Re: [nsp] [nsp] VIP if-con and IOS switching (was: Monitoring DoS

From: Eric Osborne (eosborne@cisco.com)
Date: Mon May 28 2001 - 15:06:53 EDT


> > the "if-con" command is not listed in the 7513 help. I need it
> > to check our VIP2-50's CPU and memory. I'm still looking for possible
> > caveats if any.
> > Found one only for 12.0T for possible router reload if the "show line"
> > command is issued.
>
> Be very careful here. As with all undocumented IOS commands, there
> are risks with each revision of the IOS code.

I couldn't agree more. If you are the type of customer who likes to
know caveats for each command and needs documentation for every
command you could type, then if-con is not for you. If you want to
see traffic flows on the VIP, export netflow data to a collector and
examine the collector data.

However, if-con has proven extremely useful for a few things - mainly
troubleshooting, but also checking netflow cache without having to
export to a collector first.

From experience, if-con works just fine for show commands. As long as
you limit your interaction with the VIP to asking it questions, and
don't try things like changing the config (VIPs don't have NVRAM, and
get their config from the RSP) or reloading the VIP, then you're fine.
And work is being done to allow you to gather the VIP's netflow cache
information without having to if-con. I suspect this will be via
something like 'show controller vip slot <x> route-cache' or
thereabouts, but I'm not sure.

eric

From: Bryan Ginman (BGinman@iSolve.com)
Date: Fri, 25 May 2001 21:51:40 -0400
Subject: RE: [nsp] OSPF not distributing 1 interface

The reason that this is not preferable is that it injects it as an External
type 2 route with a much higher AD and does not increase its metric through
the area. This can cause problems in large networks if you a[...]
and definitely is not as clean. In and of itself this is not necessarily
"evil", however in large networks with multiple redundant paths, etc this is
not "best practice" the best practice is to run the IGP on all interfaces in
the passive state that you do not want to actively participate in IGP
conversations.

Bryan Ginman
iSolve.com
Vice-President, Network Services
bginman@iSolve.com
203-388-3566

-----Original Message-----
From: David Curran
To: cisco-nsp@puck.nether.net
Cc: cisco-nsp@puck.nether.net
Sent: 5/25/01 2:38 PM
Subject: RE: [nsp] OSPF not distributing 1 interface

By what other method, short of a static routes, which to a dynamic
protocol are just as bad, do you insert routes for all your connected
interfaces? IMHO it's a very useful command when you want all your
interfaces to be advertised but do not necessarily run OSPF on all of
them. Or, for that matter, interfaces that run other IG[...]

I've never heard of this being an issue, I'd be interested to hear why
it is such an "evil" command?

-David Curran

On 24 May 2001 06:04:53 -0400, Chris Whyte wrote:
> I just shudder at the fact that people are even thinking about using
> 'redist connected' as an option to get routes associated with connected
> interfaces into OSPF. Bug or not, I've never been in a situation [...] I
> had to result to using this approach. In large networks (since this is
> the nsp mailing list) it's an evil command a[...]
> sane config that requires its use where there wasn't a better way of
> getting those interfaces into your igp.
>
> I'd be quite happy if csco got rid of it...
>
> Thanks,
>
> Chris
>
> > > Having the interface IP match[...]
> > > interface to run ospf, this is separate issue from passing that
> > > specific connected route or other routes from the routing table
> > > into ospf.
> >
> > It sounds like you are disagreeing with what Ken said, [...] what Ken said
> > is correct. When a network statement matches an interface's subnet, that
> > subnet will get dumped into the routing table as an intra area route. If
> > you 'redistribute connected', you shove it in as an external [...]




This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:39 EDT