[c-nsp] CRS-3: FC140/S, FP140 & 14X10GBE (Emanuel Popa)

Андрей Нуштаев andrey.nushtaev at gmail.com
Mon Apr 25 09:58:11 EDT 2011


>
> Today's Topics:
>
>   1. Re: CRS-3: FC140/S, FP140 & 14X10GBE (Emanuel Popa)
>      (Tassos Chatzithomaoglou)
>   2. Re: VRF-ish solution for L2 interfaces? (David Paul Zimmerman)
>   3. ASA VPN support (Scott Voll)
>   4. Re: Safer DDOS drops (Peter Kranz)
>   5. Re: Small network Route Reflectors? (Peter Rathlev)
>   6. Re: ASA VPN support (Peter Rathlev)
>   7. Question for LACP/LAG gurus (Dmitry Kiselev)
>   8. 2950 and multicast, a cpu issue? (LM)
>   9. Re: 2950 and multicast, a cpu issue? (LM)
>
>
> ---------- Forwarded message ----------
> From: Tassos Chatzithomaoglou <achatz at forthnet.gr>
> To: cisco-nsp at puck.nether.net
> Date: Mon, 11 Apr 2011 20:10:30 +0300
> Subject: Re: [c-nsp] CRS-3: FC140/S, FP140 & 14X10GBE (Emanuel Popa)
>
> Андрей Нуштаев wrote on 11/04/2011 13:49:
>
>> Hi, Emanuel.
>>
>> Hope that information will be still useful for you.
>>
>> a. FP140/MSC40 works well together.
>> b. Unfortunately, I didn't use 3rd party XFP.
>> c. No problem with IOS-XR 4.0.1-px on P router (ISIS/LDP) and AS border
>> router (BGP IPv4/IPv6).
>> d. No support of L3/L2 VPN forwarding when you have FP140 card in the
>> current version (4.0.1), no QoS support per subinterface for FP140
>> (including classification/remarking).
>>
>>
>
> Is the note about unsupported qos features on subinterfaces documented
> somewhere?
>
> --
> Tassos
>
No, it was an answer from the Cisco TAC team.

BR, Andrey

>
>  Andrey
>>
>> From: Emanuel Popa<emanuel.popa at gmail.com>
>>
>>
>>> To: Cisco Mailing list<cisco-nsp at puck.nether.net>
>>> Date: Thu, 10 Feb 2011 12:05:54 +0200
>>> Subject: [c-nsp] CRS-3: FC140/S, FP140&  14X10GBE
>>> hi everybody,
>>>
>>> we will soon upgrade our 16 slot CRS-1 to CRS-3, which means going
>>> from 40Gbps/slot to 140Gbps/slot. afterwards, we will install a couple
>>> of 14X10GBE PLIMs with FP140 in the back. this will grant us more 10GE
>>> ports in an almost full chassis.
>>>
>>> anyways, this process comes with high adrenaline level and huge risk
>>> because we have to carry out the upgrade in several steps:
>>>
>>> 1. upgrade from IOS XR 3.8.4 to IOS XR 4.0.1-px with downtime
>>>
>>> 2. upgrade fabric from FC40/S to FC140/S without downtime
>>>
>>> 3. migrate 10GE ports from 8-10GBE/MSC40 cards to 14X10GBE/FP140 cards
>>>
>>> we are concerned about quite a few things:
>>>
>>> a. how will the mix of MSC40 and FP140 within the same chassis work out?
>>>
>>> b. one of the datasheets we found about the new PLIMs says:
>>>
>>> "The XFP power dissipation is different for each vendor and range. Cisco
>>> Transceiver Module Group has released new "-L" class XFPs,
>>> XFP10GLR-192SR-L (10km) and XFP10GER-192IR-L (40km), for low power and
>>> low EMI to coincide with CRS-3 PLIMs. They are 1.5W and 2.5W respectively
>>> and the only 10km and 40km XFP types supported on CRS-3 XGE PLIMs.
>>> Standard XFPs like XFP10GLR-192SR are not supported on the CRS-3 XGE
>>> PLIMs. There is a strict UDI compliance check when an XFP is inserted or
>>> the LC has booted with XFPs. Non-supported XFPs won’t be powered on."
>>>
>>> we only use 3rd party optics, of course. just curious if anybody has
>>> experience with these PLIMs and the optics that work with them.
>>>
>>> c. what about the new IOS XR 4.0.1-px? did anybody run into any kind
>>> of problems regarding a P router with this version?
>>>
>>> d. anything else that might be helpful with the new hardware above?
>>>
>>> thanks in advance and best regards,
>>> manu
>>>
>>>
>>>
>>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>>
>>
>
>
>
> ---------- Forwarded message ----------
> From: David Paul Zimmerman <David.Zimmerman at flysfo.com>
> To: randal k <cisconsp at data102.com>, "cisco-nsp at puck.nether.net" <
> cisco-nsp at puck.nether.net>
> Date: Mon, 11 Apr 2011 10:41:51 -0700
> Subject: Re: [c-nsp] VRF-ish solution for L2 interfaces?
> One other idea is that, depending on the details of what you're facing,
> you could do QinQ for the ports in question.  Then you could effectively
> have VRF-like separation between them.
>
>  dp
>
> -----Original Message-----
> From: randal k <cisconsp at data102.com>
> Date: Wed, 6 Apr 2011 09:16:15 -0700
> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] VRF-ish solution for L2 interfaces?
>
> NSP'ers,
>
> For unfortunate reasons I am asking the collective if there is a way to do
> VRF-lite style segregation for layer-2 interfaces. Situation is that I have
> a 6509, and I need to make a single blade on the chassis have a completely
> separate VLAN database from the rest of the chassis, effectively letting me
> use a VLAN twice on the chassis without allowing them to talk to each
> other.
>
> I dig that this can be done with protected ports or PVLANs, but am hoping
> for a more "assign all the ports to a new VRF"-style solution.
>
> Thanks in advance!
> Randal
>
> ---------- Forwarded message ----------
> From: Scott Voll <svoll.voip at gmail.com>
> To: cisco-nsp at puck.nether.net
> Date: Mon, 11 Apr 2011 14:55:32 -0700
> Subject: [c-nsp] ASA VPN support
> on ASA 5520's running 8.2 code.
>
> Can you have VPN connections terminate on one external interface
> (non-default route) and return on a different external interface
> (default route out)?
>
> If not, will the VPN tunnel default to sending the return traffic out the
> same interface it came in on?
>
> TIA
>
> Scott
>
>
>
> ---------- Forwarded message ----------
> From: "Peter Kranz" <pkranz at unwiredltd.com>
> To: "'Drew Weaver'" <drew.weaver at thenap.com>
> Date: Mon, 11 Apr 2011 18:37:38 -0700
> Subject: Re: [c-nsp] Safer DDOS drops
> We verified that UDP fragments were not required by anything it was doing
> so it was straightforward... so after initially filtering UDP fragments, in
> the end we just blocked UDP completely to the device under attack.
>
> -peter
>
> -----Original Message-----
> From: Drew Weaver [mailto:drew.weaver at thenap.com]
> Sent: Friday, April 08, 2011 6:44 PM
> To: 'Peter Kranz'
> Subject: RE: [c-nsp] Safer DDOS drops
>
> Peter,
>
> What did you end up using to filter fragments?
>
> We see a lot of these UDP 0 looking attacks and we've been reluctant to
> drop all fragments because it breaks all kinds of legitimate protocols.
>
> thanks,
> -Drew
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Kranz
> Sent: Friday, April 08, 2011 6:45 PM
> To: 'Peter Rathlev'
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Safer DDOS drops
>
> Brandon, Peter, Phil thanks..
>
> I removed 'ip accounting access-violations', used the fragments filter, and
> changed to ' mls rate-limit unicast ip icmp unreachable acl-drop 0' ..
> another >5Gbps attack in progress currently, but router CPU is happy and
> customer still in service.
>
> -peter
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Peter Rathlev <peter at rathlev.dk>
> To: cisco-nsp <cisco-nsp at puck.nether.net>
> Date: Tue, 12 Apr 2011 11:14:37 +0200
> Subject: Re: [c-nsp] Small network Route Reflectors?
> On Fri, 2011-03-18 at 13:49 +0100, Peter Rathlev wrote:
> > Thank you all for input. We'll try a couple of ISR 2901s with IP Base
> > and see how it goes. If I run into any problems I'll make sure to update
> > the list.
>
> One last question popped up. We might soon roll out enterprise wide
> multicast, and the question is if ISR 2901 with IP Base supports
> Multicast VPN, i.e. the MDT SAFI in BGP. As far as I can tell from FN it
> does, but if anyone would know otherwise I'd love to hear.
>
> The price tag for a DATA license isn't that bad, so any other good
> reasons are welcome. It seems IPv6 MP-BGP is supported in IP Base also.
>
> --
> Peter
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Peter Rathlev <peter at rathlev.dk>
> To: Scott Voll <svoll.voip at gmail.com>
> Date: Tue, 12 Apr 2011 11:41:26 +0200
> Subject: Re: [c-nsp] ASA VPN support
> On Mon, 2011-04-11 at 14:55 -0700, Scott Voll wrote:
> > on ASA 5520's running 8.2 code.
> >
> > Can you have VPN connections terminate on one external interface
> > (non-default route) and return on a different external interface
> > (default route out)?
>
> I believe that the "route ... tunnelled" command fits the description.
>
>
> http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1793355
>
> I haven't used it though.
>
> --
> Peter
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Dmitry Kiselev <dmitry at dmitry.net>
> To: cisco-nsp at puck.nether.net
> Date: Tue, 12 Apr 2011 14:49:24 +0300
> Subject: [c-nsp] Question for LACP/LAG gurus
> Hello!
>
> While building several new LAGs on IOS XR I found strange behaviour of
> Cisco IOSes for the "system priority" LACP parameter. Most classic IOSes
> allow setting a value from 0 to 65535, but IOS XR does not:
>
> 12.2(55)SE2 Switch(config)#lacp system-priority ?
>  <0-65535>  Priority value
>
> 12.2(54)SG Switch(config)#lacp system-priority ?
>  <0-65535>  Priority value
>
> 12.2(33)SRE Router(config)#lacp system-priority ?
>  <0-65535>  Priority value
>
> IOS XE 12.2(33)XNF2 Router(config)#lacp system-priority ?
>  <0-65535>  Priority value
>
> IOS XR 4.0.1 Router(config)#lacp system priority ?
>  <1-65535>  Priority for this system. Lower value is higher priority.
>
> Moreover, IOS XR does not form the LAG if the received partner system
> priority is zero. In this case each bundle port shows the error message
> "Partner System ID/Key do not match that of the Selected links" and remains
> in the "configured" state.
>
> It would remain a theoretical nuance, but Extreme Networks switches
> advertise priority=0 by default on all LAGs, causing some trouble in setup.
> An interesting fact is that at the same time zero is an invalid value in
> Extreme switch configuration  :) :)
>
> Extreme# configure sharing 7 lacp system-priority ?
>  <system_priority>  System Priority (1..65535)
>
> I took a short look inside the IEEE 802.1AX-2008 standard and IEEE
> 802.3-2005 clause 43 and do not see any special case for priority=0. Is
> anybody on the list familiar enough with LACP to explain to me why Cisco
> IOS XR does not like zero here?
>
> Thanks
>
> --
> Dmitry Kiselev
>
>
>
> ---------- Forwarded message ----------
> From: LM <asturluismi at gmail.com>
> To: cisco-nsp at puck.nether.net
> Date: Tue, 12 Apr 2011 16:36:31 +0200
> Subject: [c-nsp] 2950 and multicast, a cpu issue?
> sw2950 running c2950-i6q4l2-mz.121-22.EA13
> Is the cpu behaviour normal? I attached an image, I hope it won't be removed
> switch is just managing multicast traffic
>
>
> ---------- Forwarded message ----------
> From: LM <asturluismi at gmail.com>
> To: cisco-nsp at puck.nether.net
> Date: Tue, 12 Apr 2011 17:08:00 +0200
> Subject: Re: [c-nsp] 2950 and multicast, a cpu issue?
> Here is the link, thanks for letting me know.
> http://postimage.org/image/2hp8nccw4/
>
> On 12/04/11 16:44, Pierre Emeriaud wrote:
>
>> 2011/4/12 LM<asturluismi at gmail.com>:
>>
>>> sw2950 running c2950-i6q4l2-mz.121-22.EA13
>>> Is the cpu behaviour normal? I attached an image, I hope it won't be
>>> removed
>>>
>> it has been removed...
>>
>>  switch is just managing multicast traffic
>>>
>
>
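
A passive check for the LACP situation Dmitry Kiselev describes in the quoted digest (a peer advertising system priority 0, which he reports IOS XR 4.0.1 will not bundle with), as an added example that is not part of the original thread. The frame builder, the MAC address and all function names are constructed for illustration; the field layout follows the LACPDU structure in IEEE 802.3 clause 43, and the frame is assumed to be untagged.

```python
import struct

SLOW_PROTOCOLS = 0x8809          # EtherType shared by LACP and other slow protocols
LACP_SUBTYPE = 0x01
# Actor/partner TLV body: system priority, system MAC, key, port priority,
# port number, state, then 3 reserved bytes (18 bytes after type and length).
INFO = "!H6sHHHB3x"

def build_lacpdu(actor_prio, actor_mac):
    """Constructed sample frame (not a capture); partner is still unknown (zeros)."""
    eth = bytes.fromhex("0180c2000002") + actor_mac + struct.pack("!H", SLOW_PROTOCOLS)
    actor = bytes([0x01, 20]) + struct.pack(INFO, actor_prio, actor_mac, 7, 0x8000, 1, 0x3D)
    partner = bytes([0x02, 20]) + struct.pack(INFO, 0, bytes(6), 0, 0, 0, 0)
    collector = struct.pack("!BBH12x", 0x03, 16, 0)
    # bytes(52): terminator TLV (type 0, length 0) plus 50 reserved bytes
    return eth + bytes([LACP_SUBTYPE, 0x01]) + actor + partner + collector + bytes(52)

def parse_lacpdu(frame):
    """Decode the actor and partner TLVs of an untagged LACPDU frame."""
    if len(frame) < 14 + 2 + 40:
        raise ValueError("frame too short for an LACPDU")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != SLOW_PROTOCOLS or frame[14] != LACP_SUBTYPE:
        raise ValueError("not an LACP frame")
    out, offset = {}, 16
    for side, tlv_type in (("actor", 0x01), ("partner", 0x02)):
        if frame[offset] != tlv_type or frame[offset + 1] != 20:
            raise ValueError(f"unexpected TLV at offset {offset}")
        prio, mac, key, _, port, state = struct.unpack_from(INFO, frame, offset + 2)
        out[side] = {"system_priority": prio, "system": mac.hex(":"),
                     "key": key, "port": port, "state": state}
        offset += 20
    return out

def actor_priority_issue(frame):
    """Report a peer whose advertised (actor) system priority is 0.

    Only the actor TLV is checked: the partner TLV is legitimately all
    zeros until the sender has learned who its partner is.
    """
    actor = parse_lacpdu(frame)["actor"]
    if actor["system_priority"] == 0:
        return f"{actor['system']} advertises LACP system priority 0"
    return None

if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")          # constructed, locally administered
    for prio in (0, 32768):
        print(prio, actor_priority_issue(build_lacpdu(prio, mac)))
```

Fed frames from a capture on the bundle member link, the same check shows whether the neighbour is the side sending priority 0 before anyone changes configuration on either end.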

