Re: [c-nsp] logging traffic

2007-08-31 Thread Eimantas Zdanevičius
Thanks for help.

For now I get traffic connections from ASA 5520 logged to syslog server.
In future I will use NetFlow.

Can anyone recommend good free netflow tools?

Regards,
Eimantas Zdanevičius
Network administrator
UAB Oslo products
Žirmūnų g. 27, LT-09105, Vilnius
Tel.: +370 5  276 2002
Fax: +370 5  270 0204
Mob.: +370 685  18 864
E-mail: [EMAIL PROTECTED]
www.occ.lt



Rodney Dunn wrote:
 Please use #1.

 #3 causes process switching and that's a very bad thing to do.

 Rodney

 On Thu, Aug 30, 2007 at 04:41:58PM +0800, Lincoln Dale (ltd) wrote:
   
 I need to log traffic going through cisco 3825 router to syslog server.
 Not all traffic data, I only need to log new connections.
 How can I do this?
   
 there's a few ways you could accomplish this, but I'd recommend option (1):

 1. NetFlow export

 2. IP accounting

 3. an ACL with 'log', something like:
  access-list 101 permit tcp any any established
  access-list 101 permit tcp any any log
  access-list 101 permit ip any any


 cheers,

 lincoln.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
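
Added example (not part of the thread and not code from any poster): a minimal collector-side decoder for option 1, assuming the router exports NetFlow version 5, which the thread does not specify. It decodes one export datagram and reports each new TCP connection once, using the SYN bit in the record's cumulative TCP flags; the sample datagram, addresses and timestamps are constructed.

```python
import ipaddress
import struct

# NetFlow v5 export datagram: 24-byte header, then `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
MAX_RECORDS = 30          # a v5 datagram carries at most 30 records
TCP, UDP = 6, 17
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime_ms, unix_secs = V5_HEADER.unpack_from(datagram)[:4]
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("implausible record count %d" % count)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first_ms, _last_ms,
         sport, dport, flags, proto, _tos, _sas, _das, _smask, _dmask) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)), "sport": sport,
            "dst": str(ipaddress.IPv4Address(dst)), "dport": dport,
            "proto": proto, "tcp_flags": flags,
            "packets": pkts, "octets": octets, "first_ms": first_ms,
            # 'first' is router uptime at flow start; convert to epoch seconds.
            "started": unix_secs - (uptime_ms - first_ms) // 1000,
        })
    return flows


def new_connections(flows):
    """Return one flow per new TCP connection, taken from the initiator side.

    tcp_flags is the OR of all flags seen in the flow, so SYN means the record
    covers the start of a connection. Both directions carry SYN (SYN and
    SYN-ACK), so the two unidirectional flows are paired and the one that
    started first is kept. Records for long-lived flows exported again later
    have no SYN and are ignored.
    """
    first_seen = {}
    for f in flows:
        if f["proto"] != TCP or not f["tcp_flags"] & SYN:
            continue
        key = frozenset([(f["src"], f["sport"]), (f["dst"], f["dport"])])
        if key not in first_seen or f["first_ms"] < first_seen[key]["first_ms"]:
            first_seen[key] = f
    return sorted(first_seen.values(), key=lambda f: f["first_ms"])


def pack_record(src, dst, first_ms, last_ms, sport, dport, flags, proto):
    """Build one v5 record (constructed test data, fixed counters)."""
    return V5_RECORD.pack(
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
        bytes(4), 1, 2, 10, 1200, first_ms, last_ms,
        sport, dport, flags, proto, 0, 0, 0, 0, 0)


def sample_datagram():
    """Constructed export: one new TCP session (both directions), one
    continuing TCP flow without SYN, and one UDP flow."""
    both = SYN | ACK | PSH | FIN
    records = [
        pack_record("192.0.2.10", "198.51.100.5", 590000, 595000, 40000, 80, both, TCP),
        pack_record("198.51.100.5", "192.0.2.10", 590020, 595000, 80, 40000, both, TCP),
        pack_record("192.0.2.11", "198.51.100.5", 100000, 599000, 40001, 22, ACK | PSH, TCP),
        pack_record("192.0.2.12", "198.51.100.9", 598000, 598100, 5353, 53, 0, UDP),
    ]
    header = V5_HEADER.pack(5, len(records), 600000, 1188550000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    for c in new_connections(parse_v5(sample_datagram())):
        print("%(started)d TCP %(src)s:%(sport)d -> %(dst)s:%(dport)d" % c)
```

Because the flow records are built in the router's switching path and exported in batches, this gives the per-connection log without the 'log' ACL keyword that the replies warn against.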

Re: [c-nsp] Debugging LFI fragmentation

2007-08-31 Thread Oliver Boehmer (oboehmer)
Leonardo Souza  wrote on Thursday, August 30, 2007 8:53 PM:

 Correct.
   I sent ping packets with 1500 bytes.
   My problem is that on the other side, I see no debug output for MLP
   (events, fragments etc...). By the way, it's a C10K.
   It seems a bug. I don't know...

As the 10k processes the traffic in hardware, I don't think you can see them 
using these debug commands. 
You could monitor the packet counters on the interfaces involved, i.e. if you 
send 1000 packets, you should see a 1000 packets on the bundle master, and 1000 
packets on each of the bundle members (i.e. 2000 total on the bundle members). 
This would show you that fragmentation is working. Which PRE are you using? I 
think the PRE1 doesn't support MLP fragmentation (at least it didn't when I 
worked with this platform a few years ago).

oli


 
   Regards.
 
 Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:
   Leonardo Souza  wrote on Thursday, August 30, 2007 4:23 PM:
 
 Hi mates.
 Maybe somebody can help me.
 I configured MLPoATM and LFI.
 According to this debug, can I be sure both the routers are doing
 fragmentation? 
 
 Router#
 *Mar 1 18:27:12.420: Vi3 MLP: I frag C041 size 49 encsize 2
 *Mar 1 18:27:12.420: Vi3 MLP: O frag C064 size 57 encsize 10
 *Mar 1 18:27:12.476: Vi3 MLP: I frag C042 size 48 encsize 2
 *Mar 1 18:27:12.564: Vi3 MLP: I frag C043 size 49 encsize 2
 *Mar 1 18:27:12.572: Vi3 MLP: O frag C065 size 57 encsize 10
 *Mar 1 18:27:12.864: Vi3 MLP: I frag C044 size 48 encsize 2
 *Mar 1 18:27:12.960: Vi3 MLP: I frag C045 size 50 encsize 2
 *Mar 1 18:27:12.968: Vi3 MLP: O frag C066 size 58 encsize 10
 
 Does I frag stand for Input fragmented packet and O frag stand
 for Output fragmented packet?
 
 well, I frag means input fragment. Whether this is actually a fragment
 L3 packet cannot be deduced here, I think, any piece of data MLP sends
 is a fragment.
 In general, we don't fragment packets smaller than 84 bytes.
 Send a large ping packet (1000 bytes) and take a look at the debug..
 
 oli
 
 


Re: [c-nsp] My sham-links disappeared?

2007-08-31 Thread Code Monkey
On 8/31/07, Code Monkey [EMAIL PROTECTED] wrote:
 I just upgraded a 7206 NPE 300 router running IOS (C7200-JK9S-M),
 Version 12.2(15)T17 to an NPE G1 running (C7200-JK9S-M), Version
 12.4(16).
...
 I was sure the new one had all that the old one had, I had tested it,
 and almost everything is perfect -- except that the OSPF sham-links
 with the other routers won't establish themselves. I hadn't checked
 *that*, of course.
...
 Is there a compatibility issue between the IOSes? What can I do?
 Thanks for any help.

I panic-downgraded to the old IOS on the new hardware and everything
came up smooth as you please. Any ideas? Known bug?


Re: [c-nsp] logging traffic

2007-08-31 Thread Gabor Ivanszky

nfsen
ntop

Eimantas Zdanevičius wrote:
 Thanks for help.

 For now I get traffic connections from ASA 5520 logged to syslog
 server. In future I will use NetFlow.

 Can anyone recommend good free netflow tools?

 Regards, Eimantas Zdanevičius Network administrator UAB Oslo
 products Žirmūnų g. 27, LT-09105, Vilnius Tel.: +370 5  276 2002
 Fax: +370 5  270 0204 Mob.: +370 685  18 864 E-mail:
 [EMAIL PROTECTED] www.occ.lt



 Rodney Dunn wrote:
 Please use #1.

 #3 causes process switching and that's a very bad thing to do.

 Rodney

 On Thu, Aug 30, 2007 at 04:41:58PM +0800, Lincoln Dale (ltd)
 wrote:

 I need to log traffic going through cisco 3825 router to
 syslog server. Not all traffic data, I only need to log new
 connections. How can I do this?

 there's a few ways you could accomplish this, but I'd recommend
 option (1):

 1. NetFlow export

 2. IP accounting

 3. an ACL with 'log', something like:
  access-list 101 permit tcp any any established
  access-list 101 permit tcp any any log
  access-list 101 permit ip any any


 cheers,

 lincoln.

[c-nsp] 32bit ASNs on 12.0S

2007-08-31 Thread Sven Juergensen (KielNET)
Hi list,

does or will the 12.0S-Train
support 32bit AS-numbers?

Judging by the 'router bgp x'
command, it's 16bit here.

Best regards,

sven03

-- 
Kind regards

i. A. Sven Juergensen

Information Technology
Department

KielNET GmbH
Gesellschaft fuer Kommunikation
Preusserstr. 1-9, 24105 Kiel

Phone   : 0431 / 2219-053
Fax     : 0431 / 2219-005
E-Mail  : [EMAIL PROTECTED]
Internet: http://www.kielnet.de

AS# 25295
Key fingerprint:
65B6 90FC 010A 39CE DCA5  336D 9C45 3B7A B02D E132

Managing director Eberhard Schmidt
HRB 4499 (Kiel District Court)


[c-nsp] L2 interworking on 7600 RSP720

2007-08-31 Thread MKS
Hi

I was trying Layer 2 interworking for ATM to Ethernet on cisco 7600
RSP-7203C software SRB1 advanced ip services

e.g.

interface GigabitEthernet5/2.20
 encapsulation dot1Q 20
end

interface ATM9/1/0
 no ip address
 no atm enable-ilmi-trap
 pvc 0/400 l2transport
  encapsulation aal5
 !
end

Then typing this command:
connect atm_to_vlan atm9/1/0 0/400 g5/2.20 interworking ethernet
I get
%CONN: invalid connection

can someone suggest to me what I'm doing wrong?

atm-to-atm local switching is working fine.

Regards
MKS


Re: [c-nsp] 32bit ASNs on 12.0S

2007-08-31 Thread Gert Doering
Hi,

On Fri, Aug 31, 2007 at 12:18:53PM +0200, Sven Juergensen (KielNET) wrote:
 does or will the 12.0S-Train
 support 32bit AS-numbers?

It doesn't (and neither does any other IOS version publicly available).

Rumors say that 32 bit ASN support will appear early next year.

(IOS XR *does* have 32-bit ASN, as far as I have been told).

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]


Re: [c-nsp] 32bit ASNs on 12.0S

2007-08-31 Thread Marco Huggenberger
Hi Folks

2007/8/31, Gert Doering [EMAIL PROTECTED]:
 It doesn't (and neither does any other IOS version publicly available).
 Rumors say that 32 bit ASN support will appear early next year.
 (IOS XR *does* have 32-bit ASN, as far as I have been told).

Status for ASN Integration in different hardware/software can be found
on the experiment report from SwissIX ASN32 Project [1]

IOS will support it starting at 12.5.T Early to late 2008 [2] and IOS
XR it's already implemented [3]

Cheers

Marco


[1] http://www.swissix.ch/asn32/
[2] http://www.swissix.ch/asn32/doku.php?id=ios
[3] http://www.swissix.ch/asn32/doku.php?id=ios_xr


[c-nsp] 6500 IOS SLB and 'log' keyword?

2007-08-31 Thread Mark Tohill
Hello,
 
We are running modular 12.2(18)SXF4 ADVANCEDIP on 2 x 6509-E (single
Sup720/MSFC3/PFC3).

We would like to implement IOS SLB (no CSM, as yet).

!
ip slb serverfarm WEB
 nat server
 real 192.168.30.11
  weight 1
  inservice
!
!
ip slb vserver WEB-WWW
 virtual 192.168.16.239 tcp www
 serverfarm WEB
 inservice
!

!
interface Vlan226
 description client
 ip address 192.168.26.60 255.255.255.128
 ip access-group VLAN226_OUTBOUND out
 omitted...
!
!

The real servers in VLAN 600 (192.168.30.0/27) are behind the FWSM:
!
firewall module 6 vlan-group 1
firewall vlan-group 1 <remaining vlans omitted>,600
!
! next hop below is annotated "FWSM" in the original post
ip route 192.168.30.0 255.255.255.224 192.168.1.196
!

We have found that we can SLB to the VIP, 192.168.16.239, from any VLAN
configured on the MSFC, for example, VLAN 226 but only when we remove
the ACL from VLAN226, VLAN226_OUTBOUND, or insert a 'log' statement
somewhere into the ACL. A snippet of this ACL:

remark .
remark ** Established TCP
permit tcp any any established
...output omitted...
remark ** SLB workaround
deny   tcp any gt 1023 any log
remark ** DENY everything else ...
deny   ip any any

May this have anything to do with 'log' matches being punted to the
MSFC?
 
Also, a 'show fm summary' outputs:
 
Interface: Vlan226 is up
  TCAM screening for features: ACTIVE inbound
  TCAM screening for features: ACTIVE outbound
 
This is despite the fact that I don't have an inbound ACL configured on
that SVI.
Weird? What's going on?
 
Thanks,
Mark
 
Mark Tohill
UTV Internet
T:+44 (0)28 90 262196
M:+44 (0)7786 278716
E:[EMAIL PROTECTED]
 


Re: [c-nsp] Cisco IP SLA - DHCP and VRFs

2007-08-31 Thread Peter Hicks
All,

Peter Hicks wrote:

 I'm attempting to use IP SLA on an 877W with IOS 12.4(11)XJ3 to run DHCP
 requests from a specific VRF.  I'm setting rttMonEchoAdminVrfName to the
 correct VRF, but when performing a set operation, I get NOSUCHINSTANCE
 returned.

I found the issue.  Not all the SLA probes are VRF-capable[1].


Peter

[1] http://www.cisco.com/en/US/tech/tk648/tk362/technologies_white_paper09186a00802d5efe.shtml

-- 
Peter Hicks | e: [EMAIL PROTECTED] | g: 0xE7C839F4 | w: www.poggs.com

   A: Because it destroys the flow of the conversation
   Q: Why is top-posting bad?


[c-nsp] GSR 12008 temp issue

2007-08-31 Thread Chris Lane
Hello
We have a GSR12008 and we just inserted a single 3 port GigE card. Since
insertion I keep getting this error
%ENV_MON-2-TEMP: Hotpoint temp sensor(slot 2) temperature has reached
CRITICAL level at 70(C)
I have searched the docs and they all point to this:

Error Message

%ENV_MON-2-TEMP : [chars] temperature has reached [chars] level at [dec](C)

Explanation: The temperature sensor specified has reached a warning or
critical level and has reached or exceeded a condition that is outside its
acceptable range.

Recommended Action: Attempt to resolve the temperature problem. If the
problem cannot be resolved, contact your Cisco technical support
representative for assistance.

here is the environmental output
cr.nyc2.ny# show environment temperatures
Slot #  Hot Sensor  Inlet Sensor
        (deg C)     (deg C)
1       55.5        41.5
2       71.0        41.0
3       59.5        44.5
4       59.0        45.5
6       56.5        43.0
7       53.0        42.5

Does anyone have a suggestion?

Thanks
Chris Lane


-- 
//CL


Re: [c-nsp] GSR 12008 temp issue

2007-08-31 Thread Matt Addison
Check your AC? 40 degree inlet temperature is kind of disturbing...

-- 8 --
Issue 1: GSR 12008 Cooling

If the ambient (room) air temperature is above 40° C (104° F), some existing 
Cisco GSR 12008s may not be able to adequately cool themselves. This is true 
regardless of the Cisco GSR 12008 configuration (types and numbers of cards, AC 
or DC power, and so on). Cisco normally certifies its equipment up to 50° C 
(122° F). Ambient air temperature above 40° C is most likely to be associated with 
an air conditioning equipment failure affecting the entire room or building. If 
ambient air temperature remains below 40° C, the Cisco GSR 12008 is able to 
adequately cool itself regardless of configuration.
-- 8 --

http://www.cisco.com/en/US/products/hw/routers/ps167/products_field_notice09186a0080094886.shtml

~Matt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Lane
Sent: Friday, August 31, 2007 8:32 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] GSR 12008 temp issue

Hello
We have a GSR12008 and we just inserted a single 3 port GigE card. Since
insertion I keep getting this error
%ENV_MON-2-TEMP: Hotpoint temp sensor(slot 2) temperature has reached
CRITICAL level at 70(C)
I have searched the docs and they all point to this:

Error Message

%ENV_MON-2-TEMP : [chars] temperature has reached [chars] level at [dec](C)

Explanation: The temperature sensor specified has reached a warning or
critical level and has reached or exceeded a condition that is outside its
acceptable range.

Recommended Action: Attempt to resolve the temperature problem. If the
problem cannot be resolved, contact your Cisco technical support
representative for assistance.

here is the environmental output
cr.nyc2.ny# show environment temperatures
Slot #  Hot Sensor  Inlet Sensor
        (deg C)     (deg C)
1       55.5        41.5
2       71.0        41.0
3       59.5        44.5
4       59.0        45.5
6       56.5        43.0
7       53.0        42.5

Does anyone have a suggestion?

Thanks
Chris Lane


-- 
//CL


Re: [c-nsp] 7204vxr freeze-up question

2007-08-31 Thread Rodney Dunn
You did  a sh controller for 3/0 but your 'sh int' was from
2/0.

It's hard to know all those controller counters without going
and looking at the code for that driver.

But, suffice to say that the interface should never lock
up and have to be bounced to forward traffic or receive traffic.
If it does it's a bug.

Now, also have to make sure the bounce isn't causing some
other device to clear and not this one.

I'd suggest capturing a 'sh controller' before a couple of times
and then after we think it's hung. Capture it multiple times
after.

Was this in a lab?
Can you trigger it every time?

Rodney



On Wed, Aug 22, 2007 at 02:43:56PM -0400, Adam Greene wrote:
 Here's output from a sh controller during the outage state:
 
 Interface GigabitEthernet3/0(idb 0x6363B6DC)
 Hardware is WISEMAN 2.1, network connection mode is auto
   network link is up
   loopback type is none
   startup time: 176602 usec
   GBIC type is 1000BaseSX
   idb-lc_ip_turbo_fs=0x606372F4, ip_routecache=0x11(dfs=0/mdfs=0), max_mtu=1528
   fx1000_ds(tx)=0x6363CE6C(0x6363CE6C), registers(tx)=0x3D80(0x3D80), curr_intr=0
   rx cache size=2000, rx cache end=1872, rx_nobuffer=0
  FX1000 registers:
   CTRL  =0x18180005, STATUS=0x000F
   FCAL  =0x00C28001, FCAH  =0x0100, FCT   =0x8808, FCTTV =0x16E3
   RCTL  =0x00428032, RDBAL0=0x2000B000, RDBAH0=0x, RDLEN0=0x0800
   RDH0  =0x0038, RDT0  =0x0037, RDTR0 =0x, IMS   =0x02D6
   TCTL  =0x000400FA, TIPG  =0x00A0080A, TQC   =0x, TDBAL =0x2000C000
   TDBAH =0x, TDLEN =0x1000, TDH   =0x00BA, TDT   =0x00BA
   TXCW  =0xC1A0, RXCW  =0xCC0041A0, FCRTL =0x80001200, FCRTH =0xAFF0
   RDFH  =0x14D7, RDFT  =0x14D7, TDFH  =0x03A7, TDFT  =0x03A7
   RX=normal, enabled  TX=normal, enabled
   Device status=full-duplex, link up, tx clock, rx clock
   AN status=done(RF:0 , PAUSE:3 ), SYNC'ed, rx idle stream, rx invalid symbols, rx idle char
  GBIC registers:
   Register 0x00:   01  07  01  00  00  00  01  00
   Register 0x08:   00  00  00  01  0D  00  00  00
   Register 0x10:   32  16  00  00  41  47  49  4C
   Register 0x18:   45  4E  54  20  20  20  20  20
   Register 0x20:   20  20  20  20  00  00  00  00
   Register 0x28:   51  46  42  52  2D  35  36  38
   Register 0x30:   39  20  20  20  20  20  20  20
   Register 0x38:   30  30  30  30  00  00  00  58
   Register 0x40:   00  1A  00  00  30  31  31  30
   Register 0x48:   31  36  30  38  32  36  34  31
   Register 0x50:   38  36  34  35  30  31  31  30
   Register 0x58:   31  36  30  30  00  00  00  D8
   PartNumber: QFBR-5689
   PartRev: F
   SerialNo: 0110160826418645
   Options:  0
   Length(9um/50um/62.5um): 000/500/220
   Date Code: 01101600
   Gigabit Ethernet Codes:  1
  PCI configuration registers:
   bus_no=6, device_no=0
   DeviceID=0x1000, VendorID=0x8086, Command=0x0116, Status=0x0200
   Class=0x02/0x00/0x00, Revision=0x03, LatencyTimer=0xFC, CacheLineSize=0x10
   BaseAddr0=0x4904, BaseAddr1=0x, MaxLat=0x00, MinGnt=0xFF
   SubsysDeviceID=0x1000, SubsysVendorID=0x8086
   Cap_Ptr=0x  Retry/TRDY Timeout=0x
   PMC=0x00210001  PMCSR=0x
  Software MAC address filter(hash:length/addr/mask/hits):
  need_af_check = 0
   0x00:  0  ..  .. 0
   0xC0:  0  0100.0ccc.  .. 0
   0xD0:  0  0007.8420.e854  .. 0
  FX1000(type=0x98) Internal Statistics:
   rxring(128)=0x2000B000, shadow=0x6363D310, head=56, rx_buf_size=512
   txring(256)=0x2000C000, shadow=0x6363D53C, head=186, tail=186
   tx_int_txdw=0, tx_int_txqe=0, rx_int_rxdmt0=0, rx_int_rxt0=0
   tx_count=0, txring_full=0, rx_max=0, filtered_pak=0
   rx_overrun=0, rx_seq=0, reg_read=0, reg_write=0
   rx_count=128, throttled=1, enabled=1, disabled=1
   rx_no_enp=0, rx_discard=0, link_reset=0, pci_rev=3
   tbl_overflow=0, chip_state=2, tx_nonint_done=0, tx_limited=0
   reset=5(init=0, check=0, restart=4, pci=0), auto_restart=1
   tx_carrier_loss=1, fatal_tx_err=0, tx_stucks_count=1
   isl_err=0, wait_for_last_tdt=0, ctrl=1885, ctrl0=1895
   rx_stucks_count=2, rdtr_fpd=3
  HW addr filter: 0x6363DD68, ISL disabled, Promiscuous mode multicast
   Entry= 0:  Addr=0007.8420.E854
   Entry= 1:  Addr=..
   Entry= 2:  Addr=..
   Entry= 3:  Addr=..
   Entry= 4:  Addr=..
   Entry= 5:  Addr=..
   Entry= 6:  Addr=..
   Entry= 7:  Addr=..
   Entry= 8:  Addr=..
   Entry= 9:  Addr=..
   Entry=10:  Addr=..
   Entry=11:  Addr=..
   Entry=12:  Addr=..
   Entry=13:  Addr=..
   Entry=14:  Addr=..
   Entry=15:  Addr=..
 FX1000 Statistics (PA3)
   CRC error0 Symbol error 0
   Missed Packets   0 Single Collision 0
   Excessive Coll   0 Multiple Coll0
   Late Coll0  

Re: [c-nsp] BGP path preference

2007-08-31 Thread Niels Bakker
* [EMAIL PROTECTED] (Jon Lewis) [Thu 30 Aug 2007, 17:13 CEST]:
On Wed, 29 Aug 2007, Andy Dills wrote:
 Don't forget that you can prepend incoming announcements as well as 
 outgoing announcements.

This is what I'd do (and have done before) to even things out.  Some would 
argue that when prepending received routes in a route-map, you should 
prepend with your own ASN.

Once you pass that route to an iBGP speaker, it'll drop it as it sees 
its own ASN in the path


-- Niels.

-- 


Re: [c-nsp] BGP path preference

2007-08-31 Thread Oliver Boehmer (oboehmer)
Niels Bakker  wrote on Friday, August 31, 2007 3:22 PM:

 * [EMAIL PROTECTED] (Jon Lewis) [Thu 30 Aug 2007, 17:13 CEST]:
 On Wed, 29 Aug 2007, Andy Dills wrote:
 Don't forget that you can prepend incoming announcements as well as
 outgoing announcements.
 
 This is what I'd do (and have done before) to even things out.  Some
 would argue that when prepending received routes in a route-map, you
 should prepend with your own ASN.
 
 Once you pass that route to an iBGP speaker, it'll drop it as it sees
 its own ASN in the path
 

well, IOS only performs the loop check when receiving paths from
external neighbors. But you would set the as-path prepend on your
outbound external sessions, little need of doing this within your AS,
usually..

oli


Re: [c-nsp] GSR 12008 temp issue

2007-08-31 Thread Pierfrancesco Caci
:- Chris == Chris Lane [EMAIL PROTECTED] writes:

 cr.nyc2.ny# show environment temperatures
 Slot #  Hot Sensor  Inlet Sensor
         (deg C)     (deg C)
 1       55.5        41.5
 2       71.0        41.0
 3       59.5        44.5
 4       59.0        45.5
 6       56.5        43.0
 7       53.0        42.5

 Does anyone have a suggestion?


Your inlet temperatures are too high to start with. Start by cleaning
your filters, then talk with your colo provider to get more
airconditioning. 





-- 


---
 Pierfrancesco Caci | Network  System Administrator - INOC-DBA: 6762*PFC
 [EMAIL PROTECTED] | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/
Linux clarabella 2.6.12-10-686-smp #1 SMP Fri Sep 15 16:47:57 UTC 2006 i686 
GNU/Linux



Re: [c-nsp] 7204vxr freeze-up question

2007-08-31 Thread Adam Greene
Rodney,

Thanks. I appreciate the follow-up.

The show int was from g2/0 because it was originally freezing up while the 
card was in that slot. We moved it to g3/0 and it kept on freezing up. I 
took the show controller reading after we had moved it to that slot.

I can consistently trigger this error by performing the load test for about 
90 seconds or longer (enough time for traffic to build up to pretty high 
levels).

I have not been able to upgrade the router to 12.4(16) yet because I don't 
have a large enough flash card for the image. I still think that will be a 
good test.

Unfortunately, the router is in production, which limits my ability to 
perform testing. However, since the router was recently acquired, I have 
gotten a replacement 7204VXR from the vendor and will do some tests with 
that to see if the problem duplicates itself.

As soon as I have more results to share, I will.

Best regards,
Adam


----- Original Message -----
From: Rodney Dunn [EMAIL PROTECTED]
To: Adam Greene [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Friday, August 31, 2007 9:23 AM
Subject: Re: [c-nsp] 7204vxr freeze-up question


 You did  a sh controller for 3/0 but your 'sh int' was from
 2/0.

 It's hard to know all those controller counters without going
 and looking at the code for that driver.

 But, suffice to say that the interface should never lock
 up and have to be bounced to forward traffic or receive traffic.
 If it does it's a bug.

 Now, also have to make sure the bounce isn't causing some
 other device to clear and not this one.

 I'd suggest capturing a 'sh controller' before a couple of times
 and then after we think it's hung. Capture it multiple times
 after.

 Was this in a lab?
 Can you trigger it every time?

 Rodney



 On Wed, Aug 22, 2007 at 02:43:56PM -0400, Adam Greene wrote:
 Here's output from a sh controller during the outage state:


Re: [c-nsp] Debugging LFI fragmentation

2007-08-31 Thread Leonardo Souza
Comments inline...

Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:
Leonardo Souza wrote on Thursday, August 30, 2007 8:53 PM:

 Correct.
 I sent ping packets with 1500 bytes.
 My problem is that on the other side, I see no debug output for MLP
 (events, fragments etc...). By the way, it's a C10K.
 It seems a bug. I don't know...

As the 10k processes the traffic in hardware, I don't think you can see them 
using these debug commands. 
   
  Does it happen only for MLP?
  So I can suppose if I issue a debug ip packet I won't see anything as well.
  
You could monitor the packet counters on the interfaces involved, i.e. if you 
send 1000 packets, you should see a 1000 packets on the bundle master, and 1000 
packets on each of the bundle members (i.e. 2000 total on the bundle members). 
This would show you that fragmentation is working. Which PRE are you using? I 
think the PRE1 doesn't support MLP fragmentation (at least it didn't when I 
worked with this platform a few years ago).

  I am using a PRE2.
  
oli

  Thanks for the useful information.



Re: [c-nsp] Debugging LFI fragmentation

2007-08-31 Thread Oliver Boehmer (oboehmer)
Leonardo Souza  wrote on Friday, August 31, 2007 4:59 PM:

 Comments inline...
 
 Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:
 Leonardo Souza wrote on Thursday, August 30, 2007 8:53 PM:
 
 Correct.
 I sent ping packets with 1500 bytes.
 My problem is that on the other side, I see no debug output for MLP
 (events, fragments etc...). By the way, it's a C10K.
 It seems a bug. I don't know...
 
 As the 10k processes the traffic in hardware, I don't think you can
 see them using these debug commands. 
 
   Does it happen only for MLP?
   So I can suppose if I issue a debug ip packet I won't see
 anything as well. 

guess you will only see traffic sent from or to the RP itself (much like on 
other platforms). debug ip packet generally only shows process-switched 
packets (at least in all but very recent IOS').

 
 You could monitor the packet counters on the interfaces involved,
 i.e. if you send 1000 packets, you should see a 1000 packets on the
 bundle master, and 1000 packets on each of the bundle members (i.e.
 2000 total on the bundle members). This would show you that
 fragmentation is working. Which PRE are you using? I think the PRE1
 doesn't support MLP fragmentation (at least it didn't when I worked
 with this platform a few years ago).  
 
   I am using a PRE2.

PRE2 is ok, I recall..

oli


Re: [c-nsp] BGP hardware requirements

2007-08-31 Thread Hyunseog Ryu
I agree with Mark's assessment for memory upgrade.
If you are concerned about cost, you can find third party memory from
Kingston or some other well-known manufacturers.
It is a good idea to upgrade memory to max, so you don't have to shut down
the router to upgrade it again.
Also, BGP may use lots of memory with BGP prefix number increase, and/or
sudden BGP routing leakage from public Internet.
So it's good to have memory upgrade to max when you have a chance.

Hyun


Mark Tinka wrote:
 On Thursday 30 August 2007 17:51, Dracul wrote:

   
 1. My 2851 is already ok for 2x 2MB link BGP
 

 Right.

   
 2. I need to upgrade my 256MB memory to 512 MB
 

 I would say take the full 1GB. It's always best to max. out 
 the memory on the routers so you have one less problem to 
 worry about, especially if the price differential between 50% 
 and 100% capacity is minimal.

   
 3. I need to replace my IOS to support a higher feature of
 BGP possibly this:
 ADVANCED ENTERPRISE SERVICES
 c2800nm-adventerprisek9-mz.124-16.bin
 http://tools.cisco.com/ITDIT/CFN/Dispatch?act=featureimageid=840591platformFamily=268featureSet=6featureSelected=93,74,89,102availSoftwares=IOS
 

 Right, would be best.

   
 are my assumptions correct? By the way there would be no
 issues if the links are transported through v.35
 or fastethernet from the ISPs right?
 

 Nope; as long as there are no link errors and the links are 
 up :-).

 Cheers,

 Mark.
   
 



[c-nsp] Error Msgs

2007-08-31 Thread Paul Stewart
Hi there...

Cisco 3825 showing the following errors - looking for input...

Aug 31 13:13:36: %SYS-4-CHUNKMALLOCFAIL: Could not allocate chunks for CEF:
arp throt
Total free: 0, Total inuse: 500, Cause : Not a dynamic chunk
 -Process= interrupt level, ipl= 1, pid= 87 -Traceback= 0x612B36C4
0x6002CA54 0x6002CAB8 0x615F1CD0 0x6005E8D8 0x60057CD0 0x60A15770 0x60A18448
0x602CD374 0x60AFD9B8
Aug 31 13:15:35: %SYS-4-CHUNKMALLOCFAIL: Could not allocate chunks for CEF:
arp throt
Total free: 0, Total inuse: 500, Cause : Not a dynamic chunk
 -Process= interrupt level, ipl= 1, pid= 87 -Traceback= 0x612B36C4
0x6002CA54 0x6002CAB8 0x615F1CD0 0x6005E8D8 0x60057CD0 0x60A15770 0x60A18448
0x602CD374 0x60AFD9B8
Aug 31 13:19:19: %SYS-4-CHUNKMALLOCFAIL: Could not allocate chunks for CEF:
arp throt
Total free: 0, Total inuse: 500, Cause : Not a dynamic chunk
 -Process= interrupt level, ipl= 1, pid= 87 -Traceback= 0x612B36C4
0x6002CA54 0x6002CAB8 0x615F1CD0 0x6005E8D8 0x60057CD0 0x60A15770 0x60A18448
0x602CD374 0x60AFD9B8



A Google and cisco.com search came up with nothing

Thanks,

Paul



Re: [c-nsp] Error Msgs

2007-08-31 Thread Justin M. Streiner
How much free memory do you have and what is the size of the largest 
block of it?  malloc() fails typically show up when the router is very low 
on free memory or the free memory is so fragmented that IOS has trouble 
allocating new chunks when requested.

jms
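
As an added example (not part of the thread), the two questions above can be answered from the summary rows of `show memory statistics`: the Python below parses constructed output and flags a pool that is low on free memory or whose largest free block is small relative to its free total. The choice of command, the sample numbers and both thresholds are assumptions.

```python
import re

# Constructed 'show memory statistics' summary rows; all numbers are made up.
SAMPLE_OUTPUT = """\
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   64D9A2C0   187063616   181820416     5243200      310272      262144
      I/O    E800000    25165824     5653160    19512664    19452976    19498652
"""

# Pool name, head address (hex), then five decimal byte counters.
ROW_RE = re.compile(r"^\s*(\S+)\s+[0-9A-Fa-f]+((?:\s+\d+){5})\s*$")
FIELDS = ("total", "used", "free", "lowest", "largest")


def parse_pools(output):
    """Return {pool_name: {field: bytes}} for each summary row."""
    pools = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            pools[m.group(1)] = dict(zip(FIELDS, map(int, m.group(2).split())))
    return pools


def assess(pool, min_free_pct=5.0, min_largest_ratio=0.25):
    """Return the problems found for one pool.

    Both thresholds are assumed values for illustration, not vendor guidance.
    """
    problems = []
    free_pct = 100.0 * pool["free"] / pool["total"]
    if free_pct < min_free_pct:
        problems.append("low free memory")
    # A largest block far smaller than the free total means the free
    # memory is split into many small pieces.
    if pool["free"] and pool["largest"] / pool["free"] < min_largest_ratio:
        problems.append("fragmented free memory")
    return problems


def report(output):
    """Map each pool name to its list of problems."""
    return {name: assess(p) for name, p in parse_pools(output).items()}
```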



Re: [c-nsp] BGP/private and public ASN mix trick

2007-08-31 Thread David Prall
64001 is not a Private AS, you need to use 64512 to 65535. Then use
remove-private-as on external connections.

David

--
http://dcp.dcptech.com
  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Nick Kraal
 Sent: Saturday, August 25, 2007 10:38 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] BGP/private and public ASN mix trick
 
 Dear all,
 
 I have a tricky/creative arrangement here to provide to a customer.
 
 [1] The customer has their own prefixes [a.b.c.d/20], but no ASN.
 [2] We plan to run private BGP with the customer to receive this
  prefix, and for us to announce the global routing table.
 [3] Objective is to then announce this prefix as originating from AS111
  to all AS111 public BGP peers.
 [4] Sample configuration at the end of this e-mail. Any potential traps
  here?
 [5] Prefix list [TUN-CUST-CIDR-BLOCK] is then used in route-maps with
  other BGP peers. Are removing private-as and the inbound route-map
  sufficient for BGP to pick this prefix up and announce it as AS111?
 
 Thanks in advance,
 
 -nick/
 ==
 Current configuration:
 
 router bgp 111
   neighbor 200.100.1.10 remote-as 64001
 !
 address-family ipv4
 neighbor 203.100.1.10 activate
 neighbor 203.100.1.10 next-hop-self
 neighbor 203.100.1.10 remove-private-as
 neighbor 200.100.1.10 soft-reconfiguration inbound
 neighbor 200.100.1.10 route-map TUN-CUST-FILTER-IN in
 neighbor 200.100.1.10 route-map TUN-CUST-FILTER-OUT out
 !
 route-map TUN-CUST-FILTER-IN permit 5
   match ip address TUN-CUST-CIDR-BLOCK
   set origin igp
 !
 route-map TUN-CUST-FILTER-OUT permit 10
   match as-path 75
 !
 ip prefix-list TUN-CUST-CIDR-BLOCK seq 5 permit a.b.c.d/20
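
An added example, not part of either poster's message: a small Python lint that applies the point made in the reply (a session meant to use a private AS needs an AS number in 64512 to 65535) to the neighbor lines of the quoted configuration, and also reports neighbors that are configured without a `remote-as` line. `lint_bgp` and its arguments are hypothetical names, and the second check assumes no peer groups are in use.

```python
import re

# Private AS range exactly as stated in the reply above.
PRIVATE_AS = range(64512, 65536)

# Constructed copy of the neighbor lines from the configuration quoted in the thread.
SAMPLE_CONFIG = """\
router bgp 111
 neighbor 200.100.1.10 remote-as 64001
 address-family ipv4
 neighbor 203.100.1.10 activate
 neighbor 203.100.1.10 next-hop-self
 neighbor 203.100.1.10 remove-private-as
 neighbor 200.100.1.10 soft-reconfiguration inbound
 neighbor 200.100.1.10 route-map TUN-CUST-FILTER-IN in
 neighbor 200.100.1.10 route-map TUN-CUST-FILTER-OUT out
"""

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(.+?)\s*$")


def lint_bgp(config, private_peers):
    """Return findings for one 'router bgp' stanza.

    private_peers: neighbor addresses that are meant to use a private AS.
    Peer groups are not handled (hypothetical helper, simplified).
    """
    remote_as = {}   # neighbor -> AS number from its remote-as line
    other = {}       # neighbor -> first non-remote-as command seen
    for line in config.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        peer, rest = m.groups()
        if rest.startswith("remote-as "):
            remote_as[peer] = int(rest.split()[1])
        else:
            other.setdefault(peer, rest)

    findings = []
    for peer in private_peers:
        asn = remote_as.get(peer)
        if asn is not None and asn not in PRIVATE_AS:
            findings.append(f"{peer}: AS {asn} is outside 64512-65535")
    for peer, cmd in other.items():
        if peer not in remote_as:
            findings.append(f"{peer}: '{cmd}' but no remote-as line")
    return findings
```

Calling `lint_bgp(SAMPLE_CONFIG, ["200.100.1.10"])` reports both the 64001 session and the 203.100.1.10 neighbor that is never given a `remote-as`.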
 


Re: [c-nsp] Debugging LFI fragmentation

2007-08-31 Thread Leonardo Souza
I realize now, that's ok.
  I'll do a test, configuring an access-list x.x.x.x log-input to punt these 
packets to RP.
  Maybe it works.
   
  Regards.
  
 



[c-nsp] protecting cisco switches

2007-08-31 Thread Mark Messier
A site I manage has top-of-rack HP switches redundantly connected to
two cisco 4948 switches, and those 4948 switches are interconnected
with a trunk.  Every now and then an HP switch appears to do something
stupid and this impacts the cisco switches, sometimes fatally.  This
can happen with no one stirring the pot.

The last event was a bunch of %C4K_EBM-4-HOSTFLAPPING which crushed
the c4948 in short order.  This happened with no concurrent human
activity... the offending loop (yes, there was a loop, different than
the desired redundancy loop described above) was installed about ten
days prior.

What can I do on the cisco switches to protect them
and yet still leave them functional enough to achieve
the desired redundancy?   (and I'm not looking for social
engineering solutions)

Thanks,
-mark
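
An added example, not part of the original post: when a burst of `%C4K_EBM-4-HOSTFLAPPING` messages like the one described above arrives, grouping them by port pair shows which two ports the loop sits between. The log lines are constructed in that message's format, and `rank_port_pairs`, `likely_loops` and the `min_macs` threshold are hypothetical names and values.

```python
import re
from collections import defaultdict

# Constructed sample in the %C4K_EBM-4-HOSTFLAPPING message format;
# the MAC addresses, VLANs and ports are made up.
SAMPLE_LOG = """\
Aug 31 12:00:01: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:01 in vlan 10 is flapping between port Gi1/1 and port Gi1/2
Aug 31 12:00:01: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:02 in vlan 10 is flapping between port Gi1/2 and port Gi1/1
Aug 31 12:00:02: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:03 in vlan 20 is flapping between port Gi1/1 and port Gi1/2
Aug 31 12:00:02: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:01 in vlan 10 is flapping between port Gi1/1 and port Gi1/2
Aug 31 12:05:40: %C4K_EBM-4-HOSTFLAPPING: Host 00:AA:BB:CC:DD:99 in vlan 30 is flapping between port Gi1/5 and port Gi1/6
Aug 31 12:06:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/7, changed state to up
"""

FLAP_RE = re.compile(
    r"%C4K_EBM-4-HOSTFLAPPING: Host (\S+) in vlan (\d+) "
    r"is flapping between port (\S+) and port (\S+)"
)


def rank_port_pairs(log_text):
    """Group flap events by unordered port pair.

    Returns [(pair, event_count, distinct_macs)], most distinct MACs first.
    """
    events = defaultdict(int)
    macs = defaultdict(set)
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if not m:
            continue
        mac, _vlan, port_a, port_b = m.groups()
        pair = tuple(sorted((port_a, port_b)))  # Gi1/1-Gi1/2 == Gi1/2-Gi1/1
        events[pair] += 1
        macs[pair].add(mac.lower())
    rows = [(pair, events[pair], len(macs[pair])) for pair in events]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


def likely_loops(log_text, min_macs=3):
    """Port pairs on which several different hosts flap.

    One moving host shows a single MAC; a layer-2 loop typically shows many.
    min_macs is an assumed threshold.
    """
    return [pair for pair, _count, n in rank_port_pairs(log_text) if n >= min_macs]
```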



Re: [c-nsp] protecting cisco switches

2007-08-31 Thread Roland Dobbins

On Aug 31, 2007, at 12:28 PM, Mark Messier wrote:

 What can I do on the cisco switches to protect them
 and yet still leave them functional enough to achieve
 the desired redundancy?

There are various layer-2 features such as Loop Guard (sounds most  
relevant to this particular issue), Root Guard, BPDU Guard, and  
Spantree Portfast which are recommended BCPs for Cisco switches.  A  
quick search on cisco.com for those phrases should find the relevant  
docs; if you've difficulty locating them, ping me 1:1 and I'll go dig  
out the URLs.

I hope this helps!

---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

   I don't sound like nobody.

-- Elvis Presley



Re: [c-nsp] FWSM blocking multicast traffic between two hosts in sameVlan?

2007-08-31 Thread David Prall
Is the FWSM your default gateway? If so you need something to act as the PIM
Router in order for IGMP Snooping to work correctly. I'm not sure if the
FWSM can do this. You could also configure your switch as an IGMP snooping
querier if no PIM Router is present.

David

--
http://dcp.dcptech.com
  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Joann Deng
 Sent: Friday, August 31, 2007 5:22 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] FWSM blocking multicast traffic between two 
 hosts in sameVlan?
 
 Hi,
 
 We have hosts in the same Vlan, which connects to FWSM
 (routed mode). These two hosts run WebLogic, which
 uses multicast address 237.155.155.2 to communicate.
 But somehow, when run ping 237.155.155.2 on one
 host, cannot see response back from the other.
 So, is it possible that FWSM is doing something fancy,
 like blocking multicast traffic, and we need to add
 some configs?
 Any input is highly appreciated.
 
 Thanks,
 
 Joann
 
 



Re: [c-nsp] BGP path preference

2007-08-31 Thread Jon Lewis
On Fri, 31 Aug 2007, Oliver Boehmer (oboehmer) wrote:

 On Wed, 29 Aug 2007, Andy Dills wrote:
 Don't forget that you can prepend incoming announcements as well as
 outgoing announcements.

 This is what I'd do (and have done before) to even things out.  Some
 would argue that when prepending received routes in a route-map, you
 should prepend with your own ASN.

 Once you pass that route to an iBGP speaker, it'll drop it as it sees
 its own ASN in the path

 well, IOS only performs the loop check when receiving paths from
 external neighbors. But you would set the as-path prepend on your
 outbound external sessions, little need of doing this within your AS,
 usually..

Not necessarily, and not in the case the original poster was trying to 
solve (prepending received routes to even things up between tier 1 and 
not quite tier 1 transits and balance outgoing traffic).

--
  Jon Lewis   |  I route
  Senior Network Engineer |  therefore you are
  Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_