[c-nsp] cisco-nsp Digest, Vol 107, Issue 89
medegier
medegier at xs4all.nl
Fri Oct 28 16:13:58 EDT 2011
Send cisco-nsp mailing list submissions to
cisco-nsp at puck.nether.net
To subscribe or unsubscribe via the World Wide Web, visit
https://puck.nether.net/mailman/listinfo/cisco-nsp
or, via email, send a message with subject or body 'help' to
cisco-nsp-request at puck.nether.net
You can reach the person managing the list at
cisco-nsp-owner at puck.nether.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisco-nsp digest..."
Today's Topics:
1. Re: VPLS/Layer2 Egress Policing (ar)
2. Re: Smaller MPLS/EoMPLS capable router (Christophe Lucas)
3. Re: Smaller MPLS/EoMPLS capable router (Lars Christensen)
4. Re: "Strange" Cisco ASA5520 errors - Connection limit exceeded (David White, Jr. (dwhitejr))
5. 3750E as backup edge router default only (Jeffrey G. Fitzwater)
6. Re: 3750E as backup edge router default only (-Hammer-)
7. Re: 3750E as backup edge router default only (-Hammer-)
----------------------------------------------------------------------
Message: 1
Date: Fri, 28 Oct 2011 17:46:48 +0800 (SGT)
From: ar <ar_djp at yahoo.com>
To: Pavel Skovajsa <pavel.skovajsa at gmail.com>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] VPLS/Layer2 Egress Policing
Message-ID: <1319795208.20549.YahooMailNeo at web78209.mail.sg1.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
Thanks. So is there a way to do egress police on the WS cards?
________________________________
From: Pavel Skovajsa <pavel.skovajsa at gmail.com>
To: ar <ar_djp at yahoo.com>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Sent: Thursday, October 27, 2011 4:45 AM
Subject: Re: [c-nsp] VPLS/Layer2 Egress Policing
This is by design since the WS-6748 cards are for LAN environment. You
would need to use either a SPA module, or better the ES cards:
http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-49152.html
-pavel
On Tue, Oct 25, 2011 at 10:14 AM, ar <ar_djp at yahoo.com> wrote:
> Hi Guys.
>
> I am searching for good docs on Layer 2 or VPLS Egress Policing (PE-to-CE). Anyone know how to do this? I'm using a 7600 with a WS-6748 line card. Egress policing facing is not allowed.
>
> thanks
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
------------------------------
Message: 2
Date: Fri, 28 Oct 2011 11:33:56 +0200
From: Christophe Lucas <c.lucas at infosat-telecom.fr>
To: cisco-nsp at puck.nether.net, andrew at vianet.ca
Subject: Re: [c-nsp] Smaller MPLS/EoMPLS capable router
Message-ID: <4EAA7704.5030900 at infosat-telecom.fr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 27/10/2011 20:41, Andrew K. wrote:
> I've been waiting for my SE to get back to me on this but I wanted to ping the community to see what has been successfully used in the field.
>
> Providing WAN services in a remote rural area, we have several small POP sites serving minimal customers (some 10 or less).
>
> We are looking to run MPLS in these areas for loop prevention.
>
> From my digging around, the smallest device I can see supporting these features would be a 2811.
>
> Anyone use anything smaller?
>
> Thanks in advance for any input.
> Andrew.
Hi,
ME3750 is able to do this.
Best regards,
--
Christophe Lucas - Network Engineer - c.lucas at infosat-telecom.fr
Tel : +33(0)974.762.595 - Fax : +33(0)09.72.19.53.58
"This message contains privileged and confidential information. Given that the internet does not allow us to make sure of the communication's integrity, the content of this message does not represent in any case a commitment from our company. If you are not the intended recipient, please notify us immediately and delete this e-mail (including any attachments) from your system."
------------------------------
Message: 3
Date: Fri, 28 Oct 2011 15:04:13 +0200
From: Lars Christensen <perseusdk at gmail.com>
To: Christophe Lucas <c.lucas at infosat-telecom.fr>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] Smaller MPLS/EoMPLS capable router
Message-ID: <7333239211811024957 at unknownmsgid>
Content-Type: text/plain; charset=ISO-8859-1
The ME3750 was announced EoS a few months ago, so I don't recommend it for new installations.
BR
Lars
On 28/10/2011 at 12.31, Christophe Lucas <c.lucas at infosat-telecom.fr> wrote:
> Hi,
>
> ME3750 is able to do this.
>
> Best regards,
------------------------------
Message: 4
Date: Fri, 28 Oct 2011 09:21:52 -0400
From: "David White, Jr. (dwhitejr)" <dwhitejr at cisco.com>
To: Peter Adkins <peter.adkins at kernelpicnic.net>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] "Strange" Cisco ASA5520 errors - Connection limit exceeded
Message-ID: <4EAAAC70.3050103 at cisco.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi Peter,
It looks like you are running into known bug CSCtl23397, which is fixed
in 8.2.5.6 and higher images.
I would recommend upgrading to 8.2.5.13, which is currently posted to
Cisco.com
http://www.cisco.com/cisco/software/release.html?mdfid=279916878&flowid=4819&softwareid=280775065&release=8.2.5%20Interim&rellifecycle=&relind=AVAILABLE&reltype=all
Sincerely,
David.
Peter Adkins wrote:
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Adkins
>> Sent: Friday, 28 October 2011 3:13 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] "Strange" Cisco ASA5520 errors - Connection limit exceeded
>>
>> Hi all,
>>
>> The scenario is that we have two 5520s for this environment configured for fail-over; these devices currently terminate a whopping 2x L2L IPSec VPNs and a handful of SSL VPN sessions.
>>
>> This morning we encountered a strange issue which was originally believed to be due to ACLs not permitting traffic; effectively, if I were to log in to one of the configured SSL VPNs I was unable to connect to any services configured to be permitted through the VPN filter. As a last-ditch effort to work out what was wrong I permitted ANY IP traffic through to the required network; however, this still didn't fix the issue.
>>
>> As an example of what we were seeing, when attempts to telnet into TCP port 1433 were failing, the following was found in the logs:
>>
>> ...
>> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65374 to Y.Y.Y.Y/1433 on interface outside
>> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65374 to Y.Y.Y.Y/1433 on interface outside
>> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65374 to Y.Y.Y.Y/1433 on interface outside
>> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65375 to Y.Y.Y.Y/1433 on interface outside
>> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65375 to Y.Y.Y.Y/1433 on interface outside
>> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65375 to Y.Y.Y.Y/1433 on interface outside
>> ...
>>
>> The Cisco website indicates that these sorts of messages would be presented if the configured connection limits were, well, exceeded. However, I am slightly perplexed as to the current count staying at -35 for all reported messages -- as there was a large number of them.
>>
>> ...
>> Interface outside:
>>   Service-policy: CONNS
>>     Class-map: CONNS
>>       Set connection policy: conn-max 5000 embryonic-conn-max 30
>>         current embryonic conns 0, current conns -35, drop 5622
>>       Set connection timeout policy:
>>         embryonic 0:40:00 half-closed 0:20:00 idle 2:00:00
>>         DCD: enabled, retry-interval 0:00:15, max-retries 5
>>         DCD: client-probe 530, server-probe 0, conn-expiration 106
>> ...
>>
>> I could understand if we were reaching a session limit; however, with only two clients connected and a max of 5000 I don't believe this to be the case. Also, as mentioned, the current session index being 'stuck' at -35 concerns me slightly.
>>
>> In the end, we had failed over to the redundant node, which did not exhibit this issue. However, as soon as we failed back the problem came straight back. The only way to resolve the issue was a reload.
>>
>> I'm trying to work out whether anyone has encountered this issue before on an ASA55x0 running 8.2(4), mainly to determine whether this was something strange or me just being daft. As much as I'd like to log a TAC case for this one, this particular device does not have a valid support contract. However, for my sanity I'd like to establish whether this is / was a potential code issue or a problem with the device itself.
>>
>> Regards,
>> Peter Adkins
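Added example (not from the thread, not Cisco code): a small Python triage script that parses %ASA-3-201011 syslog lines like the ones Peter quoted and separates the signature of this case, a negative running connection count, from a genuine limit hit. The sample log lines are constructed for the example, with RFC 5737 documentation addresses standing in for X.X.X.X and Y.Y.Y.Y, and the verdict labels are my own naming, not ASA terminology.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines, modelled on the %ASA-3-201011 messages quoted
# in the thread. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
%ASA-3-201011: Connection limit exceeded -35/5000 for input packet from 192.0.2.10/65374 to 198.51.100.5/1433 on interface outside
%ASA-3-201011: Connection limit exceeded -35/5000 for input packet from 192.0.2.10/65374 to 198.51.100.5/1433 on interface outside
%ASA-3-201011: Connection limit exceeded -35/5000 for input packet from 192.0.2.10/65375 to 198.51.100.5/1433 on interface outside
%ASA-3-201011: Connection limit exceeded 5000/5000 for input packet from 192.0.2.77/51002 to 198.51.100.9/443 on interface outside
%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/65376 (192.0.2.10/65376) to inside:198.51.100.5/1433 (198.51.100.5/1433)
"""

# Field layout of message 201011, as seen in the thread: "Connection limit
# exceeded <current>/<limit> for <direction> packet from <src>/<sport>
# to <dst>/<dport> on interface <name>".
LIMIT_RE = re.compile(
    r"%ASA-3-201011: Connection limit exceeded (?P<current>-?\d+)/(?P<limit>\d+) "
    r"for (?P<direction>\w+) packet from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class LimitEvent:
    current: int
    limit: int
    src: str
    sport: int
    dst: str
    dport: int
    iface: str

    @property
    def verdict(self) -> str:
        # A negative running count cannot come from real connection exhaustion;
        # it means the policy's counter has gone below zero, which is the
        # symptom the thread attributes to a software defect. In that state
        # every new flow matching the class is denied even with two clients.
        if self.current < 0:
            return "counter-underflow"
        if self.current >= self.limit:
            return "limit-reached"
        # Denied while the count is still under the configured maximum:
        # look at the embryonic or per-client limits before blaming the box.
        return "below-limit"


def parse_limit_events(log: str) -> list[LimitEvent]:
    """Extract 201011 events from raw syslog text; unrelated lines are ignored."""
    events = []
    for line in log.splitlines():
        m = LIMIT_RE.search(line)
        if not m:
            continue
        events.append(LimitEvent(
            current=int(m["current"]), limit=int(m["limit"]),
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), iface=m["iface"],
        ))
    return events


def triage(log: str) -> dict:
    """Summarise the events and say whether the -N/limit pattern is present."""
    events = parse_limit_events(log)
    verdicts = Counter(e.verdict for e in events)
    targets = Counter((e.dst, e.dport, e.iface) for e in events)
    return {
        "events": len(events),
        "verdicts": dict(verdicts),
        "top_targets": targets.most_common(3),
        # True when at least one message carries a negative current count.
        "underflow_suspected": verdicts["counter-underflow"] > 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the output of `show logging` or a syslog export; `underflow_suspected` being true is the cue to check the running image against the fix David points to rather than to raise `conn-max`, since a larger limit does nothing for a counter that is already negative.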
------------------------------
Message: 5
Date: Fri, 28 Oct 2011 13:31:28 +0000
From: "Jeffrey G. Fitzwater" <jfitz at Princeton.EDU>
To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: [c-nsp] 3750E as backup edge router default only
Message-ID: <E27573AA-F07A-45CD-BF82-874AB02CD90F at exchange.princeton.edu>
Content-Type: text/plain; charset="us-ascii"
We would like to try a 3750E as a backup router should we have a catastrophic failure of our current 6500 that has 3 ISPs attached. This would only be used as a temporary ISP backup.
The 3750E would only need to connect to one ISP at 1G and would only need DEFAULT to peer.
Are there any issues with it acting as a router with approx. 16 subnets?
If I run the 3750E in ROUTER mode vs VLAN mode, will there be an issue with the MAC table size being only 3K in ROUTE mode vs 16K in VLAN mode?
We are concerned with the size of the ARP and BRIDGING tables possibly maxing out. Maybe it's not really an issue, but just asking for advice.
We would be using a 3750E because we already have them in use elsewhere.
Thanks for any advice.
Jeff Fitzwater
OIT Networking & Communications Systems
Princeton University
------------------------------
Message: 6
Date: Fri, 28 Oct 2011 08:52:04 -0500
From: -Hammer- <bhmccie at gmail.com>
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3750E as backup edge router default only
Message-ID: <4EAAB384.9080100 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Just a default route? No big route table? Sure, it can be done. I wouldn't recommend it, but I'm not in your shoes. Remember that some security features you would use to protect yourself may not be on the switch IOS in the same way they are on a router IOS. CoPP, for example...
https://supportforums.cisco.com/thread/2015437
-Hammer-
"I was a normal American nerd"
-Jack Herer
------------------------------
Message: 7
Date: Fri, 28 Oct 2011 09:16:36 -0500
From: -Hammer- <bhmccie at gmail.com>
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3750E as backup edge router default only
Message-ID: <4EAAB944.1010401 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Also, I'm struggling with your ARP concerns. You will be "routing" on this device, right? How much local (broadcast domain) activity will you have where you would be building up a large ARP cache? Would this be a stack with a bunch of flat stuff staggered off it as well as performing the routing function?
-Hammer-
"I was a normal American nerd"
-Jack Herer
------------------------------
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
End of cisco-nsp Digest, Vol 107, Issue 89
******************************************