[c-nsp] Datacenter Network Design
We are looking into starting to host our customers' apps and data and would like you to provide me links to internet resources (or books) to get me started on a network design that includes:

- 3rd party compliance (security, for example)
- Redundancy (routers, firewalls, switches)
- Load balancing
- VLANs
- Virtual servers
- Backup
- SANs
- Disaster recovery
- How to keep customers separated from our regular network?
- How to keep customers totally isolated from each other?
- Access from our network to the Datacenter network for our developers to work with our customers? Also for our IT people to service, monitor and maintain that network.

I have thought of getting an Internet pipe just for the Datacenter network, with all the above-mentioned components, and then figuring out the way and procedures to connect our company network with that one for the different items I already mentioned.

Has anyone been involved in a project like that who could elaborate as much as possible on the subject? Please shed some light on where to start and build from there.

Thanks

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] EoMPLS between C7206 and C3845
Hi,

I have narrowed the problem. Now EoMPLS is working between the two routers - the change is that instead of connecting CE2 to the EtherSwitch module of the C3845, I have connected it to an external 2950 switch which is then dot1q trunked to the C3845. The problem appears when I connect the host on the EtherSwitch port. The configuration on the routing portion of the C3845 is exactly the same in both cases and the config on the 2950 and EtherSwitch is similar.

Does anyone have any experience of running EoMPLS on a C3845 with a host on an EtherSwitch module port? Is there any special consideration that needs to be catered for in such a scenario?

Will appreciate any help.

Regards,
Junaid

On Thu, Aug 7, 2008 at 2:15 AM, Junaid [EMAIL PROTECTED] wrote:
> Hi,
>
> I am trying to make EoMPLS (VLAN mode) work between a 7206VXR (NPE400) running c7200-jk9s-mz.123-21.bin and a 3845 running c3845-advipservicesk9-mz.124-15.T.bin. These two PE routers are connected back-to-back via FastEthernet. The customers are connected via a switch connected to each PE:
>
>   CE1 --- Switch --- PE1 --- PE2 --- Switch --- CE2
>
> The control plane comes up without any issue:
>
>   C7200-PE1#sh mpls l2transport vc de
>   Local interface: Fa0/0.3 up, line protocol up, Eth VLAN 3 up
>     Destination address: X (loopback ip of PE2), VC ID: 100, VC status: up
>       Next hop: XX (ip of PE2's interface connected with PE1)
>       Output interface: Fa3/0, imposed label stack {234}
>     Create time: 04:55:52, last status change time: 04:22:07
>     Signaling protocol: LDP, peer X (loopback ip of PE2):0 up
>       MPLS VC labels: local 2207, remote 234
>       Group ID: local 0, remote 0
>       MTU: local 1500, remote 1500
>       Remote interface description: MPLS TEST
>     Sequencing: receive disabled, send disabled
>     VC statistics:
>       packet totals: receive 658, send 558
>       byte totals:   receive 61117, send 57759
>       packet drops:  receive 0, send 0
>
>   C3845-PE2#sh mpls l2transport vc de
>   Local interface: Gi4/0.3 up, line protocol up, Eth VLAN 3 up
>     Destination address: X (loopback ip of PE1), VC ID: 100, VC status: up
>       Next hop: XX (ip of PE1's interface connected with PE2)
>       Output interface: Gi0/0, imposed label stack {2207}
>     Create time: 05:06:06, last status change time: 04:42:00
>     Signaling protocol: LDP, peer X (loopback ip of PE1):0 up
>       MPLS VC labels: local 234, remote 2207
>       Group ID: local 0, remote 0
>       MTU: local 1500, remote 1500
>       Remote interface description: MPLS test
>     Sequencing: receive disabled, send disabled
>     VC statistics:
>       packet totals: receive 807, send 697
>       byte totals:   receive 81235, send 63925
>       packet drops:  receive 0, seq error 0, send 0
>
> But the data plane is having a severe issue. I cannot ping end-to-end from the CEs. It seems that when I ping CE1 from CE2 (i.e. from the CE connected to the 3845), ARP works and I am able to send a ping packet to CE1. But CE1 never receives it. On the other side, CE2 does not get replies to its own ARP requests. Once I statically bind the MAC address of CE2 on CE1, CE1 sends an ICMP packet to CE2 and CE2 replies to it, but CE1 never receives the reply. It seems that the communication is one way, from CE1 (the one behind the C7206) to CE2 (the one behind the C3845) and not the other way round.
>
> I replaced the C3845 with a C7206 and there was no issue in the data plane. My question is, with the IOS I used for the C3845, is EoMPLS not supported on it? As per Cisco's documentation, EoMPLS is supported on the IOS I used for the C3845. Anyone have any experience in running EoMPLS on a C3845?
>
> Another thing I noted was in the following output from the C3845: it shows MRU=0 and also there was no outgoing interface attached:
>
>   C3845-PE2#sh mpls forwarding-table labels 234 detail
>   Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
>   tag    tag or VC   or Tunnel Id      switched   interface
>   234                l2ckt(100)        50732      none       point2point
>           MAC/Encaps=0/0, MRU=0, Tag Stack{}
>           No output feature configured
>
> While on the C7206, the output was as it should be:
>
>   C7200-PE1#sh mpls forwarding-table labels 2207 detail
>   Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
>   tag    tag or VC   or Tunnel Id      switched   interface
>   2207   Untagged    l2ckt(100)        55853      Fa0/0.3    point2point
>           MAC/Encaps=0/0, MRU=1500, Tag Stack{}
>           No output feature configured
>
> Any explanations/solutions?
>
> Regards,
> Junaid
Re: [c-nsp] NPE G1, CEF and ACLs and high CPU
> How to sniff traffic punted to CPU (control-plane) on 7200/7301 platform? Is there something like rp-inband/sp-inband for 6500?

Seems the 7301 is not there yet:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/product_bulletin_c25-409474.html#wp9002099

- supported hardware = Cisco Integrated Services Routers, Cisco 7200 Series Routers

--
-mat
Re: [c-nsp] Datacenter Network Design
The Solutions Reference Network Design page on Cisco's site is a good resource for network designs.

http://www.cisco.com/go/srnd

-Brant

On 9/11/08 3:15 AM, root net [EMAIL PROTECTED] wrote:
> John,
>
> If you are going to build a Cisco network you should spend some time on www.cisco.com and look at all of their configuration examples and whitepapers for the specific gear you are looking at or working on.
>
> Here are some books I would suggest:
>
> Cisco Press:
> - Data Center Fundamentals
> - End-to-End QoS Network Design
> - Designing for Cisco Internetwork Solutions
> - Designing Cisco Network Architectures
> - Network Management Fundamentals
>
> www.cisco.com (research):
> - HSRP
> - STP
> - InterVLAN routing
> - IEEE Bridging
> - BGP
> - OSPF
> - L2TPv3
> - MPLS / VPN
> - IOS information
>
> Others:
> - Administering Data Centers
> - APC Data Center University (online classes); some are FREE, some are not.
>
> This is all I could think of since it's so late. DR will come when you start digging into the protocols and other information.
>
> As far as storage/backup, iSCSI is your friend, so build a GbE network. OpenFiler, NetApp, MyIVault.
>
> From the start your facility will need to handle your immediate needs and growth, or at least have the ability to scale (I would say maybe 10-20% growth for small budgets). Look at environmentals, power, fire protection: HVAC (spot coolers vs. ductless split systems vs. ducted systems, chilled water vs. air cooled), power requirements (single phase, three phase 208V/480V, UPS, transfer switches, portable generators, generator), raised flooring vs. anti-static VCT, security monitoring, water monitoring, temperature monitoring, and lastly pre-action vs. plain wet system.
>
> Getting a separate Internet feed would be wise unless it's just cost prohibitive. Start out with maybe a 10Mbit pipe and go from there. This all depends on your customers' applications and servers, what they will be transferring, etc.
>
> Look into open source products, as these are FREE and can help you (e.g. nagios, jffnms, cacti, mrtg, syslog, linux, RT, rancid, and others).
>
> Rule of thumb: a good data center will have proactive measures and policies in place to monitor, maintain, and procure. With that said, monitor everything (I mean everything) and have all staff alerted on all levels (SMS, e-mail, phone), if possible automatically. It's not about downtime so much as how you procure the situation in a specific time frame. Customer service is a must.
>
> You will need to make the call on the gear you use, but I use a mixture of Cisco, Extreme, and Juniper. For data centers it's a must to have hot swappable gear, so look into carrier class gear with redundant processors, power supplies, and hot swappable line cards. I would recommend Cisco 6500 Series, Cisco 7200 Series, Cisco ASA or PIX. I am not too fond of the Juniper firewall licensing. BTW, Cisco 2800/3600 Series may even work, depending on the throughput capabilities you need. Research all aspects of your gear, from RAM, flash, processor speeds, to throughput, modules, IOS, and hot swappable needs.
>
> The above will get you started.
>
> rootnet08
>
> On 9/10/08, John Ramz [EMAIL PROTECTED] wrote:
>> [...]
Re: [c-nsp] NPE G1, CEF and ACLs and high CPU
You go to 12.4(20)T and do an EPC capture on the punt path. I'm going to type up a wiki showing some examples today, I hope. I'll try to post it back out.

Rodney

On Thu, Sep 11, 2008 at 02:12:27PM +0200, David Granzer wrote:
> Hello,
>
> On 9/5/08, Rodney Dunn [EMAIL PROTECTED] wrote:
>> But make sure you do:
>>
>>   config t
>>    int null 0
>>     no ip unreachables
>>
>> The ACL drops are, last I checked, rate limit punts. If it's high CPU at IP Input you really need 12.4(20)T and get a sniffer trace in the punt path to see what traffic it really is.
>
> How to sniff traffic punted to CPU (control-plane) on 7200/7301 platform? Is there something like rp-inband/sp-inband for 6500?
>
> Thanks,
> David

On the 6500 it is available: SPAN RP-Inband and SP-Inband.

Rodney

>> On Thu, Sep 04, 2008 at 03:46:23PM -0400, Stephen Kratzer wrote:
>>> On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
>>>> 2008/9/4 Stephen Kratzer:
>>>>> The 'log' keyword will cause matching packets to not be CEF switched.
>>>>
>>>> nope, log is not present.
>>>>
>>>>> Also, if you're denying a lot of traffic from a certain source, you might want to just bit-bucket it rather than sending ICMP responses.
>>>>
>>>> you mean - no ip unreachables?
>>>
>>> You could match the access list in a route map and set the outbound interface to Null0.
Re: [c-nsp] NPE G1, CEF and ACLs and high CPU
That's wrong. The 7301 is basically a 1RU 72xx/G2 combo. It's there, so try it. The code is on Cisco.com as I just checked.

Rodney

On Thu, Sep 11, 2008 at 01:29:05PM +0100, Mateusz Błaszczyk wrote:
>> How to sniff traffic punted to CPU (control-plane) on 7200/7301 platform? Is there something like rp-inband/sp-inband for 6500?
>
> Seems the 7301 is not there yet:
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/product_bulletin_c25-409474.html#wp9002099
>
> - supported hardware = Cisco Integrated Services Routers, Cisco 7200 Series Routers
>
> --
> -mat
[c-nsp] 100FX Ports or Media Convertors?
Hi, we have quite a lot of 100Mb fibre distribution, but it is spread across many locations, so 24 fibre ports out from any location is just about enough.

My question is now, the 3550-FX has gone and I need to replace some units. The way forward with integrated ports is:

- the 3750 with 24FX + 4 SFP @ ~ $7000
- a 3650 with 24x media convertors with dual PSU shelves @ ~ $5000

We have had quite a few 3550 MTRJ 100FX ports partially fail (high RX drops) in the past, causing all kinds of fun and games with STP. So even with the extra points of failure the media convertors are looking tempting, as failed units can be simply replaced.

Any comments welcomed.

Kevin
Re: [c-nsp] Setting the Remote Syslog Port in IOS
I have it on a 7206VXR running 12.4(15)T2.

  7206-1.clr(config)#logging host ?
    Hostname or A.B.C.D  IP address of the syslog server
    ipv6                 Configure IPv6 syslog server

  7206-1.clr(config)#logging host 1.2.3.4 ?
    discriminator         Specify a message discriminator indentifier for this logging session
    filtered              Enable filtered logging
    sequence-num-session  Include session sequence number tag in syslog message
    session-id            Specify syslog message session ID tagging
    transport             Specify the transport protocol (default=UDP)
    vrf                   Set VRF option
    xml                   Enable logging in XML
    <cr>

  7206-1.clr(config)#logging host 1.2.3.4 tr
  7206-1.clr(config)#logging host 1.2.3.4 transport ?
    beep  Blocks Extensible Exchange Protocol
    tcp   Transport Control Protocol
    udp   User Datagram Protocol

  7206-1.clr(config)#logging host 1.2.3.4 transport udp ?
    discriminator         Specify a message discriminator indentifier for this logging session
    filtered              Enable filtered logging
    port                  Specify the UDP port number (default=514)
    sequence-num-session  Include session sequence number tag in syslog message
    session-id            Specify syslog message session ID tagging
    xml                   Enable logging in XML
    <cr>

  7206-1.clr(config)#logging host 1.2.3.4 transport udp port ?
    <1-65535>  Port number

I also see the command on a 3660 running 12.3(14)T7. I have it on a 3560E running 12.2(44)SE2 but not on a 3750 running 12.2(25)SEB. I do however have it on a 3560G and a basic 3560 running 12.2(44)SE2. I also have it on a Sup720-3BXL in a 7600 running SRB1. Looks like it's available for the older platforms with the right IOS.

Justin

Christian Koch wrote:
> Checked for any switches after inputting the IP address on the logging host command, but nothing was available:
>
>   #logging host 1.1.1.1 transport ?
>   % Unrecognized command
>
> On Wed, Sep 10, 2008 at 3:55 PM, Tassos Chatzithomaoglou [EMAIL PROTECTED] wrote:
>> Have you tried logging host XXX transport udp port Y?
>>
>> --
>> Tassos
>>
>> Christian Koch wrote on 10/09/2008 19:41:
>>> I know I can set the remote syslog port on ASA/PIXs, but I don't seem to see that it is possible in IOS. I wanted to segregate logs by sending them from certain devices to separate syslog ports. Can anyone confirm this behavior? Has anyone had the need to do something similar?
>>>
>>> Thanks
>>> Christian
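The collector side of what Christian wants to do (one UDP port per device class) is not shown in the thread. The following is an added example, not code from the list or from Cisco, of a receiver that keeps the per-port streams separate, checks the RFC 3164 <PRI> header, and flags a message that arrives on a port its source is not expected on (a sign that a device's logging config was changed, or that someone is injecting syslog). The port numbers, device addresses and datagrams are all constructed for the example.

```python
# Added example (not from the thread, not Cisco's code): receiver-side
# segregation of syslog streams by UDP port, matching the IOS side
# "logging host <ip> transport udp port <n>". Ports, addresses and the
# sample datagrams are constructed.
import re
from collections import defaultdict

# Hypothetical port-to-stream mapping chosen by the collector operator.
PORT_TO_STREAM = {5514: "core-routers", 5515: "access-switches"}

# Hypothetical allowlist: which sources are expected on each stream.
EXPECTED_SOURCES = {
    "core-routers": {"10.0.0.1", "10.0.0.2"},
    "access-switches": {"10.0.1.7"},
}

# Constructed sample datagrams: (udp port received on, source ip, payload).
SAMPLE_DATAGRAMS = [
    (5514, "10.0.0.1", "<189>45: *Sep 11 10:00:01: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)"),
    (5515, "10.0.1.7", "<187>12: *Sep 11 10:00:02: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    (5514, "10.0.0.1", "<188>46: *Sep 11 10:00:03: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.5]"),
    (5514, "10.0.1.7", "<189>13: *Sep 11 10:00:04: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.0.0.9)"),
    (5515, "10.0.1.7", "junk without a PRI header"),
    (514,  "10.0.0.2", "<189>47: *Sep 11 10:00:05: %SYS-5-RESTART: System restarted"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(payload):
    """Decode the RFC 3164 <PRI> header into (facility, severity);
    None if it is absent or out of range."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        return None
    return pri // 8, pri % 8

def route_datagrams(datagrams, port_map=PORT_TO_STREAM, expected=EXPECTED_SOURCES):
    """Bucket messages by the port they arrived on. Returns (streams, rejected);
    each rejected entry carries a reason so it can be alerted on."""
    streams = defaultdict(list)
    rejected = []
    for port, src, payload in datagrams:
        stream = port_map.get(port)
        if stream is None:
            rejected.append(("unmapped-port", port, src))
            continue
        parsed = parse_pri(payload)
        if parsed is None:
            rejected.append(("bad-pri", port, src))
            continue
        if src not in expected.get(stream, set()):
            rejected.append(("unexpected-source", port, src))
            continue
        facility, severity = parsed
        streams[stream].append({"src": src, "facility": facility,
                                "severity": severity, "msg": payload})
    return dict(streams), rejected

if __name__ == "__main__":
    streams, rejected = route_datagrams(SAMPLE_DATAGRAMS)
    for name, msgs in streams.items():
        print(name, [m["severity"] for m in msgs])
    print("rejected:", rejected)
```

Splitting by port only separates the streams; it does not authenticate them, since UDP syslog carries no sender verification, which is why the per-stream source allowlist is worth keeping alongside it.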
Re: [c-nsp] 100FX Ports or Media Convertors?
[EMAIL PROTECTED] wrote:
> Hi, we have quite a lot of 100Mb fibre distribution, but it is spread across many locations, so 24 fibre ports out from any location is just about enough. My question is now, the 3550-FX has gone and I need to replace some units. The way forward with integrated ports is the 3750 with 24FX + 4 SFP

There is the SFP-only version WS-C3750G-12S. Or find some used 2912MF-XLs :-)

Jeff
Re: [c-nsp] Inter VRF Routing help needed
cc loo mailto:[EMAIL PROTECTED] wrote on Thursday, September 11, 2008 5:05 PM:
> Hi Oliver,
>
> Thanks for the quick reply. Indeed I was referring to VRF-Lite. In the cisco.com example, they gave this:
>
>   Router(config)# ip vrf customer_a
>   Router(config-vrf)# rd 1:1
>   Router(config-vrf)# route-target both 1:1
>   Router(config)# interface fastEthernet 0.1
>   Router(config-subif)# ip vrf forwarding customer_a
>
> Is there any specific reason why Cisco recommends using both (export/import) for its own RD?

The RD is not exported, the RT is. See the answer to the next question.

Well, the import is not really needed in this specific case, as there is no other VRF exporting routes with this route-target (so no point importing it).

> Oliver's example is here, but I would like to confirm if 1:100 is a typo or should it be 1:1 (like its own RD?):
>
>   ip vrf customer_A
>    rd 1:1
>    route-target export 1:100
>    route-target import 1:900

RD and route-target are different things. They can be the same, but they need not be (in an MPLS VPN, they usually aren't the same, as the RD is unique per PE per VRF).

> I was wondering if this is the correct place to post newbie questions like these? I'm a junior engineer in a Singaporean ISP, hoping to learn more tricks and tips in the field of IP planning :D

Well, I guess it's like all lists where folks help each other: if people see that you haven't done your homework, you might not get a reply.

oli
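Oliver's two points (the RD is never matched, only the RTs are; and importing your own export RT does nothing unless another VRF exports it) can be checked with a small model of RT-based import. This is an added example, not code from the thread or from Cisco. The VRF names follow the thread; the RD of customer_A (changed to 1:2 so it does not collide with customer_a on the same constructed box), the "services" VRF and all prefixes are constructed for the example.

```python
# Added example (not from the thread, not Cisco code): a model of VRF
# route-target import/export that keeps the RD and the RTs separate.
# VRF names follow the thread; RDs, the "services" VRF and all prefixes
# are constructed.
from collections import namedtuple

VRF = namedtuple("VRF", "name rd export_rts import_rts routes")

VRFS = [
    # The cisco.com example: RD 1:1 and "route-target both 1:1".
    VRF("customer_a", "1:1", {"1:1"}, {"1:1"}, {"10.1.0.0/24"}),
    # Oliver's example RTs: export 1:100, import 1:900. RD 1:2 instead of
    # 1:1 only because customer_a already uses 1:1 on this constructed box.
    VRF("customer_A", "1:2", {"1:100"}, {"1:900"}, {"10.2.0.0/24"}),
    # Hypothetical shared-services VRF that mirrors customer_A's RTs.
    VRF("services", "1:3", {"1:900"}, {"1:100"}, {"172.16.0.0/24"}),
]

def vpn_routes(vrfs):
    """Build the VPNv4-style table. Each route is keyed by RD + prefix and
    carries its VRF's export RTs. The RD only keeps keys unique across VRFs;
    nothing ever matches on it."""
    return [{"rd": v.rd, "prefix": p, "rts": set(v.export_rts), "origin": v.name}
            for v in vrfs for p in sorted(v.routes)]

def imported_routes(vrf, table):
    """A VRF imports a route iff at least one RT on the route is in the
    VRF's import set (and the route did not come from the VRF itself)."""
    return sorted(r["prefix"] for r in table
                  if r["origin"] != vrf.name and r["rts"] & vrf.import_rts)

def rib(vrfs):
    """Per-VRF routing table: local routes, then whatever the import RTs pull in."""
    table = vpn_routes(vrfs)
    return {v.name: sorted(v.routes) + imported_routes(v, table) for v in vrfs}

def exporters_of(rt, vrfs):
    """Which VRFs export a given RT. Empty means importing that RT is a no-op,
    which is the situation Oliver describes for customer_a's 'both 1:1'."""
    return [v.name for v in vrfs if rt in v.export_rts]

if __name__ == "__main__":
    for name, routes in rib(VRFS).items():
        print(f"{name:12s} {routes}")
    print("exporters of 1:1 other than customer_a:",
          [n for n in exporters_of("1:1", VRFS) if n != "customer_a"])
```

The model also makes the "RD is unique per PE per VRF" point concrete: the RD only shows up in the route key, so two routes with the same prefix from different VRFs can coexist, while what actually leaks a route between VRFs is an RT that appears on both an export and an import list.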
Re: [c-nsp] EoMPLS between C7206 and C3845
Is that an EtherSwitch Network module or Service module? They are very different beasts. I'd imagine that you were using the Network module and that the problem could have been avoided with a Service module.

http://tinyurl.com/2ok8ox

The Service module literally acts as an independent switch that happens to be mounted inside the ISR chassis. I don't have a solution for your EoMPLS problem when using the Network module, unfortunately. Maybe someone from Cisco can chime in on that one.

Justin

Junaid wrote:
> Hi,
>
> I have narrowed the problem. Now EoMPLS is working between the two routers - the change is that instead of connecting CE2 to the EtherSwitch module of the C3845, I have connected it to an external 2950 switch which is then dot1q trunked to the C3845. The problem appears when I connect the host on the EtherSwitch port. The configuration on the routing portion of the C3845 is exactly the same in both cases and the config on the 2950 and EtherSwitch is similar.
>
> Does anyone have any experience of running EoMPLS on a C3845 with a host on an EtherSwitch module port? Is there any special consideration that needs to be catered for in such a scenario?
>
> Will appreciate any help.
>
> Regards,
> Junaid
>
> On Thu, Aug 7, 2008 at 2:15 AM, Junaid [EMAIL PROTECTED] wrote:
>> [...]
[c-nsp] 6500 netflow export and the switch cpu
I've got a 6509 with sup720-3bxl running 12.2(18)SXD7b. It's forwarding several hundred mbit/s across a number of gig ports on WS-X6416-GBIC cards. I've noticed it's gotten very slow at certain things (like write mem), and when looking at the switch (remote command switch show proc cpu), I was kind of shocked to see 85% CPU utilization or higher across all time avgs. The biggest CPU eating process seems to be netflow export:

  223  2563111984  126342970      20287  38.27%  42.39%  42.03%   0 NDE - IPV4

Other than disabling export or moving traffic off this device, are there things I can do to tone this down? The couple hundred mbit/s this switch is forwarding is supposed to be no big deal for this platform.

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: [c-nsp] 6500 netflow export and the switch cpu
> You can enable sampling if it is not enabled. It should help some.

Highly unlikely. Sampling on the 6500 is performed entirely in software, *after* the full set of flows has been received.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
Re: [c-nsp] 6500 netflow export and the switch cpu
On Thu, 11 Sep 2008, Phil Mayers wrote:
>> current ip flowmask for unicast:   if-full
>> current ipv6 flowmask for unicast: null
>
> Do you need the full mask? It includes tcp/udp ports. Dropping to destination-source may save you a lot of flows (but obviously lose you a lot of info)

I'd really like to keep ip-full. It's quite handy when tracking down what an IP has been up to (like when trying to verify infection/scanning complaints).

--
Jon Lewis
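The trade-off Phil and Jon are discussing (fewer flow-cache entries with a narrower mask, versus losing the port information Jon uses when verifying scanning complaints) can be made concrete by keying the same packets under each mask. This is an added example, not code from the thread or from Cisco: the packet sample is constructed, and the key fields per mask are my reading of what each mask name denotes (full = the 5-tuple, destination-source = the two addresses, an interface- prefix adds the input interface), not an emulation of the PFC.

```python
# Added example (not from the thread, not Cisco code): count the flow-cache
# entries the same traffic produces under each flow mask, and show a query
# that only the port-carrying masks can answer. Packets are constructed;
# the per-mask key fields are an assumption based on the mask names.
from collections import Counter, defaultdict

# Constructed packets: (input ifindex, src, dst, proto, sport, dport)
PACKETS = [
    (1, "192.0.2.10", "198.51.100.5", 6, 40001, 22),
    (1, "192.0.2.10", "198.51.100.5", 6, 40002, 23),
    (1, "192.0.2.10", "198.51.100.5", 6, 40003, 80),
    (1, "192.0.2.10", "198.51.100.5", 6, 40004, 443),
    (2, "192.0.2.10", "198.51.100.5", 6, 40005, 445),
    (1, "192.0.2.11", "198.51.100.5", 17, 5353, 53),
    (1, "192.0.2.11", "198.51.100.5", 17, 5354, 53),
]

# Assumed key fields for each mask name.
FLOW_MASKS = {
    "destination":                  lambda p: (p[2],),
    "destination-source":           lambda p: (p[1], p[2]),
    "interface-destination-source": lambda p: (p[0], p[1], p[2]),
    "full":                         lambda p: (p[1], p[2], p[3], p[4], p[5]),
    "interface-full":               lambda p: (p[0], p[1], p[2], p[3], p[4], p[5]),
}

def flow_cache(packets, mask):
    """Packets per flow-cache entry under the given mask."""
    key = FLOW_MASKS[mask]
    return Counter(key(p) for p in packets)

def entries_per_mask(packets):
    """Cache size (number of entries) for each mask on the same traffic."""
    return {m: len(flow_cache(packets, m)) for m in FLOW_MASKS}

def distinct_dst_ports(packets, mask="full", threshold=3):
    """Source/destination pairs where the source touched more than `threshold`
    distinct destination ports, derived from the cache alone. Masks that drop
    the ports cannot answer this, so the function returns None for them."""
    if "full" not in mask:
        return None
    ports = defaultdict(set)
    for key in flow_cache(packets, mask):
        src, dst, dport = key[-5], key[-4], key[-1]
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) > threshold}

if __name__ == "__main__":
    for mask, n in entries_per_mask(PACKETS).items():
        print(f"{mask:30s} {n} entries")
    print("busy pairs (full mask):", distinct_dst_ports(PACKETS))
    print("busy pairs (dst-src mask):", distinct_dst_ports(PACKETS, "destination-source"))
```

On this sample the full masks create seven entries where destination-source creates two, which is the saving Phil points at; the second query shows what Jon would lose, since once the ports are gone from the key there is no way to tell a host that opened one connection from one that touched five services.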
[c-nsp] F5 BIG IP and FWSM
Hi,

Has anyone worked on F5 BIG IP and FWSM? If yes, please help me. At this point I want to know how BIG IP should be connected to the FWSM, especially in routed mode. My understanding:

  6509 (MSFC) -- outside interface of LB -- inside interface of LB -- FWSM context (multiple context)

How will BIG IP be able to do load balancing when it is not directly connected to the servers? All servers' d/g is the FWSM context.

Regards,
Vikas Sharma
Re: [c-nsp] F5 BIG IP and FWSM
That looks backwards... why not have the DG for internal hosts be the BigIP, and DG the BigIP to the inside of the FWSM? The BigIP does a good job of performing NAT, and doesn't need to be directly connected to the nodes in its pools... in fact, I would highly recommend against connecting nodes directly to the BigIP - you should utilize a core switch block for that and default route to a floating internal IP on the BigIP; from there, upstream to the FWSM and let it handle security out front.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vikas Sharma
Sent: Thursday, September 11, 2008 11:08 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] F5 BIG IP and FWSM

> [...]
Re: [c-nsp] 6500 netflow export and the switch cpu
I wonder if it is not something in the config, rather than the traffic. I collect netflow from an old 6509 with upwards of 800M out one interface and I haven't seen any problems. Using if-full too. Granted, a lot of our flows are data set transfers though. (I can't get the IOS version right now as it is managed by a different group, but it is probably fairly vanilla.)

The number of flows was mentioned; is there a lot of VoIP going through your switch, or something like that? What happens if you reduce the aging values? The 'long' one looks high. It just seems that with the load you are quoting, you should be able to get everything...

Joe

Jon Lewis [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/11/2008 01:52 PM

To: Phil Mayers [EMAIL PROTECTED]
cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6500 netflow export and the switch cpu

> On Thu, 11 Sep 2008, Phil Mayers wrote:
>>> current ip flowmask for unicast:   if-full
>>> current ipv6 flowmask for unicast: null
>>
>> Do you need the full mask? It includes tcp/udp ports. Dropping to destination-source may save you a lot of flows (but obviously lose you a lot of info)
>
> I'd really like to keep ip-full. It's quite handy when tracking down what an IP has been up to (like when trying to verify infection/scanning complaints).
>
> --
> Jon Lewis
[c-nsp] IPv6 Subnetting - Service Provider
Hi there...

In a SP environment, what's common practice so far with subnetting? Typically, in IPv4 today we use a /30 or /29 for point to point and each device has a /32 loopback... I've been reading a lot of different opinions and everyone seems to recommend a /64 for each link (router) or a server - why so large?

I'd love to see a layout of a few routers in a SP core network and how they've subnetted them ;)

Appreciate it,
Paul
[c-nsp] 12.4(20)T packet capture feature example
I showed a troubleshooting example on the support wiki:

http://supportwiki.cisco.com/wiki/index.php/Tech_Insights:Utilizing_the_New_Packet_Capture_Feature

If you want the capture in the punt path for process level, you set the capture point to:

  monitor capture point ip process-switched

Rodney
Re: [c-nsp] IPv6 Subnetting - Service Provider
On Thu, 11 Sep 2008, Paul Stewart wrote:
> Hi there...
>
> In a SP environment, what's common practice so far with subnetting? Typically, in IPv4 today we use a /30 or /29 for point to point and each device has a /32 loopback... I've been reading a lot of different opinions and everyone seems to recommend a /64 for each link (router) or a server - why so large?
>
> I'd love to see a layout of a few routers in a SP core network and how they've subnetted them ;)

- /64 if you have any chance that you want to use autoconfiguration (maybe in the future)
- for subnets containing lots of computers I definitely would go for /64
- /126 you got similar to /30
- /122 in between /64 and /126 - with nice : boundary
- or nothing if you are satisfied by link locals - OSPFv3, IS-IS can work without global IPv6 address (even BGP can work on Cisco)

Regards,
Janos Mohacsi

> Appreciate it,
> Paul
Re: [c-nsp] IPv6 Subnetting - Service Provider
On Thu, 11 Sep 2008, Paul Stewart wrote:
> In a SP environment, what's common practice so far with subnetting? Typically, in IPv4 today we use a /30 or /29 for point to point and each device has a /32 loopback... I've been reading a lot of different opinions and everyone seems to recommend a /64 for each link (router) or a server - why so large?
>
> I'd love to see a layout of a few routers in a SP core network and how they've subnetted them ;)

This debate rolled on NANOG a few weeks ago. People generally broke into two camps - one advocated using /64s on point-to-point links, and the other advocated smaller subnets such as /126 for point-to-points and /128s for loopbacks. So, I guess the consensus is that there isn't one :)

jms
Re: [c-nsp] IPv6 Subnetting - Service Provider
Thanks for the replies... Yeah, I'm getting various pieces of feedback - I'm going with the /126 for point to point and /128 for loopback on core devices at this point. I don't trust the autoconfiguration ideas at this point (call it old school) anyways... ;)

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin M. Streiner
Sent: Thursday, September 11, 2008 4:05 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IPv6 Subnetting - Service Provider

On Thu, 11 Sep 2008, Paul Stewart wrote:
> In a SP environment, what's common practice so far with subnetting? Typically, in IPv4 today we use a /30 or /29 for point to point and each device has a /32 loopback... I've been reading a lot of different opinions and everyone seems to recommend a /64 for each link (router) or a server - why so large?
>
> I'd love to see a layout of a few routers in a SP core network and how they've subnetted them ;)

This debate rolled on NANOG a few weeks ago. People generally broke into two camps - one advocated using /64s on point-to-point links, and the other advocated smaller subnets such as /126 for point-to-points and /128s for loopbacks. So, I guess the consensus is that there isn't one :)

jms
Re: [c-nsp] IPv6 Subnetting - Service Provider
On Thu, Sep 11, 2008 at 04:11:20PM -0400, Paul Stewart wrote:
> Thanks for the replies... Yeah, I'm getting various pieces of feedback - I'm going with the /126 for point to point and /128 for loopback on core devices at this point. I don't trust the autoconfiguration ideas at this point (call it old school) anyways... ;)

One issue we ran into was that not all the networking gear we had could support /126. The vendor's (not Cisco) immature support for IPv6 could only understand the concept of /128 loopbacks and /64 subnets. Device in question was a CMTS.

Bob
Re: [c-nsp] IPv6 Subnetting - Service Provider
Thanks .. so far we've only ventured into 7600/6500 core equipment but we do have CMTS to look at in the future ;)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Snyder
Sent: Thursday, September 11, 2008 4:27 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IPv6 Subnetting - Service Provider

On Thu, Sep 11, 2008 at 04:11:20PM -0400, Paul Stewart wrote:
> Thanks for the replies... Yeah, I'm getting various pieces of feedback - I'm going with the /126 for point to point and /128 for loopback on core devices at this point. I don't trust the autoconfiguration ideas at this point (call it old school) anyways... ;)

One issue we ran into was that not all the networking gear we had could support /126. The vendor's (not Cisco) immature support for IPv6 could only understand the concept of /128 loopbacks and /64 subnets. Device in question was a CMTS.

Bob
Re: [c-nsp] Setting the Remote Syslog Port in IOS
hmm interesting darn, im out of luck

i dont have it on my 12ks running 12.0(32)SY4
i do have it on a rsp720/7600 running 12.2(33)SRB2
dont have it on sup720/7600 running SX7 either

just not enough boxes have it, to do what i want i guess..

christian

On Thu, Sep 11, 2008 at 9:39 AM, Justin Shore [EMAIL PROTECTED] wrote:
> I have it on a 7206VXR running 12.4(15)T2.
>
> 7206-1.clr(config)#logging host ?
>   Hostname or A.B.C.D  IP address of the syslog server
>   ipv6                 Configure IPv6 syslog server
>
> 7206-1.clr(config)#logging host 1.2.3.4 ?
>   discriminator         Specify a message discriminator indentifier for this logging session
>   filtered              Enable filtered logging
>   sequence-num-session  Include session sequence number tag in syslog message
>   session-id            Specify syslog message session ID tagging
>   transport             Specify the transport protocol (default=UDP)
>   vrf                   Set VRF option
>   xml                   Enable logging in XML
>   <cr>
>
> 7206-1.clr(config)#logging host 1.2.3.4 tr
> 7206-1.clr(config)#logging host 1.2.3.4 transport ?
>   beep  Blocks Extensible Exchange Protocol
>   tcp   Transport Control Protocol
>   udp   User Datagram Protocol
>
> 7206-1.clr(config)#logging host 1.2.3.4 transport udp ?
>   discriminator         Specify a message discriminator indentifier for this logging session
>   filtered              Enable filtered logging
>   port                  Specify the UDP port number (default=514)
>   sequence-num-session  Include session sequence number tag in syslog message
>   session-id            Specify syslog message session ID tagging
>   xml                   Enable logging in XML
>   <cr>
>
> 7206-1.clr(config)#logging host 1.2.3.4 transport udp port ?
>   <1-65535>  Port number
>
> I also see the command on a 3660 running 12.3(14)T7. I have it on a 3560E running 12.2(44)SE2 but not on a 3750 running 12.2(25)SEB. I do however have it on a 3560G and a basic 3560 running 12.2(44)SE2. I also have it on a Sup720-3BXL in a 7600 running SRB1. Looks like it's available for the older platforms with the right IOS.
>
> Justin
>
> Christian Koch wrote:
>> checked for any switches after inputting the ip address on the logging host command but nothing was available
>>
>> #logging host 1.1.1.1 transport ?
>> % Unrecognized command
>>
>> On Wed, Sep 10, 2008 at 3:55 PM, Tassos Chatzithomaoglou [EMAIL PROTECTED] wrote:
>>> Have you tried logging host XXX transport udp port Y?
>>>
>>> --
>>> Tassos
>>>
>>> Christian Koch wrote on 10/09/2008 19:41:
>>>> I know i can set the remote syslog port on ASA/PIX's, but i don't seem to see that it is possible in IOS. I wanted to segregate logs by sending them from certain devices to separate syslog ports
>>>>
>>>> Can anyone confirm this behavior? Has anyone had the need to do something similar?
>>>>
>>>> Thanks
>>>> Christian
Re: [c-nsp] IPv6 Subnetting - Service Provider
Paul Stewart wrote:
> Hi there...
>
> In a SP environment, what's common practice so far with subnetting? Typically, in IPv4 today we use a /30 or /29 for point to point and each device has a /32 loopback... I've been reading a lot of different opinions and everyone seems to recommend a /64 for each link (router) or a server - why so large?
>
> I'd love to see a layout of a few routers in a SP core network and how they've subnetted them ;)

I just ran into an issue in my network (testing a 3750) where an IPv6 ACL only accepts down to a /64 for matching and only EUI-64 hosts. And there's my 877W I've mentioned a few times this week that has its own exciting quirks.

Other than that, I use /64 for subnets and /128 loopbacks out of a /64 reserved for loopbacks. Using /64 and /128 is almost guaranteed to be safe at this early stage; plenty of IPv6 support just isn't that mature yet. There's an RFC or something out there (too lazy to look it up) that says use /64 for subnets, so it's the magic number for a lot of IPv6 implementations.

~Seth
Re: [c-nsp] IPv6 Subnetting - Service Provider
Hi,

> yet. There's an RFC or something out there (too lazy to look it up) that says use /64 for subnets, so it's the magic number for a lot of IPv6 implementations.

my initial (and, i guess, current) IPv6 deployment plan was based on /64 subnets. yes, that's a ridiculous amount of hosts per subnet... nasty software coded in 'the old style' might make these very big collision domains and i do worry about how ISC DHCPv6 will handle such large numbers of leases - recalling how it deals with /16's in IPv4 land.

however, for router-to-router links, non IP-based routing protocols - as mentioned IS-IS or OSPFv3 on the link layer avoids the legacy issue (and wasting /64's for such trivialities)

alan
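To make the prefix sizes argued over in this thread concrete, here is an added example (not code from any of the posters) that carves a provider block into the layout Paul and Seth describe: a /64 per LAN, one /64 sliced into /126 point-to-point links, one /64 for /128 loopbacks. It also runs the check Bob's CMTS story calls for, listing every planned prefix a device that only understands /64 and /128 cannot configure. The 2001:db8:1::/48 block (the RFC 3849 documentation prefix) and the subnet counts are constructed.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed example block: the RFC 3849 documentation prefix, not a real
# provider allocation.
PROVIDER_BLOCK = ipaddress.IPv6Network("2001:db8:1::/48")


def address_count(prefixlen: int) -> int:
    """Number of addresses covered by an IPv6 prefix of the given length
    (why a /64 per link looks 'so large': 2**64 addresses)."""
    if not 0 <= prefixlen <= 128:
        raise ValueError("IPv6 prefix length must be between 0 and 128")
    return 1 << (128 - prefixlen)


def nibble_aligned(prefixlen: int) -> bool:
    """True when the prefix ends on a hex-digit boundary, so subnet numbers
    read cleanly in the textual address (/64 and /124 do, /126 and /122 do not)."""
    return prefixlen % 4 == 0


def plan_core_addressing(block: ipaddress.IPv6Network, n_lans: int, n_p2p: int,
                         n_loopbacks: int) -> Dict[str, List[ipaddress.IPv6Network]]:
    """Carve the block as the thread suggests: one /64 per LAN segment, one /64
    reserved and sliced into /126 point-to-point links, and one /64 reserved
    for /128 loopbacks. RFC 6164 (2011) later recommended /127 for inter-router
    links; this follows the /126 choice Paul settled on."""
    if block.prefixlen > 64:
        raise ValueError("need a /64 or shorter block to allocate /64 subnets")
    if n_lans + 2 > 1 << (64 - block.prefixlen):
        raise ValueError("block does not hold that many /64 subnets")
    sixty_fours = block.subnets(new_prefix=64)      # lazily enumerates the /64s
    lans = [next(sixty_fours) for _ in range(n_lans)]
    p2p_pool = next(sixty_fours)
    loopback_pool = next(sixty_fours)
    p2p_links: List[ipaddress.IPv6Network] = []
    for link in p2p_pool.subnets(new_prefix=126):
        if len(p2p_links) == n_p2p:
            break
        p2p_links.append(link)
    # One /128 per router, starting at ::1 so the pool's all-zero address
    # (the subnet-router anycast address) is never handed out as a loopback.
    loopbacks = [ipaddress.IPv6Network(f"{loopback_pool[i + 1]}/128")
                 for i in range(n_loopbacks)]
    return {"lans": lans, "p2p_pool": [p2p_pool], "p2p": p2p_links,
            "loopback_pool": [loopback_pool], "loopbacks": loopbacks}


def p2p_endpoints(link: ipaddress.IPv6Network
                  ) -> Tuple[ipaddress.IPv6Address, ipaddress.IPv6Address]:
    """Pick the two router addresses on a /126. link[0] is left unused because
    an all-zero interface identifier is the subnet-router anycast address
    (RFC 4291); link[3] is simply spare, as on an IPv4 /30."""
    if link.prefixlen != 126:
        raise ValueError("expected a /126 point-to-point link")
    return link[1], link[2]


def unsupported_prefixes(plan: Dict[str, List[ipaddress.IPv6Network]],
                         supported_lengths: Set[int]) -> List[ipaddress.IPv6Network]:
    """Bob's CMTS problem as a pre-deployment check: every planned prefix whose
    length a device limited to the given prefix lengths cannot configure."""
    return [net for nets in plan.values() for net in nets
            if net.prefixlen not in supported_lengths]


if __name__ == "__main__":
    plan = plan_core_addressing(PROVIDER_BLOCK, n_lans=2, n_p2p=3, n_loopbacks=4)
    for kind, nets in plan.items():
        print(f"{kind:14} {[str(n) for n in nets]}")
    for link in plan["p2p"]:
        a, b = p2p_endpoints(link)
        print(f"{link}: {a} <-> {b}")
    print("/64 holds", address_count(64), "addresses; /126 holds", address_count(126))
    print("not configurable on a /64-and-/128-only device:",
          [str(n) for n in unsupported_prefixes(plan, {64, 128})])
```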
Re: [c-nsp] F5 BIG IP and FWSM
> That looks backwards... why not have the DG for internal hosts be the BigIP, and DG the BigIP to the inside of the FWSM? The BigIP does a good job of performing NAT, and doesn't need to be directly connected to the nodes in its pools... in fact, I would highly recommend against connecting nodes directly to the BigIP - you should utilize a core switch block for that and default route to a floating internal ip on the BigIP, from there, upstream to the FWSM and let it handle security out front.

I concur with this advice, esp. the note about having an L3 connected network between the back end hosts and the 'Inside' interface of the big IP. Main benefit is failover (no arp issues on clients or F5) when dealing with large load balanced farms.

~Max

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vikas Sharma
Sent: Thursday, September 11, 2008 11:08 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] F5 BIG IP and FWSM

Hi,

Has anyone worked on F5 BIG IP and FWSM? If yes please help me. At this point I wanted to know BIG IP and how it should be connected to FWSM, especially in routed mode.

My understanding -

6509 (MSFC) -- outside interface of LB -- Inside interface of LB - FWSM context (multiple context)

How will BIG IP be able to do load balancing when it is not directly connected to servers? All servers' d/g is the FWSM context.

Regards,
Vikas Sharma
Re: [c-nsp] site to site and remote access on pix 506e
Hello Dalton:

Here are a couple of ideas.

1) Change:
isakmp key address x.x.x.x netmask 255.255.255.255
to
isakmp key address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

2) You might want to add:
isakmp nat-traversal 20

3) I'm assuming you have a LOCAL username specified?

Regards,
Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of dalton
Sent: Thursday, September 11, 2008 3:26 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] site to site and remote access on pix 506e

Hi,

I'm wondering if anyone has a working config for a pix 506e running 6.3 or so, to do both site to site and remote access vpn. I assume this is possible? I have a pix running a few site to sites, however when i added the remote access config, it caused the tunnels to fail leaving them in a state of Xauth config or something of the like (don't have the exact error).

Things fail when I add these 2 lines to the crypto map:

crypto map toCLIENT client configuration address initiate
crypto map toCLIENT client authentication LOCAL

config is below, thanks.

-dalton

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname client-pix
domain-name client.logicworks.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.1
access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.2
access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.1
access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.2
access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.1
access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.2
access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.177.187.0 255.255.255.0
access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.1
access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.2
access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.1
access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.2
access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.1
access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.2
access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
access-list splittunnelACL permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging standby
logging console alerts
logging monitor alerts
logging buffered debugging
logging history alerts
mtu outside 1500
mtu inside 1500
ip audit info action alarm
ip audit attack action alarm
ip local pool REMOTEPOOL 10.254.10.10-10.254.10.20 mask 255.255.255.0
pdm history enable
arp timeout 14400
nat (inside) 0 access-list DENY-NAT
conduit permit ip any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set mytrans
crypto map toCLIENT 20 ipsec-isakmp
crypto map toCLIENT 20 match address toCLIENT
crypto map toCLIENT 20 set peer x.x.x.x
crypto map toCLIENT 20 set transform-set strong
crypto map toCLIENT 999 ipsec-isakmp dynamic dynmap
crypto map toCLIENT client configuration address initiate
crypto map toCLIENT client authentication LOCAL
crypto map toCLIENT interface outside
isakmp enable outside
isakmp key address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup client address-pool REMOTEPOOL
vpngroup client dns-server x.x.x.x
vpngroup client default-domain client.logicworks.net
vpngroup client split-tunnel splittunnelACL
vpngroup client split-dns logicworks.net
vpngroup client idle-time 3600
vpngroup client password
vpngroup idle-time idle-time 1800
Re: [c-nsp] Inter VRF Routing help needed
Hi cc loo -

It took me a while to understand the difference between RD and RT's too. Most literature will have examples of where the RD and RT are exactly the same and you can't help but be confused when you see them being different and you'll start to ask yourself what's the point of having this RT statement when it's identical to the RD - seems like a waste of time. But they do play a very important role when you start moving away from simple VRF design.

What's most important to remember is that the RD and RT can be the same or can be totally different and that they both serve completely different purposes.

Generally, in a very simple VRF set up (eg: one customer with 3 sites all being able to talk with each other and exchange data), the RD and RT will be the same because you probably won't be leaking routes between VRF's because this isn't a requirement.

The RD is basically a way to allow overlapping IP addresses to exist. If we take the example of vrf_customer_A (RD 1:1) and vrf_customer_B (RD 1:2) - both can choose to use 192.168.1.0/24 and the address space will be completely unique because the RD is combined with the IPv4 address to produce the VPNv4 address like so - RD:192.168.1.1.

The RT on the other hand is a BGP extended-community attribute that is also tagged onto the VPNv4 address to allow you to be able to import/export these routes to other VRF's.

ip vrf customer_A
 rd 1:1
 route-target export 1:100
 route-target import 1:900
!
ip vrf customer_B
 rd 1:2
 route-target export 1:200
 route-target import 1:900
!
ip vrf Hub
 rd 1:9
 route-target export 1:900
 route-target import 1:100
 route-target import 1:200

So in Oli's example, a host of vrf_customer_A might have a VPNv4 address of 1:1:192.168.1.1 and RT 1:100. Likewise a host of vrf_customer_B might have the VPNv4 address of 1:2:192.168.2.1 and RT 1:200.

The routes with the corresponding RT's of 1:100 (vrf_customer_A) and 1:200 (vrf_customer_B) are imported by the Hub and so the Hub will end up with the routes of 192.168.1.1 and 192.168.2.1 in its own routing table and will be able to reach these two hosts even though they are in different VRF's. Similarly, vrf_customer_A and vrf_customer_B need to import the RT that the Hub is exporting (1:900) so they too can reach the Hub.

I've deliberately used different IP space for customer_A and customer_B. Just be careful if you plan to import/export routes between different VRF's because you'll need to make sure the routes are unique in this case. Imagine if customer_A and customer_B were both using 192.168.1.0/24. How would the Hub be able to distinguish if it should be sending to customer_A or customer_B - hence why you need to do some planning so as not to run into this problem.

Sorry if it was a bit long winded. I'm new to all this too ;)

Cheers.
Andy

cc loo mailto:[EMAIL PROTECTED] wrote on Thursday, September 11, 2008 5:05 PM:
>> Hi Oliver,
>>
>> Thanks for the quick reply. Indeed i was referring to VRF-LITE
>>
>> In the cisco.com example, they gave this
>>
>> Router(config)# ip vrf customer_a
>> Router(config-vrf)# rd 1:1
>> Router(config-vrf)# route-target both 1:1
>> Router(config)# interface fastEthernet 0.1
>> Router(config-subif)# ip vrf forwarding customer_a
>>
>> is there any specific reason why cisco recommends using both (export/import) for its own RD ?
>
> the RD is not exported, the RT is. see answer to next question.
>
> Well, the import is not really needed in this specific case as there is no other VRF exporting routes with this route-target (so no point importing it).
>
>> Oliver's example is here, but i would like to confirm if 1:100 is a typo or should it be 1:1 (like its own RD?):
>>
>> ip vrf customer_A
>>  rd 1:1
>>  - route-target export 1:100
>>  route-target import 1:900
>
> RD and route-target are different things. They can be the same, but they must not be (in an mpls-vpn, they usually aren't the same as the RD is unique per PE per VRF).
>
>> I was wondering if this is the correct place to post newbie questions like these ? I'm a junior engineer in a singaporean isp, hoping to learn more tricks and tips in the field of IP planning :D
>
> well, I guess it's like all lists where folks help each other: If people see that you haven't done your homework, you might not get a reply.
>
> oli
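As an added illustration of the RD/RT split Andy and Oli describe (example code written for this page, not from the thread or any router implementation), this Python model exports each VRF's prefixes as RD:prefix NLRI tagged with the VRF's export route-targets, imports by route-target into the three VRFs of Andy's config, and flags the case he warns about, where customer_A and customer_B both announce 192.168.1.0/24. The Hub's own prefix 10.9.0.0/24 and the customer prefixes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VpnV4Route:
    """One VPNv4 NLRI as a PE advertises it: the RD prepended to the IPv4
    prefix, carrying the RT extended communities the exporting VRF attached."""
    rd: str
    prefix: ipaddress.IPv4Network
    route_targets: FrozenSet[str]
    origin_vrf: str

    @property
    def nlri(self) -> str:
        return f"{self.rd}:{self.prefix}"


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    export_rts: FrozenSet[str]
    import_rts: FrozenSet[str]
    local_prefixes: Tuple[ipaddress.IPv4Network, ...]


def export_vpnv4(vrfs: List[Vrf]) -> List[VpnV4Route]:
    """Every VRF tags its own prefixes with its RD (so identical IPv4 prefixes
    from different VRFs stay distinct in BGP) and with its export RTs."""
    return [VpnV4Route(vrf.rd, prefix, vrf.export_rts, vrf.name)
            for vrf in vrfs for prefix in vrf.local_prefixes]


def import_into(vrf: Vrf, vpnv4_table: List[VpnV4Route]
                ) -> Dict[ipaddress.IPv4Network, List[str]]:
    """Install into `vrf` every VPNv4 route carrying at least one RT the VRF
    imports. The RD is dropped on import, so the VRF's table is keyed by the
    plain IPv4 prefix; the value records which VRF(s) the prefix came from."""
    imported: Dict[ipaddress.IPv4Network, List[str]] = {}
    for route in vpnv4_table:
        if route.origin_vrf == vrf.name:
            continue                  # a VRF does not re-import its own routes
        if route.route_targets & vrf.import_rts:
            imported.setdefault(route.prefix, []).append(route.origin_vrf)
    return imported


def ambiguous_prefixes(imported: Dict[ipaddress.IPv4Network, List[str]]
                       ) -> List[ipaddress.IPv4Network]:
    """Prefixes that arrived from more than one VRF: the RD kept them apart in
    BGP, but once imported the Hub cannot tell which customer to forward to."""
    return sorted(prefix for prefix, origins in imported.items() if len(origins) > 1)


def hub_and_spoke(customer_b_prefix: str) -> List[Vrf]:
    """The three VRFs from Andy's config. The prefixes are constructed for this
    example; customer_B's is a parameter so the overlap case can be shown."""
    net = ipaddress.IPv4Network
    return [
        Vrf("customer_A", "1:1", frozenset({"1:100"}), frozenset({"1:900"}),
            (net("192.168.1.0/24"),)),
        Vrf("customer_B", "1:2", frozenset({"1:200"}), frozenset({"1:900"}),
            (net(customer_b_prefix),)),
        Vrf("Hub", "1:9", frozenset({"1:900"}), frozenset({"1:100", "1:200"}),
            (net("10.9.0.0/24"),)),
    ]


if __name__ == "__main__":
    for b_prefix in ("192.168.2.0/24", "192.168.1.0/24"):
        vrfs = hub_and_spoke(b_prefix)
        table = export_vpnv4(vrfs)
        print("VPNv4 table:", [f"{r.nlri} RT={sorted(r.route_targets)}" for r in table])
        for vrf in vrfs:
            print(f"  {vrf.name} imports",
                  {str(p): origins for p, origins in import_into(vrf, table).items()})
        hub = vrfs[2]
        print("  ambiguous in Hub:",
              [str(p) for p in ambiguous_prefixes(import_into(hub, table))])
```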
Re: [c-nsp] 6500 netflow export and the switch cpu
On Thu, 11 Sep 2008, Jon Lewis wrote:
> On Thu, 11 Sep 2008, Phil Mayers wrote:
>> What do the following say:
>> sh mls netflow table-contention detailed
>
> Earl in Module 5
> Detailed Netflow CAM (TCAM and ICAM) Utilization
> TCAM Utilization : 100%
> ICAM Utilization : 7%
> Netflow TCAM count : 262026
> Netflow ICAM count : 10
> Netflow Creation Failures: 456680
> Netflow CAM aliases : 0
>
> I guess I need to get more aggressive on the flow aging. I've been using
>
> mls aging fast time 8 threshold 3
> mls aging long 480
> mls aging normal 32

It looks like the fix was to enable flow-sampling.

mls sampling time-based 64

has our cpu usage back down to about nothing and tcam usage down around 50%.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net | _ http://www.lewis.org/~jlewis/pgp for PGP public key_
[c-nsp] Check bandwidth on router
Hi List,

Is there some sort of tool you can load into the IOS on a router to check bandwidth? Or if not, what are you all doing these days in this situation? Like for example, things are running slow and you think the Internet feed may be the problem - is there a way to do speed tests on the router itself?

rootnet
Re: [c-nsp] 6500 netflow export and the switch cpu
> It looks like the fix was to enable flow-sampling.

Out of curiosity, what are you using your netflow for? I'm asking because sampling obviously isn't ideal when you are trying to get completely accurate data for accounting.

I am interested in hearing people's opinions on their methods of accounting when data hits well beyond the TCAM limit (and you're already on DFC's) and you are in an all Ethernet switched world (ie not broadband ppp radius accounting). Do you try and distribute the netflow onto multiple boxes closer to the edge or do you opt for another method? There is the easy option of byte counting switchports via snmp, but if people are wanting statistics of who's been where (possible legal reasons) or where the majority of traffic is coming from then that is not enough, maybe a mix of sampled netflow and switchport byte counting? It feels a shame using DFC's for a margin of their capacity purely because you need the TCAM space to produce netflow.

Ben
Re: [c-nsp] Datacenter Network Design
Thanks guys for your replies. I sure have a lot to chew on. I am sure I will post back more questions once I get into it

John

--- On Thu, 9/11/08, Phil Bedard [EMAIL PROTECTED] wrote:
From: Phil Bedard [EMAIL PROTECTED]
Subject: Re: [c-nsp] Datacenter Network Design
To: Brant I. Stevens [EMAIL PROTECTED]
Cc: root net [EMAIL PROTECTED], [EMAIL PROTECTED], cisco-nsp@puck.nether.net
Date: Thursday, September 11, 2008, 9:39 AM

> This is a good guide from Cisco.
> http://www.cisco.com/univercd/cc/td/doc/solution/dcidg21.pdf
>
> Phil
>
> On Sep 11, 2008, at 9:00 AM, Brant I. Stevens wrote:
>> The Solutions Reference Network Design page on Cisco's site is a good resource for network designs.
>> http://www.cisco.com/go/srnd
>>
>> -Brant
>>
>> On 9/11/08 3:15 AM, root net [EMAIL PROTECTED] wrote:
>>> John,
>>>
>>> If you are going to build a Cisco network you should spend some time on www.cisco.com and look at all of their configuration examples and whitepapers for specific gear you are looking at or working on.
>>>
>>> Here are some books I would suggest:
>>>
>>> Cisco Press:
>>> Data Center Fundamentals
>>> End-to-End QoS Network Design
>>> Designing for Cisco Internetwork Solutions
>>> Designing Cisco Network Architectures
>>> Network Management Fundamentals
>>>
>>> www.cisco.com: (Research)
>>> HSRP
>>> STP
>>> InterVLAN routing
>>> IEEE Bridging
>>> BGP
>>> OSPF
>>> L2TPV3
>>> MPLS / VPN
>>> IOS information
>>>
>>> Others:
>>> Administering Data Centers
>>> APC Data Center University (online classes) Some are FREE some are not.
>>>
>>> This is all I could think of since it's so late. DR will come when you start digging into the protocols and other information. Far as storage/backup, iSCSI is your friend so build a GbE network. OpenFiler, NetApp, MyIVault.
>>>
>>> From the start your facility will need to handle your immediate needs and growth or at least have the ability to scale (I would say maybe 10-20% growth for small budgets). Look at environmentals, power, fire protection: HVAC (spot coolers vs. ductless split systems vs. ducted systems, chilled water vs. air cooled), Power Requirements (Single Phase, Three Phase 208V/480V, UPS, Transfer switches, portable generators, generator), Raised Flooring vs. Anti-Static VCT, Security monitoring, water monitoring, temperature monitoring, and lastly Pre-action vs. plain wet system.
>>>
>>> Getting a separate Internet feed would be wise unless it's just cost prohibitive. Start out with maybe a 10Mbit pipe and go from there. This all depends on your customer's applications and servers. What they will be transferring and etc.
>>>
>>> Look into open source products as these are FREE and can help you. (e.g. nagios, jffnms, cacti, mrtg, syslog, linux, RT, rancid, and others)
>>>
>>> Rule of thumb: A good data center will have proactive measures and policies in place to monitor, maintain, and procure. With that said monitor everything (I mean everything) and have all staff alerted on all levels SMS, e-mail, phone if possible automatically. It's not about downtime so much it's how you procure the situation in a specific time frame. Customer service is a must.
>>>
>>> You will need to make the call on the gear you use but I use a mixture of Cisco, Extreme, and Juniper. For data centers it's a must for hot swappable gear so look in to carrier class gear with redundant processors, power supplies, hot swappable line cards. I would recommend Cisco 6500 Series, Cisco 7200 Series, Cisco ASA or Pix. I am not too fond of the Juniper firewall licensing. BTW, Cisco 2800/3600 Series may even work. Depends on the throughput capabilities you are needing. Research all aspects of your gear from ram, flash, processor speeds, to throughput, modules, IOS, and hot swappable needs.
>>>
>>> The above will get you started.
>>>
>>> rootnet08
>>>
>>> On 9/10/08, John Ramz [EMAIL PROTECTED] wrote:
>>>> We are looking into start hosting our customers' apps and data and would like for you to provide me link to internet resources (or books) to get me started on a network design that includes:
>>>> - 3rd party Compliance (security for example)
>>>> - Redundancy (routers, firewalls, switches)
>>>> - load balancing
>>>> - VLANS
>>>> - Virtual servers
>>>> - Backup
>>>> - SANs
>>>> - Disaster recovery
>>>> - How to keep customers separated from our regular network?
>>>> - How to keep customers totally isolated from each other?
>>>> - Access from our network to the Datacenter network for our developers to work with our customers? Also for our IT people to service, monitor and maintain that network
>>>>
>>>> I have thought of getting an Internet pipe just for the Datacenter network and with all the above mentioned components and then figure out the way and procedures to connect our company network with that one for the different items I already mentioned.
>>>>
>>>> Has anyone been
[c-nsp] console port
Hi

I want to connect to the console port but my laptop is only having the USB without the com (serial port)

Now i try to use the usb to serial port cable + serial to console cable to connect this console box of the router

does it work?

Thank you
[c-nsp] load-sharing round robin time?
Hello,

I'm doing load-sharing on a 2621 router with ios 12.3(26).

ip route 0.0.0.0 0.0.0.0 192.168.11.251
ip route 0.0.0.0 0.0.0.0 192.168.11.252
ip route 0.0.0.0 0.0.0.0 192.168.11.253

This was working just fine, but now we implemented a squid cache just behind the router and it strips the source ip, so all of the requests through the router now look like they are coming from the squid box. What is happening now is the squid box is randomly switching from route to route, but it's taking about 10 minutes to switch from each route. So watching the graphs on the three routers, it's only really using one route at a time. Is there a way to change the time limit for switching routes to make it switch faster?

Thanks,
Dan.
Re: [c-nsp] console port
A USB to Serial adapter will work. I've used them without any problems.

--John

adrian kok wrote:
> Hi
>
> I want to connect to the console port but my laptop is only having the USB without the com (serial port)
>
> Now i try to use the usb to serial port cable + serial to console cable to connect this console box of the router
>
> does it work?
>
> Thank you
Re: [c-nsp] console port
Hi Adrian, Yup, I'm on OS X / Ubuntu as well, and an RS232-USB converter will work fine once you install the drivers.

On Fri, Sep 12, 2008 at 9:23 AM, adrian kok [EMAIL PROTECTED] wrote: Hi, I want to connect to the console port, but my laptop only has USB and no COM (serial) port. Now I am trying to use a USB to serial cable plus a serial to console cable to connect to the console port of the router. Does it work? Thank you
Re: [c-nsp] Inter VRF Routing help needed
Hi, Thanks for all the replies. I will go do more homework/reading up and practice in my workplace :D

On Fri, Sep 12, 2008 at 6:48 AM, Andy Saykao [EMAIL PROTECTED] wrote:

Hi cc loo - It took me a while to understand the difference between RDs and RTs too. Most literature will have examples where the RD and RT are exactly the same, and you can't help but be confused when you see them being different; you'll start to ask yourself what's the point of having this RT statement when it's identical to the RD - seems like a waste of time. But they do play a very important role when you start moving away from simple VRF design. What's most important to remember is that the RD and RT can be the same or can be totally different, and that they both serve completely different purposes. Generally, in a very simple VRF set up (eg: one customer with 3 sites all being able to talk with each other and exchange data), the RD and RT will be the same, because you probably won't be leaking routes between VRFs, as this isn't a requirement.

The RD is basically a way to allow overlapping IP addresses to exist. If we take the example of vrf_customer_A (RD 1:1) and vrf_customer_B (RD 1:2), both can choose to use 192.168.1.0/24 and the address space will be completely unique, because the RD is combined with the IPv4 address to produce the VPNv4 address, like so: RD:192.168.1.1. The RT, on the other hand, is a BGP extended-community attribute that is also tagged onto the VPNv4 address to allow you to import/export these routes to other VRFs.

ip vrf customer_A
 rd 1:1
 route-target export 1:100
 route-target import 1:900
!
ip vrf customer_B
 rd 1:2
 route-target export 1:200
 route-target import 1:900
!
ip vrf Hub
 rd 1:9
 route-target export 1:900
 route-target import 1:100
 route-target import 1:200

So in Oli's example, a host of vrf_customer_A might have a VPNv4 address of 1:1:192.168.1.1 and RT 1:100. Likewise a host of vrf_customer_B might have the VPNv4 address 1:2:192.168.2.1 and RT 1:200. The routes with the corresponding RTs of 1:100 (vrf_customer_A) and 1:200 (vrf_customer_B) are imported by the Hub, so the Hub will end up with the routes to 192.168.1.1 and 192.168.2.1 in its own routing table and will be able to reach these two hosts even though they are in different VRFs. Similarly, vrf_customer_A and vrf_customer_B need to import the RT that the Hub is exporting (1:900) so they too can reach the Hub. I've deliberately used different IP space for customer_A and customer_B. Just be careful if you plan to import/export routes between different VRFs, because you'll need to make sure the routes are unique in this case. Imagine if customer_A and customer_B were both using 192.168.1.0/24. How would the Hub be able to distinguish whether it should be sending to customer_A or customer_B? Hence why you need to do some planning so as not to run into this problem. Sorry if it was a bit long winded. I'm new to all this too ;) Cheers. Andy

cc loo mailto:[EMAIL PROTECTED] wrote on Thursday, September 11, 2008 5:05 PM:

Hi Oliver, Thanks for the quick reply. Indeed I was referring to VRF-Lite. In the cisco.com example, they gave this:

Router(config)# ip vrf customer_a
Router(config-vrf)# rd 1:1
Router(config-vrf)# route-target both 1:1
Router(config)# interface fastEthernet 0.1
Router(config-subif)# ip vrf forwarding customer_a

Is there any specific reason why Cisco recommends using both (export/import) for its own RD?

The RD is not exported, the RT is. See answer to next question. Well, the import is not really needed in this specific case, as there is no other VRF exporting routes with this route-target (so no point importing it).

Oliver's example is here, but I would like to confirm if 1:100 is a typo or should it be 1:1 (like its own RD?):

ip vrf customer_A
 rd 1:1
 route-target export 1:100
 route-target import 1:900

RD and route-target are different things. They can be the same, but they need not be (in an MPLS VPN they usually aren't the same, as the RD is unique per PE per VRF).

I was wondering if this is the correct place to post newbie questions like these? I'm a junior engineer in a Singaporean ISP, hoping to learn more tricks and tips in the field of IP planning :D

Well, I guess it's like all lists where folks help each other: if people see that you haven't done your homework, you might not get a reply. oli --
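The RD/RT mechanics Andy walks through above (RD makes the VPNv4 key unique, RT drives import/export, and overlapping prefixes become ambiguous once the Hub imports both) can be checked in a few lines. The following is an added example, not code from the thread or from Cisco: a single-box model of the three VRFs exactly as Andy configured them, in Python. It uses the RD as the VRF key (VRF-Lite style), so the thread's per-VRF RDs are unique here; in a real MPLS VPN the RD is per PE per VRF, as Oliver notes. The Hub prefix 10.9.9.0/24 and the 172.16.0.0/24 used for Oliver's "route-target both" case are constructed.

```python
"""Model of the RD / RT mechanics discussed in the thread.

Added example, not from the cisco-nsp thread. Single-box (VRF-Lite style)
model: the RD doubles as the VRF key. Prefixes other than the thread's
192.168.1.0/24 and 192.168.2.0/24 are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local_prefixes: tuple      # IPv4 prefixes originated inside this VRF


# The thread's configuration, transcribed: customer_A / customer_B / Hub.
VRFS = {
    "customer_A": Vrf("customer_A", "1:1", frozenset({"1:100"}), frozenset({"1:900"}),
                      ("192.168.1.0/24",)),
    "customer_B": Vrf("customer_B", "1:2", frozenset({"1:200"}), frozenset({"1:900"}),
                      ("192.168.2.0/24",)),
    "Hub":        Vrf("Hub",        "1:9", frozenset({"1:900"}), frozenset({"1:100", "1:200"}),
                      ("10.9.9.0/24",)),   # constructed hub prefix
}


def vpnv4_table(vrfs):
    """Export: every local prefix becomes the VPNv4 route RD:prefix, carrying
    the originating VRF's export RTs as extended communities. Because the RD
    is part of the key, the same IPv4 prefix from two VRFs is two routes."""
    return {(v.rd, p): v.export_rts for v in vrfs.values() for p in v.local_prefixes}


def vrf_rib(vrf, table):
    """Import: a VPNv4 route lands in this VRF's IPv4 table if it carries any
    RT the VRF imports (its own locally originated routes are always there).
    Returns {prefix: [originating RDs]} so that clashes stay visible."""
    rib = {}
    for (rd, prefix), rts in table.items():
        if rd == vrf.rd or rts & vrf.import_rts:
            rib.setdefault(prefix, []).append(rd)
    return rib


def ambiguous_prefixes(rib):
    """Prefixes learned from more than one RD: the Hub cannot tell which
    customer a packet for such a prefix should be forwarded to."""
    return sorted(p for p, rds in rib.items() if len(rds) > 1)


def with_overlap(vrfs):
    """Variant where customer_B also uses 192.168.1.0/24 (Andy's warning)."""
    out = dict(vrfs)
    out["customer_B"] = replace(vrfs["customer_B"], local_prefixes=("192.168.1.0/24",))
    return out


if __name__ == "__main__":
    table = vpnv4_table(VRFS)
    for name, v in VRFS.items():
        print(name, vrf_rib(v, table))
    hub_rib = vrf_rib(VRFS["Hub"], vpnv4_table(with_overlap(VRFS)))
    print("Hub with overlapping customers:", hub_rib, ambiguous_prefixes(hub_rib))
```

Running it shows customer_A with its own prefix plus the Hub's (imported via 1:900) but nothing from customer_B, and the Hub with both customers' prefixes. In the overlap variant the VPNv4 table still holds two distinct 192.168.1.0/24 routes (the RD does its job), but the Hub's IPv4 table now has that prefix from two RDs, which is exactly the ambiguity Andy warns about.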
Re: [c-nsp] console port
Yep, but remember, if you move the serial port adaptor from one USB port to another, it will end up with a different COM port name - at least on Windows.

adrian kok wrote: Hi, I want to connect to the console port, but my laptop only has USB and no COM (serial) port. Now I am trying to use a USB to serial cable plus a serial to console cable to connect to the console port of the router. Does it work? Thank you
Re: [c-nsp] load-sharing round robin time?
I have tried enabling per-packet load balancing, but if I do that then no pages come up in the browser. So I did a tcp-mss adjust on the interface and still no difference.

topology: LAN --- squid box --- 2621 router --- 4x 827 modems (NAT ADSL)

Dan.

On Thu, Sep 11, 2008 at 9:12 PM, David Coulson [EMAIL PROTECTED] wrote: You can set it to use per-packet load balancing instead, assuming all of the paths are essentially the same (otherwise you get out-of-order packets, which may not be what you want). Is the squid box on the 192.168.11.x subnet? If you have ip redirects enabled, then the squid box will actually route directly to one of the gateways, rather than through the 2621... Not sure how your environment is built - maybe a routing table and some other interface configs would help?

Dan Letkeman wrote: Hello, I'm doing load-sharing on a 2621 router with IOS 12.3(26).

ip route 0.0.0.0 0.0.0.0 192.168.11.251
ip route 0.0.0.0 0.0.0.0 192.168.11.252
ip route 0.0.0.0 0.0.0.0 192.168.11.253

This was working just fine, but now we implemented a squid cache just behind the router and it strips the source IP, so all of the requests through the router look like they are coming from the squid box now. What is happening now is the squid box is randomly switching from route to route, but it's taking about 10 minutes to switch from each route. So watching the graphs on the three routers, it's only really using one route at a time. Is there a way to change the time limit for switching routes to make it switch faster? Thanks, Dan.
[c-nsp] 7206vxr npe300 throughput
I've got a 7206VXR with an NPE-300. It does not run BGP. The majority of the traffic on this router will be streaming media. The only ACLs on this router are there to protect the router itself. We are talking about switching the full DS3 that is in this router out for a 100Mb FE feed. Should I worry about this router being able to handle 80 to 100Mb of traffic? Richey
Re: [c-nsp] IPv6 Subnetting - Service Provider
On Friday 12 September 2008 05:29:55 [EMAIL PROTECTED] wrote: My initial (and, I guess, current) IPv6 deployment plan was based on /64 subnets. Yes, that's a ridiculous amount of hosts per subnet... nasty software coded in 'the old style' might make these very big collision domains, and I do worry about how ISC DHCPv6 will handle such large numbers of leases - recalling how it deals with /16's in IPv4 land.

As has been mentioned by some others on the list, we use:
* /112 - for subnets
* /126 - for point-to-points
* /128 - for loopbacks.

We don't believe in using /64's for point-to-points, as some of the peering/transit we do on v6 has shown (the other party's assignment) - I simply fail to understand how many other hosts you could possibly have on a point-to-point link, between 2 routers, to warrant a /64. We are not big on /64's ability for autoconf, like someone else has mentioned. There's a certain satisfaction to be had when I go to bed knowing that the v6 address I coded onto the router/server interface will still be the same one when I wake up the following day. Cheers, Mark.
Re: [c-nsp] NPE G1, CEF and ACLs and high CPU
On Thursday 11 September 2008 21:06:26 Rodney Dunn wrote: That's wrong. The 7301 is basically a 1RU 72xx/G2 combo.

I thought that's the 72xx/NPE-G1 combo; the 7201 would be the -G2 combo, right? Mark.
Re: [c-nsp] NPE G1, CEF and ACLs and high CPU
Yes. The 1RU version for 7200/NPE-G1 is called 7301. Arie

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Tinka Sent: Friday, September 12, 2008 07:22 AM To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] NPE G1, CEF and ACLs and high CPU

On Thursday 11 September 2008 21:06:26 Rodney Dunn wrote: That's wrong. The 7301 is basically a 1RU 72xx/G2 combo.

I thought that's the 72xx/NPE-G1 combo; the 7201 would be the -G2 combo, right? Mark.
Re: [c-nsp] Datacenter Network Design
Another very relevant resource (a relatively new one) is: www.cisco.com/go/designzone Arie

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brant I. Stevens Sent: Thursday, September 11, 2008 16:00 PM To: root net; [EMAIL PROTECTED] Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Datacenter Network Design

The Solutions Reference Network Design page on Cisco's site is a good resource for network designs. http://www.cisco.com/go/srnd -Brant

On 9/11/08 3:15 AM, root net [EMAIL PROTECTED] wrote: John, If you are going to build a Cisco network you should spend some time on www.cisco.com and look at all of their configuration examples and whitepapers for the specific gear you are looking at or working on.

Here are some books I would suggest:
Cisco Press: Data Center Fundamentals; End-to-End QoS Network Design; Designing for Cisco Internetwork Solutions; Designing Cisco Network Architectures; Network Management Fundamentals
www.cisco.com (research): HSRP, STP, InterVLAN routing, IEEE bridging, BGP, OSPF, L2TPv3, MPLS / VPN, IOS information
Others: Administering Data Centers; APC Data Center University (online classes). Some are FREE, some are not.

This is all I could think of since it's so late. DR will come when you start digging into the protocols and other information. As far as storage/backup, iSCSI is your friend, so build a GbE network. OpenFiler, NetApp, MyIVault. From the start your facility will need to handle your immediate needs and growth, or at least have the ability to scale (I would say maybe 10-20% growth for small budgets). Look at environmentals, power, fire protection: HVAC (spot coolers vs. ductless split systems vs. ducted systems, chilled water vs. air cooled), power requirements (single phase, three phase 208V/480V, UPS, transfer switches, portable generators, generator), raised flooring vs. anti-static VCT, security monitoring, water monitoring, temperature monitoring, and lastly pre-action vs. plain wet system. Getting a separate Internet feed would be wise unless it's just cost prohibitive. Start out with maybe a 10Mbit pipe and go from there. This all depends on your customers' applications and servers, what they will be transferring, etc. Look into open source products as these are FREE and can help you (e.g. nagios, jffnms, cacti, mrtg, syslog, linux, RT, rancid, and others).

Rule of thumb: a good data center will have proactive measures and policies in place to monitor, maintain, and procure. With that said, monitor everything (I mean everything) and have all staff alerted on all levels - SMS, e-mail, phone if possible - automatically. It's not about downtime so much; it's how you procure the situation in a specific time frame. Customer service is a must. You will need to make the call on the gear you use, but I use a mixture of Cisco, Extreme, and Juniper. For data centers hot swappable gear is a must, so look into carrier class gear with redundant processors, power supplies, hot swappable line cards. I would recommend Cisco 6500 Series, Cisco 7200 Series, Cisco ASA or PIX. I am not too fond of the Juniper firewall licensing. BTW, Cisco 2800/3600 Series may even work, depending on the throughput capabilities you are needing. Research all aspects of your gear from RAM, flash, processor speeds, to throughput, modules, IOS, and hot swappable needs. The above will get you started. rootnet08

On 9/10/08, John Ramz [EMAIL PROTECTED] wrote: We are looking into starting to host our customers' apps and data and would like for you to provide me links to internet resources (or books) to get me started on a network design that includes:
- 3rd party compliance (security for example)
- Redundancy (routers, firewalls, switches)
- Load balancing
- VLANs
- Virtual servers
- Backup
- SANs
- Disaster recovery
- How to keep customers separated from our regular network?
- How to keep customers totally isolated from each other?
- Access from our network to the datacenter network for our developers to work with our customers? Also for our IT people to service, monitor and maintain that network.

I have thought of getting an Internet pipe just for the datacenter network with all the above mentioned components, and then figuring out the way and procedures to connect our company network with that one for the different items I already mentioned. Has anyone who has been involved in a project like that elaborate as much as possible on the subject? Please shed some light for me on where to start and build from there? Thanks
Re: [c-nsp] load-sharing round robin time?
Dan Letkeman wrote: I have tried enabling per-packet load balancing, but if I do that then no pages come up in the browser. So I did a tcp-mss adjust on the interface and still no difference.

With every line being a separate NAT (I assume), your outgoing packet streams are more or less torn up now, resulting already in the initial TCP handshake being impossible... (SYN goes out with IP1, SYN ACK returns on that line, ACK goes out with IP2...) The delay in switching links comes from the router setting up a traffic flow and remembering the IP-to-line assignment for a while... Only thing I could suggest for now is using three squids (could be done on that single machine) with three different outgoing IPs, which in turn can be routed statically to one line each through route maps... then use a fourth squid instance (towards the users) to use the other three round-robin... -garry
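Garry's diagnosis above (per-packet sharing across three separate NAT lines breaks the TCP handshake, which is why Dan saw no pages at all) and his three-squid workaround can be made concrete with a small model. The following is an added example in Python, not code from the thread: it models Dan's topology (squid behind a router with three equal-cost default routes, each next hop a separate NAT modem) and runs the SYN / SYN-ACK / ACK exchange under per-destination hashing, per-packet round-robin, and source-pinned policy routing. The three inside gateways are Dan's; the squid address 192.168.11.10, the three per-line squid source addresses, the public addresses 203.0.113.x and the destination 198.51.100.7 are constructed. The server side keeps only the one piece of state that matters here: which public address it saw the SYN from.

```python
"""Why per-packet load sharing across separate NAT lines breaks TCP, and why
pinning each source address to one line works.

Added example, not from the cisco-nsp thread. Inside gateways are Dan's; the
squid, public and destination addresses are constructed (RFC 5737 ranges).
"""
import hashlib
from itertools import cycle

SQUID = "192.168.11.10"                     # constructed squid address
NAT_LINES = {                               # inside next hop -> public address after NAT
    "192.168.11.251": "203.0.113.1",
    "192.168.11.252": "203.0.113.2",
    "192.168.11.253": "203.0.113.3",
}
PATHS = sorted(NAT_LINES)


def per_destination(src, dst):
    """CEF per-destination sharing: hash the src/dst pair onto a path, so every
    packet of one flow leaves through the same line. With a single source (the
    squid) only the destination varies the choice."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return PATHS[int.from_bytes(digest[:4], "big") % len(PATHS)]


def per_packet():
    """Per-packet sharing: consecutive packets round-robin over the paths,
    whatever flow they belong to."""
    ring = cycle(PATHS)
    return lambda src, dst: next(ring)


def source_pinned(pins):
    """Policy routing by source: each squid source address is tied to one line
    (Garry's three-squid layout, one outgoing IP per line)."""
    return lambda src, dst: pins[src]


def tcp_handshake(choose, src, dst):
    """Run SYN / SYN-ACK / ACK with `choose` picking the outbound line per
    packet. Each modem rewrites the source to its own public address, and the
    server keys the half-open connection by that public address. The SYN-ACK
    returns through the modem that sent the SYN (its NAT table holds the
    mapping), so the only thing that can go wrong is the ACK leaving through a
    different modem. Returns (ok, [public address per outbound packet])."""
    syn_pub = NAT_LINES[choose(src, dst)]
    ack_pub = NAT_LINES[choose(src, dst)]
    return ack_pub == syn_pub, [syn_pub, ack_pub]


def lines_used(choose, flows):
    """Distinct lines a set of (src, dst) flows is spread over."""
    return sorted({choose(src, dst) for src, dst in flows})


if __name__ == "__main__":
    dst = "198.51.100.7"
    print("per-packet:     ", tcp_handshake(per_packet(), SQUID, dst))
    print("per-destination:", tcp_handshake(per_destination, SQUID, dst))
    # one squid instance per line, each with its own source address (constructed)
    pins = dict(zip(("192.168.11.11", "192.168.11.12", "192.168.11.13"), PATHS))
    choose = source_pinned(pins)
    print("pinned:", [tcp_handshake(choose, s, dst)[0] for s in pins],
          lines_used(choose, [(s, dst) for s in pins]))
```

Per-packet round-robin sends the SYN out one line and the ACK out the next, so the server sees the ACK from a different public address and the handshake never completes. Per-destination hashing keeps a flow on one line but, with the squid as the only source, only the destination varies the choice. Pinning each squid source address to a line keeps every packet of a flow on one modem while the front squid's round-robin over the three back-end instances spreads flows across all three lines.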
Re: [c-nsp] F5 BIG IP and FWSM
Hi, Thanks for the quick reply. I agree with your advice. But it might be required to load balance other devices that are sitting somewhere in my MPLS network. To do this, the mandatory condition is that the LB internal interface should be able to ping / reach them. If I am using the first DG to the LB VIP and from the LB a 2nd DG to the FWSM context failover IP, how can I achieve reachability from the LB internal interface to servers somewhere in my MPLS network, as to reach the LB one has to pass through the FWSM? Do I need to create a separate context for LB reachability to servers outside in the MPLS network? Regards, Vikas Sharma

On 9/12/08, Max Reid [EMAIL PROTECTED] wrote: That looks backwards... why not have the DG for internal hosts be the BigIP, and DG the BigIP to the inside of the FWSM? The BigIP does a good job of performing NAT, and doesn't need to be directly connected to the nodes in its pools... in fact, I would highly recommend against connecting nodes directly to the BigIP - you should utilize a core switch block for that and default route to a floating internal IP on the BigIP, from there, upstream to the FWSM and let it handle security out front. I concur with this advice, esp. the note about having an L3 connected network between the back end hosts and the 'Inside' interface of the BigIP. Main benefit is failover (no ARP issues on clients or F5) when dealing with large load balanced farms. ~Max

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vikas Sharma Sent: Thursday, September 11, 2008 11:08 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] F5 BIG IP and FWSM

Hi, Has anyone worked on F5 BIG IP and FWSM? If yes, please help me. At this point I want to know BIG IP and how it should be connected to the FWSM, especially in routed mode. My understanding - 6509 (MSFC) -- outside interface of LB -- inside interface of LB - FWSM context (multiple contexts). How will the BigIP be able to do load balancing when it is not directly connected to the servers? All servers' d/g is the FWSM context. Regards, Vikas Sharma