Re: [c-nsp] mls cef max route
On Thu, 2009-03-26 at 10:36 +0530, Swati Sharma wrote: Though I have just few routes still I am getting Mar 26 04:49:06.406 UTC: %MLSCEF-SP-4-FIB_EXCEPTION: FIB TCAM exception for IPv4 unicast, Some routes will be software switched. Use mls cef maximum-routes to modify FIB TCAM partition. 6500.LAB#sh mls cef maximum-routes FIB TCAM maximum routes : === Current :- --- IPv4 + MPLS - 512k (default) IPv6 + IP Multicast - 256k (default) ... any idea !!! What does show tcam counts and show platform hardware capacity pfc say? Regards, Peter ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Getvpn same box ks and gm
Does anyone know when cisco plans to support getvpn key server and group member configurations on the same box?
Re: [c-nsp] mls cef max route
Hi, On Thu, Mar 26, 2009 at 10:36:20AM +0530, Swati Sharma wrote: 6500.LAB#sh mls cef maximum-routes Try: sh mls cef su to see what IOS is thinking about TCAM usage. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Question about CBWFQ and PING times
On Thu, 2009-03-26 at 11:04 +1100, Andy Saykao wrote:

> I tried to create a Hierarchical QoS policy on a spare 7606 we have here and no go. Tried to create a parent shaper and policer and neither worked when the service-policy was applied to the interface. I would've thought the SIP-400 could do shaping.

Data sheet says DTS is supported, but I don't have one at hand to test it. The specific PA might also set limitations. You may be out of luck with those interfaces. I assume it is a SPA in the SIP-400 you add the service-policy to, right? Interface on LAN cards can't do it this way.

> You wrote - You need to tell the router that it only has 200 mbps and not the full 1 Gbps. Otherwise it will allocate ~50 mbps (your 5%) for priority traffic and ~950 mbps for class-default. This statement may be true but when I do a show policy-map interface command, it seems to allocate the percentage of bandwidth correctly as to what I've specified with the bandwidth interface command (ie: bandwidth 5% (1 kbps)). I read somewhere that the QoS policy takes into account what you set the bandwidth interface command to. This seems to be true when I do a show policy-map interface because it's using the bandwidth interface command to allocate the bandwidth as shown below.

The bandwidth command doesn't do anything by itself, other than letting e.g. routing protocols know what bandwidth is available on this link. EIGRP and RSVP could use this. The command does not in itself help with shaping/policing. It's correct that the policy-map percent parameter looks at exactly this parameter, but this is just configuration short-hand. Disregarding everything but your priority queue, these four methods all reserve 100 mbps on a Gigabit-interface:

- No bandwidth parameter (default), priority percent 10
- No bandwidth parameter (default), priority 10
- Specify bandwidth 20, priority percent 50
- Specify bandwidth 20, priority 10

Consider the bandwidth parameter strictly informational.

You would have to find out what features your interface supports. DTS and hierarchical QoS should let you use a parent shaper. Some LAN cards support SRR which could give you a crude way of shaping. We use shaping on 7200s with no problems, but I have never used DTS on the switch platforms (7600/6500) so I may make some wrong conclusions. And my SRR experience has so far been limited to lab tests.

Regards, Peter
Re: [c-nsp] BGP session resets if NLRI exchanged
Paul, You might be running into CSCsl72955. If so, you could try the workaround suggested by the following link or upgrade the code. http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl72955 Regards -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Paul Cosgrove Sent: Wednesday, March 25, 2009 11:55 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] BGP session resets if NLRI exchanged We are attempting to establish a new BGP session between one of our CRS-1 routers, and a Redback SE800 router owned by another provider. Am not familiar with Redbacks myself and we have not peered with any before (as far as we know anyway). The BGP session only remains up if no NLRI is exchanged. If the other provider sends any prefixes to us we reply with an invalid length for attribute notification; if we send any prefixes to them they reply with invalid or corrupt AS path. The other provider uses VPNv4 within their network, though I understand that it is not configured on this peering. I'm wondering whether these errors could result if their router expects a RD (and sends one) on the advertisements, perhaps due to a software bug or typo in the config. Perhaps someone has seen this problem before? Paul.
[c-nsp] Tracking bandwidth hogs ... any recommendations ?
Hi all, I would like to put in place measures to be able to pin point the particular user(s) who are thrashing out our WAN connection. I am thinking ... Mirror all ports (SPAN) to a spare port and use trafshow to pinpoint the culprit. However, i am curious how others deal with this situation ? -aW
Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ?
Wilkinson, Alex wrote: Hi all, I would like to put in place measures to be able to pin point the particular user(s) who are thrashing out our WAN connection. I am thinking ... Mirror all ports (SPAN) to a spare port and use trafshow to pinpoint the culprit. However, i am curious how others deal with this situation ? Netflow.
Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ?
Why not use Netflow? On Thu, Mar 26, 2009 at 09:15:45PM +0900, Wilkinson, Alex wrote: Hi all, I would like to put in place measures to be able to pin point the particular user(s) who are thrashing out our WAN connection. I am thinking ... Mirror all ports (SPAN) to a spare port and use trafshow to pinpoint the culprit. However, i am curious how others deal with this situation ? -aW
Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ?
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080259533.html How to setup netflow to monitor top talkers, and even poll the results with SNMP. -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rodney Dunn Sent: Thursday, March 26, 2009 9:50 AM To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ? Why not use Netflow? On Thu, Mar 26, 2009 at 09:15:45PM +0900, Wilkinson, Alex wrote: Hi all, I would like to put in place measures to be able to pin point the particular user(s) who are thrashing out our WAN connection. I am thinking ... Mirror all ports (SPAN) to a spare port and use trafshow to pinpoint the culprit. However, i am curious how others deal with this situation ? -aW
Re: [c-nsp] MLPPP
You have it in a VRF which really shouldn't cause an issue as it's tag2ip and ip2tag. What code is it? Make sure it's the latest 12.4 mainline as we did some work in 12.4 to make this work. Can you get a 'sh int mul 2 stat' after a clear counters...get it a few times and send it? Also, what are the other interface configs feeding this bundle? It could be features on them causing the punts. What does 'sh cef int' say? Rodney On Wed, Mar 25, 2009 at 05:03:03PM -0400, Jason Berenson wrote: Here's a sample: interface Multilink2 ip vrf forwarding VPN1 ip address x.x.x.x 255.255.255.252 no cdp enable ppp multilink ppp multilink group 2 service-policy output voice ! interface Serial6/0/25:0 no ip address encapsulation ppp down-when-looped no cdp enable ppp multilink ppp multilink group 2 ! interface Serial6/0/26:0 no ip address encapsulation ppp down-when-looped no cdp enable ppp multilink ppp multilink group 2 ! -Jason Rodney Dunn wrote: The G1's with MLPPP should not be process switching the traffic. What is the config? The EC cards just offload the MLPPP to the new asic on the PA. Rodney On Wed, Mar 25, 2009 at 04:35:50PM -0400, Jason Berenson wrote: Greetings, I've got a 7206VXR NPE-G1 with a bunch of DS3 cards in it (PA-MC-T3). There's about 25 multilinks with an average of 2 T1s per bundle. I see a lot of process switching on the router and I have a feeling it's because we don't have the PA-MC-T3-EC card so the processor has to step in for the MLPPP. Is this the case? If I get some PA-MC-T3-EC cards to swap in, will that take a lot of load off the NPE-G1? Any output needed, please let me know. Thanks, Jason
Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ?
Netflow would be our first choice if possible... Paul -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Wilkinson, Alex Sent: Thursday, March 26, 2009 8:16 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Tracking bandwidth hogs ... any recommendations ? Hi all, I would like to put in place measures to be able to pin point the particular user(s) who are thrashing out our WAN connection. I am thinking ... Mirror all ports (SPAN) to a spare port and use trafshow to pinpoint the culprit. However, i am curious how others deal with this situation ? -aW
Re: [c-nsp] MLPPP
Rodney, It's running: 12.4(18a). I had to downgrade from the latest about 6 months ago because of a bug where 'show policy' would show no output even if QoS was working properly. router#show int mul2 stat Multilink2 Switching pathPkts In Chars In Pkts Out Chars Out Processor 0 0 0 0 Route cache 180493982931 25553 14234069 Total 180493982931 25553 14234069 router#show int mul2 stat Multilink2 Switching pathPkts In Chars In Pkts Out Chars Out Processor 0 0 0 0 Route cache 186014110973 26553 14682852 Total 186014110973 26553 14682852 fonseca#show cef in mul 2 Multilink2 is up (if_number 132) Corresponding hwidb fast_if_number 132 Corresponding hwidb firstsw-if_number 132 Internet address is 10.3.4.229/30 ICMP redirects are always sent Per packet load-sharing is disabled IP unicast RPF check is disabled Inbound access list is not set Outbound access list is not set Interface is marked as point to point interface Hardware idb is Multilink2 Fast switching type 7, interface type 105 IP CEF switching enabled IP CEF VPN Feature Fast switching turbo vector IP Null turbo vector VPN Forwarding table nypirg Input fast flags 0x1000, Input fast flags2 0x0, Output fast flags 0x4000, Output fast flags2 0x0 ifindex 127(127) Slot -1 Slot unit 2 Unit 2 VC -1 Transmit limit accumulator 0x0 (0x0) IP MTU 1500 Does that mean that there's no processor switching going on there? Why would a VRF make any difference to the MLPPP? I see the same outputs for a non VRF'd MLPPP. -Jason Rodney Dunn wrote: You have it in a VRF which really shouldn't cause an issue as it's tag2ip and ip2tag. What code is it? Make sure it's the latest 12.4 mainline as we did some work in 12.4 to make this work. Can you get a 'sh int mul 2 stat' after a clear counters...get it a few times and send it? Also, what are the other interface configs feeding this bundle? It could be features on them causing the punts. What does 'sh cef int' say? 
Rodney On Wed, Mar 25, 2009 at 05:03:03PM -0400, Jason Berenson wrote: Here's a sample: interface Multilink2 ip vrf forwarding VPN1 ip address x.x.x.x 255.255.255.252 no cdp enable ppp multilink ppp multilink group 2 service-policy output voice ! interface Serial6/0/25:0 no ip address encapsulation ppp down-when-looped no cdp enable ppp multilink ppp multilink group 2 ! interface Serial6/0/26:0 no ip address encapsulation ppp down-when-looped no cdp enable ppp multilink ppp multilink group 2 ! -Jason Rodney Dunn wrote: The G1's with MLPPP should not be process switching the traffic. What is the config? The EC cards just offload the MLPPP to the new asic on the PA. Rodney On Wed, Mar 25, 2009 at 04:35:50PM -0400, Jason Berenson wrote: Greetings, I've got a 7206VXR NPE-G1 with a bunch of DS3 cards in it (PA-MC-T3). There's about 25 multilinks with an average of 2 T1s per bundle. I see a lot of process switching on the router and I have a feeling it's because we don't have the PA-MC-T3-EC card so the processor has to step in for the MLPPP. Is this the case? If I get some PA-MC-T3-EC cards to swap in, will that take a lot of load off the NPE-G1? Any output needed, please let me know. Thanks, Jason
Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ?
Paul Stewart wrote: Netflow would be our first choice if possible... If you can monitor it on a single span port, iftop is nice, quick, easy, and free. Jeff
Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ?
On Thu, 26 Mar 2009, Paul Stewart wrote: Netflow would be our first choice if possible... +1 Definitely NetFlow. In a pinch, one could do 'show ip ca fl' over and over a few times to try and eyeball quickly rising counters, then isolate the interesting line by doing 'show ip ca fl | inc an IP address' to verify the type of traffic, etc for that IP. For something longer-term OSU/Google code flow-tools is a good option. Paul -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Wilkinson, Alex Sent: Thursday, March 26, 2009 8:16 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Tracking bandwidth hogs ... any recommendations ? Hi all, I would like to put in place measures to be able to pin point the particular user(s) who are thrashing out our WAN connection. I am thinking ... Mirror all ports (SPAN) to a spare port and use trafshow to pinpoint the culprit. However, i am curious how others deal with this situation ? -aW wfms
Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ?
To add to my previous note... Jeff Kell wrote: If you can monitor it on a single span port, iftop is nice, quick, easy, and free. Or ipaudit, if you want longer-term samples (provides 30-minute, daily, weekly). Jeff
Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ?
On Thursday 26 March 2009 08:15:45 Wilkinson, Alex wrote: I would like to put in place measures to be able to pin point the particular user(s) who are thrashing out our WAN connection. I am thinking However, i am curious how others deal with this situation ? NetFlow feeding nTop. (www.ntop.org). -- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 http://www.pari.edu
[c-nsp] Cisco and Foundry and MST
I'm working with a client that is migrating to Foundry from Cisco and they need to have interoperability on STP between the two vendors. I usually try to do MST when I can, usually in a cisco environment, so I'm pretty comfortable with it. Does anyone have any experience getting the 2 to play together? It's a critical environment, so minimal disruption is required. There is a core 6500 that can connects to a number of Cisco access switches, the Cisco 6500 also connects into the Foundry FESX switches. I wanted to go ahead and enable MST on the core 6500, and then working my way to the access layer (assuming the interoperability works just fine), and then the Foundry boxes. Just looking for any pro-pointers here to try to avoid baptism by fire! Thanks in advance. Nick Griffin Systems Consultant, CCIE RS 17381
Re: [c-nsp] MLPPP
On Thu, Mar 26, 2009 at 10:30:08AM -0400, Jason Berenson wrote: Rodney, It's running: 12.4(18a). I had to downgrade from the latest about 6 months ago because of a bug where 'show policy' would show no output even if QoS was working properly. router#show int mul2 stat Multilink2 Switching pathPkts In Chars In Pkts Out Chars Out Processor 0 0 0 0 Route cache 180493982931 25553 14234069 Total 180493982931 25553 14234069 router#show int mul2 stat Multilink2 Switching pathPkts In Chars In Pkts Out Chars Out Processor 0 0 0 0 Route cache 186014110973 26553 14682852 Total 186014110973 26553 14682852 fonseca#show cef in mul 2 Multilink2 is up (if_number 132) Corresponding hwidb fast_if_number 132 Corresponding hwidb firstsw-if_number 132 Internet address is 10.3.4.229/30 ICMP redirects are always sent Per packet load-sharing is disabled IP unicast RPF check is disabled Inbound access list is not set Outbound access list is not set Interface is marked as point to point interface Hardware idb is Multilink2 Fast switching type 7, interface type 105 IP CEF switching enabled IP CEF VPN Feature Fast switching turbo vector IP Null turbo vector VPN Forwarding table nypirg Input fast flags 0x1000, Input fast flags2 0x0, Output fast flags 0x4000, Output fast flags2 0x0 ifindex 127(127) Slot -1 Slot unit 2 Unit 2 VC -1 Transmit limit accumulator 0x0 (0x0) IP MTU 1500 Does that mean that there's no processor switching going on there? Yep. It's all being interrupt switched so you should be fine. Why would a VRF make any difference to the MLPPP? forwarding vectors are different. But in this code we have the hooks to do MPLSoMLPPP if that's what you were doing..which you are not. The vrf interface on a bundle isn't what we call MPLSoMLPPP...that's when you enable MPLS on the bundle. I see the same outputs for a non VRF'd MLPPP. It's working as it should. With the new PA the overall CPU would be less b/c the mlppp work is offloaded to an asic on the PA. 
-Jason Rodney Dunn wrote: You have it in a VRF which really shouldn't cause an issue as it's tag2ip and ip2tag. What code is it? Make sure it's the latest 12.4 mainline as we did some work in 12.4 to make this work. Can you get a 'sh int mul 2 stat' after a clear counters...get it a few times and send it? Also, what are the other interface configs feeding this bundle? It could be features on them causing the punts. What does 'sh cef int' say? Rodney On Wed, Mar 25, 2009 at 05:03:03PM -0400, Jason Berenson wrote: Here's a sample: interface Multilink2 ip vrf forwarding VPN1 ip address x.x.x.x 255.255.255.252 no cdp enable ppp multilink ppp multilink group 2 service-policy output voice ! interface Serial6/0/25:0 no ip address encapsulation ppp down-when-looped no cdp enable ppp multilink ppp multilink group 2 ! interface Serial6/0/26:0 no ip address encapsulation ppp down-when-looped no cdp enable ppp multilink ppp multilink group 2 ! -Jason Rodney Dunn wrote: The G1's with MLPPP should not be process switching the traffic. What is the config? The EC cards just offload the MLPPP to the new asic on the PA. Rodney On Wed, Mar 25, 2009 at 04:35:50PM -0400, Jason Berenson wrote: Greetings, I've got a 7206VXR NPE-G1 with a bunch of DS3 cards in it (PA-MC-T3). There's about 25 multilinks with an average of 2 T1s per bundle. I see a lot of process switching on the router and I have a feeling it's because we don't have the PA-MC-T3-EC card so the processor has to step in for the MLPPP. Is this the case? If I get some PA-MC-T3-EC cards to swap in, will that take a lot of load off the NPE-G1? Any output needed, please let me know. Thanks, Jason
Re: [c-nsp] Cisco and Foundry and MST
Hi Nick, I did something similar a while ago, so here are some thoughts. Plan for downtime :-( Don't expect it to be totally transparent, so make the changes in a maintenance window. I think SXH and later do a real standards compliant version of MSTP with interop with standard STP. Are you planning to use multiple instances, or just use one? Make sure that your instance 0 (ie the STP) is the same on both sides, and if you are only using one instance ensure it is 0 on both sides. Be aware of the differences between Cisco RSTP and A.N.Other Spanning tree in rapid mode. I realise I am teaching you to suck eggs here, but plan what devices are going to be the root and backup, and manually configure them. Hope this is useful. Ian -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp- boun...@puck.nether.net] On Behalf Of Nick Griffin Sent: 26 March 2009 16:48 To: cisco-nsp Subject: [c-nsp] Cisco and Foundry and MST I'm working with a client that is migrating to Foundry from Cisco and they need to have interoperability on STP between the two vendors. I usually try to do MST when I can, usually in a cisco environment, so I'm pretty comfortable with it. Does anyone have any experience getting the 2 to play together? It's a critical environment, so minimal disruption is required. There is a core 6500 that can connects to a number of Cisco access switches, the Cisco 6500 also connects into the Foundry FESX switches. I wanted to go ahead and enable MST on the core 6500, and then working my way to the access layer (assuming the interoperability works just fine), and then the Foundry boxes. Just looking for any pro-pointers here to try to avoid baptism by fire! Thanks in advance. 
Nick Griffin Systems Consultant, CCIE RS 17381
Re: [c-nsp] MLPPP
Rodney, With the PA-MC-T3-EC, any idea how much would be offloaded to the PA? The router is running at about 75% peak average utilization, which is a bit high considering it's mostly doing routing and not pushing more than 100Mbits. If this is being interrupt switched, I wouldn't expect the EC PA to help, right? -Jason Rodney Dunn wrote: On Thu, Mar 26, 2009 at 10:30:08AM -0400, Jason Berenson wrote: Rodney, It's running: 12.4(18a). I had to downgrade from the latest about 6 months ago because of a bug where 'show policy' would show no output even if QoS was working properly. router#show int mul2 stat Multilink2 Switching pathPkts In Chars In Pkts Out Chars Out Processor 0 0 0 0 Route cache 180493982931 25553 14234069 Total 180493982931 25553 14234069 router#show int mul2 stat Multilink2 Switching pathPkts In Chars In Pkts Out Chars Out Processor 0 0 0 0 Route cache 186014110973 26553 14682852 Total 186014110973 26553 14682852 fonseca#show cef in mul 2 Multilink2 is up (if_number 132) Corresponding hwidb fast_if_number 132 Corresponding hwidb firstsw-if_number 132 Internet address is 10.3.4.229/30 ICMP redirects are always sent Per packet load-sharing is disabled IP unicast RPF check is disabled Inbound access list is not set Outbound access list is not set Interface is marked as point to point interface Hardware idb is Multilink2 Fast switching type 7, interface type 105 IP CEF switching enabled IP CEF VPN Feature Fast switching turbo vector IP Null turbo vector VPN Forwarding table nypirg Input fast flags 0x1000, Input fast flags2 0x0, Output fast flags 0x4000, Output fast flags2 0x0 ifindex 127(127) Slot -1 Slot unit 2 Unit 2 VC -1 Transmit limit accumulator 0x0 (0x0) IP MTU 1500 Does that mean that there's no processor switching going on there? Yep. It's all being interrupt switched so you should be fine. Why would a VRF make any difference to the MLPPP? forwarding vectors are different.
But in this code we have the hooks to do MPLSoMLPPP if that's what you were doing..which you are not. The vrf interface on a bundle isn't what we call MPLSoMLPPP...that's when you enable MPLS on the bundle. I see the same outputs for a non VRF'd MLPPP. It's working as it should. With the new PA the overall CPU would be less b/c the mlppp work is offloaded to an asic on the PA. -Jason Rodney Dunn wrote: You have it in a VRF which really shouldn't cause an issue as it's tag2ip and ip2tag. What code is it? Make sure it's the latest 12.4 mainline as we did some work in 12.4 to make this work. Can you get a 'sh int mul 2 stat' after a clear counters...get it a few times and send it? Also, what are the other interface configs feeding this bundle? It could be features on them causing the punts. What does 'sh cef int' say? Rodney On Wed, Mar 25, 2009 at 05:03:03PM -0400, Jason Berenson wrote: Here's a sample: interface Multilink2 ip vrf forwarding VPN1 ip address x.x.x.x 255.255.255.252 no cdp enable ppp multilink ppp multilink group 2 service-policy output voice ! interface Serial6/0/25:0 no ip address encapsulation ppp down-when-looped no cdp enable ppp multilink ppp multilink group 2 ! interface Serial6/0/26:0 no ip address encapsulation ppp down-when-looped no cdp enable ppp multilink ppp multilink group 2 ! -Jason Rodney Dunn wrote: The G1's with MLPPP should not be process switching the traffic. What is the config? The EC cards just offload the MLPPP to the new asic on the PA. Rodney On Wed, Mar 25, 2009 at 04:35:50PM -0400, Jason Berenson wrote: Greetings, I've got a 7206VXR NPE-G1 with a bunch of DS3 cards in it (PA-MC-T3). There's about 25 multilinks with an average of 2 T1s per bundle. I see a lot of process switching on the router and I have a feeling it's because we don't have the PA-MC-T3-EC card so the processor has to step in for the MLPPP. Is this the case? If I get some PA-MC-T3-EC cards to swap in, will that take a lot of load off the NPE-G1? 
Any output needed, please let me know. Thanks, Jason ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Free/low-cost traffic generator?
Does anyone know of a free (open source or otherwise) or low cost traffic generator that we can use to stress test multiple gigabit links simultaneously? Ideally, it would be a software package that one can install on *nix/OSX/Windows.

Thanks!
Re: [c-nsp] Sending connected number from AS5350
[Reply to my own post]

I've tried more or less everything but failed, so I asked our supplier to just set COLP to temporary restricted.

Thanks for thinking with me.

--
Andreas Sikkema
Re: [c-nsp] Tracking bandwidth hogs ... any recommendations ?
You can turn up a NetFlow server which is at times complex or time consuming. A quick/dirty way to find out who is causing your issue may be just to enable ip route-cache flow on a L3 interface that his traffic is flowing through, then doing show ip cache flow - if he's sending out a ton of packets you may be able to catch it w/ this versus going the NetFlow route (NetFlow is much much better but unless you have a ton of unix/linux background getting the netflow collector/analyzer active may be a complex chore in itself..)

FYI I saw that SolarWinds just put out a free/30 day demo NetFlow collector/analyzer in the past few months you can try that for a quick Win32 NetFlow software solution to isolate this quick...

http://www.solarwinds.com/products/orion/nta/

Best of luck!
-Rich

On Thu, Mar 26, 2009 at 8:15 AM, Wilkinson, Alex alex.wilkin...@dsto.defence.gov.au wrote:
> Hi all,
>
> I would like to put in place measures to be able to pin point the particular user(s) who are thrashing out our WAN connection. I am thinking ... Mirror all ports (SPAN) to a spare port and use trafshow to pinpoint the culprit. However, I am curious how others deal with this situation ?
>
> -aW
Re: [c-nsp] Free/low-cost traffic generator?
Conficker is free and comes with unpatched Windows systems. :)

On a more serious note, what sort of traffic/apps are you testing? Voice? Web?

Inca wrote:
> Does anyone know of a free (open source or otherwise) or low cost traffic generator that we can use to stress test multiple gigabit links simultaneously? Ideally, it would be a software package that one can install on *nix/OSX/Windows.
>
> Thanks!
Re: [c-nsp] Free/low-cost traffic generator?
Hi,

> Does anyone know of a free (open source or otherwise) or low cost traffic generator that we can use to stress test multiple gigabit links simultaneously? Ideally, it would be a software package that one can install on *nix/OSX/Windows.

netperf? the Linux packet generator? what purpose? what do you want - lots of small SIP-style packets for QoS testing or lots of big FTP frames that suck up massive TCP windows?

alan
Re: [c-nsp] Free/low-cost traffic generator?
Inca wrote:
> Does anyone know of a free (open source or otherwise) or low cost traffic generator that we can use to stress test multiple gigabit links simultaneously? Ideally, it would be a software package that one can install on *nix/OSX/Windows.

iperf. Single binary application for both *nix and Windows.

Steve
Re: [c-nsp] Free/low-cost traffic generator?
On Thu, 2009-03-26 at 10:10 -0700, Inca wrote:
> Does anyone know of a free (open source or otherwise) or low cost traffic generator that we can use to stress test multiple gigabit links simultaneously? Ideally, it would be a software package that one can install on *nix/OSX/Windows.

Any non-small collection of Windows machines will do this all by themselves. :-)

Joke aside, you could use IPerf in UDP mode between two hosts:

  server$ iperf -s -u -p 4999
  client$ iperf -c server_ip -u -b 1000M -p 4999

If you just want to stress a link and don't care about measuring loss etc. you could use nc in UDP mode sourcing from /dev/zero:

  client$ dd if=/dev/zero count=66 bs=1500 | nc -u server_ip

You might face some problems trying to make PC hardware deliver multi gigabit loads, but several PCs in parallel can do it.

Regards,
Peter
Re: [c-nsp] Free/low-cost traffic generator?
d-itg http://www.grid.unina.it/software/ITG/link.php
pageant ios

On Thu, Mar 26, 2009 at 10:27 AM, Steve Bertrand st...@ibctech.ca wrote:
> Inca wrote:
>> Does anyone know of a free (open source or otherwise) or low cost traffic generator that we can use to stress test multiple gigabit links simultaneously? Ideally, it would be a software package that one can install on *nix/OSX/Windows.
>
> iperf. Single binary application for both *nix and Windows.
>
> Steve
Re: [c-nsp] mls cef max route
Hi Peter,

most of the resources are available

6500.LAB#sh platform hardware capacity pfc
L2 Forwarding Resources
  MAC Table usage: Module Collisions Total Used %Used
    50 65536 24 1%
  VPN CAM usage: Total Used %Used
    512 0 0%
L3 Forwarding Resources
  FIB TCAM usage: TotalUsed %Used
    72 bits (IPv4, MPLS, EoM) 524288 75 1%
    144 bits (IP mcast, IPv6) 262144 5 1%
  detail: ProtocolUsed %Used
    IPv4 43 1%
    MPLS 32 1%
    EoM0 0%
    IPv6 2 1%
    IPv4 mcast 3 1%
    IPv6 mcast 0 0%
  Adjacency usage: TotalUsed %Used
    1048576 239 1%
  Forwarding engine load: Module pps peak-pps peak-time
    5 17589 03:42:33 UTC Wed Mar 18 2009
Netflow Resources
  TCAM utilization: Module Created Failed %Used
    5 3 0 0%
  ICAM utilization: Module Created Failed %Used
    5 0 0 0%
  Flowmasks: Mask# TypeFeatures
    IPv4: 0 reservednone
    IPv4: 1 unused none
    IPv4: 2 unused none
    IPv4: 3 reservednone
    IPv6: 0 reservednone
    IPv6: 1 unused none
    IPv6: 2 unused none
    IPv6: 3 reservednone
CPU Rate Limiters Resources
  Rate limiters: Total Used Reserved %Used
    Layer 3 94 1 44%
    Layer 2 42 2 50%
ACL/QoS TCAM Resources
  Key: ACLent - ACL TCAM entries, ACLmsk - ACL TCAM masks, AND - ANDOR, QoSent - QoS TCAM entries, QOSmsk - QoS TCAM masks, OR - ORAND, Lbl-in - ingress label, Lbl-eg - egress label, LOUsrc - LOU source, LOUdst - LOU destination, ADJ - ACL adjacency
  Module ACLent ACLmsk QoSent QoSmsk Lbl-in Lbl-eg LOUsrc LOUdst AND OR ADJ
    5 1% 1% 1% 1% 1% 1% 0% 0% 0% 0% 1%
6500.LAB#
6500.LAB#
6500.LAB#sh tcam counts
  UsedFreePercent Used Reserved
  Labels:(in) 640900
  Labels:(eg) 240940
  ACL_TCAM
    Masks: 114085072
    Entries: 60 327080 576
  QOS_TCAM
    Masks: 74089018
    Entries: 32 327360 144
  LOU: 0 1280
  ANDOR: 0 160
  ORAND: 0 160
  ADJ: 320450
6500.LAB#

Regards,

On Thu, Mar 26, 2009 at 2:28 PM, Peter Rathlev pe...@rathlev.dk wrote:
> On Thu, 2009-03-26 at 10:36 +0530, Swati Sharma wrote:
>> Though I have just few routes still I am getting
>>
>> Mar 26 04:49:06.406 UTC: %MLSCEF-SP-4-FIB_EXCEPTION: FIB TCAM exception for IPv4 unicast, Some routes will be software switched. Use mls cef maximum-routes to modify FIB TCAM partition.
>>
>> 6500.LAB#sh mls cef maximum-routes
>> FIB TCAM maximum routes :
>> ===
>> Current :-
>> ---
>> IPv4 + MPLS - 512k (default)
>> IPv6 + IP Multicast - 256k (default)
>>
>> ... any idea !!!
>
> What does show tcam counts and show platform hardware capacity pfc say?
>
> Regards,
> Peter
Re: [c-nsp] Free/low-cost traffic generator?
Thanks for all of the responses. Some of them look interesting.

Ideally, we would like to send out multiple streams of traffic (both small and large packets) simultaneously through multiple gigabit interfaces. While QoS testing may be of interest later on, we mainly focus on seeing if some network gear can handle the load.
Re: [c-nsp] mls cef max route
Hi Gert,

6500.LAB#sh mls cef su
6500.LAB#sh mls cef summary
Total routes: 80
  IPv4 unicast routes: 43
  IPv4 Multicast routes: 3
  MPLS routes: 32
  IPv6 unicast routes: 2
  IPv6 multicast routes: 0
  EoM routes: 0
6500.LAB#

Regards,

On Thu, Mar 26, 2009 at 4:51 PM, Gert Doering g...@greenie.muc.de wrote:
> Hi,
>
> On Thu, Mar 26, 2009 at 10:36:20AM +0530, Swati Sharma wrote:
>> 6500.LAB#sh mls cef maximum-routes
>
> Try: sh mls cef su to see what IOS is thinking about TCAM usage.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW! // www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] MLPPP
> Rodney, With the PA-MC-T3-EC, any idea how much would be offloaded to the PA?

As always, your mileage will vary, but Cisco has some examples and estimates available at:

http://www.cisco.com/en/US/prod/collateral/modules/ps2033/prod_white_paper0900aecd8056d3cb.html

(Note you need the appropriate IOS level to gain the benefits).
[c-nsp] Stratum 0 PPS Hardware clock compatibility
I have found a lot of documentation online that states the 7200 is the only Cisco device that supports a PPS hardware clock via the Aux port. I see recommendations for Trimble Acutime 2000 since replaced by mfr. and other solutions but these documents are a few years old. Has this feature been added to other platforms such as the 6500 series?

~JasonG
[c-nsp] spanning-tree bpduguard vs. bpdufilter
When deploying our new network a few months ago, we set up Cisco Works to manage it. Cisco Works detected and flagged the lack of the following commands as configuration errors:

  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable

Thinking this recommendation came from Cisco Works, it follows that this would make sense to do, right? As some more information on the effect of these commands has come to light, this is really not a good idea. The commands almost seem to serve opposite purposes - one shuts the port down if a bpdu is detected, the other ostensibly ignores bpdus. Which one of these commands takes precedence? From what I understand, spanning-tree portfast will in effect serve the same purpose as spanning-tree bpdufilter enable IF the port is an active access port...is that correct?

Thanks
Steve

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
Re: [c-nsp] spanning-tree bpduguard vs. bpdufilter
Hi,

> spanning-tree bpduguard enable
> spanning-tree bpdufilter enable
>
> Thinking this recommendation came from Cisco Works, it follows that this would make sense to do, right? As some more information on the effect of these commands has come to light, this is really not a good idea. The commands almost seem to serve opposite purposes - one shuts the port down if a bpdu is detected, the other ostensibly ignores bpdus. Which one of these commands takes precedence? From what I understand, spanning-tree portfast will in effect serve the same purpose as spanning-tree bpdufilter enable IF the port is an active access port...is that correct?

no. spanning-tree portfast won't listen/discover/span. if you want it to do this, you need to have the global spanning-tree command

  spanning-tree portfast bpdufilter default

this will filter on portfast (what you alluded to).

however, if you have a switch in portfast mode then it should never receive a bpdu from that port - if it does then something ain't right on the network. so perhaps it is worth having protection - which is what bpduguard does.

incidentally, it appears that some of this behaviour changes from IOS to IOS - we had many links with spanning-tree portfast trunk enabled... and they got clobbered by bpduguard seeing bpdu coming down those links from the other end switch - which we knew about... caveat emptor etc

alan
Re: [c-nsp] BGP session resets if NLRI exchanged
Many thanks Harold! that does indeed look like the issue. We are using 32byte ASNs, but since the problem was occurring even after we filtered that advertisement we had begun looking elsewhere.

Paul.

Harold Ritter (hritter) wrote:
> Paul,
>
> You might be running into CSCsl72955. If so, you could try the workaround suggested by the following link or upgrade the code.
>
> http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl72955
>
> Regards
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Paul Cosgrove
> Sent: Wednesday, March 25, 2009 11:55 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] BGP session resets if NLRI exchanged
>
> We are attempting to establish a new BGP session between one of our CRS-1 routers, and a Redback SE800 router owned by another provider. Am not familiar with Redbacks myself and we have not peered with any before (as far as we know anyway).
>
> The BGP session only remains up if no NLRI is exchanged. If the other provider sends any prefixes to us we reply with an invalid length for attribute notification; if we send any prefixes to them they reply with invalid or corrupt AS path.
>
> The other provider uses VPNv4 within their network, though I understand that it is not configured on this peering. I'm wondering whether these errors could result if their router expects a RD (and sends one) on the advertisements, perhaps due to a software bug or typo in the config. Perhaps someone has seen this problem before?
>
> Paul.
Re: [c-nsp] spanning-tree bpduguard vs. bpdufilter
On Thu, Mar 26, 2009 at 4:29 PM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> spanning-tree bpduguard enable
>> spanning-tree bpdufilter enable
>>
>> Thinking this recommendation came from Cisco Works, it follows that this would make sense to do, right? As some more information on the effect of these commands has come to light, this is really not a good idea. The commands almost seem to serve opposite purposes - one shuts the port down if a bpdu is detected, the other ostensibly ignores bpdus. Which one of these commands takes precedence? From what I understand, spanning-tree portfast will in effect serve the same purpose as spanning-tree bpdufilter enable IF the port is an active access port...is that correct?
>
> no. spanning-tree portfast won't listen/discover/span. if you want it to do this, you need to have the global spanning-tree command

Right, it goes immediately from not active into forwarding state.

>   spanning-tree portfast bpdufilter default
>
> this will filter on portfast (what you alluded to).

So, I need to add this

  spanning-tree portfast bpdufilter default

if I want bpdufilter as the default condition of interfaces configured with portfast...correct? The question is, if I'm using bpduguard on an interface, is there any additional protection afforded by bpdufilter?

> however, if you have a switch in portfast mode then it should never receive a bpdu from that port - if it does then something ain't right on the network. so perhaps it is worth having protection - which is what bpduguard does.
>
> incidentally, it appears that some of this behaviour changes from IOS to IOS - we had many links with spanning-tree portfast trunk enabled... and they got clobbered by bpduguard seeing bpdu coming down those links from the other end switch - which we knew about... caveat emptor etc
>
> alan

I prefer the protection of bpduguard over bpdufilter. Sure, it's more drastic, but it's more idiot proof ...ok...idiot-resistant as well.

Thanks

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
Re: [c-nsp] spanning-tree bpduguard vs. bpdufilter
Hello

From experience, I can tell you that the bpdufilter command will override the bpduguard command. Bpdufilter effectively turns off spanning tree on a port, but portfast keeps spanning tree enabled on a port. With bpdufilter enabled there is nothing to protect you from a loop.

Thank You
Daniel Bielawa
Network Engineer
Liberty University Information Services

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steven Fischer
Sent: Thursday, March 26, 2009 4:06 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] spanning-tree bpduguard vs. bpdufilter

> When deploying our new network a few months ago, we set up Cisco Works to manage it. Cisco Works detected and flagged the lack of the following commands as configuration errors:
>
>   spanning-tree bpduguard enable
>   spanning-tree bpdufilter enable
>
> Thinking this recommendation came from Cisco Works, it follows that this would make sense to do, right? As some more information on the effect of these commands has come to light, this is really not a good idea. The commands almost seem to serve opposite purposes - one shuts the port down if a bpdu is detected, the other ostensibly ignores bpdus. Which one of these commands takes precedence? From what I understand, spanning-tree portfast will in effect serve the same purpose as spanning-tree bpdufilter enable IF the port is an active access port...is that correct?
>
> Thanks
> Steve
>
> --
> To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
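The combinations discussed in this thread (an interface carrying both commands, where per the reply above the filter overrides the guard; a filtered port with no loop protection; and portfast trunk links hit by bpduguard) can be looked for in saved configurations. This is an added example, not code from any poster or from Cisco: the sample configuration is constructed, the finding names are hypothetical, and it assumes the global bpduguard default applies to every portfast port while leaving the global portfast and bpdufilter defaults unmodelled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (not taken from any poster's network).
SAMPLE = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description user port, guard inherited from the global default
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description both commands applied together
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/4
 description link to another switch
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/5
 spanning-tree portfast
 spanning-tree bpduguard disable
!
"""

@dataclass
class Port:
    name: str
    portfast: bool = False             # any 'spanning-tree portfast' form
    portfast_trunk: bool = False       # 'spanning-tree portfast trunk'
    guard: Optional[str] = None        # 'enable', 'disable' or not configured
    bpdu_filter: Optional[str] = None  # 'enable', 'disable' or not configured

def parse(config):
    """Return (global_guard_default, ports) from running-config style text."""
    global_guard, ports, cur = False, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():       # unindented line: new top-level context
            m = re.fullmatch(r"interface\s+(\S+)", line)
            cur = Port(m.group(1)) if m else None
            if cur:
                ports.append(cur)
            elif line == "spanning-tree portfast bpduguard default":
                global_guard = True
            continue
        if cur is None:                # sub-command of a non-interface stanza
            continue
        if line in ("spanning-tree portfast", "spanning-tree portfast trunk"):
            cur.portfast = True
            cur.portfast_trunk = line.endswith("trunk")
        m = re.fullmatch(r"spanning-tree (bpduguard|bpdufilter) (enable|disable)", line)
        if m and m.group(1) == "bpduguard":
            cur.guard = m.group(2)
        elif m:
            cur.bpdu_filter = m.group(2)
    return global_guard, ports

def audit(config):
    """Return a sorted list of (interface, finding) tuples."""
    global_guard, ports = parse(config)
    findings = []
    for p in ports:
        # Assumption: the global default covers any portfast port unless
        # bpduguard is explicitly disabled on the interface.
        guard_on = p.guard == "enable" or (
            global_guard and p.portfast and p.guard != "disable")
        if p.bpdu_filter == "enable":
            # Per the thread: the filter wins, so a configured guard never
            # fires and nothing on this port protects against a loop.
            findings.append((p.name, "FILTER_OVERRIDES_GUARD" if guard_on
                             else "FILTER_NO_LOOP_PROTECTION"))
        elif guard_on and p.portfast_trunk:
            # A switch on the far end sends BPDUs and the guard shuts the link.
            findings.append((p.name, "GUARD_ON_PORTFAST_TRUNK"))
        elif p.portfast and not guard_on:
            findings.append((p.name, "PORTFAST_WITHOUT_GUARD"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name:24} {finding}")
```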
Re: [c-nsp] Cisco 887 CPE and 890series?!?!?!?!?!
Skeeve Stevens wrote:
> Seriously This is the biggest tease I've ever had!

Interesting sounding box. Glad to see the lack of those awful shared console/aux ports. GigE port to support the high-bandwidth demands of Metro Ethernet deployments on a low end software forwarding box, though? That's a bit of a joke isn't it? (unless I missed some amazing pps specification in the data sheet)

Regards,
Brad
Re: [c-nsp] Question about CBWFQ and PING times
Hi Peter,

Yes, it's a SPA in the SIP-400 that we add the service-policy to. DTS and hierarchical qos should be supported as per the data sheet, and I'll bring it up with our Cisco rep to see what the deal is.

> Consider the bandwidth parameter strictly informational.

How misleading is that then. When you issue the show policy-map command, it calculates the bandwidth % using what's set with the bandwidth interface command. I'll make a note to disregard this piece of cosmetic from cisco when using the show policy-map command.

Just a few things with the show policy-map command.

1/ There's an offered rate for each class - is this the amount of bandwidth the router is currently reserving for each class?

POP2#sh policy-map int g4/0/2
 GigabitEthernet4/0/2
  Service-policy output: POP2-POP1-QOS-POLICY
    Counters last updated 00:00:00 ago
    Class-map: POP2-POP1-PRIORITY-CLASS (match-all)
      299895137 packets, 119941773853 bytes
      30 second offered rate 1887000 bps, drop rate 0 bps
      Match: access-group name POP2-POP1-PRIORITY-ACL
      Queueing
      queue limit 2500 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 299892091/119940222481
      bandwidth 5% (1 kbps)
    Class-map: class-default (match-any)
      19483508661 packets, 15273909817898 bytes
      30 second offered rate 115958000 bps, drop rate 0 bps
      Match: any

POP2#sh access-lists POP2-POP1-PRIORITY-ACL
Extended IP access list POP2-POP1-PRIORITY-ACL
    20 permit ip 210.15.254.0 0.0.0.255 any
    30 permit ip 203.10.110.0 0.0.0.255 any
    40 permit ip 210.15.210.0 0.0.0.255 any
    50 permit ip 203.17.103.0 0.0.0.255 any
    60 permit icmp any any

2/ One odd thing I've found is that when I permit additional icmp's to the ACL, the offered rate rapidly decreases until the offered rate is ZERO.

    70 permit icmp any any echo-reply
    80 permit icmp any any traceroute

POP2#sh policy-map int g4/0/2
 GigabitEthernet4/0/2
  Service-policy output: POP2-POP1-QOS-POLICY
    Counters last updated 00:00:00 ago
    Class-map: POP2-POP1-PRIORITY-CLASS (match-all)
      300148641 packets, 120077235727 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group name POP2-POP1-PRIORITY-ACL
      Queueing
      queue limit 2500 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 300150499/120077414678
      bandwidth 5% (1 kbps)
    Class-map: class-default (match-any)
      19493929309 packets, 15281493202187 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

The throughput on the interface is still as expected.

POP2#sh int g4/0/2
  30 second input rate 50875000 bits/sec, 18880 packets/sec
  30 second output rate 117992000 bits/sec, 20690 packets/sec

Why does adding the extra icmp lines in the ACL cause the offered rate to be zero in both classes???

Cheers.
Andy
Re: [c-nsp] QoS on Tunnel Interfaces w/ DSL
Hi,

This depends whether you want to do QoS based on tos bit or source / destination ip... if it is based on tos bit, u do not need to do anything and if it is based on S/S ip use QoS-pre classify command..

Regards,

Date: Wed, 25 Mar 2009 08:11:20 -0400
From: Jeff Cartier jcart...@acs.on.ca
Subject: [c-nsp] QoS on Tunnel Interfaces w/ DSL
To: cisco-nsp@puck.nether.net

> Greetings All,
>
> I was wondering if anyone had any examples of how to impose QoS on a Site that would be doing IPSec VPN tunnels to another site via a standard DSL feed. I'm curious to see if best-practice is to place the policy-shaping on the interface tunnel and/or the Internet interface.
>
> Thanks!
[c-nsp] qos on standard ethernet port for me3750
Hello:

Did anyone have experiences with QoS on ME3750 standard port (not ES port), it looks like that it does not support CBWFQ, how about SRR and priority queueing, is priority queue on the first queue?

thx,
~mike
Re: [c-nsp] qos on standard ethernet port for me3750
Michael Lee wrote:
> Did anyone have experiences with QoS on ME3750 standard port (not ES port), it looks like that it does not support CBWFQ, how about SRR and priority queueing, is priority queue on the first queue?

Yes it supports SRR (sharing and shaping) and priority queueing. And yes, the priority queue is queue 1 if enabled on the port (priority-queue out)

Regards,
Brad