Re: [c-nsp] EIGRP redistribution between 2 VRFs

2008-02-15 Thread Michael Lyngbøl
On 14.02.2008 16:06:03 -0500, Luan Nguyen wrote:
 
 Say I have VRF RED on one of the interfaces, and VRF BLUE on another
 interface.  And I need to run EIGRP on both of them.  They have their own
 ASN and don't want to change them.  How do I send routes learned from RED
 into BLUE and vice versa?  From the command line, EIGRP doesn't allow
 redistribution of EIGRP from VRF.
 
 Sample config is something like this:

...

 Is there a way to advertise routes between them?

Import the proper route-targets in VRF RED and VRF BLUE.

ip vrf RED
 rd 123:111
 route-target import 123:111
 route-target import 123:222
 route-target export 123:111

ip vrf BLUE
 rd 123:222
 route-target import 123:222
 route-target import 123:111
 route-target export 123:222

You can also just import+export from/to one of the VRFs. Might need to
attach import/export maps to filter which routes you'd like to
import/export.

To my knowledge there's no way to run EIGRP (or any other routing
protocol) between two different VRFs (unless you stitch them via a CPE).

/Michael

-- 
Michael Lyngbøl -- michael at lyngbol dot dk
Network Architect, AS3292 TDC, IP·backbone
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] SNMP traffic monitoring / alerting

2008-02-15 Thread Aaron R
Guys, 

I don't want rate, I want totals per month. I am going to give thold for
cacti a go but I'm having problems with the plugin atm. Will give it a go
next week.

Cheers,

Aaron.

-Original Message-
From: Peter Rathlev [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 15, 2008 1:56 AM
To: Aaron R
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SNMP traffic monitoring / alerting

Whatever you measure yourself, your ISP (and their accounting) probably
has the last say. Couldn't you strike a deal with them, having them
send you a notice when approaching the limit? Or maybe they could just
make their measurements available to you, and then you could watch this
value?

Still not completely sure about what you want to measure though. Isn't
it typically the 95th percentile that decides how much you pay?

If it's simply some rate you shouldn't cross you could set up some
shaping in front of their box. :-)

Regards,
Peter
 
On Thu, 2008-02-14 at 19:13 +0900, Aaron R wrote:
 Hi Howard,
 
 You are absolutely correct. I am already graphing / totaling the amount of
 traffic out the interface I just need a way to be alerted when it exceeds a
 particular threshold and we have to pay our ISP big bucks for going over our
 limit. Saves me from checking graphs each day!
 
 Cheers,
 
 Aaron.
 
 -Original Message-
 From: Howard Jones [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, February 14, 2008 5:36 PM
 To: Aaron R
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] SNMP traffic monitoring / alerting
 
 Aaron R wrote:
  Hey Guys,
 
   
 
  Has anyone come across a good app (open source or not) that will monitor the
  amount of traffic flowing in/out a particular interface and alert you once a
  certain threshold has been reached? Alerting via email would be preferable.
  I don't really have the time to invest in writing a script in perl as I can
  see there will be headaches with keeping track of the interface counter
  resets.
 
   
 Are you looking for flow *rate* (bits/sec) or total bytes transferred to
 alert on? It's not clear from your replies - you seem to be concerned
 about the size of SNMP counters which implies it's the total you are
 looking for.
 
 Cacti (with its plugin architecture and the Threshold plugin) will do
 this for you. If you need to alarm on total transferred, then you might 
 need to make a new data source in Cacti - I've never wanted that 
 particular alarm. See http://www.cacti.net/
 It also does a *lot* more, so possibly is too much.
 
 Howie
 
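The counter bookkeeping this thread is about (monthly totals from SNMP octet counters, with the counter resets raised in the original question), as an added example that is not part of any poster's message. It assumes the polls have already been collected as (time, sysUpTime, ifOutOctets or ifHCOutOctets) triples; the `Sample` type, the function names, the sample values and the quota figures are constructed for illustration.

```python
import calendar
import time
from dataclasses import dataclass


@dataclass
class Sample:
    """One SNMP poll of an interface (field names are this example's own)."""
    ts: int       # Unix time of the poll
    uptime: int   # sysUpTime in TimeTicks (1/100 s)
    octets: int   # ifOutOctets (32-bit) or ifHCOutOctets (64-bit)


def octets_between(prev, cur, bits=32):
    """Octets sent between two polls, tolerating one wrap or a restart."""
    if cur.uptime < prev.uptime:
        # sysUpTime went backwards: the agent restarted and the counter
        # began again at zero. Traffic sent between the previous poll and
        # the restart cannot be recovered, so this is a lower bound.
        return cur.octets
    if cur.octets >= prev.octets:
        return cur.octets - prev.octets
    # Counter decreased with no restart: assume exactly one wrap at 2**bits.
    return cur.octets + (1 << bits) - prev.octets


def monthly_totals(samples, bits=32):
    """Sum per-interval deltas into {'YYYY-MM': octets}, keyed by poll time (UTC)."""
    totals = {}
    for prev, cur in zip(samples, samples[1:]):
        month = time.strftime("%Y-%m", time.gmtime(cur.ts))
        totals[month] = totals.get(month, 0) + octets_between(prev, cur, bits)
    return totals


def alert_level(total, quota, warn_at=0.8):
    """Classify a running monthly total against a transfer quota."""
    if total >= quota:
        return "over"
    if total >= warn_at * quota:
        return "warning"
    return "ok"


# Constructed 5-minute polls: a normal interval, a 32-bit wrap, a reboot,
# then another normal interval.
T0 = calendar.timegm((2008, 2, 14, 0, 0, 0))
SAMPLES = [
    Sample(T0,        1_000_000, 4_294_000_000),
    Sample(T0 + 300,  1_030_000, 4_294_900_000),
    Sample(T0 + 600,  1_060_000, 500_000),       # wrapped past 2**32
    Sample(T0 + 900,  12_000,    40_000),        # sysUpTime reset: reboot
    Sample(T0 + 1200, 42_000,    340_000),
]

if __name__ == "__main__":
    for month, total in monthly_totals(SAMPLES).items():
        print(month, total, alert_level(total, quota=2_000_000))
```

At 500 Mbit/s a 32-bit octet counter wraps roughly every 69 seconds, so more than one wrap can hide between two 5-minute polls; poll the 64-bit counter and pass `bits=64` where the device offers it.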


[c-nsp] How to measure Layer2 VLAN utilization in IOS

2008-02-15 Thread James Humphris
All,

I have a question about monitoring of traffic volumes in a Cisco based
metro Ethernet environment.

I have a mixture of local switching and EoMPLS VLAN services configured
on the same pair of customer access ports. As you would expect, the
EoMPLS PW's are switched across the wide area and the local switching is
simply between VLAN's configured on both ports in the pair.

I can easily see the EoMPLS statistics in terms of packets sent and
received by issuing the show mpls l2transport vc x detail command,
however I simply cannot see how to obtain the same level of detail with
respect to the local switched services.

For example, the EoMPLS statistics are as follows:

nsn1#sho mpls l2transport vc 101 detail | inc totals
packet totals: receive 589562735, send 589488418
byte totals:   receive 75464030080, send 2440073472

However, for a local switched service, the best I can obtain is:

nsn1#sho vlan counters
* Multicast counters include broadcast packets

Vlan Id: 100
L2 Unicast Packets : 83244
L2 Unicast Octets  : 10322256
L3 Input Unicast Packets   : 0
L3 Input Unicast Octets: 0
L3 Output Unicast Packets  : 0
L3 Output Unicast Octets   : 0
L3 Output Multicast Packets: 0
L3 Output Multicast Octets : 0
L3 Input Multicast Packets : 0
L3 Input Multicast Octets  : 0
L2 Multicast Packets   : 0
L2 Multicast Octets: 0

In which case, I see the general VLAN utilisation in terms of packets
and octets, but cannot determine the direction, source, destination,
ingress, egress port etc...I have tried querying the SMON mib for the
device using SNMP but this demonstrates the same information.

I will look into what I can glean using netflow, but this seems like
overkill when all I really want are some simple L2 switching statistics
via CLI/SNMP. The node in question is a Cisco ME6524; however I think
that this is a general problem in IOS.

Does anyone have any ideas/recommendations?

Many thanks

James.



[c-nsp] Cisco 7600 uRPF

2008-02-15 Thread Soon Kian
Hi Guys,

Any idea why hybrid uRPF mode is not supported on Cisco 7600 IOS?

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/secure.html#wp1031429

Cheers.


Re: [c-nsp] Netflow performance

2008-02-15 Thread Manuel García Montero
Hi James,

Thanks for your response.

We have a WS-SUP720 in the 6500, so I expect it will then be able to
deal with the flows (I have monitored it, 42K peaks, graphs
attached). Next Monday will be the NF-Day.


On Thu, Feb 14, 2008 at 3:44 PM, James Humphris [EMAIL PROTECTED] wrote:
 Manuel,

 It depends upon the exact hardware configuration you have (SUP/PFC/DFC etc..) 
 but on more recent components such as the SUP720, mls netflow functions are 
 supported by a dedicated ASIC in hardware.

 This means that enabling mls netflow has no impact on the forwarding 
 performance of the device. The ASIC simply listens to packets that are 
 routed by the PFC, every time the device considers that a flow has expired, 
 it passes the flow information to the Netflow Data Export (NDE) function and 
 clears the cache entry, ready for re-use.

 It's worth bearing in mind though that the NDE function is completed by the 
 MSFC in the slow path and hence can tend to drive up the CPU on the device.

 We have completed some testing in our labs here on a 7600 with SUP720. We 
 used our test kit to generate 60K concurrent flows with randomly inserted TCP 
 SYN and FIN flags set (loosely emulating pseudo-random TCP sessions) and 
 observed no performance difference with and without netflow enabled.

 Interestingly, this test generated an average NDE traffic volume (using NDE 
 version 5) of about 1Mbit/sec.

 One thing to bear in mind is the level of NDE aggregation and the impact that 
 this has on your management network and MSFC CPU utilisation.

 Hope this helps

 James.




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manuel García 
 Montero
 Sent: 14 February 2008 14:03
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Netflow performance

 Hi,

 Any advice in how netflow can affect the performance in a 6509? currently
 the 6509 provides wccp (8 squids cache farm), with 40 MB of ram used
 (366.9MBytes free), cpu stable at 1-2%, and supports ~500Mbps of
 throughput ...

 I was planning the following typical config (i can attach the rest of the
 config if needed)

mls netflow
mls aging normal 60
mls aging long 64
mls flow ip interface-full
mls nde sender version 5
mls nde interface

ip flow-export source IP_Router
ip flow-export version 5 peer-as
ip flow-export destination Collector_IP Collector_Port
ip flow-aggregation cache source-prefix
  mask source 255.255.255.0


 with C Class aggregation in order to reduce flow size: is this premise
 true?

 Thanks.

Re: [c-nsp] Cisco 7600 uRPF

2008-02-15 Thread Saku Ytti
On (2008-02-15 17:47 +0800), Soon Kian wrote:

 Any idea why hybrid uRPF mode is not supported on Cisco 7600 IOS?

If by hybrid you mean uRPF/strict and uRPF/loose at the same time, it's a
hardware restriction up until EARL7.5. EARL8 (Nexus) does not have
this restriction.

 
 http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/secure.html#wp1031429
 
 Cheers.

-- 
  ++ytti


Re: [c-nsp] Cisco 7600 uRPF

2008-02-15 Thread Tim Durack
Interesting. Wonder if there will be an EARL8 based SUP for the 65/76k?

Guess we'll wait and see.

Tim:

On Fri, Feb 15, 2008 at 6:54 AM, Saku Ytti [EMAIL PROTECTED] wrote:
 On (2008-02-15 17:47 +0800), Soon Kian wrote:

   Any idea why hybrid uRPF mode is not supported on Cisco 7600 IOS?

  If by hybrid you mean uRPF/strict and uRPF/loose at the same time, it's a
  hardware restriction up until EARL7.5. EARL8 (Nexus) does not have
  this restriction.


  
   
 http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/secure.html#wp1031429
  
   Cheers.

  --
   ++ytti




Re: [c-nsp] WS-X6724-SFP and 7600 S Chassis with RSP720-3CXL

2008-02-15 Thread Peter Salanki
The E-mail is about him considering it?

So the real question is: What are you going to do? Do you need the
advanced features and deep buffer space or will a LAN card do?

Sincerely,

Peter Salanki
Solutions Architect
Procera Networks

On Feb 15, 2008, at 5:48 AM, Saku Ytti wrote:

 On (2008-02-15 14:24 +0100), William Jackson wrote:

 I was considering to get this line card + DFC for the mentioned chassis
 over the SIP-600 and SPA-10x1GE, any comments?

 You might want to look at ES20, you'd be paying 10k more (list) and
 getting additional 10GE port.
 ES20 delivers L2+L3 including EVC which allows very rich L2 features.
 What you'd lose is some buffer depth (still massively more than LAN)
 and single tag vlan local significance in subinterfaces. Also as it's
 newer card, you'd need to spend more time approving it.

 Also, as you didn't specify any task you're using it, I have
 to ask, have you considered LAN cards?

 -- 
  ++ytti


[c-nsp] WS-X6724-SFP and 7600 S Chassis with RSP720-3CXL

2008-02-15 Thread William Jackson
Advanced features and deep buffer space.

Will be used in our small core, for IP and MPLS traffic, QoS will also
need to be there.

I need a high port density card, non blocking, routed interfaces, no
major hidden gotchas.



Re: [c-nsp] 7513 RSP4+ SSO Failover Question - 12.2(25)S12

2008-02-15 Thread David Coulson
What is in the log for the previous five minutes?

sh log | inc HA

Gregory Boehnlein wrote:
 Hello,
   We're running a Cisco 7513 w/ Dual RSP 4+s in SSO mode. IOS is
 version Version 12.2(25)S12. We received a notification of an SSO failover
 from our Master RSP to our Slave. Prior to the failover, I had been doing a
 BERT test on a T1 riding on a PA-MC-T3. You can see from the logs below
 where I cleared the logs. About 30 seconds later, the BGP peer on the other
 side of the T1 I was testing on came back online and then 3 seconds after
 that, we got the message.

 Feb 15 00:50:57: %CLEAR-5-COUNTERS: Clear counter on interface
 Serial10/1/0/2:0 by n2net on vty1 (207.166.192.127)
 Feb 15 00:51:13: %BGP-5-ADJCHANGE: neighbor 207.166.197.25 Up 
 Feb 15 00:51:16: %RSP-5-SLAVEUP: Slave changed to state Running, Buffer
 memory state : disabled
 Feb 15 00:51:16: %HA-5-NOTICE: Standby (slave) configured to run hw-module
 HA image slot0:rsp-ik91sv-mz.122-25.S12.bin
 Feb 15 00:51:17: %HA-5-NOTICE: Loading Standby (slave) image:
 slot0:rsp-ik91sv-mz.122-25.S12.bin
 Feb 15 00:51:23: %IF-4-BACKWARD_COUNTERS: Corrected for backward rxtx_errors
 counters (897 - 896) on Serial10/1/0/20:0
 Feb 15 00:52:51: %RSP-5-SLAVEUP: Slave changed to state Running, Buffer
 memory state : disabled
 Feb 15 00:52:51: %HA-5-MODE: Operating mode is hsa, configured mode is sso.
 Feb 15 00:53:18: %ISSU_PROCESS-7-DEBUG: Peer state is hot redundant
 Feb 15 00:53:23: %HA-5-SYNC_NOTICE: Standby has restarted.
 Feb 15 00:53:24: %HA-5-MODE: Operating mode is sso, configured mode is sso.

 Things look normal, and the RSP4+ in slot 6 is marked as active.

 core-ar1#show redundancy debug 
 Operating mode is sso
 redundancy mode sso
 hw-module slot 6 image slot0:rsp-ik91sv-mz.122-25.S12.bin
 hw-module slot 7 image slot0:rsp-ik91sv-mz.122-25.S12.bin

 Active High Availability version is 3.0
 Standby High Availability version is 3.0

 Active is in slot 6
 Standby is in slot 7

 The system total uptime since last reboot is 10 weeks, 3 days, 13 hours 50
 minutes.
 The system has experienced 0 switchovers.

 There doesn't appear to be any switchover history:
 core-ar1#show redundancy switchover history

 I'm thinking that the Slave in slot 7 crashed and rebooted, but I can't seem
 to find any logs that would indicate it, other than the messages in the
 system log. Any suggestions? Ideas?




Re: [c-nsp] EIGRP redistribution between 2 VRFs

2008-02-15 Thread Luan Nguyen
Thank you guys.  Works wonderfully.  Stand-alone BGP... exactly what I need in
this situation.

-lmn

On Fri, Feb 15, 2008 at 8:56 AM, Oliver Boehmer (oboehmer) 
[EMAIL PROTECTED] wrote:

 Jeff Kell  wrote on Friday, February 15, 2008 2:46 PM:

  Michael Lyngbøl wrote:
  On 14.02.2008 16:06:03 -0500, Luan Nguyen wrote:
 
  Say I have VRF RED on one of the interfaces, and VRF BLUE on another
  interface.  And I need to run EIGRP on both of them.  They have
  their own ASN and don't want to change them.  How do I send routes
  learned from RED into BLUE and vice versa?
 
  Import the proper route-targets in VRF RED and VRF BLUE.
  You can also just import+export from/to one of the VRFs. Might need
  to attach import/export maps to filter which routes you'd like to
  import/export.
 
  That's the general idea, but it's not quite that simple (I wish it
  was!).   Or at least I could not get it to actually work with
  import/export alone.
 
  You must run iBGP for the import/export to actually work (at least on
  Catalyst hardware as CE/PE, IOS 12.2) and have iBGP redistributing
  your EIGRP instances, e.g.:
 
  router bgp 9
   !
   address-family ipv4
   redistribute connected
   exit-address-family
   !
   address-family ipv4 vrf RED
   redistribute connected
   redistribute eigrp [reds-ASN]
   exit-address-family
   !
   address-family ipv4 vrf BLUE
   redistribute connected
   redistribute eigrp [blues-ASN]
   exit-address-family
 
  If you subsequently want your red/blue EIGRP's to redistribute their
  respective imported routes further, you'll need to redistribute BGP
  within the EIGRP instances as well.
 
  Of course if all this extra stuff is NOT needed, I'd love to hear
  about it.  It took the import/export plus mutual redistribution in my
  case to get it to work as desired, and I ran out of patience before
  trying to selectively remove bits here and there to see which ones were
  NOT part of the solution.

 You are doing the right thing, you need to enable BGP (no neighbors
 needed) as import/export is only possible via BGP. Don't think you need the
 redist connected within ipv4-AF (the first address-family), but the rest
 is fine and required for this to work.

oli


Re: [c-nsp] WS-X6724-SFP and 7600 S Chassis with RSP720-3CXL

2008-02-15 Thread Gert Doering
Hi,

On Fri, Feb 15, 2008 at 03:48:44PM +0200, Saku Ytti wrote:
 On (2008-02-15 14:24 +0100), William Jackson wrote:
 
  I was considering to get this line card + DFC for the mentioned chassis
  over the SIP-600 and SPA-10x1GE, any comments?
 
 You might want to look at ES20, you'd be paying 10k more (list) and
 getting additional 10GE port.

Is that extra 10k including all required licenses?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025[EMAIL PROTECTED]



Re: [c-nsp] WS-X6724-SFP and 7600 S Chassis with RSP720-3CXL

2008-02-15 Thread Saku Ytti
On (2008-02-15 16:07 +0100), Gert Doering wrote:
 
 Is that extra 10k including all required licenses?

Yes. ES20 is cheaper with the 40k license, when comparing
to 20x1GE or 2x10GE SIP/SPA solution. But lack of vlan
local significance is major catch, which of course can
be worked around to a degree with EVC+SVI hack.

-- 
  ++ytti


Re: [c-nsp] FW: WS-X6724-SFP and 7600 S Chassis with RSP720-3CXL

2008-02-15 Thread Saku Ytti
On (2008-02-15 15:08 +0100), William Jackson wrote:

 I had considered the ES20 card, this will be used for core routing,
 BFD, OSPF, BGP and MPLS.

In core I definitely would go with LAN cards. My motivations
for WAN card would be, VPLS, hierarchical QoS, MAC accounting,
VLAN local significance.

 I was under the impression that the WS-6724-SFP was a LAN card??
  
  I was considering to get this line card + DFC for the mentioned chassis
  over the SIP-600 and SPA-10x1GE, any comments?
  
 You might want to look at ES20, you'd be paying 10k more (list) and
 getting additional 10GE port.
 ES20 delivers L2+L3 including EVC which allows very rich L2 features.
 What you'd lose is some buffer depth (still massively more than LAN)
 and single tag vlan local significance in subinterfaces. Also as it's
 newer card, you'd need to spend more time approving it.
  
 Also, as you didn't specify any task you're using it, I have
 to ask, have you considered LAN cards?
  
 -- 
   ++ytti
 
  
 

-- 
  ++ytti


Re: [c-nsp] 7513 RSP4+ SSO Failover Question - 12.2(25)S12

2008-02-15 Thread David Coulson


Gregory Boehnlein wrote:
 Feb 15 00:49:57: %HA-3-SYNC_ERROR: CCB Playback error.
 Feb 15 00:49:57: %HA-5-SYNC_RETRY: Reloading standby and retrying sync
 operation (retry 1).

 I must have missed this last night.. 
   
This is from 12.0 S, but it may still apply.

CSCsd12203 

Symptoms: On a Cisco 7500 router, the standby may reload with CCB 
PLAYBACK errors when the standby boots up.

Conditions: This symptom has been observed on a Cisco 7500 HA setup.

Workaround: There is no workaround.

Further Problem Description: There is no functional impact.

 So it seems that there was a configuration synch error, so the slave dropped
 out and restarted?
Yep - Usually with a standard synch (from a wr me or something) it'll
try a couple of times before reloading the slave. You could enable
'debug issu error' and see if it does it again. 12.2(25)S is up to
12.2(25)S15 now, although if it has only done it once, it may be impossible
to establish if the upgrade actually solves anything.


Re: [c-nsp] 7513 RSP4+ SSO Failover Question - 12.2(25)S12

2008-02-15 Thread Gregory Boehnlein


Feb 15 00:42:41: %SYS-5-CONFIG_I: Configured from console by n2net on vty1
(207.166.192.127)
Feb 15 00:42:42: %LINK-3-UPDOWN: Interface Serial10/1/0/2:0, changed state
to down
Feb 15 00:47:39: %LINK-6-BERTSTATUS: Interface T3 10/1/0/2, BERT is
completed
Feb 15 00:47:40: %CONTROLLER-5-UPDOWN: Controller T3 10/1/0 T1 2, changed
state to UP
Feb 15 00:47:42: %LINK-3-UPDOWN: Interface Serial10/1/0/2:0, changed state
to up
Feb 15 00:47:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial10/1/0/2:0, changed state to up
Feb 15 00:47:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial10/1/0/2:0, changed state to down
Feb 15 00:49:57: %HA-3-SYNC_ERROR: CCB Playback error.
Feb 15 00:49:57: %HA-5-SYNC_RETRY: Reloading standby and retrying sync
operation (retry 1).

I must have missed this last night.. 

Feb 15 00:50:02: %SYS-5-CONFIG_I: Configured from console by n2net on vty1
(207.166.192.127)
Feb 15 00:50:12: %RSP-3-SLAVECHANGE: Slave changed state from Slave to
Non-participant
Feb 15 00:50:12: %HA-5-MODE: Operating mode is hsa, configured mode is sso.
Feb 15 00:50:15: %RSP-3-SLAVECHANGE: Slave changed state from
Non-participant to Slave
Feb 15 00:50:20: %RSP-3-SLAVECHANGE: Slave changed state from Slave to
Non-participant
Feb 15 00:50:22: %RSP-3-SLAVECHANGE: Slave changed state from
Non-participant to Slave
Feb 15 00:50:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial10/1/0/2:0, changed state to up
Feb 15 00:50:27: %RSP-3-SLAVECHANGE: Slave changed state from Slave to
Non-participant
Feb 15 00:50:30: %RSP-3-SLAVECHANGE: Slave changed state from
Non-participant to Slave
Feb 15 00:50:57: %CLEAR-5-COUNTERS: Clear counter on interface
Serial10/1/0/2:0 by n2net on vty1 (207.166.192.127)
Feb 15 00:51:13: %BGP-5-ADJCHANGE: neighbor 207.166.197.25 Up 
Feb 15 00:51:16: %RSP-5-SLAVEUP: Slave changed to state Running, Buffer
memory state : disabled
Feb 15 00:51:16: %HA-5-NOTICE: Standby (slave) configured to run hw-module
HA image slot0:rsp-ik91sv-mz.122-25.S12.bin
Feb 15 00:51:17: %HA-5-NOTICE: Loading Standby (slave) image:
slot0:rsp-ik91sv-mz.122-25.S12.bin
Feb 15 00:51:23: %IF-4-BACKWARD_COUNTERS: Corrected for backward rxtx_errors
counters (897 - 896) on Serial10/1/0/20:0
Feb 15 00:52:51: %RSP-5-SLAVEUP: Slave changed to state Running, Buffer
memory state : disabled
Feb 15 00:52:51: %HA-5-MODE: Operating mode is hsa, configured mode is sso.
Feb 15 00:53:18: %ISSU_PROCESS-7-DEBUG: Peer state is hot redundant
Feb 15 00:53:23: %HA-5-SYNC_NOTICE: Standby has restarted.
Feb 15 00:53:24: %HA-5-MODE: Operating mode is sso, configured mode is sso.

So it seems that there was a configuration synch error, so the slave dropped
out and restarted?


 -Original Message-
 From: David Coulson [mailto:[EMAIL PROTECTED]
 Sent: Friday, February 15, 2008 9:41 AM
 To: Gregory Boehnlein
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] 7513 RSP4+ SSO Failover Question - 12.2(25)S12
 
 What is in the log for the previous five minutes?
 
 sh log | inc HA
 
 Gregory Boehnlein wrote:
  Hello,
  We're running a Cisco 7513 w/ Dual RSP 4+s in SSO mode. IOS is
  version Version 12.2(25)S12. We received a notification of an SSO
 failover
  from our Master RSP to our Slave. Prior to the failover, I had been
 doing a
  BERT test on a T1 riding on a PA-MC-T3. You can see from the logs
 below
  where I cleared the logs. About 30 seconds later, the BGP peer on the
 other
  side of the T1 I was testing on came back online and then 3 seconds
 after
  that, we got the message.
 
  Feb 15 00:50:57: %CLEAR-5-COUNTERS: Clear counter on interface
  Serial10/1/0/2:0 by n2net on vty1 (207.166.192.127)
  Feb 15 00:51:13: %BGP-5-ADJCHANGE: neighbor 207.166.197.25 Up
  Feb 15 00:51:16: %RSP-5-SLAVEUP: Slave changed to state Running,
 Buffer
  memory state : disabled
  Feb 15 00:51:16: %HA-5-NOTICE: Standby (slave) configured to run hw-
 module
  HA image slot0:rsp-ik91sv-mz.122-25.S12.bin
  Feb 15 00:51:17: %HA-5-NOTICE: Loading Standby (slave) image:
  slot0:rsp-ik91sv-mz.122-25.S12.bin
  Feb 15 00:51:23: %IF-4-BACKWARD_COUNTERS: Corrected for backward
 rxtx_errors
  counters (897 - 896) on Serial10/1/0/20:0
  Feb 15 00:52:51: %RSP-5-SLAVEUP: Slave changed to state Running,
 Buffer
  memory state : disabled
  Feb 15 00:52:51: %HA-5-MODE: Operating mode is hsa, configured mode
 is sso.
  Feb 15 00:53:18: %ISSU_PROCESS-7-DEBUG: Peer state is hot redundant
  Feb 15 00:53:23: %HA-5-SYNC_NOTICE: Standby has restarted.
  Feb 15 00:53:24: %HA-5-MODE: Operating mode is sso, configured mode
 is sso.
 
  Things look normal, and the RSP4+ in slot 6 is marked as active.
 
  core-ar1#show redundancy debug
  Operating mode is sso
  redundancy mode sso
  hw-module slot 6 image slot0:rsp-ik91sv-mz.122-25.S12.bin
  hw-module slot 7 image slot0:rsp-ik91sv-mz.122-25.S12.bin
 
  Active High Availability version is 3.0
  Standby High Availability version is 3.0
 
  Active is in slot 6
  Standby is in slot 7
 
  The system total uptime since last 

Re: [c-nsp] TTL decrement through FWSM

2008-02-15 Thread Christian Koch
what code was this in?

thanks for the info as well, from this and all the responses of my other
fwsm thread, I am finding out tons of useful information :)

On Fri, Feb 15, 2008 at 9:12 AM, Peter Rathlev [EMAIL PROTECTED] wrote:

 Hi,

 I can see there was a thread from May 2006 about the FWSM and TTL
 decrements. The FWSM doesn't show up in traceroutes because of this, and
 that is sometimes not good seen from a debugging perspective.

 Does anybody know if this has been corrected in the meantime? Is there
 really no way of having the FWSM decrement TTL and send back
 unreachables for traffic passing through it?

 Regards,
 Peter




[c-nsp] ASA 7.2(3) SNMP issues?

2008-02-15 Thread Jeff Kell
Recently upgraded 7.2(2) - 7.2(3)12 and our network monitors stopped 
reading interface stats off the ASAs.  Anyone know of any issues?

We can get system status fine, so it's not an SNMP permissions issue; 
but interface stats disappeared.

Jeff


[c-nsp] favorite access-list simulator

2008-02-15 Thread Jeff Behl
I'd like to send the contents of a tcpdump through a simulated 
access-list and see what packets are getting blocked.  So instead of 
applying an ACL to a live interface with a 'deny ip any any log' at the 
end, does anyone have a favorite tool/method for doing this?

thx

jeff


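One way to do offline what this post asks for, as an added example that is not part of the original message and is not an existing tool: a first-match evaluator for a subset of IOS extended ACL entries, run over text lines in the style of `tcpdump -nn -q`. The ACL, the capture lines (documentation address ranges) and all function names are constructed for illustration; only numeric ports and the `log` keyword are handled, and anything else is rejected rather than guessed at.

```python
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
# Assumed capture format: IPv4 text lines in the style of `tcpdump -nn -q`.
_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > "
                   r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (\w+)")

def parse_capture_line(line):
    """Return a Packet, or None for lines that are not IPv4 packet summaries."""
    m = _LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, proto = m.groups()
    return Packet(proto.lower(), src, int(sport) if sport else None,
                  dst, int(dport) if dport else None)

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _ports(tokens):
    """Consume an optional numeric port operator -> (low, high) or None."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "range"):
        return None
    op, first = tokens.pop(0), int(tokens.pop(0))
    if op == "eq":
        return first, first
    if op == "gt":
        return first + 1, 65535
    if op == "lt":
        return 0, first - 1
    return first, int(tokens.pop(0))

def parse_ace(line):
    """Parse one 'permit|deny PROTO SRC [ports] DST [ports] [log]' entry."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported entry: {line!r}")
    ace = {"action": action, "proto": proto,
           "src": _addr(tokens), "sport": _ports(tokens),
           "dst": _addr(tokens), "dport": _ports(tokens)}
    if tokens not in ([], ["log"]):
        # Refuse keywords this subset does not model instead of mis-evaluating.
        raise ValueError(f"unsupported keywords {tokens} in {line!r}")
    return ace

def _addr_ok(spec, ip):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def _port_ok(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def evaluate(acl, pkt):
    """First match wins; returns (action, ACE index) or ('deny', None)."""
    for idx, ace in enumerate(acl):
        if (ace["proto"] in ("ip", pkt.proto)
                and _addr_ok(ace["src"], pkt.src) and _port_ok(ace["sport"], pkt.sport)
                and _addr_ok(ace["dst"], pkt.dst) and _port_ok(ace["dport"], pkt.dport)):
            return ace["action"], idx
    return "deny", None  # implicit deny at the end of every ACL

def blocked(acl_text, capture_text):
    """List (Packet, ACE index or None) for every packet the ACL would drop."""
    acl = [parse_ace(entry) for entry in acl_text.strip().splitlines()]
    result = []
    for line in capture_text.strip().splitlines():
        pkt = parse_capture_line(line)
        if pkt is None:
            continue
        action, idx = evaluate(acl, pkt)
        if action == "deny":
            result.append((pkt, idx))
    return result

# Constructed ACL body, as it would appear under `ip access-list extended`.
ACL = """
permit tcp any host 192.0.2.10 eq 80
permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
deny udp any any range 135 139 log
permit icmp any any
"""
# Constructed capture text (not from a real network).
CAPTURE = """
12:00:00.000001 IP 203.0.113.5.40000 > 192.0.2.10.80: tcp 0
12:00:00.000002 IP 203.0.113.5.40001 > 192.0.2.10.22: tcp 0
12:00:00.000003 IP 198.51.100.7.40002 > 192.0.2.10.22: tcp 0
12:00:00.000004 IP 203.0.113.5.137 > 192.0.2.20.137: UDP, length 50
12:00:00.000005 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
"""
```

`blocked(ACL, CAPTURE)` returns the dropped packets with the index of the matching `deny` entry, or `None` when the packet fell through to the implicit deny, which is the information a trailing `deny ip any any log` would have produced on a live interface.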


Re: [c-nsp] Cisco7609 as P layer

2008-02-15 Thread Mark Tinka
On Wednesday 13 February 2008, Kim Onnel wrote:

 Plus it would be unfair to compare price and performance
 of 7600 to an M320 and Juniper would never put an M7i or
 M10 as P, so its all about Positioning not just 'pure
 technical' judgement.

This depends on the size and complexity of the network.

I'm sure many a (small) network would consider an M7i, M10i 
(or for that matter, 7206-VXR) as a good-enough core 
router, given their needs.

While it would be difficult to equally compare a 7600 to an 
M320, this problem would (mostly) apply to ISP's that need 
that kind of horsepower (and complexity), in the first 
place.

Mark.



Re: [c-nsp] Cisco7609 as P layer

2008-02-15 Thread Alastair Johnson
Mark Tinka wrote:
 On Wednesday 13 February 2008, Kim Onnel wrote:
 
 Plus it would be unfair to compare price and performance
 of 7600 to an M320 and Juniper would never put an M7i or
 M10 as P, so its all about Positioning not just 'pure
 technical' judgement.
 
 This depends on the size and complexity of the network.
 
 I'm sure many a (small) network would consider an M7i, M10i 
 (or for that matter, 7206-VXR) as a good-enough core 
 router, given their needs.

I have seen M10i positioned by Juniper as P routers in environments
where a modest amount of GE/SONET connectivity is required (e.g. small
regional sites).


Re: [c-nsp] Cisco VPN Client for 64-bit????

2008-02-15 Thread Florian Pressler
Kaj Niemi wrote:

 Also.. on the webvpn side, what happened in 8.0 to ASA
 customization? customize foo is deprecated and does not seem to
 result in anything anymore (in 7.2 that worked). Now there seems to
 be some kind of xml importing tool instead or the assumption that
 everybody is to use ASDM for administration. I could not find any
 documentation on CCO on the new format.

Yes, beginning with v8 the way to customize WebVPN changed considerably (as you 
wrote, it works with XML files which can be imported and exported, but those don't 
show up in the config at all). I don't like that fact, because it complicates 
the process of swapping a box in case of hardware failure. I found out those 
facts in August last year, and wrote a netpro-forum thread, where I listed the 
problems I see in this paradigm:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprofforum=Virtual%20Private%20Networkstopic=GeneralCommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddf8629

or in short http://preview.tinyurl.com/29adfa

Nobody ever responded.

I also mentioned the non-existing documentation in this post - but in the 
meantime I found something: The trick is not to search in the 
ASA documentation, but in the ASDM documentation. There is some information about 
the XML file structure, but not much.

Kind Regards,
airflow
-- 
Homepage: http://fp.ath.cx/ PGP-keyID: C9FEDBA2



Re: [c-nsp] CAB-OCTAL-ASYNC alternative

2008-02-15 Thread David Coulson
Get a RJ45-RJ45 patch panel - That is, a panel with RJ45 connectors 
wired straight through on both sides. Plug your octal cable into one 
side, then run patch cables to your devices and use a RJ45-DB9 adapter. 
Or you can run a patch cable directly into a device that has a RJ45 
console port. That way you can always roll the device side cable, or use 
a differently wired RJ45-DB9 adapter for anything that is unusual.

Eric Helm wrote:
 Hello,

 Can anyone recommend a good solution for a 2610XM + NM-32A terminal 
 server that will be connecting mostly to equipment with a DB9 serial 
 port. Would prefer something that is a 19" rack mounted patch panel that 
 could directly attach to the 68-pin connectors on the async modules and 
 break out into 16 or 32 DB9 ports. Otherwise something that can take the 
 RJ45 on the back and have DB9 on the front would work too.


 Thanks,
 /Eric


Re: [c-nsp] CAB-OCTAL-ASYNC alternative

2008-02-15 Thread Joe Freeman
Try a Cyclades ACS box from Avocent. They come in up to 48 port variants
with ac or dc single or dual power supplies.



On 2/15/08, Eric Helm [EMAIL PROTECTED] wrote:

 Hello,

 Can anyone recommend a good solution for a 2610XM + NM-32A terminal
 server that will be connecting mostly to equipment with a DB9 serial
 port. Would prefer something that is a 19" rack mounted patch panel that
 could directly attach to the 68-pin connectors on the async modules and
 break out into 16 or 32 DB9 ports. Otherwise something that can take the
 RJ45 on the back and have DB9 on the front would work too.


 Thanks,
 /Eric


Re: [c-nsp] WS-X6724-SFP and 7600 S Chassis with RSP720-3CXL

2008-02-15 Thread Justin Shore
Saku Ytti wrote:
 You might want to look at ES20, you'd be paying 10k more (list) and
 getting additional 10GE port.
 ES20 delivers L2+L3 including EVC which allows very rich L2 features.
 What you'd lose is some buffer depth (still massively more than LAN)
 and single tag vlan local significance in subinterfaces. Also as it's
 newer card, you'd need to spend more time approving it.

Are you sure on the ES20 prices, Saku?  The 6724-SFP runs $15k plus 
another $15k for the 3CXL DFC.  The ES20-GECXL runs $60k and has the DFC 
built in.  The basic ES20 comes with the BASIC-LIC which includes: ES20 
Basic License: No MVPN, IPv6, 6VPE, and L3 IP/MPLS VPN.  The ADVIP-LIC 
includes With MVPN, IPv6, 6VPE, and L3 IP/MPLS VPN and is another $40k. 
  The ES20 is also one of those special linecards that requires a 
dedicated SmartNet.  24x7x4 runs another $13,440 per year.  The 6700 
series cards are covered under the Sup's SmartNet.  Those are list 
prices in US $s.

I know that the US dollar has taken a beating this year but is it that 
bad? :-)

Justin


[c-nsp] Need guidance on NetFlow

2008-02-15 Thread Steve Pfister
I've been given the task of evaluating Solarwinds Orion, a network management
tool which was purchased some time before I began working here. Part of that
suite is a NetFlow traffic analysis tool.

I'm trying to get some guidance on how best to enable NetFlow in our
production network. Our core and distribution layers are mostly 4510R, 8510,
4506, and 4507 switches and 3640, 7204vxr and 7206vxr routers. The access
switches are 3500 and 2900 for the most part and I know that those don't
support NetFlow.

- What's the best source of information on what's needed to enable NetFlow
on all these devices? I've been doing some searching and I've found bits and
pieces of info, some of which seems to conflict with each other.
- Is there some guidance on what to plan for as far as bandwidth and storage
for the collector?
- The NetFlow tool I'm looking at expects NetFlow v5. If I use Sampled
NetFlow, will that be worthwhile?
Thanks!


[c-nsp] CAB-OCTAL-ASYNC alternative

2008-02-15 Thread Eric Helm
Hello,

Can anyone recommend a good solution for a 2610XM + NM-32A terminal 
server that will be connecting mostly to equipment with a DB9 serial 
port. Would prefer something that is a 19" rack mounted patch panel that 
could directly attach to the 68-pin connectors on the async modules and 
break out into 16 or 32 DB9 ports. Otherwise something that can take the 
RJ45 on the back and have DB9 on the front would work too.


Thanks,
/Eric


[c-nsp] 2811 performance on an Ethernet over SONET connection??

2008-02-15 Thread Joe Freeman
Folks-

I have a situation in which a customer has a 2811 router connected to an
Ethernet over SONET pipe from me onto which he subscribes 15M of Internet.
The SONET portion of the pipe currently has 11 VT1.5's cross-connected. This
customer is seeing asymmetric performance on the link in that his upload
speeds are significantly lower than the download speeds.

Given that there is no congestion on the network, plenty of bandwidth is
available, and no significant packet/frame loss errors are seen at any
point, including on the SONET ADM boxes, I'm sort of at a loss. Further, I
can plug my laptop into this port with 1323 opts, nagle, window scaling, and
a large MAX window size and test absolutely fine across the circuit. I plug
the same laptop into the lan side of his router (Fa0/1, below) and I see the
significant drop of which he's complaining.

I've also verified the speed/duplex settings are appropriate and are working
correctly. One other thing I've noticed is that as I increase bandwidth
across the SONET ring, the disconnect between upload and download speeds
appears to grow on an almost log scale.

Anyone have any thoughts or tips on this?

Thanks-
Joe

R1#sho ver
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3d),
RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 19-Apr-06 09:18 by alnguyen

ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

nettech uptime is 1 hour, 23 minutes
System returned to ROM by power-on
System image file is flash:c2800nm-ipbase-mz.124-3d.bin

Cisco 2811 (revision 53.51) with 251904K/10240K bytes of memory.
Processor board ID FTX1027A1HS
6 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

R1#sho run
Building configuration...

Current configuration : 1115 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
ip domain name R1.net
!
!
!
!
interface FastEthernet0/0
 description to Internet
 ip address 66.211.51.10 255.255.255.252
 ip nat outside
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description To LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 66.211.51.9
!
no ip http server
ip nat inside source static 192.168.1.2 interface FastEthernet0/0
!
!
control-plane
!
banner motd ^C Authorized personel only, please. ^C
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
scheduler allocate 2 1000
!
end


Re: [c-nsp] 2811 performance on an Ethernet over SONET connection??

2008-02-15 Thread Paolo Lucente
Hi Joe,

it might be you need to apply some outbound shaping onto the interface facing
the Internet due to the difference between the access rate (100Mbps) and the
CIR (15Mbps). This could explain why degraded throughput is experienced only
upstream. I can't really imagine it could be a CPU-related issue, but all in
all it's worth checking it.

Cheers,
Paolo


On Fri, Feb 15, 2008 at 02:59:55PM -0600, Joe Freeman wrote:
 Folks-
 
 I have a situation in which a customer has a 2811 router connected to an
 Ethernet over SONET pipe from me onto which he subscribes 15M of Internet.
 The SONET portion of the pipe currently has 11 VT1.5's cross-connected. This
 customer is seeing asymmetric performance on the link in that his upload
 speeds are significantly lower than the download speeds.
 
 Given that there is no congestion on the network, plenty of bandwidth is
 available, and no significant packet/frame loss errors are seen at any
 point, including on the SONET ADM boxes, I'm sort of at a loss. Further, I
 can plug my laptop into this port with 1323 opts, nagle, window scaling, and
 a large MAX window size and test absolutely fine across the circuit. I plug
 the same laptop into the lan side of his router (Fa0/1, below) and I see the
 significant drop of which he's complaining.
 
 I've also verified the speed/duplex settings are appropriate and are working
 correctly. One other thing I've noticed is that as I increase bandwidth
 across the SONET ring, the disconnect between upload and download speeds
 appears to grow on an almost log scale.
 
 Anyone have any thoughts or tips on this?
 
 Thanks-
 Joe
 
 R1#sho ver
 Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3d),
 RELEASE SOFTWARE (fc3)
 Technical Support: http://www.cisco.com/techsupport
 Copyright (c) 1986-2006 by Cisco Systems, Inc.
 Compiled Wed 19-Apr-06 09:18 by alnguyen
 
 ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
 
 nettech uptime is 1 hour, 23 minutes
 System returned to ROM by power-on
 System image file is flash:c2800nm-ipbase-mz.124-3d.bin
 
 Cisco 2811 (revision 53.51) with 251904K/10240K bytes of memory.
 Processor board ID FTX1027A1HS
 6 FastEthernet interfaces
 DRAM configuration is 64 bits wide with parity enabled.
 239K bytes of non-volatile configuration memory.
 62720K bytes of ATA CompactFlash (Read/Write)
 
 Configuration register is 0x2102
 
 R1#sho run
 Building configuration...
 
 Current configuration : 1115 bytes
 !
 version 12.4
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname R1
 !
 boot-start-marker
 boot-end-marker
 !
 !
 no aaa new-model
 !
 resource policy
 !
 ip subnet-zero
 !
 !
 ip cef
 !
 !
 no ip domain lookup
 ip domain name R1.net
 !
 !
 !
 !
 interface FastEthernet0/0
  description to Internet
  ip address 66.211.51.10 255.255.255.252
  ip nat outside
  load-interval 30
  duplex auto
  speed auto
 !
 interface FastEthernet0/1
  description To LAN
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  duplex auto
  speed auto
 !
 interface FastEthernet0/0/0
 !
 interface FastEthernet0/0/1
 !
 interface FastEthernet0/0/2
 !
 interface FastEthernet0/0/3
 !
 interface Vlan1
  no ip address
 !
 ip classless
 ip route 0.0.0.0 0.0.0.0 66.211.51.9
 !
 no ip http server
 ip nat inside source static 192.168.1.2 interface FastEthernet0/0
 !
 !
 control-plane
 !
 banner motd ^C Authorized personel only, please. ^C
 !
 line con 0
 line aux 0
 line vty 0 4
  password cisco
  login
 !
 scheduler allocate 2 1000
 !
 end
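
The rate mismatch Paolo describes, as an added example that is not part of the original post: one burst leaves the router at the 100 Mbps access rate into a queue that drains at the 15 Mbps CIR, then the same burst is paced at 15 Mbps as an outbound shaper would send it. The 24,000-byte buffer, the 64-packet burst and the 1500-byte packets are assumptions chosen for illustration, not measurements from this circuit.

```python
def burst_drops(send_rate_bps, drain_rate_bps=15_000_000, burst_pkts=64,
                pkt_bytes=1500, buffer_bytes=24_000):
    """Count tail drops when one burst hits a finite queue in front of the CIR.

    send_rate_bps  - rate at which the router puts the burst on the wire
    drain_rate_bps - rate at which the carrier side empties the queue (CIR)
    buffer_bytes   - assumed queue depth in front of the 15 Mbps path
    Integer arithmetic keeps the result exact and repeatable.
    """
    # Time between packet starts at the sender, in nanoseconds.
    gap_ns = pkt_bytes * 8 * 10**9 // send_rate_bps
    # Bytes the queue can forward during one such gap.
    drained_per_gap = gap_ns * drain_rate_bps // (8 * 10**9)

    backlog = 0
    drops = 0
    for _ in range(burst_pkts):
        if backlog + pkt_bytes > buffer_bytes:
            drops += 1                # queue full: packet is tail-dropped
        else:
            backlog += pkt_bytes      # packet is queued
        backlog = max(0, backlog - drained_per_gap)
    return drops


if __name__ == "__main__":
    # Unshaped: FastEthernet sends the burst at line rate (100 Mbps).
    print("unshaped drops:", burst_drops(100_000_000))
    # Shaped: the router paces the same burst at the 15 Mbps CIR.
    print("shaped drops:  ", burst_drops(15_000_000))
```

Each drop in the unshaped case is a TCP retransmission for the uploading host, which is why only the direction where the router itself is the fast sender suffers.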



[c-nsp] Telstra ADSL pix firewall running 6.3

2008-02-15 Thread Joseph Jackson
Hey all,

Anyone have any experience with setting up a pix firewall with Telstra's
business ADSL?

I have a pix in Sydney that I've been trying to get online but I am running
into some show stoppers.

Here is the relevant config from the pix


ip address outside 165.228.203.90 255.255.255.0  pppoe setroute (I've tried
this without the IP address also)

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname [EMAIL PROTECTED]

vpdn group pppoex ppp authentication chap

vpdn username [EMAIL PROTECTED] password *

All the commands go in ok but when I do a debug pppoe packets it looks like
the pix can't find the pppoe server.  It does the discovery but never gets a
response so fails.  The Telstra setup email includes an ATM VPI/VCI number
but the pix doesn't support that (I'm guessing it's only for routers).  I do
not have outband access to the device and have been working with the
datacenter's smarthands through webex (love it).

I haven't been able to get in touch with Telstra as it's the weekend over
there but I was wondering if you guys have come across this issue before.

Thanks!

Joseph


Re: [c-nsp] WS-X6724-SFP and 7600 S Chassis with RSP720-3CXL

2008-02-15 Thread Stephen Fulton
Justin, Saku:

Here's a comparison of Canadian list pricing (despite parity with the US 
dollar sigh):

ES20-GE3CXL     $70,800
ES20-10G3CXL    $94,400
ES20-ADVIP-LIC  $47,200

SIP-600         $106,200
SPA-5X1GE-V2    $21,240
SPA-10X1GE      $35,400

Assuming N points off list, a SIP/SPA pair is cheaper (No discounts on 
licences, IIRC).

Now if you asked me what was the best value?  The ES20, simple.

-- Stephen.

Justin Shore wrote:
 Saku Ytti wrote:
 You might want to look at ES20, you'd be paying 10k more (list) and
 getting additional 10GE port.
 ES20 delivers L2+L3 including EVC which allows very rich L2 features.
 What you'd lose is some buffer depth (still massively more than LAN)
 and single tag vlan local significance in subinterfaces. Also as it's
 newer card, you'd need to spend more time approving it.
 
 Are you sure on the ES20 prices, Saku?  The 6724-SFP runs $15k plus 
 another $15k for the 3CXL DFC.  The ES20-GECXL runs $60k and has the DFC 
 built in.  The basic ES20 comes with the BASIC-LIC which includes: ES20 
 Basic License: No MVPN, IPv6, 6VPE, and L3 IP/MPLS VPN.  The ADVIP-LIC 
 includes With MVPN, IPv6, 6VPE, and L3 IP/MPLS VPN and is another $40k. 
   The ES20 is also one of those special linecards that requires a 
 dedicated SmartNet.  24x7x4 runs another $13,440 per year.  The 6700 
 series cards are covered under the Sup's SmartNet.  Those are list 
 prices in US $s.
 
 I know that the US dollar has taken a beating this year but is it that 
 bad? :-)
 
 Justin


Re: [c-nsp] ASA 7.2(3) SNMP issues?

2008-02-15 Thread Brian Landers
On Feb 15, 2008, at 11:37 AM, Jeff Kell wrote:

 Recently upgraded 7.2(2) - 7.2(3)12 and our network monitors stopped
 reading interface stats off the ASAs.  Anyone know of any issues?

 We can get system status fine, so it's not an SNMP permissions issue;
 but interface stats disappeared.

We saw the same issue when going from 7.2(3) - 7.2(3)12.  Going back  
to 7.2(3) release fixed it.  Nothing I can find in Bug Toolkit or the  
7.2(3) interim release notes to explain it, though.




Re: [c-nsp] Telstra ADSL pix firewall running 6.3

2008-02-15 Thread Adrian Chadd
On Fri, Feb 15, 2008, Joseph Jackson wrote:

 vpdn username [EMAIL PROTECTED] password *
 All the commands go in ok but when I do a debug pppoe packets it looks like
 the pix can't find the pppoe server.  It does the discovery but never gets a
 response so fails.  The Telstra setup email includes an ATM VPI/VCI number
 but the pix doesn't support that (I'm guessing it's only for routers).  I do
 not have outband access to the device and have been working with the
 datacenter's smarthands through webex (love it).

 I haven't been able to get in touch with Telstra as it's the weekend over
 there but I was wondering if you guys have come across this issue before.

Uhm, do you understand how it's all meant to hold together?
If it's a normal DSL service today then it's PPP of some sort over ethernet
of some sort over an ATM VC. You've got a modem device that has the VPI/VCI
correctly configured, and acting as a real bridge?



Adrian
(Who does that sort of stuff in Australia for a living .. occasionally.)



Re: [c-nsp] ASA 7.2(3) SNMP issues?

2008-02-15 Thread Mike Andrews
On Fri, 15 Feb 2008, Brian Landers wrote:

 On Feb 15, 2008, at 11:37 AM, Jeff Kell wrote:

 Recently upgraded 7.2(2) - 7.2(3)12 and our network monitors stopped
 reading interface stats off the ASAs.  Anyone know of any issues?

 We can get system status fine, so it's not an SNMP permissions issue;
 but interface stats disappeared.

 We saw the same issue when going from 7.2(3) - 7.2(3)12.  Going back
 to 7.2(3) release fixed it.  Nothing I can find in Bug Toolkit or the
 7.2(3) interim release notes to explain it, though.

I also ran into this; it appears you can snmpwalk the counters in IF-MIB 
but you can't snmpget them:

% snmpwalk -v 2c -c blah asa .1.3.6.1.2.1.31.1.1.1.6
IF-MIB::ifHCInOctets.1 = Counter64: 11871409813
IF-MIB::ifHCInOctets.2 = Counter64: 58711253205
IF-MIB::ifHCInOctets.3 = Counter64: 504682365
IF-MIB::ifHCInOctets.4 = Counter64: 2510676
IF-MIB::ifHCInOctets.5 = Counter64: 0

% snmpget -v 2c -c blah asa .1.3.6.1.2.1.31.1.1.1.6.1
IF-MIB::ifHCInOctets.1 = No Such Instance currently exists at this OID

I keep forgetting to submit the bug to Cisco, mostly because 7.2(3) works 
well enough for me and our particular configs aren't affected by the 
security issue it has...


Mike Andrews  *  [EMAIL PROTECTED]  *  http://www.fark.com
It's not news, it's Fark.com.  Carpe cavy!
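
The walk-versus-get discrepancy reported above can be checked mechanically from saved net-snmp output, which separates it from a permissions or view problem. This is an added example, not part of the original post: the function names are hypothetical, and the sample text is the command output quoted in the post.

```python
# Output copied from the post above (snmpwalk, then snmpget on instance .1).
WALK_OUTPUT = """\
IF-MIB::ifHCInOctets.1 = Counter64: 11871409813
IF-MIB::ifHCInOctets.2 = Counter64: 58711253205
IF-MIB::ifHCInOctets.3 = Counter64: 504682365
IF-MIB::ifHCInOctets.4 = Counter64: 2510676
IF-MIB::ifHCInOctets.5 = Counter64: 0
"""
GET_OUTPUT = """\
IF-MIB::ifHCInOctets.1 = No Such Instance currently exists at this OID
"""

# net-snmp prints SNMPv2c exception values as fixed phrases, not "TYPE: value".
EXCEPTIONS = {
    "No Such Object available on this agent at this OID": "noSuchObject",
    "No Such Instance currently exists at this OID": "noSuchInstance",
}


def parse_varbinds(text):
    """Return {name: (type, value)}; an exception is stored as (kind, None)."""
    varbinds = {}
    for line in text.splitlines():
        name, sep, rest = line.strip().partition(" = ")
        if not sep:
            continue  # not a varbind line (blank line, error text, ...)
        if rest in EXCEPTIONS:
            varbinds[name] = (EXCEPTIONS[rest], None)
        else:
            vtype, _, value = rest.partition(": ")
            varbinds[name] = (vtype, value)
    return varbinds


def get_failures_seen_in_walk(walk_text, get_text):
    """Instances where GET returns an exception although the walk has a value."""
    walked = parse_varbinds(walk_text)
    return [
        name
        for name, (_kind, value) in parse_varbinds(get_text).items()
        if value is None and walked.get(name, (None, None))[1] is not None
    ]


def read_counter(name, walk_text, get_text):
    """Prefer the GET value, fall back to the walk. Returns (int or None, source)."""
    for source, text in (("get", get_text), ("walk", walk_text)):
        vtype, value = parse_varbinds(text).get(name, (None, None))
        if value is not None and vtype.startswith("Counter"):
            return int(value), source
    return None, "missing"


if __name__ == "__main__":
    for oid in get_failures_seen_in_walk(WALK_OUTPUT, GET_OUTPUT):
        print(oid, read_counter(oid, WALK_OUTPUT, GET_OUTPUT))
```

A poller that issues GET per instance would report the interface counters as gone, while the same data is still reachable through GETNEXT.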