Re: [c-nsp] Cisco 7206 - High CPU Utilization
Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption hardware) unless you have a special module for that. Your config isn't exactly minimal (ie, gathering flow statistics and NAT also eat CPU); also notice that you are referring to 5 minute averages on the bandwidth, try setting load-interval 30 on the Fast Ethernet interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing ip fragmentation on a 6 mbit tunnel :) so take a look at `show ip traffic`.

You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Kind regards,
Erik

Spencer Barnes wrote:

Greetings,

I have a Cisco 7206 (non-VXR) with an NPE-225. It has a PA-T3 card with a DS3 plugged in serving as our WAN port and a PA-FE-TX linking to another router that serves as our core router. The T3/Serial interface has a VPN endpoint configured and it is connected to a remote site that we use for off-site backups.

The CPU utilization goes through the roof (90 and up) when I upload files from our network to the remote network. I do not see this problem when I am downloading to our network. I put a throttle in place on the remote side limiting the connection to 6 Mb/s and that helped (before the throttle it would stick at 99% when copying). The majority of the CPU usage is in IP input and encrypt proc.

If I take the VPN out of the picture, CPU utilization is in the 40-50% ballpark which still seems high to me and obviously the VPN is having a dramatic effect on CPU usage. The average amount of bandwidth used and the packets per second rate are both low (less than 10 Mb/s and around 1000-1500 pps) for the interfaces.

Should this model of router be capable of handling a heavily used VPN tunnel running at about 6 Mb/s? If I eliminate the VPN, shouldn't this model of router be able to handle at least 25% of a T3's capacity?
If the answer to either question is no, what is the lowest end Cisco router you would recommend?

Random notes:
- Very minimal config.
- IP CEF is globally enabled.
- Turbo ACLs are enabled.
- Steady amount of flushes incrementing on PA-FE-TX (FA2/0) interface but not T3.

interface Serial1/0
 description [WAN]
 mtu 1500
 ip address xxx 255.255.255.252
 ip access-group 100 in
 ip access-group 103 out
 ip flow ingress
 ip nat outside
 no ip virtual-reassembly
 ip route-cache policy
 ip route-cache flow
 ipv6 enable
 dsu bandwidth 44210
 framing c-bit
 cablelength 50
 serial restart-delay 0
 no cdp enable
 crypto map myvpn
 hold-queue 1500 in
!
interface FastEthernet2/0
 description [Uplink] Connected to Core FA1/0
 ip address 10.1.1.1 255.255.255.0
 ip flow ingress
 ip nat inside
 no ip virtual-reassembly
 ip route-cache policy
 ip route-cache flow
 duplex full
 ipv6 address xxx
 ipv6 enable
 hold-queue 1500 in

FastEthernet2/0 is up, line protocol is up
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
     reliability 255/255, txload 7/255, rxload 16/255
  Full-duplex, 100Mb/s, 100BaseTX/FX
  Last clearing of show interface counters 02:06:23
  Input queue: 5/1500/0/8034 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 6561000 bits/sec, 772 packets/sec
  5 minute output rate 3026000 bits/sec, 658 packets/sec
     6397481 packets input, 6506974856 bytes
     Received 171 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     5532333 packets output, 3232118493 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Thank you in advance!

Spencer

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Erik Versaevel
Re: [c-nsp] 32 bit ASN
Any dates announced for 12.5T?

...Skeeve

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Luan Nguyen
Sent: Thursday, 18 December 2008 2:34 AM
To: 'Antonio Soares'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

Here's an old post on this topic: http://puck.nether.net/pipermail/cisco-nsp/2008-August/053334.html

Also, I heard it's going to be implemented beginning 12.5T

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, December 17, 2008 7:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 32 bit ASN

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS? I didn't find this feature on Feature Navigator. It's quite strange that no information seems to be available.

RIPE will start assigning 32-bit ASNs on 1/1/2009.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
Re: [c-nsp] 32 bit ASN
My Cisco SE told me last week 32b ASN will be supported in:

12.2(33)SRE for 7600 and 7200, due Q3 2009 :-(
12.4(24)T for ISR 28xx/38xx and 7200, due April 2009

Martin

cisco-nsp-boun...@puck.nether.net wrote on 17/12/2008 17:32:

Thanks Brian. IOS-XR and NX-OS seem the only OS's in the Cisco family that support this. IOS-XR since release 3.4.0 and NX-OS since 4.0(1).

By the way, I found this document written by Jeff Doyle about this subject: http://www.networkworld.com/community/node/35767

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Brian Raaen
Sent: Wednesday, 17 December 2008 12:43
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

I recently brought up the same question on NANOG. Here is the thread http://mailman.nanog.org/pipermail/nanog/2008-August/003347.html

As far as I can tell Cisco is really dragging their feet on this one, unless you are buying one of their Super-Deluxe model devices that runs on a different IOS.

--
Brian Raaen
Network Engineer
bra...@zcorum.com

On Wednesday 17 December 2008, Antonio Soares wrote:

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS? I didn't find this feature on Feature Navigator. It's quite strange that no information seems to be available.

RIPE will start assigning 32-bit ASNs on 1/1/2009.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
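As an added illustration (not part of the thread) of what the 4-byte ASN feature has to handle: conversion between asplain and asdot notation, and how an AS_PATH containing 4-byte ASNs looks to a peer whose IOS lacks the support (every such ASN is replaced by AS_TRANS, 23456, per RFC 4893). The sample ASNs are constructed.

```python
# Added example (not from the thread): asplain/asdot notation for 4-byte AS
# numbers and what a router without 4-byte ASN support sees in the AS_PATH.
AS_TRANS = 23456            # RFC 4893 placeholder announced to 2-byte-only peers
MAX_2BYTE = 0xFFFF
MAX_4BYTE = 0xFFFFFFFF


def asdot_to_asplain(text):
    """'3.21' -> 196629; a plain decimal such as '64512' passes through."""
    text = text.strip()
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
            raise ValueError(f"asdot halves must be 0..65535: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of 32-bit range: {text}")
    return asn


def asplain_to_asdot(asn):
    """Display form IOS uses under 'bgp asnotation dot': 196629 -> '3.21'."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of 32-bit range: {asn}")
    return f"{asn >> 16}.{asn & MAX_2BYTE}" if asn > MAX_2BYTE else str(asn)


def needs_4byte_support(asn):
    """True when the value cannot be carried in a classic 2-byte AS field."""
    return asn > MAX_2BYTE


def as_path_seen_by_old_speaker(path):
    """The AS_PATH a peer without 4-byte ASN support receives: every 4-byte
    ASN is replaced by AS_TRANS, so distinct 4-byte ASes become
    indistinguishable to that peer (the real path travels in NEW_AS_PATH)."""
    return [AS_TRANS if needs_4byte_support(asn) else asn for asn in path]


if __name__ == "__main__":
    # constructed sample path: one 2-byte AS followed by two 4-byte ASes
    path = [3356, 196629, 65546]
    print([asplain_to_asdot(a) for a in path])     # ['3356', '3.21', '1.10']
    print(as_path_seen_by_old_speaker(path))       # [3356, 23456, 23456]
```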
Re: [c-nsp] MPLS-VPN migration
On Wed, Dec 17, 2008 at 12:25 PM, Luan Nguyen l...@netcraftsmen.net wrote:

Let me try thinking out loud :)

There is BGP support for IP prefix import into the VRF table: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html

You could use static routes as well.

Looked at that. Trouble is the static routes have to specify next-hop, which isn't going to be very scalable for directly-connected VLAN interfaces.

For dynamic, some people create two tunnels, same router, same subnet, sourced from different loopbacks. With one tunnel interface in the vrf, one in the global routing table

ip vrf CUSTOMER1
 rd
 route-target export
 route-target import
!
interface Tunnel100
 description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
 bandwidth 5
 ip vrf forwarding CUSTOMER1
 ip address 172.31.254.254 255.255.255.252
 load-interval 30
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
!
interface Tunnel200
 description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
 bandwidth 5
 ip address 172.31.254.253 255.255.255.252
 ip virtual-reassembly
 load-interval 30
 tunnel source y.y.y.y
 tunnel destination x.x.x.x

And point statics at the tunnel? I guess that could work.

I was hoping to do something along the lines of: http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/bgp_router_id_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1055073

But it looks like this only works for VRF-VRF BGP sessions, not VRF-GLOBAL.

Tim:
Re: [c-nsp] Rate limiting but on packet count not bandwidth
Some platforms support the police rate x pps command, but I don't know if this should be used for CoPP exclusively.

storm-control unicast should block all unknown unicast, which is probably not what Primoz wants (besides the vlan/trunk matter).

--
Tassos

Ross Vandegrift wrote on 17/12/2008 18:25:

On Wed, Dec 17, 2008 at 04:00:56PM +0100, Primoz Jeroncic wrote:

Hi guys

Does anyone have any idea if rate limiting traffic based on packet count would be possible on Cat3550/3560/3570 or any Cisco router? I would need to limit some users which don't generate much traffic (only about 5 or 6Mbps), but the packet count is huge (30k+ per sec). So is there some option to limit their traffic to let's say 5000 packets/sec regardless of the bandwidth they use?

I've wanted this on Catalyst platforms for a long time, it doesn't really exist.

On your platforms, you should be able to apply unicast storm-control to control the number of pps on a per-physical port basis, but you can't write a QoS policy that can be applied in general. Doesn't seem to be any way to do it on a VLAN. If you enable it on a trunk port, all VLANs will be dropped when one exceeds the threshold - probably not what you want.

Ross
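As an added example, not from the thread: a token-bucket policer run once in bytes and once in packets over a constructed flow shaped like the one Primoz describes (roughly 6 Mbps but about 30k small packets per second), showing why a bandwidth-based policer passes it untouched while a pps-based policer holds it to about 5000 pps. The burst values are assumptions.

```python
# Added example (not from the thread): a single-rate token-bucket policer run
# once in bytes and once in packets over a constructed flow.  The figures are
# constructed to show why a bandwidth-based policer never drops a flow of tiny
# packets while a pps-based one does.


def police(packets, rate, burst, unit="packets"):
    """Token-bucket policer.

    packets: iterable of (arrival_time_seconds, size_bytes), time-ordered.
    rate:    tokens added per second (bytes/s when unit == "bytes", else pps).
    burst:   bucket depth in the same unit.
    Returns (conforming, exceeding) packet counts.
    """
    tokens = float(burst)
    last_time = 0.0
    conform = exceed = 0
    for arrival, size in packets:
        # refill for the time elapsed since the previous packet, capped at burst
        tokens = min(burst, tokens + (arrival - last_time) * rate)
        last_time = arrival
        cost = size if unit == "bytes" else 1
        if tokens >= cost:
            tokens -= cost
            conform += 1
        else:
            exceed += 1
    return conform, exceed


def constructed_flow(pps, packet_bytes, seconds):
    """Evenly spaced packets of one size: constructed test traffic, not a capture."""
    count = int(pps * seconds)
    return [(i / pps, packet_bytes) for i in range(count)]


def compare_policers(flow, bps_limit, pps_limit):
    """Run the same flow through a bits-per-second and a packets-per-second policer.

    Burst values are assumptions: one eighth of a second of traffic for the
    byte policer (IOS-style Bc = rate/8) and one tenth of a second for the
    pps policer.
    """
    byte_rate = bps_limit / 8
    by_bytes = police(flow, byte_rate, byte_rate / 8, unit="bytes")
    by_pps = police(flow, pps_limit, pps_limit / 10, unit="packets")
    return {"bytes": by_bytes, "packets": by_pps}


if __name__ == "__main__":
    # 30,000 packets/s of 25 bytes each: 30000 * 25 * 8 = 6 Mbit/s
    flow = constructed_flow(pps=30000, packet_bytes=25, seconds=1.0)
    result = compare_policers(flow, bps_limit=10_000_000, pps_limit=5000)
    print("10 Mb/s byte policer (conform, exceed):", result["bytes"])
    print("5000 pps policer     (conform, exceed):", result["packets"])
```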
Re: [c-nsp] Cisco 7206 - High CPU Utilization
On Wed, 17 Dec 2008, Spencer Barnes wrote:

I removed all ACLs and Netflow but that did not have an effect. I think I can move NAT to the core router for testing purposes, I'll try and do that tomorrow morning. IOS version is (C7200-JK9O3S-M), Version 12.4(21).

If you're tunneling over 1500 media, doing ip tcp mss-adjust 1300 on the interface where the traffic to encrypt/tunnel is passing unencrypted/untunneled, might help you. Worth a try though, you don't want multiple tunnel/encrypted packets per packet in the VPN.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
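Following Erik's fragmentation warning and Mikael's MSS suggestion above (the IOS interface command is `ip tcp adjust-mss`), here is an added worked example, not from the thread, that computes how much ESP tunnel-mode encapsulation (optionally GRE-over-IPsec) inflates a TCP segment, how many fragments a full 1460-byte-MSS segment becomes on a 1500-byte path, and the largest MSS that avoids fragmentation. The cipher/auth choices (AES or 3DES with HMAC-SHA1/MD5) and the assumption that the crypto map uses the IOS default tunnel mode are mine.

```python
# Added example (not from the thread): how much an IPsec tunnel (optionally
# GRE-over-IPsec) inflates a TCP segment, and the largest TCP MSS that keeps the
# encrypted packet inside a 1500-byte MTU so the router never has to fragment.
# Header sizes are the standard on-the-wire ESP/GRE/IP sizes; the cipher/auth
# combinations are assumed typical IOS transform sets.
import math

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4            # GRE with no key, sequence or checksum option
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
# cipher -> (block size, IV length); ESP-CBC pads up to the block size
CIPHERS = {"aes": (16, 16), "3des": (8, 8), "des": (8, 8)}
# auth -> truncated ICV length (HMAC-SHA1-96 and HMAC-MD5-96 both use 96 bits)
AUTHS = {"sha1": 12, "md5": 12}


def encapsulated_size(inner_ip_len, gre=False, cipher="aes", auth="sha1"):
    """Bytes on the wire after GRE (optional) and ESP tunnel-mode encapsulation."""
    if gre:
        # the GRE tunnel wraps the packet in a new IP header plus GRE header
        inner_ip_len += IPV4_HDR + GRE_HDR
    block, iv_len = CIPHERS[cipher]
    # ESP encrypts inner packet + trailer, padded up to the cipher block size
    padded = math.ceil((inner_ip_len + ESP_TRAILER) / block) * block
    return IPV4_HDR + ESP_HDR + iv_len + padded + AUTHS[auth]


def fragments_needed(mss, mtu=1500, gre=False, cipher="aes", auth="sha1"):
    """How many IP fragments one full-size TCP segment becomes after encryption.

    1 means no fragmentation.  Each fragment carries at most (mtu - 20) payload
    bytes rounded down to a multiple of 8, as the IP fragment offset requires.
    """
    total = encapsulated_size(IPV4_HDR + TCP_HDR + mss, gre, cipher, auth)
    if total <= mtu:
        return 1
    per_fragment = (mtu - IPV4_HDR) // 8 * 8
    return math.ceil((total - IPV4_HDR) / per_fragment)


def max_mss(mtu=1500, gre=False, cipher="aes", auth="sha1"):
    """Largest TCP MSS whose encrypted packet still fits in the MTU."""
    mss = mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and fragments_needed(mss, mtu, gre, cipher, auth) > 1:
        mss -= 1
    return mss


if __name__ == "__main__":
    for gre in (False, True):
        for cipher in ("aes", "3des"):
            print(f"gre={gre!s:5} {cipher}/sha1: max MSS {max_mss(gre=gre, cipher=cipher)}, "
                  f"MSS 1460 -> {fragments_needed(1460, gre=gre, cipher=cipher)} fragments, "
                  f"MSS 1300 -> {fragments_needed(1300, gre=gre, cipher=cipher)} fragment(s)")
```

With these sizes a 1500-byte cleartext packet grows to 1560 bytes under AES/SHA1 tunnel mode, so every full segment is split in two after encryption, whereas an MSS of 1300 leaves the encrypted packet at 1400 bytes.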
[c-nsp] 7600 IP Precedence map not working
Hi

I am testing an NNI connection between a 7600 and a 7200 - test environment at the moment.

I have a scenario where a provider network allocates IPP 7 for voice, whereas we allocate IPP 5.

I devised a simple service policy to swap IPP in and out, i.e.

policy-map NNI-VOICE-IN
 class NNI-VOICE-IN
  set precedence 5

class-map match-any NNI-VOICE-IN
 match precedence 7
--
policy-map NNI-VOICE-OUT
 class NNI-VOICE-OUT
  set precedence 7

class-map match-any NNI-VOICE-OUT
 match precedence 5
-
interface GigabitEthernet3/12.20
 encapsulation dot1Q 20
 ip vrf forwarding TEST2
 ip address 10.1.1.1 255.255.255.252
 no cdp enable
 service-policy input NNI-VOICE-IN
 service-policy output NNI-VOICE-OUT

On my CE routers I can check that the correct IPP is being received (1 CE per network).

The problem is that it seems to be working only 1 way. If I make a call from my network to the carrier network, IPP is 5 at my CE and 7 at the remote CE which is what I want. However if I call from the remote network to my network, IPP is 7 from remote (fine) however it is still entering my local CE as 7 (not good).

I removed the policy from the 7600 and installed it on the 7200 (changing the match and set around) and it works perfectly, 5-7, 7-5.

On the 7600, I am connecting to the 7200 with a WS-X6748-GE-TX port (LAN card).

My guess is that the inbound policy map on the 7600 is not being acted upon, whereas the outbound is, in order to get the initial results of 1 way IPP swapping.

Anyone got any ideas?

Regards
Mark
[c-nsp] L2TP over IPSec on an ASA using machine certificate authentication -- anyone has success?
Has anyone had success implementing L2TP over IPSec remote access VPN using a machine certificate for phase 1 negotiation (instead of a pre-shared key)?

If we use a pre-shared key for the phase 1 negotiation, the VPN connection is successful. But once we switch over to using a certificate for phase 1 negotiation, ISAKMP just doesn't seem to complete properly enough for phase 2 to kick in (although debug crypto isakmp 255 on the ASA does say that PHASE 1 COMPLETED, debug crypto ipsec 255 returns no messages).

The machine and root certificates on the OS X 10.5.5 client were successfully imported into the keychain; the trust point on the ASA5510 is also set up properly. Yet, for some reason, the phase 1 negotiation just doesn't seem to jive well. We also tested using a Windows XP client machine, but that didn't work either.

If anyone has had success with implementing L2TP over IPSec using a machine certificate, I sure would appreciate any pointers. I've included debug messages from both the client and the ASA.

TIA,
Inca

Remote access client (Mac OS X 10.5.5, at 172.17.1.1)
-
Wed Dec 17 10:54:49 2008 : L2TP connecting to server '192.168.254.254' (192.168.254.254)...
Wed Dec 17 10:54:52 2008 : L2TP sent SCCRQ
Wed Dec 17 10:54:52 2008 : IPSec connection started
Wed Dec 17 10:54:52 2008 : IPSec phase 1 client started
Wed Dec 17 10:54:52 2008 : IPSec phase 1 server replied
Wed Dec 17 10:54:52 2008 : IPSec connection failed IKE Error 18 (0x12) Invalid id information

ASA5510 (running software 8.0(4)16, at 192.168.254.254)
-
Dec 17 10:54:38 [IKEv1]: IP = 172.17.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 300
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing SA payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Oakley proposal is acceptable
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received NAT-Traversal RFC VID
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received NAT-Traversal ver 03 VID
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received NAT-Traversal ver 02 VID
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received DPD VID
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing IKE SA payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 10
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing ISAKMP SA payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing NAT-Traversal VID ver 02 payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing Fragmentation VID + extended capabilities payload
Dec 17 10:54:38 [IKEv1]: IP = 172.17.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 228
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing ke payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing ISA_KE payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing nonce payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing NAT-Discovery payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, computing NAT Discovery hash
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing NAT-Discovery payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, computing NAT Discovery hash
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing ke payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing nonce payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing certreq payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing certreq payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing Cisco Unity VID payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP =
[c-nsp] MPLS-VPN migration
Looking for some creative ideas on how best to accomplish this:

We are migrating a traditional enterprise-style IP network to an MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is essentially done (it's a purely PE-PE network, no P routers anywhere.)

All customer networks are still in the global table. I need to migrate them into VPN groups, but maintain full reachability between global and VRFs during the migration. Route-leaking will be configured between VRFs, and at a later stage some kind of firewall will be employed between VPNs.

The hard part is getting everything into the VPNs first (without anyone noticing too much :-)

Ideally I'd like to bring up BGP sessions between the global table and VRFs on each PE. I notice I can do BGP sessions between VRFs, but can't quite wrap my head around global-VRF BGP. Is this even possible?

Thanks for thinking about it.

Tim:
[c-nsp] Any EEM/TCL gurus about?
Has anybody managed to get the http package working?

I want to do an HTTP POST, for some reason I can't load the http.tcl package inside system:lib/tcl (is this something to do with the safe execution mode?)

I've tried

 require package http
 require package http 2.4.7
 require package ioshttp (trying the builtin)

no success, has anybody done this before?

Dave.
Re: [c-nsp] bgp multipath-relax + dmzlink
bill fumerola wrote on Wednesday, December 17, 2008 01:04:

config:

bgp bestpath as-path multipath-relax
bgp dmzlink-bw
neighbor aa.bb.cc.73 dmzlink-bw
neighbor xxx.yyy.zzz.77 dmzlink-bw

interface bandwidth settings:

rtr1#show ip route aa.bb.cc.73 | i direct
  * directly connected, via GigabitEthernet0/0.5
rtr1#show int gi0/0.5 | i BW
  MTU 1500 bytes, BW 9000 Kbit, DLY 10 usec,
rtr1#show ip route xxx.yyy.zzz.77 | i direc
  * directly connected, via GigabitEthernet0/0.3
rtr1#show int gi0/0.3 | i BW
  MTU 1500 bytes, BW 55000 Kbit, DLY 10 usec,
rtr1#

bgp shows the proper DMZ-link BW:

rtr1#show ip bgp 4.23.94.0
[...]
  2914 7018 46164
    xxx.yyy.zzz.77 from xxx.yyy.zzz.77 (129.250.0.19)
      Origin IGP, metric 0, localpref 100, weight 1, valid, external, multipath
      Community: 2914:420 2914:2000 2914:3000 36692:10210 no-export
      DMZ-Link Bw 6875 kbytes
  701 7018 46164
    aa.bb.cc.73 from aa.bb.cc.73 (137.39.2.70)
      Origin IGP, metric 0, localpref 100, weight 1, valid, external, multipath, best
      Community: 36692:10210 no-export
      DMZ-Link Bw 1125 kbytes

here's the problem:

rtr1#show ip route 4.23.94.0
Routing entry for 4.23.94.0/23
  Known via bgp 36692, distance 20, metric 0
  Tag 701, type external
  Last update from aa.bb.cc.73 00:24:40 ago
  Routing Descriptor Blocks:
  * xxx.yyy.zzz.77, from xxx.yyy.zzz.77, 00:24:40 ago
      Route metric is 0, traffic share count is 1
      AS Hops 3
      Route tag 701
    aa.bb.cc.73, from aa.bb.cc.73, 00:24:40 ago
      Route metric is 0, traffic share count is 10
      AS Hops 3
      Route tag 701

the traffic share count is the inverse of what it should be (1:10 when it should be 7:1).

looks like a bug, there have been a few, but not sure which one without looking into this further. I don't think it's related to bgp bestpath as-path multipath-relax in any way, rather a bug in how BGP calculates the share count it passes to RIB..

Maybe CSCsg31316 (Changes in dmzlink-bw do not reflect in the routing table) or CSCsg31406 (don't think so)..

oli
Re: [c-nsp] 32 bit ASN
Here's an old post on this topic: http://puck.nether.net/pipermail/cisco-nsp/2008-August/053334.html

Also, I heard it's going to be implemented beginning 12.5T

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, December 17, 2008 7:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 32 bit ASN

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS? I didn't find this feature on Feature Navigator. It's quite strange that no information seems to be available.

RIPE will start assigning 32-bit ASNs on 1/1/2009.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
Re: [c-nsp] Rate limiting but on packet count not bandwidth
Maybe give storm-control with the pps keyword a try.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1241484

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Primoz Jeroncic
Sent: Wednesday, December 17, 2008 10:01 AM
To: Cisco Mailing list
Subject: [c-nsp] Rate limiting but on packet count not bandwidth

Hi guys

Does anyone have any idea if rate limiting traffic based on packet count would be possible on Cat3550/3560/3570 or any Cisco router? I would need to limit some users which don't generate much traffic (only about 5 or 6Mbps), but the packet count is huge (30k+ per sec). So is there some option to limit their traffic to let's say 5000 packets/sec regardless of the bandwidth they use?

Thanks for help.

Have fun,
Primoz Jeroncic
Support - IP Connectivity Routing
---
Softnet d.o.o.     tel: +386 1 562 31 40 |
Borovec 2          fax: +386 1 562 18 55 | 1 + 1 = 3
1236 Trzin         primoz(at)softnet.si  | for larger values of 1
Slovenija          http://flea.softnet.si/
---
[c-nsp] Rate limiting but on packet count not bandwidth
Hi guys

Does anyone have any idea if rate limiting traffic based on packet count would be possible on Cat3550/3560/3570 or any Cisco router? I would need to limit some users which don't generate much traffic (only about 5 or 6Mbps), but the packet count is huge (30k+ per sec). So is there some option to limit their traffic to let's say 5000 packets/sec regardless of the bandwidth they use?

Thanks for help.

Have fun,
Primoz Jeroncic
Support - IP Connectivity Routing
---
Softnet d.o.o.     tel: +386 1 562 31 40 |
Borovec 2          fax: +386 1 562 18 55 | 1 + 1 = 3
1236 Trzin         primoz(at)softnet.si  | for larger values of 1
Slovenija          http://flea.softnet.si/
---
Re: [c-nsp] MPLS-VPN migration
Let me try thinking out loud :)

There is BGP support for IP prefix import into the VRF table: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html

You could use static routes as well.

For dynamic, some people create two tunnels, same router, same subnet, sourced from different loopbacks. With one tunnel interface in the vrf, one in the global routing table

ip vrf CUSTOMER1
 rd
 route-target export
 route-target import
!
interface Tunnel100
 description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
 bandwidth 5
 ip vrf forwarding CUSTOMER1
 ip address 172.31.254.254 255.255.255.252
 load-interval 30
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
!
interface Tunnel200
 description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
 bandwidth 5
 ip address 172.31.254.253 255.255.255.252
 ip virtual-reassembly
 load-interval 30
 tunnel source y.y.y.y
 tunnel destination x.x.x.x

If you have a lot of customers (a lot of VRFs), then maybe try a DMVPN configuration with the global being the hub and each spoke in its own unique VRF...just a thought :)

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tim Durack
Sent: Wednesday, December 17, 2008 10:54 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MPLS-VPN migration

Looking for some creative ideas on how best to accomplish this:

We are migrating a traditional enterprise-style IP network to an MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is essentially done (it's a purely PE-PE network, no P routers anywhere.)

All customer networks are still in the global table. I need to migrate them into VPN groups, but maintain full reachability between global and VRFs during the migration. Route-leaking will be configured between VRFs, and at a later stage some kind of firewall will be employed between VPNs.

The hard part is getting everything into the VPNs first (without anyone noticing too much :-)

Ideally I'd like to bring up BGP sessions between the global table and VRFs on each PE. I notice I can do BGP sessions between VRFs, but can't quite wrap my head around global-VRF BGP. Is this even possible?

Thanks for thinking about it.

Tim:
Re: [c-nsp] 32 bit ASN
Thanks Brian. IOS-XR and NX-OS seem the only OS's in the Cisco family that support this. IOS-XR since release 3.4.0 and NX-OS since 4.0(1).

By the way, I found this document written by Jeff Doyle about this subject: http://www.networkworld.com/community/node/35767

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Brian Raaen
Sent: Wednesday, 17 December 2008 12:43
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

I recently brought up the same question on NANOG. Here is the thread http://mailman.nanog.org/pipermail/nanog/2008-August/003347.html

As far as I can tell Cisco is really dragging their feet on this one, unless you are buying one of their Super-Deluxe model devices that runs on a different IOS.

--
Brian Raaen
Network Engineer
bra...@zcorum.com

On Wednesday 17 December 2008, Antonio Soares wrote:

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS? I didn't find this feature on Feature Navigator. It's quite strange that no information seems to be available.

RIPE will start assigning 32-bit ASNs on 1/1/2009.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
[c-nsp] Any good filters for syslog output
Hi,

We are going to be monitoring the syslog output (we already have a product (Zenoss)). Does anyone know of a repository of "watch for these" regular expressions to decide what is worth looking into, and what's worth ignoring.

Thanks, Tuc
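As an added example, not something from the thread or from Zenoss: a small triage filter that parses the %FACILITY-SEVERITY-MNEMONIC tag of IOS syslog lines and sorts them into look-into, keep-for-context and ignore buckets. The sample lines and the watch/ignore lists are constructed and would need tuning for a real network.

```python
# Added example (not from the thread): a small triage filter for Cisco IOS
# syslog lines.  It parses the %FACILITY-SEVERITY-MNEMONIC tag and decides,
# from a per-mnemonic list plus the severity level, whether a line is worth
# looking into or safe to ignore.  The sample lines and the watch/ignore lists
# are constructed for the example; tune them for your own network.
import re

# IOS message tag: optional sequence number and timestamp, then %FAC-SEV-MNEMONIC:
TAG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Always worth a look regardless of severity: configuration and login events
ALWAYS_ALERT = {
    "SYS-5-CONFIG_I",          # someone entered configuration mode
    "SEC_LOGIN-4-LOGIN_FAILED",
    "SEC_LOGIN-5-LOGIN_SUCCESS",
}
# Known noise on this (assumed) network: user-port flaps and routine logouts
IGNORE = {
    "LINEPROTO-5-UPDOWN",
    "LINK-3-UPDOWN",
    "SYS-6-LOGOUT",
}


def parse(line):
    """Return (facility, severity, mnemonic, text) or None if no IOS tag is present."""
    m = TAG_RE.search(line)
    if not m:
        return None
    return m["facility"], int(m["severity"]), m["mnemonic"], m["text"]


def classify(line):
    """'alert' (look into it), 'watch' (keep for context), 'ignore', or 'unparsed'."""
    parsed = parse(line)
    if parsed is None:
        return "unparsed"
    facility, severity, mnemonic, _ = parsed
    key = f"{facility}-{severity}-{mnemonic}"
    if key in ALWAYS_ALERT:
        return "alert"
    if key in IGNORE:
        return "ignore"
    if severity <= 3:           # emergencies, alerts, critical, errors
        return "alert"
    if severity <= 5:           # warnings and notifications
        return "watch"
    return "ignore"             # informational and debugging


def triage(lines):
    """Group raw syslog lines by verdict; the order within each group is kept."""
    groups = {"alert": [], "watch": [], "ignore": [], "unparsed": []}
    for line in lines:
        groups[classify(line)].append(line)
    return groups


# Constructed sample output in the shape a router sends to a syslog collector
SAMPLE_LINES = [
    "000045: *Dec 17 10:54:38.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "000046: *Dec 17 10:54:40.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to down",
    "000047: *Dec 17 10:54:41.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]",
    "000048: *Dec 17 10:54:42.500: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60A3B2C4, pool Processor, alignment 0",
    "000049: *Dec 17 10:54:43.000: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent",
    "000050: *Dec 17 10:54:44.000: %SYS-6-LOGOUT: User admin has exited tty session 1(10.0.0.5)",
    "heartbeat from collector, not a router message",
]

if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_LINES).items():
        print(f"{verdict:8} {len(lines)}")
```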
Re: [c-nsp] Cat6500 sup2 boot from PCMCIA
Thanks a lot Howard, just the last question.

On my sup2 I have a sup-bootflash (bootflash in rommon mode) of 32MB and in this sup-bootflash is the corrupted IOS. Before buying a PCMCIA I was trying to recover and load a new IOS (20MB) from xmodem but it always stops transmitting. I don't know if this kind of recovery is possible for a supervisor2.

Thanks again for your advice.

David

-----Original Message-----
From: Howard Leadmon [mailto:how...@leadmon.net]
Sent: Tuesday, 16 December 2008 01:46 a.m.
To: David Lima; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

Had the same issue here with a couple 6500/SUP2's, and the Flash Cards were working, but after a format got flaky. The only real end solution we found that worked was to take and replace them with a different flash card, till we got one it was happy with. Actually went through a couple cards, till we found one that all the SUP2's seemed to accept, and after that life was good..

---
Howard Leadmon

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Lima
Sent: Friday, December 12, 2008 10:41 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA

Hi all,

I have a Cat6500 x6k-sup2-2ge running IOS software. My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I have a PCMCIA and I want to boot the new IOS from the PCMCIA. I cannot format the PCMCIA from rommon mode. How can I format the PCMCIA? Is the only way to format from the target Catalyst switch? All this because I have an error about invalid magic number when I insert the PCMCIA card into the Supervisor2 slot in rommon mode.

Please I need your help,

Thanks in advance.

David
Re: [c-nsp] Rate limiting but on packet count not bandwidth
On Wed, Dec 17, 2008 at 04:00:56PM +0100, Primoz Jeroncic wrote:
> Hi guys
>
> Does anyone have any idea if rate limiting traffic based on packet count would be possible on Cat3550/3560/3570 or any Cisco router? I would need to limit some users who don't generate much traffic (only about 5 or 6Mbps), but whose packet count is huge (30k+ per sec). So is there some option to limit their traffic to, let's say, 5000 packets/sec regardless of the bandwidth they use?

I've wanted this on Catalyst platforms for a long time; it doesn't really exist.

On your platforms, you should be able to apply unicast storm-control to control the number of pps on a per-physical-port basis, but you can't write a QoS policy that can be applied in general. Doesn't seem to be any way to do it on a VLAN. If you enable it on a trunk port, all VLANs will be dropped when one exceeds the threshold - probably not what you want.

Ross
--
Ross Vandegrift
r...@kallisti.us

If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher.
--Woody Guthrie
Re: [c-nsp] 32 bit ASN
Isn't it about time for a 13.0? Or is Cisco superstitious? :)

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Skeeve Stevens
Sent: Wednesday, December 17, 2008 10:57 AM
To: 'Luan Nguyen'; 'Antonio Soares'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

Any dates announced for 12.5T?

...Skeeve

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Luan Nguyen
Sent: Thursday, 18 December 2008 2:34 AM
To: 'Antonio Soares'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

Here's an old post on this topic:
http://puck.nether.net/pipermail/cisco-nsp/2008-August/053334.html

Also, I heard it's going to be implemented beginning 12.5T.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, December 17, 2008 7:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 32 bit ASN

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS? I didn't find this feature on Feature Navigator. It's quite strange that no information seems to be available. RIPE will start assigning 32-bit ASNs on 1/1/2009.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
Re: [c-nsp] 32 bit ASN
On 2008-12-17 16:56, Skeeve Stevens wrote:
> Any dates announced for 12.5T?

The 4-byte ASNs will still hit in the 12.4T line. 12.5T will be created after 12.5M, which still is somewhere in the future.

--
Don't expect me to cry for all the    | Łukasz Bromirski
reasons you had to die -- Kurt Cobain | http://lukasz.bromirski.net
Re: [c-nsp] Cisco 7206 - High CPU Utilization
I removed all ACLs and Netflow but that did not have an effect. I think I can move NAT to the core router for testing purposes; I'll try to do that tomorrow morning.

IOS version is (C7200-JK9O3S-M), Version 12.4(21).

Spencer

-----Original Message-----
From: Church, Charles [mailto:cchur...@harris.com]
Sent: Wednesday, December 17, 2008 9:36 AM
To: Spencer Barnes
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cisco 7206 - High CPU Utilization

Try removing the ACLs and NetFlow one at a time, see if any of those help. The NAT you probably can't get rid of, I'm guessing. Is this an older IOS version? Older ones couldn't do NAT in the CEF path, from what I remember. An upgrade might help, although newer ones might complain about the NPE-225 in there. If you really need VPN, a 2851 or 3825 would do this with ease.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Spencer Barnes
Sent: Wednesday, December 17, 2008 11:53 AM
To: E. Versaevel
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

I included several replies in this that didn't make the list because I thought the information might be helpful.

> You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Pure routing. I set up a server on our external network with a big file and uploaded it to the remote network outside of the VPN, verified by a traceroute.

> What type of VPN is it and what type of encryption are you using?

Here is the VPN config.

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address xxx
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map myvpn 5 ipsec-isakmp
 description === 192 to xxx ===
 set peer xxx
 set transform-set abc
 match address 153
crypto map myvpn 6 ipsec-isakmp
 description === 172 to xxx ===
 set peer xxx
 set transform-set abc
 match address 154

> ...is it possible that without an IPSec accelerator card your experience is not unsurprising?

That is what it is beginning to look like, but the fact that IP input is high even without the VPN is confusing to me. Based on the CPU utilization graphs and the correlating bandwidth graphs, I could upload at half the T3's capacity and more than likely crash the router.

Configuration change since first post: Removed outbound ACL on Serial1/0. No effect on CPU utilization.

--
Spencer

-----Original Message-----
From: E. Versaevel [mailto:e...@infopact.nl]
Sent: Wednesday, December 17, 2008 12:22 AM
To: Spencer Barnes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption hardware) unless you have a special module for that. Your config isn't exactly minimal (i.e., gathering flow statistics; NAT also eats CPU). Also notice that you are referring to 5 minute averages on the bandwidth; try setting load-interval 30 on the Fast Ethernet interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing IP fragmentation on a 6 Mbit tunnel :) so take a look at `show ip traffic`.

You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Kind regards,

Erik
Re: [c-nsp] Cisco 7206 - High CPU Utilization
I included several replies in this that didn't make the list because I thought the information might be helpful.

> You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Pure routing. I set up a server on our external network with a big file and uploaded it to the remote network outside of the VPN, verified by a traceroute.

> What type of VPN is it and what type of encryption are you using?

Here is the VPN config.

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address xxx
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map myvpn 5 ipsec-isakmp
 description === 192 to xxx ===
 set peer xxx
 set transform-set abc
 match address 153
crypto map myvpn 6 ipsec-isakmp
 description === 172 to xxx ===
 set peer xxx
 set transform-set abc
 match address 154

> ...is it possible that without an IPSec accelerator card your experience is not unsurprising?

That is what it is beginning to look like, but the fact that IP input is high even without the VPN is confusing to me. Based on the CPU utilization graphs and the correlating bandwidth graphs, I could upload at half the T3's capacity and more than likely crash the router.

Configuration change since first post: Removed outbound ACL on Serial1/0. No effect on CPU utilization.

--
Spencer

-----Original Message-----
From: E. Versaevel [mailto:e...@infopact.nl]
Sent: Wednesday, December 17, 2008 12:22 AM
To: Spencer Barnes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption hardware) unless you have a special module for that. Your config isn't exactly minimal (i.e., gathering flow statistics; NAT also eats CPU). Also notice that you are referring to 5 minute averages on the bandwidth; try setting load-interval 30 on the Fast Ethernet interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing IP fragmentation on a 6 Mbit tunnel :) so take a look at `show ip traffic`.

You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Kind regards,

Erik
Re: [c-nsp] How to set port bandwidth on CatOS
Hi Everton,

On Thu, Dec 18, 2008 at 5:08 AM, Everton Diniz notrev...@gmail.com wrote:
> How can I set bandwidth on a Sw running CatOS? Like IOS:
>   int f1/1
>   band 1

The bandwidth command in IOS doesn't actually change the bandwidth of an interface -- it's used by other higher-layer processes like routing protocols, queueing etc. For example, you might have an Ethernet port with an access speed of 100Mbps, but your upstream is policing on ingress to 35Mbps. In this case, specifying "bandwidth 35000" would likely help other IOS subsystems make proper decisions.

On Ethernet interfaces, it's the "speed" interface command that changes the interface speed (10Mbps, 100Mbps, 1Gbps, 10Gbps etc.). To set duplex, it's the "duplex" command (auto, half, full).

CatOS is a L2 switching operating system - no L3 support - and therefore does not have an interface command equivalent to bandwidth. Routing on CatOS-based systems is handled by a separate module, which, not surprisingly, runs IOS.

The equivalent speed and duplex commands in CatOS are:
  set port speed ..
  set port duplex ..

cheers,
Dale
Re: [c-nsp] Any good filters for syslog output
On Wed, 2008-12-17 at 15:54 -0500, Tuc at T-B-O-H wrote:
> We are going to be monitoring the syslog output (we already have a product (Zenoss)). Does anyone know of a repository of the "watch for these" regular expressions to decide what is worth looking into, and what's worth ignoring.

I don't know of a repository but would also gladly hear about one.

Until we find it, we use what should have been common sense, but often turns out to be circumstances/arbitrary. :-)

For our access switches this means ignoring "^%CDP-4-DUPLEX_MISMATCH.*, with SEP" (we don't generally disable CDP downstream (I know!) and sometimes people use Cisco IP phones / ATA boxes behind non-CDP switches. What gives?). For the same general reason we don't always react immediately on seeing "^%CDP-4-NATIVE_VLAN_MISMATCH". (It's a yellow code.)

Generally we ignore link/line-proto changes in VLAN interfaces, relying only on changes in physical interfaces. That means that we always ignore "^%LINEPROTO-5-UPDOWN.* Vlan.* up".

Most other messages are collected, logged and mailed to the NOC.

A few message types are reacted upon in a more direct way, sending out text messages (SMS) to several people and playing irritating sounds from hidden speakers in the NOC. Those are messages like "^%LDP-5-NBGCHG.* is DOWN", "^%BGP-5-ADJCHANGE.* Down" and "^%ENVM-4-ENVWARN".

Apart from this we correlate logs on anomalies, e.g. an RTR probe exceeding some threshold or a NFsen alert being triggered. The correlation is strictly time based, but it usually gives an operator some clue as to what's happening.

Regards,
Peter
Re: [c-nsp] Any good filters for syslog output
Splunk is really good for that. Used to use Swatch years ago, not sure if it's still around at all.

We're looking at integrating Splunk into our monitoring platform in the next year or so (Cittio Watchtower).

Paul

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: December 17, 2008 5:53 PM
To: Tuc at T-B-O-H
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Any good filters for syslog output

On Wed, 2008-12-17 at 15:54 -0500, Tuc at T-B-O-H wrote:
> We are going to be monitoring the syslog output (we already have a product (Zenoss)). Does anyone know of a repository of the "watch for these" regular expressions to decide what is worth looking into, and what's worth ignoring.

I don't know of a repository but would also gladly hear about one.

Until we find it, we use what should have been common sense, but often turns out to be circumstances/arbitrary. :-)

For our access switches this means ignoring "^%CDP-4-DUPLEX_MISMATCH.*, with SEP" (we don't generally disable CDP downstream (I know!) and sometimes people use Cisco IP phones / ATA boxes behind non-CDP switches. What gives?). For the same general reason we don't always react immediately on seeing "^%CDP-4-NATIVE_VLAN_MISMATCH". (It's a yellow code.)

Generally we ignore link/line-proto changes in VLAN interfaces, relying only on changes in physical interfaces. That means that we always ignore "^%LINEPROTO-5-UPDOWN.* Vlan.* up".

Most other messages are collected, logged and mailed to the NOC.

A few message types are reacted upon in a more direct way, sending out text messages (SMS) to several people and playing irritating sounds from hidden speakers in the NOC. Those are messages like "^%LDP-5-NBGCHG.* is DOWN", "^%BGP-5-ADJCHANGE.* Down" and "^%ENVM-4-ENVWARN".

Apart from this we correlate logs on anomalies, e.g. an RTR probe exceeding some threshold or a NFsen alert being triggered. The correlation is strictly time based, but it usually gives an operator some clue as to what's happening.

Regards,
Peter
Re: [c-nsp] Any good filters for syslog output (Tuc at T-B-O-H)
You can use OSSEC (http://www.ossec.net/) to monitor your log files for you. It's pretty easy to set up and then you can set up your own custom filters like below. When OSSEC finds a match in the log it will email you.

For example we have OSSEC monitoring a few syslog messages like:

<rule id="12" level="3">
  <match>%SEC-6-IPACCESSLOG</match>
  <description>Unauthorized access.</description>
</rule>

<rule id="13" level="10">
  <match>Privilege level set to 15</match>
  <description>User has entered enable mode.</description>
</rule>

Hope that helps.

Cheers.

Andy
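As an added example for this thread (not code from any of the posts, nor from OSSEC or Zenoss), the script below applies the patterns Peter listed in his reply and the two OSSEC match strings Andy posted to a handful of constructed syslog lines, sorting each line into ignore / page / watch / log the way the two posts describe. Function names, the relay prefix format ("Dec 17 15:54:01 host seq:") and every sample line are my own assumptions; the patterns themselves are quoted from the two posts. It also handles the one practical catch with anchored patterns such as "^%BGP-5-ADJCHANGE.* Down": the "^" only matches once the relay's timestamp/hostname/sequence prefix has been stripped, so the script locates the %FACILITY-SEVERITY-MNEMONIC token and matches from there.

```python
import re
from collections import Counter
from typing import Dict, List

# Every IOS message body starts with a mnemonic such as %CDP-4-DUPLEX_MISMATCH.
MNEMONIC_RE = re.compile(r"%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+")

# Patterns quoted from Peter's post. They are anchored with ^, so they must
# be applied to the message body, not to the raw line stored by the relay.
IGNORE_PATTERNS = [
    r"^%CDP-4-DUPLEX_MISMATCH.*, with SEP",   # IP phones behind non-CDP switches
    r"^%LINEPROTO-5-UPDOWN.* Vlan.* up",      # SVI line-protocol flaps
]
PAGE_PATTERNS = [
    r"^%LDP-5-NBGCHG.* is DOWN",              # pattern as posted in the thread
    r"^%BGP-5-ADJCHANGE.* Down",
    r"^%ENVM-4-ENVWARN",
]
# The two OSSEC <match> strings from Andy's post are plain substrings.
WATCH_PATTERNS = [
    r"%SEC-6-IPACCESSLOG",                    # OSSEC rule 12: ACL log hit
    r"Privilege level set to 15",             # OSSEC rule 13: enable mode entered
]


def message_body(line: str) -> str:
    """Return the line from its %MNEMONIC onward, dropping the relay prefix."""
    m = MNEMONIC_RE.search(line)
    return line[m.start():] if m else line


def classify(line: str) -> str:
    """Return 'ignore', 'page', 'watch' or 'log' for one syslog line.

    Ignore rules run first so a known-noisy message never pages anyone,
    then the page-out rules, then the OSSEC watch rules. Everything else
    is collected and mailed to the NOC, as Peter describes.
    """
    body = message_body(line)
    for category, patterns in (("ignore", IGNORE_PATTERNS),
                               ("page", PAGE_PATTERNS),
                               ("watch", WATCH_PATTERNS)):
        if any(re.search(p, body) for p in patterns):
            return category
    return "log"


def triage(lines: List[str]) -> Dict[str, int]:
    """Count lines per category: the per-run summary an operator would see."""
    return dict(Counter(classify(line) for line in lines))


# Constructed sample lines (not from the thread): a hypothetical relay
# prefix "MMM DD HH:MM:SS host seq:" in front of IOS-format message bodies.
SAMPLE_LOG = [
    "Dec 17 15:54:01 sw-access-01 1234: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/12 (not half duplex), with SEP001122334455 Port 1 (half duplex).",
    "Dec 17 15:54:02 sw-access-01 1235: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/1 (not full duplex), with sw-dist-01 GigabitEthernet1/0/24 (full duplex).",
    "Dec 17 15:54:05 sw-access-01 1236: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up",
    "Dec 17 15:54:06 sw-access-01 1237: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down",
    "Dec 17 15:55:10 pe-core-01 7781: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down Peer closed the session",
    "Dec 17 15:55:30 pe-core-01 7782: %ENVM-4-ENVWARN: Inlet temperature measured at 52 C exceeds warning threshold",
    "Dec 17 15:56:00 rtr-edge-01 4410: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(4455) -> 192.0.2.10(23), 1 packet",
    "Dec 17 15:56:20 rtr-edge-01 4411: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by admin on vty0 (192.0.2.50)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line):6s} {message_body(line)[:70]}")
    print(triage(SAMPLE_LOG))
```

Note that the second CDP line (a duplex mismatch against another switch rather than a phone) falls through to "log" rather than "ignore", which is exactly the distinction Peter's ", with SEP" tail makes; and the physical-interface LINEPROTO change is kept while the Vlan one is dropped. Ordering the ignore list first is what keeps a noisy-but-known message from ever reaching the paging rules.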
[c-nsp] HWIC-3G-GSM vs 881G
Are there any technical differences between the HWIC-3G-GSM in an 1841 and a 881G (with 3G)? Better performance? Technically or anything?

Thanks.

--
Skeeve Stevens, RHCE
ske...@skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - ske...@eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
Re: [c-nsp] MPLS-VPN migration
You could run a routing protocol inside the (DMVPN) tunnel like OSPF and redistribute using MP-BGP.

router ospf 1 vrf CUSTOMER1          <--- VRF instance of OSPF
 network [tunnel interface ip network] area 0
 redistribute bgp 65535 subnets route-map redis-bgp-vrf-CUSTOMER1-to-ospf
!
router ospf 2
 network [tunnel interface ip network] area 0
!
router bgp 65535
 address-family ipv4 vrf CUSTOMER1
  redistribute ospf 1 vrf CUSTOMER1 route-map redis-ospf-to-bgp-vrf

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: Tim Durack [mailto:tdur...@gmail.com]
Sent: Wednesday, December 17, 2008 1:21 PM
To: Luan Nguyen
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS-VPN migration

On Wed, Dec 17, 2008 at 12:25 PM, Luan Nguyen l...@netcraftsmen.net wrote:
> Let me try thinking out loud :)
> There is BGP support for IP prefix import into VRF table:
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
> You could use static routes as well.

Looked at that. Trouble is the static routes have to specify next-hop, which isn't going to be very scalable for directly-connected VLAN interfaces.

> For dynamic, some people create two tunnels, same router, same subnet, sourced from different loopbacks. With one tunnel interface in the vrf, one in the global routing table:
>
> ip vrf CUSTOMER1
>  rd
>  route-target export
>  route-target import
> !
> interface Tunnel100
>  description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
>  bandwidth 5
>  ip vrf forwarding CUSTOMER1
>  ip address 172.31.254.254 255.255.255.252
>  load-interval 30
>  tunnel source x.x.x.x
>  tunnel destination y.y.y.y
> !
> interface Tunnel200
>  description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
>  bandwidth 5
>  ip address 172.31.254.253 255.255.255.252
>  ip virtual-reassembly
>  load-interval 30
>  tunnel source y.y.y.y
>  tunnel destination x.x.x.x

And point statics at the tunnel? I guess that could work.

I was hoping to do something along the lines of:
http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/bgp_router_id_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1055073

But it looks like this only works for VRF-VRF BGP sessions, not VRF-GLOBAL.

Tim:
[c-nsp] STP or HSRP problem ?
Hi,

Has anyone experienced or encountered this? The HSRP configuration has no problem, and the root bridge as well, but these logs only happened on Sw1, whereas Sw2 shows no suspicious error symptoms.

Dec 12 15:40:24.556 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Standby -> Active
Dec 12 15:40:24.564 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Active -> Speak

Regards,
Jack
Re: [c-nsp] MPLS-VPN migration
Tim,

Another option is to attach the existing network to the relevant VPN as a CE, and maintain connectivity to the non-migrated sites through the old topology, while every migrated site would become reachable via the VPN. In this case you just connect the old network through an ASBR to a major PE (you can have 2 or 3, but it would be easier in active/standby if BW is not the issue etc., as you would be creating backdoor links inside the VPN). As soon as the old network is connected, you can expand the IGP of the global routing into the VPN, so reachability would be maintained.

Let me know if you want to explore this a bit more.

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tim Durack
Sent: Wednesday, December 17, 2008 17:54
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MPLS-VPN migration

Looking for some creative ideas on how best to accomplish this:

We are migrating a traditional enterprise-style IP network to an MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is essentially done (it's a purely PE-PE network, no P routers anywhere.) All customer networks are still in the global table. I need to migrate them into VPN groups, but maintain full reachability between global and VRFs during the migration. Route-leaking will be configured between VRFs, and at a later stage some kind of firewall will be employed between VPNs. The hard part is getting everything into the VPNs first (without anyone noticing too much :-)

Ideally I'd like to bring up BGP sessions between the global table and VRFs on each PE. I notice I can do BGP sessions between VRFs, but can't quite wrap my head around global-VRF BGP. Is this even possible?

Thanks for thinking about it.

Tim:
Re: [c-nsp] SoO causing 1-member update groups
On (2008-12-16 13:37 -0800), bill fumerola wrote:

Hey Bill,

> why does adding an external community to a route (via a route-map) impact the neighbor itself? i realize in later versions of IOS this command was added to the per-{neighbor,peer-group,peer-policy} stanzas.

I'm trying to think how else it could work, and I'm drawing a blank. Since when a neighbour has been set with SoO, you will have to send different routes to that neighbour, as you omit sending any routes that already have that SoO set. I guess SoO could have been implemented as some filter post update-group, but that would have introduced more complexity.

--
  ++ytti