[c-nsp] Total output drops - congestion ? - 7200-VXR

2008-07-16 Thread Wilkinson, Alex
Hi all,

I am having problems with a particular device going down every 3-4 days.
The switchport for which this device is connected to is telling me it is
having a lot of output drops e.g.

   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805

I 'suspect' that these output drops could be the root cause of the device
attached to this port going down consistently.

Question: Since 'output drops' seems to relate to interface congestion can
  anyone recommend a tool to 'blast' this particular interface in
  order to test {in,out}queues and congestion ?

 -aW

IMPORTANT: This email remains the property of the Australian Defence 
Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 
1914.  If you have received this email in error, you are requested to contact 
the sender and delete the email.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco MMPPP

2008-07-16 Thread Edi Guntoro
Thanks Ben,
however what do you mean by better off load balancing with a routing protocol 
and/or cef ? is it disabling the load balancing? as I know this feature enable 
by default on routing protocol as long as they are equal admin distances.
And is it for traffic out to the internet or traffic coming to the customer ?
regards.
Edi





- Original Message 
From: Ben Steele [EMAIL PROTECTED]
To: Edi Guntoro [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 16, 2008 12:12:12 PM
Subject: Re: [c-nsp] Cisco MMPPP

the LAC is pretty irrelevant, you need to configure MMPPP capabilities  
on your LNS's, which means an sgbp group on your LNS's for the  
multichassis and ppp multilink under your virtual template for the  
MPPP side of things.

I noticed your topology is using 2 separate wireless services to  
provide the bundle, one word of warning is if the bundles are out of  
sync (speed and latency wise) you will see very poor performance and  
you are better off load balancing with a routing protocol and/or cef.

Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:

 Dear ciscoers,
 Let's say we have a scenario to bring up multiple ppp for our  
 customer to increase bandwidth to the internet.
 At the moment we only have access to the LNS, is it possible to have  
 MMPPP for our customer, or is there something to do with the LAC?
 any reference?
 here is the layout:
 regards
 Igun


 u  /-3.5g service---PPP---LAC---LNS1--|
 s /                                   |
                                       |___internet
 e \                                   |
 r  \-cdma service--PPP---LAC---LNS2--|






Re: [c-nsp] Cisco MMPPP

2008-07-16 Thread Ben Steele
i'm talking strictly between your LNS and your CPE here, if you find  
your MMPPP is giving poor performance due to physical differences  
between the 2 sessions (ie speed and latency), then try doing  
something a little more creative like multihopping both ppp sessions  
onto the one router and using (as you mentioned) cef per-destination  
load sharing over the 2 unique ppp sessions, or alternatively let a  
routing protocol handle the work and advertise part of your subnet out  
one link and part out the other with redundancy, or even GRE tunnels  
etc etc.. there are quite a few ways you can achieve the desired  
outcome, this is of course only if your mmppp fails.


Cheers

Ben

On 16/07/2008, at 4:11 PM, Edi Guntoro wrote:


Thanks Ben,
however what do you mean by better off load balancing with a  
routing protocol and/or cef ? is it disabling the load balancing?  
as I know this feature enable by default on routing protocol as long  
as they are equal admin distances.
And is it for traffic out to the internet or traffic coming to the  
customer ?

regards.
Edi



- Original Message 
From: Ben Steele [EMAIL PROTECTED]
To: Edi Guntoro [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 16, 2008 12:12:12 PM
Subject: Re: [c-nsp] Cisco MMPPP

the LAC is pretty irrelevant, you need to configure MMPPP capabilities
on your LNS's, which means an sgbp group on your LNS's for the
multichassis and ppp multilink under your virtual template for the
MPPP side of things.

I noticed your topology is using 2 separate wireless services to
provide the bundle, one word of warning is if the bundles are out of
sync (speed and latency wise) you will see very poor performance and
you are better off load balancing with a routing protocol and/or cef.

Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:

 Dear ciscoers,
 Let's say we have a scenario to bring up multiple ppp for our
 customer to increase bandwidth to the internet.
 At the moment we only have access to the LNS, is it possible to have
 MMPPP for our customer, or is there something to do with the LAC?
 any reference?
 here is the layout:
 regards
 Igun


 u  /-3.5g service---PPP---LAC---LNS1--|
 s /                                   |
                                       |___internet
 e \                                   |
 r  \-cdma service--PPP---LAC---LNS2--|






Re: [c-nsp] Total output drops - congestion ? - 7200-VXR

2008-07-16 Thread Brad Henshaw
Wilkinson, Alex wrote:

 can anyone recommend a tool to 'blast' this particular interface

TTCP with UDP traffic, best directed at a null-routed IP address on the
other side of that interface. 

Pay careful attention to the order of command-line parameters or weird
things will happen.

If you want bidirectional traffic and TCP is sufficient, iperf is much
nicer than TTCP.

Regards,
Brad


Re: [c-nsp] Cisco MMPPP

2008-07-16 Thread Edi Guntoro


Thanks Ben, 
I understand now. Coz previously, regarding the user I thought this is a single 
user with PC/notebook/windows dialing using two different wireless service... 
is it possible?
regards






- Original Message 
From: Ben Steele [EMAIL PROTECTED]
To: Edi Guntoro [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 16, 2008 2:21:27 PM
Subject: Re: [c-nsp] Cisco MMPPP

i'm talking strictly between your LNS and your CPE here, if you find your MMPPP 
is giving poor performance due to physical differences between the 2 sessions 
(ie speed and latency), then try doing something a little more creative like 
multihopping both ppp sessions onto the one router and using (as you mentioned) 
cef per-destination load sharing over the 2 unique ppp sessions, or 
alternatively let a routing protocol handle the work and advertise part of your 
subnet out one link and part out the other with redundancy, or even GRE tunnels 
etc etc.. there are quite a few ways you can achieve the desired outcome, this 
is of course only if your mmppp fails.

Cheers

Ben


On 16/07/2008, at 4:11 PM, Edi Guntoro wrote:

Thanks Ben,
however what do you mean by better off load balancing with a routing protocol 
and/or cef ? is it disabling the load balancing? as I know this feature enable 
by default on routing protocol as long as they are equal admin distances.
And is it for traffic out to the internet or traffic coming to the customer ?
regards.
Edi





- Original Message 
From: Ben Steele [EMAIL PROTECTED]
To: Edi Guntoro [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 16, 2008 12:12:12 PM
Subject: Re: [c-nsp] Cisco MMPPP

the LAC is pretty irrelevant, you need to configure MMPPP capabilities  
on your LNS's, which means an sgbp group on your LNS's for the  
multichassis and ppp multilink under your virtual template for the  
MPPP side of things.

I noticed your topology is using 2 separate wireless services to  
provide the bundle, one word of warning is if the bundles are out of  
sync (speed and latency wise) you will see very poor performance and  
you are better off load balancing with a routing protocol and/or cef.

Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:

 Dear ciscoers,
 Let's say we have a scenario to bring up multiple ppp for our  
 customer to increase bandwidth to the internet.
 At the moment we only have access to the LNS, is it possible to have  
 MMPPP for our customer, or is there something to do with the LAC?
 any reference?
 here is the layout:
 regards
 Igun


 u  /-3.5g service---PPP---LAC---LNS1--|
 s /                                   |
                                       |___internet
 e \                                   |
 r  \-cdma service--PPP---LAC---LNS2--|






Re: [c-nsp] Cisco MMPPP

2008-07-16 Thread Ben Steele
Yes it's possible to have say windows do multilink ppp through 2  
separate network devices, never tried it though so not sure how  
reliable their implementation of it is.


Ben

On 16/07/2008, at 5:12 PM, Edi Guntoro wrote:



Thanks Ben,
I understand now. Coz previously, regarding the user I thought this  
is a single user with PC/notebook/windows dialing using two  
different wireless service... is it possible?

regards




- Original Message 
From: Ben Steele [EMAIL PROTECTED]
To: Edi Guntoro [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 16, 2008 2:21:27 PM
Subject: Re: [c-nsp] Cisco MMPPP

i'm talking strictly between your LNS and your CPE here, if you find  
your MMPPP is giving poor performance due to physical differences  
between the 2 sessions (ie speed and latency), then try doing  
something a little more creative like multihopping both ppp sessions  
onto the one router and using (as you mentioned) cef per-destination  
load sharing over the 2 unique ppp sessions, or alternatively let a  
routing protocol handle the work and advertise part of your subnet  
out one link and part out the other with redundancy, or even GRE  
tunnels etc etc.. there are quite a few ways you can achieve the  
desired outcome, this is of course only if your mmppp fails.


Cheers

Ben

On 16/07/2008, at 4:11 PM, Edi Guntoro wrote:


Thanks Ben,
however what do you mean by better off load balancing with a  
routing protocol and/or cef ? is it disabling the load balancing?  
as I know this feature enable by default on routing protocol as  
long as they are equal admin distances.
And is it for traffic out to the internet or traffic coming to the  
customer ?

regards.
Edi



- Original Message 
From: Ben Steele [EMAIL PROTECTED]
To: Edi Guntoro [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 16, 2008 12:12:12 PM
Subject: Re: [c-nsp] Cisco MMPPP

the LAC is pretty irrelevant, you need to configure MMPPP capabilities
on your LNS's, which means an sgbp group on your LNS's for the
multichassis and ppp multilink under your virtual template for the
MPPP side of things.

I noticed your topology is using 2 separate wireless services to
provide the bundle, one word of warning is if the bundles are out of
sync (speed and latency wise) you will see very poor performance and
you are better off load balancing with a routing protocol and/or cef.

Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:

 Dear ciscoers,
 Let's say we have a scenario to bring up multiple ppp for our
 customer to increase bandwidth to the internet.
 At the moment we only have access to the LNS, is it possible to have
 MMPPP for our customer, or is there something to do with the LAC?
 any reference?
 here is the layout:
 regards
 Igun


 u  /-3.5g service---PPP---LAC---LNS1--|
 s /                                   |
                                       |___internet
 e \                                   |
 r  \-cdma service--PPP---LAC---LNS2--|






[c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1

2008-07-16 Thread Samit

Hi,

Is it recommended to run three STM-1 (PA-POS-1OC3)  on a single 
Cisco700vxr with NPE-G1 ?


Regards,
Samit


Re: [c-nsp] 2621xm vs 1800?

2008-07-16 Thread Paul Cosgrove
There is a nice index including this and other similar product 
comparisons (switch performance, vpn performance etc.) at:-


http://www.cisco.com/web/partners/tools/quickreference/index.html

Paul.

Paul Stewart wrote:

Thanks... that's actually the document I was looking for ;)

Our theory to date on the issues with the 2621XM's is possibly the vendor
itself and the memory they have been using.  We have had a number of
problems with a particular batch of them purchased a while ago and the 3rd
party memory they are using specifically (we use 3rd party all the time with
great success normally).

Want to swap one of the sites that is having repeated issues and prove it's
in the router somewhere or in the next hop device (wireless backhaul).

Thanks,

Paul


-Original Message-
From: Paul Cosgrove [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 15, 2008 2:50 PM

To: Paul Stewart
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 2621xm vs 1800?

Very much an upgrade judging from the following table. More than double 
the PPS & Mbps for Fast/CEF switched packets:-


http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf



Would be interesting to know the cause of the issue though,

Paul.

Paul Stewart wrote:

Hi there...

We have some remote sites with 2621XM's running today.  These routers are
doing PPPOE termination primarily for 40-60 users.  The 2621XM is handling
the load just fine however we've been having random problems with them
lately and wanted to swap out the 2621XM for a different, more current model
to see if the problem goes away (traffic just stops passing on the FE
interfaces after a few weeks - tried multiple IOS versions - happening at
several sites).

My question is whether or not an 1841 would be a downgrade or an upgrade for
PPS and overall load?  Or should we just bite the bullet and get 2801's
instead?

Thanks,

Paul











--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel:  +353.1.6609040
Web:  http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.


Re: [c-nsp] Shape an L3 interface to 100mbit

2008-07-16 Thread Stig Johansen
Hi again,

It may be a bit unclear, but on the 3560/3750-platform, you'll have to
do egress policing by manipulating the DSCP-values on input-interfaces
and tweaking the srr-queues on the output-interfaces.

The old 3550-platform supported egress policing via aggregate-policers,
a bit more logically and without the need for changing any values.

Best regards,
Stig Meireles Johansen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kurt Bales
Sent: 15. juli 2008 13:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Shape an L3 interface to 100mbit

Hey Guys,

 

I have a situation where my upstream is policing my connection to 100mb. I
have a GigE interconnect to them, and we are currently connected at 1gb/full
duplex.  I have been requested to shape the traffic leaving our interconnect
to 100mb so as to reduce the performance issues caused by packet loss etc
caused by policing.

What is the easiest way to apply 100mb shaping to an L3 (no switchport)
interface on a 3560G?

The speed of this link could change in the near future (over the next couple
of days) so I would prefer to use QoS rules to apply shaping to this
interface as opposed to forcing the interconnect to 100/Full (which would be
of no use if the link changed to 250mb).

 

 

Regards,

K.



Re: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1

2008-07-16 Thread Garry

Samit wrote:

Hi,

Is it recommended to run three STM-1 (PA-POS-1OC3)  on a single 
Cisco700vxr with NPE-G1 ?


Technically, it is supported, as each of the two buses have 600 
bandwidth points, with an STM-1 interface taking up 300. Question is 
whether it might be recommendable to get a second router for redundancy 
reasons, e.g. if you are terminating several uplinks with that one 
router. If so, I'd advise against doing it all on one router ...


-garry


Re: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.

2008-07-16 Thread Rodney Dunn
If I remember correctly they are rate limited.

You should use netflow and match on ACL dst if of Null0 rather
than the log feature of the ACL's.

Rodney

On Wed, Jul 16, 2008 at 12:31:26PM +0700, a. rahman isnaini r.sutan wrote:
 Hi charles,
 
 Depends on the engine processor.
 Our G1 can handle this, it just the router not shown on the log (we 
 saved to a syslog-ng server).
 
 
 rgs
 a. rahman isnaini r.sutan
 
 Church, Charles wrote:
 If the router is subject to enough traffic where thousands of ACL hits
 are happening per second, you DON'T want to have any entries of that ACL
 logging.  It's terrible for performance.
 
 Chuck
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of a. rahman
 isnaini r.sutan
 Sent: Tuesday, July 15, 2008 10:05 PM
 To: Rodney Dunn
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] The maximum number of match packets Cisco Router
 can detect on ACL at one time.
 
 
 Thanks Rodney.
 Other thing, though the ACL matches thousand of hits at once..
 The log couldn't show this (log buffer has been set to 4096 x 2)
 
 a. rahman isnaini r.sutan
 
 Rodney Dunn wrote:
 There is no limit to the number of times the ACL will match and drop.
 
 The counter depending on how it's defined in the code may wrap but
 that should never impact the ACL from matching and
 dropping/permitting.
 Rodney
 
 On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan
 wrote:
 Hi,
 
 
 Might be some you have noted once, the maximum value (number) that Cisco
 ACL can match let say flooding packets.
 Here : deny tcp any any eq 1434 (5732 matches) for example.
 Since I have a problem with 7200 NPE G1, the huge traffic cannot be 
 detected  matched by ACL.
 
 thanks for share if you will.
 
 a. rahman isnaini r.sutan
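Added example (not part of the thread, and not Cisco code): since the posts above describe ACL logging as rate limited and costly, one alternative to reading the log is to poll the per-ACE match counters from `show access-lists` and compute match rates between two snapshots. This is a counter-polling sketch rather than the NetFlow approach suggested above; the sample output is constructed, and the 32-bit wrap modulus is an assumption.

```python
import re

# One ACE line of `show access-lists`, e.g. the line quoted in the thread:
#     deny tcp any any eq 1434 (5732 matches)
# The sequence number and the "(N matches)" suffix are both optional.
ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
ACE_LINE = re.compile(
    r"^\s*(?:\d+\s+)?((?:permit|deny)\s.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)

# Assumption: match counters are unsigned 32-bit. The thread only says the
# counter "may wrap"; adjust if your platform uses a different width.
COUNTER_MODULUS = 2 ** 32

# Constructed sample output, taken 60 seconds apart (not from a real device).
SNAPSHOT_T0 = """\
Extended IP access list 101
    10 deny tcp any any eq 1434 (5732 matches)
    20 deny udp any any eq 1434 (4294960000 matches)
    30 permit ip any any (120394 matches)
"""
SNAPSHOT_T1 = """\
Extended IP access list 101
    10 deny tcp any any eq 1434 (365732 matches)
    20 deny udp any any eq 1434 (52704 matches)
    30 permit ip any any (126394 matches)
"""


def parse_counters(show_output):
    """Return {(acl_name, ace_text): matches} from `show access-lists` text."""
    counters = {}
    acl = None
    for line in show_output.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            acl = header.group(1)
            continue
        ace = ACE_LINE.match(line)
        if ace and acl is not None:
            # An ACE that has never matched is printed without a counter.
            counters[(acl, ace.group(1))] = int(ace.group(2) or 0)
    return counters


def match_rates(before, after, interval_s):
    """Per-ACE matches per second between two snapshots, wrap-aware."""
    rates = {}
    for key, new in after.items():
        old = before.get(key)
        if old is None:
            continue  # ACE added between snapshots: no baseline yet
        delta = new - old
        if delta < 0:
            # Counter went backwards: treat it as a single wrap. A manual
            # counter clear looks the same, so check surprising rates
            # against the device's change history.
            delta += COUNTER_MODULUS
        rates[key] = delta / interval_s
    return rates


def hot_aces(rates, threshold_pps):
    """ACEs whose match rate exceeds threshold_pps, busiest first."""
    hot = [(key, rate) for key, rate in rates.items() if rate > threshold_pps]
    return sorted(hot, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    rates = match_rates(parse_counters(SNAPSHOT_T0),
                        parse_counters(SNAPSHOT_T1), 60)
    for (acl, ace), rate in hot_aces(rates, threshold_pps=500):
        print(f"ACL {acl}: '{ace}' matching at {rate:.0f} pps")
```
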


Re: [c-nsp] Cisco 2851 bug ?

2008-07-16 Thread Rodney Dunn
Yep. Done in CEF path.

Rodney

On Tue, Jul 15, 2008 at 05:34:21PM +0100, Paul Cosgrove wrote:
 Hi Rodney,
 
 Is that safe to do even if the traffic rate and/or cpu is high?
 
 Looks like a nice feature.
 
 Paul.
 
 Rodney Dunn wrote:
 Or you could load the new 12.4(20)T and set up a packet capture
 on the punt path. ;)
 
 rtp-rodunn-871#monitor capture point ip process-switched test in ?
   <cr>
 
 rtp-rodunn-871#monitor capture point ip process-switched rodney in
 rtp-rodunn-871#mon
 rtp-rodunn-871#monitor cap
 rtp-rodunn-871#monitor capture buf
 rtp-rodunn-871#monitor capture buffer pakdump ?
   circular  Circular Buffer
   clear     Clear contents of capture buffer
   export    Export in Pcap format
   filter    Configure filters
   limit     Limit the packets dumped to the buffer
   linear    Linear Buffer(Default)
   max-size  Maximum size of element in the buffer (in bytes)
   size      Packet Dump buffer size (in Kbytes)
   <cr>
 
 rtp-rodunn-871#monitor capture buffer pakdump 
 
 
 
 Start the capture and export it to pcap. ;)
 
 This is new functionality in 12.4(20)T so we've got some enhancements to
 add to it.
 
 Rodney
 
 On Tue, Jul 15, 2008 at 08:06:26AM +0200, Pavel Skovajsa wrote:
 Hi,
 IP Input spike is usually caused by abnormal 'IP input' traffic that
 gets punted into the RP from CEF for whatever reason.
 A very common cause is broadcast storm. You can see what what packet
 is holding the CPU with 'show buffers input interface fa0/1'. However
 you need to do this command during a real spike...
 
 Pavel
 
 On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert
 [EMAIL PROTECTED] wrote:
 Is anyone aware of a bug or configuration that could cause a sudden
 spike in IP input?
 
 uptime is 26 weeks, 3 days, 10 hours, 54 minutes
 System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008
 System restarted at 01:41:34 PST Tue Jan 8 2008
 System image file is flash:c2800nm-ipbasek9-mz.124-17a.bin
 Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory.
 
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  66      125056   2917547     42  0.00%  0.00%  0.00%   0 CDP Protocol
  67    28872876 373263867     77  0.08% 51.78% 47.36%   0 IP Input
 
 Seattle-WAN   01:00:26 PM Friday Jul 11 2008 DST
 
 
 [CPU history graphs not recoverable from the archive: CPU% per second (last 60 seconds); CPU% per minute (last 60 minutes); CPU% per hour (last 72 hours). Legend: * = maximum CPU%, # = average CPU%]
 
 
 

Re: [c-nsp] Total output drops - congestion ? - 7200-VXR

2008-07-16 Thread Rodney Dunn
What is the configuration of that interface and can you provide
a 'sh int' between two drop periods?

On Wed, Jul 16, 2008 at 02:22:31PM +0800, Wilkinson, Alex wrote:
 Hi all,
 
 I am having problems with a particular device going down every 3-4 days.
 The switchport for which this device is connected to is telling me it is
 having a lot of output drops e.g.
 
    Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805
 
 I 'suspect' that these output drops could be the root cause of the device
 attached to this port going down consistently.
 
 Question: Since 'output drops' seems to relate to interface congestion can
   anyone recommend a tool to 'blast' this particular interface in
   order to test {in,out}queues and congestion ?
 
  -aW
 


Re: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1

2008-07-16 Thread Mark Tinka
On Wednesday 16 July 2008 18:10:00 Garry wrote:

 Technically, it is supported, as each of the two buses
 have 600 bandwidth points, with an STM-1 interface taking
 up 300. Question is whether it might be recommendable to
 get a second router for redundancy reasons, e.g. if you
 are terminating several uplinks with that one router. If
 so, I'd advise against doing it all on one router ...

If you can afford a second router, I agree with Garry.

Cheers,

Mark.



Re: [c-nsp] Total output drops - congestion ? - 7200-VXR

2008-07-16 Thread Farhan Jaffer
Have you tried the 'hold-queue ...' command? This may resolve your problem.


On Wed, Jul 16, 2008 at 11:22 AM, Wilkinson, Alex
[EMAIL PROTECTED] wrote:
 Hi all,

 I am having problems with a particular device going down every 3-4 days.
 The switchport for which this device is connected to is telling me it is
 having a lot of output drops e.g.

   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805

 I 'suspect' that these output drops could be the root cause of the device
 attached to this port going down consistently.

 Question: Since 'output drops' seems to relate to interface congestion can
  anyone recommend a tool to 'blast' this particular interface in
  order to test {in,out}queues and congestion ?

  -aW



Re: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.

2008-07-16 Thread a. rahman isnaini r.sutan
OK then, so Cisco Router has a limitation on plotting the maximum 
hits/matches on ACL to a raw log.

Thanks Rodney.

a. rahman isnaini r.sutan

Rodney Dunn wrote:

If I remember correctly they are rate limited.

You should use netflow and match on ACL dst if of Null0 rather
than the log feature of the ACL's.

Rodney

On Wed, Jul 16, 2008 at 12:31:26PM +0700, a. rahman isnaini r.sutan wrote:

Hi charles,

Depends on the engine processor.
Our G1 can handle this, it just the router not shown on the log (we 
saved to a syslog-ng server).



rgs
a. rahman isnaini r.sutan

Church, Charles wrote:

If the router is subject to enough traffic where thousands of ACL hits
are happening per second, you DON'T want to have any entries of that ACL
logging.  It's terrible for performance.

Chuck

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of a. rahman
isnaini r.sutan
Sent: Tuesday, July 15, 2008 10:05 PM
To: Rodney Dunn
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] The maximum number of match packets Cisco Router
can detect on ACL at one time.


Thanks Rodney.
Other thing, though the ACL matches thousand of hits at once..
The log couldn't show this (log buffer has been set to 4096 x 2)

a. rahman isnaini r.sutan

Rodney Dunn wrote:

There is no limit to the number of times the ACL will match and drop.

The counter depending on how it's defined in the code may wrap but
that should never impact the ACL from matching and dropping/permitting.

Rodney

On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan

wrote:

Hi,


Might be some you have noted once, the maximum value (number) that Cisco
ACL can match let say flooding packets.
Here : deny tcp any any eq 1434 (5732 matches) for example.
Since I have a problem with 7200 NPE G1, the huge traffic cannot be 
detected  matched by ACL.


thanks for share if you will.

a. rahman isnaini r.sutan


Re: [c-nsp] bandwidth points table (former Three STM-1 on one Cisco 7200vxr-npeG1)

2008-07-16 Thread Andrey Oleinik
Gentlemen,
Saying about Cisco it's very new and interesting matrices for me (I mean 
bus/interface bandwidth points).
Is this info available publicly?
Thank U
--
Respect,  Andy Oleynik

...
andyo  Is it recommended to run three STM-1 (PA-POS-1OC3)  on a single
andyo  Cisco700vxr with NPE-G1 ?
andyo
andyo Technically, it is supported, as each of the two buses have 600
andyo bandwidth points, with an STM-1 interface taking up 300. Question
andyo is
andyo whether it might be recommendable to get a second router for
andyo redundancy
andyo reasons, e.g. if you are terminating several uplinks with that one
andyo router. If so, I'd advise against doing it all on one router ...
...


Re: [c-nsp] bandwidth points table (former Three STM-1 on one Cisco 7200vxr-npeG1)

2008-07-16 Thread Mathias Spoerr
http://www.cisco.com/en/US/prod/collateral/routers/ps341/prod_presentation09186a008009184d.pdf


Regards,
Mathias



From:
Andrey Oleinik [EMAIL PROTECTED]
To:
Garry [EMAIL PROTECTED]
Cc:
cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Date:
16.07.2008 15:00
Subject:
Re: [c-nsp] bandwidth points table (former Three STM-1 on one Cisco 
7200vxr-npeG1)



Gentlemen,
Saying about Cisco it's very new and interesting matrices for me (I mean 
bus/interface bandwidth points).
Is this info available publicly?
Thank U
--
Respect,  Andy Oleynik

...
andyo  Is it recommended to run three STM-1 (PA-POS-1OC3)  on a single
andyo  Cisco 7200vxr with NPE-G1 ?
andyo
andyo Technically, it is supported, as each of the two buses have 600
andyo bandwidth points, with an STM-1 interface taking up 300. Question is
andyo whether it might be recommendable to get a second router for redundancy
andyo reasons, e.g. if you are terminating several uplinks with that one
andyo router. If so, I'd advise against doing it all on one router ...
...

[c-nsp] ASA connectivity issues

2008-07-16 Thread Eric Gauthier
Hello,

We've had an ASA5500 online for about two years providing 
VPN services for wireless users on our campus (v8.0(3)).  
Starting over the weekend, we've encountered a problem 
where users can connect and authenticate, but traffic isn't 
passing through the box (i.e. client side shows transmit data
but nothing received back).  Moreover, it appears to come 
and go in two ways.  First, if your client connects and
you wait long enough (~10 - 20 mins), traffic magically
starts flowing.  Second, the issue in general seems to
disappear overnight, which is leading us to think that
it's some sort of new client (iphone maybe?) in the
field but Cisco is saying that they haven't heard any
reports of this type of issue.

The last time we made a configuration change was in April,
so we're at a loss for what might be causing this.  We've 
had a TAC case open for a few days, but they haven't made 
much progress.  

Is anyone else seeing similar behavior?

Eric :)


Re: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1

2008-07-16 Thread Justin M. Streiner

On Wed, 16 Jul 2008, Samit wrote:

> Is it recommended to run three STM-1 (PA-POS-1OC3)  on a single Cisco 7200vxr
> with NPE-G1 ?


Could it be done?  Yes, but I wouldn't expect to see good performance if 
you try to move anything approaching line-rate traffic on those interfaces.


jms


Re: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1

2008-07-16 Thread Arie Vayner (avayner)
Samit,

Take a look at the Jacket Card. It would help to extend the bandwidth
point limitation:
http://www.cisco.com/en/US/docs/routers/7200/install_and_upgrade/port_adapter_jacket_card_install/8427J.html

Arie 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Samit
Sent: Wednesday, July 16, 2008 11:45 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1

Hi,

Is it recommended to run three STM-1 (PA-POS-1OC3)  on a single
Cisco 7200vxr with NPE-G1 ?

Regards,
Samit


Re: [c-nsp] Total output drops - congestion ? - 7200-VXR

2008-07-16 Thread David Freedman
It is inadvisable to increase the output hold-queue as far as I am
aware, this could cause packets to be delayed on egress which could
cause TCP timeouts.

Dave.

Farhan Jaffer wrote:
 Have you tried the 'hold-queue ...' command? This may resolve your problem.
 
 
 On Wed, Jul 16, 2008 at 11:22 AM, Wilkinson, Alex
 [EMAIL PROTECTED] wrote:
 Hi all,

 I am having problems with a particular device going down every 3-4 days.
 The switchport for which this device is connected to is telling me it is
 having a lot of output drops e.g.

   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 
 13342805

 I 'suspect' that these output drops could be the root cause of the device
 attached to this port going down consistently.

 Question: Since 'output drops' seems to relate to interface congestion can
  anyone recommend a tool to 'blast' this particular interface in
  order to test {in,out}queues and congestion ?

  -aW



[c-nsp] Can an AS5350 route ISDN calls to ISDN?

2008-07-16 Thread Andreas Sikkema
Hi,

We're using a Cisco AS5350 as a SIP - ISDN PRI gateway. Normally we 
route calls from the incoming ISDN line to a SIP server (and vice versa). 
Currently we're wondering if we can route calls coming in from a specific 
ISDN line to another ISDN line directly without having to go through a SIP 
server. 

I've searched using Google and some pages suggest that these gateways can 
only route from ISDN to VoIP or vice versa. From 
http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a008010fed1.shtml
 
I learned a lot more about which dialpeer is matched, but not whether 
there's a preference against routing calls from ISDN to ISDN directly or 
that it's fully supported. 

Does anyone have experience either way? Pointers to relevant documents? 

-- 
Andreas Sikkema
Service Specialist Voice
Unet BV, Almere, the Netherlands


Re: [c-nsp] Total output drops - congestion ? - 7200-VXR

2008-07-16 Thread Rolf Mendelsohn
Hi Guys,

This really depends on the speed of the Interface and what is connected on the 
other side.

We had a Serial Satellite link of 5M, which was never running higher than 
4.5M - due to regular bursty traffic.

After increasing the queue (fair-queue 320 256 0) the link now does about 
4.9M, without drops and without any significant increase in latency.

I guess the default WFQ size might be a bit small for some links.
I also think that hold-queue is only relevant if you are using FIFO queuing.

Alternatively WRR queuing could help.

cheers
/rolf

On Wednesday 16 July 2008 16:41:15 David Freedman wrote:
 It is inadvisable to increase the output hold-queue as far as I am
 aware, this could cause packets to be delayed on egress which could
 cause TCP timeouts.

 Dave.

 Farhan Jaffer wrote:
  Have you tried the 'hold-queue ...' command? This may resolve your problem.
 
 
  On Wed, Jul 16, 2008 at 11:22 AM, Wilkinson, Alex
 
  [EMAIL PROTECTED] wrote:
  Hi all,
 
  I am having problems with a particular device going down every 3-4 days.
  The switchport for which this device is connected to is telling me it is
  having a lot of output drops e.g.
 
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops:
  13342805
 
  I 'suspect' that these output drops could be the root cause of the
  device attached to this port going down consistently.
 
  Question: Since 'output drops' seems to relate to interface congestion
  can anyone recommend a tool to 'blast' this particular interface in order
  to test {in,out}queues and congestion ?
 
   -aW
 


Re: [c-nsp] Can an AS5350 route ISDN calls to ISDN?

2008-07-16 Thread Alex Balashov

Andreas Sikkema wrote:

> We're using a Cisco AS5350 as a SIP - ISDN PRI gateway. Normally we
> route calls from the incoming ISDN line to a SIP server (and vice versa).
> Currently we're wondering if we can route calls coming in from a specific
> ISDN line to another ISDN line directly without having to go through a SIP
> server.


The answer is yes.

What it *cannot* do is hairpin VoIP calls (in VoIP, out VoIP).  But it 
can cross-connect TDM.


--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599


[c-nsp] configurations

2008-07-16 Thread Raul Lopez Nevot
Hello,
Is anybody who has an AS5350 with PRI(s) and Asterisk running for
incoming/outgoing calls between SIP and ISDN/Analog willing to post
the AS5350 config and Asterisk config?

just to get straight to the core...


Re: [c-nsp] configurations

2008-07-16 Thread Alex Balashov

On Wed, July 16, 2008 5:53 pm, Raul Lopez Nevot wrote:

 Hello,
 Is anybody who has an AS5350 with PRI(s) and Asterisk running for
 incoming/outgoing calls between SIP and ISDN/Analog willing to post
 the AS5350 config and Asterisk config?

All the configs I have are rather lengthy (for AS5300s and 5400s) as they
involve considerable routing complexity.

Is there some specific question you have, or are you trying to arrive at
a holistic sense of how to configure such a gateway to front Asterisk?
I'd like to get you the relevant subset of the config that distills it
down to what you're looking for.

-- Alex

-- 
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599



[c-nsp] Cisco 2651XM and NM

2008-07-16 Thread Jason Berenson

Greetings,

So, according to this at table 3:

http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aa71c.html

the NM-2FE are not supported on the 2651XM.  Any idea as to how I could 
get 3 FE ports on a 2651XM?  I don't need anywhere near line speed but 
need the link to sync up at 100M full duplex.  If not I guess I'll have 
to just get a 2691.  :(


Thanks,
Jason


Re: [c-nsp] Cisco 2651XM and NM

2008-07-16 Thread Doug McIntyre
On Wed, Jul 16, 2008 at 06:56:37PM -0400, Jason Berenson wrote:
 So, according to this at table 3:
 
 http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aa71c.html
 
 the NM-2FE are not supported on the 2651XM.  Any idea as to how I could get 
 3 FE ports on a 2651XM?  I don't need anywhere near line speed but need the 
 link to sync up at 100M full duplex.  If not I guess I'll have to just get 
 a 2691.  :(

Right, anything with a LAN port on an NM card isn't supported in a
26xx(plain or XM) (with the 2691 excepted, maybe they should have
called it the 3610 or something.. :).

There's the NM-16ESW which would fit into the 2651XM and function as
one more FE port with 16 switch ports behind it.

I personally would swap out the chassis for a 3640, which gives you a
little more CPU than the 2651XM, and you can fit a lot more cards/ports 
into it.


Re: [c-nsp] Cisco 2651XM and NM

2008-07-16 Thread Jason Berenson

Doug,

The only issue is the XM is not EOL and the 3640 is, I think.  I may be 
able to dig up a 3640 in my office, if not I'll probably go with a 2691.


-Jason

Doug McIntyre wrote:

> On Wed, Jul 16, 2008 at 06:56:37PM -0400, Jason Berenson wrote:
>> So, according to this at table 3:
>>
>> http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aa71c.html
>>
>> the NM-2FE are not supported on the 2651XM.  Any idea as to how I could get
>> 3 FE ports on a 2651XM?  I don't need anywhere near line speed but need the
>> link to sync up at 100M full duplex.  If not I guess I'll have to just get
>> a 2691.  :(
>
> Right, anything with a LAN port on an NM card isn't supported in a
> 26xx(plain or XM) (with the 2691 excepted, maybe they should have
> called it the 3610 or something.. :).
>
> There's the NM-16ESW which would fit into the 2651XM and function as
> one more FE port with 16 switch ports behind it.
>
> I personally would swap out the chassis for a 3640, which gives you a
> little more CPU than the 2651XM, and you can fit a lot more cards/ports
> into it.
  



Re: [c-nsp] Total output drops - congestion ? - 7200-VXR

2008-07-16 Thread Wilkinson, Alex
On Wed, Jul 16, 2008 at 07:28:05AM -0400, Rodney Dunn wrote: 

What is the configuration of that interface and can you provide
a 'sh int' between two drop periods?

From 'running-config'

   interface FastEthernet4/10
   no snmp trap link-status

From 'show int FastEthernet4/10'

  FastEthernet4/10 is up, line protocol is up (connected)
  Hardware is Fast Ethernet Port, address is 0009.e85e.9879 (bia 0009.e85e.9879)
  MTU 1500 bytes, BW 1 Kbit, DLY 100 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s
  input flow-control is unsupported output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of show interface counters 18:17:11
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 118
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
 7 packets input, 524 bytes, 0 no buffer
 Received 0 broadcasts (0 multicast)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 136771 packets output, 13580522 bytes, 0 underruns
 1 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out

You will note that it is Half-duplex, 10Mb/s. That is no mistake since the
device that is connected to this switch-port is only capable of 10Mb/s.

I did a 'clear counters FastEthernet4/10' yesterday and came in this morning
to find our ATM link was down again and Total output drops up to 118.

I then reboot the device that is connected to this switch-port and voila, ATM
link comes up and EIGRP neighbour adjacency reforms.

Not sure how to verify if congestion is the root cause of this re-occurring
problem.

 -aW

IMPORTANT: This email remains the property of the Australian Defence 
Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 
1914.  If you have received this email in error, you are requested to contact 
the sender and delete the email.
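
As an added example (not part of the thread and not Cisco tooling): one way to turn the `show int` counters posted above into rates that can be compared between two snapshots, which is what the request for a 'sh int' between two drop periods is after. The function names are hypothetical, the sample text is the counter-bearing lines copied from the post, and it assumes dropped packets are not included in 'packets output'.

```python
import re

# 'show int FastEthernet4/10' lines from the post above that carry the counters.
SHOW_INT = """\
FastEthernet4/10 is up, line protocol is up (connected)
  Half-duplex, 10Mb/s
  Last clearing of show interface counters 18:17:11
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 118
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
     136771 packets output, 13580522 bytes, 0 underruns
     1 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

UNIT_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60}


def counter_window_seconds(text):
    """Seconds since 'clear counters'; None if never cleared or not present."""
    m = re.search(r"Last clearing of show interface counters (\S+)", text)
    if not m or m.group(1) == "never":
        return None
    value = m.group(1)
    if ":" in value:  # hh:mm:ss form, as in the post
        h, mi, s = (int(p) for p in value.split(":"))
        return h * 3600 + mi * 60 + s
    # Compact forms such as 1d02h or 2w3d
    parts = re.findall(r"(\d+)([ywdhm])", value)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts) or None


def _num(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else None


def analyse(text):
    """Turn raw counters into rates that can be compared between snapshots."""
    drops = _num(r"Total output drops: (\d+)", text)
    sent = _num(r"(\d+) packets output", text)
    out_bytes = _num(r"packets output, (\d+) bytes", text)
    speed = _num(r"duplex, (\d+)Mb/s", text)
    duplex = re.search(r"(\w+)-duplex", text)
    window = counter_window_seconds(text)
    result = {
        "duplex": duplex.group(1).lower() if duplex else None,
        "window_s": window,
        "drop_pct": None, "drops_per_hour": None, "avg_util_pct": None,
        "collisions": _num(r"(\d+) collisions", text),
        "late_collisions": _num(r"(\d+) late collision", text),
        "deferred": _num(r"(\d+) deferred", text),
    }
    if drops is not None and sent is not None and sent + drops:
        # Assumption: dropped packets are not counted in 'packets output'.
        result["drop_pct"] = 100.0 * drops / (sent + drops)
    if window:
        if drops is not None:
            result["drops_per_hour"] = drops * 3600.0 / window
        if out_bytes is not None and speed:
            # Average offered load over the whole window vs. negotiated speed.
            result["avg_util_pct"] = 100.0 * out_bytes * 8 / window / (speed * 1e6)
    return result


if __name__ == "__main__":
    for key, value in analyse(SHOW_INT).items():
        print(f"{key:16} {value}")
```

On the posted counters this works out to roughly 6.5 output drops per hour against an average load far below the 10Mb/s line rate. Averages over an 18-hour window cannot show short bursts, so two snapshots taken close together around a failure are more informative.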




[c-nsp] NAT and hairpin's

2008-07-16 Thread Geyer, Nick
Hi Everyone,

 

Just wondering if anyone has come up with a way to hairpin traffic using
a Cisco router? The problem is as follows;

 

Say for example I have a router connecting to the Internet and an
internal LAN doing normal NAT, e.g;

 

203.1.2.3 - ROUTER - 192.168.1.0/24 (203.1.2.3 being the public IP on
the outside interface)

 

I have an application that talks from clients on the Internet to an
internal server (192.168.1.1), with the appropriate static NAT's setup
on the router to forward the traffic. The problem is the internal
clients also need to talk to the server but on the public IP address
(203.1.2.3). The traffic from the internal clients will hit the router
but it won't translate and forward the traffic because it's coming from
the inside interface (and the static NAT only works for requests from
the outside interface).

 

I don't believe it can be done but just thought I would ask in case
anyone has come up with a weird and wonderful way.

 

Cheers,

 

Nick Geyer.



Re: [c-nsp] NAT and hairpin's

2008-07-16 Thread Marc Archer
Hi Nick,

We had the same problem at work and used DNS to get around it. The only
solution we found was to have a second internal DNS that would resolve to
the internal IP so that both internal and external users could access the
server from a common DNS name.

Marc.

2008/7/17 Geyer, Nick [EMAIL PROTECTED]:

 Hi Everyone,



 Just wondering if anyone has come up with a way to hairpin traffic using
 a Cisco router? The problem is as follows;



 Say for example I have a router connecting to the Internet and an
 internal LAN doing normal NAT, e.g;



 203.1.2.3 - ROUTER - 192.168.1.0/24 (203.1.2.3 being the public IP on
 the outside interface)



 I have an application that talks from clients on the Internet to an
 internal server (192.168.1.1), with the appropriate static NAT's setup
 on the router to forward the traffic. The problem is the internal
 clients also need to talk to the server but on the public IP address
 (203.1.2.3). The traffic from the internal clients will hit the router
 but it won't translate and forward the traffic because it's coming from
 the inside interface (and the static NAT only works for requests from
 the outside interface).



 I don't believe it can be done but just thought I would ask in case
 anyone has come up with a weird and wonderful way.



 Cheers,



 Nick Geyer.



Re: [c-nsp] NAT and hairpin's

2008-07-16 Thread Ben Steele

This is where dns doctoring on the asa/pix really comes in handy!

Split dns is usually the way to go but I had another thought, can you  
put the public 203 address as an alias on the server and then setup a  
policy route-map on your lan interface to match packets with a  
destination of your server and port say something like  permit tcp  
LAN host 203.1.2.3 eq 80 then put a set ip next-hop SERVER LAN IP



On 17/07/2008, at 2:46 PM, Geyer, Nick wrote:


> Hi Everyone,
>
> Just wondering if anyone has come up with a way to hairpin traffic using
> a Cisco router? The problem is as follows;
>
> Say for example I have a router connecting to the Internet and an
> internal LAN doing normal NAT, e.g;
>
> 203.1.2.3 - ROUTER - 192.168.1.0/24 (203.1.2.3 being the public IP on
> the outside interface)
>
> I have an application that talks from clients on the Internet to an
> internal server (192.168.1.1), with the appropriate static NAT's setup
> on the router to forward the traffic. The problem is the internal
> clients also need to talk to the server but on the public IP address
> (203.1.2.3). The traffic from the internal clients will hit the router
> but it won't translate and forward the traffic because it's coming from
> the inside interface (and the static NAT only works for requests from
> the outside interface).
>
> I don't believe it can be done but just thought I would ask in case
> anyone has come up with a weird and wonderful way.
>
> Cheers,
>
> Nick Geyer.



Re: [c-nsp] NAT and hairpin's

2008-07-16 Thread Geyer, Nick
Hi Marc,

 

That's what I usually do as well.

 

In this scenario though an internal DNS server is not an option as all
traffic is by IP address not hostname. It's got me stumped and I know
Cisco used to say it was not possible, but am just wondering if there is
anything new that could be used/manipulated to do this.

 

Cheers

 



From: Marc Archer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 17 July 2008 3:25 PM
To: Geyer, Nick
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NAT and hairpin's

 

Hi Nick,

We had the same problem at work and used DNS to get around it. The only
solution we found was to have a second internal DNS that would resolve
to the internal IP so that both internal and external users could access
the server from a common DNS name.

Marc.

2008/7/17 Geyer, Nick [EMAIL PROTECTED]:

Hi Everyone,



Just wondering if anyone has come up with a way to hairpin traffic using
a Cisco router? The problem is as follows;



Say for example I have a router connecting to the Internet and an
internal LAN doing normal NAT, e.g;



203.1.2.3 - ROUTER - 192.168.1.0/24 (203.1.2.3 being the public IP on
the outside interface)



I have an application that talks from clients on the Internet to an
internal server (192.168.1.1), with the appropriate static NAT's setup
on the router to forward the traffic. The problem is the internal
clients also need to talk to the server but on the public IP address
(203.1.2.3). The traffic from the internal clients will hit the router
but it won't translate and forward the traffic because it's coming from
the inside interface (and the static NAT only works for requests from
the outside interface).



I don't believe it can be done but just thought I would ask in case
anyone has come up with a weird and wonderful way.



Cheers,



Nick Geyer.
