Re: [c-nsp] Migration from vlan 1 for core.

2007-06-06 Thread Gert Doering
Hi,

On Tue, Jun 05, 2007 at 02:40:47PM -0400, Jeff Crowe wrote:
> I am planning on migrating a legacy network that utilizes VLAN 1 on Cisco
> devices for its core network to another VLAN ID (100 in this case).
>
> Are there any gotchas that I should be aware of?  All the switches and
> routers have IP addresses that reside in vlan 1, so this may cause me some
> concern and grief...

I'd start by cross-cabling a port currently located in vlan 1 to a port
in vlan 100 - so vlan 1 and vlan 100 effectively form a single big LAN.

Then you can move your devices port by port to the new VLAN (don't forget
spanning-tree portfast and enabling vlan 100 on all trunk ports).

If you need to do IP renumbering, this part is a bit more tricky, as 
you'd need to do it in a way that your IGP routing will be happy with 
- maybe having one router with two different interfaces to the same LAN, 
one in the vlan 1 and one in the vlan 100 number space, and then
renumber routers one by one (losing adjacency to the vlan 1 interface
and forming one to vlan 100).

Finally, remove the cross cable between the vlan 1 and vlan 100 ports...

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025    [EMAIL PROTECTED]
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
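
The migration steps from the reply above, sketched as Catalyst IOS configuration. This is an added example, not part of the original post; the interface numbers, descriptions and VLAN name are hypothetical, and only VLAN 1 and VLAN 100 come from the thread.

```cisco
! Added example. Interface numbers and the VLAN name are hypothetical;
! VLAN 1 and VLAN 100 are the ones named in the thread.
!
! Step 0: create VLAN 100 and carry it on every trunk. The "add" form only
! matters where a trunk already has an explicit allowed list; it appends
! to that list instead of replacing it.
vlan 100
 name CORE
!
interface GigabitEthernet0/1
 description trunk to neighbour switch
 switchport trunk allowed vlan add 100
!
! Step 1: temporary bridge. A patch cable between these two access ports
! joins VLAN 1 and VLAN 100 into one broadcast domain.
interface FastEthernet0/23
 description TEMP bridge, VLAN 1 side
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/24
 description TEMP bridge, VLAN 100 side
 switchport mode access
 switchport access vlan 100
!
! Before moving anything, confirm spanning tree is forwarding on both
! bridge ports:
!   show spanning-tree interface FastEthernet0/23
!   show spanning-tree interface FastEthernet0/24
!
! Step 2: move device ports one at a time.
interface FastEthernet0/5
 description core device being migrated
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Step 3: when "show vlan id 1" no longer lists any port with a core
! device on it, shut the bridge ports and remove the cable.
interface range FastEthernet0/23 - 24
 shutdown
```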


[c-nsp] Stable 12.3T for 7k2 router?

2007-06-06 Thread Garry
Hi,

as we need the RTR/Track feature from the 12.3T for a project, I was 
wondering which release would be considered safe for production use ... 
I did the preliminary tests with the 12.3.8T11 release, but saw there's 
a -14.T7 out ... or should I move over to the regular 12.4 release instead?

Tnx for your input, -garry


[c-nsp] How many DSL L2TP-tunnels on a 3825?

2007-06-06 Thread Garry
I'm currently looking into a replacement for our redundant set of 7200 
routers (non-VXR) that are doing our DSL l2tp-Tunnels ... currently, 
both routers run at around 20-25% CPU load (peak). We possibly will get 
a large batch of additional dial-ins soon, which would probably be too 
much for the two to handle (especially should one of the two fail), so I 
thought about getting two 3825 to replace them - the two GBit-ethernets 
on the routers being a big plus.

How many real life DSL sessions should I expect a single 3825 to handle 
comfortably w/o performance issue? Dialups are a healthy mix of anything 
between 1M/128k through 6M/512k, with some percentage of SDSL in between 
(2M)

Thanks for your input, -garry


Re: [c-nsp] Stable 12.3T for 7k2 router?

2007-06-06 Thread Oliver Boehmer (oboehmer)
Garry  wrote on Wednesday, June 06, 2007 9:48 AM:

> Hi,
>
> as we need the RTR/Track feature from the 12.3T for a project, I was
> wondering which release would be considered safe for production use
> ...
> I did the preliminary tests with the 12.3.8T11 release, but saw
> there's a -14.T7 out ... or should I move over to the regular 12.4
> release instead?

12.3T is End-of-life, please move to 12.4..

oli


Re: [c-nsp] Disable some routing

2007-06-06 Thread Jyotirmay Samanta
I don't know if I have understood your scenario properly. But based on your
description it looks like you also have one IP address from the office
network in the router. Now as you correctly said, it's normal behavior, and if
you want to stop this you have two options.

1. Put the office vlan interface in a different VRF (Virtual Routing
Forwarding) instance - in case you don't need Internet access out of this
office. For Intranet, depending on your number of prefixes, you can do route
leaking.
2. Use an ACL to block traffic from the office LAN segment to the management segment.

Let me know if it answers your question.


Thanks & Regards,
Jyotirmay Samanta.
Network Engineering
Google Inc.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernd Ueberbacher
Sent: Wednesday, June 06, 2007 3:17 PM
To: cisco-nsp
Subject: [c-nsp] Disable some routing

Hi there!

I've got a bit of a strange question...
I have a small Cisco Router with some VLANs and a Catalyst behind. If I
connect one office to the switch in a separate VLAN with an official IP
address, the person can reach everything, but in my case (or the general
case?) a bit too much. One VLAN on the switch and the Router is for
management, with 10.0.0.0/24, but as the router is doing what it is
supposed to do, he routes everything for this network, as the router
also has an IP in this network. A person in the office can now ping,
telnet, ... into my management network. If I remove the IP address from
the routers VLAN, the problem is solved, but not the way I want it to
be solved *G* 

I hope you understand my problem, because it's somehow hard to explain
and even harder to search for in google ;-)


Thanks and have a nice day,
Bernd





Re: [c-nsp] Disable some routing

2007-06-06 Thread Nate Carlson
On Wed, 6 Jun 2007, Bernd Ueberbacher wrote:
> I've got a bit of a strange question... I have a small Cisco Router with
> some VLANs and a Catalyst behind. If I connect one office to the switch
> in a separate VLAN with an official IP address, the person can reach
> everything, but in my case (or the general case?) a bit too much. One
> VLAN on the switch and the Router is for management, with 10.0.0.0/24,
> but as the router is doing what it is supposed to do, he routes
> everything for this network, as the router also has an IP in this
> network. A person in the office can now ping, telnet, ... into my
> management network. If I remove the IP address from the routers VLAN,
> the problem is solved, but not the way I want it to be solved *G*
>
> I hope you understand my problem, because it's somehow hard to explain
> and even harder to search for in google ;-)

In other words - you want to prevent one of your networks from reaching 
another one of your networks, correct?

Time to write an ACL!  :)


| nate carlson | [EMAIL PROTECTED] | http://www.natecarlson.com |
|   depriving some poor village of its idiot since 1981|



Re: [c-nsp] Maximum-routes Routes on 7600 with SUP2/PFC2

2007-06-06 Thread Justin Shore
Mohacsi Janos wrote:
>
> On Mon, 4 Jun 2007, Zahid Hassan wrote:
>
>> Dear All,
>>
>> I am carrying full feed Internet (219K) plus VPNv4 routes (1K)
>> on an OSR-7609 with SUP-2/PFC2.
>>
>> I seem to be getting intermittent packet drops and loss of
>> connectivity from CPEs terminating on this OSR.
>>
>> I am wondering if it has anything to do with the maximum of routes
>> that can be programmed in the hardware allowed per protocol.
>
> The actual usage can be seen with the following command:
> show platform hardware capacity forwarding
>
>> Does anyone know the maximum number of routes a SUP-2/PFC2 can carry ?
>
> Have a look at table at the end of this page:
>
> http://www.cisco.com/en/US/products/hw/routers/ps368/prod_eol_notice0900aecd8022200b.html

To add to Zahid's question with a question of my own, does anyone have 
any OIDs for monitoring TCAM usage via SNMP?  I have a pair of 3BXLs 
with full tables that I'd like to keep an eye on.

Thanks
  Justin


[c-nsp] 4503 switches design issue

2007-06-06 Thread gokhan senol
Hi,

I have two 4503 switches which are connected to each other as a trunk via wireless.

switch A (user As)
  Layer 2 vlans:            vlan 1, vlan 10, vlan 20, vlan 100, vlan 200
  Layer 3 vlan interfaces:  vlan 10:  192.168.10.0 (default gateway for PCs in network A)
                            vlan 100: 192.168.100.1
                            other vlan ips omitted

switch B (User Bs)
  Layer 2 vlans:            vlan 1, vlan 10, vlan 20, vlan 100, vlan 200
  Layer 3 vlan interfaces:  vlan 20:  192.168.20.0 (default gateway for PCs in network B)
                            vlan 100: 192.168.100.101

Users stay mixed based on vlan design. I route networks over vlan 100,

for example  in switch B:  ip route 192.168.10.0 255.255.255.0 192.168.100.1
             in switch A:  ip route 192.168.20.0 255.255.255.0 192.168.100.101

Do you think that, instead of routing via vlan 100, I should redesign like below?

in switch A  int vlan20: 192.168.20.250/24 (an empty ip from vlan 20)
in switch B  int vlan10: 192.168.10.250/24 (an empty ip from vlan 10)

and, removing the ip route over vlan 100, can I have a more accurate design?

Any ideas?
Thanks


   



[c-nsp] Policing switch ports on 1811

2007-06-06 Thread The Father
Hi everyone.  I'm trying to find a way to rate-limit or police to 3Mbps 
two of the switch ports on an 1811 router.  I have configured both FE 
ports as follows:

interface FastEthernet2
 switchport access vlan 10
 load-interval 30
!
interface FastEthernet9
 switchport access vlan 10
 load-interval 30

Now since these are basically layer 2 ports, I can't come up with a 
policy map or ACL to police them down to the 3Mbps value I want.  
Everything I try does not get matched.  The router doesn't seem to 
support aggregate policing either so I'm kinda stuck.  Are there any 
other options that would work?

FYI, I'm running 12.4(6)T7 Advanced IP Services code.

Thanks.

Jose


Re: [c-nsp] Disable some routing

2007-06-06 Thread Paolo Riviello www.paoloriviello.com
Hi,

why don't you try ACL or VRF ...



Hope this helps

Cheers

--

Paolo Riviello


Home: http://www.paoloriviello.com
E-mail: [EMAIL PROTECTED]
E-mail  msn: [EMAIL PROTECTED]
Skype: pao_rivi

If men could get pregnant, abortion would be a sacrament. -H-
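
The ACL option suggested in the replies to this thread, written out as IOS configuration. This is an added example and not part of any poster's message. Only 10.0.0.0/24 comes from the thread; the office prefix 192.0.2.0/24, the subinterface and VLAN numbers, the ACL name and the ACL number are assumptions.

```cisco
! Added example. Only 10.0.0.0/24 (management) is taken from the thread.
! Assumed: office VLAN 20 uses 192.0.2.0/24 with static addresses and is
! routed on subinterface FastEthernet0/0.20 of the router.
!
! Inbound ACL on the office subinterface. An inbound ACL is checked before
! the routing decision, so it also covers packets addressed to the
! router's own 10.0.0.x address, not only transit traffic.
ip access-list extended OFFICE-IN
 remark office hosts must not reach the management segment
 deny   ip any 10.0.0.0 0.0.0.255 log
 remark only the office prefix may source traffic on this VLAN
 permit ip 192.0.2.0 0.0.0.255 any
 remark everything else falls to the implicit deny
!
interface FastEthernet0/0.20
 description office
 encapsulation dot1Q 20
 ip address 192.0.2.1 255.255.255.0
 ip access-group OFFICE-IN in
!
! The ACL above does not stop an office host from opening a telnet
! session to the router's office-side address (192.0.2.1). Restrict the
! vty lines to sources in the management network as well.
access-list 10 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
!
! Verify from an office host, then read the hit counters and log entries:
!   show ip access-lists OFFICE-IN
!   show access-lists 10
```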







Re: [c-nsp] WS-C3560G-48TS-S per port ACLs?

2007-06-06 Thread TCIS List Acct


Tom Zingale (tomz) wrote:
> Yes on a vlan or port you can allow/deny tcp/ip traffic. See the docs
> http://www.cisco.com/en/US/partner/products/hw/switches/ps5528/products_configuration_guide_chapter09186a008081da63.html
 

Does this same feature (per port IP ACLs on a L2 interface) work on the 2960G 
line as well?  The command reference seems to say it does, but it is unclear if 
it happens in hardware or software on that platform.

--Mike


[c-nsp] sub-interface inheritance of main interface properties

2007-06-06 Thread Antonio Querubin
I'm looking for ways to simplify some large router configs that have many 
sub-interfaces either for specific DLCIs, VCs, or VLANs.  Is there a 
document somewhere that describes which properties or attributes of a main 
interface are automatically inherited by its sub-interfaces?  So far, 
searching the cisco site on 'inheritance' and 'cascade' keywords turns up 
only some limited info.  In particular I'm looking for ways to apply 
certain default policies, ACLs, traffic-shaping, etc. globally to all 
sub-interfaces of a main-interface without having to repeat the config for 
every sub-interface.

Antonio Querubin
whois:  AQ7-ARIN


Re: [c-nsp] Multilink PPP (MLPPP) Asymmetrical Throughput Problem NxT1

2007-06-06 Thread Rodney Dunn
On Tue, Jun 05, 2007 at 11:02:07PM -0400, Sean Shepard wrote:
> Thank you for the reply on this.  We did exactly what you mention here
> (trying to isolate channels) and found the performance metrics didn't change
> very much except that there seemed to be little impairment with just a
> single T-1.

Good test.

> We do not believe that variance in latency exists to the point
> that we should be having a severe issue and it has since reoccurred on a
> couple of other bundled connections (on this same particular router - see
> below).

Fair enough. There were a lot of MLPPP bugs in older releases too.
MLPPP can be pretty complicated too because there are a lot of dependencies
on the driver code to report backpressure correctly to the bundle.
There is no queueing on the interface level so if the driver code doesn't
put the backpressure to the MLPPP virtual interface correctly you will
have problems.

> None of the T-1s seem to take errors in any of the bundles.  We do see a lot
> of output queue drops on the Multilink interfaces but not sure how
> concerning that really is.

That's a problem. If they are valid drops you are overrunning the bundle
member links.

> The only difference between this device and similar ones on our network is
> that we have exceeded the number of fast interfaces (4 vs. recommended 3 -
> but the card in question is in the middle and should be getting its SRAM
> allotment okay) and we do terminate some ATM/PPPoE/L2TP sessions on this
> device.  The system is:

I'd be amazed if that had anything to do with it.

Did you disable MLPPP fragmentation? "no ppp multilink fragmentation"
or it's one with the disable CLI. We changed it at some point along the
way.

> 7206 (non-VXR)
> NPE-200 with IO-FE
> IOS 12.2(31) [bootldr 12.0(13)S]
>   (is there perhaps an issue in 12.2(31) with MLPPP?
>    I'd like to go to a 12.3 release but need to verify
>    support for the CT3/4T1 for two of our boxes).
>
> We're using the older CT3/4T1 cards on this edge device and haven't had
> problems with MLPPP in the past on a similar system (running 12.2(23)c).

See above. There are driver dependencies for each card for MLPPP to work.
Can you get 'sh controller' just to see if it shows anything interesting
that's different between the two?

> Download speed continues to perform okay in most tests but uploads get
> woefully bad and we start losing packets above 1.6 to 2.0 mbps (2% observed
> today as things crept over 2mbps) regardless of the number of bundled trunks
> [2 or 3].  It seems that performance improves in the evenings when there
> is less traffic going through the device, it's lightly loaded even during
> the day (maybe a total of 10 mbps being handled on this one system).

To really isolate that you first need to determine direction of loss/latency
and then narrow down the debugging. That's easier said than done.

> I considered tweaking the buffers, but if it's an issue of emptying the
> queues fast enough (perhaps because it's servicing one too many high speed
> interfaces?) then putting more in the buffers that it can't get to might
> just make things worse.

My experience would say that's pretty much surely not the case. But I've
been wrong before. I don't know if we even have CEF support for MLPPP back
that far. In 'sh int stat' what does it look like for the bundle interface?

> We have several customers utilizing VoIP and have some policy-maps on those
> interfaces, none of them using MLPPP [yet] but a few on the same box and
> even the same card in question here.  No complaints about lost packets or
> voice quality there so the overall system seems sound and CPU utilization is
> generally in the low double digits.  Various debug outputs don't seem to
> be barking either.

It gets complicated but you would have to get the multilink debugs and
compare to see if you are seeing loss/delay for the fragments.

Does 'sh ppp multilink' show anything when you are doing a transfer
that is slow?

> Any suggestions are appreciated.  I think I'm close to just dropping another
> chassis in with this DS3 on it and seeing if the problem cleans up.

Get some upgraded code (late 12.3 or 12.4) would be a good recommendation.

> ADDITIONAL OUTPUTS
>
> 7206#show int multilink3
>
> Multilink3 is up, line protocol is up
>   Hardware is multilink group interface
>   Internet address is xx.xx.xx.xx/30
>   MTU 1500 bytes, BW 3072 Kbit, DLY 10 usec,
>      reliability 255/255, txload 10/255, rxload 189/255
>   Encapsulation PPP, loopback not set
>   Keepalive set (10 sec)
>   DTR is pulsed for 2 seconds on reset
>   LCP Open, multilink Open
>   Open: IPCP
>   Last input 15:29:57, output never, output hang never
>   Last clearing of show interface counters 20:35:24
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 32796
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   30 second input rate 2278000 bits/sec, 236 packets/sec
>   30 second output rate 131000 bits/sec, 139 packets/sec
>      7130649 packets input, 312942772

Re: [c-nsp] channelized 12000 cards

2007-06-06 Thread Oliver Boehmer (oboehmer)
Peder @ NetworkOblivion  wrote on Wednesday, June 06, 2007 4:39 PM:

> Does anybody know of an easy way to tell if a 12000 card is
> channelized? I am new to the 12000 series and we are looking to
> buy an oc12 that channelizes to DS1 level.  We keep running across
> people selling things like:  4oc12/pos-ir-sc, 4oc12x/pos-i-sc-b, and
> OC-12/STM-4 SM IR POS. If you ask if they are channelized, they don't
> know.  The last thing I want to do is buy a card that we can't use.
> On the 7200/7500 for CDS3 it was either PA-MC or CT3, so it was easy
> to tell.  On the 12000, it seems to be a secret.  Thanks.

the channelized linecards are summarized at
http://www.cisco.com/en/US/products/hw/routers/ps167/products_relevant_interfaces_and_modules.html,
they all have a CH in the product code,
for example 2CHOC3/STM1-IR-SC, CHOC12/DS1-IR-SC, etc..
4oc12/pos-ir-sc, 4oc12x/pos-i-sc-b are not channelized, not sure which
LC you refer to with OC-12/STM-4 SM IR POS..

oli


Re: [c-nsp] Netflow config on 6500 720-3B

2007-06-06 Thread Phil Mayers
On Wed, 2007-06-06 at 10:24 -0400, Jeff Fitzwater wrote:
> New to list...
>
> Could anyone on this list help with the correct config for NETFLOW
> EXPORT for version 9 on a CISCO 6500 with SUP-720-3B running 12.2.18-SXF.
>
> We are trying to export the flows to a QRadar device but the data
> we are seeing does not come close to what we see with our MRTG data.  I
> understand that flows are not every packet but the flow data does
> contain the count and QRadar can show the flows in bits per second and
> packets per second.  It appears that only routed (RP) flows are pushed
> out, and according to the doc you don't need the MLS configs (SP/PFC)

You need:

mls nde sender

> for version 9.  We also do not have bridged flows. All data is routed
> except for some monitoring ports.
> I could use version 5 but 9 has TCP connection info.
>
> I have already discussed this with CISCO, but they never give me the
> same answer twice.  The doc is extremely confusing when it comes to the
> 7203B running 12.2.18SXF version 5 or 9.
>
> Maybe it's working correct and I just don't know it.
>
> This is what I have setup
>
> ip flow-cache timeout inactive 10
> ip flow-cache timeout active 5
>
> Not sure about if the following is needed
> ip flow ingress layer2-switched vlan 268,524-525,3553,4000-4001
>
> On all vlan interfaces I have the following...
> ip route-cache flow

You don't need that. You need:

ip flow ingress

...on each VLAN interface.

> ip flow-export source Loopback2
> ip flow-export version 9
> ip flow-export template options export-stats
> ip flow-export template options timeout-rate 1
> ip flow-export template timeout-rate 1
> ip flow-export destination host IP 2055
> ip flow-aggregation cache protocol-port
>  export version 9
>  export template timeout-rate 1
>  export destination host IP 2055
>  enabled
>
> --
>
> Thanks for any help.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
 


Re: [c-nsp] IPSec tunnel up but no Traffic

2007-06-06 Thread Scott Granados
Can you post the related parts of the configs you're using?  I recently went 
down this road and it might help.

----- Original Message -----
From: Voll, Scott [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Wednesday, June 06, 2007 9:47 AM
Subject: [c-nsp] IPSec tunnel up but no Traffic

> I have a 2801 setup to a VPN Concentrator 3005 setup using an IPSec
> tunnel.
>
> Everything looks like the tunnel is up but no traffic is passing
> through the tunnel.  Any idea where to start troubleshooting?
>
> Thanks
>
> Scott



Re: [c-nsp] IPSec tunnel up but no Traffic

2007-06-06 Thread Voll, Scott
2801 config below.  I don't think it's on the concentrator side as I've
done other Lan-to-Lan's on them without problems.

Scott
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 ### address a.b.c.41
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn esp-aes 256 esp-md5-hmac
!
crypto map PittockVoice 100 ipsec-isakmp
 set peer a.b.c.41
 set transform-set vpn
 match address 130
!
!
!
!
interface FastEthernet0/0
 ip address a.b.c.34 255.255.255.224
 ip pim sparse-dense-mode
 duplex auto
 speed auto
 crypto map PittockVoice
!
interface FastEthernet0/1
 ip address a.b.c.9 255.255.255.252
 ip pim sparse-dense-mode
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 a.b.c.33
!
!
!

! ethernet 0/1 network to inside network of concentrator
access-list 130 permit ip a.b.c.8 0.0.0.3 10.0.0.0 0.0.0.255

!
!
!



[c-nsp] Cisco equivalent of juniper hardware

2007-06-06 Thread Auquier Benoit
Hi,

I'm looking for info on what would be technically equivalent to one
redundant juniper m120 configuration in terms of cisco hardware.
Requirements are :
- redundant PSU
- redundant routing engine
- ability to take 4 full BGP views and about 25 peers
- 10 interfaces, gigabit ethernet type
- ability to scale to 10 GB ethernet in near future without too much
re-investment outside interface cards.

Could somebody point me to the right range of models ?


thanks



[c-nsp] MTU sub-interface command

2007-06-06 Thread Alexandra Alvarado
Hello,

I would like to know if it is possible to configure a different MTU size per
sub-interface in the same interface on a router.

Thanks

A.A.A.A.



Re: [c-nsp] Multilink PPP (MLPPP) Asymmetrical Throughput Problem NxT1

2007-06-06 Thread Sean Shepard
Resolution was indeed increasing the output queue size.  Looks like around
160 to 240 (for bonded 2xT1 and 3xT1) seemed to do the trick.  Testing today
has been tremendously positive.  CEF does appear to be okay on MLPPP that
far back (woo-hoo!).

Thanks for your assistance and feedback!
Sean





Re: [c-nsp] Cisco equivalent of juniper hardware

2007-06-06 Thread Phil Bedard
Best bang for the buck is going to be the 7600 w/SUP720 or RSP720.

The XR12000 (GSR) models will work as well, but the Ethernet cost on  
those is going to be high.  Not as high as on a M120, but higher than  
the 7600.

Phil


On Jun 6, 2007, at 12:59 PM, Auquier Benoit wrote:

 Hi,

 I'm looking for info on what would be technically equivalent to one
 redundant juniper m120 configuration in terms of cisco hardware.
 Requirements are :
 - redundant PSU
 - redundant routing engine
 - ability to take 4 full BGP views and about 25 peers
 - 10 interfaces, gigabit ethernet type
 - ability to scale to 10 GB ethernet in near future without too much
 re-investment outside interface cards .

 Could somebody point me to the right range of models ?


 thanks


Phil Bedard
[EMAIL PROTECTED]





Re: [c-nsp] Cisco equivalent of juniper hardware

2007-06-06 Thread sthaug
 I think you have missed some important factors:
 
 Do you need totally non-overbooked linecards?
 What are your QoS requirements, will LAN type QoS (small buffers and  
 few queues) suffice for your needs, or do you need hierarchical  
 shaping and deep buffers?

Also - is the fact that VLANs are global on the 6500/7600, at least
for LAN type cards, a significant limitation?

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]


Re: [c-nsp] Cisco equivalent of juniper hardware

2007-06-06 Thread Jeff Fitzwater
If you do choose the 7600, make sure you get the 720-BXL; it
supports double the flow table size and larger TCAM for fast switching.
We use 720-3B with 3 full BGPs but had to increase TCAM allotment for
IPv4 flows vs IPv6 and Multicast, to reduce route processor CPU load due
to flows being software switched instead of in the PFC (hardware switched).


http://www.cisco.com/en/US/products/hw/modules/ps2797/products_data_sheet09186a0080159856.html

 Jeff Fitzwater
OIT Network Systems
Princeton University

Phil Bedard wrote:
 Best bang for the buck is going to be the 7600 w/SUP720 or RSP720.

 The XR12000 (GSR) models will work as well, but the Ethernet cost on  
 those is going to be high.  Not as high as on a M120, but higher than  
 the 7600.

 Phil


 On Jun 6, 2007, at 12:59 PM, Auquier Benoit wrote:

   
 Hi,

 I'm looking for info on what would be technically equivalent to one
 redundant juniper m120 configuration in terms of cisco hardware.
 Requirements are :
 - redundant PSU
 - redundant routing engine
 - ability to take 4 full BGP views and about 25 peers
 - 10 interfaces, gigabit ethernet type
 - ability to scale to 10 GB ethernet in near future without too much
 re-investment outside interface cards .

 Could somebody point me to the right range of models ?


 thanks

 

 Phil Bedard
 [EMAIL PROTECTED]





Re: [c-nsp] Low activity systems lose net connectivity

2007-06-06 Thread Tauren Mills

Thanks everyone for your help with this problem:


 I have a very simple network with about 5 linux servers, a cisco
 3500XL switch and a 2600 router.

 There is a problem with servers that have very little or no traffic.
 The network interfaces on the low traffic servers seem to become
 non-responsive after a very short period of time (as low as 15 seconds
 of inactivity), and then existing connections timeout (such as SSH
 sessions).


Several helpful people on this list requested my switch config, but I
was unable to get into my switch to get the current config.  I ended
up doing a password recovery on it.  Then I configured it from
scratch.  And now my problems have gone away.

I've attached my old config and my new config in case anyone wants to
compare them.  If you see anything blatantly missing in the new
config, please let me know.

I'm suspicious that it was the mac-address-table setting or the
keepalive or the spanning-tree settings that were causing the problem.

I'm posting this in case it helps anyone with a similar problem in the future.

Thanks again for the help,
Tauren





On 6/5/07, Phil Mayers [EMAIL PROTECTED] wrote:

Tauren Mills wrote:
 Phil,

 Thanks for the suggestion.  However, changing the arp timeout to 300
 doesn't seem to have helped.

Hmm. Re-reading your email, it doesn't sound like that was the problem
anyway.

Can you supply more detail on the physical topo? Does the router hang
off the switch on only one physical port? Are you using subinterfaces on
the router (and corresponding vlans on the switch)?

If it takes as little as 15 seconds for quiet servers to fall off the
network, then logically something rapid is happening that's breaking
their connectivity.

Is it possible you've got an inter-vlan loop or similar and the mac
addresses in the FDB are flip-flopping between the real ports and the
port with the loop? Or maybe a device with proxy arp enabled which is
stealing the IP addresses of the valid servers?

Get a server into the failed state then do a:

sh ip arp macaddress

...on the router for the client's MAC address and a:

sh mac-address-table address macaddress

...on the switch.
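
The check described above (MAC addresses flip-flopping between switch ports, or another device answering ARP for a server's IP) can be automated by diffing repeated snapshots of the two show commands. This is an added example, not part of the original thread; the output layout, addresses and port names below are constructed assumptions.

```python
import re
from collections import defaultdict

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# Switch FDB row: MAC, type, VLAN, port. Router ARP row: IP, age, MAC.
# Both layouts are assumed; adjust the patterns to your platform's output.
FDB_ROW = re.compile(rf"^({MAC})\s+\w+\s+(\d+)\s+(\S+)", re.I | re.M)
ARP_ROW = re.compile(rf"^Internet\s+(\S+)\s+\S+\s+({MAC})\s+ARPA", re.I | re.M)

def parse_fdb(text):
    """One switch snapshot -> {(vlan, mac): port}."""
    return {(int(v), m.lower()): p for m, v, p in FDB_ROW.findall(text)}

def parse_arp(text):
    """One router snapshot -> {ip: mac}."""
    return {ip: m.lower() for ip, m in ARP_ROW.findall(text)}

def changes(snapshots):
    """Keys whose value differs between consecutive snapshots, with history."""
    seen = defaultdict(list)
    for snap in snapshots:
        for key, val in snap.items():
            if not seen[key] or seen[key][-1] != val:
                seen[key].append(val)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed samples, taken a few seconds apart while a server is failing.
HDR = "Destination Address  Address Type  VLAN  Destination Port\n"
FDB_SNAPS = [
    HDR + "0011.2233.4455  Dynamic  1  FastEthernet0/3\n"
          "00aa.bbcc.ddee  Dynamic  1  FastEthernet0/5\n",
    HDR + "0011.2233.4455  Dynamic  1  FastEthernet0/8\n"
          "00aa.bbcc.ddee  Dynamic  1  FastEthernet0/5\n",
    HDR + "0011.2233.4455  Dynamic  1  FastEthernet0/3\n"
          "00aa.bbcc.ddee  Dynamic  1  FastEthernet0/5\n",
]
ARP_SNAPS = [
    "Internet  192.0.2.10  2  0011.2233.4455  ARPA  FastEthernet0/0\n"
    "Internet  192.0.2.11  5  00aa.bbcc.ddee  ARPA  FastEthernet0/0\n",
    "Internet  192.0.2.10  0  00de.adbe.ef01  ARPA  FastEthernet0/0\n"
    "Internet  192.0.2.11  5  00aa.bbcc.ddee  ARPA  FastEthernet0/0\n",
]

if __name__ == "__main__":
    for (vlan, mac), ports in changes(map(parse_fdb, FDB_SNAPS)).items():
        print(f"MAC {mac} vlan {vlan} moved: {' -> '.join(ports)}")
    for ip, macs in changes(map(parse_arp, ARP_SNAPS)).items():
        print(f"IP {ip} answered by: {' -> '.join(macs)}")
```

A MAC that keeps returning to its original port points at a loop or a second source for that address; an IP whose MAC changes on the router points at a device answering ARP on the server's behalf.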


Re: [c-nsp] WAN optimization in IP carrier

2007-06-06 Thread Indra Simalango
Hi all,

I'm quite a newbie in this field. So far, in my current company, I've done
some PoCs using Cisco WAAS and Packeteer PacketShaperXpress (the one with
Acceleration  Compression module).

For your requirements, how much WAN bandwidth do you have? What is each
connection type? Is it a fiberoptic, gigabit ethernet, or fair ethernet? If
I may, please describe your network profile: what are the main applications
traversing your WAN? Also, is there any requirement for server consolidation?

Thank you.


Indra A. Simalango
Associate Consultant, BSS/OSS
PT. Packet Systems Indonesia
www.dmxtechnologies.com

On 5/25/07, Pak Tong Poy [EMAIL PROTECTED] wrote:

 Hi group,
 Does anyone know if there is any WAN optimization product for IP carrier
 environments? I know there are products for enterprise environments. If
 there are, does anyone know of any IP carrier using them?
 Many thanks,


[c-nsp] Cisco vs. Turin

2007-06-06 Thread Richard J. Sears
I am looking to replace my 7513s that I use for T1 aggregation with
something like a Turin Networks TPE1200R and connect them to our 6500's
via 802.1q and gig ethernet.

The TPE1200 will terminate 12 Channelized DS3s and connect to the 6500
via dot1q for termination of the traffic.  I like the idea since my
6500s are running the 720-3bxl and are at about 10% capacity, and the
Turin box is 1U vs. an entire rack for 2 x 7513s.

I was wondering if Cisco had something similar or if anyone was using
some other hardware they could recommend for the same thing...

Thanks


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Richard J. Sears
CCNP/CCDP/F5SE



Re: [c-nsp] HSRP with 2 LAN switches

2007-06-06 Thread Ben Steele
You could do it with event manager combined with ip sla, not sure if 
your equipment supports it though.

Ben

Scott Dunn wrote:
 Hi Group,

 I had 2 x 3835 running eBGP for WAN redundancy (primary/shadow) and
 running HSRP for LAN failover to 1 switch. I've recently added a
 second switch, so now each 3825 is connected to 1 switch. The HSRP is
 working except for a LAN interface failure (unplugged) on a 3825,
 the BGP continues to route but the traffic has nowhere to go. Is there
 a way to tear down the external BGP if the LAN interface goes down?

 I've looked at Enhanced Object Tracking, but that seems only to apply
 to the HSRP and can't take any action on BGP

 Thanks for the help

 Scott
   

-- 
Ben Steele
Cisco Field Engineer
Cisco Systems Engineer
Corporate Projects Team
Internode Systems Pty Ltd
Ph: 08 8228 2968
