Re: [c-nsp] Ds3 Issues
An entity claiming to be Robert Boyle ([EMAIL PROTECTED]) wrote:
: At 10:07 PM 5/16/2007, Mark Rogaski wrote:
:
: > Attenuation issues do not generally cause LCVs. This is an issue somewhere
: > between the interface and the last device to regenerate the signal (either
: > the mux or any media converter in-line). Most LCVs are caused by bad
: > cabling or a bad DSX. You may want to exercise all the connectors between
: > the router and the telco mux.
:
: I respectfully disagree. We have seen on every PA-MC-* we use
: anywhere in the country that a hot signal from any Adtran OC3-DS3 mux
: gear will cause constant LCVs until we add 10-12db of attenuation on
: the receive side. Once this is done, all of the LCVs go away for
: good. I don't know that is his problem here, but when a hard loop
: shows good, I suspect a bad card or a LBO/attenuation issue.
:

I'm used to looking at existing production circuits. LBO issues are pretty rare with what we're looking at, and when we do see them they are usually too cold. I'd agree that LBO would be as likely if not more for a new turn-up.

Mark

--
[]                   | I often reflect that if privileges had been
[] Mark Rogaski      | called responsibilities or duties, I would have
[] [EMAIL PROTECTED] | saved thousands of hours explaining to people why
[] [EMAIL PROTECTED] | they were only gonna get them over my dead body.
[]                   |     -- Lee K. Gleason in comp.org.decus

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Basic question on 6509 switchport module
Hi,

On Wed, May 16, 2007 at 09:12:47AM -0700, Rick Kunkel wrote:
> Here's the bonehead part. Would the standard way to deal with routing
> between these be to make a VLAN Interface on the 6509? I made a VLAN 12
> interface and gave it the IP address 2.2.2.1. Works great.

That's the way to do it :)

The vlan interface is the routing module's connection into the L2 VLAN (otherwise you'd just have a switched VLAN, and no connection to the router side of this box).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
[c-nsp] Multicast source question
In trying to troubleshoot a multicast problem, I have discovered that I don't fully understand part of the multicast process and so would be grateful if I could get an answer to the following.

When a client streams traffic out to a multicast group, I had assumed that it would treat the traffic as any other unicast traffic in that it would see the destination IP as outside its subnet (i.e. a Class D address) and so send it onto its gateway (with the source and destination MAC at the layer 2 being set to the server and router MACs respectively) - no IGMP joining happens because it is a source only.

Is this true, or does the server set the destination MAC to the multicast MAC that corresponds to the multicast IP (which an ethereal capture seems to be suggesting)? If this is true, then what is the process that gets the stream to the router, i.e. how does the switch determine that it should add the corresponding multicast MAC to the port facing the router?

Could any answers please be copied to my direct email as well as the list, as I only get digests.

Thanks,

Michael.
--
Michael Robson,           | Tel: 0161 275 6113
Networks,                 | Fax: 0161 275 6040
University of Manchester. | Email: [EMAIL PROTECTED]

Youth and skill are no match for experience and treachery.
Re: [c-nsp] Feedback on: Security Advice for Routers and Switches
Matthew Lange [EMAIL PROTECTED] writes:
> * Implement blackhole routing on the Internet interface, using the Bogon list[3]

Actually, I would put static bogon lists in the common but bad advice section, right there with turning off ICMP (sorry, RobT!).

Why? Well, except for certain networks that are likely to be reserved in perpetuity (for instance, 0/8, 255/8, 1918 space...), _every last one of them_ is gonna end up getting assigned within the next four years [1]. Are *you* going to be around to monitor the bogon list and update it every few months? If not you then who?

Have you done a threat analysis and figured out what the marginal risk is of allowing bogons from unassigned or reserved IP address space vs. allowing bogons from hijacked or supernet-sucked address space (against which you have no effective recourse)?

I don't run bogon lists and I encourage others to not use them either. The downsides outweigh the benefits. I handle spam and other such nuisances at the application layer.

---Rob

[1] http://www.potaroo.net/presentations/2007-05-09-ripe54-ipv4.pdf
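The upkeep problem raised in the reply above, as an added example that is not part of the original message: a small audit that compares a static bogon filter with the prefixes assigned since it was written and reports which entries now block legitimate address space. The prefix lists and the function names `parse`, `remainder` and `audit` are constructed for illustration, and the handling of partial assignments goes slightly beyond the whole-/8 case in the post.

```python
import ipaddress

# Ranges the post names as likely reserved in perpetuity: 0/8, 255/8, RFC 1918.
PERMANENT = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "255.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a static bogon filter as it might sit on a router.
STATIC_BOGONS = """
0.0.0.0/8
10.0.0.0/8
1.0.0.0/8      # unassigned when the filter was written
5.0.0.0/8      # unassigned when the filter was written
39.0.0.0/8     # unassigned when the filter was written
"""

# Constructed sample: prefixes assigned since the filter was written.
ALLOCATED_SINCE = """
1.0.0.0/8
5.0.0.0/9
"""

def parse(text):
    """Parse one prefix per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets

def remainder(bogon, allocated):
    """Return the parts of `bogon` that no allocated prefix covers."""
    pieces = [bogon]
    for alloc in allocated:
        kept = []
        for piece in pieces:
            if not piece.overlaps(alloc):
                kept.append(piece)            # untouched by this allocation
            elif piece.subnet_of(alloc):
                continue                      # fully assigned, nothing left
            else:
                # alloc lies strictly inside piece: keep what surrounds it
                kept.extend(piece.address_exclude(alloc))
        pieces = kept
    return sorted(pieces)

def audit(static_bogons, allocated):
    """Classify each filter entry as permanent, stale or current.

    Returns (entry, status, prefixes_still_safe_to_filter) tuples.
    """
    report = []
    for bogon in static_bogons:
        if any(bogon.subnet_of(p) for p in PERMANENT):
            report.append((bogon, "permanent", [bogon]))
            continue
        hits = [a for a in allocated if a.overlaps(bogon)]
        if hits:
            report.append((bogon, "stale", remainder(bogon, hits)))
        else:
            report.append((bogon, "current", [bogon]))
    return report

if __name__ == "__main__":
    for entry, status, keep in audit(parse(STATIC_BOGONS), parse(ALLOCATED_SINCE)):
        print(f"{str(entry):<14} {status:<9} keep: {[str(n) for n in keep]}")
```

A "stale" entry with an empty keep list is one that now drops only assigned space and should be removed from the filter outright.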
Re: [c-nsp] When to switch to DFC3BXL
On 5/16/07, Chris Woodfield [EMAIL PROTECTED] wrote:
> show platform hardware capacity gives you some pretty good data that
> may be useful in this situation. I think SXD was the first minor rev
> to support it, but I could be wrong.
>
> -C

Thanks for the info. FWIW, I've got it in 12.2(18)SXF4 but not 12.2(18)SXE5.

Cheers,
Janet Plato
[c-nsp] 12.3.22 lawful intercept on 7206 - DHCP bug eats 2,000+ customers
I have a 7206 with NPE-G1, upgraded from 12.2.15T11 last night to 12.3.22 lawful intercept and simultaneously taking from 256m to 1024m of memory. The system has BGP peers and a couple of thousand DSL customers attached (I know, I know, OS and memory upgrade are part of me splitting it for this customer).

We watched 2,100 ARP entries appear for the ATM PVCs this morning and all seemed well but the onboard DHCP was sick. We do a 'show run' and it'll fail with a try later or it'll run but it takes several minutes to generate anything.

We're on the phone with TAC now and we've got someone clueful but this is incredibly painful for the customer - anyone seen this thing before? Suggestions?
Re: [c-nsp] 12.3.22 lawful intercept on 7206 - DHCP bug eats 2,000+ customers
So, you're turning up a new connection with 2100 customers on it (or ARP entries at least) and DHCP is slowing right down?

If I understand this right, this is normal behaviour on one of our cable routers (CTMS router) when we do maintenance and bring 500+ customers back online, it takes a good 20 minutes for all those customers to get an IP address again. Once we're beyond that initial startup it works great though.

Does that seem similar to your situation or does DHCP just choke altogether?

Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Neal Rauhauser
Sent: Thursday, May 17, 2007 11:32 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 12.3.22 lawful intercept on 7206 - DHCP bug eats 2,000+ customers

I have a 7206 with NPE-G1, upgraded from 12.2.15T11 last night to 12.3.22 lawful intercept and simultaneously taking from 256m to 1024m of memory. The system has BGP peers and a couple of thousand DSL customers attached (I know, I know, OS and memory upgrade are part of me splitting it for this customer).

We watched 2,100 ARP entries appear for the ATM PVCs this morning and all seemed well but the onboard DHCP was sick. We do a 'show run' and it'll fail with a try later or it'll run but it takes several minutes to generate anything.

We're on the phone with TAC now and we've got someone clueful but this is incredibly painful for the customer - anyone seen this thing before? Suggestions?
Re: [c-nsp] qos on 2960 cannot apply service-policy
I disabled auto qos and I still cannot apply the service policy. Any other ideas?

Dan.

Phil Bedard wrote:
> Having auto qos enabled won't allow you to use a user-defined output
> policy on that interface.
>
> Phil
>
> On May 17, 2007, at 11:33 AM, Dan wrote:
>
>> c2960-lanbasek9-mz.122-37.SE/c2960-lanbasek9-mz.122-37.SE.bin
>>
>> I'm trying to apply the service-policy to an interface and for some
>> reason it will not let me do so on incoming or outgoing. When I try on
>> outgoing it says this:
>>
>> Switch(config-if)#service-policy output out
>> Warning: Assigning a policy map to the output side of an interface not supported
>> Service Policy attachment failed
>> Warning: Assigning a policy map to the output side of an interface not supported
>>
>> When I try input it says this:
>>
>> Switch(config-if)#service-policy input out
>> Service Policy attachment failed
>>
>> config:
>>
>> mls qos aggregate-policer 1mbit-video-out 100 8000 exceed-action policed-dscp-transmit
>> mls qos aggregate-policer 1mbit-voice-out 100 8000 exceed-action policed-dscp-transmit
>> mls qos aggregate-policer 28mbit-default-out 2800 8000 exceed-action drop
>> !
>> !
>> class-map match-all data
>>  match ip dscp default
>> class-map match-any voice-signal
>>  match ip dscp cs3
>>  match ip dscp af31
>> class-map match-all video
>>  match ip dscp af41
>> class-map match-all voice
>>  match ip dscp ef
>> !
>> !
>> policy-map out
>>  class data
>>   police aggregate 28mbit-default-out
>>  class video
>>   police aggregate 1mbit-video-out
>>  class voice
>>   police aggregate 1mbit-voice-out
>>  class voice-signal
>>   police aggregate 1mbit-voice-out
>> !
>> !
>> interface FastEthernet0/1
>>  switchport access vlan 500
>>  srr-queue bandwidth share 10 10 60 20
>>  srr-queue bandwidth shape 10 0 0 0
>>  mls qos trust cos
>>  auto qos voip trust
>> !
>>
>> Dan.
>
> Phil Bedard
> [EMAIL PROTECTED]
Re: [c-nsp] HIgh CPU7606
post output of show tech would be a start...remove passwords of course.

My magic wand that I use to conjure up explanations without any info broke last week.

Or contact Cisco on your support contract.

Ted

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eghoenisech Ghoenatorich
Sent: Tuesday, May 15, 2007 9:19 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] HIgh CPU7606

DA,

One of our pe hitting high CPU util caused by LFDp Input Proc, any advice on how to troubleshoot this problem? Any advice will be appreciated.

regards,
EG

PE#sh processes cpu sorted | ex 0.00
CPU utilization for five seconds: 85%/45%; one minute: 82%; five minutes: 83%
 PID Runtime(ms)   Invoked  uSecs    5Sec    1Min    5Min TTY Process
 264    20879900  14466914   1443  34.15%  34.88%  35.14%   0 LFDp Input Proc
 466     1199684     85939  13959   4.47%   1.53%   1.42%   0 BGP Router
 291      147856     43535   3396   0.31%   0.16%   0.17%   0 HIDDEN VLAN Proc
 192      152608   1005110    151   0.31%   0.16%   0.20%   0 IP Input
  24      204196    320770    636   0.23%   0.10%   0.07%   0 IPC Seat Manager
 239       46748     18698   2500   0.15%   0.05%   0.05%   0 IP RIB Update
 467      200972      6163  32609   0.07%   0.16%   0.20%   0 BGP Scanner
  52       42056     87205    482   0.07%   0.04%   0.05%   0 Per-Second Jobs
  10       72724    213360    340   0.07%   0.07%   0.07%   0 ARP Input

PE#sh stacks 264
Process 264: LFDp Input Proc
 Stack segment 0x535738FC - 0x5357506C
 FP: 0x53574FC0, RA: 0x4127F970
 FP: 0x53575000, RA: 0x41902978
Re: [c-nsp] Cisco Smartnet Sales Rep??
There is no business out there to want. Go to whoever sold you the Cisco hardware.

The margins on smartnet contracts are virtually zero, and the amount of work that Cisco requires the reseller to do to register them now, costs much more than the margin. Also once you get a contract, you can renew it from your login, without involving the reseller. Thus what little margin the reseller would get for a renewal, they get cut out of. And the renewals were the only chance for the reseller to make any profit on them anyway.

Note also that unless you buy the contract within 30 days of purchase of the new device, you can't use it for hardware replacement anyway.

If you got the stuff off Ebay then maybe someone like DatacommWhorehouse might sell you one. Good luck with it.

We tell all new cisco device customers of ours that if they don't buy the service contract as part of the purchase, we won't sell it to them later on. Of course, that isn't really true because we would in fact sell it to them - if they had bought the devices from us in the beginning, of course - but it usually prompts them to pay the extra for the contract. Which is, of course, exactly how Cisco wants all this to play out.

And frankly, look at it from the reseller's POV. It costs a couple hours of top tier tech time to properly spec out the devices that the customer needs for their environment, to even put the quote together. While you're in the Cisco website doing all this, it is only a few extra seconds to select the service contract box for the devices. If a customer comes to you months or years later, you have to re-do all of this work to quote them a service contract that you're lucky enough to maybe clear about 2% on.

And of course, if the customer is looking for contracts for used gear - which is most of the people who are in this boat - they aren't going to agree to pay for Used Gear Relicensing, they just want the service contract, which means they are not ever going to buy anything significant from you, like a new router for example, they will just go back to Ebay.

And this doesn't even address the issue with the rampant counterfeiting. Cisco, you should know, requires the reseller to supply the product serial number when the contract is registered. Do you know what would happen to us as a reseller if you bought a service contract from us for a device you got off Ebay, we registered it and the serial number turned out to be counterfeit? We would be very lucky not to find ourselves being sued, and if you didn't fully disclose who you got the gear from, you would be sued. And of course, you would have to surrender all the gear you bought as part of a settlement, Cisco would insist on that.

All of the decent used Cisco gear resellers out there also sell Cisco service contracts. They also check serial numbers of used gear they get, with Cisco to make sure it's not fake. But there's a huge number of them that you see on Ebay all of the time who are selling counterfeit stuff and naturally they are not going to sell service contracts.

Sorry to have to spell out the facts of the problem for you, but you are going to have to engage a reseller for more than just a few miserable low-margin sales, to build up the level of trust needed. Find a local dealer, meet with them, get to know them. Buy some devices from them, that means, spend some serious money with them. Then bring up the issue of service contracts for your devices.

Ted

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Deepak Jain
Sent: Wednesday, May 16, 2007 10:03 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco Smartnet Sales Rep??

I need a couple of referrals for reps that would sell small smartnet contracts (1 at a time, for CPE equipment like 2600s). Our other rep(s) don't seem to want the business.

Thanks in advance,

DJ
Re: [c-nsp] Cisco VPN Client + ASA 5505
TCIS List Acct wrote:
> The Cisco VPN Client is included with all models of Cisco VPN 3000
> Series concentrators and Cisco ASA 5500 Series security appliances
> (excluding ASA 5505), and most Cisco PIX 500 security appliances
>
> I couldn't find any other mention of the excluding ASA 5505 verbiage
> anywhere else. Does this mean that I can't use the Cisco VPN client
> w/the ASA 5505 (and be within the license)?

Hm ... I'm puzzled ... we just quoted one of our customers with a 5505, and checking with our Cisco reseller we were told that the VPN client was part of the 5505 ... Worst case I guess is you have to shell out another $50 or so for the VPN Client license ...

I guess I will re-check with our reseller and get confirmation ...

-garry
Re: [c-nsp] RSP720/SRB in production?
I got problems with SRB when deployed to production. The BGP Router process constantly eats ~70% cpu, versus 10% with SRA3. Same config, doing a lot of ipv4 BGP, some ipv6 BGP, IPv4 Multicast BGP, and some VPNv4. Haven't been able to reproduce it in lab.

We are waiting for SRB1 over here. I will order my first RSP next month though.

Sincerely

Peter Salanki
CTO
Bahnhof AB (AS8473)
www.bahnhof.se
Office: +46855577132
Cell: +46709174932

On 16 May 2007, at 21:16, Christian Bering wrote:

> Hi,
>
> I've heard from some colleagues that there are some major bugs still
> with the RSP720 IOS (eg, enabling remote authentication will cause it
> to crash upon login).
>
> There is a SS bug on SRB for that. I'm having a hard time going back
> to find it right now. SRB1 will be out soon and most likely SRB will
> be deferred as soon as that comes out. I'd wait for SRB1.
>
> We got struck by CSCsb85982 which sounds similar but we're affected on
> SUP720 and not RSP720. There aren't many details on the bug but it
> seems severe enough to defer - we got struck 4 times in ten days on
> the same box. Still not entirely sure why.
>
> --
> Regards
> Christian Bering
> IP engineer, nianet a/s
> Phone: (+45) 7020 8730
Re: [c-nsp] qos on 2960 cannot apply service-policy
Do you have an example of egress queuing?

Thanks,
Dan.

Brian Turnbow wrote:
> As far as I know you cannot police outbound traffic on the ports of the 2960.
> You can play with the egress queuing on the port to limit the bandwidth.
> Check out the qos part in the configuration guide.
>
> Regards
>
> Brian
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan
> Sent: Thursday, 17 May 2007 17.34
> Cc: cisco-nsp
> Subject: [c-nsp] qos on 2960 cannot apply service-policy
>
> c2960-lanbasek9-mz.122-37.SE/c2960-lanbasek9-mz.122-37.SE.bin
>
> I'm trying to apply the service-policy to an interface and for some
> reason it will not let me do so on incoming or outgoing. When I try on
> outgoing it says this:
>
> Switch(config-if)#service-policy output out
> Warning: Assigning a policy map to the output side of an interface not supported
> Service Policy attachment failed
> Warning: Assigning a policy map to the output side of an interface not supported
>
> When I try input it says this:
>
> Switch(config-if)#service-policy input out
> Service Policy attachment failed
>
> config:
>
> mls qos aggregate-policer 1mbit-video-out 100 8000 exceed-action policed-dscp-transmit
> mls qos aggregate-policer 1mbit-voice-out 100 8000 exceed-action policed-dscp-transmit
> mls qos aggregate-policer 28mbit-default-out 2800 8000 exceed-action drop
> !
> !
> class-map match-all data
>  match ip dscp default
> class-map match-any voice-signal
>  match ip dscp cs3
>  match ip dscp af31
> class-map match-all video
>  match ip dscp af41
> class-map match-all voice
>  match ip dscp ef
> !
> !
> policy-map out
>  class data
>   police aggregate 28mbit-default-out
>  class video
>   police aggregate 1mbit-video-out
>  class voice
>   police aggregate 1mbit-voice-out
>  class voice-signal
>   police aggregate 1mbit-voice-out
> !
> !
> interface FastEthernet0/1
>  switchport access vlan 500
>  srr-queue bandwidth share 10 10 60 20
>  srr-queue bandwidth shape 10 0 0 0
>  mls qos trust cos
>  auto qos voip trust
> !
>
> Dan.
[c-nsp] Cisco PIX IPSEC remote access vpn stability
Hey list!

We currently use PIX running 7.2.2 as our vpn end point for our remote access users and lan2lan connections. The LAN2LAN connections seem to remain stable while we get 3 to 4 complaints about the remote access VPN disconnecting users. Looking at the syslog reports seem to be DPD disconnects. If it was just one user on a certain ISP I wouldn't even ask the list but have any of you noticed that the remote access IPSec vpn seems to be VERY latency sensitive?

Thanks all!

Joseph Jackson