[c-nsp] 7200/NPE-G1 WCCPv2 performance - L2 redirect vs GRE
Hi all,

Does anyone know whether there is any notable performance difference with WCCPv2 using L2 redirect vs GRE as a packet forwarding method on 7200s? (NPE-400, NPE-G1, NPE-G2)?

WCCPv2 is a heavy user of processor cycles on our 7200s so I'm looking at ways to reduce the impact without performing major heart surgery. Currently we use GRE but our WCCP-speaking systems (cisco WAAS) are L2 adjacent so L2 redirect is a feasible option.

I'm not familiar enough with the guts of CEF to know whether this is likely to make a big difference, but I guess there has to be less work in re-writing a MAC header than completely encapsulating a packet.

cheers,
Dale

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Problems creating a new BGP neighbor
Hi Mihai,

Check out CSCsz68307 - this occurs when someone attempts to configure an invalid IP address as a BGP peer - after that you are unable to create any additional peers as you get the error message *% Create the peer-group first.

To resolve the problem you either need to reload the box or configure no parser cache - the latter being more preferable.

Hope that helps,
Chris

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mihai Campean
Sent: 14 September 2009 14:34
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Problems creating a new BGP neighbor

Hi,

today I tried to create a new bgp neighbor, and the following message was prompted:

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#router bgp 1235
router1(config-router)#neighbor 1.2.3.5 remote-as 1235
% Create the peer-group first

Has anyone encountered this? The machine is a 7600 series router, running Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICES-M), Version 12.2(33)SRC1, RELEASE SOFTWARE (fc1)

Any idea if this is a known BUG, and if there is some command on the IOS that forces you to add a new neighbor to a peer-group?

Thanks,
--
Best regards,
--
Mihai Campean
Re: [c-nsp] Problems creating a new BGP neighbor
Hi Chris,

I reloaded the box this morning, but I'll configure the command in order to prevent further issues :)

Thanks :)

Chris Mason (chrimaso) wrote:

> Hi Mihai,
>
> Check out CSCsz68307 - this occurs when someone attempts to configure an invalid IP address as a BGP peer - after that you are unable to create any additional peers as you get the error message *% Create the peer-group first.
>
> To resolve the problem you either need to reload the box or configure no parser cache - the latter being more preferable.
>
> Hope that helps,
> Chris
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mihai Campean
> Sent: 14 September 2009 14:34
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Problems creating a new BGP neighbor
>
> Hi,
>
> today I tried to create a new bgp neighbor, and the following message was prompted:
>
> router1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> router1(config)#router bgp 1235
> router1(config-router)#neighbor 1.2.3.5 remote-as 1235
> % Create the peer-group first
>
> Has anyone encountered this? The machine is a 7600 series router, running Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICES-M), Version 12.2(33)SRC1, RELEASE SOFTWARE (fc1)
>
> Any idea if this is a known BUG, and if there is some command on the IOS that forces you to add a new neighbor to a peer-group?
>
> Thanks,
> --
> Best regards,
> --
> Mihai Campean
Re: [c-nsp] instabilities with SXI2?
On Tuesday 15 September 2009 05:53:07 am Alan Buxey wrote:

> and hope you don't hit another bug. waiting with intense interest for SXI3 which should stop the instant crash when using ISIS with IPv6 :-(

Are you seeing this in SXI2? We are planning to move to SXI2a at the end of October.

We are currently running SXH3 with IS-IS supporting both v4 and v6 address families. No issues with that today.

Cheers,
Mark.
Re: [c-nsp] 12.2(18)SXD to 12.2(33)SRB|C|D
On Tuesday 15 September 2009 04:39:53 am Richard A Steenbergen wrote:

> Personally my recommendation for going forward is SRC (SRC4 is pretty stable, all things considered).

Would also recommend SRC; we have it largely deployed on a number of 7200's.

SRC4 is stable, but a few issues, that will be resolved in SRC5, hound us. Nothing major, probably not faced by many others...

Point is, SRC is probably a more mature release.

Cheers,
Mark.
Re: [c-nsp] dampening for VPNv4
the culprit was CSCsy58115

what a relief

On Thu, Sep 3, 2009 at 11:44 AM, Ved Labs vedl...@gmail.com wrote:

> Thanks Ben for the directions.
>
> I enabled the bgp dampening for VPNv4 address-family. It helped to some extent to see the flapped statistics from the CE. I blocked one of the /16 network, which was flapping at a higher rate, coming from CE.
>
> Still I do not see significant improvement in the CPU utilisation due to BGP router process. I can see some changes in prefixes received for the VPNv4 route reflector session, and there are around 2 prefixes coming from the VPNv4 RR.
>
> How do I find the culprit?
>
> The router is 7206 with NPE-G1. Could there be a memory or hardware limitation also or some bug.
>
> Thanks,
> Ved.
[c-nsp] debug bgp updates within VRF
How do I debug bgp updates within VRF

Thanks,
Biddu.
[c-nsp] Cisco NAC - SSO Issues
Hello group,

I'm troubleshooting a NAC issue. I see lots of CLOSE_WAIT sessions on the CAS and I need to find a way to restart the SSO service (TCP:8910) without restarting the whole box.

Disabling the option Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos) in the CAM does not do the job.

I think that after clearing these TCP stuck sessions, Single Sign-On will work again.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
Re: [c-nsp] 12.2(18)SXD to 12.2(33)SRB|C|D
Upgraded to SRC4 last night and everything went pretty smoothly. A couple things I'm wondering if anyone has seen with SRC4:

1- When SRC4 booted, we were a little panicked when we saw that a bunch of our SFP ports were now dark. We resolved it by pulling the fiber and the SFP and reseating each. The original theory in doing that was to check to see if the SFP was genuine Cisco to see if we needed to enable service unsupported-transceiver but the side-effect was that it actually brought the port up. We were able to get all our dark ports up this way before enabling transceiver support so we don't think it was related to that command (but enabled it for good measure).

2- We had to enable ip mtu 1500 on a few interfaces that had their port mtu cranked into jumbo range for OSPF to work. Why we didn't have to do this in SXD is curious, but we are happy that SRC operates correctly (by showing us where our configs were inconsistent).

3- There is one device on the network (an ASR1002 running 2.4.0) that is unable to see the loopback address via OSPF from this 7600 we just upgraded. It's built an adjacency with the 7600, so it's not an MTU thing, it just doesn't see the route for its loopback interface. We didn't do much digging into it last night because there was an alternate path on the ASR so we felt we could leave it till the AM, but strange indeed. It may too be a misconfiguration that SRC expects, which SXD was relaxed about but I thought I'd ask anyway.

On 2009-09-15, at 6:45 AM, Mark Tinka mti...@globaltransit.net wrote:

> On Tuesday 15 September 2009 04:39:53 am Richard A Steenbergen wrote:
>
>> Personally my recommendation for going forward is SRC (SRC4 is pretty stable, all things considered).
>
> Would also recommend SRC; we have it largely deployed on a number of 7200's.
>
> SRC4 is stable, but a few issues, that will be resolved in SRC5, hound us. Nothing major, probably not faced by many others...
>
> Point is, SRC is probably a more mature release.
>
> Cheers,
> Mark.
Re: [c-nsp] Cat 4948 NAT support
The real issue with NAT today is ALG processing and scale.

My motto is if you are not going to sign up for full support in hardware on a box that can scale to 1+ Mpps don't bother half baking it.

I deal with a customer about once per week where they tried something like this.

The ASR1k (no I don't work for that BU) has it right. They do it all in the FP (translation setup, ALG, etc.) with no punts. That's why the 6k doesn't scale even though it inherited NAT from the code base.

Rodney

Doug McIntyre wrote:

> On Mon, Sep 14, 2009 at 01:31:54PM -0400, Dan Benson wrote:
>
> I have a 4948 that I was hoping to upgrade a few systems with but I am dead in the water as it seems it does not support NAT.
>
> According to the NAT matrix:
> http://supportwiki.cisco.com/ViewWiki/index.php/Network_Address_Translation_Catalyst_Switch_Support_Matrix
>
> This matrix seems very outdated so it would explain why the 4900 product line is not listed.
>
> If you notice, the *only* products listed there that supports it is the Cat6500. The Cat 5k RSM was a separate bolt-on router on a blade that slid into the chassis, and wasn't the switch engine at all. Anyway that stuff is old and dead (and was slow).
>
> So, don't go searching for switches that support NAT, the Cat6500 is it. Cisco leaves NAT to firewalls and routers, not switches.
>
> FWIW: The 4948 is still very current hardware.
Re: [c-nsp] Cisco NAC - SSO Issues
I found a matching bug in the meanwhile but the workaround does not work:

+
CSCsk46672 Bug Details
CAS stops listening on 8910 after threads in CLOSE_WAIT state
Symptom: Agent fails to perform ADSSO
Conditions: CAS no longer listening to tcp port 8910 because 50 threads are already in CLOSE_WAIT state
Workaround: Under Device Management Clean Access Servers CAS Windows Auth Click UPDATE on SSO service to flush the CLOSE_WAIT states
+

The box I'm troubleshooting is running release 4.0.5.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Tuesday, 15 September 2009 13:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco NAC - SSO Issues

Hello group,

I'm troubleshooting a NAC issue. I see lots of CLOSE_WAIT sessions on the CAS and I need to find a way to restart the SSO service (TCP:8910) without restarting the whole box.

Disabling the option Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos) in the CAM does not do the job.

I think that after clearing these TCP stuck sessions, Single Sign-On will work again.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
Re: [c-nsp] Cisco NAC - SSO Issues
I would suggest opening a TAC case. Also, for NAC related problem, the cleanacc...@listserv.muohio.edu would be a better place to ask questions.

Regards,
--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Tuesday, September 15, 2009 10:20 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco NAC - SSO Issues

I found a matching bug in the meanwhile but the workaround does not work:

+
CSCsk46672 Bug Details
CAS stops listening on 8910 after threads in CLOSE_WAIT state
Symptom: Agent fails to perform ADSSO
Conditions: CAS no longer listening to tcp port 8910 because 50 threads are already in CLOSE_WAIT state
Workaround: Under Device Management Clean Access Servers CAS Windows Auth Click UPDATE on SSO service to flush the CLOSE_WAIT states
+

The box I'm troubleshooting is running release 4.0.5.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Tuesday, 15 September 2009 13:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco NAC - SSO Issues

Hello group,

I'm troubleshooting a NAC issue. I see lots of CLOSE_WAIT sessions on the CAS and I need to find a way to restart the SSO service (TCP:8910) without restarting the whole box.

Disabling the option Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos) in the CAM does not do the job.

I think that after clearing these TCP stuck sessions, Single Sign-On will work again.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
Re: [c-nsp] Cisco NAC - SSO Issues
Thanks for pointing me to the right place.

In the meanwhile, I can say that the workaround mentioned in the Bug release notes worked as expected. 50 stuck TCP sessions were cleared what was enough to recover normal behavior. I still have 200+ in CLOSE_WAIT state but the next reboot will take care of that :)

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-----Original Message-----
From: Luan Nguyen [mailto:l...@netcraftsmen.net]
Sent: Tuesday, 15 September 2009 15:54
To: 'Antonio Soares'; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cisco NAC - SSO Issues

I would suggest opening a TAC case. Also, for NAC related problem, the cleanacc...@listserv.muohio.edu would be a better place to ask questions.

Regards,
--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Tuesday, September 15, 2009 10:20 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco NAC - SSO Issues

I found a matching bug in the meanwhile but the workaround does not work:

+
CSCsk46672 Bug Details
CAS stops listening on 8910 after threads in CLOSE_WAIT state
Symptom: Agent fails to perform ADSSO
Conditions: CAS no longer listening to tcp port 8910 because 50 threads are already in CLOSE_WAIT state
Workaround: Under Device Management Clean Access Servers CAS Windows Auth Click UPDATE on SSO service to flush the CLOSE_WAIT states
+

The box I'm troubleshooting is running release 4.0.5.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Tuesday, 15 September 2009 13:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco NAC - SSO Issues

Hello group,

I'm troubleshooting a NAC issue. I see lots of CLOSE_WAIT sessions on the CAS and I need to find a way to restart the SSO service (TCP:8910) without restarting the whole box.

Disabling the option Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos) in the CAM does not do the job.

I think that after clearing these TCP stuck sessions, Single Sign-On will work again.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
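Added example, not part of any poster's message and not Cisco tooling: a check for the condition in the CSCsk46672 text quoted in this thread, counting sockets per TCP state on local port 8910 from `netstat -tan` style output. It assumes the CAS shell provides Linux `netstat`; the sample rows, the addresses and the half-limit warning level are constructed for illustration.

```python
"""Socket-state check for the CAS SSO port, fed with `netstat -tan` text."""
from collections import Counter

SSO_PORT = 8910        # TCP port of the SSO service named in the thread
CLOSE_WAIT_LIMIT = 50  # CLOSE_WAIT count quoted in the CSCsk46672 text

# Constructed sample in Linux `netstat -tan` layout; the addresses are
# documentation ranges, not data from a real CAS.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address       Foreign Address       State
tcp        0      0 0.0.0.0:22          0.0.0.0:*             LISTEN
tcp        0      0 0.0.0.0:8910        0.0.0.0:*             LISTEN
tcp        1      0 192.0.2.10:8910     198.51.100.21:49152   CLOSE_WAIT
tcp        1      0 192.0.2.10:8910     198.51.100.22:49153   CLOSE_WAIT
tcp        1      0 192.0.2.10:8910     198.51.100.23:49154   CLOSE_WAIT
tcp        0      0 192.0.2.10:8910     198.51.100.24:49155   ESTABLISHED
tcp        1      0 192.0.2.10:443      198.51.100.25:49156   CLOSE_WAIT
tcp        0      0 192.0.2.10:40112    203.0.113.5:8910      ESTABLISHED
"""


def port_states(netstat_text, port=SSO_PORT):
    """Count TCP states for sockets whose *local* port equals `port`."""
    states = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        # rpartition also copes with IPv6 forms such as ":::8910"
        local_port = fields[3].rpartition(":")[2]
        if local_port == str(port):
            states[fields[5]] += 1
    return states


def assess(netstat_text, port=SSO_PORT, limit=CLOSE_WAIT_LIMIT):
    """Classify the port: DOWN (no listener), CRITICAL, WARNING or OK."""
    states = port_states(netstat_text, port)
    stuck = states["CLOSE_WAIT"]
    listening = states["LISTEN"] > 0
    if not listening:
        status = "DOWN"        # the symptom in the bug text: no listener left
    elif stuck >= limit:
        status = "CRITICAL"    # at or past the count named in the bug text
    elif stuck >= limit // 2:
        status = "WARNING"     # assumption: early-warning level at half the limit
    else:
        status = "OK"
    return {
        "status": status,
        "listening": listening,
        "close_wait": stuck,
        "established": states["ESTABLISHED"],
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run periodically, a check like this reports the build-up of CLOSE_WAIT sockets before the listener disappears, so the flush described in the bug text can be applied without waiting for a reboot.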
Re: [c-nsp] Cisco SCE 2020 and snmp question
Donato Dunguihual Morales wrote:

> Hi,
>
> I need to graph via snmp and mrtg or rrdtool, ip traffic and protocols for Cisco sce 2020 box. I saw in the web, the utility rtmcmd.
> http://www.cisco.com/en/US/products/ps6135/products_user_guide09186a00808165dd.html#o16507.
>
> I'm trying to run the scripts, in a linux server, with all requirements, java, mrtg, rrdtool, but I have the following error. Does anyone have any experience with this script or another form for generate a graph via snmp in SCE 2020?
>
> # ./rtmcmd.sh -S X.X.X:X -U user -P * --pqb-sce=X.X.X.X --source-dir=/templates --dest-dir=/rtm-output -c ./rtmcmd.cfg
> connecting to X.X.X.X ... done
> retrieving service configuration from SCE ...
> disconnecting from device ... done
> Failed to retrieve service configuration from SCE X.X.X.X. Aborting!
>
> Thanks in advance
> Donato

That can be done easy with cacti, here is the post
http://forums.cacti.net/viewtopic.php?t=30931start=0postdays=0postorder=aschighlight=
[c-nsp] SP-grade Ethernet over TDM
Does anyone have any suggestions for providing Ethernet links over bonded T1s?

We originally looked at Overture. They claimed that their product used standard MLPPP and interoped well with 7200s. They sent out a tech to help configure it in a lab. As it turns out they also require the use of BCP (Bridging Control Protocol). To use BCP on a 7200 step #1 is to disable IP routing (literally, 'no ip routing'). That is required to facilitate bridging VLANs over MLPPP bundles. Needless to say this wasn't an option since our router was doing more than just terminating EoTDM connections. If we had an old 7200 sitting around we probably could have pulled it off. Alternately, if we have a 7600 in that colo with DS3 SPAs we could have done the same thing without disabling routing. I'm considering replacing that 7200 with an ASR in the future so perhaps this will become possible once again down the road, but not today.

I've also been looking at Adtran's Ethernet over TDM products. It looks like you have to use their Total Access 5000 at the hub and then use their NetVanta 800 series as the CPE. I don't know anything about the Total Access 5000 and can't access their documentation without an account (hard to sell the product when you won't let people access the docs beforehand).

Overture's CPEs for this application are the 140 and 180 models. The price is right but the product just doesn't have a production SP-grade feel to it. Management has to be done locally. There isn't a CLI option which I would think would be a requirement for SPs wanting to either script changes or backup configurations. It just doesn't feel production grade or SP-grade by any means. It's not like their 2200 or 5000 products which are much better. I've always heard good things about Adtran and that they are Cisco-like but I've never actually used them.

What I'd like to find is a device that can bond multiple DS1s together with standards-based MLPPP and then bridge that to an Ethernet interface behind it. I imagine that this would interop with our 7200s nicely. It would be nice if there was some mechanism for in-line management as well, though I'm not sure how that would work short of pulling out a DS0 for management access. Does anyone know of such a product? Does anyone know of any other ways of accomplishing that same or similar thing? I don't know of any cisco products that can do this. I could foresee a situation where I need multiple VLANs at the customer premise so the Adtran solution would likely fit in better with this potential need.

Thanks
Justin
[c-nsp] AnyConnect VPN client, IOS, and Vista
Has anyone gotten AnyConnect client to work with IOS router and Vista? (With self signed cert?) I got it to work with XP but not Vista. Can someone share their config or some pointers? With Vista, it gets to the cert warning part, then dies.

aaa authentication login ciscocp_vpn_xauth_ml_1 group radius
crypto pki trustpoint someVPN
 enrollment selfsigned
 serial-number none
 ip-address none
 subject-name CN=vpn, O=somedomain.com, ST=IN, C=US
 revocation-check crl
 rsakeypair someVPN_RSAKey 1024
!
!
crypto pki certificate chain FirstCapitalVPN
 certificate self-signed 01
 SNIP
 quit
!
!
interface FastEthernet0/0
 ip address w.x.y.z 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
ip local pool VPNPOOL 192.168.100.1 192.168.100.254
ip route 0.0.0.0 0.0.0.0 w.x.y.z1
!
radius-server host 10.0.0.26 auth-port 1645 acct-port 1646 key 7 03051418135F724216051C171C005F180C333970
!
webvpn gateway gateway_1
 ip address w.x.y.z port 443
 http-redirect port 80
 ssl trustpoint someVPN
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1
 !
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.3.2016-k9.pkg sequence 2
 !
webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.3.2016-k9.pkg sequence 3
 !
webvpn install svc flash:/webvpn/anyconnect-wince-ARMv4I-2.3.2016-k9.pkg sequence 4
 !
webvpn context webvpn
 secondary-color white
 title-color #66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool VPNPOOL
   svc default-domain somedomain.com
   svc keep-client-installed
   svc split dns somedomain.com
   svc split include 10.0.0.0 255.255.255.0
   svc dns-server primary 10.0.0.26
   svc dns-server secondary 10.0.0.6
   svc wins-server primary 10.0.0.26
   svc wins-server secondary 10.0.0.6
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!
end
Re: [c-nsp] SP-grade Ethernet over TDM
On Sep 16, 2009, at 12:14 AM, Justin Shore wrote:

> Does anyone have any suggestions for providing Ethernet links over bonded T1s?

Yes - don't do it, given that the basic premise of running layer-2 between sites is a Very Bad Idea, much less trying to do it over bonded T1s, heh. ;

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Sorry, sometimes I mistake your existential crises for technical insights.

-- xkcd #625
[c-nsp] Enhanced download procedure
What the #$^$...@# is going on with Cisco's download site?

It completely hangs Firefox with some shopping cart java thing. And this is downright scary:

http://www.west.net/~jay/images/cisco-wants-root.png

Enhanced downloads, brought to you by the same people who brought us enhanced interrogation?

Is there a workaround? What happened to our friend kobayashi ?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] SP-grade Ethernet over TDM
>> Does anyone have any suggestions for providing Ethernet links over bonded T1s?
>
> Yes - don't do it, given that the basic premise of running layer-2 between sites is a Very Bad Idea, much less trying to do it over bonded T1s, heh.

In general I would agree. However, there is quite a bit of experience with Ethernet over bonded SHDSL lines. And it works quite well. See for instance

http://www.zhone.com/products/ETHX-3300/

I would be rather surprised if Ethernet over bonded T1s performed significantly worse...

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] Enhanced download procedure
It should work after you allow it.

Btw, it took me 1 hour to download an ASR1k IOS today with the new downloader!!! And I couldn't find another way to download it.

--
Tassos

Jay Hennigan wrote on 15/09/2009 20:39:

> What the #$^$...@# is going on with Cisco's download site?
>
> It completely hangs Firefox with some shopping cart java thing. And this is downright scary:
>
> http://www.west.net/~jay/images/cisco-wants-root.png
>
> Enhanced downloads, brought to you by the same people who brought us enhanced interrogation?
>
> Is there a workaround? What happened to our friend kobayashi ?
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Enhanced download procedure
Tassos Chatzithomaoglou wrote:

> It should work after you allow it.

Why should I need to allow Unrestricted access to my computer in order to download a file? What exactly is that Java applet doing? Could it do something malicious? How do you know for sure?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Enhanced download procedure
It looks like it needs unrestricted access so that it can access your file system, since it presents its own file manager looking thing so you can pick where to save the files. No way to know for sure though.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Hennigan
Sent: Tuesday, September 15, 2009 2:09 PM
To: Cisco Mailing list
Subject: Re: [c-nsp] Enhanced download procedure

Tassos Chatzithomaoglou wrote:

> It should work after you allow it.

Why should I need to allow Unrestricted access to my computer in order to download a file? What exactly is that Java applet doing? Could it do something malicious? How do you know for sure?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Enhanced download procedure
Jay Hennigan wrote:

> Tassos Chatzithomaoglou wrote:
>
>> It should work after you allow it.
>
> Why should I need to allow Unrestricted access to my computer in order to download a file? What exactly is that Java applet doing? Could it do something malicious? How do you know for sure?

I can't even get that far. The stupid thing just says This image has already been added to cart right along with 0 items.

Thanks Cisco for being dipsh*ts.

~Seth
Re: [c-nsp] Enhanced download procedure
On Sep 15, 2009, at 2:19 PM, Church, Charles wrote:

> It looks like it needs unrestricted access so that it can access your file system, since it presents its own file manager looking thing so you can pick where to save the files. No way to know for sure though.

Another reason to use LYNX to download software.

- Jared
Re: [c-nsp] Enhanced download procedure
Church, Charles wrote:

> It looks like it needs unrestricted access so that it can access your file system, since it presents its own file manager looking thing so you can pick where to save the files. No way to know for sure though.

But every browser has a built-in download utility so this is worthless complexity and a potential security hole. It also completely breaks lynx and wget, and the benefits are exactly what?

Do the people at Cisco have any idea that this so-called improvement is actually a hindrance?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] SP-grade Ethernet over TDM
Top posting since it's so brief. http://www.radware.com - they have all different manner of conversion technologies in their product set.

Mike

--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC
mksm...@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Tuesday, September 15, 2009 10:14 AM
To: 'Cisco-nsp'
Subject: [c-nsp] SP-grade Ethernet over TDM

Does anyone have any suggestions for providing Ethernet links over bonded T1s?

We originally looked at Overture. They claimed that their product used standard MLPPP and interoped well with 7200s. They sent out a tech to help configure it in a lab. As it turns out they also require the use of BCP (Bridging Control Protocol). To use BCP on a 7200 step #1 is to disable IP routing (literally, 'no ip routing'). That is required to facilitate bridging VLANs over MLPPP bundles. Needless to say this wasn't an option since our router was doing more than just terminating EoTDM connections. If we had an old 7200 sitting around we probably could have pulled it off. Alternately, if we have a 7600 in that colo with DS3 SPAs we could have done the same thing without disabling routing. I'm considering replacing that 7200 with an ASR in the future so perhaps this will become possible once again down the road, but not today.

I've also been looking at Adtran's Ethernet over TDM products. It looks like you have to use their Total Access 5000 at the hub and then use their NetVanta 800 series as the CPE. I don't know anything about the Total Access 5000 and can't access their documentation without an account (hard to sell the product when you won't let people access the docs beforehand).

Overture's CPEs for this application are the 140 and 180 models. The price is right but the product just doesn't have a production SP-grade feel to it. Management has to be done locally. There isn't a CLI option which I would think would be a requirement for SPs wanting to either script changes or backup configurations. It just doesn't feel production grade or SP-grade by any means. It's not like their 2200 or 5000 products which are much better. I've always heard good things about Adtran and that they are Cisco-like but I've never actually used them.

What I'd like to find is a device that can bond multiple DS1s together with standards-based MLPPP and then bridge that to an Ethernet interface behind it. I imagine that this would interop with our 7200s nicely. It would be nice if there was some mechanism for in-line management as well, though I'm not sure how that would work short of pulling out a DS0 for management access. Does anyone know of such a product? Does anyone know of any other ways of accomplishing that same or similar thing? I don't know of any cisco products that can do this. I could foresee a situation where I need multiple VLANs at the customer premise so the Adtran solution would likely fit in better with this potential need.

Thanks
Justin

Re: [c-nsp] Enhanced download procedure
On Sep 15, 2009, at 2:22 PM, Seth Mattinen wrote:
Jay Hennigan wrote:
Tassos Chatzithomaoglou wrote:
It should work after you allow it.

Why should I need to allow Unrestricted access to my computer in order to download a file? What exactly is that Java applet doing? Could it do something malicious? How do you know for sure?

I can't even get that far. The stupid thing just says This image has already been added to cart right along with 0 items. Thanks Cisco for being dipsh*ts.

https://puck.nether.net/pipermail/cisco-nsp/2009-August/063367.html
https://puck.nether.net/pipermail/cisco-nsp/2009-August/063276.html
https://puck.nether.net/pipermail/cisco-nsp/2009-August/063209.html

Go ahead and nag these folks. They asked for it.

- Jared

Re: [c-nsp] Enhanced download procedure
On Sep 15, 2009, at 2:25 PM, Jay Hennigan wrote:
Church, Charles wrote:
It looks like it needs unrestricted access so that it can access your file system, since it presents its own file manager looking thing so you can pick where to save the files. No way to know for sure though.

But every browser has a built-in download utility so this is worthless complexity and a potential security hole. It also completely breaks lynx and wget, and the benefits are exactly what? Do the people at Cisco have any idea that this so-called improvement is actually a hindrance?

No. They don't care. Just like this person, but at least this was a joke:

http://snltranscripts.jt.org/76/76aphonecompany.phtml

- Jared

Re: [c-nsp] Enhanced download procedure
Please check the email thread a week or so back where I gave the direct contacts for feedback. They are open and want to hear helpful constructive feedback.

Rodney

Seth Mattinen wrote:
Jay Hennigan wrote:
Tassos Chatzithomaoglou wrote:
It should work after you allow it.

Why should I need to allow Unrestricted access to my computer in order to download a file? What exactly is that Java applet doing? Could it do something malicious? How do you know for sure?

I can't even get that far. The stupid thing just says This image has already been added to cart right along with 0 items. Thanks Cisco for being dipsh*ts.

~Seth

Re: [c-nsp] Enhanced download procedure
You probably need to enable cookies.

--
Tassos

Seth Mattinen wrote on 15/09/2009 21:22:
Jay Hennigan wrote:
Tassos Chatzithomaoglou wrote:
It should work after you allow it.

Why should I need to allow Unrestricted access to my computer in order to download a file? What exactly is that Java applet doing? Could it do something malicious? How do you know for sure?

I can't even get that far. The stupid thing just says This image has already been added to cart right along with 0 items. Thanks Cisco for being dipsh*ts.

~Seth

Re: [c-nsp] Enhanced download procedure
Jared Mauch wrote:
On Sep 15, 2009, at 2:19 PM, Church, Charles wrote:
It looks like it needs unrestricted access so that it can access your file system, since it presents its own file manager looking thing so you can pick where to save the files. No way to know for sure though.

Another reason to use LYNX to download software.

Is that even possible anymore with the changes they've made?

~Seth

Re: [c-nsp] MPLS TE Fast Re-route
When you say backup path for patch-protection, are you talking about path protection? I've never done path protection, but it is slightly slower than FRR with link or node protection to converge, but from what I understand it is an alternative to FRR that does link and node and the path gets set up in advance, so bandwidth has to be reserved, but then again you don't have to reserve too much bandwidth, as the path is backup and its reservation should not interfere in the reservation of other primary paths.

As far as MPLS link and node and protection where FRR comes in, same thing happens. The path gets set up in advance and you can protect multiple links with one backup path in case of link and node protection and if you do MPLS TE mesh groups (of which I only read about and see in the lab) you can have relatively easy configuration, but possibly too much troubleshooting. So, the path is set up in advance and you can either set this up to protect until the primary tunnel fixes itself through another path, or in some cases when you don't want it to happen you can keep it going on the backup path until the primary tunnel fixes itself by another path going back up.

So to answer your question, the path is built, and show mpls tra fa da (too lazy to type it up) should show you the info for the backup path. At least that is how I remember it, so the path is built and ready for failure. But I think you know all that anyway.

I've only read about this, but there is a concept of using backup tunnel bandwidth protection where you can say how much bandwidth of all primary tunnels it is protecting can go on it. OPNET if you have access to it (and it is too expensive for most people to use it) is good about calculating just how to best plan for various outages and what happens when various outages in a TE environment happen.

Yan

From: Charlie Greenaway charlie.greena...@btinet.bt.com
To: cisco-nsp@puck.nether.net
Sent: Monday, September 14, 2009 7:25:36 PM
Subject: [c-nsp] MPLS TE Fast Re-route

Hi,

I have a question on MPLS TE and Fast Re-Route. I have a test network and I want to check that the behaviour I am seeing is correct. When you set-up a backup path for patch-protection, it would seem that RSVP sends signalling messages down the backup path to reserve the bandwidth. However, it does not seem to build an LSP and assign labels to it until the primary path breaks. Is this correct? Has anyone got any advice on using MPLS FRR?

Thanks,
Charlie G

Charlie Greenaway - CCIE#11226 (Security/RS)
Solutions Architect | BT iNet | Email: charlie.greena...@btinet.bt.com | Web: www.btinet.bt.com

[c-nsp] LLDP between a 6500 and a 3750
Having a weird issue with LLDP between a 6500 and a 3750.

There are two gig links which are in a port channel. The 6500 (r2 below) sees a lldp neighbor on both ports but the 3750 only shows the 6500 being a neighbor on the port which it has most recently received an update. This is breaking some of our automated tests to make sure switches have been correctly cabled which we are trying to make more multivendor capable.

Has anyone seen anything like this before?

r2#sh lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
acc-sw              Gi3/9          120                        Gi2/0/1
acc-sw              Gi3/10         120                        Gi2/0/2

acc-sw#sh lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
r2                  Gi2/0/1        60         R               desc

Total entries displayed: 2

acc-sw#sh lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
r2                  Gi2/0/2        60         R               desc

--
Colin Whittaker +353 (0)86 8211 965
http://colin.netech.ie co...@netech.ie

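Added example, not part of the original post: one way a cabling test of the kind described above could compare the LLDP tables captured from both ends of each link and report one-sided adjacencies. The sample text is constructed, and the column widths, helper names and the interface-name pattern are assumptions.

```python
import re

COLUMNS = ("Device ID", "Local Intf", "Hold-time", "Capability", "Port ID")
KEYS = ("device", "local_intf", "hold_time", "capability", "port_id")
ROW = "{:<20}{:<15}{:<11}{:<16}{}"  # assumed column widths, sample data only
INTF_RE = re.compile(r"^[A-Za-z]+\d+(/\d+)*$")  # matches names like Gi2/0/1


def render(rows):
    """Build constructed CLI-style text for the sample captures below."""
    lines = [ROW.format(*COLUMNS)] + [ROW.format(*r) for r in rows]
    return "\n".join(lines) + "\n\nTotal entries displayed: %d\n" % len(rows)


def parse_lldp_neighbors(text):
    """Slice every row at the header's column offsets, so an empty
    Capability field cannot shift Port ID into the wrong column."""
    lines = text.splitlines()
    header_idx = next((i for i, l in enumerate(lines)
                       if l.startswith("Device ID")), None)
    if header_idx is None:
        raise ValueError("no 'Device ID' header line found")
    header = lines[header_idx]
    starts = [header.index(name) for name in COLUMNS]
    ends = starts[1:] + [None]
    rows = []
    for line in lines[header_idx + 1:]:
        if not line.strip() or line.startswith("Total entries"):
            continue
        fields = [line[s:e].strip() for s, e in zip(starts, ends)]
        rows.append(dict(zip(KEYS, fields)))
    return rows


def missing_reverse_adjacencies(views):
    """views maps hostname -> parsed rows. For each row on A that names
    neighbor B and B's port P, require a row on B with device A and local
    interface P. Rows whose Port ID is not an interface name (a description,
    for instance) cannot be checked in that direction and are skipped."""
    missing = []
    for host, rows in views.items():
        for row in rows:
            peer, port = row["device"], row["port_id"]
            if peer not in views or not INTF_RE.match(port):
                continue
            if not any(r["device"] == host and r["local_intf"] == port
                       for r in views[peer]):
                missing.append((host, row["local_intf"], peer, port))
    return missing


# Constructed captures: r2 lists both member links, acc-sw lists only one.
R2_TEXT = render([("acc-sw", "Gi3/9", "120", "", "Gi2/0/1"),
                  ("acc-sw", "Gi3/10", "120", "", "Gi2/0/2")])
ACC_SW_TEXT = render([("r2", "Gi2/0/2", "60", "R", "desc")])
VIEWS = {"r2": parse_lldp_neighbors(R2_TEXT),
         "acc-sw": parse_lldp_neighbors(ACC_SW_TEXT)}

if __name__ == "__main__":
    for a, a_intf, b, b_port in missing_reverse_adjacencies(VIEWS):
        print(f"{a} {a_intf} sees {b} on {b_port}; {b} has no {a} entry there")
```
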
Re: [c-nsp] Enhanced download procedure
I agree 100%. It makes no sense to force people to use proprietary download managers, especially when they fund the bandwidth used to retrieve the file. :thumbdown:

On Tue, Sep 15, 2009 at 11:56 AM, Seth Mattinen se...@rollernet.us wrote:
Jared Mauch wrote:
On Sep 15, 2009, at 2:19 PM, Church, Charles wrote:
It looks like it needs unrestricted access so that it can access your file system, since it presents its own file manager looking thing so you can pick where to save the files. No way to know for sure though.

Another reason to use LYNX to download software.

Is that even possible anymore with the changes they've made?

~Seth

[c-nsp] ASA5505, Restricted VLAN VPN
Hello all, first time poster, please be gentle...

I have a client scenario that I can't work out in the lab for a few days, hoping someone here might already know if it is possible or not.

I have a client with an ASA5505, base license, currently utilizing the restricted VLAN to provide access to the internet only, across the outside interface. Is it possible to make a VPN connection from the restricted VLAN via (I assume) the outside interface, and gain connectivity to the inside interface across said VPN? I've been able to do similar things with IOS routers in the past, I just can't nail down from the documentation if this would be allowed on an ASA utilizing the included restricted VLAN.

Thanks in advance for any insight.

Regards,
dtb

Re: [c-nsp] ASA5505, Restricted VLAN VPN
Hello Dave:

snip

Hello all, first time poster, please be gentle...

I have a client scenario that I can't work out in the lab for a few days, hoping someone here might already know if it is possible or not.

I have a client with an ASA5505, base license, currently utilizing the restricted VLAN to provide access to the internet only, across the outside interface. Is it possible to make a VPN connection from the restricted VLAN via (I assume) the outside interface, and gain connectivity to the inside interface across said VPN? I've been able to do similar things with IOS routers in the past, I just can't nail down from the documentation if this would be allowed on an ASA utilizing the included restricted VLAN.

Thanks in advance for any insight.

Regards,
dtb

snip

What do you mean by restricted VLAN? The inside and outside, let's call them VLAN 1 and VLAN 2, should both work unrestricted. The restricted VLAN is the third VLAN you would use for a DMZ. If you go with the two regular VLAN's then you will be able to establish VPN connectivity from outside to inside with no technical difficulties. You may, however, have licensing restrictions if you're attempting to do SSL-based VLAN's.

Regards,
Mike

[c-nsp] RSVP MPLS Fast Reroute PLR Behavior
While testing out Fast Reroute I notice that after a linkdown and successful FRR switch onto bypass, the SUT does not switch back to the primary path after link is restored and IGP reconverges. Is this expected behavior or am I perhaps missing some important config statement? I am testing on 7609s with version 12.2(33)SRD.

Thanks,
J Scott

Re: [c-nsp] debug bgp updates within VRF
Hi Biddu,

If you wish to see route table updates, then you can use debug ip routing vrf name. This will show you the updates as they are applied to the VRF routing table. If you wish to see what BGP specifically is doing then something like deb ip bgp vpnv4 unicast updates should help you out. You will see routes like 100:1:10.200.0.189/32 which is 10.200.0.189 for VRF with RD 100:1.

Hope this helps.

regards,
Tony.

--- On Tue, 15/9/09, Ved Labs vedl...@gmail.com wrote:
From: Ved Labs vedl...@gmail.com
Subject: [c-nsp] debug bgp updates within VRF
To: cisco-nsp@puck.nether.net
Received: Tuesday, 15 September, 2009, 10:31 PM

How do I debug bgp updates within VRF

Thanks,
Biddu.

Re: [c-nsp] RSVP MPLS Fast Reroute PLR Behavior
While testing out Fast Reroute I notice that after a linkdown and successful FRR switch onto bypass, the SUT does not switch back to the primary path after link is restored and IGP reconverges. Is this expected behavior or am I perhaps missing some important config statement? I am testing on 7609s with version 12.2(33)SRD.

As far as I know this is the expected behavior. MPLS explicit LSPs will be reoptimized at intervals you specify, but it doesn't necessarily happen right away. We have typically configured a reoptimization interval of 1 hour.

Steinar Haug, Nethelp consulting, sth...@nethelp.no