Re: [c-nsp] Upgrading 12K IOS XR from 3.6 to 4.2

2013-03-06 Thread Grzegorz Janoszka
On 05-03-13 16:48, ibogzipper iboge wrote:
> Thanks Grzegorz, the down time window is the problem with going for 2 steps.
> Rommon upgrades are in the FPD package, but if I want to do the turboboot
> there is no way that I can install the new pie c12k-fpd.pie-4.2.4 on
> 3.6.2 and upgrade the rommon. Is there any package that I can copy and
> upgrade the rommon like CRS? The Cisco document mentions 3.x to 4.x
> with the c12k-upgrade.pie-4.2.4 package, but it is still confusing about
> the direct 4.2 upgrade.

I believe that according to Cisco docs and in order to have a reasonably
safe software version, you need at least three full reboots plus at
least one switch-over.
The upgrade pie doesn't contain any rommon updates, they are in the fpd pie.
You can't install the fpd pie from 4.X onto 3.X.

-- 
Grzegorz Janoszka
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Upgrading 12K IOS XR from 3.6 to 4.2

2013-03-05 Thread Grzegorz Janoszka
On 05-03-13 14:01, ibogzipper iboge wrote:
> Hi,
> I'm in the process of upgrading 12K IOS XR from 3.6 to 4.2. But according
> to the Cisco upgrade path it seems to be from 3.6 -> 3.9, 3.9 -> 4.2 (
> http://www.cisco.com/web/Cisco_IOS_XR_Software/index.html#XR12000).
> Therefore I'm wondering whether I can do turboboot, but there is no
> reference regarding the minimum rommon required to load the 4.2 IOS XR in
> turboboot (min required is 1.24). Also, to upgrade the rommon there is no
> package available in the download section (the archive also doesn't have
> the package).
>
> Anyone having previous experience on 3.6 -> 4.2 upgrade?

As far as I remember you may need to repartition in order to do the
upgrade and/or upgrade your flash. We didn't do as big a step as you plan
to do, and indeed the intermediate upgrade to 3.9 may be necessary.
Please check the Cisco upgrade procedure, they are very good in
describing what you can and what you can't. The rommon upgrades are in
the fpd package, it is also very well described in Cisco docs.

Please note some important SMU's for 4.2, some of them are reboot SMU's.

-- 
Grzegorz Janoszka


Re: [c-nsp] IOSXR 4.2.3

2013-01-27 Thread Grzegorz Janoszka
On 27-01-13 02:23, Jason Lixfeld wrote:
> No new problems that I have observed, although having to repartition the
> flash drives on the RSPs in order to install is certainly annoying.

Jason,

Special repartition for 4.2.3? Which flash did you have? Was it 2G or 4G?

-- 
Grzegorz Janoszka


[c-nsp] IOS-XR next-hop self with reflected routes

2012-06-19 Thread Grzegorz Janoszka

I have encountered a problem configuring route announcements on IOS-XR.
In just a plain IOS (i.e. c6500) setting "next-hop self" at the bgp peer
doesn't affect reflected routes, however it can be overwritten with the
outgoing route-map.
In IOS-XR the route-policy with "set next-hop self" doesn't seem to
affect reflected routes at all.
I know I can overwrite it on the receiving side, but any way to change
the next-hop of reflected routes in IOS-XR?

-- 
Grzegorz Janoszka



Re: [c-nsp] IOS-XR next-hop self with reflected routes

2012-06-19 Thread Grzegorz Janoszka
On 19-06-12 16:02, chip wrote:
> add "ibgp policy out enforce-modifications" in the global bgp config

Thanks, that is it! Unfortunately the command name is a little bit
confusing, I was trying to find it, but I was checking the commands
starting with "bgp", no idea why they called it so differently.

Cisco docs are really not helpful:
http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.1/routing/command/reference/b_routing_cr41crs_chapter_01.html#wp473953414

Do you know which other attributes it allows to change except the next-hop?

-- 
Grzegorz Janoszka




Re: [c-nsp] Replacing route policies in IOS XR

2012-03-07 Thread Grzegorz Janoszka
On 07-03-12 05:17, John Neiberger wrote:
> I'm relatively new to route policies in IOS XR. I have a route policy
> on a production router that needs to be replaced. The documentation
> doesn't exactly make it clear how to do this properly. Is it as simple
> as pasting an entirely new route policy in config mode and committing
> it? I see that there are methods for editing the policy directly from
> the CLI, but that doesn't seem like what I want or need. Since route
> policies don't use line numbering, I'm worried that I might end up
> with some weird merged policy. If we're just replacing the entire
> thing, is it a simple paste and commit?

John,

In the configuration mode you just replace the whole policy. Remember
you can always use "commit confirmed" if you are unsure.

-- 
Grzegorz Janoszka


Re: [c-nsp] NSR in ASR 9000

2011-12-04 Thread Grzegorz Janoszka
On 03-12-11 18:30, Prashanth kumar wrote:
> I am new to the ASR 9000 family. We are migrating some of the border routers to
> ASR 9000. These have 2 RSPs (Route Switch Processor), one is active and the
> other standby. It is in production. We have the RSPs synched and RSP1 is
> showing NSR ready (see below). Is the ASR RP switchover seamless, i.e.
> do the OSPF and BGP (TCP) sessions get carried over to the standby RP, or will
> the neighbor relation get reset? The neighbor routers do not support
> Graceful restart (GR).

The impact of the switchover depends on how you configured your protocols
on this ASR and on the other sides. For OSPFv2 and BGP you may have full
NSR (no support from the other side required), for OSPFv3 you may have
graceful restart only (and the other side has to support it).

> We don't have NSR turned on for routing protocols BGP and OSPF. I have 2
> questions: will turning on NSR under OSPF cause the OSPF neighbor relationship
> to be reset, and for BGP I think I need to reset the neighbor sessions for it to
> kick in.

Turning on NSR or graceful switchover for this protocol will have no
impact (no session flaps), but remember that graceful so is something
that you negotiate, so you have to reset your OSPF sessions to enable
graceful so.

-- 
Grzegorz Janoszka


Re: [c-nsp] 6500 CoPP + IPv6 fragments

2011-06-29 Thread Grzegorz Janoszka
On 29-06-11 17:04, Bernhard Schmidt wrote:
> I have a few 6500 Sup720/3BXL boxes running various releases of
> 12.2(33)SXI and SXJ that seem to drop all IPv6 fragments in transit as
> soon as CoPP is enabled. There are no CoPP drops logged. Even when I
> remove all police lines from the policy-map the packets still get
> dropped. As soon as I disable CoPP the packets get through.

Bernhard,

We have had the same issue for the last ~week, however our v6 copp has been
quite good for the last couple of months. We also saw transit traffic being
dropped. Had to remove the default copp class-map to get things working.

When did you install v6 copp? Have you had the issue since the very
beginning or just recently?

-- 
Grzegorz Janoszka


Re: [c-nsp] 6500 CoPP + IPv6 fragments

2011-06-29 Thread Grzegorz Janoszka
On 29-06-11 21:31, Bernhard Schmidt wrote:
> Is your CoPP similarly structured to mine?

More or less it is.

Richard Gallagher's suggestion about CSCsa78144 was really helpful in
our case and helped. Thanks!

-- 
Grzegorz Janoszka


Re: [c-nsp] 6500 CoPP + IPv6 fragments

2011-06-29 Thread Grzegorz Janoszka
On 29-06-11 23:08, Bernhard Schmidt wrote:
> FWIW, "platform ipv6 acl fragment hardware forward" fixed the drop for
> me as well. But I still cannot see why it dropped before, since CoPP was
> not dropping a single packet according to "show policy-map
> control-plane".

According to Wikipedia there can be no fragmented packets on IPv6. So
what is the whole issue about? What can be the source of v6 fragments?
Can they be safely dropped?

-- 
Grzegorz Janoszka


[c-nsp] IOS-XR: Permanent set default-afi all

2011-06-22 Thread Grzegorz Janoszka

There is a handy command on the IOS-XR: "set default-afi all" (it makes
the output of "show ip bgp summary" more juniper like), but it affects
only the current session though. Any way to make it default? Can it be
somehow set in your username settings?

-- 
Grzegorz Janoszka


Re: [c-nsp] HSRP/VRRP scalabilty

2011-03-02 Thread Grzegorz Janoszka
On 02-03-11 10:08, jack daniels wrote:
> Dear Experts,
>
> If we want to configure a gateway for 1000 VLANs on Cisco 7600 (HSRP
> will be an issue as it supports only 256 HSRP groups). Any solution for
> the same -
>
> I have thought of two solutions but don't know whether they will scale
> or work out, please help me in suggesting -
>
> Solution 1 - (I heard there is something called "Follow up") can
> you guide me to any solution document for this.
>
> Solution 2 - Another solution for the same I think is if - There are
> incoming 4 vlans (Vlan 1, Vlan 2, Vlan 3, Vlan 4 - IP address subnet
> same on all four vlans) and if I translate on Layer 2 medium these
> four vlans to Vlan 5 and configure IP address (Gateway IP address on
> which HSRP will run) on this VLAN 5. Is this thing possible on Layer
> 2 medium - if I use VLAN translation or use fundamentals of imposing S
> tag. Please suggest how this will work.

Solution 3 - HSRP version 2, up to 4096 groups:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gthsrpv2.html
We use it with SXI, works well.


-- 
Grzegorz Janoszka


Re: [c-nsp] Combining v4 and v6 Route-Maps for BGP Peers

2011-02-04 Thread Grzegorz Janoszka
On 04-02-11 23:06, Devon True wrote:
>>> route-map foo permit 10
>>>  match ip next-hop foo
>>>  match ipv6 next-hop bar
>>>
>>> Would that match v4 or v6, depending on the address type?
>>
>> haven't checked in the lab, but strictly speaking, the above map would
>> require both conditions to be met, which is not possible for any given
>> prefix ;-) so I doubt this works.
>
> I was able to test it in a lab after I sent the email, and it did not
> work. I ended up using the route-map example you show below as a
> work-around.

For me it worked on 6500 SXI afair. For sure it works on IOS XR.

-- 
Grzegorz Janoszka


[c-nsp] Warm reload in Cisco 6500

2011-01-03 Thread Grzegorz Janoszka

There is a nice feature in Cisco IOS:
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/warm_reload.html

According to Cisco software advisor (Find software with the features I
need), it is available in 12.2 for C6500/SUP720 in all releases of
trains SXH and SXI.

However none of our C6500 with SXI (even the latest one SXI5) seems to
accept the commands for warm reload.

Do you see it enabled on your SXH or SXI? Has anyone used it with C6500?
Thanks for any hints.


Kind regards,

-- 
Grzegorz Janoszka


Re: [c-nsp] HSRP/VRRP, IPv6 and IOS XE?

2010-12-09 Thread Grzegorz Janoszka
On 09-12-10 22:22, Gert Doering wrote:
> On Thu, Dec 09, 2010 at 08:54:27PM +0100, Arie Vayner (avayner) wrote:
>> I was just updated by the BU that this feature is now listed in FN...
>
> Confirmed!  HSRP for IPv6 is now listed for IOS XE 3.1S

Please pay attention whether this is HSRP on link-local addresses only,
or the better one on global addresses as well. One may get disappointed
with being forced to use link-local IP's as gateways.
At least on the normal IOS they were implemented separately.

-- 
Grzegorz Janoszka


Re: [c-nsp] 7609_uRFP Performance Impact

2010-11-19 Thread Grzegorz Janoszka

On 19-11-10 17:58, Nick Hilliard wrote:

> On 18/11/2010 20:02, Victor Lyapunov wrote:
>> I am examining the prospect of enabling urfp in a cisco 7609 / RSP 720
>> platform, for subscriber facing interfaces.
>
> Just be aware that enabling ipv6 urpf on an interface will cause that ipv6
> traffic to be forwarded in software.


I guess it is also a case with 6500 sup720, isn't it? Does it depend on 
software version?



--
Grzegorz Janoszka


Re: [c-nsp] SXI4a or SXI5

2010-11-14 Thread Grzegorz Janoszka

On 14-11-10 05:26, Randy McAnally wrote:

> For the record, the upgrade from SXF to SXI5 was smooth and painless.
> Upgraded standby, failed over, reboot primary, back to SSO.


Please note, according to release notes, you are supposed to upgrade 
rommon of your 67xx blades to at least 12.2(18r)S1.
However unintentionally we had some blades running earlier rommon and 
SXI with no problems at all.


--
Grzegorz Janoszka


Re: [c-nsp] SXI4a

2010-10-15 Thread Grzegorz Janoszka

On 15-10-10 10:00, Phil Mayers wrote:

> On 10/14/2010 07:33 PM, Grzegorz Janoszka wrote:
>> On 14-10-10 09:40, Alexander Clouter wrote:
>>> SXI4a is working fine on one of our 6500's and I updated from SXI3 to
>>> SXI4a on the other two on Tuesday. No problems so far, although:
>>
>> Just discovered an interesting bug on SXI4. Take an interface, run
>> standby version 2 there, create an IPv6 HSRP address, ie:
>> standby XXX ipv6 2001:db8:1:2::1/64
>> then, (not earlier) create an IP from this subnet on the interface:
>> int GiX/Y
>> ipv6 address 2001:db8:1:2::2/64
>> after that run:
>> show ipv6 route 2001:db8:1:2::3
>> interesting, huh?
>
> I'm not seeing anything interesting under SXI4a. Can you be more
> specific about what you're seeing?

The route was not inserted into routing table. Maybe on SXI4a it has 
been corrected. Cisco often doesn't publish all the bugs they fix.


--
Grzegorz Janoszka


Re: [c-nsp] SXI4a

2010-10-14 Thread Grzegorz Janoszka

On 14-10-10 09:40, Alexander Clouter wrote:

> SXI4a is working fine on one of our 6500's and I updated from SXI3 to
> SXI4a on the other two on Tuesday.  No problems so far, although:


Just discovered an interesting bug on SXI4. Take an interface, run 
standby version 2 there, create an IPv6 HSRP address, ie:

standby XXX ipv6 2001:db8:1:2::1/64
then, (not earlier) create an IP from this subnet on the interface:
int GiX/Y
ipv6 address 2001:db8:1:2::2/64
after that run:
show ipv6 route 2001:db8:1:2::3
interesting, huh?

--
Grzegorz Janoszka


Re: [c-nsp] Preferring OSPF over BGP

2010-08-14 Thread Grzegorz Janoszka

On 14-8-2010 1:46, Andrew Miehs wrote:

> Actually, I think he said that it was learned via OSPF and eBGP, and that these
> routers were preferring the eBGP route.


Correct.


> What I don't understand is why the OSPF route is not more specific? Or is this
> another case of announcing /24s (or even smaller blocks) via eBGP?


It is just the same /24 route belonging to one internet exchange. Most 
IX prefixes are forbidden to be announced, but this one is unfortunately 
the exception :/


--
Grzegorz Janoszka


Re: [c-nsp] Preferring OSPF over BGP

2010-08-14 Thread Grzegorz Janoszka

On 14-8-2010 1:07, sth...@nethelp.no wrote:

> Well now. Cisco has for many years recommended having the *same*
> administrative distance for iBGP and eBGP, as in
>
> distance bgp 200 200 200
>
> Wouldn't this accomplish what you need?


Steinar,

Could you point me to any link with such recommendations? And if they, 
as you say, have recommended it for many years, why does IOS XR still have the 
same unchanged default values of administrative distance, while it has 
many other IOS defaults updated?


--
Grzegorz Janoszka


[c-nsp] Preferring OSPF over BGP

2010-08-13 Thread Grzegorz Janoszka


If a router has different sources (different routing protocols) for the 
same route, it chooses the one with the smallest administrative distance:


http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml

The problem in short: there is a pretty big network with many routers, 
Cisco only. One of them has a network connected which it redistributes 
to OSPF. All other routers see the route via OSPF and via eBGP. Because 
of default administrative distance values, eBGP route always wins, so 
the traffic to that network from all routers but the one connected, 
always chooses external carriers, not the internal network.


One of the solutions is to change globally administrative distance for 
OSPF or BGP. However it is pretty dangerous to do it for all the routes 
on the core routers and Cisco even advises:


"a change in the administrative distance can lead to routing loops and 
black holes. So, use caution if you change the administrative distance."


I thought about setting lower administrative distance in a 
route-map/route-policy, but it seems impossible.


Right now we have filtered such prefixes from eBGP peers, but it leads 
to total unavailability when the connected route goes down.


Do you know any solutions to prefer the route (connected on another 
router) over eBGP? The only solution that comes to my mind is to 
redistribute connected to iBGP with higher local-preference than eBGP, 
but maybe you know some better way to achieve the goal.


Thanks for any advice.

--
Grzegorz Janoszka
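
The route selection described in the post above, modelled as an added example (not part of the original message and not Cisco code). It assumes the Cisco IOS default administrative distances, a constructed prefix 192.0.2.0/24 and constructed next-hop labels, and it reduces BGP best-path selection to local-preference followed by eBGP-over-iBGP.

```python
from dataclasses import dataclass

# Cisco IOS default administrative distances; the lowest value wins.
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}
BGP = ("ebgp", "ibgp")
PREFIX = "192.0.2.0/24"  # constructed documentation prefix standing in for the /24


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str           # "ospf", "ebgp", "ibgp", ...
    next_hop: str         # constructed label: "core" or "carrier"
    local_pref: int = 100  # only meaningful for BGP paths


def bgp_best(paths):
    """Simplified BGP best path: highest local-pref, then eBGP over iBGP."""
    if not paths:
        return None
    return max(paths, key=lambda r: (r.local_pref, r.source == "ebgp"))


def rib_winner(candidates, prefix=PREFIX, ad=DEFAULT_AD):
    """Return the route installed for `prefix`, or None if nothing is left.

    BGP first reduces its own paths to one best path; that path then
    competes with the other protocols on administrative distance.
    """
    routes = [r for r in candidates if r.prefix == prefix]
    contenders = [r for r in routes if r.source not in BGP]
    best = bgp_best([r for r in routes if r.source in BGP])
    if best is not None:
        contenders.append(best)
    if not contenders:
        return None
    return min(contenders, key=lambda r: ad[r.source])


# View from a router that is NOT the one with the connected network.
OSPF = Route(PREFIX, "ospf", "core")                   # redistributed connected
EBGP = Route(PREFIX, "ebgp", "carrier")                # same /24 from a carrier
IBGP = Route(PREFIX, "ibgp", "core", local_pref=200)   # connected -> iBGP idea


def source_of(route):
    return route.source if route else None


def scenarios():
    # "distance bgp 200 200 200" sets external, internal and local to 200.
    flat_bgp = {**DEFAULT_AD, "ebgp": 200, "ibgp": 200}
    return {
        # Defaults: eBGP (20) beats OSPF (110), traffic leaves via carriers.
        "default": source_of(rib_winner([OSPF, EBGP])),
        # Global distance change: OSPF (110) now beats eBGP (200).
        "distance_bgp_200": source_of(rib_winner([OSPF, EBGP], ad=flat_bgp)),
        # Filtering the prefix from eBGP peers: internal path is used ...
        "ebgp_filtered": source_of(rib_winner([OSPF])),
        # ... but nothing is left when the connected route goes down.
        "ebgp_filtered_link_down": source_of(rib_winner([])),
        # iBGP with higher local-pref wins inside BGP; OSPF still wins the RIB.
        "ibgp_localpref": source_of(rib_winner([OSPF, IBGP, EBGP])),
        # Without the OSPF redistribution the iBGP path itself is installed.
        "ibgp_localpref_no_ospf": source_of(rib_winner([IBGP, EBGP])),
        # Connected route down: OSPF and iBGP vanish, eBGP remains as backup.
        "ibgp_localpref_link_down": source_of(rib_winner([EBGP])),
    }


if __name__ == "__main__":
    for name, winner in scenarios().items():
        print(f"{name:26} -> {winner}")
```
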


Re: [c-nsp] Problems with dot1q trunk over EoMPLS with WS-X6148-GE-TX

2010-08-08 Thread Grzegorz Janoszka

On 8-8-2010 13:02, Marco Matarazzo wrote:

> Router1
> 6506 w/VS-S720-10G IOS 12.2(33)SXI2
> Customer facing blade: WS-X6148-RJ-45


Hi,

Afair SXI2 has memory leaks, please check if you are affected by them.


> Router1##sh mpls l2 vc 71172104 det
> Local interface: Fa2/32 up, line protocol up, Ethernet up
>    Destination address: x.y.z.56, VC ID: 71172104, VC status: up
>  Output interface: Te5/5, imposed label stack {700}
>  Preferred path: not configured
>  Default path: active
>  Next hop: x.y.z.14
>    Create time: 03:32:35, last status change time: 03:32:35
>    Signaling protocol: LDP, peer x.y.z.56:0 up
>  Targeted Hello: x.y.z.40(LDP Id) -  x.y.z.56
>  MPLS VC labels: local 969, remote 700
>  Group ID: local 0, remote 0
>  MTU: local 1500, remote 1500


If you are unable to raise MTU on fa2/32 (as well as on the other side) 
to 1998 or sth higher than 1500, then you cannot pass vlans and keep 
1500 MTU inside them.


--
Grzegorz Janoszka


Re: [c-nsp] IPv6: HSRP vs Anycast

2010-07-27 Thread Grzegorz Janoszka

On 26-7-2010 23:52, Billy Guthrie wrote:

> I came across a site that discussed IPv6, HSRP, and Anycast.
> http://www.clarksys.com/blog/2009/03/12/howto-subnet-ipv6/


It seems to be an old one.


> so when the time comes to implement IPv6 and HSRP (There is anycast).
>
> Is anyone using IPv6 Anycast in replace of HSRP?


We use just HSRP with a global unicast IPv6 address. It emerged recently 
in SXI4 and was also a surprise for us. We already prepared a scenario 
with a link-local HSRP gateway but (because of lack of elegance in it) 
we were quite lazy with deploying it. Luckily SXI4 appeared earlier and 
during routine 'release notes' review I discovered HSRP IPv6 global 
unicast address. It works really well, just as it should do.


http://www.cisco.com/en/US/docs/ios/12_2sx/12_2sxi/12_2_33_sxi4_newfeatlist.html

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-fhrp.html

--
Grzegorz Janoszka


Re: [c-nsp] smaller PI

2010-06-30 Thread Grzegorz Janoszka

On 30-6-2010 14:28, Sascha Pollok wrote:

> It is like it is. RIPE NCC allocates PI according to the demand
> within 12 months. If it is a /26, you'll get a /26. RIPE NCC does
> not guarantee that the block they allocate is routable.
>
> Tricky eh? There is a policy proposal to make PI blocks at
> least /24 in case it is planned to announce them to the DFZ.


It has been changed recently, now your needs will be met only for 9 
months. It is the run out fairly policy. In a couple of months it will 
be 6 months, eventually 3. And then the IP's will be over.


--
Grzegorz Janoszka


Re: [c-nsp] Centos upload speed slower on 1000m than 100m over WAN links

2010-06-27 Thread Grzegorz Janoszka

On 27-6-2010 8:03, Paul wrote:

> If I set the port speed to 100 megabits full duplex on the switch and
> server, the clients that get 1-5MB/s now get 11MB/s which is
> approximately the limit of the 100mbit port. Totally stumped here, tried
> different nics, servers, even 4 different switches. It is a very
> interesting problem and I'm probing to see
> if anyone else has encountered it. So far the only OS I have tried is
> centos, but different versions and kernels and hardware.


We had the same issue with Centos, Broadcom NIC and Cisco switches. We 
discovered that other distros helped, downgrading Centos kernel could 
probably help as well.


We solved it reinstalling all affected Centos servers to Debian.

--
Grzegorz Janoszka


Re: [c-nsp] CRS-1 Hardware

2010-04-23 Thread Grzegorz Janoszka

On 23-4-2010 8:04, Pratap Reddy wrote:

> As per Cisco's documentation Multi Services Card should always be paired
> with Interface Module.
>
> Does this mean for each Line card one Multi Service card is required at the
> back of the chassis and
> Line card can not be used without it.


Correct, you always use them in pairs.

--
Grzegorz Janoszka


Re: [c-nsp] Multiprotocol BGP with Cisco

2010-04-19 Thread Grzegorz Janoszka

On 17-4-2010 11:59, Per Carlson wrote:

> It sure does, here's a v4+v6 over v4 example.
>
> router bgp 1
>   neighbor-group v4v6
>    remote-as 1
>    update-source Loopback0
>    address-family ipv4 unicast
>    !
>    address-family ipv6 unicast
>    !
>   !
>   neighbor 172.16.1.2
>    use neighbor-group v4v6
>   !
> end
>
> RP/0/7/CPU0:xr12k#sh bgp neighbor 172.16.1.2
> BGP neighbor is 172.16.1.2
>   Remote AS 1, local AS 1, internal link
>   Remote router ID 172.16.1.2
>    BGP state = Established, up for 00:07:32
>    Neighbor capabilities:
>  Route refresh: advertised and received
>  Graceful Restart (GR Awareness): received
>  4-byte AS: advertised and received
>  Address family IPv4 Unicast: advertised and received
>  Address family IPv6 Unicast: advertised and received
>
>   For Address Family: IPv4 Unicast
>    9 accepted prefixes, 7 are bestpaths
>    Prefix advertised 30, suppressed 0, withdrawn 0, maximum limit 524288
>
>   For Address Family: IPv6 Unicast
>    3 accepted prefixes, 0 are bestpaths
>    Prefix advertised 4, suppressed 0, withdrawn 0, maximum limit 131072


Can you do it for v6 peer? It is not possible to do it within the 
neighbor configuration, when I create a v4v6 neighbor group I get:


Failed to commit one or more configuration items during an atomic operation

!!% Change would result in neighbor (X:Y:W::Z) being activated with an 
invalid address family


So, Cisco IOS-XR on CRS-1 cannot receive v4 prefixes on v6 BGP session.

--
Grzegorz Janoszka


Re: [c-nsp] Multiprotocol BGP with Cisco

2010-04-19 Thread Grzegorz Janoszka

On 19-4-2010 14:17, Per Carlson wrote:

>> Can you do it for v6 peer?
>
> Yes. The same neighbor-group can be applied to a IPv6 peer:


Just a summary to archives (for posterity):

You can tunnel v6 prefixes on a v4 BGP session on a Cisco (iBGP and 
eBGP). You can tunnel v4 prefixes on a v6 iBGP session, you cannot on a 
v6 eBGP session, at least with IOS-XR.


--
Grzegorz Janoszka


[c-nsp] Multiprotocol BGP with Cisco

2010-04-16 Thread Grzegorz Janoszka


Does anybody know how to receive both v4 and v6 prefixes onto one BGP 
session? There is an RFC document about it, RFC2858, which is quite old (10 
years). I know some other vendors support it, as we have just got a peer 
which feeds us with both families' prefixes on one BGP session, at least 
it tries, as we always see only one type of addresses - v4 or v6, 
never both. Any tricks to do it with Cisco? We use IOS XR (CRS-1's), but 
we may also get this feed on a normal IOS (6500).


--
Grzegorz Janoszka


Re: [c-nsp] Multiprotocol BGP with Cisco

2010-04-16 Thread Grzegorz Janoszka

On 16-4-2010 20:47, Steve Bertrand wrote:

> You just have to activate the neighbor in both address-family, and have
> the appropriate prefix lists and other policy config applied in both.


For a common IOS I could imagine doing it in the way you described. The 
only problem is I am trying to achieve it with IOS XR (Cisco CRS-1). The 
syntax here is a little bit different - you activate address-family 
within the neighbor configuration and there is no way to activate v6 
family on v4 peer and v4 family on v6 peer. I opened a TAC case and the 
engineer first answered me "of course you can", then "no, you cannot", 
and then "I have to escalate it" ;)


--
Grzegorz Janoszka


Re: [c-nsp] SXH7 funny

2010-04-08 Thread Grzegorz Janoszka

On 8-4-2010 15:01, Shimol Shah wrote:

> The bug was an internal dev-test bug, hence the recovery/workaround. Am
> surprised why no one in the field had hit this in SXH till now. Now that
> it is, it is time to make it external and get the fix in SXH.


Is it normal to hide all the bugs at Cisco?

--
Grzegorz Janoszka
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco Security Advisory: Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability

2010-03-31 Thread Grzegorz Janoszka

On 30-3-2010 17:54, Rodney Dunn wrote:

> SXF17a?
>
> What you sent me shows:
>
> 05:04:11: %C6K_PLATFORM-2-PEER_RESET: RP is being reset by the SP
>
> %Software-forced reload
>
> = Start of Crashinfo Collection (14:12:13 UTC Wed Sep 6 2000)
> ==
> For image:
> Cisco Internetwork Operating System Software
> IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version
> 12.2(18)SXF16, RELEASE SOFTWARE (fc2)


Sorry, that was the only crashinfo we had. I just assumed it had to be 
the correct one and I did not do any further checks. So, in this case, 
SXF17a has not written any crashinfo, despite the messages on the 
console. There is no other crashinfo on any available filesystem on 
both route-processor and switch-processor.


List: anyone successfully running SXF17a? Anyone with 6504-E chassis?

--
Grzegorz Janoszka


Re: [c-nsp] Cisco Security Advisory: Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability

2010-03-29 Thread Grzegorz Janoszka
On 24-3-2010 17:00, Cisco Systems Product Security Incident Response 
Team wrote:

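> Cisco Security Advisory: Cisco IOS Software Multiprotocol Label
> Switching Packet Vulnerability
>
> Advisory ID: cisco-sa-20100324-ldp
>
> +------------+-----------------------------------+
> |   Major    | Availability of Repaired Releases |
> |  Release   |                                   |
> +------------+-----------------+-----------------+
> | 12.2SXF    | 12.2(18)SXF17a  | 12.2(18)SXF17a  |
> +------------+-----------------+-----------------+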

Has anyone tried SXF17a with a C6504-E chassis?

I got:

00:00:04: %C6K_PLATFORM-0-UNKNOWN_CHASSIS: The chassis type is not 
known.(0x4002)


%Software-forced reload

Unexpected exception, CPU signal 23, PC = 0x401A4578

And traceback followed.

Yes, I did check MD5 of the file on the router before rebooting.

--
Grzegorz Janoszka


Re: [c-nsp] /31 on a PTP Ethernet interface

2010-03-08 Thread Grzegorz Janoszka

On 8-3-2010 18:02, Manu Chao wrote:

> You needn't /30 anymore, rfc3021 is well supported for a while ;)


And what with ospf and /31?

--
Grzegorz Janoszka


[c-nsp] IPv6 nd ra suppress broken on SXI3?

2009-12-15 Thread Grzegorz Janoszka


We recently upgraded one of our routers to 12.2(33)SXI3 (from SXF). Soon 
after the upgrade one of our customers complained that he started to see 
RA messages. From the beginning on his interface we have "ipv6 nd ra 
suppress", I added "ipv6 nd ra mtu suppress", but the customer says he 
still sees that.

Has anyone seen broken ra suppression on SXI3?

--
Grzegorz Janoszka


Re: [c-nsp] Cisco IOS to IOS XR Conversion

2009-10-28 Thread Grzegorz Janoszka

Eduard Gheorghiu wrote:

There is an automatic translator tool but only available internally to Cisco
SE. It does a good job.


We have been using this tool, but its output was not fully accepted by 
our CRS-1 routers. It was at the beginning of 2009 and it is possible 
they fixed it.


--
Grzegorz Janoszka


Re: [c-nsp] CRS-1 etherchannel

2009-10-23 Thread Grzegorz Janoszka

Dmitry Kiselev wrote:

Could anybody answer me, is the etherchannel feature supported
on CRS-1 with 4-10GE modules (either, ports on single card or
cross-cards aggregation)?  I plan to use 4 10G ports as layer2
trunk and subinterfaces on it. Is it possible on CRS-1?


On CRS-1 it is called bundle-ethernet. You can do it on a set of ports 
within all the linecards you have.


--
Grzegorz Janoszka


Re: [c-nsp] instabilities with SXI2?

2009-09-04 Thread Grzegorz Janoszka

Morten Skriver wrote:

12.2(33)SXI2a was released on cisco.com yesterday.


Yes, I saw it yesterday, but does anyone know what they changed/fixed/broke?

http://www.ciscopaw.org/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html 
does not mention SXI2a.


--
Grzegorz Janoszka


Re: [c-nsp] IPV6 in general was Re: Large networks

2009-08-30 Thread Grzegorz Janoszka

Mohacsi Janos wrote:
I disagree. Not worse than DHCP. By the way how do you distribute 
parameters for local links?


DHCP fake offers are better filterable I think. With v6 we now use 
mostly static IP addressing. Still working for DHCP over v6.


--
Grzegorz Janoszka


Re: [c-nsp] IPV6 in general was Re: Large networks

2009-08-28 Thread Grzegorz Janoszka

Phil Mayers wrote:

Grzegorz Janoszka wrote:
Yes, unfortunately it is only link-local. I am just trying to figure 
out how to marry link-local with our global ipv6 assignments.


That's now the way it works AFAICT.

Basically, the routers still send router-advertisements. However, the 
link-local address in the next-hop is the HSRPv6 virtual IP, and floats 
between the active and backup.


So you only *need* the link-local.


No, my routers do NOT send ra. I disable it as an incredibly insecure 
mechanism.


--
Grzegorz Janoszka


Re: [c-nsp] IPV6 in general was Re: Large networks

2009-08-27 Thread Grzegorz Janoszka

Daniel Verlouw wrote:

No real experience with HSRP though, can anyone shed some light on that?
I understand it only works for link-local addresses?


Yes, unfortunately it is only link-local. I am just trying to figure 
out how to marry link-local with our global ipv6 assignments.


--
Grzegorz Janoszka


Re: [c-nsp] IPV6 in general was Re: Large networks

2009-08-27 Thread Grzegorz Janoszka

Phil Mayers wrote:

Grzegorz Janoszka wrote:

Daniel Verlouw wrote:

No real experience with HSRP though, can anyone shed some light on that?
I understand it only works for link-local addresses?


Yes, unfortunately it is only link-local. I am just trying to figure 
out how to marry link-local with our global ipv6 assignments.


That's now the way it works AFAICT.

Basically, the routers still send router-advertisements. However, the 
link-local address in the next-hop is the HSRPv6 virtual IP, and floats 
between the active and backup.


So you only *need* the link-local.


But it is strange indeed. We tell everyone that v6 is just the same as 
v4, but just the issues as above make our customers scared.


So, we assign 2001:0db8:85a3:08d3::/64 on a customer port, with a 
gateway fe80:0db8:85a3:08d3::1 - how does it look? Is it the same as we 
do with v4? :)


Do you have any plans for such IP division? I just thought about 
replacing first 16 bits of public v6 address with fe80, but maybe you 
have better ideas.


--
Grzegorz Janoszka


Re: [c-nsp] IPV6 in general was Re: Large networks

2009-08-27 Thread Grzegorz Janoszka

Phil Mayers wrote:
Do you have any plans for such IP division? I just thought about 
replacing first 16 bits of public v6 address with fe80, but maybe you 
have better ideas.


I don't understand; all link-local IPs are

fe80::/64

i.e. link-local are always fe80::::the mac

You can't change this I think.


Link-local IP's are fe80::/10, so I planned to use fe80::/16 in my 
network just by replacing first 16 bits of our public IP's.


Can anyone say whether this is a bad or wrong idea? :)

--
Grzegorz Janoszka


Re: [c-nsp] IPV6 in general was Re: Large networks

2009-08-27 Thread Grzegorz Janoszka

Daniel Verlouw wrote:

On Thu, 2009-08-27 at 12:51 +0200, Grzegorz Janoszka wrote:

Link-local IP's are fe80::/10, so I planned to use fe80::/16 in my 
network just by replacing first 16 bits of our public IP's.


Can anyone say whether this is a bad or wrong idea? :)


VRRPv6 (on Junos at least) requires you to statically configure
link-local addresses. We use the following scheme for each subnet:

fe80::<group id>:1/64 = virtual
fe80::2/64 = first router
fe80::3/64 = second router

(all done using a commit script btw, so no addt'l manual labour
involved)

We don't use HSRP (yet), but I guess you could employ this in an HSRP
environment as well and just tell -all- your customers to point to
fe80::X:1 as default gateway.


Yes, but I wanted to have the LL addresses unique in our whole network. 
I can take group id, but what if you move a customer from one router to 
another and the given hsrp group id is already occupied? Yes, a solution 
would be to have hsrp groups totally unique in our network, but AFAIK 
the group id can be only 0-255, so it is way too little.


I planned to use something unique and I wanted to make link-local out of the 
main v6 of the interface.


Why did they make v6 so complicated? What is wrong with public IP's on 
vrrp/hsrp?


--
Grzegorz Janoszka


Re: [c-nsp] IPV6 in general was Re: Large networks

2009-08-27 Thread Grzegorz Janoszka

Daniel Verlouw wrote:

On Thu, 2009-08-27 at 14:13 +0200, Grzegorz Janoszka wrote:
Why did they make v6 so complicated? What is wrong with public IP's on 
vrrp/hsrp?


VRRPv6 -does- use global unicast addresses, so you can just tell your
clients to point to the global unicast address. 


Could you please point me to a cisco.com webpage confirming that?

--
Grzegorz Janoszka


Re: [c-nsp] IPV6 in general was Re: Large networks

2009-08-27 Thread Grzegorz Janoszka

Phil Mayers wrote:
Hmm. So in theory you can configure a router to advertise 
fe80:something::/64 as the link prefix?


Ok; why would you want to? Link-local prefixes are still link-local, it 
just requires an extra line of config to make bits 11-64 the same as the 
unicast prefix.


You cannot have the same link-local IP's on different ifaces, can you?
But maybe for IPv6 of 64-bit-network-prefix::/64 you may create 
fe80::64-bit-network-prefix as a gateway?


--
Grzegorz Janoszka

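Added example, not part of any post in this thread: the two numbering ideas raised in the messages above (overwrite the first 16 bits of the global /64 with fe80, or use fe80:: followed by the 64-bit network prefix), checked against the fe80::/64 layout that RFC 4291 gives for link-local addresses and against the poster's goal of network-wide uniqueness. Function names are hypothetical and the second sample prefix is constructed.

```python
import ipaddress

LL10 = ipaddress.IPv6Network("fe80::/10")   # whole link-local range
LL64 = ipaddress.IPv6Network("fe80::/64")   # RFC 4291 layout: bits 11-64 are zero

def _net64(prefix):
    """Return the /64 network address as an integer, rejecting other lengths."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64, got /%d" % net.prefixlen)
    return int(net.network_address)

def ll_replace_top16(prefix, host=1):
    """Scheme A: overwrite the first 16 bits of the global /64 with fe80."""
    low112 = _net64(prefix) & ((1 << 112) - 1)
    return ipaddress.IPv6Address((0xFE80 << 112) | low112 | host)

def ll_prefix_as_iid(prefix):
    """Scheme B: fe80:: with the 64-bit network prefix as the interface ID."""
    return ipaddress.IPv6Address((0xFE80 << 112) | (_net64(prefix) >> 64))

def classify(addr):
    """Say which link-local layout, if any, an address fits."""
    addr = ipaddress.IPv6Address(addr)
    if addr in LL64:
        return "fe80::/64"
    if addr in LL10:
        return "fe80::/10 with non-zero bits 11-64"
    return "not link-local"

def collisions(prefixes, scheme):
    """Map each derived address to the prefixes sharing it (only if more than one)."""
    seen = {}
    for p in prefixes:
        seen.setdefault(str(scheme(p)), []).append(p)
    return {addr: ps for addr, ps in seen.items() if len(ps) > 1}

# First prefix is the one used in the thread; the second is constructed and
# differs from it only in the first 16 bits.
PREFIXES = ["2001:0db8:85a3:08d3::/64", "2a00:0db8:85a3:08d3::/64"]

if __name__ == "__main__":
    for scheme in (ll_replace_top16, ll_prefix_as_iid):
        for p in PREFIXES:
            a = scheme(p)
            print(scheme.__name__, p, "->", a, "|", classify(a))
        print("  collisions:", collisions(PREFIXES, scheme))
```

Scheme A reproduces the fe80:0db8:85a3:08d3::1 gateway from the thread but discards 16 bits of the prefix, so two global prefixes can map to one address; scheme B keeps all 64 bits and stays inside fe80::/64.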

Re: [c-nsp] IPV6 in general was Re: Large networks

2009-08-27 Thread Grzegorz Janoszka

Daniel Verlouw wrote:

On Thu, 2009-08-27 at 14:45 +0200, Grzegorz Janoszka wrote:

You cannot have the same link-local IP's on different ifaces, can you?


sure you can, that's what link-local is for.

dan...@jun1. show interfaces | match fe80::2$ | count 
Count: 16 lines


So, can I have just fe80::1 as a virtual gateway on all interfaces in my 
network? I thought it was not possible. Does someone have such a setup 
with Cisco?


--
Grzegorz Janoszka


[c-nsp] LACP on high latency links

2009-08-17 Thread Grzegorz Janoszka


Hi,

Anyone running LACP on links with latency about 10 ms or higher? With 
local links and latency ~1 ms we have no problems at all, it just works 
perfect, however recently we ran into strange issues with CRS-1 (IOS-XR 
3.6.2) and LACP on remote links with latency 10 ms or higher. When we 
try to add a link into a bundle (CRS-1's name of the port-channel) which 
has already had an interface assigned and up, the whole bundle stops 
sending packets. The bundle-ether interface is up, however it does not 
send any packets. The only thing that helps is to deassign all ifaces 
from the bundle, shut them down, then enable them and add them to the 
bundle again.

Does anyone know any cisco bugs with LACP and IOS-XR?

Any help would be appreciated, regards,

--
Grzegorz Janoszka


Re: [c-nsp] Freezing counters at 6500

2009-08-06 Thread Grzegorz Janoszka

Kevin Loch wrote:

Try adjusting 'service counters max age' to zero if you haven't already.
As others have pointed out a delay of 3-4 minutes is not normal.
What does your SP (not RP) cpu usage look like?  Try disabling netflow
if your SP cpu usage is maxing out.


Are there any snmp oids we can use to have access to the real counters, 
not the 'soft' ones?


--
Grzegorz Janoszka


Re: [c-nsp] Freezing counters at 6500

2009-07-29 Thread Grzegorz Janoszka

Gert Doering wrote:

Well, I think this is just the way this architecture works.  The hardware
does the actual counting, and every now and then a low-prio process grabs
all the counters from the hardware and fills in SNMP variables.


Hi, thanks for the answer. Is there any way to somehow slightly increase 
priority of this process? Please note that 'show int' also has 'frozen' 
data.


--
Grzegorz Janoszka


Re: [c-nsp] Freezing counters at 6500

2009-07-29 Thread Grzegorz Janoszka

Kevin Loch wrote:

Try adjusting 'service counters max age' to zero if you haven't already.


It has not changed anything.


As others have pointed out a delay of 3-4 minutes is not normal.
What does your SP (not RP) cpu usage look like?  Try disabling netflow
if your SP cpu usage is maxing out.


Disabling netflow helps. But the SP is not so heavily loaded:

#remote command switch sh proc cpu | i seco
CPU utilization for five seconds: 19%/1%; one minute: 41%; five minutes: 40%

#remote command switch sh proc cpu | i NDE
 269  64 1  64000  0.00%  0.00%  0.00%   0 Netflow 
NDE Task

 4702128   1711723  12463  3.19%  5.75%  5.67%   0 NDE - IPV4
 4711120 95010 11  0.00%  0.00%  0.00%   0 NDE - MPLS
 472 792 95010  8  0.00%  0.00%  0.00%   0 NDE - L2
 473  805240158391   5083  0.00%  0.00%  0.00%   0 NDE - IPV6

--
Grzegorz Janoszka


Re: [c-nsp] Freezing counters at 6500

2009-07-28 Thread Grzegorz Janoszka

Grzegorz Janoszka wrote:
We have several 6500's, some of them heavily loaded. We use snmp to 
graph traffic on all interfaces - just the simplest solution. For some 
time we have had an issue with the interface counters. When the CPU box 
is really loaded (usually synchronization of BGP sessions), the counters 
just freeze. The important thing is that only the displaying freezes, 
the counters are still counting. Both snmp and 'show interface' data is 
frozen and does not update for a varying time - from 30 seconds to 3-4 
minutes. As a result we have spikes on graphs - there is always a spike 
down, when snmp gives frozen data from the past, and after that a spike 
up, when the counters unlock and start displaying correct data.


Just forgot to add - we have this issue with SXF14, 15, 16 and SXI1.

--
Grzegorz Janoszka


[c-nsp] Freezing counters at 6500

2009-07-28 Thread Grzegorz Janoszka


Hi,

We have several 6500's, some of them heavily loaded. We use snmp to 
graph traffic on all interfaces - just the simplest solution. For some 
time we have had an issue with the interface counters. When the CPU box 
is really loaded (usually synchronization of BGP sessions), the counters 
just freeze. The important thing is that only the displaying freezes, 
the counters are still counting. Both snmp and 'show interface' data is 
frozen and does not update for a varying time - from 30 seconds to 3-4 
minutes. As a result we have spikes on graphs - there is always a spike 
down, when snmp gives frozen data from the past, and after that a spike 
up, when the counters unlock and start displaying correct data.


Have you had similar problems? It is not a big issue, only the graphs 
do not look so nice with the rows of spikes down/up. If there is a simple 
solution to the problem we would like to know it.


Kind regards,

--
Grzegorz Janoszka


Re: [c-nsp] netflow sampling

2009-05-19 Thread Grzegorz Janoszka

Marlon Duksa wrote:

I see. Thanks. Do you know of any 'non-sampled' implementation (by vendor)
or deployment (network) where all traffic is accounted for? What would you
normally use for a more accurate accounting/billing? Thanks,


You can set sampling parameters not to lose any flow. But the amount of 
the data will be so huge, that you will be unable to store/process it.


--
Grzegorz Janoszka


Re: [c-nsp] 3/11 (invalid or corrupt AS path)

2009-02-16 Thread Grzegorz Janoszka

Ozar wrote:

I am starting to see random BGP neighbor messages from multiple neighbors on
different boxes.

%BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or corrupt
AS path) 516 bytes

I don't see much documentation on this, and we are in the process of opening
a TAC case, just curious if anyone else has seen these and may be able to
shed some light.


No, it is not a software error, it is an extremely long as-path:

AS path: 3356 29113 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 I


--
Grzegorz Janoszka

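Added example, not part of the post above or of any vendor tooling: a small checker that parses path lines in the format quoted in that post and flags very long paths and long runs of one repeated AS. The thresholds (50 hops, 10 repeats), the function names and the sample lines are constructed assumptions; the repeat count of 47868 in the sample is not the count from the post.

```python
import re
from itertools import groupby

ORIGIN_CODES = {"I", "E", "?"}  # origin marker printed after the path, as in the post

def parse_as_path(line):
    """Parse 'AS path: 3356 29113 ... I' into (hops, origin).

    A hop is an int, or a frozenset for an AS_SET written in braces; an
    AS_SET counts as a single hop when path length is compared.
    """
    text = re.sub(r"^\s*AS path:\s*", "", line.strip(), flags=re.IGNORECASE)
    tokens = re.findall(r"\{[^}]*\}|\S+", text)
    origin = tokens.pop() if tokens and tokens[-1] in ORIGIN_CODES else None
    hops = []
    for tok in tokens:
        if tok.startswith("{") and tok.endswith("}"):
            members = re.split(r"[,\s]+", tok[1:-1].strip())
            hops.append(frozenset(int(m) for m in members if m))
        elif tok.isdigit():
            hops.append(int(tok))
        else:
            raise ValueError("unexpected token %r in AS path" % tok)
    if not hops:
        raise ValueError("empty AS path")
    return hops, origin

def assess(hops, max_len=50, max_run=10):
    """Summarise one path and list policy findings (limits are assumptions)."""
    runs = [(asn, sum(1 for _ in grp)) for asn, grp in groupby(hops)]
    worst_asn, worst_run = max(runs, key=lambda r: r[1])
    findings = []
    if len(hops) > max_len:
        findings.append("path-too-long")
    if worst_run > max_run:
        findings.append("excessive-prepend")
    return {
        "length": len(hops),
        "distinct": len(set(hops)),
        "worst_run": (worst_asn, worst_run),
        "findings": findings,
    }

def scan(lines, **limits):
    """Assess every path line; returns one result dict per line."""
    return [assess(parse_as_path(line)[0], **limits) for line in lines]

# Constructed sample input (ASNs in the first line are those shown in the post).
SAMPLE = [
    "AS path: 3356 29113 " + "47868 " * 250 + "I",
    "AS path: 64500 64501 {64510 64511} 64502 I",
    "AS path: 64500 64496 64496 64496 ?",
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE, scan(SAMPLE)):
        print(line[:40].ljust(40), result)
```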

[c-nsp] How to match local IP address?

2008-10-21 Thread Grzegorz Janoszka


Is there a way to automatically match local (static, connected) IP 
subnets and deny ospf/bgp routes? Something like:


route-map name permit 10
 match connected

I use soft SHX or SXF.

We tried something like:
1. match route-type external
2. permit any

but it did not work. Thanks in advance for your help.

--
Grzegorz Janoszka


Re: [c-nsp] How to match local IP address?

2008-10-21 Thread Grzegorz Janoszka

David Prall wrote:

What exactly are you trying to do?

Redistribute connected and redistribute static only match those, no need for
a route-map. Or are you attempting to advertise these to a particular BGP
peer?


Announce connected network with no-export community - it may be a lot of 
smaller prefixes.

The big aggregate prefixes will be announced statically in other places.

--
Grzegorz Janoszka


Re: [c-nsp] How to match local IP address?

2008-10-21 Thread Grzegorz Janoszka

Marko Milivojevic wrote:

How about something like this?

route-map Connected-Routes
 set community no-export
!
router bgp XXX
 address-family ipv4
 redistribute connected route-map Connected-Routes
!

If you wish to assign community for specific interfaces only, you
can do something like:

route-map Connected-Routes permit 10
 match interface XXX
 match interface YYY
 set community no-export
!
route-map Connected-Routes permit 999


It is a kind of idea, however it is a rather complicated setup. The 
biggest disadvantage is that the interface list has to be updated. Let's 
say I insert a new blade to a free slot, then I have to update the 
route-map. Another disadvantage may be length of the route-map - if I 
have 4x48 ports, then it has almost 200 match entries - I do not know if 
Cisco allows for so many match entries.


However it is a way to do it. I think I would slightly modify it and 
use, thanks. If you have another idea I will appreciate it.


--
Grzegorz Janoszka


Re: [c-nsp] How to match local IP address?

2008-10-21 Thread Grzegorz Janoszka

David Prall wrote:

How are the connected prefixes getting into BGP?
Is it redis connected, network statements, or redis of IGP?
Should be able to set a community via route-map on a redistribution, I've
never tried NO-EXPORT though.


Is the below possible?

route-map redistribute-connected permit 10
 match ip address prefix-list ABC
 set community no-export
!
router bgp XYZ
 redistribute connected subnets route-map redistribute-connected

Is it possible to set the bgp community in the redistribute route-map? 
Will this community be sent to the transit (of course if not overwritten 
by peer outgoing route-map)? Has anyone tried such a setup?


--
Grzegorz Janoszka


Re: [c-nsp] Modifying ACLs on production router

2008-10-06 Thread Grzegorz Janoszka

Justin Shore wrote:
The simplest thing is to prepare a file containing no acl XXX and 
then redefinition of the acl, put it on a tftp server and load it using:

copy tftp://I.P.I.P/acl running-config

You do not need any extra tricks to do it, like temporary acl's and so 
on.


I don't believe that this is instantaneous.  This still has the problem 
of blocking at least some traffic while the lines of config are loaded. 
 While this may not be perceived as a big problem for some networks and 
some traffic patterns, this will kill TCP sessions when the either end 
receives a TCP reset.  I suspect that it will also jack with SIP and 
MGCP sessions when an ICMP port unreachable is sent in response to 
reject RTP datagrams.  That wouldn't be good.


So, configure the port not to send any icmp, nor tcp rst packets and you 
will not lose any connection.


--
Grzegorz Janoszka


Re: [c-nsp] Modifying ACLs on production router

2008-10-05 Thread Grzegorz Janoszka

Matlock, Kenneth L wrote:

So from then on, I've always removed the ACL from the interface, removed the 
ACL, rebuilt it, and re-applied it to the interface. If you have the lines 
copied into a clipboard, you can paste the stuff in fairly quickly, and not 
really allow much 'bad' traffic in.


The simplest thing is to prepare a file containing no acl XXX and then 
redefinition of the acl, put it on a tftp server and load it using:

copy tftp://I.P.I.P/acl running-config

You do not need any extra tricks to do it, like temporary acl's and so on.

--
Grzegorz Janoszka