Re: [c-nsp] Load-sharing with two links to the same ISP
This might help: http://www.nil.com/ipcorner/LoadBalancingBGP/

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

-----Original Message-----
From: Matthew Melbourne [mailto:m...@melbourne.org.uk]
Sent: Friday, February 05, 2010 12:33 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Load-sharing with two links to the same ISP

Hi,

What techniques are available to load-share traffic on two links (of equal bandwidth) to the same ISP (same AS), given that BGP only enters the best path into the RIB? We could announce our prefixes over both links, splitting the preferred path announcements over the two links using either MED or ISP communities, but this only really addresses inbound traffic.

More of an issue is trying to load-share outbound traffic; we assume we'll learn the same set of prefixes over both links from the same ISP. One technique may be to simply split the IPv4 address space in half and set local-pref accordingly to prefer one link or the other depending on the destination IP prefix?

Cheers,

Matt
--
Matthew Melbourne
___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
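Matt's local-preference idea written out as an added configuration example (mine, not Ivan's article and not anything posted in the thread). The AS numbers, neighbor addresses and the customer prefix are assumed placeholders:

```ios
! Added example: outbound load-sharing across two links to the same ISP by
! splitting the destination address space in half (all addresses assumed).
ip prefix-list LOWER-HALF seq 5 permit 0.0.0.0/1 le 32
ip prefix-list UPPER-HALF seq 5 permit 128.0.0.0/1 le 32
!
! Link A (neighbor 192.0.2.1) is preferred for 0.0.0.0/1; everything else it
! sends us stays at the default local preference of 100 and acts as backup.
route-map FROM-ISP-LINK-A permit 10
 match ip address prefix-list LOWER-HALF
 set local-preference 200
route-map FROM-ISP-LINK-A permit 20
 set local-preference 100
!
! Link B (neighbor 198.51.100.1) is preferred for 128.0.0.0/1.
route-map FROM-ISP-LINK-B permit 10
 match ip address prefix-list UPPER-HALF
 set local-preference 200
route-map FROM-ISP-LINK-B permit 20
 set local-preference 100
!
! Only our own prefix ever leaves the router, on both links.
ip prefix-list OUR-PREFIXES seq 5 permit 203.0.113.0/24
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 prefix-list OUR-PREFIXES out
 neighbor 192.0.2.1 route-map FROM-ISP-LINK-A in
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 prefix-list OUR-PREFIXES out
 neighbor 198.51.100.1 route-map FROM-ISP-LINK-B in
!
ip route 203.0.113.0 255.255.255.0 Null0 254
```

Each destination half ends up with one best path and the other path remains in the BGP table as a backup, so losing either link moves every destination to the surviving link without any further configuration. If a per-flow split is preferred over a per-half split, the IOS alternative is `maximum-paths 2` under `router bgp`, which installs both eBGP paths from the same AS when their attributes are identical; the two approaches do not combine, because the local-preference difference created here disqualifies the paths from multipath.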
Re: [c-nsp] ip sla echo vrf with df-bit set?
Just guessing: local policy routing that sets the DF bit on ICMP ECHO traffic between two known IP addresses with the set ip df 1 command within the route-map. Let me know if it works ;)

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

-----Original Message-----
From: Christopher Hunt [mailto:dharmach...@gmail.com]
Sent: Thursday, January 28, 2010 12:05 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ip sla echo vrf with df-bit set?

I'm trying to set up a mechanism for ensuring end-to-end MTU in our L3 MPLS VPN network. I'd like to use ip sla tracking to do so and I have set up a monitor:

ip sla monitor 99
 type echo protocol ipIcmpEcho x.x.x.x
 request-data-size 1500
 vrf XYZ

Unfortunately, I cannot find any way to set the DF bit using ip sla monitor. Anyone know if it's available anywhere or coming soon? Can anyone else think of another strategy?

I'm currently running 12.4(22)T on a series of 7200VXRs.

Cheers,
Christopher Hunt
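Ivan's guess, written out as an added configuration example (not from the thread, and not tested by anyone in it). The probe addresses and the VRF name are assumed; whether router-generated probes in a VRF are matched by the local policy is exactly what the reply asks to have checked:

```ios
! Added example (assumed addresses and VRF): IP SLA echo in VRF XYZ with the
! DF bit set by local policy routing. Unverified, as the reply above says.
!
! 1472 bytes of ICMP payload + 8 bytes ICMP header + 20 bytes IP header
! gives exactly a 1500-byte IP datagram, i.e. the MTU we want to verify.
ip sla monitor 99
 type echo protocol ipIcmpEcho 10.0.0.1 source-ipaddr 10.0.1.1
 request-data-size 1472
 vrf XYZ
 frequency 30
ip sla monitor schedule 99 life forever start-time now
!
! Match only this probe, so no other router-generated traffic gets DF set.
ip access-list extended SLA-99-PROBE
 permit icmp host 10.0.1.1 host 10.0.0.1 echo
!
route-map SET-DF-ON-PROBE permit 10
 match ip address SLA-99-PROBE
 set ip df 1
!
! Local policy applies to packets the router itself originates.
ip local policy route-map SET-DF-ON-PROBE
!
! Track the probe so a path that can no longer carry 1500-byte packets
! shows up as a state change that EEM or a floating route can act on.
track 99 rtr 99 reachability
```

With DF set, any hop whose MTU is below 1500 has to drop the probe instead of fragmenting it, so a tracked state of down now means "path MTU below 1500" and not only "target unreachable". The older `ip sla monitor` / `track ... rtr` syntax is used here because that is what Christopher's 12.4(22)T configuration shows.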
Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
OK, it looks like I've over-engineered the solution ;)

The best solution (if you can make it work) would be to run BGP over the backup links and use BGP attributes to make backup links a less desirable BGP path.

Running OSPF on backup links and BGP on MPLS VPN can be made to work ... barely. I did a workshop once using almost exactly the same network. Each site was fully redundant with two routers, one connected to Internet, the other one to MPLS VPN network. I was able to make it work after a lot of tweaking and two-way redistribution, but I'm not sure anyone in the audience got all the details ;)

Your situation might be easier as you're using default routing from the central site, but do try to go for BGP everywhere.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

-----Original Message-----
From: Jason LeBlanc [mailto:jasonlebl...@gmail.com]
Sent: Wednesday, January 27, 2010 11:12 PM
To: Ivan Pepelnjak
Cc: 'Luan Nguyen'; 'Cisco-nsp'
Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Exactly. This is a secondary form of calling back home if the MPLS link or BGP breaks. We have static routes at the remote site pointing traffic over the IPSEC tunnel if it fails. If MPLS is lost we want the remote campus to be able to communicate with the main datacenter, which is also where the main MPLS router exists. We currently have VPN devices at the Datacenter that run OSPF on the home end.

MPLS Router 7200 --- {ATT MPLS Cloud} --
                                          \
Core 6500 -- Distribution Router 6500 --    -- Campus Router Cisco or Juniper SSG
                                          /
Site to site VPN Juniper ISG-1000 -- {ISP IPSEC VPN}

On Jan 27, 2010, at 11:22 AM, Ivan Pepelnjak wrote:

> Jason, are you trying to solve only the remote site problem? Is the main campus receiving specific routes for each remote site through the MPLS VPN cloud?
>
> -----Original Message-----
> From: Jason LeBlanc [mailto:jasonlebl...@gmail.com]
> Sent: Wednesday, January 27, 2010 1:48 AM
> To: Luan Nguyen
> Cc: 'Cisco-nsp'
> Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
>
> Current topology is pretty simple. ATT drops an MPLS circuit, either PPP Multilink Bundled T1's or an Ethernet hand off. On another interface we generally have an ethernet hand off from another ISP. We run BGP to move all the traffic around on one 172.x.x.x/30 and then our LAN is on 10.x.x.x. We have an outside IP address on another ethernet port which is the IPSEC termination point. BGP from our main campus injects a default route which we receive. Currently we just manually added static 0.0.0.0 routes out the tunnel interfaces with a metric of 32000. So when BGP drops off we will route over the IPSEC VPN Tunnel back home.
>
> Headquarters 172.1.1.1/30 -- ATTMPLS 172.1.1.2/30 -- ATTMPLS 172.2.2.1/30 -- Remote Campus 172.2.2.2/30 (running BGP) -- 10.1.1.1/24
> ISP-X Ethernet 200.1.1.1/30 -- Remote Campus 200.1.1.2/30 -- IPSEC VPN Tunnel.1 10.1.1.20/24 -- Headquarters Tunnel.1 10.1.1.21/24
> BGP provides default route
> Static 0.0.0.0 0.0.0.0 Tunnel.1 Metric 32000
>
> It is my assumption that if the traffic can't get to its destination because BGP has lost it, our backup link, the IPSEC VPN with the higher metric, will become the new default route.
Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
* Configure EBGP sessions over IPSec between remote sites and central site.
* On remote sites use EEM to detect MPLS VPN EBGP neighbor loss (either the default route is gone or you might rely on SNMP traps).
* When the MPLS VPN EBGP neighbor is down, enable the IPSec tunnel. Only then will the EBGP session be established and you'll get more specific routes over IPSec.

This will ensure that the IPSec tunnel on remote sites is operational only when the connectivity with the MPLS VPN cloud is gone, and so the central site uses the default route into the MPLS VPN cloud unless it has a more specific one over IPSec due to failure at one of the remote sites.

Note: You might want to use something else to detect MPLS VPN failure, for example IP SLA between remote router and central router. This will detect a failure anywhere in the end-to-end path.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

-----Original Message-----
From: Jason LeBlanc [mailto:jasonlebl...@gmail.com]
Sent: Tuesday, January 26, 2010 10:20 PM
To: Cisco-nsp
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Team,

This question was put out there before in another chain but I wasn't able to figure out the best solution. We have multiple campuses connecting to an MPLS VPN cloud running BGP internally. At some locations we have backup ISP services and an IPSec VPN tunnel over that. Currently BGP provides a default route to each campus as external BGP / Pref 40 / Metric 0. Our backup IPSec is in as a Static / Pref 20 / Metric 32000. When we lose BGP/MPLS VPN we want the IPSec tunnel to begin routing traffic between the campus and our main datacenter.

What is the best way to achieve this?

Thanks,
//LeBlanc
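The three steps above, plus the IP SLA variant from the note, as one added remote-site configuration (my example, not Ivan's or Jason's configuration). Addresses, AS numbers, interface names and the IPsec profile name are assumed; an IPsec profile called BACKUP-PROFILE is assumed to exist already:

```ios
! Added example (assumed addresses, ASNs, interface names): remote-site router
! with the MPLS VPN eBGP session as primary and an IPsec VTI to the central
! site as backup, brought up by EEM only while the MPLS path is down.
!
! Probe the central router through the MPLS VPN only. The host route pins the
! probe target to the MPLS-facing next hop, so once the backup tunnel is up
! the probe cannot succeed over it and flap the tracked object.
ip route 10.255.0.1 255.255.255.255 172.2.2.1
ip sla 10
 icmp-echo 10.255.0.1 source-ip 10.1.1.1
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! The tunnel stays administratively down while the MPLS path works, so the
! eBGP session over it (and the more specific routes) exist only in a failure.
interface Tunnel1
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BACKUP-PROFILE
 shutdown
!
router bgp 65010
 network 10.1.1.0 mask 255.255.255.0
 neighbor 172.2.2.1 remote-as 65000
 neighbor 10.200.0.2 remote-as 65001
 neighbor 10.200.0.2 route-map BACKUP-IN in
!
! Whatever is learned over the backup session ranks below the default 100.
route-map BACKUP-IN permit 10
 set local-preference 50
!
event manager applet MPLS-PATH-DOWN
 event track 10 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface Tunnel1"
 action 1.3 cli command "no shutdown"
 action 1.4 syslog msg "MPLS VPN path lost; IPsec backup tunnel enabled"
event manager applet MPLS-PATH-UP
 event track 10 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface Tunnel1"
 action 1.3 cli command "shutdown"
 action 1.4 syslog msg "MPLS VPN path restored; IPsec backup tunnel disabled"
```

The central site needs nothing special beyond an eBGP neighbor statement for each remote tunnel endpoint: while a tunnel is down the session does not exist and the central router keeps using its default into the MPLS cloud, as Ivan describes; when a remote site loses its MPLS path, the session comes up and the remote LAN prefix arrives as a more specific route over IPsec. The `delay` values on the track are there so a brief MPLS blip does not churn the tunnel and the BGP session.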
Re: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
> The problem is that the session stays active. I want the session to be lost. I believe the rules should be adhered to a bit more strictly.

The session DOES NOT stay active. The phone is stupid. It should have realized there's no reply and restart the session.

> If the current matching nat statement would result in a different value for the inside global address, then a new translation should be called for. It isn't actually all that hard to check for, conceptually.

And then you'd complain about the CPU load. What do you think is cheaper: checking the NAT table or NAT rules (including route maps) for every packet?

(What would you expect to happen when the DHCP client address changes on the egress interface? Or if you change the ip address on an interface referenced by the ip nat statement?) You'd lose all sessions, obviously. What else would you expect?

> Apparently, the end stations don't change the source port for new attempts.

Proves my point. The phone is stupid ;) There's a reason every new client session should use a new dynamic port number.

> This behavior has very disruptive end user symptoms.

Many stupid implementations have disruptive end-user symptoms. Microsoft Network Load Balancing with unknown unicast MAC addresses immediately comes to mind ;)

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info
Re: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
Just did a few tests with 12.4(24)T. IOS NAT is extra stupid when it comes to clearing the NAT translation table. Even though you have NAT rules tied to an interface (ip nat inside ... interface) they are not cleared when the interface IP address is lost or when the interface is shut down.

So (I guess) the best you can do is to catch changes in the tracked object's state with an EEM applet that clears all NAT translations.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> So what is the bottom line? Is this the best that can be done with simple end site redundancy with object tracking and without dynamic routing?
Re: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
Whenever the NAT outside IP address changes, the session has to be killed and restarted, as the NAT device cannot signal to the remote end that the outside source IP address has changed.

EEM clear ip nat trans * is probably the cleanest method. You might want to get more specific and use clear ip nat translation outside address to kill only the NAT translations tied to the failed IP address.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

-----Original Message-----
From: Joe Maimon [mailto:jmai...@ttec.com]
Sent: Sunday, January 24, 2010 5:06 PM
To: cisco-nsp
Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions

Hey All,

So as is commonly talked about, I have seen a number of end user sites with simple redundancy service using IOS routers. Multiple lines, could be the same provider, could be different providers, no dynamic routing, different source addresses, uRPF/SAV at the provider(s) is to be presumed. CBAC IOS firewall is also in place.

All this with event object tracking with policy routing and nat based on egress works just fine EXCEPT:

Long lived NAT sessions, especially the UDP ones, don't seem to become inactive when the egress changes. So the VOIP handsets are out of service after either a failover or failback. Obviously this is the visible problem symptom. I have seen this for ICMP as well for continuous pings.

I have in place the workaround of using EEM with clear ip nat trans *

Is there some better way to approach it, other than using dynamic routing and routable addresses to eliminate NAT?

c1700-adventerprisek9-mz.124-25b.bin

Thanks in advance. Any and all feedback is most welcome.

Best,

Joe
Re: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
> After the routing and egress changes, the router should be well aware that continued traffic no longer matches the ip nat inside source route-map ISPA Di1 overload and now matches the ip nat inside source route-map ISPB Di2 overload, for a simplistic example. So the old translations are no longer valid with the new egress. They should be abandoned and new ones created.

Obviously the router does NOT check the ip nat rules if it gets a match in the NAT translation table. This behavior makes sense; if you'd change the NAT parameters of a live session, you'd lose the session anyway.

> And I would be quite happy clearing just the translations for the wrong global for all local inside translations, but syntax does not seem to allow that.

Write a Tcl script that does show ip nat translations and kills only the relevant ones ;)

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info
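The EEM workaround discussed in this thread (Ivan's "catch changes in the tracked object's state with an EEM applet that clears all NAT translations" and Joe's egress-based NAT with object tracking), written out as one added configuration example. This is my example, not a configuration anyone posted; the ISP addresses, interface names and probe target are assumed:

```ios
! Added example (assumed addresses and interfaces): dual-ISP CPE where NAT is
! chosen by egress interface, the primary default route is tracked, and an
! EEM applet flushes the NAT table on every change of the tracked state.
!
! Pin the probe target to ISP A so the probe cannot succeed via ISP B after
! the default route has already moved (which would flap the track).
ip route 192.0.2.1 255.255.255.255 Dialer1
ip sla 1
 icmp-echo 192.0.2.1 source-interface Dialer1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default follows track 1; the floating static via ISP B takes over.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 250
!
interface Vlan1
 ip nat inside
interface Dialer1
 ip nat outside
interface Dialer2
 ip nat outside
!
! NAT rule selected by the egress interface, as in Joe's example.
route-map ISPA permit 10
 match interface Dialer1
route-map ISPB permit 10
 match interface Dialer2
ip nat inside source route-map ISPA interface Dialer1 overload
ip nat inside source route-map ISPB interface Dialer2 overload
!
! Existing translations are never re-evaluated against the NAT rules, so after
! a failover or failback they keep the old inside global address until cleared.
event manager applet FLUSH-NAT-ON-FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "Track 1 is now $_track_state; NAT translations cleared"
```

`state any` fires on both the down and the up transition, which is what the thread needs: failback leaves stale translations behind just as failover does. The wildcard clear also drops sessions that were already rebuilt on the surviving link; Ivan's narrower `clear ip nat translation outside ...` form limits the damage to translations bound to the failed address, and the thread notes that the CLI does not offer a direct "clear by inside global address" form, hence his Tcl suggestion.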
Re: [c-nsp] Disabling SNMP for certain BGP neighbors
You need EEM 3.1 to catch outbound SNMP traps. EEM 3.1 is (at the moment) only available in IOS release 15.0M.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avay...@cisco.com]
Sent: Wednesday, January 20, 2010 10:11 PM
To: Seth Mattinen; cisco-nsp
Subject: Re: [c-nsp] Disabling SNMP for certain BGP neighbors

Seth,

I would say that the right approach for this would be to tune the logic of your NMS system to ignore these events, or make them low-priority events, and have a rule that alerts you about low-priority events only during work hours...

Another approach (but only in relatively new IOS versions) would be to use the EEM SNMP Notification event detector. This would allow you to catch specific traps and block them on the router (or modify them to a different event). In older IOS versions the same can be accomplished for Syslog, so if you can turn off SNMP traps and use Syslog events, you can accomplish this on most IOS versions.

The reference for the SNMP Notification EEM event detector is here:
http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_06.html#wp1178594

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Seth Mattinen
Sent: Tuesday, January 19, 2010 22:11
To: cisco-nsp
Subject: [c-nsp] Disabling SNMP for certain BGP neighbors

Is there any way to disable SNMP traps for a subset of BGP neighbors like there is for interfaces? I have a couple BGP sessions that are of "don't care" priority and they don't need to send traps when they flap (although rarely, it's always when I'm sleeping).

~Seth
Re: [c-nsp] MPLS - CE to CE throughput [SEC=UNCLASSIFIED]
Not nearly enough traffic. If you have reasonable-speed links, it's almost impossible to saturate them with low-end routers. We tried with several IOS-based options, including TTCP, and had to fall back to embedded Linux-based solutions.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

-----Original Message-----
From: Wilkinson, Alex [mailto:alex.wilkin...@dsto.defence.gov.au]
Sent: Tuesday, January 19, 2010 5:19 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS - CE to CE throughput [SEC=UNCLASSIFIED]

On Mon, Jan 18, 2010 at 06:47:28PM +0100, Arie Vayner (avayner) wrote:

> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of jack daniels
> Sent: Monday, January 18, 2010 18:58
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] MPLS - CE to CE throughput
>
> Hi guys,
>
> I want to check the throughput in scenario CE1 - MPLS cloud - CE2

How about using CHARGEN? [http://etherealmind.com/the-poor-mans-ios-traffic-generator/]

-Alex
Re: [c-nsp] Ethernet Network
The MTU on PA-FE (probably) does not include the MAC header and definitely does not include the CRC trailer. Otherwise the minimum value of 1500 wouldn't make sense.

-----Original Message-----
From: Tony [mailto:td_mi...@yahoo.com]
Sent: Wednesday, January 13, 2010 8:10 AM
To: cisco-nsp@puck.nether.net; DonnLasher
Subject: Re: [c-nsp] Ethernet Network

--- On Wed, 13/1/10, Lasher, Donn dlas...@newedgenetworks.com wrote:

<SNIP>

> > 1500 bytes max data + 22 max header + 4 CRC trailer + 4 byte 802.1q tag + 16 up to 4 labels = 1546? Why not just enable jumbos and set it as high as possible?
>
> 1546 = largest MTU the 355x/356x switches, PA-FE, etc, will support, as I recall.

PA-FE are limited to 1530. You're correct about 1546 for the switches though.

7204(config)#int fa4/0
7204(config-if)#mtu ?
  <1500-1530>  MTU size in bytes
Re: [c-nsp] customizing snmp-traps (interface description as well as physical name)
Solution#1 (ugly): syslog messages can be sent as SNMP traps. You'll get the whole syslog message on your NMS.

Solution#2: use EEM to match syslog UP/DOWN messages, extract the interface description and generate a custom SNMP trap. You can do it with EEM applets if your IOS supports EEM 3.0 (12.4(late)T, 12.5, 12.2SRE), otherwise you have to use a Tcl EEM policy (pre-EEM 3.0 applets are too dumb).

These posts could be useful:

http://blog.ioshints.info/2009/12/send-snmp-trap-from-eem-applet.html
http://blog.ioshints.info/2009/10/report-interface-loss-based-on-ospf.html

You can generate a custom SNMP trap from an EEM applet with the action snmp-trap command (I haven't covered that one yet in my blog).

Hope it helps

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

-----Original Message-----
From: Walter Keen [mailto:walter.k...@rainierconnect.net]
Sent: Friday, January 08, 2010 1:43 AM
To: 'Cisco-nsp'
Subject: [c-nsp] customizing snmp-traps (interface description as well as physical name)

Is customizing snmp-traps possible through rmon or some other means so that the delivered message not only has the physical name (gi0/1, etc) but also the description of that port as named in the interface config? Dealing mostly with 2960's and 7600's, and trying to figure out if this is possible. Even if I have to specify an rmon entry per physical interface, I'm dealing with small enough numbers that that would work.

Something like 'int-name int-descr is down/up' or similar would be ideal. Going to want to have this for link up/down initially, and then also set up some traps for taking on interface errors, etc.

--
Walter Keen
Network Technician
Rainier Connect
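Solution#2 as an added EEM 3.0 applet (my example, not one of Ivan's blog posts and not Walter's configuration). The NMS address and community string are assumed placeholders, and the applet assumes the `regexp` and `snmp-trap` applet actions Ivan refers to are available on the box:

```ios
! Added example (EEM 3.0 applet syntax; NMS address and community assumed):
! turn the LINK-3-UPDOWN syslog message into an SNMP trap that also carries
! the interface description, i.e. Walter's "int-name int-descr is down/up".
snmp-server host 192.0.2.50 version 2c NMS-COMMUNITY
snmp-server enable traps event-manager
!
event manager applet LINK-TRAP-WITH-DESCRIPTION
 event syslog pattern "%LINK-3-UPDOWN: Interface .*, changed state to"
 action 1.0 regexp "Interface ([^,]+), changed state to (up|down)" "$_syslog_msg" whole ifname ifstate
 action 2.0 cli command "enable"
 action 2.1 cli command "show interface $ifname | include Description"
 action 3.0 snmp-trap strdata "$ifname ($_cli_result) is $ifstate"
 action 4.0 syslog msg "Custom trap sent for $ifname ($ifstate)"
```

`$_cli_result` holds the raw output of the show command, so the description arrives as the "Description: ..." line rather than the bare text; the NMS side can strip that prefix, or a Tcl policy can do it on the router if the IOS image predates the applet string actions. The `event syslog` pattern is deliberately restricted to LINK-3-UPDOWN, so the applet's own syslog message in action 4.0 cannot re-trigger it.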
Re: [c-nsp] BGP ip addresses re-route to specific link
Are you trying to do destination-based routing (packet TO specific address should go over specific link) or source-based routing (packet FROM specific /28 should go over specific upstream link)?

-----Original Message-----
From: Dracul [mailto:chris.gar...@gmail.com]
Sent: Tuesday, January 05, 2010 8:05 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP ip addresses re-route to specific link

Hi there,

I was wondering if you could do a segregated route, for specific ip addresses under BGP, going only to a specific link. For example, if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior.

Thanks!

regards,
Chris
Re: [c-nsp] BGP ip addresses re-route to specific link
Inbound traffic: advertise the /28 to upstream2. It will not get very far, though, so it's questionable whether it will leak over to upstream1 and influence the return traffic coming from upstream1.

Outbound traffic: policy routing seems to be the quickest (and the dirtiest ;) solution. Getting it to work if the exit points are too far apart is a nightmare.

If you're OK with the /28 being very tightly bound to the specific uplink (i.e. no connectivity when the uplink is down), there are a few MPLS VPN tricks you could use.

Ivan

-----Original Message-----
From: Dracul [mailto:chris.gar...@gmail.com]
Sent: Tuesday, January 05, 2010 5:17 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP ip addresses re-route to specific link

> you can use BGP Conditional Route Injection to generate the /28. (it should be a child subnet out of the parent /24). then filter the prefixes to select which all upstreams should receive this injected subnet.
>
> thanks
> swap

will explore your suggestion.

> Be aware that many (most) ISPs would filter subnets longer than /24, so your /28 would be most likely filtered (even if your direct upstream would send it through).
>
> Arie

Thanks arie, will keep it in mind.

> On Tue, Jan 5, 2010 at 5:00 PM, Ivan Pepelnjak i...@ioshints.info wrote:
>
> > Are you trying to do destination-based routing (packet TO specific address should go over specific link) or source-based routing (packet FROM specific /28 should go over specific upstream link)?

Hi Ivan,

I guess both. I just want to have a specific ip block's traffic contained to a specific link (the ip addresses are broadcast under BGP).

regards,
Chris

> -----Original Message-----
> From: Dracul [mailto:chris.gar...@gmail.com]
> Sent: Tuesday, January 05, 2010 8:05 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] BGP ip addresses re-route to specific link
>
> Hi there,
>
> I was wondering if you could do a segregated route, for specific ip addresses under BGP, going only to a specific link. For example, if I have a /24 default route BGP pool and I want only /28 ip addresses using upstream1 and not by any account go through upstream2. The rest would still be using the usual BGP routing behavior.
>
> Thanks!
>
> regards,
> Chris
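Ivan's "policy routing for outbound, advertise the /28 on one side for inbound" answer, written out as an added configuration example (mine, not Chris's or Ivan's configuration). The prefixes, next hops, AS numbers and interface names are assumed:

```ios
! Added example (assumed addresses and ASNs): keep traffic from 203.0.113.16/28
! on the upstream1 link in both directions, everything else stays on normal BGP.
!
! Outbound: policy-route packets SOURCED from the /28 to upstream1's next hop.
ip access-list extended FROM-SPECIAL-28
 permit ip 203.0.113.16 0.0.0.15 any
!
route-map PIN-TO-UPSTREAM1 permit 10
 match ip address FROM-SPECIAL-28
 set ip next-hop 192.0.2.1
! Clause 20 has no set: all other sources follow the BGP-derived routing table.
route-map PIN-TO-UPSTREAM1 permit 20
!
interface GigabitEthernet0/2
 description customer-facing LAN (ingress for policy routing)
 ip policy route-map PIN-TO-UPSTREAM1
!
! Inbound: the /24 goes to both upstreams, the /28 only to upstream1, so
! upstream1 (and anyone that accepts the /28 from it) prefers the longer match.
ip route 203.0.113.0 255.255.255.0 Null0 254
ip route 203.0.113.16 255.255.255.240 Null0 254
!
ip prefix-list TO-UPSTREAM1 seq 5 permit 203.0.113.0/24
ip prefix-list TO-UPSTREAM1 seq 10 permit 203.0.113.16/28
ip prefix-list TO-UPSTREAM2 seq 5 permit 203.0.113.0/24
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 network 203.0.113.16 mask 255.255.255.240
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 prefix-list TO-UPSTREAM1 out
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 prefix-list TO-UPSTREAM2 out
```

Two of the caveats from the thread apply directly: most networks filter announcements longer than /24, so the /28 will usually not travel beyond upstream1 and return traffic from the rest of the Internet still follows the /24 to whichever upstream wins; and the policy routing only works cleanly when the LAN and both exit points sit on the same router, as here. Note also that IOS policy routing with `set ip next-hop` falls back to normal routing when the next hop stops being reachable, so the /28 is not strictly "never via upstream2" unless the fallback is blocked as well.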
Re: [c-nsp] IS-IS Ethertype
This might help: http://wiki.nil.com/IS-IS_in_OSI_protocol_stack

The drafts you've found deal with the fact that LLC1 packets (those that don't use Ethertypes) cannot use a length field higher than 1500 (otherwise the differentiation between LLC1 and Ethernet-II breaks down).

Ivan

-----Original Message-----
From: Justin Shore [mailto:jus...@justinshore.com]
Sent: Tuesday, January 05, 2010 5:50 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IS-IS Ethertype

Hey guys. I hope you all had a good holiday break.

Does anyone know for sure what the Ethertype is for the CLNS packets? I've found a couple IETF drafts that talk about it to a degree:

http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01
http://tools.ietf.org/html/draft-ietf-isis-ext-eth-01

They imply that for packet sizes under 1500 CLNS uses the standard IEEE 802.3 ethertypes. The drafts specifically address packets over 1500 bytes though. One suggests 0x8872 and the other suggests 0x8870. I can't find anything definitive though.

I'm trying to think what all could affect the Ethertype for IS-IS. MPLS won't. LAGs might (I can't find anything about Ethertype for PAgP or LACP either). Nothing else comes to mind though.

Can anyone tell me for sure what the Ethertype is on IS-IS packets?

Thanks
Justin
Re: [c-nsp] BGP - Announcing routes to Internet providers.
Let's step back and ask the questions we should have been asking in the first place:

* Are you an end-user or a Service Provider (a somewhat reliable answer could be gleaned from Drew's e-mail address)?
* What's the size of your network?
* How many uplinks do you have?
* How far apart are your uplinks?

If it turns out Drew's uplinks are close together, all the beautiful design ideas presented here are a huge overkill.

And, BTW, I wish those of you that propose redistributing connected and static routes into BGP the huge budget you'll need to upgrade RAM and TCAM of your routers/switches when everyone decides (after reading this mailing list :) that following your recommendations unconditionally is a good idea :D

Ivan

-----Original Message-----
From: Scott Granados [mailto:gsgrana...@comcast.net]
Sent: Monday, January 04, 2010 10:03 PM
To: Drew Weaver; Cisco-nsp
Subject: Re: [c-nsp] BGP - Announcing routes to Internet providers.

Drew, network statements are for the weak. :) (I'm kidding of course) but there is a better way. You should use community tagging in combination with prefix lists and route maps. The idea is that you announce routes according to a tag, and the behavior of the announcements depends on the specific tag applied. For example, you could tag routes as peers, transits, global announce, etc. and formulate the type of feeds you give your customers by filtering against communities, so if a customer wants peers and customers only, you could match the two appropriate community tags. This also allows you to tag the communities you globally announce uniquely and make the announcements in a unified way at your edges.

If you accompany this method with the appropriate redistribute static, redistribute connected, etc. and use route maps to control this behavior, you can remove the need for network statements completely and greatly decrease the things you need to modify and, as a result, the possible mistakes.

The other upside here is you can mark your more specifics as do-not-export and better control traffic internally, better directing the traffic in your example. It also allows you to accept communities from your customers and have automatic actions taken based on the tags they apply.

Let me know if you need some configuration examples.

----- Original Message -----
From: Drew Weaver drew.wea...@thenap.com
To: Cisco-nsp cisco-nsp@puck.nether.net
Sent: Monday, January 04, 2010 12:35 PM
Subject: [c-nsp] BGP - Announcing routes to Internet providers.

Howdy,

I am trying to figure out if there is a different/newer/better(?) way to announce our public IP ranges to our Internet providers. Currently we are declaring our subnets in 'network statements' in the BGP configuration, we have static routes set up like

ip route x.x.x.x 255.255.224.0 Null0 254

and then we have an extended access-list applied to each peer with our net blocks listed in them.

It appears that because of the network statements, the supernet routes (/18s, /19s, etc) are being distributed via BGP to the rest of the network, which is by design (I assume). This doesn't seem ideal because if traffic is sent to an IP address that doesn't have a more specific route than say /18, or /19, it travels all the way through the network to the edge before stopping.

I might be blowing the impact of this out of proportion, but it just seems like a waste of resources. Does anyone know of a seemingly more sensible way of doing this?

-Drew
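Scott's community-tagging scheme and Ivan's warning about unconditional redistribution, combined in one added configuration example (mine; Scott offered examples but none appear in the thread). Prefixes, AS numbers and neighbor addresses are assumed:

```ios
! Added example (assumed prefixes and ASNs): aggregates enter BGP through
! redistribute static, but only those carrying a known tag, and each edge
! exports by community instead of by a per-peer prefix list.
ip bgp-community new-format
!
! tag 100 = announce globally, tag 200 = internal more-specific (no-export)
ip route 203.0.113.0 255.255.255.0 Null0 254 tag 100
ip route 203.0.113.64 255.255.255.192 Null0 254 tag 200
!
! The final deny clause is what keeps every other static route (management
! routes, test routes, typos) out of BGP; without it the table leaks.
route-map STATIC-TO-BGP permit 10
 match tag 100
 set community 64496:100
route-map STATIC-TO-BGP permit 20
 match tag 200
 set community 64496:200 no-export
route-map STATIC-TO-BGP deny 30
!
! Transit feed: only prefixes tagged for global announcement.
ip community-list standard GLOBAL permit 64496:100
route-map TO-TRANSIT permit 10
 match community GLOBAL
!
router bgp 64496
 bgp log-neighbor-changes
 redistribute static route-map STATIC-TO-BGP
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 send-community
 neighbor 192.0.2.1 route-map TO-TRANSIT out
```

The no-export community on the /26 answers Drew's concern: the more specific is visible inside the AS, so internal traffic is attracted to the right place, while only the /24 leaves the network. Adding another aggregate later means adding one tagged static route, not touching every peer's filter; the price, as Ivan points out, is that every route-map on every redistribution point has to stay tight, because `redistribute static` with a permissive route-map will happily push the whole static table into BGP.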
Re: [c-nsp] Have I Gone Mad? (OSPF NSSA)
> ABR's appear to be injecting both the type 3 and type 7. Have I gone mad, or do I need to hit the books?

It depends :)

Actually you've asked for it. The no-summary part of the NSSA statement generates a type-3 default and the default-information originate generates a type-7 default. See the Not-so-stubby-areas section of this article:

http://www.nil.com/ipcorner/OSPFDefaultMysteries/

It could be that the previous software releases were smarter and did not insert a type-7 default when they've inserted a type-3 default (which would take precedence over type-7 anyway), but it doesn't hurt you either.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] Large networks
> Generally, putting each customer into a dedicated layer 3 network segment is a good idea - because half of the attacks that a hacked server belonging to customer 1 might do to a server from customer 2 (ARP spoofing, IP address spoofing [- blame goes to customer 2], HSRP attacks to the shared router, etc.) suddenly are no longer relevant at all.

The only disadvantage of this approach is that you waste up to 75% of the address space (assuming you have one server per customer).

If you want to do some really weird things you could configure mismatched subnet masks on servers and routers, use host routes to point toward the servers ... This will reclaim almost all the address space, but result in somewhat more complex addressing and routing.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] Large networks
RPF check?

-----Original Message-----
From: Mikael Abrahamsson [mailto:swm...@swm.pp.se]
Sent: Wednesday, August 26, 2009 3:53 PM
To: Gert Doering
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Large networks

On Wed, 26 Aug 2009, Gert Doering wrote:

> So how do you prevent customer A from sending out packets with an IP address belonging to customer B? (For whatever reason).

Antispoofing ACL on vlan interface? Or if you have an access layer, you can do your L2.5 access lists there on ingress.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: [c-nsp] Have I Gone Mad? (OSPF NSSA)
> Actually... It did hurt somewhat :-/. Previous IOS that we were running (7600 SXx and SRBx) were injecting type 7. However, that behaviour changed with SRD2 and it injects both. Naturally, type 3 wins.

I wrote the article more than a year ago and the 12.4T behavior at that time was the same as what you've described. Obviously you were running somewhat older code :)

> I wonder why the behaviour changed... Then again, my fault for misconfiguring the darn thing to begin with :-)

Well, it makes sense to advertise a type-3 default for summary-only as there are no other type-3 LSAs (to make totally-NSSA identical to totally-stubby area in this aspect), although this particular behavior is not part of the OSPF RFC. Someone with more than just a few boxes probably made a lot of noise asking for the behavior to change :))

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] Large networks
> On Wed, Aug 26, 2009 at 04:21:52PM +0200, Ivan Pepelnjak wrote:
> > RPF check?
>
> won't help for customer A is 10.0.0.1, customer B is 10.0.0.2, your router interface is 10.0.0.254/24.

This is debatable as the host routes point to various L3 interfaces ... I guess it's time to start another test lab :))

Will post the results (unless someone else has more spare time than I do :).

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
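The two anti-spoofing options from this thread (Mikael's antispoofing ACL on the VLAN interface and Ivan's RPF check) applied to the dedicated-segment-per-customer design from the first post, as one added configuration example. This is my configuration, not anything posted on the list; customer addresses and VLAN numbers are assumed:

```ios
! Added example (assumed addresses): one VLAN and one /30 per customer, strict
! uRPF on each interface, plus an explicit ingress ACL for the same policy.
!
! Strict uRPF ("reachable-via rx") drops any packet whose source address does
! not route back out the interface it arrived on. With a /30 per customer, a
! packet from customer B's address arriving on customer A's VLAN fails the check.
interface Vlan101
 description customer-A
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via rx
 ip access-group CUSTOMER-A-IN in
!
interface Vlan102
 description customer-B
 ip address 198.51.100.5 255.255.255.252
 ip verify unicast source reachable-via rx
 ip access-group CUSTOMER-B-IN in
!
! The ACL states the same rule explicitly and logs violations, which gives
! an audit trail that uRPF drop counters alone do not.
ip access-list extended CUSTOMER-A-IN
 permit ip host 198.51.100.2 any
 deny ip any any log
!
ip access-list extended CUSTOMER-B-IN
 permit ip host 198.51.100.6 any
 deny ip any any log
```

The example also shows why Gert's counter-case defeats the RPF check: if customers A and B share 10.0.0.0/24 on one interface, a packet sourced from 10.0.0.2 arriving on that interface routes back out the same interface and passes strict uRPF, so only a per-port layer-2 filter (Mikael's "L2.5 access lists" in the access layer) or host routes that bind each address to its own port can catch it. Rate-limit or sample the `log` keyword in production; logging every spoofed packet is itself a CPU exposure on a busy router.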
Re: [c-nsp] Large networks
> Well, I think that it's reckless to spend 4 globally routable IP addresses instead of 1 per customer, when all you do is save a few minutes of time per installation.

As I said: our customers usually use many more IP addresses than just one.

> And, of course, you're welcome to join us in IPv6 land where this sort of last century thinking does not need to worry us any longer :-)

Some of us still have to live with reality where IPv6 deployment is negligible :) ... And don't forget some IBM mainframes are still forced to run operating systems emulating 80-column card reader :D
Re: [c-nsp] IPV6 in general was Re: Large networks
> There will be Lots Of Fun when IPv4 runs out, and whole new markets of DSL customers (as in India, China, Arabia...) will not be able to access web sites from vendors that have no IPv6 reachability. Goodbye, sales to that region...

Not gonna happen. Unfortunately there's so much stuff on the Internet that's only reachable via IPv4 (including www.wikipedia.org) that the few vendor sites don't matter at all. All those new DSL (I hope not) markets will have to have some sort of IPv4 connectivity (Carrier Grade NAT raises its ugly head).

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] dns resolution not working with vrfs
ip name-server VRF name address specifies the DNS server to use for operations in the specified VRF (for example, when doing traceroute, telnet or ping on the PE-router within the VRF).

A bit more is written here: http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/tvrfdns.html

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: luismi [mailto:asturlui...@gmail.com]
Sent: Tuesday, August 25, 2009 3:03 PM
To: Phil Mayers
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] dns resolution not working with vrfs

#ping vrf FW2INET www.google.es
Translating www.google.es...domain server (199.45.32.40) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.169.99, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/119/120 ms

quite interesting...

Thanks for that point of view
Re: [c-nsp] IP SLA / EEM Scripting
Running the telnet command does not work too well (although it might work a bit better from Tcl EEM policy than from tclsh).

http://blog.ioshints.info/2007/10/you-cannot-start-telnet-session-from.html

However, you can open a TCP socket (to telnet port) from Tcl and issue the commands. You could write Tcl EEM policy and do it from there or use a simple EEM applet that runs a tclsh command. I try to avoid Tcl EEM policies as they are a nightmare to edit/test.

Last but not least, EEM applet can send a SNMP trap to your NMS (or execute a SSH command) and the NMS can then reset the modem.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Aaron Riemer [mailto:arie...@wesenergy.com.au]
Sent: Friday, August 21, 2009 3:27 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IP SLA / EEM Scripting

Hey Guys,

I am hoping to use a combination of IP SLA and EEM to run a script when a certain event occurs. For example we have a cellular router that sometimes requires a reset. We have a backup link so I would like to automate this reset process.

What I would like to do is to monitor the cellular device with IP SLA icmp probes and after a certain number of failures run a script that can telnet to the device via the back door and issue commands to reset.

I have done some digging but I am unable to see if EEM supports the ability for a router to actually telnet to another device and issue commands. I may have to use our network monitoring app to run the script. Could Cacti do this?

Thanks for any suggestions.

Aaron.
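Added example, not from the thread: the last option Ivan lists, an IP SLA probe feeding a track object and an EEM applet that hands the failure to the NMS with an SNMP trap instead of trying to telnet out of the router. It uses the 12.4T `ip sla` syntax rather than the older `ip sla monitor` form; the addresses, object numbers, timers and the community string placeholder are assumptions.

```cisco
! Added example (not from the thread). Probe the cellular device, track
! reachability with some hysteresis, and raise an SNMP trap when it fails.
! 192.0.2.1 (modem), 192.0.2.100 (NMS) and all numbers are constructed.
ip sla 10
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 10 life forever start-time now
!
! The track object decouples "a few lost probes" from "the modem is dead":
! 30 s of consecutive failure before DOWN, 60 s of success before UP again.
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! Traps from EEM only leave the box if the event-manager trap type is enabled
! and a trap receiver is configured. Replace the community placeholder.
snmp-server enable traps event-manager
snmp-server host 192.0.2.100 version 2c COMMUNITY-PLACEHOLDER
!
! The applet never opens a session to the modem; it logs and notifies, and the
! NMS (which already holds the modem credentials) performs the reset.
event manager applet CELL-DOWN
 event track 10 state down
 action 1.0 syslog priority warnings msg "Cellular probe to 192.0.2.1 failed, reset requested from NMS"
 action 2.0 snmp-trap strdata "cellular-reset-request"
```

`show track 10` shows the current state and how many times it changed, and `show event manager history events` confirms the applet actually fired. Keeping the reset credentials on the NMS rather than in an applet also means no device password ends up in the router configuration.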
Re: [c-nsp] NAT Global to FVRF
> I've tried all manner of options but have yet to be successful NAT'ing between the global inside and outside FVRF.

Did you use classic NAT (ip nat inside ... commands) or NAT Virtual Interface (ip nat enable ... commands)? NVI works better in VRF environment.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] ISIS partition avoidance
The router still belongs to the same area as it did before and would thus advertise the area's prefix into L2 due to its own NET. Remember the major difference between OSPF and IS-IS: A router (not an interface) belongs to an area and a router (not an interface) has a NET.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Ibrahim Abo Zaid [mailto:ibrahim.aboz...@gmail.com]
Sent: Thursday, August 20, 2009 4:51 AM
To: cisco_nsp; ci...@groupstudy.com
Subject: [c-nsp] ISIS partition avoidance

Hi All

Does anyone know why ISIS partition avoidance is needed? According to DocCD:

> To cause an Intermediate System-to-Intermediate System (IS-IS) Level 1-2 border router to stop advertising the Level 1 area prefix into the Level 2 backbone when full connectivity is lost between the border router, all adjacent Level 1 routers, and end hosts

but that occurs automatically without enabling the feature, so what extra benefit does it provide?

best regards
--Ibrahim
Re: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
http://wanem.sourceforge.net/

You can download an ISO image that boots off the CD. It can be used on a PC with two interfaces (emulating a router) or with a bit of static-route trickery on the end hosts. Worked perfectly for me when I had to do similar tests.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Thilak T [mailto:thila...@gmail.com]
Sent: Wednesday, August 19, 2009 9:18 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers

Hello Folks,

I am trying to test TCP throughput with different variables. I want to simulate a delay of approx 45 msec between two test PCs connected to two back-to-back routers. How do we introduce an artificial delay where the actual delay is only 2-3 msec, using Cisco routers?

Thilak
Re: [c-nsp] NAT-ON-A-STICK for VRF Traffic
It's probably easier to use the NAT Virtual Interface (ip nat enable instead of ip nat inside|outside) in a VRF environment. You also don't need NAT-on-a-stick with NVI.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Andy Saykao [mailto:andy.say...@staff.netspace.net.au]
Sent: Monday, August 17, 2009 2:59 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic

I want to set up a NAT-PE Internet Gateway and NAT vrf traffic using NAT-ON-A-STICK. Is this possible?

Easy enough to do when it's IP traffic using policy-based routing as per this article:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

Just wondering how you would apply the article in relation to when the traffic is MPLS/VRF based.
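Added example, not from either thread: what Ivan's NVI suggestion looks like for Andy's case (hosts inside a VRF translated to a global-table Internet interface), with no inside/outside roles and no loopback hairpin. The VRF name, RD, addresses, ACL name and the static default route are assumptions; the same `ip nat enable` plus `ip nat source` pattern is what the earlier "NAT Global to FVRF" reply points at, with the VRF on the other side.

```cisco
! Added example (not from the thread). NAT Virtual Interface: both interfaces
! get "ip nat enable" and the translation rule names the VRF the sources live in.
! VRF name, RD, addresses and ACL name are constructed.
ip vrf CUST-A
 rd 65000:1
!
interface GigabitEthernet0/0
 description Customer A hosts (inside the VRF)
 ip vrf forwarding CUST-A
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/1
 description Internet (global routing table)
 ip address 198.51.100.2 255.255.255.0
 ip nat enable
!
! Only the customer's own range is eligible for translation; anything else
! arriving in the VRF with a foreign source is simply not translated.
ip access-list standard CUST-A-NAT
 permit 10.1.1.0 0.0.0.255
!
! PAT the VRF sources to the Internet interface address.
ip nat source list CUST-A-NAT interface GigabitEthernet0/1 vrf CUST-A overload
!
! The VRF still needs a way out: a default route whose next hop is resolved
! in the global table (the "global" keyword), so no NAT-on-a-stick detour.
ip route vrf CUST-A 0.0.0.0 0.0.0.0 198.51.100.1 global
```

`show ip nat nvi translations` lists the active entries with their VRF, which is the quickest way to confirm the rule is matching the right sources before the static route is added.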
Re: [c-nsp] Shape users over quota
First of all, you should use policing, not shaping. Although it's not as user-friendly, it's not CPU-intensive (shaping is). See this article for potential drawbacks: http://wiki.nil.com/Policing_vs_shaping

A very simple implementation would push the policing rules to virtual access interfaces through RADIUS groups (and you'd just switch the user between groups when they exceed their quota).

Obviously, some people prefer that you'd use a dedicated box, myself included (as we offer SCE training :) http://www.nil.com/ls/NIL_SCEO10

In a large-scale environment it makes sense to use SCE, more so as it was developed to address the exact needs you have (whereas anything you're doing on a router is by necessity a kludge).

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avay...@cisco.com]
Sent: Sunday, August 16, 2009 12:20 PM
To: Ed Lazerus; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Shape users over quota

Ed,

The best approach for this kind of services (and even more advanced, like different policies for different protocols even if quota is exceeded) could be implemented with the Cisco SCE product:
http://www.cisco.com/en/US/products/ps9591/index.html

smaller scale can be achieved with the SCE2020:
http://www.cisco.com/en/US/products/ps6151/index.html

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ed Lazerus
Sent: Sunday, August 16, 2009 12:53
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Shape users over quota

Dear All,

We currently use 7300's as LNS's, we have for a few years worked on user pays excess, like all businesses things change and so must we, we are looking to offer new plans of use quota then we shape you down to 64/64kbps.

We have 3 PoPs, each have approximately 25-30K users, we would expect around 10K users each PoP will need shaping based on current usage (which is only increasing).

Is this an easy task on the 7300 LNS's? Or should we be looking more towards dedicated special hardware for this task, if it helps, we are soon to replace 7300 LNS's in at least one PoP with a ESR10K, the LNS's also perform netflow for traffic accounting, the CPU's average around 50% each router.

Thank you.
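Added example, not from the thread: the "policing rules pushed to virtual access interfaces through RADIUS groups" approach Ivan sketches, as a router-side policer plus the per-user RADIUS reply that attaches it. The policy names, the 64 kbps rate and burst, and the FreeRADIUS-style attribute lines are assumptions; the quota accounting and the decision to move a user into the over-quota group stay on the RADIUS server, which is exactly why the router side stays small.

```cisco
! Added example (not from the thread). Policer applied per virtual-access
! interface; policy names and the 64000 bps / 8000 byte burst are constructed.
! A policer drops excess at line rate; "shape average 64000" in the same place
! would queue the excess per user, which is the CPU cost Ivan warns about.
policy-map QUOTA-EXCEEDED-IN
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
policy-map QUOTA-EXCEEDED-OUT
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
! Nothing else is applied to the virtual-template: the policy arrives per user
! from RADIUS when the session comes up (or is re-authenticated), so moving a
! user between "normal" and "over quota" is a change on the RADIUS server.
!
! RADIUS reply attributes for a user in the over-quota group, written in
! FreeRADIUS "users" file syntax (assumed; adapt to your RADIUS server):
!   overquota-user  Cleartext-Password := "PLACEHOLDER"
!       Cisco-AVPair = "lcp:interface-config=service-policy input QUOTA-EXCEEDED-IN",
!       Cisco-AVPair = "lcp:interface-config=service-policy output QUOTA-EXCEEDED-OUT"
```

The interface-config AV pair only takes effect when the session is (re)established, so switching a user mid-session means a RADIUS-initiated disconnect or a re-authorization; `show policy-map interface Virtual-Access N` then shows the policer counters for that user. The policer values are the only thing a user can observe, so keep them identical in both policy-maps to avoid asymmetric rate surprises.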
Re: [c-nsp] Route redistribution and selection
@Luan: Thanks for the link :))

@Joe: if you have EBGP sessions with the core MPLS VPN network, you're losing the BGP cost community (resulting in the EIGRP-related redistribution issues). It might be possible to tweak the WEIGHT attribute on the PE routers (the routes redistributed into BGP have very high weight and are thus never replaced by other BGP routes), but you'd probably need access-lists to select the backup routes.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Luan Nguyen [mailto:l...@netcraftsmen.net]
Sent: Thursday, August 13, 2009 3:44 PM
To: 'Joe Maimon'; 'cisco-nsp'
Subject: Re: [c-nsp] Route redistribution and selection

You might want to check this link out:
http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP

Regards,
---
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
--

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Maimon
Sent: Thursday, August 13, 2009 9:04 AM
To: cisco-nsp
Subject: [c-nsp] Route redistribution and selection

We are having a problem where routes originated by the customer because of their backup paths are preventing the mpls bgp routes from being installed and used on the PE.

Customer has an eigrp routed network. We are hosting a bgp mpls network for the customer. At the Customer's HQ PE router, we talk eigrp to the customer. The customer has an alternate path to the sites served by the bgp mpls network.

We allow redistribution of eigrp routes into bgp to advertise to the mpls bgp sites. This includes the sites known prefixes themselves, due to the potential for the backup path becoming the better/only one.

We redistribute the bgp routes for the mpls sites into eigrp.

Normally this is a fairly common setup and works very well, and has for quite some time with this customer.

However, on one PE we have been having issues where the customer backup path eigrp routes are installed into the PE routing table, the bgp routes show the originated via eigrp routes as the best and used path out of both the local originated via eigrp and the P mpls bgp learned route.

The current fix is to flap the customer eigrp connection or have the customer withdraw the backup path routes.

The P routers and the PE routers are an ebgp connection. The eigrp route has an admin distance of 170 and the ebgp route when installed has an admin distance of 20.

We have tried setting the weight, local preference, metric of the mpls P router prefixes to cause the route to be preferred over the redistributed locally from eigrp route.

The PE router running rsp-jk9o3sv-mz.124-18a.bin

Any insight would be greatly appreciated.

Thanks,

Joe
Re: [c-nsp] Event Manager question
Absolutely, with EEM 3.0 an applet can be triggered with an SNMP trap or inform. The details are here (although the article describes a slightly different task): http://wiki.nil.com/Trigger_EEM_applets_with_SNMP_Informs

However, are you absolutely positive there is no other way to get what you need? In many cases you could use a smart routing design instead of the PBR.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Manaf Al Oqlah [mailto:man...@hotmail.com]
Sent: Thursday, August 13, 2009 4:31 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Event Manager question

Hi all,

Can I configure event manager to be started when it gets notification from another router? For example, I want router1 to be configured with policy based routing on a specific interface once the bgp peer on router2 is down. I don't want to permanently configure the PBR since it causes very high CPU utilization on router1.

Thank you,
Manaf
Re: [c-nsp] EEM applets and conditional statements
You can do it with EEM 3.0 (12.4(22)T if I'm not mistaken). Unfortunately I haven't been writing about this feature yet, but here's a sample applet that compares DHCP-acquired address to the previously-acquired one, maybe it will come handy:

event manager applet DetectDHCPChange
 event syslog pattern "DHCP-6-ADDRESS_ASSIGN"
 action 1.0 regexp "Interface (.*) assigned DHCP address ([0-9.]+)" "$_syslog_msg" match interface ipaddress
 action 2.0 context retrieve key DHCP_address variable addr
 action 2.3 set oldip $addr
 action 2.4 set addr $ipaddress
 action 2.5 context save key DHCP_address variable addr
 action 8.0 if $ipaddress ne $oldip
 action 9.1 info type routername
 action 9.2 mail server "$_mail_smtp" to "$_mail_rcpt" from "$_info_routern...@$_mail_domain" subject "DHCP address on $interface changed to $ipaddress" body "\n$_syslog_msg"
 action 9.3 syslog msg "address changed to $ipaddress, e-mail sent to the operator"
 action 9.4 else
 action 9.5 syslog msg "DHCP address on $interface still $ipaddress"
 action 9.9 end
!
event manager applet SetDHCPKey
 event syslog pattern "SYS-5-RESTART"
 action 1.0 set addr ""
 action 1.1 context save key DHCP_address variable addr

This article has a sample applet that uses command output (in $_cli_result variable)

http://wiki.nil.com/Send_a_list_of_high-CPU_processes_on_CPU_overload

Hope this helps
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Rodney Dunn [mailto:rod...@cisco.com]
Sent: Wednesday, August 12, 2009 4:04 AM
To: Justin Shore
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] EEM applets and conditional statements

I don't think you can do it with an EEM applet to compare data in the output. I think you need to do it via a TCL script where you can save the variables.

Rodney

Justin Shore wrote:

> I'm having trouble figuring out how to use the conditional capabilities of EEM applets to do something fairly simple.
>
> I'd like to check for DHCP conflicts on a schedule and if any exist I'd like to generate a syslog message and send an email. What I can't figure out how to do is parse the output of 'sh ip dh con' and if then perform an action if there are any conflicts (ie, more than just the single header line in the output).
>
> I've gone through some of the EEM community scripts but they all seem to be full blown TCL scripts. I'm thinking that I can handle this with a simple applet. The applets have if, for, and while capabilities but I haven't figured out how to apply them to parsing command output?
>
> Any suggestions or pointers? Example scripts that demonstrate how to use the EEM logic capabilities would be fine too. I can build off that to do what I need.
>
> Thanks
> Justin
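Added example, not from the thread: an applet for Justin's actual task, built from the pieces Ivan's sample shows (a timer event, `cli` actions, `regexp` on `$_cli_result` and an `if` on the result). The cron schedule, mail variables and addresses are assumptions. The test for "more than just the header line" is a regexp for a dotted-quad: the header of `show ip dhcp conflict` contains the words "IP address" but no numeric address, so a match means at least one conflict row is present.

```cisco
! Added example (not from the thread). Every 15 minutes run "show ip dhcp
! conflict", and if any conflict row is present log and e-mail the output.
! Mail server/addresses and the schedule are constructed.
event manager environment _email_server smtp.example.net
event manager environment _email_to noc@example.net
event manager environment _email_from router@example.net
!
event manager applet DHCP-CONFLICT-CHECK
 event timer cron cron-entry "*/15 * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "show ip dhcp conflict"
 ! A dotted quad only appears in conflict rows, never in the header line.
 ! Brackets instead of backslashes keep the pattern CLI-quoting safe.
 action 2.0 regexp "[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+" "$_cli_result"
 action 3.0 if $_regexp_result eq 1
 action 3.1  syslog priority warnings msg "DHCP address conflicts detected, see e-mail"
 action 3.2  mail server "$_email_server" to "$_email_to" from "$_email_from" subject "DHCP conflicts on $_event_pub_time" body "$_cli_result"
 action 3.9 end
```

Running `event manager run DHCP-CONFLICT-CHECK` (with an added `event none` trigger during testing) is the quickest way to check the regexp against the real output of your IOS release before trusting the cron schedule; a conflict list that grows without anyone clearing it is usually a sign of a rogue DHCP server or a statically configured host inside the pool, so the e-mail body carrying the whole table is deliberate.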
Re: [c-nsp] HIDE AS BGP
Much easier: run multihop EBGP session between Customer and ISP2 (plus the regular EBGP session Customer-ISP1). Just make sure something reachable within ISP1 is announced as the next-hop.

-----Original Message-----
From: jack daniels [mailto:jckdaniel...@gmail.com]
Sent: Monday, August 10, 2009 5:01 PM
To: Marko Milivojevic
Cc: Cisco-NSP
Subject: Re: [c-nsp] HIDE AS BGP

Hi Mark,

can you please put more light on the example you proposed.

Thanks and Regards
J.Daniels

On 8/10/09, Marko Milivojevic mar...@markom.info wrote:
> You can use CSC in ISP1 and run BGP directly between Customer and ISP2.
>
> On Mon, Aug 10, 2009 at 11:59, jack daniels jckdaniel...@gmail.com wrote:
>> Hi,
>>
>> Just to be more specific on the solution requirement -
>>
>> Customer---ISP1---ISP2---Internet
>>
>> Internet should not see ISP1 AS number. I'm looking for L3 solution.
Re: [c-nsp] Deny Default Route Propagation
Just make sure you configure the distribute-list in on ALL OTHER routers in the area, otherwise you'll get some hard-to-troubleshoot loops or blackholes.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Gergely Antal [mailto:sk...@skoal.name]
Sent: Thursday, August 06, 2009 2:24 PM
To: Manaf Al Oqlah
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Deny Default Route Propagation

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html

Manaf Al Oqlah wrote:

> hello,
>
> In OSPF, how can I filter the default route from being propagated out in the same area? I want to deny the external default route in outbound routes so other routers in the same area don't accept the default route from that router.
>
> Thank you,
> Manaf
Re: [c-nsp] Deny Default Route Propagation
No, you cannot control the LSA flooding (apart from blocking the flooding over a particular interface). All LSAs still get to all the routers (this is what you've asked for: OSPF is a link-state protocol :), but you can control which of the best OSPF routes get inserted in the IP routing table with the distribute-list in.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Jeremiah Best [mailto:jb...@zyedge.com]
Sent: Thursday, August 06, 2009 6:13 PM
To: Ivan Pepelnjak; sk...@skoal.name; 'Manaf Al Oqlah'
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Deny Default Route Propagation

Can't you do a distribute-list out on the ABR/ASBR whichever the router is?

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ivan Pepelnjak
Sent: Thursday, August 06, 2009 12:01 PM
To: sk...@skoal.name; 'Manaf Al Oqlah'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Deny Default Route Propagation

> Just make sure you configure the distribute-list in on ALL OTHER routers in the area, otherwise you'll get some hard-to-troubleshoot loops or blackholes.
>
> Ivan
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
> -----Original Message-----
> From: Gergely Antal [mailto:sk...@skoal.name]
> Sent: Thursday, August 06, 2009 2:24 PM
> To: Manaf Al Oqlah
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Deny Default Route Propagation
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
>
> Manaf Al Oqlah wrote:
>
>> hello,
>>
>> In OSPF, how can I filter the default route from being propagated out in the same area? I want to deny the external default route in outbound routes so other routers in the same area don't accept the default route from that router.
>>
>> Thank you,
>> Manaf
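Added example, not from the thread: the `distribute-list in` Ivan describes, together with the two checks that show why it has to be on every other router in the area. The process number and prefix-list name are assumptions.

```cisco
! Added example (not from the thread). Keep the external default out of the
! routing table on a router that must not use it. Process number and
! prefix-list name are constructed.
ip prefix-list NO-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list NO-DEFAULT seq 10 permit 0.0.0.0/0 le 32
!
router ospf 1
 ! Filters route installation only; the type-5 LSA is still flooded and
 ! still present in this router's database after this command.
 distribute-list prefix NO-DEFAULT in
!
! Checks (run on the filtering router):
!   show ip ospf database external 0.0.0.0   -> the LSA is still there
!   show ip route 0.0.0.0                    -> no OSPF default installed
!
! Because the LSA is unaffected, any router in the area WITHOUT this
! distribute-list still installs the default and happily forwards toward
! the ASBR, while a router WITH it has no default at all. Mixing the two
! in one area is what produces the loops and blackholes Ivan warns about,
! so apply the same prefix-list and distribute-list on every other router.
```

If the real goal is that nobody in the area ever sees the default, the fix belongs at the origin (not advertising it from the ASBR, or limiting which areas receive externals through the area type) rather than at each receiver.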
Re: [c-nsp] IP unnumbered vlan subinterfaces question
OSPF does not work across unnumbered VLAN subinterfaces.

http://wiki.nil.com/Unnumbered_Ethernet_VLAN_interfaces#Limitations

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Michael Ulitskiy [mailto:mulits...@acedsl.com]
Sent: Monday, August 03, 2009 5:10 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IP unnumbered vlan subinterfaces question

Hello,

Guys, are there any drawbacks of doing the following:

interface Lo0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip unnumbered Lo0
!
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
!

as opposed to having ip address configured directly on the interface as usual?

I need that ip address to stay always up regardless of Fa0/0 state, 'cause it's used for other services that should stay up and I'd prefer to avoid assigning another ip address exclusively for loopback use. It seems to work in my lab, but I thought I'd better ask...

Thanks,
Michael
Re: [c-nsp] Humor: Cisco announces end of BGP
Gentlemen, you forgot about IDRP (http://www.javvin.com/protocolIDRP.html). You can already transport IPv4 and IPv6 over CLNS, this is the next logical step :D

-----Original Message-----
From: Justin Shore [mailto:jus...@justinshore.com]
Sent: Tuesday, July 28, 2009 6:57 PM
To: Hank Nussbacher
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Humor: Cisco announces end of BGP

Hank Nussbacher wrote:

> I just got this product alert from Cisco:
>
> From: cisconotificationserv...@cisco.com
> To: h...@efes.iucc.ac.il
> Subject: Cisco Notification Alert -Alerts_Daily-07/28/2009 07:38 GMT
>
> Cisco Notification Service Alert: Cisco Notification Alert -Alerts_Daily-07/28/2009 07:38 GMT
>
> End-of-Sale and End-of-Life Announcements-Border Gateway Protocol (BGP)-07/27/2009 08:44 GMT-07/28/2009 07:35 GMT
>
> What exactly does Cisco have planned as a replacement? :-)
>
> -Hank

Full tables in IS-IS of course!
Re: [c-nsp] VRF-lite to do L3 passthru
> is it really that simple? Will VRF-lite work without actually using BGP or MPLS? Are there docs somewhere in the Cisco spiderweb which are clearer on the topic than the ones which are part of the SX doc train?

Yes, it's that simple. You don't need MP-BGP or MPLS for VRF lite to work. You need MP-BGP only if you want to leak routes between VRFs (as the leaking is based on route targets and has to go through MP-BGP). Just make sure CEF is enabled (which is not an issue on a 6500).

(Warning: self-promotion in the next sentence) You'll find very good coverage of the VRF lite topic in the MPLS VPN Architectures, Volume II.

Best regards
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
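Added example, not from the thread: a minimal VRF-lite "L3 passthrough" that shows what Ivan means by "that simple": one VRF, two interfaces in it, static routes, no BGP and no MPLS. The VRF name, RD, interface names and addresses are assumptions.

```cisco
! Added example (not from the thread). VRF-lite pass-through on a single box:
! the customer's traffic is routed inside its own table and never touches the
! global routing table. Names, RD and addresses are constructed.
ip cef
!
! The RD is required to create the VRF; no route-target is configured, so
! nothing can be imported into or exported out of this VRF (no MP-BGP, no leak).
ip vrf CUST-A
 rd 65000:1
!
interface GigabitEthernet1/1
 description Customer A site-facing link
 ip vrf forwarding CUST-A
 ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet1/2
 description Customer A upstream link
 ip vrf forwarding CUST-A
 ip address 192.168.2.1 255.255.255.252
!
! Routing inside the VRF is plain static routing (an IGP per VRF works too).
ip route vrf CUST-A 10.1.0.0 255.255.0.0 192.168.1.2
ip route vrf CUST-A 0.0.0.0 0.0.0.0 192.168.2.2
```

`show ip route vrf CUST-A` and `ping vrf CUST-A 192.168.2.2` verify the table; `show ip route 192.168.1.0` in the global table returns nothing, which is the separation you are buying. Note that assigning `ip vrf forwarding` to an interface clears its IP address, so re-enter the address after the VRF command as above.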
Re: [c-nsp] OSPF question
It's actually quite simple: you need an EEM applet that triggers on X occurrences of a well-known SYSLOG message (OSPF neighbor going down) within Y seconds, modifies the configuration (to insert passive-interface X into the router ospf Y) and alerts the operators via an e-mail.

You'll find a few similar applets in my blog and my wiki:

http://wiki.nil.com/Category:EEM_applet
http://blog.ioshints.info/search/label/EEM

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Tony Baade [mailto:t...@bobbroadband.com]
Sent: Friday, July 24, 2009 6:01 PM
To: Rodney Dunn
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF question

Does anyone know if it's available in another IGP? Or does anyone have any sample scripts I might be able to try out?

Anthony J Baade
Network Engineer
Business Only Broadband, LLC
O (630) 590-6011
C (630) 340-0696
t...@bobbroadband.com
www.bobbroadband.com

-----Original Message-----
From: Rodney Dunn [mailto:rod...@cisco.com]
Sent: Thursday, July 23, 2009 9:33 PM
To: Tony Baade
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF question

Tony Baade wrote:

> We experienced an issue on our network where we have a link between 2 cisco ME6524s. There was packet loss across the link, but the interfaces on either side never actually dropped. The packet loss however was severe enough to cause problems w/ our OSPF (the neighbor session kept dropping up and down) and as a result this caused our iBGP hellos to timeout, causing an outage affecting several routers. My question is there some way to dampen a flapping neighbor in OSPF?

Not natively. I tried to get that in a few years ago but couldn't make it happen.

If you wanted it bad enough you could code it up with EEM and a TCL script to watch for a neighbor flap and passive that interface for some time.

Interface event dampening covers the link flap but just for the OSPF transport we don't do it.

The enhancement request to track it was:

CSCsi29746 Routing protocol neighbor dampening request

> So if the interface doesn't actually go down, but there is X amount of packet loss in Y amount of time (or if the neighbor goes up and down a certain number of times) the switch will recognize this issue and stop using that link? We are already using IP Event Dampening, which didn't kick in because the interfaces never actually went down.
>
> If there's no way in OSPF to do this, is there support for this in another IGP, or is there any other workaround for this kind of situation?
>
> Any advice is appreciated, thanks in advance,
>
> t. baade
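Added example, not from the thread: the applet Ivan outlines, as a concrete EEM configuration. It fires when the OSPF adjacency-change message with "from FULL to DOWN" is logged three times within 120 seconds, pulls the interface name out of the last message, makes that interface passive and tells the operators. The process number, the thresholds, the mail variables and the interface naming pattern in the regexp are assumptions.

```cisco
! Added example (not from the thread). Dampen an OSPF neighbor that keeps
! flapping while the link stays up. Thresholds, process number and mail
! settings are constructed.
event manager environment _email_server smtp.example.net
event manager environment _email_to noc@example.net
event manager environment _email_from router@example.net
!
event manager applet OSPF-NBR-FLAP
 ! X=3 neighbor-down messages within Y=120 seconds, from any neighbor.
 event syslog pattern "OSPF-5-ADJCHG.*from FULL to DOWN" occurs 3 period 120
 ! Message looks like: "%OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on
 ! GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired".
 ! First capture group lands in $intf (Ivan's applet uses the same idiom).
 action 1.0 regexp "on ([A-Za-z-]+[0-9/.]+) from FULL to DOWN" "$_syslog_msg" match intf
 action 2.0 if $_regexp_result eq 1
 action 2.1  cli command "enable"
 action 2.2  cli command "configure terminal"
 action 2.3  cli command "router ospf 1"
 action 2.4  cli command "passive-interface $intf"
 action 2.5  cli command "end"
 action 2.6  syslog priority errors msg "OSPF neighbor on $intf flapped 3 times in 120 s, interface set passive"
 action 2.7  mail server "$_email_server" to "$_email_to" from "$_email_from" subject "OSPF flap dampening on $intf" body "$_syslog_msg"
 action 2.9 end
```

Two properties of this applet are worth knowing before deploying it. The `occurs`/`period` counter is not per neighbor, so on a router with many adjacencies three unrelated drops in two minutes would also trigger it; a per-interface applet (one copy per uplink with the interface name in the pattern) avoids that. And the interface stays passive until someone removes the command: the "for some time" Rodney mentions needs either an operator step or a second, timer-driven applet that reverses the change.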
Re: [c-nsp] BGP failover for two traffic types
Are the VOICE and DATA traffic going to distinct servers? If that's the case, you can tweak the BGP route selection policy on the CE router. See this article for an example (not too far off from what you're looking for):

http://www.nil.com/ipcorner/ScalablePolicyRouting/

If you cannot distinguish VOICE and DATA based on destination addresses, policy routing is the next obvious option (we all love to hate). OER might also work, but I haven't worked with it enough to have an informed opinion (another technology way too long on my to-do list).

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Adam Greene [mailto:maill...@webjogger.net]
Sent: Thursday, July 23, 2009 1:55 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP failover for two traffic types

Hi,

I have a CE router doing eBGP peering with two of my PE routers over distinct WAN circuits. The CE router services two netblocks on its LAN interface: one is for VOICE, the other (secondary IP address) is for DATA.

I want the customer's DATA traffic to flow to/from PE1 by default, and voice traffic to flow to/from PE2 by default. In the event of an outage on one of the circuits, I want all traffic to flow over the circuit that's still up.

I already know how to manipulate the traffic inbound to the CE router in this way, using conditional BGP advertisements. However, I can't figure out how to make the customer's outbound traffic prefer one link or another depending on whether it's DATA or VOICE, except by using route-maps, and those don't play nice as far as failing over to a backup link if the primary link is down.

I've toyed with the idea of trying to use VRF for this application, but I'm pretty new to it and don't know if it's really a viable approach.

Interested in ideas ... should I attempt a solution based on VRF? Or maybe there is a simpler solution

thanks,
Adam
Re: [c-nsp] OSPF NSSA question
Hi!

You gave me a good reason to finally test this command and document what it does and how it's used in a hub-and-spoke environment:

http://wiki.nil.com/OSPF_flooding_filters_in_hub-and-spoke_environment

It's exactly what's needed to solve the original problem (but of course you need a static default route on the spoke routers as they lose all OSPF information).

Best regards
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Ruben Alvarez [mailto:r...@opusnet.com]
Sent: Wednesday, July 22, 2009 5:17 PM
To: 'Mateusz Blaszczyk'; 'Ivan Pepelnjak'
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] OSPF NSSA question

I'm not sure filtering 'out' would work. Three routers all have one interface, each connecting to the ABR (which has four interfaces, three to the routers in area 1 and one in area 0.) If I'm filtering out, The ABR wouldn't know which routes are on each of the three routers. Right? The three routers have thousands of single host routes spread out over each router. The ABR knows which router has each host and summarizes to area 0.

-----Original Message-----
From: Mateusz Blaszczyk [mailto:blah...@gmail.com]
Sent: Wednesday, July 22, 2009 1:10 AM
To: Ivan Pepelnjak
Cc: Ruben Alvarez; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF NSSA question

2009/7/22 Ivan Pepelnjak i...@ioshints.info:
> You're probably looking for the ip ospf database-filter all out command.

And how the summary LSA with 0/0 would get to the spoke router if that is filtered out? (assuming nssa scenario in OP's hub n'spoke topology)

Best Regards,
-mat
Re: [c-nsp] Default route from ospf to bgp
Just configure network 0.0.0.0 0.0.0.0 in your BGP process. Whenever there's a default route in the IP routing table, BGP will advertise it.

More details in:
http://wiki.nil.com/BGP_default_route
http://blog.ioshints.info/2007/11/bgp-default-route.html

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Alex Moya [mailto:alexm...@bellsouth.net]
Sent: Thursday, July 23, 2009 3:42 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Default route from ospf to bgp

I need to redistribute my default route from my ospf process to my bgp. Do I use a route map to just allow my default?

Sent from my iPhone

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] TCLsh + Ping TOS
Tcl doesn't have expect but it does have typeahead which you can probably use to feed the input to Ping command.

http://wiki.nil.com/Insert_responses_to_command_prompts_in_Tclsh
http://wiki.nil.com/Tclsh_on_Cisco_IOS_tutorial

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Ziv Leyes [mailto:z...@gilat.net]
Sent: Tuesday, July 21, 2009 8:51 AM
To: .[Gardener] .; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] TCLsh + Ping TOS

That's interesting indeed, the one line ping command seems to not be able to include the extended commands, so I wonder, does the tclsh support expect? Because that could be a solution for this kind of need.

Regarding the command running from other place you could use an alias exec, e.g. alias exec multiping tclsh disk2:file.tcl

Hope this helps
Ziv

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of .[Gardener] .
Sent: Monday, July 20, 2009 7:59 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] TCLsh + Ping TOS

Hi to everyone. Please I need some advice to create a little script to make Ping with TOS. I found on several webpages things like this:

R1#tclsh
R1(tcl)#foreach address {
+(tcl)#172.12.23.2
+(tcl)#172.12.23.3
+(tcl)#172.12.23.4
+(tcl)#172.12.23.6
+(tcl)#172.12.23.7
+(tcl)#} { ping $address re 10 si 1500
+(tcl)#}

This is my problem, I can not make the complete command on ONE line (because I don't have TOS). I need to create a script to execute things like this:

R1#ping
Protocol [ip]:
Target IP address: 172.16.123.1
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback0
Type of service [0]: 96
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:

The other impossibility that I have: I can not create or bring from other place the file.tcl, all this script has to be applied on-line on the router.

Thank you.

Andres P. Spano

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OSPF NSSA question
You're probably looking for the ip ospf database-filter all out command. And there can be more than one router in the OSPF stub area.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> Ok thanks. That answers my question. It's not a big deal, I just was wondering. As for the one who suggested totally stubby or stub, I understood a stub area can only have one OSPF router.

-----Original Message-----
From: Mateusz Blaszczyk [mailto:blah...@gmail.com]
Sent: Tuesday, July 21, 2009 12:34 PM
To: Ruben Alvarez
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF NSSA question

Ruben,

All routers in an OSPF area have to have the same OSPF topology database. So unless you put each router in its own area there is really no good way around it.

Best Regards,
-mat

2009/7/21 Ruben Alvarez r...@opusnet.com:
> Hello, I have a question. I have recently set up a second OSPF area. The ABR has three routers connected to it (area 1) in a hub and spoke configuration. The routers get a default route to the ABR via default information originate. Now the ABR has all the N2 routes for the three routers. But so do all three routers, which isn't needed. They only have one interface and a default route. Is there a way I can ignore all routes in the area except the default route coming from the ABR?

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Block https
You cannot block HTTPS on the router with anything but the IP-based access lists because (by definition) the HTTP request (which the URL filter, content filter or NBAR recognizing HTTP uses) is encrypted.

If you want to block HTTPS requests for particular hosts, you need a HTTP proxy which intercepts the CONNECT requests and allows/denies them. You could force the users to go through a proxy by blocking direct Internet access for ports 80 through 443.

However, to block HTTPS access to Facebook, the easiest thing to do is this:

* do a DNS lookup for www.facebook.com
* do a WHOIS query for the IP address
* at the moment facebook does not use distributed CDN, so the IP address is within the IP address range allocated to Facebook Inc.
* block the whole address range assigned to them.

... And keep in mind that this is a whack-a-mole game ;)

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: mas...@nexlinx.net.pk [mailto:mas...@nexlinx.net.pk]
Sent: Wednesday, July 15, 2009 1:03 PM
To: Kevin Barrass
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Block https

Man, that's pretty straightforward. All you needed is http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab4ddb.shtml

If I am remembering correctly, you can block https using proxy/cache server; if it is Squid then I can help you.

Regards,
Masood

Hi

One I used a while ago to test was the below:

ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny www.theregister.co.uk

It's a while since I've used this but you can check the Cisco Docs for the ip urlfilter feature; if you want to block based on IP just use access lists as normal to block traffic to that IP.

Regards

Kev

Kev Barrass | YHMAN Operations Team | www.yhman.net.uk

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: 15 July 2009 08:44
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Block https

I want to block the url https://www.facebook.com
Without using NBAR
Using access-lists ??
And if I want to block based on the IP address it has a lot of IP addresses (I don't want to block a whole class)
And the cache only blocks based on HTTP port 80

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
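The DNS-then-WHOIS-then-block recipe above ends in an access list, and the two things people get wrong are the wildcard mask and the upkeep Ivan calls whack-a-mole. This is an added example (not from the thread, and not a Cisco tool): a Python script that turns a list of address ranges into an IOS extended ACL denying TCP/443 to them, and a check that flags when a freshly resolved address no longer falls inside the ranges the ACL was built from. The ranges are constructed from RFC 5737 documentation space, not Facebook's real allocation, and the ACL name BLOCK-HTTPS is a placeholder.

```python
"""Added example (not from the thread): build an IOS extended ACL that
denies HTTPS (TCP/443) to a set of address ranges, and re-check later
whether an address the site resolves to is still covered by those ranges.
The ranges below are constructed from RFC 5737 documentation space."""
import ipaddress

# Constructed sample of what a WHOIS lookup might return as the target
# organisation's allocations: two adjacent /25s and one /24.
BLOCKED_RANGES = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"]


def wildcard_mask(cidr):
    """IOS access lists use inverted masks: a 0 bit means 'must match',
    so 10.0.0.0/22 becomes 0.0.3.255 and a /32 becomes 0.0.0.0."""
    return str(ipaddress.ip_network(cidr).hostmask)


def https_deny_acl(name, cidrs):
    """Configuration lines for a named extended ACL.

    Adjacent ranges are collapsed first (the two /25s become one /24) so
    the ACL stays short, and the closing 'permit ip any any' keeps all
    other traffic flowing, because an IOS ACL ends with an implicit deny."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    lines = [f"ip access-list extended {name}"]
    for net in nets:
        lines.append(f" deny tcp any {net.network_address} {wildcard_mask(str(net))} eq 443")
    lines.append(" permit ip any any")
    return lines


def still_covered(address, cidrs):
    """The whack-a-mole check: does an address the site resolves to today
    fall inside the ranges the ACL was generated from?  False means the
    site has moved and the WHOIS step has to be repeated."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    print("\n".join(https_deny_acl("BLOCK-HTTPS", BLOCKED_RANGES)))
    # Constructed later DNS answers: one inside the known ranges, one not.
    for resolved in ("203.0.113.7", "192.0.2.44"):
        state = "covered" if still_covered(resolved, BLOCKED_RANGES) else "NOT covered"
        print(f"{resolved}: {state}")
```

The generated ACL still has to be applied inbound on the LAN interface (ip access-group BLOCK-HTTPS in); a /32 comes out as "x.x.x.x 0.0.0.0", which IOS accepts as the equivalent of the host keyword. Re-running still_covered against a fresh DNS answer on a schedule is the cheapest way to notice the mole has moved.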
Re: [c-nsp] disable break on boot for IOS??
> This is good advice for newer machines but I've got a UBR 924 with 12.1T code on it - 'no service password-recover' isn't an option for me. Which config-register setting will do what I need?

None. You cannot disable break during the first minute (or so) with a config register.

> Seems like maybe 0x8102 would do it

The disable break 0x0100 disables break after the initial one-minute (or so) window.

Ivan

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] CE routes
CE-PE subnets are part of VRF and thus cannot be inserted into the core IGP, only in MP-BGP. It's way easier (and more scalable) to redistribute them than to list them in the per-VRF BGP configuration.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: harbor235 [mailto:harbor...@gmail.com]
Sent: Tuesday, July 14, 2009 6:51 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] CE routes

I was just reading best practices for MPLS implementations regarding CE to CE connectivity issues, specifically, CE to CE pings. The document stated that redistributing connected PE routes into BGP was the preferred method to ensure CE to CE ping success as well as other connectivity issues. This will inject the route for the PE to CE interface into BGP. I am not sure I agree, why not explicitly define which networks to advertise in the IGP, an IGP in MPLS networks is supposed to hold all infrastructure routes anyway. Are these interfaces considered infrastructure or customer interfaces?

One reason may be to reduce the number of infrastructure routes in the IGP because of the potential for many CE to PE interfaces, let BGP handle the large number of routes? I am curious which method is employed in the wild, also I am not sure all connected routes should be advertised from the PE, e.g. management/infrastructure interfaces etc ...

What are your thoughts and how is it being done?

mike

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] disable break on boot for IOS??
Just make sure you test the feature (for each ROMMON release you're using) with a known enable password first. It's somewhat impossible to break into some ROMMON versions.

http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Matthew Huff [mailto:mh...@ox.com]
Sent: Monday, July 13, 2009 11:31 PM
To: 'neal rauhauser'; 'cisco-nsp@puck.nether.net'
Subject: Re: [c-nsp] disable break on boot for IOS??

If you are running a newer IOS and newer ROMMON you can disable password-recover (i.e. break during boot) using no service password-recovery. Make sure to read http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html completely, you can brick a router otherwise.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of neal rauhauser
Sent: Monday, July 13, 2009 5:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] disable break on boot for IOS??

I have a situation with a former employee who still has legitimate physical access to a shared space where we have some Cisco equipment. Today one of our field guys located a UBR924 attached to our cable modem plant with the cutest little rogue Linux machine attached to its ethernet port. I had them recover the router's password as the first step and now I'm puzzling over this:

http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml

I recall that a machine can be set such that the break during boot will not permit password recovery, but it isn't clear to me how I do it. I'd really like to get this machine secured so I can dig in to what he is doing. I'd already isolated this cable plant because I knew intrusion was possible but I want to see what other mischief he uses our facilities for - a little spice for the already meaty intrusion case against him this spring.

--
mailto:n...@layer3arts.com // GoogleTalk: nrauhau...@gmail.com IM: nealrauhauser

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
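Both "disable break on boot" replies above come down to reading the configuration register correctly (the 0x8102 guess, the 0x0100 bit Ivan explains, and the 0x2142 value password recovery leaves behind). This is an added example, not from the thread: a Python decoder for the classic 16-bit IOS configuration register plus a small audit of the "Configuration register is ..." line from show version. The bit layout is Cisco's documented one as I know it (boot field in bits 0-3, 0x0040 ignore NVRAM, 0x0100 Break disabled, 0x2000 ROM fallback, 0x8000 diagnostic messages); verify it against your platform's documentation. The show version line is constructed. As Ivan points out, the 0x0100 bit says nothing about the first minute after power-on, so the decoder reports what the box is set to, not whether recovery is impossible.

```python
"""Added example (not from the thread): decode a classic IOS configuration
register and audit the 'Configuration register is ...' line of 'show
version'.  Bit meanings are Cisco's documented 16-bit layout as I know it;
verify against your platform's documentation."""
import re

BOOT_FIELD = 0x000F
IGNORE_NVRAM = 0x0040    # the bit the password-recovery procedure sets (0x2142)
BREAK_DISABLED = 0x0100  # ignores Break once IOS is running, not in the first
                         # minute after power-on (see the thread)
ROM_FALLBACK = 0x2000    # boot from ROM if network boot fails
DIAG_MESSAGES = 0x8000

REGISTER_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")


def decode_config_register(value):
    """Return the fields of one register value as a dict."""
    boot = value & BOOT_FIELD
    if boot == 0:
        mode = "stay in ROMMON"
    elif boot == 1:
        mode = "boot first image in flash (boot helper on older platforms)"
    else:
        mode = "boot per 'boot system' commands"
    return {
        "boot_field": boot,
        "boot_mode": mode,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
        "diag_messages": bool(value & DIAG_MESSAGES),
    }


def register_from_show_version(text):
    """Return (current, at_next_reload); the second equals the first when
    no change is pending."""
    m = REGISTER_LINE.search(text)
    if not m:
        raise ValueError("no 'Configuration register is' line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def audit(text):
    """Findings a defender wants from a fleet sweep: NVRAM being ignored
    (someone went through password recovery and never reset the register)
    and Break left enabled."""
    findings = []
    current, pending = register_from_show_version(text)
    for label, reg in (("current", current), ("next reload", pending)):
        d = decode_config_register(reg)
        if d["ignore_nvram"]:
            findings.append(f"{label} 0x{reg:04X}: NVRAM ignored at boot")
        if not d["break_disabled"]:
            findings.append(f"{label} 0x{reg:04X}: Break not disabled")
    return findings


# Constructed 'show version' tail: a router set to skip NVRAM on the next reload.
SAMPLE = "Configuration register is 0x2102 (will be 0x2142 at next reload)"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run audit over the show version output collected from every box; a pending 0x2142 on a router nobody is working on is exactly the kind of leftover the thread's scenario (someone with physical access and a console cable) should make you look for.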
Re: [c-nsp] backup cpe
More specifically ...

SOHO multihoming solutions (includes object tracking and reliable static routing):
http://wiki.nil.com/Small_site_multihoming

More reliable static routing tricks:
http://blog.ioshints.info/search?q=reliable+static

More DHCP-related tricks:
http://blog.ioshints.info/search/label/DHCP

EEM applet that enables/disables an interface (just tie it to a track object, not a timer):
http://wiki.nil.com/Time-based_wireless_interface_activity

More sample EEM applets:
http://wiki.nil.com/Category:EEM_applet

More EEM usage guidelines and tips:
http://blog.ioshints.info/search/label/EEM

Ufff ... I'm obviously writing too much :)

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avay...@cisco.com]
Sent: Sunday, July 12, 2009 12:13 PM
To: Mohammad Khalil; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] backup cpe

Mohammad,

Take a look here:

Enhanced Object Tracking
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/fthsrptk.html

Reliable Static Routing Backup Using Object Tracking
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

Embedded Event Manager (EEM)
http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html

I think this should give you some ideas...

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Sunday, July 12, 2009 11:28
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] backup cpe

Hi all,

I have a router with 2 ethernet interfaces: one is connected to a microwave device (Leased Line) and the other is connected to a WiMAX CPE. Now if the leased line went down, how am I going to activate the CPE automatically?? There is no dialing in the CPE, it obtains a DHCP IP address from the BS once the LOS is there.

Thanks

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] EIGRP SoO question
You'll probably find enough details here: http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP

If that's not the case, let me know and I'll fix the article.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Derick Winkworth [mailto:dwinkwo...@att.net]
Sent: Sunday, July 12, 2009 9:38 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EIGRP SoO question

I'm trying to wrap my head around how this works. There is BGP SOO. This is where routes are tagged as they are redistributed into BGP so that other PEs attached to the same customer site do not push the routes back into the site. This accounts for the PE - CE direction.

In the opposite direction, it seems there are actually two different mechanisms. There is

a) EIGRP SOO. This is an EIGRP extension/tag that the PE uses so it does not re-introduce a route back into the PE iBGP cloud. Routes are tagged going into a site, and if the site is dual-homed and the route comes back to another PE that is appropriately configured, this other PE will see the tag and not re-advertise that route back into BGP.

b) BGP cost community. This attribute carries the EIGRP metric of the route that is being redistributed into BGP. At another PE (presumably a PE attached to a multihomed site), this attribute tells BGP to compare the EIGRP cost embedded in the attribute directly to an EIGRP route learned from the CE. This attribute is compared before any other BGP attribute.

So I guess why do we need both (a) and (b)? The documentation for this is shoddy.

Derick Winkworth
CCIE #15672

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IPv6 iBGP Route Reflector
> This scheme also doesn't work. I added next-hop-self on rtr2_RR for both peers with rtr3 and rtr4.

I haven't been following this thread too closely, but it's worth mentioning that the next-hop is not changed on reflected routes (even if you configure next-hop-self on the neighbor). See Notes and Warnings at the end of this section: http://wiki.nil.com/BGP_route_reflectors#Route_Reflector_rules

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> address-family ipv6
>  redistribute connected
>  no synchronization
>  neighbor 2001:1020:100::3 activate
>  neighbor 2001:1020:100::3 inherit peer-policy rr-clients-v6
>  neighbor 2001:1020:100::3 next-hop-self
>  neighbor 2001:1020:100::4 activate
>  neighbor 2001:1020:100::4 inherit peer-policy rr-clients-v6
>  neighbor 2001:1020:100::4 next-hop-self
> exit-address-family
>
> I tried adding a route-map on out to change the next-hop, but it doesn't help.
>
> neighbor 2001:1020:100::4 route-map NextHopPE4 out
> neighbor 2001:1020:100::3 route-map NextHopPE3 out
>
> route-map NextHopPE3 permit 10
>  set ipv6 next-hop 2001:1020:7000::1
> route-map NextHopPE4 permit 10
>  set ipv6 next-hop 2001:1020:8000::1
>
> I think the problem is in the link-local address received from OSPFv3. With ipv4 addresses this scheme works.
>
> --
> Alexandr Gurbo

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Delay BGP peer session
You'll find a lot of information about IP Event Dampening here: http://www.nil.com/ipcorner/IncreaseStability/

I haven't tried it in the EBGP scenario ... Jon, thanks for the pointer.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> Is there any way to force a delay on a BGP session from establishing when a link comes up? Say, for example, if a link flaps and fast-external-fallover takes it down we should wait X minutes before trying to bring the session back up.

> I would guess that flap dampening would be the proper solution.

> I don't think it can dampen the whole table and suppress announcements, can it? I've never tried that.

> I believe IP Event Dampening is the knob you seek.

> Very interesting. I'll have to play around with that.
>
> ~Seth

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
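Seth's "wait X minutes before trying to bring the session back up" is exactly what IP Event Dampening gives you, but the wait is not a fixed X: it is a penalty that grows per flap and decays exponentially, and the interface (and so the BGP session over it) stays hidden from routing until the penalty has decayed below the reuse threshold. This is an added example, not from the thread or the linked article: a Python model of that arithmetic. The constants are the IOS defaults of the interface-level dampening command as I know them (half-life 5 s, reuse 1000, suppress 2000, max-suppress 20 s, 1000 penalty per flap); treat them as assumptions and check your platform. The flap pattern is constructed.

```python
"""Added example (not from the thread): the IP Event Dampening arithmetic,
so the time a flapping link stays hidden from routing can be predicted.
Constants are the IOS interface 'dampening' defaults as I know them;
verify on your platform."""
import math

HALF_LIFE = 5.0        # seconds for the penalty to halve
REUSE = 1000.0         # interface is un-suppressed once the penalty is below this
SUPPRESS = 2000.0      # interface is suppressed once the penalty reaches this
MAX_SUPPRESS = 20.0    # longest time (s) an interface may stay suppressed
FLAP_PENALTY = 1000.0  # added on every down transition


def max_penalty(half_life=HALF_LIFE, reuse=REUSE, max_suppress=MAX_SUPPRESS):
    """Ceiling on the accumulated penalty: the value that needs exactly
    max_suppress seconds to decay back to the reuse threshold."""
    return reuse * 2 ** (max_suppress / half_life)


def decay(penalty, elapsed, half_life=HALF_LIFE):
    """Exponential decay: the penalty halves every half_life seconds."""
    return penalty * 0.5 ** (elapsed / half_life)


def seconds_until_reuse(penalty, half_life=HALF_LIFE, reuse=REUSE):
    """How long a suppressed interface stays hidden if it stops flapping now."""
    if penalty <= reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)


def simulate(flap_times):
    """Run a list of down-event timestamps (seconds) through the algorithm.
    Returns (time, penalty after the flap, suppressed?) per event and keeps
    the hysteresis: once suppressed, the interface only comes back when the
    penalty has decayed below REUSE, not merely below SUPPRESS."""
    penalty, last, suppressed, cap, out = 0.0, 0.0, False, max_penalty(), []
    for t in flap_times:
        penalty = decay(penalty, t - last)
        if penalty < REUSE:          # it came back between the two flaps
            suppressed = False
        penalty = min(penalty + FLAP_PENALTY, cap)
        if penalty >= SUPPRESS:
            suppressed = True
        last = t
        out.append((t, round(penalty, 1), suppressed))
    return out


if __name__ == "__main__":
    # Constructed flap pattern: three transitions a second apart, then a
    # lone one half a minute later.
    for t, p, s in simulate([0, 1, 2, 30]):
        print(f"t={t:>3}s penalty={p:7.1f} suppressed={s} "
              f"reuse in {seconds_until_reuse(p):.1f}s")
```

With the defaults the third flap in quick succession crosses 2000 and hides the interface for about seven seconds; the penalty ceiling of 16000 means no amount of flapping hides it for more than 20 seconds. If Seth really wants "X minutes", the knob is max-suppress together with a longer half-life, and the formulas above show what the reuse and suppress thresholds then need to be.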
Re: [c-nsp] IOS XR BFD
I've been planning to document the shortcomings of Fast Peering Session Deactivation for a long time; thanks for the nudge.

Summary: following an interface loss (on the BGP router) in an OSPF or IS-IS network, you might lose the route toward your BGP neighbor until SPF is run, resulting in BGP session loss.

I've written an article in our wiki for those of you who want to know more: http://wiki.nil.com/Aggressive_BGP_fall-over_behavior

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Mateusz Blaszczyk [mailto:blah...@gmail.com]
Sent: Tuesday, July 07, 2009 4:31 PM
To: Ivan Pepelnjak
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IOS XR BFD

Ivan,

> BTW, even the more traditional fast convergence techniques (internal BGP fast fallover) might be too aggressive and do more harm than good.

Could you elaborate a little more on that? I thought it would be a good idea (e.g. neighbor X fall-over route-map) to drop BGP session with a neighbour that suddenly disappeared from the network. In my scenario I am concerned that the scanner doesn't invalidate the routes because I have catch-all aggregate covering all my NHs floating there (I can't have full table so I have 0/0 from upstreams so I need the aggregate for my routes) so in other words it takes 3 minutes to close the broken session.

Best Regards,
-mat

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Multi-site single AS architecture
Almost identical setup has been discussed on Nanog mailing list in the beginning of June. Search the archives.

XCONNECT probably won't work over the Internet without MPLS/GRE/IP setup and then you'll hit the MTU issues.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Andy Ashley [mailto:li...@nexus6.co.za]
Sent: Wednesday, July 08, 2009 6:09 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Multi-site single AS architecture

Hi,

Apologies for this long post, I am hoping to explain in full: (there was a similar thread recently but I'm looking for slightly different info)

Background:

We currently have a primary site which has two 7206 border routers, each has an uplink and ebgp session over that into our primary transit provider. These border routers are also plugged into our two 6500 core switches (3BXL holding the full table). There is also a metro ethernet circuit which is plugged into one of the core switches. This circuit goes to another site (plugged into another 7206 there) on the other side of the city where we pick up some backup transit and peers at an exchange.

All routers peer with one another in the ibgp mesh, the two separate sites are in a confederation with different private AS numbers and externally are announced as the same AS. Presently all prefixes are announced via the primary site (tagged statics).

We need to make sure that this secondary site is visible should the metro ethernet break or the primary site is unavailable. What we proposed to do was firstly re-address the second site to use separate prefixes (few smaller /22 and /23 out of a larger aggregate announced from the primary site). Then to put a route in at the secondary site to ensure that the prefix in use there would still be announced via the backup transit provider and peers should the primary site or metro link have a problem.

We also need to be able to reach services at the secondary site from the primary should the metro link go down. This raises the problem of our routers not accepting their own AS in the AS path. I would prefer not to use the method of telling the routers to accept their own AS in the path if possible.

To get around this, we were thinking of using an xconnect tunnel to create a virtual backnet between border routers at each site. This should hopefully allow the ibgp sessions to stay up over this tunnel via the Internet instead of over the usually preferred direct connection. We are using xconnect statements at the moment to extend some VLAN's across the metro link between sites (router loopbacks are the end points). The MTU is set high at 9216 on the metro link and this works fine.

My questions:

1. Will the xconnect (encapsulation mpls) come up if connecting via the Internet instead of over a VLAN on the metro link?
2. What interface would be best to configure the xconnect from and to on each end?
3. Should we tell ibgp to peer with this interface instead of the loopbacks on each border router?
4. How reliable/recommended is this method? I'm wary of implementing something flaky..

Any comments or hints you may have to offer would be most welcome!

Thanks.

Andy.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] CBWFQ with LLQ on Cisco 876
The problem you have is that there's no outbound queue forming on the Dialer interface (PPPoE is too fast, as it goes over outside Ethernet).

http://blog.ioshints.info/2009/06/adsl-qos-basics.html

You have to apply shaping to force a queue to form. The shaping has to be configured on the physical interface (outside Ethernet), not on the dialer ...

http://blog.ioshints.info/2009/07/not-all-interfaces-are-created-equal.html

... and then you'll hit another jitter problem (see comments in the previous post).

I'm working on describing the whole problem (and the potential workarounds), but it will take time.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Jean Gervers [mailto:j...@gervers.com]
Sent: Wednesday, July 08, 2009 12:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] CBWFQ with LLQ on Cisco 876

Hi,

does anybody know if the Cisco 876 is supporting LLQ on Dialer Interfaces (PPPoE over ATM)? The Packets are classified correctly by NBAR:

Class-map: ef (match-all)
  21 packets, 5124 bytes
  5 minute offered rate 1000 bps, drop rate 0 bps
  Match: dscp ef (46)
  Priority: 33% (304 kbps), burst bytes 7600, b/w exceed drops: 0

and the dialer and corresponding virtual-access interface use Class-based queueing as queueing strategy:

Dialer1 is up, line protocol is up (spoofing)
  Interface is bound to Vi1
  Output queue: 0/1000/0 (size/max total/drops)

Virtual-Access1 is up, line protocol is up
  Queueing strategy: Class-based queueing

But I still experience a huge Jitter/Delay when I start other high volume TCP Connections.

Thanks in advance,
Jean

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IOS XR BFD
> And my question is not how I should be in this situation. What is the logical explanation that BFD does not work in internal neighbors?

> because it hasn't been developed to work in this scenario under XR, which is likely due because it's not a commonly deployed setup.

... because most Service Provider designs use IGP to address next-hop reachability issues and convergence and BGP solely to transport reachability information (which IP prefix is reachable through which next-hop).

And, lacking the infinite development resources, Cisco (and all other vendors) usually implement what people that buy lots of boxes use in their networks (that's why the IS-IS implementation is so good).

BTW, even the more traditional fast convergence techniques (internal BGP fast fallover) might be too aggressive and do more harm than good.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
> If you're the customer (having only CE routers), this is a classic primary/backup problem, only this time using BGP as the core routing protocol.

> This sounds like what I'm planning on doing. GRE for the routing protocols; we are on the CE end. If you could, please elaborate on the routing that is involved, thanks!

The simplest thing would be to run BGP everywhere and make the paths over the GRE tunnels less preferred (for example, by using lower local preference).

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
If you're the customer (having only CE routers), this is a classic primary/backup problem, only this time using BGP as the core routing protocol.

If you're the provider (using MPLS between your BGP routers to offer whatever services), you can run MPLS over GRE over IPSec on the backup link (just watch for MTU issues). We built a pretty large network using it and after the initial kinks it works perfectly.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: Peter Rathlev [mailto:pe...@rathlev.dk]
Sent: Tuesday, June 30, 2009 11:51 PM
To: ChrisSerafin
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN

On Tue, 2009-06-30 at 14:11 -0500, ChrisSerafin wrote:
> I have a few MPLS routers running BGP as the routing protocol. I added a public IP'ed interface on a free port on the same router, and I'm able to get to it and use it for Internet bound traffic if I wish. I would like to configure an IPSEC VPN to provide backup if the MPLS provider fails. I'm having a hard time with Cisco TAC on this, mainly them getting back to me. Dumbed down diagram is at: http://chrisserafin.com/design.jpg
>
> I just want a basic split tunnel VPN in the event the primary MPLS/BGP link goes down. I'm assuming let BGP take care of the MPLS side and add static routes with a very high weight for the VPN failover?

And the VPN-link needs to carry MPLS traffic too? MPLSoGRE could be an option, but support is very limited AFAIK. Otherwise some extra equipment doing L2TPv3 might work. Performance limitations might very well rule this out.

If MPLS isn't needed a simple GRE tunnel would of course do. You could even create a new tunnel per VRF if you need reachability in several of these. It scales badly concerning administration though.

Regards,
Peter

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] BGP Simulator - world feed
> Is there anything like this out there? Or do I have to get my programmers to knock it up? ;-)

Dump the BGP table, process it with PERL, generate Quagga configuration and you're done ... and don't forget to post the script when it works ;)

Here's a sample very simple Quagga configuration: http://wiki.nil.com/Use_Quagga_to_generate_BGP_routes

Best regards
Ivan

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
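Ivan's recipe (dump the table, process it, generate Quagga configuration) is three steps, and the middle one is where the details hide: only the best path per prefix should be kept, classful entries in show ip bgp output carry no mask, and iBGP paths are flagged differently. This is an added example, not from the thread and not the script Ivan is asking for: a Python version of the processing step that reads a constructed show ip bgp excerpt and emits a bgpd configuration originating the same prefixes with network statements. The AS numbers, router ID and neighbor address are placeholders from the documentation ranges.

```python
"""Added example (not from the thread): turn the best paths of an IOS
'show ip bgp' dump into a Quagga bgpd configuration that originates the
same prefixes.  The dump and the AS numbers below are constructed."""
import re

# Constructed 'show ip bgp' excerpt.  '*>' marks the best path, classful
# networks are printed without a mask, and 'i' right after '>' is iBGP.
SAMPLE_DUMP = """\
BGP table version is 12, local router ID is 192.0.2.100
   Network          Next Hop            Metric LocPrf Weight Path
*> 203.0.113.0/24   192.0.2.1                0             0 64496 i
*  203.0.113.0/24   192.0.2.2                0             0 64497 64496 i
*> 198.51.100.0     192.0.2.1                0             0 64496 64498 i
*>i10.0.0.0         192.0.2.9                0    100      0 i
*  192.0.2.0/24     192.0.2.2                0             0 64497 i
"""

# Best-path lines only: '*>' or '*>i', then the network with optional /len.
BEST_PATH = re.compile(r"^\*>i?\s*(\d+(?:\.\d+){3})(?:/(\d+))?")


def classful_prefix_len(network):
    """IOS omits the mask on classful networks: infer /8, /16 or /24."""
    first_octet = int(network.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def best_prefixes(dump):
    """Best-path prefixes in table order, each once, always with a length."""
    seen, prefixes = set(), []
    for line in dump.splitlines():
        m = BEST_PATH.match(line)
        if not m:
            continue
        network, plen = m.group(1), m.group(2)
        prefix = f"{network}/{plen or classful_prefix_len(network)}"
        if prefix not in seen:
            seen.add(prefix)
            prefixes.append(prefix)
    return prefixes


def quagga_bgpd_config(prefixes, local_as, router_id, neighbor, neighbor_as):
    """bgpd.conf fragment with one 'network' statement per prefix."""
    lines = [
        f"router bgp {local_as}",
        f" bgp router-id {router_id}",
        f" neighbor {neighbor} remote-as {neighbor_as}",
    ]
    lines += [f" network {p}" for p in prefixes]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(quagga_bgpd_config(best_prefixes(SAMPLE_DUMP),
                             64496, "192.0.2.100", "192.0.2.200", 64500))
```

Whether bgpd originates a network statement without a matching route in its RIB depends on the bgp network import-check setting; where that check is on, either turn it off or add a static route per prefix before feeding a full-table dump through this. A real dump also wraps long lines (the network on one line, the path on the next), so extend BEST_PATH before pointing it at a full table.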
Re: [c-nsp] passive-interface on VRF-specific OSPF process
> while configuring an OSPF process for a VRF on a Cisco 3550-12G (running 12.2(25)SE) I notice that the command passive-interface is unavailable. How can this be?

Interesting ...

> Is there another way I can suppress routing updates on an interface?

Sure - filter inbound OSPF packets. If there's no adjacency (and there will be none if you are not receiving HELLO packets), there are no routing updates.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] passive-interface on VRF-specific OSPF process
> while configuring an OSPF process for a VRF on a Cisco 3550-12G (running 12.2(25)SE) I notice that the command passive-interface is unavailable. How can this be? Is there another way I can suppress routing updates on an interface?

> You can put actual network commands in ospf configuration section. For example:
>
> network 172.16.8.1 0.0.0.0
> network 172.17.0.30 0.0.0.0
> network 172.17.0.242 0.0.0.0
>
> It will activate interfaces in the target VRF only. You can redistribute any other routes you need to announce.

... And we're back to the neverending question: ignoring the obvious implications for stub areas, is it better to advertise connected subnets as parts of router (type-1) LSA or as individual external (type-5) routes?

Any thoughts or preferences?

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] passive-interface on VRF-specific OSPF process
Getting way off topic ...

Transit interface (more than one router) = Type 2 LSA
Stub interface (no OSPF neighbors) = stub network within Type 1 LSA

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

From: Manu Chao [mailto:linux.ya...@gmail.com]
Sent: Friday, June 26, 2009 3:52 PM
To: Ivan Pepelnjak
Cc: Roman A. Nozdrin; Lukas Garberg; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] passive-interface on VRF-specific OSPF process

type-2 ;)

On Fri, Jun 26, 2009 at 3:32 PM, Ivan Pepelnjak i...@ioshints.info wrote:

While configuring an OSPF process for a VRF on a Cisco 3550-12G (running 12.2(25)SE) I notice that the command passive-interface is unavailable. How can this be? Is there another way I can suppress routing updates on an interface?

You can put actual network commands in the ospf configuration section. For example:

network 172.16.8.1 0.0.0.0
network 172.17.0.30 0.0.0.0
network 172.17.0.242 0.0.0.0

It will activate interfaces in the target VRF only. You can redistribute any other routes you need to announce.

... And we're back to the never-ending question: ignoring the obvious implications for stub areas, is it better to advertise connected subnets as parts of the router (type-1) LSA or as individual external (type-5) routes?

Any thoughts or preferences?

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] Reload without confirmation
I wanted to propose the EEM solution :) How about Tclsh with the typeahead command?

http://wiki.nil.com/Insert_responses_to_command_prompts_in_Tclsh

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: David Freedman [mailto:david.freed...@uk.clara.net]
Sent: Wednesday, June 24, 2009 2:26 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Reload without confirmation

Am trying to reload a low end IOS device (c800 in this case) without displaying a confirmation prompt.

My issue is that the platform needing to issue the command cannot see the VTY output so could not be expected to respond to a confirmation prompt; looked in vain for some kind of /noconfirm flag but didn't find one...

Does not appear to be possible with SNMP (even though it accepts the snmp-server shutdown command).

My current solution is to use an EEM applet called manually with a single action of reload; unfortunately this only applies to 800 images with EEM (I would guess ADV images only).

Anybody come up with a better solution?

TIA

Dave.
Re: [c-nsp] OSPF
Are you talking about OSPF reconvergence time in this situation?

If you are, the answer is 4 x the OSPF hello timer configured on the interfaces (by default: 40 secs for broadcast multi-access and point-to-point and 120 secs for NBMA links).

Plus (worst case) the LSA origination timer (default: 5 seconds) + LSA flooding timer + SPF interval (which could be exponential, default maximum value is 10 seconds).

In most cases, unless you've tuned your network, you can add a few seconds to the hello timer calculation due to the initial SPF delay (default: 5 seconds).

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] ipv4 link-local for eigrp
You could use unnumbered Ethernet VLAN subinterfaces assuming your IOS release supports them (or you could get your gear upgraded to a release that does ... I am utterly confused when faced with Catalyst IOS releases):

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtunvlan.html

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Alexander Clouter [mailto:a...@digriz.org.uk]
Sent: Saturday, June 20, 2009 2:51 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ipv4 link-local for eigrp

Hi,

After an organisational switch refresh last year we have been fortunate enough to end up surrounded by nothing but 3750 stacks (c3750-ipbasek9-mz.122-50.SE1.bin) at the edge of the network; the core is made up of a pair of 6509's (s72033-ipservicesk9-mz.122-33.SXI.bin).

[...]

The biggest issue is all the rfc1918 usage in the /30s used to force the L3 routes out to the edge of the network, which makes traceroutes ugly. I really do not want to put aside publicly routable addresses that are just used to pass EIGRP data around, as that would involve soaking up over 50 /30s, a bit of a waste.

So what to use? I am pretty keen to use link-local IPv4 addresses (169.254.0.0/16), much like I plan to for IPv6, to build up the L3 point-to-point links, and they are perfect for this situation. The downside is that I run into the following issues:

1. 169.254.0.0/16 can start to appear in the distributed EIGRP listings
2. traceroutes have 169.254.0.0/16 addresses in them
3. 169.254.0.0/16 is pingable by edge hosts as the switch they are plugged into knows of at least one 169.254.0.0/16 address. These addresses should never escape the local subnet

Now apparently I can solve the first issue by properly fixing up the way we use EIGRP, possibly involving liberal use of 'ip prefix-list' filtering or something similar?

There is *very* little online about whether the second issue can even be solved on Cisco kit, but I did stumble on a suggestion to use NAT/route-maps (that would work perfectly for us as the Loopback0 interface on our kit is a non-rfc1918 address):

https://cisco.hosted.jivesoftware.com/message/4910

I could not get this to work, but I was only tinkering with it for a couple of hours. If only IOS had an 'ip icmp source interface ...' command :)
Re: [c-nsp] the ospf O*E2 route type can not be redistributed between two ospf process
See also http://wiki.nil.com/OSPF_default_routes for more details.

Best regards
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Geoffrey Pendery [mailto:ge...@pendery.net]
Sent: Friday, June 19, 2009 2:36 PM
To: ying-xiang
Cc: cisco-nsp
Subject: Re: [c-nsp] the ospf O*E2 route type can not be redistributed between two ospf process

Well, if you're talking about default-information originate, then the route in question is 0.0.0.0/0, default. It's special - you can't just tell an OSPF process to redistribute 0.0.0.0/0. If you want both processes to distribute default, then they both need the default-information originate command.

-Geoff

On Thu, Jun 18, 2009 at 11:58 PM, ying-xiang ying-xi...@163.com wrote:

hi, folks

anyone knows the reason why i can not redistribute the O*E2 route which is generated by one ospf router using the default-information originate command to another ospf process?
Re: [c-nsp] Redirects / hair-pinning traffic vs. performance
Just guessing: for PBR you need netflow-like TCAM entries, so the first packet in the flow is always processor-switched and then the subsequent packets can be hardware-switched.

Does this make sense to the switching gurus?

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Rodney Dunn [mailto:rod...@cisco.com]
Sent: Thursday, June 18, 2009 8:35 PM
To: Peter Rathlev
Cc: cisco-nsp
Subject: Re: [c-nsp] Redirects / hair-pinning traffic vs. performance

Curious... I don't know that platform forwarding architecture. But what does 'sh int stat' give you? Also, sh ip traffic a couple times once you start the traffic.

On Thu, Jun 18, 2009 at 07:13:02PM +0200, Peter Rathlev wrote:

On Thu, 2009-06-18 at 00:01 +0000, Peter Rathlev wrote:

I have the need to introduce some PBR to solve a hopefully temporary problem. Some of the traffic being routed will leave the same interface as it arrives on. My worry is if this would have any performance impact when the traffic arrives on and leaves from the same interface. I could imagine that some forwarding implementations might penalize this scenario.

Follow up: We've tested this and it works fine. It seems to have some CPU impact when the unit policy routes, but not much. When pushing 100 mbps of traffic through, the CPU rises to ~25-30% for a few seconds (spent on interrupt switching) and then falls down to ~5% again. This might be PBR-specific and have nothing to do with the traffic arriving on and exiting the same interface though.

We will be doing some more (production) testing soon, with more flows and more bandwidth. I can't see why the number of flows should matter since the 3560 AFAIK just pushes packets, but I also can't see why the start of a TCP session should matter. The ip route-cache hasn't been disabled of course; I assume this would have a detrimental effect on performance.

Regards,
Peter
Re: [c-nsp] Global Route Leaking on same PE
The last time I've seen discussion on this topic, you had to have an external back-to-back connection between a VRF interface and a global interface.

-Original Message-
From: Clue Store [mailto:cluest...@gmail.com]
Sent: Tuesday, June 16, 2009 4:18 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Global Route Leaking on same PE

Hi All,

Looked through the archives but couldn't find anything about this specific issue. I'm trying to leak a route from the global table on a PE to an interface that is on the same PE, but I get the following when I try to just point it to a loopback.

ip route vrf test 64.193.x.x 255.255.255.248 192.168.222.1 global
%Invalid next hop address (it's this router)

Also tried to point it to just the interface and it says vpn routes have to be pointed to next-hop addresses. Anyone have some clue how to get this to work where the traffic never leaves the same PE and makes a loop around the network??

TIA
Re: [c-nsp] A question about TACACS+ and controlling command use
The obvious answer is to restrict the use of the shutdown command. Unfortunately the technicians that often make the mistakes have to be able to use the command to shut down Serial or Ethernet interfaces in the course of their work.

Something along the lines of these EEM Tcl policies:

http://wiki.nil.com/Display_configuration_sections_while_configuring_the_router

Write one Tcl policy that recognizes the interface name and saves it with appl_setinfo. The other Tcl policy should recognize the shutdown command, retrieve the saved interface name and check it.

Not too elegant, but working.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] EEM - action syslog working but action cli command working
Could be yet another prompt-related EEM bug. See

http://blog.ioshints.info/2008/02/fix-bugs-in-eem-action-cli.html
http://blog.ioshints.info/2007/12/execute-cli-commands-with-prompts-in.html

Use the EEM debugging (debug event man action cli) to verify what's going on.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Rishi Kochar [mailto:irsk@gmail.com]
Sent: Saturday, June 13, 2009 12:20 AM
To: cisco-nsp
Subject: [c-nsp] EEM - action syslog working but action cli command working

Hi

I am trying to develop a small EEM applet to test shut a port when an event on the port occurs. The script I have written is

event manager applet EMSHUT
 event syslog occurs 1 pattern my pattern
 action 1.0 syslog priority emergencies msg HELLO
 action 1.1 cli command enable
 action 1.2 cli command conf t
 action 1.3 cli command voice-port 0/1/1
 action 1.4 cli command shut

This script is printing HELLO in syslogs but won't shut down the voice-port. Any help on this will be highly appreciated.

Thanks
Inder
Re: [c-nsp] Policy Based Routing on Cisco 6500
PBR by its nature is operationally brittle and ugly; if there's another way to accomplish one's goal, it's generally best to pursue an alternate method, if at all possible.

Absolutely forcefully agree :)

While this is a bit off-topic, here's an example of what you can do with a distance-vector routing protocol:

http://www.nil.com/ipcorner/ScalablePolicyRouting/

MPLS + BGP or MPLS TE can also solve numerous issues for which people tend to use PBR.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] Cisco IOS content filtering
Haven't tried the server-based configuration yet (it only works on ISRs); here's what you can do locally:

http://wiki.nil.com/Local_Content_Filtering_in_Cisco_IOS

Best regards
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Jay Nakamura [mailto:zeusda...@gmail.com]
Sent: Monday, June 08, 2009 8:33 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco IOS content filtering

I am trying out for the first time the IOS content filtering feature. Detailed documentation seems a little lacking. One thing I can't find references to is what exactly each of the security categories and productivity categories includes. For example, UNBLEMISHED, what web sites does that include?

Anyone have any info on this?

Thanks!
Re: [c-nsp] ICMP replay from egress PE
The only reason I could see for this behavior is the platform-specific IP packet processing on the egress PE router. Obviously the difference between the 7300 and the ASR is the exact moment at which the TTL is decremented in the switching path. Based on your description, the ASR decrements TTL before the LFIB lookup is performed and thus decrements the label TTL, whereas the 7301 decrements TTL after the LFIB lookup causes the VPN label to be popped, exposing the IP packet, and thus decrements the IP TTL.

I am not sure you can get what you used to have with the ASRs. You could still, though, ping the PE2/PE3 in-VRF IP address from CE1 to verify that the PE-CE links are up (and I'm positive you know all this), but obviously cannot perform end-to-end path verification if CE2/CE3 block traceroute probes.

How about inspecting the VRF routing table on PE1? Do you have access to it?

Interesting behavior, thanks for sharing it!

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Pshem Kowalczyk [mailto:pshe...@gmail.com]
Sent: Wednesday, June 03, 2009 4:27 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ICMP replay from egress PE

Hi,

Recently we've upgraded some of our 7301 to ASR (1004). Config remained pretty much the same (from the L3VPN perspective), but it looks like the behaviour of both platforms is somewhat different. I'm not sure if it's a feature or a bug yet.

We have a typical setup, like this:

CE1 --- PE1 --- P1 --- P2 --- PE2 --- CE2
                       |               |
                       + --- PE3 --- CE3

So the customer's site is multihomed via PE2 and PE3 and has an internal connection between CE2 and CE3.

With the 7301, traceroute from CE1 used to show the IP of PE2 or PE3 (egress interface from the vrf); after the upgrade to ASRs, all we can see is PE1's IP and then straight CE2/CE3, but since the customer drops icmp packets, we can't really see which way it's really going.

Is there a way to get an ICMP reply from the egress ASR? I understand it switches the packets out through the interface without actually doing any lookups, but even after forcing 'label-per-vrf' we can't see the last hop.

Any ideas if this behaviour can be corrected?

kind regards
Pshem
Re: [c-nsp] MPLS
Absolutely agree with Bruce. For your particular setup, it would be best to use two pseudowires (A-B and B-C) and run your own routing protocol over them. This would (worst case, try to avoid) also allow you to transport non-IP LAN data between sites (I don't know what the DS8100 can do).

However, keep in mind that VPWS or VPLS are not 100% reliable (you might experience packet drops, jitter or congestion), so check what's acceptable with your SAN vendor.

As for security: don't rely on the "MPLS/VPN is secure" pamphlets published by vendors and independent labs. MPLS VPN is undoubtedly infinitely better than the public Internet, but if you need true security, use IPSEC. More details here:

http://blog.ioshints.info/2009/04/true-or-false-mpls-vpns-offer.html

Hope this helps
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Bruce Pinsky [mailto:b...@whack.org]
Sent: Friday, May 29, 2009 6:27 PM
To: madunix
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS

madunix wrote:

I have 3x sites with DS8100 SAN Storage at each side. I will be replicating data from one side to another (A - B, synchronous, distance 100Km) and (B - C, asynchronous, 300Km). Am thinking to use MPLS based on IP-VPN since it's secure and not visible to other customers or the internet. Out of your experience ... what do you think about it?

Well, it's not secure, it's simply routing isolated. If you want security, as in encryption, you will need to do that on your own.

If you need low convergence times, MPLS/VPN is probably not your best choice. I don't know of many (if any) providers who will guarantee the convergence times through their network. You should expect convergence times in the 10's of seconds or more for certain types of failures.

You may want to consider getting an L2VPN solution such as VPWS or VPLS and running your own routing protocol and failure detection methods.

-- 
=bep
Re: [c-nsp] Remove BGP AS path number number from an AS PATH
Let's be more precise. There is no publicly known way to remove a non-private AS number from the AS-path on a device running Cisco IOS ... but you could always adapt the Quagga source code to your needs.

As pointed out by previous replies, tweaking the AS-PATH is a really bad idea. BGP has numerous other tools.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: mas...@nexlinx.net.pk [mailto:mas...@nexlinx.net.pk]
Sent: Thursday, May 28, 2009 6:56 PM
To: Varaillon Jean Christophe
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Remove BGP AS path number number from an AS PATH

yup, you can't remove a public AS from the AS path. would you please share the idea why you wanna remove it :) there are many other attributes to tweak bgp, why not use them.

BR\\
Masood

I doubt that you can do that... but if this is to influence your outgoing traffic, then I would use local-preferences.

Christophe

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Michalis Palis
Sent: Thursday, May 28, 2009 9:49 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Remove BGP AS path number number from an AS PATH

Hello All

Is there a way to remove the first AS number (not private) from an AS path? For example we are receiving a route with AS PATH 123 456 456 456 and we want to remove the 123 AS and put in the BGP table the route with AS 456 456 456.

Thanks for your reply
Re: [c-nsp] Dual homed but no BGP
Pointers to everything you've ever wanted to know (and probably a lot of what you don't want to know :)

http://wiki.nil.com/Small_site_multihoming

Hope it helps
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Roy [mailto:r.engehau...@gmail.com]
Sent: Thursday, May 21, 2009 5:56 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Dual homed but no BGP

Does anyone have an example of a dual homed router without BGP but with NAT?
Re: [c-nsp] network simulator
Dynamips (which is under the hood of GNS3) could be used to emulate IOS switching behavior as long as what you're trying to do is supported on the routers. If you're testing standard spanning tree, Dynamips should be just fine (you'll just configure routers as bridges).

OPNET is a great network simulation tool. I used it years ago and I was deeply impressed. They might have academic or test licenses.

You might also want to consider Cisco's PacketTracer:

http://www.cisco.com/web/learning/netacad/course_catalog/PacketTracer.html

Some other tools are listed here:

http://www.idsia.ch/~andrea/sim/simnet.html

Best regards
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

I'm looking for a (free) network simulator that allows me to simulate a small network (20 switches) with different vlans on it. I want to test different scenarios: what happens if this switch goes down or that link goes down, how do the packets flow in each scenario for the different vlans...

Anyone has a good reference to such a product? Free would be nice but is no absolute condition.
Re: [c-nsp] BGP Config
I absolutely agree with Charles ... although not on the "provider will give you the necessary details" part. I've seen some service providers that were somewhat inadequate in that respect (trying to be diplomatic :).

You might find some of the links/videos on my BGP resource center useful:

http://wiki.nil.com/BGP

The next starting point is Cisco's BGP page:

http://www.cisco.com/en/US/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html

Hope this helps!
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Charles Wyble [mailto:char...@thewybles.com]
Sent: Monday, May 18, 2009 11:22 PM
To: Alain Camille
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP Config

This should be provided by your ISP. Lots of BGP docs on the net. If you're asking for help on the c-nsp list with an ultra generic topic, please please please please get some training and do some reading. Again, your provider will give you the necessary details.

Alain Camille wrote:

My ISP will be maintaining the BGP configuration for my organization. I need a minimal BGP configuration on my core device that will allow connectivity to the ISP. Looking for some direction.

Thanks.
Re: [c-nsp] 3750 High Cpu IP Input
Your CPU is @ 70%, 25% of those spent in interrupt (CEF) packet switching (the difference between 68% and 43% in the five-second figures), yet the IP Input uses only 16%. There might be something else going on?

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Peter Rathlev [mailto:pe...@rathlev.dk]
Sent: Thursday, April 23, 2009 10:01 PM
To: Chris Lane
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750 High Cpu IP Input

On Thu, 2009-04-23 at 13:51 -0400, Chris Lane wrote:

Having a high cpu with my 3750 not in stack.

sh proc cpu | exclude 0.00
CPU utilization for five seconds: 68%/43%; one minute: 69%; five minutes: 70%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
16840336940 92166921437 15.49% 15.76% 15.97% 0 IP Input

WS-C3750-48TS 12.2(35)SE2 C3750-ADVIPSERVICESK

According to some old threads this was a bug in some older IOS which was fixed in 12.2(25)

Egress port is quiet:
5 minute input rate 11171000 bits/sec, 1353 packets/sec
5 minute output rate 2821000 bits/sec, 681 packets/sec

Sure I can upgrade IOS! Looking to know WHY this box is so hot!

When you see the box spending processor time in IP Input it's because it cannot hardware switch the traffic it moves. This is (almost) always a bad thing when you're looking at a L3 switch.

There can be several reasons for this. Features not supported in hardware (= most features, e.g. GRE or NAT) is one possible thing. TCAM starvation/overflow could also make the box do software switching. It depends on your configuration. Has it always done this?

Regards,
Peter
Re: [c-nsp] two ISPs, two routers, one firewall - bgp question
Outbound traffic traverses the DMZ segment twice (FW - R2 - R1). Inbound traffic traverses the DMZ segment once (R2 - FW). The difference is that the FW has no idea where to send the traffic (follows the default route), whereas R2 knows the internal network is reachable through the FW.

Hope this helps
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Rossella Mariotti-Jones [mailto:rosse...@chemeketa.edu]
Sent: Monday, April 06, 2009 6:22 PM
To: cisco-nsp@puck.nether.net
Cc: cisco-nsp@puck.nether.net
Subject: [c-nsp] two ISPs, two routers, one firewall - bgp question

Hello all,

I have a question regarding this scenario:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf5

My R2 link to ISP is 100M
R1 link to ISP is a DS3

If my firewall has a default route of 192.168.21.2 and I have a 10M download going with AS300, my firewall is going to send out my traffic through its default gateway which is 192.168.21.2. R2 knows through iBGP that R1 is the best path to AS300, so it sends the traffic to R1; traffic coming back goes through R1, R2, firewall to get to the client, so basically in this case the link between my firewall and R2 is taken up twice. Am I understanding this correctly?

Thanks everyone in advance.
rossella

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jon Lewis
Sent: Monday, April 06, 2009 8:12 AM
To: Rick Ernst
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Getting ready to pull the trigger: RSP720/SUP720

On Mon, 6 Apr 2009, Rick Ernst wrote:

I'm planning on collapsing the border/core into a pair of 7600/Sup720-3BXLs, and it looks like they will be almost idle with this amount of load.

That really depends on the features you enable. Try doing full netflow on a sup720 doing a few hundred mbit's of traffic, and they're suddenly not so mighty.

The problem I am running into is spec'ing the aggregation layer. Almost all of our traffic is ethernet now, and all the interfaces need bi-directional rate-limiting/traffic-shaping/policing. We have a variable bandwidth model and need to cap traffic at 1Mbs granularity. 1, 5, and 10Mbs connections are common, and 20, 50, 100Mbs connections exist with a 200Mbs pipe in process.

We've been using 3550's for years for this, as they have the ability to police in both directions, per port, at whatever granularity you like. The 3560, which was supposed to be an improvement/replacement for the 3550, lost this ability, which really shocked me when I configured my first one. It can do per-port output shaping, but the granularity kind of blows. You're limited to 1/N * port rate, where N is an integer from 0 to 65535. This gives plenty (actually a huge waste of range) of granularity at the low end of bandwidth, but at the high end, you're limited to full rate, 50%, 33%, 25%, 20%, etc. If I'm wrong here, I'd love to hear it and be told how to limit a 100mbit port to say 40mbit/s.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: [c-nsp] EEM event-manager and event none question.
An EEM applet can be triggered only by a single condition. If you want to trigger it from the command line (with the event man run command), it cannot be triggered by anything else, so it must have the event none pseudo-trigger. The event none is used to indicate that "no trigger" is actually what you want to do (as opposed to "I forgot to specify the trigger").

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: luismi [mailto:asturlui...@gmail.com]
Sent: Monday, April 06, 2009 6:18 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EEM event-manager and event none question.

I have this code...

event manager applet A-EU-UP
 event track 10 state up
 action 1.0 syslog msg Track 10 Up. Houston we don't have a problem
 action 2.0 cli command enable
 action 3.0 cli command conf t
 action 4.0 cli command some commands here

I tried to execute...

# event manager run A-EU-UP
Embedded Event Manager policy EU-ACEL-BACKUP-OFF not registered with event none Event Detector

What is the reason for that message? Looks like the EEM code is not running.

As far as I can read in the documentation found with google, I need event none at the beginning of the applet, but what is the reason for it? When must event none be used?
Re: [c-nsp] how to filter some specific logging message
The drops keyword expects a regular expression. You should use "fem" instead of "*fem" (or maybe ".*fem").

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Manu Chao [mailto:linux.ya...@gmail.com]
Sent: Wednesday, April 01, 2009 12:26 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] how to filter some specific logging message

Is it possible to filter some specific syslog message with the logging filter command or with logging discriminator? There are some cosmetic bugs that I need to filter...

Example: I don't want the specific message including "fem" to be sent to my remote syslog server. I tried that configuration but no way :( Maybe a syntax problem, maybe not possible to filter?

logging discriminator nolog msg-body drops *fem
logging host x.x.x.x discriminator nolog

Thanks for your help
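As an added illustration (not code from the thread or from IOS), a small Python model of the discriminator's msg-body drops/includes, facility drops and severity drops fields, run over constructed IOS-style syslog lines: "*fem" is rejected as a regex, "fem" and ".*fem" suppress the cosmetic message, and a helper checks that the filter does not also swallow login-failure messages. The message format and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Rough shape of an IOS syslog message: %FACILITY-SEVERITY-MNEMONIC: body (assumed)
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)$"
)

# Constructed sample messages, not captured from a device; the "fem" line stands
# in for the cosmetic message the original poster wanted to keep off the syslog host.
SAMPLE_LOG = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%PLATFORM-4-EXAMPLE: fem counter reset (constructed cosmetic message)",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7]",
]


@dataclass
class Discriminator:
    """Subset of 'logging discriminator <name>' semantics: a 'drops' regex
    suppresses matching messages, an 'includes' regex forwards only matching ones."""
    name: str
    msg_body_drops: Optional[str] = None
    msg_body_includes: Optional[str] = None
    facility_drops: Optional[str] = None
    severity_drops: frozenset = frozenset()

    def _regex(self, pattern: Optional[str]):
        if pattern is None:
            return None
        try:
            return re.compile(pattern)
        except re.error as exc:
            # "*fem" lands here: a leading "*" has nothing to repeat, so the
            # filter can never match. "fem" or ".*fem" is what was meant.
            raise ValueError(f"discriminator {self.name}: bad regex {pattern!r}: {exc}")

    def forwards(self, line: str) -> bool:
        """True if the message would be sent to a host bound to this discriminator."""
        m = SYSLOG_RE.search(line)
        if m is None:
            return True  # unparseable lines pass through untouched
        body_drop = self._regex(self.msg_body_drops)
        body_keep = self._regex(self.msg_body_includes)
        fac_drop = self._regex(self.facility_drops)
        if body_drop is not None and body_drop.search(m["body"]):
            return False
        if body_keep is not None and not body_keep.search(m["body"]):
            return False
        if fac_drop is not None and fac_drop.search(m["facility"]):
            return False
        return int(m["severity"]) not in self.severity_drops


def forwarded(lines: List[str], disc: Discriminator) -> List[str]:
    """Messages reaching a 'logging host x.x.x.x discriminator <name>' target."""
    return [ln for ln in lines if disc.forwards(ln)]


def suppressed_login_events(lines: List[str], disc: Discriminator) -> List[str]:
    """Pre-deployment check: login/authentication messages the filter would hide.
    A filter meant for a cosmetic bug should leave this list empty."""
    return [ln for ln in lines if not disc.forwards(ln) and "LOGIN" in ln]
```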
Re: [c-nsp] Subnet Traffic
If you put each subnet in a VLAN, you could use interface counters. Unfortunately, life is rarely so simple.

-Original Message-
From: char...@thewybles.com [mailto:char...@thewybles.com]
Sent: Monday, March 30, 2009 10:15 PM
To: Mohammad Khalil; cisco-nsp-boun...@puck.nether.net; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Subnet Traffic

Put each subnet in its own vlan and use netflow?

--Original Message--
From: Mohammad Khalil
Sender: cisco-nsp-boun...@puck.nether.net
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Subnet Traffic
Sent: Mar 30, 2009 12:53 PM

Hey all, we have multiple international links, and we have multiple customers with their own subnets in addition to our subnets. Is there a way to know how much traffic each subnet consumes? Is there any way to draw this traffic per subnet?

Thanks in advance

Best Regards,
Mohammad Khalil
Re: [c-nsp] EIGRP Neighbor tracking
If all you need is to track whether you can ping the directly connected IP address and react on the tracked object down status, you can use EEM with the event track X state up|down trigger. See the "Not so very static routes" section in this article http://www.nil.com/ipcorner/SmallSiteMultiHoming/ for the SLA and tracking object configuration. The "Monitoring reliable static routing" section in the same article has the EEM examples.

If you happen to be running EIGRP on the link (as your message subject would indicate), you can use the syslog event detector in EEM to detect when the EIGRP neighbor goes down. EEM is also able to generate SNMP traps if that's what you prefer to receive.

If you need more EEM sample code (for example, how to send an e-mail), check my EEM posts (http://blog.ioshints.info/search/label/EEM) or EEM sample scripts in our wiki (http://wiki.nil.com/Category:EEM).

Hope this helps
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Ryan Hughes [mailto:rshug...@gmail.com]
Sent: Thursday, March 26, 2009 5:36 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EIGRP Neighbor tracking

Hi,

Just wondering if anyone on the list has run into issues where their routed Metro-E links will sometimes stay up as the mux isn't properly downing the interface (cheap gear without interface tracking per se) when the circuit goes down. Pinging the interface doesn't really apply in this situation as there are routed dark fiber links for backup connectivity. I was thinking along the lines of an EEM script to source pings from the connected interface and see if it's up and send an SNMP but I haven't had time to script it. I really don't need to accomplish anything fancy - just an alarm so the NOC can see it and report it to us. Researching the SNMP MIB but there didn't seem to be anything available.

I had run into this issue in the past but I was doing BGP over the link which obviously offers the neighbor down SNMP trap. Honestly, I'd prefer to have the provider resolve the issue on their gear but given the aggressive pricing of the circuit I'm not sure I have much recourse.

Appreciate the feedback.

Ryan
Re: [c-nsp] Needs some help with QOS
> I have crafted and applied some rules which I thought would prioritize
> traffic from an 871w (via ADSL) to one specific host. The idea is that any
> traffic destined to this host should be prioritized over all other traffic.

What is your upstream connection? If you're using PPPoE, you won't be able to do any output queuing, as the outbound LAN interface is never saturated (the bottleneck is experienced by the DSL modem).

Ivan
Re: [c-nsp] Needs some help with QOS
Exactly true ... That would be my next answer :)

However, the problem is that it's somewhat hard to estimate what the shaping bandwidth should be in DSL environments (you have the cell tax on top of PPPoE plus an unknown amount of oversubscription in the SP network) if you want to squeeze as much out of the DSL line as possible.

Best regards
Ivan

-Original Message-
From: Tim Franklin [mailto:t...@pelican.org]
Sent: Tuesday, March 24, 2009 1:57 PM
To: Ivan Pepelnjak
Cc: 'John Lange'; 'Cisco NSP'
Subject: Re: [c-nsp] Needs some help with QOS

On Tue, March 24, 2009 12:12 pm, Ivan Pepelnjak wrote:
> What is your upstream connection? If you're using PPPoE, you won't be able
> to do any output queuing, as the outbound LAN interface is never saturated
> (the bottleneck is experienced by the DSL modem).

If you know what your upstream bandwidth is, you can wrap a shaper around the queueing policy to provide the back-pressure. Useful for all sorts of 'ethernet hand-off' type services where the circuit provider has some other device upstream of your router.

Regards,
Tim.
Re: [c-nsp] Needs some help with QOS
> http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800b2d29.shtml
>
> Basically, the virtual interfaces do not implement the back-pressure
> algorithm necessary to signal that excess packets should be queued by the
> Layer 3 (L3) queueing system.
>
> Ok, so I'm going to have to implement a new solution based on that document.
> So just a final question, would the solution have worked if it was on a
> regular interface? I just want to make sure I had the right idea.

Yes, assuming that your outgoing interface is the bottleneck. For example, if you have a point-to-point uplink, it's usually the bottleneck and the queuing works as expected. But if you have a Fast Ethernet link into the SP network which polices you @ 2 Mbps, the output queue will never form at your output FE interface. Yet again, you'll have to configure shaping to introduce an artificial bottleneck.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem
Did some tests on the NON-EXIST-MAP with 12.2SRC. I was spreading wrong rumors, time to fix them:

* The route-map checks the routes in the BGP table (_not_ in the IP routing table). Dale was right.
* It can take a while for the routes to be advertised/withdrawn; the non-exist-map is checked only at the BGP scan intervals (60 seconds by default, can be adjusted).
* You can use a combination of an access-list and AS-path access-list in the route-map.

The handling of standard access-lists used in the "match ip address" route-map condition is a bit weird, though:

* "permit any" does _NOT_ work.
* "permit prefix 0.0.0.0" (which gets translated into "permit prefix" in a standard ACL) does _NOT_ work.
* fancy wildcard tests (for example "permit 0.0.0.0 127.255.255.255") do _NOT_ work.

It looks like:

* the IP prefix in the BGP table must match the address in the ACL exactly (wildcard bits are ignored).
* ... but you still need the wildcard bits (inverted netmask) for the match to work.

For example: if you want to match 10.8.8.0/24, you have to use "permit 10.8.8.0 0.0.0.255". "permit 10.8.8.0" or "permit 10.8.0.0 0.0.255.255" do _NOT_ work.

Left to do: tests with the ip prefix-list instead of IP access list (and no, I will NOT test extended ACL :).

Hope this helps
Ivan

-Original Message-
From: Dale Shaw [mailto:dale.shaw+cisco-...@gmail.com]
Sent: Sunday, March 15, 2009 11:33 PM
To: Burak Dikici
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem

Hi Burak,

On Mon, Mar 16, 2009 at 12:06 AM, Burak Dikici bdik...@gmail.com wrote:
> I am trying to use BGP conditional advertisement configuration. I have got
> a problem with the NON-EXIST route map's access-list. In the NON-EXIST route
> map I am using the commands which are written below;

Here are some notes I made recently when playing with BGP conditional advertising. I hope it helps.

1.) prefixes matched in advertise-map and exist/non-exist map must exist (or not) in the *BGP* table
    however: they do not need to be locally originated (e.g. R1 can match routes received from R2 and advertise (or not) to R3)
    and: the validity of the prefix in the BGP table (i.e. RIB-failure) doesn't matter. If it's there, and using exist-map, the condition is met.
2.) when using 'exist' map, prefixes matched by advertise-map are advertised when the exist-map condition is met
    example: advertise 1.0.0.0/8 (advertise-map) from BGP table when 3.20.20.0/24 (exist-map) exists in BGP table
3.) when using 'non-exist' map, prefixes matched by advertise-map are advertised when the non-exist-map condition is met
    example: advertise 1.0.0.0/8 (advertise-map) from BGP table when 3.20.20.0/24 (non-exist-map) does NOT exist in BGP table
4.) prefixes matched in advertise-map are the only prefixes affected -- other prefixes that may exist are advertised (or not) as normal
5.) when dealing with conditional advertisement tasks, always consider what will happen normally (without any config)

I'd be happy to be corrected, but I think the first point is contrary to what Ivan said. Also consider point #4 -- BGP conditional advertising is not strictly a route filtering mechanism, although it can be configured to achieve similar results.

cheers,
Dale
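As an added model (not code from the thread or from IOS), a Python sketch of the conditional-advertisement evaluation Dale's notes and Ivan's tests describe: each scanner pass decides whether the advertise-map prefixes are sent, prefixes outside the advertise-map are unaffected, RIB-failure routes still count, and a standard-ACL entry matches a BGP prefix only with the exact network address plus its inverted netmask as the wildcard, which is the 12.2SRC behaviour Ivan observed. The route and policy classes and the sample table are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

Net = ipaddress.IPv4Network


@dataclass
class AclEntry:
    """One 'access-list N permit A W' line of a standard ACL used under
    'match ip address' in the advertise/exist/non-exist route-map."""
    address: str
    wildcard: str = "0.0.0.0"  # 'permit A' alone is a host entry

    def matches(self, prefix: Net) -> bool:
        # Modelled on the observed behaviour, not the IOS source: the BGP prefix
        # must equal the ACL address exactly and the wildcard must be the
        # prefix's inverted netmask. 'permit any' (0.0.0.0 255.255.255.255)
        # therefore matches nothing, as does a host entry or a wider wildcard.
        return (ipaddress.IPv4Address(self.address) == prefix.network_address
                and ipaddress.IPv4Address(self.wildcard) == prefix.hostmask)


@dataclass
class BgpRoute:
    prefix: Net
    rib_failure: bool = False  # the condition ignores this flag (Dale's note 1)


@dataclass
class ConditionalPolicy:
    advertise_map: List[AclEntry]
    exist_map: Optional[List[AclEntry]] = None
    non_exist_map: Optional[List[AclEntry]] = None


def acl_hits(acl: List[AclEntry], table: List[BgpRoute]) -> Set[Net]:
    """BGP-table prefixes (RIB-failure or not) matched by any ACL entry."""
    return {r.prefix for r in table if any(e.matches(r.prefix) for e in acl)}


def bgp_scan(table: List[BgpRoute], policy: ConditionalPolicy) -> Set[Net]:
    """Prefixes sent to the neighbour after one BGP scanner pass. The condition
    is re-evaluated only once per scan interval (60 s by default), so an
    advertisement or withdrawal can lag the triggering change by that long."""
    if policy.exist_map is not None:
        condition_met = bool(acl_hits(policy.exist_map, table))
    elif policy.non_exist_map is not None:
        condition_met = not acl_hits(policy.non_exist_map, table)
    else:
        raise ValueError("conditional policy needs an exist-map or non-exist-map")
    conditional = acl_hits(policy.advertise_map, table)
    # Note 4: everything outside the advertise-map is advertised as normal
    # (ordinary outbound policy is not modelled here).
    unconditional = {r.prefix for r in table} - conditional
    return unconditional | (conditional if condition_met else set())


# Constructed scenario following Dale's example: advertise 1.0.0.0/8 only while
# 3.20.20.0/24 is absent from the BGP table (non-exist-map).
POLICY = ConditionalPolicy(
    advertise_map=[AclEntry("1.0.0.0", "0.255.255.255")],
    non_exist_map=[AclEntry("3.20.20.0", "0.0.0.255")],
)
TABLE_WITH_WATCHED = [BgpRoute(Net("1.0.0.0/8")), BgpRoute(Net("3.20.20.0/24")),
                      BgpRoute(Net("10.8.8.0/24"), rib_failure=True)]
TABLE_WITHOUT_WATCHED = [r for r in TABLE_WITH_WATCHED if r.prefix != Net("3.20.20.0/24")]
```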
Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem
You can't use "permit any" because it would match any route in the IP routing table (including the connected interfaces). The access list used in NON-EXIST-MAP is used on the IP routing table, not on the BGP table (that's why the AS path doesn't work either).

Ivan

-Original Message-
From: Burak Dikici [mailto:bdik...@gmail.com]
Sent: Sunday, March 15, 2009 7:16 PM
To: Mateusz Blaszczyk
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem

Hi Mateusz,

For better understanding, I have attached the topology screenshot and the router's configuration files. (By the way, this is a lab config.)

In the attached router's configuration, the "access-list 65 permit 172.16.1.0 0.0.0.255" command is used and with this command BGP conditional advertisement is working fine. But when I use the "access-list 65 permit any" command, the conditional advertisement doesn't work.
Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem
That's the problem everyone has with the NON-EXIST-MAP :) Usually the IP prefix used to address the ISP-1 infrastructure is the best bet.

The match as-path statement in the NON-EXIST-MAP is irrelevant (unless I'm totally wrong about the match being made with the routes in the IP routing table :).

Ivan

From: Burak Dikici [mailto:bdik...@gmail.com]
Sent: Sunday, March 15, 2009 8:19 PM
To: Ivan Pepelnjak
Cc: Mateusz Blaszczyk; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem

Hi Ivan,

Ok then, what should I use for the NON-EXIST route-map's access-list? Which prefix should I trust from ISP-1 (Primary ISP)? Is it necessary to use match ip address and match as-path statements together in the NON-EXIST route-map?

On Sun, Mar 15, 2009 at 8:46 PM, Ivan Pepelnjak i...@ioshints.info wrote:
> You can't use "permit any" because it would match any route in the IP
> routing table (including the connected interfaces). The access list used in
> NON-EXIST-MAP is used on the IP routing table, not on the BGP table (that's
> why the AS path doesn't work either).
>
> Ivan
>
> -Original Message-
> From: Burak Dikici [mailto:bdik...@gmail.com]
> Sent: Sunday, March 15, 2009 7:16 PM
> To: Mateusz Blaszczyk
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem
>
> Hi Mateusz,
>
> For better understanding, I have attached the topology screenshot and the
> router's configuration files. (By the way, this is a lab config.)
>
> In the attached router's configuration, the "access-list 65 permit
> 172.16.1.0 0.0.0.255" command is used and with this command BGP conditional
> advertisement is working fine. But when I use the "access-list 65 permit
> any" command, the conditional advertisement doesn't work.
Re: [c-nsp] OT: TCL Book recommendation for Cisco EEM
Tcl/TK: A developer's guide
http://www.msen.com/~clif/DevGuide.html

A bit more advanced book when you want to go slightly beyond the basics. I wasn't too happy with it, but it did the job.

Ivan

-Original Message-
From: Justin Shore [mailto:jus...@justinshore.com]
Sent: Friday, March 06, 2009 4:29 PM
To: 'Cisco-nsp'
Subject: [c-nsp] OT: TCL Book recommendation for Cisco EEM

Does anyone have any suggestions on a good book on TCL scripting for Cisco's EEM? As a complete TCL novice, a good TCL intro would be good. I can probably use existing EEM examples to learn the intricacies of using TCL for Cisco, I think, unless someone knows of a book that covers that too.

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview.html

Thanks
Justin
Re: [c-nsp] how can I know which process takes over CPU and memory?
Your original message indicated you had a router. Based on Cisco's documentation, tclsh doesn't work on most Catalyst switches.

Best regards
Ivan

From: Deric Kwok [mailto:deric.kwok2...@gmail.com]
Sent: Tuesday, March 03, 2009 2:22 PM
To: Ivan Pepelnjak
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] how can I know which process takes over CPU and memory?

Hi Ivan

Thank you. I tried to do it in my switch but it won't work. What did I do wrong?

Thank you

switch#dir
Directory of flash:/

    4  drwx         704   Feb 28 1993 19:08:20  html
   18  -rwx        1142   Mar 03 2009 08:14:33  top.tcl

3612672 bytes total (357888 bytes free)
switch#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#alias exec top tclsh flash:top.tcl
switch(config)#exit
switch#top
tclsh flash:top.tcl
^
% Invalid input detected at '^' marker.

switch#
Re: [c-nsp] how can I know which process takes over CPU and memory?
Your IOS is too old, tclsh was introduced in 12.3(2)T. Cisco recommends using at least 12.3(14)T; 12.4 might be even better.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_tcl.html

If you want to know when a particular command (for example, tclsh) was introduced in Cisco IOS, the Command Lookup Tool is a great place to start; you can even install it in your browser's toolbar.

Best regards
Ivan

From: Deric Kwok [mailto:deric.kwok2...@gmail.com]
Sent: Tuesday, March 03, 2009 9:26 PM
To: Ivan Pepelnjak
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] how can I know which process takes over CPU and memory?

Hi Ivan

Now I am trying on the router but it won't work either. What did I do wrong?

Thank you

router#dir
Directory of flash:/

    1  -rw-     8624196   Mar 5 1993 00:05:02 +00:00  c3725-i-mz.123-6e.bin
    2  -rw-        1142   Mar 3 2009 15:05:26 +00:00  top.tcl

31936512 bytes total (23306240 bytes free)
router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#alias exec top tclsh flash:top.tcl
router(config)#exit
router#top
Translating top...domain server (202.64.2.36) (202.64.3.5)
Translating top...domain server (202.64.2.36) (202.64.3.5) (202.64.2.36) (202.64.3.5)
% Unknown command or computer name, or unable to find computer address
Re: [c-nsp] how can I know which process takes over CPU and memory?
To get the top CPU consumers, use the show proc cpu sorted command. You're probably experiencing an increase in interrupt CPU usage (packet forwarding), which is the second number in the "CPU utilization for five seconds" field in the top line.

To get a continuous CPU utilization display (similar to the Unix top command), use this Tclsh script: http://wiki.nil.com/Continuous_display_of_top_CPU_processes

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Deric Kwok [mailto:deric.kwok2...@gmail.com]
Sent: Saturday, February 28, 2009 6:59 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] how can I know which process takes over CPU and memory?

Hi All

I am trying to add an access rule to prevent outside access to one host. I noticed the router CPU (R700 CPU at 240MHz) graph rising from 70% to 80%.

How can I know which process uses up how much CPU and memory? I used show memory but don't understand the listing.

Thank you for your help
Re: [c-nsp] show mBGP vpn advertized routes
> ok. Thanks. Well, I just miss the way Juniper shows things, the level of
> detail. Juniper would display the next hop that is carried in the BGP
> Update message.
>
> Marlon

Different EBGP neighbors might receive different next-hops in their updates. Cisco IOS always displays what's in its BGP table, not what's sent to the neighbors. What's "correct" is everyone's personal opinion :)

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/