Re: [c-nsp] Cisco 2851 bug ?
Hi,

An IP Input spike is usually caused by abnormal 'IP input' traffic that gets punted to the RP from CEF for whatever reason. A very common cause is a broadcast storm. You can see what packet is holding the CPU with 'show buffers input-interface fa0/1'. However, you need to run this command during a real spike...

Pavel

On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert [EMAIL PROTECTED] wrote:

Is anyone aware of a bug or configuration that could cause a sudden spike in IP input?

uptime is 26 weeks, 3 days, 10 hours, 54 minutes
System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008
System restarted at 01:41:34 PST Tue Jan 8 2008
System image file is flash:c2800nm-ipbasek9-mz.124-17a.bin
Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory.

PID  Runtime(ms)  Invoked    uSecs  5Sec   1Min    5Min   TTY  Process
66   125056       2917547    42     0.00%  0.00%   0.00%  0    CDP Protocol
6728872876        373263867  77     0.08%  51.78%  47.36%  0    IP Input

Seattle-WAN 01:00:26 PM Friday Jul 11 2008 DST

[show processes cpu history graphs (CPU% per second for the last 60 seconds, CPU% per minute for the last 60 minutes, CPU% per hour for the last 72 hours; * = maximum CPU%, # = average CPU%) not reproduced: the ASCII charts were garbled in extraction.]

The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] giant packets troubleshooting
Just to be aware, there was a cosmetic bug on many Cisco platforms two years ago that classified all dot1q trunked frames as giants. The way to verify this is to look at whether you see giants on all trunk ports.

Pavel

On Tue, Jul 15, 2008 at 7:56 AM, Michalis Palis [EMAIL PROTECTED] wrote:

Hello all

I have some interfaces on my networks (gigabit / ethernet) which report a huge amount of giant packets. What is the cause of giant packets? Is there any methodology or any good document which details the way to troubleshoot giant packets?

All responses will be appreciated.
Re: [c-nsp] VRFs
sh ip route 209.212.66.1 ?

--
Respect,
Andy Oleynik

-----Original Message-----

R1#show ip route vrf priv

Routing Table: priv
Gateway of last resort is 209.212.66.1 to network 0.0.0.0

     209.212.64.0/29 is subnetted, 1 subnets
C       209.212.64.176 is directly connected, GigabitEthernet0/1.1000
S*   0.0.0.0/0 [1/0] via 209.212.66.1, GigabitEthernet0/1.1000

ip route 209.212.64.177 255.255.255.255 GigabitEthernet0/1.1000 209.212.64.177
ip route vrf priv 0.0.0.0 0.0.0.0 GigabitEthernet0/1.1000 209.212.66.1 global

interface GigabitEthernet0/1.1000
 description Priv VRF for MON T1/DSL
 encapsulation dot1Q 1000
 ip vrf forwarding priv
 ip address 209.212.64.177 255.255.255.248
 no ip redirects
 no cdp enable
Re: [c-nsp] giant packets troubleshooting
On one link, for example, where we have an etherchannel between a GSR and a 4510 switch, we see a lot of giant packets on the router side and no giant packets on the switch side.

----- Original Message -----
From: Pavel Skovajsa [EMAIL PROTECTED]
To: Michalis Palis [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Tuesday, July 15, 2008 9:09 AM
Subject: Re: [c-nsp] giant packets troubleshooting

[quoted reply and original question trimmed; see the messages above]
[c-nsp] Per session QoS - Train recommendations
With regards to per-session QoS, I came across a number of bugs in 12.2SB which forced me to move to 12.4M to continue using this; of course, in 12.4M sub-qos-policy isn't recognised and I reverted to the more familiar lcp:interface-config=service-policy directive.

Everything is happily using 12.4M now, but I have a desire to move back to 12.2 (possibly SRC now). Is anybody doing this in later SB or SRC and truly happy with the way it works?

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
Re: [c-nsp] giant packets troubleshooting
Dear Palis,

Check the interface MTU configuration and its default state on both sides.

Best regards,
--Ibrahim

On Tue, Jul 15, 2008 at 9:22 AM, Michalis Palis [EMAIL PROTECTED] wrote:

On one link, for example, where we have an etherchannel between a GSR and a 4510 switch, we see a lot of giant packets on the router side and no giant packets on the switch side.

[rest of quoted thread trimmed; see the messages above]
Re: [c-nsp] Crypto map + traffic via ip route vrf ... global
Make sure the traffic enters the VRF correctly via an ISAKMP profile. Check the following quickly hacked example:

Given that the peers are directly connected on their outside interfaces with a 192.0.2.0/24 network. If not, adjust the peer IPs and add a default route in the global routing table. No routes *into* the VRF are needed, just an outgoing route for the destination network, pointing out into the global table, encrypted or not. Given that 10.10.10.0/24 is behind the 7200 and 10.20.20.0/24 is behind the ASA/other peer.

!
ip vrf A-vrf
 rd 1:1
!
crypto keyring A-keyring
  pre-shared-key address 192.0.2.2 key very-private-key
!
crypto isakmp policy 25
 encr 3des
 hash sha
 authentication pre-share
!
crypto isakmp profile A-profile
   vrf A-vrf
   keyring A-keyring
   match identity address 192.0.2.2 255.255.255.255
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto map vamtest 25 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set 3dessha
 set isakmp-profile A-profile
 match address A-acl
!
interface GigabitEthernet0/1
 description OUTSIDE interface
 ip address 192.0.2.1 255.255.255.0
 crypto map vamtest
!
interface GigabitEthernet0/2.2081
 description INSIDE VRF interface
 encapsulation dot1Q 2081
 ip vrf forwarding A-vrf
 ip address 172.16.10.1 255.255.255.0
!
ip route vrf A-vrf 10.10.10.0 255.255.255.0 172.16.10.2
ip route vrf A-vrf 10.20.20.0 255.255.255.0 GigabitEthernet0/1 192.0.2.2 global
!
ip access-list extended A-acl
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255

mvh,
Stig Meireles Johansen
Seniorkonsulent
__
Ementor Norge AS, Brynsalleen 2, BOX 6472 Etterstad, N-0605 Oslo
Tel +47 22 09 50 00, Direkte +47 24 09 96 94
[EMAIL PROTECTED]
www.ementor.no

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: 15. juli 2008 02:46
To: cisco-nsp
Subject: [c-nsp] Crypto map + traffic via ip route vrf ... global

Hi,

I have a strange-ish problem. I've configured an IPSec tunnel between a 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4).

For some reason traffic only gets encrypted ASA -> 7200, not the other way. The traffic that doesn't get encrypted comes from a VRF Lite subinterface on the back of the 7200. This VRF has a static 0/0 route with a global next hop, and the global table has a static route pointing the other way.

Traffic can go from behind the ASA to behind the 7200 with no problems. Traffic from behind the 7200 doesn't get encrypted for some reason, including replies to ICMP echoes that came in encrypted. And the 7200 doesn't initiate a tunnel either.

Could it be because I can't make the crypto map work for the "ip route vrf ... global" traffic? The configuration works fine when the host behind the 7200 isn't in a VRF, but the 7200 being software based I thought this wouldn't be a problem.

Configuration at the bottom, with Host X behind the 7200 and Host Y behind the ASA. Host X is not directly connected to the 7200, but behind another router. Traffic is routed with no problems, so it's only the encryption that's missing. (The ASA complains about it in logs and I can see it with tcpdump.)

The 7200 creates the IPSec SA, but only the decaps counter goes up:

vamtest#sh cry ips sa

interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr [7200-outside]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
   current_peer [ASA-outside] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [7200-outside], remote crypto endpt.: [ASA-outside]
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xA9F53FD7(2851422167)

     inbound esp sas:
      spi: 0x4FC8A681(1338549889)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: VAM2:2, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511451/1957)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA9F53FD7(2851422167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: VAM2:1, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511454/1955)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
vamtest#

Debug (crypto ipsec + crypto isakmp + errors for both) says nothing
[c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
Hi,

Maybe some of you have noted once the maximum value (number) that a Cisco ACL can match, let's say for flooding packets. For example:

deny tcp any any eq 1434 (5732 matches)

Since I have a problem with a 7200 NPE-G1, the huge traffic cannot be detected/matched by the ACL.

Thanks for sharing if you will.

a. rahman isnaini r.sutan
Re: [c-nsp] Shape an L3 interface to 100mbit
On Tue, 2008-07-15 at 21:57 +1000, Kurt Bales wrote:

I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex. I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc. caused by policing. What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G?

You could use shaped SRR:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_35_se/configuration/guide/swqos.html
http://tinyurl.com/6y8qer

Since the buffers on the 3560G probably aren't that big, you could run into trouble, but it's the simplest way to do it.

If the policing is giving you trouble, you could ask them to adjust burst sizes and things like that until you were satisfied.

Regards,
Peter
Re: [c-nsp] giant packets troubleshooting
If you have a high MTU such as 9180 on that interface, and packets exceed 1500, the counters will increment.

On Tue, Jul 15, 2008 at 1:56 AM, Michalis Palis [EMAIL PROTECTED] wrote:

[original question trimmed; see the message above]

--
^christian$
[c-nsp] Traffic on IPSec Tunnel btw Pix and Router
Hi all,

I configured a tunnel between a PIX and a router. The traffic goes to the PIX but there is no return. I see only encaps on the router and decaps on the PIX. Is anything missing?

Tks

Router output and config:

TEHTCVPNRT01#sh cry ip sa

interface: GigabitEthernet0/1
    Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 180.200.200.141, remote crypto endpt.: 200.150.180.62
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xEA23924(245512484)

     inbound esp sas:
      spi: 0x2E3660C5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429641/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429640/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
!
crypto map ra-L2L-vpn 2 ipsec-isakmp
 set peer 200.150.180.62
 set transform-set aessha-pixrtr
 match address 120
 reverse-route
!
interface GigabitEthernet0/1
 ip address 180.200.200.141 255.255.255.192
 crypto map ra-L2L-vpn
!
access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255

++ PIX output and config:

   local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.150.180.62, remote crypto endpt.: 180.200.200.141
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 2e3660c5

     inbound esp sas:
      spi: 0xea23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4607999/3478)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2e3660c5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4608000/3478)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

ip address outside 200.150.180.62 255.255.255.224
ip address inside 10.139.1.111 255.255.255.0
access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
nat (inside) 0 access-list L2Lnonat
route outside 10.180.0.0 255.255.0.0 180.200.200.141 1
sysopt connection permit-ipsec
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map L2L 1 ipsec-isakmp
crypto map L2L 1 match address L2L
crypto map L2L 1 set peer 180.200.200.141
crypto map L2L 1 set transform-set aessha-pixrtr
crypto map L2L interface outside
isakmp enable outside
isakmp key L2L address 180.200.200.141 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
Re: [c-nsp] Shape an L3 interface to 100mbit
> If the policing is giving you trouble, you could ask them to adjust burst sizes and things like that until you were satisfied.

The problem you get with this is that when you police for delay-sensitive traffic (small Tc) your TCP slow start will get into trouble, and when you police for TCP (large Tc) your delay-sensitive traffic gets into trouble. Shaping with a low Tc is IMHO the best option.

Regards,
Dirk-Jan
[c-nsp] ASA Question - Antivirus
Hi folks...

We have a customer looking for a new firewall, but it must have antivirus on it. The AV cannot be on the fly specifically but on the desktop. Their current solution forces their desktops to have a specific antivirus agent installed and updated. This is something similar to the NAC solution today.

I'm looking at the Cisco ASA 5520 Appliance Content Security Edition Bundle (includes CSC-SSM-10, 50-user antivirus/anti-spyware license with 1-year subscription service*, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces, and 1 Fast Ethernet interface), ASA5520-CSC10-K9.

Does anyone know how the antivirus/antispyware works on these? I've read through numerous marketing materials but it's not clear whether this is all done on the fly or if it's desktop agent based?

Thanks in advance,

Paul Stewart
Re: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
On Tue, 2008-07-15 at 10:19 -0300, Everton Diniz wrote:

Hi all, I configured a tunnel between a PIX and a router. The traffic goes to the PIX but there is no return. I see only encaps on the router and decaps on the PIX. Is anything missing?

Are you sure the host in the other end is actually responding, and that this response goes towards the PIX? As far as I can see there's nothing wrong with the configuration. (I may be wrong, cf. my last mail to this list. :-))

What happens if you try to trace from the 10.139.1.0/24 host to something in 10.180.0.0/16? Do you get to the PIX (i.e. can you see the connection in the logs)?

Regards,
Peter
Re: [c-nsp] ASA Question - Antivirus
Paul Stewart wrote:

Does anyone know how the antivirus/antispyware works on these? I've read through numerous marketing materials but it's not clear whether this is all done on the fly or if it's desktop agent based?

[rest of quoted question trimmed; see the original message above]

Hi Paul,

It is done on the fly. We have a few educational customers using CSC-SSM-20s in ASA5520s as another layer of defence in addition to PC-based antivirus. The CSC-SSMs are basically card-based servers (running Linux) integrated into the ASA via GigE. Be careful to get the correct module for the traffic mix you intend to run through it though:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.pdf

Rich.

--
Network Operations
Exa Networks Ltd :: AS30740
[c-nsp] 2621xm vs 1800?
Hi there...

We have some remote sites with 2621XMs running today. These routers are doing PPPoE termination primarily for 40-60 users. The 2621XM is handling the load just fine; however, we've been having random problems with them lately and wanted to swap out the 2621XM for a different, more current model to see if the problem goes away (traffic just stops passing on the FE interfaces after a few weeks - tried multiple IOS versions - happening at several sites).

My question is whether or not an 1841 would be a downgrade or an upgrade for PPS and overall load? Or should we just bite the bullet and get 2801s instead?

Thanks,

Paul
Re: [c-nsp] Cisco 2851 bug ?
Or you could load the new 12.4(20)T and set up a packet capture on the punt path. ;)

rtp-rodunn-871#monitor capture point ip process-switched test in ?
  <cr>
rtp-rodunn-871#monitor capture point ip process-switched rodney in
rtp-rodunn-871#monitor capture buffer pakdump ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)
  <cr>
rtp-rodunn-871#monitor capture buffer pakdump

Start the capture and export it to pcap. ;)

This is new functionality in 12.4(20)T so we've got some enhancements to add to it.

Rodney

On Tue, Jul 15, 2008 at 08:06:26AM +0200, Pavel Skovajsa wrote:

[quoted reply and original question trimmed; see the messages above]
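Once the capture buffer has been exported to pcap, the question from the start of the thread remains: which packets are being punted? The script below is an added example (not code from the thread, and not a Cisco tool) that reads a classic libpcap file such as the one 'monitor capture buffer ... export' writes and counts punted packets per source, destination and IP protocol, plus the share of Ethernet broadcasts, so a broadcast storm or a single chatty host stands out. The capture bytes at the bottom are constructed inline (a hypothetical small broadcast storm, not a real capture from the thread) so it runs offline; it assumes Ethernet link-layer framing and does not handle pcapng.

```python
"""Summarise a pcap exported from an IOS 'monitor capture' buffer.

Added example, not code from the thread or from Cisco. It reads a classic
libpcap file and counts punted packets per (source, destination, protocol)
and the share of Ethernet broadcasts. The sample capture at the bottom is
constructed inline so the script runs offline.
"""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:          # file written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:        # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("expected DLT_EN10MB (Ethernet) frames")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_ipv4(frame):
    """Return (src, dst, proto, is_broadcast) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4:          # ethertype says IPv4 but the header does not
        return None
    is_broadcast = frame[0:6] == b"\xff" * 6
    proto = frame[23]                # IP header byte 9: protocol
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, proto, is_broadcast


def summarise(data, top_n=3):
    """Count punted packets per flow; return totals, broadcast count, average pps and top flows."""
    flows = Counter()
    first = last = None
    total = broadcast = 0
    for ts, frame in parse_pcap(data):
        first = ts if first is None else first
        last = ts
        total += 1
        hdr = decode_ipv4(frame)
        if hdr is None:
            continue                 # non-IPv4 (ARP, CDP, ...) still counts toward total
        src, dst, proto, is_broadcast = hdr
        broadcast += is_broadcast
        flows[(src, dst, PROTO_NAMES.get(proto, str(proto)))] += 1
    span = (last - first) if total > 1 else 0.0
    pps = total / span if span > 0 else float(total)
    return {"total": total, "broadcast": broadcast, "pps": pps, "top": flows.most_common(top_n)}


# --- constructed sample capture (hypothetical, not a capture from the thread) ---------

def _frame(src, dst, proto, dst_mac=b"\x00\x11\x22\x33\x44\x55"):
    """Minimal Ethernet + IPv4 frame with 8 bytes of zero payload; checksums left at 0."""
    eth = dst_mac + b"\x00\xaa\xbb\xcc\xdd\xee" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + b"\x00" * 8


def _pcap(frames, interval=0.25, t0=1215700000):
    """Wrap frames in a little-endian classic pcap file, one frame every `interval` seconds."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        ts = t0 + i * interval
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(f), len(f)) + f)
    return b"".join(out)


# six UDP broadcasts from one host plus two TCP packets: a small broadcast storm
SAMPLE_PCAP = _pcap(
    [_frame("10.1.1.5", "255.255.255.255", 17, dst_mac=b"\xff" * 6)] * 6
    + [_frame("192.0.2.10", "10.1.1.1", 6)] * 2
)

if __name__ == "__main__":
    report = summarise(SAMPLE_PCAP)
    print("punted packets: %d (%.1f pps), %d Ethernet broadcasts"
          % (report["total"], report["pps"], report["broadcast"]))
    for (src, dst, proto), n in report["top"]:
        print("  %-16s -> %-16s %-5s %d" % (src, dst, proto, n))
```

On a real export, replace SAMPLE_PCAP with the file contents (open(path, "rb").read()); the per-flow table then tells you whether the punts are a broadcast storm, a single host, or a protocol the router has to process-switch (for instance packets with IP options or a TTL of 1) before you go looking for a bug.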
Re: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
There is no limit to the number of times the ACL will match and drop. The counter, depending on how it's defined in the code, may wrap, but that should never impact the ACL from matching and dropping/permitting.

Rodney

On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:

[quoted question trimmed; see the original message above]
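The practical consequence of a wrapping match counter is for whoever polls 'show access-lists' to measure a flood: a plain new-minus-old delta goes negative the moment the counter wraps. The script below is an added example (not code from the thread or from Cisco) that parses the '(N matches)' suffix IOS prints and computes per-ACE match rates between two polls with the difference taken modulo the counter width. It assumes a 32-bit unsigned counter, which the thread does not confirm (Rodney only says the counter "may wrap"); change `width` if your platform differs. The two snapshots are constructed sample output, not from the thread.

```python
"""Match rate from IOS ACL counters, tolerating counter wrap.

Added example, not code from the thread. It parses the '(N matches)' suffix
that 'show access-lists' prints and computes the per-ACE match rate between
two polls. A fixed-width unsigned counter wraps to zero on a busy entry, so a
plain 'new - old' goes negative; the difference modulo 2**width recovers the
true count as long as fewer than 2**width matches happened between polls,
the same trick used for SNMP Counter32 interface statistics. The counter
width is assumed to be 32 bits; the thread does not say.
"""
import re

# optional sequence number, the ACE text, then "(N match)" or "(N matches)"
ACE_RE = re.compile(r"^\s*(?:(\d+)\s+)?(.+?)\s+\((\d+) match(?:es)?\)\s*$")


def parse_access_list(text):
    """Map each ACE (without its sequence number) to its displayed match count."""
    counts = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            _seq, ace, n = m.groups()
            counts[ace] = int(n)
    return counts


def counter_delta(old, new, width=32):
    """Increase of an unsigned `width`-bit counter, correct across a single wrap."""
    return (new - old) % (1 << width)


def match_rates(snap_old, snap_new, interval_s, width=32):
    """Per-ACE matches per second between two snapshots taken interval_s apart."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    rates = {}
    for ace, new in snap_new.items():
        old = snap_old.get(ace)
        if old is None:
            continue          # ACE added between polls: no baseline yet
        rates[ace] = counter_delta(old, new, width) / interval_s
    return rates


def flood_suspects(rates, threshold_pps):
    """ACEs whose match rate exceeds threshold_pps, busiest first."""
    return sorted((ace for ace, r in rates.items() if r > threshold_pps),
                  key=lambda ace: rates[ace], reverse=True)


# constructed 'show access-lists' output, taken 10 seconds apart (not from the thread)
SNAP_T0 = """\
Extended IP access list 101
    10 permit tcp any any eq 22 (5732 matches)
    20 deny tcp any any eq 1434 (4294967200 matches)
    30 permit ip any any (100 matches)
"""
SNAP_T1 = """\
Extended IP access list 101
    10 permit tcp any any eq 22 (5832 matches)
    20 deny tcp any any eq 1434 (904 matches)
    30 permit ip any any (100 matches)
"""

if __name__ == "__main__":
    rates = match_rates(parse_access_list(SNAP_T0), parse_access_list(SNAP_T1), 10)
    for ace, r in rates.items():
        print("%-32s %8.1f pps" % (ace, r))
    print("flood suspects:", flood_suspects(rates, 50))
```

In the sample the 1434 entry went from 4294967200 to 904 between polls: a naive subtraction says -4294966296, while the modular delta gives 1000 matches, i.e. 100 pps. The modular delta is also wrong if more than 2**width matches occur between polls, so poll often enough for the traffic you expect.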
Re: [c-nsp] Cisco 2851 bug ?
Hi Rodney,

Is that safe to do even if the traffic rate and/or CPU is high? Looks like a nice feature.

Paul.

Rodney Dunn wrote:

[quoted thread trimmed; see Rodney's message above]
Re: [c-nsp] Shape an L3 interface to 100mbit
Hi there,

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swqos.html

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Bales
Sent: 15. juli 2008 13:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Shape an L3 interface to 100mbit

Hey Guys,

I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex. I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc. caused by policing.

What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G? The speed of this link could change in the near future (over the next couple of days) so I would prefer to use QoS rules to apply shaping to this interface as opposed to forcing the interconnect to 100/Full (which would be of no use if the link changed to 250mb).

Regards,
K.
[c-nsp] SIP/SPA support for 6500
What SIP/SPA modules are actually supported in the 6500 running SXH2? The release notes only list the SIP-400; however, the SIP-600 lists support for SXF and higher in 7600 and 6500 chassis.

SPA-1XOC48-POS/RPR is listed in the release notes and requires a SIP-400. SPA-2XOC48-POS/RPR and SPA-4XOC48-POS/RPR require the SIP-600. Are the higher port density SPAs actually supported or not?

SPA-OC192POS-XFP lists the 6500 as compatible. SPA-1XTENGE-XFP lists the 6500 as compatible. SPA-1X10GE-L-V2 does not have the 6500 listed as compatible. Is the newer 10GE SPA card actually supported, or have the BU wars caused the SIP/SPA support to be frozen in the 6500?

The ES20 of course doesn't list the 6500 and I doubt it will ever get that support. Someone can correct me if they believe otherwise.

--
LR Mack McBride
Network Administrator
Alpha Red, Inc.
Re: [c-nsp] 2621xm vs 1800?
Very much an upgrade judging from the following table. More than double the PPS/Mbps for Fast/CEF switched packets:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Would be interesting to know the cause of the issue though,

Paul.

Paul Stewart wrote:
> Hi there...
>
> We have some remote sites with 2621XM's running today. These routers are doing PPPoE termination primarily for 40-60 users. The 2621XM is handling the load just fine; however, we've been having random problems with them lately and wanted to swap out the 2621XM for a different, more current model to see if the problem goes away (traffic just stops passing on the FE interfaces after a few weeks - tried multiple IOS versions - happening at several sites).
>
> My question is whether or not an 1841 would be a downgrade or an upgrade for PPS and overall load? Or should we just bite the bullet and get 2801's instead?
>
> Thanks,
>
> Paul

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301
Please consider the environment before printing this e-mail.
Re: [c-nsp] 2621xm vs 1800?
Thanks... that's actually the document I was looking for ;)

Our theory to date on the issues with the 2621XM's is possibly the vendor itself and the memory they have been using. We have had a number of problems with a particular batch of them purchased a while ago and the 3rd party memory they are using specifically (we use 3rd party all the time with great success normally). Want to swap one of the sites that is having repeated issues and prove it's in the router somewhere or in the next hop device (wireless backhaul).

Thanks,

Paul

-----Original Message-----
From: Paul Cosgrove [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2008 2:50 PM
To: Paul Stewart
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 2621xm vs 1800?

Very much an upgrade judging from the following table. More than double the PPS/Mbps for Fast/CEF switched packets:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Would be interesting to know the cause of the issue though,

Paul.

Paul Stewart wrote:
> Hi there...
>
> We have some remote sites with 2621XM's running today. These routers are doing PPPoE termination primarily for 40-60 users. The 2621XM is handling the load just fine; however, we've been having random problems with them lately and wanted to swap out the 2621XM for a different, more current model to see if the problem goes away (traffic just stops passing on the FE interfaces after a few weeks - tried multiple IOS versions - happening at several sites).
>
> My question is whether or not an 1841 would be a downgrade or an upgrade for PPS and overall load? Or should we just bite the bullet and get 2801's instead?
>
> Thanks,
>
> Paul
[c-nsp] Private VLANS w/ Promiscuous port a trunk port?
Hello all,

I am trying to figure out if the following will work:

Have a 6500 w/ sup2/msfc2 Native IOS. Would like to configure some ports as Isolated Private VLAN ports. These Isolated ports need to only speak to a 802.1q trunk port I have. I believe I can't configure this 802.1q trunk port as a .1q trunk and a Promiscuous port (switchport mode private-vlan promiscuous) at the same time (it's either switchport mode trunk or switchport mode private-vlan promiscuous - not both). The .1q trunk port will carry lots of other VLANs. Behind this .1q trunk port will be the L3 device responsible for the L3 portion of the Private VLAN. I need to make sure the Private VLAN can talk to the L3 device behind the .1q trunk port... The .1q trunk port is kind of like a router-on-a-stick.

! VID 100 Private VLAN
! VID 101 Isolated VLAN
vlan 100
 private-vlan primary
vlan 101
 private-vlan isolated
vlan 100
 private-vlan association 101

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-200
 switchport mode trunk
 no ip address
 load-interval 30
 spanning-tree portfast trunk

interface GigabitEthernet1/2
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast

Will something like that work?

Cheers,
RR
Re: [c-nsp] Private VLANS w/ Promiscuous port a trunk port?
I am not sure I am correct, but I thought the 'other' side of the trunk had to support PVLANs as well... can anyone clarify if that's wrong or right?

ck

On Tue, Jul 15, 2008 at 3:37 PM, Rafael Rodriguez [EMAIL PROTECTED] wrote:
> Hello all,
>
> I am trying to figure out if the following will work:
>
> Have a 6500 w/ sup2/msfc2 Native IOS. Would like to configure some ports as Isolated Private VLAN ports. These Isolated ports need to only speak to a 802.1q trunk port I have. I believe I can't configure this 802.1q trunk port as a .1q trunk and a Promiscuous port (switchport mode private-vlan promiscuous) at the same time (it's either switchport mode trunk or switchport mode private-vlan promiscuous - not both). The .1q trunk port will carry lots of other VLANs. Behind this .1q trunk port will be the L3 device responsible for the L3 portion of the Private VLAN. I need to make sure the Private VLAN can talk to the L3 device behind the .1q trunk port... The .1q trunk port is kind of like a router-on-a-stick.
>
> ! VID 100 Private VLAN
> ! VID 101 Isolated VLAN
> vlan 100
>  private-vlan primary
> vlan 101
>  private-vlan isolated
> vlan 100
>  private-vlan association 101
>
> interface GigabitEthernet1/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 100-200
>  switchport mode trunk
>  no ip address
>  load-interval 30
>  spanning-tree portfast trunk
>
> interface GigabitEthernet1/2
>  switchport
>  switchport mode private-vlan host
>  switchport private-vlan host-association 100 101
>  spanning-tree portfast
>
> Will something like that work?
>
> Cheers,
> RR

--
^christian$
Re: [c-nsp] Shape an L3 interface to 100mbit
I'd love to know this too. I'm not too great on QoS yet. Any simple examples for a simple shaping policy? i.e. all traffic down to a certain amount, inbound or perhaps outbound.

...Skeeve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stig Johansen
Sent: Wednesday, 16 July 2008 2:40 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Shape an L3 interface to 100mbit

Hi there,

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swqos.html

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Bales
Sent: 15. juli 2008 13:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Shape an L3 interface to 100mbit

Hey Guys,

I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex. I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc. caused by policing.

What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G? The speed of this link could change in the near future (over the next couple of days) so I would prefer to use QoS rules to apply shaping to this interface as opposed to forcing the interconnect to 100/Full (which would be of no use if the link changed to 250mb).

Regards,
K.
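As an added illustration of why Kurt wants to shape before the upstream policer (this is not code from the thread or from Cisco): a token-bucket simulation in Python that pushes the same line-rate burst through a policer and through a shaper with the same committed rate. The policer drops every packet that finds the bucket empty; the shaper queues it and releases it once tokens have accrued, so the burst arrives at the upstream already conforming. The rates, bucket depth, burst size and queue limit are assumed values chosen for the example.

```python
"""Shaper vs policer on the same burst (added example, not from the thread).

Models the thread's situation: traffic leaves a GigE port in line-rate
bursts and hits an upstream that polices at 100 Mbit/s. Exact rational
arithmetic keeps the token accounting free of floating-point drift.
All rates, bucket depths, burst sizes and the queue limit are assumptions.
"""
from collections import deque
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

Packet = Tuple[Fraction, int]  # (arrival time in seconds, size in bytes)


class TokenBucket:
    """Single token bucket: tokens are bits, refilled at rate_bps up to depth."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps = rate_bps
        self.depth = burst_bytes * 8
        self.tokens = Fraction(self.depth)   # starts full
        self.last_t = Fraction(0)

    def refill(self, now: Fraction) -> None:
        earned = (now - self.last_t) * self.rate_bps
        self.tokens = min(Fraction(self.depth), self.tokens + earned)
        self.last_t = now


def line_rate_burst(n: int, size_bytes: int, line_rate_bps: int) -> List[Packet]:
    """n back-to-back packets of size_bytes sent at the physical line rate."""
    gap = Fraction(size_bytes * 8, line_rate_bps)
    return [(i * gap, size_bytes) for i in range(n)]


def police(packets: List[Packet], rate_bps: int, bc_bytes: int) -> Dict[str, int]:
    """Policer: a packet that finds too few tokens is dropped on the spot."""
    tb = TokenBucket(rate_bps, bc_bytes)
    sent = dropped = 0
    for t, size in packets:
        tb.refill(t)
        if tb.tokens >= size * 8:
            tb.tokens -= size * 8
            sent += 1
        else:
            dropped += 1
    return {"sent": sent, "dropped": dropped}


def shape(packets: List[Packet], rate_bps: int, bc_bytes: int,
          queue_limit: Optional[int] = None) -> Dict[str, object]:
    """Shaper: a packet short of tokens waits (FIFO) until enough have accrued.

    Only a full queue (queue_limit packets still waiting) causes a drop, which
    is why shaping ahead of a policer trades loss for delay.
    """
    tb = TokenBucket(rate_bps, bc_bytes)
    pending: deque = deque()       # release times of packets still queued
    last_release = Fraction(0)
    sent = dropped = 0
    max_delay = Fraction(0)
    for t, size in packets:
        while pending and pending[0] <= t:   # packets already released by now
            pending.popleft()
        if queue_limit is not None and len(pending) >= queue_limit:
            dropped += 1                     # tail drop: queue is full
            continue
        release = max(t, last_release)       # FIFO: never overtake the packet ahead
        tb.refill(release)
        shortfall = size * 8 - tb.tokens
        if shortfall > 0:
            release += Fraction(shortfall, rate_bps)   # wait for the missing tokens
            tb.refill(release)
        tb.tokens -= size * 8
        last_release = release
        pending.append(release)
        sent += 1
        max_delay = max(max_delay, release - t)
    return {"sent": sent, "dropped": dropped, "max_delay_s": max_delay}


if __name__ == "__main__":
    burst = line_rate_burst(100, 1500, 1_000_000_000)   # 150 kB burst at GigE rate
    print("policer:", police(burst, 100_000_000, 15000))
    shaped = shape(burst, 100_000_000, 15000)
    print("shaper :", shaped, "max delay ms:", float(shaped["max_delay_s"] * 1000))
```

With a 15000-byte bucket, the policer passes 19 of the 100 packets and drops the rest, while the unlimited shaper delivers all 100 with a worst-case delay of about 9.6 ms. Giving the shaper a queue limit shows the other side of the trade: once the queue fills it tail-drops too, just far less than the policer.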
Re: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
Thanks Rodney.

Other thing, though the ACL matches thousands of hits at once... the log couldn't show this (log buffer has been set to 4096 x 2).

a. rahman isnaini r.sutan

Rodney Dunn wrote:
> There is no limit to the number of times the ACL will match and drop. The counter depending on how it's defined in the code may wrap but that should never impact the ACL from matching and dropping/permitting.
>
> Rodney
>
> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
>> Hi,
>>
>> Might be some you have noted once, the maximum value (number) that Cisco ACL can match, let's say flooding packets. Here: deny tcp any any eq 1434 (5732 matches), for example. Since I have a problem with 7200 NPE G1, the huge traffic cannot be detected/matched by ACL.
>>
>> thanks for sharing if you will.
>>
>> a. rahman isnaini r.sutan
Re: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
If the router is subject to enough traffic where thousands of ACL hits are happening per second, you DON'T want to have any entries of that ACL logging. It's terrible for performance.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of a. rahman isnaini r.sutan
Sent: Tuesday, July 15, 2008 10:05 PM
To: Rodney Dunn
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.

Thanks Rodney.

Other thing, though the ACL matches thousands of hits at once... the log couldn't show this (log buffer has been set to 4096 x 2).

a. rahman isnaini r.sutan

Rodney Dunn wrote:
> There is no limit to the number of times the ACL will match and drop. The counter depending on how it's defined in the code may wrap but that should never impact the ACL from matching and dropping/permitting.
>
> Rodney
>
> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
>> Hi,
>>
>> Might be some you have noted once, the maximum value (number) that Cisco ACL can match, let's say flooding packets. Here: deny tcp any any eq 1434 (5732 matches), for example. Since I have a problem with 7200 NPE G1, the huge traffic cannot be detected/matched by ACL.
>>
>> thanks for sharing if you will.
>>
>> a. rahman isnaini r.sutan
[c-nsp] Cisco MMPPP
Dear ciscoers,

Let's say we have a scenario to bring up multiple PPP sessions for our customer to increase bandwidth to the internet. At the moment we only have access to the LNS; is it possible to have MMPPP for our customer, or is there something to do with the LAC? Any reference? Here is the layout:

u    /-3.5g service---PPP---LAC---LNS1--|
s   /                                   |___internet
e   \                                   |
r    \-cdma service--PPP---LAC---LNS2---|

regards
Igun
Re: [c-nsp] Cisco MMPPP
The LAC is pretty irrelevant; you need to configure MMPPP capabilities on your LNSs, which means an sgbp group on your LNSs for the multichassis part and ppp multilink under your virtual template for the MPPP side of things.

I noticed your topology is using 2 separate wireless services to provide the bundle. One word of warning: if the bundles are out of sync (speed and latency wise) you will see very poor performance and you are better off load balancing with a routing protocol and/or CEF.

Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:
> Dear ciscoers,
>
> Let's say we have a scenario to bring up multiple PPP sessions for our customer to increase bandwidth to the internet. At the moment we only have access to the LNS; is it possible to have MMPPP for our customer, or is there something to do with the LAC? Any reference? Here is the layout:
>
> u    /-3.5g service---PPP---LAC---LNS1--|
> s   /                                   |___internet
> e   \                                   |
> r    \-cdma service--PPP---LAC---LNS2---|
>
> regards
> Igun
Re: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
Hi Charles,

Depends on the engine processor. Our G1 can handle this; it's just that the router does not show it in the log (we saved to a syslog-ng server).

rgs
a. rahman isnaini r.sutan

Church, Charles wrote:
> If the router is subject to enough traffic where thousands of ACL hits are happening per second, you DON'T want to have any entries of that ACL logging. It's terrible for performance.
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of a. rahman isnaini r.sutan
> Sent: Tuesday, July 15, 2008 10:05 PM
> To: Rodney Dunn
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
>
> Thanks Rodney.
>
> Other thing, though the ACL matches thousands of hits at once... the log couldn't show this (log buffer has been set to 4096 x 2).
>
> a. rahman isnaini r.sutan
>
> Rodney Dunn wrote:
>> There is no limit to the number of times the ACL will match and drop. The counter depending on how it's defined in the code may wrap but that should never impact the ACL from matching and dropping/permitting.
>>
>> Rodney
>>
>> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
>>> Hi,
>>>
>>> Might be some you have noted once, the maximum value (number) that Cisco ACL can match, let's say flooding packets. Here: deny tcp any any eq 1434 (5732 matches), for example. Since I have a problem with 7200 NPE G1, the huge traffic cannot be detected/matched by ACL.
>>>
>>> thanks for sharing if you will.
>>>
>>> a. rahman isnaini r.sutan
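An added example, not from the thread, for the two points made above: Rodney's note that the match counter can wrap without affecting matching, and Chuck's warning about 'log' on a busy ACE. The Python below parses two "show access-lists" snapshots taken a known interval apart, computes wrap-safe hit deltas and per-ACE rates, and flags logging ACEs that are matching faster than a threshold. The ACL text is constructed for illustration (the 1434 entry echoes the one quoted in the thread); the 32-bit counter width and the 10 pps threshold are assumptions.

```python
"""Wrap-safe ACL hit-rate monitoring (added example, not from the thread).

BEFORE and AFTER are constructed 'show access-lists' snapshots taken
INTERVAL_S seconds apart. The counter width (assumed 32-bit) and the
rate threshold are assumptions made for the example.
"""
import re
from typing import Dict, List, Tuple

INTERVAL_S = 10

BEFORE = """\
Extended IP access list 110
    10 deny tcp any any eq 1434 (5732 matches)
    20 deny udp any any eq 1434 log (4294967200 matches)
    30 permit ip any any (88123 matches)
"""
AFTER = """\
Extended IP access list 110
    10 deny tcp any any eq 1434 (5732 matches)
    20 deny udp any any eq 1434 log (250 matches)
    30 permit ip any any (90123 matches)
"""

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)")
# Optional sequence number, the ACE text, optional "(N matches)" suffix.
ACE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<ace>(?:permit|deny)\b.*?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)
LOG_KW = re.compile(r"\blog(?:-input)?\b")

Key = Tuple[str, str]   # (ACL name, ACE text)


def parse_acl(text: str) -> Dict[Key, int]:
    """Map each ACE to its match counter (0 when IOS prints no counter)."""
    counters: Dict[Key, int] = {}
    name = None
    for line in text.splitlines():
        h = ACL_HEADER.match(line)
        if h:
            name = h["name"]
            continue
        m = ACE.match(line)
        if m and name is not None:
            counters[(name, m["ace"])] = int(m["hits"] or 0)
    return counters


def counter_delta(before: int, after: int, bits: int = 32) -> int:
    """Hits between two samples, correct even if the counter wrapped once."""
    return (after - before) % (1 << bits)


def hit_rates(before_text: str, after_text: str, interval_s: float,
              bits: int = 32) -> List[Dict[str, object]]:
    """Per-ACE hit delta and packets-per-second between the two snapshots."""
    before = parse_acl(before_text)
    rows = []
    for (acl, ace), now in parse_acl(after_text).items():
        delta = counter_delta(before.get((acl, ace), 0), now, bits)
        rows.append({
            "acl": acl,
            "ace": ace,
            "delta": delta,
            "pps": delta / interval_s,
            "logging": bool(LOG_KW.search(ace)),
        })
    return rows


def logging_aces_over(before_text: str, after_text: str, interval_s: float,
                      max_pps: float = 10.0) -> List[Dict[str, object]]:
    """ACEs carrying 'log' that match faster than max_pps.

    Each logged match costs RP work (the warning in the thread), so a busy
    logging ACE is the first thing to revisit when the router is under load.
    """
    return [r for r in hit_rates(before_text, after_text, interval_s)
            if r["logging"] and r["pps"] > max_pps]


if __name__ == "__main__":
    for r in hit_rates(BEFORE, AFTER, INTERVAL_S):
        print(f"{r['acl']:>4} {r['ace']:<32} +{r['delta']:<6} {r['pps']:.1f} pps")
    print("noisy logging ACEs:",
          [r["ace"] for r in logging_aces_over(BEFORE, AFTER, INTERVAL_S)])
```

Sampling the counters this way answers the original question without relying on syslog: the rate is read from the ACE counters themselves, and a counter that wrapped between samples still yields the right delta, so a flood is visible even when nothing appears in the log buffer.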