Re: [c-nsp] Mac address flapping..

2009-07-13 Thread A . L . M . Buxey
hi,


i originally thought on the same lines too - but then having
been told this still happens if there's only one link
to the 4500s to the client - which makes the 6506-b almost
a router at the end of a stick for that network, things started
to look a little 'wonky'.  it wouldn't be taking traffic from
another port(?).

as far as i now see, you have 2 routers, A and B.   A has the feed to
the switch (and the only physical link to the customer) whilst
B is connected to A via a portchannel and trunk link. a MAC for
vlan042 is still flipping between the down-link from A and the
link from A to B.  now, from my deepest memories I've seen this sort
of thing happen on our campus in the past... i've got some feeling that
somewhere, that VLAN is being fed into your network as another VLAN
and therefore the MAC is squirting back out and through - e.g. native vlan 042
is patched to vlan 1 or somesuch elsewhere, therefore the MAC is seen
coming back t'other way

alan
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] VSS out-of-band mgmt

2009-07-13 Thread Holemans Wim
I have a VSS router that I want to do some out-of-band mgmt with. Is
this possible with VRF-lite ? I would like to build a channel with the
UTP ports on the sup720, give the VSS an address on this trunk but keep
this interface out of the standard routing table. Can this be done with
VRF-lite ? Or is there another way to do out-of-band mgmt of a VSS
cluster? 

 

Greetings,

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 



Re: [c-nsp] Mac address flapping..

2009-07-13 Thread Mateusz Blaszczyk
Alan,

But why is only 1 MAC flapping?

HSRP sends dest-mac as a multicast address so there are clearly 2 paths
between these switches.
Unless the connection is unidirectional somehow, how on earth doesn't he
see the same on the second 6509-b?

It's confusing.

-mat


Re: [c-nsp] IP multicast traffic overwhelms switches

2009-07-13 Thread victor
On Sat, 11 Jul 2009 00:00:00 +0400, Łukasz Bromirski  
luk...@bromirski.net wrote:


Thank you guys who cared to contribute to the solution of the problem.
There is a list of possible reasons for doing multicast L3 switching in
software. They are described in the related software configuration guides
for the platforms.
In my case it was a misconfigured RP address. I shouldn't have put the HSRP
address as ip pim send-rp-announce. I fixed that and now everything is
OK.



On 2009-07-10 18:12, victor wrote:


We are getting a residential triple-play network ready for launch.
As part of my job I'm conducting various tests on its performance,
delays, etc. before we go into production. Today was the multicast time
and testing it I got very discouraging results. Under a very moderate load
of 15 IPTV streams (each approximately 1-1.5 Mbps) the CPU gauge on the
core C7604 increased by 15%


What's the software version on the 7604, Sup model and LCs used?

Can you show the output of 'show platform hardware capacity' for the
box and 'sh proc cpu sorted'? Also 'sh ip pim int x/y count'
for the ports that multicast traffic is flowing through?

  but on the distribution C4924 hit 50% from zero!

Clearly there's a problem with moving traffic in hardware.

Can you also drop a 'show ip mroute count' from both boxes?




--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

Re: [c-nsp] Help with output drops

2009-07-13 Thread Randy McAnally
Hi Tony,

After disabling QoS there are no longer any output drops.  Thanks for the
suggestion.

Are there any features that rely on QoS, or is it a default setting?  I'm
trying to figure out something reasonable as to why it was enabled in the
first place.

--
Randy

-- Original Message ---
From: Tony td_mi...@yahoo.com
To: cisco-nsp@puck.nether.net, Randy McAnally r...@fast-serv.com
Sent: Sun, 12 Jul 2009 23:21:47 -0700 (PDT)
Subject: Re: [c-nsp] Help with output drops

 Hi Randy,
 
 Is QoS enabled ? What does show mls qos tell you ?
 
 Do you need QOS at all ? If not, disable it globally (no mls qos)
  and your problem might just go away if it's being caused by queue 
 threshold defaults..
 
 If it's a production switch, do it during a scheduled maintenance
 period as it might disrupt traffic for a second.
 
 regards,
 Tony.
 
 --- On Mon, 13/7/09, Randy McAnally r...@fast-serv.com wrote:
 
  From: Randy McAnally r...@fast-serv.com
  Subject: [c-nsp] Help with output drops
  To: cisco-nsp@puck.nether.net
  Date: Monday, 13 July, 2009, 1:51 PM
  Hi all,
  
  I just finished installing and configuring a new 6509 with
  dual sup7203bxl
  (12.2(18)SXF15a) and a 6724 linecards.  It serves a
  simple purpose of
  maintaining a single BGP session, and managing layer3
  (vlans) for various
  access switches.  No end devices are connected.
  
  The problem is that we are getting constant output drops
  when our gig-E uplink
  goes above ~400 mbps.  Nowhere near the interface
  speed!  See below, take note
  of massive 'Total output drops' with no other errors (on
  either end):
  
   rtr1.ash#sh int g1/1
   GigabitEthernet1/1 is up, line protocol is up (connected)
     Hardware is C6k 1000Mb 802.3, address is 00d0.01ff.5800 (bia 00d0.01ff.5800)
     Description: PTP-UPLINK
     Internet address is 209.9.224.68/29
     MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
        reliability 255/255, txload 118/255, rxload 12/255
     Encapsulation ARPA, loopback not set
     Keepalive set (10 sec)
     Full-duplex, 1000Mb/s, media type is T
     input flow-control is off, output flow-control is off
     Clock mode is auto
     ARP type: ARPA, ARP Timeout 04:00:00
     Last input 00:00:00, output 00:00:01, output hang never
     Last clearing of show interface counters 05:01:25
     Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 718023
     Queueing strategy: fifo
     Output queue: 0/100 (size/max)
     30 second input rate 47789000 bits/sec, 30797 packets/sec
     30 second output rate 465362000 bits/sec, 48729 packets/sec
     L2 Switched: ucast: 27775 pkt, 2136621 bytes - mcast: 24590 pkt, 1574763 bytes
     L3 in Switched: ucast: 592150327 pkt, 95608889548 bytes - mcast: 0 pkt, 0 bytes mcast
     L3 out Switched: ucast: 991372425 pkt, 1214882993007 bytes mcast: 0 pkt, 0 bytes
        592554441 packets input, 95674494492 bytes, 0 no buffer
        Received 33643 broadcasts (17872 IP multicasts)
        0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
        0 watchdog, 0 multicast, 0 pause input
        0 input packets with dribble condition detected
        991006394 packets output, 1214377864373 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collision, 0 deferred
        0 lost carrier, 0 no carrier, 0 PAUSE output
        0 output buffer failures, 0 output buffers swapped out

   The CPU usage is nil:

   rtr1.ash#sh proc cpu sort
   CPU utilization for five seconds: 1%/0%; one minute: 0%; five minutes: 0%
    PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
      6     3036624    252272      12037  0.47%  0.19%  0.18%   0 Check heaps
    316      195004     99543       1958  0.15%  0.01%  0.00%   0 BGP Scanner
    119      267568   2962884         90  0.15%  0.03%  0.02%   0 IP Input
    172      413528   2134933        193  0.07%  0.03%  0.02%   0 CEF process
      4          16     48214          0  0.00%  0.00%  0.00%   0 cpf_process_ipcQ
      3           0         2          0  0.00%  0.00%  0.00%   0 cpf_process_msg_
      5           0         1          0  0.00%  0.00%  0.00%   0 PF Redun ICC Req
      2         772    298376          2  0.00%  0.00%  0.00%   0 Load Meter
      9       23964    157684        151  0.00%  0.01%  0.00%   0 ARP Input
      7           0         1          0  0.00%  0.00%  0.00%   0 Pool Manager
      8           0         2          0  0.00%  0.00%  0.00%   0 Timers
   snip

   I THINK I have determined the drops are caused by buffer congestion on the port:

   rtr1.ash#sh queueing interface gigabitEthernet 1/1
   Interface GigabitEthernet1/1 queueing strategy: Weighted Round-Robin
     Port QoS is enabled
     Port is untrusted
     Extend trust state: not trusted [COS = 0]

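An added example, not part of Randy's or Tony's posts: a Python triage of 'show interface' counters that separates the pattern in this thread (output drops with zero output errors on a link running well under line rate, which points at egress queue thresholds such as the mls qos defaults) from plain link saturation or physical errors. The sample text is constructed from the values in Randy's output, trimmed to the lines the parser uses; the 80% utilization cut-off and all names are my own assumptions.

```python
"""Triage 'show interface' counters for the pattern in this thread: output
drops climbing on a link that shows no errors and runs well under line rate,
which points at egress queue/threshold configuration (here the mls qos
defaults) rather than at a saturated or faulty link. Added example, not from
the list posting."""
import re
from dataclasses import dataclass

# Constructed from the values in Randy's output, trimmed to the lines used here.
SAMPLE_SHOW_INT = """\
GigabitEthernet1/1 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is T
  Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 718023
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  30 second input rate 47789000 bits/sec, 30797 packets/sec
  30 second output rate 465362000 bits/sec, 48729 packets/sec
     592554441 packets input, 95674494492 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     991006394 packets output, 1214377864373 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
"""

# Assumed cut-off: above this share of line rate, drops are attributed to the
# link simply being full rather than to queue thresholds.
SATURATION_THRESHOLD = 0.8


@dataclass
class Triage:
    interface: str
    speed_bps: int
    output_rate_bps: int
    output_drops: int
    packets_output: int
    output_errors: int

    @property
    def utilization(self) -> float:
        """Fraction of line rate in use on the egress side."""
        return self.output_rate_bps / self.speed_bps

    @property
    def drop_ratio(self) -> float:
        """Output drops per packet sent since the counters were cleared."""
        return self.output_drops / self.packets_output if self.packets_output else 0.0

    @property
    def verdict(self) -> str:
        if self.output_errors:
            return "errors"       # physical-layer problem: chase that first
        if self.output_drops == 0:
            return "clean"
        if self.utilization >= SATURATION_THRESHOLD:
            return "saturation"   # the link really is full
        return "queueing"         # drops far below line rate: egress queue thresholds


def _grab(pattern: str, text: str, cast=int):
    """Return the first capture group of `pattern`, or raise if it is absent."""
    match = re.search(pattern, text)
    if match is None:
        raise ValueError(f"field not found: {pattern!r}")
    return cast(match.group(1))


def triage(show_int: str) -> Triage:
    """Parse the fields needed for the verdict out of 'show interface' text."""
    return Triage(
        interface=_grab(r"^(\S+) is up", show_int, str),
        speed_bps=_grab(r"duplex, (\d+)Mb/s", show_int) * 1_000_000,
        output_rate_bps=_grab(r"output rate (\d+) bits/sec", show_int),
        output_drops=_grab(r"Total output drops: (\d+)", show_int),
        packets_output=_grab(r"(\d+) packets output", show_int),
        output_errors=_grab(r"(\d+) output errors", show_int),
    )


if __name__ == "__main__":
    t = triage(SAMPLE_SHOW_INT)
    print(f"{t.interface}: {t.utilization:.1%} of line rate, "
          f"{t.drop_ratio:.2e} drops/packet -> {t.verdict}")
```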
Re: [c-nsp] Mac address flapping..

2009-07-13 Thread James Ashton
The most confusing thing is..   The MAC that is flapping is the MAC address for
the VLAN interface (VLAN 42 of course) from 6509-b.   But I am only seeing the
log entries on 6509-a.


I am looking at the entire path of the VLAN now.  Maybe it is patched into
another VLAN at some point that I am not aware of.
That would make life SOOO much easier...  If it's not, then I think I am left
with an IOS bug...


James


Re: [c-nsp] Mac address flapping..

2009-07-13 Thread James Ashton
Alan,

You guessed it.   The customer had vlan 42 and another vlan tied together in 
their switch.  That’s where the errors were coming from.


Thanks for all of the ideas.

James




Re: [c-nsp] Mac address flapping..

2009-07-13 Thread A . L . M . Buxey
Hi,

 You guessed it.   The customer had vlan 42 and another vlan tied together in 
 their switch.  That’s where the errors were coming from.
 
 
 Thanks for all of the ideas.

yay - I get a +1 NSP score - that's cool you've sorted it anyway.

and anyway - this thread has been VERY useful to me
because of a couple of the URLs that got posted regarding platform
limits

alan

[c-nsp] Power Upgrade 7600

2009-07-13 Thread Paul Stewart
Hey folks..

 

Does anyone know how the 7600 chassis (7606) handles power imbalance?  To
explain a bit more, we have a pair of 2700 Watt DC power supplies in a 7606
that need to be upgraded soon.  To avoid downtime, we are looking at
upgrading one side and then the other.  They are running in redundant mode
currently.

 

So, can you install a larger power supply on one side and then the other
without any effect?

 

Thanks in advance,

 

Paul



Re: [c-nsp] Extended demarc

2009-07-13 Thread Pete Templin

james edwards wrote:

What is a real-world limit on how far you can extend the demarc? This is on
Cat5e cable. I get wildly different figures from Google.


Late to the dance, so blame my vacation...

For T1s, Kentrox had a great white paper showing that you can go 
1000-2000 feet on Cat5 cable.  To go farther, up to about 6000', you'd 
need individually-shielded twisted pair cable (ISTP), to keep the 
transmit-motivated electrons from corrupting the wimpy receive-side 
electrons on the nearby pair.


pt



Re: [c-nsp] Power Upgrade 7600

2009-07-13 Thread Mikael Abrahamsson

On Mon, 13 Jul 2009, Paul Stewart wrote:

So, can you install a larger power supply on one side and then the other 
without any effect?


Yes, but you have to switch it to combined power mode before putting in 
the higher rated one, power it up, check that everything looks ok, take 
out the smaller one, put in the equivalent other bigger one, check that 
everything looks ok, then switch back to redundant mode.


--
Mikael Abrahamssonemail: swm...@swm.pp.se


Re: [c-nsp] IGMP snooping ME6500

2009-07-13 Thread Adrian Minta

Tim Stevenson wrote:
Note that you can have a pim-enabled interface with ip 
multicast-routing disabled and that should work too - though then the 
RP CPU will be setting up state (at L3) for no particularly good 
reason. The querier function is to avoid all that. Let us know if it 
improves things.


Tim


No, it didn't do any good :(

Right now this is my config:
!
vlan 200
 name ipTV1
!
vlan 201
 name ipTV2
!
...
!
interface Vlan200
 ip address 10.201.0.2 255.255.255.0
 ip igmp snooping querier
 shutdown
end
!
interface Vlan201
 ip address 10.201.1.2 255.255.255.0
 ip igmp snooping querier
 shutdown
end

A switch linked with the ME6500 by a trunk still receives all the active IPTV
traffic, even if the above VLANs are not even present in its config.


--
Best regards,
Adrian MintaMA3173-RIPE, MA314-ROTLD, www.minta.ro 






Re: [c-nsp] VSS out-of-band mgmt

2009-07-13 Thread Alasdair McWilliam

Yes, a management VRF will do exactly what you want :-)

Al






Re: [c-nsp] IGMP snooping ME6500

2009-07-13 Thread Tim Stevenson
Please do a sh ip igmp snooping mrouter - is the trunk being learned 
as a mrouter port? Note that mrouter ports get all multicast traffic 
for all groups.


Tim

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759

The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.


Re: [c-nsp] IGMP snooping ME6500

2009-07-13 Thread Adrian Minta

Tim Stevenson wrote:
Please do a sh ip igmp snooping mrouter - is the trunk being learned 
as a mrouter port? Note that mrouter ports get all multicast traffic 
for all groups.


Tim


#sh ip igmp snooping mrouter
vlan    ports
----+-----------
200     Gi1/26
201     Gi1/26
202     Gi1/26

The IPTV router is on interface Gi1/26. This is good.
On Gig 1/29 we have one of the victim switches without the 200-202 vlans.
At peak hour more than 250Mbps of traffic floods the victim without going
out on any port. Luckily it doesn't go to the victim's CPU.


--
Best regards,
Adrian MintaMA3173-RIPE, MA314-ROTLD, www.minta.ro 






Re: [c-nsp] VSS out-of-band mgmt

2009-07-13 Thread Buhrmaster, Gary
 Yes, a management VRF will do exactly what you want :-)

Perhaps things have improved, but at one time for the 6500
platform certain functions could only be performed in the
native(? is that the right word) context, and you needed
to place all the rest of your traffic/interfaces in a VRF
leaving the native context for management (sort of the
reverse of your proposal, instead have a Internet VRF
for everything except for management).

Have the latest IOS versions eliminated those challenges
on the 6500?

Gary


Re: [c-nsp] VSS out-of-band mgmt

2009-07-13 Thread Peter Rathlev
On Mon, 2009-07-13 at 10:47 -0700, Buhrmaster, Gary wrote:
 Perhaps things have improved, but at one time for the 6500
 platform certain functions could only be performed in the
 native(? is that the right word) context, and you needed
 to place all the rest of your traffic/interfaces in a VRF
 leaving the native context for management (sort of the
 reverse of your proposal, instead have a Internet VRF
 for everything except for management).
 
 Have the latest IOS versions eliminated those challenges
 on the 6500?

Not that I know of. RADIUS and SNMP can take a VRF argument but neither
syslogging, TACACS nor Netflow can AFAICT. It doesn't seem to have
changed between SXF and SXI.

OTOH a serial OOB method couldn't easily transport these protocols
either.

Regards,
Peter




Re: [c-nsp] VSS out-of-band mgmt

2009-07-13 Thread Peter Rathlev
On Mon, 2009-07-13 at 14:03 +0200, Holemans Wim wrote:
 I have a VSS router that I want to do some out-of-band mgmt with. Is
 this possible with VRF-lite ? I would like to build a channel with the
 UTP ports on the sup720, give the VSS an address on this trunk but
 keep this interface out of the standard routing table. Can this be
 done with VRF-lite ? Or is there another way to do out-of-band mgmt of
 a VSS cluster? 

Remember that if you want to manage the device from a VRF and use ACLs
on your VTYs, you need the vrf-also statement to actually accept
traffic from VRFs at all:

And otherwise yes, just create a VRF without route-target statements and
include only your specific management interface in this VRF, with a
default route pointing out of there. So something along the lines of:

ip vrf management
 rd 64512:1
 exit
!
interface GigabitEthernet5/1
 description OOB Management
 no switchport
 ip vrf forwarding management
 ip address 10.0.0.10 255.255.255.0
 no shutdown
 exit
!
ip route vrf management 0.0.0.0 0.0.0.0 GigabitEthernet5/1 10.0.0.10
!
access-list 99 permit 172.16.0.0 0.0.0.255
!
line vty 0 15
 access-class 99 in vrf-also
 exit
!


Regards,
Peter

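As an added example (not from the list or from Peter's post): a small Python linter that reads an IOS-style config and checks the points Peter's snippet covers, namely that the VRF exists and carries no route-targets, that at least one interface with an address is placed in it, that a VRF default route exists, and that every vty access-class carries vrf-also so sessions arriving through the VRF are accepted at all. The config strings are constructed to mirror Peter's snippet; the function and field names are my own assumptions.

```python
"""Lint an IOS-style config for a management VRF, following the checks in the
thread: the VRF is defined and has no route-targets (so it stays isolated), an
interface with an address is placed in it, a VRF default route exists, and
every vty access-class carries vrf-also so sessions arriving via the VRF are
accepted at all. Added example; names below are my own, not Cisco's."""
from typing import Dict, List, Tuple

# Constructed sample mirroring the config in the thread.
GOOD_CONFIG = """\
ip vrf management
 rd 64512:1
 exit
!
interface GigabitEthernet5/1
 description OOB Management
 no switchport
 ip vrf forwarding management
 ip address 10.0.0.10 255.255.255.0
 no shutdown
 exit
!
ip route vrf management 0.0.0.0 0.0.0.0 GigabitEthernet5/1 10.0.0.10
!
access-list 99 permit 172.16.0.0 0.0.0.255
!
line vty 0 15
 access-class 99 in vrf-also
 exit
!
"""

# Constructed variant with two mistakes: a route-target on the management VRF
# and a vty access-class without vrf-also.
WEAK_CONFIG = GOOD_CONFIG.replace(
    " rd 64512:1\n", " rd 64512:1\n route-target export 64512:1\n"
).replace(" access-class 99 in vrf-also", " access-class 99 in")


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level line, [indented child lines])."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line, []))
    return sections


def lint_mgmt_vrf(config: str, vrf: str = "management") -> Dict[str, object]:
    """Return what was found for `vrf` plus a list of human-readable findings."""
    findings: List[str] = []
    interfaces: List[str] = []
    vrf_defined = default_route = False

    for header, children in parse_sections(config):
        if header in (f"ip vrf {vrf}", f"vrf definition {vrf}"):
            vrf_defined = True
            if any(c.startswith("route-target") for c in children):
                findings.append(f"VRF {vrf} has route-targets; an OOB VRF should import/export nothing")
        elif header.startswith("interface "):
            name = header.split(None, 1)[1]
            if f"ip vrf forwarding {vrf}" in children or f"vrf forwarding {vrf}" in children:
                interfaces.append(name)
                if not any(c.startswith("ip address ") for c in children):
                    findings.append(f"{name} is in VRF {vrf} but has no IP address")
                if "shutdown" in children:
                    findings.append(f"{name} is in VRF {vrf} but is shut down")
        elif header.startswith(f"ip route vrf {vrf} 0.0.0.0 0.0.0.0 "):
            default_route = True
        elif header.startswith("line vty"):
            # inbound access-class lines: "access-class <acl> in [vrf-also]"
            acls = [c for c in children
                    if c.startswith("access-class ") and c.split()[2:3] == ["in"]]
            if not acls:
                findings.append(f"{header} has no inbound access-class")
            for acl in acls:
                if not acl.endswith(" vrf-also"):
                    findings.append(f"{header}: '{acl}' lacks vrf-also, so sessions from VRF {vrf} are refused")

    if not vrf_defined:
        findings.append(f"VRF {vrf} is not defined")
    if not interfaces:
        findings.append(f"no interface is placed in VRF {vrf}")
    if not default_route:
        findings.append(f"VRF {vrf} has no default route")
    return {"vrf_defined": vrf_defined, "interfaces": interfaces,
            "default_route": default_route, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, "->", lint_mgmt_vrf(cfg)["findings"] or ["no findings"])
```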



[c-nsp] Software Download Area is Unavailable at this time

2009-07-13 Thread Jared Mauch
We apologize for any inconvenience. Software Download Area is  
unavailable at this time.



New enhanced features for downloading software have arrived.
Get a sneak preview here.


If you are receiving an Error while downloading software and used a  
home address in your profile, please provide your business address to  
correct the error and gain access to download the software.




-- snip --



Anyone know how Cisco intends to distribute software?  This seems to
be the lead-in deployment for making software unavailable for me.




- Jared




Re: [c-nsp] IGMP snooping ME6500

2009-07-13 Thread Tim Stevenson
Ok - if you have mrouter ports being learned, then the upstream
router should be sending IGMP queries already; IGMP snooping querier
is not required.


You may want to check the IGMP snooping stats and see what type of
joins etc. are being seen on 1/26. Also what is the downstream switch
doing from a snooping standpoint?


Probably you should just open a case w/TAC to get to the bottom of this one.
Tim

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759

The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.


Re: [c-nsp] Software Download Area is Unavailable at this time

2009-07-13 Thread Christian Koch
I am still able to DL code via FTP , their web UI stinks anyways.. why
bother?



[c-nsp] ASA IPsec Tunnel Failover

2009-07-13 Thread Munoz, Jeff
Hey guys, I have two main sites (site A and site B) and one remote site (site
C).  Sites A and B have a metro Ethernet connection between them.  Remote site C
has an IPsec tunnel back to site A.  I'd like to set up failover so in case site
A's ASA is down the remote site C ASA sends the interesting traffic down the
site B IPsec tunnel.  Unfortunately, it will always match the tunnel to site A
since the phase 2 access lists have the same source/destinations.  Any ideas on
how I can do this?

Thanks!

Jeff


Re: [c-nsp] Software Download Area is Unavailable at this time

2009-07-13 Thread Peter Rathlev
On Mon, 2009-07-13 at 15:45 -0400, Jared Mauch wrote:
 We apologize for any inconvenience. Software Download Area is  
 unavailable at this time.

Same here.

 New enhanced features for downloading software have arrived.
 Get a sneak preview here.

That video almost made me puke when I saw it first.

 Anyone know how Cisco intends to distribute software?  This seems to
 be the lead-in deployment for making software unavailable for me.

I just finished writing a 2500 character rant to our AM asking him to
deliver the message to the relevant people at Cisco. As soon as my boss
accepts the wording I will send it.

Whereas I previously thought oh a little javascript is no big deal I
can now clearly see how this will end up making our daily routines near
impossible.

Regards,
Peter




[c-nsp] disable break on boot for IOS??

2009-07-13 Thread neal rauhauser
   I have a situation with a former employee who still has legitimate
physical access to a shared space where we have some Cisco equipment. Today
one of our field guys located a UBR924 attached to our cable modem plant
with the cutest little rogue Linux machine attached to its ethernet port.

   I had them recover the router's password as the first step and now I'm
puzzling over this:

http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml


   I recall that a machine can be set such that the break during boot will
not permit password recovery, but it isn't clear to me how I do it. I'd
really like to get this machine secured so I can dig in to what he is doing.
I'd already isolated this cable plant because I knew intrusion was possible
but I want to see what other mischief he uses our facilities for - a little
spice for the already meaty intrusion case against him this spring.

-- 
mailto:n...@layer3arts.com //
GoogleTalk: nrauhau...@gmail.com
IM: nealrauhauser


Re: [c-nsp] Software Download Area is Unavailable at this time

2009-07-13 Thread Jared Mauch

Crypto software is not available via FTP.

Jared Mauch

On Jul 13, 2009, at 4:18 PM, Christian Koch christ...@automatick.net  
wrote:


I am still able to DL code via FTP , their web UI stinks anyways..  
why bother?


On Mon, Jul 13, 2009 at 12:45 PM, Jared Mauch  
ja...@puck.nether.net wrote:
We apologize for any inconvenience. Software Download Area is  
unavailable at this time.



New enhanced features for downloading software have arrived.
Get a sneak preview here.


If you are receiving an Error while downloading software and used a  
home address in your profile, please provide your business address  
to correct the error and gain access to download the software.




-- snip --



Anyone know how Cisco intends to distribute software?  This seems
to be the lead-in deployment for making software unavailable for me.




   - Jared




Re: [c-nsp] disable break on boot for IOS??

2009-07-13 Thread A . L . M . Buxey
Hi,

I have a situation with a former employee who still has legitimate
 physical access to a shared space where we have some Cisco equipment. Today
 one of our field guys located a UBR924 attached to our cable modem plant
 with the cutest little rogue Linux machine attached to its ethernet port.

do you have any proof on the install time of this box?
it could have been a legitimate install done during their time
at your place - and may have been used for eg remote access login
during times of issue - especially if the place has draconian
law about supported/allowed devices. i have several Linux boxes
that have saved my bacon countless times with their serial
interface.
 
I recall that a machine can be set such that the break during boot will
 not permit password recovery, but it isn't clear to me how I do it. I'd

disabling password recovery? it's a one-way process - once done there is no way
back. TACACS+ authentication is a way to handle all authentication
via vty/con/etc. if the password recovery mech is set there is no way to unset it
without a visit to the factory.

 really like to get this machine secured so I can dig in to what he is doing.

grab the linux box and use many of the boot CD methods to get access.
read the shell history, see the tools present etc.

alan


Re: [c-nsp] disable break on boot for IOS??

2009-07-13 Thread Matthew Huff
If you are running a newer IOS and newer ROMMON you can disable
password-recover (i.e. break during boot) using no service password-recovery.
Make sure to read
http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html
completely; you can brick a router otherwise.





Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of neal rauhauser
 Sent: Monday, July 13, 2009 5:11 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] disable break on boot for IOS??

 I have a situation with a former employee who still has legitimate
 physical access to a shared space where we have some Cisco equipment. Today
 one of our field guys located a UBR924 attached to our cable modem plant
 with the cutest little rogue Linux machine attached to its ethernet port.

 I had them recover the router's password as the first step and now I'm
 puzzling over this:

 http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml


 I recall that a machine can be set such that the break during boot will
 not permit password recovery, but it isn't clear to me how I do it. I'd
 really like to get this machine secured so I can dig in to what he is doing.
 I'd already isolated this cable plant because I knew intrusion was possible
 but I want to see what other mischief he uses our facilities for - a little
 spice for the already meaty intrusion case against him this spring.

 --
 mailto:n...@layer3arts.com //
 GoogleTalk: nrauhau...@gmail.com
 IM: nealrauhauser


Re: [c-nsp] Maximum spanning tree instances

2009-07-13 Thread Nicolas Rolans
This supportwiki article could be what you're looking for:
http://supportwiki.cisco.com/ViewWiki/index.php/The_%22PM-SP-4-LIMITS:%22_or_%22PM-SP-STDBY-4-LIMITS:%22_error_message_is_received_in_Catalyst_switches_that_run_Cisco_IOS_Software
I confirm the 1800 instances/slot limit.

-Nicolas


2009/7/12 Shine Joseph shinejos...@dodo.com.au

 Hi,

 I searched in the archives if I could find the answer to this query.
 The result was negative.

 How many spanning-tree instances are possible in Rapid PVST+ and MST
 modes in Cisco 6500 series switches with Sup720?

 The only documentation that I could find talks about the total number of
 virtual ports per line card and total active logical ports. There is no
 reference to the number of instances.

 The following netpro link mentions about 4096 instances, but this point
 is not validated.

 Any links or pointers would be much appreciated.

 Thanks in advance,
 Shine


[c-nsp] multiple vlans on a port

2009-07-13 Thread Cord MacLeod
I realize this is impossible, at least I have read it is on an access  
port.  So if I set up a trunk port with the machine, does the machine
need to speak 802.1q as well?


interface GigabitEthernet0/15
 switchport access vlan 120
 switchport trunk native vlan 120
 switchport trunk allowed vlan 100,120,231,321
 switchport mode trunk
end

The purpose of this is that the machine is a Linux machine running
Xen, so the cloud will decide what machines and vlans it needs to spin  
up at what time.  Meaning this port will need access to these vlans.   
This being the case, will I need to configure the Linux machine for  
802.1q trunking as well?  I found this article that seemed to suggest,  
yes, but I wanted a second opinion.  http://www.linuxjournal.com/article/7268


Thanks for your help.


Re: [c-nsp] multiple vlans on a port

2009-07-13 Thread Ge Moua
Yes, I've done this on a few Xen boxes myself; contact me off-line and I 
can send you my install notes.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking  Telecommunications Services



Cord MacLeod wrote:
I realize this is impossible, at least I have read it is on an access 
port.  So if I set up a trunk port with the machine, does the machine
need to speak 802.1q as well?


interface GigabitEthernet0/15
 switchport access vlan 120
 switchport trunk native vlan 120
 switchport trunk allowed vlan 100,120,231,321
 switchport mode trunk
end

The purpose of this is that the machine is a Linux machine running
Xen, so the cloud will decide what machines and vlans it needs to spin 
up at what time.  Meaning this port will need access to these vlans.  
This being the case, will I need to configure the Linux machine for 
802.1q trunking as well?  I found this article that seemed to suggest, 
yes, but I wanted a second opinion.  
http://www.linuxjournal.com/article/7268


Thanks for your help.


Re: [c-nsp] Maximum spanning tree instances

2009-07-13 Thread A . L . M . Buxey
Hi,

 This supportwiki article could be what you're looking for:
 http://supportwiki.cisco.com/ViewWiki/index.php/The_%22PM-SP-4-LIMITS:%22_or_%22PM-SP-STDBY-4-LIMITS:%22_error_message_is_received_in_Catalyst_switches_that_run_Cisco_IOS_Software
 I confirm the 1800 instances/slot limit.

...and across the globe, people are reading that wonderful
'migrating to MST' Cisco guide  8-)

alan


Re: [c-nsp] multiple vlans on a port

2009-07-13 Thread A . L . M . Buxey
Hi,

 I realize this is impossible, at least I have read it is on an access  
 port.  So if I set up a trunk port with the machine, does the machine
 need to speak 802.1q as well?

 interface GigabitEthernet0/15
  switchport access vlan 120
  switchport trunk native vlan 120
  switchport trunk allowed vlan 100,120,231,321
  switchport mode trunk
 end

 The purpose of this is that the machine is a Linux machine running Xen,
 so the cloud will decide what machines and vlans it needs to spin up at 
 what time.  Meaning this port will need access to these vlans.  This 
 being the case, will I need to configure the Linux machine for 802.1q 
 trunking as well?  I found this article that seemed to suggest, yes, but 
 I wanted a second opinion.  http://www.linuxjournal.com/article/7268

Linux very happily talks 802.1q.  yes, if you want to feed multiple
networks to the Xen host you need to send it a trunk feed... or invest
in multiple NICs and assign NICs to virtual hosts. our Xen boxes
get trunk feeds and /sbin/ifconfig lists all the pvlanXXX and xenbr
and xenbrtrunk etc.  VMWare has the virtual switch technology so currently
is _slightly_ ahead of Xen on that point...

alan


Re: [c-nsp] Software Download Area is Unavailable at this time

2009-07-13 Thread Jared Mauch
The text on the page has changed to:

   New enhanced features for downloading software coming soon.
   Get a sneak preview here.


They are now claiming the site is fixed, but I'm asking for a RFO
and what their maint policy is on the website.  If my bank can tell
me when they do maint, I would hope that Cisco can.

- Jared

On Mon, Jul 13, 2009 at 03:45:33PM -0400, Jared Mauch wrote:
 We apologize for any inconvenience. Software Download Area is
 unavailable at this time.
 
 
 New enhanced features for downloading software have arrived.
 Get a sneak preview here.
 
 
 If you are receiving an Error while downloading software and used a
 home address in your profile, please provide your business address
 to correct the error and gain access to download the software.
 
 
 
 -- snip --
 
 
 
 Anynone know how Cisco intends to distribute software?  This seems
 to be the lead-in deployment for making software unavailable for me.
 
 
 
   - Jared
 

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Maximum spanning tree instances

2009-07-13 Thread Peter Rathlev
On Mon, 2009-07-13 at 23:38 +0200, Nicolas Rolans wrote:
 This supportwiki article [snip] could be what you're looking for. I
 confirm the 1800 instances/slot limit.

... but it doesn't say anything about the number of STP instances.

I tested it on a Sup720 SXI1 and could create more than 1800 STP
instances with the VLANs split among two modules:

r2(config)#do sh vlan vir

Slot 4
---
Total slot virtual ports 1799

Slot 5
---
Total slot virtual ports 1799

Total chassis virtual ports 3598
r2(config)#do sh spann summ tot
Switch is in rapid-pvst mode
Root bridge for: VLAN0100-VLAN0110, VLAN0115-VLAN0118, VLAN0120-VLAN0131
  VLAN0133-VLAN0297, VLAN0500-VLAN0999, VLAN1021-VLAN2281, VLAN2300-VLAN2337
  VLAN2400-VLAN4000
EtherChannel misconfig guard            is enabled
Extended system ID                      is enabled
Portfast Default                        is disabled
Portfast Edge BPDU Guard Default        is disabled
Portfast Edge BPDU Filter Default       is disabled
Loopguard Default                       is enabled
PVST Simulation Default                 is enabled but inactive in rapid-pvst mode
Bridge Assurance                        is enabled
UplinkFast                              is disabled
BackboneFast                            is disabled
Pathcost method used                    is long

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
3598 vlans                    0         0        0       3598       3598
r2(config)#

I got this message during the configuration:

%SW_VLAN-SP-4-VTP_SEM_BUSY: VTP semaphore is unavailable for function 
sw_vlansp_get_4k_vlan_info. Semaphore locked by download info

After deleting the VLANs and trying the same again the message did not
appear, so I guess it's nothing really bad.

It seems that more than 1800 instances are possible. I didn't have more
than a two module (Sup720-10G + 6724-SFP) configuration to test this on
at hand.

My bold guess would be that the system limit for number of STP instances
is 1/13000 total virtual ports (RPVST/PVST).

Whether having 1800+ STP instances on the same switch is a good idea is
something completely different. :-)

Regards,
Peter


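Added example, not code from any post in this thread: a Python check that parses the two show commands Peter ran and reports per-slot headroom against the 1800 virtual ports per slot figure quoted above, keeping the STP-instance count separate from the per-slot virtual-port count (Peter's point). The sample output is Peter's, trimmed; the 90% warning threshold is an assumption.

```python
"""Per-slot virtual-port headroom check for a Catalyst 6500 running RPVST+.

Added example, not code from the thread.  The sample output below is the
'show vlan virtual-ports' / 'show spanning-tree summary totals' output Peter
posted; SLOT_LIMIT is the 1800 per-slot figure quoted in the thread and
WARN_FRACTION is an assumption for this example.
"""
import re

SLOT_LIMIT = 1800       # virtual ports per slot, as quoted in the thread
WARN_FRACTION = 0.9     # warn when a slot is at or above 90% of the limit

SHOW_VLAN_VIRTUAL = """\
Slot 4
---
Total slot virtual ports 1799

Slot 5
---
Total slot virtual ports 1799

Total chassis virtual ports 3598
"""

SHOW_SPAN_TOTALS = """\
Switch is in rapid-pvst mode
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
3598 vlans                    0         0        0       3598       3598
"""


def parse_slot_virtual_ports(text):
    """Return ({slot: virtual_ports}, chassis_total) from 'show vlan virtual-ports'."""
    slots, slot, chassis_total = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Slot (\d+)", line)
        if m:
            slot = int(m.group(1))
            continue
        m = re.match(r"Total slot virtual ports (\d+)", line)
        if m and slot is not None:
            slots[slot] = int(m.group(1))
            continue
        m = re.match(r"Total chassis virtual ports (\d+)", line)
        if m:
            chassis_total = int(m.group(1))
    return slots, chassis_total


def parse_stp_active(text):
    """Return (mode, active_instances) from 'show spanning-tree summary totals'."""
    mode, active = None, None
    for line in text.splitlines():
        m = re.match(r"Switch is in (\S+) mode", line)
        if m:
            mode = m.group(1)
        # totals row: '<n> vlans  Blocking Listening Learning Forwarding STP Active'
        m = re.match(r"\d+ vlans?\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)", line)
        if m:
            active = int(m.group(1))
    return mode, active


def check(vlan_virtual_text, span_totals_text, limit=SLOT_LIMIT, warn=WARN_FRACTION):
    """Combine both outputs into a findings dict suitable for a monitoring job."""
    slots, chassis_total = parse_slot_virtual_ports(vlan_virtual_text)
    mode, active = parse_stp_active(span_totals_text)
    return {
        "mode": mode,
        "stp_active": active,
        "slots": slots,
        # the thread's point: the limit is per-slot virtual ports, not STP instances
        "slots_near_limit": {s: limit - n for s, n in sorted(slots.items())
                             if n >= warn * limit},
        "slots_over_limit": [s for s, n in slots.items() if n > limit],
        # per-slot counts should add up to the chassis figure
        "totals_consistent": sum(slots.values()) == chassis_total,
    }


if __name__ == "__main__":
    for key, value in check(SHOW_VLAN_VIRTUAL, SHOW_SPAN_TOTALS).items():
        print(f"{key:18} {value}")
```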


Re: [c-nsp] multiple vlans on a port

2009-07-13 Thread Matthew Huff
Yes, the machine will need to speak 802.1q. Most modern OS have no trouble with 
that. Windows, Linux, Solaris, etc.. work fine with 802.1Q.

One thing more, unless Linux has started speaking Cisco DTP (which I doubt), 
you want to disable DTP messages from sending to the host. Dynamic Trunking 
Protocol (or DTP) is used to negotiate trunking protocols (ISL or 802.1q), 
etc... Since you know you want to do 802.1Q and you want to always trunk, you 
will want to add switchport nonegotiate to the interface. This keeps Cisco
from sending a DTP frame every 30 seconds. Those frames won't hurt anything, 
but can show up on port statistics as bad packets on the host.

Also, with 802.1q framing, you might run into fragmentation on the non-native 
VLANs. You may want to adjust the MTU on the virtual machines if Linux doesn't 
do it automatically.


interface GigabitEthernet0/15
   switchport access vlan 120
   switchport trunk native vlan 120
   switchport trunk allowed vlan 100,120,231,321
   switchport mode trunk
   switchport nonegotiate
end



Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Monday, July 13, 2009 6:15 PM
To: Cord MacLeod
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] multiple vlans on a port

Hi,

 I realize this is impossible, at least I have read it is on an access  
 port.  So if I set up a trunk port with the machine, does the machine
 need to speak 802.1q as well?

 interface GigabitEthernet0/15
  switchport access vlan 120
  switchport trunk native vlan 120
  switchport trunk allowed vlan 100,120,231,321
  switchport mode trunk
 end

 The purpose of this is that the machine is a Linux machine running Xen,
 so the cloud will decide what machines and vlans it needs to spin up at 
 what time.  Meaning this port will need access to these vlans.  This 
 being the case, will I need to configure the Linux machine for 802.1q 
 trunking as well?  I found this article that seemed to suggest, yes, but 
 I wanted a second opinion.  http://www.linuxjournal.com/article/7268

Linux very happily talks 802.1q.  yes, if you want to feed multiple
networks to the Xen host you need to send it a trunk feed... or invest
in multiple NICs and assign NICs to virtual hosts. our Xen boxes
get trunk feeds and /sbin/ifconfig lists all the pvlanXXX and xenbr
and xenbrtrunk etc.  VMWare has the virtual switch technology so currently
is _slightly_ ahead of Xen on that point...

alan
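Added example, not code from any post in this thread: a Python audit of IOS interface stanzas that flags trunk ports still negotiating DTP (the switchport nonegotiate point Matthew makes), trunks whose native VLAN is outside the allowed list, and leftover switchport access vlan lines. The sample config is Cord's port plus two constructed ports (a hardened Gi0/16 and an access-only Gi0/17) that are assumptions for this example.

```python
"""Audit IOS switchport stanzas for trunk ports that still negotiate DTP.

Added example, not code from the thread.  It parses the interface blocks of a
running-config and flags, per the advice above: trunk ports without
'switchport nonegotiate' (DTP frames still sent to the host), trunk ports whose
native VLAN is outside the allowed-VLAN list, and 'switchport access vlan'
lines left on a trunk.  Only the plain 'switchport trunk allowed vlan <list>'
form is handled, not the add/remove/except variants.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: Cord's port from the thread, a hardened copy (hypothetical
# Gi0/16) and a plain access port (hypothetical Gi0/17).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/15
 switchport access vlan 120
 switchport trunk native vlan 120
 switchport trunk allowed vlan 100,120,231,321
 switchport mode trunk
end
interface GigabitEthernet0/16
 switchport trunk native vlan 120
 switchport trunk allowed vlan 100,231,321
 switchport mode trunk
 switchport nonegotiate
end
interface GigabitEthernet0/17
 switchport access vlan 120
 switchport mode access
end
"""


@dataclass
class Switchport:
    name: str
    mode: str = "dynamic"          # no 'switchport mode' line: port negotiates via DTP
    nonegotiate: bool = False
    access_vlan: Optional[int] = None
    native_vlan: int = 1           # IOS default native VLAN
    allowed: Optional[Set[int]] = None   # None means all VLANs (the default)


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand '100,120,200-202' into {100, 120, 200, 201, 202}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switchports(config: str) -> List[Switchport]:
    """Walk the config line by line, collecting one Switchport per interface block."""
    ports: List[Switchport] = []
    current: Optional[Switchport] = None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = Switchport(name=m.group(1))
            ports.append(current)
            continue
        if current is None:
            continue
        line = raw.strip()
        if line in ("end", "!"):
            current = None
        elif line.startswith("switchport mode "):
            current.mode = line.split()[2]
        elif line == "switchport nonegotiate":
            current.nonegotiate = True
        elif line.startswith("switchport access vlan "):
            current.access_vlan = int(line.split()[3])
        elif line.startswith("switchport trunk native vlan "):
            current.native_vlan = int(line.split()[4])
        elif line.startswith("switchport trunk allowed vlan "):
            current.allowed = expand_vlan_list(line.split(maxsplit=4)[4])
    return ports


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every trunk port with something to fix."""
    findings: Dict[str, List[str]] = {}
    for p in parse_switchports(config):
        notes = []
        if p.mode == "trunk":
            if not p.nonegotiate:
                notes.append("trunk still sends DTP; add 'switchport nonegotiate'")
            if p.allowed is not None and p.native_vlan not in p.allowed:
                notes.append(f"native VLAN {p.native_vlan} is not in the allowed list")
            if p.access_vlan is not None:
                notes.append("'switchport access vlan' is ignored in trunk mode")
        if notes:
            findings[p.name] = notes
    return findings


if __name__ == "__main__":
    for intf, notes in audit(SAMPLE_CONFIG).items():
        print(intf)
        for note in notes:
            print("  -", note)
```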


Re: [c-nsp] Software Download Area is Unavailable at this time

2009-07-13 Thread Peter Rathlev
On Mon, 2009-07-13 at 14:22 -0700, Scott Granados wrote:
 Lets face it, there's a trend here.  It's more of this shielding the
 user from the equipment BS which wraps itself in to the company web
 front end as well.
 
 Try configuring some of the VPN hardware with out pointing and
 clicking. It's extremely sad!  I think Cisco and many other companies
 have lost there way when it comes to good interface design, but that's
 just me.

We're migrating to the ASA platform for VPN (from the Altiga VPN3000
boxes). I can't say anything about the webif/ASDM/whatever as I've never
ever had the pleasure to use it, but I like the CLI configuration on the
ASA.

But yes, there's a trend somehow. And maybe one day it'll all just be
point-and-click, but as long as they (Cisco et al) sell shoddy
constructions (hw/sw) that need us brainy nerds to function they
better deliver the relevant tools for us to do our jobs.

Alternatively the clueful people will be attracted to other platforms.

Regards,
Peter




Re: [c-nsp] multiple vlans on a port

2009-07-13 Thread Cord MacLeod

Thank you everyone for your replies.  Fantastic information.


On Jul 13, 2009, at 3:38 PM, Matthew Huff wrote:

Yes, the machine will need to speak 802.1q. Most modern OS have no  
trouble with that. Windows, Linux, Solaris, etc.. work fine with  
802.1Q.


One thing more, unless Linux has started speaking Cisco DTP (which I  
doubt), you want to disable DTP messages from sending to the host.  
Dynamic Trunking Protocol (or DTP) is used to negotiate trunking  
protocols (ISL or 802.1q), etc... Since you know you want to do  
802.1Q and you want to always trunk, you will want to add  
switchport nonegotiate to the interface. This keeps Cisco from
sending a DTP frame every 30 seconds. Those frames won't hurt  
anything, but can show up on port statistics as bad packets on the  
host.


Also, with 802.1q framing, you might run into fragmentation on the  
non-native VLANs. You may want to adjust the MTU on the virtual  
machines if Linux doesn't do it automatically.



interface GigabitEthernet0/15
  switchport access vlan 120
  switchport trunk native vlan 120
  switchport trunk allowed vlan 100,120,231,321
  switchport mode trunk
  switchport nonegotiate
end



Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net 
] On Behalf Of a.l.m.bu...@lboro.ac.uk

Sent: Monday, July 13, 2009 6:15 PM
To: Cord MacLeod
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] multiple vlans on a port

Hi,


I realize this is impossible, at least I have read it is on an access
port.  So if I set up a trunk port with the machine, does the machine
need to speak 802.1q as well?

interface GigabitEthernet0/15
 switchport access vlan 120
 switchport trunk native vlan 120
 switchport trunk allowed vlan 100,120,231,321
 switchport mode trunk
end

The purpose of this is that the machine is a Linux machine running Xen,
so the cloud will decide what machines and vlans it needs to spin up at
what time.  Meaning this port will need access to these vlans.  This
being the case, will I need to configure the Linux machine for 802.1q
trunking as well?  I found this article that seemed to suggest, yes, but
I wanted a second opinion.  http://www.linuxjournal.com/article/7268


Linux very happily talks 802.1q.  yes, if you want to feed multiple
networks to the Xen host you need to send it a trunk feed... or invest
in multiple NICs and assign NICs to virtual hosts. our Xen boxes
get trunk feeds and /sbin/ifconfig lists all the pvlanXXX and xenbr
and xenbrtrunk etc.  VMWare has the virtual switch technology so currently
is _slightly_ ahead of Xen on that point...

alan


Re: [c-nsp] Help with output drops

2009-07-13 Thread Tony

Hi Randy,

I can't answer why it was enabled either, the default on this platform is for 
QOS to be disabled until you manually enable it with the mls qos command. The 
problem you came across is why it is disabled by default so you don't have 
performance issues out of the box.

When I originally replied, I was looking for the reference in the Cisco doco 
that tells you not to enable QOS globally if you're not going to use it, as it 
will degrade performance. I finally found it, so here it is for the archives 
(the second Note point is the one you want to read):
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1750716
http://tinyurl.com/mbe65n

If you can't find the relevant section, search the above document for the
string Do not enable PFC QoS globally and start reading from there.

QOS is used to give different treatment to different types of traffic. The 
classic example is that you want VoIP packets to be queued and sent before all 
other traffic so that your audio calls don't suffer when someone is downloading 
a large file which is lower priority and non real-time traffic.

AFAIK disabling mls qos globally only affects your ability to use the qos 
queueing/policing features and doesn't stop anything else from working. I 
couldn't give you a guarantee that it won't break anything else, but it is a 
fairly targeted command to just enable/disable qos.



regards,
Tony.

--- On Mon, 13/7/09, Randy McAnally r...@fast-serv.com wrote:

 From: Randy McAnally r...@fast-serv.com
 Subject: Re: [c-nsp] Help with output drops
 To: Tony td_mi...@yahoo.com, cisco-nsp@puck.nether.net
 Date: Monday, 13 July, 2009, 11:28 PM
 Hi Tony,

 After disabling QoS there are no longer any output drops.  Thanks for the
 suggestion.

 Are there any features that rely on QoS, or is it a default setting?  I'm
 trying to figure out something reasonable as to why it was enabled in the
 first place.

 --
 Randy

 -- Original Message ---
 From: Tony td_mi...@yahoo.com
 To: cisco-nsp@puck.nether.net, Randy McAnally r...@fast-serv.com
 Sent: Sun, 12 Jul 2009 23:21:47 -0700 (PDT)
 Subject: Re: [c-nsp] Help with output drops

  Hi Randy,

  Is QoS enabled ? What does show mls qos tell you ?

  Do you need QOS at all ? If not, disable it globally (no mls qos) and your
  problem might just go away if it's being caused by queue threshold defaults..

  If it's a production switch, do it during a scheduled maintenance period as
  it might disrupt traffic for a second.

  regards,
  Tony.

  --- On Mon, 13/7/09, Randy McAnally r...@fast-serv.com wrote:

   From: Randy McAnally r...@fast-serv.com
   Subject: [c-nsp] Help with output drops
   To: cisco-nsp@puck.nether.net
   Date: Monday, 13 July, 2009, 1:51 PM
   Hi all,

   I just finished installing and configuring a new 6509 with dual sup7203bxl
   (12.2(18)SXF15a) and 6724 linecards.  It serves a simple purpose of
   maintaining a single BGP session, and managing layer3 (vlans) for various
   access switches..  No end devices are connected.

   The problem is that we are getting constant output drops when our gig-E
   uplink goes above ~400 mbps.  Nowhere near the interface speed!  See below,
   take note of massive 'Total output drops' with no other errors (on either
   end):

   rtr1.ash#sh int g1/1
   GigabitEthernet1/1 is up, line protocol is up (connected)
     Hardware is C6k 1000Mb 802.3, address is 00d0.01ff.5800 (bia 00d0.01ff.5800)
     Description: PTP-UPLINK
     Internet address is 209.9.224.68/29
     MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
        reliability 255/255, txload 118/255, rxload 12/255
     Encapsulation ARPA, loopback not set
     Keepalive set (10 sec)
     Full-duplex, 1000Mb/s, media type is T
     input flow-control is off, output flow-control is off
     Clock mode is auto
     ARP type: ARPA, ARP Timeout 04:00:00
     Last input 00:00:00, output 00:00:01, output hang never
     Last clearing of show interface counters 05:01:25
     Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 718023
     Queueing strategy: fifo
     Output queue: 0/100 (size/max)
     30 second input rate 47789000 bits/sec, 30797 packets/sec
     30 second output rate 465362000 bits/sec, 48729 packets/sec
     L2 Switched: ucast: 27775 pkt, 2136621 bytes - mcast: 24590 pkt, 1574763 bytes
     L3 in Switched: ucast: 592150327 pkt, 95608889548 bytes - mcast: 0 pkt, 0 bytes mcast
     L3 out Switched: ucast: 991372425 pkt, 1214882993007 bytes mcast: 0 pkt, 0 bytes
        592554441 packets input, 95674494492 bytes, 0 no buffer
        Received 33643 broadcasts (17872 IP multicasts)
        0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
        0 watchdog, 0 multicast, 0 pause input
        0 input packets with dribble condition
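Added example, not code from any post in this thread: a Python check that pulls the relevant fields out of Randy's show interface output and flags the pattern Tony diagnosed, output drops with zero errors at well under line rate, which on this platform points at the per-port queue thresholds that enabling mls qos brings with it. The sample is Randy's output trimmed to the lines the check reads; the 80% utilisation threshold is an assumption.

```python
"""Flag the 'output drops, no errors, well below line rate' signature from this
thread in 'show interface' output.

Added example, not code from the posts.  SHOW_INT is Randy's output trimmed
to the lines the check reads; UTIL_THRESHOLD is an assumption for this example.
"""
import re

UTIL_THRESHOLD = 0.8   # below this utilisation, drops are not simple link congestion

SHOW_INT = """\
GigabitEthernet1/1 is up, line protocol is up (connected)
  Description: PTP-UPLINK
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
     reliability 255/255, txload 118/255, rxload 12/255
  Full-duplex, 1000Mb/s, media type is T
  Last clearing of show interface counters 05:01:25
  Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 718023
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  30 second output rate 465362000 bits/sec, 48729 packets/sec
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""

FIELDS = {
    "name": r"^(\S+) is up",
    "speed_mbps": r"(\d+)Mb/s",
    "since_clear": r"Last clearing of .*?counters (\S+)",
    "output_drops": r"Total output drops: (\d+)",
    "output_bps": r"30 second output rate (\d+) bits/sec",
    "input_errors": r"(\d+) input errors",
}


def parse_show_interface(text):
    """Pull the fields the check needs; numeric ones are converted to int."""
    fields = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text, re.M)
        if m is None:
            raise ValueError(f"field {key!r} not found in show interface output")
        fields[key] = m.group(1)
    for key in ("speed_mbps", "output_drops", "output_bps", "input_errors"):
        fields[key] = int(fields[key])
    return fields


def seconds_since_clear(stamp):
    """'05:01:25' -> 18085.  IOS also prints 'never' and day forms like '1d02h';
    those return None and the drop rate is then left unknown."""
    m = re.fullmatch(r"(\d+):(\d+):(\d+)", stamp)
    if m is None:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def diagnose(text, util_threshold=UTIL_THRESHOLD):
    """Return a findings dict; 'verdict' is set when the thread's pattern matches."""
    f = parse_show_interface(text)
    util = f["output_bps"] / (f["speed_mbps"] * 1_000_000)
    secs = seconds_since_clear(f["since_clear"])
    result = {
        "interface": f["name"],
        "utilisation": round(util, 3),
        "drops_per_sec": round(f["output_drops"] / secs, 1) if secs else None,
        "verdict": None,
    }
    if f["output_drops"] > 0 and f["input_errors"] == 0 and util < util_threshold:
        result["verdict"] = ("output drops without errors at {:.0%} utilisation: "
                             "check per-port queue thresholds (mls qos)".format(util))
    return result


if __name__ == "__main__":
    print(diagnose(SHOW_INT))
```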

Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-13 Thread Prabhu Gurumurthy

Answer is: BGP

On Jul 13, 2009, at 1:14 PM, Munoz, Jeff wrote:

Hey guys, I have two main sites (site A and site B) and one remote  
site (site C).  Sites A and B have a metroethernet connection  
between them.  Remote site C has an IPsec tunnel back to site A.   
I'd like to setup failover so in case site A's ASA is down the  
remote site C ASA sends the interesting traffic down the site B  
IPsec tunnel.  Unfortunately, it will always match the tunnel to  
site A since the phase 2 access lists have the same source/ 
destinations.  Any ideas on how I can do this?


Thanks!

Jeff


Re: [c-nsp] disable break on boot for IOS??

2009-07-13 Thread neal rauhauser
   This is good advice for newer machines but I've got a UBR 924 with 12.1T
code on it - 'no service password-recover' isn't an option for me. Which
config-register setting will do what I need? Seems like maybe 0x8102 would
do it, but I'm in no mood to experiment across twenty miles, especially when
I'm monitoring activity for law enforcement. This guy, he is a giant pain
where I sit and has been since I started at the first of the year.


On Mon, Jul 13, 2009 at 4:31 PM, Matthew Huff mh...@ox.com wrote:

 If you are running a newer IOS and newer ROMMON you can disable
 password-recover (i.e. break during boot) using no service
 password-recovery. Make sure to read
 http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html
 completely; you can brick a router otherwise.




 
 Matthew Huff   | One Manhattanville Rd
 OTA Management LLC | Purchase, NY 10577
 http://www.ox.com  | Phone: 914-460-4039
 aim: matthewbhuff  | Fax:   914-460-4139



  -Original Message-
  From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
  boun...@puck.nether.net] On Behalf Of neal rauhauser
  Sent: Monday, July 13, 2009 5:11 PM
  To: cisco-nsp@puck.nether.net
  Subject: [c-nsp] disable break on boot for IOS??
 
  I have a situation with a former employee who still has legitimate
  physical access to a shared space where we have some Cisco equipment. Today
  one of our field guys located a UBR924 attached to our cable modem plant
  with the cutest little rogue Linux machine attached to its ethernet port.

  I had them recover the router's password as the first step and now I'm
  puzzling over this:

  http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml


  I recall that a machine can be set such that the break during boot will
  not permit password recovery, but it isn't clear to me how I do it. I'd
  really like to get this machine secured so I can dig in to what he is doing.
  I'd already isolated this cable plant because I knew intrusion was possible
  but I want to see what other mischief he uses our facilities for - a little
  spice for the already meaty intrusion case against him this spring.
 
  --
  mailto:n...@layer3arts.com //
  GoogleTalk: nrauhau...@gmail.com
  IM: nealrauhauser




-- 
mailto:n...@layer3arts.com //
GoogleTalk: nrauhau...@gmail.com
IM: nealrauhauser


Re: [c-nsp] disable break on boot for IOS??

2009-07-13 Thread Ivan Pepelnjak
Just make sure you test the feature (for each ROMMON release you're using)
with a known enable password first. It's somewhat impossible to break into
some ROMMON versions.

http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/

 -Original Message-
 From: Matthew Huff [mailto:mh...@ox.com] 
 Sent: Monday, July 13, 2009 11:31 PM
 To: 'neal rauhauser'; 'cisco-nsp@puck.nether.net'
 Subject: Re: [c-nsp] disable break on boot for IOS??
 
 If you are running a newer IOS and newer ROMMON you can 
 disable password recovery (i.e. break during boot) using no 
 service password-recovery. Make sure to read 
 http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html 
 completely, you can brick a router otherwise.
 
 
 
 
 
 Matthew Huff   | One Manhattanville Rd
 OTA Management LLC | Purchase, NY 10577
 http://www.ox.com  | Phone: 914-460-4039
 aim: matthewbhuff  | Fax:   914-460-4139
 
 
 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
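The sequence Matthew describes (turn on `no service password-recovery`) together with the pre-flight check Ivan asks for (prove the enable secret works and the ROMMON supports the feature before you lock yourself out), written out as an added example. This is not configuration posted by anyone in the thread. It assumes an IOS image and ROM monitor that actually implement the feature (the UBR924 in the original post is not confirmed to; check Cisco's feature document for your platform); `Router` and `<known-strong-secret>` are placeholders, and the warning text shown is abridged from the feature documentation.

```cisco
! Added example, not from the thread. Hostname and secret are placeholders.
!
! Step 1: confirm the image and ROM monitor versions and check them against
! the feature documentation for this platform. Do this per ROMMON release
! in the fleet, not once; recovery behaviour differs between them.
Router# show version | include ROM|IOS

! Step 2: make sure you can get in WITHOUT password recovery before you
! disable it. A known, saved enable secret is the only door that is left.
Router# configure terminal
Router(config)# enable secret <known-strong-secret>
Router(config)# end
Router# copy running-config startup-config
Router# disable
Router> enable
Password: <known-strong-secret>
! If the prompt does not come back as Router# here, stop: fix the secret
! first. Going on with step 3 at this point is how a router gets bricked.

! Step 3: disable the break-during-boot recovery path. IOS warns that this
! is not reversible without losing the configuration; answer yes only after
! step 2 succeeded from a cold login.
Router# configure terminal
Router(config)# no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]: yes
Router(config)# end
Router# copy running-config startup-config

! Step 4: confirm the setting is in the SAVED config, not just the running
! one; a reload without the copy above silently leaves recovery enabled.
Router# show startup-config | include password-recovery
no service password-recovery

! Step 5: with the feature on, a break during the first seconds of boot no
! longer drops to ROMMON for a confreg change. On platforms that support
! the feature, the only console-side option is a prompt offering to reset
! to factory defaults, which erases startup-config; on some ROMMON
! versions there is no prompt at all. Either way, the configuration you
! may want as evidence is gone, so export it before you test this path.
```

Two caveats that follow from the thread. First, exercise step 5 on a lab unit or a spare of the same ROMMON before relying on it, with the config backed up off-box, because the factory-reset path is the only way back in and it destroys the running configuration. Second, this only raises the bar on the console: someone with physical access to the shared space can still unplug the router, swap it, or keep talking to the Linux box behind it, so the setting complements rather than replaces isolating that cable plant.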