Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
Hi,

On Mon, Aug 18, 2008 at 06:36:20PM -0500, Scott Lambert wrote:
> I have a customer who went directly to cisco to ask about how to load balance two WAN connections

I see two key issues here:

- how to load *balance*.
- how to reliably detect wireless is down if there is no end-to-end routing possible

The first one is hard - if you have two routers involved, VRRP (or GLBP, if there is only a single client) will not provide load balancing, but only failover. That is: while one of the boxes is working, it will receive all the traffic from the PIX, and if it breaks, all the traffic goes to the other box.

One possible approach to do this might be via manual balancing, as in route all the VPN connections over one path, and all the web surfing over the other path, but that's not overly easy to maintain.

The other approach might be with Cisco OER - let the boxes figure out what destinations have the most traffic, and balance these flows over both links. But that will only work outbound from the customer to you - from the ISP (you) to the customer, you also need to decide upon the balancing criteria, if any.

Just failover is easy :)

The second part (how to diagnose that the wireless is down) is easier - you could use a BGP session from the customer router to your edge router, just sending customer routes and default back and forth. If the wireless mesh breaks, the BGP session will also break, and routing will fall over to the other link. (The StarOS routers would need to know the customer routes statically, but that's not a problem, unless the customer changes their IP addresses frequently).

If BGP is not an option, you could do it with IP SLA (ping testing) and static route tracking (if it doesn't ping, withdraw the route) on both ends, but that's less elegant than BGP - and much more configuration work.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 11503 ssl redundancy synch
Many thanks Vijay, had suspected as much, just didn't want to believe it!

It does seem really silly for the price of these things, it looks like I will be pushing for a pair of F5's when I implement my shared LB solution,

Thanks again,
Toby Burrows

-Original Message-
From: Ramcharan, Vijay A [mailto:[EMAIL PROTECTED]
Sent: 18 August 2008 19:46
To: Toby Burrows (Qube); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] 11503 ssl redundancy synch

I don't believe you are missing anything. SSL files (keys, certs etc) are most likely not copied across. You will probably need to manually import them into your standby box.

For whatever reason, the ACE has this same limitation (seemingly silly as I can't put my finger on the reason why Cisco cannot sync SSL files as well as the config). F5 has had this on their boxes for a long time now. Makes SSL configuration a snap.

Vijay Ramcharan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Toby Burrows (Qube)
Sent: August 18, 2008 04:52
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 11503 ssl redundancy synch

Hi all,

I have 2 css11503's in active/passive redundancy config. When using the commit_redundConfig command the ssl does not copy across. I have cleared the standby box and started again, but with no luck.

The config guides I have found offer little info on the ssl redundancy, just the normal IP redundancy, the question is should I configure the ssl config and import the certs on both boxes and then commit the redundant config when I have verified the ssl config on the standby unit? Or should it copy all config including all the ssl stuff and I'm missing something?

Thanks in advance

Toby Burrows
Network Engineer
Qube Networks
[c-nsp] 20G Etherchannel with Standby-SupV?
For a project we are in the process of evaluating the way to implement the requirements ... One solution would be a dual (extendable) site setup with a 4507R at each site, with dual SupV 10GE and dual connection each via two different fiber routes. Plan would be to connect one port each of the active and standby Sup via one way, the other via the other way, resulting in a decent redundancy in case of a Sup failure.

Anyway, having dual 10G links between both sites would definitely call for setting up a 20G etherchannel - question is, can an etherchannel be configured using a 10G interface from each of the two Sups?

From Cisco docs like http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps6033/product_data_sheet0900aecd801c5c66_ps4324_Products_Data_Sheet.html I read that all ports of the SupV (2x 10G 4x 1G) in Standby/Redundancy are usable, so I would assume this also goes for setting up Etherchannels?

Tnx, -garry
[c-nsp] snmp values for individual vlans on trunk port
Hi,

Just been asked if it's possible to pull out the traffic values for specific vlans on a trunk port via snmp on a 2960 or 3750. I'm pretty sure the answer is no, but thought I'd have an ask, any suggestions?

Vince
Re: [c-nsp] Queuing on 1 Gig transit interfaces
Hello,

if the interface is GigE with traffic at around 300Mb/s and there is not any other back pressure mechanism like traffic shaping then on the interface is not congestion and the congestion management like WFQ is not in use.

David

the congestion management is used only when

On 8/19/08, Nic Tjirkalli [EMAIL PROTECTED] wrote:
> howdy ho,
>
> we have some transit interfaces that are GIG E interfaces on CISCO 7500 and 7600 boxes. these interfaces run at most at around 300 Meg. The current queuing scheme on them is FIFO.
>
> we have some operational folk who are making sounds that they want the queuing to be WFQ as these boxes are pushing a mix of internet traffic and VOIP packets (RTP packets)
>
> My feelings are to leave the queuing as FIFO but was wondering if others had some feelings or experience in this
>
> thanking you in advance for any thoughts or info
>
> later
> -
> Knowledge speaks, but wisdom listens.
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
Re: [c-nsp] 20G Etherchannel with Standby-SupV?
Looks like I mis-read (or at least misunderstood) the wording in the document I quoted ... in another one, I found a slightly more clear statement which noted that of the four 10G interfaces, any two could be used in a redundant setup ... so I guess the 20G idea is only feasible for a 2-site setup, as in any larger setup, a ring would be operated, which then terminates one 10G line each on two different remote sites ...

-garry
Re: [c-nsp] CAB-HD8-ASYNC extension cables?
On Aug 19, 2008, at 12:21 AM, Kevin Graham wrote:

The connector on the cards are (Micro)D68F (also used by SCSI-3 devices). You would be looking for a D68M-D68F cable to extend the connection.

[...oops. sorry Brian, you were right...] Thanks, I didn't have one on hand to check. Do you happen to know if the pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be very useful for sparing...)

Unfortunately, I'm not sure, and the pinout on the HD8-ASYNC has been hard to track down online.

...though I'd admit the D68 extension is a tidier solution in the rack :).

That's the idea. Even with clean cable management, it's still better to get that fanout as far from central panels as needed.

I was also able to come up with vendors that make custom length CAB-HD8-ASYNC compatible cables

If going that approach, it'd be even cooler to get something in a cassette format to go right next to the MPO breakouts...

Cisco does recommend a vendor that provides 1RU breakouts in 32 and 48 port configurations, which you feed using D68M-D68M cables:

Q. Are cable management solutions available for asynchronous ports?
A. Components Express Inc. offers patch panel solutions for the HWIC-8A and HWIC-16A. These patch panels connect to the high-density asynchronous connectors and break out into individual RJ-45 jacks for each asynchronous port

I have not found any vendors providing a cassette format, but I certainly see the appeal there.
[c-nsp] Platform experience and recommendations for L2TPv3.
Good morning list. No rant today. :-)

I am looking, however, for the collected experience of this list in platform experience and recommendations for providing six to twelve point to point L2TPv3 (or equivalent technology) tunnels at up to 150Mb/s rates between APS-protected OC3 endpoints (if you have experience in that area; otherwise just straight tunnels). I have a limited selection of 7500-series routers available, a single 3845, and a 12012 (but no OC48 POS card for a tunnel server; wish I could use the single card 'half' of an OC48 SRP set to do that, as I have one of those).

I am open to suggestions on alternative means of providing layer 2 adjacency for multiple VLANs across an OC3 POS link, as well.

I'd also like to hear the experience of the list on how to prevent hairpinning of traffic across an L2TPv3 tunnel; that is: I've got four devices: A, B, C, and D (I know, creative names). A and B are on one end of the link; C and D are on the other. A and C are in the same subnet and are layer 2 adjacent through tunnel X. B and D are both in a different subnet, and have layer 2 adjacency with each other through tunnel Y. How do I prevent traffic between A and B (or between C and D) of traversing the tunnel twice? (that is, one direction on tunnel X, through a router, then back through tunnel Y)

I've thought of some form of HSRP or similar protocol. Or is there a better way? A needs to use a router on its end of the link, and C needs to use a router on its end of the link (oh, and just manipulating the default routes in A or C's OS isn't a possibility due to what A and C would be: VMware guests).

The application is VMotion and HA/DRS on VMware across an OC3 POS WAN link between two VMware ESX hosts (one at the prime site, one at the DR); VMotion requires layer 2 adjacency (and does MAC hijacking, which has its own things, but I'm not that far yet) between the two ESX hosts in order to work.

Thanks in advance for any responses.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
[c-nsp] 7600, diagnostic per-port
Hi all,

#diagnostic start module 3 test per-port port 2
Diagnostic[Module 3]: Running test(s) 4-5 may disrupt normal system operation
Do you want to continue? [no]:

Will running this diagnostics feature be disruptive to traffic on any other ports than port 2? Port 2 is currently down/down but I have traffic on port 1 and would rather not disrupt traffic on that port while testing port 2.

--
Regards
Christian Bering
IP engineer, nianet a/s
Phone: (+45) 7020 8730
Re: [c-nsp] CAB-HD8-ASYNC extension cables?
On Monday 18 August 2008 21:40:35 Andrew Girling wrote:
> The connector on the cards are (Micro)D68F (also used by SCSI-3 devices).

A SCSI LVD/SE 68 pin extension might work; I'd just wonder about the pairing (SCSI cables have strict pairing guidelines; certain signals have to traverse certain pairs in the cable; the highest speed and most critical signals are carried in the center of the cable, and the slowest are carried closer to the shield). Each data line has its paired return, which might or might not match pairing in the HD8-ASYNC. At low speeds it wouldn't matter, but higher speed async signals might suffer from increased crosstalk.

You can see the way SCSI LVD/SE cables are laid out by looking at http://www.paralan.com/lvdmsepinout.html

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
[c-nsp] OT: network inventory
Hi,

Anybody familiar with (freeware/shareware) tools for a network inventory? Install-base is 100% cisco. Are there other utilities around that would scan the collected configurations and read relevant info (descriptions, ip add, link bandwidth etc)?

Nasir Shaikh
Re: [c-nsp] OT: network inventory
I think solar winds may help you.

Regards,
Jack

--
From: [EMAIL PROTECTED]
Sent: Tuesday, 19 August, 2008 8:13 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OT: network inventory

Hi,

Anybody familiar with (freeware/shareware) tools for a network inventory? Install-base is 100% cisco. Are there other utilities around that would scan the collected configurations and read relevant info (descriptions, ip add, link bandwidth etc)?

Nasir Shaikh
Re: [c-nsp] OT: network inventory
On Tue, Aug 19, 2008 at 01:13:28PM +0100, [EMAIL PROTECTED] wrote:
> Anybody familiar with (freeware/shareware) tools for a network inventory? Install-base is 100% cisco.

Sounds like you want rancid: http://www.shrubbery.net/rancid/

--Jeff
[c-nsp] voice call drop on as5400
Hello

I would like to share the problem we recently got on our network. We have DS3 coming to as5400, that converting PSTN calls to VOIP. We're handling only incoming calls, so the dial-peer config is simple, one voice and one voip provider.

Recently we've started receiving complaints from our customers on dead air and drops during their conferences. The issues looked like this - person dialed to the DID and nobody answered during 10-120 seconds, then the call terminated by timeout.

Recently we're able to reproduce this, with debug 'call-mgmnt' it's dumping the following on console:

Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3
Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3
Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3
Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3

I've checked with tcpdump cisco do not send anything to IP bridge to establish the call at that time. Telco says they see a lot of rejected calls from our side, but there is nothing on our end (I have not seen yet)

as5400 were recently updated to 12.4(9)T4. Please advise on how to debug this problem.

regards,
Andrei
Re: [c-nsp] CAB-HD8-ASYNC extension cables?
Andrew Girling [EMAIL PROTECTED] writes:
> On Aug 19, 2008, at 12:21 AM, Kevin Graham wrote:
>> Thanks, I didn't have one on hand to check. Do you happen to know if the pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be very useful for sparing...)
>
> Unfortunately, I'm not sure, and the pinout on the HD8-ASYNC has been hard to track down online.

It's here: http://www.cisco.com/en/US/docs/routers/access/hardware/notes/marcabl.pdf

The pinout does not seem to be consistent with the CAB-OCTAL. Ref http://www.cisco.com/en/US/docs/routers/access/2500/software/user/guide/cables.html#wp2406

Bjørn
Re: [c-nsp] OT: network inventory
Besides documenting config changes, can rancid perform a tftp backup of router / switch startup configs, or integrate with some other software to pull down the config file if a change is detected?

- Original Message -
From: Lamar Owen [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Tuesday, August 19, 2008 8:42 AM
Subject: Re: [c-nsp] OT: network inventory

On Tuesday 19 August 2008 08:13:28 [EMAIL PROTECTED] wrote:
> Anybody familiar with (freeware/shareware) tools for a network inventory? Install-base is 100% cisco. Are there other utilities around that would scan the collected configurations and read relevant info (descriptions, ip add, link bandwidth etc)?

I use OpenNMS, which is a full bore network management system. Has great autodiscovery, and reads what it needs to know via SNMP. Can do layer 2 link detections and paths. Doesn't pull in configs; rancid does that quite well.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
Re: [c-nsp] OT: network inventory
http://www.ziptie.org/

--
Rikard

On Tue, 19 Aug 2008, [EMAIL PROTECTED] wrote:
> Hi,
>
> Anybody familiar with (freeware/shareware) tools for a network inventory? Install-base is 100% cisco. Are there other utilities around that would scan the collected configurations and read relevant info (descriptions, ip add, link bandwidth etc)?
>
> Nasir Shaikh
Re: [c-nsp] OT: network inventory
On Tuesday 19 August 2008 09:04:29 Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of router / switch startup configs, or integrate with some other software to pull down the config file if a change is detected?

See http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid and see if that meets your needs.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
Re: [c-nsp] OT: network inventory
On Tue, 19 Aug 2008, Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of router / switch startup configs, or integrate with some other software to pull down the config file if a change is detected?

It doesn't use tftp for it, but rancid does backup your configs and put them into CVS so you can see when a change was made, compare configs from different times, etc. It also stores the latest versions of the configs as flat files, so you can easily do some scripting to do things like find all routers of a certain type, make a list of router names and the software versions they're running, etc.

--
Jon Lewis                   |  I route
Senior Network Engineer     |  therefore you are
Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: [c-nsp] OT: network inventory
On Tue, Aug 19, 2008 at 09:04:29AM -0400, Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of router / switch startup configs, or integrate with some other software to pull down the config file if a change is detected?

Lots of folks trigger rancid runs on snmp traps or syslog events. Best IMO is to front-end your changes thru rancid have that wrapper log/trigger runs/etc to your heart's content.

Only the long list of 'round tuits' is to recreate all the good ol rtrmon suite actions as rancid wrappers.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: [c-nsp] OT: network inventory
So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.

--chip
--
Just my $.02, your mileage may vary, batteries not included, etc
Re: [c-nsp] OT: network inventory
You can use a tool from the cisco partner site called Cisco Network Discovery Tool. It will categorize every module in IOS/CatOS devices and output them to excel spreadsheets. It lists all EOL hardware and Software as well as serial numbers and such per device and module. It's great for smartnet renewals and tracking. You have to be a partner to use it though but it works well. I use it all the time. It also lists what IOS have PSIRT etc and provides links to the cisco PSIRT site.

Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chip
Sent: Tuesday, August 19, 2008 9:57 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: network inventory

So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.

--chip
--
Just my $.02, your mileage may vary, batteries not included, etc
Re: [c-nsp] OT: network inventory
I've had pretty good luck with nedi so far: http://www.nedi.ch/

On Tue, 19 Aug 2008 09:56:42 -0400 chip [EMAIL PROTECTED] wrote:
> So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.
>
> --chip
Re: [c-nsp] OT: network inventory
On Tuesday 19 August 2008 09:56:42 chip wrote:
> So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc.

So you want to issue a 'show inventory raw' command and capture the results, essentially, right? Seems rancid could do this, as it can produce arbitrary scripts and diff the results; perhaps a rancid expert here (which I'm not) can further comment.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
Re: [c-nsp] OT: network inventory
hi Chip,

chip wrote:
> So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.
>
> --chip

CiscoWorks does all that magic inventory stuff. Costs though :-(

You can then do all sorts of queries, eg tell me all the routers running 12.x with a WIC because there is a vulnerability.

On recent IOS's show inventory does what you want, but it is not supported everywhere.
Re: [c-nsp] OT: network inventory
On Tue, Aug 19, 2008 at 10:24 AM, Lamar Owen [EMAIL PROTECTED] wrote:
> On Tuesday 19 August 2008 09:56:42 chip wrote:
>> So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc.
>
> So you want to issue a 'show inventory raw' command and capture the results, essentially, right? Seems rancid could do this, as it can produce arbitrary scripts and diff the results; perhaps a rancid expert here (which I'm not) can further comment.
>
> --
> Lamar Owen
> Chief Information Officer
> Pisgah Astronomical Research Institute
> 1 PARI Drive
> Rosman, NC 28772
> http://www.pari.edu

'show inventory raw'

How have I missed this command for so long? That's perfect! Thanks sir! Now to parse, put into xml, and track the changes. Lots easier than dealing with snmp, different platforms, different os versions.

--chip
--
Just my $.02, your mileage may vary, batteries not included, etc
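The parse, store-as-XML and track-changes workflow mentioned in the message above can be sketched as follows. This is an added example, not code from the thread or from any tool named in it; the sample `show inventory` text is constructed, the serial numbers are placeholders, and keying entities by NAME assumes names are unique per device.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample output (not captured from a real device); serials are placeholders.
SNAPSHOT_OLD = '''router1#show inventory
NAME: "Chassis", DESCR: "Cisco 7206VXR, 6-slot chassis"
PID: CISCO7206VXR      , VID:    , SN: EXAMPLE0001

NAME: "NPE-G1 0", DESCR: "Cisco 7200VXR Network Processing Engine NPE-G1"
PID: NPE-G1            , VID: V01, SN: EXAMPLE0002

NAME: "module 1", DESCR: "GigabitEthernet port adapter"
PID: PA-GE             , VID:    , SN: EXAMPLE0003

NAME: "Power Supply 1", DESCR: "Cisco 7200 AC Power Supply"
PID: PWR-7200-AC       , VID:    , SN:
'''

# Later snapshot: module 1 has a different serial, module 2 is new, the PSU is gone.
SNAPSHOT_NEW = '''router1#show inventory
NAME: "Chassis", DESCR: "Cisco 7206VXR, 6-slot chassis"
PID: CISCO7206VXR      , VID:    , SN: EXAMPLE0001

NAME: "NPE-G1 0", DESCR: "Cisco 7200VXR Network Processing Engine NPE-G1"
PID: NPE-G1            , VID: V01, SN: EXAMPLE0002

NAME: "module 1", DESCR: "GigabitEthernet port adapter"
PID: PA-GE             , VID:    , SN: EXAMPLE0099

NAME: "module 2", DESCR: "FastEthernet port adapter"
PID: PA-FE-TX          , VID:    , SN: EXAMPLE0004
'''

# DESCR may contain commas, so the quoted strings are matched as a whole.
NAME_RE = re.compile(r'^NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"$')
# PID, VID and SN may each be empty (common for fans, power supplies, containers).
PID_RE = re.compile(
    r'^PID:\s*(?P<pid>[^,]*?)\s*,\s*VID:\s*(?P<vid>[^,]*?)\s*,\s*SN:\s*(?P<sn>\S*)$')


def parse_show_inventory(text):
    """Return a list of dicts, one per NAME/PID record pair, in device order."""
    items, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # also drops a trailing \r left by terminal captures
        m = NAME_RE.match(line)
        if m:
            current = {"name": m["name"], "descr": m["descr"],
                       "pid": "", "vid": "", "sn": ""}
            items.append(current)
            continue
        m = PID_RE.match(line)
        if m and current is not None:
            current.update(pid=m["pid"], vid=m["vid"], sn=m["sn"])
            current = None  # a PID line closes the record
    return items


def to_xml(hostname, items):
    """Serialize parsed entities; ElementTree escapes attribute values."""
    root = ET.Element("inventory", host=hostname)
    for item in items:
        ET.SubElement(root, "entity", item)
    return ET.tostring(root, encoding="unicode")


def diff_inventory(old, new):
    """Compare two snapshots by entity name: added, removed, or PID/SN changed."""
    old_by = {i["name"]: i for i in old}
    new_by = {i["name"]: i for i in new}
    changes = []
    for name in sorted(old_by.keys() | new_by.keys()):
        o, n = old_by.get(name), new_by.get(name)
        if o is None:
            changes.append(("added", name, f'{n["pid"]}/{n["sn"]}'))
        elif n is None:
            changes.append(("removed", name, f'{o["pid"]}/{o["sn"]}'))
        elif (o["pid"], o["sn"]) != (n["pid"], n["sn"]):
            changes.append(("replaced", name,
                            f'{o["pid"]}/{o["sn"]} -> {n["pid"]}/{n["sn"]}'))
    return changes


if __name__ == "__main__":
    old = parse_show_inventory(SNAPSHOT_OLD)
    new = parse_show_inventory(SNAPSHOT_NEW)
    print(to_xml("router1", new))
    for change in diff_inventory(old, new):
        print(*change)
```

A serial number that changes without a matching change ticket is the case worth alerting on, since it means a card was swapped outside the normal process.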
Re: [c-nsp] Queuing on 1 Gig transit interfaces
Exactly. Some folks think they need it just to say they are doing fancy qos. ;) If you want to put a MQC policy on the interface they can. But don't do it at those rates on the 7500 as you will kill the VIP CPU. They need a hardware forwarding platform to do those rates with QOS. Rodney On Tue, Aug 19, 2008 at 11:43:59AM +0200, David Granzer wrote: Hello, if the interface is GigE with traffic at around 300Mb/s and there is not any other back presure mechanism like traffic shaping then on the interface is not congestion and the congestion management like WFQ is not in use. David the congestion management is used only when On 8/19/08, Nic Tjirkalli [EMAIL PROTECTED] wrote: howdy ho, we have some transit interfaces taht are GIG E interfaces on CISCO 7500 and 7600 boxes. these interfaces run at most at around 300 Meg. The current queuing scheme on them is FIFO. we have some operational folk who are making sounds that they want the queuing to be WFQ as these boxes are pushing a mix of internet traffic and VOIP packets (RTP packets) My feelings are to leave the queuing as FIFO but was wondering if others had some feelings or expierence in this thanking you in advance for any thoughts or info later - Knowledge speaks, but wisdom listens. Nic Tjirkalli Verizon Business South Africa Network Strategy Team Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. Company Information:http:// www.verizonbusiness.com/za/contact/legal/ This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. 
Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
omg terrible formatting, apologies everyone! damn webmail client...

- Original Message -
From: [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net; Scott Lambert [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2008 1:25 PM
Subject: Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

Hi Scott,

Try this:

Seeing as you are working statics over your wireless cloud, to simplify things a little set up a GRE tunnel from your 7200 over the wireless to the 1841 (don't forget to subtract 24 bytes off the MTU, ie if it's a 1500 path put ip mtu 1476 in the tunnel interface and also add keepalives so it will actually go down if it is down), and I assume your T1 is point to point from the other 1841 to the 7200.

Now assuming this is going to be a redundant configuration as well as load-balanced you need to have a subnet that can float between the 2 links that your customer can NAT against (which by the way will happen on the ASA they got sold), there are 2 ways you can achieve this, 1 is by using ip sla to monitor the next hop of each of the customer links from your 7200 with statics, the other is private BGP, you sure as hell don't want to start running an IGP to your customers (unless it's MPLS VPN).

Let's say you assign your customer 1.0.0.0/27 as their usable floating subnet and the T1 is 2.0.0.1/30 at your end and your GRE tunnel (wireless) is 2.0.0.5/30 at your end. Set up ip sla with icmp echo to 2.0.0.2 and 2.0.0.6 (each in their own rtr group of course, say 1 and 2 respectively).

ip route 1.0.0.0 255.255.255.224 2.0.0.2 track 1
ip route 1.0.0.0 255.255.255.224 2.0.0.6 track 2

Hope that makes sense, essentially traffic will only route to your customer if your 7200 can ping their respective 1841, the other private BGP option I am going to assume you are already familiar with being in an ISP.

Now for the customer to you.

AFAIK the ASA cannot load balance, it can only forward out 1 interface at a time. So what you need to do is put the ASA and the 2 1841 interfaces into a switch so they can all see each other at layer2, now set up hsrp on your 1841 interfaces for redundant gateways, let's say you use 1.0.0.1 (t1), 1.0.0.2 (wireless), 1.0.0.3 (hsrp), now the next part is a little trickier, I am going to assume your T1 is your primary link for this example but you can switch it around if you want.

On your T1 1841 add a static route for the wireless /30 to go via the LAN interface of the Wireless 1841 (ip route 2.0.0.4 255.255.255.252 1.0.0.2), you should now be able to ping the ISP end of the wireless link from your T1 1841, you want to set up ip sla to monitor the ISP end of the wireless link from your T1 router (ie the T1 router is monitoring 2.0.0.5) and you also want to monitor its end of the T1 link as well, 2.0.0.1.

What this does is let your primary gateway know that it has a complete and valid path for both gateways for redundancy. Now you add 2 static routes with tracking on your primary 1841

ip route 0.0.0.0 0.0.0.0 2.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 1.0.0.2 track 2

Your wireless 1841 need only have the 1 gateway via its wireless tunnel as it should only ever fall over to that router if there is a serious problem on the primary side so you don't want it routing back that way anyway, however make sure you enable pre-empt so it fails back to the primary once it is back up.

You can optimise this a little further with the global command

ip cef load-sharing algorithm include-ports destination source

or if you're game you can even do per-packet load sharing, however I wouldn't recommend it as your 2 paths are going to have different characteristics, I'd probably just try the method I listed first.

As mentioned previously the ASA config will just be straightforward, NAT/PAT against some pool in 1.0.0.0/27 with a default route to 1.0.0.3 (hsrp), nothing more to it, the 1841's will do all the redundancy and load balancing.

Hope at least some of that made sense, if you need clarification on anything let me know.

Cheers
Ben

On Tue 19/08/08 9:06 AM , Scott Lambert [EMAIL PROTECTED] sent:
> I have a customer who went directly to cisco to ask about how to load balance two WAN connections to their Cisco PIX 515E. Cisco sold them an ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the ASA and 1841s. Apparently, the customer didn't even mention that the two connections were to the same ISP, me. The customer just ordered the equipment and said Make it work.
>
> The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless network.
>
> Cisco sales tech guy said:
>
> What we discussed was the ASA having a default route to the virtual IP address of the routers and they would be running either VRRP or GLBP (whatever they decided they wanted to do) going out to the service provider. Then the routers would simply have a default route going out to the service provider to hit the 'Net.
>
> The network design is
Re: [c-nsp] debugging stack corruption
How are you getting this output? If you ssh/telnet to it and run the command do you get the same output?

That's not stack corruption to me.

Rodney

On Mon, Aug 18, 2008 at 01:10:44PM -0700, bill fumerola wrote:
> anyone see anything like this. i assume only a reload will fix this:
>
> rtr1#sh proc cpu | e 0.0
> CPU utilization for five seconds: 33%/8%; one minute: 37%; five minutes: 35%
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> 3528125122320274973 22 23.35% 20.79% 20.97% 0 Exec
> 70 3616544001417549298255 0.15% 0.11% 0.12% 0 IP Input
> 115 4851843096833738 0 0.15% 0.14% 0.15% 0 HQF Shaper Backg
> rtr1#
>
> nobody else is logged on, little to no amount of traffic is running through the aux/cons ports, but this is interesting:
>
> rtr1#show stacks
> Minimum process stacks:
>  Free/Size Name
>  5676/6000 CDP BLOB
>  8640/9000 EM ED RF
>  11052/12000 Router Init
>  8676/9000 cdp init process
>  8348/12000 Init
>  5304/6000 RADIUS INITCONFIG
>  3616/6000 BGP Open
>  2264/3000 Rom Random Update Process
>  5616/6000 URPF stats
>  5316/6000 BGP Accepter
>  9248/12000 Exec
>  7176/12000 SSH Process
>  4264/6000 TFTP Read Process
>  4204/6000 MSDP Open
>  34540/36000 TCP Command
>  5236/7200 TTY Daemon
>  8496/9000 IP-EIGRP Router
>  3360/6000 [process name is a long run of garbled control characters]
>  6856/9000 [process name is a long run of garbled control characters]
>  10468/12000 HSRP (Standby)
>
> Interrupt level stacks:
> Level Called Unused/Size Name
>  1 2648551315 6280/9000 Network interfaces
>  2 0 9000/9000 DMA/Timer
Re: [c-nsp] OT: network inventory
I see a lot of people ask about this. Here it is my 2 cents:

I have set this using rancid and some perl scripts. If you manage to install rancid then the perl script should contain:

1. variables with: rancid config files, router.db, snmp community
2. vars with port type for cisco/cat/juniper smth like ( %switchports = ("WS-X5225R","24|100baseTX",)
3. get the list of devices you have: smth like:
   my @devcisco = `cat router.db | grep -i :up: | grep -i cisco | cut -f1 -d:`;
   the same for the rest of devices
4. then for the list of devices you have get the infos you need (slot, port, ip..)

--- On Tue, 8/19/08, Lamar Owen [EMAIL PROTECTED] wrote:

> From: Lamar Owen [EMAIL PROTECTED]
> Subject: Re: [c-nsp] OT: network inventory
> To: cisco-nsp@puck.nether.net
> Date: Tuesday, August 19, 2008, 7:24 AM
>
> On Tuesday 19 August 2008 09:56:42 chip wrote:
> > So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc.
>
> So you want to issue a 'show inventory raw' command and capture the results, essentially, right? Seems rancid could do this, as it can produce arbitrary scripts and diff the results; perhaps a rancid expert here (which I'm not) can further comment.
>
> --
> Lamar Owen
> Chief Information Officer
> Pisgah Astronomical Research Institute
> 1 PARI Drive
> Rosman, NC 28772
> http://www.pari.edu
[c-nsp] Transmit Discards Across MLPPP
Hi All:

I am new to this forum so not sure if this is a good place to ask this question.

What's the best way to troubleshoot transmit discards across MLPPP?

Here is my setup and symptoms:

- Cisco 2821 with 3x VWIC1-1MFT making up the multilink @ 1536 bandwidth (IPBASE image)
- I am polling that router via SNMP with Solarwinds Orion @ 1 min intervals
- today bandwidth (Sending) across multilink max of 2.05mbps
- 95th percentile on sending utilization is 33.74%
- today dropped packets so far 1,418
- show policy-map interface shows no drops in the ef queue (for our voip) so all drops are falling thru to our class-default which is using flow based fair queuing
- drops only show @ multilink interface (sh int multilink123) not at the T1 interface level (sh int s0/2/0:0, sh int s0/2/1:0 and sh int s0/1/0:0)
- I don't show any lost fragments (sh int multilink ppp) nor does the provider on the other end of this circuit

My understanding is that the router should only be discarding if the sending interface is congested but it's not. I am concerned about these drops while the utilization is fairly low. Drops do increase as traffic increases on the link.

Any guidance/advice would be very much appreciated. If this has been asked and answered in another thread, please point me in the right direction.

Thanks!

Jeff Wojciechowski
Re: [c-nsp] Transmit Discards Across MLPPP
On a Cisco bundle we do QOS before putting the MLPPP headers on. That prevents a lot of out of orders if you do QOS after putting the MLP headers on.

So what you are seeing sounds correct. You are most likely bursting above the bundle rate coming from your LAN going towards the bundle so the QOS kicks in, prioritizes the traffic, and drops the lower priority.

Rodney

On Tue, Aug 19, 2008 at 10:12:50AM -0500, Jeffrey Wojciechowski wrote:
> Hi All:
>
> I am new to this forum so not sure if this is a good place to ask this question.
>
> What's the best way to troubleshoot transmit discards across MLPPP?
>
> Here is my setup and symptoms:
>
> - Cisco 2821 with 3x VWIC1-1MFT making up the multilink @ 1536 bandwidth (IPBASE image)
> - I am polling that router via SNMP with Solarwinds Orion @ 1 min intervals
> - today bandwidth (Sending) across multilink max of 2.05mbps
> - 95th percentile on sending utilization is 33.74%
> - today dropped packets so far 1,418
> - show policy-map interface shows no drops in the ef queue (for our voip) so all drops are falling thru to our class-default which is using flow based fair queuing
> - drops only show @ multilink interface (sh int multilink123) not at the T1 interface level (sh int s0/2/0:0, sh int s0/2/1:0 and sh int s0/1/0:0)
> - I don't show any lost fragments (sh int multilink ppp) nor does the provider on the other end of this circuit
>
> My understanding is that the router should only be discarding if the sending interface is congested but it's not. I am concerned about these drops while the utilization is fairly low. Drops do increase as traffic increases on the link.
>
> Any guidance/advice would be very much appreciated. If this has been asked and answered in another thread, please point me in the right direction.
>
> Thanks!
>
> Jeff Wojciechowski
Re: [c-nsp] OT: network inventory
On Tue, Aug 19, 2008 at 9:56 AM, chip [EMAIL PROTECTED] wrote:
> So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.

Check out Ziptie. It's still a work in progress and things tend to change around a bit, but the core framework is there and looks very promising. The hardware inventory may not go as far as giving you details on the pluggable optics, but it covers the linecard inventory pretty well as of right now, and the dev team encourages feedback/feature requests.

http://www.ziptie.org/files/images/Screenshot-ZipTie%20-%20Hardware%20Model%20-%20ZipTie%20.preview.png

I'm still in the 'playing around' stage with it, but I'm giving serious consideration to putting it into production.

Cheers,
Laurent
Re: [c-nsp] voice call drop on as5400
Hi Alex,

this is CAS with em, unfortunately. T1s configured as

signaling-class cas test
 profile incoming S*a*d*n
controller T1 7/0:1
 framing esf
 ds0-group 0 timeslots 1-24 type em-fgb dtmf dnis
 cas-custom 0
  class test
!
controller T3 7/0
 framing m23
 clock source line
 t1 1-28 controller
!

I don't see much debug info regarding the issue, enabled debugs for:

CAS:
  Channel Associated Signaling debugging is on
Call Management:
  Call Management debugging is on
Call-denial module:
  Call-denial debugging is on
Call Treatment:
  Call treatment action debugging is on

We issue rate is quite high, about 1000 rejections on 5000-6000 calls every day.

Regards,
Andrei

On Tue, Aug 19, 2008 at 4:59 PM, Alex Balashov [EMAIL PROTECTED] wrote:
> Is there anything that can be gleaned from either the debug on the SIP side or the ISDN (are these PRIs?) side? (debug isdn q931)
>
> On Tue, August 19, 2008 8:36 am, a0kunev wrote:
> > Hello
> >
> > I would like to share the problem we recently got on our network. We have DS3 coming to as5400, that converting PSTN calls to VOIP. We're handling only incoming calls, so the dial-peer config is simple, one voice and one voip provider.
> >
> > Recently we've started receiving complaints from our customers on dead air and drops during their conferences. The issues looked like this - person dialed to the DID and nobody answered during 10-120 seconds, then the call terminated by timeout.
> >
> > recently we're able to reproduce this, with debug 'call-mgmnt' it's dumping the following on console:
> >
> > Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
> > Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
> > Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
> > Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
> > Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3
> > Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3
> > Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3
> > Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3
> >
> > I've checked with tcpdump cisco do not send anything to IP bridge to establish the call at that time. Telco says they see a lot of rejected calls from our side, but there is nothing on our end (I have not seen yet)
> >
> > as5400 were recently updated to 12.4(9)T4.
> >
> > Please advise on how to debug this problem.
> >
> > regards,
> > Andrei
>
> --
> Alex Balashov
> Evariste Systems
> Web: http://www.evaristesys.com/
> Tel: (+1) (678) 954-0670
> Direct: (+1) (678) 954-0671
> Mobile: (+1) (706) 338-8599
Re: [c-nsp] debugging stack corruption
On Tue, Aug 19, 2008 at 10:41:05AM -0400, Rodney Dunn wrote:
> How are you getting this output?

ssh rtr1
en
sh stacks

> If you ssh/telnet to it and run the command do you get the same output?

it is not signal noise (serial spew, ip corruption, etc).

> That's not stack corruption to me.

i'll try and profile the exec process, but i'm not so good w/ profiling and tracing w/o at least symbols. there is also the matter of the 30% solid EXEC process.

however, the switch that device is attached to (both in network and by serial via rtr1:auxsw1:cons) is exhibiting the same behavior. it could be a feedback loop on the serial connection, but i've tried turning all of that down and still no relief. the jump occurred to both at the same time.

it could just be corruption in the display, but the CPU spike is what made me investigate in the first place.

-- bill

rtr1#show stacks
Minimum process stacks:
 Free/Size Name
 [...]
 3360/6000 [process name is a long run of garbled control characters]
 6856/9000 [process name is a long run of garbled control characters]
 10468/12000 HSRP (Standby)

Interrupt level stacks:
Level Called Unused/Size Name
 1 2648551315 6280/9000 Network interfaces
 2 0 9000/9000 DMA/Timer Interrupt
 3 185107 7472/9000 PA Management Int Handler
 4 1715750501 8444/9000 Console Uart
 5 0 9000/9000 OIR/Error Interrupt
 7 3207930022 8532/9000 NMI Interrupt Handler

Spurious interrupts: 233
rtr1#

and on a different router:

rtr1.chi#sh stacks
Minimum process stacks:
 Free/Size Name
 []
Re: [c-nsp] OT: network inventory
> So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.

wktools will also do this - it first collects all of the needed information with SSH/Telnet and then parses it. You will get the S/Ns of the chassis and all modules, power supplies...

show inventory raw is not available on all platforms and versions...

Mathias
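chip's plan earlier in this thread (capture the inventory output, parse it, put it into XML, track the changes), as an added Python example that is not from any poster or tool named here. It assumes the two-line `NAME:/DESCR:` and `PID:/VID:/SN:` layout that `show inventory` prints; both captures and all serial numbers are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed "show inventory" captures for one router; serial numbers are made up.
BEFORE = '''\
NAME: "Chassis", DESCR: "Cisco 7206VXR, 6-slot chassis"
PID: CISCO7206VXR      , VID:    , SN: EXAMPLE0001

NAME: "module 1", DESCR: "PA-GE"
PID: PA-GE             , VID: V01, SN: EXAMPLE0002

NAME: "GigabitEthernet0/1", DESCR: "1000BaseSX SFP"
PID: GLC-SX-MM         , VID: V01, SN: EXAMPLE0003

NAME: "Power Supply 1", DESCR: "Cisco 7200 AC Power Supply"
PID: PWR-7200-AC       , VID:    , SN:
'''
AFTER = '''\
NAME: "Chassis", DESCR: "Cisco 7206VXR, 6-slot chassis"
PID: CISCO7206VXR      , VID:    , SN: EXAMPLE0001

NAME: "module 1", DESCR: "PA-GE"
PID: PA-GE             , VID: V01, SN: EXAMPLE0099

NAME: "module 2", DESCR: "PA-FE-TX"
PID: PA-FE-TX          , VID: V01, SN: EXAMPLE0004

NAME: "Power Supply 1", DESCR: "Cisco 7200 AC Power Supply"
PID: PWR-7200-AC       , VID:    , SN:
'''

# One entity = a NAME/DESCR line followed by a PID/VID/SN line.
# VID and SN may be blank, so SN must not be allowed to run onto the next line.
ENTRY_RE = re.compile(
    r'NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"\s*'
    r'PID:\s*(?P<pid>[^,\n]*?)\s*,\s*VID:\s*(?P<vid>[^,\n]*?)\s*,'
    r'\s*SN:[ \t]*(?P<sn>\S*)'
)


def parse_inventory(text):
    """Return {entity name: {descr, pid, vid, sn}} from one capture."""
    inventory = {}
    for m in ENTRY_RE.finditer(text):
        key, n = m["name"], 1
        while key in inventory:      # some platforms repeat NAME; keep every entry
            n += 1
            key = f'{m["name"]} #{n}'
        inventory[key] = {f: m[f] for f in ("descr", "pid", "vid", "sn")}
    return inventory


def to_xml(device, inventory):
    """Serialise one capture; ElementTree escapes attribute values."""
    root = ET.Element("device", name=device)
    for name, item in inventory.items():
        ET.SubElement(root, "entity", name=name, **item)
    return ET.tostring(root, encoding="unicode")


def diff_inventory(old, new):
    """List hardware changes between two captures, keyed by entity name."""
    changes = []
    for name in sorted(old.keys() | new.keys()):
        a, b = old.get(name), new.get(name)
        if a is None:
            changes.append(("added", name, b["pid"], b["sn"]))
        elif b is None:
            changes.append(("removed", name, a["pid"], a["sn"]))
        elif (a["pid"], a["sn"]) != (b["pid"], b["sn"]):
            # Same slot, different part or serial: a card or optic was swapped.
            changes.append(("replaced", name,
                            f'{a["pid"]}/{a["sn"]}', f'{b["pid"]}/{b["sn"]}'))
    return changes


if __name__ == "__main__":
    old, new = parse_inventory(BEFORE), parse_inventory(AFTER)
    print(to_xml("rtr1", new))
    for change in diff_inventory(old, new):
        print(*change)
```

A "replaced" entry with an unchanged PID but a new serial is the case a config diff never shows, which is why the comparison keys on the serial as well as the part number.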
Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
On Mon, Aug 18, 2008 at 09:02:27PM -0700, Seth Mattinen wrote:
> Scott Lambert wrote:
> > I have a customer who went directly to cisco to ask about how to load balance two WAN connections to their Cisco PIX 515E. Cisco sold them an ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the ASA and 1841s. Apparently, the customer didn't even mention that the two connections were to the same ISP, me. The customer just ordered the equipment and said Make it work.
>
> Whoever sold them on that solution should be the one to make it work. ;)

Wouldn't that be nice though? :-)

I'd like to thank everyone for their replies. I've learned quite a lot from them. I'll be doing more reading and testing with the suggested methods. We'll see what happens. I think I'm going to punt on the load balancing for now and just get it working in failover mode. I'll reply back when I know more and can ask intelligent follow-up questions.

I had a thought on load balancing though, maybe I could hook both 1841s and the wireless ethernet handoff to a switch and get VRRP working on that side so that if the T1 router is up, then traffic can use both the wireless and T1 via whatever method but if the T1 router died, the wireless only router could take over.

Thank you so much for your help! I don't feel so much like a fish out of water now.

--
Scott Lambert KC5MLE Unix SysAdmin
[EMAIL PROTECTED]
Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
If you can do (private) BGP, this document may help:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf3

Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gert Doering
Sent: Tuesday, August 19, 2008 3:21 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

Hi,

On Mon, Aug 18, 2008 at 06:36:20PM -0500, Scott Lambert wrote:
> I have a customer who went directly to cisco to ask about how to load balance two WAN connections

I see two key issues here:

- how to load *balance*.
- how to reliably detect wireless is down if there is no end-to-end routing possible

The first one is hard - if you have two routers involved, VRRP (or GLBP, if there is only a single client) will not provide load balancing, but only failover. That is: while one of the boxes is working, it will receive all the traffic from the PIX, and if it breaks, all the traffic goes to the other box.

One possible approach to do this might be via manual balancing, as in route all the VPN connections over one path, and all the web surfing over the other path, but that's not overly easy to maintain.

The other approach might be with Cisco OER - let the boxes figure out what destinations have the most traffic, and balance these flows over both links.

But that will only work outbound from the customer to you - from the ISP (you) to the customer, you also need to decide upon the balancing criteria, if any. Just failover is easy :)

The second part (how to diagnose that the wireless is down) is easier - you could use a BGP session from the customer router to your edge router, just sending customer routes and default back and forth. If the wireless mesh breaks, the BGP session will also break, and routing will fall over to the other link.

(The StarOS routers would need to know the customer routes statically, but that's not a problem, unless the customer changes their IP addresses frequently).

If BGP is not an option, you could do it with IP SLA (ping testing) and static route tracking (if it doesn't ping, withdraw the route) on both ends, but that's less elegant than BGP - and much more configuration work.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
[c-nsp] Cisco ASA - Export rules
Hi,

I would like to export the ASA rules to a HTML file (without using ASDM).

Does anyone know a way (script?) to parse the ACLs and export to HTML?

Tks

Artur
Re: [c-nsp] Cisco ASA - Export rules
I use this script to parse my pix acls and export them to an excel file.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Artur Renato Araujo da Silva
Sent: Tuesday, August 19, 2008 1:57 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco ASA - Export rules

Hi,

I would like to export the ASA rules to a HTML file (without using ASDM).

Does anyone know a way (script?) to parse the ACLs and export to HTML?

Tks

Artur
Re: [c-nsp] Cisco ASA - Export rules
'Created by Robert Teller
WScript.Echo "This script will take a minute or two to run" & vbCrLf & "Please be patient"
Const ForReading = 1

'Looks for CF acl query
WSArg = Wscript.arguments.Count
If WSArg < 1 Then
    WScript.Echo "Please select a valid source"
    WScript.Quit
End If

PixACL = Wscript.arguments.Item(0)
set ObjExcel = createobject("excel.application")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = FSO.OpenTextFile(PixACL, ForReading)

'Names excel file
EName = Split(WScript.ScriptName, ".")(0) & ".xls"
EName = Replace(WScript.ScriptFullName,WScript.ScriptName,EName)

'Text files for output
OFiles = Split(WScript.ScriptName, ".")(0) & ".xls"

If fso.FileExists(Ename) Then fso.DeleteFile(Ename)
ObjExcel.workbooks.Add
ObjExcel.Worksheets.Add.Name = "Main"
XRules = 0
For Each Sheet In ObjExcel.Worksheets
    If sheet.name <> "Main" Then
        sheet.usedrange.delete
        sheet.delete
    End If
Next
ObjExcel.Worksheets.Add.Name = "Rules"
ObjExcel.Worksheets("Rules").move ObjExcel.Sheets(2)
Rules "DMZ" ,"Line" ,"Action" ,"Protocol" ,"Source" ,"SrcPort" ,"dest" ,"DstPort" ,"HitC" ,"Inactive" ,"LogLevel" ,"LogInterval"
' ObjExcel.Worksheets("Rules").activate
' ObjExcel.Cells(1,1).value = "DMZ" 'acl_dmzname
' ObjExcel.Cells(1,2).value = "Line #" 'line ###
' ObjExcel.Cells(1,3).value = "Action" 'Permit/deny
' ObjExcel.Cells(1,4).value = "Protocol" 'ICMP/TCP/UDP
' ObjExcel.Cells(1,5).value = "Source"
' ObjExcel.Cells(1,6).value = "Destination"
' ObjExcel.Cells(1,7).value = "Port #" 'http/https.
' ObjExcel.Cells(1,8).value = "Hit Count" 'hitcnt=...
' ObjExcel.Cells(1,9).value = "Inactive" 'hitcnt=...

'Read the whole file into one string, then split it back into ACL entries
Do Until objTextFile.AtEndOfStream
    If IsEmpty(text) Then
        Text = objTextFile.Readline
        Text = Replace(Text,"access-list ","")
    Else
        Text = Text & objTextFile.Readline
    End If
Loop
AclArray = Split(text,"access-list ")
x = 1
For Each AccessList In AclArray
    'Make sure the line Is a valid acl
    ACLCheck = Split(AccessList, " ")
    If UBound(ACLCheck) > 3 Then
        If ACLCheck(3) <> "remark" Then
            PixParse AccessList
        End If
    End If
Next

Sub PixParse(ACL)
    'Converts object-group to Group
    If InStr(ACL,"object-group") Then ACL = Replace(ACL,"object-group","Group")

    'Checks of ACL is inactive
    If InStr(ACL, " inactive ") Then
        Inactive = True
        ACL = Replace(ACL, " inactive","")
    End If

    'Format and Remove logging information from variable Item
    If InStrRev(ACL, " log ") And InStrRev(ACL, " interval ") Then
        'Checks for matching log level
        LoGLevelB = InStr(ACL, " log ") + 5
        LoGLevelE = InStr(LogLevelB,ACL, " ")
        LogLevel = Mid(ACL,LogLevelB,LogLevelE - LogLevelB)
        LogIntervalB = InStr(LogLevelE,ACL, " interval ") + 10
        LogIntervalE = InStr(LogIntervalB,ACL, " ")
        LogInterval = Mid(ACL,LogIntervalB, LogIntervalE - LogIntervalB)
        ACL = Replace(ACL, " log " & Loglevel & " interval " & logInterval, "")
    End If

    '### DMZ ###
    DMZ = InStr(ACL, " ")
    DMZ = Left(ACL,DMZ)
    '### DMZ ###

    '### Line ###
    LineB = InStr(ACL, " line ") + 6
    LineE = InStr(LineB,ACL, " ")
    Line = "Line " & Mid(ACL,LineB, LineE - LineB)
    '### Line ###

    '### Action ###
    If InStr(ACL,"deny") Then
        Action = "Deny"
    ElseIf InStr(ACL,"permit") Then
        Action = "Permit"
    Else
        Action = "Other"
    End If
    '### Action ###

    '### Protocol ###
    Protocol = Split(ACL, " ")(5)
    '### Protocol ###

    '### Src Host ###
    'Determine if src is Host,Subnet or Any
    SrcHost = Split(ACL, " ")(6)
    Select Case SrcHost
        Case "host"
            SourceB = InStr(ACL, " host ") + 6
            SourceE = InStr(SourceB,ACL, " ")
            Source = "Host " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "Group"
            SourceB = InStr(ACL, " Group ") + 7
            SourceE = InStr(SourceB,ACL, " ")
            Source = "Group " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "any"
            Source = "Any"
            SourceE = InStr(ACL,SrcHost) + Len(SrcHost)
        Case Else
            SourceB =
Re: [c-nsp] Cisco ASA - Export rules
you could use nipper, which is a config auditor, so it will audit your security policy and configuration, and you have the options to export to xml, html, etc .. http://sourceforge.net/projects/nipper/?abmode=1

On Tue, Aug 19, 2008 at 4:56 PM, Artur Renato Araujo da Silva [EMAIL PROTECTED] wrote:
> Hi, I would like to export the ASA rules to a HTML file (without using ASDM). Does anyone know a way (script?) to parse the ACLs and export to HTML? Tks Artur
Re: [c-nsp] OT: network inventory
Hi Chip,

chip wrote:
> Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc.

We use Netdisco for network discovery (both for switches/routers, and connected end stations). It's written with Perl+Net-SNMP, has a web front-end, and uses PostgreSQL storage: http://netdisco.org/ (The version in CVS is -much- improved, and will be released RSN)

As for device inventory, the latest Netdisco code does all the ENTITY-MIB work, and I've been working on graphically representing that in the web UI: http://sites.google.com/a/gapps.oxuni.org.uk/oliver/netdisco-frontpanels

Screenshot from above: http://users.ox.ac.uk/~oliver/data/images/frontpanel/frontpanel_demo_c3750_stack.png

Next step is to generate SVG as an alternative to the vendor images. I hope that helps, and provides ideas for your own scripts, regards, oliver.

-- Oliver Gorwits, Network and Telecommunications Group, Oxford University Computing Services
Re: [c-nsp] OT: network inventory
Check out NAV (Network Administration Visualized) at http://metanav.uninett.no/ as well. It gives full inventory of all devices as well as a load of other useful features.. Best regards, Stig Meireles Johansen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chip
Sent: 19 August 2008 15:57
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: network inventory

So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it. --chip

-- Just my $.02, your mileage may vary, batteries not included, etc
Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
a 64bit route distinguisher and the 32bit ip address are used to create vpnv4 address, which specifically solves the overlap problem

On Tue, Aug 19, 2008 at 9:19 PM, Andy Saykao [EMAIL PROTECTED] wrote:
> Just wondering from those in the know, whether it's best practice to implement public or private IP's for the PE-to-CE link. What's everyone using and why? For our MPLS network, I've been asked by my Manager to use private IP's for the PE-CE link in order to give the customer the appearance that they are on a secure PRIVATE network due to private IP's being used. Although I tend to be more fond of using public IP's because it's a unique address space so you don't have to worry about overlapping IP addresses on the customer's end and secondly there's no configuration from the Service Provider's end should you need to remove the connection from the VRF to conduct further testing from the Internet because the connection is already using public IP's (eg: for cases where the customer is complaining of slow speeds, packet loss, drop outs, etc and you want to test the individual connection and bypass their VPN). Thanks. Andy
Re: [c-nsp] Cisco ASA - Export rules
In ASDM, there is a button under file called Show running configuration in a new window. That opens up a browser window with a URL something like: https://X.Y.Z.6/admin/exec/show%20running-config/show%20running-config%20asdm# that shows the whole running config. Probably nothing you couldn't get from an ssh session or expect script. Use Grep or find on access-list and that should be it. Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Artur Renato Araujo da Silva
Sent: Tuesday, August 19, 2008 4:57 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco ASA - Export rules

Hi, I would like to export the ASA rules to a HTML file (without using ASDM). Does anyone know a way (script?) to parse the ACLs and export to HTML? Tks Artur
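Added example (not part of any message in this thread): one way to do what the thread asks for, taking the `access-list` lines from a saved `show access-list` capture, splitting them into fields and writing an HTML table. The sample lines are constructed, the field grammar is a simplified subset of the ASA syntax, and the function and column names are this example's own.

```python
import html
import re

# Constructed sample in the style of "show access-list" output; not from a real device.
SAMPLE = """\
access-list outside_in; 4 elements
access-list outside_in line 1 remark <b>web</b> servers
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=120)
access-list outside_in line 3 extended permit udp 10.1.0.0 255.255.0.0 object-group DNS eq domain log informational interval 300 (hitcnt=7)
access-list outside_in line 4 extended deny ip any any inactive (hitcnt=0) (inactive)
"""

COLUMNS = ["acl", "line", "action", "protocol", "source", "src_port",
           "dest", "dst_port", "hitcnt", "inactive", "log", "remark"]
PORT_OPS = {"eq", "lt", "gt", "neq"}


def take_addr(tok, i):
    """Consume one address spec at tok[i]; return (text, next index)."""
    if i >= len(tok):
        return "", i
    if tok[i] == "any":
        return "any", i + 1
    # "host A", "object-group NAME" and "NETWORK MASK" each take two tokens.
    return " ".join(tok[i:i + 2]), i + 2


def take_port(tok, i):
    """Consume an optional port spec; return ("", i) when there is none."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return " ".join(tok[i:i + 2]), i + 2
    if i < len(tok) and tok[i] == "range":
        return " ".join(tok[i:i + 3]), i + 3
    return "", i


def parse_rule(text):
    """Return a dict for one numbered ACL entry, or None for any other line."""
    tok = text.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "line":
        return None  # summary lines, object-group definitions, other config
    rule = dict.fromkeys(COLUMNS, "")
    rule.update(acl=tok[1], line=tok[3])
    if tok[4] == "remark":
        rule.update(action="remark", remark=text.partition(" remark")[2].strip())
        return rule
    i = 5 if tok[4] == "extended" else 4
    if len(tok) < i + 4:
        return None
    rule["action"] = tok[i]
    if tok[i + 1] == "object-group":  # protocol given as a group
        rule["protocol"], i = " ".join(tok[i + 1:i + 3]), i + 3
    else:
        rule["protocol"], i = tok[i + 1], i + 2
    # Assumption: an object-group right after the source is the destination
    # network, not a source-port service group (that needs the group definitions).
    rule["source"], i = take_addr(tok, i)
    rule["src_port"], i = take_port(tok, i)
    rule["dest"], i = take_addr(tok, i)
    rule["dst_port"], i = take_port(tok, i)
    rest = tok[i:]
    rule["inactive"] = "yes" if "inactive" in rest else ""
    if "log" in rest:
        opts = []
        for t in rest[rest.index("log"):]:
            if t.startswith("(") or t == "inactive":
                break
            opts.append(t)
        rule["log"] = " ".join(opts)
    hit = re.search(r"\(hitcnt=(\d+)\)", text)
    rule["hitcnt"] = hit.group(1) if hit else ""
    return rule


def to_html(rules):
    """Render rules as a table; every cell is escaped because ACL names and
    remarks are free text taken from the device configuration."""
    head = "".join(f"<th>{html.escape(c)}</th>" for c in COLUMNS)
    rows = ["<tr>" + "".join(f"<td>{html.escape(r[c])}</td>" for c in COLUMNS) + "</tr>"
            for r in rules]
    return "<table>\n<tr>" + head + "</tr>\n" + "\n".join(rows) + "\n</table>\n"


def export(text):
    """Parse a whole capture; return (list of rule dicts, HTML string)."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    return rules, to_html(rules)


if __name__ == "__main__":
    print(export(SAMPLE)[1])
```

Rules with ICMP type keywords or other trailing options keep those tokens out of the table; extend `parse_rule` before relying on the output for a rule review.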
[c-nsp] Unable to connect VLAN traffic
We have layer 2 connectivity from our main office to an offsite facility where our servers reside. We are connected via fiber but it is not a dedicated circuit. Recently I created a VLAN with same ID on both switches (main office and Offsite facility). I trunked the port on both ends but no traffic passes on this VLAN. Obviously only VLAN 1 works. According to a consultant the provider of the fiber connection needs to turn something on for us to be able to pass VLAN traffic other than VLAN 1's. What would be that something, he does not even know it himself. Can anybody shed any light on this? We are urgently needing to have a separate VLAN for our VOIP traffic. Thanks John
Re: [c-nsp] Unable to connect VLAN traffic
Q-in-Q

Johnny Ramirez wrote:
> We have layer 2 connectivity from our main office to an offsite facility where our servers reside. We are connected via fiber but it is not a dedicated circuit. Recently I created a VLAN with same ID on both switches (main office and Offsite facility). I trunked the port on both ends but no traffic passes on this VLAN. Obviously only VLAN 1 works. According to a consultant the provider of the fiber connection needs to turn something on for us to be able to pass VLAN traffic other than VLAN 1's. What would be that something, he does not even know it himself. Can anybody shed any light on this? We are urgently needing to have a separate VLAN for our VOIP traffic. Thanks John
Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
On Tue, Aug 19, 2008 at 09:41:09PM -0400, Christian Koch wrote:
> a 64bit route distinguisher and the 32bit ip address are used to create vpnv4 address, which specifically solves the overlap problem

I don't think the overlap is the real issue:

> > Although I tend to be more fond of using public IP's because it's a unique address space so you don't have to worry about overlapping IP addresses on the customer's end and secondly there's no configuration from the Service Provider's end should you need to remove the connection from the VRF to conduct further testing from the Internet because the connection is already using public IP's

Using non-RFC1918 address means you have a guaranteed unique identifier for the interface. The non-overlap issue is a side effect of having a unique identifier.
Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
On Wed, 20 Aug 2008, Andy Saykao wrote:
> Just wondering from those in the know, whether it's best practice to implement public or private IP's for the PE-to-CE link. What's everyone using and why?

Best practice is to use public IP for the PE-CE link and then you admin the CE using that address. If you have a serial interface you can do this with a /32 routed towards the physical interface and use unnumbered/loopback, otherwise you have to use /30 or /31. Using RFC1918 space creates huge potential of overlaps with customers, and a nightmare for management if you want your CE range to be unique per VPN, how are you going to reach your CEs via SNMP etc?

-- Mikael Abrahamsson email: [EMAIL PROTECTED]
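Added example (not part of any message in this thread): both points made above in one place. A route distinguisher keeps overlapping PE-CE prefixes distinct as VPNv4 routes, yet the same prefixes collide again once they are imported into a single management VRF, where only the IPv4 prefix remains. The RD encoding follows RFC 4364; the VRF names, RD values, prefixes and CE names are constructed.

```python
import ipaddress
import struct
from collections import defaultdict


def encode_rd(rd):
    """Encode 'ASN:nn' (type 0 or 2) or 'A.B.C.D:nn' (type 1) as the 8-byte RD."""
    admin, _, num = rd.partition(":")
    num = int(num)
    if "." in admin:  # type 1: IPv4 address + 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, num)
    asn = int(admin)
    if asn <= 0xFFFF:  # type 0: 2-byte ASN + 4-byte number
        return struct.pack("!HHI", 0, asn, num)
    return struct.pack("!HIH", 2, asn, num)  # type 2: 4-byte ASN + 2-byte number


def vpnv4_key(rd, prefix):
    """96-bit VPNv4 address (64-bit RD + 32-bit IPv4) plus the IPv4 prefix length."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen


# Constructed: customers A and B number their PE-CE link from the same RFC 1918 /30,
# customer C uses a unique (documentation-range) /30.
ROUTES = [
    {"vrf": "CUST-A", "rd": "65000:101", "prefix": "10.0.0.0/30", "ce": "ce-a1"},
    {"vrf": "CUST-B", "rd": "65000:102", "prefix": "10.0.0.0/30", "ce": "ce-b1"},
    {"vrf": "CUST-C", "rd": "65000:103", "prefix": "192.0.2.8/30", "ce": "ce-c1"},
]


def bgp_vpnv4_table(routes):
    """MP-BGP view: routes are keyed by RD + prefix, so overlaps stay distinct."""
    return {vpnv4_key(r["rd"], r["prefix"]): r["ce"] for r in routes}


def management_vrf(routes):
    """Import every route into one VRF: the RD is dropped on import, so the
    routing table is keyed by the IPv4 prefix alone."""
    rib = defaultdict(list)
    for r in routes:
        rib[str(ipaddress.IPv4Network(r["prefix"]))].append(r["ce"])
    return dict(rib)


def collisions(rib):
    """Prefixes that more than one CE claims inside the same VRF."""
    return {p: ces for p, ces in rib.items() if len(ces) > 1}


if __name__ == "__main__":
    print(len(bgp_vpnv4_table(ROUTES)), "distinct VPNv4 routes")
    print("ambiguous in management VRF:", collisions(management_vrf(ROUTES)))
```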
Re: [c-nsp] Unable to connect VLAN traffic
Justin, I appreciate your well explained answer. So basically they would tell me what VLANs I should use for me to match them. Thanks John

--- On Tue, 8/19/08, Justin Shore [EMAIL PROTECTED] wrote:
From: Justin Shore [EMAIL PROTECTED]
Subject: Re: [c-nsp] Unable to connect VLAN traffic
To: Johnny Ramirez [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Date: Tuesday, August 19, 2008, 9:41 PM

Johnny Ramirez wrote:
> We have layer 2 connectivity from our main office to an offsite facility where our servers reside. We are connected via fiber but it is not a dedicated circuit. Recently I created a VLAN with same ID on both switches (main office and Offsite facility). I trunked the port on both ends but no traffic passes on this VLAN. Obviously only VLAN 1 works. According to a consultant the provider of the fiber connection needs to turn something on for us to be able to pass VLAN traffic other than VLAN 1's. What would be that something, he does not even know it himself. Can anybody shed any light on this? We are urgently needing to have a separate VLAN for our VOIP traffic.

John, Basically what this amounts to is that your transport provider is only accepting untagged Ethernet frames and thus only the one VLAN you previously used on your access interface. You need the provider to accept tagged Ethernet frames so that tagged frames from each of your VLANs will be accepted for transport. The provider may either dictate to you what VLAN IDs you must use. They may use Q-in-Q (aka VLAN stacking) to assign their own tag in front of your tags. This would give you the most flexibility and will keep you from having to work with them to allow future VLANs across the trunk. Justin
Re: [c-nsp] Unable to connect VLAN traffic
Johnny, I think the better solution if your provider can accommodate, is to do Q-in-Q instead of having to dictate what tags you can use. This allows you, as Justin mentioned, to use your own tags across the circuit instead of having to coordinate with them every time you need to add another VLAN, or change something. -Ryan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johnny Ramirez
Sent: Tuesday, August 19, 2008 11:55 PM
To: Justin Shore
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Unable to connect VLAN traffic

Justin, I appreciate your well explained answer. So basically they would tell me what VLANs I should use for me to match them. Thanks John

--- On Tue, 8/19/08, Justin Shore [EMAIL PROTECTED] wrote:
From: Justin Shore [EMAIL PROTECTED]
Subject: Re: [c-nsp] Unable to connect VLAN traffic
To: Johnny Ramirez [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Date: Tuesday, August 19, 2008, 9:41 PM

Johnny Ramirez wrote:
> We have layer 2 connectivity from our main office to an offsite facility where our servers reside. We are connected via fiber but it is not a dedicated circuit. Recently I created a VLAN with same ID on both switches (main office and Offsite facility). I trunked the port on both ends but no traffic passes on this VLAN. Obviously only VLAN 1 works. According to a consultant the provider of the fiber connection needs to turn something on for us to be able to pass VLAN traffic other than VLAN 1's. What would be that something, he does not even know it himself. Can anybody shed any light on this? We are urgently needing to have a separate VLAN for our VOIP traffic.

John, Basically what this amounts to is that your transport provider is only accepting untagged Ethernet frames and thus only the one VLAN you previously used on your access interface. You need the provider to accept tagged Ethernet frames so that tagged frames from each of your VLANs will be accepted for transport. The provider may either dictate to you what VLAN IDs you must use. They may use Q-in-Q (aka VLAN stacking) to assign their own tag in front of your tags. This would give you the most flexibility and will keep you from having to work with them to allow future VLANs across the trunk. Justin
Re: [c-nsp] Unable to connect VLAN traffic
Johnny Ramirez wrote:
> Justin, I appreciate your well explained answer. So basically they would tell me what VLANs I should use for me to match them.

That's one possibility. Hopefully your SP has progressed beyond that point though and supports Q-in-Q. It scales much better than integrating customer VLAN IDs with the SP's VLAN IDs. With Q-in-Q they'll internally assign a VLAN ID to your access interface and will prepend that VLAN tag to whatever VLAN tags you hand them on your trunk port. They'll switch that double-stacked Ethernet frame across their SP backbone to your other remote access interface. That's of course an assumption based on what you wrote about shared fiber. It's possible they're doing some sort of EoMPLS but the access edge will still likely be Q-in-Q to stuff multiple VLANs into a EoMPLS VC. HTH Justin
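Added example (not part of any message in this thread): the tag handling described above, at byte level. A provider port that accepts only untagged frames drops the customer's tagged VoIP frame, while a Q-in-Q port pushes a service tag in front of the customer tag and pops it at the far end, so the customer's VLAN ID arrives unchanged. The MAC addresses, VLAN IDs and function names are constructed for this example.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag; some platforms send 0x8100 here too
ETH_IPV4 = 0x0800

# Constructed values for the walk-through.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
VOICE_VLAN = 200     # customer's VoIP VLAN
SERVICE_VLAN = 3001  # VLAN the provider assigns to this customer's access port


def push_tag(frame, vid, tpid=TPID_CTAG, pcp=0):
    """Insert a VLAN tag directly after the two MAC addresses (outermost position)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag; return (vid, frame without that tag)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid not in (TPID_CTAG, TPID_STAG):
        raise ValueError("frame is untagged")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def tag_stack(frame):
    """Return ([(tpid, vid), ...] outermost first, EtherType of the payload)."""
    tags, off = [], 12
    while True:
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype not in (TPID_CTAG, TPID_STAG):
            return tags, etype
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((etype, tci & 0x0FFF))
        off += 4


def untagged_only_port(frame):
    """Provider port that accepts only untagged frames: returns the frame, or
    None when it is dropped because it carries a VLAN tag."""
    tags, _ = tag_stack(frame)
    return None if tags else frame


def qinq_tunnel(frame, s_vid):
    """Ingress edge pushes the service tag, egress edge pops it again.
    Returns (frame as seen in the provider core, frame delivered to the customer)."""
    in_core = push_tag(frame, s_vid, tpid=TPID_STAG)
    vid, delivered = pop_tag(in_core)
    if vid != s_vid:
        raise ValueError("service tag changed in transit")
    return in_core, delivered


def walk_through():
    data = DST + SRC + struct.pack("!H", ETH_IPV4) + b"\x45" + bytes(45)
    voice = push_tag(data, VOICE_VLAN, pcp=5)  # what the customer trunk sends
    in_core, delivered = qinq_tunnel(voice, SERVICE_VLAN)
    return {
        "untagged_passes": untagged_only_port(data) is not None,
        "tagged_passes": untagged_only_port(voice) is not None,
        "core_stack": tag_stack(in_core),
        "delivered_intact": delivered == voice,
        "overhead_bytes": len(in_core) - len(voice),
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(key, value)
```

The four extra bytes per frame are why the provider path has to carry frames larger than the customer's own tagged maximum.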
[c-nsp] VLAN ID limit?
For some reason, my Catalyst 2900 series (WS-C2924-XL) does not like VLAN IDs higher than 1005:

sw01(config)#switchport trunk allowed vlan add 1202
Command rejected: Bad VLAN list - character #5 (EOL) delimits a VLAN number (1202) out of the range 1 to 1005.

This is with a trunking interface:

interface FastEthernet0/1
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,100,1002-1005
 switchport mode trunk

IOS is 12.0(5)WC8 (C2900XL-C3H2S-M). I'm pretty sure this has already been asked a thousand times, but how do I get around this issue so I can get support for the extended VLAN IDs up to 4096?

-- Alex Balashov Evariste Systems Web: http://www.evaristesys.com/ Tel: (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599
Re: [c-nsp] VLAN ID limit?
Are you in transparent vtp mode?

On Tue, Aug 19, 2008 at 9:48 PM, Alex Balashov [EMAIL PROTECTED] wrote:
> For some reason, my Catalyst 2900 series (WS-C2924-XL) does not like VLAN IDs higher than 1005:
>
> sw01(config)#switchport trunk allowed vlan add 1202
> Command rejected: Bad VLAN list - character #5 (EOL) delimits a VLAN number (1202) out of the range 1 to 1005.
>
> This is with a trunking interface:
>
> interface FastEthernet0/1
>  duplex full
>  speed 100
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 1,3,100,1002-1005
>  switchport mode trunk
>
> IOS is 12.0(5)WC8 (C2900XL-C3H2S-M). I'm pretty sure this has already been asked a thousand times, but how do I get around this issue so I can get support for the extended VLAN IDs up to 4096?
>
> -- Alex Balashov Evariste Systems Web: http://www.evaristesys.com/ Tel: (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599
Re: [c-nsp] VLAN ID limit?
Alex, You don't get around it on the 2924. You will need to upgrade to the 2950G-24-EI. They're not much more than the 2924. Good luck.

Alex Balashov wrote:
> For some reason, my Catalyst 2900 series (WS-C2924-XL) does not like VLAN IDs higher than 1005:
>
> sw01(config)#switchport trunk allowed vlan add 1202
> Command rejected: Bad VLAN list - character #5 (EOL) delimits a VLAN number (1202) out of the range 1 to 1005.
>
> This is with a trunking interface:
>
> interface FastEthernet0/1
>  duplex full
>  speed 100
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 1,3,100,1002-1005
>  switchport mode trunk
>
> IOS is 12.0(5)WC8 (C2900XL-C3H2S-M). I'm pretty sure this has already been asked a thousand times, but how do I get around this issue so I can get support for the extended VLAN IDs up to 4096?
Re: [c-nsp] VLAN ID limit?
Damn. Are you absolutely sure there is no IOS upgrade for the existing switch that can fix this?

Chris Phillips wrote:
> Alex, You don't get around it on the 2924. You will need to upgrade to the 2950G-24-EI. They're not much more than the 2924. Good luck.
>
> Alex Balashov wrote:
> > For some reason, my Catalyst 2900 series (WS-C2924-XL) does not like VLAN IDs higher than 1005:
> >
> > sw01(config)#switchport trunk allowed vlan add 1202
> > Command rejected: Bad VLAN list - character #5 (EOL) delimits a VLAN number (1202) out of the range 1 to 1005.
> >
> > This is with a trunking interface:
> >
> > interface FastEthernet0/1
> >  duplex full
> >  speed 100
> >  switchport trunk encapsulation dot1q
> >  switchport trunk allowed vlan 1,3,100,1002-1005
> >  switchport mode trunk
> >
> > IOS is 12.0(5)WC8 (C2900XL-C3H2S-M). I'm pretty sure this has already been asked a thousand times, but how do I get around this issue so I can get support for the extended VLAN IDs up to 4096?

-- Alex Balashov Evariste Systems Web: http://www.evaristesys.com/ Tel: (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599
Re: [c-nsp] VLAN ID limit?
The last time I checked 12.0(WC17) or something like that, it was not possible. WC17 came out in mid-2007 if I recall correctly. I don't think that Cisco is going to support anything >1005 on the XL series switches ever. Their goal is to keep you buying new gear, and if they just keep adding features to the odd stuff, who needs new gear. Anyway, there's several other improvements that the 2950Gs have over the XLs, that make it much more appealing. Here's a few:

- they run 12.1 instead of 12.0
- ssh support
- do support
- don't have to use the vlan database to create VLANs
- etc...

Like I said before, they're dirt cheap and very much worth the slight price increase.

Alex Balashov wrote:
> Damn. Are you absolutely sure there is no IOS upgrade for the existing switch that can fix this?
>
> Chris Phillips wrote:
> > Alex, You don't get around it on the 2924. You will need to upgrade to the 2950G-24-EI. They're not much more than the 2924. Good luck.
> >
> > Alex Balashov wrote:
> > > For some reason, my Catalyst 2900 series (WS-C2924-XL) does not like VLAN IDs higher than 1005:
> > >
> > > sw01(config)#switchport trunk allowed vlan add 1202
> > > Command rejected: Bad VLAN list - character #5 (EOL) delimits a VLAN number (1202) out of the range 1 to 1005.
> > >
> > > This is with a trunking interface:
> > >
> > > interface FastEthernet0/1
> > >  duplex full
> > >  speed 100
> > >  switchport trunk encapsulation dot1q
> > >  switchport trunk allowed vlan 1,3,100,1002-1005
> > >  switchport mode trunk
> > >
> > > IOS is 12.0(5)WC8 (C2900XL-C3H2S-M). I'm pretty sure this has already been asked a thousand times, but how do I get around this issue so I can get support for the extended VLAN IDs up to 4096?
Re: [c-nsp] VLAN ID limit?
afaik, the 2900XL and 3500XL series switches do not support extended range vLANs, you'll need to upgrade your switch, sorry ... http://supportwiki.cisco.com/ViewWiki/index.php/The_Cisco_Catalyst_switch_does_not_permit_the_creation_of_extended-range_VLANs_in_the_VLAN_database_mode

- Gabriel Kuri | Sr. Network Engineer Instructional and Information Technology Division California State Polytechnic University, Pomona http://www.csupomona.edu/~iit | +1 909 979 6363

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Alex Balashov
Sent: Tue 8/19/2008 9:48 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VLAN ID limit?

For some reason, my Catalyst 2900 series (WS-C2924-XL) does not like VLAN IDs higher than 1005:

sw01(config)#switchport trunk allowed vlan add 1202
Command rejected: Bad VLAN list - character #5 (EOL) delimits a VLAN number (1202) out of the range 1 to 1005.

This is with a trunking interface:

interface FastEthernet0/1
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,100,1002-1005
 switchport mode trunk

IOS is 12.0(5)WC8 (C2900XL-C3H2S-M). I'm pretty sure this has already been asked a thousand times, but how do I get around this issue so I can get support for the extended VLAN IDs up to 4096?

-- Alex Balashov Evariste Systems Web: http://www.evaristesys.com/ Tel: (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599