[c-nsp] ddos attack makes c6509 cpu soared.
Hello all.

I have operated a sup720-based c6509 (DFC3 included) with time-based sampling netflow enabled. Some days ago, there was a ddos attack against the server of over 1Mpps, and then the cpu of the c6509 soared from 5 to 95. As I know, a sup720-based c6509 can do services up to 30Mpps, but I can't understand why the cpu is high. Is there any relation with the netflow enabled config? The cisco website says that netflow supports up to 128,000 flows. Then, should I disable netflow when under ddos attack?

Thanks for your help..

Regards..

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cat6500 - Support for MPLS and IPv6
SXH2 is now available for download. Feature Navigator is not yet updated with the feature set for the SXH2 code though.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gert Doering
Sent: Monday, March 31, 2008 1:20 AM
To: Juno Guy
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cat6500 - Support for MPLS and IPv6

Hi,

On Sun, Mar 30, 2008 at 10:52:04PM -0400, Juno Guy wrote:
> It is my understanding that somewhere after the 12.2SX release MPLS and IPv6 will no longer be supported on the 6500 (but will continue to be supported on the 7600 as I understand).

Well, as far as I understand, this is currently not the case, and I haven't seen any announcement to that extent. (Except as has already been written: the *modular* variant of SXF had no support for either, but that was "not yet", and not "not any longer".)

OTOH, personally, I have great distrust for the 7600/6500 BUs, and it wouldn't surprise me to come to a point in the future where I need to decide: do I want support for 32 bit AS numbers, or do I want support for my existing hardware? Cisco needs to do a *lot* to get back the customer trust that these two BUs have destroyed.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
Re: [c-nsp] Vlan interface vs. sub-interface
I've done this several times on small endpoint routers: the customer had a switch with a few VLANs and then connected a trunk port to a FastEthernet port on an 1841 or 2811 router. Here's a brief example:

interface FastEthernet0/0
 description Connected to switch trunk port
!
interface FastEthernet0/0.10
 description VLAN 10
 encapsulation dot1q 10
!
interface FastEthernet0/0.100
 description VLAN 100
 encapsulation dot1q 100
!

And so on... Hope this helps someone.

Ziv

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Armstrong
Sent: Tuesday, April 01, 2008 5:06 AM
To: David Coulson
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Vlan interface vs. sub-interface

I've never seen a mixed L2/L3 platform that supported SVIs where you could make subinterfaces and set vlan encapsulation?

David Coulson wrote:
> One of the big advantages of sub-interfaces over VLAN interfaces is that if 'VLAN 100' on one port is a totally different network to 'VLAN 100' on another, using a sub-interface you can configure them as unique L3 interfaces. I've done this a lot with dot1q handoffs, and it works nicely.
>
> Is there a mechanism in place for QinQ mappings to a SVI? Never really dealt with that before, but now I'm curious.
>
> David
>
> Nate wrote:
>> I'm trying to put together a table of advantages (and disadvantages) of a vlan interface (SVI) vs. a sub-interface of a physical port. So far, I have the following.
>>
>> SVI
>> Advantage:
>> -Ability to add redundant link to the L3 interface
>> -Better counter and statistics displayed through CLI
>> Disadvantage:
>> -Need to be mindful of Spanning Tree issues on redundant links
>> -The number of SVI supported may be limited dependent on platform?
>>
>> Physical port sub-interface
>> Advantage:
>> -Easier to configure and supported on more platforms?
>> Disadvantage:
>> -Inability to add L2 redundant links
>> -Statistics on CLI limited
>> -Bandwidth limited to physical port
>>
>> Are there more significant advantages/disadvantages (e.g. buffer limit, queue depth) that I'm missing?
>>
>> Thanks,
>> Nate
Re: [c-nsp] EasyVPN IOS-ASA55xx
Hi Peter,

The command same-security-traffic permit intra-interface is not in the config, but am I likely to break anything if I use it?

W

On 31/03/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
> On Mon, 2008-03-31 at 21:01 +0100, William wrote:
>> I did try the icmp permit commands but that still doesn't fix my issue. I also get DENYs come up in the logs when I try to telnet to the devices over the vpn (on the client 800 end).
>>
>> %ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst inside:22.22.22.2 (type 8, code 0)
>
> This is an ICMP deny, specifically addressed by the icmp permit commands. If you get denys from TCP connections the log messages will be different. They should actually tell you which ACL denies the traffic. (If it says it's an implicit deny on an interface without an ACL.) Their format (the log message number) could give a clue.
>
> I'm just shooting in the dark, but according to the above message the traffic enters and exits the same interface; do you have the same-security-traffic permit intra-interface command for that? Otherwise I'm blank. :-)
>
> Regards,
> Peter
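Peter's diagnosis rests on one detail of the log line: the src and dst interface names are the same, so the traffic is hairpinning on "inside". The following is an added example (not from the thread) that pulls that detail out of %ASA-3-106014 messages so a log search can surface hairpin denies directly; the sample log is constructed, with only its first line taken from William's post, and the field names are my own.

```python
import re

# Pattern for the ASA-3-106014 "Deny inbound icmp" message as quoted in the thread.
# Group names are my own labels for the fields, not ASA terminology.
ASA_106014 = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+) "
    r"\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\)"
)

def parse_106014(line):
    """Return a dict of the message fields, or None if the line is not a 106014."""
    m = ASA_106014.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["icmp_type"] = int(rec["icmp_type"])
    rec["icmp_code"] = int(rec["icmp_code"])
    # Same ingress and egress interface means the flow would have to leave the
    # interface it arrived on; the ASA refuses that unless
    # "same-security-traffic permit intra-interface" is configured.
    rec["hairpin"] = rec["src_if"] == rec["dst_if"]
    return rec

def hairpin_denies(log_lines):
    """Group hairpinned ICMP denies by interface, collecting the (src, dst) pairs seen."""
    seen = {}
    for line in log_lines:
        rec = parse_106014(line)
        if rec and rec["hairpin"]:
            seen.setdefault(rec["src_if"], set()).add((rec["src_ip"], rec["dst_ip"]))
    return seen

# Constructed sample log: line 1 is the message quoted in the thread; lines 2 and 3
# are made up to show a non-hairpin deny and an unrelated message being ignored.
SAMPLE_LOG = [
    "%ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst inside:22.22.22.2 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:11.11.11.1 (type 8, code 0)",
    "%ASA-6-302013: Built inbound TCP connection 12 for inside:11.11.11.1/4321 (11.11.11.1/4321) to outside:203.0.113.9/80 (203.0.113.9/80)",
]

if __name__ == "__main__":
    for ifname, pairs in hairpin_denies(SAMPLE_LOG).items():
        print(f"hairpin denies on {ifname}: {sorted(pairs)}")
```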
[c-nsp] Cisco 7200 GigE interface w/NPE 225.
Greetings,

I tried to install a single-port optical GigE card in a Cisco 7204 VXR chassis with an NPE 225 and was informed by the IOS that it is incompatible with the NPE 225, so the adaptor is shut down.

Anyone know how to get around this limitation other than by getting a beefier NPE? I do not actually intend to run anywhere *near* a gig of traffic through that thing; it's just that the handoff I am getting from a provider is optical and this is the easiest route for me.

If I do have to get a new NPE, will a 400 suffice, or do I have to go 1G?

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
Re: [c-nsp] ddos attack makes c6509 cpu soared.
On Apr 1, 2008, at 1:13 PM, MontyRee wrote:
> Then, should I disable netflow when ddos attacked?

No, that's not the solution. What process was high? Was the 6509 itself under attack, as well?

---
Roland Dobbins [EMAIL PROTECTED] // +66.83.266.6344 mobile

History is a great teacher, but it also lies with impunity.
-- John Robb
Re: [c-nsp] ddos attack makes c6509 cpu soared.
On Tue, 2008-04-01 at 06:13 +0000, MontyRee wrote:
> I have operated a sup720-based c6509 (DFC3 included) with time-based sampling netflow enabled. Some days ago, there was a ddos attack against the server of over 1Mpps, and then the cpu of the c6509 soared from 5 to 95. As I know, a sup720-based c6509 can do services up to 30Mpps, but I can't understand why the cpu is high.

The 30 mpps is the raw forwarding rate. If you start doing things like NDE you will get lower performance.

> Is there any relation with the netflow enabled config? The cisco website says that netflow supports up to 128,000 flows. Then, should I disable netflow when under ddos attack?

The Sup720 does Netflow characterization in hardware, but the export is handled by the processor, so if you use NDE you could be hit badly by DDoS. The flow mask you use also has a lot to say about how many flows are generated. Doing sampled Netflow should reduce the problem a little, even though you might end up generating almost the same number of flows and thus the same amount of exports.

Disable netflow during a DDoS attack? Well, netflow can help you find the cause, and 95% CPU is not necessarily a problem, but dead routers are of no use of course. :-)

Regards,
Peter
Re: [c-nsp] ddos attack makes c6509 cpu soared.
On Apr 1, 2008, at 3:10 PM, Peter Rathlev wrote:
> Doing sampled Netflow should reduce the problem a little, even though you might end up generating almost the same number of flows and thus the same amount of exports.

Sampling on 6500/7600 is export telemetry flow-sampling, not packet-sampling which controls flow generation, keep in mind. As you indicate, if NDE was the process hogging the CPU, there are various things which can be done to tune it, including export telemetry sampling, mls timer adjustments, flow-mask adjustments, etc.

---
Roland Dobbins [EMAIL PROTECTED] // +66.83.266.6344 mobile

History is a great teacher, but it also lies with impunity.
-- John Robb
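Peter's point that the flow mask decides how many flows a flood creates, and Roland's that the 6500 sampling thins the export rather than flow creation, can be made concrete by counting distinct flow keys. The block below is an added example, not code from the thread; the Packet record, the flood generator and the key tuples are my own simplification of the Sup720 "mls flow ip" masks (destination, destination-source, full, interface-full) and of what a spoofed-source flood looks like in the flow table.

```python
from collections import namedtuple

# Constructed packet record carrying the header fields a flow key is built from.
Packet = namedtuple("Packet", "in_if src_ip dst_ip proto src_port dst_port")

# Which fields each flow mask folds into the NetFlow entry. These tuples are my own
# simplification of the Sup720 flow masks, not a Cisco data structure.
FLOW_MASKS = {
    "destination":        lambda p: (p.dst_ip,),
    "destination-source": lambda p: (p.dst_ip, p.src_ip),
    "full":               lambda p: (p.dst_ip, p.src_ip, p.proto, p.src_port, p.dst_port),
    "interface-full":     lambda p: (p.in_if, p.dst_ip, p.src_ip, p.proto, p.src_port, p.dst_port),
}

def count_flows(packets, mask):
    """Distinct NetFlow entries the given flow mask would create for these packets."""
    key = FLOW_MASKS[mask]
    return len({key(p) for p in packets})

def flood_packets(n, victim="192.0.2.10", in_if="Gi1/1"):
    """Constructed flood toward one victim: every packet has a different source port
    and the source address cycles through a /24, the shape that inflates flow state
    (documentation-range addresses, chosen for the example)."""
    return [
        Packet(in_if=in_if, src_ip=f"203.0.113.{i % 254 + 1}", dst_ip=victim,
               proto=17, src_port=1024 + i, dst_port=53)
        for i in range(n)
    ]

def flow_report(packets, table_capacity=128_000):
    """Per mask: (flows created, whether they fit the hardware flow table).
    128,000 is the figure the original poster quotes from Cisco's site."""
    report = {}
    for mask in FLOW_MASKS:
        flows = count_flows(packets, mask)
        report[mask] = (flows, flows <= table_capacity)
    return report

if __name__ == "__main__":
    # One packet per flow under the full mask; one flow in total under destination mask.
    for mask, (flows, fits) in flow_report(flood_packets(200_000)).items():
        print(f"{mask:20s} flows={flows:7d} fits_table={fits}")
```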
Re: [c-nsp] Cisco 7200 GigE interface w/NPE 225.
Alex Balashov wrote:
> Greetings,
>
> I tried to install a single-port optical GigE card in a Cisco 7204 VXR chassis with an NPE 225 and was informed by the IOS that it is incompatible with the NPE 225, so the adaptor is shut down.
>
> Anyone know how to get around this limitation other than by getting a beefier NPE? I do not actually intend to run anywhere *near* a gig of traffic through that thing; it's just that the handoff I am getting from a provider is optical and this is the easiest route for me.
>
> If I do have to get a new NPE, will a 400 suffice, or do I have to go 1G?

I believe an NPE-300 would be sufficient. I don't recall putting a PA-GE into an NPE-225, but IIRC BT use a PA-GE in an NPE-300 to deliver ADSL in the UK.

You won't get more than 400mbit (200mbit each way) across a PA-GE no matter what slot/npe you put it in! :)

adam.
Re: [c-nsp] Cisco 7200 GigE interface w/NPE 225.
Adam Armstrong wrote:
> Alex Balashov wrote:
>> Greetings,
>>
>> I tried to install a single-port optical GigE card in a Cisco 7204 VXR chassis with an NPE 225 and was informed by the IOS that it is incompatible with the NPE 225, so the adaptor is shut down.
>>
>> Anyone know how to get around this limitation other than by getting a beefier NPE? I do not actually intend to run anywhere *near* a gig of traffic through that thing; it's just that the handoff I am getting from a provider is optical and this is the easiest route for me.
>>
>> If I do have to get a new NPE, will a 400 suffice, or do I have to go 1G?
>
> I believe an NPE-300 would be sufficient. I don't recall putting a PA-GE into an NPE-225, but IIRC BT use a PA-GE in an NPE-300 to deliver ADSL in the UK.
>
> You won't get more than 400mbit (200mbit each way) across a PA-GE no matter what slot/npe you put it in! :)

Thanks for the insight...

Strangely, if I Google "npe 225 gige" I get all sorts of results for router configurations that appear to include the NPE 225 and a PA-GE, for instance:

http://www.cisco.com/en/US/products/hw/routers/ps341/products_data_sheet09186a0080088724.html

This leads me to believe that I should be able to install a GigE port in this thing in principle. So, why does the IOS reject the adaptor on grounds that it is not compatible with this npe cpu?

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
Re: [c-nsp] EasyVPN IOS-ASA55xx
Can't paste the whole thing, but here are the bits:

access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
group-policy 800vpn internal
group-policy 800vpn attributes
 password-storage enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 nem enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group Uname type ipsec-ra
tunnel-group Uname general-attributes
 default-group-policy 800vpn
tunnel-group Uname ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none

On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
> Maybe it would be easier if you just pasted your config in rather than us keep guessing, but I can add to the guess list.. :) Do you have nat-control turned on? If so, have you got your nat 0 statement set up for the IPSEC traffic?
>
> Ben
>
> On 01/04/2008, at 8:08 PM, William wrote:
>> Hi Peter,
>>
>> I went ahead and enabled it in the end; it stopped the error messages (denys) coming up in the logs but my data still isn't passing through. I'm still a bit lost as to what's causing my issue. Do you think it could be to do with my ISAKMP/IPSEC settings? I'm not so sure because the logs show PHASE 1&2 completed without any problems. :(
>>
>> Regards,
>>
>> On 01/04/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>>>> The command same-security-traffic permit intra-interface is not in the config but am I likely to break anything if I use it?
>>>
>>> Well, you're likely to break the security that is there from the beginning, without this command. You could compare it to local proxy arp. It will not stop any traffic flows that already work, just allow some more ones.
>>>
>>> Reference for the command:
>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>>> http://tinyurl.com/2ateua
>>>
>>> Regards,
>>> Peter
Re: [c-nsp] Traffic Counters and QoS Policy
Ivan wrote on Tuesday, April 01, 2008 11:51 AM:
> I am sending some test traffic through a Cisco 1841 (12.4(15)T4) and am hoping someone can confirm what I have found.
>
> I am sending 64 byte packets (including IP headers) through uniformly at 11bps (215 PPS). The counters on the interface show traffic of 134000bps and 215 PPS. This works out to be 78 bytes per packet. It would seem the additional 14 bytes are the layer 2 Ethernet header (6 bytes source MAC, 6 bytes dest MAC, 2 bytes ether type).
>
> The documentation from Cisco (http://www.cisco.com/en/US/docs/ios/12_0/interface/command/reference/irshowin.html#wp1017950) states:
>
> Five minute input rate, Five minute output rate = Average number of bits and packets transmitted per second in the last 5 minutes.
> bytes input = Total number of bytes, including data and MAC encapsulation, in the error free packets received by the system.
>
> The description of the input rate doesn't really clarify if it includes the layer 2 header but the byte count does. Resetting the counters and doing the maths shows to me that the input rate counters do include layer 2 headers. Can anyone confirm I am on the right track here?

yes, you are.. interface counters (including the input/output rate which is calculated based on these counters) include L2 encaps overhead.

> The interesting part is that when I have a QoS policy on the interface the policy counters are also using the layer 2 headers in the calculations as I get a 30 second offered rate 134000 bps. Does this mean for example if I apply some kind of QoS policy to 5Mbps (500bps) it will be including the layer 2 headers in the calculations? I had always assumed it was only layer 3 and above.

same as above: QoS generally includes L2 overhead (it better does, as we're reserving link bandwidth, and L2 overhead can make quite a difference on the link)..

oli
Re: [c-nsp] EasyVPN IOS-ASA55xx
Hi Ben,

There is a default route to go via the outside, sorry about the confusion.

Regards,

On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
> So do you have the route for 22.22.22.0/24 to go via the outside? Is it caught by the default route or is there something else in place? Hence why I asked for output of sh route.
>
> On 01/04/2008, at 9:31 PM, William wrote:
>> Network behind the 800 is 22.22.22.0/24
>>
>> W
>>
>> On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
>>> Ok, just to save me any confusion here, is the network behind the 800 11.11.11.0/24 or 22.22.22.0/24? Either way you need to have your network behind the 800 being routed to the outside interface via your outside gateway, as that's where the crypto terminates. If the network behind the 800 happens to be 11.11.11.0/24 then your split tunnel is the wrong way around also; if it's 22.22.22.0/24 then try adding
>>>
>>> route outside 22.22.22.0 255.255.255.0 OUTSIDE GATEWAY 1
>>>
>>> Ben
>>>
>>> On 01/04/2008, at 9:16 PM, William wrote:
>>>> Hi Ben,
>>>>
>>>> The VPN is establishing, show crypto isakmp sa displays it, the logs on the ASA show P1&2 and I'm able to communicate only if I originate the connection from the 800 series router. Routing seems fine from the box also; there are no routes on the ASA for destinations it reaches via VPN. Routing to the net on my core network:
>>>>
>>>> S    11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
>>>>
>>>> On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
>>>>> I thought I saw earlier a mention of the traffic hair-pinning, yet your crypto map is bound to the outside interface. Is the IPSEC tunnel being established on the outside or the inside interface? Can you sh the output of a sh route also.
Re: [c-nsp] EasyVPN IOS-ASA55xx
On Tue, 2008-04-01 at 09:05 +0100, William wrote:
> The command same-security-traffic permit intra-interface is not in the config but am I likely to break anything if I use it?

Well, you're likely to break the security that is there from the beginning, without this command. You could compare it to local proxy arp. It will not stop any traffic flows that already work, just allow some more ones.

Reference for the command:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
http://tinyurl.com/2ateua

Regards,
Peter
Re: [c-nsp] Cisco 7204 CPU utilisation.
On Tue, 1 Apr 2008, Alex Balashov wrote:
> backplane and engine. I also enabled fast route-caching and a number of

ip cef should be enabled; do "show int switching" and see if traffic is fast-switched:

Protocol  IP
Switching path    Pkts In   Chars In      Pkts Out   Chars Out
  Process            2022     247164          4890      449873
  Cache misses          0          -             -           -
  Fast           18378468 22253087908      11596605  4410838728
  Auton/SSE             0          0             0           0

If traffic is process switched, you should investigate why.

> other fairly obvious things, but those types of optimisations are what got me down to ~60% at peak in the first place - without the route-caching it was choking at nearly full utilisation. Any other common best practises?

What NPE do you have? An NPE-300 should be able to do somewhere around 150-200 meg of mixed traffic (bidirectionally), so if you're at 60% cpu with 25 megs, that sounds like a lot of cpu for little traffic, even if you would be running an NPE-150 or even slower.

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
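Mikael's check is to read "show int switching" and see whether packets take the Fast path or the Process path. The following is an added example, not from the thread, that parses that table and computes the process-switched share so the check can be scripted across many routers; the sample text re-lays out the numbers Mikael pasted, and the row/column names and the 5% threshold are my own choices.

```python
import re

# One counter row: a path name (may contain spaces or "/") followed by four
# columns that are either an integer or "-".
ROW = re.compile(
    r"^\s*(?P<path>[A-Za-z][A-Za-z/ ]*?)\s+"
    r"(?P<pin>\d+|-)\s+(?P<cin>\d+|-)\s+(?P<pout>\d+|-)\s+(?P<cout>\d+|-)\s*$"
)
PROTO = re.compile(r"^\s*Protocol\s+(?P<name>\S+)\s*$")

def _num(tok):
    """'-' in the output means 'not applicable'; represent it as None."""
    return None if tok == "-" else int(tok)

def parse_switching(text):
    """Parse 'show interfaces switching' output into {protocol: {path: counters}}."""
    stats, proto = {}, None
    for line in text.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group("name")
            stats[proto] = {}
            continue
        m = ROW.match(line)
        if m and proto is not None:
            stats[proto][m.group("path").strip()] = {
                "pkts_in": _num(m.group("pin")), "chars_in": _num(m.group("cin")),
                "pkts_out": _num(m.group("pout")), "chars_out": _num(m.group("cout")),
            }
    return stats

def process_switched_share(paths):
    """Fraction of input packets that took the Process (slow) path.
    'Cache misses' is a sub-count of the fast path, not a path of its own."""
    total = sum(v["pkts_in"] or 0 for k, v in paths.items() if k != "Cache misses")
    return (paths["Process"]["pkts_in"] / total) if total else 0.0

def needs_attention(paths, threshold=0.05):
    """True when more than `threshold` of packets are process switched (my cutoff)."""
    return process_switched_share(paths) > threshold

# The table from Mikael's post, re-laid out in the IOS column layout.
SAMPLE_OUTPUT = """\
Protocol  IP
Switching path    Pkts In   Chars In      Pkts Out   Chars Out
  Process            2022     247164          4890      449873
  Cache misses          0          -             -           -
  Fast           18378468 22253087908      11596605  4410838728
  Auton/SSE             0          0             0           0
"""

if __name__ == "__main__":
    ip = parse_switching(SAMPLE_OUTPUT)["IP"]
    print(f"process switched: {process_switched_share(ip):.5%} attention={needs_attention(ip)}")
```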
Re: [c-nsp] Cisco 7200 GigE interface w/NPE 225.
On Tue, Apr 01, 2008, Alex Balashov wrote:
> Strangely, if I Google "npe 225 gige" I get all sorts of results for router configurations that appear to include the NPE 225 and a PA-GE, for instance:
>
> http://www.cisco.com/en/US/products/hw/routers/ps341/products_data_sheet09186a0080088724.html
>
> This leads me to believe that I should be able to install a GigE port in this thing in principle. So, why does the IOS reject the adaptor on grounds that it is not compatible with this npe cpu?

IOS software support changes?

Adrian
Re: [c-nsp] EasyVPN IOS-ASA55xx
Maybe it would be easier if you just pasted your config in rather than us keep guessing, but I can add to the guess list.. :) Do you have nat-control turned on? If so, have you got your nat 0 statement set up for the IPSEC traffic?

Ben

On 01/04/2008, at 8:08 PM, William wrote:
> Hi Peter,
>
> I went ahead and enabled it in the end; it stopped the error messages (denys) coming up in the logs but my data still isn't passing through. I'm still a bit lost as to what's causing my issue. Do you think it could be to do with my ISAKMP/IPSEC settings? I'm not so sure because the logs show PHASE 1&2 completed without any problems. :(
>
> Regards,
>
> On 01/04/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>>> The command same-security-traffic permit intra-interface is not in the config but am I likely to break anything if I use it?
>>
>> Well, you're likely to break the security that is there from the beginning, without this command. You could compare it to local proxy arp. It will not stop any traffic flows that already work, just allow some more ones.
>>
>> Reference for the command:
>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>> http://tinyurl.com/2ateua
>>
>> Regards,
>> Peter
Re: [c-nsp] EasyVPN IOS-ASA55xx
So do you have the route for 22.22.22.0/24 to go via the outside? Is it caught by the default route or is there something else in place? Hence why I asked for output of sh route.

On 01/04/2008, at 9:31 PM, William wrote:
> Network behind the 800 is 22.22.22.0/24
>
> W
>
> On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
>> Ok, just to save me any confusion here, is the network behind the 800 11.11.11.0/24 or 22.22.22.0/24? Either way you need to have your network behind the 800 being routed to the outside interface via your outside gateway, as that's where the crypto terminates. If the network behind the 800 happens to be 11.11.11.0/24 then your split tunnel is the wrong way around also; if it's 22.22.22.0/24 then try adding
>>
>> route outside 22.22.22.0 255.255.255.0 OUTSIDE GATEWAY 1
>>
>> Ben
>>
>> On 01/04/2008, at 9:16 PM, William wrote:
>>> Hi Ben,
>>>
>>> The VPN is establishing, show crypto isakmp sa displays it, the logs on the ASA show P1&2 and I'm able to communicate only if I originate the connection from the 800 series router. Routing seems fine from the box also; there are no routes on the ASA for destinations it reaches via VPN. Routing to the net on my core network:
>>>
>>> S    11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
>>>
>>> On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
>>>> I thought I saw earlier a mention of the traffic hair-pinning, yet your crypto map is bound to the outside interface. Is the IPSEC tunnel being established on the outside or the inside interface? Can you sh the output of a sh route also.
Re: [c-nsp] Multicast tryout
Anders Marius Jørgensen (lists) wrote:
> Hi Robert,
>
>> I'm currently looking for some software which can help us test new Multicast configuration in our network. Is there any free software which can send a multicast stream (video, music, whatever) and some receiver/client software? (best if Windows/Linux/Mac based)
>
> The program 'mcast.exe' (command line program) from the Microsoft resource toolkit can act as a source or receiver depending on the configuration.

iperf is another (rather better) multicast-capable command line tool.
[c-nsp] Traffic Counters and QoS Policy
I am sending some test traffic through a Cisco 1841 (12.4(15)T4) and am hoping someone can confirm what I have found.

I am sending 64 byte packets (including IP headers) through uniformly at 11bps (215 PPS). The counters on the interface show traffic of 134000bps and 215 PPS. This works out to be 78 bytes per packet. It would seem the additional 14 bytes are the layer 2 Ethernet header (6 bytes source MAC, 6 bytes dest MAC, 2 bytes ether type).

The documentation from Cisco (http://www.cisco.com/en/US/docs/ios/12_0/interface/command/reference/irshowin.html#wp1017950) states:

"Five minute input rate, Five minute output rate = Average number of bits and packets transmitted per second in the last 5 minutes."

"bytes input = Total number of bytes, including data and MAC encapsulation, in the error free packets received by the system."

The description of the input rate doesn't really clarify if it includes the layer 2 header, but the byte count does. Resetting the counters and doing the maths shows to me that the input rate counters do include layer 2 headers. Can anyone confirm I am on the right track here?

The interesting part is that when I have a QoS policy on the interface, the policy counters are also using the layer 2 headers in the calculations, as I get a 30 second offered rate of 134000 bps. Does this mean, for example, if I apply some kind of QoS policy to 5Mbps (500bps) it will be including the layer 2 headers in the calculations? I had always assumed it was only layer 3 and above.

Ivan
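As an added illustration (not Ivan's own code and not Cisco output), here is a Python reconciliation of the three numbers in the post: it parses constructed "show interfaces" and "show policy-map interface" rate lines, derives the counted bytes per packet, infers the Ethernet header overhead, and, on the assumption that the policy counters include the 14-byte header as the measurement suggests, computes the IP-layer rate a policy configured at 5 Mbps would actually pass for 64-byte packets.

```python
import re

# Constructed sample output modelled on the IOS 'show interfaces' and
# 'show policy-map interface' lines the post quotes; not real device output.
SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  5 minute input rate 134000 bits/sec, 215 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""
SHOW_POLICY_MAP = """\
  Service-policy input: TEST-POLICY
    Class-map: class-default (match-any)
      30 second offered rate 134000 bps, drop rate 0 bps
"""

# Layer 2 overhead (bytes) that counters may add on top of the IP packet.
L2_OVERHEAD = {
    "ethernet": 14,        # 6 dst MAC + 6 src MAC + 2 ethertype
    "ethernet-dot1q": 18,  # plus the 4-byte 802.1Q tag
}

INPUT_RATE_RE = re.compile(r"5 minute input rate (\d+) bits/sec, (\d+) packets/sec")
OFFERED_RATE_RE = re.compile(r"30 second offered rate (\d+) bps")


def parse_input_rate(show_interfaces):
    """Return (bits/sec, packets/sec) from the 5-minute input rate line."""
    m = INPUT_RATE_RE.search(show_interfaces)
    if m is None:
        raise ValueError("input rate line not found")
    return int(m.group(1)), int(m.group(2))


def parse_offered_rate(show_policy_map):
    """Return the offered rate (bits/sec) reported by the policy-map counters."""
    m = OFFERED_RATE_RE.search(show_policy_map)
    if m is None:
        raise ValueError("offered rate line not found")
    return int(m.group(1))


def counted_bytes_per_packet(bps, pps):
    """Average frame size the counters are based on."""
    return bps / pps / 8


def infer_encapsulation(counted_bytes, ip_bytes, tolerance=1.0):
    """Name the L2 encapsulation whose overhead explains counted - IP size, or None."""
    extra = counted_bytes - ip_bytes
    name, overhead = min(L2_OVERHEAD.items(), key=lambda kv: abs(kv[1] - extra))
    return name if abs(overhead - extra) <= tolerance else None


def effective_ip_rate(policy_bps, ip_bytes, encapsulation):
    """IP-layer throughput a policy rate allows when its counters include L2 headers."""
    overhead = L2_OVERHEAD[encapsulation]
    return policy_bps * ip_bytes / (ip_bytes + overhead)


def reconcile(show_interfaces, show_policy_map, ip_bytes):
    """Tie the interface rate, packet size and policy offered rate together."""
    bps, pps = parse_input_rate(show_interfaces)
    per_pkt = counted_bytes_per_packet(bps, pps)
    encap = infer_encapsulation(per_pkt, ip_bytes)
    # If the policy's offered rate tracks the interface rate (within 5%), the
    # policy is counting the same bytes, i.e. L2 headers included.
    policy_counts_l2 = abs(parse_offered_rate(show_policy_map) - bps) / bps < 0.05
    return {"bytes_per_packet": per_pkt, "encapsulation": encap,
            "policy_counts_l2": policy_counts_l2}


if __name__ == "__main__":
    result = reconcile(SHOW_INTERFACES, SHOW_POLICY_MAP, ip_bytes=64)
    print(result)
    if result["policy_counts_l2"] and result["encapsulation"]:
        print("5 Mbps policy passes about %.0f bps of IP traffic at 64-byte packets"
              % effective_ip_rate(5_000_000, 64, result["encapsulation"]))
```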
Re: [c-nsp] Cisco 7200 GigE interface w/NPE 225.
Adrian Chadd wrote:
> On Tue, Apr 01, 2008, Alex Balashov wrote:
>> Strangely, if I Google "npe 225 gige" I get all sorts of results for router configurations that appear to include the NPE 225 and a PA-GE, for instance:
>> http://www.cisco.com/en/US/products/hw/routers/ps341/products_data_sheet09186a0080088724.html
>> This leads me to believe that I should be able to install a GigE port in this thing in principle. So, why does the IOS reject the adaptor on grounds that it is not compatible with this NPE CPU?
>
> IOS software support changes?

Possibly. That's one of the things I was hoping someone here could shed some light on.

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct: (+1) (678) 954-0671
Mobile: (+1) (706) 338-8599
Re: [c-nsp] EasyVPN IOS-ASA55xx
Network behind the 800 is 22.22.22.0/24

W

On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
> Ok, just to save me any confusion here, is the network behind the 800 11.11.11.0/24 or 22.22.22.0/24?
>
> Either way you need to have your network behind the 800 being routed to the outside interface via your outside gateway, as that's where the crypto terminates. If the network behind the 800 happens to be 11.11.11.0/24 then your split tunnel is the wrong way around also; if it's 22.22.22.0/24 then try adding:
>
> route outside 22.22.22.0 255.255.255.0 OUTSIDE GATEWAY 1
>
> Ben
>
> On 01/04/2008, at 9:16 PM, William wrote:
>> Hi Ben,
>>
>> The VPN is establishing, show crypto isakmp sa displays it, the logs on the ASA show P12 and I'm able to communicate only if I originate the connection from the 800 series router.
>>
>> Routing seems fine from the box also; there are no routes on the ASA for destinations it reaches via VPN. Routing to the net on my core network:
>>
>> S 11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
>>
>> On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
>>> I thought I saw earlier a mention of the traffic hair-pinning, yet your crypto map is bound to the outside interface. Is the IPSEC tunnel being established on the outside or the inside interface? Can you sh the output of a sh route also.
>>>
>>> On 01/04/2008, at 9:00 PM, William wrote:
>>>> Can't paste the whole thing, but here are the bits:
>>>>
>>>> access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>> access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>> access-list inside_access_in extended permit icmp any any
>>>> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>>>> nat (inside) 0 access-list inside_nat0_outbound
>>>> access-group inside_access_in in interface inside
>>>> group-policy 800vpn internal
>>>> group-policy 800vpn attributes
>>>>  password-storage enable
>>>>  pfs enable
>>>>  split-tunnel-policy tunnelspecified
>>>>  split-tunnel-network-list value Split-Tunnel
>>>>  nem enable
>>>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>>>> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
>>>> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>>>> crypto dynamic-map outside_dyn_map 20 set pfs
>>>> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
>>>> crypto dynamic-map outside_dyn_map 40 set pfs
>>>> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
>>>> crypto dynamic-map outside_dyn_map 60 set pfs
>>>> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
>>>> crypto dynamic-map outside_dyn_map 80 set pfs
>>>> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
>>>> crypto dynamic-map outside_dyn_map 100 set pfs
>>>> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
>>>> crypto dynamic-map outside_dyn_map 120 set pfs
>>>> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
>>>> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>>>> crypto map outside_map interface outside
>>>> crypto isakmp policy 1
>>>>  authentication pre-share
>>>>  encryption 3des
>>>>  hash md5
>>>>  group 2
>>>>  lifetime 86400
>>>> tunnel-group Uname type ipsec-ra
>>>> tunnel-group Uname general-attributes
>>>>  default-group-policy 800vpn
>>>> tunnel-group Uname ipsec-attributes
>>>>  pre-shared-key *
>>>>  isakmp ikev1-user-authentication none
>>>>
>>>> On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
>>>>> Maybe it would be easier if you just pasted your config in rather than us keep guessing, but I can add to the guess list.. :) Do you have nat-control turned on? If so, have you got your nat 0 statement set up for the IPSEC traffic?
>>>>>
>>>>> Ben
>>>>>
>>>>> On 01/04/2008, at 8:08 PM, William wrote:
>>>>>> Hi Peter,
>>>>>>
>>>>>> I went ahead and enabled it in the end; it stopped the error messages (denies) coming up in the logs but my data still isn't passing through. I'm still a bit lost as to what's causing my issue. Do you think it could be to do with my ISAKMP/IPSEC settings? I'm not so sure because the logs show PHASE12 completed without any problems. :(
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> On 01/04/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
>>>>>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>>>>>>>> The command same-security-traffic permit intra-interface is not in the config but am I likely to break anything if I use it?
>>>>>>>
>>>>>>> Well, you're likely to break the security that is there from the beginning, without this command. You could compare it to local proxy arp. It will not stop any traffic flows that already work, just allow some more ones.
>>>>>>>
>>>>>>> Reference for the command:
>>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>>>>>>> http://tinyurl.com/2ateua
Re: [c-nsp] Multicast tryout
> I'm currently looking for some software which can help us test new Multicast configuration in our network. Is there any free software which can send a multicast stream (video, music, whatever) and some receiver/client software? (best if Windows/Linux/Mac based)

http://www.videolan.org/vlc/

VLC media player is a highly portable *multimedia player* for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...) as well as *DVD*s, *VCD*s, and various *streaming* protocols. It can also be used as a server to stream (http://www.videolan.org/vlc/streaming.html) in unicast or *multicast* in IPv4 or *IPv6* on a high-bandwidth network.

adam.
Re: [c-nsp] Cisco 7200 GigE interface w/NPE 225.
Alex Balashov wrote:
> Adam Armstrong wrote:
>> Alex Balashov wrote:
>>> Greetings,
>>>
>>> I tried to install a single-port optical GigE card in a Cisco 7204 VXR chassis with an NPE 225 and was informed by the IOS that it is incompatible with the NPE 225, so the adaptor is shut down.
>>>
>>> Anyone know how to get around this limitation other than by getting a beefier NPE? I do not actually intend to run anywhere *near* a gig of traffic through that thing; it's just that the handoff I am getting from a provider is optical and this is the easiest route for me.
>>>
>>> If I do have to get a new NPE, will a 400 suffice, or do I have to go 1G?
>>
>> I believe an NPE-300 would be sufficient. I don't recall putting a PA-GE into an NPE-225, but IIRC BT use a PA-GE in an NPE-300 to deliver ADSL in the UK.
>>
>> You won't get more than 400mbit (200mbit each way) across a PA-GE no matter what slot/npe you put it in! :)
>
> Thanks for the insight...
>
> Strangely, if I Google "npe 225 gige" I get all sorts of results for router configurations that appear to include the NPE 225 and a PA-GE, for instance:
> http://www.cisco.com/en/US/products/hw/routers/ps341/products_data_sheet09186a0080088724.html
>
> This leads me to believe that I should be able to install a GigE port in this thing in principle. So, why does the IOS reject the adaptor on grounds that it is not compatible with this NPE CPU?

Have you tried a different IOS release/train? Perhaps the disabling was added later or removed later.

adam.
Re: [c-nsp] Cisco 7204 CPU utilisation.
I presume you have CEF enabled? ;)

Also, can you show us a "sh proc cpu sorted"?

What NPE is in this 7204? Is it a VXR model?

Thanks,
Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Balashov
Sent: Tuesday, April 01, 2008 4:29 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 7204 CPU utilisation.

> Greetings,
>
> I have a 7204 with a FastEthernet interface that has a few point-subinterfaces for inter-VLAN routing, and at its peak pushes about 25 mbps, most of it inter-VLAN traffic.
>
> Naturally, a Layer 3 switch is a smarter idea than a big Layer 3 VLAN router-on-a-trunk-stick these days, but the budget isn't there right now.
>
> When the traffic peaks at ~25 mbps, there's quite a bit of CPU utilisation; as much as 60%. I was wondering if there are any tips on what I can do to optimise the forwarding.
>
> One idea was to put in a GigE card (the subject of another thread), but I do not expect this will actually impact anything CPU-bound since all of that traverses the backplane and engine.
>
> I also enabled fast route-caching and a number of other fairly obvious things, but those types of optimisations are what got me down to ~60% at peak in the first place - without the route-caching it was choking at nearly full utilisation.
>
> Any other common best practices?
>
> Cheers,
>
> -- Alex
>
> --
> Alex Balashov
> Evariste Systems
> Web: http://www.evaristesys.com/
> Tel: (+1) (678) 954-0670
> Direct: (+1) (678) 954-0671
> Mobile: (+1) (706) 338-8599
Re: [c-nsp] Cisco 7200 GigE interface w/NPE 225.
Alex Balashov wrote on Tuesday, April 01, 2008 11:08 AM:
> Adrian Chadd wrote:
>> On Tue, Apr 01, 2008, Alex Balashov wrote:
>>> Strangely, if I Google "npe 225 gige" I get all sorts of results for router configurations that appear to include the NPE 225 and a PA-GE, for instance:
>>> http://www.cisco.com/en/US/products/hw/routers/ps341/products_data_sheet09186a0080088724.html
>>> This leads me to believe that I should be able to install a GigE port in this thing in principle. So, why does the IOS reject the adaptor on grounds that it is not compatible with this NPE CPU?
>>
>> IOS software support changes?
>
> Possibly. That's one of the things I was hoping someone here could shed some light on.

The PA-GE datasheet (http://www.cisco.com/en/US/products/hw/modules/ps2033/products_data_sheet09186a0080091ce7.html) states that the minimum NPE is NPE-300.

You also need an NPE300 to get support for the C7200-I/O-GE+E (as stated in your link above).

oli
Re: [c-nsp] Vlan interface vs. sub-interface
Nate wrote:
> I'm trying to put together a table of advantages (and disadvantages) of a vlan interface (SVI) vs. a sub-interface of a physical port. So far, I have the following.

Assuming you are talking about layer 3 routed interfaces, then basically:

* On platforms that support SVIs, you should generally use SVIs. On those platforms, sub-ints are generally implemented using hidden SVIs magically picking a VLAN tag (that you might later need), so there's no difference in the number of interfaces, and disabling spanning tree is pretty trivial.
* On platforms that only support sub-ints, obviously you use sub-ints.

> SVI
> Advantage:
> - Ability to add redundant link to the L3 interface
> - Better counter and statistics displayed through CLI
> Disadvantage:
> - Need to be mindful of Spanning Tree issues on redundant links
> - The number of SVIs supported may be limited dependent on platform?
>
> Physical port sub-interface
> Advantage:
> - Easier to configure and supported on more platforms?
> Disadvantage:
> - Inability to add L2 redundant links
> - Statistics on CLI limited
> - Bandwidth limited to physical port
>
> Are there more significant advantages/disadvantages (e.g. buffer limit, queue depth) that I'm missing?
>
> Thanks,
> Nate
Re: [c-nsp] EasyVPN IOS-ASA55xx
I thought I saw earlier a mention of the traffic hair-pinning, yet your crypto map is bound to the outside interface. Is the IPSEC tunnel being established on the outside or the inside interface? Can you sh the output of a sh route also.

On 01/04/2008, at 9:00 PM, William wrote:
> Can't paste the whole thing, but here are the bits:
>
> access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
> access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
> access-list inside_access_in extended permit icmp any any
> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
> nat (inside) 0 access-list inside_nat0_outbound
> access-group inside_access_in in interface inside
> group-policy 800vpn internal
> group-policy 800vpn attributes
>  password-storage enable
>  pfs enable
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value Split-Tunnel
>  nem enable
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 set pfs
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 40 set pfs
> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 60 set pfs
> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 80 set pfs
> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 100 set pfs
> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
> crypto dynamic-map outside_dyn_map 120 set pfs
> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> crypto isakmp policy 1
>  authentication pre-share
>  encryption 3des
>  hash md5
>  group 2
>  lifetime 86400
> tunnel-group Uname type ipsec-ra
> tunnel-group Uname general-attributes
>  default-group-policy 800vpn
> tunnel-group Uname ipsec-attributes
>  pre-shared-key *
>  isakmp ikev1-user-authentication none
>
> [...]
Re: [c-nsp] Multicast tryout
Hi Robert,

> I'm currently looking for some software which can help us test new Multicast configuration in our network. Is there any free software which can send a multicast stream (video, music, whatever) and some receiver/client software? (best if Windows/Linux/Mac based)

The program 'mcast.exe' (command line program) from the Microsoft resource toolkit can act as a source or receiver depending on the configuration.

See: http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

/Anders
Re: [c-nsp] EasyVPN IOS-ASA55xx
Ok, just to save me any confusion here, is the network behind the 800 11.11.11.0/24 or 22.22.22.0/24?

Either way you need to have your network behind the 800 being routed to the outside interface via your outside gateway, as that's where the crypto terminates. If the network behind the 800 happens to be 11.11.11.0/24 then your split tunnel is the wrong way around also; if it's 22.22.22.0/24 then try adding:

route outside 22.22.22.0 255.255.255.0 OUTSIDE GATEWAY 1

Ben

On 01/04/2008, at 9:16 PM, William wrote:
> Hi Ben,
>
> The VPN is establishing, show crypto isakmp sa displays it, the logs on the ASA show P12 and I'm able to communicate only if I originate the connection from the 800 series router.
>
> Routing seems fine from the box also; there are no routes on the ASA for destinations it reaches via VPN. Routing to the net on my core network:
>
> S 11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside
>
> On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
>> I thought I saw earlier a mention of the traffic hair-pinning, yet your crypto map is bound to the outside interface. Is the IPSEC tunnel being established on the outside or the inside interface? Can you sh the output of a sh route also.
>>
>> [...]
Re: [c-nsp] EasyVPN IOS-ASA55xx
Hmm,

> %ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst inside:22.22.22.2 (type 8, code 0)

seems to contradict that. Any chance of getting more of the config? Just change the passwords and IPs.

Also reply off list, I think this one has congested it enough :)

On 01/04/2008, at 9:43 PM, William wrote:
> Hi Ben,
>
> There is a default route to go via the outside, sorry about the confusion.
>
> Regards,
>
> On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
>> So do you have the route for 22.22.22.0/24 to go via the outside? Is it caught by the default route or is there something else in place? Hence why I asked for output of sh route.
>>
>> On 01/04/2008, at 9:31 PM, William wrote:
>>> Network behind the 800 is 22.22.22.0/24
>>>
>>> W
>>>
>>> [...]
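As an added illustration of the checks Ben is walking William through (this is not code from the thread, from Cisco, or from the ASA), here is a small Python script that parses the kind of ASA statements pasted above and flags a remote network in the nat 0 exemption that has no route at all, or that is routed out an interface other than the one the crypto map is bound to. The config text is constructed from the fragments in the thread, and 203.0.113.1 is a constructed documentation address standing in for "OUTSIDE GATEWAY".

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the fragments William pasted in this thread
# (not a real device config). It deliberately has no route for the network
# behind the 800 (22.22.22.0/24), which is the gap Ben's questions point at.
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy 800vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
crypto map outside_map interface outside
route inside 11.11.11.0 255.255.255.0 192.168.0.254 1
"""
# The route Ben suggested, with a constructed (RFC 5737) address as the gateway.
FIXED_CONFIG = ASA_CONFIG + "route outside 22.22.22.0 255.255.255.0 203.0.113.1 1\n"

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")
SPLIT_RE = re.compile(r"^split-tunnel-network-list value (\S+)$")


def net(addr, mask):
    """Turn an ASA 'address netmask' pair into an ip_network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(text):
    """Extract only the statements the checks below need; everything else is ignored."""
    cfg = {"acl": defaultdict(list), "nat0": {}, "crypto_if": None,
           "routes": [], "split_acl": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, sm, dst, dm = m.groups()
            cfg["acl"][name].append((net(src, sm), net(dst, dm)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)      # interface -> exemption ACL
        elif m := CRYPTO_RE.match(line):
            cfg["crypto_if"] = m.group(2)             # where IPsec terminates
        elif m := ROUTE_RE.match(line):
            iface, addr, mask, gw = m.groups()
            cfg["routes"].append((iface, net(addr, mask), gw))
        elif m := SPLIT_RE.match(line):
            cfg["split_acl"] = m.group(1)
    return cfg


def egress_interface(cfg, target):
    """Longest-prefix match over the static routes; None if nothing covers target."""
    best = None
    for iface, rnet, _gw in cfg["routes"]:
        if target.subnet_of(rnet) and (best is None or rnet.prefixlen > best[1].prefixlen):
            best = (iface, rnet)
    return best[0] if best else None


def check_remote_networks(cfg):
    """One finding per nat 0 destination that would not leave via the crypto interface."""
    findings = []
    for _iface, acl in cfg["nat0"].items():
        for _src, remote in cfg["acl"].get(acl, []):
            via = egress_interface(cfg, remote)
            if via is None:
                findings.append(f"{remote}: no route; add one via {cfg['crypto_if']}")
            elif via != cfg["crypto_if"]:
                findings.append(f"{remote}: routed via {via}, but crypto map is on {cfg['crypto_if']}")
    return findings


def check_split_tunnel(cfg):
    """Every split-tunnel pair should have a matching nat 0 exemption (same direction)."""
    if cfg["split_acl"] is None:
        return []
    split = set(cfg["acl"].get(cfg["split_acl"], []))
    exempt = {pair for acl in cfg["nat0"].values() for pair in cfg["acl"].get(acl, [])}
    return [f"split-tunnel entry {s} -> {d} has no matching nat 0 exemption"
            for s, d in sorted(split - exempt, key=str)]


if __name__ == "__main__":
    for label, text in (("as pasted", ASA_CONFIG), ("with outside route", FIXED_CONFIG)):
        cfg = parse_asa(text)
        print(label, check_remote_networks(cfg) + check_split_tunnel(cfg) or ["ok"])
```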
Re: [c-nsp] EasyVPN IOS-ASA55xx
Hi Peter,

I went ahead and enabled it in the end; it stopped the error messages (denies) coming up in the logs but my data still isn't passing through. I'm still a bit lost as to what's causing my issue. Do you think it could be to do with my ISAKMP/IPSEC settings? I'm not so sure because the logs show PHASE12 completed without any problems. :(

Regards,

On 01/04/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>> The command same-security-traffic permit intra-interface is not in the config but am I likely to break anything if I use it?
>
> Well, you're likely to break the security that is there from the beginning, without this command. You could compare it to local proxy arp. It will not stop any traffic flows that already work, just allow some more ones.
>
> Reference for the command:
> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
> http://tinyurl.com/2ateua
>
> Regards,
> Peter
[c-nsp] NPE-G1 support for jumbo frames
I'm thinking of upgrading our NPE300/400s along with their PA-FE-TX port adapters with NPE-G1s in order to get jumbo frame support for terminating EoMPLS xconnects. I've tried searching on CCO and Google but couldn't find a definitive answer as to whether the GE ports (copper or fiber) on the NPE-G1 support jumbo frames or at least 1530 MTU.

Can anyone comment as to whether this is supported or not?

Thanks for any feedback.

Jose
Re: [c-nsp] NPE-G1 support for jumbo frames
On Tue, Apr 01, 2008, Jose wrote:
> I'm thinking of upgrading our NPE300/400s along with their PA-FE-TX port adapters with NPE-G1s in order to get jumbo frame support for terminating EoMPLS xconnects. I've tried searching on CCO and Google but couldn't find a definitive answer as to whether the GE ports (copper or fiber) on the NPE-G1 support jumbo frames or at least 1530 MTU.
>
> Can anyone comment as to whether this is supported or not?
>
> Thanks for any feedback.

Uhm, doesn't the PA-FE-TX support larger frames?

Adrian
Re: [c-nsp] NPE-G1 support for jumbo frames
Adrian Chadd wrote:
> On Tue, Apr 01, 2008, Jose wrote:
>> I'm thinking of upgrading our NPE300/400s along with their PA-FE-TX port adapters with NPE-G1s in order to get jumbo frame support for terminating EoMPLS xconnects. I've tried searching on CCO and Google but couldn't find a definitive answer as to whether the GE ports (copper or fiber) on the NPE-G1 support jumbo frames or at least 1530 MTU.
>>
>> Can anyone comment as to whether this is supported or not?
>>
>> Thanks for any feedback.
>
> Uhm, doesn't the PA-FE-TX support larger frames?
>
> Adrian

We have not been able to change the MTU for the PA-FE-TXs to anything larger than the standard 1500. Every time you try and change it, it spits back an error about not being allowed on this interface. This is with the 7206VXR NPE300 running 12.2(15)T.

Jose
Re: [c-nsp] 12.2 SRC opinions?
On Mar 30, 2008, at 1:51 AM, Stephen Fulton wrote:
> Hi all,
>
> It's been 2 months since 12.2 SRC was released, and I'm curious about how it's held up on the 7600 series? I've got a 7600/RSP720 arriving soon, and I'm considering SRC.

We ran into CSCsm99975 where around 80% or so of the linecards in all of the routers that were clients of a route reflector reset themselves when the route reflector was reloaded. Glad we found this in the lab, not in production. Probably not an issue if you aren't running IPv6, but if you are, you may want to look at this.

We're looking at the next rev of SRC, which should be out relatively soon.

Bob
Re: [c-nsp] Multicast tryout
On Apr 1, 2008, at 5:16 AM, Adam Armstrong wrote:
>> I'm currently looking for some software which can help us test new Multicast configuration in our network. Is any free software which can send multicast stream (video,music,whatever) and some receiver/client software ? (best if Windows/Linux/Mac based)
>
> http://www.videolan.org/vlc/
>
> VLC media player is a highly portable *multimedia player* for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...) as well as *DVD*s, *VCD*s, and various *streaming* protocols. It can also be used as a server to stream http://www.videolan.org/vlc/streaming.html in unicast or *multicast* in IPv4 or *IPv6* on a high-bandwidth network.

I would second the recommendation for VLC. I use it a lot when demonstrating multicast video... Set up a PC/laptop sending on one side of a router lab, and one on the other side with the video received being played, and you can see what the impact of convergence times or oversubscribed links do to the video.

Bob
Re: [c-nsp] NPE-G1 support for jumbo frames
Hi,

On Tue, Apr 01, 2008 at 08:14:11PM +0800, Adrian Chadd wrote:
> Uhm, doesn't the PA-FE-TX support larger frames?

See the mailing list archives for lengthy discussions on this.

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  [EMAIL PROTECTED]
fax: +49-89-35655025  [EMAIL PROTECTED]
Re: [c-nsp] NPE-G1 support for jumbo frames
Jose schrieb:
> We have not been able to change the MTU for the PA-FE-TXs to anything larger than the standard 1500. Every time you try and change it, it spits back an error about not being allowed on this interface. This is with the 7206VXR NPE300 running 12.2(15)T.

We're running up to 1530 on a PA-FE-TX (NPE300/7206VXR with 12.2(31)SB) because of MPLS:

    Slot 4:
            Fast-ethernet (TX-ISL) Port adapter, 1 port
            Port adapter is analyzed
            Port adapter insertion time 28w3d ago
            EEPROM contents at hardware discovery:
            Hardware revision 1.0           Board revision A0
            Serial number     3579616       Part number    73-1688-03
            FRU Part Number: PA-FE-TX

    !
    interface FastEthernet4/0
     ...
     mtu 1530
     ...
    !

--
Gerald (ax/tc)
Re: [c-nsp] GE Copper in 7140
Please don't use that anymore. If you can't set the MTU on the physical large enough to account for all overhead it's better not to do it. For the long winded answer look back at the archives where we discussed this.

Rodney

On Mon, Mar 31, 2008 at 11:59:06PM +0100, Adam Armstrong wrote:
> Kris Amy wrote:
>> The only reason I need this is to get copper ethernet with an MTU > 1500. It seems that the FE ports do not support a custom MTU.
>
> There is tag-switching mtu, if all you need it for is passing MPLS.
>
> adam.
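The MTU budget behind Gerald's 1530 in the NPE-G1 thread above and Rodney's point here about accounting for all overhead, as an added example (not code from the list or from Cisco): it sums the standard Ethernet and MPLS encapsulation sizes for an EoMPLS pseudowire and reports which links in a path cannot carry the result. The header sizes are the standard ones; label-stack depth, control-word use and the sample link names and MTUs are assumptions that must be checked against the real deployment.

```python
"""EoMPLS MTU budget check (added example; not from the cisco-nsp thread).

Header sizes are the standard Ethernet and MPLS encapsulation sizes. The
label-stack depth, control-word use and the sample link MTUs are assumptions
and must be checked against the actual deployment.
"""
from dataclasses import dataclass

ETH_HEADER = 14      # dst MAC + src MAC + ethertype; the customer FCS is not carried
DOT1Q_TAG = 4        # one 802.1Q tag, when the attachment circuit is tagged
MPLS_LABEL = 4       # one MPLS shim header
CONTROL_WORD = 4     # optional AToM control word


@dataclass(frozen=True)
class PseudowireProfile:
    edge_mtu: int = 1500       # payload MTU the customer expects end to end
    tagged: bool = True        # customer frames carry a VLAN tag
    control_word: bool = True  # control word negotiated on the pseudowire
    label_depth: int = 2       # tunnel (IGP/LDP) label + VC label; 3 with a TE/FRR backup label

    def overhead(self) -> int:
        """Bytes the EoMPLS encapsulation adds to the customer payload."""
        return (ETH_HEADER
                + (DOT1Q_TAG if self.tagged else 0)
                + (CONTROL_WORD if self.control_word else 0)
                + self.label_depth * MPLS_LABEL)

    def required_core_mtu(self) -> int:
        """Smallest physical MTU a core link needs to carry full-size customer frames."""
        return self.edge_mtu + self.overhead()


def check_path(link_mtus: dict, profile: PseudowireProfile) -> dict:
    """Map each link whose physical MTU is too small to its shortfall in bytes.

    Feed this the *physical* interface MTU: raising only the MPLS MTU
    ("tag-switching mtu" / "mpls mtu") does not let the link carry larger
    frames, which is the overhead point Rodney makes above.
    """
    need = profile.required_core_mtu()
    return {link: need - mtu for link, mtu in link_mtus.items() if mtu < need}


if __name__ == "__main__":
    profile = PseudowireProfile()
    # Constructed sample path: one PA-FE-TX left at the default 1500 next to
    # links already raised (the link names are made up for the example).
    path = {"Fa4/0 (PA-FE-TX)": 1530, "Fa1/0 (PA-FE-TX)": 1500, "Gi0/1 (NPE-G1)": 9216}
    print("required core MTU:", profile.required_core_mtu())
    for link, short in check_path(path, profile).items():
        print(f"{link}: {short} bytes short")
```

With the defaults (tagged attachment circuit, control word, two labels) the requirement comes out at 1530, which is the value Gerald configures; an untagged circuit without a control word needs 1522, and a third label for TE/FRR adds another 4 bytes. Any link reported short will drop or fragment full-size customer frames regardless of what the MPLS MTU says.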
Re: [c-nsp] SP Labs (was: 7600 Questions)
On Mar 28, 2008, at 12:55 AM, Justin Shore wrote:
> What I'd give to have spares... I'm curious, how many SPs out there have labs to test out new code, new deployment options and concepts, burn in new gear, recreate bugs, etc? I'm trying to justify the purchase of some spare hardware to be used as lab equipment.

I work for a large SP, and we have a number of labs and lab groups testing versions of code, new topologies, or major changes to configurations before we put them into production. It has definitely saved us some pain, such as letting us know to skip the first rev of SRC as I mentioned in an earlier post.

While we try, we don't have as much luck reproducing issues in the lab that we see in the field. Possibly it's that the easily caught and reproduced bugs get found before deployment.

Bob
Re: [c-nsp] Multicast tryout
Hello,

mgen was very useful in some tests I have done in the past:

http://cs.itd.nrl.navy.mil/work/mgen/index.php

John

On Tue, 1 Apr 2008, Robert Hass wrote:
> Hi
>
> I'm currently looking for some software which can help us test new Multicast configuration in our network. Is any free software which can send multicast stream (video,music,whatever) and some receiver/client software ? (best if Windows/Linux/Mac based)
>
> Please advise.
[c-nsp] WS-X6748-GE-TX in 7613
In the power consumption calculation tool we are unable to populate modules 1 through 8 of a 7613 with the WS-X6748-GE-TX module. Does anyone know whether the module is simply not supported in modules 1 through 8 (like the ES20 modules), or will it be supported but simply won't provide us with the 40Gbps throughput?

Thanks,
--
Ran.
Re: [c-nsp] NPE-G1 support for jumbo frames
Gerald Krause wrote:
> Jose schrieb:
>> We have not been able to change the MTU for the PA-FE-TXs to anything larger than the standard 1500. Every time you try and change it, it spits back an error about not being allowed on this interface. This is with the 7206VXR NPE300 running 12.2(15)T.
>
> We're running up to 1530 on a PA-FE-TX (NPE300/7206VXR with 12.2(31)SB) because of MPLS:
>
>     Slot 4:
>             Fast-ethernet (TX-ISL) Port adapter, 1 port
>             Port adapter is analyzed
>             Port adapter insertion time 28w3d ago
>             EEPROM contents at hardware discovery:
>             Hardware revision 1.0           Board revision A0
>             Serial number     3579616       Part number    73-1688-03
>             FRU Part Number: PA-FE-TX
>
>     !
>     interface FastEthernet4/0
>      ...
>      mtu 1530
>      ...
>     !
>
> --
> Gerald (ax/tc)

Awesome! Thanks Gerald. I'll try this code on our lab router and see if it makes the difference. Hopefully I'll still get a chance to upgrade the NPEs to G1s but at least this could let us deploy EoMPLS without having to wait for hardware shipments.

Jose
[c-nsp] BGP 4 MIB Support for per-Peer Received Routes
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgpmib.html

> A BGP RIB could potentially contain 10,000 or more routes, which makes a manual walk operation impossible and automated walk operations very inefficient.

"Could potentially contain more than 10,000 routes"? When was this written - 1991? :-)

In any event, does anyone know offhand if this enhanced lookup MIB is available in Zebra or Quagga? Has this become an RFC?

Thanks,
-Hank
Re: [c-nsp] WS-X6748-GE-TX in 7613
Ran Liebermann wrote on Tuesday, April 01, 2008 3:25 PM:
> In the power consumption calculation tool we are unable to populate modules 1 through 8 of a 7613 with the WS-X6748-GE-TX module. Does anyone know whether the module is simply not supported in modules 1 through 8 (like the ES20 modules), or will it be supported but simply won't provide us with the 40Gbps throughput?

It won't power up in slots 1-8 as it requires dual fabric channels.

oli
Re: [c-nsp] Multicast tryout
On Tue, Apr 01, 2008 at 11:06:15AM +0100, Phil Mayers wrote:
> Anders Marius Jørgensen (lists) wrote:
>>> I'm currently looking for some software which can help us test new Multicast configuration in our network. Is any free software which can send multicast stream (video,music,whatever) and some receiver/client software ? (best if Windows/Linux/Mac based)
>>
>> The program 'mcast.exe' (command line program) from the Microsoft resource toolkit can act as a source or receiver depending on the configuration.
>
> iperf is another (rather better) multicast-capable command line tool

And more:

nuttcp - http://www.wcisd.hpc.mil/nuttcp/
nepim - www.nongnu.org/nepim/

Everton
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
It's quite possibly the Y2K that we had to have. :)

Maybe the US DoD and the US government in general will hand back all their IPv4 address blocks when they supposedly cut over to IPv6, who knows?

Jeff Doyle has been going on about it for ages on his Network World CiscoSubnet blog: http://www.networkworld.com/community/?q=doyle

Geoff Huston also talks a lot about IPv4 address exhaustion on his site: http://www.potaroo.net/

The interesting thing in the client space: other than your Cisco ISRs, I don't think there are any retail modems that do IPv6. Yay Cisco.

A good summary of issues can be found in this document: http://rip.psg.com/%7Erandy/070722.v6-op-reality.pdf

Got to love Microsoft, XP has a Windows IPv6 stack that doesn't do native IPv6 DNS lookups.

So I'm pretty pessimistic at the moment. Let the fun begin.

On Wed, Apr 2, 2008 at 12:27 AM, Patrick J Greene [EMAIL PROTECTED] wrote:
> I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html). What are your thoughts and plans? Is anybody really running out of IP space, other than ARIN? Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now? What about non-ISPs? Does corporate America really need to worry?
>
> Thanks,
> Patrick
[c-nsp] OT : IPv6 - Will it hit like an avalanch?
I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html). What are your thoughts and plans? Is anybody really running out of IP space, other than ARIN? Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now? What about non-ISPs? Does corporate America really need to worry?

Thanks,
Patrick
Re: [c-nsp] GE Copper in 7140
On Tue, 1 Apr 2008, Rodney Dunn wrote:
> Please don't use that anymore. If you can't set the MTU on the physical large enough to account for all overhead it's better not to do it. For the long winded answer look back at the archives where we discussed this.

I think the 7120/7140 is a special case, since it's out of support and new software isn't compiled for it. So telling someone "don't use it for MPLS" when there is a way to do it that works isn't really helpful.

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
[c-nsp] Trunking Catalyst to HP Procurve...
Hopefully this will ring a bell with someone that has been there, done that and can save me a road trip with a sniffer...

We recently added a few HP ProCurve switches (2810s) at the access layer using simple trunks back to our existing Ciscos (2950/2960/3550/3560s). All is well with the exception that our network monitoring is turning up discards on the trunks (roughly every 10 seconds). I've tried disabling all of the negotiations that I can think of, e.g.:

    interface GigabitEthernet0/1
     description FLT-Uplink-2
     switchport mode trunk
     switchport nonegotiate
     no cdp enable
    end

but the discards continue. Also getting a *lot* of noisy spanning tree traffic seen on the Cisco side:

    Protocol       Path       Pkts In     Chars In      Pkts Out   Chars Out
    Spanning Tree  Process    17447867    1099182989    3219       204892

Ciscos are running default PVST, HPs are doing whatever they do out of the box. Not sure if this is an issue or just a brain-dead old Catalyst "show int switching" counter bug :-) Things seem to be working, but then there isn't much traffic in this building. It just doesn't look right. Any suggestions would be appreciated.

Thanks...

Jeff
Re: [c-nsp] ddos attack makes c6509 cpu soared.
At 10:10 AM 4/1/2008 +0200, Peter Rathlev observed:
> On Tue, 2008-04-01 at 06:13 +, MontyRee wrote:
>> I have operated sup720 based c6509(DFC3 included) with time-based sampling netflow enabled. Some days ago, there was a ddos attack against the server over 1Mpps, then the cpu of the c6509 soared from 5 to 95. As I know, sup720 based c6509 can do services up to 30Mpps, but I can't understand why the cpu is high?
>
> The 30 mpps is the raw forwarding rate. If you start doing things like NDE you will get lower performance.

It's 30Mpps (assuming central fwding in compact mode) regardless of packet size, regardless of NF, qos, ACL, etc enabled, w/in the constraints of what's supported in hw. NF collection is supported in hw. Enabling NDE doesn't change that, but the aging/export process will drive up the CPU (again, not impacting performance unless the control plane ends up overburdened and protocols start reconverging etc), especially with a consistently full table. But the hw continues to fwd at 30Mpps.

>> Is there any relations with netflow enabled config? cisco website says that the flow number of netflow supports to 128,000. Then, should I disable netflow when ddos attacked?
>
> The Sup720 does Netflow characterization in hardware, but the export is handled by the processor, so if you use NDE you could be hit bad by DDoS. The flow mask you use also has a lot to say about how many flows are generated. Doing sampled Netflow should reduce the problem a little, even though you might end up generating almost the same number of flows and thus the same amount of exports.

Sampled probably won't help, in fact it could hurt. Sampled on 7600/6500 purges the NF table in large batches on a (short) regular basis, which can drive up the CPU. Using full NF and increasing the aging timers will prob be more effective in reducing CPU during a time of heavy NF table utilization.

On the other hand, not sure we've established yet that NDE is actually to blame for the high CPU in this case, based on the information so far...

Tim

> Disable netflow during DDoS attack? Well, netflow can help you find the cause, and 95% CPU is not necessarily a problem, but dead routers are of no use of course. :-)
>
> Regards,
> Peter

Tim Stevenson, [EMAIL PROTECTED]
Routing & Switching CCIE #5561
Technical Marketing Engineer, Data Center BU
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
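Peter's remark that NetFlow can help you find the cause, and Tim's description of a consistently full flow table driving the aging/export process, both come down to what the exporter ends up emitting: one fresh flow entry per attacking packet when every packet carries a new source or port. As an added example (not code from the thread or from Cisco), the block below parses NetFlow v5 export datagrams on the collector side and summarizes, per destination, how many distinct sources are sending one-packet flows, which is the pattern of the attack MontyRee describes. The sample datagram is constructed inline with documentation-range addresses (203.0.113.10 as the target, 198.51.100.0/24 and 192.0.2.0/24 as sources), and the thresholds in flag_targets are assumptions to tune per site.

```python
"""NetFlow v5 export parser plus a per-destination DDoS-pattern summary.

Added example; not code from the thread. The datagram is constructed inline:
203.0.113.10 (target) and 198.51.100.0/24 / 192.0.2.0/24 (sources) are
documentation-range placeholders and the exporter fields are made up.
"""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
MAX_RECORDS = 30                                        # per v5 datagram


def parse_v5(datagram: bytes):
    """Return (header dict, list of flow dicts); raise ValueError on a malformed datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "flow_sequence": seq, "engine_id": engine_id,
              # low 14 bits of the last field hold the sampling interval; 0 = not sampled
              "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos, sas, das, smask, dmask, _pad2) = \
            V5_RECORD.unpack_from(datagram, off)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "octets": octets, "tcp_flags": flags})
    return header, flows


def is_valid_v5(datagram: bytes) -> bool:
    """True when the datagram parses as well-formed NetFlow v5."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def summarize_by_destination(flows):
    """Per destination: distinct sources, flow count and one-packet flows."""
    summary = defaultdict(lambda: {"sources": set(), "flows": 0, "single_packet": 0})
    for f in flows:
        s = summary[f["dst"]]
        s["sources"].add(f["src"])
        s["flows"] += 1
        if f["packets"] == 1:
            s["single_packet"] += 1
    return summary


def flag_targets(flows, min_sources=20, single_packet_ratio=0.9):
    """Destinations receiving mostly one-packet flows from many distinct sources.

    Every such flow was a fresh entry in the exporter's flow table, which is
    the load pattern the thread attributes to the aging/export CPU spike.
    """
    hits = []
    for dst, s in summarize_by_destination(flows).items():
        if len(s["sources"]) >= min_sources and s["single_packet"] / s["flows"] >= single_packet_ratio:
            hits.append(dst)
    return sorted(hits)


def build_sample_datagram() -> bytes:
    """Constructed datagram: 25 one-packet SYN flows to the target, 3 normal flows."""
    records = []
    for i in range(1, 26):   # one packet each, distinct sources, SYN only
        records.append(V5_RECORD.pack(
            socket.inet_aton(f"198.51.100.{i}"), socket.inet_aton("203.0.113.10"),
            socket.inet_aton("0.0.0.0"), 1, 2, 1, 40, 1000, 1000,
            40000 + i, 80, 0, 0x02, 6, 0, 0, 0, 24, 24, 0))
    for i in range(1, 4):    # ordinary established sessions to another host
        records.append(V5_RECORD.pack(
            socket.inet_aton(f"192.0.2.{i}"), socket.inet_aton("203.0.113.20"),
            socket.inet_aton("0.0.0.0"), 1, 2, 40, 52000, 500, 2500,
            50000 + i, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0))
    header = V5_HEADER.pack(5, len(records), 120000, 1207036800, 0, 0, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    hdr, flows = parse_v5(build_sample_datagram())
    print(f"{hdr['count']} flows, sequence {hdr['flow_sequence']}")
    print("suspected targets:", flag_targets(flows))
```

Point a UDP listener at the NDE destination port and hand each datagram to parse_v5; the length check rejects truncated or concatenated datagrams rather than silently mis-aligning the records. With sampled export the packet counts in the records are sampled counts, so the single-packet test is a weaker signal there, which is one more reason Tim's preference for full NetFlow with longer aging timers helps on the analysis side as well as the CPU side.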
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
Hi,

On Tue, Apr 01, 2008 at 09:27:01AM -0400, Patrick J Greene wrote:
> I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html).

Doing that is a personal decision. We decided to move to IPv6 years ago - and now we're leaning back and waiting for the panic to break out in other networks.

> What are your thoughts and plans?

We've upgraded our network to be fully dual-stacked, and now we're waiting for IPv4 to run out.

> Is anybody really running out of IP space, other than ARIN?

Everybody is. The maths is quite easy - how many people on earth? How many IPv4 addresses? Will it be enough so that everybody can use the Internet?

> Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now?

It would make very much sense to do so.

> What about non-ISPs? Does corporate America really need to worry?

If you want to do business with regions that have not been fortunate enough to grab enough IPv4 addresses when there were still plenty, like India or China, having your web content and e-mail servers up on IPv6 seems like a good idea. (If you do business with the American government, ditto.)

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  [EMAIL PROTECTED]
fax: +49-89-35655025  [EMAIL PROTECTED]
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
On Tue, 1 Apr 2008, Patrick J Greene wrote:
> I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html). What are your thoughts and plans?

We are doing it. Some years ago our decision makers decided we wouldn't be a loose screw in the global transition to IPv6. The organization I work for manages the country's ccTLD, the Academic Network and the local Internet Exchange Point among other activities.

> Is anybody really running out of IP space, other than ARIN?

The world is. The IPv4 address distribution flow/chain is: IANA/ICANN -> RIRs (ARIN/APNIC/RIPE/LACNIC/AFRINIC) -> ISPs. In some parts of the world (namely Asia-Pacific) ISPs are the fourth layer, and not the third, because the third is the NIR (National Internet Registry).

> Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now?

Need is perhaps a strong word. But if you can, that would be nice, yes. Have you noticed the root zone has some new records? And that some of the DNS root servers themselves now hold IPv6 addresses? ;-)

> What about non-ISPs? Does corporate America really need to worry?

Only if they reach the point where they need more public IPv4 addresses and they can't get them from ISPs... or from anywhere.

> Thanks,
> Patrick

Best Regards,
--
Carlos Friaças
Wide Area Network Working Group (WAN)  -  www.gigapix.pt
FCCN - Fundacao para a Computacao Cientifica Nacional  -  www.ipv6.eu
Av. do Brasil, n.101, 1700-066 Lisboa, Portugal, Europe  -  www.6diss.org / www.geant2.net
Tel: +351 218440100  Fax: +351 218472167  -  www.fccn.pt
- The end is near, see http://ipv4.potaroo.net
Internet is just routes (241744/992), naming (billions) and... people!
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
Patrick J Greene wrote:
> I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html). What are your thoughts and plans? Is anybody really running out of IP space, other than ARIN? Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now? What about non-ISPs? Does corporate America really need to worry?

Patrick,

This is a frequent topic on the various NOG lists. If you're interested in the technical aspects of IPv6, problems, solutions, deployments, etc then you might want to check out the NANOG presentation archive:

http://www.nanog.org/subjects.html

The NANOG mailing list is also a great place for the "State of IPv6" questions. I would encourage you to read through the list archives though prior to posting. The archives probably already answer most of your questions. Plus the list members are a bunch of cantankerous old kooks who don't like answering questions twice. ;-)

http://www.merit.edu/mail.archives/nanog/

Justin
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
Whisper wrote:
> Got to love Microsoft, XP has a Windows IPv6 stack that doesn't do native IPv6 DNS lookups.

Bleh!!

Peace...
Sridhar
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
The Mayas made some paintings and predictions that on 2012-12-21 the world will end. They also painted something like a net that spans around the globe. Since I heard that, I suppose that I know the exact date when we'll all switch to IPv6 ;-)

My suggestion would be to leave IPv4 for all the core services, routers, maybe even servers, ... and move all cable/DSL users, web-enabled cell phones, PDAs, UMTS cards, (all those not so vital devices) to IPv6.

Greets,
Bernd

Patrick J Greene schrieb:
> I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html). What are your thoughts and plans? Is anybody really running out of IP space, other than ARIN? Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now? What about non-ISPs? Does corporate America really need to worry?
>
> Thanks,
> Patrick
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
On Wed, 2 Apr 2008, Whisper wrote:
> It's quite possibly the Y2K that we had to have. :)

Not really. The problem with Y2K was the danger of working systems stopping working/behaving as expected. The problem with IPv4/IPv6 is about growth. When IPv4 blocks reach the exhaustion point, the public Internet can't keep growing... but current systems will keep on working.

> Maybe the US DoD and the US government in general will hand back all their IPv4 address blocks when they supposedly cut over to IPv6, who knows?

Doesn't make a lot of sense to me... There's also the possibility of a market, instead of the current global (almost free) distribution system. And it's not foreseeable anyone will give their addresses back, if some money can be *possibly* made from that at any point in the future.

> Jeff Doyle has been going on about it for ages on his Network World CiscoSubnet blog: http://www.networkworld.com/community/?q=doyle
>
> Geoff Huston also talks a lot about IPv4 address exhaustion on his site: http://www.potaroo.net/

Try http://ipv4.potaroo.net instead...

> The interesting thing in the client space: other than your Cisco ISRs, I don't think there are any retail modems that do IPv6. Yay Cisco.

Most really don't as we speak, but it's not a 0% figure.

> A good summary of issues can be found in this document: http://rip.psg.com/%7Erandy/070722.v6-op-reality.pdf
>
> Got to love Microsoft, XP has a Windows IPv6 stack that doesn't do native IPv6 DNS lookups.

Not an issue while IPv4+IPv6 is possible. Vista has this issue solved, afaik.

> So I'm pretty pessimistic at the moment.

Most of my pessimism comes from looking at the number of ASes in the IPv4 routing table, and finding only about 3% of them in the global IPv6 routing table.. Low priority is one thing. Hiding head in the sand is something different.

./Carlos

> Let the fun begin.
>
> On Wed, Apr 2, 2008 at 12:27 AM, Patrick J Greene [EMAIL PROTECTED] wrote:
>> I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html). What are your thoughts and plans? Is anybody really running out of IP space, other than ARIN? Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now? What about non-ISPs? Does corporate America really need to worry?
>>
>> Thanks,
>> Patrick
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
Mohacsi Janos wrote:
> Whisper wrote:
>> Got to love Microsoft, XP has a Windows IPv6 stack that doesn't do native IPv6 DNS lookups.
>
> May be worth asking Microsoft to fix this in Windows XP SP3?

Isn't SP3 too close to release for that? It's not like they couldn't release any old Tuesday patch for that.

Peace...
Sridhar
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
See: RFC 4966, Reasons to Move the Network Address Translator - Protocol Translator (NAT-PT) to Historic Status. C. Aoun, E. Davies. July 2007.

Best Regards,
./Carlos

On Tue, 1 Apr 2008, Church, Charles wrote:
> Guess I won't bother with Christmas presents that year! So does NAT-PT take off again so they can all work together? None of the tunnelling or dual-stack schemes seem to be getting much traction.
>
> Chuck
>
> - Original Message -
> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
> Sent: Tue Apr 01 10:39:17 2008
> Subject: Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
>
> The Mayas made some paintings and predictions that on 2012-12-21 the world will end. They also painted something like a net that spans around the globe. Since I heard that, I suppose that I know the exact date when we'll all switch to IPv6 ;-)
>
> My suggestion would be to leave IPv4 for all the core services, routers, maybe even servers, ... and move all cable/DSL users, web-enabled cell phones, PDAs, UMTS cards, (all those not so vital devices) to IPv6.
>
> Greets,
> Bernd
>
> Patrick J Greene schrieb:
>> I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html). What are your thoughts and plans? Is anybody really running out of IP space, other than ARIN? Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now? What about non-ISPs? Does corporate America really need to worry?
>>
>> Thanks,
>> Patrick
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
Guess I won't bother with Christmas presents that year! So does NAT-PT take off again so they can all work together? None of the tunnelling or dual-stack schemes seem to be getting much traction.

Chuck

- Original Message -
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Sent: Tue Apr 01 10:39:17 2008
Subject: Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?

> The Mayas made some paintings and predictions that on 2012-12-21 the world will end. They also painted something like a net that spans around the globe. Since I heard that, I suppose that I know the exact date when we'll all switch to IPv6 ;-)
>
> My suggestion would be to leave IPv4 for all the core services, routers, maybe even servers, ... and move all cable/DSL users, web-enabled cell phones, PDAs, UMTS cards, (all those not so vital devices) to IPv6.
>
> Greets,
> Bernd
>
> Patrick J Greene schrieb:
>> I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html). What are your thoughts and plans? Is anybody really running out of IP space, other than ARIN? Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now? What about non-ISPs? Does corporate America really need to worry?
>>
>> Thanks,
>> Patrick
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
> My suggestion would be to leave IPv4 for all the core services, routers, maybe even servers, ... and move all cable/DSL users, web-enabled cell phones, PDAs, UMTS cards, (all those not so vital devices) to IPv6.

Wouldn't this type of deployment tactic ensure that we would require tunnels between each client, through each and every router, to each and every service that the clients use the Internet for?

I like the idea of deploying from the core. This way, it can be ensured that each and every device from the core all the way to the edge is capable of attaching IPv6 CPE to.

Steve
[c-nsp] Nexus 7000
I am curious to hear from those that have begun to implement or are currently reviewing the Nexus 7000 platform. I have been doing some research and I like what I hear. Now I'm interested in receiving some feedback from the guys on the ground, good, bad or indifferent.

Thanks in advance.

Nick Griffin
Re: [c-nsp] NPE-G1 support for jumbo frames
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose
To: Gerald Krause
Subject: Re: [c-nsp] NPE-G1 support for jumbo frames

> Gerald Krause wrote:
> Jose schrieb:
> We have not been able to change the MTU for the PA-FE-TXs to anything larger than the standard 1500. Every time you try and change it, it spits back an error about not being allowed on this interface. This is with the 7206VXR NPE300 running 12.2(15)T.
>
> One other oh surprise!!! is the fact that the NPE-Gx built-in ports won't do over MTU of 1500 when their speed is set to anything other than 1000.
>
> Huh? Come again?

Yep.. that's right... set the speed to 100, and the max MTU is 1500. Set the speed to 1000, and the max MTU is now 9216. Same port, same GBIC/copper, same code.

Found this one in regression testing before we upgraded a mess of NPE-300's to NPE-G2's. We ended up having to leave the PA-FE-TX's in for a couple months, until a planned switch upgrade could be completed ahead of schedule. Others might not be so fortunate.
Re: [c-nsp] MST operation...
Have you configured the following attributes?

# spanning-tree mst root
# spanning-tree mst priority
# spanning-tree mst pre-standard

If you already have configured/played with the above commands then I would ask for the output of ...

# show spantree mst X active (where X is your instance number)
# show spantree summary mst
# show spantree mst configuration
# show spantree statistics mst mod/port instance (mod/port being the one connected to the secondary switch)

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Fischer
Sent: Tuesday, April 01, 2008 7:58 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MST operation...

> I am running (2) Cat6509-E's with Sup720-3B's running IOS. They are connected via layer 2 by a (2) 10GigE port-channel. Spanning tree is configured via MST with 3 instances - instance 0 (default), instance 1 (roots all odd-numbered VLANs to switch 1 - priority 4096), and instance 2 (roots all even-numbered VLANs to switch 2) - pretty simple configuration. Switch 2 is the secondary for odd-numbered VLANs (priority 8192), and the same is true for switch 1 on the even-numbered VLANs.
>
> All was well, but we recently upgraded the code from 12.2(18)SXF12a to 12.2(18)SXF13 to address vulnerabilities Cisco published - not a quantum leap in terms of code revision. Now, the root of MST0 is properly situated, but both switches think they are the root for MST1 and MST2. I cannot, as yet, link this change in the operation of spanning-tree to the code upgrade - this is in a lab scenario for the time being. Debugging of spanning-tree events, root, and BPDUs revealed nothing occurring across the port-channel. The operation of the port-channel seems to be fine from all reports on the switch. Even had a couple of CCIEs at the VAR look at it, and nothing jumped out at them as being obvious.
>
> The switches were rebooted a couple times, and the MST configuration was cleared and re-entered into the switch. Show spanning-tree MST detail reveals that packets are being exchanged between the two switches on MST 0 over the port-channel, but on MSTs 1 and 2 both switches show transmits, but 0 receives across the port-channel. This has me a bit baffled, and I thought I'd throw it out to this forum to see if anyone has seen similar behavior. Any and all insight and assistance in getting to the root cause of this (pun intended) is most sincerely appreciated.
>
> Regards,
> Steve Fischer
[c-nsp] Packet capturing above 1Gbps
I am about to open a case with TAC regarding the feasibility of using either SPAN or VACL capture or some other method of capturing traffic exceeding 1Gbps. I am not even sure if it is possible to send this much captured traffic to a 10Gbps port connected to something like a GigaVue-420 which can split the traffic into smaller, more manageable streams for analysis. The solution should be able to provide a full view of all packets as the analysis stations receiving the captures will be providing reports on the captured data all the way up to the application layer. Realistically, traffic loads within the applicable VLAN may reach up to 3 Gbps at peak periods.

From your experience, what are some of the ways in which this can be done?

Thanks.

Vijay Ramcharan
Re: [c-nsp] Packet capturing above 1Gbps
Ramcharan, Vijay A wrote:
> I am about to open a case with TAC regarding feasibility of using either SPAN or VACL capture or some other method of capturing traffic exceeding 1Gbps. I am not even sure if it is possible to send this much captured traffic to a 10Gbps port connected to something like a GigaVue-420 which can split the traffic into smaller, more manageable streams for analysis. The solution should be able to provide a full view of all packets as the analysis stations receiving the captures will be providing reports on the captured data all the way up to the application layer. Realistically, traffic loads within the applicable VLAN may reach up to 3 Gbps at peak periods. From your experience, what are some of the ways in which this can be done?

We are using a plain SPAN session on 6500s to mirror an SVI on an active/standby pair of 10gig ports facing our firewall:

ip vrf INSIDE
 description blah
ip vrf OUTSIDE
 description blah

int vlan4000
 ip vrf forwarding OUTSIDE
 ip address 192.168.1.x 255.255.255.252
int vlan4001
 ip vrf forwarding INSIDE
 ip address 192.168.2.y 255.255.255.252

int Te1/1
 description main port to firewall
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed 4000-4001
int Te1/2
 description 2nd port to firewall
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed 4000-4001
int Te1/3
 description facing sniffer

monitor session 1 source vlan 4001
monitor session 1 destination interface Te1/3

It seems to work fine. I've also used ERSPAN to mirror very high-rate interfaces (1Gbit/sec) and it seems to work fine, though it brings the capturing box to its knees!

VACL is mutually exclusive with OAL (which we have configured) so I haven't tried that.
Re: [c-nsp] NPE-G1 support for jumbo frames
We run MPLS on the G-1 gig ports over copper. We use the MPLS MTU command to override the interface MTU. It allows the original L3 packet to be 1500 PLUS adds MPLS headers, technically exceeding the interface MTU. An MPLS MTU of 1512 allows for up to 3 4-byte MPLS labels (1 for PE, 2 for P, 3 for MPLS-TE).

interface GigabitEthernet0/1
 ip address x.x.x.x y.y.y.y
 ...
 mpls ip
 mpls mtu 1512
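The label budget arithmetic behind the "1512 allows three labels" statement above, as an added worked example that is not from the poster or from Cisco: it walks an IOS-style interface stanza, reads any `mtu` and `mpls mtu` lines, and reports whether a full-size 1500-byte IP packet with a given label stack still fits. The sample config is constructed for the example (addresses from the 192.0.2.0/24 documentation range), and it assumes the IOS behaviour that, when no `mpls mtu` is set, labelled packets are held to the interface MTU.

```python
import re

LABEL_BYTES = 4        # one MPLS shim header (label, EXP, S, TTL)
DEFAULT_IP_MTU = 1500  # IOS default interface MTU on Ethernet ports

# Constructed sample config for this example; 192.0.2.0/24 is documentation space.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
 mpls ip
 mpls mtu 1512
!
interface GigabitEthernet0/2
 ip address 192.0.2.5 255.255.255.252
 mpls ip
!
interface GigabitEthernet0/3
 mtu 9216
 ip address 192.0.2.9 255.255.255.252
 mpls ip
"""


def required_mpls_mtu(payload, labels):
    """Smallest 'mpls mtu' that carries a payload-byte IP packet plus this many labels."""
    return payload + labels * LABEL_BYTES


def label_budget(payload, effective_mpls_mtu):
    """How many labels can be pushed onto a payload-byte packet without exceeding the MPLS MTU."""
    return max(0, (effective_mpls_mtu - payload) // LABEL_BYTES)


IFACE_RE = re.compile(r"^interface\s+(\S+)")
MTU_RE = re.compile(r"^\s+mtu\s+(\d+)")
MPLS_MTU_RE = re.compile(r"^\s+mpls\s+mtu\s+(\d+)")


def interface_mtus(config):
    """Collect {interface: {"mtu": int, "mpls_mtu": int|None}} from an IOS-style config."""
    result = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"mtu": DEFAULT_IP_MTU, "mpls_mtu": None}
            continue
        if current is None:
            continue
        if not line.startswith(" "):      # "!" or a top-level command ends the stanza
            current = None
            continue
        m = MTU_RE.match(line)
        if m:
            result[current]["mtu"] = int(m.group(1))
            continue
        m = MPLS_MTU_RE.match(line)
        if m:
            result[current]["mpls_mtu"] = int(m.group(1))
    return result


def check_label_stack(config, payload, labels):
    """Per interface: does a payload-byte packet with `labels` labels fit the effective MPLS MTU?

    Assumption (IOS behaviour): with no 'mpls mtu' configured, the MPLS MTU equals the interface MTU.
    """
    report = {}
    for name, v in interface_mtus(config).items():
        effective = v["mpls_mtu"] if v["mpls_mtu"] is not None else v["mtu"]
        report[name] = label_budget(payload, effective) >= labels
    return report


if __name__ == "__main__":
    print("mpls mtu needed for 1500 + 3 labels:", required_mpls_mtu(1500, 3))
    for iface, ok in check_label_stack(SAMPLE_CONFIG, 1500, 3).items():
        print(f"{iface}: 3-label stack on a 1500-byte packet {'fits' if ok else 'does NOT fit'}")
```

Gi0/2 in the sample has `mpls ip` but no `mpls mtu`, so a full-size packet gets zero label budget; that is the case the poster's `mpls mtu 1512` override exists to fix, and it is the one worth checking on every labelled interface of a box whose built-in ports are stuck at a 1500-byte interface MTU.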
Re: [c-nsp] Packet capturing above 1Gbps
Thank you Phil and Mike. I heard back from Cisco. They say VACL captures at those rates are supported and should not result in performance hits on the switch.

I probably should have mentioned that we already have an application (Tealeaf) that will be used for analysis. I believe the VACL capture to a 10Gbps port to a GigaVue-420 and then split out to the analysis servers is a good approach. Many of the parts are already present - just need to get a conversation going with Gigamon now.

Vijay Ramcharan

-Original Message-
From: Phil Mayers [mailto:[EMAIL PROTECTED]
Sent: April 01, 2008 13:20
To: Ramcharan, Vijay A
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Packet capturing above 1Gbps

> Ramcharan, Vijay A wrote:
> > I am about to open a case with TAC regarding feasibility of using either SPAN or VACL capture or some other method of capturing traffic exceeding 1Gbps. I am not even sure if it is possible to send this much captured traffic to a 10Gbps port connected to something like a GigaVue-420 which can split the traffic into smaller, more manageable streams for analysis. The solution should be able to provide a full view of all packets as the analysis stations receiving the captures will be providing reports on the captured data all the way up to the application layer. Realistically, traffic loads within the applicable VLAN may reach up to 3 Gbps at peak periods. From your experience, what are some of the ways in which this can be done?
>
> We are using a plain SPAN session on 6500s to mirror an SVI on an active/standby pair of 10gig ports facing our firewall:
>
> ip vrf INSIDE
>  description blah
> ip vrf OUTSIDE
>  description blah
>
> int vlan4000
>  ip vrf forwarding OUTSIDE
>  ip address 192.168.1.x 255.255.255.252
> int vlan4001
>  ip vrf forwarding INSIDE
>  ip address 192.168.2.y 255.255.255.252
>
> int Te1/1
>  description main port to firewall
>  switchport mode trunk
>  switchport trunk encap dot1q
>  switchport trunk allowed 4000-4001
> int Te1/2
>  description 2nd port to firewall
>  switchport mode trunk
>  switchport trunk encap dot1q
>  switchport trunk allowed 4000-4001
> int Te1/3
>  description facing sniffer
>
> monitor session 1 source vlan 4001
> monitor session 1 destination interface Te1/3
>
> It seems to work fine. I've also used ERSPAN to mirror very high-rate interfaces (1Gbit/sec) and it seems to work fine, though it brings the capturing box to its knees!
>
> VACL is mutually exclusive with OAL (which we have configured) so I haven't tried that.
[c-nsp] Video nat traversal
Can a Cisco router be a gatekeeper and NAT traversal box for video calls over the internet? I've been looking at the: http://www.polycom.com/usa/en/products/video/security_firewall_traversal/v2iu_4350t_series.html and I was told that a Cisco router might be able to do this as well. Is this possible? If so, what would I need to accomplish this?

Dan.
Re: [c-nsp] Cisco 7204 CPU utilisation.
On Tuesday 01 April 2008, Alex Balashov wrote:
> Naturally, a Layer 3 switch is a smarter idea than a big Layer 3 VLAN router-on-a-trunk-stick these days, but the budget isn't there right now.

Not if you're doing heavy QoS. We've been hit with issues where QoS commands exist on Cisco desktop switches, but they don't actually take - this can get annoying pretty fast.

In the end, it depends on what features you need to turn on; that determines whether you provide Layer 3 services off a switch or a trunked router port.

Mark.
Re: [c-nsp] NPE-G1 support for jumbo frames
Lasher, Donn wrote:
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose
> To: Gerald Krause
> Subject: Re: [c-nsp] NPE-G1 support for jumbo frames
>
> > Gerald Krause wrote:
> > Jose schrieb:
> > We have not been able to change the MTU for the PA-FE-TXs to anything larger than the standard 1500. Every time you try and change it, it spits back an error about not being allowed on this interface. This is with the 7206VXR NPE300 running 12.2(15)T.
> >
> > One other oh surprise!!! is the fact that the NPE-Gx built-in ports won't do over MTU of 1500 when their speed is set to anything other than 1000.
> >
> > Huh? Come again?
>
> Yep.. that's right... set the speed to 100, and the max MTU is 1500. Set the speed to 1000, and the max MTU is now 9216. Same port, same GBIC/copper, same code.
>
> Found this one in regression testing before we upgraded a mess of NPE-300's to NPE-G2's. We ended up having to leave the PA-FE-TX's in for a couple months, until a planned switch upgrade could be completed ahead of schedule. Others might not be so fortunate.

Donn, what version of code were you using? This is pretty scary considering that one of the factors of going to NPE-G1 is hoping to take advantage of jumbo frames or at least 1530 on the three ports.

Jose
Re: [c-nsp] Packet capturing above 1Gbps
On Apr 2, 2008, at 2:03 AM, Ramcharan, Vijay A wrote:
> I believe the VACL capture to 10Gbps port to a GigaVue-420 and then split out to the analysis servers is a good approach.

Be sure you don't exceed the pps limitations of your linecard(s) - the SPANned traffic counts towards those limits.

---
Roland Dobbins [EMAIL PROTECTED] // +66.83.266.6344 mobile

History is a great teacher, but it also lies with impunity. -- John Robb
Re: [c-nsp] c3570 stack flapping
Hi,

We have an installation of many (1500+) 3750s in production and have seen this. Some of the causes have been:

* Faulty stack ports. We are seeing an increasing amount of these failures on our network
* Faulty stack cables(!)
* Humidity - sometimes we notice on humid days that we see stacks randomly flap! I suspect this has to do more with the cable - but this has been a consistent trend. We use the APC environmental monitoring units for keeping track of humidity. Hot humid air being rapidly cooled will cause condensation INSIDE the stack cable!!! Nasty, nasty stuff.

Sometimes on occasion, we will see a stack flap as a once-off every few days.

Our steps to troubleshoot and resolve these issues are:

* Reconnect stack cable
* Replace stack cable
* Alternatively if the link doesn't come up again, reload the stack...
* Replace switch - this is the tough one because we don't always know which stack member has the suspect port.

Let me know how you go.

Tristan.

- Original Message -
From: Wyatt Mattias Ishmael Jovial Gyllenvarg [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Friday, March 28, 2008 9:21 PM
Subject: [c-nsp] c3570 stack flapping

> Hi All
>
> I have a new stack of 2x 3750-12s that was recently stacked. We just noticed packet loss there and as part of the troubleshooting we powered off the second switch (no connections in it yet) as the below was flooding the log.
>
> *Nov 21 20:57:52.834: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
> *Nov 21 20:57:53.589: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
> *Nov 21 20:57:54.587: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP
> *Nov 21 20:57:54.587: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
> *Nov 21 20:57:58.622: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP
> *Nov 21 20:57:59.629: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
> *Nov 21 20:58:01.642: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP
> *Nov 21 20:58:02.900: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state UP
> *Nov 21 20:58:03.655: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
> *Nov 21 20:58:03.907: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
>
> This stopped the packet loss. As this is in production we are not able to perform any more troubleshooting at the time.
>
> Has anyone seen this before? Do I have a bad stack cable or a bad stack interface? Or perhaps a mismatch in IOS version (can't double check that they are the same now) or firmware or hardware?
>
> Best regards
> Mattias Gyllenvarg
> Skycom AB
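A small detector for the %STACKMGR-6-STACK_LINK_CHANGE storm quoted above, added here as an example and not code from either poster: it parses syslog lines in that format, groups the state changes per (switch, stack port), and flags any port that changes state more than a threshold number of times inside a sliding window, so a syslog collector can raise one alert per flapping port instead of one per line. The sample lines are modelled on the ones Mattias posted plus one constructed unrelated %SYS message to show the filter ignoring it; the threshold and window are assumptions chosen for the example. The leading `*` on each timestamp is IOS's mark that the clock has not been set authoritatively, which is why a late-March mail shows "Nov 21"; the detector only uses the timestamps for relative spacing, so that does not matter here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input modelled on the quoted log (plus one unrelated message).
SAMPLE_LOG = """\
*Nov 21 20:57:52.834: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
*Nov 21 20:57:53.589: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
*Nov 21 20:57:54.587: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP
*Nov 21 20:57:54.587: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
*Nov 21 20:57:58.622: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP
*Nov 21 20:57:59.629: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
*Nov 21 20:58:01.642: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP
*Nov 21 20:58:02.900: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state UP
*Nov 21 20:58:03.655: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
*Nov 21 20:58:03.907: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
*Nov 21 21:03:10.100: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Optional "*" or "." clock-status prefix, then the IOS datetime, then the STACKMGR message.
STACK_RE = re.compile(
    r"^[*.]?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%STACKMGR-6-STACK_LINK_CHANGE: Stack Port (?P<port>\d+) Switch (?P<switch>\d+) "
    r"has changed to state (?P<state>UP|DOWN)"
)


def parse_stack_events(text):
    """Return [(timestamp, switch, port, state)] for every STACKMGR link-change line, oldest first."""
    events = []
    for line in text.splitlines():
        m = STACK_RE.match(line.strip())
        if not m:
            continue  # not a stack link-change message
        # No year in the IOS timestamp; strptime fills in 1900, which is fine for deltas.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        events.append((ts, int(m.group("switch")), int(m.group("port")), m.group("state")))
    events.sort(key=lambda e: e[0])  # stable sort keeps same-millisecond UP/DOWN order
    return events


def max_changes_in_window(times, window):
    """Largest number of state changes that fall inside any `window`-long span (two-pointer sweep)."""
    best = 0
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_flapping_ports(text, threshold=5, window_seconds=60):
    """Return ({(switch, port): peak changes per window}, [flapping (switch, port) keys])."""
    window = timedelta(seconds=window_seconds)
    per_port = defaultdict(list)
    for ts, switch, port, _state in parse_stack_events(text):
        per_port[(switch, port)].append(ts)
    report = {key: max_changes_in_window(times, window) for key, times in per_port.items()}
    flapping = sorted(key for key, n in report.items() if n >= threshold)
    return report, flapping


if __name__ == "__main__":
    report, flapping = find_flapping_ports(SAMPLE_LOG)
    for (switch, port), n in sorted(report.items()):
        print(f"Switch {switch} Stack Port {port}: {n} state changes within 60 s")
    print("flapping:", flapping)
```

On the quoted lines, Switch 1 Stack Port 2 shows seven changes in about ten seconds, while Switch 2 Stack Port 1 shows three; with the example's threshold only the first is flagged, which matches the thread's suspicion that one cable or port, not the whole stack, is at fault.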
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
On Tue, 1 Apr 2008, Carlos Friacas wrote:
> See: 4966 Reasons to Move the Network Address Translator - Protocol Translator (NAT-PT) to Historic Status. C. Aoun, E. Davies. July 2007.

Yes, but there is a new movement called NAT64 that might fly...

Regards,
Janos

> Best Regards,
> ./Carlos
>
> On Tue, 1 Apr 2008, Church, Charles wrote:
> > Guess I won't bother with Christmas presents that year! So does NAT-PT take off again so they can all work together? None of the tunnelling or dual-stack schemes seem to be getting much traction.
> >
> > Chuck
> >
> > - Original Message -
> > From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> > To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
> > Sent: Tue Apr 01 10:39:17 2008
> > Subject: Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
> >
> > The Mayas made some paintings and predictions that on 2012-12-21 the world will end. They also painted something like a net that spans around the globe. Since I heard that, I suppose that I know the exact date when we'll all switch to IPv6 ;-)
> >
> > My suggestion would be to leave IPv4 for all the core services, routers, maybe even servers, ... and move all cable/DSL users, web-enabled cell phones, PDAs, UMTS cards, (all those not so vital devices) to IPv6.
> >
> > Greets, Bernd
> >
> > Patrick J Greene schrieb:
> > I keep seeing all of these articles about IPv6 being put off until the last minute and then we will all have to scramble to put it in (http://www.networkworld.com/news/2008/033108-ntt-anerica-ipv6.html). What are your thoughts and plans? Is anybody really running out of IP space, other than ARIN? Do we need to be looking at getting IPv6 Internet connections and hosting on IPv6 now? What about non-ISPs? Does corporate America really need to worry?
> >
> > Thanks, Patrick