Re: [c-nsp] 6500/SRA: vpnv4 vs. equal-cost multipath ?
Alexandre Snarskii wrote on Monday, January 21, 2008 7:15 PM:

> Hi!
>
> Summary: looks like IOS 12.2(33)SRA* can't handle vpnv4 routes which come
> from a peer reachable via two equal paths.

Have you verified that all links run LDP and everything is set up correctly? A PE can load-share via equal-cost core paths just fine, so something is wrong in your setup..

[...]

> this route is not installed in the MPLS Forwarding table (at least not
> installed in the correct way):
>
> RouterA#show mpls forwarding-table vrf LOCAL 192.168.103.120 detail
> Local  Outgoing    Prefix                 Bytes Label  Outgoing   Next Hop
> Label  Label or VC or Tunnel Id           Switched     interface
> None   535         192.168.103.120/29[V]   \
>                                            0
>         Recursive paths, Label Stack{535}
>         00217000
>         VPN route: LOCAL
>         No output feature configured
>
> - you see, no outgoing interface is mentioned in the output, and the label
> stack is just incorrect - it consists of only one (final) label...

On the ingress PE, you want to look into the CEF table (the LFIB is only consulted for tagged packets), but even there you will only see one label (the VPN label). The IGP/LDP label and outgoing interface will be resolved at forwarding time, based on the result of the CEF hash.

oli

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
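oli's point above is that the VRF CEF/LFIB entry only stores the VPN label and the recursive BGP next hop, while the IGP/LDP label and the outgoing interface are chosen per packet at forwarding time. The following Python is an added model of that behaviour, not code from the thread or from IOS: it keeps the prefix and VPN label 535 from the quoted output and constructs everything else (remote PE loopback 10.0.0.2, two equal-cost paths with LDP labels 16 and 17, and a SHA-256 stand-in for the platform's CEF load-balancing hash).

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IgpPath:
    """One equal-cost IGP path towards a BGP next hop (all values constructed)."""
    out_interface: str
    next_hop: str
    ldp_label: int  # label the downstream neighbour advertised via LDP for the next-hop /32


@dataclass(frozen=True)
class VrfCefEntry:
    """The VRF CEF entry: it stores the VPN label and the recursive BGP next hop only."""
    prefix: ipaddress.IPv4Network
    vpn_label: int
    bgp_next_hop: str


# Constructed topology: the remote PE loopback 10.0.0.2 is reachable over two equal-cost LDP paths.
IGP_PATHS: Dict[str, List[IgpPath]] = {
    "10.0.0.2": [
        IgpPath("GigabitEthernet1/1", "10.1.1.2", ldp_label=16),
        IgpPath("GigabitEthernet1/2", "10.1.2.2", ldp_label=17),
    ],
}

# VRF LOCAL with the prefix and VPN label quoted in the thread; the next hop is constructed.
VRF_LOCAL: List[VrfCefEntry] = [
    VrfCefEntry(ipaddress.ip_network("192.168.103.120/29"), vpn_label=535, bgp_next_hop="10.0.0.2"),
]


def lookup_vrf(vrf_table: List[VrfCefEntry], dst: str) -> Optional[VrfCefEntry]:
    """Longest-prefix match of dst in the VRF table."""
    addr = ipaddress.ip_address(dst)
    matches = [e for e in vrf_table if addr in e.prefix]
    return max(matches, key=lambda e: e.prefix.prefixlen, default=None)


def cef_hash_index(src: str, dst: str, n_paths: int) -> int:
    """Per-flow path choice; SHA-256 of (src, dst) stands in for the platform's CEF hash."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def forward(vrf_table: List[VrfCefEntry], src: str, dst: str) -> Optional[Tuple[str, str, List[int]]]:
    """Resolve the recursive next hop at forwarding time.

    Returns (outgoing interface, next hop, label stack outer-first), or None when the
    destination is unknown or the BGP next hop has no labelled IGP path.
    """
    entry = lookup_vrf(vrf_table, dst)
    if entry is None:
        return None
    paths = IGP_PATHS.get(entry.bgp_next_hop)
    if not paths:
        return None  # next hop has no LDP-labelled path: the VPN route cannot be forwarded
    path = paths[cef_hash_index(src, dst, len(paths))]
    # Outer (transport) label comes from the chosen IGP path, inner VPN label from the CEF entry.
    return path.out_interface, path.next_hop, [path.ldp_label, entry.vpn_label]


def path_distribution(vrf_table: List[VrfCefEntry], dst: str, sources: List[str]) -> Dict[str, int]:
    """Count how many source flows land on each outgoing interface (what load-sharing looks like)."""
    counts: Dict[str, int] = {}
    for src in sources:
        result = forward(vrf_table, src, dst)
        if result:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts


if __name__ == "__main__":
    srcs = [f"10.5.5.{i}" for i in range(1, 65)]
    print(forward(VRF_LOCAL, "10.5.5.1", "192.168.103.121"))
    print(path_distribution(VRF_LOCAL, "192.168.103.121", srcs))
```

Every packet leaves with the same inner label 535 regardless of the path chosen, which is why the LFIB entry lists only that label: the outer label is a property of the IGP path picked by the hash, not of the VPN route.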
Re: [c-nsp] Rate-limiting traffic on 3500
I don't think you can do Per-Port Per-VLAN QoS on 3550 or VLAN-Based QoS on 3560 in the egress direction. Just on ingress.

--
Tassos

Michael Malitsky wrote on 22/1/2008 2:25 AM:
> Hello,
>
> I am trying to figure out a way to set up some traffic limiters. The specific situation is: I have several VLANs in an 802.1q trunk on one port. I need to control the _outbound_ traffic rate with a different CIR for each VLAN. Traffic-shaping would be nice, but I don't think it's supported. I'll settle for policing or even CAR, but so far I haven't been able to figure it out. I need this done on several switches; all are either 3550 or 3560 models.
>
> Any suggestions appreciated. If this can't be done, what's the minimum level of hardware necessary?
>
> Thanks,
> Michael Malitsky
Re: [c-nsp] cisco 3560 layer3 performance
Mark,

> a) So this is a layer 2 switching vs layer 3 switching performance issue.

Yes (not that I'd expect them to be comparable, although the 4948 does amazingly well in this regard). c3560 can do L3 in h/w.

I suggest you open a TAC case with Cisco. While there are plenty of clueful folks on cisco-nsp, if this is causing issues in your network, TAC may be able to assist you in finding the root cause and remediating it; after all, that's what the TAC is there for.

cheers,
lincoln.
Re: [c-nsp] cisco 3560 layer3 performance
Check out this thread:
http://puck.nether.net/pipermail/cisco-nsp/2007-May/040374.html

I had a similar issue with a 3750; the cause was redirected traffic. Even though ip redirects were disabled on the vlan interface, they were being punted to the cpu and then dropped.

Try a

3750E-Jenner#sh controller cpu-interface | i icmp
icmp 1886230815 0 0 0 0
3750E-Jenner#sh controller cpu-interface | i icmp
icmp 1886236301 0 0 0 0
3750E-Jenner#sh controller cpu-interface | i icmp
icmp 1886239093 0 0 0 0

to see if they are increasing.

The only way I was able to resolve this was by moving the traffic so that it was routed between two separate interfaces.

Regards
Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Louis
Sent: Tuesday, January 22, 2008 4:53
To: Mark Kent; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cisco 3560 layer3 performance

> Are both models the WS-C3560G-48TS-S version? The first device you mentioned, is it running layer 2 only, into the L2 access switchport and then out to the L2 trunk?
>
> From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Mark Kent [EMAIL PROTECTED]
> Sent: Monday, January 21, 2008 10:31 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] cisco 3560 layer3 performance
>
>> Hello,
>>
>> I've got a cisco 3560 (WS-C3560G-48TS-S) pulling in (80Mbs, 6500pps) on one switch port, and sending it out a trunk... cpu load is 5%.
>>
>> Another cisco 3560, pulling in that same traffic on a trunk and sending it out a layer3 point-to-point gigE, is running at 70 to 80% (cpu hog is IP Input). In fact, the cpu load is roughly the same as the Mbs load. 50Mbs = 50%.
>>
>> Now, I know it's a small switch in the cisco line. But wouldn't we expect it to do a fair bit better than this? It looks like it will crap out at 100Mbs of layer3 traffic.
>>
>> Thanks,
>> -mark
>
> Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
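Brian's suggestion is to sample the cpu-interface counters repeatedly and see whether the icmp queue keeps climbing. The Python below is an added helper, not something from the thread or from Cisco: it parses the three samples Brian quoted (embedded as constructed input, prompt lines included), computes the per-sample deltas with a guard for a 32-bit counter wrap, and reports whether the punt counter is still increasing. The sampling interval of 10 seconds is an assumption and only affects the packets-per-second figure.

```python
import re
from typing import Dict, List

# Samples quoted in the thread (prompt line followed by the counter line), three in a row.
SAMPLES = """\
3750E-Jenner#sh controller cpu-interface | i icmp
icmp 1886230815 0 0 0 0
3750E-Jenner#sh controller cpu-interface | i icmp
icmp 1886236301 0 0 0 0
3750E-Jenner#sh controller cpu-interface | i icmp
icmp 1886239093 0 0 0 0
"""

COUNTER_WIDTH = 2 ** 32  # assumption: 32-bit counters, so a wrap shows up as a smaller value
# queue name, then the first numeric column; any further numeric columns are ignored
LINE_RE = re.compile(r"^(?P<queue>\S+)\s+(?P<first>\d+)(?:\s+\d+)*\s*$")


def parse_queue_counters(output: str, queue: str = "icmp") -> List[int]:
    """Extract the first numeric column of every line for `queue`, in sampling order.

    Prompt lines and lines for other queues do not match the pattern and are skipped.
    """
    values = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group("queue") == queue:
            values.append(int(m.group("first")))
    return values


def counter_deltas(values: List[int]) -> List[int]:
    """Differences between consecutive samples, corrected for a single 32-bit wrap."""
    out = []
    for prev, cur in zip(values, values[1:]):
        d = cur - prev
        if d < 0:
            d += COUNTER_WIDTH
        out.append(d)
    return out


def punt_report(output: str, queue: str = "icmp", interval_s: float = 10.0) -> Dict[str, object]:
    """Summarise whether the queue counter grows between every pair of samples."""
    values = parse_queue_counters(output, queue)
    deltas = counter_deltas(values)
    return {
        "queue": queue,
        "samples": values,
        "deltas": deltas,
        "increasing": bool(deltas) and all(d > 0 for d in deltas),
        "max_pps": max((d / interval_s for d in deltas), default=0.0),
    }


if __name__ == "__main__":
    print(punt_report(SAMPLES))
```

A steadily growing icmp count with the CPU pegged in IP Input is what you would expect when redirects are being punted; a flat count rules that queue out and points the search elsewhere.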
Re: [c-nsp] CCNP exams while working full time?
On Tue, 2008-01-22 at 09:15 +, Mohamed Ahmad wrote:
> Hi everyone,
>
> I just wanted to see how many of you guys took some CCNP exams (and studied for them :)) while in full time employment?

Don't know if CCIP counts, but if it does I can say yes.

> I am thinking of taking the first exam but was wondering if someone would like to share their experiences? Any advice (e.g. did you take time off work (used your holidays for that, or spoke to your employer to get some 'extra time off'?).

Our employer technically gives us time off for studying, but most of the studying was in spare time in weekends and evenings. It all depends on whether your employer understands what benefit your exam is for their business.

> Also I'm not quite sure how much time I will need for the first exam, if I were to do a bit of studying after work each day (which is going to be fun :)). Let me know if you've gone through it.
>
> Thanks

I took two of the four exams as self study and used a couple of weeks of intensive reading before each exam. I'd recommend taking the courses if you can find someone to pay for it; even though it's not dirt cheap it's well worth the money. (As long as it's not my own money! ;-)

I found it invaluable to be able to use long stretches of time, e.g. weekends, for reading. For me the one hour here, one hour there doesn't really work, but YMMV.

Regards,
Peter
Re: [c-nsp] CCNP exams while working full time?
Hi Mohamed,

On Jan 22, 2008 8:15 PM, Mohamed Ahmad [EMAIL PROTECTED] wrote:
> I just wanted to see how many of you guys took some CCNP exams (and studied for them :)) while in full time employment?

It's definitely possible and I suspect the majority of people do it this way. I self-studied my way through CCNP (no instructor led courses), hitting the books after work most week nights - I typically studied less on the weekends. I guess it probably took me a few months (elapsed) from start to finish.

I don't know your background and experience, but don't over-estimate CCNP.

cheers,
Dale
[c-nsp] Problem with 7204VXR and ATM PA-A3
Hello everyone,

we are currently migrating our leased lines from a 7500 router to a 7200VXR NPE-G1 with PA-A3-OC3MM. After changing the router, several customers complained about bad connectivity, and some investigation revealed that the downstream (us/Internet -> customer) was nearly perfect, but the upstream (customer -> us/Internet) was at best 70% of the line capacity. If the downstream is saturated, the upstream gets even worse, down to 20% of the line. Yesterday we undid the change, and on the 7500 we are back to ideal.

The problem is that we made the change to be able to terminate new circuits by l2tp, which the 7500 is not suited for.

We tried several IOS versions, c7200-is-mz.123-24a.bin, c7200-advipservicesk9-mz.124-15.T1.bin and c7200-p-mz.123-24a.bin, with no change. Another assumption was that the multipoint may cause problems on the 7200, but a test L2TP session over the point-to-point PVC 4/511 showed the same problems.

Any suggestions/ideas why this problem might exist?

Thanks in advance,
Phil

Slot 1: ATM WAN OC3 (MM) Port adapter, 1 port
        Port adapter is analyzed
        Port adapter insertion time 1w4d ago
        EEPROM contents at hardware discovery:
        Hardware revision 2.0           Board revision A0
        Serial number                   Part number   73-2430-04
        FRU Part Number PA-A3-OC3MM=
        Test history 0x0                RMA number 00-00-00
        EEPROM format version 1
        EEPROM contents (hex):
          0x00: 01 59 02 00 01 9E C4 62 49 09 7E 04 00 00 00 00
          0x10: 50 56 70 00 01 11 02 00 FF FF FF FF FF FF FF FF
          0x20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x30: FF FF FF FF FF FF FF FF FF FF FF FF

!
interface ATM1/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
end
!
interface ATM1/0.1 multipoint
 ip address 192.168.71.1 255.255.255.0
 ip access-group 103 in
 ip access-group 102 out
 no ip mroute-cache
 no snmp trap link-status
 pvc 4/32
  class-vc customer
  protocol ip 192.168.71.32
  no oam-pvc manage
  encapsulation aal5snap
 !
 pvc 4/33
  class-vc customer
  protocol ip 192.168.71.33
  oam-pvc manage 30
  encapsulation aal5snap
 !
 pvc 4/34
  class-vc customer
  protocol ip 192.168.71.34
  oam-pvc manage 30
 !
 pvc 4/35
  class-vc customer
  protocol ip 192.168.71.35
  oam-pvc manage 30
 !
 pvc 4/36
  class-vc customer
  protocol ip 192.168.71.36
  no oam-pvc manage
 !
 pvc 4/37
  class-vc customer
  protocol ip 192.168.71.37
  oam-pvc manage 30
 !
 pvc 4/38
  class-vc customer
  protocol ip 192.168.71.38
  oam-pvc manage 30
 !
 pvc 4/39
  class-vc customer
  protocol ip 192.168.71.39
  oam-pvc manage 30
 !
 pvc 4/43
  class-vc customer
  protocol ip 192.168.71.43
  oam-pvc manage 30
 !
 pvc 4/44
  class-vc customer
  protocol ip 192.168.71.44
  oam-pvc manage 30
 !
 pvc 4/45
  class-vc customer
  protocol ip 192.168.71.45
  oam-pvc manage 30
 !
 pvc 4/48
  class-vc customer
  protocol ip 192.168.71.48
  oam-pvc manage 30
 !
 pvc 4/49
  class-vc customer
  protocol ip 192.168.71.49
  oam-pvc manage 30
 !
 pvc 4/50
  class-vc customer
  protocol ip 192.168.71.50
  oam-pvc manage 30
 !
 pvc 4/51
  class-vc customer
  protocol ip 192.168.71.51
  oam-pvc manage 30
 !
 pvc 4/52
  class-vc customer
  protocol ip 192.168.71.52
  oam-pvc manage 30
 !
 pvc 4/53
  class-vc customer
  protocol ip 192.168.71.53
  oam-pvc manage 30
 !
 pvc 4/54
  class-vc customer
  protocol ip 192.168.71.54
  oam-pvc manage 30
 !
 pvc 4/56
  protocol ip 192.168.71.56
  oam-pvc manage 30
  encapsulation aal5snap
 !
 pvc 4/58
  class-vc customer
  protocol ip 192.168.71.58
  oam-pvc manage 30
 !
 pvc 4/59
  class-vc customer
  protocol ip 192.168.71.59
  oam-pvc manage 30
 !
 pvc 4/60
  class-vc customer
  protocol ip 192.168.71.60
  oam-pvc manage 30
 !
 pvc 4/61
  class-vc customer
  protocol ip 192.168.71.61
  oam-pvc manage 30
 !
 pvc 4/62
  class-vc customer
  protocol ip 192.168.71.62
  oam-pvc manage 30
 !
 pvc 4/63
  class-vc customer
  protocol ip 192.168.71.63
  oam-pvc manage 30
 !
 pvc 4/64
  class-vc customer
  protocol ip 192.168.71.64
  oam-pvc manage 30
 !
 pvc 4/66
  class-vc customer
  protocol ip 192.168.71.66
  oam-pvc manage 30
 !
 pvc 4/68
  class-vc customer
  protocol ip 192.168.71.68
  oam-pvc manage 30
 !
 pvc 4/69
  class-vc customer
  protocol ip 192.168.71.69
  oam-pvc manage 30
 !
 pvc 4/70
  class-vc customer
  protocol ip 192.168.71.70
  oam-pvc manage 30
 !
 pvc 4/71
  class-vc customer
  protocol ip 192.168.71.71
  oam-pvc manage 30
 !
 pvc 4/72
  class-vc customer
  protocol ip 192.168.71.72
  oam-pvc manage 30
 !
 pvc 4/73
  class-vc customer
  protocol ip 192.168.71.73
  oam-pvc manage 30
 !
 pvc 4/74
  class-vc customer
  protocol ip 192.168.71.74
  oam-pvc manage 30
 !
 pvc 4/75
  class-vc customer
  protocol ip 192.168.71.75
  oam-pvc manage 30
 !
 pvc 4/76
  class-vc customer
  protocol
[c-nsp] GRP and GRP-B compatibility
Hello everyone,

Can I run SSO using a GRP and a GRP-B in a 12000 platform?

Thanks,
Eliran
Re: [c-nsp] 3560/3750 12.2(44)
I recently upgraded some 3750 switches from 12.2(35) ipbase to 12.2(44), and now the ip tacacs source-interface command is missing. Anyone else seen this? I upgraded my lab 3560 to the same rev of code and found the same command missing.

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of eliran h [EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 5:15 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] GRP and GRP-B compatibility

> Hello everyone,
>
> Can I run SSO using a GRP and a GRP-B in a 12000 platform?
>
> Thanks,
> Eliran
Re: [c-nsp] CCNP exams while working full time?
Hello,

On 1/22/08, Mohamed Ahmad [EMAIL PROTECTED] wrote:
> Hi everyone,
>
> I just wanted to see how many of you guys took some CCNP exams (and studied for them :)) while in full time employment? I am thinking of taking the

yes, this is possible for CCNP exams. Also I think that many of the CCIEs were prepared for their lab during full time employment.

David

> first exam but was wondering if someone would like to share their experiences? Any advice (e.g. did you take time off work (used your holidays for that, or spoke to your employer to get some 'extra time off'?).
>
> Also I'm not quite sure how much time I will need for the first exam, if I were to do a bit of studying after work each day (which is going to be fun :)). Let me know if you've gone through it.
>
> Thanks
> Mo
[c-nsp] ISDN backup for MPLS CE Router
Hi Friends,

Most of my branches connect to the MPLS service provider using an ETH port on my CE. I am thinking of having an ISDN backup for the MPLS VPN link. Since it is ETH, it's very rare that the interface goes down, so I have to look for the default route that the ISP gives to my CE and, if it is not available, I will have to start ISDN.

Please help me with some of your experience or documentation.

ALI RIJAS
Network - Consultant
Barclays Bank PLC
1st Floor, Building 4, Emaar Business Park, Sheikh Zayed Road, PO Box 1891, Dubai, UAE
(Dir): +971 4 3626703 (Mob): +971 50 6525497 (Fax): +971 4 3663133
(Email): [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Weekend: Friday Saturday
Registered Office in England: Registered No. 1026167, Registered Office: 1 Churchill Place London E145HP

This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments. Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons. Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group. Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom. Barclays Bank PLC is authorised and regulated by the Financial Services Authority.
Re: [c-nsp] CCNP exams while working full time?
Unless you are new to networking and Cisco equipment, CCNP is easy to attain - but your mileage may vary. I just read the Cisco Press books during spare time and passed with flying colors. I've had my CCNP for almost 9 years now.

Mohamed Ahmad wrote:
> Hi everyone,
>
> I just wanted to see how many of you guys took some CCNP exams (and studied for them :)) while in full time employment? I am thinking of taking the first exam but was wondering if someone would like to share their experiences? Any advice (e.g. did you take time off work (used your holidays for that, or spoke to your employer to get some 'extra time off'?).
>
> Also I'm not quite sure how much time I will need for the first exam, if I were to do a bit of studying after work each day (which is going to be fun :)). Let me know if you've gone through it.
>
> Thanks
> Mo
Re: [c-nsp] Rate-limiting traffic on 3500
Classifying Traffic on a Per-Port Per-VLAN Basis by Using Class Maps

You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. To further classify the traffic flow, the class map defines the matching criteria to use.

To define packet classification on a per-port per-VLAN basis, follow these guidelines:

* You must use the match-all keyword with the class-map global configuration command.
* Per-port per-VLAN classification is a per-port feature and does not work on redundant links. It is supported only on an ingress port configured as a trunk or as a static-access port.
* The class map must have two match commands in this order: one match vlan vlan-list class-map configuration command and one match class-map class-map-name class-map configuration command. The class map specified in the match class-map class-map-name command must be predefined and cannot contain the match vlan vlan-list and the match class-map class-map-name commands.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swqos.html#wp1145280

From: [EMAIL PROTECTED] on behalf of Tassos Chatzithomaoglou
Sent: Tue 1/22/2008 5:16 PM
To: Michael Malitsky
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Rate-limiting traffic on 3500

> I don't think you can do Per-Port Per-VLAN QoS on 3550 or VLAN-Based QoS on 3560 in the egress direction. Just on ingress.
>
> --
> Tassos
>
> Michael Malitsky wrote on 22/1/2008 2:25 AM:
>> Hello,
>>
>> I am trying to figure out a way to set up some traffic limiters. The specific situation is: I have several VLANs in an 802.1q trunk on one port. I need to control the _outbound_ traffic rate with a different CIR for each VLAN. Traffic-shaping would be nice, but I don't think it's supported. I'll settle for policing or even CAR, but so far I haven't been able to figure it out. I need this done on several switches; all are either 3550 or 3560 models.
>>
>> Any suggestions appreciated. If this can't be done, what's the minimum level of hardware necessary?
>>
>> Thanks,
>> Michael Malitsky
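The three guidelines quoted from the 3550 configuration guide are easy to get wrong when several per-VLAN class maps are hand-edited. The Python below is an added configuration lint, not part of the thread or of any Cisco tool: it parses class-map blocks out of a constructed IOS snippet and checks every class map that contains a match vlan against the quoted rules (match-all keyword, exactly two match commands in the vlan-then-class-map order, and an inner class map that is defined earlier and contains neither match vlan nor match class-map). The sample config, class-map names and access-list number are constructed; a class-map line without a match-all/match-any keyword is assumed to default to match-all.

```python
import re
from typing import Dict, List

# Constructed IOS snippet: one class map that follows the guidelines and three that break them.
SAMPLE_CONFIG = """\
mls qos
!
class-map match-all CUSTOMER-IP
 match access-group 101
!
class-map match-all VLAN10-CUSTOMER
 match vlan 10
 match class-map CUSTOMER-IP
!
class-map match-any VLAN20-CUSTOMER
 match vlan 20
 match class-map CUSTOMER-IP
!
class-map match-all VLAN30-CUSTOMER
 match class-map CUSTOMER-IP
 match vlan 30
!
class-map match-all VLAN40-CUSTOMER
 match vlan 40
 match class-map NOT-YET-DEFINED
!
"""

CLASS_RE = re.compile(r"^class-map\s+(?:(match-all|match-any)\s+)?(\S+)\s*$")


def parse_class_maps(config: str) -> Dict[str, dict]:
    """Return {name: {"type", "matches", "order"}} for every class-map block, in definition order."""
    maps: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = CLASS_RE.match(line)
        if m:
            current = m.group(2)
            # assumption: a missing keyword means match-all (the IOS default)
            maps[current] = {"type": m.group(1) or "match-all", "matches": [], "order": len(maps)}
            continue
        if current and line.startswith(" match "):
            maps[current]["matches"].append(line.strip())
        elif not line.startswith(" "):
            current = None  # any top-level line ends the class-map block
    return maps


def check_per_vlan_class_map(name: str, maps: Dict[str, dict]) -> List[str]:
    """Apply the three per-port per-VLAN guidelines to one class map; returns the violations."""
    cm = maps[name]
    problems: List[str] = []
    if cm["type"] != "match-all":
        problems.append("must use the match-all keyword")
    kinds = [m.split()[1] for m in cm["matches"]]  # e.g. 'vlan', 'class-map', 'access-group'
    if kinds != ["vlan", "class-map"]:
        problems.append("needs exactly two match commands: 'match vlan' then 'match class-map'")
    inner = next((m.split()[2] for m in cm["matches"] if m.split()[1] == "class-map"), None)
    if inner is None:
        return problems
    if inner not in maps or maps[inner]["order"] > cm["order"]:
        problems.append(f"inner class-map {inner} is not predefined")
    else:
        inner_kinds = {m.split()[1] for m in maps[inner]["matches"]}
        if inner_kinds & {"vlan", "class-map"}:
            problems.append(f"inner class-map {inner} must not contain match vlan or match class-map")
    return problems


def lint_per_vlan_class_maps(config: str) -> Dict[str, List[str]]:
    """Check every class map that uses 'match vlan'; an empty list means it passes."""
    maps = parse_class_maps(config)
    return {
        name: check_per_vlan_class_map(name, maps)
        for name, cm in maps.items()
        if any(m.startswith("match vlan") for m in cm["matches"])
    }


if __name__ == "__main__":
    for name, problems in lint_per_vlan_class_maps(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else problems)
```

Run it against the running configuration before attaching an ingress service-policy to a trunk or static-access port; the egress limitation Tassos mentions is not something a class map can fix, so the lint deliberately says nothing about direction.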
[c-nsp] EzVPN drops packets after first data burst
Hi list,

I have a Cisco 1841 router, IOS 12.4(12), Adv. IP Services. I'm using it as an EzVPN server where clients can VPN into a VRF which contains a local network.

Clients can connect and start to use e.g. Remote Desktop to a computer on the inside network, but as soon as some traffic starts flowing (like opening a browser in Remote Desktop), the session hangs and, according to show crypto session remote <peer> detail, no new outbound (from the VPN server) packets come and I start seeing dropped inbound packets (dec'ed). Sample output:

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: x.x.x.x port 4406 fvrf: (none) ivrf: xx
      Phase1_id:
      Desc: (none)
  IKE SA: local x.x.x.x/4500 remote x.x.x.x/4406 Active
          Capabilities:CXN connid:233 lifetime:07:58:49
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.10.210.158
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 279 drop 69 life (KB/Sec) 4587796/86332
        Outbound: #pkts enc'ed 432 drop 0 life (KB/Sec) 4587562/86332

Whatever the user tries to do on the VPN, the only thing that changes (apart from time) is the dec'ed drop packets. The number of packets dec'ed/enc'ed is not exactly consistent, but this always happens at the first burst of data across the link. The counters go to a few hundred, then this happens.

The VPN connection stays up, nothing unusual in the client. It says transparent tunneling: active on UDP port 4500, so it probably doesn't matter that the client is behind NAT, right?

The problem only depends on data going over the link, not time. If I'm just using ping, traceroute and SSH terminal access, there is no problem. As soon as I put a burst on the link, it hangs and does not recover.

We have a few customers on the router, each using a different profile (pretty much the same configuration) and different VRFs for inside networks. Same problem for all of them.

Thanks in advance,
Kristo

Here's the relevant configuration:

aaa group server radius RADIUS-XX
 server-private x.x.x.x auth-port 1645 acct-port 1646 key xxx
 ip vrf forwarding xx
aaa authentication login AAA-XX group RADIUS-XX
aaa authorization network vpn local

ip vrf xx
 description xx
 rd 65365:7
 route-target export 65365:7
 route-target import 65365:7
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group
 key x
 dns x.x.x.x
 pool xx
 acl xx
 group-lock
 save-password
 max-users 50
 netmask 255.255.255.255
!
crypto isakmp profile
   vrf xx
   self-identity address
   match identity group
   client authentication list AAA-XX
   isakmp authorization list vpn
   client configuration address respond
   initiate mode aggressive
   local-address FastEthernet0/0
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
! dynamic-map vpn 1-6 and 8-... are other customers who also have the same problem
!
crypto dynamic-map vpn 7
 set transform-set vpn
 set isakmp-profile
 reverse-route
!
crypto map vpn 65535 ipsec-isakmp dynamic vpn
!
interface FastEthernet0/0
 description Uplink
 ip address x.x.x.x 255.255.255.128
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1.930
 encapsulation dot1Q 930
 ip vrf forwarding xx
 ip address 10.9.8.2 255.255.255.252
!
! The RIP is to advertise the host routes to the VPN clients to another router on the inside (and receive routes from there)
!
router rip
 version 2
 !
 address-family ipv4 vrf xx
  redistribute connected
  redistribute static
  network 10.0.0.0
  network 192.168.0.0
  network 192.168.124.0
  no auto-summary
  version 2
 exit-address-family
!
ip local pool xx 10.10.210.100 10.10.210.200 group xx
!
ip access-list extended xx
 (lots of networks)
[c-nsp] VPN Spoke Communication
Hey guys,

I am having an issue trying to get VPN spokes to communicate with other spokes over the same ASA outside interface. It seems any communication via the VPN endpoints back out the same outside interface is dropped. I have included the necessary configuration for hairpinning or U-turn, which should allow the traffic to pass, and I do not see any drops in the logs. Has anyone had similar issues before?

Platform: ASA 5520 v7.2

Many thanks,
Aaron.
Re: [c-nsp] ISDN backup for MPLS CE Router
The CE will have an ISDN WIC and it should dial out to my Head Office ISDN Aggregator (Cisco 3845) when the default route from the ISP is missing. After this, if at all there is a problem in the MPLS cloud (either ETH going down / route missing) from the service provider, data will flow via ISDN.

ALI RIJAS

-----Original Message-----
From: Zitouni Rachid [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2008 5:19 PM
To: Ali, Rijas: BB UAE (IT); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ISDN backup for MPLS CE Router

> Just to make sure I understand your topology: ISDN will be CE-PE or CE-CE?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ali, Rijas: BB UAE (IT)
> Sent: Tuesday, January 22, 2008 14:05
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] ISDN backup for MPLS CE Router
>
>> Hi Friends,
>>
>> Most of my branches connect to the MPLS service provider using an ETH port on my CE. I am thinking of having an ISDN backup for the MPLS VPN link. Since it is ETH, it's very rare that the interface goes down, so I have to look for the default route that the ISP gives to my CE and, if it is not available, I will have to start ISDN.
>>
>> Please help me with some of your experience or documentation.
>>
>> ALI RIJAS
[c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.
Hi there.

We have seen this issue on two separate Catalyst 6500s in the past two weeks or so: we've noticed that on occasion, either with a Layer 3 VLAN with no FastEthernet/GigabitEthernet port attached to it, or with one attached to it which is either down or administratively shutdown, the Layer 3 VLAN refuses to notice that it should in fact give it a rest, as they say.

Has anyone seen anything similar to this in the past? We aren't running VTP or any multi-switch/campus wide VLANs. All of our VLANs are contained intra-switch. Both switches are running the same version of code.

The only remedy we've found for solving this issue is to simply blow away the VLAN (which is usually what we're trying to do when we notice this anyway), but we are a little concerned by what could be the cause.

Thanks.
-Drew
Re: [c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.
If I'm not much mistaken, VLAN will be up if you have any trunks that contain it up. Are you sure that you are not running unlimited trunks on the switch, causing the SVI to be up?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Drew Weaver
Sent: 22 January 2008 14:27
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.

> Hi there.
>
> We have seen this issue on two separate Catalyst 6500s in the past two weeks or so: we've noticed that on occasion, either with a Layer 3 VLAN with no FastEthernet/GigabitEthernet port attached to it, or with one attached to it which is either down or administratively shutdown, the Layer 3 VLAN refuses to notice that it should in fact give it a rest, as they say.
>
> Has anyone seen anything similar to this in the past? We aren't running VTP or any multi-switch/campus wide VLANs. All of our VLANs are contained intra-switch. Both switches are running the same version of code.
>
> The only remedy we've found for solving this issue is to simply blow away the VLAN (which is usually what we're trying to do when we notice this anyway), but we are a little concerned by what could be the cause.
>
> Thanks.
> -Drew
Re: [c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.
Could you verify the absence of negotiated trunks by running show int trunk? It is sometimes easy to miss trunks that should not have been trunks...

-----Original Message-----
From: Drew Weaver
Sent: 22 January 2008 14:41
To: Marko Milivojevic; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.

I apologize, I should've clarified that we aren't doing any kind of trunking. Pretty much all of the VLANs we're doing are very simple "switchport" / "switchport access vlan x" type VLAN/interface configurations.

Thanks,
-Drew

[...]
Re: [c-nsp] GRP and GRP-B compatibility
eliran h wrote on Tuesday, January 22, 2008 11:15 AM:

> Hello everyone,
> Can I run SSO using a GRP and a GRP-B in a 12000 platform?

Yes, this should work..

oli
Re: [c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.
Drew,

Did you look at spanning-tree and confirm that the VLAN was no longer in spanning-tree? The switch will not turn the VLAN interface down if the VLAN is still in use in spanning-tree.

--
Regards,
Jason Plank
CCIE #16560

-- Original message --
From: Drew Weaver

[...]
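A check that fits what Marko and Jason are pointing at, as an added example (not from any of the posters): a Catalyst SVI stays up/up as long as the VLAN is active in the VLAN database and at least one Layer 2 port that carries the VLAN, access port or trunk, is link-up and in the spanning-tree forwarding state for that VLAN. The commands below walk through each of those conditions; VLAN 10 and the port names are assumed values.

```ios
! Added example (not from the thread). VLAN 10, Gi1/1 and Gi1/2 are assumed values.
!
! 1. State of the SVI itself
show interfaces vlan 10
! 2. Which physical ports are members of the VLAN (access ports)
show vlan id 10
! 3. Trunks, including ones negotiated by DTP, and the VLANs they allow
show interfaces trunk
! 4. Whether the VLAN still has ports in the STP forwarding state
show spanning-tree vlan 10
!
! A port that should not count toward the SVI state (for example a port that
! stays up because a probe or SPAN destination hangs off it) can be excluded
! from the autostate calculation:
interface GigabitEthernet1/1
 switchport autostate exclude
!
! Ports that must never become trunks should say so explicitly; this also
! stops DTP from negotiating a trunk that silently carries every VLAN:
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
```

If step 3 shows a trunk you did not expect, that trunk is allowing the VLAN and is what keeps the SVI up; if step 4 shows the VLAN with no ports in forwarding state and the SVI is still up, it is worth collecting that output for a TAC case.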
Re: [c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.
I apologize, I should've clarified that we aren't doing any kind of trunking. Pretty much all of the VLANs we're doing are very simple "switchport" / "switchport access vlan x" type VLAN/interface configurations.

Thanks,
-Drew

-----Original Message-----
From: Marko Milivojevic
Sent: Tuesday, January 22, 2008 9:23 AM
To: Drew Weaver; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] L3 VLAN showing up but no physical interface bound or physical interface down.

If I'm not much mistaken, the VLAN will be up if you have any trunks that contain it up. Are you sure that you are not running unlimited trunks on the switch, causing the SVI to be up?

[...]
[c-nsp] Two access-list questions..for Internet router
My ISP gave me a 1.1.1.64/27 range. 1.1.1.65 will be the inside Ethernet interface of the router.

1) Does anyone see any issue with ONLY allowing the 1.1.1.65/27 range into my network, since that is my only public IP range?

2) Is it best practice (performance-wise) to put my hardened access-list, which includes the statement above, on the s0/2 interface for the Gigabit Ethernet interface?

Thank you,
Re: [c-nsp] BGP load sharing accross 2 different providers
In Cisco-land, the best way is probably using OER (Optimized Edge Routing): http://www.cisco.com/go/oer

Be aware that OER has changed a lot in the recent versions, so if you don't have a maintenance contract it would probably be better to do it manually.

Rubens

On Jan 22, 2008 2:30 PM, Mohamed Ahmad wrote:
> Hi everyone,
>
> I was wondering what's the best way of load sharing traffic across 2 BGP sessions with 2 different ISPs (different AS numbers) but the same bandwidth (1 Gbps).
>
> I found this article but I'm not sure if anyone has tried this before: http://www.ccnalab.net/load_sharing_bgp.php
>
> I have also found this Cisco article which uses a different method: http://www.cisco.com/warp/public/459/40.html#conf4
>
> Any thoughts?
>
> Thanks,
> Mo
[c-nsp] SNMP Community Question
With management applications becoming more of the norm, with things like the Vframe product from Cisco, is there a way to limit, from the network device side, what interfaces a particular community string can access? For instance, if you have a server that has RW access to a switch, can you limit it by SNMP community string as to what interfaces that string can control, for instance limit the server to controlling interfaces on blade 9 only, using community string x?
Re: [c-nsp] BGP load sharing accross 2 different providers
On Tue, 22 Jan 2008, Mohamed Ahmad wrote:

> I was wondering what's the best way of load sharing traffic across 2 BGP sessions with 2 different ISPs (different AS numbers) but the same bandwidth (1 Gbps).
>
> I found this article but I'm not sure if anyone has tried this before: http://www.ccnalab.net/load_sharing_bgp.php

Maybe I'm just old-school, but I think configuring speed and duplex negotiation on Fast Ethernet interfaces on routers, if they're connecting to other routers and switches, is a bad idea, but I digress...

The article does make two important points:

1. You will need your own AS number, registered with whatever Internet Registry serves your area.

2. You will need at least a /24 of routable address space to advertise to your upstreams. This can be assigned from an upstream, or if you have your own provider-independent assignments already, that will work too.

> I have also found this Cisco article which uses a different method: http://www.cisco.com/warp/public/459/40.html#conf4

You can do load sharing to two different upstreams using BGP - this is a pretty common design. It's important to note that load sharing will in all likelihood not result in a perfect 50-50 distribution of inbound and outbound traffic across both links, nor should you expect this.

Also note that to achieve some level of load sharing, you will need to take more than just a default route from your upstreams. You don't necessarily need to take full routes from your upstreams, unless you're providing full BGP routes to downstream customers.

jms
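To go with jms's points, an added IOS example (not the original poster's configuration and not taken from either article) of the shape a dual-homed setup usually takes: announce only your own aggregate, take a default plus a partial table from each provider, and cap what each session may hand you. All AS numbers and addresses are placeholders (RFC 6996 private ASNs, RFC 5737 documentation space): our AS is 65001 with 198.51.100.0/24, ISP-A is AS 64501 at 203.0.113.1, ISP-B is AS 64502 at 203.0.113.5. The outbound prefix-list is the part never to omit; without it the router re-advertises one provider's routes to the other and quietly becomes transit between them.

```ios
! Added example, not from the thread. ASNs and addresses are placeholders.
ip prefix-list OUR-PREFIXES seq 5 permit 198.51.100.0/24
!
! Inbound: drop anything covering our own block (no route back to ourselves)
! and accept the rest up to /24 (default route and partial table).
ip prefix-list FROM-UPSTREAM seq 5 deny 198.51.100.0/24 le 32
ip prefix-list FROM-UPSTREAM seq 10 permit 0.0.0.0/0 le 24
!
! Outbound: announce only our own aggregate, never the other provider's routes.
route-map TO-ISP permit 10
 match ip address prefix-list OUR-PREFIXES
!
route-map FROM-ISP-A permit 10
 match ip address prefix-list FROM-UPSTREAM
 set local-preference 100
!
route-map FROM-ISP-B permit 10
 match ip address prefix-list FROM-UPSTREAM
 set local-preference 100
!
router bgp 65001
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 description ISP-A
 neighbor 203.0.113.1 route-map FROM-ISP-A in
 neighbor 203.0.113.1 route-map TO-ISP out
 neighbor 203.0.113.1 maximum-prefix 20000
 neighbor 203.0.113.5 remote-as 64502
 neighbor 203.0.113.5 description ISP-B
 neighbor 203.0.113.5 route-map FROM-ISP-B in
 neighbor 203.0.113.5 route-map TO-ISP out
 neighbor 203.0.113.5 maximum-prefix 20000
!
! The network statement only fires if the prefix is in the RIB; a high-distance
! static to Null0 keeps the aggregate present even when a more specific flaps.
ip route 198.51.100.0 255.255.255.0 Null0 250
!
! Check what actually went out and came in:
! show ip bgp neighbors 203.0.113.1 advertised-routes
! show ip bgp neighbors 203.0.113.1 received-routes
```

With equal local preference, traffic to each provider's own customers follows the shorter AS path, and the two defaults tie so the remaining traffic lands on one link; raising local preference on one provider's default (a second route-map entry matching 0.0.0.0/0) is the usual way to shift that share, which is the manual tuning jms and Rubens refer to. The `maximum-prefix` figure is an assumed ceiling; set it a little above the partial table the provider actually sends.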
Re: [c-nsp] cisco 3560 layer3 performance
> Take a look at what the SDM says, with show sdm prefer. If you're running a VLAN-only template, all L3 traffic is process switched. In that case you should change it to default or whatever suits your needs.

show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

We're not near any of these limits... but I'll scroll through all the options and record the changes.

Thanks,
-mark
[c-nsp] ADSL
I *really* wish Cisco had made an ADSL PA.

Peace...
Sridhar
Re: [c-nsp] access-list question
I think it will limit the whole group. You could try to create 5 access-lists, one for each IP, and have 5 rate-limits, one for each IP.

-lmn

On Jan 22, 2008 11:13 AM, Richey wrote:
> If I do the following will it rate-limit each IP to 1.8Mb or will it limit the group of IPs to 1.8Mb? I want each IP to get 1.8Mb.
>
> interface Ethernet1/1
>  description EB1 - Wireless
>  ip address 69.18.x.x 255.255.255.224
>  rate-limit input access-group 199 180 337500 675000 conform-action transmit exceed-action drop
>  rate-limit output access-group 199 180 337500 675000 conform-action transmit exceed-action drop
>  half-duplex
>
> access-list 199 permit ip host 69.18.x.x any
> access-list 199 permit ip host 69.18.x.x any
> access-list 199 permit ip host 69.18.x.x any
> access-list 199 permit ip host 69.18.x.x any
> access-list 199 permit ip host 69.18.x.x any
[c-nsp] BGP load sharing accross 2 different providers
Hi everyone,

I was wondering what's the best way of load sharing traffic across 2 BGP sessions with 2 different ISPs (different AS numbers) but the same bandwidth (1 Gbps).

I found this article but I'm not sure if anyone has tried this before: http://www.ccnalab.net/load_sharing_bgp.php

I have also found this Cisco article which uses a different method: http://www.cisco.com/warp/public/459/40.html#conf4

Any thoughts?

Thanks,
Mo
Re: [c-nsp] access-list question
It will rate-limit traffic matching the ACL, not individual flows or IPs.

--
Regards,
Jason Plank
CCIE #16560

-- Original message --
From: Richey
> If I do the following will it rate-limit each IP to 1.8Mb or will it limit the group of IPs to 1.8Mb? I want each IP to get 1.8Mb.
>
> [...]
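Both replies are saying the same thing: one `rate-limit` statement is one token bucket, and ACL 199 simply decides which packets feed that bucket. The per-host variant Luan describes, as an added example that is not Richey's configuration: 1.8 Mbit/s is 1800000 bit/s (CAR rates must be multiples of 8000), and the burst values 337500 and 675000 are the ones from the posted config. The host addresses are RFC 5737 placeholders standing in for the 69.18.x.x hosts; the output-direction ACLs match the host as destination, which is what a wireless client sees as its download.

```ios
! Added example, not the poster's config. Host addresses are placeholders.
! One ACL per host and per direction. Each rate-limit statement carries its
! own token bucket, so a host cannot borrow from another host's allowance.
access-list 101 permit ip host 192.0.2.11 any
access-list 102 permit ip host 192.0.2.12 any
access-list 103 permit ip host 192.0.2.13 any
access-list 111 permit ip any host 192.0.2.11
access-list 112 permit ip any host 192.0.2.12
access-list 113 permit ip any host 192.0.2.13
!
interface Ethernet1/1
 description EB1 - Wireless
 rate-limit input access-group 101 1800000 337500 675000 conform-action transmit exceed-action drop
 rate-limit input access-group 102 1800000 337500 675000 conform-action transmit exceed-action drop
 rate-limit input access-group 103 1800000 337500 675000 conform-action transmit exceed-action drop
 rate-limit output access-group 111 1800000 337500 675000 conform-action transmit exceed-action drop
 rate-limit output access-group 112 1800000 337500 675000 conform-action transmit exceed-action drop
 rate-limit output access-group 113 1800000 337500 675000 conform-action transmit exceed-action drop
!
! Per-statement conformed/exceeded counters, one bucket per host:
! show interfaces Ethernet1/1 rate-limit
```

CAR statements are evaluated top-down and a packet is handled by the first one it matches, so a host that is not listed passes unlimited unless a final catch-all `rate-limit` is added. On platforms that support it, the same policy is written today as MQC `class-map`/`police` in a `policy-map`, which also allows one class per host.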
Re: [c-nsp] Two access-list questions..for Internet router
Jacob,

I think you need to talk to the ISP to see why they are NATing you, being such an odd address space. That range isn't routable (reserved by IANA still). If the router they gave you is NATing, you need to find the real address space you're NATing to if you want to write an ACL correctly for it. If they're not NATing you, don't bother with an ACL, because no one will be able to get to you anyway... :)

Chuck

-----Original Message-----
From: jacob c
Sent: Tuesday, January 22, 2008 11:46 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Two access-list questions..for Internet router

> My ISP gave me a 1.1.1.64/27 range. 1.1.1.65 will be the inside Ethernet interface of the router.
>
> 1) Does anyone see any issue with ONLY allowing the 1.1.1.65/27 range into my network, since that is my only public IP range?
>
> 2) Is it best practice (performance-wise) to put my hardened access-list, which includes the statement above, on the s0/2 interface for the Gigabit Ethernet interface?
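Once the real public block is known, the filter Jacob describes looks like the following. This is an added example, not Jacob's or Chuck's configuration: 198.51.100.64/27 (RFC 5737 documentation space) stands in for the /27 the ISP assigns, and Serial0/2 is taken as the ISP-facing interface. It also answers the placement question the way most operators do: the filter goes inbound on the interface facing the ISP, so unwanted packets are discarded before the router spends any forwarding effort on them, and a mirror-image egress filter keeps spoofed packets from leaving.

```ios
! Added example, not from the thread. 198.51.100.64/27 stands in for the
! assigned /27; Serial0/2 is assumed to be the ISP-facing interface.
ip access-list extended FROM-INTERNET
 remark Packets arriving from the ISP must not claim to come from our own block
 deny   ip 198.51.100.64 0.0.0.31 any
 remark Private and loopback sources have no business arriving from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Our public block is the only legitimate destination
 permit ip any 198.51.100.64 0.0.0.31
 deny   ip any any
!
ip access-list extended TO-INTERNET
 remark Only our own addresses may leave (BCP 38 egress filtering)
 permit ip 198.51.100.64 0.0.0.31 any
 deny   ip any any
!
interface Serial0/2
 description Uplink to ISP
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
!
! Hit counters show whether each line is doing work:
! show ip access-lists FROM-INTERNET
```

Two caveats a practitioner would want. If the point-to-point link to the ISP uses addresses outside the /27 (the serial interface's own address), traffic to and from that link address, including BGP or the ISP's monitoring pings, must be permitted explicitly above the final deny. And `log` on the deny lines is useful while tuning but is process-switched, so on a busy link it should be rate-limited (`ip access-list logging interval` or `logging rate-limit`) or left off in production.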
[c-nsp] PIM Split Rules and Multicast over L3 MPLS VPN
Hi,

PIM considers the source of the multicast to perform load splitting when the command ip multicast multipath is entered. When using multicast over L3 MPLS VPN, the source IP is the IP of PEx for any customer group connected to PEx. Is there any way to overcome this limitation and achieve load splitting of multicast over L3 MPLS VPN?

For example, consider this scenario:

Sender for G1 and G2 --- CE1 -- PE1 -- P1 -- PE2 -- CE2 --- receiver of G1 and G2
                                 |           |
                                 |____P2_____|

The goal is having G1 take path PE1--P1--PE2 and G2 take path PE1--P2--PE2 (but without using GRE encapsulation to have multicast encapsulated into unicast).

Thanks,
Alaerte
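An added example, not Alaerte's configuration, of the two knobs that bear on this in a Draft-Rosen mVPN. The core only ever sees (PE loopback, MDT group) flows, so separating G1 from G2 in the core needs (a) each high-rate customer flow to get its own data MDT group and (b) the RPF path choice on PE2, and on any P router with equal-cost paths back toward PE1, to hash on the group as well as the source. VRF name, RD, group ranges and AS number are placeholders; whether the installed IOS accepts the `s-g-hash` keyword is an assumption to check against its release notes.

```ios
! Added example, not from the thread. VRF name, RD, groups and ASN are
! placeholders; support for the s-g-hash keyword depends on the IOS release.
!
! --- On PE2 (and any P router with equal-cost paths toward PE1) ---
! Plain "ip multicast multipath" splits on the source only, and every MDT
! from PE1 has PE1's loopback as source. Hashing on (S,G) lets different
! core groups take different paths.
ip multicast multipath s-g-hash basic
!
! --- On PE1 and PE2 ---
ip multicast-routing
ip multicast-routing vrf CUST
!
! One default MDT carries control traffic and low-rate streams. Streams above
! the threshold move to a data MDT drawn from the pool, so G1 and G2 become
! two different (PE1, 239.192.11.x) flows in the core and can hash apart.
ip vrf CUST
 rd 65000:10
 route-target both 65000:10
 mdt default 239.192.10.1
 mdt data 239.192.11.0 0.0.0.255 threshold 1
!
! Which data MDT each customer (S,G) was mapped to:
! show ip pim vrf CUST mdt send
! show ip pim vrf CUST mdt receive
```

Note the limitation this does not remove: the split is a hash, so with only two flows they may still land on the same path; what the data MDTs buy is that the core has distinct (S,G) pairs to hash in the first place.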
Re: [c-nsp] SNMP Community Question
You can provide some form of filtering using SNMP views.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hnm_c/htnmsnmp.htm#wp1026473

I haven't used this functionality specifically for filtering access to interfaces, but I guess it would work.

--
Tassos

Mike Louis wrote on 22/1/2008 6:47 PM:
> With management applications becoming more of the norm, with things like the Vframe product from Cisco, is there a way to limit, from the network device side, what interfaces a particular community string can access?
>
> [...]
Re: [c-nsp] cisco 3560 layer3 performance
Mark Kent wrote:
> > Take a look at what the SDM says, with show sdm prefer. If you're running a VLAN-only template, all L3 traffic is process switched. In that case you should change it to default or whatever suits your needs.
>
> [...]
>
> We're not near any of these limits... but I'll scroll through all the options and record the changes.
>
> Thanks,
> -mark

Mark,

You would be surprised as to how close you really are to utilizing TCAM space. A show platform tcam utilization may open your eyes. We have been battling this CPU issue for months and it does all come back to TCAM hardware resources.

Manolo
Re: [c-nsp] SNMP Community Question
On Tue, 22 Jan 2008, Mike Louis wrote:

> With management applications becoming more of the norm, with things like the Vframe product from Cisco, is there a way to limit, from the network device side, what interfaces a particular community string can access?
>
> [...]

It's been a while, but I don't think the granularity of control you're looking for is possible using plain old SNMPv1. You might be able to do this with views in v2/v2c and similar controls in v3.

jms
Re: [c-nsp] SNMP Community Question
You could try to create an SNMP view:

snmp-server view fast00 <oid-tree of fast00> included

then

snmp-server community fast00 view fast00 RW

-lmn

On Jan 22, 2008 11:47 AM, Mike Louis wrote:
> With management applications becoming more of the norm, with things like the Vframe product from Cisco, is there a way to limit, from the network device side, what interfaces a particular community string can access?
>
> [...]
Re: [c-nsp] SNMP Community Question
Thanks for the feedback. That makes sense.

mike

From: Luan Nguyen
Sent: Tuesday, January 22, 2008 12:09 PM
To: Mike Louis
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SNMP Community Question

> You could try to create an SNMP view:
>
> snmp-server view fast00 <oid-tree of fast00> included
>
> then
>
> snmp-server community fast00 view fast00 RW
>
> -lmn
>
> [...]
Re: [c-nsp] ADSL
And what's wrong with PA-FE-TX + ISR?

Dave.

Sridhar Ayengar wrote:
> I *really* wish Cisco had made an ADSL PA.
>
> Peace...
> Sridhar
Re: [c-nsp] EzVPN drops packets after first data burst
I don't see your crypto isakmp nat keepalive statement. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123tcr/123tsr/sec_c2gt.htm#wp1203839

Dave.

Kristofer Sigurdsson wrote:
> Hi list,
>
> I have a Cisco 1841 router, IOS 12.4(12), Adv. IP Services. I'm using it as an EzVPN server where clients can VPN into a VRF which contains a local network.
>
> Clients can connect and start to use e.g. Remote Desktop to a computer on the inside network, but as soon as some traffic starts flowing (like opening a browser in Remote Desktop), the session hangs and, according to show crypto session remote peer detail, no new outbound (from the VPN server) packets come and I start seeing dropped inbound packets (dec'ed). Sample output:
>
> Crypto session current status
>
> Code: C - IKE Configuration mode, D - Dead Peer Detection
> K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
>
> Interface: FastEthernet0/0
> Session status: UP-ACTIVE
> Peer: x.x.x.x port 4406 fvrf: (none) ivrf: xx
>       Phase1_id:
>       Desc: (none)
>   IKE SA: local x.x.x.x/4500 remote x.x.x.x/4406 Active
>           Capabilities:CXN connid:233 lifetime:07:58:49
>   IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.10.210.158
>         Active SAs: 2, origin: dynamic crypto map
>         Inbound:  #pkts dec'ed 279 drop 69 life (KB/Sec) 4587796/86332
>         Outbound: #pkts enc'ed 432 drop 0 life (KB/Sec) 4587562/86332
>
> Whatever the user tries to do on the VPN, the only thing that changes (apart from time) is the dec'ed drop packets. The number of packets dec'ed/enc'ed is not exactly consistent, but this always happens at the first burst of data across the link. The counters go to a few hundred, then this happens. The VPN connection stays up, nothing unusual in the client. It says "transparent tunneling: active on UDP port 4500", so it probably doesn't matter that the client is behind NAT, right?
>
> The problem only depends on data going over the link, not time. If I'm just using ping, traceroute and SSH terminal access, there is no problem. As soon as I put a burst on the link, it hangs and does not recover.
>
> We have a few customers on the router, each using a different profile (pretty much the same configuration) and different VRFs for inside networks. Same problem for all of them.
>
> Thanks in advance,
> Kristo
>
> Here's the relevant configuration:
>
> aaa group server radius RADIUS-XX
>  server-private x.x.x.x auth-port 1645 acct-port 1646 key xxx
>  ip vrf forwarding xx
> aaa authentication login AAA-XX group RADIUS-XX
> aaa authorization network vpn local
> !
> ip vrf xx
>  description xx
>  rd 65365:7
>  route-target export 65365:7
>  route-target import 65365:7
> !
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 28800
> !
> crypto isakmp policy 20
>  encr 3des
>  authentication pre-share
>  group 5
> !
> crypto isakmp policy 30
>  encr 3des
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group
>  key x
>  dns x.x.x.x
>  pool xx
>  acl xx
>  group-lock
>  save-password
>  max-users 50
>  netmask 255.255.255.255
> !
> crypto isakmp profile
>  vrf xx
>  self-identity address
>  match identity group
>  client authentication list AAA-XX
>  isakmp authorization list vpn
>  client configuration address respond
>  initiate mode aggressive
>  local-address FastEthernet0/0
> !
> crypto ipsec security-association lifetime seconds 86400
> crypto ipsec security-association idle-time 86400
> !
> crypto ipsec transform-set vpn esp-3des esp-md5-hmac
> !
> ! dynamic-map vpn 1-6 and 8-... are other customers who also have the same problem
> !
> crypto dynamic-map vpn 7
>  set transform-set vpn
>  set isakmp-profile
>  reverse-route
> !
> crypto map vpn 65535 ipsec-isakmp dynamic vpn
> !
> interface FastEthernet0/0
>  description Uplink
>  ip address x.x.x.x 255.255.255.128
>  duplex auto
>  speed auto
>  crypto map vpn
> !
> interface FastEthernet0/1.930
>  encapsulation dot1Q 930
>  ip vrf forwarding xx
>  ip address 10.9.8.2 255.255.255.252
> !
> ! The RIP is to advertise the host routes to the VPN clients to another router on the inside (and receive routes from there)
> !
> router rip
>  version 2
>  !
>  address-family ipv4 vrf xx
>   redistribute connected
>   redistribute static
>   network 10.0.0.0
>   network 192.168.0.0
>   network 192.168.124.0
>   no auto-summary
>   version 2
>  exit-address-family
> !
> ip local pool xx 10.10.210.100 10.10.210.200 group xx
> !
> ip access-list extended xx
>  (lots of networks)
Re: [c-nsp] SNMP Community Question
On Tue, January 22, 2008 5:09 pm, Luan Nguyen wrote:
> You could try to create an SNMP view:
>
> snmp-server view fast00 <oid-tree of fast00> included
>
> then
>
> snmp-server community fast00 view fast00 RW

The difficult part here is that the MIB trees are typically built the other way out:

mib.stuff.interfacething.0
mib.stuff.interfacething.1
mib.stuff.interfacething.2
mib.stuff.otherinterfacething.0
mib.stuff.otherinterfacething.1
mib.stuff.otherinterfacething.2

Rather than:

mib.interfaces.0.stuff.interfacething
mib.interfaces.0.stuff.otherinterfacething
mib.interfaces.1.stuff.interfacething
...

I'm not sure if you can wildcard in the middle of a view, e.g.:

deny   mib.stuff.*.0
permit mib.stuff.*.1
deny   mib.stuff.*.2

Otherwise, it's going to be quite a long-winded view definition...

Regards,
Tim.
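IOS does accept the wildcard Tim is asking about: in `snmp-server view`, a single subidentifier of the oid-tree may be replaced by `*`, which is exactly what the column-before-index layout of ifTable needs. The following is an added example (not Luan's or Tim's configuration) for Mike's case of one community confined to a handful of interfaces: ifIndex values 9, 10 and 11 and the management server address 10.0.0.5 are assumed; look the real ifIndex values up with `show snmp mib ifmib ifindex` before copying anything.

```ios
! Added example, not from the thread. ifIndex values 9, 10 and 11 and the
! management server address are assumed; look the real ones up first.
!
! Keep ifIndex values stable across reloads, otherwise the view silently
! starts to cover different ports after a reboot.
snmp-server ifindex persist
!
! The view: the system group for discovery, plus every column of the ifTable
! and ifXTable rows for the chosen interfaces. "*" replaces the column
! subidentifier (ifDescr, ifAdminStatus, ...), so one line per interface
! covers the whole row. Anything not listed is invisible to the community.
snmp-server view BLADE9 system included
snmp-server view BLADE9 1.3.6.1.2.1.2.2.1.*.9 included
snmp-server view BLADE9 1.3.6.1.2.1.2.2.1.*.10 included
snmp-server view BLADE9 1.3.6.1.2.1.2.2.1.*.11 included
snmp-server view BLADE9 1.3.6.1.2.1.31.1.1.1.*.9 included
snmp-server view BLADE9 1.3.6.1.2.1.31.1.1.1.*.10 included
snmp-server view BLADE9 1.3.6.1.2.1.31.1.1.1.*.11 included
!
! Bind the view to the RW community and restrict the community to the
! management server's address.
access-list 10 permit host 10.0.0.5
access-list 10 deny any log
snmp-server community blade9rw view BLADE9 RW 10
!
! The same view carries over to SNMPv3, which adds authentication and
! encryption of the session. Passphrases are placeholders.
snmp-server group BLADE9-GRP v3 priv read BLADE9 write BLADE9 access 10
snmp-server user vframe BLADE9-GRP v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! Verify:
! show snmp view
! show snmp community
! show snmp mib ifmib ifindex
```

Two points worth keeping in mind. A view restricts objects, not intentions: a writable row the view does not include is simply "noSuchObject" to that community, which is what you want, but an RW community with access to the system group can still set sysContact and friends, so trim `system` to read-only objects if that matters. And a blade's ports are many ifIndex values, not one; a line per index per table is still far shorter than the alternative Tim describes, which would have to list every column of every row.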
Re: [c-nsp] ADSL
David Freedman wrote: And Whats wrong with PA-FE-TX + ISR? It requires MSS clamping in the configuration to work right because people tend to ignore proper guidelines and block all ICMP. Peace... Sridhar Sridhar Ayengar wrote: I *really* wish Cisco had made an ADSL PA. Peace... Sridhar ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
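Sridhar's point is the classic PMTUD black hole: when the path has a smaller MTU than the ends assume (PPPoE on ADSL leaves 1492 bytes) and the "fragmentation needed" ICMP message is filtered somewhere, large TCP segments vanish and sessions hang after the handshake. Rewriting the MSS option in the SYN (what IOS does with ip tcp adjust-mss) sidesteps ICMP altogether, because each end then never sends a segment larger than the link can carry. The block below is an added example, not code from the thread or from IOS: it builds a constructed IPv4/TCP SYN, clamps its MSS for an assumed 1492-byte link, and recomputes the TCP checksum. Addresses, ports and the MTU are assumptions for illustration.

```python
"""Clamp the TCP MSS option in a SYN so the segment fits a smaller link MTU.

Added example, not from the thread: the mechanism behind IOS 'ip tcp
adjust-mss', written out over constructed packets. Addresses, ports and the
PPPoE-style MTU of 1492 are assumptions for illustration.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _tcp_checksum(ip_hdr: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, 0, proto, len) + segment."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp)


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample packet: IPv4 header + TCP SYN carrying one MSS option."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      6 << 4,        # data offset: 24 bytes = 6 words
                      0x02,          # flags: SYN
                      65535, 0, 0)   # window, checksum (filled below), urgent
    tcp += struct.pack("!BBH", 2, 4, mss)     # option kind 2, length 4, MSS
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(ip, tcp)) + tcp[18:]
    return ip + tcp


def _mss_option_offset(tcp: bytes) -> Optional[int]:
    """Byte offset of the 16-bit MSS value inside the TCP header, or None."""
    data_off = (tcp[12] >> 4) * 4
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                       # end of option list
            return None
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= data_off:
            return None
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:   # malformed option list
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet: bytes) -> Optional[int]:
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]


def clamp_mss(packet: bytes, link_mtu: int) -> Tuple[bytes, Optional[int]]:
    """Return (packet, new_mss). new_mss is None when nothing changed: not TCP,
    not a SYN, no MSS option, or an MSS that already fits link_mtu."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                      # IP protocol 6 = TCP
        return packet, None
    ip_hdr, tcp = packet[:ihl], bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                  # only SYN / SYN-ACK carry MSS
        return packet, None
    off = _mss_option_offset(bytes(tcp))
    if off is None:
        return packet, None
    limit = link_mtu - 40                   # 20-byte IPv4 + 20-byte TCP header
    if struct.unpack_from("!H", tcp, off)[0] <= limit:
        return packet, None
    struct.pack_into("!H", tcp, off, limit)
    tcp[16:18] = b"\x00\x00"                # recompute the TCP checksum
    struct.pack_into("!H", tcp, 16, _tcp_checksum(ip_hdr, bytes(tcp)))
    return ip_hdr + bytes(tcp), limit


def tcp_checksum_ok(packet: bytes) -> bool:
    """A valid segment sums to zero when the checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[:ihl], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.20", 40000, 80, 1460)
    clamped, new_mss = clamp_mss(syn, 1492)          # PPPoE-sized link
    print("MSS", read_mss(syn), "->", new_mss, "checksum ok:", tcp_checksum_ok(clamped))
```

The clamp only ever lowers the value, so a host that already advertises a small MSS is left alone, and the IP header is untouched because the packet length does not change. It does nothing for UDP or for non-TCP traffic, which is why the proper fix is still to let ICMP type 3 code 4 through.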
[c-nsp] SXH1 - lab tested/live router
Has anyone other than cisco lab tested or put SXH1 into production yet? I am still waiting on approval for lab time.

The bug fixes most relevant to me are:
- DOM support for older XENPAKs (supposedly fixed)
- Stability Improvements (a number of bug fixes)
- Insertion of a line into an active BGP loopback group leading to uneven traffic distribution requiring hard bgp reset to rectify.
- memory/cpu usage tracking via SNMP in the modular version.

The DOM support had kept us from considering upgrading to SXH. The SNMP cpu usage tracking kept us from considering modular versions. My understanding from the docs is that both of these are fixed. Has anyone confirmed (not that cisco documentation is ever inaccurate)? Any notes on oddities encountered would be helpful to everyone on the list considering upgrading. The cisco people lurking in the background might also be interested in practical experiences.

-- LR Mack McBride Network Administrator Alpha Red, Inc.
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] RTBH - anyone using this?
I'm following this guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf if anyone knows of a better one please do enlighten me ☺ Everything works a lot better than I imagined it would except for one issue and one question.

Question: There is simply no reason to be exporting the routes from the edge routers to the triggers if I am reading this document correctly. Rather than using prefix or filter lists, is there a handy way to make the edge routers not send routes to the trigger server (using a command in that peer-group?)

The issue I am having is kind of strange and I've never run across it before like many of my issues….. RTBH has you add a static route on the edge routers which acts as a next-hop for the routes which are sent by the trigger server/router. For whatever reason the routes sent by the trigger server/router aren't being entered into my routing table on the Edge routers because it is giving me RIB failures:

LAB01#sh ip bgp nei 10.1.0.11 routes
BGP table version is 476702490, local router ID is 10.1.0.9
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
r i blocked/28      192.0.2.1                0    200      0 i

LAB01#sh ip route 192.0.2.1
Routing entry for 192.0.2.1/32
  Known via "static", distance 1, metric 0 (connected)
  Tag 50
  Redistributing via ospf 1
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
      Route tag 50

Clearly there is a route to 192.0.2.1 with a destination of Null so it does appear to be a valid route, yet bgp refuses to add the "blocked/28" route to the routing table. Has anyone run into this before? Thanks!

-Drew
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Two access-list questions..for Internet router
[mailto:[EMAIL PROTECTED] On Behalf Of jacob c
Sent: Tuesday, January 22, 2008 8:46 AM

1) Does anyone see any issue with ONLY allowing 1.1.1.65 /27 range into my network since that is my only Public IP Range?

Make sure that you include your interface IP (if you have a routed block), but I think that's a pretty common configuration.

2) Is it best practice (performance-wise) to put my hardened access-list which includes the statement above on the s0/2 interface for the gigabit ethernet interface?

Put it on S0/2; drop the traffic as early as you can.

To the other poster regarding the 1.1.1.x addresses; I think that was just an attempt to keep the question generic.

Thanks, Josh
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
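What "only allow my /27 in" actually permits and drops is easy to get subtly wrong (the serial interface's own address, spoofed packets claiming to come from inside, the implicit deny at the end), so here is an evaluator for an IOS-style extended ACL as an added example, not code from the thread or from IOS. It keeps the thread's generic 1.1.1.64/27 as the public block; the /32 link address 1.1.1.1, the individual entries and the sample packets are assumptions for illustration. The renderer prints the same list in IOS syntax with wildcard masks so it can be compared against a real config.

```python
"""Evaluate an IOS-style extended ACL against sample packets.

Added example, not from the thread. 1.1.1.64/27 keeps the thread's generic
addressing; the link address, the entries and the packets are assumptions.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


class Ace(NamedTuple):
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    dport: Optional[int] = None


def wildcard(cidr: str) -> str:
    """IOS writes ACL addresses as network + wildcard (inverse) mask."""
    net = ip_network(cidr)
    return "%s %s" % (net.network_address, net.hostmask)


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def render(acl: List[Ace], name: str = "INET-IN") -> str:
    """The same list in IOS syntax, for comparison with a running config."""
    lines = ["ip access-list extended " + name]
    for ace in acl:
        parts = [" " + ace.action, ace.proto,
                 "any" if ace.src == "any" else wildcard(ace.src),
                 "any" if ace.dst == "any" else wildcard(ace.dst)]
        if ace.dport is not None:
            parts.append("eq %d" % ace.dport)
        lines.append(" ".join(parts))
    return "\n".join(lines)


PUBLIC = "1.1.1.64/27"        # the only public range, as in Jacob's question
LINK_IP = "1.1.1.1/32"        # assumed address of S0/2 (Josh's "include your interface IP")

# Inbound on the serial interface: drop early, drop spoofs, allow only our own block.
INBOUND = [
    Ace("deny", "ip", PUBLIC, "any"),        # our block must never arrive from outside
    Ace("deny", "ip", "10.0.0.0/8", "any"),  # RFC 1918 sources are always bogus here
    Ace("permit", "ip", "any", PUBLIC),      # only our public range as destination
    Ace("permit", "ip", "any", LINK_IP),     # ... plus the link address itself
]


if __name__ == "__main__":
    print(render(INBOUND))
    for pkt in (Packet("203.0.113.9", "1.1.1.70", "tcp", 443),
                Packet("203.0.113.9", "1.1.1.1", "icmp"),
                Packet("203.0.113.9", "1.1.1.200", "tcp", 443),
                Packet("1.1.1.70", "1.1.1.71", "tcp", 22)):
        print(pkt, "->", evaluate(INBOUND, pkt))
```

Note the order: the anti-spoofing deny sits above the permit for the public block, because a packet sourced from 1.1.1.70 and destined to 1.1.1.71 matches both, and only the first entry counts.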
Re: [c-nsp] RTBH - anyone using this?
You need to add disable-connected-check to the peer's bgp configuration. (I know the documentation doesn't say so but that's what makes it work for me.)

On Tue, 22 Jan 2008, Drew Weaver wrote:
I'm following this guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf if anyone knows of a better one please do enlighten me ☺ Everything works a lot better than I imagined it would except for one issue and one question.

Question: There is simply no reason to be exporting the routes from the edge routers to the triggers if I am reading this document correctly. Rather than using prefix or filter lists, is there a handy way to make the edge routers not send routes to the trigger server (using a command in that peer-group?)

The issue I am having is kind of strange and I've never run across it before like many of my issues….. RTBH has you add a static route on the edge routers which acts as a next-hop for the routes which are sent by the trigger server/router. For whatever reason the routes sent by the trigger server/router aren't being entered into my routing table on the Edge routers because it is giving me RIB failures:

LAB01#sh ip bgp nei 10.1.0.11 routes
BGP table version is 476702490, local router ID is 10.1.0.9
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
r i blocked/28      192.0.2.1                0    200      0 i

LAB01#sh ip route 192.0.2.1
Routing entry for 192.0.2.1/32
  Known via "static", distance 1, metric 0 (connected)
  Tag 50
  Redistributing via ospf 1
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
      Route tag 50

Clearly there is a route to 192.0.2.1 with a destination of Null so it does appear to be a valid route, yet bgp refuses to add the "blocked/28" route to the routing table. Has anyone run into this before? Thanks!
-Drew
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
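The mechanism Drew describes, and that the reply above is debugging, is three things working together on the edge router: a static route for a dead address (192.0.2.1) pointing at Null0, a BGP route from the trigger whose next hop is that address, and recursive next-hop resolution that turns "forward to 192.0.2.1" into "discard". A route whose next hop has no entry in the RIB at all cannot be installed, which is one of the conditions IOS reports with the r status code. The model below is an added example, not code from the thread or from Cisco's whitepaper, and it makes no claim about why Drew's particular route failed: it is a deliberately small RIB with longest-prefix match, recursive resolution, and the install check. 192.0.2.1 is the discard next hop from the whitepaper; the prefixes, the interface names, the tag value 50 and the victim address are assumptions.

```python
"""Model of what an RTBH edge router does with a trigger route.

Added example, not from the thread or Cisco's whitepaper: a small RIB with
longest-prefix match, recursive next-hop resolution and the rule that a BGP
route whose next hop does not resolve is not installed (one cause of the
'r' RIB-failure code). Prefixes, interfaces, tag 50 and the victim address
are assumptions; 192.0.2.1 is the discard next hop the whitepaper uses.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional

DISCARD = "Null0"


class Route:
    def __init__(self, prefix: str, protocol: str, interface: Optional[str] = None,
                 next_hop: Optional[str] = None, tag: Optional[int] = None):
        self.prefix = ip_network(prefix)
        self.protocol = protocol
        self.interface = interface                     # set for connected / interface-static routes
        self.next_hop = ip_address(next_hop) if next_hop else None
        self.tag = tag


class Rib:
    def __init__(self):
        self.routes: List[Route] = []

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match."""
        a = ip_address(addr)
        best = None
        for r in self.routes:
            if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def resolve(self, addr: str, max_depth: int = 8) -> Optional[str]:
        """Follow recursive next hops until an outgoing interface is found."""
        hop = addr
        for _ in range(max_depth):
            r = self.lookup(hop)
            if r is None:
                return None
            if r.interface is not None:
                return r.interface
            hop = str(r.next_hop)
        return None                                    # loop or too deep

    def add_connected(self, prefix: str, interface: str) -> None:
        self.routes.append(Route(prefix, "connected", interface=interface))

    def add_static(self, prefix: str, interface: str, tag: Optional[int] = None) -> None:
        self.routes.append(Route(prefix, "static", interface=interface, tag=tag))

    def install_bgp(self, prefix: str, next_hop: str) -> bool:
        """Install a BGP-learned route only if its next hop resolves;
        otherwise report failure instead of installing."""
        if self.resolve(next_hop) is None:
            return False
        self.routes.append(Route(prefix, "bgp", next_hop=next_hop))
        return True


def edge_router() -> Rib:
    """Assumed edge: an uplink, a customer block, and the RTBH discard route."""
    rib = Rib()
    rib.add_connected("10.1.0.0/24", "GigabitEthernet0/0")       # towards core / trigger
    rib.add_connected("203.0.113.0/24", "GigabitEthernet0/1")    # customer block
    rib.add_static("192.0.2.1/32", DISCARD, tag=50)              # ip route 192.0.2.1 255.255.255.255 Null0 tag 50
    return rib


def blackhole(rib: Rib, victim_prefix: str) -> bool:
    """What the trigger's iBGP advertisement does on the edge: a prefix more
    specific than the customer route, with next hop 192.0.2.1."""
    return rib.install_bgp(victim_prefix, "192.0.2.1")


def forwarding_decision(rib: Rib, dst: str) -> str:
    iface = rib.resolve(dst)
    if iface is None:
        return "unreachable"
    return "drop" if iface == DISCARD else "forward via " + iface


if __name__ == "__main__":
    rib = edge_router()
    print("before:", forwarding_decision(rib, "203.0.113.5"))
    print("installed:", blackhole(rib, "203.0.113.5/32"))
    print("after: ", forwarding_decision(rib, "203.0.113.5"))
    print("neighbour untouched:", forwarding_decision(rib, "203.0.113.6"))
    print("bad next hop installs:", rib.install_bgp("198.51.100.0/24", "192.0.2.2"))
```

The last call shows the failure mode in its simplest form: a trigger route pointing at a next hop nobody has a route for is never installed. Real IOS has more reasons to report RIB-failure than that one (the reply above found one that needed disable-connected-check), so treat this as the baseline to check first, not the whole story.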
Re: [c-nsp] ISIS/OSPF covergence ISIS packets authentication
Hi Suzan - Not sure if anybody has replied -

On your first question below: You have not indicated which platform/hardware information along with the IOS that these are running for FC. As a good starting point, you can take a look at the following info.
http://www.nanog.org/mtg-0310/filsfils.html
http://www.nanog.org/mtg-0405/vemulapalli.html [later part of the presentation covers some FC topics]
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fstfld.html
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsisiadv.html
More information can be gleaned from the www.cisco.com.

On your second question:
Domain password: is for IS-IS level-2
Area password: is for IS-IS level-1
The following URL should be able to answer the other questions on configuration piece.
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804557c7.html

Hope it helps. /Shankar

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Suzan S. Sent: Sunday, January 20, 2008 12:20 AM To: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net Subject: [c-nsp] ISIS/OSPF covergence ISIS packets authentication

Dears, What are the commands used for fast convergence for the ISIS OSPF when link fails, adjacency rebuild with less CPU, bandwidth recalculation. For the ISIS authentication when to use the domain area password commands, how to authenticate adjacency how to authenticate the ISIS packets. Thank you Suzan

- Looking for last minute shopping deals? Find them fast with Yahoo! Search.
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
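Shankar's mapping (domain password for level-2, area password for level-1) says which PDUs carry the password; what goes on the wire is the same Authentication TLV (type 10) either way, and with the cleartext type it is literally the password. The HMAC-MD5 variant (authentication type 54, RFC 5304) puts a keyed digest in that TLV instead, computed over the whole PDU with the digest field zeroed and, for LSPs, with the Remaining Lifetime and Checksum fields zeroed as well, since those change legitimately as the LSP is flooded. The block below is an added example, not code from the thread or from the Cisco documents linked above: it builds a constructed L2 LSP, signs and verifies it both ways, and shows that a tampered TLV fails while an aged lifetime still verifies. The system ID, area, key and TLV contents are assumptions; the PDU framing assumes a 6-byte system ID.

```python
"""IS-IS PDU authentication: cleartext (Authentication Type 1) beside
HMAC-MD5 (Authentication Type 54, RFC 5304).

Added example, not from the thread or the Cisco docs it links. The LSP is a
constructed, minimal IS-IS PDU with a 6-byte system ID; the key, system ID
and TLV contents are assumptions. The Authentication TLV layout and the
RFC 5304 digest procedure are the real ones.
"""
import hashlib
import hmac
import struct

AUTH_TLV = 10
AUTH_CLEARTEXT = 1
AUTH_HMAC_MD5 = 54
LSP_PDU_TYPES = {18, 20}                   # L1 and L2 link-state PDUs


def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", tlv_type, len(value)) + value


# Constructed payload: area address 49.0001, IPv4 supported, hostname "edge1".
SAMPLE_TLVS = tlv(1, b"\x03\x49\x00\x01") + tlv(129, b"\xcc") + tlv(137, b"edge1")


def build_lsp(lsp_id: bytes, seq: int, lifetime: int, tlvs: bytes) -> bytes:
    """L2 LSP (PDU type 20): 8-byte common header, 19-byte LSP header, TLVs.
    The Fletcher checksum is left zero; it is an integrity check, not auth."""
    common = struct.pack("!BBBBBBBB", 0x83, 27, 1, 0, 20, 1, 0, 0)
    fixed = struct.pack("!HH8sIHB", 27 + len(tlvs), lifetime, lsp_id, seq, 0, 0x03)
    return common + fixed + tlvs


def _find_auth_tlv(pdu: bytes):
    """Offset of the Authentication TLV, or None. Byte 1 of the common header
    is the header length, so the TLV area starts there for any PDU type."""
    i = pdu[1]
    while i + 2 <= len(pdu):
        if pdu[i] == AUTH_TLV:
            return i
        i += 2 + pdu[i + 1]
    return None


def _digest_input(pdu: bytes, off: int) -> bytes:
    """RFC 5304 3.1: zero the Authentication Value; for LSPs also zero the
    Remaining Lifetime and Checksum, which change in transit."""
    buf = bytearray(pdu)
    length = buf[off + 1]
    buf[off + 3: off + 2 + length] = bytes(length - 1)
    if buf[4] & 0x1F in LSP_PDU_TYPES:
        buf[10:12] = b"\x00\x00"           # Remaining Lifetime
        buf[24:26] = b"\x00\x00"           # Checksum (offset assumes 6-byte system ID)
    return bytes(buf)


def sign_lsp_hmac_md5(lsp_id: bytes, seq: int, lifetime: int, tlvs: bytes, key: bytes) -> bytes:
    """Append a zero-filled 16-byte Authentication Value, then fill it in."""
    placeholder = tlv(AUTH_TLV, bytes([AUTH_HMAC_MD5]) + bytes(16))
    pdu = build_lsp(lsp_id, seq, lifetime, tlvs + placeholder)
    off = _find_auth_tlv(pdu)
    mac = hmac.new(key, _digest_input(pdu, off), hashlib.md5).digest()
    return pdu[:off + 3] + mac + pdu[off + 19:]


def verify_hmac_md5(pdu: bytes, key: bytes) -> bool:
    off = _find_auth_tlv(pdu)
    if off is None or pdu[off + 1] != 17 or pdu[off + 2] != AUTH_HMAC_MD5:
        return False
    expected = hmac.new(key, _digest_input(pdu, off), hashlib.md5).digest()
    return hmac.compare_digest(expected, pdu[off + 3: off + 19])


def build_lsp_cleartext(lsp_id: bytes, seq: int, lifetime: int, tlvs: bytes, password: bytes) -> bytes:
    """What area-password / domain-password put on the wire: the password itself."""
    return build_lsp(lsp_id, seq, lifetime,
                     tlvs + tlv(AUTH_TLV, bytes([AUTH_CLEARTEXT]) + password))


def verify_cleartext(pdu: bytes, password: bytes) -> bool:
    off = _find_auth_tlv(pdu)
    if off is None or pdu[off + 2] != AUTH_CLEARTEXT:
        return False
    return hmac.compare_digest(pdu[off + 3: off + 2 + pdu[off + 1]], password)


if __name__ == "__main__":
    sysid = b"\x00\x00\x00\x00\x00\x01\x00\x00"      # system 0000.0000.0001, pseudonode 0, fragment 0
    signed = sign_lsp_hmac_md5(sysid, 7, 1200, SAMPLE_TLVS, b"s3cret-isis")
    print("hmac verifies:", verify_hmac_md5(signed, b"s3cret-isis"))
    clear = build_lsp_cleartext(sysid, 7, 1200, SAMPLE_TLVS, b"area-pw")
    print("password visible on the wire:", b"area-pw" in clear)
```

In IOS terms, area-password and domain-password produce the cleartext TLV at level-1 and level-2 respectively; authentication mode md5 with a key chain produces the HMAC-MD5 form in the same TLV, on IIHs per interface (isis authentication) and on LSPs/SNPs under router isis. Only the HMAC form stops a passive listener from learning the secret and an active one from replaying a modified LSP with a fresh lifetime.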
Re: [c-nsp] 3560/3750 12.2(44)
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Louis I recently upgraded some switches 3750 from 12.2(35) ipbase to 12.2(44) and now the ip tacacs source-interface command is missing Anyone else seen this? I upgraded my lab 3560 to same rev of code and found the same command missing. I believe that the source-interface command is silently dropped if the interface doesn't exist. Not sure if that's what you hit, but it's caught me on several occasions. Thanks, Josh ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 3560/3750 12.2(44)
Yes, I saw it there, its just no longer under global configuration. That's what I was asking. -Original Message- From: Tassos Chatzithomaoglou [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 22, 2008 2:34 PM To: Mike Louis Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] 3560/3750 12.2(44) There have been some cases reported here (for other IOS), that this command might have moved under the aaa group xxx for tacacs. -- Tassos Higham, Josh wrote on 22/1/2008 8:11 μμ: [mailto:[EMAIL PROTECTED] On Behalf Of Mike Louis I recently upgraded some switches 3750 from 12.2(35) ipbase to 12.2(44) and now the ip tacacs source-interface command is missing Anyone else seen this? I upgraded my lab 3560 to same rev of code and found the same command missing. I believe that the source-interface command is silently dropped if the interface doesn't exist. Not sure if that's what you hit, but it's caught me on several occasions. Thanks, Josh Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 3560/3750 12.2(44)
Its not being dropped from the configuration, its not available in the global configuration. (config)# -Original Message- From: Higham, Josh [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 22, 2008 1:12 PM To: Mike Louis; cisco-nsp@puck.nether.net Subject: RE: [c-nsp] 3560/3750 12.2(44) [mailto:[EMAIL PROTECTED] On Behalf Of Mike Louis I recently upgraded some switches 3750 from 12.2(35) ipbase to 12.2(44) and now the ip tacacs source-interface command is missing Anyone else seen this? I upgraded my lab 3560 to same rev of code and found the same command missing. I believe that the source-interface command is silently dropped if the interface doesn't exist. Not sure if that's what you hit, but it's caught me on several occasions. Thanks, Josh ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 3560/3750 12.2(44)
There have been some cases reported here (for other IOS), that this command might have moved under the aaa group xxx for tacacs. -- Tassos Higham, Josh wrote on 22/1/2008 8:11 μμ: [mailto:[EMAIL PROTECTED] On Behalf Of Mike Louis I recently upgraded some switches 3750 from 12.2(35) ipbase to 12.2(44) and now the ip tacacs source-interface command is missing Anyone else seen this? I upgraded my lab 3560 to same rev of code and found the same command missing. I believe that the source-interface command is silently dropped if the interface doesn't exist. Not sure if that's what you hit, but it's caught me on several occasions. Thanks, Josh ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Bug Toolkit on CSCsj08713
I've filled the feedback form on bug toolkit for CSCsj08713, the bug that someone here on cisco-nsp pointed out for BFD x BVI support. They simply don't get it that the bug isn't something that wasn't working before, is that it's now disabled, they think it's now working on fixed versions. Someone clueful at Cisco could try fixing this from the inside, please? It's already very frustrating that the boxes don't do what most of the nsp community needs, and then the support knowledge is reverse documented? Too bad. Rubens

-- Forwarded message --
From: Bug Toolkit Support [EMAIL PROTECTED]
Date: Jan 21, 2008 11:40 PM
Subject: RE: Feedback Submitted for Bug Toolkit
To: , btk-support(mailer list) [EMAIL PROTECTED]
Cc: rne-feedback (mailer list) [EMAIL PROTECTED]

Please work with TAC on this. They need to communicate your needs to the development teams directly. The data looks correct on this end. Bug Toolkit Support

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, January 21, 2008 12:13 PM To: btk-support(mailer list) Cc: rne-feedback (mailer list) Subject: Re: Feedback Submitted for Bug Toolkit

Actually it's the other way around: updating from 12.2(18)ZU2, which had support for BFD BVI, to 12.2(33)SXH(main or SXH1), which hasn't, disable BFD BVI. The same happened with 12.2(33)SRC, which no longer has BFD BVI support, and previous 7600 IOS versions, which had. The solution was to disable a very useful feature. Rubens

On Jan 21, 2008 2:25 PM, Bug Toolkit Support [EMAIL PROTECTED] wrote:
It's not supported because it's a bug in the software (it should work). Please update your IOS to a version containing the fix. Bug Toolkit provides access to the latest raw bug data so you have the earliest possible knowledge of bugs that may affect your network, avoiding un-necessary downtime or inconvenience. Because you are viewing a live database, sometimes the information provided is not yet complete or adequately documented.
To help you interpret this bug data, we suggest the following:
- The status of this bug is fixed. The problem described in the bug report is fixed-in all release versions targeted to be fixed, and all changes have been successfully tested.
- Check for a software release later than these listed in the Fixed-in versions in software download center.
- The fixed-in version may not be available for download yet until all the other bugs targeted to be fixed for that major release are processed. No release date information is available to Bug Toolkit. Please check the software download section frequently to look for a new version.
- Sometimes the bug details, when available, contain the fixed-in version information or link to the upgrade or patch.
- Always check the software release notes before performing any upgrade to understand new functionality and open bugs not yet fixed.
- Any workaround listed in the bug details section is generally provided as a way to circumvent the bug until the code fix has been completed; often in lieu of downgrading to a non-affected version of code.
- In certain rare circumstances, we are unable to fix the bug in all versions in which it is found. The bug will still have a 'fixed' status. Please open a service request with the Technical Assistance Center if you are being impacted by a bug in this condition.
- Obscure version references are usually internal builds and may never be posted as a full release. Please watch for a release version later than the interim build displayed.
-Original Message- From: FeedbackTool [mailto:[EMAIL PROTECTED] Sent: Sunday, January 20, 2008 12:25 PM To: rne-feedback (mailer list) Subject: Feedback Submitted for Bug Toolkit

Bug ID: CSCsj08713
Doc Url: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj08713
Please rate this release note: 1
This release note solved my problem: no
Suggestions for improvement: The details on why BFD is not supported on SVI interfaces are lacking.
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco 7304-NSE100 ICMP messages originated from 0.0.0.0
Yes, that is a known bug of PXF, EC and SB IOS.

CSCsj02377 ICMP messages generated on port channels use 0.0.0.0 address (from phy)
Release-note:
Symptom: ICMP unreach messages generated by c10k when port channels in use
Conditions: when the port channel is obliged to generate an icmp unreach
Workaround: none.

We're waiting for a fix in next SB release (according to the DE). If you disable PXF, it should work fine.
-- Tassos

Michiel Van Opstal wrote on 22/1/2008 11:50 μμ:
Dear Colleagues, I have a cisco 7304 with Dual NSE100 in SSO config running 12.2(31)SB10 and I am observing ICMP messages being sent from 0.0.0.0 as source address. Did anyone observe this behaviour before? I am suspecting this might be related to port-channel configuration on this specific 7304.

future# traceroute www.google.be
traceroute: Warning: www.google.be has multiple addresses; using 66.249.93.147
traceroute to www.l.google.com (66.249.93.147), 30 hops max, 40 byte packets
 1 193.202.9.1 (193.202.9.1) 0.413 ms 0.311 ms 0.285 ms
 2 * * *
 3 ge-4-0.bb1.bru2.be.gbxs.net (193.27.64.50) 34.700 ms 198.130 ms 6.055 ms
 4 so-7-0-0-0.bb1.ams3.nl.gbxs.net (83.143.243.18) 5.168 ms 4.950 ms 4.976 ms
 5 core2.ams.google.com (195.69.145.100) 5.403 ms 5.203 ms 5.186 ms
 6 209.85.254.90 (209.85.254.90) 5.834 ms 5.587 ms 5.606 ms
 7 72.14.232.141 (72.14.232.141) 8.466 ms 15.522 ms 8.153 ms
 8 72.14.233.83 (72.14.233.83) 8.592 ms 8.360 ms 8.243 ms
 9 66.249.94.54 (66.249.94.54) 8.917 ms 18.335 ms 17.992 ms
10 ug-in-f147.google.com (66.249.93.147) 9.133 ms 9.215 ms 9.738 ms

21:39:01.096148 IP 193.202.9.1 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:01.097391 IP 193.202.9.1 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:01.097788 IP 193.202.9.1 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:01.098675 IP 0.0.0.0 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:06.099358 IP 0.0.0.0 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:11.100158 IP 0.0.0.0 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.134864 IP ge-4-0.bb1.bru2.be.gbxs.net > future.as3322.net: ICMP time exceeded in-transit, length 148
21:39:16.334467 IP ge-4-0.bb1.bru2.be.gbxs.net > future.as3322.net: ICMP time exceeded in-transit, length 148
21:39:16.340555 IP ge-4-0.bb1.bru2.be.gbxs.net > future.as3322.net: ICMP time exceeded in-transit, length 148
21:39:16.345534 IP so-7-0-0-0.bb1.ams3.nl.gbxs.net > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.351504 IP so-7-0-0-0.bb1.ams3.nl.gbxs.net > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.356497 IP so-7-0-0-0.bb1.ams3.nl.gbxs.net > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.361742 IP core2.ams.google.com > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.382117 IP core2.ams.google.com > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.387332 IP core2.ams.google.com > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.392948 IP 209.85.254.90 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.625195 IP 209.85.254.90 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.630835 IP 209.85.254.90 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.639089 IP 72.14.232.141 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.740594 IP 72.14.232.141 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.748776 IP 72.14.232.141 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.757164 IP 72.14.233.83 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.939347 IP 72.14.233.83 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.947625 IP 72.14.233.83 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:16.956294 IP 66.249.94.54 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:17.136511 IP 66.249.94.54 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:17.154543 IP 66.249.94.54 > future.as3322.net: ICMP time exceeded in-transit, length 36
21:39:17.163454 IP ug-in-f147.google.com > future.as3322.net: ICMP ug-in-f147.google.com udp port 33462 unreachable, length 36
21:39:17.340377 IP ug-in-f147.google.com > future.as3322.net: ICMP ug-in-f147.google.com udp port 33463 unreachable, length 36
21:39:17.350141 IP ug-in-f147.google.com > future.as3322.net: ICMP ug-in-f147.google.com udp port 33464 unreachable, length 36

Kind Regards, Michiel
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at