Re: [c-nsp] MPLS-VPN migration

2008-12-18 Thread Aaron Daniels - Lists
We just tackled this one in our organisation.

2 Gotchas.

1. Router-id must be different between peers; make sure your code supports
VRF-specific router-id.
2. iBGP was very messy IMHO, so we went with eBGP using local-as to have
each VRF appear to be a different 65xxx AS.

I can send you my lab configs tomorrow.

Thanks,
Aaron

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of Tim Durack
 Sent: Thursday, 18 December 2008 1:54 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] MPLS-VPN migration
 
 Looking for some creative ideas on how best to accomplish this:
 
 We are migrating a traditional enterprise-style IP network to an
 MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is
 essentially done (it's a purely PE-PE network, no P routers anywhere.)
 
 All customer networks are still in the global table. I need to
 migrate them into VPN groups, but maintain full reachability between
 global and VRFs during the migration. Route-leaking will be configured
 between VRFs, and at a later stage some kind of firewall will be
 employed between VPNs. The hard part is getting everything into the
 VPNs first (without anyone noticing too much :-)
 
 Ideally I'd like to bring up BGP sessions between the global table and
 VRFs on each PE. I notice I can do BGP sessions between VRFs, but
 can't quite wrap my head around global-VRF BGP. Is this even
 possible?
 
 Thanks for thinking about it.
 
 Tim:
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] SoO causing 1-member update groups

2008-12-18 Thread Oliver Boehmer (oboehmer)
Saku Ytti  wrote on Thursday, December 18, 2008 08:37:

 On (2008-12-16 13:37 -0800), bill fumerola wrote:
 
 Hey Bill,
 
 why does adding an external community to a route (via a route-map)
 impact the neighbor itself? i realize in later versions of IOS this
 command was added to the per-{neighbor,peer-group,peer-policy}
 stanzas. 
 
 I'm trying to think how else it could work, and I'm drawing blank.
 Since when neighbour has been set with SoO, you will have to send
 different routes to that neighbour, as you omit sending any routes
 that already have that SoO set.

Well, this is true, but Bill had the same SoO community configured on
all peers, so they all share the same outbound routing policy, and thus
fall all into the same update-group. This was just recently fixed via
CSCso80951 (BGP peers with same policy fall into different update-group
with SOO).

Bill: Not sure if I would use SoO for your purpose due to its dual
semantic: It tags a BGP path (which is what you want to achieve), but it
also implicitly filters those paths outbound on peers setting the same
SoO value inbound (which might or might not be intentional).
 
oli


Re: [c-nsp] Any good filters for syslog output

2008-12-18 Thread Eric Van Tol
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of Tuc at T-B-O-H
 Sent: Wednesday, December 17, 2008 3:54 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Any good filters for syslog output
 
 Hi,
 
    We are going to be monitoring the syslog output (we already have
  a product (Zenoss)). Does anyone know of a repository of the Watch
  for these regular expressions to decide what is worth looking into, and
  what's worth ignoring?
 
   Thanks, Tuc

If you're looking for a supported, proprietary product, check out Solarwinds 
Orion - much more than just a syslog repository, though.  You are able to store 
syslogs in a SQL database, create rules for syslogs based upon source IP, 
source hostname, message type (%LINK-4-ERROR, etc.), and message contents.  You 
can also do fancy things like forward the syslog to another syslog server, send 
an email/page, modify the message, and do time-of-day rules.  On the downside, 
if all you need is a syslog server, you have to pay for the entire Orion suite, 
which is pretty expensive.

-evt


Re: [c-nsp] Any good filters for syslog output

2008-12-18 Thread William
We use a combo of syslog-ng+swatch for our filtering, which can do
quite a lot for free. Any more tips on what messages people are
looking for on Cisco networks would be appreciated.

Cheers,

W



Re: [c-nsp] 32 bit ASN

2008-12-18 Thread Marcus.Gerdon
Hi @All,

what information I got regarding AS32 is somewhat worrisome:

12.0(32)S12   Q4/2008
for 72 & GSR

12.4(24)T     Q1/2009
ISRs, 72, 73

12.2SRE       Q3-Q4/2009
for 72 & 76

12.2SXI       unspecified, late 2009
for 65

12.2SB        no longer for 72, only 10k


At least they'll go for asplain, so messing around with the regex to get asdot 
(maybe optionally supported...?) implemented is history.


regards,

Marcus

 -Ursprüngliche Nachricht-
 Von: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] Im Auftrag von Martin Moens
 Gesendet: Mittwoch, 17. Dezember 2008 18:46
 An: cisco-nsp@puck.nether.net
 Betreff: Re: [c-nsp] 32 bit ASN
 
 My Cisco SE told me last week 32b ASN will be supported in:
 12.2(33)SRE for 7600 and 7200, due Q3 2009 :-(
 12.4(24)T for ISR 28xx/38xx and 7200, due April 2009
 
 Martin
 
 
 cisco-nsp-boun...@puck.nether.net  wrote on 17/12/2008 17:32:
 
  Thanks Brian.
  
  IOS-XR and NX-OS seem the only OS's in the Cisco family that
  support this. IOS-XR since release 3.4.0 and NX-OS since 4.0(1).
  
  By the way, I found this document written by Jeff Doyle about
  this subject:
  
  http://www.networkworld.com/community/node/35767
  
  
  
  Thanks.
  
  Regards,
  
  Antonio Soares, CCIE #18473 (RS)
  amsoa...@netcabo.pt
  
  -Original Message-
  From: cisco-nsp-boun...@puck.nether.net
  [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Brian Raaen
  Sent: quarta-feira, 17 de Dezembro de 2008 12:43
  To: cisco-nsp@puck.nether.net
  Subject: Re: [c-nsp] 32 bit ASN
  
  I recently brought up the same question on NANOG.  Here is the thread
  
  http://mailman.nanog.org/pipermail/nanog/2008-August/003347.html
  
  As far as I can tell Cisco is really dragging their feet on this one,
  unless you are buying one of their Super-Deluxe model devices that runs
  on a different IOS.
  
  
  --
  
  Brian Raaen
  Network Engineer
  bra...@zcorum.com
  
  
  On Wednesday 17 December 2008, Antonio Soares wrote:
  Hello group,
  
  Does anybody know if the 32-bit ASN feature is already available on
  Cisco IOS? I didn't find this feature on Feature Navigator. It's quite
  strange that no information seems to be available. RIPE will start
  assigning 32-bit ASNs on 1/1/2009.
  
  
  Thanks.
  
  Regards,
  
  Antonio Soares, CCIE #18473 (RS)
  amsoa...@netcabo.pt
  


Re: [c-nsp] 32 bit ASN

2008-12-18 Thread Antonio Soares
12.2SXI for the 6500 is already available. So I suppose it is the first IOS
that supports this feature.


Regards,

Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt



Re: [c-nsp] 32 bit ASN

2008-12-18 Thread Gert Doering
Hi,

On Thu, Dec 18, 2008 at 12:51:26PM -, Antonio Soares wrote:
 12.2SXI for the 6500 is already available. So i suppose it is the first IOS 
 that supports this feature.

It doesn't.  Maybe planned for a later rebuild of SXI.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de



Re: [c-nsp] STP or HSRP problem ?

2008-12-18 Thread Peter Rathlev
On Thu, 2008-12-18 at 14:58 +0800, Jack wrote:
 anyone who has experienced or encountered this ?
 
 HSRP configuration has no problem and root bridge as well.
 
 but these logs only appeared on Sw1, whereas no suspicious error
 symptoms were found on Sw2.
 
 Dec 12 15:40:24.556 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state
 Standby - Active 
 Dec 12 15:40:24.564 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state
 Active - Speak 

Are there any log messages before this? Something must've placed the
switch in standby mode for HSRP group 1 on VLAN 10.

The above commands would be normal if VLAN10 changed from line protocol
down to line protocol up. It wasn't bumped like that?

Any aggressive timers that could make the HSRP unstable?

Regards,
Peter




Re: [c-nsp] 32 bit ASN

2008-12-18 Thread Marcus.Gerdon
Hi,

I just checked the info I have - 2nd source says SXJ ... so supposedly that 
one with a time frame was a typo and meant to be SXJ.


regards,

Marcus


Systemtechnik Internet / Internet Engineering

Versatel West GmbH

Unterste-Wilms-Strasse 29
D-44143 Dortmund

Fon: +49-(0)231-399-4486 | Fax: +49-(0)231-399-4491
marcus.ger...@versatel.de | www.versatel.de

Sitz der Gesellschaft: Essen, Registergericht: Essen HRB 19502
Geschäftsführer: Marc Lützenkirchen, Peer Knauer, Dr. Hai Cheng, Dr. Christian 
Schemann

 AS8881 / AS8638 / AS13270 | MG3031-RIPE

 



Re: [c-nsp] STP or HSRP problem ?

2008-12-18 Thread Ozgur Guler

Have you done a write mem or any configuration change just prior to this?
Do you have any throttles on this interface?




Re: [c-nsp] STP or HSRP problem ?

2008-12-18 Thread Charlie Allom
On Thu, Dec 18, 2008 at 06:43:46AM -0800, Teller, Robert wrote:
 This appears to be related to hsrp. What is the exact problem your
 having, do your users report loss of connectivity momentarily or are you
 just looking in your log file and see this entry. It's hard to say
 without see your config what the problem is.

I get this often on ISR routers with high CPU (2821's)

Depending on how long it lasts it can knock out streaming but that's
about all that notices.

  C.
-- 
 020 7729 4797
 http://blog.playlouder.com/


Re: [c-nsp] Any good filters for syslog output

2008-12-18 Thread Christian Zeng
Hi,

* Eric Cables ecab...@gmail.com wrote:
I've been using swatch for a couple of years now, and have been pretty happy
with it (I used CiscoWorks' built-in syslog analyzer before, yuck!).  I have
had ambitions to test out SEC (Simple Event Correlator), which appears to
still be developed (not sure if I've seen a swatch update since I started
using it), but I just haven't had the time to do so.

For those who have used both swatch & SEC, do you have any arguments for
switching to SEC?

We have been using SEC in production for 4 years; it has proven to be a
stable and very powerful event correlation tool.

Back then I also looked into swatch. SEC made the cut because it allowed me
to work with context-based events. This means that when one event occurs,
you can create a context, allowing other event rules to become active.

There are tons of use cases I can think of. Event suppression, for
example when an STP topology trap is logged. Watchdog solutions,
like noticing an adjacency went down and starting a timer to check
whether it came back or not. Or even complex aggregation rules, like
collecting information about traffic behaviour (ACL hits/IDS logs) and
correlating up to the point where you can make sense of the noise
(what MARS does; simpler, but free).

I am certain that some of this can be done with swatch, but more complex
scenarios require some persistent relation between events, and I
think this cannot be done with swatch.

Kind regards,


Christian
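As an added example (not code from the thread, and not SEC itself), the kind of context-based rules Christian describes, written in Python: a watchdog that opens a context when an OSPF adjacency goes down and alerts only if it has not come back within the window, suppression of repeated STP topology-change traps with a summary when the window closes, and a flap count over the %STANDBY-6-STATECHANGE lines from the HSRP thread. The sample log lines are constructed and the window sizes are assumptions.

```python
import re
from datetime import datetime, timedelta

# Cisco syslog line: "<Mon dd hh:mm:ss[.mmm]> <tz>: %FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{1,3})?) \w+: "
                     r"%(?P<fac>[A-Z0-9_]+)-\d-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$")
ADJ_RE = re.compile(r"Nbr (?P<nbr>\S+) on (?P<ifc>\S+) from \S+ to (?P<state>\w+)")
HSRP_RE = re.compile(r"(?P<ifc>\S+) Group (?P<grp>\d+) state \w+ -+>? (?P<new>\w+)")
TOPO_RE = re.compile(r"for vlan (?P<vlan>\d+)")

# Constructed sample log: the two %STANDBY lines mirror the HSRP thread; the OSPF and
# SPANTREE lines are made up to exercise the watchdog and suppression rules.
SAMPLE_LOG = """\
Dec 12 15:40:24.556 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Standby -> Active
Dec 12 15:40:24.564 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Active -> Speak
Dec 12 15:40:30.001 CCT: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Dec 12 15:40:31.100 CCT: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 10
Dec 12 15:40:32.100 CCT: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 10
Dec 12 15:40:33.100 CCT: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 10
Dec 12 15:40:45.200 CCT: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
Dec 12 15:41:00.000 CCT: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.3 on GigabitEthernet0/2 from FULL to DOWN, Neighbor Down: Interface down or detached
"""

def parse_ts(s):
    # Cisco stamps carry no year; strptime's 1900 default is fine for computing deltas
    return datetime.strptime(s, "%b %d %H:%M:%S.%f" if "." in s else "%b %d %H:%M:%S")

class Correlator:
    """Watchdog, suppression and flap-count rules in the SEC spirit; windows are demo assumptions."""
    def __init__(self, adj_window=30, flap_window=5, flap_count=2, suppress_window=60):
        self.adj_window = timedelta(seconds=adj_window)
        self.flap_window = timedelta(seconds=flap_window)
        self.flap_count = flap_count
        self.suppress_window = timedelta(seconds=suppress_window)
        self.pending_adj = {}   # (nbr, ifc) -> deadline: open "adjacency down" contexts
        self.hsrp_hist = {}     # (ifc, group) -> recent state-change timestamps
        self.topo_seen = {}     # vlan -> (first_ts, repeats suppressed so far)
        self.alerts, self.suppressed = [], 0

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m:
            return None                       # not a Cisco syslog line: ignore
        ts = parse_ts(m["ts"])
        self._expire(ts)                      # contexts that expired before this event fire first
        handler = {("OSPF", "ADJCHG"): self._adjacency, ("STANDBY", "STATECHANGE"): self._hsrp,
                   ("SPANTREE", "TOPOTRAP"): self._topology}.get((m["fac"], m["mn"]))
        if handler:
            handler(ts, m["text"])
        return ts

    def _expire(self, now):
        for k, deadline in list(self.pending_adj.items()):
            if now >= deadline:               # neighbour never came back: alert
                del self.pending_adj[k]
                self.alerts.append(f"ADJ-LOST nbr {k[0]} on {k[1]} did not return within {self.adj_window.seconds}s")
        for vlan, (first, n) in list(self.topo_seen.items()):
            if now >= first + self.suppress_window:
                del self.topo_seen[vlan]
                if n:
                    self.alerts.append(f"TOPO-SUMMARY vlan {vlan}: {n} further topology changes suppressed")

    def _adjacency(self, ts, text):
        a = ADJ_RE.search(text)
        k = (a["nbr"], a["ifc"]) if a else None
        if a and a["state"] == "DOWN":
            self.pending_adj[k] = ts + self.adj_window   # open context, start the timer
        elif a and a["state"] == "FULL" and k in self.pending_adj:
            del self.pending_adj[k]                      # back within the window: stay quiet
            self.suppressed += 1

    def _hsrp(self, ts, text):
        h = HSRP_RE.search(text)
        if not h:
            return
        k = (h["ifc"], h["grp"])
        self.hsrp_hist[k] = [t for t in self.hsrp_hist.get(k, []) if ts - t <= self.flap_window] + [ts]
        if len(self.hsrp_hist[k]) == self.flap_count:   # alert once, when the threshold is reached
            self.alerts.append(f"HSRP-FLAP {k[0]} group {k[1]}: {self.flap_count} state changes within {self.flap_window.seconds}s")

    def _topology(self, ts, text):
        t = TOPO_RE.search(text)
        if t and t["vlan"] in self.topo_seen:   # inside the window: count it, don't alert
            first, n = self.topo_seen[t["vlan"]]
            self.topo_seen[t["vlan"]] = (first, n + 1)
            self.suppressed += 1
        elif t:
            self.topo_seen[t["vlan"]] = (ts, 0)
            self.alerts.append(f"TOPO-CHANGE vlan {t['vlan']}")

    def flush(self):
        """End of input: fire every open context, as a correlator does at shutdown."""
        self._expire(datetime.max)
        return self.alerts

def correlate(log_text, **windows):
    """Run the rules over a whole log; returns (alerts in order, count of suppressed events)."""
    c = Correlator(**windows)
    for line in log_text.splitlines():
        c.feed(line)
    return c.flush(), c.suppressed
```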


Re: [c-nsp] Cisco 7206 - High CPU Utilization

2008-12-18 Thread Spencer Barnes
Thanks for the suggestion, unfortunately it didn't have an impact on the
CPU utilization.  

I received this suggestion as well:

 If you run AES instead you'll massively reduce your CPU utilization.
I'd suggest a G1 at least for what you're doing. An 1811 would probably
run better than this router because the processor is at least somewhat
designed to handle what you're doing.

It helped reduce utilization on the VPN process by about 20% but I'm
still seeing high CPU utilization when uploading from our network and I
should have mentioned that the border router with the high CPU
utilization is connected to another Cisco 7206 with a lesser NPE-200.
All the same traffic flowing through the border router is going through
the core so you'd think it would exhibit the high CPU utilization but it
never breaks a sweat.  This seems important and seems to indicate the
border router is having a problem?  

I'm thinking downgrade the IOS on the border router ((C7200-JK9O3S-M),
Version 12.4(21)) to match the core ((C7200-IK9S-M), Version
12.3(14)T7).  Perhaps the newer IOS with the bigger feature set is too
much for the border router?

If that doesn't work I'd also be curious to see what would happen if I
moved the T3 card to the core router and see if the CPU utilization goes
up on it but I can't do that until after the holidays.  

I've followed Cisco's guide to troubleshooting high IP input utilization
and I can't think of anything else to do configuration wise on the
border router.  Thanks for all the help from everyone so far, it is very
much appreciated.

Spencer


-Original Message-
From: Mikael Abrahamsson [mailto:swm...@swm.pp.se] 
Sent: Wednesday, December 17, 2008 11:13 AM
To: Spencer Barnes
Cc: Church, Charles; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

On Wed, 17 Dec 2008, Spencer Barnes wrote:

 I removed all ACLs and Netflow but that did not have an effect.  I think
 I can move NAT to the core router for testing purposes, I'll try and do
 that tomorrow morning.  IOS version is (C7200-JK9O3S-M), Version
 12.4(21).

If you're tunneling over 1500 media, doing ip tcp mss-adjust 1300 on the
interface where the traffic to encrypt/tunnel is passing
unencrypted/untunneled might help you. Worth a try though, you don't want
multiple tunnel/encrypted packets per packet in the VPN.

-- 
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: [c-nsp] Any good filters for syslog output

2008-12-18 Thread Martin Moens
For those using a Windows server for syslog, sl4nt
(http://www.netal.com/sl4nt.htm) is a very flexible (and not expensive)
option. It also has all the above-mentioned options.

Martin
 


Re: [c-nsp] Any good filters for syslog output

2008-12-18 Thread Jason LeBlanc
The other nice thing about SEC is that it can handle a busy log server 
without nuking the cpu.  You can get pretty crazy with it too in terms 
of complexity.




Re: [c-nsp] Cisco 7206 - High CPU Utilization

2008-12-18 Thread Łukasz Bromirski


For VPNs on the 7200 there are SA-VAMs which offload crypto to
hardware - it was mentioned already in this and in past threads.

Also, there was a suggestion to do MSS adjust on the internal interface
accepting the traffic to be encrypted, to minimize the chance of hitting
fragmentation, which will kill the CPU right away. You didn't mention
it in this mail - were you able to make this change?

A high IP Input process means something is being processed in
software switching, not CEF switching - so either some of the
features are to blame (you mention the other, smaller NPE doing fine with
the traffic, which strongly suggests services are the key), or
12.4(21) isn't the right choice - and you should stick with 12.3(14)T7.

One way or the other - don't do VPNs on a border 7200 without VAMs.
And even with them - look for an ASA, or an ISR with VPN hardware, to do
the offload without threatening the stability of the border platform.

--
Don't expect me to cry for all the |   Łukasz Bromirski
 reasons you had to die -- Kurt Cobain |http://lukasz.bromirski.net


[c-nsp] 1751 no flash directory

2008-12-18 Thread Aaron Riemer
Hey guys,
 
I have this 1751 router that I am having issues with. For some reason
when I do a 'show version' it doesn't list the flash memory and when I
do a dir flash: the directory doesn't exist! However when going into
rommon mode a dir flash: shows the flash fine but doesn't indicate the
size of the flash i.e. bytes available. I have set the configuration
register properly (0x2102) and cleared the configuration but still it
will not list the flash in a normal boot. I was thinking I could just
tftp a new flash to the system via rommon mode and tftpdnld but I have
no idea how much memory the flash has!
 
Any hints?
 
Thanks,
 
Aaron.



[c-nsp] So you think you know Cisco

2008-12-18 Thread Hank Nussbacher

http://www.networkworld.com/slideshows/2008/121808-cisco-quiz.html?netht=rn_121808nladname=121808

-Hank


Re: [c-nsp] MPLS-VPN migration

2008-12-18 Thread Aaron Daniels - Lists
I have had a few requests for this so I thought I'd put it on-list.

Thanks,
Aaron Daniels


router bgp 1
 neighbor FIREWALL peer-group
 neighbor FIREWALL local-as 65255 no-prepend replace-as
 neighbor FIREWALL ebgp-multihop 255
 neighbor 192.168.96.12 remote-as 65001
 neighbor 192.168.96.12 peer-group FIREWALL
 neighbor 192.168.96.20 remote-as 65002
 neighbor 192.168.96.20 peer-group FIREWALL
 !
 address-family ipv4
 neighbor FIREWALL route-map VRF-POLICY-IN in
 neighbor FIREWALL route-map VRF-POLICY-OUT out
 neighbor 192.168.96.12 activate
 neighbor 192.168.96.20 activate
 aggregate-address 10.255.0.0 255.255.0.0 summary-only
 exit-address-family
 !
 address-family ipv4 vrf ONE
 neighbor 192.168.96.4 remote-as 65255
 neighbor 192.168.96.4 local-as 65001 no-prepend replace-as
 neighbor 192.168.96.4 ebgp-multihop 255
 neighbor 192.168.96.4 activate
 neighbor 192.168.96.4 default-originate
 neighbor 192.168.96.4 route-map VRF-POLICY-IN in
 neighbor 192.168.96.4 route-map VRF-POLICY-OUT out
 bgp router-id 192.168.96.12
 aggregate-address 10.1.0.0 255.255.0.0 summary-only
 exit-address-family
 !
 address-family ipv4 vrf TWO
 neighbor 192.168.96.4 remote-as 65255
 neighbor 192.168.96.4 local-as 65002 no-prepend replace-as
 neighbor 192.168.96.4 ebgp-multihop 255
 neighbor 192.168.96.4 activate
 neighbor 192.168.96.4 route-map VRF-POLICY-IN in
 neighbor 192.168.96.4 route-map VRF-POLICY-OUT out
 bgp router-id 192.168.96.20
 aggregate-address 10.2.0.0 255.255.0.0 summary-only
 exit-address-family
!
ip route 192.168.96.0 255.255.252.0 192.168.96.1
ip route vrf ONE 192.168.96.0 255.255.252.0 192.168.96.9
ip route vrf TWO 192.168.96.0 255.255.252.0 192.168.96.17
!
ip prefix-list NOADVERTISE-OUT seq 5 permit 192.168.96.0/22 ge 22
!
route-map VRF-POLICY-OUT deny 10
 match ip address prefix-list NOADVERTISE-OUT
!
route-map VRF-POLICY-OUT permit 20
!
route-map VRF-POLICY-IN permit 10
 set local-preference 200
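As an added example (not Aaron's code, not from the thread), a small Python linter that parses the posted IOS config and checks the two gotchas from the earlier message: every VRF address-family carries its own, distinct bgp router-id, and the local-as/remote-as pair on the VRF side mirrors the remote-as/local-as pair on the global side. It assumes, as in the config above, that the global table peers with each VRF at that VRF's router-id address; the embedded config is a condensed copy of the posted one.

```python
import re
# Condensed copy of the lab config above (static routes and route-maps dropped).
CONFIG = """router bgp 1
 neighbor FIREWALL peer-group
 neighbor FIREWALL local-as 65255 no-prepend replace-as
 neighbor 192.168.96.12 remote-as 65001
 neighbor 192.168.96.12 peer-group FIREWALL
 neighbor 192.168.96.20 remote-as 65002
 neighbor 192.168.96.20 peer-group FIREWALL
 address-family ipv4 vrf ONE
 neighbor 192.168.96.4 remote-as 65255
 neighbor 192.168.96.4 local-as 65001 no-prepend replace-as
 bgp router-id 192.168.96.12
 exit-address-family
 address-family ipv4 vrf TWO
 neighbor 192.168.96.4 remote-as 65255
 neighbor 192.168.96.4 local-as 65002 no-prepend replace-as
 bgp router-id 192.168.96.20"""
def parse_bgp(config):
    """Split a router bgp block into the global context plus one context per VRF."""
    ctx = {"vrfs": {}}
    cur = ctx["global"] = {"rid": None, "nbrs": {}}
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("address-family ipv4 vrf "):
            cur = ctx["vrfs"].setdefault(line.split()[-1], {"rid": None, "nbrs": {}})
        elif line in ("address-family ipv4", "exit-address-family"):
            cur = ctx["global"]
        elif line.startswith("bgp router-id "):
            cur["rid"] = line.split()[-1]
        elif m := re.match(r"neighbor (\S+) (remote-as|local-as|peer-group)(?: (\S+))?", line):
            cur["nbrs"].setdefault(m[1], {})[m[2]] = m[3]  # m[3] is None for a group definition
    return ctx

def attr(nbrs, nbr, key):  # neighbor attribute, with IOS-style fallback to its peer-group
    own = nbrs.get(nbr, {})
    return own.get(key) or nbrs.get(own.get("peer-group"), {}).get(key)

def check(ctx):
    """Gotchas the config violates; assumes the global table peers with each VRF at that VRF's router-id."""
    out, rids, g = [], [v["rid"] for v in ctx["vrfs"].values()], ctx["global"]["nbrs"]
    for name, v in ctx["vrfs"].items():
        rid = v["rid"]
        if rid is None or rids.count(rid) > 1:
            out.append(f"vrf {name}: router-id {rid} missing or shared with another VRF"); continue
        for nbr, a in v["nbrs"].items():  # skip peer-group definitions, check real sessions
            if a.get("peer-group", "") is not None and \
               (attr(g, rid, "remote-as"), attr(g, rid, "local-as")) != \
               (attr(v["nbrs"], nbr, "local-as"), attr(v["nbrs"], nbr, "remote-as")):
                out.append(f"vrf {name}: AS numbers disagree with the global session to {rid}")
    return out
```

Run `check(parse_bgp(CONFIG))` before pushing the config; an empty list means both gotchas are covered for every VRF.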


Re: [c-nsp] 3550 routing performance

2008-12-18 Thread Łukasz Bromirski

On 2008-12-19 06:32, Tony wrote:


If I FTP a file from PC2 to PC1 I get speeds of 97Mbps (near enough
to wire speed of 100Mbps). Nice. I then change the config so that the
interfaces are in a VRF, like this: Testing using the FTP transfer
again I get an average transfer speed of around 14Mbps (not so
nice).


My wild guess would be to check for extended-match in sdm template:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_seb/configuration/guide/swiprout.html#wp1213867

Change that, reboot the switch and then run the tests for interfaces in
VRF again. As for the other tests with routing over SVIs -
very strange :) as 3550 is routing in hardware.

--
Don't expect me to cry for all the |   Łukasz Bromirski
 reasons you had to die -- Kurt Cobain |http://lukasz.bromirski.net