Re: [c-nsp] Latest iteration of core upgrade - questions
On Friday 30 October 2009 12:21:02 am Rick Ernst wrote:

> - We do have some peering, but it was originally designed at the customer/aggregation layer.

Do you mean at or in? As in, do you have a dedicated peering router connected to your edge layer, or do you have an edge router doubling as your peering router?

> - The idea for the 7206s is as lightbulb devices. One upstream. One 7206. Two downlinks to the core. The single-point-of-failure remains within the individual upstreams.

Or the box itself, since with the exception of the power supplies, it has a single, integrated control and data plane.

If you have the budget in the future, get a second router and terminate your other upstream there, for border router + upstream redundancy.

> This keeps max possible traffic within the CPU/performance envelope. It also allows us to grow horizontally as additional upstreams come in. I'm looking at going to 7201s(? the 1U NPE-G2 equivalent) as bandwidth needs increase.

7201's might not be dense enough if you need to support additional Ethernet or non-Ethernet links. You can only use one additional PA.

If you do decide to go with the 7201 and later realize you're out of ports, you'll be inclined to plant an Ethernet switch in there, stick the upstreams into it and run 802.1Q back to the 7201. This may or may not be ugly, depending on who's looking :-).

> - 7600/Sup720-3BXL is the top (currently only) contender for core routing/switching.

If you're talking about a collapsed edge router + core switch, then there are other options, even non-Cisco. But I'm guessing you're more Cisco-inclined :-).

Shop around, if you can. There's always time to make the right decision :-).

As for the 7600, be sure to consider all the features it can and can't support, and match those against what your current and future plans are. Talk to your Cisco SE on this until you're satisfied. Once these boxes are in, getting them out won't be easy. And that goes for all other options you may have.

> - I was planning on having a core/border and core/aggregation VLAN on the 7600s.

This is typical - in larger PoP's, both these functions would sit on different switches - so you end up having 4 core switches with redundancy. In smaller PoP's, 2 core switches can collapse both these functions with redundancy, and then you may grow to 4 if necessary.

As your network gets bigger and you have more peering and less transit, you'll find that you'll probably only need the 2. But that's a different level in the game :-).

> Our customer TDM needs are drying up and everything is moving to ethernet. New customer aggregation is Catalyst 4948s with local-only BGP and OSPF. Customers requiring BGP ebgp-multi-hop to devices that are full-table capable.

We tend to shy away from eBGP Multi-Hop as much as we can, but it's used a great deal in the field. Besides, it's a good way to go cheap-cheap at the edge (ask a well-known transit provider).

> - Something the redesign/reimplementation will allow is core is glue only. Customers attach at the aggregation layer and everything is a customer

That's the way you want it.

> - I'm using IGP for loopback addresses, but also local routing. Not all devices can handle either BGP, or full-tables.

That's those Cisco 4948's you're talking about...

> That is a different upgrade project, but I need to keep existing/legacy services running as I go forward.

Well, if you're looking at the 7600 or some such for the edge, you could use it as a Layer 2 aggregation edge router and service IP customers off their individual VLAN's. That way, you don't need to worry about having to support full BGP tables on your Cisco 4948's.

Of course, the downside is turning the Cisco 4948 into a pure Layer 2 device means you have to deal with STP issues re: uplink redundancy.

> - I'm on the fence with IPv6. Of our current name brand providers, only one of them even sort-of supports v6.
> v6 is also on my feature requirements list, but I'm planning on going dual-stack later rather than earlier; both to change as little as possible while upgrading and also to give me more time to digest how v6 really works and what it means.

Well, if you're buying anything new now, insist that it support v6 for the features you (will) need. I'd consider it a show-stopper if any hardware/software we're buying today doesn't support v6.

Cheers,

Mark.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] SPA V1 vs V2
On 28 Oct 2009, at 14:47, Benny Amorsen wrote:

> Also, to some it might be surprising that the SIP-600 in a 7600 will not do QinQ no matter the SPA version, whereas the SIP-400 supposedly will with a v2 SPA (I haven't had the chance to actually try, and some documentation says that it won't work)...

It's interesting that the SIP-600 doesn't do it. The SIP-400 definitely does it with the v2 SPA - we tested this in the lab under 12.2(33)SRC2 and 12.2(33)SRD. The configuration requires nothing special - encaps dot1q X second-dot1q Y.

I'd be interested to see what docs say that this doesn't work :-)

Kind regards,
Rob

--
Rob Shakir r...@eng.gxn.net
Network Development Engineer, GX Networks/Vialtus Solutions
ddi: +44208 587 6077 mob: +44797 155 4098
pgp: 0xc07e6deb nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html
Re: [c-nsp] ISR G2 multicore?
On 29/10/2009, at 9:58 AM, David Hughes wrote:

> On 28/10/2009, at 11:18 PM, Roland Dobbins wrote:
>
>> The smartest/sanest thing to do, IMHO, would be to work at migrating to NX-OS, feature-set by feature-set. It's by far the cleanest and best-designed OS platform Cisco have come out with to date.
>
> Couldn't agree more. NX-OS looks like a great platform that could easily become the basis for all things in the future. And let's face it, it's designed to use high-performance, low-cost CPUs for the control plane. Would we ever need to think about cpu usage of the BGP scanner again if there was a quad core i7 sitting under the hood?

although i'm obviously biased (grin), no disagreement with your sentiments.

there's a lot of x86 xeon dual core control-plane available on Sup1 on N7K today. with the RIB/FIB architecture used, there is also no bgp scanner process either. :)

one of the luxuries we have with NX-OS is since we have complete separation of control-plane and data-plane there really isn't anything that drops you into software forwarding. that in itself is a major benefit - but it does come with the cost that the platform is only capable of implementing features that the underlying hardware (ASIC) forwarding path supports.

for where Nexus and NX-OS is targeted that works out well but isn't for example, a luxury that a platform like ISR G2 could necessarily use where it's more a 'swiss army' all things to all people kind of platform.

On 29/10/2009, at 12:35 PM, Adrian Chadd wrote:

> People write crap code for fast CPU's all the time David. They also get paid for it and it somehow gets into production. :)

no disagreement, the ability to get away with crappy code is more so for faster processors. however, in this case, i don't think that applies in this case.
the folks that wrote said code are the same folks that have written a lot of code, and there isn't likely multiple IP hops of everyone's internet connection today, across core router platforms (even non Cisco ones) that said folks have been involved with.

in the specific case of NX-OS, it's very modular code which itself means one cannot tend to get away with 'crap code' because modularity doesn't come for free.

cheers,

lincoln.
Re: [c-nsp] 7204VXR crashing when trying to load 12.2(33)SRC4
On Friday 30 October 2009 08:42:31 am Jared Gillis wrote:

> Hello all,
>
> I'm trying to get a lab 7204VXR (NPE-400) up and running on SRC code, and am having no luck. I've loaded it up with 12.2(33)SRC4 ipbase, and 12.2(33)SRD3 ipbase, and the router locks or crashes on boot each time:
>
> Cisco IOS Software, 7200 Software (C7200-IPBASE-M), Version 12.2(33)SRC4, RELEASE SOFTWARE (fc2)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2009 by Cisco Systems, Inc.
> Compiled Mon 11-May-09 16:53 by prod_rel_team
> Image text-base: 0x60009304, data-base: 0x61E147E0
>
> Cisco 7204VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
>
> It will either crash there and reload, or sit there forever. I've tried making it use SRC boot code, to no effect. None of the docs I can find say anything more than 7200 is supported (no breakdown on required NPE or IO modules). Has anyone had any luck getting 12.2SR code of any kind running on a 7204VXR? If so, any advice?
>
> Thanks!

You might want to try sending your crash info to TAC.

FWIW, we have a 7204-VXR/NPE-G1 in production running SRC3 and a 7206-VXR/NPE-400 running SRC3 as well. No issues with those boxes.

We shall be moving both of them (and others) to SRC5 later tonight.

Cheers,

Mark.
Re: [c-nsp] ISR G2 multicore?
On Friday 30 October 2009 04:13:01 pm Lincoln Dale wrote:

> one of the luxuries we have with NX-OS is since we have complete separation of control-plane and data-plane there really isn't anything that drops you into software forwarding. that in itself is a major benefit - but it does come with the cost that the platform is only capable of implementing features that the underlying hardware (ASIC) forwarding path supports.

Some might not see that as necessarily a bad thing, provided the ASIC is robust enough to handle all of the user's required features in the hardware path (being the only path) :-).

Cheers,

Mark.
Re: [c-nsp] ubr npe-g2 vs 7200 npe-g2
> Cisco UBR routers are used as cable CMTS devices...
>
> http://www.cisco.com/en/US/products/hw/cable/ps2217/index.html

i understand the difference between the ubr and the regular 7200 series. i'm wondering about just the npe-g2 card. is there any difference between the npe version for ubr and the version for 7200? is it just a part number difference? or is there a physical difference of some sort?
[c-nsp] 7204VXR crashing when trying to load 12.2(33)SRC4
> Hello all,
>
> I'm trying to get a lab 7204VXR (NPE-400) up and running on SRC code, and am having no luck. I've loaded it up with 12.2(33)SRC4 ipbase, and 12.2(33)SRD3 ipbase, and the router locks or crashes on boot each time:
>
> Cisco IOS Software, 7200 Software (C7200-IPBASE-M), Version 12.2(33)SRC4, RELEASE SOFTWARE (fc2)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2009 by Cisco Systems, Inc.
> Compiled Mon 11-May-09 16:53 by prod_rel_team
> Image text-base: 0x60009304, data-base: 0x61E147E0
>
> Cisco 7204VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
>
> It will either crash there and reload, or sit there forever. I've tried making it use SRC boot code, to no effect. None of the docs I can find say anything more than 7200 is supported (no breakdown on required NPE or IO modules). Has anyone had any luck getting 12.2SR code of any kind running on a 7204VXR? If so, any advice?

This may be a stretch, but check the output of `show c7200` for the hardware revision. We've run into some buggy NPE-400 hardware that showed a hardware revision of either 1.0 or 1.1 that required replacement.

In our case the bug revealed itself when it had max ram (512mb) and some portion above 256 was accessed.

--Chris
Re: [c-nsp] ISR G2 multicore?
>> one of the luxuries we have with NX-OS is since we have complete separation of control-plane and data-plane there really isn't anything that drops you into software forwarding. that in itself is a major benefit - but it does come with the cost that the platform is only capable of implementing features that the underlying hardware (ASIC) forwarding path supports.
>
> Some might not see that as necessarily a bad thing, provided the ASIC is robust enough to handle all of the user's required features in the hardware path (being the only path) :-).

This is one of the things we like about vendor J - packets are either forwarded in software or not at all. There is no fallback to software forwarding. Makes for great predictability.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] 802.1w vs EoMPLS failover time
Sorry, our current situation is that during a spanning tree switchover, it encounters a buffer underrun error on the RAD box, and we are looking to see if perhaps a mpls TE tunnel with explicit paths (2 explicit paths plus a dynamic path) would help matters any as opposed to just layer 2 vlans. I'll look into FRR.

Phil Bedard wrote:

> The part where you said what the RSTP convergence time was got lost somewhere. Just using a tunnel primary/secondary paths may not be quicker than RSTP. If you use FRR protection as well it may result in less traffic loss than RSTP. Some vendors have different behavior when the failure is on the actual ingress node than a transit node, so you may want to investigate that if you are using FRR.
>
> Phil
>
> On Oct 29, 2009, at 7:09 PM, Walter Keen wrote:
>
>> I've got a jitter-sensitive application (voice DS3 over some RAD equipment) that we are testing, and I've got a rapid spanning tree ring through the below network. We have it down to during a spanning tree switchover (tested by adjusting the rapid-pvst cost on the trunk interface), and curious if people feel if EoMPLS with a mpls-TE tunnel would provide faster convergence in case of a failure, given a fairly vanilla OSPF as the IGP, and 2 explicit paths defined (A-D, then A-B-D), as the endpoints of this application are at A and D.
>>
>> I think I'm going to start testing this tomorrow or next week, but curious if anyone had any thoughts or suggestions.
>>
>> HW is 7600/RSP720 at A and B, 7600/SUP720 at D and C, all with 6724sfp cards for core-facing interfaces, and 6148 card (10/100) for RAD-facing interfaces.
>>
>> Network looks like
>>
>> A---D
>> \--B---/
>> \--C-/
>>
>> Or, A has a connection to D, A has a connection to B and C, B has a connection to D, C has a connection to D.

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194
Re: [c-nsp] ubr npe-g2 vs 7200 npe-g2
I've used a npe-g2 card in a ubr before, but haven't tried the other way around.

Joe Pruett wrote:

>> Cisco UBR routers are used as cable CMTS devices...
>>
>> http://www.cisco.com/en/US/products/hw/cable/ps2217/index.html
>
> i understand the difference between the ubr and the regular 7200 series. i'm wondering about just the npe-g2 card. is there any difference between the npe version for ubr and the version for 7200? is it just a part number difference? or is there a physical difference of some sort?

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194
[c-nsp] Network Liberation Movement???
http://networkliberationmovement.net/

15 hours some big announcement? Anyone know what this is?
Re: [c-nsp] BGP Add path capbility
Hi,

I've been looking at one of the features of BGP called Add path, which allows the advertisement of multiple paths for the same address prefix, and was reading this RFC http://potaroo.net/ietf/all-ids/draft-ietf-idr-add-paths-00.txt.

So in a service provider scenario where we use RR for Internet and MPLS VPN based scenarios, if we use this feature in the RR, do we get a better convergence benefit? Also, can it help to approach a centralized RR, especially for the Internet based scenario, and can one still ensure hot potato routing?

Also, not sure if this feature is required across all PE also.

Can someone share some information?

Thanks in advance,

Regards,
CS.
Re: [c-nsp] Network Liberation Movement???
Just looks like a bunch of gibberish to me.

-Drew

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Derick Winkworth
Sent: Friday, October 30, 2009 10:23 AM
To: Cisco NSP; juniper-...@puck.nether.net
Subject: [c-nsp] Network Liberation Movement???

http://networkliberationmovement.net/

15 hours some big announcement? Anyone know what this is?
Re: [c-nsp] ISR G2 multicore?
>> Some might not see that as necessarily a bad thing, provided the ASIC is robust enough to handle all of the user's required features in the hardware path (being the only path) :-).
>
> This is one of the things we like about vendor J - packets are either forwarded in software or not at all. There is no fallback to software

- hardware, obviously

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] Network Liberation Movement???
Gibberish, and marketing speak.

My guess is a linux-based 'router' they're trying to sell to unsuspecting mom-and-pop businesses.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Friday, October 30, 2009 9:38 AM
To: 'Derick Winkworth'; Cisco NSP; juniper-...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Just looks like a bunch of gibberish to me.

-Drew

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Derick Winkworth
Sent: Friday, October 30, 2009 10:23 AM
To: Cisco NSP; juniper-...@puck.nether.net
Subject: [c-nsp] Network Liberation Movement???

http://networkliberationmovement.net/

15 hours some big announcement? Anyone know what this is?
Re: [c-nsp] Network Liberation Movement???
Maybe some new kind of transport. Ether anyone?

--
Randy

-- Original Message ---
From: Matlock, Kenneth L matlo...@exempla.org
To: Drew Weaver drew.wea...@thenap.com, Derick Winkworth dwinkwo...@att.net, Cisco NSP cisco-nsp@puck.nether.net, juniper-...@puck.nether.net
Sent: Fri, 30 Oct 2009 10:15:19 -0600
Subject: Re: [c-nsp] Network Liberation Movement???

Gibberish, and marketing speak.

My guess is a linux-based 'router' they're trying to sell to unsuspecting mom-and-pop businesses.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Friday, October 30, 2009 9:38 AM
To: 'Derick Winkworth'; Cisco NSP; juniper-...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Just looks like a bunch of gibberish to me.

-Drew

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Derick Winkworth
Sent: Friday, October 30, 2009 10:23 AM
To: Cisco NSP; juniper-...@puck.nether.net
Subject: [c-nsp] Network Liberation Movement???

http://networkliberationmovement.net/

15 hours some big announcement? Anyone know what this is?

--- End of Original Message ---
Re: [c-nsp] 7204VXR crashing when trying to load 12.2(33)SRC4
Chris Wopat wrote:

>> Hello all,
>>
>> I'm trying to get a lab 7204VXR (NPE-400) up and running on SRC code, and am having no luck. I've loaded it up with 12.2(33)SRC4 ipbase, and 12.2(33)SRD3 ipbase, and the router locks or crashes on boot each time:
>>
>> Cisco IOS Software, 7200 Software (C7200-IPBASE-M), Version 12.2(33)SRC4, RELEASE SOFTWARE (fc2)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 1986-2009 by Cisco Systems, Inc.
>> Compiled Mon 11-May-09 16:53 by prod_rel_team
>> Image text-base: 0x60009304, data-base: 0x61E147E0
>>
>> Cisco 7204VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
>>
>> It will either crash there and reload, or sit there forever. I've tried making it use SRC boot code, to no effect. None of the docs I can find say anything more than 7200 is supported (no breakdown on required NPE or IO modules). Has anyone had any luck getting 12.2SR code of any kind running on a 7204VXR? If so, any advice?
>
> This may be a stretch, but check the output of `show c7200` for the hardware revision. We've run into some buggy NPE-400 hardware that showed a hardware revision of either 1.0 or 1.1 that required replacement.
>
> In our case the bug revealed itself when it had max ram (512mb) and some portion above 256 was accessed.

Hm, sounded like a good possibility, but booting on 12.3 mainline and running show c7200 gives:

C7204VXR CPU EEPROM:
Hardware Revision: 1.6
Top Assy. Part Number: 800-08136-07
Part Number : 73-5308-07
Board Revision : A0
PCB Serial Number: 30273836
RMA History : 00
Fab Version : 02
Fab Part Number : 28-4086-02
Product (FRU) Number : NPE-400
Deviation Number : 0-0
EEPROM format version 4
EEPROM contents (hex):
0x00: 04 FF 40 01 F8 41 01 06 C0 46 03 20 00 1F C8 07
0x10: 82 49 14 BC 07 42 41 30 C1 8B 33 30 32 37 33 38
0x20: 33 36 00 00 00 04 00 02 02 85 1C 0F F6 02 CB 87
0x30: 4E 50 45 2D 34 30 30 80 00 00 00 00 FF FF FF FF
0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

> --Chris
Re: [c-nsp] Basic RSTP question
I've seen CPU spikes which have caused a switchover. These were caused by software switching and spikes in traffic. Specifically it was a very large number of MPLS tunnels in a lab configuration and we ran out of ACL_TCAM ...

On Thu, Oct 29, 2009 at 6:47 PM, samuel vuillaume vuillau...@gmail.com wrote:

> Hi Guys,
>
> I can tell you, it was a really bad day
>
> Since a while, we've been experiencing Interrupt High spikes CPU on one of our 7609-SUP720. So this morning when we got them, i ran the following as per CISCO recommendations, and unfortunately a few seconds later, the Active SUP720 reset causing a switchover over the slave one and a downtime of 10 minutes!
>
> CISCO told me many times, it was not CPU intensive and these CLI's are built to be run when CPU is at 99%...
>
> I was wondering if one of you experienced the same kind of problem.
>
> tks
>
> switch(config)#service internal
> switch# show platform capture buffer asic pinnacle slot 5 port 4 direction out priority lo
> switch# show platform capture buffer collect for 10
>
> When i was looking at the capture buffered the crash occurred. I'm now really in a bad position
>
> tks
> Sam
[c-nsp] Good way of finding unauthorized network elements/
Hi all

I have a general question. I have a network consisting of about 20 access switches and 2 core switches. We have 3 access points that we manage but think someone might have brought in a linksys or DLink consumer device and plugged in. (users, can't live with em, can't shoot em)

Is there a tool or good method that could scan the arp table and look for Manufacturer ID bits so I could see roughly what's attached where? Are there better tools in general or better methods of finding rogue elements that people may attach?

Any pointers would be appreciated.

Thanks
Scott
Re: [c-nsp] ISR G2 multicore?
Yeah the software forwarding idea just ends up crashing large boxes like the 7609. If you suddenly enable a feature that causes software forwarding or you run out of TCAM and software starts to make up for that, say goodbye to either performance or your SUP/RSP.

On Fri, Oct 30, 2009 at 8:45 AM, sth...@nethelp.no wrote:

>>> Some might not see that as necessarily a bad thing, provided the ASIC is robust enough to handle all of the user's required features in the hardware path (being the only path) :-).
>>
>> This is one of the things we like about vendor J - packets are either forwarded in software or not at all. There is no fallback to software
>
> - hardware, obviously
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] Good way of finding unauthorized network elements/
Try Netdisco.

http://netdisco.org/

Nick

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Friday, October 30, 2009 2:09 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Good way of finding unauthorized network elements/

Hi all

I have a general question. I have a network consisting of about 20 access switches and 2 core switches. We have 3 access points that we manage but think someone might have brought in a linksys or DLink consumer device and plugged in. (users, can't live with em, can't shoot em)

Is there a tool or good method that could scan the arp table and look for Manufacturer ID bits so I could see roughly what's attached where? Are there better tools in general or better methods of finding rogue elements that people may attach?

Any pointers would be appreciated.

Thanks
Scott
Re: [c-nsp] Network Liberation Movement???
Only an idiot will make an important announcement on a Saturday.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matlock, Kenneth L
Sent: Friday, October 30, 2009 1:15 PM
To: Drew Weaver; Derick Winkworth; Cisco NSP; juniper-n...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Gibberish, and marketing speak.

My guess is a linux-based 'router' they're trying to sell to unsuspecting mom-and-pop businesses.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Friday, October 30, 2009 9:38 AM
To: 'Derick Winkworth'; Cisco NSP; juniper-...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Just looks like a bunch of gibberish to me.

-Drew

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Derick Winkworth
Sent: Friday, October 30, 2009 10:23 AM
To: Cisco NSP; juniper-...@puck.nether.net
Subject: [c-nsp] Network Liberation Movement???

http://networkliberationmovement.net/

15 hours some big announcement? Anyone know what this is?
Re: [c-nsp] Good way of finding unauthorized network elements/
Hi Scott,

I think Wireless LAN Controllers are the best tool to do that.

A cheaper option is to use Netstumbler. I don't have it right now but as long as I recall it finds manufacturer ID.

A third option (if your switches support it) is to enable port security and maximum mac address numbers on each switchport.

Hope this helps

On Fri, Oct 30, 2009 at 4:08 PM, Scott Granados gsgrana...@comcast.net wrote:

Hi all

I have a general question. I have a network consisting of about 20 access switches and 2 core switches. We have 3 access points that we manage but think someone might have brought in a linksys or DLink consumer device and plugged in. (users, can't live with em, can't shoot em) Is there a tool or good method that could scan the arp table and look for Manufacturer ID bits so I could see roughly what's attached where? Are there better tools in general or better methods of finding rogue elements that people may attach? Any pointers would be appreciated.

Thanks
Scott
Re: [c-nsp] FWSM traffic distribution across internal etherchannel
First, I wanted to give thanks to David for helping me track down this issue and for providing insight into the workings of the FWSM.

To recap the issue: I was seeing the majority of outbound traffic from the FWSM exiting on the 3rd and 6th port of the ether-channel while the inbound traffic to the FWSM was pretty much equally distributed across the six links.

Some more info on our setup… Behind this FWSM we have several high profile web properties so the majority of the traffic is http. Also, everything behind the FWSM is NATed with static NAT and we were using src-dst-ip for the ether-channel load-balancing algorithm on the 6500's.

Generally traffic on the FWSM will exit the same port it was received on, with several exceptions:

1) Traffic inspected by the CP
2) Fragmented traffic
3) Packets forwarded between the NP's

We were able to rule out the inspected and fragmented traffic pretty easily, which just left option 3. The command 'show np 1 stats | inc blade' displays the number of packets that are forwarded from one NP to the other. When we issued this command twice with a 5 second pause in between we saw a significant increase in the counters.

Here is an example of what happens when a client makes a connection to one of our sites:

1) Packet comes from client destined to the server.
2) The SUP hashes the packet based on the src and dst IP and sends it out port 1 (NP 1) of the FWSM
3) Connection is created on NP1
4) IP header in the packet is NATed by the FWSM and sent out to destination server
5) Server replies back to the client
6) SUP hashes the packet again, but since one of the IPs has been NATed by the FWSM the packet is now hashed to port 5 (NP2)
7) FWSM receives the packet, but since the connection for this flow resides on NP1 it forwards the packet from NP2 to NP1
8) Once the packet is processed by NP1 it is forwarded out port 3 (if we reversed it and NP2 did the processing it would have been forwarded out port 6)

So the reason we saw the majority of traffic egress ports 3 and 6 was because of the ether-channel hash and the static NAT. By changing the ether-channel load-balancing algorithm to src-dst-port we were able to get equal distribution of traffic out of the FWSM.

On Wed, Oct 28, 2009 at 3:51 AM, nm...@guesswho.com wrote:

David,

It appears that I might have misunderstood the original question since it was only pertaining to traffic from the FWSM. My apologies.

Thanks,
Nick

*From:* David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com]
*Sent:* Tuesday, October 27, 2009 10:32 PM
*To:* Nicholas Maio
*Cc:* j4b...@gmail.com; cisco-nsp@puck.nether.net
*Subject:* Re: [c-nsp] FWSM traffic distribution across internal etherchannel

Hi Nick,

Changing the SUP's load-balancing algorithm (which is what is described in the link provided) only affects the traffic that egresses the switch and ingresses the FWSM. It does not impact the packet distribution in the reverse direction (egress the FWSM and ingress on the switch).

I didn't indicate that I would need to know the traffic profile to determine the correct SUP load-balancing algorithm, but rather to explain why ports 3 and 6 were mainly utilized for traffic egressing the FWSM - which was Jack's original question.

Sincerely,
David.

nm...@guesswho.com wrote:

David,

The section named Customizing the FWSM Internal Interface in the following page http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/switch_f.html would be helpful. As you stated you would need to know the traffic profile to determine the correct algorithm but why would you say that there aren't any commands to change this? The command is not run in the fwsm but rather the switch/router.

Nick

From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr. (dwhitejr) [dwhit...@cisco.com]
Sent: Tuesday, October 27, 2009 8:29 PM
To: jack b
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM traffic distribution across internal etherchannel

Hi Jack,

Yes, it is most likely that this is normal. There are no CLI commands on the FWSM to adjust this. I would have to understand your traffic profile along with your config to tell you why the given profile is almost exclusively utilizing ports 3 and 6.

Sincerely,
David.

jack b wrote:

I have a FWSM running 2.3(4)11 in slot 4 of a 6509. I have noticed that I am getting unequal traffic distribution on the links that make up the ether channel bundle between the FWSM and 6509. Here is a snapshot of the traffic distribution

4/1  in 28.99mbps   out 458.10mbps
4/2  in 12.37mbps   out 248.31mbps
4/3  in 960.86mbps  out 294.95mbps
4/4  in 34.07mbps   out 505.22mbps
4/5  in 15.08mbps   out 243.10mbps
4/6  in 950.63mbps  out 262.68mbps

In is traffic from the FWSM to the switch and out is traffic
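The eight-step walk-through in the message above can be reproduced with a small model. This is an added example, not code from the thread or from Cisco: the XOR-and-fold hash is a simplified stand-in for the switch's real algorithm, the split of ports 1-3 to NP1 and 4-6 to NP2 is an assumption consistent with the walk-through, and the addresses are constructed.

```python
"""Toy model of the SUP -> FWSM EtherChannel hash with static NAT (added example)."""
import ipaddress
from collections import Counter

LINKS = 6                  # six ports in the FWSM's internal EtherChannel
NP_EGRESS = {1: 3, 2: 6}   # per the walk-through: NP1 exits port 3, NP2 exits port 6


def np_of(port: int) -> int:
    """Assumption: ports 1-3 attach to NP1 and ports 4-6 to NP2."""
    return 1 if port <= 3 else 2


def link_for(a: int, b: int) -> int:
    """Simplified symmetric hash: XOR the two fields, fold to one byte, pick a port.
    Not the switch's real hash; only its symmetry in (a, b) matters here."""
    x = a ^ b
    x ^= x >> 16
    x ^= x >> 8
    return (x & 0xFF) % LINKS + 1


def ip(text: str) -> int:
    return int(ipaddress.ip_address(text))


def flow_links(mode, client_ip, client_port, mapped_ip, real_ip, server_port):
    """Ports the SUP picks toward the FWSM for (client->server, server->client)."""
    if mode == "src-dst-ip":
        # The request is addressed to the mapped IP, the reply is sourced from
        # the real IP, so the two directions feed different inputs to the hash.
        return (link_for(ip(client_ip), ip(mapped_ip)),
                link_for(ip(real_ip), ip(client_ip)))
    if mode == "src-dst-port":
        # Static NAT leaves the L4 ports alone, so both directions hash alike.
        return (link_for(client_port, server_port),
                link_for(server_port, client_port))
    raise ValueError(f"unknown mode: {mode}")


def simulate(mode, flows):
    """Return (Counter of FWSM->switch egress port for replies, cross-NP count)."""
    egress, crossed = Counter(), 0
    for flow in flows:
        fwd, rev = flow_links(mode, **flow)
        owner = np_of(fwd)            # connection lives on the NP that saw packet 1
        if np_of(rev) == owner:
            egress[rev] += 1          # exits the port it was received on
        else:
            crossed += 1              # handed from one NP to the other
            egress[NP_EGRESS[owner]] += 1
    return egress, crossed


# Constructed flows: 200 clients to one statically NATed web server.
FLOWS = [dict(client_ip=f"198.51.100.{k}", client_port=40000 + 7 * k,
              mapped_ip="203.0.113.10", real_ip="10.0.0.10", server_port=80)
         for k in range(1, 201)]

if __name__ == "__main__":
    for mode in ("src-dst-ip", "src-dst-port"):
        egress, crossed = simulate(mode, FLOWS)
        print(mode, "cross-NP flows:", crossed,
              "egress per port:", [egress[p] for p in range(1, LINKS + 1)])
```

With src-dst-port no reply ever lands on the other NP, which is the behaviour the poster reports after the change.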
Re: [c-nsp] Good way of finding unauthorized network elements/
Scott Granados wrote:

Hi all

I have a general question. I have a network consisting of about 20 access switches and 2 core switches. We have 3 access points that we manage but think someone might have brought in a linksys or DLink consumer device and plugged in. (users, can't live with em, can't shoot em) Is there a tool or good method that could scan the arp table and look for Manufacturer ID bits so I could see roughly what's attached where? Are there better tools in general or better methods of finding rogue elements that people may attach? Any pointers would be appreciated.

Ah yes, as a student one of my jobs was to pinpoint such devices using AirMagnet and hand them a nice letter about how it violated university network policy and that they needed to use the campus managed access points.

Some of them were pretty creative about hiding even if you knew what port they were on, and one (in a physics lab, of course) had some fancy foil shielding to limit the footprint size and direction.

~Seth
Re: [c-nsp] Network Liberation Movement???
On Halloween, no less.

My first thought was we're all going to be spammed by network resellers in the next few days when I looked at that, but I then just thought wow this is incomprehensible gibberish.

-Drew

-Original Message-
From: Lynch, Tomas [mailto:tomas.ly...@globalcrossing.com]
Sent: Friday, October 30, 2009 2:20 PM
To: Matlock, Kenneth L; Drew Weaver; Derick Winkworth; Cisco NSP; juniper-...@puck.nether.net
Subject: RE: [c-nsp] Network Liberation Movement???

Only an idiot will make an important announcement on a Saturday.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matlock, Kenneth L
Sent: Friday, October 30, 2009 1:15 PM
To: Drew Weaver; Derick Winkworth; Cisco NSP; juniper-n...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Gibberish, and marketing speak. My guess is a linux-based 'router' they're trying to sell to unsuspecting mom-and-pop businesses.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Friday, October 30, 2009 9:38 AM
To: 'Derick Winkworth'; Cisco NSP; juniper-...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Just looks like a bunch of gibberish to me.

-Drew

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Derick Winkworth
Sent: Friday, October 30, 2009 10:23 AM
To: Cisco NSP; juniper-...@puck.nether.net
Subject: [c-nsp] Network Liberation Movement???

http://networkliberationmovement.net/

15 hours some big announcement? Anyone know what this is?
Re: [c-nsp] Good way of finding unauthorized network elements/
Hi Mike, these are great ideas. Unfortunately, my biggest problem is the folks who had my job before me didn't believe in things like best practices or researching something before they set it up so I am spending a good deal of time trying to undo the work done before me. I plan on having our IT department do a little gathering and grab all the MAC addresses of the devices that users have (laptops, etc.), then enabling port security so folks will only be able to connect to their ports. I'm going to go look for ports learning more than one MAC at a time though, that sounds like a good way to go.

Thanks for the pointers!

- Original Message -
From: Mike mike-ciscpnspl...@tiedyenetworks.com
To: Scott Granados gsgrana...@comcast.net
Cc: cisco-nsp@puck.nether.net
Sent: Friday, October 30, 2009 12:07 PM
Subject: Re: [c-nsp] Good way of finding unauthorized network elements/

Hi Scott,

Well, teaching users to fear you thru the use of random outages to the unauthorized device and redirection to captive portals telling them you know, are some favored BOFH techniques <grin>

Some realistic strategies you could engage include:

Shutting down all ports that are not marked as 'in use' by you (if you know what is where), and establishing a 'deny by default' policy so that nobody, not even the company president, can plug anything in anywhere without first contacting you and telling you what they need. This stops dead cold the clod with the linksys thinking he'll put it in the unused cubicle next to him. You also could proactively disable ports that are 'down' for more than 2 weeks on the basis of a move or change, so that it has to be requested to be enabled again.

Auditing the network looking for non-trunk ports that have more than 1 mac address. You will find users who have little networks in their cubicle for convenience reasons, and others (the problem users) who have a wireless AP bridging to your corporate lan this way.

If you have a lan segment that is particularly vulnerable, you could also consider firewalling it off so that users need to use VPN connections.

Just some ideas.

Mike

Scott Granados wrote:

Hi all

I have a general question. I have a network consisting of about 20 access switches and 2 core switches. We have 3 access points that we manage but think someone might have brought in a linksys or DLink consumer device and plugged in. (users, can't live with em, can't shoot em) Is there a tool or good method that could scan the arp table and look for Manufacturer ID bits so I could see roughly what's attached where? Are there better tools in general or better methods of finding rogue elements that people may attach? Any pointers would be appreciated.

Thanks
Scott
Re: [c-nsp] Good way of finding unauthorized network elements/
inline comments

On Friday, October 30, 2009, Marcelo Zilio ziliomarc...@gmail.com wrote:

A third option (if your switches support it) is enable port security and maximum mac address numbers on each switchport.

depending on if the device is being used as layer3 and how his topology is set up, a single mac address will only be presented to the switchport, since the linksys is nat'ing packets.

if it is in the budget, the cisco wlc's will handle this task nicely, however, i am unsure of the technical licensing on upgrading from autonomous ap's to lwaps.

q.

On Fri, Oct 30, 2009 at 4:08 PM, Scott Granados gsgrana...@comcast.net wrote:

Hi all

I have a general question. I have a network consisting of about 20 access switches and 2 core switches. We have 3 access points that we manage but think someone might have brought in a linksys or DLink consumer device and plugged in. (users, can't live with em, can't shoot em) Is there a tool or good method that could scan the arp table and look for Manufacturer ID bits so I could see roughly what's attached where? Are there better tools in general or better methods of finding rogue elements that people may attach? Any pointers would be appreciated.

Thanks
Scott
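The audit suggested earlier in this thread (non-trunk ports that learn more than one MAC) misses the case raised in the message above, where a NAT'ing router presents a single MAC, so the sketch below also checks the manufacturer prefix (OUI) that the original question asked about. It is an added example, not a tool from the thread: the table text is constructed in the column layout of IOS `show mac address-table`, and the watch-listed OUI and vendor name are placeholders to be replaced from the IEEE OUI registry.

```python
"""Audit a switch MAC table for rogue-device indicators (added example)."""
import re
from collections import defaultdict

# Constructed sample in the column layout of IOS "show mac address-table".
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.0001    DYNAMIC     Fa0/1
  10    0011.2233.0002    DYNAMIC     Fa0/2
  10    00aa.bb00.0101    DYNAMIC     Fa0/2
  10    0011.2233.0003    DYNAMIC     Fa0/2
  20    00aa.bb12.3456    DYNAMIC     Fa0/7
  10    0011.2233.0004    DYNAMIC     Gi0/1
  10    0011.2233.0005    DYNAMIC     Gi0/1
  20    0011.2233.0006    STATIC      CPU
"""

# Placeholder watchlist (constructed). Fill it with the real prefixes of the
# consumer-router vendors you care about, taken from the IEEE OUI registry.
WATCHLIST_OUIS = {"00aabb": "ExampleConsumerVendor"}

ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def oui(mac: str) -> str:
    """First 24 bits of a Cisco dotted MAC, as six lowercase hex digits."""
    return mac.replace(".", "").lower()[:6]


def audit(table_text, trunk_ports, max_macs=1):
    """Return {port: [reasons]} for access ports that look suspicious."""
    by_port = defaultdict(set)
    for row in ROW.finditer(table_text):
        # Only dynamically learned entries on non-trunk ports are of interest.
        if row["type"].upper() != "DYNAMIC" or row["port"] in trunk_ports:
            continue
        by_port[row["port"]].add(row["mac"].lower())

    findings = {}
    for port, macs in by_port.items():
        reasons = []
        if len(macs) > max_macs:
            # Unmanaged switch, hub or bridging AP behind the port.
            reasons.append(f"{len(macs)} MACs on access port")
        for mac in sorted(macs):
            vendor = WATCHLIST_OUIS.get(oui(mac))
            if vendor:
                # Catches the single-MAC NAT router that the count check misses.
                reasons.append(f"{mac} has watch-listed OUI ({vendor})")
        if reasons:
            findings[port] = reasons
    return findings


if __name__ == "__main__":
    for port, reasons in sorted(audit(SAMPLE_TABLE, trunk_ports={"Gi0/1"}).items()):
        print(port, "->", "; ".join(reasons))
```

Raise `max_macs` for ports where an IP phone with a PC behind it is expected.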
Re: [c-nsp] ubr npe-g2 vs 7200 npe-g2
I think this will answer your question:

For NPE-G2:

The Cisco 7200 VXR routers and Cisco uBR7200 series routers use different models of the NPE-G1 and the NPE-G2 processors. For the Cisco 7200 VXR routers, order the NPE-G1 or NPE-G1= product. For the Cisco uBR7200 series routers, order the UBR7200-NPE-G1, UBR7200-NPE-G1=, UBR7200-NPE-G2, or UBR7200-NPE-G2= product.

The NPE-G1 cards have a more detailed explanation:

The Cisco 7200 VXR routers and Cisco uBR7200 series routers use different models of the NPE-G1 processor. For the Cisco 7200 VXR routers, order the NPE-G1 or NPE-G1= product. For the Cisco uBR7200 series router, order the UBR7200-NPE-G1 or UBR7200-NPE-G1= product. The two models of NPE-G1 have different labels and use different boot helper images, and they cannot be interchanged between the Cisco 7200 VXR routers and Cisco uBR7200 series routers.

http://www.cisco.com/en/US/docs/routers/7200/install_and_upgrade/network_process_engine_install_config/npense.html

Bret

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Pruett
Sent: Friday, October 30, 2009 8:46 AM
To: Arie Vayner (avayner)
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ubr npe-g2 vs 7200 npe-g2

Cisco UBR routers are used as cable CMTS devices... http://www.cisco.com/en/US/products/hw/cable/ps2217/index.html

i understand the difference between the ubr and the regular 7200 series. i'm wondering about just the npe-g2 card. is there any difference between the npe version for ubr and the version for 7200? is it just a part number difference? or is there a physical difference of some sort?
Re: [c-nsp] ubr npe-g2 vs 7200 npe-g2
The Cisco 7200 VXR routers and Cisco uBR7200 series routers use different models of the NPE-G1 processor. For the Cisco 7200 VXR routers, order the NPE-G1 or NPE-G1= product. For the Cisco uBR7200 series router, order the UBR7200-NPE-G1 or UBR7200-NPE-G1= product. The two models of NPE-G1 have different labels and use different boot helper images, and they cannot be interchanged between the Cisco 7200 VXR routers and Cisco uBR7200 series routers.

http://www.cisco.com/en/US/docs/routers/7200/install_and_upgrade/network_process_engine_install_config/npense.html

Bret

thanks. i had hunted around but couldn't come up with anything that clear. i still wouldn't be surprised if you could replace the boot image and be ok, but for now i'll take cisco at their word.
Re: [c-nsp] Good way of finding unauthorized network elements/
The guys at Cacti have a plugin called Mactrack that will do this as well. It also has a MAC db download function that will do the lookup for you.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Friday, October 30, 2009 2:09 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Good way of finding unauthorized network elements/

Hi all

I have a general question. I have a network consisting of about 20 access switches and 2 core switches. We have 3 access points that we manage but think someone might have brought in a linksys or DLink consumer device and plugged in. (users, can't live with em, can't shoot em) Is there a tool or good method that could scan the arp table and look for Manufacturer ID bits so I could see roughly what's attached where? Are there better tools in general or better methods of finding rogue elements that people may attach? Any pointers would be appreciated.

Thanks
Scott
Re: [c-nsp] Good way of finding unauthorized network elements/
Span your outbound traffic and look for IPs with a TTL that is off by one.

-Steve

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of quinn snyder
Sent: Friday, October 30, 2009 12:37 PM
To: Marcelo Zilio
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Good way of finding unauthorized network elements/

inline comments

On Friday, October 30, 2009, Marcelo Zilio ziliomarc...@gmail.com wrote:

A third option (if your switches support it) is enable port security and maximum mac address numbers on each switchport.

depending on if the device is being used as layer3 and how his topology is set up, a single mac address will only be presented to the switchport, since the linksys is nat'ing packets.

if it is in the budget, the cisco wlc's will handle this task nicely, however, i am unsure of the technical licensing on upgrading from autonomous ap's to lwaps.

q.

On Fri, Oct 30, 2009 at 4:08 PM, Scott Granados gsgrana...@comcast.net wrote:

Hi all

I have a general question. I have a network consisting of about 20 access switches and 2 core switches. We have 3 access points that we manage but think someone might have brought in a linksys or DLink consumer device and plugged in. (users, can't live with em, can't shoot em) Is there a tool or good method that could scan the arp table and look for Manufacturer ID bits so I could see roughly what's attached where? Are there better tools in general or better methods of finding rogue elements that people may attach? Any pointers would be appreciated.

Thanks
Scott
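A sketch of the TTL check suggested in the message above, as an added example that is not code from the thread. It assumes the hosts use the common initial TTLs of 64, 128 or 255 and that `hops_to_sensor` routed hops sit between legitimate hosts and the SPAN point; the packets are constructed IPv4 headers and the addresses are made up.

```python
"""Flag sources whose IP TTL suggests one extra routed/NAT hop (added example)."""
import socket
import struct
from collections import defaultdict

COMMON_INITIAL_TTLS = (64, 128, 255)   # assumption: defaults of most host stacks


def ipv4_header(src, dst, ttl, proto=6):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) for the sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_src_ttl(packet: bytes):
    """Return (src_ip, ttl) for an IPv4 packet, or None if it cannot be parsed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # truncated or not IPv4
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or len(packet) < header_len:
        return None                      # bogus IHL
    return socket.inet_ntoa(packet[12:16]), packet[8]


def suspects(packets, hops_to_sensor=0):
    """Return {src_ip: [ttls]} for sources seen with a TTL one lower than a
    directly attached host would show at this sensor."""
    expected = {ttl - hops_to_sensor for ttl in COMMON_INITIAL_TTLS}
    off_by_one = {ttl - 1 for ttl in expected}
    seen = defaultdict(set)
    for packet in packets:
        parsed = parse_src_ttl(packet)
        if parsed:
            src, ttl = parsed
            seen[src].add(ttl)
    return {src: sorted(ttls & off_by_one)
            for src, ttls in seen.items() if ttls & off_by_one}


# Constructed capture taken on the access VLAN (no routed hop before the sensor).
SAMPLE_CAPTURE = [
    ipv4_header("10.1.20.11", "192.0.2.80", 128),   # host attached directly
    ipv4_header("10.1.20.12", "192.0.2.80", 64),    # host attached directly
    ipv4_header("10.1.20.57", "192.0.2.80", 127),   # one hop behind .57
    ipv4_header("10.1.20.57", "192.0.2.25", 63),    # a second client behind .57
    b"\x45\x00",                                    # truncated frame, skipped
    b"\x60" + bytes(39),                            # IPv6, skipped
]

if __name__ == "__main__":
    for src, ttls in suspects(SAMPLE_CAPTURE).items():
        print(f"{src}: TTL {ttls} -> likely a router/NAT device on this address")
```

If the capture is taken one routed hop away from the hosts, pass `hops_to_sensor=1`; otherwise every ordinary host would appear off by one.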
Re: [c-nsp] Good way of finding unauthorized network elements/
This may be out of your budget, but the Cisco WLCs + WCS do a great job of this. WCS will identify rogue access points and also identify if the AP is on-net or just rogue. It also has a containment feature that works very effectively in quarantining APs and making them difficult / impossible to use.

Saves a lot of grunt work with using Netstumbler or some sort of mac table lookups on the switches, but requires a solid AP deployment across the campus and some $$$. Works great if you are running a Cisco AP environment.

-Rob

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Friday, October 30, 2009 2:09 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Good way of finding unauthorized network elements/

Hi all

I have a general question. I have a network consisting of about 20 access switches and 2 core switches. We have 3 access points that we manage but think someone might have brought in a linksys or DLink consumer device and plugged in. (users, can't live with em, can't shoot em) Is there a tool or good method that could scan the arp table and look for Manufacturer ID bits so I could see roughly what's attached where? Are there better tools in general or better methods of finding rogue elements that people may attach? Any pointers would be appreciated.

Thanks
Scott
Re: [c-nsp] Network Liberation Movement???
On Halloween, no less.

It's fifteen days, not hours.
Re: [c-nsp] Network Liberation Movement???
It's a marketing campaign. A so-called viral campaign (according to their blog -- http://opinion.rapp.com/).

The IP is hosted by Rapp Collins Worldwide, who's a marketing firm. Don't know who the actual client is.

oo

On Fri, Oct 30, 2009 at 2:39 PM, Drew Weaver drew.wea...@thenap.com wrote:

On Halloween, no less.

My first thought was we're all going to be spammed by network resellers in the next few days when I looked at that, but I then just thought wow this is incomprehensible gibberish.

-Drew

-Original Message-
From: Lynch, Tomas [mailto:tomas.ly...@globalcrossing.com]
Sent: Friday, October 30, 2009 2:20 PM
To: Matlock, Kenneth L; Drew Weaver; Derick Winkworth; Cisco NSP; juniper-...@puck.nether.net
Subject: RE: [c-nsp] Network Liberation Movement???

Only an idiot will make an important announcement on a Saturday.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matlock, Kenneth L
Sent: Friday, October 30, 2009 1:15 PM
To: Drew Weaver; Derick Winkworth; Cisco NSP; juniper-n...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Gibberish, and marketing speak. My guess is a linux-based 'router' they're trying to sell to unsuspecting mom-and-pop businesses.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Friday, October 30, 2009 9:38 AM
To: 'Derick Winkworth'; Cisco NSP; juniper-...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Just looks like a bunch of gibberish to me.

-Drew

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Derick Winkworth
Sent: Friday, October 30, 2009 10:23 AM
To: Cisco NSP; juniper-...@puck.nether.net
Subject: [c-nsp] Network Liberation Movement???

http://networkliberationmovement.net/

15 hours some big announcement? Anyone know what this is?
[c-nsp] Will this work?
I've been asked if this will work. I would think that it would but I would like a second opinion.

7206 VXR with an NPE-400, 512Mb ram, C7200 I/O 2FE/E card and two PA-MC-T3s. The PA-MC-T3s are 90 Bandwidth points each and the I/O controller counts as 400.

There would be some MLPPP Bundles and some basic QOS. The only ACLs in the box would be to protect the box itself and the occasional SMTP block for a user that won't clean up their network.

I am basically trying to merge two non VXR 7206s with NPE-150s into one box.

Richey
Re: [c-nsp] Network Liberation Movement???
And I'd say it's working since it's being talked about pretty heavily. ;)

- Original Message -
From: Omachonu Ogali oog...@gmail.com
To: Drew Weaver drew.wea...@thenap.com
Cc: juniper-...@puck.nether.net; Cisco NSP cisco-nsp@puck.nether.net
Sent: Friday, October 30, 2009 1:50 PM
Subject: Re: [c-nsp] Network Liberation Movement???

It's a marketing campaign. A so-called viral campaign (according to their blog -- http://opinion.rapp.com/).

The IP is hosted by Rapp Collins Worldwide, who's a marketing firm. Don't know who the actual client is.

oo

On Fri, Oct 30, 2009 at 2:39 PM, Drew Weaver drew.wea...@thenap.com wrote:

On Halloween, no less.

My first thought was we're all going to be spammed by network resellers in the next few days when I looked at that, but I then just thought wow this is incomprehensible gibberish.

-Drew

-Original Message-
From: Lynch, Tomas [mailto:tomas.ly...@globalcrossing.com]
Sent: Friday, October 30, 2009 2:20 PM
To: Matlock, Kenneth L; Drew Weaver; Derick Winkworth; Cisco NSP; juniper-...@puck.nether.net
Subject: RE: [c-nsp] Network Liberation Movement???

Only an idiot will make an important announcement on a Saturday.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matlock, Kenneth L
Sent: Friday, October 30, 2009 1:15 PM
To: Drew Weaver; Derick Winkworth; Cisco NSP; juniper-n...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Gibberish, and marketing speak. My guess is a linux-based 'router' they're trying to sell to unsuspecting mom-and-pop businesses.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Friday, October 30, 2009 9:38 AM
To: 'Derick Winkworth'; Cisco NSP; juniper-...@puck.nether.net
Subject: Re: [c-nsp] Network Liberation Movement???

Just looks like a bunch of gibberish to me.

-Drew

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Derick Winkworth
Sent: Friday, October 30, 2009 10:23 AM
To: Cisco NSP; juniper-...@puck.nether.net
Subject: [c-nsp] Network Liberation Movement???

http://networkliberationmovement.net/

15 hours some big announcement? Anyone know what this is?
Re: [c-nsp] Network Liberation Movement???
looks as if it's working based on the activity in this thread...
Re: [c-nsp] 802.1w vs EoMPLS failover time
Is there a jitter buffer on the RAD boxes you can adjust? Generally plain voice can deal with a decent amount of latency. If you can do a 50ms or higher jitter buffer, FRR may allow you to not underrun.

Phil

On Oct 30, 2009, at 10:55 AM, Walter Keen wrote:

Sorry, our current situation is that during a spanning tree switchover, it encounters a buffer underrun error on the RAD box, and we are looking to see if perhaps a mpls TE tunnel with explicit paths (2 explicit paths plus a dynamic path) would help matters any as opposed to just layer 2 vlans. I'll look into FRR.

Phil Bedard wrote:

The part where you said what the RSTP convergence time was got lost somewhere. Just using a tunnel primary/secondary paths may not be quicker than RSTP. If you use FRR protection as well it may result in less traffic loss than RSTP. Some vendors have different behavior when the failure is on the actual ingress node than a transit node, so you may want to investigate that if you are using FRR.

Phil

On Oct 29, 2009, at 7:09 PM, Walter Keen wrote:

I've got a jitter-sensitive application (voice DS3 over some RAD equipment) that we are testing, and I've got a rapid spanning tree ring through the below network. We have it down to during a spanning tree switchover (tested by adjusting the rapid-pvst cost on the trunk interface), and curious if people feel if EoMPLS with a mpls-TE tunnel would provide faster convergence in case of a failure, given a fairly vanilla OSPF as the IGP, and 2 explicit paths defined (A-D, then A-B-D), as the endpoints of this application are at A and D.

I think I'm going to start testing this tomorrow or next week, but curious if anyone had any thoughts or suggestions. HW is 7600/RSP720 at A and B, 7600/SUP720 at D and C, all with 6724sfp cards for core-facing interfaces, and 6148 card (10/100) for RAD-facing interfaces.

Network looks like

A---D
\--B---/
\--C-/

Or, A has a connection to D, A has a connection to B and C, B has a connection to D, C has a connection to D.

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194
Re: [c-nsp] 802.1w vs EoMPLS failover time
Sorry, yes. There is a jitter buffer, however only configurable between 3 and 29 ms. When we tested it at 29ms, we noted a severe failure of all modem and most fax calls through this box.

Phil Bedard wrote:

> Is there a jitter buffer on the RAD boxes you can adjust? Generally plain voice can deal with a decent amount of latency. If you can do a 50ms or higher jitter buffer, FRR may allow you to not underrun.
>
> Phil
>
> On Oct 30, 2009, at 10:55 AM, Walter Keen wrote:
>
>> Sorry, our current situation is that during a spanning tree switchover, it encounters a buffer underrun error on the RAD box, and we are looking to see if perhaps a mpls TE tunnel with explicit paths (2 explicit paths plus a dynamic path) would help matters any as opposed to just layer 2 vlans. I'll look into FRR.
>>
>> Phil Bedard wrote:
>>
>>> The part where you said what the RSTP convergence time was got lost somewhere. Just using a tunnel primary/secondary paths may not be quicker than RSTP. If you use FRR protection as well it may result in less traffic loss than RSTP. Some vendors have different behavior when the failure is on the actual ingress node than a transit node, so you may want to investigate that if you are using FRR.
>>>
>>> Phil
>>>
>>> On Oct 29, 2009, at 7:09 PM, Walter Keen wrote:
>>>
>>>> I've got a jitter-sensitive application (voice DS3 over some RAD equipment) that we are testing, and I've got a rapid spanning tree ring through the below network. We have it down to during a spanning tree switchover (tested by adjusting the rapid-pvst cost on the trunk interface), and curious if people feel if EoMPLS with a mpls-TE tunnel would provide faster convergence in case of a failure, given a fairly vanilla OSPF as the IGP, and 2 explicit paths defined (A-D, then A-B-D), as the endpoints of this application are at A and D. I think I'm going to start testing this tomorrow or next week, but curious if anyone had any thoughts or suggestions.
>>>>
>>>> HW is 7600/RSP720 at A and B, 7600/SUP720 at D and C, all with 6724sfp cards for core-facing interfaces, and 6148 card (10/100) for RAD-facing interfaces.
>>>>
>>>> Network looks like
>>>>
>>>> A---D
>>>> \--B---/
>>>> \--C-/
>>>>
>>>> Or, A has a connection to D, A has a connection to B and C, B has a connection to D, C has a connection to D.
>>
>> --
>> Walter Keen
>> Network Technician
>> Rainier Connect
>> (o) 360-832-4024 (c) 253-302-0194

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024 (c) 253-302-0194
Re: [c-nsp] Will this work?
Richey wrote:

> I've been asked if this will work. I would think that it would but I would like a second opinion. 7206 VXR with an NPE-400, 512Mb ram, C7200 I/O 2FE/E card and two PA-MC-T3s. The PA-MC-T3s are 90 Bandwidth points each and the I/O controller counts as 400. There would be some MLPPP Bundles and some basic QOS. The only ACLs in the box would be to protect the box itself and the occasional SMTP block for a user that won't clean up their network.

We have several of this exact setup as customer T1 aggregation routers with no issues. We're using OSPF for the infrastructure and iBGP for customer routes. NPE300 will even work as long as you don't have a large percentage of the T1s as multilink.

Put your PA-MC-T3s in the even numbered slots.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Network Liberation Movement???
christian koch wrote:

> looks as if it's working based on the activity in this thread...

Or not. The concept is to build suspense and get the vict^H^H^H^Hreaders to think it's something cool. If two weeks ahead of time the grassroots is revealed to be Astroturf spun by a marketing outfit and the viral aspect is shown to be malignant, it may not have the desired effect.

If it was known 15 days ahead of time that the kid was hiding in a box and not in the balloon, the TV coverage would have been a lot less intense. If you're targeting techies pretending to be a techie and are shown to be a sales guy before you make your pitch it's a lot harder sell.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
[c-nsp] Stop SYN Attack
Dear All,

I have a TCP SYN attack on one of my routers (Cisco 7206), which causes the traffic to increase 100 Mbps on the uplink interface. This router is a PE router in an MPLS environment. When I configured an access-list to block the attack source, this causes the CPU utilization of the 7206 router to reach 100%.

Does anyone know how to block this kind of TCP SYN attack?

Will using TCP Intercept on the 7206 router cause the CPU processing to reach the max also or not?

Thanks
Jason
CCIE#24775
Re: [c-nsp] ubr npe-g2 vs 7200 npe-g2
Hi,

On Fri, Oct 30, 2009 at 02:40:15PM -0500, Jaquish, Bret wrote:

> The NPE-G1 cards have a more detailed explanation:
>
> The Cisco 7200 VXR routers and Cisco uBR7200 series routers use different models of the NPE-G1 processor. For the Cisco 7200 VXR routers, order the NPE-G1 or NPE-G1= product. For the Cisco uBR7200 series router, order the UBR7200-NPE-G1 or UBR7200-NPE-G1= product. The two models of NPE-G1 have different labels and use different boot helper images, and they cannot be interchanged between the Cisco 7200 VXR routers and Cisco uBR7200 series routers.

I'm not sure if I find "have different labels" a compelling reason for not being interchangeable (or having different PPS specs). Boot helper is one of the most misunderstood parts of the 7200 series anyway... (*and* it can be changed).

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Stop SYN Attack
On Oct 31, 2009, at 5:07 AM, Jason Alex wrote:

> Does anyone know how to block this kind of TCP SYN attack?

You need to contact your peer(s)/upstream(s) and report the attack, so your peer(s)/upstream(s) can mitigate on their side. You should also replace the 7200 with a hardware-based platform like an ASR1K which can handle this kind of thing much better.

You can also enable uRPF loose-check on the router and configure S/RTBH to block the attack based upon the source address. On software-based routers, uRPF checks are processed earlier in the forwarding path, and so you'll get some CPU savings by dropping the traffic that way.

> Will using TCP Intercept on the 7206 router cause the CPU processing to reach the max also or not?

TCP Intercept is a self-DoS misfeature which I unsuccessfully campaigned for years to remove from IOS. Enable it at your peril, heh.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Sorry, sometimes I mistake your existential crises for technical insights.
-- xkcd #625
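The effect of the uRPF loose-check plus S/RTBH combination described in the reply above, as an added example that is not part of the original post: a simplified Python model of one router's forwarding decision. The prefixes, interface names and packet list are constructed (documentation address ranges), and the modelled table holds no default route.

```python
import ipaddress
from collections import Counter

NULL0 = "Null0"

class Fib:
    """Longest-prefix-match table mapping prefix -> outgoing interface."""
    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        hits = [n for n in self.routes if ip in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def blackhole_source(self, src):
        """S/RTBH effect on this router: a host route for the source to Null0."""
        self.routes[ipaddress.ip_network(f"{src}/32")] = NULL0

def forward(fib, src, dst):
    """Decide one packet; the loose uRPF check runs before the destination lookup."""
    if fib.lookup(src) in (None, NULL0):   # no route back, or route points at Null0
        return "drop:urpf"
    out_if = fib.lookup(dst)
    return "drop:no-route" if out_if in (None, NULL0) else f"fwd:{out_if}"

def replay(fib, packets):
    """Count forwarding outcomes for a list of (src, dst) pairs."""
    return Counter(forward(fib, s, d) for s, d in packets)

# Constructed sample data: documentation prefixes only.
ROUTES = {"198.51.100.0/24": "uplink", "203.0.113.0/24": "uplink",
          "192.0.2.0/24": "customer"}
ATTACKER = "203.0.113.45"
PACKETS = ([(ATTACKER, "192.0.2.10")] * 5 +     # SYN flood from one source
           [("203.0.113.9", "192.0.2.10"),      # neighbour in the same /24
            ("198.51.100.7", "192.0.2.10"),     # unrelated legitimate host
            ("10.9.9.9", "192.0.2.10")])        # source with no route at all

def demo():
    """Replay the same packets before and after the blackhole route is installed."""
    fib = Fib(ROUTES)
    before = replay(fib, PACKETS)
    fib.blackhole_source(ATTACKER)
    after = replay(fib, PACKETS)
    return before, after

if __name__ == "__main__":
    for label, counts in zip(("before", "after"), demo()):
        print(label, dict(counts))
```

Only the blackholed /32 starts failing the source check; the neighbouring host in the same /24 still matches the covering route and is forwarded.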
Re: [c-nsp] ubr npe-g2 vs 7200 npe-g2
On 2009-10-30 23:07, Gert Doering wrote:

> I'm not sure if I find "have different labels" a compelling reason for not being interchangeable (or having different PPS specs). Boot helper is one of the most misunderstood parts of the 7200 series anyway... (*and* it can be changed).

They can be changed from/to uBR to normal router, by changing the boot loader. It is sometimes problematic, as the existing bootloader may hang/crash during bootup, but the ROMMON tftp should work without problem.

I'd say that the quoted difference in performance is simply from the fact that the IOS for NPEs was standardized first, and tested on first, light IOS releases. As the code grew and was backloaded with uBR features, the real performance was retested and now the quoted numbers are lower, and more realistic as to current (to publishing of the docs) performance envelope.

But as always, YMMV.

--
Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end. | http://lukasz.bromirski.net
Re: [c-nsp] [j-nsp] juniper trinity
It looks like you're right. This Trio chipset is a 30G chipset (full duplex) and they have 4 of them per a 120G line card. It makes sense, they have a 50G (full duplex) chipset on the T1600 core box and then the 30G one for the MX. Of course they are totally different chipsets, the former being not programmable and the latter being programmable. But I was hoping that Juniper would come up with something better than just a 30G chipset. EZChip NP4 will have better throughput than this.

Marlon

On Fri, Oct 30, 2009 at 5:35 PM, Judah Scott judah.scott@gmail.com wrote:

> The datasheet for the new MX 3D line cards is a little strange. Assuming that a find-and-replace of KB to K will make it more coherent, this is an awesome amount of queues when comparing to competitors. However, the new FPC/PIC-like card strategy is in 30Gb/s and 60Gb/s flavors. Given that the 16x10GE card is oversubscribed this looks like the old DPC 4x10Gb/s stacked complex design (except now it is 4x30Gb/s?). I guess this because the numbering is much like the DPC in that they are 0/0-3 1/0-3 2/0-3 3/0-3.
>
> Would Juniper really come out with a 30Gb/s (full duplex) chipset? With no 40GE announcement I can only assume this chipset is going to be damn hard (or expensive) to do 40GE interfaces. Am I just missing something?
>
> -J Scott
>
> On Mon, Oct 26, 2009 at 12:16 AM, magno massimo.magn...@gmail.com wrote:
>
>> I agree, and I am pretty sure the new chipset will encompass and largely extend all the qos functionalities provided today by ez-chip chip.
>>
>> Cheers. Max
>>
>> On 24/10/2009, Richard A Steenbergen r...@e-gerbil.net wrote:
>>
>>> On Sat, Oct 24, 2009 at 06:38:53PM +0200, magno wrote:
>>>
>>>> I repeat, Trinity has nothing to do with ez-chip. My advice is to stop elucubrating around any ez-chip whatever. Ez-chip proved to be quite limited for some qos functions, so I really don't think juniper wants to be qos feature limited by a third-party chip anymore.
>>>
>>> I believe the original question was do the new asics integrate the functionality of ezchip, thus eliminating the need for it, and from what I've heard I believe the answer is yes. That is why we're talking about the ezchip in the first place.
>>>
>>> --
>>> Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
>>> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>
> ___
> juniper-nsp mailing list juniper-...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp