Re: [c-nsp] Cisco/HP 3020 refuses telnet
On our blade switches there is an option on the web interface that allows management from all -external- ports. By default this is disabled.

--
Tassos

matthew zeier wrote on 21-Jul-08 04:28:
> Peter Rathlev wrote:
>> On Sun, 2008-07-20 at 16:15 -0700, matthew zeier wrote:
>>> I have a Cisco/HP 3020 blade chassis switch that all of a sudden stopped accepting telnet (because rancid started to fail config checks). Short of rebooting I'm not sure how to fix. I can login on the console (using tacacs auth of all things, so IP works) and can ping it. But telnet gives a connection refused. I've even gone so far as changing the IP address on fa0. Any clues/ideas?
>>
>> How do you log in now? Through the management-webinterface? Can you see the running config, and see if there are any access-class defined in your line vty config that would deny you access?
>>
>> It might also be management-interface-related. The IGESM switches we use (mainly IBM) mostly only accept connections to the interface Vlan marked with the management command. (Btw: Changing the management interface is a little unintuitive, but well explained in the docs.)
>
> I have four chassis and 8 of these switches all basically with the same config. Only one is no longer accepting telnet. I can only login to it from the serial console.
>
> In fact, the first thing I checked with the vty and access list (there isn't one) and then I diff'd the config to the other working switch in that same chassis.
>
> I hate these Cisco-but-not-really-Cisco switches so much (no TAC support!). I like the ease of wiring but they're such a pain that I've now started buying the pass-through ethernet modules and running 32 cables to two 3650s!

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 7600, SRB3, high CPU on BGP Event
Chris,

Some interfaces (like Eth) don't provide us with connectivity status at IP level. So U unnecessary need to have ur Ethernet to be flapping to lose IP-connectivity, correct? But I think U just have ur RIB rebuilt too fast due to flaps somewhere behind of ur neis.

--
Respect,
Andy Oleynik
Telecom Dpt Chief
BMS Consulting Ltd
10, Stritenska Str., of. 520
Kyiv, 01025, UA
tel +380(44)4619961
tel +380(44)4619963 extn 162
fax +380(44)4619962
www.bms-consulting.com

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Christian Bering
> Sent: Friday, July 18, 2008 9:34 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] 7600, SRB3, high CPU on BGP Event
>
> Hi all,
>
> After upgrading a SUP720-3BXL to SRB3, CPU utilization has gone up quite a bit. The CLI is extremely slow and the input lag is awful.
>
> The process eating up most of the CPU is the BGP Event which seems to run quite often and every time it does, I get the following messages from 'debug ip bgp event':
>
>     Jul 18 20:27:02.430 MET-DST: EvD: charge penalty 500, new accum. penalty 3447, flap count 40165
>     Jul 18 20:27:02.430 MET-DST: EvD: charge penalty 500, new accum. penalty 3947, flap count 40166
>     Jul 18 20:27:02.430 MET-DST: EvD: charge penalty 500, new accum. penalty 4447, flap count 40167
>
> EvD isn't enabled on the box and searching CCO for it shows me an interface ought to be involved in it if it was:
>
>     00:07:17:EvD(Ethernet1/1):charge penalty 1000, new accum. penalty 1000, flap count 1
>
> But I have no interfaces flapping and I am puzzled why I am seeing these messages when debugging BGP events. What would be the cause of these messages and is it likely they are responsible for the high CPU utilization?
>
> Thanks in advance,
>
> --
> Regards
> Christian Bering
Re: [c-nsp] IPSec SA + EzVPN conflict
Not sure if there is any command to enforce a client-side split-vpn which breaks the server-side configuration. This would kind of invalidate the whole security model.

What you could do, is separate the two VPN's in two different VRF's. I haven't tried putting an EzVPN-config in a VRF before, but maybe it works? If not, let the EzVPN live in the global routing and stick the IPSec-tunnel in another VRF. You'll have to do some creative config/wiring on the LAN-side, but it should be possible.

Best regards,
Stig Meireles Johansen
--
http://en.wikipedia.org/wiki/Posting_style
For users of modern email clients and intelligent email services like Google mail, which display entire email threads in logical order and hide extraneous content, the distinction between different posting styles is often now less relevant.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Hicks
Sent: 20. juli 2008 21:06
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPSec SA + EzVPN conflict

Hello

One of my customers has an IPSec VPN to Company A, and wants to migrate his existing client-based VPN to Company B to the same router (3725 with 12.4(12) Advanced Enterprise Services on it).

After putting the EzVPN config on, the VPN to Company B came up and hosts there were reachable. Nothing at Company A was reachable, yet the SAs were still established.

Further digging showed that the SAs for Company B's VPN specified a remote network of 0.0.0.0/0, tunnelling all traffic and not just to the subnet we're interested in.

Is there a way around this?

Peter
--
Peter Hicks | e: [EMAIL PROTECTED] | g: 0x5DA31330 | w: www.poggs.com
A: Because it destroys the flow of the conversation
Q: Why is top-posting bad?
[c-nsp] bgp traffic index
hi,

i've configured BGP accounting policy exactly as written in the Cisco documentation and it's not working.

this is an example from testing environment - i've 1 router in AS100 which is connected in F0/0 to 2 routers : AS200 + AS300.

this is the configuration:

    router bgp 100
     neighbor 1.1.1.2 remote-as 200
     neighbor 1.1.1.3 remote-as 300
     table-map INDEX
    !
    ip as-path access-list 2 permit _200_
    ip as-path access-list 3 permit _300_
    !
    route-map INDEX permit 10
     match as-path 2
     set traffic-index 2
    !
    route-map INDEX permit 20
     match as-path 3
     set traffic-index 3
    !
    route-map INDEX permit 30
     set traffic-index 4
    !
    interface f0/0
     ip address 1.1.1.1 255.255.255.0
     bgp-policy accounting

the problem is when i enter the command : show cef interface policy-statistics i get 0 in the entire rows :

    Router_1# show cef interface policy-statistics :
    F0/0 is up (if_number 1)
    Bucket  Packets  Bytes
    1       0        0
    2       0        0
    3       0        0
    4       0        0
    5       0        0
    6       0        0
    7       0        0
    8       0        0
Re: [c-nsp] Cisco/HP 3020 refuses telnet
matthew zeier wrote:
> I have a Cisco/HP 3020 blade chassis switch that all of a sudden stopped accepting telnet (because rancid started to fail config checks). Short of rebooting I'm not sure how to fix. I can login on the console (using tacacs auth of all things, so IP works) and can ping it. But telnet gives a connection refused. I've even gone so far as changing the IP address on fa0. Any clues/ideas?

Something might have eaten all the VTYs. If that's so, you can actually see who's connected via SNMP (if you've got it setup) and even terminate their connection - a colleague of mine discovered this:

    snmpwalk -c READCOMM -v 2c $SWITCH .1.3.6.1.2.1.6.13.1.1
    TCP-MIB::tcpConnState.192.168.1.1.22.192.168.1.41.1022 = established(5)
    # lots more

then:

    snmpset -c WRITECOMM -v 2c $SWITCH TCP-MIB::tcpConnState.$DSTIP.$DPORT.$SRCIP.$SPORT i 12

You'll want to fix this permanently if this is the problem:

    line vty 0 15
     session-timeout 1440
     exec-timeout 1440 0
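The SNMP check described in the reply above, as an added example that is not part of the original post: it parses snmpwalk output for tcpConnState and reports how many sessions are holding the switch's management ports and which peers own them. The 16-line limit (taken from "line vty 0 15"), the choice of ports 22 and 23, counting closeWait rows as still holding a line, and all sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter
from typing import NamedTuple

# tcpConnState values defined by TCP-MIB (RFC 4022).
TCP_STATES = {
    1: "closed", 2: "listen", 3: "synSent", 4: "synReceived",
    5: "established", 6: "finWait1", 7: "finWait2", 8: "closeWait",
    9: "lastAck", 10: "closing", 11: "timeWait", 12: "deleteTCB",
}

# Row index is localAddr.localPort.remAddr.remPort. Accept symbolic or numeric
# OIDs and values printed as "established(5)", "INTEGER: established(5)" or "INTEGER: 5".
ROW = re.compile(
    r"(?:tcpConnState|1\.3\.6\.1\.2\.1\.6\.13\.1\.1)"
    r"\.(\d+\.\d+\.\d+\.\d+)\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\.(\d+)"
    r"\s*=\s*(?:INTEGER:\s*)?(?:[A-Za-z0-9]+\((\d+)\)|(\d+))\s*$"
)


class Conn(NamedTuple):
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str

    @property
    def index(self):
        # Same ordering as the table index used in the snmpset shown in the post.
        return f"{self.local_addr}.{self.local_port}.{self.remote_addr}.{self.remote_port}"


def parse_tcp_conn_table(text):
    """Turn snmpwalk lines into Conn records, skipping anything that is not a table row."""
    conns = []
    for line in text.splitlines():
        m = ROW.search(line.strip())
        if not m:
            continue  # comments, blank lines, unrelated OIDs
        laddr, lport, raddr, rport, named, bare = m.groups()
        code = int(named or bare)
        state = TCP_STATES.get(code, f"unknown({code})")
        conns.append(Conn(laddr, int(lport), raddr, int(rport), state))
    return conns


def vty_report(conns, mgmt_ports=(22, 23), vty_lines=16,
               holding=("established", "closeWait")):
    """Count sessions occupying management ports and group them by remote peer.

    Assumption: a row in one of the `holding` states on a management port
    occupies one VTY line; vty_lines=16 corresponds to "line vty 0 15".
    """
    held = [c for c in conns if c.local_port in mgmt_ports and c.state in holding]
    by_peer = Counter(c.remote_addr for c in held)
    return {
        "held": len(held),
        "vty_lines": vty_lines,
        "exhausted": len(held) >= vty_lines,
        "by_peer": by_peer.most_common(),
        # Peer has closed but the switch has not released the session.
        "half_closed": [c.index for c in held if c.state == "closeWait"],
    }


# Constructed sample: one listener, one SSH session, fifteen telnet sessions
# from a single poller (twelve half-closed), and one unrelated BGP session.
SAMPLE = "\n".join(
    ["TCP-MIB::tcpConnState.0.0.0.0.23.0.0.0.0.0 = INTEGER: listen(2)",
     "TCP-MIB::tcpConnState.192.168.1.1.22.192.168.1.41.1022 = established(5)",
     "# lots more"]
    + [f"TCP-MIB::tcpConnState.192.168.1.1.23.192.168.1.50.{40000 + i} = INTEGER: closeWait(8)"
       for i in range(12)]
    + [f"TCP-MIB::tcpConnState.192.168.1.1.23.192.168.1.50.{41000 + i} = INTEGER: established(5)"
       for i in range(3)]
    + [".1.3.6.1.2.1.6.13.1.1.192.168.1.1.179.192.168.1.9.11002 = INTEGER: 5"]
)

if __name__ == "__main__":
    report = vty_report(parse_tcp_conn_table(SAMPLE))
    print(f"{report['held']}/{report['vty_lines']} lines held, exhausted={report['exhausted']}")
    for peer, count in report["by_peer"]:
        print(f"  {peer}: {count} session(s)")
```

Run against a saved walk of the switch, a single peer owning most of the held sessions points at a poller that never closes its connections, which is the case the exec-timeout setting in the post addresses.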
[c-nsp] Reconstructing a spanning-tree break
Hi,

In the sh span vlan X detail command there's output similar to the following:

    Root port is 47 (GigabitEthernet1/47), cost of root path is 14
    Topology change flag not set, detected flag not set
    Number of topology changes 11 last change occurred 2d00h ago
            from GigabitEthernet1/47

What is the meaning of the number of Number of topology changes. Is this only incremented when a BPDU with the TC bit set is received? Or is it set when a switch sends a TCN? Or perhaps even against a root port that has gone down or stopped receiving BPDUs?

We have had a strange spanning-tree occurrence that we are trying to reconstruct. Looking at the ports listed under topology changes, we have this occurrence:

    SW7 ------ SW8
     |          X
     |          |
    /|\         |
    SW3        SW4 (R)
     |         \|/
     |          |
    /|\         |
    SW1 ------ SW2

SW4 is the root switch.
X is a blocking port
Arrows represent the port that received a topology change (all at the same time).

So SW4 received a TC from SW2, which received a TC from SW3, which received a TC from SW7, which received a TC from SW8. But SW8 claims to have received a TC from SW7. :|

This doesn't seem to make sense unless SW8 is listing the port for some other reason?

logging event link-status (or spanning-tree logging was not configured on any switch so don't know if any of the ports went up or down.

SW3 and SW4 are L3 switches, running HSRP. Ordinarily SW4 is active and SW3 is standby, but for a period of time both went active.

Can anyone explain what happened here?

Sam
Re: [c-nsp] BGP - unsupported parameter - peer reset
Hi,

To my astonishment, everything started working fine after enabling mpls on juniper ERX globally. Can any one tell me the reason?

My understanding which proved to be wrong in case of ERX is -

The issue we have is bgp session not establishing (not, bgp is not advertising the vpnv4 routes). ERX can advertise ipv4:vpn unicast (vpnv4 routes) only after mpbgp is in establish state. The statement from juniper holds true not only for juniper but for any other vendor as until mpls is not configured it will not advertise any vpnv4 routes.

The process for bgp is - First bgp session is established then only bgp advertise the routes / prefixes

The process for mpbgp is - First the mpbgp session is establish then only one can see any vpnv4 routes

My point is to establish mpbgp session we do not need to enable mpls. After mpbgp session only vpnv4 prefixes can be seen in mpbgp table. Thus the answer from Juniper is not to the point. Still we do not know the reason for mpbgp session not establishing and in the logs it is clearly stating the reason is capability mismatch.

Further to this mpbgp and mpls are entirely two different independent protocols and configured separately, one under bgp process and another under mpls and mpls is just a transport protocol.

Summary of the above is - advertisement of vpnv4 routes, mpbgp session establishment and enabling mpls are different process. Thus juniper has to rework on the issue and let us know the actual reason.

Regards,
Vikas Sharma

On 7/14/08, Vikas Sharma [EMAIL PROTECTED] wrote:
> Hi,
>
> I have mpls network where I am connecting ERX (juniper box) as PE to cisco 12 k (vpnv4 route reflector). At all locations it's working fine except one and showing me on ERX unsupported capabilities.
>
> from ERX -
>
>     We received an unsupported-capability notification from this peer.
>     This indicates that the peer does not ignore unrecognized capabilities.
>     We received the notification before we received an open from this peer.
>     As a result we cannot guess which capabilities are supported by the peer.
>     We won't advertise capabilities with known interoperability problems.
>     Capability advertisements:
>       Capabilities option: send
>       Dynamic capability negotiation: send
>       Deprecated dynamic capability negotiation: send
>       Multi-protocol extensions: send
>       Route refresh: send
>       Route refresh (Cisco proprietary): send
>       Four octet AS numbers: send
>       Graceful restart:
>     Graceful restart negotiation:
>       Restart time is 120 seconds
>       Stale paths time is 360 seconds
>     The last time that the session was in state established:
>       We did not send the graceful-restart capability
>       We did not receive the graceful-restart capability
>     Total of 20782 messages sent, 20639 messages received
>     0 update messages sent, 0 update messages received
>
> As per rfc3392, if bgp speaking router does not understand optional community, it should ignore it and should not try to re-establish the session.
>
> I am attaching the status of sh ip bgp vpnv1 a s for the ref.
>
> on ERX - sh ip bgp vpnv4 all s
>
>     Local router ID 212.74.69.117, local AS 8220
>     Administrative state is Start
>     BGP Operational state is Up
>     Shutdown in overload state is disabled
>     Default local preference is 100
>     IGP synchronization is disabled
>     Default originate is disabled
>     Auto summary is disabled
>     Always compare MED is disabled
>     Compare MED within confederation is disabled
>     Advertise inactive routes is disabled
>     Advertise best external route to internal peers is disabled
>     Enforce first AS is enabled
>     Missing MED as worst is disabled
>     Route flap dampening is disabled
>     Log neighbor changes is enabled
>     Fast External Fallover is disabled
>     No maximum received AS-path length
>     BGP administrative distances are 20 (ext), 200 (int), and 200 (local)
>     Client-to-client reflection is enabled
>     Cluster ID is not configured (local router ID used)
>     Route-target filter is enabled
>     Default IPv4-unicast is enabled
>     Check next-hops of vpn routes is disabled
>     Redistribution of iBGP routes is disabled
>     Graceful restart is globally disabled
>     Global graceful-restart restart time is 120 seconds
>     Global graceful-restart stale paths time is 360 seconds
>     Graceful-restart path selection defer time is 360 seconds
>     Graceful-restart is not ready to switch to the standby SRP
>     The last restart was not graceful
>     Address family ipv4:vpn-unicast in core VRF operationally down due to IPv6 not present
>     Local-RIB version 2. FIB version 2.
>
>                                                  Messages  Messages  Prefixes
>     Neighbor        AS    State  Up/down time    Sent      Received  Received
>     212.74.69.112   8220  Idle   2d 06:25:40     18301     18166     0
>     212.74.69.113   8220  Idle   4d 11:06:33     20934     20788     0
>
> these are two route reflectors connected to this PE. We have one more PE (again ERX box), which does not have any issue. For
Re: [c-nsp] Reconstructing a spanning-tree break
Hi,

> logging event link-status (or spanning-tree logging was not configured on any switch so don't know if any of the ports went up or down.

no syslog either. what about the uptime of the switches...did one or more fail due to loss of power? are you running PVST?

alan
[c-nsp] Fwd: bgp traffic index
-- Forwarded message --
From: almog ohayon [EMAIL PROTECTED]
Date: Mon, Jul 21, 2008 at 3:24 PM
Subject: Re: [c-nsp] bgp traffic index
To: Raymond Macharia [EMAIL PROTECTED]

cef was enabled globally. even after i've enabled ip route-cache flow it's not working.

important note: when i enter sh ip cef detailed i can see that the prefix is marked with the correct traffic-index but when i write show cef interface policy-statistics it shows me nothing ...

what kind of traffic is the router refer to in the following command ?? any traffic ?? even ping ??

On Mon, Jul 21, 2008 at 1:23 PM, Raymond Macharia [EMAIL PROTECTED] wrote:
> Hi
> have you enabled CEF globally. usually comes enabled but its good to check also on the interface do you have ip route-cache flow enabled?
>
> Regards
> Raymond
>
> On Mon, Jul 21, 2008 at 12:04 PM, almog ohayon [EMAIL PROTECTED] wrote:
>> hi,
>>
>> i've configured BGP accounting policy exactly as written in the Cisco documentation and it's not working.
>>
>> this is an example from testing environment - i've 1 router in AS100 which is connected in F0/0 to 2 routers : AS200 + AS300.
>>
>> this is the configuration:
>>
>>     router bgp 100
>>      neighbor 1.1.1.2 remote-as 200
>>      neighbor 1.1.1.3 remote-as 300
>>      table-map INDEX
>>     !
>>     ip as-path access-list 2 permit _200_
>>     ip as-path access-list 3 permit _300_
>>     !
>>     route-map INDEX permit 10
>>      match as-path 2
>>      set traffic-index 2
>>     !
>>     route-map INDEX permit 20
>>      match as-path 3
>>      set traffic-index 3
>>     !
>>     route-map INDEX permit 30
>>      set traffic-index 4
>>     !
>>     interface f0/0
>>      ip address 1.1.1.1 255.255.255.0
>>      bgp-policy accounting
>>
>> the problem is when i enter the command : show cef interface policy-statistics i get 0 in the entire rows :
>>
>>     Router_1# show cef interface policy-statistics :
>>     F0/0 is up (if_number 1)
>>     Bucket  Packets  Bytes
>>     1       0        0
>>     2       0        0
>>     3       0        0
>>     4       0        0
>>     5       0        0
>>     6       0        0
>>     7       0        0
>>     8       0        0
>
> --
> Raymond Macharia
[c-nsp] FWSM and AAA
Hi,

I have a setup where user dial in to access server (BRAS) and get authenticated via AAA. Now I want to implement fwsm so that all traffic first go to fwsm then to anywhere in the network. But since user is getting all attributes e.g. ip address, vrf from aaa, I am not able to understand the traffic flow. Can anyone help me out to understand this?

1st packet should go to fwsm and then to vrf, the issue is I can not map vlan to vrf as I am getting all these information from AAA.

Regards
Vikas Sharma
Re: [c-nsp] Reconstructing a spanning-tree break
[EMAIL PROTECTED] wrote:
> Hi,
>
>> logging event link-status (or spanning-tree logging was not configured on any switch so don't know if any of the ports went up or down.
>
> no syslog either. what about the uptime of the switches...did one or more fail due to loss of power? are you running PVST?
>
> alan

Hi Alan,

It's Rapid-PVST.

Thanks for your reply. I've since found out some other information (SW2 was reloaded) that makes things a bit confusing to explain the entire situation here, and I wouldn't expect anyone here to sit through my entire timeline of events :)

It would be helpful if someone could answer just the first question, regarding the meaning of topology changes under sh span vlan x detail.

    Root port is 47 (GigabitEthernet1/47), cost of root path is 14
    Topology change flag not set, detected flag not set
    Number of topology changes 11 last change occurred 2d00h ago
            from GigabitEthernet1/47

That is, what type of packet (TCN, TCA, BPDU with TC set) or event (missing root BPDU, transition to forwarding) causes this counter to increment (and record the port underneath).

And, how, after a spanning-tree convergence/event (caused by the reloading of SW2) the ports listed under the topology change can end up pointing at each other (as in this example):

    SW7 ------ SW8
     |          X
     |          |
    /|\         |
    SW3        SW4 (R)
     |         \|/
     |          |
    /|\         |
    SW1 ------ SW2

SW4 is the root switch.
X is a blocking port
Arrows represent the port that received a topology change (all at the same time) listed under sh spantree vlan X detail.

What happened to make the ports listed on SW7 and SW8 point at each other?

I can envisage this scenario: SW2 is reloaded causing the blocking port on SW8 to go forwarding. After SW2 is reloaded the port goes back to blocking, and SW8 issues a TCN. But this would mean that SW8 logged the _outgoing_ port it sent the TCN on, while all the others logged the port that _received_ the TCN on. I can't find any information to support this hypothesis. The name topology change also suggests that it could be looking at the TC bit in BPDUs, not the TCNs.

If anyone can explain this to me I will be very grateful,

Sam

(I'm actually beginning to suspect that SW2 continued to forward BPDUs but not HSRP packets and knowledge of how the counters work should help me work this possibility).
Re: [c-nsp] Cisco/HP 3020 refuses telnet
Is it possible it's out of memory? That can cause telnet to fail, but console access would still work.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tassos Chatzithomaoglou
Sent: Monday, July 21, 2008 2:39 AM
To: matthew zeier
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco/HP 3020 refuses telnet

On our blade switches there is an option on the web interface that allows management from all -external- ports. By default this is disabled.

--
Tassos

matthew zeier wrote on 21-Jul-08 04:28:
> Peter Rathlev wrote:
>> On Sun, 2008-07-20 at 16:15 -0700, matthew zeier wrote:
>>> I have a Cisco/HP 3020 blade chassis switch that all of a sudden stopped accepting telnet (because rancid started to fail config checks). Short of rebooting I'm not sure how to fix. I can login on the console (using tacacs auth of all things, so IP works) and can ping it. But telnet gives a connection refused. I've even gone so far as changing the IP address on fa0. Any clues/ideas?
>>
>> How do you log in now? Through the management-webinterface? Can you see the running config, and see if there are any access-class defined in your line vty config that would deny you access?
>>
>> It might also be management-interface-related. The IGESM switches we use (mainly IBM) mostly only accept connections to the interface Vlan marked with the management command. (Btw: Changing the management interface is a little unintuitive, but well explained in the docs.)
>
> I have four chassis and 8 of these switches all basically with the same config. Only one is no longer accepting telnet. I can only login to it from the serial console.
>
> In fact, the first thing I checked with the vty and access list (there isn't one) and then I diff'd the config to the other working switch in that same chassis.
>
> I hate these Cisco-but-not-really-Cisco switches so much (no TAC support!). I like the ease of wiring but they're such a pain that I've now started buying the pass-through ethernet modules and running 32 cables to two 3650s!
[c-nsp] Maximizing Router capabilities
Hi list,

I am trying to maximize my router's capability by maximizing its DRAM and Flash. Now I am trying to maximize IOS capabilities. Which is better to load, advance IP IOS or Enterprise IOS?

Thanks!
Chris
Re: [c-nsp] Maximizing Router capabilities
You load the one you are licensed for...

Michael Balasko

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dracul
Sent: Monday, July 21, 2008 8:01 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Maximizing Router capabilities

Hi list,

I am trying to maximize my router's capability by maximizing its DRAM and Flash. Now I am trying to maximize IOS capabilities. Which is better to load, advance IP IOS or Enterprise IOS?

Thanks!
Chris
Re: [c-nsp] Maximizing Router capabilities
Dracul wrote:
> Thanks all,
>
> Assuming budget is not a hindrance. So should I go for the advance enterprise? Advance enterprise is different from advanced-ip series?

Yes, they're different. It's not about budget, it's about what's right for your network. Feature-loaded sometimes translates to bug-loaded.

pt
Re: [c-nsp] Maximizing Router capabilities
> Assuming budget is not a hindrance. So should I go for the advance enterprise? Advance enterprise is different from advanced-ip series?

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps5460/prod_bulletin0900aecd80281b17.html
Re: [c-nsp] Maximizing Router capabilities
You should really shop by feature set. Advanced Enterprise IOS licenses are expensive. If you don't need all of the features present, you should only license the features you need. Expanding DRAM and Flash beyond what is required for the image you need is also sometimes expensive, depending on which router you have.

We can't tell you which IOS does what unless we know which router you're using. Features change by platform. Ideally, you can figure out which features you need by reading through the IOS documentation at http://cisco.com/go/ios , then use the feature navigator linked below to find an appropriate image for your router.

Justin

On Jul 21, 2008, at 10:50 AM, Dracul wrote:
> Thanks all,
>
> Assuming budget is not a hindrance. So should I go for the advance enterprise? Advance enterprise is different from advanced-ip series?
>
> regards,
> Chris
>
> On Mon, Jul 21, 2008 at 11:39 PM, Jon Lewis [EMAIL PROTECTED] wrote:
>> On Mon, 21 Jul 2008, Dracul wrote:
>>> Hi list,
>>>
>>> I am trying to maximize my router's capability by maximizing its DRAM and Flash. Now I am trying to maximize IOS capabilities. Which is better to load, advance IP IOS or Enterprise IOS?
>>
>> cisco.com/go/fn
>>
>> Use the image that supports the set of features you need or think you may need.
>>
>> --
>> Jon Lewis | I route
>> Senior Network Engineer | therefore you are
>> Atlantic Net |
>> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
>
> --
> === Support www.gawadkalinga.org
[c-nsp] Transparent Proxy
I don't know what I am doing wrong trying to set this up, I want to filter all port 80 traffic through a proxy. I have a 3662 configured the following way:

    Int f0/0 Main Internet Feed
    Int f0/1 Network Users (That I want to force through a Proxy)
     ip policy route-map our-proxy

    access-list 111 deny tcp any any neq www
    access-list 111 deny tcp host 192.168.1.188 any
    access-list 111 permit tcp any any log

    route-map our-proxy permit 10
     match ip address 111
     set ip next-hop 192.168.1.188
Re: [c-nsp] Transparent Proxy
Hi,

Take a look at WCCP. It should be supported on most of the proxy servers out there:

http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_wccp_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Arie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rhino Lists
Sent: Monday, July 21, 2008 19:16 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Transparent Proxy

I don't know what I am doing wrong trying to set this up, I want to filter all port 80 traffic through a proxy. I have a 3662 configured the following way:

    Int f0/0 Main Internet Feed
    Int f0/1 Network Users (That I want to force through a Proxy)
     ip policy route-map our-proxy

    access-list 111 deny tcp any any neq www
    access-list 111 deny tcp host 192.168.1.188 any
    access-list 111 permit tcp any any log

    route-map our-proxy permit 10
     match ip address 111
     set ip next-hop 192.168.1.188
[c-nsp] Nexus Question
Does anyone know where I can find or what the power draw are for the Nexus - 48x1GE and 32x10GE LCs?

Also, anyone heard when the NX7018 will be out?

thx,
Juno
Re: [c-nsp] Nexus Question
Juno,

This should be what you asked for:

http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/installation/guide/n7k_sys_specs.html

Arie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Juno Guy
Sent: Monday, July 21, 2008 19:45 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Nexus Question

Does anyone know where I can find or what the power draw are for the Nexus - 48x1GE and 32x10GE LCs?

Also, anyone heard when the NX7018 will be out?

thx,
Juno
Re: [c-nsp] Nexus Question
At 09:44 AM 7/21/2008, Juno Guy observed:
> Does anyone know where I can find or what the power draw are for the Nexus - 48x1GE and 32x10GE LCs?

The cisco power calculator: http://tools.cisco.com/cpc/

> Also, anyone heard when the NX7018 will be out?

Target is end of this calendar year, subject to change.

Tim

> thx,
> Juno

Tim Stevenson, [EMAIL PROTECTED]
Routing Switching CCIE #5561
Technical Marketing Engineer, Data Center BU
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759

The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only.
Re: [c-nsp] Nexus Question
I don't know about the 32-port 10GE cards, but here's a 'show env power' from the N7K I'm working with to replace our 6506 and 6509:

    Power Supply:
    Voltage: 50 Volts
    -----------------------------------------------------
    PS  Model                Power       Power     Status
                             (Watts)     (Amp)
    -----------------------------------------------------
    1   N7K-AC-6.0KW         6000.00     120.00    Ok
    2   N7K-AC-6.0KW         6000.00     120.00    Ok
    3                        0.00        0.00      Absent

    Mod  Model              Power      Power      Power      Power      Status
                            Requested  Requested  Allocated  Allocated
                            (Watts)    (Amp)      (Watts)    (Amp)
    ---  -----------------  ---------  ---------  ---------  ---------  ----------
    1    N7K-M148GT-11      400.00     8.00       0.00       0.00       Powered-Dn
    2    N7K-M148GT-11      400.00     8.00       400.00     8.00       Powered-Up
    5    N7K-SUP1           210.00     4.20       210.00     4.20       Powered-Up
    6    N7K-SUP1           210.00     4.20       210.00     4.20       Powered-Up
    Xb1  N7K-C7010-FAB-1    60.00      1.20       60.00      1.20       Powered-Up
    Xb2  N7K-C7010-FAB-1    60.00      1.20       60.00      1.20       Powered-Up
    Xb3  N7K-C7010-FAB-1    60.00      1.20       60.00      1.20       Powered-Up
    Xb4  N7K-C7010-FAB-1    60.00      1.20       60.00      1.20       Powered-Up
    Xb5  N7K-C7010-FAB-1    60.00      1.20       60.00      1.20       Powered-Up

    Power Usage Summary:
    Power Supply redundancy mode:                 Redundant
    Power Supply redundancy operational mode:     Redundant
    Total Power Capacity                          6000.00 W
    Power reserved for Supervisor(s)               420.00 W
    Power reserved for Fan Module(s)              2184.00 W
    Power reserved for Fabric Module(s)            300.00 W
    Power currently used by Modules                400.00 W
                                                  ---------
    Total Power Available                         2696.00 W
                                                  ---------

The N7K-M148GT-11 in slot one is dead and being RMA'd (I had a lovely Friday afternoon). :)

The Cisco Power Calculator (should be available to people using guest access) at http://tools.cisco.com/cpc/ has the N7K and its associated modules listed.

Justin

Juno Guy wrote:
> Does anyone know where I can find or what the power draw are for the Nexus - 48x1GE and 32x10GE LCs?
>
> Also, anyone heard when the NX7018 will be out?
>
> thx,
> Juno
Re: [c-nsp] Maximizing Router capabilities
Hi,

On Mon, Jul 21, 2008 at 11:01:18PM +0800, Dracul wrote:
> I am trying to maximize my router's capability by maximizing its DRAM and Flash. Now I am trying to maximize IOS capabilities. Which is better to load, advance IP IOS or Enterprise IOS?

whatever you have paid for - this is an obvious troll, isn't it?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
[c-nsp] 7961G won't boot
Hello,

I have a 7961G that won't boot up. It powers on via poe, shows the cisco splash screen with the checkmark in the bottom left corner, then shows the upgrading screen for a few seconds, then says error on the upgrading screen, then goes back to the cisco splash screen and there is a circle with a dot in the middle of it on the bottom left corner.

Is there any way to fix this?

Thanks,
Dan.
[c-nsp] ME6524 alternative
Hi.

After an initial deployment with many ME6500's (ME6524-24GT-8S to be exact), we are finding it too difficult to deal with Cisco for the expansion. What clear alternatives are available from other vendors or either from Cisco as a nice MPLS router with Ethernet only interfaces, even with less backplane or with 10/100 access interfaces?

Rubens
Re: [c-nsp] 7961G won't boot
Dan,

I've done this with 7960's, not a 7961. Have a look at the process for conversion of the phones, here it is for the 7960, couldn't find the same for a 7961:

http://www.cisco.com/en/US/products/hw/phones/ps379/products_tech_note09186a0080094584.shtml
http://tinyurl.com/23tw2c

Hope it helps,
David
--
http://dcp.dcptech.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Letkeman
Sent: Monday, July 21, 2008 2:06 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7961G won't boot

Hello,

I have a 7961G that won't boot up. It powers on via poe, shows the cisco splash screen with the checkmark in the bottom left corner, then shows the upgrading screen for a few seconds, then says error on the upgrading screen, then goes back to the cisco splash screen and there is a circle with a dot in the middle of it on the bottom left corner.

Is there any way to fix this?

Thanks,
Dan.
[c-nsp] QoS for VoIP to specific proxy
Hello folks,

Please pardon me asking what I'm sure has been answered before. I've looked through the archives and the Cisco site, but I'm still confused about what I need to do.

I have a client whose Cisco 1841 CPE router needs to simply prioritize SIP traffic to and from a specific VoIP proxy. Let's say the VoIP proxy is 209.120.xxx.xxx

The customer's current config on their 1841 is below. Can someone give me an idea of how I can accomplish this? Remember, I just basically need priority queuing of any traffic to and from that VoIP proxy listed above.

Thanks very much for any help!

-Nick Voth

-Customer's CPE config

interface FastEthernet0/0
 ip address 67.101.xxx.xxx 255.255.255.248
 duplex auto
 speed auto
 no keepalive
!
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 fdl both
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address negotiated
 ppp chap hostname x
 ppp chap password 7 01465656080E535773
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
Re: [c-nsp] QoS for VoIP to specific proxy
Nick,

You can use a class-map to match that traffic using an access-list. If you really want to be specific, you can do a match-all, and match it to 'protocol' as well. Then define a policy-map that prioritizes that class to a certain speed. Then attach the output policy to the interface. I think you can only apply a priority policy to a physical interface, versus a subint or a virtual one.

You can't enforce prioritization towards you. It's up to the other providers. If they're respecting IP PREC or DSCP, you're probably all set. Otherwise, you can control it a bit with input policies to limit non-VoIP traffic (using shaping), but it's far from an exact science.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Voth
Sent: Monday, July 21, 2008 4:09 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] QoS for VoIP to specific proxy

Hello folks,

Please pardon me asking what I'm sure has been answered before. I've looked through the archives and the Cisco site, but I'm still confused about what I need to do.

I have a client whose Cisco 1841 CPE router needs to simply prioritize SIP traffic to and from a specific VoIP proxy. Let's say the VoIP proxy is 209.120.xxx.xxx

The customer's current config on their 1841 is below. Can someone give me an idea of how I can accomplish this? Remember, I just basically need priority queuing of any traffic to and from that VoIP proxy listed above.

Thanks very much for any help!

-Nick Voth

-Customer's CPE config

interface FastEthernet0/0
 ip address 67.101.xxx.xxx 255.255.255.248
 duplex auto
 speed auto
 no keepalive
!
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 fdl both
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address negotiated
 ppp chap hostname x
 ppp chap password 7 01465656080E535773
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
Re: [c-nsp] ME6524 alternative
Rubens Kuhl Jr. wrote:
> Hi.
>
> After an initial deployment with many ME6500's (ME6524-24GT-8S to be exact), we are finding it too difficult to deal with Cisco for the expansion. What clear alternatives are available from other vendors or either from Cisco as a nice MPLS router with Ethernet only interfaces, even with less backplane or with 10/100 access interfaces?

Out of curiosity, what problems are you having? Is it a hardware issue or a service issue? I have a couple ME6524s and have been happy with them. We also have some ME3750s and they've been good too. The MEs are designed for specific solutions.

Justin
Re: [c-nsp] ME6524 alternative
> > After an initial deployment with many ME6500's (ME6524-24GT-8S to be exact), we are finding it too difficult to deal with Cisco for the expansion. What clear alternatives are available from other vendors or either from Cisco as a nice MPLS router with Ethernet only interfaces, even with less backplane or with 10/100 access interfaces?
>
> Out of curiosity, what problems are you having? Is it a hardware issue or a service issue? I have a couple ME6524s and have been happy with them. We also have some ME3750s and they've been good too. The MEs are designed for specific solutions.

Cost issues and the relationship with the local subsidiary; we have very little problems with the ME6500, one being the BFD with SVIs issue that you don't like either if I recall correctly.

Are you sure ME3750s are doing good for your network? We had tons of issues with 3750-Metro, a product that I strongly recommend for my competitors... we haven't tested ME3400 which sound very nice (but doesn't have MPLS) or 4500 with Sup-VI (no MPLS on the software yet).

Rubens
Re: [c-nsp] QoS for VoIP to specific proxy
Hi Nick,

You want something like this:

class-map match-all VoIP-Control
 match protocol sip
 match access-group 101
class-map match-all VoIP-Data
 match dscp ef/match precedence 5/match protocol rtp **
 match access-group 101

access-list 101 permit ip any host 202.x.VOIP.PROXY

policy-map QOS-OUT
 class VoIP-Control
  bandwidth 60
 class VoIP-Data
  priority percent 50
 class class-default
  fair-queue 2048

then apply the policy-map to your interface like so

service-policy output QOS-OUT

Make sure you have a bandwidth statement set on your interface

bandwidth x

where x is in kilobits.

The value in the classes under the policy-map: bandwidth 60 is saying guarantee this much bandwidth in kilobits to this particular class.

The value in the classes under the policy-map: priority percent 50 is saying give 50 percent of the bandwidth you specified in your bandwidth statement on your interface LLQ (low latency queuing) to this class, you want to use priority for your real time traffic (ie the rtp stream), bandwidth is fine for the normal control traffic and other traffic ie www etc. if you were wanting to prioritise that.

You would modify these bandwidth and priority values to your needs based on the number of simultaneous calls you plan to offer.

** pick one that best suits you, if your voip equipment is marking a tos bit then great, otherwise match protocol rtp should work unless you are on an old IOS.

You can't QoS inbound so to speak, best you can do is police traffic, I suggest you not worry about this for now as for VoIP to be effective the QoS has to be bi-directional so the other end should be matching you as well.

Ben

----- Original Message -----
From: Nick Voth [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Tuesday, July 22, 2008 5:39 AM
Subject: [c-nsp] QoS for VoIP to specific proxy

Hello folks,

Please pardon me asking what I'm sure has been answered before. I've looked through the archives and the Cisco site, but I'm still confused about what I need to do.

I have a client whose Cisco 1841 CPE router needs to simply prioritize SIP traffic to and from a specific VoIP proxy. Let's say the VoIP proxy is 209.120.xxx.xxx

The customer's current config on their 1841 is below. Can someone give me an idea of how I can accomplish this? Remember, I just basically need priority queuing of any traffic to and from that VoIP proxy listed above.

Thanks very much for any help!

-Nick Voth

-Customer's CPE config

interface FastEthernet0/0
 ip address 67.101.xxx.xxx 255.255.255.248
 duplex auto
 speed auto
 no keepalive
!
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 fdl both
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address negotiated
 ppp chap hostname x
 ppp chap password 7 01465656080E535773
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
Re: [c-nsp] QoS for VoIP to specific proxy
Thanks very much Charles. I'll use this as a template.

-Nick

From: Church, Charles [EMAIL PROTECTED]
Date: Mon, 21 Jul 2008 16:15:06 -0500
To: Nick Voth [EMAIL PROTECTED], cisco-nsp@puck.nether.net
Conversation: [c-nsp] QoS for VoIP to specific proxy
Subject: RE: [c-nsp] QoS for VoIP to specific proxy

Nick,

You can use a class-map to match that traffic using an access-list. If you really want to be specific, you can do a match-all, and match it to 'protocol' as well. Then define a policy-map that prioritizes that class to a certain speed. Then attach the output policy to the interface. I think you can only apply a priority policy to a physical interface, versus a subint or a virtual one.

You can't enforce prioritization towards you. It's up to the other providers. If they're respecting IP PREC or DSCP, you're probably all set. Otherwise, you can control it a bit with input policies to limit non-VoIP traffic (using shaping), but it's far from an exact science.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Voth
Sent: Monday, July 21, 2008 4:09 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] QoS for VoIP to specific proxy

Hello folks,

Please pardon me asking what I'm sure has been answered before. I've looked through the archives and the Cisco site, but I'm still confused about what I need to do.

I have a client whose Cisco 1841 CPE router needs to simply prioritize SIP traffic to and from a specific VoIP proxy. Let's say the VoIP proxy is 209.120.xxx.xxx

The customer's current config on their 1841 is below. Can someone give me an idea of how I can accomplish this? Remember, I just basically need priority queuing of any traffic to and from that VoIP proxy listed above.

Thanks very much for any help!

-Nick Voth

-Customer's CPE config

interface FastEthernet0/0
 ip address 67.101.xxx.xxx 255.255.255.248
 duplex auto
 speed auto
 no keepalive
!
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 fdl both
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address negotiated
 ppp chap hostname x
 ppp chap password 7 01465656080E535773
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
Re: [c-nsp] QoS for VoIP to specific proxy
Thanks very much Ben. This makes sense. Thanks for your help!

-Nick Voth

From: Ben Steele [EMAIL PROTECTED]
Date: Tue, 22 Jul 2008 09:09:38 +0930
To: Nick Voth [EMAIL PROTECTED], cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] QoS for VoIP to specific proxy

Hi Nick,

You want something like this:

class-map match-all VoIP-Control
 match protocol sip
 match access-group 101
class-map match-all VoIP-Data
 match dscp ef/match precedence 5/match protocol rtp **
 match access-group 101

access-list 101 permit ip any host 202.x.VOIP.PROXY

policy-map QOS-OUT
 class VoIP-Control
  bandwidth 60
 class VoIP-Data
  priority percent 50
 class class-default
  fair-queue 2048

then apply the policy-map to your interface like so

service-policy output QOS-OUT

Make sure you have a bandwidth statement set on your interface

bandwidth x

where x is in kilobits.

The value in the classes under the policy-map: bandwidth 60 is saying guarantee this much bandwidth in kilobits to this particular class.

The value in the classes under the policy-map: priority percent 50 is saying give 50 percent of the bandwidth you specified in your bandwidth statement on your interface LLQ (low latency queuing) to this class, you want to use priority for your real time traffic (ie the rtp stream), bandwidth is fine for the normal control traffic and other traffic ie www etc. if you were wanting to prioritise that.

You would modify these bandwidth and priority values to your needs based on the number of simultaneous calls you plan to offer.

** pick one that best suits you, if your voip equipment is marking a tos bit then great, otherwise match protocol rtp should work unless you are on an old IOS.

You can't QoS inbound so to speak, best you can do is police traffic, I suggest you not worry about this for now as for VoIP to be effective the QoS has to be bi-directional so the other end should be matching you as well.

Ben

----- Original Message -----
From: Nick Voth [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Tuesday, July 22, 2008 5:39 AM
Subject: [c-nsp] QoS for VoIP to specific proxy

Hello folks,

Please pardon me asking what I'm sure has been answered before. I've looked through the archives and the Cisco site, but I'm still confused about what I need to do.

I have a client whose Cisco 1841 CPE router needs to simply prioritize SIP traffic to and from a specific VoIP proxy. Let's say the VoIP proxy is 209.120.xxx.xxx

The customer's current config on their 1841 is below. Can someone give me an idea of how I can accomplish this? Remember, I just basically need priority queuing of any traffic to and from that VoIP proxy listed above.

Thanks very much for any help!

-Nick Voth

-Customer's CPE config

interface FastEthernet0/0
 ip address 67.101.xxx.xxx 255.255.255.248
 duplex auto
 speed auto
 no keepalive
!
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 fdl both
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address negotiated
 ppp chap hostname x
 ppp chap password 7 01465656080E535773
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
[c-nsp] Disabling per-interface mls qos in 12.2SX, Possible?
Currently running a combination of SXF and SXH2a on 65xx, Sup720-3BXL

Trying to disable PFC qos for a number of interfaces according to the documentation here:

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m2.html#wp1011524

which states that this should be possible (introduced in 12.2(14)SX)

However, the parser does not accept this command per-interface

router (config)#int g6/1
router (config-if)#no mls qos ?
  cos                cos keyword
  dscp-mutation      mutation keyword
  exp-mutation       exp mutation keyword
  mpls               mpls keyword
  queue-mode         queueing mode
  statistics-export  qos statistics export enable or disable
  trust              trust keyword

Note lack of <cr>

Trying the command just disables mls qos for the entire box.

Does anybody know if this is possible or just a documentation error / clarification issue? or am I completely misunderstanding this?

Dave.

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
Re: [c-nsp] BGP Hold Time Expired, but why?
same issue, no differences...got me

On Sun, Jul 20, 2008 at 2:53 AM, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

I don't know, but I would try it.. Looks weird..

oli

*From:* Christian Koch [mailto:[EMAIL PROTECTED]
*Sent:* Saturday, July 19, 2008 7:07 PM
*To:* Oliver Boehmer (oboehmer)
*Cc:* cisco-nsp
*Subject:* Re: [c-nsp] BGP Hold Time Expired, but why?

config look ok as far as i can see, i actually dont have bgp router-id set in the bgp config... you think if i add that with the loopback ip, it would make a difference?

config

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 bgp dampening
 neighbor Backbone peer-group
 neighbor Backbone remote-as 65000
 neighbor Backbone update-source Loopback1
 neighbor Backbone version 4
 neighbor Backbone send-community
 neighbor 10.10.10.2 peer-group Backbone
 neighbor 10.10.10.3 peer-group Backbone
 no auto-summary

On Sat, Jul 19, 2008 at 12:29 PM, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Hmm, %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization looks unexpected, not sure what's happening.. just a hunch, but can you double-check your config regarding loopback addresses, bgp router-id and things? Possibly add some bgp debug (deb bgp all events, deb bgp all, deb bgp all keep) and see if something weird pops up? What does the neighbor's (10.10.10.3) log say?

oli

From: Christian Koch [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 19, 2008 3:08 PM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp
Subject: Re: [c-nsp] BGP Hold Time Expired, but why?

hmm, i didnt check cef/mpls on the new path, i should try that.. there is connectivity between the loopbacks

the session comes back up right after the timer expires. thats what puzzles me actually

3-4 is about how long i kept it down for..

Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:22 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:22 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from FULL to DOWN, Neighbor Down: Interface down or detached
Jul 16 14:29:22 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is DOWN (Interface not operational)
Jul 16 14:29:22 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:23 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:33 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is UP
Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
Jul 16 14:30:37 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is DOWN (Discovery Hello Hold Timer expired)
Jul 16 14:31:39 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is UP
Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
Jul 16 14:32:38 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization
Jul 16 14:32:45 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Up

On Sat, Jul 19, 2008 at 3:24 AM, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

No clue what's happening.. I've seen issues in the past with TCP PMTUD when the path converges over a link with a different MTU (which is happening in your case), but as BGP will not send packets larger than 4k, this shouldn't be an issue here.

How long did you take down the link before bringing it back up? I assume longer than 3 minutes? Have you checked CEF and MPLS along the new path? You have IP connectivity between the loopbacks aR1 and bR2? Does the session come back up eventually, or will it stay down?

oli

Christian Koch wrote on Saturday, July 19, 2008 8:38 AM:

sorry forgot to specify the bgp session from aR1 to bR2 is the session in question

ck

On Sat, Jul 19, 2008 at 2:21 AM, Christian Koch [EMAIL PROTECTED] wrote:

Hello - I have the following topology in lab, testing different failure scenarios. When i disconnect the link between aR1 and bR1, what would appear to be normal happens - ospf and ldp neighbor go down. When i re-connect the link between aR1
Re: [c-nsp] Transparent Proxy
Yap, use WCCP. Your config below is not transparent. Once your proxy down, all 80 failed.

rgs
a. rahman isnaini rangkayo sutan

Arie Vayner (avayner) wrote:
> Hi,
>
> Take a look at WCCP. It should be supported on most of the proxy servers out there:
> http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_wccp_ps6350_TSD_Products_Configuration_Guide_Chapter.html
>
> Arie
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rhino Lists
> Sent: Monday, July 21, 2008 19:16 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Transparent Proxy
>
> I don't know what I am doing wrong trying to set this up, I want to filter all port 80 traffic through a proxy.
>
> I have a 3662 configured the following way:
>
> Int f0/0 Main Internet Feed
> Int f0/1 Network Users (That I want to force through a Proxy)
>  ip policy route-map our-proxy
>
> access-list 111 deny tcp any any neq www
> access-list 111 deny tcp host 192.168.1.188 any
> access-list 111 permit tcp any any log
>
> route-map our-proxy permit 10
>  match ip address 111
>  set ip next-hop 192.168.1.188
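How the ACL 111 / route-map our-proxy configuration quoted in the message above selects traffic, as an added example that is not part of the original posts: a small Python evaluator for the subset of extended-ACL syntax used there (first match wins, implicit deny at the end). The client address 192.168.1.50 and the external addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ACL 111 and the route-map next hop, exactly as posted in the thread.
ACL_111 = """\
access-list 111 deny tcp any any neq www
access-list 111 deny tcp host 192.168.1.188 any
access-list 111 permit tcp any any log
"""
NEXT_HOP = "192.168.1.188"
PORT_NAMES = {"www": 80}  # IOS keyword for TCP port 80


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "ip", ...
    src: Tuple[int, int]               # (address, wildcard) as integers
    sport: Optional[Tuple[str, int]]   # ("eq" | "neq", port) or None
    dst: Tuple[int, int]
    dport: Optional[Tuple[str, int]]


def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(first)),
            int(ipaddress.IPv4Address(tokens.pop(0))))


def _port(tokens):
    """Consume an optional 'eq P' / 'neq P' port test."""
    if tokens and tokens[0] in ("eq", "neq"):
        op, name = tokens.pop(0), tokens.pop(0)
        return (op, PORT_NAMES[name] if name in PORT_NAMES else int(name))
    return None


def parse_acl(text):
    """Parse the subset of extended-ACL syntax used in the posted config."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        tokens = tokens[2:]                      # drop 'access-list <number>'
        action, proto = tokens.pop(0), tokens.pop(0)
        src, sport = _addr(tokens), _port(tokens)
        dst, dport = _addr(tokens), _port(tokens)
        aces.append(Ace(action, proto, src, sport, dst, dport))  # 'log' ignored
    return aces


def _addr_ok(spec, ip):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF                # wildcard bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def _port_ok(test, port):
    if test is None:
        return True
    op, want = test
    return (port == want) if op == "eq" else (port != want)


def acl_action(aces, proto, src, sport, dst, dport):
    """First matching entry wins; no match means the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if (_addr_ok(ace.src, src) and _port_ok(ace.sport, sport)
                and _addr_ok(ace.dst, dst) and _port_ok(ace.dport, dport)):
            return ace.action
    return "deny"


def forwarding(aces, proto, src, sport, dst, dport):
    """route-map our-proxy permit 10: an ACL permit sets the next hop,
    anything else is forwarded by the normal routing table."""
    if acl_action(aces, proto, src, sport, dst, dport) == "permit":
        return "policy-route via " + NEXT_HOP
    return "normal routing"


# Constructed sample packets: (proto, src, sport, dst, dport).
SAMPLES = [
    ("tcp", "192.168.1.50", 40001, "203.0.113.10", 80),    # user HTTP
    ("tcp", "192.168.1.50", 40002, "203.0.113.10", 443),   # user HTTPS
    ("tcp", "192.168.1.50", 40003, "203.0.113.10", 8080),  # HTTP on another port
    ("tcp", "192.168.1.188", 40004, "203.0.113.10", 80),   # the proxy's own fetch
    ("udp", "192.168.1.50", 40005, "198.51.100.53", 53),   # DNS
]

if __name__ == "__main__":
    acl = parse_acl(ACL_111)
    for pkt in SAMPLES:
        print(pkt, "->", forwarding(acl, *pkt))
```

Only TCP to port 80 from hosts other than the proxy is handed to 192.168.1.188; HTTPS, HTTP on other ports and all non-TCP traffic follow normal routing, so a filter enforced this way sees port-80 traffic only.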