[c-nsp] ACL is not working properly on 7600s
Hi,

I have issues with applying ACLs on 7606s. Most of the time I cannot see matching packets to the ACL entries and the ACLs are not working as expected.

For testing I have two access-lists:

Extended IP access list 156
    10 permit icmp any any log
    20 permit ip any any log
Extended IP access list 157
    10 permit icmp any any
    20 permit ip any any

When ACL 156 is applied to the interface (in) it is not possible to ping inside from outside. However, with ACL 157 pings are successful. Are there any known issues with ACLs applied on 7600s?

Thanks in advance

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ACL is not working properly on 7600s
On (2010-09-29 10:08 +0300), sinan akyıldız wrote:

Hey Sinan,

> I have issues with applying ACLs on 7606s. Most of the time I cannot see
> matching packets to the ACL entries and the ACLs are not working as
> expected.

Those are software counters, you should see hardware counters in 'show tcam interface X acl in|out ip'

> For testing I have two access-lists
>
> Extended IP access list 156
>     10 permit icmp any any log
>     20 permit ip any any log
> Extended IP access list 157
>     10 permit icmp any any
>     20 permit ip any any
>
> When ACL 156 is applied to the interface (in) it is not possible to ping
> inside from outside. However, with ACL 157 pings are successful. Are there
> any known issues with ACLs applied on 7600s?

157 would be abstracted away when compiled, as it doesn't do anything.

One reason 156 could break is if you are running CoPP also, as 'log' is punted, rate-limited, to the control plane, and in the control-plane policy your rules likely do not permit arbitrary packets.

-- 
  ++ytti
Re: [c-nsp] can I use | pipe line such as | inc xxx and regexp such as regexp ^$ both , when I execute show bgp
On Wed, 2010-09-29 at 10:35 +0800, Mark Tinka wrote:
> On Friday, September 24, 2010 01:28:24 am Peter Rathlev wrote:
> > Way to go Cisco. Of course IOS XR isn't really a platform for serious
> > networking and/or BGP. :-)
>
> What leads you to conclude this? Just the lack of clarity in
> documentation and/or lack of features when using show bgp

I don't know the platform myself, I was just surprised that a thing like combining regexp/quote-regexp and an include doesn't work in at least 3.6.3. From what I hear in other places the CRS-1 is a nice box. :-)

-- 
Peter
Re: [c-nsp] cisco MPLS AutoBandwidth Allocator
On Wed, 2010-09-29 at 09:30 +0530, jack daniels wrote:
> If you don't have overlapping TE tunnels ? what is meaning of this

If none of your MPLS TE LSPs use the same underlying links you will never have any need for prioritisation, and thus never have any need for AutoBandwidth.

An example: We (not ISP but enterprise) currently only use MPLS TE for redundant L2 pseudowires that _have_ to use different paths in the network. If we didn't use MPLS TE (in this case explicit-path) we would risk that two different pseudowires that were supposed to be a redundant pair took the same path. In this case there's nothing to be gained from AutoBandwidth.

-- 
Peter
Re: [c-nsp] HSRP Groups on ASR1k
Interestingly, I've tried applying a similar config to a physical built-in GE port on a lab ASR1k, and I don't see the same issue after creating 25 sub-ifs, each using two HSRP groups. Therefore, I wonder whether this is something specific to port-channels on this platform?

Cheers,

Matt

On 28 September 2010 21:17, Benjamin Lovell belov...@cisco.com wrote:
> On Sep 28, 2010, at 3:18 PM, Matthew Melbourne wrote:
> > Yes, I too expected the MAC to be the same for a given group number,
> > unless there are other factors at play here, e.g. per-VLAN/VRF/platform
> > limitations. I expected only two MACs to be used (one for each group).
> >
> > -Original Message-
> > Date: Tue, 28 Sep 2010 17:48:16 +0100
> > From: Phil Mayers p.may...@imperial.ac.uk
> > To: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] HSRP Groups on ASR1k
> >
> > On 28/09/10 17:35, Benjamin Lovell wrote:
> > > I haven't looked into this on the ASR1K but what the message is
> > > telling you is that the NIC can only program 28 MAC addresses and you
> > > have used up the limit. If you add more sub-interfaces with HSRP then
> > > bad things will start to happen. Drops, punt to CPU, not sure as I
> > > have not looked into it on this platform but nothing good.
> >
> > Is this right? Isn't the HSRP MAC the same for a given group number,
> > regardless of which sub-int? We run all our interfaces (not ASR1k
> > though) in standby group 0
>
> Yes but it's possible that a sub-int requires a filter so 30 groups on 30
> sub-ints require 30 MAC filters, etc. As I said this is all platform
> dependent stuff that I don't know for the ASR1K. If you want to keep
> adding sub-interfaces and HSRP groups you really should have the TAC guys
> look into this. The platform may just reject with error anything over the
> limit but it may do worse things. This could be a software limitation that
> was addressed or is planned to be addressed in later code releases or it
> could be a hard limit of the NIC used on the SPAs.
>
> > > I would open a case with the TAC to have them talk to the devs about
> > > this and see if it will be important to you.
> > >
> > > BTW - not clear on the part where you said you are using HSRP groups 1
> > > and 2 on the customer sub-ints. You should use a unique standby group
> > > for each HSRP instance. If you are not this *may* have something to do
> > > with your problem.
> >
> > Why? Using a different standby group per sub-int will surely definitely
> > run you over the mac receive filter size limit? What's the problem using
> > the same group number on different interfaces?
>
> Was an off hand thought, but if you really are using only two group IDs
> everywhere then the error message is proof that it's not as simple as
> number of MAC filters = number of HSRP group IDs.

-- 
Matthew Melbourne
[c-nsp] BGP invalid next-hop
Hi all,

Is there an easy way to see which iBGP routes are not being selected due to the next-hop not being in the IGP? Before and after the IGP route was added is shown below; note that both are marked as valid..

-- BEFORE IGP --

AS5000_LA#show ip bgp
BGP table version is 5, local router ID is 10.0.0.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i100.10.0.0/16    10.0.0.100                    100      0 2000 3000 ?
*                   10.0.0.6                               0 1000 3000 3000 ?

-- AFTER IGP --

AS5000_LA#show ip bgp
BGP table version is 6, local router ID is 10.0.0.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i100.10.0.0/16    10.0.0.100                    100      0 2000 3000 ?
*                   10.0.0.6                               0 1000 3000 3000 ?

Cheers
Heath
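One way to answer Heath's question offline, as an added example that is not from the thread or from Cisco: parse the table format of IOS "show ip bgp" shown above and resolve every next hop against a list of RIB prefixes, reporting the paths whose next hop has no covering route. The RIB contents, the 10.0.0.100/32 route and the column alignment of the re-typed table are assumptions for illustration.

```python
"""Flag BGP paths whose next hop has no covering route in the RIB.

Added example, not from the cisco-nsp thread: it parses the table
format of IOS "show ip bgp" (as quoted in the post) and looks each
next hop up against a constructed list of RIB prefixes.
"""
import ipaddress
import re

# Constructed sample: the poster's "BEFORE IGP" table, re-typed with the
# column alignment assumed for IOS output (the list archive flattened it).
SHOW_IP_BGP_BEFORE = """\
BGP table version is 5, local router ID is 10.0.0.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i100.10.0.0/16    10.0.0.100                    100      0 2000 3000 ?
*                   10.0.0.6                               0 1000 3000 3000 ?
"""

# Constructed RIB: what "show ip route" knows. 10.0.0.100 (the iBGP
# next hop) is deliberately absent, modelling the poster's "before" state;
# the "after" RIB adds an assumed host route for it.
RIB_BEFORE = ["10.0.0.4/30", "10.0.0.5/32"]
RIB_AFTER = RIB_BEFORE + ["10.0.0.100/32"]

# One table row: three status characters, an optional network (a second
# path for the same prefix leaves the column blank), then the next hop.
# Metric/LocPrf/Weight/Path are not needed for the reachability check.
ROW_RE = re.compile(
    r"^(?P<flags>[*>sdhrSi ]{3})\s*"
    r"(?:(?P<net>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+)?"
    r"(?P<nh>\d+\.\d+\.\d+\.\d+)\b"
)


def parse_show_ip_bgp(text):
    """Return one dict per path: network, next_hop, internal, best, valid."""
    paths = []
    current_net = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, status-code legend or blank line
        flags = m.group("flags")
        if m.group("net"):
            current_net = m.group("net")  # continuation rows inherit it
        paths.append({
            "network": current_net,
            "next_hop": m.group("nh"),
            "internal": "i" in flags,
            "best": ">" in flags,
            "valid": "*" in flags,
        })
    return paths


def next_hop_resolves(next_hop, rib_prefixes, ignore_default=True):
    """True if some RIB prefix covers next_hop.

    Whether a default route is allowed to resolve a BGP next hop depends on
    platform and configuration, so the caller decides via ignore_default.
    """
    nh = ipaddress.ip_address(next_hop)
    for prefix in rib_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if ignore_default and net.prefixlen == 0:
            continue
        if nh in net:
            return True
    return False


def unresolved_next_hops(show_bgp_text, rib_prefixes, ignore_default=True):
    """Return (network, next_hop) for every path the RIB cannot resolve.

    A next hop of 0.0.0.0 marks a locally originated route and is skipped.
    """
    out = []
    for p in parse_show_ip_bgp(show_bgp_text):
        if p["next_hop"] == "0.0.0.0":
            continue
        if not next_hop_resolves(p["next_hop"], rib_prefixes, ignore_default):
            out.append((p["network"], p["next_hop"]))
    return out


if __name__ == "__main__":
    for label, rib in (("before IGP", RIB_BEFORE), ("after IGP", RIB_AFTER)):
        bad = unresolved_next_hops(SHOW_IP_BGP_BEFORE, rib)
        print(f"{label}: {bad if bad else 'all next hops resolve'}")
```

Feed it the real "show ip bgp" and a prefix list extracted from "show ip route" to get the same report for a live table.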
Re: [c-nsp] auto-backup tunnels
Oliver,

Yes, I will open a TAC case then. And yes, I know it would be removed, but not in my case due to mpls traffic-eng auto-tunnel backup timers removal unused 3600 0.

Ok, thank you for supporting me!!!

-Original Message-
From: ext Oliver Boehmer (oboehmer) [mailto:oboeh...@cisco.com]
Sent: Tuesday, September 28, 2010 8:20 PM
To: Koltsov, Aleksey (NSN - DE/Dusseldorf); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] auto-backup tunnels

Aleksey,

> And if I crash all links of R3 and R2, and then restore them, I can see
> that the following backup tunnels appeared (I replaced IPs with hostnames):
> ...
> All of them seem to be correct except Tunnel8003 and 8004 which point to
> NNNHOP instead of NHOP and NNHOP. The routers have IOS 12.2(33)SRD3.

Looks strange indeed. Can you work with TAC to troubleshoot this further? I guess you are aware that these tunnels will eventually be removed as they are not being used as backup for any LSP (by default after one hour)?

tx, oli
Re: [c-nsp] cisco MPLS AutoBandwidth Allocator
why would we have overlapping TE tunnels ?

On Wed, Sep 29, 2010 at 3:03 PM, Peter Rathlev pe...@rathlev.dk wrote:
> On Wed, 2010-09-29 at 09:30 +0530, jack daniels wrote:
> > If you don't have overlapping TE tunnels ? what is meaning of this
>
> If none of your MPLS TE LSPs use the same underlying links you will never
> have any need for prioritisation, and thus never have any need for
> AutoBandwidth.
>
> An example: We (not ISP but enterprise) currently only use MPLS TE for
> redundant L2 pseudowires that _have_ to use different paths in the
> network. If we didn't use MPLS TE (in this case explicit-path) we would
> risk that two different pseudowires that were supposed to be a redundant
> pair took the same path. In this case there's nothing to be gained from
> AutoBandwidth.
>
> -- 
> Peter
[c-nsp] C892 PPPoE on VLANs
Hi,

just wondering, as we haven't had any of these yet and I don't want to get surprised if I order one ...

I was looking at the 892 mainly due to the rather high throughput rating of 50+ MBit/s (compared to ~16 MBit on the 870 series). Looks to be nice, just want to ensure it does handle its switch ports (it has 8 FE-TX ports) as the 870/880 series does ... I need to hook up something like 2-3 PPPoE connections to the router, which we usually do using vlan 2 through n and then configuring each vlan interface for doing the actual dialup through a dialer interface ... I would expect the 890 series to work the same ... anybody happen to have any experience yet? Or is there a limitation to the number of vlans?

Tnx, -garry
Re: [c-nsp] How to bring one link down if another related link goes down
On 28/09/2010 12:38, Alan Buxey wrote:
> it's trunk failover or link-state tracking. don't seem to have solidified
> the name - appeared in IOS 12.2(25) - but has been around in the blade
> switches for a little longer...and is in Nexus platform too for added
> bonus
>
> I'm thinking of a scenario...a nice real scenario...where this would be
> useful rather than using spanning-tree and normal backup links..

I think we had one a while ago with the Microsoft NLB (Load Balancing). From what I recall heartbeats are not checked on all interfaces (in Server 2008). So if an upstream link on a top of rack switch goes down NLB will keep the local servers in the hash-pool causing dropped packets for connections hashing to those servers. This kind of link state tracking might improve on that by taking down the links to the servers, too. I didn't test it, though.

I think Server 2010 might be smarter so it was either a self shaving Yak, or SEP to fix ;-)

regards,
-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
[c-nsp] Proper Multicast group assignment for SSM/Source Specific Multicast?
When assigning administratively scoped multicast groups for SSM/Source Specific Multicast usage, what is the appropriate range to use? I know 232.0.0.0/8 is a general SSM range, but is there a subsection that is best used for administratively-scoped or internal-use only addresses? In the ASM model, this was typically within different subsections of the 239/8 range. I can't seem to find this issue addressed in the appropriate RFCs for SSM.

Additionally, I know Cisco equipment permits the usage of SSM on non-standard multicast ranges. Are there any particular drawbacks or benefits to using SSM methodology on a 239/8 address instead of 232/8?

However, I assume one drawback of me choosing to use a proper 232 SSM address is it becomes no longer possible to use ASM to the first router with SSM-mapping converting it to a SSM join. Is this true?

Thanks!
Re: [c-nsp] How to bring one link down if another related link goes down
Hi,

> So if an upstream link on a top of rack switch goes down NLB will keep the
> local servers in the hash-pool causing dropped packets for connections
> hashing to those servers. This kind of link state tracking might improve
> on that by taking down the links to the servers, too. I didn't test it,
> though.
>
> I think Server 2010 might be smarter so it was either a self shaving Yak,
> or SEP to fix ;-)

ooh yes - that might have some mileage.

alan
[c-nsp] MPLS VPN over mGRE - PMTUD?
Hi List,

Apologies if this is hidden in the list somewhere, but I've done a bit of Googling and can't find too much.. so here goes!

I'm looking at implementing an MPLS VPN over mGRE solution to facilitate routing instance segregation across multiple, geographically separate sites, across a third party Layer 3 infrastructure. (12.2SRE for 7200, IOS-XE 3 for ASR1k and looks to be coming into ISR G2 in 15.1T.)

However given the mix of GRE encapsulation to provide the PE-PE connectivity, I'm a bit worried that apps might have a hissy fit. My question is, does anyone know if it's possible to enable PMTUD with this feature? I've got it set up in a lab and the Tunnel0 and Tunnel1 interfaces cannot be directly modified from the CLI (they don't appear in config either...)

The next best thing I can see would be Dynamic L3 VPNs over mGRE, but that isn't available on the platforms I use, and I really don't want to go as far as to enable full blown MPLS over point to point GRE tunnels if I can at all avoid it!

Any tips? :-)

Cheers
Al
Re: [c-nsp] MPLS VPN over mGRE - PMTUD?
If you are looking to do this for setting the MPLS MTU dynamically then I don't think this will help, as starting with our forwarding infrastructure rewrite in 12.4(20)T (I would need to check to be sure when/if in other code trains) we lost the ability to set the MPLS MTU on tunnel interfaces. See CSCth11646.

Benjamin Lovell
AS Video Practice
Cisco Customer Advocacy
Research Triangle Park, NC
Email: belov...@cisco.com
desk: 919.392.8255
cell: 203.509.1562

On Sep 29, 2010, at 3:17 PM, Alasdair McWilliam wrote:
> Hi List,
>
> Apologies if this is hidden in the list somewhere, but I've done a bit of
> Googling and can't find too much.. so here goes!
>
> I'm looking at implementing an MPLS VPN over mGRE solution to facilitate
> routing instance segregation across multiple, geographically separate
> sites, across a third party Layer 3 infrastructure. (12.2SRE for 7200,
> IOS-XE 3 for ASR1k and looks to be coming into ISR G2 in 15.1T.)
>
> However given the mix of GRE encapsulation to provide the PE-PE
> connectivity, I'm a bit worried that apps might have a hissy fit. My
> question is, does anyone know if it's possible to enable PMTUD with this
> feature? I've got it set up in a lab and the Tunnel0 and Tunnel1 interfaces
> cannot be directly modified from the CLI (they don't appear in config
> either...)
>
> The next best thing I can see would be Dynamic L3 VPNs over mGRE, but that
> isn't available on the platforms I use, and I really don't want to go as
> far as to enable full blown MPLS over point to point GRE tunnels if I can
> at all avoid it!
>
> Any tips? :-)
>
> Cheers
> Al
Re: [c-nsp] ACL is not working properly on 7600s
which IOS?

On 29/09/10 09:08, sinan akyıldız wrote:
> Hi,
>
> I have issues with applying ACLs on 7606s. Most of the time I cannot see
> matching packets to the ACL entries and the ACLs are not working as
> expected.
>
> For testing I have two access-lists
>
> Extended IP access list 156
>     10 permit icmp any any log
>     20 permit ip any any log
> Extended IP access list 157
>     10 permit icmp any any
>     20 permit ip any any
>
> When ACL 156 is applied to the interface (in) it is not possible to ping
> inside from outside. However, with ACL 157 pings are successful. Are there
> any known issues with ACLs applied on 7600s?
>
> Thanks in advance
Re: [c-nsp] C892 PPPoE on VLANs
On 2010-09-29 16:14, Garry wrote:
> I was looking at the 892 mainly due to the rather high throughput rating
> of 50+ MBit/s (compared to ~16 MBit on the 870 series). Looks to be nice,
> just want to ensure it does handle its switch ports (it has 8 FE-TX ports)
> as the 870/880 series does ... I need to hook up something like 2-3 PPPoE
> connections to the router, which we usually do using vlan 2 through n and
> then configuring each vlan interface for doing the actual dialup through a
> dialer interface ... I would expect the 890 series to work the same ...
> anybody happen to have any experience yet? Or is there a limitation to the
> number of vlans?

It works the same with regards to switch ports, however the WLAN AP is autonomous. You can configure up to 14 VLANs (Table 3):

http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78-519930.html

-- 
Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end. | http://lukasz.bromirski.net
Re: [c-nsp] MPLS VPN over mGRE - PMTUD?
Thanks for the heads up on that.

My 'PE' routers will be 7200-NPE400 FE in/out or ASR1k GbE in/out (and possibly ISR 3945s if/when the feature is available..) all with standard 1500 MTU. Inside LAN interfaces will be subinterfaces (one per VRF) and outside WAN interfaces will be access ports running IGP into the IP core.

Providing I can ensure ICMP Unreachables through the client/server end to end path, I guess I should be OK. Would you recommend setting anything like mss adjust on the inside sub-interfaces if I can't? (Or as well as?!)

Do you (or anyone...) think there would be any noticeable performance penalty (latency, throughput) with this scenario?

I have not yet investigated the possibility of simply increasing the MTU on all my outside core interfaces but that is most likely out of my control!

Any help/comments/suggestions appreciated! :-)

Cheers
Al

On 29 Sep 2010, at 21:40, Benjamin Lovell wrote:
> If you are looking to do this for setting the MPLS MTU dynamically then I
> don't think this will help, as starting with our forwarding infrastructure
> rewrite in 12.4(20)T (I would need to check to be sure when/if in other
> code trains) we lost the ability to set the MPLS MTU on tunnel interfaces.
> See CSCth11646.
>
> Benjamin Lovell
> AS Video Practice
> Cisco Customer Advocacy
> Research Triangle Park, NC
> Email: belov...@cisco.com
> desk: 919.392.8255
> cell: 203.509.1562
>
> On Sep 29, 2010, at 3:17 PM, Alasdair McWilliam wrote:
> > Hi List,
> >
> > Apologies if this is hidden in the list somewhere, but I've done a bit
> > of Googling and can't find too much.. so here goes!
> >
> > I'm looking at implementing an MPLS VPN over mGRE solution to facilitate
> > routing instance segregation across multiple, geographically separate
> > sites, across a third party Layer 3 infrastructure. (12.2SRE for 7200,
> > IOS-XE 3 for ASR1k and looks to be coming into ISR G2 in 15.1T.)
> >
> > However given the mix of GRE encapsulation to provide the PE-PE
> > connectivity, I'm a bit worried that apps might have a hissy fit. My
> > question is, does anyone know if it's possible to enable PMTUD with this
> > feature? I've got it set up in a lab and the Tunnel0 and Tunnel1
> > interfaces cannot be directly modified from the CLI (they don't appear
> > in config either...)
> >
> > The next best thing I can see would be Dynamic L3 VPNs over mGRE, but
> > that isn't available on the platforms I use, and I really don't want to
> > go as far as to enable full blown MPLS over point to point GRE tunnels
> > if I can at all avoid it!
> >
> > Any tips? :-)
> >
> > Cheers
> > Al
[c-nsp] BGP/ASA/Internet Edge Design Question
Hi All,

I have a scenario where I would like to perform BGP with my current ISP and am in need of an Internet Edge router; as currently my ASA connects directly to them. The IP subnet assignment that I'm using from my provider in my DMZ will be my provider independent addresses.

My question is... I'll need to put a new subnet between my ASA and my new Internet router... it can't be a private subnet, because the Outside interface of the ASA is where my web traffic is coming from. What are my options here?... try to subnet the already in use /24 provider independent subnet in my DMZ and use a /29 as a connector subnet between the ASA Outside interface and the Internet Edge router?

Thanks
Donald
Re: [c-nsp] BGP/ASA/Internet Edge Design Question
If I'm understanding you correctly, the ISP in question should give you a separate /30 for the interconnect to them. Then you announce your /24 to the world and do what you want with the space behind your router.

-b

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Donald Darko
Sent: Wednesday, September 29, 2010 5:02 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP/ASA/Internet Edge Design Question

Hi All,

I have a scenario where I would like to perform BGP with my current ISP and am in need of an Internet Edge router; as currently my ASA connects directly to them. The IP subnet assignment that I'm using from my provider in my DMZ will be my provider independent addresses.

My question is... I'll need to put a new subnet between my ASA and my new Internet router... it can't be a private subnet, because the Outside interface of the ASA is where my web traffic is coming from. What are my options here?... try to subnet the already in use /24 provider independent subnet in my DMZ and use a /29 as a connector subnet between the ASA Outside interface and the Internet Edge router?

Thanks
Donald
Re: [c-nsp] BGP/ASA/Internet Edge Design Question
You can use private addressing if you like, but your provider can also assign you a /29 for the segment between your ASA and edge. Try asking them for the extra allocation.

Sent from handheld

On Sep 29, 2010, at 8:08 PM, Donald Darko donald.dar...@gmail.com wrote:
> Hi All,
>
> I have a scenario where I would like to perform BGP with my current ISP and
> am in need of an Internet Edge router; as currently my ASA connects
> directly to them. The IP subnet assignment that I'm using from my provider
> in my DMZ will be my provider independent addresses.
>
> My question is... I'll need to put a new subnet between my ASA and my new
> Internet router... it can't be a private subnet, because the Outside
> interface of the ASA is where my web traffic is coming from. What are my
> options here?... try to subnet the already in use /24 provider independent
> subnet in my DMZ and use a /29 as a connector subnet between the ASA
> Outside interface and the Internet Edge router?
>
> Thanks
> Donald
Re: [c-nsp] BGP/ASA/Internet Edge Design Question
Correct... The Edge Internet Router will connect to the ISP with a /30... But what subnet will I utilize between the Edge Internet router and the ASA outside interface? Wouldn't it need to be in my provider independent block?..

On Wed, Sep 29, 2010 at 8:09 PM, Bill Blackford bblackf...@nwresd.k12.or.us wrote:
> If I'm understanding you correctly, the ISP in question should give you a
> separate /30 for the interconnect to them. Then you announce your /24 to
> the world and do what you want with the space behind your router.
>
> -b
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Donald Darko
> Sent: Wednesday, September 29, 2010 5:02 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] BGP/ASA/Internet Edge Design Question
>
> Hi All,
>
> I have a scenario where I would like to perform BGP with my current ISP and
> am in need of an Internet Edge router; as currently my ASA connects
> directly to them. The IP subnet assignment that I'm using from my provider
> in my DMZ will be my provider independent addresses.
>
> My question is... I'll need to put a new subnet between my ASA and my new
> Internet router... it can't be a private subnet, because the Outside
> interface of the ASA is where my web traffic is coming from. What are my
> options here?... try to subnet the already in use /24 provider independent
> subnet in my DMZ and use a /29 as a connector subnet between the ASA
> Outside interface and the Internet Edge router?
>
> Thanks
> Donald
Re: [c-nsp] BGP/ASA/Internet Edge Design Question
I guess what I'm looking at is this... If I bring another ISP into the mix.

ISP 1 connects to Router1 via a /30 assigned by ISP1
ISP 2 connects to Router2 via a /30 assigned by ISP2

Router1 would then need to connect to the ASA outside interface via a public IP subnet? The ASA outside interface is where outbound browsing traffic is NAT'd... so it would have to be on a public network. Correct?

On Wed, Sep 29, 2010 at 8:23 PM, Ryan West rw...@zyedge.com wrote:
> You can use private addressing if you like, but your provider can also
> assign you a /29 for the segment between your ASA and edge. Try asking
> them for the extra allocation.
>
> Sent from handheld
>
> On Sep 29, 2010, at 8:08 PM, Donald Darko donald.dar...@gmail.com wrote:
> > Hi All,
> >
> > I have a scenario where I would like to perform BGP with my current ISP
> > and am in need of an Internet Edge router; as currently my ASA connects
> > directly to them. The IP subnet assignment that I'm using from my
> > provider in my DMZ will be my provider independent addresses.
> >
> > My question is... I'll need to put a new subnet between my ASA and my
> > new Internet router... it can't be a private subnet, because the Outside
> > interface of the ASA is where my web traffic is coming from. What are my
> > options here?... try to subnet the already in use /24 provider
> > independent subnet in my DMZ and use a /29 as a connector subnet between
> > the ASA Outside interface and the Internet Edge router?
> >
> > Thanks
> > Donald
Re: [c-nsp] BGP/ASA/Internet Edge Design Question
The outside interface IP of the ASA has no requirement to be on-net with anything having to do with your PI addresses, whether you are NAT'ing on the ASA or not. You could use RFC1918 addresses as suggested by others.

Sent via BlackBerry from T-Mobile

-Original Message-
From: Donald Darko donald.dar...@gmail.com
Sender: cisco-nsp-boun...@puck.nether.net
Date: Wed, 29 Sep 2010 20:27:03
To: Ryan West rw...@zyedge.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP/ASA/Internet Edge Design Question

I guess what I'm looking at is this... If I bring another ISP into the mix.

ISP 1 connects to Router1 via a /30 assigned by ISP1
ISP 2 connects to Router2 via a /30 assigned by ISP2

Router1 would then need to connect to the ASA outside interface via a public IP subnet? The ASA outside interface is where outbound browsing traffic is NAT'd... so it would have to be on a public network. Correct?

On Wed, Sep 29, 2010 at 8:23 PM, Ryan West rw...@zyedge.com wrote:
> You can use private addressing if you like, but your provider can also
> assign you a /29 for the segment between your ASA and edge. Try asking
> them for the extra allocation.
>
> Sent from handheld
>
> On Sep 29, 2010, at 8:08 PM, Donald Darko donald.dar...@gmail.com wrote:
> > Hi All,
> >
> > I have a scenario where I would like to perform BGP with my current ISP
> > and am in need of an Internet Edge router; as currently my ASA connects
> > directly to them. The IP subnet assignment that I'm using from my
> > provider in my DMZ will be my provider independent addresses.
> >
> > My question is... I'll need to put a new subnet between my ASA and my
> > new Internet router... it can't be a private subnet, because the Outside
> > interface of the ASA is where my web traffic is coming from. What are my
> > options here?... try to subnet the already in use /24 provider
> > independent subnet in my DMZ and use a /29 as a connector subnet between
> > the ASA Outside interface and the Internet Edge router?
> >
> > Thanks
> > Donald
Re: [c-nsp] BGP/ASA/Internet Edge Design Question
Sorry, just confused here... So on the outside interface of the ASA... connecting into the Internet Router, I could use private addresses? I'd think that I would want my outbound Internet web traffic to be sourced from my Provider Independent IP subnet. How would that work?

On Wed, Sep 29, 2010 at 8:48 PM, jkre...@usinternet.com wrote:

The outside interface IP of the ASA has no requirement to be on net with anything having to do with your PI addresses, whether you are NAT'ing on the ASA or not. You could use RFC 1918 addresses as suggested by others.
[c-nsp] Found a device, please recommend.
Hi,

I want to order a Cisco device (Layer 3) with 8 SFP ports; I want to run BGP (4-5 full views) on it, so I think 512 - 1024 MB RAM is needed. The device should be 1U. Please recommend which device will be optimal for this request?

Regards,
Re: [c-nsp] BGP/ASA/Internet Edge Design Question
The address on the ASA does not control the source addresses of your protected hosts. A couple of options: you use your PI space behind the ASA exclusively and do not NAT, with

static (inside,outside) pi pi netmask 255.255.255.0

or use PI on the outside of the ASA and NAT to inside private addresses. Using RFC 1918 on the outside interface of the ASA means it's not going to be able to be a VPN endpoint with remote Internet hosts.

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Donald Darko donald.dar...@gmail.com
Date: Wed, 29 Sep 2010 20:51:27
To: jkre...@usinternet.com
Cc: Ryan West rw...@zyedge.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP/ASA/Internet Edge Design Question

Sorry, just confused here... So on the outside interface of the ASA... connecting into the Internet Router, I could use private addresses? I'd think that I would want my outbound Internet web traffic to be sourced from my Provider Independent IP subnet. How would that work?
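The two options above written out as an added ASA 8.2-style configuration (not from the thread or any poster); the PI /24, the RFC 1918 link and the interface names are placeholders:

```text
! Added example, not from the thread. Matches the "static (inside,outside)" form
! quoted above (ASA 8.2-style NAT syntax). All addresses are constructed:
!   192.0.2.0/24     = the provider-independent (PI) /24 (placeholder)
!   10.255.255.0/30  = RFC 1918 link between the ASA outside and the edge router
!
! --- Option A: PI space lives behind the ASA, identity NAT, RFC 1918 link ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.255.255.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
! identity static: protected hosts keep their PI addresses through the firewall,
! so outbound traffic is sourced from PI space even though the link is private
static (inside,outside) 192.0.2.0 192.0.2.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.255.255.1
!
! On the edge router (IOS) the PI /24 is routed at the ASA; the edge router is
! what announces the PI block to the ISP over BGP, so the RFC 1918 link address
! never appears as a source on the Internet:
!   ip route 192.0.2.0 255.255.255.0 10.255.255.2
!
! --- Option B: PI on the ASA outside, private inside addresses PATed to PI ---
! (replaces the interface and static lines above; a /29 carved from the PI block
! sits between ASA and edge router, as Donald suggested)
! interface GigabitEthernet0/0
!  nameif outside
!  security-level 0
!  ip address 192.0.2.2 255.255.255.248
! interface GigabitEthernet0/1
!  nameif inside
!  security-level 100
!  ip address 10.1.0.1 255.255.0.0
! nat (inside) 1 10.1.0.0 255.255.0.0
! global (outside) 1 interface
!
! Caveat from the thread: with Option A the outside address is RFC 1918, so the
! ASA cannot terminate VPNs from remote Internet hosts; Option B can.
```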
Re: [c-nsp] MPLS VPN over mGRE - PMTUD?
The problem with ICMP frag needed is some apps (read: Microsoft) just flat out fail when frag happens and set the DF bit to be sure it does not. ICMP frag needed or not, they will just fail over and over. They may have gotten better with this since the last time I cared (somewhere in between one and two years ago).

Increasing the MTU on core will not help if you can't raise the tunnel MTU to match core interface minus encap overhead. You will still frag on tunnel ingress.

I can see one of two possible ways to get around this, each with their own caveats. tcp mss-adj is one, which is obviously only useful for TCP connections. The other caveat is that mss-adj will cause the first packet in each direction to be punted to CPU, so a large number of session setups could be an issue.

I can't remember the exact details as I only had 2nd hand involvement in the MPLS MTU thing; they made a quick change which, for technical implementation reasons, only lets you set MPLS MTU to MAX (like 9K or 44K or something huge). You could do this and assume that post fragmentation is your best bet if you are using IPSEC and have an IPSEC platform that can handle the frag reassembly load, which will then cause everything to be reassembled before hitting the GRE / MPLS / app layer. GRE and IPSEC take a performance hit with frag, but this is better than MPLS frag, which is explicitly disallowed and not supported in a number of specs and implementations.

Caveats and trade-offs can be quite different from platform to platform, so I would recommend some validation testing whichever way you decide to go.

-Ben

Benjamin Lovell | AS Video Practice | Cisco Customer Advocacy
Research Triangle Park, NC
Email: belov...@cisco.com
desk: 919.392.8255  cell: 203.509.1562

On Sep 29, 2010, at 7:15 PM, Alasdair McWilliam wrote:

Thanks for the heads up on that. My 'PE' routers will be 7200-NPE400 FE in/out or ASR1k GbE in/out (and possibly ISR 3945s if/when the feature is available..) all with standard 1500 MTU. Inside LAN interfaces will be subinterfaces (one per VRF) and outside WAN interfaces will be access ports running IGP into IP core.

Providing I can ensure ICMP Unreachables through the client/server end to end path, I guess I should be OK. Would you recommend setting anything like mss adjust on the inside sub-interfaces if I can't? (Or as well as?!) Do you (or anyone...) think there would be any noticeable performance penalty (latency, throughput) with this scenario?

I have not yet investigated the possibility of simply increasing the MTU on all my outside core interfaces but that is most likely out of my control!

Any help/comments/suggestions appreciated! :-)

Cheers
Al

On 29 Sep 2010, at 21:40, Benjamin Lovell wrote:

If you are looking to do this for setting the MPLS MTU dynamically then I don't think this will help, as starting with our forwarding infrastructure rewrite in 12.4(20)T (I would need to check to be sure when/if in other code trains) we lost the ability to set the MPLS MTU on tunnel interfaces. See CSCth11646.

On Sep 29, 2010, at 3:17 PM, Alasdair McWilliam wrote:

Hi List,

Apologies if this is hidden in the list somewhere, but I've done a bit of Googling and can't find too much.. so here goes!

I'm looking at implementing an MPLS VPN over mGRE solution to facilitate routing instance segregation across multiple, geographically separate sites, across a third party Layer 3 infrastructure. (12.2SRE for 7200, IOS-XE 3 for ASR1k and looks to be coming into ISR G2 in 15.1T.)

However given the mix of GRE encapsulation to provide the PE-PE connectivity, I'm a bit worried that apps might have a hissy fit. My question is, does anyone know if it's possible to enable PMTUD with this feature?

I've got it setup in a lab and the Tunnel0 and Tunnel1 interfaces cannot be directly modified from the CLI (they don't appear in config either...) The next best thing I can see would be Dynamic L3 VPNs over mGRE, but that isn't available on the platforms I use, and I really don't want to go as far as to enable full blown MPLS over point to point GRE tunnels if I can at all
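The "tcp mss-adj" option Ben describes, placed on the per-VRF inside subinterfaces Al asked about, as an added IOS configuration that is not from the thread. The overhead arithmetic assumes a 1500-byte core MTU, plain GRE (no tunnel key, no IPsec) and one VPN label; the interface, VRF, VLAN and addresses are placeholders.

```text
! Added example, not from the thread. IOS 12.2SR-era syntax for a VRF subinterface.
! Overhead arithmetic (assumptions: 1500-byte core MTU, GRE without key or
! checksum, no IPsec, one MPLS label; with MPLS VPN over mGRE only the VPN label
! is carried, the GRE tunnel takes the place of the transport label):
!
!   1500  core interface MTU
!  -  20  outer IPv4 header added by mGRE
!  -   4  GRE header (no key/checksum)
!  -   4  one MPLS VPN label
!  ------
!   1472  largest inner IP packet that leaves the tunnel without fragmenting
!  -  40  inner IPv4 header (20) + TCP header (20)
!  ------
!   1432  MSS to clamp to
!
interface GigabitEthernet0/0.100
 description CUST-A inside (placeholder names)
 encapsulation dot1Q 100
 ip vrf forwarding CUST-A
 ip address 10.100.0.1 255.255.255.0
 ! rewrites the MSS option in SYN / SYN-ACK in both directions
 ip tcp adjust-mss 1432
!
! Caveats carried over from the thread, worth validating on the real platform:
! - only TCP is helped; UDP and other traffic above 1472 bytes still fragments
!   at tunnel ingress, so PMTUD (ICMP frag-needed reachability) is still wanted
! - the first packet of each session is punted to the CPU for the rewrite, so a
!   high session-setup rate can be an issue
! - if a tunnel key (+4) or IPsec is in use, subtract that overhead as well
```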
Re: [c-nsp] Found a device, please recommend.
On 9/29/2010 17:52, Sheremet Roman wrote:

Hi, I want to order a Cisco device (Layer 3) with 8 SFP ports; I want to run BGP (4-5 full views) on it, so I think 512 - 1024 MB RAM is needed. The device should be 1U. Please recommend which device will be optimal for this request?

The obvious choice would be an ASR1002 with a 5 port SPA (4 onboard), but it's 2U.

~Seth
Re: [c-nsp] Found a device, please recommend.
For 8 SFPs, off the top of my head you are looking at something like an ASR 1K or 7600. For 4-5 full route tables 1G will be cutting it close or just not be enough. BGP mem usage is hard to gauge, as we take a lot of effort to use pointers to reduce mem usage when prefixes / attributes overlap. Without knowing how much overlap there is between your feeds it's hard to know how much mem they will use, but 2GB would be a safe amount.

-Ben

On Sep 29, 2010, at 8:52 PM, Sheremet Roman wrote:

Hi, I want to order a Cisco device (Layer 3) with 8 SFP ports; I want to run BGP (4-5 full views) on it, so I think 512 - 1024 MB RAM is needed. The device should be 1U. Please recommend which device will be optimal for this request?

Regards,
Re: [c-nsp] Found a device, please recommend.
I missed the 1 RU part. I can't think of a platform that will do 8 SFPs in 1RU.

-Ben

On Sep 29, 2010, at 9:44 PM, Seth Mattinen wrote:

The obvious choice would be an ASR1002 with a 5 port SPA (4 onboard), but it's 2U.

~Seth
Re: [c-nsp] Found a device, please recommend.
On 9/29/10 6:47 PM, Benjamin Lovell wrote:

I missed the 1 RU part. I can't think of a platform that will do 8 SFPs in 1RU.

The most powerful 1U router I can think of is the 7201.

~Seth
[c-nsp] IPv6 and Cat 6500
Mostly I lurk on the list and read and learn. There are so many smart people on here that even if I don't read the emails every day, I know I'm getting smarter just having them in my inbox :)

I am looking at a new setup and wondering what is the minimum setup that a Cat6500 can do IOS/BGP things on IPv6 and IPv4? As long as I am setting up a new setup I may as well learn how to handle the IPv4 and IPv6 dual battle of the bits. Can a Sup2 handle that or??

Thanks a bunchly,
CJ
Re: [c-nsp] Found a device, please recommend.
If you can compromise on the full-views requirement, ME6524-GT-8S has 8 SFP ports and 24 BASE-T ports, ME6524-GS-8S has 32 SFP ports (8 unsubscribed, 24 1:3 oversubscribed). You could receive full views and filter them out to fit the reduced FIB. The device is 1.5U and fits nicely into small spaces. DC power is also an option.

On J-land, MX-80 (not the 48T variant) could have a 20-port SFP line card and eat 5 full views for breakfast. 2RU.

Rubens

On Wed, Sep 29, 2010 at 9:52 PM, Sheremet Roman ro...@kharkov.org.ua wrote:

Hi, I want to order a Cisco device (Layer 3) with 8 SFP ports; I want to run BGP (4-5 full views) on it, so I think 512 - 1024 MB RAM is needed. The device should be 1U. Please recommend which device will be optimal for this request?

Regards,
Re: [c-nsp] IPv6 and Cat 6500
Hi CJ,

On Sep 29, 2010, at 9:23 PM, CJ wrote:

I am looking at a new setup and wondering what is the minimum setup that a Cat6500 can do IOS/BGP things on IPv6 and IPv4? As long as I am setting up a new setup I may as well learn how to handle the IPv4 and IPv6 dual battle of the bits. Can a Sup2 handle that or??

Sup2 would implement IPv6 routing (if it does at all) in software. That might be OK for test purposes, but not for appreciable workloads. Otherwise, you would want a Sup720. Then you will need to know how many routes you will have to decide whether you need an XL size PFC or not.

Read this thread too: http://puck.nether.net/pipermail/cisco-nsp/2009-May/060466.html

Dale