[c-nsp] vs 6509-E chassis
Hi Folks Can someone tell me, does the 6509-E chassis support SUP WS-X6K-SUP2-2GE. I can't find any documentation on the CCO regarding this. /Arne ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] bgp router
Re Gert, re Rossella

[EMAIL PROTECTED] (Gert Doering) wrote:

On Wed, Jun 04, 2008 at 09:43:54AM -0700, Rossella Mariotti-Jones wrote:

This is good to know, thanks. We're going to have at least two ISPs possibly add more in the future, and a 100Mb pipe to it, which will grow to 200Mb soon. Right now we only have a DS3 and a lot of the times it gets up to 40Mb. I'm assuming we'll probably be pushing 80Mb easily pretty soon. This is our first BGP experience, we don't want to over buy but we also don't want to get stuck with a unit that's not going to be able to keep up.

My gut feeling is go with a 7301 or 7200/NPE-G1. Why? Because it can deliver the 200 Mbit/s bandwidth, and it's a simple architecture - everything is software, and there is lots less hidden surprises than with the 6500/7600 platform.

That would depend on packet sizes. I know we're a bit extreme (most of our packets are around 64-128 Bytes), yet...we're hitting 50% CPU load on 7301s with like 60 Mbps of Traffic (in+out aggregated), which amounts to around 72kpps. If your traffic consists of considerably larger packets, you may want to go with 7301s (G1) or 7201s (G2); if your packet sizes are small, you need to consider hardware forwarding platforms.

If you need lots of ethernet ports, trunk one of the GigE ports from the router to a L2 switch (2950T-24 or such), and use that to fan out all the individual ports.

Be careful if you set up an etherchannel; G1s and G2s do that in software, too, and it takes away forwarding capacity...

Why is it, btw, that IOS doesn't use both CPU kernels there? Or did I miss an IOS version that started doing that? (still on 12.3T here)

Yours, Elmi.
Re: [c-nsp] vs 6509-E chassis
check here.. http://www.cisco.com/en/US/products/hw/switches/ps708/products_relevant_interfaces_and_modules.html

On Fri, Jun 6, 2008 at 2:02 AM, Arne Larsen / Region Nordjylland [EMAIL PROTECTED] wrote:

Hi Folks Can someone tell me, does the 6509-E chassis support SUP WS-X6K-SUP2-2GE. I can't find any documentation on the CCO regarding this. /Arne
Re: [c-nsp] Short pipe with Inter-as option 10b
Vikas Sharma mailto:[EMAIL PROTECTED] wrote on Friday, June 06, 2008 5:11 AM:

Hi, Need your expert comment on what QoS mechanism to be used for Inter-As option 10b, pipe mode or short pipe mode. This is for ISP setup. What is the trend in ISP industry?

well, Inter-Provider QoS is still a general challenge (whether it is MPLS-VPN InterAS or plain IP interconnectivity). My personal take on this (possibly not having a conclusive picture of what's being done):

- On the ASBR in a 10b setup, packets are rcvd and sent labelled, so pipe vs. short-pipe doesn't apply (the difference between pipe and short-pipe is the QoS classification on the IPv4 PE-CE link at the very edge of the network).
- If 10b is used and the QoS classes don't match, you re-classify by changing EXP bits of the top label, so the ASBR plays the same role as a P node, and changing MPLS PHB on P devices is possible with any MPLS Diffserv tunneling modes, including uniform mode, so the question pipe vs. short-pipe doesn't apply.
- Many providers actually prefer Inter-AS option 10a as they can look at the IPv4 header to apply granular filtering and QoS. Obviously, 10a has scalability challenges, and a new Inter-AS option 10d (or 10a+b) draft-kulmala-l3vpn-interas-option-d addresses those by combining the IPv4 forwarding properties of 10a with the scalable vpnv4 control plane of 10b, so I might also call this a trend.

my 2c

oli
Re: [c-nsp] Short pipe with Inter-as option 10b
Are you an MPLS carrier?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vikas Sharma
Sent: Thursday, June 05, 2008 11:11 PM
To: cisco-nsp@puck.nether.net; Oliver Boehmer (oboehmer); [EMAIL PROTECTED]; Tom Mulvey (tmulvey)
Subject: [c-nsp] Short pipe with Inter-as option 10b

Hi, Need your expert comment on what QoS mechanism to be used for Inter-As option 10b, pipe mode or short pipe mode. This is for ISP setup. What is the trend in ISP industry?

Regards, Vikas Sharma
[c-nsp] Maximum number of routes on Cisco 7301 NSE100
Hi, Does anyone know what the maximum number of (IPv4 unicast) routes these can take? They have 512MB of RAM, which I believe is the maximum for this model. Thanks, Sam
Re: [c-nsp] Maximum number of routes on Cisco 7301 NSE100
Sam Stickland wrote:

Hi, Does anyone know what the maximum number of (IPv4 unicast) routes these can take? They have 512MB of RAM, which I believe is the maximum for this model.

Actually, I should clarify. We need to know if it can take two full feeds in a VRF (VRF lite, with minimal management only routes in the global table). These are an unusual platform for us so I don't have any spare that I can put into a lab. Despite the PXF hardware feature I don't think they use TCAM to store the FIB, so I guess the amount of memory consumed is going to depend on the IOS release. These are currently running 12.2(28)SB5.

I've seen this page but there's no info regarding maximum supported routes: http://www.cisco.com/en/US/prod/collateral/routers/ps352/product_data_sheet09186a0080092263.html

Hopefully someone else out there has a similar configuration and they can post the memory usage.

Thanks, Sam
Re: [c-nsp] bgp router
On Fri, Jun 06, 2008 at 08:33:13AM +0200, Elmar K. Bins wrote:

Re Gert, re Rossella

[EMAIL PROTECTED] (Gert Doering) wrote:

On Wed, Jun 04, 2008 at 09:43:54AM -0700, Rossella Mariotti-Jones wrote:

This is good to know, thanks. We're going to have at least two ISPs possibly add more in the future, and a 100Mb pipe to it, which will grow to 200Mb soon. Right now we only have a DS3 and a lot of the times it gets up to 40Mb. I'm assuming we'll probably be pushing 80Mb easily pretty soon. This is our first BGP experience, we don't want to over buy but we also don't want to get stuck with a unit that's not going to be able to keep up.

My gut feeling is go with a 7301 or 7200/NPE-G1. Why? Because it can deliver the 200 Mbit/s bandwidth, and it's a simple architecture - everything is software, and there is lots less hidden surprises than with the 6500/7600 platform.

That would depend on packet sizes. I know we're a bit extreme (most of our packets are around 64-128 Bytes), yet...we're hitting 50% CPU load on 7301s with like 60 Mbps of Traffic (in+out aggregated), which amounts to around 72kpps. If your traffic consists of considerably larger packets, you may want to go with 7301s (G1) or 7201s (G2); if your packet sizes are small, you need to consider hardware forwarding platforms.

If you need lots of ethernet ports, trunk one of the GigE ports from the router to a L2 switch (2950T-24 or such), and use that to fan out all the individual ports.

Be careful if you set up an etherchannel; G1s and G2s do that in software, too, and it takes away forwarding capacity...

Why is it, btw, that IOS doesn't use both CPU kernels there? Or did I miss an IOS version that started doing that? (still on 12.3T here)

Nope. Never will. ASR will be the way forward.

Rodney

Yours, Elmi.
Re: [c-nsp] Short pipe with Inter-as option 10b
+1 for 10a. We've yet to have an instance where 10a wouldn't suit our needs and it's much less headache than 10b (IMHO).

-d

From: Oliver Boehmer (oboehmer) [EMAIL PROTECTED]
Date: Fri, 6 Jun 2008 08:48:20 +0200
To: Vikas Sharma [EMAIL PROTECTED], cisco-nsp@puck.nether.net, Krishnaji Panse (kpanse) [EMAIL PROTECTED], Tom Mulvey (tmulvey) [EMAIL PROTECTED]
Conversation: Short pipe with Inter-as option 10b
Subject: Re: [c-nsp] Short pipe with Inter-as option 10b

Vikas Sharma mailto:[EMAIL PROTECTED] wrote on Friday, June 06, 2008 5:11 AM:

Hi, Need your expert comment on what QoS mechanism to be used for Inter-As option 10b, pipe mode or short pipe mode. This is for ISP setup. What is the trend in ISP industry?

well, Inter-Provider QoS is still a general challenge (whether it is MPLS-VPN InterAS or plain IP interconnectivity). My personal take on this (possibly not having a conclusive picture of what's being done):

- On the ASBR in a 10b setup, packets are rcvd and sent labelled, so pipe vs. short-pipe doesn't apply (the difference between pipe and short-pipe is the QoS classification on the IPv4 PE-CE link at the very edge of the network).
- If 10b is used and the QoS classes don't match, you re-classify by changing EXP bits of the top label, so the ASBR plays the same role as a P node, and changing MPLS PHB on P devices is possible with any MPLS Diffserv tunneling modes, including uniform mode, so the question pipe vs. short-pipe doesn't apply.
- Many providers actually prefer Inter-AS option 10a as they can look at the IPv4 header to apply granular filtering and QoS. Obviously, 10a has scalability challenges, and a new Inter-AS option 10d (or 10a+b) draft-kulmala-l3vpn-interas-option-d addresses those by combining the IPv4 forwarding properties of 10a with the scalable vpnv4 control plane of 10b, so I might also call this a trend.

my 2c

oli
[c-nsp] EnableLocalLAN don't work
Hello, I have a cisco 871 as VPN end-point. I need to access my local lan, when my vpn is up. I'm using vpn-client 5.0.01.0600 for Windows on XP. I tried to enable Allow local lan access but that don't work much. I found that I need to enable split tunneling. I found doc to do that on vpn concentrator or pix, but I did not found anything for simple routers. Any idea ?

EnableLocalLAN=0
; This allows the user to access the local LAN if it is set to 1.
; Otherwise, the user cannot access the local LAN segment while a
; VPN session is up (the group must also be set up for split
; tunneling to allow local LAN access)
[c-nsp] QoS VLAN trunk Port
Hi! I have a general question to QoS VLAN based. I have read a lot of documentation, but did not found the right answer. Is it possible to police traffic on an trunk port per vlan ? For Example, I want to limit vlan 100 to 5Mbps and the vlan 200 to 2Mbps, vlan 300 is unlimited.

4500 --Trunk vlan 100,200,300 -- 4500

Is this possible ? If yes, what is the name of the feature and how to configure ?

Regards, Ahmad

Registered office of NK Networks Services GmbH: Von-der-Wettern-Straße 15, 51149 Köln. Court of registration: Amtsgericht Köln, registration number HRB 30805. Managing director: Tonis Rüsche
Re: [c-nsp] QoS VLAN trunk Port
Some pointers:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/qos.html#wp1726124
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m2.html#wp1016198

In general, you enable mls qos vlan-based on the trunk, and apply the qos policy on the SVI (interface vlan) - even without any L3 config on the SVI.

Arie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cheikh-Moussa Ahmad
Sent: Friday, June 06, 2008 17:44 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] QoS VLAN trunk Port

Hi! I have a general question to QoS VLAN based. I have read a lot of documentation, but did not found the right answer. Is it possible to police traffic on an trunk port per vlan ? For Example, I want to limit vlan 100 to 5Mbps and the vlan 200 to 2Mbps, vlan 300 is unlimited.

4500 --Trunk vlan 100,200,300 -- 4500

Is this possible ? If yes, what is the name of the feature and how to configure ?

Regards, Ahmad
Re: [c-nsp] SAA History
Thanks Arie, That certainly clears up some of my understanding of the history commands. Unfortunately it also seems to concern my suspicions that you can't create circular history buffers, or retrieve this information via SNMP.

Sam

Arie Vayner (avayner) wrote:

Sam, Take a look here: http://www.cisco.com/en/US/docs/ios/ipsla/command/reference/sla_01.html Look at the commands starting with history

Arie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sam Stickland
Sent: Tuesday, June 03, 2008 12:20 PM
To: Cisco-nsp
Subject: [c-nsp] SAA History

Hi, I'm struggling to find a good article that explains the SAA history mechanism. I'm wondering if it's possible to get the device to store a circular buffer of samples, which the management station can collect at an interval larger than the probe frequency. Not only will this keep load off the management station, but it will - hopefully - mean that statistics won't be lost during a network outage. Is this possible? It looks to me that not only do the history buckets not wrap, but that the history buckets can't actually be retrieved by SNMP.

Sam
Re: [c-nsp] Single-mode GBIC question
If you stay within specs you should be fine. We've used SM in the lab with no ill effects. Attenuators also don't cost much either.

Aaron

On Fri, May 30, 2008 at 2:18 PM, les [EMAIL PROTECTED] wrote:

I've combed the web with no luck to the answer of my simple question If you use SINGLE-MODE fiber and gbics for very short runs (same room, across the street), can you damage the GBICS? What has been your experience. Oversaturation? Life-shortening? We typically use SM towards the telco and MM for internal but have ran into some legacy fiber where it's SM internal. I have electronic background so terminology is familiar.

thanks in advance -les
[c-nsp] Kevin White is out of the office.
I will be out of the office starting 06/06/2008 and will not return until 16/06/2008. Please contact Marcus Burbidge x2510 or Peter Smith x6501 for any urgent issues
Re: [c-nsp] QoS VLAN trunk Port
Hi, If it's 4500/4900 you can use Per-Port Per-VLAN QoS http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/qos.html#wp1338610

Nitzan

2008/6/6 Cheikh-Moussa Ahmad [EMAIL PROTECTED]:

Hi! I have a general question to QoS VLAN based. I have read a lot of documentation, but did not found the right answer. Is it possible to police traffic on an trunk port per vlan ? For Example, I want to limit vlan 100 to 5Mbps and the vlan 200 to 2Mbps, vlan 300 is unlimited.

4500 --Trunk vlan 100,200,300 -- 4500

Is this possible ? If yes, what is the name of the feature and how to configure ?

Regards, Ahmad
Re: [c-nsp] bgp router
On Fri, Jun 06, 2008 at 08:33:13AM +0200, Elmar K. Bins wrote:

My gut feeling is go with a 7301 or 7200/NPE-G1. Why? Because it can deliver the 200 Mbit/s bandwidth, and it's a simple architecture - everything is software, and there is lots less hidden surprises than with the 6500/7600 platform.

That would depend on packet sizes. I know we're a bit extreme (most of our packets are around 64-128 Bytes), yet...we're hitting 50% CPU load on 7301s with like 60 Mbps of Traffic (in+out aggregated), which amounts to around 72kpps.

we experience the same. traffic is a little higher, but a large amount of it is DNS packets, hence mostly 512 bytes.

If your traffic consists of considerably larger packets, you may want to go with 7301s (G1) or 7201s (G2); if your packet sizes are small, you need to consider hardware forwarding platforms.

i know this may be heresy on this list, but look at juniper's J6350. similar price to a c7301, more throughput (even at small packet sizes).

Why is it, btw, that IOS doesn't use both CPU kernels there? Or did I miss an IOS version that started doing that? (still on 12.3T here)

i believe the 2nd CPU can only be enabled for some very specific features: http://www.cisco.com/en/US/docs/routers/7300/install_and_upgrade/7301/7301_install_and_config_guide/5418c.html#wp1154543

%% The Cisco 7301 includes a dual-CPU-core BCM 1250. All Cisco IOS images for the Cisco 7301 platform use CPU-core 0. CPU-core 1 allows acceleration of specific feature sets via separately purchased special software. As of Cisco IOS Release 12.3(14)YM, multi-processor forwarding (MPF) accelerates the following broadband features: L2TP Access Concentrator (LAC), L2TP Network Server (LNS), and PPP Terminated Aggregation (PTA). Port adapters are not supported in the multi-processor forwarding (MPF) path on processor 1. %%

wild-ass speculation follows: i imagine the cost of data structure and code-path locking, IPIs and other multi-processor primitives (or simply the fiscal cost of coding same for this platform in 15+ year old code) negates any value to enabling the 2nd CPU for code paths that run in interrupt context and/or run through to delivery of the packet. the aforementioned MPF features can run independent of the IOS data structures that would need to be locked if the entire IOS code ran in what we traditionally call SMP. they most likely directly access the broadcom hardware over amd hypertransport, hence the unavailability of port adapters for MPF. /speculation

there were murmurs of a team at cisco porting freebsd mips, which would have given native SMP support. however, all the people who were supposedly working on that no longer work for cisco (or now work in groups whose bailiwick is clearly not core OS coding). read into that what you will.

-- bill
Re: [c-nsp] interrupt cpu // processor routed packets
On Thu, Jun 05, 2008 at 10:32:30AM -0400, Rodney Dunn wrote:

#1 issue with tunnels is usually a fragmentation reassembly problem.

(damn, i'm usually smarter than this.. :-)

Watch 'sh ip traffic' outputs for large jumps. Clear the counters and capture snapshots of 'sh ip traffic'.

we were already tracking the IP-MIB in cacti, so viewing the ipFrag* and ipReasm* values made this obvious. good call.

Also, do 'sh buff input-interface name packet' to see what packets are being punted. You have to do it against the subinterface if it's a trunk.

sure enough, a bunch of packets a few bytes over the MTU and a few bytes over the minimum. it would be nice to know through which tunnel they were coming from. is there any way to use the memory values from 'sh buff input-interface' there to display the actual packets (or buffer)?

thanks for your help, this was driving me mad.

-- bill
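Added example (not from either poster): the snapshot comparison suggested in the message above, done in Python over two constructed captures of the `Frags:` block of `show ip traffic`. The sample text, the 60-second interval and the 50/s threshold are assumptions, and field labels can differ between IOS releases.

```python
import re

# Constructed snapshots shaped like the "Frags:" block of IOS `show ip traffic`.
# All numbers are invented; field labels can differ between IOS releases.
SNAPSHOT_T0 = """\
IP statistics:
  Rcvd:  1200345 total, 80412 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
  Frags: 120 reassembled, 2 timeouts, 0 couldn't reassemble
         310 fragmented, 0 couldn't fragment
  Bcast: 512 received, 0 sent
"""

SNAPSHOT_T1 = """\
IP statistics:
  Rcvd:  1960345 total, 91530 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
  Frags: 9120 reassembled, 2 timeouts, 14 couldn't reassemble
         6310 fragmented, 0 couldn't fragment
  Bcast: 530 received, 0 sent
"""


def parse_frag_counters(text):
    """Return {label: count} for the Frags: line and its continuation lines."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("Frags:"):
            block = [line.split("Frags:", 1)[1]]
            # Continuation lines are indented and start with a number;
            # the next "Label:" line ends the block.
            for cont in lines[i + 1:]:
                if not re.match(r"\s+\d", cont):
                    break
                block.append(cont)
            counters = {}
            for part in ",".join(block).split(","):
                m = re.match(r"\s*(\d+)\s+(.+?)\s*$", part)
                if m:
                    counters[m.group(2)] = int(m.group(1))
            return counters
    raise ValueError("no 'Frags:' line found in snapshot")


def frag_rates(before, after, interval_s):
    """Per-second growth of each fragmentation counter between two snapshots."""
    old, new = parse_frag_counters(before), parse_frag_counters(after)
    rates = {}
    for label, value in new.items():
        prev = old.get(label, 0)
        # A smaller value means the counters were cleared (or wrapped) between
        # snapshots, so the new value is itself the growth since the clear.
        delta = value - prev if value >= prev else value
        rates[label] = delta / interval_s
    return rates


def large_jumps(before, after, interval_s, threshold_per_s):
    """Counters growing faster than threshold_per_s, fastest first."""
    rates = frag_rates(before, after, interval_s)
    hits = [(label, rate) for label, rate in rates.items() if rate > threshold_per_s]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # 60 s between snapshots and a 50/s threshold are illustrative choices.
    for label, rate in large_jumps(SNAPSHOT_T0, SNAPSHOT_T1, 60, 50):
        print(f"{label}: {rate:.1f}/s")
```

The same deltas can be taken from the polled ipFrag* and ipReasm* objects the message mentions instead of CLI captures.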
Re: [c-nsp] bgp router
On Fri, Jun 06, 2008 at 09:21:51AM -0700, bill fumerola wrote:

Why is it, btw, that IOS doesn't use both CPU kernels there? Or did I miss an IOS version that started doing that? (still on 12.3T here)

i believe the 2nd CPU can only be enabled for some very specific features: http://www.cisco.com/en/US/docs/routers/7300/install_and_upgrade/7301/7301_install_and_config_guide/5418c.html#wp1154543

%% The Cisco 7301 includes a dual-CPU-core BCM 1250. All Cisco IOS images for the Cisco 7301 platform use CPU-core 0. CPU-core 1 allows acceleration of specific feature sets via separately purchased special software. As of Cisco IOS Release 12.3(14)YM, multi-processor forwarding (MPF) accelerates the following broadband features: L2TP Access Concentrator (LAC), L2TP Network Server (LNS), and PPP Terminated Aggregation (PTA). Port adapters are not supported in the multi-processor forwarding (MPF) path on processor 1. %%

As stated in this letter: http://puck.nether.net/pipermail/cisco-nsp/2006-December/036864.html MPF support is discontinued in IOS.

[...]

there were murmurs of a team at cisco porting freebsd mips, which would have given native SMP support. however, all the people who were supposedly working on that no longer work for cisco (or now work in groups whose bailiwick is clearly not core OS coding). read into that what you will.

I suppose, You've heard not about Cisco, but about Juniper. They ported FreeBSD to MIPS and then donated MIPS code back to FreeBSD: http://www.freebsd.org/news/newsflash.html

25 December: Juniper Networks, Inc. (http://www.juniper.net) has donated a reference FreeBSD port to the MIPS architecture to The FreeBSD Project. This code will be used as one reference for creating an official project-supported FreeBSD/MIPS offering
Re: [c-nsp] bgp router
On Fri, Jun 06, 2008 at 09:04:05PM +0400, Alexandre Snarskii wrote:

I suppose, You've heard not about Cisco, but about Juniper.

no, i know what i said and it's accurate.

They ported FreeBSD to MIPS and then donated MIPS code back to FreeBSD: http://www.freebsd.org/news/newsflash.html 25 December: Juniper Networks, Inc. (http://www.juniper.net) has donated a reference FreeBSD port to the MIPS architecture to The FreeBSD Project. This code will be used as one reference for creating an official project-supported FreeBSD/MIPS offering

yeah, i know. :)

-- [EMAIL PROTECTED]
[c-nsp] cisco-nsp list being indexed by MarkMail
FYI. The cisco-nsp list and other list archives on the nether mail server are being indexed by MarkMail, which converts everything to XML and provides an interesting interface for searching the lists. I found this article that briefly describes MarkMail: http://findarticles.com/p/articles/mi_pwwi/is_200801/ai_n21184835 The MarkMail FAQ is here: http://markmail.org/docs/faq.xqy To see all nether lists being tracked by MarkMail: http://nether.markmail.org/search/?q= You can search the cisco-nsp list alone with this URL: http://markmail.org/list/net.nether.puck.cisco-nsp -Charles Charles E. Spurgeon / UTnet UT Austin ITS / Networking [EMAIL PROTECTED] / 512.475.9265
Re: [c-nsp] QoS VLAN trunk Port
Hi! Thanks for the hints. I will test it. Have a nice day, Ahmad
Re: [c-nsp] EnableLocalLAN don't work
Hello Julien:

-Original Message-
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of julien leroiso
Sent: Friday, June 06, 2008 7:19 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EnableLocalLAN don't work

Hello, I have a cisco 871 as VPN end-point. I need to access my local lan, when my vpn is up. I'm using vpn-client 5.0.01.0600 for Windows on XP. I tried to enable Allow local lan access but that don't work much. I found that I need to enable split tunneling. I found doc to do that on vpn concentrator or pix, but I did not found anything for simple routers. Any idea ?

crypto isakmp client configuration group GROUPNAME
 various other entries
 acl ACL NUMBER (150 in the example below)

So, let's say your local lan behind the router is 192.168.1.0/24 and your Pool range is 192.168.2.0/24, your acl would be:

access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

So, any traffic from 192.168.2.0/24 not going to 192.168.1.0/24 will go out the split-tunnel.

Regards, Mike
Re: [c-nsp] How to kill zombie administrative SSH session?
On Fri, 6 Jun 2008, Joann Deng wrote:

By default only 5 ssh sessions are allowed in a single context FWSM. If type show ssh sessions it looks like no session is active. But if type show resource usage resource ssh, see 5 current sessions:

FWSM1# show resource usage resource ssh
Resource    Current    Peak    Limit    Denied    Context
SSH               5       5        5       110    System
FWSM1#

Therefore can no longer access the FWSM via ssh. This is a bug, and can be fixed by upgrading. But is there a way to kill these zombie SSH sessions without upgrading the code or reboot FWSM?

No, unfortunately no other way. (of course if you have the failover pair you can make the one to be rebooted to become standby and avoid any impact, but I assume you have a single blade).

best regards, andrew
[c-nsp] NAT randomly stops after a few hours 1721/3550 vlan arrangement
SCENARIO: Customer was blaming us (service provider) for their IP phones (Linksys 942 models) resetting, sometimes in the middle of a call dropping both the call and their back of the phone connected PC. Customer's IT support/VAR was not aggressive in resolving the issue (we suspected some kind of LAN issue) and so, to prove it wasn't us we stepped a little bit beyond what we normally do ourselves at the customer location. We dropped in a 3550 SMI switch, set up VLANs and trunked to their 1721 where all DHCP activity is now happening via two DHCP pools. Devices appear to be showing up in the correct VLAN and are pulling DHCP from the right pools. Could not get the Linksys phones to talk through the VLAN/NAT combination (Polycom worked ok it seemed) so we temporarily dropped them onto a public IP scheme which is working fine - we will fix this once everything else is stable.

What is happening is that DNS resolution through NAT (and possibly other NAT translations) fails after several hours (or has twice). This is only affecting hosts/windows server on VLAN 1. Their Windows 2003 server acts as the DNS for their data network (it refers outside requests to ours). When this happens, customer's IT consultant can still remote terminal into their server (via static port mapping) but can't ping out of their network from it. Reloading the router restores service.

Customer is also complaining that data transfer speeds are much slower between devices on their LAN (they pass around a lot of CAD files).

I'm certain this must not be set up properly or we're missing something. any guidance is appreciated. RTP isn't breaking up so we didn't bother with priority queue settings on the switch. Error counts, drops and resets are ZERO on every single show int counters. I'd prefer not to go back to them and recommend the brute force fix of just physically separating the networks.
ROUTER SHOW VER RELEVANT OUTPUT: (note: I've been thinking about downgrading to a stable 12.3 release we like - 12.4(1a) can't be good ?)

Router#show ver
Cisco IOS Software, C1700 Software (C1700-IPBASE-M), Version 12.4(1a), RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
Router uptime is 5 hours, 34 minutes
System returned to ROM by reload at 17:29:46 UTC Fri Jun 6 2008
System restarted at 17:32:00 UTC Fri Jun 6 2008
System image file is flash:c1700-ipbase-mz.124-1a.bin
Cisco 1721 (MPC860P) processor (revision 0x500) with 58405K/7131K bytes of memory.
Processor board ID FOC09246Q0T (879918233), with hardware revision
MPC860P processor: part number 5, mask 2
1 Ethernet interface
1 FastEthernet interface
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

ROUTER CONFIGURATION:

version 12.4
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.0.254
ip dhcp excluded-address xx.xx.xx.97
ip dhcp excluded-address xx.xx.xx.98
ip dhcp excluded-address 10.0.0.1 10.0.0.10
ip dhcp excluded-address 10.0.0.100 10.0.0.110
!
ip dhcp pool phones
 network xx.xx.xx.96 255.255.255.224
 default-router xx.xx.xx.97
 dns-server xx.xx.xx.xx xx.xx.xx.xx
 option 66 ascii .x.com
 lease 30
!
ip dhcp pool data
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 10.0.0.100 [cust. Windows server]
 lease 30
!
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
!
class-map match-all smtp-filter
 match access-group 102
class-map match-all voip-sip
 match access-group 101
class-map match-all voip-rtp
 match access-group 100
!
!
policy-map voip
 class voip-rtp
  priority 960
 class voip-sip
  bandwidth 56
 class class-default
  fair-queue
policy-map inbound
 class smtp-filter
!
interface Ethernet0
 ip address xx.xx.xx.238 255.255.255.252
 ip nat outside
 load-interval 60
 full-duplex
 no cdp enable
 service-policy input inbound
 service-policy output voip
!
interface FastEthernet0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address xx.xx.xx.97 255.255.255.224
 no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.237
!
no ip http server
ip nat inside source list 10 interface Ethernet0 overload
ip nat inside source static tcp 10.0.0.100 25 interface Ethernet0 25
ip nat inside source static tcp 10.0.0.100 3389 interface Ethernet0 3389
ip nat inside source static tcp 10.0.0.100 443 interface Ethernet0 443
ip nat inside source static tcp 10.0.0.100 80 interface Ethernet0 80
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip any
Re: [c-nsp] NAT randomly stops after a few hours 1721/3550 vlan arrangement
Check show proc cpu hist after it happens. A 1721 should not be doing router on a stick for a 100Mb network. It can barely forward 12Mb/s Cef switched. Much less NAT, ACL, QOS, DHCP and whatever else it is doing. Make the 3550 a L3 switch, if you have to keep DHCP on the 1721 use DHCP forwarder, use a choke network. They can't forward stuff on their lan because of the router on a stick config. And open a TAC case.

On Fri, Jun 6, 2008 at 6:37 PM, Sean Shepard [EMAIL PROTECTED] wrote:
Re: [c-nsp] NAT randomly stops after a few hours 1721/3550 vlan arrangement
Cpu utilization is not averaging very high. We're not routing between the VLANs so router on a stick doesn't really apply does it? It's only 1-2 mbps in on the 10mbps Ethernet interface for their IP access and then parsed out to the appropriate VLAN via the FastEthernet sub-interfaces. Intra-(V)LAN traffic should stay on the 3550 unless headed out the gateway, yes? I see what you're saying about putting the 3550 in full L3 operation and using (I presume) ip helper-address looks like it can be configured on each VLAN.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Gristina
Sent: Friday, June 06, 2008 11:47 PM
To: Sean Shepard
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NAT randomly stops after a few hours 1721/3550 vlan arrangement