:29:57 -0500
Subject: [c-nsp] IRB and channel-group help needed
In-Reply-To: <4B45D00D.9E6F.00B8.0@dps.k12.oh.us>
References: <4B45D00D.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <201001071429.57202.mulitskiy@acedsl.com>

I have it working exactly this way. My IOS is 12.1(26)E7. The only special thing I remember about it is that if you want to spread port-channels across the different cards then those cards must be the same (or compatible). For example you can't have port-channel over ports on GE card and Enhanced GE card or between card with ACL daughter card and without it.

Michael

On Thursday 07 January 2010 12:12:11 pm Steven Pfister wrote:
> I've got an 8540 switch running 12.1(20)E set up with IRB and I've got two interfaces I'm looking at:
> [...]
> But if I apply it to one of the interfaces, I get an error: "Error: Interface has sub-interface configured". I can take the subinterfaces off temporarily and set up the channel-group, but if I try to re-add the subinterfaces, I can't do that. Is this something that is possible? If so, what am I missing?
>
> Steve Pfister

From jasonleblanc at gmail.com Thu Jan 7 15:12:56 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Thu, 7 Jan 2010 13:12:56 -0700
Subject: [c-nsp] IOS Code Recommendations
In-Reply-To: <1262891308.3649.31.camel@localhost>
References: <1262891308.3649.31.camel@localhost>
Message-ID:

Peter,

I understand the hesitation. I won't hold anyone accountable. We generally max out memory when we purchase devices so the XMs are stacked. I cannot find a lot of definitive answers online so I figured I would ping the community in hopes to find caveats like the OutDiscards not working. Thank you very much for your time, I can definitely build off of this.

Regards,
//LeBlanc

On Jan 7, 2010, at 12:08 PM, Peter Rathlev wrote:
> Regarding the L3 switches: I was once told an expert I respect a lot
> (non Cisco employee) to generally use the newest supported version and
> hope for the best. We currently use (as the customer) a few hundreds of
> 3560s running 12.2(35)SE5 IP Services as multi VRF-Lite CPE devices in
> "branch offices". The only bug that has bitten us so far is that
> interface counters don't show drops (e.g. OutDiscards).
> [...]
> Remember that if you are using the 3550s for anything critical you
> really should use a supported release.
>
> --
> Peter

From jared.a.gillis at gmail.com Thu Jan 7 15:23:17 2010
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Thu, 07 Jan 2010 12:23:17 -0800
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
Message-ID: <4B4642B5.70501@gmail.com>

Hi all,

I just ran into a strange problem on a 3750ME. I've got two gig ports in an active LACP port-channel looking like this:

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 1 mode active
end

interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 1 mode active
end

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
end

When I added vlan 400 to the trunk allowed vlan list, one of the underlying gig ports flapped, which caused the port-channel to flap as well.

Jan 7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Jan 7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
Jan 7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to down
Jan 7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Jan 7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
Jan 7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
Jan 7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan400, changed state to up

This definitely seems like something that should not happen. I'm running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2).

Any thoughts on what I should be checking?
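[Editor's added example, not part of Jared's message or of Cisco IOS.] One way to read those syslog lines mechanically: the script below parses the %LINK/%LINEPROTO UPDOWN messages (a constructed copy of the lines quoted above, same values, one message per line), computes how long each interface stayed down, and flags a member link whose own drop was immediately followed by the bundle's drop. With two or more links genuinely in an LACP bundle, losing one member should leave the Port-channel up, so that pattern is a quick hint that only one link was really carrying the channel. The year (2010, taken from the thread date; IOS syslog carries none) and the 5-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the syslog lines quoted in the post above (same values).
# IOS syslog timestamps carry no year; 2010 is assumed from the thread date.
ASSUMED_YEAR = 2010

SAMPLE_LOG = """\
Jan 7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Jan 7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
Jan 7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to down
Jan 7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Jan 7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
Jan 7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
Jan 7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan400, changed state to up
"""

# Matches both %LINK-3-UPDOWN and %LINEPROTO-5-UPDOWN messages.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+\S+:\s+"
    r"%(?P<facility>LINK|LINEPROTO)-\d-UPDOWN:\s+(?:Line protocol on )?Interface\s+"
    r"(?P<iface>\S+),\s+changed state to\s+(?P<state>up|down)\s*$"
)


def parse_events(text, year=ASSUMED_YEAR):
    """Turn raw syslog text into a time-ordered list of interface state events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated message, ignore
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S.%f"
        )
        events.append({"ts": ts, "facility": m["facility"],
                       "iface": m["iface"], "state": m["state"]})
    events.sort(key=lambda e: e["ts"])
    return events


def down_durations(events):
    """Pair each 'down' with the next 'up' of the same interface and facility.
    Returns {(iface, facility): [seconds_down, ...]}; a lone 'up' is ignored."""
    pending = {}
    durations = {}
    for ev in events:
        key = (ev["iface"], ev["facility"])
        if ev["state"] == "down":
            pending[key] = ev["ts"]
        elif key in pending:
            delta = ev["ts"] - pending.pop(key)
            durations.setdefault(key, []).append(round(delta.total_seconds(), 3))
    return durations


def members_that_took_bundle_down(events, bundle, members, window=timedelta(seconds=5)):
    """Members whose line-protocol drop was followed, within `window`, by the
    bundle's own line-protocol drop. With two or more links really bundled,
    one member going down should leave the Port-channel up, so a hit here
    suggests only that member was carrying the channel (worth checking the
    far end's LACP state before blaming the VLAN change)."""
    def downs(iface):
        return [e["ts"] for e in events
                if e["iface"] == iface and e["facility"] == "LINEPROTO"
                and e["state"] == "down"]

    bundle_downs = downs(bundle)
    suspects = []
    for member in members:
        if any(timedelta(0) <= bd - md <= window
               for md in downs(member) for bd in bundle_downs):
            suspects.append(member)
    return suspects


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, secs in sorted(down_durations(evs).items()):
        print(f"{key[0]:22} {key[1]:9} down for {secs} s")
    print("bundle followed member(s):",
          members_that_took_bundle_down(evs, "Port-channel1",
                                        ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]))
```

On the sample above the script reports Gi1/0/1 down for 3.817 s, Port-channel1 line protocol down for 5.805 s, and Gi1/0/1 as the member whose drop preceded the bundle's drop by 9 ms; Gi1/0/2 never logged a transition at all.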
--Jared

From buz.dale at usg.edu Thu Jan 7 15:32:23 2010
From: buz.dale at usg.edu (Harold 'Buz' Dale)
Date: Thu, 7 Jan 2010 15:32:23 -0500
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
In-Reply-To: <4B4642B5.70501@gmail.com>
References: <4B4642B5.70501@gmail.com>
Message-ID:

Check the other end to make sure the LACP config is correct and maybe a "sh etherchannel" variation to look at what is going on. If the LACP is wrong maybe the trunk was carried over gi1/0/1.

Luck,
Buz

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Gillis
Sent: Thursday, January 07, 2010 3:23 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap

[...]

Any thoughts on what I should be checking?

--Jared

From tvarriale at comcast.net Thu Jan 7 16:52:51 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 7 Jan 2010 15:52:51 -0600
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel toflap
References: <4B4642B5.70501@gmail.com>
Message-ID: <8488320260324948B0C8ADF39F982C6E@flamdt01>

What was the command and where did you add it?

tv

----- Original Message -----
From: "Jared Gillis"
To:
Sent: Thursday, January 07, 2010 2:23 PM
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel toflap

> When I added vlan 400 to the trunk allowed vlan list, one of the
> underlying gig ports flapped, which caused the port-channel to flap as
> well.
> [...]
> Any thoughts on what I should be checking?
>
> --Jared

From tvarriale at comcast.net Thu Jan 7 16:59:12 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 7 Jan 2010 15:59:12 -0600
Subject: [c-nsp] ACLs and 2948G-L3
References: <20100107183208.GN857@greenie.muc.de>
Message-ID:

Yup. One of the worst C mistakes (top 5?).

tv

----- Original Message -----
From: "Gert Doering"
To: "Asbjorn Hojmark - Lists"
Cc:
Sent: Thursday, January 07, 2010 12:32 PM
Subject: Re: [c-nsp] ACLs and 2948G-L3

From jared.a.gillis at gmail.com Thu Jan 7 17:28:23 2010
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Thu, 07 Jan 2010 14:28:23 -0800
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel toflap
In-Reply-To: <8488320260324948B0C8ADF39F982C6E@flamdt01>
References: <4B4642B5.70501@gmail.com> <8488320260324948B0C8ADF39F982C6E@flamdt01>
Message-ID: <4B466007.2050109@gmail.com>

"switchport trunk allowed vlan add 400" and I ran it under interface Port-Channel1.

Tony Varriale wrote:
> What was the command and where did you add it?
>
> tv
> ----- Original Message -----
From: "Jared Gillis" > > To: > Sent: Thursday, January 07, 2010 2:23 PM > Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel > toflap > > >> Hi all, >> >> I just ran into a strange problem on a 3750ME. I've got two gig ports >> in an active LACP port-channel looking like this: >> >> interface GigabitEthernet1/0/1 >> switchport trunk encapsulation dot1q >> switchport trunk allowed vlan 101,102,400,664,1000-2999 >> switchport mode trunk >> speed 1000 >> duplex full >> channel-group 1 mode active >> end >> >> interface GigabitEthernet1/0/2 >> switchport trunk encapsulation dot1q >> switchport trunk allowed vlan 101,102,400,664,1000-2999 >> switchport mode trunk >> speed 1000 >> duplex full >> channel-group 1 mode active >> end >> >> interface Port-channel1 >> switchport trunk encapsulation dot1q >> switchport trunk allowed vlan 101,102,400,664,1000-2999 >> switchport mode trunk >> end >> >> When I added vlan 400 to the trunk allowed vlan list, one of the >> underlying gig ports flapped, which caused the port-channel to flap as >> well. >> Jan 7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface GigabitEthernet1/0/1, changed state to down >> Jan 7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface Port-channel1, changed state to down >> Jan 7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, >> changed state to down >> Jan 7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface GigabitEthernet1/0/1, changed state to up >> Jan 7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, >> changed state to up >> Jan 7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface Port-channel1, changed state to up >> Jan 7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface Vlan400, changed state to up >> >> This definitely seems like something that should not happen. 
I'm >> running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), >> Version 12.2(46)SE, RELEASE SOFTWARE (fc2). >> Any thoughts on what I should be checking? >> >> --Jared >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jared.a.gillis at gmail.com Thu Jan 7 17:30:06 2010 From: jared.a.gillis at gmail.com (Jared Gillis) Date: Thu, 07 Jan 2010 14:30:06 -0800 Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap In-Reply-To: References: <4B4642B5.70501@gmail.com> Message-ID: <4B46606E.4010200@gmail.com> I see what you're thinking here, but I'm still not sure why adding a vlan to an existing trunk should ever cause a physical link to flap, or affect the underlying LACP session. Harold 'Buz' Dale wrote: > Check the other end to make the the LACP config is correct and maybe a "sh etherchannel" variation to look at what is going on. If the LACP is wrong maybe the trunk was carried over gi1/0/1. > > Luck, > Buz > > -----Original Message----- 
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Gillis > Sent: Thursday, January 07, 2010 3:23 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap > > Hi all, > > I just ran into a strange problem on a 3750ME. I've got two gig ports in an active LACP port-channel looking like this: > > interface GigabitEthernet1/0/1 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > speed 1000 > duplex full > channel-group 1 mode active > end > > interface GigabitEthernet1/0/2 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > speed 1000 > duplex full > channel-group 1 mode active > end > > interface Port-channel1 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > end > > When I added vlan 400 to the trunk allowed vlan list, one of the underlying gig ports flapped, which caused the port-channel to flap as well. > Jan 7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down > Jan 7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down > Jan 7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to down > Jan 7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up > Jan 7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up > Jan 7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up > Jan 7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan400, changed state to up > > This definitely seems like something that should not happen. 
I'm running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2). > Any thoughts on what I should be checking? > > --Jared > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From gsgranados at comcast.net Thu Jan 7 18:26:16 2010 
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 7 Jan 2010 15:26:16 -0800
Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
Message-ID: <015201ca8ff0$d330e380$2408120a@am.thmulti.com>

Hi,
I am using a pair of ASA5520s and the Cisco VPN client (latest release 5.x.160)
When I connect on the client side I see the following log entries.

25     14:25:48.843  01/07/10  Sev=Info/6       CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.

26     14:25:49.187  01/07/10  Sev=Info/6       CERT/0x63600035
Done with the hash signing with signature length of 0.

27     14:25:49.187  01/07/10  Sev=Info/4       CERT/0xE3600005
Failed to RSA sign the hash for IKE phase 1 negotiation using my certificate.

28     14:25:49.187  01/07/10  Sev=Warning/2    IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)

29     14:25:49.187  01/07/10  Sev=Warning/2    IKE/0xE300009B
Failed to build Signature payload (MsgHandlerMM:489)

30     14:25:49.187  01/07/10  Sev=Warning/2    IKE/0xE300009B
Failed to build MM msg5 (NavigatorMM:312)

31     14:25:49.187  01/07/10  Sev=Warning/2    IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)

32     14:25:49.187  01/07/10  Sev=Info/4       IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075 R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED

When I googled I found mention of issues if a cert uses a 4096 bit key. My
CA server has a root cert 4096 bits in length. Have I identified the
problem or are there other things I should test before I have our Windows
admin revoke the main root cert and start creating from scratch? We're in a
testing phase for both the CA and ASA so starting over is not a big deal but
before I create extra work I want to have some evidence. Any pointers would
be appreciated.
Thank you
Scott

From gsgranados at comcast.net Thu Jan 7 19:06:14 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 7 Jan 2010 16:06:14 -0800
Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
References: <015201ca8ff0$d330e380$2408120a@am.thmulti.com> <006301ca8ff5$bc9dfb30$35d9f190$@com>
Message-ID: <01b001ca8ff6$69796290$2408120a@am.thmulti.com>

The version I'm using is 5.0.06.0160-k9 which is the most recent version
available in the download manager.

Thanks
Scott

----- Original Message -----
From: "David Prall"
To: "'Scott Granados'" ;
Sent: Thursday, January 07, 2010 4:01 PM
Subject: RE: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)


> CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
> CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110,
> don't know exactly what you are running with 5.x.160
>
> --
> http://dcp.dcptech.com

From tom at netspot.com.au Thu Jan 7 19:06:28 2010
From: tom at netspot.com.au (Tom Lanyon)
Date: Fri, 8 Jan 2010 10:36:28 +1030
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
In-Reply-To: <4B4642B5.70501@gmail.com>
References: <4B4642B5.70501@gmail.com>
Message-ID:

On 08/01/2010, at 6:53 AM, Jared Gillis wrote:
> Hi all,
>
> I just ran into a strange problem on a 3750ME. I've got two gig ports in an active LACP port-channel looking like this:
>
>
> When I added vlan 400 to the trunk allowed vlan list, one of the underlying gig ports flapped, which caused the port-channel to flap as well.
>
> This definitely seems like something that should not happen. I'm running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2).
> Any thoughts on what I should be checking?

Hi Jared,

I've run into the same problem on our 3750Gs and 3750Es (running
12.2(46)SE) with no solution so far.

The log on our switches indicates that it's due to the config for the
Port-Channel being different than the underlying Gix/y/z interfaces, which
is not allowed, so it shuts the etherchannel down.

I tried to work around this by adding the VLAN to all ports at once, eg:

  conf t
  int ran gi1/0/1, gi1/0/2, po1
  sw trunk allowed vlan add 400
  end

... but this didn't seem to help.

This has been a constant problem with earlier IOS releases too so I don't
believe it's just 12.2(46) to blame.

I assumed there was a simple solution, but hadn't had enough impetus to
search for it yet.

Tom
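A pre-change check for the mismatch Tom's log describes, added here as an example and not code from the thread or from Cisco: it parses a running-config excerpt (constructed from Jared's post, with VLAN 400 deliberately left off Gi1/0/2 so there is something to find), compares each channel-group member's allowed-VLAN set with its Port-channel's, and prints Tom's one-shot "interface range" change so members and bundle are always updated together.

```python
"""Trunk allowed-VLAN consistency check for an LACP bundle.

Added example, not code from the thread. Expands each 'switchport trunk
allowed vlan' list into a set of VLAN IDs, reports any channel-group member
whose set differs from its Port-channel's, and emits the batched change.
"""

# Constructed from Jared's post; VLAN 400 is missing on Gi1/0/2 on purpose.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,664,1000-2999
 switchport mode trunk
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
!
"""


def expand_vlans(spec):
    """'101,102,1000-2999' -> {101, 102, 1000, ..., 2999}; also 'all'/'none'."""
    if spec == "all":
        return set(range(1, 4095))
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_interfaces(config):
    """Return {name: {'vlans': set, 'channel': int or None}} per interface."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1],
                                    {"vlans": set(), "channel": None})
            continue
        if cur is None or not line.startswith(" "):
            cur = None                # '!' or any column-0 line ends the block
            continue
        words = line.split()
        if not words:
            continue
        if words[:4] == ["switchport", "trunk", "allowed", "vlan"] and len(words) > 4:
            if words[4] == "add":     # IOS wraps long lists onto 'add' lines
                cur["vlans"] |= expand_vlans(words[5])
            else:
                cur["vlans"] = expand_vlans(words[4])
        elif words[0] == "channel-group":
            cur["channel"] = int(words[1])
    return ifaces


def bundle_mismatches(ifaces):
    """List (member, port-channel, missing_on_member, extra_on_member)."""
    found = []
    for name in sorted(ifaces):
        chan = ifaces[name]["channel"]
        if chan is None:
            continue
        po = f"Port-channel{chan}"
        po_vlans = ifaces.get(po, {"vlans": set()})["vlans"]
        mine = ifaces[name]["vlans"]
        if mine != po_vlans:
            found.append((name, po, sorted(po_vlans - mine), sorted(mine - po_vlans)))
    return found


def range_add_commands(ifaces, channel, vlan):
    """Tom's workaround: add the VLAN to every member and the Po in one go."""
    members = sorted(n for n, i in ifaces.items() if i["channel"] == channel)
    targets = ", ".join(members + [f"Port-channel{channel}"])
    return ["configure terminal",
            f"interface range {targets}",
            f" switchport trunk allowed vlan add {vlan}",
            "end"]


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for member, po, missing, extra in bundle_mismatches(parsed):
        print(f"{member} differs from {po}: missing {missing}, extra {extra}")
    print("\n".join(range_add_commands(parsed, 1, 400)))
```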
From walter.keen at RainierConnect.net Thu Jan 7 19:43:28 2010
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Thu, 07 Jan 2010 16:43:28 -0800
Subject: [c-nsp] customizing snmp-traps (interface description as well as physical name)
Message-ID: <4B467FB0.4000904@rainierconnect.net>

Is customizing snmp-traps possible through rmon or some other means so
that the delivered message not only has the physical name (gi0/1, etc) but
also the description of that port as named in the interface config?
Dealing mostly with 2960's and 7600's, and trying to figure out if this is
possible.
Even if I have to specify an rmon entry per physical interface, I'm
dealing with small enough numbers that would work.
Something like ' is ' or similar would be ideal.

Going to want to have this for link up/down initially, and then also setup
some traps for taking on interface errors, etc.

--
Walter Keen
Network Technician
Rainier Connect

From dcp at dcptech.com Thu Jan 7 19:15:17 2010
From: dcp at dcptech.com (David Prall)
Date: Thu, 7 Jan 2010 19:15:17 -0500
Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
In-Reply-To: <01b001ca8ff6$69796290$2408120a@am.thmulti.com>
References: <015201ca8ff0$d330e380$2408120a@am.thmulti.com> <006301ca8ff5$bc9dfb30$35d9f190$@com> <01b001ca8ff6$69796290$2408120a@am.thmulti.com>
Message-ID: <006401ca8ff7$b99675a0$2cc360e0$@com>

Both bugs show as Verified. The ASA bug shows as Integrated. The Client
does not. Open a TAC case and have them link it to the bug, and verify if
it is in the release you have. Per the bug it should be since they
verified with 5.0.6.110.

--
http://dcp.dcptech.com

From dcp at dcptech.com Thu Jan 7 19:01:03 2010
From: dcp at dcptech.com (David Prall)
Date: Thu, 7 Jan 2010 19:01:03 -0500
Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
In-Reply-To: <015201ca8ff0$d330e380$2408120a@am.thmulti.com>
References: <015201ca8ff0$d330e380$2408120a@am.thmulti.com>
Message-ID: <006301ca8ff5$bc9dfb30$35d9f190$@com>

CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110,
don't know exactly what you are running with 5.x.160

--
http://dcp.dcptech.com

From sethm at rollernet.us Thu Jan 7 20:39:37 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 07 Jan 2010 17:39:37 -0800
Subject: [c-nsp] customizing snmp-traps (interface description as well as physical name)
In-Reply-To: <4B467FB0.4000904@rainierconnect.net>
References: <4B467FB0.4000904@rainierconnect.net>
Message-ID: <4B468CD9.5060400@rollernet.us>

Have your trap receiver do a query on the ifIndex that gets sent with the
trap. Example with snmpget where $1 is the ifIndex value:

snmpget -v1 -Oqv -c public host ifAlias.$1 ifName.$1

This will return the "description" of that interface and its name i.e.
Fa0/0.

~Seth
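Seth's lookup wrapped into an snmptrapd "traphandle" script, added here as an example and not code from the thread or from net-snmp: it parses what snmptrapd writes to a handler for a linkDown/linkUp trap, pulls out the ifIndex, and builds the snmpget for ifName and ifAlias so the alert reads "Gi0/1 (uplink to core) is down". The sample trap text, the agent name, the community string and the install path are assumptions.

```python
#!/usr/bin/env python3
"""snmptrapd traphandle script that adds ifName/ifAlias to link traps.

Added example, not code from the thread. snmptrapd hands a traphandle
script the agent hostname on line 1, its transport address on line 2, then
one 'OID value' varbind per line on stdin. Assumed snmptrapd.conf lines:
    traphandle IF-MIB::linkDown /usr/local/bin/iftrap.py
    traphandle IF-MIB::linkUp   /usr/local/bin/iftrap.py
"""
import subprocess
import sys

# Constructed handler input, in the layout snmptrapd produces for a linkDown.
SAMPLE_TRAP = """\
sw1.example.net
UDP: [192.0.2.10]:161->[192.0.2.1]:162
DISMAN-EVENT-MIB::sysUpTimeInstance 0:3:12:45.10
SNMPv2-MIB::snmpTrapOID.0 IF-MIB::linkDown
IF-MIB::ifIndex.10103 10103
IF-MIB::ifAdminStatus.10103 up
IF-MIB::ifOperStatus.10103 down
"""

STATE_FOR_TRAP = {"IF-MIB::linkDown": "down", "IF-MIB::linkUp": "up"}


def parse_trap(text):
    """Split traphandle stdin into agent, trap OID, ifIndex and link state."""
    lines = text.splitlines()
    if len(lines) < 3:
        raise ValueError("truncated traphandle input")
    varbinds = {}
    for line in lines[2:]:
        oid, _, value = line.partition(" ")
        varbinds[oid] = value.strip()
    trap_oid = varbinds.get("SNMPv2-MIB::snmpTrapOID.0", "")
    ifindex = next((int(v) for k, v in varbinds.items()
                    if k.startswith("IF-MIB::ifIndex.")), None)
    return {
        "agent": lines[0].strip(),
        "trap": trap_oid,
        "state": STATE_FOR_TRAP.get(trap_oid, trap_oid),
        "ifindex": ifindex,
        "oper": varbinds.get(f"IF-MIB::ifOperStatus.{ifindex}"),
    }


def snmpget_argv(agent, ifindex, community="public", version="2c"):
    """Seth's lookup as one snmpget; -Oqv prints bare values, one per line."""
    return ["snmpget", f"-v{version}", "-Oqv", "-c", community, agent,
            f"IF-MIB::ifName.{ifindex}", f"IF-MIB::ifAlias.{ifindex}"]


def format_message(agent, name, alias, state):
    """'sw1: Gi0/1 (uplink to core) is down'; an empty alias is called out."""
    return f"{agent}: {name} ({alias.strip() or 'no description'}) is {state}"


def lookup_interface(agent, ifindex, community="public"):
    """Run snmpget on the receiver and return (ifName, ifAlias)."""
    result = subprocess.run(snmpget_argv(agent, ifindex, community),
                            capture_output=True, text=True, check=True)
    values = [v.strip('"') for v in result.stdout.splitlines()]
    values += [""] * (2 - len(values))        # tolerate a short reply
    return values[0] or f"ifIndex {ifindex}", values[1]


def main():
    trap = parse_trap(sys.stdin.read())
    if trap["ifindex"] is None:
        print(f"{trap['agent']}: {trap['trap']} carried no ifIndex", file=sys.stderr)
        return 1
    name, alias = lookup_interface(trap["agent"], trap["ifindex"])
    print(format_message(trap["agent"], name, alias, trap["state"]))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```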
From jmaimon at ttec.com Thu Jan 7 22:00:07 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 07 Jan 2010 22:00:07 -0500
Subject: [c-nsp] spanning-tree bpdufilter leaks
Message-ID: <4B469FB7.6050208@ttec.com>

Apparently, bpdufilter leaks sometimes on some switches, and I have the
packet traces to prove it. The switches are probably not supported, so
replacements are likely in order.

Anyone have an opinion of which cisco switches/IOS are guaranteed not to
leak through bpdufilter?

From BBlackford at nwresd.k12.or.us Thu Jan 7 22:09:59 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Thu, 7 Jan 2010 19:09:59 -0800
Subject: [c-nsp] spanning-tree bpdufilter leaks
In-Reply-To: <4B469FB7.6050208@ttec.com>
References: <4B469FB7.6050208@ttec.com>
Message-ID: <6069A203FD01884885C037F81DD750801742DA107A@wsc-mail-01.intra.nwresd.k12.or.us>

Do you have any details? Models? Code vers?

-b

From markom at ipexpert.com Fri Jan 8 00:13:26 2010
From: markom at ipexpert.com (Marko Milivojevic)
Date: Fri, 8 Jan 2010 06:13:26 +0100
Subject: [c-nsp] spanning-tree bpdufilter leaks
In-Reply-To: <4B469FB7.6050208@ttec.com>
References: <4B469FB7.6050208@ttec.com>
Message-ID: <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com>

On Fri, Jan 8, 2010 at 04:00, Joe Maimon wrote:
>
> Apparently, bpdufilter leaks sometimes on some switches, and I have
> the packet traces to prove it. The switches are probably not supported,
> so replacements are likely in order.

Did you have it enabled globally for portfast enabled interfaces or
individually on each interface? If it was the first option, did you have
portfast enabled globally, or again, per interface?

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert
Mailto: markom at ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities

From andrew.gabriel at sanmina-sci.com Fri Jan 8 03:55:27 2010
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel)
Date: Fri, 8 Jan 2010 14:25:27 +0530
Subject: [c-nsp] Need some advice on ISP failover for an enterprise
Message-ID:

Hi,

We have servers at two of our large locations in a single country that
need to be reached from the Internet. Both locations each have a single
45 M ISP link, and also have internal connectivity with each other through
multiple private links. The private WAN connecting the two locations has
plenty of bandwidth and the latency is less than 40 ms between the two
sites.

We have our own registered ASN and public IP ranges. We have multi-homed
ISP links at several other locations but not at these two locations. Also,
both locations are partly ready for multi-homing in that they already use
our own IP range and run BGP to the provider using our ASN.

We have been asked to implement failover, for both the locations. The
options we are considering are:

1. Traditional multi-homing by adding a second ISP at each location.

2. Buying a leased line to connect the CER at both locations and letting
the incoming traffic for either location transit over that line to provide
failover when one site's ISP goes down. This link would terminate on the
'dirty' side of our firewall and not have anything to do with the internal
WAN.

3. Setting up a VPN-type tunnel between the ISP routers at both sites that
would be routed over our internal WAN. This is similar to option 2 but
doesn't involve any extra cost.

Obviously we would prefer option 1 as it is simplest and safest to set up,
and we already have experience with that type of setup, however we have
been asked to look at cheaper options due to budget constraints, hence
wanted some advice on the other options, do you think they could work
well, any potential issues we should look out for, or should we even be
considering them?

Regards,
Andrew Gabriel.
Network Engineer, Enterprise Data Services.
+91 44 42 22 88 75 (Direct)
+91 98 41 41 40 19 (Mobile)
www.sanmina-sci.com

Sanmina-SCI India Pvt. Ltd.
A51, 2nd Avenue, Anna Nagar, Chennai - 600 102, INDIA.

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

From marty at supine.com Fri Jan 8 04:45:37 2010
From: marty at supine.com (Martin Barry)
Date: Fri, 8 Jan 2010 20:45:37 +1100
Subject: [c-nsp] Data Center cooling
In-Reply-To: <009d01ca8fbf$8a96e1f0$2408120a@am.thmulti.com>
References: <009d01ca8fbf$8a96e1f0$2408120a@am.thmulti.com>
Message-ID: <20100108094537.GA29141@tigger.mamista.net>

$quoted_author = "Scott Granados" ;
>
> Well, in the rest of the world outside the US definitely, remember there
> is a larger world out there. We're the last (I think) not to go metric.

Not the last, but for company you only have Burma (Myanmar) and Liberia!

http://en.wikipedia.org/wiki/Metric_system

cheers
Marty

From avayner at cisco.com Fri Jan 8 05:07:08 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 8 Jan 2010 11:07:08 +0100
Subject: [c-nsp] Need some advice on ISP failover for an enterprise
In-Reply-To:
References:
Message-ID:

Andrew,

You should also look at another option where you can use your ISP's
addresses, and collocate a GSLB device (look at Cisco GSS, but not the
only one on the market), which would allow you to do some intelligent
selection for client/server connections.

Actually with BGP you would have issues with granularity, as BGP usually
can propagate only /24 routes (longer subnets usually get filtered by
upstreams).

Arie

From gkg at gmx.de Fri Jan 8 05:25:38 2010
From: gkg at gmx.de (Garry)
Date: Fri, 08 Jan 2010 11:25:38 +0100
Subject: [c-nsp] SA 520 - Virus filter?
Message-ID: <4B470822.70900@gmx.de>

Hi,

we just picked up an SA520 box for a customer, seems like a nice SOHO box ... anyway, while I got most everything working easily (after going through all kinds of hassle with the TrendMicro website registration for the filtering license), including web site filtering based on classification, but somehow filtering of virus files doesn't seem to be working - I've enabled all "Content Filter" options on the firewall page, but can still download the EICAR test signature without any intervention by the SA ...

Any idea what I might be missing here?

Tnx, Garry

From jens.neu at biotronik.com Fri Jan 8 05:32:08 2010
From: jens.neu at biotronik.com (Jens Neu)
Date: Fri, 8 Jan 2010 11:32:08 +0100
Subject: [c-nsp] ACLs and 2948G-L3
In-Reply-To:
References:
Message-ID:

Hm thanks, I think I'm going to need two GBICs then.

Jens Neu
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: jens.neu at biotronik.de

Asbjorn Hojmark - Lists
01/07/2010 05:44 PM

To      Jens Neu
cc
Subject Re: [c-nsp] ACLs and 2948G-L3

On Thu, 7 Jan 2010 16:37:29 +0100, you wrote:

> I've come across a lot of people complaining about the 2948G-L3 and
> access-lists. I defined two extended access-lists which are bound to
> FastEthernet35 (in and out). The switch complains nowhere, but when the
> ACLs should trigger, this appears in the log:

ACLs are only supported on the GE interfaces, not FE.

-A

www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Register court: Berlin HRA 6501

Represented by its general partner:
BIOTRONIK MT SE
Registered office: Berlin, Register court: Berlin HRB 118866 B
Chairman of the Administrative Board: Dr. Max Schaldach
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. Lothar Krings

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management systems and Vascular Intervention devices. Quality, innovation, and reliability define BIOTRONIK and our growing success. We are innovators of technologies like the first wireless remote monitoring system - Home Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as state-of-the-art stents, balloons and guide wires for coronary and peripheral indications. We highly invest in the development of drug eluting devices and are leading the industry with our bioabsorbable metal stent program.

This e-mail and the information it contains including attachments are confidential and meant only for use by the intended recipient(s); disclosure or copying is strictly prohibited. If you are not addressed, but in the possession of this e-mail, please notify the sender immediately and delete the document.

From vijaygore27 at gmail.com Fri Jan 8 06:45:01 2010
From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 8 Jan 2010 17:15:01 +0530
Subject: [c-nsp] Subnetting Issue --- help
Message-ID: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>

Dear All,

I have one question regarding subnetting,

in my network I have given IP for FastEthernet1 192.168.9.65/27

this interface is connected to local LAN - in the local machine IP I have given 192.168.9.66 TO 192.168.9.75 using subnet /24

my question is that if there is any problem in using /24 subnetting in LOCAL LAN, I mean problem link speed issue or any bandwidth issue will happen ??

please help.

From paul at paulstewart.org Fri Jan 8 06:48:31 2010
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 8 Jan 2010 06:48:31 -0500
Subject: [c-nsp] QOS - Multilink Question
Message-ID: <004301ca9058$7ffd02d0$7ff70870$@org>

Hey folks...

I haven't run across this before so hoping someone can suggest a quick fix..;)

Cisco 6500 - off this box feeding three T1's out to customer prem using multilink PPP. These are full rate T1:

dis1-rtr-pt#sh interfaces Serial 5/0/2:21
Serial5/0/2:21 is up, line protocol is up
  Hardware is Multichannel T1
  Description: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, crc 16, Data non-inverted
  Keepalive set (10 sec)
  LCP Open, multilink Open
  Last input 00:00:05, output 00:00:05, output hang never
  Last clearing of "show interface" counters 00:00:01
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     8 packets input, 630 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     7 packets output, 594 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     no alarm present
  Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags

I have a very basic QOS profile to apply on the multilink interface but it keeps telling me there isn't enough bandwidth available - the QOS config does a match on DSCP=EF and then strict priority of 2000. Can you not exceed a strict priority higher than one of the physical interfaces in a multilink bundle??

class-map match-any KCU-Mapleridge-MAP
  match dscp ef
policy-map KCU-Mapleridge
  class KCU-Mapleridge-MAP
    priority 2000

interface Multilink21
 description xxxxxxxxxxxxxxxxxxxxxx
 bandwidth 4608
 ip address xx.xx.xx.217 255.255.255.248
 ppp multilink
 ppp multilink interleave
 multilink-group 21
end

dis1-rtr-pt#conf t
dis1-rtr-pt(config)#interface Multilink 21
dis1-rtr-pt(config-if)#service-policy output KCU-Mapleridge
bandwidth of 2000 kbps is not available (1536).

Appreciate any input...

Paul

From jens.neu at biotronik.com Fri Jan 8 08:04:05 2010
From: jens.neu at biotronik.com (Jens Neu)
Date: Fri, 8 Jan 2010 14:04:05 +0100
Subject: [c-nsp] PXE not working on Cat2948
Message-ID:

Dear all,

I have a Catalyst 2948G which seems to keep PXE boot from working properly. This one Cat2948 is the only Layer 2 device between the DHCP/PXE boot server and the PXE client - both are directly connected and share a /24. PXE boot is not working at all, and DHCP is unbearably slow, for no apparent reason. Both PXE Server and Client(s) are various IBM xSeries using the onboard GBit interfaces.

Now the fun stuff: when I put a second Layer 2 device between the Cat 2948 and the PXE client, it is magically working.
Means: PXE Server -> Cat 2948 -> "some cheap Netgear Office switch" -> PXE Client == works. In fact, any additional Layer 2 device that appears between PXE Client and the Cat 2948 scares the problem away.

Anyone seen this before? Any hints where to start looking? The switch looks as follows:

WS-C2948 Software, Version NmpSW: 8.4(11)GLX
Copyright (c) 1995-2006 by Cisco Systems, Inc.
NMP S/W compiled on Apr 27 2006, 12:46:44
GSP S/W compiled on Apr 27 2006, 11:47:52

System Bootstrap Version: 6.1(4)

Hardware Version: 2.5  Model: WS-C2948  Serial #: JAE061500JB

Mod Port Model               Serial #             Versions
--- ---- ------------------ -------------------- ---------------------------------
1   0    WS-X2948            JAE061500JB          Hw : 2.5
                                                  Gsp: 8.4(11.0)
                                                  Nmp: 8.4(11)GLX
2   50   WS-C2948G           JAE061500JB          Hw : 2.5

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
1      65536K  37349K  28187K  12288K  10648K  1640K   480K  85K   395K

best regards!

Jens Neu

Phone: +49 (0) 30 68905-2412
Mail: jens.neu at biotronik.de

www.biotronik.com

From ianh at ianh.net.au Fri Jan 8 08:24:14 2010
From: ianh at ianh.net.au (Ian Henderson)
Date: Fri, 8 Jan 2010 21:24:14 +0800 (WST)
Subject: [c-nsp] PXE not working on Cat2948
In-Reply-To:
References:
Message-ID:

On Fri, 8 Jan 2010, Jens Neu wrote:

> Anyone seen this before? Any hints where to start looking? The switch
> looks as follows:

Sounds like you need to enable spanning-tree portfast on the interfaces towards the PXE clients. This reduces the link up delay from 50 seconds to about 3. If the switch doesn't forward traffic quickly enough, the NIC may time out and decide PXE is unavailable.

Rgds,

- I.

From gert at greenie.muc.de Fri Jan 8 08:26:19 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 8 Jan 2010 14:26:19 +0100
Subject: [c-nsp] PXE not working on Cat2948
In-Reply-To:
References:
Message-ID: <20100108132619.GY857@greenie.muc.de>

Hi,

On Fri, Jan 08, 2010 at 02:04:05PM +0100, Jens Neu wrote:
> Anyone seen this before? Any hints where to start looking?

spanning-tree portfast

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From steve at ibctech.ca Fri Jan 8 08:30:27 2010
From: steve at ibctech.ca (Steve Bertrand)
Date: Fri, 08 Jan 2010 08:30:27 -0500
Subject: [c-nsp] Subnetting Issue --- help
In-Reply-To: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>
References: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>
Message-ID: <4B473373.4050806@ibctech.ca>

vijay gore wrote:
> Dear All,
> 
> i have one question regarding subneting,
> 
> in my network i have given ip for FastEthernet1 192.168.9.65/27
> 
> this interface is connected to local LAN - in the local machine ip i have
> given 192.168.9.66 TO 192.168.9.75 using subnet /24
> 
> my question is that if there is any problem in using /24 subneting in LOCAL
> LAN, i mean problem link speed issue or any bandwidth issue will happen ??

No link speed or bandwidth issues, but your network will not be able to see anything within the 192.168.9/24 prefix (other than what is within your /27).

All devices within your network will never go to the default gateway to route externally like they should, as all devices will think that the rest of the /24 is internal, rendering the subnet unreachable.

Either render a /24 prefix on the router's fast Ethernet interface, or change the internal hosts to /27 as well.

Steve

From v.jones at networkingunlimited.com Fri Jan 8 08:32:22 2010
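An added example illustrating Steve's answer above (not code from the thread): it takes the router address from the question, 192.168.9.65/27, and applies a host's connected-route decision under the mismatched /24 mask and under the corrected /27, showing which destinations get black-holed and that widening the router to /24 is the other valid fix. The host address 192.168.9.70 and the destinations tested are constructed for illustration.

```python
import ipaddress


def classify(host_if, router_if, dst):
    """How a packet from a host to `dst` fares when the host's mask and the
    router's LAN mask disagree.

    host_if   the host's own address/mask, e.g. "192.168.9.70/24"
    router_if the router's LAN address/mask, e.g. "192.168.9.65/27"
    dst       destination address

    Returns one of:
      "ok-direct"     host ARPs on the LAN and dst really is on this LAN
      "ok-routed"     host sends to its default gateway, which routes it onward
      "black-hole"    host ARPs on the LAN but dst is not there (the /24-vs-/27 case)
      "wrong-gateway" host sends to the gateway although dst is a LAN neighbour
    """
    host_if = ipaddress.ip_interface(host_if)
    router_if = ipaddress.ip_interface(router_if)
    dst = ipaddress.ip_address(dst)
    host_thinks_local = dst in host_if.network    # the host's connected-route decision
    really_local = dst in router_if.network       # what is actually on the wire
    if host_thinks_local and really_local:
        return "ok-direct"
    if host_thinks_local:
        return "black-hole"
    if really_local:
        return "wrong-gateway"
    return "ok-routed"


def compare_masks(host_addr, router_if, destinations):
    """Evaluate each destination for a host at host_addr, first with the
    mismatched /24 mask from the thread and then with the router's /27.
    Returns {destination: (result_with_24, result_with_27)}."""
    return {
        d: (classify(f"{host_addr}/24", router_if, d),
            classify(f"{host_addr}/27", router_if, d))
        for d in destinations
    }


if __name__ == "__main__":
    # Router FastEthernet1 as in the thread; destinations are constructed:
    # a LAN neighbour, an address in the rest of the /24, and a remote host.
    report = compare_masks("192.168.9.70", "192.168.9.65/27",
                           ["192.168.9.75", "192.168.9.100", "10.0.0.1"])
    for d, (with_24, with_27) in report.items():
        print(f"{d:15}  host /24: {with_24:13}  host /27: {with_27}")
    # Steve's other fix: make the router interface /24 as well.
    print("router /24 ->", classify("192.168.9.70/24", "192.168.9.65/24", "192.168.9.100"))
```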
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Fri, 08 Jan 2010 08:32:22 -0500
Subject: [c-nsp] Need some advice on ISP failover for an enterprise
In-Reply-To:
References:
Message-ID: <1262957542.11618.12.camel@X61.NetworkingUnlimited.nul>

Given that the majority of your failures will be in the "last mile," if you do not have physical link diversity, adding a second link will typically only provide a small improvement in availability. Beyond that, your key concerns are complexity, cost and future growth.

If you pick option 3 and you need to tunnel for security purposes, think through how you plan to deal with the reduced MTU of the tunnel. Depending on your server requirements, the cleanest approach is often to just reduce the MTU used by the server to match the tunnel, even though it is smaller than what you could use under normal circumstances.

Also keep track of traffic so that when the backup link is put to use, you don't discover the hard way that traffic has grown to the point where it won't fit!

Good luck and have fun!
-- 
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com

On Fri, 2010-01-08 at 14:25 +0530, Andrew Gabriel wrote:
> Hi,
> 
> We have servers at two of our large locations in a single country that need
> to be reached from the Internet. Both locations each have a single 45 M ISP
> link, and also have internal connectivity with each other through multiple
> private links. The private WAN connecting the two locations has plenty of
> bandwidth and the latency is less than 40 ms between the two sites.
> 
> We have our own registered ASN and public IP ranges. We have multi-homed ISP
> links at several other locations but not at these two locations. Also, both
> locations are partly ready for multi-homing in that they already use our own
> IP range and run BGP to the provider using our ASN.
> 
> We have been asked to implement failover, for both the locations. The
> options we are considering are:
> 
> 1. Traditional multi-homing by adding a second ISP at each location.
> 2. Buying a leased line to connect the CER at both locations and letting
> the incoming traffic for either location transit over that line to provide
> failover when one site's ISP goes down. This link would terminate on the
> 'dirty' side of our firewall and not have anything to do with the internal
> WAN.
> 3. Setting up a VPN-type tunnel between the ISP routers at both sites
> that would be routed over our internal WAN. This is similar to option 2 but
> doesn't involve any extra cost.
> 
> Obviously we would prefer option 1 as it is simplest and safest to set up,
> and we already have experience with that type of setup, however we have been
> asked to look at cheaper options due to budget constraints, hence wanted some
> advice on the other options, do you think they could work well, any
> potential issues we should look out for, or should we even be considering
> them?
> 
> Regards,
> Andrew Gabriel.
> Network Engineer,
> Enterprise Data Services.
> +91 44 42 22 88 75 (Direct)
> +91 98 41 41 40 19 (Mobile)
> www.sanmina-sci.com
> Sanmina-SCI India Pvt. Ltd.
> A51, 2nd Avenue, Anna Nagar,
> Chennai - 600 102, INDIA.

From v.jones at networkingunlimited.com Fri Jan 8 08:37:11 2010
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Fri, 08 Jan 2010 08:37:11 -0500
Subject: [c-nsp] Subnetting Issue --- help
In-Reply-To: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>
References: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>
Message-ID: <1262957831.11618.13.camel@X61.NetworkingUnlimited.nul>

This reads like a homework assignment. Look up the use of the "all zeroes" and "all ones" subnets.

On Fri, 2010-01-08 at 17:15 +0530, vijay gore wrote:
> Dear All,
> 
> i have one question regarding subnetting,
> 
> in my network i have given ip for FastEthernet1 192.168.9.65/27
> 
> this interface is connected to local LAN - in the local machine ip i have
> given 192.168.9.66 TO 192.168.9.75 using subnet /24
> 
> my question is that if there is any problem in using /24 subnetting in LOCAL
> LAN, i mean problem link speed issue or any bandwidth issue will happen ??
> 
> please help.

From jens.neu at biotronik.com Fri Jan 8 08:49:29 2010
From: jens.neu at biotronik.com (Jens Neu)
Date: Fri, 8 Jan 2010 14:49:29 +0100
Subject: [c-nsp] PXE not working on Cat2948
In-Reply-To: <20100108132619.GY857@greenie.muc.de>
References: <20100108132619.GY857@greenie.muc.de>
Message-ID:

> spanning-tree portfast

Thank you all, I'm going to update my STP knowledge :)

regards

Jens Neu

Phone: +49 (0) 30 68905-2412
Mail: jens.neu at biotronik.de

Gert Doering
01/08/2010 02:26 PM

To      Jens Neu
cc      cisco-nsp at puck.nether.net
Subject Re: [c-nsp] PXE not working on Cat2948

Hi,

On Fri, Jan 08, 2010 at 02:04:05PM +0100, Jens Neu wrote:
> Anyone seen this before? Any hints where to start looking?

spanning-tree portfast

gert

www.biotronik.com

From rbf+cisco-nsp at panix.com Fri Jan 8 08:59:36 2010
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Fri, 8 Jan 2010 07:59:36 -0600
Subject: [c-nsp] IRB and channel-group help needed
In-Reply-To: <201001071429.57202.mulitskiy@acedsl.com>
References: <4B45D00D.9E6F.00B8.0@dps.k12.oh.us> <201001071429.57202.mulitskiy@acedsl.com>
Message-ID: <20100108135936.GA20328@panix.com>

On Thu, Jan 07, 2010 at 02:29:57PM -0500, Michael Ulitskiy wrote:
> I have it working exactly this way. my IOS is 12.1(26)E7
> the only special thing I remember about it is that if you want to spread port-channels across the
> different cards then those cards must be the same (or compatible). For example you can't have port-channel
> over ports on GE card and Enhanced GE card or between card with ACL daughter card and without it.
> 
> Michael
> 
> On Thursday 07 January 2010 12:12:11 pm Steven Pfister wrote:
> > I've got a 8540 switch running 12.1(20)E set up with IRB and I've
> > got two interfaces I'm looking at:
> > 
> > interface GigabitEthernet0/0/3
> >  no ip address
> >  no ip redirects
> > !
> > interface GigabitEthernet0/0/3.1
> >  description Native VLAN
> >  encapsulation dot1Q 1 native
> >  no ip redirects
> > !
> > interface GigabitEthernet0/0/3.99
> >  encapsulation dot1Q 99
> >  no ip redirects
> >  no cdp enable
> >  bridge-group 99
> > 
> > The other interface is Gigabit0/0/4 and is set up the exact same
> > way. I'd like to be able to set up a channel group for those two
> > interfaces. I set up the port channel like:
> > 
> > interface Port-channel1
> >  no ip address
> >  hold-queue 300 in
> > !
> > interface Port-channel1.1
> >  encapsulation dot1Q 1 native
> >  no ip redirects
> > !
> > interface Port-channel1.99
> >  encapsulation dot1Q 99
> >  no ip redirects
> >  bridge-group 99
> > 
> > But if I apply it to one of the interfaces, I get an error: "Error: Interface has sub-interface configured". I can take the subinterfaces off temporarily and set up the channel-group, but if I try and re-add the subinterfaces, I can't do that.
> > Is this something that is possible? If so, what am I missing?

I'm not completely clear on what is being attempted here, but if the goal is just to have a portchannel with 802.1q subinterfaces, you don't configure the subinterfaces on the physical interface, just the port-channel. So in the config, the following interfaces should exist:

Gi0/0/3
Gi0/0/4
Po1
Po1.1
Po1.99

 -- Brett

From erik at infopact.nl Fri Jan 8 08:23:37 2010
From: erik at infopact.nl (E. Versaevel)
Date: Fri, 08 Jan 2010 14:23:37 +0100
Subject: [c-nsp] PXE not working on Cat2948
In-Reply-To:
References:
Message-ID: <4B4731D9.7030907@infopact.nl>

Sounds like a spanning-tree port enable delay issue; try using spanning-tree portfast on the PXE client port.

On 8-1-2010 14:04, Jens Neu wrote:
> Dear all,
> 
> I have a Catalyst 2948G which seems to keep PXE boot from working
> properly. This one Cat2948 is the only Layer 2 device between the DHCP/PXE
> boot server and the PXE client - both are directly connected and share a
> /24. PXE boot is not working at all, and DHCP is unbearably slow, for no
> apparent reason. Both PXE Server and Client(s) are various IBM xSeries
> using the onboard GBit interfaces.
> Now the fun stuff: when I put a second Layer 2 device between the Cat 2948
> and the PXE client, it is magically working.
> Means: PXE Server -> Cat 2948 -> "some cheap Netgear Office switch" -> PXE
> Client == works. In fact, any additional Layer 2 device that appears
> between PXE Client and the Cat 2948 scares the problem away.
> 
> Anyone seen this before? Any hints where to start looking? The switch
> looks as follows:
> 
> WS-C2948 Software, Version NmpSW: 8.4(11)GLX
> Copyright (c) 1995-2006 by Cisco Systems, Inc.
> NMP S/W compiled on Apr 27 2006, 12:46:44
> GSP S/W compiled on Apr 27 2006, 11:47:52
> 
> System Bootstrap Version: 6.1(4)
> 
> Hardware Version: 2.5  Model: WS-C2948  Serial #: JAE061500JB
> 
> Mod Port Model               Serial #             Versions
> --- ---- ------------------ -------------------- ---------------------------------
> 1   0    WS-X2948            JAE061500JB          Hw : 2.5
>                                                   Gsp: 8.4(11.0)
>                                                   Nmp: 8.4(11)GLX
> 2   50   WS-C2948G           JAE061500JB          Hw : 2.5
> 
>        DRAM                    FLASH                   NVRAM
> Module Total   Used    Free    Total   Used    Free    Total Used  Free
> ------ ------- ------- ------- ------- ------- ------- ----- ----- -----
> 1      65536K  37349K  28187K  12288K  10648K  1640K   480K  85K   395K
> 
> best regards!
> 
> Jens Neu
> 
> Phone: +49 (0) 30 68905-2412
> Mail: jens.neu at biotronik.de
> 
> www.biotronik.com

Erik Versaevel

From alex at digriz.org.uk Fri Jan 8 08:50:38 2010
From: alex at digriz.org.uk (Alexander Clouter)
Date: Fri, 8 Jan 2010 13:50:38 +0000
Subject: [c-nsp] PXE not working on Cat2948
References:
Message-ID:

Jens Neu wrote:
> 
> I have a Catalyst 2948G which seems to keep PXE boot from working
> properly. This one Cat2948 is the only Layer 2 device between the DHCP/PXE
> boot server and the PXE client - both are directly connected and share a
> /24. PXE boot is not working at all, and DHCP is unbearably slow, for no
> apparent reason. Both PXE Server and Client(s) are various IBM xSeries
> using the onboard GBit interfaces.
> Now the fun stuff: when I put a second Layer 2 device between the Cat 2948
> and the PXE client, it is magically working.
> Means: PXE Server -> Cat 2948 -> "some cheap Netgear Office switch" -> PXE
> Client == works. In fact, any additional Layer 2 device that appears
> between PXE Client and the Cat 2948 scares the problem away.
> 
> Anyone seen this before? Any hints where to start looking? The switch
> looks as follows:
> 
.....'spanning-tree portfast default'?

The PXE times out before the STP action has finished and the port is in blocking mode for the duration. You should also consider 'spanning-tree portfast bpduguard/filter default' too.

Cheers

-- 
Alexander Clouter
.sigmonster says: That's what she said.

From mcgrath at fas.harvard.edu Fri Jan 8 09:17:02 2010
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Fri, 8 Jan 2010 09:17:02 -0500
Subject: [c-nsp] NPE-G1 cant read Compact Flash
In-Reply-To: <4B339C0D.5060906@ttec.com>
References: <4B338D47.3030705@ttec.com> <4B3398D3.9000302@kenweb.org> <4B339C0D.5060906@ttec.com>
Message-ID: <4B473E5E.3000309@fas.harvard.edu>

Cisco on the older boxes used a non-FAT flash file system; the key is whether the flash is referred to as slotX or diskX. If the nomenclature is slotX it uses a proprietary disk format which cannot be read by an external reader.

To format a CF card for use with the older system:

format slot0:

Joe Maimon wrote:
> ML wrote:
> 
>> Are the alternate CF cards formatted correctly for your platform?
> 
> Probably. However, IOS doesn't seem to think there is any card there or
> worse, it hangs upon insert.
> 
>> The original CF card may have gone bad but if you're sure the other CF
>> cards are OK then they may be formatted wrong.
> 
> The card is fine, tested in external reader. They are all fine.
> 
> Thanks.

From jmaimon at ttec.com Fri Jan 8 11:37:51 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Fri, 08 Jan 2010 11:37:51 -0500
Subject: [c-nsp] NPE-G1 cant read Compact Flash
In-Reply-To: <4B473E5E.3000309@fas.harvard.edu>
References: <4B338D47.3030705@ttec.com> <4B3398D3.9000302@kenweb.org> <4B339C0D.5060906@ttec.com> <4B473E5E.3000309@fas.harvard.edu>
Message-ID: <4B475F5F.30108@ttec.com>

http://en.wikipedia.org/wiki/Linear_Flash

To work around the original issue, an IO Controller was installed, which works very nicely. Only downside is having different serial/aux ports.

nvram stays the same.
bootflash stays the same.
slot[01]/disk[01] become available
more ethernet ports become available

No bandwidth points are consumed so nothing needs to change slots. Not a bad arrangement.

Interestingly enough, we did see an issue with a variant of CF flash that caused the boothelper, an older 12.3 image, to crash while booting with that CF in the IO controller, even as a fully booted IOS had no issue reading, writing, formatting it. A slightly older CF worked fine. An upgraded boothelper probably would have also solved the issue.

The CF slot on the NPE-G1 (disk2:) seems to be toast.

Joe

Scott McGrath wrote:
> Cisco on the older boxes used a non-FAT flash file system the key is
> whether the flash is referred to as slotX or diskX. if the nomenclature
> is slotX it uses a proprietary disk format which cannot be read by an
> external reader.
> 
> to format CF card for use with older system
> 
> format slot0:
> 
> 
> 
> Joe Maimon wrote:
>> ML wrote:
>> 
>>> Are the alternate CF cards formatted correctly for your platform?
>> 
>> Probably. However, IOS doesnt seem to think there is any card there or
>> worse, it hangs upon insert.
>> 
>>> The original CF card may have gone bad but if you're sure the other CF
>>> cards are OK then they may be formatted wrong.
>> 
>> The card is fine, tested in external reader. They are all fine.
>> 
>> Thanks.

From coloccia at geneseo.edu Fri Jan 8 10:52:25 2010
From: coloccia at geneseo.edu (Rick Coloccia) Date: Fri, 08 Jan 2010 10:52:25 -0500 Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap In-Reply-To: <4B4642B5.70501@gmail.com> References: <4B4642B5.70501@gmail.com> Message-ID: <4B4754B9.3050000@geneseo.edu> I've run into flapping issues when adding a vlan if the vlan wasn't present upstream. I don't know if this is your case, but in my case, I had two 6500 cores each attached to the same 3750. port channels and spanning tree in place. When I added a vlan to an interface on one core, the spanning tree went nuts because the vlan wasn't present everywhere it should have been. My suggestion, then, is be sure the vlan you're adding is everywhere it needs to me. I would have sworn I had my vlan everywhere, but I didn't, I'd missed in 1 place, so give it a look...... -Rick Jared Gillis wrote: > Hi all, > > I just ran into a strange problem on a 3750ME. I've got two gig ports in an active LACP port-channel looking like this: > > interface GigabitEthernet1/0/1 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > speed 1000 > duplex full > channel-group 1 mode active > end > > interface GigabitEthernet1/0/2 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > speed 1000 > duplex full > channel-group 1 mode active > end > > interface Port-channel1 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > end > > When I added vlan 400 to the trunk allowed vlan list, one of the underlying gig ports flapped, which caused the port-channel to flap as well. 
> Jan 7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
> Jan 7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
> Jan 7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to down
> Jan 7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
> Jan 7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
> Jan 7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
> Jan 7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan400, changed state to up
>
> This definitely seems like something that should not happen. I'm running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2).
> Any thoughts on what I should be checking?
>
> --Jared

-- 
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577 F: 585-245-5579
CIT will never ask for your password or other confidential information via email.

From zoe-nsp at complicity.co.uk Fri Jan 8 11:58:01 2010
From: zoe-nsp at complicity.co.uk (Zoe O'Connell)
Date: Fri, 08 Jan 2010 16:58:01 +0000
Subject: [c-nsp] Data Center cooling
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
Message-ID: <4B476419.5040609@complicity.co.uk>

Michael K. Smith - Adhost wrote:
> We are in Seattle and use an air-exchanger system that relies on outside air as much as possible, and then blends in chilled water as necessary up to 100% chilled. It's fairly common here because of the nature of our climate, and the psychrometric scale (http://en.wikipedia.org/wiki/Psychrometrics) is favorable for us.
>
> We've also looked at increasing our data center temps from 68F/20C to closer to 78F/25.56C (hi Gert), but our marketing folks have been the most resistant because of the prevailing expectation that colder is better. There is some good research and testing being done by Microsoft, Intel and Google in this arena, but I don't think enough has been published yet to give that calming feeling to the marketing folks. I would imagine, however, that we will see increasing data center temperatures more and more in the coming years.

This also depends on how well you're circulating the air within your data centre - having air at 25°C is fine as long as all that air actually reaches the things it needs to cool. If it's been mixed in with enough hot air by the time it's got to the top of the rack at the far end of each row however, you're going to run into trouble.

Closer to the original topic, I do recall seeing a TV programme some time in the last few years that mentioned cooling the computer room at some Antarctic science base and they did still have to use compressors etc as it was easier than trying to make the outside air suitable, although I forget the details.
(I suppose, at least, you could dump the warm air into the rest of the base but I seem to recall the computers were in a separate hut/building)

From jmaimon at ttec.com Fri Jan 8 12:15:38 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Fri, 08 Jan 2010 12:15:38 -0500
Subject: [c-nsp] spanning-tree bpdufilter leaks
In-Reply-To: <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com>
References: <4B469FB7.6050208@ttec.com> <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com>
Message-ID: <4B47683A.6000405@ttec.com>

Marko Milivojevic wrote:
> On Fri, Jan 8, 2010 at 04:00, Joe Maimon wrote:
>>
>> Apparently, bpdufilter leaks sometimes on some switches, and I have
>> the packet traces to prove it. The switches are probably not supported,
>> so replacements are likely in order.
>
> Did you have it enabled globally for portfast enabled interfaces or

No

> individually on each interface?

Yes

> If it was the first option, did you
> have portfast enabled globally,

No

> or again, per interface?

Yes, but not on the same interfaces.

Thanks for the reply.

Joe

From jmaimon at ttec.com Fri Jan 8 12:16:41 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Fri, 08 Jan 2010 12:16:41 -0500
Subject: [c-nsp] spanning-tree bpdufilter leaks
In-Reply-To: <6069A203FD01884885C037F81DD750801742DA107A@wsc-mail-01.intra.nwresd.k12.or.us>
References: <4B469FB7.6050208@ttec.com> <6069A203FD01884885C037F81DD750801742DA107A@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <4B476879.2070802@ttec.com>

Bill Blackford wrote:
> Do you have any details?
> Models? Code vers?
>
> -b

3524XL, 12.0(5)WC17

From jeff-kell at utc.edu Fri Jan 8 12:18:39 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 08 Jan 2010 12:18:39 -0500
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
In-Reply-To:
References: <4B4642B5.70501@gmail.com>
Message-ID: <4B4768EF.9020909@utc.edu>

On 1/7/2010 7:06 PM, Tom Lanyon wrote:
> I've run into the same problem on our 3750Gs and 3750Es (running 12.2(46)SE) with no solution so far.
>
> The log on our switches indicates that it's due to the config for the Port-Channel being different than the underlying Gix/y/z interfaces, which is not allowed, so it shuts the etherchannel down. I tried to work around this by adding the VLAN to all ports at once, eg:
> conf t
> int ran gi1/0/1, gi1/0/2, po1
> sw trunk allowed vlan add 400
>

For vlan changes on port channels, I've always used just the port-channel configuration (e.g., int portch1) and applying vlan adjustments there, which IOS appears to propagate to the active member configurations, provided of course the port channel is up. We do this "a lot" across a broad range of Catalysts (no MEs though) with no issues.

If you change an individual member characteristic, it will indeed break the interfaces out of the port-channel and bounce.

Jeff

From BBlackford at nwresd.k12.or.us Fri Jan 8 12:35:56 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Fri, 8 Jan 2010 09:35:56 -0800
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
In-Reply-To: <4B4768EF.9020909@utc.edu>
References: <4B4642B5.70501@gmail.com> <4B4768EF.9020909@utc.edu>
Message-ID: <6069A203FD01884885C037F81DD750801742DA107E@wsc-mail-01.intra.nwresd.k12.or.us>

It does this on cat6.5k/sup720 for sure. I don't recollect if the propagation occurs the same on 3560/3750's.

-b

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
Sent: Friday, January 08, 2010 9:19 AM
To: Tom Lanyon
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap

On 1/7/2010 7:06 PM, Tom Lanyon wrote:
> I've run into the same problem on our 3750Gs and 3750Es (running 12.2(46)SE) with no solution so far.
>
> The log on our switches indicates that it's due to the config for the Port-Channel being different than the underlying Gix/y/z interfaces, which is not allowed, so it shuts the etherchannel down. I tried to work around this by adding the VLAN to all ports at once, eg:
> conf t
> int ran gi1/0/1, gi1/0/2, po1
> sw trunk allowed vlan add 400
>

For vlan changes on port channels, I've always used just the port-channel configuration (e.g., int portch1) and applying vlan adjustments there, which IOS appears to propagate to the active member configurations, provided of course the port channel is up. We do this "a lot" across a broad range of Catalysts (no MEs though) with no issues.

If you change an individual member characteristic, it will indeed break the interfaces out of the port-channel and bounce.

Jeff

From jmaimon at ttec.com Fri Jan 8 12:59:13 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Fri, 08 Jan 2010 12:59:13 -0500
Subject: [c-nsp] spanning-tree bpdufilter leaks
In-Reply-To: <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com>
References: <4B469FB7.6050208@ttec.com> <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com>
Message-ID: <4B477271.9060408@ttec.com>

Marko Milivojevic wrote:
> On Fri, Jan 8, 2010 at 04:00, Joe Maimon wrote:
>>
>> Apparently, bpdufilter leaks sometimes on some switches, and I have
>> the packet traces to prove it. The switches are probably not supported,
>> so replacements are likely in order.

To clarify, it only leaks occasionally, the capture suggests once per reload or otherwise perhaps every couple days.

From jeff-kell at utc.edu Fri Jan 8 13:00:45 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 08 Jan 2010 13:00:45 -0500
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
In-Reply-To: <6069A203FD01884885C037F81DD750801742DA107E@wsc-mail-01.intra.nwresd.k12.or.us>
References: <4B4642B5.70501@gmail.com> <4B4768EF.9020909@utc.edu> <6069A203FD01884885C037F81DD750801742DA107E@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <4B4772CD.2050409@utc.edu>

On 1/8/2010 12:35 PM, Bill Blackford wrote:
> It does this on cat6.5k/sup720 for sure. I don't recollect if the propagation occurs the same on 3560/3750's.
>

I can verify that 3550, 3560, 3750, 3750E, 4500 SupIV, 6500 Sup2/Sup720 all propagate to the members when the associated port-channel is changed. Interface specific characteristics (e.g., channel-group x mode) are not and can't be used in the port-channel configuration context.

Jeff

From ip at ioshints.info Fri Jan 8 13:26:12 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Fri, 8 Jan 2010 19:26:12 +0100
Subject: [c-nsp] customizing snmp-traps (interface description as well as physical name)
In-Reply-To: <4B467FB0.4000904@rainierconnect.net>
References: <4B467FB0.4000904@rainierconnect.net>
Message-ID: <00d101ca9090$0f321030$2d963090$@info>

Solution#1 (ugly): syslog messages can be sent as SNMP traps. You'll get the whole syslog message on your NMS.

Solution#2: use EEM to match syslog UP/DOWN messages, extract interface description and generate a custom SNMP trap. You can do it with EEM applets if your IOS supports EEM 3.0 (12.4(late)T, 12.5, 12.2SRE), otherwise you have to use a Tcl EEM policy (pre-EEM 3.0 applets are too dumb).

These posts could be useful:

http://blog.ioshints.info/2009/12/send-snmp-trap-from-eem-applet.html
http://blog.ioshints.info/2009/10/report-interface-loss-based-on-ospf.html

You can generate custom SNMP trap from an EEM applet with "action snmp-trap" command (I haven't covered that one yet in my blog).

Hope it helps
Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> -----Original Message-----
> From: Walter Keen [mailto:walter.keen at RainierConnect.net]
> Sent: Friday, January 08, 2010 1:43 AM
> To: 'Cisco-nsp'
> Subject: [c-nsp] customizing snmp-traps (interface description as well as physical name)
>
> Is customizing snmp-traps possible through rmon or some other means so that the delivered message not only has the physical name (gi0/1, etc) but also the description of that port as named in the interface config? Dealing mostly with 2960's and 7600's, and trying to figure out if this is possible.
> Even if I have to specify an rmon entry per physical interface, I'm dealing with small enough numbers that would work.
> Something like ' is ' or similar would be ideal.
>
> Going to want to have this for link up/down initially, and then also setup some traps for taking on interface errors, etc.
>
> --
>
> Walter Keen
> Network Technician
> Rainier Connect
>

From andrew.gabriel at sanmina-sci.com Fri Jan 8 14:42:04 2010
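Collector-side logic for two of the threads above, added here as an example and not written by any list participant: it parses the LINK/LINEPROTO UPDOWN syslog lines Jared Gillis quoted in the port-channel thread, attaches the interface description Walter Keen wants in his traps (the parse-on-the-NMS route of Ivan's Solution#1), and flags a port-channel that went down right after one of its members did. The description map and the membership table are constructed assumptions, as are the function names.

```python
"""Collector-side handling of Cisco IOS link-state syslog messages.

Added example (not from any list participant). It parses the LINK /
LINEPROTO UPDOWN lines quoted in the port-channel flap thread, attaches
the interface description an NMS would want in the resulting trap, and
flags a port-channel going down right after one of its members did.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Sample input: the log lines quoted by Jared Gillis in the thread.
SAMPLE_LOG = """\
Jan 7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Jan 7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
Jan 7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to down
Jan 7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Jan 7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
Jan 7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
Jan 7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan400, changed state to up
"""

# Constructed, hypothetical interface descriptions (what the interface
# config would carry); a real collector would pull these via SNMP ifAlias.
DESCRIPTIONS: Dict[str, str] = {
    "GigabitEthernet1/0/1": "uplink-to-core-A",
    "GigabitEthernet1/0/2": "uplink-to-core-B",
    "Port-channel1": "LACP bundle to core",
}

# Bundle membership taken from the quoted interface configs
# (channel-group 1 mode active on both gig ports).
MEMBERS: Dict[str, Set[str]] = {
    "Port-channel1": {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"},
}

# IOS format: "<Mon> <d> <hh:mm:ss.mmm> <TZ>: %FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d{3})\s+\S+:\s+"
    r"%(?P<mnemonic>LINK-3-UPDOWN|LINEPROTO-5-UPDOWN):\s+"
    r"(?:Line protocol on )?Interface (?P<ifname>\S+), "
    r"changed state to (?P<state>up|down)$"
)


@dataclass
class LinkEvent:
    ts: datetime
    mnemonic: str
    ifname: str
    state: str


def parse_line(line: str) -> Optional[LinkEvent]:
    """Return a LinkEvent for an UPDOWN line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # IOS timestamps carry no year; strptime fills in 1900, which is
    # harmless because only deltas within one log are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
    return LinkEvent(ts, m.group("mnemonic"), m.group("ifname"), m.group("state"))


def parse_log(text: str) -> List[LinkEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def describe(ev: LinkEvent, descriptions: Dict[str, str] = DESCRIPTIONS) -> str:
    """Notification text carrying both the physical name and the description,
    the enrichment the snmp-trap thread asks for."""
    desc = descriptions.get(ev.ifname, "no description")
    return f"{ev.ifname} ({desc}) changed state to {ev.state}"


def member_induced_flaps(
    events: List[LinkEvent],
    members: Dict[str, Set[str]] = MEMBERS,
    window_s: float = 2.0,
) -> List[Tuple[str, str, float]]:
    """Pair each port-channel line-protocol 'down' with a member 'down' that
    preceded it by at most window_s seconds; that pairing is the signature
    of the flap described in the thread."""
    downs = [e for e in events
             if e.mnemonic == "LINEPROTO-5-UPDOWN" and e.state == "down"]
    found: List[Tuple[str, str, float]] = []
    for po in downs:
        for mem in downs:
            if mem.ifname not in members.get(po.ifname, set()):
                continue
            delta = (po.ts - mem.ts).total_seconds()
            if 0 <= delta <= window_s:
                found.append((po.ifname, mem.ifname, delta))
    return found


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev.ts.strftime("%b %d %H:%M:%S.%f")[:-3], describe(ev))
    for po, mem, delta in member_induced_flaps(events):
        print(f"{po} went down {delta:.3f}s after member {mem}")
```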
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel)
Date: Sat, 9 Jan 2010 01:12:04 +0530
Subject: [c-nsp] Need some advice on ISP failover for an enterprise
In-Reply-To: <1262957542.11618.12.camel@X61.NetworkingUnlimited.nul>
References: <1262957542.11618.12.camel@X61.NetworkingUnlimited.nul>
Message-ID:

Good points, thanks for sharing.

Regards,
Andrew Gabriel.

On Fri, Jan 8, 2010 at 7:02 PM, Vincent C Jones <v.jones at networkingunlimited.com> wrote:
> Given that the majority of your failures will be in the "last mile," if you do not have physical link diversity, adding a second link will typically only provide a small improvement in availability. Beyond that, your key concerns are complexity, cost and future growth.
>
> If you pick option 3 and you need to tunnel for security purposes, think through how you plan to deal with the reduced MTU of the tunnel. Depending on your server requirements, the cleanest approach is often to just reduce the MTU used by the server to match the tunnel, even though it is smaller than what you could use under normal circumstances. Also keep track of traffic so that when the backup link is put to use, you don't discover the hard way that traffic has grown to the point where it won't fit!
>
> Good luck and have fun!
> --
> Vincent C. Jones
> Networking Unlimited, Inc.
> Phone: +1 201 568-7810
> V.Jones at NetworkingUnlimited.com
>
>
> On Fri, 2010-01-08 at 14:25 +0530, Andrew Gabriel wrote:
> > Hi,
> >
> > We have servers at two of our large locations in a single country that need to be reached from the Internet. Both locations each have a single 45 M ISP link, and also have internal connectivity with each other through multiple private links. The private WAN connecting the two locations has plenty of bandwidth and the latency is less than 40 ms between the two sites.
> >
> > We have our own registered ASN and public IP ranges.
> > We have multi-homed ISP links at several other locations but not at these two locations. Also, both locations are partly ready for multi-homing in that they already use our own IP range and run BGP to the provider using our ASN.
> >
> > We have been asked to implement failover, for both the locations. The options we are considering are:
> >
> > 1. Traditional multi-homing by adding a second ISP at each location.
> > 2. Buying a leased line to connect the CER at both locations and letting the incoming traffic for either location transit over that line to provide failover when one site's ISP goes down. This link would terminate on the 'dirty' side of our firewall and not have anything to do with the internal WAN.
> > 3. Setting up a VPN-type tunnel between the ISP routers at both sites that would be routed over our internal WAN. This is similar to option 2 but doesn't involve any extra cost.
> >
> > Obviously we would prefer option 1 as it is simplest and safest to set up, and we already have experience with that type of setup, however we have been asked to look at cheaper options due to budget constraints, hence wanted some advice on the other options, do you think they could work well, any potential issues we should look out for, or should we even be considering them?
> >
> > Regards,
> > Andrew Gabriel.
> > Network Engineer,
> > Enterprise Data Services.
> > +91 44 42 22 88 75 (Direct)
> > +91 98 41 41 40 19 (Mobile)
> > www.sanmina-sci.com
> > Sanmina-SCI India Pvt. Ltd.
> > A51, 2nd Avenue, Anna Nagar,
> > Chennai - 600 102, INDIA.
> >
> > CONFIDENTIALITY
> > This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information.
> > If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> >
> > ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
>

From jp at saucer.midcoast.com Fri Jan 8 14:49:05 2010
From: jp at saucer.midcoast.com (jp)
Date: Fri, 8 Jan 2010 14:49:05 -0500
Subject: [c-nsp] Data Center cooling
In-Reply-To: <4B460CC9.5010503@opus1.com>
References: <4B460CC9.5010503@opus1.com>
Message-ID: <20100108194903.GA25109@saucer.midcoast.com>

On Thu, Jan 07, 2010 at 09:33:13AM -0700, Joel Snyder wrote:
> > Has anyone looked at using outside air to provide data center cooling during the winter season ? I am aware of Google and Intel research into this area but how about on a smaller scale ? How about raising ambient temperatures as well - do you keep your data centers at 65 or 80 ?
>
> We do this and we have had mixed success. We have Liebert A/C units which have something they call an "economizer." Essentially, when the outside temperature falls below a certain point as measured by a simple thermostat, the A/C unit moves a damper and instead of sucking hot air from the room to cool, it sucks cold air from the outside, filters it, and blows it in. At the same time, it turns off the compressor (because the air is, in theory, already cold).

That's a good description of it. The compressor goes off so it will not ice up. If the coils are compressor-cooled AND taking in fresh damp air, it can ice up really good. We had the damper get stuck once and cause that. We have more than one A/C unit, so one damper failing and messing up the A/C isn't the end of the world.

We have 2 A/C systems. The addition of the economizers meant two good sized insulated ducts going from the air handlers to vent grates on the end of the building about 10' off the ground. There is also an exit louver in the hot section to allow efficient pumping of air without over-pressurization.

We use an economizer. 44N latitude in Maine. Saves us good cooling money from mid November till April by not running the compressors. We see it looking at the power bills year round. Your climate description doesn't sound like an ideal place to really see the benefits of it.
If you adjust the switchover temperature conservatively for the low side, you don't really have to worry about fiddling with it. It will of course vary for different locations, loads, building insulation, etc. We have ours set to switch at 48f, but could switch at a higher temp if we had a lesser load. We keep the space at 72f. We use 1-wire sensors to monitor temperature.

> In the sales presentations and talking to A/C gurus, it all sounded very smart and economical, but we've found that the actual management of the damper and the temperature that it shifts are very delicate settings. Depending on the time of the day (i.e., is there sunlight on that side of the building or not?) and the season of the year (i.e., is this just a little cold snap or an extended period?), as well as the outside humidity level (is it very different from the humidity in the room or not?), the temperature has to be adjusted a bit in each direction. Our units don't have a computer control for that, so that means someone goes out every few weeks with a screwdriver and manually fiddles the economizer thermostat settings.
>
> We can compensate a bit on the computer control side by changing the system thermostat around a few degrees, but there is no direct linkage between the economizer part of the system--it's completely independent, essentially an add-on--and the rest of the cooling system.
>
> I honestly can't tell whether we are saving any money on this or not, but for our latitude and climate, I would not recommend it to anyone else. We have had to replace the thermostats and damper controllers, and that eats up $300 to $500 for every service call. Plus, while we were learning about it, we had some midnight room-got-too-hot moments, which also cost us.
>
> I think that if you lived someplace where it was in the 5C/40F range or below day-round for weeks at a time, this would probably work (assuming that you have physical ability to install this kind of unit). In our climate, where it is 5C/40F for 8 hours at night and 20C/70F the rest of the day, for our 3 month winter, it was probably not the right decision.
>
> jms
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Senior Partner, Opus One Phone: +1 520 324 0494
> jms at Opus1.COM http://www.opus1.com/jms

-- 
/* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
   KB1IOJ          | Broadband Internet Access, Dialup, and Hosting
   http://f64.nu/  | for Midcoast Maine http://www.midcoast.com/ */

From cnsp at shreddedmail.com Fri Jan 8 15:44:55 2010
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Fri, 8 Jan 2010 12:44:55 -0800
Subject: [c-nsp] Difference in OSPF maximum-paths - operational problem?
Message-ID:

I have several generations of Cisco equipment in my network, and am in the middle of a rolling upgrade. There are currently 3 core routers and all routers in the network use OSPF maximum-paths 6. With an A/B network and 3 cores, this works fine. Some of the equipment is limited to 6 paths, some can handle 8.

If I add the 4th router, I'll have 7 paths (the new cores will be either "A" or "B", not both). Will OSPF just pick 6 of the 7 possible paths, or is something horrible going to happen?

Thanks,
Rick

From ross at kallisti.us Fri Jan 8 15:47:21 2010
From: ross at kallisti.us (Ross Vandegrift)
Date: Fri, 8 Jan 2010 15:47:21 -0500
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <4a80ecce1001061004x26812a49k968ca0d2cd6fda28@mail.gmail.com>
References: <20100106142806.GA16336@kallisti.us> <20100106170553.GA17269@kallisti.us> <4a80ecce1001061004x26812a49k968ca0d2cd6fda28@mail.gmail.com>
Message-ID: <20100108204721.GC1917@kallisti.us>

On Wed, Jan 06, 2010 at 10:04:37AM -0800, Kenny Sallee wrote:
> My .02 is that you should put everything in VRF's (even the global table) and use route-target import/export and import maps (if required) to control routing domains.
>
> Question - can you use 'neighbor allowas-in' instead of as-override? I'm not sure why your BGP AS-PATH was wrong in scenario #3 above - but I'm using that in a very similar scenario in my lab to solve the problem of having the same eBGP AS used at 2 different sites connected to 2 different PE routers. BGP won't advertise a path it receives w/ its own ASN in the path
>
> http://www.cisco.com/en/US/docs/ios/12_3t/mpls/command/reference/mp_n5gt.html#wp1007547

I don't see how allowas-in would help - my ASN doesn't even appear in those routes yet. They come out the other side as eBGP routes with whatever private ASN I used to make the session to eBGP.

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From jp at saucer.midcoast.com Fri Jan 8 15:16:18 2010
From: jp at saucer.midcoast.com (jp)
Date: Fri, 8 Jan 2010 15:16:18 -0500
Subject: [c-nsp] Data Center cooling
In-Reply-To: <20100107185927.GA31395@ovh.net>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan> <20100107185927.GA31395@ovh.net>
Message-ID: <20100108201607.GA29833@saucer.midcoast.com>

Nice set of youtube videos! I like the 4 generator startup "Test de groupes" and the hard drive dominoes.

On Thu, Jan 07, 2010 at 07:59:28PM +0100, oles at ovh.net wrote:
> > I would imagine, however, that we will see increasing data center
> > temperatures more and more in the coming years.
>
> In 2004 & 2007 we developed the EcoDatacenter. 12 months per year, we use only the water & outside air for the cooling on our 70 000 dedicated servers that we host. We are #1 in Europe. Our PUE = 1.12. It means we don't waste the power for the cooling. That is why our prices are cheaper and our customers love it. It's our marketing.
> Some videos:
> http://www.youtube.com/user/OvhComOnVousHeberge

-- 
/* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
   KB1IOJ          | Broadband Internet Access, Dialup, and Hosting
   http://f64.nu/  | for Midcoast Maine http://www.midcoast.com/ */

From devon at noved.org Fri Jan 8 15:01:59 2010
From: devon at noved.org (Devon True)
Date: Fri, 08 Jan 2010 15:01:59 -0500
Subject: [c-nsp] Using Advanced IP vs Advanced Enterprise IOS Image
Message-ID: <4B478F37.9060403@noved.org>

All:

I am looking at upgrading our Cat6500s (Sup720/MSFC3) and we currently run an Advanced Enterprise image. Since we are an IP-only shop, I am looking at using Advanced IP instead, but I didn't know if it brought any advantages or disadvantages. Does it offer any savings in memory or other resources? We have 512MB of flash space, so that is not a concern.

Thanks for any input!

-- 
Devon

From dcp at dcptech.com Fri Jan 8 16:02:33 2010
From: dcp at dcptech.com (David Prall)
Date: Fri, 8 Jan 2010 16:02:33 -0500
Subject: [c-nsp] Difference in OSPF maximum-paths - operational problem?
In-Reply-To:
References:
Message-ID: <003a01ca90a5$f7a01eb0$e6e05c10$@com>

It is my experience that 6 of the 7 will randomly be chosen, each time an SPF run is done a different 6th could be installed. With enough CPU power it shouldn't cause issues, but in the past I've seen routers running close to the limit that cause traffic loss. This was with the default configuration of 4 and having the possibility of 8 though, so we may have been removing all 4 active and replacing them at times. We upped the maximum to 8 and never had the issue again.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Ernst
> Sent: Friday, January 08, 2010 3:45 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Difference in OSPF maximum-paths - operational problem?
>
> I have several generations of Cisco equipment in my network, and am in the middle of a rolling upgrade. There are currently 3 core routers and all routers in the network use OSPF maximum-paths 6. With an A/B network and 3 cores, this works fine. Some of the equipment is limited to 6 paths, some can handle 8.
>
>
> If I add the 4th router, I'll have 7 paths (the new cores will be either "A" or "B", not both). Will OSPF just pick 6 of the 7 possible paths, or is something horrible going to happen?
>
> Thanks,
> Rick

From peter at rathlev.dk Fri Jan 8 16:44:59 2010
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 08 Jan 2010 22:44:59 +0100
Subject: [c-nsp] MPLS TTL exceeded "problems"
Message-ID: <1262987099.20208.27.camel@localhost>

Hi,

We have a (probably common) cosmetic problem regarding MPLS LSRs sending ICMP TTL exceeded along the LSP that carries the traffic.

The "problem" is that when the exit PE receives the packet it doesn't do a RIB lookup (to send the traffic back to the correct recipient) but instead it just uses the "adjacency" from the MPLS forwarding table to send it to the next (non MPLS) device.

Is there any (easy-ish) way to force the exit PE to do a RIB lookup (e.g. using the allocated aggregate label) and send the packet the right way by itself? If so, would there be any significant performance penalty from this on a Sup720/PFC3B?

The reason why it doesn't work now is that the device after the exit PE is a firewall. Specifically FWSM v3.1. It denies the ICMP TTL Exceeded, stating "no matching session" as the reason. When the trace probes have got to the point (TTL wise) where they pass the firewall, all TTL expired replies are accepted and in the end received by the originating client. If there's a way to make a FWSM accept TTL expired like this I'd love to know. (I tried "same-security-traffic permit intra-interface" to defeat the "no xlate" but then the reverse path check fails. I even tested with no reverse path checking, but still couldn't make it pass (=return) the ICMP TTL expired packets.)

An example:

 +--------+
 | Host X |
 +--------+
    |
    | IP
  +---+      +---+        +---+        +---+
  | A |------| B |--------| C |--------| D |
  +---+  IP  +---+  MPLS  +---+  MPLS  +---+
                                         |
                                         | IP
                                    +----------+
                                    | Firewall |
                                    +----------+
                                         | IP
                                         |
  +---+  IP  +---+  MPLS  +---+  MPLS  +---+
  | H |------| G |--------| F |--------| E |
  +---+      +---+        +---+        +---+
    | IP
    |
 +--------+
 | Host Y |
 +--------+

 A is a "regular" IP router (CPE).
 B is a PE/LER doing tag imposition
 C is a P/LSR doing tag switching
 D is a PE/LER doing tag disposition
 The firewall is a FWSM v3.1
 E is a PE/LER doing tag imposition
 F is a P/LSR doing tag switching
 G is a PE/LER doing tag disposition
 H is a "regular" IP router (CPE)

An example traceroute gives:

 1  [A]
 2  [B]
 3  *
 4  [D]
 5  [E]
 6  [F]
 7  [G]
 8  [H]
 9  [Y] Done

Since the path A -> D is often many hops some people tend to get confused and report this as an error. Or even worse: Use this as "proof" of the network being the cause of some badly configured server. :-|

-- 
Peter

From kilobit at gmail.com Fri Jan 8 18:14:11 2010
From: kilobit at gmail.com (bas)
Date: Sat, 9 Jan 2010 00:14:11 +0100
Subject: [c-nsp] Data Center cooling
In-Reply-To: <20100107185927.GA31395@ovh.net>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan> <20100107185927.GA31395@ovh.net>
Message-ID:

Hi,

On Thu, Jan 7, 2010 at 7:59 PM, wrote:
> In 2004 & 2007 we developed the EcoDatacenter. 12 months per year,
> we use only the water & outside air for the cooling on our 70 000
> dedicated servers that we host.

But aren't those airco compressors I see in this movie?

http://www.youtube.com/user/OvhComOnVousHeberge#p/u/6/xtmkS1-4WTY (at approx 2:03)

Bas

From pshem.k at gmail.com Fri Jan 8 18:14:18 2010
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Sat, 9 Jan 2010 12:14:18 +1300
Subject: [c-nsp] MPLS TTL exceeded "problems"
In-Reply-To: <1262987099.20208.27.camel@localhost>
References: <1262987099.20208.27.camel@localhost>
Message-ID: <20fe625b1001081514g6bcdc075te07b1185c923fe33@mail.gmail.com>

Hi,

You're right, it's quite common. We hit it on the sup720 (3bxl). The simple answer is what you're asking for can't be done. According to some Cisco guys we spoke to the hardware is not capable of doing that lookup if there is a forwarding adjacency.
We tried various tricks (creating aggregates, pseudo-aggregates (like 0.0.0.0/1 ;-) ) none of that worked - in the best case scenario the control plane showed the correct information, but the packet wasn't processed correctly.

kind regards
Pshem

2010/1/9 Peter Rathlev :
> Hi,
>
> We have a (probably common) cosmetic problem regarding MPLS LSRs sending
> ICMP TTL exceeded along the LSP that carries the traffic.
>
> The "problem" is that when the exit PE receives the packet it doesn't do
> a RIB lookup (to send the traffic back to the correct recipient) but
> instead it just uses the "adjacency" from the MPLS forwarding table to
> send it to the next (non MPLS) device.
>
> Is there any (easy-ish) way to force the exit PE to do a RIB lookup
> (e.g. using the allocated aggregate label) and send the packet the right
> way by itself? If so, would there be any significant performance penalty
> from this on a Sup720/PFC3B?
>
> The reason why it doesn't work now is that the device after the exit PE
> is a firewall. Specifically FWSM v3.1. It denies the ICMP TTL Exceeded,
> stating "no matching session" as the reason. When the trace probes have
> got to the point (TTL wise) where they pass the firewall, all TTL
> expired replies are accepted and in the end received by the originating
> client. If there's a way to make a FWSM accept TTL expired like this I'd
> love to know.
> (I tried "same-security-traffic permit intra-interface" to
> defeat the "no xlate" but then the reverse path check fails. I even
> tested with no reverse path checking, but still couldn't make it pass
> (=return) the ICMP TTL expired packets.)
>
> An example:
>
>  +--------+
>  | Host X |
>  +--------+
>     |
>     | IP
>   +---+      +---+        +---+        +---+
>   | A |------| B |--------| C |--------| D |
>   +---+  IP  +---+  MPLS  +---+  MPLS  +---+
>                                          |
>                                          | IP
>                                    +----------+
>                                    | Firewall |
>                                    +----------+
>                                          | IP
>                                          |
>   +---+  IP  +---+  MPLS  +---+  MPLS  +---+
>   | H |------| G |--------| F |--------| E |
>   +---+      +---+        +---+        +---+
>     | IP
>     |
>  +--------+
>  | Host Y |
>  +--------+
>
>  A is a "regular" IP router (CPE).
>  B is a PE/LER doing tag imposition
>  C is a P/LSR doing tag switching
>  D is a PE/LER doing tag disposition
>  The firewall is a FWSM v3.1
>  E is a PE/LER doing tag imposition
>  F is a P/LSR doing tag switching
>  G is a PE/LER doing tag disposition
>  H is a "regular" IP router (CPE)
>
>
> An example traceroute gives:
>
>  1  [A]
>  2  [B]
>  3  *
>  4  [D]
>  5  [E]
>  6  [F]
>  7  [G]
>  8  [H]
>  9  [Y] Done
>
> Since the path A -> D is often many hops some people tend to get
> confused and report this as an error. Or even worse: Use this as "proof"
> of the network being the cause of some badly configured server. :-|
>
> --
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
From: ler762 at gmail.com (Lee)
Date: Fri, 8 Jan 2010 18:27:10 -0500
Subject: [c-nsp] Using Advanced IP vs Advanced Enterprise IOS Image
In-Reply-To: <4B478F37.9060403@noved.org>
References: <4B478F37.9060403@noved.org>
Message-ID:

On Fri, Jan 8, 2010 at 3:01 PM, Devon True wrote:
> All:
>
> I am looking at upgrading our Cat6500s (Sup720/MSFC3) and we currently
> run an Advanced Enterprise image. Since we are an IP-only shop, I am
> looking at using Advanced IP instead, but I didn't know if it brought
> any advantages or disadvantages. Does it offer any savings in memory or
> other resources? We have 512MB of flash space, so that is not a concern.

I used feature navigator to compare the enterprise version to the advanced ip version. I didn't see anything we wanted that was only in Enterprise, so went with advanced IP. I don't know if it has any savings in memory or other resources, but not having all those features that aren't going to be used seems a plus. As well as not having to put a "no mop ena" on every interface :)

It just occurred to me that 'ttcp' used to be only in the Enterprise version.. no idea if it's in advanced IP now [not being at work] or if there's any other "goodies" that are only in Enterprise.

Regards,
Lee
From: markom at ipexpert.com (Marko Milivojevic)
Date: Sat, 9 Jan 2010 00:39:28 +0100
Subject: [c-nsp] spanning-tree bpdufilter leaks
In-Reply-To: <4B476879.2070802@ttec.com>
References: <4B469FB7.6050208@ttec.com> <6069A203FD01884885C037F81DD750801742DA107A@wsc-mail-01.intra.nwresd.k12.or.us> <4B476879.2070802@ttec.com>
Message-ID: <4a15acd91001081539x20bb08c3ia31fc69778a617c3@mail.gmail.com>

On Fri, Jan 8, 2010 at 18:16, Joe Maimon wrote:
>
>
> Bill Blackford wrote:
>>
>> Do you have any details?
>> Models? Code vers?
>>
>> -b
>
> 3524XL, 12.0(5)WC17

Oh. You should perhaps look for something newer... This model has been end-of-life since 2002.

I am curious though - when do leaks occur?

-- 
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: markom at ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities

From: jckdaniels12 at gmail.com (jack daniels)
Date: Sat, 9 Jan 2010 18:17:41 +0530
Subject: [c-nsp] Service Provider products
Message-ID: <8bb137f41001090447j4f26508lae8cacb9cc3d36b9@mail.gmail.com>

Hi,

please help me with any link or book which can help enhance knowledge in SP (MPLS/ISP) products/cards/design BASICALLY for a Solution architect guy.

Thanks
From: bob at tink.com (Bob Tinkelman)
Date: Sat, 09 Jan 2010 09:33:17 -0500 (EST)
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To: "Your message dated Mon, 04 Jan 2010 15:42:08 -0500" <72814585-3C40-4FD9-8F6F-0A682E689DA4@puck.nether.net>
References:
Message-ID: <01NI92P8ZICK8XIT3D@queens.tink.com>

I know I'm replying to an email from the beginning of the thread, but...

>> I am trying to figure out if there is a
>> different/newer/better(?) way to announce our public IP
>> ranges to our Internet providers, currently we are declaring
>> our subnets in 'network statements' in the BGP
>> configuration, we have static routes setup like ip route
>> x.x.x.x 255.255.224.0 Null0 254 and then we have a extended
>> access-list applied to each peer with our net blocks listed
>> in them.

>> It appears that because of the network statements, the
>> supernet routes (/18s, /19s, etc) are being distributed via
>> BGP to the rest of the network which is by design(I assume).
>> This doesn't seem ideal because if traffic is sent to an IP
>> address that doesn't have a more specific route than say
>> /18, or /19 it travels all the way through the network to
>> the edge before stopping. I might be blowing the impact of
>> this out of proportion, but it just seems like a waste of
>> resources.

>> Does anyone know of a seemingly more sensible way of doing
>> this?

> You could always tag these hold-down routes with a
> community, then when someone sends a packet to them, the
> next-hop could be rewritten to a local discard/null0
> instance.

> This should allow you to distribute the load instead of
> backhauling the traffic to the final destination/aggregation
> location.

> - Jared

I can think of one possible trap here when implementing this on a network where

 o Some routers have only partial routing tables.
 o Jared's suggestion to black-hole the hold-down routes is implemented on these routers (and not just on edge routers, as was suggested elsewhere in the thread).

 o Subnets of an aggregate are allocated to dual-homed customers.

Unless you arrange that upstream-heard bgp-announcements of these subnets are propagated to your partial-routing-table routers, those routers will be unable to reach the dual-homed customers when their link to you is down, even if their link to another upstream is working.

The above may seem like a very unusual combination of circumstances, but Cogent has been known to commit a very similar sin on the edge portions of their net between their "A-peers" and "B-peers".

- Bob
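Bob's trap, as an added illustration that is not code from the thread: a small Python model of a partial-table router that applies Jared's next-hop rewrite to the tagged hold-down aggregate and then does a longest-prefix match for a dual-homed customer's address. The prefixes, the community value 65000:666, the discard next hop 192.0.2.1 and the next-hop names are constructed for the example; the only real behaviour modelled is that a more-specific route beats the aggregate and that a route the router never receives cannot win.

```python
"""Partial-table router with a locally discarded hold-down aggregate (Jared's
suggestion) and a dual-homed customer's /24 (Bob's trap).  Added illustration,
not code from the thread; all prefixes, names and the community are constructed."""
import ipaddress
from dataclasses import dataclass

HOLD_DOWN = "65000:666"      # assumed community tagged onto the Null0 hold-down routes
DISCARD_NH = "192.0.2.1"     # assumed next hop that every router statically points at Null0
AGGREGATE = "10.128.0.0/19"  # constructed PA block, originated with a network statement
CUSTOMER = "10.128.4.0/24"   # constructed sub-allocation to a dual-homed customer


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    communities: frozenset = frozenset()
    learned_from: str = "ibgp"   # "ibgp" = originated inside our AS, or "upstream"


class Router:
    def __init__(self, name, accept_upstream_routes):
        self.name = name
        self.accept_upstream_routes = accept_upstream_routes
        self.fib = {}

    def receive(self, route):
        # A partial-table router is normally fed only routes originated in our own AS.
        if route.learned_from == "upstream" and not self.accept_upstream_routes:
            return
        next_hop = route.next_hop
        # Jared's suggestion: rewrite the tagged hold-down route to a local discard, so
        # traffic for unallocated space dies here instead of being backhauled to the edge.
        if HOLD_DOWN in route.communities:
            next_hop = DISCARD_NH
        self.fib[ipaddress.ip_network(route.prefix)] = next_hop

    def lookup(self, address):
        """Longest-prefix match; returns the next hop, or None when nothing covers it."""
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.fib if addr in net]
        if not matches:
            return None
        return self.fib[max(matches, key=lambda net: net.prefixlen)]


def partial_table_router(customer_link_up, propagate_upstream_specifics):
    """Build the partial-table router's FIB for one combination of circumstances."""
    router = Router("core", accept_upstream_routes=propagate_upstream_specifics)
    router.receive(Route(AGGREGATE, "edge-router", frozenset({HOLD_DOWN})))
    if customer_link_up:
        router.receive(Route(CUSTOMER, "customer-pe"))   # customer's direct announcement
    else:
        # The customer's link to us is down, but its other provider still announces
        # the /24, so our full-table edge hears it from upstream.
        router.receive(Route(CUSTOMER, "upstream-a", learned_from="upstream"))
    return router


if __name__ == "__main__":
    for link_up, propagate in ((True, False), (False, False), (False, True)):
        nh = partial_table_router(link_up, propagate).lookup("10.128.4.10")
        verdict = "DISCARDED" if nh == DISCARD_NH else f"forwarded via {nh}"
        print(f"customer link up={link_up!s:<5} upstream /24 propagated={propagate!s:<5} -> {verdict}")
```

The middle case is the trap: with the customer's link to us down and the upstream-learned /24 filtered away from the core, the address falls back onto the /19 and is discarded on the first router, although the edge could have reached it through the other provider. The fix Bob describes is the third case, letting the upstream-heard more-specifics of your own aggregates reach the partial-table routers.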
From: jared at puck.nether.net (Jared Mauch)
Date: Sat, 9 Jan 2010 15:00:17 -0500
Subject: [c-nsp] MPLS TTL exceeded "problems"
In-Reply-To: <20fe625b1001081514g6bcdc075te07b1185c923fe33@mail.gmail.com>
References: <1262987099.20208.27.camel@localhost> <20fe625b1001081514g6bcdc075te07b1185c923fe33@mail.gmail.com>
Message-ID:

Just curious, did you try to enable "mls mpls tunnel-recir"?

- Jared

On Jan 8, 2010, at 6:14 PM, Pshem Kowalczyk wrote:

> Hi,
>
> You're right, it's quite common. We hit it on the sup720 (3bxl). The
> simple answer is what you're asking for can't be done. According to
> some Cisco guys we spoke to the hardware is not capable of doing that
> lookup if there is a forwarding adjacency.
> We tried various tricks (creating aggregates, pseudo-aggregates (like
> 0.0.0.0/1 ;-) ) none of that worked - in the best case scenario the
> control plane showed the correct information, but the packet wasn't
> processed correctly.
>
> kind regards
> Pshem
>
> 2010/1/9 Peter Rathlev :
>> Hi,
>>
>> We have a (probably common) cosmetic problem regarding MPLS LSRs sending
>> ICMP TTL exceeded along the LSP that carries the traffic.
>>
>> The "problem" is that when the exit PE receives the packet it doesn't do
>> a RIB lookup (to send the traffic back to the correct recipient) but
>> instead it just uses the "adjacency" from the MPLS forwarding table to
>> send it to the next (non MPLS) device.
>>
>> Is there any (easy-ish) way to force the exit PE to do a RIB lookup
>> (e.g. using the allocated aggregate label) and send the packet the right
>> way by itself? If so, would there be any significant performance penalty
>> from this on a Sup720/PFC3B?
>>
>> The reason why it doesn't work now is that the device after the exit PE
>> is a firewall. Specifically FWSM v3.1. It denies the ICMP TTL Exceeded,
>> stating "no matching session" as the reason.
>> When the trace probes have
>> got to the point (TTL wise) where they pass the firewall, all TTL
>> expired replies are accepted and in the end received by the originating
>> client. If there's a way to make a FWSM accept TTL expired like this I'd
>> love to know. (I tried "same-security-traffic permit intra-interface" to
>> defeat the "no xlate" but then the reverse path check fails. I even
>> tested with no reverse path checking, but still couldn't make it pass
>> (=return) the ICMP TTL expired packets.)
>>
>> An example:
>>
>>  +--------+
>>  | Host X |
>>  +--------+
>>     |
>>     | IP
>>   +---+      +---+        +---+        +---+
>>   | A |------| B |--------| C |--------| D |
>>   +---+  IP  +---+  MPLS  +---+  MPLS  +---+
>>                                          |
>>                                          | IP
>>                                    +----------+
>>                                    | Firewall |
>>                                    +----------+
>>                                          | IP
>>                                          |
>>   +---+  IP  +---+  MPLS  +---+  MPLS  +---+
>>   | H |------| G |--------| F |--------| E |
>>   +---+      +---+        +---+        +---+
>>     | IP
>>     |
>>  +--------+
>>  | Host Y |
>>  +--------+
>>
>>  A is a "regular" IP router (CPE).
>>  B is a PE/LER doing tag imposition
>>  C is a P/LSR doing tag switching
>>  D is a PE/LER doing tag disposition
>>  The firewall is a FWSM v3.1
>>  E is a PE/LER doing tag imposition
>>  F is a P/LSR doing tag switching
>>  G is a PE/LER doing tag disposition
>>  H is a "regular" IP router (CPE)
>>
>>
>> An example traceroute gives:
>>
>>  1  [A]
>>  2  [B]
>>  3  *
>>  4  [D]
>>  5  [E]
>>  6  [F]
>>  7  [G]
>>  8  [H]
>>  9  [Y] Done
>>
>> Since the path A -> D is often many hops some people tend to get
>> confused and report this as an error. Or even worse: Use this as "proof"
>> of the network being the cause of some badly configured server.
>> :-|
>>
>> --
>> Peter
>>

From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 09 Jan 2010 22:03:55 +0100
Subject: [c-nsp] MPLS TTL exceeded "problems"
In-Reply-To:
References: <1262987099.20208.27.camel@localhost> <20fe625b1001081514g6bcdc075te07b1185c923fe33@mail.gmail.com>
Message-ID: <1263071035.27504.2.camel@localhost>

On Sat, 2010-01-09 at 15:00 -0500, Jared Mauch wrote:
> Just curious, did you try to enable "mls mpls tunnel-recir"?

Yup, tried with it enabled. Actually, only tried it with recirculation enabled. I guess if it were to make a difference it would surely be in favor of enabling it.

-- 
Peter
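The behaviour Peter describes in the MPLS TTL exceeded thread above, as an added illustration that is not code from the thread: a Python model of the path an ICMP time-exceeded takes back to the tracing host when the LSR that generated it has no IP route to the source and forwards it down the LSP instead (the technique RFC 3032, section 2.3 describes), and the egress PE then either uses the LSP's adjacency (what Peter and Pshem report the Sup720 doing) or does the RIB lookup Peter asked for. Node names follow Peter's diagram; the firewall's rule of accepting an ICMP error only when the embedded probe already has a session, and the assumption that the FWSM does not decrement TTL (which is why it is not a hop in the posted traceroute), are my modelling assumptions.

```python
"""Why a traceroute through an MPLS core shows '*' for the P router when a
stateful firewall sits behind the egress PE.  Added illustration, not code from
the thread; node names follow Peter's diagram."""

# Forward path of the probes, X -> Y.  The FWSM is assumed not to decrement
# TTL, which is why it never appears as a hop in the posted traceroute.
PATH = ["X", "A", "B", "C", "D", "FW", "E", "F", "G", "H", "Y"]
FIREWALL = "FW"
P_ROUTERS = {"C", "F"}              # LSRs: label switching only, no IP route back to X
LSP_EGRESS = {"C": "D", "F": "G"}   # where each LSR's LSP ends (tag disposition)


def _idx(node):
    return PATH.index(node)


def expire_node(ttl):
    """Node at which a probe sent with this TTL expires (Y means it arrived)."""
    ttl_hops = [n for n in PATH[1:] if n != FIREWALL]
    return ttl_hops[ttl - 1] if 0 < ttl <= len(ttl_hops) else None


def reply_path(node, egress_mode):
    """Nodes the ICMP time-exceeded generated by `node` traverses on its way to X.

    egress_mode is "adjacency" (what the Sup720 does: the egress PE pops the
    label and hands the packet to the LSP's next hop) or "rib" (the lookup
    Peter asked for: the egress PE routes the ICMP back itself)."""
    if node not in P_ROUTERS:
        return PATH[_idx(node)::-1]                  # ordinary reverse path to X
    egress = LSP_EGRESS[node]
    along_lsp = PATH[_idx(node):_idx(egress) + 1]   # LSR forwards the ICMP down the LSP
    if egress_mode == "rib":
        return along_lsp + PATH[_idx(egress) - 1::-1]
    beyond = PATH[_idx(egress) + 1]                  # adjacency: one hop past the LSP
    return along_lsp + [beyond] + PATH[_idx(beyond) - 1::-1]


def firewall_permits(reply, probe_expired_at):
    """Stateful-firewall rule: an ICMP error is accepted only if the embedded probe
    has a session, i.e. the probe itself passed the firewall before its TTL ran out."""
    if FIREWALL not in reply:
        return True
    return _idx(probe_expired_at) > _idx(FIREWALL)


def traceroute(egress_mode="adjacency", max_ttl=9):
    """Hop list as the originating client would print it; '*' is a dropped reply."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        node = expire_node(ttl)
        if node is None:
            break
        reply = reply_path(node, egress_mode)
        hops.append(node if firewall_permits(reply, node) else "*")
        if node == PATH[-1]:
            break
    return hops


if __name__ == "__main__":
    for mode in ("adjacency", "rib"):
        line = "  ".join(f"{i} [{h}]" for i, h in enumerate(traceroute(mode), 1))
        print(f"{mode:>9}: {line}")
    print("ICMP from C, adjacency mode:", " -> ".join(reply_path("C", "adjacency")))
    print("ICMP from F, adjacency mode:", " -> ".join(reply_path("F", "adjacency")))
```

The model reproduces the posted traceroute (hop 3 is a `*`) and also shows why hop 6 is not: the reply from F is handed past G to H and routed all the way back through the firewall, but by then the probe itself has crossed the firewall, so a session exists and the error is accepted. The reply from C reaches the firewall with no session behind it and is dropped, exactly the "no matching session" Peter sees on the FWSM.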
From: bob_arthurs at hotmail.co.uk (Bob Arthurs)
Date: Sat, 9 Jan 2010 23:31:47 +0000
Subject: [c-nsp] BGP Peer Group drawbacks???
Message-ID:

Hi all,

A colleague recently told me not to use BGP peer groups because he insists that there are drawbacks to using them.

Does anyone know of any drawbacks to peer groups????

I dug the following up on the Cisco website:

"Cisco IOS Software Releases earlier than 11.1(18)CC have the limitations described in this section. Failure to adhere to these rules can result in inconsistent routing.

If you use peer groups for clients of a route reflector, all the clients must be fully meshed.

If you use an eBGP peer group, transit cannot be provided among the peer group members.

All eBGP peer group members must be from the same subnet to avoid non-connected next hop announcements.

However, these limitations were removed starting with Cisco IOS Software Releases 11.1(18)CC, 11.3(4), and 12.0. Only the router on which the peer groups are defined needs to be upgraded to the new code."

But the above limitations have now gone, so I can't think of what drawbacks he might be referring to.

Anyone know??

Thanks in advance!
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sat, 9 Jan 2010 17:44:22 -0600
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To:
References:
Message-ID: <20100109234422.GJ75640@gerbil.cluepon.net>

On Sat, Jan 09, 2010 at 11:31:47PM +0000, Bob Arthurs wrote:
>
> Hi all,
>
> A colleague recently told me not to use BGP peer groups because he
> insists that there are drawbacks to using them.
>
> Does anyone know of any drawbacks to peer groups????
>
> I dug the following up on the Cisco website:
>
> "Cisco IOS Software Releases earlier than 11.1(18)CC have the

1998 called, it wants its release notes back. The modern version you should be using instead of peer groups is bgp templates:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From: steve at ibctech.ca (Steve Bertrand)
Date: Sat, 09 Jan 2010 21:53:51 -0500
Subject: [c-nsp] Service Provider products
In-Reply-To: <8bb137f41001090447j4f26508lae8cacb9cc3d36b9@mail.gmail.com>
References: <8bb137f41001090447j4f26508lae8cacb9cc3d36b9@mail.gmail.com>
Message-ID: <4B49413F.3090108@ibctech.ca>

jack daniels wrote:
> Hi,
>
> please help me with any link or book which can help enhance knowledge in SP
> (MPLS/ISP) products/cards/design BASICALLY for a Solution architect guy.

....google.ca?

I was going to name books, but your question is pretty undefined. The mentioned link will get you started.

Steve
From: steve at ibctech.ca (Steve Bertrand)
Date: Sat, 09 Jan 2010 22:04:39 -0500
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To: <20100109234422.GJ75640@gerbil.cluepon.net>
References: <20100109234422.GJ75640@gerbil.cluepon.net>
Message-ID: <4B4943C7.1060102@ibctech.ca>

Richard A Steenbergen wrote:
> On Sat, Jan 09, 2010 at 11:31:47PM +0000, Bob Arthurs wrote:
>> Hi all,
>>
>> A colleague recently told me not to use BGP peer groups because he
>> insists that there are drawbacks to using them.
>>
>> Does anyone know of any drawbacks to peer groups????
>>
>> I dug the following up on the Cisco website:
>>
>> "Cisco IOS Software Releases earlier than 11.1(18)CC have the
>
> 1998 called, it wants its release notes back. The modern version you
> should be using instead of peer groups is bgp templates:

...What...? ...Why?

At what scale should one consider dumping peer-group? When should one switch to templates? How about a mix of groups AND templates?

Please have 1998 call me and let me know that my peer groups aren't working for me.

Unless 1998 can provide many valid reasons and an automated strategy, why are you recommending such a blind fix?

imho, this is NOT what the OP needed to hear. You don't even know what IOS ver he's using.

Steve
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Sat, 9 Jan 2010 21:42:01 -0800
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To: <4B4943C7.1060102@ibctech.ca>
References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca>
Message-ID: <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com>

> > 1998 called, it wants its release notes back. The modern version you
> > should be using instead of peer groups is bgp templates:
>
> ...What...? ...Why?
>
> At what scale should one consider dumping peer-group? When should one
> switch to templates? How about a mix of groups AND templates?
>
>
Seems to me that peer/session templates would allow you to get more granular with your BGP configuration than peer-groups due to their inheritance feature. So it makes sense to me.

I don't think scale is the only deciding factor between peer group and templates. I think it also depends on the complexity of your routing policy and # of prefixes etc... I guess a question could be - why wouldn't you use templates - even for a simple BGP config? Any ISP ops on the list - do you use templates, peer-groups - or both?

To the original poster - perhaps you can decide for yourself? See here:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html#wp1027129
and a good explanation here with configurations
http://cciethebeginning.wordpress.com/2009/01/09/358/
From: markom at ipexpert.com (Marko Milivojevic)
Date: Sun, 10 Jan 2010 07:05:01 +0100
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To: <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com>
References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca> <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com>
Message-ID: <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com>

> Seems to me that peer/session templates would allow you to get more granular
> with your BGP configuration than peer-groups due to
> their inheritance feature. So it makes sense to me.
>
> I don't think scale is the only deciding factor between peer group and
> templates. I think it also depends on the complexity of your routing policy
> and # of prefixes etc... I guess a question could be - why wouldn't you use
> templates - even for a simple BGP config? Any ISP ops on the list - do you
> use templates, peer-groups - or both?
>
> To the original poster - perhaps you can decide for yourself? See here:
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html#wp1027129
> and
> a good explanation here with configurations
> http://cciethebeginning.wordpress.com/2009/01/09/358/

Well... comparing peer-groups and templates is just a little bit like comparing apples and oranges. They were meant to solve different problems.

When they were introduced, peer-groups were used to optimize the updates sent to neighbors. I.e. using peer-groups had impact on your CPU in such a way that members of the same peer group shared the same update that was only replicated. Non-peer-group peers had to have their updates built separately, even though it may end up being the same. The fact that the peer-groups had this nice side effect of being able to group configuration and make deployments somewhat easier, was never their primary purpose in life... and that shows, as they look unnatural and are not very flexible.
Naturally, over the years, Cisco found the way to optimize updates automatically (using update-groups) and the only purpose of peer-groups was to group commands together. Since they were not doing that as well as one would hope (whoever configured peer-groups in multiple address-families probably knows how ... "intuitive" that is), another solution needed to be made. This is how we got templates, whose only purpose is to group configurations and they do pretty good job at that.

All that said, for all new deployments, I would suggest using templates and not peer-groups... they could disappear at any time.

-- 
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: markom at ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 10 Jan 2010 13:19:01 +0000
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To: <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com>
References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca> <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com>
Message-ID: <4B49D3C5.5050709@imperial.ac.uk>

> and # of prefix's etc...I guess a question could be - why wouldn't you use
> templates - even for a simple BGP config? Any ISP ops on the list - do you
> use templates, peer-groups - or both?

We use templates, including inheritance. They're very handy.

From memory however, some things don't quite work with them - the only specific example I can think of is using a "bgp listen" e.g. on a route-reflector, which will allow any BGP router from a particular subnet range to connect. IIRC on 12.2SX, when I tried it, it didn't support templates, just peer-groups.

We see some oddities with VPNv4 AFs too; the send-community commands seem to not get inherited, but are automatically added to the neighbour statements, and soft-reconfig refuses to apply, but AFAICT these are cosmetic.

That said, we use a peer-group in one or two places where the config is very simple and confined to one router (anycast DNS via eBGP, specifically)

I would use templates in a new deployment, and recommend against peer-groups - Marko's email has an excellent summary of the background.
From: arturnrm at gmail.com (Artur)
Date: Sun, 10 Jan 2010 11:42:34 -0200
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To: <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com>
References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca> <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com> <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com>
Message-ID: <4B49D94A.5080705@gmail.com>

Great point Marko, just adding to that, in the most recent IOS versions update-groups are built automatically when you have neighbors with an equal policy configuration. That means, peers belonging to the same peer-group, or with the same peer-policy template or even without peer-groups or templates configured but with the same policy applied.

The optimization brought by update-groups is obtained because as all the neighbors have an equal policy IOS knows that it needs to calculate a single set of updates to all of them, in older versions it used to calculate updates for each neighbor, even though they had equal policies.

Artur

On 1/10/2010 4:05 AM, Marko Milivojevic wrote:
>> Seems to me that peer/session templates would allow you to get more granular
>> with your BGP configuration than peer-groups due to
>> their inheritance feature. So it makes sense to me.
>>
>> I don't think scale is the only deciding factor between peer group and
>> templates. I think it also depends on the complexity of your routing policy
>> and # of prefixes etc... I guess a question could be - why wouldn't you use
>> templates - even for a simple BGP config? Any ISP ops on the list - do you
>> use templates, peer-groups - or both?
>>
>> To the original poster - perhaps you can decide for yourself? See here:
>> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html#wp1027129
>> and
>> a good explanation here with configurations
>> http://cciethebeginning.wordpress.com/2009/01/09/358/
>>
> Well...
> comparing peer-groups and templates is just a little bit like
> comparing apples and oranges. They were meant to solve different
> problems.
>
> When they were introduced, peer-groups were used to optimize the
> updates sent to neighbors. I.e. using peer-groups had impact on your
> CPU in such a way that members of the same peer group shared the same
> update that was only replicated. Non-peer-group peers had to have
> their updates built separately, even though it may end up being the
> same. The fact that the peer-groups had this nice side effect of being
> able to group configuration and make deployments somewhat easier, was
> never their primary purpose in life... and that shows, as they look
> unnatural and are not very flexible.
>
> Naturally, over the years, Cisco found the way to optimize updates
> automatically (using update-groups) and the only purpose of
> peer-groups was to group commands together. Since they were not doing
> that as well as one would hope (whoever configured peer-groups in
> multiple address-families probably knows how ... "intuitive" that is),
> another solution needed to be made. This is how we got templates,
> whose only purpose is to group configurations and they do pretty good
> job at that.
>
> All that said, for all new deployments, I would suggest using
> templates and not peer-groups... they could disappear at any time.
>
> --
> Marko Milivojevic - CCIE #18427
> Senior Technical Instructor - IPexpert
>
> Mailto: markom at ipexpert.com
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Community: http://www.ipexpert.com/communities
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Sun, 10 Jan 2010 11:28:03 -0800
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To: <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com>
References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca> <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com> <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com>
Message-ID: <4a80ecce1001101128i2ef66c67h5d43b98fa76ec54@mail.gmail.com>

On Sat, Jan 9, 2010 at 10:05 PM, Marko Milivojevic wrote:
> > Seems to me that peer/session templates would allow you to get more
> > granular with your BGP configuration than peer-groups due to
> > their inheritance feature. So it makes sense to me.
>
> Well... comparing peer-groups and templates is just a little bit like
> comparing apples and oranges. They were meant to solve different
> problems.
>

I wouldn't say it's quite like apples and oranges for where they stand today though - both are used to group configuration commands and both help to solve BGP table scanning and update resource utilization issues.. and they both do it via BGP Dynamic Updates 'in the background' as Artur stated. However, templates allow you to get much more granular with your routing policies. It's more like comparing red apples to green apples - green are more sour (peer groups). I do get the rest of your point and history - it's well stated.

Thanks,
Kenny
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Sun, 10 Jan 2010 21:16:04 +0100
Subject: [c-nsp] software advice for sup720 on Cisco 6500 and 7600
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF9D@SRVEXC02.aas.its.nja.dk>

Hi all.

Can someone give me an advice about what software to use.
We are currently using TDP and would like to migrate to LDP in our MPLS network.
Which release of software does support enabling of both at the same time.
I've tried 5 or 6 different that support both, but can't enable both at the same time.
We have some different types of Sup720: WS-SUP720-3BXL, RSP720-3C-GE, WS-SUP720-3CXL, WS-SUP720-3C

/Arne

From: udiamond at gmail.com (Marco)
Date: Sun, 10 Jan 2010 22:25:38 +0100
Subject: [c-nsp] VPN Tunnel Question
In-Reply-To: <63cd55240912281958i78e7dbeqc56486210a924ba1@mail.gmail.com>
References: <63cd55240912231944q7ce895ebxaf829eea861bedb@mail.gmail.com> <63cd55240912281958i78e7dbeqc56486210a924ba1@mail.gmail.com>
Message-ID: <4B4A45D2.6060708@gmail.com>

On 29/12/09 04:58, O n i wrote:
> thanks!
>
>
> i can post the partial config after i edit out some details
>
> On Thu, Dec 24, 2009 at 15:50, swap m wrote:
>

Well, post your config pls ....

Bye.
From: markom at ipexpert.com (Marko Milivojevic)
Date: Mon, 11 Jan 2010 00:15:23 +0100
Subject: [c-nsp] software advice for sup720 on Cisco 6500 and 7600
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF9D@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF9D@SRVEXC02.aas.its.nja.dk>
Message-ID: <4a15acd91001101515s3cb37c61k88b948ed611b095f@mail.gmail.com>

On Sun, Jan 10, 2010 at 21:16, Arne Larsen / Region Nordjylland wrote:
> Hi all.
>
> Can someone give me an advice about what software to use.
> We are currently using TDP and would like to migrate to LDP in our MPLS network.
> Which release of software does support enabling of both at the same time.
> I've tried 5 or 6 different that support both, but can't enable both at the same time.
> We have some different types of Sup720: WS-SUP720-3BXL, RSP720-3C-GE,
> WS-SUP720-3CXL, WS-SUP720-3C

Silly question, but I have to ask it... Have you tried enabling "mpls label protocol both", either globally or on interfaces that you want to run both LDP and TDP? I believe that pretty much every IOS supports running both. I'm yet to see one that supports both, but can't run them concurrently.

-- 
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: markom at ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 11 Jan 2010 10:57:31 +1100
Subject: [c-nsp] Service Provider products
References:
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AB09E@vic-cr-ex1.staff.netspace.net.au>

Hi Jack,

I used a multitude of books and online tutorials/labs when designing our MPLS network.

I found this an excellent introduction into the basics of MPLS:
MPLS Fundamentals
By Luc De Ghein

This hands on lab really helped me put everything together.
Human Modem's MPLS Series - Vol. 2 - MPLS VPN
http://blog.humanmodem.com/?p=121

These are some other books I touched on looking for information specific to what I needed to roll out (L2 VPN, QoS, etc..)
Building MPLS-Based Broadband Access VPN
By Kumar Reddy
Selecting MPLS VPN Services
By Chris Lewis, Steve Pickavance, Monique Morrow, John Monaghan, Craig Huegen
MPLS and VPN Architectures
By Jim Guichard, Ivan Pepelnjak, Jeff Apcar

Hope that helps.

Cheers.

Andy

From ras at e-gerbil.net Mon Jan 11 00:18:50 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sun, 10 Jan 2010 23:18:50 -0600
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To: <4B4943C7.1060102@ibctech.ca>
References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca>
Message-ID: <20100111051850.GO75640@gerbil.cluepon.net>

On Sat, Jan 09, 2010 at 10:04:39PM -0500, Steve Bertrand wrote:
> Richard A Steenbergen wrote:
> > On Sat, Jan 09, 2010 at 11:31:47PM +0000, Bob Arthurs wrote:
> >> Hi all,
> >>
> >> A colleague recently told me not to use BGP peer groups because he
> >> insists that there are drawbacks to using them.
> >>
> >> Does anyone know of any drawbacks to peer groups????
> >>
> >> I dug the following up on the Cisco website:
> >>
> >> "Cisco IOS Software Releases earlier than 11.1(18)CC have the
> >
> > 1998 called, it wants its release notes back. The modern version you
> > should be using instead of peer groups is bgp templates:
>
> ...What...? ...Why?
>
> At what scale should one consider dumping peer-group? When should one
> switch to templates? How about a mix of groups AND templates?
>
> Please have 1998 call me and let me know that my peer groups aren't
> working for me.
>
> Unless 1998 can provide many valid reasons and an automated strategy,
> why are you recommending such a blind fix?
>
> imho, this is NOT what the OP needed to hear. You don't even know what
> IOS ver he's using.

Are you retarded? The release notes he is quoting are from 1998, anyone who is still running 11.1(18)CC probably has bigger problems than their peer groups.

As for BGP templates, it has nothing to do with scale. BGP templates are simply the newer and better replacement for the peer group functionality, that adds more features and is less restrictive. Anyone doing a new deployment should probably use the new system instead, unless there is some specific reason not to (e.g. a noc which isn't capable of learning new things, etc).
--
Richard A Steenbergen  http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From avayner at cisco.com Mon Jan 11 04:29:09 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 11 Jan 2010 10:29:09 +0100
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To:
References:
Message-ID:

I think this would provide a comprehensive overview:

Peer-Groups are a relatively old feature which was introduced to provide two functions:
- Reduce BGP configuration by creating a "template" which can be reapplied to multiple peers
- Reduce CPU workload for BGP updates, as all members in a peer-group had the same egress policy, so an update had to be computed only once

As combining both functionalities into a single feature is a bit restrictive (you have to have (mostly) the same config for all peers) then this was basically split up:
- Dynamic Update Groups are built on the fly for BGP peers with similar update (output) policies. This allows for CPU load reduction.
- Templates are used to build config templates to reduce configuration complexity/clutter.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bob Arthurs
Sent: Sunday, January 10, 2010 01:32
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP Peer Group drawbacks???

Hi all,

A colleague recently told me not to use BGP peer groups because he insists that there are drawbacks to using them.

Does anyone know of any drawbacks to peer groups????

I dug the following up on the Cisco website:

"Cisco IOS Software Releases earlier than 11.1(18)CC have the limitations described in this section. Failure to adhere to these rules can result in inconsistent routing.
If you use peer groups for clients of a route reflector, all the clients must be fully meshed.
If you use an eBGP peer group, transit cannot be provided among the peer group members.
All eBGP peer group members must be from the same subnet to avoid non-connected next hop announcements.
However, these limitations were removed starting with Cisco IOS Software Releases 11.1(18)CC, 11.3(4), and 12.0. Only the router on which the peer groups are defined needs to be upgraded to the new code."

But the above limitations have now gone, so I can't think of what drawbacks he might be referring to.

Anyone know??

Thanks in advance!

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From rasheed_ak at yahoo.com Mon Jan 11 06:14:48 2010
From: rasheed_ak at yahoo.com (Rasheed Khan)
Date: Mon, 11 Jan 2010 03:14:48 -0800 (PST)
Subject: [c-nsp] recommended router for following specs
Message-ID: <102327.73473.qm@web36205.mail.mud.yahoo.com>

hi,

could anybody recommend core router and modules required for below specs

core router
- Wire speed throughput
- Chassis based technology (HW Redundancy - 2 pcs.)
- Passive Backplane
- Scalable bandwidth
- Redundant power supplies (n + 1)
- Hot swappable hardware elements
- Redundant control plane/ CPUs/ switching fabrics
- Sub-Second Fail over of Chassis Hardware
- Every Core Router has to have at minimum two Gigabit Uplinks to each IDF (total no idf or switches 14)
- These two Uplinks have to run as a trunk based on LACP IEEE 802.3ad or similar proprietary protocols. (Aggregation of several physical uplinks) Please describe if it is a variant technology.
- The link aggregation path routing (path routing decision) between the two pairs have to be on Layer 2 and Layer 3 base.
- Fail Over and load balancing between the 2 pairs of aggregated Uplinks to a IDF
- Each 1 Gbps Uplink have to support multi mode fibre
- Hardware-based support for IP multicast
- Dynamic Routing Protocols (RIP, OSPF, e.g. in compliance with network concept)
- Router Redundancy Technologies
- Multicast Routing compliance - IGMP, DVMRP, PIM
- Standard Access Lists - ACL
- DHCP Relay RFC 2131
- IEEE 802.1Q VLAN compliance
- Comprehensive Management
- Syslog
- SNMP V1,V2,V3
- Multi-configuration file support
- Quality of Service - minimal requirements:
  - IEEE 802.1p Prioritization
  - IETF DiffServ / DSCP
  - Policy based QoS by IP, Subnet, Protocol, Ethertype, VLAN ID and Flow based traffic shaping

From rolf-web at internet.ao Mon Jan 11 09:36:30 2010
From: rolf-web at internet.ao (Rolf Mendelsohn)
Date: Mon, 11 Jan 2010 15:36:30 +0100
Subject: [c-nsp] QinQ Layer2 QoS - 3550?
Message-ID: <201001111536.30292.rolf-web@internet.ao>

Hi Guys,

We have a number of Cisco 3550's doing QinQ on a Metro-E network.

I was wondering whether anybody is successfully copying the 802.1P info from the Inner Tag, to the Outer Tag.

From the following doc:
http://www.cisco.mn/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swtunnel.html

  The priority field on the metro tag is set to the interface class of service (CoS) priority configured on the tunnel port (the default is zero if none is configured).

  IEEE 802.1Q Tunneling and Other Features

  Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities between some Layer 2 features and Layer 3 switching.
  - Tunnel ports do not support IP access control lists (ACLs).
  - Layer 3 quality of service (QoS) ACLs and other QoS features related to Layer 3 information are not supported on tunnel ports. MAC-based QoS is supported on tunnel ports.

What does one need to support Layer-2 QoS on QinQ, newer Juniper EX switches? Cisco 3750's?

Thanks,
Rolf

From eng_mssk at hotmail.com Mon Jan 11 10:21:33 2010
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 11 Jan 2010 17:21:33 +0200
Subject: [c-nsp] Ethernet Network
Message-ID:

hi all

we have wimax network , our network are all cisco
Cisco 7606 , Cisco 6524 ME , Cisco 3750 ME
and we enabled MPLS in our network in order to provide MPLS service to our customers (VPLS , L3VPN , EoMPLS)
what is the best MTU value that i can enable on my network either on interface basis or on system basis

Thanks in advance

From felixnkansah at gmail.com Mon Jan 11 10:27:00 2010
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Mon, 11 Jan 2010 15:27:00 +0000
Subject: [c-nsp] Syslog Platform for a Telco Environment
Message-ID: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>

Hi All,

A telco (fixed line/mobile carrier) is looking to deploy a centralized syslog solution for their environment for storing, viewing and analyzing logs.

The plan is to have about 1,000+ server and network nodes configured to send logs at all levels to the syslog server 24/7.

Among other things, the solution would need to be scalable, easy to use with web access, allow granular logs searches and retrieval, events notifications capabilities, and allow different levels of user access.

A linux-based platform / commercial offering is preferred.

Do you have any such product in mind? Thanks.

Felix

From nasir.shaikh at bt.com Mon Jan 11 10:59:50 2010
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Mon, 11 Jan 2010 15:59:50 -0000
Subject: [c-nsp] 3550 as CE
Message-ID:

Hi,

Due to the global shortage of 73xx routers I am contemplating to use some old 3550-12Ts as CE routers on a site where a connection is required urgently.

I will be using a fibre link from the local ADM as my WAN link (int g0/11 or g0/12 on the 3550)

I have enough experience with the 3550 platform EMI with full routing but have always used it as a CPE behind the CE.

Given the right GBIC, is there any reason why this won't work? Any experiences that someone would care to share?

Thanks in advance

Nasir Shaikh

From rdobbins at arbor.net Mon Jan 11 11:23:35 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Mon, 11 Jan 2010 16:23:35 +0000
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
Message-ID:

On Jan 11, 2010, at 10:27 PM, Felix Nkansah wrote:

> A linux-based platform / commercial offering is preferred.

-----------------------------------------------------------------------
Roland Dobbins //

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken

From BBlackford at nwresd.k12.or.us Mon Jan 11 11:27:08 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Mon, 11 Jan 2010 08:27:08 -0800
Subject: [c-nsp] Finisar Optics | Cisco Equiv.
Message-ID: <6069A203FD01884885C037F81DD750801742DA1093@wsc-mail-01.intra.nwresd.k12.or.us>

I believe that Finisar makes many of the Cisco optics. I'm looking for the Finisar part number that is essentially the same as the Cisco GLC-SX-MM

Thanks

-b

From justin at justinshore.com Mon Jan 11 11:44:40 2010
From: justin at justinshore.com (Justin Shore)
Date: Mon, 11 Jan 2010 10:44:40 -0600
Subject: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops
In-Reply-To: <4b8f66d70912091207j39a4adb4td5c2ea9287dd51c3@mail.gmail.com>
References: <4B1C48D4.9080905@poggs.co.uk> <4B1D0AAD.50406@imperial.ac.uk> <4b8f66d70912091207j39a4adb4td5c2ea9287dd51c3@mail.gmail.com>
Message-ID: <4B4B5578.6060906@justinshore.com>

joshua sahala wrote:
> drew,
>
> it may or may not be related, but...check the output of 'sh counter
> int [delta]' and look at the qos[1-21][In|Out]lost counters.
>
> i was experiencing various drops due to the default interface (qos)
> buffer allocation: basically, all of my traffic was hitting the 76xx
> swouter in the q0 buffer and overrunning it (there were no drops in
> any of the other qos queues because no traffic was ever hitting them).
> i ended up having to rewrite the buffer mapping to allocate
> everything to q0 and the random discards stopped (at least the ones
> caused by this issue).

I want to revive an old thread if I can. I'm facing a similar issue now. Gi1/1 on my 6724s in my core 7600s (3BXL) connect to one of my border routers, a 7206 G1. Both interfaces on both 6724s show large volumes of input drops and flushes. Gi1/2 on the same 6724s connect to a 3845 which is my other border and it shows significantly lower drops and flushes (4 digits instead of 7 or 8). All 4 links are SX. 'sh counters' didn't yield anything terribly interesting either.

7613-1.clr#sh counters interface gi1/1 delta | e = 0
Time since last clear
---------------------
never

64 bit counters:
 0. rxHCTotalPkts = 123760873738
 1. txHCTotalPkts = 45947101814
 2. rxHCUnicastPkts = 123747989684
 3. txHCUnicastPkts = 45941233718
 4. rxHCMulticastPkts = 12883997
 5. txHCMulticastPkts = 5868073
 6. rxHCBroadcastPkts = 57
 7. txHCBroadcastPkts = 23
 8. rxHCOctets = 101377579108374
 9. txHCOctets = 16976124978053
 10. rxTxHCPkts64Octets = 8893600878
 11. rxTxHCPkts65to127Octets = 57698604883
 12. rxTxHCPkts128to255Octets = 20633513794
 13. rxTxHCPkts256to511Octets = 7123204457
 14. rxTxHCpkts512to1023Octets = 6652027912
 15. rxTxHCpkts1024to1518Octets = 26440990980

32 bit counters:
 2. rxOversizedPkts = 2492150694
 13. linkChange = 2

All Port Counters
 1. InPackets = 123760839646
 2. InOctets = 101377556782449
 3. InUcastPkts = 123747955595
 4. InMcastPkts = 12883994
 5. InBcastPkts = 57
 6. OutPackets = 45947087810
 7. OutOctets = 16976121260975
 8. OutUcastPkts = 45941219715
 9. OutMcastPkts = 5868072
 10. OutBcastPkts = 23
 22. Giants = 2492143293
 35. rxTxHCPkts64Octets = 8893600875
 36. rxTxHCPkts65to127Octets = 57698582793
 37. rxTxHCPkts128to255Octets = 20633505929
 38. rxTxHCPkts256to511Octets = 7123201908
 39. rxTxHCpkts512to1023Octets = 6652026348
 40. rxTxHCpkts1024to1518Octets = 26440984821
 44. OversizedPkts = 2492143293

The giants are explained by the MTU I have on those links. I run 9000 on all infrastructure links. Other than that I don't see anything else wrong. All the QoS Lost lines were 0. All infrastructure interfaces are also MPLS enabled. The 7206 carries the bulk of the Internet traffic as does 7600 #1 so it's not a big surprise to see its links affected much more so than the 3845 links.

I'm graphing interface errors/discards with Cacti. I have to question the numbers it's giving me though. They have never seemed to be accurate to me on any of my interfaces.

Are my queues not deep enough to carry the traffic flow? Peak Mbps on through the 7206 is about 120Mbps and if Cacti is right then we're also only talking about 17,000 pps on the upstream-facing interface of the 7206, most of which would come from 7600 #1.

Thoughts?

Thanks
Justin

From simon at slimey.org Mon Jan 11 11:47:46 2010
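The reply quoted in Justin's message says to read the `qos<N>[In|Out]lost` lines of `sh counters interface`, and Justin's own reasoning is that the Giants/OversizedPkts counters are expected on a 9000-byte link. Here is that reading as a small parser plus checks, added as an example rather than code from the post or from Cisco. The counter dump fed to it is a constructed subset of the one in the post with two constructed `qos0Inlost`/`qos0Outlost` lines added, and the section headers and `N. name = value` layout are assumed to match the dump as posted.

```python
"""Parse Catalyst 6500/7600 'show counters interface' output and flag what
deserves a second look (added example, not code from the list post).

SAMPLE is a constructed subset of the counter dump in the post; the two
qos0Inlost / qos0Outlost lines are constructed to show what a real QoS
queue-buffer drop looks like. Counter names and section headers are assumed
to follow the layout of the posted dump.
"""
import re

SAMPLE = """\
64 bit counters:
 0. rxHCTotalPkts = 123760873738
 1. txHCTotalPkts = 45947101814
 8. rxHCOctets = 101377579108374
32 bit counters:
 2. rxOversizedPkts = 2492150694
 13. linkChange = 2
All Port Counters
 1. InPackets = 123760839646
 22. Giants = 2492143293
 44. OversizedPkts = 2492143293
 51. qos0Inlost = 17452
 52. qos0Outlost = 0
"""

SECTION_RE = re.compile(r"^\s*(64 bit counters|32 bit counters|All Port Counters)\b")
COUNTER_RE = re.compile(r"^\s*\d+\.\s+(\w+)\s*=\s*(\d+)\s*$")
QOS_LOST_RE = re.compile(r"qos\d+(?:In|Out)lost")


def parse_counters(text):
    """Return {section: {counter_name: int}} for a counter dump."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = int(m.group(2))
    return sections


def check_counters(sections, jumbo_mtu=False):
    """Return a list of findings (strings); an empty list means nothing stood out.

    jumbo_mtu=True records that the link runs an MTU above the 1518-byte
    default, so giants are expected there (the poster's explanation for his
    Giants/OversizedPkts counters).
    """
    findings = []
    port = sections.get("All Port Counters", {})

    # A non-zero qos<N>Inlost / qos<N>Outlost means a QoS queue buffer
    # overran; those are the drops the quoted reply traced to the default
    # buffer allocation, and they never show up as CRC or framing errors.
    for name, value in sorted(port.items()):
        if QOS_LOST_RE.fullmatch(name) and value:
            findings.append(f"{name}={value}: packets dropped in a QoS queue buffer")

    giants = port.get("Giants", 0)
    oversized = port.get("OversizedPkts", 0)
    if giants != oversized:
        findings.append(f"Giants={giants} but OversizedPkts={oversized}: "
                        "counters disagree, re-check the delta")
    elif giants and not jumbo_mtu:
        findings.append(f"Giants={giants} on a standard-MTU link: the peer sends "
                        "frames larger than this interface's MTU")
    return findings


if __name__ == "__main__":
    for finding in check_counters(parse_counters(SAMPLE), jumbo_mtu=True):
        print(finding)
```

Run it with `jumbo_mtu=True` for a 9000-byte link and the only finding left is the QoS buffer drop; on a standard-MTU link the same dump also reports the giants, which is the distinction Justin draws in his message.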
From: simon at slimey.org (Simon Lockhart)
Date: Mon, 11 Jan 2010 16:47:46 +0000
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
Message-ID: <20100111164746.GG23204@virtual.bogons.net>

> A telco (fixed line/mobile carrier) is looking to deploy a centralized
> syslog solution for their environment for storing, viewing
> and analyzing logs.
>
> A linux-based platform / commercial offering is preferred.
>
> Do you have any such product in mind? Thanks.

Isn't Splunk the de facto answer to that question?

Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
   Director    | * Domain & Web Hosting * Internet Consultancy *
  Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *

From jtrooney at nexdlevel.com Mon Jan 11 12:09:44 2010
From: jtrooney at nexdlevel.com (Jeff Rooney)
Date: Mon, 11 Jan 2010 11:09:44 -0600
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To:
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
Message-ID:

+1 for splunk

Jeff Rooney
jtrooney at nexdlevel.com

On Mon, Jan 11, 2010 at 10:23 AM, Dobbins, Roland wrote:
>
> On Jan 11, 2010, at 10:27 PM, Felix Nkansah wrote:
>
>> A linux-based platform / commercial offering is preferred.
>
>
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
>     Injustice is relatively easy to bear; what stings is justice.
>
>                         -- H.L. Mencken
>

From jeff-kell at utc.edu Mon Jan 11 12:16:03 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Mon, 11 Jan 2010 12:16:03 -0500
Subject: [c-nsp] 3550 as CE
In-Reply-To:
References:
Message-ID: <4B4B5CD3.5080006@utc.edu>

On 1/11/2010 10:59 AM, nasir.shaikh at bt.com wrote:
> Hi,
> Due to the global shortage of 73xx routers I am contemplating to use
> some old 3550-12Ts as CE routers on a site where a connection is
> required urgently.
>

It's fine as long as you don't need MPLS to the PE. If you run VRFs point-to-point over an 802.1Q trunk you'll be fine. There's no MPLS except in the MEs, and no hardware GRE support on the 3550s.

Jeff

From jasonleblanc at gmail.com Mon Jan 11 12:16:42 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Mon, 11 Jan 2010 10:16:42 -0700
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
Message-ID: <27D2D991-9C8A-4DA9-8B55-8D751A09A96C@gmail.com>

Splunk for sure!

On Jan 11, 2010, at 8:27 AM, Felix Nkansah wrote:

> Hi All,
>
> A telco (fixed line/mobile carrier) is looking to deploy a centralized
> syslog solution for their environment for storing, viewing
> and analyzing logs.
>
> The plan is to have about 1,000+ server and network nodes configured to send
> logs at all levels to the syslog server 24/7.
>
> Among other things, the solution would need to be scalable, easy to use with
> web access, allow granular logs searches and retrieval, events notifications
> capabilities, and allow different levels of user access.
>
> A linux-based platform / commercial offering is preferred.
>
> Do you have any such product in mind? Thanks.
>
> Felix

From list-only at dnz.se Mon Jan 11 12:37:11 2010
From: list-only at dnz.se (Anders Lindbäck)
Date: Mon, 11 Jan 2010 18:37:11 +0100
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
Message-ID: <9444E0FD-D642-4D3F-BFA6-8A676CF24898@dnz.se>

Hi

I would second the recommendation of splunk for most of your needs, however depending on your definition of "events notifications capabilities" I would read the fine print about the notification support since I have found it somewhat lacking. But if you for instance use it for its strengths, webgui, report builds and user handling and then using something like SEC (http://simple-evcorr.sourceforge.net/) for the event notifications then I think you will be happy.

/Anders.

On Jan 11, 2010, at 4:27 PM, Felix Nkansah wrote:

> Hi All,
>
> A telco (fixed line/mobile carrier) is looking to deploy a centralized
> syslog solution for their environment for storing, viewing
> and analyzing logs.
>
> The plan is to have about 1,000+ server and network nodes configured to send
> logs at all levels to the syslog server 24/7.
>
> Among other things, the solution would need to be scalable, easy to use with
> web access, allow granular logs searches and retrieval, events notifications
> capabilities, and allow different levels of user access.
>
> A linux-based platform / commercial offering is preferred.
>
> Do you have any such product in mind? Thanks.
>
> Felix

From jasonleblanc at gmail.com Mon Jan 11 12:52:05 2010
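Anders's point above is that the notification side of a central syslog platform is often better handled by a separate rule engine such as SEC, layered on top of the store-and-search product. The following is an added example of what such a rule layer does for the Cisco devices the thread is about; it is not code from SEC, Splunk or any of the posters. The log lines are constructed in the IOS `%FACILITY-SEVERITY-MNEMONIC` format as it arrives at a relay (hostname, relay timestamp, then the device's own sequence number and timestamp), the hostnames `pe1`/`pe2` and the addresses are made up, and the two rules (page on severity 0-2, page on an interface that changes state 3 times within 5 minutes) are assumed thresholds chosen for illustration.

```python
"""Rule-based event correlation over Cisco IOS syslog (added example, not
code from SEC, Splunk or any poster in the thread).

Two rules are shown, with the thresholds chosen for illustration:
  1. any message at severity 0-2 (emergencies/alerts/critical) is notified at once;
  2. %LINK-3-UPDOWN is severity 3 and would otherwise be ignored, but an
     interface that changes state FLAP_THRESHOLD times inside FLAP_WINDOW is
     notified as flapping, once per crossing of the threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: hostname + relay timestamp, then the IOS sequence number
# and timestamp, then the message. Hosts pe1/pe2 and 192.0.2.10 are made up.
SAMPLE_LOG = """\
pe1 Jan 11 10:00:01 12345: Jan 11 10:00:01.123: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
pe1 Jan 11 10:00:04 12346: Jan 11 10:00:04.201: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
pe1 Jan 11 10:00:09 12347: Jan 11 10:00:09.077: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
pe1 Jan 11 10:00:12 12348: Jan 11 10:00:12.310: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
pe2 Jan 11 10:00:15 4711: Jan 11 10:00:15.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
pe2 Jan 11 10:00:20 4712: Jan 11 10:00:20.555: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr): 95%/2%
pe1 Jan 11 10:30:00 12349: Jan 11 10:30:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
not a syslog line at all
"""

# host, relay timestamp, anything (sequence number, device timestamp), then
# the %FACILITY-SEVERITY-MNEMONIC: text body IOS emits.
MSG_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+.*?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
IFACE_RE = re.compile(r"Interface (\S+), changed state to (up|down)")

CRITICAL_MAX_SEVERITY = 2          # 0=emergency, 1=alert, 2=critical
FLAP_THRESHOLD = 3                 # state changes ...
FLAP_WINDOW = timedelta(minutes=5) # ... within this sliding window


def parse_line(line, year=2010):
    """Return a dict of fields for one relayed IOS syslog line, or None.

    The relay timestamp carries no year, so the caller supplies one.
    """
    m = MSG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"host": m["host"], "ts": ts, "facility": m["facility"],
            "severity": int(m["sev"]), "mnemonic": m["mnemonic"], "text": m["text"]}


def correlate(log_text, year=2010):
    """Run both rules over the log and return (kind, host, detail) alerts."""
    alerts = []
    flaps = defaultdict(deque)  # (host, interface) -> timestamps inside the window
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue  # not IOS-formatted; a real engine would count these too

        if ev["severity"] <= CRITICAL_MAX_SEVERITY:
            alerts.append(("critical", ev["host"],
                           f"%{ev['facility']}-{ev['severity']}-{ev['mnemonic']}: {ev['text']}"))

        if ev["facility"] == "LINK" and ev["mnemonic"] == "UPDOWN":
            m = IFACE_RE.search(ev["text"])
            if not m:
                continue
            iface = m.group(1)
            window = flaps[(ev["host"], iface)]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FLAP_WINDOW:
                window.popleft()  # forget events that have left the window
            if len(window) == FLAP_THRESHOLD:  # fire once per crossing, not on every later flap
                alerts.append(("flapping", ev["host"],
                               f"{iface}: {len(window)} state changes within "
                               f"{int(FLAP_WINDOW.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for kind, host, detail in correlate(SAMPLE_LOG):
        print(f"[{kind}] {host}: {detail}")
```

On the constructed sample this yields two notifications: the flap on pe1's GigabitEthernet1/1 fires at the third state change, the fourth change is absorbed, and the isolated down event half an hour later starts a fresh window without firing; the severity-1 CPU threshold message from pe2 is notified immediately, while the severity-5 configuration message is only stored. The window is per (host, interface), so a flapping link on one PE does not mask or inflate events on another.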
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Mon, 11 Jan 2010 10:52:05 -0700
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <20100111164746.GG23204@virtual.bogons.net>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com> <20100111164746.GG23204@virtual.bogons.net>
Message-ID:

As it should be :) It's earned it!

On Jan 11, 2010, at 9:47 AM, Simon Lockhart wrote:

>> A telco (fixed line/mobile carrier) is looking to deploy a centralized
>> syslog solution for their environment for storing, viewing
>> and analyzing logs.
>>
>> A linux-based platform / commercial offering is preferred.
>>
>> Do you have any such product in mind? Thanks.
>
> Isn't Splunk the de facto answer to that question?
>
> Simon
> --
> Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
>    Director    | * Domain & Web Hosting * Internet Consultancy *
>   Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *

From felixnkansah at gmail.com Mon Jan 11 13:13:54 2010
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Mon, 11 Jan 2010 18:13:54 +0000
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To:
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com> <20100111164746.GG23204@virtual.bogons.net>
Message-ID: <18dba4e51001111013i5d9c206au41b1a65b8233f648@mail.gmail.com>

Hi Guys.

Thanks so much for the jury's unanimous verdict. Splunk you voted, and Splunk it is.

On Mon, Jan 11, 2010 at 5:52 PM, Jason LeBlanc wrote:

> As it should be :) It's earned it!
>
> On Jan 11, 2010, at 9:47 AM, Simon Lockhart wrote:
>
> >> A telco (fixed line/mobile carrier) is looking to deploy a centralized
> >> syslog solution for their environment for storing, viewing
> >> and analyzing logs.
> >>
> >> A linux-based platform / commercial offering is preferred.
> >>
> >> Do you have any such product in mind? Thanks.
> >
> > Isn't Splunk the de facto answer to that question?
> >
> > Simon
> > --
> > Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
> >    Director    | * Domain & Web Hosting * Internet Consultancy *
> >   Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *
>

From avayner at cisco.com Mon Jan 11 13:15:27 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 11 Jan 2010 19:15:27 +0100
Subject: [c-nsp] 3550 as CE
In-Reply-To:
References:
Message-ID:

Nasir,

Be careful about QOS requirements. If your WAN uplink is a subrate link (i.e. a 1GigE port with an SLAN of <1GigE) you need to perform egress shaping on that interface, which is not supported on 3550 (or most LAN switches).

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of nasir.shaikh at bt.com
Sent: Monday, January 11, 2010 18:00
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3550 as CE

Hi,

Due to the global shortage of 73xx routers I am contemplating to use some old 3550-12Ts as CE routers on a site where a connection is required urgently.

I will be using a fibre link from the local ADM as my WAN link (int g0/11 or g0/12 on the 3550)

I have enough experience with the 3550 platform EMI with full routing but have always used it as a CPE behind the CE.

Given the right GBIC, is there any reason why this won't work? Any experiences that someone would care to share?

Thanks in advance

Nasir Shaikh

From brandon at burn.net Mon Jan 11 14:41:19 2010
From: brandon at burn.net (Brandon Applegate)
Date: Mon, 11 Jan 2010 14:41:19 -0500 (EST)
Subject: [c-nsp] ASA ipv6 + icmp types
Message-ID:

So I'm playing around with ipv6 on the ASA. I'm running the latest code (8.2(1)). And in trying to get traceroutes and pings 'through' the ASA, I've found that icmp-types are translated to 'english' but using the ipv4 codes. I.e. code 3 for ipv6 is time-exceeded but shows up in config as unreachable (because unreachable == 3 in ipv4).

I'm guessing I should open a TAC case and complain ? You could call it a cosmetic issue, but I see myself making mistakes because the burden is on me to translate the icmp types as I enter config :(

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."

From kwoody at citytel.net Mon Jan 11 14:37:35 2010
From: kwoody at citytel.net (Keith)
Date: Mon, 11 Jan 2010 11:37:35 -0800 (PST)
Subject: [c-nsp] Renumber of DSL.
Message-ID: <20100111111415.M28334@pop.citytel.net>

We have a 6260 Dslam which terminates its ATM interface on a 7204 ATM for customers.

On the Dslam we configure a customer like this:

interface ATM1/2
 no ip address
 dsl subscriber xxxxx
 dsl profile standard
 no atm ilmi-keepalive
 atm pvc 0 35 interface ATM0/1 1 36
!

Then on the 7204 the customer is terminated as so:

interface ATM4/0.3 point-to-point
 description xxxxx
 ip address 64.114.226.13 255.255.255.252
 atm route-bridged ip
 pvc 1/36
  oam-pvc 10
  encapsulation aal5snap
!

We have a /23 and one /24 that we use for this DSL and we would like to renumber out of them.

On the Dslam I was thinking of changing

atm pvc 0 35 interface ATM0/1 1 36

to

atm pvc 0 35 interface ATM0/1 1

Then on the 7204 creating a new ATM p2p sub-interface with the new pvc and new IP's and get the customer to renumber then delete the old sub interface.

But now I just realized just change the IP address on the ATM sub-interface on the router and get the customer to renumber to the new IP. No changing of PVC's needed.

There is another FastE interface on the 7204 that would connect to a new switch which goes out to a new upstream that the new block of IP's would route and would allow customers to use the old IP blocks until we get them to renumber.

This is all just off the top of my head but it seems either should work.

Anyone see a problem with this renumber?

Thanks,
Keith

From lists at hojmark.org Mon Jan 11 15:37:17 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Mon, 11 Jan 2010 21:37:17 +0100
Subject: [c-nsp] QinQ Layer2 QoS - 3550?
In-Reply-To: <201001111536.30292.rolf-web@internet.ao>
References: <201001111536.30292.rolf-web@internet.ao>
Message-ID: <5v2nk5lgg8fttdg0ui5ndpnhjooogetfk2@hojmark.net>

On Mon, 11 Jan 2010 15:36:30 +0100, you wrote:

> What does one need to support Layer-2 QoS on QinQ, newer Juniper EX switches?
> Cisco 3750's?

ME-3400E supports copying inner CoS to outer CoS.

-A

From perc69 at gmail.com Mon Jan 11 15:46:54 2010
From: perc69 at gmail.com (Per Carlson)
Date: Mon, 11 Jan 2010 21:46:54 +0100
Subject: [c-nsp] QinQ Layer2 QoS - 3550?
In-Reply-To: <201001111536.30292.rolf-web@internet.ao>
References: <201001111536.30292.rolf-web@internet.ao>
Message-ID: <746ca6da1001111246gc701716vc75425e363c19e23@mail.gmail.com>

Hi.

> We have a number of Cisco 3550's doing QinQ on a Metro-E network.
>
> I was wondering whether anybody is successfully copying the 802.1P info from
> the Inner Tag, to the Outer Tag.

Sorry, but that's not possible on a 3550-class of switch. Only standard Catalyst (that I'm aware of) supporting it are 6500 with WS-X67xx LC's using CoS-mutation (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1727443).

> What does one need to support Layer-2 QoS on QinQ, newer Juniper EX switches?
> Cisco 3750's?

A ME3400E (notice the E in the end) will do the trick (http://www.cisco.com/en/US/docs/switches/metro/me3400e/software/release/12.2_44_ey/configuration/guide/swqos.html#wp1643001).

--
Pelle

From tony at lava.net Mon Jan 11 15:55:50 2010
From: tony at lava.net (Antonio Querubin)
Date: Mon, 11 Jan 2010 10:55:50 -1000 (HST)
Subject: [c-nsp] Renumber of DSL.
In-Reply-To: <20100111111415.M28334@pop.citytel.net>
References: <20100111111415.M28334@pop.citytel.net>
Message-ID:

On Mon, 11 Jan 2010, Keith wrote:

> But now I just realized just change the IP address on the ATM
> sub-interface on the router and get the customer to renumber to the new
> IP. No changing of PVC's needed.
>
> There is another FastE interface on the 7204 that would connect to a new
> switch which goes out to a new upstream that the new block of IP's would
> route and would allow customers to use the old IP blocks until we get them
> to renumber.

Just add the new address as a primary and make the old address secondary. Then when the customer is done renumbering just delete the secondary address.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From dale.shaw+cisco-nsp at gmail.com Mon Jan 11 16:13:50 2010
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 12 Jan 2010 08:13:50 +1100
Subject: [c-nsp] recommended router for following specs
In-Reply-To: <102327.73473.qm@web36205.mail.mud.yahoo.com>
References: <102327.73473.qm@web36205.mail.mud.yahoo.com>
Message-ID: <3329cbb41001111313mc5bb1e7ue5e23085f029da18@mail.gmail.com>

Hi,

On Mon, Jan 11, 2010 at 10:14 PM, Rasheed Khan wrote:
>
> could anybody recommend core router and modules required for below specs
>

Yeah, sure, send us all a copy of the Request For Tender / Request For Quote you're responding to, and we'll all have a go. I mean, that's the only fair way, right? Unless you're offering some kind of commission if you win the deal? ;-)

cheers,
Dale

From david at hughes.com.au Mon Jan 11 18:17:35 2010
From: david at hughes.com.au (David Hughes)
Date: Tue, 12 Jan 2010 09:17:35 +1000
Subject: [c-nsp] Port channel bug in SXI3 - CSCtd93384
In-Reply-To:
References: <94503B54-1DD5-4B99-A788-3CBB4FE849D1@Hughes.com.au>
Message-ID: <7B899B02-8375-4DA2-87E6-B60604D7CA42@hughes.com.au>

Further follow-up on this for those running SXI3:

Turns out to be a problem with the parser cache. If you are running "parser config cache interface" then the "real" running config can get out of sync with what the box thinks is the running config. If you then do a "copy run start" things can get interesting. Might be worth turning that feature off if you are running it.

David
...

On 18/12/2009, at 5:00 PM, David Hughes wrote:

>
> This now has a bug ID associated with it. We've got the same problem on SXI2 and SXI3. For anyone interested, the Bug ID is CSCtd93384.
>
>
> David
> ...
>
>
> On 15/12/2009, at 11:59 AM, David Hughes wrote:
>
>> Hi
>>
>> Since moving to SXI3 we've seen issues with port channels. Problems such as the physical interfaces and port channel config getting out of sync. A "sh run int" on a member of the Po will say it's shutdown but a "sh run int" on the Po itself shows it's up (and a "sh int" does too). It's not impacting on the operation of the box but it's confusing the hell out of some of the engineers having to work on them.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From lists.james.edwards at gmail.com Mon Jan 11 19:50:06 2010
From: lists.james.edwards at gmail.com (james edwards)
Date: Mon, 11 Jan 2010 17:50:06 -0700
Subject: [c-nsp] Timing slips on an 2811
Message-ID:

I am getting timing slips on an ATM T-1 when the clocking is set to line. Setting it to internal is of course no better. I am using a VWIC2-1MFT-T1/E1 on IOS c2800nm-spservicesk9-mz.124-21a.bin. Links to troubleshooting docs about slips or suggestions on what is wrong with the config will be appreciated.

#sho controllers t1 0/0/0
T1 0/0/0 is up.
  Applique type is Channelized T1
  Cablelength is short 330
  No alarms detected.
  alarm-trigger is not set
  Soaking time: 3, Clearance time: 10
  AIS State:Clear  LOS State:Clear  LOF State:Clear
  Version info Firmware: 20071011, FPGA: 13, spm_count = 0
  Framing is ESF, Line Code is B8ZS, Clock Source is Line.   <----------------
  CRC Threshold is 320. Reported from firmware is 320.
  //////
  Total Data (last 12 15 minute intervals):
     0 Line Code Violations, 0 Path Code Violations,
     1512 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     1512 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Here is the config:

card type t1 0 0

network-clock-participate wic 0
network-clock-participate aim 0

controller T1 0/0/0
 mode atm aim 0
 framing esf
 linecode b8zs
 cablelength short 330
 clock source line

interface ATM0/0/0
 description Circuit ID xxxxxx
 no ip address
 no scrambling-payload
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 description ATM T-1 to xxx
 ip address x.x.x.x x.x.x.x
 ip access-group 100 out
 snmp trap link-status
 pvc 1/32
  cbr 1536
  encapsulation aal5snap

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From andy.petrenko at gmail.com Tue Jan 12 06:55:32 2010
From: andy.petrenko at gmail.com (Andrey 'sshd' Petrenko)
Date: Tue, 12 Jan 2010 13:55:32 +0200
Subject: [c-nsp] Ethernet Network
In-Reply-To:
References:
Message-ID: <6b300f5d1001120355l74ee55b3x6d83992f56b0a0c8@mail.gmail.com>

Sorry, on MPLS interfaces use mtu 1546.

2010/1/11 Mohammad Khalil
>
> hi all
> we have a WiMAX network; our network is all Cisco: Cisco 7606, Cisco 6524
> ME, Cisco 3750 ME
> and we enabled MPLS in our network in order to provide MPLS services to our
> customers (VPLS, L3VPN, EoMPLS)
> what is the best MTU value that I can enable on my network, either on an
> interface basis or on a system basis?
>
> Thanks in advance
>

--
With best regards,
Andrey 'sshd' Petrenko
xmmp: sshd at jabber.org
gtalk: andy.petrenko at gmail.com
skype: andy.petrenko
web: http://sshd.by

From denaccie at gmail.com Tue Jan 12 09:27:05 2010
From: denaccie at gmail.com (My Name)
Date: Tue, 12 Jan 2010 09:27:05 -0500
Subject: [c-nsp] Ethernet Network
In-Reply-To: <6b300f5d1001120355l74ee55b3x6d83992f56b0a0c8@mail.gmail.com>
References: <6b300f5d1001120355l74ee55b3x6d83992f56b0a0c8@mail.gmail.com>
Message-ID:

Andrey,

Is there a breakdown or analysis on why you are choosing 1546? I assume the following:

1500 bytes max data + 22 max header + 4 CRC trailer + 4 byte 802.1q tag + 16 up to 4 labels = 1546?

Why not just enable jumbos and set it as high as possible?

mike

On Tue, Jan 12, 2010 at 6:55 AM, Andrey 'sshd' Petrenko <andy.petrenko at gmail.com> wrote:

> Sorry, on MPLS interfaces use mtu 1546.
>
> 2010/1/11 Mohammad Khalil
> >
> > hi all
> > we have a WiMAX network; our network is all Cisco: Cisco 7606, Cisco 6524
> > ME, Cisco 3750 ME
> > and we enabled MPLS in our network in order to provide MPLS services to our
> > customers (VPLS, L3VPN, EoMPLS)
> > what is the best MTU value that I can enable on my network, either on an
> > interface basis or on a system basis?
> >
> > Thanks in advance
> >
>
> --
> With best regards,
> Andrey 'sshd' Petrenko
> xmmp: sshd at jabber.org
> gtalk: andy.petrenko at gmail.com
> skype: andy.petrenko
> web: http://sshd.by

From cisco-nsp at slepicka.net Tue Jan 12 09:41:15 2010
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Tue, 12 Jan 2010 08:41:15 -0600
Subject: [c-nsp] Timing slips on an 2811
In-Reply-To:
References:
Message-ID: <4B4C8A0B.7020803@slepicka.net>

try 'network-clock-select 1 T1 0/0/0'

if you run a sh network-clocks, your output should be similar to this:

#sh network-clocks
Network Clock Configuration
---------------------------
Priority      Clock Source        Clock State   Clock Type

 1            T1 0/0/0            GOOD          T1
 10           Backplane           GOOD          PLL

Current Primary Clock Source
---------------------------
Priority      Clock Source        Clock State   Clock Type

 1            T1 0/0/0            GOOD          T1


james edwards wrote:
> I am getting timing slips on an ATM T-1 when the clocking is set to line.
> Setting it to internal is of course no better.
> I am using a VWIC2-1MFT-T1/E1 on IOS c2800nm-spservicesk9-mz.124-21a.bin.
> Links to troubleshooting docs
> about slips or suggestions on what is wrong with the config will be
> appreciated.
>
>
> #sho controllers t1 0/0/0
> T1 0/0/0 is up.
>   Applique type is Channelized T1
>   Cablelength is short 330
>   No alarms detected.
>   alarm-trigger is not set
>   Soaking time: 3, Clearance time: 10
>   AIS State:Clear  LOS State:Clear  LOF State:Clear
>   Version info Firmware: 20071011, FPGA: 13, spm_count = 0
>   Framing is ESF, Line Code is B8ZS, Clock Source is Line.   <----------------
>   CRC Threshold is 320. Reported from firmware is 320.
>   //////
>   Total Data (last 12 15 minute intervals):
>      0 Line Code Violations, 0 Path Code Violations,
>      1512 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
>      1512 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
>
>
> Here is the config:
>
> card type t1 0 0
>
> network-clock-participate wic 0
> network-clock-participate aim 0
>
> controller T1 0/0/0
>  mode atm aim 0
>  framing esf
>  linecode b8zs
>  cablelength short 330
>  clock source line
>
> interface ATM0/0/0
>  description Circuit ID xxxxxx
>  no ip address
>  no scrambling-payload
>  no atm ilmi-keepalive
> !
> interface ATM0/0/0.1 point-to-point
>  description ATM T-1 to xxx
>  ip address x.x.x.x x.x.x.x
>  ip access-group 100 out
>  snmp trap link-status
>  pvc 1/32
>   cbr 1536
>   encapsulation aal5snap
>
>

From drew.weaver at thenap.com Tue Jan 12 09:47:53 2010
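As an added example (not code from the thread), a small Python checker that parses the "show controllers t1" and "show network-clocks" output quoted above and flags the condition James hit: slip seconds accumulating while the controller uses clock source line but the router's primary network clock is still the backplane PLL, i.e. no network-clock-select is in place. The "before" network-clocks output is constructed for illustration; the other two samples are the output posted in the thread.

```python
import re

# "show controllers t1" output as posted in the thread (slips with clock source Line).
SHOW_CONTROLLERS_T1 = """\
T1 0/0/0 is up.
  Applique type is Channelized T1
  Cablelength is short 330
  No alarms detected.
  alarm-trigger is not set
  Soaking time: 3, Clearance time: 10
  AIS State:Clear  LOS State:Clear  LOF State:Clear
  Version info Firmware: 20071011, FPGA: 13, spm_count = 0
  Framing is ESF, Line Code is B8ZS, Clock Source is Line.
  CRC Threshold is 320. Reported from firmware is 320.
  Total Data (last 12 15 minute intervals):
     0 Line Code Violations, 0 Path Code Violations,
     1512 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     1512 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
"""

# Constructed "show network-clocks" output for a router with no network-clock-select
# configured: only the free-running backplane PLL is available, so it is primary.
NETCLK_BEFORE = """\
Network Clock Configuration
---------------------------
Priority      Clock Source        Clock State   Clock Type

 10           Backplane           GOOD          PLL

Current Primary Clock Source
---------------------------
Priority      Clock Source        Clock State   Clock Type

 10           Backplane           GOOD          PLL
"""

# "show network-clocks" after 'network-clock-select 1 T1 0/0/0', as posted in the reply.
NETCLK_AFTER = """\
Network Clock Configuration
---------------------------
Priority      Clock Source        Clock State   Clock Type

 1            T1 0/0/0            GOOD          T1
 10           Backplane           GOOD          PLL

Current Primary Clock Source
---------------------------
Priority      Clock Source        Clock State   Clock Type

 1            T1 0/0/0            GOOD          T1
"""


def parse_t1_controller(text):
    """Extract controller name, state, framing/clock settings and the Total Data counters."""
    info = {"controller": None, "state": None, "clock_source": None, "counters": {}}
    m = re.search(r"^(T1 \S+) is (\w+)\.", text, re.M)
    if m:
        info["controller"], info["state"] = m.group(1), m.group(2)
    m = re.search(r"Framing is (\w+), Line Code is (\w+), Clock Source is (\w+)", text)
    if m:
        info["framing"], info["linecode"], info["clock_source"] = m.groups()
    # Counters live after the "Total Data" header; restricting the scan to that part
    # avoids picking up numbers from the firmware/FPGA and soak-time lines above it.
    _, _, totals = text.partition("Total Data")
    for count, name in re.findall(r"(\d+)\s+([A-Za-z][A-Za-z ]*?)(?=,|\s*$)", totals, re.M):
        info["counters"][name.strip()] = int(count)
    return info


def primary_clock_source(text):
    """Return (priority, source, state) from the 'Current Primary Clock Source' table, or None."""
    _, sep, primary = text.partition("Current Primary Clock Source")
    if not sep:
        return None
    for line in primary.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.+?)\s+(\w+)\s+(\w+)\s*$", line)
        if m:
            return int(m.group(1)), m.group(2), m.group(3)
    return None


def diagnose_slips(controller_text, network_clocks_text):
    """Return a list of findings; an empty list means no slips were recorded."""
    t1 = parse_t1_controller(controller_text)
    primary = primary_clock_source(network_clocks_text)
    findings = []
    slips = t1["counters"].get("Slip Secs", 0)
    if slips == 0:
        return findings
    findings.append(f"{t1['controller']}: {slips} slip seconds in the reporting window")
    if t1["clock_source"] and t1["clock_source"].lower() == "line":
        # The controller recovers clock from the line, but the router's network clock
        # (which the participating WIC/AIM follow) may still be the backplane PLL.
        if primary is None or primary[1] != t1["controller"]:
            src = primary[1] if primary else "unknown"
            findings.append(f"network clock primary is '{src}', not {t1['controller']}; "
                            f"consider 'network-clock-select 1 {t1['controller']}'")
    return findings


if __name__ == "__main__":
    for finding in diagnose_slips(SHOW_CONTROLLERS_T1, NETCLK_BEFORE):
        print(finding)
```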
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 12 Jan 2010 09:47:53 -0500
Subject: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB
Message-ID:

Hi,

We've been struggling with an issue on one of our 6500s for about a week or so. It started out where the system would run on the supervisor in slot 8 for about 16-24 hours, then fail over to the secondary supervisor in slot 7 for "no" reason, then this error would be presented, and then it would immediately flip back to slot 8.

Originally the error message was:

Jan 12 09:36:03.144 EST: %FABRIC-SP-3-DISABLE_FAB: The fabric manager disabled active fabric in slot 7 due to the error (2) on this channel (FPOE 8) connected to slot 4

We re-seated the card in slot 4, and eventually replaced it, and everything seemed to finally stabilize.

This morning, as a test, I forced it to switch over to the card in slot 7 to see if it would immediately switch back to the card in slot 8. It did not, and I was fairly pleased; however, we now got this error:

Jan 12 09:36:03.144 EST: %FABRIC-SP-3-DISABLE_FAB: The fabric manager disabled active fabric in slot 7 due to the error (2) on this channel (FPOE 8) connected to slot 13

We went to re-seat the completely unused 6548 card in slot 13 (this is a 6513) and it caused a failover again.

Jan 12 09:35:10.353 EST: %OIR-SP-6-REMCARD: Card removed from slot 13, interfaces disabled
Jan 12 09:36:03.144 EST: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
Jan 12 09:36:03.144 EST: %FABRIC-SP-3-DISABLE_FAB: The fabric manager disabled active fabric in slot 7 due to the error (2) on this channel (FPOE 8) connected to slot 13
Jan 12 09:36:03.144 EST: %OIR-SP-3-PWRCYCLE: Card in module 7, is being power-cycled off (Fabric channel errors)

Anyone have any thoughts as to what might be occurring here? We can replace the card in slot 13 as well but we are concerned about the exciting game of musical fabric errors the switch is playing.

-Drew

From nasir.shaikh at bt.com Tue Jan 12 10:07:27 2010
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Tue, 12 Jan 2010 15:07:27 -0000
Subject: [c-nsp] 3550 as CE
In-Reply-To:
Message-ID:

Arie,

Thanks. No, I don't have a subrate link, although I do intend to use (an aggregate) policer on the 1G link. I am currently happily running 12.1(22)EA8; do you think I should upgrade to 12.2(44)SE? I only need to be able to do QoS marking based on IP ACLs.

tia
Nasir Shaikh

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: 11 January 2010 19:15
To: Shaikh,NM,Nasir,JBFQ R; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 3550 as CE

Nasir,

Be careful about QoS requirements. If your WAN uplink is a subrate link (i.e. a 1GigE port with an SLAN of <1GigE) you need to perform egress shaping on that interface, which is not supported on 3550 (or most LAN switches).

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of nasir.shaikh at bt.com
Sent: Monday, January 11, 2010 18:00
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3550 as CE

Hi,

Due to the global shortage of 73xx routers I am contemplating using some old 3550-12Ts as CE routers on a site where a connection is required urgently. I will be using a fibre link from the local ADM as my WAN link (int g0/11 or g0/12 on the 3550). I have enough experience with the 3550 platform EMI with full routing but have always used it as a CPE behind the CE. Given the right GBIC, is there any reason why this won't work? Any experiences that someone would care to share?

Thanks in advance
Nasir Shaikh

From ianh at ianh.net.au Tue Jan 12 10:15:10 2010
From: ianh at ianh.net.au (Ian Henderson)
Date: Tue, 12 Jan 2010 23:15:10 +0800 (WST)
Subject: [c-nsp] DS3 over STM1
Message-ID:

Hi all,

I'm in the process of moving one of our remote offices from one carrier to another. At the moment we have an L3VPN terminating GigE at the remote end on a 7301 and DS3 on a G1 with PA-2T3 at the head office. Link does 10Mbit, about half split between voice and data.

The new carrier has provisioned a 45Mbit clear channel service with a DS3 at the remote site, and a channelised STM1 at the head office. I can't seem to find a combination of router/card/mux to make this work.

- Cisco 7200 with PA-MC-STM1 can't channelise larger than E1.
- Cisco 7600 with SPA-1XCHSTM1/OC3 can do it according to the spec sheet for the SPA, but is incredibly over-specced and pricey.
- Adtran Opti-3 is SONET/OC3 only (but I can't find confirmation of this).
- Juniper M7i with STM1 IQ PIC can't channelise larger than E1.
- Juniper M7i with OC3 IQ PIC can channelise DS3, but doesn't do SDH framing for STM1.
- The carrier suggested re-engineering the service to deliver 21 E1s and run MLPPP over them. The data sheet for the PA-MC-T3-EC indicates MLPPP is only possible in hardware up to 12 T1s. I doubt MLPPP in software would perform at all, let alone perform well.

I've never worked with channelised services more complicated than DS0s in an E1, so I've got a few questions:

- Has anyone ever done this? What config/hardware did you use?
- Are there any muxes/converters/router interfaces that can do this at the ~20Mbit end of the market?
- Does the Adtran support intermixing of SONET and SDH (DS3 over STM1)?

Many thanks,

- I.

From asturluismi at gmail.com Tue Jan 12 11:20:37 2010
From: asturluismi at gmail.com (luismi)
Date: Tue, 12 Jan 2010 17:20:37 +0100
Subject: [c-nsp] IP/VC 3526 serial port is not showing anything
Message-ID: <1263313237.30768.2.camel@hal9000>

Hi all,

We took a Cisco IP/VC 3526 from one of our racks. We tried to access it over the serial port with 9600 8N1 -as the documentation says- and it didn't work. We also have an alarm on the front but we were not able to find a reference to it in the documentation.

As far as we read, the product is EoL/EoS but it will have support until 2011 or 2012, so what is the natural alternative to replace it? Any comment is welcome; it doesn't necessarily have to be Cisco.

From p.mayers at imperial.ac.uk Tue Jan 12 11:40:05 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 12 Jan 2010 16:40:05 +0000
Subject: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB
In-Reply-To:
References:
Message-ID: <4B4CA5E5.7080909@imperial.ac.uk>

>
> Anyone have any thoughts as to what might be occurring here? We can
> replace the card in slot 13 as well but we are concerned about the
> exciting game of musical fabric errors the switch is playing.

This might sound a bit odd, but you might see it go away with a reload. We've had funnies with fabric channels that were reliably reproducible, until we reloaded the box as a "last try" before RMAing - and it and all of its linecards have been fine since.

Not the most reassuring statement, I know.

If you have a spare chassis you could try GOLDing the relevant cards one by one, using the disruptive tests (standard disclaimer: some of the disruptive tests fail if there's *ANY* config on the box at all; some fail under certain IOS versions; and so forth). If the cards all pass, it's probably fine :o/

From lists.james.edwards at gmail.com Tue Jan 12 11:44:35 2010
From: lists.james.edwards at gmail.com (james edwards)
Date: Tue, 12 Jan 2010 09:44:35 -0700
Subject: [c-nsp] Timing slips on an 2811
In-Reply-To: <4B4C8A0B.7020803@slepicka.net>
References: <4B4C8A0B.7020803@slepicka.net>
Message-ID:

On Tue, Jan 12, 2010 at 7:41 AM, James Slepicka wrote:

> try 'network-clock-select 1 T1 0/0/0'
>
> if you run a sh network-clocks, your output should be similar to this:
>
> #sh network-clocks
> Network Clock Configuration
> ---------------------------
> Priority      Clock Source        Clock State   Clock Type
>
>  1            T1 0/0/0            GOOD          T1
>  10           Backplane           GOOD          PLL
>
> Current Primary Clock Source
> ---------------------------
> Priority      Clock Source        Clock State   Clock Type
>
>  1            T1 0/0/0            GOOD          T1

Thanks James, that did the trick. Thanks to everyone who helped out on this one.

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From drew.weaver at thenap.com Tue Jan 12 12:01:06 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 12 Jan 2010 12:01:06 -0500
Subject: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB
In-Reply-To: <4B4CA5E5.7080909@imperial.ac.uk>
References: <4B4CA5E5.7080909@imperial.ac.uk>
Message-ID:

Hi Phil,

We actually upgraded from SXF13 to SXF17 since this issue began, so we have 'reloaded' it; we haven't completely powered it off and back on yet though.

thanks,
-Drew

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Tuesday, January 12, 2010 11:40 AM
To: Drew Weaver
Cc: Cisco-nsp
Subject: Re: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB

>
> Anyone have any thoughts as to what might be occurring here? We can
> replace the card in slot 13 as well but we are concerned about the
> exciting game of musical fabric errors the switch is playing.

This might sound a bit odd, but you might see it go away with a reload. We've had funnies with fabric channels that were reliably reproducible, until we reloaded the box as a "last try" before RMAing - and it and all of its linecards have been fine since.

Not the most reassuring statement, I know.

If you have a spare chassis you could try GOLDing the relevant cards one by one, using the disruptive tests (standard disclaimer: some of the disruptive tests fail if there's *ANY* config on the box at all; some fail under certain IOS versions; and so forth). If the cards all pass, it's probably fine :o/

From p.mayers at imperial.ac.uk Tue Jan 12 12:03:17 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 12 Jan 2010 17:03:17 +0000
Subject: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB
In-Reply-To:
References: <4B4CA5E5.7080909@imperial.ac.uk>
Message-ID: <4B4CAB55.2080004@imperial.ac.uk>

Drew Weaver wrote:
> Hi Phil,
>
> We actually upgraded from SXF13 to SXF17 since this issue began so we
> have 'reloaded' it, we haven't completely powered it off and back on
> yet though.

I'm trying to remember whether we actually cold- or warm-booted ours. I think it very likely it was a warm boot.

From DLasher at newedgenetworks.com Tue Jan 12 12:28:20 2010
From: DLasher at newedgenetworks.com (Lasher, Donn)
Date: Tue, 12 Jan 2010 09:28:20 -0800
Subject: [c-nsp] Ethernet Network
In-Reply-To:
References: <6b300f5d1001120355l74ee55b3x6d83992f56b0a0c8@mail.gmail.com>
Message-ID:
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of My Name
Sent: Tuesday, January 12, 2010 9:27 AM
To: Andrey 'sshd' Petrenko
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Ethernet Network

>> SNIP >>
>
> 1500 bytes max data + 22 max header + 4 CRC trailer + 4 byte 802.1q tag
> +16 up to 4 labels = 1546?
>
> Why not just enable jumbos and set it as high as possible?

1546 = largest MTU the 355x/356x switches, PA-FE, etc, will support, as I recall.

From ibrahim.abozaid at gmail.com Tue Jan 12 13:08:50 2010
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 12 Jan 2010 20:08:50 +0200
Subject: [c-nsp] MPLS TE and PIM
Message-ID:

Hi

I have a question about PIM: can PIM messages flow across an MPLS TE tunnel? Why can't PIM neighborship be established over the tunnel?

thanks
--Ibrahim

From dwcarder at wisc.edu Tue Jan 12 12:20:58 2010
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Tue, 12 Jan 2010 11:20:58 -0600
Subject: [c-nsp] ASA ipv6 + icmp types
In-Reply-To:
References:
Message-ID: <22317044-D722-4D04-BB9B-8699461DEEB8@wisc.edu>

On Jan 11, 2010, at 1:41 PM, Brandon Applegate wrote:

> So I'm playing around with ipv6 on the ASA. I'm running the latest code (8.2(1)). And in trying to get traceroutes and pings 'through' the ASA, I've found that icmp-types are translated to 'english' but using the ipv4 codes. I.e. code 3 for ipv6 is time-exceeded but shows up in config as unreachable (because unreachable == 3 in ipv4).
>
> I'm guessing I should open a TAC case and complain? You could call it a cosmetic issue, but I see myself making mistakes because the burden is on me to translate the icmp types as I enter config :(

I would certainly open a TAC case and insist on getting a bug id. C's v6 support across product lines is pretty craptastic. I recently got CSCtb29296 filed. This is very, very basic broken functionality that shows their v6 feature support and testing is negligible.

Dale

From dpz at berkeley.edu Tue Jan 12 13:29:06 2010
From: dpz at berkeley.edu (David Paul Zimmerman)
Date: Tue, 12 Jan 2010 10:29:06 -0800
Subject: [c-nsp] ASA Transparent Firewall with Multiple VLANs
In-Reply-To: <000001ca84bf$ff777800$fe666800$@net>
References: <000001ca84bf$ff777800$fe666800$@net>
Message-ID:

Sercan,

Did you ever get a response to this privately? I can rework one of my transparent-mode context configurations as a sample configuration if not.

dp

On Dec 24, 2009, at 9:39 AM, Sercan Aktas wrote:

> Hi guys,
>
> I have a specific customer scenario, where multiple VLANs need to be
> firewalled and due to the environment transparent firewall seems to be the
> best solution. However, this is an SP environment and my customer has the
> concern of having 50 virtual contexts as a serious limitation. I have seen
> in some Cisco documents stating that multiple VLANs in transparent mode were
> allowed either single mode or per virtual context. There is no detailed
> explanation or configuration example though.
>
> So what I am trying to find out is if I can bridge multiple VLAN pairs
> either through a single transparent firewall or a transparent virtual
> context? If this is doable, do any of you guys have a sample configuration
> as reference?
>
> Thanks,
>
> Sercan

From jshearer at amedisys.com Tue Jan 12 14:11:14 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Tue, 12 Jan 2010 13:11:14 -0600
Subject: [c-nsp] IP/VC 3526 serial port is not showing anything
In-Reply-To: <1263313237.30768.2.camel@hal9000>
References: <1263313237.30768.2.camel@hal9000>
Message-ID:

Have you tried different baud rates? I have found some 35xx MCUs come from the factory set at 115200.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Tuesday, January 12, 2010 10:21 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IP/VC 3526 serial port is not showing anything

Hi all,

We took a Cisco IP/VC 3526 from one of our racks. We tried to access it over the serial port with 9600 8N1 -as the documentation says- and it didn't work. We also have an alarm on the front but we were not able to find a reference to it in the documentation.

As far as we read, the product is EoL/EoS but it will have support until 2011 or 2012, so what is the natural alternative to replace it? Any comment is welcome; it doesn't necessarily have to be Cisco.

From panocisco77 at gmail.com Tue Jan 12 14:35:41 2010
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Tue, 12 Jan 2010 14:35:41 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
Message-ID: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com>

Hello All

How do I fix Minor Errors besides reseating the module? Anybody know?

Mod  Online Diag Status
---- -------------------
1    Pass
2    Pass
3    Pass
4    Minor Error
5    Pass
6    Pass
7    Pass
8    Pass
9    Minor Error

From panocisco77 at gmail.com Tue Jan 12 14:38:02 2010
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Tue, 12 Jan 2010 14:38:02 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45AF
Message-ID: <16e2ac181001121138l295b8ee4k44ecddb7485c2df8@mail.gmail.com>

Hello All

How do I fix Minor Errors besides reseating the module? Anybody know?

Mod  Online Diag Status
---- -------------------
1    Pass
2    Pass
3    Pass
4    Minor Error
5    Pass
6    Pass
7    Pass
8    Pass
9    Minor Error

From dcp at dcptech.com Tue Jan 12 14:57:05 2010
From: dcp at dcptech.com (David Prall)
Date: Tue, 12 Jan 2010 14:57:05 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
In-Reply-To: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com>
References: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com>
Message-ID: <001e01ca93c1$6b2071a0$416154e0$@com>

What does "sh diag" give you for the module?

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Renelson Panosky
> Sent: Tuesday, January 12, 2010 2:36 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
>
> Hello All
>
> How do I fix Minor Errors besides reseating the module? Anybody know?
>
> Mod  Online Diag Status
> ---- -------------------
> 1    Pass
> 2    Pass
> 3    Pass
> 4    Minor Error
> 5    Pass
> 6    Pass
> 7    Pass
> 8    Pass
> 9    Minor Error

From panocisco77 at gmail.com Tue Jan 12 15:03:13 2010
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Tue, 12 Jan 2010 15:03:13 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
In-Reply-To: <001e01ca93c1$6b2071a0$416154e0$@com>
References: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com> <001e01ca93c1$6b2071a0$416154e0$@com>
Message-ID: <16e2ac181001121203o664cc7d2l5a80e37a8634ed5d@mail.gmail.com>

sho diagnostic status

- Bootup Diagnostics, - Health Monitoring Diagnostics,
- OnDemand Diagnostics, - Scheduled Diagnostics

====== ================================= =============================== ======
Card   Description                       Current Running Test            Run by
------ --------------------------------- ------------------------------- ------
1      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
2      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
3      48-port 10/100/1000 RJ45 EtherMod TestNonDisruptiveLoopback
4      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
5      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
6      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
7      Supervisor Engine 32 8GE (Active) N/A                             N/A
8      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
9      48 port 10/100/1000mb EtherModule N/A                             N/A
====== ================================= =============================== ======

On Tue, Jan 12, 2010 at 2:57 PM, David Prall wrote:

> What does "sh diag" give you for the module?
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Renelson Panosky
> > Sent: Tuesday, January 12, 2010 2:36 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
> >
> > Hello All
> >
> > How do I fix Minor Errors besides reseating the module? Anybody know?
> >
> > Mod  Online Diag Status
> > ---- -------------------
> > 1    Pass
> > 2    Pass
> > 3    Pass
> > 4    Minor Error
> > 5    Pass
> > 6    Pass
> > 7    Pass
> > 8    Pass
> > 9    Minor Error
>

From dcp at dcptech.com Tue Jan 12 15:12:34 2010
From: dcp at dcptech.com (David Prall)
Date: Tue, 12 Jan 2010 15:12:34 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
In-Reply-To: <16e2ac181001121203o664cc7d2l5a80e37a8634ed5d@mail.gmail.com>
References: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com> <001e01ca93c1$6b2071a0$416154e0$@com> <16e2ac181001121203o664cc7d2l5a80e37a8634ed5d@mail.gmail.com>
Message-ID: <002501ca93c3$956e9ac0$c04bd040$@com>

That's the status, which shows one is currently running. But what does sh diag tell us is wrong?

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: Renelson Panosky [mailto:panocisco77 at gmail.com]
> Sent: Tuesday, January 12, 2010 3:03 PM
> To: David Prall
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6509-E with WS-X6148A-GE-45A
>
> sho diagnostic status
>
> - Bootup Diagnostics, - Health Monitoring Diagnostics,
> - OnDemand Diagnostics, - Scheduled Diagnostics
>
> ====== ================================= =============================== ======
> Card   Description                       Current Running Test            Run by
> ------ --------------------------------- ------------------------------- ------
> 1      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 2      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 3      48-port 10/100/1000 RJ45 EtherMod TestNonDisruptiveLoopback
> 4      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 5      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 6      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 7      Supervisor Engine 32 8GE (Active) N/A                             N/A
> 8      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 9      48 port 10/100/1000mb EtherModule N/A                             N/A
> ====== ================================= =============================== ======
>
> On Tue, Jan 12, 2010 at 2:57 PM, David Prall wrote:
>
> > What does "sh diag" give you for the module?
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > > bounces at puck.nether.net] On Behalf Of Renelson Panosky
> > > Sent: Tuesday, January 12, 2010 2:36 PM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
> > >
> > > Hello All
> > >
> > > How do I fix Minor Errors besides reseating the module? Anybody know?
> > >
> > > Mod  Online Diag Status
> > > ---- -------------------
> > > 1    Pass
> > > 2    Pass
> > > 3    Pass
> > > 4    Minor Error
> > > 5    Pass
> > > 6    Pass
> > > 7    Pass
> > > 8    Pass
> > > 9    Minor Error
> >
>

From maillist at webjogger.net Tue Jan 12 16:12:03 2010
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 12 Jan 2010 16:12:03 -0500
Subject: [c-nsp] GRE tunnel optimization
Message-ID: <4B4CE5A3.4040709@webjogger.net>

Hi,

I'm trying to pass IPSec VPN traffic over a simple GRE tunnel, with mixed results (some packet loss, high latency).

Configs on both ends:

==========
2811, 12.4(21), traffic is sent over bonded DSL lines
==========
interface Tunnel0
 ip address 172.16.16.9 255.255.255.252
 ip tcp adjust-mss 1460
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
!
interface ATM0/0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/35
  protocol ppp Virtual-Template1
!
interface ATM0/1/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/35
  protocol ppp Virtual-Template1
!
interface Virtual-Template1
 no ip address
 ppp multilink
 ppp multilink group 1
!
interface Multilink1
 ip address x.x.x.x z.z.z.z
 ip nat outside
 ip virtual-reassembly
 ppp multilink
 ppp multilink group 1

==========
1841, 12.4(24)T2, traffic is sent over Cablevision link
==========
interface Tunnel0
 ip address 172.16.16.10 255.255.255.252
 ip tcp adjust-mss 1460
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
!
interface FastEthernet0/0/0
 description *** Cablevision ***
 ip address y.y.y.y z.z.z.z
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto

The VPN is being generated by Sonicwalls on both ends. I've set MTU to 1460 on them as well.

I had originally set MTU to 1400, but it was worse.

Are there any obvious configurations I am missing to optimize this traffic? For example, is something like the following recommended on the Tunnel interfaces?

hold-queue 1024 in
hold-queue 1024 out

Thanks for your help.

Adam

From jshearer at amedisys.com Tue Jan 12 18:35:52 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Tue, 12 Jan 2010 17:35:52 -0600
Subject: [c-nsp] GRE tunnel optimization
In-Reply-To: <4B4CE5A3.4040709@webjogger.net>
References: <4B4CE5A3.4040709@webjogger.net>
Message-ID:

Why the IPSec over GRE? Typically you see GRE over IPSec to get the benefits of multicast.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam Greene Sent: Tuesday, January 12, 2010 3:12 PM To: Cisco NSP Subject: [c-nsp] GRE tunnel optimization Hi, I'm trying to pass IPSec VPN traffic over a simple GRE tunnel, with mixed results (some packet loss, high latency). Configs on both ends: ========== 2811, 12.4(21), traffic is sent over bonded DSL lines ========== interface Tunnel0 ip address 172.16.16.9 255.255.255.252 ip tcp adjust-mss 1460 tunnel source x.x.x.x tunnel destination y.y.y.y ! interface ATM0/0/0 no ip address no ip mroute-cache no atm ilmi-keepalive dsl operating-mode auto hold-queue 224 in pvc 0/35 protocol ppp Virtual-Template1 ! interface ATM0/1/0 no ip address no ip mroute-cache no atm ilmi-keepalive dsl operating-mode auto hold-queue 224 in pvc 0/35 protocol ppp Virtual-Template1 ! interface Virtual-Template1 no ip address ppp multilink ppp multilink group 1 ! interface Multilink1 ip address x.x.x.x z.z.z.z ip nat outside ip virtual-reassembly ppp multilink ppp multilink group 1 ========== 1841, 12.4(24)T2, traffic is sent over Cablevision link =========== interface Tunnel0 ip address 172.16.16.10 255.255.255.252 ip tcp adjust-mss 1460 tunnel source y.y.y.y tunnel destination x.x.x.x ! interface FastEthernet0/0/0 description *** Cablevision *** ip address y.y.y.y z.z.z.z ip nat outside ip virtual-reassembly ip tcp adjust-mss 1460 duplex auto speed auto The VPN is being generated by Sonicwalls on both ends. I've set MTU to 1460 on them as well. I had originally set MTU to 1400, but it was worse. Are there any obvious configurations I am missing to optimize this traffic? For example, is something like the following recommended on the Tunnel interfaces? hold-queue 1024 in hold-queue 1024 out Thanks for your help. 
Adam

From frnkblk at iname.com Wed Jan 13 01:02:41 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 13 Jan 2010 00:02:41 -0600
Subject: [c-nsp] Unicast flooding?
Message-ID:

We've been seeing some strange behavior on our 7609-S running 12.2(33r)SRB4. We have a VLAN (with four /24s) configured on three ports across two 10/100/1000 blades facing some FTTH transport equipment.

Customers hanging off the FTTH equipment on the third port are complaining that several times per day they lose internet access. We've been able to correlate their complaints with failed ping attempts from our workstations and the 7609-S to their public IPs. What's interesting is that it's not all the traffic, and of the 4 IPs we are tracking, two of which are on separate /24s, the outages happen within the same /24. At the same time, while using Wireshark, I can see one of the Cisco interfaces sending out 1 to 2 Mbps of traffic that should be going to one of the other two Ethernet interfaces. This is happening about a dozen times per day for 4 to 6 minutes at a time.

While the event is occurring I have verified the ARP and CAM entry. The CAM entry is associated with one of the first two Ethernet interfaces, not the third. I can clear the ARP and CAM entry from the CLI and they are re-learned with the same information, yet the traffic continues to egress the wrong Ethernet port.

I've set the ARP timeout to 4 minutes so that it's less than the CAM table's default configuration of 5 minutes, but there was no improvement. One more observation -- the errant port is the root of the bridge.

Any ideas why the 7609 would be sending traffic out an Ethernet port to a device that the CAM table says is on a different Ethernet port?
Frank

interface Vlan10
 description FTTH network
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address 67.22.a.1 255.255.255.0 secondary
 ip address 67.22.b.1 255.255.255.0 secondary
 ip address 67.22.c.1 255.255.255.0 secondary
 ip address 67.22.d.1 255.255.255.0
 ip helper-address e.f.g.h
 no ip redirects
 arp timeout 300
end

interface GigabitEthernet1/29 (and 3/39 and 3/45)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 spanning-tree portfast trunk
end

From sven at darkman.de Wed Jan 13 01:03:32 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Wed, 13 Jan 2010 07:03:32 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
Message-ID: <4B4D6234.7050101@darkman.de>

Hi there,

I'd like to use the pvlan feature from Cisco for two networks. I already read a lot of documentation on the pvlan feature on Cisco's page and many other blog posts etc. and already know that it seems not to be possible to use the pvlan feature with etherchannel/port groups on any device. Apart from no information on *why* this is not possible, I have no idea how to complete the following setup:

I'd like to have my PVLAN connected to my "core" network in a kind of redundancy and "more" bandwidth. The PVLAN has GBIT enabled devices; the uplink to the core should be more than one GBIT (to ensure that no single device is able to fill the uplink, but also able to use the max of available bandwidth). Sadly, a TGigE uplink is not yet possible. As switches we have 3560G and the core is currently a 6509.

At least the redundancy is important, so I could try it with "backup-interface" on the 6509, but this would limit the pvlan to 1GigE, which is not exactly what I want.

Another problem is that I currently plan to deploy two isolated pvlans on the 3560 switches, which "should" be no problem if I use two different primary vlans (a primary may only carry one isolated pvlan at a time), but it seems to be not possible to use one uplink/trunk port for two different isolated pvlan setups? If that's true, I would need at least four ports (two for each isolated pvlan) just to get the redundancy and would not have any uplink >1GigE...

Did I miss anything? Is there a way to get the redundancy and the bandwidth? May I use two isolated pvlans on the same uplink? Is there some way to use something "like" etherchannel with pvlans?
Or is there a way to change the setup in a way I would get pvlan + more bandwidth + redundancy without all of these problems or limitations? ;)

Thanks and regards,
Sven

From td_miles at yahoo.com Wed Jan 13 02:10:06 2010
From: td_miles at yahoo.com (Tony)
Date: Tue, 12 Jan 2010 23:10:06 -0800 (PST)
Subject: [c-nsp] Ethernet Network
In-Reply-To:
Message-ID: <499475.32176.qm@web110115.mail.gq1.yahoo.com>

--- On Wed, 13/1/10, Lasher, Donn wrote:
>
> >> SNIP >>
> >1500 bytes max data + 22 max header + 4 CRC trailer + 4 byte 802.1q tag
> >+16 up to 4 labels = 1546?
> >
> >Why not just enable jumbos and set it as high as possible?
>
> 1546 = largest MTU the 355x/356x switches, PA-FE, etc, will support, as
> I recall.

PA-FE are limited to 1530. You're correct about 1546 for the switches though.

7204(config)#int fa4/0
7204(config-if)#mtu ?
  <1500-1530>  MTU size in bytes

From ip at ioshints.info Wed Jan 13 02:36:33 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 13 Jan 2010 08:36:33 +0100
Subject: [c-nsp] Ethernet Network
In-Reply-To: <499475.32176.qm@web110115.mail.gq1.yahoo.com>
References: <499475.32176.qm@web110115.mail.gq1.yahoo.com>
Message-ID: <001a01ca9423$226f34c0$674d9e40$@info>

The MTU on PA-FE (probably) does not include MAC header and definitely does not include CRC trailer. Otherwise the minimum value of 1500 wouldn't make sense.

> -----Original Message-----
> From: Tony [mailto:td_miles at yahoo.com]
> Sent: Wednesday, January 13, 2010 8:10 AM
> To: cisco-nsp at puck.nether.net; DonnLasher
> Subject: Re: [c-nsp] Ethernet Network
>
> --- On Wed, 13/1/10, Lasher, Donn wrote:
> >
> > >> SNIP >>
> > >1500 bytes max data + 22 max header + 4 CRC trailer + 4 byte 802.1q tag
> > >+16 up to 4 labels = 1546?
> > >
> > >Why not just enable jumbos and set it as high as possible?
> >
> > 1546 = largest MTU the 355x/356x switches, PA-FE, etc, will support, as
> > I recall.
>
> PA-FE are limited to 1530. You're correct about 1546 for the switches though.
>
> 7204(config)#int fa4/0
> 7204(config-if)#mtu ?
>   <1500-1530>  MTU size in bytes
>

From p.mayers at imperial.ac.uk Wed Jan 13 04:18:21 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 13 Jan 2010 09:18:21 +0000
Subject: [c-nsp] Unicast flooding?
In-Reply-To:
References:
Message-ID: <4B4D8FDD.2080708@imperial.ac.uk>

> While the event is occurring I have verified the ARP and CAM entry. The CAM
> entry is associated with one of the first two Ethernet interfaces, not the
> third. I can clear the ARP and CAM entry from the CLI and they are
> re-learned with the same information, yet the traffic continues to egress
> the wrong Ethernet port.

Ugh.

> I've set the ARP timeout to 4 minutes so that it's less than the CAM table's
> default configuration of 5 minutes, but there was no improvement. One more
> observation -- the errant port is the root of the bridge.
>
> Any ideas why the 7609 would be sending traffic out an Ethernet port to a
> device that the CAM table says is on a different Ethernet port?

What module is the traffic coming in via? Which of the modules have DFCs?

Have you looked at:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#dfc

...specifically the 1st item "Loss of Dynamic MAC Addresses with Distributed Switching" which could possibly be related, though that is a wild guess.

How long has this been happening for?

From gert at greenie.muc.de Wed Jan 13 04:19:15 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 13 Jan 2010 10:19:15 +0100
Subject: [c-nsp] DS3 over STM1
In-Reply-To:
References:
Message-ID: <20100113091915.GX857@greenie.muc.de>

Hi,

On Tue, Jan 12, 2010 at 11:15:10PM +0800, Ian Henderson wrote:
> The new carrier has provisioned a 45Mbit clear channel service with a DS3
> at the remote site, and a channelised STM1 at the head office. I can't
> seem to find a combination of router/card/mux to make this work.

I'd ask the carrier to deliver clear channel DS3 on both ends. After all, that's what you ordered ("give us a DS3!"), no?

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany                    gert at greenie.muc.de
fax: +49-89-35655025                              gert at net.informatik.tu-muenchen.de

From pavel.skovajsa at gmail.com Wed Jan 13 04:27:03 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 13 Jan 2010 10:27:03 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <4B4D6234.7050101@darkman.de>
References: <4B4D6234.7050101@darkman.de>
Message-ID: <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com>

Hello Sven,

If I understood you correctly you can get around these limitations by using the PVLAN feature on the end-user ports only and not on the internal switch-to-switch links. On those links you can use normal "trunk" ports and spread the PVLAN to your 6509 and terminate it on L3 VLAN int.

Access layer example for end-user port somewhere in the deeps of the switched fabric:

interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100

Access layer trunk port:

interface GigabitEthernet0/1
 switchport mode trunk

On your distribution (6509) you configure:

interface Vlan10
 ip sticky-arp ignore   <--- this is important as PVLAN VLAN interface gets sticky arp by default (for some unknown reason)
 no ip proxy-arp
 private-vlan mapping 100

and normal trunk port towards the switch fabric:

interface GigabitEthernet6/1
 switchport mode trunk

Yes this is probably suboptimal to what you would like to accomplish, however the end effect is that the end-user ports cannot communicate with each other - which is probably what you want.

Another alternative is the "private-vlan trunk" feature which is described over here http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1166138 - the trouble is that AFAIK currently it works only on C4500.

-pavel skovajsa

On Wed, Jan 13, 2010 at 7:03 AM, Sven 'Darkman' Michels wrote:
>
> Hi there,
>
> i'd like to use the pvlan feature from Cisco for two networks. I already read
> a lot of documentation on the pvlan feature on ciscos page and mayn other blog
> posts etc.
and already know, that it seems not to be possible to use the pvlan > feature with etherchannel/port groups on any device. A part from no information > *why* this is not possible, i have no idea, how to complete the following setup: > > I'd like to have my PVLAN connected to my "core" network in a kind of redundancy > and "more" bandwidth. The PVLAN has GBIT enabled devices, the uplink to the core > should be more than one GBIT (to ensure that no single device is able to fill > the uplink, but also able to use max of avaiable bandwidth). Sadly, a TGigE Uplink > is not yet possble. As switches we have 3560G and the core is currently a 6509. > At least the redundancy is important, so i could try it with "backup-interface" on > the 6509, but this would limit the pvlan to 1GigE, which is not exactly what i > want. > Another problem is, that i currently plan to deploy two isolated pvlans on the > 3560 switches, which "should" be no problem if i use two different primary vlans > (a primary may only carry one isolated pvlan at a time), but it seems to be not > possible to use one uplink/trunk port for two different isolated pvlan setups? > If thats true, i would need at least four ports (two for each isolated pvlan) just > to get the redundancy and would not have any uplink >1GigE... > > Did i miss anything? is there a way to get the redundancy and the bandwidth? may > i use two isolated pvlans on the same uplink? Is there some way to use something > "like" etherchannel with pvlans? Or is there a way to change the setup in a way > i would get pvlan + more bandwidth + redundancy without all of these problems or > limitations? 
;) > > Thanks and regards, > Sven > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iEYEARECAAYFAktNYjQACgkQQoCguWUBzByRRgCgqzWhNR6O/GNSjQZUhjAMw/+z > rrAAoK4X2X5ti4MibH7r1dUUCDpf/S05 > =3btI > -----END PGP SIGNATURE----- > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From pavel.skovajsa at gmail.com Wed Jan 13 04:37:20 2010 
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 13 Jan 2010 10:37:20 +0100
Subject: [c-nsp] GRE tunnel optimization
In-Reply-To: <4B4CE5A3.4040709@webjogger.net>
References: <4B4CE5A3.4040709@webjogger.net>
Message-ID: <323aca891001130137n1d3e1926gb09c5c4c3535dc54@mail.gmail.com>

Hi Adam,

The "ip tcp adjust-mss 1460" adjusts TCP traffic which IPsec is not, so you can safely remove it. Try to change the TCP MSS on the Sonicwalls - I suggest to something conservative - 1390 for example.

If it won't help (or there is no knob for this on Sonicwalls) try to:
- ping across GRE tunnel on clear without IPSEC
- determine whether this is MTU size issue - by pinging with larger and larger packets.

-pavel

On Tue, Jan 12, 2010 at 10:12 PM, Adam Greene wrote:
> Hi,
>
> I'm trying to pass IPSec VPN traffic over a simple GRE tunnel, with mixed
> results (some packet loss, high latency).
>
> Configs on both ends:
>
> ==========
> 2811, 12.4(21), traffic is sent over bonded DSL lines
> ==========
> interface Tunnel0
>  ip address 172.16.16.9 255.255.255.252
>  ip tcp adjust-mss 1460
>  tunnel source x.x.x.x
>  tunnel destination y.y.y.y
> !
> interface ATM0/0/0
>  no ip address
>  no ip mroute-cache
>  no atm ilmi-keepalive
>  dsl operating-mode auto
>  hold-queue 224 in
>  pvc 0/35
>   protocol ppp Virtual-Template1
> !
> interface ATM0/1/0
>  no ip address
>  no ip mroute-cache
>  no atm ilmi-keepalive
>  dsl operating-mode auto
>  hold-queue 224 in
>  pvc 0/35
>   protocol ppp Virtual-Template1
> !
> interface Virtual-Template1
>  no ip address
>  ppp multilink
>  ppp multilink group 1
> !
> interface Multilink1
>  ip address x.x.x.x z.z.z.z
>  ip nat outside
>  ip virtual-reassembly
>  ppp multilink
>  ppp multilink group 1
>
> ==========
> 1841, 12.4(24)T2, traffic is sent over Cablevision link
> ==========
> interface Tunnel0
>  ip address 172.16.16.10 255.255.255.252
>  ip tcp adjust-mss 1460
>  tunnel source y.y.y.y
>  tunnel destination x.x.x.x
> !
> interface FastEthernet0/0/0
>  description *** Cablevision ***
>  ip address y.y.y.y z.z.z.z
>  ip nat outside
>  ip virtual-reassembly
>  ip tcp adjust-mss 1460
>  duplex auto
>  speed auto
>
> The VPN is being generated by Sonicwalls on both ends. I've set MTU to 1460
> on them as well.
>
> I had originally set MTU to 1400, but it was worse.
>
> Are there any obvious configurations I am missing to optimize this traffic?
> For example, is something like the following recommended on the Tunnel
> interfaces?
>
> hold-queue 1024 in
> hold-queue 1024 out
>
> Thanks for your help.
>
> Adam
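Pavel's last step (find the MTU by pinging with larger and larger packets) done as a binary search instead of hand-stepped sizes, as an added example that is not from the thread. The probe is a callable so the search runs offline; simulated_path() is a constructed stand-in for a DF-bit ping (IOS: ping <dest> size <n> df-bit) across a link with the given IP MTU, here 1476, the default IOS GRE tunnel MTU over a 1500-byte link.

```python
"""Path-MTU probe in the spirit of "ping with larger and larger packets".

Added example, not code from the cisco-nsp thread.  A real probe would send
an ICMP echo with the DF bit set and report whether a reply came back; here
the probe is injected as a callable so the search can be exercised offline.
"""
from typing import Callable

IP_HDR = 20        # IPv4 header without options
ICMP_HDR = 8       # ICMP echo header
TCP_HDR = 20       # TCP header without options
GRE_OVERHEAD = 24  # outer IPv4 (20) + GRE (4); 1500 - 24 = 1476, IOS default tunnel MTU


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest IP total length in [lo, hi] that probe() reports as delivered.

    probe(size) returns True when a DF-bit packet of `size` bytes reaches the
    far end and False when it is dropped (ICMP frag-needed or a timeout).
    Assumes monotonic behaviour: if size N passes, every smaller size passes.
    """
    if not probe(lo):
        raise ValueError(f"even {lo}-byte packets are dropped; this is not an MTU problem")
    while lo < hi:
        mid = (lo + hi + 1) // 2      # bias upward so the loop always narrows
        if probe(mid):
            lo = mid                  # mid fits: the answer is mid or larger
        else:
            hi = mid - 1              # mid dropped: the answer is below mid
    return lo


def icmp_payload_for(ip_size: int) -> int:
    """ICMP data length a ping tool must be told to produce `ip_size` bytes on the wire."""
    return ip_size - IP_HDR - ICMP_HDR


def safe_mss(path_mtu: int) -> int:
    """TCP MSS that will not fragment on a path with this IPv4 MTU (no IP/TCP options)."""
    return path_mtu - IP_HDR - TCP_HDR


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a DF-bit ping: delivered iff the packet fits the link MTU."""
    return lambda size: size <= mtu


if __name__ == "__main__":
    tunnel_probe = simulated_path(1500 - GRE_OVERHEAD)   # constructed: a GRE hop on a 1500-byte link
    pmtu = find_path_mtu(tunnel_probe)
    print(f"path MTU {pmtu} bytes: ping payload {icmp_payload_for(pmtu)}, TCP MSS {safe_mss(pmtu)}")
```

Against a real tunnel, replace simulated_path() with a function that runs the DF-bit ping and returns whether a reply arrived; the search then needs about ten probes to pin the MTU down.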
From pavel.skovajsa at gmail.com Wed Jan 13 04:43:02 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 13 Jan 2010 10:43:02 +0100
Subject: [c-nsp] Unicast flooding?
In-Reply-To:
References:
Message-ID: <323aca891001130143l311c98c0r4d85182b71983ebc@mail.gmail.com>

Hello Frank,

Does not sound really healthy - if you have gathered good evidence this is a good candidate for TAC. Anyway - you should probably upgrade to something other than SRB4 as TAC will tell you probably the same thing....

-pavel skovajsa

On Wed, Jan 13, 2010 at 7:02 AM, Frank Bulk wrote:
> We've been seeing some strange behavior on our 7609-S running 12.2(33r)SRB4.
> We have a VLAN (with four /24s) configured on three ports across two
> 10/100/1000 blades facing some FTTH transport equipment.
>
> Customers hanging off the FTTH equipment on the third port are complaining
> that several times per day they lose internet access. We've been able to
> correlate their complaints with failed ping attempts from our workstations
> and the 7609-S to their public IPs. What's interesting is that it's not all
> the traffic, and of the 4 IPs we are tracking, two of which are on separate
> /24s, the outages happen within the same /24. At the same time, while using
> Wireshark, I can see one of the Cisco interfaces sending out 1 to 2 Mbps of
> traffic that should be going to one of the other two Ethernet interfaces.
> This is happening about a dozen times per day for 4 to 6 minutes at a time.
>
> While the event is occurring I have verified the ARP and CAM entry. The CAM
> entry is associated with one of the first two Ethernet interfaces, not the
> third. I can clear the ARP and CAM entry from the CLI and they are
> re-learned with the same information, yet the traffic continues to egress
> the wrong Ethernet port.
>
> I've set the ARP timeout to 4 minutes so that it's less than the CAM table's
> default configuration of 5 minutes, but there was no improvement. One more
> observation -- the errant port is the root of the bridge.
>
> Any ideas why the 7609 would be sending traffic out an Ethernet port to a
> device that the CAM table says is on a different Ethernet port?
>
> Frank
>
> interface Vlan10
>  description FTTH network
>  ip dhcp relay information trusted
>  ip dhcp relay information option-insert none
>  ip dhcp relay information policy-action keep
>  ip address 67.22.a.1 255.255.255.0 secondary
>  ip address 67.22.b.1 255.255.255.0 secondary
>  ip address 67.22.c.1 255.255.255.0 secondary
>  ip address 67.22.d.1 255.255.255.0
>  ip helper-address e.f.g.h
>  no ip redirects
>  arp timeout 300
> end
>
> interface GigabitEthernet1/29 (and 3/39 and 3/45)
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 10
>  switchport mode trunk
>  switchport nonegotiate
>  load-interval 30
>  spanning-tree portfast trunk
> end

From noc at phibee.net Wed Jan 13 06:14:48 2010
From: noc at phibee.net (Phibee Network Operation Center)
Date: Wed, 13 Jan 2010 12:14:48 +0100
Subject: [c-nsp] Cisco ASA and Update Cisco VPN Client
Message-ID: <4B4DAB28.7030500@phibee.net>

Hi

Does anyone know if it's possible:

When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the version of the IPSec client software, I think.

If this software is too old, can the ASA send an update automatically?

Thanks
Jerome

From ziliomarcelo at gmail.com Wed Jan 13 06:39:56 2010
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Wed, 13 Jan 2010 09:39:56 -0200
Subject: [c-nsp] Cisco ASA and Update Cisco VPN Client
In-Reply-To: <4B4DAB28.7030500@phibee.net>
References: <4B4DAB28.7030500@phibee.net>
Message-ID: <62f79b511001130339h4f01adc3k32690f1999091477@mail.gmail.com>

I just saw in my ASA 8.2 under Configuration > Remote Access VPN > Network (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option Client Software Update. I remember seeing this in older versions too. I never used it, but I think this is what you are looking for.

On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <noc at phibee.net> wrote:
> Hi
>
> Does anyone know if it's possible:
>
> When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the version
> of the IPSec client software, I think.
>
> If this software is too old, can the ASA send an update automatically?
>
> Thanks
> Jerome
>

From ayourtch at cisco.com Wed Jan 13 08:11:07 2010
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Wed, 13 Jan 2010 14:11:07 +0100 (CET)
Subject: [c-nsp] ASA ipv6 + icmp types
In-Reply-To: <22317044-D722-4D04-BB9B-8699461DEEB8@wisc.edu>
References: <22317044-D722-4D04-BB9B-8699461DEEB8@wisc.edu>
Message-ID:

On Tue, 12 Jan 2010, Dale W. Carder wrote:

> On Jan 11, 2010, at 1:41 PM, Brandon Applegate wrote:
>
>> So I'm playing around with ipv6 on the ASA. I'm running the latest
>> code (8.2(1)). And in trying to get traceroutes and pings 'through' the
>> ASA, I've found that icmp-types are translated to 'english' but using
>> the ipv4 codes. I.e. code 3 for ipv6 is time-exceeded but shows up in config
>> as unreachable (because unreachable == 3 in ipv4).
>>
>> I'm guessing I should open a TAC case and complain ? You could call it a
>> cosmetic issue, but I see myself making mistakes because the burden is on
>> me to translate the icmp types as I enter config :(
>
> I would certainly open a tac case and insist on getting a bug id.

Yeah I asked Brandon unicast to open a new case and get me the #.

However: The issue comes from the icmp-type object group being a separate entity from an ACL, that is not context-aware ("www" is always 80), and it can not really be "fixed": if you were to use the same icmp-type OG in the IPv4 and IPv6 ACL - what should the type "3" correspond to in the running config within that object group ? There's not always 1:1 mapping between ICMPv4 and ICMPv6.

So it is not as black and white as printing IPv4 instead of IPv6, unfortunately...

Looks like the only approach might be creating a new object-group kind "icmp6-type" - and make the CLI not accept the "icmp-type" object group for the IPv6 ACLs.

cheers,
andrew

From timothy.arnold at uksolutions.co.uk Wed Jan 13 07:31:56 2010
From: timothy.arnold at uksolutions.co.uk (Timothy Arnold)
Date: Wed, 13 Jan 2010 12:31:56 +0000
Subject: [c-nsp] IPv6 ns-interval & 12.2(33)SRE & ASA 8.2(2)
Message-ID:

Hi Guys,

I'm hoping there is someone out there who knows a bit more about IPv6 than I do :)

Enabled ipv6 between the Cisco 7600 running 12.2(33)SRE and a pair of Cisco ASA firewalls running 8.2(2) (in HA). I get the following from the 7600:

%IPV6-3-CONFLICT: Router FE80::21A:E2FF:FE68:50AA on Vlan2008 has conflicting ND settings

"show ipv6 routers" shows the only real difference is the retransmit time. On the 7600, it is 0ms (which I understand to be "unspecified" rather than 0) and on the ASA the default is 1000.

cr1-sdf2.uk#show ipv6 routers vlan2008
Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min, CONFLICT
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800

colofw1/act# show ipv6 routers
Router fe80::21b:dff:fee5:ae00 on outside, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  Reachable time 0 msec, Retransmit time 0 msec
  Prefix 2a02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800

Adding the following configuration to the 7600 corrects the issue:

ipv6 nd ns-interval 1000

cr1-sdf2.uk(config-if)#do show ipv6 routers vlan2008
Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800

Both ends are now the same and no conflict occurs. Any ideas why it's complaining? I thought that the unspecified nature of ns-interval means that it would accept the 1000 milliseconds from the other end?
Thanks
Tim

Timothy Arnold
Senior Engineer, Operations (Network, Security & Facilities Group), UKSolutions
Telephone: 0845 004 1333, option 2
Email: timothy.arnold at uksolutions.co.uk
Web: www.uksolutions.co.uk
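The comparison Tim did by eye on the two "show ipv6 routers" outputs above, done by a parser, as an added example that is not part of his message: it reads each entry and reports the router-advertisement parameters that differ, using the list from Cisco's explanation of %IPV6-3-CONFLICT (hop-limit, managed/other config flags, reachable-time, ns-interval, and per-prefix lifetimes) that is quoted later in the thread. The sample text is the thread's own output; the key names in COMPARED are the labels the "show" command prints.

```python
"""Spot conflicting router-advertisement parameters from 'show ipv6 routers'.

Added example, not code from the thread.  Each device lists the RA it
*receives* from its neighbour, so the 7600's entry is the ASA's own
advertisement and the ASA's entry is the 7600's.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Parameters that Cisco's %IPV6-3-CONFLICT explanation says must agree on a
# link (hop-limit, managed-config-flag, other-config-flag, reachable-time,
# ns-interval), keyed by the labels 'show ipv6 routers' prints for them.
COMPARED = ("Hops", "AddrFlag", "OtherFlag", "Reachable time", "Retransmit time")

# Sample output quoted in the thread: the 7600's view of the ASA's RA, and the ASA's view of the 7600's.
SEEN_BY_7600 = """\
Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min, CONFLICT
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
"""
SEEN_BY_ASA = """\
Router fe80::21b:dff:fee5:ae00 on outside, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  Reachable time 0 msec, Retransmit time 0 msec
  Prefix 2a02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
"""

Lifetimes = Tuple[int, int]  # (valid, preferred)


def parse_ra(text: str) -> Dict[str, Any]:
    """Parse one 'show ipv6 routers' entry into {label: value}.

    Prefixes go under "prefixes" as {lower-cased prefix: (valid, preferred)}.
    """
    entry: Dict[str, Any] = {}
    head = re.search(r"Router (\S+) on ([^,\s]+)", text)
    if not head:
        raise ValueError("not a 'show ipv6 routers' entry")
    entry["router"] = head.group(1).lower()        # addresses compare case-insensitively
    entry["interface"] = head.group(2)
    entry["conflict_flag"] = "CONFLICT" in text.splitlines()[0]
    for key, val in re.findall(r"(Hops|Lifetime|MTU|AddrFlag|OtherFlag|HomeAgentFlag)[ =](\d+)", text):
        entry[key] = int(val)
    for key, val in re.findall(r"(Reachable time|Retransmit time) (\d+) msec", text):
        entry[key] = int(val)
    prefixes: Dict[str, Lifetimes] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        pm = re.match(r"\s*Prefix (\S+)", line)
        if pm:
            current = pm.group(1).lower()
            continue
        lm = re.match(r"\s*Valid lifetime (\d+), preferred lifetime (\d+)", line)
        if lm and current:
            prefixes[current] = (int(lm.group(1)), int(lm.group(2)))
    entry["prefixes"] = prefixes
    return entry


def ra_conflicts(a: Dict[str, Any], b: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """(label, value in a, value in b) for every parameter that must agree but
    does not, plus any shared prefix whose valid/preferred lifetimes differ."""
    diffs: List[Tuple[str, Any, Any]] = []
    for key in COMPARED:
        if a.get(key) != b.get(key):
            diffs.append((key, a.get(key), b.get(key)))
    pa, pb = a["prefixes"], b["prefixes"]
    for prefix in sorted(set(pa) | set(pb)):
        if pa.get(prefix) != pb.get(prefix):
            diffs.append((f"prefix {prefix} lifetimes", pa.get(prefix), pb.get(prefix)))
    return diffs


def unspecified_timer_conflicts(diffs: List[Tuple[str, Any, Any]]) -> List[Tuple[str, Any, Any]]:
    """Timer mismatches where one side sends 0.  RFC 4861 defines 0 for Reachable
    Time and Retrans Timer as 'unspecified by this router'; the thread shows IOS
    nevertheless logs such a pair as a conflict, so they are worth listing apart."""
    return [d for d in diffs
            if d[0] in ("Reachable time", "Retransmit time") and 0 in (d[1], d[2])]


if __name__ == "__main__":
    asa_ra, ios_ra = parse_ra(SEEN_BY_7600), parse_ra(SEEN_BY_ASA)
    for label, va, vb in ra_conflicts(asa_ra, ios_ra):
        print(f"{label}: ASA advertises {va}, 7600 advertises {vb}")
```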
From harbor235 at gmail.com Wed Jan 13 08:45:44 2010
From: harbor235 at gmail.com (harbor235)
Date: Wed, 13 Jan 2010 08:45:44 -0500
Subject: [c-nsp] IPv6 ns-interval & 12.2(33)SRE & ASA 8.2(2)
In-Reply-To:
References:
Message-ID: <836bf1f91001130545h56dec6b3v38be6a5ddff1c073@mail.gmail.com>

Tim,

I got the following from Cisco pertaining to your error message:

Explanation
Another router on the link has sent router advertisements with parameters that conflict with this router.

Recommended Action
Verify that all IPv6 routers on the link have the same parameters in the router advertisement for hop-limit, managed-config-flag, other-config-flag, reachable-time and ns-interval. Also verify that preferred and valid lifetimes for the same prefix advertised by several routers are the same. Enter the *show ipv6 interface* command to list the parameters per interface.

mike

On Wed, Jan 13, 2010 at 7:31 AM, Timothy Arnold <timothy.arnold at uksolutions.co.uk> wrote:
> Hi Guys,
> I'm hoping there is someone out there who knows a bit more about IPv6 that
> I do :)
>
> Enabled ipv6 between the Cisco 7600 running 12.2(33)SRE and a pair of Cisco
> ASA firewalls running 8.2(2) (in HA). I get the following from the 7600
>
> %IPV6-3-CONFLICT: Router FE80::21A:E2FF:FE68:50AA on Vlan2008 has
> conflicting ND settings
>
> "show ipv6 routers" show the only real difference is the retransmit time.
> On the 7600, it is 0ms (which I understand to be "unspecified" rather than
> 0) and on the ASA the default is 1000.
> > cr1-sdf2.uk#show ipv6 routers vlan2008 > Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min, CONFLICT > Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500 > HomeAgentFlag=0, Preference=Medium > Reachable time 0 msec, Retransmit time 1000 msec > Prefix 2A02:298:0:4::/112 onlink autoconfig > Valid lifetime 2592000, preferred lifetime 604800 > > colofw1/act# show ipv6 routers > Router fe80::21b:dff:fee5:ae00 on outside, last update 0 min > Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500 > Reachable time 0 msec, Retransmit time 0 msec > Prefix 2a02:298:0:4::/112 onlink autoconfig > Valid lifetime 2592000, preferred lifetime 604800 > > Adding the following configuration to the 7600 corrects the issue: > > ipv6 nd ns-interval 1000 > > cr1-sdf2.uk(config-if)#do show ipv6 routers vlan2008 > Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min > Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500 > HomeAgentFlag=0, Preference=Medium > Reachable time 0 msec, Retransmit time 1000 msec > Prefix 2A02:298:0:4::/112 onlink autoconfig > Valid lifetime 2592000, preferred lifetime 604800 > > Both ends are now the same and no conflict occurs. Any ideas why it's > complaining? I thought that the unspecified nature of ns-interval means that > it would accept the 1000 milliseconds from the other end? 
> > Thanks > Tim > > > > Timothy Arnold > Senior Engineer, Operations (Network, Security & Facilities Group), > UKSolutions > > Telephone: 0845 004 1333, option 2 > Email: timothy.arnold at uksolutions.co.uk > Web: www.uksolutions.co.uk > UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered in > England Number 3036806 > This email must be read in conjunction with the legal & service notices on > http://www.uksolutions.co.uk/disclaimer.html > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From frnkblk at iname.com Wed Jan 13 09:48:18 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Wed, 13 Jan 2010 08:48:18 -0600 Subject: [c-nsp] Unicast flooding? In-Reply-To: <323aca891001130143l311c98c0r4d85182b71983ebc@mail.gmail.com> References: <323aca891001130143l311c98c0r4d85182b71983ebc@mail.gmail.com> Message-ID: I agree, I have some good evidence. I'm not against upgrading if that will resolve the issue. Frank > -----Original Message----- 
> From: Pavel Skovajsa [mailto:pavel.skovajsa at gmail.com]
> Sent: Wednesday, January 13, 2010 3:43 AM
> To: frnkblk at iname.com
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Unicast flooding?
>
> Hello Frank,
>
> Does not sound really healthy - if you have gathered good evidence this is a good candidate for TAC. Anyway - you should probably upgrade to something other than SRB4 as TAC will tell you probably the same thing....
>
> -pavel skovajsa
>
> On Wed, Jan 13, 2010 at 7:02 AM, Frank Bulk wrote:
> > We've been seeing some strange behavior on our 7609-S running 12.2(33r)SRB4.
> > We have a VLAN (with four /24s) configured on three ports across two 10/100/1000 blades facing some FTTH transport equipment.
> >
> > Customers hanging off the FTTH equipment on the third port are complaining that several times per day they lose internet access. We've been able to correlate their complaints with failed ping attempts from our workstations and the 7609-S to their public IPs. What's interesting is that it's not all the traffic, and of the 4 IPs we are tracking, two of which are on separate /24s, the outages happen within the same /24. At the same time, while using Wireshark, I can see one of the Cisco interfaces sending out 1 to 2 Mbps of traffic that should be going to one of the other two Ethernet interfaces. This is happening about a dozen times per day for 4 to 6 minutes at a time.
> >
> > While the event is occurring I have verified the ARP and CAM entry. The CAM entry is associated with one of the first two Ethernet interfaces, not the third. I can clear the ARP and CAM entry from the CLI and they are re-learned with the same information, yet the traffic continues to egress the wrong Ethernet port.
> >
> > I've set the ARP timeout to 4 minutes so that it's less than the CAM table's default configuration of 5 minutes, but there was no improvement.
> > One more observation -- the errant port is the root of the bridge.
> >
> > Any ideas why the 7609 would be sending traffic out an Ethernet port to a device that the CAM table says is on a different Ethernet port?
> >
> > Frank
> >
> > interface Vlan10
> >  description FTTH network
> >  ip dhcp relay information trusted
> >  ip dhcp relay information option-insert none
> >  ip dhcp relay information policy-action keep
> >  ip address 67.22.a.1 255.255.255.0 secondary
> >  ip address 67.22.b.1 255.255.255.0 secondary
> >  ip address 67.22.c.1 255.255.255.0 secondary
> >  ip address 67.22.d.1 255.255.255.0
> >  ip helper-address e.f.g.h
> >  no ip redirects
> >  arp timeout 300
> > end
> >
> > interface GigabitEthernet1/29 (and 3/39 and 3/45)
> >  switchport
> >  switchport trunk encapsulation dot1q
> >  switchport trunk allowed vlan 10
> >  switchport mode trunk
> >  switchport nonegotiate
> >  load-interval 30
> >  spanning-tree portfast trunk
> > end
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
From ewitkop at gmail.com Wed Jan 13 10:01:54 2010
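Back to Tim's %IPV6-3-CONFLICT thread earlier on this page. RFC 4861 section 6.2.7 is the rule the router is applying: routers should compare other routers' RAs for Cur Hop Limit, the M and O flags, Reachable Time, Retrans Timer, the MTU option, and the preferred/valid lifetimes of a shared prefix, and zero means "unspecified" for hop limit, reachable time and retrans timer. The Python below is an added example, not code from the thread or from Cisco. It parses the two `show ipv6 routers` outputs Tim posted (copied verbatim as sample input; the IOS and ASA layouts differ slightly), compares the two RAs field by field in both the RFC reading and the strict reading the 7600 evidently applied to 0 versus 1000 ms, and then runs the same comparison against a constructed rogue RA (hypothetical link-local address and a 2001:db8 prefix) to show why the same check is worth keeping as a rogue-RA detector on any segment where you log these conflicts. The regexes are written for the two layouts on this page only.

```python
"""Added example: RFC 4861 section 6.2.7 RA consistency check over 'show ipv6 routers'."""
import re
from dataclasses import dataclass, field

# Sample input copied from the thread: the 7600's view of the ASA's RA (flagged CONFLICT)
# and the ASA's view of the 7600's RA.
SHOW_7600 = """\
Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min, CONFLICT
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
"""
SHOW_ASA = """\
Router fe80::21b:dff:fee5:ae00 on outside, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  Reachable time 0 msec, Retransmit time 0 msec
  Prefix 2a02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
"""
# Constructed, not from the thread: a host on the VLAN injecting its own RA.
SHOW_ROGUE = """\
Router FE80::1234:56FF:FE78:9ABC on Vlan2008, last update 0 min, CONFLICT
  Hops 255, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2001:DB8:BAD::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
"""

ROUTER_RE = re.compile(r"^Router\s+(\S+)\s+on\s+(\S+),")
FLAGS_RE = re.compile(r"Hops\s+(\d+),.*?AddrFlag=(\d),\s*OtherFlag=(\d),\s*MTU=(\d+)")
TIMERS_RE = re.compile(r"Reachable time\s+(\d+)\s+msec,\s*Retransmit time\s+(\d+)\s+msec")
PREFIX_RE = re.compile(r"^Prefix\s+(\S+)")
LIFE_RE = re.compile(r"Valid lifetime\s+(\d+),\s*preferred lifetime\s+(\d+)")


@dataclass
class RouterAdv:
    router: str               # link-local source of the RA, lower-cased
    interface: str
    flagged: bool = False     # IOS printed CONFLICT on the Router line
    hops: int = 0
    managed: int = 0          # AddrFlag (M)
    other: int = 0            # OtherFlag (O)
    mtu: int = 0
    reachable_ms: int = 0
    retrans_ms: int = 0
    prefixes: dict = field(default_factory=dict)   # prefix -> (valid, preferred)


def parse_show_ipv6_routers(text):
    """Parse one or more 'Router ... on ...' blocks into RouterAdv objects."""
    advs, cur, last_prefix = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROUTER_RE.match(line):
            cur = RouterAdv(m.group(1).lower(), m.group(2), flagged="CONFLICT" in line)
            advs.append(cur)
        elif cur is None:
            continue
        elif m := FLAGS_RE.search(line):
            cur.hops, cur.managed, cur.other, cur.mtu = map(int, m.groups())
        elif m := TIMERS_RE.search(line):
            cur.reachable_ms, cur.retrans_ms = map(int, m.groups())
        elif m := PREFIX_RE.match(line):
            last_prefix = m.group(1).lower()
            cur.prefixes[last_prefix] = None
        elif (m := LIFE_RE.search(line)) and last_prefix:
            cur.prefixes[last_prefix] = (int(m.group(1)), int(m.group(2)))
    return advs


# Fields where RFC 4861 6.2.7 says zero means "unspecified" and is not a conflict.
UNSPECIFIED_IF_ZERO = {"hops", "reachable_ms", "retrans_ms"}


def ra_conflicts(a, b, rfc4861=True):
    """Return [(field, value_a, value_b)] for every disagreement between two RAs.

    rfc4861=True ignores a zero in the three 'unspecified' fields, as the RFC says;
    rfc4861=False reports plain inequality, which is what the 7600 above did for
    retransmit time 0 vs 1000.  A prefix advertised by only one router is reported
    too; that is not a 6.2.7 item, but it is what a rogue RA usually looks like."""
    out = []
    for f in ("hops", "managed", "other", "mtu", "reachable_ms", "retrans_ms"):
        va, vb = getattr(a, f), getattr(b, f)
        if va == vb or (rfc4861 and f in UNSPECIFIED_IF_ZERO and 0 in (va, vb)):
            continue
        out.append((f, va, vb))
    for p in sorted(set(a.prefixes) | set(b.prefixes)):
        la, lb = a.prefixes.get(p), b.prefixes.get(p)
        if la is None or lb is None:
            out.append(("prefix " + p, la, lb))
        elif la != lb:
            out.append(("lifetimes " + p, la, lb))
    return out


if __name__ == "__main__":
    ra_7600 = parse_show_ipv6_routers(SHOW_ASA)[0]    # the 7600's RA, as the ASA sees it
    ra_asa = parse_show_ipv6_routers(SHOW_7600)[0]    # the ASA's RA, as the 7600 sees it
    print("strict :", ra_conflicts(ra_7600, ra_asa, rfc4861=False))
    print("rfc4861:", ra_conflicts(ra_7600, ra_asa))
    print("rogue  :", ra_conflicts(ra_asa, parse_show_ipv6_routers(SHOW_ROGUE)[0]))
```

In strict mode the only difference is the retransmit timer, which is exactly the CONFLICT the 7600 logged; in RFC mode the zero is treated as unspecified and nothing is reported, which is the reading Tim expected. The rogue case trips on the hop limit and on a prefix nobody else advertises, so if you already watch %IPV6-3-CONFLICT it is worth correlating the flagged link-local address against the routers you actually own.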
From: ewitkop at gmail.com (Erik Witkop) Date: Wed, 13 Jan 2010 10:01:54 -0500 Subject: [c-nsp] Unicast flooding? In-Reply-To: References: Message-ID: <4B4DE062.30504@gmail.com> Hi Frank, It sounds like you have already done a bit of research. I thought I might pass on this link as future reference, or for anyone else that is interested. http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml p.s. I know you are not on a 6000, but most of it should apply. Frank Bulk wrote: > We've been seeing some strange behavior on our 7609-S running 12.2(33r)SRB4. > We have a VLAN (with four /24s) configured on three ports across two > 10/100/1000 blades facing some FTTH transport equipment. > > Customers hanging off the FTTH equipment on the third port are complaining > that several times per day they lose internet access. We've been able to > correlate their complaints with failed ping attempts from our workstations > and the 7609-S to their public IPs. What's interesting is that it's not all > the traffic, and of the 4 IPs we are tracking, two of which are on separate > /24s, the outages happen within the same /24. At the same time, while using > Wireshark, I can see one of the Cisco interfaces sending out 1 to 2 Mbps of > traffic that should be going to one of the other two Ethernet interfaces. > This is happening about a dozen times per day for 4 to 6 minutes at a time. > > > While the event is occurring I have verified the ARP and CAM entry. The CAM > entry is associated with one of the first two Ethernet interfaces, not the > third. I can clear the ARP and CAM entry from the CLI and they are > re-learned with the same information, yet the traffic continues to egress > the wrong Ethernet port. > > I've set the ARP timeout to 4 minutes so that it's less than the CAM table's > default configuration of 5 minutes, but there was no improvement. One more > observation -- the errant port is the root of the bridge. 
> > Any ideas why the 7609 would be sending traffic out an Ethernet port to a > device that the CAM table says is on a different Ethernet port? > > Frank > > > interface Vlan10 > description FTTH network > ip dhcp relay information trusted > ip dhcp relay information option-insert none > ip dhcp relay information policy-action keep > ip address 67.22.a.1 255.255.255.0 secondary > ip address 67.22.b.1 255.255.255.0 secondary > ip address 67.22.c.1 255.255.255.0 secondary > ip address 67.22.d.1 255.255.255.0 > ip helper-address e.f.g.h > no ip redirects > arp timeout 300 > end > > interface GigabitEthernet1/29 (and 3/39 and 3/45) > switchport > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 10 > switchport mode trunk > switchport nonegotiate > load-interval 30 > spanning-tree portfast trunk > end > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From frnkblk at iname.com Wed Jan 13 09:48:51 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Wed, 13 Jan 2010 08:48:51 -0600 Subject: [c-nsp] Unicast flooding? In-Reply-To: <4B4D8FDD.2080708@imperial.ac.uk> References: <4B4D8FDD.2080708@imperial.ac.uk> Message-ID: > -----Original Message----- 
> From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
> Sent: Wednesday, January 13, 2010 3:18 AM
> To: frnkblk at iname.com
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Unicast flooding?
>
> > While the event is occurring I have verified the ARP and CAM entry. The CAM
> > entry is associated with one of the first two Ethernet interfaces, not the
> > third. I can clear the ARP and CAM entry from the CLI and they are
> > re-learned with the same information, yet the traffic continues to egress
> > the wrong Ethernet port.
>
> Ugh. Agreed.
>
> > I've set the ARP timeout to 4 minutes so that it's less than the CAM table's
> > default configuration of 5 minutes, but there was no improvement. One more
> > observation -- the errant port is the root of the bridge.
> >
> > Any ideas why the 7609 would be sending traffic out an Ethernet port to a
> > device that the CAM table says is on a different Ethernet port?
>
> What module is the traffic coming in via? Which of the modules have DFCs?
>
> Have you looked at:
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#dfc
>
> ...specifically the 1st item "Loss of Dynamic MAC Addresses with
> Distributed Switching" which could possibly be related, though that is a
> wild guess.

Thanks for reminding me about this article. When I do a "sh mac-address-table", am I looking at what's on the Supervisor or line card's DFC?

When I turn it on, I get this message:

Mutual_7609(config)#mac-address-table synchronize
% Current activity time is [160] seconds
% Recommended aging time for all vlans is at least three times the activity interval

The aging time of the CAM? By default it's 300 seconds, so working backwards, I would want a "Current activity time" of 100 seconds, but that doesn't appear to be an option. So I've now increased the mac address-table aging time for that VLAN to 480 seconds (3 x 160) and the arp timeout also to 480 seconds.
> How long has this been happening for?

We've had the first two interfaces in production for several months. We just turned up this third interface two or three weeks ago, and started moving customers on there and they started complaining last week, so extrapolating from that I'm pretty confident it's been doing this the whole time.

Frank

From eng_mssk at hotmail.com Wed Jan 13 10:33:13 2010
From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Wed, 13 Jan 2010 17:33:13 +0200 Subject: [c-nsp] Ethernet Network In-Reply-To: <001a01ca9423$226f34c0$674d9e40$@info> References: , <499475.32176.qm@web110115.mail.gq1.yahoo.com>, <001a01ca9423$226f34c0$674d9e40$@info> Message-ID:

Hi all,

Thanks all for your response. I checked where I can deploy MTU on my network.

On the Cisco ME-C3750-24TE with IOS c3750me-i5-mz.122-35.SE5.bin it has 4 G interfaces, 2 of them are MPLS enabled. There is no command under the interface mode mtu, but there is:

on the FE port
switch(config-if)#mpls mtu ?
  <64-1500>  MTU (bytes)
  override   Override mpls mtu maximum of interface mtu

on the GE port
ar6.HS-AMM-017(config-if)#mpls mtu ?
  <64-1512>  MTU (bytes)
  override   Override mpls mtu maximum of interface mtu

on the global mode:
switch(config)#system mtu ?
  <1500-1998>  MTU size in bytes
  jumbo        Set Jumbo MTU value for GigabitEthernet or TenGigabitEthernet interfaces
  routing      Set the Routing MTU for the system

on the cisco ME-C6524GT-8S
switch(config)#system jumbomtu ?
  <1500-9216>  Jumbo mtu size in Bytes, default is 9216

> From: ip at ioshints.info
> To: td_miles at yahoo.com; cisco-nsp at puck.nether.net; DLasher at newedgenetworks.com
> Date: Wed, 13 Jan 2010 08:36:33 +0100
> Subject: Re: [c-nsp] Ethernet Network
>
> The MTU on PA-FE (probably) does not include MAC header and definitely does not include CRC trailer. Otherwise the minimum value of 1500 wouldn't make sense.
>
> > -----Original Message-----
> > From: Tony [mailto:td_miles at yahoo.com] > > Sent: Wednesday, January 13, 2010 8:10 AM > > To: cisco-nsp at puck.nether.net; DonnLasher > > Subject: Re: [c-nsp] Ethernet Network > > > > > > > > --- On Wed, 13/1/10, Lasher, Donn wrote: > > > > > > > > >> SNIP >> > > > >1500 bytes max data + 22 max header + 4 CRC trailer + 4 > > > byte 802.1q tag > > > >+16 up to 4 labels = 1546? > > > > > > > >Why not just enable jumbos and set it as high as > > > possible? > > > > > > > > > 1546 = largest MTU the 355x/356x switches, PA-FE, etc, will > > > support, as > > > I recall. > > > > > > > PA-FE are limited to 1530. You're correct about 1546 for the switches > > though. > > > > 7204(config)#int fa4/0 > > 7204(config-if)#mtu ? > > <1500-1530> MTU size in bytes > > > > > > > > > > __________________________________________________________________________ > > ________ > > See what's on at the movies in your area. Find out now: > > http://au.movies.yahoo.com/session-times/ > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _________________________________________________________________ Windows Live: Keep your friends up to date with what you do online. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010 From p.mayers at imperial.ac.uk Wed Jan 13 11:18:34 2010 
From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 13 Jan 2010 16:18:34 +0000 Subject: [c-nsp] Unicast flooding? In-Reply-To: References: <4B4D8FDD.2080708@imperial.ac.uk> Message-ID: <4B4DF25A.5030008@imperial.ac.uk>

Frank Bulk - iName.com wrote:
>> Have you looked at:
>>
>> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#dfc
>>
>> ...specifically the 1st item "Loss of Dynamic MAC Addresses with
>> Distributed Switching" which could possibly be related, though that is a
>> wild guess.
>
> Thanks for reminding me about this article. When I do a "sh
> mac-address-table", am I looking at what's on the Supervisor or line card's
> DFC?

Well, on a 6500 under SXI, it shows me things like:

Module 1:
*  1740  0000.0c07.ac00   dynamic  Yes        160   Po1
*  1740  001e.2a6f.5c37   dynamic  Yes        220   Po1
*  1740  0015.c706.8c00   dynamic  Yes        170   Po1
Module 2[FE 1]:
*  1740  0000.0c07.ac00   dynamic  Yes          0   Po1
*  1740  0015.c706.8c00   dynamic  Yes        170   Po1
Module 2[FE 2]:
*  1740  0015.c706.8c00   dynamic  Yes        170   Po1

...leading me to believe it's querying all the forwarding engines on all the modules but NOT the PFC on the sup (module 5 in our case) - possibly because we've got DFCs in all slots? As the example shows, the module and even FE tables within a module can differ.
You can get the raw module local tables (and the PFC one) using:

remote command module N sh mac-address-table [dynamic] [vlan N]

If the active sup is in slot 5, these are equivalent:

remote command module 5
remote command switch

...and on the sup I see, using the above example:

Displaying entries from SP:
RM   PI_E  RMA  Vlan  Destination Address  Address Type  XTag  LTL Index
---+----+---+------+---------------------+-------------+----+-------------
No   Yes   No   1740  3333.0000.0016       static        0     0x802
No   Yes   No   1740  3333.0000.0001       static        0     0x802
No   Yes   No   1740  3333.0000.000d       static        0     0x7FF8
No   No    No   1740  0000.0c07.ac00       dynamic       0     0x340
No   Yes   No   1740  0015.c70b.9000       static        1     0x380
No   No    No   1740  001e.2a6f.5c37       dynamic       0     0x340
No   No    No   1740  0015.c706.8c00       dynamic       0     0x340

...which looks like an amalgam of the module MAC tables. We're not running mac sync or anything odd.

You can "remote command [switch|module N]" (or "attach N") and run

sh mac-address-table detail

...but based on the deafening silence in response to a query the other week, no-one knows what those flags mean - maybe you can see a pattern in your problematic entries though (yay I just love reverse engineering the 6500 forwarding architecture - thanks cisco!)

> When I turn it on, I get this message:
>
> Mutual_7609(config)#mac-address-table synchronize
> % Current activity time is [160] seconds
> % Recommended aging time for all vlans is at least three times the
> activity interval
>
> The aging time of the CAM? By default it's 300 seconds, so working
> backwards, I would want a "Current activity time" of 100 seconds, but that
> doesn't appear to be an option. So I've now increased the mac address-table
> aging time for that VLAN to 480 seconds (3 x 160) and the arp timeout also
> to 480 seconds.

Interestingly, at some point when I was testing either SXH or SXI, I recall this very time (480 seconds) magically popped into the nvgen without any input from me. I can't remember when, and it seems to not be there now.
I've seen hints that VSS systems use the mac sync / move notify stuff behind the scenes to sync up MAC tables across chassis - of course since you're on a 7600 that should not be relevant.

sh mac- sync stat

...might be illuminating now that you've got it running, but I'm afraid the output baffles me...

From muyal at renater.fr Wed Jan 13 11:05:59 2010
From: muyal at renater.fr (Simon Muyal) Date: Wed, 13 Jan 2010 17:05:59 +0100 Subject: [c-nsp] IOS, IOS-XR and RANCID Message-ID: <4B4DEF67.5070008@renater.fr>

Hello all,

We have a network composed of Cisco equipment running IOS and IOS-XR. We run RANCID to manage/backup our configurations. Does anybody have experience with this software with both versions (IOS and IOS-XR)? We have difficulties integrating both versions simultaneously in the same RANCID process (problem of "user" and "admin" mode execution).

Thanks,
Simon

From frnkblk at iname.com Wed Jan 13 12:07:53 2010
From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Wed, 13 Jan 2010 11:07:53 -0600 Subject: [c-nsp] Unicast flooding? In-Reply-To: <4B4DF25A.5030008@imperial.ac.uk> References: <4B4D8FDD.2080708@imperial.ac.uk> <4B4DF25A.5030008@imperial.ac.uk> Message-ID:

Good news is that with the mac-address-table synchronize command things have been stable for 2 hours, a new record. More below.

Frank

> -----Original Message-----
> From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
> Sent: Wednesday, January 13, 2010 10:19 AM
> To: frnkblk at iname.com
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Unicast flooding?
>
> Frank Bulk - iName.com wrote:
> >> Have you looked at:
> >>
> >> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#dfc
> >>
> >> ...specifically the 1st item "Loss of Dynamic MAC Addresses with
> >> Distributed Switching" which could possibly be related, though that is a
> >> wild guess.
> >
> > Thanks for reminding me about this article. When I do a "sh
> > mac-address-table", am I looking at what's on the Supervisor or line card's
> > DFC?
>
> Well, on a 6500 under SXI, it shows me things like:
>
> Module 1:
> *  1740  0000.0c07.ac00   dynamic  Yes        160   Po1
> *  1740  001e.2a6f.5c37   dynamic  Yes        220   Po1
> *  1740  0015.c706.8c00   dynamic  Yes        170   Po1
> Module 2[FE 1]:
> *  1740  0000.0c07.ac00   dynamic  Yes          0   Po1
> *  1740  0015.c706.8c00   dynamic  Yes        170   Po1
> Module 2[FE 2]:
> *  1740  0015.c706.8c00   dynamic  Yes        170   Po1

The output under SRB is a bit different:

Mutual_7609#sh mac-address-table
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
   280  0007.e96b.06fb   dynamic  Yes        295   Gi1/32
   150  0030.d700.1afe   dynamic  Yes        295   Gi3/35
   293  001e.e573.ee2e   dynamic  Yes          5   Gi1/39
   293  0023.69c4.d0a7   dynamic  Yes        295   Gi1/39
   572  0021.29d9.2dbb   dynamic  Yes        295   Gi3/47
   280  001e.e573.edda   dynamic  Yes        295   Gi1/32

> ...leading me to believe it's querying all the forwarding engines on all
> the modules but NOT the PFC on the sup (module 5 in our case) - possibly
> because we've got DFCs in all slots?

Perhaps.

> As the example shows, the module
> and even FE tables within a module can differ.
There's times where I've seen nothing for "sh mac-address-table", but when I specify a port, I do see it listed (notice that it mentions "Line card 3"):

Mutual_7609#sh mac-address-table int gi3/45
Displaying entries from Line card 3:
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+----------------
*   10  0023.69c4.d0da   dynamic  Yes          5   Gi3/45

Etc.

> You can get the raw module local tables (and the PFC one) using:
>
> remote command module N sh mac-address-table [dynamic] [vlan N]
>
> If the active sup is in slot 5, these are equivalent:
>
> remote command module 5
> remote command switch
>
> ...and on the sup I see, using the above example:
>
> Displaying entries from SP:
> RM   PI_E  RMA  Vlan  Destination Address  Address Type  XTag  LTL Index
> ---+----+---+------+---------------------+-------------+----+-------------
> No   Yes   No   1740  3333.0000.0016       static        0     0x802
> No   Yes   No   1740  3333.0000.0001       static        0     0x802
> No   Yes   No   1740  3333.0000.000d       static        0     0x7FF8
> No   No    No   1740  0000.0c07.ac00       dynamic       0     0x340
> No   Yes   No   1740  0015.c70b.9000       static        1     0x380
> No   No    No   1740  001e.2a6f.5c37       dynamic       0     0x340
> No   No    No   1740  0015.c706.8c00       dynamic       0     0x340
>
> ...which looks like an amalgam of the module MAC tables. We're not
> running mac sync or anything odd.
>
> You can "remote command [switch|module N]" (or "attach N") and run
>
> sh mac-address-table detail
>
> ...but based on the deafening silence in response to a query the other
> week, no-one knows what those flags mean - maybe you can see a pattern
> in your problematic entries though (yay I just love reverse engineering
> the 6500 forwarding architecture - thanks cisco!)

Those remote commands work for me here, but as you said, who knows what those flags mean.
> > > > When I turn it on, I get this message: > > > > Mutual_7609(config)#mac-address-table synchronize > > % Current activity time is [160] seconds > > % Recommended aging time for all vlans is at least three times the > > activity interval > > > > The aging time of the CAM? By default it's 300 seconds, so working > > backwards, I would want a "Current activity time" of 100 seconds, but > that > > doesn't appear to be an option. So I've now increased the mac > address-table > > aging time for that VLAN to 480 seconds (3 x 160) and the arp timeout > also > > to 480 seconds. > > Interestingly, at some point when I was testing either SXH or SXI, I > recall this very time (480 seconds) magically popped into the nvgen > without any input from me. I can't remember when, and it seems to not > be > there now. I've seen hints that VSS systems use the mac sync / move > notify stuff behind the scenes to sync up MAC tables across chassis - > of > course since you're on a 7600 that should not be relevant. > > sh mac- sync stat > > ...might be illuminating now that you've got it running, but I'm afraid > the output baffles me... From ccie19804 at gmail.com Wed Jan 13 12:21:58 2010 
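Phil's per-module output and Frank's "Displaying entries from Line card 3:" output are the raw material for checking whether the DFCs and the PFC agree on where a MAC lives, which is the whole question in this thread: a forwarding engine that has no entry for a destination floods that unicast out every port in the VLAN, and one that has the entry on the wrong port sends it out that port, which is Frank's symptom. The Python below is an added example, not code from the thread or from Cisco. It parses both output layouts (Phil's "Module N:" and "Module N[FE n]:" sections, and the "Displaying entries from ...:" header Frank shows), keyed by forwarding engine, then reports every (vlan, mac) that some engine lacks or that engines map to different ports. Phil's output is copied verbatim as the first sample; the second sample is constructed to show the port-mismatch case and is not from the thread. The idea is to paste the `remote command module N show mac-address-table dynamic vlan N` output Phil describes, one per module, into one file and run this over it.

```python
"""Added example: find MAC-table disagreement between forwarding engines on a 6500/7600."""
import re
from collections import defaultdict

# Phil's per-module output, copied from the thread above.
SHOW_MAC_SXI = """\
Module 1:
*  1740  0000.0c07.ac00   dynamic  Yes        160   Po1
*  1740  001e.2a6f.5c37   dynamic  Yes        220   Po1
*  1740  0015.c706.8c00   dynamic  Yes        170   Po1
Module 2[FE 1]:
*  1740  0000.0c07.ac00   dynamic  Yes          0   Po1
*  1740  0015.c706.8c00   dynamic  Yes        170   Po1
Module 2[FE 2]:
*  1740  0015.c706.8c00   dynamic  Yes        170   Po1
"""

# Constructed (not from the thread): two 'remote command module N' outputs pasted
# together, where the line cards disagree on the port for one MAC.  That is the
# wrong-egress symptom Frank describes; the Gi1/29 mapping is invented.
SHOW_MAC_CONSTRUCTED = """\
Displaying entries from Line card 1:
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
*   10  0023.69c4.d0da   dynamic  Yes          5   Gi1/29
*   10  0030.d700.1afe   dynamic  Yes         12   Gi1/29
Displaying entries from Line card 3:
  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
*   10  0023.69c4.d0da   dynamic  Yes          5   Gi3/45
*   10  0030.d700.1afe   dynamic  Yes         12   Gi1/29
"""

SECTION_RE = re.compile(r"^(?:Module\s+|Displaying entries from\s+)(.+?):$")
ENTRY_RE = re.compile(
    r"^\*?\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$",
    re.IGNORECASE)


def parse_mac_tables(text, default_section="unnamed"):
    """Return {engine: {(vlan, mac): port}} from one or more pasted outputs.

    Legend, header and divider lines never match ENTRY_RE, so they are skipped."""
    tables, section = {}, default_section
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
            tables.setdefault(section, {})
        elif m := ENTRY_RE.match(line):
            vlan, mac, _type, _learn, _age, port = m.groups()
            tables.setdefault(section, {})[(int(vlan), mac.lower())] = port
    return tables


def mac_table_divergence(tables, vlan=None):
    """List every (vlan, mac) that is missing on some engine (that engine floods
    unicast to it) or mapped to different ports by different engines (one of them
    forwards it out the wrong port)."""
    engines = sorted(tables)
    where = defaultdict(dict)            # (vlan, mac) -> {engine: port}
    for eng, entries in tables.items():
        for key, port in entries.items():
            if vlan is None or key[0] == vlan:
                where[key][eng] = port
    report = []
    for key in sorted(where):
        ports = where[key]
        missing = [e for e in engines if e not in ports]
        mismatch = len(set(ports.values())) > 1
        if missing or mismatch:
            report.append({"vlan": key[0], "mac": key[1],
                           "ports": dict(sorted(ports.items())),
                           "missing_on": missing, "port_mismatch": mismatch})
    return report


if __name__ == "__main__":
    for name, text in (("SXI sample", SHOW_MAC_SXI), ("constructed", SHOW_MAC_CONSTRUCTED)):
        print(name)
        for row in mac_table_divergence(parse_mac_tables(text)):
            print("  ", row)
```

On Phil's sample the report says 001e.2a6f.5c37 is known only to module 1 and 0000.0c07.ac00 is unknown to the second engine on module 2, so frames to those MACs arriving on those engines get flooded even though "sh mac-address-table" on the sup shows an entry. On the constructed sample it flags the one MAC the two line cards place on different ports. The SP's "RM PI_E RMA" format is deliberately not parsed; the age column is ignored too, so run it on outputs captured close together in time. A MAC that keeps showing up on two ports is also what a moved or spoofed station looks like, so the same report is useful beyond this particular DFC problem.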
From: ccie19804 at gmail.com (swap m) Date: Wed, 13 Jan 2010 22:51:58 +0530 Subject: [c-nsp] MPLS TE and PIM In-Reply-To: References: Message-ID:

Ask yourself this way:

1. Are TE tunnels bi-directional? The answer is no.
2. Can a TE tunnel receive traffic? Again the answer is no. A TE tunnel is for sending traffic, not for receiving.

PIM neighborship hence is established on the physical interface, not on the TE interface, because you need bidirectional flow between the neighbors.

RPF failures may happen when you receive multicast traffic via the physical interface while the routing table has a route via the TE interface. Either "mpls traffic-eng multicast-intact" or static mroutes can be used to solve these RPF issues. Forwarding adjacency doesn't work with the multicast-intact feature.

HTH
Swap #19804

On Tue, Jan 12, 2010 at 11:38 PM, Ibrahim Abo Zaid < ibrahim.abozaid at gmail.com> wrote:
> Hi
>
> I have a question about PIM: can PIM messages flow across an MPLS TE tunnel? Why can't PIM neighborship be established over the tunnel?
>
> thanks
> --Ibrahim
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
From sven at darkman.de Wed Jan 13 14:41:03 2010
From: sven at darkman.de (Sven 'Darkman' Michels) Date: Wed, 13 Jan 2010 20:41:03 +0100 Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea? In-Reply-To: <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> Message-ID: <4B4E21CF.10803@darkman.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Pavel,

first of all, thanks for your fast response!

Pavel Skovajsa schrieb:
> If I understood you correctly you can get around these limitations by
> using the PVLAN feature on the end-user ports only and not on the
> internal switch-to-switch links. On those links you can use normal
> "trunk" ports and spread the PVLAN to your 6509 and terminate it on L3
> VLAN int.

Ah, okay, I thought I needed the private-vlan trunk mode, and when I enabled it, it just "crashed" my port channel (as in removed the port from it, which was not what I wanted..).

> On your distribution (6509) you configure:
>
> interface Vlan10
>  ip sticky-arp ignore  <--- this is important as PVLAN VLAN interface
>                             gets sticky arp by default (for some unknown reason)
>  no ip proxy-arp
>  private-vlan mapping 100
>
> and normal trunk port towards the switch fabric:
> interface GigabitEthernet6/1
>  switchport mode trunk

Ah okay, then I'll try that one, I just limited the vlans a bit, of course ;)

> Yes this is probably suboptimal to what you would like to accomplish
> however the end effect is that the end-user ports cannot communicate
> with each other - which is probably what you want.

Why is that suboptimal? From what you described and what I understood, it works like I want: having an etherchannel to my core and protected ports on my edge. If the SVI is reachable from my edge, and other hosts are not, then I have what I want. But maybe I missed something...?
> Another alternative is the "private-vlan trunk" feature which is
> described over here
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1166138
> - the trouble is that AFAIK currently it works only on C4500.

That was what I thought I needed, it's available on the 3560 but it killed the etherchannel... and the pvlan documentation says "you cannot enable pvlans on an etherchannel", which is "right" as if you enable any of the pvlan commands on an etherchannel port, it gets removed from the etherchannel... but it seems that normal trunks just work for that - great ;)

So, from what I know now, it should work like I want... just need to test if it works with more than one switch etc. but at the moment I think it will do so far.

Thanks again for your help :)

Regards,
Sven
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAktOIc8ACgkQQoCguWUBzBz48ACgjX54FYRh9fpzRmobTElDvXvv
8S8An1fyaboYKoWPuZErysZ6c9OH5Kyi
=O52n
-----END PGP SIGNATURE-----

From nullzero.route at gmail.com Wed Jan 13 15:19:44 2010
From: nullzero.route at gmail.com (null zeroroute) Date: Wed, 13 Jan 2010 15:19:44 -0500 Subject: [c-nsp] BGP to OSPF redistribution Message-ID:

I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.

No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred.

The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons.

WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup.

The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550.

We considered GRE over the provider's network however we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path.

Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?

I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated.

From cordmacleod at gmail.com Wed Jan 13 15:31:41 2010
From: cordmacleod at gmail.com (Cord MacLeod) Date: Wed, 13 Jan 2010 12:31:41 -0800 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: References: Message-ID: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> On Jan 13, 2010, at 12:19 PM, null zeroroute wrote: > I'm having a problem trying to figure out a way to get eBGP learned routes > (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the > routes learned via the provider are preffered over the internally learned > OSPF routes. > Is there a way to redistribute BGP into OSPF so that the routes can be > anything but OSPF external? I think you are looking for redistribution. Make sure you have plenty of filters in the way of this, but that's what you are looking for. router ospf xxx redistribute bgp xxxx route-map blah From saxon.jones at gmail.com Wed Jan 13 15:34:29 2010 
From: saxon.jones at gmail.com (Saxon Jones) Date: Wed, 13 Jan 2010 13:34:29 -0700 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: References: Message-ID: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com>

If I understand your question properly, why not just change the administrative distance of the eBGP routes to something less than 110.

______________________________
Saxon Jones
Email: saxon.jones at gmail.com

2010/1/13 null zeroroute
> I'm having a problem trying to figure out a way to get eBGP learned routes
> (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the
> routes learned via the provider are preferred over the internally learned
> OSPF routes.
>
> No matter where the BGP-->OSPF redistribution point is, if it's the PE or
> CE, the routes will still show up (by default) as OSPF external, and will
> never be preferred.
>
> The provider whose path we prefer will only run BGP. We would like to use
> OSPF everywhere if possible, for several reasons.
>
> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path.
> WAN provider B is a layer-2 VPN MPLS network over which we run OSPF.
> Provider B's network is inferior at times and we use it as a backup.
>
> The equipment where the eBGP peering relationships exist is a mix of 7600,
> 3800, 2800, 1800, 6500, 3750, 3550.
>
> We considered GRE over the provider's network however we then wind up with
> 25+ tunnels at each location, and that just grows as each new site is added,
> not to mention some potential issues regarding throughput with a GRE tunnel
> in the path.
>
> Is there a way to redistribute BGP into OSPF so that the routes can be
> anything but OSPF external?
>
> I have not found a way to do this yet, and was wondering if it's even
> possible, or if I'm missing something obvious. Any suggestions
> appreciated.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
From nullzero.route at gmail.com Wed Jan 13 15:36:57 2010
From: nullzero.route at gmail.com (null zeroroute) Date: Wed, 13 Jan 2010 15:36:57 -0500 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> Message-ID:

I understand redistribution. The problem is that when routes pass through a BGP AS and then get redistributed into OSPF, they show up as OSPF external. I'm looking for a way to make those internal, or preferred, over the OSPF routes learned via the rest of the network.

On Wed, Jan 13, 2010 at 3:31 PM, Cord MacLeod wrote:
>
> On Jan 13, 2010, at 12:19 PM, null zeroroute wrote:
>
> > I'm having a problem trying to figure out a way to get eBGP learned routes
> > (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the
> > routes learned via the provider are preferred over the internally learned
> > OSPF routes.
>
> > Is there a way to redistribute BGP into OSPF so that the routes can be
> > anything but OSPF external?
>
> I think you are looking for redistribution. Make sure you have plenty of
> filters in the way of this, but that's what you are looking for.
>
> router ospf xxx
> redistribute bgp xxxx route-map blah

From asturluismi at gmail.com Wed Jan 13 15:37:12 2010
From: asturluismi at gmail.com (luismi) Date: Wed, 13 Jan 2010 21:37:12 +0100 Subject: [c-nsp] IP/VC 3526 serial port is not showing anything In-Reply-To: References: <1263313237.30768.2.camel@hal9000> Message-ID: <1263415032.31592.1.camel@hal9000> Yes, as well, different connectors. We were able to get in over IP but we didn't see any configuration related to the serial console :-P On Tue, 12-01-2010 at 13:11 -0600, Jason Shearer wrote: > Have you tried different baud rates? I have found some 35xx MCUs come from the factory set at 115200. > > Jason > > -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi > Sent: Tuesday, January 12, 2010 10:21 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] IP/VC 3526 serial port is not showing anything > > Hi all, > > We took a Cisco IP/VC 3526 from one of our racks. > We tried to access it over the serial port at 9600 8N1, as the > documentation says, and it didn't work. > We also have an alarm on the front, but we were not able to find > anything related to it in the documentation. > > As far as we read, the product is EoL/EoS but it will have support until > 2011 or 2012, so what is the natural alternative to replace it? > > Any comment is welcome; it doesn't necessarily have to be Cisco. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From nullzero.route at gmail.com Wed Jan 13 15:39:00 2010
From: nullzero.route at gmail.com (null zeroroute) Date: Wed, 13 Jan 2010 15:39:00 -0500 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> Message-ID: That's what we currently do; however, the problem is that we have other routers and firewalls in our network which are only running OSPF, and they need to know about the routes which pass through the eBGP network. Since those routes would become OSPF external, they would only be used if the internal routes went away. On Wed, Jan 13, 2010 at 3:34 PM, Saxon Jones wrote: > If I understand your question properly, why not just change the > administrative distance of the eBGP routes to something less than 110. > ______________________________ > Saxon Jones > > Email: saxon.jones at gmail.com > > > 2010/1/13 null zeroroute > >> I'm having a problem trying to figure out a way to get eBGP learned >> routes >> (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the >> routes learned via the provider are preferred over the internally learned >> OSPF routes. >> >> No matter where the BGP-->OSPF redistribution point is, if it's the PE or >> CE, the routes will still show up (by default) as OSPF external, and will >> never be preferred. >> >> The provider whose path we prefer will only run BGP. We would like to use >> OSPF everywhere if possible, for several reasons. >> >> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. >> WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. >> Provider B's network is inferior at times and we use it as a backup. >> >> The equipment where the eBGP peering relationships exist is a mix of 7600, >> 3800, 2800, 1800, 6500, 3750, 3550.
>> >> We considered GRE over the provider's network however we then wind up with >> 25+ tunnels at each location, and that just grows as each new site is >> added, >> not to mention some potential issues regarding throughput with a GRE >> tunnel >> in the path. >> >> Is there a way to redistribute BGP into OSPF so that the routes can be >> anything but OSPF external? >> >> I have not found a way to do this yet, and was wondering if it's even >> possible, or if I'm missing something obvious. Any suggestions >> appreciated. >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From saxon.jones at gmail.com Wed Jan 13 15:39:08 2010
From: saxon.jones at gmail.com (Saxon Jones) Date: Wed, 13 Jan 2010 13:39:08 -0700 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> Message-ID: <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com> Actually, I re-read your problem. Sham links may be a solution to look at, if you control the right pieces of equipment. You can also mess with the AD of OSPF external routes versus OSPF internal routes, but this is probably a Bad Idea(TM) (and my testing of this a few years ago showed it didn't have the desired result). ______________________________ Saxon Jones Email: saxon.jones at gmail.com Telephone: (780) 669-0899 Toll-free: (866) 701-8022 United Kingdom: 0(1315)168664 2010/1/13 Saxon Jones > If I understand your question properly, why not just change the > administrative distance of the eBGP routes to something less than 110. > ______________________________ > Saxon Jones > > Email: saxon.jones at gmail.com > > > 2010/1/13 null zeroroute > >> I'm having a problem trying to figure out a way to get eBGP learned routes >> (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the >> routes learned via the provider are preferred over the internally learned >> OSPF routes. >> >> No matter where the BGP-->OSPF redistribution point is, if it's the PE or >> CE, the routes will still show up (by default) as OSPF external, and will >> never be preferred. >> >> The provider whose path we prefer will only run BGP. We would like to use >> OSPF everywhere if possible, for several reasons. >> >> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. >> WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. >> Provider B's network is inferior at times and we use it as a backup.
>> >> The equipment where the eBGP peering relationships exist is a mix of 7600, >> 3800, 2800, 1800, 6500, 3750, 3550. >> >> We considered GRE over the provider's network however we then wind up with >> 25+ tunnels at each location, and that just grows as each new site is >> added, >> not to mention some potential issues regarding throughput with a GRE >> tunnel >> in the path. >> >> Is there a way to redistribute BGP into OSPF so that the routes can be >> anything but OSPF external? >> >> I have not found a way to do this yet, and was wondering if it's even >> possible, or if I'm missing something obvious. Any suggestions >> appreciated. >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From swmike at swm.pp.se Wed Jan 13 15:50:02 2010 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Wed, 13 Jan 2010 21:50:02 +0100 (CET) Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: References: Message-ID: On Wed, 13 Jan 2010, null zeroroute wrote: > Is there a way to redistribute BGP into OSPF so that the routes can be > anything but OSPF external? Change in what order routing protocols are selected (administrative distance): http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml -- Mikael Abrahamsson email: swmike at swm.pp.se From nullzero.route at gmail.com Wed Jan 13 16:03:29 2010
From: nullzero.route at gmail.com (null zeroroute) Date: Wed, 13 Jan 2010 16:03:29 -0500 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com> References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com> Message-ID: We only manage the CE devices, not the PEs. I just reviewed the sham-link documentation, and my understanding is that the provider needs to configure sham links between each PE over their backbone. I don't think they'll support this. I'm rather certain that they will only support BGP or standard redistribution. On Wed, Jan 13, 2010 at 3:39 PM, Saxon Jones wrote: > Actually I re-read your problem. Sham links may be a solution to look at, > if you control the right pieces of equipment. You can also mess with the AD > of OSPF external routes versus OSPF internal routes but this is probably a > Bad Idea(TM) (and my testing of this a few years ago showed it didn't have > the desired result). > > ______________________________ > Saxon Jones > > Email: saxon.jones at gmail.com > Telephone: (780) 669-0899 > Toll-free: (866) 701-8022 > United Kingdom: 0(1315)168664 > > > > 2010/1/13 Saxon Jones > > If I understand your question properly, why not just change the >> administrative distance of the eBGP routes to something less than 110. >> ______________________________ >> Saxon Jones >> >> Email: saxon.jones at gmail.com >> >> >> 2010/1/13 null zeroroute >> >>> I'm having a problem trying to figure out a way to get eBGP learned >>> routes >>> (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that >>> the >>> routes learned via the provider are preferred over the internally learned >>> OSPF routes. >>> >>> No matter where the BGP-->OSPF redistribution point is, if it's the PE or >>> CE, the routes will still show up (by default) as OSPF external, and will >>> never be preferred.
>>> >>> The provider whose path we prefer will only run BGP. We would like to >>> use >>> OSPF everywhere if possible, for several reasons. >>> >>> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. >>> WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. >>> Provider B's network is inferior at times and we use it as a backup. >>> >>> The equipment where the eBGP peering relationships exist is a mix of 7600, >>> 3800, 2800, 1800, 6500, 3750, 3550. >>> >>> We considered GRE over the provider's network however we then wind up with >>> 25+ tunnels at each location, and that just grows as each new site is >>> added, >>> not to mention some potential issues regarding throughput with a GRE >>> tunnel >>> in the path. >>> >>> Is there a way to redistribute BGP into OSPF so that the routes can be >>> anything but OSPF external? >>> >>> I have not found a way to do this yet, and was wondering if it's even >>> possible, or if I'm missing something obvious. Any suggestions >>> appreciated. >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> > From ccie19804 at gmail.com Wed Jan 13 16:03:48 2010
From: ccie19804 at gmail.com (swap m) Date: Thu, 14 Jan 2010 02:33:48 +0530 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> Message-ID: You need to use OSPF sham links. That'll make the other CEs' routes show up as internal on your local CE, crossing the MP-BGP backbone. Swap #19804 On Thu, Jan 14, 2010 at 2:06 AM, null zeroroute wrote: > I understand redistribution. The problem is that when routes pass through > a > BGP AS and then get redistributed into OSPF, they show up as OSPF external. > I'm looking for a way to make those internal, or preferred, over the OSPF > routes learned via the rest of the network. > > On Wed, Jan 13, 2010 at 3:31 PM, Cord MacLeod > wrote: > > > > > On Jan 13, 2010, at 12:19 PM, null zeroroute wrote: > > > > > I'm having a problem trying to figure out a way to get eBGP learned > > routes > > > (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that > > the > > > routes learned via the provider are preferred over the internally > learned > > > OSPF routes. > > > > > Is there a way to redistribute BGP into OSPF so that the routes can be > > > anything but OSPF external? > > > > I think you are looking for redistribution. Make sure you have plenty of > > filters in the way of this, but that's what you are looking for. > > > > router ospf xxx > > redistribute bgp xxxx route-map blah > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ATolstykh at integrysgroup.com Wed Jan 13 15:40:08 2010
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew) Date: Wed, 13 Jan 2010 14:40:08 -0600 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: References: Message-ID: <3F3802329EC1534FBCEAB6DDC0BD807C01E675ED@DOB-BXVS3.integrysgroup.net> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ospfshmk. html Using a Sham-Link to Correct OSPF Backdoor Routing Although OSPF PE-CE connections assume that the only path between two client sites is across the MPLS VPN backbone, backdoor paths between VPN sites (shown in grey in Figure 2) may exist. If these sites belong to the same OSPF area, the path over a backdoor link will always be selected because OSPF prefers intraarea paths to interarea paths. (PE routers advertise OSPF routes learned over the VPN backbone as interarea paths.) For this reason, OSPF backdoor links between VPN sites must be taken into account so that routing is performed based on policy. -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of null zeroroute Sent: Wednesday, January 13, 2010 2:20 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] BGP to OSPF redistribution I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes. No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred. The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons. WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup. The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550. We considered GRE over the provider's network however we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path. Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external? I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From buz.dale at usg.edu Wed Jan 13 16:19:38 2010
From: buz.dale at usg.edu (Harold 'Buz' Dale) Date: Wed, 13 Jan 2010 16:19:38 -0500 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com> References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com> Message-ID: Can you stop learning routes from 'provider b' and add it back as a default? Then everything should go to the more specific route and if 'provider a' goes down things will then go through 'provider b'? Luck, Buz -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saxon Jones Sent: Wednesday, January 13, 2010 3:39 PM To: null zeroroute Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] BGP to OSPF redistribution Actually I re-read your problem. Sham links may be a solution to look at, if you control the right pieces of equipment. You can also mess with the AD of OSPF external routes versus OSPF internal routes but this is probably a Bad Idea(TM) (and my testing of this a few years ago showed it didn't have the desired result). ______________________________ Saxon Jones Email: saxon.jones at gmail.com Telephone: (780) 669-0899 Toll-free: (866) 701-8022 United Kingdom: 0(1315)168664 2010/1/13 Saxon Jones > If I understand your question properly, why not just change the > administrative distance of the eBGP routes to something less than 110. > ______________________________ > Saxon Jones > > Email: saxon.jones at gmail.com > > > 2010/1/13 null zeroroute > >> I'm having a problem trying to figure out a way to get eBGP learned routes >> (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the >> routes learned via the provider are preferred over the internally learned >> OSPF routes. >> >> No matter where the BGP-->OSPF redistribution point is, if it's the PE or >> CE, the routes will still show up (by default) as OSPF external, and will >> never be preferred. >> >> The provider whose path we prefer will only run BGP. We would like to use >> OSPF everywhere if possible, for several reasons. >> >> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. >> WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. >> Provider B's network is inferior at times and we use it as a backup. >> >> The equipment where the eBGP peering relationships exist is a mix of 7600, >> 3800, 2800, 1800, 6500, 3750, 3550.
>> >> We considered GRE over the provider's network however we then wind up with >> 25+ tunnels at each location, and that just grows as each new site is >> added, >> not to mention some potential issues regarding throughput with a GRE >> tunnel >> in the path. >> >> Is there a way to redistribute BGP into OSPF so that the routes can be >> anything but OSPF external? >> >> I have not found a way to do this yet, and was wondering if it's even >> possible, or if I'm missing something obvious. Any suggestions >> appreciated. >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ras at e-gerbil.net Wed Jan 13 16:20:44 2010
From: ras at e-gerbil.net (Richard A Steenbergen) Date: Wed, 13 Jan 2010 15:20:44 -0600 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> Message-ID: <20100113212044.GI75640@gerbil.cluepon.net> On Wed, Jan 13, 2010 at 12:31:41PM -0800, Cord MacLeod wrote: > > I think you are looking for redistribution. Make sure you have plenty > of filters in the way of this, but that's what you are looking for. > > router ospf xxx > redistribute bgp xxxx route-map blah Don't forget to double check your out of band and remote reboot power strips for the day someone types "no redistribute bgp xxxx route-map blah" thinking it will remove the entire line instead of just the route-map, 'cause that router will be going down in flames. :) -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From nullzero.route at gmail.com Wed Jan 13 16:21:07 2010 From: nullzero.route at gmail.com (null zeroroute) Date: Wed, 13 Jan 2010 16:21:07 -0500 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com> Message-ID: We need provider A to carry the default. Provider B is actually a layer-2 VPN MPLS provider, so the OSPF neighbors are our own routers. On Wed, Jan 13, 2010 at 4:19 PM, Harold 'Buz' Dale wrote: > Can you stop learning routes from 'provider b' and add it back as a > default? Then everything should go to the more specific route and if > 'provider a' goes down things will then go through 'provider b'? > > Luck, > Buz > > -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto: > cisco-nsp-bounces at puck.nether.net] On Behalf Of Saxon Jones > Sent: Wednesday, January 13, 2010 3:39 PM > To: null zeroroute > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] BGP to OSPF redistribution > > Actually I re-read your problem. Sham links may be a solution to look at, > if > you control the right pieces of equipment. You can also mess with the AD of > OSPF external routes versus OSPF internal routes but this is probably a Bad > Idea(TM) (and my testing of this a few years ago showed it didn't have the > desired result). > > ______________________________ > Saxon Jones > > Email: saxon.jones at gmail.com > Telephone: (780) 669-0899 > Toll-free: (866) 701-8022 > United Kingdom: 0(1315)168664 > > > > 2010/1/13 Saxon Jones > > > If I understand your question properly, why not just change the > > administrative distance of the eBGP routes to something less than 110. > > ______________________________ > > Saxon Jones > > > > Email: saxon.jones at gmail.com > > > > > > 2010/1/13 null zeroroute > > > >> I'm having a problem trying to figure out a way to get eBGP learned > routes > >> (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that > the > >> routes learned via the provider are preferred over the internally > learned > >> OSPF routes. > >> > >> No matter where the BGP-->OSPF redistribution point is, if it's the PE > or > >> CE, the routes will still show up (by default) as OSPF external, and > will > >> never be preferred. > >> > >> The provider whose path we prefer will only run BGP. We would like to > use > >> OSPF everywhere if possible, for several reasons. > >> > >> WAN provider A is a layer-3 VPN MPLS network, and is the preferred > path. > >> WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. > >> Provider B's network is inferior at times and we use it as a backup.
> >> > >> The equipment where the eBGP peering relationships exist is a mix of > 7600, > >> 3800, 2800, 1800, 6500, 3750, 3550. > >> > >> We considered GRE over the provider's network however we then wind up > with > >> 25+ tunnels at each location, and that just grows as each new site is > >> added, > >> not to mention some potential issues regarding throughput with a GRE > >> tunnel > >> in the path. > >> > >> Is there a way to redistribute BGP into OSPF so that the routes can be > >> anything but OSPF external? > >> > >> I have not found a way to do this yet, and was wondering if it's even > >> possible, or if I'm missing something obvious. Any suggestions > >> appreciated. > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From nullzero.route at gmail.com Wed Jan 13 16:25:04 2010
From: nullzero.route at gmail.com (null zeroroute) Date: Wed, 13 Jan 2010 16:25:04 -0500 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: <20100113212044.GI75640@gerbil.cluepon.net> References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> <20100113212044.GI75640@gerbil.cluepon.net> Message-ID: Very good suggestion; however, the provider is not sending the internet routing table, only our own internal network's routes. Or are you suggesting some providers make mistakes and send full internet tables to a private VRF customer? We already had our layer-2 VPN MPLS provider join our network with someone else's, and we learned the hard way why you should never ever ever connect a layer-2 switch to that provider, especially one that doesn't support turning off VTP on an interface. Oh yeah, and using VTP passwords doesn't hurt either :) On Wed, Jan 13, 2010 at 4:20 PM, Richard A Steenbergen wrote: > On Wed, Jan 13, 2010 at 12:31:41PM -0800, Cord MacLeod wrote: > > > > I think you are looking for redistribution. Make sure you have plenty > > of filters in the way of this, but that's what you are looking for. > > > > router ospf xxx > > redistribute bgp xxxx route-map blah > > Don't forget to double check your out of band and remote reboot power > strips for the day someone types "no redistribute bgp xxxx route-map > blah" thinking it will remove the entire line instead of just the > route-map, 'cause that router will be going down in flames. :) > > -- > Richard A Steenbergen http://www.e-gerbil.net/ras > GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) > From schilling2006 at gmail.com Wed Jan 13 16:40:29 2010
From: schilling2006 at gmail.com (schilling) Date: Wed, 13 Jan 2010 16:40:29 -0500 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com> Message-ID: I don't think a sham link will work in this case either. You are running eBGP with provider A? You are only concerned about your iBGP routes from other sites, right? Changing the iBGP administrative distance to be lower than 110 might work for you. Schilling On Wed, Jan 13, 2010 at 4:03 PM, null zeroroute wrote: > We only manage the CE devices, not the PEs. I just reviewed the sham-link > documentation, and my understanding is that the provider needs to configure > sham links between each PE over their backbone. I don't think they'll > support this. I'm rather certain that they will only support BGP or > standard redistribution. > > On Wed, Jan 13, 2010 at 3:39 PM, Saxon Jones wrote: > >> Actually I re-read your problem. Sham links may be a solution to look at, >> if you control the right pieces of equipment. You can also mess with the AD >> of OSPF external routes versus OSPF internal routes but this is probably a >> Bad Idea(TM) (and my testing of this a few years ago showed it didn't have >> the desired result). >> >> ______________________________ >> Saxon Jones >> >> Email: saxon.jones at gmail.com >> Telephone: (780) 669-0899 >> Toll-free: (866) 701-8022 >> United Kingdom: 0(1315)168664 >> >> >> >> 2010/1/13 Saxon Jones >> >> If I understand your question properly, why not just change the >>> administrative distance of the eBGP routes to something less than 110.
>>> ______________________________ >>> Saxon Jones >>> >>> Email: saxon.jones at gmail.com >>> >>> >>> 2010/1/13 null zeroroute >>> >>>> I'm having a problem trying to figure out a way to get eBGP learned >>>> routes >>>> (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that >>>> the >>>> routes learned via the provider are preferred over the internally learned >>>> OSPF routes. >>>> >>>> No matter where the BGP-->OSPF redistribution point is, if it's the PE or >>>> CE, the routes will still show up (by default) as OSPF external, and will >>>> never be preferred. >>>> >>>> The provider whose path we prefer will only run BGP. We would like to >>>> use >>>> OSPF everywhere if possible, for several reasons. >>>> >>>> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. >>>> WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. >>>> Provider B's network is inferior at times and we use it as a backup. >>>> >>>> The equipment where the eBGP peering relationships exist is a mix of 7600, >>>> 3800, 2800, 1800, 6500, 3750, 3550. >>>> >>>> We considered GRE over the provider's network however we then wind up with >>>> 25+ tunnels at each location, and that just grows as each new site is >>>> added, >>>> not to mention some potential issues regarding throughput with a GRE >>>> tunnel >>>> in the path. >>>> >>>> Is there a way to redistribute BGP into OSPF so that the routes can be >>>> anything but OSPF external? >>>> >>>> I have not found a way to do this yet, and was wondering if it's even >>>> possible, or if I'm missing something obvious. Any suggestions >>>> appreciated.
>>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> >>> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From v.jones at networkingunlimited.com Wed Jan 13 16:43:56 2010 From: v.jones at networkingunlimited.com (Vincent C Jones) Date: Wed, 13 Jan 2010 16:43:56 -0500 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: References: Message-ID: <1263419036.11618.143.camel@X61.NetworkingUnlimited.nul> On Wed, 2010-01-13 at 21:50 +0100, Mikael Abrahamsson wrote: > On Wed, 13 Jan 2010, null zeroroute wrote: > > > Is there a way to redistribute BGP into OSPF so that the routes can be > > anything but OSPF external? > > Change in what order routing protocols are selected (administrative > distance): > > http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml > Have you considered converting your current WAN OSPF links to BGP so you can use standard BGP route preference controls to select the best route? If that is not possible, another approach (albeit painful) is to use route summarization/fragmentation so that the BGP routes are longer prefixes than the remote OSPF routes. Good luck and have fun! -- Vincent C. Jones Networking Unlimited, Inc. Phone: +1 201 568-7810 V.Jones at NetworkingUnlimited.com From nullzero.route at gmail.com Wed Jan 13 16:52:02 2010
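Editor's note: the suggestions above (Saxon's and Mikael's administrative-distance idea, the sham-link excerpt Andrew posted, and Vincent's longer-prefix workaround) all come down to two selection rules that are easy to conflate, so here is a small Python model of them. This is an added example, not code from the thread or from any of its participants. The routes, prefixes, costs and the labels "providerA"/"providerB" are constructed to match the scenario in the original post; the model covers one OSPF process and leaves out ECMP and the E2 forward-metric tie-breaker. It shows why a route redistributed from BGP into OSPF cannot beat an intra-area OSPF path for the same prefix on the OSPF-only routers, why lowering the AD of OSPF externals does not change that within a single process (AD only arbitrates between different protocols), why the CE that holds the eBGP session does prefer provider A, and how longer prefixes or a sham link change the outcome.

```python
"""Constructed model of how a Cisco-style router picks a route (added example,
not from the thread). Two rules the discussion keeps running into:

  1. Within one OSPF process, path type is compared before cost
     (RFC 2328 16.4.1): intra-area > inter-area > external type 1 > type 2.
     OSPF hands the RIB only that single best route per prefix.
  2. The RIB compares protocols by administrative distance (AD); the
     forwarding lookup then takes the longest matching prefix.

Prefixes, costs and the "providerA"/"providerB" labels are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

OSPF_TYPE_RANK = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}  # lower wins
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                      # "ospf", "ebgp", ...
    cost: int = 0
    ospf_type: Optional[str] = None  # only meaningful when source == "ospf"
    via: str = ""                    # which exit this path uses (label only)


def ospf_best(candidates: List[Route]) -> Route:
    """One OSPF process submits a single route: best path type, then lowest cost."""
    return min(candidates, key=lambda r: (OSPF_TYPE_RANK[r.ospf_type], r.cost))


def admin_distance(r: Route, override: Dict[Tuple[str, Optional[str]], int]) -> int:
    """Emulates 'distance ospf external N' (key ("ospf", "E2")) or a plain
    'distance N ...' for a protocol (key (source, None)); else the IOS default."""
    for key in ((r.source, r.ospf_type), (r.source, None)):
        if key in override:
            return override[key]
    return DEFAULT_AD[r.source]


def build_rib(routes: List[Route], override=None) -> Dict[str, Route]:
    """Per prefix: each protocol offers its best route, the RIB keeps the lowest AD."""
    override = override or {}
    by_prefix: Dict[str, List[Route]] = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    rib: Dict[str, Route] = {}
    for prefix, cands in by_prefix.items():
        offers = []
        for src in sorted({c.source for c in cands}):
            own = [c for c in cands if c.source == src]
            offers.append(ospf_best(own) if src == "ospf" else min(own, key=lambda r: r.cost))
        rib[prefix] = min(offers, key=lambda r: admin_distance(r, override))
    return rib


def lookup(rib: Dict[str, Route], dst: str) -> Optional[Route]:
    """Longest-prefix match against the installed routes."""
    addr = ip_address(dst)
    matches = [p for p in rib if addr in ip_network(p)]
    return rib[max(matches, key=lambda p: ip_network(p).prefixlen)] if matches else None


# The intra-area path learned over provider B's layer-2 VPN (the "backdoor").
BACKDOOR = Route("10.20.0.0/16", "ospf", cost=5000, ospf_type="intra", via="providerB")


def ospf_only_router(override=None) -> str:
    """A firewall that only runs OSPF: the E2 route the CE redistributed from
    provider A loses to the intra-area path, whatever the costs or ADs."""
    e2 = Route("10.20.0.0/16", "ospf", cost=1, ospf_type="E2", via="providerA")
    return lookup(build_rib([e2, BACKDOOR], override), "10.20.1.1").via


def ce_router() -> str:
    """The CE that holds the eBGP session: eBGP (AD 20) beats OSPF (AD 110)."""
    bgp = Route("10.20.0.0/16", "ebgp", via="providerA")
    return lookup(build_rib([bgp, BACKDOOR]), "10.20.1.1").via


def longer_prefixes(provider_a_up: bool = True) -> Tuple[str, str]:
    """Redistribute /17s where OSPF carries the /16: longest match wins while
    provider A is up, and the /16 over provider B stays as the fallback."""
    halves = [Route("10.20.0.0/17", "ospf", cost=1, ospf_type="E2", via="providerA"),
              Route("10.20.128.0/17", "ospf", cost=1, ospf_type="E2", via="providerA")]
    rib = build_rib([BACKDOOR] + (halves if provider_a_up else []))
    return lookup(rib, "10.20.1.1").via, lookup(rib, "10.20.200.1").via


def vpn_backbone(sham_link: bool) -> str:
    """Without a sham link the PE advertises VPN routes as inter-area and the
    intra-area backdoor wins; with one, both are intra-area and cost decides."""
    vpn = Route("10.20.0.0/16", "ospf", cost=10,
                ospf_type="intra" if sham_link else "inter", via="providerA")
    return lookup(build_rib([vpn, BACKDOOR]), "10.20.1.1").via


if __name__ == "__main__":
    print("OSPF-only router, default ADs:", ospf_only_router())
    print("OSPF-only router, distance ospf external 19:", ospf_only_router({("ospf", "E2"): 19}))
    print("CE with the eBGP session:", ce_router())
    print("longer prefixes via BGP (A up / A down):", longer_prefixes(), longer_prefixes(False))
    print("MPLS VPN without / with sham link:", vpn_backbone(False), vpn_backbone(True))
```

Run it as a script to see the six outcomes side by side. The point of the model is the separation between the two arbiters: `ospf_best` never looks at AD, and `build_rib` never looks at OSPF path type, which is why `distance ospf external` changes nothing on the OSPF-only routers here, while the longer-prefix and sham-link variants work by changing what OSPF itself offers the RIB.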
From: nullzero.route at gmail.com (null zeroroute) Date: Wed, 13 Jan 2010 16:52:02 -0500 Subject: [c-nsp] BGP to OSPF redistribution In-Reply-To: <1263419036.11618.143.camel@X61.NetworkingUnlimited.nul> References: <1263419036.11618.143.camel@X61.NetworkingUnlimited.nul> Message-ID: Thanks for your suggestion. We want to use OSPF because it will scale more easily in our network. For example, if we ran BGP over the layer-2 provider's network, we would need (today) 25 neighbors at every site; every time a new site is added, new neighbors need to be created everywhere, etc. to keep the one-hop-away design. Route reflectors got too complicated. It's also very helpful to have firewalls running OSPF when there are multiple egress points to extranet partner locations or the internet etc. On Wed, Jan 13, 2010 at 4:43 PM, Vincent C Jones < v.jones at networkingunlimited.com> wrote: > On Wed, 2010-01-13 at 21:50 +0100, Mikael Abrahamsson wrote: > > On Wed, 13 Jan 2010, null zeroroute wrote: > > > > > Is there a way to redistribute BGP into OSPF so that the routes can be > > > anything but OSPF external? > > > > Change in what order routing protocols are selected (administrative > > distance): > > > > > http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml > > > > Have you considered converting your current WAN OSPF links to BGP so you > can use standard BGP route preference controls to select the best route? > > If that is not possible, another approach (albeit painful) is to use > route summarization/fragmentation so that the BGP routes are longer > prefixes than the remote OSPF routes. > > Good luck and have fun! > -- > Vincent C. Jones > Networking Unlimited, Inc. > Phone: +1 201 568-7810 > V.Jones at NetworkingUnlimited.com > > From nullzero.route at gmail.com Wed Jan 13 17:03:34 2010
From: nullzero.route at gmail.com (null zeroroute)
Date: Wed, 13 Jan 2010 17:03:34 -0500
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: <1263419036.11618.143.camel@X61.NetworkingUnlimited.nul>
Message-ID: 

So far I like the idea of modifying the AD for OSPF external routes under the
OSPF config, or under the OSPF config modifying the AD for routes learned only
from the CE BGP->OSPF redistribution point router, with an ACL matching
specific (or all) routes. That would probably give us quite a bit of control.
I recall having mixed experiences with a similar config related to BGP->EIGRP
redistribution though; I'll definitely need to lab it up because it seems the
metrics are calculated a bit differently based on what type of OSPF route it
becomes. I need to brush up on my OSPF.

For example, at the BGP->OSPF redist border router...

router ospf 1
 redistribute bgp blah
 distance ospf external 19

Or... (the distance command takes a standard ACL after the source
router-id and wildcard, so the list is numbered 10 here)

access-list 10 permit
router ospf 1
 redistribute bgp blah
 distance 19 0.0.0.0 255.255.255.255 10

Thanks to all for your suggestions!

From jshearer at amedisys.com Wed Jan 13 17:20:35 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Wed, 13 Jan 2010 16:20:35 -0600
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com>
Message-ID: 

How about running a separate OSPF AS over the WAN and distributing it and
your BGP into a "core" OSPF AS. You could metric the "WAN" OSPF AS in with
different values/tags.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of null zeroroute
Sent: Wednesday, January 13, 2010 3:21 PM
To: Harold 'Buz' Dale
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP to OSPF redistribution

We need provider A to carry the default. Provider B is actually a layer-2 VPN
MPLS provider, so the OSPF neighbors are our own routers.

On Wed, Jan 13, 2010 at 4:19 PM, Harold 'Buz' Dale wrote:

> Can you stop learning routes from 'provider b' and add it back as a
> default? Then everything should go to the more specific route and if
> 'provider a' goes down things will then go through 'provider b'?
>
> Luck,
> Buz
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Saxon Jones
> Sent: Wednesday, January 13, 2010 3:39 PM
> To: null zeroroute
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP to OSPF redistribution
>
> Actually I re-read your problem. Sham links may be a solution to look at,
> if you control the right pieces of equipment. You can also mess with the AD
> of OSPF external routes versus OSPF internal routes but this is probably a
> Bad Idea(TM) (and my testing of this a few years ago showed it didn't have
> the desired result).
>
> ______________________________
> Saxon Jones
>
> Email: saxon.jones at gmail.com
> Telephone: (780) 669-0899
> Toll-free: (866) 701-8022
> United Kingdom: 0(1315)168664
>
>
>
> 2010/1/13 Saxon Jones
>
> > If I understand your question properly, why not just change the
> > administrative distance of the eBGP routes to something less than 110.
> > ______________________________
> > Saxon Jones
> >
> > Email: saxon.jones at gmail.com
> >
> >
> > 2010/1/13 null zeroroute
> >
> >> I'm having a problem trying to figure out a way to get eBGP learned
> >> routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so
> >> that the routes learned via the provider are preferred over the
> >> internally learned OSPF routes.
> >>
> >> No matter where the BGP-->OSPF redistribution point is, if it's the PE
> >> or CE, the routes will still show up (by default) as OSPF external, and
> >> will never be preferred.
> >>
> >> The provider whose path we prefer will only run BGP. We would like to
> >> use OSPF everywhere if possible, for several reasons.
> >>
> >> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path.
> >> WAN provider B is a layer-2 VPN MPLS network over which we run OSPF.
> >> Provider B's network is inferior at times and we use it as a backup.
> >>
> >> The equipment where the eBGP peering relationships exist is a mix of
> >> 7600, 3800, 2800, 1800, 6500, 3750, 3550.
> >>
> >> We considered GRE over the provider's network, however we then wind up
> >> with 25+ tunnels at each location, and that just grows as each new site
> >> is added, not to mention some potential issues regarding throughput with
> >> a GRE tunnel in the path.
> >>
> >> Is there a way to redistribute BGP into OSPF so that the routes can be
> >> anything but OSPF external?
> >>
> >> I have not found a way to do this yet, and was wondering if it's even
> >> possible, or if I'm missing something obvious. Any suggestions
> >> appreciated.
> >>
> >
> >
>

*** NOTICE--The attached communication contains privileged and confidential
information. If you are not the intended recipient, DO NOT read, copy, or
disseminate this communication. Non-intended recipients are hereby placed on
notice that any unauthorized disclosure, duplication, distribution, or taking
of any action in reliance on the contents of these materials is expressly
prohibited. If you have received this communication in error, please delete
this information in its entirety and contact the Amedisys Privacy Hotline at
1-866-518-6684. Also, please immediately notify the sender via e-mail that you
have received this communication in error.
***

From thegameiam at yahoo.com Wed Jan 13 17:32:15 2010
From: thegameiam at yahoo.com (David Barak)
Date: Wed, 13 Jan 2010 14:32:15 -0800 (PST)
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> <20100113212044.GI75640@gerbil.cluepon.net>
Message-ID: <180124.98877.qm@web31802.mail.mud.yahoo.com>

----- Original Message ----
From: null zeroroute nullzero.route at gmail.com

> Very good suggestion, however the provider is not sending the internet
> routing table, only our own internal network's routes. Or are you
> suggesting some providers make mistakes and send full internet tables to a
> private VRF customer? We already had our layer-2 VPN MPLS provider join our
> network with someone else's, and we learned the hard way why you should
> never ever ever connect a layer-2 switch to that provider, especially one
> that doesn't support turning off VTP on an interface. Oh yeah, and using VTP
> passwords doesn't hurt either :)

Why not just use site-to-site BGP across the VPLS provider instead of OSPF? A
simple prepend will make sure that the AS_PATHs work out right, and then all
of the ickiness which is redistribution can be avoided.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

From marklah at gmail.com Wed Jan 13 18:08:53 2010
From: marklah at gmail.com (Mark Lah)
Date: Wed, 13 Jan 2010 18:08:53 -0500
Subject: [c-nsp] BGP to OSPF redistribution
Message-ID: 

Well, on the BGP-side network, the router/switch that connects the OSPF
networks, you could create 2 separate OSPF processes: 1 process for the remote
network that will neighbor up across the L2VPN, and the other process for the
OSPF network that has BGP redistributing into it (the local network from this
device's perspective). On this router/switch, then redistribute the OSPF
networks between the two processes (as noted earlier, be sure to prevent loops
with route-maps). Now all the OSPF routes are seen as External (not
necessarily ideal, but it works), and you can then set the OSPF metric (cost)
higher on the neighbor adjacency(s) than taking routes learned from the BGP
redistro. You could also do some summarization here too, which would prefer
the more specific route from BGP (may or may not be possible with your
design).

-Mark

Date: Wed, 13 Jan 2010 16:52:02 -0500
> From: null zeroroute
> To: Vincent C Jones
> Cc: cisco-nsp at puck.nether.net, Mikael Abrahamsson
> Subject: Re: [c-nsp] BGP to OSPF redistribution
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Thanks for your suggestion. We want to use OSPF because it will scale more
> easily in our network. For example, if we ran BGP over the layer-2
> provider's network, we would need (today) 25 neighbors at every site, every
> time a new site is added new neighbors need to be created everywhere, etc
> to keep the one hop away design. Route-reflectors got too complicated. It's
> also very helpful to have firewalls running OSPF when there are multiple
> egress points to extranet partner locations or the internet etc.
>

From ibrahim.abozaid at gmail.com Wed Jan 13 19:33:52 2010
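Mark Lah's two-process design only holds up if the route-maps between the processes really do stop redistribution loops. As an added example (not code from the thread or from any poster), the following Python check audits an IOS-style configuration for redistribution between OSPF processes that lacks tag-based loop prevention, and for BGP redistributed into OSPF with no prefix limit; the two sample configurations, the process numbers, the AS number and the route-map names are constructed for the example.

```python
"""Audit an IOS-style config for risky OSPF redistribution (constructed
example, not code from the cisco-nsp thread): mutual OSPF-to-OSPF
redistribution without route-map tag filtering, and BGP into OSPF with no
'redistribute maximum-prefix' limit."""
import re
from collections import defaultdict

REDIST_RE = re.compile(r"^redistribute (ospf|bgp|eigrp|rip|static|connected)\b(?:\s+(\d+))?(.*)$")


def parse_sections(config):
    """Group an IOS config into ordered (header, [indented child lines]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment
        if not raw[0].isspace():
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def route_map_entries(sections, name):
    """Return [(action, children)] for every 'route-map NAME action seq' entry."""
    return [(h.split()[2], ch) for h, ch in sections
            if h.startswith(f"route-map {name} ") and len(h.split()) >= 3]


def loop_safe(entries):
    """Loop-safe here: deny routes that already carry a tag, tag what is permitted."""
    def has(action, prefix):
        return any(a == action and any(c.startswith(prefix) for c in ch) for a, ch in entries)
    return has("deny", "match tag") and has("permit", "set tag")


def audit(config):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    sections = parse_sections(config)
    findings = []
    ospf_sources = defaultdict(dict)  # pid -> {source ospf pid: loop_safe?}
    for header, children in sections:
        if not header.startswith("router ospf "):
            continue
        pid = header.split()[2]
        has_limit = any(c.startswith("redistribute maximum-prefix") for c in children)
        for line in children:
            m = REDIST_RE.match(line)
            if not m:
                continue
            src, src_id, rest = m.groups()
            what = f"router ospf {pid}: redistribute {src}" + (f" {src_id}" if src_id else "")
            rm = re.search(r"\broute-map (\S+)", rest)
            safe = rm is not None and loop_safe(route_map_entries(sections, rm.group(1)))
            if src == "ospf" and src_id:
                ospf_sources[pid][src_id] = safe
            if rm is None:
                findings.append(f"{what} has no route-map, so nothing is filtered")
            elif src in ("ospf", "eigrp", "rip") and not safe:
                findings.append(f"{what}: route-map {rm.group(1)} lacks tag-based loop prevention")
            if src == "bgp" and not has_limit:
                findings.append(f"{what} without 'redistribute maximum-prefix'")
    for pid, sources in ospf_sources.items():
        for other, safe in sources.items():
            back = ospf_sources.get(other, {})
            if pid in back and pid < other and not (safe and back[pid]):
                findings.append(f"mutual redistribution ospf {pid} <-> ospf {other} is not tag-protected on both sides")
    return findings


# Constructed sample: two processes feeding each other unfiltered, BGP with no limit.
RISKY_CONFIG = """\
router ospf 1
 redistribute bgp 65000 subnets
 redistribute ospf 2 subnets
router ospf 2
 redistribute ospf 1 subnets
"""

# Constructed sample: the same design with tags in both directions and a prefix limit.
HARDENED_CONFIG = """\
router ospf 1
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
 redistribute ospf 2 subnets route-map OSPF2-TO-OSPF1
 redistribute maximum-prefix 1000 80
router ospf 2
 redistribute ospf 1 subnets route-map OSPF1-TO-OSPF2
!
route-map BGP-TO-OSPF permit 10
 set tag 65000
route-map OSPF2-TO-OSPF1 deny 10
 match tag 1
route-map OSPF2-TO-OSPF1 permit 20
 set tag 2
route-map OSPF1-TO-OSPF2 deny 10
 match tag 2
route-map OSPF1-TO-OSPF2 permit 20
 set tag 1
"""
```

Running `audit(RISKY_CONFIG)` returns five findings (unfiltered redistribution on both sides, the missing prefix limit and the unprotected mutual redistribution), while `audit(HARDENED_CONFIG)` returns an empty list.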
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 14 Jan 2010 02:33:52 +0200
Subject: [c-nsp] MPLS TE and PIM
In-Reply-To: 
References: 
Message-ID: 

Sorry if my question wasn't clear enough. I tried it with 2 tunnels between
two PEs and enabled sparse-mode under the tunnels, so in this case, should
traffic flow over the tunnel?

Thanks, swap

On Wed, Jan 13, 2010 at 7:21 PM, swap m wrote:

> ask yourself this way -
> 1. are TE tunnels bi-directional? answer is no
> 2. can a TE tunnel receive traffic? again the answer is no.
>
> A TE tunnel is for sending traffic, not for receiving. PIM neighborship
> hence is established on the physical interface, not on the TE interface coz you
> need bidirectional flow between the neighbors.
> RPF failures may happen when you receive multicast traffic via the physical
> interface while the routing table has a route via the TE interface. Either "mpls
> traffic-eng multicast-intact" or static mroutes can be used to solve these
> RPF issues. Forwarding adj doesn't work with the multicast-intact feature.
>
> HTH
>
> Swap
> #19804
>
> On Tue, Jan 12, 2010 at 11:38 PM, Ibrahim Abo Zaid <
> ibrahim.abozaid at gmail.com> wrote:
>
>> Hi
>>
>> I have a question about PIM: can PIM messages flow across an MPLS TE
>> tunnel? Why can't PIM neighborship be established over the tunnel?
>>
>>
>> thanks
>> --Ibrahim
>>
>

From kenny.sallee at gmail.com Wed Jan 13 20:11:19 2010
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Wed, 13 Jan 2010 17:11:19 -0800
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: 
Message-ID: <4a80ecce1001131711y124e350dw7d2e0c20df07f29c@mail.gmail.com>

>
>
> Is there a way to redistribute BGP into OSPF so that the routes can be
> anything but OSPF external?
>
>
I thought (though it's been a while and I don't have time to research) that
you could use a route-map to match external OSPF routes and set them to
internal BGP. I think it would look something like this:

route-map bgp-to-ospf permit 10
 match route-type external type-1
 set metric-type internal

asr-egv(config-route-map)#match route-type ?
  external       external route (BGP, EIGRP and OSPF type 1/2)
  internal       internal route (including OSPF intra/inter area)
  level-1        IS-IS level-1 route
  level-2        IS-IS level-2 route
  local          locally generated route
  nssa-external  nssa-external route (OSPF type 1/2)

asr-egv(config-route-map)#match route-type external ?
  type-1  OSPF external type 1 route
  type-2  OSPF external type 2 route

asr-egv(config-route-map)#set metric-type internal

But I've not tested and memory is failing me on this right now, but I swear
I did this in a lab once upon a time...

Kenny

From p.caci at seabone.net Thu Jan 14 02:09:35 2010
From: p.caci at seabone.net (Pierfrancesco Caci)
Date: Thu, 14 Jan 2010 08:09:35 +0100
Subject: [c-nsp] IOS, IOS-XR and RANCID
In-Reply-To: <4B4DEF67.5070008@renater.fr> (Simon Muyal's message of "Wed, 13 Jan 2010 17:05:59 +0100")
References: <4B4DEF67.5070008@renater.fr>
Message-ID: <87iqb5p3gw.fsf@clarabella.noc.seabone.net>

:-> "Simon" == Simon Muyal writes:

> Hello all,
> We have a network composed of Cisco equipment running IOS and IOS-XR.
> We run RANCID to manage/backup our configurations.
> Does anybody have experience with this software with both versions (IOS and
> IOS-XR)? We have difficulties integrating both versions
> simultaneously in the same RANCID process (problem of "user" and
> "admin" mode execution)

If you refer to rancid not being able to look at the full show diag because
it requires admin mode, you can apply the following patch, the trick being
that you can use admin mode commands by using "run" and calling the real
executable (in this case "run show_diag admin"). The rest of the patch
quenches some constantly changing disk size output.

--- rancid-original 2006-06-06 14:23:42.000000000 +0200 +++ rancid 2008-06-20 08:47:09.000000000 +0200 @@ -665,6 +665,8 @@ return(-1) if /(: device being squeezed|ATA_Status time out)/i; # busy return(-1) if (/command authorization failed/i); return(1) if /(Open device \S+ failed|Error opening \S+:)/; + s/\d+ bytes total \(\d+ bytes free\)/ / if ($type =~ /CRS/ and $cmd =~ /(harddisk|bootflash|disk0)/); + s/.*(uptime|temp)_cont/! / if ($type =~ /CRS/ and $cmd =~ /(harddisk|bootflash|disk0)/); # the pager can not be disabled per-session on the PIX if (/^(<-+ More -+>)/) { my($len) = length($1); @@ -1610,7 +1612,7 @@ if (defined($ENV{'NOCOMMSTR'})) { my($ip) = $1; my($line) = "snmp-server host $ip"; - my(@tokens) = split(' ', $'); + my(@tokens) = split(' ', $'); #' (This comment fixes emacs fontification) my($token); while ($token = shift(@tokens)) { if ($token eq 'version') {
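Review bot: In the first hunk (the two `+ s/.../` lines added after the `return(1)` check at line 665), the replacement strings are a lone space and `! `, so the archived CRS harddisk/bootflash/disk0 output ends up with blank and comment-only lines that give no hint anything was elided; substitute a fixed marker such as `<size elided>` instead, and add a one-line comment saying that the disk total/free counters and the uptime/temp lines change on every run. Note also that `$type =~ /CRS/` is an unanchored substring match, so any device type whose name contains CRS gets the same treatment.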
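Review bot: In the second hunk the only change is the trailing `#'` appended to the `split(' ', $')` line for emacs fontification, which is cosmetic; since the line is being touched anyway, the real smell is the `$'` postmatch variable itself, which in Perl slows every regex in the program once it is used anywhere, so capture the rest of the line in the regex that sets `$1` and split that capture instead, which also removes the need for the comment.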
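Review bot: In the third hunk, replacing `{'admin show diag' => 'ShowDiag'}` with `{'run show_diag admin' => 'ShowDiag'}` changes what the collector account has to be allowed to do, not just the command text: `run` executes a program in the IOS XR underlying shell, so the RANCID login now needs shell execution rights, which is broader than the admin-mode `show diag` it replaces. The patch should state that in a comment or the commit message, and because the new entry shares the `ShowDiag` handler with the existing `{'show diag' => 'ShowDiag'}` entry, confirm that the `show_diag` executable produces the output format `ShowDiag` already parses.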
@@ -1753,7 +1755,7 @@ {'show controllers' => 'ShowContAll'}, {'show controllers cbus' => 'ShowContCbus'}, {'show diagbus' => 'ShowDiagbus'}, - {'admin show diag' => 'ShowDiag'}, + {'run show_diag admin' => 'ShowDiag'}, {'show diag' => 'ShowDiag'}, {'show module' => 'ShowModule'}, # cat 6500-ios {'show spe version' => 'ShowSpeVersion'},

--
-------------------------------------------------------------------------------
 Pierfrancesco Caci | Network & System Administrator - INOC-DBA: 6762*PFC
 p.caci at seabone.net | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/

From perc69 at gmail.com Thu Jan 14 03:32:16 2010
From: perc69 at gmail.com (Per Carlson)
Date: Thu, 14 Jan 2010 09:32:16 +0100
Subject: [c-nsp] IOS, IOS-XR and RANCID
In-Reply-To: <4B4DEF67.5070008@renater.fr>
References: <4B4DEF67.5070008@renater.fr>
Message-ID: <746ca6da1001140032l312a16dcl973810160091b8c7@mail.gmail.com>

Hi.

> We have a network composed of Cisco equipment running IOS and IOS-XR.
> We run RANCID to manage/backup our configurations.
>
> Does anybody have experience with this software with both versions (IOS and
> IOS-XR)? We have difficulties integrating both versions simultaneously in
> the same RANCID process (problem of "user" and "admin" mode execution)

Instead of trying to fix the existing IOS module, I created a new one
specific for IOS XR. The patch is available through the RANCID mailing list,
see:
http://www.shrubbery.net/pipermail/rancid-discuss/2009-November/004385.html

Features in this module are:
* Auto-enable is default on XR devices (no more tweaking of the .clogin file)
* Time-stamps are disabled before extracting data (time-stamps are default on since 3.8)
* Commands are run both from user and admin modes

--
Pelle

From tim at haitabu.net Thu Jan 14 06:25:22 2010
From: tim at haitabu.net (tim)
Date: Thu, 14 Jan 2010 12:25:22 +0100
Subject: [c-nsp] Experiences with STM-16 to GE multiplexers/converters?
Message-ID: <20100114112522.GA20074@samstag.members.selfnet.de>

Hi all,

Does somebody have experience with STM-16 to GE multiplexers/converters?

We have several links from a fiber distributor which expects STM-16 framing
(there are some active WDMs etc.). At the moment we have an SDH overlay and
SDH components at each POP. They divide the STM-16 into at least one STM-4
(and the router handles the STM-4).

We want to get rid of the SDH components and use GE at the router side.
Therefore, we want to split the STM-16 (2.5 Gbit/s) into 2x or 4x GE lines
(yes, 4x is oversubscribed, but for backup links ok).

We have found, for example, this SDH multiplexer:
http://www.pandacomdirekt.com/de/produkte/netztopologie/sdh/speed-dualmux-sfp-25.html

Does somebody have experience and/or other vendors?

Thanks in anticipation,
Tim

From pavel.skovajsa at gmail.com Thu Jan 14 07:50:47 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Thu, 14 Jan 2010 13:50:47 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <4B4E21CF.10803@darkman.de>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de>
Message-ID: <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com>

Hi,

Glad it helped.

By suboptimal I meant the fact that it is possible (simply by sending to
ffff.ffff.ffff) to flood the traffic from one isolated access switch port
through the distribution layer into the rest of the switching fabric infra,
simply due to the fact that all uplink/downlink ports are "switchport mode
trunk". Obviously the traffic does not get into the end-user ports, but still
the trunks are utilized -> hence the functionality is a little different than
the expected "pseudowire" functionality. One would expect to have some kind
of feature configured on the distribution layer that would not forward the
traffic to the rest of the switching fabric, just to the uplink port into the
core layer -> this is probably what the "private-vlan trunk" is trying to
do.....

-pavel skovajsa

On Wed, Jan 13, 2010 at 8:41 PM, Sven 'Darkman' Michels wrote:
> Hello Pavel,
>
> first of all, thanks for your fast response!
>
> Pavel Skovajsa schrieb:
>> If I understood you correctly you can get around these limitations by
>> using the PVLAN feature on the end-user ports only and not on the
>> internal switch-to-switch links. On those links you can use normal
>> "trunk" ports and spread the PVLAN to your 6509 and terminate it on L3
>> VLAN int.
>
> Ah, okay, I thought I needed the private-vlan trunk mode, and when I enabled
> it, it just "crashed" my port channel (as in removed the port from it, which
> was not what I wanted..).
>
>
>> On your distribution (6509) you configure:
>>
>> interface Vlan10
>>  ip sticky-arp ignore <--- this is important as PVLAN VLAN interface
>> gets sticky arp by default (for some unknown reason)
>>  no ip proxy-arp
>>  private-vlan mapping 100
>>
>> and normal trunk port towards the switch fabric:
>> interface GigabitEthernet6/1
>>  switchport mode trunk
>
> Ah okay, then I'll try that one, I just limited the vlans a bit, of course ;)
>
>
>> Yes this is probably suboptimal to what you would like to accomplish
>> however the end effect is that the end-user ports cannot communicate
>> with each other - which is probably what you want.
>
> Why is that suboptimal? From what you described and what I understood, it
> works like I want: having an etherchannel to my core and protected ports on
> my edge. If the SVI is reachable from my edge, and other hosts are not, then
> I have what I want. But maybe I missed something...?
>
>
>> Another alternative is the "private-vlan trunk" feature which is
>> described over here
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1166138
>> - the trouble is that AFAIK currently it works only on C4500.
>
> That was what I thought I needed, it's available on the 3560 but it killed
> the etherchannel... and the pvlan documentation says "you cannot enable
> pvlans on an etherchannel", which is "right" as if you enable any of the
> pvlan commands on an etherchannel port, it gets removed from the
> etherchannel... but it seems that normal trunks just work for that - great ;)
>
> So, from what I know now, it should work like I want... just need to test if
> it works with more than one switch etc. but at the moment I think it will
> do so far.
>
> Thanks again for your help :)
>
> Regards,
> Sven
>

From sven at darkman.de Thu Jan 14 08:15:00 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Thu, 14 Jan 2010 14:15:00 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com>
Message-ID: <4B4F18D4.4030808@darkman.de>

Hi Pavel,

Pavel Skovajsa schrieb:
> by suboptimal I meant the fact it is possible (simply by sending to
> ffff.ffff.ffff) to flood the traffic from one isolated access switch
> port through distribution layer, into the rest of the switching fabric
> infra simply due to the fact that all uplink/downlink ports are
> "switchport mode trunks". Obviously the traffic does not get into the
> end-user ports, but still the trunk are utilized -> hence the
> functionality is little different then the expected "pseudowire"
> functionality.

Ah, okay. But that I try to limit with other features (things like limited
broadcast for a port etc.), so this should not be a big deal, should it?
The main goal is to prevent "local" attacks from one server to another, like
having a compromised host sniffing the rest after flooding the MAC table, or
doing some ARP spoofing... or whatsoever ;) This should still be the case,
even with the trunks, right?

Regards,
Sven

From jaitken at aitken.com Thu Jan 14 08:16:00 2010
From: jaitken at aitken.com (Jeff Aitken)
Date: Thu, 14 Jan 2010 13:16:00 +0000
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> <20100113212044.GI75640@gerbil.cluepon.net>
Message-ID: <20100114131600.GA7162@eagle.aitken.com>

On Wed, Jan 13, 2010 at 04:25:04PM -0500, null zeroroute wrote:
> Very good suggestion, however the provider is not sending the internet
> routing table, only our own internal network's routes. Or are you
> suggesting some providers make mistakes and send full internet tables to a
> private VRF customer?

What he's saying is that any time you redistribute BGP into $IGP, you are
playing with fire. The likelihood of a mistake may be low but the cost of a
mistake is high. One thing you'll definitely want to use is the
'redistribute maximum-prefix' command:

router ospf $PID
 redistribute maximum-prefix $LIMIT

This should help limit the damage if there's a redistribution "accident".

--Jeff

From mksmith at adhost.com Thu Jan 14 12:16:06 2010
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 14 Jan 2010 09:16:06 -0800
Subject: [c-nsp] DS3 over STM1
In-Reply-To: <20100113091915.GX857@greenie.muc.de>
References: <20100113091915.GX857@greenie.muc.de>
Message-ID: <17838240D9A5544AAA5FF95F8D52031607735286@ad-exh01.adhost.lan>

Hello Ian:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Wednesday, January 13, 2010 1:19 AM
> To: Ian Henderson
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] DS3 over STM1
>
> Hi,
>
> On Tue, Jan 12, 2010 at 11:15:10PM +0800, Ian Henderson wrote:
> > The new carrier has provisioned a 45Mbit clear channel service with a
> > DS3 at the remote site, and a channelised STM1 at the head office. I
> > can't seem to find a combination of router/card/mux to make this work.
>
> I'd ask the carrier to deliver clear channel DS3 on both ends.
>
> After all, that's what you ordered ("give us a DS3!"), no?
>
> gert
> --

I'm not sure what platform you have, but there are channelized STM-1 cards
for the 7200, 7500 and the 1000 series routers. You should be able to peel
off a single DS-3 on the STM-1 and get the right framing and signaling to
carry it through to your other location.

Google "channelized stm-1 cisco"

Regards,

Mike

From ecables at gmail.com Thu Jan 14 12:31:55 2010
From: ecables at gmail.com (Eric Cables)
Date: Thu, 14 Jan 2010 09:31:55 -0800
Subject: [c-nsp] Cisco UCS
Message-ID: 

Our local sales team has really been bombarding us with material on Cisco's
UCS (Unified Compute System) as of late, and I was wondering who on this list
has begun deployment of UCS. If you have decided to deploy, how has your
experience been? Also, I'd like to hear how you were able to convince your
server folks to switch from , to a Cisco based hardware platform.

Thanks,

--
Eric Cables

From gert at greenie.muc.de Thu Jan 14 12:40:41 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 14 Jan 2010 18:40:41 +0100
Subject: [c-nsp] DS3 over STM1
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031607735286@ad-exh01.adhost.lan>
References: <20100113091915.GX857@greenie.muc.de> <17838240D9A5544AAA5FF95F8D52031607735286@ad-exh01.adhost.lan>
Message-ID: <20100114174041.GM857@greenie.muc.de>

Hi,

On Thu, Jan 14, 2010 at 09:16:06AM -0800, Michael K. Smith - Adhost wrote:
> I'm not sure what platform you have, but there are channelized STM-1
> cards for the 7200, 7500 and the 1000 series routers. You should be
> able to peel off a single DS-3 on the STM-1 and get the right framing
> and signaling to carry it through to your other location.
>
> Google "channelized stm-1 cisco"

If I understood the original poster correctly, none of them did "STM-1 and
DS3" - it's either "all the way down to E1" or "E3".

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From razor at meganet.net Thu Jan 14 15:09:17 2010
From: razor at meganet.net (P.A)
Date: Thu, 14 Jan 2010 15:09:17 -0500
Subject: [c-nsp] cisco frame-relay termination without a frame switch -update
Message-ID: <01c001ca9555$735b1bf0$5a1153d0$@net>

Just putting this out there in case it helps someone. This example shows a
7200 with two connected routers. I also got frame-relay termination working
with a 6500, but that platform does not seem to support the command needed to
create frame-relay PVCs, the frame-relay route command. Another thing I found:
for some reason on the 7200 I had to disable frame-relay inverse ARP with the
frame-relay map command for it to work. On the 6500 this was not an issue. I
also noticed on the 7200 that on some interfaces, for whatever reason, int
ser5/0:1, I needed to have the frame-relay map statement for 1.1.1.1 to be
able to ping it. This again was not an issue on the 6500. Also remember you
will need the frame-relay switching command in global config mode for the
router to be turned into a frame switch. Hope this helps someone.

Thanks,
Paul

7200: config - c7200-p-mz.122-17a.bin

interface Serial5/0:1
 ip address 1.1.1.1 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 500
 frame-relay map ip 1.1.1.2 500
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 40 interface Serial5/1:1 40
!
interface Serial5/0:1.30 point-to-point
 ip address 1.1.1.9 255.255.255.252
 frame-relay interface-dlci 30
!
interface Serial5/1:1
 ip address 1.1.1.5 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.5 500
 frame-relay map ip 1.1.1.6 500
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 40 interface Serial5/0:1 40

site A:

interface Serial0
 ip address 1.1.1.2 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay interface-dlci 500
 frame-relay lmi-type ansi
!
interface Serial0.30 point-to-point
 ip address 1.1.1.10 255.255.255.252
 frame-relay interface-dlci 30
!
interface Serial0.40 point-to-point
 ip address 1.1.1.13 255.255.255.252
 frame-relay interface-dlci 40 IETF

Site B:

interface Serial0
 ip address 1.1.1.6 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay interface-dlci 500
 frame-relay lmi-type ansi
!
interface Serial0.40 point-to-point
 description PRIVATE PVC back to 1st t1.
 ip address 1.1.1.14 255.255.255.252
 frame-relay interface-dlci 40 IETF

From: P.A [mailto:razor at meganet.net]
Sent: Wednesday, January 06, 2010 2:41 PM
To: 'cisco-nsp at puck.nether.net'
Subject: cisco frame-relay termination without a frame switch

Hi, we have a frame-relay switch that is no longer working. We have 28 T1s on
a channelized T3. I was wondering if anyone knows how and if it's possible to
terminate frame lines on a Cisco, either a 7200 or 6500, without a frame
switch. I followed the example here,
http://www.ciscopress.com/articles/article.asp?p=170741&seqNum=7
but this will not work for me as it assumes you have 2 different frame-relay
circuits on two different T1 ports. I'm using a PA MC T# card and I also
tried creating sub interfaces off the T1 channel, but when I use the
frame-relay route command it gives me an error that both DLCIs are on the same
interface. All I'm trying to do is terminate a frame-relay on a Cisco without
a frame-relay switch. If this is possible could someone give me an example or
point me in that direction.

Thanks!
Paul

From gregpclark at gmail.com Thu Jan 14 20:47:07 2010
From: gregpclark at gmail.com (Greg Clark)
Date: Thu, 14 Jan 2010 19:47:07 -0600
Subject: [c-nsp] OSPF on ASA with large routing tables
Message-ID: <44ae085f1001141747r5951bf09ka16e3cb239a9eb92@mail.gmail.com>

We're considering running OSPF on a handful of core ASA 5580s, but our routing
table is somewhat large (roughly 10,000 routes). Does anyone have any
experience running OSPF on an ASA platform with a large number of routes on a
production network? Did you run into any limitations or issues? We don't plan
on running multiple contexts and will not have a large number of
peers/neighbors, just a large routing table.

Thanks,
Greg

From jshearer at amedisys.com Thu Jan 14 21:03:01 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Thu, 14 Jan 2010 20:03:01 -0600
Subject: [c-nsp] OSPF on ASA with large routing tables
In-Reply-To: <44ae085f1001141747r5951bf09ka16e3cb239a9eb92@mail.gmail.com>
References: <44ae085f1001141747r5951bf09ka16e3cb239a9eb92@mail.gmail.com>
Message-ID: 

We run a 5540 with about 8500 routes with no real problems. I do plan on doing
some filtering just to minimize the size of its table for efficiency.

FYI - ASA in multi-context mode doesn't support dynamic routing protocols.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Greg Clark
Sent: Thursday, January 14, 2010 7:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OSPF on ASA with large routing tables

We're considering running OSPF on a handful of core ASA 5580s but our routing table is somewhat large (roughly 10,000 routes). Does anyone have any experience running OSPF on an ASA platform with a large number of routes on a production network? Did you run into any limitations or issues? We don't plan on running multiple contexts and will not have a large number of peers/neighbors, just a large routing table.

Thanks,

Greg
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From lists at nexus6.co.za Thu Jan 14 21:32:30 2010
From: lists at nexus6.co.za (Andy Ashley)
Date: Fri, 15 Jan 2010 03:32:30 +0100
Subject: [c-nsp] RIB failure : Higher admin distance
Message-ID: <4B4FD3BE.3090803@nexus6.co.za>

Hi all,

We have two routers at site A and one at site B; both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers. The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B.

We run OSPF between all the routers/switches, also over the private link between site A and B, and use "redistribute static subnets".

There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks, the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path).

There is an issue: We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A. However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure.

(Site A Router)#sh ip bgp rib-failure
Network             Next Hop                RIB-failure             RIB-NH Matches
X.X.X.X/20          (Layer 3 Core Switch)   Higher admin distance   n/a
etc etc (there is a list of all of our static routes here)

(Site A Router)#show ip bgp (Slash /24 in question)
BGP routing table entry for (Slash /24 in question)/24, version 4317116
Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17))
  Not advertised to any peer
  (65003)
    (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X)
      Origin IGP, metric 0, localpref 100, valid, confed-internal, best
      Community: ASN:200 no-export

(Site A Router)#show ip route (Slash /24 in question)
Routing entry for (Slash /24 in question)/24
  Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2
  Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago
  Routing Descriptor Blocks:
  * (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8
      Route metric is 20, traffic share count is 1

The rib failure condition seems to be persistent. Any ideas how to overcome this issue?

Thanks.
Andy.

From jasonleblanc at gmail.com Thu Jan 14 22:57:16 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Thu, 14 Jan 2010 20:57:16 -0700
Subject: [c-nsp] OSPF Campus Design : Excessive SPF Runs
Message-ID: <04693863-0847-4C78-B389-49D77AE5F069@gmail.com>

Hello,

We currently have Layer 3 Routed Access configured at all of our Metro Campus locations. There are a few obvious deviations from the best practice design guides. The current setup is:

Core -->        Datacenter Distribution --> | (fiber connect) | -->  Building Distribution -->  Access
(backbone)      (ABR)                                                (ASBR)                     (OSPF enabled access switch)

The Cisco best practice is:

Core -->        Distribution -->        Access
(backbone)      (ABR)                   (OSPF enabled access switch)

We are running NSSA with no-summary and the range command on the Datacenter Distribution routers. Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router. Vlans on each box on each floor are mutually exclusive.

Symptoms:
Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.

router-a#sh ip ospf stat
  Area 0.0.0.0: SPF algorithm executed 7865 times
  Area 192.8.208.0: SPF algorithm executed 386 times
  Area 192.70.0.0: SPF algorithm executed 563 times
  Area 192.100.0.0: SPF algorithm executed 93076 times

Questions:
Should we be advertising (passively or non-passively) L3 Vlans into OSPF?
Should we be doing Totally NSSA's instead of NSSA's?
        If not, is there a way to get the DR in NSSA to advertise a single route back as default route?
Should we be sending each campus distribution router directly to the Core so that it's the 3 hops?
Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?

Any help or advice is greatly appreciated!

Regards,

//LeBlanc

From randy_94108 at yahoo.com Fri Jan 15 00:49:44 2010
From: randy_94108 at yahoo.com (Randy)
Date: Thu, 14 Jan 2010 21:49:44 -0800 (PST)
Subject: [c-nsp] RIB failure : Higher admin distance
In-Reply-To: <4B4FD3BE.3090803@nexus6.co.za>
Message-ID: <34888.80577.qm@web80505.mail.mud.yahoo.com>

..sorry for the top posting..

Hi Andy,

You wouldn't happen to have an interface on router A with an addr. in that range, would you? *connected* eq ad of 0. A longer prefix match will not work in this case when it comes to installing routes in the bgp routing table.

Regards
./Randy

--- On Thu, 1/14/10, Andy Ashley wrote:
From: Andy Ashley
Subject: [c-nsp] RIB failure : Higher admin distance
To: cisco-nsp at puck.nether.net
Date: Thursday, January 14, 2010, 6:32 PM

Hi all,

We have two routers at site A and one at site B; both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers. The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B.

We run OSPF between all the routers/switches, also over the private link between site A and B, and use "redistribute static subnets".

There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks, the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path).

There is an issue: We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A. However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure.

(Site A Router)#sh ip bgp rib-failure
Network             Next Hop                RIB-failure             RIB-NH Matches
X.X.X.X/20          (Layer 3 Core Switch)   Higher admin distance   n/a
etc etc (there is a list of all of our static routes here)

(Site A Router)#show ip bgp (Slash /24 in question)
BGP routing table entry for (Slash /24 in question)/24, version 4317116
Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17))
  Not advertised to any peer
  (65003)
    (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X)
      Origin IGP, metric 0, localpref 100, valid, confed-internal, best
      Community: ASN:200 no-export

(Site A Router)#show ip route (Slash /24 in question)
Routing entry for (Slash /24 in question)/24
  Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2
  Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago
  Routing Descriptor Blocks:
  * (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8
      Route metric is 20, traffic share count is 1

The rib failure condition seems to be persistent. Any ideas how to overcome this issue?

Thanks.
Andy.

From stmagconsulting at gmail.com Fri Jan 15 00:55:00 2010
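A worked model of what the "Higher admin distance" output in Andy's post means, added here as an illustration and not part of the thread: the RIB compares only routes for exactly the same prefix by administrative distance, so an OSPF E2 route (110) for the /24 keeps the iBGP path (200) out of the RIB and BGP reports RIB-failure, while the no-export community on that path is what keeps it from eBGP peers independently of the RIB (IOS still advertises a RIB-failure path to peers unless `bgp suppress-inactive` is configured). Prefixes, next hops and the 65003:200 community value are constructed.

```python
"""Added example, not from the thread: model the IOS RIB install decision
and the resulting 'show ip bgp rib-failure' reason for Andy's scenario."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IOS default administrative distances (lower wins).
ADMIN_DISTANCE = {
    "connected": 0,
    "static": 1,
    "ebgp": 20,
    "ospf": 110,
    "ibgp": 200,
}


@dataclass
class RibRoute:
    prefix: str      # "192.0.2.0/24" style; constructed RFC 5737 space below
    source: str      # key into ADMIN_DISTANCE
    next_hop: str


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    kind: str        # "ibgp" or "ebgp"
    communities: List[str] = field(default_factory=list)


def best_in_rib(routes: List[RibRoute], prefix: str) -> Optional[RibRoute]:
    """Lowest-AD candidate for exactly this prefix. A covering or longer
    prefix elsewhere in the table does not compete with it."""
    same = [r for r in routes if r.prefix == prefix]
    return min(same, key=lambda r: ADMIN_DISTANCE[r.source], default=None)


def install_bgp_path(rib: List[RibRoute], path: BgpPath) -> Tuple[bool, str]:
    """Try to put a BGP best path into the RIB.
    Returns (installed, reason); the reason mirrors 'show ip bgp rib-failure'."""
    incumbent = best_in_rib(rib, path.prefix)
    bgp_ad = ADMIN_DISTANCE[path.kind]
    if incumbent is None:
        rib.append(RibRoute(path.prefix, path.kind, path.next_hop))
        return True, "installed"
    inc_ad = ADMIN_DISTANCE[incumbent.source]
    if inc_ad < bgp_ad:
        # Andy's case: OSPF (110) already owns the /24, iBGP is 200.
        return False, (f"Higher admin distance "
                       f"({incumbent.source} {inc_ad} < {path.kind} {bgp_ad})")
    # BGP is preferred: it replaces the incumbent for that prefix.
    rib.remove(incumbent)
    rib.append(RibRoute(path.prefix, path.kind, path.next_hop))
    return True, "installed"


def advertised_to_ebgp(path: BgpPath) -> bool:
    """no-export keeps a path inside the AS/confederation, so transit
    providers never see it, whatever the RIB state is."""
    return "no-export" not in path.communities


def site_a_scenario() -> dict:
    """Reconstruct the post: the /24 is learned via OSPF E2 over the private
    link and the same /24 arrives by confed-internal iBGP with no-export."""
    rib = [
        RibRoute("192.0.2.0/24", "ospf", "10.0.8.2"),   # constructed addresses
        RibRoute("192.0.2.0/22", "static", "Null0"),
    ]
    path = BgpPath("192.0.2.0/24", "10.255.0.2", "ibgp",
                   ["65003:200", "no-export"])
    installed, reason = install_bgp_path(rib, path)
    return {
        "installed": installed,
        "reason": reason,
        "exported_to_transit": advertised_to_ebgp(path),
    }


if __name__ == "__main__":
    print(site_a_scenario())
```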
From: stmagconsulting at gmail.com (Stephane MAGAND)
Date: Fri, 15 Jan 2010 06:55:00 +0100
Subject: [c-nsp] Cisco ASA and Update Cisco VPN Client
In-Reply-To: <62f79b511001130339h4f01adc3k32690f1999091477@mail.gmail.com>
References: <4B4DAB28.7030500@phibee.net> <62f79b511001130339h4f01adc3k32690f1999091477@mail.gmail.com>
Message-ID:

Hi

Thanks for this information.

Does anyone have more detail? Has anyone used this function?

Thanks
Stephane

2010/1/13 Marcelo Zilio

> I just see in my ASA 8.2 under Configuration > Remote Access VPN > Network (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option Client Software Update.
>
> I remember seeing this in older versions too. I never used it, but I think this is what you are looking for.
>
> On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <noc at phibee.net> wrote:
>
> > Hi
> >
> > anyone know if it's possible:
> >
> > When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the version of the IPSec Client Software, I think.
> >
> > If this software is too old, can the ASA send an update automatically?
> >
> > Thanks
> > Jerome
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From mehdi.badreddine at fr.clara.net Fri Jan 15 04:23:47 2010
From: mehdi.badreddine at fr.clara.net (Mehdi Badreddine)
Date: Fri, 15 Jan 2010 09:23:47 -0000
Subject: [c-nsp] cisco users accounting and logging
Message-ID: <70F55AD71714494087D3F5CF5ED1008305720B4D@EXVS02.claranet.local>

Hi,

I'm looking for an open source software to log cisco/hp/juniper users' commands. For the moment, we are not able to know what commands are issued by users.

I've already installed tac_plus on BSD, though it doesn't provide users accounting, just authentication.

Thanks in advance for your help.

Mehdi BADREDDINE
System&Network Admin
CLARANET Paris
68, rue du Faubourg Saint-Honoré
75008 PARIS

From pavel.skovajsa at gmail.com Fri Jan 15 04:32:32 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Fri, 15 Jan 2010 10:32:32 +0100
Subject: [c-nsp] OSPF Campus Design : Excessive SPF Runs
In-Reply-To: <04693863-0847-4C78-B389-49D77AE5F069@gmail.com>
References: <04693863-0847-4C78-B389-49D77AE5F069@gmail.com>
Message-ID: <323aca891001150132t303f9a45l1e1c2870835f9069@mail.gmail.com>

Hi Jason,

see below

-pavel skovajsa

On Fri, Jan 15, 2010 at 4:57 AM, Jason LeBlanc wrote:
> Hello,
>
> We currently have Layer 3 Routed Access configured at all of our Metro Campus locations. There are a few obvious deviations from the best practice design guides. The current setup is:
>
> Core -->        Datacenter Distribution --> | (fiber connect) | -->  Building Distribution -->  Access
> (backbone)      (ABR)                                                (ASBR)                     (OSPF enabled access switch)
>
> The Cisco best practice is:
>
> Core -->        Distribution -->        Access
> (backbone)      (ABR)                   (OSPF enabled access switch)
>

The best practices are exactly what it says - best practices - in real practice everybody finds it hard to actually achieve that, due to geopolitical/other reasons. In other words the following implication is NOT true: not following best practices -> bad design -> network melts

> We are running NSSA with no-summary and the range command on the Datacenter Distribution routers. Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router. Vlans on each box on each floor are mutually exclusive.
>
> Symptoms:
> Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.
>
> router-a#sh ip ospf stat
>  Area 0.0.0.0: SPF algorithm executed 7865 times
>  Area 192.8.208.0: SPF algorithm executed 386 times
>  Area 192.70.0.0: SPF algorithm executed 563 times
>  Area 192.100.0.0: SPF algorithm executed 93076 times

Well, that last area 192.100.0.0 seems to be the culprit - what about troubleshooting it for a while, instead of redesigning the whole network? Use commands like the above "show ip ospf stat" and look for Seq# and LSA Age to find the flapping LSA. Also stuff like "debug ip ospf monitor" and "show ip ospf database database-summary" will help you.

>
> Questions:
> Should we be advertising (passively or non-passively) L3 Vlans into OSPF?

Passively. Why would somebody do that in a non-passive way and have myriads of neighbors per each vlan?

> Should we be doing Totally NSSA's instead of NSSA's?

Totally stubby (or totally not-so-stubby if you need ASBR) should be the default design; only configure no-summary if you have a specific reason. Also I don't understand the need for ASBR in your NSSA - but you probably have a reason for that.

>        If not, is there a way to get the DR in NSSA to advertise a single route back as default route?
> Should we be sending each campus distribution router directly to the Core so that it's the 3 hops?

As written above, if you have the funding to do this it will certainly make your network design nicer, but I don't see how doing this would actually massively decrement your SPF runs....

> Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?

Scale and speed are contradictory goals. Fast reaction to changes in network topology tends to end up in a network that never converges and is unstable.

>
> Any help or advice is greatly appreciated!
>
> Regards,
>
> //LeBlanc
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From peter at rathlev.dk Fri Jan 15 05:47:33 2010
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 15 Jan 2010 11:47:33 +0100
Subject: [c-nsp] cisco users accounting and logging
In-Reply-To: <70F55AD71714494087D3F5CF5ED1008305720B4D@EXVS02.claranet.local>
References: <70F55AD71714494087D3F5CF5ED1008305720B4D@EXVS02.claranet.local>
Message-ID: <1263552453.28844.4.camel@localhost>

On Fri, 2010-01-15 at 09:23 +0000, Mehdi Badreddine wrote:
> I've already installed tac_plus on BSD, though it doesn't provide
> users accounting, just authentication.

We use tac_plus with accounting, no problems there. The relevant configuration is:

  accounting file = /var/log/tacacs-accounting.log

or similar in the tac_plus.conf file, and then:

  aaa accounting exec [method] start-stop group tacacs+
  aaa accounting commands 0 [method] start-stop group tacacs+
  aaa accounting commands 15 [method] start-stop group tacacs+
  aaa accounting connection [method] start-stop group tacacs+

besides your normal AAA config on the Cisco devices. I wouldn't know about Juniper or HP.

--
Peter

From scottowens12 at gmail.com Fri Jan 15 08:24:56 2010
From: scottowens12 at gmail.com (scott owens)
Date: Fri, 15 Jan 2010 07:24:56 -0600
Subject: [c-nsp] OSPF on ASA with large routing tables
Message-ID:

>
> Message: 5
> Date: Thu, 14 Jan 2010 19:47:07 -0600
> From: Greg Clark
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OSPF on ASA with large routing tables
> Message-ID:
> <44ae085f1001141747r5951bf09ka16e3cb239a9eb92 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> We're considering running OSPF on a handful of core ASA 5580s but our routing
> table is somewhat large (roughly 10,000 routes). Does anyone have any
> experience running OSPF on an ASA platform with a large number of routes on
> a production network? Did you run into any limitations or issues? We
> don't plan on running multiple contexts and will not have a large number of
> peers/neighbors, just a large routing table.
>
> Thanks,
>
> Greg
>

I am certainly sure I do not know your network topology - but having 10,000 routes going to a firewall seems like you may want another pair or more of eyes to check out that route summarization problem. Ditto with the guy with 8,000+ routes.

I have multiple 10GB, Nexus 7Ks, Redundant Gig Internet (/16), I2 connectivity and I don't think we have more than 100 or 200 routes present.

From NMaio at guesswho.com Fri Jan 15 08:29:00 2010
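With the accounting lines Peter lists above in place, tac_plus writes one record per command, which answers Mehdi's original question of who issued what. The following is an added example (mine, not Peter's and not part of tac_plus) that parses such an accounting file into per-user command lists and highlights privilege-15 commands that weaken AAA or logging. The tab-separated record layout (timestamp, NAS address, username, port, remote address, start|stop|update, then attribute=value pairs) is assumed from memory of the Shrubbery tac_plus format and the log lines are constructed; verify the field order against your own build before depending on it.

```python
"""Added example, not tac_plus's own code: parse a tac_plus accounting file
into per-user command lists and flag audit-weakening commands."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample records in the assumed layout (RFC 5737 addresses).
SAMPLE_LOG = "\n".join([
    "Fri Jan 15 11:47:33 2010\t192.0.2.10\tmehdi\ttty1\t198.51.100.7\tstart"
    "\ttask_id=44\tservice=shell",
    "Fri Jan 15 11:47:41 2010\t192.0.2.10\tmehdi\ttty1\t198.51.100.7\tstop"
    "\ttask_id=45\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Fri Jan 15 11:48:02 2010\t192.0.2.10\tmehdi\ttty1\t198.51.100.7\tstop"
    "\ttask_id=46\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Fri Jan 15 11:48:15 2010\t192.0.2.10\tmehdi\ttty1\t198.51.100.7\tstop"
    "\ttask_id=47\tservice=shell\tpriv-lvl=15"
    "\tcmd=no aaa accounting commands 15 default <cr>",
    "Fri Jan 15 11:50:00 2010\t192.0.2.11\tops\ttty2\t198.51.100.9\tstop"
    "\ttask_id=48\tservice=shell\tpriv-lvl=1\tcmd=show ip route <cr>",
    "Fri Jan 15 11:51:10 2010\t192.0.2.10\tmehdi\ttty1\t198.51.100.7\tstop"
    "\ttask_id=49\tservice=shell",
])


class CmdRecord(NamedTuple):
    when: str
    nas: str
    user: str
    remote: str
    priv: int
    cmd: str


def parse_accounting(text: str) -> List[CmdRecord]:
    """One CmdRecord per command-accounting 'stop' record.
    Exec session start/stop records carry no cmd= pair and are skipped."""
    out: List[CmdRecord] = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6 or fields[5] != "stop":
            continue
        avpairs = {}
        for item in fields[6:]:
            key, _, value = item.partition("=")
            avpairs[key] = value
        if "cmd" not in avpairs:
            continue
        # IOS appends the terminating '<cr>' to the command text; drop it.
        cmd = re.sub(r"\s*<cr>\s*$", "", avpairs["cmd"])
        priv = int(avpairs.get("priv-lvl") or 0)
        out.append(CmdRecord(fields[0], fields[1], fields[2], fields[4], priv, cmd))
    return out


# Commands a reviewer wants surfaced: anything that turns off accounting,
# logging or management visibility. Extend to taste.
WATCH = re.compile(r"^no aaa |^no logging|^no snmp-server|^clear log", re.I)


def commands_by_user(records: List[CmdRecord]) -> Dict[str, List[str]]:
    """Chronological command list per username."""
    by_user: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        by_user[r.user].append(r.cmd)
    return dict(by_user)


def flag_suspicious(records: List[CmdRecord]) -> List[CmdRecord]:
    """Privilege-15 commands matching WATCH, i.e. attempts to blind the audit trail."""
    return [r for r in records if r.priv >= 15 and WATCH.search(r.cmd)]


if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_LOG)
    for user, cmds in commands_by_user(recs).items():
        print(user, "->", cmds)
    for r in flag_suspicious(recs):
        print("ALERT", r.when, r.nas, r.user, r.cmd)
```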
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Fri, 15 Jan 2010 08:29:00 -0500
Subject: [c-nsp] Cisco ASA and Update Cisco VPN Client
In-Reply-To:
References: <4B4DAB28.7030500@phibee.net> <62f79b511001130339h4f01adc3k32690f1999091477@mail.gmail.com>
Message-ID: <2AA600764E54964491083B1E0EC81A3033D742DEB2@EXCLUS.nationala-1advertising.com>

I use this but it isn't an automatic update. The user is presented with a message box once they sign in and it lets them know that an update is available. It is up to the user to click the box to update.

If you are concerned about users using old clients you could always restrict the version via a client-access-rule...something like this...under your group-policy.

  client-access-rule 1 permit type WinNT version 5.0.0*
  client-access-rule 2 permit type "Mac OS X" version 4.9.01*
  client-access-rule 3 permit type Linux version "4.8.02 (0030)"
  client-access-rule 4 deny type * version *

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephane MAGAND
Sent: Friday, January 15, 2010 12:55 AM
To: Marcelo Zilio
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client

Hi

Thanks for this information.

Does anyone have more detail? Has anyone used this function?

Thanks
Stephane

2010/1/13 Marcelo Zilio

> I just see in my ASA 8.2 under Configuration > Remote Access VPN > Network (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option Client Software Update.
>
> I remember seeing this in older versions too. I never used it, but I think this is what you are looking for.
>
> On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <noc at phibee.net> wrote:
>
> > Hi
> >
> > anyone know if it's possible:
> >
> > When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the version of the IPSec Client Software, I think.
> >
> > If this software is too old, can the ASA send an update automatically?
> >
> > Thanks
> > Jerome
>

From Charles.Church at harris.com Fri Jan 15 10:09:55 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Fri, 15 Jan 2010 10:09:55 -0500
Subject: [c-nsp] OT - Infoblox vs. Bluecat
Message-ID: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>

I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.

Thanks in advance,

Chuck

From moua0100 at umn.edu Fri Jan 15 10:13:29 2010
From: moua0100 at umn.edu (Ge Moua)
Date: Fri, 15 Jan 2010 09:13:29 -0600
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
Message-ID: <4B508619.8070500@umn.edu>

We are using infoblox over here; works pretty well.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Church, Charles wrote:
> I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
>
> Thanks in advance,
>
> Chuck
>

From Michael.Robson at manchester.ac.uk Fri Jan 15 11:32:06 2010
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Fri, 15 Jan 2010 16:32:06 +0000
Subject: [c-nsp] 2800s and L2TPv3
Message-ID:

I was convinced that our 2851s would support L2TPv3 on the ipbase version, but two different images (the newer being 124-18e ipbase) will not accept the xconnect command: what am I missing here?

Ta.

Michael.

From Bryan at bryanfields.net Fri Jan 15 10:59:56 2010
From: Bryan at bryanfields.net (Bryan Fields)
Date: Fri, 15 Jan 2010 10:59:56 -0500
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
Message-ID: <4B5090FC.5070607@bryanfields.net>

Church, Charles wrote:
> I apologize for this being fairly OT for a Cisco list, but I figured
> someone on here has touched some DNS gear before. Anyone work with
> Infoblox and Bluecat, and run across a significant reason to choose
> one over another? I've googled, but most articles are 5 years or
> more old. Off-line responses encouraged. The planned use is for
> govt, so full access to the kernel is nice for
> hardening/verification. Also need TSIG, DNSSEC, and IPv6 support,
> which they both claim to have, as they're both based on recent bind.
> Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.

Can we keep it onlist? I'm interested to know as well. Just had a sales presentation from Info Blox yesterday, and would like some real world experiences from users.

--
Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From jared at puck.nether.net Fri Jan 15 12:37:49 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 15 Jan 2010 12:37:49 -0500
Subject: [c-nsp] 2800s and L2TPv3
In-Reply-To:
References:
Message-ID: <6220ECDA-9F09-4C96-906A-6369DA20D475@puck.nether.net>

I believe you need advipservices for this capability.

- Jared

On Jan 15, 2010, at 11:32 AM, Michael Robson wrote:

> I was convinced that our 2851s would support L2TPv3 on the ipbase version, but two different images (the newer being 124-18e ipbase) will not accept the xconnect command: what am I missing here?
>
> Ta.
>
> Michael.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From alasdairm at gmail.com Fri Jan 15 14:10:57 2010
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Fri, 15 Jan 2010 19:10:57 +0000
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
Message-ID: <0DD058ED-CC36-447E-AF33-57B98ACCC243@gmail.com>

We use InfoBlox and it's pretty good. We have a grid containing several pairs of HA nodes at various DCs, used for DNS, DHCP and IP Management. We're not using IPv6 though.

On 15 Jan 2010, at 15:09, Church, Charles wrote:

> I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
>
> Thanks in advance,
>
> Chuck
>

From A.L.M.Buxey at lboro.ac.uk Fri Jan 15 15:41:21 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 15 Jan 2010 20:41:21 +0000
Subject: [c-nsp] cisco energywise 'feature'
Message-ID: <20100115204121.GF7558@lboro.ac.uk>

hi,

just a quick heads-up on this - see if anyone else has fallen foul of it or got a registered bug ID before I chase this one further.

we have noted that with IOS 12.2(52)SE on both 2960 and 3750 platforms, whenever you do a show running-config, the encrypted password (shared-secret) for energywise (which is a method 7 encryption and not method 5 - natch) that gets displayed changes.

of course...this means that any software tools that check for changes to keep revisions and alert our change system believe that there has been a change. we use rancid and some home-brew stuff too....so we get a notice for every switch which we have deployed energywise on. which is nice. :-(

those with ASA experience will see the similarities with an ASA 8.x bug that was fixed recently - we had the same sort of issue with that :-(

so - just a heads up for those who don't want to find this out themselves

PS there is a 'work around' - insert the shared-secret as plain text (method 0) - but that's a nice way of letting casual eyes see the shared-secret - and that shared-secret gives you access to some of the new energywise features - turn ports off/on etc.

alan

From Jason.Mishka at UToledo.Edu Fri Jan 15 16:38:29 2010
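One way to keep the change-tracking signal useful without falling back to the plain-text (method 0) workaround Alan describes is to mask the type-7 ciphertext before diffing two captures, so only real changes alert. The script below is an added example (mine, not rancid's filter and not from the post); the line syntax `energywise domain <name> secret 7 <hex>` is assumed from the post's description, and both captures are constructed.

```python
"""Added example, not rancid's own filter: normalise type-7 energywise
secrets before diffing two running-config captures, and separately flag
secrets stored in clear (method 0)."""
import difflib
import re
from typing import List

# Any energywise line carrying an encrypted (type 7) secret. Group 1 keeps
# everything except the ciphertext, which is the part that churns.
SECRET_RE = re.compile(r"^(\s*energywise\b.*\bsecret\s+7\s+)([0-9A-Fa-f]+)\s*$")

# 'secret 0' is the plain-text workaround; report it rather than mask it.
PLAINTEXT_RE = re.compile(r"^\s*energywise\b.*\bsecret\s+0\s+\S+")


def normalize(config: str) -> List[str]:
    """Config lines with each type-7 energywise secret replaced by a constant token."""
    out = []
    for line in config.splitlines():
        m = SECRET_RE.match(line)
        out.append(m.group(1) + "<type7-secret>" if m else line)
    return out


def config_diff(old: str, new: str) -> List[str]:
    """Unified diff of two captures after normalisation; an empty list means
    nothing changed except re-encrypted secrets."""
    return list(difflib.unified_diff(normalize(old), normalize(new),
                                     fromfile="old", tofile="new", lineterm=""))


def plaintext_secrets(config: str) -> List[str]:
    """Lines where the energywise shared secret is stored in clear (method 0)."""
    return [line for line in config.splitlines() if PLAINTEXT_RE.match(line)]


# Constructed captures: two 'show running-config' runs on the same switch.
# Only the type-7 ciphertext differs between the first two, which is the
# behaviour the post reports for 12.2(52)SE; the third has a real change.
CAPTURE_1 = """\
hostname sw-floor3
!
energywise domain campus secret 7 0A1B2C3D4E5F
energywise importance 50
!
interface GigabitEthernet0/1
 energywise level 10
"""
CAPTURE_2 = CAPTURE_1.replace("0A1B2C3D4E5F", "1F2E3D4C5B6A")
CAPTURE_3 = CAPTURE_2.replace("energywise level 10", "energywise level 0")
CAPTURE_PLAIN = CAPTURE_1.replace("secret 7 0A1B2C3D4E5F", "secret 0 example-secret")


if __name__ == "__main__":
    print("noise only ->", config_diff(CAPTURE_1, CAPTURE_2))
    print("real change ->")
    print("\n".join(config_diff(CAPTURE_1, CAPTURE_3)))
    print("clear-text secrets ->", plaintext_secrets(CAPTURE_PLAIN))
```

Feed the two captures rancid (or your home-brew tool) already stores into `config_diff` and alert only on a non-empty result.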
From: Jason.Mishka at UToledo.Edu (Mishka, Jason)
Date: Fri, 15 Jan 2010 16:38:29 -0500
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <0DD058ED-CC36-447E-AF33-57B98ACCC243@gmail.com>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net> <0DD058ED-CC36-447E-AF33-57B98ACCC243@gmail.com>
Message-ID:

We inherited a cluster of Bluecat Adonis boxes a few years ago during a merger. They were terrible. I've never seen an application so poorly written that ran something as simple as dns and dhcp. I can tell three stories....

On one particular occasion we were applying updates to apply new tz information as DST was changing by a few weeks. I called for support since everything was running slow and basically got blamed for waiting too long to apply the patches. Apparently they didn't have enough capacity to handle the load since the patches were time sensitive.

We also had a number of problems with dynamic DNS. The machines were configured in a cluster which would fail from time to time for no reason. When this happened the DHCPID or txt records for the dynamic client would get lost and the clients wouldn't be able to update their own record later.

Lastly, if the client and appliances were running different versions of code the client could corrupt the config while applying changes. A number of times, we had other admins update to the latest client without knowing that the server had to match. Unfortunately, the thing wasn't smart enough to check the client version and throw an error.

We moved back to a few redhat boxes and haven't had any trouble since. I'd recommend against a bluecat appliance based on our experience.

Jason Mishka

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alasdair McWilliam
Sent: Friday, January 15, 2010 2:11 PM
To: Church, Charles
Cc: nsp-cisco
Subject: Re: [c-nsp] OT - Infoblox vs. Bluecat

We use InfoBlox and it's pretty good. We have a grid containing several pairs of HA nodes at various DCs, used for DNS, DHCP and IP Management. We're not using IPv6 though.

On 15 Jan 2010, at 15:09, Church, Charles wrote:

> I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
>
> Thanks in advance,
>
> Chuck
>

From brhedlun at cisco.com Fri Jan 15 22:49:27 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 15 Jan 2010 21:49:27 -0600
Subject: [c-nsp] Cisco UCS
In-Reply-To:
References:
Message-ID: <95E6CE3F-C5F8-4A4B-AFC3-B5C70FEF1181@cisco.com>

Eric,

FWIW, here is a customer who has been blogging about his experience with implementing Cisco UCS:

http://healthitguy.wordpress.com/category/cisco-ucs/

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Jan 14, 2010, at 11:31 AM, Eric Cables wrote:

> Our local sales team has really been bombarding us with material on Cisco's
> UCS (Unified Compute System) as of late, and I was wondering who on this
> list has begun deployment of UCS. If you have decided to deploy, how has
> your experience been? Also, I'd like to hear how you were able to convince
> your server folks to switch from , to a Cisco based
> hardware platform.
>
> Thanks,
>
> -- Eric Cables
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From brhedlun at cisco.com Fri Jan 15 23:11:02 2010
From: brhedlun at cisco.com (Brad Hedlund) Date: Fri, 15 Jan 2010 22:11:02 -0600 Subject: [c-nsp] Cisco UCS In-Reply-To: References: Message-ID: <64981BDC-520B-442B-B62C-062EC8761734@cisco.com> One other thing- In my position at Cisco I have been involved in many Cisco UCS deals, and in all of these engagements I have yet to see where the Network team needs to convince the Server team to buy Cisco UCS. In every deal I have been involved in it has been the Server team deciding to move forward with UCS purely on its merits as a Data Center virtualization platform. Rather, its usually the Network team that comes in towards the end and gives their stamp of approval with respect to how the system interconnects to the Data Center core. In other words, if your Cisco account team is putting the pressure on you (the Network team) to convince the Server team to buy UCS, I can tell you from experience they are going about it all wrong :) Cheers, Brad -- Brad Hedlund, CCIE #5530 Consulting Systems Engineer, Data Center bhedlund at cisco.com http://www.internetworkexpert.org On Jan 14, 2010, at 11:31 AM, Eric Cables wrote: > Our local sales team has really been bombarding us with material on Cisco's > UCS (Unified Compute System) as of late, and I was wondering who on this > list has begun deployment of UCS. If you have decided to deploy, how has > your experience been? Also, I'd like to hear how you were able to convince > your server folks to switch from , to a Cisco based > hardware platform. > > Thanks, > > -- Eric Cables > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From randy_94108 at yahoo.com Fri Jan 15 23:56:15 2010 
From: randy_94108 at yahoo.com (Randy) Date: Fri, 15 Jan 2010 20:56:15 -0800 (PST) Subject: [c-nsp] Fw: Re: [Disarmed] Re: RIB failure : Higher admin distance Message-ID: <70283.54674.qm@web80506.mail.mud.yahoo.com> --- On Fri, 1/15/10, Randy wrote: 
From: Randy Subject: Re: [Disarmed] Re: [c-nsp] RIB failure : Higher admin distance To: "Andy Ashley" Date: Friday, January 15, 2010, 8:47 PM Hi Andy: ...I am taking a closer look at your first post and going *wait a second..* What you are seeing is what one would expect to see in Router A site A: From the "show commands" in your first post: Router A learns site B's /24 via the gre tunnel as an iBGP route with an AD of 200 (as shown in your "sh ip bgp x.x.x.x/24" in question). Router A puts this route in its BGP route table but does not advertise this route to any eBGP peer because iBGP routes are not injected into eBGP unless "redistribute internal" is explicitly configured. Router A also learns site B's /24 via the private link as an OSPF route with an AD of 110 (as shown in your "sh ip route x.x.x.x/24") and puts the route learned via ospf in its IP routing table and FIB since it has a better AD: 110 as opposed to 200. As a result, the same /24 learned via iBGP that is in A's BGP route table, for obvious reasons, suffers a RIB-failure because the same route learned by A via OSPF with a better AD is already installed in A's ip route table and FIB. Having explained the *normal-behavior* you are seeing in router A, my question is: 1) Are you trying to announce site B's /24 from site A to your upstreams OR 2) You are trying to announce your site-B /24 *from site B and that is failing. If you are trying to announce site B's /24 from site A to its upstreams you already have the "answer" to make that work! (deploy a lot of outbound filters before you redistribute iBGP into eBGP) If on the other hand site B's /24 is not being announced *By-SiteB* to its eBGP peer, I would have to look at the config in site B's rtr. Regards, ./Randy From frnkblk at iname.com Sat Jan 16 00:52:01 2010 
From: frnkblk at iname.com (Frank Bulk) Date: Fri, 15 Jan 2010 23:52:01 -0600 Subject: [c-nsp] OT - Infoblox vs. Bluecat In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net> References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net> Message-ID: We've been using Bluecat for several years in an SP environment primarily for DHCP and we've had a tough go of it, with the product, people, and support (contact me off-list for more detail). Based on our experience, I think it's a better fit in an enterprise environment with a single DHCP/DNS administrator. A few months ago I had a web-based presentation and demo of the Infoblox product and would probably buy their product the next time. In regards to IPv6 support, this is from BlueCat's Adonis v6.0.1 release notes: - DNS Service is not supported on XHA in IPv6 networks. - Cannot configure an IPv6 address on an NIC. When I asked about DHCPv6, this was the tech support person's response: "What do you mean by DHCPv6?" And this coming from a DHCP/DNS appliance vendor. When I pointed them to the Wikipedia article, they came back and said they don't support it. When I asked for an ETA, they wrote back "I am sorry, but I don't have any ETA." I then asked if they support DNS over IPv6, and they wrote back "I am sorry but, we don't support DNS over IPv6." So unless things have changed drastically from late October, it would appear that BlueCat's claims for IPv6 support are false. Frank -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles Sent: Friday, January 15, 2010 9:10 AM To: nsp-cisco Subject: [c-nsp] OT - Infoblox vs. Bluecat I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice. Thanks in advance, Chuck _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From Charles.Church at harris.com Sat Jan 16 08:44:20 2010 From: Charles.Church at harris.com (Church, Charles) Date: Sat, 16 Jan 2010 08:44:20 -0500 Subject: [c-nsp] OT - Infoblox vs. Bluecat In-Reply-To: References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net> Message-ID: <290EF89F13F04F4E924BB235A46D18F108C660EC2C@MLBMXUS2.cs.myharris.net> Thank you all for your responses. Doesn't seem like a real consensus, but at least I've got a few issues to bounce off the two vendors. Chuck -----Original Message----- 
From: Frank Bulk [mailto:frnkblk at iname.com] Sent: Saturday, January 16, 2010 12:52 AM To: Church, Charles; nsp-cisco Subject: RE: OT - Infoblox vs. Bluecat We've been using Bluecat for several years in a SP environment primarily for DHCP and we've had a tough go of it, with the product, people, and support (contact me off-list for more detail). Based on our experience, I think it's a better fit in an enterprise environment with a single DHCP/DNS administrator. A few months ago I had a web-based presentation and demo of the Infoblox product and would probably buy their product the next time. In regards to IPv6 support, this is from the BlueCat's Adonis v6.0.1 release notes: - DNS Service is not supported on XHA in IPv6 networks. - Cannot configure an IPv6 address on an NIC. When I asked about DHCPv6, this was the tech support person's response: "What do you mean by DHCPv6?" And this coming from a DHCP/DNS appliance vendor. When I pointed them to the Wikipedia article, they came back and said they don't support it. When I asked for an ETA, they wrote back "I am sorry, but I don't have any ETA." I then asked if the support DNS over IPv6, and they wrote back "I am sorry but, we don't support DNS over IPv6." So unless things have changed drastically from late October, it would appear that BlueCat's claims for IPv6 support are false. Frank -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles Sent: Friday, January 15, 2010 9:10 AM To: nsp-cisco Subject: [c-nsp] OT - Infoblox vs. Bluecat I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice. Thanks in advance, Chuck _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From arla at rn.dk Sat Jan 16 10:31:08 2010 From: arla at rn.dk (Arne Larsen / Region Nordjylland) Date: Sat, 16 Jan 2010 16:31:08 +0100 Subject: [c-nsp] how to connect vss-setup via mpls core Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> Hi all. I need some advice. Is there a way to connect 2 vss-setups without using direct fibers on layer 2? I would like the two sites to connect via our mpls cloud, so that vlans configured on the boxes can reach each other on layer 2 and be able to announce the layer 3 network via bgp on both sites. If vlan 200 is configured on both sites, is it possible to use eompls to connect these 2, and make them active/standby to each other on layer 3 using vrrp or hsrp? I have been searching the cisco web for docs. But all I can find is only usable on layer 2. /Arne From lists at nexus6.co.za Sat Jan 16 14:48:08 2010 
From: lists at nexus6.co.za (Andy Ashley) Date: Sat, 16 Jan 2010 19:48:08 +0000 Subject: [c-nsp] Fw: Re: [Disarmed] Re: RIB failure : Higher admin distance In-Reply-To: <70283.54674.qm@web80506.mail.mud.yahoo.com> References: <70283.54674.qm@web80506.mail.mud.yahoo.com> Message-ID: <4B5217F8.4060702@nexus6.co.za> > > > --- On Fri, 1/15/10, Randy wrote: > > > Hi Andy: > ...I am taking a closer look at your first post and going *wait a > second..* > What you are seeing is what one would expect to see in Router A > site A: > From the "show commands" in your first post: > Router A learns site B's /24 via the gre tunnel as an iBGP route > with an AD of 200 (as shown in your "sh ip bgp x.x.x.x/24" in > question). Router A puts this route in its BGP route table but > does not advertise this route to any eBGP peer because iBGP routes > are not injected into eBGP unless "redistribute internal" is > explicitly configured. > Correct, it won't advertise this route to our upstreams. We don't have "redistribute internal" configured. > Router A also learns site B's /24 via the private link as an OSPF > route with an AD of 110 (as shown in your "sh ip route > x.x.x.x/24") and puts the route learned via ospf in its IP routing > table and FIB since it has a better AD: 110 as opposed to 200. > As a result, the same /24 learned via iBGP that is in A's BGP > route table, for obvious reasons, suffers a RIB-failure because the > same route learned by A via OSPF with a better AD is already > installed in A's ip route table and FIB. > Yes, that is correct and I believe this is exactly what is happening - so it is in fact normal due to the AD rules. > Having explained the *normal-behavior* you are seeing in router A, > my question is: > 1) Are you trying to announce site B's /24 from site A to your > upstreams > Yes, we want to announce site B's /24 from site A and B. 
We want site A to learn site B's /24 route via either OSPF or iBGP (over the tunnel or private link) and should the private link break, site A will withdraw the announcement to our upstreams there because it will no longer learn this route via OSPF or iBGP. That should mean that site B stays online as the /24 is still announced via the transit provider there (and to exchange peers). > > OR > 2) You are trying to announce your site-B /24 *from site B and > that is failing. > We are trying to do this. When we withdraw the present /20 route at site A (keeping the /24 static on the router at site B), the route isn't announced from site B, by site B. I have made sure that the transit provider is accepting the longer prefix, etc., but the rib failure prevents it even getting to the stage of trying to announce to the transit provider over the eBGP session. > > If you are trying to announce site B's /24 from site A to its > upstreams you already have the "answer" to make that work! (deploy > a lot of outbound filters before you redistribute iBGP into eBGP) > OK, so we should filter announcements of the /24 via the (tunnelled) iBGP session between sites, so that the route is learned only by OSPF over the private link and upstream transit? (hopefully meaning if the private link breaks that the tunnel will re-establish over transit) > > If on the other hand site B's /24 is not being announced *By-SiteB* > to its eBGP peer, I would have to look at the config in site B's rtr. > Which bits of the config? It's quite long =) > > Regards, > ./Randy > > Thanks, Regards, Andy From avayner at cisco.com Sat Jan 16 15:08:23 2010 
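The administrative-distance rule Randy and Andy walk through above (OSPF at AD 110 beats iBGP at AD 200 for the same /24, so the BGP path shows RIB-failure until the OSPF route disappears) is easy to model. The following is an added example written for this archive, not code from either poster or from Cisco. It assumes Cisco IOS default AD values (connected 0, static 1, eBGP 20, OSPF 110, iBGP 200) and uses a constructed documentation prefix in place of site B's /24; it models only which candidate wins the routing table and says nothing about what BGP advertises afterwards.

```python
"""Toy RIB: one route per prefix, chosen by administrative distance (AD).

Added example for the RIB-failure thread; not code from the list post or
from any vendor. AD values are the Cisco IOS defaults; addresses are
constructed (RFC 5737 documentation space).
"""
from dataclasses import dataclass, field

# Cisco IOS default administrative distances; lower is preferred.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eBGP": 20, "OSPF": 110, "iBGP": 200}


@dataclass(frozen=True)
class Candidate:
    """A route some protocol offers to the RIB."""
    prefix: str
    source: str     # protocol name, key into ADMIN_DISTANCE
    next_hop: str

    @property
    def ad(self) -> int:
        return ADMIN_DISTANCE[self.source]


@dataclass
class Router:
    name: str
    candidates: list = field(default_factory=list)  # every route any protocol offers

    def offer(self, cand: Candidate) -> None:
        self.candidates.append(cand)

    def withdraw(self, source: str, prefix: str) -> None:
        """Drop a protocol's route, e.g. OSPF losing the private link."""
        self.candidates = [c for c in self.candidates
                           if not (c.source == source and c.prefix == prefix)]

    def rib(self) -> dict:
        """Routing table: for each prefix, the candidate with the lowest AD."""
        table = {}
        for c in self.candidates:
            best = table.get(c.prefix)
            if best is None or c.ad < best.ad:
                table[c.prefix] = c
        return table

    def bgp_table(self) -> list:
        """What 'show ip bgp' would flag: each BGP path and whether it made the RIB."""
        rib = self.rib()
        rows = []
        for c in self.candidates:
            if c.source not in ("iBGP", "eBGP"):
                continue
            winner = rib[c.prefix]
            if winner is c:
                status = "installed"
            else:
                status = f"RIB-failure (RIB has {winner.source}, AD {winner.ad})"
            rows.append((c.prefix, c.source, status))
        return rows


def simulate_site_a() -> tuple:
    """Router A as described in the thread, before and after the private link fails."""
    a = Router("RouterA")
    site_b = "192.0.2.0/24"                             # constructed stand-in for site B's /24
    a.offer(Candidate(site_b, "OSPF", "10.0.0.2"))      # learned over the private link
    a.offer(Candidate(site_b, "iBGP", "10.255.0.2"))    # learned over the GRE tunnel
    before = a.bgp_table()[0][2]                        # RIB-failure: OSPF (110) wins
    a.withdraw("OSPF", site_b)                          # private link down, OSPF route gone
    after = a.bgp_table()[0][2]                         # now the iBGP path is installed
    return before, after


if __name__ == "__main__":
    b, af = simulate_site_a()
    print("with private link up:  ", b)
    print("with private link down:", af)
```

Run it and the first line shows the RIB-failure Andy sees in `sh ip bgp`; withdrawing the OSPF candidate is the "private link breaks" case, after which the tunnel-learned iBGP path is the only candidate and gets installed.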
From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sat, 16 Jan 2010 21:08:23 +0100 Subject: [c-nsp] how to connect vss-setup via mpls core In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> Message-ID: Arne, Why would you want to do that in such a way? In order to get the real benefit of VSS you would need all the access switches connected to both VSS nodes, which would require links from DC1 to DC2 per each access switch... The same would apply to upstream Layer 3 connectivity... If you do not plan to have this kind of a full mesh, then why would you want to use VSS in the first place. With regards to layer 2 interconnect between DCs, this is a very common design nowadays, and MPLS is used in many solutions. I suggest you take a look at this link: http://www.cisco.com/en/US/netsol/ns975/index.html (take a look at the whitepaper). Also, there is a very good Cisco Press book about this whole subject: http://www.ciscopress.com/bookstore/product.asp?isbn=9781587059926 In the coming Networkers event in Barcelona there would be a few sessions about this, and a number of people in Meet the Engineer venue which can help with this subject. Arie -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland Sent: Saturday, January 16, 2010 17:31 To: cisco-nsp at puck.nether.net Subject: [c-nsp] how to connect vss-setup via mpls core Hi all. I need an advice. Is there a way to connect 2 vss-setup's with out using direct fibers on layer 2 I would like the to sites to connect via our mpls cloud, so that vlan's configured on the boxes can reach each other on layer2 and be able top announce the layer3 network via bgp on both sites. If vlan 200 is configured on both sites, is it possible to use eompls to connect these 2, and make them active/stanby to each other on layer3 using vrrp or hsrp. I been searching the cisco web for doc. But all I can find is only useable on layer2. /Arne _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From arla at rn.dk Sun Jan 17 02:40:41 2010 
From: arla at rn.dk (Arne Larsen / Region Nordjylland) Date: Sun, 17 Jan 2010 08:40:41 +0100 Subject: [c-nsp] how to connect vss-setup via mpls core In-Reply-To: References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk> Hi Arie. Sorry for not explaining the setup in detail. But anyway this is the case.
layer2 sw ---6500        6500 --- layer2 sw
              |  > vss1 - (MPLS-Core) - vss2 <
layer2 sw ----6500        6500 -- layer2 sw
Each site has a full vss environment with its own local layer 2 switches. What I'd like to be able to do is set up a few Vlans on both sites that can host servers on the same broadcast domain. Furthermore I'd like to be able to announce the layer 3 connection on the Vlan via bgp to our customers. How is it possible to enable a layer 3 interface on the Vlan in each local site and run eompls or vpls between the 2 sites on layer 2? Arne -----Original Message----- From: Arie Vayner (avayner) [mailto:avayner at cisco.com] Sent: 16 January 2010 21:08 To: Arne Larsen / Region Nordjylland; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] how to connect vss-setup via mpls core Arne, Why would you want to do that in such a way? In order to get the real benefit of VSS you would need all the access switches connected to both VSS nodes, which would require links from DC1 to DC2 per each access switch... The same would apply to upstream Layer 3 connectivity... If you do not plan to have this kind of a full mesh, then why would you want to use VSS in the first place. With regards to layer 2 interconnect between DCs, this is a very common design nowadays, and MPLS is used in many solutions. I suggest you take a look at this link: http://www.cisco.com/en/US/netsol/ns975/index.html (take a look at the whitepaper). 
Also, there is a very good Cisco Press book about this whole subject: http://www.ciscopress.com/bookstore/product.asp?isbn=9781587059926 In the coming Networkers event in Barcelona there would be a few sessions about this, and a number of people in Meet the Engineer venue which can help with this subject. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland Sent: Saturday, January 16, 2010 17:31 To: cisco-nsp at puck.nether.net Subject: [c-nsp] how to connect vss-setup via mpls core Hi all. I need an advice. Is there a way to connect 2 vss-setup's with out using direct fibers on layer 2 I would like the to sites to connect via our mpls cloud, so that vlan's configured on the boxes can reach each other on layer2 and be able top announce the layer3 network via bgp on both sites. If vlan 200 is configured on both sites, is it possible to use eompls to connect these 2, and make them active/stanby to each other on layer3 using vrrp or hsrp. I been searching the cisco web for doc. But all I can find is only useable on layer2. /Arne _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From avayner at cisco.com Sun Jan 17 05:06:22 2010 
From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sun, 17 Jan 2010 11:06:22 +0100 Subject: [c-nsp] how to connect vss-setup via mpls core In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk> References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk> Message-ID: Arne, In this case you would have a local VSS pair in each local site, and you just wish to interconnect the different sites together with an end to end Layer 2 support. The most trivial solution would be to get a redundant point to point Layer 2 service (2 layer 2 circuits) which would be used to connect the 6500 devices. As you are running VSS, the two links can be bundled into a MEC (Multichassis EtherChannel), and then you can allow the specific VLANs to be bridged across (and another VLAN for Layer 3 connectivity). The disadvantage of this solution is that you carry the Spanning Tree state across this link. If a link fails inside DC1, the TCN would be carried to the other side as well, causing a MAC relearning event. As you are on VSS, this is less critical, as you would most likely be running MEC to the access layer switches as well. You can also filter STP on the WAN link, but then you run into a (slight) risk of a look due to some crazy failure scenario. This option is described here: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_p aper_c11_493718.html#wp9000207 Be aware that this design is strictly proposed for dual DC designs. If you need to introduce a 3rd DC into the topology, you can't just connect it to other pair using the same solution. This would create a layer 2 loop across the DCs. We have other (slightly more complex) solutions for >2 DC designs. Arie -----Original Message----- 
From: Arne Larsen / Region Nordjylland [mailto:arla at rn.dk] Sent: Sunday, January 17, 2010 09:41 To: cisco-nsp at puck.nether.net Cc: Arie Vayner (avayner) Subject: SV: [c-nsp] how to connect vss-setup via mpls core Hi Arie. Sorry for not explaining the setup in detail. But anyway this is the case. layer2 sw ---6500 6500 --- layer2 sw | > vss1 - (MPLS-Core) - vss2 < layer2 sw ----6500 6500 -- layer2 sw Each site has a full vss environment with it's own local layer 2 switches. What I'll like to able to do is, setup a few Vlan's on both sites that can host servers on the same broadcast domain. Further more I'll like to able to announce the layer3 connection on the Vlan via bgp to our costumers. How is it possible to enable a layer3 interface on the Vlan in each local site and run eompls or vpls between the 2 sites on layer2 . Arne -----Oprindelig meddelelse----- Fra: Arie Vayner (avayner) [mailto:avayner at cisco.com] Sendt: 16. januar 2010 21:08 Til: Arne Larsen / Region Nordjylland; cisco-nsp at puck.nether.net Emne: RE: [c-nsp] how to connect vss-setup via mpls core Arne, Why would you want to do that in such a way? In order to get the real benefit of VSS you would need all the access switches connected to both VSS nodes, which would require links from DC1 to DC2 per each access switch... The same would apply to upstream Layer 3 connectivity... If you do not plan to have this kind of a full mesh, then why would you want to use VSS in the first place. With regards to layer 2 interconnect between DCs, this is a very common design nowadays, and MPLS is used in many solutions. I suggest you take a look at this link: http://www.cisco.com/en/US/netsol/ns975/index.html (take a look at the whitepaper). 
Also, there is a very good Cisco Press book about this whole subject: http://www.ciscopress.com/bookstore/product.asp?isbn=9781587059926 In the coming Networkers event in Barcelona there would be a few sessions about this, and a number of people in Meet the Engineer venue which can help with this subject. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland Sent: Saturday, January 16, 2010 17:31 To: cisco-nsp at puck.nether.net Subject: [c-nsp] how to connect vss-setup via mpls core Hi all. I need an advice. Is there a way to connect 2 vss-setup's with out using direct fibers on layer 2 I would like the to sites to connect via our mpls cloud, so that vlan's configured on the boxes can reach each other on layer2 and be able top announce the layer3 network via bgp on both sites. If vlan 200 is configured on both sites, is it possible to use eompls to connect these 2, and make them active/stanby to each other on layer3 using vrrp or hsrp. I been searching the cisco web for doc. But all I can find is only useable on layer2. /Arne _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From bob_arthurs at hotmail.co.uk Sun Jan 17 07:53:34 2010 
From: bob_arthurs at hotmail.co.uk (Bob Arthurs) Date: Sun, 17 Jan 2010 12:53:34 +0000 Subject: [c-nsp] HWIC-4ESW (routed ports - basic question??) Message-ID: hi all, I'm just about to install some HWIC-4ESW into our 3800s on some customer sites and I have a quick question - couldn't find a clear answer on cco. Can I configure the Ethernet ports on the HWIC-4ESW as routed ports (no switchport)? Or do I have to configure SVIs and then assign the ports to the SVI associated VLANs? I want to avoid the extra config with SVIs and keep it simple with routed ports if at all possible. Thanks for any help in advance. From gkg at gmx.de Sun Jan 17 10:20:13 2010 From: gkg at gmx.de (Garry) Date: Sun, 17 Jan 2010 16:20:13 +0100 Subject: [c-nsp] HWIC-4ESW (routed ports - basic question??) In-Reply-To: References: Message-ID: <4B532AAD.3080301@gmx.de> Bob Arthurs wrote: > hi all, > > I'm just about to install some HWIC-4ESW into our 3800s on some customer sites and I have a quick question - couldn't find a clear answer on cco. > > Can I configure the Ethernet ports on the HWIC-4ESW as routed ports (no switchport)? Or do I have to configure SVIs and then assign the ports to the SVI associated VLANs? > > I want to avoid the extra config with SVIs and keep it simple with routed ports if at all possible. You will need to configure a VLAN access port, for which you can then configure IP routing:
int fa0
 switchport access vlan 2
int vlan 2
 ip address ...
-garry From brhedlun at cisco.com Sun Jan 17 12:47:34 2010 
From: brhedlun at cisco.com (Brad Hedlund) Date: Sun, 17 Jan 2010 11:47:34 -0600 Subject: [c-nsp] how to connect vss-setup via mpls core In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk> References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk> Message-ID: <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> Arne, Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration. This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS. Best practice would be to configure BPDU filtering on that port channel so you can keep your STP domains isolated between the two Data Centers. This provides a loop free L2 topology between two DCs over almost any distance.
6500---------EoMPLS---------6500
 vss      (port channel)     vss
6500---------EoMPLS---------6500
Cheers, Brad -- Brad Hedlund, CCIE #5530 Consulting Systems Engineer, Data Center bhedlund at cisco.com http://www.internetworkexpert.org On Jan 17, 2010, at 1:40 AM, Arne Larsen / Region Nordjylland wrote: > > Hi Arie. > > Sorry for not explaining the setup in detail. But anyway this is the case. > > layer2 sw ---6500 6500 --- layer2 sw > | > vss1 - (MPLS-Core) - vss2 < > layer2 sw ----6500 6500 -- layer2 sw > > > Each site has a full vss environment with it's own local layer 2 switches. > What I'll like to able to do is, setup a few Vlan's on both sites that can host servers on the same broadcast domain. > Further more I'll like to able to announce the layer3 connection on the Vlan via bgp to our costumers. > How is it possible to enable a layer3 interface on the Vlan in each local site and run eompls or vpls between the 2 sites on layer2 . > > Arne > > -----Oprindelig meddelelse----- > Fra: Arie Vayner (avayner) [mailto:avayner at cisco.com] > Sendt: 16. 
januar 2010 21:08 > Til: Arne Larsen / Region Nordjylland; cisco-nsp at puck.nether.net > Emne: RE: [c-nsp] how to connect vss-setup via mpls core > > Arne, > > Why would you want to do that in such a way? > In order to get the real benefit of VSS you would need all the access switches connected to both VSS nodes, which would require links from DC1 to DC2 per each access switch... > The same would apply to upstream Layer 3 connectivity... > > If you do not plan to have this kind of a full mesh, then why would you want to use VSS in the first place. > > With regards to layer 2 interconnect between DCs, this is a very common design nowadays, and MPLS is used in many solutions. > I suggest you take a look at this link: > http://www.cisco.com/en/US/netsol/ns975/index.html (take a look at the whitepaper). > > Also, there is a very good Cisco Press book about this whole subject: > http://www.ciscopress.com/bookstore/product.asp?isbn=9781587059926 > > In the coming Networkers event in Barcelona there would be a few sessions about this, and a number of people in Meet the Engineer venue which can help with this subject. > > Arie > > > -----Original Message----- 
> From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland > Sent: Saturday, January 16, 2010 17:31 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] how to connect vss-setup via mpls core > > Hi all. > > I need an advice. > Is there a way to connect 2 vss-setup's with out using direct fibers on layer 2 I would like the to sites to connect via our mpls cloud, so that vlan's configured on the boxes can reach each other on layer2 and be able top announce the layer3 network via bgp on both sites. > If vlan 200 is configured on both sites, is it possible to use eompls to connect these 2, and make them active/stanby to each other on layer3 using vrrp or hsrp. > I been searching the cisco web for doc. But all I can find is only useable on layer2. > > /Arne > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From kevinw at telnetww.com Sun Jan 17 13:34:35 2010 From: kevinw at telnetww.com (Kevin Warwashana) Date: Sun, 17 Jan 2010 13:34:35 -0500 Subject: [c-nsp] PA-MC-T3-EC Message-ID: <002501ca97a3$b8333eb0$2899bc10$@com> Can anyone confirm if the PA-MC-T3-EC card works in a 7206VXR w/NPE-G1 on 15.0M? All the docs show 12.4T and above so that leaves me to believe it will work, but using the software advisor I noticed the card isn't even listed. Thanks, Kevin From arla at rn.dk Sun Jan 17 15:25:11 2010 
From: arla at rn.dk (Arne Larsen / Region Nordjylland) Date: Sun, 17 Jan 2010 21:25:11 +0100 Subject: [c-nsp] how to connect vss-setup via mpls core In-Reply-To: <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>, <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk> Hi Brad. Thanks for your answers; the layer 2 connection, as you all mentioned, I'm pretty sure about. And yes, we are using mpls software. But I still can't find out about the layer 3 interfaces. Can the Vlans that are distributed via eompls between the two sites have layer 3 interfaces? Is it possible to make Vlan 2 that is connected via eompls between the 2 sites, and furthermore set up an ip interface vlan2 on both sites using vrrp or hsrp to control the active/standby function and the announcement of the network via bgp to the core network? /Arne ________________________________________ From: Brad Hedlund [brhedlun at cisco.com] Sent: 17 January 2010 18:47 To: Arne Larsen / Region Nordjylland Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] how to connect vss-setup via mpls core Arne, Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration. This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS. Best practice would be to configure BPDU filtering on that port channel so you can keep your STP domains isolated between the two Data Centers. This provides a loop free L2 topology between two DCs over almost any distance. 
6500---------EoMPLS---------6500
vss        (port channel)       vss
6500---------EoMPLS---------6500

Cheers,
Brad

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

From brhedlun at cisco.com Sun Jan 17 21:47:52 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Sun, 17 Jan 2010 20:47:52 -0600
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>, <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk>
Message-ID:

Arne,

The VLANs extended between Data Centers can be configured with Layer 3 interfaces and services no different than any other VLAN. SVIs can be configured, HSRP groups can be formed (within and between DCs), and the IP network for the VLANs can be announced by BGP (or any other protocol).

As you can imagine, thinking about how flows enter and leave the Data Centers can get quite interesting :-)

Cheers,
Brad

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

From robhass at gmail.com Mon Jan 18 07:14:31 2010
From: robhass at gmail.com (Robert Hass)
Date: Mon, 18 Jan 2010 13:14:31 +0100
Subject: [c-nsp] Hardware PBR on Sup720/PFC3BXL
Message-ID: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com>

Hi

I have to implement some Policy-Based Routing (PBR) route-maps on a few Catalyst 6500s. We are currently using Sup720/PFC3BXL with IOS 12.2(33)SXH6, but we can migrate to SXI if it helps. Are the PBR route-maps below supported in hardware on PFC3B/DFC3B?

route-map pbr2 permit 10
 set global
!
route-map pbr permit 10
 match ip address 160
 set vrf r2
!
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 780
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 782
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 787
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 790
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 796
access-list 160 permit tcp any x.x.0.0 0.0.255.255 range 50000 51000

Thanks
Robert

From Michael.Robson at manchester.ac.uk Mon Jan 18 08:15:47 2010
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Mon, 18 Jan 2010 13:15:47 +0000
Subject: [c-nsp] 2800s and L2TPv3
In-Reply-To: <4B50A3EE.9000708@whole.net.uk>
References: <4B50A3EE.9000708@whole.net.uk>
Message-ID:

On 15 Jan 2010, at 17:20, Pete Barnwell wrote:

> Michael Robson wrote:
>> I was convinced that our 2851s would support L2TPv3 in the ipbase version, but two different images (the newer being 124-18e ipbase) will not accept the xconnect command: what am I missing here?
>>
>> Ta.
>>
>> Michael.
>>
>
> According to software advisor it's not in ipbase - it shows Adv IP
> services, advanced enterprise service, SP and enterprise but not base.
>

Ah, obviously the Cisco Software Advisor is more reliable than the info I got via Google ;)

Thanks to all that answered this for me.

Michael.

--

From b.mwlam at gmail.com Mon Jan 18 08:31:13 2010
From: b.mwlam at gmail.com (b lam)
Date: Mon, 18 Jan 2010 21:31:13 +0800
Subject: [c-nsp] (no subject)
Message-ID: <51ef02931001180531g49e09409o7b91ed9ee369573a@mail.gmail.com>

hi,

Did you use the command 'mls qos'? My question is, when I enter the command 'mls qos' there will be a hardware counter and a software counter; which one should I count? Or both?

pls help. thx

paul

From flokuehn at googlemail.com Mon Jan 18 10:17:21 2010
From: flokuehn at googlemail.com (Florian Kühn)
Date: Mon, 18 Jan 2010 16:17:21 +0100
Subject: [c-nsp] cisco 2801 and HWIC-2T
Message-ID: <627fa38b1001180717k77fd5124if1187f2c9ffb98c4@mail.gmail.com>

Hi.

Is there anything special I need to look for when I want to configure an HWIC-2T as controller e1? On a 2801 with IOS 12.4(25b) I am not able to use either the command "controller e1" or "card type" ... Does anybody have a clue?

Furthermore, there is confusing information from Cisco.
Following the mentioned link you will find the HWIC-2T supported by the 2801.

http://www.cisco.com/en/US/prod/collateral/modules/ps5949/datasheet_c78-491363.html

But following this link you will find the HWIC-2T not explicitly supported.

http://www.cisco.com/en/US/products/hw/routers/ps274/products_tech_note09186a00800b0858.shtml

Can anybody tell me if it is possible to use the HWIC-2T with the mentioned IOS version and hardware?

Thank you in advance
flokuehn

From rwest at zyedge.com Mon Jan 18 10:39:13 2010
From: rwest at zyedge.com (Ryan West)
Date: Mon, 18 Jan 2010 15:39:13 +0000
Subject: [c-nsp] cisco 2801 and HWIC-2T
In-Reply-To: <627fa38b1001180717k77fd5124if1187f2c9ffb98c4@mail.gmail.com>
References: <627fa38b1001180717k77fd5124if1187f2c9ffb98c4@mail.gmail.com>
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD0A5726@zy-ex1.zyedge.local>

Flokuehn,

The card is supported on your platform, but it's a T1 only card, so controller e1 or card type won't work for it.

http://www.cisco.com/en/US/products/ps5854/products_relevant_interfaces_and_modules.html

Thanks,

-ryan

From arla at rn.dk Mon Jan 18 10:59:03 2010
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Mon, 18 Jan 2010 16:59:03 +0100
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To:
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>, <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk>,
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4429@SRVEXC02.aas.its.nja.dk>

Hi Brad

Exactly my thinking about the announcement of the network on both sites.
But the problem is, I can't configure EoMPLS on a tagged interface.
If I put an interface into a VRF instance, the switch won't accept the EoMPLS statements of the IP addresses.
Is this because EoMPLS is hard coded to use the global routing table and is thereby not able to handle interfaces that are in a VPN routing table?
Here is my error:

aasnxc6-1(config-if)#xconnect 192.160.101.32 3300 encapsulation mpls
Incompatible with ip address command on Vl3300 - command rejected.

The interface belongs to a VPN, and the IP address in the xconnect statement is the loopback address of the peer VSS router. I have tried to use addresses that are in the VPN routing table, but I get the same error.

/Arne

From p.mayers at imperial.ac.uk Mon Jan 18 11:05:15 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 18 Jan 2010 16:05:15 +0000
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4429@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>, <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk>, <8D68760F464FFD40A01BF2FB374E4A2802156EBD4429@SRVEXC02.aas.its.nja.dk>
Message-ID: <4B5486BB.4010001@imperial.ac.uk>

On 18/01/10 15:59, Arne Larsen / Region Nordjylland wrote:
> Hi Brad
>
> Exactly my thinking about the announcement of the network on both sites.
> But the problem is, I can't configure EoMPLS on a tagged interface.
> If I put an interface into a VRF instance, the switch won't accept the EoMPLS statements of the IP addresses.
> Is this because EoMPLS is hard coded to use the global routing table and is thereby not able to handle interfaces that are in a VPN routing table?
> Here is my error:
>
> aasnxc6-1(config-if)#xconnect 192.160.101.32 3300 encapsulation mpls
> Incompatible with ip address command on Vl3300 - command rejected.

No, you can't do this. You will need something like the following:

dc-rt1 == mpls-pe1 --- (mpls clouds) --- mpls-pe2 == dc-rt2
  |                                                  |
vlan3300                                          vlan3300

You cannot xconnect an SVI on plain-old 6500s. You can, I believe, do this on SPA/ES linecards, but it's expensive. You can only xconnect physical interfaces or un-routed sub-interfaces.

You could use the "loopback cable into the router itself" trick, that is pretty common.

dc-rt1:

int Gi1/1
 description connected back into Gi1/2
 switchport mode trunk
 switchport trunk allowed vlan 3300,xxxx

int Gi1/2
 description received vlans from Gi1/1
 xconnect ...
 ...

...and similarly on dc-rt2

From jckdaniels12 at gmail.com Mon Jan 18 11:57:33 2010
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 18 Jan 2010 22:27:33 +0530
Subject: [c-nsp] MPLS - CE to CE throughput
Message-ID: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>

Hi guys,

I want to check the throughput in this scenario:

CE1-----MPLS cloud ----CE2

CE1 link is 2 Mbps
CE2 link is 2 Mbps

If CE1 pumps 2 Mbps then I want to check if CE2 receives it.
Is there any s/w to generate traffic at CE1? Or any other method?

Regards

From amsoares at netcabo.pt Mon Jan 18 12:06:56 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 18 Jan 2010 17:06:56 -0000
Subject: [c-nsp] PIX/ASA OID for "show service-policy"
Message-ID: <9C8FF20D386D4EF388BA7A772A2034BB@int.convex.pt>

Hello group,

I'm trying to find the OID that gives us the same type of information we see in the "show service-policy" output:

pixfirewall(config)# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: OUTSIDE
    Class-map: CONNECTIONS
      Set connection policy: conn-max 123
        current conns 0, drop 0
pixfirewall(config)#

The best SNMP objects I was able to find are 1.3.6.1.4.1.9.9.147 (ciscoFirewallMIB) and 1.3.6.1.4.1.9.9.491 (ciscoUnifiedFirewallMIB), but they don't seem to have what I need.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
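While no MIB object turns up for these counters, scraping the CLI text is the usual fallback. The following is an added example, not code from the thread: it parses constructed text shaped like the "show service-policy" output quoted above and diffs two polls so that a rising drop or reset-drop count on an inspection engine stands out; fetching the text from the firewall (an SSH session, say) is assumed and not shown.

```python
import re
from typing import Dict, List, Tuple

# One record per counter row, keyed by (scope, service-policy, class-map, engine).
Key = Tuple[str, str, str, str]
Counters = Dict[Key, Dict[str, int]]

SCOPE_RE = re.compile(r"^\s*(?:Global policy|Interface (?P<intf>\S+)):\s*$")
POLICY_RE = re.compile(r"^\s*Service-policy:\s+(?P<name>\S+)\s*$")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(?P<name>\S+)\s*$")
# "Inspect: skinny , packet 0, ..." carries a stray space before the comma,
# so the engine name is matched lazily and the surrounding whitespace dropped.
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<engine>.+?)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset_drop>\d+)\s*$"
)
# The connection-policy counters may follow "Set connection policy" on the
# same line or on the next one, so this pattern is searched, not anchored.
CONN_RE = re.compile(r"current conns\s+(?P<current_conns>\d+),\s*drop\s+(?P<drop>\d+)")


def parse_service_policy(text: str) -> Counters:
    """Walk the output top-down, remembering the enclosing scope/policy/class."""
    scope = policy = cls = "?"
    out: Counters = {}
    for line in text.splitlines():
        if m := SCOPE_RE.match(line):
            scope = m.group("intf") or "global"
        elif m := POLICY_RE.match(line):
            policy = m.group("name")
        elif m := CLASS_RE.match(line):
            cls = m.group("name")
        elif m := INSPECT_RE.match(line):
            out[(scope, policy, cls, m.group("engine"))] = {
                k: int(v) for k, v in m.groupdict().items() if k != "engine"
            }
        elif m := CONN_RE.search(line):
            out[(scope, policy, cls, "connection-policy")] = {
                k: int(v) for k, v in m.groupdict().items()
            }
    return out


def counter_deltas(before: Counters, after: Counters) -> Counters:
    """Inspect counters are cumulative, so per-poll growth is what matters.
    current_conns is a gauge; its "delta" is simply the change in level."""
    return {
        key: {k: v - before.get(key, {}).get(k, 0) for k, v in vals.items()}
        for key, vals in after.items()
    }


def drop_alerts(deltas: Counters, threshold: int = 0) -> List[Key]:
    """Rows whose drop plus reset-drop count grew by more than threshold."""
    return sorted(
        key for key, d in deltas.items()
        if d.get("drop", 0) + d.get("reset_drop", 0) > threshold
    )


# Constructed samples shaped like the CLI output quoted in the thread: a first
# poll, then a later one in which the ftp engine and the connection limit have
# started dropping.
POLL_T0 = """\
pixfirewall(config)# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 120, drop 2, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 900, drop 0, reset-drop 0

Interface outside:
  Service-policy: OUTSIDE
    Class-map: CONNECTIONS
      Set connection policy: conn-max 123
        current conns 5, drop 0
pixfirewall(config)#
"""
POLL_T1 = POLL_T0.replace("packet 120, drop 2", "packet 180, drop 9").replace(
    "current conns 5, drop 0", "current conns 7, drop 4"
)

if __name__ == "__main__":
    deltas = counter_deltas(parse_service_policy(POLL_T0), parse_service_policy(POLL_T1))
    for key in drop_alerts(deltas):
        print("drops rose on", key, deltas[key])
```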
From amsoares at netcabo.pt Mon Jan 18 12:10:04 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 18 Jan 2010 17:10:04 -0000
Subject: [c-nsp] ASA 7.2 Interim Releases
Message-ID: <61653F59D5844000AF55C5528E048F23@int.convex.pt>

Hello group,

I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would like to know if there is something more recent available.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

From rwest at zyedge.com Mon Jan 18 12:20:54 2010
From: rwest at zyedge.com (Ryan West)
Date: Mon, 18 Jan 2010 17:20:54 +0000
Subject: [c-nsp] ASA 7.2 Interim Releases
In-Reply-To: <61653F59D5844000AF55C5528E048F23@int.convex.pt>
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt>
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local>

Antonio,

I have a lot of boxes with 7.2.4(33) and that is the latest publicly available interim release. I expect that a 7.2.5 release is in the works though. What was the cause for your TAC case?

Thanks,

-ryan

From amsoares at netcabo.pt Mon Jan 18 12:46:20 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 18 Jan 2010 17:46:20 -0000
Subject: [c-nsp] ASA 7.2 Interim Releases
In-Reply-To: <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local>
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local>
Message-ID:

Hello Ryan,

It was because of Bug CSCsv25041. I think you are safe.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

From avayner at cisco.com Mon Jan 18 12:47:28 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 18 Jan 2010 18:47:28 +0100
Subject: [c-nsp] MPLS - CE to CE throughput
In-Reply-To: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>
References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>
Message-ID:

Jack,

A very simple and dirty hack to fill a (relatively slow) link with one-way traffic is to run lots of pings with a large packet size and a timeout delay of 0. This would pump the ping requests into the link and would fill it up...

For 2 Mbps links you could also just run an FTP session...

Arie

From johnps at IowaTelecom.com Mon Jan 18 13:50:48 2010
From: johnps at IowaTelecom.com (John P. Schneider)
Date: Mon, 18 Jan 2010 12:50:48 -0600
Subject: [c-nsp] MPLS - CE to CE throughput
In-Reply-To:
References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>
Message-ID:

I would suggest looking into iperf/jperf. It can be found at sourceforge.net/projects/iperf/

Thank You,

John

From cm at n-home.ru Mon Jan 18 14:49:37 2010
From: cm at n-home.ru (Cyrill Malevanov)
Date: Mon, 18 Jan 2010 22:49:37 +0300
Subject: [c-nsp] MPLS - CE to CE throughput
In-Reply-To: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>
References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>
Message-ID: <9482F7E1-1069-4404-BAE9-A08994B9347E@n-home.ru>

iperf is the perfect solution for both transmit and receive speed checks

From david at Hughes.com.au Mon Jan 18 16:46:28 2010
From: david at Hughes.com.au (David Hughes)
Date: Tue, 19 Jan 2010 07:46:28 +1000
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk> <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com>
Message-ID: <36DF3487-AA51-4A9A-9EDD-DD68BFC357D8@hughes.com.au>

On 18/01/2010, at 3:47 AM, Brad Hedlund wrote:

> Arne,
>
> Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration.
> This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS.

Brad

Is this still just port-based EoMPLS? i.e. do you still need to use "external loopback" (i.e. a cross-over back to the same box) to present packets to the PW?

Thanks

David
...

From brhedlun at cisco.com Mon Jan 18 17:16:11 2010
From: brhedlun at cisco.com (Brad Hedlund) Date: Mon, 18 Jan 2010 16:16:11 -0600 Subject: [c-nsp] how to connect vss-setup via mpls core In-Reply-To: <36DF3487-AA51-4A9A-9EDD-DD68BFC357D8@hughes.com.au> References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk> <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> <36DF3487-AA51-4A9A-9EDD-DD68BFC357D8@hughes.com.au> Message-ID: <63E07724-D329-4C8D-9564-BCEF5C467AC9@cisco.com> David, It's the same PFC port-based or VLAN-based EoMPLS you know and love from the 6500, only now it's also available in a VSS configuration. Yes, the "external loopback" implementation option still applies. Cheers, Brad -- Brad Hedlund, CCIE #5530 Consulting Systems Engineer, Data Center bhedlund at cisco.com http://www.internetworkexpert.org On Jan 18, 2010, at 3:46 PM, David Hughes wrote: > > On 18/01/2010, at 3:47 AM, Brad Hedlund wrote: > >> Arne, >> >> Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration. >> This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS. > > Brad > > Is this still just port-based EoMPLS? i.e. do you still need to use "external loopback" (i.e. a cross-over back to the same box) to present packets to the PW? > > > Thanks > > David > ... From jckdaniels12 at gmail.com Mon Jan 18 22:53:59 2010
From: jckdaniels12 at gmail.com (jack daniels) Date: Tue, 19 Jan 2010 09:23:59 +0530 Subject: [c-nsp] MPLS - CE to CE throughput In-Reply-To: <9482F7E1-1069-4404-BAE9-A08994B9347E@n-home.ru> References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com> <9482F7E1-1069-4404-BAE9-A08994B9347E@n-home.ru> Message-ID: <8bb137f41001181953q4849983fn6d80ac00b2e7a51f@mail.gmail.com> Thanks a lot for all replies, they were very helpful to me. Regards On Tue, Jan 19, 2010 at 1:19 AM, Cyrill Malevanov wrote: > iperf is the perfect solution for both transmit and receive speed checks > > On Jan 18, 2010, at 7:57 PM, jack daniels wrote: > > > Hi guys, > > > > I want to check the throughput in scenario > > > > CE1-----MPLS cloud ----CE2 > > > > > > CE1 link is 2 Mbps > > CE2 link is 2Mbps > > > > If CE1 pumps 2Mbps then want to check if CE2 receives it. > > Is there any s/w to generate traffic at CE1 ? OR any other method ? > > > > > > Regards > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From tvarriale at comcast.net Mon Jan 18 23:08:40 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Mon, 18 Jan 2010 22:08:40 -0600 Subject: [c-nsp] ASA 7.2 Interim Releases References: <61653F59D5844000AF55C5528E048F23@int.convex.pt><5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local> Message-ID: Would you clarify why you need something more recent? There's tons of code where your bug is fixed including (43) that you state you have. tv ----- Original Message ----- From: "Antonio Soares" To: "'Ryan West'" ; Sent: Monday, January 18, 2010 11:46 AM Subject: Re: [c-nsp] ASA 7.2 Interim Releases > Hello Ryan, > > It was because of Bug CSCsv25041. I think you are safe. > > > Regards, > > Antonio Soares, CCIE #18473 (R&S/SP) > amsoares at netcabo.pt > > -----Original Message-----
> From: Ryan West [mailto:rwest at zyedge.com] > Sent: segunda-feira, 18 de Janeiro de 2010 17:21 > To: Antonio Soares; cisco-nsp at puck.nether.net > Subject: RE: [c-nsp] ASA 7.2 Interim Releases > > Antonio, > > >> -----Original Message----- >> Sent: Monday, January 18, 2010 12:10 PM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] ASA 7.2 Interim Releases >> >> Hello group, >> >> I see that the latest 7.2 interim release available on CCO is >> 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would >> like to know if there is something more recent available. >> >> >> Thanks. >> >> Regards, >> >> Antonio Soares, CCIE #18473 (R&S/SP) >> amsoares at netcabo.pt >> > > I have a lot of boxes with 7.2.4(33) and that is the latest publicly > available interim release. I expect that a 7.2.5 release is in > the works though. What was the cause for your TAC case? > > Thanks, > > -ryan > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tvarriale at comcast.net Mon Jan 18 23:13:51 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Mon, 18 Jan 2010 22:13:51 -0600 Subject: [c-nsp] PA-MC-T3-EC References: <002501ca97a3$b8333eb0$2899bc10$@com> Message-ID: I would imagine it is as that's where the EC cards got their legs. Axing that card in 15 would probably send serious cash over to J. But, open a TAC case if you need to be sure (I don't have that load out to test). Note there is a new FPD for 15. tv ----- Original Message ----- 
From: "Kevin Warwashana" To: Sent: Sunday, January 17, 2010 12:34 PM Subject: [c-nsp] PA-MC-T3-EC > Can anyone confirm if the PA-MC-T3-EC card works in a 7206VXR w/NPE-G1 on > 15.0M? All the docs show 12.4T and above so that leads me to believe it > will work, but using the software advisor I noticed the card isn't even > listed. > > > > Thanks, > > Kevin > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From alex.wilkinson at dsto.defence.gov.au Mon Jan 18 23:18:57 2010 From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex) Date: Tue, 19 Jan 2010 12:18:57 +0800 Subject: [c-nsp] MPLS - CE to CE throughput [SEC=UNCLASSIFIED] In-Reply-To: References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com> Message-ID: <20100119041857.GN35418@stlux503.dsto.defence.gov.au> On Mon, Jan 18, 2010 at 06:47:28PM +0100, Arie Vayner (avayner) wrote: >-----Original Message----- >From: cisco-nsp-bounces at puck.nether.net >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jack daniels >Sent: Monday, January 18, 2010 18:58 >To: cisco-nsp at puck.nether.net >Subject: [c-nsp] MPLS - CE to CE throughput > >Hi guys, >I want to check the throughput in scenario >CE1-----MPLS cloud ----CE2 How about using CHARGEN ? [http://etherealmind.com/the-poor-mans-ios-traffic-generator/] -Alex IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. From perc69 at gmail.com Tue Jan 19 03:18:02 2010
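Jack's question in this thread was how to put a known load onto CE1 and confirm that CE2 actually receives it; the replies suggest iperf, paced large pings, or CHARGEN. The following is an added example, not code posted by anyone in the thread, of the same check done by hand in Python: one end paces UDP datagrams at a target bitrate, the other counts what arrives, infers loss from gaps in the sequence numbers, and reports the received rate. It runs against 127.0.0.1 in a single process as a constructed stand-in for the two CEs; the 1400-byte payload, the idle timeout and the use of an ephemeral port are assumptions.

```python
"""Pace UDP traffic at a target bitrate from one host and measure what the
other side receives. Added example for the CE1 -> CE2 check in this thread,
not code posted by anyone in it. Runs on 127.0.0.1 in one process as a
constructed stand-in for the two CEs; on real kit, run receiver() on CE2 and
sender() on CE1 pointing at CE2's address and UDP port."""
import socket
import struct
import threading
import time

# Each datagram starts with a sequence number and the sender's monotonic
# timestamp in nanoseconds; the rest is zero padding up to PAYLOAD bytes.
HEADER = struct.Struct("!IQ")
PAYLOAD = 1400  # assumed: leaves room for IP/UDP headers inside a 1500-byte MTU


def sender(dest, bitrate_bps, seconds, payload=PAYLOAD):
    """Send datagrams to dest=(host, port) paced at bitrate_bps for `seconds`.
    Returns the number of datagrams sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    interval = payload * 8 / bitrate_bps        # seconds between datagrams
    count = int(seconds / interval)
    pad = b"\x00" * (payload - HEADER.size)
    start = time.monotonic()
    for seq in range(count):
        sock.sendto(HEADER.pack(seq, time.monotonic_ns()) + pad, dest)
        # Sleep until the scheduled time of the next datagram rather than a
        # fixed interval, so per-send overhead does not accumulate into drift.
        delay = start + (seq + 1) * interval - time.monotonic()
        if delay > 0:
            time.sleep(delay)
    sock.close()
    return count


def receiver(sock, idle_timeout=1.0):
    """Read from a bound UDP socket until nothing arrives for idle_timeout
    seconds. Returns (received, lost, bits_per_second); loss is inferred from
    gaps in the sequence numbers, rate from first-to-last arrival time."""
    sock.settimeout(idle_timeout)
    received = lost = total_bytes = 0
    next_seq = 0
    first = last = None
    while True:
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            break
        now = time.monotonic()
        seq, _sent_ns = HEADER.unpack_from(data)
        if first is None:
            first = now
        last = now
        if seq > next_seq:              # datagrams next_seq .. seq-1 never arrived
            lost += seq - next_seq
        next_seq = max(next_seq, seq + 1)
        received += 1
        total_bytes += len(data)
    elapsed = (last - first) if received > 1 else 0.0
    bps = total_bytes * 8 / elapsed if elapsed > 0 else 0.0
    return received, lost, bps


def loopback_run(bitrate_bps=2_000_000, seconds=1.0):
    """Run both ends against 127.0.0.1 and return (sent, received, lost, bps)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))             # kernel picks a free port
    result = {}
    t = threading.Thread(target=lambda: result.update(r=receiver(sock)))
    t.start()
    sent = sender(sock.getsockname(), bitrate_bps, seconds)
    t.join()
    sock.close()
    received, lost, bps = result["r"]
    return sent, received, lost, bps


if __name__ == "__main__":
    sent, received, lost, bps = loopback_run()
    print(f"sent={sent} received={received} lost={lost} rate={bps / 1e6:.2f} Mbit/s")
```

On a real 2 Mbps CE pair the interesting outputs are the loss count and the gap between the configured and the received rate: a receiver that sees roughly 2 Mbit/s with no gaps confirms the path end to end, while steady loss at the nominal rate points at policing or a smaller CIR somewhere in the cloud. UDP is used deliberately; a TCP transfer (the FTP suggestion) would back off under loss and hide exactly the thing being measured.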
From: perc69 at gmail.com (Per Carlson) Date: Tue, 19 Jan 2010 09:18:02 +0100 Subject: [c-nsp] cisco 2801 and HWIC-2T In-Reply-To: <5DC4853C6CC3EE4788779E0726E034DD0A5726@zy-ex1.zyedge.local> References: <627fa38b1001180717k77fd5124if1187f2c9ffb98c4@mail.gmail.com> <5DC4853C6CC3EE4788779E0726E034DD0A5726@zy-ex1.zyedge.local> Message-ID: <746ca6da1001190018j5be7a429ycc2e40f5edf62441@mail.gmail.com> On Mon, Jan 18, 2010 at 16:39, Ryan West wrote: > The card is supported on your platform, but it's a T1 only card, so controller e1 or card type won't work for it. No it's not. All "T" (H)WICs are for serial interfaces, which is *not* the same as a T1/E1. To use this type of (H)WIC you need a serialized interface from your leased line provider and a suitable cable. The connector types commonly used on serial interfaces are V.35 and X.21. BTW, on serial interfaces there are no "controller e1" stanzas, see http://www.cisco.com/en/US/docs/ios/interface/configuration/guide/ir_cfg_ser_if_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1012694 -- Pelle From mehdi.badreddine at fr.clara.net Tue Jan 19 04:05:09 2010
From: mehdi.badreddine at fr.clara.net (Mehdi Badreddine) Date: Tue, 19 Jan 2010 09:05:09 -0000 Subject: [c-nsp] cisco-nsp Digest, Vol 86, Issue 48 In-Reply-To: References: Message-ID: <70F55AD71714494087D3F5CF5ED10083059862EB@EXVS02.claranet.local> Hi, Thanks for your responses. A colleague of mine gave me this answer: aaa new-model aaa authentication login default group tacacs+ enable aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ if-authenticated aaa authorization commands 15 default group tacacs+ if-authenticated aaa accounting exec default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ aaa session-id common But I still don't have accounting information on my tac_plus server. What's your opinion? Mehdi BADREDDINE Systems and Network Administrator CLARANET Paris 68, rue du Faubourg Saint-Honoré 75008 PARIS -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of cisco-nsp-request at puck.nether.net Sent: Friday, 15 January 2010 14:30 To: cisco-nsp at puck.nether.net Subject: cisco-nsp Digest, Vol 86, Issue 48 Send cisco-nsp mailing list submissions to cisco-nsp at puck.nether.net To subscribe or unsubscribe via the World Wide Web, visit https://puck.nether.net/mailman/listinfo/cisco-nsp or, via email, send a message with subject or body 'help' to cisco-nsp-request at puck.nether.net You can reach the person managing the list at cisco-nsp-owner at puck.nether.net When replying, please edit your Subject line so it is more specific than "Re: Contents of cisco-nsp digest..." Today's Topics: 1. Re: RIB failure : Higher admin distance (Randy) 2. Re: Cisco ASA and Update Cisco VPN Client (Stephane MAGAND) 3.
cisco users accounting and logging (Mehdi Badreddine) 4. Re: OSPF Campus Design : Excessive SPF Runs (Pavel Skovajsa) 5. Re: cisco users accounting and logging (Peter Rathlev) 6. OSPF on ASA with large routing tables (scott owens) 7. Re: Cisco ASA and Update Cisco VPN Client (NMaio at guesswho.com) ---------------------------------------------------------------------- Message: 1 Date: Thu, 14 Jan 2010 21:49:44 -0800 (PST) From: Randy To: cisco-nsp at puck.nether.net, Andy Ashley Subject: Re: [c-nsp] RIB failure : Higher admin distance Message-ID: <34888.80577.qm at web80505.mail.mud.yahoo.com> Content-Type: text/plain; charset=iso-8859-1 ..sorry for the top posting.. Hi Andy, You wouldn't happen to have an interface on router A with an addr. in that range would you? *connected* eq ad of 0. A longer prefix match will not work in this case when it comes to installing routes in the bgp routing table. Regards ./Randy --- On Thu, 1/14/10, Andy Ashley wrote:
From: Andy Ashley Subject: [c-nsp] RIB failure : Higher admin distance To: cisco-nsp at puck.nether.net Date: Thursday, January 14, 2010, 6:32 PM Hi all, We have two routers at site A and one at site B, both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers. The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B. We run OSPF between all the routers/switches, also over the private link between site A and B and use "redistribute static subnets" There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks, the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path) There is an issue: We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A. However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure. (Site A Router)#sh ip bgp rib-failure Network Next Hop RIB-failure RIB-NH Matches X.X.X.X/20 (Layer 3 Core Switch) Higher admin distance n/a etc etc (there is a list of all of our static routes here) (Site A Router)#show ip bgp (Slash /24 in question) BGP routing table entry for (Slash /24 in question)/24, version 4317116 Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17)) Not advertised to any peer (65003) (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X) Origin IGP, metric 0, localpref 100, valid, confed-internal, best
Community: ASN:200 no-export (Site A Router)#show ip route (Slash /24 in question) Routing entry for (Slash /24 in question)/24 Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2 Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago Routing Descriptor Blocks: * (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8 Route metric is 20, traffic share count is 1 The rib failure condition seems to be persistent. Any ideas how to overcome this issue? Thanks. Andy. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ------------------------------ Message: 2 Date: Fri, 15 Jan 2010 06:55:00 +0100
From: Stephane MAGAND To: Marcelo Zilio Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client Message-ID: Content-Type: text/plain; charset=ISO-8859-1 Hi Thanks for this information. Anyone have more detail? Has anyone used this function? Thanks Stephane 2010/1/13 Marcelo Zilio > I just see in my ASA 8.2 under Configuration > Remote Access VPN > Network > (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option > Client Software Update. > > I remember seeing this in older versions too. I never used it, but I think > this > is what you are looking for. > > On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center < > noc at phibee.net> wrote: > > > Hi > > > > anyone know if it's possible : > > > > When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the > > version > > of the IPSec Client Software, I think. > > > > If this software is too old, can the ASA send an update automatically > ? > > > > > > Thanks > > Jerome > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ------------------------------ Message: 3 Date: Fri, 15 Jan 2010 09:23:47 -0000
From: "Mehdi Badreddine" To: Subject: [c-nsp] cisco users accounting and logging Message-ID: <70F55AD71714494087D3F5CF5ED1008305720B4D at EXVS02.claranet.local> Content-Type: text/plain; charset="iso-8859-1" Hi, I'm looking for an open source software to log cisco/hp/juniper users' commands. For the moment, we are not able to know what commands are issued by users. I've already installed tac_plus on BSD, though it doesn't provide users accounting, just authentication. Thanks in advance for your help. Mehdi BADREDDINE System&Network Admin CLARANET Paris 68, rue du Faubourg Saint-Honoré 75008 PARIS ------------------------------ Message: 4 Date: Fri, 15 Jan 2010 10:32:32 +0100
From: Pavel Skovajsa To: Jason LeBlanc Cc: cisco-nsp Subject: Re: [c-nsp] OSPF Campus Design : Excessive SPF Runs Message-ID: <323aca891001150132t303f9a45l1e1c2870835f9069 at mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Hi Jason, see below -pavel skovajsa On Fri, Jan 15, 2010 at 4:57 AM, Jason LeBlanc wrote: > Hello, > > We currently have Layer 3 Routed Access configured at all of our Metro Campus locations. There are a few obvious deviations from the best practice design guides. The current setup is: > > Core (backbone) --> Datacenter Distribution (ABR) --> | (fiber connect) | --> Building Distribution (ASBR) --> Access (OSPF enabled access switch) > > The Cisco best practice is: > > Core (backbone) --> Distribution (ABR) --> Access (OSPF enabled access switch) > The best practices are exactly what it says - best practices - in real practice everybody finds it hard to actually achieve that, due to geopolitical/other reasons. In other words the following implication is NOT true: not following best practices -> bad design -> network melts > We are running NSSA with no-summary and the range command on the Datacenter Distribution routers. Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router. Vlans on each box on each floor are mutually exclusive. > > Symptoms: > Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.
> > router-a#sh ip ospf stat > Area 0.0.0.0: SPF algorithm executed 7865 times > Area 192.8.208.0: SPF algorithm executed 386 times > Area 192.70.0.0: SPF algorithm executed 563 times > Area 192.100.0.0: SPF algorithm executed 93076 times Well, that last area 192.100.0.0 seems to be the culprit - what about troubleshooting it for a while, instead of redesigning whole network? Use commands like above "show ip ospf stat" and look for Seq# and LSA Age to find the flapping LSA. Also stuff like "debug ip ospf monitor" and "show ip ospf database database-summary" will help you. > > > Questions: > Should we be advertising (passively or non-passively) L3 Vlans into OSPF? Passively. Why would somebody do that in non-passive way and have myriads of neighbors per each vlan? > Should we be doing Totally NSSA's instead of NSSA's? Totally stubby (or totally not-so-stubby if you need ASBR) should be default design, only configure no-summary if you have specific reason. Also I don't understand the need for ASBR in your NSSA - but you probably have a reason for that. > If not is there a way to get the DR in NSSA to advertise a single route back as default route? > Should we be sending each campus distribution router directly to the Core so that it's 3 hops? As written above, if you have the funding to do this it will certainly make your network design nicer, but I don't see how doing this would actually massively decrement your SPF runs.... > Do you suggest tuning the OSPF dead interval to achieve subsecond convergence? Scale and speed are contradictory goals. Fast reaction to changes in network topology tends to end up in a network that never converges and is unstable. > > > Any help advise is greatly appreciated!
> > Regards, > > //LeBlanc > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ------------------------------ Message: 5 Date: Fri, 15 Jan 2010 11:47:33 +0100 From: Peter Rathlev To: Mehdi Badreddine Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] cisco users accounting and logging Message-ID: <1263552453.28844.4.camel at localhost> Content-Type: text/plain; charset="UTF-8" On Fri, 2010-01-15 at 09:23 +0000, Mehdi Badreddine wrote: > I've already installed tac_plus on BSD, though it doesn't provide > users accounting, just authentication. We use tac_plus with accounting, no problems there. The relevant configuration is: accounting file = /var/log/tacacs-accounting.log or similar in the tac_plus.conf file, and then: aaa accounting exec [method] start-stop group tacacs+ aaa accounting commands 0 [method] start-stop group tacacs+ aaa accounting commands 15 [method] start-stop group tacacs+ aaa accounting connection [method] start-stop group tacacs+ besides your normal AAA config on the Cisco devices. I wouldn't know about Juniper or HP. -- Peter ------------------------------ Message: 6 Date: Fri, 15 Jan 2010 07:24:56 -0600 From: scott owens To: cisco-nsp at puck.nether.net Subject: [c-nsp] OSPF on ASA with large routing tables Message-ID: Content-Type: text/plain; charset=ISO-8859-1 > > Message: 5 > Date: Thu, 14 Jan 2010 19:47:07 -0600
> From: Greg Clark > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] OSPF on ASA with large routing tables > Message-ID: > <44ae085f1001141747r5951bf09ka16e3cb239a9eb92 at mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > We're considering running OSPF on a handful of core ASA 5580 but our routing > table is somewhat large (roughly 10,000 routes). Does anyone have any > experience running OSPF on an ASA platform with a large number of routes on > a production network? Did you run into any limitations or issues? We > don't > plan on running multiple contexts and will not have a large number of > peers/neighbors, just a large routing table. > > Thanks, > > Greg > > > > I am certainly sure I do not know your network topology - but having 10,000 routes going to a firewall seems like you may want another pair or more of eyes to check out that route summarization problem. Ditto with the guy with 8,000+ routes. I have multiple 10GB, Nexus 7Ks, Redundant Gig Internet (/16), I2 connectivity and I don't think we have more than 100 or 200 routes present. ------------------------------ Message: 7 Date: Fri, 15 Jan 2010 08:29:00 -0500
From: To: , Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client Message-ID: <2AA600764E54964491083B1E0EC81A3033D742DEB2 at EXCLUS.nationala-1advertising.com> Content-Type: text/plain; charset="us-ascii" I use this but it isn't an automatic update. The user is presented with a message box once they sign in and it lets them know that an update is available. It is up to the user to click the box to update. If you are concerned about users using old clients you could always restrict the version via a client-access-rule...something like this...under your group-policy. client-access-rule 1 permit type WinNT version 5.0.0* client-access-rule 2 permit type "Mac OS X" version 4.9.01* client-access-rule 3 permit type Linux version "4.8.02 (0030)" client-access-rule 4 deny type * version * -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephane MAGAND Sent: Friday, January 15, 2010 12:55 AM To: Marcelo Zilio Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client Hi Thanks for this information. Anyone have more detail? Has anyone used this function? Thanks Stephane 2010/1/13 Marcelo Zilio > I just see in my ASA 8.2 under Configuration > Remote Access VPN > Network > (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option > Client Software Update. > > I remember seeing this in older versions too. I never used it, but I think > this > is what you are looking for. > > On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center < > noc at phibee.net> wrote: > > > Hi > > > > anyone know if it's possible : > > > > When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the > > version > > of the IPSec Client Software, I think. > > > > If this software is too old, can the ASA send an update automatically > ?
> > > > > > Thanks > > Jerome > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ------------------------------ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp End of cisco-nsp Digest, Vol 86, Issue 48 ***************************************** From asturluismi at gmail.com Tue Jan 19 05:54:58 2010 
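Peter Rathlev's reply in the digest above gives the two halves of tac_plus command accounting: the "accounting file = ..." directive on the server and the "aaa accounting exec/commands ... start-stop group tacacs+" lines on the IOS side. Once records are arriving, the file is the audit trail the original question asked for. The script below is an added example, not code from the thread or from tac_plus, that reads constructed sample lines in the tab-separated shape tac_plus writes (date, NAS address, username, port, remote address, start/stop/update flag, then attribute=value pairs; that layout is an assumption here), groups commands per user and device, flags privilege-15 commands that change configuration or disable the audit trail itself, and lists users whose exec sessions were accounted but for whom no cmd= record ever arrived, which is how Mehdi's symptom (accounting configured, nothing useful on the server) would look from the server side.

```python
"""Summarise a tac_plus accounting log: who ran what on which device, which
privilege-15 commands deserve a look, and which users produced exec session
records but no command records at all. Added example, not code from the
thread or from tac_plus itself."""
import re
from collections import defaultdict

# Constructed sample lines in the tab-separated shape tac_plus writes to the
# file named by its "accounting file = ..." directive: date, NAS address,
# username, port, remote address, start|stop|update, then attribute=value
# pairs. That layout is an assumption here, not copied from the thread.
SAMPLE_LOG = "\n".join([
    "Fri Jan 15 09:23:47 2010\t10.0.0.1\tmehdi\ttty2\t192.168.10.5\tstart\ttask_id=7\ttimezone=UTC\tservice=shell",
    "Fri Jan 15 09:24:01 2010\t10.0.0.1\tmehdi\ttty2\t192.168.10.5\tstop\ttask_id=8\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Fri Jan 15 09:24:30 2010\t10.0.0.1\tmehdi\ttty2\t192.168.10.5\tstop\ttask_id=9\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Fri Jan 15 09:24:41 2010\t10.0.0.1\tmehdi\ttty2\t192.168.10.5\tstop\ttask_id=10\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=no aaa accounting commands 15 default <cr>",
    "Fri Jan 15 09:30:12 2010\t10.0.0.2\tops1\ttty1\t192.168.10.9\tstart\ttask_id=3\ttimezone=UTC\tservice=shell",
    "Fri Jan 15 09:31:00 2010\t10.0.0.2\tops1\ttty1\t192.168.10.9\tstop\ttask_id=3\ttimezone=UTC\tservice=shell\telapsed_time=48",
])

# Privilege-15 commands that change configuration or weaken the audit trail.
SENSITIVE = re.compile(
    r"^(configure|copy|write|reload|username|enable secret|no aaa|no logging|clear logging)\b"
)


def parse_accounting(text):
    """Yield one dict per accounting record: fixed fields plus attribute=value pairs."""
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue                      # blank or not an accounting record
        rec = {"when": fields[0], "nas": fields[1], "user": fields[2],
               "port": fields[3], "remote": fields[4], "flag": fields[5]}
        for av in fields[6:]:
            key, sep, value = av.partition("=")
            if sep:
                rec[key] = value.strip()
        yield rec


def summarize(text):
    """Return {'commands': {(user, nas): [cmd, ...]},
               'alerts': [(when, user, nas, cmd), ...],
               'silent_sessions': [(user, nas), ...]}."""
    commands = defaultdict(list)
    session_starts = defaultdict(int)
    alerts = []
    for rec in parse_accounting(text):
        key = (rec["user"], rec["nas"])
        if "cmd" in rec:
            cmd = re.sub(r"\s*<cr>$", "", rec["cmd"])   # IOS appends <cr> to each command
            commands[key].append(cmd)
            if rec.get("priv-lvl") == "15" and SENSITIVE.match(cmd):
                alerts.append((rec["when"], rec["user"], rec["nas"], cmd))
        elif rec["flag"] == "start":
            session_starts[key] += 1
    # Exec sessions accounted but never a cmd= record: exec accounting reaches
    # the server while command accounting does not, so nothing useful is logged.
    silent = sorted(k for k in session_starts if k not in commands)
    return {"commands": dict(commands), "alerts": alerts, "silent_sessions": silent}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (user, nas), cmds in report["commands"].items():
        print(f"{user}@{nas}: {len(cmds)} commands")
    for when, user, nas, cmd in report["alerts"]:
        print(f"ALERT {when} {user}@{nas}: {cmd}")
    for user, nas in report["silent_sessions"]:
        print(f"NO COMMAND RECORDS for {user}@{nas}")
```

Point it at the real accounting file instead of SAMPLE_LOG by reading the file into `summarize()`. Two things are worth watching in the output: a "no aaa accounting" or "no logging" command at privilege 15 is the one event an attacker with enable would issue first, so it belongs in the alert list regardless of who ran it, and a device that shows exec sessions but never a cmd= record is a device whose "aaa accounting commands" lines are missing, point at a different method list, or never reach the server.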
From: asturluismi at gmail.com (luismi) Date: Tue, 19 Jan 2010 11:54:58 +0100 Subject: [c-nsp] cisco-nsp Digest, Vol 86, Issue 48 In-Reply-To: <70F55AD71714494087D3F5CF5ED10083059862EB@EXVS02.claranet.local> References: <70F55AD71714494087D3F5CF5ED10083059862EB@EXVS02.claranet.local> Message-ID: <1263898498.5534.3.camel@hal9000> I have this and I have accounting: aaa authentication attempts login 2 aaa authentication login default group tac-plus local-case aaa authentication login console group tac-plus local-case aaa authentication enable default enable aaa authorization console aaa authorization exec default group tacacs+ if-authenticated aaa authorization network default group tac-plus local aaa accounting send stop-record authentication failure vrf GestionIP aaa accounting send stop-record authentication failure aaa accounting suppress null-username aaa accounting update newinfo periodic 1440 aaa accounting exec default start-stop group tac-plus aaa accounting commands 0 default start-stop group tac-plus aaa accounting commands 1 default start-stop group tac-plus aaa accounting commands 15 default start-stop group tac-plus aaa accounting network default start-stop group tac-plus aaa accounting connection default start-stop group tac-plus aaa accounting system default start-stop group tac-plus On Tue, 19-01-2010 at 09:05 +0000, Mehdi Badreddine wrote: > Hi, > > Thanks for your responses.
> A colleague of mine gave me this answer: > > aaa new-model > aaa authentication login default group tacacs+ enable > aaa authentication enable default group tacacs+ enable > aaa authorization exec default group tacacs+ if-authenticated > aaa authorization commands 15 default group tacacs+ if-authenticated > aaa accounting exec default start-stop group tacacs+ > aaa accounting commands 1 default start-stop group tacacs+ > aaa accounting commands 15 default start-stop group tacacs+ > aaa accounting network default start-stop group tacacs+ > aaa accounting system default start-stop group tacacs+ > aaa session-id common > > But I still don't have accounting information on my tac_plus server. > > What's your opinion? > > > Mehdi BADREDDINE > > Systems and Network Administrator > CLARANET Paris > 68, rue du Faubourg Saint-Honoré > 75008 PARIS > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of cisco-nsp-request at puck.nether.net > Sent: Friday, 15 January 2010 14:30 > To: cisco-nsp at puck.nether.net > Subject: cisco-nsp Digest, Vol 86, Issue 48 > > Send cisco-nsp mailing list submissions to > cisco-nsp at puck.nether.net > > To subscribe or unsubscribe via the World Wide Web, visit > https://puck.nether.net/mailman/listinfo/cisco-nsp > or, via email, send a message with subject or body 'help' to > cisco-nsp-request at puck.nether.net > > You can reach the person managing the list at > cisco-nsp-owner at puck.nether.net > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of cisco-nsp digest..." > > > Today's Topics: > > 1. Re: RIB failure : Higher admin distance (Randy) > 2. Re: Cisco ASA and Update Cisco VPN Client (Stephane MAGAND) > 3. cisco users accounting and logging (Mehdi Badreddine) > 4. Re: OSPF Campus Design : Excessive SPF Runs (Pavel Skovajsa) > 5. Re: cisco users accounting and logging (Peter Rathlev) > 6.
OSPF on ASA with large routing tables (scott owens) > 7. Re: Cisco ASA and Update Cisco VPN Client (NMaio at guesswho.com) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 14 Jan 2010 21:49:44 -0800 (PST) > From: Randy > To: cisco-nsp at puck.nether.net, Andy Ashley > Subject: Re: [c-nsp] RIB failure : Higher admin distance > Message-ID: <34888.80577.qm at web80505.mail.mud.yahoo.com> > Content-Type: text/plain; charset=iso-8859-1 > > ..sorry for the top posting.. > Hi Andy, > You wouldn't happen to have an interface on router A with an addr. in that range would you? *connected* eq ad of 0. A longer prefix match will not work in this case when it comes to installing routes in the bgp routing table. > Regards > ./Randy > > > --- On Thu, 1/14/10, Andy Ashley wrote:
> > > From: Andy Ashley > Subject: [c-nsp] RIB failure : Higher admin distance > To: cisco-nsp at puck.nether.net > Date: Thursday, January 14, 2010, 6:32 PM > > > Hi all, > > We have two routers at site A and one at site B, both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers. > The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B. > > We run OSPF between all the routers/switches, also over the private link between site A and B and use "redistribute static subnets" > There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks, > the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path) > > There is an issue: > We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A. > However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure. > > (Site A Router)#sh ip bgp rib-failure > Network Next Hop RIB-failure RIB-NH Matches > X.X.X.X/20 (Layer 3 Core Switch) Higher admin distance n/a > > etc etc (there is a list of all of our static routes here) > > (Site A Router)#show ip bgp (Slash /24 in question) > BGP routing table entry for (Slash /24 in question)/24, version 4317116 > Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17)) > Not advertised to any peer > (65003) > (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X) > Origin IGP, metric 0, localpref 100, valid, confed-internal, best >
Community: ASN:200 no-export > > (Site A Router)#show ip route (Slash /24 in question) > Routing entry for (Slash /24 in question)/24 > Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2 > Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago > Routing Descriptor Blocks: > * (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8 > Route metric is 20, traffic share count is 1 > > The rib failure condition seems to be persistent. > > Any ideas how to overcome this issue? > > Thanks. > Andy. > > > -- This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > ------------------------------ > > Message: 2 > Date: Fri, 15 Jan 2010 06:55:00 +0100
> From: Stephane MAGAND
> To: Marcelo Zilio
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client
> Message-ID:
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi
>
> Thanks for this information.
>
> Anyone have more detail? Has anyone used this function?
>
> Thanks
> Stephane
>
> 2010/1/13 Marcelo Zilio
> > I just saw in my ASA 8.2 under Configuration > Remote Access VPN > Network
> > (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option
> > Client Software Update.
> >
> > I remember seeing this in older versions too. I never used it, but I think
> > this is what you are looking for.
> >
> > On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <
> > noc at phibee.net> wrote:
> >
> > > Hi
> > >
> > > Anyone know if it's possible:
> > >
> > > When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the
> > > version of the IPSec Client Software, I think.
> > >
> > > If this software is too old, can the ASA send an update automatically?
> > >
> > > Thanks
> > > Jerome
>
> ------------------------------
>
> Message: 3
> Date: Fri, 15 Jan 2010 09:23:47 -0000
> From: "Mehdi Badreddine"
> To:
> Subject: [c-nsp] cisco users accounting and logging
> Message-ID: <70F55AD71714494087D3F5CF5ED1008305720B4D at EXVS02.claranet.local>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I'm looking for open source software to log cisco/hp/juniper users' commands. For the moment, we are not able to know what commands are issued by users.
> I've already installed tac_plus on BSD, though it doesn't provide user accounting, just authentication.
> Thanks in advance for your help.
>
> Mehdi BADREDDINE
>
> System & Network Admin
> CLARANET Paris
> 68, rue du Faubourg Saint-Honoré
> 75008 PARIS
>
> ------------------------------
>
> Message: 4
> Date: Fri, 15 Jan 2010 10:32:32 +0100
> From: Pavel Skovajsa
> To: Jason LeBlanc
> Cc: cisco-nsp
> Subject: Re: [c-nsp] OSPF Campus Design : Excessive SPF Runs
> Message-ID: <323aca891001150132t303f9a45l1e1c2870835f9069 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Jason,
>
> see below
>
> -pavel skovajsa
>
> On Fri, Jan 15, 2010 at 4:57 AM, Jason LeBlanc wrote:
> > Hello,
> >
> > We currently have Layer 3 Routed Access configured at all of our Metro Campus locations. There are a few obvious deviations from the best practice design guides. The current setup is:
> >
> > Core -->        Datacenter Distribution --> | (fiber connect) | -->   Building Distribution -->   Access
> > (backbone)      (ABR)                                                 (ASBR)                      (OSPF enabled access switch)
> >
> > The Cisco best practice is:
> >
> > Core -->        Distribution -->        Access
> > (backbone)      (ABR)                   (OSPF enabled access switch)
> >
>
> The best practices are exactly what it says - best practices - in real
> practice everybody finds it hard to actually achieve that, due to
> geopolitical/other reasons. In other words the following implication
> is NOT true: not following best practices -> bad design -> network
> melts
>
> > We are running NSSA with no-summary and the range command on the Datacenter Distribution routers. Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router. Vlans on each box on each floor are mutually exclusive.
> >
> > Symptoms:
> > Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.
> >
> > router-a#sh ip ospf stat
> >  Area 0.0.0.0: SPF algorithm executed 7865 times
> >  Area 192.8.208.0: SPF algorithm executed 386 times
> >  Area 192.70.0.0: SPF algorithm executed 563 times
> >  Area 192.100.0.0: SPF algorithm executed 93076 times
>
> Well, that last area 192.100.0.0 seems to be the culprit - what about
> troubleshooting it for a while, instead of redesigning the whole network?
> Use commands like the above "show ip ospf stat" and look for Seq# and LSA
> Age to find the flapping LSA. Also stuff like "debug ip ospf monitor"
> and "show ip ospf database database-summary" will help you.
>
> > Questions:
> > Should we be advertising (passively or non-passively) L3 Vlans into OSPF?
>
> Passively. Why would somebody do that in a non-passive way and have
> myriads of neighbors per each vlan?
>
> > Should we be doing Totally NSSA's instead of NSSA's?
>
> Totally stubby (or totally not-so-stubby if you need ASBR) should be the
> default design; only configure no-summary if you have a specific reason.
> Also I don't understand the need for ASBR in your NSSA - but you
> probably have a reason for that.
>
> >        If not is there a way to get the DR in NSSA to advertise a single route back as default route?
> > Should we be sending each campus distribution router directly to the Core so that it's 3 hops?
>
> As written above, if you have the funding to do this it will certainly
> make your network design nicer, but I don't see how doing this would
> actually massively decrease your SPF runs....
>
> > Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?
>
> Scale and speed are contradictory goals. Fast reaction to changes in
> network topology tends to end up in a network that never converges
> and is unstable.
>
> > Any help/advice is greatly appreciated!
> >
> > Regards,
> >
> > //LeBlanc
>
> ------------------------------
>
> Message: 5
> Date: Fri, 15 Jan 2010 11:47:33 +0100
> From: Peter Rathlev
> To: Mehdi Badreddine
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] cisco users accounting and logging
> Message-ID: <1263552453.28844.4.camel at localhost>
> Content-Type: text/plain; charset="UTF-8"
>
> On Fri, 2010-01-15 at 09:23 +0000, Mehdi Badreddine wrote:
> > I've already installed tac_plus on BSD, though it doesn't provide
> > users accounting, just authentication.
>
> We use tac_plus with accounting, no problems there. The relevant
> configuration is:
>
> accounting file = /var/log/tacacs-accounting.log
>
> or similar in the tac_plus.conf file, and then:
>
> aaa accounting exec [method] start-stop group tacacs+
> aaa accounting commands 0 [method] start-stop group tacacs+
> aaa accounting commands 15 [method] start-stop group tacacs+
> aaa accounting connection [method] start-stop group tacacs+
>
> besides your normal AAA config on the Cisco devices.
>
> I wouldn't know about Juniper or HP.
>
> --
> Peter
>
> ------------------------------
>
> Message: 6
> Date: Fri, 15 Jan 2010 07:24:56 -0600
> From: scott owens
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OSPF on ASA with large routing tables
> Message-ID:
> Content-Type: text/plain; charset=ISO-8859-1
>
> > Message: 5
> > Date: Thu, 14 Jan 2010 19:47:07 -0600
> > From: Greg Clark
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] OSPF on ASA with large routing tables
> > Message-ID: <44ae085f1001141747r5951bf09ka16e3cb239a9eb92 at mail.gmail.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > We're considering running OSPF on a handful of core ASA 5580 but our routing
> > table is somewhat large (roughly 10,000 routes). Does anyone have any
> > experience running OSPF on an ASA platform with a large number of routes on
> > a production network? Did you run into any limitations or issues? We don't
> > plan on running multiple contexts and will not have a large number of
> > peers/neighbors, just a large routing table.
> >
> > Thanks,
> >
> > Greg
>
> I am certainly sure I do not know your network topology - but having 10,000
> routes going to a firewall seems like you may want another pair or more of
> eyes to check out that route summarization problem. Ditto with the guy with
> 8,000+ routes.
>
> I have multiple 10GB, Nexus 7Ks, Redundant Gig Internet (/16), I2
> connectivity and I don't think we have more than 100 or 200 routes present.
>
> ------------------------------
>
> Message: 7
> Date: Fri, 15 Jan 2010 08:29:00 -0500
> From:
> To: ,
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client
> Message-ID: <2AA600764E54964491083B1E0EC81A3033D742DEB2 at EXCLUS.nationala-1advertising.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I use this but it isn't an automatic update. The user is presented with a message box once they sign in and it lets them know that an update is available. It is up to the user to click the box to update. If you are concerned about users using old clients you could always restrict the version via a client-access-rule... something like this... under your group-policy.
>
> client-access-rule 1 permit type WinNT version 5.0.0*
> client-access-rule 2 permit type "Mac OS X" version 4.9.01*
> client-access-rule 3 permit type Linux version "4.8.02 (0030)"
> client-access-rule 4 deny type * version *
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephane MAGAND
> Sent: Friday, January 15, 2010 12:55 AM
> To: Marcelo Zilio
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client
>
> ------------------------------
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
>
> End of cisco-nsp Digest, Vol 86, Issue 48
> *****************************************

From mehdi.badreddine at fr.clara.net Tue Jan 19 06:39:56 2010
From: mehdi.badreddine at fr.clara.net (Mehdi Badreddine)
Date: Tue, 19 Jan 2010 11:39:56 -0000
Subject: [c-nsp] cisco-nsp Digest, Vol 86, Issue 48
In-Reply-To: <1263898498.5534.3.camel@hal9000>
References: <70F55AD71714494087D3F5CF5ED10083059862EB@EXVS02.claranet.local> <1263898498.5534.3.camel@hal9000>
Message-ID: <70F55AD71714494087D3F5CF5ED100830598632A@EXVS02.claranet.local>

Sorry for spamming, thanks for the information, I'll check it out soon.

Mehdi

-----Original Message-----
From: luismi [mailto:asturluismi at gmail.com]
Sent: Tuesday, 19 January 2010 11:55
To: Mehdi Badreddine
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] cisco-nsp Digest, Vol 86, Issue 48

I have this and I have accounting:

aaa authentication attempts login 2
aaa authentication login default group tac-plus local-case
aaa authentication login console group tac-plus local-case
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tac-plus local
aaa accounting send stop-record authentication failure vrf GestionIP
aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting update newinfo periodic 1440
aaa accounting exec default start-stop group tac-plus
aaa accounting commands 0 default start-stop group tac-plus
aaa accounting commands 1 default start-stop group tac-plus
aaa accounting commands 15 default start-stop group tac-plus
aaa accounting network default start-stop group tac-plus
aaa accounting connection default start-stop group tac-plus
aaa accounting system default start-stop group tac-plus
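Peter's tac_plus settings and luismi's IOS `aaa accounting commands` lines answer Mehdi's question by producing a tac_plus accounting file, which then has to be read to know what each user actually typed. The parser below is an added example, not code from the thread or from tac_plus; it assumes the tab-separated record layout tac_plus documents (timestamp, NAS, user, port, remote address, start/stop/update, then attr=value pairs with an IOS `<cr>` suffix on commands) and the log lines are constructed.

```python
"""Read tac_plus command-accounting records and flag privileged commands
that switch off the audit trail itself (added example; log lines constructed)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what tac_plus writes when IOS is configured with
# "aaa accounting commands 15 default start-stop group tacacs+".
SAMPLE_LOG = "\n".join([
    "\t".join(["Fri Jan 15 09:23:47 2010", "10.0.0.1", "alice", "tty2", "10.0.0.50",
               "start", "task_id=41", "service=shell"]),
    "\t".join(["Fri Jan 15 09:23:52 2010", "10.0.0.1", "alice", "tty2", "10.0.0.50",
               "stop", "task_id=42", "service=shell", "priv-lvl=15",
               "cmd=configure terminal <cr>"]),
    "\t".join(["Fri Jan 15 09:24:10 2010", "10.0.0.1", "alice", "tty2", "10.0.0.50",
               "stop", "task_id=43", "service=shell", "priv-lvl=15",
               "cmd=no aaa accounting commands 15 default start-stop group tacacs+ <cr>"]),
    "\t".join(["Fri Jan 15 09:30:00 2010", "10.0.0.2", "bob", "tty1", "10.0.0.60",
               "stop", "task_id=44", "service=shell", "priv-lvl=1",
               "cmd=show ip route <cr>"]),
    "garbage line with too few fields",   # must be skipped, not crash the parser
])

RECORD_KINDS = ("start", "stop", "update")


@dataclass
class AccountingRecord:
    timestamp: str
    nas: str
    user: str
    port: str
    remote: str
    kind: str                 # start, stop or update
    attrs: Dict[str, str]

    @property
    def command(self) -> Optional[str]:
        """The command as typed, with the IOS '<cr>' marker removed."""
        cmd = self.attrs.get("cmd")
        if cmd is None:
            return None
        return re.sub(r"\s*<cr>\s*$", "", cmd).strip()

    @property
    def priv_level(self) -> int:
        try:
            return int(self.attrs.get("priv-lvl", "0"))
        except ValueError:
            return 0


def parse_record(line: str) -> Optional[AccountingRecord]:
    """One tab-separated tac_plus record -> AccountingRecord, or None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6 or fields[5] not in RECORD_KINDS:
        return None
    attrs: Dict[str, str] = {}
    for item in fields[6:]:
        key, sep, value = item.partition("=")
        if sep:                       # ignore fragments without a '='
            attrs[key] = value
    return AccountingRecord(*fields[:6], attrs)


def parse_log(text: str) -> List[AccountingRecord]:
    return [r for r in (parse_record(l) for l in text.splitlines() if l.strip()) if r]


def commands_by_user(records: List[AccountingRecord]) -> Dict[str, List[str]]:
    """Command history per user; only 'stop' records carry the final command."""
    history: Dict[str, List[str]] = {}
    for r in records:
        if r.kind == "stop" and r.command:
            history.setdefault(r.user, []).append(r.command)
    return history


# Privileged commands that remove accounting or logging: the first thing to
# alert on, since everything after them is invisible to this very log.
AUDIT_TAMPER = re.compile(r"^no\s+(aaa\s+accounting|logging|snmp-server\s+enable\s+traps)\b")


def flag_audit_tampering(records: List[AccountingRecord]) -> List[Tuple[str, str, str]]:
    return [(r.user, r.nas, r.command) for r in records
            if r.command and r.priv_level >= 15 and AUDIT_TAMPER.match(r.command)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, cmds in commands_by_user(recs).items():
        print(user, "->", cmds)
    for user, nas, cmd in flag_audit_tampering(recs):
        print(f"ALERT: {user} on {nas} ran: {cmd}")
```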
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 19 Jan 2010 10:58:52 -0000
Subject: [c-nsp] cisco 6509 rommon mode
Message-ID: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com>

Hi,

I am using a cisco 6509 switch. This switch has not been powered ON for the last one year; now after switching it ON, it is going to ROMMON mode. The following is the log:

Currently running ROMMON from S (Gold) region
Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin
Module 1 port ASIC 0 failed: Pinnacle Packet Buffer Error
Module 1 reported following ports unusable
port 1 bad
port 2 bad
port 3 bad
port 4 bad
inband gmac link did not come up: reseting the system
System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 262144 Kbytes of main memory
Autoboot executing command: "boot bootflash:cat6000-sup2cvk9.8-3-2.bin"
Self decompressing the image : ##############################################################################################################]
System Power On Diagnostics
DRAM Size ..........................256 MB
Testing DRAM .......................Passed
Verifying Text Segment .............Passed
NVRAM Size .........................512 KB
Level2 Cache .......................Present
Level3 Cache .......................Present
System Power On Diagnostics Complete.
---------------------------------------------------------

I tried the following commands:
1. boot
2. boot bootflash:cat6000-sup2cvk9.8-3-2.bin
3. I thought the IOS may be damaged, so I used XMODEM to upload the IOS image, but after some time it is also failing.

Please help me. Thanks. Bye

From andre.schoppmeier at telefonica.de Tue Jan 19 06:25:30 2010
From: andre.schoppmeier at telefonica.de (Andre Schoppmeier)
Date: Tue, 19 Jan 2010 12:25:30 +0100
Subject: [c-nsp] IP Packet Debug - FIB errors
Message-ID: <20100119122530797.00000002356@wxpmlscop03mo>

Hello

Just have a question regarding FIB errors during packet debugging:

Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, input feature
Jan 19 12:17:48 MEZ: UDP src=59668, dst=16000, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, input feature
Jan 19 12:17:48 MEZ: UDP src=59668, dst=16000, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jan 19 12:17:48 MEZ: FIBipv4-packet-proc: route packet from Dialer3 src 172.31.55.194 dst 172.31.55.192
Jan 19 12:17:48 MEZ: FIBfwd-proc: Default:172.31.55.192/32 recieve entry
Jan 19 12:17:48 MEZ: FIBipv4-packet-proc: packet routing failed
Jan 19 12:17:48 MEZ: IP: tableid=0, s=172.31.55.194 (Dialer3), d=172.31.55.192 (Loopback13), routed via RIB
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, rcvd 4
Jan 19 12:17:48 MEZ: UDP src=59668, dst=16000
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, stop process pak for forus packet
Jan 19 12:17:48 MEZ: UDP src=59668, dst=16000
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, enqueue feature
Jan 19 12:17:48 MEZ: UDP src=59668, dst=16000, TCP Adjust MSS(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jan 19 12:18:01 MEZ: %HWIC_SHDSL-5-DSLGROUP_UPDOWN: SHDSL 0/0/0 dsl-group(1) state changed to administratively down.

What does that mean? I can't find any info on the Cisco pages if you search for: FIBipv4-packet-proc: packet routing failed

Ciao
Andre

Andre Schoppmeier
Telefónica o2 Germany GmbH & Co.
OHG
Andre.Schoppmeier at telefonica.de
www.telefonica.de

Please find the legally required company information here: www.telefonica.de/pflichtangaben.html

From rdobbins at arbor.net Tue Jan 19 07:24:01 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Tue, 19 Jan 2010 12:24:01 +0000
Subject: [c-nsp] IP Packet Debug - FIB errors
In-Reply-To: <20100119122530797.00000002356@wxpmlscop03mo>
References: <20100119122530797.00000002356@wxpmlscop03mo>
Message-ID: <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>

On Jan 19, 2010, at 6:25 PM, Andre Schoppmeier wrote:

> Just have a question regarding FIB errors during packet debugging:

FYI, IP packet debug is generally considered to be too dangerous for use on production boxes - it's a huge risk in terms of self-DoSing the router(s) in question.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From andre.schoppmeier at telefonica.de Tue Jan 19 07:39:51 2010
From: andre.schoppmeier at telefonica.de (Andre Schoppmeier)
Date: Tue, 19 Jan 2010 13:39:51 +0100
Subject: [c-nsp] IP Packet Debug - FIB errors
In-Reply-To: <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>
References: <20100119122530797.00000002356@wxpmlscop03mo> <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>
Message-ID: <20100119133951719.00000002356@wxpmlscop03mo>

Hello Roland,

I know that; we are testing the configuration of IP-SLA udp-jitter via SNMP with Infovista. But the ip sla statistics ran into a timeout, so I did a debug ip packet with a filter and the result was the output I sent. If the packet could not be routed because of the FIB error, then I would understand the timeout of the udp-jitter.

Regards
Andre

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dobbins, Roland
Sent: Tuesday, 19 January 2010 13:24
To: Cisco-nsp
Subject: Re: [c-nsp] IP Packet Debug - FIB errors

From asturluismi at gmail.com Tue Jan 19 07:41:50 2010
From: asturluismi at gmail.com (luismi)
Date: Tue, 19 Jan 2010 13:41:50 +0100
Subject: [c-nsp] IP Packet Debug - FIB errors
In-Reply-To: <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>
References: <20100119122530797.00000002356@wxpmlscop03mo> <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>
Message-ID: <1263904910.5534.5.camel@hal9000>

I don't think so; "debug ip packet" is ok if you use a very specific ACL, IMHO.

I found "debug ip nat detailed" very dangerous; I saw a 7200 go down because of that command without too much nat :-P

On Tue, 19-01-2010 at 12:24 +0000, Dobbins, Roland wrote:
> FYI, IP packet debug is generally considered to be too dangerous for use on production boxes - it's a huge risk in terms of self-DoSing the router(s) in question.

From rdobbins at arbor.net Tue Jan 19 07:51:49 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Tue, 19 Jan 2010 12:51:49 +0000
Subject: [c-nsp] IP Packet Debug - FIB errors
In-Reply-To: <1263904910.5534.5.camel@hal9000>
References: <20100119122530797.00000002356@wxpmlscop03mo> <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net> <1263904910.5534.5.camel@hal9000>
Message-ID: <99024FAD-3A38-4FA8-9376-AC8D44B02C3C@arbor.net>

On Jan 19, 2010, at 7:41 PM, luismi wrote:

> I don't think so, "debug ip packet" is ok if you use a very specific ACL,
> IMHO.

I've seen even that send RP CPU to 100%, depending upon pps - YMMV, of course.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From ip at ioshints.info Tue Jan 19 09:49:06 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 19 Jan 2010 15:49:06 +0100
Subject: [c-nsp] MPLS - CE to CE throughput [SEC=UNCLASSIFIED]
In-Reply-To: <20100119041857.GN35418@stlux503.dsto.defence.gov.au>
References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com> <20100119041857.GN35418@stlux503.dsto.defence.gov.au>
Message-ID: <004d01ca9916$8e2c0420$aa840c60$@info>

Not nearly enough traffic. If you have reasonable-speed links, it's almost impossible to saturate them with low-end routers. We tried with several IOS-based options, including TTCP, and had to fall back to embedded Linux-based solutions.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> -----Original Message-----
> From: Wilkinson, Alex [mailto:alex.wilkinson at dsto.defence.gov.au]
> Sent: Tuesday, January 19, 2010 5:19 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS - CE to CE throughput [SEC=UNCLASSIFIED]
>
> On Mon, Jan 18, 2010 at 06:47:28PM +0100, Arie Vayner (avayner) wrote:
>
> >-----Original Message-----
> >From: cisco-nsp-bounces at puck.nether.net
> >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jack daniels
> >Sent: Monday, January 18, 2010 18:58
> >To: cisco-nsp at puck.nether.net
> >Subject: [c-nsp] MPLS - CE to CE throughput
> >
> >Hi guys,
> >I want to check the throughput in the scenario
> >CE1-----MPLS cloud ----CE2
>
> How about using CHARGEN?
> [http://etherealmind.com/the-poor-mans-ios-traffic-generator/]
>
> -Alex
>
> IMPORTANT: This email remains the property of the Australian Defence
> Organisation and is subject to the jurisdiction of section 70 of the
> CRIMES ACT 1914. If you have received this email in error, you are
> requested to contact the sender and delete the email.

From amsoares at netcabo.pt Tue Jan 19 10:28:30 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Tue, 19 Jan 2010 15:28:30 -0000
Subject: [c-nsp] ASA 7.2 Interim Releases
In-Reply-To:
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local>
Message-ID:

Basically because I have customers that want to be always up to date.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, 19 January 2010 4:09
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

Would you clarify why you need something more recent? There's tons of code where your bug is fixed, including (43) that you state you have.

tv

----- Original Message -----
From: "Antonio Soares"
To: "'Ryan West'" ;
Sent: Monday, January 18, 2010 11:46 AM
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

> Hello Ryan,
>
> It was because of Bug CSCsv25041. I think you are safe.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Ryan West [mailto:rwest at zyedge.com]
> Sent: Monday, 18 January 2010 17:21
> To: Antonio Soares; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] ASA 7.2 Interim Releases
>
> Antonio,
>
>> -----Original Message-----
>> Sent: Monday, January 18, 2010 12:10 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ASA 7.2 Interim Releases
>>
>> Hello group,
>>
>> I see that the latest 7.2 interim release available on CCO is
>> 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would
>> like to know if there is something more recent available.
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>
> I have a lot of boxes with 7.2.4(33) and that is the latest publicly
> available interim release. I expect that a 7.2.5 release is in
> the works though. What was the cause for your TAC case?
>
> Thanks,
>
> -ryan

From mtinka at globaltransit.net Tue Jan 19 12:44:32 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 20 Jan 2010 01:44:32 +0800
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To:
References:
Message-ID: <201001200144.38879.mtinka@globaltransit.net>

On Thursday 07 January 2010 10:09:20 pm David Freedman wrote:

> When you add MPLS into the mix (for internet routing, not
> just VPN) your border router becomes an LER and as such
> you can't take advantage of the core routers and have
> them MPLS only LSRs at the same time. One solution may
> be to inject your supernets from your sources (i.e
> reflectors), perhaps with a bogus next hop (i.e with
> enough validity to be announced but not forwarding if it
> ever became a valid route for traffic to follow at the
> edge)

I'm guessing this is a pretty standard deployment in most (but perhaps not all) parts, regardless of whether MPLS is the sole forwarding engine in the core or not.

In our case (which is an IPv4 BGP-free core), all aggregates are originated by our route reflectors, and they point to 192.0.2.1 and 2001:db8::1. All our routers are configured to be adjacent to Null0 (IOS) or Discard (JUNOS) for those next-hop addresses.

It works!

Cheers,

Mark.

From dwhitejr at cisco.com Tue Jan 19 13:21:31 2010
From: dwhitejr at cisco.com (David White, Jr. (dwhitejr))
Date: Tue, 19 Jan 2010 13:21:31 -0500
Subject: [c-nsp] PIX/ASA OID for "show service-policy"
In-Reply-To: <9C8FF20D386D4EF388BA7A772A2034BB@int.convex.pt>
References: <9C8FF20D386D4EF388BA7A772A2034BB@int.convex.pt>
Message-ID: <4B55F82B.8000002@cisco.com>

Hi Antonio,

The "show service-policy" output is not available via SNMP.

Sorry,
David.

Antonio Soares wrote:
> Hello group,
>
> I'm trying to find the OID that gives us the same type of information we see in the "show service-policy" output:
>
> pixfirewall(config)# show service-policy
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: inspection_default
>       Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
>       Inspect: ftp, packet 0, drop 0, reset-drop 0
>       Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
>       Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
>       Inspect: netbios, packet 0, drop 0, reset-drop 0
>       Inspect: rsh, packet 0, drop 0, reset-drop 0
>       Inspect: rtsp, packet 0, drop 0, reset-drop 0
>       Inspect: skinny , packet 0, drop 0, reset-drop 0
>       Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
>       Inspect: sqlnet, packet 0, drop 0, reset-drop 0
>       Inspect: sunrpc, packet 0, drop 0, reset-drop 0
>       Inspect: tftp, packet 0, drop 0, reset-drop 0
>       Inspect: sip , packet 0, drop 0, reset-drop 0
>       Inspect: xdmcp, packet 0, drop 0, reset-drop 0
>
> Interface outside:
>   Service-policy: OUTSIDE
>     Class-map: CONNECTIONS
>       Set connection policy: conn-max 123
>         current conns 0, drop 0
> pixfirewall(config)#
>
> The best SNMP objects I was able to find are 1.3.6.1.4.1.9.9.147 (ciscoFirewallMIB) and 1.3.6.1.4.1.9.9.491
> (ciscoUnifiedFirewallMIB) but they don't seem to have what I need.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt

From dwhitejr at cisco.com Tue Jan 19 13:23:15 2010
From: dwhitejr at cisco.com (David White, Jr. (dwhitejr))
Date: Tue, 19 Jan 2010 13:23:15 -0500
Subject: [c-nsp] ASA 7.2 Interim Releases
In-Reply-To: <61653F59D5844000AF55C5528E048F23@int.convex.pt>
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt>
Message-ID: <4B55F893.20307@cisco.com>

Hi Antonio,

7.2(4.44) is the latest. But you need a TAC case to get it, and an associated bug that you are running into which would be resolved by running 7.2(4.44).

Sincerely,
David.

Antonio Soares wrote:
> Hello group,
>
> I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would
> like to know if there is something more recent available.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt

From amsoares at netcabo.pt Tue Jan 19 13:34:11 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Tue, 19 Jan 2010 18:34:11 -0000
Subject: [c-nsp] PIX/ASA OID for "show service-policy"
In-Reply-To: <4B55F82B.8000002@cisco.com>
References: <9C8FF20D386D4EF388BA7A772A2034BB@int.convex.pt> <4B55F82B.8000002@cisco.com>
Message-ID: <55A465468D8840998A61ED1C04AC03CF@int.convex.pt>

Thank you very much for this information.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
Sent: Tuesday, 19 January 2010 18:22
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX/ASA OID for "show service-policy"
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>

From amsoares at netcabo.pt Tue Jan 19 13:38:10 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Tue, 19 Jan 2010 18:38:10 -0000
Subject: [c-nsp] ASA 7.2 Interim Releases
In-Reply-To: <4B55F893.20307@cisco.com>
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <4B55F893.20307@cisco.com>
Message-ID:

I know that 7.2.4(43) is a good release, so for me getting the list of bugs corrected in 7.2.4(44) would be enough. Can you provide that information? I know that I can open a TAC case, but there is a thing called Shared Support Metrics... :)

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
Sent: Tuesday, 19 January 2010 18:23
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

Hi Antonio,

7.2(4.44) is the latest. But you need a TAC case to get it, and an associated bug that you are running into which would be resolved by running 7.2(4.44).

Sincerely,

David.

Antonio Soares wrote:
> Hello group,
>
> I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would
> like to know if there is something more recent available.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>

From peter at rathlev.dk Tue Jan 19 13:39:39 2010
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 19 Jan 2010 19:39:39 +0100
Subject: [c-nsp] Hardware PBR on Sup720/PFC3BXL
In-Reply-To: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com>
References: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com>
Message-ID: <1263926379.5037.23.camel@localhost>

Hi Robert,

On Mon, 2010-01-18 at 13:14 +0100, Robert Hass wrote:
> I have to implement some Policy-Based Routing (PBR) route-maps on a few
> Catalyst 6500. We are currently using Sup720/PFC3BXL with IOS
> 12.2(33)SXH6, but we can migrate to SXI if it helps. Are the below PBR
> route-maps supported in hardware on PFC3B/DFC3B?
>
> route-map pbr2 permit 10
>  set global
> !
> route-map pbr permit 10
>  match ip address 160
>  set vrf r2
> !
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 780
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 782
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 787
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 790
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 796
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 range 50000 51000

A Sup720-10G running SXI will at least eat the commands. I'm afraid I don't have enough of a setup to test throughput, but it doesn't give any warnings at least.
I'm also no expert in Feature Manager output, but as far as I can see it should be supported in hardware:

R1(config)#ip vrf r2
R1(config-vrf)#rd 1:1
R1(config-vrf)#exit
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 780
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 782
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 787
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 790
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 796
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 range 50000 51000
R1(config)#route-map pbr2 permit 10
R1(config-route-map)#set global
R1(config-route-map)#exit
R1(config)#route-map pbr permit 10
R1(config-route-map)#match ip address 160
R1(config-route-map)#set vrf r2
R1(config-route-map)#exit
R1(config)#interface Gi4/20
R1(config-if)#no shutdown
00094: Jan 19 19:10:39.653 CET: %LINK-3-UPDOWN: Interface GigabitEthernet4/20, changed state to down
R1(config-if)#
000095: Jan 19 19:10:39.656 CET: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/20, changed state to down
R1(config-if)#
000096: Jan 19 19:10:39.660 CET: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/20, changed state to down
R1(config-if)#ip addr 10.6.7.1 255.255.255.252
R1(config-if)#ip policy route-map pbr
000097: Jan 19 19:10:54.897 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface VRF_2_vlan4076, changed state to up
R1(config-if)#^Z
000098: Jan 19 19:11:54.169 CET: %SYS-5-CONFIG_I: Configured from console by someone on vty0 (x.x.x.x)
R1#
R1#sh fm features bri | begin ^Interface: Gi.*4/20
Interface: GigabitEthernet4/20
  IP is enabled
    hw_state[INGRESS] = not reduced, hw_state[EGRESS] = not reduced
    mcast = 0
    priority = 0
    flags = 0x4
    parent[INGRESS] = none
    inbound label: 36
      Feature PBR - Policy Based Routing:
        Route-Map : pbr
          Sequence 65536 Result: FM_RESULT_PERMIT
          Sequence 10 Result: FM_RESULT_ADJREDIRECT
          Sequence 65537 Result: FM_RESULT_PERMIT
      Feature IPV4
        Default Result Feature:
      Feature OTHER
        Default Result Feature:
[...]
R1#

The full output of "show fm interface Gi4/20" and "show fm fie interface Gi4/20" also seems to support this being hardware switched.

HTH

--
Peter

From TLusty at csnstores.com Tue Jan 19 13:04:18 2010
From: TLusty at csnstores.com (Tom Lusty)
Date: Tue, 19 Jan 2010 13:04:18 -0500
Subject: [c-nsp] ASA Failover without setting a Standby IP on an Interface
Message-ID:

Hey Everyone,

We're running a pair of ASAs on 8.2(1), and we only have one available IP in our external range, and we want to have 2 ASAs for redundancy. So I wanted to know what the possible ramifications are for not setting a standby IP for an interface. My understanding is that the Primary ASA's IP is used in all cases by both primary and secondary ASAs when active, and it's only the MAC address that will change if the secondary ASA happens to boot and become active before the primary. Which is fairly trivial, and can be avoided with a bit of planning, so I'm not worried about this.

So my thinking is that since all traffic is going to be directed to the Primary ASA's external IP, and whatever ASA happens to be active will be able to communicate on this IP, then it should be fine. And that the only thing I'm potentially losing is the ability to SSH/manage the secondary ASA from the external IP, which is completely fine in my situation. Is there another case that I'm missing?

For clarification the ASAs are connected with a dedicated crossover cable for failover and state information replication. So if an interface were to fail, the other ASA should (in theory) be notified via the failover connection.

Is this sound? Did I miss anything?
Thanks!
-Tom Lusty

From jshearer at amedisys.com Tue Jan 19 14:21:15 2010
From: jshearer at amedisys.com (Jason Shearer) Date: Tue, 19 Jan 2010 13:21:15 -0600 Subject: [c-nsp] ASA Failover without setting a Standby IP on an Interface In-Reply-To: References: Message-ID: Correct. Just for management. Jason -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Lusty
Sent: Tuesday, January 19, 2010 12:04 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA Failover without setting a Standby IP on an Interface

Hey Everyone,

We're running a pair of ASAs on 8.2(1), and we only have one available IP in our external range, and we want to have 2 ASAs for redundancy. So I wanted to know what the possible ramifications are for not setting a standby IP for an interface. My understanding is that the Primary ASA's IP is used in all cases by both primary and secondary ASAs when active, and it's only the MAC address that will change if the secondary ASA happens to boot and become active before the primary. Which is fairly trivial, and can be avoided with a bit of planning, so I'm not worried about this.

So my thinking is that since all traffic is going to be directed to the Primary ASA's external IP, and whatever ASA happens to be active will be able to communicate on this IP, then it should be fine. And that the only thing I'm potentially losing is the ability to SSH/manage the secondary ASA from the external IP, which is completely fine in my situation. Is there another case that I'm missing?

For clarification the ASAs are connected with a dedicated crossover cable for failover and state information replication. So if an interface were to fail, the other ASA should (in theory) be notified via the failover connection.

Is this sound? Did I miss anything?
Thanks!
-Tom Lusty
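The setup Tom describes, as an added example that is not from any post in this thread: one public address on the outside interface and no standby address there, the `no monitor-interface outside` command David White recommends further down the thread, and the two hardening points a security-minded operator adds to a failover pair. Interface names, addresses, the virtual MACs and the failover key are placeholders; the single usable public address is taken to be 203.0.113.2/29.

```cisco
! Added example, not from the thread. Interface names, addresses, MACs
! and the failover key are placeholders.
!
! Outside: the single usable public address. No "standby" keyword, so
! whichever unit is active answers on 203.0.113.2 and the standby unit has
! no address of its own on this segment (hence no management through it and
! no interface hellos on it).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Inside has spare addresses: give the standby one and keep it monitored.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! Failover and stateful failover share the dedicated crossover link. The
! active unit replicates its whole running configuration (credentials
! included) and connection state over it, in cleartext unless a failover
! key is set, so set the key and never put this link on a shared VLAN.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key <shared-secret>
!
! Pin the virtual MAC on outside so the address the upstream ARPs for does
! not change if the secondary boots and goes active before the primary.
failover mac address GigabitEthernet0/0 0200.0000.0001 0200.0000.0002
!
! Outside cannot take part in hello-based interface monitoring without a
! standby address, so disable monitoring there explicitly and keep it on
! inside.
no monitor-interface outside
monitor-interface inside
```

After enabling failover, `show failover` and `show monitor-interface` show which interfaces are monitored and in what state, so you can confirm that outside is listed as unmonitored and inside as normal before relying on the pair.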
From cm at n-home.ru Tue Jan 19 14:24:19 2010
From: cm at n-home.ru (Cyrill Malevanov)
Date: Tue, 19 Jan 2010 22:24:19 +0300
Subject: [c-nsp] cisco 6509 rommon mode
In-Reply-To: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com>
References: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com>
Message-ID: <4FCE9955-18ED-411D-A8FE-09F69E4280E4@n-home.ru>

Try to remove and reinstall all modules in the switch.

On Jan 19, 2010, at 1:58 PM, ambedkar wrote:

> Hi, I am using a Cisco 6509 switch. This switch has not been powered on for the last year; now, after switching it on, it goes into ROMMON mode.
>
>
> The following is the log:
>
> Currently running ROMMON from S (Gold) region
> Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin
> Module 1 port ASIC 0 failed: Pinnacle Packet Buffer Error
> Module 1 reported following ports unusable
> port 1 bad
> port 2 bad
> port 3 bad
> port 4 bad
> inband gmac link did not come up: reseting the system
> System Bootstrap, Version 7.1(1)
> Copyright (c) 1994-2001 by cisco Systems, Inc.
> c6k_sup2 processor with 262144 Kbytes of main memory
>
> Autoboot executing command: "boot bootflash:cat6000-sup2cvk9.8-3-2.bin"
>
> Self decompressing the image : ##############################################################################################################]
>
>
> System Power On Diagnostics
> DRAM Size ..........................256 MB
> Testing DRAM .......................Passed
> Verifying Text Segment .............Passed
> NVRAM Size .........................512 KB
> Level2 Cache .......................Present
> Level3 Cache .......................Present
> System Power On Diagnostics Complete.
>
> ---------------------------------------------------------
>
> I tried the following commands:
> 1. boot
> 2. boot bootflash:cat6000-sup2cvk9.8-3-2.bin
> 3. I thought the IOS image may be damaged, so I used XMODEM to upload an IOS image, but after some time it also fails.
>
> Please help me,
> Thanks. Bye
>

From mail4hh at pobox.com Tue Jan 19 14:30:32 2010
From: mail4hh at pobox.com (Hector Herrera)
Date: Tue, 19 Jan 2010 11:30:32 -0800
Subject: [c-nsp] Router recommendation for load balancing setup
Message-ID:

Hello,

I'm looking for a router that can:

- handle load-balancing on two 100Mbps links with minimal cpu impact
- must have at least 4 ports, at least 2 of which should be GigE and the other two must support FE or GigE
- BGP with 25,000 routes

My budget is small (under $2,000) so I'm probably looking for EOL/EOS products.

I'm currently using a 3550-12t for the task, with the only drawback that the cpu hits 99% load with a 5000 packets per sec./40Mbps combined throughput on the load-balanced links. The two 100Mbps uplinks never reach more than 50% utilization because the router can't handle the load.

I would like to be able to handle up to 80% utilization on the 100Mbps links.

Thank you for your suggestions,

Hector

From dwhitejr at cisco.com Tue Jan 19 14:51:38 2010
From: dwhitejr at cisco.com (David White, Jr. (dwhitejr))
Date: Tue, 19 Jan 2010 14:51:38 -0500
Subject: [c-nsp] ASA Failover without setting a Standby IP on an Interface
In-Reply-To:
References:
Message-ID: <4B560D4A.4020803@cisco.com>

Hi Tom,

If a standby IP is not assigned to the Outside interface, then that interface will not be able to participate in failover monitoring. Meaning, the two ASAs will not be able to exchange 'hellos' out that interface (as the Active unit will not have an IP to send the hello to on the Standby). Thus, if connectivity is lost between the two peers - due to something other than an ASA interface failure - then failover will not be able to react to it.

If you are only concerned with the ASA's outside interface failing, then this will still work (assuming the interface failure triggers the interface to transition to a down state), as the interface state will be exchanged with the peer on the failover LAN link.

If you choose to configure the ASAs this way, I would also suggest you manually disable failover monitoring on the outside interface using the command:

no monitor-interface outside

Sincerely,

David.

Tom Lusty wrote:
> Hey Everyone,
>
> We're running a pair of ASAs on 8.2(1), and we only have one available IP in our external range, and we want to have 2 ASAs for redundancy. So I wanted to know what the possible ramifications are for not setting a standby IP for an interface. My understanding is that the Primary ASA's IP is used in all cases by both primary and secondary ASAs when active, and it's only the MAC address that will change if the secondary ASA happens to boot and become active before the primary. Which is fairly trivial, and can be avoided with a bit of planning, so I'm not worried about this.
>
> So my thinking is that since all traffic is going to be directed to the Primary ASA's external IP, and whatever ASA happens to be active will be able to communicate on this IP, then it should be fine.
> And that the only thing I'm potentially losing is the ability to SSH/manage the secondary ASA from the external IP, which is completely fine in my situation. Is there another case that I'm missing?
>
> For clarification the ASAs are connected with a dedicated crossover cable for failover and state information replication. So if an interface were to fail, the other ASA should (in theory) be notified via the failover connection.
>
> Is this sound? Did I miss anything?
> Thanks!
> -Tom Lusty
>

From dwhitejr at cisco.com Tue Jan 19 15:05:27 2010
From: dwhitejr at cisco.com (David White, Jr. (dwhitejr))
Date: Tue, 19 Jan 2010 15:05:27 -0500
Subject: [c-nsp] ASA 7.2 Interim Releases
In-Reply-To:
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <4B55F893.20307@cisco.com>
Message-ID: <4B561087.8070203@cisco.com>

Answered off-line.

Sincerely,

David.

Antonio Soares wrote:
> I know that 7.2.4(43) is a good release, so for me getting the list of bugs corrected in 7.2.4(44) would be enough. Can you provide
> that information? I know that I can open a TAC case, but there is a thing called Shared Support Metrics... :)
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
> Sent: Tuesday, 19 January 2010 18:23
> To: Antonio Soares
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA 7.2 Interim Releases
>
> Hi Antonio,
>
> 7.2(4.44) is the latest. But you need a TAC case to get it, and an
> associated bug that you are running into which would be resolved by
> running 7.2(4.44).
>
> Sincerely,
>
> David.
>
> Antonio Soares wrote:
>
>> Hello group,
>>
>> I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would
>> like to know if there is something more recent available.
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>
>

From sethm at rollernet.us Tue Jan 19 15:11:16 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 19 Jan 2010 12:11:16 -0800
Subject: [c-nsp] Disabling SNMP for certain BGP neighbors
Message-ID: <4B5611E4.3010600@rollernet.us>

Is there any way to disable SNMP traps for a subset of BGP neighbors like there is for interfaces? I have a couple BGP sessions that are of "don't care" priority and they don't need to send traps when they flap (although rarely, it's always when I'm sleeping).

~Seth

From mhuff at ox.com Tue Jan 19 15:17:26 2010
From: mhuff at ox.com (Matthew Huff)
Date: Tue, 19 Jan 2010 15:17:26 -0500
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com>

Other than stackwise on the 3750-E, I haven't been able to discern a whole lot of differences between the two switches. Since the 3750-E is about 2 x the price of a similar 3560-E, I want to make sure I'm not missing anything. Does anyone know of any literature that compares the two? Anyone have any war stories?

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From A.L.M.Buxey at lboro.ac.uk Tue Jan 19 16:47:42 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 19 Jan 2010 21:47:42 +0000
Subject: [c-nsp] cisco 6509 rommon mode
In-Reply-To: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com>
References: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com>
Message-ID: <20100119214742.GB17973@lboro.ac.uk>

hi,

rust, moisture, corrosion, dust? I'd have a good look at each module and component.

alan

From peter at rathlev.dk Tue Jan 19 17:01:14 2010
From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 19 Jan 2010 23:01:14 +0100 Subject: [c-nsp] Differences between 3750-E and 3560-E switches In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> Message-ID: <1263938474.14083.6.camel@localhost> On Tue, 2010-01-19 at 15:17 -0500, Matthew Huff wrote: > Other than stackwise on the 3750-E, I haven't been able to discern a > whole lot of differences between the two switches. Since the 3750-E is > about 2 x the price of a similar 3560-E, I want to make sure I'm not > missing anything. Does anyone know of any literature that compares the > two? Anyone have any war stories? I also can't tell the difference. We've been using pairs of 3560E's as replacement for stacked pairs of 3750G's (non-E) and are very happy about that. They have almost the exact same specs according to the data sheets[0] apart from the stacking thing. And in my eyes it's wrong to pay for specific "low availability" features. ;-) -- Peter [0]: Links to data sheets for the two models: Cisco Catalyst 3560-E Series Switches http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7078/product_data_sheet0900aecd805bac22.html Cisco Catalyst 3750-E Series Switches Data Sheet http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7077/product_data_sheet0900aecd805bbe67.html From tvarriale at comcast.net Tue Jan 19 17:07:22 2010 From: tvarriale at comcast.net (Tony Varriale) Date: Tue, 19 Jan 2010 16:07:22 -0600 Subject: [c-nsp] Differences between 3750-E and 3560-E switches References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> <1263938474.14083.6.camel@localhost> Message-ID: <7170A47732B94D738DBA429264E0F5AA@flamdt01> ----- Original Message ----- 
From: "Peter Rathlev"
To: "Matthew Huff"
Cc:
Sent: Tuesday, January 19, 2010 4:01 PM
Subject: Re: [c-nsp] Differences between 3750-E and 3560-E switches

> On Tue, 2010-01-19 at 15:17 -0500, Matthew Huff wrote:
>> Other than stackwise on the 3750-E, I haven't been able to discern a
>> whole lot of differences between the two switches. Since the 3750-E is
>> about 2 x the price of a similar 3560-E, I want to make sure I'm not
>> missing anything. Does anyone know of any literature that compares the
>> two?

I don't, but they are the same switches other than the StackWise.

>> Anyone have any war stories?

Yes, but there are many long stories. The best advice I could offer is to understand how StackWise really works and understand packet flow. This was more of an issue for the non-E. The Es are fine.

tv

From mhuff at ox.com Tue Jan 19 17:11:22 2010
From: mhuff at ox.com (Matthew Huff)
Date: Tue, 19 Jan 2010 17:11:22 -0500
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To: <1263938474.14083.6.camel@localhost>
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> <1263938474.14083.6.camel@localhost>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F600@PUR-EXCH07.ox.com>

> I also can't tell the difference. We've been using pairs of 3560E's as
> replacement for stacked pairs of 3750G's (non-E) and are very happy
> about that.
>
> They have almost the exact same specs according to the data sheets[0]
> apart from the stacking thing. And in my eyes it's wrong to pay for
> specific "low availability" features. ;-)
>
> --
> Peter

I've read through the data sheets, and I also can't see any significant differences. I was wondering if there were some hardware differences (like CAM table size, ethernet input/output buffer sizes), etc...

From manisridhar at gmail.com Tue Jan 19 17:29:50 2010
From: manisridhar at gmail.com (Sridhar) Date: Tue, 19 Jan 2010 14:29:50 -0800 Subject: [c-nsp] OSPFv3 as PE-CE protocol for 6VPE on IOS-XR ? Message-ID: Hello! Is OSPFv3 supported as a PE-CE protocol for 6VPE on IOS-XR? The Cisco IOS-XR MPLS config guide only specifies BGP as the PE-CE protocol, and I haven't been able to configure a VRF under OSPFv3. thanks sridhar From cwu at ffn.com Tue Jan 19 17:34:55 2010 From: cwu at ffn.com (Minzhi (Catherine) Wu) Date: Tue, 19 Jan 2010 14:34:55 -0800 Subject: [c-nsp] OSPFv3 as PE-CE protocol for 6VPE on IOS-XR ? In-Reply-To: References: Message-ID: <30B3DF511CEC5C4DAE4D0D29050475341B1C80A1B1@AAA.pmgi.local> Only BGP and Static are supported for 6VPE per Cisco. -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sridhar
Sent: Tuesday, January 19, 2010 2:30 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OSPFv3 as PE-CE protocol for 6VPE on IOS-XR ?

Hello!

Is OSPFv3 supported as a PE-CE protocol for 6VPE on IOS-XR? The Cisco IOS-XR MPLS config guide only specifies BGP as the PE-CE protocol, and I haven't been able to configure a VRF under OSPFv3.

thanks
sridhar

From cm at n-home.ru Tue Jan 19 18:48:51 2010
From: cm at n-home.ru (Cyrill Malevanov) Date: Wed, 20 Jan 2010 02:48:51 +0300 Subject: [c-nsp] Router recommendation for load balancing setup In-Reply-To: References: Message-ID: <2DD4F8A9-2F58-46C6-9875-7B1521A2D99C@n-home.ru> If you reduce the number of BGP routes to 12000 your 3550-12T will handle two GigE uplinks with no CPU impact. Just use the correct SDM template. On Jan 19, 2010, at 10:30 PM, Hector Herrera wrote: > Hello, > > I'm looking for a router that can: > > - handle load-balancing on two 100Mbps links with minimal cpu impact > - must have at least 4 ports, at least 2 of which should be GigE and > the other two must support FE or GigE > - BGP with 25,000 routes > > My budget is small (under $2,000) so I'm probably looking for EOL/EOS products. > > I'm currently using a 3550-12t for the task, with the only drawback > that the cpu hits 99% load with a 5000 packets per sec./40Mbps > combined throughput on the load-balanced links. The two 100Mbps > uplinks never reach more than 50% utilization because the router can't > handle the load. > > I would like to be able to handle up to 80% utilization on the 100Mbps links. > > Thank you for your suggestions, > > Hector > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From scottowens12 at gmail.com Tue Jan 19 19:01:52 2010 From: scottowens12 at gmail.com (scott owens) Date: Tue, 19 Jan 2010 18:01:52 -0600 Subject: [c-nsp] Router recommendation for load balancing setup Message-ID: > > > Message: 2 > Date: Tue, 19 Jan 2010 11:30:32 -0800 
> From: Hector Herrera
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Router recommendation for load balancing setup
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> I'm looking for a router that can:
>
> - handle load-balancing on two 100Mbps links with minimal cpu impact
> - must have at least 4 ports, at least 2 of which should be GigE and
> the other two must support FE or GigE
> - BGP with 25,000 routes
>
> My budget is small (under $2,000) so I'm probably looking for EOL/EOS
> products.
>
> I'm currently using a 3550-12t for the task, with the only drawback
> that the cpu hits 99% load with a 5000 packets per sec./40Mbps
> combined throughput on the load-balanced links. The two 100Mbps
> uplinks never reach more than 50% utilization because the router can't
> handle the load.
>
> I would like to be able to handle up to 80% utilization on the 100Mbps
> links.
>
> Thank you for your suggestions,
>
> Hector
>
>

7206 w/ NPE400?

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Platform      Process Switching      Fast/CEF Switching     EOS?
              PPS       Mbps         PPS        Mbps
7500-RSP8     22,000    11.264       470,000    240.64      15-Dec-07
7500-RSP16    29,000    14.848       530,000    271.36      15-Dec-07
7200-NPE300   20,000    10.24        353,000    180.74      31-Dec-01
7200-NPE400   20,000    10.24        420,000    215.04      No

I might have one or two 7206s (if I can add that) for a fair price.

From cordmacleod at gmail.com Tue Jan 19 19:15:40 2010
From: cordmacleod at gmail.com (Cord MacLeod) Date: Tue, 19 Jan 2010 16:15:40 -0800 Subject: [c-nsp] Router recommendation for load balancing setup In-Reply-To: <2DD4F8A9-2F58-46C6-9875-7B1521A2D99C@n-home.ru> References: <2DD4F8A9-2F58-46C6-9875-7B1521A2D99C@n-home.ru> Message-ID: <5268B0D2-3855-41C0-9D49-B6E9EFF78114@gmail.com> On Jan 19, 2010, at 3:48 PM, Cyrill Malevanov wrote: > If you reduce the number of BGP routes to 12000 your 3550-12T will handle two GigE uplinks with no CPU impact. Just use the correct SDM template. Seconded. I use 3550s in my network. 24k is the maximum unicast route table limit that Cisco publishes, this is why your router is falling over. If possible aggregate the routes. > > On Jan 19, 2010, at 10:30 PM, Hector Herrera wrote: > >> Hello, >> >> I'm looking for a router that can: >> >> - handle load-balancing on two 100Mbps links with minimal cpu impact >> - must have at least 4 ports, at least 2 of which should be GigE and >> the other two must support FE or GigE >> - BGP with 25,000 routes >> >> My budget is small (under $2,000) so I'm probably looking for EOL/EOS products. >> >> I'm currently using a 3550-12t for the task, with the only drawback >> that the cpu hits 99% load with a 5000 packets per sec./40Mbps >> combined throughput on the load-balanced links. The two 100Mbps >> uplinks never reach more than 50% utilization because the router can't >> handle the load. >> >> I would like to be able to handle up to 80% utilization on the 100Mbps links. 
>>
>> Thank you for your suggestions,
>>
>> Hector
>

From dsinn at dsinn.com Tue Jan 19 19:18:51 2010
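Cyrill's and Cord's suggestion in the two replies above (fewer routes in the table and the right SDM template), as an added example that is not from any post in the thread: the template change, an inbound filter that keeps the table small enough to stay in hardware, and a guard rail that tells you when an upstream pushes more than planned. The local and upstream AS numbers, the neighbor address and the 12000 figure (Cyrill's number) are placeholders, and the upstream is assumed to send a default route.

```cisco
! Added example, not from the thread. AS numbers, the neighbor address and
! the 12000 prefix figure are placeholders.
!
! 1. See which SDM template is active and how many unicast routes it allows.
Switch# show sdm prefer
!
! 2. Select the routing template. It only takes effect after a reload, so
!    schedule one in a maintenance window.
Switch# configure terminal
Switch(config)# sdm prefer routing
Switch(config)# end
Switch# write memory
Switch# reload
!
! 3. Paste in configuration mode after the reload. Accept only a default
!    route and the upstream's own customer cone (AS paths that start with
!    the upstream AS and carry at most one more AS); everything else is
!    dropped before it reaches the RIB, so the table stays under the
!    template's unicast route capacity and keeps being forwarded in hardware
!    instead of spilling to the CPU, which is the 99% load Hector describes.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
ip as-path access-list 10 permit ^64496_[0-9]*$
!
route-map UPSTREAM-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
!
route-map UPSTREAM-IN permit 20
 match as-path 10
!
router bgp 65000
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description upstream-A
 neighbor 192.0.2.1 route-map UPSTREAM-IN in
 ! Guard rail: log at 90% of the limit and above it, rather than letting a
 ! leak from the upstream silently overflow the TCAM. "warning-only" keeps
 ! the session up; remove it to have the session torn down instead.
 neighbor 192.0.2.1 maximum-prefix 12000 90 warning-only
!
! 4. Confirm the route count, what each neighbor sends, and the CPU.
Switch# show ip route summary
Switch# show ip bgp summary
Switch# show processes cpu
```

The route-map has no explicit deny clause because a route-map applied with `in` drops anything that matches no permit clause; the as-path regex `^64496_[0-9]*$` matches both the upstream's own originations and its directly attached customers. Whether 12000 is the right ceiling depends on the capacity `show sdm prefer` reports for the routing template on your code version.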
From: dsinn at dsinn.com (David Sinn) Date: Tue, 19 Jan 2010 16:18:51 -0800 Subject: [c-nsp] Hardware PBR on Sup720/PFC3BXL In-Reply-To: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com> References: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com> Message-ID: I've not done VRF Select PBR myself, but it would appear that it was first integrated in 12.2(33)SXH1, so you could be running into a bug, or not totally following the implementation guide as it would appear that you need to give a next hop when using the "set vrf [instance]" term in the route-map: http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_mltvrf_slct_pbr.html Hope that helps! David On Jan 18, 2010, at 4:14 AM, Robert Hass wrote: > Hi > > I have to implement some Policy-Based Routing (PBR) route-map's on few > Catalyst 6500. We currently using Sup720/PFC3BXL with IOS > 12.2(33)SXH6, but we can migrate to SXI if it helps. Are below PBR > route-map's are supported in hardware on PFC3B/DFC3B ? > > route-map pbr2 permit 10 > set global > ! > route-map pbr permit 10 > match ip address 160 > set vrf r2 > ! > access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 780 > access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 782 > access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 787 > access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 790 > access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 796 > access-list 160 permit tcp any x.x.0.0 0.0.255.255 range 50000 51000 > > Thanks > Robert > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tvarriale at comcast.net Tue Jan 19 23:10:55 2010 
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 19 Jan 2010 22:10:55 -0600
Subject: [c-nsp] ASA 7.2 Interim Releases
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt><5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local>
Message-ID:

With engineering code that hasn't had 1 ounce of regression testing?

tv

----- Original Message -----
From: "Antonio Soares"
To: "'Tony Varriale'" ;
Sent: Tuesday, January 19, 2010 9:28 AM
Subject: RE: [c-nsp] ASA 7.2 Interim Releases

Basically because I have customers that want to be always up to date.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, 19 January 2010 4:09
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

Would you clarify why you need something more recent? There's tons of code where your bug is fixed, including (43) that you state you have.

tv

----- Original Message -----
From: "Antonio Soares"
To: "'Ryan West'" ;
Sent: Monday, January 18, 2010 11:46 AM
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

> Hello Ryan,
>
> It was because of Bug CSCsv25041. I think you are safe.
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Ryan West [mailto:rwest at zyedge.com] > Sent: Monday, 18 January 2010 17:21 > To: Antonio Soares; cisco-nsp at puck.nether.net > Subject: RE: [c-nsp] ASA 7.2 Interim Releases > > Antonio, > > >> -----Original Message----- >> Sent: Monday, January 18, 2010 12:10 PM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] ASA 7.2 Interim Releases >> >> Hello group, >> >> I see that the latest 7.2 interim release available on CCO is >> 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would >> like to know if there is something more recent available. >> >> >> Thanks. >> >> Regards, >> >> Antonio Soares, CCIE #18473 (R&S/SP) >> amsoares at netcabo.pt >> > > I have a lot of boxes with 7.2.4(33) and that is the latest publicly > available interim release. I expect that a 7.2.5 release is in > the works though. What was the cause for your TAC case? > > Thanks, > > -ryan From lists at hojmark.org Wed Jan 20 01:13:03 2010 From: lists at hojmark.org (Asbjorn Hojmark - Lists) Date: Wed, 20 Jan 2010 07:13:03 +0100 Subject: [c-nsp] Differences between 3750-E and 3560-E switches In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> Message-ID: On Tue, 19 Jan 2010 15:17:26 -0500, you wrote: > Other than stackwise on the 3750-E, I haven't been able to discern a > whole lot of differences between the two switches. That *is* the only difference. -A From chris.garzon at gmail.com Wed Jan 20 02:22:04 2010 
From: chris.garzon at gmail.com (Dracul) Date: Wed, 20 Jan 2010 15:22:04 +0800 Subject: [c-nsp] on Bogons and default bgp routes Message-ID: <876789291001192322t1c6c1062o2c3038c1a1628517@mail.gmail.com> Hi list, I have several BGP networks that only use default routes from a couple of ISPs. Is it necessary for us to implement bogon lists, or should we just leave it up to our upstreams? Although we put in the basic martian list, we don't have full routes implemented as we only use BGP for redundancy purposes. thanks! chris From p_ambedkar at rediffmail.com Wed Jan 20 02:11:39 2010 
From: p_ambedkar at rediffmail.com (ambedkar ) Date: 20 Jan 2010 07:11:39 -0000 Subject: [c-nsp] cisco 6509 rommon mode Message-ID: <20100120071139.983.qmail@f4mail206.rediffmail.com> Hi, I cleaned the modules of the 6509 and reinstalled them; it shows: inband gmac link did not come up: reseting the system System Bootstrap, Version 7.1(1) Copyright (c) 1994-2001 by cisco Systems, Inc. c6k_sup2 processor with 262144 Kbytes of main memory Autoboot executing command: "boot bootflash:" Self decompressing the image : ##############################################################################################################] System Power On Diagnostics DRAM Size ..........................256 MB Testing DRAM .......................Passed Verifying Text Segment .............Passed NVRAM Size .........................512 KB Level2 Cache .......................Present Level3 Cache .......................Present System Power On Diagnostics Complete Currently running ROMMON from S (Gold) region Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin System Bootstrap, Version 7.1(1) Copyright (c) 1994-2001 by cisco Systems, Inc. Warning: Rommon NVRAM area is corrupted. Initialize the area to default values c6k_sup2 processor with 262144 Kbytes of main memory Autoboot: failed, BOOT string is empty rommon 1 > rommon 1 > After this, if I execute the BOOT command, it shows the old log again, as below. thanks, bye. ------------------------------------------------------------------------ Hi, I am using a Cisco 6509 switch. This switch has not been powered on for the last year; now, after switching it on, it goes into ROMMON mode. 
The following is the log: Currently running ROMMON from S (Gold) region Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin Module 1 port ASIC 0 failed: Pinnacle Packet Buffer Error Module 1 reported following ports unusable port 1 bad port 2 bad port 3 bad port 4 bad inband gmac link did not come up: reseting the system System Bootstrap, Version 7.1(1) Copyright (c) 1994-2001 by cisco Systems, Inc. c6k_sup2 processor with 262144 Kbytes of main memory Autoboot executing command: "boot bootflash:cat6000-sup2cvk9.8-3-2.bin" Self decompressing the image : ##############################################################################################################] System Power On Diagnostics DRAM Size ..........................256 MB Testing DRAM .......................Passed Verifying Text Segment .............Passed NVRAM Size .........................512 KB Level2 Cache .......................Present Level3 Cache .......................Present System Power On Diagnostics Complete. --------------------------------------------------------- I tried the following commands: 1. boot 2. boot bootflash:cat6000-sup2cvk9.8-3-2.bin 3. I thought the IOS image may be damaged, so I used XMODEM to upload an IOS image, but after some time that also fails. Please help me. Thanks, bye. From soonkian.wong at gmail.com Wed Jan 20 04:09:16 2010 From: soonkian.wong at gmail.com (Soon Kian) Date: Wed, 20 Jan 2010 17:09:16 +0800 Subject: [c-nsp] IOS Recommendations for Voice Application Message-ID: <371cac6a1001200109u730efaefl6e1a8f5f0726392e@mail.gmail.com> Dear All, Any recommendations for a stable *IOS* supporting Voice application on Cisco2811 and 3845 Thanks in advance! From simon at pitwood.org Wed Jan 20 05:18:23 2010 
From: simon at pitwood.org (simon at pitwood.org) Date: Wed, 20 Jan 2010 10:18:23 -0000 (GMT) Subject: [c-nsp] IOS Recommendations for Voice Application In-Reply-To: <371cac6a1001200109u730efaefl6e1a8f5f0726392e@mail.gmail.com> References: <371cac6a1001200109u730efaefl6e1a8f5f0726392e@mail.gmail.com> Message-ID: <8522.193.42.252.4.1263982703.squirrel@webmail.daily.co.uk> You can try this, it should answer some questions. http://www.ciscosystems.com/en/US/products/hw/routers/ps259/products_tech_note09186a00800e73f6.shtml Regards Simon Dear All, Any recommendations for a stable *IOS* supporting Voice application on Cisco2811 and 3845 Thanks in advance! From amsoares at netcabo.pt Wed Jan 20 06:09:57 2010 From: amsoares at netcabo.pt (Antonio Soares) Date: Wed, 20 Jan 2010 11:09:57 -0000 Subject: [c-nsp] ASA 7.2 Interim Releases In-Reply-To: References: <61653F59D5844000AF55C5528E048F23@int.convex.pt><5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local> Message-ID: <0EC3BC41F5BB4B858067E811C4F29A57@int.convex.pt> Some prefer to take that risk instead of being exposed to some security holes. Sometimes the only alternative is to make a major upgrade, which is not necessarily a good thing. Regards, Antonio Soares, CCIE #18473 (R&S/SP) amsoares at netcabo.pt -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale Sent: Wednesday, 20 January 2010 4:11 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ASA 7.2 Interim Releases With engineering code that hasn't had 1 ounce of regression testing? tv From vijaygore27 at gmail.com Wed Jan 20 06:30:59 2010 From: vijaygore27 at gmail.com (vijay gore) Date: Wed, 20 Jan 2010 17:00:59 +0530 Subject: [c-nsp] Fiber converter Message-ID: <31533f201001200330w5247458bx81fb2fdc2e4e2755@mail.gmail.com> Dear all, types of fiber converters? From gert at greenie.muc.de Wed Jan 20 07:38:36 2010 
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 20 Jan 2010 13:38:36 +0100 Subject: [c-nsp] Router recommendation for load balancing setup In-Reply-To: References: Message-ID: <20100120123836.GK857@greenie.muc.de> Hi, On Tue, Jan 19, 2010 at 11:30:32AM -0800, Hector Herrera wrote: > I'm currently using a 3550-12t for the task, with the only drawback > that the cpu hits 99% load with a 5000 packets per sec./40Mbps > combined throughput on the load-balanced links. The two 100Mbps > uplinks never reach more than 50% utilization because the router can't > handle the load. "something is seriously wrong there" - a 3550 should never see CPU load, even with all ports running at full speed, as the packets are forwarded in hardware (nb: don't call a 3550 a "router"...). Now, there are situations where the CPU needs to touch the packets, and then the performance goes seriously down the drain... As for "why is it CPU-switching the packets", I don't have much expertise with the 3550s - usually it's some feature (ICMP redirects, packets going in and out over the same interface, too many routes for TCAM, ...) that kills hardware forwarding. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From scottowens12 at gmail.com Wed Jan 20 08:19:27 2010 From: scottowens12 at gmail.com (scott owens) Date: Wed, 20 Jan 2010 07:19:27 -0600 Subject: [c-nsp] Differences between 3750-E and 3560-E switches Message-ID: > > Message: 1 > Date: Tue, 19 Jan 2010 17:11:22 -0500 
> From: Matthew Huff > To: "'Peter Rathlev'" > Cc: "'cisco-nsp at puck.nether.net'" > Subject: Re: [c-nsp] Differences between 3750-E and 3560-E switches > Message-ID: > <483E6B0272B0284BA86D7596C40D29F9E2BC79F600 at PUR-EXCH07.ox.com> > Content-Type: text/plain; charset="utf-8" > > > I also can't tell the difference. We've been using pairs of 3560E's as > > replacement for stacked pairs of 3750G's (non-E) and are very happy > > about that. > > > > They have almost the exact same specs according to the data sheets[0] > > apart from the stacking thing. And in my eyes it's wrong to pay for > > specific "low availability" features. ;-) > > > > -- > > Peter > > > I've read through the data sheets, and I also can't see any significant > differences. I was wondering if there were some hardware differences (like > CAM table size, ethernet input/output buffer sizes), etc... > > That stacking feature IS the cool thing. If you don't need it, skip it; maybe even look at the 295x or 296x platform unless you possibly need POE as well - the "2"s don't support it. But the ability to team/etherchannel servers via LACP and use BOTH teamed links at the same time instead of single links due to spanning-tree blocking is a great thing. It is one reason GLBP is not available on the 3750s - it's not needed to get load balanced routing either. Just think of the 3750s as baby VSS-6500s or Nexus 7Ks :) From steve at ibctech.ca Wed Jan 20 08:22:10 2010 
From: steve at ibctech.ca (Steve Bertrand) Date: Wed, 20 Jan 2010 08:22:10 -0500 Subject: [c-nsp] on Bogons and default bgp routes In-Reply-To: <876789291001192322t1c6c1062o2c3038c1a1628517@mail.gmail.com> References: <876789291001192322t1c6c1062o2c3038c1a1628517@mail.gmail.com> Message-ID: <4B570382.9090502@ibctech.ca> Dracul wrote: > Hi list, > > i have several BGP networks that only use default routes from a couple of > ISPs. Is it necessary for us to implement bogon lists or just > leave it up to our upstreams? Although we put the basic martian list, we > don't have fullroutes implemented as we only use bgp for redundancy > purposes. Don't trust what your upstreams may or may not be doing. If you configure your network with BOGON lists, you can block that traffic inbound at your edge, and more importantly, rest assured that you won't expend resources on other networks if they don't happen to filter. Team Cymru has an easy-to-set-up BGP peering route-server to keep up to date automatically: http://www.team-cymru.org/Services/Bogons/routeserver.html Steve From rwest at zyedge.com Wed Jan 20 08:31:31 2010 From: rwest at zyedge.com (Ryan West) Date: Wed, 20 Jan 2010 13:31:31 +0000 Subject: [c-nsp] Differences between 3750-E and 3560-E switches In-Reply-To: References: Message-ID: <5DC4853C6CC3EE4788779E0726E034DD0ACE7C@zy-ex1.zyedge.local> Scott, > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Differences between 3750-E and 3560-E switches > > maybe even look at the 295x or 296x platform unless you possibly need > POE as > well - the "2"s don't support it. Maybe you were thinking of routing capabilities? Several of the 2 series lines have PoE models. http://www.cisco.com/en/US/products/ps6406/prod_models_comparison.html -ryan From eng_mssk at hotmail.com Wed Jan 20 09:19:09 2010 
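Steve's point above about not trusting what your upstreams may or may not be filtering: the inbound edge filter he describes, as an added example that is not part of the thread. It assumes a constructed, illustrative prefix list (the well-known IANA special-purpose ranges), constructed sample flows and hypothetical function names; a live deployment would take its list from a maintained feed such as the Team Cymru service linked in his message, since unallocated space changes over time.

```python
"""Added example (not from the thread): classify traffic sources against a
bogon/martian list and emit the matching Cisco IOS ingress ACL. The prefix
list and sample flows are constructed for this demo."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed bogon list: IANA special-purpose IPv4 ranges that should never
# appear as a source on an Internet-facing edge. Deliberately static and
# incomplete; unallocated space must come from a live, maintained feed.
BOGONS: Dict[str, str] = {
    "0.0.0.0/8": "this network",
    "10.0.0.0/8": "RFC 1918 private",
    "100.64.0.0/10": "shared address space (RFC 6598)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link local",
    "172.16.0.0/12": "RFC 1918 private",
    "192.0.0.0/24": "IETF protocol assignments",
    "192.0.2.0/24": "TEST-NET-1",
    "192.168.0.0/16": "RFC 1918 private",
    "198.18.0.0/15": "benchmarking",
    "198.51.100.0/24": "TEST-NET-2",
    "203.0.113.0/24": "TEST-NET-3",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved / broadcast",
}


def load_bogons(table: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """Parse the prefix strings once; strict=True rejects host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in table]


def classify_source(addr: str, nets: List[ipaddress.IPv4Network]) -> str:
    """Return the bogon prefix covering addr, or '' if it is routable space.
    Longest-prefix match, so a /24 inside a covering /8 reports the /24."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in nets if ip in n]
    if not hits:
        return ""
    return str(max(hits, key=lambda n: n.prefixlen))


def ios_acl_lines(acl: str, nets: List[ipaddress.IPv4Network],
                  permit_rest: bool = True) -> List[str]:
    """Render an extended IOS ACL that drops bogon sources inbound.
    IOS wants wildcard masks (inverted netmask), which ipaddress exposes
    as hostmask, so 10.0.0.0/8 becomes '10.0.0.0 0.255.255.255'."""
    lines = [f"ip access-list extended {acl}"]
    for n in sorted(nets, key=lambda n: int(n.network_address)):
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    if permit_rest:
        lines.append(" permit ip any any")
    return lines


def filter_flows(flows: List[Tuple[str, str]],
                 nets: List[ipaddress.IPv4Network]):
    """Split constructed (src, dst) pairs into dropped and forwarded lists,
    the same decision the ACL above makes at the edge."""
    dropped, forwarded = [], []
    for src, dst in flows:
        (dropped if classify_source(src, nets) else forwarded).append((src, dst))
    return dropped, forwarded


if __name__ == "__main__":
    nets = load_bogons(BOGONS)
    # Constructed sample flows; 8.8.8.8 is used only as a well-known
    # routable address, not as an endorsement of any target.
    sample = [("10.1.2.3", "8.8.8.8"),      # private source: drop
              ("192.0.2.44", "8.8.8.8"),    # TEST-NET-1 source: drop
              ("8.8.8.8", "10.1.2.3")]      # routable source: forward
    dropped, forwarded = filter_flows(sample, nets)
    print(f"dropped {len(dropped)}, forwarded {len(forwarded)}")
    print("\n".join(ios_acl_lines("BOGON-IN", nets)))
```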
From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Wed, 20 Jan 2010 16:19:09 +0200 Subject: [c-nsp] ip route cache flow Message-ID: Hi all, I have a Metro Ethernet 3750. I want to enable cache flow in order to monitor some traffic on our leased line customers. Under the VLAN interface I enabled ip route-cache flow, but nothing appeared, even when I enabled ip cef accounting non-recursive. From rdobbins at arbor.net Wed Jan 20 09:19:17 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 20 Jan 2010 14:19:17 +0000 Subject: [c-nsp] 2009 Worldwide Infrastructure Security Report available for download. Message-ID: <4B52BF03-CB71-4C59-A50B-B4117CB7B53F@arbor.net> [Apologies for any duplication if you've seen this notification on other lists.] We've just posted the 2009 Worldwide Infrastructure Security Report for download at this URL: This year's WWISR is based upon the broadest set of survey data collected by Arbor to date, with the number of respondents doubling from 66 to 132, and much greater input from non-USA/non-EMEA, regional providers. The WWISR is based upon input from the global operational community, and as such, is unique in its focus on the operational security aspects of public-facing networks. Many of you contributed to the survey which forms the foundation of the report; as always, we're grateful for your insight and participation, and welcome your feedback and comments. Thanks much! ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From rdobbins at arbor.net Wed Jan 20 09:31:25 2010 
From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 20 Jan 2010 14:31:25 +0000 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID: <560C86A5-E14D-4964-A951-3993D2B8C0E0@arbor.net> On Jan 20, 2010, at 9:19 PM, Mohammad Khalil wrote: > but nothing appeard even when i enabled ip cef accounting non-recursive I don't think 3750s support NetFlow. Also, that's the old syntax; the new syntax is ip flow ingress/egress on newer platforms/trains/revisions, FYI. ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From dwcarder at wisc.edu Wed Jan 20 10:13:48 2010 From: dwcarder at wisc.edu (Dale W. Carder) Date: Wed, 20 Jan 2010 09:13:48 -0600 Subject: [c-nsp] Fiber converter In-Reply-To: <31533f201001200330w5247458bx81fb2fdc2e4e2755@mail.gmail.com> References: <31533f201001200330w5247458bx81fb2fdc2e4e2755@mail.gmail.com> Message-ID: On Jan 20, 2010, at 5:30 AM, vijay gore wrote: > dear all. > > types of fiber converters ???? Hi Vijay, Here are some links that describe common 1G modules: http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet09186a008014cb5e.html Dale From Jeff.Wojciechowski at midlandpaper.com Wed Jan 20 10:37:42 2010 From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski) Date: Wed, 20 Jan 2010 09:37:42 -0600 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID: Our WS-C3750G-48TS don't support NetFlow. The only points on our network that we can monitor NetFlow are at router interfaces and I am pretty sure that you need a chassis based switch before NetFlow is supported (someone please correct me if I am wrong). -Jeff -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Wednesday, January 20, 2010 8:19 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] ip route cache flow hi all i have metro ethernet 3750 i want to enable cache flow in order to monitor some traffic on our leased line customers i enabled under the vlan interface ip route-cache flow but nothing appeared even when i enabled ip cef accounting non-recursive From geoff at pendery.net Wed Jan 20 10:47:00 2010 From: geoff at pendery.net (Geoffrey Pendery) Date: Wed, 20 Jan 2010 09:47:00 -0600 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID: That's correct. I believe that NONE of the fixed switches support Netflow, even the 4900s, which are basically fixed form 4500's. Amongst the 4500's, only the Sup V 10 GE supports it natively, though there is a daughter card you can buy to support it on the regular Sup V (IIRC). Sup 6E does not. On 6500, both Sup 32 and Sup 720 support it, as do all the "proper routers" (ISR, ASR, etc) -Geoff On Wed, Jan 20, 2010 at 9:37 AM, Jeff Wojciechowski wrote: > Our WS-C3750G-48TS don't support NetFlow. The only points on our network that we can monitor NetFlow are at router interfaces and I am pretty sure that you need a chassis based switch before NetFlow is supported (someone please correct me if I am wrong). > > -Jeff > > -----Original Message----- 
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Wednesday, January 20, 2010 8:19 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ip route cache flow > > > hi all i have metro ethernet 3750 > i want to enable cache flow in order to monitor some traffic on our leased line customers > > > i enabled under the vlan interface > ip route-cache flow > > but nothing appeared even when i enabled ip cef accounting non-recursive > From andrew.gabriel at sanmina-sci.com Wed Jan 20 10:51:40 2010 
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel) Date: Wed, 20 Jan 2010 21:21:40 +0530 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID: NetFlow is only supported on the 4500 with the newer Supervisor Engines, and on the 6500 platform. Regards, Andrew Gabriel. Network Engineer, Enterprise Data Services. +91 44 42 22 88 75 (Direct) +91 98 41 41 40 19 (Mobile) www.sanmina-sci.com Sanmina-SCI India Pvt. Ltd. A51, 2nd Avenue, Anna Nagar, Chennai - 600 102, INDIA. On Wed, Jan 20, 2010 at 9:07 PM, Jeff Wojciechowski < Jeff.Wojciechowski at midlandpaper.com> wrote: > Our WS-C3750G-48TS don't support NetFlow. The only points on our network > that we can monitor NetFlow are at router interfaces and I am pretty sure > that you need a chassis based switch before NetFlow is supported (someone > please correct me if I am wrong). > > -Jeff > > -----Original Message----- 
> From: cisco-nsp-bounces at puck.nether.net [mailto: > cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Wednesday, January 20, 2010 8:19 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ip route cache flow > > > hi all i have metro ethernet 3750 > i want to enable cache flow in order to monitor some traffic on our leased > line customers > > > i enabled under the vlan interface > ip route-cache flow > > but nothing appeared even when i enabled ip cef accounting non-recursive > From eng_mssk at hotmail.com Wed Jan 20 10:57:45 2010 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Wed, 20 Jan 2010 17:57:45 +0200 Subject: [c-nsp] ip route cache flow In-Reply-To: References: , , Message-ID: What is the alternative for that? Is it supported on the ME 6524? > Date: Wed, 20 Jan 2010 09:47:00 -0600 > Subject: Re: [c-nsp] ip route cache flow > From: geoff at pendery.net > To: Jeff.Wojciechowski at midlandpaper.com > CC: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net > > That's correct. I believe that NONE of the fixed switches support > Netflow, even the 4900s, which are basically fixed form 4500's. > Amongst the 4500's, only the Sup V 10 GE supports it natively, though > there is a daughter card you can buy to support it on the regular Sup > V (IIRC). Sup 6E does not. > > On 6500, both Sup 32 and Sup 720 support it, as do all the "proper > routers" (ISR, ASR, etc) > > -Geoff From rdobbins at arbor.net Wed Jan 20 11:00:28 2010 
From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 20 Jan 2010 16:00:28 +0000 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID: <340AED39-408C-4277-8992-245E2A4ACF00@arbor.net> On Jan 20, 2010, at 10:51 PM, Andrew Gabriel wrote: > NetFlow is only supported on the 4500 with the newer Supervisor Engines, > and on the 6500 platform. It's also important to note that 4500 NetFlow has the same caveats as 6500/7600 NetFlow with a Sup2. ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From zivl at gilat.net Wed Jan 20 11:11:10 2010 From: zivl at gilat.net (Ziv Leyes) Date: Wed, 20 Jan 2010 18:11:10 +0200 Subject: [c-nsp] ip route cache flow In-Reply-To: References: , , Message-ID: Is "ip accounting" an option for you? Not as useful as NetFlow, but it might just give you what you need. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Wednesday, January 20, 2010 5:58 PM To: geoff at pendery.net; jeff.wojciechowski at midlandpaper.com Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ip route cache flow What is the alternative for that? Is it supported on the ME 6524? 
From jshearer at amedisys.com Wed Jan 20 11:10:34 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Wed, 20 Jan 2010 10:10:34 -0600
Subject: [c-nsp] ip route cache flow

You could use a probe or span your traffic to an analyzer. This is what I do to monitor some links that traverse devices that do not support NetFlow.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Wednesday, January 20, 2010 9:58 AM
To: geoff at pendery.net; jeff.wojciechowski at midlandpaper.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ip route cache flow

What is the alternative for that? Is it supported on ME 6524?

> Date: Wed, 20 Jan 2010 09:47:00 -0600
> Subject: Re: [c-nsp] ip route cache flow
From psirt at cisco.com Wed Jan 20 11:09:20 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 20 Jan 2010 11:09:20 -0500
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service Vulnerability
Message-ID: <201001201110.xr-ssh@psirt.cisco.com>

Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service Vulnerability

Advisory ID: cisco-sa-20100120-xr-ssh

Revision 1.0

For Public Release 2010 January 20 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition. An attacker could trigger this vulnerability by sending a crafted SSH version 2 packet that may cause a new SSH connection handler process to crash. Repeated exploitation may cause each new SSH connection handler process to crash and lead to a significant amount of memory being consumed, which could introduce instability that may adversely impact other system functionality. During this event, the parent SSH daemon process will continue to function normally.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100120-xr-ssh.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects Cisco IOS XR systems that are running an affected version of Cisco IOS XR Software and have the SSH server feature enabled. A system with the SSH server feature enabled will have the command ssh server [v2] present in its configuration.
Refer to the "Cisco IOS XR System Security Configuration Guide" at http://www.cisco.com/en/US/docs/routers/crs/software/crs_r3.9/security/configuration/guide/sc39ssh.html#wp1044523 for additional details regarding configuration of the SSH server in Cisco IOS XR Software.

The SSH server can only be enabled in Cisco IOS XR Software if the "security" Package Information Envelope (PIE) is installed. Administrators can issue the show install summary command to confirm if the security PIE is installed. This command will display an active package similar to "-k9sec-" or, for example, "c12k-k9sec-3.6.1" if the security PIE is installed.

Refer to the "Software Version and Fixes" section of this advisory for information on specific affected software versions.

Products Confirmed Not Vulnerable
+--------------------------------

SSH server implementations in Cisco IOS Software and Cisco IOS XE Software are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS XR Software is a member of the Cisco IOS Software family that uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR Software runs on the Cisco CRS-1 Carrier Routing System, Cisco 12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services Routers. More information on Cisco IOS XR Software is available at http://www.cisco.com/en/US/products/ps5845/index.html.

The SSH protocol was developed as a secure replacement for the Telnet, FTP, rlogin, remote shell (rsh), and Remote Copy Protocol (RCP) protocols, which allow for remote device access. SSH varies from these older protocols in that it provides strong authentication and confidentiality and uses encrypted transactions.

The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition.
The vulnerability is triggered when a new SSH handler process handles a crafted SSH version 2 packet, which may cause the process to crash. During this event, a significant amount of memory may be consumed. Repeated exploitation may impact other system functionality, depending upon the size of the available memory and the duration of attack.

Although exploitation of this vulnerability does not require user authentication, the TCP three-way handshake must be completed, and some SSH protocol negotiation must occur. The SSH service will continue to function normally during and after an attack.

During exploitation of this vulnerability, the system may generate the following messages:

RP/0/RP1/CPU0:Jan 14 16:56:34.885 : dumper[59]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 407 for process pkg/bin/sshd_child_handler
RP/0/RP1/CPU0:Jan 14 16:56:34.897 : dumper[59]: %OS-DUMPER-7-SIGSEGV : Thread 1 received SIGSEGV
RP/0/RP1/CPU0:Jan 14 16:56:34.901 : dumper[59]: %OS-DUMPER-7-BUS_ADRERR : Accessed BadAddr 50199000 at PC 4a280c64
RP/0/RP1/CPU0:Jan 14 16:56:34.906 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733716 (pkg/bin/sshd_child_handler)

This vulnerability is documented in Cisco bug ID CSCsu10574 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0137.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsu10574 ("sshd_child_handler crashes with crafted SSHv2 packet")

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability described in this advisory could result in a crash of the SSH connection handler process. Repeated exploitation may impact other system functionality, depending upon the size of the available memory and the duration of attack.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

This vulnerability can be addressed by applying the appropriate Software Maintenance Upgrade (SMU), per the table below. Installation of the appropriate SMU does not require a system reload. Refer to the document "Guidelines for Cisco IOS XR Software" (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html) for additional information on Cisco IOS XR Software and SMUs.
+---------------------------------------------------------------------------------+
| Cisco   |                         SMU Name and SMU ID                           |
| IOS XR  |-----------------------------------------------------------------------|
| Release |           CRS-1            |           XR12000           |  ASR 9000  |
|         |                            |                             |    (*)     |
|---------+----------------------------+-----------------------------+------------|
|  3.4.1  | hfr-k9sec-3.4.1.CSCsu10574 | c12k-k9sec-3.4.1.CSCsu10574 | Not        |
|         | AA03509                    | AA03532                     | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.4.2  | hfr-k9sec-3.4.2.CSCsu10574 | c12k-k9sec-3.4.2.CSCsu10574 | Not        |
|         | AA03510                    | AA03531                     | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.4.3  | hfr-k9sec-3.4.3.CSCsu10574 | c12k-k9sec-3.4.3.CSCsu10574 | Not        |
|         | AA03511                    | AA03530                     | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.5.2  | hfr-k9sec-3.5.2.CSCsu10574 | c12k-k9sec-3.5.2.CSCsu10574 | Not        |
|         | AA03512                    | AA03529                     | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.5.3  | hfr-k9sec-3.5.3.CSCsu10574 | c12k-k9sec-3.5.3.CSCsu10574 | Not        |
|         | AA03513                    | AA03528                     | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.5.4  | hfr-k9sec-3.5.4.CSCsu10574 | c12k-k9sec-3.5.4.CSCsu10574 | Not        |
|         | AA03514                    | AA03527                     | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.6.0  | hfr-k9sec-3.6.0.CSCsu10574 | c12k-k9sec-3.6.0.CSCsu10574 | Not        |
|         | AA03515                    | AA03526                     | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.6.1  | hfr-k9sec-3.6.1.CSCsu10574 | c12k-k9sec-3.6.1.CSCsu10574 | Not        |
|         | AA03516                    | AA03525                     | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.6.2  | Not affected               | Not affected                | Not        |
|         |                            |                             | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.6.3  | Not affected               | Not affected                | Not        |
|         |                            |                             | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.7.0  | hfr-k9sec-3.7.0.CSCsu10574 | c12k-k9sec-3.7.0.CSCsu10574 | Not        |
|         | AA03519                    | AA03522                     | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.7.1  | Not affected               | Not affected                | Not        |
|         |                            |                             | affected   |
|---------+----------------------------+-----------------------------+------------|
|  3.7.2  | Not affected               | Not affected                | Not        |
|         |                            |                             | affected   |
|---------+----------------------------+-----------------------------+------------|
|  3.8.x  | Not affected               | Not affected                | Not        |
|         |                            |                             | applicable |
|---------+----------------------------+-----------------------------+------------|
|  3.9.x  | Not affected               | Not affected                | Not        |
|         |                            |                             | affected   |
+---------------------------------------------------------------------------------+

(*) Not all Cisco IOS XR Software versions are supported by the Cisco ASR 9000 Aggregation Services Routers.

Workarounds
===========

There are no workarounds for this vulnerability. Network administrators are advised to apply mitigation techniques to help limit exposure to the vulnerability. Mitigation techniques consist of allowing only legitimate devices to connect to the routers. These access restrictions can be accomplished by using interface access control lists (ACLs) or the Management Plane Protection (MPP) feature that is available in Cisco IOS XR Software Release 3.5 and later. For information on MPP, refer to the configuration guide at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.8/security/configuration/guide/sc38mpp.html and the MPP command reference at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.8/security/command/reference/sr38mpp.html.
Infrastructure ACLs (iACLs) are also a useful technique to mitigate potential exploitation of this vulnerability. For more information on these mitigations, consult the Cisco Guide to Harden Cisco IOS XR Devices, which is available at http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html.

Note that access classes in line templates applied to VTY pools are not an effective mitigation for this vulnerability.

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was discovered by Cisco during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100120-xr-ssh.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2010-January-20 | Initial public release    |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
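The advisory says a single crafted packet crashes one sshd_child_handler and that only repeated exploitation threatens the system, so the thing worth alerting on is a burst of %OS-DUMPER-4-CRASH_INFO messages for that process. The following is an added example, not Cisco's code: it parses IOS XR dumper syslog lines in the format quoted above and reports a node whose SSH child handler crashed several times inside a short window; the year is assumed (IOS XR timestamps omit it) and the sample log is constructed from the four lines in the advisory plus further crashes.

```python
"""Detect repeated sshd_child_handler crashes (CSCsu10574) in IOS XR syslog.

Added example, not Cisco's code. The log format is the one quoted in the
advisory: node, timestamp, process[pid], %mnemonic, text. The year is an
assumption because IOS XR syslog timestamps do not carry one.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<node>\S+?):(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)? : "
    r"(?P<proc>[\w-]+)\[\d+\]: %(?P<mnemonic>[A-Z0-9_-]+) : (?P<text>.*)$"
)
CRASH_RE = re.compile(r"Crashed pid = (?P<pid>\d+) \((?P<path>[^)]+)\)")
TARGET = "pkg/bin/sshd_child_handler"   # process named in the advisory
ASSUMED_YEAR = 2010                     # assumption: timestamps have no year


def parse_line(line):
    """Return (node, datetime, mnemonic, text), or None for non-syslog lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return m["node"], ts, m["mnemonic"], m["text"]


def sshd_handler_crashes(lines):
    """Yield (node, time, pid) for each CRASH_INFO naming the SSH child handler."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        node, ts, mnemonic, text = parsed
        if mnemonic != "OS-DUMPER-4-CRASH_INFO":
            continue
        c = CRASH_RE.search(text)
        if c and c["path"] == TARGET:
            yield node, ts, int(c["pid"])


def find_crash_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (node, first_crash_time, count) once per node whose SSH child
    handler crashed at least `threshold` times within `window` (sliding window
    over crash events in log order). One isolated crash is not reported."""
    alerts, recent, alerted = [], {}, set()
    for node, ts, _pid in sshd_handler_crashes(lines):
        times = recent.setdefault(node, [])
        times.append(ts)
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) >= threshold and node not in alerted:
            alerted.add(node)
            alerts.append((node, times[0], len(times)))
    return alerts


# Constructed sample: the four lines quoted in the advisory, then two more
# handler crashes seconds apart and one unrelated crash that must not count.
SAMPLE_LOG = """\
RP/0/RP1/CPU0:Jan 14 16:56:34.885 : dumper[59]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 407 for process pkg/bin/sshd_child_handler
RP/0/RP1/CPU0:Jan 14 16:56:34.897 : dumper[59]: %OS-DUMPER-7-SIGSEGV : Thread 1 received SIGSEGV
RP/0/RP1/CPU0:Jan 14 16:56:34.901 : dumper[59]: %OS-DUMPER-7-BUS_ADRERR : Accessed BadAddr 50199000 at PC 4a280c64
RP/0/RP1/CPU0:Jan 14 16:56:34.906 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733716 (pkg/bin/sshd_child_handler)
RP/0/RP1/CPU0:Jan 14 16:56:58.120 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733801 (pkg/bin/sshd_child_handler)
RP/0/RP1/CPU0:Jan 14 16:57:10.004 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733950 (pkg/bin/constructed_other_process)
RP/0/RP1/CPU0:Jan 14 16:57:31.442 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21734012 (pkg/bin/sshd_child_handler)
"""

if __name__ == "__main__":
    for node, first, count in find_crash_bursts(SAMPLE_LOG.splitlines()):
        print(f"{node}: {count} sshd_child_handler crashes since {first:%b %d %H:%M:%S}")
```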
+--------------------------------------------------------------------
Copyright 2008-2010 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Jan 20, 2010
Document ID: 111459

From psirt at cisco.com Wed Jan 20 11:15:00 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 20 Jan 2010 11:15:00 -0500
Subject: [c-nsp] Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability
Message-ID: <201001201115.ipm@psirt.cisco.com>

Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability

Advisory ID: cisco-sa-20100120-ipm

Revision 1.0

For Public Release 2010 January 20 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

CiscoWorks Internetwork Performance Monitor (IPM) versions 2.6 and earlier for Microsoft Windows operating systems contain a buffer overflow vulnerability that could allow a remote unauthenticated attacker to execute arbitrary code.

There are no workarounds for this vulnerability.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20100120-ipm.shtml

Affected Products
=================

Vulnerable Products
+------------------

CiscoWorks IPM versions 2.6 and earlier for Windows operating systems are affected.

Products Confirmed Not Vulnerable
+--------------------------------

CiscoWorks IPM version 2.x for Sun Solaris and CiscoWorks IPM version 4.x for Windows and Solaris operating systems are not affected.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

CiscoWorks IPM is a troubleshooting application that gauges network response time and availability. CiscoWorks IPM is available as a component within the CiscoWorks LAN Management Solution (LMS) bundle.

CiscoWorks IPM versions 2.6 and earlier for Windows contain a buffer overflow vulnerability when processing Common Object Request Broker Architecture (CORBA) GIOP requests.
By sending a crafted CORBA GIOP request, a remote, unauthenticated attacker may be able to trigger the buffer overflow condition and execute arbitrary code with SYSTEM privileges on affected Windows systems.

This vulnerability is documented in Cisco Bug ID CSCsv62350 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0138.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsv62350 - Malformed CORBA GIOP request causes crash

CVSS Base Score - 10
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 9.5
    Exploitability - Functional
    Remediation Level - Unavailable
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in the ability to execute arbitrary code with SYSTEM privileges on affected Windows systems.

Software Versions and Fixes
===========================

CiscoWorks IPM versions 2.6 and earlier for Windows contain a vulnerable third-party component that is no longer supported.
Cisco is unable to provide updated software for affected CiscoWorks versions. Consult the "Obtaining Fixed Software" section of this advisory for instructions on how to address vulnerable systems.

Workarounds
===========

There are no workarounds for this vulnerability. It is possible to mitigate this vulnerability by restricting network access to TCP ports on an affected Windows system running IPM versions 2.6 and earlier to trusted systems.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20100120-ipm.shtml

Obtaining Fixed Software
========================

CiscoWorks IPM versions 2.6 and earlier for Windows contain a vulnerable third-party component that is no longer supported. Cisco is unable to provide updated software for affected CiscoWorks versions. Customers with active software licenses for the IPM component of CiscoWorks versions 2.6 and earlier for Windows should send email to the following address for instructions on migrating to non-vulnerable software:

ipm-corba-fix at cisco.com

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was discovered and reported to Cisco by TippingPoint. Cisco would like to thank TippingPoint for reporting this vulnerability to us and for working with us on a coordinated disclosure.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.
CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100120-ipm.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2010-January-20 | Initial public release    |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.

This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:

http://www.cisco.com/go/psirt

From bacon at walleyesoftware.com Wed Jan 20 11:17:39 2010
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Wed, 20 Jan 2010 10:17:39 -0600
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
Message-ID: <5A69C25361FED34F83ABF05F5047524507F05C97@wally.walleyetrading.net>

> > I've read through the data sheets, and I also can't see any significant
> > differences. I was wondering if there was some hardware differences (like
> > CAM table size, ethernet input/output buffer sizes), etc...

Is the packet buffering on the -Es significantly better than on the non-Es?

It would seem that the buffering capabilities of a non-E are at best limited, based on my experience - granted we have bursty server loads that we were attempting to condense down into 4-port etherchannels, but I would have expected the 3560Gs to do better than they did. I suppose it's possible that if I split the ports up amongst the ASICs better it might be better, but it seemed like there was only one TX queue buffer for the entire switch, which if you did "mls qos" you could split up some but you still had a limited choke that everything went through.

I really don't want to go buy a -E to find out.

I never could get an answer from cisco as to the actual design of the internals of the 3560/3750s. Is the information around anywhere? (And why the heck does Cisco keep it such a secret?)

> Just think of the 3750s as baby VSS-6500s or Nexus 7Ks :)

Now _that_ is hard to imagine. :)

From BBlackford at nwresd.k12.or.us Wed Jan 20 11:28:04 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Wed, 20 Jan 2010 08:28:04 -0800
Subject: [c-nsp] C3750G Interface Counters
Message-ID: <6069A203FD01884885C037F81DD750801742DA1107@wsc-mail-01.intra.nwresd.k12.or.us>

Hello all,

I am observing a strange issue where I have an interface that is showing zero packets/sec. The packets input and packets output are incrementing. My SNMP collector is graphing. This is one of two interconnect ports to a customer peering up with two BGP sessions using multipath. The other port's packets/sec counters are behaving as expected.

WS-C3750G-24TS-E1U 12.2(50)SE3

My_3750#sh int gi1/0/21
GigabitEthernet1/0/21 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0015.2bxx.xxxx (bia 0015.2bxx.xxxx)
  Description: CustA Port1
  Internet address is x.x.x.x/30
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 0/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:19, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:14:20
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4073
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     743069 packets input, 209425595 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     911587 packets output, 955053286 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

My_3750#sh int gi1/0/22
GigabitEthernet1/0/22 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0015.2bxx.xxxx (bia 0015.2bxx.xxxx)
  Description: CustA Port2
  Internet address is x.x.x.x/30
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 31/255, rxload 2/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output 00:00:25, output hang never
  Last clearing of "show interface" counters 00:14:22
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5710
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 937000 bits/sec, 864 packets/sec
  30 second output rate 12324000 bits/sec, 1292 packets/sec
     578583 packets input, 145713935 bytes, 0 no buffer
     Received 91 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 91 multicast, 0 pause input
     0 input packets with dribble condition detected
     919361 packets output, 991069241 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Thank you,

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

this message was composed using 100% recycled electrons

From kloch at kl.net Wed Jan 20 11:32:54 2010
From: kloch at kl.net (Kevin Loch) Date: Wed, 20 Jan 2010 11:32:54 -0500 Subject: [c-nsp] cisco 6509 rommon mode In-Reply-To: <20100120071139.983.qmail@f4mail206.rediffmail.com> References: <20100120071139.983.qmail@f4mail206.rediffmail.com> Message-ID: <4B573036.3050600@kl.net> Have you tried replacing the lithium battery on the sup2? Hopefully you have a newer board with a socket. - Kevin ambedkar wrote: > Hi, i cleaned the modules of 6509 and reinstalled, it shows > > > inband gmac link did not come up: reseting the system > System Bootstrap, Version 7.1(1) > Copyright (c) 1994-2001 by cisco Systems, Inc. > c6k_sup2 processor with 262144 Kbytes of main memory > > Autoboot executing command: "boot bootflash:" > > Self decompressing the image : ##############################################################################################################] > > > System Power On Diagnostics > DRAM Size ..........................256 MB > Testing DRAM .......................Passed > Verifying Text Segment .............Passed > NVRAM Size .........................512 KB > Level2 Cache .......................Present > Level3 Cache .......................Present > System Power On Diagnostics Complete > > Currently running ROMMON from S (Gold) region > Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin > > System Bootstrap, Version 7.1(1) > Copyright (c) 1994-2001 by cisco Systems, Inc. > > Warning: Rommon NVRAM area is corrupted. Initialize the area to default values > c6k_sup2 processor with 262144 Kbytes of main memory > > Autoboot: failed, BOOT string is empty > rommon 1 > > rommon 1 > > > After this, if i execute the command BOOT, once again it is showing old log as below. > > thanks, bye. > > > > > > ------------------------------------------------------------------------ > Hi, i am using cisco 6509 switch. This switch is not power ON for last one year, now after switch ON,It is going to ROMMON mode. 
> > > The following is the log: > > Currently running ROMMON from S (Gold) region > Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin > Module 1 port ASIC 0 failed: Pinnacle Packet Buffer Error > Module 1 reported following ports unusable > port 1 bad > port 2 bad > port 3 bad > port 4 bad > inband gmac link did not come up: reseting the system > System Bootstrap, Version 7.1(1) > Copyright (c) 1994-2001 by cisco Systems, Inc. > c6k_sup2 processor with 262144 Kbytes of main memory > > Autoboot executing command: "boot bootflash:cat6000-sup2cvk9.8-3-2.bin" > > Self decompressing the image : ##############################################################################################################] > > > System Power On Diagnostics > DRAM Size ..........................256 MB > Testing DRAM .......................Passed > Verifying Text Segment .............Passed > NVRAM Size .........................512 KB > Level2 Cache .......................Present > Level3 Cache .......................Present > System Power On Diagnostics Complete. > > --------------------------------------------------------- > > I tried the following commands: > 1.boot > 2.boot bootflash:cat6000-sup2cvk9.8-3-2.bin > 3.I thought ios may be damaged, so i used XMODEM to upload IOS image, but after some time, it is also failing. > > please help me, > Thanks.bye > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From geoff at pendery.net Wed Jan 20 11:43:59 2010 
From: geoff at pendery.net (Geoffrey Pendery)
Date: Wed, 20 Jan 2010 10:43:59 -0600
Subject: [c-nsp] ip route cache flow
In-Reply-To:
References:
Message-ID:

Just to be clear, it is only supported with the *second* newest, the Sup V 10GE. NetFlow is NOT supported on the newest, the Sup 6E. So it was actually removed from the 4500's going forward.

At this time the "E" series 4500 stuff, the latest-and-greatest, does NOT support NetFlow. I just rolled out 48 of them.

The QoS is also a bit tricky - good, but different from previous 4500 or 6500 QoS.

-Geoff

On Wed, Jan 20, 2010 at 9:51 AM, Andrew Gabriel wrote:
> Netflow is only supported on the 4500 with the newer Supervisor Engines,
> and on the 6500 platform.
>
> Regards,
> Andrew Gabriel.
> Network Engineer,
> Enterprise Data Services.
> +91 44 42 22 88 75 (Direct)
> +91 98 41 41 40 19 (Mobile)
> www.sanmina-sci.com
> Sanmina-SCI India Pvt. Ltd.
> A51, 2nd Avenue, Anna Nagar,
> Chennai - 600 102, INDIA.
>
> On Wed, Jan 20, 2010 at 9:07 PM, Jeff Wojciechowski <
> Jeff.Wojciechowski at midlandpaper.com> wrote:
>
>> Our WS-C3750G-48TS don't support NetFlow. The only points on our network
>> that we can monitor NetFlow are at router interfaces and I am pretty sure
>> that you need a chassis based switch before NetFlow is supported (someone
>> please correct me if I am wrong).
>>
>> -Jeff
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:
>> cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
>> Sent: Wednesday, January 20, 2010 8:19 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ip route cache flow
>>
>> hi all i have metro ethernet 3750
>> i want to enable cache flow in order to monitor some traffic on our leased
>> line customers
>>
>> i enabled under the vlan interface
>> ip route-cache flow
>>
>> but nothing appeared even when i enabled ip cef accounting non-recursive
>>
>> _________________________________________________________________
>> Windows Live: Make it easier for your friends to see what you're up to on
>> Facebook.
>> http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_2:092009
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.
> Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From peter at rathlev.dk Wed Jan 20 12:39:01 2010
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 20 Jan 2010 18:39:01 +0100
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To:
References:
Message-ID: <1264009141.21532.5.camel@localhost>

On Wed, 2010-01-20 at 07:19 -0600, scott owens wrote:
> That stacking feature IS the cool thing. If you don't need it; skip
> it, maybe even look at the 295x or 296x platform unless you possibly
> need POE as well - the "2"s don't support it. But the ability to
> team/etherchannel servers via LACP and use BOTH teamed links at the
> same time instead of single links due to spanning-tree blocking is a
> great thing. It is one reason GLBP is not available on the 3750s -
> it's not needed to get load balanced routing either.
>
> Just think of the 3750s as baby VSS-6500s or Nexus 7Ks :)

IMHO the problem with StackWise is that you can't do a software upgrade without rebooting both units. Compare this to two separate switches and RSTP, with which you can do almost "zero touch" upgrades.

In my eyes StackWise stacks are in all aspects to be treated as a single unit. When looking at "single points of failure" I consider a 3750 stack (E or non-E) a single unit no matter how many members in the stack.

The VSS might have the same problem, haven't touched it.

--
Peter

From bitkraft at gmail.com Wed Jan 20 14:27:28 2010
From: bitkraft at gmail.com (Brian Spade)
Date: Wed, 20 Jan 2010 11:27:28 -0800
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To:
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com>
Message-ID: <505b616c1001201127k5f797092gc4bb49b959241767@mail.gmail.com>

If you use WCCP (i.e., wan acceleration/WAAS), the 3750-E supports denies in the redirect ACL whereas the 3560-E does not. Apparently this feature will be added to the 3560-E this Spring. It may be minor but it's very annoying to have to create an entire ACL based on permits to control your redirected traffic on the 3560-E.

/bs

On Tue, Jan 19, 2010 at 10:13 PM, Asbjorn Hojmark - Lists wrote:
> On Tue, 19 Jan 2010 15:17:26 -0500, you wrote:
>
> > Other than stackwise on the 3750-E, I haven't been able to discern a
> > whole lot of differences between the two switches.
>
> That *is* the only difference.
>
> -A
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From gert at greenie.muc.de Wed Jan 20 14:34:57 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 20 Jan 2010 20:34:57 +0100
Subject: [c-nsp] ip route cache flow
In-Reply-To:
References:
Message-ID: <20100120193457.GM857@greenie.muc.de>

Hi,

On Wed, Jan 20, 2010 at 06:11:10PM +0200, Ziv Leyes wrote:
> Is "ip accounting" an option for you?

Not supported on 3750 either. These things are *switches*, with some l3 support added. Fast, but dumb.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From avayner at cisco.com Wed Jan 20 16:10:40 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 20 Jan 2010 22:10:40 +0100
Subject: [c-nsp] Disabling SNMP for certain BGP neighbors
In-Reply-To: <4B5611E4.3010600@rollernet.us>
References: <4B5611E4.3010600@rollernet.us>
Message-ID:

Seth,

I would say that the right approach for this would be to tune the logic of your NMS system to ignore these events, or make them low-priority events, and have a rule that alerts you about low-priority events only during work hours...

Another approach (but only on relatively new IOS versions) would be to use the EEM SNMP Notification event detector. This would allow you to catch specific traps and block them on the router (or modify them to a different event).

In older IOS versions the same can be accomplished for Syslog, so if you can turn off SNMP traps and use Syslog events, you can accomplish this on most IOS versions.

The reference for the SNMP Notification EEM event detector is here:
http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_06.html#wp1178594

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen
Sent: Tuesday, January 19, 2010 22:11
To: cisco-nsp
Subject: [c-nsp] Disabling SNMP for certain BGP neighbors

Is there any way to disable SNMP traps for a subset of BGP neighbors like there is for interfaces? I have a couple BGP sessions that are of "don't care" priority and they don't need to send traps when they flap (although rarely, it's always when I'm sleeping).

~Seth
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From david at hughes.com.au Wed Jan 20 18:18:59 2010
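The syslog-detector variant of what Arie describes, written out as an added example; it is not from any message in this thread and not from Cisco's documentation. It assumes an IOS release whose EEM supports the `action snmp-trap` statement, that 192.0.2.1 and 192.0.2.2 are the peers worth being woken up for while 198.51.100.7 is a "don't care" peer, and an NMS at 192.0.2.250; the applet name, the addresses and the community string are placeholders. The idea is to switch the platform's BGP traps off for every neighbor and let an applet re-raise a notification only when the %BGP-5-ADJCHANGE line names a peer that matters.

```cisco
! Added example (not from the thread): trap only on BGP flaps of selected peers.
! Placeholders: 192.0.2.1 and 192.0.2.2 (important peers), 198.51.100.7
! ("don't care" peer, never matched), 192.0.2.250 (NMS), NMS-RO (community).
!
! 1. Stop the platform from sending bgpEstablished / bgpBackwardTransition
!    for every neighbor. The %BGP-5-ADJCHANGE syslog lines are unaffected,
!    so the low-priority flaps still show up in "show logging" for the morning.
no snmp-server enable traps bgp
!
! 2. Allow EEM to send its own notifications (CISCO-EMBEDDED-EVENT-MGR-MIB).
snmp-server enable traps event-manager
snmp-server host 192.0.2.250 version 2c NMS-RO event-manager
!
! 3. Re-raise a notification only for the peers that should page someone.
!    The pattern is an IOS regular expression: the dots are escaped and the
!    trailing space is kept so that 192.0.2.1 does not also match 192.0.2.10.
!    198.51.100.7 never matches this pattern, so its flaps produce no trap.
event manager applet BGP-ADJCHANGE-PAGE
 event syslog pattern "%BGP-5-ADJCHANGE: neighbor (192\.0\.2\.1|192\.0\.2\.2) "
 action 1.0 snmp-trap strdata "$_syslog_msg"
```

No `action syslog` is added to the applet on purpose: a message that repeats the matched text would match the same `event syslog pattern` again and re-trigger the applet. Check the registration with `show event manager policy registered`, then bounce a low-priority session in a maintenance window: the flap should still appear in `show logging`, but the NMS should receive no trap for it.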
From: david at hughes.com.au (David Hughes)
Date: Thu, 21 Jan 2010 09:18:59 +1000
Subject: [c-nsp] ip route cache flow
In-Reply-To:
References:
Message-ID: <7EB9DC8B-696D-4714-A444-AD24383BECA3@hughes.com.au>

And "supported on 6500" doesn't equate to "works as you'd expect on 6500". It's better in SXI (per interface support at least) but it's still got major limitations. We only have netflow on Cat6k left in one location and that's being moved to routers real soon now.

David
...

On 21/01/2010, at 1:51 AM, Andrew Gabriel wrote:
> Netflow is only supported on the 4500 with the newer Supervisor Engines,
> and on the 6500 platform.
>
> Regards,
> Andrew Gabriel.
> Network Engineer,
> Enterprise Data Services.
> +91 44 42 22 88 75 (Direct)
> +91 98 41 41 40 19 (Mobile)
> www.sanmina-sci.com
> Sanmina-SCI India Pvt. Ltd.
> A51, 2nd Avenue, Anna Nagar,
> Chennai - 600 102, INDIA.
>
> On Wed, Jan 20, 2010 at 9:07 PM, Jeff Wojciechowski <
> Jeff.Wojciechowski at midlandpaper.com> wrote:
>
>> Our WS-C3750G-48TS don't support NetFlow. The only points on our network
>> that we can monitor NetFlow are at router interfaces and I am pretty sure
>> that you need a chassis based switch before NetFlow is supported (someone
>> please correct me if I am wrong).
>>
>> -Jeff
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:
>> cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
>> Sent: Wednesday, January 20, 2010 8:19 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ip route cache flow
>>
>> hi all i have metro ethernet 3750
>> i want to enable cache flow in order to monitor some traffic on our leased
>> line customers
>>
>> i enabled under the vlan interface
>> ip route-cache flow
>>
>> but nothing appeared even when i enabled ip cef accounting non-recursive
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From gk at ax.tc Wed Jan 20 18:45:20 2010
From: gk at ax.tc (Gerald Krause)
Date: Thu, 21 Jan 2010 00:45:20 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
Message-ID: <4B579590.6050506@ax.tc>

I'm looking for a good solution to separate multiple branches from each other by using a central firewall setup. The overall view looks like this:

 Branch-1                            Branch-n
  (PC1)                               (PCn)
    |                                   |
  (SW1)                               (SWn)
    |                                   |
  CPE1              ...               CPEn
    |                                   |
 ::::::::::::::::::: DSL-CLOUD/PPP :::::::::::::::::::
    |                                   |
 LNSa/PE                             LNSb/PE
    |                                   |
 =================== MPLS-BACKBONE ===================
    |                                   |
 RTRa/PE                             RTRb/PE
    |                                   |
   SWa-------------------------------SWb
    |                                   |
 (FW-prim)-----------------------(FW-standby)
    |                                   |
 ,,,,,,,,,,,,,,,,,,,,, INTERNET ,,,,,,,,,,,,,,,,,,,,,

- each branch has 1-3 IPv4 networks
- PPP sessions are terminated on the LNS via L2TP and configured via RADIUS
- LNSs & RTRs are C7200 systems
- firewalls have VLAN capabilities

The () components will be under control of the customer, all other systems are managed by us. The main goals are

1) separate the branches in general but allow the firewall administrator to route between the branches so the customer is able to control his internal traffic as well as his internet traffic
2) provide redundancy for all of our components

At the moment we're providing only ordinary Layer3-MPLS VPNs but in this case this isn't enough - unless we plan to implement a dedicated VRF for each branch. But because the customer has 100+ branches, I don't like to 'waste' so many VRF instances for one customer. Do other approaches/BCPs exist for this kind of setup? Currently I'm investigating L2VPN, AToM, L2TPv3, ... but haven't found a really bullet-proof solution so far, especially because I have to deal with a lot of dynamically generated Virtual-Interfaces.

For now I see 3 options for us:

a) implement dedicated VRFs for each branch and map VRFn<->VLANn on the RTRs
b) build a bridged L2 "LAN" from the CPE Dialer-Interfaces up to the Firewall-Ethernet Interface (how? bad idea?)
c) some other brilliant approach...
;-) Any hints and thoughts are welcome. Thx, Gerald From koug at intracom.gr Thu Jan 21 01:43:26 2010 From: koug at intracom.gr (John Kougoulos) Date: Thu, 21 Jan 2010 08:43:26 +0200 (EET) Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall In-Reply-To: <4B579590.6050506@ax.tc> References: <4B579590.6050506@ax.tc> Message-ID: On Thu, 21 Jan 2010, Gerald Krause wrote: > For now I see 3 options for us: > > a) implement dedicated VRFs for each branch and map VRFn<->VLANn on the RTRs > b) build a brigded L2 "LAN" from the CPE Dialer-Interfaces up to the > Firewall-Ethernet Interface (how? bad idea?) > c) some other brilliant approach... ;-) > GRE or Ipsec or whatever tunnel from the CPE to (or near) the firewall? From oboehmer at cisco.com Thu Jan 21 02:10:35 2010 
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 21 Jan 2010 08:10:35 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To: <4B579590.6050506@ax.tc>
References: <4B579590.6050506@ax.tc>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>

> I'm looking for a good solution to separate multiple branches from each
> other by using a central firewall setup. The overall view looks like this:
[...]
>
> The () components will be under control of the customer, all other
> systems are managed by us. The main goals are
> 1) separate the branches in general but allow the firewall administrator
> to route between the branches so the customer is able to control his
> internal traffic as well as his internet traffic
> 2) provide redundancy for all of our components
>
> At the moment we're providing only ordinary Layer3-MPLS VPNs but in this
> case this isn't enough - unless we plan to implement a dedicated VRF
> for each branch. But because the customer has 100+ branches, I don't like
> to 'waste' so many VRF instances for one customer. Do other
> approaches/BCPs exist for this kind of setup? Currently I'm investigating L2VPN,
> AToM, L2TPv3, ... but haven't found a really bullet-proof solution so
> far, especially because I have to deal with a lot of dynamically
> generated Virtual-Interfaces.

you might want to look at the "Half-Duplex VRF" feature, which allows you to build a hub & spoke VPN setup without having to put each "branch" on the same PE into a different VRF. HD VRF will assign a different VRF for upstream and downstream traffic, so packets entering the LNS from the branch will only see the Hub routes, and not the other branches' routes.

check out
http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html

oli

From md at bts.sk Thu Jan 21 02:15:35 2010
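Oliver's Half-Duplex VRF suggestion, sketched as an added example that is not part of any message in this thread and not a Cisco reference configuration. It assumes the LNSs and the RTRs from Gerald's diagram are the PEs, a private ASN 65000, the VRF names, route targets and addresses shown (all placeholders), and two VLAN sub-interfaces from each hub PE to the firewall pair. On the LNS, a packet arriving from a branch is looked up in the upstream VRF, which imports nothing but the hub's default route; the PPP peer /32s and the per-branch framed routes from RADIUS land in the downstream VRF and are exported to the hub. The hub PE hands everything it receives from branches to the firewall and only learns the branch prefixes in a second VRF on the firewall's other VLAN, so the firewall is the only device that can forward branch to branch. Gerald's sessions are driven by RADIUS; pushing the same binding per session through a Cisco AV pair (`lcp:interface-config=ip vrf forwarding BR-UP downstream BR-DOWN`) is an assumption to confirm against the feature guide Oliver linked.

```cisco
! Added example (not from the thread): hub-and-spoke via Half-Duplex VRF.
! Placeholders: ASN 65000, RTs 65000:100/65000:200, VRF names, addresses.
!
! ---------------- LNS (spoke PE): one VRF pair for all branches ----------------
!
! Upstream VRF: the table used for packets RECEIVED from a branch.
! It imports only the hub's default route, so a branch can never see
! (or reach directly) another branch's prefixes.
ip vrf BR-UP
 description upstream - lookup for traffic coming from branches
 rd 65000:101
 route-target import 65000:200
!
! Downstream VRF: where the PPP peer /32s and the RADIUS framed routes
! (the 1-3 networks per branch) are installed and exported to the hub.
ip vrf BR-DOWN
 description downstream - branch routes, exported to the hub
 rd 65000:102
 route-target export 65000:100
!
interface Virtual-Template1
 description L2TP sessions from the DSL cloud
 ip vrf forwarding BR-UP downstream BR-DOWN
 ip unnumbered Loopback1
 peer default ip address pool BRANCH-POOL
 ppp authentication chap
!
router bgp 65000
 address-family ipv4 vrf BR-DOWN
  redistribute connected
  redistribute static
 exit-address-family
 address-family ipv4 vrf BR-UP
 exit-address-family
!
! ---------------- Hub PE (RTRa / RTRb): two VRFs, two VLANs to the firewall ------
!
! Traffic FROM the branches arrives here (it followed the default in BR-UP)
! and is handed to the firewall. This VRF deliberately imports no branch
! routes, so it cannot short-cut branch-to-branch traffic around the firewall.
ip vrf HUB-TO-FW
 description towards the firewall, exports the default the branches use
 rd 65000:200
 route-target export 65000:200
!
! Traffic FROM the firewall back towards a branch: this VRF imports the
! branch routes exported by every LNS.
ip vrf FW-TO-BRANCH
 description from the firewall, holds all branch prefixes
 rd 65000:201
 route-target import 65000:100
!
interface GigabitEthernet0/1.100
 description firewall VLAN 100 - branches to firewall
 encapsulation dot1Q 100
 ip vrf forwarding HUB-TO-FW
 ip address 10.255.100.1 255.255.255.0
!
interface GigabitEthernet0/1.101
 description firewall VLAN 101 - firewall to branches
 encapsulation dot1Q 101
 ip vrf forwarding FW-TO-BRANCH
 ip address 10.255.101.1 255.255.255.0
!
! The default route the branches follow: next hop is the firewall's VLAN 100 address.
ip route vrf HUB-TO-FW 0.0.0.0 0.0.0.0 10.255.100.254
!
router bgp 65000
 address-family ipv4 vrf HUB-TO-FW
  redistribute static
  default-information originate
 exit-address-family
 address-family ipv4 vrf FW-TO-BRANCH
 exit-address-family
```

What this buys in Gerald's situation: one VRF pair per LNS regardless of how many branches dial in, and branch-to-branch traffic that can only complete via the firewall, because the sole route a branch packet can match on the LNS is the hub default and the hub-facing VRF carries no branch prefixes. RTRa and RTRb both export the same default, which gives the hub-side redundancy for free; the firewall itself needs routes for the branch address space pointing at its VLAN 101 gateway (10.255.101.1 here). On the LNS, `show ip route vrf BR-UP` should contain only the default, and `show ip route vrf BR-DOWN` the peer /32s and framed routes.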
From: md at bts.sk (Marian Ďurkovič)
Date: Thu, 21 Jan 2010 08:15:35 +0100
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05C97@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524507F05C97@wally.walleyetrading.net>
Message-ID: <20100121070932.M18969@bts.sk>

On Wed, 20 Jan 2010 10:17:39 -0600, Jeff Bacon wrote
> > > I've read through the data sheets, and I also can't see any significant
> > > differences. I was wondering if there was some hardware differences (like
> > > CAM table size, ethernet input/output buffer sizes), etc...
>
> Is the packet buffering on the -Es significantly better than on the
> non-Es? It would seem that the buffering capabilities of a non-E are at
> best limited, based on my experience - granted we have bursty server
> loads that we were attempting to condense down into 4-port
> etherchannels, but I would have expected the 3560Gs to do better than
> they did.

In fact, 3560Es perform worse in the default configuration than 3560Gs. Buffers might be tweaked via mls qos commands, but still, the buffering is insufficient - have a look at:

http://puck.nether.net/pipermail/cisco-nsp/2009-March/058758.html

M.

From gk at ax.tc Thu Jan 21 04:41:07 2010
From: gk at ax.tc (Gerald Krause)
Date: Thu, 21 Jan 2010 10:41:07 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>
References: <4B579590.6050506@ax.tc> <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>
Message-ID: <4B582133.5030002@ax.tc>

On 21.01.2010 08:10, Oliver Boehmer (oboehmer) wrote:
>> I'm looking for a good solution to separate multiple branches from each
>> other by using a central firewall setup. The overall view looks like this:
> [...]
>> The () components will be under control of the customer, all other
>> systems are managed by us. The main goals are
>> 1) separate the branches in general but allow the firewall administrator
>> to route between the branches so the customer is able to control his
>> internal traffic as well as his internet traffic
>> 2) provide redundancy for all of our components
>>
>> At the moment we're providing only ordinary Layer3-MPLS VPNs but in this
>> case this isn't enough - unless we plan to implement a dedicated VRF
>> for each branch. But because the customer has 100+ branches, I don't like
>> to 'waste' so many VRF instances for one customer. Do other
>> approaches/BCPs exist for this kind of setup? Currently I'm investigating L2VPN,
>> AToM, L2TPv3, ... but haven't found a really bullet-proof solution so
>> far, especially because I have to deal with a lot of dynamically
>> generated Virtual-Interfaces.
>
> you might want to look at the "Half-Duplex VRF" feature, which allows you to
> build a hub & spoke VPN setup without having to put each "branch" on the
> same PE into a different VRF. HD VRF will assign a different VRF for
> upstream and downstream traffic, so packets entering the LNS from the
> branch will only see the Hub routes, and not the other branches' routes.
>
> check out
> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html

Ok, that sounds interesting.
I'll check the docs.

Gerald

From gk at ax.tc Thu Jan 21 04:39:18 2010
From: gk at ax.tc (Gerald Krause)
Date: Thu, 21 Jan 2010 10:39:18 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To:
References: <4B579590.6050506@ax.tc>
Message-ID: <4B5820C6.6090503@ax.tc>

On 21.01.2010 07:43, John Kougoulos wrote:
>
> On Thu, 21 Jan 2010, Gerald Krause wrote:
>> For now I see 3 options for us:
>>
>> a) implement dedicated VRFs for each branch and map VRFn<->VLANn on
>> the RTRs
>> b) build a bridged L2 "LAN" from the CPE Dialer-Interfaces up to the
>> Firewall-Ethernet Interface (how? bad idea?)
>> c) some other brilliant approach... ;-)
>
> GRE or Ipsec or whatever tunnel from the CPE to (or near) the firewall?

Yep, that might be a way, even if not "beautiful" for us. We're moving this customer from an ugly partial/fully IPSec-tunnel meshed setup with many firewalls and IPSec tunnels and I don't want to implement and manage a bunch of IPSec tunnels again.

I already thought about some pseudowire or other basic tunnel service (like GRE) from the CPEs to the firewall but I have to deal with redundant tunnel endpoints as well - the tunneling setup must have a fail-over/redundancy concept. That makes me think about implementing 2 tunnels from each CPE to 2 additional tunnel endpoints (between RTR and FW) and configuring a basic routing protocol on top of the tunnels... Hm, that "is" a solution but I'll check further if I have other options before going that way.

Gerald

From asturluismi at gmail.com Thu Jan 21 06:27:45 2010
From: asturluismi at gmail.com (luismi)
Date: Thu, 21 Jan 2010 12:27:45 +0100
Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x
Message-ID: <1264073265.17015.10.camel@hal9000>

Hi all,

I am looking for a Radius solution on which to configure the user accounts of the users of the VPN Concentrator 3030 we have here - that is the primary goal. In the future I would like to use the same radius for 802.1x in the wireless network and maybe some captive portals or similar.

The radius solution should support HA and a web interface to configure the users, do some diagnostics and stats and similar.

The solution should run over linux.

I was checking radiator and freeradius, but I didn't find any details regarding the integration experience on the internet. So I would like to hear about experiences there.

Thanks

From frederic.loui at renater.fr Thu Jan 21 07:40:17 2010
From: frederic.loui at renater.fr (Frederic LOUI)
Date: Thu, 21 Jan 2010 13:40:17 +0100
Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x
In-Reply-To: <1264073265.17015.10.camel@hal9000>
References: <1264073265.17015.10.camel@hal9000>
Message-ID: <4B584B31.3030207@renater.fr>

Hi Luismi,

Freeradius is a good alternative and can be used to cover all the needs you mentioned. Coupled with openldap, you can benefit from having all the LDAP Directory GUI for user creation. In addition, you can use MySQL backend for accounting purposes.

As far as I could find, Freeradius is very popular so that's the reason why we decided to go for it.

Finally, the whole solution can run on LINUX.

Nevertheless, I agree with you that the learning curve is quite difficult. And the documentation is quite "sparse" so that makes things more difficult to grasp. But the time spent on learning the system is worth the result.

Hope this helps,

Cheers,

--
Frederic LOUI / GIP RENATER
Pilotage & Suivi du Réseau
Network Backbone Engineering & Planning
Tel: +33 1 53 94 20 40 / Fax: +33 1 53 94 20 31
loui at renater.fr
http://www.renater.fr

luismi wrote:
> Hi all,
>
> I am looking for a Radius solution to configure on it the user accounts
> of the users of the VPN Concentrator 3030 we have here -that is the
> primary goal-. In the future I would like to use the same radius for
> 802.1x in the wireless network and maybe some captive portals or
> similar.
>
> The radius solution should support HA and a web interface to configure
> the users, do some diagnostics and stats and similar.
>
> The solution should run over linux.
>
> I was checking radiator and freeradius, but I didn't find any details
> regarding the integration experience over internet.
> So I would like to hear from experiences there.
> > Thanks > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From steve at ibctech.ca Thu Jan 21 08:16:04 2010 From: steve at ibctech.ca (Steve Bertrand) Date: Thu, 21 Jan 2010 08:16:04 -0500 Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x In-Reply-To: <4B584B31.3030207@renater.fr> References: <1264073265.17015.10.camel@hal9000> <4B584B31.3030207@renater.fr> Message-ID: <4B585394.4000606@ibctech.ca> Frederic LOUI wrote: > Hi Luismi, > > FreeRADIUS is a good alternative and can be used to cover all the needs > you mentioned. > Coupled with OpenLDAP, you can benefit from having all the LDAP > directory GUIs for user creation. > In addition, you can use a MySQL backend for accounting purposes. > > As far as I could find, FreeRADIUS is very popular, so that's the reason > why we decided to go for it. It supports HA for itself and its database back-ends, and has a web GUI (dialupadmin) for those so inclined, that does everything the OP required of it. > Finally, the whole solution can run on Linux. Most Unix-like OSs have pre-built packages that can be installed via their packaging system. The documentation explains very clearly how to install it onto a myriad of systems. > And the documentation is quite "sparse", so that makes things more > difficult to grasp. Actually, the documentation for FreeRADIUS is quite good. Even the configuration files are full of notes explaining exactly what each config variable does, and how to set it. Also, FreeRADIUS has an extremely active mailing list, where I don't think I've seen a day go by in years where the primary developer (Alan DeKok) hasn't responded to at least one thread. http://freeradius.org http://wiki.freeradius.org Steve From frederic.loui at renater.fr Thu Jan 21 08:27:35 2010
From: frederic.loui at renater.fr (Frederic LOUI) Date: Thu, 21 Jan 2010 14:27:35 +0100 Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x In-Reply-To: <4B585394.4000606@ibctech.ca> References: <1264073265.17015.10.camel@hal9000> <4B584B31.3030207@renater.fr> <4B585394.4000606@ibctech.ca> Message-ID: <4B585647.2000104@renater.fr> Hi Steve, > It supports HA for itself and its database back-ends, and has a web GUI > (dialupadmin) for those so inclined, that does everything the OP > required of it. > > >> Finally, the whole solution can run on Linux. >> > > Most Unix-like OSs have pre-built packages that can be installed via their > packaging system. The documentation explains very clearly how to > install it onto a myriad of systems. > Thanks for the clarification :-) >> And the documentation is quite "sparse", so that makes things more >> difficult to grasp. >> > > Actually, the documentation for FreeRADIUS is quite good. Even the > configuration files are full of notes explaining exactly what each > config variable does, and how to set it. > Ah, great! Do you have, by any chance, some "cookbooks/pointers" related to a FreeRADIUS+OpenLDAP+Cisco IOS / IOS-XR set-up? > Also, FreeRADIUS has an extremely active mailing list, where I don't > think I've seen a day go by in years where the primary developer (Alan > DeKok) hasn't responded to at least one thread. > > http://freeradius.org > http://wiki.freeradius.org > > Steve > Thanks for pointing that out. Regards / Frederic From alex.wilkinson at dsto.defence.gov.au Thu Jan 21 08:35:59 2010
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex) Date: Thu, 21 Jan 2010 21:35:59 +0800 Subject: [c-nsp] cisco 6509 rommon mode [SEC=UNCLASSIFIED] In-Reply-To: <4B573036.3050600@kl.net> References: <20100120071139.983.qmail@f4mail206.rediffmail.com> <4B573036.3050600@kl.net> Message-ID: <20100121133559.GA56085@stlux503.dsto.defence.gov.au> On Wed, Jan 20, 2010 at 11:32:54AM -0500, Kevin Loch wrote: >> Warning: Rommon NVRAM area is corrupted. Initialize the area to default values >> c6k_sup2 processor with 262144 Kbytes of main memory I've been bitten by this exact same bug. You have hit a hardware bug. Please see the field notice: http://www.cisco.com/en/US/ts/fn/200/fn27595.html Had to do an RMA for the SUP to solve this problem (hope you have a support contract in place) :) -Alex IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. From mehdi.badreddine at fr.clara.net Thu Jan 21 09:43:17 2010 From: mehdi.badreddine at fr.clara.net (Mehdi Badreddine) Date: Thu, 21 Jan 2010 14:43:17 -0000 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: <70F55AD71714494087D3F5CF5ED100830598655C@EXVS02.claranet.local> Hi all, Can you recommend a good SSL VPN solution for accessing the office LAN from my desktop computer without having to install client software? We should be able to access machines with ssh, http, imap and https. Are Cisco ASA appliances a good solution for this purpose? In this case, what bundle would one choose for about 50 users? I've already tried Adito, which is a good open source product; it forked into a proprietary solution, SSL Explorer. Regards, Mehdi BADREDDINE System & Network Administrator CLARANET Paris 68, rue du Faubourg Saint-Honoré 75008 PARIS FRANCE From ulici at teleson.ro Thu Jan 21 09:28:36 2010
From: ulici at teleson.ro (Ulici Alexandru) Date: Thu, 21 Jan 2010 16:28:36 +0200 Subject: [c-nsp] cisco 6509 rommon mode [SEC=UNCLASSIFIED] In-Reply-To: <20100121133559.GA56085@stlux503.dsto.defence.gov.au> References: <20100120071139.983.qmail@f4mail206.rediffmail.com> <4B573036.3050600@kl.net> <20100121133559.GA56085@stlux503.dsto.defence.gov.au> Message-ID: Had the same problem, and the same solution (RMA). alex > > On Wed, Jan 20, 2010 at 11:32:54AM -0500, Kevin Loch wrote: > > >> Warning: Rommon NVRAM area is corrupted. Initialize the area to > default values > >> c6k_sup2 processor with 262144 Kbytes of main memory > > I've been bitten by this exact same bug. You have hit a hardware bug. > Please see > the field notice: http://www.cisco.com/en/US/ts/fn/200/fn27595.html > > Had to do an RMA for the SUP to solve this problem (hope you have a > support > contract in place) :) > > -Alex > From asturluismi at gmail.com Thu Jan 21 10:16:04 2010
From: asturluismi at gmail.com (luismi) Date: Thu, 21 Jan 2010 16:16:04 +0100 Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x In-Reply-To: <4B584B31.3030207@renater.fr> References: <1264073265.17015.10.camel@hal9000> <4B584B31.3030207@renater.fr> Message-ID: <1264086964.17015.20.camel@hal9000> Yes, FreeRADIUS could be a solution, but I don't want to spend 2 or more weeks learning how to get the best from the software and how to integrate it in the network without problems. On the other hand, Radiator looks to be great too. The paid support behind it gives me some relief. I don't need to focus on software bugs, integration problems (if it is supported, it must work) and all those things. The global idea is to cover the technical goals, as well as a very short time to deploy it and put it into production. If FreeRADIUS installation+configuration+tuning+web UI+reading the O'Reilly book is more than 2 weeks... it is not acceptable for me (we don't have free physical time for that); we will go for Radiator. And maybe in the future we could move to FreeRADIUS after doing a proof of concept. For me, right now, I think the Radiator solution could be faster, with the same features and results. But as I said in my first email, I am still doing research to make the best decision :D On Thu, 21-01-2010 at 13:40 +0100, Frederic LOUI wrote: > Hi Luismi, > > FreeRADIUS is a good alternative and can be used to cover all the needs > you mentioned. > Coupled with OpenLDAP, you can benefit from having all the LDAP > directory GUIs for user creation. > In addition, you can use a MySQL backend for accounting purposes. > > As far as I could find, FreeRADIUS is very popular, so that's the reason > why we decided to go for it. > > Finally, the whole solution can run on Linux. Nevertheless, I agree with > you that the learning curve is quite difficult. > And the documentation is quite "sparse", so that makes things more > difficult to grasp.
> > But the time spent on learning the system is worth the result. > > Hope this helps, > Cheers, > From me at falz.net Thu Jan 21 11:08:31 2010 From: me at falz.net (Chris Wopat) Date: Thu, 21 Jan 2010 10:08:31 -0600 Subject: [c-nsp] A good SSL VPN Solution ? Message-ID: > Hi all, > > Can you recommend a good SSL VPN solution for accessing the office LAN > from my desktop computer without having to install client software? > We should be able to access machines with ssh, http, imap and https. > > Are Cisco ASA appliances a good solution for this purpose? In this > case, what bundle would one choose for about 50 users? > > I've already tried Adito, which is a good open source product; it > forked into a proprietary solution, SSL Explorer. If you need only a client VPN that tunnels to your network, an ASA with the AnyConnect Essentials license works well and is inexpensive. If you want a more advanced setup that will give your VPN users a "portal" with links to things such as intranet pages, remote desktop sessions, file shares, etc., you should definitely check out Juniper's SSL VPN SA-XXXX (IVE) devices, as they are incredible boxes: http://www.juniper.net/in/en/products-services/security/sa-series/ The downside is that these devices are only SSL VPN endpoints, not firewalls. --Chris From jasonleblanc at gmail.com Thu Jan 21 11:47:24 2010
From: jasonleblanc at gmail.com (Jason LeBlanc) Date: Thu, 21 Jan 2010 09:47:24 -0700 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: On Jan 21, 2010, at 9:08 AM, Chris Wopat wrote: >> Hi all, >> >> Can you recommend a good SSL VPN solution for accessing the office LAN >> from my desktop computer without having to install client software? >> We should be able to access machines with ssh, http, imap and https. >> >> Are Cisco ASA appliances a good solution for this purpose? In this >> case, what bundle would one choose for about 50 users? >> >> I've already tried Adito, which is a good open source product; it >> forked into a proprietary solution, SSL Explorer. > > If you need only a client VPN that tunnels to your network, an ASA with > the AnyConnect Essentials license works well and is inexpensive. If you want a > more advanced setup that will give your VPN users a "portal" with > links to things such as intranet pages, remote desktop sessions, file > shares, etc., you should definitely check out Juniper's SSL VPN SA-XXXX > (IVE) devices, as they are incredible boxes: > > http://www.juniper.net/in/en/products-services/security/sa-series/ > > The downside is that these devices are only SSL VPN endpoints, not firewalls. > > --Chris This is exactly right. I agree 100%. //LeBlanc From jshearer at amedisys.com Thu Jan 21 11:47:58 2010
From: jshearer at amedisys.com (Jason Shearer) Date: Thu, 21 Jan 2010 10:47:58 -0600 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: Keep in mind that Cisco's AnyConnect solution requires a client to be installed. It has a pretty small footprint but a client nonetheless. As Chris stated it is cheap. Like an additional $750 list for a 5520 which will support 750 concurrent sessions. Jason -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Wopat Sent: Thursday, January 21, 2010 10:09 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] A good SSL VPN Solution ? > Hi all, > > Can you recommend a good SSL VPN solution for accessing the office LAN > from my desktop computer without having to install client software? > We should be able to access machines with ssh, http, imap and https. > > Are Cisco ASA appliances a good solution for this purpose? In this > case, what bundle would one choose for about 50 users? > > I've already tried Adito, which is a good open source product; it > forked into a proprietary solution, SSL Explorer. If you need only a client VPN that tunnels to your network, an ASA with the AnyConnect Essentials license works well and is inexpensive. If you want a more advanced setup that will give your VPN users a "portal" with links to things such as intranet pages, remote desktop sessions, file shares, etc., you should definitely check out Juniper's SSL VPN SA-XXXX (IVE) devices, as they are incredible boxes: http://www.juniper.net/in/en/products-services/security/sa-series/ The downside is that these devices are only SSL VPN endpoints, not firewalls. --Chris *** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited.
If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. *** From BBlackford at nwresd.k12.or.us Thu Jan 21 12:03:15 2010 From: BBlackford at nwresd.k12.or.us (Bill Blackford) Date: Thu, 21 Jan 2010 09:03:15 -0800 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: <6069A203FD01884885C037F81DD750801742DA111F@wsc-mail-01.intra.nwresd.k12.or.us> I believe there are additional costs for the SSL licensing on the ASA 5520, and they are fairly high. -b -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Shearer Sent: Thursday, January 21, 2010 8:48 AM To: Chris Wopat; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] A good SSL VPN Solution ? Keep in mind that Cisco's AnyConnect solution requires a client to be installed. It has a pretty small footprint but a client nonetheless. As Chris stated it is cheap. Like an additional $750 list for a 5520 which will support 750 concurrent sessions. Jason
From jshearer at amedisys.com Thu Jan 21 12:10:36 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Thu, 21 Jan 2010 11:10:36 -0600 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: <6069A203FD01884885C037F81DD750801742DA111F@wsc-mail-01.intra.nwresd.k12.or.us> References: <6069A203FD01884885C037F81DD750801742DA111F@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: For "traditional" clientless SSL that is right. It is a per-user cost. With 8.2.1 there is a new license you can purchase called AnyConnect Essentials. It is a flat license with no per-user count. If you have it installed you can ONLY run AnyConnect and not clientless SSL. Jason -----Original Message----- From: Bill Blackford [mailto:BBlackford at nwresd.k12.or.us] Sent: Thursday, January 21, 2010 11:03 AM To: Jason Shearer; Chris Wopat; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] A good SSL VPN Solution ? I believe there are additional costs for the SSL licensing on the ASA 5520, and they are fairly high. -b -----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Shearer Sent: Thursday, January 21, 2010 8:48 AM To: Chris Wopat; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] A good SSL VPN Solution ? Keep in mind that Cisco's AnyConnect solution requires a client to be installed. It has a pretty small footprint but a client nonetheless. As Chris stated it is cheap. Like an additional $750 list for a 5520 which will support 750 concurrent sessions. Jason
From rwest at zyedge.com Thu Jan 21 12:12:14 2010 From: rwest at zyedge.com (Ryan West) Date: Thu, 21 Jan 2010 17:12:14 +0000 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: <5DC4853C6CC3EE4788779E0726E034DD0B1687@zy-ex1.zyedge.local> > -----Original Message----- > To: Chris Wopat; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] A good SSL VPN Solution ? > > Keep in mind that Cisco's AnyConnect solution requires a client to be > installed. It has a pretty small footprint but a client nonetheless. > As Chris stated it is cheap. Like an additional $750 list for a 5520 > which will support 750 concurrent sessions. > It retails at $250 for the 750 user license, but yeah cheap. -ryan From cm at n-home.ru Thu Jan 21 15:31:17 2010
From: cm at n-home.ru (Cyrill Malevanov) Date: Thu, 21 Jan 2010 23:31:17 +0300 Subject: [c-nsp] cisco 6509 rommon mode [SEC=UNCLASSIFIED] In-Reply-To: References: <20100120071139.983.qmail@f4mail206.rediffmail.com> <4B573036.3050600@kl.net> <20100121133559.GA56085@stlux503.dsto.defence.gov.au> Message-ID: <6500AF15-D707-4D2E-82AB-AB35C9EA4045@n-home.ru> SUP2 costs $400. So even if he doesn't have SmartNet, this would not be very expensive. On Jan 21, 2010, at 5:28 PM, Ulici Alexandru wrote: > Had the same problem, and the same solution (RMA). > alex >> >> On Wed, Jan 20, 2010 at 11:32:54AM -0500, Kevin Loch wrote: >> >>>> Warning: Rommon NVRAM area is corrupted. Initialize the area to >> default values >>>> c6k_sup2 processor with 262144 Kbytes of main memory >> >> I've been bitten by this exact same bug. You have hit a hardware bug. >> Please see >> the field notice: http://www.cisco.com/en/US/ts/fn/200/fn27595.html >> >> Had to do an RMA for the SUP to solve this problem (hope you have a >> support >> contract in place) :) >> >> -Alex >> > From bjorn at mork.no Thu Jan 21 15:00:24 2010
From: bjorn at mork.no (Bjørn Mork) Date: Thu, 21 Jan 2010 21:00:24 +0100 Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x In-Reply-To: <1264086964.17015.20.camel@hal9000> (luismi's message of "Thu, 21 Jan 2010 16:16:04 +0100") References: <1264073265.17015.10.camel@hal9000> <4B584B31.3030207@renater.fr> <1264086964.17015.20.camel@hal9000> Message-ID: <87y6jr9qjr.fsf@nemi.mork.no> luismi writes: > Yes, FreeRADIUS could be a solution, but I don't want to spend 2 or > more weeks learning how to get the best from the software and how to > integrate it in the network without problems. > > On the other hand, Radiator looks to be great too. The paid support > behind it gives me some relief. I don't need to focus on software bugs, > integration problems (if it is supported, it must work) and all those > things. Just trying to make your decision more difficult :-) You can get paid support for FreeRADIUS as well: http://networkradius.com/support/ Bjørn From david.freedman at uk.clara.net Thu Jan 21 18:46:16 2010
From: david.freedman at uk.clara.net (David Freedman) Date: Thu, 21 Jan 2010 23:46:16 -0000 Subject: [c-nsp] Mysterious ASIC Message-ID: <7B8B0D6F623C3A40A0D0A80A66756E2B2C343E@EXVS01.claranet.local> Look at this:
#sh ver | in cisco WS-
cisco WS-C2960G-48TC-L (PowerPC405) processor (revision E0) with 0K/4088K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:1 DeviceType:0x2CA
ASIC-1: Version:1 DeviceType:0x2CA
ASIC-2: Version:1 DeviceType:0x2CA
ASIC-3: Version:1 DeviceType:0x2CA
ASIC-4: Version:1 DeviceType:0x2CA
ASIC-5: Version:1 DeviceType:0x2CA
ASIC-6: Version:1 DeviceType:0x2CA
ASIC-7: Version:1 DeviceType:0x2CA
ASIC-8: Version:1 DeviceType:0x2CA
ASIC-9: Version:1 DeviceType:0x2CA
ASIC-10: Version:1 DeviceType:0x2CA
ASIC-11: Version:1 DeviceType:0x2CA
So, the WS-C2960G-48TC-L has 12 port ASICs, for a published 39Mpps of throughput. But now look at this, the 2960-24TC-L, advertised at 6.5Mpps:
#sh ver | in cisco WS-
cisco WS-C2960-24TC-L (PowerPC405) processor (revision H0) with 65536K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:8 DeviceType:0x2C1
Yes, a single 6.5Mpps forwarding ASIC, type 0x2C1. Does anybody know what this new ASIC may be and what else it is used in? ------------------------------------------------ David Freedman Group Network Engineering Claranet Limited http://www.clara.net From globichen at gmail.com Thu Jan 21 19:28:37 2010
From: globichen at gmail.com (Andy B.) Date: Fri, 22 Jan 2010 01:28:37 +0100 Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL In-Reply-To: References: Message-ID: Hi, I just fell over this thread while doing a little research to solve a similar situation. Hardware:
- 6509 with SUP720-3BXL on both ends
- SXF15a
- Uptime: 46 weeks
Problem:
- OSPF (for the loopback between cores) and BGP (mostly customers to whom we send the full table) going up and down all the time:
%OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1 from FULL to DOWN, Neighbor Down: Dead timer expired
%OSPF-5-ADJCHG: Process 1, Nbr x.x.x.131 on TenGigabitEthernet9/1 from LOADING to FULL, Loading Done
%BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent
%BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time expired) 0 bytes
%BGP-5-ADJCHANGE: neighbor y.y.y.14 Up
This keeps going on for several hours, and suddenly it stabilizes itself. Furthermore I use Cacti to generate graphs from the core router via SNMP. I have one VLAN that has around 15 Gbps traffic at peak times, and as soon as I hit more than 15 Gbps, no more graphs are drawn, the core router console becomes rather unresponsive and OSPF starts to behave strangely. What I can rule out is the fiber capacity. I have multiple circuits and different paths and operators. The OSPF issue happens on all circuits, not just a specific one. No 10 GE link is used more than 60%. In fact, traffic from inside my backbone to any place outside remains unaffected (thank God), but the core router itself is pretty useless. Pinging the core's loopback or any IP loaded on that box results in 40-60% packet loss. CPU usage is not high, it's stable. No unusual processes, just IP Input and BGP Scanner. More than 50% memory is still free at that time. I've had this many times recently, but it really just happens when my core goes beyond +- 15 Gbps of traffic (outbound).
We've been below 15 Gbps for 2 years and it never happened at that time. Now all this mess happens almost daily, rendering important billing graphs useless and annoying full table BGP customers. Is this a memory issue, due to the router's long uptime? Would reloading the router help in this case? That's the last thing I would want to do, but if it helps... Cheers, Andy On Fri, Dec 11, 2009 at 5:22 PM, Drew Weaver wrote: > Howdy all, > > Last night I had an interesting encounter on one of my 6509s /w SUP7203-BXL. > > This switch has 3x iBGP sessions with full internet tables and is also running OSPF. > > Two of the three iBGP sessions randomly dropped with: > > %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time expired) 0 bytes, I also noticed that during this period OSPF dropped with Neighbor Down: Dead timer expired > > and then re-established, and then failed again, and re-established, and failed again, and so on, and so on. > > I checked the physical interfaces between this 6500 and the two GSR 12000s it peers with and there were no errors, there was also no obvious spike in traffic that would account for latency that might cause the hold timers to expire. I remember when this system first came online it took a really long time for it to download the full internet tables from the upstream GSRs and also during that time there was a lot of CPU time being eaten up, I am wondering if maybe the first session failing caused sort of a 'performance' domino effect which then caused everything else to fail, the issue eventually corrected itself and stabilized. > > This particular box is running 12.2(18)SXF17 so I am less likely to believe it is a software bug. > > Does anyone have any tips on both how I can avoid the hold timer issue altogether and also how I can make it so that if a session does go down and re-establish it doesn't totally nail the CPU while it's trying to re-establish/download the routes?
A long time ago I also read that increasing the MTU on both ends of a circuit can make BGP tables download faster; I don't know if that's true or not. Has anyone else found that? > > thanks, > -Drew > From jasonleblanc at gmail.com Thu Jan 21 19:53:18 2010
From: jasonleblanc at gmail.com (Jason LeBlanc) Date: Thu, 21 Jan 2010 17:53:18 -0700 Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL In-Reply-To: References: Message-ID: Can you send your OSPF config? On Jan 21, 2010, at 5:28 PM, Andy B. wrote: > Hi, > > I just fell over this thread while doing a little research to solve a > similar situation. > > Hardware: > > - 6509 with SUP720-3BXL on both ends > - SXF15a > - Uptime: 46 weeks > > Problem: > > - OSPF (for the loopback between cores) and BGP (mostly customers to whom > we send the full table) going up and down all the time: > > %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1 from > FULL to DOWN, Neighbor Down: Dead timer expired > %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.131 on TenGigabitEthernet9/1 from > LOADING to FULL, Loading Done > %BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent > %BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time expired) 0 bytes > %BGP-5-ADJCHANGE: neighbor y.y.y.14 Up > > This keeps going on for several hours, and suddenly it stabilizes itself. > > Furthermore I use Cacti to generate graphs from the core router via > SNMP. I have one VLAN that has around 15 Gbps traffic at peak times, > and as soon as I hit more than 15 Gbps, no more graphs are drawn, the core > router console becomes rather unresponsive and OSPF starts to behave > strangely. > > What I can rule out is the fiber capacity. I have multiple circuits > and different paths and operators. The OSPF issue happens on all > circuits, not just a specific one. No 10 GE link is used more than > 60%. In fact, traffic from inside my backbone to any place outside > remains unaffected (thank God), but the core router itself is pretty > useless. Pinging the core's loopback or any IP loaded on that box > results in 40-60% packet loss. > > CPU usage is not high, it's stable. No unusual processes, just IP > Input and BGP Scanner. More than 50% memory is still free at that > time.
>
> I've had this many times recently, but it really just happens when my
> core goes beyond +- 15 GBPS of traffic (outbound). We've been below 15
> GBPS for 2 years and it never happened at that time. Now all this mess
> happens almost daily, rendering important billing graphs useless and
> annoying full table BGP customers.
>
> Is this a memory issue, due to the router's long uptime? Would
> reloading the router help in this case? That's the last thing I would
> want to do, but if it helps...
>
> Cheers,
>
> Andy
>
> On Fri, Dec 11, 2009 at 5:22 PM, Drew Weaver wrote:
>> Howdy all,
>>
>> Last night I had an interesting encounter on one of my 6509s /w SUP720-3BXL.
>>
>> This switch has 3x iBGP sessions with full internet tables and is also running OSPF.
>>
>> Two of the three iBGP sessions randomly dropped with:
>>
>> %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time expired) 0 bytes, I also noticed that during this period OSPF dropped with Neighbor Down: Dead timer expired
>>
>> and then re-established, and then failed again, and re-established, and failed again, and so on, and so on.
>>
>> I checked the physical interfaces between this 6500 and the two GSR 12000s it peers with and there were no errors; there was also no obvious spike in traffic that would account for latency that might cause the hold timers to expire. I remember when this system first came online it took a really long time for it to download the full internet tables from the upstream GSRs, and also during that time there was a lot of CPU time being eaten up. I am wondering if maybe the first session failing caused sort of a 'performance' domino effect which then caused everything else to fail; the issue eventually corrected itself and stabilized.
>>
>> This particular box is running 12.2(18)SXF17 so I am less likely to believe it is a software bug.
>>
>> Does anyone have any tips on both how I can avoid the hold timer issue altogether and also how I can make it so that if a session does go down and re-establish it doesn't totally nail the CPU while it's trying to re-establish/download the routes? A long time ago I also read that increasing the MTU on both ends of a circuit can make BGP tables download faster; I don't know if that's true or not, has anyone else found that?
>>
>> thanks,
>> -Drew
>>

From globichen at gmail.com  Thu Jan 21 20:06:53 2010
From: globichen at gmail.com (Andy B.)
Date: Fri, 22 Jan 2010 02:06:53 +0100
Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
In-Reply-To:
References:
Message-ID:

Hi,

here we go:

Core router that is causing headaches:

interface Loopback0
 ip address x.x.x.130 255.255.255.255

interface TenGigabitEthernet9/1
 ip address y.y.y.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no cdp enable

router ospf 1
 router-id x.x.x.130
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface TenGigabitEthernet8/1
 no passive-interface TenGigabitEthernet9/1
 no passive-interface TenGigabitEthernet9/2
 network y.y.y.0 0.0.0.3 area 0
 network y.y.y.4 0.0.0.3 area 0
 network y.y.y.8 0.0.0.3 area 0

Adjacent router (one of them):

interface Loopback0
 ip address x.x.x.131 255.255.255.255

interface TenGigabitEthernet4/1
 ip address y.y.y.2 255.255.255.252
 no ip redirects
 no ip proxy-arp

router ospf 1
 router-id x.x.x.131
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface TenGigabitEthernet4/1
 network y.y.y.0 0.0.0.3 area 0

I hope this helps...

Andy

On Fri, Jan 22, 2010 at 1:53 AM, Jason LeBlanc wrote:
> Can you send your OSPF config?
>
> On Jan 21, 2010, at 5:28 PM, Andy B. wrote:
>
>> [...]
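The `%OSPF-5-ADJCHG ... Dead timer expired` and `%BGP-3-NOTIFICATION ... 4/0 (hold time expired)` lines Andy quoted earlier in this thread are the signals a NOC would alert on. The following is an added example, not code from the thread, that parses constructed syslog lines in those IOS formats, counts timer expiries per neighbor, and pairs OSPF dead-timer expiries with BGP hold-timer expiries that fall within a short window, the pattern that points at a control-plane problem on the box rather than at one link; the syslog year (2010) and all timestamps and addresses are assumptions for the example.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts proto neighbor reason")

# Constructed sample syslog in the IOS message formats quoted in this thread
# (%OSPF-5-ADJCHG, %BGP-3-NOTIFICATION, %BGP-5-ADJCHANGE). Timestamps and
# addresses are made up for the example.
SAMPLE_LOG = """\
Jan 21 20:01:02.101: %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Jan 21 20:01:05.404: %BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time expired) 0 bytes
Jan 21 20:01:05.405: %BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent
Jan 21 20:01:48.220: %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1 from LOADING to FULL, Loading Done
Jan 21 20:02:31.009: %BGP-5-ADJCHANGE: neighbor y.y.y.14 Up
Jan 21 20:09:12.717: %BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time expired) 0 bytes
Jan 21 20:09:12.718: %BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent
Jan 21 20:10:40.000: %BGP-5-ADJCHANGE: neighbor y.y.y.14 Up
Jan 21 23:30:00.000: %BGP-3-NOTIFICATION: received from neighbor y.y.y.22 6/4 (cease) 0 bytes
"""

# IOS timestamp without a year, followed by the message body.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: (?P<msg>.*)$")
# Only adjacency changes *to DOWN* carry a "Neighbor Down:" reason.
OSPF_DOWN_RE = re.compile(
    r"%OSPF-5-ADJCHG: Process \d+, Nbr (?P<nbr>\S+) on \S+ from \S+ to DOWN, "
    r"Neighbor Down: (?P<reason>.+)$")
# BGP NOTIFICATION with its error code/subcode, e.g. "4/0 (hold time expired)".
BGP_NOTIF_RE = re.compile(
    r"%BGP-3-NOTIFICATION: (?:sent to|received from) neighbor (?P<nbr>\S+) "
    r"(?P<code>\d+)/(?P<sub>\d+) \((?P<reason>[^)]*)\)")


def parse_events(text, year=2010):
    """Turn raw syslog text into Event records (OSPF downs and BGP notifications)."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        # Syslog carries no year; the caller supplies one (assumed 2010 here).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        msg = m.group("msg")
        o = OSPF_DOWN_RE.search(msg)
        if o:
            events.append(Event(ts, "ospf", o.group("nbr"), o.group("reason")))
            continue
        b = BGP_NOTIF_RE.search(msg)
        if b:
            # RFC 4271 error code 4 is Hold Timer Expired; IOS prints it as 4/0.
            reason = "hold timer expired" if b.group("code") == "4" else b.group("reason")
            events.append(Event(ts, "bgp", b.group("nbr"), reason))
    return events


def timer_expiry_counts(events):
    """Count OSPF dead-timer and BGP hold-timer expiries per (protocol, neighbor)."""
    return Counter((e.proto, e.neighbor) for e in events
                   if e.reason.lower().startswith(("dead timer", "hold timer")))


def correlate(events, window=timedelta(seconds=30)):
    """Pair each OSPF dead-timer expiry with BGP hold-timer expiries within `window`.

    Both protocols losing their keepalives at the same moment means the router
    is not processing control-plane traffic, whatever the individual links do.
    """
    ospf = [e for e in events if e.proto == "ospf" and e.reason.lower().startswith("dead timer")]
    bgp = [e for e in events if e.proto == "bgp" and e.reason.lower().startswith("hold timer")]
    return [(o, b) for o in ospf for b in bgp if abs(b.ts - o.ts) <= window]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, n in sorted(timer_expiry_counts(evs).items()):
        print(f"{key[0]:4s} {key[1]:12s} timer expiries: {n}")
    for o, b in correlate(evs):
        print(f"correlated: OSPF {o.neighbor} down at {o.ts:%H:%M:%S}, "
              f"BGP {b.neighbor} hold timer expired at {b.ts:%H:%M:%S}")
```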
From madunix at gmail.com  Fri Jan 22 01:57:17 2010
From: madunix at gmail.com (madunix)
Date: Fri, 22 Jan 2010 08:57:17 +0200
Subject: [c-nsp] mysql update
Message-ID: <4d3f56c91001212257j20bb9160kb2c083097627f05f@mail.gmail.com>

I have the following update procedure that updates a MySQL DB over the internet between a source Linux CentOS box (local machine on my net behind a DMZ with real IP A.B.C.D) and a target Linux Fedora box (web server www.myweb.com) every day at a specific time, 18:00, through a crontab on my source Linux server.

server(source) ---DMZ---ASA---Router-----Internet----HostingCompany---Myweb(target)

[root at source]# mysql -u updatex -p -h www.myweb.com test < sample.SQL

[root at source]$ mysql -u updatex -p -h www.myweb.com test < sample.SQL
Enter password: *****
CURTIME()
19:41:44
CURTIME()
19:50:09

[root at source]$ mysql -u updatex -p -h www.myweb.com test < sample.SQL
Enter password:*****
CURTIME()
08:26:08
CURTIME()
08:26:34

I did the above procedure multiple times at different times of the day. The duration of this procedure ranges from 22 sec to 10 min, see above....; a while ago it was running consistently with a duration of 30 sec. I checked with my ISP, hosting company and network; nothing has been changed in the structure/configuration.....

[root at source]# lsof -i -P | grep 3306
mysqld   3806 mysql  11u  IPv4  10926  TCP *:3306 (LISTEN)
mysql   15150 user    3u  IPv4 297528  TCP 192.168.10.5:8376->www.myweb.com:3306 (ESTABLISHED)

[root at target]# netstat -a |grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 www.myweb.:mysql        A.B.C.D:8366            TIME_WAIT
tcp        0     11 www.myweb.:mysql        A.B.C.D:8372            ESTABLISHED

I also attached the TCP connections between the nodes as above, from source and target. Can anyone help with why I have this behavior and how I can fix the delay? I am thinking of doing QoS, or a clean up and remote execution at that time...

Thanks

From skoal at skoal.name  Fri Jan 22 03:07:42 2010
From: skoal at skoal.name (Gergely Antal)
Date: Fri, 22 Jan 2010 09:07:42 +0100
Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
In-Reply-To:
References:
Message-ID: <20100122090742.565d4609@roadrunner.skoal.name>

Just a thought:

sh ip bgp neighbors | i Datagrams

Maybe one router tries to negotiate the session with a low datagram size and the update storm floods the connection.

On Fri, 22 Jan 2010 02:06:53 +0100
"Andy B." wrote:

> Hi,
>
> here we go:
>
> Core router that is causing headaches:
>
> [...]
>
> I hope this helps...
>
> Andy
>
>
> On Fri, Jan 22, 2010 at 1:53 AM, Jason LeBlanc wrote:
>> Can you send your OSPF config?
>>
>> On Jan 21, 2010, at 5:28 PM, Andy B. wrote:
>>
>>> [...]
From bandwidth.user at gmail.com  Fri Jan 22 05:00:49 2010
From: bandwidth.user at gmail.com (roy)
Date: Fri, 22 Jan 2010 18:00:49 +0800
Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
In-Reply-To: <20100122090742.565d4609@roadrunner.skoal.name>
References: <20100122090742.565d4609@roadrunner.skoal.name>
Message-ID: <4B597751.5020600@gmail.com>

We had a somewhat similar problem with OSPF/BGP which was eventually resolved by making the link MTU uniform across the links. Let me know if this helps.

On Friday, 22 January, 2010 04:07 PM, Gergely Antal wrote:
>
> just a thought :
> sh ip bgp neighbors | i Datagrams
>
> maybe one router tries to negotiate the session with low datagram size
> and the update storm floods the connection.
>
>
> On Fri, 22 Jan 2010 02:06:53 +0100
> "Andy B." wrote:
>
>> [...]
From globichen at gmail.com  Fri Jan 22 05:26:39 2010
From: globichen at gmail.com (Andy B.)
Date: Fri, 22 Jan 2010 11:26:39 +0100
Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
In-Reply-To: <4B597751.5020600@gmail.com>
References: <20100122090742.565d4609@roadrunner.skoal.name> <4B597751.5020600@gmail.com>
Message-ID:

MTU is 1500 on all links:

Core 1:

#sh int te9/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
#sh int te9/2 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
#sh int te8/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 2:

#sh int te4/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 3:

#sh int te4/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 4:

#sh int te4/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 1 is physically connected to 2, 3 and 4 (star topology). BGP is fully meshed - no route reflector.

Andy

On Fri, Jan 22, 2010 at 11:00 AM, roy wrote:
> We had a somewhat similar problem with ospf/bgp which was eventually
> resolved by making link mtu uniform across the links. Let me know if this
> helps.
>
> On Friday, 22 January, 2010 04:07 PM, Gergely Antal wrote:
>>
>> just a thought :
>> sh ip bgp neighbors | i Datagrams
>>
>> maybe one router tries to negotiate the session with low datagram size
>> and the update storm floods the connection.
>>
>>
>> On Fri, 22 Jan 2010 02:06:53 +0100
>> "Andy B." wrote:
>>
>>> [...]
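Gergely's `sh ip bgp neighbors | i Datagrams` hint and roy's uniform-MTU advice can be turned into a routine check. The following is an added example, not code from the thread, that parses constructed output in the format of the `MTU ... bytes` line Andy quoted and of the `Datagrams (max data segment is N bytes)` line from `show ip bgp neighbors`, reports interfaces whose MTU differs from the rest, and flags BGP sessions whose negotiated segment size does not match a 1500-byte link (1460 bytes after 40 bytes of IPv4 and TCP headers); interface names, neighbor addresses and all values are made up.

```python
import re
from collections import Counter

# Constructed sample output. The MTU lines follow the `sh int ... | i MTU`
# output quoted in the thread (that command prints no interface name, so the
# captured line is keyed by interface here); the BGP text follows the layout
# of `show ip bgp neighbors` with its "Datagrams (max data segment ...)" line.
INT_MTU_OUTPUT = {
    "TenGigabitEthernet9/1": "  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,",
    "TenGigabitEthernet9/2": "  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,",
    "TenGigabitEthernet8/1": "  MTU 9216 bytes, BW 10000000 Kbit, DLY 10 usec,",
}

BGP_NEIGHBORS_OUTPUT = """\
BGP neighbor is y.y.y.2,  remote AS 65000, internal link
  Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Datagrams (max data segment is 1460 bytes):
Rcvd: 140232 (out of order: 0, with data: 71044, total data bytes: 4309127)
BGP neighbor is y.y.y.6,  remote AS 65000, internal link
  Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Datagrams (max data segment is 536 bytes):
Rcvd: 1203 (out of order: 0, with data: 811, total data bytes: 54021)
BGP neighbor is y.y.y.14,  remote AS 65001, external link
  Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Datagrams (max data segment is 1436 bytes):
Rcvd: 9021 (out of order: 0, with data: 4410, total data bytes: 1209811)
"""

MTU_RE = re.compile(r"\bMTU (\d+) bytes")
NBR_RE = re.compile(r"^BGP neighbor is (\S+?),")
MSS_RE = re.compile(r"Datagrams \(max data segment is (\d+) bytes\)")

IP_TCP_HEADERS = 40    # 20-byte IPv4 header + 20-byte TCP header, no options
IOS_DEFAULT_MSS = 536  # segment size IOS TCP falls back to without path MTU discovery


def parse_interface_mtus(output_by_interface):
    """Map interface name -> configured MTU from captured `show interfaces` lines."""
    mtus = {}
    for ifname, line in output_by_interface.items():
        m = MTU_RE.search(line)
        if m:
            mtus[ifname] = int(m.group(1))
    return mtus


def parse_bgp_mss(text):
    """Map BGP neighbor -> negotiated max data segment from `show ip bgp neighbors`."""
    mss, current = {}, None
    for line in text.splitlines():
        n = NBR_RE.match(line)
        if n:
            current = n.group(1)   # every following line belongs to this neighbor
            continue
        s = MSS_RE.search(line)
        if s and current:
            mss[current] = int(s.group(1))
    return mss


def mtu_outliers(mtus):
    """Interfaces whose MTU differs from the most common value (roy's uniformity check)."""
    if not mtus:
        return []
    common = Counter(mtus.values()).most_common(1)[0][0]
    return sorted(i for i, v in mtus.items() if v != common)


def expected_mss(link_mtu):
    """Largest TCP segment that fits a link of `link_mtu` without fragmentation."""
    return link_mtu - IP_TCP_HEADERS


def check_bgp_mss(mss_by_neighbor, link_mtu=1500):
    """Classify each session's negotiated segment size against the link MTU."""
    want = expected_mss(link_mtu)
    findings = {}
    for nbr, mss in sorted(mss_by_neighbor.items()):
        if mss == want:
            findings[nbr] = "ok"
        elif mss == IOS_DEFAULT_MSS:
            findings[nbr] = (f"{IOS_DEFAULT_MSS}-byte MSS: TCP path MTU discovery is probably "
                             f"not enabled for this session, so a full-table update is sent "
                             f"in roughly {want // IOS_DEFAULT_MSS + 1}x as many segments")
        elif mss < want:
            findings[nbr] = (f"MSS {mss} is below the {want} expected for a {link_mtu}-byte "
                             f"link: check for a smaller MTU somewhere in the path")
        else:
            findings[nbr] = f"MSS {mss} exceeds the {want} expected for a {link_mtu}-byte link"
    return findings


if __name__ == "__main__":
    mtus = parse_interface_mtus(INT_MTU_OUTPUT)
    print("MTU outliers:", mtu_outliers(mtus) or "none")
    for nbr, finding in check_bgp_mss(parse_bgp_mss(BGP_NEIGHBORS_OUTPUT)).items():
        print(f"{nbr:10s} {finding}")
```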
From david.freedman at uk.clara.net  Fri Jan 22 08:15:59 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 22 Jan 2010 13:15:59 -0000
Subject: [c-nsp] CSCsu45425 fix for 12K GRP-B
Message-ID: <7B8B0D6F623C3A40A0D0A80A66756E2B2C3449@EXVS01.claranet.local>

Notice there are no fixed 12K GRP-B images (12.0(33)S2) on cco yet as fix for this, I know GRP-B is nearing end of s/w maint support (Aug 10) but since we didn't hit this already, can I assume that a GRP-B compile will be forthcoming?

Dave.

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From swmike at swm.pp.se Fri Jan 22 08:45:00 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 22 Jan 2010 14:45:00 +0100 (CET)
Subject: [c-nsp] CSCsu45425 fix for 12K GRP-B
In-Reply-To: <7B8B0D6F623C3A40A0D0A80A66756E2B2C3449@EXVS01.claranet.local>
References: <7B8B0D6F623C3A40A0D0A80A66756E2B2C3449@EXVS01.claranet.local>
Message-ID:

On Fri, 22 Jan 2010, David Freedman wrote:

> Notice there are no fixed 12K GRP-B images (12.0(33)S2) on cco yet as
> fix for this, I know GRP-B is nearing end of s/w maint support (Aug 10)
> but since we didn't hit this already, can I assume that a GRP-B compile
> will be forthcoming?

http://www.cisco.com/en/US/products/hw/routers/ps167/prod_eol_notice09186a008032d52d.html

It went End-of-support end of March 2009 and is now considered obsolete and no further compiles will be available for it.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From david.freedman at uk.clara.net Fri Jan 22 09:01:13 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 22 Jan 2010 14:01:13 +0000
Subject: [c-nsp] CSCsu45425 fix for 12K GRP-B
In-Reply-To:
References: <7B8B0D6F623C3A40A0D0A80A66756E2B2C3449@EXVS01.claranet.local>
Message-ID: <511F9F08-D6BC-4ECE-A7E8-9DAA204D4ADD@uk.clara.net>

Argh, of course GRP-B != GRP-B *memory* :(

On 22 Jan 2010, at 13:45, "Mikael Abrahamsson" wrote:

> On Fri, 22 Jan 2010, David Freedman wrote:
>
>> Notice there are no fixed 12K GRP-B images (12.0(33)S2) on cco yet
>> as fix for this, I know GRP-B is nearing end of s/w maint support
>> (Aug 10) but since we didn't hit this already, can I assume that a
>> GRP-B compile will be forthcoming?
>
> http://www.cisco.com/en/US/products/hw/routers/ps167/prod_eol_notice09186a008032d52d.html
>
> It went End-of-support end of March 2009 and is now considered
> obsolete and no further compiles will be available for it.
>
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

From r.tahina at moov.mg Fri Jan 22 08:02:04 2010
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Fri, 22 Jan 2010 16:02:04 +0300
Subject: [c-nsp] SSL max MTU
Message-ID: <7.0.1.0.2.20100122155842.01060188@moov.mg>

Hi all,

For about 2 days, we have customers connecting to secure (ssl) web site cannot get connected, I found that lowering the MTU can solve that for end user may 1400 instead of default 1500, do ISP need to change their own MTU and which value to use?

Regards.

From eriks at nationalfastfreight.com Fri Jan 22 09:43:19 2010
From: eriks at nationalfastfreight.com (Erik Soosalu)
Date: Fri, 22 Jan 2010 09:43:19 -0500
Subject: [c-nsp] Mysterious ASIC
In-Reply-To: <7B8B0D6F623C3A40A0D0A80A66756E2B2C343E@EXVS01.claranet.local>
References: <7B8B0D6F623C3A40A0D0A80A66756E2B2C343E@EXVS01.claranet.local>
Message-ID: <0B224A2FE01CC54C860290D42474BF60041127F3@exchange.nff.local>

Apparently not very new (as some of this gear is 2.5 years old) and used in a lot of stuff...

#sh version | i cisco WS-
cisco WS-C3560-24PS (PowerPC405) processor (revision U0) with 122880K/8184K bytes of memory.
vau1sw-01#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:8 DeviceType:0x2C1
#

#sh ver | i cisco WS-
cisco WS-C3560-8PC (PowerPC405) processor (revision A0) with 131072K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:8 DeviceType:0x2C1

#sh ver | i cisco WS-
cisco WS-C2960-8TC-L (PowerPC405) processor (revision A0) with 65536K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:8 DeviceType:0x2C1

#sh ver | i cisco WS-
cisco WS-C2960-48TT-L (PowerPC405) processor (revision D0) with 65536K bytes of memory.
con1sw-04#sh pla
con1sw-04#sh platform port-asic versi
Port-Asic Version Info:
========================
ASIC-0: Version:8 DeviceType:0x2C1
ASIC-1: Version:8 DeviceType:0x2C1

#sh ver | i cisco WS-
cisco WS-C3560-48PS (PowerPC405) processor (revision N0) with 131072K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:8 DeviceType:0x2C1
ASIC-1: Version:8 DeviceType:0x2C1

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
Sent: Thursday, January 21, 2010 6:46 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Mysterious ASIC

Look at this:

#sh ver | in cisco WS-
cisco WS-C2960G-48TC-L (PowerPC405) processor (revision E0) with 0K/4088K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:1 DeviceType:0x2CA
ASIC-1: Version:1 DeviceType:0x2CA
ASIC-2: Version:1 DeviceType:0x2CA
ASIC-3: Version:1 DeviceType:0x2CA
ASIC-4: Version:1 DeviceType:0x2CA
ASIC-5: Version:1 DeviceType:0x2CA
ASIC-6: Version:1 DeviceType:0x2CA
ASIC-7: Version:1 DeviceType:0x2CA
ASIC-8: Version:1 DeviceType:0x2CA
ASIC-9: Version:1 DeviceType:0x2CA
ASIC-10: Version:1 DeviceType:0x2CA
ASIC-11: Version:1 DeviceType:0x2CA

So, the WS-C2960G-48TC-L has 12 Port ASICs, for a published 39Mpps of throughput.

But now look at this, the 2960-24TC-L advertised at 6.5Mpps:

#sh ver | in cisco WS-
cisco WS-C2960-24TC-L (PowerPC405) processor (revision H0) with 65536K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:8 DeviceType:0x2C1

Yes, a single 6.5Mpps forwarding ASIC, type 0x2C1

Does anybody know what this new ASIC may be and what else it is used in?

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From madunix at gmail.com Fri Jan 22 11:34:43 2010
From: madunix at gmail.com (madunix)
Date: Fri, 22 Jan 2010 18:34:43 +0200
Subject: [c-nsp] Bandwidth Throttling for HOST
Message-ID: <4d3f56c91001220834q81d9027ycb7009a982a735e@mail.gmail.com>

my office network is connected to net via leasedline speed 2Mbps

backup---Internet--- Router ---ASA--DMZ--HOST

HOST got eth0:DMZ IP w.x.y.z and eth1:LAN IP a.b.c.d

I want to take backup remotely of this server from outside through the net, to speed up the backup i am looking to control the amount of bandwidth (perform some sort of Quality of Service QOS) for this (HOST) using a Cisco ASA for specific time 22:00-24:00 in order to take the backup in short time.

i want to have full bw or limiting bandwidth to this particular IP address (HOST) use e.g. 1.5Mbps of the bandwidth could i implement this in asa or cisco router and how?

Thanks

From walter.keen at RainierConnect.net Fri Jan 22 12:41:06 2010
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Fri, 22 Jan 2010 09:41:06 -0800
Subject: [c-nsp] Cisco 7600 BGP route-map processing
Message-ID: <4B59E332.6020003@rainierconnect.net>

I was curious if route-map processing in BGP neighbor statements is done in software or hardware on the 7600/rsp7203cxl and 7600/sup7203b.

Mostly looking at route-maps to define blocks to advertise, and set communities, as well as perform actions based on communities (control level of prepending to certain upstream peers (prepend 3x to provider A, but 1x to provider C), or the exit point to upstream peers based on the set communities (likely by setting next-hop ip for egress traffic)) and wondering if this will have a significant impact on the CPU. Total bgp routes are probably <50, and bandwidth through any one link is typically <100mbit (each router has 3 links)

-- 
Walter Keen
Network Technician
Rainier Connect

From rodunn at cisco.com Fri Jan 22 13:04:37 2010
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 22 Jan 2010 13:04:37 -0500
Subject: [c-nsp] Cisco 7600 BGP route-map processing
In-Reply-To: <4B59E332.6020003@rainierconnect.net>
References: <4B59E332.6020003@rainierconnect.net>
Message-ID: <4B59E8B5.7090206@cisco.com>

Software.

Rodney

On 1/22/10 12:41 PM, Walter Keen wrote:
> I was curious if route-map processing in BGP neighbor statements is done
> in software or hardware on the 7600/rsp7203cxl and 7600/sup7203b.
>
> Mostly looking at route-maps to define blocks to advertise, and set
> communities, as well as perform actions based on communities (control
> level of prepending to certain upstream peers(prepend 3x to provider A,
> but 1x to provider C), or the exit point to upstream peers based on the
> set communities(likely by setting next-hop ip for egress traffic)) and
> wondering if this will have a significant impact on the CPU. Total bgp
> routes are probably <50, and bandwidth through any one link is typically
> <100mbit (each router has 3 links)
>

From gert at greenie.muc.de Fri Jan 22 14:14:34 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 22 Jan 2010 20:14:34 +0100
Subject: [c-nsp] Cisco 7600 BGP route-map processing
In-Reply-To: <4B59E332.6020003@rainierconnect.net>
References: <4B59E332.6020003@rainierconnect.net>
Message-ID: <20100122191434.GE857@greenie.muc.de>

Hi,

On Fri, Jan 22, 2010 at 09:41:06AM -0800, Walter Keen wrote:
> I was curious if route-map processing in BGP neighbor statements is done
> in software or hardware on the 7600/rsp7203cxl and 7600/sup7203b.

Software.

The only thing "normal" routers do "in hardware" is "move packets" (with everything that this entails, like "ACL checking" or "netflow accounting").

The CRS-1 architecture can have dedicated CPU cards for BGP processing, but it's still "software".

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL:

From gert at greenie.muc.de Fri Jan 22 14:34:26 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 22 Jan 2010 20:34:26 +0100
Subject: [c-nsp] SSL max MTU
In-Reply-To: <7.0.1.0.2.20100122155842.01060188@moov.mg>
References: <7.0.1.0.2.20100122155842.01060188@moov.mg>
Message-ID: <20100122193426.GG857@greenie.muc.de>

Hi,

On Fri, Jan 22, 2010 at 04:02:04PM +0300, RAZAFINDRATSIFA Rivo Tahina wrote:
> For about 2 days, we have customers connecting to secure (ssl) web
> site can not get connected, I found that lowering the MTU can solve
> that for end user may 1400 instead of default 1500, do ISP need to
> change their own MTU and which value to use?

Problems with MTU hint at path MTU discovery problems - and those are usually a consequence of overzealous ICMP blocking.

Did you, per chance, install a new firewall two days ago?

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL:

From james at mor-pah.net Fri Jan 22 14:26:56 2010
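As an added example for the SSL/MTU exchange above (not code from the list or from either poster), a simulation of why blocking ICMP breaks path MTU discovery and why Rivo's workaround of a 1400-byte client MTU happens to work. A sender with the DF bit set depends on the hop with the smaller link MTU returning an ICMPv4 "fragmentation needed" (type 3, code 4) message; if a firewall drops that message the oversized packets disappear silently (a PMTUD black hole) and the TLS handshake, whose certificate-bearing records are the first full-size packets, never completes. The hop MTUs and the firewall policies are constructed for the illustration, not measured from any real path.

```python
"""Path MTU discovery (PMTUD) simulation with and without ICMP filtering.

Added example: models a sender probing a constructed path of link MTUs with
DF-set packets.  A hop whose MTU is smaller than the packet answers with
ICMP "fragmentation needed"; the sender only learns the smaller size if the
firewall in front of it lets that ICMP through.
"""

# ICMPv4 Destination Unreachable (type 3), code 4 = Fragmentation Needed and DF set
ICMP_FRAG_NEEDED = (3, 4)


class FirewallPolicy:
    """Minimal model of an ICMP filter: the set of (type, code) pairs it permits."""

    def __init__(self, allowed_icmp):
        self.allowed = set(allowed_icmp)

    def permits(self, type_code):
        return type_code in self.allowed


def simulate_pmtud(sender_mtu, path_mtus, firewall, max_probes=16):
    """Return the packet size PMTUD settles on, or None for a black hole.

    sender_mtu: size of the DF packets the sender starts with (its own MTU).
    path_mtus:  link MTU of each hop along the path, in path order.
    firewall:   FirewallPolicy between the path and the sender; it decides
                whether the hop's ICMP reply ever reaches the sender.
    """
    size = sender_mtu
    for _ in range(max_probes):
        # first hop that cannot carry the packet unfragmented (DF is set)
        bottleneck = next((mtu for mtu in path_mtus if mtu < size), None)
        if bottleneck is None:
            return size                     # fits every hop: delivered end to end
        if not firewall.permits(ICMP_FRAG_NEEDED):
            return None                     # packet dropped, no ICMP: black hole
        size = bottleneck                   # ICMP carried the next-hop MTU; retry smaller
    return None


def mss_for_mtu(mtu, ip_header=20, tcp_header=20):
    """TCP MSS a client should advertise (or a router clamp) for a given MTU."""
    return mtu - ip_header - tcp_header


# Constructed path: a PPPoE-sized hop (1492) and a tunnel-sized hop (1476).
SAMPLE_PATH = [1500, 1492, 1476, 1500]
ICMP_OPEN = FirewallPolicy({ICMP_FRAG_NEEDED, (0, 0), (8, 0)})   # echo + frag-needed
ICMP_CLOSED = FirewallPolicy({(0, 0), (8, 0)})                   # "only ping" filter

if __name__ == "__main__":
    print("ICMP allowed, MTU 1500 :", simulate_pmtud(1500, SAMPLE_PATH, ICMP_OPEN))
    print("ICMP blocked, MTU 1500 :", simulate_pmtud(1500, SAMPLE_PATH, ICMP_CLOSED))
    print("ICMP blocked, MTU 1400 :", simulate_pmtud(1400, SAMPLE_PATH, ICMP_CLOSED))
    print("MSS for MTU 1400       :", mss_for_mtu(1400))
```

With ICMP type 3 code 4 permitted the sender converges on 1476 bytes; with it filtered the same 1500-byte sender gets nothing back and the connection hangs; a client already at 1400 bytes never exceeds any hop and works without PMTUD at all, which is exactly the symptom pattern in the thread. The fix belongs on the firewall (permit the fragmentation-needed message, and the ICMPv6 Packet Too Big equivalent for v6), not on every end user's MTU.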
From: james at mor-pah.net (James Greig)
Date: Fri, 22 Jan 2010 19:26:56 -0000
Subject: [c-nsp] 6509 problem
Message-ID: <001e01ca9b98$dc046410$940d2c30$@net>

Hi,

Recently bought a standard 6509 + highspeed fan along with a WS-SUP32-GE-3B and 2x WS-X6148A-RJ-45.

The 6500 boots up fine with the sup32, however, when it runs a diagnostic on the two switch modules (WS-X6148A-RJ-45) it fails stating:

*Feb 28 22:29:29.055: %DIAG-SP-3-MAJOR: Module 1: Online Diagnostics detected a Major Error. Please use 'show diagnostic result ' to see test results.
*Feb 28 22:29:29.059: %CONST_DIAG-SP-3-BOOTUP_TEST_FAIL: Module 1: TestLoopback failed on port(s) 1-48
*Feb 28 22:29:29.987: %OIR-SP-3-LC_FAILURE: Module 1 has Major online diagnostic failure, Card will be reset to re-run diagnostic. Please check sup-bootflash diaginfo file for previous detailed diagnostic result.

Both switch modules are reporting the above, any help is really appreciated on this as I'm stumped.

Mod Ports Card Type                              Model
--- ----- -------------------------------------- ------------------
  1   48  48-port 10/100 RJ45 Ethernet Module    WS-X6148A-RJ-45
  2   48  48-port 10/100 RJ45 Ethernet Module    WS-X6148A-RJ-45
  5    9  Supervisor Engine 32 8GE (Active)      WS-SUP32-GE-3B

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  001c.582d.0c30 to 001c.582d.0c5f   3.5   8.4(1)       12.2(33)SXI2 PwrDown
  2  0007.0e49.c430 to 0007.0e49.c45f   3.5   8.4(1)       12.2(33)SXI2 PwrDown
  5  001b.533a.7b80 to 001b.533a.7b8b   4.5   12.2(18r)SX2 12.2(33)SXI2 Ok

Kind Regards
James Greig

From A.L.M.Buxey at lboro.ac.uk Fri Jan 22 16:02:42 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 22 Jan 2010 21:02:42 +0000
Subject: [c-nsp] 6509 problem
In-Reply-To: <001e01ca9b98$dc046410$940d2c30$@net>
References: <001e01ca9b98$dc046410$940d2c30$@net>
Message-ID: <20100122210242.GB711@lboro.ac.uk>

Hi,

> *Feb 28 22:29:29.055: %DIAG-SP-3-MAJOR: Module 1: Online Diagnostics
> detected a Major Error. Please use 'show diagnostic result ' to see
> test results.

what did the output of that command ('show diagnostic result ') give?

> *Feb 28 22:29:29.987: %OIR-SP-3-LC_FAILURE: Module 1 has Major online
> diagnostic failure, Card will be reset to re-run diagnostic. Please check
> sup-bootflash diaginfo file for previous detailed diagnostic result.

what's in the diaginfo file? the router's trying to help you - and that info needs to be read to find out what's going wrong here..... then you'll probably want to run the usual tests, e.g.

show diagnostics event all

and

show diagnostics results module 1

alan

From james at mor-pah.net Fri Jan 22 16:18:07 2010
From: james at mor-pah.net (James Greig)
Date: Fri, 22 Jan 2010 21:18:07 -0000
Subject: [c-nsp] 6509 problem
In-Reply-To: <20100122210242.GB711@lboro.ac.uk>
References: <001e01ca9b98$dc046410$940d2c30$@net> <20100122210242.GB711@lboro.ac.uk>
Message-ID: <002d01ca9ba8$64542e90$2cfc8bb0$@net>

Hi,

Thanks for the response. I've pasted below the most prominent errors in the event log. Again, any ideas or anything to try are appreciated.

2/28 22:44:29.919 E [1] check_ether_packet [1/48]: newpak is NULL!
02/28 22:44:29.927 E [1] loopback_port[1/48]: check_ether_packet failed, retry = 1
02/28 22:44:30.851 E [1] TestLoopback Failed
02/28 22:44:30.859 E [1] test_loopback_common[1]: loopback failed on port[48] w. retry[3], err_code[43]
02/28 22:44:30.875 E [1] diag_get_test_port_not_found_reason[1]: 1:LBF,2:LBF,3:LBF,4:LBF,5:LBF,6:LBF,7:LBF,8:LBF,9:LBF,10:LBF,11:LBF,12:LBF,13:LBF,14:LBF
02/28 22:44:30.879 E [1] diag_is_disabled_elam_dump[1]:TestLoopback: Cannot find good port, skipping elam capture
02/28 22:44:30.879 E [1] Major Error Detected
02/28 22:44:30.887 E [1] test_loopback[1]: test_loopback_common failed
02/28 22:44:31.523 E [1] diag_test_failure_action: card/sub_card(1/-1), test_name(bootup) flag=0
02/28 22:44:31.947 E [1] hm_diag_free_lb_fail_cntr[1]: hm_lpbk_stats is NULL!

Module 1 : 48-port 10/100 RJ45 Ethernet Module
Software : 12.2(33)SXI2a
Online Diagnostic Result : MAJOR ERROR
Online Diagnostic Level when Module 1 came up = Minimal
Test Results: (. = Pass, F = Fail, U = Unknown)

  1 . TestScratchRegister : U

  2 . TestNonDisruptiveLoopback :
      Port  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
      ----------------------------------------------------------------------------
            U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U

      Port 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
      ----------------------------------------------------------------------------
            U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U

  3 . TestLoopback :
      Port  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
      ----------------------------------------------------------------------------
            F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F

      Port 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
      ----------------------------------------------------------------------------
            F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F

  4 . TestNetflowInlineRewrite :
      Port  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
      ----------------------------------------------------------------------------
            U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U

      Port 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
      ----------------------------------------------------------------------------
            U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U

  5 . TestAsicMemory : U
  6 . TestEobcStressPing : U
  7 . TestFirmwareDiagStatus : .
  8 . TestAsicSync : U
  9 . TestErrorCounterMonitor : U
 10 . TestLtlFpoeMemoryConsistency : U

-----Original Message-----
From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
Sent: 22 January 2010 21:03
To: James Greig
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6509 problem

Hi,

> *Feb 28 22:29:29.055: %DIAG-SP-3-MAJOR: Module 1: Online Diagnostics
> detected a Major Error. Please use 'show diagnostic result ' to see
> test results.

what did the output of that command ('show diagnostic result ') give?

> *Feb 28 22:29:29.987: %OIR-SP-3-LC_FAILURE: Module 1 has Major online
> diagnostic failure, Card will be reset to re-run diagnostic. Please check
> sup-bootflash diaginfo file for previous detailed diagnostic result.

what's in the diaginfo file? the router's trying to help you - and that info needs to be read to find out what's going wrong here..... then you'll probably want to run the usual tests, e.g.

show diagnostics event all

and

show diagnostics results module 1

alan

From ioan.branet at gmail.com Sat Jan 23 07:12:15 2010
From: ioan.branet at gmail.com (Ioan Branet)
Date: Sat, 23 Jan 2010 14:12:15 +0200
Subject: [c-nsp] Does QPPB works on 7600 ?
Message-ID: <257d19981001230412x102f93e5v3b8270c296cc8642@mail.gmail.com>

Hello group,

Do you know if QPPB can be implemented on 7600 routers?
I read a post that the commands are supported but it is not working.
Here is the post from the blog:

http://ccie-in-3-months.blogspot.com/2008/05/qos-classificationmarking-using-pbr.html

I want to match by qos-group, not by precedence.
I do not have SIP or ES cards on 7600, just WS6704 and WS-6724 cards.
I tested configuration only in dynamips on 3640/7206 routers but not on 7600.

Thank you,
John
-- 
Ioan Branet
CCIE #23474 R&S

From rdobbins at arbor.net Sat Jan 23 07:37:10 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Sat, 23 Jan 2010 12:37:10 +0000
Subject: [c-nsp] Does QPPB works on 7600 ?
In-Reply-To: <257d19981001230412x102f93e5v3b8270c296cc8642@mail.gmail.com>
References: <257d19981001230412x102f93e5v3b8270c296cc8642@mail.gmail.com>
Message-ID: <6C3F07C0-5D65-4A38-A64A-813B0F73C421@arbor.net>

On Jan 23, 2010, at 7:12 PM, Ioan Branet wrote:

> Do you know if QPPB can be implemented on 7600 routers?

I believe QPPB only works on GSRs and 7500s running S-train, and maybe T-train software-based routers (happy to be corrected, of course).

Don't know if it's been implemented in XR or not.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From paveldimow at gmail.com Sat Jan 23 09:23:58 2010
From: paveldimow at gmail.com (Pavel Dimow)
Date: Sat, 23 Jan 2010 15:23:58 +0100
Subject: [c-nsp] Tunnel interface to vlan
Message-ID: <6d2cb0d51001230623i59634eb7u368410afc9c90a5a@mail.gmail.com>

Is there any way to put tunnel interface (not dot1qtunnel) to vlan on cat 7600?
Or any other way to force traffic from tunnel interface to pass via specific port on switch?

From adrian.minta at gmail.com Sat Jan 23 11:31:38 2010
From: adrian.minta at gmail.com (Adrian Minta)
Date: Sat, 23 Jan 2010 18:31:38 +0200
Subject: [c-nsp] Tunnel interface to vlan
In-Reply-To: <6d2cb0d51001230623i59634eb7u368410afc9c90a5a@mail.gmail.com>
References: <6d2cb0d51001230623i59634eb7u368410afc9c90a5a@mail.gmail.com>
Message-ID: <4B5B246A.6050101@gmail.com>

Pavel Dimow wrote:
> Is there any way to put tunnel interface (not dot1qtunnel) to vlan on cat 7600?
> Or anyother way to force traffic from tunnel interface to pass via
> specific port on switch?
>
>

Perhaps bridge-group ?

From mtinka at globaltransit.net Sat Jan 23 11:32:15 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 24 Jan 2010 00:32:15 +0800
Subject: [c-nsp] Does QPPB works on 7600 ?
In-Reply-To: <257d19981001230412x102f93e5v3b8270c296cc8642@mail.gmail.com>
References: <257d19981001230412x102f93e5v3b8270c296cc8642@mail.gmail.com>
Message-ID: <201001240032.16691.mtinka@globaltransit.net>

On Saturday 23 January 2010 08:12:15 pm Ioan Branet wrote:

> Do you know if QPPB can be implemented on 7600 routers?
> I read a post that the commands are supported but it is
> not working.

No, it is not supported on the 7600, as the current EARL7 implemented on the SUP720 and RSP720 does not support it in hardware.

This issue will be fixed in the EARL8 implementation for the 6500 (still no news on whether that supervisor module will be supported on the 7600, or if/when the 7600 will implement the EARL8).

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL:

From mtinka at globaltransit.net Sat Jan 23 11:39:56 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 24 Jan 2010 00:39:56 +0800
Subject: [c-nsp] Does QPPB works on 7600 ?
In-Reply-To: <6C3F07C0-5D65-4A38-A64A-813B0F73C421@arbor.net>
References: <257d19981001230412x102f93e5v3b8270c296cc8642@mail.gmail.com> <6C3F07C0-5D65-4A38-A64A-813B0F73C421@arbor.net>
Message-ID: <201001240039.57105.mtinka@globaltransit.net>

On Saturday 23 January 2010 08:37:10 pm Dobbins, Roland wrote:

> I believe QPPB only works on GSRs and 7500s running
> S-train, and maybe T-train software-based routers (happy
> to be corrected, of course).

It's supported in 12.2(33)SRC and later on the 7200-VXR.

As it's implemented in software on software-based routers, I assume it should work on most if not all current software-based hardware (although there are some known issues with certain versions of code and some attributes of the feature, e.g., counters, etc.).

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL:

From fajri at freebsd.or.id Sat Jan 23 12:58:56 2010
From: fajri at freebsd.or.id (Anthony Fajri)
Date: Sun, 24 Jan 2010 00:58:56 +0700
Subject: [c-nsp] show proc cpu vs snmp cpu monitoring
Message-ID: <98822f651001230958v7947f98boe13c642b0099c55a@mail.gmail.com>

Hi there,

on WS-SU720-3BXL, there are 2 processors, which are route processor and switch processor.
if we monitor it by snmp, there are 2 results: CPU of routing and CPU of switching.

if I do: show proc cpu, which one is shown in the result? CPU of routing, CPU of switching, or sum of both?
I realize that the result of show proc cpu is more similar to the sum of both.

I've tried to search the info on cisco website, but can't get useful information on it.

thanks and regards,

-----
Anthony Fajri
http://fajri.freebsd.or.id

From achatz at forthnet.gr Sat Jan 23 13:37:12 2010
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sat, 23 Jan 2010 20:37:12 +0200
Subject: [c-nsp] show proc cpu vs snmp cpu monitoring
In-Reply-To: <98822f651001230958v7947f98boe13c642b0099c55a@mail.gmail.com>
References: <98822f651001230958v7947f98boe13c642b0099c55a@mail.gmail.com>
Message-ID: <4B5B41D8.1050809@forthnet.gr>

"sh proc cpu" for RP
"rem com sw sh proc cpu" for SP
"sh plat hard capa cpu" for both

-- 
Tassos

Anthony Fajri wrote on 23/01/2010 19:58:
> Hi there,
>
> on WS-SU720-3BXL, there are 2 processors, which are route processor and
> switch processor.
> if we monitor it by snmp, there are 2 result: CPU of routing and CPU of
> switching.
>
> if I did: show proc cpu, which one is shown in the result? CPU of routing,
> CPU of switching, or sum of both?
> I realize that the result of show proc cpu is more similar to the sum of
> both.
>
> I've tried to search the info on cisco website, but can't get useful
> information on it.
>
> thanks and regards,
>
> -----
> Anthony Fajri
> http://fajri.freebsd.or.id
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From nicolasleiva at gmail.com Sat Jan 23 13:55:15 2010
From: nicolasleiva at gmail.com (Nicolás Leiva)
Date: Sat, 23 Jan 2010 15:55:15 -0300
Subject: [c-nsp] Does QPPB works on 7600 ?
In-Reply-To: <257d19981001230412x102f93e5v3b8270c296cc8642@mail.gmail.com>
References: <257d19981001230412x102f93e5v3b8270c296cc8642@mail.gmail.com>
Message-ID: <13a807351001231055j3e7741edu9bce1fc694433b64@mail.gmail.com>

Your line cards do not support matches on QoS group (neither do the ES cards).

7606(config-if)#
7606(config-if)#service-policy input qppb-map
Match qos-group is not supported for this interface
7606(config-if)#

I think there's no line card for the 7600's that will match a qos-group in both directions. According to http://tinyurl.com/ybe7wfe a SIP-400 will support it output interface only in 12.2(33)SXH.

Nicolas
http://ccie-en-espanol.blogspot.com/

On Sat, Jan 23, 2010 at 9:12 AM, Ioan Branet wrote:

> Hello group,
>
> Do you know if QPPB can be implemented on 7600 routers?
> I read a post that the commands are supported but it is not working.
> Here is the post from the blog:
>
> http://ccie-in-3-months.blogspot.com/2008/05/qos-classificationmarking-using-pbr.html
> I want to match by qos-group,not by precedence.
> I do no have SIP or ES cards on 7600 ,just WS6704 and WS-6724 cards.
> I tested configuration only in dynamips on 3640/7206 routers but not on
> 7600.
>
> Thank you,
> John
> --
> Ioan Branet
> CCIE #23474 R&S
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From wargo1 at gmail.com Sat Jan 23 14:16:54 2010
From: wargo1 at gmail.com (Christopher J. Wargaski)
Date: Sat, 23 Jan 2010 13:16:54 -0600
Subject: [c-nsp] cisco-nsp Digest, Vol 86, Issue 71
In-Reply-To:
References:
Message-ID: <17065121001231116n6feaf1a5jd9a0e9801efedd02@mail.gmail.com>

Good day--

QoS over the Internet is not reliable. If you set the QoS bits in the IP header on your side, they most likely will be cleared as soon as they pass from one carrier to another. If you have the same carrier from end to end, you must confirm that the carrier will honor the QoS settings and not clear them.

ASA 7.X code does not have the ability to set QoS bits, only to honor them when forwarding. A Cisco router can certainly set the bits. However, even if you apply QoS on your equipment, you will not gain much. Traffic that is coming from the Internet to your equipment will not be controlled by any QoS policy.

cjw

>
> Message: 7
> Date: Fri, 22 Jan 2010 18:34:43 +0200
> From: madunix
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Bandwidth Throttling for HOST
> Message-ID:
>         <4d3f56c91001220834q81d9027ycb7009a982a735e at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> my office network is connected to net via leasedline speed 2Mbps
> backup---Internet--- Router ---ASA--DMZ--HOST
> HOST got eth0:DMZ IP  w.x.y.z and eth1:LAN IP a.b.c.d
> I want to take backup remotely of this server from outside through the
> net, to speed up the backup i am looking to control the amount of
> bandwidth (perform some sort of Quality of Service QOS) for this
> (HOST) using a Cisco ASA for specific time 22:00-24:00 in order to
> take the backup in short time.
> i want to have full bw or limiting bandwidth to this particular IP
> address (HOST) use e.g. 1.5Mbps of the bandwidth could i implement
> this in asa or cisco router and how?
>
> Thanks
>

From ip at ioshints.info Sat Jan 23 14:34:07 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Sat, 23 Jan 2010 20:34:07 +0100
Subject: [c-nsp] Disabling SNMP for certain BGP neighbors
In-Reply-To:
References: <4B5611E4.3010600@rollernet.us>
Message-ID: <004e01ca9c63$084c8b90$18e5a2b0$@info>

You need EEM 3.1 to catch outbound SNMP traps. EEM 3.1 is (at the moment) only available in IOS release 15.0M.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Wednesday, January 20, 2010 10:11 PM
> To: Seth Mattinen; cisco-nsp
> Subject: Re: [c-nsp] Disabling SNMP for certain BGP neighbors
>
> Seth,
>
> I would say that the right approach for this would be to tune the logic
> of your NMS system to ignore these events, or make them low-priority
> events, and have a rule that alerts you about low-priority events only
> during work hours...
>
> Another approach (but only relatively new IOS versions) would be to use
> the EEM SNMP Notification event detector. This would allow you to catch
> specific traps and block them on the router (or modify them to a
> different event).
> In older IOS versions the same can be accomplished for Syslog, so if you
> can turn off SNMP traps and use Syslog events, you can accomplish this
> on most IOS versions.
>
> The reference for the SNMP Notification EEM event detector is here:
> http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_06.html#wp1178594
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen
> Sent: Tuesday, January 19, 2010 22:11
> To: cisco-nsp
> Subject: [c-nsp] Disabling SNMP for certain BGP neighbors
>
> Is there any way to disable SNMP traps for a subset of BGP neighbors
> like there is for interfaces? I have a couple BGP sessions that are of
> "don't care" priority and they don't need to send traps when they flap
> (although rarely, it's always when I'm sleeping).
>
> ~Seth
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From kevinw at telnetww.com Sat Jan 23 22:46:43 2010
From: kevinw at telnetww.com (Kevin Warwashana)
Date: Sat, 23 Jan 2010 22:46:43 -0500
Subject: [c-nsp] 7600 Rate Limiting Output
Message-ID: <000301ca9ca7$d82538f0$886faad0$@com>

I was curious what is the best way to limit bandwidth in/out with policy maps.

I can apply this inbound on a subinterface:

policy-map 26MB-INPUT
 class class-default
  police rate 26000000 bps conform-action transmit exceed-action drop

but the below won't apply in the outbound direction:

policy-map 26MB-OUTPUT
 class class-default
  police rate 26000000 bps conform-action transmit exceed-action drop

Gives me:

int gig4/0/0.8
 service-policy output 26MB-OUTPUT
Police and strict priority must be configured together for egress QOS.
Invalid feature combination for the class class-default
Configuration failed

Any help would be appreciated! I miss the rate-limiting command from 7200 routers :).

Kevin

From jmaimon at ttec.com Sun Jan 24 11:06:21 2010
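As an added example covering both the bandwidth-throttling question (madunix, and cjw's reply that policing only governs what your own edge transmits or accepts) and Kevin's 7600 policer above (this is not code from the list or from any poster), a simulation of the single-rate, two-colour token bucket behind "police rate 26000000 bps conform-action transmit exceed-action drop". The 26 Mbps rate is Kevin's; the burst size, packet size and the offered traffic pattern are constructed for the illustration, and the burst value in particular is not the platform default.

```python
"""Single-rate two-colour token-bucket policer, as used by "police rate".

Added example: tokens (bytes) accrue at the configured rate up to a burst
limit; a packet conforms if the bucket holds at least its size (transmit,
bucket debited) and exceeds otherwise (drop, bucket untouched).  Offered
traffic above the rate is therefore trimmed to the rate plus one burst.
"""


class Policer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_t = 0.0
        self.conformed = self.exceeded = 0
        self.conformed_bytes = self.dropped_bytes = 0

    def offer(self, t, size):
        """Offer a packet of `size` bytes arriving at time `t` seconds.

        Packets must be offered in time order. Returns "conform" or "exceed".
        """
        if t < self.last_t:
            raise ValueError("packets must be offered in non-decreasing time order")
        # refill with the bytes earned since the previous packet, capped at burst
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += 1
            self.conformed_bytes += size
            return "conform"
        self.exceeded += 1
        self.dropped_bytes += size
        return "exceed"


def constant_rate_trace(offered_bps, pkt_size, duration_s):
    """Constructed packet trace: equally spaced packets at a steady bit rate."""
    interval = pkt_size * 8.0 / offered_bps
    count = int(offered_bps * duration_s / (8 * pkt_size))
    return [(i * interval, pkt_size) for i in range(count)]


def police_trace(rate_bps, burst_bytes, trace):
    """Run a trace through a policer and summarise the outcome."""
    policer = Policer(rate_bps, burst_bytes)
    for t, size in trace:
        policer.offer(t, size)
    return {
        "conformed": policer.conformed,
        "exceeded": policer.exceeded,
        "conformed_bytes": policer.conformed_bytes,
        "dropped_bytes": policer.dropped_bytes,
    }


RATE_BPS = 26_000_000          # Kevin's policer rate
BURST_BYTES = 48_750           # constructed: about 15 ms worth of 26 Mbps

if __name__ == "__main__":
    for offered in (10_000_000, 40_000_000):
        trace = constant_rate_trace(offered, 1500, 1.0)
        result = police_trace(RATE_BPS, BURST_BYTES, trace)
        delivered_bps = result["conformed_bytes"] * 8 / 1.0
        print(f"offered {offered/1e6:.0f} Mbps -> delivered {delivered_bps/1e6:.2f} Mbps, "
              f"dropped {result['exceeded']} packets")
```

Offering 40 Mbps of 1500-byte packets for one second yields about 26.4 Mbps delivered (the configured rate plus the initial burst) with the remainder dropped, while 10 Mbps passes untouched. The simulation also makes cjw's caveat concrete: the policer only ever sees packets that have already arrived on the link, so applying it at your own edge cannot stop inbound traffic from consuming the upstream circuit; it can only decide what you forward beyond that point.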
From: jmaimon at ttec.com (Joe Maimon)
Date: Sun, 24 Jan 2010 11:06:21 -0500
Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
Message-ID: <4B5C6FFD.2010201@ttec.com>

Hey All,

So as is commonly talked about, I have seen a number of end user sites with simple redundancy service using IOS routers.

Multiple lines, could be the same provider, could be different providers, no dynamic routing, different source addresses, uRPF/SAV at the provider(s) is to be presumed. CBAC IOS firewall is also in place.

All this with event object tracking with policy routing and nat based on egress works just fine EXCEPT.

Long lived NAT sessions, especially the UDP ones don't seem to become inactive when the egress changes.

So the VOIP handsets are out of service after either a failover or failback. Obviously this is the visible problem symptom.

I have seen this for ICMP as well for continuous pings.

I have in place the workaround of using EEM with clear ip nat trans *

Is there some better way to approach it, other than using dynamic routing and routable addresses to eliminate NAT?

c1700-adventerprisek9-mz.124-25b.bin

Thanks in advance. Any and all feedback is most welcome.

Best,

Joe

From ip at ioshints.info Sun Jan 24 12:23:12 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Sun, 24 Jan 2010 18:23:12 +0100
Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
In-Reply-To: <4B5C6FFD.2010201@ttec.com>
References: <4B5C6FFD.2010201@ttec.com>
Message-ID: <000001ca9d19$e8c1aaf0$ba4500d0$@info>

Whenever the NAT outside IP address changes, the session has to be killed and restarted as the NAT device cannot signal to the remote end that the outside source IP address has changed.

EEM & "clear ip nat trans *" is probably the cleanest method. You might want to get more specific and use "clear ip nat translation outside " to kill only the NAT translations tied to the failed IP address.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> -----Original Message-----
> From: Joe Maimon [mailto:jmaimon at ttec.com]
> Sent: Sunday, January 24, 2010 5:06 PM
> To: cisco-nsp
> Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
>
> Hey All,
>
> So as is commonly talked about, I have seen a number of end user sites with simple redundancy service using IOS routers.
>
> Multiple lines, could be the same provider, could be different providers, no dynamic routing, different source addresses, uRPF/SAV at the provider(s) is to be presumed. CBAC IOS firewall is also in place.
>
> All this with event object tracking with policy routing and nat based on egress works just fine EXCEPT.
>
> Long lived NAT sessions, especially the UDP ones don't seem to become inactive when the egress changes.
>
> So the VOIP handsets are out of service after either a failover or failback. Obviously this is the visible problem symptom.
>
> I have seen this for ICMP as well for continuous pings.
>
> I have in place the workaround of using EEM with clear ip nat trans *
>
> Is there some better way to approach it, other than using dynamic routing and routable addresses to eliminate NAT?
>
> c1700-adventerprisek9-mz.124-25b.bin
>
> Thanks in advance. Any and all feedback is most welcome.
>
> Best,
>
> Joe

From james at mor-pah.net Sun Jan 24 12:27:53 2010
From: james at mor-pah.net (James Greig)
Date: Sun, 24 Jan 2010 17:27:53 -0000
Subject: [c-nsp] 6509 problem
In-Reply-To: <002d01ca9ba8$64542e90$2cfc8bb0$@net>
References: <001e01ca9b98$dc046410$940d2c30$@net> <20100122210242.GB711@lboro.ac.uk> <002d01ca9ba8$64542e90$2cfc8bb0$@net>
Message-ID: <001201ca9d1a$8f90ea30$aeb2be90$@net>

Anyone else have any other thoughts on this? Could it be a bug or a faulty backplane on the 6500 chassis?
James G

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of James Greig
Sent: 22 January 2010 21:18
To: 'Alan Buxey'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6509 problem

Hi,

Thanks for the response. I've pasted below the most prominent errors in the event log. Again, any ideas or anything to try are appreciated.

2/28 22:44:29.919 E [1] check_ether_packet [1/48]: newpak is NULL!
02/28 22:44:29.927 E [1] loopback_port[1/48]: check_ether_packet failed, retry = 1
02/28 22:44:30.851 E [1] TestLoopback Failed
02/28 22:44:30.859 E [1] test_loopback_common[1]: loopback failed on port[48] w. retry[3], err_code[43]
02/28 22:44:30.875 E [1] diag_get_test_port_not_found_reason[1]: 1:LBF,2:LBF,3:LBF,4:LBF,5:LBF,6:LBF,7:LBF,8:LBF,9:LBF,10:LBF,11:LBF,12:LBF,13:LBF,14:LBF
02/28 22:44:30.879 E [1] diag_is_disabled_elam_dump[1]:TestLoopback: Cannot find good port, skipping elam capture
02/28 22:44:30.879 E [1] Major Error Detected
02/28 22:44:30.887 E [1] test_loopback[1]: test_loopback_common failed
02/28 22:44:31.523 E [1] diag_test_failure_action: card/sub_card(1/-1), test_name(bootup) flag=0
02/28 22:44:31.947 E [1] hm_diag_free_lb_fail_cntr[1]: hm_lpbk_stats is NULL!

Module 1 : 48-port 10/100 RJ45 Ethernet Module
Software : 12.2(33)SXI2a
Online Diagnostic Result : MAJOR ERROR
Online Diagnostic Level when Module 1 came up = Minimal

Test Results: (. = Pass, F = Fail, U = Unknown)

 1 . TestScratchRegister : U
 2 . TestNonDisruptiveLoopback :
     Port  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
     ----------------------------------------------------------------------------
           U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U
     Port 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
     ----------------------------------------------------------------------------
           U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U
 3 . TestLoopback :
     Port  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
     ----------------------------------------------------------------------------
           F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F
     Port 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
     ----------------------------------------------------------------------------
           F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F  F
 4 . TestNetflowInlineRewrite :
     Port  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
     ----------------------------------------------------------------------------
           U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U
     Port 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
     ----------------------------------------------------------------------------
           U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U
 5 . TestAsicMemory : U
 6 . TestEobcStressPing : U
 7 . TestFirmwareDiagStatus : .
 8 . TestAsicSync : U
 9 . TestErrorCounterMonitor : U
10. TestLtlFpoeMemoryConsistency : U

-----Original Message-----
From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
Sent: 22 January 2010 21:03
To: James Greig
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6509 problem

Hi,

> *Feb 28 22:29:29.055: %DIAG-SP-3-MAJOR: Module 1: Online Diagnostics
> detected a Major Error. Please use 'show diagnostic result ' to see
> test results.

what did the output of that command ('show diagnostic result ') give?

> *Feb 28 22:29:29.987: %OIR-SP-3-LC_FAILURE: Module 1 has Major online
> diagnostic failure, Card will be reset to re-run diagnostic. Please check
> sup-bootflash diaginfo file for previous detailed diagnostic result.

what's in the diaginfo file?

the router's trying to help you - and that info needs to be read to find out what's going wrong here.....then you'll probably want to run the usual tests..eg

show diagnostics event all

and

show diagnostics results module 1

alan
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jmaimon at ttec.com Sun Jan 24 13:25:49 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Sun, 24 Jan 2010 13:25:49 -0500
Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
In-Reply-To: <000001ca9d19$e8c1aaf0$ba4500d0$@info>
References: <4B5C6FFD.2010201@ttec.com> <000001ca9d19$e8c1aaf0$ba4500d0$@info>
Message-ID: <4B5C90AD.5090406@ttec.com>

Thanks for the response.

The nat is inside nat of course. After the routing and egress changes, the router should be well aware that continued traffic no longer matches the

ip nat inside source route-map ISPA Di1 overload

and now matches the

ip nat inside source route-map ISPB Di2 overload

for a simplistic example.

So the old translations are no longer valid with the new egress. They should be abandoned and new ones created.

However, the router continues to send the traffic out the new interface with the nat session and translation setup when the egress was the old interface.

New sessions work just fine. This isn't a problem for web browsing and possibly not for most other TCP sessions. "Stateless" sessions such as UDP and ICMP seem to be most problematic.

And I would be quite happy clearing just the translations for the "wrong" global for all local inside translations, but syntax does not seem to allow that.

clear ip nat inside a.b.c.d *

would be quite nice.

Ivan Pepelnjak wrote:
> Whenever the NAT outside IP address changes, the session has to be killed and restarted as the NAT device cannot signal to the remote end that the outside source IP address has changed.
>
> EEM & "clear ip nat trans *" is probably the cleanest method. You might want to get more specific and use "clear ip nat translation outside " to kill only the NAT translations tied to the failed IP address.
>
> Ivan Pepelnjak
> blog.ioshints.info / www.ioshints.info
>
>> -----Original Message-----
>> From: Joe Maimon [mailto:jmaimon at ttec.com]
>> Sent: Sunday, January 24, 2010 5:06 PM
>> To: cisco-nsp
>> Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
>>
>> Hey All,
>>
>> So as is commonly talked about, I have seen a number of end user sites with simple redundancy service using IOS routers.
>>
>> Multiple lines, could be the same provider, could be different providers, no dynamic routing, different source addresses, uRPF/SAV at the provider(s) is to be presumed. CBAC IOS firewall is also in place.
>>
>> All this with event object tracking with policy routing and nat based on egress works just fine EXCEPT.
>>
>> Long lived NAT sessions, especially the UDP ones don't seem to become inactive when the egress changes.
>>
>> So the VOIP handsets are out of service after either a failover or failback. Obviously this is the visible problem symptom.
>>
>> I have seen this for ICMP as well for continuous pings.
>>
>> I have in place the workaround of using EEM with clear ip nat trans *
>>
>> Is there some better way to approach it, other than using dynamic routing and routable addresses to eliminate NAT?
>>
>> c1700-adventerprisek9-mz.124-25b.bin
>>
>> Thanks in advance. Any and all feedback is most welcome.
>>
>> Best,
>>
>> Joe
>

From ip at ioshints.info Sun Jan 24 14:19:34 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Sun, 24 Jan 2010 20:19:34 +0100
Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
In-Reply-To: <4B5C90AD.5090406@ttec.com>
References: <4B5C6FFD.2010201@ttec.com> <000001ca9d19$e8c1aaf0$ba4500d0$@info> <4B5C90AD.5090406@ttec.com>
Message-ID: <000f01ca9d2a$2a735830$7f5a0890$@info>

> After the routing and egress changes, the router should be well aware
> that continued traffic no longer matches the
>
> ip nat inside source route-map ISPA Di1 overload
>
> and now matches the
>
> ip nat inside source route-map ISPB Di2 overload
>
> for a simplistic example.
>
> So the old translations are no longer valid with the new egress. They
> should be abandoned and new ones created.

Obviously the router does NOT check the "ip nat" rules if it gets a match in the NAT translation table. This behavior makes sense; if you'd change the NAT parameters of a live session, you'd lose the session anyway.

> And I would be quite happy clearing just the translations for the
> "wrong" global for all local inside translations, but syntax does not
> seem to allow that.

Write a Tcl script that does "show ip nat translations" and kills only the relevant ones ;)

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

From petelists at templin.org Sun Jan 24 13:59:48 2010
From: petelists at templin.org (Pete Templin)
Date: Sun, 24 Jan 2010 12:59:48 -0600
Subject: [c-nsp] 6509 problem
In-Reply-To: <001201ca9d1a$8f90ea30$aeb2be90$@net>
References: <001e01ca9b98$dc046410$940d2c30$@net> <20100122210242.GB711@lboro.ac.uk> <002d01ca9ba8$64542e90$2cfc8bb0$@net> <001201ca9d1a$8f90ea30$aeb2be90$@net>
Message-ID: <4B5C98A4.5080707@templin.org>

James Greig wrote:
> Anyone else have any other thoughts on this? Could it be a bug or a faulty
> backplane on the 6500 chassis?

It looks similar to what I got when I toasted a chassis in November.
I didn't capture the console output, but basically the primary Sup was OK but the rest were all MAJOR failures.

pt

From jmaimon at ttec.com Sun Jan 24 15:43:16 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Sun, 24 Jan 2010 15:43:16 -0500
Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
In-Reply-To: <000f01ca9d2a$2a735830$7f5a0890$@info>
References: <4B5C6FFD.2010201@ttec.com> <000001ca9d19$e8c1aaf0$ba4500d0$@info> <4B5C90AD.5090406@ttec.com> <000f01ca9d2a$2a735830$7f5a0890$@info>
Message-ID: <4B5CB0E4.4050709@ttec.com>

Ivan Pepelnjak wrote:
> Obviously the router does NOT check the "ip nat" rules if it gets a match in the NAT translation table. This behavior makes sense; if you'd change the NAT parameters of a live session, you'd lose the session anyway.

The problem is that the session stays active. I want the session to be lost. I believe the rules should be adhered to a bit more strictly.

If the current matching nat statement would result in a different value for the inside global address, then a new translation should be called for.

It isn't actually all that hard to check for, conceptually.

(What would you expect to happen when the DHCP client address changes on the egress interface? Or if you change the ip address on an interface referenced by the ip nat statement?)

Apparently, the end stations don't change the source port for new attempts. So as far as the router is concerned, unless those voip handsets are off the network beyond udp session timeout, they will never reconnect through the new egress.

This behavior has very disruptive end user symptoms.

>
> Ivan Pepelnjak
> blog.ioshints.info / www.ioshints.info
>

From ip at ioshints.info Mon Jan 25 06:58:12 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Mon, 25 Jan 2010 12:58:12 +0100
Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
In-Reply-To: <4B5CB0E4.4050709@ttec.com>
References: <4B5C6FFD.2010201@ttec.com> <000001ca9d19$e8c1aaf0$ba4500d0$@info> <4B5C90AD.5090406@ttec.com> <000f01ca9d2a$2a735830$7f5a0890$@info> <4B5CB0E4.4050709@ttec.com>
Message-ID: <001501ca9db5$ac3b4f90$04b1eeb0$@info>

> The problem is that the session stays active. I want the session to be
> lost. I believe the rules should be adhered to a bit more strictly.

The session DOES NOT stay active. The phone is stupid. It should have realized there's no reply and restart the session.

> If the current matching nat statement would result in a different value
> for the inside global address, then a new translation should be called
> for.
>
> It isn't actually all that hard to check for, conceptually.

And then you'd complain about the CPU load. What do you think is cheaper: checking the NAT table or NAT rules (including route maps) for every packet?

> (What would you expect to happen when the DHCP client address changes on
> the egress interface? Or if you change the ip address on an interface
> referenced by the ip nat statement?)

You'd lose all sessions, obviously. What else would you expect?

> Apparently, the end stations don't change the source port for new
> attempts.

Proves my point. The phone is stupid ;) There's a reason every new client session should use a new dynamic port number.

> This behavior has very disruptive end user symptoms.

Many stupid implementations have disruptive end-user symptoms. Microsoft Network Load Balancing with unknown unicast MAC addresses immediately comes to mind ;)

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

From james at mor-pah.net Mon Jan 25 07:11:49 2010
From: james at mor-pah.net (James Greig)
Date: Mon, 25 Jan 2010 12:11:49 -0000
Subject: [c-nsp] 6509 problem
In-Reply-To: <4B5C98A4.5080707@templin.org>
References: <001e01ca9b98$dc046410$940d2c30$@net> <20100122210242.GB711@lboro.ac.uk> <002d01ca9ba8$64542e90$2cfc8bb0$@net> <001201ca9d1a$8f90ea30$aeb2be90$@net> <4B5C98A4.5080707@templin.org>
Message-ID: <001b01ca9db7$92bd5ca0$b83815e0$@net>

Hi Pete,

Thanks for your response, I think you've confirmed our suspicions. We'll source another chassis:)

James G

-----Original Message-----
From: Pete Templin [mailto:petelists at templin.org]
Sent: 24 January 2010 19:00
To: James Greig
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6509 problem

James Greig wrote:
> Anyone else have any other thoughts on this? Could it be a bug or a faulty
> backplane on the 6500 chassis?

It looks similar to what I got when I toasted a chassis in November. I didn't capture the console output, but basically the primary Sup was OK but the rest were all MAJOR failures.

pt

From jonvoip at gmail.com Mon Jan 25 08:27:05 2010
From: jonvoip at gmail.com (Jonathan Charles)
Date: Mon, 25 Jan 2010 07:27:05 -0600
Subject: [c-nsp] Wr mem causes massive delay...
Message-ID: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com>

So, noticed something weird...

Got a 2851 with 512MB of RAM... if I have a constant ping going thru the router and I write mem, the ping goes up by a factor of 5....

Cisco 2851 (revision 53.50) with 507904K/16384K bytes of memory.
Processor board ID FTX1345A0EY
2 Gigabit Ethernet interfaces
51 Serial interfaces
6 Channelized/Clear T1/PRI ports
1 Virtual Private Network (VPN) Module
4 Voice FXS interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)

Reply from 172.16.2.11: bytes=32 time=32ms TTL=60
Reply from 172.16.2.11: bytes=32 time=34ms TTL=60
Reply from 172.16.2.11: bytes=32 time=133ms TTL=60
Reply from 172.16.2.11: bytes=32 time=30ms TTL=60
Reply from 172.16.2.11: bytes=32 time=25ms TTL=60

So, is this normal?

Jonathan

From p.mayers at imperial.ac.uk Mon Jan 25 08:43:22 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 25 Jan 2010 13:43:22 +0000
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com>
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com>
Message-ID: <4B5D9FFA.8010500@imperial.ac.uk>

> So, is this normal?

Ours does it. I wouldn't worry about it - it does not mean packet forwarding will be adversely affected.

From jonvoip at gmail.com Mon Jan 25 08:49:47 2010
From: jonvoip at gmail.com (Jonathan Charles)
Date: Mon, 25 Jan 2010 07:49:47 -0600
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: <1ebb7fa91001250547t40adfabbt7f605b063e313fcb@mail.gmail.com>
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <1ebb7fa91001250547t40adfabbt7f605b063e313fcb@mail.gmail.com>
Message-ID: <5d093f9a1001250549m7dd44548ya4d21cdd7152cd75@mail.gmail.com>

It is an IP address past the router, on the other side of the WAN...

Jonathan

On Mon, Jan 25, 2010 at 7:47 AM, Byrd, William wrote:
> Is that IP address on an interface in the router or something behind it?
>
> William Collier-Byrd / will at collier-byrd.net
> Make note, my e-mail address has changed.
>
> On Mon, Jan 25, 2010 at 8:27 AM, Jonathan Charles wrote:
>
>> So, noticed something weird...
>>
>> Got a 2851 with 512MB of RAM... if I have a constant ping going thru the router and I write mem, the ping goes up by a factor of 5....
>>
>> Cisco 2851 (revision 53.50) with 507904K/16384K bytes of memory.
>> Processor board ID FTX1345A0EY
>> 2 Gigabit Ethernet interfaces
>> 51 Serial interfaces
>> 6 Channelized/Clear T1/PRI ports
>> 1 Virtual Private Network (VPN) Module
>> 4 Voice FXS interfaces
>> DRAM configuration is 64 bits wide with parity enabled.
>> 239K bytes of non-volatile configuration memory.
>> 126000K bytes of ATA CompactFlash (Read/Write)
>>
>> Reply from 172.16.2.11: bytes=32 time=32ms TTL=60
>> Reply from 172.16.2.11: bytes=32 time=34ms TTL=60
>> Reply from 172.16.2.11: bytes=32 time=133ms TTL=60
>> Reply from 172.16.2.11: bytes=32 time=30ms TTL=60
>> Reply from 172.16.2.11: bytes=32 time=25ms TTL=60
>>
>> So, is this normal?
>>
>> Jonathan
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>

From jlewis at lewis.org Mon Jan 25 08:50:21 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 25 Jan 2010 08:50:21 -0500 (EST)
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com>
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com>
Message-ID:

Are you pinging "through" (i.e. from one device on one side of the router through to another device on the other side of the router) or are you pinging an interface on the router? Packets forwarded through the router really shouldn't be affected. Pinging the router itself will definitely be affected by things that use a lot of CPU.

On Mon, 25 Jan 2010, Jonathan Charles wrote:
> So, noticed something weird...
>
> Got a 2851 with 512MB of RAM... if I have a constant ping going thru the router and I write mem, the ping goes up by a factor of 5....
>
> Cisco 2851 (revision 53.50) with 507904K/16384K bytes of memory.
> Processor board ID FTX1345A0EY
> 2 Gigabit Ethernet interfaces
> 51 Serial interfaces
> 6 Channelized/Clear T1/PRI ports
> 1 Virtual Private Network (VPN) Module
> 4 Voice FXS interfaces
> DRAM configuration is 64 bits wide with parity enabled.
> 239K bytes of non-volatile configuration memory.
> 126000K bytes of ATA CompactFlash (Read/Write)
>
> Reply from 172.16.2.11: bytes=32 time=32ms TTL=60
> Reply from 172.16.2.11: bytes=32 time=34ms TTL=60
> Reply from 172.16.2.11: bytes=32 time=133ms TTL=60
> Reply from 172.16.2.11: bytes=32 time=30ms TTL=60
> Reply from 172.16.2.11: bytes=32 time=25ms TTL=60
>
> So, is this normal?
>
> Jonathan
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jmaimon at ttec.com Mon Jan 25 08:55:05 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Mon, 25 Jan 2010 08:55:05 -0500
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: <4B5D9FFA.8010500@imperial.ac.uk>
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <4B5D9FFA.8010500@imperial.ac.uk>
Message-ID: <4B5DA2B9.90300@ttec.com>

Phil Mayers wrote:
>> So, is this normal?
>
> Ours does it. I wouldn't worry about it - it does not mean packet
> forwarding will be adversely affected.
> _______________________________________________

Depends if he is pinging the router or pinging through it, as per the OP.

If it affects pings through the router, not just pings TO the router, I would check that cef is on.
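Returning to the NAT failover thread above: Ivan's suggestion there was a script that reads "show ip nat translations" and kills only the relevant entries, and Joe's wish was to clear just the translations that still carry the "wrong" inside global address. The Python below is an added example, not code from the list, from Cisco or from any poster; it models the selection logic offline so the rule can be tested before it is ported to Tcl/EEM on the router. The "show ip nat translations" output embedded in it is constructed, and the exact "clear ip nat translation ..." command forms it emits are an assumption to verify against the IOS release in use (tcp/udp entries are cleared by full 5-tuple, other entries by inside global/local address pair).

```python
"""
Select stale NAT translations after an egress failover.

Added example: given "show ip nat translations" output and the inside
global address that belongs to the failed egress, list the per-entry
clear commands for the translations that are still pinned to it.
Sample output is constructed; command syntax is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample; 198.51.100.10 is the (now unusable) ISP A global.
SAMPLE_SHOW_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 198.51.100.10:5060    192.168.1.21:5060     203.0.113.5:5060      203.0.113.5:5060
udp 198.51.100.10:16384   192.168.1.21:16384    203.0.113.5:20000     203.0.113.5:20000
tcp 192.0.2.10:40112      192.168.1.50:40112    203.0.113.80:80       203.0.113.80:80
icmp 198.51.100.10:512    192.168.1.77:512      203.0.113.9:512       203.0.113.9:512
--- 198.51.100.10         192.168.1.21          ---                   ---
"""


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: str
    inside_global_port: int
    inside_local: str
    inside_local_port: int
    outside_local: str
    outside_local_port: int
    outside_global: str
    outside_global_port: int


def _split_endpoint(token):
    """'198.51.100.10:5060' -> ('198.51.100.10', 5060); validates the address."""
    host, sep, port = token.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {token!r}")
    ip_address(host)
    return host, int(port)


def parse_nat_table(text):
    """Parse the dynamic tcp/udp/icmp rows; header and '---' rows are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto = fields[0].lower()
        if proto not in ("tcp", "udp", "icmp"):
            # '---' marks an entry without ports (e.g. static); not a target here
            continue
        ig, il, ol, og = (_split_endpoint(f) for f in fields[1:])
        entries.append(Translation(proto, *ig, *il, *ol, *og))
    return entries


def stale_translations(entries, failed_global_ip, protocols=None):
    """Entries whose inside global is the failed egress address.

    protocols lets you restrict to the 'stateless' ones (udp, icmp) that the
    thread identifies as the problem, leaving TCP sessions to sort themselves out.
    """
    failed = ip_address(failed_global_ip)
    return [
        e for e in entries
        if ip_address(e.inside_global) == failed
        and (protocols is None or e.proto in protocols)
    ]


def clear_command(e):
    """Build the per-entry clear command (assumed IOS syntax, verify on your release)."""
    if e.proto in ("tcp", "udp"):
        return (f"clear ip nat translation {e.proto} inside "
                f"{e.inside_global} {e.inside_global_port} "
                f"{e.inside_local} {e.inside_local_port} outside "
                f"{e.outside_local} {e.outside_local_port} "
                f"{e.outside_global} {e.outside_global_port}")
    # No tcp/udp keyword form for ICMP: fall back to the address-pair form.
    return f"clear ip nat translation inside {e.inside_global} {e.inside_local}"


def plan_cleanup(show_output, failed_global_ip, protocols=None):
    """Commands to issue after failover away from failed_global_ip."""
    entries = parse_nat_table(show_output)
    return [clear_command(e)
            for e in stale_translations(entries, failed_global_ip, protocols)]


if __name__ == "__main__":
    for cmd in plan_cleanup(SAMPLE_SHOW_OUTPUT, "198.51.100.10"):
        print(cmd)
```

On the router the same three steps (capture the show output, filter on the old inside global, issue one clear per row) would run from an EEM applet or Tcl policy fired by the tracking object going down, which keeps the TCP session to 203.0.113.80 in the sample untouched instead of wiping the whole table with "clear ip nat trans *".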
From jonvoip at gmail.com Mon Jan 25 09:17:23 2010
From: jonvoip at gmail.com (Jonathan Charles)
Date: Mon, 25 Jan 2010 08:17:23 -0600
Subject: [c-nsp] [cisco-voip] Wr mem causes massive delay...
In-Reply-To: <779553.27248.qm@web27201.mail.ukl.yahoo.com>
References: <5d093f9a1001250549m7dd44548ya4d21cdd7152cd75@mail.gmail.com> <779553.27248.qm@web27201.mail.ukl.yahoo.com>
Message-ID: <5d093f9a1001250617x6baf4d60m1e0823a35347f95a@mail.gmail.com>

Well, it is a voice/BGP gateway with CCME as SRST... two PRIs three multilink T1s...

J

On Mon, Jan 25, 2010 at 8:14 AM, Rhodium wrote:
> This is normally because the CPU shoots up to about 100% during the wri mem depending on the platform as it needs to save the config. This especially happens if the config file needs to be compressed as it is too long.
>
> Make sure you are running CEF on the router and don't do too many wri mems. :)
>
> Alternatively, you can try different IOS versions to determine which ones don't have as much impact on router as the current one but it is one of those things that I don't worry about.
>
> Regards,
>
> Jason
>
> --- On Mon, 1/25/10, Jonathan Charles wrote:
>
> > From: Jonathan Charles
> > Subject: Re: [cisco-voip] [c-nsp] Wr mem causes massive delay...
> > To: "Byrd, William"
> > Cc: cisco-voip at puck.nether.net, cisco-nsp at puck.nether.net
> > Date: Monday, January 25, 2010, 1:49 PM
> > It is an IP address past the router, on the other side of the WAN...
> >
> > Jonathan
> >
> > On Mon, Jan 25, 2010 at 7:47 AM, Byrd, William wrote:
> >
> > Is that IP address on an interface in the router or something behind it?
> >
> > William Collier-Byrd / will at collier-byrd.net
> > Make note, my e-mail address has changed.
> >
> > On Mon, Jan 25, 2010 at 8:27 AM, Jonathan Charles wrote:
> >
> > So, noticed something weird...
> >
> > Got a 2851 with 512MB of RAM... if I have a constant ping going thru the router and I write mem, the ping goes up by a factor of 5.....
> >
> > Cisco 2851 (revision 53.50) with 507904K/16384K bytes of memory.
> > Processor board ID FTX1345A0EY
> > 2 Gigabit Ethernet interfaces
> > 51 Serial interfaces
> > 6 Channelized/Clear T1/PRI ports
> > 1 Virtual Private Network (VPN) Module
> > 4 Voice FXS interfaces
> > DRAM configuration is 64 bits wide with parity enabled.
> > 239K bytes of non-volatile configuration memory.
> > 126000K bytes of ATA CompactFlash (Read/Write)
> >
> > Reply from 172.16.2.11: bytes=32 time=32ms TTL=60
> > Reply from 172.16.2.11: bytes=32 time=34ms TTL=60
> > Reply from 172.16.2.11: bytes=32 time=133ms TTL=60
> > Reply from 172.16.2.11: bytes=32 time=30ms TTL=60
> > Reply from 172.16.2.11: bytes=32 time=25ms TTL=60
> >
> > So, is this normal?
> >
> > Jonathan
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> > -----Inline Attachment Follows-----
> >
> > _______________________________________________
> > cisco-voip mailing list
> > cisco-voip at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
>

From p.mayers at imperial.ac.uk Mon Jan 25 09:35:13 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 25 Jan 2010 14:35:13 +0000
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: <4B5DA2B9.90300@ttec.com>
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <4B5D9FFA.8010500@imperial.ac.uk> <4B5DA2B9.90300@ttec.com>
Message-ID: <4B5DAC21.2020600@imperial.ac.uk>

On 25/01/10 13:55, Joe Maimon wrote:
>
> Phil Mayers wrote:
>>> So, is this normal?
>>
>> Ours does it. I wouldn't worry about it - it does not mean packet
>> forwarding will be adversely affected.
>> _______________________________________________
>
> Depends if he is pinging the router or pinging through it, as per the OP.
>
> If it affects pings through the router, not just pings TO the router, I
> would check that cef is on.
>

Well, although he said pinging "thru" the router, I pretty much assumed he meant "to". But sure, CEF is worth checking if not.

OTOH are there any IOS releases for 28xx series which will *let* you disable CEF? Not a platform we use very much, so I'm not sure.

From tvarriale at comcast.net Mon Jan 25 10:34:57 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 25 Jan 2010 09:34:57 -0600
Subject: [c-nsp] Wr mem causes massive delay...
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com>
Message-ID:

----- Original Message -----
From: "Jonathan Charles"
To: ;
Sent: Monday, January 25, 2010 7:27 AM
Subject: [c-nsp] Wr mem causes massive delay...

> So, noticed something weird...
>
> Got a 2851 with 512MB of RAM... if I have a constant ping going thru the
> router and I write mem, the ping goes up by a factor of 5....
>
> Cisco 2851 (revision 53.50) with 507904K/16384K bytes of memory.
> Processor board ID FTX1345A0EY
> 2 Gigabit Ethernet interfaces
> 51 Serial interfaces
> 6 Channelized/Clear T1/PRI ports
> 1 Virtual Private Network (VPN) Module
> 4 Voice FXS interfaces
> DRAM configuration is 64 bits wide with parity enabled.
> 239K bytes of non-volatile configuration memory.
> 126000K bytes of ATA CompactFlash (Read/Write)
>
> Reply from 172.16.2.11: bytes=32 time=32ms TTL=60
> Reply from 172.16.2.11: bytes=32 time=34ms TTL=60
> Reply from 172.16.2.11: bytes=32 time=133ms TTL=60
> Reply from 172.16.2.11: bytes=32 time=30ms TTL=60
> Reply from 172.16.2.11: bytes=32 time=25ms TTL=60
>
> So, is this normal?
>
> Jonathan

If you are pinging through the router, no that is not normal. There will always be some delay while it writes to media. But, it should not affect the forwarding path.

Care to forward a config and code rev?

From saku at ytti.fi Mon Jan 25 11:06:19 2010
From: saku at ytti.fi (Saku Ytti)
Date: Mon, 25 Jan 2010 18:06:19 +0200
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To:
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com>
Message-ID: <20100125160619.GA26086@mx.ytti.net>

On (2010-01-25 09:34 -0600), Tony Varriale wrote:

> If you are pinging through the router, no that is not normal. There
> will always be some delay while it writes to media. But, it should
> not affect the forwarding path.

It does, but only slightly, 'write' and 'dir' will both do that, as they interrupt. This is true at least for VXR, I don't see why 2800 would be different.

To see these, you'd need non-averaging SLA measurements with very frequent polling interval, but if you can do that, you can see from transit SLA graphs e.g. when rancid was run. When I've been able to see this, I've used some other methods than simple ping as the effect is extremely short and thus hard to see with ping.

If OP was pinging once a second, and can reproduce this every time he does 'write', then this is much more likely real issue.

--
  ++ytti

From Charles.Church at harris.com Mon Jan 25 11:07:46 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Mon, 25 Jan 2010 11:07:46 -0500
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> Message-ID: <290EF89F13F04F4E924BB235A46D18F108C66B8864@MLBMXUS2.cs.myharris.net> This is a software based router, and 'wri mem' is very CPU intensive. What does the CPU look like before the wri mem is done? I don't think this is abnormal. Chuck ----- Original Message ----- From: "Jonathan Charles" To: ; Sent: Monday, January 25, 2010 7:27 AM Subject: [c-nsp] Wr mem causes massive delay... > So, noticed something weird... > > Got a 2851 with 512MB or RAM... if I have a constant ping going thru the > router and I write mem, the ping goes up by a factor of 5.... > > > Cisco 2851 (revision 53.50) with 507904K/16384K bytes of memory. > Processor board ID FTX1345A0EY > 2 Gigabit Ethernet interfaces > 51 Serial interfaces > 6 Channelized/Clear T1/PRI ports > 1 Virtual Private Network (VPN) Module > 4 Voice FXS interfaces > DRAM configuration is 64 bits wide with parity enabled. > 239K bytes of non-volatile configuration memory. > 126000K bytes of ATA CompactFlash (Read/Write) > > > > > Reply from 172.16.2.11: bytes=32 time=32ms TTL=60 > Reply from 172.16.2.11: bytes=32 time=34ms TTL=60 > Reply from 172.16.2.11: bytes=32 time=133ms TTL=60 > Reply from 172.16.2.11: bytes=32 time=30ms TTL=60 > Reply from 172.16.2.11: bytes=32 time=25ms TTL=60 > > So, is this normal? > > > > Jonathan From jmaimon at ttec.com Mon Jan 25 11:26:37 2010 From: jmaimon at ttec.com (Joe Maimon) Date: Mon, 25 Jan 2010 11:26:37 -0500 Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions In-Reply-To: <001501ca9db5$ac3b4f90$04b1eeb0$@info> References: <4B5C6FFD.2010201@ttec.com> <000001ca9d19$e8c1aaf0$ba4500d0$@info> <4B5C90AD.5090406@ttec.com> <000f01ca9d2a$2a735830$7f5a0890$@info> <4B5CB0E4.4050709@ttec.com> <001501ca9db5$ac3b4f90$04b1eeb0$@info> Message-ID: <4B5DC63D.9030802@ttec.com> Ivan Pepelnjak wrote: >> The problem is that the session stays active. I want the session to be >> lost. 
I believe the rules should be adhered to a bit more strictly.

> The session DOES NOT stay active. The phone is stupid. It should have
> realized there's no reply and restart the session.

With UDP and other stateless protocols' "sessions", the router cannot tell that the phone thinks it is doing exactly that. You can view this issue with ping -t from Windows stations as well.

>> If the current matching nat statement would result in a different value
>> for the inside global address, then a new translation should be called
>> for.
>>
>> It isn't actually all that hard to check for, conceptually.
>
> And then you'd complain about the CPU load. What do you think is cheaper:
> checking the NAT table or NAT rules (including route maps) for every packet?

It would be nice if there were some happy medium somewhere that would not result in sessions that won't die and can't work.

>> (What would you expect to happen when the DHCP client address changes on
>> the egress interface? Or if you change the ip address on an interface
>> referenced by the ip nat statement?)
>
> You'd lose all sessions, obviously. What else would you expect?

That's exactly what I would expect. So either there is some validation going on beyond matching existing sessions for the nat sessions, or the event of changing an interface address referenced in nat rules triggers cleanup. I suppose I should pay more attention the next time an opportunity to view this presents itself - it may very well not be the case.

>> Apparently, the end stations don't change the source port for new
>> attempts.
>
> Proves my point. The phone is stupid ;) There's a reason every new client
> session should use a new dynamic port number.

Is it a big surprise that IP handsets can have extremely shoddy stacks? How about traceroutes to phones that would have the remainder of the default 30 hops be the phone itself? Voice competency and networking competency seem to have oil/water difficulties.
Most of these handsets can cost about as much as many new workstations do.

>> This behavior has very disruptive end user symptoms.
>
> Many stupid implementations have disruptive end-user symptoms. Microsoft
> Network Load Balancing with unknown unicast MAC addresses immediately comes
> to mind ;)
>
> Ivan Pepelnjak
> blog.ioshints.info / www.ioshints.info

So what is the bottom line? Is this the best that can be done with simple end site redundancy with object tracking and without dynamic routing?

Thanks for all your help.

Joe

From sethm at rollernet.us Mon Jan 25 12:14:41 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 25 Jan 2010 09:14:41 -0800
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C66B8864@MLBMXUS2.cs.myharris.net>
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <290EF89F13F04F4E924BB235A46D18F108C66B8864@MLBMXUS2.cs.myharris.net>
Message-ID: <4B5DD181.8020109@rollernet.us>

On 1/25/10 8:07 AM, Church, Charles wrote:
> This is a software based router, and 'wri mem' is very CPU intensive. What
> does the CPU look like before the wri mem is done? I don't think this is
> abnormal.
>

Very large config on an already busy router with compress-config turned on?

~Seth

From jonvoip at gmail.com Mon Jan 25 12:40:13 2010
From: jonvoip at gmail.com (Jonathan Charles)
Date: Mon, 25 Jan 2010 11:40:13 -0600
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: <4B5DD181.8020109@rollernet.us>
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <290EF89F13F04F4E924BB235A46D18F108C66B8864@MLBMXUS2.cs.myharris.net> <4B5DD181.8020109@rollernet.us>
Message-ID: <5d093f9a1001250940x43ed2169va607c88fcfac3932@mail.gmail.com>

It is a big config... cuz of all the voipy stuff.

J

On Mon, Jan 25, 2010 at 11:14 AM, Seth Mattinen wrote:
> On 1/25/10 8:07 AM, Church, Charles wrote:
> > This is a software based router, and 'wri mem' is very CPU intensive.
> > What does the CPU look like before the wri mem is done? I don't think this
> > is abnormal.
> >
>
> Very large config on an already busy router with compress-config turned on?
>
> ~Seth
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From ip at ioshints.info Mon Jan 25 12:52:58 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Mon, 25 Jan 2010 18:52:58 +0100
Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
In-Reply-To: <4B5DC63D.9030802@ttec.com>
References: <4B5C6FFD.2010201@ttec.com> <000001ca9d19$e8c1aaf0$ba4500d0$@info> <4B5C90AD.5090406@ttec.com> <000f01ca9d2a$2a735830$7f5a0890$@info> <4B5CB0E4.4050709@ttec.com> <001501ca9db5$ac3b4f90$04b1eeb0$@info> <4B5DC63D.9030802@ttec.com>
Message-ID: <005301ca9de7$3d444150$b7ccc3f0$@info>

Just did a few tests with 12.4(24)T. IOS NAT is extra stupid when it comes to clearing the NAT translation table. Even though you have NAT rules tied to an interface ("ip nat inside ... interface"), they are not cleared when the interface IP address is lost or when the interface is shut down.

So (I guess) the best you can do is to catch changes in the tracked object's state with an EEM applet that clears all NAT translations.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> So what is the bottom line? Is this the best that can be done with
> simple end site redundancy with object tracking and without dynamic
> routing?
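The EEM approach Ivan describes, written out as an added example for the archive (it is not from this thread and not Ivan's configuration; the interface names, addresses, probe target, object number and applet name are assumed for illustration). An IP SLA probe drives a tracked object; the tracked object conditions the primary default route and, through the egress interface, which NAT rule applies; and an EEM applet flushes the translation table whenever the tracked object changes state, so a phone that keeps reusing the same source port gets a fresh translation on the interface now in use instead of matching a stale entry built on the dead path.

```cisco
! Assumed topology for this example: Fa0/0 = inside LAN,
! Fa0/1 = primary ISP, Fa1/0 = backup ISP. Addresses are
! documentation ranges, not taken from the thread.
!
! Probe the primary ISP next hop; the tracked object goes down
! when the primary path stops answering.
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default route is withdrawn when track 1 is down;
! the floating static via the backup ISP then takes over.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! One NAT rule per upstream, selected by the egress interface
! the routing table picks for the packet.
ip access-list standard LAN
 permit 192.168.1.0 0.0.0.255
!
route-map NAT-PRIMARY permit 10
 match ip address LAN
 match interface FastEthernet0/1
!
route-map NAT-BACKUP permit 10
 match ip address LAN
 match interface FastEthernet1/0
!
ip nat inside source route-map NAT-PRIMARY interface FastEthernet0/1 overload
ip nat inside source route-map NAT-BACKUP interface FastEthernet1/0 overload
!
! The piece the thread found missing: IOS does not drop existing
! translations when the path they were built on goes away, so
! flush them on every state change of the tracked object. The
! next packet from each inside host rebuilds its translation on
! whichever outside interface the routing table now selects.
event manager applet NAT-FLUSH-ON-FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 1 changed state, NAT translations cleared"
```

After a failover, show track 1, show ip nat translations and show event manager history events confirm that the object flipped, the table was emptied and the applet ran. The applet fires on both the down and the up transition, so every host loses its translations once in each direction; that is the trade-off the thread arrived at, and it is what makes the handsets that reuse a source port recover. Where the release supports it, clear ip nat translation forced also removes entries that the plain form leaves in place because they are still in use.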
From samuelmenon at yahoo.com.br Mon Jan 25 14:38:32 2010
From: samuelmenon at yahoo.com.br (SAMUEL MENON)
Date: Mon, 25 Jan 2010 11:38:32 -0800 (PST)
Subject: [c-nsp] Re: BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
In-Reply-To:
References: <20100122090742.565d4609@roadrunner.skoal.name> <4B597751.5020600@gmail.com>
Message-ID: <957426.40336.qm@web112602.mail.gq1.yahoo.com>

Hi,

My experience with this kind of problem of "Dead timer expired" on OSPF was solved with:

- Put the same MTU on all the interfaces and subinterfaces.
- Configure on the OSPF - ip ospf ignore-mtu
- We use the topology 7600 <-> SWITCH <-> 7600, and almost 100% of the times when this problem happened it has been solved with an upgrade of the IOS on the switch (Extreme). Normally it is some kind of problem (bug) with the switch working with a lot of traffic on the interfaces.

I hope that can help with the problem of OSPF - "Dead timer expired"

Regards,
Samuel

________________________________
From: Andy B.
To: roy
Cc: cisco-nsp at puck.nether.net
Sent: Friday, 22 January 2010 8:26:39
Subject: Re: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL

MTU is 1500 on all links:

Core 1:
#sh int te9/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
#sh int te9/2 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
#sh int te8/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 2:
#sh int te4/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 3:
#sh int te4/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 4:
#sh int te4/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 1 is physically connected to 2, 3 and 4 (star topology). BGP is fully meshed - no route reflector.

Andy

On Fri, Jan 22, 2010 at 11:00 AM, roy wrote:
> We had a somewhat similar problem with ospf/bgp which was eventually
> resolved by making link mtu uniform across the links. Let me know if this
> helps.
>
> On Friday, 22 January, 2010 04:07 PM, Gergely Antal wrote:
>>
>> just a thought :
>> sh ip bgp neighbors | i Datagrams
>>
>> maybe one router tries to negotiate the session with low datagram size
>> and the update storm floods the connection.
>>
>>
>> On Fri, 22 Jan 2010 02:06:53 +0100
>> "Andy B." wrote:
>>
>>> Hi,
>>>
>>> here we go:
>>>
>>> Core router that is causing headaches:
>>>
>>> interface Loopback0
>>>  ip address x.x.x.130 255.255.255.255
>>>
>>> interface TenGigabitEthernet9/1
>>>  ip address y.y.y.1 255.255.255.252
>>>  no ip redirects
>>>  no ip proxy-arp
>>>  no cdp enable
>>>
>>> router ospf 1
>>>  router-id x.x.x.130
>>>  log-adjacency-changes
>>>  redistribute connected subnets
>>>  redistribute static subnets
>>>  passive-interface default
>>>  no passive-interface TenGigabitEthernet8/1
>>>  no passive-interface TenGigabitEthernet9/1
>>>  no passive-interface TenGigabitEthernet9/2
>>>  network y.y.y.0 0.0.0.3 area 0
>>>  network y.y.y.4 0.0.0.3 area 0
>>>  network y.y.y.8 0.0.0.3 area 0
>>>
>>>
>>> Adjacent router (one of them):
>>>
>>> interface Loopback0
>>>  ip address x.x.x.131 255.255.255.255
>>>
>>> interface TenGigabitEthernet4/1
>>>  ip address y.y.y.2 255.255.255.252
>>>  no ip redirects
>>>  no ip proxy-arp
>>>
>>> router ospf 1
>>>  router-id x.x.x.131
>>>  log-adjacency-changes
>>>  redistribute connected subnets
>>>  redistribute static subnets
>>>  passive-interface default
>>>  no passive-interface TenGigabitEthernet4/1
>>>  network y.y.y.0 0.0.0.3 area 0
>>>
>>>
>>> I hope this helps...
>>>
>>> Andy
>>>
>>>
>>> On Fri, Jan 22, 2010 at 1:53 AM, Jason LeBlanc
>>> wrote:
>>>>
>>>> Can you send your OSPF config?
>>>>
>>>> On Jan 21, 2010, at 5:28 PM, Andy B. wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I just fell over this thread while doing a little research to solve a
>>>>> similar situation.
>>>>>
>>>>> Hardware:
>>>>>
>>>>> - 6509 with SUP720-3BXL on both ends
>>>>> - SXF15a
>>>>> - Uptime: 46 weeks
>>>>>
>>>>> Problem:
>>>>>
>>>>> - OSPF (for the loopback between cores) and BGP (mostly customers
>>>>> whom we send the full table) going up and down all the time:
>>>>>
>>>>> %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1
>>>>> from FULL to DOWN, Neighbor Down: Dead timer expired
>>>>> %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.131 on TenGigabitEthernet9/1
>>>>> from LOADING to FULL, Loading Done
>>>>> %BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent
>>>>> %BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time
>>>>> expired) 0 bytes
>>>>> %BGP-5-ADJCHANGE: neighbor y.y.y.14 Up
>>>>>
>>>>> This keeps going on for several hours, and suddenly it stabilizes
>>>>> itself.
>>>>>
>>>>> Furthermore I use cacti to generate graphs from the core router via
>>>>> SNMP. I have one VLAN that has around 15 Gbps traffic at peak times,
>>>>> and as soon as I hit more than 15 Gbps, no more graphs are drawn,
>>>>> core router console becomes rather unresponsive and OSPF starts to
>>>>> behave strangely.
>>>>>
>>>>> What I can rule out is the fiber capacity. I have multiple circuits
>>>>> and different paths and operators. The OSPF issue happens on all
>>>>> circuits, not just a specific one. No 10 GE link is used more than
>>>>> 60%. In fact, traffic from inside my backbone to any place outside
>>>>> remains unaffected (thank God), but the core router itself is pretty
>>>>> useless. Pinging the core's loopback or any ip loaded on that box
>>>>> results in a 40-60% packet loss.
>>>>>
>>>>> CPU usage is not high, it's stable. No unusual processes, just IP
>>>>> Input and BGP Scanner. More than 50% memory is still free at that
>>>>> time.
>>>>>
>>>>> I've had this many times recently, but it really just happens when
>>>>> my core goes beyond +- 15 Gbps of traffic (outbound).
>>>>> We've been
>>>>> below 15 Gbps for 2 years and it never happened at that time. Now
>>>>> all this mess happens almost daily, rendering important billing
>>>>> graphs useless and annoying full table BGP customers.
>>>>>
>>>>> Is this a memory issue, due to the router's long uptime? Would
>>>>> reloading the router help in this case? That's the last thing I
>>>>> would want to do, but if it helps...
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Andy
>>>>>
>>>>> On Fri, Dec 11, 2009 at 5:22 PM, Drew Weaver
>>>>> wrote:
>>>>>>
>>>>>> Howdy all,
>>>>>>
>>>>>> Last night I had an interesting encounter on one of my 6509s /w
>>>>>> SUP7203-BXL.
>>>>>>
>>>>>> This switch has 3x iBGP sessions with full internet tables and is
>>>>>> also running OSPF.
>>>>>>
>>>>>> Two of the three iBGP sessions randomly dropped with:
>>>>>>
>>>>>> %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time
>>>>>> expired) 0 bytes, I also noticed that during this period OSPF
>>>>>> dropped with Neighbor Down: Dead timer expired
>>>>>>
>>>>>> and then re-established, and then failed again, and
>>>>>> re-established, and failed again, and so on, and so on.
>>>>>>
>>>>>> I checked the physical interfaces between this 6500 and the two
>>>>>> GSR 12000s it peers with and there were no errors, there was also
>>>>>> no obvious spike in traffic that would account for latency that
>>>>>> might cause the hold timers to expire. I remember when this system
>>>>>> first came online it took a really long time for it to download
>>>>>> the full internet tables from the upstream GSRs and also during
>>>>>> that time there was a lot of CPU time being eaten up, I am
>>>>>> wondering if maybe the first session failing caused sort of a
>>>>>> 'performance' domino effect which then caused everything else to
>>>>>> fail, the issue eventually corrected itself and stabilized.
>>>>>>
>>>>>> This particular box is running 12.2(18)SXF17 so I am less likely
>>>>>> to believe it is a software bug.
>>>>>>
>>>>>> Does anyone have any tips on both how I can avoid the hold timer
>>>>>> issue altogether and also how I can make it so that if a session
>>>>>> does go down and re-establish it doesn't totally nail the CPU
>>>>>> while it's trying to re-establish/download the routes? A long time
>>>>>> ago I also read that increasing the MTU on both ends of a circuit
>>>>>> can make BGP tables download faster, I don't know if that's true
>>>>>> or not, has anyone else found that?
>>>>>>
>>>>>> thanks,
>>>>>> -Drew
>>>>>>
>>>>>
>>>>
>>>
>>
>

From tvarriale at comcast.net Mon Jan 25 14:53:33 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 25 Jan 2010 13:53:33 -0600
Subject: [c-nsp] Wr mem causes massive delay...
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <20100125160619.GA26086@mx.ytti.net>
Message-ID: <4C388AF5D4824D2B9F05737FD9FE1A7B@flamdt01>

Assuming the config isn't huge and your router is already oversubbed, you shouldn't be able to tell.

tv

----- Original Message -----
From: "Saku Ytti"
To:
Sent: Monday, January 25, 2010 10:06 AM
Subject: Re: [c-nsp] Wr mem causes massive delay...

> On (2010-01-25 09:34 -0600), Tony Varriale wrote:
>
>> If you are pinging through the router, no, that is not normal. There
>> will always be some delay while it writes to media. But it should
>> not affect the forwarding path.
>
> It does, but only slightly; 'write' and 'dir' will both do that, as they
> interrupt. This is true at least for VXR, I don't see why 2800 would be
> different.
> To see these, you'd need non-averaging SLA measurements with a very frequent
> polling interval, but if you can do that, you can see from transit SLA
> graphs e.g. when rancid was run.
> When I've been able to see this, I've used some other methods than simple
> ping as the effect is extremely short and thus hard to see with ping. If
> OP was pinging once a second, and can reproduce this every time he does
> 'write', then this is much more likely a real issue.
>
> --
> ++ytti

From sethm at rollernet.us Mon Jan 25 14:56:34 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 25 Jan 2010 11:56:34 -0800
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: <4C388AF5D4824D2B9F05737FD9FE1A7B@flamdt01>
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <20100125160619.GA26086@mx.ytti.net> <4C388AF5D4824D2B9F05737FD9FE1A7B@flamdt01>
Message-ID: <4B5DF772.1060409@rollernet.us>

On 1/25/2010 11:53, Tony Varriale wrote:
> Assuming the config isn't huge and your router is already oversubbed you
> shouldn't be able to tell.
>

Well, he does have 64 interfaces, so it's probably large-ish.

~Seth

From tvarriale at comcast.net Mon Jan 25 14:58:00 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 25 Jan 2010 13:58:00 -0600
Subject: [c-nsp] Wr mem causes massive delay...
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <290EF89F13F04F4E924BB235A46D18F108C66B8864@MLBMXUS2.cs.myharris.net> <4B5DD181.8020109@rollernet.us> <5d093f9a1001250940x43ed2169va607c88fcfac3932@mail.gmail.com>
Message-ID: <99E31337570F4389B2CD5F8A6D4299EC@flamdt01>

A large VoIP config isn't what I consider normal for your platform.

As a side note, what's typical utilization and what is the utilization when you typically make changes? So, either you can size the platform appropriately or do config management during non-biz hours.

So if your wr mem is taking 60 seconds to complete, yes, your spike in latency through the box is expected.

Conversely, you would always try it with IP addressing only and see what you get.

tv

----- Original Message -----
From: "Jonathan Charles"
To: "Seth Mattinen"
Cc:
Sent: Monday, January 25, 2010 11:40 AM
Subject: Re: [c-nsp] Wr mem causes massive delay...

> It is a big config... cuz of all the voipy stuff.
>
>
> J
>
> On Mon, Jan 25, 2010 at 11:14 AM, Seth Mattinen
> wrote:
>
>> On 1/25/10 8:07 AM, Church, Charles wrote:
>> > This is a software based router, and 'wri mem' is very CPU intensive.
>> What does the CPU look like before the wri mem is done? I don't think
>> this
>> is abnormal.
>> >
>>
>> Very large config on an already busy router with compress-config turned
>> on?
>>
>> ~Seth
>>
>

From tvarriale at comcast.net Mon Jan 25 15:00:26 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 25 Jan 2010 14:00:26 -0600
Subject: [c-nsp] Wr mem causes massive delay...
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <20100125160619.GA26086@mx.ytti.net> <4C388AF5D4824D2B9F05737FD9FE1A7B@flamdt01>
Message-ID:

----- Original Message -----
From: "Tony Varriale"
To:
Sent: Monday, January 25, 2010 1:53 PM
Subject: Re: [c-nsp] Wr mem causes massive delay...

> Assuming the config isn't huge and your router is already oversubbed you
> shouldn't be able to tell.
>

Should say:

> Assuming the config isn't huge and your router isn't already oversubbed
> you shouldn't be able to tell.

From saku at ytti.fi Mon Jan 25 15:50:49 2010
From: saku at ytti.fi (Saku Ytti)
Date: Mon, 25 Jan 2010 22:50:49 +0200
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To:
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <20100125160619.GA26086@mx.ytti.net> <4C388AF5D4824D2B9F05737FD9FE1A7B@flamdt01>
Message-ID: <20100125205049.GA29819@mx.ytti.net>

On (2010-01-25 14:00 -0600), Tony Varriale wrote:
> >Assuming the config isn't huge and your router isn't already
> >oversubbed you shouldn't be able to tell.
It doesn't really matter; an interrupt is an interrupt. Compiling the config is something you can do when you don't have packets to push, but at the point you're writing it there is an interrupt today, and it does interfere measurably with packet pushing, even if your CPU load is very small. In fact that makes the spotting easier, since then your jitter is extremely small and a smaller deviation can be reliably picked up from measurements.

But again, if OP is seeing this reliably with a ping sent every 1s, this is a real issue, not expected behaviour.

--
++ytti

From bdikici at gmail.com Mon Jan 25 15:53:00 2010
From: bdikici at gmail.com (Burak Dikici)
Date: Mon, 25 Jan 2010 22:53:00 +0200
Subject: [c-nsp] Cisco 7600 Series Ethernet Services cards types & queue values
Message-ID:

Hello,

There are different types of Cisco 7600 Series Ethernet Services cards. (More expensive cards with high queue values and less expensive cards with low queue values.)

http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-549419.html

Hardware queues
ES Plus XT 40G line cards
- 128,000 ingress queues
- 256,000 egress queues
ES Plus XT 20G line cards
- *64,000 ingress queues*
- 128,000 egress queues
Hierarchical QoS (H-QoS)

http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-570730.html

Hardware queues
Cisco 7600 Series ES Plus Transport 40G and 20G Line Cards
*Supporting up to 16 level 4 queues per physical port*
Hierarchical QoS (H-QoS)

Low queue cards have got only 4 queues per physical port. High queue cards have got a minimum of 64,000 queues. This is a very huge difference.

In what kind of scenario do we have to use the high queue cards? Could you give some examples please?

Kind Regards.
Burak

From guru6111 at gmail.com Mon Jan 25 15:59:23 2010
From: guru6111 at gmail.com (Atif Sid)
Date: Mon, 25 Jan 2010 15:59:23 -0500
Subject: [c-nsp] 7600 + egress netflow + 12.2(33)SRE
Message-ID: <766b203d1001251259p53193198i12f7c53511dba44@mail.gmail.com>

New code 12.2(33)SRE has removed the command ip flow egress from the interfaces. It shows the command but does not configure it?

example:

PE2(config)#int vlan 3500
PE2(config-if)#ip flow
PE2(config-if)#ip flow ?
  egress   Enable outbound NetFlow
  ingress  Enable inbound NetFlow

PE2(config-if)#ip flow eg
PE2(config-if)#ip flow egress ?
PE2(config-if)#ip flow egress
PE2(config-if)#end

When I look at the config it does not show egress:

interface Vlan3500
 ip vrf forwarding TEST
 ip address 10.10.176.1 255.255.255.252
 ip flow ingress
end

PE2#sh ip interface vlan 3500
Vlan3500 is up, line protocol is up
  Internet address is 10.10.176.1/30
  ....
  ...
  Input features: Ingress-NetFlow, MCI Check
  Output features: Post-Ingress-NetFlow, HW Shortcut Installation

In 12.2(33)SRB2 we can see it enabled:

  Input features: Ingress-NetFlow, uRPF
  Output features: Post-Ingress-NetFlow, Egress-Netflow, HW Shortcut Installation

Upgraded from 12.2(33)SRB2 to 12.2(33)SRE and it removed the ip flow egress commands from all the interfaces.

Any other way we can enable it?

From jonvoip at gmail.com Mon Jan 25 16:39:10 2010
From: jonvoip at gmail.com (Jonathan Charles)
Date: Mon, 25 Jan 2010 15:39:10 -0600
Subject: [c-nsp] Wr mem causes massive delay...
In-Reply-To: <4B5DF772.1060409@rollernet.us>
References: <5d093f9a1001250527g18beac22h4de4ac4c442d159@mail.gmail.com> <20100125160619.GA26086@mx.ytti.net> <4C388AF5D4824D2B9F05737FD9FE1A7B@flamdt01> <4B5DF772.1060409@rollernet.us>
Message-ID: <5d093f9a1001251339x32d36c5bxb5479abdead8a498@mail.gmail.com>

Two PRIs for voice, about 150 dial-peers (30 ephone-dn's as octo-lines, plus pots and voip DPs).... three T1s in a multilink ppp.... I really don't think the config is that big... 34k....
with 239k total NVRAM, so it shouldn't need to compress anything...

Jonathan

On Mon, Jan 25, 2010 at 1:56 PM, Seth Mattinen wrote:
> On 1/25/2010 11:53, Tony Varriale wrote:
> > Assuming the config isn't huge and your router is already oversubbed you
> > shouldn't be able to tell.
> >
>
> Well, he does have 64 interfaces, so it's probably large-ish.
>
> ~Seth
>

From peter.hicks at poggs.co.uk Mon Jan 25 17:40:21 2010
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Mon, 25 Jan 2010 22:40:21 +0000
Subject: [c-nsp] PPP CHAP spoofed challenges
Message-ID: <4B5E1DD5.4050101@poggs.co.uk>

All,

We have a DSL circuit here terminated on an 1801 with IOS 15.1(XB). It's having trouble authenticating through to our ISP's LNS:

Jan 25 22:14:42.653: Vi2 PPP: Phase is AUTHENTICATING, by both
Jan 25 22:14:42.653: Vi2 CHAP: O CHALLENGE id 1 len 36 from "test-phph38 at a.1"
Jan 25 22:14:42.653: Vi2 LCP: State is Open
Jan 25 22:14:42.681: Vi2 CHAP: I CHALLENGE id 1 len 29 from "sov.lac0"
Jan 25 22:14:42.681: Vi2 PPP: Sent CHAP SENDAUTH Request
Jan 25 22:14:42.681: Vi2 PPP: Received SENDAUTH Response FAIL
Jan 25 22:14:42.681: Vi2 CHAP: Using hostname from interface CHAP
Jan 25 22:14:42.681: Vi2 CHAP: Using password from interface CHAP
Jan 25 22:14:42.681: Vi2 CHAP: O RESPONSE id 1 len 36 from "test-phph38 at a.1"
Jan 25 22:14:44.021: Vi2 LCP: I CONFREQ [Open] id 0 len 15
Jan 25 22:14:44.021: Vi2 LCP:    MagicNumber 0x71F64BD1 (0x050671F64BD1)
Jan 25 22:14:44.021: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
Jan 25 22:14:44.025: Vi2 PPP DISC: PPP Renegotiating
Jan 25 22:14:44.025: Vi2 LCP: Event[LCP Reneg] State[Open to Open]
Jan 25 22:14:44.025: Vi2 LCP: Event[DOWN] State[Open to Starting]
...
Jan 25 22:14:44.061: Vi2 PPP: Phase is AUTHENTICATING, by both
Jan 25 22:14:44.061: Vi2 CHAP: O CHALLENGE id 1 len 36 from "test-phph38 at a.1"
Jan 25 22:14:44.061: Vi2 CHAP: Redirect packet to Vi2
Jan 25 22:14:44.061: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:44.061: Vi2 CHAP: Ignoring spoofed Challenge
Jan 25 22:14:44.061: Vi2 LCP: State is Open
Jan 25 22:14:46.021: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:46.021: Vi2 CHAP: Ignoring spoofed Challenge
Jan 25 22:14:48.021: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:48.021: Vi2 CHAP: Ignoring spoofed Challenge
Jan 25 22:14:50.021: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:50.021: Vi2 CHAP: Ignoring spoofed Challenge
Jan 25 22:14:52.021: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:52.021: Vi2 CHAP: Ignoring spoofed Challenge

Here, sov.lac0 is the DSL provider's LAC, and 'doubtless' is the ISP's LNS - which restarts LCP when it receives a new L2TP session from the LAC. The 1801 here is unhappy at receiving a CHAP challenge from a different hostname, and thus refuses to authenticate.

The Dialer interface has 'ppp authentication chap callin' set, and I've tried 'ppp direction dedicated', but it doesn't help.

Can anyone shed some light on this and/or suggest a workaround either on our end or the ISP's end?

Regards,

Peter

From gsgranados at comcast.net Mon Jan 25 18:22:38 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 25 Jan 2010 15:22:38 -0800
Subject: [c-nsp] Self rebooting pix?
Message-ID: <002401ca9e15$53269620$2608120a@am.thmulti.com>

Hi All,
I'm having a strange problem and not much diagnostic output so maybe I can get some pointers as to what to look at next.

I have a Pix 501 with a non restrictive license that I'm using as a general firewall and nat device.
There's a 10 megabit ethernet connection handing a statically routed Internet feed on the WAN side and a 100 megabit fast E which connects to a core switch. We nat probably about 50 - 100 users at a time and the throughput over the public pathway is less than 8 megabits for the most part and generally stays around 3 - 5. The output of show cpu usage shows a usage of between 10 and 20 percent with lows of 4% and highs around 25. Randomly throughout the day the connection / device will hang, the switch it's attached to shows the ethernet port go down and come back up a few times then packets start to flow again. After the most recent event I did a show ver on the Pix and saw that the uptime was less than 2 minutes. After each drop this counter returns to 0 which tells me the Pix is rebooting for some reason. Show log doesn't yield anything interesting and the syslog server that captures the log output doesn't have any messages around the time of the outages either. Total traffic disruption lasts for approximately 30 seconds. The time of day is random and it does not seem to increase in frequency with bursts in traffic. I've obviously checked and ensured that the power cables are firmly attached and the network cables are securely attached as well. What other things should I try? Are there any other show commands that might yield some more clues? Has anyone else experienced this? The software rev is 6.3.

Thanks
Scott

From walter.keen at RainierConnect.net Mon Jan 25 18:27:45 2010
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Mon, 25 Jan 2010 15:27:45 -0800
Subject: [c-nsp] Self rebooting pix?
In-Reply-To: <002401ca9e15$53269620$2608120a@am.thmulti.com>
References: <002401ca9e15$53269620$2608120a@am.thmulti.com>
Message-ID: <4B5E28F1.8030102@rainierconnect.net>

We had a similar problem with a PIX-525 (or was it the 520....)
with 6.3. We assumed it was hardware issues and replaced it, but if you have a computer you can stick on the console port, and have its terminal program log everything to a file, it may provide more information.

Scott Granados wrote:
> Hi All,
> I'm having a strange problem and not much diagnostic output so maybe I
> can get some pointers as to what to look at next.
>
> I have a Pix 501 with a non restrictive license that I'm using as a
> general firewall and nat device. There's a 10 megabit ethernet
> connection handing a statically routed Internet feed on the WAN side
> and a 100 megabit fast E which connects to a core switch. We nat
> probably about 50 - 100 users at a time and the throughput over the
> public pathway is less than 8 megabits for the most part and generally
> stays around 3 - 5. The output of show cpu usage shows a usage of
> between 10 and 20 percent with lows of 4% and highs around 25.
> Randomly throughout the day the connection / device will hang, the
> switch it's attached to shows the ethernet port go down and come back
> up a few times then packets start to flow again. After the most
> recent event I did a show ver on the Pix and saw that the uptime was
> less than 2 minutes. After each drop this counter returns to 0 which
> tells me the Pix is rebooting for some reason. Show log doesn't yield
> anything interesting and the syslog server that captures the log
> output doesn't have any messages around the time of the outages
> either. Total traffic disruption lasts for approximately 30 seconds.
> The time of day is random and it does not seem to increase in
> frequency with bursts in traffic. I've obviously checked and ensured
> that the power cables are firmly attached and the network cables are
> securely attached as well. What other things should I try? Are there
> any other show commands that might yield some more clues? Has anyone
> else experienced this? The software rev is 6.3.
> > Thanks > Scott > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Walter Keen Network Technician Rainier Connect (o) 360-832-4024 (c) 253-302-0194 From gsgranados at comcast.net Mon Jan 25 18:28:48 2010 From: gsgranados at comcast.net (Scott Granados) Date: Mon, 25 Jan 2010 15:28:48 -0800 Subject: [c-nsp] Self rebooting pix? References: <002401ca9e15$53269620$2608120a@am.thmulti.com> <4B5E28F1.8030102@rainierconnect.net> Message-ID: <003801ca9e16$2a390710$2608120a@am.thmulti.com> Ah that's a good idea, I can give that a shot. ----- Original Message ----- From: "Walter Keen" To: "Scott Granados" Cc: Sent: Monday, January 25, 2010 3:27 PM Subject: Re: [c-nsp] Self rebooting pix? > We had a similar problem with a PIX-525 (or was it the 520....) with > 6.3, We assumed it was hardware issues and replaced it, but if you have > a computer you can stick on the console port, and have it's terminal > program log everything to a file, it may provide more information. > > Scott Granados wrote: >> Hi All, >> I'm having a strange problem and not much diagnostic output so maybe I >> can get some pointers as to what to look at next. >> >> I have a Pix 501 with a non restrictive license that I'm using as a >> general firewall and nat device. There's a 10 megabit ethernet >> connection handing a statically routed Internet feed on the WAN side >> and a 100 megabit fast E which connects to a core switch. We nat >> probably about 50 - 100 users at a time and the throughput over the >> public pathway is less than 8 megabits for the most part and generally >> stays around 3 - 5. The output of show cpu usage shows a usage of >> between 10 and 20 percent with lows of 4% and highs around 25. 
>> Randomly through out the day the connection / device will hang, the >> switch it's attached to shows the ethernet port go down and come back >> up a few times then packets start to flow again. After the most >> recent event I did a show ver on the Pix and saw that the uptime was >> less than 2 minutes. After each drop this counter returns to 0 which >> tells me the Pix is rebooting for some reason. Show log doesn't yield >> anything interesting and the syslog server that captures the log >> output doesn't have any messages around the time of the outages >> either. Total traffic disruption lasts for approximately 30 seconds. >> The time of day is random and it does not seem to increase in >> frequency with bursts in traffic. I've obviously checked and insure >> that the power cables are firmly attached and the network cables are >> securely attached as well. What other things should I try? Are there >> any other show commands that might yield some more clues? Has anyone >> else experienced this. The software rev is 6.3. >> >> Thanks >> Scott >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > -- > > > Walter Keen > Network Technician > Rainier Connect > (o) 360-832-4024 > (c) 253-302-0194 > From jasongurtz at npumail.com Mon Jan 25 18:46:28 2010 From: jasongurtz at npumail.com (Jason Gurtz) Date: Mon, 25 Jan 2010 18:46:28 -0500 Subject: [c-nsp] Self rebooting pix? In-Reply-To: <002401ca9e15$53269620$2608120a@am.thmulti.com> References: <002401ca9e15$53269620$2608120a@am.thmulti.com> Message-ID: > After each drop this counter returns to 0 which tells me the Pix is > rebooting for some reason. [...] > experienced this. The software rev is 6.3. We experienced this on a 515E running 6.3 code. A move to the 7.0 series solved this issue. 
I can't remember what exactly we saw using console but IIRC was something like runaway memory use. ~JasonG -- From v.jones at networkingunlimited.com Mon Jan 25 20:55:32 2010 From: v.jones at networkingunlimited.com (Vincent C Jones) Date: Mon, 25 Jan 2010 20:55:32 -0500 Subject: [c-nsp] Self rebooting pix? In-Reply-To: References: <002401ca9e15$53269620$2608120a@am.thmulti.com> Message-ID: <1264470932.5442.8.camel@X61.NetworkingUnlimited.nul> Another possibility, given that it is a PIX501, is a loose power connection. Some of the older PIX 501s were so sensitive it seemed they would power cycle if you so much as looked at them. Moving the box, or even bumping into the desk they were on, could reboot them. Crazy, because otherwise they are solid and will run for years with no issues. Good luck and good hunting! -- Vincent C. Jones Networking Unlimited, Inc. Phone: +1 201 568-7810 V.Jones at NetworkingUnlimited.com On Mon, 2010-01-25 at 18:46 -0500, Jason Gurtz wrote: > > After each drop this counter returns to 0 which tells me the Pix is > > rebooting for some reason. > [...] > > experienced this. The software rev is 6.3. > > We experienced this on a 515E running 6.3 code. A move to the 7.0 series > solved this issue. > > I can't remember what exactly we saw using console but IIRC was something > like runaway memory use. > > ~JasonG > From cm at n-home.ru Tue Jan 26 03:26:00 2010 From: cm at n-home.ru (Cyrill Malevanov) Date: Tue, 26 Jan 2010 11:26:00 +0300 Subject: [c-nsp] Cisco 7600 Series Ethernet Services cards types & queue values In-Reply-To: References: Message-ID: <6F281913-7B12-4F0F-B675-707799EF0328@n-home.ru> When you implement broadband access services for a lot of clients - you use ES+ cards to control internet access speed. When you have about 30K VPLS services sold out among all the city - you use ES+ cards to control speed of these services and build QoS hierarchy for marked traffic within one VPLS. 
On Jan 25, 2010, at 11:53 PM, Burak Dikici wrote:

> Hello,
>
> There are different types of Cisco 7600 Series Ethernet Services cards. (More expensive cards with high queue values and less expensive cards with low queue values.)
>
> http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-549419.html
> Hardware queues
> ES Plus XT 40G line cards
> Low queue cards have got only 4 queues per physical port. High queue cards have got a minimum of 64.000 queues. This is a very huge difference. In what kind of scenario do we have to use the High queue cards? Could you give some examples please? Kind Regards.
>
> Burak
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From cm at n-home.ru Tue Jan 26 03:28:07 2010
From: cm at n-home.ru (Cyrill Malevanov)
Date: Tue, 26 Jan 2010 11:28:07 +0300
Subject: [c-nsp] 7600 + egress netflow + 12.2(33)SRE
In-Reply-To: <766b203d1001251259p53193198i12f7c53511dba44@mail.gmail.com>
References: <766b203d1001251259p53193198i12f7c53511dba44@mail.gmail.com>
Message-ID:

7600 routers have almost no reason to use the ip flow ingress / ip flow egress commands. They use NDE through the PFC, because its hardware architecture is very different from 7200 routers.

On Jan 25, 2010, at 11:59 PM, Atif Sid wrote:

> New code 12.2(33)SRE has removed the command ip flow egress from the interfaces. It shows the command but does not configure it?
> example:
>
> PE2(config)#int vlan 3500
> PE2(config-if)#ip flow
> PE2(config-if)#ip flow ?
>   egress   Enable outbound NetFlow
>   ingress  Enable inbound NetFlow
> PE2(config-if)#ip flow eg

From p.mayers at imperial.ac.uk Tue Jan 26 04:10:05 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 26 Jan 2010 09:10:05 +0000
Subject: [c-nsp] 7600 + egress netflow + 12.2(33)SRE
In-Reply-To: <766b203d1001251259p53193198i12f7c53511dba44@mail.gmail.com>
References: <766b203d1001251259p53193198i12f7c53511dba44@mail.gmail.com>
Message-ID: <4B5EB16D.7040104@imperial.ac.uk>

On 01/25/2010 08:59 PM, Atif Sid wrote:
> New code 12.2(33)SRE has removed the command ip flow egress from the interfaces. It shows the command but does not configure it?
> example:

7600s with PFC-based linecards don't support egress netflow, because the hardware does not - only ingress. Is this the kind of interface you're trying to configure on?

I suspect the egress command was present previously either as a cosmetic bug (e.g. it was intended for WAN/ES cards but "accidentally" appeared for all interfaces) or was only capturing software-switched flows.

From p.mayers at imperial.ac.uk Tue Jan 26 04:19:24 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 26 Jan 2010 09:19:24 +0000
Subject: [c-nsp] Resetting (or not) a 6500/sup720 from the console/rommon
Message-ID: <4B5EB39C.9090208@imperial.ac.uk>

This morning we had a crash on a remote site router, a single-sup720 6504 running 12.2(33)SXI (I know, it needs upgrading). I got in over our out-of-band network and found the sup sitting at rommon, so typed reset, and it said:

System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2005 by cisco Systems, Inc.
Cat6k-Sup720/RP platform with 524288 Kbytes of main memory

...and then hung. I sent a break, typed reset, and it did it again... and again... and again...
Normally I'd remote power-cycle it, but at this particular location we don't have an inline switch, so I eventually had to ask a colleague who was on-site to do it.

Looking at the above, it seems like the sup was stuck with the RP in ownership of the console, and the SP somewhere (dead?). When I finally booted via a power-cycle I saw the familiar:

System Bootstrap, Version 8.4(2) Release
Copyright (c) 1994-2005 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 524288 Kbytes of main memory

...and from there the SP booted, and then chain-loaded the RP and all was well.

So - I conclude from this that you basically ALWAYS need remote power cycling equipment on a 6500/sup720, as the split RP/SP processor setup means you might get stuck and unable to boot. Is this the case? Is there a command I could have typed at RP rommon to make it cold-boot? The commands present seemed to be a sub-set of the normal rommon commands, and told me weird things like:

rommon 3 > dir
This operation is not permitted after send-break.

...and:

rommon 5 > set
Access of environmental variables not permitted.
Please set confreg to 0 and reset if you want to make any changes.

From paul at paulcatchpole.co.uk Tue Jan 26 06:45:09 2010
From: paul at paulcatchpole.co.uk (Paul Catchpole)
Date: Tue, 26 Jan 2010 11:45:09 +0000
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
Message-ID: <4B5ED5C5.9070803@paulcatchpole.co.uk>

Hi Charles,

Firstly, disclosure time: over a year ago, I was UK SE/Implementation-engineer for Bluecat's sole disty in the UK, up until the point they pulled distribution and went direct-to-reseller. During that time I rolled out implementations including a UK ISP, a UK-wide distributed corporate install, and a global rollout, amongst others.
I'm currently working for a UK university (as a Network Specialist, not DNS/DHCP) which runs a 1xProteus, 6xAdonis setup. I'm not clear from the comments so far whether everyone's commenting on running an Adonis-only setup just using the Adonis Management Console. If that's the case, then it's a limited solution that works well for small single-administrator setups and is good at replacing existing *nix home-grown boxes. I've never seen a large install not running a Proteus, and I think it'd be fair to say that without it, there can't be any concept of actual IPAM. The Uni is on 2.5-latest (with one patch) and my own Proteus is on 2.3.

Back when I was actually installing this stuff, Infoblox didn't have anything to compare with Bluecat's Proteus, in my opinion. Nothing that could offer a simultaneous overview and management of IP addressing/subnet topology and DNS at the same time, for any number of simultaneous administrators, from a web gui.

The point about actually having root access on the boxes, as well as the code being unpatched (for BIND and DHCPd), makes quite a difference in security-conscious environments. It was a major sell into most installs I did, including the Uni here - and without it, they wouldn't have got the US defence deals, I think.

There've been some good additions recently too, including reconciliation - using SNMP to match the switch CAM/ARP tables with what's in the Proteus and flagging discrepancies. Service monitoring has been improved a lot too. You can now import and export without having to know the Bluecat-only (ish, supposedly) tricks and XML schema.

I'd agree that there've been bugs; I've raised a few myself. The only one to have bitten me properly has been the XHA (Cluster) instability - it was historically far too sensitive to minor network glitches, causing the cluster to fall apart and go dual-active. It's also a right royal pain to readdress a cluster - for example due to a datacentre move.

That's been stable for us at the uni, on the hostile residence network, for a good while now. I've another one regarding the SOAP API flagged at the moment but it's engineer-committed.

I will happily admit though that I've not kept up with Infoblox to see what they've developed since buying out the French graduates who'd developed a 'proper' IPAM solution. It may be that they're competitive now! :)

I moved on to become Borderware UK SE for a while and I'm now trying to regain my Cisco roots, and I'm at the uni to do that as they've just afforded 4x N7Ks and the rest in a full replacement.

Anyhoo, if anyone wants a play on a real Proteus, I can provide a guest account on mine, if you unicast me. It still has some of the sample datasets on it from my SE days and provides live DNS for my hosting environment. I can answer specific questions about bugs I've seen in the past if you've got any, or anything else really. I'm quite open to being a bit biased, but my experiences with the kit are real... If anyone wants it, I can put them in touch with the European SE, Frey Khademi, who's been with the company since it had 15 employees and knows far more than me - someone I have a lot of respect for.

-----
IPv6, and they wrote back "I am sorry but, we don't support DNS over IPv6." So unless things have changed drastically from late October, it would appear that BlueCat's claims for IPv6 support are false.
-----

I've not tried with Adonis only, but with the Proteus, they certainly do support IPv6 DNS records; see below for a sample query of ipv6.greenferret.net (on Adonis/Proteus 2.3). As for addressing the actual Adonis on IPv6, I can't imagine why it shouldn't, but I'll have to try it and see! DHCPv6 is supported but limited at the moment in some ways. Partly because, I think, BCN aren't very clear on market direction and none of their massive customers are screaming loudly enough to go a certain way with it.
; <<>> DiG 9.4.1 <<>> AAAA ipv6.greenferret.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 647
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ipv6.greenferret.net.          IN      AAAA

;; ANSWER SECTION:
ipv6.greenferret.net.    3600   IN      AAAA    2001:470:1f09:3d7::2

;; AUTHORITY SECTION:
greenferret.net.         3600   IN      NS      adonis2.greenferret.net.
greenferret.net.         3600   IN      NS      adonis3.greenferret.net.

;; ADDITIONAL SECTION:
adonis2.greenferret.net. 44787  IN      A       85.234.158.213
adonis3.greenferret.net. 44787  IN      A       85.234.158.216

I'll try it and let you know!

---

Cheers,
Paul

Church, Charles wrote:
> I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
>
> Thanks in advance,
>
> Chuck
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

-- 
Paul Catchpole CCNA
Network & IT Security Engineer
Bluecat Certified Professional
www.paulcatchpole.co.uk
paul at paulcatchpole.co.uk
07939 04 08 06

From sven at darkman.de Tue Jan 26 08:06:14 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Tue, 26 Jan 2010 14:06:14 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com>
Message-ID: <4B5EE8C6.40106@darkman.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Pavel, rest,

sorry for coming back on the topic. I had now the time to play with the setup a bit more and ran into a problem: pvlans are not working well.

The config:
having a core router 6509 with a port channel on two gigE Ports (Gi3/13 and 15) configured as follows:

interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 330-349
 switchport mode trunk
 no ip address
 flowcontrol receive on
 flowcontrol send on
end

both ports have the following config:

interface GigabitEthernet3/13
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 330-349
 switchport mode trunk
 no ip address
 flowcontrol receive on
 flowcontrol send on
 no cdp enable
 channel-group 1 mode on

The PVLAN is 334,335:

interface Vlan334
 ip address xx.xx.xx.1 255.255.255.0
 ip verify unicast source reachable-via rx
 no ip redirects
 ip sticky-arp ignore
 no ip proxy-arp
 no ip mroute-cache
 private-vlan mapping 335
end

VLan config:

vlan 334
 name ISOLATOR-FOR-335
 private-vlan primary
 private-vlan association 335
end

vlan 335
 name ISOLATED-BY-334
 private-vlan isolated
end

VLAN335 has no interface, of course.

Po1 is connected to a 3560G switch, Ports 49 and 50 configured as Po1 on the Switch:

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 330-336
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
end

interface GigabitEthernet0/49
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 330-336
 switchport mode trunk
 ip arp inspection trust
 udld port
 channel-group 1 mode on
 ip dhcp snooping trust
end

(same for 50).

and the vlan config:

vlan 334
 name transport-335
 private-vlan primary
 private-vlan association 335
end

vlan 335
 name lan
 private-vlan isolated
end

And the lan port:

interface GigabitEthernet0/41
 switchport private-vlan host-association 334 335
 switchport mode private-vlan host
 switchport nonegotiate
 speed auto 10 100
 no cdp enable
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
end

It's just a small device connected to check if ping works fine so far.

Now the problem: ping from 6509:

c6509#ping ip xx.xx.xx.13 repeat 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
..!.!
Success rate is 40 percent (2/5), round-trip min/avg/max = 1/1/1 ms
c6509#ping ip xx.xx.xx.13 repeat 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
....!
Success rate is 20 percent (1/5), round-trip min/avg/max = 1/1/1 ms

This is far away from being good :(

The interesting thing: I have vlan336 on the same setup as a normal vlan, where a small dmz is located. This one works perfectly: no loss, ping is okay... So it seems to be a problem related to the pvlan itself, not to the setup, right?
I also shut one port for the channel to see if that helps, but no luck :(

I've no more ideas, besides removing the Portchannel and trying again, which would be sad...

Thanks and regards,
Sven

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkte6MUACgkQQoCguWUBzBye5gCfSslgfNCokmM2Qizd5wpoiHvE
AKEAoJZluXFPj7CpI/k8sube4R4s5des
=urBf
-----END PGP SIGNATURE-----

From pavel.skovajsa at gmail.com Tue Jan 26 09:02:12 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 26 Jan 2010 15:02:12 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <4B5EE8C6.40106@darkman.de>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com> <4B5EE8C6.40106@darkman.de>
Message-ID: <323aca891001260602j60535feayd3ef9cd4c209d952@mail.gmail.com>

Hi Sven,

I had not exactly the same but similar issues, but with a 7606 - see http://www.mail-archive.com/cisco-nsp at puck.nether.net/msg26651.html. I learned from TAC that the issue was with the fact that I used it in combination with VRFs and the traffic got incorrectly punted to the 7606 MSFC CPU, where there are hardware rate limiters (show mls rate-limit).

Anyway, try upgrading the 6509; I am sure some old SXD code has a number of bugs around this.

-pavel

On Tue, Jan 26, 2010 at 2:06 PM, Sven 'Darkman' Michels wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Pavel, rest,
>
> sorry for coming back on the topic. I had now the time to play with the setup a bit more and ran into a problem: pvlans are not working well.
>
> The config:
> having a core router 6509 with a port channel on two gigE Ports (Gi3/13 and 15) configured as follows:
> interface Port-channel1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-349
>  switchport mode trunk
>  no ip address
>  flowcontrol receive on
>  flowcontrol send on
> end
>
> both ports have the following config:
> interface GigabitEthernet3/13
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-349
>  switchport mode trunk
>  no ip address
>  flowcontrol receive on
>  flowcontrol send on
>  no cdp enable
>  channel-group 1 mode on
>
> The PVLAN is 334,335:
> interface Vlan334
>  ip address xx.xx.xx.1 255.255.255.0
>  ip verify unicast source reachable-via rx
>  no ip redirects
>  ip sticky-arp ignore
>  no ip proxy-arp
>  no ip mroute-cache
>  private-vlan mapping 335
> end
>
> VLan config:
> vlan 334
>  name ISOLATOR-FOR-335
>  private-vlan primary
>  private-vlan association 335
> end
>
> vlan 335
>  name ISOLATED-BY-334
>  private-vlan isolated
> end
>
> VLAN335 has no interface, of course.
>
> Po1 is connected to a 3560G switch, Ports 49 and 50 configured as Po1 on the Switch:
>
> interface Port-channel1
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-336
>  switchport mode trunk
>  ip arp inspection trust
>  ip dhcp snooping trust
> end
>
> interface GigabitEthernet0/49
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-336
>  switchport mode trunk
>  ip arp inspection trust
>  udld port
>  channel-group 1 mode on
>  ip dhcp snooping trust
> end
>
> (same for 50).
>
> and the vlan config:
> vlan 334
>  name transport-335
>  private-vlan primary
>  private-vlan association 335
> end
>
> vlan 335
>  name lan
>  private-vlan isolated
> end
>
> And the lan port:
> interface GigabitEthernet0/41
>  switchport private-vlan host-association 334 335
>  switchport mode private-vlan host
>  switchport nonegotiate
>  speed auto 10 100
>  no cdp enable
>  spanning-tree bpduguard enable
>  ip dhcp snooping limit rate 10
> end
>
> It's just a small device connected to check if ping works fine so far.
>
> Now the problem: ping from 6509:
>
> c6509#ping ip xx.xx.xx.13 repeat 5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
> ..!.!
> Success rate is 40 percent (2/5), round-trip min/avg/max = 1/1/1 ms
> c6509#ping ip xx.xx.xx.13 repeat 5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
> ....!
> Success rate is 20 percent (1/5), round-trip min/avg/max = 1/1/1 ms
>
> This is far away from being good :(
>
> The interesting thing: I have vlan336 on the same setup as a normal vlan, where a small dmz is located. This one works perfectly: no loss, ping is okay... So it seems to be a problem related to the pvlan itself, not to the setup, right?
> I also shut one port for the channel to see if that helps, but no luck :(
>
> I've no more ideas, besides removing the Portchannel and trying again, which would be sad...
>
> Thanks and regards,
> Sven
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkte6MUACgkQQoCguWUBzBye5gCfSslgfNCokmM2Qizd5wpoiHvE
> AKEAoJZluXFPj7CpI/k8sube4R4s5des
> =urBf
> -----END PGP SIGNATURE-----
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From sven at darkman.de Tue Jan 26 09:15:26 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Tue, 26 Jan 2010 15:15:26 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <323aca891001260602j60535feayd3ef9cd4c209d952@mail.gmail.com>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com> <4B5EE8C6.40106@darkman.de> <323aca891001260602j60535feayd3ef9cd4c209d952@mail.gmail.com>
Message-ID: <4B5EF8FE.5080300@darkman.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Pavel,

Pavel Skovajsa schrieb:
> Hi Sven,
>
> I had not exactly the same but similar issues but with 7606 - see http://www.mail-archive.com/cisco-nsp at puck.nether.net/msg26651.html. I learned from TAC that the issue was with the fact that I used it in combination with VRFs and the traffic got incorrectly punted into 7606 MSFC CPU where there are hardware rate limiters (show mls rate-limit).

But since I don't use VRFs, this might be something similar?

I checked the rate limit, but I'm not familiar with the output... maybe you can see something:

#show mls rate-limit
 Sharing Codes: S - static, D - dynamic
 Codes dynamic sharing: H - owner (head) of the group, g - guest of the group

   Rate Limiter Type       Status     Packets/s   Burst  Sharing
  ---------------------   ----------   ---------   -----  -------
          MCAST NON RPF   Off                  -       -     -
         MCAST DFLT ADJ   On              100000     100  Not sharing
       MCAST DIRECT CON   Off                  -       -     -
         ACL BRIDGED IN   Off                  -       -     -
        ACL BRIDGED OUT   Off                  -       -     -
            IP FEATURES   Off                  -       -     -
           ACL VACL LOG   On                2000       1  Not sharing
            CEF RECEIVE   Off                  -       -     -
              CEF GLEAN   Off                  -       -     -
       MCAST PARTIAL SC   On              100000     100  Not sharing
         IP RPF FAILURE   On                 100      10  Group:0 S
            TTL FAILURE   Off                  -       -     -
  ICMP UNREAC. NO-ROUTE   On                 100      10  Group:0 S
  ICMP UNREAC. ACL-DROP   On                 100      10  Group:0 S
          ICMP REDIRECT   Off                  -       -     -
            MTU FAILURE   Off                  -       -     -
        MCAST IP OPTION   Off                  -       -     -
        UCAST IP OPTION   Off                  -       -     -
            LAYER_2 PDU   Off                  -       -     -
             LAYER_2 PT   Off                  -       -     -
        LAYER_2 PORTSEC   Off                  -       -     -
              IP ERRORS   On                 100      10  Group:0 S
            CAPTURE PKT   Off                  -       -     -
             MCAST IGMP   Off                  -       -     -
  MCAST IPv6 DIRECT CON   Off                  -       -     -
  MCAST IPv6 ROUTE CNTL   Off                  -       -     -
  MCAST IPv6 *G M BRIDG   Off                  -       -     -
   MCAST IPv6 SG BRIDGE   Off                  -       -     -
   MCAST IPv6 DFLT DROP   Off                  -       -     -
  MCAST IPv6 SECOND. DR   Off                  -       -     -
   MCAST IPv6 *G BRIDGE   Off                  -       -     -
         MCAST IPv6 MLD   Off                  -       -     -
   IP ADMIS. ON L2 PORT   Off                  -       -     -

> Anyway, try upgrading the 6509 I am sure some old SXD code has number of bugs around this.

By upgrading you mean a newer software release, I hope? ;)

Thanks again!

Regards,
Sven

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkte+P4ACgkQQoCguWUBzBxVwACdF8AE7fZcd/pWnTEylqhrOPAZ
TLEAnAx1xOXWx5hS4akjsWKAj6OktlMO
=o1at
-----END PGP SIGNATURE-----

From scott at labyrinth.org Tue Jan 26 09:33:07 2010
From: scott at labyrinth.org (Scott Keoseyan)
Date: Tue, 26 Jan 2010 09:33:07 -0500
Subject: [c-nsp] Self rebooting pix?
In-Reply-To: <1264470932.5442.8.camel@X61.NetworkingUnlimited.nul>
References: <002401ca9e15$53269620$2608120a@am.thmulti.com> <1264470932.5442.8.camel@X61.NetworkingUnlimited.nul>
Message-ID: <1819DE9B-3BB5-40E0-A75C-11289461E5F9@labyrinth.org>

I have experienced this exact same issue as well. I was told by my SE that it had to do with the way the input was connected to the rest of the unit.

Scott

On Jan 25, 2010, at 8:55 PM, Vincent C Jones wrote:

> Another possibility, given that it is a PIX501, is a loose power connection. Some of the older PIX 501s were so sensitive it seemed they would power cycle if you so much as looked at them. Moving the box, or even bumping into the desk they were on, could reboot them. Crazy, because otherwise they are solid and will run for years with no issues.
>
> Good luck and good hunting!
> -- 
> Vincent C. Jones
> Networking Unlimited, Inc.
> Phone: +1 201 568-7810
> V.Jones at NetworkingUnlimited.com
>
> On Mon, 2010-01-25 at 18:46 -0500, Jason Gurtz wrote:
>>> After each drop this counter returns to 0 which tells me the Pix is rebooting for some reason.
>> [...]
>>> experienced this. The software rev is 6.3.
>>
>> We experienced this on a 515E running 6.3 code. A move to the 7.0 series solved this issue.
>>
>> I can't remember what exactly we saw using console but IIRC was something like runaway memory use.
>>
>> ~JasonG
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Scott Keoseyan
scott at labyrinth.org
704-443-8229
Homepage - http://www.labyrinth.org/homepages/scott
Blog - http://www.labyrinth.org/wp1
PGP Key - http://www.labyrinth.org/homepages/scott/pgp.html

From pavel.skovajsa at gmail.com Tue Jan 26 09:40:02 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 26 Jan 2010 15:40:02 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <4B5EF8FE.5080300@darkman.de>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com> <4B5EE8C6.40106@darkman.de> <323aca891001260602j60535feayd3ef9cd4c209d952@mail.gmail.com> <4B5EF8FE.5080300@darkman.de>
Message-ID: <323aca891001260640g37139135re5127fed02f9064a@mail.gmail.com>

On Tue, Jan 26, 2010 at 3:15 PM, Sven 'Darkman' Michels wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Pavel,
>
> Pavel Skovajsa schrieb:
>> Hi Sven,
>>
>> I had not exactly the same but similar issues but with 7606 - see http://www.mail-archive.com/cisco-nsp at puck.nether.net/msg26651.html. I learned from TAC that the issue was with the fact that I used it in combination with VRFs and the traffic got incorrectly punted into 7606 MSFC CPU where there are hardware rate limiters (show mls rate-limit).
>
> But since I don't use VRFs, this might be something similar?
>
> I checked the rate limit, but I'm not familiar with the output... maybe you can see something:
> #show mls rate-limit
>  Sharing Codes: S - static, D - dynamic
>  Codes dynamic sharing: H - owner (head) of the group, g - guest of the group
>
>    Rate Limiter Type       Status     Packets/s   Burst  Sharing
>   ---------------------   ----------   ---------   -----  -------
>           MCAST NON RPF   Off                  -       -     -
>          MCAST DFLT ADJ   On              100000     100  Not sharing
>        MCAST DIRECT CON   Off                  -       -     -
>          ACL BRIDGED IN   Off                  -       -     -
>         ACL BRIDGED OUT   Off                  -       -     -
>             IP FEATURES   Off                  -       -     -
>            ACL VACL LOG   On                2000       1  Not sharing
>             CEF RECEIVE   Off                  -       -     -
>               CEF GLEAN   Off                  -       -     -
>        MCAST PARTIAL SC   On              100000     100  Not sharing
>          IP RPF FAILURE   On                 100      10  Group:0 S
>             TTL FAILURE   Off                  -       -     -
>   ICMP UNREAC. NO-ROUTE   On                 100      10  Group:0 S
>   ICMP UNREAC. ACL-DROP   On                 100      10  Group:0 S
>           ICMP REDIRECT   Off                  -       -     -
>             MTU FAILURE   Off                  -       -     -
>         MCAST IP OPTION   Off                  -       -     -
>         UCAST IP OPTION   Off                  -       -     -
>             LAYER_2 PDU   Off                  -       -     -
>              LAYER_2 PT   Off                  -       -     -
>         LAYER_2 PORTSEC   Off                  -       -     -
>               IP ERRORS   On                 100      10  Group:0 S
>             CAPTURE PKT   Off                  -       -     -
>              MCAST IGMP   Off                  -       -     -
>   MCAST IPv6 DIRECT CON   Off                  -       -     -
>   MCAST IPv6 ROUTE CNTL   Off                  -       -     -
>   MCAST IPv6 *G M BRIDG   Off                  -       -     -
>    MCAST IPv6 SG BRIDGE   Off                  -       -     -
>    MCAST IPv6 DFLT DROP   Off                  -       -     -
>   MCAST IPv6 SECOND. DR   Off                  -       -     -
>    MCAST IPv6 *G BRIDGE   Off                  -       -     -
>          MCAST IPv6 MLD   Off                  -       -     -
>    IP ADMIS. ON L2 PORT   Off                  -       -     -
>

Actually the correct command is "show mls rate-limit usage". The easiest way to find out whether this is something connected to a CPU punt is to configure "no mls rate-limit unicast ip icmp unreachable no-route"; however, this may have some impact on a production device if you have any situation where traffic matches a no-route situation in hardware and gets punted to the CPU, overwhelming it......

As another idea you can try to "localize" the issue to the 6509 only, simply by taking a free port on the 6509 and testing a PVLAN end-user port on that one.

>
>> Anyway, try upgrading the 6509 I am sure some old SXD code has number of bugs around this.
>
> By upgrading you mean a newer software release, I hope? ;)

Exactly....

....also forgot to mention that for PVLANs to work you need to use golden RJ45 connectors :) ... joking

-pavel

>
> Thanks again!
>
> Regards,
> Sven
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkte+P4ACgkQQoCguWUBzBxVwACdF8AE7fZcd/pWnTEylqhrOPAZ
> TLEAnAx1xOXWx5hS4akjsWKAj6OktlMO
> =o1at
> -----END PGP SIGNATURE-----
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From denaccie at gmail.com Tue Jan 26 10:06:24 2010
From: denaccie at gmail.com (My Name)
Date: Tue, 26 Jan 2010 10:06:24 -0500
Subject: [c-nsp] SDR
Message-ID:

Is anyone running SDR on the CRS platform? Are there any issues?
One area that I am unclear on is the linecard requirements. Documentation states that an additional DRP or DRP pair must be utilized, so does that mean you require at least one DRP for overall chassis management and an additional DRP for each SDR?

So for example, assuming you are not deploying redundant DRPs and you want to configure 2 SDRs, then you would need 3 total DRPs?

thanx,

mike

From Charles.Church at harris.com Tue Jan 26 10:09:12 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Tue, 26 Jan 2010 10:09:12 -0500
Subject: [c-nsp] 802.1X on WS-X4448-GB-SFP
Message-ID: <290EF89F13F04F4E924BB235A46D18F108C66B8B1F@MLBMXUS2.cs.myharris.net>

Anyone know if 802.1x is supported on this line card? Not finding the answer on Cisco's web site or anywhere else. My Sup's gig port looks like this:

PSRB-U01-AS-01#sh int g1/1 cap
GigabitEthernet1/1
  Model:                 WS-X4515-Gbic
  Type:                  1000BaseSX
  ................
  Dot1x:                 yes      <---------------*****************************
  Maximum MTU:           9198 bytes (Jumbo Frames)
  Multiple Media Types:  no
  Diagnostic Monitoring: N/A
  Queuing:               rx-(N/A), tx-(1p3q1t, Sharing/Shaping)

But I can't find definitively if that SFP module supports it.

Thanks in advance,

Chuck Church
Network Planning Engineer, CCIE #8776
Southcom
Harris IT Services
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 864-266-3978
E-mail: charles.church at harris.com
Southcom E-mail: charles.church.ctr at hq.southcom.mil

From dudepron at gmail.com Tue Jan 26 10:28:08 2010
From: dudepron at gmail.com (Aaron)
Date: Tue, 26 Jan 2010 10:28:08 -0500
Subject: [c-nsp] SDR
In-Reply-To:
References:
Message-ID: <480dad641001260728j7353b715mbc4df612dc4af1d1@mail.gmail.com>

You need 1. The second DRP would be standby if so desired. In your example you should be able to get away with 2. Your RPs still handle overall system management.

Aaron

On Tue, Jan 26, 2010 at 10:06, My Name wrote:
> Is anyone running SDR on the CRS platform? Are there any issues?
> One area that I am unclear on is the linecard requirements. Documentation
> states that an additional DRP or DRP pair must be utilized, so does that
> mean you require at least one DRP for overall chassis management and an
> additional DRP for each SDR?
>
> So for example, assuming you are not deploying redundant DRPs and you want
> to configure 2 SDRs, then you would need 3 total DRPs?
>
> thanx,
>
> mike

From SPfister at dps.k12.oh.us Tue Jan 26 11:34:35 2010
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 26 Jan 2010 11:34:35 -0500
Subject: [c-nsp] Limits on dynamically learned MAC addresses per vlan
Message-ID: <4B5ED34A.9E6F.00B8.0@dps.k12.oh.us>

I'm trying to troubleshoot connectivity problems between a virtual server at a central site and PCs in the same vlan at a remote site. At the central site are several VMWare servers connected to a 3560 switch. The PCs at the remote site need to reach this virtual server, and while most do, some have trouble seeing it.

A common thread seems to be whether the 3560 has been able to learn the MAC address of the PC. If it hasn't, we can put in a static address and everything is OK.

I'm wondering... is there a limit to the number of dynamic MAC addresses that a switch like the 3560 can learn? If so, can that limit be changed, and is the situation the same for static addresses? Also, is the limit of total MAC addresses for the switch fixed, or can that be changed?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From p.mayers at imperial.ac.uk Tue Jan 26 11:59:23 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 26 Jan 2010 16:59:23 +0000
Subject: [c-nsp] Limits on dynamically learned MAC addresses per vlan
In-Reply-To: <4B5ED34A.9E6F.00B8.0@dps.k12.oh.us>
References: <4B5ED34A.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <4B5F1F6B.7010401@imperial.ac.uk>

On 26/01/10 16:34, Steven Pfister wrote:
> I'm trying to troubleshoot connectivity problems between a virtual
> server at a central site and PCs in the same vlan at a remote site.
> At the central site is several VMWare servers connected to a 3560
> switch. The PCs at the remote site need to reach this virtual server,
> and while most do, some have trouble seeing it.
>
> A common thread seems to be whether the 3560 has been able to learn
> the MAC address of the PC. If it hasn't, we can put in a static
> address and everything is OK.
>
> I'm wondering... is there a limit to the number of dynamic MAC

Yes. Obviously all devices have a hard limit based on RAM or hardware CAM size. Your actual limit may be lower than the theoretical max - see below.

> addresses that a switch like the 3560 can learn? If so, can that
> limit be changed, and is the situation the same for static

Maybe

> addresses?

Maybe.

I've not used the 3560, but on 3550 and 3750 there is a concept of a thing called an "SDM" template, which partitions the hardware resources into certain sized buckets depending on the use of the switch. e.g. one of ours says:

rt1#sh sdm prefer
The current template is "aggregate IPv4 and IPv6 default" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  2K
  number of IPv4 IGMP groups + multicast routes:    1K

I'm not sure how static MAC entries are handled, but I'm willing to bet they'll take precedence over dynamic ones, so adding a static might "push" someone else out.

Other templates have numbers like:

rt1#sh sdm prefer access
"aggregator access IPv4" template:
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K

...or:

rt1#sh sdm prefer vlan
"aggregate vlan" template:
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  12K

What does:

sh mac address-table count

...say?

If your device does need the SDM template changing, it will need a reboot to take effect I'm afraid.

From jasonleblanc at gmail.com Tue Jan 26 16:19:40 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Tue, 26 Jan 2010 14:19:40 -0700
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
Message-ID: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com>

Team,

This question was put out there before in another chain but I wasn't able to figure out the best solution. We have multiple campuses connecting to an MPLS VPN cloud running BGP internally. At some locations we have backup ISP services and an IPSec VPN tunnel over that. Currently BGP provides a default route to each campus as external BGP / Pref 40 / Metric 0. Our backup IPSec is in as a Static / Pref 20 / Metric 32000. When we lose BGP/MPLS VPN we want the IPSec tunnel to begin routing traffic between the campus and our main datacenter. What is the best way to achieve this?
Thanks,

//LeBlanc

From SPfister at dps.k12.oh.us Tue Jan 26 16:21:54 2010
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 26 Jan 2010 16:21:54 -0500
Subject: [c-nsp] Limits on dynamically learned MAC addresses per vlan
In-Reply-To: <4B5F1F6B.7010401@imperial.ac.uk>
References: <4B5ED34A.9E6F.00B8.0@dps.k12.oh.us> <4B5F1F6B.7010401@imperial.ac.uk>
Message-ID: <4B5F16A1.9E6F.00B8.0@dps.k12.oh.us>

Just wanted to follow up with some more details on this network set up...

[remote side 4500] ----> (CSME) ----> [central side 4500] ----> (ATM) ----> [central side 8540] ----> [vmware 3560] ----> [vmware server]

The remote side has a vlan, let's call it 321, and the vmware server has a virtual machine set up for vlan 321. Most remote machines find the vmware server, and some find it one minute and not the next. The remote side has about 330 MAC addresses in the vlan in question. The central side 4500 never seems to learn more than about 200 or so. I'm assuming that the central side 4500 learns mac addresses from the remote side, and passes it through the 8540 (configured for IRB) to the 3560. None of the central side devices seem to learn much more than 200 of the MAC addresses and I'm not sure where that limitation would be.

Does anyone have any idea what's going on here?

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us
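The two checks Phil suggests above (the unicast MAC figure from "show sdm prefer" and the counts from "show mac address-table count"), done from the captured output rather than by eye, as an added example that is not part of the thread and not code from any of the posters. The two outputs are constructed samples in the usual IOS layout, with VLAN 321 and its counts invented to match the roughly 200 entries Steve reports; the regexes assume that layout, and the K/M suffix is assumed to mean 1024 entries.

```python
import re
from typing import Dict

# Constructed sample output in the usual IOS layout (not a capture from the
# poster's switches); VLAN 321 and its counts are invented for the example.
SDM_PREFER_SAMPLE = """\
The current template is "aggregate IPv4 and IPv6 default" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  2K
  number of IPv4 IGMP groups + multicast routes:    1K
"""

MAC_COUNT_SAMPLE = """\
Mac Entries for Vlan 321:
---------------------------
Dynamic Address Count  : 198
Static  Address Count  : 3
Total Mac Addresses    : 201

Total Mac Address Space Available: 1847
"""

# Assumption: the K/M suffixes in 'show sdm prefer' are binary multiples.
_UNIT = {"": 1, "K": 1024, "M": 1024 * 1024}


def parse_sdm_mac_capacity(show_sdm_prefer: str) -> int:
    """Unicast MAC capacity, in entries, from 'show sdm prefer' output."""
    m = re.search(r"number of unicast mac addresses:\s*(\d+)\s*([KkMm]?)", show_sdm_prefer)
    if not m:
        raise ValueError("no 'number of unicast mac addresses' line in input")
    return int(m.group(1)) * _UNIT[m.group(2).upper()]


def parse_mac_count(show_mac_count: str) -> Dict[str, int]:
    """Dynamic, static, total and free entry counts from 'show mac address-table count'."""
    patterns = {
        "dynamic": r"Dynamic\s+Address\s+Count\s*:\s*(\d+)",
        "static": r"Static\s+Address\s+Count\s*:\s*(\d+)",
        "total": r"Total\s+Mac\s+Addresses\s*:\s*(\d+)",
        "free": r"Total\s+Mac\s+Address\s+Space\s+Available\s*:\s*(\d+)",
    }
    counts = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, show_mac_count)
        if not m:
            raise ValueError(f"no '{name}' line in input")
        counts[name] = int(m.group(1))
    return counts


def assess(show_sdm_prefer: str, show_mac_count: str, warn_ratio: float = 0.9) -> Dict[str, object]:
    """Compare table usage with template capacity and flag when learning is about to stop."""
    capacity = parse_sdm_mac_capacity(show_sdm_prefer)
    counts = parse_mac_count(show_mac_count)
    used = counts["total"]
    return {
        "capacity": capacity,
        "used": used,
        "free": counts["free"],
        "utilisation": used / capacity,
        "near_limit": used >= warn_ratio * capacity,
        # If the switch's own 'space available' figure does not equal
        # capacity - used, the template number is not what the hardware enforces.
        "consistent": counts["free"] == capacity - used,
    }


if __name__ == "__main__":
    report = assess(SDM_PREFER_SAMPLE, MAC_COUNT_SAMPLE)
    print(f"{report['used']} of {report['capacity']} unicast MAC entries in use "
          f"({report['utilisation']:.1%}), near limit: {report['near_limit']}, "
          f"figures consistent: {report['consistent']}")
```

On the constructed sample the table sits at about 10% of the 2K template, so a switch in that state is not refusing to learn because its CAM is full; a result like that points the search away from the SDM template and towards something else in the path between the sites.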
From mike-cisconsplist at tiedyenetworks.com Tue Jan 26 16:57:01 2010
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Tue, 26 Jan 2010 13:57:01 -0800
Subject: [c-nsp] Limits on dynamically learned MAC addresses per vlan
In-Reply-To: <4B5F16A1.9E6F.00B8.0@dps.k12.oh.us>
References: <4B5ED34A.9E6F.00B8.0@dps.k12.oh.us> <4B5F1F6B.7010401@imperial.ac.uk> <4B5F16A1.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <4B5F652D.5090406@tiedyenetworks.com>

Steven Pfister wrote:
> Just wanted to follow up with some more details on this network set up...
>
> [remote side 4500] ----> (CSME) ----> [central side 4500] ----> (ATM) ----> [central side 8540] ----> [vmware 3560] ----> [vmware server]
>

Steve, is that CSME link the managed ethernet product from ATT? If so, you may be hitting a limitation in that product where it only allows a set number of mac addresses. You said 'seems to be 200' as the number you can observe, and that sounds in line with what I know about it. If so, you can confirm with your ATT account rep and either buy more mac address allocations, or (how it was intended to be used), establish your own l2vpn between the sites and eliminate the restriction entirely. Please report to the list if any of this is/is not helpful.

Thanks.

Mike-

From luan at netcraftsmen.net Tue Jan 26 18:44:29 2010
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Tue, 26 Jan 2010 18:44:29 -0500
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
In-Reply-To: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com>
References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com>
Message-ID: <001c01ca9ee1$80d19710$8274c530$@net>

What's the topology? One CPE terminating MPLS and IPSEC tunnel? If this is the case, then if at one site MPLS goes down, it starts to use the IPSEC tunnel; when packets get to the other side, the default route to MPLS VPN is still there so packets will get routed back into the MPLS cloud. You need more specific routes advertised so that when MPLS is lost, it will withdraw the route and IPSEC will kick in. Just a default won't work unless you'll be doing some creative conditional advertising in the BGP or some fancy EEM scripting...or maybe using ip sla to withdraw route...which might be a little more complicated than need be.

Even with specific routes, you still have lots of decisions to make like whether to switch everything to use IPSEC tunnels once just ONE MPLS connection goes down or only that site. Then you have to make sure not running into asymmetric routing...etc.

With GNS3/Dynagen, you could probably test this whole thing out on your laptop.

---------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
---------------------------------------

From jasonleblanc at gmail.com Tue Jan 26 19:47:31 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Tue, 26 Jan 2010 17:47:31 -0700
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
In-Reply-To: <001c01ca9ee1$80d19710$8274c530$@net>
References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com> <001c01ca9ee1$80d19710$8274c530$@net>
Message-ID:

Current topology is pretty simple. AT&T drops an MPLS circuit, either PPP Multilink Bundled T1's or an Ethernet hand off. On another interface we generally have an ethernet hand off from another ISP. We run BGP to move all the traffic around on one 172.x.x.x/30's and then our LAN is on 10.x.x.x. We have an outside IP address on another ethernet port which is the IPSEC termination point. BGP from our main campus injects a default route which we receive. Currently we just manually added static 0.0.0.0 routes out the tunnel interfaces with a metric of 32000. So when BGP drops off we will route over the IPSEC VPN Tunnel back home.

Headquarters 172.1.1.1/30 --> ATTMPLS 172.1.1.2/30 --> ATTMPLS 172.2.2.1/30 --> Remote Campus 172.2.2.2/30 (running BGP) --> 10.1.1.1/24

ISP-X Ethernet 200.1.1.1/30 --> Remote Campus 200.1.1.2/30 --> IPSEC VPN Tunnel.1 10.1.1.20/24 --> Headquarters Tunnel.1 10.1.1.21/24

BGP Provides default route
Static 0.0.0.0 0.0.0.0 Tunnel.1 Metric 32000

It is my assumption that if the traffic can't get to its destination because BGP has lost it, our backup link, the IPSEC VPN with the higher metric, will become the new default route.
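Luan's return-path point, worked through in a toy routing table as an added example that is not part of the thread and not anyone's production configuration. It models route selection the way IOS does it (longest prefix match, then lowest administrative distance) and runs the four combinations of "MPLS up or down" and "HQ does or does not learn the remote LAN across the tunnel". The 10.0.0.0/24 and 10.1.1.0/24 LANs, the egress labels "mpls" and "Tunnel1", and the distances (eBGP 20, a tunnel-learned route at 200, floating static at 250) are assumptions for the example, not the poster's addressing or preference values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing for this example (assumed, not the poster's network).
HQ_LAN = "10.0.0.0/24"
REMOTE_LAN = "10.1.1.0/24"
HQ_HOST = "10.0.0.10"
REMOTE_HOST = "10.1.1.10"

# Administrative distances assumed here: IOS defaults for eBGP and a common
# floating-static value; the route learned across the tunnel is given 200 so
# that, while MPLS is up, the BGP path still wins.
AD_EBGP = 20
AD_TUNNEL_PROTO = 200
AD_FLOATING_STATIC = 250


@dataclass(frozen=True)
class Route:
    prefix: str    # destination, e.g. "0.0.0.0/0"
    egress: str    # label for where traffic leaves: "mpls", "Tunnel1", "lan"
    distance: int  # administrative distance; lower wins between equal prefixes
    source: str    # protocol that installed it: "bgp", "static", "tunnel", "connected"


class Rib:
    """Toy routing table: longest prefix match, then lowest administrative distance."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def withdraw(self, source: str, prefix: Optional[str] = None) -> None:
        """Remove routes from one source; with a prefix, only that one (a BGP withdraw)."""
        self.routes = [r for r in self.routes
                       if not (r.source == source and (prefix is None or r.prefix == prefix))]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        if not candidates:
            return None
        best = max(candidates,
                   key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))
        return best.egress


def build_remote() -> Rib:
    rib = Rib()
    rib.add(Route(REMOTE_LAN, "lan", 0, "connected"))
    rib.add(Route("0.0.0.0/0", "mpls", AD_EBGP, "bgp"))                   # default from HQ via the VPN
    rib.add(Route("0.0.0.0/0", "Tunnel1", AD_FLOATING_STATIC, "static"))  # floating static over IPsec
    return rib


def build_hq() -> Rib:
    rib = Rib()
    rib.add(Route(HQ_LAN, "lan", 0, "connected"))
    rib.add(Route("0.0.0.0/0", "mpls", AD_EBGP, "bgp"))   # HQ's own default into the cloud
    rib.add(Route(REMOTE_LAN, "mpls", AD_EBGP, "bgp"))    # remote LAN as advertised through the VPN
    return rib


def simulate(mpls_up: bool, specific_over_tunnel: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (remote->HQ egress, HQ->remote egress) for one scenario.

    specific_over_tunnel models a routing protocol across the IPsec tunnel
    (eBGP or an IGP) that tells HQ the remote LAN is reachable via Tunnel1.
    """
    remote, hq = build_remote(), build_hq()
    if specific_over_tunnel:
        hq.add(Route(REMOTE_LAN, "Tunnel1", AD_TUNNEL_PROTO, "tunnel"))
    if not mpls_up:
        remote.withdraw("bgp")                  # remote's eBGP session to the PE drops
        hq.withdraw("bgp", prefix=REMOTE_LAN)   # provider withdraws that LAN at HQ; HQ default stays
    return remote.lookup(HQ_HOST), hq.lookup(REMOTE_HOST)


def is_symmetric(paths: Tuple[Optional[str], Optional[str]]) -> bool:
    """True when both directions use the same link, i.e. no blackholed return path."""
    return paths[0] == paths[1]


if __name__ == "__main__":
    for mpls_up in (True, False):
        for specific in (False, True):
            paths = simulate(mpls_up, specific)
            verdict = "ok" if is_symmetric(paths) else "ASYMMETRIC: HQ sends return traffic into the dead MPLS path"
            print(f"mpls_up={mpls_up!s:5} specific_over_tunnel={specific!s:5} "
                  f"remote->HQ via {paths[0]:8} HQ->remote via {paths[1]:8} {verdict}")
```

The floating static does exactly what Jason expects at the remote end: once the BGP default is withdrawn the tunnel default takes over. What it cannot do is change HQ's table, so with only a default there, HQ keeps sending the remote LAN into the MPLS cloud until something (a BGP or IGP session across the tunnel, as the later replies suggest) installs the more specific prefix via Tunnel1. Giving that route a worse distance than the BGP-learned one keeps MPLS preferred while it is up.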
From luan at netcraftsmen.net Tue Jan 26 22:14:43 2010
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Tue, 26 Jan 2010 22:14:43 -0500
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
In-Reply-To:
References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com> <001c01ca9ee1$80d19710$8274c530$@net>
Message-ID: <002601ca9efe$df2005a0$9d6010e0$@net>

At the remote site, yes, if MPLS goes down, the default route over the IPSEC tunnel will kick in. But at HQ, does it know how to get back to the remote site? Does it also have a default route out of MPLS or does it have specific subnets from all remotes? What then if HQ goes down? Remotes only have a default route out of MPLS so they will continue to look for the way home that way.

Back when I was at VzB managed services, it's EIGRP over the DMVPN/IPSEC tunnel backing up BGP MPLS. Too bad I didn't use Dynagen, else I would just shoot over to you my dot net file.

-------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[AIM/YIM/GTalk] luancnc
-------------------------------------

From andrew.gabriel at sanmina-sci.com Tue Jan 26 23:14:45 2010
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel)
Date: Wed, 27 Jan 2010 09:44:45 +0530
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
In-Reply-To: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com>
References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com>
Message-ID:

What devices do the VPN tunnels terminate on? If they are Cisco routers, it should be pretty straightforward to run BGP between the VPN endpoints as well. You can use AS padding and local preference for manipulating the preferred path for the incoming and outgoing traffic respectively.

Regards,
Andrew Gabriel.

From ivan.pepelnjak at zaplana.net Wed Jan 27 01:53:50 2010
From: ivan.pepelnjak at zaplana.net (Ivan Pepelnjak)
Date: Wed, 27 Jan 2010 07:53:50 +0100
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
In-Reply-To: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com>
References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com>
Message-ID: <000001ca9f1d$7c21fa70$7465ef50$@pepelnjak@zaplana.net>

* Configure EBGP sessions over IPSec between remote sites and central site.
* On remote sites use EEM to detect MPLS VPN EBGP neighbor loss (either default route is gone or you might rely on SNMP traps)
* When the MPLS VPN EBGP neighbor is down, enable IPSec tunnel. Only then will the EBGP session be established and you'll get more specific routes over IPSec.
This will ensure that the IPSec tunnel on remote sites is operational only when the connectivity with the MPLS VPN cloud is gone, and so the central site uses the default route into the MPLS VPN cloud unless it has a more specific one over IPSec due to failure at one of the remote sites.

Note: You might want to use something else to detect MPLS VPN failure, for example IP SLA between remote router and central router. This will detect a failure anywhere in the end-to-end path.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

From gert at greenie.muc.de Wed Jan 27 05:24:51 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 27 Jan 2010 11:24:51 +0100
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
In-Reply-To: <002601ca9efe$df2005a0$9d6010e0$@net>
References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com> <001c01ca9ee1$80d19710$8274c530$@net> <002601ca9efe$df2005a0$9d6010e0$@net>
Message-ID: <20100127102451.GM857@greenie.muc.de>

Hi,

On Tue, Jan 26, 2010 at 10:14:43PM -0500, Luan Nguyen wrote:
> Back when I was at VzB managed services, it's EIGRP over the DMVPN/IPSEC
> tunnel backing up BGP MPLS.

Something along that line would be my suggestion as well. Run an IGP over the IPSEC tunnels (GRE-in-IPSEC, routing protocol on that) and also on the MPLS links (as you can't reliably see whether an ethernet link is "down" without some sort of protocol hello). Set metrics so that MPLS links will be preferred, while available.

Done.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Jan 27 05:27:26 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 27 Jan 2010 11:27:26 +0100
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
In-Reply-To: <000001ca9f1d$7c21fa70$7465ef50$@pepelnjak@zaplana.net>
References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com> <000001ca9f1d$7c21fa70$7465ef50$@pepelnjak@zaplana.net>
Message-ID: <20100127102726.GN857@greenie.muc.de>

Hi,

On Wed, Jan 27, 2010 at 07:53:50AM +0100, Ivan Pepelnjak wrote:
> * Configure EBGP sessions over IPSec between remote sites and central site.
> * On remote sites use EEM to detect MPLS VPN EBGP neighbor loss (either default route is gone or you might rely on SNMP traps) > * When the MPLS VPN EBGP neighbor is down, enable IPSec tunnel. Only then will the EBGP session be established and you'll get more specific routes over IPSec. > This will ensure that the IPSec tunnel on remote sites is operational only when the connectivity with the MPLS VPN cloud is gone and so the central site uses default route into MPLS VPN cloud unless it has a more specific one over IPSec due to failure at one of the remote sites. The drawback of this is that you are not going to notice if the IPSEC tunnel is broken unless you need it, in which case it's too late. This is why I suggested to make this much more simple - treat all links, IPSEC and MPLS, as "AS internal" links, run an IGP over them, and let protocols handle end-to-end keepalive and failover that are built to do this. One can do this with BGP, of course, but it tends to be less convenient/helpful in these scenarios. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From atif.jauhar at gmail.com Wed Jan 27 07:24:06 2010 From: atif.jauhar at gmail.com (Muhammad Atif Jauahar) Date: Wed, 27 Jan 2010 17:24:06 +0500 Subject: [c-nsp] Cisco ACS Authorization per device Message-ID: <6a51198a1001270424r48660e41s2ae9a06ce4c887af@mail.gmail.com> Hi, I want to authorized user in Cisco ACS per network devices added in Cisco ACS 4.2. My theme is to give full access on device-1 and read-only access on device-2 to same user. Kindly guide me to do this. Regards, Atif. 
-- Regards, Muhammad Atif Jauhar (+92-33-3346-0000) From wim.holemans at ua.ac.be Wed Jan 27 09:01:45 2010 From: wim.holemans at ua.ac.be (Holemans Wim) Date: Wed, 27 Jan 2010 15:01:45 +0100 Subject: [c-nsp] best ios version for VSS Message-ID: We have a VSS running, L2 only for the moment. We plan to enable L3 (static routing only for the moment) next week (along with a FWSM board in each chassis). We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for the moment (I know this version has too much features for what we need for the moment) The problems we had with this version until now : - One of the supervisors rebooted spontaneously leaving no traces on why it restarted - ISSU (I don't remember what the version was we started the upgrade) didn't work, so I had to boot both chassis manually, giving a much higher downtime than expected - The activation of the first FWSM (inserted with power down for that specific module, followed by power up of the module), caused a crash and reboot of the supervisor of the chassis in with the FWSM was inserted. So anyone has comments on to which version we eventually should upgrade to before going to L3 ? (downtime will have a much larger impact from that moment on). I found on the cisco website there is a version 12.2.33-SXH6(ED) and a version 12.2.33-SXI3(ED) available. Greetings, Wim Holemans Network Services University of Antwerp From jshearer at amedisys.com Wed Jan 27 09:53:03 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Wed, 27 Jan 2010 08:53:03 -0600 Subject: [c-nsp] best ios version for VSS In-Reply-To: References: Message-ID: I am running three VSSs on 's72033-advipservicesk9_wan-vz.122-33.SXI.bin' with an ACE and a FWSM. 
'Time since CORP-CORE01 switched to active is 1 year, 9 weeks, 5 days, 19 hours, 46 minutes'

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim
Sent: Wednesday, January 27, 2010 8:02 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] best ios version for VSS

We have a VSS running, L2 only for the moment. We plan to enable L3 (static routing only for the moment) next week (along with a FWSM board in each chassis).

We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for the moment (I know this version has too many features for what we need for the moment).

The problems we had with this version until now:

- One of the supervisors rebooted spontaneously, leaving no traces on why it restarted.
- ISSU (I don't remember what version we started the upgrade from) didn't work, so I had to boot both chassis manually, giving a much higher downtime than expected.
- The activation of the first FWSM (inserted with power down for that specific module, followed by power up of the module) caused a crash and reboot of the supervisor of the chassis in which the FWSM was inserted.

So does anyone have comments on which version we eventually should upgrade to before going to L3? (Downtime will have a much larger impact from that moment on.)

I found on the Cisco website there is a version 12.2.33-SXH6(ED) and a version 12.2.33-SXI3(ED) available.

Greetings,

Wim Holemans
Network Services
University of Antwerp

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From SPfister at dps.k12.oh.us Wed Jan 27 10:02:09 2010
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Wed, 27 Jan 2010 10:02:09 -0500
Subject: [c-nsp] Limits on dynamically learned MAC addresses per vlan
In-Reply-To: <4B5F652D.5090406@tiedyenetworks.com>
References: <4B5ED34A.9E6F.00B8.0@dps.k12.oh.us> <4B5F1F6B.7010401@imperial.ac.uk> <4B5F16A1.9E6F.00B8.0@dps.k12.oh.us> <4B5F652D.5090406@tiedyenetworks.com>
Message-ID: <4B600F1D.9E6F.00B8.0@dps.k12.oh.us>

Yes, the limit was set to 200 at AT&T. They've bumped it up and everything seems to be happy now. Thanks to everyone who responded.... I thought I was going crazy... :-)

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> Mike 1/26/2010 4:57 PM >>>
Steven Pfister wrote:
> Just wanted to follow up with some more details on this network set up...
>
> [remote side 4500] ----> (CSME) ----> [central side 4500] ----> (ATM) ----> [central side 8540] ----> [vmware 3560] ----> [vmware server]
>

Steve, is that CSME link the managed ethernet product from ATT? If so, you may be hitting a limitation in that product where it only allows a set number of mac addresses. You said 'seems to be 200' as the number you can observe, and that sounds in line with what I know about it. If so, you can confirm with your ATT account rep and either buy more mac address allocations, or (how it was intended to be used) establish your own l2vpn between the sites and eliminate the restriction entirely. Please report to the list if any of this is/is not helpful. Thanks.

Mike-

From alasdairm at gmail.com Wed Jan 27 11:25:41 2010
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Wed, 27 Jan 2010 16:25:41 +0000
Subject: [c-nsp] best ios version for VSS
In-Reply-To: 
References: 
Message-ID: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com>

I have used 12.2(33)SXI1 on a VSS but encountered a *very* nasty bug triggered when performing an SSO failover, which causes STP to get its knickers in a twist. Ultimately we had to just power the whole thing off (both chassis) to break the loops and restore service, but the whole installation was offline for much longer than a reboot because ACE modules take flipping ages to boot...

I now run 12.2(33)SXI2 on VSS with a 'workaround' for a memory leak bug (fixed in SXI2a) and it's been rock solid. Touch wood.

I've run 12.2(33)SXI3 on some non-VSS nodes but the upgrade breaks SSH beyond repair (to my knowledge?) if you do an SSO failover, so these are going to be downgraded back to SXI2a.

HTH

On 27 Jan 2010, at 14:01, Holemans Wim wrote:

> We have a VSS running, L2 only for the moment. We plan to enable L3
> (static routing only for the moment) next week (along with a FWSM board
> in each chassis).
>
> We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for
> the moment (I know this version has too many features for what we need
> for the moment).
>
> The problems we had with this version until now:
>
> - One of the supervisors rebooted spontaneously, leaving no
> traces on why it restarted.
>
> - ISSU (I don't remember what version we started the
> upgrade from) didn't work, so I had to boot both chassis manually, giving a
> much higher downtime than expected.
>
> - The activation of the first FWSM (inserted with power down
> for that specific module, followed by power up of the module) caused a
> crash and reboot of the supervisor of the chassis in which the FWSM was
> inserted.
>
> So does anyone have comments on which version we eventually should upgrade
> to before going to L3? (Downtime will have a much larger impact from
> that moment on.)
>
> I found on the Cisco website there is a version 12.2.33-SXH6(ED) and a
> version 12.2.33-SXI3(ED) available.
>
> Greetings,
>
> Wim Holemans
> Network Services
> University of Antwerp

From jared at puck.nether.net Wed Jan 27 11:32:00 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 27 Jan 2010 11:32:00 -0500
Subject: [c-nsp] best ios version for VSS
In-Reply-To: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com>
References: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com>
Message-ID: 

On Jan 27, 2010, at 11:25 AM, Alasdair McWilliam wrote:

> I've run 12.2(33)SXI3 on some non-VSS nodes but the upgrade breaks SSH beyond repair (to my knowledge?) if you do an SSO failover, so these are going to be downgraded back to SXI2a.

Is this the bug where the private key goes away?
We've seen this as well and the "helpful" eng at TAC can't seem to follow our simple reproduction instructions and keeps trying to offer us other ways to work around their bug. I hope this TAC eng gets canned so someone helpful can have a job.

- Jared

From psirt at cisco.com Wed Jan 27 11:30:00 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 27 Jan 2010 11:30:00 -0500
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace
Message-ID: <201001271130.mp@psirt.cisco.com>

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace

Advisory ID: cisco-sa-20100127-mp

Revision 1.0

For Public Release 2010 Jan 27 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in Cisco Unified MeetingPlace. This security advisory outlines the details of these vulnerabilities:

  * Insufficient validation of SQL commands
  * Unauthorized account creation
  * User and password enumeration in Cisco MeetingTime
  * Privilege escalation in Cisco MeetingTime

Workarounds are not available for these vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100127-mp.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by at least one of the vulnerabilities described in this document.

The Cisco Unified MeetingPlace conferencing solution provides functionality that allows organizations to host integrated voice, video, and web conferencing. The solution is deployed on-network and integrated directly into an organization's private voice/data networks and enterprise applications. Cisco Unified MeetingPlace servers can be deployed so that the server is accessible from the Internet, allowing external parties to participate in meetings.

Cisco MeetingTime is a desktop application included with Cisco Unified MeetingPlace version 6.x that can be used to access and configure the Cisco Unified MeetingPlace Audio Server systems. MeetingTime classifies users as either end users, contacts, attendants, or system administrators.

The end-of-software maintenance for MeetingPlace version 5.3 occurred in April 2009. End-of-sale and end-of-life details are available at:
http://cco-rtp-1.cisco.com/en/US/prod/collateral/voicesw/ps6789/ps5664/ps5669/prod_end-of-life_notice0900aecd806e743c.html

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

This Security Advisory describes multiple distinct vulnerabilities in the MeetingPlace and MeetingTime products. These vulnerabilities are independent of each other.

Insufficient Validation of SQL Commands

An unauthenticated user may be able to send SQL commands to manipulate the database that MeetingPlace uses to store information about server configuration, meetings, and users. These commands could be used to create, delete, or alter any of the information contained in the Cisco Unified MeetingPlace database.

This vulnerability is documented in Cisco Bug ID CSCtc39691 and has been assigned CVE ID CVE-2010-0139.

Unauthorized Account Creation

An unauthenticated user may be able to send a crafted URL to the internal interface of the Cisco Unified MeetingPlace web server to create a MeetingPlace user or administrator account.

This vulnerability is documented in Cisco Bug IDs CSCtc59231 and CSCtd40661 and has been assigned CVE ID CVE-2010-0140.

User and Password Enumeration in Cisco MeetingTime

The MeetingTime authentication sequence consists of a series of packets that are transmitted between the client and the Cisco MeetingPlace Audio Server over TCP port 5001. An attacker may be able to alter the authentication sequence to access sensitive information in the user database including usernames and passwords.

This vulnerability is documented in Cisco Bug ID CSCsv76935 and has been assigned CVE ID CVE-2010-0141.

Privilege Escalation in Cisco MeetingTime

An attacker may be able to alter the packets in the MeetingTime authentication sequence to elevate the privileges of a normal user to an administrative user.

This vulnerability is documented in Cisco Bug ID CSCsv66530 and has been assigned CVE ID CVE-2010-0142.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

CSCtc39691 - Insufficient validation of SQL commands

CVSS Base Score - 9
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - Partial
    Availability Impact - Complete

CVSS Temporal Score - 7.8
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCtc59231/CSCtd40661 - Unauthorized account creation

CVSS Base Score - 10
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.7
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsv76935 - User and password enumeration in Cisco MeetingTime

CVSS Base Score - 6.4
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 5.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsv66530 - Privilege escalation in Cisco MeetingTime

CVSS Base Score - 8.5
    Access Vector - Network
    Access Complexity - Medium
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 7.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may result in a variety of conditions including: information disclosure, denial of service, privilege escalation, account creation, or alteration of configuration data.
Software Versions and Fixes
===========================

The following table identifies the version of software in which each vulnerability was first fixed. The latest versions of Cisco MeetingPlace software can be downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278785523

+---------------+--------------+--------------+
| Vulnerability | MeetingPlace | MeetingPlace |
|               | 6            | 7            |
|---------------+--------------+--------------|
| Insufficient  |              | 7.0(2.3)     |
| validation of | 6.0.639.2    | hotfix 5F    |
| SQL commands  |              |              |
|---------------+--------------+--------------|
| Unauthorized  |              | 7.0(2.3)     |
| account       | 6.0.639.3    | hotfix 5F    |
| creation      |              |              |
|---------------+--------------+--------------|
| User and      |              |              |
| password      |              | Not          |
| enumeration   | MR5          | applicable   |
| in Cisco      |              |              |
| MeetingTime   |              |              |
|---------------+--------------+--------------|
| Privilege     |              | Not          |
| escalation in | MR5          | applicable   |
| MeetingTime   |              |              |
+---------------+--------------+--------------+

When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

There are no workarounds for the vulnerabilities described in this advisory.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

Cisco would like to thank the National Australia Bank's Security Assurance team and Credit Suisse for the discovery and reporting of these vulnerabilities.

The Cisco PSIRT is not aware of any malicious use of the vulnerabilities described in this advisory.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100127-mp.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+----------+-------------+----------+
| Revision |             | Initial  |
| 1.0      | 2010-Jan-27 | public   |
|          |             | release  |
+----------+-------------+----------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt

From mhuff at ox.com Wed Jan 27 11:50:02 2010
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 27 Jan 2010 11:50:02 -0500
Subject: [c-nsp] best ios version for VSS
In-Reply-To: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com>
References: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com>

With SXI3 there is a quick fix for the SSH bug. Basically, during the upgrade the key gets corrupted and becomes a phantom. You can't delete it with zeroize. The corruption is in the key label (which, if you don't specify it, is the fqdn), which gets corrupted with the last letter left off.

For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co". The solution is to create a key with the bad label that will overwrite the phantom, then delete it:

switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512
switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co

and the phantom key will be gone.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Alasdair McWilliam
> Sent: Wednesday, January 27, 2010 11:26 AM
> To: Holemans Wim
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] best ios version for VSS
>
> I have used 12.2(33)SXI1 on a VSS but encountered a *very* nasty bug triggered when performing an SSO
> failover, which causes STP to get its knickers in a twist.
> Ultimately we had to just power the whole
> thing off (both chassis) to break the loops and restore service, but the whole installation was
> offline for much longer than a reboot because ACE modules take flipping ages to boot...
>
> I now run 12.2(33)SXI2 on VSS with a 'workaround' for a memory leak bug (fixed in SXI2a) and it's been
> rock solid. Touch wood.
>
> I've run 12.2(33)SXI3 on some non-VSS nodes but the upgrade breaks SSH beyond repair (to my
> knowledge?) if you do an SSO failover, so these are going to be downgraded back to SXI2a.
>
> HTH
>
> On 27 Jan 2010, at 14:01, Holemans Wim wrote:
>
> > We have a VSS running, L2 only for the moment. We plan to enable L3
> > (static routing only for the moment) next week (along with a FWSM board
> > in each chassis).
> >
> > We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for
> > the moment (I know this version has too many features for what we need
> > for the moment).
> >
> > The problems we had with this version until now:
> >
> > - One of the supervisors rebooted spontaneously, leaving no
> > traces on why it restarted.
> >
> > - ISSU (I don't remember what version we started the
> > upgrade from) didn't work, so I had to boot both chassis manually, giving a
> > much higher downtime than expected.
> >
> > - The activation of the first FWSM (inserted with power down
> > for that specific module, followed by power up of the module) caused a
> > crash and reboot of the supervisor of the chassis in which the FWSM was
> > inserted.
> >
> > So does anyone have comments on which version we eventually should upgrade
> > to before going to L3? (Downtime will have a much larger impact from
> > that moment on.)
> >
> > I found on the Cisco website there is a version 12.2.33-SXH6(ED) and a
> > version 12.2.33-SXI3(ED) available.
> >
> > Greetings,
> >
> > Wim Holemans
> > Network Services
> > University of Antwerp

From ip at ioshints.info Wed Jan 27 13:06:18 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 27 Jan 2010 19:06:18 +0100
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
In-Reply-To: <20100127102726.GN857@greenie.muc.de>
References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com> <000001ca9f1d$7c21fa70$7465ef50$@pepelnjak@zaplana.net> <20100127102726.GN857@greenie.muc.de>
Message-ID: <005801ca9f7b$6ddc2c20$49948460$@info>

Gert,

If I understood the original question correctly, he's an MPLS VPN customer running BGP with his Service Provider. Unless I'm mistaken, it's somewhat hard to run an IGP on top of that, unless you build GRE or DMVPN tunnels over MPLS VPN first.

Ivan

> This is why I suggested making this much simpler - treat all links,
> IPSEC and MPLS, as "AS internal" links, run an IGP over them, and let
> the protocols that are built to do this handle end-to-end keepalive
> and failover. One can do this with BGP, of course, but it tends to be less
> convenient/helpful in these scenarios.
>
> gert

From malitsky at netabn.com Wed Jan 27 12:54:03 2010
From: malitsky at netabn.com (Michael Malitsky)
Date: Wed, 27 Jan 2010 11:54:03 -0600
Subject: [c-nsp] Self rebooting pix?
In-Reply-To: 
References: 
Message-ID: <79AF0C3901752A49881FE4CB31F7AA4001931C18@abn-borg2.NETABN.LOCAL>

We've had a few PIX-501s overheat. No internal fans, so they are susceptible.
We've also had one or two of these have problems with the power connector. It would boot and run, but slight movement of the power connector on the box would cause it to lose connection momentarily and reset. In both cases, symptoms are similar to what you describe.

Sincerely,
Michael Malitsky

> Message: 7
> Date: Mon, 25 Jan 2010 15:22:38 -0800
> From: "Scott Granados"
> To:
> Subject: [c-nsp] Self rebooting pix?
>
> Hi All,
> I'm having a strange problem and not much diagnostic output so maybe I can
> get some pointers as to what to look at next.
>
> I have a Pix 501 with a non restrictive license that I'm using as a
> general firewall and nat device. There's a 10 megabit ethernet connection
> handing a statically routed Internet feed on the WAN side and a 100 megabit
> fast E which connects to a core switch. We nat probably about 50 - 100
> users at a time and the throughput over the public pathway is less than 8
> megabits for the most part and generally stays around 3 - 5. The output of
> show cpu usage shows a usage of between 10 and 20 percent with lows of 4%
> and highs around 25.
>
> Randomly throughout the day the connection / device will hang, the
> switch it's attached to shows the ethernet port go down and come back up a
> few times then packets start to flow again. After the most recent event I
> did a show ver on the Pix and saw that the uptime was less than 2 minutes.
> After each drop this counter returns to 0 which tells me the Pix is
> rebooting for some reason. Show log doesn't yield anything interesting and
> the syslog server that captures the log output doesn't have any messages
> around the time of the outages either. Total traffic disruption lasts for
> approximately 30 seconds. The time of day is random and it does not seem to
> increase in frequency with bursts in traffic. I've obviously checked and
> ensured that the power cables are firmly attached and the network cables are
> securely attached as well.
>
> What other things should I try? Are there any other show commands that
> might yield some more clues? Has anyone else experienced this? The
> software rev is 6.3.
>
> Thanks
> Scott
>

From jasongurtz at npumail.com Wed Jan 27 13:42:43 2010
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Wed, 27 Jan 2010 13:42:43 -0500
Subject: [c-nsp] 4900M vs. 4503 for core
Message-ID:

We are doing a long overdue redesign of our network as part of a voip implementation, hopefully ending up with a collapsed core w/routed access layer. A consultant has proposed the 4507 as access switches and a pair of 3750-E switches as the core. The 3750-E seems a strange choice to me for a few reasons and I'm thinking a pair of 4900M or 4503 switches would be a better fit looking forward.

We are a smaller shop (7 access switches including the datacenter) with 100Mb desktops and a mix of 100/1000 for servers. Switch-to-switch trunks are 1Gb. The number of access switches is very unlikely to change and we could, in the future, move to 10Gb. The 4900M solution would save a non-trivial amount over 4503 with Sup6.

Is there anything glaringly wrong with choosing the 4900M using twin-gig based connections to the access layer over the 4503 Sup6 and 46xx line cards in our situation?

~Jason

From cjk at klement.org Wed Jan 27 13:56:39 2010
From: cjk at klement.org (Charles Klement)
Date: Wed, 27 Jan 2010 10:56:39 -0800
Subject: [c-nsp] 4900M vs. 4503 for core
In-Reply-To:
References:
Message-ID: <8852ac1c1001271056n5098e6bcwa61b3f3f410d2f2d@mail.gmail.com>

I don't believe that twin-gig converters are supported in the onboard 10G interfaces of the 4900M. I think they are only supported on the oversubscribed 8 port 10G card.

Also, watch for licensing costs. The adder to get up to enterprise licensing is very expensive. Look in the feature navigator to see if all the IOS features you want are in the base license.

Have you looked into using the 3560E platform for your small core?
I believe that there is a 12port 10G version which supports the twingig converters and (gasp!) actually has 2 power supplies. charles On Wed, Jan 27, 2010 at 10:42 AM, Jason Gurtz wrote: > We are doing a long overdue redesign of our network as part of a voip > implementation, hopefully ending up with a collapsed core w/routed access > layer. A consultant has proposed the 4507 as access switches and a pair > of 3750-E switches as the core. The 3750-E seems a strange choice to me > for a few reasons and I'm thinking a pair of 4900M or 4503 switches would > be a better fit looking forward. > > We are a smaller shop (7 access switches including the datacenter) with > 100Mb desktops and a mix of 100/1000 for servers. Switch-to-switch trunks > are 1Gb. The number of access switches is very unlikely to change and we > could, in the future move to a 10Gb. The 4900M solution would save a > non-trivial amount over 4503 with Sup6. > > Is there anything glaringly wrong with choosing the 4900M using twin-gig > based connections to the access layer over the 4503 Sup6 and 46xx line > cards in our situation? > > ~Jason > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From andrew.coates at internode.on.net Wed Jan 27 14:38:55 2010 From: andrew.coates at internode.on.net (andrew) Date: Thu, 28 Jan 2010 06:38:55 +1100 Subject: [c-nsp] BGP inject map question In-Reply-To: <4B601307.1000400@internode.on.net> References: <4B601307.1000400@internode.on.net> Message-ID: <4B60964F.8030803@internode.on.net> > for the cisco people here (hehehe), can i do the following: > > use an inject map for a route that is locally originated, i think im > having issues with the route source ie. 
>
> int fas 0/1
>  ip address 123.123.123.1 255.255.255.0
>
> router bgp 1
>  neigh blah remote-as blah
>  network 123.123.123.0 mask 255.255.255.0 route-map filter
>  bgp inject-map INJECT exist-map EXIST
>
> route-map INJECT
>  set ip address prefix-list INJECT
>
> route-map EXIST
>  match ip address prefix-list EXIST
>  match ip route-source prefix-list HOST
>
> route-map filter
>  set community no-export
>
> ip prefix-list INJECT permit 123.123.123.12/32
> ip prefix-list EXIST permit 123.123.123.0/24
> ip prefix-list HOST permit ???????????? (have tried 0.0.0.0/32 and the bgp router id)
>
> i have typed this by hand so the syntax might not be 100% accurate.
>
> i have been trying and can't get it working,
> basically i have an MPLS VPN extranet and the LAN address of the CE is in
> the same subnet as a /32 host i wish to advertise into the VPN.
>
> i'm running an old IOS on this router 12.3 adv ip services
>
> cheers
>
> Andrew
>

From guru6111 at gmail.com Wed Jan 27 14:43:06 2010
From: guru6111 at gmail.com (Atif Sid)
Date: Wed, 27 Jan 2010 14:43:06 -0500
Subject: [c-nsp] 7600 + egress netflow + 12.2(33)SRE
In-Reply-To: <4B5EB16D.7040104@imperial.ac.uk>
References: <766b203d1001251259p53193198i12f7c53511dba44@mail.gmail.com> <4B5EB16D.7040104@imperial.ac.uk>
Message-ID: <766b203d1001271143xfa653aeo4ca1b72c487a4024@mail.gmail.com>

This is the HW we have:

Mod Ports Card Type                              Model
--- ----- -------------------------------------- ------------------
  1    8  8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC
  2   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
  3   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
  5    9  Supervisor Engine 32 8GE (Hot)         WS-SUP32-GE-3B
  6    9  Supervisor Engine 32 8GE (Active)      WS-SUP32-GE-3B

On Tue, Jan 26, 2010 at 4:10 AM, Phil Mayers wrote:
> On 01/25/2010 08:59 PM, Atif Sid wrote:
>
>> New code 12.2(33)SRE has removed the command ip flow egress from the
>> interfaces. it shows the command but does not configure it?
>> example: >> > > 7600s with PFC-based linecards don't support egress netflow, because the > hardware does not - only ingress. Is this the kind of interface you're > trying to configure on? > > I suspect the egress command was present previously either as a cosmetic > bug (e.g. it was intended for WAN/ES cards but "accidentally" appeared for > all interfaces) or was only capturing software-switches flows. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From andrew.gabriel at sanmina-sci.com Wed Jan 27 15:09:53 2010 From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel) Date: Thu, 28 Jan 2010 01:39:53 +0530 Subject: [c-nsp] 4900M vs. 4503 for core In-Reply-To: References: Message-ID: Are you talking about using the twin-gig connectors to provide 1 G uplinks? Nothing wrong with that but its pretty expensive by comparison to a regular gig SFP. Regards, Andrew Gabriel. On Thu, Jan 28, 2010 at 12:12 AM, Jason Gurtz wrote: > We are doing a long overdue redesign of our network as part of a voip > implementation, hopefully ending up with a collapsed core w/routed access > layer. A consultant has proposed the 4507 as access switches and a pair > of 3750-E switches as the core. The 3750-E seems a strange choice to me > for a few reasons and I'm thinking a pair of 4900M or 4503 switches would > be a better fit looking forward. > > We are a smaller shop (7 access switches including the datacenter) with > 100Mb desktops and a mix of 100/1000 for servers. Switch-to-switch trunks > are 1Gb. The number of access switches is very unlikely to change and we > could, in the future move to a 10Gb. The 4900M solution would save a > non-trivial amount over 4503 with Sup6. 
>
> Is there anything glaringly wrong with choosing the 4900M using twin-gig
> based connections to the access layer over the 4503 Sup6 and 46xx line
> cards in our situation?
>
> ~Jason
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
From gert at greenie.muc.de Wed Jan 27 15:18:59 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 27 Jan 2010 21:18:59 +0100
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
In-Reply-To: <005801ca9f7b$6ddc2c20$49948460$@info>
References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com> <20100127102726.GN857@greenie.muc.de> <005801ca9f7b$6ddc2c20$49948460$@info>
Message-ID: <20100127201859.GS857@greenie.muc.de>

Hi,

On Wed, Jan 27, 2010 at 07:06:18PM +0100, Ivan Pepelnjak wrote:
> If I understood the original question correctly, he's an MPLS
> VPN customer running BGP with his Service Provider. Unless I'm
> mistaken, it's somewhat hard to run IGP on top of that, unless you
> build GRE or DMVPN tunnels over MPLS VPN first.

Oh. In that case I wasn't reading properly, I was assuming L2 MPLS VPN links (ethernet over MPLS or similar), not L3 VPN.

Indeed, in that case it's better to use BGP for everything - but I'd still use a single protocol both for the IPSEC and for the VPN links instead of relying on EEM to react to "things" and change configs.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From justin at justinshore.com Wed Jan 27 15:30:52 2010
From: justin at justinshore.com (Justin Shore)
Date: Wed, 27 Jan 2010 14:30:52 -0600
Subject: [c-nsp] Self rebooting pix?
In-Reply-To:
References: <002401ca9e15$53269620$2608120a@am.thmulti.com>
Message-ID: <4B60A27C.6020502@justinshore.com>

Jason Gurtz wrote:
>> After each drop this counter returns to 0 which tells me the Pix is
>> rebooting for some reason.
> [...]
>> experienced this. The software rev is 6.3.
>
> We experienced this on a 515E running 6.3 code.
> A move to the 7.0 series
> solved this issue.

Same thing here. It would crash about once a month on us but the duration was so short that it was seldom ever noticed. It only took 45 seconds to boot. We solved it by installing ASAs. :-)

Justin

From SPfister at dps.k12.oh.us Wed Jan 27 15:39:47 2010
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Wed, 27 Jan 2010 15:39:47 -0500
Subject: [c-nsp] Vlans and PIX firewal
Message-ID: <4B605E3F.9E6F.00B8.0@dps.k12.oh.us>

Thanks again to everyone who replied to my last post... I've got another project related to the same VMWare server...

I have a situation where I need to set up network access for a new virtual server in a vlan where most of the existing hosts are on the other side of a PIX 525 (running 7.2(2)). The other hosts in the vlan are connected to a 4507 core switch, which is connected to an interface which is the DMZ and has the default gateway address of that vlan. Actually, the vlan, let's use the number 10, was set up at one point but is currently shutdown. The connection to the PIX is an access port in the 10 vlan. The inside interface is connected to another port on the same 4507. The port the inside interface is connected to is an access port in the central site's core vlan... let's use 20 for this discussion. The VMWare server is 2 hops away, first through an ATM connection to an 8540 (set up with IRB) to a 3560.

Two other things about the configuration that might be important: (1) there is a second PIX in an active/standby configuration, and (2) the inside ports that the two PIXes are connected to are the source in a port mirror to a port that a content filter is connected to.

I'm guessing that some sort of routing needs to be set up on the PIX(es)... what is the best method of doing that? Since this is a production network, I was hoping to have to change as little as possible (obviously...)

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S.
Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us From scottowens12 at gmail.com Wed Jan 27 16:28:51 2010 From: scottowens12 at gmail.com (scott owens) Date: Wed, 27 Jan 2010 15:28:51 -0600 Subject: [c-nsp] 4900M vs. 4503 for core Message-ID: > > Message: 3 > Date: Wed, 27 Jan 2010 13:42:43 -0500 > From: "Jason Gurtz" > To: > Subject: [c-nsp] 4900M vs. 4503 for core > Message-ID: > > > Content-Type: text/plain; charset="us-ascii" > > We are doing a long overdue redesign of our network as part of a voip > implementation, hopefully ending up with a collapsed core w/routed access > layer. A consultant has proposed the 4507 as access switches and a pair > of 3750-E switches as the core. The 3750-E seems a strange choice to me > for a few reasons and I'm thinking a pair of 4900M or 4503 switches would > be a better fit looking forward. > > We are a smaller shop (7 access switches including the datacenter) with > 100Mb desktops and a mix of 100/1000 for servers. Switch-to-switch trunks > are 1Gb. The number of access switches is very unlikely to change and we > could, in the future move to a 10Gb. The 4900M solution would save a > non-trivial amount over 4503 with Sup6. > > Is there anything glaringly wrong with choosing the 4900M using twin-gig > based connections to the access layer over the 4503 Sup6 and 46xx line > cards in our situation? > > ~Jason > > > What the 3750Gs - I would pick the "G" over the E/10GB until you need 10 GB ... the price will have dropped by then - is an clustered switch stack that you can run redundant etherchannels to ; one link to one 3750, one link to the other. Yes, yes, yes ... if you have to reboot the 3750 stack you lose all connectivity as both ( or more ) members reboot. It switches, it routes , it port channels. jumbo frames, teaming, .... 
Save your money until you need [ unless you are going to run 10GB to 10GB links where a single client to server connection will exceed 1 GB you can just as easily port channel a bunch of 1 GB links and get almost the same effect. From jasonleblanc at gmail.com Wed Jan 27 16:49:47 2010 From: jasonleblanc at gmail.com (Jason LeBlanc) Date: Wed, 27 Jan 2010 14:49:47 -0700 Subject: [c-nsp] Self rebooting pix? In-Reply-To: <4B60A27C.6020502@justinshore.com> References: <002401ca9e15$53269620$2608120a@am.thmulti.com> <4B60A27C.6020502@justinshore.com> Message-ID: <99C9EE92-486B-4AFF-AEC1-9B3B13A23058@gmail.com> The point of termination between the pix and the power supply end point (shaped like a 7) is a known issue. If it moves at all or gets bumped at all it will reboot the devices. To rule this out you can try to zip tie it to the device in an effort to keep it still. If there is no possible movement and it still occurs it is most likely overheating as previously mentioned. On Jan 27, 2010, at 1:30 PM, Justin Shore wrote: > Jason Gurtz wrote: >>> After each drop this counter returns to 0 which tells me the Pix is >>> rebooting for some reason. >> [...] >>> experienced this. The software rev is 6.3. >> We experienced this on a 515E running 6.3 code. A move to the 7.0 series >> solved this issue. > > Same thing here. It would crash about once a month on us but the duration was show short that it was seldom ever noticed. It only took 45 seconds to boot. We solved it by installing ASAs. 
:-) > > Justin > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jasonleblanc at gmail.com Wed Jan 27 17:12:12 2010 From: jasonleblanc at gmail.com (Jason LeBlanc) Date: Wed, 27 Jan 2010 15:12:12 -0700 Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet In-Reply-To: <007b01ca9f7d$b6369800$22a3c800$@pepelnjak@zaplana.net> References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com> <001c01ca9ee1$80d19710$8274c530$@net> <007b01ca9f7d$b6369800$22a3c800$@pepelnjak@zaplana.net> Message-ID: <47FB370E-C073-4613-927F-F75C9C6D01F2@gmail.com> Exactly. This is a secondary form of calling back home if the MPLS Link or BGP breaks. We have static routes at the remote site pointing traffic over the IPSEC tunnel if it fails. If MPLS is lost we want the remote campus to be able to communicate with the main datacenter which is also where the main MPLS router exists. We currently have a VPN devices at the Datacenter that runs OSPF on the home end. MPLS Router 7200-----------------------> {AT&T MPLS Cloud} --> / \ Core 6500 --> Distribution Router 6500 -- -- Campus Router Cisco or Juniper SSG \ / Site to site VPN Juniper ISG-1000 --> {ISP IPSEC VPN}--------> On Jan 27, 2010, at 11:22 AM, Ivan Pepelnjak wrote: > Jason, are you trying to solve only the remote site problem? Is the main campus receiving specific routes for each remote site through the MPLS VPN cloud? > >> -----Original Message----- >> From: Jason LeBlanc [mailto:jasonleblanc at gmail.com] >> Sent: Wednesday, January 27, 2010 1:48 AM >> To: Luan Nguyen >> Cc: 'Cisco-nsp' >> Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over >> Internet >> >> Current topology is pretty simple. AT&T drops an MPLS circuit either PPP >> Multilink Bundled T1's or an Ethernet hand off. 
On another interface we >> generally have an ethernet hand off from another ISP. We run BGP to move >> all the traffic around on one 172.x.x.x/30's and then our LAN is on >> 10.x.x.x. We have an outside IP address on another ethernet port which is >> the IPSEC termination point. BGP from our main campus injects a default >> route which we receive. Currently we just manually added static 0.0.0.0 >> routes out the tunnel interfaces with a metric of 32000. So when BGP >> drops off we will route over the IPSEC VPN Tunnel back home. >> >> Headquarters 172.1.1.1/30 --> ATTMPLS 172.1.1.2/30 --> >> >> ATTMPLS 172.2.2.1/30 --> Remote Campus 172.2.2.2/30 (running BGP) --> >> 10.1.1.1/24 >> >> ISP-X Ethernet 200.1.1.1/30 --> Remote Campus 200.1.1.2/30 --> IPSEC VPN >> Tunnel.1 10.1.1.20/24 --> Headquarters Tunnel.1 10.1.1.21/24 >> >> BGP Provides default route >> Static 0.0.0.0 0.0.0.0 Tunel.1 Metric 32000 >> >> It is my assumption that if the traffic cant get to its destination >> because BGP has lost it our backup link the IPSEC VPN with the higher >> metric will become the new default route. > From adam.korab at gmail.com Wed Jan 27 17:42:52 2010 From: adam.korab at gmail.com (Adam Korab) Date: Wed, 27 Jan 2010 16:42:52 -0600 Subject: [c-nsp] best ios version for VSS In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com> References: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com> <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com> Message-ID: On Wed, Jan 27, 2010 at 10:50 AM, Matthew Huff wrote: > With SXI3 there is a quick fix for the SSH bug. Do you happen to have the bug ID for the ssh bug? We're considering the possibility that we'll need to upgrade to SXI very shortly here, although it's purported to also be affected by CSCte44349, which is a real pain in the ass. (Synopsis: HA config parser fails when you add a seq to an extended ACL (in our case, not WCCP) and reloads the standby chassis.) 
--Adam

From alasdairm at gmail.com Wed Jan 27 18:01:48 2010
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Wed, 27 Jan 2010 23:01:48 +0000
Subject: [c-nsp] best ios version for VSS
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com>
References: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com> <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com>
Message-ID:

Oooh... :-)

The bug I had stumbled over was CSCtc41114, matching our conditions and symptoms. I've had no luck with the workarounds mentioned in the bug notes and my interpretation was that SXI3 'caused' the bug. I don't have the luxury of test boxes, multiple downtime windows or just enabling alternative remote access mechanisms (i.e. telnet !), so was going to try just downgrade back to SXI2a.

I'll try this and see how we go... :)

On 27 Jan 2010, at 16:50, Matthew Huff wrote:
> With SXI3 there is a quick fix for the SSH bug.
>
> Basically, during the upgrade the key gets corrupted and becomes a phantom. You can't delete it with zeroize. The corruption is in the key label (which if you don't specify, is the fqdn) which gets corrupted with the last letter left off.
>
> For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co".
>
> The solution is to create a key with the bad label that will overwrite the phantom, then delete it:
>
> switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512
> switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co
>
> and the phantom key will be gone.
> > > ---- > Matthew Huff | One Manhattanville Rd > OTA Management LLC | Purchase, NY 10577 > http://www.ox.com | Phone: 914-460-4039 > aim: matthewbhuff | Fax: 914-460-4139 > > > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of >> Alasdair McWilliam >> Sent: Wednesday, January 27, 2010 11:26 AM >> To: Holemans Wim >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] best ios version for VSS >> >> I have used 12.2(33)SXI1 on a VSS but encountered a *very* nasty bug triggered when performing an SSO >> failover, which causes STP to get its knickers in a twist. Ultimately we had to just power the whole >> thing off (both chassis) to break the loops and restore service, but the whole installation was >> offline for much longer than a reboot because ACE modules take flipping ages to boot... >> >> I now run 12.2(33)SXI2 on VSS with a 'workaround' for a memory leak bug (fixed in SXI2a) and it's been >> rock solid. Touch wood. >> >> I've run 12.2(33)SXI3 on some non-VSS nodes but the upgrade breaks SSH beyond repair (to my >> knowledge?) if you do an SSO failover, so these are going to be downgraded back to SXI2a. >> >> HTH >> >> >> >> >> On 27 Jan 2010, at 14:01, Holemans Wim wrote: >> >>> We have a VSS running, L2 only for the moment. We plan to enable L3 >>> (static routing only for the moment) next week (along with a FWSM board >>> in each chassis). 
>>> >>> We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for >>> the moment (I know this version has too much features for what we need >>> for the moment) >>> >>> The problems we had with this version until now : >>> >>> - One of the supervisors rebooted spontaneously leaving no >>> traces on why it restarted >>> >>> - ISSU (I don't remember what the version was we started the >>> upgrade) didn't work, so I had to boot both chassis manually, giving a >>> much higher downtime than expected >>> >>> - The activation of the first FWSM (inserted with power down >>> for that specific module, followed by power up of the module), caused a >>> crash and reboot of the supervisor of the chassis in with the FWSM was >>> inserted. >>> >>> >>> >>> So anyone has comments on to which version we eventually should upgrade >>> to before going to L3 ? (downtime will have a much larger impact from >>> that moment on). >>> >>> I found on the cisco website there is a version 12.2.33-SXH6(ED) and a >>> version 12.2.33-SXI3(ED) available. 
>>> >>> >>> >>> Greetings, >>> >>> >>> >>> Wim Holemans >>> >>> Network Services >>> >>> University of Antwerp >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From alasdairm at gmail.com Wed Jan 27 18:03:22 2010 From: alasdairm at gmail.com (Alasdair McWilliam) Date: Wed, 27 Jan 2010 23:03:22 +0000 Subject: [c-nsp] best ios version for VSS In-Reply-To: References: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com> <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com> Message-ID: <31A53B4D-BF50-4263-A441-D833AB7A03DB@gmail.com> I take back what I just said about the specified workaround not working....... I clearly had blinkers on and missed the line about taking the last character off !!! Ho hum.. On 27 Jan 2010, at 23:01, Alasdair McWilliam wrote: > Oooh... :-) > > The bug I had stumbled over was CSCtc41114, matching our conditions and symptoms. I've had no luck with the workarounds mentioned in the bug notes and my interpretation was that SXI3 'caused' the bug. I don't have the luxury of test boxes, multiple downtime windows or just enabling alternative remote access mechanisms (i.e. telnet !), so was going to try just downgrade back to SXI2a. > > I'll try this and see how we go... :) > > > On 27 Jan 2010, at 16:50, Matthew Huff wrote: > >> With SXI3 there is a quick fix for the SSH bug. >> >> Basically, during the upgrade the key gets corrupted and becomes a phantom. You can't delete it with zeroize. The corruption is in the key label (which if you don't specify, is the fqdn) which gets corrupted with the last letter left off. 
>> >> For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co". >> >> The solution is to create a key with the bad label that will overwrite the phantom, then delete it: >> >> switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512 >> switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co >> >> and the phantom key will be gone. >> >> >> ---- >> Matthew Huff | One Manhattanville Rd >> OTA Management LLC | Purchase, NY 10577 >> http://www.ox.com | Phone: 914-460-4039 >> aim: matthewbhuff | Fax: 914-460-4139 >> >> >> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of >>> Alasdair McWilliam >>> Sent: Wednesday, January 27, 2010 11:26 AM >>> To: Holemans Wim >>> Cc: cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] best ios version for VSS >>> >>> I have used 12.2(33)SXI1 on a VSS but encountered a *very* nasty bug triggered when performing an SSO >>> failover, which causes STP to get its knickers in a twist. Ultimately we had to just power the whole >>> thing off (both chassis) to break the loops and restore service, but the whole installation was >>> offline for much longer than a reboot because ACE modules take flipping ages to boot... >>> >>> I now run 12.2(33)SXI2 on VSS with a 'workaround' for a memory leak bug (fixed in SXI2a) and it's been >>> rock solid. Touch wood. >>> >>> I've run 12.2(33)SXI3 on some non-VSS nodes but the upgrade breaks SSH beyond repair (to my >>> knowledge?) if you do an SSO failover, so these are going to be downgraded back to SXI2a. >>> >>> HTH >>> >>> >>> >>> >>> On 27 Jan 2010, at 14:01, Holemans Wim wrote: >>> >>>> We have a VSS running, L2 only for the moment. 
We plan to enable L3 >>>> (static routing only for the moment) next week (along with a FWSM board >>>> in each chassis). >>>> >>>> We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for >>>> the moment (I know this version has too much features for what we need >>>> for the moment) >>>> >>>> The problems we had with this version until now : >>>> >>>> - One of the supervisors rebooted spontaneously leaving no >>>> traces on why it restarted >>>> >>>> - ISSU (I don't remember what the version was we started the >>>> upgrade) didn't work, so I had to boot both chassis manually, giving a >>>> much higher downtime than expected >>>> >>>> - The activation of the first FWSM (inserted with power down >>>> for that specific module, followed by power up of the module), caused a >>>> crash and reboot of the supervisor of the chassis in with the FWSM was >>>> inserted. >>>> >>>> >>>> >>>> So anyone has comments on to which version we eventually should upgrade >>>> to before going to L3 ? (downtime will have a much larger impact from >>>> that moment on). >>>> >>>> I found on the cisco website there is a version 12.2.33-SXH6(ED) and a >>>> version 12.2.33-SXI3(ED) available. >>>> >>>> >>>> >>>> Greetings, >>>> >>>> >>>> >>>> Wim Holemans >>>> >>>> Network Services >>>> >>>> University of Antwerp >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > From dharmachris at gmail.com Wed Jan 27 18:05:05 2010 From: dharmachris at gmail.com (Christopher Hunt) Date: Wed, 27 Jan 2010 15:05:05 -0800 Subject: [c-nsp] ip sla echo vrf with df-bit set? 
Message-ID: I'm trying to setup a mechanism for ensuring end-to-end MTU in our L3 MPLS VPN network. I'd like to use ip sla tracking to do so and I have setup a monitor: ip sla monitor 99 type echo protocol ipIcmpEcho x.x.x.x request-data-size 1500 vrf XYZ Unfortunately, I cannot find any way to set the DF bit using "ip sla monitor". Anyone know if it's available anywhere or coming soon? Can anyone else think of another strategy? I'm currently running 12.4(22)T on a series of 7200VXRs. Cheer, Christopher Hunt From mhuff at ox.com Wed Jan 27 18:07:08 2010 From: mhuff at ox.com (Matthew Huff) Date: Wed, 27 Jan 2010 18:07:08 -0500 Subject: [c-nsp] best ios version for VSS In-Reply-To: <31A53B4D-BF50-4263-A441-D833AB7A03DB@gmail.com> References: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com> <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com> <31A53B4D-BF50-4263-A441-D833AB7A03DB@gmail.com> Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F66B@PUR-EXCH07.ox.com> Actually, the bug notice was updated recently. I had escalated to a back line engineer and he was the one that wrote the original bug text, and he updated it with the new workaround. So you didn't miss anything the first time -----Original Message----- From: Alasdair McWilliam [mailto:alasdairm at gmail.com] Sent: Wednesday, January 27, 2010 6:03 PM To: Alasdair McWilliam Cc: Matthew Huff; Adam Korab; 'Holemans Wim'; 'cisco-nsp at puck.nether.net' Subject: Re: [c-nsp] best ios version for VSS I take back what I just said about the specified workaround not working....... I clearly had blinkers on and missed the line about taking the last character off !!! Ho hum.. On 27 Jan 2010, at 23:01, Alasdair McWilliam wrote: > Oooh... :-) > > The bug I had stumbled over was CSCtc41114, matching our conditions and symptoms. I've had no luck with the workarounds mentioned in the bug notes and my interpretation was that SXI3 'caused' the bug. 
> I don't have the luxury of test boxes, multiple downtime windows or just enabling alternative remote access mechanisms (i.e. telnet !), so was going to try just downgrade back to SXI2a.
>
> I'll try this and see how we go... :)
>
>
> On 27 Jan 2010, at 16:50, Matthew Huff wrote:
>
>> With SXI3 there is a quick fix for the SSH bug.
>>
>> Basically, during the upgrade the key gets corrupted and becomes a phantom. You can't delete it with zeroize. The corruption is in the key label (which if you don't specify, is the fqdn) which gets corrupted with the last letter left off.
>>
>> For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co".
>>
>> The solution is to create a key with the bad label that will overwrite the phantom, then delete it:
>>
>> switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512
>> switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co
>>
>> and the phantom key will be gone.
>>
>>
>> ----
>> Matthew Huff | One Manhattanville Rd
>> OTA Management LLC | Purchase, NY 10577
>> http://www.ox.com | Phone: 914-460-4039
>> aim: matthewbhuff | Fax: 914-460-4139
>>
>>
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>>> Alasdair McWilliam
>>> Sent: Wednesday, January 27, 2010 11:26 AM
>>> To: Holemans Wim
>>> Cc: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] best ios version for VSS
>>>
>>> I have used 12.2(33)SXI1 on a VSS but encountered a *very* nasty bug triggered when performing an SSO
>>> failover, which causes STP to get its knickers in a twist. Ultimately we had to just power the whole
>>> thing off (both chassis) to break the loops and restore service, but the whole installation was
>>> offline for much longer than a reboot because ACE modules take flipping ages to boot...
>>> >>> I now run 12.2(33)SXI2 on VSS with a 'workaround' for a memory leak bug (fixed in SXI2a) and it's been >>> rock solid. Touch wood. >>> >>> I've run 12.2(33)SXI3 on some non-VSS nodes but the upgrade breaks SSH beyond repair (to my >>> knowledge?) if you do an SSO failover, so these are going to be downgraded back to SXI2a. >>> >>> HTH >>> >>> >>> >>> >>> On 27 Jan 2010, at 14:01, Holemans Wim wrote: >>> >>>> We have a VSS running, L2 only for the moment. We plan to enable L3 >>>> (static routing only for the moment) next week (along with a FWSM board >>>> in each chassis). >>>> >>>> We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for >>>> the moment (I know this version has too much features for what we need >>>> for the moment) >>>> >>>> The problems we had with this version until now : >>>> >>>> - One of the supervisors rebooted spontaneously leaving no >>>> traces on why it restarted >>>> >>>> - ISSU (I don't remember what the version was we started the >>>> upgrade) didn't work, so I had to boot both chassis manually, giving a >>>> much higher downtime than expected >>>> >>>> - The activation of the first FWSM (inserted with power down >>>> for that specific module, followed by power up of the module), caused a >>>> crash and reboot of the supervisor of the chassis in with the FWSM was >>>> inserted. >>>> >>>> >>>> >>>> So anyone has comments on to which version we eventually should upgrade >>>> to before going to L3 ? (downtime will have a much larger impact from >>>> that moment on). >>>> >>>> I found on the cisco website there is a version 12.2.33-SXH6(ED) and a >>>> version 12.2.33-SXI3(ED) available. 
>>>> >>>> >>>> >>>> Greetings, >>>> >>>> >>>> >>>> Wim Holemans >>>> >>>> Network Services >>>> >>>> University of Antwerp >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > From alasdairm at gmail.com Wed Jan 27 18:16:35 2010 From: alasdairm at gmail.com (Alasdair McWilliam) Date: Wed, 27 Jan 2010 23:16:35 +0000 Subject: [c-nsp] best ios version for VSS In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BC79F66B@PUR-EXCH07.ox.com> References: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com> <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com> <31A53B4D-BF50-4263-A441-D833AB7A03DB@gmail.com> <483E6B0272B0284BA86D7596C40D29F9E2BC79F66B@PUR-EXCH07.ox.com> Message-ID: <37CAB25F-3AAD-4D92-A25F-8BBA80E9FB6F@gmail.com> Here's me thinking I'm cracking up. I just did what you recommended and it worked! I guess SXI3 can stay... you've just saved me another early downtime window. Thank you. :-) On 27 Jan 2010, at 23:07, Matthew Huff wrote: > Actually, the bug notice was updated recently. I had escalated to a back line engineer and he was the one that wrote the original bug text, and he updated it with the new workaround. So you didn't miss anything the first time > > -----Original Message----- > From: Alasdair McWilliam [mailto:alasdairm at gmail.com] > Sent: Wednesday, January 27, 2010 6:03 PM > To: Alasdair McWilliam > Cc: Matthew Huff; Adam Korab; 'Holemans Wim'; 'cisco-nsp at puck.nether.net' > Subject: Re: [c-nsp] best ios version for VSS > > I take back what I just said about the specified workaround not working....... 
I clearly had blinkers on and missed the line about taking the last character off !!! > > Ho hum.. > > > On 27 Jan 2010, at 23:01, Alasdair McWilliam wrote: > >> Oooh... :-) >> >> The bug I had stumbled over was CSCtc41114, matching our conditions and symptoms. I've had no luck with the workarounds mentioned in the bug notes and my interpretation was that SXI3 'caused' the bug. I don't have the luxury of test boxes, multiple downtime windows or just enabling alternative remote access mechanisms (i.e. telnet !), so was going to try just downgrade back to SXI2a. >> >> I'll try this and see how we go... :) >> >> >> On 27 Jan 2010, at 16:50, Matthew Huff wrote: >> >>> With SXI3 there is a quick fix for the SSH bug. >>> >>> Basically, during the upgrade the key gets corrupted and becomes a phantom. You can't delete it with zeroize. The corruption is in the key label (which if you don't specify, is the fqdn) which gets corrupted with the last letter left off. >>> >>> For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co". >>> >>> The solution is to create a key with the bad label that will overwrite the phantom, then delete it: >>> >>> switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512 >>> switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co >>> >>> and the phantom key will be gone. 
>>> >>> >>> ---- >>> Matthew Huff | One Manhattanville Rd >>> OTA Management LLC | Purchase, NY 10577 >>> http://www.ox.com | Phone: 914-460-4039 >>> aim: matthewbhuff | Fax: 914-460-4139 >>> >>> >>> >>>> -----Original Message----- >>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of >>>> Alasdair McWilliam >>>> Sent: Wednesday, January 27, 2010 11:26 AM >>>> To: Holemans Wim >>>> Cc: cisco-nsp at puck.nether.net >>>> Subject: Re: [c-nsp] best ios version for VSS >>>> >>>> I have used 12.2(33)SXI1 on a VSS but encountered a *very* nasty bug triggered when performing an SSO >>>> failover, which causes STP to get its knickers in a twist. Ultimately we had to just power the whole >>>> thing off (both chassis) to break the loops and restore service, but the whole installation was >>>> offline for much longer than a reboot because ACE modules take flipping ages to boot... >>>> >>>> I now run 12.2(33)SXI2 on VSS with a 'workaround' for a memory leak bug (fixed in SXI2a) and it's been >>>> rock solid. Touch wood. >>>> >>>> I've run 12.2(33)SXI3 on some non-VSS nodes but the upgrade breaks SSH beyond repair (to my >>>> knowledge?) if you do an SSO failover, so these are going to be downgraded back to SXI2a. >>>> >>>> HTH >>>> >>>> >>>> >>>> >>>> On 27 Jan 2010, at 14:01, Holemans Wim wrote: >>>> >>>>> We have a VSS running, L2 only for the moment. We plan to enable L3 >>>>> (static routing only for the moment) next week (along with a FWSM board >>>>> in each chassis). 
>>>>> >>>>> We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for >>>>> the moment (I know this version has too much features for what we need >>>>> for the moment) >>>>> >>>>> The problems we had with this version until now : >>>>> >>>>> - One of the supervisors rebooted spontaneously leaving no >>>>> traces on why it restarted >>>>> >>>>> - ISSU (I don't remember what the version was we started the >>>>> upgrade) didn't work, so I had to boot both chassis manually, giving a >>>>> much higher downtime than expected >>>>> >>>>> - The activation of the first FWSM (inserted with power down >>>>> for that specific module, followed by power up of the module), caused a >>>>> crash and reboot of the supervisor of the chassis in with the FWSM was >>>>> inserted. >>>>> >>>>> >>>>> >>>>> So anyone has comments on to which version we eventually should upgrade >>>>> to before going to L3 ? (downtime will have a much larger impact from >>>>> that moment on). >>>>> >>>>> I found on the cisco website there is a version 12.2.33-SXH6(ED) and a >>>>> version 12.2.33-SXI3(ED) available. >>>>> >>>>> >>>>> >>>>> Greetings, >>>>> >>>>> >>>>> >>>>> Wim Holemans >>>>> >>>>> Network Services >>>>> >>>>> University of Antwerp >>>>> >>>>> _______________________________________________ >>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> > From bacon at walleyesoftware.com Wed Jan 27 18:30:38 2010 From: bacon at walleyesoftware.com (Jeff Bacon) Date: Wed, 27 Jan 2010 17:30:38 -0600 Subject: [c-nsp] 4900M vs. 
4503 for core In-Reply-To: References: Message-ID: <5A69C25361FED34F83ABF05F5047524507F05D74@wally.walleyetrading.net> > > We are a smaller shop (7 access switches including the datacenter) with > > 100Mb desktops and a mix of 100/1000 for servers. Switch-to- switch trunks > > are 1Gb. The number of access switches is very unlikely to change and we > > could, in the future move to a 10Gb. The 4900M solution would save a > > non-trivial amount over 4503 with Sup6. And a cat4948 would be cheaper than either one, while serving the same purpose. > > Is there anything glaringly wrong with choosing the 4900M using twin-gig > > based connections to the access layer over the 4503 Sup6 and 46xx line > > cards in our situation? When it comes time that you need 10G, there may/will be other fun options, and your needs may be totally different anyway. In the meantime, using a 4900M chassis with twin-gig ports seems like a waste. > What the 3750Gs - I would pick the "G" over the E/10GB until you need 10 > GB ... the price will have dropped by then - > is an clustered switch stack that you can run redundant etherchannels to ; > one link to one 3750, one link to the other. If you can still get 3560G/3750Gs. (Well, you can, used/refurb. I have a stack of 3560Gs I'll sell you!) > Save your money until you need [ unless you are going to run 10GB to 10GB > links where a single client to server connection will exceed 1 GB you can > just as easily port channel a bunch of 1 GB links and get almost the same > effect. Agreed. It doesn't sound like you need 10G. If you don't care about microsecond latency and don't have a lot of gig-connected servers screaming at each other at wire speed (in which case you might end up in a situation where two full-bore streams map onto the same gig port), etherchannel will do you fine. You could probably use a pair of 3560Gs for your core and get away with it, without having to spend any real money. 
I wouldn't actually stack the cores - too easy for one to take out the other via the stack cable... but that's a personal preference. The other issue is that cat4948s/4900Ms are in short supply nationwide, at least according to my supplier (and a quick look at ebay) - they appear to be going like hotcakes. I actually had to wait a couple weeks for the 4900M I just ordered, and I'm getting offers on my 4948Es that are WAY higher than you'd think for used equipment. (On the other hand, if you need to go with Cisco and want something with < 15usec switching latency, your choices are fairly limited - cat4k or Nexus - and one of those is a lot cheaper than the other...) If you _need_ to buy now once and for all, then you've got a problem. But if you don't, don't. From gsgranados at comcast.net Wed Jan 27 18:44:25 2010 From: gsgranados at comcast.net (Scott Granados) Date: Wed, 27 Jan 2010 15:44:25 -0800 Subject: [c-nsp] Self rebooting pix? References: <002401ca9e15$53269620$2608120a@am.thmulti.com><4B60A27C.6020502@justinshore.com> <99C9EE92-486B-4AFF-AEC1-9B3B13A23058@gmail.com> Message-ID: <001301ca9faa$af4fcde0$2608120a@am.thmulti.com> Tried that as well as with a new cable, still no luck. Next I'm going to capture the console output and see if that sheds any light on anything. ----- Original Message ----- From: "Jason LeBlanc" To: "Justin Shore" Cc: Sent: Wednesday, January 27, 2010 1:49 PM Subject: Re: [c-nsp] Self rebooting pix? > The point of termination between the pix and the power supply end point > (shaped like a 7) is a known issue. If it moves at all or gets bumped at > all it will reboot the devices. To rule this out you can try to zip tie > it to the device in an effort to keep it still. If there is no possible > movement and it still occurs it is most likely overheating as previously > mentioned. 
> > On Jan 27, 2010, at 1:30 PM, Justin Shore wrote: > >> Jason Gurtz wrote: >>>> After each drop this counter returns to 0 which tells me the Pix is >>>> rebooting for some reason. >>> [...] >>>> experienced this. The software rev is 6.3. >>> We experienced this on a 515E running 6.3 code. A move to the 7.0 >>> series >>> solved this issue. >> >> Same thing here. It would crash about once a month on us but the >> duration was show short that it was seldom ever noticed. It only took 45 >> seconds to boot. We solved it by installing ASAs. :-) >> >> Justin >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mhuff at ox.com Wed Jan 27 17:59:31 2010 From: mhuff at ox.com (Matthew Huff) Date: Wed, 27 Jan 2010 17:59:31 -0500 Subject: [c-nsp] best ios version for VSS In-Reply-To: References: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com> <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com> Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F66A@PUR-EXCH07.ox.com> The base bug is CSCtc41114. The workaround that I provided is derived from the bugid and a cisco engineer. -----Original Message----- From: Adam Korab [mailto:adam.korab at gmail.com] Sent: Wednesday, January 27, 2010 5:43 PM To: Matthew Huff Cc: Alasdair McWilliam; Holemans Wim; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] best ios version for VSS On Wed, Jan 27, 2010 at 10:50 AM, Matthew Huff wrote: > With SXI3 there is a quick fix for the SSH bug. Do you happen to have the bug ID for the ssh bug? 
We're considering the possibility that we'll need to upgrade to SXI very shortly here, although it's purported to also be affected by CSCte44349, which is a real pain in the ass. (Synopsis: HA config parser fails when you add a seq to an extended ACL (in our case, not WCCP) and reloads the standby chassis.)

--Adam

From mtinka at globaltransit.net Wed Jan 27 21:19:07 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 28 Jan 2010 10:19:07 +0800
Subject: [c-nsp] 4900M vs. 4503 for core
In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05D74@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524507F05D74@wally.walleyetrading.net>
Message-ID: <201001281019.12581.mtinka@globaltransit.net>

On Thursday 28 January 2010 07:30:38 am Jeff Bacon wrote:

> You could probably use a pair of 3560Gs for your core and
> get away with it, without having to spend any real
> money. I wouldn't actually stack the cores - too easy
> for one to take out the other via the stack cable... but
> that's a personal preference.

I tend to agree with this one - stacking (using proprietary technologies) core switches could get risky when things get hairy. Besides, how much can you stack before a chassis makes sense, and not just in ports?

I've used 3560G's as core switches in relatively small PoP's (pushing about 1Gbps or more with LACP). They're solid!

> If you _need_ to buy now once and for all, then you've
> got a problem. But if you don't, don't.

Agree. If you're not averse to other vendors, you could consider Juniper's EX3200's and EX4200's as well.

Cheers,

Mark.
From mtinka at globaltransit.net Wed Jan 27 22:02:25 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 28 Jan 2010 11:02:25 +0800
Subject: [c-nsp] best ios version for VSS
In-Reply-To: <37CAB25F-3AAD-4D92-A25F-8BBA80E9FB6F@gmail.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F66B@PUR-EXCH07.ox.com> <37CAB25F-3AAD-4D92-A25F-8BBA80E9FB6F@gmail.com>
Message-ID: <201001281102.26069.mtinka@globaltransit.net>

On Thursday 28 January 2010 07:16:35 am Alasdair McWilliam wrote:

> Here's me thinking I'm cracking up.
>
> I just did what you recommended and it worked! I guess
> SXI3 can stay... you've just saved me another early
> downtime window.

It never ceases to amaze me how problematic the history of the 6500 has been with regard to hardware and software stability, and yet we love it so and would put our heads on the block for it.

I long for the day when 6500 code becomes GD (if that's still a relevant goal with IOS these days, and not that GD-status necessarily eliminates a network melt here or a network melt there).

But meanwhile, I'll keep buying more of these boxes :-). The irony...

Cheers,

Mark.

From jasonleblanc at gmail.com Wed Jan 27 22:19:39 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Wed, 27 Jan 2010 20:19:39 -0700
Subject: [c-nsp] best ios version for VSS
In-Reply-To: <31A53B4D-BF50-4263-A441-D833AB7A03DB@gmail.com>
References: <6C14ED1D-C004-4E79-9BB8-15E6DF2C2E72@gmail.com> <483E6B0272B0284BA86D7596C40D29F9E2BC79F65E@PUR-EXCH07.ox.com> <31A53B4D-BF50-4263-A441-D833AB7A03DB@gmail.com>
Message-ID: 

I did the exact same thing first go round ;) Crazy thing is I just went through this 2 days ago and thanks to Matthew got it fixed!
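The phantom-key cleanup Matthew Huff describes in this thread, as an added example (not code from the thread, from Cisco, or from any poster): derive the truncated label from hostname and domain, look for it in a `show crypto key mypubkey rsa` listing (the listing below is a constructed sample; as Matthew notes the corrupted key was hidden, so it may not appear at all), emit the two IOS commands he posted, and confirm afterwards that only the real FQDN-labelled key remains. It assumes, as the thread states, that the bad label is exactly the FQDN minus its final character.

```python
import re

# Cisco IOS lists RSA key pairs under "Key name:" in
# "show crypto key mypubkey rsa"; this matches that line.
KEY_NAME_RE = re.compile(r"^Key name:\s*(\S+)\s*$", re.MULTILINE)

# Constructed sample listing after an upgrade that left a phantom key
# behind.  On a real box the hidden key may not be listed; the commands
# below do not depend on it being visible.
SAMPLE_LISTING = """\
% Key pair was generated at: 10:32:11 UTC Jan 27 2010
Key name: switch-core1.ox.com
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
% Key pair was generated at: 10:35:02 UTC Jan 27 2010
Key name: switch-core1.ox.co
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
"""


def fqdn(hostname: str, domain: str) -> str:
    """Default RSA key label when none is given: hostname.domain."""
    return f"{hostname}.{domain}"


def phantom_label(hostname: str, domain: str) -> str:
    """Label the bug leaves behind: the FQDN with its last character dropped."""
    return fqdn(hostname, domain)[:-1]


def key_labels(listing: str) -> list[str]:
    """All key labels present in a 'show crypto key mypubkey rsa' listing."""
    return KEY_NAME_RE.findall(listing)


def find_phantom(listing: str, hostname: str, domain: str) -> bool:
    """True if the listing shows a key under the truncated FQDN label."""
    return phantom_label(hostname, domain) in key_labels(listing)


def cleanup_commands(hostname: str, domain: str) -> list[str]:
    """Config-mode commands from the thread: overwrite the phantom with a
    throwaway key under the bad label, then zeroize that label.  The
    512-bit modulus is only acceptable because the key is deleted
    immediately; it is never used as the device's real SSH host key."""
    label = phantom_label(hostname, domain)
    return [
        f"crypto key generate rsa general-keys label {label} modulus 512",
        f"crypto key zeroize rsa {label}",
    ]


def verify_cleanup(listing_after: str, hostname: str, domain: str) -> bool:
    """After zeroizing, the truncated label must be gone and the real
    FQDN-labelled host key must still be present."""
    labels = key_labels(listing_after)
    return (phantom_label(hostname, domain) not in labels
            and fqdn(hostname, domain) in labels)


if __name__ == "__main__":
    host, dom = "switch-core1", "ox.com"
    print("phantom label:", phantom_label(host, dom))
    print("listed in sample:", find_phantom(SAMPLE_LISTING, host, dom))
    for cmd in cleanup_commands(host, dom):
        print(f"{host}(config)#{cmd}")
```

Run it once more against the post-cleanup listing with verify_cleanup() before closing the downtime window, so a still-present phantom is caught while you are on the console.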
On Jan 27, 2010, at 4:03 PM, Alasdair McWilliam wrote: > I take back what I just said about the specified workaround not working....... I clearly had blinkers on and missed the line about taking the last character off !!! > > Ho hum.. > > > On 27 Jan 2010, at 23:01, Alasdair McWilliam wrote: > >> Oooh... :-) >> >> The bug I had stumbled over was CSCtc41114, matching our conditions and symptoms. I've had no luck with the workarounds mentioned in the bug notes and my interpretation was that SXI3 'caused' the bug. I don't have the luxury of test boxes, multiple downtime windows or just enabling alternative remote access mechanisms (i.e. telnet !), so was going to try just downgrade back to SXI2a. >> >> I'll try this and see how we go... :) >> >> >> On 27 Jan 2010, at 16:50, Matthew Huff wrote: >> >>> With SXI3 there is a quick fix for the SSH bug. >>> >>> Basically, during the upgrade the key gets corrupted and becomes a phantom. You can't delete it with zeroize. The corruption is in the key label (which if you don't specify, is the fqdn) which gets corrupted with the last letter left off. >>> >>> For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co". >>> >>> The solution is to create a key with the bad label that will overwrite the phantom, then delete it: >>> >>> switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512 >>> switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co >>> >>> and the phantom key will be gone. 
>>> >>> >>> ---- >>> Matthew Huff | One Manhattanville Rd >>> OTA Management LLC | Purchase, NY 10577 >>> http://www.ox.com | Phone: 914-460-4039 >>> aim: matthewbhuff | Fax: 914-460-4139 >>> >>> >>> >>>> -----Original Message----- >>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of >>>> Alasdair McWilliam >>>> Sent: Wednesday, January 27, 2010 11:26 AM >>>> To: Holemans Wim >>>> Cc: cisco-nsp at puck.nether.net >>>> Subject: Re: [c-nsp] best ios version for VSS >>>> >>>> I have used 12.2(33)SXI1 on a VSS but encountered a *very* nasty bug triggered when performing an SSO >>>> failover, which causes STP to get its knickers in a twist. Ultimately we had to just power the whole >>>> thing off (both chassis) to break the loops and restore service, but the whole installation was >>>> offline for much longer than a reboot because ACE modules take flipping ages to boot... >>>> >>>> I now run 12.2(33)SXI2 on VSS with a 'workaround' for a memory leak bug (fixed in SXI2a) and it's been >>>> rock solid. Touch wood. >>>> >>>> I've run 12.2(33)SXI3 on some non-VSS nodes but the upgrade breaks SSH beyond repair (to my >>>> knowledge?) if you do an SSO failover, so these are going to be downgraded back to SXI2a. >>>> >>>> HTH >>>> >>>> >>>> >>>> >>>> On 27 Jan 2010, at 14:01, Holemans Wim wrote: >>>> >>>>> We have a VSS running, L2 only for the moment. We plan to enable L3 >>>>> (static routing only for the moment) next week (along with a FWSM board >>>>> in each chassis). 
>>>>> >>>>> We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for >>>>> the moment (I know this version has too much features for what we need >>>>> for the moment) >>>>> >>>>> The problems we had with this version until now : >>>>> >>>>> - One of the supervisors rebooted spontaneously leaving no >>>>> traces on why it restarted >>>>> >>>>> - ISSU (I don't remember what the version was we started the >>>>> upgrade) didn't work, so I had to boot both chassis manually, giving a >>>>> much higher downtime than expected >>>>> >>>>> - The activation of the first FWSM (inserted with power down >>>>> for that specific module, followed by power up of the module), caused a >>>>> crash and reboot of the supervisor of the chassis in with the FWSM was >>>>> inserted. >>>>> >>>>> >>>>> >>>>> So anyone has comments on to which version we eventually should upgrade >>>>> to before going to L3 ? (downtime will have a much larger impact from >>>>> that moment on). >>>>> >>>>> I found on the cisco website there is a version 12.2.33-SXH6(ED) and a >>>>> version 12.2.33-SXI3(ED) available. 
>>>>> >>>>> >>>>> >>>>> Greetings, >>>>> >>>>> >>>>> >>>>> Wim Holemans >>>>> >>>>> Network Services >>>>> >>>>> University of Antwerp >>>>> >>>>> _______________________________________________ >>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From cze.lists at gmail.com Thu Jan 28 00:46:26 2010 From: cze.lists at gmail.com (Christian Zeng) Date: Thu, 28 Jan 2010 06:46:26 +0100 Subject: [c-nsp] ip sla echo vrf with df-bit set? In-Reply-To: References: Message-ID: <20100128054626.GA2596@zengl.net> Hi, * Christopher Hunt wrote: > Unfortunately, I cannot find any way to set the DF bit using "ip sla > monitor". Anyone know if it's available anywhere or coming soon? Can > anyone else think of another strategy? I'm currently running 12.4(22)T on a > series of 7200VXRs. Look around the cli if there is a "tos" command/option in the ip sla subprompt. Then take your DSCP value and convert it to the decimal TOS value (decimal to binary, add 2 zeros to the right, convert it back to decimal). Best regards, Christian From kseedorf at gmail.com Thu Jan 28 01:12:44 2010 From: kseedorf at gmail.com (Robert Seedorf) Date: Thu, 28 Jan 2010 01:12:44 -0500 Subject: [c-nsp] Self rebooting pix? 
In-Reply-To: <001301ca9faa$af4fcde0$2608120a@am.thmulti.com> References: <002401ca9e15$53269620$2608120a@am.thmulti.com> <4B60A27C.6020502@justinshore.com> <99C9EE92-486B-4AFF-AEC1-9B3B13A23058@gmail.com> <001301ca9faa$af4fcde0$2608120a@am.thmulti.com> Message-ID: We had this issue on a 525 and opened a TAC case. We provided Cisco with sh tech (I think) and the root cause was a code issue (ver. 6.x) concerning the number of connections. The issue was resolved with an update to the code. Sorry would like to confirm that the issue is most likely a code problem but doing this from memory. On Wed, Jan 27, 2010 at 6:44 PM, Scott Granados wrote: > Tried that as well as with a new cable, still no luck. Next I'm going to > capture the console output and see if that sheds any light on anything. > > ----- Original Message ----- From: "Jason LeBlanc" > > To: "Justin Shore" > Cc: > Sent: Wednesday, January 27, 2010 1:49 PM > Subject: Re: [c-nsp] Self rebooting pix? > > > > The point of termination between the pix and the power supply end point >> (shaped like a 7) is a known issue. If it moves at all or gets bumped at >> all it will reboot the devices. To rule this out you can try to zip tie it >> to the device in an effort to keep it still. If there is no possible >> movement and it still occurs it is most likely overheating as previously >> mentioned. >> >> On Jan 27, 2010, at 1:30 PM, Justin Shore wrote: >> >> Jason Gurtz wrote: >>> >>>> After each drop this counter returns to 0 which tells me the Pix is >>>>> rebooting for some reason. >>>>> >>>> [...] >>>> >>>>> experienced this. The software rev is 6.3. >>>>> >>>> We experienced this on a 515E running 6.3 code. A move to the 7.0 >>>> series >>>> solved this issue. >>>> >>> >>> Same thing here. It would crash about once a month on us but the >>> duration was show short that it was seldom ever noticed. It only took 45 >>> seconds to boot. We solved it by installing ASAs. 
>>> :-)
>>>
>>> Justin
>>>
>>
>

From ip at ioshints.info Thu Jan 28 01:15:58 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 28 Jan 2010 07:15:58 +0100
Subject: [c-nsp] ip sla echo vrf with df-bit set?
In-Reply-To: 
References: 
Message-ID: <004b01ca9fe1$5c6fa8c0$154efa40$@info>

Just guessing: Local policy routing that sets DF bit on ICMP ECHO traffic between two known IP addresses with the "set ip df 1" command within the route-map. Let me know if it works ;)

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> -----Original Message-----
> From: Christopher Hunt [mailto:dharmachris at gmail.com]
> Sent: Thursday, January 28, 2010 12:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ip sla echo vrf with df-bit set?
>
> I'm trying to setup a mechanism for ensuring end-to-end MTU in our L3 MPLS
> VPN network. I'd like to use ip sla tracking to do so and I have setup a
> monitor:
>
> ip sla monitor 99
>  type echo protocol ipIcmpEcho x.x.x.x
>  request-data-size 1500
>  vrf XYZ
>
> Unfortunately, I cannot find any way to set the DF bit using "ip sla
> monitor". Anyone know if it's available anywhere or coming soon? Can
> anyone else think of another strategy? I'm currently running 12.4(22)T on
> a
> series of 7200VXRs.
> > Cheer, > Christopher Hunt From ip at ioshints.info Thu Jan 28 01:27:25 2010 From: ip at ioshints.info (Ivan Pepelnjak) Date: Thu, 28 Jan 2010 07:27:25 +0100 Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet In-Reply-To: <47FB370E-C073-4613-927F-F75C9C6D01F2@gmail.com> References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com> <001c01ca9ee1$80d19710$8274c530$@net> <007b01ca9f7d$b6369800$22a3c800$@pepelnjak@zaplana.net> <47FB370E-C073-4613-927F-F75C9C6D01F2@gmail.com> Message-ID: <005b01ca9fe2$f5e94050$e1bbc0f0$@info> OK, it looks like I've over-engineered the solution ;) The best solution (if you can make it work) would be to run BGP over the backup links and use BGP attributes to make backup links a less desirable BGP path. Running OSPF on backup links and BGP on MPLS VPN can be made to work ... barely. I did a workshop once using almost exactly the same network. Each site was fully redundant with two routers, one connected to Internet, the other one to MPLS VPN network. I was able to make it work after a lot of tweaking and two-way redistribution, but I'm not sure anyone in the audience got all the details ;) Your situation might be easier as you're using default routing from the central site, but do try to go for "BGP everywhere". Ivan Pepelnjak blog.ioshints.info / www.ioshints.info > -----Original Message----- > From: Jason LeBlanc [mailto:jasonleblanc at gmail.com] > Sent: Wednesday, January 27, 2010 11:12 PM > To: Ivan Pepelnjak > Cc: 'Luan Nguyen'; 'Cisco-nsp' > Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over > Internet > > Exactly. This is a secondary form of calling back home if the MPLS Link > or BGP breaks. We have static routes at the remote site pointing traffic > over the IPSEC tunnel if it fails. If MPLS is lost we want the remote > campus to be able to communicate with the main datacenter which is also > where the main MPLS router exists. 
> We currently have a VPN device at the Datacenter that runs OSPF on the home end.
>
>
>
>                                  MPLS Router 7200 -----------------------> {AT&T MPLS Cloud} -->
>                                 /                                                               \
> Core 6500 --> Distribution Router 6500 --                                                      -- Campus Router Cisco or Juniper SSG
>                                 \                                                               /
>                                  Site to site VPN Juniper ISG-1000 --> {ISP IPSEC VPN} -------->
>
>
>
>
> On Jan 27, 2010, at 11:22 AM, Ivan Pepelnjak wrote:
>
> > Jason, are you trying to solve only the remote site problem? Is the main
> > campus receiving specific routes for each remote site through the MPLS VPN
> > cloud?
> >
> >> -----Original Message-----
> >> From: Jason LeBlanc [mailto:jasonleblanc at gmail.com]
> >> Sent: Wednesday, January 27, 2010 1:48 AM
> >> To: Luan Nguyen
> >> Cc: 'Cisco-nsp'
> >> Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over
> >> Internet
> >>
> >> Current topology is pretty simple. AT&T drops an MPLS circuit either PPP
> >> Multilink Bundled T1's or an Ethernet hand off. On another interface we
> >> generally have an ethernet hand off from another ISP. We run BGP to move
> >> all the traffic around on one 172.x.x.x/30's and then our LAN is on
> >> 10.x.x.x. We have an outside IP address on another ethernet port which is
> >> the IPSEC termination point. BGP from our main campus injects a default
> >> route which we receive. Currently we just manually added static 0.0.0.0
> >> routes out the tunnel interfaces with a metric of 32000. So when BGP
> >> drops off we will route over the IPSEC VPN Tunnel back home.
> >> > >> Headquarters 172.1.1.1/30 --> ATTMPLS 172.1.1.2/30 --> > >> > >> ATTMPLS 172.2.2.1/30 --> Remote Campus 172.2.2.2/30 (running BGP) --> > >> 10.1.1.1/24 > >> > >> ISP-X Ethernet 200.1.1.1/30 --> Remote Campus 200.1.1.2/30 --> IPSEC > VPN > >> Tunnel.1 10.1.1.20/24 --> Headquarters Tunnel.1 10.1.1.21/24 > >> > >> BGP Provides default route > >> Static 0.0.0.0 0.0.0.0 Tunel.1 Metric 32000 > >> > >> It is my assumption that if the traffic cant get to its destination > >> because BGP has lost it our backup link the IPSEC VPN with the higher > >> metric will become the new default route. > > From kenny.sallee at gmail.com Thu Jan 28 01:59:23 2010 From: kenny.sallee at gmail.com (Kenny Sallee) Date: Wed, 27 Jan 2010 22:59:23 -0800 Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet In-Reply-To: <005b01ca9fe2$f5e94050$e1bbc0f0$@info> References: <0092312D-11F0-4C27-9251-ABEF65F04652@gmail.com> <001c01ca9ee1$80d19710$8274c530$@net> <47FB370E-C073-4613-927F-F75C9C6D01F2@gmail.com> <005b01ca9fe2$f5e94050$e1bbc0f0$@info> Message-ID: <4a80ecce1001272259q3eb91a5p7aa4df9945c2f3b9@mail.gmail.com> Why not an IGP on the backup link, BGP over MPLS, and eBGP peer from your 'MPLS' router to your core network? All of your MPLS routes will be eBGP w/ admin of 20 and depending on what IGP you choose it'll have a higher admin distance. Normal ops BGP routes are preferred. If MPLS goes away IGP route will be there. I have something like this setup in a lab and planned for production soon. Works great Or - if you can't run BGP on your core (code versions don't support BGP for example) - run BGP over MPLS and GRE only. Redistro BGP into whatever IGP and tweak the metrics on redistro so backup link looks worse. If EIGRP tweak the seed metrics. If OSPF you can use a route-map to set the OSPF route-type to E1 for primary and E2 for backup. I wouldn't do mutual redistro - use network statements in BGP to originate your routes over MPLS and GRE. 
Makes it a little easier / less error prone methinks.

Kenny

On Wed, Jan 27, 2010 at 10:27 PM, Ivan Pepelnjak wrote:

> OK, it looks like I've over-engineered the solution ;)
>
> The best solution (if you can make it work) would be to run BGP over the backup links and use BGP attributes to make backup links a less desirable BGP path.
>
> Running OSPF on backup links and BGP on MPLS VPN can be made to work ... barely. I did a workshop once using almost exactly the same network. Each site was fully redundant with two routers, one connected to Internet, the other one to MPLS VPN network. I was able to make it work after a lot of tweaking and two-way redistribution, but I'm not sure anyone in the audience got all the details ;)
>
> Your situation might be easier as you're using default routing from the central site, but do try to go for "BGP everywhere".
>
> Ivan Pepelnjak
> blog.ioshints.info / www.ioshints.info
>
> > -----Original Message-----
> > From: Jason LeBlanc [mailto:jasonleblanc at gmail.com]
> > Sent: Wednesday, January 27, 2010 11:12 PM
> > To: Ivan Pepelnjak
> > Cc: 'Luan Nguyen'; 'Cisco-nsp'
> > Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
> >
> > Exactly. This is a secondary form of calling back home if the MPLS Link or BGP breaks. We have static routes at the remote site pointing traffic over the IPSEC tunnel if it fails. If MPLS is lost we want the remote campus to be able to communicate with the main datacenter which is also where the main MPLS router exists. We currently have a VPN device at the Datacenter that runs OSPF on the home end.
> >
> >                       MPLS Router 7200 -----------------------> {AT&T MPLS Cloud} -->
> >                     /                                                                \
> > Core 6500 --> Distribution Router 6500 --                                            -- Campus Router Cisco or Juniper SSG
> >                     \                                                                /
> >                       Site to site VPN Juniper ISG-1000 --> {ISP IPSEC VPN} -------->
> >
> > On Jan 27, 2010, at 11:22 AM, Ivan Pepelnjak wrote:
> >
> > > Jason, are you trying to solve only the remote site problem? Is the main campus receiving specific routes for each remote site through the MPLS VPN cloud?
> > >
> > >> -----Original Message-----
> > >> From: Jason LeBlanc [mailto:jasonleblanc at gmail.com]
> > >> Sent: Wednesday, January 27, 2010 1:48 AM
> > >> To: Luan Nguyen
> > >> Cc: 'Cisco-nsp'
> > >> Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
> > >>
> > >> Current topology is pretty simple. AT&T drops an MPLS circuit, either PPP Multilink Bundled T1's or an Ethernet hand off. On another interface we generally have an ethernet hand off from another ISP. We run BGP to move all the traffic around on one 172.x.x.x/30's and then our LAN is on 10.x.x.x. We have an outside IP address on another ethernet port which is the IPSEC termination point. BGP from our main campus injects a default route which we receive. Currently we just manually added static 0.0.0.0 routes out the tunnel interfaces with a metric of 32000. So when BGP drops off we will route over the IPSEC VPN Tunnel back home.
> > >>
> > >> Headquarters 172.1.1.1/30 --> ATTMPLS 172.1.1.2/30 -->
> > >> ATTMPLS 172.2.2.1/30 --> Remote Campus 172.2.2.2/30 (running BGP) --> 10.1.1.1/24
> > >>
> > >> ISP-X Ethernet 200.1.1.1/30 --> Remote Campus 200.1.1.2/30 --> IPSEC VPN Tunnel.1 10.1.1.20/24 --> Headquarters Tunnel.1 10.1.1.21/24
> > >>
> > >> BGP Provides default route
> > >> Static 0.0.0.0 0.0.0.0 Tunnel.1 Metric 32000
> > >>
> > >> It is my assumption that if the traffic can't get to its destination because BGP has lost it, our backup link (the IPSEC VPN with the higher metric) will become the new default route.
> >
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From gert at greenie.muc.de Thu Jan 28 03:00:13 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 28 Jan 2010 09:00:13 +0100
Subject: [c-nsp] best ios version for VSS
In-Reply-To: <201001281102.26069.mtinka@globaltransit.net>
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F66B@PUR-EXCH07.ox.com> <37CAB25F-3AAD-4D92-A25F-8BBA80E9FB6F@gmail.com> <201001281102.26069.mtinka@globaltransit.net>
Message-ID: <20100128080013.GX857@greenie.muc.de>

Hi,

On Thu, Jan 28, 2010 at 11:02:25AM +0800, Mark Tinka wrote:
> But meanwhile, I'll keep buying more of these boxes :-).

Cisco must really hate this box. All their attempts to drive customers away (BU split, shoddy support for modular IOS, confusing platform strategy) are *still* not working - and customers are still refusing to buy $EXPENSIVE $REAL_ROUTER boxes instead...

Indeed, I fully share your sentiments - we're hoping that SX IOS might eventually reach a less-buggy state, but we've learned to live with it, and keep buying new gear...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/          Gert Doering - Munich, Germany          gert at greenie.muc.de
fax: +49-89-35655025                      gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL:

From Kevin.Hatem at pgs.com Thu Jan 28 07:37:35 2010
From: Kevin.Hatem at pgs.com (Kevin Hatem)
Date: Thu, 28 Jan 2010 06:37:35 -0600
Subject: [c-nsp] 4900M vs. 4503 for core
In-Reply-To: <201001281019.12581.mtinka@globaltransit.net>
References: <5A69C25361FED34F83ABF05F5047524507F05D74@wally.walleyetrading.net> <201001281019.12581.mtinka@globaltransit.net>
Message-ID: <15D5002F61F31A45A82A153D2F739067B173289594@HOUMS26.onshore.pgs.com>

The 4900M are in very short supply as Jeff mentions. I waited 3 months for the chassis (fall 2009) and just ordered the 20 port 1G module, and it is back ordered to March.

The 4900M is very good if you need to aggregate your 10G as top of rack, then maybe out to a metro E. The 3560G is a great mid-core solution for small shops. I also agree that using a stack in the core is bad.

-kevin
++++++++++++++++
-----
++++++++++++++++

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Wednesday, January 27, 2010 20:19
To: cisco-nsp at puck.nether.net
Cc: Jeff Bacon
Subject: Re: [c-nsp] 4900M vs. 4503 for core

On Thursday 28 January 2010 07:30:38 am Jeff Bacon wrote:

> You could probably use a pair of 3560Gs for your core and get away
> with it, without having to spend any real money. I wouldn't actually
> stack the cores - too easy for one to take out the other via the
> stack cable... but that's a personal preference.

I tend to agree with this one - stacking (using proprietary technologies) core switches could get risky when things get hairy. Besides, how much can you stack before a chassis makes sense, and not just in ports?

I've used 3560G's as core switches in relatively small PoP's (pushing about 1Gbps or more with LACP). They're solid!

> If you _need_ to buy now once and for all, then you've got a problem.
> But if you don't, don't.

Agree.

If you're not averse to other vendors, you could consider Juniper's EX3200's and EX4200's as well.

Cheers,

Mark.

This e-mail, including any attachments and response string, may contain proprietary information which is confidential and may be legally privileged. It is for the intended recipient only. If you are not the intended recipient or transmission error has misdirected this e-mail, please notify the author by return e-mail and delete this message and any attachment immediately. If you are not the intended recipient you must not use, disclose, distribute, forward, copy, print or rely on this e-mail in any way except as permitted by the author.

From geoff at pendery.net Thu Jan 28 09:49:15 2010
From: geoff at pendery.net (Geoffrey Pendery)
Date: Thu, 28 Jan 2010 08:49:15 -0600
Subject: [c-nsp] 4900M vs. 4503 for core
In-Reply-To: <15D5002F61F31A45A82A153D2F739067B173289594@HOUMS26.onshore.pgs.com>
References: <5A69C25361FED34F83ABF05F5047524507F05D74@wally.walleyetrading.net> <201001281019.12581.mtinka@globaltransit.net> <15D5002F61F31A45A82A153D2F739067B173289594@HOUMS26.onshore.pgs.com>
Message-ID:

Thirded.

We recently built out a large deployment, with a mix of hardware ordered, and the 4900Ms were the last thing to arrive, many months late. The 4500's with Sup 6E were also significantly delayed due to short supply (and indeed, I believe the 4900M really is a 4500 Sup6E, just in a fixed slot chassis).

-Geoff

On Thu, Jan 28, 2010 at 6:37 AM, Kevin Hatem wrote:
> The 4900M are in very short supply as Jeff mentions. I waited 3 months for the chassis (fall 2009) and just ordered the 20 port 1G module, and it is back ordered to March.
>
> The 4900M is very good if you need to aggregate your 10G as top of rack, then maybe out to a metro E. The 3560G is a great mid-core solution for small shops. I also agree that using a stack in the core is bad.
>
> -kevin
> ++++++++++++++++
> -----
> ++++++++++++++++
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
> Sent: Wednesday, January 27, 2010 20:19
> To: cisco-nsp at puck.nether.net
> Cc: Jeff Bacon
> Subject: Re: [c-nsp] 4900M vs. 4503 for core
>
> On Thursday 28 January 2010 07:30:38 am Jeff Bacon wrote:
>
>> You could probably use a pair of 3560Gs for your core and get away
>> with it, without having to spend any real money. I wouldn't actually
>> stack the cores - too easy for one to take out the other via the
>> stack cable... but that's a personal preference.
>
> I tend to agree with this one - stacking (using proprietary technologies) core switches could get risky when things get hairy. Besides, how much can you stack before a chassis makes sense, and not just in ports?
>
> I've used 3560G's as core switches in relatively small PoP's (pushing about 1Gbps or more with LACP). They're solid!
>
>> If you _need_ to buy now once and for all, then you've got a problem.
>> But if you don't, don't.
>
> Agree.
>
> If you're not averse to other vendors, you could consider Juniper's EX3200's and EX4200's as well.
>
> Cheers,
>
> Mark.
>
> This e-mail, including any attachments and response string, may contain proprietary information which is confidential and may be legally privileged. It is for the intended recipient only. If you are not the intended recipient or transmission error has misdirected this e-mail, please notify the author by return e-mail and delete this message and any attachment immediately. If you are not the intended recipient you must not use, disclose, distribute, forward, copy, print or rely on this e-mail in any way except as permitted by the author.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From bacon at walleyesoftware.com Thu Jan 28 10:24:44 2010
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Thu, 28 Jan 2010 09:24:44 -0600
Subject: [c-nsp] cisco-nsp Digest, Vol 86, Issue 90
In-Reply-To:
References:
Message-ID: <5A69C25361FED34F83ABF05F5047524507F05D8A@wally.walleyetrading.net>

> From: Geoffrey Pendery
>
> Thirded.
> We recently built out a large deployment, with a mix of hardware
> ordered, and the 4900Ms were the last thing to arrive, many months late.
> The 4500's with Sup 6E were also significantly delayed due to short
> supply (and indeed, I believe the 4900M really is a 4500 Sup6E,
> just in a fixed slot chassis).

All of the 4900s are just forms of 4500-supXs in a fixed-unit box at a far better price. The 4948 is I believe a sup-V, only you can't oversubscribe it (which you could easily do in the 4k chassis form). Rather nice of them.

It's a crying shame really that the cat4k development group lost the Big Nexus Battle and went off to Arista. Well, unless you happen to like Arista. :)

-bacon (planning to put an Arista in his test lab soon)

From SPfister at dps.k12.oh.us Thu Jan 28 10:40:02 2010
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 28 Jan 2010 10:40:02 -0500
Subject: [c-nsp] Vlans and PIX firewal
In-Reply-To: <4B605E3F.9E6F.00B8.0@dps.k12.oh.us>
References: <4B605E3F.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <4B61697B.9E6F.00B8.0@dps.k12.oh.us>

I've got a diagram together that I probably should have included with my original post, and hopefully I've got everything on there that I need to...

http://www.pfisterfarm.com/vlan_and_pix_post.jpg

The ports on the 4507R going to the pix are both access ports in the appropriate vlan. All other ports should be trunk ports, currently.

Thanks!
Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Steven Pfister" 1/27/2010 3:39 PM >>>
Thanks again to everyone who replied to my last post... I've got another project related to the same VMWare server...

I have a situation where I need to set up network access for a new virtual server in a vlan where most of the existing hosts are on the other side of a PIX 525 (running 7.2(2)). The other hosts in the vlan are connected to a 4507 core switch, which is connected to an interface which is the DMZ and has the default gateway address of that vlan. Actually, the vlan, let's use the number 10, was set up at one point but is currently shutdown. The connection to the PIX is an access port in the 10 vlan. The inside interface is connected to another port on the same 4507. The port the inside interface is connected to is an access port in the central site's core vlan... let's use 20 for this discussion. The VMWare server is 2 hops away, first through an ATM connection to a 8540 (set up with IRB) to a 3560.

Two other things about the configuration that might be important: (1) there is a second PIX in an active/standby configuration, and (2) the inside ports that the two PIXes are connected to are the source in a port mirror to a port that a content filter is connected to.

I'm guessing that some sort of routing needs to be set up on the PIX(es)... what is the best method of doing that? Since this is a production network, I was hoping to have to change as little as possible (obviously...)

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jasongurtz at npumail.com Thu Jan 28 10:57:25 2010
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Thu, 28 Jan 2010 10:57:25 -0500
Subject: [c-nsp] Self rebooting pix?
In-Reply-To:
References: <002401ca9e15$53269620$2608120a@am.thmulti.com> <4B60A27C.6020502@justinshore.com> <99C9EE92-486B-4AFF-AEC1-9B3B13A23058@gmail.com> <001301ca9faa$af4fcde0$2608120a@am.thmulti.com>
Message-ID:

> We had this issue on a 525 and opened a TAC case. We provided Cisco with
> sh tech (I think) and the root cause was a code issue (ver. 6.x)
> concerning the number of connections.

Never called the TAC here but that sounds about right. At the time we experienced this we were adding PAT mappings as well as steadily increasing the amount of IPSEC client connections and adding user accounts. 7.0 series has a user account corruption issue and we have a case open on it, though I hope to go Justin's way and have an ASA here in the near future.

~JasonG

From AMcglinchey at wiseman-dairies.co.uk Thu Jan 28 11:01:26 2010
From: AMcglinchey at wiseman-dairies.co.uk (Alun Mcglinchey)
Date: Thu, 28 Jan 2010 16:01:26 +0000
Subject: [c-nsp] Alun Mcglinchey is out of the office.
Message-ID:

I will be out of the office starting 28/01/2010 and will not return until 01/02/2010.

I will respond to your message when I return, if your query is urgent please contact the IT servicedesk team on 6634 or email Cameron McKinnon (cmckinnon at wiseman-dairies.co.uk)

*********************************************************************************
Disclaimer: This electronic mail, together with any attachments, is for the exclusive and confidential use of the recipient addressee.
Any other distribution, use or reproduction without our prior consent is unauthorised and strictly prohibited. If you have received this message in error, please delete it immediately and contact the sender directly or the Robert Wiseman & Sons Ltd IT Helpdesk on +44 (0)1355 270634. Any views or opinions expressed in this message are those of the author and do not necessarily represent those of Robert Wiseman & Sons Ltd or of any of its associated companies. No reliance may be placed on this message without written confirmation from an authorised representative of the company. Robert Wiseman & Sons Limited reserves the right to monitor all e-mail communications through its network. This message has been checked for viruses but the recipient is strongly advised to re-scan the message before opening any attachments or attached executable files.

ROBERT WISEMAN & SONS LIMITED
Registered Number: 87376 Scotland
Registered Office: 159 Glasgow Road, East Kilbride, Glasgow, G74 4PA
********************************************************************************

From rsm at fast-serv.com Thu Jan 28 14:39:57 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Thu, 28 Jan 2010 14:39:57 -0500
Subject: [c-nsp] port-channel help (warning, might be dumb)
Message-ID: <20100128192903.M71356@fast-serv.com>

I'm trying to configure a LACP port-channel between Cisco 6509 and Foundry FESX.

Cisco config:

interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,28
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1/5
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,28
 switchport mode trunk
 no ip address
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet1/6
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,28
 switchport mode trunk
 no ip address
 channel-protocol lacp
 channel-group 1 mode active
!

Foundry config:

trunk ethe 1 to 2
trunk deploy

After everything is seemingly up and running on the Foundry side (trunk active), I notice some intermittent connectivity, along with Arp traffic looping back from the Cisco. So I check the Cisco and po1 is 'down', no trunk...

#sh int po1
Port-channel1 is down, line protocol is down (notconnect)
  Hardware is EtherChannel, address is 0013.6067.899a (bia 0013.6067.899a)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
<--snip-->

I hope I'm just missing something really stupid on the Cisco side... Thanks in advance.

--
Randy

From gsgranados at comcast.net Thu Jan 28 15:26:00 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 28 Jan 2010 12:26:00 -0800
Subject: [c-nsp] More on the rebooting pix, log settings?
Message-ID: <004c01caa058$1efd3f80$2608120a@am.thmulti.com>

Hi,

Per some of the suggestions I've attached a console cable and laptop to capture the output to try to see if there is any clue of the cause of these spontaneous reboots. All I'm capturing though are TCP / UDP connection built / tear down messages. What log settings should I add and what if anything specific to the console should I change? Any logging pointers would be appreciated. The device is a Pix running 6.3 code.

Thank you
Scott

From ross at kallisti.us Thu Jan 28 15:33:31 2010
From: ross at kallisti.us (Ross Vandegrift)
Date: Thu, 28 Jan 2010 15:33:31 -0500
Subject: [c-nsp] best ios version for VSS
In-Reply-To: <201001281102.26069.mtinka@globaltransit.net>
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F66B@PUR-EXCH07.ox.com> <37CAB25F-3AAD-4D92-A25F-8BBA80E9FB6F@gmail.com> <201001281102.26069.mtinka@globaltransit.net>
Message-ID: <20100128203331.GA13711@kallisti.us>

On Thu, Jan 28, 2010 at 11:02:25AM +0800, Mark Tinka wrote:
> It never ceases to amaze me how problematic the history of
> the 6500 has been with regard to hardware and software
> stability, and yet we love it so and would put our heads on
> the block for it.
That sentiment boggles my mind. Am I the only one that bitterly hates the 6500 for its unexplainable inconsistency and prolific crash bugs? Put my head on the chopping block for the 6500? No thanks - I can't depend on them for anything. Wish I could get rid of them faster!

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL:

From tkacprzynski at SpencerStuart.com Thu Jan 28 15:04:15 2010
From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com)
Date: Thu, 28 Jan 2010 14:04:15 -0600
Subject: [c-nsp] Traceroute parser/visualizer
Message-ID:

Hi,
I'm looking for some tool/script that takes in traceroute output generated by Cisco devices and graphs it.

Has anyone heard of anything like that?

Thank you,

Tom

From livio.zanol.puppim at gmail.com Thu Jan 28 15:54:27 2010
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim)
Date: Thu, 28 Jan 2010 18:54:27 -0200
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
Message-ID:

Hi folks,

Can anyone please tell me the advantages of using Nexus 2000 over Catalyst 4948 as access layer switches?

Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that could be used by servers with 10GbE/FCoE servers.

Also, are there any advantages on NX-OS compared to IOS?

Thanks.

--
[]'s
Lívio Zanol Puppim

From eng_mssk at hotmail.com Thu Jan 28 16:30:02 2010
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 28 Jan 2010 23:30:02 +0200
Subject: [c-nsp] Traceroute parser/visualizer
In-Reply-To:
References:
Message-ID:

try pingplotter

> Date: Thu, 28 Jan 2010 14:04:15 -0600
> From: tkacprzynski at spencerstuart.com
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Traceroute parser/visualizer
>
> Hi,
> I'm looking for some tool/script that takes in traceroute output
> generated by Cisco devices and graphs it.
>
> Has anyone heard of anything like that?
>
> Thank you,
>
> Tom
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
https://signup.live.com/signup.aspx?id=60969

From tkacprzynski at SpencerStuart.com Thu Jan 28 16:33:29 2010
From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com)
Date: Thu, 28 Jan 2010 15:33:29 -0600
Subject: [c-nsp] Traceroute parser/visualizer
In-Reply-To:
References:
Message-ID:

Thank you for your response. I'm actually looking for something that will take in text files of traceroutes generated on cisco routers and visualize them, instead of a program that generates them.

Thanks
Tom

From: Mohammad Khalil [mailto:eng_mssk at hotmail.com]
Sent: Thursday, January 28, 2010 3:30 PM
To: Kacprzynski, Tomasz; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Traceroute parser/visualizer

try pingplotter

> Date: Thu, 28 Jan 2010 14:04:15 -0600
> From: tkacprzynski at spencerstuart.com
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Traceroute parser/visualizer
>
> Hi,
> I'm looking for some tool/script that takes in traceroute output
> generated by Cisco devices and graphs it.
>
> Has anyone heard of anything like that?
>
> Thank you,
>
> Tom
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.

From jasongurtz at npumail.com Thu Jan 28 16:33:40 2010
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Thu, 28 Jan 2010 16:33:40 -0500
Subject: [c-nsp] [SUMMARY]: 4900M vs. 4503 for core
In-Reply-To:
References:
Message-ID:

> Is there anything glaringly wrong with choosing the 4900M using twin-gig
> based connections to the access layer over the 4503 Sup6 and 46xx line
> cards in our situation?

Thanks all for the replies!

A person also responded privately with the opinion that most people want Netflow down the road. Unfortunately, since Netflow has been removed from the 45xx with the Sup6 it would require 65xx at $$++. Squarely in the want vs. need bucket for us.

Unfortunately, I left out that most of the gig uplink connections are fiber so a 3560G doesn't have enough SFP ports. I did find the WS-C3750G-12S-E which looks like the good low-cost option. On the minuses side, it's a softswitch, and no 10G uplinks for linking in the server access switches. The main downside here is advocating for their replacement and purchasing strategies around here. eBay, used equip., etc... are pretty much verboten. Basically, if we buy these now, they'll be here in 5 years and forklifting the network core could be painful.

Point well taken on the stacking related maintenance downtime issue. We plan on doing pure routing and GLBP so thankfully this wouldn't affect us. This issue will bite us with the server access layer. :( I'll join the many who want this problem to go away.

The availability issues with 45xx and 49xx shouldn't be a problem as 4507's are being spec'ed for some access switches and we have until summertime to do this. It's interesting though, makes me wonder if it's just really high demand, or C pushing other platforms.

I discovered the 4928-10G, but the 4900M config comes in cheaper, apparently due to only needing one 8 port card. I'm assuming the 2:1 oversubscription is not an issue when running these 10G ports at 1G. Only thing is 2000W of power supply vs. 600W. It does seem silly to do the twingig thing; if only there was a 20-port sfp halfcard!

Thanks again,

~JasonG

From A.L.M.Buxey at lboro.ac.uk Thu Jan 28 16:38:11 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 28 Jan 2010 21:38:11 +0000
Subject: [c-nsp] port-channel help (warning, might be dumb)
In-Reply-To: <20100128192903.M71356@fast-serv.com>
References: <20100128192903.M71356@fast-serv.com>
Message-ID: <20100128213811.GB17804@lboro.ac.uk>

Hi,

> Foundry config:
>
> trunk ethe 1 to 2
> trunk deploy

foundry does LACP... did you do

link-aggregate active

on the foundry?

alan

From ariemer at wesenergy.com.au Thu Jan 28 16:55:00 2010
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 29 Jan 2010 05:55:00 +0800
Subject: [c-nsp] Traceroute parser/visualizer
In-Reply-To:
References:
Message-ID: <77DF40FD-4F8B-447B-BA80-C742E67DC259@wesenergy.com.au>

Feed IP SLA rtt into cacti for graphing.

Sent from my iPod Touch.

On 29/01/2010, at 4:38 AM, "tkacprzynski at SpencerStuart.com" wrote:

> Hi,
> I'm looking for some tool/script that takes in traceroute output
> generated by Cisco devices and graphs it.
>
> Has anyone heard of anything like that?
>
> Thank you,
>
> Tom
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From kevinw at telnetww.com Thu Jan 28 17:10:39 2010
From: kevinw at telnetww.com (Kevin Warwashana)
Date: Thu, 28 Jan 2010 17:10:39 -0500
Subject: [c-nsp] 7600 Rate Limiting Output
In-Reply-To: <000301ca9ca7$d82538f0$886faad0$@com>
References: <000301ca9ca7$d82538f0$886faad0$@com>
Message-ID: <006001caa066$b987e600$2c97b200$@com>

Anyone have a suggestion/comment?

Thanks,
Kevin

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kevin Warwashana
Sent: Saturday, January 23, 2010 10:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7600 Rate Limiting Output

I was curious what is the best way to limit bandwidth in/out with policy maps.

I can apply this inbound on a subinterface:

policy-map 26MB-INPUT
 class class-default
  police rate 26000000 bps conform-action transmit exceed-action drop

but the below won't apply in the outbound direction:

policy-map 26MB-OUTPUT
 class class-default
  police rate 26000000 bps conform-action transmit exceed-action drop

Gives me:

int gig4/0/0.8
 service-policy output 26MB-OUTPUT
Police and strict priority must be configured together for egress QOS.
Invalid feature combination for the class class-default
Configuration failed

Any help would be appreciated! I miss the rate-limiting command from 7200 routers :).

Kevin

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From rsm at fast-serv.com Thu Jan 28 17:52:36 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Thu, 28 Jan 2010 17:52:36 -0500
Subject: [c-nsp] port-channel help (warning, might be dumb)
In-Reply-To: <20100128213811.GB17804@lboro.ac.uk>
References: <20100128192903.M71356@fast-serv.com> <20100128213811.GB17804@lboro.ac.uk>
Message-ID: <20100128225016.M448@fast-serv.com>

Whoops, no I didn't...

LACP isn't a requirement (and is not configured on the foundry), so if I remove the LACP line and set the channel mode to 'on' instead of 'active' would that work? I could have sworn I had it working in the lab without LACP...

--
Randy

---------- Original Message -----------
From: Alan Buxey
To: Randy McAnally
Cc: "cisco-nsp at puck.nether.net"
Sent: Thu, 28 Jan 2010 21:38:11 +0000
Subject: Re: [c-nsp] port-channel help (warning, might be dumb)

> Hi,
>
> > Foundry config:
> >
> > trunk ethe 1 to 2
> > trunk deploy
>
> foundry does LACP... did you do
>
> link-aggregate active
>
> on the foundry?
>
> alan
------- End of Original Message -------

From A.L.M.Buxey at lboro.ac.uk Thu Jan 28 18:39:50 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 28 Jan 2010 23:39:50 +0000
Subject: [c-nsp] port-channel help (warning, might be dumb)
In-Reply-To: <20100128225016.M448@fast-serv.com>
References: <20100128192903.M71356@fast-serv.com> <20100128213811.GB17804@lboro.ac.uk> <20100128225016.M448@fast-serv.com>
Message-ID: <20100128233950.GC18257@lboro.ac.uk>

Hi,

> Whoops, no I didn't...
>
> LACP isn't a requirement (and is not configured on the foundry), so if I
> remove the LACP line and set the channel mode to 'on' instead of 'active'
> would that work? I could have sworn I had it working in the lab without LACP...

channel-mode 'on' is the 'just do it and forget about setup/discussion protocols'... it's the method recommended for connecting random other systems - eg VMWare multi-link etc.... it's worth a go

alan

From nick at inex.ie  Thu Jan 28 18:49:49 2010
From: nick at inex.ie (Nick Hilliard)
Date: Thu, 28 Jan 2010 23:49:49 +0000
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References:
Message-ID: <4B62229D.1080002@inex.ie>

On 28/01/2010 20:54, Livio Zanol Puppim wrote:
> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
> 4948 as access layers switches?
> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
> could be used by servers with 10GbE/FCoE servers.

the current generation of n2k:

- does not support 10/100, only 1000
- has serious etherchannel limitations
- no netflow
- no rspan / erspan

It's an interesting switch which should improve lots in the next generation of hardware. But right now, it is very specifically aimed at a particular niche. For that niche, it will perform very well indeed, but it's not really a general purpose access switch.

wrt NX-OS vs. IOS, they are two different systems. NX-OS is very young in its development cycle; IOS is much more mature and has many more features.

Nick

From cisco at peakpeak.com  Thu Jan 28 19:44:58 2010
From: cisco at peakpeak.com (Security Team)
Date: Thu, 28 Jan 2010 17:44:58 -0700
Subject: [c-nsp] Busting up VLANs and bridging
Message-ID:

What is the "right" way to combine IP layer 3 traffic so that it can go to multiple VLANs? I'm working with a Catalyst 65xx setup.
For example, I am starting from a working setup that looks something like this:

interface GigabitEthernet4/1
 speed auto
 switchport
 switchport access vlan 247
!
interface GigabitEthernet4/2
 speed auto
 switchport
 switchport access vlan 248
!
interface Vlan247
 ip address 192.168.247.1 255.255.255.0
!
interface Vlan248
 ip address 192.168.248.1 255.255.255.0

Now, if I wanted to actually have a server 192.168.247.36 in Vlan247, but I want to make that server become a bridge so that I can give it other IP addresses in other blocks how would I do that?

So let's say the *.247.36 IP of the server is working, but I want to change my setup so that the server also has 192.168.248.64/29 on it (i.e. I am busting up the .248. Netblock from a /24 to smaller blocks that will be on different servers).

How would I go about doing this?

Thanks,
CJ

From dcp at dcptech.com  Thu Jan 28 19:59:42 2010
From: dcp at dcptech.com (David Prall)
Date: Thu, 28 Jan 2010 19:59:42 -0500
Subject: [c-nsp] Busting up VLANs and bridging
In-Reply-To:
References:
Message-ID: <00d401caa07e$5924fc40$0b6ef4c0$@com>

Create a dot1q trunk to the server and configure the server the same.
Add an additional interface to the server.
Remove the second vlan altogether and add the subnet as a secondary on the first vlan.

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Security Team
> Sent: Thursday, January 28, 2010 7:45 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Busting up VLANs and bridging
>
> What is the "right" way to combine IP layer 3 traffic so that it can go to
> multiple VLANs? I'm working with a Catalyst 65xx setup.
>
> For example, I am starting from a working setup that looks something like
> this:
>
> interface GigabitEthernet4/1
>  speed auto
>  switchport
>  switchport access vlan 247
> !
> interface GigabitEthernet4/2
>  speed auto
>  switchport
>  switchport access vlan 248
> !
> interface Vlan247
>  ip address 192.168.247.1 255.255.255.0
> !
> interface Vlan248
>  ip address 192.168.248.1 255.255.255.0
>
> Now, if I wanted to actually have a server 192.168.247.36 in Vlan247, but I
> want to make that server become a bridge so that I can give it other IP
> addresses in other blocks how would I do that?
>
> So let's say the *.247.36 IP of the server is working, but I want to change
> my setup so that the server also has 192.168.248.64/29 on it (i.e. I am
> busting up the .248. Netblock from a /24 to smaller blocks that will be on
> different servers).
>
> How would I go about doing this?
>
> Thanks,
> CJ

From steve at ibctech.ca  Thu Jan 28 20:43:23 2010
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 28 Jan 2010 20:43:23 -0500
Subject: [c-nsp] Busting up VLANs and bridging
In-Reply-To:
References:
Message-ID: <4B623D3B.4050402@ibctech.ca>

Security Team wrote:
> What is the "right" way to combine IP layer 3 traffic so that it can go to
> multiple VLANs? I'm working with a Catalyst 65xx setup.
>
> For example, I am starting from a working setup that looks something like
> this:
>
> interface GigabitEthernet4/1
>  speed auto
>  switchport
>  switchport access vlan 247
> !
> interface GigabitEthernet4/2
>  speed auto
>  switchport
>  switchport access vlan 248
> !
> interface Vlan247
>  ip address 192.168.247.1 255.255.255.0
> !
> interface Vlan248
>  ip address 192.168.248.1 255.255.255.0
>
> Now, if I wanted to actually have a server 192.168.247.36 in Vlan247, but I
> want to make that server become a bridge so that I can give it other IP
> addresses in other blocks how would I do that?
>
> So let's say the *.247.36 IP of the server is working, but I want to change
> my setup so that the server also has 192.168.248.64/29 on it (i.e. I am
> busting up the .248. Netblock from a /24 to smaller blocks that will be on
> different servers).
>
> How would I go about doing this?

Are you trying to come up with a strategy to make this a permanent migration?

It really depends on what you are attempting to do, and how many hosts you already have in .248.64/29. Assuming none:

You could carve up the /24 for .248 into:

192.168.248.0/26
192.168.248.72/29
192.168.248.80/29
192.168.248.88/29
192.168.248.96/28
192.168.248.112/28
192.168.248.128/25

...and add them as secondaries on the vlan248 interface. Although not the ultimate solution, you could even leave all of the hosts on that vlan int with their existing 'default gateway', as the interface will still accept it. (please forgive me if my numbers are wrong... it was off the top of my head).

You could then assign 192.168.248.64/29 as a secondary onto vlan 247, and add the same as a secondary address on the same NIC as the .247 address on the server.

I've used this sort of tactic during renumbering transitions, and it works well. Documentation is *very* important however ;)

I just read David's message, and that will work as well, if your server NIC can handle hardware VLAN, and assuming that the second VLAN doesn't connect to a different piece of network infrastructure as the first.

Either way, slicing a /29 out of a /24 will require you to divide up .248.

Steve

...

From mtinka at globaltransit.net  Thu Jan 28 20:34:21 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 29 Jan 2010 09:34:21 +0800
Subject: [c-nsp] [SUMMARY]: 4900M vs.
4503 for core
In-Reply-To:
References:
Message-ID: <201001290934.26561.mtinka@globaltransit.net>

On Friday 29 January 2010 05:33:40 am Jason Gurtz wrote:

> Unfortunately, I left out that most of the gig
> uplink connections are fiber so a 3560G doesn't have
> enough SFP ports. I did find the WS-C3750G-12S-E which
> looks like the good low-cost option. On the minuses
> side, it's a softswitch, and no 10G uplinks for linking
> in the server access switches. The main downside here
> is advocating for their replacement and purchasing
> strategies around here. eBay, used equip., etc... are
> pretty much verboten. Basically, if we buy these now,
> they'll be here in 5 years and forklifting the network
> core could be painful.

We've been down this road before when searching for a 1U Ethernet switch that provides decent fibre-only port density.

On the Cisco end, the 4928 is a little on the pricey side, and not very fetching if Layer 3 applications are needed, i.e., IPv6 is done in software, eek!

For these requirements, we keep coming back to Juniper's EX4200-24F, which is a 24-port fibre-only switch, with 4x 1Gbps or 2x 10Gbps uplinks.

Brocade's NetIron CES/CER 2000 platforms are probably also worth considering, as they can scale to 24- and 48-port fibre-only densities. But they are fairly advanced, supporting a vast array of IP/MPLS features, so unless they have interesting licensing strategies, that proposition could be pricey.

Cheers,

Mark.

From ghira at mistral.co.uk  Fri Jan 29 01:28:15 2010
From: ghira at mistral.co.uk (Adam Atkinson)
Date: Fri, 29 Jan 2010 06:28:15 +0000
Subject: [c-nsp] [SUMMARY]: 4900M vs.
4503 for core
In-Reply-To: <201001290934.26561.mtinka@globaltransit.net>
References: <201001290934.26561.mtinka@globaltransit.net>
Message-ID: <4B627FFF.9020308@mistral.co.uk>

Mark Tinka wrote:

> We've been down this road before when searching for a 1U
> Ethernet switch that provides decent fibre-only port
> density.

Extreme X650?

From andrew.gabriel at sanmina-sci.com  Fri Jan 29 01:47:03 2010
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel)
Date: Fri, 29 Jan 2010 12:17:03 +0530
Subject: [c-nsp] [SUMMARY]: 4900M vs. 4503 for core
In-Reply-To: <4B627FFF.9020308@mistral.co.uk>
References: <201001290934.26561.mtinka@globaltransit.net> <4B627FFF.9020308@mistral.co.uk>
Message-ID:

For pure L2 aggregation HP also has a 24-port fiber switch that is very reasonably priced. It also has 10 G uplinks that you can use to connect to a 4948 10G switch, which will work out to be fairly cost effective.

Regards,
Andrew Gabriel.

On Fri, Jan 29, 2010 at 11:58 AM, Adam Atkinson wrote:

> Mark Tinka wrote:
>
>> We've been down this road before when searching for a 1U Ethernet switch
>> that provides decent fibre-only port density.
>
> Extreme X650?
From rmikisa at gmail.com  Fri Jan 29 02:42:27 2010
From: rmikisa at gmail.com (Mikisa Richard)
Date: Fri, 29 Jan 2010 10:42:27 +0300
Subject: [c-nsp] Policer on c4503
Message-ID: <4B629163.3060207@gmail.com>

Hi all,

Any ideas why the Policer policy below does not work. Intention is for me to lock down traffic to 3Mbps both ways on interface g3/11.

!!
class-map match-all ROKE-LIMIT
 match access-group name ROKE-SLAP
!
policy-map POLICY-ROKE
 class ROKE-LIMIT
  police 3000000 bps 30000 byte conform-action transmit exceed-action drop
!
interface GigabitEthernet3/11
 description link to ROKE
 no switchport
 ip address x.x.x.x
 service-policy input POLICY-ROKE
 service-policy output POLICY-ROKE

Regards
Richard

From sthaug at nethelp.no  Fri Jan 29 04:26:46 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 29 Jan 2010 10:26:46 +0100 (CET)
Subject: [c-nsp] [SUMMARY]: 4900M vs. 4503 for core
In-Reply-To: <4B627FFF.9020308@mistral.co.uk>
References: <201001290934.26561.mtinka@globaltransit.net> <4B627FFF.9020308@mistral.co.uk>
Message-ID: <20100129.102646.74679695.sthaug@nethelp.no>

> > We've been down this road before when searching for a 1U
> > Ethernet switch that provides decent fibre-only port
> > density.
>
> Extreme X650?

The new X480 series also looks interesting.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From uvh at siemens.com  Fri Jan 29 06:39:07 2010
From: uvh at siemens.com (Hansen, Ulrich Vestergaard B. (E R WP EN 342))
Date: Fri, 29 Jan 2010 12:39:07 +0100
Subject: [c-nsp] Network Management solution for Large Cisco deployement
Message-ID: <5FD7A7EC774B114092B1603D69E42C9B03122B4E@BDKB1EEA.ww007.siemens.net>

Hi all,

We are moving forward at a very high pace at the moment. We currently maintain a multi-vendor environment with approx. 9000 switches, routers and firewalls.
Over the next few years that number is expected to grow by another 3000-5000 devices.

We have multiple NMS systems running today, but as we regionalize we want to keep track of everything in preferably one NMS.
CiscoWorks LMS has a limit of 10.000 devices (and it's only for Cisco ofc.) so I'm not sure this is the right solution for us.
New devices deployed will be Cisco only.

What are my alternatives in terms of large scale management and deployment (Up to 50.000+ devices)?

Thanks.

// Ulrich

From nils.kolstein at sscplus.nl  Fri Jan 29 06:48:58 2010
From: nils.kolstein at sscplus.nl (Nils Kolstein)
Date: Fri, 29 Jan 2010 12:48:58 +0100 (CET)
Subject: [c-nsp] Network Management solution for Large Cisco deployement
In-Reply-To: <5FD7A7EC774B114092B1603D69E42C9B03122B4E@BDKB1EEA.ww007.siemens.net>
Message-ID: <1135928761.941361264765738345.JavaMail.root@webmail>

Open source? Closed source?

Open Source gives several platforms like Nagios (also does service management but also element management). OpenNMS is also a good option.

Closed source: HP OpenView, IBM Tivoli. Comes with a price tag of course. Remember that most platforms need to be tweaked and tuned to get the best results. Also consider having your CMDB up to date and stuff like that.

Nils Kolstein
SSCPlus

----- "Ulrich Vestergaard B. Hansen (E R WP EN 342)" schreef:

> Hi all,
>
> We are moving forward at a very high pace at the moment.
> We currently
> maintain a multi-vendor environment with approx. 9000 switches, routers
> and firewalls.
> Over the next few years that number is expected to grow by another
> 3000-5000 devices.
>
> We have multiple NMS systems running today, but as we regionalize we
> want to keep track of everything in preferably one NMS.
> CiscoWorks LMS has a limit of 10.000 devices (and it's only for Cisco
> ofc.) so I'm not sure this is the right solution for us.
> New devices deployed will be Cisco only.
>
> What are my alternatives in terms of large scale management and
> deployment (Up to 50.000+ devices)?
>
> Thanks.
>
> // Ulrich

From rdobbins at arbor.net  Fri Jan 29 07:12:55 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Fri, 29 Jan 2010 12:12:55 +0000
Subject: [c-nsp] Network Management solution for Large Cisco deployement
In-Reply-To: <1135928761.941361264765738345.JavaMail.root@webmail>
References: <1135928761.941361264765738345.JavaMail.root@webmail>
Message-ID: <6D62816E-3D7A-42C5-AF51-19CD87C5841D@arbor.net>

On Jan 29, 2010, at 6:48 PM, Nils Kolstein wrote:

> Closed source: HP OpenView, IBM Tivoli.

I believe Cisco also OEM NetCool.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From gkg at gmx.de  Fri Jan 29 07:19:36 2010
From: gkg at gmx.de (Garry)
Date: Fri, 29 Jan 2010 13:19:36 +0100
Subject: [c-nsp] Network Management solution for Large Cisco deployement
In-Reply-To: <1135928761.941361264765738345.JavaMail.root@webmail>
References: <1135928761.941361264765738345.JavaMail.root@webmail>
Message-ID: <4B62D258.9010609@gmx.de>

On 29.01.2010 12:48, Nils Kolstein wrote:
> Open source? Closed source?
>
> Open Source gives several platforms like Nagios (also does service management but also element management). OpenNMS is also a good option.
>
> Closed source: HP OpenView, IBM Tivoli. Comes with a price tag of course. Remember that most platforms need to be tweaked and tuned to get the best results. Also consider having your CMDB up to date and stuff like that.
>

As we have rolled out OpenNMS at several customer sites (apart from our own network; site sizes range from a couple of dozens of devices up to something like 15000 systems with lots of room for growth) and previously were using Nagios, I very much doubt you'd be able to run Nagios on a network with 50000 systems in it ... unless you start stacking up multiple servers to work in parallel ...

There are OpenNMS-based installations out there with at least 48000 systems, running smoothly with detailed overview over the connected devices ... YMMV of course, but I believe OpenNMS is your best shot here ...

License and support cost for OV will cost you more than an arm and a leg for such a large scenario, and Tivoli might not cover your requirements (apart from the cost & performance). Both the latter we have replaced with OpenNMS in two customer installations ... and they are very glad they threw them out :)

When we found that Nagios was unable to cope with our (and customer) requirements, we did an internal review of multiple FOSS systems - of those, only few were able to cope with anything larger than 10000 systems, and most lacked important features we had on our must-have-list ...

-garry

From Kevin.Hatem at pgs.com  Fri Jan 29 07:50:22 2010
From: Kevin.Hatem at pgs.com (Kevin Hatem)
Date: Fri, 29 Jan 2010 06:50:22 -0600
Subject: [c-nsp] [SUMMARY]: 4900M vs. 4503 for core
In-Reply-To:
References:
Message-ID: <15D5002F61F31A45A82A153D2F739067B1732895AE@HOUMS26.onshore.pgs.com>

The 4900m is a robust switch with plenty of BW on the fabric.
Port density is not plentiful but.......Using the twinG is a choice - just check on the limitation of use not only with using them on the onboard X2 slots, but also ASIC restrictions. I know that the SUP6E (the 4900m SUP?) uses stub asics to the fabric and has limitations for combining 1G and 10G on the same asic.

The Juniper and HP boxes that others have suggested are good boxes too. It appears you have some time to investigate many solutions.

The shortage of the 4900 and other such products is derived as a result of limited component production from Cisco's manufacturing plants (overseas). But the suggestion that Cisco is pushing other products (Nexus) is plausible.

-nuff said.

-kevin.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Gurtz
Sent: Thursday, January 28, 2010 15:34
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] [SUMMARY]: 4900M vs. 4503 for core

> Is there anything glaringly wrong with choosing the 4900M using twin-gig
> based connections to the access layer over the 4503 Sup6 and 46xx line
> cards in our situation?

Thanks all for the replies!

A person also responded privately with the opinion that most people want Netflow down the road. Unfortunately, since Netflow has been removed from the 45xx with the Sup6 it would require 65xx at $$++. Squarely in the want vs. need bucket for us

Unfortunately, I left out that most of the gig uplink connections are fiber so a 3560G doesn't have enough SFP ports. I did find the WS-C3750G-12S-E which looks like the good low-cost option. On the minuses side, it's a softswitch, and no 10G uplinks for linking in the server access switches. The main downside here is advocating for their replacement and purchasing strategies around here. eBay, used equip., etc... are pretty much verboten. Basically, if we buy these now, they'll be here in 5 years and forklifting the network core could be painful.
Point well taken on the stacking related maintenance downtime issue. We plan on doing pure routing and GLBP so thankfully this wouldn't affect us. This issue will bite us with the server access layer. :(

I'll join the many who want this problem to go away. The availability issues with 45xx and 49xx shouldn't be a problem as 4507's are being spec'ed for some access switches and we have until summertime to do this. It's interesting though, makes me wonder if it's just really high demand, or C pushing other platforms.

I discovered the 4928-10G, but the 4900M config comes in cheaper, apparently due to only needing one 8 port card. I'm assuming the 2:1 oversubscription is not an issue when running these 10G ports at 1G. Only thing is 2000W of power supply vs. 600W. It does seem silly to do the twingig thing; if only there was a 20-port sfp halfcard!

Thanks again,

~JasonG
From bluffmaster4hearts at gmail.com  Fri Jan 29 08:17:44 2010
From: bluffmaster4hearts at gmail.com (bharath kondi)
Date: Fri, 29 Jan 2010 21:17:44 +0800
Subject: [c-nsp] Memory Status in GSR
Message-ID: <82957ce51001290517i2d1fbd40wb97cff534dae9598@mail.gmail.com>

Dear Everyone,

Kindly check the below Memory status on my GSR and suggest to me what needs to be done or whether everything looks okay.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GW-04-KLS-AIMS-MY#show memory free
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   5697F3A0   426249312   343181988    83067324    80783476    44276424
      Fast   5695F3A0      131072      130712         360         360         316
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks and Regards
Bharath K

From drew.weaver at thenap.com  Fri Jan 29 10:01:12 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 29 Jan 2010 10:01:12 -0500
Subject: [c-nsp] Memory Status in GSR
In-Reply-To: <82957ce51001290517i2d1fbd40wb97cff534dae9598@mail.gmail.com>
References: <82957ce51001290517i2d1fbd40wb97cff534dae9598@mail.gmail.com>
Message-ID:

As far as I understand the more important statistic is 'show ip cef resources'.

thanks,
-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of bharath kondi
Sent: Friday, January 29, 2010 8:18 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Memory Status in GSR

Dear Everyone,

Kindly check the below Memory status on my GSR and suggest to me what needs to be done or whether everything looks okay.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GW-04-KLS-AIMS-MY#show memory free
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   5697F3A0   426249312   343181988    83067324    80783476    44276424
      Fast   5695F3A0      131072      130712         360         360         316
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks and Regards
Bharath K

From bluffmaster4hearts at gmail.com  Fri Jan 29 10:27:26 2010
From: bluffmaster4hearts at gmail.com (bharath kondi)
Date: Fri, 29 Jan 2010 23:27:26 +0800
Subject: [c-nsp] Memory Status in GSR
In-Reply-To:
References: <82957ce51001290517i2d1fbd40wb97cff534dae9598@mail.gmail.com>
Message-ID: <82957ce51001290727u47380b0l548f6894b3f18a57@mail.gmail.com>

Dear Drew,

I cannot see anything from that command. Kindly check the below finding from our GSR.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GW-04-KLS-AIMS-MY#show ip cef resource ?
  |  Output modifiers

GW-04-KLS-AIMS-MY#show ip cef resource
GW-04-KLS-AIMS-MY#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks
Bharath

On Fri, Jan 29, 2010 at 11:01 PM, Drew Weaver wrote:

> As far as I understand the more important statistic is 'show ip cef
> resources'.
>
> thanks,
> -Drew
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of bharath kondi
> Sent: Friday, January 29, 2010 8:18 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Memory Status in GSR
>
> Dear Everyone,
>
> Kindly check the below Memory status on my GSR and suggest to me what needs to
> be done or whether everything looks okay.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> GW-04-KLS-AIMS-MY#show memory free
>                 Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
> Processor   5697F3A0   426249312   343181988    83067324    80783476    44276424
>       Fast   5695F3A0      131072      130712         360         360         316
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Thanks and Regards
> Bharath K

--
With Lots of Love & Luck...

From Michael.Robson at manchester.ac.uk  Fri Jan 29 11:33:20 2010
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Fri, 29 Jan 2010 16:33:20 +0000
Subject: [c-nsp] IPV6 again
Message-ID: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk>

OK so looking at/listening to various recommendations, when allocating IPV6 addresses, stateless auto-configuration with DHCPv6 used to dish out the DNS servers and domain looks the most appealing. Since the IOS version we are using on our 6500s doesn't support IPV6 DHCP relaying (12.2(18)SXF13) I tried to set up a test using the 6500 itself to serve the DNS and domain information but I cannot get it to work. When I use the following configuration the clients are configured with appropriate v6 IPs and can get out into the IPV6 Internet, but no DNS or domain information is received. Turning on "debug ipv6 DHCP" yields no entries in the log at all for either an iMac or an XP laptop: am I missing some configuration?

interface Vlan798
 ipv6 address X/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server test
end
!
!
ipv6 dhcp pool test
 dns-server Y
 domain-name Z
!
Thanks,

Michael
--

From oboehmer at cisco.com  Fri Jan 29 12:00:36 2010
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 29 Jan 2010 18:00:36 +0100
Subject: [c-nsp] BGP inject map question
In-Reply-To: <4B60964F.8030803@internode.on.net>
References: <4B601307.1000400@internode.on.net> <4B60964F.8030803@internode.on.net>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F011AB415@XMB-AMS-103.cisco.com>

Andrew,

> for the cisco people here (hehehe), can I do the following:
>
> use an inject map for a route that is locally originated, I think I'm
> having issues with the route source ie.

I'm not 100% sure, but looking how this is implemented, it seems like you can't use the exist-map to match for locally-originated prefixes. Can you verify your config with a remotely-learnt route (i.e. just change the exist-map) to verify?

> I have been trying and can't get it working,
> basically I have an MPLS VPN extranet and lan address of the CE is in
> the same subnet as a /32 host I wish to advertise into the VPN.

How about a hack:

int fas 0/1
 ip address 123.123.123.1 255.255.255.0
!
ip route 123.123.123.12 255.255.255.255 fas0/1 123.123.123.12

and then do a "redistribute static" or a network entry. So you will advertise the /32 as long as the interface is up, which should achieve the same as your inject-map example. Not very pretty, but effective?

oli

From paul at paulstewart.org  Fri Jan 29 12:01:58 2010
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 29 Jan 2010 12:01:58 -0500
Subject: [c-nsp] Card Throughput - 6148A-GE-TX
Message-ID: <000701caa104$c4ad6700$4e083500$@org>

Hi there.

We are aware of what the entire card is capable of (2 Gb/s), but is there any way to see how much is being utilized from within IOS itself? We can start counting up all the ports but is there an easier way? ;)

Relating to this, is the card limited to 2Gb/s total or 1Gb/s per half?
We have a situation with a couple of these cards where they are pushing the potential limits and we want to make sure..

Cheers,

Paul

From dcp at dcptech.com  Fri Jan 29 12:07:59 2010
From: dcp at dcptech.com (David Prall)
Date: Fri, 29 Jan 2010 12:07:59 -0500
Subject: [c-nsp] IPV6 again
In-Reply-To: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk>
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk>
Message-ID: <011401caa105$9c985da0$d5c918e0$@com>

So XP doesn't support IPv6 DHCP, nor do they support IPv6 DNS. Not sure about the macintosh.

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Michael Robson
> Sent: Friday, January 29, 2010 11:33 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPV6 again
>
> OK so looking at/listening to various recommendations, when allocating
> IPV6 addresses, stateless auto-configuration with DHCPv6 used to dish
> out the DNS servers and domain looks the most appealing. Since the IOS
> version we are using on our 6500s doesn't support IPV6 DHCP relaying
> (12.2(18)SXF13) I tried to set up a test using the 6500 itself to serve
> the DNS and domain information but I cannot get it to work. When I use
> the following configuration the clients are configured with appropriate
> v6 IPs and can get out into the IPV6 Internet, but no DNS or domain
> information is received. Turning on "debug ipv6 DHCP" yields no entries
> in the log at all for either an iMac or an XP laptop: am I missing some
> configuration?
>
>
> interface Vlan798
>  ipv6 address X/64
>  ipv6 enable
>  ipv6 nd other-config-flag
>  ipv6 dhcp server test
> end
> !
> !
> ipv6 dhcp pool test
>  dns-server Y
>  domain-name Z
> !
>
> Thanks,
>
> Michael
> --

From mhuff at ox.com  Fri Jan 29 12:22:19 2010
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 29 Jan 2010 12:22:19 -0500
Subject: [c-nsp] 10GE WAN options for 7606 for market data / micro-bursting
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F697@PUR-EXCH07.ox.com>

We are planning on moving a large portion of our data center to a colo facility at a financial exchange. We will be using redundant 10-GE connections from our existing pair of 7604 to a new pair of 7606 with Sup720-3B. We won't be doing MPLS/VPN, etc... Just normal L3 routing including PIM sparse mode multicast. Since a significant amount of the traffic will be market data, the line rate will be very bursty including micro-bursts. We will be setting up a series of LLQ queues with Modular QoS CLI and are interested in H-QOS, so I have some questions regarding which 10GB interface.

The choices are:

1) WS-X6704-10GE. The standard linecard. TX queue of 1p7q8t. 16MB per port buffer
2) 7600-ES20-10G3C. TX queue ??? (configurable ???), buffer size ???
3) 7600-SIP-600 with SPA-10X1GE. TX queue ???, buffer size ???

The SIP and ES20 may be overkill, maybe not. We aren't doing MPLS or VRF, or QinQ or any other tunneling, but we need the most flexible, best 10GB WAN interface that can help us deal with bursting/QOS.

Any experiences, suggestions, warnings...?

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:
914-460-4139 From petelists at templin.org Fri Jan 29 13:00:16 2010 From: petelists at templin.org (Pete Templin) Date: Fri, 29 Jan 2010 12:00:16 -0600 Subject: [c-nsp] Memory Status in GSR In-Reply-To: <82957ce51001290517i2d1fbd40wb97cff534dae9598@mail.gmail.com> References: <82957ce51001290517i2d1fbd40wb97cff534dae9598@mail.gmail.com> Message-ID: <4B632230.6050501@templin.org> bharath kondi wrote: > Dear Everyone, > > Kindly check the below Memory status on my GSR and suggest me what need to > be done or everything looks okay. > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > GW-04-KLS-AIMS-MY#show memory free > Head Total(b) Used(b) Free(b) > Lowest(b) > Processor 5697F3A0 426249312 343181988 83067324 80783476 Your RP seems to be OK. I have less free memory on the one GSR I just spot-checked. I'd also recommend doing 'exec all sh mem summ | i ^Proc' to check all linecards. I came up with the following: core1-dlls#exec all sh mem summ | i ^Proc ========= Line Card (Slot 0) ========= Processor 44645E60 996909472 149267456 847642016 847640576 846752284 ========= Line Card (Slot 1) ========= Processor 44645E60 996909472 149270208 847639264 847636520 846993916 ========= Line Card (Slot 4) ========= Processor 44645E60 194748832 109755540 84993292 84993292 84019676 ========= Line Card (Slot 6) ========= Processor 44645E60 194748832 109550656 85198176 85181976 84362364 ========= Line Card (Slot 9) ========= Processor 44645E60 460038560 171487896 288550664 288550664 287672988 ========= Line Card (Slot 11) ========= Processor 44645E60 194748832 120640368 74108464 74102216 73371388 ========= Line Card (Slot 12) ========= Processor 44645E60 194748832 120648284 74100548 74100548 73281468 ========= Line Card (Slot 15) ========= Processor 44645E60 194748832 110465016 84283816 84282672 83334076 core1-dlls#sh diag | i Eng L3 Engine: 3 - ISE OC48 (2.5 Gbps) L3 Engine: 3 - ISE OC48 (2.5 Gbps) L3 Engine: 0 - OC12 (622 Mbps) L3 Engine: 0 - OC12 (622 Mbps) L3 
Engine: 3 - ISE OC48 (2.5 Gbps) L3 Engine: 2 - Backbone OC48 (2.5 Gbps) L3 Engine: 2 - Backbone OC48 (2.5 Gbps) L3 Engine: 1 - Standard OC48 (2.5 Gbps) core1-dlls# My Engine 2 cards are the most likely to run out, though they're doing OK for now. The Engine 1/0 cards are next likely to have issues; the Engine 3 cards seem to be fine. pt From FitzgeraldB at camosun.bc.ca Fri Jan 29 12:41:27 2010 From: FitzgeraldB at camosun.bc.ca (Brian Fitzgerald) Date: Fri, 29 Jan 2010 09:41:27 -0800 Subject: [c-nsp] IPV6 again In-Reply-To: <011401caa105$9c985da0$d5c918e0$@com> Message-ID: Last I looked, DHCPv6 isn't implemented on Windows XP, Vista, or Server2003, nor on Mac OSX up to 10.6. Don't know about Win7, but the Server2008 DHCP server DOES include IPv6, so it may be there. I have used an open-source client called Dibbler for Windows boxes - works well. They have installable binaries for WindowsXP,Vista,2k3, Windows NT,2k, and Linux, with the source available as well. http://klub.com.pl/dhcpv6/ On the Mac, I don't know. If you have the Developers Kit installed, you might be able to build dhcp6c or Dibbler from source (I haven't tried it). Hope that helps. Brian Fitzgerald Sr. Network & Security Admin. ITS, Camosun College, Victoria, BC. Phone: 250-370-3076 Fax: 250-370-3966 Email: fitzgeraldb (at) camosun.bc.ca On 10-01-29 9:07 AM, "David Prall" wrote: > So XP doesn't support IPv6 DHCP, nor do they support IPv6 DNS. Not sure > about the macintosh. > > -- > http://dcp.dcptech.com > > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Michael Robson >> Sent: Friday, January 29, 2010 11:33 AM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] IPV6 again >> >> OK so looking at/listening to various recommendations, when allocating >> IPV6 addresses, stateless auto-configuration with DHCPv6 used to dish >> out the DNS servers and domain looks the most appealing. 
Since the IOS >> version we are using on our 6500s doesn't support IPV6 DHCP relaying >> (12.2(18)SXF13) I tried to set up a test using the 6500 itself to serve >> the DNS and domain information but I cannot get it to work. When I use >> the following configuration the clients are configured with appropriate >> v6 IPs and can get out into the IPV6 Internet, but no DNS or domain >> information is received. Turning on "debug ipv6 DHCP" yields no entries >> in the log at all for either an iMac or an XP laptop: am I missing some >> configuration? >> >> >> interface Vlan798 >> ipv6 address X/64 >> ipv6 enable >> ipv6 nd other-config-flag >> ipv6 dhcp server test >> end >> ! >> ! >> ipv6 dhcp pool test >> dns-server Y >> domain-name Z >> ! >> >> >> >> Thanks, >> >> Michael >> -- >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From A.L.M.Buxey at lboro.ac.uk Fri Jan 29 14:09:37 2010 From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey) Date: Fri, 29 Jan 2010 19:09:37 +0000 Subject: [c-nsp] IPV6 again In-Reply-To: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> Message-ID: <20100129190937.GB20301@lboro.ac.uk> Hi, > OK so looking at/listening to various recommendations, when allocating IPV6 addresses, stateless auto-configuration with DHCPv6 used to dish out the DNS servers and domain looks the most appealing. Since the IOS version we are using on our 6500s doesn't support IPV6 DHCP relaying (12.2(18)SXF13) I tried to set up a test using the 6500 itself to serve the DNS and domain information but I cannot get it to work. 
> When I use the following configuration the clients are configured with appropriate v6 IPs and can get out into the IPV6 Internet, but no DNS or domain information is received. Turning on "debug ipv6 DHCP" yields no entries in the log at all for either an iMac or an XP laptop: am I missing some configuration?

DHCPv6 and stateless configuration are pretty much still very messy right now. yes, DHCPv6 would be a direct replacement for clients on the v6 landscape but not many clients support it.... worse, stateless configuration, whilst in a way elegant, hardly anything gets handed over to it....eg DNS or NTP information. there's also no way to hand over any encryption or seed things eg for SeND - we've been in chats with people about getting some nice extensions into the stateless RFC - it'd be good/useful to have these things sorted.

..now...what are those IPv6 youtube addresses, I've got an hour to burn ;-)

alan

From thomas at habets.pp.se Fri Jan 29 13:52:33 2010
From: thomas at habets.pp.se (Thomas Habets)
Date: Fri, 29 Jan 2010 19:52:33 +0100 (CET)
Subject: [c-nsp] 10GE WAN options for 7606 for market data / micro-bursting
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BC79F697@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F697@PUR-EXCH07.ox.com>
Message-ID:

On Fri, 29 Jan 2010, Matthew Huff wrote:
> 1) WS-X6704-10GE. The standard linecard. TX queue of 1p7q8t. 16MB per port buffer

If it's bursty you may want to consider 6708 instead. It has bigger buffers.

---------
typedef struct me_s {
  char name[]    = { "Thomas Habets" };
  char email[]   = { "thomas at habets.pp.se" };
  char kernel[]  = { "Linux" };
  char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[]     = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

From chris at lavin-llc.com Fri Jan 29 14:16:59 2010
From: chris at lavin-llc.com (chris at lavin-llc.com)
Date: Fri, 29 Jan 2010 14:16:59 -0500
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To: <4B62229D.1080002@inex.ie>
References: <4B62229D.1080002@inex.ie>
Message-ID:

> wrt NX-OS vs. IOS, they are two different systems. NX-OS is very young in its development cycle; IOS is much more mature and has many more features.
>
> Nick

I'm curious why you suggest that the NX-OS is very young. My understanding (I'm not a SAN guy) is that the NX-OS is just a move of bringing the MDS OS into a routing/switching combination with IOS.

I had the recent experience of a Nexus CPOC down in RTP. Going into it I was apprehensive about learning a new OS. But through the CPOC I learned that it's not that much different from IOS. Seemed like they did a decent job of importing/aliasing the IOS related commands. I didn't feel as lost within the CLI as I had expected.

-chris

From chris at lavin-llc.com Fri Jan 29 14:44:27 2010
From: chris at lavin-llc.com (chris at lavin-llc.com)
Date: Fri, 29 Jan 2010 14:44:27 -0500
Subject: [c-nsp] Network Management solution for Large Cisco deployement
In-Reply-To: <5FD7A7EC774B114092B1603D69E42C9B03122B4E@BDKB1EEA.ww007.siemens.net>
References: <5FD7A7EC774B114092B1603D69E42C9B03122B4E@BDKB1EEA.ww007.siemens.net>
Message-ID:

> Hi all,
>
> We are moving forward at a very high pace at the moment. We currently maintain a multi-vendor environment with approx. 9000 switches, routers and firewalls.
> Over the next few years that number is expected to grow by another 3000-5000 devices.
>
> We have multiple NMS systems running today, but as we regionalize we want to keep track of everything in one, preferably, NMS.
> CiscoWorks LMS has a limit of 10.000 devices (and it's only for Cisco ofc.) so I'm not sure this is the right solution for us.
> New devices deployed will be Cisco only.
>
> What are my alternatives in terms of large scale management and deployment (Up to 50.000+ devices)?
>
> Thanks.
>
> // Ulrich

If you aren't looking for an Open solution:

Having worked with HP Openview, IBM Tivoli (ITNM), CA Spectrum and EMC SMARTS; I highly recommend SMARTS. During our bake-offs and side-by-side live trials SMARTS consistently showed a real ability to provide root cause analysis for fault management. In one shop we had an architecture of SMARTS servers that supported over 20,000 network devices. And being able to interact with and program into a common information database, we were able to tweak for all of our additional requirements.

The one common trap enterprises fall into is the idea that one tool can provide all the fault management and performance management for each piece of the infrastructure (network, servers, storage). Regardless of vendor hype, there isn't one tool to rule them all.

Regardless of what you choose, expect to have trained staff to make adjustments as needed. A robust NMS system should be considered part of the network eco system and as such also needs a percentage of the care and feeding that you apply to your routing and switching environments.

-chris

From swmike at swm.pp.se Fri Jan 29 15:17:19 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 29 Jan 2010 21:17:19 +0100 (CET)
Subject: [c-nsp] IPV6 again
In-Reply-To:
References:
Message-ID:

On Fri, 29 Jan 2010, Brian Fitzgerald wrote:

> Last I looked, DHCPv6 isn't implemented on Windows XP, Vista, or Server2003, nor on Mac OSX up to 10.6. Don't know about Win7, but the Server2008 DHCP server DOES include IPv6, so it may be there.

Both Vista and Win7 can live in a purely native ipv6 environment without any ipv4, get DNS-server and IP via DHCPv6, and also get prefixes for "Internet Connection Sharing" via DHCPv6-PD. It doesn't null route the prefix it gets via PD (thus routing loop if you give it anything larger than /64), but that's another story. I have reported this to people in MS, don't know if there is a fix brewing somewhere. Haven't tested this in Win7, only Vista.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From alex at digriz.org.uk Fri Jan 29 15:35:35 2010
From: alex at digriz.org.uk (Alexander Clouter)
Date: Fri, 29 Jan 2010 20:35:35 +0000
Subject: [c-nsp] IPV6 again
References: <4A6CEA4C-ADA2-458F-B77D-4EACAB8ACB70@manchester.ac.uk> <20100129190937.GB20301@lboro.ac.uk>
Message-ID:

Alan Buxey wrote:
>
> [snipped]
>
> worse, stateless configuration, whilst in a way elegant, hardly anything gets handed over to it....eg DNS or NTP information. there's also no way to hand over any encryption or seed things eg for SeND - we've been in chats with people about getting some nice extensions into the stateless RFC - it'd be good/useful to have these things sorted.
>
DNS is via RFC5006 (if your client supports it, however for now stateless DHCPv6 can give you that) and NTP should be discovered via multicast...like most other services.

Cheers

--
Alexander Clouter
.sigmonster says: I will never lie to you.

From nick at inex.ie Fri Jan 29 16:30:24 2010
From: nick at inex.ie (Nick Hilliard)
Date: Fri, 29 Jan 2010 21:30:24 +0000
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References: <4B62229D.1080002@inex.ie>
Message-ID: <4B635370.9070000@inex.ie>

On 29/01/2010 19:16, chris at lavin-llc.com wrote:
> I'm curious why you suggest that the NX-OS is very young. My understanding (I'm not a SAN guy) is that the NX-OS is just a move of bringing the MDS OS into a routing/switching combination with IOS.

I should have been more careful what I said there. Yes, san-os 4.1 was released as nx-os 4.1. However, san-os has been extended by quite a substantial amount in the last couple of years, and there is a lot of new code in the os relating to L3 stuff in particular. The basic SAN code is very mature, but the original poster was interested in the nexus boxes as ethernet switches rather than san switches.

Nick

From devon at noved.org Fri Jan 29 16:35:29 2010
From: devon at noved.org (Devon True)
Date: Fri, 29 Jan 2010 16:35:29 -0500
Subject: [c-nsp] Purposed of uRPF's "allow-default" Option?
Message-ID: <4B6354A1.7070202@noved.org>

All:

I am curious what the purpose of uRPF's "allow-default" option is? Based on Cisco's page explaining the command, I interpret that it allows uRPF to match on a default route... but doesn't that defeat the purpose of uRPF?

My best guess is that it allows you to set static routes for networks whose source IPs you want to drop (using the null interface) while allowing everything else.

e.g.

interface Vlan100
 ip verify unicast source reachable-via any allow-default
!
ip route 192.168.0.0 255.255.255.0 null0
ip route 0.0.0.0 0.0.0.0 x.x.x.x

uRPF would allow Vlan100 to use any source IP address except 192.168.0.0/24. Is that correct?

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/secure.html

Thanks!

--
Devon

From hag at linnaean.org Fri Jan 29 16:02:59 2010
From: hag at linnaean.org (Daniel Hagerty)
Date: 29 Jan 2010 16:02:59 -0500
Subject: [c-nsp] Traceroute parser/visualizer
In-Reply-To: 's message of "Thu, 28 Jan 2010 14:04:15 -0600"
References:
Message-ID:

writes:

> Hi,
> I'm looking for some tool/script that takes in traceroute output generated by Cisco devices and graphs it.

The Net::Traceroute perl module could be pretty readily tweaked to do this. There might be one or two places where the output parsing needs to be adjusted, as cisco's output is slightly different from stock LBL traceroute, but only slightly. Also, parsing from text rather than running traceroute on its own isn't officially in the API, but it's easy enough to do anyway.

I'm its maintainer, and am going to look at doing this, as it's all useful functionality that isn't there, but ought to be.

From tony at lava.net Fri Jan 29 16:46:08 2010
From: tony at lava.net (Antonio Querubin)
Date: Fri, 29 Jan 2010 11:46:08 -1000 (HST)
Subject: [c-nsp] Purposed of uRPF's "allow-default" Option?
In-Reply-To: <4B6354A1.7070202@noved.org>
References: <4B6354A1.7070202@noved.org>
Message-ID:

On Fri, 29 Jan 2010, Devon True wrote:

> I am curious what the purpose of uRPF's "allow-default" option is? Based on Cisco's page explaining the command, I interpret that it allows uRPF to match on a default route... but doesn't that defeat the purpose of uRPF?

See below.

> interface Vlan100
>  ip verify unicast source reachable-via any allow-default
> !
> ip route 192.168.0.0 255.255.255.0 null0
> ip route 0.0.0.0 0.0.0.0 x.x.x.x
>
> uRPF would allow Vlan100 to use any source IP address except 192.168.0.0/24. Is that correct?

Yes but that's not the interface where you would apply it. You apply 'allow-default' on your upstream interface that you point your default route to. Ie. if you set your default-route at a particular interface or IP address, then you add urpf 'allow-default' on the interface that leads to your upstream gateway.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From tony at lava.net Fri Jan 29 16:57:08 2010
From: tony at lava.net (Antonio Querubin)
Date: Fri, 29 Jan 2010 11:57:08 -1000 (HST)
Subject: [c-nsp] Purposed of uRPF's "allow-default" Option?
In-Reply-To:
References: <4B6354A1.7070202@noved.org>
Message-ID:

On Fri, 29 Jan 2010, Antonio Querubin wrote:

> Yes but that's not the interface where you would apply it. You apply
                      ^ necessarily
> 'allow-default' on your upstream interface that you point your default route to. Ie. if you set your default-route at a particular interface or IP address, then you add urpf 'allow-default' on the interface that leads to your upstream gateway.

Ie. you normally do not use allow-default on most of your interfaces. You use it only on upstream interfaces.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From devon at noved.org Fri Jan 29 17:01:46 2010
From: devon at noved.org (Devon True)
Date: Fri, 29 Jan 2010 17:01:46 -0500
Subject: [c-nsp] Purposed of uRPF's "allow-default" Option?
In-Reply-To:
References: <4B6354A1.7070202@noved.org>
Message-ID: <4B635ACA.9010603@noved.org>

On 1/29/2010 4:57 PM, Antonio Querubin wrote:
> On Fri, 29 Jan 2010, Antonio Querubin wrote:
>
>> Yes but that's not the interface where you would apply it. You apply
>                       ^ necessarily
>> 'allow-default' on your upstream interface that you point your default route to. Ie. if you set your default-route at a particular interface or IP address, then you add urpf 'allow-default' on the interface that leads to your upstream gateway.
>
> Ie. you normally do not use allow-default on most of your interfaces. You use it only on upstream interfaces.

So it is for the situation where you do not have a full table (so strict and/or loose mode would not work), but you want uRPF on the edge to be able to drop packets whose network is routed to null on your FIB?

--
Devon

From philxor at gmail.com Fri Jan 29 17:04:42 2010
From: philxor at gmail.com (Phil Bedard)
Date: Fri, 29 Jan 2010 17:04:42 -0500
Subject: [c-nsp] 10GE WAN options for 7606 for market data / micro-bursting
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BC79F697@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F697@PUR-EXCH07.ox.com>
Message-ID: <41FBD55F-73C4-4190-8EB5-7392813B0B83@gmail.com>

The ES20 cards have 512MB, the SIP-600 has 256MB, but I think they both say 100ms unidirectional buffering... Is there a chance of congesting the egress interfaces where you would need the larger buffers? They all support LLQ for priority traffic.

Phil

On Jan 29, 2010, at 12:22 PM, Matthew Huff wrote:

> We are planning on moving a large portion of our data center to a colo facility at a financial exchange. We will be using redundant 10-GE connections from our existing pair of 7604 to a new pair of 7606 with Sup720-3B. We won't be doing MPLS/VPN, etc... Just normal L3 routing including PIM sparse mode multicast. Since a significant amount of the traffic will be market data, the line rate will be very bursty including micro-bursts. We will be setting up a series of LLQ queues with Modular QoS CLI and are interested in H-QOS, so I have some questions regarding which 10GB interface.
>
> The choices are:
>
> 1) WS-X6704-10GE. The standard linecard. TX queue of 1p7q8t. 16MB per port buffer
> 2) 7600-ES20-10G3C. TX queue ??? (configurable ???), buffer size ???
> 3) 7600-SIP-600 with SPA-10X1GE. TX queue ???, buffer size ???
>
> The SIP and ES20 may be overkill, maybe not. We aren't doing MPLS or VRF, or QinQ or any other tunneling, but we need the most flexible, best 10GB WAN interface that can help us deal with bursting/QOS.
>
> Any experiences, suggestions, warnings...?
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From tstevens at cisco.com Fri Jan 29 17:10:20 2010
From: tstevens at cisco.com (Tim Stevenson)
Date: Fri, 29 Jan 2010 14:10:20 -0800
Subject: [c-nsp] Purposed of uRPF's "allow-default" Option?
In-Reply-To: <4B6354A1.7070202@noved.org>
References: <4B6354A1.7070202@noved.org>
Message-ID: <201001292210.o0TMALf4026905@sj-core-3.cisco.com>

Hi Devon -

With loose mode uRPF ("reachable-via any"), "allow-default" does mean that any packet will pass the uRPF check (unless the default route goes away).

However, with strict mode uRPF ("reachable-via rx") with allow-default, traffic not matching a more specific prefix only passes the RPF check if it arrives on the interface(s) where the default is learned (and of course, only if the default route is present in the routing table).

Hope that helps,
Tim

At 01:35 PM 1/29/2010, Devon True declared:
>All:
>
>I am curious what the purpose of uRPF's "allow-default" option is? Based on Cisco's page explaining the command, I interpret that it allows uRPF to match on a default route... but doesn't that defeat the purpose of uRPF?
>
>My best guess is that it allows you to set static routes for networks whose source IPs you want to drop (using the null interface) while allowing everything else.
>
>e.g.
>
>interface Vlan100
> ip verify unicast source reachable-via any allow-default
>!
>ip route 192.168.0.0 255.255.255.0 null0
>ip route 0.0.0.0 0.0.0.0 x.x.x.x
>
>uRPF would allow Vlan100 to use any source IP address except 192.168.0.0/24. Is that correct?
>
>http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/secure.html
>
>Thanks!
>
>--
>Devon
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only.
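Tim's two rules (loose mode with allow-default passes anything the default route covers; strict mode with allow-default passes such traffic only on the interface the default is learned through) and the Null0 case in Devon's original config can be checked against a small FIB model. The Python below is an added example, not code from the thread or from Cisco; the route table, interface names and source addresses are constructed samples, and the plain longest-prefix lookup stands in for the platform's CEF/FIB. It also covers the case the thread does not spell out: a source whose route points to Null0 fails the check in both modes, which is what makes the "drop these sources" use of static null routes work.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

NULL_IFACE = "Null0"  # IOS discard interface; a source route to it always fails uRPF


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_ifaces: FrozenSet[str]  # interfaces the prefix is reachable through


def route(prefix: str, *ifaces: str) -> Route:
    return Route(ipaddress.ip_network(prefix), frozenset(ifaces))


class Fib:
    """Minimal longest-prefix-match table standing in for the router's FIB (assumption)."""

    def __init__(self, routes: List[Route]) -> None:
        # Most specific first, so the first hit is the longest match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        a = ipaddress.ip_address(addr)
        for r in self.routes:
            if a in r.prefix:
                return r
        return None


def urpf_check(fib: Fib, src: str, in_iface: str, mode: str = "rx",
               allow_default: bool = False) -> Tuple[bool, str]:
    """Model 'ip verify unicast source reachable-via {rx|any} [allow-default]'.

    'rx' is strict mode (source must be reachable via the ingress interface),
    'any' is loose mode (source must merely be in the FIB). Returns (passes, reason).
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    r = fib.lookup(src)
    if r is None:
        return False, "no route to source"
    if r.prefix.prefixlen == 0 and not allow_default:
        # Only the default route covers the source; without allow-default
        # that does not count as "reachable".
        return False, "source covered only by the default route"
    if NULL_IFACE in r.out_ifaces:
        # Source-based black hole: a Null0 route fails uRPF in both modes.
        return False, "source route points to Null0"
    if mode == "any":
        return True, "loose: source present in FIB"
    if in_iface in r.out_ifaces:
        return True, "strict: source reachable via ingress interface"
    return False, f"strict: source reachable via {sorted(r.out_ifaces)}, not {in_iface}"


# Constructed sample FIB: GigabitEthernet0/0 is the upstream link the default
# route points to, Vlan100/Vlan200 face customers, 192.168.0.0/24 is black-holed.
SAMPLE_FIB = Fib([
    route("0.0.0.0/0", "GigabitEthernet0/0"),
    route("10.1.0.0/16", "Vlan100"),
    route("10.2.0.0/16", "Vlan200"),
    route("192.168.0.0/24", NULL_IFACE),
])


def demo() -> List[Tuple[str, str, str, bool, bool]]:
    """Run the scenarios from the thread; returns (src, iface, mode, allow_default, passes)."""
    cases = [
        ("10.1.5.5", "Vlan100", "rx", False),                # strict, right interface
        ("10.1.5.5", "Vlan200", "rx", False),                # spoofed: wrong interface
        ("203.0.113.9", "GigabitEthernet0/0", "rx", False),  # only the default matches
        ("203.0.113.9", "GigabitEthernet0/0", "rx", True),   # default learned here
        ("203.0.113.9", "Vlan100", "rx", True),              # default not learned here
        ("203.0.113.9", "Vlan100", "any", True),             # loose + allow-default
        ("192.168.0.7", "Vlan100", "any", True),             # Null0 route still drops
    ]
    results = []
    for src, iface, mode, ad in cases:
        ok, why = urpf_check(SAMPLE_FIB, src, iface, mode, ad)
        verdict = "PASS" if ok else "DROP"
        print(f"{src:>12} on {iface:<19} mode={mode:<3} allow-default={str(ad):<5} -> {verdict} ({why})")
        results.append((src, iface, mode, ad, ok))
    return results


if __name__ == "__main__":
    demo()
```

The fourth and fifth cases are Antonio's point: with strict mode, allow-default only helps on the upstream interface the default route points out of, so on a customer-facing Vlan it adds nothing. The last case is Devon's: the Null0 route wins the longest match, so those sources are dropped whether or not allow-default is set.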
From tony at lava.net Fri Jan 29 18:09:52 2010 From: tony at lava.net (Antonio Querubin) Date: Fri, 29 Jan 2010 13:09:52 -1000 (HST) Subject: [c-nsp] Purposed of uRPF's "allow-default" Option? In-Reply-To: <4B635ACA.9010603@noved.org> References: <4B6354A1.7070202@noved.org> <4B635ACA.9010603@noved.org> Message-ID: On Fri, 29 Jan 2010, Devon True wrote: > So it is for the situation where you do not have a full table (so strict > and/or loose mode would not work), but you want uRPF on the edge to be > able to drop packets whose network is routed to null on your FIB? To be able to accept and forward (not drop) packets from networks that are reached by your default route. Hence the term ALLOW-default. Antonio Querubin 808-545-5282 x3003 e-mail/xmpp: tony at lava.net From scottowens12 at gmail.com Fri Jan 29 18:56:04 2010 From: scottowens12 at gmail.com (scott owens) Date: Fri, 29 Jan 2010 17:56:04 -0600 Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer Message-ID: > > 1. Re: Nexus 2000 vs Catalyst 4948 for access layer > (chris at lavin-llc.com) > -------------------------------------------------------------------- > > Message: 1 > Date: Fri, 29 Jan 2010 14:16:59 -0500 > From: chris at lavin-llc.com > To: "Nick Hilliard" > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer > Message-ID: > > Content-Type: text/plain;charset=iso-8859-1 > > > wrt NX-OS vs. IOS, they are two different systems. NX-OS is very young > in > > its development cycle; IOS is much more mature and has many more > features. > > > > Nick > > > I'm curious why you suggest that the NX-OS is very young. My understanding > (I'm not a SAN guy) is that the NX-OS is just a move of bringing the MDS > OS into a routing/switching combination with IOS. > > I had the recent experience of a Nexus CPOC down in RTP. Going into it I > was apprehensive about learning a new OS. But through the CPOC I learned > that it's not that much different from IOS. 
Seemed like they did a decent > job of importing/aliasing the IOS related commands. I didn't feel as lost > within the CLI as I had expected. > > -chris > We have about a dozen 2148Ts connected to 4 Nexus 5Ks and a couple of 7Ks I would absolutely NOT pick the 2148Ts for just switching unless you had some larger data center needs; they and their "parent" 5Ks don't route .. .so we do some ( and we wanted to) vlan tagging on servers to bypass routing. I will say that "show log last 20" is worth every penny :) They are stable if you hook them up right - currently you can not do active/active with a FEX connected to multiple 5Ks & do LACP teaming to servers. Got question - shoot them on over ... From andrew.coates at internode.on.net Fri Jan 29 20:50:48 2010 From: andrew.coates at internode.on.net (andrew) Date: Sat, 30 Jan 2010 12:50:48 +1100 Subject: [c-nsp] BGP inject map question In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F011AB415@XMB-AMS-103.cisco.com> References: <4B601307.1000400@internode.on.net> <4B60964F.8030803@internode.on.net> <6E4D2678AC543844917CA081C9D6B33F011AB415@XMB-AMS-103.cisco.com> Message-ID: <4B639078.2040707@internode.on.net> thax for the reply, thats pretty much my fall back plan, its a little disapointing there isn't a better solution, to me an inject map just seems so neat. cheers > Andrew, > > >> for the cisco people here (hehehe), can i do the following: >> >> use an inject map for a route that is locally originated, i think im >> having issues with the route source ie. >> > > I'm not 100% sure, but looking how this is implemented, it seems like > you can't use the exist-map to match for locally-originated prefixes. > Can you verify your config with a remotely-learnt route (i.e. just > change the exist-map) to verify? > > >> i have been trying and cant get it working, >> basiclly i have an MPLS VPN extranet and lan address of the CE is in >> the same subnet as a /32 host i wish to advertise into the VPN. 
>> > > How about a hack: > > int fas 0/1 > ip address 123.123.123.1 255.255.255.0 > ! > ip route 123.123.123.12 255.255.255.255 fas0/1 123.123.123.12 > > and then do a "redistribute static" or a network entry. > > So you will advertise the /32 as long as the interface is up, which > should achieve the same as your inject-map example. Not very pretty, but > effective? > > oli > > From janasamit at wlink.com.np Sat Jan 30 09:46:17 2010 From: janasamit at wlink.com.np (Samit) Date: Sat, 30 Jan 2010 20:31:17 +0545 Subject: [c-nsp] APS issue on Cisco 7204VXR-NPE-G1 Message-ID: <4B644639.4060107@wlink.com.np> Hi, I am trying to configure the APS on the same router with my provider mux. I have Cisco 7204vxr with dual PA-POS-OC3SMI interface and using c7200-p-mz.124-25b.bin image. My provider has provided me two STM-1 for redundancy from their mux. When primary link goes down it switches back to secondary without any issue, but when primary link comes back again and after 1 min when the link revert to primary it doesn't work ie the link doesn't switch back to primary and traffic stuck due to primary link continues flap. Jan 30 20:11:28.637 NP: APS POS3/0: aps_resend_current_k1k2 Jan 30 20:11:29.641 NP: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS3/0, changed state to down Jan 30 20:11:39.638 NP: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS3/0, changed state to up Jan 30 20:11:58.638 NP: APS POS3/0: aps_resend_current_k1k2 Jan 30 20:11:59.642 NP: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS3/0, changed state to down Jan 30 20:12:09.638 NP: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS3/0, changed state to up The primary link doesn't comes up until, the secondary interface was manually is "shut" and "no shut" or its fiber cable was unplugged and plugged. 
After some debugging and show aps output comparison the only thing I had noticed that APS gives indication in the log that link state administratively down along with line protocol down under normal condition. Jan 30 20:13:21.322 NP: %ENTITY_ALARM-6-INFO: ASSERT INFO PO4/0 Physical Port Administrative State Down But when then the link switch back to primary it doesn't shows the Administratively Down State log indication. It seems to me that APS is not putting the secondary link to "Complete Administrative Down State" and "Alarm Indicate Signal - Line LAIS " was not send back to provider MUX during the APS revert switch back process from secondary to primary. The reason why the primary link doesn't comes up until, the secondary interface was manually is "shut" and "no shut" or its fiber cable was unplugged and plugged, or am I missing something? this is my config: interface Loopback0 ip address 192.168.0.1 255.255.255.255 ! interface POS3/0 description PRIMARY STM-1 ip address 10.0.0.1 255.255.255.252 no ip redirects no ip unreachables no ip proxy-arp no ip mroute-cache load-interval 30 pos ais-shut aps working 1 no cdp enable end interface POS4/0 description STM-1 SECONDARY/PROTECTED STM-1 ip address 10.0.0.1 255.255.255.252 no ip redirects no ip unreachables no ip proxy-arp no ip mroute-cache load-interval 30 pos ais-shut aps revert 1 aps protect 1 192.168.0.1 no cdp enable end Regards, Samit From pavel.skovajsa at gmail.com Sat Jan 30 12:59:52 2010 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Sat, 30 Jan 2010 18:59:52 +0100 Subject: [c-nsp] 10GE WAN options for 7606 for market data / micro-bursting In-Reply-To: <41FBD55F-73C4-4190-8EB5-7392813B0B83@gmail.com> References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F697@PUR-EXCH07.ox.com> <41FBD55F-73C4-4190-8EB5-7392813B0B83@gmail.com> Message-ID: <323aca891001300959u1cf7b2d1x85095e9dd1cf1cb6@mail.gmail.com> The WS-X6704-10GE has: - Xenpacks - only 16MB buffers per port compared to 200MB on WS-X6708 - is 
about 5 years old. I remember this was the first 10G card we used in 6500 back in 2005/6 - traditionally targeted for LAN and DC segment with simple/none QoS -> hence the QoS implementation is simple based on WRR - see http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/tpqoscampus.html#wp1072698 - needs a DFC card for ingress 8q8t - see http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/tpqoscampus.html#wp1072698 Therefore a much better alternative is WS-X6708 or even WS-X6716. However bare in mind that these are also "LAN" cards therefore might not suite your QoS needs. For general QoS architecture on C6500 see http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd803e5269.html. Cisco quickly found out that you cannot do much "sophisticated" stuff with cards above and came with ES product line for service provider segment - which is the ES20 and newer ES+ (http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/tpqoscampus.html#wp1072698). Hope it helps, -Pavel On Fri, Jan 29, 2010 at 11:04 PM, Phil Bedard wrote: > The ES20 cards have 512MB, the SIP-600 has 256MB, but I think they both say 100ms unidirectional buffering... ?Is there a chance of congesting the egress interfaces where you would need the larger buffers? ?They all support LLQ for priority traffic. > > Phil > > > On Jan 29, 2010, at 12:22 PM, Matthew Huff wrote: > >> We are planning on moving a large portion of our data center to a colo facility at an financial exchange. We will be using redundant 10-GE connections from our existing pair of 7604 to a new pair of 7606 with Sup720-3B. We won't be doing MPLS/VPN, etc... Just normal L3 routing including PIM sparse mode multicast. Since a significant amount of the traffic will be market data, the line rate will be very bursty including micro-bursts. We will be setting up a series of LLQ queues with Modular QoS CLI and are interested in H-QOS, so I have some questions regarding which 10GB interface. 
>>
>> The choices are:
>>
>> 1) WS-X6704-10GE. The standard linecard. TX queue of 1p7q8t. 16MB per port buffer
>> 2) 7600-ES20-10G3C. TX queue ??? (configurable ???), buffer size ???
>> 3) 7600-SIP-600 with SPA-10X1GE. TX queue ???, buffer size ???
>>
>> The SIP and ES20 may be overkill, maybe not. We aren't doing MPLS or VRF, or QinQ or any other tunneling, but we need the most flexible, best 10GB WAN interface that can help us deal with bursting/QoS.
>>
>> Any experiences, suggestions, warnings...?
>>
>> ----
>> Matthew Huff       | One Manhattanville Rd
>> OTA Management LLC | Purchase, NY 10577
>> http://www.ox.com  | Phone: 914-460-4039
>> aim: matthewbhuff  | Fax:   914-460-4139
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From pavel.skovajsa at gmail.com Sat Jan 30 13:07:51 2010 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Sat, 30 Jan 2010 19:07:51 +0100 Subject: [c-nsp] 7600 Rate Limiting Output In-Reply-To: <006001caa066$b987e600$2c97b200$@com> References: <000301ca9ca7$d82538f0$886faad0$@com> <006001caa066$b987e600$2c97b200$@com> Message-ID: <323aca891001301007o944be9cw101fdeb716228636@mail.gmail.com>

Hi,

It looks like you are trying to configure this on the WS-X67xy cards, which are basically the LAN/DC cards taken from the 6500. These cards have very limited QoS capabilities as they are targeted for the LAN/DC segment, not for service providers. Hence you cannot expect MUCH.

If you need sophisticated QoS you should buy ES20 or ES+ (http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-549419.html).

To give you some hope, many people have fallen into this "trap" (me for example; there are many more things the WS-X67xy cards cannot do), and it is simply due to not reading the documentation before buying. There is a nice explanation of the 6500/7600 hardware based QoS at http://www.networkworld.com/community/node/43764

-pavel

On Thu, Jan 28, 2010 at 11:10 PM, Kevin Warwashana wrote:
> Anyone have a suggestion/comment?
>
> Thanks,
> Kevin
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kevin Warwashana
> Sent: Saturday, January 23, 2010 10:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 7600 Rate Limiting Output
>
> I was curious what is the best way to limit bandwidth in/out with policy maps. I can apply this inbound on a subinterface:
>
> policy-map 26MB-INPUT
>  class class-default
>   police rate 26000000 bps
>    conform-action transmit
>    exceed-action drop
>
> but the below won't apply in the outbound direction:
>
> policy-map 26MB-OUTPUT
>  class class-default
>   police rate 26000000 bps
>    conform-action transmit
>    exceed-action drop
>
> Gives me:
>
> int gig4/0/0.8
>  service-policy output 26MB-OUTPUT
> Police and strict priority must be configured together for egress QOS.
> Invalid feature combination for the class class-default
> Configuration failed
>
> Any help would be appreciated! I miss the rate-limiting command from 7200 routers :).
>
> Kevin

From kevinw at telnetww.com Sat Jan 30 13:29:54 2010 From: kevinw at telnetww.com (Kevin Warwashana) Date: Sat, 30 Jan 2010 13:29:54 -0500 Subject: [c-nsp] 7600 Rate Limiting Output In-Reply-To: <323aca891001301007o944be9cw101fdeb716228636@mail.gmail.com> References: <000301ca9ca7$d82538f0$886faad0$@com> <006001caa066$b987e600$2c97b200$@com> <323aca891001301007o944be9cw101fdeb716228636@mail.gmail.com> Message-ID: <00db01caa1da$38260a40$a8721ec0$@com>

Actually I am using a SIP-600 with a SPA-5X1GE.

Kevin

-----Original Message-----
From: Pavel Skovajsa [mailto:pavel.skovajsa at gmail.com]
Sent: Saturday, January 30, 2010 1:08 PM
To: Kevin Warwashana
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7600 Rate Limiting Output

From pavel.skovajsa at gmail.com Sat Jan 30 13:44:28 2010 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Sat, 30 Jan 2010 19:44:28 +0100 Subject: [c-nsp] 7600 Rate Limiting Output In-Reply-To: <00db01caa1da$38260a40$a8721ec0$@com> References: <000301ca9ca7$d82538f0$886faad0$@com> <006001caa066$b987e600$2c97b200$@com> <323aca891001301007o944be9cw101fdeb716228636@mail.gmail.com> <00db01caa1da$38260a40$a8721ec0$@com> Message-ID: <323aca891001301044o3afa64c3ke7ff5cac7ee0910e@mail.gmail.com>

Well, that kind of makes my earlier post not relevant.

Anyway, I noticed that you are trying to police egress. I don't know about SIP-600 but normally this is not possible - you need to SHAPE. So change police to shape.

-pavel

On Sat, Jan 30, 2010 at 7:29 PM, Kevin Warwashana wrote:
> Actually I am using a SIP-600 with a SPA-5X1GE.
>
> Kevin

From panas4 at yahoo.com Sat Jan 30 16:22:04 2010 From: panas4 at yahoo.com (Dimitris Pantzartzis) Date: Sat, 30 Jan 2010 13:22:04 -0800 (PST) Subject: [c-nsp] 7206 input, ignored and rx_resource_error errors Message-ID: <921900.41655.qm@web51402.mail.re2.yahoo.com>

I have errors on a GE interface. The error count is the same for input, ignored and rx_resource_error; there are no overrun errors, and I have:

Input queue: 0/75/3/0 (size/max/drops/flushes); Total output drops: 0

Any ideas what might cause this and how to resolve it? See below:

lax_router7206_2#sh ver
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.4(15)T11, RELEASE SOFTWARE (fc2)
Cisco 7206VXR (NPE-G2) processor (revision A) with 1966080K/65536K bytes of memory.
Processor board ID 31781651
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
6 slot VXR midplane, Version 2.7
Last reset from power-on
PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb1 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor Hardware Configuration Guidelines" on Cisco.com for c7200 bandwidth points oversubscription and usage guidelines.
1 FastEthernet interface
3 Gigabit Ethernet interfaces
4 Serial interfaces
4 Channelized T1/PRI ports
2045K bytes of NVRAM.
250880K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
65536K bytes of Flash internal SIMM (Sector size 512K).

>sh int gigabitethernet 0/3
GigabitEthernet0/3 is up, line protocol is up
  Hardware is MV64460 Internal MAC, address is 0011.20a5.a019 (bia 0011.20a5.a019)
  Description: Primary LAN Interface
  Internet address is 10.0.5.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  output flow-control is XON, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters 01:42:58
  Input queue: 0/75/3/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 4116000 bits/sec, 3718 packets/sec
  5 minute output rate 4106000 bits/sec, 3393 packets/sec
     32370673 packets input, 3809839544 bytes, 0 no buffer
     Received 4204 broadcasts, 0 runts, 0 giants, 0 throttles
     236 input errors, 0 CRC, 0 frame, 0 overrun, 236 ignored
     0 watchdog, 4428 multicast, 0 pause input
     0 input packets with dribble condition detected
     26599809 packets output, 3642106327 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

show controllers:
Internal Driver Information:
  RX Ring base: 0xD7FC6000  TX Ring base: 0xD7FC7000
  Software RX Head: 0xD7FC6540  Hardware RX Head: 0xD7FC6DA0
  Software TX Head: 0xD7FC8960  Hardware TX Head: 0xD7FC8980
  ring sizes: RX = 128, TX = 256
  rx_particle_size: 512
  rx_pak = 0x06762BF8  rx_head = 42  rx_discard = FALSE
  tx_head = 203, tx_count = 0
  chip_state = 2, ds->tx_limited = 0
  throttled = 0, enabled = 0, disabled = 13
  reset=6(init=1, restart=5), auto_restart=6
  tx_underflow = 0, tx_overflow = 0, tx_end_count = 50636739
  rx_nobuffer = 0, rx_overrun = 0
  rx_no_descriptors = 0, rx_interrupt_count = 19562530
  rx_crc_error = 0, rx_too_big = 0, rx_resource_error = 236
  rx_sop_eop_error = 0
  tqc = 0xF1002C48, cause = 0xF1002C60, cause_ext = 0xF1002C64
Address Filter:
  Promiscuous mode OFF
  (All other entries are empty)

From rjs at eng.gxn.net Sat Jan 30 17:18:41 2010 From: rjs at eng.gxn.net (Rob Shakir) Date: Sat, 30 Jan 2010 22:18:41 +0000 Subject: [c-nsp] 7600 Rate Limiting Output In-Reply-To: <000301ca9ca7$d82538f0$886faad0$@com> References: <000301ca9ca7$d82538f0$886faad0$@com> Message-ID:

On 24 Jan 2010, at 03:46, Kevin Warwashana wrote:
>>
>> int gig4/0/0.8
>>  service-policy output 26MB-OUTPUT
>> Police and strict priority must be configured together for egress QOS.
>> Invalid feature combination for the class class-default
>> Configuration failed

This looks like what you see on ES-20 when trying a similar configuration. It implies that one must configure an LLQ to be able to police. Therefore to achieve this, you can do:

policy-map POLICY-POLICE-26MBPS-OUT
 class class-default
  police cir 26000000 conform-action transmit exceed-action drop
  ! forced to be an llq
  priority
 !
!

However, interestingly, the configuration that you supplied appears to be configurable on SIP-400 w/ SPA-2x1GE:

7600#sh policy-map RJS-TEST
  Policy Map RJS-TEST
    Class class-default
      police rate 26000000 bps
        conform-action transmit
        exceed-action drop

7600#sh run int giga1/0/0.4011
Building configuration...

Current configuration : 239 bytes
!
interface GigabitEthernet1/0/0.4011
 encapsulation dot1Q 4011
 ip address 192.168.88.42 255.255.255.0
 ip vrf forwarding RJS-TEST
 service-policy input POLICY-SET-IP-DSCP-DEFAULT
 service-policy output RJS-TEST
end

This may be due to the fact that the datasheet for SIP-400 [0] says that it supports "egress queueing", whereas SIP-600 [1] states only "egress shaping".

If you don't have inter-op requirements, can you configure it as a shaper with a very short queue length, so that you start to emulate policing? Alternatively, it might be worth checking whether you can configure a shaper at class-default, with an attached service-policy that can then police under this.

Hope this helps!

Kind regards,
Rob

[0]: http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8027c9e6.html
[1]: http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8033998f_ps708_Products_Data_Sheet.html

-- 
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077 mob: +44797 155 4098
pgp: 0xc07e6deb nic-hdl: RJS-RIPE
This email is subject to: http://www.vialtus.com/disclaimer.html

From rjs at eng.gxn.net Sat Jan 30 17:04:53 2010 From: rjs at eng.gxn.net (Rob Shakir) Date: Sat, 30 Jan 2010 22:04:53 +0000 Subject: [c-nsp] 10GE WAN options for 7606 for market data / micro-bursting In-Reply-To: <323aca891001300959u1cf7b2d1x85095e9dd1cf1cb6@mail.gmail.com> References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F697@PUR-EXCH07.ox.com> <41FBD55F-73C4-4190-8EB5-7392813B0B83@gmail.com> <323aca891001300959u1cf7b2d1x85095e9dd1cf1cb6@mail.gmail.com> Message-ID: <17A7BFB0-FBFA-4605-97D4-B96B9744272B@eng.gxn.net>

On 30 Jan 2010, at 17:59, Pavel Skovajsa wrote:
> Cisco quickly found out that you cannot do much "sophisticated" stuff with the cards above and came up with the ES product line for the service provider segment - which is the ES20 and newer ES+ (http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/tpqoscampus.html#wp1072698).

If you are going to spend the money on ES, a few words of warning about ES-20. It is very limited in terms of what the card can actually do in terms of QoS (for example, there's no tuneable Tc for any policy) - additionally, everything needs to be under a class-default on sub-interfaces, for example. We found that this has severely limited a number of QoS deployments that we've tried to do. SIP-400 is actually better than ES-20 - I'd look at ES+20/ES+40 for your requirements. LAN cards don't seem the best way to go if you need such strict control.

However, I'd put together a strict statement of requirements and get Cisco to demonstrate that the card meets your demands before you go forward. The 7600 platform can have a nasty habit of biting you back.

I can probably share more details of the ES off-list if you need them!

Cheers,
Rob

From mhuff at ox.com Sat Jan 30 19:12:45 2010 From: mhuff at ox.com (Matthew Huff) Date: Sat, 30 Jan 2010 19:12:45 -0500 Subject: [c-nsp] 10GE WAN options for 7606 for market data / micro-bursting In-Reply-To: <17A7BFB0-FBFA-4605-97D4-B96B9744272B@eng.gxn.net> References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F697@PUR-EXCH07.ox.com> <41FBD55F-73C4-4190-8EB5-7392813B0B83@gmail.com> <323aca891001300959u1cf7b2d1x85095e9dd1cf1cb6@mail.gmail.com> <17A7BFB0-FBFA-4605-97D4-B96B9744272B@eng.gxn.net> Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F6AB@PUR-EXCH07.ox.com>

Thanks. I had missed the ES+ line cards since they are a bit obscured on the main web page of the 7600. I'm definitely going to run everything by/through Cisco, but my experience is that if you don't know enough to ask the right questions, you end up with whatever hardware they are pushing that quarter.

-----Original Message-----
From: Rob Shakir [mailto:rjs at eng.gxn.net]
Sent: Saturday, January 30, 2010 5:05 PM
To: Matthew Huff
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 10GE WAN options for 7606 for market data / micro-bursting

From yanf787 at yahoo.com Sat Jan 30 21:22:41 2010 From: yanf787 at yahoo.com (Yan Filyurin) Date: Sat, 30 Jan 2010 18:22:41 -0800 (PST) Subject: [c-nsp] BGP inject map question Message-ID: <97881.76172.qm@web58705.mail.re1.yahoo.com>

Well, the problem is that you are originating the route as opposed to receiving it, so it would not come from anywhere.
Not sure if this could even work. What if you tried it without a route source or by redistributing connected instead of a network statement? Most likely it won't work either. But would you be able to define a static route for that /32, point it to the CE even though it is in the same subnet, and redistribute it into BGP? That way you could have your /32 in the table without the inject map. Could it work for you? I tried it on newer IOS, but this static route trick might be as old as the Earth itself. I don't know how well it would work in a VRF environment, but you could associate it with that VRF and define various community attributes.

Yan

________________________________
From: andrew
To: cisco-nsp at puck.nether.net
Sent: Wed, January 27, 2010 2:38:55 PM
Subject: [c-nsp] BGP inject map question

> for the cisco people here (hehehe), can I do the following:
>
> use an inject map for a route that is locally originated; I think I'm having issues with the route source, i.e.
>
> int fas 0/1
>  ip address 123.123.123.1 255.255.255.0
>
> router bgp 1
>  neigh blah remote-as blah
>  network 123.123.123.0 mask 255.255.255.0 route-map filter
>  bgp inject-map INJECT exist-map EXIST
>
> route-map INJECT
>  set ip address prefix-list INJECT
>
> route-map EXIST
>  match ip address prefix-list EXIST
>  match ip route-source HOST
>
> route-map filter
>  set community no-export
>
> ip prefix-list INJECT permit 123.123.123.12/32
> ip prefix-list EXIST permit 123.123.123.0/24
> ip prefix-list HOST permit ???????????? (have tried 0.0.0.0/32 and the bgp router id)
>
> I have typed this by hand so the syntax might not be 100% accurate.
>
> I have been trying and can't get it working.
> Basically I have an MPLS VPN extranet and the LAN address of the CE is in the same subnet as a /32 host I wish to advertise into the VPN.
>
> I'm running an old IOS on this router, 12.3 adv ip services
>
> cheers
>
> Andrew

From kevinw at telnetww.com Sat Jan 30 22:18:56 2010 From: kevinw at telnetww.com (Kevin Warwashana) Date: Sat, 30 Jan 2010 22:18:56 -0500 Subject: [c-nsp] 7600 Rate Limiting Output In-Reply-To: References: <000301ca9ca7$d82538f0$886faad0$@com> Message-ID: <001b01caa224$1fbd9140$5f38b3c0$@com>

I was able to use the below configuration and it appears to max out the connection pretty close to 26Mb. I did have to tinker with the queue size since the default (3300+) would allow traffic to exceed and a size of 5 didn't seem to work very well.

policy-map 26MB-OUTPUT
 class class-default
  shape average 26000000
  queue-limit 100 packets
  bandwidth 26000

You mentioned "configure a shaper at class-default, with an attached service-policy" which I believe would be adding a service policy to the policy map, but got:

policy-map 26MB-RATE
 class class-default
  police cir 26000000 conform-action transmit exceed-action drop
policy-map 26MB-OUTPUT
 class class-default
  shape average 26000000
  queue-limit 100 packets
  bandwidth 26000
  service-policy 26MB-RATE

Only 'shape' and 'bandwidth remaining ratio' actions are supported in parent classes for this interface.
Only 'shape' and 'bandwidth remaining ratio' actions are supported in parent classes for this interface.
Only 'shape' and 'bandwidth remaining ratio' actions are supported in parent classes for this interface.

Please let me know if I misunderstand your statement. Greatly appreciate the follow up emails.

Thanks,
Kevin

-----Original Message-----
From: Rob Shakir [mailto:rjs at eng.gxn.net]
Sent: Saturday, January 30, 2010 5:19 PM
To: Kevin Warwashana
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7600 Rate Limiting Output

From matt at overloaded.net Sun Jan 31 05:05:36 2010 From: matt at overloaded.net (Matt Buford) Date: Sun, 31 Jan 2010 04:05:36 -0600 Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea? In-Reply-To: <4B5EE8C6.40106@darkman.de> References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com> <4B5EE8C6.40106@darkman.de> Message-ID: <8e157ab41001310205n600a64bbs7db9deb57d3998a8@mail.gmail.com>

On Tue, Jan 26, 2010 at 7:06 AM, Sven 'Darkman' Michels wrote:
>
> Now the problem: ping from 6509:
>
> c6509#ping ip xx.xx.xx.13 repeat 5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
> ..!.!
>

Your basic PVLAN configuration looks good. Try disabling ARP inspection, DHCP snooping, and ip verify unicast. Enabling extra features often breaks things, so I think it is best for you to test with the simplest config. If that doesn't do it, try upgrading code to at least SXF. You could also perhaps try pinging from a host behind the 6500 instead of pinging from the 6500 management interface itself (though you SHOULD be able to ping from the router, and I can on my PVLANs).
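The 7600 rate-limiting exchange above between Kevin, Pavel and Rob comes down to the difference between policing and shaping on egress, and to Rob's suggestion that a shaper with a very short queue starts to emulate a policer. The simulation below is an added example, not code from the list, from Cisco or from any of the posters. It pushes a constructed trace of three 20-packet micro-bursts through a single-rate token-bucket policer (the model behind "police cir ... conform-action transmit exceed-action drop") and through a shaper with a bounded FIFO (the model behind "shape average" plus "queue-limit N packets") and reports what each does with the bursts. The 26 Mb/s rate matches the thread; the 9000-byte Bc, the 1500-byte packets, the 10 ms burst spacing and the queue limits of 8 and 100 packets are assumptions chosen to make the behaviour visible, and the shaper model ignores framing overhead and the hardware's real scheduling granularity.

```python
"""Policer vs shaper on a bursty trace: token bucket vs bounded FIFO.
Added example; the trace, rates and bucket sizes are assumptions."""
from collections import deque


def burst_trace(bursts=3, gap_us=10_000, pkts=20, size=1500):
    """Constructed input (not a capture): `bursts` bursts of `pkts` back-to-back
    `size`-byte packets 1 us apart, one burst every `gap_us` microseconds."""
    return [(b * gap_us + i, size) for b in range(bursts) for i in range(pkts)]


def police(packets, cir_bps, bc_bytes):
    """Single-rate token-bucket policer ('police cir <cir> bc <bc> conform transmit
    exceed drop'). packets: list of (arrival_us, size_bytes).
    Returns (transmitted, dropped). A policer never queues: a packet either fits
    in the bucket at its arrival instant or is discarded."""
    tokens = bc_bytes                       # bucket starts full
    last_us = packets[0][0] if packets else 0
    transmitted, dropped = [], []
    for t, size in packets:
        # refill at CIR since the previous packet, capped at the burst size Bc
        tokens = min(bc_bytes, tokens + (t - last_us) * cir_bps / 8_000_000)
        last_us = t
        if size <= tokens:
            tokens -= size
            transmitted.append((t, size))   # conform-action transmit, no delay
        else:
            dropped.append((t, size))       # exceed-action drop
    return transmitted, dropped


def shape(packets, rate_bps, queue_limit):
    """Shaper: packets wait in a FIFO holding at most `queue_limit` packets and
    are serialised one after another at `rate_bps` ('shape average' with
    'queue-limit N packets'). Returns (departed, dropped); departed entries are
    (arrival_us, start_of_transmission_us, size). Excess is delayed, not
    dropped, until the FIFO is full; only then does tail drop start."""
    next_free_us = 0.0
    in_flight = deque()                     # finish times of packets still queued
    departed, dropped = [], []
    for t, size in packets:
        while in_flight and in_flight[0] <= t:   # fully transmitted packets leave
            in_flight.popleft()
        if len(in_flight) >= queue_limit:
            dropped.append((t, size))       # tail drop
            continue
        start = max(t, next_free_us)
        next_free_us = start + size * 8_000_000 / rate_bps
        in_flight.append(next_free_us)
        departed.append((t, start, size))
    return departed, dropped


def compare(packets, cir_bps, bc_bytes, queue_limit):
    """Run both disciplines over the same trace and summarise the outcome."""
    p_tx, p_drop = police(packets, cir_bps, bc_bytes)
    s_tx, s_drop = shape(packets, cir_bps, queue_limit)
    return {
        "police_tx": len(p_tx), "police_drop": len(p_drop),
        "shape_tx": len(s_tx), "shape_drop": len(s_drop),
        "shape_max_delay_us": max((d - a for a, d, _ in s_tx), default=0.0),
    }


if __name__ == "__main__":
    trace = burst_trace()
    for qlim in (8, 100):
        print(f"queue-limit {qlim:>3}: {compare(trace, 26_000_000, 9_000, qlim)}")
```

The policer forwards only the first Bc bytes of each burst, with no delay, and discards the rest of the burst on the spot; the shaper absorbs the same burst into its queue, delays it by milliseconds and drops only once the queue is full. With a queue of 8 packets the shaper's accept/drop counts land close to the policer's, which is the trade-off behind the queue-limit tuning in the thread: on a shaper the queue depth, not Bc, decides how much of a burst gets through, and a deep queue smooths bursts instead of discarding them.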
From matt at overloaded.net Sun Jan 31 05:27:58 2010 From: matt at overloaded.net (Matt Buford) Date: Sun, 31 Jan 2010 04:27:58 -0600 Subject: [c-nsp] Busting up VLANs and bridging In-Reply-To: References: Message-ID: <8e157ab41001310227ld5e1060v5db2bfa2334bcdbe@mail.gmail.com> On Thu, Jan 28, 2010 at 6:44 PM, Security Team wrote: > What is the "right" way to combine IP layer 3 traffic so that it can go to > multiple VLANs? I'm working with a Catalyst 65xx setup. > > For example, I am starting from a working setup that looks something like > this: > > interface GigabitEthernet4/1 > speed auto > switchport > switchport access vlan 247 > ! > interface GigabitEthernet4/2 > speed auto > switchport > switchport access vlan 248 > ! > interface Vlan247 > ip address 192.168.247.1 255.255.255.0 > ! > interface Vlan248 > ip address 192.168.248.1 255.255.255.0 > > Now, if I wanted to actually have a server 192.168.247.36 in Vlan247, but I > want to make that server become a bridge so that I can give it other IP > addresses in other blocks how would I do that? > > So let's say the *.247.36 IP of the server is working, but I want to change > my setup so that the server also has 192.168.248.64/29 on it (i.e. I am > busting up the .248. Netblock from a /24 to smaller blocks that will be on > different servers). > > How would I go about doing this? > In general, you should not try to break up a larger subnet that is already on another interface unless you remove the larger subnet from the existing interface. Having more specifics carved out of a subnet on an interface is messy and just a bad idea. However, it can be done. ip route 192.168.248.64 255.255.255.248 192.168.247.36 Then, on your server 192.168.248.36, bring up a secondary IP 192.168.248.65 mask 255.255.255.248. It should just work. Some might ask, "How will other servers on VLAN 248 reach 192.168.24.65? Won't they think it is local and try to ARP it with a broadcast on VLAN 248?" Yes, they will. 
However, because the 6500 has a more specific route leading elsewhere and proxy ARP isn't disabled, the 6500 will answer ARPs on VLAN 248 for 192.168.248.64/29 IPs with the 6500's own MAC. Hosts on VLAN 248 will then send packets destined for that smaller subnet to the router, which will then forward it on to follow the static route out VLAN 247. You can also do this to route /32s elsewhere. Just configure the secondary IP on the server with a netmask of 255.255.255.255. Windows won't let you enter an interface IP with a /32 mask, but most/all Unix systems will. If you need to do it for a short term problem, fine, but I really suggest you rethink what you are trying to do if this is something you want permanent. From matt at overloaded.net Sun Jan 31 05:40:39 2010 From: matt at overloaded.net (Matt Buford) Date: Sun, 31 Jan 2010 04:40:39 -0600 Subject: [c-nsp] Card Throughput - 6148A-GE-TX In-Reply-To: <000701caa104$c4ad6700$4e083500$@org> References: <000701caa104$c4ad6700$4e083500$@org> Message-ID: <8e157ab41001310240le80f4b4o61177233d9c13fed@mail.gmail.com> On Fri, Jan 29, 2010 at 11:01 AM, Paul Stewart wrote: > We are aware of what the entire card is capable of (2 Gb/s), but is there > any way to see how much is being utilized from within IOS itself? We can > start counting up all the ports but is there an easier way? ;) > > Relating to this, is the card limited to 2Gb/s total or 1Gb/s per half? > We > have a situation with a couple of these cards where they are pushing the > potential limits and we want to make sure.. > Each range of 8 ports (1-8, 9-16, 17-24, 25-32, 33-40, 41-48) has an ASIC. Each ASIC can do a max of 1 Gb in each direction. If all ports on a group of 8 were to upload and download, their combined throughput would be 1 Gb upload and 1 Gb download. If all ports on the card were to upload and download at the same time, the combined throughput would be 6 Gb upload and 6 Gb download (1 Gb per group with 6 groups). 
For details, including counters for dropped packets due to this issue:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801751d7.shtml#ASIC

From rjs at eng.gxn.net Sun Jan 31 06:26:43 2010
From: rjs at eng.gxn.net (Rob Shakir)
Date: Sun, 31 Jan 2010 11:26:43 +0000
Subject: [c-nsp] 7600 Rate Limiting Output
In-Reply-To: <001b01caa224$1fbd9140$5f38b3c0$@com>
References: <000301ca9ca7$d82538f0$886faad0$@com> <001b01caa224$1fbd9140$5f38b3c0$@com>
Message-ID: <1CE727FA-17E7-4322-93BF-20973987DEE4@eng.gxn.net>

On 31 Jan 2010, at 03:18, Kevin Warwashana wrote:

> I was able to use the below configuration and it appears to max out the
> connection pretty close to 26mb. I did have to tinker with the queue size
> since the default (3300+) would allow traffic to exceed and a size of 5
> didn't seem to work very well.
>
> policy-map 26MB-OUTPUT
>  class class-default
>   shape average 26000000
>   queue-limit 100 packets
>   bandwidth 26000
>
> You mentioned "configure a shaper at class-default, with an attached
> service-policy" which I believe would be adding a service policy to the
> policy map, but got:

What I meant was this:

policy-map RJS-TEST
 class class-default
  shape average 30000000
  service-policy RJS-CHILD-TEST
!
policy-map RJS-CHILD-TEST
 class class-default
  police cir 26000000 conform-action transmit exceed-action drop
!

Which is something that one can apply on SIP-400:

7600#sh run int giga1/0/0.4011
Building configuration...

Current configuration : 239 bytes
!
interface GigabitEthernet1/0/0.4011
 encapsulation dot1Q 4011
 ip address 192.168.88.42 255.255.255.0
 ip vrf forwarding RJS-TEST
 shutdown
 service-policy input POLICY-SET-IP-DSCP-DEFAULT
 service-policy output RJS-TEST
end

Out of interest - what IOS are you running on the 7600 in question?
Kind regards,
Rob

--
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077
mob: +44797 155 4098
pgp: 0xc07e6deb
nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html

From petelists at templin.org Sun Jan 31 09:06:20 2010
From: petelists at templin.org (Pete Templin)
Date: Sun, 31 Jan 2010 08:06:20 -0600
Subject: [c-nsp] Card Throughput - 6148A-GE-TX
In-Reply-To: <8e157ab41001310240le80f4b4o61177233d9c13fed@mail.gmail.com>
References: <000701caa104$c4ad6700$4e083500$@org> <8e157ab41001310240le80f4b4o61177233d9c13fed@mail.gmail.com>
Message-ID: <4B658E5C.2080103@templin.org>

Matt Buford wrote:
> Each range of 8 ports (1-8, 9-16, 17-24, 25-32, 33-40, 41-48) has an ASIC.
> Each ASIC can do a max of 1 Gb in each direction. If all ports on a group
> of 8 were to upload and download, their combined throughput would be 1 Gb
> upload and 1 Gb download. If all ports on the card were to upload and
> download at the same time, the combined throughput would be 6 Gb upload and
> 6 Gb download (1 Gb per group with 6 groups).

I've also heard that there's a 1Gbps limit on EtherChannels - apparently
EtherChannel packets have to be sent to each ASIC, so building any
EtherChannels on the card could be detrimental.

pt

From paul at paulstewart.org Sun Jan 31 09:27:07 2010
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 31 Jan 2010 09:27:07 -0500
Subject: [c-nsp] Card Throughput - 6148A-GE-TX
In-Reply-To: <4B658E5C.2080103@templin.org>
References: <000701caa104$c4ad6700$4e083500$@org> <8e157ab41001310240le80f4b4o61177233d9c13fed@mail.gmail.com> <4B658E5C.2080103@templin.org>
Message-ID: <001e01caa281$775f36d0$661da470$@org>

Thanks to everyone for the on-list/off-list replies. We were of the
understanding it was 2Gb/s which I was obviously wrong on - this keeps us
"out of trouble" for the time being thankfully.
No etherchannel on these cards either ;)

Cheers,

Paul

-----Original Message-----
From: Pete Templin [mailto:petelists at templin.org]
Sent: January-31-10 9:06 AM
To: Matt Buford
Cc: Paul Stewart; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Card Throughput - 6148A-GE-TX

Matt Buford wrote:
> Each range of 8 ports (1-8, 9-16, 17-24, 25-32, 33-40, 41-48) has an ASIC.
> Each ASIC can do a max of 1 Gb in each direction. If all ports on a group
> of 8 were to upload and download, their combined throughput would be 1 Gb
> upload and 1 Gb download. If all ports on the card were to upload and
> download at the same time, the combined throughput would be 6 Gb upload and
> 6 Gb download (1 Gb per group with 6 groups).

I've also heard that there's a 1Gbps limit on EtherChannels - apparently
EtherChannel packets have to be sent to each ASIC, so building any
EtherChannels on the card could be detrimental.

pt

From kevinw at telnetww.com Sun Jan 31 10:20:57 2010
From: kevinw at telnetww.com (Kevin Warwashana)
Date: Sun, 31 Jan 2010 10:20:57 -0500
Subject: [c-nsp] 7600 Rate Limiting Output
In-Reply-To: <1CE727FA-17E7-4322-93BF-20973987DEE4@eng.gxn.net>
References: <000301ca9ca7$d82538f0$886faad0$@com> <001b01caa224$1fbd9140$5f38b3c0$@com> <1CE727FA-17E7-4322-93BF-20973987DEE4@eng.gxn.net>
Message-ID: <003d01caa288$fd0055b0$f7010110$@com>

I have the same config as your example, but created the additional
policy-map first in order to apply it. It didn't take so it was missing from
policy-map 26MB-OUTPUT. Looks to be a feature limitation of the SIP-600. I
am running 12.2.33 SRD3. Looks like my only option is to shape and not
police egress.
Thanks,

Kevin

-----Original Message-----
From: Rob Shakir [mailto:rjs at eng.gxn.net]
Sent: Sunday, January 31, 2010 6:27 AM
To: Kevin Warwashana
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7600 Rate Limiting Output

On 31 Jan 2010, at 03:18, Kevin Warwashana wrote:

> I was able to use the below configuration and it appears to max out the
> connection pretty close to 26mb. I did have to tinker with the queue size
> since the default (3300+) would allow traffic to exceed and a size of 5
> didn't seem to work very well.
>
> policy-map 26MB-OUTPUT
>  class class-default
>   shape average 26000000
>   queue-limit 100 packets
>   bandwidth 26000
>
> You mentioned "configure a shaper at class-default, with an attached
> service-policy" which I believe would be adding a service policy to the
> policy map, but got:

What I meant was this:

policy-map RJS-TEST
 class class-default
  shape average 30000000
  service-policy RJS-CHILD-TEST
!
policy-map RJS-CHILD-TEST
 class class-default
  police cir 26000000 conform-action transmit exceed-action drop
!

Which is something that one can apply on SIP-400:

7600#sh run int giga1/0/0.4011
Building configuration...

Current configuration : 239 bytes
!
interface GigabitEthernet1/0/0.4011
 encapsulation dot1Q 4011
 ip address 192.168.88.42 255.255.255.0
 ip vrf forwarding RJS-TEST
 shutdown
 service-policy input POLICY-SET-IP-DSCP-DEFAULT
 service-policy output RJS-TEST
end

Out of interest - what IOS are you running on the 7600 in question?
Kind regards,
Rob

--
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077
mob: +44797 155 4098
pgp: 0xc07e6deb
nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html

From merlyn at Geeks.ORG Sun Jan 31 10:39:23 2010
From: merlyn at Geeks.ORG (Doug McIntyre)
Date: Sun, 31 Jan 2010 09:39:23 -0600
Subject: [c-nsp] Policer on c4503
In-Reply-To: <4B629163.3060207@gmail.com>
References: <4B629163.3060207@gmail.com>
Message-ID: <20100131153923.GC1461@geeks.org>

On Fri, Jan 29, 2010 at 10:42:27AM +0300, Mikisa Richard wrote:
> Hi all,
>
> Any ideas why the Policer policy below does not work. Intention is for
> me to lock down traffic to 3Mbps both ways on interface g3/11.
>
> !!
> class-map match-all ROKE-LIMIT
>  match access-group name ROKE-SLAP
> !
> policy-map POLICY-ROKE
>  class ROKE-LIMIT
>   police 3000000 bps 30000 byte conform-action transmit exceed-action drop
> !
> interface GigabitEthernet3/11
>  description link to ROKE
>  no switchport
>  ip address x.x.x.x
>  service-policy input POLICY-ROKE
>  service-policy output POLICY-ROKE

Looks like the correct thing, assuming the access-group traffic is being
matched. Do you have 'qos' enabled? It's off by default on the 4500. Just a
simple 'qos' as a config option in this platform.

From omar.parihuana at gmail.com Sun Jan 31 11:31:50 2010
From: omar.parihuana at gmail.com (omar parihuana)
Date: Sun, 31 Jan 2010 11:31:50 -0500
Subject: [c-nsp] QoS for MetroEthernet
Message-ID: <834c50111001310831rd07731cw6f3d9525229546c3@mail.gmail.com>

Hello,

I'm facing a strange problem that I think is a QoS configuration issue; I've
tried some conf without success. The situation is as follows:

Actually I have a 1Mbps Serial link between two remote branches and one
application in particular: a SQL client/server application that works fine.
(There are other apps but they are not relevant now.)
We've contracted a MetroEthernet Link at 1Mbps between the same branches (in
order to replace the current serial link). In each site I put a router;
after migrating, the SQL app didn't work (it got stuck for a long time).
Therefore I decided to raise a GRE tunnel between both sites, applied QoS
conf, adjusted the tcp mss without success; all is working well (additional
apps and voice traffic) but the SQL app didn't work. I don't know what's
happening with this app, but if you have faced the same problem, or I need
to take special considerations for a MetroEthernet Link, your comments will
be appreciated.

I paste my conf:

!
!
policy-map child13
 class VOIP-TRAFFIC
  priority 200
 class DATA-IMPORTANT
  bandwidth percent 60
 class class-default
  fair-queue
policy-map tunnel13
 class class-default
  shape average 1024000
  service-policy child13
!
!
!
interface Tunnel13
 bandwidth 1000
 ip address 10.1.13.1 255.255.255.0
 ip tcp adjust-mss 1440
 load-interval 30
 qos pre-classify
 tunnel source 172.21.1.17
 tunnel destination 172.21.1.19
 service-policy output tunnel13
!
interface FastEthernet0/0
 description LAN interface
 ip address 172.16.96.6 255.255.252.0
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description MAN interface
 bandwidth 3000
 ip address 172.21.1.17 255.255.255.248
 no ip proxy-arp
 load-interval 30
 speed 100
 full-duplex

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
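Added example, not part of the thread: a Python check of how much room a GRE tunnel leaves for the TCP MSS clamp in the config above (`ip tcp adjust-mss 1440`). The 24-byte GRE-over-IPv4 overhead (20-byte outer IP header plus 4-byte GRE header) is standard; the 1500-byte and 1480-byte path MTUs tried below are assumptions, not figures from the thread.

```python
"""Size a GRE tunnel's TCP MSS clamp against the underlying path MTU.
Added example; the path MTU values used here are assumptions."""
from dataclasses import dataclass
from typing import Dict

IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options
GRE_HDR = 4    # plain GRE header (no key or sequence number fields)


@dataclass(frozen=True)
class MssCheck:
    path_mtu: int     # MTU of the underlying (outer) path
    tunnel_mtu: int   # largest inner IP packet that fits after encapsulation
    max_mss: int      # largest MSS whose full segment still fits
    outer_size: int   # on-the-wire size of a full segment for the tested MSS
    fits: bool        # True when outer_size <= path_mtu (no fragmentation)


def gre_tunnel_mtu(path_mtu: int, extra_gre: int = 0) -> int:
    """Inner MTU for GRE over IPv4; extra_gre covers optional GRE fields."""
    return path_mtu - IP_HDR - GRE_HDR - extra_gre


def max_mss_for_tunnel(path_mtu: int, extra_gre: int = 0) -> int:
    """Largest TCP MSS that avoids fragmenting the inner packet."""
    return gre_tunnel_mtu(path_mtu, extra_gre) - IP_HDR - TCP_HDR


def check_adjust_mss(adjust_mss: int, path_mtu: int, extra_gre: int = 0) -> MssCheck:
    """Build a full-size segment for adjust_mss, wrap it in GRE, compare to the path MTU."""
    inner = adjust_mss + TCP_HDR + IP_HDR           # inner IPv4 packet
    outer = inner + GRE_HDR + extra_gre + IP_HDR    # after GRE encapsulation
    return MssCheck(
        path_mtu=path_mtu,
        tunnel_mtu=gre_tunnel_mtu(path_mtu, extra_gre),
        max_mss=max_mss_for_tunnel(path_mtu, extra_gre),
        outer_size=outer,
        fits=outer <= path_mtu,
    )


def diagnose(adjust_mss: int, path_mtus: Dict[str, int]) -> Dict[str, MssCheck]:
    """Run the check for several candidate path MTUs so a failing one stands out.
    A clamp that only fails on the new path is a classic reason for bulk TCP
    transfers to stall while small-packet applications keep working."""
    return {name: check_adjust_mss(adjust_mss, mtu) for name, mtu in path_mtus.items()}


if __name__ == "__main__":
    # Constructed scenarios; both MTU values are assumptions, not measured figures.
    for name, r in diagnose(1440, {"path_mtu_1500": 1500, "path_mtu_1480": 1480}).items():
        verdict = "fits" if r.fits else f"exceeds path MTU by {r.outer_size - r.path_mtu} bytes"
        print(f"{name}: tunnel MTU {r.tunnel_mtu}, max MSS {r.max_mss}, "
              f"MSS 1440 -> {r.outer_size}-byte outer packet, {verdict}")
```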
From pavel.skovajsa at gmail.com Sun Jan 31 12:34:48 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Sun, 31 Jan 2010 18:34:48 +0100
Subject: [c-nsp] QoS for MetroEthernet
In-Reply-To: <834c50111001310831rd07731cw6f3d9525229546c3@mail.gmail.com>
References: <834c50111001310831rd07731cw6f3d9525229546c3@mail.gmail.com>
Message-ID: <323aca891001310934w5f8f2fa0g74dd02b31716ffbb@mail.gmail.com>

Hi Omar,

No, you definitely should not take any special considerations for the Metro
link - you are the end customer; the service is transparent to you - it
moves packets back and forth.

Therefore it is hard to tell what the actual problem is. It is easy to
troubleshoot though - sniff it:
a) sniff the SQL activity with the Serial link
b) sniff the SQL activity with the Metro link
c) compare and find out what types of packets do not get to the other side.

There could be a number of things that can go wrong - like service provider
maximum MTU, certain TOS values being dropped etc. etc.

-pavel

p.s. For sniffing we usually use Wireshark.

On Sun, Jan 31, 2010 at 5:31 PM, omar parihuana wrote:
> Hello,
>
> I'm facing a strange problem that I think is a QoS configuration issue; I've
> tried some conf without success. The situation is as follows:
>
> Actually I have a 1Mbps Serial link between two remote branches and one
> application in particular: a SQL client/server application that works fine.
> (There are other apps but they are not relevant now.) We've contracted a
> MetroEthernet Link at 1Mbps between the same branches (in order to replace
> the current serial link). In each site I put a router; after migrating, the
> SQL app didn't work (it got stuck for a long time). Therefore I decided to
> raise a GRE tunnel between both sites, applied QoS conf, adjusted the tcp
> mss without success; all is working well (additional apps and voice
> traffic) but the SQL app didn't work.
> I don't know what's happening with this app, but if you have faced the
> same problem, or I need to take special considerations for a MetroEthernet
> Link, your comments will be appreciated.
>
> I paste my conf:
>
> !
> !
> policy-map child13
>  class VOIP-TRAFFIC
>   priority 200
>  class DATA-IMPORTANT
>   bandwidth percent 60
>  class class-default
>   fair-queue
> policy-map tunnel13
>  class class-default
>   shape average 1024000
>   service-policy child13
> !
> !
> !
> interface Tunnel13
>  bandwidth 1000
>  ip address 10.1.13.1 255.255.255.0
>  ip tcp adjust-mss 1440
>  load-interval 30
>  qos pre-classify
>  tunnel source 172.21.1.17
>  tunnel destination 172.21.1.19
>  service-policy output tunnel13
> !
> interface FastEthernet0/0
>  description LAN interface
>  ip address 172.16.96.6 255.255.252.0
>  no ip unreachables
>  no ip proxy-arp
>  load-interval 30
>  speed 100
>  full-duplex
> !
> interface FastEthernet0/1
>  description MAN interface
>  bandwidth 3000
>  ip address 172.21.1.17 255.255.255.248
>  no ip proxy-arp
>  load-interval 30
>  speed 100
>  full-duplex
>
>
> --
> Omar E.P.T
> -----------------
> Certified Networking Professionals make better Connections!
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From omar.parihuana at gmail.com Sun Jan 31 13:03:35 2010
From: omar.parihuana at gmail.com (omar parihuana)
Date: Sun, 31 Jan 2010 13:03:35 -0500
Subject: [c-nsp] QoS for MetroEthernet
In-Reply-To: <323aca891001310934w5f8f2fa0g74dd02b31716ffbb@mail.gmail.com>
References: <834c50111001310831rd07731cw6f3d9525229546c3@mail.gmail.com> <323aca891001310934w5f8f2fa0g74dd02b31716ffbb@mail.gmail.com>
Message-ID: <834c50111001311003s4b269e17y7d5e16421cd02940@mail.gmail.com>

Hi Pavel,

Unfortunately I'm in a remote location, but I'm thinking about installing
Wireshark on a client PC.

Rgds.
& Thanks.

On Sun, Jan 31, 2010 at 12:34 PM, Pavel Skovajsa wrote:
> Hi Omar,
>
> No, you definitely should not take any special considerations for the Metro
> link - you are the end customer; the service is transparent to you - it
> moves packets back and forth.
>
> Therefore it is hard to tell what the actual problem is. It is easy to
> troubleshoot though - sniff it:
> a) sniff the SQL activity with the Serial link
> b) sniff the SQL activity with the Metro link
> c) compare and find out what types of packets do not get to the other side.
>
> There could be a number of things that can go wrong - like service
> provider maximum MTU, certain TOS values being dropped etc. etc.
>
> -pavel
>
> p.s. For sniffing we usually use Wireshark.
>
>
>
> On Sun, Jan 31, 2010 at 5:31 PM, omar parihuana wrote:
> > Hello,
> >
> > I'm facing a strange problem that I think is a QoS configuration issue;
> > I've tried some conf without success. The situation is as follows:
> >
> > Actually I have a 1Mbps Serial link between two remote branches and one
> > application in particular: a SQL client/server application that works
> > fine. (There are other apps but they are not relevant now.) We've
> > contracted a MetroEthernet Link at 1Mbps between the same branches (in
> > order to replace the current serial link). In each site I put a router;
> > after migrating, the SQL app didn't work (it got stuck for a long time).
> > Therefore I decided to raise a GRE tunnel between both sites, applied
> > QoS conf, adjusted the tcp mss without success; all is working well
> > (additional apps and voice traffic) but the SQL app didn't work. I don't
> > know what's happening with this app, but if you have faced the same
> > problem, or I need to take special considerations for a MetroEthernet
> > Link, your comments will be appreciated.
> >
> > I paste my conf:
> >
> > !
> > !
> > policy-map child13
> >  class VOIP-TRAFFIC
> >   priority 200
> >  class DATA-IMPORTANT
> >   bandwidth percent 60
> >  class class-default
> >   fair-queue
> > policy-map tunnel13
> >  class class-default
> >   shape average 1024000
> >   service-policy child13
> > !
> > !
> > !
> > interface Tunnel13
> >  bandwidth 1000
> >  ip address 10.1.13.1 255.255.255.0
> >  ip tcp adjust-mss 1440
> >  load-interval 30
> >  qos pre-classify
> >  tunnel source 172.21.1.17
> >  tunnel destination 172.21.1.19
> >  service-policy output tunnel13
> > !
> > interface FastEthernet0/0
> >  description LAN interface
> >  ip address 172.16.96.6 255.255.252.0
> >  no ip unreachables
> >  no ip proxy-arp
> >  load-interval 30
> >  speed 100
> >  full-duplex
> > !
> > interface FastEthernet0/1
> >  description MAN interface
> >  bandwidth 3000
> >  ip address 172.21.1.17 255.255.255.248
> >  no ip proxy-arp
> >  load-interval 30
> >  speed 100
> >  full-duplex
> >
> >
> > --
> > Omar E.P.T
> > -----------------
> > Certified Networking Professionals make better Connections!
> >
>

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!

From david at hughes.com.au Sun Jan 31 18:25:25 2010
From: david at hughes.com.au (David Hughes)
Date: Mon, 1 Feb 2010 09:25:25 +1000
Subject: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer
In-Reply-To:
References:
Message-ID:

On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:

> Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
> 4948 as access layers switches?
> Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
> could be used by servers with 10GbE/FCoE servers.
The N2K does no local switching so if you have any east-west traffic between
ports on the same switch you'll be better served by a more "traditional"
access switch. Naturally the N2K offers centralised management etc etc but
that may or may not be of interest depending on the size of your deployment.

David
...