[c-nsp] How to assign same virtual interface to a PPPoE customer
Hi list,

Is there any way by which we can assign same virtual access interface to a PPPoE customer? We are terminating PPPoE customers on 7301 with 12.2(31)SB14 using BBA groups with virtual-templates and want that a customer X should always get virtual-interface A. Any idea?

--
Regards,
M Usman Ashraf
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
Chris Hills c...@chaz6.com writes:
> Radiator /is/ open-source, but it is not free.

The fact that you get the source code doesn't by itself make the software open-source. The license may be this one: http://www.open.com.au/license.html but it says that any click-through license overrides what is written there, so don't put too much faith in that.

/Benny
Re: [c-nsp] How to assign same virtual interface to a PPPoE customer
M Usman Ashraf wrote on Monday, March 09, 2009 09:47:
> Hi list, Is there any way by which we can assign same virtual access interface to a PPPoE customer? We are terminating PPPoE customers on 7301 with 12.2(31)SB14 using BBA groups with virtual-templates and want that a customer X should always get virtual-interface A. Any idea?

no idea, don't think this is possible. What are you trying to achieve? If you want to apply user-specific attributes, take a look at AAA per-user config..

oli
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
Hi,

> +1 for Radiator. It's not opensource as the original poster requested, but it's certainly a solid and flexible radius server.

it is Open Source, it's just not free. you, as a user are free to look at the source code... please don't confuse 'open source' with 'free software', GPL, BSD, etc

that said, their licence is onerous and feels like it's a verbatim shrink-wrap EULA rather than dealing with what you get. does reading their PERL mean I am disassembling it? for this last reason alone, I'm +1 for FreeRADIUS

alan
Re: [c-nsp] How to assign same virtual interface to a PPPoE customer
Hi Oliver,

Just wanted to plot MRTG for customers whose CPE has no SNMP support or who does not want to enable SNMP. Is there any MIB that lists PPPoE username against the assigned virtual-interface.

On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
> M Usman Ashraf wrote on Monday, March 09, 2009 09:47:
>> Hi list, Is there any way by which we can assign same virtual access interface to a PPPoE customer? We are terminating PPPoE customers on 7301 with 12.2(31)SB14 using BBA groups with virtual-templates and want that a customer X should always get virtual-interface A. Any idea?
>
> no idea, don't think this is possible. What are you trying to achieve? If you want to apply user-specific attributes, take a look at AAA per-user config..
>
> oli

--
Regards,
M Usman Ashraf
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
Hi all,

As I can see there is just two options over the table: Freeradius and Radiator. Is there anyone here with any of them working against VPN Concentrators? I ask that because it would be the primary goal of the radius.

On Mon, 09-03-2009 at 09:09 +, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> +1 for Radiator. It's not opensource as the original poster requested, but it's certainly a solid and flexible radius server.
>
> it is Open Source, it's just not free. you, as a user are free to look at the source code... please don't confuse 'open source' with 'free software', GPL, BSD, etc
>
> that said, their licence is onerous and feels like it's a verbatim shrink-wrap EULA rather than dealing with what you get. does reading their PERL mean I am disassembling it? for this last reason alone, I'm +1 for FreeRADIUS
>
> alan
Re: [c-nsp] How to assign same virtual interface to a PPPoE customer
Hi Junaid,

Customers have Ethernet based connectivity on Alcatel ONTs that does not have SNMP support. Their PPPoE session are terminated on 7301. So we can only look for customers stats from this 7301.

On Mon, Mar 9, 2009 at 3:32 PM, Junaid junaid@gmail.com wrote:
> Hi,
>
> Why don't you try poll (via SNMP) the customer's port on the access device (DSLAM). In this case, you will not have to deal with the dynamic allocation of the interface as the port will be fixed for a customer.
>
> Regards,
> Junaid
>
> On Mon, Mar 9, 2009 at 3:16 PM, M Usman Ashraf musmanash...@gmail.com wrote:
>> Hi Oliver,
>>
>> Just wanted to plot MRTG for customers whose CPE has no SNMP support or who does not want to enable SNMP. Is there any MIB that lists PPPoE username against the assigned virtual-interface.
>>
>> On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
>>> M Usman Ashraf wrote on Monday, March 09, 2009 09:47:
>>>> Hi list, Is there any way by which we can assign same virtual access interface to a PPPoE customer? We are terminating PPPoE customers on 7301 with 12.2(31)SB14 using BBA groups with virtual-templates and want that a customer X should always get virtual-interface A. Any idea?
>>>
>>> no idea, don't think this is possible. What are you trying to achieve? If you want to apply user-specific attributes, take a look at AAA per-user config..
>>>
>>> oli
>>
>> --
>> Regards,
>> M Usman Ashraf

--
Regards,
M Usman Ashraf
[c-nsp] Static mapping behind 2 ASA firewall
Hi all,

Scenario below. I have two ASA5520 in my network. Static mapping for nodes in LAN A work fine however mappings in LAN B don't. I am making the mapping on ASA1. Any ideas as to get mappings for LAN B accessible.

Internet
   |
   |
   |
  ASA1    LAN A - (192.168.0.0/16)
   |
   |
   |
  ASA2    LAN B - (10.101.0.0/16)

Richard
Re: [c-nsp] How to assign same virtual interface to a PPPoE customer
I would strongly advise against this, take a look at RADIUS interim accounting and then storing that in RRD databases.

Dave.

M Usman Ashraf wrote:
> Hi Oliver,
>
> Just wanted to plot MRTG for customers whose CPE has no SNMP support or who does not want to enable SNMP. Is there any MIB that lists PPPoE username against the assigned virtual-interface.
>
> On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
>> M Usman Ashraf wrote on Monday, March 09, 2009 09:47:
>>> Hi list, Is there any way by which we can assign same virtual access interface to a PPPoE customer? We are terminating PPPoE customers on 7301 with 12.2(31)SB14 using BBA groups with virtual-templates and want that a customer X should always get virtual-interface A. Any idea?
>>
>> no idea, don't think this is possible. What are you trying to achieve? If you want to apply user-specific attributes, take a look at AAA per-user config..
>>
>> oli
[c-nsp] GLBP Groups Question
Hi,

Short version of question:

Does putting multiple SVI's in the same GLBP group save resources? i.e. is it more efficient to have 10 SVI's in 5 GLBP groups, or is there no difference in resource usage?

Long version of question:

I'm looking to have ~10 3750 stacks connected to a couple of Cisco 7609s. To avoid any spanning tree hassles, a vlan on one stack will not appear on any other stack. A decision has been made to keep the management of the 3750's in a separate VLAN, therefore I'll need ~10 extra vlans to manage all 3750 stacks. Therefore, assume that each stack has a Data, Voice and Management VLAN.

I'm going to be running GLBP on the 7609's, so that traffic is spread over the 7609s and there is redundancy in the event of 7609 failure. In order to ensure that I can always manage a 3750 Stack, I'm going to be adding the Management VLAN into GLBP as well.

Will the extra 10 GLBP sessions add extra CPU overhead/load to the 7609s? Using the group feature, if I have a group 10 for Stack 1, group 20 for stack 2 etc, does adding the Management VLAN to that group save on CPU/keepalive traffic?

Really my question boils down to: Is this configuration:

interface Vlan10
 description Data Stack 1
 ip address x.x.x.x 255.255.255.0
 glbp 10 ip x.x.x.x
!
interface Vlan11
 description Management Stack 1
 ip address y.y.y.y 255.255.255.0
 glbp 10 ip y.y.y.y

any more efficient than this configuration:

interface Vlan10
 description Data Stack 1
 ip address x.x.x.x 255.255.255.0
 glbp 10 ip x.x.x.x
!
interface Vlan11
 description Management Stack 1
 ip address y.y.y.y 255.255.255.0
 glbp 11 ip y.y.y.y

Many Thanks,
Tim
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
Once upon a time, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk said:
> it is Open Source, it's just not free. you, as a user are free to look at the source code... please don't confuse 'open source' with 'free software', GPL, BSD, etc

Open Source is a trademarked term that has specific requirements. Freedom to modify and redistribute the source code is a major part of that (e.g. GPL, BSD license, etc.). Don't confuse you can look but not touch with Open Source.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: [c-nsp] How to assign same virtual interface to a PPPoE customer
Agreed, this is much better as you don't have to periodically poll and watch for session re-connects..

If you still want to go down the SNMP path: You can poll the AAA-SESSION-MIB, and use casnVaiIfIndex OID which references the ifIndex for this particular user..

oli

David Freedman wrote on Monday, March 09, 2009 13:27:
> I would strongly advise against this, take a look at RADIUS interim accounting and then storing that in RRD databases.
>
> Dave.
>
> M Usman Ashraf wrote:
>> Hi Oliver,
>>
>> Just wanted to plot MRTG for customers whose CPE has no SNMP support or who does not want to enable SNMP. Is there any MIB that lists PPPoE username against the assigned virtual-interface.
>>
>> On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
>>> M Usman Ashraf wrote on Monday, March 09, 2009 09:47:
>>>> Hi list, Is there any way by which we can assign same virtual access interface to a PPPoE customer? We are terminating PPPoE customers on 7301 with 12.2(31)SB14 using BBA groups with virtual-templates and want that a customer X should always get virtual-interface A. Any idea?
>>>
>>> no idea, don't think this is possible. What are you trying to achieve? If you want to apply user-specific attributes, take a look at AAA per-user config..
>>>
>>> oli
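Added example (not part of the thread, and not Cisco's code): a Python sketch of the SNMP path described above, joining casnVaiIfIndex with casnUserId (the username column of the same CISCO-AAA-SESSION-MIB session table) by session index and reporting which users' ifIndex moved between two polls. The snmpwalk text, usernames and function names are constructed for illustration; treating ifIndex 0 as "no virtual-access interface" is an assumption.

```python
import re

# Constructed sample: symbolic snmpwalk output from two polls of the session
# table. Between the polls custX re-dialled and got a new session and interface.
POLL_1 = """\
CISCO-AAA-SESSION-MIB::casnUserId.4101 = STRING: "custX"
CISCO-AAA-SESSION-MIB::casnUserId.4102 = STRING: "custY"
CISCO-AAA-SESSION-MIB::casnVaiIfIndex.4101 = INTEGER: 87
CISCO-AAA-SESSION-MIB::casnVaiIfIndex.4102 = INTEGER: 88
"""
POLL_2 = """\
CISCO-AAA-SESSION-MIB::casnUserId.4102 = STRING: "custY"
CISCO-AAA-SESSION-MIB::casnUserId.4150 = STRING: "custX"
CISCO-AAA-SESSION-MIB::casnUserId.4151 = STRING: "custZ"
CISCO-AAA-SESSION-MIB::casnVaiIfIndex.4102 = INTEGER: 88
CISCO-AAA-SESSION-MIB::casnVaiIfIndex.4150 = INTEGER: 91
CISCO-AAA-SESSION-MIB::casnVaiIfIndex.4151 = INTEGER: 0
"""

# One walk line: column name, session index, then a quoted or bare value.
LINE = re.compile(
    r'^CISCO-AAA-SESSION-MIB::(casnUserId|casnVaiIfIndex)\.(\d+)'
    r' = (?:STRING|INTEGER): "?([^"]*)"?$'
)


def user_to_ifindex(walk_text):
    """Join the two columns on the session index; return {username: ifIndex}."""
    users, ifindexes = {}, {}
    for line in walk_text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue  # ignore lines from other columns or tables
        column, session_id, value = match.group(1), int(match.group(2)), match.group(3)
        if column == "casnUserId":
            users[session_id] = value
        else:
            ifindexes[session_id] = int(value)
    mapping = {}
    # Simplification: if a user holds several sessions, the highest session
    # index wins because it is processed last.
    for session_id in sorted(users):
        ifindex = ifindexes.get(session_id, 0)
        if ifindex:  # assumption: 0 or missing means no virtual-access interface
            mapping[users[session_id]] = ifindex
    return mapping


def changed_targets(previous, current):
    """Users whose ifIndex moved between polls: {username: (old, new)}."""
    return {
        user: (previous[user], ifindex)
        for user, ifindex in current.items()
        if user in previous and previous[user] != ifindex
    }


if __name__ == "__main__":
    before, after = user_to_ifindex(POLL_1), user_to_ifindex(POLL_2)
    print(before, after, changed_targets(before, after))
```

Every entry returned by changed_targets is a graph whose interface target has to be rewritten, which is the periodic bookkeeping the accounting-based approach avoids.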
Re: [c-nsp] GLBP Groups Question
> Really my question boils down to: Is this configuration:
>
> interface Vlan10
>  description Data Stack 1
>  ip address x.x.x.x 255.255.255.0
>  glbp 10 ip x.x.x.x
> !
> interface Vlan11
>  description Management Stack 1
>  ip address y.y.y.y 255.255.255.0
>  glbp 10 ip y.y.y.y
>
> any more efficient than this configuration:
>
> interface Vlan10
>  description Data Stack 1
>  ip address x.x.x.x 255.255.255.0
>  glbp 10 ip x.x.x.x
> !
> interface Vlan11
>  description Management Stack 1
>  ip address y.y.y.y 255.255.255.0
>  glbp 11 ip y.y.y.y

I don't think so. The GLBP groups are local to an SVI.

HOWEVER - each GLBP group uses a different GLBP virtual MAC address, and the sup has a limit as to the size of its MAC receive filter - 64 on older hardware, and 1024 on newer hardware - so using the same group is still valuable

HSRP has a feature called hsrp multiple group optimisation that will do what you want, but it doesn't work on SVIs - only subints (bah).
Re: [c-nsp] How to assign same virtual interface to a PPPoE customer
Assuming you use a radius server that can place its accounting data in a sql server, this should work fairly well for you

http://www.jmaimon.com/freeradius/mrtg-radsql/mrtg-radsql.tar.gz

M Usman Ashraf wrote:
> Hi Oliver,
>
> Just wanted to plot MRTG for customers whose CPE has no SNMP support or who does not want to enable SNMP. Is there any MIB that lists PPPoE username against the assigned virtual-interface.
>
> On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
>> M Usman Ashraf wrote on Monday, March 09, 2009 09:47:
>>> Hi list, Is there any way by which we can assign same virtual access interface to a PPPoE customer? We are terminating PPPoE customers on 7301 with 12.2(31)SB14 using BBA groups with virtual-templates and want that a customer X should always get virtual-interface A. Any idea?
>>
>> no idea, don't think this is possible. What are you trying to achieve? If you want to apply user-specific attributes, take a look at AAA per-user config..
>>
>> oli
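Added example (not part of the thread, and not the contents of the tarball linked above): a Python sketch of the approach recommended in this thread, turning RADIUS interim accounting records into per-user bit rates that a grapher such as RRD could store. It keys on User-Name and Acct-Session-Id rather than on an interface, folds Acct-*-Gigawords into the 32-bit octet counters, and restarts the baseline when the customer reconnects. The records, the "ts" arrival-time field and the function names are constructed for illustration.

```python
GIGAWORD = 2 ** 32  # one Acct-*-Gigawords unit = one wrap of the 32-bit octet counter

# Constructed sample: Accounting-Request attributes as a RADIUS server might
# store them, plus the arrival time "ts" in seconds. custX drops at 700 s and
# reconnects at 720 s with a new Acct-Session-Id.
SAMPLE_RECORDS = [
    {"ts": 0, "User-Name": "custX", "Acct-Session-Id": "0000A1",
     "Acct-Status-Type": "Start"},
    {"ts": 300, "User-Name": "custX", "Acct-Session-Id": "0000A1",
     "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 1500000, "Acct-Output-Octets": 4293000000},
    {"ts": 600, "User-Name": "custX", "Acct-Session-Id": "0000A1",
     "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 3750000,
     "Acct-Output-Octets": 1032704, "Acct-Output-Gigawords": 1},
    {"ts": 700, "User-Name": "custX", "Acct-Session-Id": "0000A1",
     "Acct-Status-Type": "Stop",
     "Acct-Input-Octets": 4125000,
     "Acct-Output-Octets": 2282704, "Acct-Output-Gigawords": 1},
    {"ts": 720, "User-Name": "custX", "Acct-Session-Id": "0000B7",
     "Acct-Status-Type": "Start"},
    {"ts": 1020, "User-Name": "custX", "Acct-Session-Id": "0000B7",
     "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 750000, "Acct-Output-Octets": 7500000},
]


def total_octets(record, direction):
    """64-bit octet count for 'Input' or 'Output' (gigawords * 2^32 + octets)."""
    low = int(record.get(f"Acct-{direction}-Octets", 0))
    high = int(record.get(f"Acct-{direction}-Gigawords", 0))
    return high * GIGAWORD + low


def rates_per_user(records):
    """Return {user: [(ts, input_bps, output_bps), ...]}.

    Input is what the NAS received from the customer, Output what it sent.
    """
    baseline = {}  # user -> (session_id, ts, input_octets, output_octets)
    series = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, sid, ts = rec["User-Name"], rec["Acct-Session-Id"], rec["ts"]
        status = rec["Acct-Status-Type"]
        if status == "Start":
            baseline[user] = (sid, ts, 0, 0)  # counters begin at zero
            continue
        now_in = total_octets(rec, "Input")
        now_out = total_octets(rec, "Output")
        prev = baseline.get(user)
        # Only difference counters that belong to the same session; a new
        # Acct-Session-Id means the counters restarted on the NAS.
        if prev and prev[0] == sid and ts > prev[1]:
            d_in, d_out = now_in - prev[2], now_out - prev[3]
            if d_in >= 0 and d_out >= 0:
                dt = ts - prev[1]
                series.setdefault(user, []).append(
                    (ts, d_in * 8 / dt, d_out * 8 / dt))
        if status == "Stop":
            baseline.pop(user, None)
        else:
            baseline[user] = (sid, ts, now_in, now_out)
    return series


if __name__ == "__main__":
    for sample in rates_per_user(SAMPLE_RECORDS)["custX"]:
        print(sample)
```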
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
To me, I haven't used freeradius for VPN Concentrator, and haven't used Radiator.
But I think you can try it.
Just use computer to install any distribution of linux (debian is better) + freeradius. (if you have installation question, I try to help)
or
Post this in freeradius newsgroup http://freeradius.org/list/index.html
Anyone to use freeradius in VPN Concentrator
I think you can get immediately response

HTH

On Mon, Mar 9, 2009 at 6:34 AM, luismi asturlui...@gmail.com wrote:
> Hi all,
>
> As I can see there is just two options over the table: Freeradius and Radiator. Is there anyone here with any of them working against VPN Concentrators? I ask that because it would be the primary goal of the radius.
>
> On Mon, 09-03-2009 at 09:09 +, a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>>
>>> +1 for Radiator. It's not opensource as the original poster requested, but it's certainly a solid and flexible radius server.
>>
>> it is Open Source, it's just not free. you, as a user are free to look at the source code... please don't confuse 'open source' with 'free software', GPL, BSD, etc
>>
>> that said, their licence is onerous and feels like it's a verbatim shrink-wrap EULA rather than dealing with what you get. does reading their PERL mean I am disassembling it? for this last reason alone, I'm +1 for FreeRADIUS
>>
>> alan
Re: [c-nsp] MPLS LDP and BGP Neighbor flapping constantly
This message slipped through the cracks. It leads me to giving an update on the problem though.

I worked with TAC to troubleshoot the issue last week. The TAC engineer also noticed the giants on the 7600's side. He tried sending large ICMPs through to the 7600 from the 7201. Nothing over 1508 would pass even though the interface MTU was 9000 on both sides (and the IP MTU followed). Even sending ICMPs WITHOUT df set still resulted in a failure. We dropped the MTU to 1500 and suddenly we could send large ICMPs that needed to be fragged. Very weird.

It gets weirder though. Prior to calling TAC I upgraded the code on another 7201 that's dual-homed to both 7613s in the core. As soon as I reloaded that 7201 LDP on it also started flapping to BOTH 7600s (the original 7201 was only single-homed to one 7600). BGP appears to be unaffected on this 7201. So now I have 2 7201s with constantly flapping LDP neighbors. The 2nd 7201 also can't ping either 7600 with large ICMPs. However, and this is weird, BOTH 7600s can ping the loopback on the 7201 with 9000 byte ICMPs.

When I wrote that last sentence it got me thinking. I was pinging from the 7201s to Lo0 on the 7600s. Large ICMPs weren't getting there and giants were logged on the incoming L3 interface on the 7600s. I can ping from the 2nd 7201 to the directly-connected interface on either 7600 with large ICMPs and they are not dropped and no giants are logged. Even though it can send large frames to the directly-connected interface it can't to the loopback. I don't believe that's normal. From the 7600 I can turn around and ping the loopback on the 2nd 7201 with jumbo frames without any problems. It's like MTU is only being honored in one direction.

This is a confusing one to me that smells like a bug. I'm running SRB1 on both 7600s and was running different 12.4(15)Tn releases on the 7201s. They are both now running 12.2(24)T. I'll drop one of them back to an early 12.4(15)Tn tonight to troubleshoot if I have to. The problem occurred on the 1st 7201 without a code change and didn't occur on the 2nd until after the code change and reboot.

Any thoughts?

Justin

David Freedman wrote:
> You appear to have a high number of input queue drops and input errors, granted the counters have never been cleared, do you have any PPS graphs of the link between these two boxes? I would suspect a traffic spike or link fault causing control messages to be dropped being the cause here.
[c-nsp] Egress shaping/policing for bandwidth control on a 3750-ME
I have two Cisco 3750-ME (Metro) where we are trying to apply an 8 Mbps bandwidth limit to it. We tried HQM shaping but got a lovely message that Hierarchical service-policies are only supported on ES interfaces. When we tried policing, we can't seem to apply the mls qos bridged command to it:

router(config)#interface vlan 260
router(config-if)#mls ?
% Unrecognized command
router(config-if)#mls

This is the relevant configuration to our policing attempt:

ip access-list extended customer-policer_inbound
 permit ip any any
ip access-list extended customer-policer_outbound
 permit ip any any
class-map match-any customer-networks
 match access-group name customer-policer_inbound
 match access-group name customer-policer_outbound
!
policy-map customer-policer
 class customer-networks
  police 800 100 exceed-action drop
!
interface Vlan260
 mls qos bridged
 service-policy input customer-policer
 service-policy output customer-policer
!
interface Gi1/0/1
 mls qos vlan-based
!

To get shaping work we should have had the uplink interface use non-ES ports and the interface facing our core use the ES ports.

Any other ideas in terms of policing/shaping?

Regards,
Frank
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
On 09/03/2009, at 1:29 PM, Chris Hills wrote:
> David Hughes wrote:
>> +1 for Radiator. It's not opensource as the original poster requested, but it's certainly a solid and flexible radius server.
>
> Radiator /is/ open-source, but it is not free.

Nope. Commercial licensed product. Which isn't a bad thing - it helps the guys writing the code feed themselves.

David
...
[c-nsp] snmp-server ifindex persist - store data on flash/disk?
We have a number of 7206VXR boxes terminating ATM ADSL aggregation circuits. With a large number of interfaces, the persistent index table is too large for NVRAM and the interface IDs change on reboot just as if the command weren't specified.

Is there a workaround or command to store the persistent data on the flash disk which has plenty of room?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
On Mon, 9 Mar 2009, luismi wrote:
> Hi all,
>
> As I can see there is just two options over the table: Freeradius and Radiator.

Another option is Cistron Radius http://www.radius.cistron.nl/ which is probably going to be pretty similar to Freeradius, since the latter is apparently a fork of the former.

Radiator is perl, so you get the 'source code', but it's not open source and you do need to buy a license to use it.

--
Jon Lewis                   | I route
Senior Network Engineer     | therefore you are
Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
Yes. isn't bad
It depends on the budget
You can spend hundred thousand dollars to buy 10G router or buy $1,500 a (4 cores) computer running quagga to have $6,000 a 10G card on it.

On Mon, Mar 9, 2009 at 7:02 PM, David Hughes da...@hughes.com.au wrote:
> On 09/03/2009, at 1:29 PM, Chris Hills wrote:
>> David Hughes wrote:
>>> +1 for Radiator. It's not opensource as the original poster requested, but it's certainly a solid and flexible radius server.
>>
>> Radiator /is/ open-source, but it is not free.
>
> Nope. Commercial licensed product. Which isn't a bad thing - it helps the guys writing the code feed themselves.
>
> David
> ...
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
Once upon a time, Jon Lewis jle...@lewis.org said:
> Another option is Cistron Radius http://www.radius.cistron.nl/ which is probably going to be pretty similar to Freeradius, since the latter is apparently a fork of the former.

Cistron RADIUS (which was based on the original Livingston RADIUS server) development has pretty much stopped in favor of FreeRADIUS. There is also a fork of FreeRADIUS called OpenRADIUS; I don't remember the reasons for the fork.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: [c-nsp] Egress shaping/policing for bandwidth control on a 3750-ME
Frank Bulk - iName.com wrote:
> I have two Cisco 3750-ME (Metro) where we are trying to apply an 8 Mbps bandwidth limit to it. We tried HQM shaping but got a lovely message that Hierarchical service-policies are only supported on ES interfaces.

Frank,

The 3750ME can only do per-VLAN shaping on the ES ports.

You can shape standard ports (but not per-VLAN) in increments of 10% of the port speed using the 'srr-queue bandwidth limit' command. To achieve 8Mbps with this you'd need to lock the [FastEthernet] port to 10Mbps and set the limit to 80%. Buffering of packets is less than ideal.

The 3750ME supports hierarchical dual-level *ingress* policies on SVIs. To use these you need to set 'mls qos vlan-based' on the port and may or may not need to use a 'match input-interface' statement in the class of a subpolicy. (I've never used these so can't comment with authority) I'd provide an example but I'd just be ripping it from page 35-71 of the 3750 Metro 12.2(46)SE Software Configuration Guide ;-)

I'm pretty sure neither SVIs nor standard ports support output policies so you'd best do as much as you can on the ES ports on ingress from your core.

Note that ingress service policies on 12.2(44)SE1 seem to be broken - This may also affect other versions. We never logged a bug because it's fixed in 12.2(46)SE. Overall I think the quality control on IOS releases for the 3750ME leaves a BLOODY LOT to be desired.

Regards,
Brad
[c-nsp] L3 MPLS VPN Question - Redundant Internet Access
Hi All,

I'm trying to build some redundancy for our L3 MPLS VPN customers for Internet access. At the moment, customers gain Internet access via their Central Site. We configure a default route on the PE connecting the Central Site and use BGP to redistribute the default route to all other PE's with the default-information originate command like so:

ip route vrf NSTEST 0.0.0.0 0.0.0.0 GigabitEthernet0/1.902 10.15.99.2
!
interface GigabitEthernet0/1.902
 description NSTEST VPN Link
 encapsulation dot1Q 902
 ip vrf forwarding NSTEST
 ip address 10.15.99.1 255.255.255.252
!
address-family ipv4 vrf NSTEST
 redistribute connected
 redistribute static
 default-information originate
 no auto-summary
 no synchronization
 exit-address-family

In the event that the VPN link to the Central Site goes down and branch sites can no longer gain Internet access via the Central Site, I've set up a NAT-PE for Internet traffic as a form of redundancy.

[WWW] -- [NAT-PE] -- [Branch Site] -- [Central Site] -- [WWW]

To accomplish this, I configured a default route on the NAT-PE and can manually trigger the default route to be redistributed to the PE's when the Central Site is down - just wondering if there is a way to do this automatically so that when the Central Site is down, Internet traffic goes via the NAT-PE and when the Central Site is back up, Internet traffic once again goes via the Central Site??? The NAT-PE is a dedicated router and has no CE's attached to it.

I've tried a few different things, but couldn't get it to work. I'm not sure if you can alter the way iBGP behaves and maybe give the default route learnt from the NAT-PE via iBGP a higher administrative distance of say 250 (rather than the default 200) so that when the Central Site is down, the default route from the NAT-PE gets installed.

Thanks.

Andy