Re: [c-nsp] Configuring VWIC-1MFT-E1 for Data
Thanks Brett. Would check the link now.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] C4948 total output drops / bit error problem
Hello,

I have a lot of C4948 switches in our network. All switches have a 2x1 Gb/s uplink (EtherChannel) to a 6509 switch. The problem is that if the traffic on the EtherChannel is high (~2x700 Mbit/s), the total output drops counter increases.

Yesterday the counter was:

  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 131796

This morning:

  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 133483

I found some sites that use the hold-queue command, but it isn't available on the C4948 platform.

I used a packet generator device and sent 1,500,000 packets (64 bytes each) across the network. After 5 minutes the packet generator signals an error (bit error, lost packet), and the total drops counter suddenly increases. I tried a lot of platforms, like C2970, C4948-10G, C6509/6724sfp and a 3Com switch, but this loss problem shows up only on the C4948 devices, across different IOS versions. All of the C4948 devices show this problem.

More interesting: if I run this 1.5M-packet, 64-byte test on a single C4948 with no connection to other devices, it still produces this problem after 5 minutes, on optical and copper interfaces alike. Every time I did this test, the problem appeared in the 5th minute.

Any idea?

Thanks,
Laci
Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
> Most[1] large telcos I've seen[2] offering IP-VPN services tend to use RFC1918 addressing for CE-PE infrastructure. Using public addressing for much of this just often doesn't scale - thinking of some IP-VPNs which have thousands of CE elements.

I just don't see how it doesn't scale with Public vs Private Space.

The good point for Private Space (from the Customer perspective) is that it can be reused when the Customer changes provider (CE unmanaged case).

Best Regards,
--
-mat
[c-nsp] OSPF inside VRF - Cisco Juniper Interoperability
Hi,

I am caught up in what seems to be a Juniper/Cisco interoperability issue. I am running OSPF with the customer inside a VRF. The topology is something like the following:

  CE1 ---[Area 0]--- PE1 --- P1 --- P2 --- PE2 ---[Area 6]--- CE2

The two P routers are acting as route reflectors. CE1, CE2 and PE1 are Cisco devices while the rest are Juniper M-series routers.

The problem I am facing is that CE1 routes received at CE2 are inter-area, which is what is required (no redistribution into OSPF is done on CE1 and CE2). However, CE2 routes received by CE1 are Type 5 (E1). The documentation states that in order to preserve the route types, domain IDs should be the same on both PE routers. I have set the domain ID to be 1.1.1.1:512; this was done on Cisco via the command:

  domain-id type 0105 value 010101010200

and on Juniper as:

  domain-id 1.1.1.1:512

in the OSPF configuration inside the VRF. Also, on Juniper the domain-id was added to the OSPF routes when redistributing them into MBGP.

The problem seems to be with the Cisco PE1 router, which can't seem to interpret the route-type attribute generated by Juniper (seen in the output as 0x306:0:393472):

  PE1#sh ip bgp vpnv4 all 10.254.20.254
  BGP routing table entry for 1:103:10.254.20.254/32, version 550
  Paths: (1 available, best #1, table VPN_OSPF)
    Not advertised to any peer
    Local
      PE2_Loopback_IP (metric 4) from P1_Loopback_IP (P1_Loopback_IP)
        Origin IGP, metric 2, localpref 100, valid, internal, best
        Extended Community: RT:1:103 OSPF DOMAIN ID:0x0105:0x010101010200 0x306:0:393472

10.254.20.254/32 is advertised by CE2 (assigned on one of its loopback interfaces). Now the domain ID is fine, but it seems that Cisco is unable to interpret the route-type attribute. 393472 translates to 0x60100, where 6 is the area ID, 01 says that it is a type 1 LSA, and the last two bytes are options, which are not used in this case.
Upon receiving this route via MBGP, PE1 injects a type 5 LSA towards CE1 (confirmed on CE1 by enabling debugging) where it should have injected a type 3:

  OSPF: Ack Type 5, LSID 10.254.20.254, Adv rtr 10.254.1.1, age 5, seq 0x8001

If I replace the Juniper PE2 with a Cisco, then PE1 seems to interpret the route-type attribute correctly (OSPF RT:0.0.0.6:2:0), injects a type 3 LSA towards CE1, and CE1 receives the routes as inter-area:

  PE1#sh ip bgp vpnv4 all 10.254.20.254
  BGP routing table entry for 1:103:10.254.20.254/32, version 676
  Paths: (1 available, best #1, table VPN_OSPF)
    Not advertised to any peer
    Local
      PE2_Loopback_IP (metric 2) from P1_Loopback_IP (P1_Loopback_IP)
        Origin incomplete, metric 2, localpref 100, valid, internal, best
        Extended Community: RT:1:103 OSPF DOMAIN ID:0x0005:0x010101010200 OSPF RT:0.0.0.6:2:0 OSPF ROUTER ID:10.254.2.1:512

Debug output:

  OSPF: Ack Type 3, LSID 10.254.20.254, Adv rtr 10.254.1.1, age 1, seq 0x8001

Any idea what is causing this behavior? Any solution? Will appreciate any help.

Regards,
Junaid
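A decoder for the OSPF extended communities quoted in this post, written as an added example (it is not part of Junaid's post or of either vendor's code). It reads Cisco's raw display of the Juniper community ("0x306:0:393472"), the decoded display ("OSPF RT:0.0.0.6:2:0") and the Domain ID community, re-encodes the route type the way RFC 4577 lays it out, and shows that the Juniper value is a well-formed RFC 4577 encoding of area 0.0.0.6, route type 1, options 0; the split of the raw display into type, high 16 bits and low 32 bits of the value is an assumption inferred from the quoted values.

```python
"""
Decoder for the OSPF extended communities RFC 4577 carries on VPNv4
routes (Domain ID and Route Type), parsed from the textual forms quoted
in the thread's `show ip bgp vpnv4` output.  Added example; not part of
the original posts or of either vendor's code.  Assumption: Cisco's raw
display "0x306:0:393472" is <type>:<high 16 bits>:<low 32 bits> of the
6-byte value, which is consistent with every value quoted in the thread.
"""
import ipaddress
import struct
from dataclasses import dataclass

# RFC 4577 section 4.2.5: OSPF Route Type = transitive opaque type 0x03, sub-type 0x06.
OSPF_ROUTE_TYPE = 0x0306
# RFC 4577 section 4.2.4: OSPF Domain ID may be carried with type 0x0005, 0x0105 or 0x0205.
OSPF_DOMAIN_ID_TYPES = (0x0005, 0x0105, 0x0205)


@dataclass(frozen=True)
class RouteType:
    area: str       # OSPF area the route was learned in, dotted quad
    lsa_type: int   # 1/2 intra-area, 3 inter-area, 5 AS-external, 7 NSSA
    options: int    # options byte; bit 0x01 marks an E2 metric for external routes


def decode_route_type_value(value: bytes) -> RouteType:
    """Decode the 6-byte value field: area (4 bytes) | LSA type (1) | options (1)."""
    if len(value) != 6:
        raise ValueError("OSPF Route Type value must be 6 bytes")
    return RouteType(str(ipaddress.IPv4Address(value[:4])), value[4], value[5])


def encode_route_type(rt: RouteType) -> bytes:
    """Build the full 8-byte extended community as RFC 4577 lays it out."""
    return struct.pack(">H4sBB", OSPF_ROUTE_TYPE,
                       ipaddress.IPv4Address(rt.area).packed, rt.lsa_type, rt.options)


def parse_cisco_raw(text: str) -> RouteType:
    """Parse the form Cisco printed when it did not recognise the community, e.g. '0x306:0:393472'."""
    type_str, high16, low32 = text.split(":")
    if int(type_str, 16) != OSPF_ROUTE_TYPE:
        raise ValueError(f"not an OSPF Route Type community: {type_str}")
    return decode_route_type_value(struct.pack(">HI", int(high16), int(low32)))


def parse_cisco_decoded(text: str) -> RouteType:
    """Parse the form Cisco printed once it understood it, e.g. 'OSPF RT:0.0.0.6:2:0'."""
    _label, area, lsa_type, options = text.split(":")
    return RouteType(area, int(lsa_type), int(options))


def parse_domain_id(text: str) -> tuple:
    """Parse 'OSPF DOMAIN ID:0x0105:0x010101010200' into (type, '1.1.1.1', 512)."""
    _label, type_str, value_str = text.split(":")
    ext_type = int(type_str, 16)
    if ext_type not in OSPF_DOMAIN_ID_TYPES:
        raise ValueError(f"not an OSPF Domain ID community: {type_str}")
    value = bytes.fromhex(value_str[2:])
    return ext_type, str(ipaddress.IPv4Address(value[:4])), int.from_bytes(value[4:], "big")


def injected_lsa_type(rt: RouteType, domain_ids_match: bool) -> int:
    """LSA type the receiving PE originates towards its CE (RFC 4577 section 4.2.8,
    simplified): an intra- or inter-area route from the same OSPF domain becomes a
    type 3 summary; anything else becomes a type 5 AS-external.  A PE that cannot
    read the Route Type community at all, as PE1 could not here, lands in the type 5
    case as well, which is the symptom the thread describes."""
    if domain_ids_match and rt.lsa_type in (1, 2, 3):
        return 3
    return 5


if __name__ == "__main__":
    juniper = parse_cisco_raw("0x306:0:393472")         # what the Juniper PE2 sent
    cisco = parse_cisco_decoded("OSPF RT:0.0.0.6:2:0")  # what a Cisco PE2 sent
    print("Juniper:", juniper, "-> wire bytes", encode_route_type(juniper).hex())
    print("Cisco:  ", cisco, "-> wire bytes", encode_route_type(cisco).hex())
    print("Domain ID:", parse_domain_id("OSPF DOMAIN ID:0x0105:0x010101010200"))
    print("Expected LSA towards CE1:", injected_lsa_type(juniper, domain_ids_match=True))
```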
[c-nsp] Cisco 2960G Issue
Hi all,

I've got a WS-C2960G-24TC-L switch running IOS 12.2(35)SE5. It's been in production for a couple of weeks in a fairly straightforward L2 environment.

We noticed this afternoon a few hosts connected to the switch suffering persistent packet loss of ~20%. After a bit of investigation we narrowed it down to ports 5, 6, 7, 8. The ports were configured as access ports, 1 @ 10M/FD, 3 @ 1G/FD, all in different VLANs.

My assumption is the switch runs six ASICs, and that the one that operates those 4 ports has faulted or degraded in some way, causing the performance issues. None of the other machines connected to the switch were affected, and currently the switch is still operating. I've since relocated the affected machines to an alternate switch, resolving the loss issues.

I'm interested if anyone is aware of this as a common problem with 2960G switches (or any switches for that matter), and if there are any tips for testing/troubleshooting before I return it as faulty. I bought 4 brand new 2960Gs in one go, 1 was DoA, and now this one has developed faults, which is leaving me with some concerns for the others.

Cheers,
--Mike
Re: [c-nsp] OSPF inside VRF - Cisco Juniper Interoperability
Junaid wrote on Wednesday, August 27, 2008 11:12 AM:

> Hi,
> I am caught up in what seems to be a Juniper/Cisco interoperability issue. I am running OSPF with the customer inside a VRF.
> [...]
> The problem seems to be with the Cisco PE1 router, which can't seem to interpret the route-type attribute generated by Juniper (seen in the output as 0x306:0:393472):
> [...]
> Any idea what is causing this behavior? Any solution? Will appreciate any help.

Which release are you using on the PE1? You might be hitting CSCsg42488 (Juniper - Cisco PE incorrect extended community for OSPF).

oli
[c-nsp] Netflow + Subinterfaces 7200 - 7600
Hi,

I'm replacing a few 7200 (NPE-G1) with 7600 (RSP720) and I'm wondering what would be the best way to do NetFlow accounting with VLANs on the new platform.

Currently, the configuration on the 7200 is like this:

  GigabitEthernet0/1.2
   [..]
   ip flow ingress
  !

Now, on the 7600, should I also use subinterfaces with "ip flow ingress"? Would that work? Or should I use VLAN interfaces and then use

  ip flow ingress layer2-switched vlan 2

If I do that, I should NOT specify "ip flow ingress" on the VLAN interface, right? I would assume it would count traffic twice (once when received on an interface where "ip flow ingress" is active and then when it is routed from that interface into VLAN 2)?

Also, it seems that SRC1 doesn't have per-interface flow configuration for IPv6. :( Does someone know if that is planned in further releases?

Regards,
Sebastian
--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
On Tue, Aug 26, 2008 at 10:20:25AM -0500, Ge Moua wrote:
> Sounds like a routing issue, is your ippool handing out IP addr to the clients.

The IP pool is sending out addresses to the clients, and the client is visible in the tunnel with the assigned IP address. When I ping an address on the target network, I see the packet coming out of the tunnel.

> I recently set a similar config on a 1811 and this works fine. I can send you the working config if you're interested.

That would be great, I'd appreciate that.

Greetings
Marc
--
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things." Winona Ryder   | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
On Wed, Aug 27, 2008 at 08:08:08AM +0800, Brett Looney wrote:
> > With this configuration, a client cannot communicate at all outside the tunnel, which is a desired feature in this setup. OTOH, some teleworkers would appreciate being able to talk to their networked printers on the local LANs.
>
> It's been a while but from memory you need to put the include-local-lan setting into the client configuration group to do this. HTH.

It now says

  crypto isakmp client configuration group InternClient
   key onsh4OcyivOafmyodzet
   dns 10.1.2.11 10.1.2.15
   wins 10.1.2.11 10.1.2.15
   domain example.com
   pool ippool
   acl DefaultrouteTunnel
   include-local-lan

and when I ping 192.168.8.1, I still see the packet going out encapsulated in ESP instead of unencrypted on the LAN (the client's LAN IP is 192.168.8.184/24).

Additionally, I'd rather have a white list of IP ranges that can still be reached without encryption, to not expose clients in public networks.

Greetings
Marc
--
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things." Winona Ryder   | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
Re: [c-nsp] OSPF inside VRF - Cisco Juniper Interoperability
Hi,

Just want to share my findings: the problem, as suspected, was a bug on the Cisco side - CSCsg42488, as pointed out by Oliver Boehmer. The workaround employed was to use the knob

  route-type-community vendor

for the OSPF instance inside the VRF on the Juniper PE. Thanks once again, Oliver, for the solution. Now CE1 is also getting Type 3 LSAs from CE2.

Regards,
Junaid

On Wed, Aug 27, 2008 at 3:12 PM, Junaid [EMAIL PROTECTED] wrote:
> Hi,
> I am caught up in what seems to be a Juniper/Cisco interoperability issue. I am running OSPF with the customer inside a VRF.
> [...]
Re: [c-nsp] NAT/ACL options in a PIX
Vinny,

#thanks for the reply. So, host 5.6.7.8 wants to access that internal
#host. would the access list to complete it look like this:?

  access-list ACL_NAME permit TCP host 5.6.7.8 host 10.10.10.110 eq 8081

#Now if I get another request to access a different host (10.10.10.111),
#could I reuse the same IP address (1.2.3.4) and do this:?

  static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0
  access-list ACL_NAME permit TCP host 9.10.11.12 host 10.10.10.111 eq 8081

ONE MORE QUESTION. Since I am doing NAT 1 to 1, I already allowed 1 external host to access an internal host (10.10.10.110) on port 8080. How can I allow another external host (different IP address) to access the same internal host (10.10.10.110) on port 8080?

Hopefully you can understand this last question.

Thanks

--- On Tue, 8/26/08, Vinny Abello [EMAIL PROTECTED] wrote:

> From: Vinny Abello [EMAIL PROTECTED]
> Subject: RE: [c-nsp] NAT/ACL options in a PIX
> To: [EMAIL PROTECTED] [EMAIL PROTECTED], cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
> Date: Tuesday, August 26, 2008, 10:23 PM
>
> Correct, you are doing NAT as a straight 1 to 1 translation for traffic. Using PAT, you can specify either TCP or UDP traffic and the outside and inside port numbers. This is still accomplished with the static statement. You'll still need the access-list entry as well unless you have another rule already covering it.
>
> I'm confused though... If you need a different external host to access an internal server, why can't you reuse the same outside address in the translation? The PIX does extended translation automatically. Just add it to the access-list, or did I misunderstand?
> If you are doing this on a different port and want to map various ports on one external IP to different internal hosts or ports, you can do this as well with the static statement:
>
>   static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081 netmask 255.255.255.255 0 0
>
> This maps traffic that matches TCP port 8080 hitting the outside address of 1.2.3.4 to port 8081 on internal IP 10.10.10.110.
>
> I wasn't quite clear with your alphanumeric examples, but I hope this helps. I believe you truly just want to keep adding more entries to your access-list. Once you have a translation, be it NAT or PAT, defined, the access control is done through the access-list at that point.
>
> -Vinny
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of John Ramz
> Sent: Tuesday, August 26, 2008 10:32 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] NAT/ACL options in a PIX
>
> --CORRECTION---
> As a part of my 2nd question I made a mistake on the internal host IP. This is the correction: I need to allow P.P.P.3 to access the same internal host (10.10.10.110). I tried to assign a different public IP address (Q.Q.Q.11)...
>
> Thanks
>
> --- On Tue, 8/26/08, John Ramz [EMAIL PROTECTED] wrote:
>
> From: John Ramz [EMAIL PROTECTED]
> Subject: NAT/ACL options in a PIX
> To: cisco-nsp@puck.nether.net
> Date: Tuesday, August 26, 2008, 9:21 PM
>
> Version 6.3.5 PIX 515
>
> We have been assigned 25 public IP addresses by our ISP and I want to administer them in the most efficient way. We get a lot of requests for external access to different hosts in our private network.
> For example:
>   Public trusted IP address requesting access: P.P.P.2
>   Public IP address assigned by ISP: Q.Q.Q.10
>   Internal host IP: 10.10.10.111 port 80 or 8080 (http://10.10.10.111/site:8080)
>
> So far every time we get a request we do this:
>
>   static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
>   access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
>
> QUESTION 1 - Is it possible to do what I believe is called PAT and reuse the same public IP address (Q.Q.Q.10) when I get a second request to access a DIFFERENT host (10.10.10.112) and redirect them to port 8081, for example? If possible, how?
>
> Today I got a request to allow access to an internal host (10.10.10.110) that I have already mapped with this public IP: Q.Q.Q.9. The source IP address is P.P.P.3. These are the statements already in the PIX:
>
>   static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
>   access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080
>
> I need to allow P.P.P.3 to access the same internal host (Q.Q.Q.9). I tried to assign a different public IP address (Q.Q.Q.11) but I got this message:
>
>   ERROR: duplicate of existing static
>
> QUESTION 2 - Is there any way to allow 2 IP addresses to access the same host on the same port (it could be different)?
>
> I appreciate any help since I am a beginner on this subject.
>
> Thanks
> John
Re: [c-nsp] Cisco 2960G Issue
Sorta sounds like a bad chip on the chassis, since it's affecting 4 adjacent ports. 1-4 probably share an ASIC (or part of one), 5-8, 9-12, etc. I'd call TAC on this one to get a replacement.

Ken

From: [EMAIL PROTECTED] on behalf of Mike Cooper
Sent: Wed 8/27/2008 3:39 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 2960G Issue

> Hi all,
> I've got a WS-C2960G-24TC-L switch running IOS 12.2(35)SE5. It's been in production for a couple of weeks in a fairly straightforward L2 environment.
> [...]
[c-nsp] RES: Cisco 2960G Issue
Hi Mike,

I've never run into this issue before. I presume this is not a common problem. You can start troubleshooting with 'show platform port-asic' and 'show platform tcam'. There are also other 'show platform' and 'show controller' commands that might be useful.

Regards,
Leonardo Gama.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Mike Cooper
Sent: Wednesday, 27 August 2008 06:39
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 2960G Issue

> Hi all,
> I've got a WS-C2960G-24TC-L switch running IOS 12.2(35)SE5. It's been in production for a couple of weeks in a fairly straightforward L2 environment.
> [...]
[c-nsp] Replacing Catalyst 4507 with Catalyst 6509
Hello,

I work with Orange, a Network Service Provider. We are in an upgrade project for replacing the old Catalyst 4507 with 6509. My question is about the IOS corresponding to the ones currently on the old switches. The IOS images on the old switches are:

  cat4000-i5s-mz.122-20.EW
  cat4000-i5s-mz.122-25.EWA
  cat4000-i5k91s-mz.122-25.EWA

I want to know the corresponding images for the 6500. I checked the feature set of these images and found them as below:

  cat4000-i5s-mz.122-20.EW -- Cisco IOS Software for the Cisco Catalyst 4500 Supervisor Engine IV and V, Enhanced Layer 3 and voice software image, including OSPF, IS-IS, and EIGRP
  cat4000-i5s-mz.122-25.EWA -- Cisco IOS Software for the Cisco Catalyst 4000/4500 supervisor engines IV and V, and Catalyst 4500 Series Supervisor Engine V-10GE, Enhanced Layer 3 and voice software image, including OSPF, IS-IS, and EIGRP
  cat4000-i5k91s-mz.122-25.EWA -- Cisco IOS Software for the Cisco Catalyst 4000/4500 supervisor engines IV and V, and Catalyst 4500 Series Supervisor Engine V-10GE, with 3DES strong encryption, Enhanced Layer 3 and voice software image, including OSPF, IS-IS, and EIGRP

But from this point I wasn't able to search for the same feature set on the 6500 platform. Any help?

Thanks
Ahmed Azim
Orange Business Services
Re: [c-nsp] RES: Cisco Catalyst 6513 IOS version
Hi,

Can you please recommend a stable IOS version for Cisco Catalyst 6513? The current version that I have is Version 12.2(18)SXD3. The switch has not been upgraded for a while and it will be good to know the version with fewer bugs.

Thanks.
Tony
Re: [c-nsp] RES: Cisco Catalyst 6513 IOS version
Antonio Acuesta (DHL AU) wrote:
> Hi,
> Can you please recommend a stable IOS version for Cisco Catalyst 6513? The current version that I have is Version 12.2(18)SXD3. [...]

We're running 12.2(18)SXF10 without problems. I believe 12.2(18)SXF11 and SXF12a are sort of Safe Harbor qualified. I cannot recommend 12.2(33)SXH - we've had a lot of problems.
Re: [c-nsp] RES: Cisco Catalyst 6513 IOS version
Antonio,

Specifically for Catalyst 6500 and its different service modules, I suggest you take a look at http://www.cisco.com/go/safeharbor

I strongly recommend reading through the documents, and not just the highlights...

Arie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Antonio Acuesta (DHL AU)
Sent: Wednesday, August 27, 2008 16:21 PM
To: cisco-nsp
Subject: Re: [c-nsp] RES: Cisco Catalyst 6513 IOS version

> Hi,
> Can you please recommend a stable IOS version for Cisco Catalyst 6513? The current version that I have is Version 12.2(18)SXD3. [...]
Re: [c-nsp] Cisco 2960G Issue
Hi Mike,

As I understand it, that is the way the ASICs are shared on most of the Catalysts. Lightning striking an Ethernet cable can affect connectivity in a similar, though more persistent, way; the switch survived but four adjacent ports were permanently disabled. Have you recently found any unexpected gaping holes in the roof? :)

Paul.

Matlock, Kenneth L wrote:
> Sorta sounds like a bad chip on the chassis, since it's affecting 4 adjacent ports. 1-4 probably share an ASIC (or part of one), 5-8, 9-12, etc. I'd call TAC on this one to get a replacement.
>
> Ken
>
> From: [EMAIL PROTECTED] on behalf of Mike Cooper
> Sent: Wed 8/27/2008 3:39 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Cisco 2960G Issue
>
> > Hi all,
> > I've got a WS-C2960G-24TC-L switch running IOS 12.2(35)SE5. It's been in production for a couple of weeks in a fairly straightforward L2 environment.
> > [...]
--
HEAnet Limited, Ireland's Education Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040  Web: http://www.heanet.ie
Company registered in Ireland: 275301
Re: [c-nsp] NAT/ACL options in a PIX
-----Original Message-----
From: John Ramz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 27, 2008 8:20 AM
To: Vinny Abello; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] NAT/ACL options in a PIX

> Vinny,
> #thanks for the reply. So, host 5.6.7.8 wants to access that internal
> #host. would the access list to complete it look like this:?
>
>   access-list ACL_NAME permit TCP host 5.6.7.8 host 10.10.10.110 eq 8081

You would be specifying the destination address as the outside address BEFORE the translation takes place. So in your example, if a trusted host of 5.6.7.8 wants to access the server 10.10.10.11 on port 8081, and you have a static entry of:

  static (inside,outside) tcp 1.2.3.4 8080 10.10.10.11 8081 netmask 255.255.255.255 0 0

you would need to make the access-list entry reference the outside IP address and port number:

  access-list ACL_NAME permit tcp host 5.6.7.8 host 1.2.3.4 eq 8081

This would hit the outside access-list, permit the traffic, then translate it to 10.10.10.11 on port 8080 afterwards.

> #Now if I get another request to access a different host (10.10.10.111),
> #could I reuse the same IP address (1.2.3.4) and do this:?

If you're using PAT, yes, as long as the same port on the outside isn't used. In other words, you can't use TCP 8080 on 1.2.3.4 because it's already translated to 10.10.10.11 on port 8081.

>   static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0

This would conflict. If you want to utilize the same port, you'd need a new outside address. Otherwise you could use a new port and put:

  static (inside,outside) tcp 1.2.3.4 8081 10.10.10.11 8081 netmask 255.255.255.255 0 0

>   access-list ACL_NAME permit TCP host 9.10.11.12 host 10.10.10.111 eq 8081

This again would be the outside address as the destination:

  access-list ACL_NAME permit tcp host 9.10.11.12 host 1.2.3.4 eq 8081

> ONE MORE QUESTION. Since I am doing NAT 1 to 1, I already allowed 1 external host to access an internal host (10.10.10.110) on port 8080

Correct.
All inbound traffic will be translated to the internal address. In turn, you are also mapping all outbound traffic from the internal address to the external address when originating traffic. How can I allow another external hosts(different IP address) to access the same internal host (10.10.10.110) on port 8080? Just add it to the access-list to allow it. With the 1 to 1 NAT, just consider outside address = inside address. You need to allow traffic to it based on the interface the traffic hits. If the traffic is hitting the outside interface, you must utilize the outside address as the destination. If you in turn have an inside access-list and are limiting traffic leaving that network, you'd be utilizing the internal addresses as the source addresses. Hopefullly you can understand this last question Thanks --- On Tue, 8/26/08, Vinny Abello [EMAIL PROTECTED] wrote: From: Vinny Abello [EMAIL PROTECTED] Subject: RE: [c-nsp] NAT/ACL options in a PIX To: [EMAIL PROTECTED] [EMAIL PROTECTED], cisco- [EMAIL PROTECTED] cisco-nsp@puck.nether.net Date: Tuesday, August 26, 2008, 10:23 PM Correct, you are doing NAT as a straight 1 to 1 translation for traffic. Using PAT, you can specify either TCP or UDP traffic and the outside and inside port numbers. This is still accomplished with the static statement. You'll still need the access-list entry as well unless you have another rule already covering it. I'm confused though... If you need a different external host to access an internal server, why can't use reuse the same outside address in the translation? The PIX does extended translation automatically. Just add it to the access-list, or did I misunderstand? 
If you are doing this on a different port and want to map various ports on one external IP to different internal hosts or ports, you can do this as well with the static statement: static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081 netmask 255.255.255.255 0 0 This maps traffic that matches TCP port 8080 hitting the outside address of 1.2.3.4 to port 8081 on internal IP 10.10.10.110. I wasn't quite clear with your alphanumeric examples, but I hope this helps. I believe you truly just want to keep adding more entries to your access-list. Once you have a translation be it NAT or PAT defined, the access control is done through the access-list at that point. -Vinny -Original Message- From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of John Ramz Sent: Tuesday, August 26, 2008 10:32 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] NAT/ACL options in a PIX --CORRECTION--- As a part of my 2nd question I made a mistake on the internal host IP. This is the correction: I need to allow P.P.P.3 to access the same internal host (10.10.10.110). I tried to assigned a different Public ip
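As an added example (not from the thread, not Cisco code), here is a small Python model of the rule Vinny describes: on PIX 6.3 the outside ACL is evaluated before translation, so its destination must be the static's outside address and port, and two port statics cannot claim the same outside ip:port. The static and access-list lines it parses are constructed, modelled on the thread's addresses, with 192.0.2.10 standing in for Q.Q.Q.10.

```python
# Added example, not from the thread: a small model of how PIX 6.3 static NAT/PAT
# and an outside-interface ACL fit together. Config lines below are constructed,
# modelled on the addresses used in the thread (192.0.2.10 stands in for Q.Q.Q.10).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Static:
    proto: Optional[str]          # "tcp"/"udp" for a port static (PAT); None for 1:1 NAT
    outside_ip: str
    outside_port: Optional[int]
    inside_ip: str
    inside_port: Optional[int]

@dataclass(frozen=True)
class Ace:
    name: str
    proto: str
    src: str                      # "host X" collapsed to X, or "any"
    dst: str
    dport: Optional[int]

def parse_static(line: str) -> Static:
    """'static (inside,outside) [tcp|udp OUT_IP OUT_PORT] IN_IP [IN_PORT] netmask ...'"""
    t = line.split()
    if t[:2] != ["static", "(inside,outside)"]:
        raise ValueError(f"not an inside->outside static: {line!r}")
    if t[2] in ("tcp", "udp"):
        return Static(t[2], t[3], int(t[4]), t[5], int(t[6]))
    return Static(None, t[2], None, t[3], None)

def parse_ace(line: str) -> Ace:
    """'access-list NAME permit PROTO host SRC host DST [eq PORT]' ('any' also accepted)"""
    t = line.split()
    if t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"only permit ACEs are modelled: {line!r}")
    addrs, i = [], 4
    for _ in range(2):                      # source, then destination
        addrs.append("any" if t[i] == "any" else t[i + 1])
        i += 1 if t[i] == "any" else 2
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[1], t[3].lower(), addrs[0], addrs[1], dport)

def find_conflicts(statics: List[Static]) -> List[Tuple[Static, Static]]:
    """Two port statics claiming the same outside (proto, ip, port): the 8080 collision in the thread."""
    seen, conflicts = {}, []
    for s in statics:
        if s.proto is None:
            continue
        key = (s.proto, s.outside_ip, s.outside_port)
        if key in seen:
            conflicts.append((seen[key], s))
        else:
            seen[key] = s
    return conflicts

def resolve_inbound(statics, proto, outside_ip, outside_port):
    """Where a packet to outside_ip:outside_port lands after translation; None if no static covers it."""
    for s in statics:                       # an exact port static wins
        if (s.proto, s.outside_ip, s.outside_port) == (proto, outside_ip, outside_port):
            return s.inside_ip, s.inside_port
    for s in statics:                       # 1:1 NAT maps every port straight through
        if s.proto is None and s.outside_ip == outside_ip:
            return s.inside_ip, outside_port
    return None

def check_outside_ace(ace: Ace, statics: List[Static]) -> List[str]:
    """Problems with an ACE bound to the outside interface under PIX 6.3 semantics:
    the ACL sees the packet before translation, so it must name the outside address."""
    problems = []
    if ace.dst == "any" or ace.dport is None:
        return problems                     # too broad to check against a single static
    if any(ace.dst == s.inside_ip for s in statics):
        problems.append("destination is an inside address; use the outside (pre-translation) address")
    if resolve_inbound(statics, ace.proto, ace.dst, ace.dport) is None:
        problems.append("no static translates this outside ip:port; permitted traffic is still dropped")
    return problems

SAMPLE_CONFIG = [                           # constructed, not a real firewall config
    "static (inside,outside) tcp 1.2.3.4 8080 10.10.10.11 8081 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 1.2.3.4 8081 10.10.10.111 8081 netmask 255.255.255.255 0 0",
    "static (inside,outside) 192.0.2.10 10.10.10.110 netmask 255.255.255.255 0 0",
    "access-list ACL_NAME permit tcp host 5.6.7.8 host 10.10.10.110 eq 8081",   # wrong side of the NAT
    "access-list ACL_NAME permit tcp host 5.6.7.8 host 1.2.3.4 eq 8080",
    "access-list ACL_NAME permit tcp host 9.10.11.12 host 1.2.3.4 eq 8081",
    "access-list ACL_NAME permit tcp host 9.10.11.12 host 192.0.2.10 eq 8080",
]

def audit(config_lines: List[str]) -> dict:
    """Overlapping statics plus, per ACE: (line, where it lands, list of problems)."""
    statics = [parse_static(l) for l in config_lines if l.startswith("static ")]
    report = []
    for line in config_lines:
        if line.startswith("access-list "):
            ace = parse_ace(line)
            landing = resolve_inbound(statics, ace.proto, ace.dst, ace.dport)
            report.append((line, landing, check_outside_ace(ace, statics)))
    return {"conflicts": find_conflicts(statics), "aces": report}

if __name__ == "__main__":
    for line, landing, problems in audit(SAMPLE_CONFIG)["aces"]:
        print(f"{line}\n  -> {landing}  {'; '.join(problems) or 'ok'}")
```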
[c-nsp] 6506 unusual behavior
Hi,

I could use some advice here. 6506 with single WS-X6K-SUP2-2GE. Just changed IOS from 122(18)SXF14. to 12.2(18)SXF14 to get around a nasty bug that presented as hanging things like sh run and dir disk0...as well as passing traffic out the wrong interface.

Now there's what appears to be an ssh debug message upon every CLI logout:

  edge1#exit
  channel_by_id: 0: bad id: channel free
  client_input_channel_req: channel 0: unknown channel
  Connection to edge1.xxx.xxx closed.

And secondly, on the same box, can somebody point me in the right direction regarding this?

  5d04h: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception for IPv4 unicast, Some routes will be software switched. Use mls cef maximum-routes to modify FIB TCAM partition.

Thanks!

--Adam

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] NAT/ACL options in a PIX
Vinny,

Thank you very much. It makes sense to me. I appreciate you sharing your time and knowledge.

John

--- On Wed, 8/27/08, Vinny Abello [EMAIL PROTECTED] wrote:
From: Vinny Abello [EMAIL PROTECTED]
Subject: RE: [c-nsp] NAT/ACL options in a PIX
To: [EMAIL PROTECTED], cisco-nsp@puck.nether.net
Date: Wednesday, August 27, 2008, 9:49 AM
[c-nsp] NAT/ACL options in a PIX
Thanks Vinny, Ziv and Jules for your replies and help.

John
Re: [c-nsp] 6506 unusual behavior
Adam,

I think you have a bit too many routes on this box... Take a look at
http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_i1.html#wp1014315

The thing is that mls cef maximum-routes is not supported on Sup2...

Can you please share the outputs of:
- show ip route summary
- show mls cef summary
- show mls cef maximum-routes

Arie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Korab
Sent: Wednesday, August 27, 2008 17:58 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6506 unusual behavior
Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
You need to use the Zone Based Firewall to be able to catch outbound packets generated by the router itself. Wonder if anyone uses control plane policy outbound to monitor what the router is sending...

It turns out that the hub router has a bad onboard encryption card. Using software encryption, everything is fine.

Thanks for the suggestion Aaron.

-Luan

-----Original Message-----
From: Nic Tjirkalli [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2008 12:53 AM
To: Aaron
Cc: Luan M Nguyen; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

Howdy ho,

> How about putting on the outbound to make sure that you are sending it to the hub?

good idea - add this to the hub router :-

  adsl-nhrp-hub#show access-lists check_packets_in
  Extended IP access list check_packets_in
      10 permit ahp any any
      20 permit esp any any
      30 permit udp any eq isakmp any eq isakmp
      40 permit ip any any

  interface Virtual-PPP1
   ip access-group check_packets_in out

just to make sure all was reset and applied, I reloaded the hub router and both spoke routers, and looking at the ACL after a few minutes of all the routers coming up :-

  adsl-nhrp-hub#show access-lists check_packets_in
  Extended IP access list check_packets_in
      10 permit ahp any any
      20 permit esp any any
      30 permit udp any eq isakmp any eq isakmp
      40 permit ip any any

no matches. I doubt this can be accurate - at least there should be IP matches as NHRP is up :-

  10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:01:15, expire 00:00:44
    Type: dynamic, Flags: authoritative unique registered used
    NBMA address: 41.195.37.174
  10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:05:20, expire 00:00:45
    Type: dynamic, Flags: authoritative unique registered
    NBMA address: 41.195.37.191

from routing table on hub, traffic to NHRP neighbours should be going out of Virtual-PPP1

  adsl-nhrp-hub#show ip route
  Gateway of last resort is 0.0.0.0 to network 0.0.0.0
       196.30.121.0/32 is subnetted, 1 subnets
  S       196.30.121.42 is directly connected, Dialer1
       172.16.0.0/32 is subnetted, 1 subnets
  C       172.16.1.1 is directly connected, Loopback0
       196.47.0.0/32 is subnetted, 1 subnets
  C       196.47.0.204 is directly connected, Virtual-PPP1
       10.0.0.0/24 is subnetted, 1 subnets
  C       10.0.0.0 is directly connected, Tunnel0
       41.0.0.0/32 is subnetted, 2 subnets
  C       41.195.37.199 is directly connected, Dialer1
  C       41.195.37.129 is directly connected, Dialer1
  S*   0.0.0.0/0 is directly connected, Virtual-PPP1

thanx

On Tue, Aug 26, 2008 at 1:37 AM, Nic Tjirkalli [EMAIL PROTECTED] wrote:
> Howdy ho,
>
>> Maybe try to put in an ACL or could use netflow for this as well...
>>
>>   ip access-list extend check_packets_in
>>    permit esp any any
>>    permit udp any eq isakmp any eq isakmp
>>    permit ip any any
>>
>>   interface dialer 1
>>    ip access-group check_packets_in in
>>
>> To see if ESP coming in to your spoke router.
>
> good suggestion but now I am even more confused
>
> created acl as follows and applied to dialer 1 in :-
>
>   interface Dialer1
>    ip access-group check_packets_in in
>
> but there are no matches at all - not even IP
>
>   nhrp-spoke-2#show access-lists check_packets_in
>   Extended IP access list check_packets_in
>       10 permit ahp any any
>       20 permit esp any any
>       30 permit udp any eq isakmp any eq isakmp
>       40 permit ip any any
>
>> -Luan
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nic Tjirkalli
>> Sent: Monday, August 25, 2008 3:40 AM
>> To: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
>>
>> howdy ho all,
>>
>> thanx to those who sent through suggestions to how to get the IPSEC to work - the ideas were :-
>>
>> try mode transport :-
>> dont use wildcard for the secret
>>
>> so i changed the hub and spoke as follows :-
>>
>>   crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>    mode transport
>>
>>   crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
>>   crypto isakmp key CISCO address 196.47.0.204 255.255.255.0
>>
>> also same symptoms - crypto comes up - hub reports IPSEC encaps and decaps - spoke sites report 0 decaps for IPSEC and no errors
>>
>> any other ideas?
>>
>> thanx
>>
>>> howdy ho all,
>>>
>>> Was hoping I could use this forum to get some direction on resolving a strange issue I have with a DMVPN setup. All works 100% if I do not protect the tunnels with IPSEC. As soon as I enable IPSEC the tunnels stop passing traffic.
>>>
>>> The setup :-
>>>
>>> All routers are CISCO 1841 platforms. the IOS image is :-
>>>   C1841-ADVIPSERVICESK9-M
>>>   c1841-advipservicesk9-mz.124-21.bin
>>>
>>> HUB Router
>>> --
>>> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires up an L2TP tunnel to obtain a static IP address. The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1). This IP address is the NHS. All connections to/from the hub use
Re: [c-nsp] NAT/ACL options in a PIX
You might also consider a single static NAT (vs. PAT) command, then control access with ACLs applied to the outside interface. This will map all ports on the public side to all ports on the inside. This way you won't have to do a lot of fudging around with static commands, just ACLs. Something like this:

  access-list outside_in permit TCP host externalIP1 host YourPublicIP eq 8081
  access-list outside_in permit TCP host externalIP2 host YourPublicIP eq 8082
  access-list outside_in permit TCP host externalIP3 host YourPublicIP eq 8083
  static (inside,outside) YourPublicIP insideIP netmask 255.255.255.255
  access-group outside_in in interface outside

On Wed, 2008-08-27 at 08:20 -0400, John Ramz wrote:
> Vinny, thanks for the reply. So, host 5.6.7.8 wants to access that internal host. Would the access list to complete it look like this?
>
>   access-list ACL_NAME permit TCP host 5.6.7.8 host 10.10.10.110 eq 8081
>
> Now if I get another request to access a different host (10.10.10.111), could I reuse the same IP address (1.2.3.4) and do this?
>
>   static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0
>   access-list ACL_NAME permit TCP host 9.10.11.12 host 10.10.10.111 eq 8081
>
> ONE MORE QUESTION. Since I am doing NAT 1 to 1, I already allowed 1 external host to access an internal host (10.10.10.110) on port 8080. How can I allow another external host (different IP address) to access the same internal host (10.10.10.110) on port 8080?
>
> Hopefully you can understand this last question. Thanks
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of John Ramz
>> Sent: Tuesday, August 26, 2008 10:32 PM
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] NAT/ACL options in a PIX
>>
>> --CORRECTION---
>> As a part of my 2nd question I made a mistake on the internal host IP. This is the correction: I need to allow P.P.P.3 to access the same internal host (10.10.10.110). I tried to assign a different Public ip address (Q.Q.Q.11)...
>>
>> Thanks
>>
>> --- On Tue, 8/26/08, John Ramz [EMAIL PROTECTED] wrote:
>> From: John Ramz [EMAIL PROTECTED]
>> Subject: NAT/ACL options in a PIX
>> To: cisco-nsp@puck.nether.net
>> Date: Tuesday, August 26, 2008, 9:21 PM
>>
>>> Version 6.3.5 PIX 515
>>>
>>> We have been assigned 25 Public IP addresses by our ISP and I want to administer them in the most efficient way. We get a lot of requests for external access to different hosts in our private network. For example:
>>>
>>>   Public trusted IP address requesting access: P.P.P.2
>>>   Public IP address assigned by ISP: Q.Q.Q.10
>>>   Internal host IP: 10.10.10.111 port 80 or 8080 (http://10.10.10.111/site:8080)
>>>
>>> So far every time we get a request we do this:
>>>
>>>   static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
>>>   access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
>>>
>>> QUESTION 1- Is it possible to do what I believe is called PAT and reuse the same public ip address (Q.Q.Q.10) when I get a second request to access a DIFFERENT host (10.10.10.112) and redirect them to port 8081 for example? If possible, how?
>>>
>>> Today I got a request to allow access to an
Re: [c-nsp] 6506 unusual behavior
On Wed, Aug 27, 2008 at 11:15 AM, Arie Vayner (avayner) [EMAIL PROTECTED] wrote:
> Adam,

Hi Arie,

> I think you have a bit too many routes on this box...

Probably...sup2 is kind of old.

> Can you please share the outputs of:
> - show ip route summary

  edge1#sh ip ro sum
  IP routing table name is Default-IP-Routing-Table(0)
  Route Source    Networks    Subnets     Overhead    Memory (bytes)
  connected       0           5           400         800
  static          0           2           224         320
  ospf removed    0           123         8064        19680
    Intra-area: 5 Inter-area: 0 External-1: 0 External-2: 118
    NSSA External-1: 0 NSSA External-2: 0
  bgp removed     130413      130722      16712640    41818320
    External: 5090 Internal: 256045 Local: 0
  internal        2642                                3117560
  Total           133055      130852      16721328    44956680
  Removing Queue Size 0

> - show mls cef summary

  edge1#sh mls cef sum
  Total CEF switched packets: 000825744817
  Total CEF switched bytes:   440372791097
  Total routes:               261292
      IP unicast routes:      261292
      IPX routes:             0
      IP multicast routes:    0

> - show mls cef maximum-routes

  edge1#sh mls cef maximum-routes
                ^
  % Invalid input detected at '^' marker.

So if that is indeed the case and this box has 261k routes while supporting 192k...what can be done to mitigate it? I don't believe the end customer has the budget to upgrade to sup720-3bxl. It's a pair of 6506s, each with an upstream provider; each box is taking full views and they iBGP peer with each other.

Thanks!

--Adam
Re: [c-nsp] 6506 unusual behavior
Adam,

One thing to consider is to reduce the BGP view. Do they really need the full view, or can they actually take a partial view from each provider (for example each provider's originated networks, and maybe their direct customers), and then use a default route for the rest of the Internet (the best alternative is to actually ask the providers to advertise a default route). In most stub (as in non-transit) ASs this should be a valid solution.

Another alternative could be to introduce another set of border routers, such as 7201 routers. 7201 is a 7200/NPE-G2 in 1RU form factor with 4x1GE ports. It can easily take a full BGP view, but traffic sizing should be performed so that we can actually handle the load.

Actually, I am not sure if the upgrade to Sup720-3BXL would be much more expensive than the 7201, but I suggest you explore these options with your customer.

Arie

-----Original Message-----
From: Adam Korab [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2008 19:56 PM
To: Arie Vayner (avayner)
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6506 unusual behavior
Re: [c-nsp] IP SLA and dyn routes
Dean,

PfR, or as it used to be called, OER, is your friend here.
http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/12_4/oer_12_4_book.html

Arie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Dunn (rodunn)
Sent: Tuesday, August 26, 2008 06:12 AM
To: Dean Smith
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] IP SLA and dyn routes

I honestly haven't spent enough time with it yet to know all the details but maybe check PfR (aka: OER) to see if it can help you out.

Rodney

On Mon, Aug 25, 2008 at 09:53:41PM +0100, Dean Smith wrote:
> Sounds like you actually want to run a tunnel across each SP and use an IGP through the tunnels to decide which one is up/working etc
>
> Dean
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Everton Diniz
> Sent: 25 August 2008 21:13
> To: cisco-nsp
> Subject: [c-nsp] IP SLA and dyn routes
>
> Hi all,
>
> I'm having a problem with my SP (running MPLS/BGP) where the time to converge networks is so high (10 minutes), and they say that they are working on it and it will be fixed in 3 months approx. I want anything to do convergence faster for me. I read about IP SLA, but do not find docs relating IP SLA to dynamic routes, only IP SLA doing track on static routes.
>
> My first connection is with this SP running BGP (MPLS cloud) and the second connection is with another SP running OSPF (Frame-relay cloud). Due to this problem, when a remote site is down, on my central point the route of this site stays up in the BGP table and does not converge to OSPF, only after a period of 10 minutes.
>
> What other solution can I use?
>
> tks for all,
Re: [c-nsp] 6506 unusual behavior
Arie Vayner (avayner) wrote:
> Actually, I am not sure if the upgrade to Sup720-3BXL would be much more expensive than the 7201, but I suggest you explore these options with your customer.

I would agree, standard cisco prices, with 35% discount in £ would be :

  7201, 1GB, Dual PSU - £7,995.00
  SUP720-3BXL - £20,500.00

The 7201 is significantly cheaper, and will do full gigabit, provided you don't get DDoSed :)

adam.
Re: [c-nsp] RES: Cisco Catalyst 6513 IOS version
Hi,

On Wed, Aug 27, 2008 at 09:20:41PM +0800, Antonio Acuesta (DHL AU) wrote:
> Can you please recommend a stable IOS version for Cisco Catalyst 6513? The current version that I have is Version 12.2(18)SXD3. The switch has not been upgraded for a while and it will be good to know the version with fewer bugs.

We've been fairly happy with 12.2(18)SXF in various versions. Latest release is SXF14.

Check the release notes on CCO whether your specific combination of hardware is still supported - some modules might have been dropped SXE -> SXF.

gert
--
USENET is *not* the non-clickable part of WWW!                   //www.muc.de/~gert/
Gert Doering - Munich, Germany                                   [EMAIL PROTECTED]
fax: +49-89-35655025                                             [EMAIL PROTECTED]
[c-nsp] Cat 4924 Metro QoS
Has anyone any experience of the QoS capabilities on the ME 4924-10GE?

The data sheet lists Per-port per-VLAN QoS. But I'm struggling to pinpoint exactly what this gives. The config examples in the 4500 Series config guide simply show policing per VLAN... is this the only action available?

Essentially I'd like something with 10G ports that can do QoS per VLAN on the 10G port - but offer some per-class B/W guarantees within the VLAN. i.e. Limit VLAN 10 to 100Mb/s and within that VLAN...

  10Mb/s PQ for DSCP EF
  40Mb/s for DSCP AF
  50Mb/s for DSCP DE

I don't need to overbook the 10G port (i.e. sum of all VLANS 10G). Overall port requirement is low (10 x 1G + 1x10G) - which makes the 4924 ideal.

The other options seem to be ASR, 4500+Sup6E, 7600+ES20, GSR etc. But opinions/experience welcomed.. (and yes it needs to be cisco)

Dean
[c-nsp] FWSM CSCsi87893 purely cosmetic?
Hello,

We just recently discovered the effects of CSCsi87893, where configuring a tftp-server in the sys context gives funny output like this:

  FWSM/act(config)# tftp-server management 10.0.0.1 fwsm-sys
  FWSM/act(config)# sh run
  : Saved
  :
  FWSM Version 3.1(4) system
  !
  ...cut...
    allocate-interface Vlan2131
    config-url disk:/xyz.cfg
  !
  vPif_isVpifNumValid: Thread ssh vcid=1 from vpif=0x10001 is != current vcid=0! tftp-server 10.0.0.1 fwsm-sys
  prompt hostname context state
  Cryptochecksum:snarfsnarfsnarf
  : end
  FWSM/act(config)#

It was easy finding CSCsi87893, but the bug toolkit isn't very specific. It says strange output may be noticed, but the above line gets written to startup-config with write mem. The functionality is there -- I can write net without parameters and the expected happens.

What I'm wondering is: What will happen at the next reboot? Can it parse this output correctly? Or will I just lose the tftp-server functionality? Or will the FWSM fail to start?

We're about to upgrade (3.1(6+) has this fixed), but would like to be certain about what happens after the reboot...

Regards,
Peter
[c-nsp] Netflow software
Hi,

We are putting together a system to run netflow software for tracking traffic usage in and out of our network based on ASN. Can someone recommend a stable software package? We would prefer not to run this on a windows machine if at all possible.

Thanks,
Troy
Re: [c-nsp] Netflow software
I'd recommend Crannog Netflow Tracker (now owned by Fluke) for this:
http://www.flukenetworks.com/fnet/en-us/products/NetFlow+Tracker/Overview.htm

They have versions for both Linux and Windows (as well as an appliance now), and I've found it to be well worth the expense over the open-source solutions I've worked with.. My only caveat is that their licensing is not as glorious as it was pre-acq

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy Beisigl
Sent: Wednesday, August 27, 2008 12:44 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Netflow software
[c-nsp] CiscoWorks LMS - Apache daemon registration information
Hi,

Could someone with LMS 3.x running on Windows please send me the output of "pdreg -l Apache"? I've got an HTTP/SSL problem and I think I've stuffed the daemon registration for Apache (relates to bug CSCso59571).

cheers,
Dale
Re: [c-nsp] FWSM CSCsi87893 purely cosmetic?
Peter,

Yes, it does seem to be cosmetic.

Arie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Wednesday, August 27, 2008 22:23 PM
To: cisco-nsp
Subject: [c-nsp] FWSM CSCsi87893 purely cosmetic?

Hello,

We just recently discovered the effects of CSCsi87893, where configuring a tftp-server in the sys context gives funny output like this:

FWSM/act(config)# tftp-server management 10.0.0.1 fwsm-sys
FWSM/act(config)# sh run
: Saved
:
FWSM Version 3.1(4) system
!
...cut...
  allocate-interface Vlan2131
  config-url disk:/xyz.cfg
!
vPif_isVpifNumValid: Thread ssh vcid=1 from vpif=0x10001 is != current vcid=0! tftp-server 10.0.0.1 fwsm-sys
prompt hostname context state
Cryptochecksum:snarfsnarfsnarf
: end
FWSM/act(config)#

It was easy finding CSCsi87893, but the bug toolkit isn't very specific. It says strange output may be noticed, but the above line gets written to startup-config with write mem. The functionality is there -- I can write net without parameters and the expected happens.

What I'm wondering is: What will happen at the next reboot? Can it parse this output correctly? Or will I just lose the tftp-server functionality? Or will the FWSM fail to start?

We're about to upgrade (3.1(6+) has this fixed), but would like to be certain about what happens after the reboot...

Regards,
Peter
Re: [c-nsp] Netflow software
Nfsen w/ nfdump engine.

Regards,
Ge Moua | Email: [EMAIL PROTECTED]
Network Design Engineer
University of Minnesota | Networking Telecommunications Services

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy Beisigl
Sent: Wednesday, August 27, 2008 2:44 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Netflow software

Hi,

We are putting together a system to run netflow software for tracking traffic usage in and out of our network based on ASN. Can someone recommend a stable software package? We would prefer not to run this on a Windows machine if at all possible.

Thanks,
Troy
Re: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?
On Aug 26, Ian Cox [EMAIL PROTECTED] wrote:
> PA-POS-OC3 has been supported in both FlexWANs since they FCS'd. Maybe that particular PA has the idprom messed up. Try doing a "sh diagbus" with it inserted and see what the PA idprom is telling the system.

FYI: thanks to Ian I found out that the problem is that FlexWANs do not support OIR even for plug-in, not just for unplugging. The Ethernet PA I first tried worked when hotplugged, but the POS one just failed unless I first unplugged the FlexWAN.

BTW: my FlexWANs happily accepted a 256 MB SODIMM from my old MSFC2, and even work with one 256 MB and one 64 MB bank (CEF is enabled only on the first slot now, but I do not need the other one anyway).

--
ciao,
Marco
Re: [c-nsp] 6506 unusual behavior
On Wed, 27 Aug 2008, Adam Korab wrote:
> edge1#sh mls cef sum
> Total CEF switched packets: 000825744817
> Total CEF switched bytes:   440372791097
> Total routes:               261292
>        IP unicast routes:   261292

You have 261292 routes on a Sup2. The TCAM on the Sup2 supports about 244k routes. It's time to either upgrade or give up on the idea of carrying full BGP routes. I haven't been updating it, but I have 2 articles you should read at http://jonsblog.lewis.org/

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
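An added check, not from the thread: a small Python routine that parses the "sh mls cef sum" counters quoted above and compares the route count with the Sup2 TCAM figure Jon gives (about 244k), so the overflow can be caught by monitoring before it is noticed as "unusual behavior". The sample output is constructed from the numbers in the post.

```python
"""Check FIB TCAM headroom from 'show mls cef summary' output.

Written for this thread, not Cisco tooling. The 244k capacity is the Sup2
figure stated in Jon's reply; pass another capacity for other supervisors.
"""
import re
from typing import Dict

# Constructed sample, mirroring the counters quoted in the thread.
SAMPLE_OUTPUT = """\
Total CEF switched packets: 000825744817
Total CEF switched bytes:   440372791097
Total routes:               261292
       IP unicast routes:   261292
"""

SUP2_TCAM_ROUTES = 244_000  # "about 244k routes" per the reply above


def parse_mls_cef_summary(text: str) -> Dict[str, int]:
    """Turn each 'label: number' line into an integer counter keyed by label."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def fib_headroom(counters: Dict[str, int], capacity: int = SUP2_TCAM_ROUTES,
                 warn_pct: float = 90.0) -> Dict[str, object]:
    """Classify FIB TCAM usage as ok, warning (above warn_pct) or over-capacity."""
    routes = counters["Total routes"]
    pct = 100.0 * routes / capacity
    if routes > capacity:
        state = "over-capacity"   # more prefixes than the TCAM can hold
    elif pct >= warn_pct:
        state = "warning"         # still fits, but little headroom left
    else:
        state = "ok"
    return {"routes": routes, "capacity": capacity,
            "utilisation_pct": round(pct, 1), "state": state}


if __name__ == "__main__":
    stats = parse_mls_cef_summary(SAMPLE_OUTPUT)
    print(fib_headroom(stats))  # the thread's box: 261292 routes, over-capacity
```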
Re: [c-nsp] LLQ + MLPPPoE - ?
That example is using a virtual-template, not a dialer. There used to be an issue some time ago where if you didn't run MLPPP on your dialer your QoS (CBWFQ) wouldn't work properly as it required an MLP Bundle to attach to; a workaround for this was using virtual-template and ATM int for QoS.

If you are using MLPPP, as it appears you are by your config, then all that's needed in your ATM is to specify the correct service class (ie cbr/ubr/vbr) and speed; the tx-ring-limit will make sure you don't buffer up any packets in the ATM interface, then all your magic should be done on the dialer with your service-policy. Make sure you set the bandwidth appropriately (ie subtract 15% for atm cell tax overhead) and you should see it all come to life through your MLP Bundle.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: Thursday, 28 August 2008 12:13 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] LLQ + MLPPPoE - ?

> Remove the service policy from your ATM int's and just leave it on your Dialer, then do a "sh users" and you should see an interface listed as the MLP Bundle; this is the one you want to be watching. If for example it is Vi4 then do a "sh policy-map int vi4".

I was following the advice at http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094ad2.shtml which states:

When you use a combination of Class-based Marking or Class-based Policing and Class-based Queuing, the order of operations is this:
1. The service-policy command configured on the Virtual-Template interface marks or polices the packets.
2. The service-policy command on the ATM PVC queues the packets

Is this not correct?

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
Re: [c-nsp] LLQ + MLPPPoE - ?
Yes, it seems to be working when applied to the dialer (i.e., the class is seeing traffic matched and queued into the correct queue) but when the bundle contains more than one member, the latency and jitter increase when there is congestion, which leads me to think that either:

1. The queuing has stopped working, or
2. This is a side effect of having more than one member in the bundle in this configuration.

We've taken all the usual precautions (i.e. disabling LFI and permitting link re-ordering on the bundle) but the quality still degrades under load when we add another member.

Interestingly, when we create a multilink virtual interface (int mu1) and do straight unauthenticated mlpppoa with the same LLQ policy, it works great.

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

-----Original Message-----
From: Ben Steele [mailto:[EMAIL PROTECTED]
Sent: Thu 8/28/2008 01:26
To: David Freedman; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] LLQ + MLPPPoE - ?

That example is using a virtual-template, not a dialer. There used to be an issue some time ago where if you didn't run MLPPP on your dialer your QoS (CBWFQ) wouldn't work properly as it required an MLP Bundle to attach to; a workaround for this was using virtual-template and ATM int for QoS.

If you are using MLPPP, as it appears you are by your config, then all that's needed in your ATM is to specify the correct service class (ie cbr/ubr/vbr) and speed; the tx-ring-limit will make sure you don't buffer up any packets in the ATM interface, then all your magic should be done on the dialer with your service-policy. Make sure you set the bandwidth appropriately (ie subtract 15% for atm cell tax overhead) and you should see it all come to life through your MLP Bundle.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: Thursday, 28 August 2008 12:13 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] LLQ + MLPPPoE - ?

> Remove the service policy from your ATM int's and just leave it on your Dialer, then do a "sh users" and you should see an interface listed as the MLP Bundle; this is the one you want to be watching. If for example it is Vi4 then do a "sh policy-map int vi4".

I was following the advice at http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094ad2.shtml which states:

When you use a combination of Class-based Marking or Class-based Policing and Class-based Queuing, the order of operations is this:
1. The service-policy command configured on the Virtual-Template interface marks or polices the packets.
2. The service-policy command on the ATM PVC queues the packets

Is this not correct?

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
> It now says
>
> crypto isakmp client configuration group InternClient
>  key onsh4OcyivOafmyodzet
>  dns 10.1.2.11 10.1.2.15
>  wins 10.1.2.11 10.1.2.15
>  domain example.com
>  pool ippool
>  acl DefaultrouteTunnel
>  include-local-lan
>
> and when I ping 192.168.8.1, I still see the packet going out encapsulated in ESP instead of unencrypted on the LAN (the Client's LAN ip is 192.168.8.184/24).

Hmmm. Interesting. What does your DefaultrouteTunnel ACL look like?

Wait - just dug up your old email:

ip access-list extended DefaultrouteTunnel
 permit ip any any

So this is the issue (sorry - should have looked at this earlier) - you need to put a list of networks here that the client can access. And just to be confusing, the ACL is from the router's perspective, as if the traffic is outbound. So, if the pool of IP addresses that you're handing out to the clients is 10.100.100.0/24 then that needs to be the destination address in the ACL, ala:

ip access-list extended DefaultrouteTunnel
 permit ip x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
 permit ip y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255

HTH.

B.
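As an added illustration of the point above (not code from the thread or from Cisco): a hypothetical Python checker that reads the group, the pool it hands out and the ACL it references, and flags entries that do not describe tunnelled networks from the router's outbound point of view, i.e. a "permit ip any any" that tunnels everything, deny entries that exclude nothing, and permits whose destination does not cover the client pool. The "ip local pool" line and the placeholder key in the sample are assumed; the rest mirrors the thread's config.

```python
"""Audit the split-tunnel ACL an IOS Easy VPN group hands to its clients.

Hypothetical checker written for this thread, not Cisco code. It reads the
'crypto isakmp client configuration group', the 'ip local pool' it assigns
and the named extended ACL it references, then reports entries that do not
describe tunnelled networks from the router's (outbound) point of view:
the destination of each permit must cover the client pool.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the thread's config; the key is a placeholder
# and the 'ip local pool' line is assumed (the original post does not show it).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group InternClient
 key PLACEHOLDER-KEY
 dns 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
ip local pool ippool 10.100.100.1 10.100.100.254
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
!
ip access-list extended SplitTunnel
 permit ip 10.1.2.0 0.0.0.255 10.100.100.0 0.0.0.255
 permit ip 172.26.248.8 0.0.0.7 10.100.100.0 0.0.0.255
!
ip access-list extended BadSplit
 deny ip 192.168.8.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 10.100.200.0 0.0.0.255
"""

Net = ipaddress.IPv4Network


def take_address(toks: List[str]) -> Tuple[Net, List[str]]:
    """Consume one ACL address spec (any | host A | A WILDCARD) as a network."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(f"{toks[1]}/32"), toks[2:]
    # ipaddress accepts an IOS wildcard (host mask) in place of a netmask
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_acl_entry(line: str) -> Dict:
    toks = line.split()                 # action proto src [wild] dst [wild]
    src, rest = take_address(toks[2:])
    dst, _ = take_address(rest)
    return {"action": toks[0], "src": src, "dst": dst, "text": line.strip()}


def parse_config(text: str):
    """Collect VPN groups, named extended ACLs and local pools from IOS text."""
    groups, acls, pools, section = {}, {}, {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            section = None
            continue
        if m := re.match(r"crypto isakmp client configuration group (\S+)", line):
            section, groups[m[1]] = ("group", m[1]), {}
        elif m := re.match(r"ip access-list extended (\S+)", line):
            section, acls[m[1]] = ("acl", m[1]), []
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif section and line.startswith(" "):
            kind, name = section
            if kind == "group":
                key, _, value = line.strip().partition(" ")
                groups[name][key] = value
            else:
                acls[name].append(parse_acl_entry(line))
    return groups, acls, pools


def audit_split_tunnel(text: str, group: str, acl: Optional[str] = None) -> List[str]:
    """Return findings for the group's split-tunnel ACL (empty list = fine)."""
    groups, acls, pools = parse_config(text)
    cfg = groups[group]
    acl = acl or cfg["acl"]
    if acl not in acls:
        return [f"{group}: split-tunnel ACL {acl!r} is not defined"]
    first, last = pools[cfg["pool"]]
    findings = []
    for e in acls[acl]:
        if e["action"] == "deny":
            findings.append(f"{acl}: '{e['text']}' excludes nothing; list the networks to tunnel as permits instead")
        elif e["src"].prefixlen == 0 and e["dst"].prefixlen == 0:
            findings.append(f"{acl}: '{e['text']}' tunnels every client flow (no split tunnel)")
        elif not (e["dst"].network_address <= first and last <= e["dst"].broadcast_address):
            findings.append(f"{acl}: '{e['text']}' destination does not cover the client pool {first}-{last}")
    return findings


if __name__ == "__main__":
    for name in ("DefaultrouteTunnel", "SplitTunnel", "BadSplit"):
        print(name, audit_split_tunnel(SAMPLE_CONFIG, "InternClient", name) or ["ok"])
```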
Re: [c-nsp] LLQ + MLPPPoE - ?
I would say it sounds like one interface is performing differently to the other (performance wise), but if it works fine when using the multilink interface that doesn't make as much sense. Do you notice any drops or errors of any sort on the atm int's when you have the dialer configuration up? Also check the output of a "sh dsl int atmx" for each one to see if you are erroring there or syncing at different speeds or have a low noise margin on one etc..

Out of curiosity did you set that ip mtu 1492 on your dialer when you were testing? As you would've been fragmenting otherwise trying to push 1500 byte over a 1500 byte link with pppoe.

Can you show me your exact config (minus passwords) that you are using when you are testing this including the output of a "sh dsl int atmx" for each int.

Another thought: might be worth trying the new 12.4.20T IOS given its QoS overhaul with HQF and the improved latency results shown by someone in an earlier thread.

From: David Freedman [mailto:[EMAIL PROTECTED]
Sent: Thursday, 28 August 2008 10:12 AM
To: Ben Steele; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] LLQ + MLPPPoE - ?

Yes, it seems to be working when applied to the dialer (i.e., the class is seeing traffic matched and queued into the correct queue) but when the bundle contains more than one member, the latency and jitter increase when there is congestion, which leads me to think that either:

1. The queuing has stopped working, or
2. This is a side effect of having more than one member in the bundle in this configuration.

We've taken all the usual precautions (i.e. disabling LFI and permitting link re-ordering on the bundle) but the quality still degrades under load when we add another member.

Interestingly, when we create a multilink virtual interface (int mu1) and do straight unauthenticated mlpppoa with the same LLQ policy, it works great.

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

-----Original Message-----
From: Ben Steele [mailto:[EMAIL PROTECTED]
Sent: Thu 8/28/2008 01:26
To: David Freedman; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] LLQ + MLPPPoE - ?

That example is using a virtual-template, not a dialer. There used to be an issue some time ago where if you didn't run MLPPP on your dialer your QoS (CBWFQ) wouldn't work properly as it required an MLP Bundle to attach to; a workaround for this was using virtual-template and ATM int for QoS.

If you are using MLPPP, as it appears you are by your config, then all that's needed in your ATM is to specify the correct service class (ie cbr/ubr/vbr) and speed; the tx-ring-limit will make sure you don't buffer up any packets in the ATM interface, then all your magic should be done on the dialer with your service-policy. Make sure you set the bandwidth appropriately (ie subtract 15% for atm cell tax overhead) and you should see it all come to life through your MLP Bundle.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: Thursday, 28 August 2008 12:13 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] LLQ + MLPPPoE - ?

> Remove the service policy from your ATM int's and just leave it on your Dialer, then do a "sh users" and you should see an interface listed as the MLP Bundle; this is the one you want to be watching. If for example it is Vi4 then do a "sh policy-map int vi4".

I was following the advice at http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094ad2.shtml which states:

When you use a combination of Class-based Marking or Class-based Policing and Class-based Queuing, the order of operations is this:
1. The service-policy command configured on the Virtual-Template interface marks or polices the packets.
2. The service-policy command on the ATM PVC queues the packets

Is this not correct?

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
[c-nsp] Q-in-Q
Hi folks...

Working on a new project this week and the final outcome will be trunking with q-in-q behind the scenes via an intermediate provider. Basically, we'll be q-tagging a series of VLANs through some 2950 switches and then handing off a 100FE connection towards the intermediate provider, which is going to use q-in-q across their 3750--6509--6509 network back to a q-tagged connection of ours at another location (6509 as well).

With the combination of 3750 and 6509s should I have any worries about q-in-q and MTU issues with a 100FE interface involved? I'm pretty sure mini-jumbos are supported all the way but wanted to ask.

Thanks,
Paul
Re: [c-nsp] LLQ + MLPPPoE - ?
> I would say it sounds like one interface is performing differently to the other (performance wise), but if it works fine when using the multilink interface that doesn't make as much sense. Do you notice any drops or errors of any sort on the atm int's when you have the dialer configuration up? Also check the output of a "sh dsl int atmx" for each one to see if you are erroring there or syncing at different speeds or have a low noise margin on one etc..

They both perform fine on their own; only together does it cause a problem. We don't see any drops, just big changes in latency.

> Out of curiosity did you set that ip mtu 1492 on your dialer when you were testing? As you would've been fragmenting otherwise trying to push 1500 byte over a 1500 byte link with pppoe.

I believe in the setup we are testing with we have a 1500 mtu either end so the pppoe overhead shouldn't be an issue, but will double check.

> Can you show me your exact config (minus passwords) that you are using when you are testing this including the output of a "sh dsl int atmx" for each int.

The config we are using is in the original post (https://puck.nether.net/pipermail/cisco-nsp/2008-August/053632.html)

There are no DSL errors recorded on the controllers, nor is there anything remarkable in the sh int output:

#show int a0/0/0 | in rror|drop|throt|clear
  Last clearing of "show interface" counters 1d12h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 0 interface resets

#show int a0/1/0 | in rror|drop|throt|clear
  Last clearing of "show interface" counters 1d12h
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 0 interface resets

> Another thought: might be worth trying the new 12.4.20T IOS given its QoS overhaul with HQF and the improved latency results shown by someone in an earlier thread.

This I will try. Just out of interest, do you have such a setup in production? If so, what version are you using on the CPE?

Dave.

From: David Freedman [mailto:[EMAIL PROTECTED]
Sent: Thursday, 28 August 2008 10:12 AM
To: Ben Steele; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] LLQ + MLPPPoE - ?

Yes, it seems to be working when applied to the dialer (i.e., the class is seeing traffic matched and queued into the correct queue) but when the bundle contains more than one member, the latency and jitter increase when there is congestion, which leads me to think that either:

1. The queuing has stopped working, or
2. This is a side effect of having more than one member in the bundle in this configuration.

We've taken all the usual precautions (i.e. disabling LFI and permitting link re-ordering on the bundle) but the quality still degrades under load when we add another member.

Interestingly, when we create a multilink virtual interface (int mu1) and do straight unauthenticated mlpppoa with the same LLQ policy, it works great.

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

-----Original Message-----
From: Ben Steele [mailto:[EMAIL PROTECTED]
Sent: Thu 8/28/2008 01:26
To: David Freedman; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] LLQ + MLPPPoE - ?

That example is using a virtual-template, not a dialer. There used to be an issue some time ago where if you didn't run MLPPP on your dialer your QoS (CBWFQ) wouldn't work properly as it required an MLP Bundle to attach to; a workaround for this was using virtual-template and ATM int for QoS.

If you are using MLPPP, as it appears you are by your config, then all that's needed in your ATM is to specify the correct service class (ie cbr/ubr/vbr) and speed; the tx-ring-limit will make sure you don't buffer up any packets in the ATM interface, then all your magic should be done on the dialer with your service-policy. Make sure you set the bandwidth appropriately (ie subtract 15% for atm cell tax overhead) and you should see it all come to life through your MLP Bundle.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: Thursday, 28 August 2008 12:13 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] LLQ + MLPPPoE - ?

> Remove the service policy from your ATM int's and just leave it on your Dialer, then do a "sh users" and you should see an interface listed as the MLP Bundle; this is the one you want to be watching. If for example it is Vi4 then do a "sh policy-map int vi4".

I was following the advice at http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094ad2.shtml which states:

When you use a combination of Class-based Marking or Class-based Policing and
Re: [c-nsp] CiscoWorks LMS - Apache daemon registration information
On Wed, Aug 27, 2008 at 1:30 PM, Dale Shaw [EMAIL PROTECTED] wrote:
> Could someone with LMS 3.x running on Windows please send me the output of "pdreg -l Apache"?

Thanks all -- have had a few replies and, for now at least, I'm back up and running (although my SSL woes continue).

cheers,
Dale
Re: [c-nsp] LLQ + MLPPPoE - ?
> I believe in the setup we are testing with we have a 1500 mtu either end so the pppoe overhead shouldn't be an issue, but will double check.

Dialer will default to interface mtu of 1500 bytes unless you specify something else.

> The config we are using is in the original post (https://puck.nether.net/pipermail/cisco-nsp/2008-August/053632.html)

That doesn't have any of the previous recommendations I've made in it.

> This I will try. Just out of interest, do you have such a setup in production? If so, what version are you using on the CPE?

Haven't really played with the QoS on 12.4.20T much yet, but if you look back for the post with the subject [Improved queuing in 12.4(20)T?] from Per Carlson you can ask him what he was using :) Let us all know if 12.4.20T does magic for you.

Ben
Re: [c-nsp] LLQ + MLPPPoE - ?
> Dialer will default to interface mtu of 1500 bytes unless you specify something else.

Sorry, to clarify: the dialer sits on top of an ATM interface which has a 4470 byte MTU; from the ATM over G.SHDSL to the DSLAM, LAC, LNS and NAS there is an oversized MTU as well (2000). With the default dialer MTU of 1500 the maximum payload should leave at 1508B, which is well below the MTU of all the network components end-to-end. I don't believe this will cause any fragmentation?

> Haven't really played with the QoS on 12.4.20T much yet, but if you look back for the post with the subject [Improved queuing in 12.4(20)T?] from Per Carlson you can ask him what he was using :) Let us all know if 12.4.20T does magic for you.

I will try this. Thanks very much for your help,

Dave.
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Hello Mark:

Unless I'm misreading your intent, it looks like what you are trying to accomplish is split-tunneling, such that only traffic from your VPN-connected Windows machines and your protected net is getting tunneled, while everything else is handled outside the tunnel. If this is correct, take a look at:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml

Regards,
Mike

On 8/26/08 7:01 AM, Marc Haber [EMAIL PROTECTED] wrote:

Hi,

this is strictly a client issue and not appropriate for cisco-nsp, but I haven't found any mailing list with this clue level for other cisco-related aspects. If there is one, I'd like to learn about it.

I have a bunch of Windows clients with the Cisco VPN Client 5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as follows:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization exec default local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
username marc.haber privilege 15 secret 5 snip
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
!
crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map InternDynmap 10
 set transform-set InternTransformSet
 reverse-route
!
!
crypto map InternClientMap client authentication list userauthen
crypto map InternClientMap isakmp authorization list groupauthor
crypto map InternClientMap client configuration address respond
crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 172.26.248.10 255.255.255.248
 duplex auto
 speed auto
 crypto map InternClientMap
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 any
 permit ip any any
!

With this configuration, a client cannot communicate at all outside the tunnel, which is a desired feature in this setup. OTOH, some teleworkers would appreciate being able to talk to their networked printers on the local LANs. I have received the advice of adding the local networks of all teleworkers to an access list, which has resulted in the DefaultrouteWithoutListedNetsTunnel ACL. But this does not seem to work: traffic for 192.168.8.3 still goes into the tunnel after I changed the acl reference in the crypto isakmp client configuration group InternClient. Also, I do not see any changes in the Windows client's routing tables.

Can someone advise what I am doing wrong here? Additionally, do I really need to exclude all local networks of all teleworkers in the global configuration, or is it possible to control this on a per-client basis?

All web-based documentation I have found deals with the VPN Concentrator series which do not seem to use IOS - at least I cannot make sense of the advice found there in my configuration.

Any hints will be appreciated.

Greetings
Marc
[c-nsp] how to debug etherchannel on 6500?
Hi,

I'm trying to troubleshoot a strange case regarding an etherchannel (PAgP works, LACP doesn't) between a 6500 (SUP720/SXF14) and a 3750 (12.2(44)SE2), but I cannot see any debug logs on the 6500 after enabling "debug etherchannel all". On the 3750 I get some messages after enabling the same debug, but I can also use "debug pagp/lacp" which displays a lot more (and most of them are quite helpful).

Is "debug etherchannel all" supposed to display anything? If not, is there another debug command on the 6500 like the "debug pagp/lacp" on the 3750?

--
Tassos