[c-nsp] Cisco 3550 + BGP
Anyone have any experience running BGP on Cisco 3550 platforms? Any idea how many BGP routes it can handle?

Thanks!

Regards,
Nimal

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco 3550 + BGP
Nimal,

Be careful with large IP routing tables on 3550 as the limit would not be in BGP but in the hardware TCAM resources.

Take a look here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/command/reference/cli2.html#wp3417591

Arie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nimal David Sirimanne
Sent: Tuesday, October 28, 2008 09:53 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 3550 + BGP

Anyone have any experience running BGP on Cisco 3550 platforms? Any idea how many BGP routes it can handle?

Thanks!

Regards,
Nimal
Re: [c-nsp] Cisco 3550 + BGP
On Tue, 2008-10-28 at 15:52 +0800, Nimal David Sirimanne wrote:
> Anyone have any experience running BGP on Cisco 3550 platforms? Any idea how many BGP routes it can handle?

As Arie mentions, you are severely limited regarding routes. Running VRF Lite limits you to 2k routes all in all, so they're primarily useful in simple MPLS L3VPN setups.

That said, we've used the 3550 with great success as CEs for several years in an eBGP / VRF Lite configuration, and they work like a charm. Being in an enterprise network, they only carry a few (100) routes in each VRF. The eBGP is purely for when redundancy is needed, otherwise we use static routes from the PE.

The 3550 went EoS in 2006. The 3560 is the natural successor, and has so far behaved equally well for us in this regard.

Regards,
Peter
Re: [c-nsp] Cisco 3550 + BGP
Hi Arie,

Thanks for the link. So if one were to set 'sdm prefer routing', would this change the sdm template, and allow the device to hold more routes?

Arie Vayner (avayner) wrote:
> Nimal,
>
> Be careful with large IP routing tables on 3550 as the limit would not be in BGP but in the hardware TCAM resources.
>
> Take a look here:
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/command/reference/cli2.html#wp3417591
>
> Arie
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nimal David Sirimanne
> Sent: Tuesday, October 28, 2008 09:53 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Cisco 3550 + BGP
>
> Anyone have any experience running BGP on Cisco 3550 platforms? Any idea how many BGP routes it can handle?
>
> Thanks!
>
> Regards,
> Nimal
Re: [c-nsp] Cisco 3550 + BGP
:- Nimal == Nimal David Sirimanne [EMAIL PROTECTED] writes:
> Anyone have any experience running BGP on Cisco 3550 platforms? Any idea how many BGP routes it can handle?

last I tried (some 3 years ago) it died with about 7000 routes.

died = cpu 100%, packet loss, black holes eating traffic and the datacenter surrounding it...

--
Pierfrancesco Caci | Network System Administrator - INOC-DBA: 6762*PFC
[EMAIL PROTECTED] | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/
Linux clarabella 2.6.15-29-server #1 SMP Mon Sep 24 17:37:57 UTC 2007 i686 GNU/Linux
[c-nsp] Huge RTT on ATM, is there a hidden queue somewhere?
Hello,

I'm experiencing weird delays on ATM VCs that I'm unable to troubleshoot.

I am saturating the VC by downloading a large file (via scp) between two hosts directly connected to the routers[0] under test.

I reduced both the tx-ring-limit and vc-hold-queue to the minimum allowed:

    interface ATM2/0.7 point-to-point
     description ULI-SEVESO-125473/44
     mtu 1500
     ip unnumbered Loopback0
     ...
     pvc uli-seveso-hdsl 200/35
      ubr 1000
      tx-ring-limit 3
      vc-hold-queue 4
      oam-pvc manage
      encapsulation aal5snap
     !

The output queue is empty:

    gw-dsl#show queueing int atm2/0.7
      Interface ATM2/0.7 VC 200/35
      Queueing strategy: fifo
      Output queue 0/4, 0 drops per VC

I don't know how to check the tx-ring usage per-vc.

However, I see RTT go up to 700-1000 ms with an average of 600ms:

    64 bytes from vega.uli.it (62.212.0.2): icmp_seq=345 ttl=60 time=639 ms
    64 bytes from vega.uli.it (62.212.0.2): icmp_seq=346 ttl=60 time=654 ms
    64 bytes from vega.uli.it (62.212.0.2): icmp_seq=347 ttl=60 time=653 ms
    64 bytes from vega.uli.it (62.212.0.2): icmp_seq=348 ttl=60 time=535 ms
    64 bytes from vega.uli.it (62.212.0.2): icmp_seq=349 ttl=60 time=680 ms
    64 bytes from vega.uli.it (62.212.0.2): icmp_seq=350 ttl=60 time=708 ms
    64 bytes from vega.uli.it (62.212.0.2): icmp_seq=351 ttl=60 time=723 ms
    64 bytes from vega.uli.it (62.212.0.2): icmp_seq=352 ttl=60 time=716 ms

AFAIK the ATM network should not introduce huge delays. I don't know how OAM cells get treated, but under load I see the loop cells come back after 20-30ms so it shouldn't be an ATM-network related delay:

    Oct 28 11:39:25.404: ATM OAM LOOP(ATM2/0.7) O: VCD#7 VC 200/35 CTag:0x3F9B9
    Oct 28 11:39:25.432: ATM OAM LOOP(ATM2/0) I: VCD#7 VC 200/35 LoopInd:0 CTag:0x3F9B9 OAM Cell Type 5

Is there any other queue where packets or cells may be queued for this long time?

Thank you

Bye,

[0] Routers are:
    7200 + NPE300 + PA-A6-OC3 = STM-1 ATM
    2800 + WIC Serial = Frame relay = ATM

--
Daniele Orlandi
Re: [c-nsp] Cisco 3550 + BGP
[EMAIL PROTECTED] (Pierfrancesco Caci) wrote:
>> Anyone have any experience running BGP on Cisco 3550 platforms? Any idea how many BGP routes it can handle?
>
> last I tried (some 3 years ago) it died with about 7000 routes.

Just like a 3750 will hold around 11K routes. IPv4, and does so regardless of where they came from (static, OSPF, BGP, IS-IS, RIP). I have found those boxes to be reliable routers with huge throughput.

The real culprit here is that those boxes do not and will (according to Cisco) never do BGP+ (IPv6). They do static IPv6. It's a shame.

Elmar.
Re: [c-nsp] Cisco 3550 + BGP
On Tue, 2008-10-28 at 18:04 +0800, Nimal David Sirimanne wrote:
> So if one were to set 'sdm prefer routing', would this change the sdm template, and allow the device to hold more routes?

Correct. It's a trade off though, limiting certain other features on the box, e.g. ACLs and QoS.

Even without extended match (which is needed for VRF Lite) and using the routing template, you're limited to 24K Unicast Routes according to the documentation.

Changing the SDM template requires a reload by the way.

Regards,
Peter
[c-nsp] MVPN
Hello,

is an opinion out there about sizing/designing MVPNs with more than 255 groups per VRF? Should I use SSM for the default-mdt and abandon PIM-SM for this purpose? The problem I see is the maximum cache size of a /24 for the data-mdt. When this limit exceeds what will exactly happen when all streams are still active? Streaming everything over the RP will produce bottlenecks and is something I want to avoid.

Thanks,
Christian
Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement
Not necessarily: the intermediary (I) could hear ATT's path as well as cogent's. (I) could advertise their route to you through ATT, and cogent would pick this over their direct connection to you due to LocPref. The behavior of (I) is hard to predict in advance, and it may not be fully deterministic.

Prepending toward cogent is a good idea to increase the likelihood of deterministic behavior.

-David Barak

Nathan wrote:
> On Mon, Oct 27, 2008 at 11:56 PM, [EMAIL PROTECTED] wrote:
>> So what would be the behavior if I set the community for Cogent to set the Local Preference to 50 in terms of transit traffic? Does that mean that Cogent's originated traffic would use ATT but Cogent's peers (with a shorter AS path through Cogent) would still traverse Cogent even though the lower local preference is there?
>
> Check out BGP Best Path Selection on google :-)
>
> I think it would go like this : if Cogent has a direct connection to ATT, then traffic from Cogent and everywhere closer to Cogent will go from Cogent to ATT and then to you. If Cogent does not have a direct connection to ATT (OK so that is unlikely), then traffic will leave Cogent on a path towards ATT . . . and the intermediary might just send it back to Cogent . . .
>
> --
> HTH,
> Nathan
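The route choice discussed in this exchange, as an added example that is not part of the thread: a model of the first two BGP best-path comparisons (highest LOCAL_PREF, then shortest AS_PATH) applied to Cogent's view of the customer prefix and to a third network's view. The AS numbers are constructed documentation values, and the default LOCAL_PREF of 100 and the route sets are assumptions.

```python
from dataclasses import dataclass

# Constructed AS numbers from the documentation range (RFC 5398). The names
# stand in for the networks in the thread; the numbers are not their real ASNs.
CUSTOMER, COGENT, ATT, INTERMEDIARY = 64500, 64501, 64502, 64503

DEFAULT_LOCAL_PREF = 100  # assumption: value applied when no policy sets one
LOWERED_LOCAL_PREF = 50   # the value the community in the thread requests


@dataclass(frozen=True)
class Route:
    learned_from: str
    as_path: tuple
    local_pref: int = DEFAULT_LOCAL_PREF


def best_paths(routes):
    """Apply the first two comparisons: highest LOCAL_PREF, then shortest AS_PATH.

    Returns every route still tied after those two steps. More than one
    survivor means later tie-breakers, which are not modelled here, decide.
    """
    if not routes:
        return []
    top_pref = max(r.local_pref for r in routes)
    candidates = [r for r in routes if r.local_pref == top_pref]
    shortest = min(len(r.as_path) for r in candidates)
    return [r for r in candidates if len(r.as_path) == shortest]


def prepend(route, count):
    """Return the route as seen after the origin prepends its own AS `count` times."""
    origin = route.as_path[-1]
    return Route(route.learned_from, route.as_path + (origin,) * count, route.local_pref)


def cogent_view(alternatives):
    """Cogent's choice between the direct customer route (LOCAL_PREF 50) and others."""
    direct = Route("customer (direct)", (CUSTOMER,), LOWERED_LOCAL_PREF)
    return best_paths([direct] + list(alternatives))


def third_party_view(prepends_toward_cogent):
    """A network hearing the prefix from both Cogent and ATT at equal LOCAL_PREF.

    Assumes Cogent is advertising the direct customer route, i.e. Cogent has
    no alternative that beats it.
    """
    via_cogent = prepend(Route("Cogent", (COGENT, CUSTOMER)), prepends_toward_cogent)
    via_att = Route("ATT", (ATT, CUSTOMER))
    return best_paths([via_cogent, via_att])


VIA_ATT = Route("ATT", (ATT, CUSTOMER))
VIA_INTERMEDIARY = Route("intermediary", (INTERMEDIARY, ATT, CUSTOMER))

if __name__ == "__main__":
    scenarios = {
        "Cogent, direct ATT adjacency": cogent_view([VIA_ATT]),
        "Cogent, only via intermediary": cogent_view([VIA_INTERMEDIARY]),
        "Cogent, no alternative": cogent_view([]),
        "Third party, no prepend": third_party_view(0),
        "Third party, 2 prepends toward Cogent": third_party_view(2),
    }
    for name, winners in scenarios.items():
        chosen = ", ".join(f"{r.learned_from} {r.as_path}" for r in winners)
        state = "tie, later steps decide" if len(winners) > 1 else "selected"
        print(f"{name}: {chosen} [{state}]")
```

The second scenario is the case described in the reply: the three-hop path through the intermediary wins over the one-hop direct route because LOCAL_PREF is compared before AS_PATH length.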
[c-nsp] ISG and Policy Routing
I am trying to do some policy routing in combination with the CISCO ISG features. Therefore I created radius profiles for the user sessions and 2 different traffic-classes to split the main traffic from the traffic to be policy routed:

    MAINPROFILE
        Service-Info=IMAINPROFILE,
        cisco-avpair=ip:traffic-class=in access-group name INTERNET_ACL_IN,
        cisco-avpair=ip:traffic-class=in default drop,
        cisco-avpair=ip:traffic-class=out access-group name INTERNET_ACL_OUT,
        cisco-avpair=ip:traffic-class=out default drop,
        cisco-avpair=subscriber:accounting-list=ACCOUNTING,
        cisco-avpair=sub-qos-policy-out=2MBIT_VOICE

    FILTERING
        cisco-avpair=ip:traffic-class=in access-group name FILTER_ACL_IN
        cisco-avpair=ip:traffic-class=in default drop,
        cisco-avpair=ip:traffic-class=out access-group name FILTER_ACL_OUT,
        cisco-avpair=ip:traffic-class=out default drop,

    nas-port:0.0.0.0:0/0/2/2000
        User-Password=cisco
        Account-Info=AIMAINPROFILE,
        Account-Info=AFILTERING

Is it possible to add a route-map to the FILTERING traffic-class ? The standard PPP attribute cisco-avpair = lcp:interface-config=ip policy route-map ROUTEMAP doesn't work because it's not a interface.

Anybody some tips or experience with the ISG features ?

kind regards
Rinse
Re: [c-nsp] MVPN
Christian Meutes wrote:
> Hello,
>
> is an opinion out there about sizing/designing MVPNs with more than 255 groups per VRF? Should I use SSM for the default-mdt and abandon PIM-SM for this purpose? The problem I see is the maximum cache size

I like SSM for default and data MDT, but unfortunately we had to drop it so we could interoperate with Junipers (which only implement the very new RFC, and neither of the cisco proprietary older type-2 RD or newer MDT BGP AF)

As far as I can see, SSM would only be of specific help if the 255 groups were coming from 1 PE. You'd still have problems with 255 groups on 1 PE using SSM.

> of a /24 for the data-mdt. When this limit exceeds what will exactly

Huh. I had not known that was a limit, but sure enough:

    core-spare(config-vrf)#mdt data 239.192.0.0 0.0.255.255
    % HASH values can not exceed 255!

> happen when all streams are still active? Streaming everything over the RP will produce bottlenecks and is something I want to avoid.

The traffic will not flow via the RP, since all the PEs should have joined towards the other PEs for the default or data group in question.

The issue is that some traffic might be sent to PEs which have no interest in it (if you have more active MVPN groups than data groups, or if it's flowing in the mdt default) but it will still flow on the source tree in the P-space, not the shared tree. Whether that's actually a problem depends on the bit rate of the traffic, number of PEs and types of links. Not the most helpful answer I'm afraid.

It would be nice if Cisco would start to track the newer RFCs (hell, it would be nice if they'd get it out of draft and into proposed standard) where the all BGP MVPNs might help in this case.
[c-nsp] Bonded DSL with Cisco 1800/877's
Hey all,

Not having the time/budget to research the full implications myself I am approaching the list for advice.

In Australia we can do either ADSL, ADSL2/2+ or SHDSL for the most part. I have a client wanting more bandwidth than any single of these connections can provide, without the availability of any other offering.

The aim - to provide as much bandwidth as possible using ADSL technologies - 2, 3, or 4 (would need a 2811?), but mostly 2 would be fine.

I am faced with a choice.

A Cisco 1811 with 2 (or more - limit 4?) 877's in bridge mode or equal weighted routing

Or

A Cisco 1841 (or 2800 equiv) with 2 * HWIC-1ADSL cards

Notes:
- The services will be going into the same DSL provider
- The services are delivered to the LNS as L2TP connections
- We managed both ends - the end customer equipment, and the ISP's LNS's (Cisco 7200G2)

I've never done 'bonded' or 'ppp multi-link?' with any of the above hardware.. the last time was many years ago with multi-linked 28.8 modems.

Any thoughts or advice on the above? From the perspective of either the clients end, or the ISP's end or both.

Thanks in advance guys.

--
Skeeve Stevens, RHCE
[EMAIL PROTECTED] / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - [EMAIL PROTECTED] - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
Re: [c-nsp] OSPF over PPPoATM [solved]
For your information, I found the solution to this problem:

I had to manually set the IP address on both interfaces to be within the same subnet; ip unnumbered and ip address negotiated isn't a working setup...

However, what still puzzles me is why the ospf hello debugging was not reporting anything strange, the hellos just seemed to be lost.

Thank you anyway,

Bye,

--
Daniele Orlandi
[c-nsp] DR Scenario (IP or DNS Changes)
I was wondering if I could get some opinions about a DR scenario, where you have a DR site on a different subnet and need to failover one server in case it crashes OR failover a whole site.

Would you say that changing IP addresses of server and using bridging (to spread the subnet between the two sides) is a good idea OR modifying the DNS record and setting short timeout on these records is better? (Bridging would have to be based on L3, either GRE tunnel or something else).

Thank you for your options.
Re: [c-nsp] Bonded DSL with Cisco 1800/877's
I would start here:
http://blog.ioshints.info/search/label/load%20balancing
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Skeeve Stevens
Sent: Tuesday, October 28, 2008 8:11 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Bonded DSL with Cisco 1800/877's

Hey all,

Not having the time/budget to research the full implications myself I am approaching the list for advice.

In Australia we can do either ADSL, ADSL2/2+ or SHDSL for the most part. I have a client wanting more bandwidth than any single of these connections can provide, without the availability of any other offering.

The aim - to provide as much bandwidth as possible using ADSL technologies - 2, 3, or 4 (would need a 2811?), but mostly 2 would be fine.

I am faced with a choice.

A Cisco 1811 with 2 (or more - limit 4?) 877's in bridge mode or equal weighted routing

Or

A Cisco 1841 (or 2800 equiv) with 2 * HWIC-1ADSL cards

Notes:
- The services will be going into the same DSL provider
- The services are delivered to the LNS as L2TP connections
- We managed both ends - the end customer equipment, and the ISP's LNS's (Cisco 7200G2)

I've never done 'bonded' or 'ppp multi-link?' with any of the above hardware.. the last time was many years ago with multi-linked 28.8 modems.

Any thoughts or advice on the above? From the perspective of either the clients end, or the ISP's end or both.

Thanks in advance guys.

--
Skeeve Stevens, RHCE
[EMAIL PROTECTED] / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - [EMAIL PROTECTED] - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
Re: [c-nsp] DR Scenario (IP or DNS Changes)
Personally, I think you will be better off re-pointing your DNS. Here's my logic:

1) By re-pointing DNS, it won't matter where your server is. DNS will point to it.
2) Spanning vlans across a WAN link, especially a slower link, is not a good idea, especially if it is a high-traffic vlan.
3) DNS changes are much simpler to implement.

Chris

----- Original Message -----
From: [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Tuesday, October 28, 2008 9:21:42 AM GMT -08:00 US/Canada Pacific
Subject: [c-nsp] DR Scenario (IP or DNS Changes)

I was wondering if I could get some opinions about a DR scenario, where you have a DR site on a different subnet and need to failover one server in case it crashes OR failover a whole site.

Would you say that changing IP addresses of server and using bridging (to spread the subnet between the two sides) is a good idea OR modifying the DNS record and setting short timeout on these records is better? (Bridging would have to be based on L3, either GRE tunnel or something else).

Thank you for your options.
[c-nsp] cat4000-i5s-mz.122-25.EWA14.bin - Compatible IOS for 6500
Hello,

I am upgrading Cisco Catalyst 4507 to 6509. The current IOS on 4507 is: cat4000-i5s-mz.122-25.EWA14.bin

What is the compatible IOS for the 6500?
Re: [c-nsp] MVPN
Hi Phil,

> As far as I can see, SSM would only be of specific help if the 255 groups were coming from 1 PE. You'd still have problems with 255 groups on 1 PE using SSM.

Even then I could use different data-mdt's for every PE in same VRF in SM mode or not?

> The traffic will not flow via the RP, since all the PEs should have joined towards the other PEs for the default or data group in question. The issue is that some traffic might be sent to PEs which have no interest in it (if you have more active MVPN groups than data groups, or if it's flowing in the mdt default) but it will still flow on the source tree in the P-space, not the shared tree. Whether that's actually a problem depends on the bit rate of the traffic, number of PEs and types of links. Not the most helpful answer I'm afraid.

I just tested it in SM mode. What happens is that no more streams can be send because of the exhaustion of all data-mdt's. Switchover to data-mdt is configured to 1 and as soon as traffic arrives a data-mdt is tried to open and unfortunately fails therefore.

The only solution as far as I can see is to do SSM without a data-mdt. Sure I could also use SM without a data-mdt but that would concentrate everything on the RP which would be the worst case of all. Or do I miss something?

cheers,
Christian
[c-nsp] quest for a CPE basic rate-limiting switch
I'm looking for an affordable switch that will do basic rate-limiting/policing. I've been half-heartedly searching for a solution for over a year. My boss settled on the Linksys SRW2008 :-\, but those brick constantly and can't be depended upon for anything.

Basically, I have a vendor who supplies a 10/100 L2 FTTH network. Let's say I bring on customerA who has 3 sites on the FTTH network. We purchase a vlan plus a port for each location from the vendor. I'd like to install a CPE switch in each location that could ensure that the customer is only getting what they're paying for and not flooding my vendor's network (which they don't currently monitor or limit). In some cases it's 1mbps, in others 3mbps or 10mbps, but I don't need to offer QoS or need anything more granular than +/-1mps.

The 3750s are out of my price range, refurbs are fine. SSH is a plus but not necessary.

Does anyone have any tips?

Desperately seeking switches,
Chris Hunt
Re: [c-nsp] Root-Guard, Loop-Guard, portfast trunk questions
On Mon, 27-10-2008 at 16:19 -0400, Ryan Bradley wrote:
> 1) Root-guard should be enabled on every port you do not expect to hear from a root bridge.

Done

> 2) Are you aggregating with PAgP or LACP?

None, we use channel-group 1 mode on

> snip
> Loop guard uses the ports known to spanning tree. Loop guard can take advantage of logical ports provided by the Port Aggregation Protocol (PAgP). However, to form a channel, all the physical ports grouped in the channel must have compatible configurations. PAgP enforces uniform configurations of root guard or loop guard on all the physical ports to form a channel.
> http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/ios121_8/swcg/stp_enha.htm#1033825
>
> 3) Recommended config on uplink ports:
> switchport mode trunk
> switchport nonegotiate

That is done by policy here.

> Ryan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of luismi
> Sent: Monday, October 27, 2008 2:12 PM
> To: 'cisco-nsp@puck.nether.net'
> Subject: [c-nsp] Root-Guard, Loop-Guard, portfast trunk questions
>
> Hi all,
>
> We have here a 3750 stack working as distribution/core layer between access switches and some routers, nothing special. We have few weeks ago an issue with one of the switches and some loops. We didn't find the root cause yet, we don't have enough free time either so we decide to go for the best configuration for our switches.
>
> The topology is quite simple, the 3750 stack with several port-channels against 2960 switches, each connection from port-channel reach each 3750 switch.
>
> The steps we did until now are...
> - Configure primary root bridge manually
> - Configure secondary root bridge manually
> - Configure root guard in every port-channel, at the stack side.
>
> First of all I would like to know if root guard is correctly configured in that place -as far as I understand it is correctly- and I would like to know also if there is other places to configure it.
>
> Second. Loop Guard is not configured at all. The main reason is that an issue in one of the interfaces related to a port-channel can take down all the channel. Any comment about this?
>
> Third. Configured Portfast trunk against the routers since they have also subinterfaces with several vlans too. Any advantage if we do that?
>
> Any other comments are welcome too.
Re: [c-nsp] quest for a CPE basic rate-limiting switch
Jeff,

I'm fuzzy on the definition of service provider, but we bill the customer and provide support for a variety of services. We do not own or manage the local FTTH network, it's owned and operated by the local power company. I _want_ to manage it, right at the demarc. Ideally I'd plug my switch into the FTTH CPE Switch and I'd rate-limit the ingress on my switch or the egress on my switch. Ingress rate-limiting is my first choice, but egress policing would be better than nothing.

Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com

Jeff Cartier wrote:
> Are you the Service Provider in this model...? Who owns and manages the 8-port CPE? It's ideally up to the Service Provider to rate-limit the customer connection, which should be done as close to the demarc as possible. Best practice is to keep policing off the distribution/core and onto the access/edge layer.
>
> Jeff Cartier
> Applied Computer Solutions
> (519) 944-4300 ext. 233
>
> -----Original Message-----
> From: Christopher Hunt [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 28, 2008 3:34 PM
> To: Jeff Cartier
> Subject: Re: [c-nsp] quest for a CPE basic rate-limiting switch
>
> Thanks for the quick reply but the vendor actually has a 8-port CPE switch on site which is out of my control. In addition, I suspect it would only have 10mbps/100mbps options and it wouldn't be able to rate-limit down to 1 or 2 mbps. Thanks though.
>
> Christopher Hunt
> ReachONE Internet, Inc.
> (360)456-5640
> http://www.reachone.com
>
> Jeff Cartier wrote:
>> What about doing rate limiting on the media converter?...each site has a media converter back to your central site connecting into your switch..
>>
>> Jeff Cartier
>> Applied Computer Solutions
>> (519) 944-4300 ext. 233
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hunt
>> Sent: Tuesday, October 28, 2008 3:17 PM
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] quest for a CPE basic rate-limiting switch
>>
>> I'm looking for an affordable switch that will do basic rate-limiting/policing. I've been half-heartedly searching for a solution for over a year. My boss settled on the Linksys SRW2008 :-\, but those brick constantly and can't be depended upon for anything.
>>
>> Basically, I have a vendor who supplies a 10/100 L2 FTTH network. Let's say I bring on customerA who has 3 sites on the FTTH network. We purchase a vlan plus a port for each location from the vendor. I'd like to install a CPE switch in each location that could ensure that the customer is only getting what they're paying for and not flooding my vendor's network (which they don't currently monitor or limit). In some cases it's 1mbps, in others 3mbps or 10mbps, but I don't need to offer QoS or need anything more granular than +/-1mps.
>>
>> The 3750s are out of my price range, refurbs are fine. SSH is a plus but not necessary.
>>
>> Does anyone have any tips?
>>
>> Desperately seeking switches,
>> Chris Hunt
Re: [c-nsp] quest for a CPE basic rate-limiting switch
Chris,

Try looking at the ME-3400
http://www.cisco.com/en/US/products/ps6580/index.html

Arie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hunt
Sent: Tuesday, October 28, 2008 21:42 PM
To: Jeff Cartier
Cc: cisco-nsp
Subject: Re: [c-nsp] quest for a CPE basic rate-limiting switch

Jeff,

I'm fuzzy on the definition of service provider, but we bill the customer and provide support for a variety of services. We do not own or manage the local FTTH network, it's owned and operated by the local power company. I _want_ to manage it, right at the demarc. Ideally I'd plug my switch into the FTTH CPE Switch and I'd rate-limit the ingress on my switch or the egress on my switch. Ingress rate-limiting is my first choice, but egress policing would be better than nothing.

Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com

Jeff Cartier wrote:
> Are you the Service Provider in this model...? Who owns and manages the 8-port CPE? It's ideally up to the Service Provider to rate-limit the customer connection, which should be done as close to the demarc as possible. Best practice is to keep policing off the distribution/core and onto the access/edge layer.
>
> Jeff Cartier
> Applied Computer Solutions
> (519) 944-4300 ext. 233
>
> -----Original Message-----
> From: Christopher Hunt [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 28, 2008 3:34 PM
> To: Jeff Cartier
> Subject: Re: [c-nsp] quest for a CPE basic rate-limiting switch
>
> Thanks for the quick reply but the vendor actually has a 8-port CPE switch on site which is out of my control. In addition, I suspect it would only have 10mbps/100mbps options and it wouldn't be able to rate-limit down to 1 or 2 mbps. Thanks though.
>
> Christopher Hunt
> ReachONE Internet, Inc.
> (360)456-5640
> http://www.reachone.com
>
> Jeff Cartier wrote:
>> What about doing rate limiting on the media converter?...each site has a media converter back to your central site connecting into your switch..
>>
>> Jeff Cartier
>> Applied Computer Solutions
>> (519) 944-4300 ext. 233
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hunt
>> Sent: Tuesday, October 28, 2008 3:17 PM
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] quest for a CPE basic rate-limiting switch
>>
>> I'm looking for an affordable switch that will do basic rate-limiting/policing. I've been half-heartedly searching for a solution for over a year. My boss settled on the Linksys SRW2008 :-\, but those brick constantly and can't be depended upon for anything.
>>
>> Basically, I have a vendor who supplies a 10/100 L2 FTTH network. Let's say I bring on customerA who has 3 sites on the FTTH network. We purchase a vlan plus a port for each location from the vendor. I'd like to install a CPE switch in each location that could ensure that the customer is only getting what they're paying for and not flooding my vendor's network (which they don't currently monitor or limit). In some cases it's 1mbps, in others 3mbps or 10mbps, but I don't need to offer QoS or need anything more granular than +/-1mps.
>>
>> The 3750s are out of my price range, refurbs are fine. SSH is a plus but not necessary.
>>
>> Does anyone have any tips?
>>
>> Desperately seeking switches,
>> Chris Hunt
[c-nsp] ip nat ... route-map foo doesn't work in 12.3(26)?
Hi folks,

do I miss something or is this a bug?

This works:
==
!
int f0
 ip nat inside
!
int f1
 ip nat outside
!
!
ip nat inside source static network 192.168.1.0 10.0.106.0 /24
!

host-command ping 192.168.1.171 - 192.168.106.185

local-cpe# debug ip nat detail
--
Oct 28 22:04:41.234: NAT: Create inside host entry from network translation:
Oct 28 22:04:41.234: 192.168.1.171 - 10.0.106.171 (192.168.1.0 - 10.0.106.0)
Oct 28 22:04:41.234: NAT: i: icmp (192.168.1.171, 1024) - (192.168.106.185, 1024) [28798]
Oct 28 22:04:41.238: NAT: s=192.168.1.171-10.0.106.171, d=192.168.106.185 [28798]
Oct 28 22:04:41.238: NAT: installing alias for address 10.0.106.171
Oct 28 22:04:41.302: NAT*: o: icmp (192.168.106.185, 1024) - (10.0.106.171, 1024) [4174]
Oct 28 22:04:41.302: NAT*: s=192.168.106.185, d=10.0.106.171-192.168.1.171 [4174]
Oct 28 22:04:42.234: NAT*: i: icmp (192.168.1.171, 1024) - (192.168.106.185, 1024) [28799]
Oct 28 22:04:42.234: NAT*: s=192.168.1.171-10.0.106.171, d=192.168.106.185 [28799]

remote-cpe#sh ip nat tr
---
... Outside local       Outside global
... 10.0.106.171:1024   10.0.106.171:1024

This does not work:
===
!
int f0
 ip nat inside
!
int f1
 ip nat outside
!
!
ip nat inside source static network 192.168.1.0 10.0.106.0 /24 route-map foo
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.106.0 0.0.0.255
!
route-map foo permit 10
 match ip address 100
!

host-command ping 192.168.1.171 - 192.168.106.185

local-cpe# debug ip nat detail
--
Oct 28 22:07:00.235: NAT: map match foo
Oct 28 22:07:00.239: NAT: Create inside host entry from network translation:
Oct 28 22:07:00.239: 192.168.1.171 - 10.0.106.171 (192.168.1.0 - 10.0.106.0)
Oct 28 22:07:00.239: NAT: map match foo
Oct 28 22:07:00.239: NAT: installing alias for address 10.0.106.171
- no further NAT: s=192.168.1.171-10.0.106.171... log messages!

remote-cpe#sh ip nat tr
---
... Outside local       Outside global
... 192.168.1.171:1024  192.168.1.171:1024

--
Gerald (ax/tc)
Re: [c-nsp] Bonded DSL with Cisco 1800/877's
Skeeve,

Being in the same country as you, I know all about your problems with DSL and what you're trying to achieve :)

We don't worry about an 1800, just have two 877 CPE's. On the 877 that is the default gateway for the site, it has routes like this:

ip route 0/0 dialer1
ip route 0/0 lan_ip_of_other_877

The other 877 just has a single static route to the dialer interface. In the central site, we have the same, two equal cost routes pointing to the IP address of the dialer interface/IP of each the two 877's. It seems to work ok and also has the benefit that if one link goes down you can adjust a few routes and push everything onto the one remaining link.

As per the article linked by a previous poster: http://blog.ioshints.info/2008/09/load-balancing-quirks.html You need to remember that traffic between two hosts (on either end of the link) will only be routed over ONE of the links at a time. This means that a single host doing a large transfer will only max out ONE of the links and not see the full bandwidth (make sure you are VERY clear to your customer about this aspect).

We tend to use this a lot where we have branch offices that are doing Citrix/MSTSC over the link and so there are lots of smaller bandwidth traffic flows that balance fairly well across the two links. They outgrow a 512/512 link and as you well know, there is nothing to upgrade to in a lot of cases.

regards, Tony.

> Not having the time/budget to research the full implications myself I am approaching the list for advice.

Making excuses for your laziness isn't a good way to start a request asking for help ;)

--- On Wed, 29/10/08, Skeeve Stevens [EMAIL PROTECTED] wrote: From: Skeeve Stevens [EMAIL PROTECTED] Subject: [c-nsp] Bonded DSL with Cisco 1800/877's To: cisco-nsp@puck.nether.net Date: Wednesday, 29 October, 2008, 12:11 AM

Hey all, Not having the time/budget to research the full implications myself I am approaching the list for advice.
In Australia we can do either ADSL, ADSL2/2+ or SHDSL for the most part. I have a client wanting more bandwidth than any single of these connections can provide, without the availability of any other offering. The aim - to provide as much bandwidth as possible using ADSL technologies - 2, 3, or 4 (would need a 2811?), but mostly 2 would be fine. I am faced with a choice. A Cisco 1811 with 2 (or more - limit 4?) 877's in bridge mode or equal weighted routing Or A Cisco 1841 (or 2800 equiv) with 2 * HWIC-1ADSL cards Notes: - The services will be going into the same DSL provider - The services are delivered to the LNS as L2TP connections - We managed both ends - the end customer equipment, and the ISP's LNS's (Cisco 7200G2) I've never done 'bonded' or 'ppp multi-link?' with any of the above hardware.. the last time was many years ago with multi-linked 28.8 modems. Any thoughts or advice on the above? From the perspective of either the clients end, or the ISP's end or both. Thanks in advance guys. -- Skeeve Stevens, RHCE [EMAIL PROTECTED] / www.skeeve.org Cell +61 (0)414 753 383 / skype://skeeve eintellego - [EMAIL PROTECTED] - www.eintellego.net -- I'm a groove licked love child king of the verse Si vis pacem, para bellum
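The point in the reply above, that traffic between one pair of hosts only ever uses ONE of the two equal-cost links, shown as an added example that is not part of the thread. The addresses, the per-link rate and the use of SHA-256 as the hash are assumptions made for illustration; a real router uses its own hash.

```python
import hashlib

# The two equal-cost paths named in the post.
LINKS = ("dialer1", "lan_ip_of_other_877")
# Constructed per-link capacity, after the 512/512 service in the post.
LINK_KBPS = 512


def pick_link(src, dst, links=LINKS):
    """Map a source/destination pair to one link.

    SHA-256 stands in for the router's hash (an assumption). The property
    that matters is that the same pair always lands on the same link.
    """
    digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
    return links[int.from_bytes(digest[:4], "big") % len(links)]


def carry(flows, links=LINKS, link_kbps=LINK_KBPS):
    """flows: iterable of (src, dst, offered_kbps).

    Returns {link: {"flows": n, "offered": kbps, "delivered": kbps}}.
    A link delivers at most link_kbps, however idle the other one is.
    """
    stats = {link: {"flows": 0, "offered": 0, "delivered": 0} for link in links}
    for src, dst, kbps in flows:
        entry = stats[pick_link(src, dst, links)]
        entry["flows"] += 1
        entry["offered"] += kbps
    for entry in stats.values():
        entry["delivered"] = min(entry["offered"], link_kbps)
    return stats


def total_delivered(stats):
    """Sum of what both links actually carried, in kbps."""
    return sum(entry["delivered"] for entry in stats.values())


# Constructed traffic: one bulk transfer between two hosts, and sixty
# thin-client sessions (10 kbps each) from different hosts to one server.
BULK = [("10.1.1.10", "10.2.2.20", 2000)]
SESSIONS = [(f"10.1.1.{h}", "10.2.2.20", 10) for h in range(1, 61)]

if __name__ == "__main__":
    for name, flows in (("bulk", BULK), ("sessions", SESSIONS)):
        stats = carry(flows)
        for link, entry in stats.items():
            print(name, link, entry)
        print(name, "total delivered:", total_delivered(stats), "kbps")
```

The bulk transfer is capped at one link's rate while the second link sits idle; the sessions spread over both links and all 600 kbps is carried.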
Re: [c-nsp] Bonded DSL with Cisco 1800/877's
At the previous company I worked for, I set up bonding/bundling on Cisco 1841's and Cisco 28xx. I've made templates of those configuration files; I see they did change some things in those files, but here they are: ftp://dl.solcon.nl/pub/dsl/configs/Cisco/ I think some people of solcon are also on this list (Rinse?), maybe they can post an example of how the virtual-template is being done on the NRP's (don't have access anymore :) )

Maarten

-Original Message- From: [EMAIL PROTECTED] on behalf of Tony Sent: Wed 10/29/2008 1:01 AM To: cisco-nsp@puck.nether.net; [EMAIL PROTECTED] Subject: Re: [c-nsp] Bonded DSL with Cisco 1800/877's

Skeeve, Being in the same country as you, I know all about your problems with DSL and what you're trying to achieve :) We don't worry about an 1800, just have two 877 CPE's. On the 877 that is the default gateway for the site, it has routes like this: ip route 0/0 dialer1 ip route 0/0 lan_ip_of_other_877 The other 877 just has a single static route to the dialer interface. In the central site, we have the same, two equal cost routes pointing to the IP address of the dialer interface/IP of each the two 877's. It seems to work ok and also has the benefit that if one link goes down you can adjust a few routes and push everything onto the one remaining link. As per the article linked by a previous poster: http://blog.ioshints.info/2008/09/load-balancing-quirks.html You need to remember that traffic between two hosts (on either end of the link) will only be routed over ONE of the links at a time. This means that a single host doing a large transfer will only max out ONE of the links and not see the full bandwidth (make sure you are VERY clear to your customer about this aspect). We tend to use this a lot where we have branch offices that are doing Citrix/MSTSC over the link and so there are lots of smaller bandwidth traffic flows that balance fairly well across the two links.
They outgrow a 512/512 link and as you well know, there is nothing to upgrade to in a lot of cases. regards, Tony. Not having the time/budget to research the full implications myself I am approaching the list for advice. Making excuses for your laziness isn't a good way to start a request asking for help ;) --- On Wed, 29/10/08, Skeeve Stevens [EMAIL PROTECTED] wrote: From: Skeeve Stevens [EMAIL PROTECTED] Subject: [c-nsp] Bonded DSL with Cisco 1800/877's To: cisco-nsp@puck.nether.net Date: Wednesday, 29 October, 2008, 12:11 AM Hey all, Not having the time/budget to research the full implications myself I am approaching the list for advice. In Australia we can do either ADSL, ADSL2/2+ or SHDSL for the most part. I have a client wanting more bandwidth than any single of these connections can provide, without the availability of any other offering. The aim - to provide as much bandwidth as possible using ADSL technologies - 2, 3, or 4 (would need a 2811?), but mostly 2 would be fine. I am faced with a choice. A Cisco 1811 with 2 (or more - limit 4?) 877's in bridge mode or equal weighted routing Or A Cisco 1841 (or 2800 equiv) with 2 * HWIC-1ADSL cards Notes: - The services will be going into the same DSL provider - The services are delivered to the LNS as L2TP connections - We managed both ends - the end customer equipment, and the ISP's LNS's (Cisco 7200G2) I've never done 'bonded' or 'ppp multi-link?' with any of the above hardware.. the last time was many years ago with multi-linked 28.8 modems. Any thoughts or advice on the above? From the perspective of either the clients end, or the ISP's end or both. Thanks in advance guys. 
-- Skeeve Stevens, RHCE [EMAIL PROTECTED] / www.skeeve.org Cell +61 (0)414 753 383 / skype://skeeve eintellego - [EMAIL PROTECTED] - www.eintellego.net -- I'm a groove licked love child king of the verse Si vis pacem, para bellum
[c-nsp] ctr+break sequence and Cisco 3500
Hi all:

I might not have done this hundreds of times, but I certainly did it a lot of times. But not this time. I am trying to break into a Cisco 3550 since the password was lost. I tried the ctrl+break sequence but it is not working for me; it just reboots back to normal working status. Then I just tried ctrl+b and that is not working either. I checked the Cisco web page and I don't see anything special. Did I miss something here, or does this Cisco 3550 just have something special for password recovery?

Thanks
Re: [c-nsp] ctr+break sequence and Cisco 3500
http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml

Luan Nguyen Chesapeake NetCraftsmen, LLC. www.NetCraftsmen.net (e) [EMAIL PROTECTED] (aim/yahoo): luancnc

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of snort bsd Sent: Tuesday, October 28, 2008 8:24 PM To: cisco-nsp Subject: [c-nsp] ctr+break sequence and Cisco 3500

Hi all: I might not have done hundreds times but certainly did a lot of times. But not this time. trying to breaking a cisco 3550 since lost password. I tried sequence of ctrl+break but not working for me. it just reboots back to normal working status. Then I just tried ctrl+b and not working either. checked with Cisco web page and I don't see anything special. Did i miss something here or just this Cisco 3550 has something special for password recovery? Thanks
Re: [c-nsp] ctr+break sequence and Cisco 3500
Never mind, it is a 3500; I pushed the little button and I had what I wanted. Sorry for wasting your time.

--- On Wed, 29/10/08, snort bsd [EMAIL PROTECTED] wrote: From: snort bsd [EMAIL PROTECTED] Subject: [c-nsp] ctr+break sequence and Cisco 3500 To: cisco-nsp cisco-nsp@puck.nether.net Received: Wednesday, 29 October, 2008, 11:23 AM

Hi all: I might not have done hundreds times but certainly did a lot of times. But not this time. trying to breaking a cisco 3550 since lost password. I tried sequence of ctrl+break but not working for me. it just reboots back to normal working status. Then I just tried ctrl+b and not working either. checked with Cisco web page and I don't see anything special. Did i miss something here or just this Cisco 3550 has something special for password recovery? Thanks
[c-nsp] 4507 Sup6-E vs. 6506 Sup32-10GE
Hello all,

I'm about to build out some new office space and am looking at options for access layer switches (just one switch for now, but this will be the model for a larger roll-out).

Basic requirements:
- About 120 GigE ports
- PoE
- Layer 3 (OSPF support req'd)
- Redundant Sup
- 10Gb uplinks to 6500 core/dist

The 6506 w/ Sup32 has some potential advantages: NetFlow, GRE in hardware (for network virtualization), 6500 platform for future expansion/upgrades, but the 32Gb bus _seems_ pretty limiting (Sup720 w/ 65xx line cards would exceed the budget).

The 4507 w/ Sup6E looks good from a performance and feature standpoint (NetFlow and hardware GRE being the notable exceptions), but I have concerns about the longevity of the platform. I don't want to do a large deployment on hardware that's going to be EOL'd in a few years... I have no idea if that's actually going to happen, but I've heard rumors (feel free to refute this!)

Without going in to too much detail, the user community is a mix of general office users and software developers. Some of the applications have relatively high bandwidth requirements, but nothing too special; in reality, the oversubscription ratio for either solution is probably fine. In some cases, there may be high volume (100Mb) multicast traffic, but to a limited set of users.

I'm leaning towards the 4500/Sup6E, but I have this nagging feeling that the 6500/Sup32 is the 'right' solution. For either solution, pricing is more or less the same... what would you do?

Thanks, James
Re: [c-nsp] Bonded DSL with Cisco 1800/877's
Maarten, awesome configs and I thank you very much for those... great resource. From the other perspective... do you, or anyone else know, about what is required on the ISP's end to do multi-link? We take DSL tails from multiple providers and they land on our 7200 LNS. Is there any specific config I have to do to allow/support ppp multi-link services? ...Skeeve -Original Message- From: Moerman, Maarten [mailto:[EMAIL PROTECTED] Sent: Wednesday, 29 October 2008 11:13 AM To: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net; [EMAIL PROTECTED] Subject: RE: [c-nsp] Bonded DSL with Cisco 1800/877's The previous company i've worked for, i did setup bonding/bundling on cisco 1841's and cisco 28xx.. I've made templates of those configuration files, I see they did change some things in those files, but here they are: ftp://dl.solcon.nl/pub/dsl/configs/Cisco/ I think some people of solcon are also on this list (Rinse?) maybe they can post an example of how the virtual-template is being done on the NRP's (don't have access anymore :) ) Maarten -Original Message- From: [EMAIL PROTECTED] on behalf of Tony Sent: Wed 10/29/2008 1:01 AM To: cisco-nsp@puck.nether.net; [EMAIL PROTECTED] Subject: Re: [c-nsp] Bonded DSL with Cisco 1800/877's Skeeve, Being in the same country as you, I know all about your problems with DSL and what you're trying to achieve :) We don't worry about an 1800, just have two 877 CPE's. On the 877 that is the default gateway for the site, it has routes like this: ip route 0/0 dialer1 ip route 0/0 lan_ip_of_other_877 The other 877 just has a single static route to the dialer interface. In the central site, we have the same, two equal cost routes pointing to the IP address of the dialer interface/IP of each the two 877's. It seems to work ok and also has the benefit that if one link goes down you can adjust a few routes and push everything onto the one remaining link. 
As per the article linked by a previous poster: http://blog.ioshints.info/2008/09/load-balancing-quirks.html You need to remember that traffic between two hosts (on either end of the link) will only be routed over ONE of the links at a time. This means that a single host doing a large transfer will only max out ONE of the links and not see the full bandwidth (make sure you are VERY clear to your customer about this aspect). We tend to use this a lot where we have branch offices that are doing Citrix/MSTSC over the link and so there are lots of smaller bandwidth traffic flows that balance fairly well across the two links. They outgrow a 512/512 link and as you well know, there is nothing to upgrade to in a lot of cases. regards, Tony. Not having the time/budget to research the full implications myself I am approaching the list for advice. Making excuses for your laziness isn't a good way to start a request asking for help ;) --- On Wed, 29/10/08, Skeeve Stevens [EMAIL PROTECTED] wrote: From: Skeeve Stevens [EMAIL PROTECTED] Subject: [c-nsp] Bonded DSL with Cisco 1800/877's To: cisco-nsp@puck.nether.net Date: Wednesday, 29 October, 2008, 12:11 AM Hey all, Not having the time/budget to research the full implications myself I am approaching the list for advice. In Australia we can do either ADSL, ADSL2/2+ or SHDSL for the most part. I have a client wanting more bandwidth than any single of these connections can provide, without the availability of any other offering. The aim - to provide as much bandwidth as possible using ADSL technologies - 2, 3, or 4 (would need a 2811?), but mostly 2 would be fine. I am faced with a choice. A Cisco 1811 with 2 (or more - limit 4?) 
877's in bridge mode or equal weighted routing Or A Cisco 1841 (or 2800 equiv) with 2 * HWIC-1ADSL cards Notes: - The services will be going into the same DSL provider - The services are delivered to the LNS as L2TP connections - We managed both ends - the end customer equipment, and the ISP's LNS's (Cisco 7200G2) I've never done 'bonded' or 'ppp multi-link?' with any of the above hardware.. the last time was many years ago with multi-linked 28.8 modems. Any thoughts or advice on the above? From the perspective of either the clients end, or the ISP's end or both. Thanks in advance guys. -- Skeeve Stevens, RHCE [EMAIL PROTECTED] / www.skeeve.org Cell +61 (0)414 753 383 / skype://skeeve eintellego - [EMAIL PROTECTED] - www.eintellego.net -- I'm a groove licked love child king of the verse Si vis pacem, para bellum
[c-nsp] Default Route behaviour on PIX
All,

This may be one of those things you know after working with PIX but I just can't seem to get my head around it.

Say I have a PIX that is connected to a DSL router and is filtering traffic. The DSL connection has a ppp negotiated IP address from the ISP. The ISP is also routing a /30 via said address that is used to connect between the DSL router and the PIX (if it makes any difference, the DSL router in this case is an 827). The next-hop address set in the default route on this PIX is a nonsense address. It is definitely not a valid next-hop address. Despite this fact, the PIX still happily seems to forward traffic (this is working at the moment).

I set the same configuration up in a lab and it exhibited the same behavior. The lab has a router connected to the Internet via the 30.30.30.0/30 network. The edge router and the PIX are connected via 30.30.40.0/30. If I set the next hop of the default route to 30.30.40.1 (the edge router side), traffic flows. If I set the next hop of the default route to 1.1.1.1, traffic flows? Is this a known thing? The PIX appears to just throw the traffic onto the outbound interface and hope for the best?

I've tried this with both PIXOS 6.x and 7.x, both of which seem to exhibit the same behavior. I've included a snippet of the PIX config from the lab... in the hopes that maybe it is something I am doing? I would appreciate any insight..

Cheers, Nic

--- PIX Config from Lab --
interface Ethernet0
 description Link to EDGE FA0/1
 nameif Outside
 security-level 0
 ip address 30.30.40.2 255.255.255.252
!
interface Ethernet1
 description Link to CLIENT FA0/0
 nameif Inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
access-list Outside-IN extended permit ip any any
access-list Outside-OUT extended permit ip any any
access-list Inside-IN extended permit ip any any
access-list Inside-OUT extended permit ip any any
!
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
access-group Outside-IN in interface Outside
access-group Outside-OUT out interface Outside
access-group Inside-IN in interface Inside
access-group Inside-OUT out interface Inside
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
[c-nsp] Network Management
Hi all,

I have been working on Network Management for a few years! Over the period I've learned certain things that include:
1. Syslog
2. SNMP
3. Netflow
4. AAA (TACACS+)
5. Network Discovery Techniques (CDP, UDP ICMP scanning...)

Based on this experience I've developed a few in-house applications for network monitoring using Syslog, SNMP Traps and CDP. For Netflow we are using Nfcapd/Nfsen (developed by Peter Haag). It's quite painful and laborious to develop these applications from scratch, especially when you don't have a dedicated team to do this. Prior to this I did try to look for open source alternatives but now I decided to go with in-house development.

Since I've seen a couple of discussions here on Network Management, I thought I would take some suggestions from you guys. I would appreciate it if you can share some ideas of what you are looking for in a typical Network Monitoring application. I hope many of you have tried lots of open source tools and have some valuable suggestions on various aspects that include:
1. Ease of installation
2. Platform and programming language(s)
3. Features and Extensions
4. Architecture (centralized/distributed)
5. User front-end (GUI/Web)

Your inputs will help me in building a comprehensive Network Monitoring application. So far I've been using C++, Mysql and PHP.

Cheers, Venu
[c-nsp] OSPF fast hellos
Anyone currently using this in a fairly demanding environment? I.e. 5-10Gbs+ Campus/DC model. Curious as to whether you've had any/many false dead peers with such a short interval; subsecond dead peer detection does sound very tempting though.

Cheers Ben