[c-nsp] Cisco ACE Context

robbie.jacka at regions.com robbie.jacka at regions.com
Fri Aug 22 14:40:45 EDT 2008


I'd second the experience. From my knowledge, the TenG interfaces are
absolutely not supposed to be configured, and in fact, in at least
12.2(18)SXF8, cannot be modified at all (configuration attempts result in a
"% This interface cannot be modified" message).

I'd recommend moving both 6500s to the same code (it sounds like one is on
a revision that allows TenG interface modifications) and starting from
scratch, with regards to applying the svclc assignments and interface
configurations. Removal/reapplication after setting the synthetic TenG
interfaces to default configurations could possibly straighten this out.
--
robbie




The second story has to do with the special 10G internal interfaces.  We
had a couple SMEs out to install and configure a pair of IPSec SPAs in
the SSC-400 carriers in our 7600s.  The SMEs manually configured the 2
internal GigE ints on the SPAs with the VLANs that they thought to be on
them.  The virtual ints were 1Q trunks.  A few months later after
battling extremely weird problems (traffic from VLAN x appearing on VLAN
y with a significant delay in the middle, dupe frames, packet loss,
7600s crashing, etc) I found a TAC engineer who could explain how the
IPSec SPA ints were supposed to be configured.  As it turns out you are
not supposed to touch the virtual ints when running in VRF Mode, period.
  Under no circumstances do you touch the ints when in VRF Mode.  The
inside and outside VLANs are configured automatically as you configure
VRF in crypto statements.  Turns out that the SMEs had configured
numerous VLANs on both virtual ints and in many cases the VLANs
overlapped.  I.e., you had the same VLANs on both sides of the SPA, both
the encrypted side and the unencrypted side.  The auto config stopped as
soon as they modified the interface config manually.  My TAC engineer (a
VPN specialist) couldn't believe it actually worked, even a little.  He
helped me fix the problem though.  I had to pull the SPAs, reboot both
7600s, reinsert the SPAs, and reconfigure crypto from the ground up
without touching the 1 GigE internal ints.  I mention this story in case
these internal 10G ints aren't supposed to be manually configured but
are instead supposed to be configured automatically based on the svclc
group commands.  None of this may be related though.  Good luck.

FYI
  Justin




