[c-nsp] QoS limiting on 10Ge ports

2008-02-05 Thread Wyatt Mattias Ishmael Jovial Gyllenvarg
Hi all

I'm looking to limit a 10Ge to ~3Gb using policing.
Platform is 650X/760X Sup32 10Ge PFC3 MSFC 2A.
Is this possible at these speeds?

Any experience to share?

Best regards
Mattias Gyllenvarg
Skycom AB
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] IP SLA - dns operation: Error code=4

2008-02-05 Thread Giles Coochey
Hello,

I'm testing various aspects of IP SLA, and have been trying to set up an
HTTP get url operation - unsuccessfully.

My configuration is as follows:

ip sla monitor 300
 type http operation get url http://www.example.com name-server
name-server cache disable
 threshold 5000
 frequency 300
ip sla monitor schedule 300 life forever start-time now

On doing a sh ip sla monitor operational-state 300 I get:

Latest operation return code: Internal error

On enabling trace and error debugging for this monitor, I see the
following:

Feb  5 10:52:05.167: IP SLA Monitor(300) Scheduler: Starting an
operation
Feb  5 10:52:05.167: IP SLA Monitor(300) http operation: Starting http
operation
Feb  5 10:52:05.167: IP SLA Monitor(300) dns operation: Starting dns
operation
Feb  5 10:52:05.167: IP SLA Monitor(300) dns operation: Query name -
www.example.com
Feb  5 10:52:05.167: IP SLA Monitor(300) dns operation: actual target
queried = www.example.com
Feb  5 10:52:05.167: IP SLA Monitor(300) dns operation: Error code=4
Feb  5 10:52:05.167: IP SLA Monitor(300) Scheduler: Updating result
Feb  5 10:52:05.167: IP SLA Monitor(300) http operation: Wait DNS -
incorrect event

The DNS name-server I am using is the same as is configured in main IOS
configuration, and I can successfully ping www.example.com by name from
the IOS CLI.

URLs queried by IP address do work, but for monitoring it would be nice
to have the DNS latency information. Googling the debug lines & errors
doesn't appear to produce anything useful. Any ideas?

This is with 12.2(31)SB10.




[c-nsp] NAT Detection with netflow or anything.

2008-02-05 Thread Joseph Jackson
Hey all,

I've been thinking about NAT detection for security purposes (rogue wireless
AP's, etc). After some searching on the google
I haven't been able to come up with much.  Other than a page with a few dead
links to papers/tools you can use I've come up empty.
Anyone have any solutions to this?

Joseph


Re: [c-nsp] Question about ip rtp header-compression

2008-02-05 Thread Ziv Leyes
The problem is I'm not using ANY of the possible queuing strategies at all 
right now! So why can't the line just use the whole 2Mb for RTP?
My question wasn't about whether, if you want to dedicate a specific bandwidth with some 
QoS policy, you'll obviously be limited to 75% or 80% of the total 
bandwidth, because the router needs to save some bandwidth for the rest. I'm 
asking whether there's a limitation on the bandwidth utilization that ip 
rtp header-compression can use, even before implementing any queuing strategy 
or policy.


Ziv

-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 05, 2008 1:11 PM
To: Ziv Leyes
Cc: [c-nsp]
Subject: Re: [c-nsp] Question about ip rtp header-compression

Well, Satellite IP is a fun task in itself to get right.

I'd suggest looking at QoS policy/class maps and getting yourself up to scratch
on the different methods of queueing that are available.

There's plenty of good documentation on QoS and the Cisco Way Of Doing It
on the Cisco website. Go look for policy-map and class-map.

Adrian

On Tue, Feb 05, 2008, Ziv Leyes wrote:
 Hi,
 I have a problem I can't figure out myself.
 I have two 7206VXR connected between them with serial interface over 
 satellite. The bandwidth is 2Mb (clockrate of the controller shows 2047212 on 
 both sides)
 This link is exclusively used for VoIP, and ip rtp header compression is 
 activated on both sides with very nice statistics, such as 99% 
 hit ratio and around 2,50-3,00 efficiency improvement factor.
 The customer still complains about some VoIP packet loss, and in the line 
 graphs you can see the line never exceeds 1500-1600 Kb.
 I wanted to try to improve the rtp traffic so I thought about using ip rtp 
 priority 13000 16383 2000 just to give it a try, but it gave an error saying 
 IP RTP: Not enough bandwidth: available 1500 needed 2000
 Then I realized there is a hard limit of 1500 for the IP RTP, and I wonder, 
 where is this limit coming from? Perhaps the changes on the queuing strategy 
 or in the QoS in the past made the router go crazy and not detect the real 
 bandwidth, or there's some specific IOS limitations in order to keep some 
 bandwidth available for other needs?
 If someone can shed light on this mystery I'll be more than glad to hear!
 Thanks,
 Ziv

 This footnote confirms that this email message has been scanned by
 PineApp Mail-SeCure for the presence of malicious code, vandals & computer 
 viruses.


--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


Re: [c-nsp] IP SLA - dns operation: Error code=4

2008-02-05 Thread Dean Smith
I had one similar where the source IPs being used from CLI and SLA were
different.

The CLI source was correctly set to a mgmt loopback which did have access to
DNS & the internet. The SLA monitor was using a source that didn't - fixed
by specifying the source for the SLA probe.

Regards
Dean

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Giles Coochey
Sent: 05 February 2008 10:07
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IP SLA - dns operation: Error code=4

Hello,

I'm testing various aspects of IP SLA, and have been trying to set up an
HTTP get url operation - unsuccessfully.

My configuration is as follows:

ip sla monitor 300
 type http operation get url http://www.example.com name-server
name-server cache disable
 threshold 5000
 frequency 300
ip sla monitor schedule 300 life forever start-time now

On doing a sh ip sla monitor operational-state 300 I get:

Latest operation return code: Internal error

On enabling trace and error debugging for this monitor, I see the
following:

Feb  5 10:52:05.167: IP SLA Monitor(300) Scheduler: Starting an
operation
Feb  5 10:52:05.167: IP SLA Monitor(300) http operation: Starting http
operation
Feb  5 10:52:05.167: IP SLA Monitor(300) dns operation: Starting dns
operation
Feb  5 10:52:05.167: IP SLA Monitor(300) dns operation: Query name -
www.example.com
Feb  5 10:52:05.167: IP SLA Monitor(300) dns operation: actual target
queried = www.example.com
Feb  5 10:52:05.167: IP SLA Monitor(300) dns operation: Error code=4
Feb  5 10:52:05.167: IP SLA Monitor(300) Scheduler: Updating result
Feb  5 10:52:05.167: IP SLA Monitor(300) http operation: Wait DNS -
incorrect event

The DNS name-server I am using is the same as is configured in main IOS
configuration, and I can successfully ping www.example.com by name from
the IOS CLI.

URLs queried by IP address do work, but for monitoring it would be nice
to have the DNS latency information. Googling the debug lines & errors
doesn't appear to produce anything useful. Any ideas?

This is with 12.2(31)SB10.




Re: [c-nsp] Question about ip rtp header-compression

2008-02-05 Thread Oliver Boehmer (oboehmer)
Ziv Leyes  wrote on Tuesday, February 05, 2008 11:50 AM:

 Hi,
 I have a problem I can't figure out myself.
 I have two 7206VXR connected between them with serial interface over
 satellite. The bandwidth is 2Mb (clockrate of the controller shows
 2047212 on both sides)  
 This link is exclusively used for VoIP, and ip rtp header
 compression is activated on both sides with very nice
 statistics, such as 99% hit ratio and around 2,50-3,00 efficiency
 improvement factor.
 The customer still complains about some VoIP packet loss, and in
 the line graphs you can see the line never exceeds 1500-1600 Kb.
 I wanted to try to improve the rtp traffic so I thought about using
 ip rtp priority 13000 16383 2000 just to give it a try, but it gave
 an error saying IP RTP: Not enough bandwidth: available 1500 needed
 2000   
 Then I realized there is a hard limit of 1500 for the IP RTP, and I
 wonder, where is this limit coming from? 

by default, QoS, incl. ip rtp priority only uses 75% of the link
bandwidth. You can increase this using max-reserved-bandwidth 100. I
wouldn't use 100%, otherwise you'll starve your routing traffic (if you
run routing over the link). 
You can also use CBWFQ/PQ queuing using MQC (policy-map, class-map,
etc.) to prioritize your traffic.

oli


Re: [c-nsp] IP SLA - dns operation: Error code=4

2008-02-05 Thread Oliver Boehmer (oboehmer)
Giles Coochey  wrote on Tuesday, February 05, 2008 11:07 AM:

 Hello,
 
 I'm testing various aspects of IP SLA, and have been trying to set up
 an HTTP get url operation - unsuccessfully.
 
 My configuration is as follows:
 
 ip sla monitor 300
  type http operation get url http://www.example.com name-server
 name-server cache disable
  threshold 5000
  frequency 300
 ip sla monitor schedule 300 life forever start-time now
 
 On doing a sh ip sla monitor operational-state 300 I get:
 
 Latest operation return code: Internal error

it could be CSCei14211 (Cat3550 internal error for SAA HTTP operations),
no fix as far as I can see in 12.2SB. It looks like a platform
independent issue. Can you open a TAC case?

oli


Re: [c-nsp] Question about ip rtp header-compression

2008-02-05 Thread Adrian Chadd
Well, Satellite IP is a fun task in itself to get right.

I'd suggest looking at QoS policy/class maps and getting yourself up to scratch
on the different methods of queueing that are available.

There's plenty of good documentation on QoS and the Cisco Way Of Doing It
on the Cisco website. Go look for policy-map and class-map.

Adrian

On Tue, Feb 05, 2008, Ziv Leyes wrote:
 Hi,
 I have a problem I can't figure out myself.
 I have two 7206VXR connected between them with serial interface over 
 satellite. The bandwidth is 2Mb (clockrate of the controller shows 2047212 on 
 both sides)
 This link is exclusively used for VoIP, and ip rtp header compression is 
 activated on both sides with very nice statistics, such as 99% 
 hit ratio and around 2,50-3,00 efficiency improvement factor.
 The customer still complains about some VoIP packet loss, and in the line 
 graphs you can see the line never exceeds 1500-1600 Kb.
 I wanted to try to improve the rtp traffic so I thought about using ip rtp 
 priority 13000 16383 2000 just to give it a try, but it gave an error saying 
 IP RTP: Not enough bandwidth: available 1500 needed 2000
 Then I realized there is a hard limit of 1500 for the IP RTP, and I wonder, 
 where is this limit coming from? Perhaps the changes on the queuing strategy 
 or in the QoS in the past made the router go crazy and not detect the real 
 bandwidth, or there's some specific IOS limitations in order to keep some 
 bandwidth available for other needs?
 If someone can shed light on this mystery I'll be more than glad to hear!
 Thanks,
 Ziv

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


Re: [c-nsp] IP SLA - dns operation: Error code=4

2008-02-05 Thread Giles Coochey
 
 I had one similar where the source IPs being used from CLI and SLA
were
 different.
 
 The CLI source was correctly set to a mgmt loopback which did have
access
 to
 DNS  the internet. The SLA monitor was using a source that didn't -
fixed
 by specifying the source for the SLA probe.
 

That was worth a try, but unfortunately didn't resolve the problem. The
bug Oliver mentioned looks to have hit this on the head, and while
12.2(31)SB10 isn't listed, many are affected and it does mention that it
may affect other devices other than the 3550.
Yet another small reason to convince the powers that be to get Smartnet
for this device (7304).


[c-nsp] ATM SPA and SIP-200 QoS

2008-02-05 Thread MKS
Hi list

Can someone give me a reasonable answer why the he*# Cisco has to make
every product different and out-of-sync with each other.

E.g. migrating from c720x ATM cards to c7600 ATM SPA has become a real pain.
What I need to achieve is the QoS per vc for point-to-point subinterfaces.

e.g.

from
http://www.cisco.com/en/US/products/hw/routers/ps368/module_installation_and_configuration_guides_chapter09186a008021ff16.html#wp1262692

The following restrictions apply to the operation of QoS on the ATM SPAs:
–The ATM SPAs do not support bandwidth-limited priority queueing, but
support only strict *priority* policy maps (that is, the priority command
without any parameters).
–A maximum of one *priority* command is supported in a policy map.

These restrictions really cripple the QoS available on the ATM SPAs. The
policy-map options that I'm left with are (please correct me if I'm wrong):

policy-map QoS_1
 class Voice
  priority
 class BusinessCritical
  bandwidth remaining percent 25
 class RealTime
  bandwidth remaining percent 25
 class class-default

With this map only Voice is given priority, since the bandwidth remaining
percent 25 command only divides the unallocated bandwidth to the two
categories and doesn't allocate a minimum bandwidth to each category.
(note it's not possible to use the bandwidth command, I only get the
following error: "bandwidth kbps/percent command cannot co-exist with strict
priority in the same policy-map")

or

policy-map QoS_2
 class Voice
  bandwidth 512
 class BusinessCritical
  bandwidth 512
 class RealTime
  bandwidth 512

With this map I obviously don't have any priority for Voice just minimum
bandwidth reserved.


1) Will this restriction be fixed in some later software? (I have tried SRA
and SRB/SRB1, not SRC)
2) Are there any better workarounds than I list here?

Regards MKS


Re: [c-nsp] NAT Detection with netflow or anything.

2008-02-05 Thread Eric Gauthier
Joseph,

 I've been thinking about NAT detection for security purposes (rogue wireless
 AP's, etc). After some searching on the google
 I haven't been able to come up with much.  Other than a page with a few dead
 links to papers/tools you can use I've come up empty.
 Anyone have any solutions to this?

If you have a solid understanding of your network topology, you can look 
at the IP TTL field: http://www.sflow.org/detectNAT/.  I've normally heard of
this being done in combination with a MAC-based network registration system
within the captive portal, but you could probably also do this via netflow.

Eric Gauthier
Boston University
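The TTL check Eric points to, worked through as an added example (this is not code from the thread or from sflow.org): a host that has passed through a NAT or a hidden router arrives one hop "further away" than the topology says it should, and a single address that shows more than one initial TTL is carrying traffic from more than one operating system. The topology map, the list of common initial TTLs and the flow records are all constructed here for illustration.

```python
"""TTL-based NAT detection over flow records (constructed example).

Observed TTL = initial TTL of the sending OS minus hops traversed. If the
implied hop count is larger than what the topology predicts for that subnet,
or one address shows several initial TTLs, something is routing or NATing
behind that address (e.g. a rogue wireless AP).
"""
import ipaddress
from collections import defaultdict
from typing import Optional

# Initial TTLs used by common operating systems (Linux/macOS 64, Windows 128,
# most network devices 255). Assumed values, not from the thread.
INITIAL_TTLS = (64, 128, 255)

# Constructed topology: hops between each access subnet and the flow collector.
EXPECTED_HOPS = {
    ipaddress.ip_network("10.1.1.0/24"): 1,
    ipaddress.ip_network("10.2.0.0/16"): 2,
}

# Constructed flow records as a collector might export them: (src, observed TTL).
FLOWS = [
    ("10.1.1.10", 63),   # Linux host, one hop away: normal
    ("10.1.1.20", 62),   # one hop too many: a router/NAT sits behind this address
    ("10.1.1.30", 63),   # same address seen with two different initial TTLs...
    ("10.1.1.30", 127),  # ...Linux and Windows behind one IP: NAT
    ("10.2.0.5", 126),   # Windows host two hops away: normal
    ("10.1.1.40", 254),  # a network device itself (initial TTL 255): normal
]


def infer_initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL that could have produced this observed value."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    raise ValueError(f"TTL {ttl} out of range")


def expected_hops(src: str) -> Optional[int]:
    """Hop count the topology predicts for src, or None for an unknown subnet."""
    addr = ipaddress.ip_address(src)
    for net, hops in EXPECTED_HOPS.items():
        if addr in net:
            return hops
    return None


def detect_nat(flows) -> dict:
    """Return {src_ip: [reasons]} for sources whose TTLs do not fit the topology."""
    initials_seen = defaultdict(set)
    findings = defaultdict(list)
    for src, ttl in flows:
        hops = expected_hops(src)
        if hops is None:
            continue  # cannot judge without a topology entry
        initial = infer_initial_ttl(ttl)
        initials_seen[src].add(initial)
        implied_hops = initial - ttl
        if implied_hops > hops:
            findings[src].append(
                f"ttl {ttl} implies {implied_hops} hops, topology says {hops}")
    for src, initials in initials_seen.items():
        if len(initials) > 1:
            findings[src].append(
                f"multiple initial TTLs {sorted(initials)} behind one address")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in detect_nat(FLOWS).items():
        print(src, "->", "; ".join(reasons))
```

The check is only as good as the hop map: it needs the flow exporter to sit at a known distance from every access subnet, and a host with a tuned initial TTL or a legitimately routed downstream segment will show up as a false positive, which is why Eric pairs it with a registration system rather than acting on TTL alone.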


Re: [c-nsp] Multipoint L2TPV3 tunnel / MPLS VPN over IP Tunnel

2008-02-05 Thread Masood Ahmad Shah
Well, router is 7507 running with 12.4(16) rsp-jk9o3sv-mz.124-16.bin... I
believe that 12.4 enterprise image is supporting such features... 

Is there any special release to get the advantages of multipoint L2TPV3
tunnel over 7500 or 7200...

Regards,
Masood Ahmad shah
 

-Original Message-
From: Oliver Boehmer (oboehmer) [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 05, 2008 12:23 PM
To: Masood Ahmad Shah; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Multipoint L2TPV3 tunnel / MPLS VPN over IP Tunnel

Masood Ahmad Shah  wrote on Monday, February 04, 2008 11:47 PM:

 Is there any low end Cisco router for the multipoint L2TPV3 tunnel to
 configure MPLS VPN over IP Tunnel. I just can't buy Cisco 12000 only
 for the multipoint L2TPV3 tunnel. I was expecting a support of
 tunnel mode l2tpv3 in Cisco 7500 but I just can't see it. :(

according to www.cisco.com/go/fn, the MPLS VPNs over IP Tunnels
feature is available in recent 12.0S on 7200, 7500, 10700 and GSR. Which
release are you using? The command syntax is tunnel mode l3vpn l2tpv3
multipoint on the tunnel..

oli



[c-nsp] NetFlow Vs. SPAN (mix?) for detecting less than savory application behavior.

2008-02-05 Thread Drew Weaver
Aside from having strong written policy, some ACLs, and a 
good response team we are trying to come up with some proactive monitoring we 
can do to detect certain behavior outbound from our network (sort of like a 
reverse Intrusion Detection System [EDS?]) to minimize the impact of having a 
network where it is impossible to simply firewall and forget as the needs of 
the folks using the network is dynamic.

Some examples of things I am trying to catch are:

Botnet members
SSH/FTP/SQL/etc brute-force knockers

Of course the best answer is "why not prevent them from becoming botnet 
members, etc in the first place?" Well, that's not so easy as we don't manage 
the end points/servers, etc.

I would welcome suggestions on whether NetFlow vs. SPAN (possibly using some 
SNORT implementation at the aggregation points would allow us to detect some of 
the more obvious annoyances) would be the best course of action, or if possibly 
a combination of both would be the best. Any advice from folks who have already 
automated detection of things of this sort would be great as well.


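One of the things Drew lists, "brute-force knockers", can be spotted from NetFlow alone without any payload capture, which is the NetFlow side of the NetFlow-vs-SPAN trade-off. The following is an added example, not code from the thread: a fan-out heuristic over NetFlow-style records that flags an internal source opening many short flows to many distinct hosts on a login port. The Flow record, the watched-port table and the sample flows are constructed.

```python
"""Outbound brute-force detection from NetFlow-style records (constructed example).

A failed login is a tiny flow (a handful of packets); a real SSH session is
not. One source producing dozens of tiny flows to dozens of distinct hosts on
the same login port inside a short window is credential guessing, and that
pattern is visible in flow tuples alone, so sampled NetFlow suffices for it.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int
    octets: int
    start: float   # seconds since an arbitrary epoch


# Ports where a burst of short flows to many hosts is a strong signal (assumed).
WATCHED_PORTS = {22: "ssh", 21: "ftp", 1433: "mssql", 3306: "mysql", 3389: "rdp"}


def brute_force_candidates(flows: Iterable[Flow], window_s: float = 300.0,
                           min_targets: int = 10, max_packets: int = 20) -> dict:
    """
    Return {(src, service): distinct_targets} for sources that opened short
    flows (<= max_packets) to >= min_targets distinct destinations on a
    watched port inside any window_s-long sliding window.
    """
    per_key = defaultdict(list)
    for f in flows:
        if f.dport in WATCHED_PORTS and f.packets <= max_packets:
            per_key[(f.src, f.dport)].append(f)

    findings = {}
    for (src, dport), fl in per_key.items():
        fl.sort(key=lambda f: f.start)
        best, lo = 0, 0
        for hi in range(len(fl)):
            # slide the window start forward until it spans at most window_s
            while fl[hi].start - fl[lo].start > window_s:
                lo += 1
            best = max(best, len({f.dst for f in fl[lo:hi + 1]}))
        if best >= min_targets:
            findings[(src, WATCHED_PORTS[dport])] = best
    return findings


# Constructed sample: one knocker, one legitimate admin, one host below threshold.
SAMPLE_FLOWS = (
    [Flow("10.0.5.7", f"203.0.113.{i}", 22, 6, 480, 10.0 * i) for i in range(1, 13)]
    + [Flow("10.0.5.8", "198.51.100.20", 22, 900, 120_000, 5.0)]           # real session
    + [Flow("10.0.5.8", f"198.51.100.{i}", 443, 30, 18_000, 1.0 * i) for i in range(30, 50)]
    + [Flow("10.0.5.9", f"203.0.113.{i}", 22, 6, 480, 2.0 * i) for i in range(50, 55)]
)


if __name__ == "__main__":
    for (src, service), n in brute_force_candidates(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct {service} targets in one window")
```

The thresholds are the tuning knobs: raise `min_targets` or lower `max_packets` if monitoring or backup hosts that legitimately touch many machines on port 22 show up. What NetFlow cannot give you is the content of the session, so the Snort-on-SPAN option Drew mentions is complementary rather than a replacement for this kind of check.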


Re: [c-nsp] NetFlow Vs. SPAN (mix?) for detecting less than savory application behavior.

2008-02-05 Thread Roland Dobbins

On Feb 5, 2008, at 9:17 PM, Drew Weaver wrote:

 I would welcome suggestions on whether NetFlow vs. SPAN (possibly  
 using some SNORT implementation at the aggregation points would  
 allow us to detect some of the more obvious annoyances) would be the  
 best course of action, or if possibly a combination of both would be  
 the best. Any advice from folks who have already automated detection  
 of things of this sort would be great as well.

http://homepage.mac.com/roland.dobbins/FileSharing5.html

---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

Culture eats strategy for breakfast.

-- Ford Motor Company


Re: [c-nsp] USB to serial converter

2008-02-05 Thread Gert Doering
Hi,

On Mon, Feb 04, 2008 at 02:26:12PM -0600, Frank Bulk wrote:
 Yes, I did use the USB function on the last pair of 3640's.  The old one in
 the pair didn't have USB support, so I used the USB key on the new 3640 to
 load the newest firmware and ROM, copied that over to a CF card, then used
 that CF card in the old 3640 to load the new firmware and apply the ROM
 update.

USB and CF on a 3640?

Fascinating.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025[EMAIL PROTECTED]



Re: [c-nsp] Multipoint L2TPV3 tunnel / MPLS VPN over IP Tunnel

2008-02-05 Thread Oliver Boehmer (oboehmer)
Masood Ahmad Shah mailto:[EMAIL PROTECTED] wrote on Tuesday,
February 05, 2008 3:23 PM:

 Well, router is 7507 running with 12.4(16)
 rsp-jk9o3sv-mz.124-16.bin... I 
 believe that 12.4 enterprise image is supporting such features...

no, it is not. You need 12.0S, which is the only train currently
supporting this feature (as it has very limited deployment exposure,
practically limited to one large and possibly some smaller networks).

 Is there any special release to get the advantages of multipoint
 L2TPV3 tunnel over 7500 or 7200...

See above, but make sure to test this in the lab first as 12.4M and
12.0S feature list is quite different (general mainline 12.4 vs. Service
Provider-centric 12.0S).

Running MPLS is no option for you?

oli


 
 -Original Message-
 From: Oliver Boehmer (oboehmer) [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 05, 2008 12:23 PM
 To: Masood Ahmad Shah; cisco-nsp@puck.nether.net
 Subject: RE: [c-nsp] Multipoint L2TPV3 tunnel / MPLS VPN over IP
 Tunnel 
 
 Masood Ahmad Shah  wrote on Monday, February 04, 2008 11:47 PM:
 
 Is there any low end Cisco router for the multipoint L2TPV3 tunnel to
 configure MPLS VPN over IP Tunnel. I just can't buy Cisco 12000 only
 for the multipoint L2TPV3 tunnel. I was expecting a support of
 tunnel mode l2tpv3 in Cisco 7500 but I just can't see it. :(
 
 according to www.cisco.com/go/fn, the MPLS VPNs over IP Tunnels
 feature is available in recent 12.0S on 7200, 7500, 10700 and GSR.
 Which 
 release are you using? The command syntax is tunnel mode l3vpn l2tpv3
 multipoint on the tunnel..
 
   oli


Re: [c-nsp] BFD aware VRF

2008-02-05 Thread Stephen Fulton
I'm speaking with our account rep today about the ME6524, and I'll bring 
this up.  If anyone with Cisco Process Clue(tm) could share with me the 
direction I should point her, please let me know off-list.

-- Stephen

Rubens Kuhl Jr. wrote:
 I did try with an ethernet link between PE and CE, and bfd config looks
 good.
 Unless your Ethernet links are 1Q trunks like what you'd have between
 a site with a pair of redundant routers doing both L3 and access layer
 connections (FHRPs).  SRC removed BFD on SVI support, as did SXH on the
 ME6524s.

 Yes, I'm beating a dead horse but it aggravates me nonetheless.  I need
 to upgrade to SRC but I am going to lose BFD support as soon as I do,
 pushing my recovery times up into seconds; far from the milliseconds
 Cisco sold us on when they blessed this design.
 
 And I'm still waiting for the reason why this has been removed from
 the code, or why it's an issue to support BFD with SVI.
 
 And I'll keep beating both dead horses, at least till Cisco or Juniper
 (EX series) comes up with a solution.
 
 
 Rubens


[c-nsp] EoMPLS between 7600 & 7200 config clarification

2008-02-05 Thread Jose
Hi everyone.  I'm doing some preliminary testing in our lab in order to 
deploy EoMPLS on our ethernet network but I've run into a little bit of 
a snag and was wondering if anyone could clarify something for me.

The setup I have is 3550---7603-SUP32---7204VXR---3550

I have VLAN 800 setup to cross from one 3550 to the other.  The relevant 
portions of the config are as follows:

7603:
interface GigabitEthernet2/2
 description to 3550
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800
 switchport mode trunk
 no ip address
 load-interval 30
!
interface Vlan800
 xconnect 10.0.1.4 800 encapsulation mpls
!
interface GigabitEthernet1/1
 description 7603 to 7204
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 220
 switchport mode trunk
 no ip address
 load-interval 30
!
interface Vlan220
 ip address 10.0.0.18 255.255.255.252
 load-interval 30
 tag-switching mtu 1520
 tag-switching ip
!

7204VXR:
interface FastEthernet1/0.220
 encapsulation dot1Q 220
 ip address 10.0.0.17 255.255.255.252
 ip ospf cost 40
 tag-switching mtu 1520
 tag-switching ip
!
interface FastEthernet3/0.800
 encapsulation dot1Q 800
 xconnect 10.0.1.1 800 encapsulation mpls
!

Now when I do a show mpls l2 vc I can see the circuit up from the 7204 
side but down from the 7603 side.  I think I have everything setup 
properly but can't figure out why it wouldn't work.

If I change things around a bit and reconfigure the 7603 to use 
sub-interfaces with dot1q instead of vlan interfaces like this:

interface GigabitEthernet2/2.800
 encapsulation dot1Q 800
 xconnect 10.0.1.4 800 encapsulation mpls
!

The circuit is up from both ends and pings from/to each 3550 are successful:

frort01-lab#sh mpls l2 vc

Local intf     Local circuit        Dest address    VC ID      Status
-------------  -------------------  --------------  ---------  ----------
Gi2/2.800      Eth VLAN 800         10.0.1.4        800        UP
7603-lab#

Is this the only way to get EoMPLS to work between these two devices?  
I'm sure I've seen the xconnect command used on VLAN interfaces before 
and it has worked fine.

Any thoughts or comments would be greatly appreciated.

Thanks.

Jose


Re: [c-nsp] QoS limiting on 10Ge ports

2008-02-05 Thread Oliver Boehmer (oboehmer)
MKS mailto:[EMAIL PROTECTED] wrote on Tuesday, February 05, 2008
5:17 PM:

 Wyatt Mattias Ishmael Jovial Gyllenvarg  wrote on Tuesday,
 February 05, 2008 9:58 AM: 
 
 Hi all
 
 I'm looking to limit a 10Ge to ~3Gb using policing.
 Platform is 650X/760X Sup32 10Ge PFC3 MSFC 2A.
 Is this possible at these speeds?
 
 yes, it's done in hardware on the PFC3 without performance impact
 (aside from dropping 7 Gbps if used at full rate ;-)
 
 Hmm, are you sure? The topic of the question was QoS limiting in 10Gb.
 I know that you can limit the traffic ignoring QoS (DSCP values), e.g.
 
 policy-map 3GbE
   class class-default
     police cir 30 bc 56250 conform-action transmit exceed-action drop violate-action drop
 
 
 but how can you do it with a Diffserv policy, e.g. wred/wrr?

well, the question was for policing, and this is how to do it. 
What do you mean wrt DS policy? You can obviously also police traffic
based on DSCP using appropriate class-maps, so not sure what you mean..

tx,
oli
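What the quoted police line actually does on the wire, as an added example (this is a model written for this page, not Cisco's implementation or code from the thread): a single-rate token-bucket policer of the kind IOS configures with `police cir ... bc ... [be ...]`. The 3 Gbps CIR is assumed from the original question and bc = 56250 bytes is taken from the quoted policy-map; the "cir 30" in the quote is assumed to be a wrapped 3000000000. With exceed and violate both set to drop, only the conform bucket matters, which the simulation shows.

```python
"""Single-rate three-colour token-bucket policer (constructed model of IOS 'police').

Tokens (bytes) refill the committed bucket at cir_bps; overflow from the
committed bucket spills into the excess bucket. A packet that fits the
committed bucket conforms, one that fits the excess bucket exceeds, anything
else violates. be_bytes = 0 gives the two-colour conform/violate behaviour.
"""
from dataclasses import dataclass


@dataclass
class SingleRatePolicer:
    cir_bps: int          # committed information rate, bits per second
    bc_bytes: int         # committed burst (size of the conform bucket)
    be_bytes: int = 0     # excess burst (size of the exceed bucket)

    def __post_init__(self) -> None:
        self._tc = float(self.bc_bytes)   # committed bucket starts full
        self._te = float(self.be_bytes)   # excess bucket starts full
        self._last = 0.0                  # time of the previous refill (s)

    def _refill(self, now: float) -> None:
        tokens = (now - self._last) * self.cir_bps / 8.0   # bytes earned since last packet
        self._last = now
        self._tc += tokens
        if self._tc > self.bc_bytes:
            spill = self._tc - self.bc_bytes
            self._tc = float(self.bc_bytes)
            self._te = min(float(self.be_bytes), self._te + spill)

    def classify(self, now: float, size: int) -> str:
        """Return 'conform', 'exceed' or 'violate' for a packet of size bytes at time now."""
        self._refill(now)
        if size <= self._tc:
            self._tc -= size
            return "conform"
        if size <= self._te:
            self._te -= size
            return "exceed"
        return "violate"


def simulate(policer: SingleRatePolicer, offered_bps: float,
             duration_s: float, pkt_bytes: int = 1500) -> dict:
    """Offer a constant packet stream at offered_bps; return bytes per colour."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    interval = pkt_bytes * 8 / offered_bps          # seconds between packets
    n_packets = int(duration_s / interval)
    for i in range(n_packets):
        counts[policer.classify(i * interval, pkt_bytes)] += pkt_bytes
    return counts


def offered_ten_gig_policed_to_three(duration_s: float = 0.1) -> dict:
    """A 10 Gbps line-rate stream through the quoted policer (exceed = violate = drop)."""
    policer = SingleRatePolicer(cir_bps=3_000_000_000, bc_bytes=56250)
    return simulate(policer, offered_bps=10e9, duration_s=duration_s)


if __name__ == "__main__":
    result = offered_ten_gig_policed_to_three()
    total = sum(result.values())
    for colour, nbytes in result.items():
        print(f"{colour:8s} {nbytes:>12,d} bytes  ({100 * nbytes / total:5.1f} %)")
```

Over 100 ms the conform count comes out at just under 37.56 MB: the CIR's 37.5 MB plus the initial bc burst, i.e. 30% of the offered load, with the remaining 70% dropped, which is the "dropping 7 Gbps" Oliver mentions. The bc value sets how large a burst passes at line rate before the policer bites; a bc sized for a 1 Gbps link is far too small for a 3 Gbps CIR and will drop bursty TCP traffic well below the configured rate.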


Re: [c-nsp] EoMPLS between 7600 & 7200 config clarification

2008-02-05 Thread Rubens Kuhl Jr.
 Is this the only way to get EoMPLS to work between these two devices?
 I'm sure I've seen the xconnect command used on VLAN interfaces before
 and it has worked fine.

Use VLAN interfaces on both sides, or subinterfaces on both sides, or
ports on both sides.

Some platforms/versions also don't support VLAN-based EoMPLS, only
port or subinterface;


Rubens


Re: [c-nsp] QoS limiting on 10Ge ports

2008-02-05 Thread MKS
 well, the question was for policing, and this is how to do it.
 What do you mean wrt DS policy? You can obviously also police traffic
 based on DSCP using appropriate class-maps, so not sure what you mean..

Well yes, when you are basically fixing the bandwidth for each class (class-map).
What I was trying to say is that it's not possible to run wrr or wred
when the actual bandwidth behind the 10G is e.g. 3G.
The purpose would be to allow priority traffic to have priority and then
let best effort fill the rest of the pipe.

//MKS


Re: [c-nsp] EoMPLS between 7600 & 7200 config clarification

2008-02-05 Thread Bill Wade (wwade)
Jose,

SVI (vlan interface) based EoMPLS requires an OSM, SIP-400, SIP-600
or ES-20 as core facing interface.

Bill



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Jose
 Sent: Tuesday, February 05, 2008 11:16 AM
 To: Cisco
 Subject: [c-nsp] EoMPLS between 7600 & 7200 config clarification
 
 Hi everyone.  I'm doing some preliminary testing in our lab 
 in order to deploy EoMPLS on our ethernet network but I've 
 run into a little bit of a snag and was wondering if anyone 
 could clarify something for me.
 
 The setup I have is 3550---7603-SUP32---7204VXR---3550
 
 I have VLAN 800 setup to cross from one 3550 to the other.  
 The relevant portions of the config are as follows:
 
 7603:
 interface GigabitEthernet2/2
  description to 3550
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 800
  switchport mode trunk
  no ip address
  load-interval 30
 !
 interface Vlan800
  xconnect 10.0.1.4 800 encapsulation mpls
 !
 interface GigabitEthernet1/1
  description 7603 to 7204
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 220
  switchport mode trunk
  no ip address
  load-interval 30
 !
 interface Vlan220
  ip address 10.0.0.18 255.255.255.252
  load-interval 30
  tag-switching mtu 1520
  tag-switching ip
 !
 
 7204VXR:
 interface FastEthernet1/0.220
  encapsulation dot1Q 220
  ip address 10.0.0.17 255.255.255.252
  ip ospf cost 40
  tag-switching mtu 1520
  tag-switching ip
 !
 interface FastEthernet3/0.800
  encapsulation dot1Q 800
  xconnect 10.0.1.1 800 encapsulation mpls
 !
 
 Now when I do a show mpls l2 vc I can see the circuit up 
 from the 7204 side but down from the 7603 side.  I think I 
 have everything setup properly but can't figure out why it 
 wouldn't work.
 
 If I change things around a bit and reconfigure the 7603 to 
 use sub-interfaces with dot1q instead of vlan interfaces like this:
 
 interface GigabitEthernet2/2.800
  encapsulation dot1Q 800
  xconnect 10.0.1.4 800 encapsulation mpls !
 
 The circuit is up from both ends and pings from/to each 3550 
 are successful:
 
 frort01-lab#sh mpls l2 vc
 
 Local intf Local circuitDest addressVC ID 
  Status
 -   --- 
 -- --
 Gi2/2.800  Eth VLAN 800 10.0.1.4800   
  UP
 7603-lab#
 
 Is this the only way to get EoMPLS to work between these two 
 devices?  
 I'm sure I've seen the xconnect command used on VLAN 
 interfaces before and it has worked fine.
 
 Any thoughts or comments would be greatly appreciated.
 
 Thanks.
 
 Jose
 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] PA-2T3+ don't want to use anymore multilinks

2008-02-05 Thread Cory Councilman
Joseph,
If the channels are consecutive, just define your channel-group  to
cover all the channels that go to a site as one serial interface.

channel-group # timeslots 1-8 speed ##k

Cory Councilman

[EMAIL PROTECTED] wrote:
 Date: Mon, 4 Feb 2008 15:25:21 -0800
 From: Joseph Jackson [EMAIL PROTECTED]
 Subject: Re: [c-nsp] PA-2T3+ don't want to use anymore multilinks
 To: Cisco cisco-nsp@puck.nether.net
 Message-ID:
   [EMAIL PROTECTED]
 Content-Type: text/plain; charset=ISO-8859-1
 
 Oops, I meant PA-MC-T3 interface cards. Silly me.
 
 On 2/4/08, Joseph Jackson [EMAIL PROTECTED] wrote:
 Hey all,

 I have 2 PA-2T3+ at the end of a DS3.  I am currently having to split all
 the T1s off of it and then reform them in an MPPP bundle.  Is there any way
 around this with those interface cards?

 It's not a full DS3, as a few channels are split off for voice, but I'd like
 to take all the remaining channels and just use them as one pipe instead of
 these MPPP bundles, which don't seem to be providing enough bandwidth.



 Thanks

 Joseph

 
 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] multicast routing to VLAN1?

2008-02-05 Thread Julien Couturier
Did you check whether your IGMP querier is doing its job ?

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:cisco-nsp-
 [EMAIL PROTECTED] On Behalf Of William
 Sent: Monday, 4 February 2008 16:30
 To: Ziv Leyes
 Cc: [c-nsp]
 Subject: Re: [c-nsp] multicast routing to VLAN1?
 
 Hia,
 
 ip multicast-routing is enabled in global config.
 
 Regards,
 
 W
 
 On 04/02/2008, Ziv Leyes [EMAIL PROTECTED] wrote:
  First, I must ask this, did you make sure you have the global command
 ip multicast-routing
  Then on every interface you want to participate, you better use ip
 pim sparse-dense-mode
 
  Ziv
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:cisco-nsp-
 [EMAIL PROTECTED] On Behalf Of William
  Sent: Monday, February 04, 2008 1:33 PM
  To: [c-nsp]
  Subject: [c-nsp] multicast routing to VLAN1?
 
  Hi,
 
  We have a 4500+SUP4 running 12.1.19 EW1, running IOS throughout.
 
  We have a requirement to push multicast packets from VLAN200 (routed)
  to VLAN1 (routed, VLAN1 used because of legacy issues).
 
  On both VLAN interfaces we have ip pim sparse mode enabled, and have
  also added join statements to try to get it working.
 
  We are unable to get the multicast pushed over to VLAN1, we can see
  the machine(s) pumping out the multicast onto VLAN200 but nothing
  getting across.
 
  Is there some limitation because of the use of VLAN1? or am I missing
  something else?
 
  Cheers,
 
  W
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Untagged packets on trunk interfaces

2008-02-05 Thread Peter Rathlev
Hi Brandon,

On Tue, 2008-02-05 at 12:56 -0800, Brandon Price wrote:
 Simple question. I do not want any UNTAGGED packets to traverse my trunk
 ports..
 
 Some on this list have said to assign the native vlan to an unused vlan,
 but I don't even want to do that.
 
 I want ALL untagged packets on trunks to be dropped... 
 
 Possible?

Yes, use vlan dot1q tag native in global config mode. :-)

Regards,
Peter


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] PPP Authentication on Serial T1 Interface with PPP

2008-02-05 Thread Nick Voth
Hello folks,

Sorry for hammering on the list again for help, but this is my first T1 done
this way. We have a channelized DS3 coming in on a PA-MC-T3 card on a 7206.
We are getting LCP errors from the far end. I suspect it's because I haven't
set up any PPP authentication on the 7206 end, BUT I don't know how to get
past this.

With debug ppp auth enabled I see:

  AAA/AUTHOR/LCP: Denied

Here is the config of the individual T1 interface:

interface Serial4/0/1:0
 description Titan Manufacturing
 ip address 10.0.0.5 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no cdp enable

Is there a PPP command that will tell my end, (7206 with the DS3), that no
authentication is necessary? The far end is a Kentrox T1 router and we've
never needed to configure a PPP username/password with those, when they are
talking to each other on both sides of the T1.

Thanks for any advice.

-Nick Voth 


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] EoMPLS between 7600 7200 config clarification

2008-02-05 Thread Chris Griffin
For 12.2SR there is mux-uni, which allows you to run ports in switchport 
mode, but then create a subinterface to support eompls.

http://tinyurl.com/hfb5p

Says its supported by normal LAN cards, but haven't tried it yet.

Thanks
Chris

Justin Shore wrote:
 Bill,
 
 I'm in a similar boat as Jose.  What options for EoMPLS do we people 
 with 6700s have?  I'm trying physical to physical with no luck. 
 Sub-interface isn't an option for a particular design that I'm working 
 on either.
 
 Thanks
   Justin
 
 

-- 
Chris Griffin   [EMAIL PROTECTED]
Sr. Network Engineer - CCNP Phone: (352) 273-1051
CNS - Network Services  Fax:   (352) 392-9440
University of Florida/FLR   Gainesville, FL 32611
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Untagged packets on trunk interfaces

2008-02-05 Thread Phil Mayers
Brandon Price wrote:
 Thanks for the reply!!
 

Please don't remove the list from the Cc: - the replies in the archive 
may help others.

From the link you sent:
 
 The vlan dot1q tag native command is a global command that configures
 the switch to tag
 native VLAN traffic, and admit only 802.1Q tagged frames on 802.1Q
 trunks, dropping any
 untagged traffic, including untagged traffic in the native VLAN 
 
 Which tag is being applied to this formerly native traffic?

I've never used this feature - because it's a chassis global it's 
useless - so I'm not certain, but I think it's fair to assume the native 
VLAN's tag number.

int gX/Y
  switchport mode trunk
  switchport trunk native vlan 123
  switchport trunk allowed vlan 123,456

...VLANs 123 & 456 will come out tagged. I guess in this case, the only 
difference between a native and an allowed VLAN is... erm... the name?

FYI, you can also try this:

int gX/Y
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 123,456

...that is - 999 is a dummy vlan BUT is not in the allowed vlan list; I 
believe this stops it forwarding traffic.

Note that certain untagged packets will always come out of a Cisco if 
their functions are enabled e.g. CDP, 802.1d STP, MST (I think?)
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] static route with higher AD preferred over BGP

2008-02-05 Thread Atif Sid
Thanks. I missed the weight part!!

On 2/5/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

 Atif Sid  wrote on Tuesday, February 05, 2008 4:53 AM:

  I have a static route configured with a higher admin distance. Initially
  the BGP route does not install in the routing table. After a flap in the
  BGP table the static route starts being preferred, although the BGP AD is
  lower than the static route's, which is 210.
 
  Any insight is appreciated.

 AD comes into play when a route is known via multiple sources. In your
 case, BGP will prefer the redistributed static route due to its higher
 weight over the vpnv4 route you receive via iBGP (weight wins over
 localpref). To solve this (somewhat classical) problem, make sure you
 set the weight to zero (using a route-map) when redistributing the
 floating static into BGP (or set the weight of the ibgp vpnv4 prefixes
 to 32768). This way, BGP will prefer the iBGP path, installs it in the
 RIB, and this one wins over the floating static.

oli

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Untagged packets on trunk interfaces

2008-02-05 Thread Kristian Larsson
On Tue, Feb 05, 2008 at 10:53:49PM +, Phil Mayers wrote:
 Brandon Price wrote:
  Thanks for the reply!!
  
 
 Please don't remove the list from the Cc: - the replies in the archive 
 may help others.
 
 From the link you sent:
  
  The vlan dot1q tag native command is a global command that configures
  the switch to tag
  native VLAN traffic, and admit only 802.1Q tagged frames on 802.1Q
  trunks, dropping any
  untagged traffic, including untagged traffic in the native VLAN 
  
  Which tag is being applied to this formerly native traffic?
 
 I've never used this feature - because it's a chassis global it's 
 useless - so I'm not certain, but I think it's fair to assume the native 
 VLAN's tag number.
 
 int gX/Y
   switchport mode trunk
   switchport trunk native vlan 123
   switchport trunk allowed vlan 123,456
 
 ...VLANs 123 & 456 will come out tagged. I guess in this case, the only 
 difference between a native and an allowed VLAN is... erm... the name?

no, 123 will be untagged while 456 will carry a
tag.

 FYI, you can also try this:
 
 int gX/Y
   switchport mode trunk
   switchport trunk native vlan 999
   switchport trunk allowed vlan 123,456
 
 ...that is - 999 is a dummy vlan BUT is not in the allowed vlan list; I 
 believe this stops it forwarding traffic.

I believe you are right.

  -K

-- 
Kristian LarssonKLL-RIPE
Network Engineer  Peering Coordinator  SpriteLink [AS39525]
+46 704 910401[EMAIL PROTECTED]
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] NetFlow Vs. SPAN (mix?) for detecting less than savory application behavior.

2008-02-05 Thread Christian Koch
check out Richard Bejtlich's book - Extrusion Detection, very good read,
and tons of useful tips/tools in there...

http://www.informit.com/store/product.aspx?isbn=0321349962

http://www.informit.com/authors/bio.aspx?a=d166f1f7-55c7-4987-80bc-230bcb6a1f94
On Feb 5, 2008 9:17 AM, Drew Weaver [EMAIL PROTECTED] wrote:

Aside from having strong written policy, some ACLs, and a
 good response team, we are trying to come up with some proactive monitoring
 we can do to detect certain behavior outbound from our network (sort of like
 a reverse Intrusion Detection System [EDS?]) to minimize the impact of
 having a network where it is impossible to simply firewall and forget, as
 the needs of the folks using the network are dynamic.

 Some examples of things I am trying to catch are:

 Botnet members
 SSH/FTP/SQL/etc brute-force knockers

 Of course the best answer is why not prevent them from becoming botnet
 members, etc in the first place Well, that's not so easy as we don't manage
 the end points/servers, etc.

 I would welcome suggestions on whether NetFlow Vs. SPAN (possibly using
 some SNORT implementation at the aggregation points would allow us to detect
 some of the more obvious annoyances) would be the best course of action or
 if possibly a combination of both would be the best any advice from folks
 who have already automated detection of things of this sort would be great
 as well.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
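The two behaviours Drew lists (botnet members, SSH/FTP/SQL brute-force knockers) are the kind that show up in flow records without any payload, which is the case for NetFlow at the aggregation points; SPAN plus Snort is what you need once the decision depends on packet contents. The following is an added example, not from the thread or from Bejtlich's book: it runs two detections over NetFlow-style records. The record layout, the sample flows and the thresholds are all constructed here for illustration.

```python
"""Outbound brute-force fan-out and periodic beaconing detection over
NetFlow-style records. Added example; record layout, sample flows and
thresholds are constructed, not taken from any real export."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    start: float   # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    packets: int
    octets: int


# Services where many tiny outbound connections to many hosts usually mean a knocker.
BRUTE_PORTS = {21: "ftp", 22: "ssh", 1433: "mssql", 3306: "mysql"}


def find_knockers(flows, min_targets=20, max_packets=12):
    """Sources opening short TCP flows to many distinct hosts on one auth port.
    Returns [(src, service, distinct_targets)] sorted by source address."""
    targets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.proto == "tcp" and f.dport in BRUTE_PORTS and f.packets <= max_packets:
            targets[f.src][f.dport].add(f.dst)
    hits = []
    for src, per_port in targets.items():
        for port, dsts in per_port.items():
            if len(dsts) >= min_targets:
                hits.append((src, BRUTE_PORTS[port], len(dsts)))
    return sorted(hits)


def find_beacons(flows, min_flows=8, max_jitter=0.10):
    """(src, dst, dport) tuples contacted at a near-constant interval, the
    shape a C2 check-in tends to have in flow data. The jitter bound is the
    standard deviation of the inter-flow gaps as a fraction of their mean.
    Returns [((src, dst, dport), period_seconds)]."""
    starts = defaultdict(list)
    for f in flows:
        starts[(f.src, f.dst, f.dport)].append(f.start)
    hits = []
    for key, times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((key, round(period)))
    return sorted(hits)


def sample_flows():
    """Constructed records: one SSH knocker, one beaconing host, some browsing."""
    t0 = 1_202_200_000.0
    flows = []
    # 10.1.1.50 tries SSH against 40 hosts in 192.0.2.0/24, a few packets each.
    for i in range(40):
        flows.append(Flow(t0 + i * 1.5, "10.1.1.50", f"192.0.2.{i + 1}", 22, "tcp", 6, 480))
    # 10.1.1.77 checks in with 203.0.113.9:443 every 300 s, give or take a few.
    for i, j in enumerate([0, 3, -2, 4, -1, 2, -3, 1, 0, 2]):
        flows.append(Flow(t0 + i * 300 + j, "10.1.1.77", "203.0.113.9", 443, "tcp", 14, 2200))
    # Ordinary web traffic from a third host: many sites, irregular timing.
    t = t0
    for i, gap in enumerate([5, 40, 7, 120, 3, 60, 15, 90, 2, 30]):
        t += gap
        flows.append(Flow(t, "10.1.1.20", f"198.51.100.{i + 1}", 80, "tcp", 30, 45_000))
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    print("knockers:", find_knockers(fl))   # [('10.1.1.50', 'ssh', 40)]
    print("beacons :", find_beacons(fl))    # [(('10.1.1.77', '203.0.113.9', 443), 300)]
```

Both checks need only the 5-tuple, timing and packet counts, so they work on sampled NetFlow from the edge routers; what they cannot tell you is whether the SSH connections carried real logins, or what the periodic HTTPS session is saying, which is where the SPAN feed and a signature engine earn their place.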


Re: [c-nsp] ASA dropped packets from NMS

2008-02-05 Thread Ben Steele
Do you have an IPS module installed (ie AIP-SSM-10 etc.)?

If not, then it may be something being caught by ip audit, if you have that 
configured to drop packets upon a match; sh ip audit count will give you 
stats on that. Is there any rate-limiting configured?

Probably best you show us your config

Ben

--On 5 February 2008 8:54:41 AM +0100 Garry [EMAIL PROTECTED] wrote:

 Hi,

 we just moved one of our NMS behind an ASA firewall. So far, most
 everything works, but we've noticed a certain amount of dropped/lost
 packets ever since we did. I assume it's some kind of throttling on the
 ASA side, as it affects things like Smokeping, which sends out a short
 burst of packets to the destinations; but also some SNMP packets don't
 make it out (or back). Before the change, we didn't have any problems of
 this kind.

 I did not find any info on what could be causing this ... anybody have
 some ideas???

 Tnx, -garry



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] EoMPLS between 7600 7200 config clarification

2008-02-05 Thread Justin Shore
Chris Griffin wrote:
 For 12.2SR there is mux-uni, which allows you to run ports in switchport 
 mode, but then create a subinterface to support eompls.
 
 http://tinyurl.com/hfb5p
 
 Says its supported by normal LAN cards, but haven't tried it yet.

Chris,

That's definitely interesting.  I hadn't heard about that feature.  I'll 
give that a try tomorrow.

Thanks
  Justin
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Untagged packets on trunk interfaces

2008-02-05 Thread Phil Mayers
Kristian Larsson wrote:
 On Tue, Feb 05, 2008 at 10:53:49PM +, Phil Mayers wrote:
 Brandon Price wrote:
 Thanks for the reply!!

 Please don't remove the list from the Cc: - the replies in the archive 
 may help others.

 From the link you sent:

 The vlan dot1q tag native command is a global command that configures
 the switch to tag
 native VLAN traffic, and admit only 802.1Q tagged frames on 802.1Q
 trunks, dropping any
 untagged traffic, including untagged traffic in the native VLAN 

 Which tag is being applied to this formerly native traffic?
 I've never used this feature - because it's a chassis global it's 
 useless - so I'm not certain, but I think it's fair to assume the native 
 VLAN's tag number.

 int gX/Y
   switchport mode trunk
   switchport trunk native vlan 123
   switchport trunk allowed vlan 123,456

 ...VLANs 123 & 456 will come out tagged. I guess in this case, the only 
 difference between a native and an allowed VLAN is... erm... the name?
 
 no, 123 will be untagged while 456 will carry a
 tag.

Wrong.

The discussion is in the context of having typed the global command I 
suggested:

vlan dot1q tag native

...which is a global command that configures the switch to tag native 
VLAN traffic, and admit only 802.1Q tagged frames on 802.1Q trunks, 
dropping any untagged traffic (quote from Cisco docs)



 
 FYI, you can also try this:

 int gX/Y
   switchport mode trunk
   switchport trunk native vlan 999
   switchport trunk allowed vlan 123,456

 ...that is - 999 is a dummy vlan BUT is not in the allowed vlan list; I 
 believe this stops it forwarding traffic.
 
 I believe you are right.
 
   -K
 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
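The reason people want untagged frames off their trunks is the native-VLAN double-tagging case: a frame whose outer tag equals the trunk's native VLAN loses that tag on egress and arrives at the next switch carrying only its inner tag. The thread does not spell this out, so here is an added model (not from the thread, Phil's messages or Cisco documentation) that reproduces the behaviour described above for `vlan dot1q tag native` (native VLAN tagged on egress, untagged arrivals dropped) and for the unused-native-VLAN trick, and shows which of them actually stops the hop. The access-port rule it uses (a frame tagged with the port's own VLAN is accepted with that tag removed) is an assumption about platform behaviour; all frames are constructed.

```python
"""Toy model of 802.1Q trunk handling on two switches joined by one trunk.

Added example, not from the thread. Models: with 'vlan dot1q tag native'
the switch tags native-VLAN frames on egress and drops untagged frames on
ingress; without it, native-VLAN frames leave untagged and untagged
arrivals are placed in the native VLAN. The access-port rule (a frame
tagged with the port's own VLAN is accepted, tag removed) is an assumption.
"""
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier


def parse_tags(frame: bytes) -> list:
    """VLAN IDs of all stacked 802.1Q tags following the dst/src MACs."""
    off, tags = 12, []
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def build_frame(vlans, payload: bytes) -> bytes:
    """Constructed frame: broadcast dst, locally administered src, stacked tags."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    for v in vlans:
        hdr += struct.pack("!HH", TPID, v & 0x0FFF)
    return hdr + payload


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vlan: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID, vlan) + frame[12:]


def access_ingress(access_vlan: int, frame: bytes):
    """Access port: untagged frames belong to access_vlan; a frame tagged with
    access_vlan is accepted with that tag removed (assumed); others dropped."""
    tags = parse_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    return None, frame


class TrunkPort:
    def __init__(self, native: int, allowed, tag_native: bool = False):
        self.native, self.allowed, self.tag_native = native, set(allowed), tag_native

    def ingress(self, frame: bytes):
        """Classify an arriving frame: (vlan, frame_without_outer_tag) or (None, why)."""
        tags = parse_tags(frame)
        if not tags:
            if self.tag_native:
                return None, "dropped: untagged frame on trunk"
            vlan, inner = self.native, frame
        else:
            vlan, inner = tags[0], strip_outer_tag(frame)
        if vlan not in self.allowed:
            return None, f"dropped: VLAN {vlan} not in allowed list"
        return vlan, inner

    def egress(self, vlan: int, inner: bytes):
        """Frame as it goes on the wire, or None if the VLAN is not allowed."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native and not self.tag_native:
            return inner  # native VLAN leaves untagged
        return push_tag(inner, vlan)


def hop_attempt(native, allowed, tag_native_a, tag_native_b, attacker_vlan=1, target=20):
    """Attacker on an access port in attacker_vlan on switch A sends a frame
    tagged outer=attacker_vlan, inner=target. Returns the VLAN the frame is
    placed in on switch B, or None if it is dropped on the way."""
    frame = build_frame([attacker_vlan, target], b"constructed payload")
    vlan, inner = access_ingress(attacker_vlan, frame)
    if vlan is None:
        return None
    wire = TrunkPort(native, allowed, tag_native_a).egress(vlan, inner)
    if wire is None:
        return None
    landed, _ = TrunkPort(native, allowed, tag_native_b).ingress(wire)
    return landed


if __name__ == "__main__":
    print("native 1, no tag-native     ->", hop_attempt(1, {1, 20}, False, False))    # 20: hopped
    print("tag-native on both ends     ->", hop_attempt(1, {1, 20}, True, True))      # 1
    print("tag-native on receiver only ->", hop_attempt(1, {1, 20}, False, True))     # 20: still hops
    print("unused native 999, no tag   ->", hop_attempt(999, {1, 20}, False, False))  # 1
```

Two things the model makes visible: the switch that strips the native tag is the one the attacker is attached to, so `vlan dot1q tag native` has to be on the sending chassis (the receiver's "drop untagged" rule never sees an untagged frame in this case, because the inner tag is still there), and the unused-native-VLAN approach works not by dropping anything on the wire but by making sure no access port, and so no attacker, is in the VLAN that would leave untagged.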


Re: [c-nsp] Help getting started

2008-02-05 Thread Mark Tinka
On Monday 04 February 2008, Whisper wrote:

 Moreover, you need to provide a show version if you
 want people to comment on whether an IOS versions
 supports a specific feature or not. My gut says though,
 that a 2600-NonXM with 12.2 is not going to have VPN
 support.

Actually, 12.3(25) on the 2611 (feature set IP/FW/IDS/ PLUS 
IPSEC 3DES BASIC) supports IPSec/VPN's (including Easy VPN 
server and remote).

You'll need 64MB of RAM and 16MB of flash, though.

Cheers,

Mark.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] EoMPLS between 7600 7200 config clarification

2008-02-05 Thread Jose
Peter Rathlev wrote:
 On Tue, 2008-02-05 at 21:48 +0100, Gert Doering wrote:
   
 On Tue, Feb 05, 2008 at 02:15:40PM -0600, Justin Shore wrote:
 
 I'm in a similar boat as Jose.  What options for EoMPLS do we people 
 with 6700s have?  I'm trying physical to physical with no luck. 
   
 physical to physical should work, according to the documentation.  I
  haven't tried it yet, though.
 

 Port mode (physical-physical) works on 6500 SXF, not 7600 SXF (or
 12.2SR at all?) according to FN. Very strange, but one of the few
 feature differences between 6500 and 7600 on SXF.

   
I'm familiar with sub-interface and SVI based EoMPLS but what is port mode?
 We have EoMPLS Port Mode working fine on several 6500 SXF6 without
 problems. Will try it on a pair of 7600 SRBs and post the results when I
 get to it.

 First side note: EoMPLS Port Mode is really sweet, transparent to CDP,
 STP and even UDLD. :-)
   
Sounds pretty good.  Any caveats to running it though?



Jose
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] PPP Authentication on Serial T1 Interface with PPP

2008-02-05 Thread Oliver Boehmer (oboehmer)
Nick Voth  wrote on Tuesday, February 05, 2008 11:14 PM:

 Hello folks,
 
 Sorry for hammering on the list again for help, but this is my first
 T1 done this way. We have a channelized DS3 coming in on a PA-MC-T3
 card on a 7206. We are getting LCP errors from the far end. I suspect
 it's because I haven't set up any PPP authentication on the 7206 end,
 BUT I don't know how to get past this.
 
 With debug ppp auth enabled I see:
 
   AAA/AUTHOR/LCP: Denied
 
 Here is the config of the individual T1 interface:
 
 interface Serial4/0/1:0
  description Titan Manufacturing
  ip address 10.0.0.5 255.255.255.252
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  encapsulation ppp
  no cdp enable
 
 Is there a PPP command that will tell my end, (7206 with the DS3),
 that no authentication is necessary? The far end is a Kentrox T1
 router and we've never needed to configure a PPP username/password
 with those, when they are talking to each other on both sides of the
 T1. 

I guess you have 

aaa new-model
aaa authorization network default group {tacacs+|radius} ...

somewhere in your config? This triggers authorization (not
authentication) on your leased line. To fix this, just use

aaa authorization network NOAUTH none
int s4/0/1:0
 ppp authorization NOAUTH

or use a non-default group on your other interface where you do want to
use authen/author.

oli
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
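The named method list in Oliver's fix matters more than it looks: the `default` network authorization list is consulted for every PPP (and VPDN) session on the router, so the tempting one-liner `aaa authorization network default none` would silently stop authorizing all of them, not just this leased line. Added configuration example, not from the thread; interface and list names follow Oliver's message, the `tacacs+` server group is an assumption.

```text
! Too broad: turns off network authorization for EVERY PPP session on the
! box, including any dial-up or VPDN user the default list was protecting.
aaa authorization network default none

! Scoped: keep the default list on the AAA server and exempt only the
! leased line whose peer never authenticates.
aaa new-model
aaa authorization network default group tacacs+
aaa authorization network NOAUTH none
!
interface Serial4/0/1:0
 description Titan Manufacturing
 encapsulation ppp
 ppp authorization NOAUTH
```

`debug ppp authorization` on the interface should then show the LCP authorization being granted by the NOAUTH list while other PPP interfaces keep hitting the server.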


Re: [c-nsp] BFD aware VRF

2008-02-05 Thread Vikas Sharma
Hi,

I have configured BFD but it is showing down. I have used BGP to configure
BFD.

Client Router -

a05-2821-3#sh bfd neighbors
OurAddr   NeighAddr LD/RD  RH/RS  Holddown(mult)  State Int
172.16.1.5172.16.1.6 4/0Down  0(0 )   Down
Gi0/0
172.16.1.1172.16.1.2 6/0Down  0(0 )   Down
Gi0/1

*7600 PE  -*

e12-7600-1#sh bfd neighbors

OurAddr   NeighAddr LD/RD  RH/RS  Holddown(mult)  State Int
172.16.1.2172.16.1.1 1/6Down  1916 (3 )   Init  Gi12/1

Debug output -

e12-7600-1#debug bfd event
BFD event debugging is on
e12-7600-1#
*Feb  6 04:33:06.176: Applying event 2
*Feb  6 04:33:06.176: bfdV1FSM e:2 s:2
*Feb  6 04:33:07.008: Applying event 2
*Feb  6 04:33:07.008: bfdV1FSM e:2 s:2
*Feb  6 04:33:07.508: bfdV1FSM e:4 s:2
*Feb  6 04:33:07.508: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event DETECT
TIMER EXPIRED, state INIT - DOWN
*Feb  6 04:33:07.912: Applying event 2
*Feb  6 04:33:07.912: bfdV1FSM e:2 s:1
*Feb  6 04:33:07.912: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event RX
DOWN, state DOWN - INIT
*Feb  6 04:33:08.704: Applying event 2
*Feb  6 04:33:08.704: bfdV1FSM e:2 s:2
*Feb  6 04:33:09.648: Applying event 2
*Feb  6 04:33:09.648: bfdV1FSM e:2 s:2u all
*Feb  6 04:33:10.436: Applying event 2
*Feb  6 04:33:10.436: bfdV1FSM e:2 s:2
*Feb  6 04:33:10.912: bfdV1FSM e:4 s:2
*Feb  6 04:33:10.912: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event DETECT
TIMER EXPIRED, state INIT - DOWN
*Feb  6 04:33:11.288: Applying event 2
*Feb  6 04:33:11.288: bfdV1FSM e:2 s:1
*Feb  6 04:33:11.288: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event RX
DOWN, state DOWN - INIT
All possible debugging has been turned off
e12-7600-1#
*Feb  6 04:33:12.152: Applying event 2
*Feb  6 04:33:12.152: bfdV1FSM e:2 s:2

*7200 PE -*

c12-7200-3#sh bfd n

OurAddr   NeighAddr LD/RD  RH/RS  Holddown(mult)  State Int
172.16.1.6172.16.1.5 1/4Down  512  (3 )   Init  Gi0/2


Debug Output -

c12-7200-3#debug bfd event
BFD event debugging is on
c12-7200-3#
*Feb  6 04:39:54.544: Applying event 2
*Feb  6 04:39:54.544: bfdV1FSM e:2 s:1
*Feb  6 04:39:54.544: Session [172.16.1.6,172.16.1.5,Gi0/2,1], event RX
DOWN, state DOWN - INIT
*Feb  6 04:39:55.328: Applying event 2
*Feb  6 04:39:55.328: bfdV1FSM e:2 s:2
*Feb  6 04:39:56.100: Applying event 2
*Feb  6 04:39:56.100: bfdV1FSM e:2 s:2
*Feb  6 04:39:56.880: Applying event 2
*Feb  6 04:39:56.880: bfdV1FSM e:2 s:2
*Feb  6 04:39:57.544: bfdV1FSM e:4 s:2
*Feb  6 04:39:57.544: Session [172.16.1.6,172.16.1.5,Gi0/2,1], event DETECT
TIMER EXPIRED, state INIT - DOWN
*Feb  6 04:39:57.676: Applying event 2
*Feb  6 04:39:57.676: bfdV1FSM e:2 s:1
*Feb  6 04:39:57.676: Session [172.16.1.6,172.16.1.5,Gi0/2,1], event RX
DOWN, state DOWN - INITu all
All possible debugging has been turned off
c12-7200-3#
*Feb  6 04:39:58.632: Applying event 2
*Feb  6 04:39:58.632: bfdV1FSM e:2 s:2
*Feb  6 04:39:59.472: Applying event 2
*Feb  6 04:39:59.472: bfdV1FSM e:2 s:2

Both PE have SRC image. Not getting any debug output on 2800 CE router.

Regards
Vikas Sharma
On 2/5/08, Justin Shore [EMAIL PROTECTED] wrote:

 Luan Nguyen wrote:
  I did try with an ethernet link between PE and CE, and bfd config looks
  good.

 Unless your Ethernet links are 1Q trunks like what you'd have between
 a site with a pair of redundant routers doing both L3 and access layer
 connections (FHRPs).  SRC removed BFD on SVI support, as did SXH on the
 ME6524s.

 Yes, I'm beating a dead horse but it aggravates me nonetheless.  I need
 to upgrade to SRC but I am going to lose BFD support as soon as I do,
 pushing my recovery times up into seconds; far from the milliseconds
 Cisco sold us on when they blessed this design.

 Justin

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
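The debug and `show bfd neighbors` output in Vikas's message already contains the clue: the 7600 has learned the 2821's discriminator (LD/RD 1/6) and cycles DOWN -> INIT -> DOWN as it hears the peer's Down packets and then times out, while the 2821 shows RD 0 on both sessions, meaning it has not accepted a single packet from either PE. The following is an added example, not from the thread, that parses those two outputs into that statement. The debug lines are copied from the 7600 output above (with the terminal wrapping as the archive shows it); the neighbor rows are the same rows with their column spacing restored. Reading RD = 0 as "no packet from that peer accepted yet" follows the bfd.RemoteDiscr rule in RFC 5880 and is an interpretation, not something the thread says.

```python
"""Summarise 'debug bfd event' output and 'show bfd neighbors' rows so a
one-sided BFD session is visible at a glance. Added example, not from the
thread; sample text copied from the message above, neighbor rows re-spaced."""
import re
from collections import Counter, defaultdict

# The archive renders the state arrow as "-" rather than "->"; accept both.
EVENT_RE = re.compile(
    r"Session \[(?P<local>[\d.]+),(?P<remote>[\d.]+),(?P<intf>[^,\]]+),\d+\], "
    r"event (?P<event>.+?), state (?P<frm>\w+) -+>? (?P<to>\w+)")
NEIGH_RE = re.compile(
    r"^(?P<our>\S+)\s+(?P<neigh>\S+)\s+(?P<ld>\d+)/(?P<rd>\d+)\s+(?P<rh>\w+)\s+"
    r"(?P<hold>\d+)\s*\((?P<mult>\d+)\s*\)\s+(?P<state>\w+)\s+(?P<intf>\S+)$")

DEBUG_7600 = """\
*Feb  6 04:33:07.508: bfdV1FSM e:4 s:2
*Feb  6 04:33:07.508: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event DETECT
TIMER EXPIRED, state INIT - DOWN
*Feb  6 04:33:07.912: Applying event 2
*Feb  6 04:33:07.912: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event RX
DOWN, state DOWN - INIT
*Feb  6 04:33:10.912: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event DETECT
TIMER EXPIRED, state INIT - DOWN
*Feb  6 04:33:11.288: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event RX
DOWN, state DOWN - INIT
"""

# 'show bfd neighbors' rows for the Gi0/1 <-> Gi12/1 session, one per box.
NEIGHBORS = {
    "a05-2821-3": "172.16.1.1  172.16.1.2  6/0  Down  0(0 )  Down  Gi0/1",
    "e12-7600-1": "172.16.1.2  172.16.1.1  1/6  Down  1916 (3 )  Init  Gi12/1",
}


def join_wrapped(text):
    """Re-join debug lines the terminal wrapped; a record starts with '*'."""
    records = []
    for line in text.splitlines():
        if line.startswith("*"):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def transitions(text):
    """{(local, remote, intf): [(event, from_state, to_state), ...]}"""
    out = defaultdict(list)
    for rec in join_wrapped(text):
        m = EVENT_RE.search(rec)
        if m:
            out[(m["local"], m["remote"], m["intf"])].append((m["event"], m["frm"], m["to"]))
    return dict(out)


def flapping_sessions(text):
    """Sessions that only bounce between DOWN and INIT and never reach UP."""
    result = []
    for key, trs in transitions(text).items():
        edges = Counter((f, t) for _, f, t in trs)
        reached = {t for _, _, t in trs}
        if "UP" not in reached and edges[("DOWN", "INIT")] and edges[("INIT", "DOWN")]:
            result.append(key)
    return result


def parse_neighbor(row):
    m = NEIGH_RE.match(row.strip())
    return m.groupdict() if m else None


def discriminator_asymmetry(rows):
    """(hearing_side, deaf_side) when exactly one end has learned the other's
    discriminator: that end receives the peer's packets, the other end has
    not accepted any (RD still 0). None when both or neither have."""
    parsed = {name: parse_neighbor(r) for name, r in rows.items()}
    hearing = [n for n, p in parsed.items() if int(p["rd"]) != 0]
    deaf = [n for n, p in parsed.items() if int(p["rd"]) == 0]
    if len(hearing) == 1 and len(deaf) == 1:
        return hearing[0], deaf[0]
    return None


if __name__ == "__main__":
    for key, trs in transitions(DEBUG_7600).items():
        print(key, [f"{f}->{t} on {e}" for e, f, t in trs])
    print("flapping:", flapping_sessions(DEBUG_7600))
    print("hearing/deaf:", discriminator_asymmetry(NEIGHBORS))
```

With this the question to chase is not why the PE flaps but why the CE never processes the PE's control packets on that interface (the same RD 0 shows on its Gi0/0 session to the 7200), which is where the VRF question in the subject line comes back in.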


Re: [c-nsp] PPP Authentication on Serial T1 Interface with PPP

2008-02-05 Thread Nick Voth
 From: Oliver Boehmer (oboehmer) [EMAIL PROTECTED]
 Date: Wed, 6 Feb 2008 05:13:56 +0100
 To: Nick Voth [EMAIL PROTECTED], cisco-nsp@puck.nether.net
 Conversation: [c-nsp] PPP Authentication on Serial T1 Interface with PPP
 Subject: RE: [c-nsp] PPP Authentication on Serial T1 Interface with PPP
 
 Nick Voth  wrote on Tuesday, February 05, 2008 11:14 PM:
 
 
 I guess you have 
 
 aaa new-model
 aaa authorization network default group {tacacs+|radius} ...
 
 somewhere in your config? This triggers authorization (not
 authentication) on your leased line. To fix this, just use
 
 aaa authorization network NOAUTH none
 int s4/0/1:0
  ppp authorization NOAUTH
 
 or use a non-default group on your other interface where you do want to
 use authen/author.
 
 oli

Oliver,

Thanks very much. That definitely did the trick!

-Nick Voth


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/