Re: [c-nsp] DCEF and CPP
Hello,

I am not sure on this, but on 7500 only dCEF is supported, and dCEF runs only on the linecards, and not on the RSP. Control plane policing should take place on the RSP, which in turn doesn't have any congestion mgmt/avoidance function at all.

regards,
Gabor

Networkers wrote:
> Hi
>
> I am trying to turn on control-plane policing on a 7500 with RSP4 and VIP2/50's running 12.2(25)S12, and I have/get this:
>
> ip cef distributed
> !
> class-map match-all TrustedControlAddresses
>  match access-group 153
> !
> policy-map AllowTrustedControlAddresses
>  class TrustedControlAddresses
>   police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop
>
> router(config)#control-plane
> router(config-cp)#service input AllowTrustedControlAddresses
> service-policy is supported only on VIP interfaces with DCEF enabled
> error: failed to install policy map AllowTrustedControlAddresses
>
> I already have ip cef distributed in the config, and I did an ip route-cache dist under the fast ethernet, ATM and DS3 interfaces installed in the router. What am I missing?
>
> Thanks,
> Chris

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Invalid packet (too small) length=0
Dear Oli!

Oliver Boehmer (oboehmer) wrote:
> Nemeth Laszlo wrote on Saturday, November 17, 2007 9:47 PM:
>> I received these messages yesterday:
>>
>> Nov 16 21:57:23: Invalid packet (too small) length=0
>>
>> The router is a 7606 with Sup720-3BXL, ios: s72033-adventerprisek9_wan-mz.122-18.SXF6.bin
>>
>> Any suggestions?
>
> Hmm, could this have been an attack on your router/infrastructure or a broken NIC sending these frames? Could be tricky to analyze (if you want, you would need to set up span port and work from there, but enable no mls verify ip length minimum to actually forward these illegal packets). You can also investigate using Control plane policing to protect the RP..
>
> oli

I don't know which was the source interface, I have a lot of SVI and ethernet interfaces so I think I can't do this monitoring :(

This incident happened now so first simply, and since then not. I saw nothing on my MRTG graphs (for example: big incoming packets or other interesting things...).

I'll try this MLS command.

Thank You!

Laci
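Added example, not part of the original thread: a small Python check that counts `Invalid packet (too small)` messages in the window before each BGP session drop, the pattern the log excerpt in this thread shows. The sample lines are constructed in the quoted syslog format, the neighbor addresses are documentation placeholders, and the 60-second window, the threshold of 3 and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted in this thread. Neighbor
# addresses are documentation-range placeholders; the last line is an
# unrelated session drop added to show a non-match.
SAMPLE_LOG = """\
Nov 16 21:57:23: Invalid packet (too small) length=0
Nov 16 21:57:35: Invalid packet (too small) length=0
Nov 16 21:57:48: Invalid packet (too small) length=0
Nov 16 21:57:49: Invalid packet (too small) length=0
Nov 16 21:57:57: Invalid packet (too small) length=0
Nov 16 21:58:00 MET: %BGP-5-ADJCHANGE: neighbor 192.0.2.4 Down BGP Notification sent
Nov 16 21:58:00 MET: %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.4 4/0 (hold time expired) 0 bytes
Nov 17 03:10:12 MET: %BGP-5-ADJCHANGE: neighbor 192.0.2.9 Down Peer closed the session
"""

# "Mon DD HH:MM:SS", optional leading "*" or "." (unsynchronised clock),
# optional milliseconds, optional timezone, then ": message".
LINE_RE = re.compile(
    r"^[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
    r"(?:\.\d+)?(?: (?P<tz>[A-Z]{2,5}))?: (?P<msg>.*)$"
)
MALFORMED_RE = re.compile(r"Invalid packet \(too small\) length=\d+")
BGP_DOWN_RE = re.compile(
    r"%BGP-5-ADJCHANGE: neighbor (?P<nbr>\S+) Down\s*(?P<why>.*)"
)


def parse_line(line, year=2007):
    """Return (timestamp, message) or None if the line is not syslog-shaped.

    The log format carries no year, so one is supplied by the caller.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = " ".join(m.group("ts").split())  # collapse "Nov  6" padding
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return when, m.group("msg")


def correlate(log_text, window_s=60, min_hits=3, year=2007):
    """For each BGP session drop, count malformed-packet messages logged in
    the preceding window_s seconds and mark the drop as suspect when the
    count reaches min_hits."""
    malformed, downs = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        when, msg = parsed
        if MALFORMED_RE.search(msg):
            malformed.append(when)
            continue
        m = BGP_DOWN_RE.search(msg)
        if m:
            downs.append((when, m.group("nbr"), m.group("why").strip()))

    window = timedelta(seconds=window_s)
    findings = []
    for when, nbr, why in downs:
        hits = sum(1 for t in malformed if timedelta(0) <= when - t <= window)
        findings.append({
            "time": when,
            "neighbor": nbr,
            "reason": why,
            "malformed_before": hits,
            "suspect": hits >= min_hits,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        flag = "SUSPECT" if f["suspect"] else "ok"
        print(f'{f["time"]} {f["neighbor"]:<12} {f["malformed_before"]} '
              f'malformed in window [{flag}] {f["reason"]}')
```

A drop flagged here is a prompt to look at RP CPU and at which interface the malformed frames arrived on, not proof of cause.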
Re: [c-nsp] Weird Error Message in 'sho ver' on GSR after upgrade
Michael,

Please try issuing the test mbus clear-jam-counts [slot] command. This should clear the warnings. If they reappear, it means that you have a problem on these cards. Then you should try to reseat the cards, and if it still keeps reappearing, RMA them...

I strongly suggest you follow the whole procedure with a TAC case and direct guidance from TAC.

Arie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael K. Smith - Adhost
Sent: Thursday, November 15, 2007 11:28 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Weird Error Message in 'sho ver' on GSR after upgrade

Hello All:

I just upgraded from 12.0(28)S to 12.0(32)S8 on a 12008 and I'm now seeing this message in a show version.

WARNING: Non-zero CAN jam reset counter in slot 18
WARNING: Non-zero CAN jam reset counter in slot 19
WARNING: Non-zero CAN jam reset counter in slot 20

Those are the Switch Fabric Cards. I've searched on CCO but there's nothing that matches. Does anyone know what these mean?

Regards,
Mike
Re: [c-nsp] cisco-nsp Digest, Vol 60, Issue 60
Hi Oli,

We have a scenario as below;

              (LSR)     ( LER)
  [ A ]-------[ B ]=====[ C ]
  (LER)         |
                |
              [ D ]
             ( LER )

Following are the 2 signalled LSP's,

LSP1: A---B---C : with X bandwidth.
LSP2: D---B---C : with Y bandwidth.

These two LSP's are sharing the same link between LSR [B] and LER [c],

Now,

1: We want to guarantee LSP1 with X bandwidth, and LSP2 with Y bandwidth. At LSR [B] how this bandwidths are guaranteed? Is there any scheduler applied for this, if so, how? what exactly reservation of bandwidth means?

2: If LSP1 is not utilizing its X bandwidth, then we want LSP2 to get that bandwidth utilized.

How to implement these in Cisco Router what are the features required?

Thanks in advance,
Padma.

On Nov 19, 2007 2:17 PM, [EMAIL PROTECTED] wrote:
> Today's Topics:
>
> 1. Re: Invalid packet (too small) length=0 (Oliver Boehmer (oboehmer))
> 2. Re: OSPF summarization (Oliver Boehmer (oboehmer))
> 3. Re: QoS on 6724/6148 (Oliver Boehmer (oboehmer))
> 4. Re: same Qos on multiple vlans (Oliver Boehmer (oboehmer))
> 5. Re: WRR between LSP's (Oliver Boehmer (oboehmer))
> 6. Re: DCEF and CPP (Gabor Ivanszky)
> 7. Re: Invalid packet (too small) length=0 (Nemeth Laszlo)
> 8. Re: Invalid packet (too small) length=0 (Nemeth Laszlo)
> 9. Re: Weird Error Message in 'sho ver' on GSR after upgrade (Arie Vayner (avayner))
>
> --
> Message: 1
> Date: Mon, 19 Nov 2007 08:30:35 +0100
> From: Oliver Boehmer (oboehmer) [EMAIL PROTECTED]
> Subject: Re: [c-nsp] Invalid packet (too small) length=0
> To: Nemeth Laszlo [EMAIL PROTECTED], cisco-nsp@puck.nether.net
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=us-ascii
>
> Nemeth Laszlo wrote on Saturday, November 17, 2007 9:47 PM:
>> I received these messages yesterday:
>>
>> Nov 16 21:57:23: Invalid packet (too small) length=0
>> Nov 16 21:57:35: Invalid packet (too small) length=0
>> Nov 16 21:57:48: Invalid packet (too small) length=0
>> Nov 16 21:57:49: Invalid packet (too small) length=0
>> Nov 16 21:57:57: Invalid packet (too small) length=0
>> Nov 16 21:58:00 MET: %BGP-5-ADJCHANGE: neighbor xxx.xxx.xxx.4 Down BGP Notification sent
>> Nov 16 21:58:00 MET: %BGP-3-NOTIFICATION: sent to neighbor xxx.xxx.xxx.4 4/0 (hold time expired) 0 bytes
>> [..]
>>
>> The cpu usage went up to 100% a couple of seconds, and the router lost some BGP peers.
>>
>> The router is a 7606 with Sup720-3BXL, ios: s72033-adventerprisek9_wan-mz.122-18.SXF6.bin
>>
>> Any suggestions?
>
> Hmm, could this have been an attack on your router/infrastructure or a broken NIC sending these frames? Could be tricky to analyze (if you want, you would need to set up span port and work from there, but enable no mls verify ip length minimum to actually forward these illegal packets). You can also investigate using Control plane policing to protect the RP..
>
> oli
>
> --
> Message: 2
> Date: Mon, 19 Nov 2007 08:34:33 +0100
> From: Oliver Boehmer (oboehmer) [EMAIL PROTECTED]
> Subject: Re: [c-nsp] OSPF summarization
> To: Michael Malitsky [EMAIL PROTECTED], cisco-nsp@puck.nether.net
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=us-ascii
>
> Michael Malitsky wrote on Monday, November 19, 2007 2:04 AM:
>> Hello,
>>
>> Looking for help with summarizing routes in OSPF. I have a VPN headend which populates a bunch of host routes into OSPF. The routes are contiguous, so I want to aggregate them. The headend itself lacks such functionality, so I am trying to do this on the next OSPF-capable device, which is a PIX v.7.2(2)23. PIX and VPN headend are in area 1, everything else is area 0. On the PIX the host routes show up as O E2 - OSPF external type 2.
>>
>> I've tried configuring an interarea summary:
>> area 0 range 192.168.3.0 255.255.255.0
>> That doesn't seem to do anything at all.
>>
>> I've also tried an external summary:
>> summary-address 192.168.3.0 255.255.255.0
>> Also does nothing.
>
> you can only summarize external routes on the ASBR. Depending on the topology, you could split the OSPF domain in two and use two different OSPF processes, redistributing between each other. But I would only consider this if the pain is too high. How many externals do you inject?
>
> oli
Re: [c-nsp] WRR between LSP's
Padmavathi Chilukoori wrote on Monday, November 19, 2007 1:16 PM:
> Hi Oli,
>
> We have a scenario as below;
>
>               (LSR)     ( LER)
>   [ A ]-------[ B ]=====[ C ]
>   (LER)         |
>                 |
>               [ D ]
>              ( LER )
>
> Following are the 2 signalled LSP's,
>
> LSP1: A---B---C : with X bandwidth.
> LSP2: D---B---C : with Y bandwidth.
>
> These two LSP's are sharing the same link between LSR [B] and LER [c],
>
> Now,
>
> 1: We want to guarantee LSP1 with X bandwidth, and LSP2 with Y bandwidth. At LSR [B] how this bandwidths are guaranteed? Is there any scheduler applied for this, if so, how? what exactly reservation of bandwidth means?
>
> 2: If LSP1 is not utilizing its X bandwidth, then we want LSP2 to get that bandwidth utilized.
>
> How to implement these in Cisco Router what are the features required?

Ah, now I understand. Well, RSVP TE is a pure signalling protocol. We will perform admission control based on reserved bandwidth, but we will not enforce the BW reservation using any Per-Hop Behaviour (i.e. no queues will actually be programmed). This is still a DiffServ QoS architecture, so you will need to work with regular MPLS QoS with EXP-bits and see how you can implement this on the intermediate hops.

oli
[c-nsp] Basic QoS/Rate limiting
Is there an easy way on a 2800 to enforce per client speed limits for ethernet connected clients? Ideally I would like to control them to X kbps down and Y kbps up. The switches the clients are connected to don't have any rate limiting capability.

If this isn't possible is there a simple way to enforce some fairness per client?

dave
[c-nsp] OSPF, summarization, areas etc.
Hi guys

Before I go back to books and try to find out this hard way, I'm hoping someone can jump for help, and support my laziness :)

Due to some legacy reasons we had pretty bad OSPF setup here. Now I finally started to move things further, but I have few problems. Or maybe they are not problems, but just misunderstanding.

Until recently we had all our network in one single area (not area 0). Now I moved our backbone to area 0, while keeping most of spokes in old area (area 100). I will be moving these spokes to different areas later on, but I would like to clarify few things first.

So currently our config looks like this:

router A -- area 100 - Router B - area 0 - Router C - area 200 - Router D
router E -- area 100 - |

Now my question. I understood all this so, that on Router D (in area 200) I wouldn't see all subnets in area 100, but summarized networks or even no area 100 networks. Obviously I'm wrong, or I'm doing something wrong, since I still see same amount of routes on router D as I did before, when whole network was in same area (area 100), even if I do summarization on Router B for networks behind Router A and/or E.

If I'm just doing something wrong, then I would appreciate any suggestion how to limit routes to same area only, and preferably keep only routes of area 200 and default route on Router D.

Just for info, because I think it does matter. All routes are inserted into OSPF from static or connected routes on end routers.

PS: Config for OSPF is really simple standard thing...

router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 network x.x.x.x 0.0.0.0 area 0
 network y.y.y.y 0.0.0.0 area 100
 network z.z.z.z 0.0.0.0 area 100
!
!

and for summarization on router B

 area 100 range 10.10.0. 255.255.0.0

Thanks for help in advance

Have fun,
Primoz Jeroncic
Support - IP Connectivity Routing
---
Softnet d.o.o.   tel: +386 1 562 31 40   |
Borovec 2        fax: +386 1 562 18 55   | 1 + 1 = 3
1236 Trzin       primoz(at)softnet.si    | for larger values of 1
Slovenija        http://flea.softnet.si/
---
Re: [c-nsp] OSPF, summarization, areas etc.
On Mon, 19 Nov 2007, Primoz Jeroncic wrote:
> Until recently we had all our network in one single area (not area 0). Now I moved our backbone to area 0, while keeping most of spokes in old area (area 100). I will be moving these spokes to different areas later on, but I would like to clarify few things first.
>
> So currently our config looks like this:
>
> router A -- area 100 - Router B - area 0 - Router C - area 200 - Router D
> router E -- area 100 - |
>
> Now my question. I understood all this so, that on Router D (in area 200) I wouldn't see all subnets in area 100, but summarized networks or even no area 100 networks. Obviously I'm wrong, or I'm doing something wrong, since I still see same amount of routes on router D as I did before, when whole network was in same area (area 100), even if I do summarization on Router B for networks behind Router A and/or E.
>
> PS: Config for OSPF is really simple standard thing...
>
> router ospf 1
>  log-adjacency-changes
>  redistribute connected subnets
>  redistribute static subnets
>  network x.x.x.x 0.0.0.0 area 0
>  network y.y.y.y 0.0.0.0 area 100
>  network z.z.z.z 0.0.0.0 area 100
> !
> !
>
> and for summarization on router B
>
>  area 100 range 10.10.0. 255.255.0.0

Assuming most of your network's routes come from redistribution of static and connected, these are type 2 external routes and will be sent into all regular areas. Summarization of these types of routes can only be done on the routers that redistribute them into OSPF, and based on the config you posted, you're not doing that.

If you were to make areas 100 and 200 into NSSA's you would see a reduction of OSPF routes in those areas and still be able to redistribute static and connected from them into their respective areas and the backbone.

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
[c-nsp] Symmetric load-splitting with CEF
Hi all,

I am aware that symmetric load splitting to transparent stateful devices (such as IPS, SCE etc...) is possible with EtherChanneling (with some careful balancing algorithm design), and is available on c6k5 for some time.

But - c6k5 do not support cross-chassis EtherChannels with current supervisors; so if topological redundancy is required, L2-based LB is not the way to go. I've noticed someone somewhere saying this is also possible with CEF at L3, but I can find no reference for such solutions.

Can anyone advise me please...

thanks much

--
Tomas Daniska
systems engineer
Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
Re: [c-nsp] Symmetric load-splitting with CEF
Yes, interchassis EtherChannel is now supported with Cisco's VSS technology.

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Tomas Daniska
Sent: Monday, November 19, 2007 9:06 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Symmetric load-splitting with CEF

Hi all,

I am aware that symmetric load splitting to transparent stateful devices (such as IPS, SCE etc...) is possible with EtherChanneling (with some careful balancing algorithm design), and is available on c6k5 for some time.

But - c6k5 do not support cross-chassis EtherChannels with current supervisors; so if topological redundancy is required, L2-based LB is not the way to go. I've noticed someone somewhere saying this is also possible with CEF at L3, but I can find no reference for such solutions.

Can anyone advise me please...

thanks much

--
Tomas Daniska
systems engineer
Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
Re: [c-nsp] Basic QoS/Rate limiting
Yes,

You could create a vlan for each client/clients and then have rate limiting done on sub interface vlan interface on your router.

Aman

On 11/19/07, Dave Weis [EMAIL PROTECTED] wrote:
> Is there an easy way on a 2800 to enforce per client speed limits for ethernet connected clients? Ideally I would like to control them to X kbps down and Y kbps up. The switches the clients are connected to don't have any rate limiting capability.
>
> If this isn't possible is there a simple way to enforce some fairness per client?
>
> dave
[c-nsp] etherchannel problems
We just got bitten by a serious etherchannel problem : we have an 2 gig etherchannel link between 2 campus. Someone on the other end misconfigured an interface (typed 6/1 instead of 1/6) and had overwritten the allowed vlans on one of the interfaces. As a result of this, the interface was thrown out of the bundle (at that side only) BUT the interface stayed UP. On the other campus, both interfaces stayed in the bundle with very big problems as a result : the 6500 at that side considered both lines as valid and distributed the packets over both interfaces, sending half of the traffic in 'space'.

If the interface had gone down as a result of the unbundling, there would have been no problem. We only use static channel settings, so not etherchannel negotiations between switches.

Can this be solved with dynamic etherchannel bundling ? Or someone has another solution for this problem ?

Wim Holemans
Networkservices
University of Antwerp
Re: [c-nsp] Symmetric load-splitting with CEF
Tomas Daniska wrote on Monday, November 19, 2007 3:06 PM:
> Hi all,
>
> I am aware that symmetric load splitting to transparent stateful devices (such as IPS, SCE etc...) is possible with EtherChanneling (with some careful balancing algorithm design), and is available on c6k5 for some time.

Right, but I would not call this symmetric. You always need a sufficiently large number of flows to achieve symmetric load.

> But - c6k5 do not support cross-chassis EtherChannels with current supervisors; so if topological redundancy is required, L2-based LB is not the way to go. I've noticed someone somewhere saying this is also possible with CEF at L3, but I can find no reference for such solutions.

Yes, regular CEF load-balancing also achieves a similar result, with the same caveat as above.

oli
Re: [c-nsp] etherchannel problems
If you were using LACP then this should have taken the remote side out of the Etherchannel as well. There is no knob to take the interface down during these conditions, but dynamic negotiation should solve the issue.

Phil

On Nov 19, 2007, at 11:11 AM, Holemans Wim wrote:
> We just got bitten by a serious etherchannel problem : we have an 2 gig etherchannel link between 2 campus. Someone on the other end misconfigured an interface (typed 6/1 instead of 1/6) and had overwritten the allowed vlans on one of the interfaces. As a result of this, the interface was thrown out of the bundle (at that side only) BUT the interface stayed UP. On the other campus, both interfaces stayed in the bundle with very big problems as a result : the 6500 at that side considered both lines as valid and distributed the packets over both interfaces, sending half of the traffic in 'space'.
>
> If the interface had gone down as a result of the unbundling, there would have been no problem. We only use static channel settings, so not etherchannel negotiations between switches.
>
> Can this be solved with dynamic etherchannel bundling ? Or someone has another solution for this problem ?
>
> Wim Holemans
> Networkservices
> University of Antwerp
Re: [c-nsp] Forwarding Netflow traffic to multiple collectors
Lancope sells a Flow Replicator for those that want a commercial solution...

http://www.lancope.com/products/replicator.aspx

It can do both passive replication via packet capture or you can send directly to the IP of the replicator itself. The source IP is maintained while the destination IP and port is rewritten based on the rules configured.

Very similar to UDP Replicator just with reporting, high performance, appliance-based, support, higher price tag, etc.

On 11/17/07 2:41 PM, Church, Charles [EMAIL PROTECTED] wrote:
> It's UDP, and I don't believe acknowledged any higher up. So would it be possible to make the destination a directed broadcast address, assuming your collectors are (or could be) on the same subnet?
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Bezzina
> Sent: Saturday, November 17, 2007 9:46 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Forwarding Netflow traffic to multiple collectors
>
> Hi,
>
> I am running 12.2SRB on my 7600s and I currently need to export Netflow to 3 collectors. Obviously I cannot because the IOS only supports up to 2 collectors.
>
> Now, I have heard that there is a Linux solution that can transparently forward netflow to multiple collectors. Anybody is using it and can advise me about it?
>
> Thanks in advance
>
> Regards
> Gordon

--
Adam Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. [EMAIL PROTECTED]
[c-nsp] Fail-Over solution
Hi,

we've got several customers who have 2 connections to our backbone. Mostly a connection with 10 mbit/s and a smaller backup connection with up to 2 mbit/s. Currently the second router will be connected with the LAN in case the primary connection fails.

We would like to implement a solution where the second connection will be used automatically if the primary one fails. My first thought was to implement BGP on the customer side with a private ASN and install a peering with our router. But the hardware doesn't support BGP.

We've got two scenarios:

1. The customer is connected with a 10 MBit/s LAN Extension and a 2 Mbit/s D2MS. The 2 Mbit/s is connected with a Cisco 2600 Series router on the customer side. But the LAN Extension is directly connected to a switch. Our Backbone Router is the default router for the customer network. Because of the costs we don't want to install another router on the customer side. So BGP isn't working.

2. The customer is connected with a E3 or more and a 2 MBit/s SDSL. For the E3 we've got a Cisco 2800 Series Router. But the SDSL Connection is handled by a cisco 878 which doesn't support BGP.

Any ideas?

Regards
Sebastian
Re: [c-nsp] VLAN Limits - 2821/3825
11:10am Paul Stewart said:
> Trying to find out what the maximum VLAN's on a 2821 or 3825 is? Configuration is router + NM-16ESW card and we'd like to use them as a small distribution router at remote sites and assign each port to it's own VLAN - I know there's a limit but can't find documentation to back it up...

What does this say?

show vtp status | incl ^Max

../C
Re: [c-nsp] Basic QoS/Rate limiting
On Mon, 19 Nov 2007, Aman Chugh wrote:
> Yes,
>
> You could create a vlan for each client/clients and then have rate limiting done on sub interface vlan interface on your router.

There's about 100 clients on the network, I was hoping to avoid anything that requires individual configurations. That is an option though.

> On 11/19/07, Dave Weis [EMAIL PROTECTED] wrote:
>> Is there an easy way on a 2800 to enforce per client speed limits for ethernet connected clients? Ideally I would like to control them to X kbps down and Y kbps up. The switches the clients are connected to don't have any rate limiting capability.
>>
>> If this isn't possible is there a simple way to enforce some fairness per client?
>>
>> dave

--
Dave Weis
[EMAIL PROTECTED]
http://www.internetsolver.com/
Re: [c-nsp] etherchannel problems
It does seem like dynamic would be more risky, but in practice I have found that running LACP is a lot better than channel mode on. It takes a few seconds longer to start up, but does a very good job of protecting against unbound interfaces.

Holemans Wim wrote:
> We just got bitten by a serious etherchannel problem : we have an 2 gig etherchannel link between 2 campus. Someone on the other end misconfigured an interface (typed 6/1 instead of 1/6) and had overwritten the allowed vlans on one of the interfaces. As a result of this, the interface was thrown out of the bundle (at that side only) BUT the interface stayed UP. On the other campus, both interfaces stayed in the bundle with very big problems as a result : the 6500 at that side considered both lines as valid and distributed the packets over both interfaces, sending half of the traffic in 'space'.
>
> If the interface had gone down as a result of the unbundling, there would have been no problem. We only use static channel settings, so not etherchannel negotiations between switches.
>
> Can this be solved with dynamic etherchannel bundling ? Or someone has another solution for this problem ?
>
> Wim Holemans
> Networkservices
> University of Antwerp

--
Christopher E. Brown [EMAIL PROTECTED]
desk (907) 550-8393
cell (907) 632-8492
IP Engineer - ACS
Re: [c-nsp] VLAN Limits - 2821/3825
On Mon, 2007-11-19 at 13:05 -0800, Curtis Doty wrote:
>> Trying to find out what the maximum VLAN's on a 2821 or 3825 is? Configuration is router + NM-16ESW card and we'd like to use them as a small distribution router at remote sites and assign each port to it's own VLAN - I know there's a limit but can't find documentation to back it up...
>
> What does this say?
>
> show vtp status | incl ^Max

That probably doesn't help much on a router. :-)

Instead take a look at this page:

http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd802a9470.shtml#wp9000578
http://www.tinyurl.dk/2251

The VLANS Supported per Platform says that a 2821 with NM-16ESW supports up to 32 VLANs.

Regards,
Peter Rathlev
Re: [c-nsp] Basic QoS/Rate limiting
On Mon, 2007-11-19 at 06:44 -0600, Dave Weis wrote:
> Is there an easy way on a 2800 to enforce per client speed limits for ethernet connected clients? Ideally I would like to control them to X kbps down and Y kbps up. The switches the clients are connected to don't have any rate limiting capability.
>
> If this isn't possible is there a simple way to enforce some fairness per client?

You can enable fair-queue on the interface, either directly or via an existing policy map. This treats each flow in a fair equal way, but doesn't treat each host equally.

Otherwise I think you can use traffic-shape group w/ per host access-lists, though it would look a little funny in your interface configuration. There's probably some nice 2-line configuration you can use, but only that really smart people know it. :-)

Regards,
Peter Rathlev
Re: [c-nsp] VLAN Limits - 2821/3825
Thanks very much... yes, that answers my concerns ;)

I knew the limits weren't overly high but for our use (one VLAN per port) this works quite well...

Thanks again,

Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Monday, November 19, 2007 5:39 PM
To: cisco-nsp
Subject: Re: [c-nsp] VLAN Limits - 2821/3825

On Mon, 2007-11-19 at 13:05 -0800, Curtis Doty wrote:
>> Trying to find out what the maximum VLAN's on a 2821 or 3825 is? Configuration is router + NM-16ESW card and we'd like to use them as a small distribution router at remote sites and assign each port to it's own VLAN - I know there's a limit but can't find documentation to back it up...
>
> What does this say?
>
> show vtp status | incl ^Max

That probably doesn't help much on a router. :-)

Instead take a look at this page:

http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd802a9470.shtml#wp9000578
http://www.tinyurl.dk/2251

The VLANS Supported per Platform says that a 2821 with NM-16ESW supports up to 32 VLANs.

Regards,
Peter Rathlev
[c-nsp] Cat3750 crash 12.2(40)SE
Hi all,

Has anyone seen this crash? Happened on a 2-member Cat3750-12S-E stack. All I did was change the IP address on a Port-channel interface and it died on me. I literally just went: conf t, int po1, ip address a.b.c.d 255.255.255.0 enter and it fell over. First it crashed the stack master (switch 1), then I logged in again and tried exactly the same thing and it crashed the master (switch 2). I wasn't game to try it again. Bug Toolkit wasn't helpful.

Nov 20 13:22:47: %PLATFORM-1-CRASHED: System previously crashed with the following message:
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(40)SE, RELEASE SOFTWARE (fc3)
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Copyright (c) 1986-2007 by Cisco Systems, Inc.
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Compiled Fri 24-Aug-07 00:53 by myl
Nov 20 13:22:47: %PLATFORM-1-CRASHED:
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)!
Nov 20 13:22:47: %PLATFORM-1-CRASHED:
Nov 20 13:22:47: %PLATFORM-1-CRASHED: SRR0 = 0x013E6CF4 SRR1 = 0x00029230 SRR2 = 0x005BA610 SRR3 = 0x00021000
Nov 20 13:22:47: %PLATFORM-1-CRASHED: ESR = 0x DEAR = 0x TSR = 0x8C00 DBSR = 0x0100
Nov 20 13:22:47: %PLATFORM-1-CRASHED:
Nov 20 13:22:47: %PLATFORM-1-CRASHED: CPU Register Context:
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Vector = 0x2000 PC = 0x00CF4A50 MSR = 0x00029230 CR = 0x2044
Nov 20 13:22:47: %PLATFORM-1-CRASHED: LR = 0x00CEA954 CTR = 0x00CC3A44 XER = 0x6004
Nov 20 13:22:47: %PLATFORM-1-CRASHED: R0 = 0x00CEA954 R1 = 0x0424C048 R2 = 0x R3 = 0x042029CC
Nov 20 13:22:47: %PLATFORM-1-CRASHED: R4 = 0x R5 = 0x0001 R6 = 0x R7 = 0x
Nov 20 13:22:47: %PLATFORM-1-CRASHED: R8 = 0x03F14174 R9 = 0x0003 R10 = 0x R11 = 0x
Nov 20 13:22:47: %PLATFORM-1-CRASHED: R12 = 0x041DD5E0 R13 = 0x0011 R14 = 0x010205B4 R15 = 0x
Nov 20 13:22:47: %PLATFORM-1-CRASHED: R16 = 0x R17 = 0x R18 = 0x025B R19 = 0x025A8F78
Nov 20 13:22:47: %PLATFORM-1-CRASHED: R20 = 0x025B R21 = 0x025B R22 = 0x025B R23 = 0x042A42CC
Nov 20 13:22:47: %PLATFORM-1-CRASHED: R24 = 0x041DD418 R25 = 0x041DF534 R26 = 0x R27 = 0x0001
Nov 20 13:22:47: %PLATFORM-1-CRASHED: R28 = 0x041DF534 R29 = 0x R30 = 0x042029CC R31 = 0x
Nov 20 13:22:47: %PLATFORM-1-CRASHED:
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Stack trace:
Nov 20 13:22:47: %PLATFORM-1-CRASHED: PC = 0x00CF4A50, SP = 0x0424C048
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Frame 00: SP = 0x0424C070PC = 0x
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Frame 01: SP = 0x0424C0A8PC = 0x00CEA954
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Frame 02: SP = 0x0424C0D0PC = 0x00CE81EC
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Frame 03: SP = 0x0424C0F8PC = 0x01045488
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Frame 04: SP = 0x0424C110PC = 0x010455A0
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Frame 05: SP = 0x0424C148PC = 0x010245E8
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Frame 06: SP = 0x0424C1A8PC = 0x0102099C
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Frame 07: SP = 0x0424C1B0PC = 0x0092220C
Nov 20 13:22:47: %PLATFORM-1-CRASHED: Frame 08: SP = 0xPC = 0x00918EE0
Nov 20 13:22:47: %PLATFORM-1-CRASHED:
Nov 20 13:23:56: %STACKMGR-4-SWITCH_REMOVED: Switch 2 has been REMOVED from the stack
Nov 20 13:23:56: %STACKMGR-4-MASTER_ELECTED: Switch 1 has been elected as MASTER of the stack
Nov 20 13:23:56: %CFGMGR-6-APPLYING_RUNNING_CFG: as new master
Nov 20 13:23:56: %SYS-6-CLOCKUPDATE: System clock has been updated from 13:23:56 AEDT Tue Nov 20 2007 to 13:23:56 AEDT Tue Nov 20 2007, configured from console by vty0.
Nov 20 13:23:56: %SYS-6-CLOCKUPDATE: System clock has been updated from 13:23:56 AEDT Tue Nov 20 2007 to 13:23:56 AEDT Tue Nov 20 2007, configured from console by vty0.
Nov 20 13:23:57: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
Nov 20 13:23:58: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
Nov 20 13:23:58: %LINK-3-UPDOWN: Interface Port-channel2, changed state to up
Nov 20 13:23:58: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
Nov 20 13:23:58: %LINK-3-UPDOWN: Interface Vlan20, changed state to up
Nov 20 13:23:58: %LINK-3-UPDOWN: Interface Vlan100, changed state to up
Nov 20 13:23:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
Nov 20 13:23:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel2, changed state to up
Nov 20 13:23:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
Nov 20 13:23:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
Nov 20 13:24:52: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state UP
Nov 20 13:24:52: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(293) 500: Neighbor 10.61.8.122 (Vlan100) is up: new adjacency
Re: [c-nsp] Basic QoS/Rate limiting
Hi,

I've done this before very well by inserting bwmanager box as a bridge (fortunately it's ethernet type). As Cisco didn't give any better option rather than create per IP customer access-list to match against rate-limit / traffic shape on the interface.

BWmanager box was : ETINC and now replaced with MIKROTIK and running dynamic bandwidth rule.

rgs,
a. rahman isnaini r. sutan [EMAIL PROTECTED]

- Original Message -
From: Dave Weis [EMAIL PROTECTED]
To: Aman Chugh [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Tuesday, November 20, 2007 4:59 AM
Subject: Re: [c-nsp] Basic QoS/Rate limiting

On Mon, 19 Nov 2007, Aman Chugh wrote:
> Yes, You could create a vlan for each client/clients and then have rate limiting done on sub interface vlan interface on your router.

There's about 100 clients on the network, I was hoping to avoid anything that requires individual configurations. That is an option though.

> On 11/19/07, Dave Weis [EMAIL PROTECTED] wrote:
> > Is there an easy way on a 2800 to enforce per client speed limits for ethernet connected clients? Ideally I would like to control them to X kbps down and Y kbps up. The switches the clients are connected to don't have any rate limiting capability.
> >
> > If this isn't possible is there a simple way to enforce some fairness per client?
> >
> > dave

--
Dave Weis
[EMAIL PROTECTED]
http://www.internetsolver.com/
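
The per-host access-list approach named in Peter Rathlev's reply and in the message above, generated for a whole client list; this is an added example, not configuration from anyone on the list. The interface names, addresses and rates are constructed, and it assumes the extended ACL numbers are unused, that the router does not NAT the clients, and that the platform accepts this many shaping groups per interface.

```python
import ipaddress

# Extended numbered ACL ranges in IOS; assumed to be entirely unused here.
EXTENDED_ACL_RANGES = (range(100, 200), range(2000, 2700))


def acl_numbers():
    """Yield extended ACL numbers in order, crossing from 199 to 2000."""
    for block in EXTENDED_ACL_RANGES:
        yield from block


def shaping_config(clients, down_kbps, up_kbps, lan_if, wan_if):
    """Return IOS config lines shaping every client to the same down/up rate.

    traffic-shape acts only on traffic leaving an interface, so the download
    limit sits on the client-facing interface (match destination host) and the
    upload limit on the upstream interface (match source host).
    """
    # Validate and de-duplicate; a bad address raises ValueError.
    hosts = sorted({ipaddress.IPv4Address(c) for c in clients})
    if 2 * len(hosts) > sum(len(r) for r in EXTENDED_ACL_RANGES):
        raise ValueError("not enough extended ACL numbers for this many clients")
    numbers = acl_numbers()
    acls = []
    lan = [f"interface {lan_if}"]
    wan = [f"interface {wan_if}"]
    for host in hosts:
        down_acl, up_acl = next(numbers), next(numbers)
        acls.append(f"access-list {down_acl} permit ip any host {host}")
        acls.append(f"access-list {up_acl} permit ip host {host} any")
        # traffic-shape group takes the rate in bits per second.
        lan.append(f" traffic-shape group {down_acl} {down_kbps * 1000}")
        wan.append(f" traffic-shape group {up_acl} {up_kbps * 1000}")
    return acls + ["!"] + lan + ["!"] + wan


if __name__ == "__main__":
    # Constructed sample: three clients, 2000 kbps down and 512 kbps up.
    # Interface names are hypothetical.
    sample = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    print("\n".join(shaping_config(sample, 2000, 512,
                                   "GigabitEthernet0/1", "GigabitEthernet0/0")))
```

Each client costs two ACL numbers, so the two extended ranges cover at most 400 clients before the generator refuses to continue.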