Re: [c-nsp] L3VPN over RSVP

2010-06-09 Thread Marko Milivojevic
On Wed, Jun 9, 2010 at 18:20, Arie Vayner (avayner)  wrote:
> In older releases, where this command is not available you can apply a
> route-map on the output direction of the BGP session to the RR, match
> the RT of the VRF, and set a different next-hop. It would do the same as
> above but without the custom made command.

It can be done in the inbound direction, too. A couple of weeks ago I
wrote a blog article that tweaks the next-hop of the incoming VPNv4 update
as a workaround for a broken LSP. The same solution can be used to force
the traffic via a TE tunnel. Here is the link:

http://blog.ipexpert.com/2010/05/31/next-hop-in-mpls-vpns/

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

YES! We include 400 hours of REAL rack
time with our Blended Learning Solution!

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Web: http://www.ipexpert.com/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] IPv4 Multicast

2010-06-01 Thread Marko Milivojevic
On Tue, Jun 1, 2010 at 16:14, Rens  wrote:
> I have tested this setup with a different 7206VXR running
> c7200-adventerprisek9-mz.124-4.T1.bin and I have the same problem.

Are you trying to run PIM on the same interface that you have xconnect
configured on? Can you please post the relevant configuration?

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

YES! We include 400 hours of REAL rack
time with our Blended Learning Solution!

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Web: http://www.ipexpert.com/


Re: [c-nsp] software advice for sup720 on Cisco 6500 and 7600

2010-01-10 Thread Marko Milivojevic
On Sun, Jan 10, 2010 at 21:16, Arne Larsen / Region Nordjylland
 wrote:
> Hi all.
>
> Can someone give me advice about what software to use?
> We are currently using TDP and would like to migrate to LDP in our MPLS network.
> Which release of software supports enabling both at the same time?
> I've tried 5 or 6 different ones that support both, but can't enable both at the
> same time.
> We have some different types of Sup720: WS-SUP720-3BXL, RSP720-3C-GE,
> WS-SUP720-3CXL, WS-SUP720-3C

Silly question, but I have to ask it... Have you tried enabling "mpls
label protocol both", either globally or on interfaces that you want
to run both LDP and TDP?

I believe that pretty much every IOS supports running both. I'm yet to
see one that supports both, but can't run them concurrently.

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities


Re: [c-nsp] BGP Peer Group drawbacks???

2010-01-09 Thread Marko Milivojevic
> Seems to me that peer/session templates would allow you to get more granular
> with your BGP configuration than peer-groups due to
> their inheritance feature.  So it makes sense to me.
>
> I don't think scale is the only deciding factor between peer group and
> templates.  I think it also depends on the complexity of your routing policy
> and # of prefixes etc... I guess a question could be - why wouldn't you use
> templates - even for a simple BGP config?  Any ISP ops on the list - do you
> use templates, peer-groups - or both?
>
> To the original poster - perhaps you can decide for yourself?  See here:
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpct.html#wp1027129
> and
> a good explanation here with configurations
> http://cciethebeginning.wordpress.com/2009/01/09/358/

Well... comparing peer-groups and templates is just a little bit like
comparing apples and oranges. They were meant to solve different
problems.

When they were introduced, peer-groups were used to optimize the
updates sent to neighbors. I.e. using peer-groups had an impact on your
CPU in such a way that members of the same peer group shared the same
update that was only replicated. Non-peer-group peers had to have
their updates built separately, even though they may end up being the
same. The fact that the peer-groups had this nice side effect of being
able to group configuration and make deployments somewhat easier was
never their primary purpose in life... and that shows, as they look
unnatural and are not very flexible.

Naturally, over the years, Cisco found a way to optimize updates
automatically (using update-groups) and the only purpose of
peer-groups was to group commands together. Since they were not doing
that as well as one would hope (whoever configured peer-groups in
multiple address-families probably knows how ... "intuitive" that is),
another solution needed to be made. This is how we got templates,
whose only purpose is to group configurations and they do a pretty good
job at that.

All that said, for all new deployments, I would suggest using
templates and not peer-groups... they could disappear at any time.

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities

Re: [c-nsp] spanning-tree bpdufilter leaks

2010-01-08 Thread Marko Milivojevic
On Fri, Jan 8, 2010 at 18:16, Joe Maimon  wrote:
>
>
> Bill Blackford wrote:
>>
>> Do you have any details?
>> Models? Code vers?
>>
>> -b
>
> 3524XL, 12.0(5)WC17

Oh. You should perhaps look for something newer... This model has been
end-of-life since 2002.

I am curious though - when do leaks occur?

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities


Re: [c-nsp] spanning-tree bpdufilter leaks

2010-01-07 Thread Marko Milivojevic
On Fri, Jan 8, 2010 at 04:00, Joe Maimon  wrote:
>
> Apparently, bpdufilter leaks sometimes on some switches, and I have
> the packet traces to prove it. The switches are probably not supported,
> so replacements are likely in order.

Did you have it enabled globally for portfast enabled interfaces or
individually on each interface? If it was the first option, did you
have portfast enabled globally, or again, per interface?

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities


Re: [c-nsp] MTU Mismatch

2009-12-28 Thread Marko Milivojevic
On Mon, Dec 28, 2009 at 16:00, Mohammad Khalil  wrote:
>
> I have checked the mtu on 3750
> sh system mtu
>
> System MTU size is 1500 bytes
> System Jumbo MTU size is 1512 bytes
> Routing MTU size is 1500 bytes
>
> but there is no such command on the 6523

Different beast, but at least you get the explanation. As far as
routing processes go, MTU on 3750 is 1500. On 6500 you can set it per
interface (depending on the LC).

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130


Re: [c-nsp] MTU Mismatch

2009-12-28 Thread Marko Milivojevic
> The problem is that OSPF is running and functioning well. How is the
> OSPF neighbor relation up when there is an MTU mismatch?

What is the routing MTU on 3750?

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130


Re: [c-nsp] how to clear a pseudowire?

2009-11-29 Thread Marko Milivojevic
On Fri, Nov 27, 2009 at 08:15, Tassos Chatzithomaoglou
 wrote:
> Is there an easy way to clear/reset an EoMPLS pseudowire?
>
> The only (not affecting other services of the same interface) way I have
> found is to remove the xconnect config from both sides, but I was hoping
> that a clear command would exist.

Can't you simply shut down the subinterface where xconnect is configured?

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130


Re: [c-nsp] Strange CDP Observation

2009-11-29 Thread Marko Milivojevic
On Sun, Nov 29, 2009 at 08:46, Scott Morris  wrote:
> While not normal, think about what makes it occur.
>
> If it REALLY WAS your own CDP frame, then your link should be down due
> to loopguard.  Even with a hub there, a hub is a repeater, so is it
> feasible to see your own stuff?

Well, not really - otherwise it would be pretty hard to do "external
loopback" solutions, as well as testing links using Ethernet loopback
- which is still doable. I haven't seen "looped" status on Ethernet
for a long time.

I think there are several explanations for this problem:

1. Most obvious is that there is a simple loop somewhere. That needs
to be investigated in MW configuration.

2. Don't forget that CDP is a Cisco proprietary protocol. Other
equipment usually doesn't have any special processing for these
multicast frames. Furthermore, I have seen really bad multicast
implementations where multicast frames would be flooded on all ports -
including the one it was received from. This is what could be
happening to you - MW is simply returning you back your multicast
traffic. It *shouldn't* but it does.

3. You could be having some more creative problem, like Y-loop (you
have A-to-B communication, but you are also getting this traffic back
to A - A-to-A).

In any case, I would focus my investigation on what's going on in the
microwave part of the setup.

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

Mailto: mar...@ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130

Re: [c-nsp] Xconnect on Portchannel interface [EoMPLS]

2009-10-20 Thread Marko Milivojevic
> Yes, it works, but only from the Cisco side. On the other side of the
> port-channel we have a Force10 device, and when I configure mode on, the
> port-channel is UP on the Cisco device, but "down" on the Force10. The
> question is, why does it work when xconnect is configured on a subinterface
> with a tagged VLAN? Maybe it conflicts with LACP/MPLS signalling?

I had another thought after my original reply, but for some reason I
didn't send you a follow-up. Have you tried not enabling EC on the Cisco
doing xconnect (PE) at all and simply having it just on end-nodes:

A===PE1---PE2===B

Enable EC just on A and B and do simple xconnect from all interfaces
on PE1 and PE2? My knowledge is very rusty, but it could be that LACP
will be carried over in port mode.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] Xconnect on Portchannel interface [EoMPLS]

2009-10-16 Thread Marko Milivojevic
2009/10/16 Lukasz Trabinski :
> Hello
>
> I have a problem with xconnect on a portchannel interface.
[...]
> How to do xconnect from an untagged portchannel interface?

Have you tried disabling LACP on the EC interface and have it
statically configured (mode on)?

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] ibgp TTL

2009-10-14 Thread Marko Milivojevic
On Wed, Oct 14, 2009 at 12:10, Oliver Boehmer (oboehmer)
 wrote:
> yes, only supported for ebgp. Would be interested about the "very
> specific design" and why Manu requires this functionality?

I'm not sure what Manu has in mind, but I had a need to use a similar
feature to prevent iBGP working over a less-desirable IGP path.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] cisco 7206 VXR router

2009-09-29 Thread Marko Milivojevic
On Tue, Sep 29, 2009 at 13:13, jack daniels  wrote:
> I'm a bit confused on -
> "Also, don't assume that because you can add 8 100Mbit interfaces, that
> you can use them at full speed.."

NPE-G1 can't really pass more than 300-400 Mb/s of traffic without
experiencing serious CPU load.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] 12.2(18)SXD to 12.2(33)SRB|C|D

2009-09-18 Thread Marko Milivojevic
I know this probably doesn't help you (or anyone on the list), but it
helps my current state of mind about 7600...

The best upgrade path for any 7600 is OFF train.


Re: [c-nsp] Have I Gone Mad? (OSPF NSSA)

2009-08-26 Thread Marko Milivojevic
On Wed, Aug 26, 2009 at 12:52, Ivan Pepelnjak wrote:
> It could be that the previous software releases were smarter and did not
> insert type-7 default when they've inserted type-3 default (which would take
> precedence over type-7 anyway), but it doesn't hurt you either.

Actually... It did hurt somewhat :-/. Previous IOS that we were
running (7600 SXx and SRBx) were injecting type 7. However, that
behaviour changed with SRD2 and it injects both. Naturally, type 3
wins.

In one place we had distribution configured that was configured to
redistribute only type 7 default into BGP elsewhere - which no longer
worked after upgrade...

I wonder why the behaviour changed... Then again, my fault for
misconfiguring the darn thing to begin with :-)


--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


[c-nsp] Have I Gone Mad? (OSPF NSSA)

2009-08-26 Thread Marko Milivojevic
Hello,

My understanding of OSPF is being challenged by recent upgrade of some
of our 7600's (running SRD2a now).

Pairs of 7600's are ABR's to totally stubby NSSA areas (area X nssa
no-summary default-information originate). This is supposed to prevent
all external and summary routes reaching NSSA area, as well as
originate type 7 default. However, I'm seeing something else. This is
from one of the internal routers (.227 and .228 are ABR's):

            OSPF Router with ID (xxx.yyy.zzz.24) (Process ID 1)

                Router Link States (Area 9)

Link ID          ADV Router       Age   Seq#        Checksum  Link count
xxx.yyy.zzz.24   xxx.yyy.zzz.24   245   0x80009C45  0x006365  2
xxx.yyy.zzz.25   xxx.yyy.zzz.25   1596  0x80009C3F  0x008347  2
xxx.yyy.zzz.26   xxx.yyy.zzz.26   1560  0x80009C3D  0x009B2D  2
xxx.yyy.zzz.27   xxx.yyy.zzz.27   663   0x80009C3C  0x00B114  2
xxx.yyy.zzz.227  xxx.yyy.zzz.227  224   0x8000933F  0x00F96C  1
xxx.yyy.zzz.228  xxx.yyy.zzz.228  133   0x80005CBB  0x00A479  1

                Net Link States (Area 9)

Link ID          ADV Router       Age   Seq#        Checksum
xxx.yyy.zzz.130  xxx.yyy.zzz.228  1129  0x816A      0x00258A

                Summary Net Link States (Area 9)

Link ID          ADV Router       Age   Seq#        Checksum
0.0.0.0          xxx.yyy.zzz.227  224   0x8165      0x007943
0.0.0.0          xxx.yyy.zzz.228  133   0x8167      0x006F4A

                Type-7 AS External Link States (Area 9)

Link ID          ADV Router       Age   Seq#        Checksum  Tag
0.0.0.0          xxx.yyy.zzz.227  224   0x8165      0x004DEA  0
0.0.0.0          xxx.yyy.zzz.228  133   0x8166      0x0045F0  0

ABR's appear to be injecting both the type 3 and type 7. Have I gone
mad, or do I need to hit the books again?

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/
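
Added example (not part of the original posts, and not the poster's or Cisco's code): a Python check for the condition described in this message and in the 2009-08-26 reply above it, where the ABRs of a totally stubby NSSA originate both a type-3 and a type-7 default and the type-3 one wins. The sample database text is constructed (192.0.2.x router IDs, made-up sequence numbers), and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Section titles printed by "show ip ospf database", mapped to LSA type.
SECTION_TYPES = {
    "Router Link States": 1,
    "Net Link States": 2,
    "Summary Net Link States": 3,
    "Type-7 AS External Link States": 7,
}
SECTION_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9 -]+?) \(Area (?P<area>\S+)\)\s*$")
DOTTED_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Constructed sample: both ABRs (.227, .228) send a type-3 and a type-7 default.
SAMPLE_BOTH = """\
            OSPF Router with ID (192.0.2.24) (Process ID 1)

                Router Link States (Area 9)

Link ID         ADV Router      Age   Seq#       Checksum Link count
192.0.2.24      192.0.2.24      245   0x80009C45 0x006365 2
192.0.2.227     192.0.2.227     224   0x8000933F 0x00F96C 1
192.0.2.228     192.0.2.228     133   0x80005CBB 0x00A479 1

                Summary Net Link States (Area 9)

Link ID         ADV Router      Age   Seq#       Checksum
0.0.0.0         192.0.2.227     224   0x80000165 0x007943
0.0.0.0         192.0.2.228     133   0x80000167 0x006F4A

                Type-7 AS External Link States (Area 9)

Link ID         ADV Router      Age   Seq#       Checksum Tag
0.0.0.0         192.0.2.227     224   0x80000165 0x004DEA 0
0.0.0.0         192.0.2.228     133   0x80000166 0x0045F0 0
"""

# Constructed sample: only the type-7 default is present.
SAMPLE_TYPE7_ONLY = """\
                Type-7 AS External Link States (Area 9)

Link ID         ADV Router      Age   Seq#       Checksum Tag
0.0.0.0         192.0.2.227     224   0x80000165 0x004DEA 0
0.0.0.0         192.0.2.228     133   0x80000166 0x0045F0 0
"""


def parse_lsdb(text):
    """Return (area, lsa_type, link_id, adv_router) for every LSA row."""
    rows = []
    area = lsa_type = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            area = header.group("area")
            lsa_type = SECTION_TYPES.get(header.group("name").strip())
            continue
        fields = line.split()
        # Data rows start with a dotted Link ID; skip titles, blanks and
        # anything inside a section type this parser does not know.
        if lsa_type is None or len(fields) < 5:
            continue
        if not DOTTED_RE.fullmatch(fields[0]):
            continue
        rows.append((area, lsa_type, fields[0], fields[1]))
    return rows


def default_originators(rows):
    """Map area -> advertising router -> LSA types carrying 0.0.0.0."""
    found = defaultdict(lambda: defaultdict(set))
    for area, lsa_type, link_id, adv_router in rows:
        if link_id == "0.0.0.0" and lsa_type in (3, 7):
            found[area][adv_router].add(lsa_type)
    return found


def audit_defaults(text):
    """Per area: routers sending both defaults, and which type is preferred."""
    report = {}
    for area, routers in default_originators(parse_lsdb(text)).items():
        types_seen = set().union(*routers.values())
        report[area] = {
            "both": sorted(r for r, t in routers.items() if t == {3, 7}),
            # OSPF prefers an inter-area (type 3) path over an NSSA
            # external (type 7) path to the same prefix.
            "preferred_type": 3 if 3 in types_seen else 7,
            # True when policy that matches only the type-7 default
            # (e.g. redistribution into BGP) would stop matching.
            "type7_default_shadowed": types_seen == {3, 7},
        }
    return report


if __name__ == "__main__":
    for name, sample in (("both", SAMPLE_BOTH), ("type-7 only", SAMPLE_TYPE7_ONLY)):
        print(name, audit_defaults(sample))
```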


Re: [c-nsp] EoMPLS between subinterface and physical interface

2009-08-18 Thread Marko Milivojevic
> What I am not sure is whether the 7600 would even allow you to put an
> access port on the same VLAN used on the sub-if. No quick way for me to
> test it right now.

I can answer that... It won't allow it. This solution with LAN line
cards would require VLAN mapping, which isn't pretty, at all.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] EoMPLS between subinterface and physical interface

2009-08-18 Thread Marko Milivojevic
On Tue, Aug 18, 2009 at 13:32, Marko Milivojevic wrote:
> Have you tried to use native VLAN on 7600-1 for the subinterface? Mind
> you, I'm not 100% sure if you can actually xconnect native VLAN, but
> you may give it a go...

Sorry, I meant to say on 7600-2.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] EoMPLS between subinterface and physical interface

2009-08-18 Thread Marko Milivojevic
Have you tried to use native VLAN on 7600-1 for the subinterface? Mind
you, I'm not 100% sure if you can actually xconnect native VLAN, but
you may give it a go...

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/

On Tue, Aug 18, 2009 at 09:19, Tassos
Chatzithomaoglou wrote:
> Arie,
>
> I'm actually trying something strange in the lab, but I wanted to ask
> opinions before
> trying all the alternatives.
>
> More specifically I want to transfer double tagged traffic from multiple
> subifs of a local MUX-UNI interface to multiple remote physical interfaces,
> where the outer tag would be removed.
>
> CPE <===> 3750 <===> 7600-1 <= MPLS-network => 7600-2 <===> CPE-x
>
>
> Something like:
>
> 7600-1
> --
> int gi1/1
>  desc conn to 3750
>  switch mode trunk              ! these are single-tagged vlans following another path
> int gi1/1.100
>  enc dot 100                    ! this is double-tagged that needs to be tunneled
>  xconnect x2.x2.x2.x2 y1
> int g1/1.200
>  enc dot 200                    ! this is double-tagged that needs to be tunneled
>  xconnect x2.x2.x2.x2 y2
>
> 7600-2
> --
> int gi1/1
>  desc conn to CPE-1
>  xconnect x1.x1.x1.x1 y1
> int gi1/2
>  desc conn to CPE-2
>  xconnect x1.x1.x1.x1 y2
>
> So double-tagged traffic having an outer vlan of 100 would get transferred
> from 7600-1 gi1/1.100 to 7600-2 gi1/1, where it would/should have the outer
> vlan removed. It's actually like many L2 VPNs starting from one port on
> 7600-1 and ending at many ports (each one on its own) on 7600-2.

Re: [c-nsp] HIDE AS BGP

2009-08-10 Thread Marko Milivojevic
You can use CSC in ISP1 and run BGP directly between Customer and ISP2.

On Mon, Aug 10, 2009 at 11:59, jack daniels wrote:
> Hi ,
>
> Just to be more specific on the solution requirement -
>
> Customer---ISP1---ISP2---Internet
>
>
> Internet should not see ISP1 AS number. I'm looking for L3 solution.


Re: [c-nsp] 7206 NPE-G2 - Cat 3750 sfp issue

2009-07-31 Thread Marko Milivojevic
> I use
> 1000BASE-LX/LH (GLC-LH-SM), on both Catalyst and 7206 NPE-G2, interface and
> protocol are up but I cannot do anything, what am I missing?

How are your speed negotiation settings on both ends?


Re: [c-nsp] 3/11 (invalid or corrupt AS path)

2009-02-16 Thread Marko Milivojevic
On Mon, Feb 16, 2009 at 20:32, Rodney Dunn  wrote:
> We are working on that. I'll let you know once I have more.

We've got one of these on our node running SRB3. It was triggered on
only one session when being announced to a customer.


Re: [c-nsp] Determine SFP type through CLI

2009-01-02 Thread Marko Milivojevic
On Fri, Jan 2, 2009 at 18:20, Jeff Wojciechowski
 wrote:
> Sort of...
>
> NAME: "GigabitEthernet2/0/3", DESCR: "10/100/1000BaseTX SFP"
> PID: , VID: , SN: xx
>
> Doesn't show the exact model number (GLC-T, GLC-T=, etc) Is there a 
> difference between the 2?

Not really... "=" at the end of the Cisco part numbers usually
identifies "spare part". It has something to do with ordering, sales
and prices and absolutely nothing to do with technology :-).

--
Marko
CCIE #18427 (SP) // + DE wannabe
My network blog: http://cisco.markom.info/


Re: [c-nsp] Determine SFP type through CLI

2009-01-02 Thread Marko Milivojevic
On Fri, Jan 2, 2009 at 17:36, Jeff Wojciechowski
 wrote:
> Is there an easy way to determine the model of an SFP installed on a 3560 
> through the CLI?
>
> Ideally I want to match what I have installed in another 3560 that's in 
> production.
> I want to add a gigabit Ethernet (copper) trunk port to another 3560 so 
> should I
> be using the GLC-T, GLC-T= or something else?

Have you tried "show inventory"? Is that the information that you are
looking for?

--
Marko
CCIE #18427 (SP) // + DE wannabe
My network blog: http://cisco.markom.info/


Re: [c-nsp] 3550 routing performance

2008-12-30 Thread Marko Milivojevic
On Fri, Dec 19, 2008 at 08:01, Tony  wrote:
>
> I should have included that in my original post, I had already set SDM to 
> routing extended-match. If you don't you get a warning when you add a VRF to 
> prompt you to do it.
>
> Unfortunately not something that obvious.

I'm a bit slow in reading the mailing lists :-).

Did you reload the switch after you applied new SDM template? Also,
are you sure that you are not experiencing "duplex mismatch" or some
similar issue? Do interface counters show anything unusual?


[c-nsp] Trace Logs on ASR1000

2008-12-15 Thread Marko Milivojevic
Has anyone found a "scalable"* way to disable trace logging to hard disk on
ASR1000? Our RANCID is not very happy with constant changes on the hard
disk...

* Scalable = one that doesn't require at least 20 commands that may or may
not survive reload, as they are exec-level statements.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] 12.2(33)SRC2 running 7600

2008-12-11 Thread Marko Milivojevic
On Thu, Dec 11, 2008 at 11:13, Saku Ytti <[EMAIL PROTECTED]> wrote:
> On (2008-12-10 20:57 +0000), Marko Milivojevic wrote:
>
>> > I suspect BGP ghosting issue in SRC2. I'm fairly certain at least that in
>> > VPNv4 RR functionality there is such. (RR thinks it has sent update,
>> > while it has not).
>>
>> We are being hit hard with this one in SRB3. Does anyone know if this
>> has been fixed up to SRB5?
>
> Do you have bugID for this? Cisco has not yet confirmed our suspicions,
> since they were unable to recreate it in their lab.

Unfortunately not. I'm also sure they were unable to reproduce it.
It's very sporadic. We are still trying to work out what triggers the
problem.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] 12.2(33)SRC2 running 7600

2008-12-10 Thread Marko Milivojevic
On Wed, Dec 10, 2008 at 20:42, Saku Ytti <[EMAIL PROTECTED]> wrote:
> I suspect BGP ghosting issue in SRC2. I'm fairly certain at least that in
> VPNv4 RR functionality there is such. (RR thinks it has sent update,
> while it has not).

We are being hit hard with this one in SRB3. Does anyone know if this
has been fixed up to SRB5?

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] System MTU on 4948

2008-12-06 Thread Marko Milivojevic
On Sat, Dec 6, 2008 at 01:12, chloe K <[EMAIL PROTECTED]> wrote:
> Just wondering why it needs to reboot after changing the mtu
>
> Even linux, it just uses the command "ifconfig eth0 mtu 9000"
>
> The cisco should be better than linux

In the same sense as cargo planes should be considerably better than
blueberries, I absolutely agree with your statement.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] System MTU on 4948

2008-12-05 Thread Marko Milivojevic
On Fri, Dec 5, 2008 at 21:31, Sergio D. <[EMAIL PROTECTED]> wrote:
> Hello,
> Does anyone know if a reload is needed after setting the system mtu on a
> 4948 running cat4500-ipbase-mz.122-31.SGA4.bin?

I am not 100% sure about the exact IOS, but I don't remember having to
reload 4948's for the system MTU change.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] 7602VXR NPE-G1

2008-12-04 Thread Marko Milivojevic
On Thu, Dec 4, 2008 at 11:03, E. Versaevel <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I've got a 7206VXR with NPE-G1 configured for PPPoA termination, we receive
> the VC's over an STM-1 and terminate them into various vrf's (for VPN) or
> into the global routing table (for internet).
> We are currently experiencing high cpu load (>80%) and some slow CLI access. 
> We have about 2500 sessions on the box using up to 120 Mbit @ 30k packets/s

From personal experience, what you are seeing are the limits of G1 in
that role. You can "fix" slow CLI by toying around with "scheduler
allocate", but performance-wise that's about it...

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] L2VPN Interworking

2008-11-24 Thread Marko Milivojevic
On Tue, Nov 11, 2008 at 08:27, Mohammad Khalil <[EMAIL PROTECTED]> wrote:
>
> The success rate is about (930/1000), and as I told you, the MTU is configured on
> the ATM link to be 1500.
> The physical links are not congested.
> What else can I add or modify to solve this issue??

What about ATM traffic shaping? Are you sure that packets are not
being dropped by the ATM network in-between?

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] shape withing policy map

2008-11-24 Thread Marko Milivojevic
You made a small configuration mistake.

> Enter configuration commands, one per line.  End with CNTL/Z.
> JID_CORE_Router(config)#policy-map CMS
> JID_CORE_Route(config-pmap-c)#shape average 100
> JID_CORE_Route(config-pmap-c)#
>
> It takes the command just fine.

You need to apply the shape command under the class, not under the policy-map:

policy-map CMS
 class CMS
  shape average ...
!
! Note that shape uses Kb/s and not b/s.

However, you may find that this may not work on an ATM interface.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] downloads broken?

2008-11-20 Thread Marko Milivojevic
> The only luck I usually get is when I point out that the documentation
> is wrong, then I get a canned reply saying "we're gonna fix it".  Doesn't
> help me much since I don't know which one of the parts of the docs are being
> corrected.

Oh, you mean something like trying to interpret:

http://cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/qos.html#wp1234827
and
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/command/reference/int_sess.html#wp1978612

as "does not always work on trunk ports"? ;-)


Marko.


Re: [c-nsp] Identifying device(s) connected to cisco L2-only switch

2008-11-03 Thread Marko Milivojevic
On Mon, Nov 3, 2008 at 20:11, Tomas Daniska <[EMAIL PROTECTED]> wrote:
> Wrong. There are appliances/applications that are quiet enough not to 
> populate (or timeout) the mac tables, just sittin' there and receiving 
> traffic. And even though there is no mac entry for that address, the switch 
> simply floods the traffic (by default... unless you configure 
> block-unknown-unicast) to all ports, including the one with the quiet black 
> box

I stand corrected about the listen-only device. I must admit it didn't
cross my mind :-).

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] Identifying device(s) connected to cisco L2-only switch

2008-11-03 Thread Marko Milivojevic
On Sun, Nov 2, 2008 at 13:04, Mateusz Błaszczyk <[EMAIL PROTECTED]> wrote:
> My friend's suggestion in such a problem is shut the port and wait for
> someone to start screamin..
> If none, you can disconnect the cable :)

Given that no mac addresses are learned on the port, there is probably
no traffic there and shutting it down shouldn't do any real damage.

... unless it's some really weird (Ericsson?) device that uses that
port to stay alive or some similar nonsense.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/

Re: [c-nsp] ME Switch Managment over Trunk Interfaces?

2008-10-31 Thread Marko Milivojevic
On the other device, do you have a native vlan configured? What device is it?

On Fri, Oct 31, 2008 at 19:16, cp <[EMAIL PROTECTED]> wrote:
> Thanks for replying.  I'm trying to pass any(icmp at the moment) traffic
> from a vlan interface through the trunk port via /30.  It's a /30 so no
> return route needed.  Yes, I created vlan 106. Yes I shut / no shut
> vlan106 interface. Yes, the device on the other side accepts tagged
> frames.
>
> Other traffic such as non vlan interface traffic passes fine. There
> isn't an arp or mac-address table entry for the remote IP of the /30,
> which leads me to believe traffic is being blocked by ME's overall
> uni/eni/nni port-type design. Anyone  else have a similar experience?
> When I switch the port from trunk to access mode and only test the vlan
> 106 it works fine.
>
> -Chip
>
> .
>
>
>
> -Original Message-
> From: Marko Milivojevic [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 31, 2008 2:40 PM
> To: cp
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ME Switch Managment over Trunk Interfaces?
>
> On Fri, Oct 31, 2008 at 17:06, cp <[EMAIL PROTECTED]> wrote:
>> I'm new to Cisco ME switches, so please bear with my basic question. I
>> am having a difficult time trying to manage the device over trunk
>> interface. It doesn't work.  My management IP lives on a vlan interface.
>> Below is my configuration.  I tried vlan1 without luck too. Do I really
>> have to burn a port for management? I'm probably missing something
>> simple. Any assistance is appreciated.
>
> Could you be a little bit more specific as to what exactly does not
> work?
>
> Some questions:
>
> * Did you create VLAN 106?
> * Did you enable Vlan interface (no shut)?
> * Do you have a route back to your management station?
> * Is the device on the other end configured to accept tagged frames?
>
> --
> Marko
> CCIE #18427 (SP)
> My network blog: http://cisco.markom.info/


Re: [c-nsp] ME Switch Managment over Trunk Interfaces?

2008-10-31 Thread Marko Milivojevic
On Fri, Oct 31, 2008 at 17:06, cp <[EMAIL PROTECTED]> wrote:
> I'm new to Cisco ME switches, so please bear with my basic question. I
> am having a difficult time trying to manage the device over trunk
> interface. It doesn't work.  My management IP lives on a vlan interface.
> Below is my configuration.  I tried vlan1 without luck too. Do I really
> have to burn a port for management? I'm probably missing something
> simple. Any assistance is appreciated.

Could you be a little bit more specific as to what exactly does not work?

Some questions:

* Did you create VLAN 106?
* Did you enable Vlan interface (no shut)?
* Do you have a route back to your management station?
* Is the device on the other end configured to accept tagged frames?

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] ME3400

2008-10-24 Thread Marko Milivojevic
On Fri, Oct 24, 2008 at 11:31, David Curran <[EMAIL PROTECTED]> wrote:
> We use them as a sort of "port replicator" for routers like the 7206 where
> we need a few more ethernet ports.  Rock solid little box.  The UNI/NNI port
> configuration is slightly odd but I can see the benefit in a metro
> application.  We're using the ME6524 for our metro stuff though.  Doesn't
> have the same restrictions as the ME-3400.

Speaking of ME-6500. Does it have LAN or WAN ports? In other words,
does it have decent QoS?


--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] ME3400

2008-10-23 Thread Marko Milivojevic
On Thu, Oct 23, 2008 at 15:44, MKS <[EMAIL PROTECTED]> wrote:
> Hi does anyone have experience with ME3400 switches. How are they performing?
> What about the stability?

We have a dozen or so in production. So far, rock solid and no major
issues with them.

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] How to match local IP address?

2008-10-22 Thread Marko Milivojevic
> i believe the OP wants to advertise these prefixes to his eBGP neighbors
> w/ no-export set. this way, his provider(s) have the more specifics for
> each site and his larger prefix is advertised to the world at large.
>
> ``A Framework for Inter-Domain Route Aggregation''
> http://www.ietf.org/rfc/rfc2519.txt
>
> hence, NO_EXPORT must be set on the outbound route-map of the neighbors.
> the OP could tag the routes or add his own local community and use an
> outbound route-map to set NO_EXPORT on the announced prefix.

Oh, right. I didn't quite get that from his messages, but that's
easily done. In that case, he will just have to use some locally
significant community of his choice on the redistributed routes. On
eBGP sessions, he would "translate" these into no-export. If he sets
no-export as I suggested, these won't be exported to eBGP...

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] How to match local IP address?

2008-10-21 Thread Marko Milivojevic
Here, I had a few minutes to play in the lab:

interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
interface Loopback1
 ip address 10.1.0.1 255.255.255.0
!
interface Loopback2
 ip address 10.2.0.1 255.255.255.0
!
interface Loopback3
 ip address 10.3.0.1 255.255.255.0
!
router bgp 100
 bgp log-neighbor-changes
 !
 address-family ipv4
  redistribute connected route-map rc
  no auto-summary
  no synchronization
 exit-address-family
!
ip prefix-list AAA seq 5 permit 10.0.0.0/8 ge 24 le 24
!
route-map rc permit 10
 match ip address prefix-list AAA
 set community no-export
!

R1#sh ip bgp
BGP table version is 9, local router ID is 10.3.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      0.0.0.0                  0         32768 ?
*> 10.1.0.0/24      0.0.0.0                  0         32768 ?
*> 10.2.0.0/24      0.0.0.0                  0         32768 ?
*> 10.3.0.0/24      0.0.0.0                  0         32768 ?

R1#sh ip bgp 10.0.0.0
BGP routing table entry for 10.0.0.0/24, version 8
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
Flag: 0x8A0
  Not advertised to any peer
  Local
    0.0.0.0 from 0.0.0.0 (10.3.0.1)
      Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
      Community: no-export

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/
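
The lab above and the suggestion in the 2008-10-22 reply (tag redistributed routes with a local community, then translate it to no-export on the eBGP sessions) modelled side by side. This is an added example, not code from the thread or from IOS; the community value `100:999`, the two extra connected routes and all function names are assumptions made for illustration.

```python
"""Model of the two no-export strategies from this thread (illustrative, not IOS code)."""
import ipaddress

NO_EXPORT = "no-export"     # well-known community, RFC 1997
LOCAL_TAG = "100:999"       # hypothetical locally significant community

# Connected routes: the four lab loopbacks plus two constructed routes that
# prefix-list AAA must not match.
CONNECTED = ["10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24",
             "10.9.9.0/30", "192.168.1.0/24"]


def prefix_list_permits(route, base, ge, le):
    """ip prefix-list ... permit <base> ge <ge> le <le>: the route must fall
    inside <base> and its own prefix length must lie between ge and le."""
    route, base = ipaddress.ip_network(route), ipaddress.ip_network(base)
    return (route.version == base.version and route.subnet_of(base)
            and ge <= route.prefixlen <= le)


def redistribute_connected(connected, community):
    """route-map rc permit 10: match prefix-list AAA, set community.
    There is no later sequence, so the implicit deny drops every other route."""
    return {net: {community} for net in connected
            if prefix_list_permits(net, "10.0.0.0/8", 24, 24)}


def advertise(bgp_table, peer, translate_local_tag=False):
    """Routes a speaker sends to an 'ibgp' or 'ebgp' peer.
    A route already carrying no-export is never sent to an eBGP peer.
    translate_local_tag models an outbound route-map on the eBGP session that
    matches LOCAL_TAG and replaces the community set with no-export."""
    sent = {}
    for net, communities in bgp_table.items():
        if peer == "ebgp" and NO_EXPORT in communities:
            continue
        communities = set(communities)
        if peer == "ebgp" and translate_local_tag and LOCAL_TAG in communities:
            communities = {NO_EXPORT}
        sent[net] = communities
    return sent


def lab_setup():
    """no-export set at redistribution, as in the lab above."""
    table = redistribute_connected(CONNECTED, NO_EXPORT)
    return table, advertise(table, "ibgp"), advertise(table, "ebgp")


def translated_setup():
    """Local tag at redistribution, translated to no-export towards the provider."""
    table = redistribute_connected(CONNECTED, LOCAL_TAG)
    to_provider = advertise(table, "ebgp", translate_local_tag=True)
    provider_onward = advertise(to_provider, "ebgp")   # provider's own eBGP peers
    return to_provider, provider_onward


if __name__ == "__main__":
    table, to_ibgp, to_ebgp = lab_setup()
    print("lab: in BGP table      ", sorted(table))
    print("lab: sent to iBGP peer ", sorted(to_ibgp))
    print("lab: sent to eBGP peer ", sorted(to_ebgp))
    to_provider, onward = translated_setup()
    print("translated: provider receives", sorted(to_provider))
    print("translated: provider re-exports", sorted(onward))
```

With no-export set at redistribution the /24s never leave the AS; with the local tag translated on the eBGP session the provider receives them but does not pass them on. The /30 and the 192.168.1.0/24 route are not redistributed in either case because route-map rc has no sequence that permits them.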


Re: [c-nsp] How to match local IP address?

2008-10-21 Thread Marko Milivojevic
> Is the below possible?
>
> route-map redistribute-connected permit 10
>  match ip address prefix-list ABC
>  set community no-export
> !
> router bgp XYZ
>  redistribute connected subnets route-map redistribute-connected
>
> Is it possible to set the bgp community in the redistribute route-map?

It is absolutely possible to set community in redistribute route-map -
I would not have otherwise suggested it as a solution for your problem
:-)

However, your BGP syntax is a bit off. BGP doesn't have "subnets" keyword.

> Will this community be sent to the transit (of course if not overwritten by
> peer outgoing route-map)? Someone tried such setup?

Communities will be sent to eBGP neighbors if you have
"send-community" configured for that neighbor (except for no-export,
which will not be sent). Note that the same applies for iBGP
neighbors.

And finally, yes, there are probably quite a few of us who use this setup :-)

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] How to match local IP address?

2008-10-21 Thread Marko Milivojevic
If you need to cover all ports, just apply the first route-map I
listed. That one will cover all connected routes...

Another approach, if your connected routes can be summarized, is to
match based on that (prefix-lists, for example).

On Tue, Oct 21, 2008 at 15:14, Grzegorz Janoszka <[EMAIL PROTECTED]> wrote:
> Marko Milivojevic wrote:
>>
>> How about something like this?
>>
>> route-map Connected-Routes
>>  set community no-export
>> !
>> router bgp XXX
>>  address-family ipv4
>>  redistribute connected route-map Connected-Routes
>> !
>>
>> If you wish to assign community for specific interfaces only, you
>> can do something like:
>>
>> route-map Connected-Routes permit 10
>>  match interface XXX
>>  match interface YYY
>>  set community no-export
>> !
>> route-map Connected-Routes permit 999
>
> It is a kind of idea, however it is rather complicated setup. The biggest
> disadvantage is that the interface list has to be updated. Let's say I
> insert a new blade to a free slot, then I have to update the route-map.
> Another disadvantage may be length of the route-map - if I have 4x48 ports,
> then it has almost 200 match entries - I do not know if Cisco allows for so
> many match entries.
>
> However it is a way to do it. I think I would slightly modify it and use,
> thanks. If you have another idea I will appreciate it.
>
> --
> Grzegorz Janoszka
>


Re: [c-nsp] How to match local IP address?

2008-10-21 Thread Marko Milivojevic
> Announce connected network with no-export community - it may be lot of
> smaller prefixes.
> The big aggregate prefixes will be announced statically in other places.

How about something like this?

route-map Connected-Routes
 set community no-export
!
router bgp XXX
 address-family ipv4
 redistribute connected route-map Connected-Routes
!

If you wish to assign community for specific interfaces only, you
can do something like:

route-map Connected-Routes permit 10
 match interface XXX
 match interface YYY
 set community no-export
!
route-map Connected-Routes permit 999


--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/


Re: [c-nsp] OSPF over PPPoATM

2008-10-20 Thread Marko Milivojevic
> The 2800 is also connected to the 7200 via a frame-relay to ATM PVC on which
> OSPF is running fine (but not IPv6, but that's another story).
>
> What is happening to those hello packets? Who is eating them?

Before I accuse intermediate DSLAM filtering them, could you post
relevant interface and OSPF process configurations from both routers,
please?


--
Marko
CCIE #18427
My network blog: http://cisco.markom.info/


Re: [c-nsp] EoMPLS terminating on PE?

2008-10-20 Thread Marko Milivojevic
I don't think that routed pseudowire would work for you, but I could
be mistaken. However, external loop may work. If I understand your
problem well, this is what you want (horrible ascii art follows):

[CE]---{ATM PVC}--->[PE]---[P]---[PE]
   |  >{L3}
   |  |
   +---xconnect---+

If I understood that correctly, and you are willing to play with
external loopbacks (since you own 7600, you definitely are, btw.) read
on.

> Most definitely one-off, but what kind of loop cable would that be? An ATM one?

Yes, you can loop, for example ATM3/0/0 to ATM3/0/1 on rightmost PE.
Have xconnect from 3/0/0 to leftmost PE and L3 interface on 3/0/1. If
you have available and unused ATM interfaces, this is the easiest
thing to do. It's a little bit expensive, IMHO.

> I'm thinking that I could terminate the aal5snap pvc into a VLAN on
> some convenient third PE router, and then run a straight 802.1q into
> the PE router I want the termination on, but mightn't there be some
> kind of encapsulation problem? All the examples I've seen do xconnects
> between VLANs or between PVCs, not between a VLAN on one hand and a
> PVC on the other hand.

This could be on the right track, though. I'm not entirely sure about
support on 7600, but you could have xconnect between ATM and 802.1Q
interface using IP interworking.

Another approach, without 3rd party router would be to loop two
GigabitEthernet interfaces on rightmost PE using an external cable and
do exactly the same thing as described with ATM loopback above. You
would xconnect from one and have L3 on the other one. Note that if you
are using LAN cards for this exercise, you will need to configure
VLAN mapping, as VLANs are global. It's still a little bit cheaper
than using ATM interfaces, albeit messier.

> (Anxiously waiting to see if anyone has insights on my service provider
> network design question from a few days ago, no one's taken me up so far ;-))

( it was a little bit unclear :-) )

HTH.

--
Marko
CCIE #18427
My network blog: http://cisco.markom.info/


Re: [c-nsp] OT: Possible List Troll/Spammer..

2008-07-18 Thread Marko Milivojevic
> Couldn't resist.
>
> 4.  Do you think it is important that all mailing list members should be
> informed of your absence via an auto responder when you take a day off?

In our defense (yes, I'm one of those people), some of us may not have
a choice. When we leave for vacation, we must configure auto
responder, if we are using work e-mail for mailing list
subscriptions...

Some are willing to change (once again, I'm one of those people)
e-mail used for mailing lists and others don't, because they
rightfully consider this to be part of their job. The rest of us have
to live with occasional delete of auto responses...

On a lighter note, I'm one of those who like to know when Oli or
Rodney are away ;-). Almost makes no point in writing an email
otherwise *grin*.

--
Marko
CCIE #18427


Re: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF

2008-07-09 Thread Marko Milivojevic
I think that you need to use SVI's (interface vlan xxx) combined with
trunks on these boxes. They don't support subinterfaces, as far as I
recall.

On Wed, Jul 9, 2008 at 15:35, Nick Griffin <[EMAIL PROTECTED]> wrote:
> I am thinking that I should be able to create sub-interfaces on these
> devices to be used for multiple vrf's, but maybe I'm confused. I have some
> routed core/dist links I need to maintain as well as extended some services
> via VRF Lite. I have tried ip serv, adv ip serv, etc and I am still unable
> to configure a subinterface. Am I missing something, does this require a
> 3750E?
>
> interface fas 1/0/1
> no switch
> ip address 1.1.1.1 255.255.255.0
>
> int fas 1/0/1.100, etc
> ip vrf VRF1 forwarding
> ip address 2.2.2.2 255.255.255.0
>
> Hope this makes sense, thanks in advance,


Re: [c-nsp] MPLS L2 VPN any to any

2008-07-09 Thread Marko Milivojevic
This is a little bit software-dependent - not all IOS's will support
the configuration.

Did you configure interworking in pseudowire configuration?

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsinterw.html#wp1055162


On Wed, Jul 9, 2008 at 13:32, Mohammad Khalil <[EMAIL PROTECTED]> wrote:
>
> Hey all
> i have a problem in a setup
> we have 2 Cisco routers acting as MPLS PE routers  , one is 7609 and the 
> other is 7206
> we are trying to implement MPLS L2 VPN between ATM sub interface on one 
> router and Giga ethernet (also sub interface) on the other router
> but the xconnect never came up
> can anyone help in regard??


Re: [c-nsp] VRF-Lite & Multicast question

2008-07-08 Thread Marko Milivojevic
I think this could be a little bit more complicated case than just
that, since this is essentially "interprovider multicast" :-).

What is configured as RP on C? If it's not the same as in A-B, you
need to configure MSDP between C and whatever is RP in A-B. Even if it
is the same, you may need static mroute or multicast AF BGP between B
and C to make it work.

Not the simplest scenario to start with :-)

Kind regards,
Marko.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mihai Tanasescu
> Sent: Tuesday, July 08, 2008 20:55 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] VRF-Lite & Multicast question
>
> Hello all,
>
> I have just started studying multicast for accomplishing a task that
> I've been given and don't know where / what I am doing wrong.
>
> My setup is something like the following:
>
> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>
> between Router B and Router C I have 5 links (4 are vrf-lite in Router
> C, the 5th is in the global table and used for MPLS ldp).
>
> I have configured on each router:
> ip multicast-routing (in C for example for both global and VRF) , ip pim
> sparse-dense-mode on interfaces and the RP.
>
> If I connect with a cable in Router A I can view the multicast stream.
> Same if I connect in Router B.
>
> But in Router C it doesn't work (neither in the global table, neither in
> the VRFs from vrf-lite implementation).
>
> Can you help with an advice or what I could be doing wrong ? (I'm just a
> beginner/newbie when it comes to mcast)


Re: [c-nsp] 'multiplexing" netflow?

2008-07-03 Thread Marko Milivojevic
You should be able to configure two export destinations on a router.
If you need more than that, you indeed need a netflow proxy of
sorts. Have you checked if flow-tools package has something that you
could use for this purpose?

On Thu, Jul 3, 2008 at 11:18, Drew Weaver <[EMAIL PROTECTED]> wrote:
>Hi there, we have equipment at our edge that requires us to 
> export our netflow to it in order for it to function but we would also like 
> our NetFlow stats to be exported somewhere else for analysis.
>
> Does anyone know of a product that you can export your netflow to that will 
> then in turn export it to multiple destinations (that works well and is easy 
> to use/reliable) ?


Re: [c-nsp] Default-Information Originate

2008-07-03 Thread Marko Milivojevic
If the route is in BGP already, then answer to both of your questions
is no. You will need it only on a router that is "injecting" it into
the BGP from some other protocol. You will also need it on a router
that has a full routing table, but for some reason you wish it to
advertise subset+default to neighbors.

On Thu, Jul 3, 2008 at 08:34, Michael Robson
<[EMAIL PROTECTED]> wrote:
> I used to think that I had a handle on when the default information
> originate command was needed, but I have recently seen working config. that
> pokes a finger in my eye of understanding, where some bad Cisco document
> caused further blurring; and so some questions
>
> - Should the default-information originate command be needed within BGP
> configuration of a router to cause a default route that has been learnt from
> an eBGP peer to be advertised by this router to its iBGP peers?
>
> - Similarly, should this command be needed to cause a default route that has
> been learnt from an iBGP peer to be advertised by the router to an eBGP
> peer?
>
> Ta.
>
> Michael.


Re: [c-nsp] Ideal LNS/LAC Router

2008-07-02 Thread Marko Milivojevic
Apparently, the new ASR 1000 series promises to be the future platform
from Cisco for that purpose...

On Thu, Jul 3, 2008 at 01:07, Kris Amy <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Currently we are using 7301's for LAC/LNS purposes and was wondering what is
> the next platform that we should be looking to move towards.


Re: [c-nsp] Cisco 7206VXR

2008-04-21 Thread Marko Milivojevic
> *g* - GD is "general deployment", which sort of means "this IOS train
> has seen enough testing by customers and so we assume that there are not
> too many nasty bugs left", or so.

Usually not that many useful new features, either ;-)



Re: [c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.

2008-01-22 Thread Marko Milivojevic
Could you verify absence of negotiated trunks by running "show int trunk"? It 
is sometimes easy to miss trunks that should have not been trunks...

-Original Message-
From: Drew Weaver [mailto:[EMAIL PROTECTED] 
Sent: 22. janúar 2008 14:41
To: Marko Milivojevic; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] L3 VLAN showing up but no physical interface bound or 
physical interface down.


I apologize I should've clarified that we aren't doing any kind of 
trunking. Pretty much all of the VLANs we're doing are very simple switchport, 
switchport access vlan x type VLAN/interface configurations.

Thanks,
-Drew

-Original Message-
From: Marko Milivojevic [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 9:23 AM
To: Drew Weaver; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] L3 VLAN showing up but no physical interface bound or 
physical interface down.


If I'm not much mistaken, VLAN will be up if you have any trunks that "contain"
it up. Are you sure that you are not running unlimited trunks on the switch,
causing SVI to be up?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Weaver
Sent: 22. janúar 2008 14:27
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] L3 VLAN showing up but no physical interface bound or physical 
interface down.


Hi there. We have seen this issue on two separate Catalyst 
6500s in the past two weeks or so, we've noticed that on occasion either with a 
Layer 3 VLAN with no FastEthernet/GigabitEthernet port attached to it, or with 
one attached to it which is either down or administratively shutdown that the 
Layer 3 VLAN refuses to notice that it should in fact "give it a rest" as they 
say. Has anyone seen anything similar to this in the past. We aren't running 
VTP or any multi-switch/campus wide VLANs. All of our VLANs are contained 
intra-switch. Both switches are running the same version of code. The only 
remedy we've found for solving this issue is to simply blow away the VLAN 
(which is usually what we're trying to do when we notice this anyway), but we 
are a little concerned by what could be the cause.

Thanks.
-Drew



Re: [c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.

2008-01-22 Thread Marko Milivojevic

If I'm not much mistaken, VLAN will be up if you have any trunks that "contain"
it up. Are you sure that you are not running unlimited trunks on the switch,
causing SVI to be up?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Weaver
Sent: 22. janúar 2008 14:27
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] L3 VLAN showing up but no physical interface bound or physical 
interface down.


Hi there. We have seen this issue on two separate Catalyst 
6500s in the past two weeks or so, we've noticed that on occasion either with a 
Layer 3 VLAN with no FastEthernet/GigabitEthernet port attached to it, or with 
one attached to it which is either down or administratively shutdown that the 
Layer 3 VLAN refuses to notice that it should in fact "give it a rest" as they 
say. Has anyone seen anything similar to this in the past. We aren't running 
VTP or any multi-switch/campus wide VLANs. All of our VLANs are contained 
intra-switch. Both switches are running the same version of code. The only 
remedy we've found for solving this issue is to simply blow away the VLAN 
(which is usually what we're trying to do when we notice this anyway), but we 
are a little concerned by what could be the cause.

Thanks.
-Drew



Re: [c-nsp] NBAR on 2800

2008-01-10 Thread Marko Milivojevic
NBAR will not handle encrypted BitTorrent, as far as I know. For that purpose,
you may wish to look into something like SCE from Cisco, or similar device
(NetEnforcer series from Allot, for example). Alternatively, you may wish to
talk to your service provider and see if they can offer assistance in this
regard. I am sure they will be willing to cooperate to some extent ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kristofer 
Sigurdsson
Sent: 10. janúar 2008 13:18
To: Cisco NSP
Subject: [c-nsp] NBAR on 2800

Hi list,

I'm looking for words of wisdom on NBAR on the 2800s.  The main link is 100
Mbit/s (at present maxing in 60 Mbit/s bursts, average 30 Mbit/s).  We will
implement a 20 Mbit/s backup link in the next few weeks.  Both links are
delivered as fastethernet links on copper.  We would like to be able to
block P2P, or at least most of the P2P.  We will use a 2821 (currently in
use for the main link without NBAR) for the backup link, which I believe is
more than enough, but I'm a bit puzzled about the main one.  It will be a
separate router, the bean counters will push for a 2821, but I believe that
will not be enough.  How about a 2851?

Another thing.  How good is NBAR these days?  I have zero experience with
it.  Can it effectively block P2P?  Can we mark and even prioritize VoIP?
In short: does it work?

Thanks in advance,
Kristo


Re: [c-nsp] Current CCNA tests

2008-01-09 Thread Marko Milivojevic

Yes and no. If memory serves me well, Windows still doesn't like being assigned 
.0 and .255 as an IP address. Plenty of applications out there are way too 
confused with these to make them useful.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 8. janúar 2008 23:18
To: Peter Rathlev
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Current CCNA tests

Hi,

> I may be pedantic now (it's getting late!), but "ip subnet-zero" doesn't
> change the number of hosts you can cram into an unsubnetted /24
> network, class C or otherwise, does it? As I understand it, it just

pretty much right - it allows you to use some freaky /24's within your
available space - but its more important when using /23's and the
like where you can use .0 and .255 addresses within the space.

alan


Re: [c-nsp] Scheduling daily reload

2008-01-02 Thread Marko Milivojevic

That doesn't really help, because it's usually CPE that is unaware that it had 
been cut-off.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Masood Ahmad Shah
Sent: 2. janúar 2008 12:46
To: 'Gert Doering'; 'Eric Helm'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Scheduling daily reload

Why the heck is your service provider (upstream ISP) not using ppp keepalives?
They should use ppp keepalives on their BRAS.

Regards,
Masood Ahmad Shah


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gert Doering
Sent: Wednesday, January 02, 2008 2:54 PM
To: Eric Helm
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Scheduling daily reload

Hi,

On Tue, Jan 01, 2008 at 09:13:23PM -0600, Eric Helm wrote:
> I've seen this happen with PPPoX connections when either the ISP makes 
> a config change that causes the BRAS to disconnect the PPP session and 
> for whatever reason the CPE doesn't receive the disconnect message so 
> the PPP session remains active and thus never re-negotiates a new session.

PPP keepalives will nicely take care of this.

gert
--
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
[EMAIL PROTECTED]
fax: +49-89-35655025
[EMAIL PROTECTED]



Re: [c-nsp] Interesting Problem - MPBGP Filtering

2007-11-12 Thread Marko Milivojevic
R1 is 7400 running 12.4.16a. PE's are 7600 running 12.2.18SXF and I am also 
seeing those routes on pair of 6500's with same IOS train.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: 12. nóvember 2007 12:53
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Interesting Problem - MPBGP Filtering

Marko Milivojevic wrote:
> I think you could be misreading. Entry below is /19 summary - and yes, I want 
> to receive this one with RD AS:1. However, problem are those other /32 entries 
> that do not have AS:1 route-target attached - hence, they should be filtered out.

Yes, I can see that now, I can't think of a good reason why you are 
importing these prefixes with that map in place,

just out of interest, what IOS are you running?


Dave.



Re: [c-nsp] Interesting Problem - MPBGP Filtering

2007-11-12 Thread Marko Milivojevic

That was my thinking exactly - but the problem is that multicast routing is not 
enabled on R1 and it doesn't have any MVPN configuration. Like I said in my 
original e-mail - it's not a major problem, but I would just like to understand 
why am I seeing what I'm seeing :-)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: 12. nóvember 2007 13:11
To: cisco-nsp
Subject: Re: [c-nsp] Interesting Problem - MPBGP Filtering

Marko Milivojevic wrote:

> BGP routing table entry for 2:AS:4:PE.PE.PE.225/32, version 67
> Paths: (2 available, best #2, no table, not advertised to EBGP peer)
>   Not advertised to any peer
>   Local
> PE.PE.PE.225 (metric 101) from PE.PE.PE.226 (PE.PE.PE.226)
>   Origin incomplete, metric 0, localpref 100, valid, internal,
> mdt, no-import
>   Extended Community: RT:AS:4 MDT:AS:239.232.4.1
>   Originator: PE.PE.PE.225, Cluster list: 0.0.0.1
>   mpls labels in/out nolabel/3
>   Local
> PE.PE.PE.225 (metric 101) from PE.PE.PE.225 (PE.PE.PE.225)
>   Origin incomplete, metric 0, localpref 100, valid, internal,
> mdt, no-import, best
>   Extended Community: RT:AS:4 MDT:AS:239.232.4.1
>   mpls labels in/out nolabel/3


I know next to nothing about MVPN, but maybe there's a connection 
between your unwanted prefixes and the "mdt" and "no-import" attributes.
Maybe you simply can't filter out the PE-nodes in the MDT, as long as R1
is part of the MVPN network.

So maybe "no" is the answer, you can't get rid of them. Just a guess
though, I have no clue, and I should probably just keep quiet... :-)

Regards,
Peter Rathlev




Re: [c-nsp] Interesting Problem - MPBGP Filtering

2007-11-12 Thread Marko Milivojevic

I think you could be misreading. Entry below is /19 summary - and yes, I want 
to receive this one with RD AS:1. However, problem are those other /32 entries 
that do not have AS:1 route-target attached - hence, they should be filtered out.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: 12. nóvember 2007 12:36
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Interesting Problem - MPBGP Filtering




Marko Milivojevic wrote:
> Sure thing.
> 
> PE1 - PE.PE.PE.225
> PE2 - PE.PE.PE.226
> 
> R1#sh ip bgp vpn all PE.PE.PE.225
> BGP routing table entry for AS:1:X.X.X.X.0/19, version 57
> Paths: (2 available, best #1, table Internet)
>   Not advertised to any peer
>   Local
> PE.PE.PE.225 (metric 101) from PE.PE.PE.225 (PE.PE.PE.225)
>   Origin IGP, metric 0, localpref 1000, valid, internal, best
>   Community: AS:0
>   Extended Community: RT:AS:1
>   mpls labels in/out nolabel/55



Well, this is your problem then, you are tagging your PE /32s
with extcommunity AS:1 and standard community AS:0,
the combination of which are permitted in the first entry
of your route-map.

!
ip extcommunity-list standard AS-Internet permit rt AS:1
ip community-list standard AS-Originated-Routes permit AS:0
!
route-map PE-in permit 5
!
  match extcommunity AS-Internet
  match community AS-Originated-Routes
!

Unless I'm misreading this?

Dave.




Re: [c-nsp] Interesting Problem - MPBGP Filtering

2007-11-12 Thread Marko Milivojevic
Sure thing.

PE1 - PE.PE.PE.225
PE2 - PE.PE.PE.226

R1#sh ip bgp vpn all PE.PE.PE.225
BGP routing table entry for AS:1:X.X.X.X.0/19, version 57
Paths: (2 available, best #1, table Internet)
  Not advertised to any peer
  Local
PE.PE.PE.225 (metric 101) from PE.PE.PE.225 (PE.PE.PE.225)
  Origin IGP, metric 0, localpref 1000, valid, internal, best
  Community: AS:0
  Extended Community: RT:AS:1
  mpls labels in/out nolabel/55
  Local
PE.PE.PE.226 (metric 101) from PE.PE.PE.226 (PE.PE.PE.226)
  Origin IGP, metric 0, localpref 1000, valid, internal
  Community: AS:0
  Extended Community: RT:AS:1
  mpls labels in/out nolabel/53
BGP routing table entry for 2:AS:4:PE.PE.PE.225/32, version 67
Paths: (2 available, best #2, no table, not advertised to EBGP peer)
  Not advertised to any peer
  Local
PE.PE.PE.225 (metric 101) from PE.PE.PE.226 (PE.PE.PE.226)
  Origin incomplete, metric 0, localpref 100, valid, internal, mdt, 
no-import
  Extended Community: RT:AS:4 MDT:AS:239.232.4.1
  Originator: PE.PE.PE.225, Cluster list: 0.0.0.1
  mpls labels in/out nolabel/3
  Local
PE.PE.PE.225 (metric 101) from PE.PE.PE.225 (PE.PE.PE.225)
  Origin incomplete, metric 0, localpref 100, valid, internal, mdt, 
no-import, best
  Extended Community: RT:AS:4 MDT:AS:239.232.4.1
  mpls labels in/out nolabel/3
BGP routing table entry for 2:AS:1125:PE.PE.PE.225/32, version 24
Paths: (2 available, best #1, no table, not advertised to EBGP peer)
  Not advertised to any peer
  Local
PE.PE.PE.225 (metric 101) from PE.PE.PE.225 (PE.PE.PE.225)
  Origin incomplete, metric 0, localpref 100, valid, internal, mdt, 
no-import, best
  Extended Community: RT:AS:1125 MDT:AS:239.232.4.2
  mpls labels in/out nolabel/3
  Local
PE.PE.PE.225 (metric 101) from PE.PE.PE.226 (PE.PE.PE.226)
  Origin incomplete, metric 0, localpref 100, valid, internal, mdt, 
no-import
  Extended Community: RT:AS:1125 MDT:AS:239.232.4.2
  Originator: PE.PE.PE.225, Cluster list: 0.0.0.1
  mpls labels in/out nolabel/3


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: 12. nóvember 2007 11:28
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Interesting Problem - MPBGP Filtering

Can you post a full

sh ip bgp vpn all PE.PE.PE.1 ?

from R1?

Dave.


Marko Milivojevic wrote:
> I have discovered one interesting issue today. It could be expected
> behaviour, or it could be a bug. It doesn't appear to be very dangerous,
> but I would still like to understand it a little bit better. And get rid
> of the side effects. This is a little bit longer post, so stay with me
> :-).
> 
> I have setup that's similar to this:
> 
>   {mpls cloud}
>    |        |
>  [PE1]    [PE2]
>    |        |
>    +--[R1]--+
> 
> There are two PE's that have full mesh MPBGP peerings in the MPLS cloud.
> There is a fair mix of L3VPN, Internet and MVPN in the BGP table. All in
> all some 300k prefixes. To make things more fun, Internet prefixes are
> also in the VPN.
> 
> Router R1 is some "special-purposes" router, that needs just selected
> subset of Internet routes. Due to restrictions on iBGP peering from VRF,
> R1 is doing VPNv4 peering with PE1 and PE2, which are in turn configured
> as route reflectors for it. Fairly simple stuff. And it seems to work.
> Except for one thing.
> 
> Our "Internet route-target" is AS:1, where AS is our AS number. There is
> following configured on R1:
> 
> ip extcommunity-list standard AS-Internet permit rt AS:1
> ip community-list standard AS-Originated-Routes permit AS:0
> ip community-list standard AS-Customer-Routes permit AS:10
> 
> ip prefix-list Internet-Allow permit x.x.x.x/yy
> 
> route-map PE-in permit 5
>  match extcommunity AS-Internet
>  match community AS-Originated-Routes
> !
> route-map PE-in permit 10
>  match extcommunity AS-Internet
>  match community AS-Customer-Routes
> !
> route-map PE-in permit 90
>  match extcommunity AS-Internet
>  no match community Internet-Allow
>  match ip address prefix-list Internet-Allow
> !
> route-map PE-in deny 999
> 
> router bgp AS
>  template peer-policy PE-Policy
>   route-map PE-in in
>   send-community both
>  exit-peer-policy
>  !
>  template peer-session PE-Session
>   remote-as AS
>   password 
>   update-source Loopback0
>   version 4
>  exit-peer-session
>  !
>  bgp router-id x.x.x.x
>  no bgp default ipv4-unica

[c-nsp] Interesting Problem - MPBGP Filtering

2007-11-09 Thread Marko Milivojevic
I have discovered one interesting issue today. It could be expected
behaviour, or it could be a bug. It doesn't appear to be very dangerous,
but I would still like to understand it a little bit better. And get rid
of the side effects. This is a little bit longer post, so stay with me
:-).

I have setup that's similar to this:

  {mpls cloud}
   |        |
 [PE1]    [PE2]
   |        |
   +--[R1]--+

There are two PE's that have full mesh MPBGP peerings in the MPLS cloud.
There is a fair mix of L3VPN, Internet and MVPN in the BGP table. All in
all some 300k prefixes. To make things more fun, Internet prefixes are
also in the VPN.

Router R1 is some "special-purposes" router, that needs just selected
subset of Internet routes. Due to restrictions on iBGP peering from VRF,
R1 is doing VPNv4 peering with PE1 and PE2, which are in turn configured
as route reflectors for it. Fairly simple stuff. And it seems to work.
Except for one thing.

Our "Internet route-target" is AS:1, where AS is our AS number. There is
following configured on R1:

ip extcommunity-list standard AS-Internet permit rt AS:1
ip community-list standard AS-Originated-Routes permit AS:0
ip community-list standard AS-Customer-Routes permit AS:10

ip prefix-list Internet-Allow permit x.x.x.x/yy

route-map PE-in permit 5
 match extcommunity AS-Internet
 match community AS-Originated-Routes
!
route-map PE-in permit 10
 match extcommunity AS-Internet
 match community AS-Customer-Routes
!
route-map PE-in permit 90
 match extcommunity AS-Internet
 no match community Internet-Allow
 match ip address prefix-list Internet-Allow
!
route-map PE-in deny 999

router bgp AS
 template peer-policy PE-Policy
  route-map PE-in in
  send-community both
 exit-peer-policy
 !
 template peer-session PE-Session
  remote-as AS
  password 
  update-source Loopback0
  version 4
 exit-peer-session
 !
 bgp router-id x.x.x.x
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor pe1.pe1.pe1.pe1 inherit peer-session PE-Session
 neighbor pe2.pe2.pe2.pe2 inherit peer-session PE-Session
 !
 address-family vpnv4
  neighbor pe1.pe1.pe1.pe1 activate
  neighbor pe1.pe1.pe1.pe1 send-community both
  neighbor pe1.pe1.pe1.pe1 inherit peer-policy PE-Policy
  neighbor pe2.pe2.pe2.pe2 activate
  neighbor pe2.pe2.pe2.pe2 send-community both
  neighbor pe2.pe2.pe2.pe2 inherit peer-policy PE-Policy
 exit-address-family
 !
 address-family ipv4 vrf Internet
  no synchronization
  network X.X.X.X mask 255.255.255.255 route-map R1-Internet-Loopback
 exit-address-family
!

Idea above is that we wish to receive only Internet routes (permitting
only that route-target) and only our own originated routes and customer
routes - controlled by appropriate communities. All works, I can see the
subset of the routes I need plus something else.

No matter what sort of extended community filtering I do inbound on R1
or outbound on PE1 and PE2, I receive all PE loopbacks in all VPN's
configured for MVPN! For example, we have VPN that is using RD AS:4
globally, this is what I see on R1:

R1#sh ip bgp vpn all | b ^Route.*4$
Route Distinguisher: 2:AS:4
* iPE.PE.PE.1/32
                    PE.PE.PE.1      0    100      0 ?
*>i                 PE.PE.PE.1      0    100      0 ?
*>iPE.PE.PE.2/32
                    PE.PE.PE.2      0    100      0 ?
* i                 PE.PE.PE.2      0    100      0 ?
* iPE.PE.PE.3/32
                    PE.PE.PE.3      0    100      0 ?
*>i                 PE.PE.PE.3      0    100      0 ?
* iPE.PE.PE.4/32
                    PE.PE.PE.4      0    100      0 ?
*>i                 PE.PE.PE.4      0    100      0 ?
* iPE.PE.PE.5/32
                    PE.PE.PE.5      0    100      0 ?
*>i                 PE.PE.PE.5      0    100      0 ?
* iPE.PE.PE.6/32
                    PE.PE.PE.6      0    100      0 ?
*>i                 PE.PE.PE.6      0    100      0 ?

... and so on for every other MVPN.

Can I get rid of these somehow, without going through the nightmare of
setting up VRF iBGP peering?

Kind regards,
Marko.

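An added example, not part of the thread and not the poster's code: a Python audit that parses detailed "sh ip bgp vpn all" output and lists entries that sit in the table although no path satisfies what route-map PE-in is meant to permit (rt AS:1 together with community AS:0 or AS:10). The sample is constructed and abridged from the output posted in the thread, clause 90 is left out because the page redacts the prefix-list, and all function names are hypothetical.

```python
import re

# Constructed sample, abridged from the output posted in the thread. The thread's
# own redactions ("AS", "PE.PE.PE", "X.X.X.X") are kept as literal text.
SAMPLE = """\
BGP routing table entry for AS:1:X.X.X.X.0/19, version 57
Paths: (2 available, best #1, table Internet)
  Not advertised to any peer
  Local
    PE.PE.PE.225 (metric 101) from PE.PE.PE.225 (PE.PE.PE.225)
      Origin IGP, metric 0, localpref 1000, valid, internal, best
      Community: AS:0
      Extended Community: RT:AS:1
BGP routing table entry for 2:AS:4:PE.PE.PE.225/32, version 67
Paths: (2 available, best #2, no table, not advertised to EBGP peer)
  Not advertised to any peer
  Local
    PE.PE.PE.225 (metric 101) from PE.PE.PE.225 (PE.PE.PE.225)
      Origin incomplete, metric 0, localpref 100, valid, internal, mdt, no-import, best
      Extended Community: RT:AS:4 MDT:AS:239.232.4.1
"""

# route-map PE-in as posted: every permit clause requires rt AS:1, and clauses
# 5 and 10 additionally require one of these standard communities.
# Assumption: clause 90 (prefix-list Internet-Allow) is not modelled.
REQUIRED_RT = "RT:AS:1"
ALLOWED_COMMUNITIES = {"AS:0", "AS:10"}


def parse_entries(text):
    """Split detail output into entries, each with per-path attribute sets."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"BGP routing table entry for (\S+), version \d+", s)
        if m:
            entries.append({"nlri": m.group(1), "paths": []})
        elif entries and " from " in s and "(metric" in s:
            # "<next-hop> (metric N) from <peer> (<router-id>)" opens a new path
            entries[-1]["paths"].append({"comm": set(), "ext": set(), "flags": set()})
        elif entries and entries[-1]["paths"]:
            path = entries[-1]["paths"][-1]
            if s.startswith("Community:"):
                path["comm"] |= set(s.split()[1:])
            elif s.startswith("Extended Community:"):
                path["ext"] |= set(s.split()[2:])
            elif s.startswith("Origin "):
                path["flags"] |= {f.strip() for f in s.split(",")}
    return entries


def permitted(path):
    """Intended PE-in verdict for one path: clause 5 or 10, else deny 999."""
    return REQUIRED_RT in path["ext"] and bool(path["comm"] & ALLOWED_COMMUNITIES)


def audit(text):
    """Return (nlri, kind) for entries present although no path passes the policy."""
    leaked = []
    for entry in parse_entries(text):
        if not any(permitted(p) for p in entry["paths"]):
            is_mdt = any("mdt" in p["flags"] for p in entry["paths"])
            leaked.append((entry["nlri"], "mdt" if is_mdt else "other"))
    return leaked


if __name__ == "__main__":
    for nlri, kind in audit(SAMPLE):
        print(f"outside PE-in policy: {nlri} ({kind})")
```

Before feeding real router output to it, rejoin attribute lines that were wrapped by the terminal or mail client, since the parser reads each attribute from a single line.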


Re: [c-nsp] iBGP between PE and CE

2007-10-19 Thread Marko Milivojevic
Correct. We have this hack^Wsetup in production for some time now. Route maps 
need to be on the receiving router, or they won't change next-hop.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian Bering
Sent: 19. október 2007 06:29
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] iBGP between PE and CE

Hi,

>The route-map didn't work. We've set the route-map:

[snip]

>But it doesn't seem to make any difference (and yes we reset 
>the session).
>The IOS complained:
>% Warning: Next hop address is our address

Set it as an incoming route-map at the other end of the link instead. I
did some tests on that and it appeared to work just fine.

-- 
Regards
 Christian Bering
 IP engineer, nianet a/s
 Phone: (+45) 7020 8730


Re: [c-nsp] Question about the CCNA and CCNP certification

2007-09-10 Thread Marko Milivojevic

Hi guys, sorry for rude intrusion, but can I kindly ask you to continue
this discussion on some forum more suitable for certification talk.
There are few excellent ones on GroupStudy.com, for example.

Let's keep this discussion list for what it's meant. Thanks.


Kind regards,
Marko (CC this and that #18427).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quinn Kuzmich
Sent: 10. september 2007 12:16
To: Raymond Macharia
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Question about the CCNA and CCNP certification

THIS RIGHT HERE.  I'm working on my CCSP, and I've noticed that each
test builds on what you learned in the prior test.  Not so much on the
CCNP, but do NOT skip something even if you find it boring.  You
_will_ see the material again, and you don't want that sinking feeling
in your stomach during an exam.

Q

On 9/10/07, Raymond Macharia <[EMAIL PROTECTED]> wrote:
> A hint on doing the Cisco certification exams and passing!!,
>
>  Do not skip any exam, yes it's boring doing binary and hex while you should
> be building some complex network solution with BGP etc but something I have
> learnt is that with each exam passed the next one is usually easier just by
> the fact that you get to understand Cisco's way on answering the questions.
> Also items covered in the more advanced exam usually has the groundwork set
> in the earlier exam and this goes all the way to CCIE.
> Moral of the story, there are no short cuts.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Possible Stupid Questions Alert - Combining VLAN's

2007-06-26 Thread Marko Milivojevic

Don't be too happy about it. VLAN translations are not done per-port, rather
per-port-group, where port-group is group of ports handled by the same ASIC.
On most of 10/100/1000 line cards, that's 1/2 of the line card :-(.



> From: Gert Doering <[EMAIL PROTECTED]>
> Date: Mon, 25 Jun 2007 21:40:08 +0200
> To: Tassos Chatzithomaoglou <[EMAIL PROTECTED]>
> Cc: Gert Doering <[EMAIL PROTECTED]>, 'Cisco-nsp'
> 
> Subject: Re: [c-nsp] Possible Stupid Questions Alert - Combining VLAN's
> 
> Hi,
> 
> On Mon, Jun 25, 2007 at 09:46:37PM +0300, Tassos Chatzithomaoglou wrote:
>> Isn't it the same as vlan translation that ME-3750 support?
> 
> thanks, that's the keyword combination I was looking for :-)
> 
> - and this URL describes how to configure this on a 6500 with 12.2SX*
> 
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a7c.html#wp1044990
> 
> gert
> 
> -- 
> USENET is *not* the non-clickable part of WWW!
>//www.muc.de/~gert/
> Gert Doering - Munich, Germany [EMAIL PROTECTED]
> fax: +49-89-35655025[EMAIL PROTECTED]


Re: [c-nsp] Trunking problem

2007-05-29 Thread Marko Milivojevic
> I am having problems with a new trunk that I am setting up.  Here are the
> details:
> 
> Switch A (vlans 1, 48) (transparent lan)---Switch B (vlans 1,48)
[snip] 
> Any ideas why I cannot pass traffic on VLAN 1 but I can pass traffic on VLAN
> 48?


Does that "transparent LAN" forward untagged traffic?





Re: [c-nsp] L3 switch with MPLS support

2007-05-10 Thread Marko Milivojevic
> PS: c6500 is out of question for two reason... one it's too expensive
> and even if not (refurbished), it's too big sometimes. In small pops
> where we have let's say 10 clients, c6500 is really overkill.

There is a smaller ME6500 version that would fit your needs size-wise.
It's probably too expensive still.



Re: [c-nsp] 802.1q trunking from cat6509 to 2950T-24

2007-05-03 Thread Marko Milivojevic

Why do you insist on tagging native VLAN? If there is no special reason to do 
it, don't :-)

Solution for your problem is to make some other (unused) VLAN native on the 
2950. That way, it will tag VLAN 1 over the trunk.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Tohill
Sent: fimmtudagur, 3. maí 2007. 09:38
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 802.1q trunking from cat6509 to 2950T-24

Hi,

I am having difficulty establishing 802.1q trunk to 2950 switch.

I am only (initially) trying to establish VLAN1 across trunk.

I have 'vlan dot1q tag native' configured on the 6509 side but I don't
have a similar command on 2950T-24 or a way to untag the native on a per
trunk basis on the 6509.

Configs below:

6509:
!
vtp mode transparent
vlan dot1q tag native
!
interface GigabitEthernet1/14
description 802.1q Switch1 Access
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-599,601-4094
switchport mode trunk
switchport nonegotiate
no ip address
logging event link-status

2950T-24:
!
vtp mode transparent
!
interface GigabitEthernet0/1
description 802.1q<-->-6509-01[Gig1/14]
switchport trunk allowed vlan 1-599,601-4094
switchport mode trunk
switchport nonegotiate
no ip address

Am I missing something?

Thanks,
Mark

Mark Tohill
UTV Internet
T:+44 (0)28 90 262196
M:+44 (0)7786 278716
E:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]> 
 


Re: [c-nsp] bgp and update-source

2007-04-30 Thread Marko Milivojevic
> neighbor xxx.xxx.xxx.xxx update-source FastEthernet0/0
>
> Would bgp take the standby ip or the physical ip of the interface?

Physical interface address. 
