[c-nsp] vlan question

2009-02-23 Thread Deric Kwok
Hi

I configured the router's ethernet1 to support 4 VLANs, and each VLAN will have
a /28.

I have a 48-port switch. I will configure a trunk port on port 2 and also
configure, e.g.:

port 3 - port 16   vlan2
port 17 - port 33  vlan3
port 34 - port 48  vlan4

Now I have some questions:

1/ How is the last VLAN (vlan5) handled?

2/ I have one more switch. How can I put vlan5 on this switch?

3/ Is this configuration good?

Thank you for your help
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco Refurbished Equipment Program

2009-02-23 Thread Powers, Kenny

When you RMA a part back to Cisco refurb, they send you another refurbished 
part back.  I am myself a provider of secondary market hardware and have gone 
through Cisco refurb a few times for my clients.  My opinion on it would be 
that Cisco does not put a whole lot of emphasis on this program and can 
sometimes have shoddy product and not great service at high prices.  If you are 
looking to save some money, find a company that specializes in off lease asset 
redistribution (of course I prefer to say use mine, but there are several good 
companies out there, most better than Cisco's program).  A good provider like 
this should be cheaper and give you a better warranty.  Please let me know if 
you all have any other questions you would like answered,

Kenny


Kenny Powers
Direct: 678-969-3396  Fax: 678-969-3397  Mobile: 678-591-3022
* Enterprise Storage, Servers, Networking Equipment
* Data Center Consolidations / Relocations
* Asset Remarketing / Disposition Services



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ved Labs
Sent: Sunday, February 22, 2009 4:27 AM
To: Aaron
Cc: Gert Doering; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Refurbished Equipment Program

What I believe is that most of the parts would be refurbished, even for
the first buy.

Even when you do an RMA, you get refurbished parts.

How do you make sure that the part is a new one or refurbished?

Biddu.

On 2/21/09, Aaron dudep...@gmail.com wrote:
 Bad timing?

 On Fri, Feb 20, 2009 at 18:03, Gert Doering g...@greenie.muc.de wrote:

 Hi,

 On Fri, Feb 20, 2009 at 04:54:09PM -0500, Chris Wallace wrote:
  We purchased a Cisco 6509 through this program a couple years ago.
  When we first got it up and running we found out it had a failed fan
  tray, just opened a TAC case for the RMA and got a new one right
  away.  No complaints here!

 Well - if it's all nicely refurbished, I wonder why it had a failed
 fan in the first place.

 But maybe that's just me...

 gert
 --
 USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
 Gert Doering - Munich, Germany   g...@greenie.muc.de
 fax: +49-89-35655025             g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Cisco Refurbished Equipment Program

2009-02-23 Thread Chris Wallace
Probably just a fluke; it happened to be that one of the 9 or so fans
wasn't spinning at the proper RPM.


---Chris



On Feb 20, 2009, at 6:03 PM, Gert Doering wrote:


Hi,

On Fri, Feb 20, 2009 at 04:54:09PM -0500, Chris Wallace wrote:

We purchased a Cisco 6509 through this program a couple years ago.
When we first got it up and running we found out it had a failed fan
tray, just opened a TAC case for the RMA and got a new one right
away.  No complaints here!


Well - if it's all nicely refurbished, I wonder why it had a failed
fan in the first place.

But maybe that's just me...

gert
--
USENET is *not* the non-clickable part of WWW!
  //www.muc.de/~gert/
Gert Doering - Munich, Germany   g...@greenie.muc.de
fax: +49-89-35655025             g...@net.informatik.tu-muenchen.de




Re: [c-nsp] Cisco Refurbished Equipment Program

2009-02-23 Thread Gert Doering
Hi,

On Mon, Feb 23, 2009 at 10:09:26AM -0500, Chris Wallace wrote:
 Probably just a fluke; it happened to be that one of the 9 or so fans
 wasn't spinning at the proper RPM.

Which is exactly my point - the fans are monitored very well by the onboard
diagnostics, and I find it surprising that a refurbished router (which
should be checked for defects, or near-defects) should have a fan tray
that's already near-failed...

In my experience with 6500 fans, they only complain when one of the fans
is really defective, as in: you take out the tray, 8 fans will continue to
spin for 30 seconds, the 9th will stop after 3 seconds.

But we're not using Cisco refurb anyway - as has been said: they seem
to be doing this to show good will and stop customers from getting
their hardware elsewhere - but all they do is demonstrate lack of
interest.

gert
--
USENET is *not* the non-clickable part of WWW!
  //www.muc.de/~gert/
Gert Doering - Munich, Germany   g...@greenie.muc.de
fax: +49-89-35655025             g...@net.informatik.tu-muenchen.de



[c-nsp] VRF and STATIC ROUTE to GLOBAL

2009-02-23 Thread Jeff Fitzwater

This question was posted earlier, before I opened a ticket with Cisco.

Router is a 6500 with a 720-CXL running SXI code.

1. I have router A, which is used to connect to our three ISPs (two
I1s and one I2 connection, with full BGP), and which also receives all our
internal campus traffic via a RIP default path. Router A announces the
default to campus.

2. I now need to add a new special ESNET.GOV ISP which cannot be used
by the majority of our campus, except for two subnets. These two
subnets will still have access to the other three ISPs for normal path
selection but have the option of choosing an ESNET route if needed.

3. So the original thinking was to create a VRF for ESNET which
would have its own ESNET route table, and tell the two special subnets
(using a route-map: match subnets, set vrf) to check the ESNET table first
and, if the route is not in that table, fall through to global.

4. I can't just have one route table that includes the ESNET routes,
because ESNET announces some more specific routes, and there may be
hosts that normally use the I1 path to these destinations but would now see
a more specific path, try to use it, and fail because it is not allowed by
the ESNET outbound ACL.

I have BGP peering working in the VRF (I can see prefixes from ESNET in the
VRF table), but I cannot announce our two subnet prefixes because they do
not show up in the VRF route table. So getting a static back to global
would fix this and the other issue with the DEFAULT to global. When I try to
add static routes they never show up, because the next hop is not
present in the VRF table, or the command fails stating "Invalid
next-hop address (it's this router)".

I was hoping that just adding a static DEFAULT in the VRF pointing to
global would do everything I needed, but I cannot get it to work even
after trying all permutations of the command:

  ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 0.0.0.0 global

Also tried:

  ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10 global

Loopback3 was created with an RFC 1918 IP and had vrf forwarding added on
this loopback. This also failed.

Creating an internal path between the VRF router and the global router
is what is stopping all this from working.

I have a ticket open with Cisco, but they are saying I have to add an
external link with two physical ports on the VRF. This will not work for
us.

Does anybody know how to get statics working between the VRF and the global
table, if it's even possible?

Really stuck!



Jeff Fitzwater
OIT Network Systems
Princeton University
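Points 3 and 4 above describe the lookup order Jeff wants (the two permitted subnets consult the ESNET VRF first and fall through to global) and why a single merged table breaks for everyone else. The Python below models that decision with constructed documentation prefixes; it is an added illustration, not anything from the post, and it models the intended lookup order rather than what IOS's "set vrf" actually does.

```python
import ipaddress

# Constructed tables (documentation prefixes, not Princeton's or ESNET's routes).
GLOBAL_TABLE = {
    "0.0.0.0/0": "I2",          # default from the commodity upstreams
    "198.51.100.0/24": "I1",    # a destination the campus normally reaches via I1
}
ESNET_VRF = {
    "198.51.100.128/25": "ESNET",   # ESNET's more specific covering half of that /24
}
# The two campus subnets allowed to use ESNET (the ones its outbound ACL permits).
ESNET_SOURCES = [ipaddress.ip_network("192.0.2.0/25"),
                 ipaddress.ip_network("192.0.2.128/25")]


def lpm(table, dst):
    """Longest-prefix match of dst in {prefix: next_hop}; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def esnet_acl_permits(src):
    """The ESNET outbound ACL only passes traffic sourced from the two subnets."""
    return any(ipaddress.ip_address(src) in net for net in ESNET_SOURCES)


def forward_single_table(src, dst):
    """Point 4: one table holding both the global and the ESNET routes.
    Returns (next_hop, delivered): a non-permitted host whose destination
    matches ESNET's more specific is sent to ESNET and dropped by the ACL."""
    merged = {**GLOBAL_TABLE, **ESNET_VRF}
    _, next_hop = lpm(merged, dst)
    return next_hop, next_hop != "ESNET" or esnet_acl_permits(src)


def forward_vrf_first(src, dst):
    """Point 3: only the permitted subnets consult the ESNET VRF, and fall
    through to the global table when the VRF has no route for dst."""
    if esnet_acl_permits(src):
        hit = lpm(ESNET_VRF, dst)
        if hit is not None:
            return hit[1], True
    _, next_hop = lpm(GLOBAL_TABLE, dst)
    return next_hop, True
```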



Re: [c-nsp] VRF and STATIC ROUTE to GLOBAL

2009-02-23 Thread Richard N. Ingram

Apologies for not answering your question directly.  In your situation, 
something analogous to what we do would be (you've done some of this 
already):


Create a VRF ESNet on your border router.  Create a VRF ESNet on your 
campus routers.  The global table of your campus routers would be 
connected to the global table of your border router (via RIP).  The 
ESNet VRF of your campus routers would be connected to the global table 
of your border router (via RIP) in order to get a default route.  In 
addition, the ESNet VRF of your campus routers would be connected to the 
ESNet VRF of your border router in order to get the ESNet VRF prefixes.


If you run trunks between your border routers and campus routers, this 
can be accomplished with different VLANs for the different VRF-global 
and VRF-VRF connections.


In a poor attempt at ASCII art, this would look like:

   I1   I1   I2                 ESNet
    |    |    |                   |
    |    |    |                   |
    |    |    |                   |
  Border Global Table         Border ESNet VRF
    |        \                    |
    |         \                   |
    |          \                  |
  Campus Global Table         Campus ESNet VRF

So the hosts in the Campus ESNet VRF could use the default to get to I1 
and I2, or the more specific prefixes to get to ESNet.  In general, I 
tend to like this more than route-leaking between VRFs.  I believe 
multicast doesn't like route-leaking as it causes problems with RPF.  I 
can give you details of our setup offline if you're interested.


Hope that helps,
Rich Ingram
===
Richard N. Ingram
Network Design Engineer
Networking and Telecommunications Services
Office of Information Technology
University of Minnesota
2218 University Avenue SE
Minneapolis, Minnesota 55414
Work Phone: 612-626-6626
Cell Phone: 612-802-8859
E-mail: r...@umn.edu
===


Re: [c-nsp] Security question regarding VTP in a L2 shared environment

2009-02-23 Thread Geoffrey Pendery
Hypothetically, if there is no L2 or L3 security in place, would it
be as simple as creating a sw acc vlan 230, and allowing 230 on the
trunk port on my switch to start scoping about at the other end?

Well, the L2 security in question is that on the other end of the
trunk, it *should* be configured to only allow the VLANs that you're
supposed to be sharing.
If that is not configured, then yes, you could add access ports to the
other VLANs, then add those VLANs to the trunk, and your access-port
hosts would be on that VLAN.

Since your intent is not to do that, you should configure your end of
the trunk to only allow the VLANs that you intend to share with your
layer-2 partner.


-Geoff


On Fri, Feb 20, 2009 at 9:28 PM, Steve Bertrand st...@ibctech.ca wrote:
 I have a shared L2 environment with a local company, in which we have
 numerous VLANs over fibre. I'm in the process of moving to transparent
 on all of my switches, and during the work, I'm checking things out.

 Doing a sh vlan produces output that includes VLANs that I shouldn't see:

 230   xxxOFFICExxx active
 240   xxxSECURITYxxx   active
 250   xxxDMZx  active

 ...etc.

 The VLANs shown above belong to the network that I am connected to. They
 are completely outside of my security boundary.

 Hypothetically, if there is no L2 or L3 security in place, would it be
 as simple as creating a sw acc vlan 230, and allowing 230 on the trunk
 port on my switch to start scoping about at the other end?

 Of course I am not going to do anything of the sort, hence why I am
 asking here. I'm sure I know the answer already, but if I don't get any
 feedback from the list, I'm going to lab it up internally and do some
 educational testing for my own knowledge.

 Steve


[c-nsp] what ip should be in switch?

2009-02-23 Thread chloe K
Hi all

I would like to know what the best way is to set up an IP on a switch.

If the switch IP is not in the operational network (e.g. a private IP), I can't see
any operational IPs on the switch's ports with sh arp; it only shows ARP entries
from the management network.

If I use an IP in the same operational network, it puts this switch at greater
risk.

Can you teach me?

Thank you



Re: [c-nsp] Security question regarding VTP in a L2 shared environment

2009-02-23 Thread Steve Bertrand
Geoffrey Pendery wrote:
 Hypothetically, if there is no L2 or L3 security in place, would it
 be as simple as creating a sw acc vlan 230, and allowing 230 on the
 trunk port on my switch to start scoping about at the other end?
 
 Well, the L2 security in question is that on the other end of the
 trunk, it *should* be configured to only allow the VLANs that you're
 supposed to be sharing.
 If that is not configured, then yes, you could add access ports to the
 other VLANs, then add those VLANs to the trunk, and your access-port
 hosts would be on that VLAN.
 
 Since your intent is not to do that, you should configure your end of
 the trunk to only allow the VLANs that you intend to share with your
 layer-2 partner.

My end is already configured to only allow the VLANs in use on this
connection.

I have other concerns regarding this setup. The connection in question
terminates within another company's facility. They aggregate numerous
fibre connected clients of ours, and then we provide the Internet
bandwidth via a VLAN per sub.

Since the only responsibility that the other company has is physical
connectivity, I'm going to request that I collocate my own switch inside
of their network that terminates all of our clients (and ourselves).

I don't really like the potential for MitM with the existing setup. I
highly doubt that this would ever happen, but in all reality, one never
knows for sure.

At least if I have my own switch in the other network, I'll be able to
ensure end-to-end integrity to a much higher degree.

Steve


Re: [c-nsp] what ip should be in switch?

2009-02-23 Thread Jay Hennigan

chloe K wrote:

Hi all

I would like to know what the best way is to set up an IP on a switch.

If the switch IP is not in the operational network (e.g. a private IP), I can't see any operational IPs on the switch's ports with sh arp; it only shows ARP entries from the management network.

If I use an IP in the same operational network, it puts this switch at greater risk.


Put the switch management on a secure network, put your customer traffic 
on a different VLAN or combination of VLANs depending on the complexity 
of your network.


For a layer 2 switch, sh arp will only display MAC and IP addresses 
associated with traffic to the switch, not through it.


You can use sh mac-address-table (on some versions the command is 
sh mac address-table) to identify layer 2 addresses associated with 
traffic going through the switch.


In addition, access-class ACLs on the VTY lines (and snmp and http, if 
you use them) are a good thing to limit management to trusted hosts.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
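Geoffrey's point in the VTP thread (prune each trunk to the VLANs you actually share, with Steve moving VTP to transparent) and Jay's point here (access-class on the VTY lines) are both things you can check mechanically in a saved configuration. The auditor below is an added example, not code from any of the posters; the config it reads is constructed, and it understands only the plain "switchport trunk allowed vlan", "vtp mode" and "access-class ... in" forms.

```python
"""Audit an IOS-style config for three of the thread's hardening points:
trunks that admit every VLAN, VTP not in transparent mode, and VTY lines
without an inbound access-class."""

# Constructed sample: one pruned trunk, one wide-open trunk, VTP left in
# server mode, one VTY range with an access-class and one without.
SAMPLE_CONFIG = """\
hostname edge-sw1
vtp mode server
!
interface GigabitEthernet0/1
 description shared-L2 uplink, pruned to the VLANs we exchange
 switchport mode trunk
 switchport trunk allowed vlan 100,110
!
interface GigabitEthernet0/2
 description second trunk, never pruned
 switchport mode trunk
!
line vty 0 4
 login local
 transport input ssh
!
line vty 5 15
 access-class MGMT-ONLY in
 login local
"""

ALL_VLANS = frozenset(range(1, 4095))


def parse_blocks(config):
    """Split a config into (header, body_lines) pairs: unindented lines start
    a block, indented lines belong to it, '!' or a blank line closes it."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        stripped = raw.strip()
        header, body = (None, []) if stripped in ("", "!") else (stripped, [])
    if header is not None:
        blocks.append((header, body))
    return blocks


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '100,110,200-205' into a set of ids."""
    vlans = set()
    for part in spec.split(","):
        if part.strip():
            lo, _, hi = part.strip().partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunk_allowed_vlans(body):
    """Replay the 'switchport trunk allowed vlan ...' lines of one interface
    in order; with no list configured IOS allows every VLAN (the default)."""
    prefix = "switchport trunk allowed vlan "
    allowed = set(ALL_VLANS)
    for line in body:
        if not line.startswith(prefix):
            continue
        word, _, rest = line[len(prefix):].strip().partition(" ")
        if word == "all":
            allowed = set(ALL_VLANS)
        elif word == "none":
            allowed = set()
        elif word == "add":
            allowed |= expand_vlan_list(rest)
        elif word == "remove":
            allowed -= expand_vlan_list(rest)
        elif word == "except":
            allowed = set(ALL_VLANS - expand_vlan_list(rest))
        else:
            allowed = expand_vlan_list(word)
    return allowed


def audit(config):
    """Return the findings, in config order, as human-readable strings."""
    findings = []
    blocks = parse_blocks(config)
    vtp_mode = "server"  # IOS default when no 'vtp mode' line is present
    for header, _ in blocks:
        if header.startswith("vtp mode "):
            vtp_mode = header.split()[2]
    if vtp_mode != "transparent":
        findings.append("vtp: mode is %s, not transparent" % vtp_mode)
    for header, body in blocks:
        if header.startswith("interface ") and "switchport mode trunk" in body:
            if trunk_allowed_vlans(body) == ALL_VLANS:
                name = header.split(" ", 1)[1]
                findings.append("%s: trunk allows all 4094 VLANs" % name)
        elif header.startswith("line vty"):
            # Only an *inbound* access-class restricts who may reach the VTYs.
            has_acl = any(l.split()[:1] == ["access-class"] and l.split()[2:3] == ["in"]
                          for l in body)
            if not has_acl:
                findings.append("%s: no inbound access-class" % header)
    return findings
```

Run audit(SAMPLE_CONFIG) to see the three findings for the constructed config; a config with "vtp mode transparent", an allowed-VLAN list on every trunk and an inbound access-class on every VTY range yields an empty list.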


Re: [c-nsp] VRF and STATIC ROUTE to GLOBAL

2009-02-23 Thread schilling
I am not clear about your route-map match subs, set vrf. If your two
specific subnets are in one campus core, you need to put them into VRF
ESNET by ip forwarding vrf ESNET. If these two specific subnets are
distributed in your campus core, you need to use end-to-end vrf-lite or
MPLS, and put them in VRF ESNET.  Once in the VRF ESNET, you can then
advertise them to your ESNET eBGP peering. If you have more specific subnets
within the two subnets, ip route vrf ESNET yourTwoSubnet2ESNET null 0 will
populate a static route in your VRF ESNET, so you can advertise them to your
ESNET eBGP. Existing more specific traffic will be routed in your VRF ESNET,
and non-specific traffic is dropped.

Schilling



Re: [c-nsp] VRF and STATIC ROUTE to GLOBAL

2009-02-23 Thread Luan Nguyen
Instead of an external link with 2 physical ports, you could try to create a
GRE tunnel with 2 loopback interfaces.

! Two loopbacks in the global table serve as the GRE endpoints, so each
! tunnel's source and destination are reachable without any external link.
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback10
 ip address 10.10.100.1 255.255.255.0
!
! Tunnel1 is the VRF end of the hairpin: packets sent into it are
! encapsulated from Loopback0 and decapsulated on Tunnel2 below.
interface Tunnel1
 ip vrf forwarding NSP
 ip address 172.16.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.10.100.1
!
! Tunnel2 is the global-table end of the same hairpin.
interface Tunnel2
 ip address 172.16.1.2 255.255.255.0
 tunnel source Loopback10
 tunnel destination 10.10.10.1


Then run OSPF... etc.  I haven't tried static routes, but I'm pretty sure they would
work.

! VRF-side OSPF: redistributes the BGP-learned prefixes across the tunnel.
! (Loopback0 is in the global table, so its network statement matches no
! interface in this VRF process; the Tunnel1 statement is the one that counts.)
router ospf 100 vrf NSP
 router-id 10.10.10.1
 log-adjacency-changes
 redistribute bgp 65535 subnets
 network 10.10.10.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
! Global-side OSPF: adjacency with the VRF process forms over Tunnel2.
router ospf 1
 router-id 10.10.100.1
 log-adjacency-changes
 network 10.10.100.1 0.0.0.0 area 0
 network 172.16.1.2 0.0.0.0 area 0

Regards,


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/
[Mobile] 703-953-9116
+



Re: [c-nsp] VRF and STATIC ROUTE to GLOBAL

2009-02-23 Thread Jeff Fitzwater


On Feb 23, 2009, at 1:59 PM, schilling wrote:

I am not clear about your route-map match subs, set vrf. If your
two specific subnets are in one campus core, you need to put them
into VRF ESNET by ip forwarding vrf ESNET. If these two specific
subnets are distributed in your campus core, you need to use
end-to-end vrf-lite or MPLS, and put them in VRF ESNET.  Once in the VRF
ESNET, you can then advertise them to your ESNET eBGP peering. If
you have more specific subnets within the two subnets, ip route vrf
ESNET yourTwoSubnet2ESNET null 0 will populate a static route in
your VRF ESNET, so you can advertise them to your ESNET eBGP.
Existing more specific traffic will be routed in your VRF ESNET, and
non-specific traffic is dropped.



Maybe I am missing something about how to implement VRF.
The VRF is configured on our ISP edge router A, which is also the
RIP default source for our other 3 core routers.  So router A has a
VLAN and physical port for each of the three core routers B, C, D.
On the VLAN interface to router B, which receives traffic from the two
subnets of interest (along with other subnet traffic that is not allowed
to ESNET), I thought that I could have a route-map that MATCHES an
ACL for the two subnets and SETs VRF VRF-ESNET, so that if the match is
true it would send traffic to VRF-ESNET to first check its route
table.  Once there, if the destination was not in ESNET, it would use a
default to the global table and be forwarded as usual.
I didn't even get to the point of trying the route-map because I
couldn't get statics into the VRF so the VRF BGP would announce the two
subnets to ESNET.  (It's the next-hop issue: if the static next hop
is not reachable then it does not get installed.)


Well I thought it sounded good.


Jeff



On Mon, Feb 23, 2009 at 10:55 AM, Jeff Fitzwater  
jf...@princeton.edu wrote:

This question was posted earlier, before I opened ticket with CISCO.

Router is 6500 with 720-CXL running SXI code.


1. I have router A which is used to connect to our three ISPs (two I1s and one I2 connection with full BGP), and also receives all our internal campus traffic via RIP default path. Router A announces default to campus.

2. I now need to add a new special ESNET.GOV ISP which cannot be used by the majority of our campus except for two subnets. These two subnets will still have access to the other three ISPs for normal path selection but have the option of choosing an ESNET route if needed.

3. So the original thinking was to create the VRF for ESNET which would have its own ESNET route table and tell the two special subnets (using route-map match subs, set vrf) to check the ESNET table first and if the route is not in the table then fall through to global.

4. I can't just have one route table that includes the ESNET routes, because ESNET announces some more specific routes and there may be hosts that normally use the I1 path to these DSTs, but now see a more specific path and try to use it and fail because it is not allowed by the ESNET outbound ACL.

I have BGP peering working in the VRF (can see prefixes from ESNET in the VRF table), but cannot announce our two subnet prefixes because they do not show up in the VRF route table. So getting a static back to global would fix this and the other issue with DEFAULT to global. When I try to add static routes they never show up because the next hop is not present in the VRF table, or the command fails stating "Invalid next-hop address (it's this router)".

I was hoping that just adding a static DEFAULT in the VRF pointing to global would do everything I needed, but cannot get it to work even after trying all permutations of the command: ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 0.0.0.0 global

Also tried ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10 global. Loopback3 was created with an RFC-1918 IP and had vrf forwarding added on this loopback. This also failed.

Creating an internal path between the VRF router and the global router is stopping all this from working.

I have a ticket open with CISCO but they are saying I have to add an external link with two physical ports on the vrf. This will not work for us.

Does anybody know how to get statics working between the VRF and global table, if it's even possible.



Really stuck!



Jeff Fitzwater
OIT Network Systems
Princeton University

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
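To make points 3 and 4 of the post concrete, here is an added Python model (not from the thread) of the two designs: a single merged table, where every host sees ESNET's more-specifics and non-eligible hosts end up dropped by the ESNET outbound ACL, versus per-source VRF selection with fall-through to global. The prefixes, the two eligible subnets and the exit names are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the design in points 2-4 of the post; the
# thread names the players (I1, I2, ESNET, two campus subnets) but no prefixes.
CAMPUS_ALLOWED = [ipaddress.ip_network("10.1.0.0/24"),
                  ipaddress.ip_network("10.2.0.0/24")]  # the two ESNET-eligible subnets

# Global table: default via I1 plus an aggregate that I1 also carries.
GLOBAL_TABLE = {"0.0.0.0/0": "I1", "198.51.100.0/22": "I1"}

# VRF table learned from the ESNET eBGP session; note the more-specific
# 198.51.100.0/24 inside I1's /22 (point 4).
ESNET_TABLE = {"198.51.100.0/24": "ESNET", "192.0.2.0/24": "ESNET"}


def lookup(table, dst):
    """Longest-prefix match of dst against one table; None when no route."""
    best = None
    for prefix, exit_if in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_if)
    return None if best is None else best[1]


def esnet_acl_permits(src):
    """ESNET outbound ACL: only the two eligible subnets may leave via ESNET."""
    return any(src in n for n in CAMPUS_ALLOWED)


def forward_single_table(src, dst):
    """Point 4: one merged table. Every host sees ESNET's more-specifics, so a
    non-eligible host is steered to ESNET and then dropped by the ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exit_if = lookup({**GLOBAL_TABLE, **ESNET_TABLE}, dst)
    if exit_if == "ESNET" and not esnet_acl_permits(src):
        return "DROP (ESNET outbound ACL)"
    return exit_if


def forward_vrf_design(src, dst):
    """Point 3: the route-map matches the two subnets and sets the VRF; a miss
    in the VRF table falls through to the global table."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if esnet_acl_permits(src):          # same match as the route-map ACL
        exit_if = lookup(ESNET_TABLE, dst)
        if exit_if is not None:
            return exit_if
    return lookup(GLOBAL_TABLE, dst)    # fall-through for everyone else


if __name__ == "__main__":
    for src, dst in [("10.9.0.5", "198.51.100.7"),   # ordinary host, ESNET more-specific
                     ("10.1.0.5", "198.51.100.7"),   # eligible host, same destination
                     ("10.1.0.5", "203.0.113.9")]:   # eligible host, non-ESNET destination
        print(src, "->", dst, "| single table:", forward_single_table(src, dst),
              "| VRF design:", forward_vrf_design(src, dst))
```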





Re: [c-nsp] Broadcast storm control

2009-02-23 Thread Christian Meutes

Hi,

--On Dienstag, November 06, 2007 11:33:20 -0600 Justin Shore
jus...@justinshore.com wrote:


The book discusses how to harden HSRP, VLANs, VTP and trunk ports and
how to prevent ARP attacks, STP attacks, etc.  It has a good 802.1x
section as well.  It's got a good amount of useful info.

I think CoPP will help you out.  Identify the traffic that's causing the
DoS right now and address it with CoPP.  There are a lot of CoPP users
on C-NSP.  Then go back and harden the router later.


The original problem was, as far as I remember, access switches with disabled
or non-working spanning-tree creating an L2 loop and flooding the PE edge port.

The sad truth is that even CoPP on the PFC won't protect from an HSRP or PIM
multicast storm. Even a DHCP broadcast storm would kill the control plane.
The problem is that CoPP limits the rate to the listening processes like
PIM, HSRP or DHCP relay, but unfortunately a multicast/broadcast storm ends
in an interrupt load of nearly 95% and causes OSPF, BGP and other flaps in
core protocols. This is what I just figured out when someone created an
L2 loop on a pair of access switches and the connected PEs (Sup720) weren't
reachable anymore because of 98% CPU load, and OSPF, BFD and BGP went down
although CoPP and some more mls h/w rate-limiters were configured.

In the lab I found out that "mls qos protocol hsrp police" will overcome this
problem and curiously kept interrupt load down. For PIM I explicitly tried
"mls rate-limit multicast ipv4 pim" with the same effect of protecting the CPU
from high interrupt load. CoPP with an HSRP/PIM class and a policer of 32kbps
didn't help against the high interrupt load and only kept PIM/HSRP process load
down.

Can anyone explain the interaction in this stuff and why CoPP can't protect
from interrupts while the mls h/w rate-limiters can? And why the hell isn't there
more than just a PIM, HSRP and ARP h/w rate-limiter? Every directly
connected device can kill the PFC control plane by sending multicast/broadcast
traffic at a rate of about 100Mbps. And no, storm-control is no alternative,
as storm-control would rate-limit multicast traffic entirely, which is a
no-go when using multicast as an application.

cheers,
christian


[c-nsp] Small routing issue

2009-02-23 Thread Todd Shipway
I'm working on a small issue that I just can't track down.  The
connection is 2 T1s bonded in a multilink interface.  Connection within
the core network is fine from the remote end, but the traffic will not
make it to the default route on the core 7513.

Hundreds of other connections are set up absolutely identically and work
fine.  Default route is fine and debugging doesn't show anything at all.

Config is below:

7513 (Core)
interface Multilink68
 ip address 10.10.58.1 255.255.255.252
 ppp chap hostname group68
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 68

interface Serial9/0/0:1
 no ip address
 encapsulation ppp
 ppp chap hostname group68
 ppp multilink
 ppp multilink group 68
!
interface Serial9/0/0:2
 no ip address
 no ip unreachables
 encapsulation ppp
 ppp chap hostname group68
 ppp multilink
 ppp multilink group 68

ip route 198.70.33.176 255.255.255.248 10.10.58.2


2651 (Remote End)
interface Multilink68
 ip address 10.10.58.2 255.255.255.252
 ppp chap hostname group68
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 68
!
interface FastEthernet0/0
 ip address 198.70.224.117 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 1540
 no ip address
 encapsulation ppp
 fair-queue
 ppp chap hostname group68
 ppp multilink
 ppp multilink group 68

interface Serial0/1
 bandwidth 1540
 no ip address
 encapsulation ppp
 ppp chap hostname group68
 ppp multilink
 ppp multilink group 68

ip route 0.0.0.0 0.0.0.0 Multilink68


#ping 10.10.53.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.53.1, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

ping 74.125.45.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.45.100, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)

trace 74.125.45.100

Type escape sequence to abort.
Tracing the route to yx-in-f100.google.com (74.125.45.100)

  1 10.10.58.1 4 msec 4 msec 4 msec
  2  *  *  *  

'debug ip icmp' shows nothing on 10.10.58.1 when pinging outside.


Core network is 10.10.x.x and remote end can ping anything within the
core network or anything within our infrastructure.  Will not ping
anything outside the network.  Seems like a routing issue, but I can't
seem to track it down.  Any idea as to what to look for or how to
pinpoint a deeper routing issue?

Any help would be appreciated.

-Todd





[c-nsp] Mpls Troubleshooting Question

2009-02-23 Thread Rocker Feller
Hi,

I work in an ISP environment, and in it I found MPLS developed to deliver IP
VPNs.

There is one client with 5 branches.

All work fine except for 1.

This is the scenario.

The default route is derived from the corporate office (HQ). Its network
range is 172.16.0.0/16

Say branch with problem is branch Z ip range is 172.16.7.0/24

From Z Lan I can ping HQ Lan ok

ping 172.16.1.1 source 172.16.7.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.7.1
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms

From HQ I cannot ping the Z LAN, apart from reaching the Z router itself:

ping 172.16.7.1
PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data.
64 bytes from 172.16.7.1: icmp_seq=0 ttl=253 time=19.8 ms

Any other connections are dropped from branch Z router

A trace reveals packets are dropped from the main MPLS PE router.

The PE router can reach the CE router but not any pc behind it.


Your input appreciated


Regards
Rocker


Re: [c-nsp] VRF and STATIC ROUTE to GLOBAL

2009-02-23 Thread schilling
#core B
ip vrf ESNET
.
.
! "ip vrf forwarding" must come before "ip address": applying it afterwards
! removes the interface address (IOS warns "IP address ... removed").
int vlan100
 desc no1 prefix for ESNET
 ip vrf forwarding ESNET
 ip address 192.168.100.1 255.255.255.0
int vlan101
 desc no2 prefix for ESNET
 ip vrf forwarding ESNET
 ip address 192.168.101.1 255.255.255.0
int vlan200
 desc VRF ESNET to edge A global
 ip vrf forwarding ESNET
 ip address 192.168.200.1 255.255.255.252
! 192.168.300.0/30 as posted is not a valid IPv4 network (octet > 255);
! 192.168.201.0/30 is substituted here.
int vlan300
 desc VRF ESNET to edge A VRF ESNET
 ip vrf forwarding ESNET
 ip address 192.168.201.1 255.255.255.252

ip route vrf ESNET 0.0.0.0 0.0.0.0 192.168.200.2


#edge A
ip vrf ESNET
.
.
int vlan200
 desc global to core B VRF ESNET
 ip address 192.168.200.2 255.255.255.252
int vlan300
 desc VRF ESNET to core B VRF ESNET
 ip vrf forwarding ESNET
 ip address 192.168.201.2 255.255.255.252


ip route 192.168.100.0 255.255.254.0 192.168.200.1
ip route vrf ESNET 192.168.100.0 255.255.254.0 192.168.201.1


You also want to have an iBGP session between edge A and core B over vlan300 to
propagate ESNET prefixes to core B.

"sh ip route vrf ESNET" on both core B and edge A should have your two
specific ESNET networks, the ESNET BGP-learned prefixes, and directly
connected networks.

Corresponding static routes could be done by RIP; the concept should be the
same.

Schilling




On Mon, Feb 23, 2009 at 2:41 PM, Jeff Fitzwater jf...@princeton.edu wrote:


 On Feb 23, 2009, at 1:59 PM, schilling wrote:

 I am not clear about your route-map match subs, set vrf. If your two
 specific subnets are in one campus core, you need to put them into VRF
 ESNET by ip vrf forwarding ESNET. If these two specific subnets are
 distributed in your campus core, you need to use end-to-end vrf-lite or
 MPLS, and put them in VRF ESNET.  Once in the VRF ESNET, you can then
 advertise them to your ESNET eBGP peering. If you have more specific subnets
 within the two subnets, ip route vrf ESNET yourTwoSubnet2ESNET null 0 will
 populate a static route in your VRF ESNET, so you can advertise them to your
 ESNET eBGP. Existing more specific traffic will be routed in your VRF ESNET,
 and non specific are dropped.

 Maybe I am missing something about how to implement VRF.
 The VRF is configured on our ISP edge router A, which is also the RIP
 default source for our other 3 core routers.  So router A has a vlan and
 physical port for each of the three core routers B, C, D.   On the vlan
 interface to router B, which receives traffic from the two subnets of
 interest (along with other subnet traffic, but not allowed to ESNET), I
 thought that I could have a route-map that MATCHES an ACL for the two
 subnets, and SET VRF VRF-ESNET so that if the match is true it would send
 traffic to the VRF-ESNET to first check its route table.  Once there, if the
 DEST was not to ESNET, it would use a default to the global and be
 forwarded as usual.
 I didn't even get to the point of trying the route-map because I couldn't
 get statics in the VRF so the vrf bgp would announce the two subnets to
 esnet.  (It's the next hop issue.  If the static next hop is not reachable
 then it does not get installed).

 Well I thought it sounded good.


 Jeff


 On Mon, Feb 23, 2009 at 10:55 AM, Jeff Fitzwater jf...@princeton.edu wrote:

 This question was posted earlier, before I opened ticket with CISCO.

 Router is 6500 with 720-CXL running SXI code.


 1.  I have router A which is used to connect to our three ISPs ( two I1s
 and  one I2 connection with full BGP), and also receives all our internal
 campus traffic via RIP default path. Router A announces default to
 campus.

 2. I now need to add a new special ESNET.GOV ISP which cannot be used by
 the majority of our campus except for two subnets.   These two subnets will
 still have access to the other three ISPs for normal path selection but have
 the option of choosing an ESNET route if needed.

 3. So the original thinking was to create the VRF for ESNET which would
 have its own ESNET route table and tell the two special subnets (using
 route-map match subs, set vrf) to check the ESNET table first and if the route
 is not in the table then fall through to global.

 4. I can't just have one route table that includes the ESNET routes,
 because ESNET announces some more specific routes and there may be hosts
 that normally use the I1 path to these DSTs, but now see a more specific
 path and try to use it and fail because it is not allowed by ESNET outbound
 ACL.



 I have BGP peering working in VRF ( can see prefixes from ESNET in VRF
 table), but cannot announce our two subnet prefixes because they do not show
 up in VRF route table.  So getting static back to global would fix this and
 other issue with DEFAULT to global.   When I try to add static routes they
 never show up because the next hop is not present in VRF table or the
 command fails stating "Invalid next-hop address (it's this
 router)".



 I was hoping that just adding a static DEFAULT in VRF pointing to global
 would do everything I needed, but cannot get it to work even after trying
 all permutations of the command.  ip 

Re: [c-nsp] Mpls Troubleshooting Question

2009-02-23 Thread schilling
check no ip unreachable on the PE interface? I got bitten once.

verify the LSP?

Ivan's blog for rescue :-)

http://wiki.nil.com/PE-to-PE_troubleshooting_in_MPLS_VPN_networks


Schilling



Re: [c-nsp] Small routing issue

2009-02-23 Thread Todd Shipway
I changed the ip as a test. There is a route for .224.117/30. I pasted  
the route for the old ip. My mistake.




On Feb 23, 2009, at 6:02 PM, Matlock, Kenneth L  
matlo...@exempla.org wrote:


The F0/0 interface on the 2651 is configured for 198.70.224.117/30, yet
you're routing 198.70.33.176/29 to them. Is there NAT'ing going on, or
did I miss something?

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org


Re: [c-nsp] Broadcast storm control

2009-02-23 Thread Justin Shore

Christian Meutes wrote:

Hi,

--On Dienstag, November 06, 2007 11:33:20 -0600 Justin Shore
jus...@justinshore.com wrote:

the original problem was as far as I remember access switches with disabled
or not working spanning-tree created l2-loop and flooded PE edge port.


Replying to a question from 2 years ago?  I wish I had some of your free 
time in my pocket!  :-)


Justin


Re: [c-nsp] Broadcast storm control

2009-02-23 Thread A . L . M . Buxey
Hi,
 Christian Meutes wrote:
 Hi,

 --On Dienstag, November 06, 2007 11:33:20 -0600 Justin Shore
 jus...@justinshore.com wrote:

 the original problem was as far as I remember access switches with disabled
 or not working spanning-tree created l2-loop and flooded PE edge port.

 Replying to a question from 2 years ago?  I wish I had some of your free  
 time in my pocket!  :-)

surely so busy that it's taken 2 years to reply? ;-)

(that's the sort of 'free time' I wouldn't be after! ;-) )

alan


Re: [c-nsp] Small routing issue

2009-02-23 Thread Matlock, Kenneth L
The  F0/0 interface on the 2651 is configured for 198.70.224.117/30, yet
you're routing 198.70.33.176/29 to them. Is there NAT'ing going on, or
did I miss something?

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org
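The mismatch Ken spots by eye can be checked mechanically. Added here as an example (not from the thread): a small Python script that parses the two configs posted above with the standard ipaddress module, then cross-checks the core's statics against what the remote actually owns and the remote's LANs against the core's return routes. The config text is the posted 7513 and 2651 configs, trimmed to the lines that matter for routing.

```python
import ipaddress
import re

# The two configs as posted in the thread (7513 core and 2651 remote), trimmed
# to the routing-relevant lines; used here as constructed sample input.
CORE_7513 = """
interface Multilink68
 ip address 10.10.58.1 255.255.255.252
 ppp multilink group 68
interface Serial9/0/0:1
 no ip address
 encapsulation ppp
 ppp multilink group 68
ip route 198.70.33.176 255.255.255.248 10.10.58.2
"""

REMOTE_2651 = """
interface Multilink68
 ip address 10.10.58.2 255.255.255.252
 ppp multilink group 68
interface FastEthernet0/0
 ip address 198.70.224.117 255.255.255.252
 duplex auto
ip route 0.0.0.0 0.0.0.0 Multilink68
"""


def parse_ios(config):
    """Pull interface addresses and static routes out of IOS-style text.
    Returns ({ifname: IPv4Interface}, [(IPv4Network, next_hop_token)])."""
    interfaces, statics, current = {}, [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command
            current = None
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
            m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
            if m:
                net = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
                statics.append((net, m.group(3)))
        elif current:
            m = re.match(r"\s+ip address (\S+) (\S+)\s*$", line)
            if m:
                interfaces[current] = ipaddress.IPv4Interface((m.group(1), m.group(2)))
    return interfaces, statics


def has_specific_route(net, interfaces, statics):
    """True if net lies inside a connected subnet or a non-default static.
    A default route is deliberately ignored: on the remote it only points
    back up the WAN link, so it cannot deliver a prefix the core sends down."""
    candidates = [i.network for i in interfaces.values()]
    candidates += [s for s, _ in statics if s.prefixlen > 0]
    return any(net.subnet_of(c) for c in candidates)


def check_pair(core_cfg, remote_cfg):
    """Cross-check the core's statics against what the remote owns, and the
    remote's LANs against the core's return routes. Returns finding strings."""
    core_if, core_st = parse_ios(core_cfg)
    rem_if, rem_st = parse_ios(remote_cfg)
    rem_by_addr = {str(i.ip): i for i in rem_if.values()}
    findings, link_nets = [], set()
    for net, nh in core_st:
        if nh not in rem_by_addr:
            continue                                 # not pointed at this remote
        link_nets.add(rem_by_addr[nh].network)
        if not has_specific_route(net, rem_if, rem_st):
            findings.append(f"core routes {net} via {nh}, but the remote has no "
                            f"connected subnet or specific static for it")
    for name, iface in rem_if.items():
        if iface.network in link_nets:
            continue                                 # the WAN link itself
        if not has_specific_route(iface.network, core_if, core_st):
            findings.append(f"remote {name} subnet {iface.network} has no return "
                            f"route on the core")
    return findings


if __name__ == "__main__":
    for f in check_pair(CORE_7513, REMOTE_2651):
        print("MISMATCH:", f)
```

On the posted configs it reports both halves of the problem: the /29 the core sends down is owned by nothing on the 2651, and the 2651's 198.70.224.116/30 LAN has no route back on the core.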


Re: [c-nsp] Mpls Troubleshooting Question

2009-02-23 Thread Rocker Feller
Hi,

My full scenario:

CE1 --- PE1 --- PE2 - CEZ

On the PE1 interface I have a tunnel to CEZ.

NB: PE2 is not MPLS enabled.

CEZ has a ptp link to PE2.

LSP - the tunnel is up from PE1 --- CEZ and I can reach the CEZ router via the
tunnel ptp.

- from the CEZ LAN, the CE1 LAN is reachable.

It is only from the CE1 router and from the PE1 that I cannot reach the CEZ
LAN.

Please note this customer has 6 other branches which are working well.

Thanks





Re: [c-nsp] Netconf (over SSHv2) in SXI

2009-02-23 Thread Teller, Robert
When I was working on an application to post XML code to my ACE modules
I found the XML info on the ACE module. Have you tried enabling
HTTP/HTTPS and browsing to the device?


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lincoln Dale
Sent: Wednesday, February 04, 2009 6:05 PM
To: Jeffrey Ollie
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Netconf (over SSHv2) in SXI



Jeffrey Ollie wrote:
 On Mon, Feb 2, 2009 at 6:11 AM, Lincoln Dale l...@cisco.com wrote:
 that is purely a guess - but checking the XML schema definition (XSD) that
 should also be posted on cisco.com will let you verify.

 Any clues on where to find the XSDs?  I can't seem to find them except
 inline in the documentation and that doesn't seem like the best way to
 get them.

For NX-OS, where I spend most of my time, we post the NetConf XSD right
alongside the software images.

I am not sure where XSDs are posted on cisco.com (or if they are at all)
for IOS images, but will ask internally.
To my mind they should be posted alongside the images, or linked to
from the release notes etc., because the schema would be unique to each
image.


cheers,

lincoln.


Re: [c-nsp] Broadcast storm control

2009-02-23 Thread Christian Meutes

Hi,

--On Montag, Februar 23, 2009 23:25:36 + a.l.m.bu...@lboro.ac.uk wrote:


Replying to a question from 2 years ago?  I wish I had some of your free
 time in my pocket!  :-)


surely so busy that its taken 2 years to reply? ;-)

(thats the sort of 'free time' I wouldnt be after! ;-) )


I believe people use the list also to search for information and use it
even if it's 2 years old. It's not only about discussing the day's top
issues :-)

I just searched the list for content about control plane protection
and felt that it is, from my point of view, incomplete or rather not fully
clarified. I think people got the feeling that CoPP will help
to protect their control plane, but unfortunately this isn't completely true
imho.

cheers,
christian





Re: [c-nsp] Mpls Troubleshooting Question

2009-02-23 Thread Ibrahim Abo Zaid
Hi Rocker

that doesn't look to me like an MPLS VPN topology, as both PE1 interfaces to CE1
and CEZ are non-MPLS interfaces; it is much more like a
local-switching scenario

try using the CONNECT command



best regards
--Ibrahim
