[c-nsp] OT: 871W config - Digest, Vol 78, Issue 63
Thilak T
thilak.t at gmail.com
Thu May 21 10:58:10 EDT 2009
On Thu, May 21, 2009 at 5:50 AM, <cisco-nsp-request at puck.nether.net> wrote:
> Send cisco-nsp mailing list submissions to
> cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
> cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
> cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
> 1. Re: Bandwidth displayed on Tunnel interfaces (Steve Bertrand)
> 2. OT: 871W config (Justin Shore)
> 3. Re: OT: 871W config (Ray Burkholder)
> 4. ebgp load balancing using maxiumu-paths TCAM impact on
> Sup720-3BXL? (Peter Kranz)
> 5. Re: WS-X6724-SFP & SXI = high cpu usage? (Tassos Chatzithomaoglou)
> 6. Dynamic NAT on router and ASA (Ibrahim Abo Zaid)
> 7. Re: ebgp load balancing using maxiumu-paths TCAM impact on
> Sup720-3BXL? (Kevin Hodle)
> 8. Re: Limits of STP/RSTP/REP? (?????? ????????)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 20 May 2009 19:42:53 -0400
> From: Steve Bertrand <steve at ibctech.ca>
> Subject: Re: [c-nsp] Bandwidth displayed on Tunnel interfaces
> To: Jay Hennigan <jay at west.net>
> Cc: Cisco-NSP Mailing List <cisco-nsp at puck.nether.net>
> Message-ID: <4A14957D.3090703 at ibctech.ca>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Jay Hennigan wrote:
> > Steve Bertrand wrote:
>
> >> If I understand the Cisco documentation correctly, the "BW" is used
> >> exclusively for link metric/cost, but it also shows up in my MRTG graphs
> >> and skews the percentage results.
> >>
> >> Since these tunnels operate on top of the same underlying connection
> >> type as the IPv4 infrastructure, I'd like to set the bandwidth manually
> >> to the same setting as the interface type the tunnel is connected over
> >> (or better yet, set it globally for all tunnel interfaces).
> >>
> >> AFAICT, doing this won't have any operational impact other than what it
> >> would normally have on an IGP (which is fine, because all IGP is over
> >> direct Ethernet), and fixing my graphing/statistical applications.
> >>
> >> Can I get some feedback on whether my thinking is correct? Tunnel
> >> bandwidth should be 100Mb:
> >>
> >> pe2-fibre#sh int tun5
> >> Tunnel5 is up, line protocol is up
> >> Hardware is Tunnel
> >> Description: IPv6 BGP Tunnel to he.net
> >> MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
> >> reliability 255/255, txload 18/255, rxload 163/255
> >> Encapsulation TUNNEL, loopback not set
> >> Keepalive not set
> >> Tunnel source 208.70.111.131, destination 216.218.229.118
> >> Tunnel protocol/transport IPv6/IP
> >> Tunnel TTL 255
> >> Fast tunneling enabled
> >> Tunnel transmit bandwidth 8000 (kbps)
> >> Tunnel receive bandwidth 8000 (kbps)
> >
> > Correct.
> >
> > conf t
> > int tu5
> > bandwidth 100000
> > ^Z
> > wr
>
> Much, MUCH better!
>
> Now my quick graphs actually account for proper v6 throughput.
>
> Thanks!
>
> Steve
>
> ------------------------------
>
> Message: 2
> Date: Wed, 20 May 2009 20:55:57 -0500
> From: Justin Shore <justin at justinshore.com>
> Subject: [c-nsp] OT: 871W config
> To: "'Cisco-nsp'" <cisco-nsp at puck.nether.net>
> Message-ID: <4A14B4AD.2090003 at justinshore.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I've got an off-topic plea. I'm trying to configure a simple little
> 871W as a CE that I need to deploy next week. The wifi on this thing is
> kicking my ass. 881Ws are completely different than their 871W
> ancestors. 881Ws have a logically separate internal AP that you
> basically session into. The 871W's radio is integrated into the
> router's config itself. I can't for the life of me get wifi sub-ints to
> bridge onto the SVIs that I'm using on the wired side (3x VLANs: data,
> voice, and guest).
>
> I found a config guide online that showed SVIs configured with nothing
> but the bridge-group commands, BVIs corresponding to those bridge-groups
> where all the L3 config now resides, and then normal Dot11Radio sub-ints
> with matching bridge-groups. However doing this and putting the
> bridge-group commands on the SVIs breaks the wired connectivity (and
> doesn't make wifi work anyway).
>
> Does anyone have a working config for a 871W that they wouldn't mind
> sharing off-list? This should be a trivially minor config and for some
> reason it's thoroughly stumping me.
>
> Thanks
> Justin
>
Here is a sample config from one of our production APs.
!
dot11 ssid andromeda
vlan 997
authentication open eap xxxxxxxx
authentication network-eap xxxxxxx
authentication key-management wpa
accounting xxxxxxxxxxx
guest-mode
mbssid guest-mode
!
dot11 ssid infrastructure
vlan 999
authentication open
authentication network-eap wireless
authentication client username xxxxxx password xxxxxxxxxxxx
infrastructure-ssid
!
dot11 ssid minutemen
vlan 996
authentication open eap xxxxxxxxxx
authentication network-eap xxxxxxxxxxxxx
accounting xxxxxxxxxxxx
!
dot11 ssid rainbow
vlan 998
authentication open
accounting xxxxxxxxxxx
dot11 network-map
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 1
dot11 priority-map avvid
!
crypto pki trustpoint TP-self-signed-3162012866
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3162012866
revocation-check none
rsakeypair TP-self-signed-3162012866
!
!
crypto ca certificate chain TP-self-signed-3162012866
certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer
!
!
class-map match-any VOICE-CONTROL
match access-group name VOICE-CONTROL
match any
class-map match-any VOICE
match access-group name VOICE
match any
!
!
policy-map WLAN_QOS
class VOICE-CONTROL
set cos 3
class VOICE
set cos 5
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip route-cache
!
encryption vlan 997 mode ciphers tkip
!
encryption vlan 999 mode wep mandatory mic key-hash
!
encryption vlan 996 mode wep mandatory
!
ssid andromeda
!
ssid infrastructure
!
ssid minutemen
!
ssid rainbow
!
mbssid
traffic-class best-effort cw-min 3 cw-max 4 fixed-slot 2
parent 1 000d.29f0.a601
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
power local cck 100
power local ofdm 30
channel 2462
station-role root fallback shutdown
rts threshold 2312
beacon period 97
dot11 qos class best-effort
transmit-op 1504
!
dot11 extension power native
world-mode dot11d country US both
no cdp enable
dot1x reauth-period server
!
interface Dot11Radio0.996
encapsulation dot1Q 996
service-policy input WLAN_QOS
service-policy output WLAN_QOS
no ip route-cache
bridge-group 253
bridge-group 253 subscriber-loop-control
bridge-group 253 block-unknown-source
no bridge-group 253 source-learning
no bridge-group 253 unicast-flooding
bridge-group 253 spanning-disabled
!
interface Dot11Radio0.997
encapsulation dot1Q 997
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
!
interface Dot11Radio0.998
encapsulation dot1Q 998
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 port-protected
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
!
interface Dot11Radio0.999
encapsulation dot1Q 999 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 input-address-list 700
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip route-cache
speed 100
full-duplex
!
interface FastEthernet0.996
encapsulation dot1Q 996
no ip route-cache
bridge-group 253
no bridge-group 253 source-learning
bridge-group 253 spanning-disabled
!
interface FastEthernet0.997
encapsulation dot1Q 997
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
!
interface FastEthernet0.998
encapsulation dot1Q 998
ip helper-address 152.135.148.226
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
!
interface FastEthernet0.999
encapsulation dot1Q 999 native
ip dhcp relay information trusted
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
description Wireless Management Network
ip address 10.100.127.23 255.255.255.128
no ip route-cache
!
ip default-gateway 10.100.127.1
ip http server
ip http authentication aaa
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http secure-client-auth
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
!
ip access-list extended VOICE
permit udp any any range 16384 32767
ip access-list extended VOICE-CONTROL
permit tcp any any range 2000 2002
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
logging history debugging
logging trap debugging
logging facility local2
logging 152.135.171.55
radius-server attribute 32 include-in-access-req format %h
radius-server host XXXXXXX auth-port 1645 acct-port 1646 key 7 075D2F7B1D280A12410632
radius-server timeout 15
radius-server deadtime 1
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
wlccp ap username scla_wds password 7 xxxxxxxxxxxx
wlccp authentication-server infrastructure amat_wireless
wlccp authentication-server client leap amat_wireless
wlccp authentication-server client any amat_wireless
banner motd CCCCC
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 20 May 2009 23:32:27 -0300
> From: "Ray Burkholder" <ray at oneunified.net>
> Subject: Re: [c-nsp] OT: 871W config
> To: "'Justin Shore'" <justin at justinshore.com>, "'Cisco-nsp'"
> <cisco-nsp at puck.nether.net>
> Message-ID: <0C4FF5425DEE44C58DB6398BD9E62179 at oneunified.local>
> Content-Type: text/plain; charset="us-ascii"
>
> >
> > Does anyone have a working config for a 871W that they
> > wouldn't mind sharing off-list? This should be a trivially
> > minor config and for some reason it's thoroughly stumping me.
> >
>
> http://www.oneunified.net/blog/Cisco/Cisco871Wireless.article
>
> Done with the CLI. In addition 12.4(15)T8 works. 12.4(20) doesn't do
> wireless well.
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 20 May 2009 19:40:20 -0700
> From: "Peter Kranz" <pkranz at unwiredltd.com>
> Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact
> on Sup720-3BXL?
> To: <cisco-nsp at puck.nether.net>
> Message-ID: <010201c9d9bd$7c072860$74157920$@com>
> Content-Type: text/plain; charset="us-ascii"
>
> Setup is as follows; 2 edge routers, each with a BGP session receiving full
> routes to the same provider router. The provider is load balancing inbound
> traffic to our AS nicely, 50/50 between the edge routers.. I would also like
> to load balance the outbound traffic.. I've considered adding 'maximum-paths
> 2' to install the two equal paths, but am concerned about FIB TCAM impacts.
> Will adding this command cause each equal cost route to take one additional
> TCAM entry, i.e. full routing table x 2 > 524k TCAM limit = EPIC meltdown?
>
>
>
> Current FIB TCAM:
>
> L3 Forwarding Resources
>
> FIB TCAM usage:                     Total        Used       %Used
>      72 bits (IPv4, MPLS, EoM)     524288      285506         54%
>     144 bits (IP mcast, IPv6)      262144           5          1%
>
>
> Peter Kranz
> <http://www.UnwiredLtd.com> www.UnwiredLtd.com
> Desk: 510-868-1614 x100
>
> Mobile: 510-207-0000
> <mailto:pkranz at unwiredltd.com> pkranz at unwiredltd.com
>
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 21 May 2009 11:52:00 +0300
> From: Tassos Chatzithomaoglou <achatz at forthnet.gr>
> Subject: Re: [c-nsp] WS-X6724-SFP & SXI = high cpu usage?
> To: cisco-nsp <cisco-nsp at puck.nether.net>
> Message-ID: <4A151630.1040400 at forthnet.gr>
> Content-Type: text/plain; charset=ISO-8859-7; format=flowed
>
>
> For everyone interested, the outcome is that WS-X6724-SFP or WS-X6748-SFP
> need to have a lot (~15-20) of SFPs connected
> in order for the cpu to increase.
>
> CSCsr21196: x6724/x6748 SFP enhanced link detection method
> The link background aggressively polls 24 ports at a poll. There is no
> toggle to turn it on or off.
>
> --
> Tassos
>
> Tassos Chatzithomaoglou wrote on 02/04/2009 08:13:
> > Anyone running SXI with a WS-X6724-SFP module (DFC or non DFC), showing
> > high cpu usage due to the fw_lcp process?
> >
> >
> > 6500#remote command module 1 sh proc cpu sort | exc 0.00
> >
> > CPU utilization for five seconds: 32%/1%; one minute: 31%; five minutes: 31%
> >  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
> >  187     1949496    613964       3175 31.19% 30.47% 30.45%   0 fw_lcp process
> >
> >
> > 6500#sh platform hardware capacity cpu
> > CPU Resources
> >   CPU utilization: Module        5 seconds     1 minute     5 minutes
> >                    1             28% /  0%          28%           28%
> >                    6  RP          1% /  1%           1%            1%
> >                    6  SP         18% /  0%          15%           14%
> > 6500#sh mod
> > Mod Ports Card Type                              Model              Serial No.
> > --- ----- -------------------------------------- ------------------ -----------
> >   1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       XXXXXXXXXXX
> >   6    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       XXXXXXXXXXX
> >
> >
> > SXH, SXF do not seem to have this problem.
> >
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 21 May 2009 13:58:07 +0300
> From: Ibrahim Abo Zaid <ibrahim.abozaid at gmail.com>
> Subject: [c-nsp] Dynamic NAT on router and ASA
> To: cisco_nsp <cisco-nsp at puck.nether.net>
> Message-ID:
> <a48927f70905210358y164ad7dfl815eabfb328c79f7 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi All
>
> I have NAT and PAT configured on an ASA 5520 and it works as expected from the ASA:
> NAT all incoming connections 1:1 until the NAT pool is depleted, then PAT all
> next connections.
>
> But actually, the NAT pool never gets depleted and the ASA started to use the PAT pool
> although there are free IPs in the NAT pool, and that is strange.
>
> So I think to transfer NAT to the edge router and use dynamic NAT instead of
> dynamic NAT on the ASA, but I need to know whether dynamic NAT on the router will do this:
>
> 1- configure a NAT pool with N global addresses
> 2- NAT the first N connections to the NAT pool 1:1
> 3- for the next connections, begin from the start again, so connection N+1 will get
> the same translation as the first connection
>
> That seems like "rotary" NAT, but it works for outside connections, not
> inside. Does anyone have practical experience that it will work as described
> above?
>
>
> best regards
> --Ibrahim
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 21 May 2009 07:35:35 -0500
> From: Kevin Hodle <kevin.hodle at gmail.com>
> Subject: Re: [c-nsp] ebgp load balancing using maxiumu-paths TCAM
> impact on Sup720-3BXL?
> To: cisco-nsp at puck.nether.net
> Message-ID:
> <9639597a0905210535k16458411nebac7a6b2ab2936a at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Peter,
>
> Another option for load balancing outbound traffic in your scenario
> would be to do some netflow analysis on your upstream ports and have a
> look at what the top destination ASNs your outbound traffic is flowing
> toward. Using this data, you can construct as-path ACLs which you can
> utilize in your inbound route-map on each upstream BGP session to set
> a higher local-preference for 'preferred' routes on each session (ie
> routes from ASXXX get a local-preference 1 higher than your standard
> upstream route local-preference), and accept the rest of the full
> table on each session with your normal local-preference. Using your
> netflow analysis you should be able to achieve a fairly equal traffic
> split (as you will be able to see what % of your total outbound
> traffic is going to which ASNs, use this data to come up with an
> approximated 50/50 outbound traffic split) and you will still have
> redundancy in place for all routes if one of the sessions drop. It
> would take a little more effort than simply turning on multi-pathing,
> but in your scenario it might be more ideal as you won't have to worry
> about 3bxl TCAM constraints with this method.
>
> Cheers,
> Kevin Hodle
>
> On Wed, May 20, 2009 at 9:40 PM, Peter Kranz <pkranz at unwiredltd.com> wrote:
> > Setup is as follows; 2 edge routers, each with a BGP session receiving full
> > routes to the same provider router. The provider is load balancing inbound
> > traffic to our AS nicely, 50/50 between the edge routers.. I would also like
> > to load balance the outbound traffic.. I've considered adding 'maximum-paths
> > 2' to install the two equal paths, but am concerned about FIB TCAM impacts.
> > Will adding this command cause each equal cost route to take one additional
> > TCAM entry, i.e. full routing table x 2 > 524k TCAM limit = EPIC meltdown?
> >
> > Current FIB TCAM:
> >
> > L3 Forwarding Resources
> >
> > FIB TCAM usage:                     Total        Used       %Used
> >      72 bits (IPv4, MPLS, EoM)     524288      285506         54%
> >     144 bits (IP mcast, IPv6)      262144           5          1%
> >
> > Peter Kranz
> > <http://www.UnwiredLtd.com> www.UnwiredLtd.com
> > Desk: 510-868-1614 x100
> >
> > Mobile: 510-207-0000
> > <mailto:pkranz at unwiredltd.com> pkranz at unwiredltd.com
> >
> >
>
>
>
> --
> || Kevin Hodle
> ||
> || 913-780-3959 (Primary)
> || 913-626-7197 (Mobile)
>
> PGP KeyID [0xBBDE8ED7]
> fingerprint [3E1B 1F10 938E A831 8CF2 670C 1329 0B8B BBDE 8ED7]
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 21 May 2009 12:25:44 +0300
> From: ?????? ???????? <ratio+nsp at invalid.org.ua>
> Subject: Re: [c-nsp] Limits of STP/RSTP/REP?
> To: Ross Vandegrift <ross at kallisti.us>
> Cc: c-nsp <cisco-nsp at puck.nether.net>
> Message-ID:
> <4f909a820905210225m76dd8727o35da241ff124015 at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> > Definitely not more than 20 in a ring. As far as I know, IOS limits
> > the value of max-hops to 20. This means you can't have a BPDU
> > traverse more than 20 hops without being thrown away. If one pair of
> > switches in the ring experienced a total cut, your network would have
> > a diameter of 20, end to end.
>
> this is STP limitation: MaxAge is by default 20 hops.
> for IOS, you can change this value:
>
> Switch(config)#spanning-tree vlan 1 max-age ?
> <6-40> maximum number of seconds the information in a BPDU is valid
> or for MST
> Switch(config)#spanning-tree mst max-age ?
> <6-40> maximum number of seconds the information in a BPDU is valid
>
> value 40 is maximum bpdu hopcount for 3560 switch, for other models
> there can be other upper limit.
>
> --
> wbr
> sergey khalavchuk
>
>
> ------------------------------
>
>
> End of cisco-nsp Digest, Vol 78, Issue 62
> *****************************************
>
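The access point configuration posted above in reply to Message 2 pairs each SSID with a per-VLAN encryption line, so the effective protection of an SSID is only visible after joining the two. As an added example (not part of the original post, and not a Cisco tool), this Python audit does that join and also flags the plaintext HTTP server, the 3DES ciphersuite and type 7 secrets; the input is a constructed excerpt, and the RADIUS host and key in it are placeholders.

```python
import re

# Constructed excerpt of the configuration posted above, with indentation
# already lost as on the page. The RADIUS host and key are placeholders.
SAMPLE_CONFIG = """\
dot11 ssid andromeda
vlan 997
!
dot11 ssid infrastructure
vlan 999
!
dot11 ssid minutemen
vlan 996
!
dot11 ssid rainbow
vlan 998
authentication open
dot11 network-map
!
interface Dot11Radio0
encryption vlan 997 mode ciphers tkip
encryption vlan 999 mode wep mandatory mic key-hash
encryption vlan 996 mode wep mandatory
ssid andromeda
!
ip http server
ip http secure-ciphersuite 3des-ede-cbc-sha
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key 7 PLACEHOLDER
"""

WEAK_MODES = {"wep": "WEP encryption", "tkip": "TKIP cipher"}


def audit(config):
    """Return sorted (subject, finding) pairs for weak settings in an IOS AP config."""
    ssid_vlan, vlan_modes, findings = {}, {}, []
    ssid = None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"dot11 ssid (\S+)", line):
            ssid = m.group(1)              # entering an SSID block
        elif line == "!" or line.startswith(("dot11 ", "interface ")):
            ssid = None                    # separator or global command ends it
        elif ssid and (m := re.fullmatch(r"vlan (\d+)", line)):
            ssid_vlan[ssid] = int(m.group(1))
        elif m := re.match(r"encryption vlan (\d+) mode (.+)", line):
            vlan_modes[int(m.group(1))] = m.group(2).split()
        elif line == "ip http server":
            findings.append((line, "management HTTP server enabled without TLS"))
        elif line.startswith("ip http secure-ciphersuite") and "3des" in line:
            findings.append(("ip http secure-ciphersuite", "3DES offered for HTTPS"))
        if re.search(r"\b(?:key|password) 7 \S", line):
            subject = " ".join(line.split()[:2])
            findings.append((subject, "type 7 secret is reversible obfuscation"))
    # Join every SSID to the encryption mode configured for its VLAN.
    for name, vlan in ssid_vlan.items():
        modes = vlan_modes.get(vlan)
        weak = [label for tok, label in WEAK_MODES.items() if modes and tok in modes]
        if modes is None:
            weak = ["no encryption"]       # SSID VLAN has no encryption line
        findings += [(f"ssid {name}", f"{w} on VLAN {vlan}") for w in weak]
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```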