From: oogali at gmail.com (Omachonu Ogali)
Date: Fri, 1 Jan 2010 23:09:07 -0500
Subject: [c-nsp] RESOLVED: Port 1720 & 1863
In-Reply-To: <512FA3E0D3874060AF00D7BAF13B9E6A@flamdt01>
References: <649021.33824.qm@web53707.mail.re2.yahoo.com> <512FA3E0D3874060AF00D7BAF13B9E6A@flamdt01>
Message-ID:

I have TWC Residential in NYC, and I can fling packets back and forth no problem.

from TWC to remote host:{1720, 1863}: works fine.
from remote host to TWC:{1720, 1863}: works fine.

Both TCP and UDP.

oo

On Thu, Dec 24, 2009 at 3:35 PM, Tony Varriale wrote:
> Residential or business service?
>
> tv
> ----- Original Message -----
> From: "abs"
> To: "Ziv Leyes" ; "Jared Mauch"
> Cc:
> Sent: Thursday, December 24, 2009 2:07 PM
> Subject: Re: [c-nsp] RESOLVED: Port 1720 & 1863
>
> Seems like everyone is interested in knowing the ISP.
> And the winner is..... Time Warner Cable. They are also doing the same for
> port 1863.
>
> --- On Thu, 12/24/09, Jared Mauch wrote:
>
> From: Jared Mauch
> Subject: Re: [c-nsp] RESOLVED: Port 1720 & 1863
> To: "Ziv Leyes"
> Cc: "cisco-nsp at puck.nether.net"
> Date: Thursday, December 24, 2009, 9:37 AM
>
> It may be worthwhile to name & shame the provider for intercepting your
> h.323 directed traffic.
>
> (Unless of course you're in one of those countries that uses high telecom
> rates to justify blocking VoIP).
>
> - Jared
>
> On Dec 24, 2009, at 3:20 AM, Ziv Leyes wrote:
>
>> Oh, man, that's dirty, why would they do that??
>> Just when it started to get interesting...
>> But I'm glad for you that the issue is resolved
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of abs
>> Sent: Thursday, December 24, 2009 3:01 AM
>> To: Steve Bertrand
>> Cc: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] RESOLVED: Port 1720 & 1863
>>
>> thank you all for your help. for the folks interested the issue was that
>> the two ports are being intercepted by my ISP. once again thank you all for
>> your help
>>
>> cheers,
>> abs
>>
>> --- On Wed, 12/23/09, Steve Bertrand wrote:
>>
>> From: Steve Bertrand
>> Subject: Re: [c-nsp] Port 1720 & 1863
>> To: "abs"
>> Date: Wednesday, December 23, 2009, 7:49 PM
>>
>> abs wrote:
>>
>>> Now this makes a lot more sense. I was going crazy trying to figure
>>> this out. I think they are doing the same for port 1863.
>>>
>>> It would be greatly appreciated if you could set up a vm for me to run
>>> some scans off of.
>>
>> No problem.
>>
>> I've got to finish up writing some code right now, so I'll get the vm
>> set up first thing tomorrow before I'm done for the week.
>>
>> Hopefully you're familiar with FreeBSD, as that is what the host will be.
>>
>> All I ask is that you *only* probe hosts that are your own. I'm an ISP,
>> and I've been burned before after being taken advantage of after doing
>> favours like this.
>>
>> Believe it or not, I'm not generally a trusting person, but that is
>> generally outweighed by my desire to help others.
>>
>> So, with that understanding, and the understanding that you can do
>> whatever you want within the vm so long as there is no network abuse,
>> I'll get things configured, and send you the detail in the morning so
>> that you can SSH into the box via IPv4 and IPv6.
>>
>> Cheers!
>>
>> Steve
>>
>> ps. it would likely be kind to reply to your original post on the cisco-nsp
>> list with [RESOLVED] in the subject, just so the others who were
>> following the thread can rest assured that all is well and good with you
>> ;)
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>> ************************************************************************************
>> This footnote confirms that this email message has been scanned by
>> PineApp Mail-SeCure for the presence of malicious code, vandals & computer
>> viruses.
>> ************************************************************************************
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 2 Jan 2010 15:31:02 +0800
Subject: [c-nsp] 3750ME L2/MPLS combined scenario - "Thread Resurrection"
In-Reply-To: <6bb5f5b10802010836u58f055ddnf78ac79f26fc92d7@mail.gmail.com>
References: <6B43981C32F8464CB24CEE209DA32BD3011AB2C5@kenya.tronet.as> <6bb5f5b10802010836u58f055ddnf78ac79f26fc92d7@mail.gmail.com>
Message-ID: <201001021531.07359.mtinka@globaltransit.net>

On Saturday 02 February 2008 12:36:08 am Rubens Kuhl Jr. wrote:

Hello all.

Apologies for resurrecting this very old thread, but...

> We've tried that with 3750ME, and the half a million bugs
> and architectural flaws made us drop that line of
> devices out of MPLS altogether. Keeping the PW with L2
> on 3750ME will make your customer happier.

... we're in a situation where extending MPLS into the access may make a bit of sense.

The platform currently in the field is as described in this thread, the Cisco 3750ME, albeit it's working in Layer 2-only mode, today.

In the spirit of not wanting to replace these boxes with something else more capable as yet, do the comments from Rubens, above, still hold true as of IOS 12.2(52)SE?

Keeping in mind the various hardware/software restrictions associated with this class of platforms, we'd be looking to run the following on the system (some are advertised as supported by Cisco, others are implied as such):

* MPLS upstream to the core
* IPv4 forwarding for customers
* IPv4 forwarding over MPLS (upstream to core)
* IPv6 forwarding for customers
* IPv4, IPv6, MPLS ECMP
* Locally-significant VLANs for customers
* EoMPLS for customers
* L3VPNs for customers (BGP-based)
* IS-IS (Loopbacks + Infrastructure)
* BGP (default route importation only)

Since all our Layer 2 features are used to "wire" customers to the nearest Layer 3/MPLS-capable box, we have no need to implement Layer 2 features beyond local VLAN support, provided the ones mentioned above can work without issue.

We haven't had a chance to run anything as remotely advanced as the features highlighted above, so any useful operational feedback (especially the negatives) from folk who have would be much appreciated, as we begin our own tests as well. Operator feedback in this case is initially far more useful than input from Cisco themselves.

The 3750ME really only makes sense if those features can be reliably supported beyond paper; else, the case for Layer 2-only Ethernet switches becomes far more compelling, e.g., Cisco 2960, etc.

Cheers,

Mark.

From: domintefamily at yahoo.co.uk (C and C Dominte)
Date: Sat, 2 Jan 2010 17:09:52 +0000 (GMT)
Subject: [c-nsp] Cisco 6509-E issues
In-Reply-To:
References: <16e2ac180912290541n6cfcb6b2yb4de7a88f40bd7f7@mail.gmail.com>
Message-ID: <535857.93381.qm@web27904.mail.ukl.yahoo.com>

Hi,

Is there any chance of overlapping subnets configured on two different routers? I saw similar issues caused by this, but the traceroute and show ip route commands should help in diagnosing that.

Catalin

________________________________
From: Lee
To: Renelson Panosky
Cc: cisco-nsp at puck.nether.net
Sent: Tue, 29 December, 2009 21:53:57
Subject: Re: [c-nsp] Cisco 6509-E issues

On Tue, Dec 29, 2009 at 8:41 AM, Renelson Panosky wrote:
> I am experiencing a small problem with one of my Cisco 6509-E on my
> network. My management device (SNMP) is showing one of my switches is down, but
> I am able to log in to the switch, ping it from my PC, ping it from other
> cisco devices on the network. A couple of computers on my network are not able
> to ping it or telnet, however every user who is directly connected to that
> switch is able to get online. I have not received any complaints yet from
> any of my users. I just want to make sure this doesn't turn into a bigger
> issue. Any advice?

I've seen the same type of thing - traceroute to find where it breaks and 'clear ip route *' on that box or the next hop cleared it up.

Regards,
Lee

> Happy Holidays

From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Sat, 2 Jan 2010 23:11:48 -0700
Subject: [c-nsp] IOS Code Recommendations
Message-ID:

All,

Cisco only does safe harbor on a few select devices. Being as how this group is made up of a lot of service providers and enterprise networks, does anyone know the latest stable version of code for any or all of the following:

2651XM
WS-C3550-24-PWR
WS-C3560-24PS-S
Catalyst 3560-48TS

Thanks,
//LeBlanc
From: listensammler at gmx.de (listensammler at gmx.de)
Date: Sun, 03 Jan 2010 20:22:34 +0100
Subject: [c-nsp] understanding ping ipv6 output
Message-ID: <4B40EE7A.8060200@gmx.de>

Hi List,

I have some problems with understanding the output of the "ping ipv6" command and can't find any documentation on the Cisco website.

Ping in IPv4 mode uses these characters:

! Each exclamation point indicates receipt of a reply.
. Each period indicates the network server timed out while waiting for a reply.
U A destination unreachable error PDU was received.
Q Source quench (destination too busy).
M Could not fragment.
? Unknown packet type.
& Packet lifetime exceeded

Can someone give me an overview of the ipv6 output characters or an explanation of the following output?

ipv6#ping 2A00:1450:8001::6A size 900

Type escape sequence to abort.
Sending 5, 900-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
CCCCC
Success rate is 0 percent (0/5)
ipv6#ping 2A00:1450:8001::6A size 1600

Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)
ipv6#ping 2A00:1450:8001::6A size 100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

Thanks in advance...

Regards,
Alex
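As an added example (not from Alex's post and not Cisco's code), a small parser for the ping output quoted above: it applies the IPv4 legend from the post, reports result characters the legend does not cover (the C and A above) as unknown rather than guessing a meaning, and cross-checks the per-probe string against the router's own success-rate line. The sample text is the three runs from the post.

```python
"""Parse Cisco IOS ping output and classify the per-probe result characters.
Added example, not from the original post: the legend is the IPv4 one quoted in
the post, so codes outside it (the C and A in the post) are reported as unknown."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# IPv4 ping result characters exactly as listed in the post.
IPV4_LEGEND = {
    "!": "reply received",
    ".": "timed out waiting for a reply",
    "U": "destination unreachable error PDU received",
    "Q": "source quench (destination too busy)",
    "M": "could not fragment",
    "?": "unknown packet type",
    "&": "packet lifetime exceeded",
}
SENDING_RE = re.compile(r"Sending (?P<count>\d+), (?P<size>\d+)-byte ICMP Echos to (?P<dest>\S+),"
                        r" timeout is (?P<timeout>\d+) seconds:")
SUCCESS_RE = re.compile(r"Success rate is \d+ percent \((?P<ok>\d+)/(?P<sent>\d+)\)")
RTT_RE = re.compile(r"round-trip min/avg/max = (?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+) ms")

@dataclass
class PingRun:
    dest: str
    size: int               # payload size given with 'size'
    count: int              # echoes the router said it would send
    timeout: int
    results: str            # one character per probe, e.g. "CCCCC" or "!!!!!"
    reported_ok: Optional[int] = None
    reported_sent: Optional[int] = None
    rtt_ms: Optional[Tuple[int, int, int]] = None

    def replies(self) -> int:
        return self.results.count("!")

    def unknown_codes(self) -> Set[str]:
        """Result characters the IPv4 legend does not explain."""
        return {c for c in self.results if c not in IPV4_LEGEND}

    def consistent(self) -> bool:
        """Does the per-probe string agree with the router's own summary line?"""
        return (self.reported_sent == len(self.results) == self.count
                and self.reported_ok == self.replies())

def parse_ping_output(text: str) -> List[PingRun]:
    """Extract every ping run from a captured CLI session."""
    lines = [ln.strip() for ln in text.splitlines()]
    runs: List[PingRun] = []
    i = 0
    while i < len(lines):
        m = SENDING_RE.search(lines[i])
        i += 1
        if not m:
            continue
        run = PingRun(dest=m["dest"], size=int(m["size"]), count=int(m["count"]),
                      timeout=int(m["timeout"]), results="")
        while i < len(lines) and not lines[i]:   # skip blanks before the result string
            i += 1
        if i < len(lines):
            run.results = lines[i]               # one character per probe
            i += 1
        if i < len(lines) and (s := SUCCESS_RE.search(lines[i])):
            run.reported_ok, run.reported_sent = int(s["ok"]), int(s["sent"])
            r = RTT_RE.search(lines[i])          # only present when something replied
            if r:
                run.rtt_ms = (int(r["min"]), int(r["avg"]), int(r["max"]))
            i += 1
        runs.append(run)
    return runs

def largest_fully_working_size(runs: List[PingRun]) -> Optional[int]:
    """Largest payload size at which every probe got a reply, or None."""
    ok = [r.size for r in runs if r.results and r.replies() == len(r.results)]
    return max(ok) if ok else None

# The three runs from the post, copied verbatim.
SAMPLE_OUTPUT = """\
ipv6#ping 2A00:1450:8001::6A size 900

Type escape sequence to abort.
Sending 5, 900-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
CCCCC
Success rate is 0 percent (0/5)
ipv6#ping 2A00:1450:8001::6A size 1600

Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)
ipv6#ping 2A00:1450:8001::6A size 100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
"""
```

Feeding several captures at increasing sizes to `parse_ping_output` and then `largest_fully_working_size` gives the size at which echoes stop coming back, which is the question the three runs above are really asking.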
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sun, 03 Jan 2010 22:37:54 +0200
Subject: [c-nsp] understanding ping ipv6 output
In-Reply-To: <4B40EE7A.8060200@gmx.de>
References: <4B40EE7A.8060200@gmx.de>
Message-ID: <4B410022.8040508@forthnet.gr>

http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_10.html#wp2269378

Although "C" doesn't seem to be there.

--
Tassos

listensammler at gmx.de wrote on 03/01/2010 21:22:
> Hi List,
>
> I have some problems with understanding the output of the "ping ipv6"
> command and can't find any documentation on the Cisco website.
>
> Ping in IPv4 mode uses these characters:
> ! Each exclamation point indicates receipt of a reply.
> . Each period indicates the network server timed out while waiting
> for a reply.
> U A destination unreachable error PDU was received.
> Q Source quench (destination too busy).
> M Could not fragment.
> ? Unknown packet type.
> & Packet lifetime exceeded
>
> Can someone give me an overview of the ipv6 output characters or an
> explanation of the following output?
>
> ipv6#ping 2A00:1450:8001::6A size 900
>
> Type escape sequence to abort.
> Sending 5, 900-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
> CCCCC
> Success rate is 0 percent (0/5)
> ipv6#ping 2A00:1450:8001::6A size 1600
>
> Type escape sequence to abort.
> Sending 5, 1600-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
> AAAAA
> Success rate is 0 percent (0/5)
> ipv6#ping 2A00:1450:8001::6A size 100
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
>
> Thanks in advance...
>
> Regards,
> Alex

From: kiyoshi.suzuki at kvh.co.jp (Suzuki, Kiyoshi (Network Service Development))
Date: Mon, 4 Jan 2010 09:31:44 +0900
Subject: [c-nsp] understanding ping ipv6 output
In-Reply-To: <4B40EE7A.8060200@gmx.de>
References: <4B40EE7A.8060200@gmx.de>
Message-ID:

http://www.cisco.com/en/US/customer/docs/ios/fundamentals/command/reference/cf_m1.html#wp1013837

C for congestion?

-Yoshi

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of listensammler at gmx.de
> Sent: Monday, January 04, 2010 4:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] understanding ping ipv6 output
>
> Hi List,
>
> I have some problems with understanding the output of the "ping ipv6"
> command and can't find any documentation on the Cisco website.
>
> Ping in IPv4 mode uses these characters:
> ! Each exclamation point indicates receipt of a reply.
> . Each period indicates the network server timed out while waiting for
> a reply.
> U A destination unreachable error PDU was received.
> Q Source quench (destination too busy).
> M Could not fragment.
> ? Unknown packet type.
> & Packet lifetime exceeded
>
> Can someone give me an overview of the ipv6 output characters or an
> explanation of the following output?
>
> ipv6#ping 2A00:1450:8001::6A size 900
>
> Type escape sequence to abort.
> Sending 5, 900-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
> CCCCC
> Success rate is 0 percent (0/5)
> ipv6#ping 2A00:1450:8001::6A size 1600
>
> Type escape sequence to abort.
> Sending 5, 1600-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
> AAAAA
> Success rate is 0 percent (0/5)
> ipv6#ping 2A00:1450:8001::6A size 100
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 2A00:1450:8001::6A, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
>
> Thanks in advance...
>
> Regards,
> Alex
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 4 Jan 2010 14:51:35 -0500 (EST)
Subject: [c-nsp] 3550 IO memory fragmentation
Message-ID:

We had a recent network event during which all of our 3550 access layer switches started logging things like:

%SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48, alignment 0
Pool: I/O  Free: 5936  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool

-Process= "Pool Manager", ipl= 0, pid= 5
-Traceback= 1C919C 1CA760 17FC4C 1DB43C 1DB658 1EBACC 1EF0FC

A few minutes later, all was back to normal, though one 3550 did a software forced crash / reload.

Under normal circumstances, these switches have 4.5-5 MB of free IO memory.

This looks very similar to what was posted several years ago at

http://www.velocityreviews.com/forums/t31947-catalysts-trouble.html

Searching bug toolkit, I didn't find anything that looked relevant. Has anyone else run into this sort of thing with 12.1EA software or have an idea what the cause/solutions might be?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
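As an added example, not from Jon's post and not Cisco's code, detection logic over constructed syslog lines carrying the MALLOCFAIL message above: it parses the pool, free-memory and cause fields and flags the pattern Jon describes, many access switches failing within the same few minutes, which points at a network-wide event rather than one box's own problem. Hostnames, timestamps, the syslog line format and the 2010 year are assumptions of the sample.

```python
"""Flag fleet-wide %SYS-2-MALLOCFAIL I/O-pool bursts in Catalyst 3550 syslog.
Added example, not from the post or Cisco. Sample lines are constructed; the message
body in them is the one quoted in the post (hostnames, times and line format are made up)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed syslog wrapper: "Mon DD HH:MM:SS host message" (no year on the wire).
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# The MALLOCFAIL body as the 3550 prints it, collapsed onto one line.
MALLOCFAIL_RE = re.compile(
    r"%SYS-2-MALLOCFAIL: Memory allocation of (?P<bytes>\d+) bytes failed from 0x(?P<pc>[0-9A-Fa-f]+),"
    r" alignment (?P<align>\d+)\s+Pool: (?P<pool>\S+)\s+Free: (?P<free>\d+)\s+Cause: (?P<cause>.+?)"
    r"\s+Alternate Pool: (?P<altpool>\S+)\s+Free: (?P<altfree>\d+)\s+Cause: (?P<altcause>.+)$")
SYSLOG_YEAR = 2010  # assumed for the sample; syslog timestamps carry no year


@dataclass
class MallocFail:
    ts: datetime
    host: str
    nbytes: int
    pc: str        # caller address, e.g. 17FC48
    pool: str      # "I/O" or "Processor"
    free: int      # bytes left in that pool when the allocation failed
    cause: str


def parse_mallocfail(lines: List[str]) -> List[MallocFail]:
    """Keep only MALLOCFAIL records; -Process/-Traceback continuation lines are skipped."""
    events = []
    for line in lines:
        s = SYSLOG_RE.match(line.strip())
        m = MALLOCFAIL_RE.search(s["msg"]) if s else None
        if not m:
            continue
        ts = datetime.strptime(" ".join(s["ts"].split()), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
        events.append(MallocFail(ts, s["host"], int(m["bytes"]), m["pc"], m["pool"],
                                 int(m["free"]), m["cause"]))
    return events


def io_pool_bursts(events: List[MallocFail], window: timedelta = timedelta(minutes=5),
                   min_hosts: int = 3) -> List[Tuple[datetime, List[str]]]:
    """Windows in which at least min_hosts distinct switches report I/O-pool failures:
    the fleet-wide pattern from the post, as opposed to one box with its own problem."""
    io = sorted((e for e in events if e.pool == "I/O"), key=lambda e: e.ts)
    bursts, i = [], 0
    while i < len(io):
        start = io[i].ts
        in_window = [e for e in io[i:] if e.ts - start <= window]
        hosts = sorted({e.host for e in in_window})
        if len(hosts) >= min_hosts:
            bursts.append((start, hosts))
            i += len(in_window)   # report each burst once
        else:
            i += 1
    return bursts


def starved_hosts(events: List[MallocFail], normal_free: int = 4_500_000,
                  fraction: float = 0.01) -> Dict[str, int]:
    """Hosts whose lowest reported I/O free memory is under `fraction` of normal;
    normal_free defaults to the 4.5 MB the post says these switches usually have free."""
    worst: Dict[str, int] = {}
    for e in events:
        if e.pool == "I/O":
            worst[e.host] = min(worst.get(e.host, e.free), e.free)
    return {h: f for h, f in worst.items() if f < normal_free * fraction}


# Constructed sample: three access switches failing within seconds of each other,
# the continuation lines for one of them, and an unrelated processor-pool failure later.
MSG = ("%SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48, alignment 0 "
       "Pool: I/O Free: {free} Cause: Memory fragmentation "
       "Alternate Pool: None Free: 0 Cause: No Alternate pool")
SAMPLE_LOG = [
    "Jan  4 09:12:03 sw-acc-01 " + MSG.format(free=5936),
    'Jan  4 09:12:03 sw-acc-01 -Process= "Pool Manager", ipl= 0, pid= 5',
    "Jan  4 09:12:03 sw-acc-01 -Traceback= 1C919C 1CA760 17FC4C 1DB43C 1DB658 1EBACC 1EF0FC",
    "Jan  4 09:12:05 sw-acc-02 " + MSG.format(free=6120),
    "Jan  4 09:12:09 sw-acc-03 " + MSG.format(free=5088),
    "Jan  4 11:40:22 sw-acc-07 " + MSG.format(free=120000).replace("Pool: I/O", "Pool: Processor"),
]

if __name__ == "__main__":
    evs = parse_mallocfail(SAMPLE_LOG)
    for start, hosts in io_pool_bursts(evs):
        print(f"I/O-pool MALLOCFAIL burst from {start:%Y-%m-%d %H:%M:%S} on {hosts}")
    print("starved hosts:", starved_hosts(evs))
```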
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 04 Jan 2010 20:10:18 +0000
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To:
References:
Message-ID: <4B424B2A.3060406@uk.clara.net>

What release are you running? could it be CSCdz51522?

Dave.

Jon Lewis wrote:
> We had a recent network event during which all of our 3550 access layer
> switches started logging things like:
>
> %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48,
> alignment 0
> Pool: I/O Free: 5936 Cause: Memory fragmentation
> Alternate Pool: None Free: 0 Cause: No Alternate pool
>
> -Process= "Pool Manager", ipl= 0, pid= 5
> -Traceback= 1C919C 1CA760 17FC4C 1DB43C 1DB658 1EBACC 1EF0FC
>
> A few minutes later, all was back to normal, though one 3550 did a
> software forced crash / reload.
>
> Under normal circumstances, these switches have 4.5-5mb of free IO memory.
>
> This looks very similar to what was posted several years ago at
>
> http://www.velocityreviews.com/forums/t31947-catalysts-trouble.html
>
> Searching bug toolkit, I didn't find anything that looked relevant. Has
> anyone else run into this sort of thing with 12.1EA software or have an
> idea what the cause/solutions might be?
>
> ----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 4 Jan 2010 15:35:20 -0500
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
Message-ID:

Howdy,

I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers. Currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes set up like

ip route x.x.x.x 255.255.224.0 Null0 254

and then we have an extended access-list applied to each peer with our net blocks listed in them.

It appears that because of the network statements, the supernet routes (/18s, /19s, etc) are being distributed via BGP to the rest of the network, which is by design (I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than say /18, or /19 it travels all the way through the network to the edge before stopping. I might be blowing the impact of this out of proportion, but it just seems like a waste of resources.

Does anyone know of a seemingly more sensible way of doing this?

-Drew
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 4 Jan 2010 15:42:08 -0500
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To:
References:
Message-ID: <72814585-3C40-4FD9-8F6F-0A682E689DA4@puck.nether.net>

On Jan 4, 2010, at 3:35 PM, Drew Weaver wrote:

> Howdy,
>
> I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers, currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes setup like ip route x.x.x.x 255.255.224.0 Null0 254 and then we have an extended access-list applied to each peer with our net blocks listed in them.
>
> It appears that because of the network statements, the supernet routes (/18s, /19s, etc) are being distributed via BGP to the rest of the network which is by design(I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than say /18, or /19 it travels all the way through the network to the edge before stopping. I might be blowing the impact of this out of proportion, but it just seems like a waste of resources.
>
> Does anyone know of a seemingly more sensible way of doing this?

You could always tag these hold-down routes with a community, then when someone sends a packet to them, the next-hop could be rewritten to a local discard/null0 instance. This should allow you to distribute the load instead of backhauling the traffic to the final destination/aggregation location.

- Jared
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 4 Jan 2010 16:01:00 -0500 (EST)
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <4B424B2A.3060406@uk.clara.net>
References: <4B424B2A.3060406@uk.clara.net>
Message-ID:

Most of the 3550s, including the one that crashed, are running 121-22.EA10b.

CSCdz51522 seems unlikely as there was nobody logged in making changes and nobody should have been making (and there are no logged signs of) physical changes to the network at the time of the event.

On Mon, 4 Jan 2010, David Freedman wrote:

> What release are you running? could it be CSCdz51522?
>
> Dave.
>
>
> Jon Lewis wrote:
>> We had a recent network event during which all of our 3550 access layer
>> switches started logging things like:
>>
>> %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48,
>> alignment 0
>> Pool: I/O Free: 5936 Cause: Memory fragmentation
>> Alternate Pool: None Free: 0 Cause: No Alternate pool
>>
>> -Process= "Pool Manager", ipl= 0, pid= 5
>> -Traceback= 1C919C 1CA760 17FC4C 1DB43C 1DB658 1EBACC 1EF0FC
>>
>> A few minutes later, all was back to normal, though one 3550 did a
>> software forced crash / reload.
>>
>> Under normal circumstances, these switches have 4.5-5mb of free IO memory.
>>
>> This looks very similar to what was posted several years ago at
>>
>> http://www.velocityreviews.com/forums/t31947-catalysts-trouble.html
>>
>> Searching bug toolkit, I didn't find anything that looked relevant. Has
>> anyone else run into this sort of thing with 12.1EA software or have an
>> idea what the cause/solutions might be?
>>
>> ----------------------------------------------------------------------
>> Jon Lewis | I route
>> Senior Network Engineer | therefore you are
>> Atlantic Net |
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 4 Jan 2010 13:02:40 -0800
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
References:
Message-ID: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com>

Drew, network statements are for the weak. :)
(I'm kidding of course) but there is a better way.

You should use community tagging in combination with prefix lists and route maps. The idea is that you announce routes according to a tag and the behavior of the announcements depends on the specific tag applied. For example, you could tag routes as peers, transits, global announce, etc. and formulate the type of feeds you give your customers by filtering against communities, so if a customer wants peers and customers only you could match the two appropriate community tags. This also allows you to tag the communities you globally announce uniquely and make the announcements in a unified way at your edges. If you accompany this method with the appropriate redistribute static, redistribute connected, etc. and use route maps to control this behavior, you can remove the need for network statements completely and greatly decrease the things you need to modify and as a result the possible mistakes. The other upside here is you can mark your more specifics as do not export and better control traffic internally, better directing the traffic in your example. It also allows you to accept communities from your customers and have automatic actions taken based on the tags they apply. Let me know if you need some configuration examples.

----- Original Message -----
From: "Drew Weaver"
To: "Cisco-nsp"
Sent: Monday, January 04, 2010 12:35 PM
Subject: [c-nsp] BGP - Announcing routes to Internet providers.

> Howdy,
>
> I am trying to figure out if there is a different/newer/better(?) way to
> announce our public IP ranges to our Internet providers, currently we are
> declaring our subnets in 'network statements' in the BGP configuration, we
> have static routes setup like ip route x.x.x.x 255.255.224.0 Null0 254 and
> then we have an extended access-list applied to each peer with our net
> blocks listed in them.
>
> It appears that because of the network statements, the supernet routes
> (/18s, /19s, etc) are being distributed via BGP to the rest of the network
> which is by design(I assume). This doesn't seem ideal because if traffic
> is sent to an IP address that doesn't have a more specific route than say
> /18, or /19 it travels all the way through the network to the edge before
> stopping. I might be blowing the impact of this out of proportion, but it
> just seems like a waste of resources.
>
> Does anyone know of a seemingly more sensible way of doing this?
>
> -Drew

From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Mon, 4 Jan 2010 14:07:07 -0700
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To:
References: <4B424B2A.3060406@uk.clara.net>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3D92@LMC-MAIL2.exempla.org>

Do you have traffic graphs during this timeframe? Maybe a DDOS at or through these boxes tied up the available memory. Especially since 'I/O' was the pool it was trying to grab from at the time?

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
Sent: Monday, January 04, 2010 2:01 PM
To: David Freedman
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3550 IO memory fragmentation

Most of the 3550s, including the one that crashed, are running 121-22.EA10b.

CSCdz51522 seems unlikely as there was nobody logged in making changes and nobody should have been making (and there are no logged signs of) physical changes to the network at the time of the event.

On Mon, 4 Jan 2010, David Freedman wrote:

> What release are you running? could it be CSCdz51522?
>
> Dave.
>
>
> Jon Lewis wrote:
>> We had a recent network event during which all of our 3550 access layer
>> switches started logging things like:
>>
>> %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x17FC48,
>> alignment 0
>> Pool: I/O Free: 5936 Cause: Memory fragmentation
>> Alternate Pool: None Free: 0 Cause: No Alternate pool
>>
>> -Process= "Pool Manager", ipl= 0, pid= 5
>> -Traceback= 1C919C 1CA760 17FC4C 1DB43C 1DB658 1EBACC 1EF0FC
>>
>> A few minutes later, all was back to normal, though one 3550 did a
>> software forced crash / reload.
>>
>> Under normal circumstances, these switches have 4.5-5mb of free IO memory.
>>
>> This looks very similar to what was posted several years ago at
>>
>> http://www.velocityreviews.com/forums/t31947-catalysts-trouble.html
>>
>> Searching bug toolkit, I didn't find anything that looked relevant. Has
>> anyone else run into this sort of thing with 12.1EA software or have an
>> idea what the cause/solutions might be?
>>
>> ----------------------------------------------------------------------
>> Jon Lewis | I route
>> Senior Network Engineer | therefore you are
>> Atlantic Net |
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From: chris.garzon at gmail.com (Dracul)
Date: Tue, 5 Jan 2010 15:05:12 +0800
Subject: [c-nsp] BGP ip addresses re-route to specific link
Message-ID: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>

Hi there,

I was wondering if you could do a segregated route, for specific ip addresses under BGP, going only to a specific link. For example, if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account going through upstream2. The rest would still be using the usual BGP routing behavior.

Thanks!

regards,
Chris
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 5 Jan 2010 08:30:27 +0100
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com>
References: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com>
Message-ID: <00a501ca8dd8$f4eb15a0$dec140e0$@info>

Let's step back and ask the questions we should have been asking in the first place:

* Are you an end-user or a Service Provider (a somewhat reliable answer could be gleaned from Drew's e-mail address)?
* What's the size of your network?
* How many uplinks do you have?
* How far apart are your uplinks?

If it turns out Drew's uplinks are close together, all the beautiful design ideas presented here are a huge overkill.

And, BTW, I wish those of you that propose redistributing connected and static routes into BGP the huge budget you'll need to upgrade RAM and TCAM of your routers/switches when everyone decides (after reading this mailing list :) that following your recommendations unconditionally is a good idea :D

Ivan

> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Monday, January 04, 2010 10:03 PM
> To: Drew Weaver; Cisco-nsp
> Subject: Re: [c-nsp] BGP - Announcing routes to Internet providers.
>
> Drew, network statements are for the weak. :)
> (I'm kidding of course) but there is a better way.
>
> You should use community tagging in combination with prefix lists and route maps. The idea is that you announce routes according to a tag and the behavior of the announcements depends on the specific tag applied. For example, you could tag routes as peers, transits, global announce, etc. and formulate the type of feeds you give your customers by filtering against communities, so if a customer wants peers and customers only, you could match the two appropriate community tags. This also allows you to tag the communities you globally announce uniquely and make the announcements in a unified way at your edges. If you accompany this method with the appropriate redistribute static, redistribute connected, etc. and use route maps to control this behavior, you can remove the need for network statements completely and greatly decrease the things you need to modify and, as a result, the possible mistakes. The other upside here is you can mark your more specifics as do-not-export and better control traffic internally, better directing the traffic in your example. It also allows you to accept communities from your customers and have automatic actions taken based on the tags they apply. Let me know if you need some configuration examples.
>
>
>
> ----- Original Message -----
> From: "Drew Weaver"
> To: "Cisco-nsp"
> Sent: Monday, January 04, 2010 12:35 PM
> Subject: [c-nsp] BGP - Announcing routes to Internet providers.
>
>
> > Howdy,
> >
> > I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers. Currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes set up like ip route x.x.x.x 255.255.224.0 Null0 254 and then we have an extended access-list applied to each peer with our net blocks listed in them.
> >
> > It appears that because of the network statements, the supernet routes (/18s, /19s, etc.) are being distributed via BGP to the rest of the network, which is by design (I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than, say, /18 or /19, it travels all the way through the network to the edge before stopping. I might be blowing the impact of this out of proportion, but it just seems like a waste of resources.
> >
> > Does anyone know of a seemingly more sensible way of doing this?
> >
> > -Drew
> >
>

From s.ganschow at buelow-masiak.de Tue Jan 5 02:34:56 2010
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Tue, 5 Jan 2010 08:34:56 +0100
Subject: [c-nsp] VPDN Problem
In-Reply-To:
Message-ID:

Hi,

Output of show vpdn history failure

#sh vpdn history failure
User: xyz, MID = 902
NAS: lac, IP address = 1.2.3.4, CLID = 63366
Gateway: lns, IP address = 5.6.7.8, CLID = 1417
Log time: Jan 4 10:55:24.390, Error repeat count: 3
Failure type: The remote server closed this session
Failure reason: Result 2, Error 6

As I found out, the failure reason could be interpreted as the following:

Result 2 - General error (Error code indicates problem)
Error 2 - Invalid destination

What is the meaning of invalid destination? As the tunnel is established and gets dropped only if you exceed your bandwidth, I can't get the meaning of the error message from the context.

Regards,
Sebastian

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Wednesday, 23 December 2009 17:23
> To: Sebastian Ganschow; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] VPDN Problem
>
> Sebastian,
>
> You can try looking at the output of "show vpdn history".
> I think the error you get means that the remote side requested a disconnect, but I also see some cases this appears by mistake...
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian Ganschow
> Sent: Wednesday, December 23, 2009 12:17
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VPDN Problem
>
> Hi all,
>
> we've got a little problem with our vpdn where we're stuck. Could anyone explain the following debugging messages from our 7206 to me:
>
> VPDN Vi12 disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign Host Close
> VPDN Vi12 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=23, syslog_key_type=1
> %VPDN-6-CLOSED: L2TP LNS viade-dbmg-lns closed Vi12 user username; Result 2, Error 6, Locally generated disconnect
>
>
> What is the meaning of:
> - 8/port-error Ascend: 41/TCP
> - Result 2, Error 6, Locally generated disconnect
>
> On CCO there is no information about those messages.
>
> The session gets disconnected if the upstream bandwidth is exceeded. There are two providers who are delivering those vpdn sessions to us. We've tried with users of them, but the disconnect only happens on our own LNS. If the user is connected to the LNS of one of the two providers, the session won't be disconnected.
>
> Any Ideas?
>
> Regards
> Sebastian

From ccie19804 at gmail.com Tue Jan 5 03:02:09 2010
From: ccie19804 at gmail.com (swap m)
Date: Tue, 5 Jan 2010 12:02:09 +0400
Subject: [c-nsp] BGP ip addresses re-route to specific link
In-Reply-To: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>
Message-ID:

you can use "BGP Conditional Route Injection" to generate the /28 (it should be a child subnet out of the parent /24). then filter the prefixes to select which upstreams should receive this injected subnet.

cheers

On Tue, Jan 5, 2010 at 11:05 AM, Dracul wrote:

> Hi there,
>
> I was wondering if you could do a segregate route, for specific ip addresses under BGP going only to a specific link.
> for example if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior. Thanks!
>
> regards,
> Chris
>

From avayner at cisco.com Tue Jan 5 03:10:46 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 5 Jan 2010 09:10:46 +0100
Subject: [c-nsp] VPDN Problem
In-Reply-To:
References:
Message-ID:

Sebastian,

What do you mean by "if you exceed your bandwidth"?

You could try the following debugs for more info:
debug ppp nego
debug vpdn l2x event
debug vpdn l2x error
debug radius

Arie

-----Original Message-----
From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
Sent: Tuesday, January 05, 2010 09:35
To: Arie Vayner (avayner); cisco-nsp
Subject: AW: RE: [c-nsp] VPDN Problem

Hi,

Output of show vpdn history failure

#sh vpdn history failure
User: xyz, MID = 902
NAS: lac, IP address = 1.2.3.4, CLID = 63366
Gateway: lns, IP address = 5.6.7.8, CLID = 1417
Log time: Jan 4 10:55:24.390, Error repeat count: 3
Failure type: The remote server closed this session
Failure reason: Result 2, Error 6

As I found out, the failure reason could be interpreted as the following:

Result 2 - General error (Error code indicates problem)
Error 2 - Invalid destination

What is the meaning of invalid destination? As the tunnel is established and gets dropped only if you exceed your bandwidth, I can't get the meaning of the error message from the context.

Regards,
Sebastian

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Wednesday, 23 December 2009 17:23
> To: Sebastian Ganschow; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] VPDN Problem
>
> Sebastian,
>
> You can try looking at the output of "show vpdn history".
> I think the error you get means that the remote side requested a disconnect, but I also see some cases this appears by mistake...
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian Ganschow
> Sent: Wednesday, December 23, 2009 12:17
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VPDN Problem
>
> Hi all,
>
> we've got a little problem with our vpdn where we're stuck. Could anyone explain the following debugging messages from our 7206 to me:
>
> VPDN Vi12 disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign Host Close
> VPDN Vi12 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=23, syslog_key_type=1
> %VPDN-6-CLOSED: L2TP LNS viade-dbmg-lns closed Vi12 user username; Result 2, Error 6, Locally generated disconnect
>
>
> What is the meaning of:
> - 8/port-error Ascend: 41/TCP
> - Result 2, Error 6, Locally generated disconnect
>
> On CCO there is no information about those messages.
>
> The session gets disconnected if the upstream bandwidth is exceeded. There are two providers who are delivering those vpdn sessions to us. We've tried with users of them, but the disconnect only happens on our own LNS. If the user is connected to the LNS of one of the two providers, the session won't be disconnected.
>
> Any Ideas?
>
> Regards
> Sebastian

From avayner at cisco.com Tue Jan 5 03:12:18 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 5 Jan 2010 09:12:18 +0100
Subject: [c-nsp] BGP ip addresses re-route to specific link
In-Reply-To:
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>
Message-ID:

Dracul,

Be aware that many (most) ISPs would filter subnets longer than /24, so your /28 would most likely be filtered (even if your direct upstream would send it through).

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of swap m
Sent: Tuesday, January 05, 2010 10:02
To: Dracul
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP ip addresses re-route to specific link

you can use "BGP Conditional Route Injection" to generate the /28 (it should be a child subnet out of the parent /24). then filter the prefixes to select which upstreams should receive this injected subnet.

cheers

On Tue, Jan 5, 2010 at 11:05 AM, Dracul wrote:

> Hi there,
>
> I was wondering if you could do a segregate route, for specific ip addresses under BGP going only to a specific link.
> for example if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior. Thanks!
>
> regards,
> Chris
>

From s.ganschow at buelow-masiak.de Tue Jan 5 03:48:20 2010
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Tue, 5 Jan 2010 09:48:20 +0100
Subject: [c-nsp] VPDN Problem
In-Reply-To:
Message-ID:

Hi Arie,

I mean that if you've got a DSL line with 160kbit upstream and you use it all.

The main thing I don't understand is the error message "invalid destination". Do I understand it right that the message I see in sh vpdn hist fail is sent by the LAC to our LNS?

Sebastian

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Tuesday, 5 January 2010 09:11
> To: Sebastian Ganschow; cisco-nsp
> Subject: RE: RE: [c-nsp] VPDN Problem
>
> Sebastian,
>
> What do you mean by "if you exceed your bandwidth"?
>
> You could try the following debugs for more info:
> debug ppp nego
> debug vpdn l2x event
> debug vpdn l2x error
> debug radius
>
> Arie
>
> -----Original Message-----
> From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
> Sent: Tuesday, January 05, 2010 09:35
> To: Arie Vayner (avayner); cisco-nsp
> Subject: AW: RE: [c-nsp] VPDN Problem
>
> Hi,
>
> Output of show vpdn history failure
>
> #sh vpdn history failure
> User: xyz, MID = 902
> NAS: lac, IP address = 1.2.3.4, CLID = 63366
> Gateway: lns, IP address = 5.6.7.8, CLID = 1417
> Log time: Jan 4 10:55:24.390, Error repeat count: 3
> Failure type: The remote server closed this session
> Failure reason: Result 2, Error 6
>
> As I found out, the failure reason could be interpreted as the following:
>
> Result 2 - General error (Error code indicates problem)
> Error 2 - Invalid destination
>
> What is the meaning of invalid destination? As the tunnel is established and gets dropped only if you exceed your bandwidth, I can't get the meaning of the error message from the context.
>
> Regards,
> Sebastian
>
>
> > -----Original Message-----
> > From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> > Sent: Wednesday, 23 December 2009 17:23
> > To: Sebastian Ganschow; cisco-nsp at puck.nether.net
> > Subject: RE: [c-nsp] VPDN Problem
> >
> > Sebastian,
> >
> > You can try looking at the output of "show vpdn history".
> > I think the error you get means that the remote side requested a disconnect, but I also see some cases this appears by mistake...
> >
> > Arie
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian Ganschow
> > Sent: Wednesday, December 23, 2009 12:17
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] VPDN Problem
> >
> > Hi all,
> >
> > we've got a little problem with our vpdn where we're stuck. Could anyone explain the following debugging messages from our 7206 to me:
> >
> > VPDN Vi12 disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign Host Close
> > VPDN Vi12 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=23, syslog_key_type=1
> > %VPDN-6-CLOSED: L2TP LNS viade-dbmg-lns closed Vi12 user username; Result 2, Error 6, Locally generated disconnect
> >
> >
> > What is the meaning of:
> > - 8/port-error Ascend: 41/TCP
> > - Result 2, Error 6, Locally generated disconnect
> >
> > On CCO there is no information about those messages.
> >
> > The session gets disconnected if the upstream bandwidth is exceeded. There are two providers who are delivering those vpdn sessions to us. We've tried with users of them, but the disconnect only happens on our own LNS. If the user is connected to the LNS of one of the two providers, the session won't be disconnected.
> >
> > Any Ideas?
> >
> > Regards
> > Sebastian
>

From avayner at cisco.com Tue Jan 5 03:53:58 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 5 Jan 2010 09:53:58 +0100
Subject: [c-nsp] VPDN Problem
In-Reply-To:
References:
Message-ID:

Yes, it is sent from the LAC.

This is a message from the RFC, but I would assume it has something to do with the PPP/L2TP negotiation between the LAC and LNS, and the LAC not agreeing to something sent from the LNS...

The debugs below should help.

Arie

-----Original Message-----
From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
Sent: Tuesday, January 05, 2010 10:48
To: Arie Vayner (avayner); cisco-nsp
Subject: AW: RE: RE: [c-nsp] VPDN Problem

Hi Arie,

I mean that if you've got a DSL line with 160kbit upstream and you use it all.

The main thing I don't understand is the error message "invalid destination". Do I understand it right that the message I see in sh vpdn hist fail is sent by the LAC to our LNS?

Sebastian

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Tuesday, 5 January 2010 09:11
> To: Sebastian Ganschow; cisco-nsp
> Subject: RE: RE: [c-nsp] VPDN Problem
>
> Sebastian,
>
> What do you mean by "if you exceed your bandwidth"?
>
> You could try the following debugs for more info:
> debug ppp nego
> debug vpdn l2x event
> debug vpdn l2x error
> debug radius
>
> Arie
>
> -----Original Message-----
> From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
> Sent: Tuesday, January 05, 2010 09:35
> To: Arie Vayner (avayner); cisco-nsp
> Subject: AW: RE: [c-nsp] VPDN Problem
>
> Hi,
>
> Output of show vpdn history failure
>
> #sh vpdn history failure
> User: xyz, MID = 902
> NAS: lac, IP address = 1.2.3.4, CLID = 63366
> Gateway: lns, IP address = 5.6.7.8, CLID = 1417
> Log time: Jan 4 10:55:24.390, Error repeat count: 3
> Failure type: The remote server closed this session
> Failure reason: Result 2, Error 6
>
> As I found out, the failure reason could be interpreted as the following:
>
> Result 2 - General error (Error code indicates problem)
> Error 2 - Invalid destination
>
> What is the meaning of invalid destination? As the tunnel is established and gets dropped only if you exceed your bandwidth, I can't get the meaning of the error message from the context.
>
> Regards,
> Sebastian
>
>
> > -----Original Message-----
> > From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> > Sent: Wednesday, 23 December 2009 17:23
> > To: Sebastian Ganschow; cisco-nsp at puck.nether.net
> > Subject: RE: [c-nsp] VPDN Problem
> >
> > Sebastian,
> >
> > You can try looking at the output of "show vpdn history".
> > I think the error you get means that the remote side requested a disconnect, but I also see some cases this appears by mistake...
> >
> > Arie
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian Ganschow
> > Sent: Wednesday, December 23, 2009 12:17
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] VPDN Problem
> >
> > Hi all,
> >
> > we've got a little problem with our vpdn where we're stuck. Could anyone explain the following debugging messages from our 7206 to me:
> >
> > VPDN Vi12 disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign Host Close
> > VPDN Vi12 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=23, syslog_key_type=1
> > %VPDN-6-CLOSED: L2TP LNS viade-dbmg-lns closed Vi12 user username; Result 2, Error 6, Locally generated disconnect
> >
> >
> > What is the meaning of:
> > - 8/port-error Ascend: 41/TCP
> > - Result 2, Error 6, Locally generated disconnect
> >
> > On CCO there is no information about those messages.
> >
> > The session gets disconnected if the upstream bandwidth is exceeded. There are two providers who are delivering those vpdn sessions to us. We've tried with users of them, but the disconnect only happens on our own LNS. If the user is connected to the LNS of one of the two providers, the session won't be disconnected.
> >
> > Any Ideas?
> >
> > Regards
> > Sebastian
>

From peter.haag at switch.ch Tue Jan 5 03:55:08 2010
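Added example for the VPDN thread above (not from any of the posters or from Cisco): a small decoder for the "Result N, Error M" pair that IOS prints in %VPDN-6-CLOSED lines, in the "vpdn shutdown session" debug and in "show vpdn history failure", using the CDN Result Code and General Error Code tables from RFC 2661 section 4.4.2, under which Error 6 is a generic vendor-specific error in the LAC and "Invalid destination" is Result Code 6. The sample lines are constructed from the output quoted in the thread.

```python
"""Decode the L2TP Result Code / Error Code pair that IOS reports when an
L2TP session is torn down with a CDN (Call-Disconnect-Notify).

Added example; not code from any poster on this thread or from Cisco.
The tables below are the CDN Result Code values and the General Error
Codes of RFC 2661, section 4.4.2.
"""
import re

# RFC 2661 4.4.2: Result Code AVP values carried in a CDN message.
CDN_RESULT = {
    0: "Reserved",
    1: "Call disconnected due to loss of carrier",
    2: "Call disconnected for the reason indicated in error code",
    3: "Call disconnected for administrative reasons",
    4: "Call failed due to lack of appropriate facilities being available (temporary condition)",
    5: "Call failed due to lack of appropriate facilities being available (permanent condition)",
    6: "Invalid destination",
    7: "Call failed due to no carrier detected",
    8: "Call failed due to detection of a busy signal",
    9: "Call failed due to lack of a dial tone",
    10: "Call was not established within time allotted by LAC",
    11: "Call was connected but no appropriate framing was detected",
}

# RFC 2661 4.4.2: General Error Codes; only meaningful when Result Code is 2.
GENERAL_ERROR = {
    0: "No general error",
    1: "No control connection exists yet for this LAC-LNS pair",
    2: "Length is wrong",
    3: "One of the field values was out of range or reserved field was non-zero",
    4: "Insufficient resources to handle this operation now",
    5: "The Session ID is invalid in this context",
    6: "A generic vendor-specific error occurred in the LAC",
    7: "Try another",
    8: "Session or tunnel was shutdown due to receipt of an unknown AVP with the M-bit set",
}

# Matches both "Result 2, Error 6" (syslog / show output) and
# "result=2, error=6" (debug output).
RESULT_RE = re.compile(r"[Rr]esult\s*=?\s*(\d+),?\s*[Ee]rror\s*=?\s*(\d+)")
VENDOR_RE = re.compile(r"vendor_err=(\d+)")


def parse_line(line):
    """Return (result, error, vendor_err) from one IOS VPDN line, or None.

    vendor_err is None when the line does not carry that field.
    """
    m = RESULT_RE.search(line)
    if not m:
        return None
    result, error = int(m.group(1)), int(m.group(2))
    v = VENDOR_RE.search(line)
    return result, error, (int(v.group(1)) if v else None)


def decode(result, error, vendor_err=None):
    """Map a Result/Error pair to its RFC 2661 text plus a triage hint."""
    out = {
        "result": result,
        "result_text": CDN_RESULT.get(result, "Unknown result code"),
        "error": error,
        "error_text": GENERAL_ERROR.get(error, "Unknown error code"),
    }
    if result == 2:
        # Only for Result Code 2 does the Error Code carry the real reason.
        if error == 6:
            hint = "LAC reported a vendor-specific error"
            if vendor_err == 0:
                # vendor_err=0: the LAC gave no vendor code, so the cause is
                # only visible in the LAC's own logs.
                hint += "; it sent no vendor error code, so the cause is only visible in the LAC's own logs"
        else:
            hint = out["error_text"]
    else:
        hint = out["result_text"]
    out["hint"] = hint
    return out


# Constructed sample lines, modelled on the output quoted in the thread.
SAMPLE = [
    "VPDN Vi12 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=23, syslog_key_type=1",
    "%VPDN-6-CLOSED: L2TP LNS viade-dbmg-lns closed Vi12 user username; Result 2, Error 6, Locally generated disconnect",
    "Failure reason: Result 2, Error 6",
]


def triage(lines):
    """Decode every line that carries a Result/Error pair; skip the rest."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            findings.append(decode(*parsed))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"Result {f['result']} / Error {f['error']}: {f['hint']}")
```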
From: peter.haag at switch.ch (Peter Haag)
Date: Tue, 05 Jan 2010 09:55:08 +0100
Subject: [c-nsp] nfdump-1.6 available
Message-ID: <4B42FE6C.3070500@switch.ch>

Dear all,

I'm happy to announce that nfdump-1.6 is available for downloading @ Sourceforge. Several new features have been added (see list below). nfdump-1.6 is mostly compatible with nfdump-1.5.x. nfdump-1.6 works with the current NfSen 1.3.2; however, the new features are not accessible using the interface.

*** Please note: ***
PortTracker from NfSen 1.3.2 does *NOT* work with nfdump-1.6. An updated version for NfSen/PortTracker will be released later.

- Peter

NEW in 1.6 since 1.5.8 ( latest on top )
----------------------
o Add router IP extension.
o Add router ID extension (engine type/ID)
o Add srcmask and dstmask aggregation
o Aggregated ( -a, -A, -b, -B ) or sorted flows ( -m ) can be written back to binary files ( -w )
  Note: This results in a behaviour change for -w in combination with aggregation
o Extend -N ( do not scale numbers ) to all text output, not just summary
o Remove header lines of -s stat when using -q ( quiet )
  Note: This results in a behaviour change for -N
o Remove legacy v1.4 file compatibility
o Remove -S option from nfdump ( legacy 1.4 compatibility )
o Make use of log (syslog) functions for nfprofile.
o Move log functions to util.c
o Update sflow collector.
o Add parse_csv.pl script as an example to parse csv output
o Add csv output format ( -o csv ) as replacement for -o pipe - keep -o pipe for now.
o Flow-tools converter updated - supports all common elements.
o Sflow collector updated. Supports more common elements.
o Add sampling to nfdump. Sampling is automatically recognised in undocumented v5 header fields and in v9 option templates. See nfcapd(1)
o Add @include option for filter to include more filter files.
o Add bidirectional aggregation ( -b, -B ) - experimental feature
o Add flexible aggregation comparable to Flexible Netflow (FNF) over all available v9 tags
o All new tags can be selected in -o fmt:... See nfdump(1)
o topN stat for all new tags is implemented
o Integrate developer code to read from pcap files into stable branch
o Update filter syntax for new tags
o Add flexible storage option for nfcapd. To save disk space, the data extensions to be stored in the data file are user selectable.
o Added more v9 tags for netflow v9. The detailed tags are listed in nfcapd(1). Besides MAC addresses and VLAN labels, also MPLS labels and many more v9 tags are now supported. AS numbers and interface numbers are now 32bit clean. Adding new tags also extended the binary file format with data block type 2, which is extension based. File format for version <= 1.5.* ( Data block format type 1 ) is read transparently ( --enable-compat15 ). Data block type 2 is skipped by nfdump 1.5.8.
o Added option for multiple netflow streams to the same port: -n
  Example: -n router1,192.168.100.1,/var/nfdump/router1
  So multiple -n options may be given at the command line.
  Old style syntax still works for compatibility ( -I .. -l ... ) but then only one source is supported.
o Move to automake for building nfdump
o Make nfdump fully 64bit compliant ( 32/64bit data alignments and access ). Compiles and runs cleanly on 32/64bit systems
o Switch scaling factor ( k, M, G ) from 1024 to 1000.

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: peter.haag at switch.ch  Web: http://www.switch.ch/

From ip at ioshints.info Tue Jan 5 04:00:29 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 5 Jan 2010 10:00:29 +0100
Subject: [c-nsp] BGP ip addresses re-route to specific link
In-Reply-To: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com>
Message-ID: <002c01ca8de5$88bd6060$9a382120$@info>

Are you trying to do destination-based routing (packet TO specific address should go over specific link) or source-based routing (packet FROM specific /28 should go over specific upstream link)?

> -----Original Message-----
> From: Dracul [mailto:chris.garzon at gmail.com]
> Sent: Tuesday, January 05, 2010 8:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] BGP ip addresses re-route to specific link
>
> Hi there,
>
> I was wondering if you could do a segregate route, for specific ip addresses under BGP going only to a specific link.
> for example if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior. Thanks!
>
> regards,
> Chris

From geert.nijs at gmail.com Tue Jan 5 04:09:26 2010
From: geert.nijs at gmail.com (Geert Nijs)
Date: Tue, 5 Jan 2010 10:09:26 +0100
Subject: [c-nsp] Cisco N5000 vPC to connect HP c7000 with VC
Message-ID:

Hi all,

- Does anyone have experience connecting an HP c7000 enclosure with 2 HP VirtualConnect switches to a pair of Nexus 5000 switches using a vPC configuration?
- Other general vPC experience is also appreciated.

regards,
Geert

From x.illusi0n at gmail.com Tue Jan 5 04:16:39 2010
From: x.illusi0n at gmail.com (ioluz)
Date: Tue, 5 Jan 2010 10:16:39 +0100
Subject: [c-nsp] Cisco 2600 ISDN
Message-ID: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com>

Hello,

I actually have a problem with my cisco 2600 configuration.

I have a cisco 2600 in a datacenter which is connected to a "Numeris" connection. In my office, I have a Windows XP computer which is able to use a "Numeris" connection.

My goal is to be able to use the Windows XP computer to connect to my cisco 2600 by using our "Numeris" connection (in case of rescue).

When I try to contact my cisco by using my Windows XP computer I get the following error:

*Mar 15 20:33:37.911: ISDN BR0/0 EVENT: service_queue_from_physical_layer: Recvd L1 prim 1 state is 3
*Mar 15 20:33:37.911: ISDN BR0/0 EVENT: isdn_sw_cstate: State = 4, Old State = 4
*Mar 15 20:33:37.915: ISDN BR0/0 EVENT: service_queue_from_physical_layer: Recvd L1 prim 6 state is 1
*Mar 15 20:33:37.923: ISDN BR0/0 Q921: User TX -> SABMEp sapi=0 tei=65
*Mar 15 20:33:37.935: ISDN BR0/0 Q921: User RX <- UAf sapi=0 tei=65
*Mar 15 20:33:37.935: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 65 changed to up
*Mar 15 20:33:38.159: ISDN BR0/0 Q921: User RX <- UI sapi=0 tei=127
*Mar 15 20:33:38.163: ISDN BR0/0 Q931: SETUP *censuré* = 8 callref = 0x66
        Bearer Capability i = 0x9090A3
                Standard = CCITT
                Transfer Capability = 3.1kHz Audio
                Transfer Mode = Circuit
                Transfer Rate = 64 kbit/s
        Channel ID i = 0x89
        Progress Ind i = 0x8483 - Origination address is non-ISDN
        Calling Party Number i = 0x2083, '*********'
                Plan:Unknown, Type:National
        Called Party Number i = 0x81, '****'
                Plan:ISDN, Type:Unknown
        Sending Complete
*Mar 15 20:33:38.167: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL L2: sapi 0 tei 127 ces 0 ev 0x3
*Mar 15 20:33:38.171: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A calltype 2 HOST_INCOMING_CALL
*Mar 15 20:33:38.171: BR0/0:1: interface must be fifo queue, force fifo
*Mar 15 20:33:38.175: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di0
*Mar 15 20:33:38.175: ISDN BR0/0 EVENT: UserIdle: callid 0x10A received ACCEPT_CALL (0x13)
*Mar 15 20:33:38.179: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
*Mar 15 20:33:38.179: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to ********* N/A
*Mar 15 20:33:38.183: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=0 nr=0
*Mar 15 20:33:38.187: ISDN BR0/0 Q931: CONNECT *censuré* = 8 callref = 0xE6
        Shift to Codeset 6
        Codeset 6 IE 0x24 i = 0x80
*Mar 15 20:33:38.187: BR0/0:1 PPP: Using dialer call direction
*Mar 15 20:33:38.187: BR0/0:1 PPP: Treating connection as a callin
*Mar 15 20:33:38.187: BR0/0:1 PPP: Session handle[2F000076] Session id[106]
*Mar 15 20:33:38.187: BR0/0:1 PPP: Phase is ESTABLISHING, Passive Open
*Mar 15 20:33:38.187: BR0/0:1 LCP: State is Listen
*Mar 15 20:33:38.203: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=1
*Mar 15 20:33:38.255: ISDN BR0/0 Q921: User RX <- INFO sapi=0 tei=65, ns=0 nr=1
*Mar 15 20:33:38.255: ISDN BR0/0 Q931: CONNECT_ACK *censuré* = 8 callref = 0x66
*Mar 15 20:33:38.259: ISDN BR0/0 Q921: User TX -> RR sapi=0 tei=65 nr=1
*Mar 15 20:33:39.871: ISDN BR0/0 Q921: User RX <- IDCKRQ ri=0 ai=127
*Mar 15 20:33:39.875: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL L2: sapi 63 tei 127 ces 0 ev 0x3
*Mar 15 20:33:39.879: ISDN BR0/0 SERROR: L2_Go: at bailout DLCB is NULL L2: sapi 63 tei 127 ces 0 ev 0x650
*Mar 15 20:33:39.879: ISDN BR0/0 Q921: User TX -> IDCKRP ri=30551 ai=65
*Mar 15 20:33:40.179: BR0/0:1 LCP: Timeout: State Listen
*Mar 15 20:33:40.179: BR0/0:1 PPP: Authorization required
*Mar 15 20:33:40.179: BR0/0:1 AAA/AUTHOR/LCP: Authorization succeeds trivially
*Mar 15 20:33:40.183: BR0/0:1 LCP: O CONFREQ [Listen] id 3 len 15
*Mar 15 20:33:40.183: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:40.183: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:42.187: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:42.187: BR0/0:1 LCP: O CONFREQ [REQsent] id 4 len 15
*Mar 15 20:33:42.187: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:42.187: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:44.203: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:44.203: BR0/0:1 LCP: O CONFREQ [REQsent] id 5 len 15
*Mar 15 20:33:44.203: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:44.203: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:46.219: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:46.219: BR0/0:1 LCP: O CONFREQ [REQsent] id 6 len 15
*Mar 15 20:33:46.219: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:46.219: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:48.235: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:48.235: BR0/0:1 LCP: O CONFREQ [REQsent] id 7 len 15
*Mar 15 20:33:48.235: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:48.235: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:48.259: ISDN BR0/0 Q921: User TX -> RRp sapi=0 tei=65 nr=1
*Mar 15 20:33:48.271: ISDN BR0/0 Q921: User RX <- RRf sapi=0 tei=65 nr=1
*Mar 15 20:33:50.251: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:50.251: BR0/0:1 LCP: O CONFREQ [REQsent] id 8 len 15
*Mar 15 20:33:50.251: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:50.251: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:52.267: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:52.267: BR0/0:1 LCP: O CONFREQ [REQsent] id 9 len 15
*Mar 15 20:33:52.267: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:52.267: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:54.283: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:54.283: BR0/0:1 LCP: O CONFREQ [REQsent] id 10 len 15
*Mar 15 20:33:54.283: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:54.283: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:56.299: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:56.299: BR0/0:1 LCP: O CONFREQ [REQsent] id 11 len 15
*Mar 15 20:33:56.299: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:56.299: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:58.271: ISDN BR0/0 Q921: User RX <- RRp sapi=0 tei=65 nr=1
*Mar 15 20:33:58.275: ISDN BR0/0 Q921: User TX -> RRp sapi=0 tei=65 nr=1
*Mar 15 20:33:58.275: ISDN BR0/0 Q921: User TX -> RRf sapi=0 tei=65 nr=1
*Mar 15 20:33:58.287: ISDN BR0/0 Q921: User RX <- RRf sapi=0 tei=65 nr=1
*Mar 15 20:33:58.315: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:58.315: BR0/0:1 LCP: O CONFREQ [REQsent] id 12 len 15
*Mar 15 20:33:58.315: BR0/0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:58.315: BR0/0:1 LCP:    MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:34:00.331: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:34:00.331: BR0/0:1 DDR: disconnecting call
*Mar 15 20:34:00.331: BR0/0:1 LCP: State is Listen
*Mar 15 20:34:00.331: ISDN BR0/0 EVENT: UserIdle: callid 0x10A received ISDN_HANGUP (0x1)
*Mar 15 20:34:00.331: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from ********* , call lasted 22 seconds
*Mar 15 20:34:00.335: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=1 nr=1
*Mar 15 20:34:00.339: ISDN BR0/0 Q931: DISCONNECT *censuré* = 8 callref = 0xE6
        Cause i = 0x8790 - Normal call clearing
*Mar 15 20:34:00.355: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=2
*Mar 15 20:34:00.443: ISDN BR0/0 Q921: User RX <- INFO sapi=0 tei=65, ns=1 nr=2
*Mar 15 20:34:00.443: ISDN BR0/0 Q931: RELEASE *censuré* = 8 callref = 0x66
*Mar 15 20:34:00.447: ISDN BR0/0 Q921: User TX -> RR sapi=0 tei=65 nr=2
*Mar 15 20:34:00.451: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A calltype 1 HOST_DISCONNECT_ACK
*Mar 15 20:34:00.451: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
*Mar 15 20:34:00.451: BR0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
*Mar 15 20:34:00.455: %DIALER-6-UNBIND: Interface BR0/0:1 unbound from profile Di0
*Mar 15 20:34:00.459: ISDN BR0/0 EVENT: process_rxstate: ces/callid 1/0x10A calltype 1 HOST_DISCONNECT_ACK
*Mar 15 20:34:00.459: ISDN BR0/0 Q921: User TX -> INFO sapi=0 tei=65, ns=2 nr=2
*Mar 15 20:34:00.459: ISDN BR0/0 Q931: RELEASE_COMP *censuré* = 8 callref = 0xE6
        Shift to Codeset 6
        Codeset 6 IE 0x24 i = 0x80
*Mar 15 20:34:00.463: BR0/0:1 PPP: Sending Acct Event[Down] id[7C]
*Mar 15 20:34:00.463: BR0/0:1 LCP: State is Closed
*Mar 15 20:34:00.463: BR0/0:1 PPP: Phase is DOWN
*Mar 15 20:34:00.479: ISDN BR0/0 Q921: User RX <- RR sapi=0 tei=65 nr=3
*Mar 15 20:34:04.479: ISDN BR0/0 Q921: User RX <- DISCp sapi=0 tei=65
*Mar 15 20:34:04.479: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0, TEI 65 changed to down
*Mar 15 20:34:04.483: ISDN BR0/0 Q921: User TX -> UAf sapi=0 tei=65
*Mar 15 20:34:34.523: ISDN BR0/0 EVENT: service_queue_from_physical_layer: Recvd L1 prim 5 state is 1
*Mar 15 20:34:34.947: ISDN BR0/0 EVENT: service_queue_from_physical_layer: Recvd L1 prim 3 state is 2
*Mar 15 20:34:34.947: ISDN BR0/0 EVENT: isdn_sw_cstate: State = 0, Old State = 4
*Mar 15 20:34:34.951: ISDN BR0/0 Q931: L3_ShutDown: Shutting down ISDN Layer 3

here is my cisco's show run:

Building configuration...

Current configuration : 2191 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sw-adm.**********
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip dhcp pool secret
   network 10.1.76.0 255.255.255.240
   default-router 10.1.76.1
!
isdn switch-type vn3
!
username username privilege 0 secret 5
username user privilege 0 secret 5
username username2 password 0
!
!
!
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
 no ip mroute-cache
!
interface FastEthernet0/0
 ip address 10.1.75.19 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
!
interface BRI0/0 no ip address encapsulation ppp dialer pool-member 1 isdn switch-type vn3 isdn incoming-voice data 64 no peer default ip address ppp authentication chap ! interface Serial0/0 no ip address ! interface Dialer0 ip address negotiated encapsulation ppp dialer pool 1 dialer remote-name username2 ! no ip http server ip classless ! ! access-list 12 permit 10.1.75.20 access-list 100 permit tcp host 10.1.75.20 any eq telnet log access-list 100 deny ip any any log dialer-list 1 protocol ip permit banner login ^Cc Good luck^C ! line con 0 privilege level 0 login local line 33 64 session-timeout 20 exec-timeout 0 0 no exec transport input all line aux 0 session-timeout 20 exec-timeout 0 0 no exec transport input all line vty 0 4 access-class 100 in exec-timeout 0 0 privilege level 0 login local transport input telnet line vty 5 15 login local ! ! end From s.ganschow at buelow-masiak.de Tue Jan 5 04:48:17 2010 
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Tue, 5 Jan 2010 10:48:17 +0100
Subject: [c-nsp] VPDN Problem
In-Reply-To: 
Message-ID: 

Okay, probably the first line will tell us where the problem is. But why do keepalives suddenly get lost?

Jan 5 10:41:51 mrl01cor01 35245: 035250: 1w0d: Vi26 PPP: Missed 5 keepalives, taking LCP down
Jan 5 10:41:51 mrl01cor01 35246: 035251: 1w0d: Vi26 PPP: Sending Acct Event[Down] id[667]
Jan 5 10:41:51 mrl01cor01 35247: 035252: 1w0d: Vi26 LCP: State is Closed
Jan 5 10:41:51 mrl01cor01 35248: 035253: 1w0d: Vi26 PPP: Phase is DOWN
Jan 5 10:41:51 mrl01cor01 35249: 035254: 1w0d: Vi26 IPCP: State is Closed
Jan 5 10:41:51 mrl01cor01 35250: 035255: 1w0d: Vi26 PPP: Send Message[Disconnect]
Jan 5 10:41:51 mrl01cor01 35251: 035256: 1w0d: Vi26 IPCP: Remove route to 1.2.3.4
Jan 5 10:41:51 mrl01cor01 35252: 035257: 1w0d: Vi26 Tnl/Sn 21483/1151 L2TP: disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign Host Close
Jan 5 10:41:51 mrl01cor01 35253: 035258: Jan 5 10:41:42.127 met: %VPDN-6-CLOSED: L2TP LNS lns closed Vi26 user dsluser; Result 2, Error 6
Jan 5 10:41:51 mrl01cor01 35254: 035259: 1w0d: Vi26 Tnl/Sn 21483/1151 L2TP: O CDN to lac 37514/6429
Jan 5 10:41:52 mrl01cor01 35255: 035260: Jan 5 10:41:42.131 met: %LINK-3-UPDOWN: Interface Virtual-Access26, changed state to down
Jan 5 10:41:52 mrl01cor01 35256: 035261: 1w0d: Tnl 21483 L2TP: Control channel retransmit delay set to 1 seconds
Jan 5 10:41:53 mrl01cor01 35257: 035262: Jan 5 10:41:43.127 met: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access26, changed state to down
Jan 5 10:42:12 mrl01cor01 35258: 035263: 1w0d: Tnl 63366 L2TP: I ICRQ from lac tnl 1417
Jan 5 10:42:12 mrl01cor01 35259: 035264: 1w0d: Tnl/Sn 63366/1162 L2TP: Session FS enabled
Jan 5 10:42:12 mrl01cor01 35260: 035265: 1w0d: Tnl/Sn 63366/1162 L2TP: Session state change from idle to wait-connect
Jan 5 10:42:12 mrl01cor01 35261: 035266: 1w0d: Tnl/Sn 63366/1162 L2TP: New session created
Jan 5 10:42:12 mrl01cor01 35262: 035267: 1w0d: Tnl/Sn 63366/1162 L2TP: O ICRP to lac 1417/49006

Sebastian

> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Tuesday, 5 January 2010 09:54
> To: Sebastian Ganschow; cisco-nsp
> Subject: RE: RE: RE: [c-nsp] VPDN Problem
>
> Yes, it is sent from the LAC.
> This is a message from the RFC, but I would assume it has something to do with the PPP/L2TP negotiation between the LAC and LNS, and the LAC not agreeing to something sent from the LNS...
>
> The debugs below should help.
>
> Arie
>
> -----Original Message-----
> From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
> Sent: Tuesday, January 05, 2010 10:48
> To: Arie Vayner (avayner); cisco-nsp
> Subject: AW: RE: RE: [c-nsp] VPDN Problem
>
> Hi Arie,
>
> I mean that if you've got a DSL line with 160kbit upstream and you use it all.
>
> The main thing I don't understand is the error message "invalid destination". Do I understand it right that the message I see in sh vpdn hist fail is sent by the LAC to our LNS?
>
> Sebastian
>
> > -----Original Message-----
> > From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> > Sent: Tuesday, 5 January 2010 09:11
> > To: Sebastian Ganschow; cisco-nsp
> > Subject: RE: RE: [c-nsp] VPDN Problem
> >
> > Sebastian,
> >
> > What do you mean by "if you exceed your bandwidth"?
> >
> > You could try the following debugs for more info:
> > debug ppp nego
> > debug vpdn l2x event
> > debug vpdn l2x error
> > debug radius
> >
> > Arie
> >
> > -----Original Message-----
> > From: Sebastian Ganschow [mailto:s.ganschow at buelow-masiak.de]
> > Sent: Tuesday, January 05, 2010 09:35
> > To: Arie Vayner (avayner); cisco-nsp
> > Subject: AW: RE: [c-nsp] VPDN Problem
> >
> > Hi,
> >
> > Output of show vpdn history failure
> >
> > #sh vpdn history failure
> > User: xyz, MID = 902
> > NAS: lac, IP address = 1.2.3.4, CLID = 63366
> > Gateway: lns, IP address = 5.6.7.8, CLID = 1417
> > Log time: Jan 4 10:55:24.390, Error repeat count: 3
> > Failure type: The remote server closed this session
> > Failure reason: Result 2, Error 6
> >
> > As I found out, the failure reason could be interpreted as the following:
> >
> > Result 2 - General error (Error code indicates problem)
> > Error 2 - Invalid destination
> >
> > What is the meaning of invalid destination? As the tunnel is established and only gets dropped if you exceed your bandwidth, I can't get the meaning of the error message from the context.
> >
> > Regards,
> > Sebastian
> >
> >
> > > -----Original Message-----
> > > From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> > > Sent: Wednesday, 23 December 2009 17:23
> > > To: Sebastian Ganschow; cisco-nsp at puck.nether.net
> > > Subject: RE: [c-nsp] VPDN Problem
> > >
> > > Sebastian,
> > >
> > > You can try looking at the output of "show vpdn history".
> > > I think the error you get means that the remote side requested a disconnect, but I also see some cases where this appears by mistake...
> > >
> > > Arie
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian Ganschow
> > > Sent: Wednesday, December 23, 2009 12:17
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] VPDN Problem
> > >
> > > Hi all,
> > >
> > > we've got a little problem with our vpdn where we're stuck. Could anyone explain the following debugging messages from our 7206 to me:
> > >
> > > VPDN Vi12 disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign Host Close
> > > VPDN Vi12 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=23, syslog_key_type=1
> > > %VPDN-6-CLOSED: L2TP LNS viade-dbmg-lns closed Vi12 user username; Result 2, Error 6, Locally generated disconnect
> > >
> > >
> > > What is the meaning of:
> > > - 8/port-error Ascend: 41/TCP
> > > - Result 2, Error 6, Locally generated disconnect
> > >
> > > On CCO there is no information about those messages.
> > >
> > > The session gets disconnected if the upstream bandwidth is exceeded. There are two providers who are delivering those vpdn sessions to us. We've tried with users of them, but the disconnect only happens on our own LNS. If the user is connected to the LNS of one of the two providers, the session won't be disconnected.
> > >
> > > Any Ideas?
> > >
> > > Regards
> > > Sebastian
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> > >

From A.L.M.Buxey at lboro.ac.uk Tue Jan 5 05:26:08 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 5 Jan 2010 10:26:08 +0000
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: 
References: 
Message-ID: <20100105102608.GC5984@lboro.ac.uk>

hi,

we've had an issue with certain IOS - now running 12.2(44)SE6 - on the 3550 platform. note...there is a newer IOS floating around - 12.2(50)SE-somesuch..but that seems to only be relevant for the 3550-24td or such specific version - don't run it on any other one as, though it appears to work, you get some interesting results! ;-)

alan

> Searching bug toolkit, I didn't find anything that looked relevant. Has
> anyone else run into this sort of thing with 12.1EA software or have an
> idea what the cause/solutions might be?

any reason for lurking down in the 12.1EA release train?

From jared at puck.nether.net Tue Jan 5 08:11:38 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 5 Jan 2010 08:11:38 -0500
Subject: [c-nsp] Cisco 2600 ISDN
In-Reply-To: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com>
References: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com>
Message-ID: <6DD0AA69-30FD-454E-96FB-437D9717C5EC@puck.nether.net>

So there's a few things that I see missing here.

You need to have an IP that you will assign to the dial-in user. (Unless you intend to use this as a bridge, which I don't know if XP will support).

You should define some local pool of IP(s) that you will hand out.

eg:

ip local pool mypool 192.168.0.1 192.168.0.2

interface Group-Async1
 ip unnumbered FastEthernet0/0
 ip tcp header-compression passive
 ip pim border
 encapsulation ppp
 no ip mroute-cache
 async default routing
 async mode interactive
 peer default ip address pool mypool
 no fair-queue
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication pap chap
 group-range 1

This is taken from an old archive of configs that I have from doing dial in the good-old-days...

Hope it helps.

- Jared

On Jan 5, 2010, at 4:16 AM, ioluz wrote:

> Hello,
>
> I actually have a problem with my cisco 2600 configuration.
>
> I have a cisco 2600 in a datacenter which is connected to a "Numeris" connexion
>
> In my office, I have a Windows XP computer which is able to use a "Numeris" connexion.

From x.illusi0n at gmail.com Tue Jan 5 08:51:05 2010
From: x.illusi0n at gmail.com (ioluz)
Date: Tue, 5 Jan 2010 14:51:05 +0100
Subject: [c-nsp] Cisco 2600 ISDN
In-Reply-To: <6DD0AA69-30FD-454E-96FB-437D9717C5EC@puck.nether.net>
References: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com> <6DD0AA69-30FD-454E-96FB-437D9717C5EC@puck.nether.net>
Message-ID: <97699e7b1001050551o73425880pf99839f53c178a4a@mail.gmail.com>

Thanks for your help. I tried your configuration and I have the same debug output.

The very strange point is the fact that I didn't see any I CONFREQ in the debug output, isn't it?

On Tue, Jan 5, 2010 at 2:11 PM, Jared Mauch wrote:

> So there's a few things that I see missing here.
>
> You need to have an IP that you will assign to the dial-in user. (Unless you intend to use this as a bridge, which I don't know if XP will support).
>
> You should define some local pool of IP(s) that you will hand out.
>
> eg:
>
> ip local pool mypool 192.168.0.1 192.168.0.2
>
> interface Group-Async1
>  ip unnumbered FastEthernet0/0
>  ip tcp header-compression passive
>  ip pim border
>  encapsulation ppp
>  no ip mroute-cache
>  async default routing
>  async mode interactive
>  peer default ip address pool mypool
>  no fair-queue
>  no cdp enable
>  ppp max-bad-auth 3
>  ppp authentication pap chap
>  group-range 1
>
> This is taken from an old archive of configs that I have from doing dial in the good-old-days...
>
> Hope it helps.
>
> - Jared
>
>
> On Jan 5, 2010, at 4:16 AM, ioluz wrote:
>
> > Hello,
> >
> > I actually have a problem with my cisco 2600 configuration.
> >
> > I have a cisco 2600 in a datacenter which is connected to a "Numeris" connexion
> >
> > In my office, I have a Windows XP computer which is able to use a "Numeris" connexion.
> > username username privilege 0 secret 5 > > username user privilege 0 secret 5 > > username username2 password 0 > > ! > > ! > > ! > > ! > > interface Loopback1 > > ip address 172.16.1.1 255.255.255.0 > > no ip mroute-cache > > ! > > interface FastEthernet0/0 > > ip address 10.1.75.19 255.255.255.0 > > no ip route-cache cef > > no ip route-cache > > duplex auto > > speed auto > > ! > > interface BRI0/0 > > no ip address > > encapsulation ppp > > dialer pool-member 1 > > isdn switch-type vn3 > > isdn incoming-voice data 64 > > no peer default ip address > > ppp authentication chap > > ! > > interface Serial0/0 > > no ip address > > ! > > interface Dialer0 > > ip address negotiated > > encapsulation ppp > > dialer pool 1 > > dialer remote-name username2 > > ! > > no ip http server > > ip classless > > ! > > ! > > access-list 12 permit 10.1.75.20 > > access-list 100 permit tcp host 10.1.75.20 any eq telnet log > > access-list 100 deny ip any any log > > dialer-list 1 protocol ip permit > > banner login ^Cc > > Good luck^C > > ! > > line con 0 > > privilege level 0 > > login local > > line 33 64 > > session-timeout 20 > > exec-timeout 0 0 > > no exec > > transport input all > > line aux 0 > > session-timeout 20 > > exec-timeout 0 0 > > no exec > > transport input all > > line vty 0 4 > > access-class 100 in > > exec-timeout 0 0 > > privilege level 0 > > login local > > transport input telnet > > line vty 5 15 > > login local > > ! > > ! > > end > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From eng_mssk at hotmail.com Tue Jan 5 08:55:14 2010 
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 5 Jan 2010 15:55:14 +0200
Subject: [c-nsp] Load Balancing
Message-ID:

hi all
i have 2 web servers connecting to one of the LAN switches
i am thinking of implementing HSRP for outgoing traffic, is that right??
the 2 servers are connected via cross cable as well for making data transfer as fast as possible
now what i want to do from my routers is that when requesting a web page hosted on the 2 sites, can i make a load balancer using a normal router??
if one of the 2 web servers is down can i redirect the request to the other one in case of failure?

From jeff-kell at utc.edu Tue Jan 5 09:46:18 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 05 Jan 2010 09:46:18 -0500
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <20100105102608.GC5984@lboro.ac.uk>
References: <20100105102608.GC5984@lboro.ac.uk>
Message-ID: <4B4350BA.3010604@utc.edu>

On 1/5/2010 5:26 AM, Alan Buxey wrote:
> hi,
>
> we've had an issue with certain IOS - now running 12.2(44)SE6 - on the 3550 platform.
>

Yes, 12.2(44)SE6 is the last "officially supported" release for all but the DC-powered 3550 (the only one not EOS/EOL). I've heard of others running later versions, but this is the first I've heard of "interesting results", only compounding my paranoia :-)

Jeff

From jshearer at amedisys.com Tue Jan 5 09:46:09 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Tue, 5 Jan 2010 08:46:09 -0600
Subject: [c-nsp] Load Balancing
In-Reply-To:
References:
Message-ID:

What switching platform are you using?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Tuesday, January 05, 2010 7:55 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Load Balancing

hi all
i have 2 web servers connecting to one of the LAN switches
i am thinking of implementing HSRP for outgoing traffic, is that right??
the 2 servers are connected via cross cable as well for making data transfer as fast as possible
now what i want to do from my routers is that when requesting a web page hosted on the 2 sites, can i make a load balancer using a normal router??
if one of the 2 web servers is down can i redirect the request to the other one in case of failure?

From gsgranados at comcast.net Tue Jan 5 10:02:03 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 5 Jan 2010 07:02:03 -0800
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
References: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com> <00a501ca8dd8$f4eb15a0$dec140e0$@info>
Message-ID:

The memory impact isn't that bad and one person's overkill is another person's good planning ahead of time. Why not do something right the first time and prevent the redesign / reconfiguration down the road which makes things that much more tricky in the long term. I can't tell you how many messes I get dragged into that need cleaning up because someone took the up-front short cuts. We're not talking about rocket science here; from the atlantic.net address and from Drew's long history on the list I assumed (and I think correctly) that there was the required clue there and justified need.

----- Original Message -----
From: "Ivan Pepelnjak"
To: "'Scott Granados'" ; "'Drew Weaver'" ; "'Cisco-nsp'"
Sent: Monday, January 04, 2010 11:30 PM
Subject: RE: [c-nsp] BGP - Announcing routes to Internet providers.

Let's back up a step and ask the questions we should have been asking in the first place:

* Are you an end-user or a Service Provider (somewhat reliable answer could be gleaned from Drew's e-mail address)?
* What's the size of your network?
* How many uplinks do you have?
* How far apart are your uplinks?

If it turns out Drew's uplinks are close together, all the beautiful design ideas presented here are a huge overkill.

And, BTW, I wish those of you that propose redistributing connected and static routes into BGP a huge budget you'll need to upgrade RAM and TCAM of your routers/switches when everyone decides (after reading this mailing list :) that following your recommendations unconditionally is a good idea :D

Ivan

> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Monday, January 04, 2010 10:03 PM
> To: Drew Weaver; Cisco-nsp
> Subject: Re: [c-nsp] BGP - Announcing routes to Internet providers.
>
> Drew, network statements are for the weak. :)
> (I'm kidding of course) but there is a better way.
> You should use community tagging in combination with prefix lists and route maps. The idea is that you announce routes according to a tag and the behavior of the announcements depends on the specific tag applied. For example, you could tag routes as peers, transits, global announce, etc. and formulate the type of feeds you give your customers by filtering against communities, so if a customer wants peers and customers only you could match the two appropriate community tags. This also allows you to tag the communities you globally announce uniquely and make the announcements in a unified way at your edges. If you accompany this method with the appropriate redistribute static, redistribute connected, etc. and use route maps to control this behavior you can remove the need for network statements completely and greatly decrease the things you need to modify and as a result the possible mistakes. The other upside here is you can mark your more specifics as do-not-export and better control traffic internally, better directing the traffic in your example. It also allows you to accept communities from your customers and have automatic actions taken based on the tags they apply. Let me know if you need some configuration examples.
>
> ----- Original Message -----
> From: "Drew Weaver"
> To: "Cisco-nsp"
> Sent: Monday, January 04, 2010 12:35 PM
> Subject: [c-nsp] BGP - Announcing routes to Internet providers.
>
> > Howdy,
> >
> > I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers. Currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes set up like ip route x.x.x.x 255.255.224.0 Null0 254 and then we have an extended access-list applied to each peer with our net blocks listed in them.
> >
> > It appears that because of the network statements, the supernet routes (/18s, /19s, etc) are being distributed via BGP to the rest of the network which is by design (I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than say /18, or /19 it travels all the way through the network to the edge before stopping. I might be blowing the impact of this out of proportion, but it just seems like a waste of resources.
> >
> > Does anyone know of a seemingly more sensible way of doing this?
> >
> > -Drew

From chris.garzon at gmail.com Tue Jan 5 11:17:02 2010
From: chris.garzon at gmail.com (Dracul)
Date: Wed, 6 Jan 2010 00:17:02 +0800
Subject: [c-nsp] BGP ip addresses re-route to specific link
In-Reply-To: <002c01ca8de5$88bd6060$9a382120$@info>
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com> <002c01ca8de5$88bd6060$9a382120$@info>
Message-ID: <876789291001050817p57cdc3dbgd0b6dc7da9fb8656@mail.gmail.com>

> you can use "BGP Conditional Route Injection" to generate the /28. (it should be a child subnet out of the parent /24). then filter the prefixes so select which all upstreams should receive this injected subnet.

thanks swap, will explore your suggestion.

> Be aware that many (most) ISPs would filter subnets longer than /24, so your /28 would be most likely filtered (even if your direct upstream would send it through).
> Arie

Thanks arie, will keep it in mind.

On Tue, Jan 5, 2010 at 5:00 PM, Ivan Pepelnjak wrote:
> Are you trying to do destination-based routing (packet TO specific address should go over specific link) or source-based routing (packet FROM specific /28 should go over specific upstream link)?

Hi Ivan, I guess both. i just want to have a specific ip block's traffic contained to a specific link (the ip addresses are broadcast under BGP)

regards,
Chris

> > -----Original Message-----
> > From: Dracul [mailto:chris.garzon at gmail.com]
> > Sent: Tuesday, January 05, 2010 8:05 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] BGP ip addresses re-route to specific link
> >
> > Hi there,
> >
> > I was wondering if you could do a segregate route, for specific ip addresses under BGP going only to a specific link. for example if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior. Thanks!
> >
> > regards,
> > Chris

From justin at justinshore.com Tue Jan 5 11:49:41 2010
From: justin at justinshore.com (Justin Shore)
Date: Tue, 05 Jan 2010 10:49:41 -0600
Subject: [c-nsp] IS-IS Ethertype
Message-ID: <4B436DA5.9000007@justinshore.com>

Hey guys. I hope you all had a good holiday break.

Does anyone know for sure what the Ethertype is for the CLNS packets? I've found a couple IETF drafts that talk about it to a degree:

http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01
http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01

They imply that for packet sizes under 1500 that CLNS uses the standard IEEE 802.3 ethertypes. The drafts specifically address packets over 1500 bytes though. One suggests 0x8872 and the other suggests 0x8870. I can't find anything definitive though.

I'm trying to think what all could affect the Ethertype for IS-IS. MPLS won't. LAGs might (I can't find anything about Ethertype for PAgP or LACP either). Nothing else comes to mind though.

Can anyone tell me for sure what the Ethertype is on IS-IS packets?

Thanks
Justin

From gsgranados at comcast.net Tue Jan 5 12:12:09 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 5 Jan 2010 09:12:09 -0800
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
References: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com> <00a501ca8dd8$f4eb15a0$dec140e0$@info> <20100105170333.GA12729@radiological.warningg.com>
Message-ID: <011d01ca8e2a$3f2d1450$2408120a@am.thmulti.com>

Brandon, you nailed it exactly and much better put.

----- Original Message -----
From: "Brandon Ewing"
To: "Ivan Pepelnjak"
Cc: "'Scott Granados'" ; "'Drew Weaver'" ; "'Cisco-nsp'"
Sent: Tuesday, January 05, 2010 9:03 AM
Subject: Re: [c-nsp] BGP - Announcing routes to Internet providers.

From ip at ioshints.info Tue Jan 5 12:47:40 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 5 Jan 2010 18:47:40 +0100
Subject: [c-nsp] BGP ip addresses re-route to specific link
In-Reply-To: <876789291001050817p57cdc3dbgd0b6dc7da9fb8656@mail.gmail.com>
References: <876789291001042305k67093dc1v9832dc6c4da82f2d@mail.gmail.com> <002c01ca8de5$88bd6060$9a382120$@info> <876789291001050817p57cdc3dbgd0b6dc7da9fb8656@mail.gmail.com>
Message-ID: <004201ca8e2f$2e800770$8b801650$@info>

Inbound traffic: advertise /28 to upstream2. It will not get very far, though, so it's questionable whether it will leak over to upstream1 and influence the return traffic coming from upstream1.

Outbound traffic: policy routing seems to be the quickest (and the dirtiest ;) solution. Getting it to work if the exit points are too far apart is a nightmare.

If you're OK with the /28 being very tightly bound to the specific uplink (i.e. no connectivity when the uplink is down), there are a few MPLS VPN tricks you could use.

Ivan

> -----Original Message-----
> From: Dracul [mailto:chris.garzon at gmail.com]
> Sent: Tuesday, January 05, 2010 5:17 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP ip addresses re-route to specific link
>
> > you can use "BGP Conditional Route Injection" to generate the /28. (it should be a child subnet out of the parent /24). then filter the prefixes so select which all upstreams should receive this injected subnet.
>
> thanks swap, will explore your suggestion.
>
> > Be aware that many (most) ISPs would filter subnets longer than /24, so your /28 would be most likely filtered (even if your direct upstream would send it through).
> > Arie
>
> Thanks arie, will keep it in mind.
>
> On Tue, Jan 5, 2010 at 5:00 PM, Ivan Pepelnjak wrote:
> > Are you trying to do destination-based routing (packet TO specific address should go over specific link) or source-based routing (packet FROM specific /28 should go over specific upstream link)?
>
> Hi Ivan, I guess both. i just want to have a specific ip block's traffic contained to a specific link (the ip addresses are broadcast under BGP)
>
> regards,
> Chris
>
> > > -----Original Message-----
> > > From: Dracul [mailto:chris.garzon at gmail.com]
> > > Sent: Tuesday, January 05, 2010 8:05 AM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] BGP ip addresses re-route to specific link
> > >
> > > Hi there,
> > >
> > > I was wondering if you could do a segregate route, for specific ip addresses under BGP going only to a specific link. for example if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior. Thanks!
> > >
> > > regards,
> > > Chris

From jlewis at lewis.org Tue Jan 5 12:58:45 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 5 Jan 2010 12:58:45 -0500 (EST)
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <20100105102608.GC5984@lboro.ac.uk>
References: <20100105102608.GC5984@lboro.ac.uk>
Message-ID:

On Tue, 5 Jan 2010, Alan Buxey wrote:

> we've had an issue with certain IOS - now running 12.2(44)SE6 - on the 3550 platform.
>
> note...there is a newer IOS floating around - 12.2(50)SE-somesuch..but that seems to only be relevant for the 3550-24td or such specific version - don't run it on any other one as, though it appears to work, you get some interesting results! ;-)

I noticed that one when looking at newer IOS's not too long ago. I assumed it was only released "for" a specific version of the 3550-24 because that's the only model left of the 3550 family that's not reached EOL. I saw that it would boot on a 3550-48, but didn't go any further with it than watching it boot. What goes wrong with it?

> any reason for lurking down in the 12.1EA release train?

Have you looked at the difference in RAM usage between 12.1EA and 12.2SE? I suppose most of the RAM on a 3550 doesn't get used / won't get used...so 15MB or 20MB free vs 40MB free really doesn't matter.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jlewis at lewis.org Tue Jan 5 13:00:58 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 5 Jan 2010 13:00:58 -0500 (EST)
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3D92@LMC-MAIL2.exempla.org>
References: <4B424B2A.3060406@uk.clara.net> <4288131ED5E3024C9CD4782CECCAD2C7065D3D92@LMC-MAIL2.exempla.org>
Message-ID:

On Mon, 4 Jan 2010, Matlock, Kenneth L wrote:

> Do you have traffic graphs during this timeframe? Maybe a DDOS at or through these boxes tied up the available memory. Especially since 'I/O' was the pool it was trying to grab from at the time?

Actually, after studying more of the graphs, I think this may have been a very brief failure in STP.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From nicotine at warningg.com Tue Jan 5 12:03:33 2010
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 5 Jan 2010 11:03:33 -0600
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To: <00a501ca8dd8$f4eb15a0$dec140e0$@info>
References: <013901ca8d81$4694e0a0$2408120a@am.thmulti.com> <00a501ca8dd8$f4eb15a0$dec140e0$@info>
Message-ID: <20100105170333.GA12729@radiological.warningg.com>

On Tue, Jan 05, 2010 at 08:30:27AM +0100, Ivan Pepelnjak wrote:
>
> And, BTW, I wish those of you that propose redistributing connected and static routes into BGP a huge budget you'll need to upgrade RAM and TCAM of your routers/switches when everyone decides (after reading this mailing list :) that following your recommendations unconditionally is a good idea :D
>
> Ivan
>

I believe Scott was advocating using redistribution with route-maps to community-tag internal-only routes as no-export or similar to prevent sending them to their upstreams. This is a way to keep customer prefixes in iBGP instead of your IGP. Your actual global announcements can be tagged with communities when generated (either by redistribution, or network statements with route-maps) to be matched by per-eBGP-peer route-maps to influence (prepend, block, allow, change MED, tag with provider community) their behavior. This provides more control over your actual global announcements, and provides much more information regarding your actual customer prefixes as Scott stated when announcing to peers or other customers, especially if you publish a BGP community document for them to reference. (See extremely long NANOG thread from Oct/Nov regarding upstream community support)

Regarding Drew's initial question -- unless you are seeing significant enough traffic to your unassigned address space to cause actual congestion or network issues, there really isn't a performance problem. If it is, the suggestion of setting the next-hop for your static hold-down routes to an IP that is routed to Null0 on all your edge routers (192.0.2.1 is what I commonly see listed in remote-blackholing documents) would cause the traffic to be dropped at the ingress edge instead of crossing your network from ingress to where the announcement is sourced.

-- 
Brandon Ewing (nicotine at warningg.com)

From ip at ioshints.info Tue Jan 5 13:23:02 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 5 Jan 2010 19:23:02 +0100
Subject: [c-nsp] IS-IS Ethertype
In-Reply-To: <4B436DA5.9000007@justinshore.com>
References: <4B436DA5.9000007@justinshore.com>
Message-ID: <004601ca8e34$1efcd490$5cf67db0$@info>

This might help: http://wiki.nil.com/IS-IS_in_OSI_protocol_stack

The drafts you've found deal with the fact that LLC1 packets (those that don't use Ethertypes) cannot use the "length" field higher than 1500 (otherwise the differentiation between LLC1 and Ethernet-II breaks down).

Ivan

> -----Original Message-----
> From: Justin Shore [mailto:justin at justinshore.com]
> Sent: Tuesday, January 05, 2010 5:50 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IS-IS Ethertype
>
> Hey guys. I hope you all had a good holiday break.
>
> Does anyone know for sure what the Ethertype is for the CLNS packets? I've found a couple IETF drafts that talk about it to a degree:
>
> http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01
> http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01
>
> They imply that for packet sizes under 1500 that CLNS uses the standard IEEE 802.3 ethertypes. The drafts specifically address packets over 1500 bytes though. One suggests 0x8872 and the other suggests 0x8870. I can't find anything definitive though.
>
> I'm trying to think what all could affect the Ethertype for IS-IS. MPLS won't. LAGs might (I can't find anything about Ethertype for PAgP or LACP either). Nothing else comes to mind though.
>
> Can anyone tell me for sure what the Ethertype is on IS-IS packets?
>
> Thanks
> Justin

From A.L.M.Buxey at lboro.ac.uk Tue Jan 5 14:46:04 2010
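The length-versus-Ethertype rule Ivan describes above is easy to get wrong in a packet parser, and it is also what lets a sensor tell IS-IS apart from everything else on a segment. The following is an added example, not code from this thread or from any vendor: a frame classifier that treats the two bytes after the MAC addresses as an 802.3 length when they are at most 1500 and as an Ethertype when they are at least 0x0600, refuses the undefined gap in between, and recognises IS-IS by its 802.3 + LLC encapsulation (DSAP and SSAP 0xFE, UI control 0x03) followed by the ISO NLPID 0x83 and the PDU type byte of the IS-IS common header. The sample frames are constructed, not captures; the source MACs are made up. The classifier does not assign a jumbo Ethertype to IS-IS, since the drafts quoted above disagree on the value.

```python
"""Tell 802.3/LLC framing from Ethernet II and pick out IS-IS PDUs.

Added example for the IS-IS Ethertype thread; not code from the list or a
vendor. Rule: the 2-byte field after the MACs is an 802.3 length if <= 1500
and an Ethertype if >= 0x0600, so LLC1 framing cannot declare a length above
1500. IS-IS on a LAN rides in 802.3 + LLC (DSAP = SSAP = 0xFE, control 0x03)
with NLPID 0x83 as the first byte of the IS-IS common header.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_8023_LENGTH = 1500      # largest value that is still a length
MIN_ETHERTYPE = 0x0600      # smallest value that is an Ethertype
SAP_ISO_NETWORK = 0xFE      # LLC SAP for ISO network-layer protocols
LLC_UI = 0x03               # LLC unnumbered information (LLC1)
NLPID_ISIS = 0x83           # ISO 10589 intradomain routing protocol discriminator
NLPID_NAMES = {0x81: "CLNP", 0x82: "ES-IS", 0x83: "IS-IS"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8847: "MPLS"}
# PDU type is the low five bits of byte 4 of the IS-IS common header.
ISIS_PDU_TYPES = {0x0F: "L1 LAN IIH", 0x10: "L2 LAN IIH", 0x11: "P2P IIH",
                  0x12: "L1 LSP", 0x14: "L2 LSP", 0x18: "L1 CSNP",
                  0x19: "L2 CSNP", 0x1A: "L1 PSNP", 0x1B: "L2 PSNP"}


@dataclass
class Frame:
    dst: str
    src: str
    framing: str            # "ethernet-ii", "802.3-llc" or "invalid"
    field: int              # raw length/type value
    protocol: str           # what the frame carries, or why it is invalid
    pdu_type: Optional[str] = None


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify(frame: bytes) -> Frame:
    """Decode one frame without trusting the declared length."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src, lt = struct.unpack("!6s6sH", frame[:14])
    d, s, payload = _mac(dst), _mac(src), frame[14:]
    if lt >= MIN_ETHERTYPE:
        return Frame(d, s, "ethernet-ii", lt, ETHERTYPES.get(lt, f"ethertype 0x{lt:04x}"))
    if lt > MAX_8023_LENGTH:
        return Frame(d, s, "invalid", lt, "length/type in the undefined 1501-1535 gap")
    if lt > len(payload):
        return Frame(d, s, "invalid", lt, "declared length exceeds captured payload")
    if lt < 3:
        return Frame(d, s, "invalid", lt, "802.3 frame too short for an LLC header")
    dsap, ssap, ctrl = payload[0], payload[1], payload[2]
    if dsap != SAP_ISO_NETWORK or ssap != SAP_ISO_NETWORK or ctrl != LLC_UI:
        return Frame(d, s, "802.3-llc", lt, f"LLC dsap=0x{dsap:02x} ssap=0x{ssap:02x}")
    if lt < 4:
        return Frame(d, s, "invalid", lt, "ISO LLC frame with no NLPID")
    nlpid = payload[3]
    if nlpid == NLPID_ISIS:
        if lt < 8:
            return Frame(d, s, "invalid", lt, "IS-IS common header truncated")
        pdu = payload[7] & 0x1F
        return Frame(d, s, "802.3-llc", lt, "IS-IS", ISIS_PDU_TYPES.get(pdu, f"IS-IS PDU type {pdu}"))
    return Frame(d, s, "802.3-llc", lt, NLPID_NAMES.get(nlpid, f"ISO NLPID 0x{nlpid:02x}"))


def isis_speakers(frames: List[bytes]) -> List[Tuple[str, str]]:
    """(source MAC, PDU type) of every IS-IS frame seen; an IIH arriving on a
    port that should carry no routing protocol is worth an alert."""
    found = []
    for f in frames:
        try:
            info = classify(f)
        except ValueError:
            continue
        if info.protocol == "IS-IS":
            found.append((info.src, info.pdu_type))
    return found


# Constructed sample frames (not captures): an L1 LAN hello to AllL1ISs,
# an IPv4 frame, and a frame whose length/type sits in the undefined gap.
def _frame(dst: bytes, src: bytes, lt: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, lt) + payload

ALL_L1_ISS = bytes.fromhex("0180c2000014")
SRC_A = bytes.fromhex("000c29aabbcc")       # made-up source MAC
SRC_B = bytes.fromhex("000c29ddeeff")       # made-up source MAC
_isis_hdr = bytes([0x83, 0x1B, 0x01, 0x00, 0x0F, 0x01, 0x00, 0x00])   # L1 LAN IIH
_isis_body = bytes([0x01]) + SRC_A + bytes([0x00, 0x1E]) + bytes(9)  # circuit, sysid, hold
_isis_payload = bytes([0xFE, 0xFE, 0x03]) + _isis_hdr + _isis_body
ISIS_L1_IIH = _frame(ALL_L1_ISS, SRC_A, len(_isis_payload), _isis_payload)
IPV4_FRAME = _frame(SRC_B, SRC_A, 0x0800, bytes([0x45]) + bytes(19))
BAD_LENGTH = _frame(SRC_B, SRC_A, 1501, bytes(46))

if __name__ == "__main__":
    for f in (ISIS_L1_IIH, IPV4_FRAME, BAD_LENGTH):
        print(classify(f))
    print(isis_speakers([ISIS_L1_IIH, IPV4_FRAME, BAD_LENGTH]))
```

Feed it frames from a raw socket or a pcap reader and `isis_speakers` gives the MACs sending hellos; anything appearing there on an access VLAN is a router you did not plan for.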
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 5 Jan 2010 19:46:04 +0000
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To:
References: <20100105102608.GC5984@lboro.ac.uk>
Message-ID: <20100105194604.GC7545@lboro.ac.uk>

Hi,

> EOL. I saw that it would boot on a 3550-48, but didn't go any further with it than watching it boot. What goes wrong with it?

loss of access to management interface, failure of spanning-tree calculations, memory leak with SNMP polling - these are the basic things I noted before a quick change - some of these things take a few days to happen though, so at first all seems well.

> > any reason for lurking down in the 12.1EA release train?
>
> Have you looked at the difference in RAM usage between 12.1EA and 12.2SE? I suppose most of the RAM on a 3550 doesn't get used / won't get used...so 15MB or 20MB free vs 40MB free really doesn't matter.

ah - yes - some of the functions chew up more memory but that's a given..at least they have the memory for that (and not much more if you do more than basic L3 stuff on them!) ;-)

alan

From jared.a.gillis at gmail.com Tue Jan 5 17:26:25 2010
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Tue, 05 Jan 2010 14:26:25 -0800
Subject: [c-nsp] Fiber SFPs generating voltage threshold violation errors
Message-ID: <4B43BC91.9020502@gmail.com>

Hi all,
I've got some ME3400Gs with CWDM SFPs, and some of them are causing errors to be logged:

Jan 5 14:21:30.087 PST: %SFF8472-5-THRESHOLD_VIOLATION: Gi0/1: Voltage high warning; Operating value: 3.56 V, Threshold value: 3.50 V.

These SFPs are not Cisco official, which I think is the source of the errors. Is this a serious problem? The SFPs appear to work just fine. If this is purely cosmetic, does anyone know how to suppress these log messages?

Thanks!
-- 
Jared

From lukasz at bromirski.net Tue Jan 5 17:40:01 2010
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 05 Jan 2010 23:40:01 +0100
Subject: [c-nsp] 3550 IO memory fragmentation
In-Reply-To: <20100105102608.GC5984@lboro.ac.uk>
References: <20100105102608.GC5984@lboro.ac.uk>
Message-ID: <4B43BFC1.5030106@bromirski.net>

On 2010-01-05 11:26, Alan Buxey wrote:
> note...there is a newer IOS floating around - 12.2(50)SE-somesuch..but that seems to only be relevant for the 3550-24td or such specific version - don't run it on any other one as, though it appears to work, you get some interesting results! ;-)

What kind of results? Any strange results would be a bug both for the non-supported versions and the only supported -DC version, but yes, if it's not supported, one way or another Cisco won't support the box.

The 3550 pieces apart from 3550-12T and 3550-12G are built using the same ASICs and architecture; the DC differs only in the power supply mounted.

Just FYI:

c3550-sw1#sh ver | i IOS|WS-C3550
Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Cisco WS-C3550-48 (PowerPC) processor (revision L0) with 65526K/8192K bytes of memory.
Model number: WS-C3550-48-EMI

This is one of my lab Cats (I have 8 of them) that went through various services tests, including preparing content for CCIE R&S and SP bootcamp, and it did behave correctly.

-- 
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From mcaudill at cisco.com Tue Jan 5 19:10:40 2010
From: mcaudill at cisco.com (Mike Caudill)
Date: Tue, 05 Jan 2010 19:10:40 -0500
Subject: [c-nsp] understanding ping ipv6 output
In-Reply-To: <4B410022.8040508@forthnet.gr>
References: <4B40EE7A.8060200@gmx.de> <4B410022.8040508@forthnet.gr>
Message-ID: <4B43D500.3050306@cisco.com>

On 1/3/10 3:37 PM, Tassos Chatzithomaoglou wrote:
> http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_10.html#wp2269378
>
> Although "C" doesn't seem to be there.
>

I believe that the C is for Corrupted. Bad checksum on the ping reply or some other corruption to it.

-Mike-

-- 
Mike Caudill
PSIRT Incident Manager
DSS PGP: 0xEBBD5271
+1.919.392.2855 / +1.919.522.4931 (cell)
http://www.cisco.com/go/psirt

From gert at greenie.muc.de Wed Jan 6 07:34:38 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 6 Jan 2010 13:34:38 +0100
Subject: [c-nsp] Cisco 2600 ISDN
In-Reply-To: <97699e7b1001050551o73425880pf99839f53c178a4a@mail.gmail.com>
References: <97699e7b1001050116n585db967t792a11ebe7ac0e27@mail.gmail.com> <6DD0AA69-30FD-454E-96FB-437D9717C5EC@puck.nether.net> <97699e7b1001050551o73425880pf99839f53c178a4a@mail.gmail.com>
Message-ID: <20100106123438.GT857@greenie.muc.de>

Hi,

On Tue, Jan 05, 2010 at 02:51:05PM +0100, ioluz wrote:
> The very strange point is the fact that i didn't see any I CONFREQ in the debug output, isn't it ?

Indeed. Seems as if the windows side doesn't know that it should do PPP.

gert

-- 
USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From dmitry at dmitry.net Wed Jan 6 07:56:36 2010
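The missing "I CONFREQ" that ioluz and Gert point to in the Cisco 2600 ISDN thread is a pattern that can be checked mechanically rather than by eye. The following is an added example, not code from the thread: it reads `debug ppp negotiation` lines in the format quoted earlier on this page, counts outbound LCP CONFREQs against inbound LCP frames, and reports whether the far end ever spoke PPP before DDR cleared the call. The sample lines are a constructed excerpt in that format; the interface name, timestamps and the number of retries are assumptions, as is the healthy exchange used for comparison.

```python
"""Find a one-sided LCP negotiation in Cisco 'debug ppp negotiation' output.

Added example for the Cisco 2600 ISDN thread; not the original poster's or
Gert's code. It mechanises the observation in the thread: the router logs
O CONFREQ after O CONFREQ, never an inbound (I) LCP frame, then DDR clears
the call. Sample lines below are constructed in the quoted debug's format.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# "*Mar 15 20:33:40.183: BR0/0:1 LCP: O CONFREQ [Listen] id 3 len 15"
DEBUG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<intf>\S+) (?P<sub>[A-Z/]+): (?P<msg>.*)$"
)
LCP_RE = re.compile(
    r"^(?P<dir>[IO]) (?P<code>CONFREQ|CONFACK|CONFNAK|CONFREJ|TERMREQ|TERMACK) "
    r"\[(?P<state>\w+)\] id (?P<id>\d+)"
)
CALL_LASTED_RE = re.compile(r"call lasted (?P<secs>\d+) seconds")


@dataclass
class LcpSummary:
    out_confreq: int = 0                                  # CONFREQs we sent
    in_frames: List[str] = field(default_factory=list)    # LCP codes received
    disconnected: bool = False                            # DDR tore the call down
    call_seconds: Optional[int] = None                    # from %ISDN-6-DISCONNECT

    @property
    def peer_silent(self) -> bool:
        """True when we kept asking and the far end never sent any LCP frame."""
        return self.out_confreq > 0 and not self.in_frames

    def verdict(self) -> str:
        if self.peer_silent:
            return (f"PEER_SILENT: {self.out_confreq} outbound CONFREQ, 0 inbound LCP "
                    "frames; the far end is not running PPP on this channel")
        if self.out_confreq and "CONFACK" not in self.in_frames:
            return "NO_CONFACK: peer answered but never acknowledged our options"
        return "LCP_OK: peer answered and acknowledged"


def analyse(lines: Iterable[str]) -> LcpSummary:
    """Walk debug output once; only LCP and DDR subsystems matter here."""
    s = LcpSummary()
    for raw in lines:
        raw = raw.strip()
        lasted = CALL_LASTED_RE.search(raw)       # syslog line, not debug format
        if lasted:
            s.call_seconds = int(lasted["secs"])
            continue
        m = DEBUG_RE.match(raw)
        if not m:
            continue                               # Q.921/Q.931 and friends
        sub, msg = m["sub"], m["msg"]
        if sub == "LCP":
            lm = LCP_RE.match(msg)
            if not lm:
                continue                           # option lines, timeouts
            if lm["dir"] == "O" and lm["code"] == "CONFREQ":
                s.out_confreq += 1
            elif lm["dir"] == "I":
                s.in_frames.append(lm["code"])
        elif sub == "DDR" and msg.startswith("disconnecting call"):
            s.disconnected = True
    return s


# Constructed excerpt in the format of the debug quoted on this page.
SILENT_PEER = """
*Mar 15 20:33:38.187: BR0/0:1 PPP: Phase is ESTABLISHING, Passive Open
*Mar 15 20:33:38.187: BR0/0:1 LCP: State is Listen
*Mar 15 20:33:40.179: BR0/0:1 LCP: Timeout: State Listen
*Mar 15 20:33:40.183: BR0/0:1 LCP: O CONFREQ [Listen] id 3 len 15
*Mar 15 20:33:40.183: BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
*Mar 15 20:33:40.183: BR0/0:1 LCP: MagicNumber 0x4FEE2E92 (0x05064FEE2E92)
*Mar 15 20:33:42.187: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:42.187: BR0/0:1 LCP: O CONFREQ [REQsent] id 4 len 15
*Mar 15 20:33:44.203: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:33:44.203: BR0/0:1 LCP: O CONFREQ [REQsent] id 5 len 15
*Mar 15 20:34:00.331: BR0/0:1 LCP: Timeout: State REQsent
*Mar 15 20:34:00.331: BR0/0:1 DDR: disconnecting call
*Mar 15 20:34:00.331: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from ********* , call lasted 22 seconds
""".strip().splitlines()

# Constructed healthy exchange for comparison (assumed values).
HEALTHY_PEER = """
*Mar 15 21:00:01.000: BR0/0:1 LCP: O CONFREQ [Listen] id 1 len 15
*Mar 15 21:00:01.020: BR0/0:1 LCP: I CONFREQ [REQsent] id 1 len 19
*Mar 15 21:00:01.020: BR0/0:1 LCP: O CONFACK [REQsent] id 1 len 19
*Mar 15 21:00:01.040: BR0/0:1 LCP: I CONFACK [ACKsent] id 1 len 15
*Mar 15 21:00:01.040: BR0/0:1 LCP: State is Open
""".strip().splitlines()

if __name__ == "__main__":
    print(analyse(SILENT_PEER).verdict())
    print(analyse(HEALTHY_PEER).verdict())
```

A PEER_SILENT verdict says nothing about CHAP: authentication never starts because LCP never opens, so the username lines in the posted config are not where to look first.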
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Wed, 6 Jan 2010 14:56:36 +0200
Subject: [c-nsp] mac-address-table flags on 7600/6500
Message-ID: <20100106125636.GH9397@f17.dmitry.net>

Hello!

Could anybody explain to me the flags shown in the "show mac-address-table
detail" SP output? I see traffic loss for a host with a MAC address marked
"Trp=Yes". I already found a quick fix, "clear mac-address-table dynamic",
but the situation repeats from time to time, which starts to bother me...
Looking for the root cause and finally - the solution. :)

P.S. C7600/RSP720-3CXL under 12.2(33)SRC4. Mod. 3, 4, 7 - 6708-3CXL

Router#remote command switch sh mac add 00e0.4cd0.a35c detail
Displaying entries from SP:
Address Type Vlan Mac Address    Index Proto XTg Fld Age  AgeTmr RMA RM PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0  DY   17   00e0.4cd0.a35c 342   ----  0   No  0x7F 0      No  No Yes  Yes Yes No  No  No  0

Router#remote command module 3 sh mac add 00e0.4cd0.a35c detail
Displaying entries from DFC 3:
Address Type Vlan Mac Address    Index Proto XTg Fld Age  AgeTmr RMA RM PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0  DY   17   00e0.4cd0.a35c 342   ----  0   No  0x85 0      No  No Yes  No  No  Yes No  No  0

Router#remote command module 4 sh mac add 00e0.4cd0.a35c detail
Displaying entries from DFC 4:
Address Type Vlan Mac Address    Index Proto XTg Fld Age  AgeTmr RMA RM PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0  DY   17   00e0.4cd0.a35c 342   ----  0   No  0x5F 0      No  No Yes  Yes Yes No  No  No  0

Router#remote command module 7 sh mac add 00e0.4cd0.a35c detail
Displaying entries from DFC 7:
Address Type Vlan Mac Address    Index Proto XTg Fld Age  AgeTmr RMA RM PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0  DY   17   00e0.4cd0.a35c 342   ----  0   No  0x5F 0      No  No Yes  Yes Yes No  No  No  0

-- 
Dmitry Kiselev

From ross at kallisti.us Wed Jan 6 09:28:06 2010
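In Dmitry's four listings the entry for 00e0.4cd0.a35c agrees on every column except Aln, Trp and Mod, where DFC 3 shows different values from the SP and the other two DFCs. Disagreements like that between the supervisor and individual line cards are easier to find by machine than by eye when there are many modules. The parser below is an added example, not code from the thread or from Cisco: it takes the pasted `sh mac add <mac> detail` output (the four listings above are embedded as sample input), assumes the 19-column layout shown there with "Mac Address" folded into one column, and reports per-column disagreements between modules. Age and AgeTmr are treated as volatile counters and skipped unless asked for.

```python
"""Compare one MAC entry's flags across the SP and every DFC of a 6500/7600.

Added example (not from the thread): parses the text of
`remote command switch|module N sh mac add <mac> detail` and reports the
flag columns on which the line cards disagree.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the four listings from the thread, concatenated.
SAMPLE_OUTPUT = """\
Displaying entries from SP:
Address Type Vlan Mac Address Index Proto XTg Fld Age AgeTmr RMA RM PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0 DY 17 00e0.4cd0.a35c 342 ---- 0 No 0x7F 0 No No Yes Yes Yes No No No 0
Displaying entries from DFC 3:
Address Type Vlan Mac Address Index Proto XTg Fld Age AgeTmr RMA RM PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0 DY 17 00e0.4cd0.a35c 342 ---- 0 No 0x85 0 No No Yes No No Yes No No 0
Displaying entries from DFC 4:
Address Type Vlan Mac Address Index Proto XTg Fld Age AgeTmr RMA RM PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0 DY 17 00e0.4cd0.a35c 342 ---- 0 No 0x5F 0 No No Yes Yes Yes No No No 0
Displaying entries from DFC 7:
Address Type Vlan Mac Address Index Proto XTg Fld Age AgeTmr RMA RM PI_E Aln Trp Mod Nty Cap SwB
-------+----+-----+--------------+-----+-----+---+---+----+------+---+---+----+---+---+---+---+---+--
0xD3F0 DY 17 00e0.4cd0.a35c 342 ---- 0 No 0x5F 0 No No Yes Yes Yes No No No 0
"""

SECTION_RE = re.compile(r"^Displaying entries from (.+?):\s*$")

# Assumed to be per-card aging counters rather than a symptom; skipped by default.
VOLATILE_COLUMNS: Set[str] = {"Age", "AgeTmr"}


def parse_mac_detail(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {module: [row-dict, ...]} for every listing found in the text."""
    entries: Dict[str, List[Dict[str, str]]] = {}
    module = None
    columns: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            module = m.group(1)
            entries.setdefault(module, [])
            continue
        if line.startswith("Address"):
            # "Mac Address" is a single column; fold it so split() yields 19 names.
            columns = line.replace("Mac Address", "MacAddress").split()
            continue
        if not line or line.startswith("-") or module is None:
            continue
        fields = line.split()
        if len(fields) != len(columns):
            continue  # prompt line or a layout this parser does not know
        entries[module].append(dict(zip(columns, fields)))
    return entries


def flag_mismatches(entries: Dict[str, List[Dict[str, str]]], mac: str,
                    ignore: Set[str] = VOLATILE_COLUMNS) -> Dict[str, Dict[str, str]]:
    """Map each column whose value differs across modules to {module: value}."""
    per_module: Dict[str, Dict[str, str]] = {}
    for module, rows in entries.items():
        for row in rows:
            if row["MacAddress"].lower() == mac.lower():
                per_module[module] = row
    if not per_module:
        return {}
    columns = next(iter(per_module.values())).keys()
    mismatches: Dict[str, Dict[str, str]] = {}
    for col in columns:
        if col in ignore:
            continue
        values = {mod: row[col] for mod, row in per_module.items()}
        if len(set(values.values())) > 1:
            mismatches[col] = values
    return mismatches


if __name__ == "__main__":
    parsed = parse_mac_detail(SAMPLE_OUTPUT)
    for col, values in flag_mismatches(parsed, "00e0.4cd0.a35c").items():
        print(f"{col}: " + ", ".join(f"{m}={v}" for m, v in values.items()))
```

Run against the listings above it prints Aln, Trp and Mod, each with DFC 3 as the odd one out; a clean entry prints nothing, which makes the script usable as a quick per-host consistency check before and after `clear mac-address-table dynamic`.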
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 6 Jan 2010 09:28:06 -0500
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
Message-ID: <20100106142806.GA16336@kallisti.us>

Hi everyone,

I have a multi-VRF CE setup that is used to provide a different
forwarding path for two groups of VLANs (one group has a layer 2
firewall in front of it, the other does not).

Each VRF has a physical interface uplinking to the global table and a
default pointing out of that interface. The global table uplinks to
the rest of the network and carries a full BGP view. All three tables
have an OSPF instance. I'm trying to move these routes out of OSPF
into iBGP, and IOS seems intent on foiling me.

1) There doesn't appear to be any BGP way to get a VRF route into the
global table as an IPv4 route. This makes some sense, as that's
basically asking to redistribute between address families - which
doesn't make any sense in most cases.

2) I've tried redistributing from a VRF OSPF instance into ipv4
BGP, but IOS says no:

        lab-6506.dc3(config)#router bgp 65000
        lab-6506.dc3(config-router)#redistribute ospf 2
        %VRF specified does not match this router
        lab-6506.dc3(config-router)#redistribute ospf 2 vrf shared
        %VRF specified does not match this router

Similar for other cross-VRF redistributions.

3) I've lab'd a config where I move everything into a VRF from the
global table, and then use PE-CEish eBGP to get the routes to the rest
of the network. This works, but the AS_PATH is wrong. I could use
as-override to fix this, but that isn't supported on the 6500 core
routers.

4) I tried to come up with a way to get the global table's OSPF
instance cut down appropriately, but most of the LSAs are type 5 since
we redistribute static routes. This prevents the goal of getting the
routes out of OSPF.

5) Manually duplicate every VRF static/connected route in the global
table and just do the usual redistribution of statics. This seems
like a very difficult config to keep in sync - about 3k prefixes with
occasional additions or updates. But it does actually work.

Have I missed any options? #5 seems like the only thing that has any
hope of being correct, but man, that's a pain. I might be able to
live with #3, but I need to make sure that all of our tools will live
with the incorrect AS_PATH.

Thanks,
Ross

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
        --Woody Guthrie

From hnyhus at gmail.com Wed Jan 6 09:44:29 2010
From: hnyhus at gmail.com (Håvard Staub Nyhus)
Date: Wed, 6 Jan 2010 15:44:29 +0100
Subject: [c-nsp] Fiber SFPs generating voltage threshold violation errors
In-Reply-To: <4B43BC91.9020502@gmail.com>
References: <4B43BC91.9020502@gmail.com>
Message-ID: <6bc4a241001060644p6b3b92e8i763194bb65e1e88e@mail.gmail.com>

> If this is purely cosmetic, does anyone know how to suppress these log messages?

You could create a message discriminator:

logging discriminator LOGFILTER mnemonics drops SFF8472-5-THRESHOLD_VIOLATION
logging buffered discriminator LOGFILTER 4096
logging console discriminator LOGFILTER
logging monitor discriminator LOGFILTER
logging host (IP) discriminator LOGFILTER

-- 
Håvard Staub Nyhus
+47 41 88 00 99

From pavel.skovajsa at gmail.com Wed Jan 6 10:05:15 2010
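The discriminator Håvard configures above is narrow on purpose: `mnemonics drops SFF8472-5-THRESHOLD_VIOLATION` matches the full facility-severity-mnemonic string, so a severity-3 alarm from the same SFF8472 facility still reaches the buffer, console and syslog hosts. Since the filter applies to what gets exported to a syslog collector, it is worth checking against sample lines before deploying it. The script below is an added example, not from the thread or from Cisco. It emulates the discriminator in Python under two assumptions: the `mnemonics`, `facility`, `severity` and `msg-body` regexes are tested against the corresponding part of the message, and a message is delivered only if no `drops` rule matches and every `includes` rule matches. The log lines are constructed, not captured from a device.

```python
"""Emulate an IOS `logging discriminator` over sample syslog lines.

Added example, not from the thread. Assumes the discriminator's `mnemonics`
regex is matched against the FACILITY-SEVERITY-MNEMONIC string (as in the
config above) and that a message is delivered only if no rule drops it.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# (field, action, regex) as written on the `logging discriminator` line,
# e.g. `mnemonics drops SFF8472-5-THRESHOLD_VIOLATION`.
Rule = Tuple[str, str, str]

LOGFILTER: Sequence[Rule] = [("mnemonics", "drops", r"SFF8472-5-THRESHOLD_VIOLATION")]

# Constructed sample lines in IOS syslog format (message bodies abbreviated).
SAMPLE_LOG: List[str] = [
    "Jan  6 14:31:02.117: %SFF8472-5-THRESHOLD_VIOLATION: Gi1/0/1: Voltage low warning; "
    "Operating value: 3.18 V, Threshold value: 3.20 V.",
    "Jan  6 14:31:05.220: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet1/0/7, changed state to down",
    "Jan  6 14:31:09.004: %SFF8472-3-THRESHOLD_VIOLATION: Gi1/0/1: Rx power low alarm; "
    "Operating value: -30.1 dBm, Threshold value: -24.0 dBm.",
    "Jan  6 14:31:12.870: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "Jan  6 14:31:15.301: %SFF8472-5-THRESHOLD_VIOLATION: Gi1/0/2: Voltage high warning; "
    "Operating value: 3.62 V, Threshold value: 3.60 V.",
]

# %FACILITY-SEVERITY-MNEMONIC: message body
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)$"
)


def discriminator_fields(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into the fields a discriminator can test."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {
        "facility": m.group("facility"),
        "severity": m.group("severity"),
        "mnemonics": f"{m.group('facility')}-{m.group('severity')}-{m.group('mnemonic')}",
        "msg-body": m.group("body"),
    }


def rule_drops(fields: Dict[str, str], rule: Rule) -> bool:
    """`drops` removes a message on a match; `includes` removes it on a non-match."""
    field, action, pattern = rule
    matched = re.search(pattern, fields[field]) is not None
    if action == "drops":
        return matched
    if action == "includes":
        return not matched
    raise ValueError(f"unknown discriminator action {action!r}")


def apply_discriminator(lines: Sequence[str], rules: Sequence[Rule]) -> List[str]:
    """Return the lines that survive every rule; non-syslog lines pass untouched."""
    kept: List[str] = []
    for line in lines:
        fields = discriminator_fields(line)
        if fields is not None and any(rule_drops(fields, r) for r in rules):
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    for line in apply_discriminator(SAMPLE_LOG, LOGFILTER):
        print(line)
```

With LOGFILTER the two severity-5 voltage warnings disappear while the SFF8472-3 alarm, the link-down and the config-change messages survive; a broader `facility drops ^SFF8472$` would also silence the alarm, which is the trade-off to keep in mind when tuning the regex.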
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 6 Jan 2010 16:05:15 +0100
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <20100106142806.GA16336@kallisti.us>
References: <20100106142806.GA16336@kallisti.us>
Message-ID: <323aca891001060705i7493e75cje1186290b8077eea@mail.gmail.com>

Hi Ross,

The VRF route leaking is somehow complex stuff - there appears to be
scattered documentation about it around the Cisco site - see for example
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srbgprid.html

What we do to dynamically leak routing from one VRF to another is to do
it with eBGP. Simply make an eBGP session between the VRFs (f.e. create
a Loopback for each VRF) and send the routes across - see
http://forum.nil.com/viewtopic.php?f=10&t=59&sid=9c8b6a132bfdbfd0794b69b573b1914c&start=10

Another alternative is to put the routes into the VRF BGP table and leak
them with "route-target import" - see
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

To take a somewhat intelligent approach I suggest reading about the
"Common services VRF" in "MPLS and VPN Architectures" - Ivan Pepelnjak,
Jim Guichard - a great set of books not only about MPLS.

Hope it helps,

-pavel

On Wed, Jan 6, 2010 at 3:28 PM, Ross Vandegrift wrote:
>
> Hi everyone,
>
> I have a multi-VRF CE setup that is used to provide a different
> forwarding path for two groups of VLANs (one group has a layer 2
> firewall in front of it, the other does not).
>
> Each VRF has a physical interface uplinking to the global table and a
> default pointing out of that interface. The global table uplinks to
> the rest of the network and carries a full BGP view. All three tables
> have an OSPF instance. I'm trying to move these routes out of OSPF
> into iBGP, and IOS seems intent on foiling me.
>
> 1) There doesn't appear to be any BGP way to get a VRF route into the
> global table as an IPv4 route. This makes some sense, as that's
> basically asking to redistribute between address families - which
> doesn't make any sense in most cases.
>
> 2) I've tried redistributing from a VRF OSPF instance into ipv4
> BGP, but IOS says no:
>         lab-6506.dc3(config)#router bgp 65000
>         lab-6506.dc3(config-router)#redistribute ospf 2
>         %VRF specified does not match this router
>         lab-6506.dc3(config-router)#redistribute ospf 2 vrf shared
>         %VRF specified does not match this router
> Similar for other cross-VRF redistributions.
>
> 3) I've lab'd a config where I move everything into a VRF from the
> global table, and then use PE-CEish eBGP to get the routes to the rest
> of the network. This works, but the AS_PATH is wrong. I could use
> as-override to fix this, but that isn't supported on the 6500 core
> routers.
>
> 4) I tried to come up with a way to get the global table's OSPF
> instance cut down appropriately, but most of the LSAs are type 5 since
> we redistribute static routes. This prevents the goal of getting the
> routes out of OSPF.
>
> 5) Manually duplicate every VRF static/connected route in the global
> table and just do the usual redistribution of statics. This seems
> like a very difficult config to keep in sync - about 3k prefixes with
> occasional additions or updates. But it does actually work.
>
> Have I missed any options? #5 seems like the only thing that has any
> hope of being correct, but man, that's a pain. I might be able to
> live with #3, but I need to make sure that all of our tools will live
> with the incorrect AS_PATH.
>
> Thanks,
> Ross
>
> --
> Ross Vandegrift
> ross at kallisti.us
>
> "If the fight gets hot, the songs get hotter. If the going gets tough,
> the songs get tougher."
>         --Woody Guthrie
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ross at kallisti.us Wed Jan 6 10:32:57 2010
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 6 Jan 2010 10:32:57 -0500
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <323aca891001060705i7493e75cje1186290b8077eea@mail.gmail.com>
References: <20100106142806.GA16336@kallisti.us> <323aca891001060705i7493e75cje1186290b8077eea@mail.gmail.com>
Message-ID: <20100106153257.GB16336@kallisti.us>

On Wed, Jan 06, 2010 at 04:05:15PM +0100, Pavel Skovajsa wrote:
> Hi Ross,
> The VRF route leaking is somehow complex stuff - there appears to be
> scattered documentation about it around the Cisco site - see for example
> http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srbgprid.html
>
> What we do to dynamically leak routing from one VRF to another is to do
> it with eBGP. Simply make an eBGP session between the VRFs (f.e. create
> a Loopback for each VRF) and send the routes across - see
> http://forum.nil.com/viewtopic.php?f=10&t=59&sid=9c8b6a132bfdbfd0794b69b573b1914c&start=10
>
> Another alternative is to put the routes into the VRF BGP table and leak
> them with "route-target import" - see
> http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

Unfortunately, BGP doesn't work in my case since I'm trying to leak VRF
routes into the global table. BGP requires that all routes be leaked
between VRFs, since the BGP routes need to be matching types of NLRIs -
a route from a VRF has a different SAFI than an IPv4 route from the
global table.

If there is a way to do this without duplicating the static routes as
in your third link above, I'd love to know about it! If I move the
global table into a VRF, I then have the problem that I can't fix the
AS path since my platform doesn't support as-override.

> To take a somewhat intelligent approach I suggest reading about the
> "Common services VRF" in "MPLS and VPN Architectures" - Ivan
> Pepelnjak, Jim Guichard - a great set of books not only about
> MPLS.

That's the weird thing about this installation - there is no MPLS or
VPN here. No interfaces even have MPLS enabled. I'm strictly using the
multi-VRF CE functionality to provide separate routing tables.

This installation should really be solved with a virtual router, but
it's stuck on IOS for the time being and the VRFs do the job nicely.
But I'm finding that it's really hard to get the routes into BGP.

Ross

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
        --Woody Guthrie

From bgalvez at gmail.com Wed Jan 6 11:03:00 2010
From: bgalvez at gmail.com (Benjamín Gálvez)
Date: Wed, 6 Jan 2010 13:03:00 -0300
Subject: [c-nsp] Cisco 2801 full bgp multihome
Message-ID: 

Hi,

Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers,
multihome)?

Best regards
Benjamín

From sethm at rollernet.us Wed Jan 6 11:10:28 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 06 Jan 2010 08:10:28 -0800
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To: 
References: 
Message-ID: <4B44B5F4.1040103@rollernet.us>

Benjamín Gálvez wrote:
> Hi,
>
> Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers,
> multihome)?
>

From a 2811:

                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   44D83EB0   711442768   276400392   435042376   419450504   411444364
      I/O   3F400000    12582912     5747024     6835888     6489104     6812348

So, probably not.

~Seth

From jshearer at amedisys.com Wed Jan 6 11:13:45 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Wed, 6 Jan 2010 10:13:45 -0600
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To: 
References: 
Message-ID: 

No way Jose. You will start fragging. I would recommend no less than 512
to receive full tables.

Outside of memory the 2801 is not going to be a very good platform to
accept full tables on. Any major routing update is going to choke the
platform. How big are the circuits you are landing from each provider?

What are you trying to accomplish? Outbound load sharing? Inbound? How
many /24 prefixes do you have to advertise?

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
Sent: Wednesday, January 06, 2010 10:03 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2801 full bgp multihome

Hi,

Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers,
multihome)?

Best regards
Benjamín

*** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. ***

From bgalvez at gmail.com Wed Jan 6 11:36:09 2010
From: bgalvez at gmail.com (Benjamín Gálvez)
Date: Wed, 6 Jan 2010 13:36:09 -0300
Subject: [c-nsp] Fwd: Cisco 2801 full bgp multihome
In-Reply-To: 
References: 
Message-ID: 

Hi,

In Spanish (translated):

The idea is to connect the company (a bank) to two ISPs (service
providers) via BGP with full tables, in order to have outbound and
inbound load balancing. Both links are 10 Mb, and the company has a
single /24 prefix to announce and its own ASN. The goal is to achieve
redundancy for outbound Internet access and also inbound, for customer
access.

The "default route" option forces me to use one link and leave the
other passive (standby).

Both ISPs would install a Cisco 2801 router, but with 256 MB.

The question is: would the 2801 router work for me with 512 MB, or do I
need to replace it with another router with better performance? Both
ISPs are talking about a 7000-series router as the "minimum".

In English

Pending translation....
Sorry

Best regards
Kind regards
Benjamín

2010/1/6 Jason Shearer

> No way Jose. You will start fragging. I would recommend no less than 512
> to receive full tables.
>
> Outside of memory the 2801 is not going to be a very good platform to
> accept full tables on. Any major routing update is going to choke the
> platform. How big are the circuits you are landing from each provider?
>
> What are you trying to accomplish? Outbound load sharing? Inbound? How
> many /24 prefixes do you have to advertise?
>
> Jason
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
> Sent: Wednesday, January 06, 2010 10:03 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 2801 full bgp multihome
>
> Hi,
>
> Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers,
> multihome)?
>
> Best regards
> Benjamín
>

From jshearer at amedisys.com Wed Jan 6 11:50:15 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Wed, 6 Jan 2010 10:50:15 -0600
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To: 
References: 
Message-ID: 

Ben,

Not going to be able to load balance inbound as you only have a single
/24 to advertise (this is the minimum prefix that will make it to the
NAP). Outbound you should be good....just note that you will experience
asymmetric routing (in one out the other).

I have used 28xx routers for full tables before and it will be good when
the going is good but very bad when the going gets bad. If you are going
to use an ISR I would recommend a 3825 at a minimum (two would be
better). Convergence will be much faster.

A better alternative if you are strapped for cash may be to just accept
defaults. Make your backup connection smaller but have it contracted to
grow or burst if you experience problems with the primary.

Jason

>>>Translation<<< (Spanish version, rendered here in English)

You will not be able to load balance inbound, since you only have a
single /24 to announce (this is the minimum prefix that will make it to
the NAP). Outbound should be fine.... Just keep in mind that you will
experience asymmetric routing (in one, out the other).

I have used 28xx routers for full tables before, and it will be good
when things are good but very bad when things go bad. If you are going
to use an ISR I would recommend a 3825 at a minimum (two would be
better). Convergence will be much faster.

A better alternative if you are strapped for cash may be to simply
accept defaults. Make the backup connection smaller, but have it
contracted to grow or burst if you have problems with the primary.

From: Benjamín Gálvez [mailto:bgalvez at gmail.com]
Sent: Wednesday, January 06, 2010 10:35 AM
To: Jason Shearer
Subject: Re: [c-nsp] Cisco 2801 full bgp multihome

Jason,

In Spanish (translated):

The idea is to connect the company (a bank) to two ISPs (service
providers) via BGP with full tables, in order to have outbound and
inbound load balancing. Both links are 10 Mb, and the company has a
single /24 prefix to announce and its own ASN. The goal is to achieve
redundancy for outbound Internet access and also inbound, for customer
access.

The "default route" option forces me to use one link and leave the
other passive (standby).

Both ISPs would install a Cisco 2801 router, but with 256 MB.

The question is: would the 2801 router work for me with 512 MB, or do I
need to replace it with another router with better performance? Both
ISPs are talking about a 7000-series router as the "minimum".

In English

Pending translation....
Sorry

Benjamín

2010/1/6 Jason Shearer

No way Jose. You will start fragging. I would recommend no less than 512
to receive full tables.

Outside of memory the 2801 is not going to be a very good platform to
accept full tables on. Any major routing update is going to choke the
platform. How big are the circuits you are landing from each provider?

What are you trying to accomplish? Outbound load sharing? Inbound? How
many /24 prefixes do you have to advertise?

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
Sent: Wednesday, January 06, 2010 10:03 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2801 full bgp multihome

Hi,

Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers,
multihome)?

Best regards
Benjamín

From cayers at ena.com Wed Jan 6 11:57:39 2010
From: cayers at ena.com (Cory Ayers)
Date: Wed, 6 Jan 2010 10:57:39 -0600
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <20100106142806.GA16336@kallisti.us>
References: <20100106142806.GA16336@kallisti.us>
Message-ID: 

Hi Ross,

> Hi everyone,
>
> I have a multi-VRF CE setup that is used to provide a different
> forwarding path for two groups of VLANs (one group has a layer 2
> firewall in front of it, the other does not).
>
> Each VRF has a physical interface uplinking to the global table and a
> default pointing out of that interface. The global table uplinks to
> the rest of the network and carries a full BGP view. All three tables
> have an OSPF instance. I'm trying to move these routes out of OSPF
> into iBGP, and IOS seems intent on foiling me.
>

Have you looked at using two interfaces to loop traffic with one
interface in the global table and one in the VRF? You could run two
different OSPF processes to transport routes between them, assuming you
only need a default inside the VRF. I haven't needed to get this to
work with iBGP, but if that is a requirement you will need an IOS
capable of per-VRF Router ID to peer on the same router.
(http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srbgprid.html)

Off the cuff configuration example. These two interfaces would need to
be crossed over, but I'm assuming you have plenty of port density on a
6500.

interface GigabitEthernet2/15
 description Loop entering VRF
 mac-address 020x.xxxx.xx0e
 ip address 172.23.254.1 255.255.255.252
!
interface GigabitEthernet2/16
 description Loop leaving VRF
 mac-address 020x.xxxx.xx0f
 ip vrf forwarding VRFname
 ip address 172.23.254.2 255.255.255.252
!
! global-table process: covers the .1 side of the loop and injects the default
router ospf 215
 network 172.23.254.1 0.0.0.0 area 0
 default-information originate
!
! VRF process: must cover the VRF-side address (.2 on Gi2/16); the original
! listed .1 here, which belongs to the global interface and would not match
router ospf 216 vrf VRFname
 network 172.23.254.2 0.0.0.0 area 0

From Charles.Church at harris.com Wed Jan 6 11:12:56 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Wed, 6 Jan 2010 11:12:56 -0500
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To: 
References: 
Message-ID: <290EF89F13F04F4E924BB235A46D18F108C64936B3@MLBMXUS2.cs.myharris.net>

No. My 2821 running 12.4 mainline has 2 peers, has about 350 MB in use
for everything. 512 really should be the minimum.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
Sent: Wednesday, January 06, 2010 11:03 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2801 full bgp multihome

Hi,

Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers,
multihome)?

Best regards
Benjamín

From ross at kallisti.us Wed Jan 6 12:05:53 2010
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 6 Jan 2010 12:05:53 -0500
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: 
References: <20100106142806.GA16336@kallisti.us>
Message-ID: <20100106170553.GA17269@kallisti.us>

On Wed, Jan 06, 2010 at 10:57:39AM -0600, Cory Ayers wrote:
> Have you looked at using two interfaces to loop traffic with one
> interface in the global table and one in the VRF? You could run two
> different OSPF processes to transport routes between them, assuming you
> only need a default inside the VRF.

Yep, that's the key - it just hit me that I can run two OSPF processes
in the global table: use one just for redistribution of routes into
iBGP and use the other for my actual IGP.

Thanks,
Ross

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
        --Woody Guthrie

From kenny.sallee at gmail.com Wed Jan 6 13:04:37 2010
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Wed, 6 Jan 2010 10:04:37 -0800
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <20100106170553.GA17269@kallisti.us>
References: <20100106142806.GA16336@kallisti.us> <20100106170553.GA17269@kallisti.us>
Message-ID: <4a80ecce1001061004x26812a49k968ca0d2cd6fda28@mail.gmail.com>

On Wed, Jan 6, 2010 at 9:05 AM, Ross Vandegrift wrote:
> On Wed, Jan 06, 2010 at 10:57:39AM -0600, Cory Ayers wrote:
> > Have you looked at using two interfaces to loop traffic with one
> > interface in the global table and one in the VRF? You could run two
> > different OSPF processes to transport routes between them, assuming you
> > only need a default inside the VRF.
>
> Yep, that's the key - it just hit me that I can run two OSPF processes
> in the global table: use one just for redistribution of routes into
> iBGP and use the other for my actual IGP.
>
> Thanks,
> Ross
>

My .02 is that you should put everything in VRFs (even the global table)
and use route-target import/export and import maps (if required) to
control routing domains.

Question - can you use 'neighbor allowas-in' instead of as-override? I'm
not sure why your BGP AS-PATH was wrong in scenario #3 above - but I'm
using that in a very similar scenario in my lab to solve the problem of
having the same eBGP AS used at 2 different sites connected to 2
different PE routers. BGP won't advertise a path it receives with its
own ASN in the path.
http://www.cisco.com/en/US/docs/ios/12_3t/mpls/command/reference/mp_n5gt.html#wp1007547

Kenny

From v.jones at networkingunlimited.com Wed Jan 6 14:57:39 2010
From: v.jones at networkingunlimited.com (Vincent C Jones) Date: Wed, 06 Jan 2010 14:57:39 -0500 Subject: [c-nsp] Cisco 2801 full bgp multihome In-Reply-To: References: <"A FD31EAF2DD7F346AA17E164615555B0321B333B"@SVR-AMED-MAIL01.amedisys.com> <"a01aa eac1001060835o1bdc31fdt9c4a0306bd986427"@mail.gmail.com> Message-ID: <1262807859.17745.29.camel@X61.NetworkingUnlimited.nul> One trick I've used where resources are tight is to "take" full routes, but filter them so that I only accept "local" (short AS path) and a few key indicator prefixes (typically out of country root DNS server subnets). The indicator prefixes are used to drive a conditional default route (use this ISP as default only if it appears to be well connected) while the number of ASN's allowed in "local" prefixes can be adjusted to control the number accepted. Note that this only impacts traffic going out from you. Inbound traffic is a separate issue. With only a single /24, your inbound load balancing options are limited. Depending on the connectivity of your upstreams and who your users are talking to, you may also see lots of asymmetric routing. Good luck and have fun! -- Vincent C. Jones Networking Unlimited, Inc. Phone: +1 201 568-7810 V.Jones at NetworkingUnlimited.com On Wed, 2010-01-06 at 10:50 -0600, Jason Shearer wrote: > Ben, > > Not going to be able to load balance inbound as you only have a single /24 to advertise (this is the minimum prefix that will make it to the NAP). Outbound you should be good....just note that you will experience asymmetric routing (in one out the other). > > I have used 28xx routers for full tables before and it will be good when the going is good but very bad when the going gets bad. If you are going to use an ISR I would recommend a 3825 at a minimum (two would be better). Convergence will be much faster. > > A better alternative if you are strapped for cash may be to just accept defaults. 
Make your backup connection smaller but have it contracted to grow or burst if you experience problems with the primary.
>
> Jason
>
> >>>Translation<<<
>
> You are not going to be able to load balance inbound, since you only have a single /24 to advertise (this is the minimum prefix that will make it to the NAP). Outbound should be fine.... Just keep in mind that you will experience asymmetric routing (in one, out the other).
>
> I have used 28xx routers for full tables before, and they will be fine when things are good but very bad when things go bad. If you are going to use an ISR I would recommend a 3825 at a minimum (two would be better). Convergence will be much faster.
>
> A better alternative if you are strapped for cash may be to simply accept defaults. Make the backup connection smaller, but have it contracted to grow or burst if you have problems with the primary.
>
>
> From: Benjamín Gálvez [mailto:bgalvez at gmail.com]
> Sent: Wednesday, January 06, 2010 10:35 AM
> To: Jason Shearer
> Subject: Re: [c-nsp] Cisco 2801 full bgp multihome
>
> Jason,
>
> In Spanish (translated):
>
> The idea is to connect the company (a bank) to two ISPs (service providers) via BGP with full tables, to get outbound and inbound load balancing.
> Both links are 10 Mb, and the company has a single /24 prefix to advertise and its own ASN.
> The idea is to get redundancy for outbound Internet access and also inbound, for customer access.
>
> The "default route" option forces me to use one link and leave the other passive (standby).
>
> Both ISPs will install Cisco 2801 routers, but with 256 MB.
>
> The question is: will the 2801 work for me with 512 MB, or do I need to replace it with a router with better specs?
> Both ISPs tell me a 7000-series router is the "minimum".
>
> In English
>
> Translation pending....
> Sorry
>
> Benjamín
> 2010/1/6 Jason Shearer
>
> No way Jose. You will start fragging. I would recommend no less than 512 to receive full tables.
>
> Outside of memory the 2801 is not going to be a very good platform to accept full tables on. Any major routing updates are going to choke the platform. How big are the circuits you are landing from each provider?
>
> What are you trying to accomplish? Outbound load sharing? Inbound? How many /24 prefixes do you have to advertise?
>
> Jason
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Benjamín Gálvez
> Sent: Wednesday, January 06, 2010 10:03 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 2801 full bgp multihome
>
> Hi,
>
> Can a Cisco 2801 with 256MB RAM handle a full BGP table (1-2 peers, multihome)?
>
> Best regards
> Benjamín
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> *** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. ***

From gsgranados at comcast.net Wed Jan 6 15:20:47 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 6 Jan 2010 12:20:47 -0800
Subject: [c-nsp] Cisco 2801 full bgp multihome
References: <"AFD31EAF2DD7F346AA17E164615555B0321B333B"@SVR-AMED-MAIL01.amedisys.com> <"a01aa eac1001060835o1bdc31fdt9c4a0306bd986427"@mail.gmail.com> <1262807859.17745.29.camel@X61.NetworkingUnlimited.nul>
Message-ID: <019001ca8f0d$c3839dd0$2408120a@am.thmulti.com>

This is a good approach, another is to filter the length of prefixes you install and set up some floating static defaults.

You could filter against a prefix list for something like

ip prefix-list not-to-specific seq 5 permit 0.0.0.0/0 le X

where X depends on how finely you wish to filter. In most full feeds you'd take a /24 or shorter, but in your case you can't do this due to memory concerns. You could try /20 or shorter, /19, etc. until you meet your memory requirements. Simply by filtering shorter than /24 you'll gain a lot of mileage. Of course your ability to control outbound traffic deteriorates the more heavily you filter, but them's the breaks when memory is a concern.

On the inbound side with a single /24 you won't have a lot of flexibility. You'll hit issues for example if upstream carriers filter shorter than /24 and only pick up your provider's parent block. If your upstreams have good community options you can control announcements of your block a bit more. For example, in the case of XO you can trigger prepends to specific major peers, allowing you to pad say AS 701 more heavily but leave other networks untouched. Depends on what knobs your carrier gives you to twiddle. There's also local pref but that's non-transitive.

----- Original Message -----
From: "Vincent C Jones"
To: "Jason Shearer"
Cc:
Sent: Wednesday, January 06, 2010 11:57 AM
Subject: Re: [c-nsp] Cisco 2801 full bgp multihome

> One trick I've used where resources are tight is to "take" full routes, but filter them so that I only accept "local" (short AS path) and a few key indicator prefixes (typically out of country root DNS server subnets). The indicator prefixes are used to drive a conditional default route (use this ISP as default only if it appears to be well connected) while the number of ASN's allowed in "local" prefixes can be adjusted to control the number accepted.
>
> Note that this only impacts traffic going out from you. Inbound traffic is a separate issue. With only a single /24, your inbound load balancing options are limited. Depending on the connectivity of your upstreams and who your users are talking to, you may also see lots of asymmetric routing.
>
> Good luck and have fun!
> --
> Vincent C. Jones
> Networking Unlimited, Inc.
> Phone: +1 201 568-7810
> V.Jones at NetworkingUnlimited.com
>
> On Wed, 2010-01-06 at 10:50 -0600, Jason Shearer wrote:
>> Ben,
>>
>> Not going to be able to load balance inbound as you only have a single /24 to advertise (this is the minimum prefix that will make it to the NAP). Outbound you should be good....just note that you will experience asymmetric routing (in one out the other).
>>
>> I have used 28xx routers for full tables before and it will be good when the going is good but very bad when the going gets bad. If you are going to use an ISR I would recommend a 3825 at a minimum (two would be better). Convergence will be much faster.
>>
>> A better alternative if you are strapped for cash may be to just accept defaults. Make your backup connection smaller but have it contracted to grow or burst if you experience problems with the primary.

From v.jones at networkingunlimited.com Wed Jan 6 15:31:58 2010
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Wed, 06 Jan 2010 15:31:58 -0500
Subject: [c-nsp] Cisco 2801 full bgp multihome
In-Reply-To: <019001ca8f0d$c3839dd0$2408120a@am.thmulti.com>
References: <"a01aa eac1001060835o1bdc31fdt9c4a0306bd986427"@mail.gmail.com> <1262807859.17745.29.camel@X61.NetworkingUnlimited.nul> <019001ca8f0d$c3839dd0$2408120a@am.thmulti.com>
Message-ID: <1262809919.17745.37.camel@X61.NetworkingUnlimited.nul>

Scott,

Careful... filtering on prefix length will block the very "local" prefixes you are probably most interested in--the prefixes of the upstreams' other customers who may be advertising a /24 not in that upstream's address space.

Vince
--
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com

From razor at meganet.net Wed Jan 6 14:41:21 2010
From: razor at meganet.net (P.A)
Date: Wed, 6 Jan 2010 14:41:21 -0500
Subject: [c-nsp] cisco frame-relay termination without a frame switch
Message-ID: <017f01ca8f08$398a3670$ac9ea350$@net>

Hi, we have a frame-relay switch that is no longer working. We have 28 T1s on a channelized T3. I was wondering if anyone knows how, and if, it's possible to terminate frame lines on a Cisco, either a 7200 or 6500, without a frame switch. I followed the example here, http://www.ciscopress.com/articles/article.asp?p=170741&seqNum=7, but this will not work for me as it assumes you have two different frame-relay circuits on two different T1 ports. I'm using a PA-MC-T3 card and I also tried creating sub-interfaces off the T1 channel, but when I use the frame-relay route command it gives me an error that both DLCIs are on the same interface. All I'm trying to do is terminate a frame-relay on a Cisco without a frame-relay switch. If this is possible, could someone give me an example or point me in that direction?

thanks!
paul

From gsgranados at comcast.net Wed Jan 6 15:36:26 2010
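The configuration below pulls together the knobs discussed in the 2801 thread above: Scott's prefix-length filter and floating static defaults, Vincent's trick of keeping only short-AS-path "local" routes plus a few indicator prefixes that drive a conditional default, and his warning that a pure length filter throws away the upstreams' /24 customers. It is an added example, not from any poster in the thread. Everything in it is a placeholder: the ASNs are private (RFC 6996), the addresses are documentation space (RFC 5737), the community values and policy names are made up, and the two "indicator" prefixes stand in for something like an out-of-country root-server subnet. It assumes an IOS release with Enhanced Object Tracking (`track ... ip route ... reachability`).

```cisco
! Added example, not from any post in the thread: the filtered dual-upstream
! eBGP setup the thread describes, for an ISR that cannot hold full tables.
! Every number is a placeholder: private ASNs (RFC 6996) and documentation
! addresses (RFC 5737). Assumes an IOS release with Enhanced Object Tracking
! ("track ... ip route ... reachability").
!
!   our block    203.0.113.0/24 in AS 64500
!   ISP-A        AS 64496, link 198.51.100.0/30, their side .1
!   ISP-B        AS 64497, link 198.51.100.4/30, their side .5
!   indicators   192.0.2.0/25 (via ISP-A) and 192.0.2.128/25 (via ISP-B)
!                stand in for real "well-connected" prefixes such as an
!                out-of-country root-server subnet
!
! Scott's knob: aggregates only, /20 or shorter.
ip prefix-list SHORT-ONLY seq 5 permit 0.0.0.0/0 le 20
!
! Vincent's knob: "local" routes, AS_PATH of one or two hops, whatever their
! length, so the upstream's /24 customers survive the length filter.
ip as-path access-list 10 permit ^[0-9]+$
ip as-path access-list 10 permit ^[0-9]+_[0-9]+$
!
! One indicator prefix per upstream, accepted only from that upstream.
ip prefix-list INDICATOR-A seq 5 permit 192.0.2.0/25
ip prefix-list INDICATOR-B seq 5 permit 192.0.2.128/25
!
! Never accept a default, RFC 1918 space or our own block from an upstream.
ip prefix-list BOGON seq 5 permit 0.0.0.0/0
ip prefix-list BOGON seq 10 permit 10.0.0.0/8 le 32
ip prefix-list BOGON seq 15 permit 172.16.0.0/12 le 32
ip prefix-list BOGON seq 20 permit 192.168.0.0/16 le 32
ip prefix-list BOGON seq 25 permit 203.0.113.0/24 le 32
!
! Communities: 64500:100 transit, 64500:200 upstream customer, 64500:300
! indicator. Anything matching no clause is dropped by the implicit deny.
route-map ISP-A-IN deny 5
 match ip address prefix-list BOGON
route-map ISP-A-IN permit 10
 match ip address prefix-list INDICATOR-A
 set community 64500:300
route-map ISP-A-IN permit 20
 match as-path 10
 set community 64500:200
route-map ISP-A-IN permit 30
 match ip address prefix-list SHORT-ONLY
 set community 64500:100
!
route-map ISP-B-IN deny 5
 match ip address prefix-list BOGON
route-map ISP-B-IN permit 10
 match ip address prefix-list INDICATOR-B
 set community 64500:300
route-map ISP-B-IN permit 20
 match as-path 10
 set community 64500:200
route-map ISP-B-IN permit 30
 match ip address prefix-list SHORT-ONLY
 set community 64500:100
!
! Outbound: our /24 and nothing else, so ISP-A's routes never leak to ISP-B.
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
route-map UPSTREAM-OUT permit 10
 match ip address prefix-list OUR-BLOCK
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 description ISP-A
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 route-map ISP-A-IN in
 neighbor 198.51.100.1 route-map UPSTREAM-OUT out
 neighbor 198.51.100.1 maximum-prefix 30000 90
 neighbor 198.51.100.5 remote-as 64497
 neighbor 198.51.100.5 description ISP-B
 neighbor 198.51.100.5 send-community
 neighbor 198.51.100.5 route-map ISP-B-IN in
 neighbor 198.51.100.5 route-map UPSTREAM-OUT out
 neighbor 198.51.100.5 maximum-prefix 30000 90
!
ip route 203.0.113.0 255.255.255.0 Null0
!
! Conditional floating defaults: each tracked object is up only while its
! indicator is in the RIB, which the inbound filters tie to one upstream.
! ISP-A (AD 200) is preferred; ISP-B (AD 210) takes over when track 1 falls.
track 1 ip route 192.0.2.0/25 reachability
track 2 ip route 192.0.2.128/25 reachability
ip route 0.0.0.0 0.0.0.0 198.51.100.1 200 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.5 210 track 2
```

Two things to check before trusting it. First, the indicator prefix must not itself be one or two AS hops from either upstream, or the `match as-path 10` clause will accept it from the wrong session and the tracked default will never fail over; pick one that reaches you through several ASes and confirm with `show ip bgp 192.0.2.0/25` that it is only ever learned from the intended neighbor. Second, the outbound prefix-list and `maximum-prefix` are the safety rails: the former stops the router from re-advertising one upstream's routes to the other (turning a bank into a transit provider), and the latter drops the session rather than letting an upstream filter change exhaust a 256 MB box. `show ip bgp summary`, `show track` and `show processes memory` tell you where the prefix count and memory actually land, which is the only real answer to the "/20 or /19?" question.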
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 6 Jan 2010 12:36:26 -0800
Subject: [c-nsp] Cisco 2801 full bgp multihome
References: <"a01aa eac1001060835o1bdc31fdt9c4a0306bd986427"@mail.gmail.com> <1262807859.17745.29.camel@X61.NetworkingUnlimited.nul> <019001ca8f0d$c3839dd0$2408120a@am.thmulti.com> <1262809919.17745.37.camel@X61.NetworkingUnlimited.nul>
Message-ID: <01ae01ca8f0f$f1fd9650$2408120a@am.thmulti.com>

Right, which is why you'd need your floating default statics and why you should tag internal prefixes differently. Tagging customer routes with one community, say, and your learned transit routes as another is a good idea. Your internal more specifics could be tagged and marked no-export so you're able to engineer as needed inside your network.

----- Original Message -----
From: "Vincent C Jones"
To: "Scott Granados"
Cc: "Jason Shearer" ;
Sent: Wednesday, January 06, 2010 12:31 PM
Subject: Re: [c-nsp] Cisco 2801 full bgp multihome

Scott,

Careful... filtering on prefix length will block the very "local" prefixes you are probably most interested in--the prefixes of the upstreams' other customers who may be advertising a /24 not in that upstream's address space.

Vince

From gsgranados at comcast.net Wed Jan 6 15:46:25 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 6 Jan 2010 12:46:25 -0800
Subject: [c-nsp] Question about EOL Pix licenses?
Message-ID: <01c501ca8f11$54698d20$2408120a@am.thmulti.com>

Hi,

I have an old Pix 501 with a 50 host limit. I'd like to buy the unlimited host option and have a new key generated to unlock that feature, but the product is of course EOL. Is there any way to obtain / pay for these licenses, or am I just out of luck and should just buy newer hardware? What are my options, if any?

Thank you
Scott

From mail4hh at pobox.com Wed Jan 6 15:55:16 2010
From: mail4hh at pobox.com (Hector Herrera)
Date: Wed, 6 Jan 2010 12:55:16 -0800
Subject: [c-nsp] Bug ID CSCsv50653
Message-ID:

I don't have access to the bug toolkit. Could someone please send the details on this bug: CSCsv50653

I want to know if it is affecting my load-balancing setup.

Thank you
--
Hector

From mksmith at adhost.com Wed Jan 6 15:58:43 2010
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Wed, 6 Jan 2010 12:58:43 -0800
Subject: [c-nsp] Question about EOL Pix licenses?
In-Reply-To: <01c501ca8f11$54698d20$2408120a@am.thmulti.com>
References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com>
Message-ID: <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan>

Absolutely.... not. I've got about 100 of them deployed and wanted to do the same. The VARs aren't allowed to sell any more PAKs for those devices. However, by amazing coincidence, they *do* have 5500's for sale to replace your gear.

Mike
--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

From gsgranados at comcast.net Wed Jan 6 16:24:05 2010
From: gsgranados at comcast.net (Scott Granados) Date: Wed, 6 Jan 2010 13:24:05 -0800 Subject: [c-nsp] Question about EOL Pix licenses? References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan> Message-ID: <01eb01ca8f16$988dc200$2408120a@am.thmulti.com> That's exactly what happened to me, tried to unload an ASA 5505 on me. ----- Original Message ----- From: "Michael K. Smith - Adhost" To: "Scott Granados" ; Sent: Wednesday, January 06, 2010 12:58 PM Subject: RE: [c-nsp] Question about EOL Pix licenses? Absolutely.... not. I've got about 100 of them deployed and wanted to do the same. The VAR's aren't allowed to sell any more PAK's for those devices. However, by amazing coincidence, they *do* have 5500's for sale to replace your gear. Mike -- Michael K. Smith - CISSP, GSEC, GISP Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D) > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Scott Granados > Sent: Wednesday, January 06, 2010 12:46 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Question about EOL Pix licenses? > > Hi, > > I have an old Pix 501 with a 50 host limit. I'd like to buy the > unlimited > host option and have a new key generated to unlock that feature but the > product is of course EOL. Is there any way to obtain / pay for these > licenses or am I just out of luck and should just buy newer hardware? > What > are my options if any? > > Thank you > Scott > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From sethm at rollernet.us Wed Jan 6 16:32:50 2010 
From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 06 Jan 2010 13:32:50 -0800 Subject: [c-nsp] Question about EOL Pix licenses? In-Reply-To: <01eb01ca8f16$988dc200$2408120a@am.thmulti.com> References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan> <01eb01ca8f16$988dc200$2408120a@am.thmulti.com> Message-ID: <4B450182.5080506@rollernet.us> Scott Granados wrote: > That's exactly what happened to me, tried to unload an ASA 5505 on me. > Ah, the joys of licensing. This is why I get paranoid about IOS licensing. I have some rather old hardware that's still in production because it keeps on working just fine. ~Seth From jshearer at amedisys.com Wed Jan 6 16:55:00 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Wed, 6 Jan 2010 15:55:00 -0600 Subject: [c-nsp] Bug ID CSCsv50653 In-Reply-To: References: Message-ID:

After reload, 3550 does not load share

Symptom: A 3550 was reloaded. After it came back online, it was no longer load-sharing correctly out of its two uplinks (g0/1 + g0/2). All of the traffic was only going out one uplink.

Workaround: Performed "shut" and "no shut" on the interface. Load sharing would come back on these two links.

Status: Fixed (Verified)
Severity: 3 - moderate
Product: Cisco IOS software
Technology:
1st Found-In: 12.2(35)SE
Known Affected Versions:
Fixed-In: 12.2(50)SE, 12.2(50)SE1
Component(s): ospf

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hector Herrera Sent: Wednesday, January 06, 2010 2:55 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Bug ID CSCsv50653 I don't have access to the bug toolkit. Could someone please send the details on this bug: CSCsv50653 I want to know if it is affecting my load-balancing setup. Thank you -- Hector _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ *** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. *** From jeff-kell at utc.edu Wed Jan 6 17:03:05 2010 From: jeff-kell at utc.edu (Jeff Kell) Date: Wed, 06 Jan 2010 17:03:05 -0500 Subject: [c-nsp] Bug ID CSCsv50653 In-Reply-To: References: Message-ID: <4B450899.4030801@utc.edu> On 1/6/2010 4:55 PM, Jason Shearer wrote: > After reload, 3550 does not load share > > 1st Found-In > 12.2(35)SE > Known Affected Versions > > > Fixed-In > 12.2(50)SE > 12.2(50)SE1 > Well, that's a major crock-o-stuff, as 12.2(46)SE6 is the last officially supported/provided IOS release for that platform (other than the DC version). Jeff From sgranger at randfinancial.com Wed Jan 6 16:27:43 2010 
From: sgranger at randfinancial.com (Sean Granger) Date: Wed, 06 Jan 2010 15:27:43 -0600 Subject: [c-nsp] Question about EOL Pix licenses? In-Reply-To: <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan> References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan> Message-ID: <4B44ABEF020000D900006072@mail.randfinancial.com> If you reeeeeally want to do it on the cheap. You could see what the trade value might be worth with a grey market vendor for a 501 w/ unlimited. Or, you could just get a 506E w/ unlimited for around 200 in the open market ... > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Scott Granados > Sent: Wednesday, January 06, 2010 12:46 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Question about EOL Pix licenses? > > Hi, > > I have an old Pix 501 with a 50 host limit. I'd like to buy the > unlimited > host option and have a new key generated to unlock that feature but the > product is of course EOL. Is there any way to obtain / pay for these > licenses or am I just out of luck and should just buy newer hardware? > What > are my options if any? > > Thank you > Scott > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From gsgranados at comcast.net Wed Jan 6 17:14:27 2010 
From: gsgranados at comcast.net (Scott Granados) Date: Wed, 6 Jan 2010 14:14:27 -0800 Subject: [c-nsp] Question about EOL Pix licenses? References: <01c501ca8f11$54698d20$2408120a@am.thmulti.com><17838240D9A5544AAA5FF95F8D520316074E7E37@ad-exh01.adhost.lan> <4B44ABEF020000D900006072@mail.randfinancial.com> Message-ID: <02ef01ca8f1d$a24bf170$2408120a@am.thmulti.com> Now that's a good idea. Thanks ----- Original Message ----- From: "Sean Granger" To: Sent: Wednesday, January 06, 2010 1:27 PM Subject: Re: [c-nsp] Question about EOL Pix licenses? > If you reeeeeally want to do it on the cheap. > You could see what the trade value might be worth with a grey market > vendor for a 501 w/ unlimited. > Or, you could just get a 506E w/ unlimited for around 200 in the open > market ... > >> -----Original Message----- 
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Scott Granados >> Sent: Wednesday, January 06, 2010 12:46 PM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] Question about EOL Pix licenses? >> >> Hi, >> >> I have an old Pix 501 with a 50 host limit. I'd like to buy the >> unlimited >> host option and have a new key generated to unlock that feature but > the >> product is of course EOL. Is there any way to obtain / pay for these >> licenses or am I just out of luck and should just buy newer hardware? >> What >> are my options if any? >> >> Thank you >> Scott >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mail4hh at pobox.com Wed Jan 6 17:47:15 2010 
From: mail4hh at pobox.com (Hector Herrera) Date: Wed, 6 Jan 2010 14:47:15 -0800 Subject: [c-nsp] Bug ID CSCsv50653 In-Reply-To: <4B450899.4030801@utc.edu> References: <4B450899.4030801@utc.edu> Message-ID: On Wed, Jan 6, 2010 at 2:03 PM, Jeff Kell wrote: > On 1/6/2010 4:55 PM, Jason Shearer wrote: >> After reload, 3550 does not load share >> >> 1st Found-In >> 12.2(35)SE >> Known Affected Versions >> >> >> Fixed-In >> 12.2(50)SE >> 12.2(50)SE1 >> > > Well, that's a major crock-o-stuff, as 12.2(46)SE6 is the last > officially supported/provided IOS release for that platform (other than > the DC version). > > Jeff Yes, that is quite ugly. I'm currently using 12.2(50)SE3 on a 3550-12T and the only difficulty that I have run into is a high CPU load (>90% when total throughput on the load-balanced links reaches 200 Mbps). I am curious to find out if the high CPU load is caused by some incompatibility between 12.2(50)SE3 and the 3550-12T (since the version is not officially supported on the platform). However, this bug (no load sharing after reload) is making me think twice about testing 12.2(46)SE6. On the other hand, the bug fix for this issue could be the reason for the high CPU load .... Out of curiosity, is anybody here using a 3550 to route more than 200 Mbps (at about 40,000 packets per second forwarding rate)? I would be interested in comparing CPU loads with or without load-sharing. Thank you for all the copies of the bug that I received (both to the list and privately). -- Hector Herrera From listensammler at gmx.de Wed Jan 6 18:42:29 2010
From: listensammler at gmx.de (listensammler at gmx.de) Date: Thu, 07 Jan 2010 00:42:29 +0100 Subject: [c-nsp] understanding ping ipv6 output In-Reply-To: <4B43D500.3050306@cisco.com> References: <4B40EE7A.8060200@gmx.de> <4B410022.8040508@forthnet.gr> <4B43D500.3050306@cisco.com> Message-ID: <4B451FE5.1080708@gmx.de> Thanks for your replies. Okay, C stands for congestion. But unfortunately, I didn't find any information about "A". Regards, Alex From kenny.sallee at gmail.com Wed Jan 6 19:49:07 2010 From: kenny.sallee at gmail.com (Kenny Sallee) Date: Wed, 6 Jan 2010 16:49:07 -0800 Subject: [c-nsp] ASR1002 Message-ID: <4a80ecce1001061649j71005d4i19e172fae2a35ac1@mail.gmail.com> Anyone have recommendations on solid IOS XE code for ASR 1002 that's just doing:
- BGP
- VRFs
- Many sub-interfaces and ACLs
It shipped with 02.04.02.122-33.XND2.bin Thanks, Kenny From jasonleblanc at gmail.com Wed Jan 6 20:10:42 2010 From: jasonleblanc at gmail.com (Jason LeBlanc) Date: Wed, 6 Jan 2010 18:10:42 -0700 Subject: [c-nsp] Bug ID CSCsv50653 In-Reply-To: <4B450899.4030801@utc.edu> References: <4B450899.4030801@utc.edu> Message-ID: <441F7ED6-D0A3-432E-B6BC-432E0C568812@gmail.com> Jeff or all, What is the most stable current release available? Would it be the same 12.2(46)SE6? (non-DC) Thanks, //LeBlanc On Jan 6, 2010, at 3:03 PM, Jeff Kell wrote: > On 1/6/2010 4:55 PM, Jason Shearer wrote: >> After reload, 3550 does not load share >> >> 1st Found-In >> 12.2(35)SE >> Known Affected Versions >> >> >> Fixed-In >> 12.2(50)SE >> 12.2(50)SE1 >> > > Well, that's a major crock-o-stuff, as 12.2(46)SE6 is the last > officially supported/provided IOS release for that platform (other than > the DC version). > > Jeff > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From andy.saykao at staff.netspace.net.au Wed Jan 6 20:02:48 2010
From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Thu, 7 Jan 2010 12:02:48 +1100 Subject: [c-nsp] Strange SSH lag with ACL applied Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> Hi All, I have what seems like a trivial problem but can't figure out what's causing it. I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x). Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs from accessing it. What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going on with my ACL??? Why the lag for the SSH prompt to appear?

interface Vlan2
 ip address 203.12.53.aaa 255.255.255.224
 ip access-group VLAN2-FILTER-OUT out
 no ip redirects
 no ip mroute-cache
 ip ospf priority 15
 load-interval 30
 tag-switching ip
!
ip access-list extended VLAN1-FILTER-OUT
 permit ip host 203.10.110.x host 203.12.53.x
 permit ip host 203.10.110.y host 203.12.53.x
 permit ip host 203.10.110.z host 203.12.53.x
 permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
 permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
 permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
 permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
 permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
 permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
 permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
 permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
 deny ip any host 203.12.53.x
 permit ip any any

Interestingly enough, when I "permit ip any" to access Host B as the very first line in the ACL, the SSH prompt is instantaneous.

 permit ip any host 203.12.53.x log

I even tried permitting Host A as the very first line in the ACL like so, but no joy.

 permit ip host 210.15.210.x host 203.12.53.x log

Any ideas??? Thanks. Andy From James.Baker at chelmer.co.nz Wed Jan 6 20:45:03 2010
From: James.Baker at chelmer.co.nz (James Baker) Date: Thu, 7 Jan 2010 14:45:03 +1300 Subject: [c-nsp] icmp breaks ipsec tunnel Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD017D03C5@chmaexch.chelmer.co.nz> Has anyone seen an issue where ICMP on the external interface or to an IP address which would go across a IPSec tunnel on a Cisco 877 router would cause the IPSec tunnel to reset? i.e.: ping external IP = tunnel drops ping protected IP = tunnel drops however RDP works fine across the link ICMP is allow both to the router and across the tunnel, I can see the ICMP hitting the router and a reply being sent This is a 877 running 12.4-15T11 (ADVIPSERVICESK9) running ADSL (PPPoA @ MTU 1492 & MTU 1500) Thanks ---------- The information contained in this e-mail and any attachments is confidential and is intended for the attention and use of the named addressee(s) only. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Chelmer Limited. ##################################################################################### This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal ##################################################################################### From sethm at rollernet.us Wed Jan 6 20:57:37 2010 
From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 06 Jan 2010 17:57:37 -0800 Subject: [c-nsp] icmp breaks ipsec tunnel In-Reply-To: <64396C74FCE435468BE2AF5A73F9C2FD017D03C5@chmaexch.chelmer.co.nz> References: <64396C74FCE435468BE2AF5A73F9C2FD017D03C5@chmaexch.chelmer.co.nz> Message-ID: <4B453F91.3080009@rollernet.us> James Baker wrote: > > > Has anyone seen an issue where ICMP on the external interface or to an > IP address which would go across a IPSec tunnel on a Cisco 877 router > would cause the IPSec tunnel to reset? > > > This is a 877 running 12.4-15T11 (ADVIPSERVICESK9) running ADSL (PPPoA @ > MTU 1492 & MTU 1500) > No; I'm using my 877's for DMVPN with 12.4(24)T2. ~Seth From lesmith at ecsis.net Wed Jan 6 21:18:20 2010 
From: lesmith at ecsis.net (Larry Smith) Date: Wed, 6 Jan 2010 20:18:20 -0600 Subject: [c-nsp] Strange SSH lag with ACL applied In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> Message-ID: <201001062018.20825.lesmith@ecsis.net> On Wed January 6 2010 19:02, Andy Saykao wrote: > Hi All, > > I have what seems like a trivial problem but can't figure out what's > causing it. > > I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x). > Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IP's > from accessing it. > > What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT ) to > VLAN2, it takes a very long time for the SSH login promtp to appear. If > I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going > on with my ACL??? Why the lag for the SSH prompt to appear? > > interface Vlan2 > ip address 203.12.53.aaa 255.255.255.224 > ip access-group VLAN2-FILTER-OUT out > no ip redirects > no ip mroute-cache > ip ospf priority 15 > load-interval 30 > tag-switching ip > ! > ip access-list extended VLAN1-FILTER-OUT > permit ip host 203.10.110.x host 203.12.53.x > permit ip host 203.10.110.y host 203.12.53.x > permit ip host 203.10.110.z host 203.12.53.x > permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x > permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x > permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x > permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x > deny ip any host 203.12.53.x > permit ip any any > > > Interestingly enough when I "permit ip any" to access Host B as the very > first line in the ACL, the SSH prompt is instantaneous. 
> > permit ip any host 203.12.53.x log > > I even tried permiting Host A as the very first line in the ACL like so, > but no joy. > > permit ip host 210.15.210.x host 203.12.53.x log > > Any ideas??? > > Thanks. > > Andy Possibly a "typo" but your ACL says it is named VLAN1-FILTER-OUT (note VLAN1) and you are applying an ACL named VLAN2-FILTER-OUT In your second try (permit ip host 210.15.210.x host 203.12.53.x log) what did the log entries say?? -- Larry Smith lesmith at ecsis.net From andy.saykao at staff.netspace.net.au Wed Jan 6 22:20:00 2010 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Thu, 7 Jan 2010 14:20:00 +1100 Subject: [c-nsp] [Resolved] Strange SSH lag with ACL applied References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AB090@vic-cr-ex1.staff.netspace.net.au> Thanks to all those that replied. It was exactly a reverse dns issue. I didn't know that SSH performed a reverse dns on the incoming IP. And silly me did not have our dns servers in the ACL. Cheers. Andy -----Original Message----- From: Andrew Hoyos [mailto:ahoyos at xiocom.com] Sent: Thursday, 7 January 2010 2:16 PM To: Andy Saykao; cisco-nsp at puck.nether.net Subject: RE: Strange SSH lag with ACL applied >From Host A, is traffic allowed to your DNS servers in your ACL? If not, the delay might be a reverse DNS lookup timing out. > -----Original Message----- 
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Andy Saykao > Sent: Wednesday, January 06, 2010 7:03 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Strange SSH lag with ACL applied > > Hi All, > > I have what seems like a trivial problem but can't figure out what's > causing it. > > I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x). > Host B is in VLAN2 and there's an ACL on VLAN2 that denies external > IP's from accessing it. > > What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT ) to > VLAN2, it takes a very long time for the SSH login promtp to appear. > If I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's > going on with my ACL??? Why the lag for the SSH prompt to appear? > > interface Vlan2 > ip address 203.12.53.aaa 255.255.255.224 ip access-group > VLAN2-FILTER-OUT out no ip redirects no ip mroute-cache ip ospf > priority 15 load-interval 30 tag-switching ip ! > ip access-list extended VLAN1-FILTER-OUT permit ip host 203.10.110.x > host 203.12.53.x permit ip host 203.10.110.y host 203.12.53.x permit > ip host 203.10.110.z host 203.12.53.x permit ip 172.16.50.0 0.0.0.255 > host 203.12.53.x permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x permit ip > 203.17.101.0 0.0.0.255 host 203.12.53.x permit ip 210.15.210.0 > 0.0.0.255 host 203.12.53.x permit ip 203.17.96.0 0.0.0.255 host > 203.12.53.x permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x permit > ip 172.16.9.0 0.0.0.255 host 203.12.53.x > deny ip any host 203.12.53.x > permit ip any any > > > Interestingly enough when I "permit ip any" to access Host B as the > very first line in the ACL, the SSH prompt is instantaneous. > > permit ip any host 203.12.53.x log > > I even tried permiting Host A as the very first line in the ACL like > so, but no joy. > > permit ip host 210.15.210.x host 203.12.53.x log > > Any ideas??? > > Thanks. 
> > Andy > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From brandon at burn.net Wed Jan 6 21:53:14 2010 
From: brandon at burn.net (Brandon Applegate) Date: Wed, 6 Jan 2010 21:53:14 -0500 (EST) Subject: [c-nsp] Strange SSH lag with ACL applied In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> Message-ID: Sounds like your SSH server is trying to reverse resolve your IP (for logging). You can either fix your ACL to allow this DNS traffic, or there is a global config (UseDNS no) you can put in sshd_config. Worth a shot to test at least. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 "SH1-0151. This is the serial number, of our orbital gun." On Thu, 7 Jan 2010, Andy Saykao wrote: > Hi All, > > I have what seems like a trivial problem but can't figure out what's > causing it. > > I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x). > Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IP's > from accessing it. > > What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT ) to > VLAN2, it takes a very long time for the SSH login promtp to appear. If > I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going > on with my ACL??? Why the lag for the SSH prompt to appear? > > interface Vlan2 > ip address 203.12.53.aaa 255.255.255.224 > ip access-group VLAN2-FILTER-OUT out > no ip redirects > no ip mroute-cache > ip ospf priority 15 > load-interval 30 > tag-switching ip > ! 
> ip access-list extended VLAN1-FILTER-OUT > permit ip host 203.10.110.x host 203.12.53.x > permit ip host 203.10.110.y host 203.12.53.x > permit ip host 203.10.110.z host 203.12.53.x > permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x > permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x > permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x > permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x > deny ip any host 203.12.53.x > permit ip any any > > > Interestingly enough when I "permit ip any" to access Host B as the very > first line in the ACL, the SSH prompt is instantaneous. > > permit ip any host 203.12.53.x log > > I even tried permiting Host A as the very first line in the ACL like so, > but no joy. > > permit ip host 210.15.210.x host 203.12.53.x log > > Any ideas??? > > Thanks. > > Andy > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ahoyos at xiocom.com Wed Jan 6 22:15:34 2010 From: ahoyos at xiocom.com (Andrew Hoyos) Date: Wed, 6 Jan 2010 22:15:34 -0500 Subject: [c-nsp] Strange SSH lag with ACL applied In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> Message-ID: >From Host A, is traffic allowed to your DNS servers in your ACL? If not, the delay might be a reverse DNS lookup timing out. > -----Original Message----- 
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Andy Saykao > Sent: Wednesday, January 06, 2010 7:03 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Strange SSH lag with ACL applied > > Hi All, > > I have what seems like a trivial problem but can't figure out what's > causing it. > > I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x). > Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IP's > from accessing it. > > What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT ) to > VLAN2, it takes a very long time for the SSH login promtp to appear. If > I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going > on with my ACL??? Why the lag for the SSH prompt to appear? > > interface Vlan2 > ip address 203.12.53.aaa 255.255.255.224 > ip access-group VLAN2-FILTER-OUT out > no ip redirects > no ip mroute-cache > ip ospf priority 15 > load-interval 30 > tag-switching ip > ! > ip access-list extended VLAN1-FILTER-OUT > permit ip host 203.10.110.x host 203.12.53.x > permit ip host 203.10.110.y host 203.12.53.x > permit ip host 203.10.110.z host 203.12.53.x > permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x > permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x > permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x > permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x > permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x > deny ip any host 203.12.53.x > permit ip any any > > > Interestingly enough when I "permit ip any" to access Host B as the very > first line in the ACL, the SSH prompt is instantaneous. > > permit ip any host 203.12.53.x log > > I even tried permiting Host A as the very first line in the ACL like so, > but no joy. > > permit ip host 210.15.210.x host 203.12.53.x log > > Any ideas??? 
> > Thanks. > > Andy > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mcaudill at cisco.com Wed Jan 6 23:17:11 2010 From: mcaudill at cisco.com (Mike Caudill) Date: Wed, 06 Jan 2010 23:17:11 -0500 Subject: [c-nsp] understanding ping ipv6 output In-Reply-To: <4B451FE5.1080708@gmx.de> References: <4B40EE7A.8060200@gmx.de> <4B410022.8040508@forthnet.gr> <4B43D500.3050306@cisco.com> <4B451FE5.1080708@gmx.de> Message-ID: <4B456047.9080801@cisco.com> On 1/6/10 6:42 PM, listensammler at gmx.de wrote: > Thanks for your replies. > Okay, C stands for congestion. > But unfortunately, I didn't find any informations about "A". > > Regards, > Alex > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ Destination unreachable, (A)dministratively prohibited. -Mike- -- Mike Caudill PSIRT Incident Manager DSS PGP: 0xEBBD5271 +1.919.392.2855 / +1.919.522.4931 (cell) http://www.cisco.com/go/psirt From savage at savage.za.org Thu Jan 7 01:17:49 2010 
From: savage at savage.za.org (Chris Knipe)
Date: Thu, 7 Jan 2010 08:17:49 +0200
Subject: [c-nsp] Cisco 3620 and WIC-1ADSL
Message-ID: <052c01ca8f61$261b1830$72514890$@za.org>

Hi,

I have a C3620 with 2 ADSL WICs inside a NM-1FE2W (which is supposed to be confirmed working). After lots of googling, I read much controversy about what is supposed to work and what not, both in terms of hardware, as well as software versions. From my understanding, I am running an IOS which is supposed to be supported.

Before I upgraded (old IOS), the WIC-1ADSL cards were not detected. Now, both cards are detected, but I still do not have any ATM interfaces available. I would appreciate it if anyone can point me in the right direction please - or, do I have an oversized paper weight here?

sh ver and sh diag below.

Many thanks,
Chris.

cpt-cc-core01#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3620-I-M), Version 12.3(21), RELEASE SOFTWARE (fc2)

cpt-cc-core01#sh diag
Slot 0:
NM-1FE2W Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware Revision : 1.0
Top Assy. Part Number : 800-04796-01
Board Revision : F0
Deviation Number : 0-8707
Fab Version : 05
PCB Serial Number : JAD05350Y3U
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : NM-1FE2W=
EEPROM format version 4
EEPROM contents (hex):
0x00: 04 FF 40 00 D7 41 01 00 C0 46 03 20 00 12 BC 01
0x10: 42 46 30 80 00 00 22 03 02 05 C1 8B 4A 41 44 30
0x20: 35 33 35 30 59 33 55 03 00 81 00 00 00 00 04 00
0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

WIC Slot 0:
DSL SAR (ADSL)

Hardware Revision : 2.3
Part Number : 73-4771-09
Board Revision : C0
Deviation Number : 0-0
Fab Version : 05
PCB Serial Number : FOC10161M3C
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : PA-1C-P=
EEPROM format version 4
EEPROM contents (hex):
0x00: 04 FF 40 00 2E 41 02 03 82 49 12 A3 09 42 43 30
0x10: 80 00 00 00 00 02 05 C1 8B 46 4F 43 31 30 31 36
0x20: 31 4D 33 43 03 00 81 00 00 00 00 04 00 FF FF FF
0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

WIC Slot 1:
DSL SAR (ADSL)

Hardware Revision : 2.3
Part Number : 73-4771-08
Board Revision : B0
Deviation Number : 0-0
Fab Version : 05
PCB Serial Number : FOC07330WL9
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : PA-1C-P=
EEPROM format version 4
EEPROM contents (hex):
0x00: 04 FF 40 00 2E 41 02 03 82 49 12 A3 08 42 42 30
0x10: 80 00 00 00 00 02 05 C1 8B 46 4F 43 30 37 33 33
0x20: 30 57 4C 39 03 00 81 00 00 00 00 04 00 FF FF FF
0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

From swmike at swm.pp.se Thu Jan 7 01:35:40 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 7 Jan 2010 07:35:40 +0100 (CET)
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID:

On Thu, 7 Jan 2010, Andy Saykao wrote:

> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going on with my ACL??? Why the lag for the SSH prompt to appear?

The server is most likely doing an ident lookup, if you want to speed this up, make sure you don't silent-drop packets to 113/TCP to avoid this.

-- 
Mikael Abrahamsson email: swmike at swm.pp.se

From gert at greenie.muc.de Thu Jan 7 02:30:06 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 7 Jan 2010 08:30:06 +0100
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <20100107073006.GX857@greenie.muc.de>

Hi,

On Thu, Jan 07, 2010 at 12:02:48PM +1100, Andy Saykao wrote:
> I have what seems like a trivial problem but can't figure out what's causing it.
>
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x). Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going on with my ACL??? Why the lag for the SSH prompt to appear?

Seems you've killed DNS from Host B.

Rule #1 with ACLs: if you can't figure out why it's affecting stuff, put a "deny ip any any log" at the end, and look at the log to see what is being dropped.

gert
-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From steve at ibctech.ca Thu Jan 7 02:45:41 2010
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 07 Jan 2010 02:45:41 -0500
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To:
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <4B459125.8000701@ibctech.ca>

Mikael Abrahamsson wrote:
> On Thu, 7 Jan 2010, Andy Saykao wrote:
>
>> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to VLAN2, it takes a very long time for the SSH login prompt to appear. If I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going on with my ACL??? Why the lag for the SSH prompt to appear?
>
> The server is most likely doing an ident lookup, if you want to speed this up, make sure you don't silent-drop packets to 113/TCP to avoid this.

What SSH server software does this?

I was going to state that in all recent versions of OpenSSH (at least on FreeBSD) one could change:

#UseDNS yes

...to:

UseDNS no

...in the /etc/ssh/sshd_config file.

Even though I've never done this change before, I have notified others that the option is available.

My whole-hearted recommendation would be to configure forward and rDNS for all hosts attempting to connect to the box. IPv6 inclusive. Otherwise, the huge disheartening lag time is a non-subtle reminder that the connecting host's DNS is fscked up.

If you are connecting from within RFC1918 space, it's internal, so fix it. If it's v6, fix it, or contact your ISP to fix it (if you are an SSH client trying to reach an SSH server on a remote network as an IPv6 client, in today's early v6 day-and-age, you *will* be able to find an engineer that is v6-clueful). If it is an IPv6 DNS resolution issue with your ISP-assigned addresses, I will pretty much guarantee that they will be interested to learn about the problem. They already have v6 deployed, and nobody has done so yet without wanting and desiring feedback.

If you feel that I am wrong in the statements regarding IPv6, contact me privately.

It very well could be that the SSH server is trying to do a reverse lookup on a residential client of an ISP that doesn't configure any rDNS for its resi IP blocks whatsoever. In this case, contact your ISP, and ask if they can at least generate automated reverse entries for their known 'dynamic' blocks. If they say no, ask why. If you get nothing, ask for a static IP with an rDNS entry (some ISPs will only assign statics at the /29 boundary. In cases of rDNS requirement, it may be worth paying for it).

Port 113/TCP has nothing to do with this imho. This is a DNS issue that can be resolved by the IP address supplier of the client, or at worst, be fixed at server application level as specified above.

I'm starting to feel the dpi/hijacking anger sensation for some reason. Perhaps someone will eventually create a global qinq (or its technological equivalent) specifically for the revitalization of what the Internet was meant to be ;)

...can we get back into ACL/firewall discussion now, I was thoroughly enjoying what Roland has been saying. What he says is like very expensive advice to the small net-ops who have never seen his hardware in practice ;)

Steve

From swmike at swm.pp.se Thu Jan 7 02:55:37 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 7 Jan 2010 08:55:37 +0100 (CET)
Subject: [c-nsp] Strange SSH lag with ACL applied
In-Reply-To: <4B459125.8000701@ibctech.ca>
References: <56F211C5E3F24F47B103EA1B253822BE044AB08B@vic-cr-ex1.staff.netspace.net.au> <4B459125.8000701@ibctech.ca>
Message-ID:

On Thu, 7 Jan 2010, Steve Bertrand wrote:

> What SSH server software does this?

I don't know, but it seemed to fit the profile. I checked and at least my OpenSSH doesn't use this.

> UseDNS no

In this case I think your DNS proposal is the more probable diagnosis, it didn't occur to me that someone would make DNS not work on a machine by means of access list.

-- 
Mikael Abrahamsson email: swmike at swm.pp.se

From p_ambedkar at rediffmail.com Thu Jan 7 04:07:23 2010
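Gert's "deny ip any any log" advice in the SSH-lag thread above turns the guessing (ident? DNS?) into evidence: every match on a logged ACE produces a %SEC-6-IPACCESSLOGP syslog line. The script below is an added example, not code from any poster in the thread, that aggregates such lines by ACL, protocol and the well-known side of the flow so the service being dropped stands out. The sample lines are constructed in the real IOS log format: the ACL name is the thread's, but the resolver address 198.51.100.53, the client 210.15.210.5 and the host 203.12.53.10 are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread) in the format IOS emits for
# an ACE carrying the "log" keyword. The out-bound ACL on the VLAN2 SVI drops the
# DNS replies and the ident RST coming back to Host B, while the SSH SYN is permitted.
SAMPLE_LOG = """\
Jan  7 11:02:48.113: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied udp 198.51.100.53(53) -> 203.12.53.10(49152), 1 packet
Jan  7 11:02:53.120: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied udp 198.51.100.53(53) -> 203.12.53.10(49153), 1 packet
Jan  7 11:07:58.130: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied udp 198.51.100.53(53) -> 203.12.53.10(49154), 3 packets
Jan  7 11:03:01.002: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied tcp 210.15.210.5(113) -> 203.12.53.10(33001), 1 packet
Jan  7 11:03:05.440: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT permitted tcp 210.15.210.5(55000) -> 203.12.53.10(22), 1 packet
Jan  7 11:03:09.990: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# One regex for the TCP/UDP variant of the message (ICMP uses IPACCESSLOGDP and is skipped).
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)

# Services whose silent drop shows up as a slow login prompt on the server.
KNOWN_PORTS = {
    53: "DNS (reverse lookup of the connecting client)",
    113: "ident/auth lookup",
    22: "SSH",
}


def parse_acl_log(text):
    """Return one dict per IPACCESSLOGP line; other syslog lines are ignored."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "packets"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def service_port(rec):
    """Pick the well-known side of the flow: a source port below 1024 talking to an
    ephemeral port is a reply from a service, so count it under that service."""
    if rec["sport"] < 1024 <= rec["dport"]:
        return rec["sport"]
    return rec["dport"]


def summarize_denies(text):
    """Aggregate denied packet counts by (acl, proto, service port)."""
    totals = Counter()
    for rec in parse_acl_log(text):
        if rec["action"] == "denied":
            totals[(rec["acl"], rec["proto"], service_port(rec))] += rec["packets"]
    return totals


def report(text):
    """Human-readable summary, most-dropped service first."""
    lines = []
    for (acl, proto, port), count in summarize_denies(text).most_common():
        hint = KNOWN_PORTS.get(port, "unclassified")
        lines.append(f"{acl}: {count} packets denied to {proto}/{port} ({hint})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Two caveats when reading real output: IOS rate-limits ACL log messages (the first packet is logged, later matches are summarised with a packet count, which is why the parser sums the `packets` field rather than counting lines), and logged ACEs are handled by the CPU, so the trailing `deny ip any any log` is a troubleshooting step to remove once the missing permit has been found.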
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 7 Jan 2010 09:07:23 -0000
Subject: [c-nsp] Finding the serial numbers of cisco devices
Message-ID: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>

Hi, please help me. I have approximately hundreds of Cisco routers and switches. I want to find out the serial numbers for AMC. Can anybody help me how to find out in a single stretch.

Thanks, bye.

From nick at inex.ie Thu Jan 7 05:26:30 2010
From: nick at inex.ie (Nick Hilliard)
Date: Thu, 07 Jan 2010 10:26:30 +0000
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <4B45B6D6.6040802@inex.ie>

On 07/01/2010 09:07, ambedkar wrote:
> Hi, please help me. I have approximately hundreds of Cisco routers and switches. I want to find out the serial numbers for AMC. Can anybody help me how to find out in a single stretch.

install RANCID, then grep the configuration files.

Or manually / auto log into each and execute "show inventory".

Nick

From jviadzishchau at gmail.com Thu Jan 7 05:31:39 2010
From: jviadzishchau at gmail.com (Jauhen Viadzishchau)
Date: Thu, 07 Jan 2010 12:31:39 +0200
Subject: [c-nsp] Cisco 3620 and WIC-1ADSL
In-Reply-To: <052c01ca8f61$261b1830$72514890$@za.org>
References: <052c01ca8f61$261b1830$72514890$@za.org>
Message-ID: <4B45B80B.3070703@gmail.com>

Hello,

you are running the IP feature set (I-M), but according to the FN you need the IP PLUS (IS-M) minimum feature set to support ADSL cards. IP PLUS will also require 64MB DRAM and 16MB flash memory. Also, your IOS recognizes the WIC-ADSL as PA-1C-P, which is strange.

Jauhen.

Chris Knipe wrote:
> Hi,
>
> I have a C3620 with 2 ADSL WICs inside a NM-1FE2W (which is supposed to be confirmed working). After lots of googling, I read much controversy about what is supposed to work and what not, both in terms of hardware, as well as software versions. From my understanding, I am running an IOS which is supposed to be supported.
>
> Before I upgraded (old IOS), the WIC-1ADSL cards were not detected. Now, both cards are detected, but I still do not have any ATM interfaces available. I would appreciate it if anyone can point me in the right direction please - or, do I have an oversized paper weight here?
>
> sh ver and sh diag below.
>
> Many thanks,
> Chris.
>
> cpt-cc-core01#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) 3600 Software (C3620-I-M), Version 12.3(21), RELEASE SOFTWARE (fc2)
>
> cpt-cc-core01#sh diag
> Slot 0:
> NM-1FE2W Port adapter, 1 port
> Port adapter is analyzed
> Port adapter insertion time unknown
> EEPROM contents at hardware discovery:
> Hardware Revision : 1.0
> Top Assy. Part Number : 800-04796-01
> Board Revision : F0
> Deviation Number : 0-8707
> Fab Version : 05
> PCB Serial Number : JAD05350Y3U
> RMA Test History : 00
> RMA Number : 0-0-0-0
> RMA History : 00
> Product (FRU) Number : NM-1FE2W=
> EEPROM format version 4
> EEPROM contents (hex):
> 0x00: 04 FF 40 00 D7 41 01 00 C0 46 03 20 00 12 BC 01
> 0x10: 42 46 30 80 00 00 22 03 02 05 C1 8B 4A 41 44 30
> 0x20: 35 33 35 30 59 33 55 03 00 81 00 00 00 00 04 00
> 0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
>
> WIC Slot 0:
> DSL SAR (ADSL)
>
> Hardware Revision : 2.3
> Part Number : 73-4771-09
> Board Revision : C0
> Deviation Number : 0-0
> Fab Version : 05
> PCB Serial Number : FOC10161M3C
> RMA Test History : 00
> RMA Number : 0-0-0-0
> RMA History : 00
> Product (FRU) Number : PA-1C-P=
> EEPROM format version 4
> EEPROM contents (hex):
> 0x00: 04 FF 40 00 2E 41 02 03 82 49 12 A3 09 42 43 30
> 0x10: 80 00 00 00 00 02 05 C1 8B 46 4F 43 31 30 31 36
> 0x20: 31 4D 33 43 03 00 81 00 00 00 00 04 00 FF FF FF
> 0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
>
> WIC Slot 1:
> DSL SAR (ADSL)
>
> Hardware Revision : 2.3
> Part Number : 73-4771-08
> Board Revision : B0
> Deviation Number : 0-0
> Fab Version : 05
> PCB Serial Number : FOC07330WL9
> RMA Test History : 00
> RMA Number : 0-0-0-0
> RMA History : 00
> Product (FRU) Number : PA-1C-P=
> EEPROM format version 4
> EEPROM contents (hex):
> 0x00: 04 FF 40 00 2E 41 02 03 82 49 12 A3 08 42 42 30
> 0x10: 80 00 00 00 00 02 05 C1 8B 46 4F 43 30 37 33 33
> 0x20: 30 57 4C 39 03 00 81 00 00 00 00 04 00 FF FF FF
> 0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From lists at hojmark.org Thu Jan 7 05:40:58 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 07 Jan 2010 11:40:58 +0100
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID:

On 7 Jan 2010 09:07:23 -0000, you wrote:
> Hi, please help me. I have approximately hundreds of Cisco routers and switches. I want to find out the serial numbers for AMC. Can anybody help me how to find out in a single stretch.

Look at Pari Network Assessment Tool (PNAT)
http://www.parinetworks.com/products/pari_network_assessment_tool.htm

It's very easy to use and works well.

-A

PS: You could of course get the same thing manually with telnet, show version, show inventory, etc., cut-and-paste, a bit of scripting, a spreadsheet etc.

From amolsapkal at gmail.com Thu Jan 7 05:42:20 2010
From: amolsapkal at gmail.com (Amol Sapkal)
Date: Thu, 7 Jan 2010 14:42:20 +0400
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <4B45B6D6.6040802@inex.ie>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com> <4B45B6D6.6040802@inex.ie>
Message-ID:

If you have a linux box that has SNMP access to all devices, this task would become very easy and fast with a simple Perl script and SNMP. I had written a similar script a few years back; let me know if you need it!

On Thu, Jan 7, 2010 at 2:26 PM, Nick Hilliard wrote:
> On 07/01/2010 09:07, ambedkar wrote:
> > Hi, please help me. I have approximately hundreds of Cisco routers and switches. I want to find out the serial numbers for AMC. Can anybody help me how to find out in a single stretch.
>
> install RANCID, then grep the configuration files.
>
> Or manually / auto log into each and execute "show inventory".
>
> Nick

-- 
Warm regards,
Amol Sapkal
-------------------------------------------------------------------
"When I'm not in my right mind, my left mind gets pretty crowded"
-------------------------------------------------------------------

From gkg at gmx.de Thu Jan 7 05:29:43 2010
From: gkg at gmx.de (Garry)
Date: Thu, 07 Jan 2010 11:29:43 +0100
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <4B45B797.3020505@gmx.de>

ambedkar wrote:
> Hi, please help me. I have approximately hundreds of Cisco routers and switches. I want to find out the serial numbers for AMC. Can anybody help me how to find out in a single stretch.

If you are doing SNMP management, and have a DB of all IPs and SNMP-Communities, you could hack a little script to query the serial# via SNMP ... e.g.: SNMPv2-SMI::mib-2.47.1.1.1.1.11.1 is the serial# for an 800 series router ... of course, this will only cover the base system in the case of modular routers ... not sure if/how you could query modules inserted into those ...

-garry

From A.L.M.Buxey at lboro.ac.uk Thu Jan 7 06:08:45 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 7 Jan 2010 11:08:45 +0000
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <20100107110845.GA13227@lboro.ac.uk>

hi,

use eg RANCID, home scripts (with SNMP, telnet/ssh etc) or a package such as NetDISCO

alan

From thegameiam at yahoo.com Thu Jan 7 06:29:50 2010
From: thegameiam at yahoo.com (David Barak)
Date: Thu, 7 Jan 2010 03:29:50 -0800 (PST)
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <501910.28023.qm@web31806.mail.mud.yahoo.com>

> Hi, please help me. I have approximately hundreds of Cisco routers and switches. I want to find out the serial numbers for AMC. Can anybody help me how to find out in a single stretch.

+1 for using an SNMP tool to automatically gather this. Rancid, Netbrain, or the other tool of your choice.

One note: if you have a 7200 router, the SN that the router will report is NOT the one you want - you want a number that starts with a 7, and is on a sticky label on the back of the router. To the best of my knowledge there isn't a way to pull that from the router remotely if you didn't add it in (using snmp-server chassis-id or the like). Other than that, the automated tools are definitely the way to go.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

From david.freedman at uk.clara.net Thu Jan 7 09:09:20 2010
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 07 Jan 2010 14:09:20 +0000
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To:
References:
Message-ID:

Prior to MPLS we null routed *all* our "supernets" (public aggregated announcements) on *all* core routers such that unknown traffic only made it as far as the nearest core (of which there are at least two in each PoP), of course if your ASN becomes partitioned then you have to be prepared to deal with this, our solution being never to allow the AS to be partitioned by building a highly resilient topology :)

More specific customer networks in BGP were tagged by route-map and had our "internal" communities applied plus "no-export" to ensure that they couldn't be leaked by accident (say if border community filtering failed somehow)

When you add MPLS into the mix (for internet routing, not just VPN) your border router becomes an LER and as such you can't take advantage of the core routers and have them MPLS only LSRs at the same time. One solution may be to inject your supernets from your sources (i.e. reflectors), perhaps with a bogus next hop (i.e. with enough validity to be announced but not forwarding if it ever became a valid route for traffic to follow at the edge)

Hope this helps

Dave./

Drew Weaver wrote:
> Howdy,
>
> I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers, currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes setup like ip route x.x.x.x 255.255.224.0 Null0 254 and then we have an extended access-list applied to each peer with our net blocks listed in them.
>
> It appears that because of the network statements, the supernet routes (/18s, /19s, etc) are being distributed via BGP to the rest of the network which is by design (I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than say /18, or /19 it travels all the way through the network to the edge before stopping. I might be blowing the impact of this out of proportion, but it just seems like a waste of resources.
>
> Does anyone know of a seemingly more sensible way of doing this?
>
> -Drew

From scottowens12 at gmail.com Thu Jan 7 10:15:30 2010
From: scottowens12 at gmail.com (scott owens)
Date: Thu, 7 Jan 2010 09:15:30 -0600
Subject: [c-nsp] Data Center cooling
Message-ID:

Hello,

Has anyone looked at using outside air to provide data center cooling during the winter season? I am aware of Google and Intel research into this area but how about on a smaller scale? How about raising ambient temperatures as well - do you keep your data centers at 65 or 80?

Thank you,
Scott

From gert at greenie.muc.de Thu Jan 7 10:51:46 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 7 Jan 2010 16:51:46 +0100
Subject: [c-nsp] Data Center cooling
In-Reply-To:
References:
Message-ID: <20100107155146.GD857@greenie.muc.de>

Hi,

On Thu, Jan 07, 2010 at 09:15:30AM -0600, scott owens wrote:
> temperatures as well - do you keep your data centers at 65 or 80 ?

We try to stay below 22. But 80 is good for green tea.

gert
-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From jshearer at amedisys.com Thu Jan 7 11:05:16 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Thu, 7 Jan 2010 10:05:16 -0600
Subject: [c-nsp] Data Center cooling
In-Reply-To: <20100107155146.GD857@greenie.muc.de>
References: <20100107155146.GD857@greenie.muc.de>
Message-ID:

I am hoping you mean 22C? :)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Thursday, January 07, 2010 9:52 AM
To: scott owens
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Data Center cooling

Hi,

On Thu, Jan 07, 2010 at 09:15:30AM -0600, scott owens wrote:
> temperatures as well - do you keep your data centers at 65 or 80 ?

We try to stay below 22. But 80 is good for green tea.

gert
-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

*** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. ***

From jens.neu at biotronik.com Thu Jan 7 10:37:29 2010
From: jens.neu at biotronik.com (Jens Neu)
Date: Thu, 7 Jan 2010 16:37:29 +0100
Subject: [c-nsp] ACLs and 2948G-L3
Message-ID:

Dear all,

I've come across a lot of people complaining about the 2948G-L3 and access-lists. I defined two extended access-lists which are bound to FastEthernet35 (in and out). The switch complains nowhere, but when the ACLs should trigger, this appears in the log:

Jan 6 16:03:57 172.16.15.250 13651: Jan 6 15:03:56.983 UTC: ACL card not present for interface FastEthernet35
Jan 6 16:04:05 172.16.15.250 13652: Jan 6 15:04:04.296 UTC: ACL card not present for interface FastEthernet35

I'm running SW 12.0(25)W5(27d) on the device, while http://www.cisco.com/cgi-bin/tablebuild.pl/cat2948g-l3 tells me this is the most recent one.

Can anyone enlighten me what this "ACL card" is about? Is there a way to use ACLs on the device at all?

thanks and best regards!

Jens Neu
www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Register court: Berlin HRA 6501
Represented by its general partner: BIOTRONIK MT SE
Registered office: Berlin, Register court: Berlin HRB 118866 B
Chairman of the Administrative Board: Dr. Max Schaldach
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. Lothar Krings

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management systems and Vascular Intervention devices. Quality, innovation, and reliability define BIOTRONIK and our growing success. We are innovators of technologies like the first wireless remote monitoring system - Home Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as state-of-the-art stents, balloons and guide wires for coronary and peripheral indications. We highly invest in the development of drug eluting devices and are leading the industry with our bioabsorbable metal stent program.

This e-mail and the information it contains including attachments are confidential and meant only for use by the intended recipient(s); disclosure or copying is strictly prohibited. If you are not addressed, but in the possession of this e-mail, please notify the sender immediately and delete the document.

From justin at justinshore.com Thu Jan 7 11:10:55 2010
From: justin at justinshore.com (Justin Shore)
Date: Thu, 07 Jan 2010 10:10:55 -0600
Subject: [c-nsp] Data Center cooling
In-Reply-To:
References:
Message-ID: <4B46078F.4040709@justinshore.com>

scott owens wrote:
> Hello,
>
> Has anyone looked at using outside air to provide data center cooling during the winter season? I am aware of Google and Intel research into this area but how about on a smaller scale? How about raising ambient temperatures as well - do you keep your data centers at 65 or 80?

The topic came up on NANOG several times in the past. I seem to recall someone saying that they used outside air as well since they were in very high latitudes. You might try searching those list archives.

Justin

From chip.gwyn at gmail.com Thu Jan 7 11:15:57 2010
From: chip.gwyn at gmail.com (chip)
Date: Thu, 7 Jan 2010 11:15:57 -0500
Subject: [c-nsp] Finding the serial numbers of cisco devices
In-Reply-To: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
References: <20100107090723.55317.qmail@f4mail-235-139.rediffmail.com>
Message-ID: <64a8ad981001070815l31700d46ta6e1c9c5c9ad5456@mail.gmail.com>

On Thu, Jan 7, 2010 at 4:07 AM, ambedkar wrote:
>
> Hi, please help me. I have approximately hundreds of Cisco routers and switches. I want to find out the serial numbers for AMC. Can anybody help me how to find out in a single stretch.
>
> Thanks, bye.

As you work through your gear you'll notice different versions of IOS can give slightly different answers to the same questions, whether you use 'show inventory' or snmp poll for entPhysicalDescr, entPhysicalSerialNum, or entPhysicalModelName. You're also going to have a difficult time with the old AS-2511rj console servers and the smaller 1900/2900 style switches.

If you have an all Cisco shop, you can download an eval version of their tool to automate this:
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/index.html

Requires a CCO account and a win2008 or solaris server.

--chip

-- 
Just my $.02, your mileage may vary, batteries not included, etc....

From jasonleblanc at gmail.com Thu Jan 7 11:19:04 2010
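Nick's "show inventory" suggestion and chip's note on ENTITY-MIB above both end at the same step: once the output has been collected from every box (by RANCID, a login script or an SNMP poll), it has to be normalised into one table that a maintenance contract can be checked against. The script below is an added example, not code from any poster or from any tool mentioned in the thread, that parses "show inventory" text for several devices into CSV and separately lists the entries that report no serial number, which is what modules without an IDPROM look like and what David Barak's 7200 note warns about in another form. The two devices, their hostnames and all serial numbers are constructed.

```python
import csv
import io
import re

# Constructed "show inventory" output for two devices (hostnames, PIDs and serials are made up).
# The HWIC entry has an empty SN field on purpose: some modules report none.
SAMPLE_INVENTORY = {
    "rtr-branch-01": """\
NAME: "Chassis", DESCR: "Cisco 3825 chassis"
PID: CISCO3825         , VID: V01 , SN: FTX0000ABCD

NAME: "c3825 Motherboard with Gigabit Ethernet on Slot 0", DESCR: "c3825 Motherboard with Gigabit Ethernet"
PID: CISCO3825-MB      , VID: V01 , SN: FOC0000WXYZ

NAME: "WIC/VWIC/HWIC 0 on Slot 0", DESCR: "2 Port FE HWIC"
PID: HWIC-2FE          , VID: V01 , SN:
""",
    "sw-access-01": """\
NAME: "1", DESCR: "WS-C3550-24"
PID: WS-C3550-24       , VID: V02 , SN: CAT0000ZZZZ
""",
}

# Each inventory entry is a NAME/DESCR line followed by a PID/VID/SN line.
NAME_RE = re.compile(r'NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"')
PID_RE = re.compile(r'PID:\s*(?P<pid>[^,\s]*)\s*,\s*VID:\s*(?P<vid>[^,\s]*)\s*,\s*SN:\s*(?P<sn>\S*)')

FIELDS = ["host", "name", "descr", "pid", "vid", "sn"]


def parse_show_inventory(text):
    """Return a list of dicts (name, descr, pid, vid, sn), one per inventory entry."""
    entries = []
    pending = None
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            pending = m.groupdict()  # wait for the PID line that belongs to it
            continue
        m = PID_RE.search(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            entries.append(pending)
            pending = None
    return entries


def inventory_to_rows(outputs):
    """Flatten {hostname: show-inventory-text} into rows tagged with the host."""
    rows = []
    for host, text in outputs.items():
        for entry in parse_show_inventory(text):
            rows.append({"host": host, **entry})
    return rows


def inventory_csv(outputs):
    """CSV text with one row per chassis/module, ready for a spreadsheet or the AMC list."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(inventory_to_rows(outputs))
    return buf.getvalue()


def missing_serials(outputs):
    """(host, name) pairs whose SN field came back empty and need a physical check."""
    return [(r["host"], r["name"]) for r in inventory_to_rows(outputs) if not r["sn"]]


if __name__ == "__main__":
    print(inventory_csv(SAMPLE_INVENTORY))
    print("no serial reported:", missing_serials(SAMPLE_INVENTORY))
```

The two regexes are deliberately tolerant of the padding IOS puts before the commas, and DESCR is matched inside its quotes so descriptions containing commas survive. Feeding the same parser the per-device files RANCID keeps is the quickest way to get the whole estate into one table.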
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Thu, 7 Jan 2010 09:19:04 -0700
Subject: [c-nsp] Bug ID CSCsv50653
In-Reply-To:
References: <4B450899.4030801@utc.edu>
Message-ID: <86AB693B-23FF-4380-AB7D-2FAD96D4DBF5@gmail.com>

Is 12.2(46)SE6 the recommended most stable version then since it was the last supported version?

On Jan 6, 2010, at 3:47 PM, Hector Herrera wrote:

> On Wed, Jan 6, 2010 at 2:03 PM, Jeff Kell wrote:
>> On 1/6/2010 4:55 PM, Jason Shearer wrote:
>>> After reload, 3550 does not load share
>>>
>>> 1st Found-In
>>> 12.2(35)SE
>>> Known Affected Versions
>>>
>>> Fixed-In
>>> 12.2(50)SE
>>> 12.2(50)SE1
>>
>> Well, that's a major crock-o-stuff, as 12.2(46)SE6 is the last officially supported/provided IOS release for that platform (other than the DC version).
>>
>> Jeff
>
> Yes, that is quite ugly. I'm currently using 12.2(50)SE3 on a 3550-12T and the only difficulties that I have run into is a high ( > 90% cpu load when total throughput on the load-balanced links reaches 200 Mbps ).
>
> I am curious to find out if the high cpu load is caused by some incompatibility between 12.2(50)SE3 and the 3550-12T (since the version is not officially supported on the platform). However, this bug (no load sharing after reload) is making me think twice about testing 12.2(46)SE6.
>
> On the other hand, the bug fix for this issue could be the reason for the high cpu load ....
>
> Out of curiosity, is anybody here using a 3550 to route more than 200Mbps ( at about 40,000 packets per second forwarding rate ), I would be interested in comparing cpu loads with or without load-sharing.
>
> Thank you for all the copies of the bug that I received (both to the list and privately).
>
> --
> Hector Herrera

From gert at greenie.muc.de Thu Jan 7 11:19:34 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 7 Jan 2010 17:19:34 +0100
Subject: [c-nsp] Data Center cooling
In-Reply-To:
References: <20100107155146.GD857@greenie.muc.de>
Message-ID: <20100107161934.GE857@greenie.muc.de>

Hi,

On Thu, Jan 07, 2010 at 10:05:16AM -0600, Jason Shearer wrote:
> I am hoping you mean 22C? :)

Yes. 22K would be a bit too cold, indeed.

gert
-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From bmanning at vacation.karoshi.com Thu Jan 7 11:25:16 2010
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Thu, 7 Jan 2010 16:25:16 +0000
Subject: [c-nsp] Data Center cooling
In-Reply-To:
References: <20100107155146.GD857@greenie.muc.de>
Message-ID: <20100107162516.GA1886@vacation.karoshi.com.>

better than 22K

--bill

On Thu, Jan 07, 2010 at 10:05:16AM -0600, Jason Shearer wrote:
> I am hoping you mean 22C? :)
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Thursday, January 07, 2010 9:52 AM
> To: scott owens
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Data Center cooling
>
> Hi,
>
> On Thu, Jan 07, 2010 at 09:15:30AM -0600, scott owens wrote:
> > temperatures as well - do you keep your data centers at 65 or 80 ?
>
> We try to stay below 22. But 80 is good for green tea.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From lists at hojmark.org Thu Jan 7 11:43:59 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 07 Jan 2010 17:43:59 +0100
Subject: [c-nsp] ACLs and 2948G-L3
In-Reply-To: 
References: 
Message-ID: 

On Thu, 7 Jan 2010 16:37:29 +0100, you wrote:

> I've come across a lot of people complaining about the 2948G-L3 and
> access-lists. I defined two extended access-lists which are bound to
> FastEthernet35 (in and out). The switch complains nowhere, but when the
> ACLs should trigger, this appears in the log:

ACLs are only supported on the GE interfaces, not FE.

-A

From SPfister at dps.k12.oh.us  Thu Jan 7 12:12:11 2010
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 07 Jan 2010 12:12:11 -0500
Subject: [c-nsp] IRB and channel-group help needed
Message-ID: <4B45D00D.9E6F.00B8.0@dps.k12.oh.us>

I've got an 8540 switch running 12.1(20)E set up with IRB and I've got two interfaces I'm looking at:

interface GigabitEthernet0/0/3
 no ip address
 no ip redirects
!
interface GigabitEthernet0/0/3.1
 description Native VLAN
 encapsulation dot1Q 1 native
 no ip redirects
!
interface GigabitEthernet0/0/3.99
 encapsulation dot1Q 99
 no ip redirects
 no cdp enable
 bridge-group 99

The other interface is Gigabit0/0/4 and is set up the exact same way. I'd like to be able to set up a channel group for those two interfaces. I set up the port channel like:

interface Port-channel1
 no ip address
 hold-queue 300 in
!
interface Port-channel1.1
 encapsulation dot1Q 1 native
 no ip redirects
!
interface Port-channel1.99
 encapsulation dot1Q 99
 no ip redirects
 bridge-group 99

But if I apply it to one of the interfaces, I get an error: "Error: Interface has sub-interface configured". I can take the subinterfaces off temporarily and set up the channel-group, but if I try to re-add the subinterfaces, I can't do that. Is this something that is possible? If so, what am I missing?

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From rob.mengert at pipelinefinancial.com  Thu Jan 7 11:40:26 2010
From: rob.mengert at pipelinefinancial.com (Robert Mengert)
Date: Thu, 7 Jan 2010 11:40:26 -0500
Subject: [c-nsp] Data Center cooling
In-Reply-To: <20100107161934.GE857@greenie.muc.de>
References: <20100107155146.GD857@greenie.muc.de> <20100107161934.GE857@greenie.muc.de>
Message-ID: 

Has the Fahrenheit scale been eradicated?  If so, this is an odd place to first be hearing about it :)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Thursday, January 07, 2010 11:20 AM
To: Jason Shearer
Cc: scott owens; Gert Doering; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Data Center cooling

[...]

Yes.  22K would be a bit too cold, indeed.

gert

From gsgranados at comcast.net  Thu Jan 7 12:33:21 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 7 Jan 2010 09:33:21 -0800
Subject: [c-nsp] Data Center cooling
References: <20100107155146.GD857@greenie.muc.de> <20100107161934.GE857@greenie.muc.de>
Message-ID: <009d01ca8fbf$8a96e1f0$2408120a@am.thmulti.com>

Well, in the rest of the world outside the US definitely; remember there is a larger world out there.  We're the last (I think) not to go metric.

----- Original Message ----- 
From: "Robert Mengert"
To: "Gert Doering" ; "Jason Shearer"
Cc: "scott owens" ;
Sent: Thursday, January 07, 2010 8:40 AM
Subject: Re: [c-nsp] Data Center cooling

> Has the Fahrenheit scale been eradicated?  If so, this is an odd place
> to first be hearing about it :)
>
> -----Original Message-----
> [...]

From mksmith at adhost.com  Thu Jan 7 13:08:36 2010
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 7 Jan 2010 10:08:36 -0800
Subject: [c-nsp] Data Center cooling
In-Reply-To: 
References: 
Message-ID: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>

Hello Scott:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of scott owens
> Sent: Thursday, January 07, 2010 7:16 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Data Center cooling
>
> Hello,
>
> Has anyone looked at using outside air to provide data center cooling
> during the winter season ?  I am aware of Google and Intel research into
> this area but how about on a smaller scale ?  How about raising ambient
> temperatures as well - do you keep your data centers at 65 or 80 ?
>
> Thank you,
> Scott

We are in Seattle and use an air-exchanger system that relies on outside air as much as possible, and then blends in chilled water as necessary up to 100% chilled.  It's fairly common here because of the nature of our climate, and the psychrometric scale (http://en.wikipedia.org/wiki/Psychrometrics) is favorable for us.

We've also looked at increasing our data center temps from 68F/20C to closer to 78F/25.56C (hi Gert), but our marketing folks have been the most resistant because of the prevailing expectation that colder is better.  There is some good research and testing being done by Microsoft, Intel and Google in this arena, but I don't think enough has been published yet to give that calming feeling to the marketing folks.  I would imagine, however, that we will see increasing data center temperatures more and more in the coming years.

Regards,

Mike

From gert at greenie.muc.de  Thu Jan 7 13:32:08 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 7 Jan 2010 19:32:08 +0100
Subject: [c-nsp] ACLs and 2948G-L3
In-Reply-To: 
References: 
Message-ID: <20100107183208.GN857@greenie.muc.de>

Hi,

On Thu, Jan 07, 2010 at 05:43:59PM +0100, Asbjorn Hojmark - Lists wrote:
> > I've come across a lot of people complaining about the 2948G-L3 and
> ACLs are only supported on the GE interfaces, not FE.

And even there, there are nasty surprises lurking if the ACLs get too long (they won't be installed, and the accompanying error message is ONLY logged to the console).

The 2948G-L3 is not even a good door stop.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From sethm at rollernet.us  Thu Jan 7 13:47:40 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 07 Jan 2010 10:47:40 -0800
Subject: [c-nsp] Data Center cooling
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
Message-ID: <4B462C4C.50807@rollernet.us>

Michael K. Smith - Adhost wrote:
> [...]
>
> We've also looked at increasing our data center temps from 68F/20C to
> closer to 78F/25.56C (hi Gert), but our marketing folks have been the
> most resistant because of the prevailing expectation that colder is
> better.  [...] I would imagine, however, that we will see increasing
> data center temperatures more and more in the coming years.
>

Cooler temperatures can give you some headroom in the event of a malfunction or hiccup that results in cooling capacity reduction. That may or may not be an issue depending on your location. I don't have the article handy, but I recall Google mentioning that they can just "turn off" and redistribute load to other datacenters if one gets too hot.

~Seth

From oles at ovh.net  Thu Jan 7 13:59:28 2010
From: oles at ovh.net (oles at ovh.net)
Date: Thu, 7 Jan 2010 19:59:28 +0100
Subject: [c-nsp] Data Center cooling
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
Message-ID: <20100107185927.GA31395@ovh.net>

> I would imagine, however, that we will see increasing data center
> temperatures more and more in the coming years.

In 2004 & 2007 we developed the EcoDatacenter. 12 months per year, we use only water & outside air for the cooling of the 70 000 dedicated servers that we host. We are #1 in Europe. Our PUE = 1.12; it means we don't waste power on cooling. That is why our prices are cheaper and our customers love it. It's our marketing.

Some videos:
http://www.youtube.com/user/OvhComOnVousHeberge

From sthaug at nethelp.no  Thu Jan 7 13:59:33 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 07 Jan 2010 19:59:33 +0100 (CET)
Subject: [c-nsp] ACLs and 2948G-L3
In-Reply-To: <20100107183208.GN857@greenie.muc.de>
References: <20100107183208.GN857@greenie.muc.de>
Message-ID: <20100107.195933.78793254.sthaug@nethelp.no>

> > > I've come across a lot of people complaining about the 2948G-L3 and
> > ACLs are only supported on the GE interfaces, not FE.
> 
> And even there, there are nasty surprises lurking if the ACLs get too
> long (they won't be installed, and the accompanying error message is
> ONLY logged to the console).
> 
> The 2948G-L3 is not even a good door stop.

And hasn't been for quite a few years. I'm *very* glad we got rid of our last 2948G-L3 around the 2003 time frame.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From peter at rathlev.dk  Thu Jan 7 14:08:28 2010
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 07 Jan 2010 20:08:28 +0100
Subject: [c-nsp] IOS Code Recommendations
In-Reply-To: 
References: 
Message-ID: <1262891308.3649.31.camel@localhost>

Hi Jason,

On Sat, 2010-01-02 at 23:11 -0700, Jason LeBlanc wrote:
> Cisco only does safe harbor on a few select devices.  Being as how
> this group is made up of a lot of service providers and enterprise
> networks, does anyone know the latest stable version of code for any
> or all of the following:
> 
> 2651XM
> WS-C3550-24-PWR
> WS-C3560-24PS-S
> Catalyst 3560-48TS

I think the reason people are unwilling to give any advice on this (also cf. your later questions) might be because the question is hard to answer precisely, even for low grades of precision.

For the 2651XM you have a huge lot of possibilities for different versions (depending on amount of RAM), and which one suits your needs would vary with what features you want to use. Without any information regarding the latter your question is incomplete.

We have been using 12.2(40) mainline with several 2600s with no problems for a long time, though not with XM models. They're primarily 2610s used as RTR queriers and responders, and a few devices for DLSw+ termination.

Regarding the L3 switches: I was once told by an expert I respect a lot (non Cisco employee) to generally use the newest supported version and hope for the best. We currently use (as the customer) a few hundred 3560s running 12.2(35)SE5 IP Services as multi VRF-Lite CPE devices in "branch offices". The only bug that has bitten us so far is that interface counters don't show drops (e.g. OutDiscards).

We use lots of 3560s currently running 12.2(50)SE1 and SE3 IP Base and only doing L2. No problems so far. (And OutDiscard counters work.)

We also have a handful of 3550s running 12.2(50)SE3 IP Base; this is not supported, but we haven't had any problems so far. We replace them with 3560s on occasion. (The 3550 was IMHO a better platform though.)
Remember that if you are using the 3550s for anything critical you really should use a supported release.

-- 
Peter

From panocisco77 at gmail.com  Thu Jan 7 14:08:38 2010
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Thu, 7 Jan 2010 14:08:38 -0500
Subject: [c-nsp] CIsco 6509-E issues
In-Reply-To: <535857.93381.qm@web27904.mail.ukl.yahoo.com>
References: <16e2ac180912290541n6cfcb6b2yb4de7a88f40bd7f7@mail.gmail.com> <535857.93381.qm@web27904.mail.ukl.yahoo.com>
Message-ID: <16e2ac181001071108gd875460r3ff0a0e5460ccd21@mail.gmail.com>

Thank you for all the responses I've received on this issue, but I figured it out. It was a native VLAN issue: I kind of had the wrong native VLAN number. Once I fixed it, everything went back to normal.

On Sat, Jan 2, 2010 at 12:09 PM, C and C Dominte wrote:

> Hi,
>
> Is there any chance of overlapping subnets configured on two different
> routers?
>
> I saw similar issues caused by this, but traceroute and show ip route
> commands should help diagnosing that.
>
> Catalin
>
> ------------------------------
> *From:* Lee
> *To:* Renelson Panosky
> *Cc:* cisco-nsp at puck.nether.net
> *Sent:* Tue, 29 December, 2009 21:53:57
> *Subject:* Re: [c-nsp] CIsco 6509-E issues
>
> On Tue, Dec 29, 2009 at 8:41 AM, Renelson Panosky wrote:
>
> > I am experiencing a small problem with one of my Cisco 6509-Es on my
> > network. My management device (SNMP) is showing one of my switches is down,
> > but I am able to log in to the switch, ping it from my PC, ping it from
> > other Cisco devices on the network. A couple of computers on my network
> > are not able to ping it or telnet to it; however, every user who is
> > directly connected to that switch is able to get online. I have not
> > received any complaints yet from any of my users. I just want to make
> > sure this doesn't turn into a bigger issue. Any advice?
>
> I've seen the same type of thing - traceroute to find where it
> breaks and 'clear ip route *' on that box or the next hop cleared it up.
>
> Regards,
> Lee
>
> > Happy Holidays

From Joel.Snyder at Opus1.COM  Thu Jan 7 11:33:13 2010
From: Joel.Snyder at Opus1.COM (Joel Snyder)
Date: Thu, 07 Jan 2010 09:33:13 -0700
Subject: [c-nsp] Data Center cooling
Message-ID: <4B460CC9.5010503@opus1.com>

> Has anyone looked at using outside air to provide data center
> cooling during the winter season ?
> I am aware of Google and Intel research into
> this area but how about on a smaller scale ?
> How about raising ambient
> temperatures as well - do you keep your data centers at 65 or 80 ?

We do this and we have had mixed success.

We have Liebert A/C units which have something they call an "economizer." Essentially, when the outside temperature falls below a certain point as measured by a simple thermostat, the A/C unit moves a damper and instead of sucking hot air from the room to cool, it sucks cold air from the outside, filters it, and blows it in. At the same time, it turns off the compressor (because the air is, in theory, already cold).

In the sales presentations and talking to A/C gurus, it all sounded very smart and economical, but we've found that the actual management of the damper and the temperature at which it shifts are very delicate settings. Depending on the time of the day (i.e., is there sunlight on that side of the building or not?) and the season of the year (i.e., is this just a little cold snap or an extended period?), as well as the outside humidity level (is it very different from the humidity in the room or not?), the temperature has to be adjusted a bit in each direction. Our units don't have a computer control for that, so that means someone goes out every few weeks with a screwdriver and manually fiddles the economizer thermostat settings. We can compensate a bit on the computer control side by changing the system thermostat around a few degrees, but there is no direct linkage between the economizer part of the system--it's completely independent, essentially an add-on--and the rest of the cooling system.
I honestly can't tell whether we are saving any money on this or not, but for our latitude and climate, I would not recommend it to anyone else. We have had to replace the thermostats and damper controllers, and that eats up $300 to $500 for every service call. Plus, while we were learning about it, we had some midnight room-got-too-hot moments, which also cost us.

I think that if you lived someplace where it was in the 5C/40F range or below day-round for weeks at a time, this would probably work (assuming that you have physical ability to install this kind of unit). In our climate, where it is 5C/40F for 8 hours at night and 20C/70F the rest of the day, for our 3 month winter, it was probably not the right decision.

jms

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms

From mulitskiy at acedsl.com  Thu Jan 7 14:29:57 2010
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Thu, 7 Jan 2010 14:29:57 -0500
Subject: [c-nsp] IRB and channel-group help needed
In-Reply-To: <4B45D00D.9E6F.00B8.0@dps.k12.oh.us>
References: <4B45D00D.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <201001071429.57202.mulitskiy@acedsl.com>

I have it working exactly this way. My IOS is 12.1(26)E7. The only special thing I remember about it is that if you want to spread port-channels across different cards then those cards must be the same (or compatible). For example you can't have a port-channel over ports on a GE card and an Enhanced GE card, or between a card with the ACL daughter card and one without it.

Michael

On Thursday 07 January 2010 12:12:11 pm Steven Pfister wrote:
> I've got a 8540 switch running 12.1(20)E set up with IRB and I've got two interfaces I'm looking at:
> 
> [...]
> 
> But if I apply it to one of the interfaces, I get an error: "Error: Interface has sub-interface configured". I can take the subinterfaces off temporarily and set up the channel-group, but if I try to re-add the subinterfaces, I can't do that. Is this something that is possible? If so, what am I missing?
> 
> [...]
From jasonleblanc at gmail.com  Thu Jan 7 15:12:56 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Thu, 7 Jan 2010 13:12:56 -0700
Subject: [c-nsp] IOS Code Recommendations
In-Reply-To: <1262891308.3649.31.camel@localhost>
References: <1262891308.3649.31.camel@localhost>
Message-ID: 

Peter,

I understand the hesitation. I won't hold anyone accountable. We generally max out memory when we purchase devices so the XMs are stacked. I cannot find a lot of definitive answers online so I figured I would ping the community in hopes of finding caveats like the OutDiscards not working.

Thank you very much for your time. I can definitely build off of this.

Regards,
//LeBlanc

On Jan 7, 2010, at 12:08 PM, Peter Rathlev wrote:

> Hi Jason,
> 
> On Sat, 2010-01-02 at 23:11 -0700, Jason LeBlanc wrote:
>> Cisco only does safe harbor on a few select devices.  Being as how
>> this group is made up of a lot of service providers and enterprise
>> networks, does anyone know the latest stable version of code for any
>> or all of the following:
>> 
>> 2651XM
>> WS-C3550-24-PWR
>> WS-C3560-24PS-S
>> Catalyst 3560-48TS
> 
> [...]
From jared.a.gillis at gmail.com  Thu Jan 7 15:23:17 2010
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Thu, 07 Jan 2010 12:23:17 -0800
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
Message-ID: <4B4642B5.70501@gmail.com>

Hi all,

I just ran into a strange problem on a 3750ME.  I've got two gig ports in an active LACP port-channel looking like this:

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 1 mode active
end

interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 1 mode active
end

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
end

When I added vlan 400 to the trunk allowed vlan list, one of the underlying gig ports flapped, which caused the port-channel to flap as well.

Jan  7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Jan  7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
Jan  7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to down
Jan  7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Jan  7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
Jan  7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
Jan  7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan400, changed state to up

This definitely seems like something that should not happen.  I'm running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2).
Any thoughts on what I should be checking?
--Jared

From buz.dale at usg.edu  Thu Jan 7 15:32:23 2010
From: buz.dale at usg.edu (Harold 'Buz' Dale)
Date: Thu, 7 Jan 2010 15:32:23 -0500
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
In-Reply-To: <4B4642B5.70501@gmail.com>
References: <4B4642B5.70501@gmail.com>
Message-ID: 

Check the other end to make sure the LACP config is correct, and maybe a "sh etherchannel" variation to look at what is going on. If the LACP is wrong maybe the trunk was carried over gi1/0/1.

Luck,
Buz

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Gillis
Sent: Thursday, January 07, 2010 3:23 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap

Hi all,

I just ran into a strange problem on a 3750ME.  I've got two gig ports in an active LACP port-channel looking like this:

[...]
From tvarriale at comcast.net  Thu Jan 7 16:52:51 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 7 Jan 2010 15:52:51 -0600
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel toflap
References: <4B4642B5.70501@gmail.com>
Message-ID: <8488320260324948B0C8ADF39F982C6E@flamdt01>

What was the command and where did you add it?

tv

----- Original Message ----- 
From: "Jared Gillis"
To: 
Sent: Thursday, January 07, 2010 2:23 PM
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel toflap

> Hi all,
>
> I just ran into a strange problem on a 3750ME.  I've got two gig ports in
> an active LACP port-channel looking like this:
>
> [...]
From tvarriale at comcast.net  Thu Jan 7 16:59:12 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 7 Jan 2010 15:59:12 -0600
Subject: [c-nsp] ACLs and 2948G-L3
References: <20100107183208.GN857@greenie.muc.de>
Message-ID: 

Yup.  One of the worst C mistakes (top 5?).

tv

----- Original Message ----- 
From: "Gert Doering"
To: "Asbjorn Hojmark - Lists"
Cc: 
Sent: Thursday, January 07, 2010 12:32 PM
Subject: Re: [c-nsp] ACLs and 2948G-L3

From jared.a.gillis at gmail.com  Thu Jan 7 17:28:23 2010
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Thu, 07 Jan 2010 14:28:23 -0800
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel toflap
In-Reply-To: <8488320260324948B0C8ADF39F982C6E@flamdt01>
References: <4B4642B5.70501@gmail.com> <8488320260324948B0C8ADF39F982C6E@flamdt01>
Message-ID: <4B466007.2050109@gmail.com>

"switchport trunk allowed vlan add 400" and I ran it under interface Port-Channel1.

Tony Varriale wrote:
> What was the command and where did you add it?
>
> tv
> ----- Original Message ----- 
From: "Jared Gillis" > > To: > Sent: Thursday, January 07, 2010 2:23 PM > Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel > toflap > > >> Hi all, >> >> I just ran into a strange problem on a 3750ME. I've got two gig ports >> in an active LACP port-channel looking like this: >> >> interface GigabitEthernet1/0/1 >> switchport trunk encapsulation dot1q >> switchport trunk allowed vlan 101,102,400,664,1000-2999 >> switchport mode trunk >> speed 1000 >> duplex full >> channel-group 1 mode active >> end >> >> interface GigabitEthernet1/0/2 >> switchport trunk encapsulation dot1q >> switchport trunk allowed vlan 101,102,400,664,1000-2999 >> switchport mode trunk >> speed 1000 >> duplex full >> channel-group 1 mode active >> end >> >> interface Port-channel1 >> switchport trunk encapsulation dot1q >> switchport trunk allowed vlan 101,102,400,664,1000-2999 >> switchport mode trunk >> end >> >> When I added vlan 400 to the trunk allowed vlan list, one of the >> underlying gig ports flapped, which caused the port-channel to flap as >> well. >> Jan 7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface GigabitEthernet1/0/1, changed state to down >> Jan 7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface Port-channel1, changed state to down >> Jan 7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, >> changed state to down >> Jan 7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface GigabitEthernet1/0/1, changed state to up >> Jan 7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, >> changed state to up >> Jan 7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface Port-channel1, changed state to up >> Jan 7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on >> Interface Vlan400, changed state to up >> >> This definitely seems like something that should not happen. 
I'm >> running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), >> Version 12.2(46)SE, RELEASE SOFTWARE (fc2). >> Any thoughts on what I should be checking? >> >> --Jared >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jared.a.gillis at gmail.com Thu Jan 7 17:30:06 2010 From: jared.a.gillis at gmail.com (Jared Gillis) Date: Thu, 07 Jan 2010 14:30:06 -0800 Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap In-Reply-To: References: <4B4642B5.70501@gmail.com> Message-ID: <4B46606E.4010200@gmail.com> I see what you're thinking here, but I'm still not sure why adding a vlan to an existing trunk should ever cause a physical link to flap, or affect the underlying LACP session. Harold 'Buz' Dale wrote: > Check the other end to make the the LACP config is correct and maybe a "sh etherchannel" variation to look at what is going on. If the LACP is wrong maybe the trunk was carried over gi1/0/1. > > Luck, > Buz > > -----Original Message----- 
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Gillis > Sent: Thursday, January 07, 2010 3:23 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap > > Hi all, > > I just ran into a strange problem on a 3750ME. I've got two gig ports in an active LACP port-channel looking like this: > > interface GigabitEthernet1/0/1 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > speed 1000 > duplex full > channel-group 1 mode active > end > > interface GigabitEthernet1/0/2 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > speed 1000 > duplex full > channel-group 1 mode active > end > > interface Port-channel1 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > end > > When I added vlan 400 to the trunk allowed vlan list, one of the underlying gig ports flapped, which caused the port-channel to flap as well. > Jan 7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down > Jan 7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down > Jan 7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to down > Jan 7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up > Jan 7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up > Jan 7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up > Jan 7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan400, changed state to up > > This definitely seems like something that should not happen. 
I'm running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2). > Any thoughts on what I should be checking? > > --Jared > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From gsgranados at comcast.net Thu Jan 7 18:26:16 2010 
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 7 Jan 2010 15:26:16 -0800
Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
Message-ID: <015201ca8ff0$d330e380$2408120a@am.thmulti.com>

Hi,
I am using a pair of ASA5520s and the Cisco VPN client (latest release 5.x.160).
When I connect on the client side I see the following log entries.

25   14:25:48.843  01/07/10  Sev=Info/6  CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.

26   14:25:49.187  01/07/10  Sev=Info/6  CERT/0x63600035
Done with the hash signing with signature length of 0.

27   14:25:49.187  01/07/10  Sev=Info/4  CERT/0xE3600005
Failed to RSA sign the hash for IKE phase 1 negotiation using my certificate.

28   14:25:49.187  01/07/10  Sev=Warning/2  IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)

29   14:25:49.187  01/07/10  Sev=Warning/2  IKE/0xE300009B
Failed to build Signature payload (MsgHandlerMM:489)

30   14:25:49.187  01/07/10  Sev=Warning/2  IKE/0xE300009B
Failed to build MM msg5 (NavigatorMM:312)

31   14:25:49.187  01/07/10  Sev=Warning/2  IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)

32   14:25:49.187  01/07/10  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075 R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED

When I googled I found mention of issues if a cert uses a 4096 bit key. My CA server has a root cert 4096 bits in length. Have I identified the problem, or are there other things I should test before I have our Windows admin revoke the main root cert and start creating from scratch? We're in a testing phase for both the CA and ASA, so starting over is not a big deal, but before I create extra work I want to have some evidence. Any pointers would be appreciated.

Thank you
Scott

From gsgranados at comcast.net  Thu Jan 7 19:06:14 2010
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 7 Jan 2010 16:06:14 -0800
Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
References: <015201ca8ff0$d330e380$2408120a@am.thmulti.com> <006301ca8ff5$bc9dfb30$35d9f190$@com>
Message-ID: <01b001ca8ff6$69796290$2408120a@am.thmulti.com>

The version I'm using is 5.0.06.0160-k9, which is the most recent version available in the download manager.

Thanks
Scott

----- Original Message -----
From: "David Prall"
To: "'Scott Granados'" ;
Sent: Thursday, January 07, 2010 4:01 PM
Subject: RE: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)

> CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
> CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110,
> don't know exactly what you are running with 5.x.160
>
> --
> http://dcp.dcptech.com
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
>> Sent: Thursday, January 07, 2010 6:26 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
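Added example, not from the thread and not Cisco's or David's code: before having the Windows admin revoke the root and start over, it is worth listing the RSA key size of every certificate in the chain the client is handed, so you know which certs are actually 4096-bit. This uses only the Python standard library: a small DER walker locates subjectPublicKeyInfo in each certificate. The PEM bundle it parses is constructed inside the block (unsigned skeletons that only exercise the parser), and the 2048-bit default limit is an assumption of the example; the thread only says that 4096-bit keys trigger the client bug.

```python
"""Report the RSA key size of every certificate in a PEM bundle (added example)."""
import base64
import re
import ssl

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits give the width of the length
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def rsa_bits_from_der(cert):
    """RSA modulus length in bits for a DER certificate, or None if the key is not RSA."""
    _, cert_s, cert_e = _tlv(cert, 0)                         # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = next(_children(cert, cert_s, cert_e))   # tbsCertificate
    fields = list(_children(cert, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, spki_s, spki_e = fields[5]
    alg, key = list(_children(cert, spki_s, spki_e))[:2]
    _, oid_s, oid_e = next(_children(cert, alg[1], alg[2]))   # AlgorithmIdentifier.algorithm
    if cert[oid_s:oid_e] != RSA_OID:
        return None
    _, rsa_s, rsa_e = _tlv(cert, key[1] + 1)                  # BIT STRING: skip unused-bits octet
    _, mod_s, mod_e = next(_children(cert, rsa_s, rsa_e))     # RSAPublicKey.modulus INTEGER
    return int.from_bytes(cert[mod_s:mod_e], "big").bit_length()


def key_sizes_in_pem(pem_text):
    """[(position, bits)] for every certificate in a PEM bundle (bits is None for non-RSA keys)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_text, re.S)
    return [(i, rsa_bits_from_der(ssl.PEM_cert_to_DER_cert(b))) for i, b in enumerate(blocks)]


def oversized_keys(pem_text, limit=2048):
    """Positions of certificates whose RSA key exceeds the limit (assumed threshold)."""
    return [i for i, bits in key_sizes_in_pem(pem_text) if bits is not None and bits > limit]


# --- constructed fixtures: unsigned, content-free certificate skeletons for offline runs ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    width = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(width)]) + width + content


def _int(value):
    # one extra byte when needed keeps the top bit clear, as DER requires for positive INTEGERs
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_test_cert(modulus_bits):
    """DER certificate skeleton carrying an RSA key of modulus_bits (constructed, never trusted)."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_key = _der(0x30, _int(modulus) + _int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    empty = _der(0x30, b"")                                   # issuer / validity / subject left empty
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(1) + alg + empty + empty + empty + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode("ascii") + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # with a real chain: key_sizes_in_pem(open("chain.pem").read())
    bundle = to_pem(build_test_cert(4096)) + to_pem(build_test_cert(2048))
    for pos, bits in key_sizes_in_pem(bundle):
        print(f"cert #{pos}: RSA {bits} bits")
    print("over the 2048-bit limit:", oversized_keys(bundle))
```

Point it at the PEM bundle the client actually receives (root, intermediates and the identity cert) rather than only the root: the signature that fails in the log above is made with the client's own key, so its size matters as much as the CA's.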
From tom at netspot.com.au  Thu Jan 7 19:06:28 2010
From: tom at netspot.com.au (Tom Lanyon)
Date: Fri, 8 Jan 2010 10:36:28 +1030
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
In-Reply-To: <4B4642B5.70501@gmail.com>
References: <4B4642B5.70501@gmail.com>
Message-ID:

On 08/01/2010, at 6:53 AM, Jared Gillis wrote:
> Hi all,
>
> I just ran into a strange problem on a 3750ME. I've got two gig ports in an active LACP port-channel looking like this:
>
>
> When I added vlan 400 to the trunk allowed vlan list, one of the underlying gig ports flapped, which caused the port-channel to flap as well.
>
> This definitely seems like something that should not happen. I'm running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2).
> Any thoughts on what I should be checking?

Hi Jared,

I've run into the same problem on our 3750Gs and 3750Es (running 12.2(46)SE) with no solution so far.

The log on our switches indicates that it's due to the config for the Port-Channel being different than the underlying Gix/y/z interfaces, which is not allowed, so it shuts the etherchannel down.

I tried to work around this by adding the VLAN to all ports at once, eg:

conf t
int ran gi1/0/1, gi1/0/2, po1
sw trunk allowed vlan add 400
end

... but this didn't seem to help.

This has been a constant problem with earlier IOS releases too so I don't believe it's just 12.2(46) to blame. I assumed there was a simple solution, but hadn't had enough impetus to search for it yet.

Tom
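Added example, not from the thread and not anyone's switch output: Tom's switches log that the Port-channel config differs from the member interfaces, so this script parses an IOS running-config and reports exactly which trunk attributes differ between each Port-channel and its channel-group members, and which VLANs are missing or extra. The config it checks is constructed from Jared's, with VLAN 400 left off Gi1/0/2 to show a mismatch; the encapsulation, mode and allowed-VLAN attributes it compares are the ones in that config, not a list from Cisco.

```python
"""Compare a Port-channel's trunk config with that of its member interfaces (added example)."""
import re

ALL_VLANS = frozenset(range(1, 4095))

# constructed from the thread's config, with VLAN 400 removed from Gi1/0/2
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,664,1000-2999
 switchport mode trunk
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
!
"""


def parse_vlan_list(spec):
    """'101,102,1000-2999' -> set of VLAN ids; 'all' and 'none' as IOS prints them."""
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_interfaces(config):
    """{name: {'vlans': set|None, 'mode': str|None, 'encap': str|None, 'channel_group': int|None}}"""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = {"vlans": None, "mode": None, "encap": None, "channel_group": None}
            interfaces[header.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            current = None                       # '!' or any top-level line ends the stanza
            continue
        stmt = line.strip()
        # IOS wraps long VLAN lists onto 'allowed vlan add ...' continuation lines
        m = re.match(r"switchport trunk allowed vlan (add )?(\S+)$", stmt)
        if m:
            vlans = parse_vlan_list(m.group(2))
            current["vlans"] = (current["vlans"] or set()) | vlans if m.group(1) else vlans
            continue
        m = re.match(r"switchport trunk encapsulation (\S+)", stmt)
        if m:
            current["encap"] = m.group(1)
            continue
        m = re.match(r"switchport mode (\S+)", stmt)
        if m:
            current["mode"] = m.group(1)
            continue
        m = re.match(r"channel-group (\d+)", stmt)
        if m:
            current["channel_group"] = int(m.group(1))
    return interfaces


def check_port_channels(config):
    """List every way a member interface's trunk config differs from its Port-channel."""
    interfaces = parse_interfaces(config)
    problems = []
    for name, member in interfaces.items():
        group = member["channel_group"]
        if group is None:
            continue
        po_name = f"Port-channel{group}"
        po = interfaces.get(po_name)
        if po is None:
            problems.append(f"{name}: channel-group {group} but no {po_name} stanza")
            continue
        for attr in ("mode", "encap"):
            if member[attr] != po[attr]:
                problems.append(f"{name}: {attr} {member[attr]} != {po_name} {attr} {po[attr]}")
        # a trunk with no 'allowed vlan' line carries every VLAN
        want = po["vlans"] if po["vlans"] is not None else ALL_VLANS
        have = member["vlans"] if member["vlans"] is not None else ALL_VLANS
        missing, extra = sorted(want - have), sorted(have - want)
        if missing or extra:
            problems.append(f"{name}: allowed vlans differ from {po_name} (missing {missing}, extra {extra})")
    return problems


if __name__ == "__main__":
    # with a real device: check_port_channels(open("show-run.txt").read())
    for problem in check_port_channels(RUNNING_CONFIG) or ["all members match their Port-channel"]:
        print(problem)
```

Run it against "show running-config" from both ends of the bundle before and after a change; a member that drifts from the Port-channel on either side is the condition Tom's log message describes, and catching it in the config is cheaper than catching it in the flap.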
From walter.keen at RainierConnect.net  Thu Jan 7 19:43:28 2010
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Thu, 07 Jan 2010 16:43:28 -0800
Subject: [c-nsp] customizing snmp-traps (interface description as well as physical name)
Message-ID: <4B467FB0.4000904@rainierconnect.net>

Is customizing snmp-traps possible through rmon or some other means so that the delivered message not only has the physical name (gi0/1, etc) but also the description of that port as named in the interface config?
Dealing mostly with 2960's and 7600's, and trying to figure out if this is possible.
Even if I have to specify an rmon entry per physical interface, I'm dealing with small enough numbers that would work.
Something like ' is ' or similar would be ideal.

Going to want to have this for link up/down initially, and then also setup some traps for taking on interface errors, etc.

--
Walter Keen
Network Technician
Rainier Connect

From dcp at dcptech.com  Thu Jan 7 19:15:17 2010
From: dcp at dcptech.com (David Prall)
Date: Thu, 7 Jan 2010 19:15:17 -0500
Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
In-Reply-To: <01b001ca8ff6$69796290$2408120a@am.thmulti.com>
References: <015201ca8ff0$d330e380$2408120a@am.thmulti.com> <006301ca8ff5$bc9dfb30$35d9f190$@com> <01b001ca8ff6$69796290$2408120a@am.thmulti.com>
Message-ID: <006401ca8ff7$b99675a0$2cc360e0$@com>

Both bugs show as Verified. The ASA bug shows as Integrated. The Client does not. Open a TAC case and have them link it to the bug, and verify if it is in the release you have. Per the bug it should be since they verified with 5.0.6.110.

--
http://dcp.dcptech.com

> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Thursday, January 07, 2010 7:06 PM
> To: David Prall; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
>
> The version I'm using is 5.0.06.0160-k9, which is the most recent version available in the download manager.
>
> Thanks
> Scott
>
> ----- Original Message -----
> From: "David Prall"
> To: "'Scott Granados'" ; nsp at puck.nether.net>
> Sent: Thursday, January 07, 2010 4:01 PM
> Subject: RE: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
>
> > CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
> > CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110,
> > don't know exactly what you are running with 5.x.160
> >
> > --
> > http://dcp.dcptech.com
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> >> Sent: Thursday, January 07, 2010 6:26 PM
> >> To: cisco-nsp at puck.nether.net
> >> Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)

From dcp at dcptech.com  Thu Jan 7 19:01:03 2010
From: dcp at dcptech.com (David Prall)
Date: Thu, 7 Jan 2010 19:01:03 -0500
Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
In-Reply-To: <015201ca8ff0$d330e380$2408120a@am.thmulti.com>
References: <015201ca8ff0$d330e380$2408120a@am.thmulti.com>
Message-ID: <006301ca8ff5$bc9dfb30$35d9f190$@com>

CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110, don't know exactly what you are running with 5.x.160

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Thursday, January 07, 2010 6:26 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)

From sethm at rollernet.us  Thu Jan 7 20:39:37 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 07 Jan 2010 17:39:37 -0800
Subject: [c-nsp] customizing snmp-traps (interface description as well as physical name)
In-Reply-To: <4B467FB0.4000904@rainierconnect.net>
References: <4B467FB0.4000904@rainierconnect.net>
Message-ID: <4B468CD9.5060400@rollernet.us>

Walter Keen wrote:
> Is customizing snmp-traps possible through rmon or some other means so
> that the delivered message not only has the physical name (gi0/1, etc)
> but also the description of that port as named in the interface config?
> Dealing mostly with 2960's and 7600's, and trying to figure out if this
> is possible.
> Even if I have to specify an rmon entry per physical interface, I'm
> dealing with small enough numbers that would work.
> Something like ' is ' or similar would be
> ideal.
>
> Going to want to have this for link up/down initially, and then also
> setup some traps for taking on interface errors, etc.
>

Have your trap receiver do a query on the ifIndex that gets sent with the trap. Example with snmpget where $1 is the ifIndex value:

snmpget -v1 -Oqv -c public host ifAlias.$1 ifName.$1

This will return the "description" of that interface and its name i.e. Fa0/0.

~Seth
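Added example, not from the thread and not Seth's or Walter's code: an snmptrapd "traphandle" script that does Seth's lookup automatically for every linkUp/linkDown trap. net-snmp's snmptrapd hands the trap to the handler on stdin, with the sending host on line 1, the transport address on line 2 and one "OID value" varbind per line after that; the handler finds IF-MIB::ifIndex among the varbinds and resolves ifAlias/ifName with snmpget, the same -Oqv query Seth shows (the -v2c, the community and the host are placeholders). The sample trap, the interface names and the fake agent used for an offline run are all constructed; the snmptrapd.conf line that would wire it in is "traphandle default /usr/local/bin/iftrap.py", with the path being an assumption.

```python
"""snmptrapd traphandle that names the interface in a linkUp/linkDown trap (added example)."""
import re
import subprocess
import sys

IF_INDEX_NUMERIC = ".1.3.6.1.2.1.2.2.1.1."          # IF-MIB::ifIndex, numeric form
IF_INDEX_NAMES = ("IF-MIB::ifIndex.", "ifIndex.")     # symbolic forms snmptrapd may print


def parse_traphandle_input(text):
    """Split traphandle stdin into (host, transport, [(oid, value), ...])."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("traphandle input needs a host line and a transport line")
    varbinds = []
    for line in lines[2:]:
        if line.strip():
            oid, _, value = line.strip().partition(" ")
            varbinds.append((oid, value.strip()))
    return lines[0].strip(), lines[1].strip(), varbinds


def find_ifindex(varbinds):
    """ifIndex carried in the trap, or None; accepts both bare '3' and 'INTEGER: 3' values."""
    for oid, value in varbinds:
        if oid.startswith(IF_INDEX_NUMERIC) or oid.startswith(IF_INDEX_NAMES):
            digits = re.search(r"\d+$", value)
            return int(digits.group()) if digits else None
    return None


def snmpget_values(host, community, oids):
    """Default resolver: net-snmp's snmpget with values only (-Oqv), one per line."""
    result = subprocess.run(["snmpget", "-v2c", "-Oqv", "-c", community, host, *oids],
                            capture_output=True, text=True, check=True)
    return [line.strip().strip('"') for line in result.stdout.splitlines()]


def describe_interface(host, ifindex, community="public", getter=snmpget_values):
    """'<ifName> is <ifAlias>'; the getter is injectable so the logic can be tested offline."""
    alias, name = getter(host, community, [f"IF-MIB::ifAlias.{ifindex}", f"IF-MIB::ifName.{ifindex}"])
    return f"{name} is {alias or '(no description)'}"


def handle_trap(text, community="public", getter=snmpget_values):
    """One-line, human-readable rendering of one traphandle invocation."""
    host, _, varbinds = parse_traphandle_input(text)
    trap_oid = next((value for oid, value in varbinds if "snmpTrapOID" in oid), "unknown trap")
    ifindex = find_ifindex(varbinds)
    if ifindex is None:
        return f"{host}: {trap_oid} (no ifIndex in varbinds)"
    return f"{host}: {trap_oid} on {describe_interface(host, ifindex, community, getter)}"


# --- constructed sample data: a linkDown trap and a fake agent for offline runs ---
SAMPLE_TRAP = """\
sw-core1.example.net
UDP: [192.0.2.10]:161->[192.0.2.1]:162
DISMAN-EVENT-MIB::sysUpTimeInstance 12:03:41:12.00
SNMPv2-MIB::snmpTrapOID.0 IF-MIB::linkDown
IF-MIB::ifIndex.10103 10103
IF-MIB::ifAdminStatus.10103 up
IF-MIB::ifOperStatus.10103 down
"""

FAKE_AGENT = {"IF-MIB::ifAlias.10103": "uplink to dist-a", "IF-MIB::ifName.10103": "Gi1/0/3"}


def fake_getter(host, community, oids):
    """Stand-in for snmpget that answers from the constructed FAKE_AGENT table."""
    return [FAKE_AGENT.get(oid, "") for oid in oids]


if __name__ == "__main__":
    # snmptrapd feeds the real trap on stdin; run by hand, fall back to the constructed one
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    print(handle_trap(data) if data else handle_trap(SAMPLE_TRAP, getter=fake_getter))
```

The one-line output is what you would hand to syslog or the paging system; the extra snmpget per trap is cheap, and for the 2960/7600 counts Walter mentions it avoids maintaining an RMON entry per port entirely.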
From: jmaimon at ttec.com (Joe Maimon) Date: Thu, 07 Jan 2010 22:00:07 -0500 Subject: [c-nsp] spanning-tree bpdufilter leaks Message-ID: <4B469FB7.6050208@ttec.com> Apparently, bpdufilter leaks sometimes on some switches, and I have the packet traces to prove it. The switches are probably not supported, so replacements are likely in order. Anyone have an opinion of which cisco switches/IOS are guaranteed not to leak through bpdufilter? From BBlackford at nwresd.k12.or.us Thu Jan 7 22:09:59 2010 From: BBlackford at nwresd.k12.or.us (Bill Blackford) Date: Thu, 7 Jan 2010 19:09:59 -0800 Subject: [c-nsp] spanning-tree bpdufilter leaks In-Reply-To: <4B469FB7.6050208@ttec.com> References: <4B469FB7.6050208@ttec.com> Message-ID: <6069A203FD01884885C037F81DD750801742DA107A@wsc-mail-01.intra.nwresd.k12.or.us> Do you have any details? Models? Code vers? -b -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Maimon Sent: Thursday, January 07, 2010 7:00 PM To: 'Cisco-nsp' Subject: [c-nsp] spanning-tree bpdufilter leaks Apparently, bpdufilter leaks sometimes on some switches, and I have the packet traces to prove it. The switches are probably not supported, so replacements are likely in order. Anyone have an opinion of which cisco switches/IOS are guaranteed not to leak through bpdufilter? _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From markom at ipexpert.com Fri Jan 8 00:13:26 2010 
From: markom at ipexpert.com (Marko Milivojevic) Date: Fri, 8 Jan 2010 06:13:26 +0100 Subject: [c-nsp] spanning-tree bpdufilter leaks In-Reply-To: <4B469FB7.6050208@ttec.com> References: <4B469FB7.6050208@ttec.com> Message-ID: <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com> On Fri, Jan 8, 2010 at 04:00, Joe Maimon wrote: > > Apparently, bpdufilter leaks sometimes on some switches, and I have > the packet traces to prove it. The switches are probably not supported, > so replacements are likely in order. Did you have it enabled globally for portfast enabled interfaces or individually on each interface? If it was the first option, did you have portfast enabled globally, or again, per interface? -- Marko Milivojevic - CCIE #18427 Senior Technical Instructor - IPexpert Mailto: markom at ipexpert.com Telephone: +1.810.326.1444 Fax: +1.810.454.0130 Community: http://www.ipexpert.com/communities From andrew.gabriel at sanmina-sci.com Fri Jan 8 03:55:27 2010 
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel) Date: Fri, 8 Jan 2010 14:25:27 +0530 Subject: [c-nsp] Need some advice on ISP failover for an enterprise Message-ID: Hi, We have servers at two of our large locations in a single country that need to be reached from the Internet. Both locations each have a single 45 M ISP link, and also have internal connectivity with each other through multiple private links. The private WAN connecting the two locations has plenty of bandwidth and the latency is less than 40 ms between the two sites. We have our own registered ASN and public IP ranges. We have multi-homed ISP links at several other locations but not at these two locations. Also, both locations are partly ready for multi-homing in that they already use our own IP range and run BGP to the provider using our ASN. We have been asked to implement failover, for both the locations. The options we are considering are: 1. Traditional multi-homing by adding a second ISP at each location. 2. Buying a leased line to connect the CER at both locations and letting the incoming traffic for either location transit over that line to provide failover when one site's ISP goes down. This link would terminate on the 'dirty' side of our firewall and not have anything to do with the internal WAN. 3. Setting up a VPN-type tunnel between the ISP routers at both sites that would be routed over our internal WAN. This is similar to option 2 but doesn't involve any extra cost. Obviously we would prefer option 1 as it is simplest and safest to set up, and we already have experience with that type of setup, however we have been asked to look at cheaper options due to budget constaints, hence wanted some advice on the other options, do you think they could work well, any potential issues we should look out for, or should we even be considering them? Regards, Andrew Gabriel. Network Engineer, Enterprise Data Services. 
+91 44 42 22 88 75 (Direct) +91 98 41 41 40 19 (Mobile) www.sanmina-sci.com Sanmina-SCI India Pvt. Ltd. A51, 2nd Avenue, Anna Nagar, Chennai - 600 102, INDIA. CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. From marty at supine.com Fri Jan 8 04:45:37 2010 
From: marty at supine.com (Martin Barry) Date: Fri, 8 Jan 2010 20:45:37 +1100 Subject: [c-nsp] Data Center cooling In-Reply-To: <009d01ca8fbf$8a96e1f0$2408120a@am.thmulti.com> References: <009d01ca8fbf$8a96e1f0$2408120a@am.thmulti.com> Message-ID: <20100108094537.GA29141@tigger.mamista.net> $quoted_author = "Scott Granados" ; > > Well, in the rest of the world outside the US definitely, remember there > is a larger world out there. We're the last (I think) not to go metric. Not the last, but for company you only have Burma (Myanmar) and Liberia! http://en.wikipedia.org/wiki/Metric_system cheers Marty From avayner at cisco.com Fri Jan 8 05:07:08 2010 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Fri, 8 Jan 2010 11:07:08 +0100 Subject: [c-nsp] Need some advice on ISP failover for an enterprise In-Reply-To: References: Message-ID: Andrew, You should also look at another option where you can use your IPS's addresses, and collocate a GSLB device (look at Cisco GSS, but not the only one on the market), which would allow you to do some intelligent selection for client/server connections. Actually with BGP you would have issues with granularity, as BGP usually can propagate only /24 routes (longer subnets usually get filtered by upstreams). Arie -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel Sent: Friday, January 08, 2010 10:55 To: Cisco-nsp Subject: [c-nsp] Need some advice on ISP failover for an enterprise Hi, We have servers at two of our large locations in a single country that need to be reached from the Internet. Both locations each have a single 45 M ISP link, and also have internal connectivity with each other through multiple private links. The private WAN connecting the two locations has plenty of bandwidth and the latency is less than 40 ms between the two sites. We have our own registered ASN and public IP ranges. We have multi-homed ISP links at several other locations but not at these two locations. Also, both locations are partly ready for multi-homing in that they already use our own IP range and run BGP to the provider using our ASN. We have been asked to implement failover, for both the locations. The options we are considering are: 1. Traditional multi-homing by adding a second ISP at each location. 2. Buying a leased line to connect the CER at both locations and letting the incoming traffic for either location transit over that line to provide failover when one site's ISP goes down. This link would terminate on the 'dirty' side of our firewall and not have anything to do with the internal WAN. 3. Setting up a VPN-type tunnel between the ISP routers at both sites that would be routed over our internal WAN. This is similar to option 2 but doesn't involve any extra cost. Obviously we would prefer option 1 as it is simplest and safest to set up, and we already have experience with that type of setup, however we have been asked to look at cheaper options due to budget constaints, hence wanted some advice on the other options, do you think they could work well, any potential issues we should look out for, or should we even be considering them? Regards, Andrew Gabriel. Network Engineer, Enterprise Data Services. 
+91 44 42 22 88 75 (Direct) +91 98 41 41 40 19 (Mobile) www.sanmina-sci.com Sanmina-SCI India Pvt. Ltd. A51, 2nd Avenue, Anna Nagar, Chennai - 600 102, INDIA. CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From gkg at gmx.de Fri Jan 8 05:25:38 2010 
From: gkg at gmx.de (Garry)
Date: Fri, 08 Jan 2010 11:25:38 +0100
Subject: [c-nsp] SA 520 - Virus filter?
Message-ID: <4B470822.70900@gmx.de>

Hi,

we just picked up an SA520 box for a customer; seems like a nice SOHO box ... Anyway, I got most everything working easily (after going through all kinds of hassle with the TrendMicro website registration for the filtering license), including web site filtering based on classification, but somehow filtering of virus files doesn't seem to be working. I've enabled all "Content Filter" options on the firewall page, but can still download the EICAR test signature without any intervention by the SA ...

Any idea what I might be missing here?

Tnx, Garry

From: jens.neu at biotronik.com (Jens Neu)
Date: Fri, 8 Jan 2010 11:32:08 +0100
Subject: [c-nsp] ACLs and 2948G-L3

Hm thanks, I think I'm going to need two GBICs then.

Jens Neu
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: jens.neu at biotronik.de

Asbjorn Hojmark - Lists, 01/07/2010 05:44 PM
To: Jens Neu
cc:
Subject: Re: [c-nsp] ACLs and 2948G-L3

On Thu, 7 Jan 2010 16:37:29 +0100, you wrote:

> I've come across a lot of people complaining about the 2948G-L3 and
> access-lists. I defined two extended access-lists which are bound to
> FastEthernet35 (in and out). The switch complains nowhere, but when the
> ACLs should trigger, this appears in the log:

ACLs are only supported on the GE interfaces, not FE.

-A

www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Commercial register: Berlin HRA 6501

Represented by its general partner:
BIOTRONIK MT SE
Registered office: Berlin, Commercial register: Berlin HRB 118866 B
Chairman of the Administrative Board: Dr. Max Schaldach
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. Lothar Krings

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management systems and Vascular Intervention devices. Quality, innovation, and reliability define BIOTRONIK and our growing success. We are innovators of technologies like the first wireless remote monitoring system - Home Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as state-of-the-art stents, balloons and guide wires for coronary and peripheral indications. We highly invest in the development of drug eluting devices and are leading the industry with our bioabsorbable metal stent program.

This e-mail and the information it contains including attachments are confidential and meant only for use by the intended recipient(s); disclosure or copying is strictly prohibited. If you are not addressed, but in the possession of this e-mail, please notify the sender immediately and delete the document.

From: vijaygore27 at gmail.com (vijay gore)
Date: Fri, 8 Jan 2010 17:15:01 +0530
Subject: [c-nsp] Subnetting Issue --- help
Message-ID: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>

Dear All,

I have one question regarding subnetting.

In my network I have given FastEthernet1 the IP 192.168.9.65/27. This interface is connected to the local LAN; on the local machines I have given the IPs 192.168.9.66 to 192.168.9.75 using a /24 subnet.

My question is whether there is any problem in using /24 subnetting in the local LAN, i.e. will any link speed or bandwidth issue happen?

Please help.

From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 8 Jan 2010 06:48:31 -0500
Subject: [c-nsp] QOS - Multilink Question
Message-ID: <004301ca9058$7ffd02d0$7ff70870$@org>

Hey folks...

I haven't run across this before so hoping someone can suggest a quick fix..;)

Cisco 6500 - off this box feeding three T1's out to customer prem using multilink PPP. These are full rate T1:

dis1-rtr-pt#sh interfaces Serial 5/0/2:21
Serial5/0/2:21 is up, line protocol is up
  Hardware is Multichannel T1
  Description: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, crc 16, Data non-inverted
  Keepalive set (10 sec)
  LCP Open, multilink Open
  Last input 00:00:05, output 00:00:05, output hang never
  Last clearing of "show interface" counters 00:00:01
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     8 packets input, 630 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     7 packets output, 594 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
  no alarm present
  Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags

I have a very basic QOS profile to apply on the multilink interface but it keeps telling me there isn't enough bandwidth available - the QOS config does a match on DSCP=EF and then strict priority of 2000. Can you not exceed a strict priority higher than one of the physical interfaces in a multilink bundle??

class-map match-any KCU-Mapleridge-MAP
  match dscp ef
policy-map KCU-Mapleridge
  class KCU-Mapleridge-MAP
    priority 2000

interface Multilink21
 description xxxxxxxxxxxxxxxxxxxxxx
 bandwidth 4608
 ip address xx.xx.xx.217 255.255.255.248
 ppp multilink
 ppp multilink interleave
 multilink-group 21
end

dis1-rtr-pt#conf t
dis1-rtr-pt(config)#interface Multilink 21
dis1-rtr-pt(config-if)#service-policy output KCU-Mapleridge
bandwidth of 2000 kbps is not available (1536).

Appreciate any input...

Paul

From: jens.neu at biotronik.com (Jens Neu)
Date: Fri, 8 Jan 2010 14:04:05 +0100
Subject: [c-nsp] PXE not working on Cat2948

Dear all,

I have a Catalyst 2948G which seems to keep PXE boot from working properly. This one Cat2948 is the only Layer 2 device between the DHCP/PXE boot server and the PXE client - both are directly connected and share a /24. PXE boot is not working at all, and DHCP is unbearably slow, for no apparent reason. Both PXE server and client(s) are various IBM xSeries using the onboard GBit interfaces.

Now the fun stuff: when I put a second Layer 2 device between the Cat 2948 and the PXE client, it is magically working.
Means: PXE Server -> Cat 2948 -> "some cheap Netgear Office switch" -> PXE Client == works. In fact, any additional Layer 2 device that appears between the PXE client and the Cat 2948 scares the problem away.

Anyone seen this before? Any hints where to start looking? The switch looks as follows:

WS-C2948 Software, Version NmpSW: 8.4(11)GLX
Copyright (c) 1995-2006 by Cisco Systems, Inc.
NMP S/W compiled on Apr 27 2006, 12:46:44
GSP S/W compiled on Apr 27 2006, 11:47:52

System Bootstrap Version: 6.1(4)

Hardware Version: 2.5  Model: WS-C2948  Serial #: JAE061500JB

Mod Port Model               Serial #             Versions
--- ---- ------------------- -------------------- ---------------------------------
1   0    WS-X2948            JAE061500JB          Hw : 2.5
                                                  Gsp: 8.4(11.0)
                                                  Nmp: 8.4(11)GLX
2   50   WS-C2948G           JAE061500JB          Hw : 2.5

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
1      65536K  37349K  28187K  12288K  10648K  1640K   480K  85K   395K

best regards!

Jens Neu

Phone: +49 (0) 30 68905-2412
Mail: jens.neu at biotronik.de

From: ianh at ianh.net.au (Ian Henderson)
Date: Fri, 8 Jan 2010 21:24:14 +0800 (WST)
Subject: [c-nsp] PXE not working on Cat2948

On Fri, 8 Jan 2010, Jens Neu wrote:

> Anyone seen this before? Any hints where to start looking? The switch
> looks as follows:

Sounds like you need to enable spanning-tree portfast on the interfaces towards the PXE clients. This reduces the link up delay from 50 seconds to about 3. If the switch doesn't forward traffic quickly enough, the NIC may time out and decide PXE is unavailable.

Rgds,

- I.

From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 8 Jan 2010 14:26:19 +0100
Subject: [c-nsp] PXE not working on Cat2948
Message-ID: <20100108132619.GY857@greenie.muc.de>

Hi,

On Fri, Jan 08, 2010 at 02:04:05PM +0100, Jens Neu wrote:
> Anyone seen this before? Any hints where to start looking?

spanning-tree portfast

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From: steve at ibctech.ca (Steve Bertrand)
Date: Fri, 08 Jan 2010 08:30:27 -0500
Subject: [c-nsp] Subnetting Issue --- help
In-Reply-To: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>
References: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>
Message-ID: <4B473373.4050806@ibctech.ca>

vijay gore wrote:
> Dear All,
>
> i have one question regarding subneting,
>
> in my network i have given ip for FastEthernet1 192.168.9.65/27
>
> this interface is connected to local LAN - in the local machine ip i have
> given 192.168.9.66 TO 192.168.9.75 using subnet /24
>
> my question is that if there is any problem in using /24 subneting in LOCAL
> LAN, i mean problem link speed issue or any bandwidth issue will happen ??

No link speed or bandwidth issues, but your network will not be able to see anything within the 192.168.9/24 prefix (other than what is within your /27). All devices within your network will never go to the default gateway to route externally like they should, as all devices will think that the rest of the /24 is internal, rendering the subnet unreachable.

Either render a /24 prefix on the router's Fast Ethernet interface, or change the internal hosts to /27 as well.

Steve

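A worked check of the mask mismatch Steve describes, added here as an example and not part of any post in the thread. It takes the router's 192.168.9.65/27 from the question and a constructed host at 192.168.9.70 with the /24 mask the hosts were given, then reports which destinations that host will ARP for directly instead of sending to the gateway (only Python's standard ipaddress module; no other assumptions):

```python
"""Mask-mismatch audit for the subnetting question above.

Router interface from the thread: 192.168.9.65/27.
Hosts as configured in the thread: 192.168.9.66-.75 with a /24 mask;
192.168.9.70/24 below is a constructed representative of them.
"""
import ipaddress

ROUTER_IF = "192.168.9.65/27"   # FastEthernet1 as given in the question
HOST_IF = "192.168.9.70/24"     # one host, with the /24 mask it was given


def _iface(value):
    """Accept either '192.168.9.70/24' as a string or an ip_interface object."""
    return ipaddress.ip_interface(value)


def masks_agree(host_if, gateway_if):
    """True when host and gateway derive the same on-link prefix from their masks."""
    return _iface(host_if).network == _iface(gateway_if).network


def stranded_prefixes(host_if, gateway_if):
    """Prefixes the host treats as on-link that are NOT inside the gateway's subnet.

    For a destination in one of these prefixes the host sends an ARP request
    on the LAN instead of forwarding to the default gateway.  No device on the
    link owns those addresses, the ARP is never answered, and the packets are
    silently dropped.  Returned as sorted strings such as '192.168.9.128/25'.
    """
    host_net = _iface(host_if).network
    gw_net = _iface(gateway_if).network
    if host_net == gw_net or not gw_net.subnet_of(host_net):
        return []          # masks agree, or the host mask is the longer one
    extra = host_net.address_exclude(gw_net)
    return [str(n) for n in sorted(extra, key=lambda n: n.network_address)]


def next_hop_decision(host_if, dst, gateway_if):
    """How a host configured with host_if handles a packet for dst.

    'gateway'  : dst is off-link from the host's point of view, sent to the router
    'direct'   : dst is on-link and really is in the gateway's subnet (ARP works)
    'blackhole': dst looks on-link only because of the wrong mask (ARP unanswered)
    """
    dst = ipaddress.ip_address(dst)
    if dst not in _iface(host_if).network:
        return "gateway"
    return "direct" if dst in _iface(gateway_if).network else "blackhole"


def audit(host_if, gateway_if):
    """Summary: do the masks agree, and how many addresses become unreachable."""
    stranded = stranded_prefixes(host_if, gateway_if)
    lost = sum(ipaddress.ip_network(p).num_addresses for p in stranded)
    return {"masks_agree": masks_agree(host_if, gateway_if),
            "stranded_prefixes": stranded,
            "stranded_addresses": lost}


if __name__ == "__main__":
    print(audit(HOST_IF, ROUTER_IF))
    for target in ("192.168.9.67", "192.168.9.200", "8.8.8.8"):
        print(target, "->", next_hop_decision(HOST_IF, target, ROUTER_IF))
    # After Steve's fix (hosts moved to /27) nothing is stranded any more:
    print(audit("192.168.9.70/27", ROUTER_IF))
```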
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Fri, 08 Jan 2010 08:32:22 -0500
Subject: [c-nsp] Need some advice on ISP failover for an enterprise
Message-ID: <1262957542.11618.12.camel@X61.NetworkingUnlimited.nul>

Given that the majority of your failures will be in the "last mile," if you do not have physical link diversity, adding a second link will typically only provide a small improvement in availability. Beyond that, your key concerns are complexity, cost and future growth.

If you pick option 3 and you need to tunnel for security purposes, think through how you plan to deal with the reduced MTU of the tunnel. Depending on your server requirements, the cleanest approach is often to just reduce the MTU used by the server to match the tunnel, even though it is smaller than what you could use under normal circumstances.

Also keep track of traffic so that when the backup link is put to use, you don't discover the hard way that traffic has grown to the point where it won't fit!

Good luck and have fun!
--
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com

On Fri, 2010-01-08 at 14:25 +0530, Andrew Gabriel wrote:
> Hi,
>
> We have servers at two of our large locations in a single country that need
> to be reached from the Internet. Both locations each have a single 45 M ISP
> link, and also have internal connectivity with each other through multiple
> private links. The private WAN connecting the two locations has plenty of
> bandwidth and the latency is less than 40 ms between the two sites.
>
> We have our own registered ASN and public IP ranges. We have multi-homed ISP
> links at several other locations but not at these two locations. Also, both
> locations are partly ready for multi-homing in that they already use our own
> IP range and run BGP to the provider using our ASN.
>
> We have been asked to implement failover, for both the locations. The
> options we are considering are:
>
> 1. Traditional multi-homing by adding a second ISP at each location.
> 2. Buying a leased line to connect the CER at both locations and letting
> the incoming traffic for either location transit over that line to provide
> failover when one site's ISP goes down. This link would terminate on the
> 'dirty' side of our firewall and not have anything to do with the internal
> WAN.
> 3. Setting up a VPN-type tunnel between the ISP routers at both sites
> that would be routed over our internal WAN. This is similar to option 2 but
> doesn't involve any extra cost.
>
> Obviously we would prefer option 1 as it is simplest and safest to set up,
> and we already have experience with that type of setup, however we have been
> asked to look at cheaper options due to budget constaints, hence wanted some
> advice on the other options, do you think they could work well, any
> potential issues we should look out for, or should we even be considering
> them?
>
> Regards,
> Andrew Gabriel.
> Network Engineer,
> Enterprise Data Services.

From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Fri, 08 Jan 2010 08:37:11 -0500
Subject: [c-nsp] Subnetting Issue --- help
In-Reply-To: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>
References: <31533f201001080345y419f17c6m5ef6a138ca37df1d@mail.gmail.com>
Message-ID: <1262957831.11618.13.camel@X61.NetworkingUnlimited.nul>

This reads like a homework assignment. Look up the use of the "all zeroes" and "all ones" subnets.

On Fri, 2010-01-08 at 17:15 +0530, vijay gore wrote:
> Dear All,
>
> i have one question regarding subneting,
>
> in my network i have given ip for FastEthernet1 192.168.9.65/27
>
> this interface is connected to local LAN - in the local machine ip i have
> given 192.168.9.66 TO 192.168.9.75 using subnet /24
>
> my question is that if there is any problem in using /24 subneting in LOCAL
> LAN, i mean problem link speed issue or any bandwidth issue will happen ??
>
> please help.

From: jens.neu at biotronik.com (Jens Neu)
Date: Fri, 8 Jan 2010 14:49:29 +0100
Subject: [c-nsp] PXE not working on Cat2948
In-Reply-To: <20100108132619.GY857@greenie.muc.de>
References: <20100108132619.GY857@greenie.muc.de>

> spanning-tree portfast

Thank you all, I'm going to update my STP knowledge :)

regards

Jens Neu

Phone: +49 (0) 30 68905-2412
Mail: jens.neu at biotronik.de

Gert Doering, 01/08/2010 02:26 PM
To: Jens Neu
cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PXE not working on Cat2948

Hi,

On Fri, Jan 08, 2010 at 02:04:05PM +0100, Jens Neu wrote:
> Anyone seen this before? Any hints where to start looking?

spanning-tree portfast

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Fri, 8 Jan 2010 07:59:36 -0600
Subject: [c-nsp] IRB and channel-group help needed
In-Reply-To: <201001071429.57202.mulitskiy@acedsl.com>
References: <4B45D00D.9E6F.00B8.0@dps.k12.oh.us> <201001071429.57202.mulitskiy@acedsl.com>
Message-ID: <20100108135936.GA20328@panix.com>

On Thu, Jan 07, 2010 at 02:29:57PM -0500, Michael Ulitskiy wrote:
> I have it working exactly this way. my IOS is 12.1(26)E7
> the only special thing I remember about it is that if you want to spread port-channels across the
> different cards then those cards must be the same (or compatible). For example you can't have port-channel
> over ports on GE card and Enhanced GE card or between card with ACL daughter card and without it.
>
> Michael
>
> On Thursday 07 January 2010 12:12:11 pm Steven Pfister wrote:
> > I've got a 8540 switch running 12.1(20)E set up with IRB and I've
> > got two interfaces I'm looking at:
> >
> > interface GigabitEthernet0/0/3
> >  no ip address
> >  no ip redirects
> > !
> > interface GigabitEthernet0/0/3.1
> >  description Native VLAN
> >  encapsulation dot1Q 1 native
> >  no ip redirects
> > !
> > interface GigabitEthernet0/0/3.99
> >  encapsulation dot1Q 99
> >  no ip redirects
> >  no cdp enable
> >  bridge-group 99
> >
> > The other interface is Gigabit0/0/4 and is set up the exact same
> > way. I'd like to be able to set up a channel group for those two
> > interfaces. I set up the port channel like:
> >
> > interface Port-channel1
> >  no ip address
> >  hold-queue 300 in
> > !
> > interface Port-channel1.1
> >  encapsulation dot1Q 1 native
> >  no ip redirects
> > !
> > interface Port-channel1.99
> >  encapsulation dot1Q 99
> >  no ip redirects
> >  bridge-group 99
> >
> > But if I apply it to one of the interfaces, I get an error: "Error: Interface has sub-interface configured". I can take the subinterfaces off temporarily and set up the channel-group, but if I try and re-add the subinterfaces, I can't do that.
> > Is this something that is possible? If so, what am I missing?

I'm not completely clear on what is being attempted here, but if the goal is just to have a portchannel with 802.1q subinterfaces, you don't configure the subinterfaces on the physical interface, just the port-channel. So in the config, the following interfaces should exist:

Gi0/0/3
Gi0/0/4
Po1
Po1.1
Po1.99

     -- Brett

From: erik at infopact.nl (E. Versaevel)
Date: Fri, 08 Jan 2010 14:23:37 +0100
Subject: [c-nsp] PXE not working on Cat2948
Message-ID: <4B4731D9.7030907@infopact.nl>

Sounds like a spanning-tree port enable delay issue; try using spanning-tree portfast on the PXE client port.

On 8-1-2010 14:04, Jens Neu wrote:
> Der all,
>
> I have a Catalyst 2948G which seems to keep PXE boot from working
> properly. This one Cat2948 is the only Layer 2 device between the DHCP/PXE
> boot server and the PXE client - both are directly connected and share a
> /24. PXE boot is not working at all, and DHCP is unbearably slow, for no
> apparent reason. Both PXE Server and Client(s) are various IBM xSeries
> using the onboard GBit interfaces.
> Now the fun stuff: when I put a second Layer 2 device between the Cat 2948
> and the PXE client, it is magically working.
> Means: PXE Server -> Cat 2948 -> "some cheap Netgear Office switch" -> PXE
> Client == works. In fact, any additional Layer 2 device that appears
> between PXE Client and the Cat 2948 scares the problem away.
>
> Anyone seen this before? Any hints where to start looking? The switch
> looks as follows:
>
> WS-C2948 Software, Version NmpSW: 8.4(11)GLX
> Copyright (c) 1995-2006 by Cisco Systems, Inc.
> NMP S/W compiled on Apr 27 2006, 12:46:44
> GSP S/W compiled on Apr 27 2006, 11:47:52
>
> System Bootstrap Version: 6.1(4)
>
> Hardware Version: 2.5  Model: WS-C2948  Serial #: JAE061500JB
>
> Mod Port Model               Serial #             Versions
> --- ---- ------------------- -------------------- ---------------------------------
> 1   0    WS-X2948            JAE061500JB          Hw : 2.5
>                                                   Gsp: 8.4(11.0)
>                                                   Nmp: 8.4(11)GLX
> 2   50   WS-C2948G           JAE061500JB          Hw : 2.5
>
>        DRAM                    FLASH                   NVRAM
> Module Total   Used    Free    Total   Used    Free    Total Used  Free
> ------ ------- ------- ------- ------- ------- ------- ----- ----- -----
> 1      65536K  37349K  28187K  12288K  10648K  1640K   480K  85K   395K
>
> best regards!
>
> Jens Neu

Erik Versaevel

From: alex at digriz.org.uk (Alexander Clouter)
Date: Fri, 8 Jan 2010 13:50:38 +0000
Subject: [c-nsp] PXE not working on Cat2948

Jens Neu wrote:
>
> I have a Catalyst 2948G which seems to keep PXE boot from working
> properly. This one Cat2948 is the only Layer 2 device between the DHCP/PXE
> boot server and the PXE client - both are directly connected and share a
> /24. PXE boot is not working at all, and DHCP is unbearably slow, for no
> apparent reason. Both PXE Server and Client(s) are various IBM xSeries
> using the onboard GBit interfaces.
> Now the fun stuff: when I put a second Layer 2 device between the Cat 2948
> and the PXE client, it is magically working.
> Means: PXE Server -> Cat 2948 -> "some cheap Netgear Office switch" -> PXE
> Client == works. In fact, any additional Layer 2 device that appears
> between PXE Client and the Cat 2948 scares the problem away.
>
> Anyone seen this before? Any hints where to start looking? The switch
> looks as follows:
> .....

'spanning-tree portfast default'?

The PXE times out before the STP action has finished and the port is in blocking mode for the duration. You should also consider 'spanning-tree portfast bpduguard/filter default' too.

Cheers

--
Alexander Clouter
.sigmonster says: That's what she said.

From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Fri, 8 Jan 2010 09:17:02 -0500
Subject: [c-nsp] NPE-G1 cant read Compact Flash
In-Reply-To: <4B339C0D.5060906@ttec.com>
References: <4B338D47.3030705@ttec.com> <4B3398D3.9000302@kenweb.org> <4B339C0D.5060906@ttec.com>
Message-ID: <4B473E5E.3000309@fas.harvard.edu>

Cisco on the older boxes used a non-FAT flash file system. The key is whether the flash is referred to as slotX or diskX. If the nomenclature is slotX, it uses a proprietary disk format which cannot be read by an external reader.

To format a CF card for use with an older system:

format slot0:

Joe Maimon wrote:
> ML wrote:
>
>> Are the alternate CF cards formatted correctly for your platform?
>
> Probably. However, IOS doesnt seem to think there is any card there or
> worse, it hangs upon insert.
>
>> The original CF card may have gone bad but if you're sure the other CF
>> cards are OK then they may be formatted wrong.
>
> The card is fine, tested in external reader. They are all fine.
>
> Thanks.

From: jmaimon at ttec.com (Joe Maimon)
Date: Fri, 08 Jan 2010 11:37:51 -0500
Subject: [c-nsp] NPE-G1 cant read Compact Flash
In-Reply-To: <4B473E5E.3000309@fas.harvard.edu>
References: <4B338D47.3030705@ttec.com> <4B3398D3.9000302@kenweb.org> <4B339C0D.5060906@ttec.com> <4B473E5E.3000309@fas.harvard.edu>
Message-ID: <4B475F5F.30108@ttec.com>

http://en.wikipedia.org/wiki/Linear_Flash

To work around the original issue, an IO Controller was installed, which works very nicely. The only downside is having different serial/aux ports.

nvram stays the same.
bootflash stays the same.
slot[01]/disk[01] become available.
More ethernet ports become available.

No bandwidth points are consumed so nothing needs to change slots. Not a bad arrangement.

Interestingly enough, we did see an issue with a variant of CF flash that caused the boothelper, an older 12.3 image, to crash while booting with that CF in the IO controller, even as a fully booted IOS had no issue reading, writing, formatting it. A slightly older CF worked fine. An upgraded boothelper probably would have also solved the issue.

The CF slot on the NPE-G1 (disk2:) seems to be toast.

Joe

Scott McGrath wrote:
> Cisco on the older boxes used a non-FAT flash file system the key is
> whether the flash is referred to as slotX or diskX. if the nomenclature
> is slotX it uses a proprietary disk format which cannot be read by an
> external reader.
>
> to format CF card for use with older system
>
> format slot0:
>
> Joe Maimon wrote:
>> ML wrote:
>>
>>> Are the alternate CF cards formatted correctly for your platform?
>>
>> Probably. However, IOS doesnt seem to think there is any card there or
>> worse, it hangs upon insert.
>>
>>> The original CF card may have gone bad but if you're sure the other CF
>>> cards are OK then they may be formatted wrong.
>>
>> The card is fine, tested in external reader. They are all fine.
>>
>> Thanks.

From: coloccia at geneseo.edu (Rick Coloccia) Date: Fri, 08 Jan 2010 10:52:25 -0500 Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap In-Reply-To: <4B4642B5.70501@gmail.com> References: <4B4642B5.70501@gmail.com> Message-ID: <4B4754B9.3050000@geneseo.edu> I've run into flapping issues when adding a vlan if the vlan wasn't present upstream. I don't know if this is your case, but in my case, I had two 6500 cores each attached to the same 3750. port channels and spanning tree in place. When I added a vlan to an interface on one core, the spanning tree went nuts because the vlan wasn't present everywhere it should have been. My suggestion, then, is be sure the vlan you're adding is everywhere it needs to me. I would have sworn I had my vlan everywhere, but I didn't, I'd missed in 1 place, so give it a look...... -Rick Jared Gillis wrote: > Hi all, > > I just ran into a strange problem on a 3750ME. I've got two gig ports in an active LACP port-channel looking like this: > > interface GigabitEthernet1/0/1 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > speed 1000 > duplex full > channel-group 1 mode active > end > > interface GigabitEthernet1/0/2 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > speed 1000 > duplex full > channel-group 1 mode active > end > > interface Port-channel1 > switchport trunk encapsulation dot1q > switchport trunk allowed vlan 101,102,400,664,1000-2999 > switchport mode trunk > end > > When I added vlan 400 to the trunk allowed vlan list, one of the underlying gig ports flapped, which caused the port-channel to flap as well. 
> Jan 7 12:09:27.647 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
> Jan 7 12:09:27.656 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
> Jan 7 12:09:28.654 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to down
> Jan 7 12:09:31.464 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
> Jan 7 12:09:32.454 PST: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
> Jan 7 12:09:33.461 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
> Jan 7 12:09:48.745 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan400, changed state to up
>
> This definitely seems like something that should not happen. I'm running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2).
> Any thoughts on what I should be checking?
>
> --Jared

--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577 F: 585-245-5579
CIT will never ask for your password or other confidential information via email.

From zoe-nsp at complicity.co.uk Fri Jan 8 11:58:01 2010
From: zoe-nsp at complicity.co.uk (Zoe O'Connell)
Date: Fri, 08 Jan 2010 16:58:01 +0000
Subject: [c-nsp] Data Center cooling
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan>
Message-ID: <4B476419.5040609@complicity.co.uk>

Michael K. Smith - Adhost wrote:
> We are in Seattle and use an air-exchanger system that relies on outside
> air as much as possible, and then blends in chilled water as necessary
> up to 100% chilled. It's fairly common here because of the nature of
> our climate, and the psychrometric scale
> (http://en.wikipedia.org/wiki/Psychrometrics) is favorable for us.
>
> We've also looked at increasing our data center temps from 68F/20C to
> closer to 78F/25.56C (hi Gert), but our marketing folks have been the
> most resistant because of the prevailing expectation that colder is
> better. There is some good research and testing being done by
> Microsoft, Intel and Google in this arena, but I don't think enough has
> been published yet to give that calming feeling to the marketing folks.
> I would imagine, however, that we will see increasing data center
> temperatures more and more in the coming years.

This also depends on how well you're circulating the air within your data centre - having air at 25°C is fine as long as all that air actually reaches the things it needs to cool. If it's been mixed in with enough hot air by the time it's got to the top of the rack at the far end of each row however, you're going to run into trouble.

Closer to the original topic, I do recall seeing a TV programme some time in the last few years that mentioned cooling the computer room at some Antarctic science base and they did still have to use compressors etc as it was easier than trying to make the outside air suitable, although I forget the details.
(I suppose, at least, you could dump the warm air into the rest of the base but I seem to recall the computers were in a separate hut/building)

From jmaimon at ttec.com Fri Jan 8 12:15:38 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Fri, 08 Jan 2010 12:15:38 -0500
Subject: [c-nsp] spanning-tree bpdufilter leaks
In-Reply-To: <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com>
References: <4B469FB7.6050208@ttec.com> <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com>
Message-ID: <4B47683A.6000405@ttec.com>

Marko Milivojevic wrote:
> On Fri, Jan 8, 2010 at 04:00, Joe Maimon wrote:
>>
>> Apparently, bpdufilter leaks sometimes on some switches, and I have
>> the packet traces to prove it. The switches are probably not supported,
>> so replacements are likely in order.
>
> Did you have it enabled globally for portfast enabled interfaces or

No

> individually on each interface?

Yes

> If it was the first option, did you
> have portfast enabled globally,

No

> or again, per interface?

Yes, but not on the same interfaces.

Thanks for the reply.

Joe

From jmaimon at ttec.com Fri Jan 8 12:16:41 2010
From: jmaimon at ttec.com (Joe Maimon)
Date: Fri, 08 Jan 2010 12:16:41 -0500
Subject: [c-nsp] spanning-tree bpdufilter leaks
In-Reply-To: <6069A203FD01884885C037F81DD750801742DA107A@wsc-mail-01.intra.nwresd.k12.or.us>
References: <4B469FB7.6050208@ttec.com> <6069A203FD01884885C037F81DD750801742DA107A@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <4B476879.2070802@ttec.com>

Bill Blackford wrote:
> Do you have any details?
> Models? Code vers?
>
> -b

3524XL, 12.0(5)WC17

From jeff-kell at utc.edu Fri Jan 8 12:18:39 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 08 Jan 2010 12:18:39 -0500
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
In-Reply-To:
References: <4B4642B5.70501@gmail.com>
Message-ID: <4B4768EF.9020909@utc.edu>

On 1/7/2010 7:06 PM, Tom Lanyon wrote:
> I've run into the same problem on our 3750Gs and 3750Es (running 12.2(46)SE) with no solution so far.
>
> The log on our switches indicates that it's due to the config for the Port-Channel being different than the underlying Gix/y/z interfaces, which is not allowed, so it shuts the etherchannel down. I tried to work around this by adding the VLAN to all ports at once, eg:
> conf t
> int ran gi1/0/1, gi1/0/2, po1
> sw trunk allowed vlan add 400
>

For vlan changes on port channels, I've always used just the port-channel configuration (e.g., int portch1) and applying vlan adjustments there, which IOS appears to propagate to the active member configurations, provided of course the port channel is up. We do this "a lot" across a broad range of Catalysts (no MEs though) with no issues.

If you change an individual member characteristic, it will indeed break the interfaces out of the port-channel and bounce.

Jeff

From BBlackford at nwresd.k12.or.us Fri Jan 8 12:35:56 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Fri, 8 Jan 2010 09:35:56 -0800
Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
In-Reply-To: <4B4768EF.9020909@utc.edu>
References: <4B4642B5.70501@gmail.com> <4B4768EF.9020909@utc.edu>
Message-ID: <6069A203FD01884885C037F81DD750801742DA107E@wsc-mail-01.intra.nwresd.k12.or.us>

It does this on cat6.5k/sup720 for sure. I don't recollect if the propagation occurs the same on 3560/3750's.

-b

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
Sent: Friday, January 08, 2010 9:19 AM
To: Tom Lanyon
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap

On 1/7/2010 7:06 PM, Tom Lanyon wrote:
> I've run into the same problem on our 3750Gs and 3750Es (running 12.2(46)SE) with no solution so far.
>
> The log on our switches indicates that it's due to the config for the Port-Channel being different than the underlying Gix/y/z interfaces, which is not allowed, so it shuts the etherchannel down. I tried to work around this by adding the VLAN to all ports at once, eg:
> conf t
> int ran gi1/0/1, gi1/0/2, po1
> sw trunk allowed vlan add 400
>

For vlan changes on port channels, I've always used just the port-channel configuration (e.g., int portch1) and applying vlan adjustments there, which IOS appears to propagate to the active member configurations, provided of course the port channel is up. We do this "a lot" across a broad range of Catalysts (no MEs though) with no issues.

If you change an individual member characteristic, it will indeed break the interfaces out of the port-channel and bounce.

Jeff

From jmaimon at ttec.com Fri Jan 8 12:59:13 2010
From: jmaimon at ttec.com (Joe Maimon) Date: Fri, 08 Jan 2010 12:59:13 -0500 Subject: [c-nsp] spanning-tree bpdufilter leaks In-Reply-To: <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com> References: <4B469FB7.6050208@ttec.com> <4a15acd91001072113h4558ab79vb069989e5e453615@mail.gmail.com> Message-ID: <4B477271.9060408@ttec.com> Marko Milivojevic wrote: > On Fri, Jan 8, 2010 at 04:00, Joe Maimon wrote: >> >> Apparently, bpdufilter leaks sometimes on some switches, and I have >> the packet traces to prove it. The switches are probably not supported, >> so replacements are likely in order. To clarify, it only leaks occasionally, the capture suggests once per reload or otherwise perhaps every couple days. From jeff-kell at utc.edu Fri Jan 8 13:00:45 2010 From: jeff-kell at utc.edu (Jeff Kell) Date: Fri, 08 Jan 2010 13:00:45 -0500 Subject: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap In-Reply-To: <6069A203FD01884885C037F81DD750801742DA107E@wsc-mail-01.intra.nwresd.k12.or.us> References: <4B4642B5.70501@gmail.com> <4B4768EF.9020909@utc.edu> <6069A203FD01884885C037F81DD750801742DA107E@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: <4B4772CD.2050409@utc.edu> On 1/8/2010 12:35 PM, Bill Blackford wrote: > It does this on cat6.5k/sup720 for sure. I don't recollect if the propagation occurs the same on 3560/3750's. > I can verify that 3550, 3560, 3750, 3750E, 4500 SupIV, 6500 Sup2/Sup720 all propagate to the members when the associated port-channel is changed. Interface specific characteristics (e.g., channel-group x mode) are not and can't be used in the port-channel configuration context. Jeff From ip at ioshints.info Fri Jan 8 13:26:12 2010 
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Fri, 8 Jan 2010 19:26:12 +0100
Subject: [c-nsp] customizing snmp-traps (interface description as well as physical name)
In-Reply-To: <4B467FB0.4000904@rainierconnect.net>
References: <4B467FB0.4000904@rainierconnect.net>
Message-ID: <00d101ca9090$0f321030$2d963090$@info>

Solution#1 (ugly): syslog messages can be sent as SNMP traps. You'll get the whole syslog message on your NMS.

Solution#2: use EEM to match syslog UP/DOWN messages, extract interface description and generate a custom SNMP trap. You can do it with EEM applets if your IOS supports EEM 3.0 (12.4(late)T, 12.5, 12.2SRE), otherwise you have to use a Tcl EEM policy (pre-EEM 3.0 applets are too dumb).

These posts could be useful:

http://blog.ioshints.info/2009/12/send-snmp-trap-from-eem-applet.html
http://blog.ioshints.info/2009/10/report-interface-loss-based-on-ospf.html

You can generate custom SNMP trap from an EEM applet with "action snmp-trap" command (I haven't covered that one yet in my blog).

Hope it helps
Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> -----Original Message-----
> From: Walter Keen [mailto:walter.keen at RainierConnect.net] > Sent: Friday, January 08, 2010 1:43 AM > To: 'Cisco-nsp' > Subject: [c-nsp] customizing snmp-traps (interface description as well as > physical name) > > Is customizing snmp-traps possible through rmon or some other means so > that the delivered message not only has the physical name (gi0/1, etc) > but also the description of that port as named in the interface config? > Dealing mostly with 2960's and 7600's, and trying to figure out if this > is possible. > Even if I have to specify an rmon entry per physical interface, I'm > dealing with small enough numbers that would work. > Something like ' is ' or similar would be > ideal. > > Going to want to have this for link up/down initially, and then also > setup some traps for taking on interface errors, etc. > > -- > > > Walter Keen > Network Technician > Rainier Connect > > From andrew.gabriel at sanmina-sci.com Fri Jan 8 14:42:04 2010 
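As an added example (not code from the thread or from any of the posters), the following Python audits the config pattern the port-channel thread above is about, and adds the NMS-side enrichment step that the syslog-as-trap approach from Ivan's solution #1 leaves to the receiver. The interface names and descriptions in it are constructed, modelled on the 3750ME config quoted in the thread.

```python
"""Added example, not code from the cisco-nsp thread: parse the interface
blocks of an IOS running-config, audit each EtherChannel member against its
Port-channel (the mismatch the thread's log shows taking the bundle down),
and attach interface descriptions to IOS link up/down syslog text on the
NMS side.  Interface names and descriptions below are constructed."""
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample modelled on the 3750ME config quoted in the thread;
# Gi1/0/2 deliberately lacks VLAN 400 so the audit has something to find.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink-core-A
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 description uplink-core-B
 switchport trunk allowed vlan 101,102,664,1000-2999
 switchport mode trunk
 channel-group 1 mode active
!
interface Port-channel1
 description po1-to-core
 switchport trunk allowed vlan 101,102,400,664,1000-2999
 switchport mode trunk
!
"""
# Without a 'switchport trunk allowed vlan' line IOS permits every VLAN.
ALL_VLANS: FrozenSet[int] = frozenset(range(1, 4095))


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the stripped lines of its config block."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None      # '!' or any unindented line ends the block
    return blocks


def parse_vlan_list(spec: str) -> FrozenSet[int]:
    """Expand an IOS VLAN list such as '101,102,400,1000-2999' into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)


def first_match(lines: List[str], pattern: str):
    """First line of a config block matching pattern, as a regex match."""
    return next((m for m in map(re.compile(pattern).match, lines) if m), None)


def allowed_vlans(lines: List[str]) -> FrozenSet[int]:
    m = first_match(lines, r"switchport trunk allowed vlan (\S+)$")
    return parse_vlan_list(m.group(1)) if m else ALL_VLANS


def check_port_channels(config: str) -> Dict[str, Tuple[List[int], List[int]]]:
    """{member: (VLANs missing on the member, VLANs extra on the member)} for
    each channel-group member whose allowed list differs from its bundle's.
    A non-empty result is exactly the state that makes IOS drop the member
    out of the bundle; a missing Port-channel counts as allowing every VLAN."""
    blocks = parse_interfaces(config)
    problems: Dict[str, Tuple[List[int], List[int]]] = {}
    for name, lines in blocks.items():
        group = first_match(lines, r"channel-group (\d+)")
        if group is None:
            continue
        bundle = blocks.get(f"Port-channel{group.group(1)}", [])
        want, have = allowed_vlans(bundle), allowed_vlans(lines)
        if want != have:
            problems[name] = (sorted(want - have), sorted(have - want))
    return problems


LINK_MSG = re.compile(
    r"%(?P<mnemonic>LINEPROTO-5-UPDOWN|LINK-3-UPDOWN): (?:Line protocol on )?"
    r"Interface (?P<intf>[^,\s]+), changed state to (?P<state>up|down)")


def enrich_link_event(config: str, syslog_line: str) -> Optional[Dict[str, str]]:
    """Attach the configured description to an IOS link up/down syslog line
    such as the %LINEPROTO-5-UPDOWN messages quoted in the thread; returns
    None for any other message."""
    m = LINK_MSG.search(syslog_line)
    if m is None:
        return None
    lines = parse_interfaces(config).get(m["intf"], [])
    desc = first_match(lines, r"description (.+)")
    return {"interface": m["intf"], "state": m["state"], "mnemonic": m["mnemonic"],
            "description": desc.group(1) if desc else "(no description)"}
```

Running check_port_channels before and after a VLAN change (or on a config pulled from a switch that just logged the flap) pinpoints which member diverged from its Port-channel.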
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel) Date: Sat, 9 Jan 2010 01:12:04 +0530 Subject: [c-nsp] Need some advice on ISP failover for an enterprise In-Reply-To: <1262957542.11618.12.camel@X61.NetworkingUnlimited.nul> References: <1262957542.11618.12.camel@X61.NetworkingUnlimited.nul> Message-ID: Good points, thanks for sharing. Regards, Andrew Gabriel. On Fri, Jan 8, 2010 at 7:02 PM, Vincent C Jones < v.jones at networkingunlimited.com> wrote: > Given that the majority of your failures will be in the "last mile," if > you do not have physical link diversity, adding a second link will > typically only provide a small improvement in availability. Beyond that, > your key concerns are complexity, cost and future growth. > > If you pick option 3 and you need to tunnel for security purposes, think > through how you plan to deal with the reduced MTU of the tunnel. > Depending on your server requirements, the cleanest approach is often to > just reduce the MTU used by the server to match the tunnel, even though > it is smaller than what you could use under normal circumstances. Also > keep track of traffic so that when the backup link is put to use, you > don't discover the hard way that traffic has grown to the point where it > won't fit! > > Good luck and have fun! > -- > Vincent C. Jones > Networking Unlimited, Inc. > Phone: +1 201 568-7810 > V.Jones at NetworkingUnlimited.com > > > On Fri, 2010-01-08 at 14:25 +0530, Andrew Gabriel wrote: > > Hi, > > > > We have servers at two of our large locations in a single country that > need > > to be reached from the Internet. Both locations each have a single 45 M > ISP > > link, and also have internal connectivity with each other through > multiple > > private links. The private WAN connecting the two locations has plenty of > > bandwidth and the latency is less than 40 ms between the two sites. > > > > We have our own registered ASN and public IP ranges. 
> > We have multi-homed ISP links at several other locations but not at these two locations. Also, both locations are partly ready for multi-homing in that they already use our own IP range and run BGP to the provider using our ASN.
> >
> > We have been asked to implement failover, for both the locations. The options we are considering are:
> >
> > 1. Traditional multi-homing by adding a second ISP at each location.
> > 2. Buying a leased line to connect the CER at both locations and letting the incoming traffic for either location transit over that line to provide failover when one site's ISP goes down. This link would terminate on the 'dirty' side of our firewall and not have anything to do with the internal WAN.
> > 3. Setting up a VPN-type tunnel between the ISP routers at both sites that would be routed over our internal WAN. This is similar to option 2 but doesn't involve any extra cost.
> >
> > Obviously we would prefer option 1 as it is simplest and safest to set up, and we already have experience with that type of setup, however we have been asked to look at cheaper options due to budget constraints, hence wanted some advice on the other options, do you think they could work well, any potential issues we should look out for, or should we even be considering them?
> >
> > Regards,
> > Andrew Gabriel.
> > Network Engineer,
> > Enterprise Data Services.
> > +91 44 42 22 88 75 (Direct)
> > +91 98 41 41 40 19 (Mobile)
> > www.sanmina-sci.com
> > Sanmina-SCI India Pvt. Ltd.
> > A51, 2nd Avenue, Anna Nagar,
> > Chennai - 600 102, INDIA.
> >
> > CONFIDENTIALITY
> > This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> >
> > ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

From jp at saucer.midcoast.com Fri Jan 8 14:49:05 2010
From: jp at saucer.midcoast.com (jp) Date: Fri, 8 Jan 2010 14:49:05 -0500 Subject: [c-nsp] Data Center cooling In-Reply-To: <4B460CC9.5010503@opus1.com> References: <4B460CC9.5010503@opus1.com> Message-ID: <20100108194903.GA25109@saucer.midcoast.com> On Thu, Jan 07, 2010 at 09:33:13AM -0700, Joel Snyder wrote: > > Has anyone looked at using outside air to provide data center > > cooling during the winter season ? > > I am aware of Google and Intel research into > > this area but how about on a smaller scale ? > > How about raising ambient > > temperatures as well - do you keep your data centers at 65 or 80 ? > > We do this and we have had mixed success. We have Liebert A/C units which > have something they call an "economizer." Essentially, when the outside > temperature falls below a certain point as measured by a simple thermostat, > the A/C unit moves a damper and instead of sucking hot air from the room to > cool, it sucks cold air from the outside, filters it, and blows it in. At > the same time, it turns off the compressor (because the air is, in theory, > already cold). That's a good description of it. The compressor goes off so it will not ice up. If the coils are compressor-cooled AND taking in fresh damp air, it can ice up really good. We had the damper get stuck once and cause that. We have more than one A/C unit, so one damper failing and messing up the A/C isn't the end of the world. We have 2 A/C systems. The addition of the economizers meant two good sized insulated ducts going from the air handlers to vent grates on the end of the building about 10' off the ground. There is also an exit louver in the hot section to allow efficient pumping of air without over-pressurization. We use an economizer. 44N latitude in Maine. Saves us good cooling money from mid november till april by not running the compressors. We see it looking at the power bills year round. Your climate description doesn't sound like an ideal place to really see the benefits of it. 
If you adjust the switchover temperature conservatively for the low side, you don't really have to worry about fiddling with it. It will of course vary for different locations, loads, building insulation, etc.. We have ours to switch at 48f, but could switch at a higher temp if we had a lesser load. We keep the space at 72f. We use 1-wire sensors to monitor temperature. > In the sales presentations and talking to A/C gurus, it all sounded very > smart and economical, but we've found that the actual management of the > damper and the temperature that it shifts are very delicate settings. > Depending on the time of the day (i.e., is there sunlight on that side of > the building or not?) and the season of the year (i.e., is this just a > little cold snap or an extended period?), as well as the outside humidity > level (is it very different from the humidity in the room or not?), the > temperature has to be adjusted a bit in each direction. Our units don't > have a computer control for that, so that means someone goes out every few > weeks with a screwdriver and manually fiddles the economizer thermostat > settings. > > We can compensate a bit on the computer control side by changing the the > system thermostat around a few degrees, but there is no direct linkage > between the economizer part of the system--it's completely independent, > essentially an add-on--and the rest of the cooling system. > > I honestly can't tell whether we are saving any money on this or not, but > for our latitude and climate, I would not recommend it to anyone else. We > have had to replace the thermostats and damper controllers, and that eats > up $300 to $500 for every service call. Plus, while we were learning about > it, we had some midnight room-got-too-hot moments, which also cost us. 
> > I think that if you lived someplace where it was in the 5C/40F range or > below day-round for weeks at a time, this would probably work (assuming > that you have physical ability to install this kind of unit). In our > climate, where it is 5C/40F for 8 hours at night and 20C/70F the rest of > the day, for our 3 month winter, it was probably not the right decision. > > jms > > -- > Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 > Senior Partner, Opus One Phone: +1 520 324 0494 > jms at Opus1.COM http://www.opus1.com/jms > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- /* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL KB1IOJ | Broadband Internet Access, Dialup, and Hosting http://f64.nu/ | for Midcoast Maine http://www.midcoast.com/ */ From cnsp at shreddedmail.com Fri Jan 8 15:44:55 2010 From: cnsp at shreddedmail.com (Rick Ernst) Date: Fri, 8 Jan 2010 12:44:55 -0800 Subject: [c-nsp] Difference in OSPF maximum-paths - operational problem? Message-ID: I have several generations of Cisco equipment in my network, and am in the middle of a rolling upgrade. There are currently 3 core routers and all routers in the network use OSPF maximum-paths 6. With an A/B network and 3 cores, this works fine. Some of the equipment is limited to 6 paths, some can handle 8. If I add the 4th router, I'll have 7 paths (the new cores will be either "A" or "B", not both). Will OSPF just pick 6 of the 7 possible paths, or is something horrible going to happen? Thanks, Rick From ross at kallisti.us Fri Jan 8 15:47:21 2010 
From: ross at kallisti.us (Ross Vandegrift)
Date: Fri, 8 Jan 2010 15:47:21 -0500
Subject: [c-nsp] VRF->Global route leaking in multi-VRF CE installation
In-Reply-To: <4a80ecce1001061004x26812a49k968ca0d2cd6fda28@mail.gmail.com>
References: <20100106142806.GA16336@kallisti.us> <20100106170553.GA17269@kallisti.us> <4a80ecce1001061004x26812a49k968ca0d2cd6fda28@mail.gmail.com>
Message-ID: <20100108204721.GC1917@kallisti.us>

On Wed, Jan 06, 2010 at 10:04:37AM -0800, Kenny Sallee wrote:
> My .02 is that you should put everything in VRF's (even the global table)
> and use route-target import/export and import maps (if required) to control
> routing domains.
>
> Question - can you use 'neighbor allowas-in' instead of as-override? I'm
> not sure why your BGP AS-PATH was wrong in scenario #3 above - but I'm using
> that in a very similar scenario in my lab to solve the problem of having the
> same eBGP AS used at 2 different sites connected to 2 different PE routers.
> BGP won't advertise a path it receives w/ it's own ASN in the path
>
> http://www.cisco.com/en/US/docs/ios/12_3t/mpls/command/reference/mp_n5gt.html#wp1007547

I don't see how allowas-in would help - my ASN doesn't even appear in those routes yet. They come out the other side as eBGP routes with whatever private ASN I used to make the session to eBGP.

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From jp at saucer.midcoast.com Fri Jan 8 15:16:18 2010
From: jp at saucer.midcoast.com (jp)
Date: Fri, 8 Jan 2010 15:16:18 -0500
Subject: [c-nsp] Data Center cooling
In-Reply-To: <20100107185927.GA31395@ovh.net>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan> <20100107185927.GA31395@ovh.net>
Message-ID: <20100108201607.GA29833@saucer.midcoast.com>

Nice set of youtube videos! I like 4 generator startup "Test de groupes" and the hard drive dominoes.

On Thu, Jan 07, 2010 at 07:59:28PM +0100, oles at ovh.net wrote:
> > I would imagine, however, that we will see increasing data center
> > temperatures more and more in the coming years.
>
> In 2004 & 2007 we developed the EcoDatacenter. 12 months per year,
> we use only the water & outside air for the cooling on our 70 000
> dedicated servers that we host. We are #1 in Europe. Our PUE = 1.12.
> it means we don't waste the power for the cooling. That is why our
> prices are cheaper and our customers love it. It's our marketing.
> Some videos:
> http://www.youtube.com/user/OvhComOnVousHeberge
>

--
/* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
   KB1IOJ          | Broadband Internet Access, Dialup, and Hosting
   http://f64.nu/  | for Midcoast Maine http://www.midcoast.com/ */

From devon at noved.org Fri Jan 8 15:01:59 2010
From: devon at noved.org (Devon True) Date: Fri, 08 Jan 2010 15:01:59 -0500 Subject: [c-nsp] Using Advanced IP vs Advanced Enterprise IOS Image Message-ID: <4B478F37.9060403@noved.org> All: I am looking at upgrading our Cat6500s (Sup720/MSFC3) and we currently run an Advanced Enterprise image. Since we are an IP-only shop, I am looking at using Advanced IP instead, but I didn't know if it brought any advantages or disadvantages. Does it offer any savings in memory or other resources? We have 512MB of flash space, so that is not a concern. Thanks for any input! -- Devon From dcp at dcptech.com Fri Jan 8 16:02:33 2010 From: dcp at dcptech.com (David Prall) Date: Fri, 8 Jan 2010 16:02:33 -0500 Subject: [c-nsp] Difference in OSPF maximum-paths - operational problem? In-Reply-To: References: Message-ID: <003a01ca90a5$f7a01eb0$e6e05c10$@com> It is my experience that 6 of the 7 will randomly be chosen, each time an SPF run is done a different 6th could be installed. With enough CPU power it shouldn't cause issues, but in the past I've seen routers running close to the limit that cause traffic loss. This was with the default configuration of 4 and having the possibility of 8 though, so we may have been removing all 4 active and replacing them at times. We upped the maximum to 8 and never had the issue again. David -- http://dcp.dcptech.com > -----Original Message----- 
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Rick Ernst > Sent: Friday, January 08, 2010 3:45 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Difference in OSPF maximum-paths - operational > problem? > > I have several generations of Cisco equipment in my network, and am in > the > middle of a rolling upgrade. There are currently 3 core routers and > all > routers in the network use OSPF maximum-paths 6. With an A/B network > and 3 > cores, this works fine. Some of the equipment is limited to 6 paths, > some > can handle 8. > > > If I add the 4th router, I'll have 7 paths (the new cores will be > either "A" > or "B", not both). Will OSPF just pick 6 of the 7 possible paths, or > is > something horrible going to happen? > > Thanks, > Rick > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Fri Jan 8 16:44:59 2010 
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 08 Jan 2010 22:44:59 +0100
Subject: [c-nsp] MPLS TTL exceeded "problems"
Message-ID: <1262987099.20208.27.camel@localhost>

Hi,

We have a (probably common) cosmetic problem regarding MPLS LSRs sending ICMP TTL exceeded along the LSP that carries the traffic.

The "problem" is that when the exit PE receives the packet it doesn't do a RIB lookup (to send the traffic back to the correct recipient) but instead it just uses the "adjacency" from the MPLS forwarding table to send it to the next (non MPLS) device.

Is there any (easy-ish) way to force the exit PE to do a RIB lookup (e.g. using the allocated aggregate label) and send the packet the right way by itself? If so, would there be any significant performance penalty from this on a Sup720/PFC3B?

The reason why it doesn't work now is that the device after the exit PE is a firewall. Specifically FWSM v3.1. It denies the ICMP TTL Exceeded, stating "no matching session" as the reason. When the trace probes have got to the point (TTL wise) where they pass the firewall, all TTL expired replies are accepted and in the end received by the originating client. If there's a way to make a FWSM accept TTL expired like this I'd love to know. (I tried "same-security-traffic permit intra-interface" to defeat the "no xlate" but then the reverse path check fails. I even tested with no reverse path checking, but still couldn't make it pass (=return) the ICMP TTL expired packets.)

An example:

 +--------+
 | Host X |
 +--------+
    |
    | IP
  +---+      +---+        +---+        +---+
  | A |------| B |--------| C |--------| D |
  +---+  IP  +---+  MPLS  +---+  MPLS  +---+
                                         |
                                         | IP
                                   +----------+
                                   | Firewall |
                                   +----------+
                                         | IP
                                         |
  +---+  IP  +---+  MPLS  +---+  MPLS  +---+
  | H |------| G |--------| F |--------| E |
  +---+      +---+        +---+        +---+
    | IP
    |
 +--------+
 | Host Y |
 +--------+

 A is a "regular" IP router (CPE).
 B is a PE/LER doing tag imposition
 C is a P/LSR doing tag switching
 D is a PE/LER doing tag disposition
 The firewall is a FWSM v3.1
 E is a PE/LER doing tag imposition
 F is a P/LSR doing tag switching
 G is a PE/LER doing tag disposition
 H is a "regular" IP router (CPE)

An example traceroute gives:

 1  [A]
 2  [B]
 3  *
 4  [D]
 5  [E]
 6  [F]
 7  [G]
 8  [H]
 9  [Y] Done

Since the path A -> D is often many hops some people tend to get confused and report this as an error. Or even worse: Use this as "proof" of the network being the cause of some badly configured server. :-|

--
Peter

From kilobit at gmail.com Fri Jan 8 18:14:11 2010
From: kilobit at gmail.com (bas)
Date: Sat, 9 Jan 2010 00:14:11 +0100
Subject: [c-nsp] Data Center cooling
In-Reply-To: <20100107185927.GA31395@ovh.net>
References: <17838240D9A5544AAA5FF95F8D520316074E7EE9@ad-exh01.adhost.lan> <20100107185927.GA31395@ovh.net>
Message-ID:

Hi,

On Thu, Jan 7, 2010 at 7:59 PM, wrote:
> In 2004 & 2007 we developed the EcoDatacenter. 12 months per year,
> we use only the water & outside air for the cooling on our 70 000
> dedicated servers that we host.

But aren't those airco compressors I see in this movie?

http://www.youtube.com/user/OvhComOnVousHeberge#p/u/6/xtmkS1-4WTY ( at approx 2:03)

Bas

From pshem.k at gmail.com Fri Jan 8 18:14:18 2010
From: pshem.k at gmail.com (Pshem Kowalczyk) Date: Sat, 9 Jan 2010 12:14:18 +1300 Subject: [c-nsp] MPLS TTL exceeded "problems" In-Reply-To: <1262987099.20208.27.camel@localhost> References: <1262987099.20208.27.camel@localhost> Message-ID: <20fe625b1001081514g6bcdc075te07b1185c923fe33@mail.gmail.com> Hi, You're right, it's quite common. We hit it on the sup720 (3bxl). The simple answer is what you're asking for can't be done. According to some Cisco guys we spoke to the hardware is not capable of doing that lookup if there is a forwarding adjacency. We tried various tricks (creating aggregates, pseudo-aggregates (like 0.0.0.0/1 ;-) ) none of that worked - in the best case scenario the control plane showed the correct information, but the packet wasn't processed correctly. kind regards Pshem 2010/1/9 Peter Rathlev : > Hi, > > We have a (probably common) cosmetic problem regarding MPLS LSRs sending > ICMP TTL exceeded along the LSP that carries the traffic. > > The "problem" is that when the exit PE receives the packet it doesn't do > a RIB lookup (to send the traffic back to the correct recipient) but > instead it just uses the "adjacency" from the MPLS forwarding table to > send it to the next (non MPLS) device. > > Is there any (easy-ish) way to force the exit PE to do a RIB lookup > (e.g. using the allocated aggregate label) and send the packet the right > way by itself? If so, would there be any significant performance penalty > from this on a Sup720/PFC3B? > > The reason why it doesn't work now is that the device after the exit PE > is a firewall. Specifically FWSM v3.1. It denies the ICMP TTL Exceeded, > stating "no matching session" as the reason. When the trace probes have > got to the point (TTL wise) where they pass the firewall, all TTL > expired replies are accepted and in the end received by the originating > client. If there's a way to make a FWSM accept TTL expired like this I'd > love to know. 
(I tried "same-security-traffic permit intra-interface" to > defeat the "no xlate" but then the reverse path check fails. I even > tested with no reverse path checking, but still couldn't make it pass > (=return) the ICMP TTL expired packets.) > > An example: > > +--------+ > | Host X | > +--------+ > | > | IP > +---+ +---+ +---+ +---+ > | A |------| B |--------| C |--------| D | > +---+ IP +---+ MPLS +---+ MPLS +---+ > | > | IP > +----------+ > | Firewall | > +----------+ > | IP > | > +---+ IP +---+ MPLS +---+ MPLS +---+ > | H |------| G |--------| F |--------| E | > +---+ +---+ +---+ +---+ > | IP > | > +--------+ > | Host Y | > +--------+ > > A is a "regular" IP router (CPE). > B is a PE/LER doing tag imposition > C is a P/LSR doing tag switching > D is a PE/LER doing tag disposition > The firewall is a FWSM v3.1 > E is a PE/LER doing tag imposition > F is a P/LSR doing tag switching > G is a PE/LER doing tag disposition > H is a "regular" IP router (CPE) > > > An example traceroute gives: > > 1 [A] > 2 [B] > 3 * > 4 [D] > 5 [E] > 6 [F] > 7 [G] > 8 [H] > 9 [Y] Done > > Since the path A -> D is often many hops some people tend to get > confused and report this as an error. Or even worse: Use this as "proof" > of the network being the cause of some badly configured server. :-| > > -- > Peter > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ler762 at gmail.com Fri Jan 8 18:27:10 2010
From: ler762 at gmail.com (Lee) Date: Fri, 8 Jan 2010 18:27:10 -0500 Subject: [c-nsp] Using Advanced IP vs Advanced Enterprise IOS Image In-Reply-To: <4B478F37.9060403@noved.org> References: <4B478F37.9060403@noved.org> Message-ID: On Fri, Jan 8, 2010 at 3:01 PM, Devon True wrote: > All: > > I am looking at upgrading our Cat6500s (Sup720/MSFC3) and we currently > run an Advanced Enterprise image. Since we are an IP-only shop, I am > looking at using Advanced IP instead, but I didn't know if it brought > any advantages or disadvantages. Does it offer any savings in memory or > other resources? We have 512MB of flash space, so that is not a concern. > I used feature navigator to compare the enterprise version to the advanced ip version. I didn't see anything we wanted that was only in Enterprise, so went with advanced IP. I don't know if it has any savings in memory or other resources, but not having all those features that aren't going to be used seems a plus. As well as not having to put a "no mop ena" on every interface :) It just occurred to me that 'ttcp' used to be only in the Enterprise version.. no idea if it's in advanced IP now [not being at work] or if there's any other "goodies" that are only in Enterprise. Regards, Lee From markom at ipexpert.com Fri Jan 8 18:39:28 2010 
From: markom at ipexpert.com (Marko Milivojevic) Date: Sat, 9 Jan 2010 00:39:28 +0100 Subject: [c-nsp] spanning-tree bpdufilter leaks In-Reply-To: <4B476879.2070802@ttec.com> References: <4B469FB7.6050208@ttec.com> <6069A203FD01884885C037F81DD750801742DA107A@wsc-mail-01.intra.nwresd.k12.or.us> <4B476879.2070802@ttec.com> Message-ID: <4a15acd91001081539x20bb08c3ia31fc69778a617c3@mail.gmail.com> On Fri, Jan 8, 2010 at 18:16, Joe Maimon wrote: > > > Bill Blackford wrote: >> >> Do you have any details? >> Models? Code vers? >> >> -b > > 3524XL, 12.0(5)WC17 Oh. You should perhaps look for something newer... This model has been end-of-life since 2002. I am curious though - when do leaks occur? -- Marko Milivojevic - CCIE #18427 Senior Technical Instructor - IPexpert Mailto: markom at ipexpert.com Telephone: +1.810.326.1444 Fax: +1.810.454.0130 Community: http://www.ipexpert.com/communities From jckdaniels12 at gmail.com Sat Jan 9 07:47:41 2010 From: jckdaniels12 at gmail.com (jack daniels) Date: Sat, 9 Jan 2010 18:17:41 +0530 Subject: [c-nsp] Service Provider products Message-ID: <8bb137f41001090447j4f26508lae8cacb9cc3d36b9@mail.gmail.com> Hi, please help me with any link or book which can help enhance knowledge in SP (MPLS/ISP) products/cards/design BASICALLY for a Solution architect guy. Thanks From bob at tink.com Sat Jan 9 09:33:17 2010
From: bob at tink.com (Bob Tinkelman) Date: Sat, 09 Jan 2010 09:33:17 -0500 (EST) Subject: [c-nsp] BGP - Announcing routes to Internet providers. In-Reply-To: "Your message dated Mon, 04 Jan 2010 15:42:08 -0500" <72814585-3C40-4FD9-8F6F-0A682E689DA4@puck.nether.net> References: Message-ID: <01NI92P8ZICK8XIT3D@queens.tink.com> I know I'm replying to an email from the beginning of the thread, but... >> I am trying to figure out if there is a >> different/newer/better(?) way to announce our public IP >> ranges to our Internet providers, currently we are declaring >> our subnets in 'network statements' in the BGP >> configuration, we have static routes setup like ip route >> x.x.x.x 255.255.224.0 Null0 254 and then we have a extended >> access-list applied to each peer with our net blocks listed >> in them. >> It appears that because of the network statements, the >> supernet routes (/18s, /19s, etc) are being distributed via >> BGP to the rest of the network which is by design(I assume). >> This doesn't seem ideal because if traffic is sent to an IP >> address that doesn't have a more specific route than say >> /18, or /19 it travels all the way through the network to >> the edge before stopping. I might be blowing the impact of >> this out of proportion, but it just seems like a waste of >> resources. >> Does anyone know of a seemingly more sensible way of doing >> this? > You could always tag these hold-down routes with a > community, then when someone sends a packet to them, the > next-hop could be rewritten to a local discard/null0 > instance. > This should allow you to distribute the load instead of > backhauling the traffic to the final destination/aggregation > location. > - Jared I can think of one possible trap here when implementing this on a network where o Some routers have only partial routing tables. 
o Jared's suggestion to black-hole the hold-down routes is implemented on these routers (and not just on edge routers, as was suggested elsewhere in the thread). o Subnets of an aggregate are allocated to dual-homed customers. Unless you arrange that upstream-heard bgp-announcements of these subnets are propagated to your partial-routing-table routers, those routers will be unable to reach the dual- homed customers when its link is down to you, even if its link to another upstream is working. The above may seem like a very unusual combination of circumstances, but Cogent has been known to commit a very similar sin on the edge portions of their net between their "A-peers" and "B-peers". - Bob From jared at puck.nether.net Sat Jan 9 15:00:17 2010 
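Jared's tagged hold-down scheme, together with the checks that Bob's trap calls for, written out as an added IOS configuration example. This is not configuration from either poster: the AS numbers (64496, 64497), the aggregate (10.0.0.0/18), the customer block (10.0.5.0/24), the discard address (192.0.2.1), the neighbour addresses and the community value (64496:666) are all placeholders.

```ios
! Added example, not configuration posted in this thread. AS 64496/64497,
! 10.0.0.0/18, 10.0.5.0/24, 192.0.2.1, the neighbour addresses and the
! community 64496:666 are placeholders.
!
! ---- Aggregation router: originates the /18 and tags it as hold-down ----
ip route 10.0.0.0 255.255.192.0 Null0 254
!
route-map HOLDDOWN-ORIGINATE permit 10
 set community 64496:666
!
router bgp 64496
 network 10.0.0.0 mask 255.255.192.0 route-map HOLDDOWN-ORIGINATE
!
! ---- Every other router (edge routers included): discard locally ----
! The next hop is rewritten on the way in, so traffic for unallocated
! space inside the aggregate dies on the first router that sees it
! instead of being backhauled to the aggregation router.
ip route 192.0.2.1 255.255.255.255 Null0
!
ip community-list standard HOLDDOWN permit 64496:666
!
route-map IBGP-IN permit 10
 match community HOLDDOWN
 set ip next-hop 192.0.2.1
route-map IBGP-IN permit 20
!
router bgp 64496
 neighbor 10.255.0.1 remote-as 64496
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 route-map IBGP-IN in
!
! ---- Edge routers: strip the community from anything learned externally ----
! Otherwise an external peer can blackhole any prefix in the network
! simply by tagging it with 64496:666.
route-map EBGP-IN permit 10
 set comm-list HOLDDOWN delete
!
router bgp 64496
 neighbor 203.0.113.2 remote-as 64497
 neighbor 203.0.113.2 route-map EBGP-IN in
!
! ---- Bob's trap, checked on a partial-table router ----
! A dual-homed customer inside the aggregate (10.0.5.0/24) must resolve
! to its own route, learned via the upstream when its link to us is down,
! and not fall through to the tagged /18 pointing at 192.0.2.1:
! show ip route 10.0.5.1
! show ip bgp 10.0.5.0 255.255.255.0
```

The inbound next-hop rewrite is local to each router, so the aggregate is re-advertised unchanged to iBGP neighbours further along. A router that does not carry a full table still has to receive the dual-homed customer's upstream-learned more-specific before the hold-down stops mattering for that customer, which is exactly the case Bob describes. Stripping the community on eBGP ingress is the part a security review would insist on.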
From: jared at puck.nether.net (Jared Mauch) Date: Sat, 9 Jan 2010 15:00:17 -0500 Subject: [c-nsp] MPLS TTL exceeded "problems" In-Reply-To: <20fe625b1001081514g6bcdc075te07b1185c923fe33@mail.gmail.com> References: <1262987099.20208.27.camel@localhost> <20fe625b1001081514g6bcdc075te07b1185c923fe33@mail.gmail.com> Message-ID: Just curious, did you try to enable "mls mpls tunnel-recir"? - Jared On Jan 8, 2010, at 6:14 PM, Pshem Kowalczyk wrote: > Hi, > > You're right, it's quite common. We hit it on the sup720 (3bxl). The > simple answer is what you're asking for can't be done. According to > some Cisco guys we spoke to the hardware is not capable of doing that > lookup if there is a forwarding adjacency. > We tried various tricks (creating aggregates, pseudo-aggregates (like > 0.0.0.0/1 ;-) ) none of that worked - in the best case scenario the > control plane showed the correct information, but the packet wasn't > processed correctly. > > kind regards > Pshem > > 2010/1/9 Peter Rathlev : >> Hi, >> >> We have a (probably common) cosmetic problem regarding MPLS LSRs sending >> ICMP TTL exceeded along the LSP that carries the traffic. >> >> The "problem" is that when the exit PE receives the packet it doesn't do >> a RIB lookup (to send the traffic back to the correct recipient) but >> instead it just uses the "adjacency" from the MPLS forwarding table to >> send it to the next (non MPLS) device. >> >> Is there any (easy-ish) way to force the exit PE to do a RIB lookup >> (e.g. using the allocated aggregate label) and send the packet the right >> way by itself? If so, would there be any significant performance penalty >> from this on a Sup720/PFC3B? >> >> The reason why it doesn't work now is that the device after the exit PE >> is a firewall. Specifically FWSM v3.1. It denies the ICMP TTL Exceeded, >> stating "no matching session" as the reason. 
When the trace probes have >> got to the point (TTL wise) where they pass the firewall, all TTL >> expired replies are accepted and in the end received by the originating >> client. If there's a way to make a FWSM accept TTL expired like this I'd >> love to know. (I tried "same-security-traffic permit intra-interface" to >> defeat the "no xlate" but then the reverse path check fails. I even >> tested with no reverse path checking, but still couldn't make it pass >> (=return) the ICMP TTL expired packets.) >> >> An example: >> >> +--------+ >> | Host X | >> +--------+ >> | >> | IP >> +---+ +---+ +---+ +---+ >> | A |------| B |--------| C |--------| D | >> +---+ IP +---+ MPLS +---+ MPLS +---+ >> | >> | IP >> +----------+ >> | Firewall | >> +----------+ >> | IP >> | >> +---+ IP +---+ MPLS +---+ MPLS +---+ >> | H |------| G |--------| F |--------| E | >> +---+ +---+ +---+ +---+ >> | IP >> | >> +--------+ >> | Host Y | >> +--------+ >> >> A is a "regular" IP router (CPE). >> B is a PE/LER doing tag imposition >> C is a P/LSR doing tag switching >> D is a PE/LER doing tag disposition >> The firewall is a FWSM v3.1 >> E is a PE/LER doing tag imposition >> F is a P/LSR doing tag switching >> G is a PE/LER doing tag disposition >> H is a "regular" IP router (CPE) >> >> >> An example traceroute gives: >> >> 1 [A] >> 2 [B] >> 3 * >> 4 [D] >> 5 [E] >> 6 [F] >> 7 [G] >> 8 [H] >> 9 [Y] Done >> >> Since the the path A -> D is often many hops some people tend to get >> confused and report this as an error. Or even worse: Use this as "proof" >> of the network being the cause of some badly configured server. 
:-| >> >> -- >> Peter >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Sat Jan 9 16:03:55 2010 From: peter at rathlev.dk (Peter Rathlev) Date: Sat, 09 Jan 2010 22:03:55 +0100 Subject: [c-nsp] MPLS TTL exceeded "problems" In-Reply-To: References: <1262987099.20208.27.camel@localhost> <20fe625b1001081514g6bcdc075te07b1185c923fe33@mail.gmail.com> Message-ID: <1263071035.27504.2.camel@localhost> On Sat, 2010-01-09 at 15:00 -0500, Jared Mauch wrote: > Just curious, did you try to enable "mls mpls tunnel-recir"? Yup, tried with it enabled. Actually, only tried it with recirculation enabled. I guess if it were to make a difference it would surely be in favor of enabling it. -- Peter From bob_arthurs at hotmail.co.uk Sat Jan 9 18:31:47 2010 
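The usual operator workaround for the cosmetic side of this, as an added example that nobody in the thread proposed and that does not fix the FWSM drop itself: stop copying the IP TTL into the label header for transit traffic, so a customer's probe never expires inside the LSP and no P router ever has to source an ICMP Time Exceeded that the egress PE would then push out along the adjacency. Router letters refer to Peter's diagram.

```ios
! Added example, not from any poster. Apply on every PE that imposes
! labels (B, D, E and G in Peter's diagram, since each direction has
! its own ingress PE). This is a global command.
!
! "forwarded" limits the change to transit packets: traceroute and ping
! sourced by the PE itself keep propagating TTL and still see the core.
no mpls ip propagate-ttl forwarded
!
! Confirm it is in place (the default, "mpls ip propagate-ttl", does not
! appear in the running configuration):
! show running-config | include propagate-ttl
!
! Expected change in Peter's trace from Host X to Host Y:
!   before: 1 [A]  2 [B]  3 *    4 [D]  5 [E]  6 [F]  7 [G]  8 [H]  9 [Y]
!   after:  1 [A]  2 [B]  3 [D]  4 [E]  5 [G]  6 [H]  7 [Y]
! C and F no longer appear at all. The "*" is gone because C never
! decrements a customer's TTL to zero, not because its reply now gets home.
```

Keeping P routers out of customer-facing traceroutes is a side effect many operators want anyway, since it keeps core infrastructure addresses out of view; but it is concealment, not a fix, and the egress PE still forwards any ICMP that the core does generate along the adjacency towards the firewall, where the FWSM will drop it exactly as before.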
From: bob_arthurs at hotmail.co.uk (Bob Arthurs) Date: Sat, 9 Jan 2010 23:31:47 +0000 Subject: [c-nsp] BGP Peer Group drawbacks??? Message-ID: Hi all, A colleague recently told me not to use BGP peer groups because he insists that there are drawbacks to using them. Does anyone know of any drawbacks to peer groups???? I dug the following up on the Cisco website: "Cisco IOS Software Releases earlier than 11.1(18)CC have the limitations described in this section. Failure to adhere to these rules can result in inconsistent routing. If you use peer groups for clients of a route reflector, all the clients must be fully meshed. If you use an eBGP peer group, transit cannot be provided among the peer group members. All eBGP peer group members must be from the same subnet to avoid non-connected next hop announcements. However, these limitations were removed starting with Cisco IOS Software Releases 11.1(18)CC, 11.3(4), and 12.0. Only the router on which the peer groups are defined needs to be upgraded to the new code." But the above limitations have now gone, so I can't think of what drawbacks he might be referring to. Anyone know?? Thanks in advance! From ras at e-gerbil.net Sat Jan 9 18:44:22 2010
From: ras at e-gerbil.net (Richard A Steenbergen) Date: Sat, 9 Jan 2010 17:44:22 -0600 Subject: [c-nsp] BGP Peer Group drawbacks??? In-Reply-To: References: Message-ID: <20100109234422.GJ75640@gerbil.cluepon.net> On Sat, Jan 09, 2010 at 11:31:47PM +0000, Bob Arthurs wrote: > > Hi all, > > A colleague recently told me not to use BGP peer groups because he > insists that there a drawbacks to using them. > > Does anyone know of any drawbacks to peer groups???? > > I dug the following up on the Cisco website: > > "Cisco IOS Software Releases earlier than 11.1(18)CC have the 1998 called, it wants its release notes back. The modern version you should be using instead of peer groups is bgp templates: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From steve at ibctech.ca Sat Jan 9 21:53:51 2010 From: steve at ibctech.ca (Steve Bertrand) Date: Sat, 09 Jan 2010 21:53:51 -0500 Subject: [c-nsp] Service Provider products In-Reply-To: <8bb137f41001090447j4f26508lae8cacb9cc3d36b9@mail.gmail.com> References: <8bb137f41001090447j4f26508lae8cacb9cc3d36b9@mail.gmail.com> Message-ID: <4B49413F.3090108@ibctech.ca> jack daniels wrote: > Hi, > > please help me with any link or book which can help enhace knowledge in SP > (MPLS/ISP) products/cards/design BASICALLY for a Solution architect guy. ....google.ca? I was going to name books, but your question is pretty undefined. The mentioned link will get you started. Steve From steve at ibctech.ca Sat Jan 9 22:04:39 2010 
From: steve at ibctech.ca (Steve Bertrand) Date: Sat, 09 Jan 2010 22:04:39 -0500 Subject: [c-nsp] BGP Peer Group drawbacks??? In-Reply-To: <20100109234422.GJ75640@gerbil.cluepon.net> References: <20100109234422.GJ75640@gerbil.cluepon.net> Message-ID: <4B4943C7.1060102@ibctech.ca> Richard A Steenbergen wrote: > On Sat, Jan 09, 2010 at 11:31:47PM +0000, Bob Arthurs wrote: >> Hi all, >> >> A colleague recently told me not to use BGP peer groups because he >> insists that there a drawbacks to using them. >> >> Does anyone know of any drawbacks to peer groups???? >> >> I dug the following up on the Cisco website: >> >> "Cisco IOS Software Releases earlier than 11.1(18)CC have the > > 1998 called, it wants its release notes back. The modern version you > should be using instead of peer groups is bgp templates: ...What...? ...Why? At what scale should one consider dumping peer-group? When should one switch to templates? How about a mix of groups AND templates? Please have 1998 call me and let me know that my peer groups aren't working for me. Unless 1998 can provide many valid reasons and an automated strategy, why are you recommending such a blind fix? imho, this is NOT what the OP needed to hear. You don't even know what IOS ver he's using. Steve From kenny.sallee at gmail.com Sun Jan 10 00:42:01 2010 
From: kenny.sallee at gmail.com (Kenny Sallee) Date: Sat, 9 Jan 2010 21:42:01 -0800 Subject: [c-nsp] BGP Peer Group drawbacks??? In-Reply-To: <4B4943C7.1060102@ibctech.ca> References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca> Message-ID: <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com> > > > 1998 called, it wants its release notes back. The modern version you > > should be using instead of peer groups is bgp templates: > > ...What...? ...Why? > > At what scale should one consider dumping peer-group? When should one > switch to templates? How about a mix of groups AND templates? > > Seems to me that peer/session templates would allow you to get more granular with your BGP configuration than peer-groups due to their inheritance feature. So it makes sense to me. I don't think scale is the only deciding factor between peer group and templates. I think it also depends on the complexity of your routing policy and # of prefixes etc... I guess a question could be - why wouldn't you use templates - even for a simple BGP config? Any ISP ops on the list - do you use templates, peer-groups - or both? To the original poster - perhaps you can decide for yourself? See here: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html#wp1027129 and a good explanation here with configurations http://cciethebeginning.wordpress.com/2009/01/09/358/ From markom at ipexpert.com Sun Jan 10 01:05:01 2010
From: markom at ipexpert.com (Marko Milivojevic) Date: Sun, 10 Jan 2010 07:05:01 +0100 Subject: [c-nsp] BGP Peer Group drawbacks??? In-Reply-To: <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com> References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca> <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com> Message-ID: <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com> > Seems to me that peer/session templates would allow you to get more granular > with your BGP configuration then peer-groups due to > their inheritance feature. So it makes sense to me. > > I don't think scale is the only deciding factor between peer group and > templates. I think it also depends on the complexity of your routing policy > and # of prefix's etc...I guess a question could be - why wouldn't you use > templates - even for a simple BGP config? Any ISP ops on the list - do you > use templates, peer-groups - or both? > > To the original poster - perhaps you can decide for yourself? See here: > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html#wp1027129 > and > a good explanation here with configurations > http://cciethebeginning.wordpress.com/2009/01/09/358/ Well... comparing peer-groups and templates is just a little bit like comparing apples and oranges. They were meant to solve different problems. When they were introduced, peer-groups were used to optimize the updates sent to neighbors. I.e. using peer-groups had impact on your CPU in such a way that members of the same peer group shared the same update that was only replicated. Non-peer-group peers had to have their updates built separately, even though it may end up being the same. The fact that the peer-groups had this nice side effect of being able to group configuration and make deployments somewhat easier, was never their primary purpose in life... and that shows, as they look unnatural and are not very flexible. 
Naturally, over the years, Cisco found the way to optimize updates automatically (using update-groups) and the only purpose of peer-groups was to group commands together. Since they were not doing that as well as one would hope (whoever configured peer-groups in multiple address-families probably knows how ... "intuitive" that is), another solution needed to be made. This is how we got templates, whose only purpose is to group configurations and they do pretty good job at that. All that said, for all new deployments, I would suggest using templates and not peer-groups... they could disappear at any time. -- Marko Milivojevic - CCIE #18427 Senior Technical Instructor - IPexpert Mailto: markom at ipexpert.com Telephone: +1.810.326.1444 Fax: +1.810.454.0130 Community: http://www.ipexpert.com/communities From p.mayers at imperial.ac.uk Sun Jan 10 08:19:01 2010 
From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Sun, 10 Jan 2010 13:19:01 +0000 Subject: [c-nsp] BGP Peer Group drawbacks??? In-Reply-To: <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com> References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca> <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com> Message-ID: <4B49D3C5.5050709@imperial.ac.uk> > and # of prefix's etc...I guess a question could be - why wouldn't you use > templates - even for a simple BGP config? Any ISP ops on the list - do you > use templates, peer-groups - or both? We use templates, including inheritance. They're very handy. From memory however, some things don't quite work with them - the only specific example I can think of is using a "bgp listen" e.g. on a route-reflector, which will allow any BGP router from a particular subnet range to connect. IIRC on 12.2SX, when I tried it, it didn't support templates, just peer-groups. We see some oddities with VPNv4 AFs too; the send-community commands seem to not get inherited, but are automatically added to the neighbour statements, and soft-reconfig refuses to apply, but AFAICT these are cosmetic. That said, we use a peer-group in one or two places where the config is very simple and confined to one router (anycast DNS via eBGP, specifically) I would use templates in a new deployment, and recommend against peer-groups - Marko's email has an excellent summary of the background. From arturnrm at gmail.com Sun Jan 10 08:42:34 2010 
From: arturnrm at gmail.com (Artur) Date: Sun, 10 Jan 2010 11:42:34 -0200 Subject: [c-nsp] BGP Peer Group drawbacks??? In-Reply-To: <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com> References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca> <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com> <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com> Message-ID: <4B49D94A.5080705@gmail.com> Great point Marko, just adding to that, in the most recent IOS versions update-groups are built automatically when you have neighbors with an equal policy configuration. That means, peers belonging to the same peer-group, or with the same peer-policy template or even without peer-groups or templates configured but with the same policy applied. The optimization brought by update-groups is obtained because as all the neighbors have an equal policy IOS knows that it needs to calculate a single set of updates to all of them, in older versions it used to calculate updates for each neighbor, even though they had equal policies. Artur On 1/10/2010 4:05 AM, Marko Milivojevic wrote: >> Seems to me that peer/session templates would allow you to get more granular >> with your BGP configuration then peer-groups due to >> their inheritance feature. So it makes sense to me. >> >> I don't think scale is the only deciding factor between peer group and >> templates. I think it also depends on the complexity of your routing policy >> and # of prefix's etc...I guess a question could be - why wouldn't you use >> templates - even for a simple BGP config? Any ISP ops on the list - do you >> use templates, peer-groups - or both? >> >> To the original poster - perhaps you can decide for yourself? See here: >> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html#wp1027129 >> and >> a good explanation here with configurations >> http://cciethebeginning.wordpress.com/2009/01/09/358/ >> > Well... 
comparing peer-groups and templates is just a little bit like > comparing apples and oranges. They were meant to solve different > problems. > > When they were introduced, peer-groups were used to optimize the > updates sent to neighbors. I.e. using peer-groups had impact on your > CPU in such a way that members of the same peer group shared the same > update that was only replicated. Non-peer-group peers had to have > their updates built separately, even though it may end up being the > same. The fact that the peer-groups had this nice side effect of being > able to group configuration and make deployments somewhat easier, was > never their primary purpose in life... and that shows, as they look > unnatural and are not very flexible. > > Naturally, over the years, Cisco found the way to optimize updates > automatically (using update-groups) and the only purpose of > peer-groups was to group commands together. Since they were not doing > that as well as one would hope (whoever configured peer-groups in > multiple address-families probably knows how ... "intuitive" that is), > another solution needed to be made. This is how we got templates, > whose only purpose is to group configurations and they do pretty good > job at that. > > All that said, for all new deployments, I would suggest using > templates and not peer-groups... they could disappear at any time. > > -- > Marko Milivojevic - CCIE #18427 > Senior Technical Instructor - IPexpert > > Mailto: markom at ipexpert.com > Telephone: +1.810.326.1444 > Fax: +1.810.454.0130 > Community: http://www.ipexpert.com/communities > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From kenny.sallee at gmail.com Sun Jan 10 14:28:03 2010 
From: kenny.sallee at gmail.com (Kenny Sallee) Date: Sun, 10 Jan 2010 11:28:03 -0800 Subject: [c-nsp] BGP Peer Group drawbacks??? In-Reply-To: <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com> References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca> <4a80ecce1001092142m54d1db72n203f39aa84ae45e6@mail.gmail.com> <4a15acd91001092205k4aede89fte936311ca40d1d9e@mail.gmail.com> Message-ID: <4a80ecce1001101128i2ef66c67h5d43b98fa76ec54@mail.gmail.com> On Sat, Jan 9, 2010 at 10:05 PM, Marko Milivojevic wrote: > > Seems to me that peer/session templates would allow you to get more > granular > > with your BGP configuration then peer-groups due to > > their inheritance feature. So it makes sense to me. > > >Well... comparing peer-groups and templates is just a little bit like > >comparing apples and oranges. They were meant to solve different > >problems. > > I wouldn't say it's quite like apple and oranges for where they stand today though - both are used to group configuration commands and both help to solve BGP table scanning and update resource utilization issues..and they both do it via BGP Dynamic Updates 'in the background' as Artur stated. However, templates allow you to get much more granular with your routing policies. It's more like comparing red apples to green apples - green are more sour (peer groups). I do get the rest of your point and history - it's well stated. Thanks, Kenny From arla at rn.dk Sun Jan 10 15:16:04 2010 
From: arla at rn.dk (Arne Larsen / Region Nordjylland) Date: Sun, 10 Jan 2010 21:16:04 +0100 Subject: [c-nsp] software advice for sup720 on Cisco 6500 and 7600 Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF9D@SRVEXC02.aas.its.nja.dk> Hi all. Can someone give me advice about what software to use. We are currently using TDP and would like to migrate to LDP in our MPLS network. Which release of software supports enabling both at the same time? I've tried 5 or 6 different ones that support both, but can't enable both at the same time. We have some different types of Sup720: WS-SUP720-3BXL, RSP720-3C-GE, WS-SUP720-3CXL, WS-SUP720-3C /Arne From udiamond at gmail.com Sun Jan 10 16:25:38 2010 From: udiamond at gmail.com (Marco) Date: Sun, 10 Jan 2010 22:25:38 +0100 Subject: [c-nsp] VPN Tunnel Question In-Reply-To: <63cd55240912281958i78e7dbeqc56486210a924ba1@mail.gmail.com> References: <63cd55240912231944q7ce895ebxaf829eea861bedb@mail.gmail.com> <63cd55240912281958i78e7dbeqc56486210a924ba1@mail.gmail.com> Message-ID: <4B4A45D2.6060708@gmail.com> On 29/12/09 04.58, O n i wrote: > thanks! > > > I can post the partial config after I edit out some details > > On Thu, Dec 24, 2009 at 15:50, swap m wrote: > Well, post your config pls .... Bye. From markom at ipexpert.com Sun Jan 10 18:15:23 2010
From: markom at ipexpert.com (Marko Milivojevic) Date: Mon, 11 Jan 2010 00:15:23 +0100 Subject: [c-nsp] software advice for sup720 on Cisco 6500 and 7600 In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF9D@SRVEXC02.aas.its.nja.dk> References: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF9D@SRVEXC02.aas.its.nja.dk> Message-ID: <4a15acd91001101515s3cb37c61k88b948ed611b095f@mail.gmail.com> On Sun, Jan 10, 2010 at 21:16, Arne Larsen / Region Nordjylland wrote: > Hi all. > > Can someone give me advice about what software to use. > We are currently using TDP and would like to migrate to LDP in our MPLS network. > Which release of software supports enabling both at the same time? > I've tried 5 or 6 different ones that support both, but can't enable both at the same time. > We have some different types of Sup720: WS-SUP720-3BXL, RSP720-3C-GE, > WS-SUP720-3CXL, WS-SUP720-3C Silly question, but I have to ask it... Have you tried enabling "mpls label protocol both", either globally or on interfaces that you want to run both LDP and TDP? I believe that pretty much every IOS supports running both. I'm yet to see one that supports both, but can't run them concurrently. -- Marko Milivojevic - CCIE #18427 Senior Technical Instructor - IPexpert Mailto: markom at ipexpert.com Telephone: +1.810.326.1444 Fax: +1.810.454.0130 Community: http://www.ipexpert.com/communities From andy.saykao at staff.netspace.net.au Sun Jan 10 18:57:31 2010
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 11 Jan 2010 10:57:31 +1100
Subject: [c-nsp] Service Provider products
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AB09E@vic-cr-ex1.staff.netspace.net.au>

Hi Jack,

I used a multitude of books and online tutorials/labs when designing our MPLS network.

I found this an excellent introduction into the basics of MPLS:

MPLS Fundamentals
By Luc De Ghein

This hands-on lab really helped me put everything together.

Human Modem's MPLS Series - Vol. 2 - MPLS VPN
http://blog.humanmodem.com/?p=121

These are some other books I touched on looking for information specific to what I needed to roll out (L2 VPN, QoS, etc..)

Building MPLS-Based Broadband Access VPN
By Kumar Reddy

Selecting MPLS VPN Services
By Chris Lewis, Steve Pickavance, Monique Morrow, John Monaghan, Craig Huegen

MPLS and VPN Architectures
By Jim Guichard, Ivan Pepelnjak, Jeff Apcar

Hope that helps.

Cheers.

Andy

From ras at e-gerbil.net Mon Jan 11 00:18:50 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sun, 10 Jan 2010 23:18:50 -0600
Subject: [c-nsp] BGP Peer Group drawbacks???
In-Reply-To: <4B4943C7.1060102@ibctech.ca>
References: <20100109234422.GJ75640@gerbil.cluepon.net> <4B4943C7.1060102@ibctech.ca>
Message-ID: <20100111051850.GO75640@gerbil.cluepon.net>

On Sat, Jan 09, 2010 at 10:04:39PM -0500, Steve Bertrand wrote:
> Richard A Steenbergen wrote:
> > On Sat, Jan 09, 2010 at 11:31:47PM +0000, Bob Arthurs wrote:
> >> Hi all,
> >>
> >> A colleague recently told me not to use BGP peer groups because he
> >> insists that there are drawbacks to using them.
> >>
> >> Does anyone know of any drawbacks to peer groups????
> >>
> >> I dug the following up on the Cisco website:
> >>
> >> "Cisco IOS Software Releases earlier than 11.1(18)CC have the
> >
> > 1998 called, it wants its release notes back. The modern version you
> > should be using instead of peer groups is bgp templates:
>
> ...What...? ...Why?
>
> At what scale should one consider dumping peer-group? When should one
> switch to templates? How about a mix of groups AND templates?
>
> Please have 1998 call me and let me know that my peer groups aren't
> working for me.
>
> Unless 1998 can provide many valid reasons and an automated strategy,
> why are you recommending such a blind fix?
>
> imho, this is NOT what the OP needed to hear. You don't even know what
> IOS ver he's using.

Are you retarded? The release notes he is quoting are from 1998; anyone who is still running 11.1(18)CC probably has bigger problems than their peer groups.

As for BGP templates, it has nothing to do with scale. BGP templates are simply the newer and better replacement for the peer group functionality, which adds more features and is less restrictive. Anyone doing a new deployment should probably use the new system instead, unless there is some specific reason not to (e.g. a noc which isn't capable of learning new things, etc).
--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From avayner at cisco.com Mon Jan 11 04:29:09 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 11 Jan 2010 10:29:09 +0100
Subject: [c-nsp] BGP Peer Group drawbacks???

I think this would provide a comprehensive overview:

Peer-Groups are a relatively old feature which was introduced to provide two functions:
- Reduce BGP configuration by creating a "template" which can be reapplied to multiple peers
- Reduce CPU workload for BGP updates, as all members in a peer-group had the same egress policy, so an update had to be computed only once

As combining both functionalities into a single feature is a bit restrictive (you have to have (mostly) the same config for all peers), this was basically split up:
- Dynamic Update Groups are built on the fly for BGP peers with similar update (output) policies. This allows for CPU load reduction.
- Templates are used to build config templates to reduce configuration complexity/clutter.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bob Arthurs
Sent: Sunday, January 10, 2010 01:32
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP Peer Group drawbacks???

Hi all,

A colleague recently told me not to use BGP peer groups because he insists that there are drawbacks to using them.

Does anyone know of any drawbacks to peer groups????

I dug the following up on the Cisco website:

"Cisco IOS Software Releases earlier than 11.1(18)CC have the limitations described in this section. Failure to adhere to these rules can result in inconsistent routing.

If you use peer groups for clients of a route reflector, all the clients must be fully meshed.

If you use an eBGP peer group, transit cannot be provided among the peer group members.

All eBGP peer group members must be from the same subnet to avoid non-connected next hop announcements.

However, these limitations were removed starting with Cisco IOS Software Releases 11.1(18)CC, 11.3(4), and 12.0. Only the router on which the peer groups are defined needs to be upgraded to the new code."

But the above limitations have now gone, so I can't think of what drawbacks he might be referring to.

Anyone know??

Thanks in advance!

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From rasheed_ak at yahoo.com Mon Jan 11 06:14:48 2010
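The template-based replacement for a peer-group that Richard and Arie describe in the thread above, written out as an added example (not configuration posted by anyone in the thread); the AS numbers, neighbor addresses, password and the prefix-list/route-map names are assumed placeholders:

```cisco
! Added example, not from the thread: peer-session and peer-policy
! templates doing what a single peer-group used to do.
! AS numbers, neighbor addresses, password and the BOGONS-IN /
! TRANSIT-OUT names are assumed placeholders.
router bgp 65000
 bgp log-neighbor-changes
 !
 ! Session-level settings shared by every transit neighbor: the
 ! "reduce configuration" half of the old peer-group.
 template peer-session TRANSIT-SESSION
  description transit provider
  password TRANSIT-MD5-PLACEHOLDER
  ttl-security hops 1
  timers 10 30
 exit-peer-session
 !
 ! Policy-level settings, applied per address family. Neighbors that end
 ! up with the same outbound policy are grouped into one dynamic update
 ! group automatically, so one update is computed for all of them: the
 ! "reduce CPU" half of the old peer-group, without requiring identical
 ! configuration on every member.
 template peer-policy TRANSIT-POLICY
  prefix-list BOGONS-IN in
  route-map TRANSIT-OUT out
  maximum-prefix 400000 90 restart 15
  soft-reconfiguration inbound
 exit-peer-policy
 !
 ! Each neighbor inherits the session template; values set directly on
 ! the neighbor (here remote-as) are neighbor-specific and differ per peer.
 ! A given neighbor cannot both belong to a peer-group and inherit a
 ! template, so migrate one neighbor at a time.
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 inherit peer-session TRANSIT-SESSION
 neighbor 192.0.2.5 remote-as 65002
 neighbor 192.0.2.5 inherit peer-session TRANSIT-SESSION
 !
 address-family ipv4
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 inherit peer-policy TRANSIT-POLICY
  neighbor 192.0.2.5 activate
  neighbor 192.0.2.5 inherit peer-policy TRANSIT-POLICY
 exit-address-family
!
! Verification: both neighbors should be listed in the same update group,
! and the resolved templates can be inspected directly.
! show ip bgp update-group
! show ip bgp template peer-session
! show ip bgp template peer-policy
```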
From: rasheed_ak at yahoo.com (Rasheed Khan)
Date: Mon, 11 Jan 2010 03:14:48 -0800 (PST)
Subject: [c-nsp] recommended router for following specs
Message-ID: <102327.73473.qm@web36205.mail.mud.yahoo.com>

hi,

could anybody recommend core router and modules required for below specs

core router
- Wire speed throughput
- Chassis based technology (HW Redundancy - 2 pcs.)
- Passive Backplane
- Scalable bandwidth
- Redundant power supplies (n + 1)
- Hot swappable hardware elements
- Redundant control plane/ CPUs/ switching fabrics
- Sub-Second Fail over of Chassis Hardware
- Every Core Router has to have at minimum two Gigabit Uplinks to each IDF (total no idf or switches 14)
- These two Uplinks have to run as a trunk based on LACP IEEE 802.3ad or similar proprietary protocols. (Aggregation of several physical uplinks) Please describe if it is a variant technology.
- The link aggregation path routing (path routing decision) between the two pairs have to be on Layer 2 and Layer 3 base.
- Fail Over and load balancing between the 2 pairs of aggregated Uplinks to a IDF
- Each 1 Gbps Uplink have to support multi mode fibre
- Hardware-based support for IP multicast
- Dynamic Routing Protocols (RIP, OSPF, e.g. in compliance with network concept)
- Router Redundancy Technologies
- Multicast Routing compliance - IGMP, DVMRP, PIM
- Standard Access Lists - ACL
- DHCP Relay RFC 2131
- IEEE 802.1Q VLAN compliance
- Comprehensive Management
- Syslog
- SNMP V1,V2,V3
- Multi-configuration file support
- Quality of Service - minimal requirements
  - IEEE 802.1p Prioritization
  - IETF DiffServ / DSCP
  - Policy based QoS by IP, Subnet, Protocol, Ethertype, VLAN ID and Flow based traffic shaping

From rolf-web at internet.ao Mon Jan 11 09:36:30 2010
From: rolf-web at internet.ao (Rolf Mendelsohn)
Date: Mon, 11 Jan 2010 15:36:30 +0100
Subject: [c-nsp] QinQ Layer2 QoS - 3550?
Message-ID: <201001111536.30292.rolf-web@internet.ao>

Hi Guys,

We have a number of Cisco 3550's doing QinQ on a Metro-E network.

I was wondering whether anybody is successfully copying the 802.1P info from the Inner Tag to the Outer Tag.

From the following doc:
http://www.cisco.mn/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swtunnel.html

  The priority field on the metro tag is set to the interface class of service (CoS) priority configured on the tunnel port (the default is zero if none is configured).

  IEEE 802.1Q Tunneling and Other Features

  Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities between some Layer 2 features and Layer 3 switching.
  - Tunnel ports do not support IP access control lists (ACLs).
  - Layer 3 quality of service (QoS) ACLs and other QoS features related to Layer 3 information are not supported on tunnel ports. MAC-based QoS is supported on tunnel ports.

What does one need to support Layer-2 QoS on QinQ, newer Juniper EX switches? Cisco 3750's?

Thanks,
Rolf

From eng_mssk at hotmail.com Mon Jan 11 10:21:33 2010
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 11 Jan 2010 17:21:33 +0200
Subject: [c-nsp] Ethernet Network

hi all

we have a wimax network, our network is all cisco: Cisco 7606, Cisco 6524 ME, Cisco 3750 ME
and we enabled MPLS in our network in order to provide MPLS services to our customers (VPLS, L3VPN, EoMPLS)
what is the best MTU value that i can enable on my network, either on an interface basis or on a system basis?

Thanks in advance

From felixnkansah at gmail.com Mon Jan 11 10:27:00 2010
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Mon, 11 Jan 2010 15:27:00 +0000
Subject: [c-nsp] Syslog Platform for a Telco Environment
Message-ID: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>

Hi All,

A telco (fixed line/mobile carrier) is looking to deploy a centralized syslog solution for their environment for storing, viewing and analyzing logs.

The plan is to have about 1,000+ server and network nodes configured to send logs at all levels to the syslog server 24/7.

Among other things, the solution would need to be scalable, easy to use with web access, allow granular logs searches and retrieval, events notifications capabilities, and allow different levels of user access.

A linux-based platform / commercial offering is preferred.

Do you have any such product in mind? Thanks.

Felix

From nasir.shaikh at bt.com Mon Jan 11 10:59:50 2010
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Mon, 11 Jan 2010 15:59:50 -0000
Subject: [c-nsp] 3550 as CE

Hi,

Due to the global shortage of 73xx routers I am contemplating using some old 3550-12Ts as CE routers on a site where a connection is required urgently.

I will be using a fibre link from the local ADM as my WAN link (int g0/11 or g0/12 on the 3550).

I have enough experience with the 3550 platform EMI with full routing but have always used it as a CPE behind the CE.

Given the right GBIC, is there any reason why this won't work? Any experiences that someone would care to share?

Thanks in advance
Nasir Shaikh

From rdobbins at arbor.net Mon Jan 11 11:23:35 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Mon, 11 Jan 2010 16:23:35 +0000
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>

On Jan 11, 2010, at 10:27 PM, Felix Nkansah wrote:

> A linux-based platform / commercial offering is preferred.

-----------------------------------------------------------------------
Roland Dobbins //

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken

From BBlackford at nwresd.k12.or.us Mon Jan 11 11:27:08 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Mon, 11 Jan 2010 08:27:08 -0800
Subject: [c-nsp] Finisar Optics | Cisco Equiv.
Message-ID: <6069A203FD01884885C037F81DD750801742DA1093@wsc-mail-01.intra.nwresd.k12.or.us>

I believe that Finisar makes many of the Cisco optics. I'm looking for the Finisar part number that is essentially the same as the Cisco GLC-SX-MM.

Thanks

-b

From justin at justinshore.com Mon Jan 11 11:44:40 2010
From: justin at justinshore.com (Justin Shore)
Date: Mon, 11 Jan 2010 10:44:40 -0600
Subject: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops
In-Reply-To: <4b8f66d70912091207j39a4adb4td5c2ea9287dd51c3@mail.gmail.com>
References: <4B1C48D4.9080905@poggs.co.uk> <4B1D0AAD.50406@imperial.ac.uk> <4b8f66d70912091207j39a4adb4td5c2ea9287dd51c3@mail.gmail.com>
Message-ID: <4B4B5578.6060906@justinshore.com>

joshua sahala wrote:
> drew,
>
> it may or may not be related, but...check the output of 'sh counter
> int [delta]' and look at the qos[1-21][In|Out]lost counters.
>
> i was experiencing various drops due to the default interface (qos)
> buffer allocation: basically, all of my traffic was hitting the 76xx
> swouter in the q0 buffer and overrunning it (there were no drops in
> any of the other qos queues because no traffic was ever hitting them).
> i ended up having to rewrite the buffer mapping to allocate
> everything to q0 and the random discards stopped (at least the ones
> caused by this issue).

I want to revive an old thread if I can. I'm facing a similar issue now. Gi1/1 on my 6724s in my core 7600s (3BXL) connect to one of my border routers, a 7206 G1. Both interfaces on both 6724s show large volumes of input drops and flushes. Gi1/2 on the same 6724s connect to a 3845 which is my other border and it shows significantly lower drops and flushes (4 digits instead of 7 or 8). All 4 links are SX. 'sh counters' didn't yield anything terribly interesting either.

7613-1.clr#sh counters interface gi1/1 delta | e = 0
Time since last clear
---------------------
never

64 bit counters:

 0.                      rxHCTotalPkts = 123760873738
 1.                      txHCTotalPkts = 45947101814
 2.                    rxHCUnicastPkts = 123747989684
 3.                    txHCUnicastPkts = 45941233718
 4.                  rxHCMulticastPkts = 12883997
 5.                  txHCMulticastPkts = 5868073
 6.                  rxHCBroadcastPkts = 57
 7.                  txHCBroadcastPkts = 23
 8.                         rxHCOctets = 101377579108374
 9.                         txHCOctets = 16976124978053
10.                 rxTxHCPkts64Octets = 8893600878
11.            rxTxHCPkts65to127Octets = 57698604883
12.           rxTxHCPkts128to255Octets = 20633513794
13.           rxTxHCPkts256to511Octets = 7123204457
14.          rxTxHCpkts512to1023Octets = 6652027912
15.         rxTxHCpkts1024to1518Octets = 26440990980

32 bit counters:

 2.                    rxOversizedPkts = 2492150694
13.                         linkChange = 2

All Port Counters

 1.                          InPackets = 123760839646
 2.                           InOctets = 101377556782449
 3.                        InUcastPkts = 123747955595
 4.                        InMcastPkts = 12883994
 5.                        InBcastPkts = 57
 6.                         OutPackets = 45947087810
 7.                          OutOctets = 16976121260975
 8.                       OutUcastPkts = 45941219715
 9.                       OutMcastPkts = 5868072
10.                       OutBcastPkts = 23
22.                             Giants = 2492143293
35.                 rxTxHCPkts64Octets = 8893600875
36.            rxTxHCPkts65to127Octets = 57698582793
37.           rxTxHCPkts128to255Octets = 20633505929
38.           rxTxHCPkts256to511Octets = 7123201908
39.          rxTxHCpkts512to1023Octets = 6652026348
40.         rxTxHCpkts1024to1518Octets = 26440984821
44.                      OversizedPkts = 2492143293

The giants are explained by the MTU I have on those links. I run 9000 on all infrastructure links. Other than that I don't see anything else wrong. All the QoS Lost lines were 0.

All infrastructure interfaces are also MPLS enabled. The 7206 carries the bulk of the Internet traffic, as does 7600 #1, so it's not a big surprise to see its links affected much more so than the 3845 links.

I'm graphing interface errors/discards with Cacti. I have to question the numbers it's giving me though. They have never seemed to be accurate to me on any of my interfaces.

Are my queues not deep enough to carry the traffic flow? Peak Mbps through the 7206 is about 120Mbps and if Cacti is right then we're also only talking about 17,000 pps on the upstream-facing interface of the 7206, most of which would come from 7600 #1.

Thoughts?

Thanks
Justin

From simon at slimey.org Mon Jan 11 11:47:46 2010
From: simon at slimey.org (Simon Lockhart)
Date: Mon, 11 Jan 2010 16:47:46 +0000
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
Message-ID: <20100111164746.GG23204@virtual.bogons.net>

> A telco (fixed line/mobile carrier) is looking to deploy a centralized
> syslog solution for their environment for storing, viewing
> and analyzing logs.
>
> A linux-based platform / commercial offering is preferred.
>
> Do you have any such product in mind? Thanks.

Isn't Splunk the de facto answer to that question?

Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
   Director    | * Domain & Web Hosting * Internet Consultancy *
  Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *

From jtrooney at nexdlevel.com Mon Jan 11 12:09:44 2010
From: jtrooney at nexdlevel.com (Jeff Rooney)
Date: Mon, 11 Jan 2010 11:09:44 -0600
Subject: [c-nsp] Syslog Platform for a Telco Environment
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>

+1 for splunk

Jeff Rooney
jtrooney at nexdlevel.com

On Mon, Jan 11, 2010 at 10:23 AM, Dobbins, Roland wrote:
>
> On Jan 11, 2010, at 10:27 PM, Felix Nkansah wrote:
>
>> A linux-based platform / commercial offering is preferred.
>
>
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
>     Injustice is relatively easy to bear; what stings is justice.
>
>                         -- H.L. Mencken
>

From jeff-kell at utc.edu Mon Jan 11 12:16:03 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Mon, 11 Jan 2010 12:16:03 -0500
Subject: [c-nsp] 3550 as CE
Message-ID: <4B4B5CD3.5080006@utc.edu>

On 1/11/2010 10:59 AM, nasir.shaikh at bt.com wrote:
> Hi,
> Due to the global shortage of 73xx routers I am contemplating to use
> some old 3550-12Ts as CE routers on a site where a connection is
> required urgently.
>

It's fine as long as you don't need MPLS to the PE. If you run VRFs point-to-point over an 802.1Q trunk you'll be fine. There's no MPLS except in the MEs, and no hardware GRE support on the 3550s.

Jeff

From jasonleblanc at gmail.com Mon Jan 11 12:16:42 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Mon, 11 Jan 2010 10:16:42 -0700
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
Message-ID: <27D2D991-9C8A-4DA9-8B55-8D751A09A96C@gmail.com>

Splunk for sure!

On Jan 11, 2010, at 8:27 AM, Felix Nkansah wrote:

> Hi All,
>
> A telco (fixed line/mobile carrier) is looking to deploy a centralized
> syslog solution for their environment for storing, viewing
> and analyzing logs.
>
> The plan is to have about 1,000+ server and network nodes configured to send
> logs at all levels to the syslog server 24/7.
>
> Among other things, the solution would need to be scalable, easy to use with
> web access, allow granular logs searches and retrieval, events notifications
> capabilities, and allow different levels of user access.
>
> A linux-based platform / commercial offering is preferred.
>
> Do you have any such product in mind? Thanks.
>
> Felix

From list-only at dnz.se Mon Jan 11 12:37:11 2010
From: list-only at dnz.se (Anders Lindbäck)
Date: Mon, 11 Jan 2010 18:37:11 +0100
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com>
Message-ID: <9444E0FD-D642-4D3F-BFA6-8A676CF24898@dnz.se>

Hi

I would second the recommendation of splunk for most of your needs; however, depending on your definition of "events notifications capabilities", I would read the fine print about the notification support, since I have found it somewhat lacking.

But if you for instance use it for its strengths (web GUI, report builds and user handling) and then use something like SEC (http://simple-evcorr.sourceforge.net/) for the event notifications, then I think you will be happy.

/Anders.

On Jan 11, 2010, at 4:27 PM, Felix Nkansah wrote:

> Hi All,
>
> A telco (fixed line/mobile carrier) is looking to deploy a centralized
> syslog solution for their environment for storing, viewing
> and analyzing logs.
>
> The plan is to have about 1,000+ server and network nodes configured to send
> logs at all levels to the syslog server 24/7.
>
> Among other things, the solution would need to be scalable, easy to use with
> web access, allow granular logs searches and retrieval, events notifications
> capabilities, and allow different levels of user access.
>
> A linux-based platform / commercial offering is preferred.
>
> Do you have any such product in mind? Thanks.
>
> Felix

From jasonleblanc at gmail.com Mon Jan 11 12:52:05 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Mon, 11 Jan 2010 10:52:05 -0700
Subject: [c-nsp] Syslog Platform for a Telco Environment
In-Reply-To: <20100111164746.GG23204@virtual.bogons.net>
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com> <20100111164746.GG23204@virtual.bogons.net>

As it should be :) It's earned it!

On Jan 11, 2010, at 9:47 AM, Simon Lockhart wrote:

>> A telco (fixed line/mobile carrier) is looking to deploy a centralized
>> syslog solution for their environment for storing, viewing
>> and analyzing logs.
>>
>> A linux-based platform / commercial offering is preferred.
>>
>> Do you have any such product in mind? Thanks.
>
> Isn't Splunk the de facto answer to that question?
>
> Simon
> --
> Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
>    Director    | * Domain & Web Hosting * Internet Consultancy *
>   Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *

From felixnkansah at gmail.com Mon Jan 11 13:13:54 2010
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Mon, 11 Jan 2010 18:13:54 +0000
Subject: [c-nsp] Syslog Platform for a Telco Environment
References: <18dba4e51001110727n706f3298sa0c7ca6cdc1e7d91@mail.gmail.com> <20100111164746.GG23204@virtual.bogons.net>
Message-ID: <18dba4e51001111013i5d9c206au41b1a65b8233f648@mail.gmail.com>

Hi Guys.

Thanks so much for the jury's unanimous verdict. Splunk you voted, and Splunk it is.

On Mon, Jan 11, 2010 at 5:52 PM, Jason LeBlanc wrote:

> As it should be :) Its earned it!
>
> On Jan 11, 2010, at 9:47 AM, Simon Lockhart wrote:
>
> >> A telco (fixed line/mobile carrier) is looking to deploy a centralized
> >> syslog solution for their environment for storing, viewing
> >> and analyzing logs.
> >>
> >> A linux-based platform / commercial offering is preferred.
> >>
> >> Do you have any such product in mind? Thanks.
> >
> > Isn't Splunk the defacto answer to that question?
> >
> > Simon
> > --
> > Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
> >    Director    | * Domain & Web Hosting * Internet Consultancy *
> >   Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *
>

From avayner at cisco.com Mon Jan 11 13:15:27 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 11 Jan 2010 19:15:27 +0100
Subject: [c-nsp] 3550 as CE

Nasir,

Be careful about QOS requirements. If your WAN uplink is a subrate link (i.e. a 1GigE port with an SLAN of <1GigE) you need to perform egress shaping on that interface, which is not supported on 3550 (or most LAN switches).

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of nasir.shaikh at bt.com
Sent: Monday, January 11, 2010 18:00
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3550 as CE

Hi,

Due to the global shortage of 73xx routers I am contemplating using some old 3550-12Ts as CE routers on a site where a connection is required urgently.

I will be using a fibre link from the local ADM as my WAN link (int g0/11 or g0/12 on the 3550).

I have enough experience with the 3550 platform EMI with full routing but have always used it as a CPE behind the CE.

Given the right GBIC, is there any reason why this won't work? Any experiences that someone would care to share?

Thanks in advance
Nasir Shaikh

From brandon at burn.net Mon Jan 11 14:41:19 2010
From: brandon at burn.net (Brandon Applegate)
Date: Mon, 11 Jan 2010 14:41:19 -0500 (EST)
Subject: [c-nsp] ASA ipv6 + icmp types

So I'm playing around with ipv6 on the ASA. I'm running the latest code (8.2(1)). And in trying to get traceroutes and pings 'through' the ASA, I've found that icmp-types are translated to 'english' but using the ipv4 codes. I.e. type 3 for ipv6 is time-exceeded but shows up in config as unreachable (because unreachable == 3 in ipv4).

I'm guessing I should open a TAC case and complain? You could call it a cosmetic issue, but I see myself making mistakes because the burden is on me to translate the icmp types as I enter config :(

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."

From kwoody at citytel.net Mon Jan 11 14:37:35 2010
From: kwoody at citytel.net (Keith)
Date: Mon, 11 Jan 2010 11:37:35 -0800 (PST)
Subject: [c-nsp] Renumber of DSL.
Message-ID: <20100111111415.M28334@pop.citytel.net>

We have a 6260 DSLAM which terminates its ATM interface on a 7204 ATM for customers.

On the DSLAM we configure a customer like this:

interface ATM1/2
 no ip address
 dsl subscriber xxxxx
 dsl profile standard
 no atm ilmi-keepalive
 atm pvc 0 35 interface ATM0/1 1 36
!

Then on the 7204 the customer is terminated as so:

interface ATM4/0.3 point-to-point
 description xxxxx
 ip address 64.114.226.13 255.255.255.252
 atm route-bridged ip
 pvc 1/36
  oam-pvc 10
  encapsulation aal5snap
!

We have a /23 and one /24 that we use for this DSL and we would like to renumber out of them.

On the DSLAM I was thinking of changing

atm pvc 0 35 interface ATM0/1 1 36

to

atm pvc 0 35 interface ATM0/1 1

Then on the 7204 creating a new ATM p2p sub-interface with the new pvc and new IP's and getting the customer to renumber, then deleting the old sub-interface.

But now I just realized: just change the IP address on the ATM sub-interface on the router and get the customer to renumber to the new IP. No changing of PVC's needed.

There is another FastE interface on the 7204 that would connect to a new switch which goes out to a new upstream that the new block of IP's would route through, and would allow customers to use the old IP blocks until we get them to renumber.

This is all just off the top of my head but it seems either should work. Anyone see a problem with this renumber?

Thanks,
Keith

From lists at hojmark.org Mon Jan 11 15:37:17 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Mon, 11 Jan 2010 21:37:17 +0100
Subject: [c-nsp] QinQ Layer2 QoS - 3550?
In-Reply-To: <201001111536.30292.rolf-web@internet.ao>
References: <201001111536.30292.rolf-web@internet.ao>
Message-ID: <5v2nk5lgg8fttdg0ui5ndpnhjooogetfk2@hojmark.net>

On Mon, 11 Jan 2010 15:36:30 +0100, you wrote:

> What does one need to support Layer-2 QoS on QinQ, newer Juniper EX switches?
> Cisco 3750's?

ME-3400E supports copying inner CoS to outer CoS.

-A

From perc69 at gmail.com Mon Jan 11 15:46:54 2010
From: perc69 at gmail.com (Per Carlson)
Date: Mon, 11 Jan 2010 21:46:54 +0100
Subject: [c-nsp] QinQ Layer2 QoS - 3550?
In-Reply-To: <201001111536.30292.rolf-web@internet.ao>
References: <201001111536.30292.rolf-web@internet.ao>
Message-ID: <746ca6da1001111246gc701716vc75425e363c19e23@mail.gmail.com>

Hi.

> We have a number of Cisco 3550's doing QinQ on a Metro-E network.
>
> I was wondering whether anybody is succesfully copying the 802.1P info from
> the Inner Tag, to the Outer Tag.

Sorry, but that's not possible on a 3550-class of switch. The only standard Catalyst (that I'm aware of) supporting it is the 6500 with WS-X67xx LC's using CoS-mutation (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1727443).

> What does one need to support Layer-2 QoS on QinQ, newer Juniper EX switches?
> Cisco 3750's?

A ME3400E (notice the E in the end) will do the trick (http://www.cisco.com/en/US/docs/switches/metro/me3400e/software/release/12.2_44_ey/configuration/guide/swqos.html#wp1643001).

--
Pelle

From tony at lava.net Mon Jan 11 15:55:50 2010
From: tony at lava.net (Antonio Querubin)
Date: Mon, 11 Jan 2010 10:55:50 -1000 (HST)
Subject: [c-nsp] Renumber of DSL.
In-Reply-To: <20100111111415.M28334@pop.citytel.net>
References: <20100111111415.M28334@pop.citytel.net>

On Mon, 11 Jan 2010, Keith wrote:

> But now I just realized just change the IP address on the ATM
> sub-interface on the router and get the customer to renumber to the new
> IP. No changing of PVC's needed.
>
> There is another faste interface on the 7204 that would connect to a new
> switch which goes out to a new upstream that the new block of IP's would
> route and would allow customers to use the old IP blocks until we get them
> to renumber.

Just add the new address as a primary and make the old address secondary. Then when the customer is done renumbering just delete the secondary address.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From dale.shaw+cisco-nsp at gmail.com Mon Jan 11 16:13:50 2010
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 12 Jan 2010 08:13:50 +1100
Subject: [c-nsp] recommended router for following specs
In-Reply-To: <102327.73473.qm@web36205.mail.mud.yahoo.com>
References: <102327.73473.qm@web36205.mail.mud.yahoo.com>
Message-ID: <3329cbb41001111313mc5bb1e7ue5e23085f029da18@mail.gmail.com>

Hi,

On Mon, Jan 11, 2010 at 10:14 PM, Rasheed Khan wrote:
>
> could anybody recommend core router and modules required for below specs
>

Yeah, sure, send us all a copy of the Request For Tender / Request For Quote you're responding to, and we'll all have a go. I mean, that's the only fair way, right?

Unless you're offering some kind of commission if you win the deal? ;-)

cheers,
Dale

From david at hughes.com.au Mon Jan 11 18:17:35 2010
From: david at hughes.com.au (David Hughes)
Date: Tue, 12 Jan 2010 09:17:35 +1000
Subject: [c-nsp] Port channel bug in SXI3 - CSCtd93384
References: <94503B54-1DD5-4B99-A788-3CBB4FE849D1@Hughes.com.au>
Message-ID: <7B899B02-8375-4DA2-87E6-B60604D7CA42@hughes.com.au>

Further follow-up on this for those running SXI3:

Turns out to be a problem with the parser cache. If you are running "parser config cache interface" then the "real" running config can get out of sync with what the box thinks is the running config. If you then do a "copy run start" things can get interesting. Might be worth turning that feature off if you are running it.

David
...

On 18/12/2009, at 5:00 PM, David Hughes wrote:

>
> This now has a bug ID associated with it. We've got the same problem on SXI2 and SXI3. For anyone interested, the Bug ID is CSCtd93384.
>
> David
> ...
>
> On 15/12/2009, at 11:59 AM, David Hughes wrote:
>
>> Hi
>>
>> Since moving to SXI3 we've seen issues with port channels. Problems such as the physical interfaces and port channel config getting out of sync. A "sh run int" on a member of the Po will say it's shutdown but a "sh run int" on the Po itself shows it's up (and a "sh int" does too). It's not impacting on the operation of the box but it's confusing the hell out of some of the engineers having to work on them.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From lists.james.edwards at gmail.com Mon Jan 11 19:50:06 2010
From: lists.james.edwards at gmail.com (james edwards)
Date: Mon, 11 Jan 2010 17:50:06 -0700
Subject: [c-nsp] Timing slips on an 2811

I am getting timing slips on an ATM T-1 when the clocking is set to line. Setting it to internal is of course no better. I am using a VWIC2-1MFT-T1/E1 on IOS c2800nm-spservicesk9-mz.124-21a.bin. Links to troubleshooting docs about slips or suggestions on what is wrong with the config will be appreciated.

#sho controllers t1 0/0/0
T1 0/0/0 is up.
  Applique type is Channelized T1
  Cablelength is short 330
  No alarms detected.
  alarm-trigger is not set
  Soaking time: 3, Clearance time: 10
  AIS State:Clear  LOS State:Clear  LOF State:Clear
  Version info Firmware: 20071011, FPGA: 13, spm_count = 0
  Framing is ESF, Line Code is B8ZS, Clock Source is Line.  <----------------
  CRC Threshold is 320. Reported from firmware is 320.
  //////
  Total Data (last 12 15 minute intervals):
     0 Line Code Violations, 0 Path Code Violations,
     1512 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     1512 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Here is the config:

card type t1 0 0

network-clock-participate wic 0
network-clock-participate aim 0

controller T1 0/0/0
 mode atm aim 0
 framing esf
 linecode b8zs
 cablelength short 330
 clock source line

interface ATM0/0/0
 description Circuit ID xxxxxx
 no ip address
 no scrambling-payload
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 description ATM T-1 to xxx
 ip address x.x.x.x x.x.x.x
 ip access-group 100 out
 snmp trap link-status
 pvc 1/32
  cbr 1536
  encapsulation aal5snap

-- 
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From andy.petrenko at gmail.com Tue Jan 12 06:55:32 2010
From: andy.petrenko at gmail.com (Andrey 'sshd' Petrenko)
Date: Tue, 12 Jan 2010 13:55:32 +0200
Subject: [c-nsp] Ethernet Network
Message-ID: <6b300f5d1001120355l74ee55b3x6d83992f56b0a0c8@mail.gmail.com>

Sorry, on mpls interfaces use mtu 1546

2010/1/11 Mohammad Khalil

>
> hi all
> we have wimax network , our network are all cisco Cisco 7606 , Cisco 6524
> ME , Cisco 3750 ME
> and we enabled MPLS in our network in order to provide MPLS service to our
> customers (VPLS , L3VPN , EoMPLS)
> what is the best MTU value that i can enable on my network either on
> interface basis or on system basis
>
> Thanks in advance
>

-- 
With best regards,
Andrey 'sshd' Petrenko
xmmp: sshd at jabber.org
gtalk: andy.petrenko at gmail.com
skype: andy.petrenko
web: http://sshd.by

From denaccie at gmail.com Tue Jan 12 09:27:05 2010
From: denaccie at gmail.com (My Name)
Date: Tue, 12 Jan 2010 09:27:05 -0500
Subject: [c-nsp] Ethernet Network
In-Reply-To: <6b300f5d1001120355l74ee55b3x6d83992f56b0a0c8@mail.gmail.com>
References: <6b300f5d1001120355l74ee55b3x6d83992f56b0a0c8@mail.gmail.com>

Andrey,

Is there a break down or analysis on why you are choosing 1546? I assume the following:

1500 bytes max data + 22 max header + 4 CRC trailer + 4 byte 802.1q tag + 16 up to 4 labels = 1546?

Why not just enable jumbos and set it as high as possible?

mike

On Tue, Jan 12, 2010 at 6:55 AM, Andrey 'sshd' Petrenko <andy.petrenko at gmail.com> wrote:

> Sorry, on mpls interfaces use mtu 1546
>
> 2010/1/11 Mohammad Khalil
>
> >
> > hi all
> > we have wimax network , our network are all cisco Cisco 7606 , Cisco 6524
> > ME , Cisco 3750 ME
> > and we enabled MPLS in our network in order to provide MPLS service to our
> > customers (VPLS , L3VPN , EoMPLS)
> > what is the best MTU value that i can enable on my network either on
> > interface basis or on system basis
> >
> > Thanks in advance
> >
> -- 
> With best regards,
> Andrey 'sshd' Petrenko
> xmmp: sshd at jabber.org
> gtalk: andy.petrenko at gmail.com
> skype: andy.petrenko
> web: http://sshd.by

From cisco-nsp at slepicka.net Tue Jan 12 09:41:15 2010
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Tue, 12 Jan 2010 08:41:15 -0600
Subject: [c-nsp] Timing slips on an 2811
Message-ID: <4B4C8A0B.7020803@slepicka.net>

try 'network-clock-select 1 T1 0/0/0'

if you run a sh network-clocks, your output should be similar to this:

#sh network-clocks
Network Clock Configuration
---------------------------
Priority      Clock Source        Clock State     Clock Type

   1          T1 0/0/0            GOOD            T1
  10          Backplane           GOOD            PLL

Current Primary Clock Source
---------------------------
Priority      Clock Source        Clock State     Clock Type

   1          T1 0/0/0            GOOD            T1

james edwards wrote:
> I am getting timing slips on an ATM T-1 when the clocking is set to line.
> Setting it to internal is of course no better.
> I am using a VWIC2-1MFT-T1/E1 on IOS c2800nm-spservicesk9-mz.124-21a.bin.
> Links to troubleshooting docs about slips or suggestions on what is wrong
> with the config will be appreciated.
>
> #sho controllers t1 0/0/0
> T1 0/0/0 is up.
>   Applique type is Channelized T1
>   Cablelength is short 330
>   No alarms detected.
>   alarm-trigger is not set
>   Soaking time: 3, Clearance time: 10
>   AIS State:Clear  LOS State:Clear  LOF State:Clear
>   Version info Firmware: 20071011, FPGA: 13, spm_count = 0
>   Framing is ESF, Line Code is B8ZS, Clock Source is Line.  <----------------
>   CRC Threshold is 320. Reported from firmware is 320.
>   //////
>   Total Data (last 12 15 minute intervals):
>      0 Line Code Violations, 0 Path Code Violations,
>      1512 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
>      1512 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
>
> Here is the config:
>
> card type t1 0 0
>
> network-clock-participate wic 0
> network-clock-participate aim 0
>
> controller T1 0/0/0
>  mode atm aim 0
>  framing esf
>  linecode b8zs
>  cablelength short 330
>  clock source line
>
> interface ATM0/0/0
>  description Circuit ID xxxxxx
>  no ip address
>  no scrambling-payload
>  no atm ilmi-keepalive
> !
> interface ATM0/0/0.1 point-to-point
>  description ATM T-1 to xxx
>  ip address x.x.x.x x.x.x.x
>  ip access-group 100 out
>  snmp trap link-status
>  pvc 1/32
>   cbr 1536
>   encapsulation aal5snap
>

From drew.weaver at thenap.com Tue Jan 12 09:47:53 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 12 Jan 2010 09:47:53 -0500
Subject: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB

Hi,

We've been struggling with an issue on one of our 6500s for about a week or so. It started out where the system would run on the supervisor in slot 8 for about 16-24 hours, then fail over to the secondary supervisor in slot 7 for "no" reason, then this error would be presented, and then it would immediately flip back to slot 8.

Originally the error message was:

Jan 12 09:36:03.144 EST: %FABRIC-SP-3-DISABLE_FAB: The fabric manager disabled active fabric in slot 7 due to the error (2) on this channel (FPOE 8) connected to slot 4

We re-seated the card in slot 4, and eventually replaced it, and everything seemed to finally stabilize.

This morning, as a test, I forced it to switch over to the card in slot 7 to see if it would immediately switch back to the card in slot 8. It did not, and I was fairly pleased; however, we now got this error:

Jan 12 09:36:03.144 EST: %FABRIC-SP-3-DISABLE_FAB: The fabric manager disabled active fabric in slot 7 due to the error (2) on this channel (FPOE 8) connected to slot 13

We went to re-seat the completely unused 6548 card in slot 13 (this is a 6513) and it caused a failover again.

Jan 12 09:35:10.353 EST: %OIR-SP-6-REMCARD: Card removed from slot 13, interfaces disabled
Jan 12 09:36:03.144 EST: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
Jan 12 09:36:03.144 EST: %FABRIC-SP-3-DISABLE_FAB: The fabric manager disabled active fabric in slot 7 due to the error (2) on this channel (FPOE 8) connected to slot 13
Jan 12 09:36:03.144 EST: %OIR-SP-3-PWRCYCLE: Card in module 7, is being power-cycled off (Fabric channel errors)

Anyone have any thoughts as to what might be occurring here? We can replace the card in slot 13 as well but we are concerned about the exciting game of musical fabric errors the switch is playing.
-Drew

From nasir.shaikh at bt.com Tue Jan 12 10:07:27 2010
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Tue, 12 Jan 2010 15:07:27 -0000
Subject: [c-nsp] 3550 as CE

Arie,

Thanks. No, I don't have a subrate link, although I do intend to use (an aggregate) policer on the 1G link. I am currently happily running 12.1(22)EA8; do you think I should upgrade to 12.2(44)SE? I only need to be able to do QoS marking based on IP acls.

tia
Nasir Shaikh

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: 11 January 2010 19:15
To: Shaikh,NM,Nasir,JBFQ R; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 3550 as CE

Nasir,

Be careful about QOS requirements. If your WAN uplink is a subrate link (i.e. a 1GigE port with an SLAN of <1GigE) you need to perform egress shaping on that interface, which is not supported on 3550 (or most LAN switches).

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of nasir.shaikh at bt.com
Sent: Monday, January 11, 2010 18:00
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3550 as CE

Hi,

Due to the global shortage of 73xx routers I am contemplating using some old 3550-12Ts as CE routers on a site where a connection is required urgently. I will be using a fibre link from the local ADM as my WAN link (int g0/11 or g0/12 on the 3550). I have enough experience with the 3550 platform EMI with full routing but have always used it as a CPE behind the CE. Given the right GBIC, is there any reason why this won't work? Any experiences that someone would care to share?

Thanks in advance
Nasir Shaikh

From ianh at ianh.net.au Tue Jan 12 10:15:10 2010
From: ianh at ianh.net.au (Ian Henderson)
Date: Tue, 12 Jan 2010 23:15:10 +0800 (WST)
Subject: [c-nsp] DS3 over STM1

Hi all,

I'm in the process of moving one of our remote offices from one carrier to another. At the moment we have an L3VPN terminating GigE at the remote end on a 7301 and DS3 on a G1 with PA-2T3 at the head office. Link does 10Mbit, about half split between voice and data.

The new carrier has provisioned a 45Mbit clear channel service with a DS3 at the remote site, and a channelised STM1 at the head office. I can't seem to find a combination of router/card/mux to make this work.

- Cisco 7200 with PA-MC-STM1 can't channelise larger than E1.
- Cisco 7600 with SPA-1XCHSTM1/OC3 can do it according to the spec sheet for the SPA, but is incredibly over-specced and pricey.
- Adtran Opti-3 is SONET/OC3 only (but I can't find confirmation of this).
- Juniper M7i with STM1 IQ PIC can't channelise larger than E1.
- Juniper M7i with OC3 IQ PIC can channelise DS3, but doesn't do SDH framing for STM1.
- The carrier suggested re-engineering the service to deliver 21 E1s and run MLPPP over them. The data sheet for the PA-MC-T3-EC indicates MLPPP is only possible in hardware up to 12 T1s. I doubt MLPPP in software would perform at all, let alone perform well.

I've never worked with channelised services more complicated than DS0s in an E1, so I've got a few questions:

- Has anyone ever done this? What config/hardware did you use?
- Are there any muxes/converters/router interfaces that can do this at the ~20Mbit end of the market?
- Does the Adtran support intermixing of SONET and SDH (DS3 over STM1)?

Many thanks,

- I.

From asturluismi at gmail.com Tue Jan 12 11:20:37 2010
From: asturluismi at gmail.com (luismi)
Date: Tue, 12 Jan 2010 17:20:37 +0100
Subject: [c-nsp] IP/VC 3526 serial port is not showing anything
Message-ID: <1263313237.30768.2.camel@hal9000>

Hi all,

We took a Cisco IP/VC 3526 from one of our racks. We tried to access it over the serial port with 9600 8N1 (as the documentation says) and it didn't work. We also have an alarm on the front but we were not able to find anything relating to it in the documentation.

As far as we read, the product is EoL/EoS but it will have support until 2011 or 2012, so what is the natural alternative to replace it? Any comment is welcome, not necessarily Cisco.

From p.mayers at imperial.ac.uk Tue Jan 12 11:40:05 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 12 Jan 2010 16:40:05 +0000
Subject: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB
Message-ID: <4B4CA5E5.7080909@imperial.ac.uk>

>
> Anyone have any thoughts as to what might be occurring here? We can
> replace the card in slot 13 as well but we are concerned about the
> exciting game of musical fabric errors the switch is playing.

This might sound a bit odd, but you might see it go away with a reload.

We've had funnies with fabric channels that were reliably reproducible, until we reloaded the box as a "last try" before RMAing - and it and all of its linecards have been fine since. Not the most reassuring statement I know.

If you have a spare chassis you could try GOLDing the relevant cards one by one, using the disruptive tests (standard disclaimer: some of the disruptive tests fail if there's *ANY* config on the box at all; some fail under certain IOS versions; and so forth). If the cards all pass, it's probably fine :o/

From lists.james.edwards at gmail.com Tue Jan 12 11:44:35 2010
From: lists.james.edwards at gmail.com (james edwards)
Date: Tue, 12 Jan 2010 09:44:35 -0700
Subject: [c-nsp] Timing slips on an 2811
In-Reply-To: <4B4C8A0B.7020803@slepicka.net>
References: <4B4C8A0B.7020803@slepicka.net>

On Tue, Jan 12, 2010 at 7:41 AM, James Slepicka wrote:

> try 'network-clock-select 1 T1 0/0/0'
>
> if you run a sh network-clocks, your output should be similar to this:
>
> #sh network-clocks
> Network Clock Configuration
> ---------------------------
> Priority      Clock Source        Clock State     Clock Type
>
>    1          T1 0/0/0            GOOD            T1
>   10          Backplane           GOOD            PLL
>
> Current Primary Clock Source
> ---------------------------
> Priority      Clock Source        Clock State     Clock Type
>
>    1          T1 0/0/0            GOOD            T1

Thanks James, that did the trick. Thanks to everyone who helped out on this one.

-- 
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From drew.weaver at thenap.com Tue Jan 12 12:01:06 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 12 Jan 2010 12:01:06 -0500
Subject: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB
In-Reply-To: <4B4CA5E5.7080909@imperial.ac.uk>
References: <4B4CA5E5.7080909@imperial.ac.uk>

Hi Phil,

We actually upgraded from SXF13 to SXF17 since this issue began, so we have 'reloaded' it; we haven't completely powered it off and back on yet though.

thanks,
-Drew

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Tuesday, January 12, 2010 11:40 AM
To: Drew Weaver
Cc: Cisco-nsp
Subject: Re: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB

>
> Anyone have any thoughts as to what might be occurring here? We can
> replace the card in slot 13 as well but we are concerned about the
> exciting game of musical fabric errors the switch is playing.

This might sound a bit odd, but you might see it go away with a reload.

We've had funnies with fabric channels that were reliably reproducible, until we reloaded the box as a "last try" before RMAing - and it and all of its linecards have been fine since. Not the most reassuring statement I know.

If you have a spare chassis you could try GOLDing the relevant cards one by one, using the disruptive tests (standard disclaimer: some of the disruptive tests fail if there's *ANY* config on the box at all; some fail under certain IOS versions; and so forth). If the cards all pass, it's probably fine :o/

From p.mayers at imperial.ac.uk Tue Jan 12 12:03:17 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 12 Jan 2010 17:03:17 +0000
Subject: [c-nsp] 6500 - FABRIC-SP-3-DISABLE_FAB
References: <4B4CA5E5.7080909@imperial.ac.uk>
Message-ID: <4B4CAB55.2080004@imperial.ac.uk>

Drew Weaver wrote:
> Hi Phil,
>
> We actually upgraded from SXF13 to SXF17 since this issue began so we
> have 'reloaded' it, we haven't completely powered it off and back on
> yet though.

I'm trying to remember whether we actually cold- or warm-booted ours. I think it very likely it was a warm boot.

From DLasher at newedgenetworks.com Tue Jan 12 12:28:20 2010
From: DLasher at newedgenetworks.com (Lasher, Donn)
Date: Tue, 12 Jan 2010 09:28:20 -0800
Subject: [c-nsp] Ethernet Network
References: <6b300f5d1001120355l74ee55b3x6d83992f56b0a0c8@mail.gmail.com>

From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of My Name
Sent: Tuesday, January 12, 2010 9:27 AM
To: Andrey 'sshd' Petrenko
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Ethernet Network

>> SNIP >>
>
> 1500 bytes max data + 22 max header + 4 CRC trailer + 4 byte 802.1q tag
> +16 up to 4 labels = 1546?
>
> Why not just enable jumbos and set it as high as possible?

1546 = largest MTU the 355x/356x switches, PA-FE, etc, will support, as I recall.

From ibrahim.abozaid at gmail.com Tue Jan 12 13:08:50 2010
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 12 Jan 2010 20:08:50 +0200
Subject: [c-nsp] MPLS TE and PIM

Hi

I have a question about PIM: can PIM messages flow across an MPLS TE tunnel? Why can't PIM neighborship be established over the tunnel?

thanks
--Ibrahim

From dwcarder at wisc.edu Tue Jan 12 12:20:58 2010
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Tue, 12 Jan 2010 11:20:58 -0600
Subject: [c-nsp] ASA ipv6 + icmp types
Message-ID: <22317044-D722-4D04-BB9B-8699461DEEB8@wisc.edu>

On Jan 11, 2010, at 1:41 PM, Brandon Applegate wrote:

> So I'm playing around with ipv6 on the ASA. I'm running the latest code (8.2(1)). And in trying to get traceroutes and pings 'through' the ASA, I've found that icmp-types are translated to 'english' but using the ipv4 codes. I.e. code 3 for ipv6 is time-exceeded but shows up in config as unreachable (because unreachable == 3 in ipv4).
>
> I'm guessing I should open a TAC case and complain? You could call it a cosmetic issue, but I see myself making mistakes because the burden is on me to translate the icmp types as I enter config :(

I would certainly open a tac case and insist on getting a bug id. C's v6 support across product lines is pretty craptastic. I recently got CSCtb29296 filed. This is very, very basic broken functionality that shows their v6 feature support and testing is negligible.

Dale

From dpz at berkeley.edu Tue Jan 12 13:29:06 2010
From: dpz at berkeley.edu (David Paul Zimmerman)
Date: Tue, 12 Jan 2010 10:29:06 -0800
Subject: [c-nsp] ASA Transparent Firewall with Multiple VLANs
In-Reply-To: <000001ca84bf$ff777800$fe666800$@net>
References: <000001ca84bf$ff777800$fe666800$@net>

Sercan,

Did you ever get a response to this privately? I can rework one of my transparent-mode context configurations as a sample configuration if not.

dp

On Dec 24, 2009, at 9:39 AM, Sercan Aktas wrote:

> Hi guys,
>
> I have a specific customer scenario, where multiple VLANs need to be
> firewalled and due to the environment transparent firewall seems to be the
> best solution. However, this is an SP environment and my customer has the
> concern of having 50 virtual contexts as a serious limitation. I have seen
> in some Cisco documents stating that multiple VLANs in transparent mode were
> allowed either single mode or per virtual context. There is no detailed
> explanation or configuration example though.
>
> So what I am trying to find out is if I can bridge multiple VLAN pairs
> either through a single transparent firewall or a transparent virtual
> context? If this is doable, do any of you guys have a sample configuration
> as reference?
>
> Thanks,
>
> Sercan
>
From jshearer at amedisys.com Tue Jan 12 14:11:14 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Tue, 12 Jan 2010 13:11:14 -0600
Subject: [c-nsp] IP/VC 3526 serial port is not showing anything
In-Reply-To: <1263313237.30768.2.camel@hal9000>
References: <1263313237.30768.2.camel@hal9000>

Have you tried different baud rates? I have found some 35xx MCUs come from the factory set at 115200.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Tuesday, January 12, 2010 10:21 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IP/VC 3526 serial port is not showing anything

Hi all,

We took a Cisco IP/VC 3526 from one of our racks. We tried to access it over the serial port with 9600 8N1 (as the documentation says) and it didn't work. We also have an alarm on the front but we were not able to find anything relating to it in the documentation.

As far as we read, the product is EoL/EoS but it will have support until 2011 or 2012, so what is the natural alternative to replace it? Any comment is welcome, not necessarily Cisco.

From panocisco77 at gmail.com Tue Jan 12 14:35:41 2010
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Tue, 12 Jan 2010 14:35:41 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
Message-ID: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com>

Hello All

How do I fix Minor Errors besides reseating the module, anybody knows?

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  3  Pass
  4  Minor Error
  5  Pass
  6  Pass
  7  Pass
  8  Pass
  9  Minor Error

From panocisco77 at gmail.com Tue Jan 12 14:38:02 2010
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Tue, 12 Jan 2010 14:38:02 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45AF
Message-ID: <16e2ac181001121138l295b8ee4k44ecddb7485c2df8@mail.gmail.com>

Hello All

How do I fix Minor Errors besides reseating the module, anybody knows?

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  3  Pass
  4  Minor Error
  5  Pass
  6  Pass
  7  Pass
  8  Pass
  9  Minor Error

From dcp at dcptech.com Tue Jan 12 14:57:05 2010
From: dcp at dcptech.com (David Prall)
Date: Tue, 12 Jan 2010 14:57:05 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
In-Reply-To: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com>
References: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com>
Message-ID: <001e01ca93c1$6b2071a0$416154e0$@com>

What does "sh diag" give you for the module?

-- 
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Renelson Panosky
> Sent: Tuesday, January 12, 2010 2:36 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
>
> Hello All
>
> How do I fix Minor Errors besides reseating the module, anybody knows?
>
> Mod  Online Diag Status
> ---- -------------------
>   1  Pass
>   2  Pass
>   3  Pass
>   4  Minor Error
>   5  Pass
>   6  Pass
>   7  Pass
>   8  Pass
>   9  Minor Error

From panocisco77 at gmail.com Tue Jan 12 15:03:13 2010
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Tue, 12 Jan 2010 15:03:13 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
In-Reply-To: <001e01ca93c1$6b2071a0$416154e0$@com>
References: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com> <001e01ca93c1$6b2071a0$416154e0$@com>
Message-ID: <16e2ac181001121203o664cc7d2l5a80e37a8634ed5d@mail.gmail.com>

sho diagnostic status

  - Bootup Diagnostics, - Health Monitoring Diagnostics,
  - OnDemand Diagnostics, - Scheduled Diagnostics

====== ================================= =============================== ======
Card   Description                       Current Running Test            Run by
------ --------------------------------- ------------------------------- ------
1      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
2      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
3      48-port 10/100/1000 RJ45 EtherMod TestNonDisruptiveLoopback
4      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
5      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
6      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
7      Supervisor Engine 32 8GE (Active) N/A                             N/A
8      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
9      48 port 10/100/1000mb EtherModule N/A                             N/A
====== ================================= =============================== ======

On Tue, Jan 12, 2010 at 2:57 PM, David Prall wrote:

> What does "sh diag" give you for the module?
>
> -- 
> http://dcp.dcptech.com
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Renelson Panosky
> > Sent: Tuesday, January 12, 2010 2:36 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
> >
> > Hello All
> >
> > How do I fix Minor Errors besides reseating the module, anybody knows?
> >
> > Mod  Online Diag Status
> > ---- -------------------
> >   1  Pass
> >   2  Pass
> >   3  Pass
> >   4  Minor Error
> >   5  Pass
> >   6  Pass
> >   7  Pass
> >   8  Pass
> >   9  Minor Error
>

From dcp at dcptech.com Tue Jan 12 15:12:34 2010
From: dcp at dcptech.com (David Prall)
Date: Tue, 12 Jan 2010 15:12:34 -0500
Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
In-Reply-To: <16e2ac181001121203o664cc7d2l5a80e37a8634ed5d@mail.gmail.com>
References: <16e2ac181001121135x5a3bbb61v9f37c05778ba8937@mail.gmail.com> <001e01ca93c1$6b2071a0$416154e0$@com> <16e2ac181001121203o664cc7d2l5a80e37a8634ed5d@mail.gmail.com>
Message-ID: <002501ca93c3$956e9ac0$c04bd040$@com>

That's the status, which shows one is currently running. But what does sh diag tell us is wrong?

David

-- 
http://dcp.dcptech.com

> -----Original Message-----
> From: Renelson Panosky [mailto:panocisco77 at gmail.com]
> Sent: Tuesday, January 12, 2010 3:03 PM
> To: David Prall
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6509-E with WS-X6148A-GE-45A
>
> sho diagnostic status
>
>   - Bootup Diagnostics, - Health Monitoring Diagnostics,
>   - OnDemand Diagnostics, - Scheduled Diagnostics
>
> ====== ================================= =============================== ======
> Card   Description                       Current Running Test            Run by
> ------ --------------------------------- ------------------------------- ------
> 1      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 2      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 3      48-port 10/100/1000 RJ45 EtherMod TestNonDisruptiveLoopback
> 4      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 5      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 6      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 7      Supervisor Engine 32 8GE (Active) N/A                             N/A
> 8      48-port 10/100/1000 RJ45 EtherMod N/A                             N/A
> 9      48 port 10/100/1000mb EtherModule N/A                             N/A
> ====== ================================= =============================== ======
>
> On Tue, Jan 12, 2010 at 2:57 PM, David Prall wrote:
>
> > What does "sh diag" give you for the module?
> >
> > -- 
> > http://dcp.dcptech.com
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Renelson Panosky
> > > Sent: Tuesday, January 12, 2010 2:36 PM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] 6509-E with WS-X6148A-GE-45A
> > >
> > > Hello All
> > >
> > > How do I fix Minor Errors besides reseating the module, anybody knows?
> > >
> > > Mod  Online Diag Status
> > > ---- -------------------
> > >   1  Pass
> > >   2  Pass
> > >   3  Pass
> > >   4  Minor Error
> > >   5  Pass
> > >   6  Pass
> > >   7  Pass
> > >   8  Pass
> > >   9  Minor Error
> >
>

From maillist at webjogger.net Tue Jan 12 16:12:03 2010
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 12 Jan 2010 16:12:03 -0500
Subject: [c-nsp] GRE tunnel optimization
Message-ID: <4B4CE5A3.4040709@webjogger.net>

Hi,

I'm trying to pass IPSec VPN traffic over a simple GRE tunnel, with mixed results (some packet loss, high latency).

Configs on both ends:

==========
2811, 12.4(21), traffic is sent over bonded DSL lines
==========
interface Tunnel0
 ip address 172.16.16.9 255.255.255.252
 ip tcp adjust-mss 1460
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
!
interface ATM0/0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/35
  protocol ppp Virtual-Template1
!
interface ATM0/1/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/35
  protocol ppp Virtual-Template1
!
interface Virtual-Template1
 no ip address
 ppp multilink
 ppp multilink group 1
!
interface Multilink1
 ip address x.x.x.x z.z.z.z
 ip nat outside
 ip virtual-reassembly
 ppp multilink
 ppp multilink group 1

==========
1841, 12.4(24)T2, traffic is sent over Cablevision link
===========
interface Tunnel0
 ip address 172.16.16.10 255.255.255.252
 ip tcp adjust-mss 1460
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
!
interface FastEthernet0/0/0
 description *** Cablevision ***
 ip address y.y.y.y z.z.z.z
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto

The VPN is being generated by Sonicwalls on both ends. I've set MTU to 1460 on them as well.

I had originally set MTU to 1400, but it was worse.

Are there any obvious configurations I am missing to optimize this traffic? For example, is something like the following recommended on the Tunnel interfaces?

hold-queue 1024 in
hold-queue 1024 out

Thanks for your help.

Adam

From jshearer at amedisys.com Tue Jan 12 18:35:52 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Tue, 12 Jan 2010 17:35:52 -0600
Subject: [c-nsp] GRE tunnel optimization
In-Reply-To: <4B4CE5A3.4040709@webjogger.net>
References: <4B4CE5A3.4040709@webjogger.net>
Message-ID: 

Why the IPSec over GRE? Typically you see GRE over IPSec to get the benefits of multicast.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam Greene
Sent: Tuesday, January 12, 2010 3:12 PM
To: Cisco NSP
Subject: [c-nsp] GRE tunnel optimization
From frnkblk at iname.com Wed Jan 13 01:02:41 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 13 Jan 2010 00:02:41 -0600
Subject: [c-nsp] Unicast flooding?
Message-ID: 

We've been seeing some strange behavior on our 7609-S running 12.2(33r)SRB4. We have a VLAN (with four /24s) configured on three ports across two 10/100/1000 blades facing some FTTH transport equipment.

Customers hanging off the FTTH equipment on the third port are complaining that several times per day they lose internet access. We've been able to correlate their complaints with failed ping attempts from our workstations and the 7609-S to their public IPs. What's interesting is that it's not all the traffic, and of the 4 IPs we are tracking, two of which are on separate /24s, the outages happen within the same /24. At the same time, while using Wireshark, I can see one of the Cisco interfaces sending out 1 to 2 Mbps of traffic that should be going to one of the other two Ethernet interfaces. This is happening about a dozen times per day for 4 to 6 minutes at a time.

While the event is occurring I have verified the ARP and CAM entry. The CAM entry is associated with one of the first two Ethernet interfaces, not the third. I can clear the ARP and CAM entry from the CLI and they are re-learned with the same information, yet the traffic continues to egress the wrong Ethernet port.

I've set the ARP timeout to 4 minutes so that it's less than the CAM table's default configuration of 5 minutes, but there was no improvement. One more observation -- the errant port is the root of the bridge.

Any ideas why the 7609 would be sending traffic out an Ethernet port to a device that the CAM table says is on a different Ethernet port?
Frank

interface Vlan10
 description FTTH network
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address 67.22.a.1 255.255.255.0 secondary
 ip address 67.22.b.1 255.255.255.0 secondary
 ip address 67.22.c.1 255.255.255.0 secondary
 ip address 67.22.d.1 255.255.255.0
 ip helper-address e.f.g.h
 no ip redirects
 arp timeout 300
end

interface GigabitEthernet1/29 (and 3/39 and 3/45)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 spanning-tree portfast trunk
end

From sven at darkman.de Wed Jan 13 01:03:32 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Wed, 13 Jan 2010 07:03:32 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
Message-ID: <4B4D6234.7050101@darkman.de>

Hi there,

I'd like to use the pvlan feature from Cisco for two networks. I already read a lot of documentation on the pvlan feature on Cisco's page and many other blog posts etc. and already know that it seems not to be possible to use the pvlan feature with etherchannel/port groups on any device. Apart from no information *why* this is not possible, I have no idea how to complete the following setup:

I'd like to have my PVLAN connected to my "core" network in a kind of redundancy and "more" bandwidth. The PVLAN has GBIT enabled devices, the uplink to the core should be more than one GBIT (to ensure that no single device is able to fill the uplink, but also able to use max of available bandwidth). Sadly, a TGigE uplink is not yet possible. As switches we have 3560G and the core is currently a 6509. At least the redundancy is important, so I could try it with "backup-interface" on the 6509, but this would limit the pvlan to 1GigE, which is not exactly what I want.

Another problem is that I currently plan to deploy two isolated pvlans on the 3560 switches, which "should" be no problem if I use two different primary vlans (a primary may only carry one isolated pvlan at a time), but it seems to be not possible to use one uplink/trunk port for two different isolated pvlan setups? If that's true, I would need at least four ports (two for each isolated pvlan) just to get the redundancy and would not have any uplink >1GigE...

Did I miss anything? Is there a way to get the redundancy and the bandwidth? May I use two isolated pvlans on the same uplink? Is there some way to use something "like" etherchannel with pvlans?
Or is there a way to change the setup in a way I would get pvlan + more bandwidth + redundancy without all of these problems or limitations? ;)

Thanks and regards,
Sven

From td_miles at yahoo.com Wed Jan 13 02:10:06 2010
From: td_miles at yahoo.com (Tony)
Date: Tue, 12 Jan 2010 23:10:06 -0800 (PST)
Subject: [c-nsp] Ethernet Network
In-Reply-To: 
Message-ID: <499475.32176.qm@web110115.mail.gq1.yahoo.com>

--- On Wed, 13/1/10, Lasher, Donn wrote:
>
> >> SNIP
> >
> > 1500 bytes max data + 22 max header + 4 CRC trailer + 4 byte 802.1q tag
> > +16 up to 4 labels = 1546?
> >
> > Why not just enable jumbos and set it as high as possible?
> >
> 1546 = largest MTU the 355x/356x switches, PA-FE, etc, will support, as
> I recall.
>

PA-FE are limited to 1530. You're correct about 1546 for the switches though.

7204(config)#int fa4/0
7204(config-if)#mtu ?
  <1500-1530>  MTU size in bytes

From ip at ioshints.info Wed Jan 13 02:36:33 2010
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 13 Jan 2010 08:36:33 +0100
Subject: [c-nsp] Ethernet Network
In-Reply-To: <499475.32176.qm@web110115.mail.gq1.yahoo.com>
References: <499475.32176.qm@web110115.mail.gq1.yahoo.com>
Message-ID: <001a01ca9423$226f34c0$674d9e40$@info>

The MTU on PA-FE (probably) does not include MAC header and definitely does not include CRC trailer. Otherwise the minimum value of 1500 wouldn't make sense.

> -----Original Message-----
> From: Tony [mailto:td_miles at yahoo.com]
> Sent: Wednesday, January 13, 2010 8:10 AM
> To: cisco-nsp at puck.nether.net; DonnLasher
> Subject: Re: [c-nsp] Ethernet Network

From p.mayers at imperial.ac.uk Wed Jan 13 04:18:21 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 13 Jan 2010 09:18:21 +0000
Subject: [c-nsp] Unicast flooding?
In-Reply-To: 
References: 
Message-ID: <4B4D8FDD.2080708@imperial.ac.uk>

> While the event is occurring I have verified the ARP and CAM entry. The CAM
> entry is associated with one of the first two Ethernet interfaces, not the
> third. I can clear the ARP and CAM entry from the CLI and they are
> re-learned with the same information, yet the traffic continues to egress
> the wrong Ethernet port.

Ugh.

> I've set the ARP timeout to 4 minutes so that it's less than the CAM table's
> default configuration of 5 minutes, but there was no improvement. One more
> observation -- the errant port is the root of the bridge.
>
> Any ideas why the 7609 would be sending traffic out an Ethernet port to a
> device that the CAM table says is on a different Ethernet port?

What module is the traffic coming in via? Which of the modules have DFCs?

Have you looked at:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#dfc

...specifically the 1st item "Loss of Dynamic MAC Addresses with Distributed Switching" which could possibly be related, though that is a wild guess.

How long has this been happening for?

From gert at greenie.muc.de Wed Jan 13 04:19:15 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 13 Jan 2010 10:19:15 +0100
Subject: [c-nsp] DS3 over STM1
In-Reply-To: 
References: 
Message-ID: <20100113091915.GX857@greenie.muc.de>

Hi,

On Tue, Jan 12, 2010 at 11:15:10PM +0800, Ian Henderson wrote:
> The new carrier has provisioned a 45Mbit clear channel service with a DS3
> at the remote site, and a channelised STM1 at the head office. I can't
> seem to find a combination of router/card/mux to make this work.

I'd ask the carrier to deliver clear channel DS3 on both ends. After all, that's what you ordered ("give us a DS3!"), no?

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From pavel.skovajsa at gmail.com Wed Jan 13 04:27:03 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 13 Jan 2010 10:27:03 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <4B4D6234.7050101@darkman.de>
References: <4B4D6234.7050101@darkman.de>
Message-ID: <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com>

Hello Sven,

If I understood you correctly you can get around these limitations by using the PVLAN feature on the end-user ports only and not on the internal switch-to-switch links. On those links you can use normal "trunk" ports and spread the PVLAN to your 6509 and terminate it on L3 VLAN int.

Access layer example for end-user port somewhere in the deeps of the switched fabric:

interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100

Access layer trunk port:

interface GigabitEthernet0/1
 switchport mode trunk

On your distribution (6509) you configure:

interface Vlan10
 ip sticky-arp ignore   <--- this is important as PVLAN VLAN interface gets sticky arp by default (for some unknown reason)
 no ip proxy-arp
 private-vlan mapping 100

and normal trunk port towards the switch fabric:

interface GigabitEthernet6/1
 switchport mode trunk

Yes this is probably suboptimal to what you would like to accomplish, however the end effect is that the end-user ports cannot communicate with each other - which is probably what you want.

Another alternative is the "private-vlan trunk" feature which is described over here http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1166138 - the trouble is that AFAIK currently it works only on C4500.

-pavel skovajsa
From pavel.skovajsa at gmail.com Wed Jan 13 04:37:20 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 13 Jan 2010 10:37:20 +0100
Subject: [c-nsp] GRE tunnel optimization
In-Reply-To: <4B4CE5A3.4040709@webjogger.net>
References: <4B4CE5A3.4040709@webjogger.net>
Message-ID: <323aca891001130137n1d3e1926gb09c5c4c3535dc54@mail.gmail.com>

Hi Adam,

The "ip tcp adjust-mss 1460" adjusts TCP traffic, which IPsec is not, so you can safely remove it. Try to change the TCP MSS on the Sonicwalls - I suggest something conservative - 1390 for example.

If it won't help (or there is no knob for this on Sonicwalls) try to:
- ping across the GRE tunnel in the clear without IPSEC
- determine whether this is an MTU size issue - by pinging with larger and larger packets.

-pavel
From pavel.skovajsa at gmail.com Wed Jan 13 04:43:02 2010
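Pavel's two-step check above (ping the GRE tunnel with larger and larger packets to find the path MTU, then pick a TCP MSS that actually fits), written out as an added Python example; this is not code from the thread. It assumes AES-CBC with HMAC-SHA1-96 for the ESP overhead, a GRE header without key or sequence number (24 bytes with the outer IP header, so 1476 on a 1500-byte link), and Linux iputils `ping` for the real prober; run without a host it simulates such a tunnel.

```python
import subprocess
from typing import Callable

# Header sizes in bytes. Constructed for this example, not taken from the thread.
IPV4_HDR = 20
ICMP_HDR = 8
TCP_HDR = 20
ESP_SPI_SEQ = 8   # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
UDP_NAT_T = 8     # extra UDP header if ESP is NAT-traversed (both WAN ports carry "ip nat outside")


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest IP packet size that passes with DF set, found by binary search.

    probe(size) must return True when an IP packet of `size` bytes gets through
    unfragmented. Same idea as pinging with ever larger packets, in O(log n) probes.
    """
    if not probe(lo):
        raise RuntimeError(f"even {lo}-byte packets are dropped; check the tunnel itself first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid        # mid fits: the answer is at least mid
        else:
            hi = mid - 1    # mid is too big
    return lo


def ping_probe(host: str, timeout_s: int = 1) -> Callable[[int], bool]:
    """Real prober for Linux iputils ping: DF set (-M do); -s is the ICMP payload size."""
    def probe(size: int) -> bool:
        payload = size - IPV4_HDR - ICMP_HDR
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    return probe


def esp_tunnel_size(inner_len: int, block: int = 16, iv: int = 16, icv: int = 12,
                    nat_t: bool = False) -> int:
    """On-the-wire size of an ESP tunnel-mode packet carrying an inner IP packet of inner_len bytes.

    Defaults assume AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV).
    Padding brings (inner packet + pad + trailer) to a multiple of the cipher block size.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return (IPV4_HDR + (UDP_NAT_T if nat_t else 0) + ESP_SPI_SEQ + iv
            + inner_len + pad + ESP_TRAILER + icv)


def esp_worst_case_overhead(block: int = 16, iv: int = 16, icv: int = 12,
                            nat_t: bool = False) -> int:
    """Most bytes ESP tunnel mode can add to an inner packet (padding at its worst, block - 1)."""
    return (IPV4_HDR + (UDP_NAT_T if nat_t else 0) + ESP_SPI_SEQ + iv
            + (block - 1) + ESP_TRAILER + icv)


def tcp_mss_for(path_mtu: int, esp_overhead: int) -> int:
    """TCP MSS for the VPN endpoints (the Sonicwalls here) so that inner IP + TCP + data,
    once wrapped in ESP, still fits the GRE tunnel's path MTU without fragmentation."""
    return path_mtu - esp_overhead - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    # Without a host, simulate a plain GRE tunnel over a 1500-byte link: 1500 - 20 - 4 = 1476.
    probe = ping_probe(host) if host else (lambda size: size <= 1476)
    pmtu = find_path_mtu(probe)
    mss = tcp_mss_for(pmtu, esp_worst_case_overhead())
    print(f"path MTU {pmtu}, recommended TCP MSS {mss} (AES-CBC/HMAC-SHA1, no NAT-T)")
```

With the simulated 1476-byte tunnel the worst-case MSS comes out at 1363; pass `nat_t=True` to `esp_worst_case_overhead` if the ESP is UDP-encapsulated, which costs another 8 bytes.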
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 13 Jan 2010 10:43:02 +0100
Subject: [c-nsp] Unicast flooding?
In-Reply-To: 
References: 
Message-ID: <323aca891001130143l311c98c0r4d85182b71983ebc@mail.gmail.com>

Hello Frank,

Does not sound really healthy - if you have gathered good evidence this is a good candidate for TAC. Anyway - you should probably upgrade to something other than SRB4 as TAC will tell you probably the same thing....

-pavel skovajsa
From noc at phibee.net Wed Jan 13 06:14:48 2010
From: noc at phibee.net (Phibee Network Operation Center)
Date: Wed, 13 Jan 2010 12:14:48 +0100
Subject: [c-nsp] Cisco ASA and Update Cisco VPN Client
Message-ID: <4B4DAB28.7030500@phibee.net>

Hi

Does anyone know if it's possible:

When a user connects to my Cisco ASA via IPSec VPN, the ASA sees the version of the IPSec client software, I think.

If this software is too old, can the ASA send an update automatically?

Thanks
Jerome

From ziliomarcelo at gmail.com Wed Jan 13 06:39:56 2010
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Wed, 13 Jan 2010 09:39:56 -0200
Subject: [c-nsp] Cisco ASA and Update Cisco VPN Client
In-Reply-To: <4B4DAB28.7030500@phibee.net>
References: <4B4DAB28.7030500@phibee.net>
Message-ID: <62f79b511001130339h4f01adc3k32690f1999091477@mail.gmail.com>

I just saw in my ASA 8.2 under Configuration > Remote Access VPN > Network (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option Client Software Update. I remember seeing this in older versions too. I never used it, but I think this is what you are looking for.

From ayourtch at cisco.com Wed Jan 13 08:11:07 2010
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Wed, 13 Jan 2010 14:11:07 +0100 (CET)
Subject: [c-nsp] ASA ipv6 + icmp types
In-Reply-To: <22317044-D722-4D04-BB9B-8699461DEEB8@wisc.edu>
References: <22317044-D722-4D04-BB9B-8699461DEEB8@wisc.edu>
Message-ID: 

On Tue, 12 Jan 2010, Dale W. Carder wrote:

> On Jan 11, 2010, at 1:41 PM, Brandon Applegate wrote:
>
>> So I'm playing around with ipv6 on the ASA. I'm running the latest
>> code (8.2(1)). And in trying to get traceroutes and pings 'through' the
>> ASA, I've found that icmp-types are translated to 'english' but using
>> the ipv4 codes. I.e. code 3 for ipv6 is time-exceeded but shows up in config
>> as unreachable (because unreachable == 3 in ipv4).
>>
>> I'm guessing I should open a TAC case and complain ? You could call it a
>> cosmetic issue, but I see myself making mistakes because the burden is on
>> me to translate the icmp types as I enter config :(
>
> I would certainly open a tac case and insist on getting a bug id.

Yeah I asked Brandon unicast to open a new case and get me the #.

However: The issue comes from the icmp-type object group being a separate entity from an ACL, that is not context-aware ("www" is always 80), and it can not really be "fixed": if you were to use the same icmp-type OG in the IPv4 and IPv6 ACL - what should the type "3" correspond to in the running config within that object group? There's not always 1:1 mapping between ICMPv4 and ICMPv6.

So it is not as black and white as printing IPv4 instead of IPv6, unfortunately...

Looks like the only approach might be creating a new object-group kind "icmp6-type" - and make the CLI not accept the "icmp-type" object group for the IPv6 ACLs.

cheers,
andrew

From timothy.arnold at uksolutions.co.uk Wed Jan 13 07:31:56 2010
From: timothy.arnold at uksolutions.co.uk (Timothy Arnold)
Date: Wed, 13 Jan 2010 12:31:56 +0000
Subject: [c-nsp] IPv6 ns-interval & 12.2(33)SRE & ASA 8.2(2)
Message-ID: 

Hi Guys,

I'm hoping there is someone out there who knows a bit more about IPv6 than I do :)

Enabled ipv6 between the Cisco 7600 running 12.2(33)SRE and a pair of Cisco ASA firewalls running 8.2(2) (in HA). I get the following from the 7600:

%IPV6-3-CONFLICT: Router FE80::21A:E2FF:FE68:50AA on Vlan2008 has conflicting ND settings

"show ipv6 routers" shows the only real difference is the retransmit time. On the 7600, it is 0ms (which I understand to be "unspecified" rather than 0) and on the ASA the default is 1000.

cr1-sdf2.uk#show ipv6 routers vlan2008
Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min, CONFLICT
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800

colofw1/act# show ipv6 routers
Router fe80::21b:dff:fee5:ae00 on outside, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  Reachable time 0 msec, Retransmit time 0 msec
  Prefix 2a02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800

Adding the following configuration to the 7600 corrects the issue:

ipv6 nd ns-interval 1000

cr1-sdf2.uk(config-if)#do show ipv6 routers vlan2008
Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800

Both ends are now the same and no conflict occurs. Any ideas why it's complaining? I thought that the unspecified nature of ns-interval means that it would accept the 1000 milliseconds from the other end?
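The comparison Tim is doing by eye, as an added Python example that is not part of his mail: it parses both `show ipv6 routers` outputs quoted above (embedded here as constructed sample input) and lists the RA parameters the two routers disagree on. The rule that a zero hop limit, reachable time or retransmit timer is "unspecified" and should not count as a conflict is my reading of RFC 4861 section 6.2.7, not something the thread states; `strict=True` compares raw values instead, which is the comparison that yields the CONFLICT the 7600 logs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input: the two "show ipv6 routers" outputs quoted in the thread.
# Each box shows the RA it *received*, so the 7600's output describes what the ASA
# advertises and the ASA's output describes what the 7600 advertises.
SEEN_BY_7600 = """\
Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min, CONFLICT
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
"""

SEEN_BY_ASA = """\
Router fe80::21b:dff:fee5:ae00 on outside, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  Reachable time 0 msec, Retransmit time 0 msec
  Prefix 2a02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
"""

# RA fields that routers sharing a link are expected to agree on (RFC 4861 section 6.2.7):
# AddrFlag is the M (managed) flag, OtherFlag the O flag, Hops the Cur Hop Limit.
CHECKED = ("hops", "addrflag", "otherflag", "mtu", "reachable", "retransmit")
# Fields where the RFC treats zero as "unspecified", i.e. not a conflict.
UNSPECIFIED_IF_ZERO = {"hops", "reachable", "retransmit"}


@dataclass
class RouterAdvert:
    router: str                       # link-local address of the advertising router
    interface: str
    flagged: bool = False             # IOS printed CONFLICT for this entry
    params: Dict[str, int] = field(default_factory=dict)
    prefixes: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # prefix -> (valid, preferred)


def parse_show_ipv6_routers(text: str) -> List[RouterAdvert]:
    """Parse IOS or ASA 'show ipv6 routers' output, one RouterAdvert per advertising router."""
    entries: List[RouterAdvert] = []
    cur = None
    prefix = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Router (\S+) on (\S+),", line):
            cur = RouterAdvert(m[1].lower(), m[2], flagged=line.endswith("CONFLICT"))
            entries.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"Hops (\d+), Lifetime (\d+) sec, AddrFlag=(\d), OtherFlag=(\d), MTU=(\d+)", line):
            cur.params.update(hops=int(m[1]), lifetime=int(m[2]), addrflag=int(m[3]),
                              otherflag=int(m[4]), mtu=int(m[5]))
        elif m := re.match(r"Reachable time (\d+) msec, Retransmit time (\d+) msec", line):
            cur.params.update(reachable=int(m[1]), retransmit=int(m[2]))
        elif m := re.match(r"Prefix (\S+) ", line):
            prefix = m[1].lower()
        elif (m := re.match(r"Valid lifetime (\d+), preferred lifetime (\d+)", line)) and prefix:
            cur.prefixes[prefix] = (int(m[1]), int(m[2]))
    return entries


def find_conflicts(a: RouterAdvert, b: RouterAdvert, strict: bool = False) -> Dict[str, Tuple]:
    """Return {field: (a_value, b_value)} for every checked RA parameter the two routers disagree on.

    strict=False skips a comparison when either side advertises the "unspecified" zero;
    strict=True compares raw values, so 0 vs 1000 msec retransmit becomes a conflict.
    """
    diffs: Dict[str, Tuple] = {}
    for name in CHECKED:
        va, vb = a.params.get(name), b.params.get(name)
        if va is None or vb is None:
            continue
        if not strict and name in UNSPECIFIED_IF_ZERO and 0 in (va, vb):
            continue
        if va != vb:
            diffs[name] = (va, vb)
    # Preferred and valid lifetimes for the same prefix must match too.
    for pfx in a.prefixes.keys() & b.prefixes.keys():
        if a.prefixes[pfx] != b.prefixes[pfx]:
            diffs[f"prefix {pfx}"] = (a.prefixes[pfx], b.prefixes[pfx])
    return diffs


if __name__ == "__main__":
    asa_ra = parse_show_ipv6_routers(SEEN_BY_7600)[0]   # what the ASA advertises
    ios_ra = parse_show_ipv6_routers(SEEN_BY_ASA)[0]    # what the 7600 advertises
    print("RFC 4861 comparison:", find_conflicts(asa_ra, ios_ra) or "no conflict")
    print("strict comparison:  ", find_conflicts(asa_ra, ios_ra, strict=True) or "no conflict")
```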
Thanks
Tim

Timothy Arnold
Senior Engineer, Operations (Network, Security & Facilities Group), UKSolutions
Telephone: 0845 004 1333, option 2
Email: timothy.arnold at uksolutions.co.uk
Web: www.uksolutions.co.uk
UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered in England Number 3036806

From harbor235 at gmail.com Wed Jan 13 08:45:44 2010
From: harbor235 at gmail.com (harbor235)
Date: Wed, 13 Jan 2010 08:45:44 -0500
Subject: [c-nsp] IPv6 ns-interval & 12.2(33)SRE & ASA 8.2(2)
In-Reply-To: 
References: 
Message-ID: <836bf1f91001130545h56dec6b3v38be6a5ddff1c073@mail.gmail.com>

Tim,

I got the following from Cisco pertaining to your error message:

Explanation
Another router on the link has sent router advertisements with parameters that conflict with this router.

Recommended Action
Verify that all IPv6 routers on the link have the same parameters in the router advertisement for hop-limit, managed-config-flag, other-config-flag, reachable-time and ns-interval. Also verify that preferred and valid lifetimes for the same prefix advertised by several routers are the same. Enter the *show ipv6 interface* command to list the parameters per interface.

mike
>
> Thanks
> Tim
>
>
> Timothy Arnold
> Senior Engineer, Operations (Network, Security & Facilities Group),
> UKSolutions
>
> Telephone: 0845 004 1333, option 2
> Email: timothy.arnold at uksolutions.co.uk
> Web: www.uksolutions.co.uk
> UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered in
> England Number 3036806
> This email must be read in conjunction with the legal & service notices on
> http://www.uksolutions.co.uk/disclaimer.html
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From frnkblk at iname.com Wed Jan 13 09:48:18 2010
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Wed, 13 Jan 2010 08:48:18 -0600
Subject: [c-nsp] Unicast flooding?
In-Reply-To: <323aca891001130143l311c98c0r4d85182b71983ebc@mail.gmail.com>
References: <323aca891001130143l311c98c0r4d85182b71983ebc@mail.gmail.com>
Message-ID:

I agree, I have some good evidence. I'm not against upgrading if that will resolve the issue.

Frank

> -----Original Message-----
> From: Pavel Skovajsa [mailto:pavel.skovajsa at gmail.com]
> Sent: Wednesday, January 13, 2010 3:43 AM
> To: frnkblk at iname.com
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Unicast flooding?
>
> Hello Frank,
>
> Does not sound really healthy - if you have gathered good evidence
> this is a good candidate for TAC. Anyway - you should probably upgrade
> to something other than SRB4 as TAC will tell you probably the same
> thing....
>
> -pavel skovajsa
>
> On Wed, Jan 13, 2010 at 7:02 AM, Frank Bulk wrote:
> > We've been seeing some strange behavior on our 7609-S running 12.2(33r)SRB4.
> > We have a VLAN (with four /24s) configured on three ports across two
> > 10/100/1000 blades facing some FTTH transport equipment.
> >
> > Customers hanging off the FTTH equipment on the third port are complaining
> > that several times per day they lose internet access. We've been able to
> > correlate their complaints with failed ping attempts from our workstations
> > and the 7609-S to their public IPs. What's interesting is that it's not all
> > the traffic, and of the 4 IPs we are tracking, two of which are on separate
> > /24s, the outages happen within the same /24. At the same time, while using
> > Wireshark, I can see one of the Cisco interfaces sending out 1 to 2 Mbps of
> > traffic that should be going to one of the other two Ethernet interfaces.
> > This is happening about a dozen times per day for 4 to 6 minutes at a time.
> >
> >
> > While the event is occurring I have verified the ARP and CAM entry. The CAM
> > entry is associated with one of the first two Ethernet interfaces, not the
> > third. I can clear the ARP and CAM entry from the CLI and they are
> > re-learned with the same information, yet the traffic continues to egress
> > the wrong Ethernet port.
> >
> > I've set the ARP timeout to 4 minutes so that it's less than the CAM table's
> > default configuration of 5 minutes, but there was no improvement.
> > One more
> > observation -- the errant port is the root of the bridge.
> >
> > Any ideas why the 7609 would be sending traffic out an Ethernet port to a
> > device that the CAM table says is on a different Ethernet port?
> >
> > Frank
> >
> >
> > interface Vlan10
> >  description FTTH network
> >  ip dhcp relay information trusted
> >  ip dhcp relay information option-insert none
> >  ip dhcp relay information policy-action keep
> >  ip address 67.22.a.1 255.255.255.0 secondary
> >  ip address 67.22.b.1 255.255.255.0 secondary
> >  ip address 67.22.c.1 255.255.255.0 secondary
> >  ip address 67.22.d.1 255.255.255.0
> >  ip helper-address e.f.g.h
> >  no ip redirects
> >  arp timeout 300
> > end
> >
> > interface GigabitEthernet1/29 (and 3/39 and 3/45)
> >  switchport
> >  switchport trunk encapsulation dot1q
> >  switchport trunk allowed vlan 10
> >  switchport mode trunk
> >  switchport nonegotiate
> >  load-interval 30
> >  spanning-tree portfast trunk
> > end
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

From ewitkop at gmail.com Wed Jan 13 10:01:54 2010
From: ewitkop at gmail.com (Erik Witkop)
Date: Wed, 13 Jan 2010 10:01:54 -0500
Subject: [c-nsp] Unicast flooding?
In-Reply-To:
References:
Message-ID: <4B4DE062.30504@gmail.com>

Hi Frank,

It sounds like you have already done a bit of research. I thought I might pass on this link as future reference, or for anyone else that is interested.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

p.s. I know you are not on a 6000, but most of it should apply.

Frank Bulk wrote:
> We've been seeing some strange behavior on our 7609-S running 12.2(33r)SRB4.
> We have a VLAN (with four /24s) configured on three ports across two
> 10/100/1000 blades facing some FTTH transport equipment.
>
> Customers hanging off the FTTH equipment on the third port are complaining
> that several times per day they lose internet access. We've been able to
> correlate their complaints with failed ping attempts from our workstations
> and the 7609-S to their public IPs. What's interesting is that it's not all
> the traffic, and of the 4 IPs we are tracking, two of which are on separate
> /24s, the outages happen within the same /24. At the same time, while using
> Wireshark, I can see one of the Cisco interfaces sending out 1 to 2 Mbps of
> traffic that should be going to one of the other two Ethernet interfaces.
> This is happening about a dozen times per day for 4 to 6 minutes at a time.
>
>
> While the event is occurring I have verified the ARP and CAM entry. The CAM
> entry is associated with one of the first two Ethernet interfaces, not the
> third. I can clear the ARP and CAM entry from the CLI and they are
> re-learned with the same information, yet the traffic continues to egress
> the wrong Ethernet port.
>
> I've set the ARP timeout to 4 minutes so that it's less than the CAM table's
> default configuration of 5 minutes, but there was no improvement. One more
> observation -- the errant port is the root of the bridge.
>
> Any ideas why the 7609 would be sending traffic out an Ethernet port to a
> device that the CAM table says is on a different Ethernet port?
>
> Frank
>
>
> interface Vlan10
>  description FTTH network
>  ip dhcp relay information trusted
>  ip dhcp relay information option-insert none
>  ip dhcp relay information policy-action keep
>  ip address 67.22.a.1 255.255.255.0 secondary
>  ip address 67.22.b.1 255.255.255.0 secondary
>  ip address 67.22.c.1 255.255.255.0 secondary
>  ip address 67.22.d.1 255.255.255.0
>  ip helper-address e.f.g.h
>  no ip redirects
>  arp timeout 300
> end
>
> interface GigabitEthernet1/29 (and 3/39 and 3/45)
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 10
>  switchport mode trunk
>  switchport nonegotiate
>  load-interval 30
>  spanning-tree portfast trunk
> end
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From frnkblk at iname.com Wed Jan 13 09:48:51 2010
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Wed, 13 Jan 2010 08:48:51 -0600
Subject: [c-nsp] Unicast flooding?
In-Reply-To: <4B4D8FDD.2080708@imperial.ac.uk>
References: <4B4D8FDD.2080708@imperial.ac.uk>
Message-ID:

> -----Original Message-----
> From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
> Sent: Wednesday, January 13, 2010 3:18 AM
> To: frnkblk at iname.com
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Unicast flooding?
>
> > While the event is occurring I have verified the ARP and CAM entry. The CAM
> > entry is associated with one of the first two Ethernet interfaces, not the
> > third. I can clear the ARP and CAM entry from the CLI and they are
> > re-learned with the same information, yet the traffic continues to egress
> > the wrong Ethernet port.
>
> Ugh.

Agreed.

> > I've set the ARP timeout to 4 minutes so that it's less than the CAM table's
> > default configuration of 5 minutes, but there was no improvement. One more
> > observation -- the errant port is the root of the bridge.
> >
> > Any ideas why the 7609 would be sending traffic out an Ethernet port to a
> > device that the CAM table says is on a different Ethernet port?
>
> What module is the traffic coming in via? Which of the modules have
> DFCs?
>
> Have you looked at:
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#dfc
>
> ...specifically the 1st item "Loss of Dynamic MAC Addresses with
> Distributed Switching" which could possibly be related, though that is
> a wild guess.

Thanks for reminding me about this article. When I do a "sh mac-address-table", am I looking at what's on the Supervisor or line card's DFC?

When I turn it on, I get this message:

Mutual_7609(config)#mac-address-table synchronize
% Current activity time is [160] seconds
% Recommended aging time for all vlans is at least three times the activity interval

The aging time of the CAM? By default it's 300 seconds, so working backwards, I would want a "Current activity time" of 100 seconds, but that doesn't appear to be an option. So I've now increased the mac address-table aging time for that VLAN to 480 seconds (3 x 160) and the arp timeout also to 480 seconds.
> How long has this been happening for?

We've had the first two interfaces in production for several months. We just turned up this third interface two or three weeks ago, and started moving customers on there and they started complaining last week, so extrapolating from that I'm pretty confident it's been doing this the whole time.

Frank

From eng_mssk at hotmail.com Wed Jan 13 10:33:13 2010
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 13 Jan 2010 17:33:13 +0200
Subject: [c-nsp] Ethernet Network
In-Reply-To: <001a01ca9423$226f34c0$674d9e40$@info>
References: , <499475.32176.qm@web110115.mail.gq1.yahoo.com>, <001a01ca9423$226f34c0$674d9e40$@info>
Message-ID:

Hi all,

Thanks all for your response. I checked where I can deploy MTU on my network.

On the Cisco ME-C3750-24TE with IOS c3750me-i5-mz.122-35.SE5.bin: it has 4 G interfaces, 2 of them are MPLS enabled. There is no mtu command under the interface mode, but there is:

On the FE port:

switch(config-if)#mpls mtu ?
  <64-1500>  MTU (bytes)
  override   Override mpls mtu maximum of interface mtu

On the GE port:

ar6.HS-AMM-017(config-if)#mpls mtu ?
  <64-1512>  MTU (bytes)
  override   Override mpls mtu maximum of interface mtu

On the global mode:

switch(config)#system mtu ?
  <1500-1998>  MTU size in bytes
  jumbo        Set Jumbo MTU value for GigabitEthernet or TenGigabitEthernet interfaces
  routing      Set the Routing MTU for the system

On the Cisco ME-C6524GT-8S:

switch(config)#system jumbomtu ?
  <1500-9216>  Jumbo mtu size in Bytes, default is 9216

> From: ip at ioshints.info
> To: td_miles at yahoo.com; cisco-nsp at puck.nether.net; DLasher at newedgenetworks.com
> Date: Wed, 13 Jan 2010 08:36:33 +0100
> Subject: Re: [c-nsp] Ethernet Network
>
> The MTU on PA-FE (probably) does not include MAC header and definitely does not include CRC trailer. Otherwise the minimum value of 1500 wouldn't make sense.
>
> > -----Original Message-----
> > From: Tony [mailto:td_miles at yahoo.com]
> > Sent: Wednesday, January 13, 2010 8:10 AM
> > To: cisco-nsp at puck.nether.net; DonnLasher
> > Subject: Re: [c-nsp] Ethernet Network
> >
> > --- On Wed, 13/1/10, Lasher, Donn wrote:
> >
> > > >> SNIP >>
> > > > 1500 bytes max data + 22 max header + 4 CRC trailer + 4
> > > > byte 802.1q tag
> > > > +16 up to 4 labels = 1546?
> > > >
> > > > Why not just enable jumbos and set it as high as
> > > > possible?
> > >
> > > 1546 = largest MTU the 355x/356x switches, PA-FE, etc, will
> > > support, as I recall.
> >
> > PA-FE are limited to 1530. You're correct about 1546 for the switches
> > though.
> >
> > 7204(config)#int fa4/0
> > 7204(config-if)#mtu ?
> >   <1500-1530>  MTU size in bytes
> >
> > __________________________________________________________________________________
> > See what's on at the movies in your area. Find out now:
> > http://au.movies.yahoo.com/session-times/
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_________________________________________________________________
Windows Live: Keep your friends up to date with what you do online.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010

From p.mayers at imperial.ac.uk Wed Jan 13 11:18:34 2010
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 13 Jan 2010 16:18:34 +0000
Subject: [c-nsp] Unicast flooding?
In-Reply-To:
References: <4B4D8FDD.2080708@imperial.ac.uk>
Message-ID: <4B4DF25A.5030008@imperial.ac.uk>

Frank Bulk - iName.com wrote:
>> Have you looked at:
>>
>> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#dfc
>>
>> ...specifically the 1st item "Loss of Dynamic MAC Addresses with
>> Distributed Switching" which could possibly be related, though that is
>> a wild guess.
>
> Thanks for reminding me about this article. When I do a "sh
> mac-address-table", am I looking at what's on the Supervisor or line card's
> DFC?

Well, on a 6500 under SXI, it shows me things like:

Module 1:
* 1740 0000.0c07.ac00 dynamic Yes 160 Po1
* 1740 001e.2a6f.5c37 dynamic Yes 220 Po1
* 1740 0015.c706.8c00 dynamic Yes 170 Po1
Module 2[FE 1]:
* 1740 0000.0c07.ac00 dynamic Yes 0 Po1
* 1740 0015.c706.8c00 dynamic Yes 170 Po1
Module 2[FE 2]:
* 1740 0015.c706.8c00 dynamic Yes 170 Po1

...leading me to believe it's querying all the forwarding engines on all the modules but NOT the PFC on the sup (module 5 in our case) - possibly because we've got DFCs in all slots? As the example shows, the module and even FE tables within a module can differ.
You can get the raw module local tables (and the PFC one) using:

remote command module N sh mac-address-table [dynamic] [vlan N]

If the active sup is in slot 5, these are equivalent:

remote command module 5
remote command switch

...and on the sup I see, using the above example:

Displaying entries from SP:
RM  PI_E RMA Vlan   Destination Address   Address Type  XTag LTL Index
---+----+---+------+---------------------+-------------+----+-------------
No  Yes  No  1740   3333.0000.0016        static        0    0x802
No  Yes  No  1740   3333.0000.0001        static        0    0x802
No  Yes  No  1740   3333.0000.000d        static        0    0x7FF8
No  No   No  1740   0000.0c07.ac00        dynamic       0    0x340
No  Yes  No  1740   0015.c70b.9000        static        1    0x380
No  No   No  1740   001e.2a6f.5c37        dynamic       0    0x340
No  No   No  1740   0015.c706.8c00        dynamic       0    0x340

...which looks like an amalgam of the module MAC tables. We're not running mac sync or anything odd.

You can "remote command [switch|module N]" (or "attach N") and run

sh mac-address-table detail

...but based on the deafening silence in response to a query the other week, no-one knows what those flags mean - maybe you can see a pattern in your problematic entries though (yay I just love reverse engineering the 6500 forwarding architecture - thanks cisco!)

>
> When I turn it on, I get this message:
>
> Mutual_7609(config)#mac-address-table synchronize
> % Current activity time is [160] seconds
> % Recommended aging time for all vlans is at least three times the
> activity interval
>
> The aging time of the CAM? By default it's 300 seconds, so working
> backwards, I would want a "Current activity time" of 100 seconds, but that
> doesn't appear to be an option. So I've now increased the mac address-table
> aging time for that VLAN to 480 seconds (3 x 160) and the arp timeout also
> to 480 seconds.

Interestingly, at some point when I was testing either SXH or SXI, I recall this very time (480 seconds) magically popped into the nvgen without any input from me. I can't remember when, and it seems to not be there now.
I've seen hints that VSS systems use the mac sync / move notify stuff behind the scenes to sync up MAC tables across chassis - of course since you're on a 7600 that should not be relevant.

sh mac- sync stat

...might be illuminating now that you've got it running, but I'm afraid the output baffles me...

From muyal at renater.fr Wed Jan 13 11:05:59 2010
From: muyal at renater.fr (Simon Muyal)
Date: Wed, 13 Jan 2010 17:05:59 +0100
Subject: [c-nsp] IOS, IOS-XR and RANCID
Message-ID: <4B4DEF67.5070008@renater.fr>

Hello all,

We have a network composed of Cisco equipment running IOS and IOS-XR. We run RANCID to manage/backup our configurations. Does anybody have experience with this software with both versions (IOS and IOS-XR)?

We have difficulties integrating both versions simultaneously in the same RANCID process (problem of "user" and "admin" mode execution).

Thanks,
Simon

From frnkblk at iname.com Wed Jan 13 12:07:53 2010
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Wed, 13 Jan 2010 11:07:53 -0600
Subject: [c-nsp] Unicast flooding?
In-Reply-To: <4B4DF25A.5030008@imperial.ac.uk>
References: <4B4D8FDD.2080708@imperial.ac.uk> <4B4DF25A.5030008@imperial.ac.uk>
Message-ID:

Good news is that with the mac-address-table synchronize command things have been stable for 2 hours, a new record. More below.

Frank

> -----Original Message-----
> From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
> Sent: Wednesday, January 13, 2010 10:19 AM
> To: frnkblk at iname.com
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Unicast flooding?
>
> Frank Bulk - iName.com wrote:
> >> Have you looked at:
> >>
> >> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#dfc
> >>
> >> ...specifically the 1st item "Loss of Dynamic MAC Addresses with
> >> Distributed Switching" which could possibly be related, though that is
> >> a wild guess.
> >
> > Thanks for reminding me about this article. When I do a "sh
> > mac-address-table", am I looking at what's on the Supervisor or line card's
> > DFC?
>
> Well, on a 6500 under SXI, it shows me things like:
>
> Module 1:
> * 1740 0000.0c07.ac00 dynamic Yes 160 Po1
> * 1740 001e.2a6f.5c37 dynamic Yes 220 Po1
> * 1740 0015.c706.8c00 dynamic Yes 170 Po1
> Module 2[FE 1]:
> * 1740 0000.0c07.ac00 dynamic Yes 0 Po1
> * 1740 0015.c706.8c00 dynamic Yes 170 Po1
> Module 2[FE 2]:
> * 1740 0015.c706.8c00 dynamic Yes 170 Po1

The output under SRB is a bit different:

Mutual_7609#sh mac-address-table
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
   280  0007.e96b.06fb   dynamic  Yes        295   Gi1/32
   150  0030.d700.1afe   dynamic  Yes        295   Gi3/35
   293  001e.e573.ee2e   dynamic  Yes          5   Gi1/39
   293  0023.69c4.d0a7   dynamic  Yes        295   Gi1/39
   572  0021.29d9.2dbb   dynamic  Yes        295   Gi3/47
   280  001e.e573.edda   dynamic  Yes        295   Gi1/32

> ...leading me to believe it's querying all the forwarding engines on all
> the modules but NOT the PFC on the sup (module 5 in our case) - possibly
> because we've got DFCs in all slots?

Perhaps.

> As the example shows, the module
> and even FE tables within a module can differ.
There are times where I've seen nothing for "sh mac-address-table", but when I specify a port, I do see it listed (notice that it mentions "Line card 3"):

Mutual_7609#sh mac-address-table int gi3/45
Displaying entries from Line card 3:
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+----------------
*   10  0023.69c4.d0da   dynamic  Yes          5   Gi3/45

Etc.

>
> You can get the raw module local tables (and the PFC one) using:
>
> remote command module N sh mac-address-table [dynamic] [vlan N]
>
> If the active sup is in slot 5, these are equivalent:
>
> remote command module 5
> remote command switch
>
> ...and on the sup I see, using the above example:
>
> Displaying entries from SP:
> RM  PI_E RMA Vlan   Destination Address   Address Type  XTag LTL Index
> ---+----+---+------+---------------------+-------------+----+-------------
> No  Yes  No  1740   3333.0000.0016        static        0    0x802
> No  Yes  No  1740   3333.0000.0001        static        0    0x802
> No  Yes  No  1740   3333.0000.000d        static        0    0x7FF8
> No  No   No  1740   0000.0c07.ac00        dynamic       0    0x340
> No  Yes  No  1740   0015.c70b.9000        static        1    0x380
> No  No   No  1740   001e.2a6f.5c37        dynamic       0    0x340
> No  No   No  1740   0015.c706.8c00        dynamic       0    0x340
>
> ...which looks like an amalgam of the module MAC tables. We're not
> running mac sync or anything odd.
>
> You can "remote command [switch|module N]" (or "attach N") and run
>
> sh mac-address-table detail
>
> ...but based on the deafening silence in response to a query the other
> week, no-one knows what those flags mean - maybe you can see a pattern
> in your problematic entries though (yay I just love reverse engineering
> the 6500 forwarding architecture - thanks cisco!)

Those remote commands work for me here, but as you said, who knows what those flags mean.
> >
> > When I turn it on, I get this message:
> >
> > Mutual_7609(config)#mac-address-table synchronize
> > % Current activity time is [160] seconds
> > % Recommended aging time for all vlans is at least three times the
> > activity interval
> >
> > The aging time of the CAM? By default it's 300 seconds, so working
> > backwards, I would want a "Current activity time" of 100 seconds, but that
> > doesn't appear to be an option. So I've now increased the mac address-table
> > aging time for that VLAN to 480 seconds (3 x 160) and the arp timeout also
> > to 480 seconds.
>
> Interestingly, at some point when I was testing either SXH or SXI, I
> recall this very time (480 seconds) magically popped into the nvgen
> without any input from me. I can't remember when, and it seems to not be
> there now. I've seen hints that VSS systems use the mac sync / move
> notify stuff behind the scenes to sync up MAC tables across chassis - of
> course since you're on a 7600 that should not be relevant.
>
> sh mac- sync stat
>
> ...might be illuminating now that you've got it running, but I'm afraid
> the output baffles me...

From ccie19804 at gmail.com Wed Jan 13 12:21:58 2010
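The unicast-flooding thread above comes down to different forwarding engines in one chassis holding different MAC tables: a DFC that has no entry for a destination floods unicast to it, even while the supervisor's table looks fine. The script below is an added example (not code from the thread, from Frank or Phil, or from Cisco) of the check a practitioner would want to script: collect `show mac-address-table` output per module, parse it, and list every (vlan, mac) that is missing from some engine or mapped to different ports by different engines. The sample outputs are constructed after the two formats quoted in the thread (the 6500 "Module N:" listing and the 7609 "Displaying entries from Line card 3:" listing); the column layout the regexes assume is taken from those samples and may need adjusting on other platforms.

```python
"""Cross-check `show mac-address-table` output from several forwarding
engines of one chassis and report the entries on which they disagree.

Constructed example for the unicast-flooding thread; not code from the
thread or from Cisco.  The sample output is modelled on the two formats the
thread quotes (the per-module "Module N:" listing from the 6500 and the
"Displaying entries from Line card 3:" listing from the 7609).  Column
layout is assumed from those samples.
"""
import re
from collections import defaultdict

# An entry line looks like one of these (leading '*' marks the primary entry):
#   * 1740 0000.0c07.ac00 dynamic Yes 160 Po1
#     280 0007.e96b.06fb dynamic Yes 295 Gi1/32
ENTRY_RE = re.compile(
    r"^\s*\*?\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<learn>\S+)\s+(?P<age>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)
# Headings that say which forwarding engine the following entries belong to.
SECTION_RE = re.compile(
    r"^\s*(?:(Module \d+(?:\[FE \d+\])?)|Displaying entries from (.+?)):\s*$"
)


def parse_mac_tables(text, default_source="unlabelled"):
    """Return {source: {(vlan, mac): port}} for every entry line in `text`.

    `source` is the most recent "Module N[FE M]:" or "Displaying entries
    from X:" heading; `default_source` is used when there is none.  Legend,
    column-header and separator lines never match ENTRY_RE and are skipped.
    """
    tables = defaultdict(dict)
    source = default_source
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            source = m.group(1) or m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            key = (int(m.group("vlan")), m.group("mac").lower())
            tables[source][key] = m.group("port")
    return dict(tables)


def find_inconsistencies(tables):
    """List (vlan, mac, {source: port or None}) for every address that is
    absent from at least one table or mapped to different ports by
    different engines.  An engine with no entry for a MAC floods unicast
    to it, so "absent" counts as a disagreement.
    """
    keys = set()
    for table in tables.values():
        keys.update(table)
    problems = []
    for vlan, mac in sorted(keys):
        view = {src: table.get((vlan, mac)) for src, table in tables.items()}
        if len(set(view.values())) > 1:
            problems.append((vlan, mac, view))
    return problems


def report(tables):
    """Human-readable one-liners, one per inconsistent entry."""
    lines = []
    for vlan, mac, view in find_inconsistencies(tables):
        detail = ", ".join(
            f"{src}={port or 'MISSING'}" for src, port in sorted(view.items())
        )
        lines.append(f"vlan {vlan} {mac}: {detail}")
    return lines


# Constructed sample in the 6500 per-module format quoted in the thread.
SAMPLE_PER_MODULE = """\
Module 1:
* 1740 0000.0c07.ac00 dynamic Yes 160 Po1
* 1740 001e.2a6f.5c37 dynamic Yes 220 Po1
* 1740 0015.c706.8c00 dynamic Yes 170 Po1
Module 2[FE 1]:
* 1740 0000.0c07.ac00 dynamic Yes 0 Po1
* 1740 0015.c706.8c00 dynamic Yes 170 Po1
Module 2[FE 2]:
* 1740 0015.c706.8c00 dynamic Yes 170 Po1
"""

# Constructed sample in the 7609 per-line-card format quoted in the thread.
SAMPLE_LINE_CARD = """\
Displaying entries from Line card 3:
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+----------------
*   10  0023.69c4.d0da   dynamic  Yes          5   Gi3/45
"""

if __name__ == "__main__":
    for line in report(parse_mac_tables(SAMPLE_PER_MODULE)):
        print(line)
    print(parse_mac_tables(SAMPLE_LINE_CARD))
```

In practice the per-engine tables come from `remote command module N sh mac-address-table` as Phil describes; concatenate each module's output under its own "Module N:" heading (or feed each capture to `parse_mac_tables` with `default_source` set to the module name) and merge the dictionaries before calling `report`. Entries flagged MISSING on the ingress module are the ones that will be flooded, which is the symptom to correlate with the Wireshark captures.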
From: ccie19804 at gmail.com (swap m)
Date: Wed, 13 Jan 2010 22:51:58 +0530
Subject: [c-nsp] MPLS TE and PIM
In-Reply-To:
References:
Message-ID:

ask yourself this way -

1. are TE tunnels bi-directional? answer is no
2. can a TE tunnel receive traffic? again the answer is no. A TE tunnel is for sending traffic, not for receiving.

PIM neighborship hence is established on physical interface, not on the TE interface coz you need bidirectional flow between the neighbors.

RPF failures may happen when you receive multicast traffic via physical interface while the routing table has a route via TE interface. Either "mpls traffic-eng multicast-intact" or static mroutes can be used to solve these RPF issues. Forwarding adj doesn't work with multicast-intact feature.

HTH
Swap
#19804

On Tue, Jan 12, 2010 at 11:38 PM, Ibrahim Abo Zaid <ibrahim.abozaid at gmail.com> wrote:

> Hi
>
> I have a question about PIM, can PIM messages flow across MPLS TE Tunnel?
> Why can't PIM neighborship be established over the tunnel?
>
>
> thanks
> --Ibrahim
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From sven at darkman.de Wed Jan 13 14:41:03 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Wed, 13 Jan 2010 20:41:03 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com>
Message-ID: <4B4E21CF.10803@darkman.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Pavel,

first of all, thanks for your fast response!

Pavel Skovajsa schrieb:
> If I understood you correctly you can get around these limitations by
> using the PVLAN feature on the end-user ports only and not on the
> internal switch-to-switch links. On those links you can use normal
> "trunk" ports and spread the PVLAN to your 6509 and terminate it on L3
> VLAN int.

Ah, okay, I thought I needed the private-vlan trunk mode, and when I enabled it, it just "crashed" my port channel (as in removed the port from it, which was not what I wanted..).

> On your distribution (6509) you configure:
>
> interface Vlan10
>  ip sticky-arp ignore <--- this is important as PVLAN VLAN interface
> gets sticky arp by default (for some unknown reason)
>  no ip proxy-arp
>  private-vlan mapping 100
>
> and normal trunk port towards the switch fabric:
> interface GigabitEthernet6/1
>  switchport mode trunk

Ah okay, then I'll try that one, I just limited the vlans a bit, of course ;)

> Yes this is probably suboptimal to what you would like to accomplish
> however the end effect is that the end-user ports cannot communicate
> with each other - which is probably what you want.

Why is that suboptimal? From what you described and what I understood, it works like I want: having an etherchannel to my core and protected ports on my edge. If the SVI is reachable from my edge, and other hosts are not, then I have what I want. But maybe I missed something...?
> Another alternative is the "private-vlan trunk" feature which is
> described over here
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1166138
> - the trouble is that AFAIK currently it works only on C4500.

That was what I thought I needed, it's available on the 3560 but it killed the etherchannel... and pvlan documentation says "you cannot enable pvlans on an etherchannel", which is "right" as if you enable any of the pvlan commands on an etherchannel port, it gets removed from the etherchannel... but it seems that normal trunks just work for that - great ;)

So, from what I know now, it should work like I want... just need to test if it works with more than one switch etc. but at the moment I think it will do so far.

Thanks again for your help :)

Regards,
Sven
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAktOIc8ACgkQQoCguWUBzBz48ACgjX54FYRh9fpzRmobTElDvXvv
8S8An1fyaboYKoWPuZErysZ6c9OH5Kyi
=O52n
-----END PGP SIGNATURE-----

From nullzero.route at gmail.com Wed Jan 13 15:19:44 2010
From: nullzero.route at gmail.com (null zeroroute)
Date: Wed, 13 Jan 2010 15:19:44 -0500
Subject: [c-nsp] BGP to OSPF redistribution
Message-ID:

I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.

No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred.

The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons.

WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup.

The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550.

We considered GRE over the provider's network however we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path.

Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?

I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated.

From cordmacleod at gmail.com Wed Jan 13 15:31:41 2010
From: cordmacleod at gmail.com (Cord MacLeod)
Date: Wed, 13 Jan 2010 12:31:41 -0800
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To:
References:
Message-ID: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com>

On Jan 13, 2010, at 12:19 PM, null zeroroute wrote:

> I'm having a problem trying to figure out a way to get eBGP learned routes
> (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the
> routes learned via the provider are preferred over the internally learned
> OSPF routes.

> Is there a way to redistribute BGP into OSPF so that the routes can be
> anything but OSPF external?

I think you are looking for redistribution. Make sure you have plenty of filters in the way of this, but that's what you are looking for.

router ospf xxx
 redistribute bgp xxxx route-map blah

From saxon.jones at gmail.com Wed Jan 13 15:34:29 2010
From: saxon.jones at gmail.com (Saxon Jones)
Date: Wed, 13 Jan 2010 13:34:29 -0700
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To:
References:
Message-ID: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com>

If I understand your question properly, why not just change the administrative distance of the eBGP routes to something less than 110.

______________________________
Saxon Jones
Email: saxon.jones at gmail.com

2010/1/13 null zeroroute

> I'm having a problem trying to figure out a way to get eBGP learned routes
> (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the
> routes learned via the provider are preferred over the internally learned
> OSPF routes.
>
> No matter where the BGP-->OSPF redistribution point is, if it's the PE or
> CE, the routes will still show up (by default) as OSPF external, and will
> never be preferred.
>
> The provider whose path we prefer will only run BGP. We would like to use
> OSPF everywhere if possible, for several reasons.
>
> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path.
> WAN provider B is a layer-2 VPN MPLS network over which we run OSPF.
> Provider B's network is inferior at times and we use it as a backup.
>
> The equipment where the eBGP peering relationships exist is a mix of 7600,
> 3800, 2800, 1800, 6500, 3750, 3550.
>
> We considered GRE over the provider's network however we then wind up with
> 25+ tunnels at each location, and that just grows as each new site is added,
> not to mention some potential issues regarding throughput with a GRE tunnel
> in the path.
>
> Is there a way to redistribute BGP into OSPF so that the routes can be
> anything but OSPF external?
>
> I have not found a way to do this yet, and was wondering if it's even
> possible, or if I'm missing something obvious. Any suggestions
> appreciated.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From nullzero.route at gmail.com Wed Jan 13 15:36:57 2010
From: nullzero.route at gmail.com (null zeroroute)
Date: Wed, 13 Jan 2010 15:36:57 -0500
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com>
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com>
Message-ID:

I understand redistribution. The problem is that when routes pass through a BGP AS and then get redistributed into OSPF, they show up as OSPF external. I'm looking for a way to make those internal, or preferred, over the OSPF routes learned via the rest of the network.

On Wed, Jan 13, 2010 at 3:31 PM, Cord MacLeod wrote:

>
> On Jan 13, 2010, at 12:19 PM, null zeroroute wrote:
>
> > I'm having a problem trying to figure out a way to get eBGP learned routes
> > (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the
> > routes learned via the provider are preferred over the internally learned
> > OSPF routes.
>
> > Is there a way to redistribute BGP into OSPF so that the routes can be
> > anything but OSPF external?
>
> I think you are looking for redistribution. Make sure you have plenty of
> filters in the way of this, but that's what you are looking for.
>
> router ospf xxx
>  redistribute bgp xxxx route-map blah

From asturluismi at gmail.com Wed Jan 13 15:37:12 2010
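The BGP-to-OSPF thread above turns on two IOS selection rules: a router picks between protocols by administrative distance first (eBGP 20 beats OSPF 110 on the box that runs BGP), and inside OSPF a route's type (intra-area, inter-area, E1, E2) is compared before its metric, so a redistributed external route loses to any internal OSPF route on every router that does not itself hold the BGP route. The script below is an added example (not code from the thread or from any of its posters) that models that selection on two routers so the behaviour the original poster describes can be reproduced without a lab: the CE that peers with provider A, and an interior router that only hears OSPF. Router names, the prefix and the metrics are constructed; the `ad` override plays the role of an IOS `distance` command, the lever Saxon's reply points at.

```python
"""Model of IOS route selection for one prefix offered by eBGP and by OSPF,
showing why a BGP route redistributed into OSPF as an external route keeps
losing to internally learned OSPF routes on every router except the one
that runs BGP.

Added example for the BGP-to-OSPF thread; not code from the thread.  The
ordering it encodes is the IOS behaviour the thread discusses: administrative
distance first (eBGP 20, OSPF 110 by default), then inside OSPF the route
type (intra-area, inter-area, E1, E2) before the metric.  Router names,
the prefix and the metrics are constructed.
"""
from dataclasses import dataclass

# Default IOS administrative distances for the two protocols in the thread.
DEFAULT_AD = {"ebgp": 20, "ospf": 110}

# OSPF prefers route types in this order regardless of metric.
OSPF_TYPE_RANK = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str        # "ebgp" or "ospf"
    metric: int
    ospf_type: str = ""  # only meaningful when protocol == "ospf"
    via: str = ""        # label of the path, for display only


def select(routes, ad=None):
    """Return the one route IOS would install for a prefix.

    `ad` overrides administrative distances per protocol, which is what the
    IOS `distance` command does on a real router.
    """
    distances = {**DEFAULT_AD, **(ad or {})}

    def key(r):
        type_rank = OSPF_TYPE_RANK.get(r.ospf_type, 0) if r.protocol == "ospf" else 0
        return (distances[r.protocol], type_rank, r.metric)

    return min(routes, key=key)


def scenario():
    """Constructed two-router scenario from the thread.

    The CE hears the remote site by eBGP from provider A and as an OSPF
    inter-area route over provider B.  It redistributes BGP into OSPF, so an
    interior router hears the provider A path only as OSPF E2 (the IOS
    default for `redistribute`) next to the provider B inter-area route.
    """
    prefix = "10.50.0.0/16"  # constructed remote-site prefix
    ce_routes = [
        Route(prefix, "ebgp", metric=0, via="provider A (L3VPN)"),
        Route(prefix, "ospf", metric=30, ospf_type="inter", via="provider B (L2VPN)"),
    ]
    interior_routes = [
        Route(prefix, "ospf", metric=20, ospf_type="E2",
              via="CE, redistributed from BGP"),
        Route(prefix, "ospf", metric=300, ospf_type="inter", via="provider B (L2VPN)"),
    ]
    return {
        # eBGP's lower distance wins on the CE itself.
        "ce_default": select(ce_routes).via,
        # The interior router never sees BGP; E2 loses to inter-area even
        # with a far better metric, which is the poster's complaint.
        "interior_default": select(interior_routes).via,
        # Raising eBGP's distance above OSPF flips the CE; the interior
        # router's choice is unaffected because it holds no BGP route.
        "ce_ebgp_ad_130": select(ce_routes, ad={"ebgp": 130}).via,
        "interior_ebgp_ad_130": select(interior_routes, ad={"ebgp": 130}).via,
    }


if __name__ == "__main__":
    for router, chosen in scenario().items():
        print(f"{router}: {chosen}")
```

The interior-router result is the crux: changing distances on the CE, or lowering the E2 metric, does not help a router that compares two OSPF routes by type first. Anything that would let the provider A path win there has to change the type of the route the interior router receives, not its distance or metric.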
From: asturluismi at gmail.com (luismi)
Date: Wed, 13 Jan 2010 21:37:12 +0100
Subject: [c-nsp] IP/VC 3526 serial port is not showing anything
References: <1263313237.30768.2.camel@hal9000>
Message-ID: <1263415032.31592.1.camel@hal9000>

Yes, as well, different connectors. We were able to enter over IP but we didn't see any configuration related with the serial port console :-P

On Tue, 12-01-2010 at 13:11 -0600, Jason Shearer wrote:

> Have you tried different baud rates? I have found some 35xx MCUs come from the factory set at 115200.
>
> Jason
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Tuesday, January 12, 2010 10:21 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IP/VC 3526 serial port is not showing anything
>
> Hi all,
>
> We took a Cisco IP/VC 3526 from one of our racks. We tried to access it over the serial port with 9600 8N1 -as the documentation says- and it didn't work. We also have an alarm in the front but we were not able to find the relation with it in the documentation.
>
> As far as we read the product is EoL/EoS but it will have support until 2011 or 2012, so what is the natural alternative to replace it?
>
> Any comment is welcome; it doesn't necessarily have to be Cisco.

From nullzero.route at gmail.com Wed Jan 13 15:39:00 2010
From: nullzero.route at gmail.com (null zeroroute)
Date: Wed, 13 Jan 2010 15:39:00 -0500
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com>
References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com>

That's what we currently do; however, the problem is that we have other routers and firewalls in our network which are only running OSPF, and they need to know about the routes which pass through the eBGP network. Since those routes would become OSPF external, they would only be used if the internal routes went away.

On Wed, Jan 13, 2010 at 3:34 PM, Saxon Jones wrote:

> If I understand your question properly, why not just change the administrative distance of the eBGP routes to something less than 110.
> ______________________________
> Saxon Jones
> Email: saxon.jones at gmail.com
>
> 2010/1/13 null zeroroute
>
>> I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.
>>
>> No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred.
>>
>> The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons.
>>
>> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup.
>>
>> The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550.
>>
>> We considered GRE over the provider's network; however, we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path.
>>
>> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?
>>
>> I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated.

From saxon.jones at gmail.com Wed Jan 13 15:39:08 2010
From: saxon.jones at gmail.com (Saxon Jones)
Date: Wed, 13 Jan 2010 13:39:08 -0700
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com>
References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com>
Message-ID: <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com>

Actually I re-read your problem. Sham links may be a solution to look at, if you control the right pieces of equipment. You can also mess with the AD of OSPF external routes versus OSPF internal routes, but this is probably a Bad Idea(TM) (and my testing of this a few years ago showed it didn't have the desired result).

______________________________
Saxon Jones
Email: saxon.jones at gmail.com
Telephone: (780) 669-0899
Toll-free: (866) 701-8022
United Kingdom: 0(1315)168664

2010/1/13 Saxon Jones

> If I understand your question properly, why not just change the administrative distance of the eBGP routes to something less than 110.
> ______________________________
> Saxon Jones
> Email: saxon.jones at gmail.com
>
> 2010/1/13 null zeroroute
>
>> I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.
>>
>> No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred.
>>
>> The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons.
>>
>> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup.
>>
>> The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550.
>>
>> We considered GRE over the provider's network; however, we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path.
>>
>> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?
>>
>> I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated.

From swmike at swm.pp.se Wed Jan 13 15:50:02 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 13 Jan 2010 21:50:02 +0100 (CET)
Subject: [c-nsp] BGP to OSPF redistribution

On Wed, 13 Jan 2010, null zeroroute wrote:

> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?

Change in what order routing protocols are selected (administrative distance):

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml

--
Mikael Abrahamsson email: swmike at swm.pp.se

From nullzero.route at gmail.com Wed Jan 13 16:03:29 2010
From: nullzero.route at gmail.com (null zeroroute)
Date: Wed, 13 Jan 2010 16:03:29 -0500
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com>
References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com>

We only manage the CE devices, not the PEs. I just reviewed the sham-link documentation, and my understanding is that the provider needs to configure sham links between each PE over their backbone. I don't think they'll support this. I'm rather certain that they will only support BGP or standard redistribution.

On Wed, Jan 13, 2010 at 3:39 PM, Saxon Jones wrote:

> Actually I re-read your problem. Sham links may be a solution to look at, if you control the right pieces of equipment. You can also mess with the AD of OSPF external routes versus OSPF internal routes, but this is probably a Bad Idea(TM) (and my testing of this a few years ago showed it didn't have the desired result).
>
> ______________________________
> Saxon Jones
> Email: saxon.jones at gmail.com
> Telephone: (780) 669-0899
> Toll-free: (866) 701-8022
> United Kingdom: 0(1315)168664
>
> 2010/1/13 Saxon Jones
>
>> If I understand your question properly, why not just change the administrative distance of the eBGP routes to something less than 110.
>> ______________________________
>> Saxon Jones
>> Email: saxon.jones at gmail.com
>>
>> 2010/1/13 null zeroroute
>>
>>> I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.
>>>
>>> No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred.
>>>
>>> The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons.
>>>
>>> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup.
>>>
>>> The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550.
>>>
>>> We considered GRE over the provider's network; however, we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path.
>>>
>>> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?
>>>
>>> I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated.

From ccie19804 at gmail.com Wed Jan 13 16:03:48 2010
From: ccie19804 at gmail.com (swap m)
Date: Thu, 14 Jan 2010 02:33:48 +0530
Subject: [c-nsp] BGP to OSPF redistribution
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com>

You need to use OSPF sham links. That'll make the other CE's routes route as internal on your local CE crossing the MP-BGP backbone.

Swap #19804

On Thu, Jan 14, 2010 at 2:06 AM, null zeroroute wrote:

> I understand redistribution. The problem is that when routes pass through a BGP AS and then get redistributed into OSPF, they show up as OSPF external. I'm looking for a way to make those internal, or preferred, over the OSPF routes learned via the rest of the network.
>
> On Wed, Jan 13, 2010 at 3:31 PM, Cord MacLeod wrote:
>
>> On Jan 13, 2010, at 12:19 PM, null zeroroute wrote:
>>
>>> I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.
>>>
>>> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?
>>
>> I think you are looking for redistribution. Make sure you have plenty of filters in the way of this, but that's what you are looking for.
>>
>> router ospf xxx
>>  redistribute bgp xxxx route-map blah

From ATolstykh at integrysgroup.com Wed Jan 13 15:40:08 2010
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Wed, 13 Jan 2010 14:40:08 -0600
Subject: [c-nsp] BGP to OSPF redistribution
Message-ID: <3F3802329EC1534FBCEAB6DDC0BD807C01E675ED@DOB-BXVS3.integrysgroup.net>

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ospfshmk.html

Using a Sham-Link to Correct OSPF Backdoor Routing

Although OSPF PE-CE connections assume that the only path between two client sites is across the MPLS VPN backbone, backdoor paths between VPN sites (shown in grey in Figure 2) may exist. If these sites belong to the same OSPF area, the path over a backdoor link will always be selected because OSPF prefers intra-area paths to inter-area paths. (PE routers advertise OSPF routes learned over the VPN backbone as inter-area paths.) For this reason, OSPF backdoor links between VPN sites must be taken into account so that routing is performed based on policy.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of null zeroroute
Sent: Wednesday, January 13, 2010 2:20 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP to OSPF redistribution

I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.

No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred.

The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons.

WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup.

The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550.

We considered GRE over the provider's network; however, we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path.

Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?

I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated.

From buz.dale at usg.edu Wed Jan 13 16:19:38 2010
From: buz.dale at usg.edu (Harold 'Buz' Dale)
Date: Wed, 13 Jan 2010 16:19:38 -0500
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com>
References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com>

Can you stop learning routes from 'provider b' and add it back as a default? Then everything should go to the more specific route, and if 'provider a' goes down things will then go through 'provider b'?

Luck,
Buz

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saxon Jones
Sent: Wednesday, January 13, 2010 3:39 PM
To: null zeroroute
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP to OSPF redistribution

Actually I re-read your problem. Sham links may be a solution to look at, if you control the right pieces of equipment. You can also mess with the AD of OSPF external routes versus OSPF internal routes, but this is probably a Bad Idea(TM) (and my testing of this a few years ago showed it didn't have the desired result).

______________________________
Saxon Jones
Email: saxon.jones at gmail.com
Telephone: (780) 669-0899
Toll-free: (866) 701-8022
United Kingdom: 0(1315)168664

2010/1/13 Saxon Jones

> If I understand your question properly, why not just change the administrative distance of the eBGP routes to something less than 110.
> ______________________________
> Saxon Jones
> Email: saxon.jones at gmail.com
>
> 2010/1/13 null zeroroute
>
>> I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.
>>
>> No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred.
>>
>> The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons.
>>
>> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup.
>>
>> The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550.
>>
>> We considered GRE over the provider's network; however, we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path.
>>
>> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?
>>
>> I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated.

From ras at e-gerbil.net Wed Jan 13 16:20:44 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 13 Jan 2010 15:20:44 -0600
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com>
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com>
Message-ID: <20100113212044.GI75640@gerbil.cluepon.net>

On Wed, Jan 13, 2010 at 12:31:41PM -0800, Cord MacLeod wrote:

> I think you are looking for redistribution. Make sure you have plenty of filters in the way of this, but that's what you are looking for.
>
> router ospf xxx
>  redistribute bgp xxxx route-map blah

Don't forget to double check your out of band and remote reboot power strips for the day someone types "no redistribute bgp xxxx route-map blah" thinking it will remove the entire line instead of just the route-map, 'cause that router will be going down in flames. :)

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From nullzero.route at gmail.com Wed Jan 13 16:21:07 2010
From: nullzero.route at gmail.com (null zeroroute)
Date: Wed, 13 Jan 2010 16:21:07 -0500
Subject: [c-nsp] BGP to OSPF redistribution
References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com>

We need provider A to carry the default. Provider B is actually a layer-2 VPN MPLS provider, so the OSPF neighbors are our own routers.

On Wed, Jan 13, 2010 at 4:19 PM, Harold 'Buz' Dale wrote:

> Can you stop learning routes from 'provider b' and add it back as a default? Then everything should go to the more specific route, and if 'provider a' goes down things will then go through 'provider b'?
>
> Luck,
> Buz
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saxon Jones
> Sent: Wednesday, January 13, 2010 3:39 PM
> To: null zeroroute
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP to OSPF redistribution
>
> Actually I re-read your problem. Sham links may be a solution to look at, if you control the right pieces of equipment. You can also mess with the AD of OSPF external routes versus OSPF internal routes, but this is probably a Bad Idea(TM) (and my testing of this a few years ago showed it didn't have the desired result).
>
> ______________________________
> Saxon Jones
> Email: saxon.jones at gmail.com
> Telephone: (780) 669-0899
> Toll-free: (866) 701-8022
> United Kingdom: 0(1315)168664
>
> 2010/1/13 Saxon Jones
>
>> If I understand your question properly, why not just change the administrative distance of the eBGP routes to something less than 110.
>> ______________________________
>> Saxon Jones
>> Email: saxon.jones at gmail.com
>>
>> 2010/1/13 null zeroroute
>>
>>> I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.
>>>
>>> No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred.
>>>
>>> The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons.
>>>
>>> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup.
>>>
>>> The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550.
>>>
>>> We considered GRE over the provider's network; however, we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path.
>>>
>>> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?
>>>
>>> I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated.

From nullzero.route at gmail.com Wed Jan 13 16:25:04 2010
From: nullzero.route at gmail.com (null zeroroute)
Date: Wed, 13 Jan 2010 16:25:04 -0500
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <20100113212044.GI75640@gerbil.cluepon.net>
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> <20100113212044.GI75640@gerbil.cluepon.net>

Very good suggestion; however, the provider is not sending the internet routing table, only our own internal network's routes. Or are you suggesting some providers make mistakes and send full internet tables to a private VRF customer?

We already had our layer-2 VPN MPLS provider join our network with someone else's, and we learned the hard way why you should never ever ever connect a layer-2 switch to that provider, especially one that doesn't support turning off VTP on an interface. Oh yeah, and using VTP passwords doesn't hurt either :)

On Wed, Jan 13, 2010 at 4:20 PM, Richard A Steenbergen wrote:

> On Wed, Jan 13, 2010 at 12:31:41PM -0800, Cord MacLeod wrote:
>
>> I think you are looking for redistribution. Make sure you have plenty of filters in the way of this, but that's what you are looking for.
>>
>> router ospf xxx
>>  redistribute bgp xxxx route-map blah
>
> Don't forget to double check your out of band and remote reboot power strips for the day someone types "no redistribute bgp xxxx route-map blah" thinking it will remove the entire line instead of just the route-map, 'cause that router will be going down in flames. :)
>
> --
> Richard A Steenbergen http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From schilling2006 at gmail.com Wed Jan 13 16:40:29 2010
From: schilling2006 at gmail.com (schilling)
Date: Wed, 13 Jan 2010 16:40:29 -0500
Subject: [c-nsp] BGP to OSPF redistribution
References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com>

I don't think a sham link will work in this case either. You are running eBGP with provider A? You are only concerned about your iBGP routes from other sites, right? Changing the iBGP administrative distance to be lower than 110 might work for you.

Schilling

On Wed, Jan 13, 2010 at 4:03 PM, null zeroroute wrote:

> We only manage the CE devices, not the PEs. I just reviewed the sham-link documentation, and my understanding is that the provider needs to configure sham links between each PE over their backbone. I don't think they'll support this. I'm rather certain that they will only support BGP or standard redistribution.
>
> On Wed, Jan 13, 2010 at 3:39 PM, Saxon Jones wrote:
>
>> Actually I re-read your problem. Sham links may be a solution to look at, if you control the right pieces of equipment. You can also mess with the AD of OSPF external routes versus OSPF internal routes, but this is probably a Bad Idea(TM) (and my testing of this a few years ago showed it didn't have the desired result).
>>
>> ______________________________
>> Saxon Jones
>> Email: saxon.jones at gmail.com
>> Telephone: (780) 669-0899
>> Toll-free: (866) 701-8022
>> United Kingdom: 0(1315)168664
>>
>> 2010/1/13 Saxon Jones
>>
>>> If I understand your question properly, why not just change the administrative distance of the eBGP routes to something less than 110.
>>> ______________________________
>>> Saxon Jones
>>> Email: saxon.jones at gmail.com
>>>
>>> 2010/1/13 null zeroroute
>>>
>>>> I'm having a problem trying to figure out a way to get eBGP learned routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF, so that the routes learned via the provider are preferred over the internally learned OSPF routes.
>>>>
>>>> No matter where the BGP-->OSPF redistribution point is, if it's the PE or CE, the routes will still show up (by default) as OSPF external, and will never be preferred.
>>>>
>>>> The provider whose path we prefer will only run BGP. We would like to use OSPF everywhere if possible, for several reasons.
>>>>
>>>> WAN provider A is a layer-3 VPN MPLS network, and is the preferred path. WAN provider B is a layer-2 VPN MPLS network over which we run OSPF. Provider B's network is inferior at times and we use it as a backup.
>>>>
>>>> The equipment where the eBGP peering relationships exist is a mix of 7600, 3800, 2800, 1800, 6500, 3750, 3550.
>>>>
>>>> We considered GRE over the provider's network; however, we then wind up with 25+ tunnels at each location, and that just grows as each new site is added, not to mention some potential issues regarding throughput with a GRE tunnel in the path.
>>>>
>>>> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?
>>>>
>>>> I have not found a way to do this yet, and was wondering if it's even possible, or if I'm missing something obvious. Any suggestions appreciated.

From v.jones at networkingunlimited.com Wed Jan 13 16:43:56 2010
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Wed, 13 Jan 2010 16:43:56 -0500
Subject: [c-nsp] BGP to OSPF redistribution
Message-ID: <1263419036.11618.143.camel@X61.NetworkingUnlimited.nul>

On Wed, 2010-01-13 at 21:50 +0100, Mikael Abrahamsson wrote:

> On Wed, 13 Jan 2010, null zeroroute wrote:
>
>> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?
>
> Change in what order routing protocols are selected (administrative distance):
>
> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml

Have you considered converting your current WAN OSPF links to BGP so you can use standard BGP route preference controls to select the best route?

If that is not possible, another approach (albeit painful) is to use route summarization/fragmentation so that the BGP routes are longer prefixes than the remote OSPF routes.

Good luck and have fun!

--
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com

From nullzero.route at gmail.com Wed Jan 13 16:52:02 2010
From: nullzero.route at gmail.com (null zeroroute)
Date: Wed, 13 Jan 2010 16:52:02 -0500
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: <1263419036.11618.143.camel@X61.NetworkingUnlimited.nul>
References: <1263419036.11618.143.camel@X61.NetworkingUnlimited.nul>

Thanks for your suggestion. We want to use OSPF because it will scale more easily in our network. For example, if we ran BGP over the layer-2 provider's network, we would need (today) 25 neighbors at every site; every time a new site is added, new neighbors need to be created everywhere, etc., to keep the one-hop-away design. Route reflectors got too complicated. It's also very helpful to have firewalls running OSPF when there are multiple egress points to extranet partner locations or the internet, etc.

On Wed, Jan 13, 2010 at 4:43 PM, Vincent C Jones <v.jones at networkingunlimited.com> wrote:

> On Wed, 2010-01-13 at 21:50 +0100, Mikael Abrahamsson wrote:
>
>> On Wed, 13 Jan 2010, null zeroroute wrote:
>>
>>> Is there a way to redistribute BGP into OSPF so that the routes can be anything but OSPF external?
>>
>> Change in what order routing protocols are selected (administrative distance):
>>
>> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml
>
> Have you considered converting your current WAN OSPF links to BGP so you can use standard BGP route preference controls to select the best route?
>
> If that is not possible, another approach (albeit painful) is to use route summarization/fragmentation so that the BGP routes are longer prefixes than the remote OSPF routes.
>
> Good luck and have fun!
> --
> Vincent C. Jones
> Networking Unlimited, Inc.
> Phone: +1 201 568-7810
> V.Jones at NetworkingUnlimited.com

From nullzero.route at gmail.com Wed Jan 13 17:03:34 2010
From: nullzero.route at gmail.com (null zeroroute)
Date: Wed, 13 Jan 2010 17:03:34 -0500
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: <1263419036.11618.143.camel@X61.NetworkingUnlimited.nul>
Message-ID: 

So far I like the idea of modifying the AD for OSPF external routes under
the OSPF config, or under the OSPF config modifying the AD for routes
learned only from the CE BGP->OSPF redistribution point router, with an ACL
matching specific (or all) routes. That would probably give us quite a bit
of control. I recall having mixed experiences with a similar config related
to BGP->EIGRP redistribution though; I'll definitely need to lab it up
because it seems the metrics are calculated a bit differently based on what
type of OSPF route it becomes. I need to brush up on my OSPF.

For example, at the bgp->ospf redist border router...

router ospf 1
 redistribute bgp blah
 distance ospf external 19

Or...

access-list 100 permit 
router ospf 1
 redistribute bgp blah
 distance 19 0.0.0.0 100

Thanks to all for your suggestions!

From jshearer at amedisys.com Wed Jan 13 17:20:35 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Wed, 13 Jan 2010 16:20:35 -0600
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: <86b512c31001131234s1746327aq15c23948d592cdd7@mail.gmail.com> <86b512c31001131239g2a1d28depb66f8898790929e3@mail.gmail.com>
Message-ID: 

How about running a separate OSPF AS over the WAN and distributing it and
your BGP into a "core" OSPF AS. You could metric the "WAN" OSPF AS in with
different values/tags.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of null zeroroute
Sent: Wednesday, January 13, 2010 3:21 PM
To: Harold 'Buz' Dale
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP to OSPF redistribution

We need provider A to carry the default. Provider B is actually a layer-2
VPN MPLS provider, so the OSPF neighbors are our own routers.

On Wed, Jan 13, 2010 at 4:19 PM, Harold 'Buz' Dale wrote:
> Can you stop learning routes from 'provider b' and add it back as a
> default? Then everything should go to the more specific route and if
> 'provider a' goes down things will then go through 'provider b'?
>
> Luck,
> Buz
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saxon Jones
> Sent: Wednesday, January 13, 2010 3:39 PM
> To: null zeroroute
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP to OSPF redistribution
>
> Actually I re-read your problem. Sham links may be a solution to look at,
> if you control the right pieces of equipment. You can also mess with the
> AD of OSPF external routes versus OSPF internal routes but this is
> probably a Bad Idea(TM) (and my testing of this a few years ago showed it
> didn't have the desired result).
>
> ______________________________
> Saxon Jones
>
> Email: saxon.jones at gmail.com
> Telephone: (780) 669-0899
> Toll-free: (866) 701-8022
> United Kingdom: 0(1315)168664
>
>
> 2010/1/13 Saxon Jones
>
> > If I understand your question properly, why not just change the
> > administrative distance of the eBGP routes to something less than 110.
> > ______________________________
> > Saxon Jones
> >
> > Email: saxon.jones at gmail.com
> >
> >
> > 2010/1/13 null zeroroute
> >
> >> I'm having a problem trying to figure out a way to get eBGP learned
> >> routes (from a layer-3 VPN MPLS WAN provider) into our internal OSPF,
> >> so that the routes learned via the provider are preferred over the
> >> internally learned OSPF routes.
> >>
> >> No matter where the BGP-->OSPF redistribution point is, if it's the PE
> >> or CE, the routes will still show up (by default) as OSPF external,
> >> and will never be preferred.
> >>
> >> The provider whose path we prefer will only run BGP. We would like to
> >> use OSPF everywhere if possible, for several reasons.
> >>
> >> WAN provider A is a layer-3 VPN MPLS network, and is the preferred
> >> path. WAN provider B is a layer-2 VPN MPLS network over which we run
> >> OSPF. Provider B's network is inferior at times and we use it as a
> >> backup.
> >>
> >> The equipment where the eBGP peering relationships exist is a mix of
> >> 7600, 3800, 2800, 1800, 6500, 3750, 3550.
> >>
> >> We considered GRE over the provider's network, however we then wind up
> >> with 25+ tunnels at each location, and that just grows as each new
> >> site is added, not to mention some potential issues regarding
> >> throughput with a GRE tunnel in the path.
> >>
> >> Is there a way to redistribute BGP into OSPF so that the routes can be
> >> anything but OSPF external?
> >>
> >> I have not found a way to do this yet, and was wondering if it's even
> >> possible, or if I'm missing something obvious. Any suggestions
> >> appreciated.
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

*** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error.
***

From thegameiam at yahoo.com Wed Jan 13 17:32:15 2010
From: thegameiam at yahoo.com (David Barak)
Date: Wed, 13 Jan 2010 14:32:15 -0800 (PST)
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> <20100113212044.GI75640@gerbil.cluepon.net>
Message-ID: <180124.98877.qm@web31802.mail.mud.yahoo.com>

----- Original Message ----
From: null zeroroute nullzero.route at gmail.com

> Very good suggestion, however the provider is not sending the internet
> routing table, only our own internal network's routes. Or are you
> suggesting some providers make mistakes and send full internet tables to a
> private VRF customer? We already had our layer-2 VPN MPLS provider join our
> network with someone else's, and we learned the hard way why you should
> never ever ever connect a layer-2 switch to that provider, especially one
> that doesn't support turning off VTP on an interface. Oh yeah, and using VTP
> passwords doesn't hurt either :)

Why not just use site-to-site BGP across the VPLS provider instead of OSPF?
A simple prepend will make sure that the AS_PATHs work out right, and then
all of the ickiness which is redistribution can be avoided.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

From marklah at gmail.com Wed Jan 13 18:08:53 2010
From: marklah at gmail.com (Mark Lah)
Date: Wed, 13 Jan 2010 18:08:53 -0500
Subject: [c-nsp] BGP to OSPF redistribution
Message-ID: 

Well, on the BGP-side network, on the router/switch that connects the OSPF
networks, you could create 2 separate OSPF processes: 1 process for the
remote network that will neighbor up across the L2VPN, and the other
process for the OSPF network that has BGP redistributing into it (the local
network from this device's perspective). On this router/switch, then
redistribute the OSPF networks between the two processes (as noted earlier,
be sure to prevent loops with route-maps). Now all the OSPF routes are seen
as External (not necessarily ideal, but it works), and you can then set the
OSPF metric (cost) higher on the neighbor adjacency(s) than taking routes
learned from the BGP redistro. You could also do some summarization here
too, which would prefer the more specific route from BGP (may or may not be
possible with your design).

-Mark

Date: Wed, 13 Jan 2010 16:52:02 -0500
> From: null zeroroute
> To: Vincent C Jones
> Cc: cisco-nsp at puck.nether.net, Mikael Abrahamsson
> Subject: Re: [c-nsp] BGP to OSPF redistribution
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Thanks for your suggestion. We want to use OSPF because it will scale more
> easily in our network. For example, if we ran BGP over the layer-2
> provider's network, we would need (today) 25 neighbors at every site; every
> time a new site is added, new neighbors need to be created everywhere, etc.,
> to keep the one-hop-away design. Route reflectors got too complicated. It's
> also very helpful to have firewalls running OSPF when there are multiple
> egress points to extranet partner locations or the internet, etc.
>

From ibrahim.abozaid at gmail.com Wed Jan 13 19:33:52 2010
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 14 Jan 2010 02:33:52 +0200
Subject: [c-nsp] MPLS TE and PIM
In-Reply-To: 
References: 
Message-ID: 

Sorry if my question wasn't clear enough. I tried it with 2 tunnels between
two PEs and enabled sparse-mode under the tunnels, so in this case, should
traffic flow over the tunnel?

thanks, Swap

On Wed, Jan 13, 2010 at 7:21 PM, swap m wrote:
> ask yourself this way -
> 1. are TE tunnels bi-directional? answer is no
> 2. can a TE tunnel receive traffic? again the answer is no.
>
> A TE tunnel is for sending traffic, not for receiving. PIM neighborship
> hence is established on the physical interface, not on the TE interface,
> because you need bidirectional flow between the neighbors.
> RPF failures may happen when you receive multicast traffic via the physical
> interface while the routing table has a route via the TE interface. Either
> "mpls traffic-eng multicast-intact" or static mroutes can be used to solve
> these RPF issues. Forwarding adj doesn't work with the multicast-intact
> feature.
>
> HTH
>
> Swap
> #19804
>
> On Tue, Jan 12, 2010 at 11:38 PM, Ibrahim Abo Zaid <ibrahim.abozaid at gmail.com> wrote:
>
>> Hi
>>
>> I have a question about PIM: can PIM messages flow across an MPLS TE
>> Tunnel? Why can't PIM neighborship be established over the tunnel?
>>
>>
>> thanks
>> --Ibrahim
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>

From kenny.sallee at gmail.com Wed Jan 13 20:11:19 2010
From: kenny.sallee at gmail.com (Kenny Sallee)
Date: Wed, 13 Jan 2010 17:11:19 -0800
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: 
Message-ID: <4a80ecce1001131711y124e350dw7d2e0c20df07f29c@mail.gmail.com>

>
> Is there a way to redistribute BGP into OSPF so that the routes can be
> anything but OSPF external?
>

I thought (though it's been a while and I don't have time to research) that
you could use a route-map to match external OSPF routes and set them to
internal BGP. I think it would look something like this:

route-map bgp-to-ospf permit 10
 match route-type external type-1
 set metric-type internal

asr-egv(config-route-map)#match route-type ?
  external       external route (BGP, EIGRP and OSPF type 1/2)
  internal       internal route (including OSPF intra/inter area)
  level-1        IS-IS level-1 route
  level-2        IS-IS level-2 route
  local          locally generated route
  nssa-external  nssa-external route (OSPF type 1/2)

asr-egv(config-route-map)#match route-type external ?
  type-1  OSPF external type 1 route
  type-2  OSPF external type 2 route

asr-egv(config-route-map)#set metric-type internal

But I've not tested it, and memory is failing me on this right now, but I
swear I did this in a lab once upon a time...

Kenny

From p.caci at seabone.net Thu Jan 14 02:09:35 2010
From: p.caci at seabone.net (Pierfrancesco Caci)
Date: Thu, 14 Jan 2010 08:09:35 +0100
Subject: [c-nsp] IOS, IOS-XR and RANCID
In-Reply-To: <4B4DEF67.5070008@renater.fr> (Simon Muyal's message of "Wed, 13 Jan 2010 17:05:59 +0100")
References: <4B4DEF67.5070008@renater.fr>
Message-ID: <87iqb5p3gw.fsf@clarabella.noc.seabone.net>

:-> "Simon" == Simon Muyal writes:

> Hello all,
> We have a network composed of Cisco equipment running IOS and IOS-XR.
> We run RANCID to manage/backup our configurations.
> Does anybody have experience with this software with both versions (IOS and
> IOS-XR)? We have difficulties integrating both versions
> simultaneously in the same RANCID process (problem of "user" and
> "admin" mode execution)

If you refer to rancid not being able to look at the full show diag because
it requires admin mode, you can apply the following patch, the trick being
that you can use admin mode commands by using "run" and calling the real
executable (in this case "run show_diag admin"). The rest of the patch
quenches some constantly changing disk size output.

--- rancid-original 2006-06-06 14:23:42.000000000 +0200
+++ rancid 2008-06-20 08:47:09.000000000 +0200
@@ -665,6 +665,8 @@
 return(-1) if /(: device being squeezed|ATA_Status time out)/i; # busy
 return(-1) if (/command authorization failed/i);
 return(1) if /(Open device \S+ failed|Error opening \S+:)/;
+ s/\d+ bytes total \(\d+ bytes free\)/ / if ($type =~ /CRS/ and $cmd =~ /(harddisk|bootflash|disk0)/);
+ s/.*(uptime|temp)_cont/! / if ($type =~ /CRS/ and $cmd =~ /(harddisk|bootflash|disk0)/);
 # the pager can not be disabled per-session on the PIX
 if (/^(<-+ More -+>)/) {
 my($len) = length($1);
@@ -1610,7 +1612,7 @@
 if (defined($ENV{'NOCOMMSTR'})) {
 my($ip) = $1;
 my($line) = "snmp-server host $ip";
- my(@tokens) = split(' ', $');
+ my(@tokens) = split(' ', $'); #' (This comment fixes emacs fontification)
 my($token);
 while ($token = shift(@tokens)) {
 if ($token eq 'version') {
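Review bot: the two added `s///` lines in the @@ -665 hunk only fire when `$cmd` matches `harddisk|bootflash|disk0`, so the same volatile "bytes total (bytes free)" text from any other CRS filesystem command still lands in the saved diff; either widen the `$cmd` pattern or state that limitation in the patch description. Also, the first substitution replaces the size text with a lone space whereas the second line substitutes a `! ` comment marker, which leaves an odd bare line in the stored output; using `! ` in both keeps the result consistent.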
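Review bot: the @@ -1610 hunk changes no behaviour at all; it only appends `#'` so that an editor's syntax highlighting recovers after the `$'` postmatch variable. A cosmetic editor-specific tweak like this belongs in its own patch rather than in one whose cover text is about admin-mode show diag on IOS-XR, so that a maintainer can apply the functional change on its own.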
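Review bot: in the third hunk that follows (@@ -1753,7 +1755,7 @@), replacing `admin show diag` with `run show_diag admin` makes rancid depend on the IOS-XR `run` shell escape, which executes a binary on the router's underlying OS. The account rancid logs in with must therefore be authorised for `run`, a far broader privilege than the read-only show commands it otherwise needs; the patch description should state that requirement so that operators can weigh it before granting it. Since the command table entry is not conditioned on platform, it is also worth confirming that devices without `run show_diag` fail gracefully for `ShowDiag`.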
@@ -1753,7 +1755,7 @@
 {'show controllers' => 'ShowContAll'},
 {'show controllers cbus' => 'ShowContCbus'},
 {'show diagbus' => 'ShowDiagbus'},
- {'admin show diag' => 'ShowDiag'},
+ {'run show_diag admin' => 'ShowDiag'},
 {'show diag' => 'ShowDiag'},
 {'show module' => 'ShowModule'}, # cat 6500-ios
 {'show spe version' => 'ShowSpeVersion'},

-- 
-------------------------------------------------------------------------------
Pierfrancesco Caci | Network & System Administrator - INOC-DBA: 6762*PFC
p.caci at seabone.net | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/

From perc69 at gmail.com Thu Jan 14 03:32:16 2010
From: perc69 at gmail.com (Per Carlson)
Date: Thu, 14 Jan 2010 09:32:16 +0100
Subject: [c-nsp] IOS, IOS-XR and RANCID
In-Reply-To: <4B4DEF67.5070008@renater.fr>
References: <4B4DEF67.5070008@renater.fr>
Message-ID: <746ca6da1001140032l312a16dcl973810160091b8c7@mail.gmail.com>

Hi.

> We have a network composed of Cisco equipment running IOS and IOS-XR.
> We run RANCID to manage/backup our configurations.
>
> Does anybody have experience with this software with both versions (IOS and
> IOS-XR)? We have difficulties integrating both versions simultaneously in
> the same RANCID process (problem of "user" and "admin" mode execution)

Instead of trying to fix the existing IOS module, I created a new one
specific for IOS XR. The patch is available through the RANCID mailing list,
see:

http://www.shrubbery.net/pipermail/rancid-discuss/2009-November/004385.html

Features in this module are:

* Auto-enable is default on XR devices (no more tweaking of the .clogin file)
* Time-stamps are disabled before extracting data (time-stamps are on by default since 3.8)
* Commands are run both from user and admin modes

-- 
Pelle

From tim at haitabu.net Thu Jan 14 06:25:22 2010
From: tim at haitabu.net (tim)
Date: Thu, 14 Jan 2010 12:25:22 +0100
Subject: [c-nsp] Experiences with STM-16 to GE multiplexers/converters?
Message-ID: <20100114112522.GA20074@samstag.members.selfnet.de>

Hi all,

Does anybody have experience with STM-16 to GE multiplexers/converters?

We have several links from a fiber distributor which expects STM-16 framing
(there are some active WDMs etc.). At the moment we have an SDH overlay and
SDH components at each POP. They divide the STM-16 into at least one STM-4
(and the router handles the STM-4).

We want to get rid of the SDH components and use GE on the router side.
Therefore, we want to split the STM-16 (2.5 GBit/s) into 2x or 4x GE lines
(yes, 4x is oversubscribed, but for backup links it's ok).

We have found, for example, this SDH multiplexer:
http://www.pandacomdirekt.com/de/produkte/netztopologie/sdh/speed-dualmux-sfp-25.html

Does anybody have experience and/or other vendors?

Thanks in anticipation,
Tim

From pavel.skovajsa at gmail.com Thu Jan 14 07:50:47 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Thu, 14 Jan 2010 13:50:47 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <4B4E21CF.10803@darkman.de>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de>
Message-ID: <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com>

Hi,

Glad it helped. By suboptimal I meant the fact that it is possible (simply by
sending to ffff.ffff.ffff) to flood the traffic from one isolated access
switch port through the distribution layer into the rest of the switching
fabric infra, simply due to the fact that all uplink/downlink ports are
"switchport mode trunk". Obviously the traffic does not get into the
end-user ports, but still the trunks are utilized -> hence the functionality
is a little different than the expected "pseudowire" functionality. One
would expect to have some kind of feature configured on the distribution
layer that would not forward the traffic to the rest of the switching fabric,
just to the uplink port into the core layer -> this is probably what the
"private-vlan trunk" is trying to do.....

-pavel skovajsa

On Wed, Jan 13, 2010 at 8:41 PM, Sven 'Darkman' Michels wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello Pavel,
>
> first of all, thanks for your fast response!
>
> Pavel Skovajsa wrote:
>> If I understood you correctly you can get around these limitations by
>> using the PVLAN feature on the end-user ports only and not on the
>> internal switch-to-switch links. On those links you can use normal
>> "trunk" ports and spread the PVLAN to your 6509 and terminate it on L3
>> VLAN int.
>
> Ah, okay, I thought I needed the private-vlan trunk mode, and when I enabled
> it, it just "crashed" my port channel (as in removed the port from it, which
> was not what I wanted..).
>
>
>> On your distribution (6509) you configure:
>>
>> interface Vlan10
>>  ip sticky-arp ignore <--- this is important as PVLAN VLAN interface
>> gets sticky arp by default (for some unknown reason)
>>  no ip proxy-arp
>>  private-vlan mapping 100
>>
>> and normal trunk port towards the switch fabric:
>> interface GigabitEthernet6/1
>>  switchport mode trunk
>
> Ah okay, then I'll try that one, I just limited the vlans a bit, of course ;)
>
>
>> Yes this is probably suboptimal to what you would like to accomplish
>> however the end effect is that the end-user ports cannot communicate
>> with each other - which is probably what you want.
>
> Why is that suboptimal? From what you described and what I understood, it
> works like I want: having an etherchannel to my core and protected ports on
> my edge. If the SVI is reachable from my edge, and other hosts are not, then
> I have what I want. But maybe I missed something...?
>
>
>> Another alternative is the "private-vlan trunk" feature which is
>> described over here
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1166138
>> - the trouble is that AFAIK currently it works only on C4500.
>
> That was what I thought I needed, it's available on the 3560 but it killed the
> etherchannel... and the pvlan documentation says "you cannot enable pvlans on
> an etherchannel", which is "right" as if you enable any of the pvlan commands
> on an etherchannel port, it gets removed from the etherchannel... but it seems
> that normal trunks just work for that - great ;)
>
> So, from what I know now, it should work like I want... just need to test if
> it works with more than one switch etc. but at the moment I think it will
> do so far.
>
> Thanks again for your help :)
>
> Regards,
> Sven
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAktOIc8ACgkQQoCguWUBzBz48ACgjX54FYRh9fpzRmobTElDvXvv
> 8S8An1fyaboYKoWPuZErysZ6c9OH5Kyi
> =O52n
> -----END PGP SIGNATURE-----
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From sven at darkman.de Thu Jan 14 08:15:00 2010
From: sven at darkman.de (Sven 'Darkman' Michels)
Date: Thu, 14 Jan 2010 14:15:00 +0100
Subject: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?
In-Reply-To: <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com>
References: <4B4D6234.7050101@darkman.de> <323aca891001130127k9c079f0mef286ffa8041bfba@mail.gmail.com> <4B4E21CF.10803@darkman.de> <323aca891001140450h26978ca6yd4ac65af1f9ad66c@mail.gmail.com>
Message-ID: <4B4F18D4.4030808@darkman.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Pavel,

Pavel Skovajsa wrote:
> by suboptimal I meant the fact it is possible (simply by sending to
> ffff.ffff.ffff) to flood the traffic from one isolated access switch
> port through distribution layer, into the rest of the switching fabric
> infra simply due to the fact that all uplink/downlink ports are
> "switchport mode trunks". Obviously the traffic does not get into the
> end-user ports, but still the trunk are utilized -> hence the
> functionality is little different then the expected "pseudowire"
> functionality.

Ah, okay. But that I try to limit with other features (things like limited
broadcast for a port etc.), so this should not be a big deal, should it?
The main goal is to prevent "local" attacks from one server to another,
like having a compromised host sniffing the rest after flooding the mac
table, or doing some arp spoofing... or whatsoever ;) This should still be
the case, even with the trunks, right?

Regards,
Sven
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAktPGNQACgkQQoCguWUBzBwD/ACeNDAYcSG91XlsE9cCRnW7ZQK1
2GkAnitdSGedsjhj+u+lBkTEKznPULqe
=/mF3
-----END PGP SIGNATURE-----

From jaitken at aitken.com Thu Jan 14 08:16:00 2010
From: jaitken at aitken.com (Jeff Aitken)
Date: Thu, 14 Jan 2010 13:16:00 +0000
Subject: [c-nsp] BGP to OSPF redistribution
In-Reply-To: 
References: <0CB25506-3D52-4787-A44D-9F515C7A5FC8@gmail.com> <20100113212044.GI75640@gerbil.cluepon.net>
Message-ID: <20100114131600.GA7162@eagle.aitken.com>

On Wed, Jan 13, 2010 at 04:25:04PM -0500, null zeroroute wrote:
> Very good suggestion, however the provider is not sending the internet
> routing table, only our own internal network's routes. Or are you
> suggesting some providers make mistakes and send full internet tables to a
> private VRF customer?

What he's saying is that any time you redistribute BGP into $IGP, you are
playing with fire. The likelihood of a mistake may be low but the cost of
a mistake is high. One thing you'll definitely want to use is the
'redistribute maximum-prefix' command:

router ospf $PID
 redistribute maximum-prefix $LIMIT

This should help limit the damage if there's a redistribution "accident".

--Jeff

From mksmith at adhost.com Thu Jan 14 12:16:06 2010
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 14 Jan 2010 09:16:06 -0800
Subject: [c-nsp] DS3 over STM1
In-Reply-To: <20100113091915.GX857@greenie.muc.de>
References: <20100113091915.GX857@greenie.muc.de>
Message-ID: <17838240D9A5544AAA5FF95F8D52031607735286@ad-exh01.adhost.lan>

Hello Ian:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Wednesday, January 13, 2010 1:19 AM
> To: Ian Henderson
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] DS3 over STM1
>
> Hi,
>
> On Tue, Jan 12, 2010 at 11:15:10PM +0800, Ian Henderson wrote:
> > The new carrier has provisioned a 45Mbit clear channel service with a
> > DS3 at the remote site, and a channelised STM1 at the head office. I
> > can't seem to find a combination of router/card/mux to make this work.
>
> I'd ask the carrier to deliver clear channel DS3 on both ends.
>
> After all, that's what you ordered ("give us a DS3!"), no?
>
> gert
> --

I'm not sure what platform you have, but there are channelized STM-1 cards
for the 7200, 7500 and the 1000 series routers. You should be able to peel
off a single DS-3 on the STM-1 and get the right framing and signaling to
carry it through to your other location.

Google "channelized stm-1 cisco"

Regards,

Mike

From ecables at gmail.com Thu Jan 14 12:31:55 2010
From: ecables at gmail.com (Eric Cables)
Date: Thu, 14 Jan 2010 09:31:55 -0800
Subject: [c-nsp] Cisco UCS
Message-ID: 

Our local sales team has really been bombarding us with material on Cisco's
UCS (Unified Compute System) as of late, and I was wondering who on this
list has begun deployment of UCS. If you have decided to deploy, how has
your experience been? Also, I'd like to hear how you were able to convince
your server folks to switch from , to a Cisco based hardware platform.

Thanks,

-- 
Eric Cables

From gert at greenie.muc.de Thu Jan 14 12:40:41 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 14 Jan 2010 18:40:41 +0100
Subject: [c-nsp] DS3 over STM1
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031607735286@ad-exh01.adhost.lan>
References: <20100113091915.GX857@greenie.muc.de> <17838240D9A5544AAA5FF95F8D52031607735286@ad-exh01.adhost.lan>
Message-ID: <20100114174041.GM857@greenie.muc.de>

Hi,

On Thu, Jan 14, 2010 at 09:16:06AM -0800, Michael K. Smith - Adhost wrote:
> I'm not sure what platform you have, but there are channelized STM-1
> cards for the 7200, 7500 and the 1000 series routers. You should be
> able to peel off a single DS-3 on the STM-1 and get the right framing
> and signaling to carry it through to your other location.
>
> Google "channelized stm-1 cisco"

If I understood the original poster correctly, none of them did "STM-1 and
DS3" - it's either "all the way down to E1" or "E3".

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From razor at meganet.net Thu Jan 14 15:09:17 2010
From: razor at meganet.net (P.A)
Date: Thu, 14 Jan 2010 15:09:17 -0500
Subject: [c-nsp] cisco frame-relay termination without a frame switch -update
Message-ID: <01c001ca9555$735b1bf0$5a1153d0$@net>

Just putting this out there in case it helps someone. This example shows a
7200 with two connected routers. I also got frame-relay termination working
with a 6500, but that platform does not seem to support the command needed
to create frame-relay PVCs, the frame-relay route command. Another thing I
found: for some reason on the 7200 I had to disable frame-relay inverse arp
with the frame-relay map command for it to work. On the 6500 this was not an
issue. I also noticed on the 7200 that on some interfaces, for whatever
reason, int ser5/0:1 I needed to have the frame-relay map statement for
1.1.1.1 to be able to ping it. This again was not an issue on the 6500.
Also remember you will need the frame-relay switching command in global
config mode for the router to be turned into a frame switch. Hope this helps
someone.

Thanks,
Paul

7200: config - c7200-p-mz.122-17a.bin

interface Serial5/0:1
 ip address 1.1.1.1 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 500
 frame-relay map ip 1.1.1.2 500
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 40 interface Serial5/1:1 40
!
interface Serial5/0:1.30 point-to-point
 ip address 1.1.1.9 255.255.255.252
 frame-relay interface-dlci 30
!
interface Serial5/1:1
 ip address 1.1.1.5 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.5 500
 frame-relay map ip 1.1.1.6 500
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 40 interface Serial5/0:1 40

site A:

interface Serial0
 ip address 1.1.1.2 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay interface-dlci 500
 frame-relay lmi-type ansi
!
interface Serial0.30 point-to-point
 ip address 1.1.1.10 255.255.255.252
 frame-relay interface-dlci 30
!
interface Serial0.40 point-to-point
 ip address 1.1.1.13 255.255.255.252
 frame-relay interface-dlci 40 IETF
!

Site B:

interface Serial0
 ip address 1.1.1.6 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay interface-dlci 500
 frame-relay lmi-type ansi
!
interface Serial0.40 point-to-point
 description PRIVATE PVC back to 1st t1.
 ip address 1.1.1.14 255.255.255.252
 frame-relay interface-dlci 40 IETF

From: P.A [mailto:razor at meganet.net]
Sent: Wednesday, January 06, 2010 2:41 PM
To: 'cisco-nsp at puck.nether.net'
Subject: cisco frame-relay termination without a frame switch

Hi, we have a frame-relay switch that is no longer working. We have 28 T1s
on a channelized T3. I was wondering if anyone knows how and if it's
possible to terminate frame lines on a Cisco, either a 7200 or 6500, without
a frame switch. I followed the example here,
http://www.ciscopress.com/articles/article.asp?p=170741&seqNum=7
but this will not work for me as it assumes you have 2 different frame-relay
circuits on two different T1 ports. I'm using a PA-MC-T3 card and I also
tried creating sub interfaces off the T1 channel, but when I use the
frame-relay route command it gives me an error that both DLCIs are on the
same interface. All I'm trying to do is terminate a frame-relay on a Cisco
without a frame-relay switch. If this is possible could someone give me an
example or point me in that direction.

thanks!
paul

From gregpclark at gmail.com Thu Jan 14 20:47:07 2010
From: gregpclark at gmail.com (Greg Clark)
Date: Thu, 14 Jan 2010 19:47:07 -0600
Subject: [c-nsp] OSPF on ASA with large routing tables
Message-ID: <44ae085f1001141747r5951bf09ka16e3cb239a9eb92@mail.gmail.com>

We're considering running OSPF on a handful of core ASA 5580s but our
routing table is somewhat large (roughly 10,000 routes). Does anyone have
any experience running OSPF on an ASA platform with a large number of
routes on a production network? Did you run into any limitations or issues?
We don't plan on running multiple contexts and will not have a large number
of peers/neighbors, just a large routing table.

Thanks,
Greg

From jshearer at amedisys.com Thu Jan 14 21:03:01 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Thu, 14 Jan 2010 20:03:01 -0600
Subject: [c-nsp] OSPF on ASA with large routing tables
In-Reply-To: <44ae085f1001141747r5951bf09ka16e3cb239a9eb92@mail.gmail.com>
References: <44ae085f1001141747r5951bf09ka16e3cb239a9eb92@mail.gmail.com>
Message-ID: 

We run a 5540 with about 8500 routes with no real problems. I do plan on
doing some filtering just to minimize the size of its table for efficiency.

FYI - ASA in multicontext doesn't support dynamic routing protocols.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Greg Clark
Sent: Thursday, January 14, 2010 7:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OSPF on ASA with large routing tables

We're considering running OSPF on a handful of core ASA 5580s but our routing table is somewhat large (roughly 10,000 routes). Does anyone have any experience running OSPF on an ASA platform with a large number of routes on a production network? Did you run into any limitations or issues? We don't plan on running multiple contexts and will not have a large number of peers/neighbors, just a large routing table.

Thanks,
Greg

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From lists at nexus6.co.za Thu Jan 14 21:32:30 2010
From: lists at nexus6.co.za (Andy Ashley)
Date: Fri, 15 Jan 2010 03:32:30 +0100
Subject: [c-nsp] RIB failure : Higher admin distance
Message-ID: <4B4FD3BE.3090803@nexus6.co.za>

Hi all,

We have two routers at site A and one at site B, both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers. The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B.

We run OSPF between all the routers/switches, also over the private link between site A and B and use "redistribute static subnets". There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks, the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path).

There is an issue: We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A. However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure.
(Site A Router)#sh ip bgp rib-failure
Network            Next Hop                RIB-failure             RIB-NH Matches
X.X.X.X/20         (Layer 3 Core Switch)   Higher admin distance   n/a
etc etc (there is a list of all of our static routes here)

(Site A Router)#show ip bgp (Slash /24 in question)
BGP routing table entry for (Slash /24 in question)/24, version 4317116
Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17))
  Not advertised to any peer
  (65003)
    (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X)
      Origin IGP, metric 0, localpref 100, valid, confed-internal, best
      Community: ASN:200 no-export

(Site A Router)#show ip route (Slash /24 in question)
Routing entry for (Slash /24 in question)/24
  Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2
  Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago
  Routing Descriptor Blocks:
  * (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8
      Route metric is 20, traffic share count is 1

The rib failure condition seems to be persistent.

Any ideas how to overcome this issue?

Thanks.
Andy.

From jasonleblanc at gmail.com Thu Jan 14 22:57:16 2010
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Thu, 14 Jan 2010 20:57:16 -0700
Subject: [c-nsp] OSPF Campus Design : Excessive SPF Runs
Message-ID: <04693863-0847-4C78-B389-49D77AE5F069@gmail.com>

Hello,

We currently have Layer 3 Routed Access configured at all of our Metro Campus locations. There are a few obvious deviations from the best practice design guides. The current setup is:

Core -->      Datacenter Distribution -->  | (fiber connect) |  -->  Building Distribution -->  Access
(backbone)    (ABR)                                                  (ASBR)                     (OSPF enabled access switch)

The Cisco best practice is:

Core -->      Distribution -->  Access
(backbone)    (ABR)             (OSPF enabled access switch)

We are running NSSA with no-summary and the range command on the Datacenter Distribution routers. Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router. Vlans on each box on each floor are mutually exclusive.

Symptoms:
Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.

router-a#sh ip ospf stat
 Area 0.0.0.0: SPF algorithm executed 7865 times
 Area 192.8.208.0: SPF algorithm executed 386 times
 Area 192.70.0.0: SPF algorithm executed 563 times
 Area 192.100.0.0: SPF algorithm executed 93076 times

Questions:
Should we be advertising (passively or non-passively) L3 Vlans into OSPF?
Should we be doing Totally NSSAs instead of NSSAs? If not, is there a way to get the DR in NSSA to advertise a single route back as default route?
Should we be sending each campus distribution router directly to the Core so that it's 3 hops?
Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?

Any help or advice is greatly appreciated!

Regards,
//LeBlanc

From randy_94108 at yahoo.com Fri Jan 15 00:49:44 2010
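Narrowing a symptom like Jason's down to one area and then to one LSA can be scripted. The following is an added example, not from the original post and not a Cisco tool: it reads the per-area SPF counters from his "sh ip ospf stat" output, picks the busiest area, and then ranks the LSAs of that area in a constructed "show ip ospf database" listing by how far their Seq# has climbed above the RFC 2328 initial value 0x80000001. A stable LSA is refreshed only every 30 minutes, so its sequence number stays low; one that is re-originated on every interface or adjacency flap climbs by thousands, and a low Age on the same entry confirms it was flooded again moments ago. The router IDs, ages and sequence numbers in the database sample are invented, and the parser assumes the usual IOS column layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample output. The SPF counters repeat the figures from the post;
# the database listing (router IDs, ages, Seq#, checksums) is invented for this
# example and only follows the IOS column layout.
SPF_STATS = """\
Area 0.0.0.0: SPF algorithm executed 7865 times
Area 192.8.208.0: SPF algorithm executed 386 times
Area 192.70.0.0: SPF algorithm executed 563 times
Area 192.100.0.0: SPF algorithm executed 93076 times
"""

OSPF_DB = """\
            OSPF Router with ID (10.100.0.1) (Process ID 100)

                Router Link States (Area 192.100.0.0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.100.0.1      10.100.0.1      1640        0x80000012 0x00C1A3 4
10.100.0.2      10.100.0.2      12          0x8000A7F3 0x00B012 3
10.100.0.3      10.100.0.3      1102        0x80000009 0x001234 2

                Net Link States (Area 192.100.0.0)

Link ID         ADV Router      Age         Seq#       Checksum
10.100.2.1      10.100.0.2      15          0x80009C21 0x00AB10

                Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.0.1        10.0.0.1        900         0x80000031 0x00D5E1 2
"""

# RFC 2328 InitialSequenceNumber: each re-origination adds one to Seq#, so
# (Seq# - INITIAL_SEQ) is how many times the LSA has been reflooded.
INITIAL_SEQ = 0x80000001

SPF_RE = re.compile(r"Area (\S+): SPF algorithm executed (\d+) times")
HDR_RE = re.compile(r"^\s*([\w-]+(?: [\w-]+)*) Link States(?: \(Area (\S+)\))?")
ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(0x[0-9A-Fa-f]{8})")


@dataclass
class Lsa:
    area: str
    kind: str          # "Router", "Net", "Summary Net", ...
    link_id: str
    adv_router: str
    age: int
    seq: int

    @property
    def reoriginations(self) -> int:
        return self.seq - INITIAL_SEQ


def spf_counts(stats: str) -> Dict[str, int]:
    return {area: int(n) for area, n in SPF_RE.findall(stats)}


def busiest_area(stats: str) -> Tuple[str, int]:
    counts = spf_counts(stats)
    area = max(counts, key=counts.get)
    return area, counts[area]


def parse_database(text: str) -> List[Lsa]:
    lsas: List[Lsa] = []
    area = kind = None
    for line in text.splitlines():
        hdr = HDR_RE.match(line)
        if hdr:                      # section header carries type and area
            kind, area = hdr.group(1), hdr.group(2) or "AS-external"
            continue
        row = ROW_RE.match(line)
        if row and kind:
            lsas.append(Lsa(area, kind, row.group(1), row.group(2),
                            int(row.group(3)), int(row.group(4), 16)))
    return lsas


def suspect_lsas(lsas: List[Lsa], area: str, min_reoriginations: int = 1000) -> List[Lsa]:
    """LSAs in `area` that have been re-originated far more often than a stable
    LSA would be, most-churned first. Low Age on a hit means it just flapped again."""
    hits = [l for l in lsas if l.area == area and l.reoriginations >= min_reoriginations]
    return sorted(hits, key=lambda l: l.reoriginations, reverse=True)


if __name__ == "__main__":
    area, runs = busiest_area(SPF_STATS)
    print(f"area {area} ran SPF {runs} times; most re-originated LSAs there:")
    for lsa in suspect_lsas(parse_database(OSPF_DB), area):
        print(f"  {lsa.kind} LSA {lsa.link_id} from {lsa.adv_router}: "
              f"seq 0x{lsa.seq:08X} ({lsa.reoriginations} re-originations), age {lsa.age}s")
```

On the sample the two hits share one advertising router, which is the kind of pointer that turns "area 192.100.0.0 runs SPF too often" into "check the links on that one switch". The threshold is a starting point; compare against the sequence numbers of neighbouring LSAs in the same area rather than an absolute figure.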
From: randy_94108 at yahoo.com (Randy)
Date: Thu, 14 Jan 2010 21:49:44 -0800 (PST)
Subject: [c-nsp] RIB failure : Higher admin distance
In-Reply-To: <4B4FD3BE.3090803@nexus6.co.za>
Message-ID: <34888.80577.qm@web80505.mail.mud.yahoo.com>

..sorry for the top posting..

Hi Andy,

You wouldn't happen to have an interface on router A with an address in that range, would you? *connected* eq AD of 0. A longer prefix match will not work in this case when it comes to installing routes in the bgp routing table.

Regards
./Randy

--- On Thu, 1/14/10, Andy Ashley wrote:
From: Andy Ashley
Subject: [c-nsp] RIB failure : Higher admin distance
To: cisco-nsp at puck.nether.net
Date: Thursday, January 14, 2010, 6:32 PM

Hi all,

We have two routers at site A and one at site B, both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers. The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B.

We run OSPF between all the routers/switches, also over the private link between site A and B and use "redistribute static subnets". There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks, the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path).

There is an issue: We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A. However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure.

(Site A Router)#sh ip bgp rib-failure
Network            Next Hop                RIB-failure             RIB-NH Matches
X.X.X.X/20         (Layer 3 Core Switch)   Higher admin distance   n/a
etc etc (there is a list of all of our static routes here)

(Site A Router)#show ip bgp (Slash /24 in question)
BGP routing table entry for (Slash /24 in question)/24, version 4317116
Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17))
  Not advertised to any peer
  (65003)
    (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X)
      Origin IGP, metric 0, localpref 100, valid, confed-internal, best
      Community: ASN:200 no-export

(Site A Router)#show ip route (Slash /24 in question)
Routing entry for (Slash /24 in question)/24
  Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2
  Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago
  Routing Descriptor Blocks:
  * (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8
      Route metric is 20, traffic share count is 1

The rib failure condition seems to be persistent.

Any ideas how to overcome this issue?

Thanks.
Andy.

From stmagconsulting at gmail.com Fri Jan 15 00:55:00 2010
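What "Higher admin distance" means for Andy's /24, as an added example that is not from the thread: IOS installs one route per exact prefix and length, the candidate with the lowest administrative distance, and a BGP best path that loses that comparison stays in the BGP table but is marked RIB-failure. The model below uses the IOS defaults (static 1, OSPF 110, iBGP 200) and documentation prefixes as stand-ins for the real addresses. The /24 arrives at site A both as an OSPF external route from site B (distance 110, as the show ip route output above shows) and as an iBGP path over the tunnel (200), so the OSPF route wins and the BGP path fails; a covering /20 on its own would not keep the /24 out, because only the identical prefix competes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IOS default administrative distances for the sources used here.
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}
BGP_SOURCES = {"ebgp", "ibgp"}


@dataclass(frozen=True)
class Route:
    prefix: str      # exact prefix/length, e.g. "192.0.2.0/24"
    source: str      # key into DEFAULT_AD
    next_hop: str

    @property
    def distance(self) -> int:
        return DEFAULT_AD[self.source]


def install(candidates: List[Route]) -> Tuple[Dict[str, Route], List[Tuple[Route, str]]]:
    """Pick one route per exact prefix by lowest administrative distance.
    BGP paths that lose are returned with the reason IOS prints in
    "show ip bgp rib-failure". A covering or more specific prefix in the RIB
    does not take part: only the identical prefix/length competes."""
    rib: Dict[str, Route] = {}
    failures: List[Tuple[Route, str]] = []
    for route in sorted(candidates, key=lambda r: r.distance):   # lowest AD first
        if route.prefix not in rib:
            rib[route.prefix] = route
        elif route.source in BGP_SOURCES:
            failures.append((route, "Higher admin distance"))
        # a non-BGP loser (e.g. a static shadowed by connected) is simply not installed
    return rib, failures


def site_a_candidates() -> List[Route]:
    # Constructed stand-in for the thread's addresses (documentation prefixes,
    # not the poster's): the /24 is learned as an OSPF external from site B and
    # as an iBGP path over the GRE tunnel; the /20 is a local static as well as
    # an iBGP path from the core switch; the /21 is static only.
    return [
        Route("192.0.2.0/24", "ospf", "10.8.0.2"),
        Route("192.0.2.0/24", "ibgp", "10.255.0.2"),
        Route("192.0.0.0/20", "static", "Null0"),
        Route("192.0.0.0/20", "ibgp", "10.0.0.3"),
        Route("192.0.8.0/21", "static", "Null0"),
    ]


def rib_failure_report(candidates: List[Route]) -> List[str]:
    """Rows in the spirit of "show ip bgp rib-failure" (layout simplified)."""
    _, failures = install(candidates)
    return [f"{r.prefix:<18}{r.next_hop:<16}{reason}" for r, reason in failures]


if __name__ == "__main__":
    print(f"{'Network':<18}{'Next Hop':<16}RIB-failure")
    for row in rib_failure_report(site_a_candidates()):
        print(row)
```

Removing the OSPF candidate for the /24 (or giving the BGP path a better distance) lets the iBGP /24 install even though the static /20 still covers it, which is the point of the exact-prefix rule.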
From: stmagconsulting at gmail.com (Stephane MAGAND)
Date: Fri, 15 Jan 2010 06:55:00 +0100
Subject: [c-nsp] Cisco ASA and Update Cisco VPN Client
In-Reply-To: <62f79b511001130339h4f01adc3k32690f1999091477@mail.gmail.com>
References: <4B4DAB28.7030500@phibee.net> <62f79b511001130339h4f01adc3k32690f1999091477@mail.gmail.com>
Message-ID:

Hi

Thanks for this information. Does anyone have more detail? Has anyone used this function?

Thanks
Stephane

2010/1/13 Marcelo Zilio
> I just saw in my ASA 8.2 under Configuration > Remote Access VPN > Network (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option Client Software Update.
>
> I remember seeing this in older versions too. I never used it, but I think this is what you are looking for.
>
> On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <noc at phibee.net> wrote:
>
> > Hi
> >
> > anyone know if it's possible:
> >
> > When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the version of the IPSec Client Software, I think.
> >
> > If this software is too old, can the ASA send an update automatically?
> >
> > Thanks
> > Jerome
>

From mehdi.badreddine at fr.clara.net Fri Jan 15 04:23:47 2010
From: mehdi.badreddine at fr.clara.net (Mehdi Badreddine)
Date: Fri, 15 Jan 2010 09:23:47 -0000
Subject: [c-nsp] cisco users accounting and logging
Message-ID: <70F55AD71714494087D3F5CF5ED1008305720B4D@EXVS02.claranet.local>

Hi,

I'm looking for open source software to log cisco/hp/juniper users' commands. For the moment, we are not able to know what commands are issued by users. I've already installed tac_plus on BSD, though it doesn't provide user accounting, just authentication.

Thanks in advance for your help.

Mehdi BADREDDINE
System&Network Admin
CLARANET Paris
68, rue du Faubourg Saint-Honoré
75008 PARIS

From pavel.skovajsa at gmail.com Fri Jan 15 04:32:32 2010
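Once command accounting is switched on (a later reply in this thread gives the tac_plus "accounting file" line and the IOS "aaa accounting commands" lines), the accounting file answers Mehdi's question directly: every command a user runs is recorded with the user, the device and the privilege level. The following is an added example, not from the post and not part of tac_plus: a parser for a constructed accounting file that lists commands per user and flags the ones that change the AAA or logging posture of a device or persist its configuration. The tab-separated field order (date, NAS address, user, port, remote address, start/stop/update, then attribute=value pairs) is an assumption about tac_plus output and should be checked against a real file before this is relied on.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample accounting file (not from the original post). The layout,
# tab separated with six fixed fields followed by attribute=value pairs, is an
# assumption about tac_plus output; verify against your own server's file.
SAMPLE_LOG = """\
Fri Jan 15 11:47:33 2010\t10.0.0.1\tmehdi\ttty1\t192.0.2.10\tstart\ttask_id=12\tservice=shell
Fri Jan 15 11:47:40 2010\t10.0.0.1\tmehdi\ttty1\t192.0.2.10\tstop\ttask_id=13\ttimezone=UTC\tservice=shell\tpriv-lvl=1\tcmd=show ip route <cr>
Fri Jan 15 11:48:02 2010\t10.0.0.1\tmehdi\ttty1\t192.0.2.10\tstop\ttask_id=14\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>
Fri Jan 15 11:48:20 2010\t10.0.0.1\tmehdi\ttty1\t192.0.2.10\tstop\ttask_id=15\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=no aaa accounting commands 15 default <cr>
Fri Jan 15 11:49:00 2010\t10.0.0.2\tops\ttty2\t192.0.2.11\tstop\ttask_id=16\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=write memory <cr>
garbage line that is not an accounting record
"""

# Commands worth an alert on their own: they weaken AAA or logging, or write
# configuration. Extend to taste; anchored at the start of the command.
SENSITIVE_CMD = re.compile(
    r"^(configure terminal|no aaa |no logging|write( |$)|copy |username |enable (secret|password))")

FIXED_FIELDS = 6
VALID_FLAGS = ("start", "stop", "update")


@dataclass
class Record:
    timestamp: str
    nas: str
    user: str
    port: str
    remote: str
    flag: str                      # start / stop / update
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def command(self) -> str:
        # IOS appends " <cr>" to the command it reports; strip it for matching
        return re.sub(r"\s*<cr>\s*$", "", self.attrs.get("cmd", "")).strip()


def parse_accounting(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < FIXED_FIELDS or parts[5] not in VALID_FLAGS:
            continue                      # not an accounting record: skip, don't crash
        attrs = dict(p.split("=", 1) for p in parts[FIXED_FIELDS:] if "=" in p)
        records.append(Record(*parts[:FIXED_FIELDS], attrs))
    return records


def commands_by_user(records: List[Record]) -> Dict[str, List[str]]:
    """Who typed what: shell 'stop' records carry the executed command."""
    out: Dict[str, List[str]] = {}
    for r in records:
        if r.flag == "stop" and r.attrs.get("service") == "shell" and r.command:
            out.setdefault(r.user, []).append(r.command)
    return out


def sensitive_commands(records: List[Record]) -> List[Record]:
    """Records whose command matches the watch list, in file order."""
    return [r for r in records if r.command and SENSITIVE_CMD.match(r.command)]


if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_LOG)
    for user, cmds in commands_by_user(recs).items():
        print(f"{user}: {cmds}")
    for r in sensitive_commands(recs):
        print(f"ALERT {r.timestamp} {r.user}@{r.nas} priv {r.attrs.get('priv-lvl')}: {r.command}")
```

The "no aaa accounting" hit is the one to watch for in practice: a user removing the accounting that records them is the last thing the file will show about that session, so the alert has to come from the server side, not the device.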
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Fri, 15 Jan 2010 10:32:32 +0100
Subject: [c-nsp] OSPF Campus Design : Excessive SPF Runs
In-Reply-To: <04693863-0847-4C78-B389-49D77AE5F069@gmail.com>
References: <04693863-0847-4C78-B389-49D77AE5F069@gmail.com>
Message-ID: <323aca891001150132t303f9a45l1e1c2870835f9069@mail.gmail.com>

Hi Jason, see below

-pavel skovajsa

On Fri, Jan 15, 2010 at 4:57 AM, Jason LeBlanc wrote:
> Hello,
>
> We currently have Layer 3 Routed Access configured at all of our Metro Campus locations. There are a few obvious deviations from the best practice design guides. The current setup is:
>
> Core -->      Datacenter Distribution -->  | (fiber connect) |  -->  Building Distribution -->  Access
> (backbone)    (ABR)                                                  (ASBR)                     (OSPF enabled access switch)
>
> The Cisco best practice is:
>
> Core -->      Distribution -->  Access
> (backbone)    (ABR)             (OSPF enabled access switch)
>

The best practices are exactly what it says - best practices - in real practice everybody finds it hard to actually achieve that, due to geopolitical/other reasons. In other words the following implication is NOT true: not following best practices -> bad design -> network melts

> We are running NSSA with no-summary and the range command on the Datacenter Distribution routers. Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router. Vlans on each box on each floor are mutually exclusive.
>
> Symptoms:
> Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.
>
> router-a#sh ip ospf stat
>  Area 0.0.0.0: SPF algorithm executed 7865 times
>  Area 192.8.208.0: SPF algorithm executed 386 times
>  Area 192.70.0.0: SPF algorithm executed 563 times
>  Area 192.100.0.0: SPF algorithm executed 93076 times

Well, that last area 192.100.0.0 seems to be the culprit - what about troubleshooting it for a while, instead of redesigning the whole network? Use commands like the above "show ip ospf stat" and look for Seq# and LSA Age to find the flapping LSA. Also stuff like "debug ip ospf monitor" and "show ip ospf database database-sum" will help you.

>
> Questions:
> Should we be advertising (passively or non-passively) L3 Vlans into OSPF?

Passively. Why would somebody do that in a non-passive way and have myriads of neighbors per each vlan?

> Should we be doing Totally NSSAs instead of NSSAs?

Totally stubby (or totally not-so-stubby if you need ASBR) should be the default design, only configure no-summary if you have a specific reason. Also I don't understand the need for ASBR in your NSSA - but you probably have a reason for that.

>        If not, is there a way to get the DR in NSSA to advertise a single route back as default route?
> Should we be sending each campus distribution router directly to the Core so that it's 3 hops?

As written above, if you have the funding to do this it will certainly make your network design nicer, but I don't see how doing this would actually massively decrement your SPF runs....

> Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?

Scale and speed are contradictory goals. Fast reaction to changes in network topology tends to end up in a network that never converges and is unstable.

>
>
> Any help or advice is greatly appreciated!
>
> Regards,
>
> //LeBlanc

From peter at rathlev.dk Fri Jan 15 05:47:33 2010
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 15 Jan 2010 11:47:33 +0100
Subject: [c-nsp] cisco users accounting and logging
In-Reply-To: <70F55AD71714494087D3F5CF5ED1008305720B4D@EXVS02.claranet.local>
References: <70F55AD71714494087D3F5CF5ED1008305720B4D@EXVS02.claranet.local>
Message-ID: <1263552453.28844.4.camel@localhost>

On Fri, 2010-01-15 at 09:23 +0000, Mehdi Badreddine wrote:
> I've already installed tac_plus on BSD, though it doesn't provide
> users accounting, just authentication.

We use tac_plus with accounting, no problems there. The relevant configuration is:

  accounting file = /var/log/tacacs-accounting.log

or similar in the tac_plus.conf file, and then:

  aaa accounting exec [method] start-stop group tacacs+
  aaa accounting commands 0 [method] start-stop group tacacs+
  aaa accounting commands 15 [method] start-stop group tacacs+
  aaa accounting connection [method] start-stop group tacacs+

besides your normal AAA config on the Cisco devices. I wouldn't know about Juniper or HP.

-- 
Peter

From scottowens12 at gmail.com Fri Jan 15 08:24:56 2010
From: scottowens12 at gmail.com (scott owens)
Date: Fri, 15 Jan 2010 07:24:56 -0600
Subject: [c-nsp] OSPF on ASA with large routing tables
Message-ID:

> > Message: 5
> Date: Thu, 14 Jan 2010 19:47:07 -0600
> From: Greg Clark
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OSPF on ASA with large routing tables
> Message-ID: <44ae085f1001141747r5951bf09ka16e3cb239a9eb92 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> We're considering running OSPF on a handful of core ASA 5580s but our routing
> table is somewhat large (roughly 10,000 routes). Does anyone have any
> experience running OSPF on an ASA platform with a large number of routes on
> a production network? Did you run into any limitations or issues? We don't
> plan on running multiple contexts and will not have a large number of
> peers/neighbors, just a large routing table.
>
> Thanks,
>
> Greg
>

I am certainly sure I do not know your network topology - but having 10,000 routes going to a firewall seems like you may want another pair or more of eyes to check out that route summarization problem. Ditto with the guy with 8,000+ routes. I have multiple 10GB, Nexus 7Ks, Redundant Gig Internet (/16), I2 connectivity and I don't think we have more than 100 or 200 routes present.

From NMaio at guesswho.com Fri Jan 15 08:29:00 2010
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Fri, 15 Jan 2010 08:29:00 -0500
Subject: [c-nsp] Cisco ASA and Update Cisco VPN Client
In-Reply-To:
References: <4B4DAB28.7030500@phibee.net> <62f79b511001130339h4f01adc3k32690f1999091477@mail.gmail.com>
Message-ID: <2AA600764E54964491083B1E0EC81A3033D742DEB2@EXCLUS.nationala-1advertising.com>

I use this but it isn't an automatic update. The user is presented with a message box once they sign in and it lets them know that an update is available. It is up to the user to click the box to update.

If you are concerned about users using old clients you could always restrict the version via a client-access-rule...something like this...under your group-policy.

client-access-rule 1 permit type WinNT version 5.0.0*
client-access-rule 2 permit type "Mac OS X" version 4.9.01*
client-access-rule 3 permit type Linux version "4.8.02 (0030)"
client-access-rule 4 deny type * version *

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephane MAGAND
Sent: Friday, January 15, 2010 12:55 AM
To: Marcelo Zilio
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client

Hi

Thanks for this information. Does anyone have more detail? Has anyone used this function?

Thanks
Stephane

2010/1/13 Marcelo Zilio
> I just saw in my ASA 8.2 under Configuration > Remote Access VPN > Network (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option Client Software Update.
>
> I remember seeing this in older versions too. I never used it, but I think this is what you are looking for.
>
> On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <noc at phibee.net> wrote:
>
> > Hi
> >
> > anyone know if it's possible:
> >
> > When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the version of the IPSec Client Software, I think.
> >
> > If this software is too old, can the ASA send an update automatically?
> >
> > Thanks
> > Jerome
>

From Charles.Church at harris.com Fri Jan 15 10:09:55 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Fri, 15 Jan 2010 10:09:55 -0500
Subject: [c-nsp] OT - Infoblox vs. Bluecat
Message-ID: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>

I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.

Thanks in advance,
Chuck

From moua0100 at umn.edu Fri Jan 15 10:13:29 2010
From: moua0100 at umn.edu (Ge Moua)
Date: Fri, 15 Jan 2010 09:13:29 -0600
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
Message-ID: <4B508619.8070500@umn.edu>

We are using infoblox over here; works pretty well.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Church, Charles wrote:
> I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
>
> Thanks in advance,
>
> Chuck

From Michael.Robson at manchester.ac.uk Fri Jan 15 11:32:06 2010
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Fri, 15 Jan 2010 16:32:06 +0000
Subject: [c-nsp] 2800s and L2TPv3
Message-ID:

I was convinced that our 2851s would support L2TPv3 and the ipbase version, but two different images (the newer being 124-18e ipbase) will not accept the xconnect command: what am I missing here?

Ta.
Michael.

From Bryan at bryanfields.net Fri Jan 15 10:59:56 2010
From: Bryan at bryanfields.net (Bryan Fields)
Date: Fri, 15 Jan 2010 10:59:56 -0500
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
Message-ID: <4B5090FC.5070607@bryanfields.net>

Church, Charles wrote:
> I apologize for this being fairly OT for a Cisco list, but I figured
> someone on here has touched some DNS gear before. Anyone work with
> Infoblox and Bluecat, and run across a significant reason to choose
> one over another? I've googled, but most articles are 5 years or
> more old. Off-line responses encouraged. The planned use is for
> govt, so full access to the kernel is nice for
> hardening/verification. Also need TSIG, DNSSEC, and IPv6 support,
> which they both claim to have, as they're both based on recent bind.
> Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.

Can we keep it onlist? I'm interested to know as well. Just had a sales presentation from Info Blox yesterday, and would like some real world experiences from users.

-- 
Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From jared at puck.nether.net Fri Jan 15 12:37:49 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 15 Jan 2010 12:37:49 -0500
Subject: [c-nsp] 2800s and L2TPv3
In-Reply-To:
References:
Message-ID: <6220ECDA-9F09-4C96-906A-6369DA20D475@puck.nether.net>

I believe you need advipservices for this capability.

- Jared

On Jan 15, 2010, at 11:32 AM, Michael Robson wrote:
> I was convinced that our 2851s would support L2TPv3 and the ipbase version, but two different images (the newer being 124-18e ipbase) will not accept the xconnect command: what am I missing here?
>
> Ta.
>
> Michael.

From alasdairm at gmail.com Fri Jan 15 14:10:57 2010
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Fri, 15 Jan 2010 19:10:57 +0000
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
Message-ID: <0DD058ED-CC36-447E-AF33-57B98ACCC243@gmail.com>

We use InfoBlox and it's pretty good. We have a grid containing several pairs of HA nodes at various DCs, used for DNS, DHCP and IP Management. We're not using IPv6 though.

On 15 Jan 2010, at 15:09, Church, Charles wrote:
> I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
>
> Thanks in advance,
>
> Chuck

From A.L.M.Buxey at lboro.ac.uk Fri Jan 15 15:41:21 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 15 Jan 2010 20:41:21 +0000
Subject: [c-nsp] cisco energywise 'feature'
Message-ID: <20100115204121.GF7558@lboro.ac.uk>

hi,

just a quick heads-up on this - see if anyone else has fallen foul of it or got a registered bug ID before I chase this one further.

we have noted that with IOS 12.2(52)SE on both 2960 and 3750 platforms, whenever you do a show running-config, the encrypted password (shared-secret) for energywise (which is a method 7 encryption and not method 5 - natch) that gets displayed changes.

of course...this means that any software tools that check for changes to keep revisions and alert our change system believe that there has been a change. we use rancid and some home-brew stuff too....so we get a notice for every switch which we have deployed energywise on. which is nice. :-(

those with ASA experience will see the similarities with an ASA 8.x bug that was fixed recently - we had the same sort of issue with that :-(

so - just a heads up for those who don't want to find this out themselves

PS there is a 'work around' - insert the shared-secret as plain text (method 0) - but that's a nice way of letting casual eyes see the shared-secret - and that shared-secret gives you access to some of the new energywise features - turn ports off/on etc.

alan

From Jason.Mishka at UToledo.Edu Fri Jan 15 16:38:29 2010
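One way to keep rancid-style change detection quiet without falling back to a method-0 secret, as an added example that is neither Alan's tooling nor rancid's own filters: mask every type-7 string in both running-config snapshots before diffing them, so a re-encoded secret no longer counts as a change while everything else still does, and separately list any secret stored with method 0 so the work-around he mentions stays visible as a risk. The energywise command form ("energywise domain <name> secret {0|7} <secret>" and "energywise management secret ...") is assumed here, and the type-7 strings and hostnames in the snapshots are constructed.

```python
import difflib
import re
from typing import List

# Constructed before/after snapshots of "show running-config" (not the poster's
# configs). The energywise command form is an assumption; the type-7 strings,
# the type-5 hash and the hostname are made up for this example.
RUN_BEFORE = """\
hostname sw-floor3
enable secret 5 $1$abcd$Gv0G6mXLAhTzTLK8Z4QkX.
energywise domain campus secret 7 0822455D0A16
energywise management secret 7 1511021F0725
ntp server 10.0.0.10
"""

# Same device at the next poll: only the type-7 strings have been re-encoded.
RUN_AFTER_NOCHANGE = """\
hostname sw-floor3
enable secret 5 $1$abcd$Gv0G6mXLAhTzTLK8Z4QkX.
energywise domain campus secret 7 030752180500
energywise management secret 7 104D000A0618
ntp server 10.0.0.10
"""

# A real change (new NTP server) plus the work-around from the post: the
# domain secret now stored as method 0, i.e. in clear text.
RUN_AFTER_CHANGED = """\
hostname sw-floor3
enable secret 5 $1$abcd$Gv0G6mXLAhTzTLK8Z4QkX.
energywise domain campus secret 0 Summ3rPl@ce
energywise management secret 7 104D000A0618
ntp server 10.0.0.10
ntp server 10.0.0.11
"""

# Type 7 is the reversible IOS obfuscation whose output, as the post observes,
# can differ from one display to the next. Mask it before comparing. Type 5 and
# other hashes are stable and are left alone so a real secret change still shows.
TYPE7_RE = re.compile(r"\b(secret|password|key) 7 [0-9A-Fa-f]{4,}\b")
PLAINTEXT_RE = re.compile(r"\b(secret|password|key) 0 \S+")


def mask_type7(config: str) -> str:
    return TYPE7_RE.sub(r"\1 7 <type7-masked>", config)


def config_diff(old: str, new: str) -> List[str]:
    """Unified diff of the two snapshots with type-7 churn removed."""
    return [line.rstrip("\n") for line in difflib.unified_diff(
        mask_type7(old).splitlines(keepends=True),
        mask_type7(new).splitlines(keepends=True),
        fromfile="previous", tofile="current", n=0)]


def config_changed(old: str, new: str) -> bool:
    return bool(config_diff(old, new))


def plaintext_secrets(config: str) -> List[str]:
    """Lines that store a secret with method 0, readable by anyone who can view
    the configuration: the downside of the work-around in the post."""
    return [line for line in config.splitlines() if PLAINTEXT_RE.search(line)]


if __name__ == "__main__":
    print("type-7 churn only:", config_changed(RUN_BEFORE, RUN_AFTER_NOCHANGE))
    print("real change:", config_changed(RUN_BEFORE, RUN_AFTER_CHANGED))
    for line in config_diff(RUN_BEFORE, RUN_AFTER_CHANGED):
        print("  " + line)
    print("clear-text secrets:", plaintext_secrets(RUN_AFTER_CHANGED))
```

Masking on the stored copy, not the device, keeps the diff honest: the secret changing from one type-7 value to another is invisible, but a secret changing from type 7 to type 0 (or a new line appearing) still alerts, which is exactly the split a change-control system wants.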
From: Jason.Mishka at UToledo.Edu (Mishka, Jason)
Date: Fri, 15 Jan 2010 16:38:29 -0500
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <0DD058ED-CC36-447E-AF33-57B98ACCC243@gmail.com>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net> <0DD058ED-CC36-447E-AF33-57B98ACCC243@gmail.com>
Message-ID:

We inherited a cluster of Bluecat Adonis boxes a few years ago during a merger. They were terrible. I've never seen an application so poorly written that ran something as simple as DNS and DHCP. I can tell three stories....

On one particular occasion we were applying updates to apply new tz information as DST was changing by a few weeks. I called for support since everything was running slow and basically got blamed for waiting too long to apply the patches. Apparently they didn't have enough capacity to handle the load since the patches were time sensitive.

We also had a number of problems with dynamic DNS. The machines were configured in a cluster which would fail from time to time for no reason. When this happened the DHCPID or txt records for the dynamic client would get lost and the clients wouldn't be able to update their own record later.

Lastly, if the client and appliances were running different versions of code the client could corrupt the config while applying changes. A number of times, we had other admins update to the latest client without knowing that the server had to match. Unfortunately, the thing wasn't smart enough to check the client version and throw an error.

We moved back to a few redhat boxes and haven't had any trouble since. I'd recommend against a bluecat appliance based on our experience.

Jason Mishka

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alasdair McWilliam
Sent: Friday, January 15, 2010 2:11 PM
To: Church, Charles
Cc: nsp-cisco
Subject: Re: [c-nsp] OT - Infoblox vs. Bluecat

We use InfoBlox and it's pretty good. We have a grid containing several pairs of HA nodes at various DCs, used for DNS, DHCP and IP Management. We're not using IPv6 though.

On 15 Jan 2010, at 15:09, Church, Charles wrote:
> I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
>
> Thanks in advance,
>
> Chuck

From brhedlun at cisco.com Fri Jan 15 22:49:27 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 15 Jan 2010 21:49:27 -0600
Subject: [c-nsp] Cisco UCS
In-Reply-To:
References:
Message-ID: <95E6CE3F-C5F8-4A4B-AFC3-B5C70FEF1181@cisco.com>

Eric,

FWIW, here is a customer who has been blogging about his experience with implementing Cisco UCS: http://healthitguy.wordpress.com/category/cisco-ucs/

-- 
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Jan 14, 2010, at 11:31 AM, Eric Cables wrote:
> Our local sales team has really been bombarding us with material on Cisco's
> UCS (Unified Compute System) as of late, and I was wondering who on this
> list has begun deployment of UCS. If you have decided to deploy, how has
> your experience been? Also, I'd like to hear how you were able to convince
> your server folks to switch from , to a Cisco based
> hardware platform.
>
> Thanks,
>
> -- Eric Cables

From brhedlun at cisco.com Fri Jan 15 23:11:02 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 15 Jan 2010 22:11:02 -0600
Subject: [c-nsp] Cisco UCS
Message-ID: <64981BDC-520B-442B-B62C-062EC8761734@cisco.com>

One other thing:

In my position at Cisco I have been involved in many Cisco UCS deals, and in all of these engagements I have yet to see where the Network team needs to convince the Server team to buy Cisco UCS. In every deal I have been involved in it has been the Server team deciding to move forward with UCS purely on its merits as a Data Center virtualization platform. Rather, it's usually the Network team that comes in towards the end and gives their stamp of approval with respect to how the system interconnects to the Data Center core.

In other words, if your Cisco account team is putting the pressure on you (the Network team) to convince the Server team to buy UCS, I can tell you from experience they are going about it all wrong :)

Cheers,
Brad

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Jan 14, 2010, at 11:31 AM, Eric Cables wrote:

> Our local sales team has really been bombarding us with material on Cisco's UCS (Unified Compute System) as of late, and I was wondering who on this list has begun deployment of UCS. If you have decided to deploy, how has your experience been?

From randy_94108 at yahoo.com Fri Jan 15 23:56:15 2010
From: randy_94108 at yahoo.com (Randy)
Date: Fri, 15 Jan 2010 20:56:15 -0800 (PST)
Subject: [c-nsp] Fw: Re: [Disarmed] Re: RIB failure : Higher admin distance
Message-ID: <70283.54674.qm@web80506.mail.mud.yahoo.com>

--- On Fri, 1/15/10, Randy wrote:

From: Randy
Subject: Re: [Disarmed] Re: [c-nsp] RIB failure : Higher admin distance
To: "Andy Ashley"
Date: Friday, January 15, 2010, 8:47 PM

Hi Andy:

...I am taking a closer look at your first post and going *wait a second..*

What you are seeing is what one would expect to see in Router A, site A:

From the "show commands" in your first post:

Router A learns site B's /24 via the GRE tunnel as an iBGP route with an AD of 200 (as shown in your "sh ip bgp x.x.x.x/24" in question). Router A puts this route in its BGP route table but does not advertise this route to any eBGP peer because iBGP routes are not injected into eBGP unless "redistribute internal" is explicitly configured.

Router A also learns site B's /24 via the private link as an OSPF route with an AD of 110 (as shown in your "sh ip route x.x.x.x/24") and puts the route learned via OSPF in its IP routing table and FIB since it has a better AD: 110 as opposed to 200.

As a result, the same /24 learned via iBGP that is in A's BGP route table, for obvious reasons, suffers a RIB-failure because the same route learned by A via OSPF with a better AD is already installed in A's IP route table and FIB.

Having explained the *normal behavior* you are seeing in router A, my question is:

1) Are you trying to announce site B's /24 from site A to your upstreams, OR
2) Are you trying to announce your site B /24 *from site B*, and that is failing?

If you are trying to announce site B's /24 from site A to its upstreams you already have the "answer" to make that work! (deploy a lot of outbound filters before you redistribute iBGP into eBGP)

If on the other hand site B's /24 is not being announced *by site B* to its eBGP peer, I would have to look at the config in site B's rtr.

Regards,
./Randy

From frnkblk at iname.com Sat Jan 16 00:52:01 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Fri, 15 Jan 2010 23:52:01 -0600
Subject: [c-nsp] OT - Infoblox vs. Bluecat
In-Reply-To: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>

We've been using Bluecat for several years in a SP environment primarily for DHCP and we've had a tough go of it, with the product, people, and support (contact me off-list for more detail). Based on our experience, I think it's a better fit in an enterprise environment with a single DHCP/DNS administrator.

A few months ago I had a web-based presentation and demo of the Infoblox product and would probably buy their product the next time.

In regards to IPv6 support, this is from the BlueCat's Adonis v6.0.1 release notes:
- DNS Service is not supported on XHA in IPv6 networks.
- Cannot configure an IPv6 address on an NIC.

When I asked about DHCPv6, this was the tech support person's response: "What do you mean by DHCPv6?" And this coming from a DHCP/DNS appliance vendor. When I pointed them to the Wikipedia article, they came back and said they don't support it. When I asked for an ETA, they wrote back "I am sorry, but I don't have any ETA." I then asked if they support DNS over IPv6, and they wrote back "I am sorry but, we don't support DNS over IPv6."

So unless things have changed drastically from late October, it would appear that BlueCat's claims for IPv6 support are false.

Frank
From Charles.Church at harris.com Sat Jan 16 08:44:20 2010
From: Charles.Church at harris.com (Church, Charles)
Date: Sat, 16 Jan 2010 08:44:20 -0500
Subject: [c-nsp] OT - Infoblox vs. Bluecat
References: <290EF89F13F04F4E924BB235A46D18F108C660EA3D@MLBMXUS2.cs.myharris.net>
Message-ID: <290EF89F13F04F4E924BB235A46D18F108C660EC2C@MLBMXUS2.cs.myharris.net>

Thank you all for your responses. Doesn't seem like a real consensus, but at least I've got a few issues to bounce off the two vendors.

Chuck
From arla at rn.dk Sat Jan 16 10:31:08 2010
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Sat, 16 Jan 2010 16:31:08 +0100
Subject: [c-nsp] how to connect vss-setup via mpls core
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk>

Hi all.

I need some advice.
Is there a way to connect two VSS setups without using direct fibers on layer 2? I would like the two sites to connect via our MPLS cloud, so that VLANs configured on the boxes can reach each other on layer 2 and be able to announce the layer 3 network via BGP on both sites.
If VLAN 200 is configured on both sites, is it possible to use EoMPLS to connect these two, and make them active/standby to each other on layer 3 using VRRP or HSRP?
I've been searching the Cisco web for docs, but all I can find is only usable on layer 2.

/Arne

From lists at nexus6.co.za Sat Jan 16 14:48:08 2010
From: lists at nexus6.co.za (Andy Ashley)
Date: Sat, 16 Jan 2010 19:48:08 +0000
Subject: [c-nsp] Fw: Re: [Disarmed] Re: RIB failure : Higher admin distance
In-Reply-To: <70283.54674.qm@web80506.mail.mud.yahoo.com>
References: <70283.54674.qm@web80506.mail.mud.yahoo.com>
Message-ID: <4B5217F8.4060702@nexus6.co.za>

> --- On Fri, 1/15/10, Randy wrote:
>
> Hi Andy:
> ...I am taking a closer look at your first post and going *wait a second..*
> What you are seeing is what one would expect to see in Router A, site A:
> From the "show commands" in your first post:
> Router A learns site B's /24 via the GRE tunnel as an iBGP route with an AD of 200 (as shown in your "sh ip bgp x.x.x.x/24" in question). Router A puts this route in its BGP route table but does not advertise this route to any eBGP peer because iBGP routes are not injected into eBGP unless "redistribute internal" is explicitly configured.

Correct, it won't advertise this route to our upstreams. We don't have "redistribute internal" configured.

> Router A also learns site B's /24 via the private link as an OSPF route with an AD of 110 (as shown in your "sh ip route x.x.x.x/24") and puts the route learned via OSPF in its IP routing table and FIB since it has a better AD: 110 as opposed to 200.
> As a result, the same /24 learned via iBGP that is in A's BGP route table, for obvious reasons, suffers a RIB-failure because the same route learned by A via OSPF with a better AD is already installed in A's IP route table and FIB.

Yes, that is correct and I believe this is exactly what is happening - so it is in fact normal due to the AD rules.

> Having explained the *normal behavior* you are seeing in router A, my question is:
> 1) Are you trying to announce site B's /24 from site A to your upstreams

Yes, we want to announce site B's /24 from site A and B.

We want site A to learn site B's /24 route via either OSPF or iBGP (over the tunnel or private link) and, should the private link break, site A will withdraw the announcement to our upstreams there because it will no longer learn this route via OSPF or iBGP. That should mean that site B stays online as the /24 is still announced via the transit provider there (and to exchange peers).

> OR
> 2) You are trying to announce your site B /24 *from site B*, and that is failing.

We are trying to do this. When we withdraw the present /20 route at site A (keeping the /24 static in on the router at site B), the route isn't announced from site B, by site B. I have made sure that the transit provider is accepting the longer prefix, etc. but the RIB failure prevents it even getting to the stage of trying to announce to the transit provider over the eBGP session.

> If you are trying to announce site B's /24 from site A to its upstreams you already have the "answer" to make that work! (deploy a lot of outbound filters before you redistribute iBGP into eBGP)

OK, so we should filter announcements of the /24 via the (tunnelled) iBGP session between sites, so that the route is learned only by OSPF over the private link and upstream transit? (hopefully meaning if the private link breaks that the tunnel will re-establish over transit)

> If on the other hand site B's /24 is not being announced *by site B* to its eBGP peer, I would have to look at the config in site B's rtr.

Which bits of the config? It's quite long =)

> Regards,
> ./Randy

Thanks,

Regards,
Andy

From avayner at cisco.com Sat Jan 16 15:08:23 2010
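
The selection Randy describes and the state Andy is seeing at site A, as an added illustration (this is not code from the thread, and not anything Cisco ships): one winner per prefix chosen by administrative distance, the losing iBGP path kept in the BGP table as RIB-failure, and the private-link failure case where the iBGP path takes over. Prefixes and next hops are constructed; the AD values are the IOS defaults. The advertisement rule models the IOS default that a RIB-failure path is still advertised to peers unless "bgp suppress-inactive" is configured under the address family, so the check that matters for Andy's question is "show ip bgp neighbors <peer> advertised-routes" on the site B router rather than the RIB-failure flag itself.

```python
"""Toy model of IOS route selection by administrative distance (AD) and the
resulting "RIB-failure" state in the BGP table, for the site A scenario in
this thread.  Added illustration only: not code from the thread or from
Cisco.  Prefixes and next hops below are constructed; AD values are the
IOS defaults."""
from dataclasses import dataclass

# IOS default administrative distances for the route sources in the thread.
AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str    # e.g. "10.20.5.0/24"
    proto: str     # key into AD
    next_hop: str  # constructed address


def build_rib(routes):
    """One winner per prefix: the lowest-AD candidate goes into the IP
    routing table (and from there into the FIB)."""
    rib = {}
    for r in routes:
        cur = rib.get(r.prefix)
        if cur is None or AD[r.proto] < AD[cur.proto]:
            rib[r.prefix] = r
    return rib


def bgp_table(routes, rib):
    """BGP keeps every BGP-learned path.  A path that lost to a lower-AD
    protocol is not dropped; 'show ip bgp' flags it as RIB-failure."""
    table = {}
    for r in routes:
        if r.proto in ("ibgp", "ebgp"):
            status = "installed" if rib[r.prefix] is r else "RIB-failure"
            table[r.prefix] = (r, status)
    return table


def ebgp_advertisements(table, suppress_inactive=False):
    """Prefixes BGP offers to an eBGP peer (before any outbound policy).
    IOS default: RIB-failure paths are still advertised; the knob
    'bgp suppress-inactive' under the address family turns that off."""
    return sorted(p for p, (_, status) in table.items()
                  if status == "installed" or not suppress_inactive)


def site_a(private_link_up=True):
    """Site A as described: site B's /24 arrives via OSPF on the private
    link (AD 110) and via iBGP over the GRE tunnel (AD 200)."""
    routes = [Route("10.20.5.0/24", "ibgp", "10.255.0.2")]  # tunnel peer (constructed)
    if private_link_up:
        routes.append(Route("10.20.5.0/24", "ospf", "10.254.0.2"))  # private link (constructed)
    rib = build_rib(routes)
    return rib, bgp_table(routes, rib)


if __name__ == "__main__":
    for up in (True, False):
        rib, table = site_a(private_link_up=up)
        _, status = table["10.20.5.0/24"]
        print(f"private link up={up}: installed via {rib['10.20.5.0/24'].proto}, "
              f"iBGP path {status}, advertised to eBGP: "
              f"{ebgp_advertisements(table)} (with suppress-inactive: "
              f"{ebgp_advertisements(table, suppress_inactive=True)})")
```

With the private link up the OSPF route wins the RIB and the iBGP path is RIB-failure, which is exactly the "normal behaviour" Randy describes; with it down the iBGP path is installed. Whether the RIB-failure path reaches the eBGP peer depends on suppress-inactive and on the outbound filters, not on the flag alone.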
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 16 Jan 2010 21:08:23 +0100
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk>

Arne,

Why would you want to do that in such a way?
In order to get the real benefit of VSS you would need all the access switches connected to both VSS nodes, which would require links from DC1 to DC2 per each access switch...
The same would apply to upstream Layer 3 connectivity...

If you do not plan to have this kind of a full mesh, then why would you want to use VSS in the first place?

With regards to layer 2 interconnect between DCs, this is a very common design nowadays, and MPLS is used in many solutions.
I suggest you take a look at this link:
http://www.cisco.com/en/US/netsol/ns975/index.html (take a look at the whitepaper).

Also, there is a very good Cisco Press book about this whole subject:
http://www.ciscopress.com/bookstore/product.asp?isbn=9781587059926

In the coming Networkers event in Barcelona there will be a few sessions about this, and a number of people in the Meet the Engineer venue who can help with this subject.

Arie
From arla at rn.dk Sun Jan 17 02:40:41 2010
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Sun, 17 Jan 2010 08:40:41 +0100
Subject: [c-nsp] how to connect vss-setup via mpls core
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk>
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>

Hi Arie.

Sorry for not explaining the setup in detail. But anyway, this is the case.

layer2 sw ---6500                         6500--- layer2 sw
               |  > vss1 - (MPLS-Core) - vss2 <  |
layer2 sw ---6500                         6500--- layer2 sw

Each site has a full VSS environment with its own local layer 2 switches.
What I'd like to be able to do is set up a few VLANs on both sites that can host servers on the same broadcast domain.
Furthermore I'd like to be able to announce the layer 3 connection on the VLAN via BGP to our customers.
How is it possible to enable a layer 3 interface on the VLAN in each local site and run EoMPLS or VPLS between the two sites on layer 2?

Arne
From avayner at cisco.com Sun Jan 17 05:06:22 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 17 Jan 2010 11:06:22 +0100
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>

Arne,

In this case you would have a local VSS pair in each local site, and you just wish to interconnect the different sites together with end to end Layer 2 support.

The most trivial solution would be to get a redundant point to point Layer 2 service (2 layer 2 circuits) which would be used to connect the 6500 devices. As you are running VSS, the two links can be bundled into a MEC (Multichassis EtherChannel), and then you can allow the specific VLANs to be bridged across (and another VLAN for Layer 3 connectivity).

The disadvantage of this solution is that you carry the Spanning Tree state across this link. If a link fails inside DC1, the TCN would be carried to the other side as well, causing a MAC relearning event. As you are on VSS, this is less critical, as you would most likely be running MEC to the access layer switches as well.

You can also filter STP on the WAN link, but then you run into a (slight) risk of a loop due to some crazy failure scenario.

This option is described here:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_493718.html#wp9000207

Be aware that this design is strictly proposed for dual DC designs. If you need to introduce a 3rd DC into the topology, you can't just connect it to the other pair using the same solution. This would create a layer 2 loop across the DCs. We have other (slightly more complex) solutions for >2 DC designs.

Arie
From bob_arthurs at hotmail.co.uk Sun Jan 17 07:53:34 2010
From: bob_arthurs at hotmail.co.uk (Bob Arthurs)
Date: Sun, 17 Jan 2010 12:53:34 +0000
Subject: [c-nsp] HWIC-4ESW (routed ports - basic question??)

hi all,

I'm just about to install some HWIC-4ESW into our 3800s on some customer sites and I have a quick question - couldn't find a clear answer on cco.

Can I configure the Ethernet ports on the HWIC-4ESW as routed ports (no switchport)? Or do I have to configure SVIs and then assign the ports to the SVI associated VLANs?

I want to avoid the extra config with SVIs and keep it simple with routed ports if at all possible.

Thanks for any help in advance.

From gkg at gmx.de Sun Jan 17 10:20:13 2010
From: gkg at gmx.de (Garry)
Date: Sun, 17 Jan 2010 16:20:13 +0100
Subject: [c-nsp] HWIC-4ESW (routed ports - basic question??)
Message-ID: <4B532AAD.3080301@gmx.de>

Bob Arthurs wrote:
> hi all,
>
> I'm just about to install some HWIC-4ESW into our 3800s on some customer sites and I have a quick question - couldn't find a clear answer on cco.
>
> Can I configure the Ethernet ports on the HWIC-4ESW as routed ports (no switchport)? Or do I have to configure SVIs and then assign the ports to the SVI associated VLANs?
>
> I want to avoid the extra config with SVIs and keep it simple with routed ports if at all possible.

You will need to configure a VLAN access port, for which you can then configure IP routing:

  ! HWIC-4ESW port as an access port in VLAN 2
  int fa0
   switchport access vlan 2
  ! the routed interface is the SVI for that VLAN
  int vlan 2
   ip address ...

-garry

From brhedlun at cisco.com Sun Jan 17 12:47:34 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Sun, 17 Jan 2010 11:47:34 -0600
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>
Message-ID: <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com>

Arne,

Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration. This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS. Best practice would be to configure BPDU filtering on that port channel so you can keep your STP domains isolated between the two Data Centers. This provides a loop free L2 topology between two DCs over almost any distance.

6500---------EoMPLS---------6500
 vss      (port channel)     vss
6500---------EoMPLS---------6500

Cheers,
Brad

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Jan 17, 2010, at 1:40 AM, Arne Larsen / Region Nordjylland wrote:

> Each site has a full vss environment with it's own local layer 2 switches.
> What I'll like to able to do is, setup a few Vlan's on both sites that can host servers on the same broadcast domain.
> Further more I'll like to able to announce the layer3 connection on the Vlan via bgp to our costumers.
> How is it possible to enable a layer3 interface on the Vlan in each local site and run eompls or vpls between the 2 sites on layer2 .
From kevinw at telnetww.com Sun Jan 17 13:34:35 2010
From: kevinw at telnetww.com (Kevin Warwashana)
Date: Sun, 17 Jan 2010 13:34:35 -0500
Subject: [c-nsp] PA-MC-T3-EC
Message-ID: <002501ca97a3$b8333eb0$2899bc10$@com>

Can anyone confirm if the PA-MC-T3-EC card works in a 7206VXR w/NPE-G1 on 15.0M? All the docs show 12.4T and above so that leads me to believe it will work, but using the software advisor I noticed the card isn't even listed.

Thanks,
Kevin

From arla at rn.dk Sun Jan 17 15:25:11 2010
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Sun, 17 Jan 2010 21:25:11 +0100
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>, <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com>
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk>

Hi Brad.

Thanks for your answers. The layer 2 connection, as you all mentioned, I'm pretty sure about. And yes, we are using MPLS software.
But I still can't find out about the layer 3 interfaces. Can the VLANs that are distributed via EoMPLS between the two sites have layer 3 interfaces?
Is it possible to make VLAN 2 that is connected via EoMPLS between the 2 sites, and furthermore set up an IP interface vlan2 on both sites using VRRP or HSRP to control the active/standby function and the announcement of the network via BGP to the core network?

/Arne

________________________________________
From: Brad Hedlund [brhedlun at cisco.com]
Sent: 17 January 2010 18:47
To: Arne Larsen / Region Nordjylland
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] how to connect vss-setup via mpls core

Arne,

Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration. This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS. Best practice would be to configure BPDU filtering on that port channel so you can keep your STP domains isolated between the two Data Centers. This provides a loop free L2 topology between two DCs over almost any distance.
6500---------EoMPLS---------6500 vss (port channel) vss 6500---------EoMPLS---------6500 Cheers, Brad -- Brad Hedlund, CCIE #5530 Consulting Systems Engineer, Data Center bhedlund at cisco.com http://www.internetworkexpert.org On Jan 17, 2010, at 1:40 AM, Arne Larsen / Region Nordjylland wrote: > > Hi Arie. > > Sorry for not explaining the setup in detail. But anyway this is the case. > > layer2 sw ---6500 6500 --- layer2 sw > | > vss1 - (MPLS-Core) - vss2 < > layer2 sw ----6500 6500 -- layer2 sw > > > Each site has a full vss environment with it's own local layer 2 switches. > What I'll like to able to do is, setup a few Vlan's on both sites that can host servers on the same broadcast domain. > Further more I'll like to able to announce the layer3 connection on the Vlan via bgp to our costumers. > How is it possible to enable a layer3 interface on the Vlan in each local site and run eompls or vpls between the 2 sites on layer2 . > > Arne > > -----Oprindelig meddelelse----- > Fra: Arie Vayner (avayner) [mailto:avayner at cisco.com] > Sendt: 16. januar 2010 21:08 > Til: Arne Larsen / Region Nordjylland; cisco-nsp at puck.nether.net > Emne: RE: [c-nsp] how to connect vss-setup via mpls core > > Arne, > > Why would you want to do that in such a way? > In order to get the real benefit of VSS you would need all the access switches connected to both VSS nodes, which would require links from DC1 to DC2 per each access switch... > The same would apply to upstream Layer 3 connectivity... > > If you do not plan to have this kind of a full mesh, then why would you want to use VSS in the first place. > > With regards to layer 2 interconnect between DCs, this is a very common design nowadays, and MPLS is used in many solutions. > I suggest you take a look at this link: > http://www.cisco.com/en/US/netsol/ns975/index.html (take a look at the whitepaper). 
> > Also, there is a very good Cisco Press book about this whole subject: > http://www.ciscopress.com/bookstore/product.asp?isbn=9781587059926 > > In the coming Networkers event in Barcelona there would be a few sessions about this, and a number of people in Meet the Engineer venue which can help with this subject. > > Arie > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland > Sent: Saturday, January 16, 2010 17:31 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] how to connect vss-setup via mpls core > > Hi all. > > I need an advice. > Is there a way to connect 2 vss-setup's with out using direct fibers on layer 2 I would like the to sites to connect via our mpls cloud, so that vlan's configured on the boxes can reach each other on layer2 and be able top announce the layer3 network via bgp on both sites. > If vlan 200 is configured on both sites, is it possible to use eompls to connect these 2, and make them active/stanby to each other on layer3 using vrrp or hsrp. > I been searching the cisco web for doc. But all I can find is only useable on layer2. > > /Arne > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From brhedlun at cisco.com Sun Jan 17 21:47:52 2010 
From: brhedlun at cisco.com (Brad Hedlund)
Date: Sun, 17 Jan 2010 20:47:52 -0600
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>, <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk>
Message-ID:

Arne,

The VLANs extended between Data Centers can be configured with Layer 3 interfaces and services no different than any other VLAN. SVIs can be configured, HSRP groups can be formed (within and between DCs), and the IP network for the VLANs can be announced by BGP (or any other protocol). As you can imagine, thinking about how flows enter and leave the Data Centers can get quite interesting :-)

Cheers,
Brad

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Jan 17, 2010, at 2:25 PM, Arne Larsen / Region Nordjylland wrote:

> Hi Brad.
>
> Thanks for your answers, the layer 2 connection, as you all mentioned, I'm pretty sure about.
> And yes, we are using MPLS software.
> But I still can't find out about the layer 3 interfaces.
> The VLANs that are distributed via EoMPLS between the two sites, can they have layer 3 interfaces?
> Is it possible to make VLAN 2, which is connected via EoMPLS between the 2 sites, and furthermore set up an IP interface vlan2 on both sites using VRRP or HSRP to control the active/standby function and the announcement of the network via BGP to the core network?
>
> /Arne
>
> ________________________________________
> From: Brad Hedlund [brhedlun at cisco.com]
> Sent: 17.
januar 2010 18:47 > Til: Arne Larsen / Region Nordjylland > Cc: cisco-nsp at puck.nether.net > Emne: Re: [c-nsp] how to connect vss-setup via mpls core > > Arne, > > Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration. > This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS. Best practice would be to configure BPDU filtering on that port channel so you can keep your STP domains isolated between the two Data Centers. This provides a loop free L2 topology between two DCs over almost any distance. > > 6500---------EoMPLS---------6500 > vss (port channel) vss > 6500---------EoMPLS---------6500 > > Cheers, > Brad > > -- > Brad Hedlund, CCIE #5530 > Consulting Systems Engineer, Data Center > bhedlund at cisco.com > http://www.internetworkexpert.org > > > > > On Jan 17, 2010, at 1:40 AM, Arne Larsen / Region Nordjylland wrote: > >> >> Hi Arie. >> >> Sorry for not explaining the setup in detail. But anyway this is the case. >> >> layer2 sw ---6500 6500 --- layer2 sw >> | > vss1 - (MPLS-Core) - vss2 < >> layer2 sw ----6500 6500 -- layer2 sw >> >> >> Each site has a full vss environment with it's own local layer 2 switches. >> What I'll like to able to do is, setup a few Vlan's on both sites that can host servers on the same broadcast domain. >> Further more I'll like to able to announce the layer3 connection on the Vlan via bgp to our costumers. >> How is it possible to enable a layer3 interface on the Vlan in each local site and run eompls or vpls between the 2 sites on layer2 . >> >> Arne >> >> -----Oprindelig meddelelse----- >> Fra: Arie Vayner (avayner) [mailto:avayner at cisco.com] >> Sendt: 16. januar 2010 21:08 >> Til: Arne Larsen / Region Nordjylland; cisco-nsp at puck.nether.net >> Emne: RE: [c-nsp] how to connect vss-setup via mpls core >> >> Arne, >> >> Why would you want to do that in such a way? 
>> In order to get the real benefit of VSS you would need all the access switches connected to both VSS nodes, which would require links from DC1 to DC2 per each access switch... >> The same would apply to upstream Layer 3 connectivity... >> >> If you do not plan to have this kind of a full mesh, then why would you want to use VSS in the first place. >> >> With regards to layer 2 interconnect between DCs, this is a very common design nowadays, and MPLS is used in many solutions. >> I suggest you take a look at this link: >> http://www.cisco.com/en/US/netsol/ns975/index.html (take a look at the whitepaper). >> >> Also, there is a very good Cisco Press book about this whole subject: >> http://www.ciscopress.com/bookstore/product.asp?isbn=9781587059926 >> >> In the coming Networkers event in Barcelona there would be a few sessions about this, and a number of people in Meet the Engineer venue which can help with this subject. >> >> Arie >> >> >> -----Original Message----- 
>> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland >> Sent: Saturday, January 16, 2010 17:31 >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] how to connect vss-setup via mpls core >> >> Hi all. >> >> I need an advice. >> Is there a way to connect 2 vss-setup's with out using direct fibers on layer 2 I would like the to sites to connect via our mpls cloud, so that vlan's configured on the boxes can reach each other on layer2 and be able top announce the layer3 network via bgp on both sites. >> If vlan 200 is configured on both sites, is it possible to use eompls to connect these 2, and make them active/stanby to each other on layer3 using vrrp or hsrp. >> I been searching the cisco web for doc. But all I can find is only useable on layer2. >> >> /Arne >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From robhass at gmail.com Mon Jan 18 07:14:31 2010 
From: robhass at gmail.com (Robert Hass)
Date: Mon, 18 Jan 2010 13:14:31 +0100
Subject: [c-nsp] Hardware PBR on Sup720/PFC3BXL
Message-ID: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com>

Hi

I have to implement some Policy-Based Routing (PBR) route-maps on a few Catalyst 6500. We are currently using Sup720/PFC3BXL with IOS 12.2(33)SXH6, but we can migrate to SXI if it helps. Are the PBR route-maps below supported in hardware on PFC3B/DFC3B?

route-map pbr2 permit 10
 set global
!
route-map pbr permit 10
 match ip address 160
 set vrf r2
!
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 780
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 782
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 787
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 790
access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 796
access-list 160 permit tcp any x.x.0.0 0.0.255.255 range 50000 51000

Thanks
Robert

From Michael.Robson at manchester.ac.uk Mon Jan 18 08:15:47 2010
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Mon, 18 Jan 2010 13:15:47 +0000
Subject: [c-nsp] 2800s and L2TPv3
In-Reply-To: <4B50A3EE.9000708@whole.net.uk>
References: <4B50A3EE.9000708@whole.net.uk>
Message-ID:

On 15 Jan 2010, at 17:20, Pete Barnwell wrote:

> Michael Robson wrote:
>> I was convinced that our 2851s would support L2TPv3 and the ipbase version, but two different images (the newer being 124-18e ipbase) will not accept the xconnect command: what am I missing here?
>>
>> Ta.
>>
>> Michael.
>>
>
> According to software advisor it's not in ipbase - it shows Adv Ip
> services, advanced enterprise service, SP and enterprise but not base.
>

Ah, obviously the Cisco Software Advisor is more reliable than the info. I got via Google ;)

Thanks to all that answered this for me.

Michael.
--

From b.mwlam at gmail.com Mon Jan 18 08:31:13 2010
From: b.mwlam at gmail.com (b lam)
Date: Mon, 18 Jan 2010 21:31:13 +0800
Subject: [c-nsp] (no subject)
Message-ID: <51ef02931001180531g49e09409o7b91ed9ee369573a@mail.gmail.com>

hi, did you use the command 'mls qos'? My question is, when I enter the command 'mls qos' there will be a hardware counter and a software counter; which one should I count? Or both? Please help. Thanks, paul

From flokuehn at googlemail.com Mon Jan 18 10:17:21 2010
From: flokuehn at googlemail.com (Florian Kühn)
Date: Mon, 18 Jan 2010 16:17:21 +0100
Subject: [c-nsp] cisco 2801 and HWIC-2T
Message-ID: <627fa38b1001180717k77fd5124if1187f2c9ffb98c4@mail.gmail.com>

Hi.

Is there anything special I need to look for when I want to configure an HWIC-2T, controller e1? On a 2801 with IOS 12.4(25b) I am not able to use either the command controller e1 nor card type ... does anybody have a clue?

Furthermore, there is confusing information from Cisco. Following the link below you will find the HWIC-2T supported by the 2801.
http://www.cisco.com/en/US/prod/collateral/modules/ps5949/datasheet_c78-491363.html

But, following this link, you will find the HWIC-2T not explicitly supported.
http://www.cisco.com/en/US/products/hw/routers/ps274/products_tech_note09186a00800b0858.shtml

Can anybody tell me if it is possible to use the HWIC-2T with the mentioned IOS version and hardware?

Thank you in advance
flokuehn

From rwest at zyedge.com Mon Jan 18 10:39:13 2010
From: rwest at zyedge.com (Ryan West) Date: Mon, 18 Jan 2010 15:39:13 +0000 Subject: [c-nsp] cisco 2801 and HWIC-2T In-Reply-To: <627fa38b1001180717k77fd5124if1187f2c9ffb98c4@mail.gmail.com> References: <627fa38b1001180717k77fd5124if1187f2c9ffb98c4@mail.gmail.com> Message-ID: <5DC4853C6CC3EE4788779E0726E034DD0A5726@zy-ex1.zyedge.local> Flokuehn, > -----Original Message----- > Sent: Monday, January 18, 2010 10:17 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] cisco 2801 and HWIC-2T > > Hi. > > is there anything special i need to look for, while i want to confiugre > an > hwic-2t, controller e1? on an 2801 with ios12.4(25b) iam not able to > use, > either the > command controller e1 nor card type ... does anybody have a clue? > > Further there are confusing information from cisco. > Following the mentioned link you will find the HWIC-2T supported by > 2801. > > http://www.cisco.com/en/US/prod/collateral/modules/ps5949/datasheet_c78 > -491363.html > > But, following this link you will find the HWIC-2T not explicitly > supported. > > http://www.cisco.com/en/US/products/hw/routers/ps274/products_tech_note > 09186a00800b0858.shtml > > Can anybody tell me if it is possible to use the HWIC-2T with the > mentioned > IOS version and Hardware? > The card is supported on your platform, but it's a T1 only card, so controller e1 or card type won't work for it. http://www.cisco.com/en/US/products/ps5854/products_relevant_interfaces_and_modules.html Thanks, -ryan From arla at rn.dk Mon Jan 18 10:59:03 2010 
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Mon, 18 Jan 2010 16:59:03 +0100
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To:
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>, <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk>,
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4429@SRVEXC02.aas.its.nja.dk>

Hi Brad

Exactly my thinking about the announcement of the network on both sites. But the problem is, I can't configure EoMPLS on a tagged interface. If I put an interface into a VRF instance the switch won't accept the EoMPLS statements of the IP addresses. Is this because EoMPLS is hard coded to use the global routing table and is thereby not able to handle interfaces that are in a VPN routing table? Here is my error:

aasnxc6-1(config-if)#xconnect 192.160.101.32 3300 encapsulation mpls
Incompatible with ip address command on Vl3300 - command rejected.

The interface belongs to a VPN and the IP address in the xconnect statement is the loopback address of the peer VSS router. I have tried to use addresses that are in the VPN routing table, but I get the same error.

/Arne

________________________________________
From: Brad Hedlund [brhedlun at cisco.com]
Sent: 18 January 2010 03:47
To: Arne Larsen / Region Nordjylland
Cc: cisco-nsp at puck.nether.net
Subject: Re: SV: [c-nsp] how to connect vss-setup via mpls core

Arne,

The VLANs extended between Data Centers can be configured with Layer 3 interfaces and services no different than any other VLAN. SVIs can be configured, HSRP groups can be formed (within and between DCs), and the IP network for the VLANs can be announced by BGP (or any other protocol).
As you can imagine, thinking about how flows enter and leave the Data Centers can get quite interesting :-)

Cheers,
Brad

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Jan 17, 2010, at 2:25 PM, Arne Larsen / Region Nordjylland wrote:

> Hi Brad.
>
> Thanks for your answers, the layer 2 connection, as you all mentioned, I'm pretty sure about.
> And yes, we are using MPLS software.
> But I still can't find out about the layer 3 interfaces.
> The VLANs that are distributed via EoMPLS between the two sites, can they have layer 3 interfaces?
> Is it possible to make VLAN 2, which is connected via EoMPLS between the 2 sites, and furthermore set up an IP interface vlan2 on both sites using VRRP or HSRP to control the active/standby function and the announcement of the network via BGP to the core network?
>
> /Arne
>
> ________________________________________
> From: Brad Hedlund [brhedlun at cisco.com]
> Sent: 17 January 2010 18:47
> To: Arne Larsen / Region Nordjylland
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] how to connect vss-setup via mpls core
>
> Arne,
>
> Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration.
> This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS. Best practice would be to configure BPDU filtering on that port channel so you can keep your STP domains isolated between the two Data Centers. This provides a loop free L2 topology between two DCs over almost any distance.
>
> 6500---------EoMPLS---------6500
> vss (port channel) vss
> 6500---------EoMPLS---------6500
>
> Cheers,
> Brad
>
> --
> Brad Hedlund, CCIE #5530
> Consulting Systems Engineer, Data Center
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
>
>
>
> On Jan 17, 2010, at 1:40 AM, Arne Larsen / Region Nordjylland wrote:
>
>>
>> Hi Arie.
>>
>> Sorry for not explaining the setup in detail.
But anyway this is the case. >> >> layer2 sw ---6500 6500 --- layer2 sw >> | > vss1 - (MPLS-Core) - vss2 < >> layer2 sw ----6500 6500 -- layer2 sw >> >> >> Each site has a full vss environment with it's own local layer 2 switches. >> What I'll like to able to do is, setup a few Vlan's on both sites that can host servers on the same broadcast domain. >> Further more I'll like to able to announce the layer3 connection on the Vlan via bgp to our costumers. >> How is it possible to enable a layer3 interface on the Vlan in each local site and run eompls or vpls between the 2 sites on layer2 . >> >> Arne >> >> -----Oprindelig meddelelse----- >> Fra: Arie Vayner (avayner) [mailto:avayner at cisco.com] >> Sendt: 16. januar 2010 21:08 >> Til: Arne Larsen / Region Nordjylland; cisco-nsp at puck.nether.net >> Emne: RE: [c-nsp] how to connect vss-setup via mpls core >> >> Arne, >> >> Why would you want to do that in such a way? >> In order to get the real benefit of VSS you would need all the access switches connected to both VSS nodes, which would require links from DC1 to DC2 per each access switch... >> The same would apply to upstream Layer 3 connectivity... >> >> If you do not plan to have this kind of a full mesh, then why would you want to use VSS in the first place. >> >> With regards to layer 2 interconnect between DCs, this is a very common design nowadays, and MPLS is used in many solutions. >> I suggest you take a look at this link: >> http://www.cisco.com/en/US/netsol/ns975/index.html (take a look at the whitepaper). >> >> Also, there is a very good Cisco Press book about this whole subject: >> http://www.ciscopress.com/bookstore/product.asp?isbn=9781587059926 >> >> In the coming Networkers event in Barcelona there would be a few sessions about this, and a number of people in Meet the Engineer venue which can help with this subject. >> >> Arie >> >> >> -----Original Message----- 
>> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland >> Sent: Saturday, January 16, 2010 17:31 >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] how to connect vss-setup via mpls core >> >> Hi all. >> >> I need an advice. >> Is there a way to connect 2 vss-setup's with out using direct fibers on layer 2 I would like the to sites to connect via our mpls cloud, so that vlan's configured on the boxes can reach each other on layer2 and be able top announce the layer3 network via bgp on both sites. >> If vlan 200 is configured on both sites, is it possible to use eompls to connect these 2, and make them active/stanby to each other on layer3 using vrrp or hsrp. >> I been searching the cisco web for doc. But all I can find is only useable on layer2. >> >> /Arne >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From p.mayers at imperial.ac.uk Mon Jan 18 11:05:15 2010 
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 18 Jan 2010 16:05:15 +0000
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4429@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk>, <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> <8D68760F464FFD40A01BF2FB374E4A2802156EBD4427@SRVEXC02.aas.its.nja.dk>, <8D68760F464FFD40A01BF2FB374E4A2802156EBD4429@SRVEXC02.aas.its.nja.dk>
Message-ID: <4B5486BB.4010001@imperial.ac.uk>

On 18/01/10 15:59, Arne Larsen / Region Nordjylland wrote:
> Hi Brad
>
> Exactly my thinking about the announcement of the network on both sites.
> But the problem is, I can't configure EoMPLS on a tagged interface.
> If I put an interface into a VRF instance the switch won't accept the EoMPLS statements of the IP addresses.
> Is this because EoMPLS is hard coded to use the global routing table and is thereby not able to handle interfaces that are in a VPN routing table?
> Here is my error:
> aasnxc6-1(config-if)#xconnect 192.160.101.32 3300 encapsulation mpls
> Incompatible with ip address command on Vl3300 - command rejected.

No, you can't do this. You will need something like the following:

dc-rt1 == mpls-pe1 --- (mpls clouds) --- mpls-pe2 == dc-rt2
  |                                                  |
vlan3300                                          vlan3300

You cannot xconnect an SVI on plain-old 6500s. You can, I believe, do this on SPA/ES linecards, but it's expensive.

You can only xconnect physical interfaces or un-routed sub-interfaces. You could use the "loopback cable into the router itself" trick, that is pretty common.

dc-rt1:

int Gi1/1
 description connected back into Gi1/2
 switchport mode trunk
 switchport trunk allowed vlan 3300,xxxx

int Gi1/2
 description received vlans from Gi1/1
 xconnect ...
 ...

...and similarly on dc-rt2

From jckdaniels12 at gmail.com Mon Jan 18 11:57:33 2010
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 18 Jan 2010 22:27:33 +0530
Subject: [c-nsp] MPLS - CE to CE throughput
Message-ID: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>

Hi guys,

I want to check the throughput in the scenario

CE1-----MPLS cloud ----CE2

CE1 link is 2 Mbps
CE2 link is 2 Mbps

If CE1 pumps 2 Mbps, then I want to check if CE2 receives it. Is there any s/w to generate traffic at CE1? Or any other method?

Regards

From amsoares at netcabo.pt Mon Jan 18 12:06:56 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Mon, 18 Jan 2010 17:06:56 -0000
Subject: [c-nsp] PIX/ASA OID for "show service-policy"
Message-ID: <9C8FF20D386D4EF388BA7A772A2034BB@int.convex.pt>

Hello group,

I'm trying to find the OID that gives us the same type of information we see in the "show service-policy" output:

pixfirewall(config)# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: OUTSIDE
    Class-map: CONNECTIONS
      Set connection policy: conn-max 123
        current conns 0, drop 0
pixfirewall(config)#

The best SNMP objects I was able to find are 1.3.6.1.4.1.9.9.147 (ciscoFirewallMIB) and 1.3.6.1.4.1.9.9.491 (ciscoUnifiedFirewallMIB) but they don't seem to have what I need.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

From amsoares at netcabo.pt Mon Jan 18 12:10:04 2010
From: amsoares at netcabo.pt (Antonio Soares) Date: Mon, 18 Jan 2010 17:10:04 -0000 Subject: [c-nsp] ASA 7.2 Interim Releases Message-ID: <61653F59D5844000AF55C5528E048F23@int.convex.pt> Hello group, I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would like to know if there is something more recent available. Thanks. Regards, Antonio Soares, CCIE #18473 (R&S/SP) amsoares at netcabo.pt From rwest at zyedge.com Mon Jan 18 12:20:54 2010 From: rwest at zyedge.com (Ryan West) Date: Mon, 18 Jan 2010 17:20:54 +0000 Subject: [c-nsp] ASA 7.2 Interim Releases In-Reply-To: <61653F59D5844000AF55C5528E048F23@int.convex.pt> References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> Message-ID: <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local> Antonio, > -----Original Message----- > Sent: Monday, January 18, 2010 12:10 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ASA 7.2 Interim Releases > > Hello group, > > I see that the latest 7.2 interim release available on CCO is > 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would > like to know if there is something more recent available. > > > Thanks. > > Regards, > > Antonio Soares, CCIE #18473 (R&S/SP) > amsoares at netcabo.pt > I have a lot of boxes with 7.2.4(33) and that is the latest publicly available interim release. I expect that a 7.2.5 release is in the works though. What was the cause for your TAC case? Thanks, -ryan From amsoares at netcabo.pt Mon Jan 18 12:46:20 2010 
From: amsoares at netcabo.pt (Antonio Soares) Date: Mon, 18 Jan 2010 17:46:20 -0000 Subject: [c-nsp] ASA 7.2 Interim Releases In-Reply-To: <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local> References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local> Message-ID: Hello Ryan, It was because of Bug CSCsv25041. I think you are safe. Regards, Antonio Soares, CCIE #18473 (R&S/SP) amsoares at netcabo.pt -----Original Message----- From: Ryan West [mailto:rwest at zyedge.com] Sent: segunda-feira, 18 de Janeiro de 2010 17:21 To: Antonio Soares; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] ASA 7.2 Interim Releases Antonio, > -----Original Message----- > Sent: Monday, January 18, 2010 12:10 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ASA 7.2 Interim Releases > > Hello group, > > I see that the latest 7.2 interim release available on CCO is > 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would > like to know if there is something more recent available. > > > Thanks. > > Regards, > > Antonio Soares, CCIE #18473 (R&S/SP) > amsoares at netcabo.pt > I have a lot of boxes with 7.2.4(33) and that is the latest publicly available interim release. I expect that a 7.2.5 release is in the works though. What was the cause for your TAC case? Thanks, -ryan From avayner at cisco.com Mon Jan 18 12:47:28 2010 
From: avayner at cisco.com (Arie Vayner (avayner)) Date: Mon, 18 Jan 2010 18:47:28 +0100 Subject: [c-nsp] MPLS - CE to CE throughput In-Reply-To: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com> References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com> Message-ID: Jack, A very simple and dirty hack to fill a (relatively slow) link with one way traffic is to run lots of pings with large packet size with timeout delay of 0. This would pump the ping requests into the link and would fill it up... For 2Mbps links you could also just run an FTP session... Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jack daniels Sent: Monday, January 18, 2010 18:58 To: cisco-nsp at puck.nether.net Subject: [c-nsp] MPLS - CE to CE throughput Hi guys, I want to check the throughout in scenario CE1-----MPLS cloud ----CE2 CE1 link is 2 Mbps CE2 link is 2Mbps If CE1 pumps 2Mbps then want to check if CE2 recieves it. Is there any s/w to genrate traffic at CE1 ? OR any other method ? Regards _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From johnps at IowaTelecom.com Mon Jan 18 13:50:48 2010 From: johnps at IowaTelecom.com (John P. Schneider) Date: Mon, 18 Jan 2010 12:50:48 -0600 Subject: [c-nsp] MPLS - CE to CE throughput In-Reply-To: References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com> Message-ID: I would suggest looking into iperf/jperf. It can be found at sourceforge.net/projects/iperf/ Thank You, John -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arie Vayner (avayner) Sent: Monday, January 18, 2010 11:47 AM To: jack daniels; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS - CE to CE throughput Jack, A very simple and dirty hack to fill a (relatively slow) link with one way traffic is to run lots of pings with large packet size with timeout delay of 0. This would pump the ping requests into the link and would fill it up... For 2Mbps links you could also just run an FTP session... Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jack daniels Sent: Monday, January 18, 2010 18:58 To: cisco-nsp at puck.nether.net Subject: [c-nsp] MPLS - CE to CE throughput Hi guys, I want to check the throughout in scenario CE1-----MPLS cloud ----CE2 CE1 link is 2 Mbps CE2 link is 2Mbps If CE1 pumps 2Mbps then want to check if CE2 recieves it. Is there any s/w to genrate traffic at CE1 ? OR any other method ? Regards _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cm at n-home.ru Mon Jan 18 14:49:37 2010 
From: cm at n-home.ru (Cyrill Malevanov)
Date: Mon, 18 Jan 2010 22:49:37 +0300
Subject: [c-nsp] MPLS - CE to CE throughput
In-Reply-To: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>
References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>
Message-ID: <9482F7E1-1069-4404-BAE9-A08994B9347E@n-home.ru>

iperf is the perfect solution for both transmit and receive speed checks

On Jan 18, 2010, at 7:57 PM, jack daniels wrote:

> Hi guys,
>
> I want to check the throughput in the scenario
>
> CE1-----MPLS cloud ----CE2
>
>
> CE1 link is 2 Mbps
> CE2 link is 2 Mbps
>
> If CE1 pumps 2 Mbps, then I want to check if CE2 receives it.
> Is there any s/w to generate traffic at CE1? Or any other method?
>
>
> Regards
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From david at Hughes.com.au Mon Jan 18 16:46:28 2010
From: david at Hughes.com.au (David Hughes)
Date: Tue, 19 Jan 2010 07:46:28 +1000
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk> <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com>
Message-ID: <36DF3487-AA51-4A9A-9EDD-DD68BFC357D8@hughes.com.au>

On 18/01/2010, at 3:47 AM, Brad Hedlund wrote:

> Arne,
>
> Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration.
> This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS.

Brad

Is this still just port-based EoMPLS? i.e. do you still need to use "external loopback" (i.e. a cross-over back to the same box) to present packets to the PW?

Thanks

David
...

From brhedlun at cisco.com Mon Jan 18 17:16:11 2010
From: brhedlun at cisco.com (Brad Hedlund)
Date: Mon, 18 Jan 2010 16:16:11 -0600
Subject: [c-nsp] how to connect vss-setup via mpls core
In-Reply-To: <36DF3487-AA51-4A9A-9EDD-DD68BFC357D8@hughes.com.au>
References: <8D68760F464FFD40A01BF2FB374E4A2802156EBD4423@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A2802156E27E714@SRVEXC02.aas.its.nja.dk> <5D5E5E35-2554-4E3A-9B60-D75E72FF7B58@cisco.com> <36DF3487-AA51-4A9A-9EDD-DD68BFC357D8@hughes.com.au>
Message-ID: <63E07724-D329-4C8D-9564-BCEF5C467AC9@cisco.com>

David,

It's the same PFC port-based or VLAN-based EoMPLS you know and love from the 6500, only now it's also available in a VSS configuration. Yes, the "external loopback" implementation option still applies.

Cheers,
Brad

--
Brad Hedlund, CCIE #5530
Consulting Systems Engineer, Data Center
bhedlund at cisco.com
http://www.internetworkexpert.org

On Jan 18, 2010, at 3:46 PM, David Hughes wrote:

>
> On 18/01/2010, at 3:47 AM, Brad Hedlund wrote:
>
>> Arne,
>>
>> Since IOS version 12.2(33)SXI2 we now support MPLS in a VSS configuration.
>> This means you can now connect your VSS pair in Data Center 1 to the VSS pair in Data Center 2 with a port channel using EoMPLS.
>
> Brad
>
> Is this still just port-based EoMPLS? i.e. do you still need to use "external loopback" (i.e. a cross-over back to the same box) to present packets to the PW?
>
>
> Thanks
>
> David
> ...

From jckdaniels12 at gmail.com Mon Jan 18 22:53:59 2010
From: jckdaniels12 at gmail.com (jack daniels)
Date: Tue, 19 Jan 2010 09:23:59 +0530
Subject: [c-nsp] MPLS - CE to CE throughput
In-Reply-To: <9482F7E1-1069-4404-BAE9-A08994B9347E@n-home.ru>
References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com> <9482F7E1-1069-4404-BAE9-A08994B9347E@n-home.ru>
Message-ID: <8bb137f41001181953q4849983fn6d80ac00b2e7a51f@mail.gmail.com>

Thanks a lot for all replies, they were very helpful to me.

Regards

On Tue, Jan 19, 2010 at 1:19 AM, Cyrill Malevanov wrote:

> iperf is the perfect solution for both transmit and receive speed checks
>
> On Jan 18, 2010, at 7:57 PM, jack daniels wrote:
>
> > Hi guys,
> >
> > I want to check the throughput in scenario
> >
> > CE1-----MPLS cloud ----CE2
> >
> >
> > CE1 link is 2 Mbps
> > CE2 link is 2Mbps
> >
> > If CE1 pumps 2Mbps then want to check if CE2 receives it.
> > Is there any s/w to generate traffic at CE1 ? OR any other method ?
> >
> >
> > Regards
>

From tvarriale at comcast.net Mon Jan 18 23:08:40 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 18 Jan 2010 22:08:40 -0600
Subject: [c-nsp] ASA 7.2 Interim Releases
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local>
Message-ID:

Would you clarify why you need something more recent? There's tons of code where your bug is fixed, including (43) that you state you have.

tv

----- Original Message -----
From: "Antonio Soares"
To: "'Ryan West'" ;
Sent: Monday, January 18, 2010 11:46 AM
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

> Hello Ryan,
>
> It was because of Bug CSCsv25041. I think you are safe.
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Ryan West [mailto:rwest at zyedge.com]
> Sent: Monday, 18 January 2010 17:21
> To: Antonio Soares; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] ASA 7.2 Interim Releases
>
> Antonio,
>
>
>> -----Original Message-----
>> Sent: Monday, January 18, 2010 12:10 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ASA 7.2 Interim Releases
>>
>> Hello group,
>>
>> I see that the latest 7.2 interim release available on CCO is
>> 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would
>> like to know if there is something more recent available.
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>
> I have a lot of boxes with 7.2.4(33) and that is the latest publicly
> available interim release. I expect that a 7.2.5 release is in
> the works though. What was the cause for your TAC case?
>
> Thanks,
>
> -ryan
>

From tvarriale at comcast.net Mon Jan 18 23:13:51 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 18 Jan 2010 22:13:51 -0600
Subject: [c-nsp] PA-MC-T3-EC
References: <002501ca97a3$b8333eb0$2899bc10$@com>
Message-ID:

I would imagine it is, as that's where the EC cards got their legs. Axing that card in 15 would probably send serious cash over to J. But, open a TAC case if you need to be sure (I don't have that load out to test). Note there is a new FPD for 15.

tv

----- Original Message -----
From: "Kevin Warwashana"
To:
Sent: Sunday, January 17, 2010 12:34 PM
Subject: [c-nsp] PA-MC-T3-EC

> Can anyone confirm if the PA-MC-T3-EC card works in a 7206VXR w/NPE-G1 on
> 15.0M? All the docs show 12.4T and above so that leads me to believe it
> will work, but using the software advisor I noticed the card isn't even
> listed.
>
>
>
> Thanks,
>
> Kevin
>
>
>

From alex.wilkinson at dsto.defence.gov.au Mon Jan 18 23:18:57 2010
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex)
Date: Tue, 19 Jan 2010 12:18:57 +0800
Subject: [c-nsp] MPLS - CE to CE throughput [SEC=UNCLASSIFIED]
In-Reply-To:
References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com>
Message-ID: <20100119041857.GN35418@stlux503.dsto.defence.gov.au>

On Mon, Jan 18, 2010 at 06:47:28PM +0100, Arie Vayner (avayner) wrote:

>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jack daniels
>Sent: Monday, January 18, 2010 18:58
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] MPLS - CE to CE throughput
>
>Hi guys,
>I want to check the throughput in scenario
>CE1-----MPLS cloud ----CE2

How about using CHARGEN ?

[http://etherealmind.com/the-poor-mans-ios-traffic-generator/]

-Alex

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

From perc69 at gmail.com Tue Jan 19 03:18:02 2010
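The thread above offers ping floods, an FTP transfer, iperf and CHARGEN for filling the 2 Mbps CE1 link. As an added example that is not part of any post here, this is a minimal paced UDP sender plus a receiver that counts sequence numbers, so the rate offered at CE1 can be compared with the rate and loss actually seen at CE2; run the receiver on one side and the sender on the other, or both on loopback as below. The payload size, rate, and loopback addresses are assumptions.

```python
"""Paced UDP throughput check: sender offers a target rate, receiver reports
delivered rate and loss. Added example, not from the thread; iperf does this
properly in practice. Sender and receiver both run on loopback here."""
import socket
import struct
import threading
import time

PAYLOAD_BYTES = 1250          # assumption: comfortably under a 1500-byte MTU
HEADER = struct.Struct("!I")  # 32-bit sequence number at the front of each datagram


def pace_interval(bitrate_bps, payload_bytes=PAYLOAD_BYTES):
    """Seconds between datagrams so that payload bits per second == bitrate_bps."""
    return payload_bytes * 8 / bitrate_bps


def summarize(seqs, payload_bytes, elapsed):
    """Delivered Mbit/s and loss from the set of sequence numbers received.
    Loss is judged against the highest sequence number seen, so the receiver
    needs no side channel from the sender (a tail loss is invisible, as with
    any one-way test)."""
    if not seqs:
        return {"received": 0, "expected": 0, "loss_pct": 100.0, "mbps": 0.0}
    expected = max(seqs) + 1
    received = len(seqs)
    mbps = received * payload_bytes * 8 / elapsed / 1e6 if elapsed > 0 else 0.0
    return {"received": received, "expected": expected,
            "loss_pct": 100.0 * (expected - received) / expected, "mbps": mbps}


def send_paced(addr, bitrate_bps, duration_s):
    """Send datagrams to addr at bitrate_bps for duration_s; returns count sent."""
    interval = pace_interval(bitrate_bps)
    body = b"\x00" * (PAYLOAD_BYTES - HEADER.size)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    start = time.monotonic()
    seq = 0
    while time.monotonic() - start < duration_s:
        sock.sendto(HEADER.pack(seq) + body, addr)
        seq += 1
        # sleep until the next datagram's scheduled slot, absorbing scheduler jitter
        sleep_for = start + seq * interval - time.monotonic()
        if sleep_for > 0:
            time.sleep(sleep_for)
    sock.close()
    return seq


def receive(sock, idle_timeout_s):
    """Collect sequence numbers until nothing arrives for idle_timeout_s.
    Returns (set of seqs, seconds between first and last datagram)."""
    seqs = set()
    sock.settimeout(idle_timeout_s)
    first = last = None
    while True:
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            break
        now = time.monotonic()
        first = now if first is None else first
        last = now
        seqs.add(HEADER.unpack_from(data)[0])
    elapsed = (last - first) if first is not None else 0.0
    return seqs, elapsed


def run_loopback_test(bitrate_bps=2_000_000, duration_s=0.5):
    """Sender and receiver on 127.0.0.1; returns the receiver's summary plus 'sent'."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))  # ephemeral port
    result = {}

    def rx_thread():
        seqs, elapsed = receive(rx, idle_timeout_s=1.0)
        result.update(summarize(seqs, PAYLOAD_BYTES, elapsed))

    t = threading.Thread(target=rx_thread)
    t.start()
    sent = send_paced(rx.getsockname(), bitrate_bps, duration_s)
    t.join()
    rx.close()
    result["sent"] = sent
    return result


if __name__ == "__main__":
    print(run_loopback_test())
```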
From: perc69 at gmail.com (Per Carlson)
Date: Tue, 19 Jan 2010 09:18:02 +0100
Subject: [c-nsp] cisco 2801 and HWIC-2T
In-Reply-To: <5DC4853C6CC3EE4788779E0726E034DD0A5726@zy-ex1.zyedge.local>
References: <627fa38b1001180717k77fd5124if1187f2c9ffb98c4@mail.gmail.com> <5DC4853C6CC3EE4788779E0726E034DD0A5726@zy-ex1.zyedge.local>
Message-ID: <746ca6da1001190018j5be7a429ycc2e40f5edf62441@mail.gmail.com>

On Mon, Jan 18, 2010 at 16:39, Ryan West wrote:
> The card is supported on your platform, but it's a T1 only card, so controller e1 or card type won't work for it.

No it's not. All "T" (H)WICs are for serial interfaces, which is *not* the same as a T1/E1. To use this type of (H)WIC you need a serialized interface from your leased line provider and a suitable cable. The connector types commonly used on serial interfaces are V.35 and X.21.

BTW, on serial interfaces there are no "controller e1" stanzas, see
http://www.cisco.com/en/US/docs/ios/interface/configuration/guide/ir_cfg_ser_if_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1012694

--
Pelle

From mehdi.badreddine at fr.clara.net Tue Jan 19 04:05:09 2010
From: mehdi.badreddine at fr.clara.net (Mehdi Badreddine)
Date: Tue, 19 Jan 2010 09:05:09 -0000
Subject: [c-nsp] cisco-nsp Digest, Vol 86, Issue 48
In-Reply-To:
References:
Message-ID: <70F55AD71714494087D3F5CF5ED10083059862EB@EXVS02.claranet.local>

Hi,

Thanks for your responses.
A colleague of mine gave me this answer :

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

But I still don't have accounting information on my tac_plus server.

What's your opinion ?

Mehdi BADREDDINE

Systems and Network Administrator
CLARANET Paris
68, rue du Faubourg Saint-Honoré
75008 PARIS

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of cisco-nsp-request at puck.nether.net
Sent: Friday, 15 January 2010 14:30
To: cisco-nsp at puck.nether.net
Subject: cisco-nsp Digest, Vol 86, Issue 48

Send cisco-nsp mailing list submissions to
	cisco-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://puck.nether.net/mailman/listinfo/cisco-nsp
or, via email, send a message with subject or body 'help' to
	cisco-nsp-request at puck.nether.net

You can reach the person managing the list at
	cisco-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisco-nsp digest..."


Today's Topics:

   1. Re: RIB failure : Higher admin distance (Randy)
   2. Re: Cisco ASA and Update Cisco VPN Client (Stephane MAGAND)
   3.
      cisco users accounting and logging (Mehdi Badreddine)
   4. Re: OSPF Campus Design : Excessive SPF Runs (Pavel Skovajsa)
   5. Re: cisco users accounting and logging (Peter Rathlev)
   6. OSPF on ASA with large routing tables (scott owens)
   7. Re: Cisco ASA and Update Cisco VPN Client (NMaio at guesswho.com)


----------------------------------------------------------------------

Message: 1
Date: Thu, 14 Jan 2010 21:49:44 -0800 (PST)
From: Randy
To: cisco-nsp at puck.nether.net, Andy Ashley
Subject: Re: [c-nsp] RIB failure : Higher admin distance
Message-ID: <34888.80577.qm at web80505.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

..sorry for the top posting..
Hi Andy,
You wouldn't happen to have an interface on router A with an addr. in that range, would you? *connected* eq ad of 0. A longer prefix match will not work in this case when it comes to installing routes in the bgp routing table.
Regards
./Randy


--- On Thu, 1/14/10, Andy Ashley wrote:
From: Andy Ashley
Subject: [c-nsp] RIB failure : Higher admin distance
To: cisco-nsp at puck.nether.net
Date: Thursday, January 14, 2010, 6:32 PM


Hi all,

We have two routers at site A and one at site B, both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers.
The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B.

We run OSPF between all the routers/switches, also over the private link between site A and B and use "redistribute static subnets"
There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks,
the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path)

There is an issue:
We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A.
However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure.

(Site A Router)#sh ip bgp rib-failure
Network            Next Hop                     RIB-failure                    RIB-NH Matches
X.X.X.X/20         (Layer 3 Core Switch)        Higher admin distance          n/a

etc etc (there is a list of all of our static routes here)

(Site A Router)#show ip bgp (Slash /24 in question)
BGP routing table entry for (Slash /24 in question)/24, version 4317116
Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17))
  Not advertised to any peer
  (65003)
    (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X)
      Origin IGP, metric 0, localpref 100, valid, confed-internal, best
      Community: ASN:200 no-export

(Site A Router)#show ip route (Slash /24 in question)
Routing entry for (Slash /24 in question)/24
  Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2
  Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago
  Routing Descriptor Blocks:
  * (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8
      Route metric is 20, traffic share count is 1

The rib failure condition seems to be persistent.

Any ideas how to overcome this issue?

Thanks.
Andy.


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


------------------------------

Message: 2
Date: Fri, 15 Jan 2010 06:55:00 +0100
From: Stephane MAGAND
To: Marcelo Zilio
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

Hi

Thanks for this information.

Does anyone have more detail? Has anyone used this function?

Thanks
Stephane


2010/1/13 Marcelo Zilio

> I just saw in my ASA 8.2 under Configuration > Remote Access VPN > Network
> (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option
> Client Software Update.
>
> I remember seeing this in older versions too. I never used it, but I think
> this
> is what you are looking for.
>
> On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <
> noc at phibee.net> wrote:
>
> > Hi
> >
> > anyone know if it's possible :
> >
> > When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the
> > version
> > of the IPSec Client Software, I think.
> >
> > If this software is too old, can the ASA send an update automatically?
> >
> >
> > Thanks
> > Jerome
> >
>


------------------------------

Message: 3
Date: Fri, 15 Jan 2010 09:23:47 -0000
From: "Mehdi Badreddine"
To:
Subject: [c-nsp] cisco users accounting and logging
Message-ID: <70F55AD71714494087D3F5CF5ED1008305720B4D at EXVS02.claranet.local>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I'm looking for open source software to log cisco/hp/juniper users' commands. For the moment, we are not able to know what commands are issued by users.
I've already installed tac_plus on BSD, though it doesn't provide users accounting, just authentication.
Thanks in advance for your help.


Mehdi BADREDDINE

System&Network Admin
CLARANET Paris
68, rue du Faubourg Saint-Honoré
75008 PARIS




------------------------------

Message: 4
Date: Fri, 15 Jan 2010 10:32:32 +0100
From: Pavel Skovajsa
To: Jason LeBlanc
Cc: cisco-nsp
Subject: Re: [c-nsp] OSPF Campus Design : Excessive SPF Runs
Message-ID: <323aca891001150132t303f9a45l1e1c2870835f9069 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi Jason,

see below

-pavel skovajsa

On Fri, Jan 15, 2010 at 4:57 AM, Jason LeBlanc wrote:
> Hello,
>
> We currently have Layer 3 Routed Access configured at all of our Metro Campus locations.  There are a few obvious deviations from the best practice design guides.  The current setup is:
>
> Core -->        Datacenter Distribution --> | (fiber connect) | -->     Building Distribution -->       Access
> (backbone)      (ABR)                                                   (ASBR)                          (OSPF enabled access switch)
>
> The Cisco best practice is:
>
> Core -->        Distribution -->        Access
> (backbone)      (ABR)                   (OSPF enabled access switch)
>

The best practices are exactly what it says - best practices - in real practice everybody finds it hard to actually achieve that, due to geopolitical/other reasons. In other words the following implication is NOT true: not following best practices -> bad design -> network melts

> We are running NSSA with no-summary and the range command on the Datacenter Distribution routers.  Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router.  Vlans on each box on each floor are mutually exclusive.
>
> Symptoms:
> Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.
>
> router-a#sh ip ospf stat
>  Area 0.0.0.0: SPF algorithm executed 7865 times
>  Area 192.8.208.0: SPF algorithm executed 386 times
>  Area 192.70.0.0: SPF algorithm executed 563 times
>  Area 192.100.0.0: SPF algorithm executed 93076 times

Well, that last area 192.100.0.0 seems to be the culprit - what about troubleshooting it for a while, instead of redesigning the whole network? Use commands like the above "show ip ospf stat" and look for Seq# and LSA Age to find the flapping LSA. Also stuff like "debug ip ospf monitor" and "show ip ospf database database-sum" will help you.

>
>
> Questions:
> Should we be advertising (passively or non-passively) L3 Vlans into OSPF?

Passively. Why would somebody do that in a non-passive way and have myriads of neighbors per each vlan?

> Should we be doing Totally NSSA's instead of NSSA's?

Totally stubby (or totally not-so-stubby if you need ASBR) should be the default design, only configure no-summary if you have a specific reason. Also I don't understand the need for ASBR in your NSSA - but you probably have a reason for that.

>        If not is there a way to get the DR in NSSA to advertise a single route back as default route?
> Should we be sending each campus distribution router directly to the Core so that it's the 3 hops?

As written above, if you have the funding to do this it will certainly make your network design nicer, but I don't see how doing this would actually massively decrement your SPF runs....

> Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?

Scale and speed are contradictory goals. Fast reaction to changes in network topology tends to end up in a network that never converges and is unstable.

>
>
> Any help or advice is greatly appreciated!
>
> Regards,
>
> //LeBlanc
>


------------------------------

Message: 5
Date: Fri, 15 Jan 2010 11:47:33 +0100
From: Peter Rathlev
To: Mehdi Badreddine
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] cisco users accounting and logging
Message-ID: <1263552453.28844.4.camel at localhost>
Content-Type: text/plain; charset="UTF-8"

On Fri, 2010-01-15 at 09:23 +0000, Mehdi Badreddine wrote:
> I've already installed tac_plus on BSD, though it doesn't provide
> users accounting, just authentication.

We use tac_plus with accounting, no problems there. The relevant configuration is:

accounting file = /var/log/tacacs-accounting.log

or similar in the tac_plus.conf file, and then:

aaa accounting exec [method] start-stop group tacacs+
aaa accounting commands 0 [method] start-stop group tacacs+
aaa accounting commands 15 [method] start-stop group tacacs+
aaa accounting connection [method] start-stop group tacacs+

besides your normal AAA config on the Cisco devices. I wouldn't know about Juniper or HP.

--
Peter



------------------------------

Message: 6
Date: Fri, 15 Jan 2010 07:24:56 -0600
From: scott owens
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OSPF on ASA with large routing tables
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

>
> Message: 5
> Date: Thu, 14 Jan 2010 19:47:07 -0600
> From: Greg Clark
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OSPF on ASA with large routing tables
> Message-ID:
> <44ae085f1001141747r5951bf09ka16e3cb239a9eb92 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> We're considering running OSPF on a handful of core ASA 5580 but our routing
> table is somewhat large (roughly 10,000 routes). Does anyone have any
> experience running OSPF on an ASA platform with a large number of routes on
> a production network. Did you run into any limitations or issues. We
> don't
> plan on running multiple contexts and will not have a large number of
> peers/neighbors, just a large routing table.
>
> Thanks,
>
> Greg
>
>
>
>
I am certainly sure I do not know your network topology - but having 10,000 routes going to a firewall seems like you may want another pair or more of eyes to check out that route summarization problem. Ditto with the guy with 8,000+ routes. I have multiple 10GB, Nexus 7Ks, Redundant Gig Internet (/16), I2 connectivity and I don't think we have more than 100 or 200 routes present.


------------------------------

Message: 7
Date: Fri, 15 Jan 2010 08:29:00 -0500
From:
To: ,
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client
Message-ID: <2AA600764E54964491083B1E0EC81A3033D742DEB2 at EXCLUS.nationala-1advertising.com>
Content-Type: text/plain; charset="us-ascii"

I use this but it isn't an automatic update. The user is presented with a message box once they sign in and it lets them know that an update is available. It is up to the user to click the box to update.

If you are concerned about users using old clients you could always restrict the version via a client-access-rule...something like this...under your group-policy.

client-access-rule 1 permit type WinNT version 5.0.0*
client-access-rule 2 permit type "Mac OS X" version 4.9.01*
client-access-rule 3 permit type Linux version "4.8.02 (0030)"
client-access-rule 4 deny type * version *

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephane MAGAND
Sent: Friday, January 15, 2010 12:55 AM
To: Marcelo Zilio
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client

Hi

Thanks for this information.

Does anyone have more detail? Has anyone used this function?

Thanks
Stephane


2010/1/13 Marcelo Zilio

> I just saw in my ASA 8.2 under Configuration > Remote Access VPN > Network
> (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option
> Client Software Update.
>
> I remember seeing this in older versions too. I never used it, but I think
> this
> is what you are looking for.
>
> On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <
> noc at phibee.net> wrote:
>
> > Hi
> >
> > anyone know if it's possible :
> >
> > When a user connects to my Cisco ASA in VPN IPSec, the ASA sees the
> > version
> > of the IPSec Client Software, I think.
> >
> > If this software is too old, can the ASA send an update automatically?
> >
> >
> > Thanks
> > Jerome
> >
>


------------------------------

End of cisco-nsp Digest, Vol 86, Issue 48
*****************************************

From asturluismi at gmail.com Tue Jan 19 05:54:58 2010
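Peter Rathlev's reply in the digest above points at the tac_plus `accounting file` and the `aaa accounting commands` lines; once those are in place, the file receives one record per completed command, which is what makes the accounting useful to a reviewer. As an added example that is not part of the thread, here is a small auditor for that file: it parses the records, counts commands per user and flags configuration-mode and AAA-altering commands. The tab-separated record layout (timestamp, NAS address, user, port, remote address, start/stop flag, then attribute=value pairs) is assumed from tac_plus behaviour, and the sample records are constructed.

```python
"""Audit tac_plus command accounting records. Added example, not from the thread.

Assumed record layout (one per line, tab-separated, as written by tac_plus
when `accounting file = ...` is set): timestamp, NAS address, username,
port, remote address, start/stop flag, then attribute=value pairs.
The sample records below are constructed for this example."""
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_LOG = "\n".join([
    "Fri Jan 15 11:47:33 2010\t10.0.0.1\tmehdi\ttty2\t10.0.0.50\tstop\ttask_id=12\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Fri Jan 15 11:48:01 2010\t10.0.0.1\tmehdi\ttty2\t10.0.0.50\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Fri Jan 15 11:48:09 2010\t10.0.0.1\tmehdi\ttty2\t10.0.0.50\tstop\ttask_id=14\tservice=shell\tpriv-lvl=15\tcmd=no aaa accounting commands 15 default <cr>",
    "Fri Jan 15 11:50:20 2010\t10.0.0.2\tops\ttty1\t10.0.0.60\tstop\ttask_id=7\tservice=shell\tpriv-lvl=1\tcmd=show ip route <cr>",
    "Fri Jan 15 11:51:00 2010\t10.0.0.2\tops\ttty1\t10.0.0.60\tstart\ttask_id=8\tservice=shell",  # exec start record, carries no cmd=
])

# Commands worth a second look: entering config mode, or touching AAA/logging/credentials.
SENSITIVE_PREFIXES = ("configure", "no aaa", "no logging", "aaa ", "username ",
                      "enable secret", "enable password")


@dataclass
class Record:
    timestamp: str
    nas: str
    user: str
    port: str
    remote: str
    flag: str
    attrs: dict = field(default_factory=dict)

    @property
    def command(self):
        """The cmd= attribute without the ' <cr>' suffix tac_plus appends, or None."""
        cmd = self.attrs.get("cmd")
        return cmd.replace(" <cr>", "").strip() if cmd else None


def parse_record(line):
    """Parse one accounting line; returns None for blank or malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6:
        return None
    attrs = {}
    for av in parts[6:]:
        key, sep, value = av.partition("=")  # split on the first '=' only
        if sep:
            attrs[key] = value
    return Record(*parts[:6], attrs)


def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def is_sensitive(command):
    return command is not None and command.lower().startswith(SENSITIVE_PREFIXES)


def audit(records):
    """Return (per-user command counter, list of (timestamp, nas, user, cmd) flagged)."""
    per_user = Counter()
    flagged = []
    for r in records:
        cmd = r.command
        if r.flag != "stop" or cmd is None:
            continue  # only completed command records carry cmd=
        per_user[r.user] += 1
        if is_sensitive(cmd):
            flagged.append((r.timestamp, r.nas, r.user, cmd))
    return per_user, flagged


if __name__ == "__main__":
    counts, hits = audit(parse_log(SAMPLE_LOG))
    for user, n in counts.most_common():
        print(f"{user}: {n} commands")
    for ts, nas, user, cmd in hits:
        print(f"FLAG {ts} {user}@{nas}: {cmd}")
```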
From: asturluismi at gmail.com (luismi)
Date: Tue, 19 Jan 2010 11:54:58 +0100
Subject: [c-nsp] cisco-nsp Digest, Vol 86, Issue 48
In-Reply-To: <70F55AD71714494087D3F5CF5ED10083059862EB@EXVS02.claranet.local>
References: <70F55AD71714494087D3F5CF5ED10083059862EB@EXVS02.claranet.local>
Message-ID: <1263898498.5534.3.camel@hal9000>

I have this and I have accounting:

aaa authentication attempts login 2
aaa authentication login default group tac-plus local-case
aaa authentication login console group tac-plus local-case
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tac-plus local
aaa accounting send stop-record authentication failure vrf GestionIP
aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting update newinfo periodic 1440
aaa accounting exec default start-stop group tac-plus
aaa accounting commands 0 default start-stop group tac-plus
aaa accounting commands 1 default start-stop group tac-plus
aaa accounting commands 15 default start-stop group tac-plus
aaa accounting network default start-stop group tac-plus
aaa accounting connection default start-stop group tac-plus
aaa accounting system default start-stop group tac-plus

On Tue, 19-01-2010 at 09:05 +0000, Mehdi Badreddine wrote:
> Hi,
>
> Thanks for your responses.
> A colleague of mine gave me this answer :
>
> aaa new-model
> aaa authentication login default group tacacs+ enable
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting network default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> aaa session-id common
>
> But I still don't have accounting information on my tac_plus server.
>
> What's your opinion ?
>
>
> Mehdi BADREDDINE
>
> Systems and Network Administrator
> CLARANET Paris
> 68, rue du Faubourg Saint-Honoré
> 75008 PARIS
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of cisco-nsp-request at puck.nether.net
> Sent: Friday, 15 January 2010 14:30
> To: cisco-nsp at puck.nether.net
> Subject: cisco-nsp Digest, Vol 86, Issue 48
>
> Send cisco-nsp mailing list submissions to
> 	cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
> 	cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
> 	cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
>    1. Re: RIB failure : Higher admin distance (Randy)
>    2. Re: Cisco ASA and Update Cisco VPN Client (Stephane MAGAND)
>    3. cisco users accounting and logging (Mehdi Badreddine)
>    4. Re: OSPF Campus Design : Excessive SPF Runs (Pavel Skovajsa)
>    5. Re: cisco users accounting and logging (Peter Rathlev)
>    6.
>       OSPF on ASA with large routing tables (scott owens)
>    7. Re: Cisco ASA and Update Cisco VPN Client (NMaio at guesswho.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 14 Jan 2010 21:49:44 -0800 (PST)
> From: Randy
> To: cisco-nsp at puck.nether.net, Andy Ashley
> Subject: Re: [c-nsp] RIB failure : Higher admin distance
> Message-ID: <34888.80577.qm at web80505.mail.mud.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
>
> ..sorry for the top posting..
> Hi Andy,
> You wouldn't happen to have an interface on router A with an addr. in that range, would you? *connected* eq ad of 0. A longer prefix match will not work in this case when it comes to installing routes in the bgp routing table.
> Regards
> ./Randy
>
>
> --- On Thu, 1/14/10, Andy Ashley wrote:
>
>
> From: Andy Ashley
> Subject: [c-nsp] RIB failure : Higher admin distance
> To: cisco-nsp at puck.nether.net
> Date: Thursday, January 14, 2010, 6:32 PM
>
>
> Hi all,
>
> We have two routers at site A and one at site B, both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers.
> The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B.
>
> We run OSPF between all the routers/switches, also over the private link between site A and B and use "redistribute static subnets"
> There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks,
> the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path)
>
> There is an issue:
> We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A.
> However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure.
>
> (Site A Router)#sh ip bgp rib-failure
> Network            Next Hop                     RIB-failure                    RIB-NH Matches
> X.X.X.X/20         (Layer 3 Core Switch)        Higher admin distance          n/a
>
> etc etc (there is a list of all of our static routes here)
>
> (Site A Router)#show ip bgp (Slash /24 in question)
> BGP routing table entry for (Slash /24 in question)/24, version 4317116
> Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17))
>   Not advertised to any peer
>   (65003)
>     (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X)
>       Origin IGP, metric 0, localpref 100, valid, confed-internal, best
>       Community: ASN:200 no-export
>
> (Site A Router)#show ip route (Slash /24 in question)
> Routing entry for (Slash /24 in question)/24
>   Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2
>   Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago
>   Routing Descriptor Blocks:
>   * (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8
>       Route metric is 20, traffic share count is 1
>
> The rib failure condition seems to be persistent.
>
> Any ideas how to overcome this issue?
>
> Thanks.
> Andy.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 15 Jan 2010 06:55:00 +0100
> From: Stephane MAGAND > To: Marcelo Zilio > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > Hi > > Thanks for this information. > > Anyone have more detail ? anyone have use this function ? > > Thanks > Stephane > > > 2010/1/13 Marcelo Zilio > > > I just see in my ASA 8.2 under Configuration > Remote Access VPN > Network > > (Client) Access > IPsec Connection Profiles (Advancede > IPSec) an option > > Client Software Update. > > > > I remember see this in older versions too. I never used it, but I think > > this > > is you are looking for. > > > > On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center < > > noc at phibee.net> wrote: > > > > > Hi > > > > > > anyone know if it's possible : > > > > > > When a user connect to my Cisco ASA in VPN IPSec, the ASA see the > > > version > > > of the IPSec Client Software, i thinks. > > > > > > If this software are too old, the asa can sent a update automatiquely > > ? > > > > > > > > > Thanks > > > Jerome > > > > > > _______________________________________________ > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > ------------------------------ > > Message: 3 > Date: Fri, 15 Jan 2010 09:23:47 -0000 
> From: "Mehdi Badreddine"
> To:
> Subject: [c-nsp] cisco users accounting and logging
> Message-ID:
> <70F55AD71714494087D3F5CF5ED1008305720B4D at EXVS02.claranet.local>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I'm looking for open source software to log cisco/hp/juniper users' commands. For the moment, we are not able to know what commands are issued by users.
> I've already installed tac_plus on BSD, though it doesn't provide user accounting, just authentication.
> Thanks in advance for your help.
>
>
> Mehdi BADREDDINE
>
> System & Network Admin
> CLARANET Paris
> 68, rue du Faubourg Saint-Honoré
> 75008 PARIS
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 15 Jan 2010 10:32:32 +0100
> From: Pavel Skovajsa
> To: Jason LeBlanc
> Cc: cisco-nsp
> Subject: Re: [c-nsp] OSPF Campus Design : Excessive SPF Runs
> Message-ID:
> <323aca891001150132t303f9a45l1e1c2870835f9069 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Jason,
>
> see below
>
> -pavel skovajsa
>
> On Fri, Jan 15, 2010 at 4:57 AM, Jason LeBlanc wrote:
> > Hello,
> >
> > We currently have Layer 3 Routed Access configured at all of our Metro Campus locations. There are a few obvious deviations from the best practice design guides. The current setup is:
> >
> > Core -->        Datacenter Distribution --> | (fiber connect) | -->     Building Distribution -->        Access
> > (backbone)      (ABR)                                                   (ASBR)                           (OSPF enabled access switch)
> >
> > The Cisco best practice is:
> >
> > Core -->        Distribution -->        Access
> > (backbone)      (ABR)                   (OSPF enabled access switch)
> >
>
> The best practices are exactly what it says - best practices - in real
> practice everybody finds it hard to actually achieve that, due to
> geopolitical/other reasons. In other words the following implication
> is NOT true: not following best practices -> bad design -> network
> melts
>
> > We are running NSSA with no-summary and the range command on the Datacenter Distribution routers. Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router. Vlans on each box on each floor are mutually exclusive.
> >
> > Symptoms:
> > Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.
> >
> > router-a#sh ip ospf stat
> >  Area 0.0.0.0: SPF algorithm executed 7865 times
> >  Area 192.8.208.0: SPF algorithm executed 386 times
> >  Area 192.70.0.0: SPF algorithm executed 563 times
> >  Area 192.100.0.0: SPF algorithm executed 93076 times
>
> Well, that last area 192.100.0.0 seems to be the culprit - what about
> troubleshooting it for a while, instead of redesigning the whole network?
> Use commands like the above "show ip ospf stat" and look for Seq# and LSA
> Age to find the flapping LSA. Also stuff like "debug ip ospf monitor"
> and "show ip ospf database database-sum" will help you.
>
> >
> >
> > Questions:
> > Should we be advertising (passively or non-passively) L3 Vlans into OSPF?
>
> Passively. Why would somebody do that in a non-passive way and have
> myriads of neighbors per each vlan?
>
> > Should we be doing Totally NSSA's instead of NSSA's?
>
> Totally stubby (or totally not-so-stubby if you need ASBR) should be
> the default design, only configure no-summary if you have a specific reason.
> Also I don't understand the need for ASBR in your NSSA - but you
> probably have a reason for that.
>
> >        If not is there a way to get the DR in NSSA to advertise a single route back as default route?
> > Should we be sending each campus distribution router directly to the Core so that it's 3 hops?
>
> As written above, if you have the funding to do this it will certainly
> make your network design nicer, but I don't see how doing this would
> actually massively decrement your SPF runs....
>
> > Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?
>
> Scale and speed are contradictory goals. Fast reaction to changes in
> network topology tends to end up in a network that never converges
> and is unstable.
>
> >
> >
> > Any help/advice is greatly appreciated!
> >
> > Regards,
> >
> > //LeBlanc
> >
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 15 Jan 2010 11:47:33 +0100
> From: Peter Rathlev
> To: Mehdi Badreddine
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] cisco users accounting and logging
> Message-ID: <1263552453.28844.4.camel at localhost>
> Content-Type: text/plain; charset="UTF-8"
>
> On Fri, 2010-01-15 at 09:23 +0000, Mehdi Badreddine wrote:
> > I've already installed tac_plus on BSD, though it doesn't provide
> > users accounting, just authentication.
>
> We use tac_plus with accounting, no problems there. The relevant
> configuration is:
>
> accounting file = /var/log/tacacs-accounting.log
>
> or similar in the tac_plus.conf file, and then:
>
> aaa accounting exec [method] start-stop group tacacs+
> aaa accounting commands 0 [method] start-stop group tacacs+
> aaa accounting commands 15 [method] start-stop group tacacs+
> aaa accounting connection [method] start-stop group tacacs+
>
> besides your normal AAA config on the Cisco devices.
>
> I wouldn't know about Juniper or HP.
>
> --
> Peter
>
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 15 Jan 2010 07:24:56 -0600
> From: scott owens
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OSPF on ASA with large routing tables
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
>
>
> > Message: 5
> > Date: Thu, 14 Jan 2010 19:47:07 -0600
> > From: Greg Clark > > To: cisco-nsp at puck.nether.net > > Subject: [c-nsp] OSPF on ASA with large routing tables > > Message-ID: > > <44ae085f1001141747r5951bf09ka16e3cb239a9eb92 at mail.gmail.com> > > Content-Type: text/plain; charset=ISO-8859-1 > > > > We're considering running OSPF on handful of core ASA 5580 but our routing > > table is somewhat large (roughly 10,000 routes). Does anyone have any > > experience running OSPF on an ASA platform with a large number of routes on > > a production network. Did you run into any limitations or issues. We > > don't > > plan on running mutiple context and will not have a large number of > > peers/neighbors just a large routing table. > > > > Thanks, > > > > Greg > > > > > > > > I am certainly sure I do not know your network topology - but having 10,000 > routes going to a firewall seems like you may want another pair or more of > eyes to check out that route summarization problem. Ditto with the guy with > 8,000+ routes. > > > I have multiple 10GB, Nexus 7Ks, Redundant Gig Internet (/16), I2 > connectivity and I don't think we have more than 100 or 200 routes present. > > > ------------------------------ > > Message: 7 > Date: Fri, 15 Jan 2010 08:29:00 -0500 
> From: > To: , > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client > Message-ID: > <2AA600764E54964491083B1E0EC81A3033D742DEB2 at EXCLUS.nationala-1advertising.com> > > Content-Type: text/plain; charset="us-ascii" > > I use this but it isn't an automatic update. The user is presented with a message box once they sign in and it lets them know that an update is available. It is up to the user to click the box to update. If you are concerned about users using old clients you could always restrict the version via a client-access-rule...something like this...under your group-policy. > > client-access-rule 1 permit type WinNT version 5.0.0* > client-access-rule 2 permit type "Mac OS X" version 4.9.01* > client-access-rule 3 permit type Linux version "4.8.02 (0030)" > client-access-rule 4 deny type * version * > > -----Original Message----- 
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephane MAGAND > Sent: Friday, January 15, 2010 12:55 AM > To: Marcelo Zilio > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client > > Hi > > Thanks for this information. > > Anyone have more detail ? anyone have use this function ? > > Thanks > Stephane > > > 2010/1/13 Marcelo Zilio > > > I just see in my ASA 8.2 under Configuration > Remote Access VPN > Network > > (Client) Access > IPsec Connection Profiles (Advancede > IPSec) an option > > Client Software Update. > > > > I remember see this in older versions too. I never used it, but I think > > this > > is you are looking for. > > > > On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center < > > noc at phibee.net> wrote: > > > > > Hi > > > > > > anyone know if it's possible : > > > > > > When a user connect to my Cisco ASA in VPN IPSec, the ASA see the > > > version > > > of the IPSec Client Software, i thinks. > > > > > > If this software are too old, the asa can sent a update automatiquely > > ? 
> > >
> > >
> > >
> > > Thanks
> > > Jerome
> > >
>
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 86, Issue 48
> *****************************************

From mehdi.badreddine at fr.clara.net Tue Jan 19 06:39:56 2010
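The RIB-failure thread quoted above mixes two separate checks: which protocol's route the RIB installs (administrative distance, where Andy's OSPF external route at distance 110 beats an iBGP-learned path at 200), and, independently of that, whether BGP sends a best path to a given peer (the no-export community on his /24, and the IOS knob "bgp suppress-inactive", which is off by default). The model below is an added example, not code from the digest or from any list member; the administrative distances are IOS defaults, and the prefix, next hops and peers are constructed. It generalises beyond the thread slightly by also handling no-advertise and the suppress-inactive case.

```python
"""Model of BGP best path vs. RIB installation vs. advertisement.

Added example for the 'RIB failure : Higher admin distance' thread; it is
not code from the list.  Administrative distances are IOS defaults; the
prefix, next hops and peers are constructed.
"""
from dataclasses import dataclass

# IOS default administrative distances (lower wins when the RIB picks a route)
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str            # key into ADMIN_DISTANCE
    next_hop: str
    communities: frozenset = frozenset()


def rib_winner(candidates):
    """The RIB installs the candidate with the lowest administrative distance."""
    return min(candidates, key=lambda r: ADMIN_DISTANCE[r.protocol])


def rib_failure_reason(bgp_path, candidates):
    """None if the BGP path is in the RIB, else the reason as shown by
    'show ip bgp rib-failure'.  Only the admin-distance case is modelled."""
    winner = rib_winner(candidates)
    if winner == bgp_path:
        return None
    if ADMIN_DISTANCE[winner.protocol] < ADMIN_DISTANCE[bgp_path.protocol]:
        return "Higher admin distance"
    return "Other"


def advertised_to(bgp_path, peer_kind, rib_failed, suppress_inactive=False):
    """Whether a best path is announced to a peer.

    peer_kind: 'ibgp' (including confederation-internal) or 'ebgp'.
    Two independent gates:
      * RFC 1997 well-known communities: no-advertise blocks every peer,
        no-export blocks peers outside the (confederation) AS;
      * 'bgp suppress-inactive' (IOS, off by default): when on, a RIB-failed
        path is withheld from all peers.  When off, RIB failure alone does
        NOT stop advertisement.
    """
    if "no-advertise" in bgp_path.communities:
        return False
    if "no-export" in bgp_path.communities and peer_kind == "ebgp":
        return False
    if rib_failed and suppress_inactive:
        return False
    return True


def diagnose(prefix, bgp_path, other_routes, suppress_inactive=False):
    """Pull the facts for one prefix together, as a dict."""
    candidates = [bgp_path, *other_routes]
    reason = rib_failure_reason(bgp_path, candidates)
    failed = reason is not None
    return {
        "prefix": prefix,
        "rib_protocol": rib_winner(candidates).protocol,
        "rib_failure": reason,
        "to_ibgp": advertised_to(bgp_path, "ibgp", failed, suppress_inactive),
        "to_ebgp": advertised_to(bgp_path, "ebgp", failed, suppress_inactive),
    }


# Constructed stand-in for Andy's /24: learned over the iBGP/GRE session with
# no-export attached, while OSPF (redistributed static) also carries the /24.
SITE_B_SLASH24 = "203.0.113.0/24"
BGP_PATH = Route(SITE_B_SLASH24, "ibgp", "10.255.0.2", frozenset({"no-export"}))
OSPF_PATH = Route(SITE_B_SLASH24, "ospf", "10.1.8.2")

if __name__ == "__main__":
    for key, val in diagnose(SITE_B_SLASH24, BGP_PATH, [OSPF_PATH]).items():
        print(f"{key:13} {val}")
```

Running it on the constructed routes reports the RIB holding the OSPF route, the BGP path marked "Higher admin distance", and the path still eligible for iBGP peers but not eBGP ones because of no-export; switching suppress_inactive on withholds it from everyone. Checking both gates separately is the point: fixing the admin distance alone does not lift a no-export, and vice versa.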
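The client-access-rule lines quoted in the VPN-client-update thread of the digest above are an allow-list on client platform and version. The evaluator below is an added example, not code from the ASA or from any list member: it parses those four lines as written and decides a connecting client's fate. The matching semantics (rules tried in priority order, first match wins, "*" as a wildcard, refuse when no rule matches) are assumptions stated here, not verified against the ASA itself; check them against the ASA documentation for your release before relying on them.

```python
"""Evaluator for ASA group-policy 'client-access-rule' lines.

Added example; not code from the ASA or from any list post.  Matching
semantics (priority order, first match wins, '*' wildcard, deny when no
rule matches) are assumptions, not verified against the ASA.
"""
import fnmatch
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    priority: int
    action: str       # 'permit' or 'deny'
    client_type: str  # e.g. 'WinNT', 'Mac OS X', 'Linux' or '*'
    version: str      # glob such as '5.0.0*' or an exact string


def parse_rule(line):
    """Parse one 'client-access-rule N permit|deny type T version V' line.
    shlex keeps quoted values such as "Mac OS X" as one token."""
    tok = shlex.split(line)
    if (len(tok) != 7 or tok[0] != "client-access-rule"
            or tok[2] not in ("permit", "deny") or tok[3] != "type" or tok[5] != "version"):
        raise ValueError(f"unrecognised rule: {line!r}")
    return AccessRule(int(tok[1]), tok[2], tok[4], tok[6])


def evaluate(rules, client_type, client_version):
    """Return (allowed, matching_priority).  Rules are tried in priority
    order; the first whose type and version globs both match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (fnmatch.fnmatchcase(client_type, rule.client_type)
                and fnmatch.fnmatchcase(client_version, rule.version)):
            return rule.action == "permit", rule.priority
    return False, None  # assumption: no matching rule -> connection refused


# The four rules quoted in the thread, verbatim
RULES = [parse_rule(l) for l in """
client-access-rule 1 permit type WinNT version 5.0.0*
client-access-rule 2 permit type "Mac OS X" version 4.9.01*
client-access-rule 3 permit type Linux version "4.8.02 (0030)"
client-access-rule 4 deny type * version *
""".strip().splitlines()]

if __name__ == "__main__":
    # Constructed client strings, not real agent versions
    for ctype, cver in [("WinNT", "5.0.07.0290"), ("WinNT", "4.8.01.0640"),
                        ("Mac OS X", "4.9.01.0180"), ("Linux", "4.8.02 (0030)")]:
        print(ctype, cver, evaluate(RULES, ctype, cver))
```

Without the final deny rule, rules 1 to 3 still only permit; the explicit catch-all makes the intended default visible in the config rather than relying on whatever the platform does when nothing matches.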
From: mehdi.badreddine at fr.clara.net (Mehdi Badreddine)
Date: Tue, 19 Jan 2010 11:39:56 -0000
Subject: [c-nsp] cisco-nsp Digest, Vol 86, Issue 48
In-Reply-To: <1263898498.5534.3.camel@hal9000>
References: <70F55AD71714494087D3F5CF5ED10083059862EB@EXVS02.claranet.local> <1263898498.5534.3.camel@hal9000>
Message-ID: <70F55AD71714494087D3F5CF5ED100830598632A@EXVS02.claranet.local>

Sorry for spamming, thanks for the information, I'll check it out soon.

Mehdi

-----Original Message-----
From: luismi [mailto:asturluismi at gmail.com]
Sent: Tuesday, 19 January 2010 11:55
To: Mehdi Badreddine
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] cisco-nsp Digest, Vol 86, Issue 48

I have this and I have accounting:

aaa authentication attempts login 2
aaa authentication login default group tac-plus local-case
aaa authentication login console group tac-plus local-case
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tac-plus local
aaa accounting send stop-record authentication failure vrf GestionIP
aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting update newinfo periodic 1440
aaa accounting exec default start-stop group tac-plus
aaa accounting commands 0 default start-stop group tac-plus
aaa accounting commands 1 default start-stop group tac-plus
aaa accounting commands 15 default start-stop group tac-plus
aaa accounting network default start-stop group tac-plus
aaa accounting connection default start-stop group tac-plus
aaa accounting system default start-stop group tac-plus

From p_ambedkar at rediffmail.com Tue Jan 19 05:58:52 2010
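Both Peter's and luismi's replies on command accounting end at the tac_plus accounting file; what Mehdi actually wanted is to read it back per user. The script below is an added example, not part of tac_plus or of any list post, and serves both replies: it parses the accounting file and answers "which commands did each user issue", then flags the commands an operator would want to review first, those that switch off accounting or logging on the device. The record layout assumed here (tab-separated: timestamp, NAS, user, port, remote address, start/stop/update flag, then attr=value pairs, with the NAS appending " <cr>" to each command) is what the Shrubbery tac_plus daemon writes as far as I know; verify it against your own file. The sample lines are constructed.

```python
"""Parse a tac_plus accounting file and flag commands that weaken auditing.

Added example for the 'cisco users accounting and logging' thread; not part
of tac_plus or of any list post.  The record layout is an assumption about
the Shrubbery tac_plus accounting file; the sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample; fields are separated by tabs, as in the real file.
SAMPLE_LOG = (
    "Tue Jan 19 11:39:56 2010\t10.0.0.2\tmehdi\ttty2\t192.0.2.10\tstart\t"
    "task_id=15\ttimezone=UTC\tservice=shell\n"
    "Tue Jan 19 11:40:03 2010\t10.0.0.2\tmehdi\ttty2\t192.0.2.10\tstop\t"
    "task_id=16\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "Tue Jan 19 11:40:21 2010\t10.0.0.2\tmehdi\ttty2\t192.0.2.10\tstop\t"
    "task_id=17\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Tue Jan 19 11:40:30 2010\t10.0.0.2\tmehdi\ttty2\t192.0.2.10\tstop\t"
    "task_id=18\ttimezone=UTC\tservice=shell\tpriv-lvl=15\t"
    "cmd=no aaa accounting commands 15 default start-stop group tac-plus <cr>\n"
    "Tue Jan 19 11:41:02 2010\t10.0.0.3\tops\ttty1\t192.0.2.11\tstop\t"
    "task_id=7\ttimezone=UTC\tservice=shell\tpriv-lvl=1\tcmd=show ip route <cr>\n"
    "Tue Jan 19 11:42:10 2010\t10.0.0.2\tmehdi\ttty2\t192.0.2.10\tstop\t"
    "task_id=15\ttimezone=UTC\tservice=shell\telapsed_time=134\n"
)

FIXED_FIELDS = ("timestamp", "nas", "user", "port", "rem_addr", "flag")

# Commands that switch off the audit trail itself; anchored at the command start.
AUDIT_TAMPER = re.compile(
    r"^(no aaa accounting|no aaa authorization|no logging|clear logging|"
    r"no archive|no snmp-server enable traps)\b"
)


def parse_record(line):
    """One accounting line -> dict, or None for a malformed/blank line."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < len(FIXED_FIELDS):
        return None
    rec = dict(zip(FIXED_FIELDS, parts[:len(FIXED_FIELDS)]))
    for av in parts[len(FIXED_FIELDS):]:
        key, _, value = av.partition("=")
        rec[key] = value
    if "cmd" in rec:  # the NAS appends ' <cr>'; strip it for matching
        rec["cmd"] = re.sub(r"\s*<cr>$", "", rec["cmd"])
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def commands_by_user(records):
    """Mehdi's question: which commands did each user actually issue?"""
    out = defaultdict(list)
    for r in records:
        if r.get("cmd"):
            out[r["user"]].append(r["cmd"])
    return dict(out)


def audit_tampering(records):
    """Records whose command disables accounting/logging: review these first."""
    return [r for r in records if r.get("cmd") and AUDIT_TAMPER.search(r["cmd"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, cmds in commands_by_user(recs).items():
        print(user, cmds)
    for r in audit_tampering(recs):
        print("ALERT", r["timestamp"], r["nas"], r["user"], r["cmd"])
```

Note that the "no aaa accounting commands 15 ..." record is itself the last level-15 command that will ever be accounted from that session, which is why a detection on the accounting feed should fire on it rather than on the silence that follows. The exec start/stop records (no cmd attribute) are kept so session length and source address stay available for the same review.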
From: p_ambedkar at rediffmail.com (ambedkar ) Date: 19 Jan 2010 10:58:52 -0000 Subject: [c-nsp] =?utf-8?q?cisco_6509_rommon_mode?= Message-ID: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com> Hi, i am using cisco 6509 switch. This switch is not power ON for last one year, now after switch ON,It is going to ROMMON mode. The following is the log: Currently running ROMMON from S (Gold) region Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin Module 1 port ASIC 0 failed: Pinnacle Packet Buffer Error Module 1 reported following ports unusable port 1 bad port 2 bad port 3 bad port 4 bad inband gmac link did not come up: reseting the system System Bootstrap, Version 7.1(1) Copyright (c) 1994-2001 by cisco Systems, Inc. c6k_sup2 processor with 262144 Kbytes of main memory Autoboot executing command: "boot bootflash:cat6000-sup2cvk9.8-3-2.bin" Self decompressing the image : ##############################################################################################################] System Power On Diagnostics DRAM Size ..........................256 MB Testing DRAM .......................Passed Verifying Text Segment .............Passed NVRAM Size .........................512 KB Level2 Cache .......................Present Level3 Cache .......................Present System Power On Diagnostics Complete. --------------------------------------------------------- I tried the following commands: 1.boot 2.boot bootflash:cat6000-sup2cvk9.8-3-2.bin 3.I thought ios may be damaged, so i used XMODEM to upload IOS image, but after some time, it is also failing. please help me, Thanks.bye From andre.schoppmeier at telefonica.de Tue Jan 19 06:25:30 2010 
From: andre.schoppmeier at telefonica.de (Andre Schoppmeier)
Date: Tue, 19 Jan 2010 12:25:30 +0100
Subject: [c-nsp] IP Packet Debug - FIB errors
Message-ID: <20100119122530797.00000002356@wxpmlscop03mo>

Hello

Just have a question regarding FIB errors during packet debugging:

Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, input feature
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, input feature
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jan 19 12:17:48 MEZ: FIBipv4-packet-proc: route packet from Dialer3 src 172.31.55.194 dst 172.31.55.192
Jan 19 12:17:48 MEZ: FIBfwd-proc: Default:172.31.55.192/32 recieve entry
Jan 19 12:17:48 MEZ: FIBipv4-packet-proc: packet routing failed
Jan 19 12:17:48 MEZ: IP: tableid=0, s=172.31.55.194 (Dialer3), d=172.31.55.192 (Loopback13), routed via RIB
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, rcvd 4
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, stop process pak for forus packet
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, enqueue feature
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000, TCP Adjust MSS(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jan 19 12:18:01 MEZ: %HWIC_SHDSL-5-DSLGROUP_UPDOWN: SHDSL 0/0/0 dsl-group(1) state changed to administratively down.

What does that mean? I can't find any info on the Cisco pages!!! If you search for:
FIBipv4-packet-proc: packet routing failed

Ciao
Andre

Andre Schoppmeier
Telefónica o2 Germany GmbH & Co. OHG
Andre.Schoppmeier at telefonica.de
www.telefonica.de

The statutory company information required under commercial law is available here: www.telefonica.de/pflichtangaben.html

From rdobbins at arbor.net Tue Jan 19 07:24:01 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Tue, 19 Jan 2010 12:24:01 +0000
Subject: [c-nsp] IP Packet Debug - FIB errors
In-Reply-To: <20100119122530797.00000002356@wxpmlscop03mo>
References: <20100119122530797.00000002356@wxpmlscop03mo>
Message-ID: <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>

On Jan 19, 2010, at 6:25 PM, Andre Schoppmeier wrote:

> Just have a question regarding FIB errors during packet debugging:

FYI, IP packet debug is generally considered to be too dangerous for use on production boxes - it's a huge risk in terms of self-DoSing the router(s) in question.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From andre.schoppmeier at telefonica.de Tue Jan 19 07:39:51 2010
From: andre.schoppmeier at telefonica.de (Andre Schoppmeier)
Date: Tue, 19 Jan 2010 13:39:51 +0100
Subject: [c-nsp] IP Packet Debug - FIB errors
In-Reply-To: <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>
References: <20100119122530797.00000002356@wxpmlscop03mo> <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>
Message-ID: <20100119133951719.00000002356@wxpmlscop03mo>

Hello Roland,

I know that; we are testing configuring IP-SLA udp-jitter via SNMP with Infovista. But the IP SLA statistic runs into a timeout, so I did a debug ip packet with a filter and the result was the output I sent. If the packet could not be routed because of the FIB error, then I would understand the timeout of the udp-jitter.

Regards
Andre

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dobbins, Roland
Sent: Tuesday, 19 January 2010 13:24
To: Cisco-nsp
Subject: Re: [c-nsp] IP Packet Debug - FIB errors

On Jan 19, 2010, at 6:25 PM, Andre Schoppmeier wrote:

> Just have a question regarding FIB errors during packet debugging:

FYI, IP packet debug is generally considered to be too dangerous for use on production boxes - it's a huge risk in terms of self-DoSing the router(s) in question.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From asturluismi at gmail.com Tue Jan 19 07:41:50 2010
From: asturluismi at gmail.com (luismi)
Date: Tue, 19 Jan 2010 13:41:50 +0100
Subject: [c-nsp] IP Packet Debug - FIB errors
In-Reply-To: <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>
References: <20100119122530797.00000002356@wxpmlscop03mo> <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net>
Message-ID: <1263904910.5534.5.camel@hal9000>

I don't think so, "debug ip packet" is ok if you use a very specific ACL, IMHO.

I found "debug ip nat detailed" very dangerous; I saw a 7200 go down because of that command without too much NAT :-P

On Tue, 19-01-2010 at 12:24 +0000, Dobbins, Roland wrote:
> On Jan 19, 2010, at 6:25 PM, Andre Schoppmeier wrote:
>
> > Just have a question regarding FIB errors during packet debugging:
>
> FYI, IP packet debug is generally considered to be too dangerous for use on production boxes - it's a huge risk in terms of self-DoSing the router(s) in question.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken

From rdobbins at arbor.net Tue Jan 19 07:51:49 2010
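The exchange above is about reading a "debug ip packet" trace once, off-box, rather than leaving the debug running on a production router, which is the self-DoS risk Roland raises. The script below is an added example, not code from any list post: it walks Andre's lines (embedded here as the sample, with IOS's own "recieve" spelling kept) and classifies the packet by the dispositions IOS reports, so a trace captured with a tight ACL can be handed to someone else without re-running the debug. It only summarises what the lines say (CEF receive entry, RIB hand-off, local delivery); it does not diagnose the IP SLA timeout.

```python
"""Triage helper for 'debug ip packet' output.

Added example for the 'IP Packet Debug - FIB errors' thread; not code from
the list.  The sample is the trace quoted in the thread; the line formats
the regexes expect are taken from those lines only.
"""
import re

SAMPLE = """\
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, input feature
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, input feature
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jan 19 12:17:48 MEZ: FIBipv4-packet-proc: route packet from Dialer3 src 172.31.55.194 dst 172.31.55.192
Jan 19 12:17:48 MEZ: FIBfwd-proc: Default:172.31.55.192/32 recieve entry
Jan 19 12:17:48 MEZ: FIBipv4-packet-proc: packet routing failed
Jan 19 12:17:48 MEZ: IP: tableid=0, s=172.31.55.194 (Dialer3), d=172.31.55.192 (Loopback13), routed via RIB
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, rcvd 4
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, stop process pak for forus packet
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000
Jan 19 12:17:48 MEZ: IP: s=172.31.55.194 (Dialer3), d=172.31.55.192, len 60, enqueue feature
Jan 19 12:17:48 MEZ:     UDP src=59668, dst=16000, TCP Adjust MSS(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jan 19 12:18:01 MEZ: %HWIC_SHDSL-5-DSLGROUP_UPDOWN: SHDSL 0/0/0 dsl-group(1) state changed to administratively down.
"""

STAMP = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+: ")          # 'Jan 19 12:17:48 MEZ: '
IP_LINE = re.compile(
    r"IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \((?P<iif>[^)]+)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<oif>[^)]+)\))?(?:, len (?P<len>\d+))?, (?P<event>.+)$"
)
L4_LINE = re.compile(r"(?P<proto>UDP|TCP) src=(?P<sport>\d+), dst=(?P<dport>\d+)"
                     r"(?:, (?P<feature>[^,(]+)\(\d+\))?")
RECV_ENTRY = re.compile(r"FIBfwd-proc: \S+?:(?P<prefix>[\d.]+/\d+) rec(?:ie|ei)ve entry")


def triage(text):
    """Walk the debug lines in order and summarise one packet's path."""
    s = {
        "flow": None,               # (proto, src, sport, dst, dport)
        "in_interface": None,
        "features": [],             # feature names IOS ran on the packet
        "cef_receive_entry": None,  # /32 the router owns itself
        "cef_routing_failed": False,
        "routed_via_rib": None,     # interface chosen on the RIB path
        "delivered_locally": False, # 'rcvd' / 'forus' seen
        "events": [],
        "unrelated": [],            # syslog or other non-packet lines
    }
    last_ip = None
    for raw in text.splitlines():
        line = STAMP.sub("", raw).strip()
        if (m := IP_LINE.search(line)):
            last_ip = m
            s["in_interface"] = s["in_interface"] or m["iif"]
            s["events"].append(m["event"])
            if m["event"] == "routed via RIB":
                s["routed_via_rib"] = m["oif"]
            if m["event"].startswith("rcvd") or "forus packet" in m["event"]:
                s["delivered_locally"] = True
        elif (m := L4_LINE.match(line)):
            if last_ip is not None and s["flow"] is None:
                s["flow"] = (m["proto"], last_ip["src"], int(m["sport"]),
                             last_ip["dst"], int(m["dport"]))
            if m["feature"]:
                s["features"].append(m["feature"].strip())
        elif (m := RECV_ENTRY.search(line)):
            s["cef_receive_entry"] = m["prefix"]
            s["events"].append("cef receive entry")
        elif "packet routing failed" in line:
            s["cef_routing_failed"] = True
            s["events"].append("cef routing failed")
        elif "FIBipv4-packet-proc: route packet" in line:
            s["events"].append("cef lookup")
        elif line:
            s["unrelated"].append(line)
    return s


def verdict(s):
    """One-line reading of the trace for a hand-off note."""
    if s["delivered_locally"]:
        return (f"delivered to the router itself: {s['cef_receive_entry'] or 'destination'} "
                f"is a CEF receive entry, handed to the RIB ({s['routed_via_rib']}), "
                f"then rcvd/forus at process level")
    if s["cef_routing_failed"]:
        return "CEF could not route the packet and no local delivery was seen"
    return "packet was forwarded"


if __name__ == "__main__":
    summary = triage(SAMPLE)
    print(summary["flow"], "via", summary["in_interface"])
    print(" -> ".join(summary["events"]))
    print(verdict(summary))
```

The order of events is what makes the trace readable: CEF finds a receive entry for the destination, reports "packet routing failed" for its own path, the packet is then "routed via RIB" to Loopback13 and ends as "rcvd"/"forus", i.e. it reached the router's own process level. The unrelated SHDSL syslog line is kept aside rather than silently dropped, since a link going administratively down in the same second is worth a second look on its own.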
From: rdobbins at arbor.net (Dobbins, Roland) Date: Tue, 19 Jan 2010 12:51:49 +0000 Subject: [c-nsp] IP Packet Debug - FIB errors In-Reply-To: <1263904910.5534.5.camel@hal9000> References: <20100119122530797.00000002356@wxpmlscop03mo> <3E8F97A3-EE96-4521-B6BC-425BDC694152@arbor.net> <1263904910.5534.5.camel@hal9000> Message-ID: <99024FAD-3A38-4FA8-9376-AC8D44B02C3C@arbor.net> On Jan 19, 2010, at 7:41 PM, luismi wrote: > I dont think so, "debug ip packet" is ok if you use a very specific ACL, > IMHO. I've seen even that send RP CPU to 100%, depending upon pps - YMMV, of course. ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From ip at ioshints.info Tue Jan 19 09:49:06 2010 From: ip at ioshints.info (Ivan Pepelnjak) Date: Tue, 19 Jan 2010 15:49:06 +0100 Subject: [c-nsp] MPLS - CE to CE throughput [SEC=UNCLASSIFIED] In-Reply-To: <20100119041857.GN35418@stlux503.dsto.defence.gov.au> References: <8bb137f41001180857kf357958v311be8b8a40e9640@mail.gmail.com> <20100119041857.GN35418@stlux503.dsto.defence.gov.au> Message-ID: <004d01ca9916$8e2c0420$aa840c60$@info> Not nearly enough traffic. If you have reasonable-speed links, it's almost impossible to saturate them with low-end routers. We tried with several IOS-based options, including TTCP and had to fall back to embedded Linux-based solutions. Ivan Pepelnjak blog.ioshints.info / www.ioshints.info > -----Original Message----- > From: Wilkinson, Alex [mailto:alex.wilkinson at dsto.defence.gov.au] > Sent: Tuesday, January 19, 2010 5:19 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] MPLS - CE to CE throughput [SEC=UNCLASSIFIED] > > > 0n Mon, Jan 18, 2010 at 06:47:28PM +0100, Arie Vayner (avayner) wrote: > > >-----Original Message----- 
> >From: cisco-nsp-bounces at puck.nether.net
> >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jack daniels
> >Sent: Monday, January 18, 2010 18:58
> >To: cisco-nsp at puck.nether.net
> >Subject: [c-nsp] MPLS - CE to CE throughput
> >
> >Hi guys,
> >I want to check the throughput in scenario
> >CE1-----MPLS cloud ----CE2
>
> How about using CHARGEN ?
> [http://etherealmind.com/the-poor-mans-ios-traffic-generator/]
>
> -Alex
>
> IMPORTANT: This email remains the property of the Australian Defence
> Organisation and is subject to the jurisdiction of section 70 of the
> CRIMES ACT 1914. If you have received this email in error, you are
> requested to contact the sender and delete the email.
>

From amsoares at netcabo.pt Tue Jan 19 10:28:30 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Tue, 19 Jan 2010 15:28:30 -0000
Subject: [c-nsp] ASA 7.2 Interim Releases
In-Reply-To:
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local>
Message-ID:

Basically because I have customers that want to be always up to date.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, 19 January 2010 4:09
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

Would you clarify why you need something more recent? There's tons of code where your bug is fixed including (43) that you state you have.

tv

----- Original Message -----
From: "Antonio Soares"
To: "'Ryan West'" ;
Sent: Monday, January 18, 2010 11:46 AM
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

> Hello Ryan,
>
> It was because of Bug CSCsv25041. I think you are safe.
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Ryan West [mailto:rwest at zyedge.com]
> Sent: Monday, 18 January 2010 17:21
> To: Antonio Soares; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] ASA 7.2 Interim Releases
>
> Antonio,
>
>
>> -----Original Message-----
>> Sent: Monday, January 18, 2010 12:10 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ASA 7.2 Interim Releases
>>
>> Hello group,
>>
>> I see that the latest 7.2 interim release available on CCO is
>> 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would
>> like to know if there is something more recent available.
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>
> I have a lot of boxes with 7.2.4(33) and that is the latest publicly
> available interim release. I expect that a 7.2.5 release is in
> the works though. What was the cause for your TAC case?
>
> Thanks,
>
> -ryan
>

From mtinka at globaltransit.net Tue Jan 19 12:44:32 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 20 Jan 2010 01:44:32 +0800
Subject: [c-nsp] BGP - Announcing routes to Internet providers.
In-Reply-To:
References:
Message-ID: <201001200144.38879.mtinka@globaltransit.net>

On Thursday 07 January 2010 10:09:20 pm David Freedman wrote:

> When you add MPLS into the mix (for internet routing, not
> just VPN) your border router becomes an LER and as such
> you can't take advantage of the core routers and have
> them MPLS only LSRs at the same time. One solution may
> be to inject your supernets from your sources (i.e
> reflectors), perhaps with a bogus next hop (i.e with
> enough validity to be announced but not forwarding if it
> ever became a valid route for traffic to follow at the
> edge)

I'm guessing this is a pretty standard deployment in most (but perhaps not all) parts, regardless of whether MPLS is the sole forwarding engine in the core or not.

In our case (which is an IPv4 BGP-free core), all aggregates are originated by our route reflectors, and they point to 192.0.2.1 and 2001:db8::1. All our routers are configured to be adjacent to Null0 (IOS) or Discard (JUNOS) for those next-hop addresses.

It works!

Cheers,

Mark.

From dwhitejr at cisco.com Tue Jan 19 13:21:31 2010
From: dwhitejr at cisco.com (David White, Jr. (dwhitejr)) Date: Tue, 19 Jan 2010 13:21:31 -0500 Subject: [c-nsp] PIX/ASA OID for "show service-policy" In-Reply-To: <9C8FF20D386D4EF388BA7A772A2034BB@int.convex.pt> References: <9C8FF20D386D4EF388BA7A772A2034BB@int.convex.pt> Message-ID: <4B55F82B.8000002@cisco.com> Hi Antonio, The "show service-policy" output is not available via SNMP. Sorry, David. Antonio Soares wrote: > Hello group, > > I'm trying to find the OID that gives us the same type of information we see in the "show service-policy" output: > > pixfirewall(config)# show service-policy > > Global policy: > Service-policy: global_policy > Class-map: inspection_default > Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0 > Inspect: ftp, packet 0, drop 0, reset-drop 0 > Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0 > Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0 > Inspect: netbios, packet 0, drop 0, reset-drop 0 > Inspect: rsh, packet 0, drop 0, reset-drop 0 > Inspect: rtsp, packet 0, drop 0, reset-drop 0 > Inspect: skinny , packet 0, drop 0, reset-drop 0 > Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0 > Inspect: sqlnet, packet 0, drop 0, reset-drop 0 > Inspect: sunrpc, packet 0, drop 0, reset-drop 0 > Inspect: tftp, packet 0, drop 0, reset-drop 0 > Inspect: sip , packet 0, drop 0, reset-drop 0 > Inspect: xdmcp, packet 0, drop 0, reset-drop 0 > > Interface outside: > Service-policy: OUTSIDE > Class-map: CONNECTIONS > Set connection policy: conn-max 123 > current conns 0, drop 0 > pixfirewall(config)# > > The best SNMP objects i was able to find are 1.3.6.1.4.1.9.9.147 (ciscoFirewallMIB) and 1.3.6.1.4.1.9.9.491 > (ciscoUnifiedFirewallMIB) but they don't seem to have what i need. > > > > Thanks. 
> > Regards, > > Antonio Soares, CCIE #18473 (R&S/SP) > amsoares at netcabo.pt > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dwhitejr at cisco.com Tue Jan 19 13:23:15 2010 From: dwhitejr at cisco.com (David White, Jr. (dwhitejr)) Date: Tue, 19 Jan 2010 13:23:15 -0500 Subject: [c-nsp] ASA 7.2 Interim Releases In-Reply-To: <61653F59D5844000AF55C5528E048F23@int.convex.pt> References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> Message-ID: <4B55F893.20307@cisco.com> Hi Antonio, 7.2(4.44) is the latest. But you need a TAC case to get it, and an associated bug that you are running into which would be resolved by running 7.2(4.44). Sincerely, David. Antonio Soares wrote: > Hello group, > > I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would > like to know if there is something more recent available. > > > Thanks. > > Regards, > > Antonio Soares, CCIE #18473 (R&S/SP) > amsoares at netcabo.pt > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From amsoares at netcabo.pt Tue Jan 19 13:34:11 2010 From: amsoares at netcabo.pt (Antonio Soares) Date: Tue, 19 Jan 2010 18:34:11 -0000 Subject: [c-nsp] PIX/ASA OID for "show service-policy" In-Reply-To: <4B55F82B.8000002@cisco.com> References: <9C8FF20D386D4EF388BA7A772A2034BB@int.convex.pt> <4B55F82B.8000002@cisco.com> Message-ID: <55A465468D8840998A61ED1C04AC03CF@int.convex.pt> Thank you very much for this information. Regards, Antonio Soares, CCIE #18473 (R&S/SP) amsoares at netcabo.pt -----Original Message----- 
From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
Sent: Tuesday, 19 January 2010 18:22
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX/ASA OID for "show service-policy"

Hi Antonio,

The "show service-policy" output is not available via SNMP.

Sorry,
David.

Antonio Soares wrote:
> Hello group,
>
> I'm trying to find the OID that gives us the same type of information we see in the "show service-policy" output:
>
> pixfirewall(config)# show service-policy
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: inspection_default
>       Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
>       Inspect: ftp, packet 0, drop 0, reset-drop 0
>       Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
>       Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
>       Inspect: netbios, packet 0, drop 0, reset-drop 0
>       Inspect: rsh, packet 0, drop 0, reset-drop 0
>       Inspect: rtsp, packet 0, drop 0, reset-drop 0
>       Inspect: skinny , packet 0, drop 0, reset-drop 0
>       Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
>       Inspect: sqlnet, packet 0, drop 0, reset-drop 0
>       Inspect: sunrpc, packet 0, drop 0, reset-drop 0
>       Inspect: tftp, packet 0, drop 0, reset-drop 0
>       Inspect: sip , packet 0, drop 0, reset-drop 0
>       Inspect: xdmcp, packet 0, drop 0, reset-drop 0
>
> Interface outside:
>   Service-policy: OUTSIDE
>     Class-map: CONNECTIONS
>       Set connection policy: conn-max 123
>         current conns 0, drop 0
> pixfirewall(config)#
>
> The best SNMP objects I was able to find are 1.3.6.1.4.1.9.9.147 (ciscoFirewallMIB) and 1.3.6.1.4.1.9.9.491
> (ciscoUnifiedFirewallMIB) but they don't seem to have what I need.
>
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>

From amsoares at netcabo.pt  Tue Jan 19 13:38:10 2010
From: amsoares at netcabo.pt (Antonio Soares)
Date: Tue, 19 Jan 2010 18:38:10 -0000
Subject: [c-nsp] ASA 7.2 Interim Releases
In-Reply-To: <4B55F893.20307@cisco.com>
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <4B55F893.20307@cisco.com>
Message-ID: 

I know that 7.2.4(43) is a good release, so for me getting the list of bugs corrected in 7.2.4(44) would be enough. Can you provide that information? I know that I can open a TAC case, but there is a thing called Shared Support Metrics... :)

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
Sent: Tuesday, 19 January 2010 18:23
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

Hi Antonio,

7.2(4.44) is the latest. But you need a TAC case to get it, and an associated bug that you are running into which would be resolved by running 7.2(4.44).

Sincerely,

David.

Antonio Soares wrote:
> Hello group,
>
> I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would
> like to know if there is something more recent available.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>

From peter at rathlev.dk  Tue Jan 19 13:39:39 2010
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 19 Jan 2010 19:39:39 +0100
Subject: [c-nsp] Hardware PBR on Sup720/PFC3BXL
In-Reply-To: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com>
References: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com>
Message-ID: <1263926379.5037.23.camel@localhost>

Hi Robert,

On Mon, 2010-01-18 at 13:14 +0100, Robert Hass wrote:
> I have to implement some Policy-Based Routing (PBR) route-maps on a few
> Catalyst 6500s. We are currently using Sup720/PFC3BXL with IOS
> 12.2(33)SXH6, but we can migrate to SXI if it helps. Are the PBR
> route-maps below supported in hardware on PFC3B/DFC3B?
>
> route-map pbr2 permit 10
>  set global
> !
> route-map pbr permit 10
>  match ip address 160
>  set vrf r2
> !
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 780
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 782
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 787
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 790
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 796
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 range 50000 51000

A Sup720-10G running SXI will at least eat the commands. I'm afraid I don't have enough of a setup to test throughput, but it doesn't give any warnings at least.
I'm also no expert in Feature Manager output, but as far as I can see it should be supported in hardware:

R1(config)#ip vrf r2
R1(config-vrf)#rd 1:1
R1(config-vrf)#exit
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 780
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 782
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 787
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 790
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 eq 796
R1(config)#access-list 160 permit tcp any 10.6.0.0 0.0.255.255 range 50000 51000
R1(config)#route-map pbr2 permit 10
R1(config-route-map)#set global
R1(config-route-map)#exit
R1(config)#route-map pbr permit 10
R1(config-route-map)#match ip address 160
R1(config-route-map)#set vrf r2
R1(config-route-map)#exit
R1(config)#interface Gi4/20
R1(config-if)#no shutdown
00094: Jan 19 19:10:39.653 CET: %LINK-3-UPDOWN: Interface GigabitEthernet4/20, changed state to down
R1(config-if)#
000095: Jan 19 19:10:39.656 CET: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/20, changed state to down
R1(config-if)#
000096: Jan 19 19:10:39.660 CET: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/20, changed state to down
R1(config-if)#ip addr 10.6.7.1 255.255.255.252
R1(config-if)#ip policy route-map pbr
000097: Jan 19 19:10:54.897 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface VRF_2_vlan4076, changed state to up
R1(config-if)#^Z
000098: Jan 19 19:11:54.169 CET: %SYS-5-CONFIG_I: Configured from console by someone on vty0 (x.x.x.x)
R1#
R1#sh fm features bri | begin ^Interface: Gi.*4/20
Interface: GigabitEthernet4/20
  IP is enabled
  hw_state[INGRESS] = not reduced, hw_state[EGRESS] = not reduced
  mcast = 0
  priority = 0
  flags = 0x4
  parent[INGRESS] = none
  inbound label: 36
    Feature PBR - Policy Based Routing:
      Route-Map : pbr
        Sequence 65536 Result: FM_RESULT_PERMIT
        Sequence 10 Result: FM_RESULT_ADJREDIRECT
        Sequence 65537 Result: FM_RESULT_PERMIT
    Feature IPV4
      Default Result Feature:
    Feature OTHER
      Default Result Feature:
[...]
R1#

The full output of "show fm interface Gi4/20" and "show fm fie interface Gi4/20" also seems to support this being hardware switched.

HTH

-- 
Peter

From TLusty at csnstores.com  Tue Jan 19 13:04:18 2010
From: TLusty at csnstores.com (Tom Lusty)
Date: Tue, 19 Jan 2010 13:04:18 -0500
Subject: [c-nsp] ASA Failover without setting a Standby IP on an Interface
Message-ID: 

Hey Everyone,

We're running a pair of ASAs on 8.2(1), and we only have one available IP in our external range, and we want to have 2 ASAs for redundancy. So I wanted to know what the possible ramifications are for not setting a standby IP for an interface. My understanding is that the Primary ASA's IP is used in all cases by both primary and secondary ASAs when active, and it's only the MAC address that will change if the secondary ASA happens to boot and become active before the primary. Which is fairly trivial, and can be avoided with a bit of planning, so I'm not worried about this.

So my thinking is that since all traffic is going to be directed to the Primary ASA's external IP, and whatever ASA happens to be active will be able to communicate on this IP, then it should be fine. And that the only thing I'm potentially losing is the ability to SSH/manage the secondary ASA from the external IP, which is completely fine in my situation. Is there another case that I'm missing?

For clarification, the ASAs are connected with a dedicated crossover cable for failover and state information replication. So if an interface were to fail, the other ASA should (in theory) be notified via the failover connection.

Is this sound? Did I miss anything?
Thanks!
-Tom Lusty

From jshearer at amedisys.com  Tue Jan 19 14:21:15 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Tue, 19 Jan 2010 13:21:15 -0600
Subject: [c-nsp] ASA Failover without setting a Standby IP on an Interface
In-Reply-To: 
References: 
Message-ID: 

Correct. Just for management.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Lusty
Sent: Tuesday, January 19, 2010 12:04 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA Failover without setting a Standby IP on an Interface

Hey Everyone,

We're running a pair of ASAs on 8.2(1), and we only have one available IP in our external range, and we want to have 2 ASAs for redundancy. So I wanted to know what the possible ramifications are for not setting a standby IP for an interface. My understanding is that the Primary ASA's IP is used in all cases by both primary and secondary ASAs when active, and it's only the MAC address that will change if the secondary ASA happens to boot and become active before the primary. Which is fairly trivial, and can be avoided with a bit of planning, so I'm not worried about this.

So my thinking is that since all traffic is going to be directed to the Primary ASA's external IP, and whatever ASA happens to be active will be able to communicate on this IP, then it should be fine. And that the only thing I'm potentially losing is the ability to SSH/manage the secondary ASA from the external IP, which is completely fine in my situation. Is there another case that I'm missing?

For clarification, the ASAs are connected with a dedicated crossover cable for failover and state information replication. So if an interface were to fail, the other ASA should (in theory) be notified via the failover connection.

Is this sound? Did I miss anything?
Thanks!
-Tom Lusty
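A config check for the question in this thread, added here as an example and not code from the list or from Cisco: it parses an ASA 8.2-style configuration, flags interfaces that are still failover-monitored but carry no standby address (David White's point further down: without a standby address the two units cannot exchange hellos on that interface), and emits the `no monitor-interface` lines he suggests. The sample config, the "monitored unless disabled" default, and the regexes are my assumptions.

```python
"""Lint an ASA failover config for monitored interfaces without a standby IP.

Added example (not from the thread). Assumptions, labelled:
- every interface with a nameif is failover-monitored unless the config
  carries "no monitor-interface <nameif>";
- addressing uses the 8.2 syntax "ip address A.B.C.D MASK [standby E.F.G.H]".
"""
import re
from dataclasses import dataclass

# Constructed sample config modelled on the thread: only "outside" has no
# standby address because a single public IP is available.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet0/2
 description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface folink Ethernet0/2
failover link folink Ethernet0/2
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
monitor-interface inside
"""


@dataclass
class Interface:
    name: str               # physical or sub-interface, e.g. Ethernet0/0
    nameif: str = ""
    address: str = ""
    standby: str = ""
    monitored: bool = True  # assumption: monitored unless explicitly disabled


IFACE_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^ nameif (\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)(?: standby (\S+))?")
MON_RE = re.compile(r"^(no )?monitor-interface (\S+)")


def parse_config(text):
    """Return {nameif: Interface} for every interface that has a nameif."""
    by_phys, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = Interface(m.group(1))
            by_phys[current.name] = current
            continue
        if current is None:
            continue
        if not line.startswith(" "):      # "!" or a global command ends the block
            current = None
            continue
        m = NAMEIF_RE.match(line)
        if m:
            current.nameif = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m:
            current.address, current.standby = m.group(1), m.group(3) or ""
    named = {i.nameif: i for i in by_phys.values() if i.nameif}
    # Second pass: global monitor-interface / no monitor-interface lines.
    for line in text.splitlines():
        m = MON_RE.match(line)
        if m and m.group(2) in named:
            named[m.group(2)].monitored = m.group(1) is None
    return named


def find_unmonitorable(named):
    """Interfaces that are monitored but cannot exchange hellos (no standby IP)."""
    return sorted(n for n, i in named.items() if i.monitored and not i.standby)


def remediation(named):
    """Config lines that disable monitoring on the flagged interfaces."""
    return ["no monitor-interface %s" % n for n in find_unmonitorable(named)]


if __name__ == "__main__":
    for line in remediation(parse_config(SAMPLE_CONFIG)):
        print(line)
```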
From cm at n-home.ru  Tue Jan 19 14:24:19 2010
From: cm at n-home.ru (Cyrill Malevanov)
Date: Tue, 19 Jan 2010 22:24:19 +0300
Subject: [c-nsp] cisco 6509 rommon mode
In-Reply-To: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com>
References: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com>
Message-ID: <4FCE9955-18ED-411D-A8FE-09F69E4280E4@n-home.ru>

Try to remove and reinstall all modules in the switch.

On Jan 19, 2010, at 1:58 PM, ambedkar wrote:

> Hi, I am using a Cisco 6509 switch. This switch has not been powered on for the last year; now, after switching it on, it goes into ROMMON mode.
>
>
> The following is the log:
>
> Currently running ROMMON from S (Gold) region
> Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin
> Module 1 port ASIC 0 failed: Pinnacle Packet Buffer Error
> Module 1 reported following ports unusable
>   port 1 bad
>   port 2 bad
>   port 3 bad
>   port 4 bad
> inband gmac link did not come up: reseting the system
> System Bootstrap, Version 7.1(1)
> Copyright (c) 1994-2001 by cisco Systems, Inc.
> c6k_sup2 processor with 262144 Kbytes of main memory
>
> Autoboot executing command: "boot bootflash:cat6000-sup2cvk9.8-3-2.bin"
>
> Self decompressing the image : ##############################################################################################################]
>
>
> System Power On Diagnostics
> DRAM Size ..........................256 MB
> Testing DRAM .......................Passed
> Verifying Text Segment .............Passed
> NVRAM Size .........................512 KB
> Level2 Cache .......................Present
> Level3 Cache .......................Present
> System Power On Diagnostics Complete.
>
> ---------------------------------------------------------
>
> I tried the following commands:
> 1. boot
> 2. boot bootflash:cat6000-sup2cvk9.8-3-2.bin
> 3. I thought the IOS image may be damaged, so I used XMODEM to upload an IOS image, but after some time it also fails.
>
> Please help me,
> Thanks. Bye
>

From mail4hh at pobox.com  Tue Jan 19 14:30:32 2010
From: mail4hh at pobox.com (Hector Herrera)
Date: Tue, 19 Jan 2010 11:30:32 -0800
Subject: [c-nsp] Router recommendation for load balancing setup
Message-ID: 

Hello,

I'm looking for a router that can:

- handle load-balancing on two 100Mbps links with minimal cpu impact
- must have at least 4 ports, at least 2 of which should be GigE and the other two must support FE or GigE
- BGP with 25,000 routes

My budget is small (under $2,000) so I'm probably looking for EOL/EOS products.

I'm currently using a 3550-12t for the task, with the only drawback that the cpu hits 99% load with a 5000 packets per sec./40Mbps combined throughput on the load-balanced links. The two 100Mbps uplinks never reach more than 50% utilization because the router can't handle the load.

I would like to be able to handle up to 80% utilization on the 100Mbps links.

Thank you for your suggestions,

Hector

From dwhitejr at cisco.com  Tue Jan 19 14:51:38 2010
From: dwhitejr at cisco.com (David White, Jr. (dwhitejr))
Date: Tue, 19 Jan 2010 14:51:38 -0500
Subject: [c-nsp] ASA Failover without setting a Standby IP on an Interface
In-Reply-To: 
References: 
Message-ID: <4B560D4A.4020803@cisco.com>

Hi Tom,

If a standby IP is not assigned to the Outside interface, then that interface will not be able to participate in failover monitoring. Meaning, the two ASAs will not be able to exchange 'hellos' out that interface (as the Active unit will not have an IP to send the hello to on the Standby). Thus, if connectivity is lost between the two peers - due to something other than an ASA interface failure - then failover will not be able to react to it.

If you are only concerned with the ASA's outside interface failing, then this will still work (assuming the interface failure triggers the interface to transition to a down state), as the interface state will be exchanged with the peer on the failover LAN link.

If you choose to configure the ASAs this way, I would also suggest you manually disable failover monitoring on the outside interface using the command:

no monitor-interface outside

Sincerely,

David.

Tom Lusty wrote:
> Hey Everyone,
>
> We're running a pair of ASAs on 8.2(1), and we only have one available IP in our external range, and we want to have 2 ASAs for redundancy. So I wanted to know what the possible ramifications are for not setting a standby IP for an interface. My understanding is that the Primary ASA's IP is used in all cases by both primary and secondary ASAs when active, and it's only the MAC address that will change if the secondary ASA happens to boot and become active before the primary. Which is fairly trivial, and can be avoided with a bit of planning, so I'm not worried about this.
>
> So my thinking is that since all traffic is going to be directed to the Primary ASA's external IP, and whatever ASA happens to be active will be able to communicate on this IP, then it should be fine.
> And that the only thing I'm potentially losing is the ability to SSH/manage the secondary ASA from the external IP, which is completely fine in my situation. Is there another case that I'm missing?
>
> For clarification, the ASAs are connected with a dedicated crossover cable for failover and state information replication. So if an interface were to fail, the other ASA should (in theory) be notified via the failover connection.
>
> Is this sound? Did I miss anything?
> Thanks!
> -Tom Lusty
>

From dwhitejr at cisco.com  Tue Jan 19 15:05:27 2010
From: dwhitejr at cisco.com (David White, Jr. (dwhitejr))
Date: Tue, 19 Jan 2010 15:05:27 -0500
Subject: [c-nsp] ASA 7.2 Interim Releases
In-Reply-To: 
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <4B55F893.20307@cisco.com>
Message-ID: <4B561087.8070203@cisco.com>

Answered off-line.

Sincerely,

David.

Antonio Soares wrote:
> I know that 7.2.4(43) is a good release, so for me getting the list of bugs corrected in 7.2.4(44) would be enough. Can you provide
> that information? I know that I can open a TAC case, but there is a thing called Shared Support Metrics... :)
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
> Sent: Tuesday, 19 January 2010 18:23
> To: Antonio Soares
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA 7.2 Interim Releases
>
> Hi Antonio,
>
> 7.2(4.44) is the latest. But you need a TAC case to get it, and an
> associated bug that you are running into which would be resolved by
> running 7.2(4.44).
>
> Sincerely,
>
> David.
>
> Antonio Soares wrote:
>
>> Hello group,
>>
>> I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would
>> like to know if there is something more recent available.
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>>
>
>

From sethm at rollernet.us  Tue Jan 19 15:11:16 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 19 Jan 2010 12:11:16 -0800
Subject: [c-nsp] Disabling SNMP for certain BGP neighbors
Message-ID: <4B5611E4.3010600@rollernet.us>

Is there any way to disable SNMP traps for a subset of BGP neighbors, like there is for interfaces? I have a couple of BGP sessions that are of "don't care" priority and they don't need to send traps when they flap (although rarely, it's always when I'm sleeping).

~Seth

From mhuff at ox.com  Tue Jan 19 15:17:26 2010
From: mhuff at ox.com (Matthew Huff)
Date: Tue, 19 Jan 2010 15:17:26 -0500
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com>

Other than stackwise on the 3750-E, I haven't been able to discern a whole lot of differences between the two switches. Since the 3750-E is about 2 x the price of a similar 3560-E, I want to make sure I'm not missing anything. Does anyone know of any literature that compares the two? Anyone have any war stories?

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From A.L.M.Buxey at lboro.ac.uk  Tue Jan 19 16:47:42 2010
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 19 Jan 2010 21:47:42 +0000
Subject: [c-nsp] cisco 6509 rommon mode
In-Reply-To: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com>
References: <20100119105852.38859.qmail@f4mail-235-246.rediffmail.com>
Message-ID: <20100119214742.GB17973@lboro.ac.uk>

hi,

rust, moisture, corrosion, dust? I'd have a good look at each module and component.

alan

From peter at rathlev.dk  Tue Jan 19 17:01:14 2010
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 19 Jan 2010 23:01:14 +0100
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com>
Message-ID: <1263938474.14083.6.camel@localhost>

On Tue, 2010-01-19 at 15:17 -0500, Matthew Huff wrote:
> Other than stackwise on the 3750-E, I haven't been able to discern a
> whole lot of differences between the two switches. Since the 3750-E is
> about 2 x the price of a similar 3560-E, I want to make sure I'm not
> missing anything. Does anyone know of any literature that compares the
> two? Anyone have any war stories?

I also can't tell the difference. We've been using pairs of 3560E's as replacement for stacked pairs of 3750G's (non-E) and are very happy about that.

They have almost the exact same specs according to the data sheets[0] apart from the stacking thing. And in my eyes it's wrong to pay for specific "low availability" features. ;-)

-- 
Peter

[0]: Links to data sheets for the two models:
Cisco Catalyst 3560-E Series Switches
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7078/product_data_sheet0900aecd805bac22.html
Cisco Catalyst 3750-E Series Switches Data Sheet
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7077/product_data_sheet0900aecd805bbe67.html

From tvarriale at comcast.net  Tue Jan 19 17:07:22 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 19 Jan 2010 16:07:22 -0600
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> <1263938474.14083.6.camel@localhost>
Message-ID: <7170A47732B94D738DBA429264E0F5AA@flamdt01>

----- Original Message -----
From: "Peter Rathlev"
To: "Matthew Huff"
Cc: 
Sent: Tuesday, January 19, 2010 4:01 PM
Subject: Re: [c-nsp] Differences between 3750-E and 3560-E switches

> On Tue, 2010-01-19 at 15:17 -0500, Matthew Huff wrote:
>> Other than stackwise on the 3750-E, I haven't been able to discern a
>> whole lot of differences between the two switches. Since the 3750-E is
>> about 2 x the price of a similar 3560-E, I want to make sure I'm not
>> missing anything. Does anyone know of any literature that compares the
>> two?

I don't, but they are the same switches other than the stackwise.

> Anyone have any war stories?

Yes, but there are many long stories. The best advice I could offer is to understand how stackwise really works and understand packet flow. This was more of an issue for the non-E. The Es are fine.

tv

From mhuff at ox.com  Tue Jan 19 17:11:22 2010
From: mhuff at ox.com (Matthew Huff)
Date: Tue, 19 Jan 2010 17:11:22 -0500
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To: <1263938474.14083.6.camel@localhost>
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> <1263938474.14083.6.camel@localhost>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F600@PUR-EXCH07.ox.com>

> I also can't tell the difference. We've been using pairs of 3560E's as
> replacement for stacked pairs of 3750G's (non-E) and are very happy
> about that.
>
> They have almost the exact same specs according to the data sheets[0]
> apart from the stacking thing. And in my eyes it's wrong to pay for
> specific "low availability" features. ;-)
>
> -- 
> Peter

I've read through the data sheets, and I also can't see any significant differences. I was wondering if there were some hardware differences (like CAM table size, ethernet input/output buffer sizes), etc...

From manisridhar at gmail.com  Tue Jan 19 17:29:50 2010
From: manisridhar at gmail.com (Sridhar)
Date: Tue, 19 Jan 2010 14:29:50 -0800
Subject: [c-nsp] OSPFv3 as PE-CE protocol for 6VPE on IOS-XR ?
Message-ID: 

Hello!

Is OSPFv3 supported as a PE-CE protocol for 6VPE on IOS-XR? The Cisco IOS-XR MPLS config guide only specifies BGP as the PE-CE protocol, and I haven't been able to configure a VRF under OSPFv3.

thanks
sridhar

From cwu at ffn.com  Tue Jan 19 17:34:55 2010
From: cwu at ffn.com (Minzhi (Catherine) Wu)
Date: Tue, 19 Jan 2010 14:34:55 -0800
Subject: [c-nsp] OSPFv3 as PE-CE protocol for 6VPE on IOS-XR ?
In-Reply-To: 
References: 
Message-ID: <30B3DF511CEC5C4DAE4D0D29050475341B1C80A1B1@AAA.pmgi.local>

Only BGP and Static are supported for 6VPE per Cisco.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sridhar
Sent: Tuesday, January 19, 2010 2:30 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OSPFv3 as PE-CE protocol for 6VPE on IOS-XR ?

Hello!

Is OSPFv3 supported as a PE-CE protocol for 6VPE on IOS-XR? The Cisco IOS-XR MPLS config guide only specifies BGP as the PE-CE protocol, and I haven't been able to configure a VRF under OSPFv3.

thanks
sridhar

From cm at n-home.ru  Tue Jan 19 18:48:51 2010
From: cm at n-home.ru (Cyrill Malevanov)
Date: Wed, 20 Jan 2010 02:48:51 +0300
Subject: [c-nsp] Router recommendation for load balancing setup
In-Reply-To: 
References: 
Message-ID: <2DD4F8A9-2F58-46C6-9875-7B1521A2D99C@n-home.ru>

If you reduce the number of BGP routes to 12000 your 3550-12T will handle two GigE uplinks with no CPU impact. Just use the correct SDM template.

On Jan 19, 2010, at 10:30 PM, Hector Herrera wrote:

> Hello,
>
> I'm looking for a router that can:
>
> - handle load-balancing on two 100Mbps links with minimal cpu impact
> - must have at least 4 ports, at least 2 of which should be GigE and
> the other two must support FE or GigE
> - BGP with 25,000 routes
>
> My budget is small (under $2,000) so I'm probably looking for EOL/EOS products.
>
> I'm currently using a 3550-12t for the task, with the only drawback
> that the cpu hits 99% load with a 5000 packets per sec./40Mbps
> combined throughput on the load-balanced links. The two 100Mbps
> uplinks never reach more than 50% utilization because the router can't
> handle the load.
>
> I would like to be able to handle up to 80% utilization on the 100Mbps links.
>
> Thank you for your suggestions,
>
> Hector

From scottowens12 at gmail.com  Tue Jan 19 19:01:52 2010
From: scottowens12 at gmail.com (scott owens)
Date: Tue, 19 Jan 2010 18:01:52 -0600
Subject: [c-nsp] Router recommendation for load balancing setup
Message-ID: 

>
>
> Message: 2
> Date: Tue, 19 Jan 2010 11:30:32 -0800
> From: Hector Herrera
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Router recommendation for load balancing setup
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> I'm looking for a router that can:
>
> - handle load-balancing on two 100Mbps links with minimal cpu impact
> - must have at least 4 ports, at least 2 of which should be GigE and
> the other two must support FE or GigE
> - BGP with 25,000 routes
>
> My budget is small (under $2,000) so I'm probably looking for EOL/EOS
> products.
>
> I'm currently using a 3550-12t for the task, with the only drawback
> that the cpu hits 99% load with a 5000 packets per sec./40Mbps
> combined throughput on the load-balanced links. The two 100Mbps
> uplinks never reach more than 50% utilization because the router can't
> handle the load.
>
> I would like to be able to handle up to 80% utilization on the 100Mbps
> links.
>
> Thank you for your suggestions,
>
> Hector
>
>

7206 w/ np400 ?

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Platform      Process Switching     Fast/CEF Switching    EOS?
              PPS       Mbps        PPS       Mbps
7500-RSP8     22,000    11.264      470,000   240.64      15-Dec-07
7500-RSP16    29,000    14.848      530,000   271.36      15-Dec-07
7200-NPE300   20,000    10.24       353,000   180.74      31-Dec-01
7200-NPE400   20,000    10.24       420,000   215.04      No

I might have one or two 7206s (if I can add that) for a fair price.

From cordmacleod at gmail.com  Tue Jan 19 19:15:40 2010
From: cordmacleod at gmail.com (Cord MacLeod)
Date: Tue, 19 Jan 2010 16:15:40 -0800
Subject: [c-nsp] Router recommendation for load balancing setup
In-Reply-To: <2DD4F8A9-2F58-46C6-9875-7B1521A2D99C@n-home.ru>
References: <2DD4F8A9-2F58-46C6-9875-7B1521A2D99C@n-home.ru>
Message-ID: <5268B0D2-3855-41C0-9D49-B6E9EFF78114@gmail.com>

On Jan 19, 2010, at 3:48 PM, Cyrill Malevanov wrote:

> If you reduce the number of BGP routes to 12000 your 3550-12T will handle two GigE uplinks with no CPU impact. Just use the correct SDM template.

Seconded. I use 3550s in my network. 24k is the maximum unicast route table limit that Cisco publishes; this is why your router is falling over. If possible, aggregate the routes.

>
> On Jan 19, 2010, at 10:30 PM, Hector Herrera wrote:
>
>> Hello,
>>
>> I'm looking for a router that can:
>>
>> - handle load-balancing on two 100Mbps links with minimal cpu impact
>> - must have at least 4 ports, at least 2 of which should be GigE and
>> the other two must support FE or GigE
>> - BGP with 25,000 routes
>>
>> My budget is small (under $2,000) so I'm probably looking for EOL/EOS products.
>>
>> I'm currently using a 3550-12t for the task, with the only drawback
>> that the cpu hits 99% load with a 5000 packets per sec./40Mbps
>> combined throughput on the load-balanced links. The two 100Mbps
>> uplinks never reach more than 50% utilization because the router can't
>> handle the load.
>>
>> I would like to be able to handle up to 80% utilization on the 100Mbps links.
>>
>> Thank you for your suggestions,
>>
>> Hector
>

From dsinn at dsinn.com  Tue Jan 19 19:18:51 2010
From: dsinn at dsinn.com (David Sinn)
Date: Tue, 19 Jan 2010 16:18:51 -0800
Subject: [c-nsp] Hardware PBR on Sup720/PFC3BXL
In-Reply-To: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com>
References: <526260cf1001180414y4267e453se2fac4b8e9d8dafb@mail.gmail.com>
Message-ID: 

I've not done VRF Select PBR myself, but it would appear that it was first integrated in 12.2(33)SXH1, so you could be running into a bug, or not totally following the implementation guide, as it would appear that you need to give a next hop when using the "set vrf [instance]" term in the route-map:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_mltvrf_slct_pbr.html

Hope that helps!

David

On Jan 18, 2010, at 4:14 AM, Robert Hass wrote:

> Hi
>
> I have to implement some Policy-Based Routing (PBR) route-maps on a few
> Catalyst 6500s. We are currently using Sup720/PFC3BXL with IOS
> 12.2(33)SXH6, but we can migrate to SXI if it helps. Are the PBR
> route-maps below supported in hardware on PFC3B/DFC3B?
>
> route-map pbr2 permit 10
>  set global
> !
> route-map pbr permit 10
>  match ip address 160
>  set vrf r2
> !
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 780
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 782
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 787
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 790
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 eq 796
> access-list 160 permit tcp any x.x.0.0 0.0.255.255 range 50000 51000
>
> Thanks
> Robert

From tvarriale at comcast.net  Tue Jan 19 23:10:55 2010
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 19 Jan 2010 22:10:55 -0600
Subject: [c-nsp] ASA 7.2 Interim Releases
References: <61653F59D5844000AF55C5528E048F23@int.convex.pt> <5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local>
Message-ID: 

With engineering code that hasn't had 1 ounce of regression testing?

tv

----- Original Message -----
From: "Antonio Soares"
To: "'Tony Varriale'" ;
Sent: Tuesday, January 19, 2010 9:28 AM
Subject: RE: [c-nsp] ASA 7.2 Interim Releases

Basically because I have customers that want to be always up to date.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, 19 January 2010 4:09
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

Would you clarify why you need something more recent? There's tons of code where your bug is fixed, including (43) that you state you have.

tv

----- Original Message -----
From: "Antonio Soares"
To: "'Ryan West'" ;
Sent: Monday, January 18, 2010 11:46 AM
Subject: Re: [c-nsp] ASA 7.2 Interim Releases

> Hello Ryan,
>
> It was because of Bug CSCsv25041. I think you are safe.
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Ryan West [mailto:rwest at zyedge.com]
> Sent: Monday, 18 January 2010 17:21
> To: Antonio Soares; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] ASA 7.2 Interim Releases
>
> Antonio,
>
>> -----Original Message-----
>> Sent: Monday, January 18, 2010 12:10 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ASA 7.2 Interim Releases
>>
>> Hello group,
>>
>> I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would like to know if there is something more recent available.
>>
>> Thanks.
>>
>> Regards,
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>
> I have a lot of boxes with 7.2.4(33) and that is the latest publicly available interim release. I expect that a 7.2.5 release is in the works though. What was the cause for your TAC case?
>
> Thanks,
>
> -ryan
From lists at hojmark.org Wed Jan 20 01:13:03 2010
From: lists at hojmark.org (Asbjorn Hojmark - Lists) Date: Wed, 20 Jan 2010 07:13:03 +0100 Subject: [c-nsp] Differences between 3750-E and 3560-E switches In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com> Message-ID:
On Tue, 19 Jan 2010 15:17:26 -0500, you wrote:
> Other than stackwise on the 3750-E, I haven't been able to discern a whole lot of differences between the two switches.
That *is* the only difference.
-A
From chris.garzon at gmail.com Wed Jan 20 02:22:04 2010
From: chris.garzon at gmail.com (Dracul) Date: Wed, 20 Jan 2010 15:22:04 +0800 Subject: [c-nsp] on Bogons and default bgp routes Message-ID: <876789291001192322t1c6c1062o2c3038c1a1628517@mail.gmail.com>
Hi list,
I have several BGP networks that only use default routes from a couple of ISPs. Is it necessary for us to implement bogon lists or just leave it up to our upstreams? Although we put the basic martian list in, we don't have full routes implemented as we only use BGP for redundancy purposes.
thanks!
chris
From p_ambedkar at rediffmail.com Wed Jan 20 02:11:39 2010
From: p_ambedkar at rediffmail.com (ambedkar ) Date: 20 Jan 2010 07:11:39 -0000 Subject: [c-nsp] cisco 6509 rommon mode Message-ID: <20100120071139.983.qmail@f4mail206.rediffmail.com>
Hi,
I cleaned the modules of the 6509 and reinstalled them; it shows:
inband gmac link did not come up: reseting the system
System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 262144 Kbytes of main memory
Autoboot executing command: "boot bootflash:"
Self decompressing the image : ##############################################################################################################]
System Power On Diagnostics
DRAM Size ..........................256 MB
Testing DRAM .......................Passed
Verifying Text Segment .............Passed
NVRAM Size .........................512 KB
Level2 Cache .......................Present
Level3 Cache .......................Present
System Power On Diagnostics Complete
Currently running ROMMON from S (Gold) region
Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin
System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
Warning: Rommon NVRAM area is corrupted. Initialize the area to default values
c6k_sup2 processor with 262144 Kbytes of main memory
Autoboot: failed, BOOT string is empty
rommon 1 >
rommon 1 >
After this, if I execute the command BOOT, it once again shows the old log as below.
thanks, bye.
------------------------------------------------------------------------
Hi,
I am using a cisco 6509 switch. This switch was not powered on for the last year; now after switching it on, it is going to ROMMON mode.
The following is the log:
Currently running ROMMON from S (Gold) region
Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin
Module 1 port ASIC 0 failed: Pinnacle Packet Buffer Error
Module 1 reported following ports unusable
port 1 bad
port 2 bad
port 3 bad
port 4 bad
inband gmac link did not come up: reseting the system
System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 262144 Kbytes of main memory
Autoboot executing command: "boot bootflash:cat6000-sup2cvk9.8-3-2.bin"
Self decompressing the image : ##############################################################################################################]
System Power On Diagnostics
DRAM Size ..........................256 MB
Testing DRAM .......................Passed
Verifying Text Segment .............Passed
NVRAM Size .........................512 KB
Level2 Cache .......................Present
Level3 Cache .......................Present
System Power On Diagnostics Complete.
---------------------------------------------------------
I tried the following commands:
1. boot
2. boot bootflash:cat6000-sup2cvk9.8-3-2.bin
3. I thought the IOS image may be damaged, so I used XMODEM to upload an IOS image, but after some time it also fails.
please help me,
Thanks. bye
From soonkian.wong at gmail.com Wed Jan 20 04:09:16 2010
From: soonkian.wong at gmail.com (Soon Kian) Date: Wed, 20 Jan 2010 17:09:16 +0800 Subject: [c-nsp] IOS Recommendations for Voice Application Message-ID: <371cac6a1001200109u730efaefl6e1a8f5f0726392e@mail.gmail.com>
Dear All,
Any recommendations for a stable *IOS* supporting Voice application on Cisco2811 and 3845
Thanks in advance!
From simon at pitwood.org Wed Jan 20 05:18:23 2010
From: simon at pitwood.org (simon at pitwood.org) Date: Wed, 20 Jan 2010 10:18:23 -0000 (GMT) Subject: [c-nsp] IOS Recommendations for Voice Application In-Reply-To: <371cac6a1001200109u730efaefl6e1a8f5f0726392e@mail.gmail.com> References: <371cac6a1001200109u730efaefl6e1a8f5f0726392e@mail.gmail.com> Message-ID: <8522.193.42.252.4.1263982703.squirrel@webmail.daily.co.uk>
You can try this, it should answer some questions.
http://www.ciscosystems.com/en/US/products/hw/routers/ps259/products_tech_note09186a00800e73f6.shtml
Regards
Simon
Dear All, Any recommendations for a stable *IOS* supporting Voice application on Cisco2811 and 3845 Thanks in advance!
From amsoares at netcabo.pt Wed Jan 20 06:09:57 2010
From: amsoares at netcabo.pt (Antonio Soares) Date: Wed, 20 Jan 2010 11:09:57 -0000 Subject: [c-nsp] ASA 7.2 Interim Releases In-Reply-To: References: <61653F59D5844000AF55C5528E048F23@int.convex.pt><5DC4853C6CC3EE4788779E0726E034DD0A5CBF@zy-ex1.zyedge.local> Message-ID: <0EC3BC41F5BB4B858067E811C4F29A57@int.convex.pt>
Some prefer to take that risk instead of being exposed to some security holes. Sometimes the only alternative is to make a major upgrade, which is not necessarily a good thing.
Regards, Antonio Soares, CCIE #18473 (R&S/SP) amsoares at netcabo.pt
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale Sent: Wednesday, 20 January 2010 4:11 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ASA 7.2 Interim Releases
With engineering code that hasn't had 1 ounce of regression testing?
tv
----- Original Message -----
From: "Antonio Soares" To: "'Tony Varriale'" ; Sent: Tuesday, January 19, 2010 9:28 AM Subject: RE: [c-nsp] ASA 7.2 Interim Releases
Basically because I have customers that want to be always up to date.
Regards, Antonio Soares, CCIE #18473 (R&S/SP) amsoares at netcabo.pt
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale Sent: Tuesday, 19 January 2010 4:09 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ASA 7.2 Interim Releases
Would you clarify why you need something more recent? There's tons of code where your bug is fixed including (43) that you state you have.
tv
----- Original Message -----
From: "Antonio Soares" To: "'Ryan West'" ; Sent: Monday, January 18, 2010 11:46 AM Subject: Re: [c-nsp] ASA 7.2 Interim Releases
> Hello Ryan,
>
> It was because of Bug CSCsv25041. I think you are safe.
>
> Regards,
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Ryan West [mailto:rwest at zyedge.com]
> Sent: Monday, 18 January 2010 17:21
> To: Antonio Soares; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] ASA 7.2 Interim Releases
>
> Antonio,
>
>> -----Original Message-----
>> Sent: Monday, January 18, 2010 12:10 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ASA 7.2 Interim Releases
>>
>> Hello group,
>>
>> I see that the latest 7.2 interim release available on CCO is 7.2.4(33). I have with me 7.2.4(43) because of a TAC case. I would like to know if there is something more recent available.
>>
>> Thanks.
>>
>> Regards,
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>
> I have a lot of boxes with 7.2.4(33) and that is the latest publicly available interim release. I expect that a 7.2.5 release is in the works though. What was the cause for your TAC case?
>
> Thanks,
>
> -ryan
From vijaygore27 at gmail.com Wed Jan 20 06:30:59 2010
From: vijaygore27 at gmail.com (vijay gore) Date: Wed, 20 Jan 2010 17:00:59 +0530 Subject: [c-nsp] Fiber converter Message-ID: <31533f201001200330w5247458bx81fb2fdc2e4e2755@mail.gmail.com>
dear all.
types of fiber converters ????
From gert at greenie.muc.de Wed Jan 20 07:38:36 2010
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 20 Jan 2010 13:38:36 +0100 Subject: [c-nsp] Router recommendation for load balancing setup In-Reply-To: References: Message-ID: <20100120123836.GK857@greenie.muc.de>
Hi,
On Tue, Jan 19, 2010 at 11:30:32AM -0800, Hector Herrera wrote:
> I'm currently using a 3550-12t for the task, with the only drawback that the cpu hits 99% load with a 5000 packets per sec./40Mbps combined throughput on the load-balanced links. The two 100Mbps uplinks never reach more than 50% utilization because the router can't handle the load.
"something is seriously wrong there" - a 3550 should never see CPU load, even with all ports running at full speed, as the packets are forwarded in hardware (nb: don't call a 3550 a "router"...).
Now, there are situations where the CPU needs to touch the packets, and then the performance goes seriously down the drain...
As for "why is it CPU-switching the packets", I don't have much expertise with the 3550s - usually it's some feature (ICMP redirects, packets going in and out over the same interface, too many routes for TCAM, ...) that kills hardware forwarding.
gert
-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From scottowens12 at gmail.com Wed Jan 20 08:19:27 2010
From: scottowens12 at gmail.com (scott owens) Date: Wed, 20 Jan 2010 07:19:27 -0600 Subject: [c-nsp] Differences between 3750-E and 3560-E switches Message-ID:
>
> Message: 1
> Date: Tue, 19 Jan 2010 17:11:22 -0500
> From: Matthew Huff
> To: "'Peter Rathlev'"
> Cc: "'cisco-nsp at puck.nether.net'"
> Subject: Re: [c-nsp] Differences between 3750-E and 3560-E switches
> Message-ID: <483E6B0272B0284BA86D7596C40D29F9E2BC79F600 at PUR-EXCH07.ox.com>
> Content-Type: text/plain; charset="utf-8"
>
> > I also can't tell the difference. We've been using pairs of 3560E's as replacement for stacked pairs of 3750G's (non-E) and are very happy about that.
> >
> > They have almost the exact same specs according to the data sheets[0] apart from the stacking thing. And in my eyes it's wrong to pay for specific "low availability" features. ;-)
> >
> > --
> > Peter
>
> I've read through the data sheets, and I also can't see any significant differences. I was wondering if there were some hardware differences (like CAM table size, ethernet input/output buffer sizes), etc...
>
That stacking feature IS the cool thing. If you don't need it, skip it; maybe even look at the 295x or 296x platform unless you possibly need POE as well - the "2"s don't support it. But the ability to team/etherchannel servers via LACP and use BOTH teamed links at the same time instead of single links due to spanning-tree blocking is a great thing. It is one reason GLBP is not available on the 3750s - it's not needed to get load balanced routing either. Just think of the 3750s as baby VSS-6500s or Nexus 7Ks :)
From steve at ibctech.ca Wed Jan 20 08:22:10 2010
From: steve at ibctech.ca (Steve Bertrand) Date: Wed, 20 Jan 2010 08:22:10 -0500 Subject: [c-nsp] on Bogons and default bgp routes In-Reply-To: <876789291001192322t1c6c1062o2c3038c1a1628517@mail.gmail.com> References: <876789291001192322t1c6c1062o2c3038c1a1628517@mail.gmail.com> Message-ID: <4B570382.9090502@ibctech.ca> Dracul wrote: > Hi list, > > i have several BGP networks that only use default routes from a couple of > ISPs. Is it necessary for us to implement bogon lists or just > leave it up to our upstreams? Although we put the basic martian list, we > don't have fullroutes implemented as we only use bgp for redundancy > purposes. Don't trust what your upstreams may or may not be doing. If you configure your network with BOGON lists, you can block that traffic inbound at your edge, and more importantly, rest assured that you won't expend resources on other networks if they don't happen to filter. Team Cymru has an easy-to-set-up BGP peering route-server to keep up to date automatically: http://www.team-cymru.org/Services/Bogons/routeserver.html Steve From rwest at zyedge.com Wed Jan 20 08:31:31 2010 From: rwest at zyedge.com (Ryan West) Date: Wed, 20 Jan 2010 13:31:31 +0000 Subject: [c-nsp] Differences between 3750-E and 3560-E switches In-Reply-To: References: Message-ID: <5DC4853C6CC3EE4788779E0726E034DD0ACE7C@zy-ex1.zyedge.local> Scott, > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Differences between 3750-E and 3560-E switches > > maybe even look at the 295x or 296x platform unless you possibly need > POE as > well - the "2"s don't support it. Maybe you were thinking of routing capabilities? Several of the 2 series lines have PoE models. http://www.cisco.com/en/US/products/ps6406/prod_models_comparison.html -ryan From eng_mssk at hotmail.com Wed Jan 20 09:19:09 2010 
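Steve's advice in the bogon thread above is to filter at your own edge rather than trust upstreams, and to keep the list current. As an added example (not code from the thread, from Team Cymru or from Cisco), this Python script renders a named IOS extended ACL from a bogon prefix list and emits the commands needed to roll the ACL forward when the list changes; the prefix list is a constructed subset of the traditional bogons, and the ACL name and sequence numbering are assumptions.

```python
"""Added example, not from the cisco-nsp thread or Team Cymru: render a
named IOS bogon ACL from a prefix list and produce the commands that move
an already-deployed ACL to an updated list."""
import ipaddress

# Constructed subset of the traditional bogon / martian prefixes
# (RFC 1918, loopback, link-local, documentation, benchmarking,
# multicast, reserved).  A static list like this goes stale; treat it
# as sample data, not as the current bogon list.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
]

ACL_NAME = "BOGONS-IN"   # assumed name, not from the thread
PERMIT_SEQ = 10000       # final permit; room below it for added denies
SEQ_STEP = 10


def to_wildcard(prefix: str) -> str:
    """'172.16.0.0/12' -> '172.16.0.0 0.15.255.255' (IOS inverse mask)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f"{net.network_address} {net.hostmask}"


def render_acl(name: str, bogons) -> list:
    """Full named extended ACL: one sequenced deny per bogon, then permit."""
    lines = [f"ip access-list extended {name}"]
    for i, prefix in enumerate(bogons, start=1):
        lines.append(f" {i * SEQ_STEP} deny ip {to_wildcard(prefix)} any")
    lines.append(f" {PERMIT_SEQ} permit ip any any")
    return lines


def update_commands(name: str, old, new) -> list:
    """Commands to move an ACL rendered from `old` to the contents of `new`.

    Removed prefixes are deleted by matching entry; added prefixes get the
    next free sequence number below PERMIT_SEQ, so they cannot land after
    the final permit (an appended deny would never be evaluated).
    Assumes the deployed ACL was produced by render_acl(name, old).
    """
    old, new = list(old), list(new)
    cmds = [f"ip access-list extended {name}"]
    for prefix in old:
        if prefix not in new:
            cmds.append(f" no deny ip {to_wildcard(prefix)} any")
    next_seq = (len(old) + 1) * SEQ_STEP   # first unused slot
    for prefix in new:
        if prefix not in old:
            if next_seq >= PERMIT_SEQ:
                raise ValueError("no free sequence number below the permit")
            cmds.append(f" {next_seq} deny ip {to_wildcard(prefix)} any")
            next_seq += SEQ_STEP
    return cmds


def matching_bogon(address: str, bogons):
    """Prefix in `bogons` that covers `address`, or None if none does."""
    ip = ipaddress.ip_address(address)
    for prefix in bogons:
        if ip in ipaddress.ip_network(prefix):
            return prefix
    return None


if __name__ == "__main__":
    print("\n".join(render_acl(ACL_NAME, BOGONS)))
    # Simulate a list update: one prefix dropped, one added (constructed).
    updated = [p for p in BOGONS if p != "100.64.0.0/10"] + ["192.88.99.0/24"]
    print("\n".join(update_commands(ACL_NAME, BOGONS, updated)))
```

Apply the rendered ACL inbound on the upstream-facing interfaces; on the 6500/7600 in the thread, check that the resulting ACL still fits the TCAM so it stays in hardware.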
From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Wed, 20 Jan 2010 16:19:09 +0200 Subject: [c-nsp] ip route cache flow Message-ID:
hi all
I have a metro ethernet 3750 and I want to enable cache flow in order to monitor some traffic on our leased line customers.
I enabled under the vlan interface
ip route-cache flow
but nothing appeared, even when I enabled ip cef accounting non-recursive
From rdobbins at arbor.net Wed Jan 20 09:19:17 2010
From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 20 Jan 2010 14:19:17 +0000 Subject: [c-nsp] 2009 Worldwide Infrastructure Security Report available for download. Message-ID: <4B52BF03-CB71-4C59-A50B-B4117CB7B53F@arbor.net>
[Apologies for any duplication if you've seen this notification on other lists.]
We've just posted the 2009 Worldwide Infrastructure Security Report for download at this URL:
This year's WWISR is based upon the broadest set of survey data collected by Arbor to date, with the number of respondents doubling from 66 to 132, and much greater input from non-USA/non-EMEA, regional providers. The WWISR is based upon input from the global operational community, and as such, is unique in its focus on the operational security aspects of public-facing networks.
Many of you contributed to the survey which forms the foundation of the report; as always, we're grateful for your insight and participation, and welcome your feedback and comments.
Thanks much!
-----------------------------------------------------------------------
Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
From rdobbins at arbor.net Wed Jan 20 09:31:25 2010
From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 20 Jan 2010 14:31:25 +0000 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID: <560C86A5-E14D-4964-A951-3993D2B8C0E0@arbor.net>
On Jan 20, 2010, at 9:19 PM, Mohammad Khalil wrote:
> but nothing appeared even when I enabled ip cef accounting non-recursive
I don't think 3750s support NetFlow. Also, that's the old syntax; the new syntax is ip flow ingress/egress on newer platforms/trains/revisions, FYI.
-----------------------------------------------------------------------
Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
From dwcarder at wisc.edu Wed Jan 20 10:13:48 2010
From: dwcarder at wisc.edu (Dale W. Carder) Date: Wed, 20 Jan 2010 09:13:48 -0600 Subject: [c-nsp] Fiber converter In-Reply-To: <31533f201001200330w5247458bx81fb2fdc2e4e2755@mail.gmail.com> References: <31533f201001200330w5247458bx81fb2fdc2e4e2755@mail.gmail.com> Message-ID:
On Jan 20, 2010, at 5:30 AM, vijay gore wrote:
> dear all.
>
> types of fiber converters ????
Hi Vijay,
Here are some links that describe common 1G modules:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet09186a008014cb5e.html
Dale
From Jeff.Wojciechowski at midlandpaper.com Wed Jan 20 10:37:42 2010
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski) Date: Wed, 20 Jan 2010 09:37:42 -0600 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID:
Our WS-C3750G-48TS don't support NetFlow. The only points on our network that we can monitor NetFlow are at router interfaces and I am pretty sure that you need a chassis based switch before NetFlow is supported (someone please correct me if I am wrong).
-Jeff
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Wednesday, January 20, 2010 8:19 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] ip route cache flow
hi all
I have a metro ethernet 3750 and I want to enable cache flow in order to monitor some traffic on our leased line customers.
I enabled under the vlan interface
ip route-cache flow
but nothing appeared, even when I enabled ip cef accounting non-recursive
From geoff at pendery.net Wed Jan 20 10:47:00 2010
From: geoff at pendery.net (Geoffrey Pendery) Date: Wed, 20 Jan 2010 09:47:00 -0600 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID:
That's correct. I believe that NONE of the fixed switches support Netflow, even the 4900s, which are basically fixed form 4500's. Amongst the 4500's, only the Sup V 10 GE supports it natively, though there is a daughter card you can buy to support it on the regular Sup V (IIRC). Sup 6E does not.
On 6500, both Sup 32 and Sup 720 support it, as do all the "proper routers" (ISR, ASR, etc)
-Geoff
On Wed, Jan 20, 2010 at 9:37 AM, Jeff Wojciechowski wrote:
> Our WS-C3750G-48TS don't support NetFlow. The only points on our network that we can monitor NetFlow are at router interfaces and I am pretty sure that you need a chassis based switch before NetFlow is supported (someone please correct me if I am wrong).
>
> -Jeff
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Wednesday, January 20, 2010 8:19 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ip route cache flow
>
> hi all I have a metro ethernet 3750
> I want to enable cache flow in order to monitor some traffic on our leased line customers
>
> I enabled under the vlan interface
> ip route-cache flow
>
> but nothing appeared, even when I enabled ip cef accounting non-recursive
From andrew.gabriel at sanmina-sci.com Wed Jan 20 10:51:40 2010
From: andrew.gabriel at sanmina-sci.com (Andrew Gabriel) Date: Wed, 20 Jan 2010 21:21:40 +0530 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID:
Netflow is only supported on the 4500 with the newer Supervisor Engines, and on the 6500 platform.
Regards,
Andrew Gabriel. Network Engineer, Enterprise Data Services. +91 44 42 22 88 75 (Direct) +91 98 41 41 40 19 (Mobile) www.sanmina-sci.com Sanmina-SCI India Pvt. Ltd. A51, 2nd Avenue, Anna Nagar, Chennai - 600 102, INDIA.
On Wed, Jan 20, 2010 at 9:07 PM, Jeff Wojciechowski < Jeff.Wojciechowski at midlandpaper.com> wrote:
> Our WS-C3750G-48TS don't support NetFlow. The only points on our network that we can monitor NetFlow are at router interfaces and I am pretty sure that you need a chassis based switch before NetFlow is supported (someone please correct me if I am wrong).
>
> -Jeff
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Wednesday, January 20, 2010 8:19 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ip route cache flow
>
> hi all I have a metro ethernet 3750
> I want to enable cache flow in order to monitor some traffic on our leased line customers
>
> I enabled under the vlan interface
> ip route-cache flow
>
> but nothing appeared, even when I enabled ip cef accounting non-recursive
From eng_mssk at hotmail.com Wed Jan 20 10:57:45 2010
From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Wed, 20 Jan 2010 17:57:45 +0200 Subject: [c-nsp] ip route cache flow In-Reply-To: References: , , Message-ID:
What is the alternative for that? Is it supported on ME 6524?
> Date: Wed, 20 Jan 2010 09:47:00 -0600
> Subject: Re: [c-nsp] ip route cache flow
> From: geoff at pendery.net
> To: Jeff.Wojciechowski at midlandpaper.com
> CC: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> That's correct. I believe that NONE of the fixed switches support Netflow, even the 4900s, which are basically fixed form 4500's. Amongst the 4500's, only the Sup V 10 GE supports it natively, though there is a daughter card you can buy to support it on the regular Sup V (IIRC). Sup 6E does not.
>
> On 6500, both Sup 32 and Sup 720 support it, as do all the "proper routers" (ISR, ASR, etc)
>
> -Geoff
>
> On Wed, Jan 20, 2010 at 9:37 AM, Jeff Wojciechowski wrote:
> > Our WS-C3750G-48TS don't support NetFlow. The only points on our network that we can monitor NetFlow are at router interfaces and I am pretty sure that you need a chassis based switch before NetFlow is supported (someone please correct me if I am wrong).
> >
> > -Jeff
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> > Sent: Wednesday, January 20, 2010 8:19 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] ip route cache flow
> >
> > hi all I have a metro ethernet 3750
> > I want to enable cache flow in order to monitor some traffic on our leased line customers
> >
> > I enabled under the vlan interface
> > ip route-cache flow
> >
> > but nothing appeared, even when I enabled ip cef accounting non-recursive
From rdobbins at arbor.net Wed Jan 20 11:00:28 2010
From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 20 Jan 2010 16:00:28 +0000 Subject: [c-nsp] ip route cache flow In-Reply-To: References: Message-ID: <340AED39-408C-4277-8992-245E2A4ACF00@arbor.net>
On Jan 20, 2010, at 10:51 PM, Andrew Gabriel wrote:
> Netflow is only supported on the 4500 with the newer Supervisor Engines, and on the 6500 platform.
It's also important to note that 4500 NetFlow has the same caveats as 6500/7600 NetFlow with a Sup2.
-----------------------------------------------------------------------
Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
From zivl at gilat.net Wed Jan 20 11:11:10 2010
From: zivl at gilat.net (Ziv Leyes) Date: Wed, 20 Jan 2010 18:11:10 +0200 Subject: [c-nsp] ip route cache flow In-Reply-To: References: , , Message-ID:
Is "ip accounting" an option for you? Not as useful as netflow, but it might just give you what you need.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Wednesday, January 20, 2010 5:58 PM To: geoff at pendery.net; jeff.wojciechowski at midlandpaper.com Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ip route cache flow
What is the alternative for that? Is it supported on ME 6524?
> Date: Wed, 20 Jan 2010 09:47:00 -0600
> Subject: Re: [c-nsp] ip route cache flow
> From: geoff at pendery.net > To: Jeff.Wojciechowski at midlandpaper.com > CC: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net > > That's correct. I believe that NONE of the fixed switches support > Netflow, even the 4900s, which are basically fixed form 4500's. > Amongst the 4500's, only the Sup V 10 GE supports it natively, though > there is a daughter card you can buy to support it on the regular Sup > V (IIRC). Sup 6E does not. > > On 6500, both Sup 32 and Sup 720 support it, as do all the "proper > routers" (ISR, ASR, etc) > > -Geoff > > On Wed, Jan 20, 2010 at 9:37 AM, Jeff Wojciechowski > wrote: > > Our WS-C3750G-48TS don't support NetFlow. The only points on our network that we can monitor NetFlow are at router interfaces and I am pretty sure that you need a chassis based switch before NetFlow is supported (someone please correct me if I am wrong). > > > > -Jeff > > > > -----Original Message----- 
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > > Sent: Wednesday, January 20, 2010 8:19 AM > > To: cisco-nsp at puck.nether.net > > Subject: [c-nsp] ip route cache flow > > > > > > hi all i have metro ethernet 3750 > > i want to enable cache flow in order to monitor some traffic on our leased line customers > > > > > > i enabled under the vlan interface > > ip route-cache flow > > > > but nothing appeard even when i enabled ip cef accounting non-recursive > > > > _________________________________________________________________ > > Windows Live: Make it easier for your friends to see what you're up to on Facebook. > > http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_2:092009 > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _________________________________________________________________ Windows Live: Make it easier for your friends to see what you're up to on Facebook. 
************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From jshearer at amedisys.com Wed Jan 20 11:10:34 2010
From: jshearer at amedisys.com (Jason Shearer)
Date: Wed, 20 Jan 2010 10:10:34 -0600
Subject: [c-nsp] ip route cache flow
In-Reply-To:
References:
Message-ID:

You could use a probe or span your traffic to an analyzer. This is what I do to monitor some links that traverse devices that do not support NetFlow.

Jason

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Wednesday, January 20, 2010 9:58 AM
To: geoff at pendery.net; jeff.wojciechowski at midlandpaper.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ip route cache flow

what is the alternative for that ? is it supported on ME 6524 ??

> Date: Wed, 20 Jan 2010 09:47:00 -0600
> Subject: Re: [c-nsp] ip route cache flow
From psirt at cisco.com Wed Jan 20 11:09:20 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 20 Jan 2010 11:09:20 -0500
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service Vulnerability
Message-ID: <201001201110.xr-ssh@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service Vulnerability

Advisory ID: cisco-sa-20100120-xr-ssh

Revision 1.0

For Public Release 2010 January 20 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition. An attacker could trigger this vulnerability by sending a crafted SSH version 2 packet that may cause a new SSH connection handler process to crash. Repeated exploitation may cause each new SSH connection handler process to crash and lead to a significant amount of memory being consumed, which could introduce instability that may adversely impact other system functionality. During this event, the parent SSH daemon process will continue to function normally.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100120-xr-ssh.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects Cisco IOS XR systems that are running an affected version of Cisco IOS XR Software and have the SSH server feature enabled. A system with the SSH server feature enabled will have the command ssh server [v2] present in its configuration.

Refer to the "Cisco IOS XR System Security Configuration Guide" at http://www.cisco.com/en/US/docs/routers/crs/software/crs_r3.9/security/configuration/guide/sc39ssh.html#wp1044523 for additional details regarding configuration of the SSH server in Cisco IOS XR Software.

The SSH server can only be enabled in Cisco IOS XR Software if the "security" Package Information Envelope (PIE) is installed. Administrators can issue the show install summary command to confirm if the security PIE is installed. This command will display an active package similar to "-k9sec-" or, for example, "c12k-k9sec-3.6.1" if the security PIE is installed.

Refer to the "Software Version and Fixes" section of this advisory for information on specific affected software versions.

Products Confirmed Not Vulnerable
+--------------------------------

SSH server implementations in Cisco IOS Software and Cisco IOS XE Software are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS XR Software is a member of the Cisco IOS Software family that uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR Software runs on the Cisco CRS-1 Carrier Routing System, Cisco 12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services Routers. More information on Cisco IOS XR Software is available at http://www.cisco.com/en/US/products/ps5845/index.html.

The SSH protocol was developed as a secure replacement for the Telnet, FTP, rlogin, remote shell (rsh), and Remote Copy Protocol (RCP) protocols, which allow for remote device access. SSH varies from these older protocols in that it provides strong authentication and confidentiality and uses encrypted transactions.

The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition. The vulnerability is triggered when a new SSH handler process handles a crafted SSH version 2 packet, which may cause the process to crash. During this event, a significant amount of memory may be consumed. Repeated exploitation may impact other system functionality, depending upon the size of the available memory and the duration of attack.

Although exploitation of this vulnerability does not require user authentication, the TCP three-way handshake must be completed, and some SSH protocol negotiation must occur. The SSH service will continue to function normally during and after an attack.

During exploitation of this vulnerability, the system may generate the following messages:

RP/0/RP1/CPU0:Jan 14 16:56:34.885 : dumper[59]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 407 for process pkg/bin/sshd_child_handler
RP/0/RP1/CPU0:Jan 14 16:56:34.897 : dumper[59]: %OS-DUMPER-7-SIGSEGV : Thread 1 received SIGSEGV
RP/0/RP1/CPU0:Jan 14 16:56:34.901 : dumper[59]: %OS-DUMPER-7-BUS_ADRERR : Accessed BadAddr 50199000 at PC 4a280c64
RP/0/RP1/CPU0:Jan 14 16:56:34.906 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733716 (pkg/bin/sshd_child_handler)

This vulnerability is documented in Cisco bug ID CSCsu10574 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0137.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsu10574 ("sshd_child_handler crashes with crafted SSHv2 packet")

CVSS Base Score - 7.8
 Access Vector - Network
 Access Complexity - Low
 Authentication - None
 Confidentiality Impact - None
 Integrity Impact - None
 Availability Impact - Complete

CVSS Temporal Score - 6.4
 Exploitability - Functional
 Remediation Level - Official-Fix
 Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability described in this advisory could result in a crash of the SSH connection handler process. Repeated exploitation may impact other system functionality, depending upon the size of the available memory and the duration of attack.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

This vulnerability can be addressed by applying the appropriate Software Maintenance Upgrade (SMU), per the table below. Installation of the appropriate SMU does not require a system reload. Refer to the document "Guidelines for Cisco IOS XR Software" (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html) for additional information on Cisco IOS XR Software and SMUs.

+---------------------------------------------------------------------------------+
| Cisco   | SMU Name and SMU ID                                                   |
| IOS XR  |-----------------------------------------------------------------------|
| Release | CRS-1                      | XR12000                     | ASR 9000   |
|         |                            |                             | (*)        |
|---------+----------------------------+-----------------------------+------------|
| 3.4.1   | hfr-k9sec-3.4.1.CSCsu10574 | c12k-k9sec-3.4.1.CSCsu10574 | Not        |
|         | AA03509                    | AA03532                     | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.4.2   | hfr-k9sec-3.4.2.CSCsu10574 | c12k-k9sec-3.4.2.CSCsu10574 | Not        |
|         | AA03510                    | AA03531                     | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.4.3   | hfr-k9sec-3.4.3.CSCsu10574 | c12k-k9sec-3.4.3.CSCsu10574 | Not        |
|         | AA03511                    | AA03530                     | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.5.2   | hfr-k9sec-3.5.2.CSCsu10574 | c12k-k9sec-3.5.2.CSCsu10574 | Not        |
|         | AA03512                    | AA03529                     | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.5.3   | hfr-k9sec-3.5.3.CSCsu10574 | c12k-k9sec-3.5.3.CSCsu10574 | Not        |
|         | AA03513                    | AA03528                     | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.5.4   | hfr-k9sec-3.5.4.CSCsu10574 | c12k-k9sec-3.5.4.CSCsu10574 | Not        |
|         | AA03514                    | AA03527                     | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.6.0   | hfr-k9sec-3.6.0.CSCsu10574 | c12k-k9sec-3.6.0.CSCsu10574 | Not        |
|         | AA03515                    | AA03526                     | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.6.1   | hfr-k9sec-3.6.1.CSCsu10574 | c12k-k9sec-3.6.1.CSCsu10574 | Not        |
|         | AA03516                    | AA03525                     | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.6.2   | Not affected               | Not affected                | Not        |
|         |                            |                             | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.6.3   | Not affected               | Not affected                | Not        |
|         |                            |                             | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.7.0   | hfr-k9sec-3.7.0.CSCsu10574 | c12k-k9sec-3.7.0.CSCsu10574 | Not        |
|         | AA03519                    | AA03522                     | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.7.1   | Not affected               | Not affected                | Not        |
|         |                            |                             | affected   |
|---------+----------------------------+-----------------------------+------------|
| 3.7.2   | Not affected               | Not affected                | Not        |
|         |                            |                             | affected   |
|---------+----------------------------+-----------------------------+------------|
| 3.8.x   | Not affected               | Not affected                | Not        |
|         |                            |                             | applicable |
|---------+----------------------------+-----------------------------+------------|
| 3.9.x   | Not affected               | Not affected                | Not        |
|         |                            |                             | affected   |
+---------------------------------------------------------------------------------+

(*) Not all Cisco IOS XR Software versions are supported by the Cisco ASR 9000 Aggregation Services Routers.

Workarounds
===========

There are no workarounds for this vulnerability. Network administrators are advised to apply mitigation techniques to help limit exposure to the vulnerability.

Mitigation techniques consist of allowing only legitimate devices to connect to the routers. These access restrictions can be accomplished by using interface access control lists (ACLs) or the Management Plane Protection (MPP) feature that is available in Cisco IOS XR Software Release 3.5 and later. For information on MPP, refer to the configuration guide at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.8/security/configuration/guide/sc38mpp.html and the MPP command reference at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.8/security/command/reference/sr38mpp.html.

Infrastructure ACLs (iACLs) are also a useful technique to mitigate potential exploitation of this vulnerability. For more information on these mitigations, consult the Cisco Guide to Harden Cisco IOS XR Devices, which is available at http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html.

Note that access classes in line templates applied to VTY pools are not an effective mitigation for this vulnerability.

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was discovered by Cisco during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100120-xr-ssh.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2010-January-20 | Initial public release    |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2010 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Jan 20, 2010                                Document ID: 111459

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----

From psirt at cisco.com Wed Jan 20 11:15:00 2010
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 20 Jan 2010 11:15:00 -0500
Subject: [c-nsp] Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability
Message-ID: <201001201115.ipm@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability

Advisory ID: cisco-sa-20100120-ipm

Revision 1.0

For Public Release 2010 January 20 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

CiscoWorks Internetwork Performance Monitor (IPM) versions 2.6 and earlier for Microsoft Windows operating systems contain a buffer overflow vulnerability that could allow a remote unauthenticated attacker to execute arbitrary code. There are no workarounds for this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100120-ipm.shtml

Affected Products
=================

Vulnerable Products
+------------------

CiscoWorks IPM versions 2.6 and earlier for Windows operating systems are affected.

Products Confirmed Not Vulnerable
+--------------------------------

CiscoWorks IPM version 2.x for Sun Solaris and CiscoWorks IPM version 4.x for Windows and Solaris operating systems are not affected.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

CiscoWorks IPM is a troubleshooting application that gauges network response time and availability. CiscoWorks IPM is available as a component within the CiscoWorks LAN Management Solution (LMS) bundle.

CiscoWorks IPM versions 2.6 and earlier for Windows contain a buffer overflow vulnerability when processing Common Object Request Broker Architecture (CORBA) GIOP requests. By sending a crafted CORBA GIOP request, a remote, unauthenticated attacker may be able to trigger the buffer overflow condition and execute arbitrary code with SYSTEM privileges on affected Windows systems.

This vulnerability is documented in Cisco Bug ID CSCsv62350 and has been assigned the Common Vulnerabilities and Exposures (CVE) CVE-2010-0138.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsv62350 - Malformed CORBA GIOP request causes crash

CVSS Base Score - 10
 Access Vector - Network
 Access Complexity - Low
 Authentication - None
 Confidentiality Impact - Complete
 Integrity Impact - Complete
 Availability Impact - Complete

CVSS Temporal Score - 9.5
 Exploitability - Functional
 Remediation Level - Unavailable
 Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in the ability to execute arbitrary code with SYSTEM privileges on affected Windows systems.

Software Versions and Fixes
===========================

Ciscoworks IPM versions 2.6 and earlier for Windows contain a vulnerable third-party component that is no longer supported. Cisco is unable to provide updated software for affected CiscoWorks versions. Consult the "Obtaining Fixed Software" section of this advisory for instructions on how to address vulnerable systems.

Workarounds
===========

There are no workarounds for this vulnerability. It is possible to mitigate this vulnerability by restricting network access to TCP ports on an affected Windows system running IPM versions 2.6 and earlier to trusted systems.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20100120-ipm.shtml

Obtaining Fixed Software
========================

Ciscoworks IPM versions 2.6 and earlier for Windows contain a vulnerable third-party component that is no longer supported. Cisco is unable to provide updated software for affected CiscoWorks versions.

Customers with active software licenses for the IPM component of CiscoWorks versions 2.6 and earlier for Windows should send email to the following address for instructions on migrating to non-vulnerable software: ipm-corba-fix at cisco.com

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was discovered and reported to Cisco by TippingPoint. Cisco would like to thank TippingPoint for reporting this vulnerability to us and for working with us on a coordinated disclosure.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100120-ipm.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision | 2010-January-20 | Initial  |
| 1.0      |                 | public   |
|          |                 | release  |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at: http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From bacon at walleyesoftware.com Wed Jan 20 11:17:39 2010
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Wed, 20 Jan 2010 10:17:39 -0600
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To:
References:
Message-ID: <5A69C25361FED34F83ABF05F5047524507F05C97@wally.walleyetrading.net>

> > I've read through the data sheets, and I also can't see any significant
> > differences. I was wondering if there was some hardware differences (like
> > CAM table size, ethernet input/output buffer sizes), etc...

Is the packet buffering on the -Es significantly better than on the non-Es? It would seem that the buffering capabilities of a non-E are at best limited, based on my experience - granted we have bursty server loads that we were attempting to condense down into 4-port etherchannels, but I would have expected the 3560Gs to do better than they did. I suppose it's possible that if I split the ports up amongst the ASICs better it might be better, but it seemed like there was only one TX queue buffer for the entire switch, which if you did "mls qos" you could split up some but you still had a limited choke that everything went through.

I really don't want to go buy a -E to find out.

I never could get an answer from cisco as to the actual design of the internals of the 3560/3750s. Is the information around anywhere? (And why the heck does Cisco keep it such a secret?)

> Just think of the 3750s as baby VSS-6500s or Nexus 7Ks :)

Now _that_ is hard to imagine. :)

From BBlackford at nwresd.k12.or.us Wed Jan 20 11:28:04 2010
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Wed, 20 Jan 2010 08:28:04 -0800
Subject: [c-nsp] C3750G Interface Counters
Message-ID: <6069A203FD01884885C037F81DD750801742DA1107@wsc-mail-01.intra.nwresd.k12.or.us>

Hello all,

I am observing a strange issue where I have an interface that is showing zero packets/sec. The packets input and packets output are incrementing. My SNMP collector is graphing. This is one of two interconnect ports to a customer peering up with two BGP sessions using multipath. The other port's packets/sec counters are behaving as expected.

WS-C3750G-24TS-E1U
12.2(50)SE3

My_3750#sh int gi1/0/21
GigabitEthernet1/0/21 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0015.2bxx.xxxx (bia 0015.2bxx.xxxx)
  Description: CustA Port1
  Internet address is x.x.x.x/30
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 0/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:19, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:14:20
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4073
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     743069 packets input, 209425595 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     911587 packets output, 955053286 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

My_3750#sh int gi1/0/22
GigabitEthernet1/0/22 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0015.2bxx.xxxx (bia 0015.2bxx.xxxx)
  Description: CustA Port2
  Internet address is x.x.x.x/30
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 31/255, rxload 2/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output 00:00:25, output hang never
  Last clearing of "show interface" counters 00:14:22
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5710
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 937000 bits/sec, 864 packets/sec
  30 second output rate 12324000 bits/sec, 1292 packets/sec
     578583 packets input, 145713935 bytes, 0 no buffer
     Received 91 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 91 multicast, 0 pause input
     0 input packets with dribble condition detected
     919361 packets output, 991069241 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Thank you,

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

this message was composed using 100% recycled electrons

From kloch at kl.net Wed Jan 20 11:32:54 2010
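One way to catch the symptom Bill describes in the post above (absolute packet counters advancing while the switch's 30-second rate reads 0 packets/sec), added here as an example and not code from any message in this thread: derive packets/sec from two polls of the absolute counters, as a collector would, and flag the interface when that disagrees with the rate the switch reports. The first snapshot is taken from the gi1/0/21 output above; the second snapshot 30 seconds later, the tolerance and the minimum-rate threshold are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input. SNAPSHOT_T0 is taken from the rate and counter lines
# of the "sh int gi1/0/21" output above; SNAPSHOT_T30 is a made-up second poll
# 30 seconds later in which the absolute counters have advanced while the
# switch's 30-second rate lines still report 0 packets/sec (the symptom).
SNAPSHOT_T0 = """\
GigabitEthernet1/0/21 is up, line protocol is up (connected)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     743069 packets input, 209425595 bytes, 0 no buffer
     911587 packets output, 955053286 bytes, 0 underruns
"""

SNAPSHOT_T30 = """\
GigabitEthernet1/0/21 is up, line protocol is up (connected)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     768069 packets input, 216425595 bytes, 0 no buffer
     946587 packets output, 990053286 bytes, 0 underruns
"""


@dataclass(frozen=True)
class Counters:
    pkts_in: int        # absolute "packets input" counter
    pkts_out: int       # absolute "packets output" counter
    rate_in_pps: int    # the switch's own 30-second input average
    rate_out_pps: int   # the switch's own 30-second output average


_FIELDS = {
    "pkts_in": re.compile(r"(\d+) packets input,"),
    "pkts_out": re.compile(r"(\d+) packets output,"),
    "rate_in_pps": re.compile(r"input rate \d+ bits/sec, (\d+) packets/sec"),
    "rate_out_pps": re.compile(r"output rate \d+ bits/sec, (\d+) packets/sec"),
}


def parse_show_interface(text: str) -> Counters:
    """Extract the absolute packet counters and the reported pps from one
    'show interface' block; raises ValueError if any field is missing."""
    values = {}
    for name, rx in _FIELDS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"{name}: not found in show interface output")
        values[name] = int(m.group(1))
    return Counters(**values)


def derive_pps(before: Counters, after: Counters,
               interval_s: float) -> Optional[Tuple[float, float]]:
    """(input pps, output pps) derived from two absolute-counter snapshots.
    Returns None if a counter went backwards (counters cleared, reload, or
    snapshots out of order): a negative delta must never be graphed."""
    d_in = after.pkts_in - before.pkts_in
    d_out = after.pkts_out - before.pkts_out
    if interval_s <= 0 or d_in < 0 or d_out < 0:
        return None
    return d_in / interval_s, d_out / interval_s


def check_rate_counters(before: Counters, after: Counters, interval_s: float,
                        min_pps: float = 10.0, tolerance: float = 0.5) -> List[str]:
    """Compare the switch-reported pps with the counter-derived pps.
    Returns a list of findings; an empty list means the two agree within
    `tolerance` (a fraction of the derived rate). Intervals with fewer than
    `min_pps` derived packets/sec are too quiet to judge and are skipped."""
    derived = derive_pps(before, after, interval_s)
    if derived is None:
        return ["counters decreased between snapshots (cleared?); interval skipped"]
    findings = []
    for label, reported, computed in (("input", after.rate_in_pps, derived[0]),
                                      ("output", after.rate_out_pps, derived[1])):
        if computed < min_pps:
            continue
        if abs(reported - computed) > tolerance * computed:
            findings.append(f"{label}: switch reports {reported} pps, "
                            f"counters imply {computed:.0f} pps")
    return findings


if __name__ == "__main__":
    t0 = parse_show_interface(SNAPSHOT_T0)
    t30 = parse_show_interface(SNAPSHOT_T30)
    for finding in check_rate_counters(t0, t30, interval_s=30):
        print("gi1/0/21:", finding)
```

A real collector would read the IF-MIB 64-bit counters (ifHCInUcastPkts / ifHCOutUcastPkts) over SNMP rather than scrape the CLI, but the logic is the same: graph the counter deltas, and treat the box's own rate fields only as a cross-check. The negative-delta guard matters because "clear counters" (the output above shows counters cleared 14 minutes earlier) would otherwise produce a huge bogus rate.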
From: kloch at kl.net (Kevin Loch)
Date: Wed, 20 Jan 2010 11:32:54 -0500
Subject: [c-nsp] cisco 6509 rommon mode
In-Reply-To: <20100120071139.983.qmail@f4mail206.rediffmail.com>
References: <20100120071139.983.qmail@f4mail206.rediffmail.com>
Message-ID: <4B573036.3050600@kl.net>

Have you tried replacing the lithium battery on the sup2? Hopefully you have a newer board with a socket.

- Kevin

ambedkar wrote:
> Hi, i cleaned the modules of 6509 and reinstalled, it shows
>
>
> inband gmac link did not come up: reseting the system
> System Bootstrap, Version 7.1(1)
> Copyright (c) 1994-2001 by cisco Systems, Inc.
> c6k_sup2 processor with 262144 Kbytes of main memory
>
> Autoboot executing command: "boot bootflash:"
>
> Self decompressing the image : ##############################################################################################################]
>
>
> System Power On Diagnostics
> DRAM Size ..........................256 MB
> Testing DRAM .......................Passed
> Verifying Text Segment .............Passed
> NVRAM Size .........................512 KB
> Level2 Cache .......................Present
> Level3 Cache .......................Present
> System Power On Diagnostics Complete
>
> Currently running ROMMON from S (Gold) region
> Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin
>
> System Bootstrap, Version 7.1(1)
> Copyright (c) 1994-2001 by cisco Systems, Inc.
>
> Warning: Rommon NVRAM area is corrupted. Initialize the area to default values
> c6k_sup2 processor with 262144 Kbytes of main memory
>
> Autoboot: failed, BOOT string is empty
> rommon 1 >
> rommon 1 >
>
> After this, if i execute the command BOOT, once again it is showing the old log as below.
>
> thanks, bye.
>
>
>
>
> ------------------------------------------------------------------------
> Hi, i am using a cisco 6509 switch. This switch has not been powered on for the last year; now, after switching it on, it goes into ROMMON mode.
>
>
> The following is the log:
>
> Currently running ROMMON from S (Gold) region
> Boot image: bootflash:cat6000-sup2cvk9.8-3-2.bin
> Module 1 port ASIC 0 failed: Pinnacle Packet Buffer Error
> Module 1 reported following ports unusable
> port 1 bad
> port 2 bad
> port 3 bad
> port 4 bad
> inband gmac link did not come up: reseting the system
> System Bootstrap, Version 7.1(1)
> Copyright (c) 1994-2001 by cisco Systems, Inc.
> c6k_sup2 processor with 262144 Kbytes of main memory
>
> Autoboot executing command: "boot bootflash:cat6000-sup2cvk9.8-3-2.bin"
>
> Self decompressing the image : ##############################################################################################################]
>
>
> System Power On Diagnostics
> DRAM Size ..........................256 MB
> Testing DRAM .......................Passed
> Verifying Text Segment .............Passed
> NVRAM Size .........................512 KB
> Level2 Cache .......................Present
> Level3 Cache .......................Present
> System Power On Diagnostics Complete.
>
> ---------------------------------------------------------
>
> I tried the following commands:
> 1. boot
> 2. boot bootflash:cat6000-sup2cvk9.8-3-2.bin
> 3. I thought the IOS may be damaged, so i used XMODEM to upload the IOS image, but after some time it also fails.
>
> please help me,
> Thanks. bye
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From geoff at pendery.net Wed Jan 20 11:43:59 2010
From: geoff at pendery.net (Geoffrey Pendery)
Date: Wed, 20 Jan 2010 10:43:59 -0600
Subject: [c-nsp] ip route cache flow
In-Reply-To:
References:
Message-ID:

Just to be clear, it is only supported with the *second* newest, the Sup V 10GE. NetFlow is NOT supported on the newest, the Sup 6E.

So it was actually removed from the 4500's going forward. At this time the "E" series 4500 stuff, the latest-and-greatest, does NOT support NetFlow. I just rolled out 48 of them.

The QoS is also a bit tricky - good, but different from previous 4500 or 6500 QoS.

-Geoff

On Wed, Jan 20, 2010 at 9:51 AM, Andrew Gabriel wrote:
> Netflow is only supported on the 4500 with the newer Supervisor Engines,
> and on the 6500 platform.
>
> Regards,
> Andrew Gabriel.
> Network Engineer,
> Enterprise Data Services.
> +91 44 42 22 88 75 (Direct)
> +91 98 41 41 40 19 (Mobile)
> www.sanmina-sci.com
> Sanmina-SCI India Pvt. Ltd.
> A51, 2nd Avenue, Anna Nagar,
> Chennai - 600 102, INDIA.
>
>
>
>
> On Wed, Jan 20, 2010 at 9:07 PM, Jeff Wojciechowski <
> Jeff.Wojciechowski at midlandpaper.com> wrote:
>
>> Our WS-C3750G-48TS don't support NetFlow. The only points on our network
>> that we can monitor NetFlow are at router interfaces and I am pretty sure
>> that you need a chassis based switch before NetFlow is supported (someone
>> please correct me if I am wrong).
>>
>> -Jeff
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:
>> cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
>> Sent: Wednesday, January 20, 2010 8:19 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ip route cache flow
>>
>>
>> hi all i have metro ethernet 3750
>> i want to enable cache flow in order to monitor some traffic on our leased
>> line customers
>>
>>
>> i enabled under the vlan interface
>> ip route-cache flow
>>
>> but nothing appeared even when i enabled ip cef accounting non-recursive
>>
>> _________________________________________________________________
>> Windows Live: Make it easier for your friends to see what you're up to on
>> Facebook.
>>
>> http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_2:092009
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From peter at rathlev.dk Wed Jan 20 12:39:01 2010
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 20 Jan 2010 18:39:01 +0100
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To:
References:
Message-ID: <1264009141.21532.5.camel@localhost>

On Wed, 2010-01-20 at 07:19 -0600, scott owens wrote:
> That stacking feature IS the cool thing. If you don't need it; skip
> it, maybe even look at the 295x or 296x platform unless you possibly
> need POE as well - the "2"s don't support it. But the ability to
> team/etherchannel servers via LACP and use BOTH teamed links at the
> same time instead of single links due to spanning-tree blocking is a
> great thing. It is one reason GLBP is not available on the 3750s -
> it's not needed to get load balanced routing either.
>
> Just think of the 3750s as baby VSS-6500s or Nexus 7Ks :)

IMHO the problem with StackWise is that you can't do a software upgrade without rebooting both units. Compare this to two separate switches and RSTP, with which you can do almost "zero touch" upgrades.

In my eyes StackWise stacks are in all aspects to be treated as a single unit. When looking at "single points of failure" I consider a 3750 stack (E or non-E) a single unit no matter how many members are in the stack.

The VSS might have the same problem, haven't touched it.

--
Peter

From bitkraft at gmail.com Wed Jan 20 14:27:28 2010
From: bitkraft at gmail.com (Brian Spade)
Date: Wed, 20 Jan 2010 11:27:28 -0800
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To:
References: <483E6B0272B0284BA86D7596C40D29F9E2BC79F5FE@PUR-EXCH07.ox.com>
Message-ID: <505b616c1001201127k5f797092gc4bb49b959241767@mail.gmail.com>

If you use WCCP (i.e., wan acceleration/WAAS), the 3750-E supports denies in the redirect ACL whereas the 3560-E does not. Apparently this feature will be added to the 3560-E this Spring. It may be minor but it's very annoying to have to create an entire ACL based on permits to control your redirected traffic on the 3560-E.

/bs

On Tue, Jan 19, 2010 at 10:13 PM, Asbjorn Hojmark - Lists wrote:
> On Tue, 19 Jan 2010 15:17:26 -0500, you wrote:
>
> > Other than stackwise on the 3750-E, I haven't been able to discern a
> > whole lot of differences between the two switches.
>
> That *is* the only difference.
>
> -A
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From gert at greenie.muc.de Wed Jan 20 14:34:57 2010
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 20 Jan 2010 20:34:57 +0100
Subject: [c-nsp] ip route cache flow
In-Reply-To:
References:
Message-ID: <20100120193457.GM857@greenie.muc.de>

Hi,

On Wed, Jan 20, 2010 at 06:11:10PM +0200, Ziv Leyes wrote:
> Is "ip accounting" an option for you?

Not supported on 3750 either. These things are *switches*, with some l3 support added. Fast, but dumb.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL:

From avayner at cisco.com Wed Jan 20 16:10:40 2010
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 20 Jan 2010 22:10:40 +0100
Subject: [c-nsp] Disabling SNMP for certain BGP neighbors
In-Reply-To: <4B5611E4.3010600@rollernet.us>
References: <4B5611E4.3010600@rollernet.us>
Message-ID:

Seth,

I would say that the right approach for this would be to tune the logic of your NMS system to ignore these events, or make them low-priority events, and have a rule that alerts you about low-priority events only during work hours...

Another approach (but only relatively new IOS versions) would be to use the EEM SNMP Notification event detector. This would allow you to catch specific traps and block them on the router (or modify them to a different event).

In older IOS versions the same can be accomplished for Syslog, so if you can turn off SNMP traps and use Syslog events, you can accomplish this on most IOS versions.

The reference for the SNMP Notification EEM event detector is here:
http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_06.html#wp1178594

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen
Sent: Tuesday, January 19, 2010 22:11
To: cisco-nsp
Subject: [c-nsp] Disabling SNMP for certain BGP neighbors

Is there any way to disable SNMP traps for a subset of BGP neighbors like there is for interfaces? I have a couple BGP sessions that are of "don't care" priority and they don't need to send traps when they flap (although rarely, it's always when I'm sleeping).

~Seth
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From david at hughes.com.au Wed Jan 20 18:18:59 2010
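The first approach Arie suggests above (filter on the NMS side rather than on the router) in working form, added here as an example and not code from any message in this thread: classify BGP adjacency-change syslog events by neighbor and time of day, paging immediately for neighbors that matter and deferring the "don't care" neighbors to a morning report outside work hours. The log lines, router name, neighbor addresses (RFC 5737 documentation ranges) and the work-hours window are all constructed for the example.

```python
import re
from datetime import datetime, time
from typing import Dict, Iterable, List, Optional

# Constructed sample syslog lines in the shape IOS uses for BGP adjacency
# changes (%BGP-5-ADJCHANGE). Router name, sequence numbers and timestamps are
# made up; the peer addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "Jan 20 03:12:44 rtr1 1234: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent",
    "Jan 20 03:13:10 rtr1 1235: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up",
    "Jan 20 10:05:01 rtr1 1236: %BGP-5-ADJCHANGE: neighbor 198.51.100.7 Down Peer closed the session",
    "Jan 20 10:07:30 rtr1 1237: %BGP-5-ADJCHANGE: neighbor 203.0.113.9 Down Hold timer expired",
    "Jan 20 10:08:00 rtr1 1238: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

# Neighbors whose flaps are "don't care" priority (constructed list), and the
# window in which even those are worth a real-time notification.
LOW_PRIORITY_NEIGHBORS = {"192.0.2.1", "203.0.113.9"}
WORK_HOURS = (time(8, 0), time(18, 0))

ADJCHANGE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \d+: "
    r"%BGP-5-ADJCHANGE: neighbor (?P<peer>\S+) (?P<state>Up|Down)"
    r"(?: (?P<reason>.*))?$"
)


def parse_adjchange(line: str) -> Optional[Dict[str, str]]:
    """Return {ts, peer, state, reason} for a BGP adjacency-change line, or
    None for any other syslog message."""
    m = ADJCHANGE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["reason"] = event["reason"] or ""
    return event


def in_work_hours(ts: str, window=WORK_HOURS) -> bool:
    """True if the syslog timestamp's time of day falls inside the window."""
    clock = datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S").time()
    start, end = window
    return start <= clock < end


def classify(event: Dict[str, str], low_priority=LOW_PRIORITY_NEIGHBORS,
             window=WORK_HOURS) -> str:
    """'page' for neighbors that matter, regardless of time; for the
    low-priority set, 'notify' during work hours and 'defer' (morning report)
    otherwise."""
    if event["peer"] not in low_priority:
        return "page"
    return "notify" if in_work_hours(event["ts"], window) else "defer"


def triage(lines: Iterable[str], low_priority=LOW_PRIORITY_NEIGHBORS,
           window=WORK_HOURS) -> Dict[str, List[str]]:
    """Sort adjacency-change events into page/notify/defer buckets; lines
    that are not BGP adjacency changes are left for other rules."""
    buckets: Dict[str, List[str]] = {"page": [], "notify": [], "defer": []}
    for line in lines:
        event = parse_adjchange(line)
        if event is None:
            continue
        summary = f"{event['ts']} {event['peer']} {event['state']} {event['reason']}".rstrip()
        buckets[classify(event, low_priority, window)].append(summary)
    return buckets


if __name__ == "__main__":
    for bucket, events in triage(SAMPLE_LOG).items():
        for summary in events:
            print(f"{bucket:6s} {summary}")
```

Deferring rather than dropping is the point: the flap is still recorded and still reviewed, it just does not wake anyone up. The same allow-list shape applies if the router-side EEM route is taken later, since the neighbor address is the field the rule keys on in both places.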
From: david at hughes.com.au (David Hughes)
Date: Thu, 21 Jan 2010 09:18:59 +1000
Subject: [c-nsp] ip route cache flow
In-Reply-To:
References:
Message-ID: <7EB9DC8B-696D-4714-A444-AD24383BECA3@hughes.com.au>

And "supported on 6500" doesn't equate to "works as you'd expect on 6500". It's better in SXI (per interface support at least) but it's still got major limitations. We only have netflow on Cat6k left in one location and that's being moved to routers real soon now.

David
...

On 21/01/2010, at 1:51 AM, Andrew Gabriel wrote:
> Netflow is only supported on the 4500 with the newer Supervisor Engines,
> and on the 6500 platform.
>
> Regards,
> Andrew Gabriel.
> Network Engineer,
> Enterprise Data Services.
> +91 44 42 22 88 75 (Direct)
> +91 98 41 41 40 19 (Mobile)
> www.sanmina-sci.com
> Sanmina-SCI India Pvt. Ltd.
> A51, 2nd Avenue, Anna Nagar,
> Chennai - 600 102, INDIA.
>
>
>
>
> On Wed, Jan 20, 2010 at 9:07 PM, Jeff Wojciechowski <
> Jeff.Wojciechowski at midlandpaper.com> wrote:
>
>> Our WS-C3750G-48TS don't support NetFlow. The only points on our network
>> that we can monitor NetFlow are at router interfaces and I am pretty sure
>> that you need a chassis based switch before NetFlow is supported (someone
>> please correct me if I am wrong).
>>
>> -Jeff
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:
>> cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
>> Sent: Wednesday, January 20, 2010 8:19 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ip route cache flow
>>
>>
>> hi all i have metro ethernet 3750
>> i want to enable cache flow in order to monitor some traffic on our leased
>> line customers
>>
>>
>> i enabled under the vlan interface
>> ip route-cache flow
>>
>> but nothing appeared even when i enabled ip cef accounting non-recursive
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From gk at ax.tc Wed Jan 20 18:45:20 2010
From: gk at ax.tc (Gerald Krause)
Date: Thu, 21 Jan 2010 00:45:20 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
Message-ID: <4B579590.6050506@ax.tc>

I'm looking for a good solution to separate multiple branches from each other by using a central firewall setup. The overall view looks like that:

   Branch-1                   Branch-n
    (PC1)                      (PCn)
      |                          |
    (SW1)                      (SWn)
      |                          |
     CPE1         ...           CPEn
      |                          |
  ::::::::::::: DSL-CLOUD/PPP :::::::::::::
      |                          |
   LNSa/PE                    LNSb/PE
      |                          |
  ============= MPLS-BACKBONE =============
      |                          |
   RTRa/PE                    RTRb/PE
      |                          |
     SWa-------------------------SWb
      |                          |
  (FW-prim)---------------(FW-standby)
      |                          |
  ,,,,,,,,,,,,,,, INTERNET ,,,,,,,,,,,,,,,,

- each branch has 1-3 IPv4 networks
- PPP-Sessions are terminated on the LNS via L2TP and configured via RADIUS
- LNSs & RTRs are C7200 Systems
- firewalls have VLAN capabilities

The () components will be under control of the customer, all other systems are managed by us. The main goals are
1) separate the branches in general but allow the firewall administrator to route between the branches so the customer is able to control his internal traffic as well as his internet traffic
2) provide redundancy for all of our components

At the moment we're providing only ordinary Layer3-MPLS VPNs but in this case this isn't enough - unless we plan to implement a dedicated VRF for each branch. But because the customer has 100+ branches, I don't like to 'waste' so many VRF instances for one customer. Do other approaches/BCPs exist for those kinds of setups? Currently I'm investigating L2VPN, AToM, L2TPv3, ... but haven't found a really bullet-proof solution so far, especially because I have to deal with a lot of dynamically generated Virtual-Interfaces.

For now I see 3 options for us:

a) implement dedicated VRFs for each branch and map VRFn<->VLANn on the RTRs
b) build a bridged L2 "LAN" from the CPE Dialer-Interfaces up to the Firewall-Ethernet Interface (how? bad idea?)
c) some other brilliant approach... ;-)

Any hints and thoughts are welcome.

Thx,
Gerald

From koug at intracom.gr Thu Jan 21 01:43:26 2010
From: koug at intracom.gr (John Kougoulos)
Date: Thu, 21 Jan 2010 08:43:26 +0200 (EET)
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To: <4B579590.6050506@ax.tc>
References: <4B579590.6050506@ax.tc>
Message-ID:

On Thu, 21 Jan 2010, Gerald Krause wrote:
> For now I see 3 options for us:
>
> a) implement dedicated VRFs for each branch and map VRFn<->VLANn on the RTRs
> b) build a bridged L2 "LAN" from the CPE Dialer-Interfaces up to the
> Firewall-Ethernet Interface (how? bad idea?)
> c) some other brilliant approach... ;-)
>

GRE or Ipsec or whatever tunnel from the CPE to (or near) the firewall?

From oboehmer at cisco.com Thu Jan 21 02:10:35 2010
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 21 Jan 2010 08:10:35 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To: <4B579590.6050506@ax.tc>
References: <4B579590.6050506@ax.tc>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>

> I'm looking for a good solution to separate multiple branches from each
> other by using a central firewall setup. The overall view looks like that:
> [...]
>
> The () components will be under control of the customer, all other
> systems are managed by us. The main goals are
> 1) separate the branches in general but allow the firewall administrator
> to route between the branches so the customer is able to control his
> internal traffic as well as his internet traffic
> 2) provide redundancy for all of our components
>
> At the moment we're providing only ordinary Layer3-MPLS VPNs but in this
> case this isn't enough - unless we plan to implement a dedicated VRF
> for each branch. But because the customer has 100+ branches, I don't like
> to 'waste' so many VRF instances for one customer. Do other
> approaches/BCPs exist for those kinds of setups? Currently I'm investigating L2VPN,
> AToM, L2TPv3, ... but haven't found a really bullet-proof solution so
> far, especially because I have to deal with a lot of dynamically
> generated Virtual-Interfaces.

you might want to look at the "Half-Duplex VRF" feature, which allows you to build a hub & spoke VPN setup without having to put each "branch" on the same PE into a different VRF. HD VRF will assign a different VRF for upstream and downstream traffic, so packets entering the LNS from the branch will only see the Hub routes, and not the other branches' routes.

check out
http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html

oli

From md at bts.sk Thu Jan 21 02:15:35 2010
From: md at bts.sk (Marian Ďurkovič)
Date: Thu, 21 Jan 2010 08:15:35 +0100
Subject: [c-nsp] Differences between 3750-E and 3560-E switches
In-Reply-To: <5A69C25361FED34F83ABF05F5047524507F05C97@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524507F05C97@wally.walleyetrading.net>
Message-ID: <20100121070932.M18969@bts.sk>

On Wed, 20 Jan 2010 10:17:39 -0600, Jeff Bacon wrote
> > > I've read through the data sheets, and I also can't see any
> > > significant differences. I was wondering if there was some hardware
> > > differences (like CAM table size, ethernet input/output buffer sizes), etc...
>
> Is the packet buffering on the -Es significantly better than on the
> non-Es? It would seem that the buffering capabilities of a non-E are at
> best limited, based on my experience - granted we have bursty server
> loads that we were attempting to condense down into 4-port
> etherchannels, but I would have expected the 3560Gs to do better than
> they did.

In fact, 3560Es perform worse in the default configuration than 3560Gs. Buffers might be tweaked via mls qos commands, but still, the buffering is insufficient - have a look at:

http://puck.nether.net/pipermail/cisco-nsp/2009-March/058758.html

M.

From gk at ax.tc Thu Jan 21 04:41:07 2010
From: gk at ax.tc (Gerald Krause)
Date: Thu, 21 Jan 2010 10:41:07 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>
References: <4B579590.6050506@ax.tc> <6E4D2678AC543844917CA081C9D6B33F0109B68D@XMB-AMS-103.cisco.com>
Message-ID: <4B582133.5030002@ax.tc>

On 21.01.2010 08:10, Oliver Boehmer (oboehmer) wrote:
>> I'm looking for a good solution to separate multiple branches from each
>> other by using a central firewall setup. The overall view looks like that:
> [...]
>> The () components will be under control of the customer, all other
>> systems are managed by us. The main goals are
>> 1) separate the branches in general but allow the firewall administrator
>> to route between the branches so the customer is able to control his
>> internal traffic as well as his internet traffic
>> 2) provide redundancy for all of our components
>>
>> At the moment we're providing only ordinary Layer3-MPLS VPNs but in this
>> case this isn't enough - unless we plan to implement a dedicated VRF
>> for each branch. But because the customer has 100+ branches, I don't like
>> to 'waste' so many VRF instances for one customer. Do other
>> approaches/BCPs exist for those kinds of setups? Currently I'm investigating L2VPN,
>> AToM, L2TPv3, ... but haven't found a really bullet-proof solution so
>> far, especially because I have to deal with a lot of dynamically
>> generated Virtual-Interfaces.
>
> you might want to look at the "Half-Duplex VRF" feature, which allows you to
> build a hub & spoke VPN setup without having to put each "branch" on the
> same PE into a different VRF. HD VRF will assign a different VRF for
> upstream and downstream traffic, so packets entering the LNS from the
> branch will only see the Hub routes, and not the other branches' routes.
>
> check out
> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html

Ok, that sounds interesting. I'll check the docs.

Gerald

From gk at ax.tc Thu Jan 21 04:39:18 2010
From: gk at ax.tc (Gerald Krause)
Date: Thu, 21 Jan 2010 10:39:18 +0100
Subject: [c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
In-Reply-To:
References: <4B579590.6050506@ax.tc>
Message-ID: <4B5820C6.6090503@ax.tc>

On 21.01.2010 07:43, John Kougoulos wrote:
>
>
> On Thu, 21 Jan 2010, Gerald Krause wrote:
>> For now I see 3 options for us:
>>
>> a) implement dedicated VRFs for each branch and map VRFn<->VLANn on
>> the RTRs
>> b) build a bridged L2 "LAN" from the CPE Dialer-Interfaces up to the
>> Firewall-Ethernet Interface (how? bad idea?)
>> c) some other brilliant approach... ;-)
>>
>
>
> GRE or Ipsec or whatever tunnel from the CPE to (or near) the firewall?

Yep, that might be a way, even if not "beautiful" for us. We're moving this customer from an ugly partially/fully IPSec-tunnel meshed setup with many firewalls and IPSec tunnels and I don't want to implement and manage a bunch of IPSec tunnels again.

I thought already about some pseudowire or other basic tunnel service (like GRE) from the CPEs to the firewall but I have to deal with redundant tunnel-endpoints as well - the tunneling setup must have a fail-over/redundancy concept. That makes me think about implementing 2 tunnels from each CPE on to 2 additional tunnel-endpoints (between RTR and FW) and configuring a basic routing protocol on top of the tunnels... Hm, that "is" a solution but I'll check further if I have other options before going that way.

Gerald

From asturluismi at gmail.com Thu Jan 21 06:27:45 2010
From: asturluismi at gmail.com (luismi)
Date: Thu, 21 Jan 2010 12:27:45 +0100
Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x
Message-ID: <1264073265.17015.10.camel@hal9000>

Hi all,

I am looking for a Radius solution to configure on it the user accounts of the users of the VPN Concentrator 3030 we have here -that is the primary goal-. In the future I would like to use the same radius for 802.1x in the wireless network and maybe some captive portals or similar.

The radius solution should support HA and a web interface to configure the users, do some diagnostics and stats and similar.

The solution should run over linux.

I was checking radiator and freeradius, but I didn't find any details regarding the integration experience over internet.
So I would like to hear from experiences there.

Thanks

From frederic.loui at renater.fr Thu Jan 21 07:40:17 2010
From: frederic.loui at renater.fr (Frederic LOUI) Date: Thu, 21 Jan 2010 13:40:17 +0100 Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x In-Reply-To: <1264073265.17015.10.camel@hal9000> References: <1264073265.17015.10.camel@hal9000> Message-ID: <4B584B31.3030207@renater.fr> Hi Luismi, Freeradius is a good alternative and can be used to cover all the needs you mentioned. Coupled with openldap, you can benefit from having all the LDAP Directory GUI for user creation. In addition, you can use MySQL backend for accounting purposes. As far as I could find, Freeradius is very popular so that's the reason why we decided to go for it. Finally, the whole solution can run on LINUX. Netherveless, I agree with you that the learning curve is quite difficult. And the documentation is quite "sparse" so that makes things more difficuklt to grasp. But the time spent on learning the system.is worth the result. Hope this helps, Cheers, -- Frederic LOUI / GIP RENATER Pilotage & Suivi du R?seau Network Backbone Engineering & Planning Tel: +33 1 53 94 20 40 / Fax: +33 1 53 94 20 31 loui at renater.fr http://www.renater.fr luismi a ?crit : > Hi all, > > I am looking for a Radius solution to configure on it the user accounts > of the users of the VPN Concentrator 3030 we have here -that is the > primary goal-. In the future I would like to use the same radius for > 802.1x in the wireless network and maybe some captive portals or > similar. > > The radius solution should support HA and a web interface to configure > the users, do some diagnostics and stats and similar. > > The solution should run over linux. > > I was checking radiator and freeradius, but I didn't find any details > regarding the integration experience over internet. > So I would like to hear from experiences there. 
> > Thanks > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From steve at ibctech.ca Thu Jan 21 08:16:04 2010 From: steve at ibctech.ca (Steve Bertrand) Date: Thu, 21 Jan 2010 08:16:04 -0500 Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x In-Reply-To: <4B584B31.3030207@renater.fr> References: <1264073265.17015.10.camel@hal9000> <4B584B31.3030207@renater.fr> Message-ID: <4B585394.4000606@ibctech.ca> Frederic LOUI wrote: > Hi Luismi, > > Freeradius is a good alternative and can be used to cover all the needs > you mentioned. > Coupled with openldap, you can benefit from having all the LDAP > Directory GUI for user creation. > In addition, you can use MySQL backend for accounting purposes. > > As far as I could find, Freeradius is very popular so that's the reason > why we decided to go for it. It supports HA for itself and its database back-ends, and has a web GUI (dialupadmin) for those so inclined, that does everything that the OP required out of it. > Finally, the whole solution can run on LINUX. Most Unix-like OSs have pre-built packages that can be installed via their packaging system. The documentation explains very clearly how to install it onto a myriad of systems. > And the documentation is quite "sparse" so that makes things more > difficult to grasp. Actually, the documentation for FreeRADIUS is quite good. Even the configuration files are full of notes explaining exactly what each config variable does, and how to set it. Also, FreeRADIUS has an extremely active mailing list, where I don't think I've seen a day go by in years where the primary developer (Alan DeKok) hasn't responded to at least one thread. http://freeradius.org http://wiki.freeradius.org Steve From frederic.loui at renater.fr Thu Jan 21 08:27:35 2010
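The thread compares RADIUS servers without showing what the VPN 3030 and the server actually exchange, which is what the shared secret in any of those products protects. The following is an added example, not code from the thread, FreeRADIUS or Radiator: a minimal RFC 2865/2869 Access-Request / Access-Accept round trip in Python, with the PAP User-Password hiding, the Response Authenticator the NAS checks, and the Message-Authenticator HMAC that keeps forged or wrong-secret requests from being answered. The user store, the shared secret and the NAS address 192.0.2.10 are constructed for the demo.

```python
"""Added example, not from the thread: the RFC 2865/2869 RADIUS exchange between a
NAS such as the VPN 3030 and a RADIUS server, standard library only.  The shared
secret, the user store and the NAS address are constructed for the demo."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
USERS = {b"alice": b"correct horse battery"}  # constructed user store (LDAP/SQL in real life)
SECRET = b"constructed-shared-secret"         # constructed per-NAS shared secret


def attr(atype, value):
    """One Type-Length-Value attribute; Length counts its own 2 header bytes."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(packet):
    """Attributes after the 20-byte header as an ordered (type, value) list."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        out.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return out


def pack(code, ident, authenticator, attrs):  # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def password_xor(data, secret, req_auth, hide):
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block), the
    first block with MD5(secret + Request Authenticator).  Same loop both ways."""
    if hide:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ k for a, k in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")


def message_authenticator(code, ident, authenticator, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the Message-Authenticator zeroed."""
    zeroed = b"".join(attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    return hmac.new(secret, pack(code, ident, authenticator, zeroed), hashlib.md5).digest()


def build_access_request(ident, username, password, secret, nas_ip, req_auth=None):
    """NAS side: fresh random Request Authenticator, hidden password, integrity tag."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, password_xor(password, secret, req_auth, True)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))), (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret))
    return pack(ACCESS_REQUEST, ident, req_auth, b"".join(attr(t, v) for t, v in attrs))


def server_handle(request, secret, users):
    """Server side: drop anything failing the integrity check, then Accept or Reject."""
    if len(request) < 20 or request[0] != ACCESS_REQUEST or struct.unpack("!H", request[2:4])[0] != len(request):
        return None
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request)
    values = dict(attrs)
    tag = values.get(MESSAGE_AUTHENTICATOR)
    if tag is None or not hmac.compare_digest(tag, message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret)):
        return None  # wrong secret or forged packet: silently discarded, as RADIUS servers do
    password = password_xor(values.get(USER_PASSWORD, b""), secret, req_auth, False)
    stored = users.get(values.get(USER_NAME, b""))
    code = ACCESS_ACCEPT if stored is not None and hmac.compare_digest(stored, password) else ACCESS_REJECT
    tag = message_authenticator(code, ident, req_auth, [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)], secret)
    body = attr(MESSAGE_AUTHENTICATOR, tag)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()
    return pack(code, ident, resp_auth, body)


def nas_verify_response(response, request, secret):
    """NAS side: the reply code, or None unless both authenticators verify against our request."""
    if len(response) < 20 or response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    code, req_auth, body = response[0], request[4:20], response[20:]
    if not hmac.compare_digest(hashlib.md5(response[:4] + req_auth + body + secret).digest(), response[4:20]):
        return None
    attrs = parse_attrs(response)
    tag = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if tag is None or not hmac.compare_digest(tag, message_authenticator(code, response[1], req_auth, attrs, secret)):
        return None
    return code


def run_exchange(username, password, nas_secret, server_secret, users=USERS, ident=7):
    """Whole round trip; None means the server dropped the request or the NAS rejected the reply."""
    request = build_access_request(ident, username, password, nas_secret, "192.0.2.10")
    response = server_handle(request, server_secret, users)
    return None if response is None else nas_verify_response(response, request, nas_secret)
```

run_exchange(...) returns 2 (Access-Accept), 3 (Access-Reject) or None when a secret mismatch makes the server drop the request or the NAS discard the reply. The password hiding is an MD5-keyed XOR rather than encryption in the modern sense, which is why the shared secret between the concentrator and the RADIUS server needs to be long and random, and why the RADIUS traffic itself belongs on a management network or inside IPsec whichever server product is chosen.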
From: frederic.loui at renater.fr (Frederic LOUI) Date: Thu, 21 Jan 2010 14:27:35 +0100 Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x In-Reply-To: <4B585394.4000606@ibctech.ca> References: <1264073265.17015.10.camel@hal9000> <4B584B31.3030207@renater.fr> <4B585394.4000606@ibctech.ca> Message-ID: <4B585647.2000104@renater.fr> Hi Steve, > It supports HA for itself and its database back-ends, and has a web gui > (dialupadmin) for those so inclined, that does everything that the OP > required out of it. > > >> Finally, the whole solution can run on LINUX. >> > > Most Unix-like OSs have pre-built packages that can be installed via its > packaging system. The documentation explains very clearly on how to > install it onto a myriad of systems. > Thanks for the clarification :-) >> And the documentation is quite "sparse" so that makes things more >> difficult to grasp. >> > > Actually, the documentation for FreeRADIUS is quite good. Even the > configuration files are full of notes explaining exactly what each > config variable does, and how to set it. > Ah, great! Do you have, by any chance, some "cookbooks/pointers" related to FreeRADIUS + OpenLDAP + Cisco IOS / IOS-XR set-up? > Also, FreeRADIUS has an extremely active mailing list, where I don't > think I've seen a day go by in years where the primary developer (Alan > DeKok) hasn't responded to at least one thread. > > http://freeradius.org > http://wiki.freeradius.org > > Steve > Thanks for pointing that out. Regards / Frederic From alex.wilkinson at dsto.defence.gov.au Thu Jan 21 08:35:59 2010
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex) Date: Thu, 21 Jan 2010 21:35:59 +0800 Subject: [c-nsp] cisco 6509 rommon mode [SEC=UNCLASSIFIED] In-Reply-To: <4B573036.3050600@kl.net> References: <20100120071139.983.qmail@f4mail206.rediffmail.com> <4B573036.3050600@kl.net> Message-ID: <20100121133559.GA56085@stlux503.dsto.defence.gov.au> On Wed, Jan 20, 2010 at 11:32:54AM -0500, Kevin Loch wrote: >> Warning: Rommon NVRAM area is corrupted. Initialize the area to default values >> c6k_sup2 processor with 262144 Kbytes of main memory I've been bitten by this exact same bug. You have hit a hardware bug. Please see the field notice: http://www.cisco.com/en/US/ts/fn/200/fn27595.html Had to do an RMA for the SUP to solve this problem (hope you have a support contract in place) :) -Alex IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. From mehdi.badreddine at fr.clara.net Thu Jan 21 09:43:17 2010 From: mehdi.badreddine at fr.clara.net (Mehdi Badreddine) Date: Thu, 21 Jan 2010 14:43:17 -0000 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: <70F55AD71714494087D3F5CF5ED100830598655C@EXVS02.claranet.local> Hi all, Can you advise me on a good SSL VPN solution for accessing the office LAN from my desktop computer without having to install client software? We should be able to access machines with SSH, HTTP, IMAP and HTTPS. Are Cisco ASA appliances a good solution for this purpose? In this case, what bundle would one choose for about 50 users? I've already tried Adito, which is a good open source product; it forked into a proprietary solution, SSL Explorer. Regards, Mehdi BADREDDINE System & Network Administrator CLARANET Paris 68, rue du Faubourg Saint-Honoré 75008 PARIS FRANCE From ulici at teleson.ro Thu Jan 21 09:28:36 2010
From: ulici at teleson.ro (Ulici Alexandru) Date: Thu, 21 Jan 2010 16:28:36 +0200 Subject: [c-nsp] cisco 6509 rommon mode [SEC=UNCLASSIFIED] In-Reply-To: <20100121133559.GA56085@stlux503.dsto.defence.gov.au> References: <20100120071139.983.qmail@f4mail206.rediffmail.com> <4B573036.3050600@kl.net> <20100121133559.GA56085@stlux503.dsto.defence.gov.au> Message-ID: Had the same problem, and the same solution (RMA). alex > > On Wed, Jan 20, 2010 at 11:32:54AM -0500, Kevin Loch wrote: > > >> Warning: Rommon NVRAM area is corrupted. Initialize the area to > default values > >> c6k_sup2 processor with 262144 Kbytes of main memory > > I've been bitten by this exact same bug. You have hit a hardware bug. > Please see > the field notice: http://www.cisco.com/en/US/ts/fn/200/fn27595.html > > Had to do an RMA for the SUP to solve this problem (hope you have a > support > contract in place) :) > > -Alex > From asturluismi at gmail.com Thu Jan 21 10:16:04 2010
From: asturluismi at gmail.com (luismi) Date: Thu, 21 Jan 2010 16:16:04 +0100 Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x In-Reply-To: <4B584B31.3030207@renater.fr> References: <1264073265.17015.10.camel@hal9000> <4B584B31.3030207@renater.fr> Message-ID: <1264086964.17015.20.camel@hal9000> Yes, FreeRADIUS could be a solution, but I don't want to spend 2 or more weeks learning how to get the best from the software and how to integrate it in the network without problems. On the other hand, Radiator looks to be great too. The paid support behind it gives me some relief: I don't need to focus on software bugs, integration problems (if it is supported, it must work) and all those things. The global idea is to cover the technical goals, as well as a very short time to deploy it and put it into production. If FreeRADIUS installation + configuration + tuning + web UI + reading the O'Reilly book is more than 2 weeks... it is not acceptable for me (we don't have the free time for that), and we will go for Radiator. And maybe in the future we could move to FreeRADIUS after doing a proof of concept. For me, right now, I think the Radiator solution could be faster, with the same features and results. But as I said in my first email, I am still doing research to make the best decision :D On Thu, 21-01-2010 at 13:40 +0100, Frederic LOUI wrote: > Hi Luismi, > > Freeradius is a good alternative and can be used to cover all the needs > you mentioned. > Coupled with openldap, you can benefit from having all the LDAP > Directory GUI for user creation. > In addition, you can use MySQL backend for accounting purposes. > > As far as I could find, Freeradius is very popular so that's the reason > why we decided to go for it. > > Finally, the whole solution can run on LINUX. Nevertheless, I agree with > you that the learning curve is quite difficult. > And the documentation is quite "sparse" so that makes things more > difficult to grasp.
> > But the time spent on learning the system is worth the result. > > Hope this helps, > Cheers, > From me at falz.net Thu Jan 21 11:08:31 2010 From: me at falz.net (Chris Wopat) Date: Thu, 21 Jan 2010 10:08:31 -0600 Subject: [c-nsp] A good SSL VPN Solution ? Message-ID: > Hi all, > > Can you advise me a good vpn ssl solution for accessing Office LAN > from my desktop computer without having to install a client software ? > We should be able to access machines with ssh, http, imap and https. > > Are cisco asa appliances a good solution for this purpose ? In this > case, what bundle would one choose for about 50 users ? > > I've already tried adito, which is a good open source product, it > forked into a proprietary solution, SSL Explorer. If you need only a client VPN that tunnels to your network, an ASA with an AnyConnect Essentials license works well and is inexpensive. If you want a more advanced setup that will give your VPN users a "portal" with links to things such as intranet pages, remote desktop sessions, file shares, etc., you should definitely check out Juniper's SSL VPN SA-XXXX (IVE) devices as they are incredible boxes: http://www.juniper.net/in/en/products-services/security/sa-series/ The downside is that these devices are only SSL V PN endpoints, not firewalls. --Chris From jasonleblanc at gmail.com Thu Jan 21 11:47:24 2010
From: jasonleblanc at gmail.com (Jason LeBlanc) Date: Thu, 21 Jan 2010 09:47:24 -0700 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: On Jan 21, 2010, at 9:08 AM, Chris Wopat wrote: >> Hi all, >> >> Can you advise me a good vpn ssl solution for accessing Office LAN >> from my desktop computer without having to install a client software ? >> We should be able to access machines with ssh, http, imap and https. >> >> Are cisco asa appliances a good solution for this purpose ? In this >> case, what bundle would one choose for about 50 users ? >> >> I've already tried adito, which is a good open source product, it >> forked into a proprietary solution, SSL Explorer. > > If you need only a client VPN that tunnels to your network, an ASA with > an AnyConnect Essentials license works well and is inexpensive. If you want a > more advanced setup that will give your VPN users a "portal" with > links to things such as intranet pages, remote desktop sessions, file > shares, etc., you should definitely check out Juniper's SSL VPN SA-XXXX > (IVE) devices as they are incredible boxes: > > http://www.juniper.net/in/en/products-services/security/sa-series/ > > The downside is that these devices are only SSL VPN endpoints, not firewalls. > > --Chris This is exactly right. I agree 100%. //LeBlanc From jshearer at amedisys.com Thu Jan 21 11:47:58 2010
From: jshearer at amedisys.com (Jason Shearer) Date: Thu, 21 Jan 2010 10:47:58 -0600 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: Keep in mind that Cisco's AnyConnect solution requires a client to be installed. It has a pretty small footprint but a client nonetheless. As Chris stated it is cheap. Like an additional $750 list for a 5520 which will support 750 concurrent sessions. Jason -----Original Message----- 
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Wopat Sent: Thursday, January 21, 2010 10:09 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] A good SSL VPN Solution ? *** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited.
If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. *** From BBlackford at nwresd.k12.or.us Thu Jan 21 12:03:15 2010 From: BBlackford at nwresd.k12.or.us (Bill Blackford) Date: Thu, 21 Jan 2010 09:03:15 -0800 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: <6069A203FD01884885C037F81DD750801742DA111F@wsc-mail-01.intra.nwresd.k12.or.us> I believe there are additional costs for the SSL licensing on the ASA 5520, and they are fairly high. -b -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Shearer Sent: Thursday, January 21, 2010 8:48 AM To: Chris Wopat; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] A good SSL VPN Solution ? Keep in mind that Cisco's AnyConnect solution requires a client to be installed. It has a pretty small footprint but a client nonetheless. As Chris stated it is cheap. Like an additional $750 list for a 5520 which will support 750 concurrent sessions. Jason -----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Wopat Sent: Thursday, January 21, 2010 10:09 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] A good SSL VPN Solution ? From jshearer at amedisys.com Thu Jan 21 12:10:36 2010 From: jshearer at amedisys.com (Jason Shearer) Date: Thu, 21 Jan 2010 11:10:36 -0600 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: <6069A203FD01884885C037F81DD750801742DA111F@wsc-mail-01.intra.nwresd.k12.or.us> References: <6069A203FD01884885C037F81DD750801742DA111F@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: For "traditional" clientless SSL that is right. It is a per-user cost. With 8.2.1 there is a new license you can purchase called AnyConnect Essentials. It is a flat license with no per-user count. If you have it installed you can ONLY run AnyConnect and not clientless SSL. Jason -----Original Message----- From: Bill Blackford [mailto:BBlackford at nwresd.k12.or.us] Sent: Thursday, January 21, 2010 11:03 AM To: Jason Shearer; Chris Wopat; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] A good SSL VPN Solution ? I believe there are additional costs for the SSL licensing on the ASA 5520, and they are fairly high. -b
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Shearer Sent: Thursday, January 21, 2010 8:48 AM To: Chris Wopat; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] A good SSL VPN Solution ? From rwest at zyedge.com Thu Jan 21 12:12:14 2010 From: rwest at zyedge.com (Ryan West) Date: Thu, 21 Jan 2010 17:12:14 +0000 Subject: [c-nsp] A good SSL VPN Solution ? In-Reply-To: References: Message-ID: <5DC4853C6CC3EE4788779E0726E034DD0B1687@zy-ex1.zyedge.local> > -----Original Message----- > To: Chris Wopat; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] A good SSL VPN Solution ? > > Keep in mind that Cisco's AnyConnect solution requires a client to be > installed. It has a pretty small footprint but a client nonetheless. > As Chris stated it is cheap. Like an additional $750 list for a 5520 > which will support 750 concurrent sessions. > It retails at $250 for the 750 user license, but yeah cheap. -ryan From cm at n-home.ru Thu Jan 21 15:31:17 2010
From: cm at n-home.ru (Cyrill Malevanov) Date: Thu, 21 Jan 2010 23:31:17 +0300 Subject: [c-nsp] cisco 6509 rommon mode [SEC=UNCLASSIFIED] In-Reply-To: References: <20100120071139.983.qmail@f4mail206.rediffmail.com> <4B573036.3050600@kl.net> <20100121133559.GA56085@stlux503.dsto.defence.gov.au> Message-ID: <6500AF15-D707-4D2E-82AB-AB35C9EA4045@n-home.ru> A SUP2 costs $400. So even if he doesn't have SmartNet, this would not be very expensive. On Jan 21, 2010, at 5:28 PM, Ulici Alexandru wrote: > Had the same problem, and the same solution (RMA). > alex From bjorn at mork.no Thu Jan 21 15:00:24 2010
From: bjorn at mork.no (Bjørn Mork) Date: Thu, 21 Jan 2010 21:00:24 +0100 Subject: [c-nsp] Radius solution for VPN Concentrator and 802.1x In-Reply-To: <1264086964.17015.20.camel@hal9000> (luismi's message of "Thu, 21 Jan 2010 16:16:04 +0100") References: <1264073265.17015.10.camel@hal9000> <4B584B31.3030207@renater.fr> <1264086964.17015.20.camel@hal9000> Message-ID: <87y6jr9qjr.fsf@nemi.mork.no> luismi writes: > Yes, FreeRadius could be a solution, but I don't want to spend 2 or > more weeks learning how to get the best from the software and how to > integrate it in the network without problems. > > On the other hand, Radiator looks to be great too. The paid support > behind it gives me some relief. I don't need to focus on software bugs, > integration problems -if it is supported, it must work- and all those > things. Just trying to make your decision more difficult :-) You can get paid support for FreeRADIUS as well: http://networkradius.com/support/ Bjørn From david.freedman at uk.clara.net Thu Jan 21 18:46:16 2010
From: david.freedman at uk.clara.net (David Freedman) Date: Thu, 21 Jan 2010 23:46:16 -0000 Subject: [c-nsp] Mysterious ASIC Message-ID: <7B8B0D6F623C3A40A0D0A80A66756E2B2C343E@EXVS01.claranet.local> Look at this:
#sh ver | in cisco WS-
cisco WS-C2960G-48TC-L (PowerPC405) processor (revision E0) with 0K/4088K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:1 DeviceType:0x2CA
ASIC-1: Version:1 DeviceType:0x2CA
ASIC-2: Version:1 DeviceType:0x2CA
ASIC-3: Version:1 DeviceType:0x2CA
ASIC-4: Version:1 DeviceType:0x2CA
ASIC-5: Version:1 DeviceType:0x2CA
ASIC-6: Version:1 DeviceType:0x2CA
ASIC-7: Version:1 DeviceType:0x2CA
ASIC-8: Version:1 DeviceType:0x2CA
ASIC-9: Version:1 DeviceType:0x2CA
ASIC-10: Version:1 DeviceType:0x2CA
ASIC-11: Version:1 DeviceType:0x2CA
So, the WS-C2960G-48TC-L has 12 port ASICs, for a published 39Mpps of throughput. But now look at this, the 2960-24TC-L, advertised at 6.5Mpps:
#sh ver | in cisco WS-
cisco WS-C2960-24TC-L (PowerPC405) processor (revision H0) with 65536K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:8 DeviceType:0x2C1
Yes, a single 6.5Mpps forwarding ASIC, type 0x2C1. Does anybody know what this new ASIC may be and what else it is used in? ------------------------------------------------ David Freedman Group Network Engineering Claranet Limited http://www.clara.net From globichen at gmail.com Thu Jan 21 19:28:37 2010
From: globichen at gmail.com (Andy B.) Date: Fri, 22 Jan 2010 01:28:37 +0100 Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL In-Reply-To: References: Message-ID: Hi, I just fell over this thread while doing a little research to solve a similar situation. Hardware:
- 6509 with SUP720-3BXL on both ends
- SXF15a
- Uptime: 46 weeks
Problem:
- OSPF (for the loopback between cores) and BGP (mostly customers to whom we send the full table) going up and down all the time:
%OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1 from FULL to DOWN, Neighbor Down: Dead timer expired
%OSPF-5-ADJCHG: Process 1, Nbr x.x.x.131 on TenGigabitEthernet9/1 from LOADING to FULL, Loading Done
%BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent
%BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time expired) 0 bytes
%BGP-5-ADJCHANGE: neighbor y.y.y.14 Up
This keeps going on for several hours, and suddenly it stabilizes itself. Furthermore I use Cacti to generate graphs from the core router via SNMP. I have one VLAN that has around 15 Gbps traffic at peak times, and as soon as I hit more than 15 Gbps, no more graphs are drawn, the core router console becomes rather unresponsive and OSPF starts to behave strangely. What I can rule out is the fiber capacity. I have multiple circuits and different paths and operators. The OSPF issue happens on all circuits, not just a specific one. No 10 GE link is used more than 60%. In fact, traffic from inside my backbone to any place outside remains unaffected (thank God), but the core router itself is pretty useless. Pinging the core's loopback or any IP loaded on that box results in 40-60% packet loss. CPU usage is not high, it's stable. No unusual processes, just IP Input and BGP Scanner. More than 50% memory is still free at that time. I've had this many times recently, but it really just happens when my core goes beyond +/- 15 Gbps of traffic (outbound).
We've been below 15 Gbps for 2 years and it never happened at that time. Now all this mess happens almost daily, rendering important billing graphs useless and annoying full-table BGP customers. Is this a memory issue, due to the router's long uptime? Would reloading the router help in this case? That's the last thing I would want to do, but if it helps... Cheers, Andy On Fri, Dec 11, 2009 at 5:22 PM, Drew Weaver wrote: > Howdy all, > > Last night I had an interesting encounter on one of my 6509s w/ SUP720-3BXL. > > This switch has 3x iBGP sessions with full internet tables and is also running OSPF. > > Two of the three iBGP sessions randomly dropped with: > > %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time expired) 0 bytes. I also noticed that during this period OSPF dropped with Neighbor Down: Dead timer expired > > and then re-established, and then failed again, and re-established, and failed again, and so on, and so on. > > I checked the physical interfaces between this 6500 and the two GSR 12000s it peers with and there were no errors; there was also no obvious spike in traffic that would account for latency that might cause the hold timers to expire. I remember when this system first came online it took a really long time for it to download the full internet tables from the upstream GSRs, and also during that time there was a lot of CPU time being eaten up. I am wondering if maybe the first session failing caused sort of a 'performance' domino effect which then caused everything else to fail; the issue eventually corrected itself and stabilized. > > This particular box is running 12.2(18)SXF17 so I am less likely to believe it is a software bug. > > Does anyone have any tips on both how I can avoid the hold timer issue altogether and also how I can make it so that if a session does go down and re-establish it doesn't totally nail the CPU while it's trying to re-establish/download the routes?
A long time ago I also read that increasing the MTU on both ends of a circuit can make BGP tables download faster; I don't know if that's true or not. Has anyone else found that? > > thanks, > -Drew > From jasonleblanc at gmail.com Thu Jan 21 19:53:18 2010
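The messages Andy quoted are what an operator would grep for when this happens; the following, added here and not part of the thread, turns them into a small flap detector. It parses IOS %OSPF-5-ADJCHG and %BGP-5-ADJCHANGE / %BGP-3-NOTIFICATION lines, attaches the notification reason (hold time expired, Dead timer expired) to the matching Down event, flags neighbours that went down three or more times within ten minutes, and measures how long each outage lasted. The log lines, addresses, interface and timestamps in SAMPLE_LOG are constructed to resemble the ones in the post; the year is assumed because IOS timestamps do not carry one.

```python
"""Added example, not from the thread: flap detection over the IOS adjacency messages
Andy quoted.  SAMPLE_LOG and its addresses, interface and timestamps are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: (?P<msg>%.*)$")
OSPF_RE = re.compile(r"%OSPF-5-ADJCHG: Process \d+, Nbr (?P<nbr>\S+) on (?P<intf>\S+) "
                     r"from (?P<old>\w+) to (?P<new>\w+)(?:, Neighbor Down: (?P<reason>.*))?")
BGP_RE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (?P<nbr>\S+) (?P<state>Up|Down)")
NOTIF_RE = re.compile(r"%BGP-3-NOTIFICATION: (?:sent to|received from) neighbor (?P<nbr>\S+) "
                      r"\d+/\d+ \((?P<reason>[^)]*)\)")

SAMPLE_LOG = """\
Jan 21 02:10:03.117: %BGP-5-ADJCHANGE: neighbor 10.1.1.14 Down BGP Notification sent
Jan 21 02:10:03.118: %BGP-3-NOTIFICATION: sent to neighbor 10.1.1.14 4/0 (hold time expired) 0 bytes
Jan 21 02:10:41.902: %BGP-5-ADJCHANGE: neighbor 10.1.1.14 Up
Jan 21 02:12:15.330: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.130 on TenGigabitEthernet4/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Jan 21 02:12:49.004: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.130 on TenGigabitEthernet4/1 from LOADING to FULL, Loading Done
Jan 21 02:13:57.210: %BGP-5-ADJCHANGE: neighbor 10.1.1.14 Down BGP Notification sent
Jan 21 02:13:57.211: %BGP-3-NOTIFICATION: sent to neighbor 10.1.1.14 4/0 (hold time expired) 0 bytes
Jan 21 02:14:30.555: %BGP-5-ADJCHANGE: neighbor 10.1.1.14 Up
Jan 21 02:15:02.001: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.130 on TenGigabitEthernet4/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Jan 21 02:15:40.777: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.130 on TenGigabitEthernet4/1 from LOADING to FULL, Loading Done
Jan 21 02:17:11.420: %BGP-5-ADJCHANGE: neighbor 10.1.1.14 Down BGP Notification sent
Jan 21 02:17:11.421: %BGP-3-NOTIFICATION: sent to neighbor 10.1.1.14 4/0 (hold time expired) 0 bytes
Jan 21 02:17:50.009: %BGP-5-ADJCHANGE: neighbor 10.1.1.14 Up
Jan 21 02:18:33.600: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.130 on TenGigabitEthernet4/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Jan 21 03:40:12.000: %BGP-5-ADJCHANGE: neighbor 10.1.1.20 Down Peer closed the session
"""


@dataclass
class Event:
    ts: datetime
    proto: str
    nbr: str
    state: str          # "Up" or "Down"
    reason: str = ""


def parse_events(lines, year=2010):
    """Syslog lines -> adjacency events.  IOS timestamps carry no year, so one is assumed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        o, b, n = OSPF_RE.match(m["msg"]), BGP_RE.match(m["msg"]), NOTIF_RE.match(m["msg"])
        if o and o["new"] in ("DOWN", "FULL"):
            events.append(Event(ts, "OSPF", o["nbr"], "Down" if o["new"] == "DOWN" else "Up", o["reason"] or ""))
        elif b:
            events.append(Event(ts, "BGP", b["nbr"], b["state"]))
        elif n:  # the NOTIFICATION follows its ADJCHANGE line: attach the reason to that Down event
            for e in reversed(events):
                if e.proto == "BGP" and e.nbr == n["nbr"] and e.state == "Down":
                    e.reason = e.reason or n["reason"]
                    break
    return events


def find_flapping(events, window=timedelta(minutes=10), min_downs=3):
    """Neighbours with at least min_downs Down events inside some window-long span."""
    downs, reasons = defaultdict(list), defaultdict(set)
    for e in events:
        if e.state == "Down":
            downs[(e.proto, e.nbr)].append(e.ts)
            if e.reason:
                reasons[(e.proto, e.nbr)].add(e.reason)
    report = {}
    for key, times in downs.items():
        recent, worst = deque(), 0
        for t in sorted(times):           # sliding window over the Down timestamps
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            worst = max(worst, len(recent))
        if worst >= min_downs:
            report[key] = {"downs": len(times), "max_in_window": worst, "reasons": sorted(reasons[key])}
    return report


def down_durations(events):
    """Seconds each neighbour stayed down per Down/Up pair; an unmatched Down is still open."""
    open_since, durations = {}, defaultdict(list)
    for e in events:
        key = (e.proto, e.nbr)
        if e.state == "Down":
            open_since.setdefault(key, e.ts)
        elif key in open_since:
            durations[key].append((e.ts - open_since.pop(key)).total_seconds())
    return dict(durations)
```

Fed the sample, find_flapping flags both the OSPF neighbour (three dead-timer expiries in about six minutes) and the BGP neighbour (three hold-timer expiries), while the neighbour that went down once with a different reason is left alone; down_durations shows each outage lasting 30 to 40 seconds, which lines up with a box whose control plane is starved rather than a link that is physically down. Reading the same lines from `logging buffered` output or a syslog collector is a matter of passing them in instead of SAMPLE_LOG.splitlines().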
From: jasonleblanc at gmail.com (Jason LeBlanc) Date: Thu, 21 Jan 2010 17:53:18 -0700 Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL In-Reply-To: References: Message-ID: Can you send your OSPF config? On Jan 21, 2010, at 5:28 PM, Andy B. wrote: > Hi, > > I just fell over this thread while doing a little reseach to solve a > similar situation. > > Hardware: > > - 6509 with SUP720-3BXL on both ends > - SXF15a > - Uptime: 46 weeks > > Problem: > > - OSPF (for the loopback between cores) and BGP (mostly customers whom > we send the full table) going up and down all the time: > > %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1 from > FULL to DOWN, Neighbor Down: Dead timer expired > %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.131 on TenGigabitEthernet9/1 from > LOADING to FULL, Loading Done > %BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent > %BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time expired) 0 bytes > %BGP-5-ADJCHANGE: neighbor y.y.y.14 Up > > This keeps going on for several hours, and suddenly it stabilizes itself. > > Furthermore I use cacti to generate graphs from the core router via > SNMP. I have one VLAN that has around 15 GBPS traffic at peak times, > and as soon as I hit more than 15 GBPS, no more graphs are drawn, core > router console becomes rather unresponsive and OSPF starts to behave > strangely. > > What I can rule out is the fiber capacity. I have multiple circuits > and different paths and operators. The OSPF issue happens on all > circuits, not just a specific one. No 10 GE link is used more than > 60%. In fact, traffic from inside my backbone to any place outside > remains unaffected (thank God), but the core router itself is pretty > useless. Pinging the core's loopback or any ip loaded on that box > results in a 40-60% packet loss. > > CPU usage is not high, it's stable. No unusual processes, just IP > Input and BGP Scanner. More than 50% memory is still free at that > time. 
>
> I've had this many times recently, but it really just happens when my
> core goes beyond +- 15 GBPS of traffic (outbound). We've been below 15
> GBPS for 2 years and it never happened at that time. Now all this mess
> happens almost daily, rendering important billing graphs useless and
> annoying full table BGP customers.
>
> Is this a memory issue, due to the router's long uptime? Would
> reloading the router help in this case? That's the last thing I would
> want to do, but if it helps...
>
> Cheers,
>
> Andy
>
> On Fri, Dec 11, 2009 at 5:22 PM, Drew Weaver wrote:
>> Howdy all,
>>
>> Last night I had an interesting encounter on one of my 6509s /w SUP720-3BXL.
>>
>> This switch has 3x iBGP sessions with full internet tables and is also running OSPF.
>>
>> Two of the three iBGP sessions randomly dropped with:
>>
>> %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time expired) 0 bytes, I also noticed that during this period OSPF dropped with Neighbor Down: Dead timer expired
>>
>> and then re-established, and then failed again, and re-established, and failed again, and so-on, and so-on.
>>
>> I checked the physical interfaces between this 6500 and the two GSR 12000s it peers with and there were no errors, there was also no obvious spike in traffic that would account for latency that might cause the hold timers to expire. I remember when this system first came online it took a really long time for it to download the full internet tables from the upstream GSRs and also during that time there was a lot of CPU time being eaten up, I am wondering if maybe the first session failing caused sort of a 'performance' domino effect which then caused everything else to fail, the issue eventually corrected itself and stabilized.
>>
>> This particular box is running 12.2(18)SXF17 so I am less likely to believe it is a software bug.
>>
>> Does anyone have any tips on both how I can avoid the hold timer issue altogether and also how I can make it so that if a session does go down and re-establish it doesn't totally nail the CPU while it's trying to re-establish/download the routes? A long time ago I also read that increasing the MTU on both ends of a circuit can make BGP tables download faster, I don't know if that's true or not, has anyone else found that?
>>
>> thanks,
>> -Drew
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From globichen at gmail.com  Thu Jan 21 20:06:53 2010
From: globichen at gmail.com (Andy B.)
Date: Fri, 22 Jan 2010 02:06:53 +0100
Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL

Hi,

here we go:

Core router that is causing headaches:

interface Loopback0
 ip address x.x.x.130 255.255.255.255

interface TenGigabitEthernet9/1
 ip address y.y.y.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no cdp enable

router ospf 1
 router-id x.x.x.130
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface TenGigabitEthernet8/1
 no passive-interface TenGigabitEthernet9/1
 no passive-interface TenGigabitEthernet9/2
 network y.y.y.0 0.0.0.3 area 0
 network y.y.y.4 0.0.0.3 area 0
 network y.y.y.8 0.0.0.3 area 0


Adjacent router (one of them):

interface Loopback0
 ip address x.x.x.131 255.255.255.255

interface TenGigabitEthernet4/1
 ip address y.y.y.2 255.255.255.252
 no ip redirects
 no ip proxy-arp

router ospf 1
 router-id x.x.x.131
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface TenGigabitEthernet4/1
 network y.y.y.0 0.0.0.3 area 0


I hope this helps...

Andy

On Fri, Jan 22, 2010 at 1:53 AM, Jason LeBlanc wrote:
> Can you send your OSPF config?
>
> On Jan 21, 2010, at 5:28 PM, Andy B. wrote:
>
>> Hi,
>>
>> I just fell over this thread while doing a little research to solve a
>> similar situation.
>>
>> Hardware:
>>
>> - 6509 with SUP720-3BXL on both ends
>> - SXF15a
>> - Uptime: 46 weeks
>>
>> Problem:
>>
>> - OSPF (for the loopback between cores) and BGP (mostly customers whom
>> we send the full table) going up and down all the time:
>>
>> %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1 from
>> FULL to DOWN, Neighbor Down: Dead timer expired
>> %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.131 on TenGigabitEthernet9/1 from
>> LOADING to FULL, Loading Done
>> %BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent
>> %BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time expired) 0 bytes
>> %BGP-5-ADJCHANGE: neighbor y.y.y.14 Up
>>
>> This keeps going on for several hours, and suddenly it stabilizes itself.
>>
>> Furthermore I use cacti to generate graphs from the core router via
>> SNMP. I have one VLAN that has around 15 GBPS traffic at peak times,
>> and as soon as I hit more than 15 GBPS, no more graphs are drawn, core
>> router console becomes rather unresponsive and OSPF starts to behave
>> strangely.
>>
>> What I can rule out is the fiber capacity. I have multiple circuits
>> and different paths and operators. The OSPF issue happens on all
>> circuits, not just a specific one. No 10 GE link is used more than
>> 60%. In fact, traffic from inside my backbone to any place outside
>> remains unaffected (thank God), but the core router itself is pretty
>> useless. Pinging the core's loopback or any ip loaded on that box
>> results in a 40-60% packet loss.
>>
>> CPU usage is not high, it's stable. No unusual processes, just IP
>> Input and BGP Scanner. More than 50% memory is still free at that
>> time.
>>
>> I've had this many times recently, but it really just happens when my
>> core goes beyond +- 15 GBPS of traffic (outbound). We've been below 15
>> GBPS for 2 years and it never happened at that time. Now all this mess
>> happens almost daily, rendering important billing graphs useless and
>> annoying full table BGP customers.
>>
>> Is this a memory issue, due to the router's long uptime? Would
>> reloading the router help in this case? That's the last thing I would
>> want to do, but if it helps...
>>
>> Cheers,
>>
>> Andy
>>
>> On Fri, Dec 11, 2009 at 5:22 PM, Drew Weaver wrote:
>>> Howdy all,
>>>
>>> Last night I had an interesting encounter on one of my 6509s /w SUP720-3BXL.
>>>
>>> This switch has 3x iBGP sessions with full internet tables and is also running OSPF.
>>>
>>> Two of the three iBGP sessions randomly dropped with:
>>>
>>> %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time expired) 0 bytes, I also noticed that during this period OSPF dropped with Neighbor Down: Dead timer expired
>>>
>>> and then re-established, and then failed again, and re-established, and failed again, and so-on, and so-on.
>>>
>>> I checked the physical interfaces between this 6500 and the two GSR 12000s it peers with and there were no errors, there was also no obvious spike in traffic that would account for latency that might cause the hold timers to expire. I remember when this system first came online it took a really long time for it to download the full internet tables from the upstream GSRs and also during that time there was a lot of CPU time being eaten up, I am wondering if maybe the first session failing caused sort of a 'performance' domino effect which then caused everything else to fail, the issue eventually corrected itself and stabilized.
>>>
>>> This particular box is running 12.2(18)SXF17 so I am less likely to believe it is a software bug.
>>>
>>> Does anyone have any tips on both how I can avoid the hold timer issue altogether and also how I can make it so that if a session does go down and re-establish it doesn't totally nail the CPU while it's trying to re-establish/download the routes? A long time ago I also read that increasing the MTU on both ends of a circuit can make BGP tables download faster, I don't know if that's true or not, has anyone else found that?
>>>
>>> thanks,
>>> -Drew
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From madunix at gmail.com  Fri Jan 22 01:57:17 2010
From: madunix at gmail.com (madunix)
Date: Fri, 22 Jan 2010 08:57:17 +0200
Subject: [c-nsp] mysql update
Message-ID: <4d3f56c91001212257j20bb9160kb2c083097627f05f@mail.gmail.com>

I have the following update procedure that updates a MySQL DB over the internet between source Linux CentOS (local machine on my net behind a DMZ with real IP A.B.C.D) and target Linux Fedora (web server www.myweb.com) every day at a specific time, 18:00, through a crontab on my source linux server

server(source) ---DMZ---ASA---Router-----Internet----HostingCompany---Myweb(target)

[root at source]# mysql -u updatex -p -h www.myweb.com test < sample.SQL

[root at source]$ mysql -u updatex -p -h www.myweb.com test < sample.SQL
Enter password: *****
CURTIME()
19:41:44
CURTIME()
19:50:09

[root at source]$ mysql -u updatex -p -h www.myweb.com test < sample.SQL
Enter password:*****
CURTIME()
08:26:08
CURTIME()
08:26:34

I did the above procedure multiple times at different times in the day. The duration of this procedure takes from 22sec to 10min, see above...; a while ago it was running constantly with a duration of 30sec.
I checked with my ISP, hosting company and network; nothing has been changed in the structure/configuration.....

[root at source]# lsof -i -P | grep 3306
mysqld   3806  mysql  11u  IPv4  10926   TCP *:3306 (LISTEN)
mysql   15150  user    3u  IPv4  297528  TCP 192.168.10.5:8376->www.myweb.com:3306 (ESTABLISHED)

[root at target]# netstat -a |grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 www.myweb.:mysql        A.B.C.D:8366            TIME_WAIT
tcp        0     11 www.myweb.:mysql        A.B.C.D:8372            ESTABLISHED

Also I attached the TCP connection between the nodes as above from source and target. Can anyone help with why I have this behavior and how I can fix the delay? I am thinking of doing QoS, or a clean-up and remote execution at that time ...

Thanks

From skoal at skoal.name  Fri Jan 22 03:07:42 2010
From: skoal at skoal.name (Gergely Antal)
Date: Fri, 22 Jan 2010 09:07:42 +0100
Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
Message-ID: <20100122090742.565d4609@roadrunner.skoal.name>

just a thought :

sh ip bgp neighbors | i Datagrams

maybe one router tries to negotiate the session with low datagram size
and the update storm floods the connection.

On Fri, 22 Jan 2010 02:06:53 +0100
"Andy B." wrote:

>Hi,
>
>here we go:
>
>Core router that is causing headaches:
>
>interface Loopback0
> ip address x.x.x.130 255.255.255.255
>
>interface TenGigabitEthernet9/1
> ip address y.y.y.1 255.255.255.252
> no ip redirects
> no ip proxy-arp
> no cdp enable
>
>router ospf 1
> router-id x.x.x.130
> log-adjacency-changes
> redistribute connected subnets
> redistribute static subnets
> passive-interface default
> no passive-interface TenGigabitEthernet8/1
> no passive-interface TenGigabitEthernet9/1
> no passive-interface TenGigabitEthernet9/2
> network y.y.y.0 0.0.0.3 area 0
> network y.y.y.4 0.0.0.3 area 0
> network y.y.y.8 0.0.0.3 area 0
>
>
>Adjacent router (one of them):
>
>interface Loopback0
> ip address x.x.x.131 255.255.255.255
>
>interface TenGigabitEthernet4/1
> ip address y.y.y.2 255.255.255.252
> no ip redirects
> no ip proxy-arp
>
>router ospf 1
> router-id x.x.x.131
> log-adjacency-changes
> redistribute connected subnets
> redistribute static subnets
> passive-interface default
> no passive-interface TenGigabitEthernet4/1
> network y.y.y.0 0.0.0.3 area 0
>
>
>I hope this helps...
>
>Andy
>
>
>On Fri, Jan 22, 2010 at 1:53 AM, Jason LeBlanc wrote:
>> Can you send your OSPF config?
>>
>> On Jan 21, 2010, at 5:28 PM, Andy B. wrote:
>>
>>> Hi,
>>>
>>> I just fell over this thread while doing a little research to solve a
>>> similar situation.
>>>
>>> Hardware:
>>>
>>> - 6509 with SUP720-3BXL on both ends
>>> - SXF15a
>>> - Uptime: 46 weeks
>>>
>>> Problem:
>>>
>>> - OSPF (for the loopback between cores) and BGP (mostly customers
>>> whom we send the full table) going up and down all the time:
>>>
>>> %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1
>>> from FULL to DOWN, Neighbor Down: Dead timer expired
>>> %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.131 on TenGigabitEthernet9/1
>>> from LOADING to FULL, Loading Done
>>> %BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent
>>> %BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time
>>> expired) 0 bytes %BGP-5-ADJCHANGE: neighbor y.y.y.14 Up
>>>
>>> This keeps going on for several hours, and suddenly it stabilizes
>>> itself.
>>>
>>> Furthermore I use cacti to generate graphs from the core router via
>>> SNMP. I have one VLAN that has around 15 GBPS traffic at peak times,
>>> and as soon as I hit more than 15 GBPS, no more graphs are drawn,
>>> core router console becomes rather unresponsive and OSPF starts to
>>> behave strangely.
>>>
>>> What I can rule out is the fiber capacity. I have multiple circuits
>>> and different paths and operators. The OSPF issue happens on all
>>> circuits, not just a specific one. No 10 GE link is used more than
>>> 60%. In fact, traffic from inside my backbone to any place outside
>>> remains unaffected (thank God), but the core router itself is pretty
>>> useless. Pinging the core's loopback or any ip loaded on that box
>>> results in a 40-60% packet loss.
>>>
>>> CPU usage is not high, it's stable. No unusual processes, just IP
>>> Input and BGP Scanner. More than 50% memory is still free at that
>>> time.
>>>
>>> I've had this many times recently, but it really just happens when
>>> my core goes beyond +- 15 GBPS of traffic (outbound). We've been
>>> below 15 GBPS for 2 years and it never happened at that time.
Now
>>> all this mess happens almost daily, rendering important billing
>>> graphs useless and annoying full table BGP customers.
>>>
>>> Is this a memory issue, due to the router's long uptime? Would
>>> reloading the router help in this case? That's the last thing I
>>> would want to do, but if it helps...
>>>
>>> Cheers,
>>>
>>> Andy
>>>
>>> On Fri, Dec 11, 2009 at 5:22 PM, Drew Weaver wrote:
>>>> Howdy all,
>>>>
>>>> Last night I had an interesting encounter on one of my 6509s /w
>>>> SUP720-3BXL.
>>>>
>>>> This switch has 3x iBGP sessions with full internet tables and is
>>>> also running OSPF.
>>>>
>>>> Two of the three iBGP sessions randomly dropped with:
>>>>
>>>> %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time
>>>> expired) 0 bytes, I also noticed that during this period OSPF
>>>> dropped with Neighbor Down: Dead timer expired
>>>>
>>>> and then re-established, and then failed again, and
>>>> re-established, and failed again, and so-on, and so-on.
>>>>
>>>> I checked the physical interfaces between this 6500 and the two
>>>> GSR 12000s it peers with and there were no errors, there was also
>>>> no obvious spike in traffic that would account for latency that
>>>> might cause the hold timers to expire. I remember when this system
>>>> first came online it took a really long time for it to download
>>>> the full internet tables from the upstream GSRs and also during
>>>> that time there was a lot of CPU time being eaten up, I am
>>>> wondering if maybe the first session failing caused sort of a
>>>> 'performance' domino effect which then caused everything else to
>>>> fail, the issue eventually corrected itself and stabilized.
>>>>
>>>> This particular box is running 12.2(18)SXF17 so I am less likely
>>>> to believe it is a software bug.
>>>>
>>>> Does anyone have any tips on both how I can avoid the hold timer
>>>> issue altogether and also how I can make it so that if a session
>>>> does go down and re-establish it doesn't totally nail the CPU
>>>> while it's trying to re-establish/download the routes? A long time
>>>> ago I also read that increasing the MTU on both ends of a circuit
>>>> can make BGP tables download faster, I don't know if that's true
>>>> or not, has anyone else found that?
>>>>
>>>> thanks,
>>>> -Drew
>>>>
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL:

From bandwidth.user at gmail.com  Fri Jan 22 05:00:49 2010
From: bandwidth.user at gmail.com (roy)
Date: Fri, 22 Jan 2010 18:00:49 +0800
Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
In-Reply-To: <20100122090742.565d4609@roadrunner.skoal.name>
References: <20100122090742.565d4609@roadrunner.skoal.name>
Message-ID: <4B597751.5020600@gmail.com>

We had a somewhat similar problem with ospf/bgp which was eventually
resolved by making link mtu uniform across the links. Let me know if this
helps.

On Friday, 22 January, 2010 04:07 PM, Gergely Antal wrote:
>
> just a thought :
> sh ip bgp neighbors | i Datagrams
>
> maybe one router tries to negotiate the session with low datagram size
> and the update storm floods the connection.
>
>
> On Fri, 22 Jan 2010 02:06:53 +0100
> "Andy B." wrote:
>
>> Hi,
>>
>> here we go:
>>
>> Core router that is causing headaches:
>>
>> interface Loopback0
>> ip address x.x.x.130 255.255.255.255
>>
>> interface TenGigabitEthernet9/1
>> ip address y.y.y.1 255.255.255.252
>> no ip redirects
>> no ip proxy-arp
>> no cdp enable
>>
>> router ospf 1
>> router-id x.x.x.130
>> log-adjacency-changes
>> redistribute connected subnets
>> redistribute static subnets
>> passive-interface default
>> no passive-interface TenGigabitEthernet8/1
>> no passive-interface TenGigabitEthernet9/1
>> no passive-interface TenGigabitEthernet9/2
>> network y.y.y.0 0.0.0.3 area 0
>> network y.y.y.4 0.0.0.3 area 0
>> network y.y.y.8 0.0.0.3 area 0
>>
>>
>> Adjacent router (one of them):
>>
>> interface Loopback0
>> ip address x.x.x.131 255.255.255.255
>>
>> interface TenGigabitEthernet4/1
>> ip address y.y.y.2 255.255.255.252
>> no ip redirects
>> no ip proxy-arp
>>
>> router ospf 1
>> router-id x.x.x.131
>> log-adjacency-changes
>> redistribute connected subnets
>> redistribute static subnets
>> passive-interface default
>> no passive-interface TenGigabitEthernet4/1
>> network y.y.y.0 0.0.0.3 area 0
>>
>>
>> I hope this helps...
>>
>> Andy
>>
>>
>> On Fri, Jan 22, 2010 at 1:53 AM, Jason LeBlanc wrote:
>>> Can you send your OSPF config?
>>>
>>> On Jan 21, 2010, at 5:28 PM, Andy B. wrote:
>>>
>>>> Hi,
>>>>
>>>> I just fell over this thread while doing a little research to solve a
>>>> similar situation.
>>>>
>>>> Hardware:
>>>>
>>>> - 6509 with SUP720-3BXL on both ends
>>>> - SXF15a
>>>> - Uptime: 46 weeks
>>>>
>>>> Problem:
>>>>
>>>> - OSPF (for the loopback between cores) and BGP (mostly customers
>>>> whom we send the full table) going up and down all the time:
>>>>
>>>> %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.130 on TenGigabitEthernet4/1
>>>> from FULL to DOWN, Neighbor Down: Dead timer expired
>>>> %OSPF-5-ADJCHG: Process 1, Nbr x.x.x.131 on TenGigabitEthernet9/1
>>>> from LOADING to FULL, Loading Done
>>>> %BGP-5-ADJCHANGE: neighbor y.y.y.14 Down BGP Notification sent
>>>> %BGP-3-NOTIFICATION: sent to neighbor y.y.y.14 4/0 (hold time
>>>> expired) 0 bytes %BGP-5-ADJCHANGE: neighbor y.y.y.14 Up
>>>>
>>>> This keeps going on for several hours, and suddenly it stabilizes
>>>> itself.
>>>>
>>>> Furthermore I use cacti to generate graphs from the core router via
>>>> SNMP. I have one VLAN that has around 15 GBPS traffic at peak times,
>>>> and as soon as I hit more than 15 GBPS, no more graphs are drawn,
>>>> core router console becomes rather unresponsive and OSPF starts to
>>>> behave strangely.
>>>>
>>>> What I can rule out is the fiber capacity. I have multiple circuits
>>>> and different paths and operators. The OSPF issue happens on all
>>>> circuits, not just a specific one. No 10 GE link is used more than
>>>> 60%. In fact, traffic from inside my backbone to any place outside
>>>> remains unaffected (thank God), but the core router itself is pretty
>>>> useless. Pinging the core's loopback or any ip loaded on that box
>>>> results in a 40-60% packet loss.
>>>>
>>>> CPU usage is not high, it's stable. No unusual processes, just IP
>>>> Input and BGP Scanner.
More than 50% memory is still free at that
>>>> time.
>>>>
>>>> I've had this many times recently, but it really just happens when
>>>> my core goes beyond +- 15 GBPS of traffic (outbound). We've been
>>>> below 15 GBPS for 2 years and it never happened at that time. Now
>>>> all this mess happens almost daily, rendering important billing
>>>> graphs useless and annoying full table BGP customers.
>>>>
>>>> Is this a memory issue, due to the router's long uptime? Would
>>>> reloading the router help in this case? That's the last thing I
>>>> would want to do, but if it helps...
>>>>
>>>> Cheers,
>>>>
>>>> Andy
>>>>
>>>> On Fri, Dec 11, 2009 at 5:22 PM, Drew Weaver wrote:
>>>>> Howdy all,
>>>>>
>>>>> Last night I had an interesting encounter on one of my 6509s /w
>>>>> SUP720-3BXL.
>>>>>
>>>>> This switch has 3x iBGP sessions with full internet tables and is
>>>>> also running OSPF.
>>>>>
>>>>> Two of the three iBGP sessions randomly dropped with:
>>>>>
>>>>> %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time
>>>>> expired) 0 bytes, I also noticed that during this period OSPF
>>>>> dropped with Neighbor Down: Dead timer expired
>>>>>
>>>>> and then re-established, and then failed again, and
>>>>> re-established, and failed again, and so-on, and so-on.
>>>>>
>>>>> I checked the physical interfaces between this 6500 and the two
>>>>> GSR 12000s it peers with and there were no errors, there was also
>>>>> no obvious spike in traffic that would account for latency that
>>>>> might cause the hold timers to expire. I remember when this system
>>>>> first came online it took a really long time for it to download
>>>>> the full internet tables from the upstream GSRs and also during
>>>>> that time there was a lot of CPU time being eaten up, I am
>>>>> wondering if maybe the first session failing caused sort of a
>>>>> 'performance' domino effect which then caused everything else to
>>>>> fail, the issue eventually corrected itself and stabilized.
>>>>>
>>>>> This particular box is running 12.2(18)SXF17 so I am less likely
>>>>> to believe it is a software bug.
>>>>>
>>>>> Does anyone have any tips on both how I can avoid the hold timer
>>>>> issue altogether and also how I can make it so that if a session
>>>>> does go down and re-establish it doesn't totally nail the CPU
>>>>> while it's trying to re-establish/download the routes? A long time
>>>>> ago I also read that increasing the MTU on both ends of a circuit
>>>>> can make BGP tables download faster, I don't know if that's true
>>>>> or not, has anyone else found that?
>>>>>
>>>>> thanks,
>>>>> -Drew
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From globichen at gmail.com  Fri Jan 22 05:26:39 2010
From: globichen at gmail.com (Andy B.)
Date: Fri, 22 Jan 2010 11:26:39 +0100
Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
In-Reply-To: <4B597751.5020600@gmail.com>
References: <20100122090742.565d4609@roadrunner.skoal.name> <4B597751.5020600@gmail.com>

MTU is 1500 on all links:

Core 1:

#sh int te9/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
#sh int te9/2 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
#sh int te8/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 2:

#sh int te4/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 3:

#sh int te4/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 4:

#sh int te4/1 | i MTU
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

Core 1 is physically connected to 2,3 and 4 (star topology).
BGP is fully meshed - no route reflector.

Andy

On Fri, Jan 22, 2010 at 11:00 AM, roy wrote:
> We had a somewhat similar problem with ospf/bgp which was eventually
> resolved by making link mtu uniform across the links. Let me know if this
> helps.
>
> On Friday, 22 January, 2010 04:07 PM, Gergely Antal wrote:
>>
>> just a thought :
>> sh ip bgp neighbors | i Datagrams
>>
>> maybe one router tries to negotiate the session with low datagram size
>> and the update storm floods the connection.
>>
>>
>> On Fri, 22 Jan 2010 02:06:53 +0100
>> "Andy B." wrote:
>>
>>> Hi,
>>>
>>> here we go:
>>>
>>> Core router that is causing headaches:
>>>
>>> interface Loopback0
>>> ip address x.x.x.130 255.255.255.255
>>>
>>> interface TenGigabitEthernet9/1
>>> ip address y.y.y.1 255.255.255.252
>>> no ip redirects
>>> no ip proxy-arp
>>> no cdp enable
>>>
>>> router ospf 1
>>> router-id x.x.x.130
>>> log-adjacency-changes
>>> redistribute connected subnets
>>> redistribute static subnets
>>> passi