Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

2008-08-19 Thread Gert Doering
Hi,

On Mon, Aug 18, 2008 at 06:36:20PM -0500, Scott Lambert wrote:
> I have a customer who went directly to cisco to ask about how to load
> balance two WAN connections 

I see two key issues here:

 - how to load *balance*.

 - how to reliably detect wireless is down if there is no end-to-end
   routing possible

The first one is hard - if you have two routers involved, VRRP (or GLBP,
if there is only a single client) will not provide load balancing, but
only failover.  That is: while one of the boxes is working, it will 
receive all the traffic from the PIX, and if it breaks, all the traffic
goes to the other box.

One possible approach to do this might be via manual balancing, as
in route all the VPN connections over one path, and all the web surfing
over the other path, but that's not overly easy to maintain.  The other
approach might be with Cisco OER - let the boxes figure out what 
destinations have the most traffic, and balance these flows over both
links.  But that will only work outbound from the customer to you - from
the ISP (you) to the customer, you also need to decide upon the balancing
criteria, if any.

Just failover is easy :)


The second part (how to diagnose that the wireless is down) is easier - you
could use a BGP session from the customer router to your edge router, just
sending customer routes and default back and forth.  If the wireless
mesh breaks, the BGP session will also break, and routing will fall over
to the other link.   (The StarOS routers would need to know the customer
routes statically, but that's not a problem, unless the customer changes
their IP addresses frequently).

If BGP is not an option, you could do it with IP SLA (ping testing) and
static route tracking (if it doesn't ping, withdraw the route) on both 
ends, but that's less elegant than BGP - and much more configuration work.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025[EMAIL PROTECTED]


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 11503 ssl redundancy synch

2008-08-19 Thread Toby Burrows (Qube)
Many thanks Vijay, had suspected as much, just didn't want to believe
it! It does seem really silly for the price of these things, it looks
like I will be pushing for a pair of F5's when I implement my shared LB
solution, 

Thanks again,
Toby Burrows

-Original Message-
From: Ramcharan, Vijay A [mailto:[EMAIL PROTECTED] 
Sent: 18 August 2008 19:46
To: Toby Burrows (Qube); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] 11503 ssl redundancy synch

I don't believe you are missing anything. SSL files (keys, certs etc)
are most likely not copied across.  You will probably need to manually
import them into your standby box. 
For whatever reason, the ACE has this same limitation (seemingly silly
as I can't put my finger on the reason why Cisco cannot sync SSL files
as well as the config). 

F5 has had this on their boxes for a long time now. Makes SSL
configuration a snap. 

 
Vijay Ramcharan 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Toby Burrows
(Qube)
Sent: August 18, 2008 04:52
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 11503 ssl redundancy synch

Hi all, 
I have 2 css11503's in active/passive redundancy config. When using the
commit_redundConfig command the ssl does not copy across. I have cleared
the standby box and started again, but with no luck. The config guides I
have found offer little info on the ssl redundancy, just the normal IP
redundancy, the question is should I configure the ssl config and import
the certs on both boxes and then commit the redundant config when I have
verified the ssl config on the standby unit?  Or should it copy all config
including all the ssl stuff and I'm missing something?

Thanks in advance

 

Toby Burrows

Network Engineer


Qube Networks :: The Engineer's Choice for Co-Location, Internet
Bandwidth, Design & Build, and Managed Servers
 
Qube Networks Ltd :: Company Number 04155284 Registered in England and
Wales :: VAT Registration No: GB 769 6428 71 


[c-nsp] 20G Etherchannel with Standby-SupV?

2008-08-19 Thread Garry
For a project we are in the process of evaluating the way to implement
the requirements ...

One solution would be a dual (extendable) site setup with a 4507R at
each site, with dual SupV 10GE and dual connection each via two
different fiber routes. Plan would be to connect one port each of the
active and standby Sup via one way, the other via the other way,
resulting in a decent redundancy in case of a Sup failure.

Anyway, having dual 10G links between both sites would definitely call
for setting up a 20G etherchannel - question is, can an etherchannel be
configured using a 10G interface from each of the two Sups? From Cisco
docs like
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps6033/product_data_sheet0900aecd801c5c66_ps4324_Products_Data_Sheet.html
I read that all ports of the SupV (2x 10G  4x 1G) in Standby/Redundancy
are usable, so I would assume this also goes for setting up Etherchannels?

Tnx, -garry


[c-nsp] snmp values for individual vlans on trunk port

2008-08-19 Thread Vincent Hoffman
Hi,
   Just been asked if it's possible to pull out the traffic values
for specific vlans on a trunk port via snmp on a 2960 or 3750.
I'm pretty sure the answer is no, but thought I'd have an ask, any
suggestions?


Vince


Re: [c-nsp] Queuing on 1 Gig transit interfaces

2008-08-19 Thread David Granzer
Hello,

if the interface is GigE with traffic at around 300Mb/s and there is
not any other back pressure mechanism like traffic shaping, then there is
no congestion on the interface and congestion management like WFQ is
not in use.

David


the congestion management is used only when

On 8/19/08, Nic Tjirkalli [EMAIL PROTECTED] wrote:

> howdy ho,
>
> we have some transit interfaces that are GIG E interfaces on CISCO 7500
> and 7600 boxes. these interfaces run at most at around 300 Meg.
>
> The current queuing scheme on them is FIFO.
>
> we have some operational folk who are making sounds that they want the
> queuing to be WFQ as these boxes are pushing a mix of internet traffic and
> VOIP packets (RTP packets)
>
> My feelings are to leave the queuing as FIFO but was wondering if others
> had some feelings or experience in this
>
> thanking you in advance for any thoughts or info
>
> later
>
> -
> Knowledge speaks, but wisdom listens.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team



Re: [c-nsp] 20G Etherchannel with Standby-SupV?

2008-08-19 Thread Garry
Looks like I mis-read (or at least misunderstood) the wording in the
document I quoted ... in another one, I found a slightly more clear
statement which noted that of the four 10G interfaces, any two could be
used in a redundant setup ... so I guess the 20G idea is only feasible
for a 2-site setup, as in any larger setup, a ring would be operated,
which then terminates one 10G line each on two different remote sites ...

-garry


Re: [c-nsp] CAB-HD8-ASYNC extension cables?

2008-08-19 Thread Andrew Girling


On Aug 19, 2008, at 12:21 AM, Kevin Graham wrote:

The connector on the cards are (Micro)D68F (also used by SCSI-3
devices). You would be looking for a D68M-D68F cable to extend the
connection.

[...oops. sorry Brian, you were right...]

Thanks, I didn't have one on hand to check. Do you happen to know if the
pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be very
useful for sparing...)

Unfortunately, I'm not sure, and the pinout on the HD8-ASYNC has been
hard to track down online.

...though I'd admit the D68 extension is a tidier solution in the
rack :).

That's the idea. Even with clean cable management, it's still better to
get that fanout as far from central panels as needed.

I was also able to come up with vendors that make custom length
CAB-HD8-ASYNC compatible cables

If going that approach, it'd be even cooler to get something in a
cassette format to go right next to the MPO breakouts...

Cisco does recommend a vendor that provides 1RU breakouts in 32 and 48
port configurations, which you feed using D68M-D68M cables:

 Q. Are cable management solutions available for asynchronous ports?
 A. Components Express Inc. offers patch panel solutions for the
 HWIC-8A and HWIC-16A. These patch panels connect to the high-density
 asynchronous connectors and break out into individual RJ-45 jacks for
 each asynchronous port

I have not found any vendors providing a cassette format, but I
certainly see the appeal there.



[c-nsp] Platform experience and recommendations for L2TPv3.

2008-08-19 Thread Lamar Owen
Good morning list.

No rant today. :-)

I am looking, however, for the collected experience of this list in platform 
experience and recommendations for providing six to twelve point to point 
L2TPv3 (or equivalent technology) tunnels at up to 150Mb/s rates between 
APS-protected OC3 endpoints (if you have experience in that area; otherwise 
just straight tunnels).  I have a limited selection of 7500-series routers 
available, a single 3845, and a 12012 (but no OC48 POS card for a tunnel 
server; wish I could use the single card 'half' of an OC48 SRP set to do 
that, as I have one of those).

I am open to suggestions on alternative means of providing layer 2 adjacency 
for multiple VLANs across an OC3 POS link, as well.

I'd also like to hear the experience of the list on how to prevent hairpinning 
of traffic across an L2TPv3 tunnel; that is:

I've got four devices: A, B, C, and D (I know, creative names).  A and B are 
on one end of the link; C and D are on the other.  A and C are in the same 
subnet and are layer 2 adjacent through tunnel X.  B and D are both in a 
different subnet, and have layer 2 adjacency with each other through tunnel 
Y.  

How do I prevent traffic between A and B (or between C and D) from traversing 
the tunnel twice? (that is, one direction on tunnel X, through a router, then 
back through tunnel Y)  I've thought of some form of HSRP or similar 
protocol.  Or is there a better way?  A needs to use a router on its end of 
the link, and C needs to use a router on its end of the link (oh, and just 
manipulating the default routes in A or C's OS isn't a possibility due to 
what A and C would be: VMware guests).

The application is VMotion and HA/DRS on VMware across an OC3 POS WAN link 
between two VMware ESX hosts (one at the prime site, one at the DR); VMotion 
requires layer 2 adjacency (and does MAC hijacking, which has its own things, 
but I'm not that far yet) between the two ESX hosts in order to work.  

Thanks in advance for any responses.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
http://www.pari.edu


[c-nsp] 7600, diagnostic per-port

2008-08-19 Thread Christian Bering
Hi all,

#diagnostic start module 3 test per-port port 2
Diagnostic[Module 3]: Running test(s) 4-5 may disrupt normal system
operation
Do you want to continue? [no]: 

Will running this diagnostics feature be disruptive to traffic on any
other ports than port 2?

Port 2 is currently down/down but I have traffic on port 1 and would
rather not disrupt traffic on that port while testing port 2.

-- 
Regards
 Christian Bering
 IP engineer, nianet a/s
 Phone: (+45) 7020 8730


Re: [c-nsp] CAB-HD8-ASYNC extension cables?

2008-08-19 Thread Lamar Owen
On Monday 18 August 2008 21:40:35 Andrew Girling wrote:
> The connector on the cards are (Micro)D68F (also used by SCSI-3
> devices).  

A SCSI LVD/SE 68 pin extension might work; I'd just wonder about the pairing 
(SCSI cables have strict pairing guidelines; certain signals have to traverse 
certain pairs in the cable; the highest speed and most critical signals are 
carried in the center of the cable, and the slowest are carried closer to the 
shield).  Each data line has its paired return, which might or might not 
match pairing in the HD8-ASYNC.  At low speeds it wouldn't matter, but higher 
speed async signals might suffer from increased crosstalk.

You can see the way SCSI LVD/SE cables are laid out by looking at 
http://www.paralan.com/lvdmsepinout.html
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
http://www.pari.edu


[c-nsp] OT: network inventory

2008-08-19 Thread nasir.shaikh
Hi,

Anybody familiar with (freeware/shareware) tools for a network
inventory? Install-base is 100% cisco.

 

Are there other utilities around that would scan the collected
configurations and read relevant info (descriptions, ip add, link
bandwidth etc)?

 

 

Nasir Shaikh 

 



Re: [c-nsp] OT: network inventory

2008-08-19 Thread Jack

I think solar winds may help you.

Regards,
Jack

--
From: [EMAIL PROTECTED]
Sent: Tuesday, 19 August, 2008 8:13 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OT: network inventory


Hi,

Anybody familiar with (freeware/shareware) tools for a network
inventory? Install-base is 100% cisco.



Are there other utilities around that would scan the collected
configurations and read relevant info (descriptions, ip add, link
bandwidth etc)?





Nasir Shaikh 






Re: [c-nsp] OT: network inventory

2008-08-19 Thread Jeff Aitken
On Tue, Aug 19, 2008 at 01:13:28PM +0100, [EMAIL PROTECTED] wrote:
> Anybody familiar with (freeware/shareware) tools for a network
> inventory? Install-base is 100% cisco.

Sounds like you want rancid: 

http://www.shrubbery.net/rancid/


--Jeff



[c-nsp] voice call drop on as5400

2008-08-19 Thread a0kunev
Hello

I would like to share the problem we recently got on our network. We have DS3 
coming to as5400, that is converting PSTN calls to VOIP. We're handling only 
incoming calls, so the dial-peer config is simple, one voice and one voip 
provider. Recently we've started receiving complaints from our customers on dead 
air and drops during their conferences. The issues looked like this - person 
dialed to the DID and nobody answered during 10-120 seconds, then the call 
terminated by timeout. 

recently we're able to reproduce this, with debug 'call-mgmnt' it's dumping the 
following on console:
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3
Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3
Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3
Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3

I've checked with tcpdump cisco do not send anything to IP bridge to establish 
the call at that time. Telco says they see a lot of rejected calls from our 
side, but there is nothing on our end(I have not seen yet)

as5400 were recently updated to 12.4(9)T4.

Please advise on how to debug this problem.
regards, Andrei


Re: [c-nsp] CAB-HD8-ASYNC extension cables?

2008-08-19 Thread Bjørn Mork
Andrew Girling [EMAIL PROTECTED] writes:
> On Aug 19, 2008, at 12:21 AM, Kevin Graham wrote:
>
> > Thanks, I didn't have one on hand to check. Do you happen to know if the
> > pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be very
> > useful for sparing...)
>
> Unfortunately, I'm not sure, and the pinout on the HD8-ASYNC has been
> hard to track down online.

It's here:
http://www.cisco.com/en/US/docs/routers/access/hardware/notes/marcabl.pdf

The pinout does not seem to be consistent with the CAB-OCTAL. Ref
http://www.cisco.com/en/US/docs/routers/access/2500/software/user/guide/cables.html#wp2406


Bjørn


Re: [c-nsp] OT: network inventory

2008-08-19 Thread Adam Greene
Besides documenting config changes, can rancid perform a tftp backup of 
router / switch startup configs, or integrate with some other software to 
pull down the config file if a change is detected?


- Original Message - 
From: Lamar Owen [EMAIL PROTECTED]

To: cisco-nsp@puck.nether.net
Sent: Tuesday, August 19, 2008 8:42 AM
Subject: Re: [c-nsp] OT: network inventory



On Tuesday 19 August 2008 08:13:28 [EMAIL PROTECTED] wrote:

Anybody familiar with (freeware/shareware) tools for a network
inventory? Install-base is 100% cisco.



Are there other utilities around that would scan the collected
configurations and read relevant info (descriptions, ip add, link
bandwidth etc)?


I use OpenNMS, which is a full bore network management system.  Has great
autodiscovery, and reads what it needs to know via SNMP.  Can do layer 2
link detections and paths.

Doesn't pull in configs; rancid does that quite well.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
http://www.pari.edu


Re: [c-nsp] OT: network inventory

2008-08-19 Thread Rikard Stemland Skjelsvik


http://www.ziptie.org/

--
Rikard

On Tue, 19 Aug 2008, [EMAIL PROTECTED] wrote:


Hi,

Anybody familiar with (freeware/shareware) tools for a network
inventory? Install-base is 100% cisco.



Are there other utilities around that would scan the collected
configurations and read relevant info (descriptions, ip add, link
bandwidth etc)?





Nasir Shaikh





Re: [c-nsp] OT: network inventory

2008-08-19 Thread Lamar Owen
On Tuesday 19 August 2008 09:04:29 Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of
> router / switch startup configs, or integrate with some other software to
> pull down the config file if a change is detected?

See 
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid
and see if that meets your needs.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
http://www.pari.edu


Re: [c-nsp] OT: network inventory

2008-08-19 Thread Jon Lewis

On Tue, 19 Aug 2008, Adam Greene wrote:

> Besides documenting config changes, can rancid perform a tftp backup of 
> router / switch startup configs, or integrate with some other software to 
> pull down the config file if a change is detected?


It doesn't use tftp for it, but rancid does backup your configs and put 
them into CVS so you can see when a change was made, compare configs from 
different times, etc.  It also stores the latest versions of the configs 
as flat files, so you can easily do some scripting to do things like find 
all routers of a certain type, make a list of router names and the 
software versions they're running, etc.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] OT: network inventory

2008-08-19 Thread Joe Provo
On Tue, Aug 19, 2008 at 09:04:29AM -0400, Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of 
> router / switch startup configs, or integrate with some other software to 
> pull down the config file if a change is detected?

Lots of folks trigger rancid runs on snmp traps or syslog events. 
Best IMO is to front-end your changes thru rancid & have that 
wrapper log/trigger runs/etc to your heart's content.  Only the
long list of 'round tuits' is to recreate all the good ol rtrmon
suite actions as rancid wrappers.


-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE


Re: [c-nsp] OT: network inventory

2008-08-19 Thread chip
So far all of the software that's been presented will autodiscover devices
and backup configs and such.  Is there anything around that will actually
take inventory of a router.  By inventory I mean, list of cards, model
numbers, serial numbers, pluggable optics, etc.  I've been working on
scripts to do this and it's become a lot more complicated than I had
originally planned.  If there's already some software out there that does
this, I'd love to get my hands on it.

--chip

-- 
Just my $.02, your mileage may vary, batteries not included, etc


Re: [c-nsp] OT: network inventory

2008-08-19 Thread Mike Louis
You can use a tool from the cisco partner site called Cisco Network Discovery 
Tool. It will categorize every module in IOS/CatOS devices and output them to 
excel spreadsheets. It lists all EOL hardware and Software as well as serial 
numbers and such per device and module. It's great for smartnet renewals and 
tracking. You have to be a partner to use it though but it works well. I use it 
all the time. It also lists what IOS have PSIRT etc and provides links to the 
cisco PSIRT site.

Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chip
Sent: Tuesday, August 19, 2008 9:57 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: network inventory

So far all of the software that's been presented will autodiscover devices
and backup configs and such.  Is there anything around that will actually
take inventory of a router.  By inventory I mean, list of cards, model
numbers, serial numbers, pluggable optics, etc.  I've been working on
scripts to do this and it's become a lot more complicated than I had
originally planned.  If there's already some software out there that does
this, I'd love to get my hands on it.

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc


Re: [c-nsp] OT: network inventory

2008-08-19 Thread gordon
I've had pretty good luck with nedi so far:

http://www.nedi.ch/

On Tue, 19 Aug 2008 09:56:42 -0400
chip [EMAIL PROTECTED] wrote:

> So far all of the software that's been presented will autodiscover
> devices and backup configs and such.  Is there anything around that
> will actually take inventory of a router.  By inventory I mean, list
> of cards, model numbers, serial numbers, pluggable optics, etc.  I've
> been working on scripts to do this and it's become a lot more
> complicated than I had originally planned.  If there's already some
> software out there that does this, I'd love to get my hands on it.
>
> --chip
 


Re: [c-nsp] OT: network inventory

2008-08-19 Thread Lamar Owen
On Tuesday 19 August 2008 09:56:42 chip wrote:
> So far all of the software that's been presented will autodiscover devices
> and backup configs and such.  Is there anything around that will actually
> take inventory of a router.  By inventory I mean, list of cards, model
> numbers, serial numbers, pluggable optics, etc. 

So you want to issue a 'show inventory raw' command and capture the results, 
essentially, right?

Seems rancid could do this, as it can produce arbitrary scripts and diff the 
results; perhaps a rancid expert here (which I'm not) can further comment.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
http://www.pari.edu


Re: [c-nsp] OT: network inventory

2008-08-19 Thread Ian MacKinnon

hi Chip,
chip wrote:

So far all of the software that's been presented will autodiscover devices
and backup configs and such.  Is there anything around that will actually
take inventory of a router.  By inventory I mean, list of cards, model
numbers, serial numbers, pluggable optics, etc.  I've been working on
scripts to do this and it's become a lot more complicated than I had
originally planned.  If there's already some software out there that does
this, I'd love to get my hands on it.

--chip


CiscoWorks does all that magic inventory stuff.
Costs though :-(

You can then do all sorts of queries, eg tell me all the routers running 
12.x with a WIC because there is a vulnerability.



On recent IOS's show inventory does what you want, but it is not 
supported everywhere.





Re: [c-nsp] OT: network inventory

2008-08-19 Thread chip
On Tue, Aug 19, 2008 at 10:24 AM, Lamar Owen [EMAIL PROTECTED] wrote:

> On Tuesday 19 August 2008 09:56:42 chip wrote:
> > So far all of the software that's been presented will autodiscover devices
> > and backup configs and such.  Is there anything around that will actually
> > take inventory of a router.  By inventory I mean, list of cards, model
> > numbers, serial numbers, pluggable optics, etc.
>
> So you want to issue a 'show inventory raw' command and capture the results,
> essentially, right?
>
> Seems rancid could do this, as it can produce arbitrary scripts and diff the
> results; perhaps a rancid expert here (which I'm not) can further comment.
> --
> Lamar Owen
> Chief Information Officer
> Pisgah Astronomical Research Institute
> 1 PARI Drive
> Rosman, NC  28772
> http://www.pari.edu


'show inventory raw'

How have I missed this command for so long?  That's perfect!

Thanks sir!

Now to parse, put into xml, and track the changes.  Lots easier than dealing
with snmp, different platforms, different os versions.

--chip

-- 
Just my $.02, your mileage may vary, batteries not included, etc
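
The parse, XML and change-tracking steps mentioned in the message above, as an added example that is not code from any poster in this thread. It assumes the usual two-line `NAME/DESCR` then `PID/VID/SN` record layout of `show inventory` output; the function names, hostnames and sample snapshots are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Assumed record layout of "show inventory" output, two lines per component:
#   NAME: "<name>", DESCR: "<description>"
#   PID: <product id>, VID: <version id>, SN: <serial>
# PID, VID and SN may be blank, so SN only skips spaces/tabs before its value;
# otherwise an empty serial would swallow the next record's "NAME:".
RECORD_RE = re.compile(
    r'NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"\s*'
    r'PID:\s*(?P<pid>[^,]*?)\s*,\s*VID:\s*(?P<vid>[^,]*?)\s*,'
    r'\s*SN:[ \t]*(?P<sn>\S*)'
)

def parse_inventory(text):
    """Return one dict (name, descr, pid, vid, sn) per component record."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def to_xml(hostname, items):
    """Serialise one device's components; ElementTree escapes the values."""
    root = ET.Element("device", {"hostname": hostname})
    for item in items:
        ET.SubElement(root, "component", dict(item))
    return ET.tostring(root, encoding="unicode")

def diff_inventory(old, new):
    """Compare two snapshots of one device, keyed by component NAME.

    'changed' covers a different PID or serial in the same slot, i.e. a
    hardware swap that nobody may have recorded.
    """
    old_by = {i["name"]: i for i in old}
    new_by = {i["name"]: i for i in new}
    return {
        "added": sorted(new_by.keys() - old_by.keys()),
        "removed": sorted(old_by.keys() - new_by.keys()),
        "changed": sorted(n for n in old_by.keys() & new_by.keys()
                          if old_by[n] != new_by[n]),
    }

def find_by_pid(fleet, pattern):
    """Hostnames in fleet ({hostname: items}) carrying a PID matching the
    shell-style pattern, e.g. to scope an advisory to affected hardware."""
    return sorted(host for host, items in fleet.items()
                  if any(fnmatchcase(i["pid"], pattern) for i in items))

# Constructed sample snapshots (not captured from a real device).
SAMPLE_BEFORE = '''\
NAME: "2811 chassis", DESCR: "2811 chassis, sample entry"
PID: CISCO2811         , VID: V01 , SN: SAMPLE0001

NAME: "WAN Interface Card on Slot 0 SubSlot 0", DESCR: "WIC serial card, sample entry"
PID: WIC-1T            , VID:     , SN: SAMPLE0002

NAME: "GigabitEthernet0/1 optic", DESCR: "pluggable optic, sample entry"
PID: GLC-SX-MM         , VID: V01 , SN: SAMPLE0003
'''

SAMPLE_AFTER = '''\
NAME: "2811 chassis", DESCR: "2811 chassis, sample entry"
PID: CISCO2811         , VID: V01 , SN: SAMPLE0001

NAME: "WAN Interface Card on Slot 0 SubSlot 0", DESCR: "WIC serial card, sample entry"
PID: WIC-1T            , VID:     , SN: SAMPLE0009

NAME: "High Speed WAN Interface Card on Slot 0 SubSlot 1", DESCR: "async card, sample entry"
PID: HWIC-8A           , VID: V01 , SN: SAMPLE0004
'''

if __name__ == "__main__":
    before = parse_inventory(SAMPLE_BEFORE)
    after = parse_inventory(SAMPLE_AFTER)
    print(to_xml("rtr-a.example.net", before))
    print(diff_inventory(before, after))
    print(find_by_pid({"rtr-a": before, "rtr-b": after}, "HWIC-*"))
```

Feeding it the per-device output saved by whatever collects the command (rancid was suggested above) gives a per-run diff in which a changed serial in an unchanged slot stands out.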


Re: [c-nsp] Queuing on 1 Gig transit interfaces

2008-08-19 Thread Rodney Dunn
Exactly. Some folks think they need it just to say they are doing
fancy qos. ;)

If you want to put a MQC policy on the interface they can.

But don't do it at those rates on the 7500 as you will kill the
VIP CPU. They need a hardware forwarding platform to do those
rates with QOS.

Rodney

On Tue, Aug 19, 2008 at 11:43:59AM +0200, David Granzer wrote:
 Hello,
 
 if the interface is GigE with traffic at around 300Mb/s and there is
 not any other back pressure mechanism like traffic shaping then there
 is no congestion on the interface and congestion management like WFQ is
 not in use.
 
 David
 
 
 the congestion management is used only when
 
 On 8/19/08, Nic Tjirkalli [EMAIL PROTECTED] wrote:
 
   howdy ho,
 
   we have some transit interfaces that are GIG E interfaces on CISCO 7500
   and 7600 boxes. these interfaces run at most at around 300 Meg.
 
   The current queuing scheme on them is FIFO.
 
   we have some operational folk who are making sounds that they want the
   queuing to be WFQ as these boxes are pushing a mix of internet traffic and
   VOIP packets (RTP packets)
 
   My feelings are to leave the queuing as FIFO but was wondering if others
   had some feelings or experience in this
 
   thanking you in advance for any thoughts or info
 
   later
 
 
 
  -
   Knowledge speaks, but wisdom listens.
 
   Nic Tjirkalli
   Verizon Business South Africa
   Network Strategy Team
 


Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

2008-08-19 Thread Ben Steele

omg terrible formatting, apologies everyone! damn webmail client...

- Original Message - 
From: [EMAIL PROTECTED]

To: cisco-nsp@puck.nether.net; Scott Lambert [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2008 1:25 PM
Subject: Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup





Hi Scott,

Try this:

Seeing as you are working statics over your wireless cloud, to
simplify things a little set up a GRE tunnel from your 7200 over the
wireless to the 1841 (don't forget to subtract 24 bytes off the MTU,
i.e. if it's a 1500 path put ip mtu 1476 in the tunnel interface, and
also add keepalives so it will actually go down if it is down), and I
assume your T1 is point to point from the other 1841 to the 7200.

Now assuming this is going to be a redundant configuration as well
as load-balanced, you need to have a subnet that can float between the
2 links that your customer can NAT against (which by the way will
happen on the ASA they got sold). There are 2 ways you can achieve
this: 1 is by using ip sla to monitor the next hop of each of the
customer links from your 7200 with statics, the other is private BGP.
You sure as hell don't want to start running an IGP to your
customers (unless it's MPLS VPN).

Let's say you assign your customer 1.0.0.0/27 as their usable
floating subnet and the T1 is 2.0.0.1/30 at your end and your GRE
tunnel (wireless) is 2.0.0.5/30 at your end.

Set up ip sla with icmp echo to 2.0.0.2 and 2.0.0.6 (each in their
own rtr group of course, say 1 and 2 respectively).

ip route 1.0.0.0 255.255.255.224 2.0.0.2 track 1
ip route 1.0.0.0 255.255.255.224 2.0.0.6 track 2

Hope that makes sense; essentially traffic will only route to your
customer if your 7200 can ping their respective 1841. The other
private BGP option I am going to assume you are already familiar with,
being in an ISP.

Now for the customer to you.

AFAIK the ASA cannot load balance, it can only forward out 1
interface at a time.

So what you need to do is put the ASA and the 2 1841 interfaces into
a switch so they can all see each other at layer 2. Now set up hsrp on
your 1841 interfaces for redundant gateways, let's say you use
1.0.0.1 (t1), 1.0.0.2 (wireless), 1.0.0.3 (hsrp). Now the next part is a
little trickier; I am going to assume your T1 is your primary link for
this example but you can switch it around if you want.

On your T1 1841 add a static route for the wireless /30 to go via
the LAN interface of the wireless 1841 (ip route 2.0.0.4
255.255.255.252 1.0.0.2). You should now be able to ping the ISP end of
the wireless link from your T1 1841. You want to set up ip sla to
monitor the ISP end of the wireless link from your T1 router (i.e. the T1
router is monitoring 2.0.0.5) and you also want to monitor its end of
the T1 link as well, 2.0.0.1.

What this does is let your primary gateway know that it has a
complete and valid path for both gateways for redundancy.

Now you add 2 static routes with tracking on your primary 1841:

ip route 0.0.0.0 0.0.0.0 2.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 1.0.0.2 track 2

Your wireless 1841 need only have the 1 gateway via its wireless
tunnel, as it should only ever fall over to that router if there is a
serious problem on the primary side so you don't want it routing back
that way anyway; however make sure you enable pre-empt so it fails
back to the primary once it is back up.

You can optimise this a little further with the global command ip
cef load-sharing algorithm include-ports destination source, or if
you're game you can even do per-packet load sharing; however I wouldn't
recommend it as your 2 paths are going to have different
characteristics. I'd probably just try the method I listed first.

As mentioned previously the ASA config will just be straightforward:
NAT/PAT against some pool in 1.0.0.0/27 with a default route to
1.0.0.3 (hsrp), nothing more to it; the 1841s will do all the
redundancy and load balancing.

Hope at least some of that made sense, if you need clarification on
anything let me know.

Cheers
Ben

On Tue 19/08/08 9:06 AM , Scott Lambert [EMAIL PROTECTED] sent:
 I have a customer who went directly to cisco to ask about how to load
 balance two WAN connections to their Cisco PIX 515E. Cisco sold them an
 ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
 ASA and 1841s. Apparently, the customer didn't even mention that the
 two connections were to the same ISP, me. The customer just ordered the
 equipment and said Make it work.

 The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless
 network.

 Cisco sales tech guy said:

  What we discussed was the ASA having a default route to the virtual
  IP address of the routers and they would be running either VRRP or
  GLBP (whatever they decided they wanted to do) going out to the
  service provider. Then the routers would simply have a default route
  going out to the service provider to hit the 'Net.

 The network design is 

Re: [c-nsp] debugging stack corruption

2008-08-19 Thread Rodney Dunn
How are you getting this output?

If you ssh/telnet to it and run the command do you get the same output?

That's not stack corruption to me.

Rodney

On Mon, Aug 18, 2008 at 01:10:44PM -0700, bill fumerola wrote:
 
 anyone see anything like this. i assume only a reload will fix this:
 
 rtr1#sh proc cpu | e 0.0
 CPU utilization for five seconds: 33%/8%; one minute: 37%; five minutes:
 35%
  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 3528125122320274973 22 23.35% 20.79% 20.97%   0 Exec  
   
70   3616544001417549298255  0.15%  0.11%  0.12%   0 IP Input  
   
   115  4851843096833738  0  0.15%  0.14%  0.15%   0 HQF Shaper 
 Backg
 rtr1#
 
 nobody else is logged on, little to no amount of traffic is running
 through the aux/cons ports, but this is interesting:
 
 rtr1#show stacks
 Minimum process stacks:
  Free/Size   Name
  5676/6000   CDP BLOB
  8640/9000   EM ED RF
 11052/12000  Router Init
  8676/9000   cdp init process
  8348/12000  Init
  5304/6000   RADIUS INITCONFIG
  3616/6000   BGP Open
  2264/3000   Rom Random Update Process
  5616/6000   URPF stats
  5316/6000   BGP Accepter
  9248/12000  Exec
  7176/12000  SSH Process
  4264/6000   TFTP Read Process
  4204/6000   MSDP Open
 34540/36000  TCP Command
  5236/7200   TTY Daemon
  8496/9000   IP-EIGRP Router
  3360/6000
 d^\ytd^[^P^Ld^\zTd^[`Dd^[I$d^\^[Td^[T^Dd^\y^Dd^\^P[EMAIL 
 PROTECTED]d^\^B,[EMAIL PROTECTED])$d^[pLd^[|^\d^\
 ,d^[mdd^\^Nld^\
 dd^[  4d^[Qd^[^V^\d^\1dd^[1d^[O4d^[|Dd^\^Pd^[^Ydd^[e\d^[)$d^[NTd^[
 4d^[1^Dd^[`Td^[{td^[^E^\d^[md^[^Z^Ld^[8d^[}^Dd^[j^\d^\^Q|d^[x^\d^[u^\d^\
 ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[
 ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\
 ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\
 ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[
 \d^[^Add^[^Q\d^[^QLd^[
 ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^Dd^[x$d^[^^Dd^[
 ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,[EMAIL
  
 PROTECTED]^Dd^\,$d^\+Dd^\,4d^[^Dd^\`^Dd^[^VTd^[k4d^[P^Td^[a$d^[$d^[^V^\d^[^Utd^[mdd^[^Ytd^[|^Ld^[^L^Ld^\^ALd^[#^Dd^[e\d^[f^Dd^\^FTd^[^Pld^[^B|d^[n^\d^[d4d^[H|d^[^Rtd^[^N^Td^Td^[^Td^[{,d^[+dd^[`Td^[.^Dd^[s\d^[^ETd^[^Z^Ld^[
 $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\
 dd^[
 Ld^[)$d^[#td^[1d^[^E|d^[^_Ld^[KTd^[
 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[
 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[Md^[.,d^[]ld^[Qd^[U^\d^[~td^[l$d^[8d^[6^Ld^[^F4d^[^Odd^\^O$d^[^Kd^[^Nd^[^K^Dd^[^W4d^[_,d^[p^Dd^[+^\d^[N,d^[$Td^[~^\d^[eLd^[NTd^[
 ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~d^\
 ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[?d^[md^[
 d^[o4d^[wd^[yd^[*d^\^Pd^[u|d^[^Ydd^\^Pdd^[^Yd^[D|d^\^P,d^[.td^\^Nld^\^N4d^[|Dd^[$^\d^[jTd^[q,d^[j^\d^[\Td^\^Q|d^[f,d^[^D,d^[gDd^[x^\d^[]4d^\Dd^[w^Ld^[bLd^[L\d^[
 Dd^[dld^[.d^[Lld^\   td^\4d^\ld^^Td^\d^\ d^\
 ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\
  6856/9000
 d^\^[Td^[T^Dd^\y^Dd^\^P[EMAIL PROTECTED]d^\^B,[EMAIL 
 PROTECTED])$d^[pLd^[|^\d^\
 ,d^[mdd^\^Nld^\
 dd^[  4d^[Qd^[^V^\d^\1dd^[1d^[O4d^[|Dd^\^Pd^[^Ydd^[e\d^[)$d^[NTd^[
 4d^[1^Dd^[`Td^[{td^[^E^\d^[md^[^Z^Ld^[8d^[}^Dd^[j^\d^\^Q|d^[x^\d^[u^\d^\
 ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[
 ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\
 Minimum process stacks:
  Free/Size   Name
 ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\
 ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[
 \d^[^Add^[^Q\d^[^QLd^[
 ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^Dd^[x$d^[^^Dd^[
 ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,[EMAIL
  
 PROTECTED]^Dd^\,$d^\+Dd^\,4d^[^Dd^\`^Dd^[^VTd^[k4d^[P^Td^[a$d^[$d^[^V^\d^[^Utd^[mdd^[^Ytd^[|^Ld^[^L^Ld^\^ALd^[#^Dd^[e\d^[f^Dd^\^FTd^[^Pld^[^B|d^[n^\d^[d4d^[H|d^[^Rtd^[^N^Td^Td^[^Td^[{,d^[+dd^[`Td^[.^Dd^[s\d^[^ETd^[^Z^Ld^[
 $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\
 dd^[
 Ld^[)$d^[#td^[1d^[^E|d^[^_Ld^[KTd^[
 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[
 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[Md^[.,d^[]ld^[Qd^[U^\d^[~td^[l$d^[8d^[6^Ld^[^F4d^[^Odd^\^O$d^[^Kd^[^Nd^[^K^Dd^[^W4d^[_,d^[p^Dd^[+^\d^[N,d^[$Td^[~^\d^[eLd^[NTd^[
 ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~d^\
 ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[?d^[md^[
 d^[o4d^[wd^[yd^[*d^\^Pd^[u|d^[^Ydd^\^Pdd^[^Yd^[D|d^\^P,d^[.td^\^Nld^\^N4d^[|Dd^[$^\d^[jTd^[q,d^[j^\d^[\Td^\^Q|d^[f,d^[^D,d^[gDd^[x^\d^[]4d^\Dd^[w^Ld^[bLd^[L\d^[
 Dd^[dld^[.d^[Lld^\   td^\4d^\ld^^Td^\d^\ d^\
 ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\
 10468/12000  HSRP (Standby)
 
 Interrupt level stacks:
 LevelCalled Unused/Size  Name
   1  2648551315   6280/9000  Network interfaces
   2   0   9000/9000  DMA/Timer 

Re: [c-nsp] OT: network inventory

2008-08-19 Thread Giany
I see a lot of people ask about this. Here are my 2 cents:

I have set this up using rancid and some perl scripts. If you manage to install
rancid then the perl script should contain:

1. variables with: rancid config files, router.db, snmp community
2. vars with port type for cisco/cat/juniper, something like ( %switchports = (WS-X5225R,24|100baseTX,)
3. get the list of devices you have:
   something like: my @devcisco = `cat router.db | grep -i :up: | grep -i cisco | cut -f1 -d:`;
   the same for the rest of devices
4. then for the list of devices you have get the infos you need (slot, port, ip..)



--- On Tue, 8/19/08, Lamar Owen [EMAIL PROTECTED] wrote:
From: Lamar Owen [EMAIL PROTECTED]
Subject: Re: [c-nsp] OT: network inventory
To: cisco-nsp@puck.nether.net
Date: Tuesday, August 19, 2008, 7:24 AM

On Tuesday 19 August 2008 09:56:42 chip wrote:
 So far all of the software that's been presented will autodiscover
devices
 and backup configs and such.  Is there anything around that will actually
 take inventory of a router.  By inventory I mean, list of cards, model
 numbers, serial numbers, pluggable optics, etc. 

So you want to issue a 'show inventory raw' command and capture the
results, 
essentially, right?

Seems rancid could do this, as it can produce arbitrary scripts and diff the 
results; perhaps a rancid expert here (which I'm not) can further comment.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
http://www.pari.edu


[c-nsp] Transmit Discards Across MLPPP

2008-08-19 Thread Jeffrey Wojciechowski
Hi All:

I am new to this forum so not sure if this is a good place to ask this question.

What's the best way to troubleshoot transmit discards across MLPPP?

Here is my setup and symptoms:

-Cisco 2821 with 3x VWIC1-1MFT making up the multilink @ 1536 bandwidth (IPBASE 
image)
-I am polling that router via SNMP with Solarwinds Orion @ 1 min intervals
-today bandwidth (Sending) across multilink max of 2.05mbps
-95th percentile on sending utilization is 33.74%
-today dropped packets so far 1,418
-show policy-map interface shows no drops in the ef queue (for our voip) so all 
drops are falling thru to our class-default which is using flow based fair 
queuing
-drops only show @ multilink interface (sh int multilink123) not at the T1 
interface level (sh int s0/2/0:0, sh int s0/2/1:0 and sh int s0/1/0:0)
-I don't show any lost fragments (sh int multilink ppp) nor does the provider on 
the other end of this circuit)

My understanding is that the router should only be discarding if the sending 
interface is congested but it's not. I am concerned about these drops while the 
utilization is fairly low. Drops do increase as traffic increases on the link.

Any guidance/advice would be very much appreciated.

If this has been asked and answered in another thread, please point me in the 
right direction.

Thanks!

Jeff Wojciechowski




Re: [c-nsp] Transmit Discards Across MLPPP

2008-08-19 Thread Rodney Dunn
On a Cisco bundle we do QOS before putting the MLPPP headers on.
That prevents a lot of out of orders if you do QOS after putting
the MLP headers on.

So what you are seeing sounds correct.

You are most likely bursting above the bundle rate coming from
your LAN going towards the bundle so the QOS kicks in, prioritizes the
traffic, and drops the lower priority.

Rodney


On Tue, Aug 19, 2008 at 10:12:50AM -0500, Jeffrey Wojciechowski wrote:
 Hi All:
 
 I am new to this forum so not sure if this is a good place to ask this 
 question.
 
 What's the best way to troubleshoot transmit discards across MLPPP?
 
 Here is my setup and symptoms:
 
 -Cisco 2821 with 3x VWIC1-1MFT making up the multilink @ 1536 bandwidth 
 (IPBASE image)
 -I am polling that router via SNMP with Solarwinds Orion @ 1 min intervals
 -today bandwidth (Sending) across multilink max of 2.05mbps
 -95th percentile on sending utilization is 33.74%
 -today dropped packets so far 1,418
 -show policy-map interface shows no drops in the ef queue (for our voip) so 
 all drops are falling thru to our class-default which is using flow based 
 fair queuing
 -drops only show @ multilink interface (sh int multilink123) not at the T1 
 interface level (sh int s0/2/0:0, sh int s0/2/1:0 and sh int s0/1/0:0)
 -I don't show any lost fragments (sh int multilink ppp) nor does the provider 
 on the other end of this circuit)
 
 My understanding is that the router should only be discarding if the sending 
 interface is congested but it's not. I am concerned about these drops while 
 the utilization is fairly low. Drops do increase as traffic increases on the 
 link.
 
 Any guidance/advice would be very much appreciated.
 
 If this has been asked and answered in another thread, please point me in the 
 right direction.
 
 Thanks!
 
 Jeff Wojciechowski
 
 


Re: [c-nsp] OT: network inventory

2008-08-19 Thread Laurent Geyer
On Tue, Aug 19, 2008 at 9:56 AM, chip [EMAIL PROTECTED] wrote:

 So far all of the software that's been presented will autodiscover devices
 and backup configs and such.  Is there anything around that will actually
 take inventory of a router.  By inventory I mean, list of cards, model
 numbers, serial numbers, pluggable optics, etc.  I've been working on
 scripts to do this and it's become a lot more complicated than I had
 originally planned.  If there's already some software out there that does
 this, I'd love to get my hands on it.


Checkout Ziptie. It's still a work in progress and things tend to change
around a bit, but the core framework is there and looks very promising.

The hardware inventory may not go as far as giving you details on the
pluggable optics, but it covers the linecard inventory pretty well as of
right now, and the dev team encourages feedback/feature requests.

http://www.ziptie.org/files/images/Screenshot-ZipTie%20-%20Hardware%20Model%20-%20ZipTie%20.preview.png

I'm still in the 'playing around' stage with it, but I'm giving serious
consideration to putting it into production.

Cheers,

Laurent


Re: [c-nsp] voice call drop on as5400

2008-08-19 Thread a0kunev
Hi Alex,

this is CAS  with em, unfortunately.

T1s configured as

signaling-class cas test
 profile incoming S*a*d*n

controller T1 7/0:1
 framing esf
 ds0-group 0 timeslots 1-24 type em-fgb dtmf dnis
 cas-custom 0
 class test
!
controller T3 7/0
 framing m23
 clock source line
 t1 1-28 controller
!

I don't see much debug info regarding the issue, enabled debugs for:
CAS:
 Channel Associated Signaling debugging is on
Call Management:
 Call Management debugging is on
Call-denial module:
 Call-denial debugging is on
Call Treatment:
 Call treatment action debugging is on

Our issue rate is quite high, about 1000 rejections on 5000-6000 calls
every day.

Regards, Andrei

On Tue, Aug 19, 2008 at 4:59 PM, Alex Balashov
[EMAIL PROTECTED] wrote:

 Is there anything that can be gleaned from either the debug on the SIP side
 or the ISDN (are these PRIs?) side?  (debug isdn q931)

 On Tue, August 19, 2008 8:36 am, a0kunev wrote:
 Hello

 I would like to share the problem we recently got on our network. We have
 DS3 coming to as5400, that converting PSTN calls to VOIP. We're handling
 only incoming calls, so the dial-peer config is simple, one voice and one
 voip provider. Recently we've started receiving complaints from our
 customers on dead air and drops during their conferences. The issues
 looked like this - person dialed to the DID and nobody answered during
 10-120 seconds, then the call terminated by timeout.

 recently we're able to reproduce this, with debug 'call-mgmnt' it's
 dumping the following on console:
 Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
 received
 Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
 received
 Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
 received
 Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
 received
 Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3
 Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3
 Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3
 Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3

 I've checked with tcpdump cisco do not send anything to IP bridge to
 establish the call at that time. Telco says they see a lot of rejected
 calls from our side, but there is nothing on our end(I have not seen yet)

 as5400 were recently updated to 12.4(9)T4.

 Please advise on how to debug this problem.
 regards, Andrei



 --
 Alex Balashov
 Evariste Systems
 Web: http://www.evaristesys.com/
 Tel: (+1) (678) 954-0670
 Direct : (+1) (678) 954-0671
 Mobile : (+1) (706) 338-8599




Re: [c-nsp] debugging stack corruption

2008-08-19 Thread bill fumerola
On Tue, Aug 19, 2008 at 10:41:05AM -0400, Rodney Dunn wrote:
 How are you getting this output?

ssh rtr1
en
sh stacks

 If you ssh/telnet to it and run the command do you get the same output?

it is not signal noise (serial spew, ip corruption, etc).

 That's not stack corruption to me.

i'll try and profile the exec process, but i'm not so good w/ profiling
and tracing w/o at least symbols.

there is also the matter of the 30% solid EXEC process. however, the
switch that device is attached to (both in network and by serial via
rtr1:auxsw1:cons) is exhibiting the same behavior. it could be a feedback
loop on the serial connection, but i've tried turning all of that down
and still no relief. the jump occurred to both at the same time.

it could just be corruption in the display, but the CPU spike is what
made me investigate in the first place.

-- bill

  rtr1#show stacks
  Minimum process stacks:
   Free/Size   Name
[...]
   3360/6000
   6856/9000
  10468/12000  HSRP (Standby)
  
  Interrupt level stacks:
  LevelCalled Unused/Size  Name
1  2648551315   6280/9000  Network interfaces
2   0   9000/9000  DMA/Timer Interrupt
3  185107   7472/9000  PA Management Int Handler
4  1715750501   8444/9000  Console Uart
5   0   9000/9000  OIR/Error Interrupt
7  3207930022   8532/9000  NMI Interrupt Handler
  
  Spurious interrupts: 233
  rtr1#
  
  and on a different router:
  
  rtr1.chi#sh stacks
  Minimum process stacks:
   Free/Size   Name
  []
   

Re: [c-nsp] OT: network inventory

2008-08-19 Thread Mathias Spoerr
 So far all of the software that's been presented will autodiscover 
devices
 and backup configs and such.  Is there anything around that will 
actually
 take inventory of a router.  By inventory I mean, list of cards, model
 numbers, serial numbers, pluggable optics, etc.  I've been working on
 scripts to do this and it's become a lot more complicated than I had
 originally planned.  If there's already some software out there that 
does
 this, I'd love to get my hands on it.
 

wktools will also do this - it first collects all of the needed 
information with SSH/Telnet and then parses it. You will get the S/Ns of 
the chassis and all modules, power supplies... show inventory raw is not 
available on all platforms and versions...

Mathias


Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

2008-08-19 Thread Scott Lambert
On Mon, Aug 18, 2008 at 09:02:27PM -0700, Seth Mattinen wrote:
 Scott Lambert wrote:
  I have a customer who went directly to cisco to ask about how to load
  balance two WAN connections to their Cisco PIX 515E.  Cisco sold them an
  ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
  ASA and 1841s.  Apparently, the customer didn't even mention that the
  two connections were to the same ISP, me.  The customer just ordered the
  equipment and said Make it work.
 
 Whoever sold them on that solution should be the one to make it work. ;)
 
Wouldn't that be nice though? :-)

I'd like to thank everyone for their replies.  I've learned quite a lot
from them.  I'll be doing more reading and testing with the suggested
methods.  We'll see what happens.  I think I'm going to punt on the load
balancing for now and just get it working in failover mode.

I'll reply back when I know more and can ask intelligent follow-up
questions.

I had a thought on load balancing though, maybe I could hook both 1841s
and the wireless ethernet handoff to a switch and get VRRP working on
that side so that if the T1 router is up, then traffic can use both
the wireless and T1 via whatever method but if the T1 router died, the
wireless only router could take over.

Thank you so much for your help!  I don't feel so much like a fish out
of water now.

-- 
Scott LambertKC5MLE   Unix SysAdmin
[EMAIL PROTECTED]



Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

2008-08-19 Thread Frank Bulk
If you can do (private) BGP, this document may help:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf3

Frank



[c-nsp] Cisco ASA - Export rules

2008-08-19 Thread Artur Renato Araujo da Silva
Hi,

I would like to export the ASA rules to a HTML file (without using ASDM).

Does anyone know a way (script?) to parse the ACLs and export to HTML?


Tks
Artur



Re: [c-nsp] Cisco ASA - Export rules

2008-08-19 Thread Teller, Robert
I use this script to parse my pix acls and export them to an excel file.


Re: [c-nsp] Cisco ASA - Export rules

2008-08-19 Thread Teller, Robert
'Created by Robert Teller
WScript.Echo "This script will take a minute or two to run" & vbCrLf & "Please be patient"

Const ForReading = 1

'Looks for CF acl query
WSArg = Wscript.arguments.Count

If WSArg < 1 Then
    WScript.Echo "Please select a valid source"
    WScript.Quit
End If

PixACL = Wscript.arguments.Item(0)

set ObjExcel = createobject("excel.application")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = FSO.OpenTextFile(PixACL, ForReading)

'Names excel file
EName = Split(WScript.ScriptName, ".")(0) & ".xls"
EName = Replace(WScript.ScriptFullName,WScript.ScriptName,EName)


'Text files for output
OFiles = Split(WScript.ScriptName, ".")(0) & ".xls"

If fso.FileExists(Ename) Then fso.DeleteFile(Ename)


ObjExcel.workbooks.Add
ObjExcel.Worksheets.Add.Name = "Main"

XRules = 0

For Each Sheet In ObjExcel.Worksheets
    If sheet.name <> "Main" Then
        sheet.usedrange.delete
        sheet.delete
    End If
Next


ObjExcel.Worksheets.Add.Name = "Rules"
ObjExcel.Worksheets("Rules").move ObjExcel.Sheets(2)
Rules "DMZ" ,"Line" ,"Action" ,"Protocol" ,"Source" ,"SrcPort" ,"dest" ,"DstPort" ,"HitC" ,"Inactive" ,"LogLevel" ,"LogInterval"
'   ObjExcel.Worksheets("Rules").activate
'   ObjExcel.Cells(1,1).value = "DMZ" 'acl_dmzname
'   ObjExcel.Cells(1,2).value = "Line #" 'line ###
'   ObjExcel.Cells(1,3).value = "Action" 'Permit/deny
'   ObjExcel.Cells(1,4).value = "Protocol" 'ICMP/TCP/UDP
'   ObjExcel.Cells(1,5).value = "Source"
'   ObjExcel.Cells(1,6).value = "Destination"
'   ObjExcel.Cells(1,7).value = "Port #" 'http/https.
'   ObjExcel.Cells(1,8).value = "Hit Count" 'hitcnt=...
'   ObjExcel.Cells(1,9).value = "Inactive" 'hitcnt=...



Do Until objTextFile.AtEndOfStream
    If IsEmpty(text) Then
        Text = objTextFile.Readline
        Text = Replace(Text,"access-list ","")
    Else
        Text = Text & objTextFile.Readline
    End If
Loop


AclArray = Split(text,"access-list ")



x = 1
For Each AccessList In AclArray
    'Make sure the line Is a valid acl
    ACLCheck = Split(AccessList," ")
    If UBound(ACLCheck) > 3 Then
        If ACLCheck(3) <> "remark" Then
            PixParse AccessList
        End If
    End If
Next

Sub PixParse(ACL)
    'Converts object-group to Group
    If InStr(ACL,"object-group") Then ACL = Replace(ACL,"object-group","Group")

    'Checks if ACL is inactive
    If InStr(ACL," inactive ") Then
        Inactive = True
        ACL = Replace(ACL," inactive","")
    End If

    'Format and Remove logging information from variable Item
    If InStrRev(ACL," log ") And InStrRev(ACL," interval ") Then
        'Checks for matching log level
        LoGLevelB = InStr(ACL," log ") + 5
        LoGLevelE = InStr(LogLevelB,ACL, " ")
        LogLevel = Mid(ACL,LogLevelB,LogLevelE - LogLevelB)


        LogIntervalB = InStr(LogLevelE,ACL, " interval ") + 10
        LogIntervalE = InStr(LogIntervalB,ACL, " ")
        LogInterval = Mid(ACL,LogIntervalB, LogIntervalE - LogIntervalB)

        ACL = Replace(ACL," log " & Loglevel & " interval " & logInterval, "")
    End If

    '### DMZ ###
    DMZ = InStr(ACL," ")
    DMZ = Left(ACL,DMZ)
    '### DMZ ###

    '### Line ###
    LineB = InStr(ACL," line ") + 6
    LineE = InStr(LineB,ACL, " ")
    Line = "Line " & Mid(ACL,LineB, LineE - LineB)
    '### Line ###

    '### Action ###
    If InStr(ACL,"deny") Then
        Action = "Deny"
    ElseIf InStr(ACL,"permit") Then
        Action = "Permit"
    Else
        Action = "Other"
    End If
    '### Action ###

    '### Protocol ###
    Protocol = Split(ACL," ")(5)
    '### Protocol ###

    '### Src Host ###
    'Determine if src is Host,Subnet or Any
    SrcHost = Split(ACL," ")(6)
    Select Case SrcHost
        Case "host"
            SourceB = InStr(ACL, " host ") + 6
            SourceE = InStr(SourceB,ACL, " ")
            Source = "Host " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "Group"
            SourceB = InStr(ACL, " Group ") + 7
            SourceE = InStr(SourceB,ACL, " ")
            Source = "Group " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "any"
            Source = "Any"
            SourceE = InStr(ACL,SrcHost) + Len(SrcHost)
        Case Else
            SourceB = 

Re: [c-nsp] Cisco ASA - Export rules

2008-08-19 Thread Christian Koch
you could use nipper, which is a config auditor, so it will audit your
security policy and configuration, and you have the options to export
to xml, html, etc ..

http://sourceforge.net/projects/nipper/?abmode=1





Re: [c-nsp] OT: network inventory

2008-08-19 Thread Oliver Gorwits


Hi Chip,

chip wrote:
| Is there
| anything around that will actually take inventory of a router.
| By inventory I mean, list of cards, model numbers, serial
| numbers, pluggable optics, etc.


We use Netdisco for network discovery (both for switches/routers,
and connected end stations). It's written with Perl+Net-SNMP, has a
web front-end, and uses PostgreSQL storage:

http://netdisco.org/

(The version in CVS is -much- improved, and will be released RSN)

As for device inventory, the latest Netdisco code does all the
ENTITY-MIB work, and I've been working on graphically representing
that in the web UI:

http://sites.google.com/a/gapps.oxuni.org.uk/oliver/netdisco-frontpanels

Screenshot from above:
http://users.ox.ac.uk/~oliver/data/images/frontpanel/frontpanel_demo_c3750_stack.png

Next step is to generate SVG as an alternative to the vendor images.


I hope that helps, and provides ideas for your own scripts,

regards,
oliver.
--
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services


Re: [c-nsp] OT: network inventory

2008-08-19 Thread Stig Johansen
Check out NAV (Network Administration Visualized) at http://metanav.uninett.no/ 
as well. It gives full inventory of all devices as well as a load of other 
useful features..

Best regards,
Stig Meireles Johansen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chip
Sent: 19 August 2008 15:57
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: network inventory

So far all of the software that's been presented will autodiscover devices
and backup configs and such.  Is there anything around that will actually
take inventory of a router.  By inventory I mean, list of cards, model
numbers, serial numbers, pluggable optics, etc.  I've been working on
scripts to do this and it's become a lot more complicated than I had
originally planned.  If there's already some software out there that does
this, I'd love to get my hands on it.

--chip

-- 
Just my $.02, your mileage may vary, batteries not included, etc


Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?

2008-08-19 Thread Christian Koch
a 64bit route distinguisher and the 32bit ip address are used to
create vpnv4 address, which specifically solves the overlap problem



On Tue, Aug 19, 2008 at 9:19 PM, Andy Saykao
[EMAIL PROTECTED] wrote:
> Just wondering from those in the know, whether it's best practice to
> implement public or private IP's for the PE-to-CE link. What's everyone
> using and why?
>
> For our MPLS network, I've been asked by my Manager to use private IP's
> for the PE-CE link in order to give the customer the appearance that
> they are on a secure PRIVATE network due to private IP's being used.
> Although I tend to be more fond of using public IP's because it's a
> unique address space so you don't have to worry about overlapping IP
> addresses on the customer's end and secondly there's no configuration
> from the Service Provider's end should you need to remove the connection
> from the VRF to conduct further testing from the Internet because the
> connection is already using public IP's  (eg: for cases where the
> customer is complaining of slow speeds, packet loss, drop outs, etc and
> you want to test the individual connection and bypass their VPN).
>
> Thanks.
>
> Andy

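
The VPNv4 construction mentioned in the reply above (64-bit route distinguisher plus 32-bit IPv4 address), as an added Python example that is not part of the original thread. The customer names, RD values and prefixes are constructed; the RD layout follows RFC 4364.

```python
import ipaddress
import struct


def encode_rd(rd):
    """Encode 'ASN:nn' or 'A.B.C.D:nn' as the 8-byte route distinguisher of
    RFC 4364: a 2-byte type field followed by a 6-byte value field."""
    admin, _, number = rd.rpartition(":")
    number = int(number)
    if "." in admin:  # type 1: IPv4 address + 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    asn = int(admin)
    if asn <= 0xFFFF:  # type 0: 2-byte AS number + 4-byte assigned number
        return struct.pack("!HHI", 0, asn, number)
    return struct.pack("!HIH", 2, asn, number)  # type 2: 4-byte AS number


def vpnv4_prefix(rd, prefix):
    """Return (12-byte RD + IPv4 address, prefix length including the 64 RD bits)."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed, 64 + net.prefixlen


def build_tables(routes):
    """Install the same routes keyed by plain IPv4 prefix and by VPNv4 prefix."""
    ipv4, vpnv4 = {}, {}
    for customer, rd, prefix in routes:
        ipv4[ipaddress.IPv4Network(prefix)] = customer  # same key: last one wins
        vpnv4[vpnv4_prefix(rd, prefix)] = customer      # RD keeps the keys apart
    return ipv4, vpnv4


# Constructed sample: two customers whose PE-CE links were numbered out of the
# same RFC 1918 block. The RD values are hypothetical.
ROUTES = [
    ("customer-a", "65000:101", "10.0.0.0/30"),
    ("customer-b", "65000:102", "10.0.0.0/30"),
]

if __name__ == "__main__":
    ipv4, vpnv4 = build_tables(ROUTES)
    print("IPv4 table :", {str(k): v for k, v in ipv4.items()})
    for (addr, plen), customer in vpnv4.items():
        print(f"VPNv4 {addr.hex()}/{plen} -> {customer}")
```

The RD only keeps routes apart inside the provider's BGP tables; it does not make the PE-CE address itself reachable or unique from outside the VRF, which is the management concern raised elsewhere in the thread.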


Re: [c-nsp] Cisco ASA - Export rules

2008-08-19 Thread Church, Charles
In ASDM, there is a button under file called Show running configuration
in a new window.  That opens up a browser window with a URL something
like:
https://X.Y.Z.6/admin/exec/show%20running-config/show%20running-config%20asdm#
that shows the whole running config.

Probably nothing you couldn't get from an ssh session or expect script.
Use Grep or find on access-list and that should be it.

Chuck 

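
One way to do what this thread asks for, starting from the access-list lines of a saved running config: an added Python example, not code from any poster in the thread. The sample config is constructed, the parser covers only the common extended-ACL layout (action, protocol, source, destination, optional port operators), and anything else is kept as an "unparsed" row.

```python
import html

# Constructed sample, in the style of "show running-config | include access-list".
SAMPLE_CONFIG = """\
access-list outside_in remark Web servers <b>DMZ</b>
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended permit tcp any host 192.0.2.10 eq https log
access-list outside_in extended deny ip any any log
access-list dmz_in extended permit udp 198.51.100.0 255.255.255.0 object-group DNS_SERVERS eq domain inactive
access-list inside_nat0 standard permit 10.1.0.0 255.255.0.0
"""

FIELDS = ("acl", "action", "proto", "src", "sport", "dst", "dport", "notes")
PORT_OPS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}  # tokens consumed


def _take_addr(tok):
    """Pop one address specification off the front of the token list."""
    if not tok:
        return ""
    head = tok.pop(0)
    if head in ("any", "any4", "any6") or "/" in head:
        return head
    if tok:  # "host X", "object-group X", "interface X" or "network mask"
        return head + " " + tok.pop(0)
    return head


def _take_port(tok):
    """Pop an optional port operator (eq/neq/lt/gt/range) and its operands."""
    n = PORT_OPS.get(tok[0], 0) if tok else 0
    taken, tok[:] = tok[:n], tok[n:]
    return " ".join(taken)


def parse_acl_line(line):
    """Return a dict for one access-list line, or None for any other line."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "access-list":
        return None
    row = dict.fromkeys(FIELDS, "")
    row["acl"], rest = tok[1], tok[2:]
    if rest[0] == "line" and len(rest) > 2:  # "show access-list" adds "line N"
        rest = rest[2:]
    if rest[0] == "remark":
        row["action"] = "remark"
        row["notes"] = line.partition(" remark ")[2].strip()
        return row
    if rest[0] == "extended":
        rest = rest[1:]
    if len(rest) < 2 or rest[0] not in ("permit", "deny"):
        # Keep what cannot be parsed so the export never silently drops a rule.
        row["action"], row["notes"] = "unparsed", " ".join(tok[2:])
        return row
    row["action"], row["proto"] = rest.pop(0), rest.pop(0)
    if row["proto"] in ("object", "object-group") and rest:
        row["proto"] += " " + rest.pop(0)
    row["src"], row["sport"] = _take_addr(rest), _take_port(rest)
    row["dst"], row["dport"] = _take_addr(rest), _take_port(rest)
    row["notes"] = " ".join(rest)  # log, inactive, time-range, ICMP type ...
    return row


def acl_to_html(config_text):
    """Render every access-list line of a saved config as one HTML table."""
    rows = [r for r in map(parse_acl_line, config_text.splitlines()) if r]
    out = ["<table>", "<tr>" + "".join(f"<th>{f}</th>" for f in FIELDS) + "</tr>"]
    for r in rows:
        # Remarks and object names are free text from the config: escape every cell.
        cells = "".join(f"<td>{html.escape(r[f])}</td>" for f in FIELDS)
        out.append(f"<tr>{cells}</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    print(acl_to_html(SAMPLE_CONFIG))
```

Service object-groups used as port arguments are not distinguished from network object-groups here, so review rows whose destination column holds a group name before relying on the table for an audit.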


[c-nsp] Unable to connect VLAN traffic

2008-08-19 Thread Johnny Ramirez
We have layer 2 connectivity from our main office to an offsite facility where 
our servers reside. We are connected via fiber but it is not a dedicated circuit.

Recently I created a VLAN with the same ID on both switches (main office and 
offsite facility). I trunked the port on both ends but no traffic passes on 
this VLAN. Obviously only VLAN 1 works. According to a consultant the provider 
of the fiber connection needs to turn something on for us to be able to pass 
VLAN traffic other than VLAN 1's. What would be that something, he does not 
even know it himself.

Can anybody shed any light on this? We are urgently needing to have a separate 
VLAN for our VOIP traffic.
 
Thanks
 
John
 
 


  


Re: [c-nsp] Unable to connect VLAN traffic

2008-08-19 Thread Derick Winkworth
Q-in-Q



Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?

2008-08-19 Thread John Osmon
On Tue, Aug 19, 2008 at 09:41:09PM -0400, Christian Koch wrote:
> a 64bit route distinguisher and the 32bit ip address are used to
> create vpnv4 address, which specifically solves the overlap problem

I don't think the overlap is the real issue:

> > Although I tend to be more fond of using public IP's because it's a
> > unique address space so you don't have to worry about overlapping IP
> > addresses on the customer's end and secondly there's no configuration
> > from the Service Provider's end should you need to remove the connection
> > from the VRF to conduct further testing from the Internet because the
> > connection is already using public IP's

Using non-RFC1918 address means you have a guaranteed unique identifier
for the interface.  The non-overlap issue is a side effect of having a
unique identifier.


Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?

2008-08-19 Thread Mikael Abrahamsson

On Wed, 20 Aug 2008, Andy Saykao wrote:


> Just wondering from those in the know, whether it's best practice to
> implement public or private IP's for the PE-to-CE link. What's everyone
> using and why?


Best practice is to use public IP for the PE-CE link and then you admin 
the CE using that address. If you have a serial interface you can do this 
with a /32 routed towards the physical interface and use 
unnumbered/loopback, otherwise you have to use /30 or /31.


Using RFC1918 space creates huge potential of overlaps with customers, and 
a nightmare for management if you want your CE range to be unique per VPN, 
how are you going to reach your CEs via SNMP etc?


--
Mikael Abrahamsson    email: [EMAIL PROTECTED]


Re: [c-nsp] Unable to connect VLAN traffic

2008-08-19 Thread Johnny Ramirez

Justin,
 
I appreciate your well explained answer. So basically they would tell me what 
VLANs I should use for me to match them.
 
 
Thanks

John

--- On Tue, 8/19/08, Justin Shore [EMAIL PROTECTED] wrote:

From: Justin Shore [EMAIL PROTECTED] 
Subject: Re: [c-nsp] Unable to connect VLAN traffic
To: Johnny Ramirez [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Date: Tuesday, August 19, 2008, 9:41 PM

John,

Basically what this amounts to is that your transport provider is only 
accepting untagged Ethernet frames and thus only the one VLAN you 
previously used on your access interface.  You need the provider to 
accept tagged Ethernet frames so that tagged frames from each of your 
VLANs will be accepted for transport.  The provider may either dictate 
to you what VLAN IDs you must use.  They may use Q-in-Q (aka VLAN 
stacking) to assign their own tag in front of your tags.  This would 
give you the most flexibility and will keep you from having to work with 
them to allow future VLANs across the trunk.

Justin




  


Re: [c-nsp] Unable to connect VLAN traffic

2008-08-19 Thread Ryan Lambert
Johnny,

I think the better solution if your provider can accommodate, is to do
Q-in-Q instead of having to dictate what tags you can use. This allows you,
as Justin mentioned, to use your own tags across the circuit instead of
having to coordinate with them every time you need to add another VLAN, or
change something.

-Ryan




Re: [c-nsp] Unable to connect VLAN traffic

2008-08-19 Thread Justin Shore

Johnny Ramirez wrote:


> Justin,
>
> I appreciate your well explained answer. So basically they would tell me
> what VLANs I should use for me to match them.


That's one possibility.  Hopefully your SP has progressed beyond that 
point though and supports Q-in-Q.  It scales much better than 
integrating customer VLAN IDs with the SP's VLAN IDs.  With Q-in-Q 
they'll internally assign a VLAN ID to your access interface and will 
prepend that VLAN tag to whatever VLAN tags you hand them on your trunk 
port.  They'll switch that double-stacked Ethernet frame across their SP 
backbone to your other remote access interface.  That's of course an 
assumption based on what you wrote about shared fiber.  It's possible 
they're doing some sort of EoMPLS but the access edge will still likely 
be Q-in-Q to stuff multiple VLANs into a EoMPLS VC.


HTH
 Justin
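
The tag handling described in this reply, as an added Python example that is not part of the original message: a provider port that only takes untagged frames next to one that prepends its own tag (Q-in-Q) and strips it again at the far end. The MAC addresses, customer VLAN 200 and provider VLAN 3001 are constructed values, and the two port functions are a simplified model, not any vendor's behaviour.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag; some switches send 0x8100 here too
TPIDS = (TPID_CTAG, TPID_STAG)


def make_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame (no FCS): dst MAC, src MAC, EtherType, data."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame, tpid, vid, pcp=0):
    """Insert a 4-byte VLAN tag directly after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid  # 3-bit priority, DEI bit left at 0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Remove the outermost VLAN tag."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid not in TPIDS:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def vlan_stack(frame):
    """Return ([(tpid, pcp, vid), ...] outermost first, payload EtherType)."""
    tags, off = [], 12
    while True:
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype not in TPIDS:
            return tags, etype
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        off += 4


def provider_ingress(frame, s_vid, qinq):
    """Simplified model of the provider's customer-facing port.

    qinq=False: plain access port, customer-tagged frames are dropped.
    qinq=True : tunnel port, every frame gets the provider's S-tag prepended.
    """
    tags, _ = vlan_stack(frame)
    if not qinq:
        return None if tags else frame
    return push_tag(frame, TPID_STAG, s_vid)


def provider_egress(frame):
    """Far-end provider port: strip the S-tag, hand the rest to the customer."""
    return pop_tag(frame)


# Constructed sample traffic: locally administered MACs, IPv4 EtherType.
DST, SRC = bytes.fromhex("02000000000b"), bytes.fromhex("02000000000a")
NATIVE = make_frame(DST, SRC, 0x0800, b"data on untagged VLAN 1")
VOICE = push_tag(make_frame(DST, SRC, 0x0800, b"voip"), TPID_CTAG, 200, pcp=5)
S_VID = 3001  # hypothetical VLAN the provider assigned to this customer

if __name__ == "__main__":
    print("access port passes native/voice:",
          provider_ingress(NATIVE, S_VID, False) is not None,
          provider_ingress(VOICE, S_VID, False) is not None)
    carried = provider_ingress(VOICE, S_VID, True)
    for tpid, pcp, vid in vlan_stack(carried)[0]:
        print(f"tag tpid=0x{tpid:04x} pcp={pcp} vid={vid}")
    print("customer frame restored at far end:", provider_egress(carried) == VOICE)
```

Each tag adds 4 bytes, so the provider's links need MTU headroom for the double-tagged frame.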





[c-nsp] VLAN ID limit?

2008-08-19 Thread Alex Balashov
For some reason, my Catalyst 2900 series (WS-C2924-XL) does not like 
VLAN IDs higher than 1005:



sw01(config)#switchport trunk allowed vlan add 1202
Command rejected: Bad VLAN list - character #5 (EOL) delimits a VLAN
number (1202) out of the range 1 to 1005.

This is with a trunking interface:

interface FastEthernet0/1
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,100,1002-1005
 switchport mode trunk

IOS is 12.0(5)WC8 (C2900XL-C3H2S-M).

I'm pretty sure this has already been asked a thousand times, but how do 
I get around this issue so I can get support for the extended VLAN IDs 
up to 4096?


--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599


Re: [c-nsp] VLAN ID limit?

2008-08-19 Thread Andrew Gristina
Are you in transparent vtp mode?



Re: [c-nsp] VLAN ID limit?

2008-08-19 Thread Chris Phillips

Alex,

You don't get around it on the 2924.  You will need to upgrade to the 
2950G-24-EI.


They're not much more than the 2924.

Good luck.



Re: [c-nsp] VLAN ID limit?

2008-08-19 Thread Alex Balashov

Damn.

Are you absolutely sure there is no IOS upgrade for the existing switch 
that can fix this?




Re: [c-nsp] VLAN ID limit?

2008-08-19 Thread Chris Phillips
The last time I checked 12.0(WC17) or something like that, it was not 
possible.  WC17 came out in mid-2007 if I recall correctly.


I don't think that Cisco is going to support anything > 1005 on the XL 
series switches ever.  Their goal is to keep you buying new gear, and if 
they just keep adding features to the odd stuff, who needs new gear.


Anyway, there's several other improvements that the 2950Gs have over the 
XLs, that make it much more appealing.  Here's a few:


they run 12.1 instead of 12.0
ssh support
do support
don't have to use the vlan database to create VLANs
etc...

Like I said before, they're dirt cheap and very much worth the slight 
price increase.




Re: [c-nsp] VLAN ID limit?

2008-08-19 Thread Gabriel Kuri
afaik, the 2900XL and 3500XL series switches do not support extended range 
vLANs, you'll need to upgrade your switch, sorry ...

http://supportwiki.cisco.com/ViewWiki/index.php/The_Cisco_Catalyst_switch_does_not_permit_the_creation_of_extended-range_VLANs_in_the_VLAN_database_mode


-
Gabriel Kuri | Sr. Network Engineer
Instructional and Information Technology Division
California State Polytechnic University, Pomona
http://www.csupomona.edu/~iit | +1 909 979 6363


